Enhancing Surface Cyber Risk Management, 88488-88592 [2024-24704]

88488 Federal Register / Vol. 89, No. 216 / Thursday, November 7, 2024 / Proposed Rules

DEPARTMENT OF HOMELAND SECURITY
Transportation Security Administration
49 CFR Parts 1500, 1503, 1520, 1570, 1580, 1582, 1584, and 1586
[Docket No. TSA–2022–0001]
RIN 1652–AA74

Enhancing Surface Cyber Risk Management

AGENCY: Transportation Security Administration, DHS.

ACTION: Notice of proposed rulemaking (NPRM).

SUMMARY: The Transportation Security Administration (TSA) is proposing to impose cyber risk management (CRM) requirements on certain pipeline and rail owner/operators and a more limited requirement, on certain over-the-road bus (OTRB) owner/operators, to report cybersecurity incidents. With the proposed addition of requirements applicable to pipeline facilities and systems, TSA is also proposing that a requirement to have a Physical Security Coordinator and report significant physical security concerns be extended to the same facilities and systems. Finally, TSA is proposing clarifications and reorganization of other regulatory requirements necessitated by these changes.

DATES: Submit comments by February 5, 2025.

ADDRESSES: Comments on this NPRM: You may submit comments on this NPRM, identified by the TSA docket number to this rulemaking, to the Federal Docket Management System (FDMS), a government-wide, electronic docket management system. To avoid duplication, please use only one of the following methods:
• Electronic Federal eRulemaking Portal: https://www.regulations.gov. Follow the online instructions for submitting comments.
• Mail: Docket Management Facility (M–30), U.S. Department of Transportation, 1200 New Jersey Avenue SE, West Building Ground Floor, Room W12–140, Washington, DC 20590–0001. The Department of Transportation (DOT), which maintains and processes TSA’s official regulatory dockets, will scan the submission and post it to FDMS.
• Fax: (202) 493–2251.
See the SUPPLEMENTARY INFORMATION section for format and other information about comment submissions on the NPRM.

FOR FURTHER INFORMATION CONTACT:
General Questions: Ashlee Marks, Surface Division, Policy, Plans, and Engagement, TSA–28, Transportation Security Administration, 6595 Springfield Center Drive, Springfield, VA 20598–6028; telephone (571) 227–1039; email: SurfaceCyberPolicy@tsa.dhs.gov.
Legal Questions: Traci Klemm, Regulations and Security Standards, Office of Chief Counsel, Transportation Security Administration, 6595 Springfield Center Drive, Springfield, VA 20598–6002; telephone (571) 227–3583, or email to SurfaceCyberPolicy@tsa.dhs.gov.

SUPPLEMENTARY INFORMATION:

Public Participation

TSA invites interested persons to participate in this NPRM by submitting written comments, including relevant data. We also invite comments relating to the economic, environmental, energy, or federalism impacts that might result from this rulemaking action. See the ADDRESSES section above for information on where to submit comments.

NPRM-Specific Request for Comments

1. TSA is requesting comments on the impact of regulations and requirements being imposed by other Federal, State, and Local entities, including DHS components, and potential options for regulatory harmonization.
2. TSA is requesting comments on whether proposed requirements for supply chain risk management should also include requirements to ensure that any new software purchased for, or to be installed on, Critical Cyber Systems meets CISA’s Secure-by-Design and Secure-by-Default principles.
3. TSA is requesting comments on existing training and certification programs that could provide low-cost options to meet proposed qualification requirements for Cybersecurity Coordinators. If identified and determined by TSA to be sufficient, TSA could recognize them as examples for owner/operators that would be subject to these requirements.
4. TSA is proposing to require owner/operators to have a Cybersecurity Assessment Plan (CAP) to annually assess and audit the effectiveness of their TSA-approved Cybersecurity Operational Implementation Plan (COIP). TSA is requesting comments on methodologies owner/operators could use to develop a plan that would meet the required annual minimum for assessments and audits, assessment and auditing capabilities that could be included in the CAP, and other options and resources that could ensure a robust auditing and assessment program that provides frequent and regular reviews of effectiveness of CRM program implementation.
5. TSA is requesting comments from pipeline owner/operators on opportunities to streamline compliance and reduce redundancies and duplication of efforts for pipeline facilities regulated under 33 CFR 105.105(a) or 106.105(a).
6. TSA is requesting comment on whether accountable executives and Cybersecurity Coordinators, for all covered owner/operators, should be required to undergo a TSA-conducted Security Threat Assessment (STA), which would include a terrorism/other analyses check, an immigration check, and a criminal history records check (CHRC).
7. TSA is requesting comment on whether TSA should require all frontline workers (“security-sensitive employees”) in the pipeline industry to also be vetted by TSA. Although TSA is not proposing this requirement, TSA seeks comments on how the vetting would impact their operations and costs, and specifically how many employees the entity has that would likely be considered security-sensitive employees.[1]
8. TSA is requesting comment on the inputs used in the Regulatory Impact Analysis (RIA), including those related to the Security Directives (SDs), their implementation, and associated costs and benefits.
9. TSA invites all interested parties to submit data and information regarding the potential economic impact on small entities that would result from the adoption of the requirements in the proposed rule.
10. TSA invites comments on the proposed collection of information and estimates of burden.

Submitting Comments on the NPRM

With each comment, please identify the docket number at the beginning of your comments. You may submit comments and material electronically, by mail, or fax as provided under ADDRESSES, but please submit your comments and material by only one means. If you submit comments by mail or in person, submit them in an unbound format, no larger than 8.5 by 11 inches, suitable for copying and electronic filing. If you would like TSA to acknowledge receipt of comments submitted by mail, include with your comments a self-addressed, stamped postcard or envelope on which the docket number appears, and we will mail it to you.

Comments that will provide the most assistance to TSA will reference a specific portion of this proposed rule, explain the reason for any suggestions or recommended changes, and include data, information, or authority that supports such suggestion or recommended change.

All comments, except those that include confidential or SSI,[2] will be posted to https://www.regulations.gov and include any personal information you have provided. Should you wish your personally identifiable information redacted prior to filing in the docket, please clearly indicate this request in your submission. TSA will consider all comments that are in the docket on or before the closing date for comments and will consider comments filed late to the extent practicable. The docket is available for public inspection before and after the comment closing date.

Submitting Comments on the Proposed Information Collections

Comments on the proposed information collections included in this NPRM should be submitted both to TSA, as indicated above, and to the Office of Information and Regulatory Affairs, Office of Management and Budget (OMB). Comments should be identified by the appropriate OMB Control Number(s) or the title of this proposed rule, addressed to the Desk Officer for the Department of Homeland Security, Transportation Security Administration, and sent via electronic mail to dhsdeskofficer@omb.eop.gov.

Handling of Confidential or Proprietary Information and SSI Submitted in Public Comments

Do not submit comments that include trade secrets, confidential commercial or financial information, or SSI to the public regulatory docket. Please submit such comments separately from other comments on the rulemaking. Comments containing this type of information should be appropriately marked as containing such information and submitted by mail to the address listed in the FOR FURTHER INFORMATION CONTACT section. TSA will take the following actions for all submissions containing SSI:
• TSA will not place comments containing SSI in the public docket and will handle them with applicable safeguards and restrictions on access.
• TSA will hold documents containing SSI, confidential business information, or trade secrets in a separate file to which the public does not have access.
• TSA will place a note in the public docket explaining that commenters have submitted such documents.
• TSA may include a redacted version of the comment in the public docket.
• TSA will treat requests to examine or copy information that is not in the public docket as any other request under the Freedom of Information Act (5 U.S.C. 552) and the Department of Homeland Security (DHS) Freedom of Information Act regulation found in 6 CFR part 5.

Reviewing Comments in the Docket

Please be aware that anyone can search the electronic form of all comments in any of our dockets by the name of the individual, association, business entity, labor union, etc., who submitted the comment. For more about privacy and the docket, review the Privacy and Security Notice for the FDMS at https://www.regulations.gov/privacy-notice, as well as the System of Records Notice DOT/ALL 14—Federal Docket Management System (73 FR 3316, January 17, 2008) and the System of Records Notice DHS/ALL 044—eRulemaking (85 FR 14226, March 11, 2020). You may review TSA’s electronic public docket at https://www.regulations.gov. In addition, DOT’s Docket Management Facility provides a physical facility, staff, equipment, and assistance to the public. To obtain assistance or to review comments in TSA’s public docket, you may visit this facility between 9 a.m. and 5 p.m., Monday through Friday, excluding legal holidays, or call (202) 366–9826. This DOT facility is in the West Building Ground Floor, Room W12–140 at 1200 New Jersey Avenue SE, Washington, DC 20590.

[1] Commenters may find it useful to review the functions that TSA considered for determining security-sensitive employees under current Appendix B to 49 CFR part 1580, Appendix B to part 1582, and Appendix B to part 1584.
[2] “Sensitive Security Information” or “SSI” is information obtained or developed in the conduct of security activities, the disclosure of which would constitute an unwarranted invasion of privacy, reveal trade secrets or privileged or confidential information, or be detrimental to the security of transportation. The protection of SSI is governed by 49 CFR part 1520.
Availability of Rulemaking Document

You can find an electronic copy of this rulemaking using the internet by accessing the Government Publishing Office’s web page at https://www.govinfo.gov/app/collection/FR/ to view the daily published Federal Register edition or accessing the Office of the Federal Register’s web page at https://www.federalregister.gov. Copies are also available by contacting the individual identified for “General Questions” in the FOR FURTHER INFORMATION CONTACT section.

Abbreviations and Terms Used in This Document

9/11 Act—Implementing Recommendations of the 9/11 Commission Act of 2007
AAR—Association of American Railroads
Amtrak—National Railroad Passenger Corporation
APTA—American Public Transportation Association
ATSA—Aviation and Transportation Security Act
BOS—Back Office Server
BES—Bulk Electric System
CAP—Cybersecurity Assessment Plan
CEQ—Council on Environmental Quality
CSF—Cybersecurity Framework 2.0
CIRCIA—Cyber Incident Reporting for Critical Infrastructure Act of 2022
CIP—Cybersecurity Implementation Plan
CIRP—Cybersecurity Incident Response Plan
CISA—Cybersecurity and Infrastructure Security Agency
COIP—Cybersecurity Operational Implementation Plan
CPGs—Cross-Sector Cybersecurity Performance Goals
CRM—Cybersecurity risk management
DFAR—Defense Federal Acquisition Regulation Supplement
DHS—Department of Homeland Security
DoD—Department of Defense
DOE—Department of Energy
DOT—Department of Transportation
E.O.—Executive Order
FDMS—Federal Docket Management System
FERC—Federal Energy Regulatory Commission
FISMA—Federal Information Security Modernization Act of 2014
FR—Federal Register
FRA—Federal Railroad Administration
FSB—Russian Federal Security Service
GPS—Global Positioning System
HSIN—Homeland Security Information Network
IC—Information Circular
ICS—Industrial control system
IRFA—Initial Regulatory Flexibility Analysis
IT—Information technology
MFA—Multi-factor authentication
NARA—National Archives and Records Administration
NEPA—National Environmental Policy Act
NERC—National American Electrical Reliability Corporation
NIST—National Institute of Standards and Technology
NPRM—Notice of proposed rulemaking
OMB—Office of Management and Budget
OT—Operational technology
OTRB—Over-the-road bus
PHMSA—Pipeline and Hazardous Materials Safety Administration
POAM—Plan of Action and Milestones
PTC—Positive Train Control
PTPR—Public Transportation and Passenger Railroads
RFA—Regulatory Flexibility Act of 1980
RIA—Regulatory Impact Analysis
SCADA—Supervisory control and data acquisition
SD—Security Directive
SDDCTEA—US Army Military Surface Deployment and Distribution Command Transportation Engineering Agency
SOAR—Security orchestration, automation, and response
SP—Special Publication
SRP—Secure Regulatory Portal
SSI—Sensitive security information
STA—Security threat assessment
STRACNET—Strategic Rail Corridor Network
TSA—Transportation Security Administration
UMRA—Unfunded Mandates Reform Act of 1995
VADR—Validated Architecture Design Review

Table of Contents

I. Executive Summary
  A. Purpose of the Regulatory Action
  B. Summary of the Major Provisions
  C. Costs
  D. Benefits
II. Background
  A. Context
    1. Pipeline Transportation
    2. Rail Transportation
      a. Freight Railroads
      b. Passenger Railroads
      c. Rail Transit
    3. Cybersecurity Threats
    4. Threat of Cybersecurity Incidents at the Nexus of IT and OT Systems
  B. Statutory Authorities
    1. TSA Surface-Related SDs and Information Circulars
    2. TSA’s Assessments, Guidelines, and Regulations Applicable to Pipeline and Rail Systems
      a. Pipeline Guidelines, Assessments, and Regulations
      b. Regulating Railroads, Public Transportation Systems, and OTRBs
  C. References
    1. National Cybersecurity Strategy
    2. NIST Cybersecurity Framework
    3. CISA Cross-Sector Cybersecurity Performance Goals
    4. TSA’s Advance Notice of Proposed Rulemaking
      a. General Support and Need for Regulatory Harmonization and Performance-Based Regulation
      b. Core Elements
      c. Training
      d. Supply Chain
      e. Third-Party Assessors
    5. Regulatory Harmonization
III. Proposed Rule
  A. Rule organization
    1. Cybersecurity Requirements
    2. Physical Security Requirements
    3. General Procedures for Security Programs, SDs, and Information Circulars
    4. Relation to Other Rulemakings
  B. Terms
    1. General Terms
    2. TSA Cybersecurity Lexicon
  C. Cybersecurity Risk Management Program—General
    1. Introduction
    2. Applicability
      a. Freight Railroads Subject to CRM Program Requirements in Proposed Subpart D of Part 1580
      b. Public Transportation Agencies and Passenger Railroads Subject to CRM Program Requirements in Proposed Subpart C of Part 1582
      c. OTRB Owner/Operators Subject to Cybersecurity Incident Reporting Requirements in Proposed § 1584.107
      d. Pipeline Systems and Facilities Subject to Physical Security Requirements in Proposed Subpart B of part 1586 and CRM Program Requirements in Proposed Subpart C of Part 1586
      e. Determinations of Applicability for Requirements in the Proposed Rule
    3. Structure of CRM Program Requirements (Proposed §§ 1580.303, 1582.203, and 1586.203)
  D. Specific CRM Program Requirements
    1. Cybersecurity Evaluation (Proposed §§ 1580.305, 1582.205, and 1586.205)
    2. Cybersecurity Operational Implementation Plan (Proposed §§ 1580.307, 1582.207, and 1586.207)
      a. General COIP Requirements
      b. Governance of the CRM Program (Proposed §§ 1580.309, 1580.311, 1582.209, 1582.211, 1586.209, and 1586.211)
      c. Identification of Critical Cyber Systems, Network Architecture, and Interdependencies
      d. Procedures, Policies, and Capabilities To Protect Critical Cyber Systems
      e. Procedures, Policies, and Capabilities To Detect Cybersecurity Incidents (Proposed §§ 1580.321, 1582.221, and 1586.221)
      f. Procedures, Policies, and Capabilities To Respond to, and Recover From, Cybersecurity Incidents
    3. Cybersecurity Assessment Plan (Proposed §§ 1580.329, 1582.229, and 1586.229)
    4. Documentation To Establish Compliance (Proposed §§ 1580.331, 1582.231, and 1586.231)
  E. Physical Security
  F. General Procedures for Security Programs, SDs, and Information Circulars
    1. General Procedures for Security Programs (Proposed Revisions to Subpart B of Part 1570)
    2. SDs and Information Circulars (Proposed Subpart C of Part 1570)
    3. Exhaustion of Administrative Remedies (Proposed § 1570.119)
    4. Severability
    5. Enforcement and Compliance
  G. Summary of Applicability and Requirements
  H. Compliance Deadlines and Documentation
  I. Sensitive Security Information
    1. Scope of the Revision to TSA’s SSI Regulatory Requirements
    2. Disclosure of SSI Upon the “Need To Know”
IV. Regulatory Analyses
  A. Economic Impact Analysis
    1. Summary of Regulatory Impact Analysis
    2. Assessments Required by E.O.s 12866 and 13563
      a. Costs
      b. Cost Sensitivity Analysis
      c. Benefits
      d. Break-Even Analysis
    3. OMB A–4 Statement
    4. Alternatives Considered
    5. Regulatory Flexibility Assessment
    6. International Trade Impact Assessment
    7. Unfunded Mandates Assessment
  B. Paperwork Reduction Act
  C. Federalism (E.O. 13132)
  D. Energy Impact Analysis (E.O. 13211)
  E. Environmental Analysis
  F. Tribal Consultation (E.O. 13175)

I. Executive Summary

A. Purpose of the Regulatory Action

On May 8, 2021, a Russian-based cybercriminal group, DarkSide, conducted a ransomware attack[3] that forced a major pipeline company to go offline, resulting in a weeklong shutdown of 5,500 miles of petroleum pipelines on the East Coast.
Actions taken to protect the Operational Technology (OT) system temporarily disrupted critical supplies of gasoline and other refined petroleum products throughout the East Coast, resulting in a regional emergency declaration.[4] Some news agencies reported pictures of snaking lines of cars at gas stations across the eastern seaboard and panicked Americans filling bags with fuel, fearing not being able to get to work or get their kids to school. TSA subsequently used its emergency authority under 49 U.S.C. 114(l) to impose cybersecurity requirements on certain surface transportation entities. See discussion in section II.B.

The cyber threat to the country’s critical infrastructure has only increased in the time since TSA initially issued SDs to address cybersecurity in surface transportation in 2021. Cyber threats to surface transportation systems continue to proliferate, as both nation-states and criminal cyber groups target critical infrastructure in order to cause operational disruption and economic harm.[5] Cyber attackers have also maliciously targeted other surface transportation modes in the United States, including freight railroads, passenger railroads, and rail transit systems, with multiple cyberattack and cyber espionage campaigns.[6] Cybersecurity incidents, particularly ransomware attacks, are likely to increase in the near and long term, due in part to vulnerabilities identified by threat actors in U.S. networks.[7] Especially in light of the ongoing Russia-Ukraine conflict, these threats remain elevated and pose a risk to the national and economic security of the United States. In its 2023 annual assessment, the Intelligence Community noted that “China almost certainly is capable of launching cyber-attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems.”[8] Notably, “[i]f Beijing believed that a major conflict with the United States were imminent, it almost certainly would consider aggressive cyber operations against U.S. homeland critical infrastructure and military assets worldwide. Such a strike would be designed to deter U.S. military action by impeding U.S. decision-making, inducing societal panic, and interfering with the deployment of U.S. forces.”[9] In addition, “Russia maintains its ability to target critical infrastructure . . . in the United States as well as in allied and partner countries” and “Tehran’s opportunistic approach to cyber-attacks puts U.S. infrastructure at risk for being targeted.”[10] Furthermore, “malicious cyber actors have begun testing the capabilities of AI-developed malware and AI-assisted software development—technologies that have the potential to enable larger scale, faster, efficient, and more evasive cyber-attacks—against targets, including pipelines, railways, and other US critical infrastructure.”[11]

While TSA had issued recommendations to strengthen the cybersecurity of pipeline facilities and systems, see discussion in Section II.B.2. of this NPRM, reliance on voluntary actions may not be sufficient in light of the cyber threat to our national and economic security. As noted in the National Cybersecurity Strategy, “While voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes. Today’s marketplace insufficiently rewards—and often disadvantages—the owners and operators of critical infrastructure who invest in proactive measures to prevent or mitigate the effects of cyber incidents.”[12] The requirements proposed in this rule would strengthen cybersecurity and resiliency for the surface transportation sector by mandating reporting of cybersecurity incidents and development of a robust CRM program. This rulemaking builds upon TSA’s previously issued requirements and recommendations, the cybersecurity framework (CSF) developed by the National Institute of Standards and Technology (NIST),[13] and the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by the Cybersecurity and Infrastructure Security Agency (CISA).[14]

B. Summary of the Major Provisions

This NPRM proposes to require owner/operators[15] of designated freight railroads, passenger railroads, rail transit, and pipeline facilities and/or systems to have a CRM program approved by TSA. The proposed CRM program includes three primary elements. First, owner/operators to whom the proposed rule applies would be required to annually conduct an enterprise-wide cybersecurity evaluation that would identify the current profile of cybersecurity (including physical and logical/virtual controls) compared to the target profile. The target profile must, at a minimum, include the security outcomes identified in the proposed rule and should also consider recommendations in the NIST CSF.[16] Second, those owner/operators would be required to develop a COIP that includes the following information: (a) identification of individuals/positions responsible for the governance of the owner/operator’s CRM program, including an accountable executive and Cybersecurity Coordinator(s); (b) identification of Critical Cyber Systems, specific network architecture issues, and baseline communications; (c) detailed measures to protect these Critical Cyber Systems; (d) detailed measures to detect cybersecurity incidents and monitor these Critical Cyber Systems; and (e) measures to address response to, and recovery from, a cybersecurity incident. Although many of these measures for the COIP are limited to Critical Cyber Systems, all owner/operators within the proposed scope of applicability would be required to have a Cybersecurity Incident Response Plan (CIRP), regardless of whether they identify any Critical Cyber Systems. Third, owner/operators subject to the proposed rule would be required to have a CAP that includes a schedule for assessments, an annual report of assessment results, and identification of unaddressed vulnerabilities. Owner/operators would also be required to ensure any individuals or companies assigned or hired to evaluate the effectiveness of the owner/operator’s CRM program are independent, i.e., do not have a personal, financial interest in the results of the assessment.

As part of this rule, TSA also is proposing to reorganize requirements in subchapter D of 49 CFR chapter XII related to security coordinators, reporting significant security concerns, and security training of security-sensitive employees. TSA would move these requirements from 49 CFR part 1570 and add them to the specific modal requirements in parts 1580, 1582, 1584, and a new part 1586, which is applicable to pipeline systems and facilities.[17] In general, the applicability of proposed requirements related to designation of a cybersecurity coordinator and reporting cybersecurity incidents align with the current requirements for designation of a (physical) security coordinator and reporting of significant (physical) security concerns under 49 CFR part 1570.201 and 1570.203. TSA is also proposing to distinguish between requirements focused on physical security and those focused on cybersecurity. As part of this reorganization and proposed imposition of new cybersecurity requirements, TSA is proposing that all owner/operators currently required to report significant security concerns to TSA, under current 49 CFR 1570.203,[18] report significant physical security concerns to TSA and report cybersecurity incidents to CISA. TSA is proposing that owner/operators of designated pipeline facilities and systems also report both physical and cybersecurity incidents.

[3] See definition of “ransomware” in 6 U.S.C. 650(22).
[4] See, e.g., U.S. Department of Transportation, Federal Motor Carrier Safety Administration, ESC–SSC–WSC—Regional Emergency Declaration 2021–002—05–09–2021 (May 9, 2021), available at https://www.fmcsa.dot.gov/emergency/esc-ssc-wsc-regional-emergency-declaration-2021-002-05-09-2021 (last accessed Aug. 1, 2024).
[5] Annual Threat Assessment of the U.S. Intelligence Community, Office of the Director of National Intelligence (2024 Intelligence Community Assessment), 11, 16 (Feb. 5, 2024), available at https://www.dni.gov/files/ODNI/documents/assessments/ATA-2024-Unclassified-Report.pdf (last accessed July 23, 2024). Note: Infrastructure references in this 2024 assessment include pipelines.
[6] These activities include the January 2023 breach of the Washington Metropolitan Area Transit Authority; the January 2023 breach of San Francisco’s Bay Area Rapid Transit System; and the April 2021 breach of New York City’s Metropolitan Transportation Authority (the nation’s largest mass transit agency) by hackers linked to the Chinese government. This threat is ongoing: on February 7, 2024, CISA published an advisory warning of the threat posed by PRC state-sponsored actors. See Cybersecurity Advisory (AA24–038A), PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure, released by CISA on Feb. 7, 2024.
[7] Alert (AA22–040A), 2021 Trends Show Increased Globalized Threat of Ransomware, released by CISA on February 10, 2022 (as revised).
[8] Annual Threat Assessment of the U.S. Intelligence Community, Office of the Director of National Intelligence (2023) (2023 Intelligence Community Assessment), 10 (Feb. 6, 2023), available at https://www.dni.gov/files/ODNI/documents/assessments/ATA-2023-Unclassified-Report.pdf (last accessed July 23, 2024).
[9] 2023 Intelligence Community Assessment at 10.
[10] 2024 Intelligence Community Assessment at 11.
[11] DHS Intelligence and Analysis (I&A), Homeland Threat Assessment 18 (2024), available at https://www.dhs.gov/sites/default/files/2023-09/23_0913_ia_23-333-ia_u_homeland-threat-assessment-2024_508C_V6_13Sep23.pdf (last accessed July 23, 2024).
[12] See National Cybersecurity Strategy at 8 (March 2023), available at https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf (last accessed July 29, 2024).
[13] See https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf (last accessed May 5, 2024) for more information on the NIST Cybersecurity Framework (CSF) 2.0.
[14] See https://www.cisa.gov/cross-sector-cybersecurity-performance-goals (last accessed Sept. 22, 2023) for more information on the CPGs. A table that aligns the NIST CSF, CPGs, and proposed requirements is available in the docket for this rulemaking.
[15] See 49 CFR 1500.3 for the definition of “owner/operators” as used in this rulemaking.
[16] See NIST CSF, supra note 13.
[17] TSA may make related revisions to organization of a rulemaking that would finalize proposed requirements in the NPRM, Vetting of Certain Surface Transportation Employees, 88 FR 33472 (May 23, 2023).
Finally, TSA is proposing to incorporate into subchapter D a new section related to issuance of SDs and Information Circulars (ICs), mirroring language currently applicable in the aviation industry. Adding this section would ensure consistent procedures for issuance of SDs and ICs across all modes of transportation subject to TSA’s authorities.

C. Costs

TSA estimates the proposed rule would impact just under 300 surface transportation owner/operators. Using the risk-based criteria for application discussed below, see Section III.C.2., TSA estimates these proposed requirements would apply to 73 of the approximately 620 freight railroads currently operating in the United States; 34 of the approximately 92 public transportation agencies and passenger railroads (PTPR) operating in the United States; 71 OTRB owner/operators who are currently subject to TSA’s regulatory requirements to report significant security concerns; and 115 of the approximately 2,105 pipeline facilities and systems subject to safety regulations issued by the Pipeline and Hazardous Materials Safety Administration (PHMSA), as codified in 49 CFR part 192 and 49 CFR 195.1.19

Table 1 identifies TSA’s estimates for the overall cost of this proposed rule. This table captures the industry’s costs associated with implementing the proposed requirements as well as TSA’s costs for overseeing implementation, over a 10-year period of analysis. See Section IV of this NPRM and the related Regulatory Impact Analysis for a more detailed breakdown of the estimated costs.

TABLE 1—COST OF FINAL RULE

                                                      Estimated costs
                                                 (over 10 years, discounted
                                                       at 7 percent)
Freight Railroads ..............................        $685,776,600
Passenger Railroads and Rail Transit ...........         881,136,800
OTRBs ..........................................             215,900
Pipeline Facilities and Systems ................         580,183,200
TSA ............................................          14,241,200
    Total ......................................       2,161,553,800
    Annualized .................................         307,756,600

D. Benefits

The primary benefit of the proposed rule is a potential reduction in the risk of a successful attack or cybersecurity incident and the impact of such incidents as a result of implementing the proposed requirements. Implementation of a CRM program, as described under the proposed rule, could help enhance the security of the regulated population by improving the owner/operator’s ability to identify, detect, protect against, respond to, and recover from cybersecurity incidents. The proposed cybersecurity outcomes this rule would require provide owner/operators with a blueprint for improving defenses against cybersecurity incidents. Industry experience indicates that having a defense-in-depth approach to cybersecurity enhances the ability to prevent and respond to breaches of operational systems and compromises of sensitive information.20 TSA anticipates the proposed rule’s requirements, such as enhancing system security, maintaining backups, monitoring systems, and developing a response plan, would strengthen cybersecurity defenses over the long term. For instance, depending on the individual circumstances of a given cyber-attack or cybersecurity incident—

• A commitment to patch management, system segmentation, and firewalls could limit the resources potential malicious actors would be able to access during an intrusion;21
• The presence of backups could allow for system restoration, data recovery, and unhindered system operations;22
• Continuous monitoring of the network could help to detect and respond to potential threats and limit system degradation;23 and
• Having a response plan in place in case of a successful cyber-attack or cybersecurity incident would reduce its impact, build in resiliency, and support rapid resumption of normal operations.24

These enhancements, in turn, could reduce the chance of negative consequences and service interruptions from cybersecurity incidents to the benefit of owners/operators, passengers, and consumers.

18 See also Appendix A to 49 CFR part 1570.
19 The proposed applicability for pipeline facilities and systems specifically excludes U.S. facilities specified in 33 CFR 105.105(a) that are regulated under 33 CFR part 105 or facilities specified in 33 CFR 106.105(a) that are regulated under 33 CFR part 106.
20 Well-designed security systems have been credited for limiting damages in recent cyber incident cases: See ABC7 New York, Hackers breached several of MTA’s computer systems in April (June 2, 2021), available at https://abc7ny.com/mta-hack-computer-nyc-new-york-city/10734358/ (last accessed Sept. 28, 2023).
21 See, e.g., outcomes associated with the following CISA CPGs available at https://www.cisa.gov/cross-sector-cybersecurity-performance-goals (last accessed June 10, 2024): CISA CPG 1.E.
22 See, e.g., id. at CISA CPG 2.R.
23 See, e.g., id. at CISA CPGs 2.A, 2.F., 2.G. and 3.A.
24 See, e.g., id. at CISA CPGs 2.O, 2.P, 2.R., 2.S., and 2.T.
II. Background

A. Context

1. Pipeline Transportation

The national pipeline system consists of more than 2.9 million miles of networked pipelines transporting hazardous liquids, natural gas, and other liquids and gases for energy needs and manufacturing.25 Although most pipeline infrastructure is buried underground, operational elements such as compressors, metering, regulating, pumping stations, aerial crossings, and breakout tanks are typically located above ground. Under operating pressure, the pipeline system is used as a conveyance to deliver resources from one location to another. In addition to portions of the network that are manually operated, the pipeline system includes use of automated industrial control systems (ICS), such as supervisory control and data acquisition (SCADA) systems, to monitor and manage pipeline operations. These systems use remote sensors, signals, and preprogrammed parameters to activate valves and pumps to maintain product flows within tolerances. Pipeline systems supply energy commodities and raw materials across the country to utilities, airports, military sites, and to the nation’s industrial and manufacturing sectors. Protecting the vital supply chain infrastructure of pipeline operations is critical to national security and commerce.

2. Rail Transportation

The rail transportation sector includes freight railroads, passenger railroads (including inter-city and commuter), and rail transit.

a. Freight Railroads

The national freight rail network is a complex system that includes both physical and cyber infrastructure and consists of more than 620 freight railroads operating across nearly 140,000 rail miles. This sector includes six Class I railroads,26 local (also known as Short Line) railroads, and regional railroads.
The Class I railroads had calendar year 2021 operating revenues of at least $900 million. These six railroads also account for approximately 68 percent of freight rail mileage, 88 percent of employees, and 94 percent of revenue. Regional railroads and local railroads range in size from operations handling a few carloads monthly to multi-state operators nearly the size of a Class I operation.27 As stated by the Association of American Railroads (AAR), the freight rail sector provides “a safe, efficient, and cost-effective transportation network that reliably serves customers and the nation’s economy.” 28 Freight railroads are private entities that own and are responsible for their own infrastructure.29 They maintain the locomotives, rolling stock, and fixed assets involved in the transportation of goods and materials across the nation’s rail system. As required by Congress, railroads are subject to safety regulations promulgated and enforced by the Federal Railroad Administration (FRA). TSA administers and enforces the rail security regulations in 49 CFR part 1580.

b. Passenger Railroads

Passenger rail is divided into two categories: inter-city and commuter rail service. Inter-city provides long-distance service, while commuter railroads provide service over shorter distances, usually less than 100 miles. The National Railroad Passenger Corporation (Amtrak) is the sole long-distance inter-city passenger railroad in the contiguous United States.

25 Mileage information is available at https://www.phmsa.dot.gov/data-and-statistics/pipeline/annual-report-mileage-summary-statistics (last accessed Nov. 30, 2023).
26 For purposes of TSA’s regulations, “Class I” means “Class I” as assigned by regulations of the Surface Transportation Board (STB) (49 CFR part 1201; General Instructions 1–1). See also infra note 123.
Amtrak, which had a pre-pandemic annual ridership of approximately 31.7 million, operates a nationwide rail network, serving more than 500 destinations in 46 states, the District of Columbia, and three Canadian provinces on more than 21,300 track-miles.30 Nearly half of all Amtrak trains operate at top speeds of 100 mph or greater. In fiscal year 2023, Amtrak customers took nearly 28.6 million trips, up 24 percent over the previous year.31 In addition to inter-city service, Amtrak is one of the largest operators of contract commuter services in North America, providing services and/or infrastructure access to 13 state and regional authorities.32

Freight railroads provide the tracks for most passenger rail operations. For example, 71 percent of the track on which Amtrak operates is owned by other railroads. These “host railroads” include large, publicly traded freight rail companies in the U.S. or Canada, State and Local government agencies, and small businesses.

27 See https://www.aar.org/wp-content/uploads/2020/08/AAR-Railroad-101-Freight-Railroads-Fact-Sheet.pdf (May 2023 update, last accessed June 3, 2023).
28 Id.
29 Id.
30 See https://www.apta.com/wp-content/uploads/APTA_Fact-Book-2019_FINAL.pdf (last accessed Sept. 19, 2022).
31 See https://media.amtrak.com/2023/11/amtrak-fiscal-year-2023-ridership-exceeds-expectations-as-demand-for-passenger-rail-soars/ (last accessed July 30, 2024).
32 See https://www.amtrak.com/content/dam/projects/dotcom/english/public/documents/corporate/nationalfactsheets/Amtrak-Company-Profile-FY2023-041824.pdf at 4 (last accessed July 30, 2024).
Amtrak pays the host railroads for use of their track and other resources as needed.33 Amtrak and other passenger rail agencies, however, are not wholly dependent on freight rail infrastructure and corridors for operational feasibility; they sometimes control, operate, and maintain tracks, facilities, construction sites, utilities, and computerized networks essential to their own operations. For example, the Northeast Corridor is an electrified railway line in the Northeast megalopolis of the United States owned primarily by Amtrak. It runs from Boston through New York City, Philadelphia, and Baltimore, with a terminus in Washington, DC. The majority of this corridor, 263 of the 457 route-miles of the main line, is owned and operated by Amtrak.34 Amtrak and other passenger railroads also host freight rail operations. In fact, the Northeast Corridor is the busiest railroad in North America, with approximately 2,000 Amtrak, commuter, and freight trains operating over some portion of the Washington-Boston route each day.35 As with freight railroads, passenger railroads are subject to safety regulations put forth and enforced by the FRA. TSA administers and enforces passenger rail security regulations in 49 CFR part 1582.

c. Rail Transit

Public transportation in America is critically important to our way of life, as evidenced by the number of riders on the nation’s public transportation systems. According to the American Public Transportation Association (APTA), 2022 Public Transportation Fact Book, there were over 4.49 billion unlinked passenger trips in 2021.36 Nationwide, 5.0 million Americans commute to work on transit, equivalent to approximately 3.1 percent of workers. In major metropolitan areas, like New York City, over 27 percent of commuters rely on public transportation for their daily commute.37 Rail transit is a critical part of this system. According to APTA, 87 percent of trips on transit directly benefit the local economy, including 50 percent of trips to and from work and 37 percent of trips are for shopping and recreational spending.38 A successful cyber-attack would have a profound impact on ridership and a negative economic impact nationwide. TSA administers and enforces rail transit security regulations in 49 CFR part 1582.

3. Cybersecurity Threats

Threat actors have demonstrated their willingness to engage in cyber intrusions and conduct cybersecurity incidents against critical infrastructure by exploiting vulnerabilities in OT 39 and Information Technology (IT) 40 systems. Pipeline and rail systems, and associated facilities, may be vulnerable to cybersecurity incidents due to legacy ICS that lack updated security controls and the dispersed nature of pipeline and rail networks spanning urban and outlying areas.41 As pipeline and rail owner/operators have begun to integrate IT and OT systems into their operating environment to further improve safety, enable efficiencies, and/or increase automation, their operations become increasingly vulnerable to new and evolving cyber threats. A successful cyber-intrusion could affect the safe operation and reliability of OT systems, including SCADA systems, process control systems, distributed control systems, safety control systems, measurement systems, and telemetry systems.

33 Id.
34 Id. at 2.
35 Id. at 4.
36 See APTA, 2023 Public Transportation Fact Book at 3, available at https://www.apta.com/wp-content/uploads/APTA-2023-Public-Transportation-Fact-Book.pdf (last accessed July 30, 2024). Unlinked passenger trips are an industry measure of ridership, with a trip being defined as any time a person boards a transit vehicle, including transfers.
37 Id. at 12.
38 Id. at 3. Rail transit includes heavy rail systems, often referred to as “subways” or “metros,” that do not interact with traffic; light rail and streetcars, often referred to as “surface rail,” that may operate on streets, with or without their own dedicated lanes; and commuter rail services that are higher-speed, higher-capacity trains with less-frequent stops.
39 For purposes of this NPRM, TSA defines an “OT system” as “a general term that encompasses several types of control systems, including industrial control systems, supervisory control and data acquisition systems, distributed control systems, and other control system configurations, such as programmable logic controllers, fire control systems, and physical access control systems, often found in the industrial sector and critical infrastructure. Such systems consist of combinations of programmable electrical, mechanical, hydraulic, pneumatic devices or systems that interact with the physical environment or manage devices that interact with the physical environment.”
40 For purposes of this NPRM, TSA defines an “IT System” as “any services, equipment, or interconnected systems or subsystems of equipment that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information that fall within the responsibility of owner/operator to operate and/or maintain.”
41 See CISA, Securing Industrial Control Systems: A Unified Initiative (FY 2019–2023) at 4, available at https://www.cisa.gov/sites/default/files/publications/Securing_Industrial_Control_Systems_S508C.pdf (last accessed Aug. 30, 2023).
From a design perspective, some pipeline and rail assets are more attractive targets for a cybersecurity incident simply because of the transported commodity and the impact an incident would have on national security and commerce. Minor pipeline and rail system disruptions may result in commodity price increases, while prolonged pipeline and rail operational disruptions could lead to widespread energy shortages and disruption of critical supply lines. Short- and long-term disruptions and delays may affect other domestic critical infrastructure and industries that depend on pipeline and rail system commodities, such as our national defense system.

The May 2021 DarkSide attack on a major pipeline company is just one of many recent ransomware attacks that have demonstrated the necessity of ensuring that critical infrastructure owner/operators are proactively deploying CRM measures. The Multi-State Information Sharing and Analysis Center observed a 153 percent increase in the number of ransomware attacks reported by State, Local, Tribal, and Territorial governments in the one-year period from 2018 to 2019, including both opportunistic and strategic campaigns.42 The need to mitigate the threats facing domestic critical infrastructure, including by enhancing the pipeline and rail industry’s current cybersecurity risk management posture, is further highlighted by recent warnings about Russian,43 Chinese,44 and Iranian 45 state-sponsored cyber espionage campaigns to develop capabilities to disrupt U.S. critical infrastructure to include the transportation sector.46 Failure to take action could have significant implications for national and economic security.

On March 24, 2022, the U.S. Department of Justice unsealed indictments of three Russian Federal Security Service (FSB) officers and employees of a State Research Center of the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics for their involvement in intrusion campaigns against U.S. and international oil refineries, nuclear facilities, and energy companies. Documents revealed that the Russian FSB conducted a multi-stage campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data.47 A recent multi-national cybersecurity advisory noted that “Russian state-sponsored cyber actors have demonstrated capabilities to compromise IT networks; develop mechanisms to maintain long-term, persistent access to IT networks; exfiltrate sensitive data from IT and [OT] networks; and disrupt critical (ICS)/OT functions by deploying destructive malware.” 48 The nation’s adversaries and strategic competitors will continue to use cyber espionage and cyber-attacks to seek political, economic, and military advantage over the United States and its allies and partners.

These recent incidents demonstrate the potentially devastating impact that increasingly sophisticated cybersecurity incidents can have on our nation’s critical infrastructure, as well as the direct repercussions felt by U.S. citizens. The consequences and threats discussed above demonstrate the necessity of ensuring that critical infrastructure owner/operators are proactively deploying CRM measures.

4. Threat of Cybersecurity Incidents at the Nexus of IT and OT Systems

Some sectors have taken significant steps to protect either their IT or OT systems, depending on which is considered most critical for their business needs (e.g., a commodities sector may focus on OT systems while a financial sector or other business that focuses on data may focus on IT systems). Ransomware attacks targeting critical infrastructure threaten both IT and OT systems and exploit the connections between these systems. For example, when OT components are connected to IT networks, this connection provides a path for cyber actors to pivot from IT to OT systems.49 Given the importance of critical infrastructure to national and economic security, accessible OT systems and their connected assets and control structures are an attractive target for malicious cyber actors seeking to disrupt critical infrastructure for profit or to further other objectives.50 As CISA notes, recent cybersecurity incidents demonstrate that intrusions affecting IT systems can also affect critical operational processes even if the intrusion does not directly impact an OT system.51 For example, business operations on the IT system sometimes are used to orchestrate OT system operations. As a result, when there is a compromise of the IT system, there is a risk of unaffected OT systems being impacted by the loss of operational directives and accounting functions.

DHS, the Department of Energy (DOE), the Federal Bureau of Investigation, and the National Security Agency have all urged the private sector to implement a layered, “defense-in-depth” cybersecurity posture. For example, ensuring that OT and IT systems are separate and segregated will help protect against intrusions that can exploit vulnerabilities from one system and move laterally to infect another.

42 See MS–ISAC Security Primer 2020–0002 (May 2020), available at https://www.cisecurity.org/insights/white-papers/security-primer-ransomware (last accessed June 3, 2023).
43 See 2023 Intelligence Community Assessment, supra note 9, at 15.
44 See id. at 10.
45 See id. at 19.
46 In addition to the resources available at the cites referenced in the preceding notes, additional information is available on CISA’s advisories organized by state-sponsored groups, i.e., https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/china (China Cyber Threat Overview and Advisories); https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/russia (Russian Cyber Threat Overview and Advisories); and https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/iran (Iran Cyber Threat Overview and Advisories). See also FBI Private Industry Bulletin TRITON Malware Remains Threat to Global Critical Infrastructure Industrial Control Systems (Mar. 24, 2022), available at docs.house.gov/meetings/JU/JU00/20220329/114533/HHRG-117-JU00-20220329-SD009.pdf (last accessed Sept. 22, 2023).
47 The superseding indictment is available at https://www.justice.gov/opa/pr/us-citizens-and-russian-intelligence-officers-charged-conspiring-use-us-citizens-illegal#:~:text=Among%20other%20illegal%20activities%2C%20the,for%20local%20office%20in%20St. (Department of Justice Press Release, U.S. Citizens and Russian Intelligence Officers Charged with Conspiring to Use U.S. Citizens as Illegal Agents of the Russian Government, Apr. 18, 2023) (last accessed Sept. 25, 2023); see also Joint Cybersecurity Advisory, Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector, Alert AA22–083A (Mar. 24, 2022), available at https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-083a (last accessed Dec. 29, 2023).
48 See Joint Cybersecurity Advisory, Russian State Sponsored and Criminal Cyber Threat to Critical Infrastructure, Alert AA22–110A (Apr. 20, 2022), available at https://www.cisa.gov/uscert/ncas/alerts/aa22-110a (last accessed Dec. 29, 2023).
A stand-alone, unconnected (“air-gapped”) OT system is safer from outside threats than an OT system connected to one or more enterprise IT systems with external connectivity (no matter how secure the outside connections are thought to be).52 By implementing a layered approach, owner/operators and their network administrators will enhance the defensive cybersecurity posture of their OT and IT systems, reducing the risk of compromise or severe operational degradation if their system is compromised by malicious cyber actors.53

The cyber threat to our nation’s critical infrastructure has only increased in the time since TSA’s first cybersecurity SD was issued. The surface transportation sector, including the oil and gas pipeline industry, is increasingly dependent on automation and use of connected technology.54 Cyber threats to surface transportation systems continue to proliferate as both nation-state actors and criminal cyber groups are actively targeting oil and natural gas pipelines with the potential to cause operational disruption and economic harm. Ransomware attacks are likely to increase in the near and long term, due in part to vulnerabilities identified by threat actors in U.S. networks, while nation-state actors continue to target U.S. infrastructure for disruptive cyberattack options in a crisis or conflict.55 These threats and their potential consequences to critical transportation systems and infrastructure demonstrate the need for TSA to ensure owner/operators continue to proactively deploy cybersecurity risk management measures.

49 See CISA Fact Sheet, Rising Ransomware Threat to Operational Technology Assets (June 2021), available at https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Rising_Ransomware_Threat_to_OT_Assets_508C.pdf (last accessed June 3, 2023).
50 Id.
51 Id.
Protecting this critical and interconnected sector, and the consumers that rely on it, from the impact of cybersecurity incidents cannot be accomplished on an ad hoc basis that relies entirely on voluntary action. The pipeline sector is an interconnected system. As noted by the Interstate Natural Gas Association of America, “natural gas transmission systems have numerous interconnection points and market hubs. . . . There are no major interstate pipelines that operate in isolation, i.e., without interconnection with at least one or more other pipelines.” 56 As noted by the PHMSA, “[p]ipelines play a vital role in our daily lives. They transport fuels and petrochemical feedstocks that we use in cooking and cleaning, in our daily commutes and travel, in heating our homes and businesses, and in manufacturing hundreds of products we use daily.” 57

Similarly, with the nation’s rail system, railroads move over 1.5 billion tons of freight annually,58 and a disruption to this movement would have damaging ripple effects across industries, including on international trade. In the rail system, the implementation of positive train control (PTC) systems has resulted in a far more interconnected rail system than previously existed in the United States. The interoperability of PTC systems occurs when the “controlling locomotives and/or cab cars of any host railroad and tenant railroad operating on the same PTC-equipped main line are able to communicate with and respond to the PTC system, even when trains are moving over property boundaries.” 59 The nation’s economic security relies on freight rail owner/operators to transport critical manufacturing materials, food product, lumber, coal, and other materials critical to the supply chain. These railroads also host major passenger and commuter rail lines.60 The nature of these systems requires a baseline of cybersecurity risk management across the highest-risk operations to protect these vital resources to national security, including economic security.

52 See National Security Agency Cybersecurity Advisory, Stop Malicious Cyber Activity Against Connected Operational Technology (PP–21–0601 | APR 2021 Ver 1.0), available at https://media.defense.gov/2021/Apr/29/2002630479/-1/-1/1/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF (last accessed Sept. 19, 2022).
53 See Joint Cybersecurity Advisory, Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 (Alert AA21–200A), available at https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-201a (last accessed Sept. 19, 2024).
54 See written testimony of Eric Goldstein, Executive Assistant Director for Cybersecurity CISA, Joint Hearing Before the Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, and the Subcommittee on Transportation and Maritime Security, U.S. House of Representatives Committee on Homeland Security, Cyber Threats in the Pipeline: Lessons from the Federal Response to the Colonial Pipeline Ransomware Attack (June 15, 2021).
55 See 2023 Intelligence Community Assessment, supra note 8, for open-source information on the cybersecurity threat. See also 2024 Intelligence Community Assessment, supra note 5.
56 The Interstate Natural Gas Association of America, The Interstate Natural Gas Transmission System: Scale, Physical Complexity, and Business Model, at 1–2 (Aug. 6, 2010).
57 PHMSA, Pipeline Basics, available at https://primis.phmsa.dot.gov/comm/PipelineBasics.htm (last accessed July 29, 2024).
58 See https://www.aar.org/data-center/railroads-states/#:~:text=In%20a%20typical%20year%2C%20U.S.,nearly%20140%2C000%20miles%20of%20track (last accessed July 31, 2024).
B. Statutory Authorities

The security of the nation’s transportation systems is vital to the economic health and security of the United States. Ensuring transportation security while promoting the movement of legitimate travelers and commerce is a critical counter-terrorism mission assigned to TSA. Following the attacks of September 11, 2001, Congress created TSA under the Aviation and Transportation Security Act (ATSA) and established the agency’s primary federal role to enhance security for all modes of transportation.61 The scope of TSA’s authority includes assessing security risks,62 developing security measures to address identified risks,63 and enforcing compliance with these measures.64 TSA has broad regulatory authority to issue, rescind, and revise regulations as necessary to carry out its transportation security functions.

1. TSA Surface-Related SDs and Information Circulars

Under 49 U.S.C. 114(l)(2)(A), TSA is authorized to issue emergency regulations or SDs without providing notice or public comment where “the Administrator determines that a regulation or security directive must be issued immediately in order to protect transportation security.” 65 SDs issued pursuant to the procedures in 49 U.S.C. 114(l)(2) “shall remain effective for a period not to exceed 90 days unless ratified or disapproved by the [Transportation Security Oversight] Board [(TSOB)] or rescinded by the Administrator.” 66

TSA issued SDs in 2021 and 2022 67 in response to the cybersecurity threat to surface transportation systems and associated infrastructure to protect against the significant harm to the national and economic security of the United States that could result from the “degradation, destruction, or malfunction of systems that control this infrastructure.” 68 The most current and previous versions of these SDs are available on TSA’s website.69

The first pipeline SD (the SD Pipeline–2021–01 series), issued on May 27, 2021, requires several actions to enhance the security of critical pipeline systems 70 against cybersecurity threats and provided that owners/operators must: (1) designate a primary and alternate Cybersecurity Coordinator; (2) report cybersecurity incidents to CISA within 24 hours of identification of a cybersecurity incident; 71 and (3) review TSA’s pipeline guidelines,72 assess their current cybersecurity posture, and identify remediation measures to address the vulnerabilities and cybersecurity gaps.73 For purposes of the SDs, TSA defined a “cybersecurity incident” as “an event that, without lawful authority, jeopardizes, disrupts or otherwise impacts, or is reasonably likely to jeopardize, disrupt or otherwise impact, the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system.” The reports must (1) identify the affected systems or facilities; and (2) describe the threat, incident, and impact or potential impact on IT and OT systems and operations.

The second pipeline SD (the SD Pipeline–2021–02 series), first issued on July 19, 2021, required owner/operators to implement specific mitigation measures to protect against ransomware attacks and other known threats to IT and OT systems and conduct a cybersecurity architecture design review.

59 See https://www.freightwaves.com/news/u-s-class-i-railroads-inch-towards-full-positive-train-control-implementation, PTC is interoperable on nearly half of the Class I U.S. rail operations (posted Feb. 28, 2020, by Joanna Marsh) (last accessed July 29, 2024).
60 Id.
61 Public Law 107–71, 115 Stat. 597 (Nov. 19, 2001). ATSA created TSA as a component of the DOT. See 49 U.S.C. 114, which codified section 101 of ATSA. Section 403(2) of the Homeland Security Act of 2002 (HSA), Public Law 107–296, 116 Stat. 2135 (Nov. 25, 2002), transferred all functions related to transportation security, including those of the Secretary of Transportation and the Under Secretary of Transportation for Security, to the Secretary of Homeland Security. Pursuant to DHS Delegation Number 7060.02.1, the Secretary delegated to the Administrator, subject to the Secretary’s guidance and control, the authority vested in the Secretary with respect to TSA, including the authority in sec. 403(2) of the HSA. See also 49 U.S.C. 114(d), which specifically gives the Administrator authority over all modes of transportation regulated by the Department of Transportation at the time TSA was established.
62 See, e.g., 49 U.S.C. 114(f)(1)–(3).
63 See, e.g., 49 U.S.C. 114(f)(4), (10), and (11).
64 See, e.g., 49 U.S.C. 114(f)(7) and (9).
65 This provision states: “Notwithstanding any other provision of law or executive order (including an executive order requiring a cost-benefit analysis), if the Administrator [of TSA] determines that a regulation or security directive must be issued immediately in order to protect transportation security, the Administrator shall issue the regulation or security directive without providing notice or an opportunity for comment and without prior approval of the Secretary.” In addition, section 114(d) provides the Administrator authority for security of all modes of transportation; section 114(f) provides specific additional duties and powers to the Administrator; and section 114(m) provides authority for the Administrator to take actions that support other agencies.
66 49 U.S.C. 114(l)(2)(B).
67 See https://www.tsa.gov/sd-and-ea (last accessed June 10, 2024). TSA issued these SDs under the specific authority of 49 U.S.C. 114(l)(2)(A).
68 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (July 28, 2021).
69 See supra note 67.
70 “Critical pipeline systems” are determined by TSA based on risk.
71 As originally issued, the directive required notification within 12 hours of identification. In May 2022, TSA revised this requirement to require notification within 24 hours of identification.
72 See section I.F. for more information on TSA’s guidelines for the pipeline owner/operators.
73 TSA may also use the results of assessments to identify the need to impose additional security measures as appropriate or necessary. TSA and CISA may use the information submitted for vulnerability identification, trend analysis, or to generate anonymized indicators of compromise or other cybersecurity products to prevent other cybersecurity incidents.
This SD also required owner/operators to develop and adopt a cybersecurity incident response plan to reduce the risk of operational disruption should their IT and/or OT systems be affected by a cybersecurity incident.74

In December 2021, TSA issued SDs to higher-risk freight railroads (the SD 1580–21–01 series) and passenger rail and rail transit owner/operators (the SD 1582–21–01 series), requiring that they also implement the following requirements previously imposed on pipeline systems and facilities: (1) designation of a Cybersecurity Coordinator; (2) reporting of cybersecurity incidents to CISA within 24 hours; (3) developing and implementing a cybersecurity incident response plan to reduce the risk of an operational disruption; and (4) completing a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems. For owner/operators not specifically covered under the SD 1580–21–01 or 1582–21–01 series, TSA also issued an Information Circular (IC–2021–01), which included a non-binding recommendation for those surface owner/operators not subject to the SDs to voluntarily implement the same measures.75

In the year following issuance of the second pipeline SD, TSA determined that its prescriptive requirements limited the ability of owner/operators to adapt the requirements to their operational environment and apply innovative alternative measures and new capabilities. Because of the need to provide greater flexibility, TSA revised this SD series, effective July 27, 2022 (SD Pipeline–2021–02C), to maintain the security objectives in the previous versions of the SD while imposing performance-based, rather than prescriptive, security measures. As revised, the SD allows covered owner/operators to choose how best to implement security measures for their specific systems and operations while mandating that they achieve critical security outcomes. This approach also affords these owner/operators the ability to adopt new technologies and security capabilities as they become available, provided that TSA’s mandated security outcomes continue to be met.

The current directive, most recently revised in July 2024, specifically requires the covered owner/operators of critical pipeline systems and facilities to take the following actions:

• Establish and implement a TSA-approved CIP that describes the specific cybersecurity measures employed to protect Critical Cyber Systems, as defined by the owner/operator, and the schedule for achieving the security outcomes identified by TSA.
• Develop and maintain an up-to-date CIRP to reduce the risk of operational disruption, or the risk of other business disruption, as defined in the SD, should the IT and/or OT systems of a gas or liquid pipeline or railroad be affected by a cybersecurity incident. The CIRP must be exercised each year to test at least two objectives of the plan and include personnel responsible for actions in the CIRP.
• Develop a CAP that describes how the owner/operator will proactively, regularly, and completely assess the effectiveness of cybersecurity measures in their CIP, and identify and resolve device, network, and/or system vulnerabilities. This plan must be submitted to TSA for approval and an annual report provided to TSA and corporate leadership.

74 See https://www.tsa.gov/sites/default/files/sd_pipeline_2021-02b-non_ssi_06-06-2022.pdf (last accessed June 10, 2024) for a version of the SD with the prescriptive requirements.
75 See https://www.tsa.gov/sites/default/files/20211201_surface-ic-2021-01.pdf (last accessed Oct. 16, 2023).
The CIP must identify how the owner/operators meet the following primary security outcomes:

• Implement network segmentation policies and controls to ensure that the OT system can continue to safely operate in the event that an IT system has been compromised, or vice versa;
• Implement access control measures to secure and prevent unauthorized access to critical cyber systems;
• Implement continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and
• Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.

As noted above, in addition to developing and implementing a TSA-approved CIP, this directive requires the covered owner/operators to continually assess their cybersecurity posture. These owner/operators must develop and update a CAP and submit an annual plan to TSA that describes their program for the coming year, including details on the processes and techniques that they would be using to assess the effectiveness of cybersecurity measures. Techniques such as penetration testing of IT systems and the use of “red” and “purple” team (adversarial perspective) testing are referenced in the SD. At a minimum, the CAP must include an architectural design review every 2 years. See section III.D.3. of this NPRM for additional discussion regarding the CAP required by the SD.

The scope of the requirements in this directive applies to Critical Cyber Systems. TSA defined a Critical Cyber System to include “any IT or OT system or data that, if compromised or exploited, could result in operational disruption.
Critical Cyber Systems include business services that, if compromised or exploited, could result in operational disruption.” 76

On October 18, 2022, TSA issued an SD imposing similar performance-based cybersecurity requirements on higher-risk freight railroads and passenger rail owner/operators (SD 1580/82–2022–01).77 This SD was also developed with extensive input from industry stakeholders and federal partners, including CISA and the FRA, to address issues unique to the rail industry. This engagement included providing the industry with a draft to review and comment upon and several meetings, including technical roundtables with cyber experts within the industry, before TSA issued the SD.

As TSA issued these directives under the statutory authority in 49 U.S.C. 114(l)(2) and intended the requirements to be in place for more than 90 days, TSA sought TSOB review and ratification of the use of the agency’s emergency authorities. Table 2 provides the ratification dates for each SD.

TABLE 2—TSOB RATIFICATION DATES FOR TSA’S SDS

| SD series | Specific SD | Date of ratification | Federal Register citation |
|---|---|---|---|
| SD 1580–21–01 | SD 1580–21–01 | December 29, 2021 | 87 FR 31093 (May 23, 2022) |
| | SD 1580–21–01A | November 16, 2022 | 88 FR 36921 (June 6, 2023) |
| | SD 1580–21–01B | November 22, 2023 | TBD |
| SD 1582–21–01 | SD 1582–21–01 | December 29, 2021 | 87 FR 31093 (May 23, 2022) |
| | SD 1582–21–01A | November 16, 2022 | 88 FR 36921 (June 6, 2023) |
| | SD 1582–21–01B | November 22, 2023 | TBD |
| SD 1580/82–2022–01 | SD 1580/82–2022–01 | November 16, 2022 | 88 FR 36921 (June 6, 2023) |
| | SD 1580/82–2022–01A | November 22, 2023 | TBD |
| | SD 1580/82–2022–01B | Superseded 78 | N/A |
| | SD 1580/82–2022–01C | July 29, 2024 | TBD |
| SD Pipeline–2021–01 | SD Pipeline–2021–01 | July 3, 2021 | 86 FR 38209 (July 20, 2021) |
| | SD Pipeline–2021–01A | December 29, 2021 | 87 FR 31093 (May 23, 2022) |
| | SD Pipeline–2021–01B | June 24, 2022 | 88 FR 36921 (June 6, 2023) |
| | SD Pipeline–2021–01C | June 21, 2023 | 89 FR 28570 (April 19, 2024) |
| | SD Pipeline–2021–01D | June 28, 2024 | TBD |
| SD Pipeline–2021–02 | SD Pipeline–2021–02 | August 17, 2021 | 86 FR 52953 (Sept. 24, 2021) |
| | SD Pipeline–2021–02B | January 13, 2022 | 87 FR 31093 (May 23, 2022) |
| | SD Pipeline–2021–02C | August 19, 2022 | 88 FR 36921 (June 6, 2023) |
| | SD Pipeline–2021–02D | August 24, 2023 | 89 FR 28570 (April 19, 2024) |
| | SD Pipeline–2021–02E | August 23, 2024 | TBD |

76 For purposes of this directive, “operational disruption” is defined as “a deviation from or interruption of business critical functions that results from a compromise or loss of data, system availability, system reliability, or control of a TSA-designated critical pipeline and rail system or facility.” “Business critical functions” is defined as the “owner/operator’s determination of capacity to support functions necessary to meet operational needs and supply-chain expectations.”
77 See https://www.tsa.gov/sites/default/files/sd1580-82-2022-01.pdf (last accessed Oct. 19, 2022).

2. TSA’s Assessments, Guidelines, and Regulations Applicable to Pipeline and Rail Systems

The Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Act) 79 requires certain actions to enhance surface transportation security. The following two mandates are specifically relevant to this rulemaking.

a. Pipeline Guidelines, Assessments, and Regulations

Section 1557(a) of the 9/11 Act requires a program to review pipeline operator adoption of guidelines originally issued by the DOT in 2002.80 TSA originally reviewed operators’ adoption of the Pipeline Security Information Circular, issued on September 5, 2002, by DOT’s Office of Pipeline Safety as the primary federal guideline for industry security. TSA also reviewed operators’ adoption of a complementary document, the DOT-issued Pipeline Security Contingency Planning Guidance of June 2002. Recognizing that the Security Circular required updating, TSA initiated a process to amend the federal security guidance. These revised guidelines were first developed in 2010 and 2011 in collaboration with industry and government members of the Pipeline Sector and Government Coordinating Councils and other industry association representatives and included a range of recommended security measures covering all aspects of pipeline operations.
Consistent with TSA’s general authorities under ATSA and the requirements in section 1557(d) of the 9/11 Act, the advancement of security practices to meet the ever-changing threat environment in both the physical and cyber security realms required that the guidelines be updated again. Using a similar industry and government collaborative approach, TSA updated the Pipeline Security Guidelines in 2018 (Pipeline Guidelines).81 As part of this update, TSA added Section 7, “Pipeline Cyber Asset Security Measures,” including pipeline cyber asset identification; security measures for pipeline cyber assets; and cybersecurity planning and implementation guidance.

Section 1557(b) also requires reviewing the pipeline security plans and inspection of the most critical facilities for the 100 most critical pipeline operators.82 The Pipeline Guidelines are used as the standard for TSA’s Pipeline Security Program Corporate Security Reviews (CSRs) and Critical Facility Security Reviews (CFSRs) of the most critical pipeline systems. The CSR program has been in effect since 2003, during which time a total of approximately 260 CSRs have been completed industry wide. Approximately 800 CFSRs have been completed since this program’s inception in 2009.

78 SD 1580/82–2022–01B, issued in May 2024, was superseded by SD 1580/82–2022–01C before ratification by the TSOB.
79 Public Law 110–53, 121 Stat. 266 (Aug. 3, 2007).
80 Id., as codified at 6 U.S.C. 1207(a).
81 See Pipeline Security Guidelines (Mar. 2018), with Change 1 (Apr. 2021), available at https://www.tsa.gov/sites/default/files/pipeline_security_guidelines.pdf (last accessed Sept. 19, 2022).
Finally, section 1557(d) specifically authorizes the Secretary of Homeland Security (Secretary) to issue regulations, as appropriate and following consultation with the Secretary of Transportation on the extent of risk and appropriate mitigation measures, and to issue binding regulations and carry out necessary inspection and enforcement actions.83 Such regulations would incorporate the 2002 guidelines and contain additional requirements as necessary based upon results of the inspections performed under section 1557(b). This section specifically authorizes assessment of penalties against pipeline facilities and systems for non-compliance.84 While TSA has had this authority since 2007, TSA has not determined it was necessary to exercise it until this current rulemaking, which is intended to address the increasing cybersecurity threat to pipeline facilities and systems. In addition, while the guidelines are available to all pipeline facilities and systems, regardless of whether TSA has determined the system is critical, TSA has not determined it is necessary to impose cybersecurity requirements through its emergency authorities on the full scope of pipeline owner/operators to which the guidelines are issued.

Although this rulemaking would impose cybersecurity requirements on certain pipeline owners and operators and subject such entities to inspections for compliance, TSA would continue to conduct voluntary security assessments in areas where mandatory requirements do not exist (e.g., the physical security measures recommended in the guidelines) as part of a “structured oversight” approach. This approach assesses and provides feedback on voluntary implementation of cybersecurity recommendations for systems not covered by this proposed rule.

82 See 6 U.S.C. 1207(b).
83 See 6 U.S.C. 1207(d).
84 Id. TSA also has specific authority to enforce its security regulations. See 49 U.S.C. 114(f)(7).
These assessments would continue TSA’s approach of working with the industry to determine the industry’s voluntary adoption of and adherence to non-regulatory guidelines, including Security Action Items and other security measures developed jointly with, and agreed to by, industry stakeholders to meet relevant security needs.85 As part of these assessments, TSA provides recommendations to owner/operators and identifies resources to support them in voluntarily enhancing their physical and cyber security baseline.

b. Regulating Railroads, Public Transportation Systems, and OTRBs

In 2008, TSA promulgated regulations imposing security requirements on owner/operators of freight railroads and rail transit systems, including passenger rail and commuter rail, heavy rail transit, light rail transit, automated guideway, cable car, inclined plane, funicular, and monorail systems. This regulation, in pertinent part, covers appointment of security coordinators and security-related reporting requirements. For freight railroads, the 2008 rule also imposed requirements for the secure transport of Rail Security-Sensitive Materials.86

In addition to measures to enhance pipeline security, the 9/11 Act required other regulations to enhance surface transportation security. On March 23, 2020, consistent with these requirements, TSA published the final rule, “Security Training for Surface Transportation Employees.” 87 This regulation requires owner/operators of higher-risk freight railroad carriers (as defined in 49 CFR 1580.101), public transportation agencies (including rail mass transit and bus systems and passenger railroad carriers, as defined in 49 CFR 1582.101), and OTRB companies (as defined in 49 CFR 1584.101), to provide TSA-approved security training to employees performing security-sensitive functions. In addition to implementing these provisions, the final rule also expanded the requirement for security coordinators and reporting of significant security concerns to apply to OTRB and bus-only public transportation agencies, and defined Transportation Security-Sensitive Materials.88

The 9/11 Act also requires regulations for higher-risk public transportation agencies, railroads, and OTRB owner/operators to develop security plans to address specific security issues and vulnerabilities identified during an assessment of specific systems, infrastructure, and capabilities.89 TSA published an advance notice of proposed rulemaking (ANPRM) in December 2016 seeking comment on specific issues related to the 9/11 Act’s requirements for a regulation to address vulnerability assessments and security plans.90 Through this ANPRM, TSA solicited information on the extent to which owner/operators of freight railroads, PTPR systems, and OTRBs had taken actions consistent with those prescribed by the 9/11 Act for vulnerability assessments and security plans, what resources they used to support these actions, and information on implementation costs. Given the passage of time and different scope of this rulemaking, TSA has established a new docket for this rulemaking and advises commenters on the 2016 ANPRM to submit comments on this NPRM if they wish for their views to be addressed in a final rule.

85 For additional information on TSA’s resources and surface transportation security initiatives, see TSA’s website at https://www.tsa.gov/for-industry/resources (last accessed Aug. 30, 2023).
86 See Rail Transportation Security Final Rule (Rail Security Rule), 73 FR 72130 (Nov. 26, 2008).
While this proposed rule would not address all elements of vulnerability assessments and security plans stipulated in the 9/11 Act, it would address the 9/11 Act’s requirements as they relate to the IT and OT systems used by high-risk freight railroads and PTPR systems. For example, the 9/11 Act requires identification and evaluation of critical systems, including information systems,91 plans for providing redundant and backup systems needed to ensure continued operations in the event of a cybersecurity incident, and identification of the vulnerabilities to these systems.92 The vulnerability assessment requirements applicable to higher-risk rail carriers must also identify strengths and weaknesses in (1) programmable electronic devices, computers, or other automated systems used in providing transportation; (2) alarms, cameras, and other protection systems; (3) communications systems and utilities needed for railroad security purposes, including dispatching and notification systems; and (4) other matters determined appropriate by the Secretary.93 For security plans, the statute requires regulations that address, among other things, actions to mitigate identified vulnerabilities, the protection of passenger communication systems, emergency response, ensuring redundant and backup systems are in place to ensure continued operation of critical elements of the system in the event of a terrorist attack or other incident, and other actions or procedures as the Secretary determines are appropriate to address the security of the public transportation system or the security of railroad carriers, as appropriate.94 The provisions proposed in this NPRM would satisfy such requirements as they relate to cybersecurity in high-risk public transportation agencies and railroads.

In short, the 9/11 Act provisions described above contain a combination of detailed requirements regarding vulnerability assessments and the content of security plans.

87 85 FR 16456.
88 See secs. 1512 and 1531 of the 9/11 Act, as codified at 6 U.S.C. 1162 and 1181, respectively, for security coordinator requirements. See sec. 1501(13) of the 9/11 Act, as codified at 6 U.S.C. 1151(13), for the requirement to define “Transportation Security Sensitive Materials.”
89 See secs. 1405 and 1512 of the 9/11 Act, as codified at 6 U.S.C. 1134 and 1162, respectively; see also section 1531, as codified at 6 U.S.C. 1181 (which imposes similar requirements for OTRBs).
90 See 81 FR 91401 (Dec. 16, 2016).
91 See secs. 1405(a)(3) and 1512(d)(1)(A) of the 9/11 Act, as codified at 6 U.S.C. 1134(a)(3), 1162(d)(1)(A), respectively.
92 See id. at secs. 1405(c)(2), 1512(d)(1)(D), and 1512(e)(1)(G), as codified at 6 U.S.C. 1134(c)(2), 1162(d)(1)(D), 1162(e)(1)(G), respectively.
93 See id. at sec. 1512(d), as codified at 6 U.S.C. 1162(d).
94 See id. at secs. 1405(c)(2) and 1512(e), as codified at 6 U.S.C. 1134(c)(2), 1162(e), respectively. Only one commenter on the ANPRM specifically addressed the inclusion of IT and OT systems for purposes of vulnerability assessments and security planning. See TSA–2016–0002–0013, available at https://www.regulations.gov under Docket No. TSA–2016–0002. This commenter indicated that, at the time of the comment, the Rail Information Security Committee of the Association of American Railroads focuses on cybersecurity and the “industry’s physical and cyber security committees annually conduct risk assessments using “relevant security information” from a variety of resources. As part of this effort, they evaluate specific information technology and communication assets. They also indicated that the industry emphasizes analysis of cyber incidents and sharing information with railroads.
Each of these provisions confirms and supplements TSA’s authority to impose such requirements as are appropriate or necessary to ensure the security of the transportation system. TSA would issue the proposed rule pursuant to and consistent with its general authorities and the 9/11 Act’s requirements.

C. References

1. National Cybersecurity Strategy

In March 2023, the Biden-Harris Administration released the National Cybersecurity Strategy.95 This strategy includes the following five pillars identified as critical for building and enhancing the collaboration necessary to strengthen the nation’s cybersecurity posture to protect infrastructure critical to national security and the economy: (a) defend critical infrastructure; (b) disrupt and dismantle threat actors; (c) shape market forces to drive security and resilience; (d) invest in a resilient future; and (e) forge international partnerships to pursue shared goals. Consistent with this strategy, TSA is proposing a performance-based regulation for cybersecurity that builds on the NIST CSF and uses the CISA CPGs as guardrails to ensure prioritization of those measures most critical for establishing a common baseline to reduce known risks to national security and the economy.96 The following provides a high-level overview of the NIST CSF and the CISA CPGs. A table that aligns these two documents with the proposed requirements in this NPRM is available in the docket for this rulemaking.

2. NIST Cybersecurity Framework

Executive Order (E.O.) 13636 of February 12, 2013 (Improving Critical Infrastructure Cybersecurity), directed NIST to develop a voluntary framework to reduce cyber risks to critical infrastructure.97 This framework, created in collaboration between industry and government, consists of standards, guidelines, and practices to promote the protection of critical infrastructure.
The recommendations in the framework are intended to provide a prioritized, flexible, repeatable, and cost-effective approach to manage cybersecurity-related risks. The framework is not a regulatory document in that it is written as recommendations and is not enforceable. The recommendations are also extensive and may not be applicable to every business or context. NIST is currently in the process of reviewing and revising the Cybersecurity Framework. For purposes of this rulemaking, TSA has relied on Version 1.1 of April 16, 2018. The NIST CSF is a comprehensive resource for developing a cybersecurity program for any business.

95 See supra note 12.
96 Id. at 8–9.
97 Published at 78 FR 11737 (Feb. 19, 2013). The Cybersecurity Enhancement Act of 2014, Public Law 113–274, 128 Stat. 2971, 2972–73, subsequently formalized the requirements in the E.O. into statutory requirements for NIST.
The framework generally includes the following key steps: (a) understanding the business’s current cybersecurity posture by scoping the Organizational Profile; (b) gathering information needed to prepare the Organizational Profile, i.e., defining a target state, which should be informed by standards and applicable regulations; (c) creating an Organizational Profile that identifies and prioritizes opportunities for improving within the context of continuous and repeatable processes; (d) analyzing the gaps between current state and the Target Profile, and creating an action plan to address any identified gaps, including a Plan of Action and Milestones; and (e) implementing the action plan and updating the Organizational Profile as necessary to keep the organization moving towards the target.98 These steps are part of an iterative cycle that should also consider opportunities for documenting and communicating the organization’s cybersecurity capabilities and known opportunities for improvement with external stakeholders, including business partners, prospective customers, suppliers, and other third parties.99 There are currently six core functions to the framework: govern, identify, protect, detect, respond, and recover. NIST recommends that all these functions be addressed concurrently as they all have vital roles related to cybersecurity.100 Within each of these functions, there are multiple recommendations. Finally, the framework identifies several framework tiers in ascending order of cybersecurity maturity. The first and lowest tier, ‘‘Partial,’’ recognizes an ad hoc, reactive, and irregular approach to cybersecurity that is driven by case-by-case responses in an environment that fails to identify clear roles and responsibilities for cybersecurity. The next tier, ‘‘Risk Informed,’’ has a cybersecurity program that is approved by management but may not be known organization wide. 
While there may be an awareness of risk at certain levels within the organization, the company lacks an organization-wide process to manage risks and doesn’t fully recognize both dependencies and dependents that could be affected by insufficient cybersecurity. As companies mature in developing and implementing cybersecurity measures, they should be moving to a “Repeatable” tier. In this tier, processes are formally approved and are known and communicated organization wide. There is an organization-wide approach to managing risks, consistent methods are in place for cybersecurity policies, individuals within the company know their roles and responsibilities for cybersecurity, and the company is aware of dependencies and dependents. The top tier, “Adaptive,” applies to companies that have implemented predictive, advanced technologies to address cybersecurity. In this tier, cybersecurity risks inform corporate decisions, and the company understands its role in the larger ecosystem and contributes to a broadening understanding of cybersecurity in its business environment. As part of this understanding, the company has a strong supply chain understanding and program to manage cybersecurity risks within the supply chain based on dependencies and dependents.

98 See supra note 13 at 7.
99 Id.
100 Id. at 5.

3. CISA Cross-Sector Cybersecurity Performance Goals

CISA developed the CPGs as directed by the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (signed July 28, 2021). The CISA CPGs can be read as a prioritized subset of the NIST CSF that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques. As with the NIST CSF, the CISA CPGs are voluntary. Unlike the NIST CSF, the CISA CPGs are not intended to be comprehensive.
Aligned with the NIST CSF, the CISA CPGs supplement that framework by supporting businesses in prioritizing cybersecurity measures critical for establishing a baseline of cybersecurity across critical infrastructure that emphasizes measures based on their demonstrated ability to reduce known risks. The prioritization used in the CISA CPGs goes beyond consideration of risks to specific entities and considers the aggregate risk to the nation of cybersecurity incidents on critical sectors. The recommendations in the CISA CPGs align with the six core functions of the NIST CSF identified above.

4. TSA Advance Notice of Proposed Rulemaking

On November 30, 2022, TSA published an ANPRM to provide an opportunity for interested individuals and organizations, particularly higher-risk pipeline and rail (including freight, passenger, and transit rail) operations, to help TSA develop a comprehensive and forward-looking approach to surface cybersecurity requirements. The ANPRM also solicited input from the industry associations representing these companies, third-party cybersecurity subject matter experts, and insurers and underwriters for cybersecurity risks for these transportation sectors.101 TSA received comments from 35 commenters in response to the ANPRM, with almost 600 specific issues raised by the commenters, which included major trade associations and individuals.102 Most comments received fell into a few general categories: (1) general support; (2) emphasis on the need for regulatory harmonization and performance-based regulation; and (3) comments on core elements, particularly comments related to training, supply chain, and third-party assessors. Some comments opposed potential regulation at this time, suggesting that voluntary measures are currently sufficient, and that TSA should wait for other standards (such as the CISA CPGs) to further mature. TSA considered all comments received.
The following provides a high-level summary of the comments. a. General Support and Need for Regulatory Harmonization and Performance-Based Regulation The industry comments generally supported a regulation that builds upon the previously issued SDs. Many commenter groups complimented TSA’s current performance-based directives, which provide owner/operators the flexibility to determine how to implement cybersecurity protocols to achieve the desired outcomes. Furthermore, they emphasized how 101 See Enhancing Surface Cyber Risk Management, 87 FR 73527 (Nov. 30, 2022). Through a subsequent notice, TSA extended the comment period from January 17, 2023, to February 1, 2023. See 87 FR 78911 (Dec. 23, 2022). 102 Comments may be viewed in the docket for this rulemaking, TSA–2022–0001, at https:// www.regulations.gov. The American Gas Association, American Fuel and Petrochemical Manufacturers, Association of American Railroads, American Short Line and Regional Railroad Association, American Public Transportation Association, Airlines for America, Liquid Energy Pipeline Association, Interstate Natural Gas Association, American Petroleum Institute, and AFL–CIO Transportation Trades Division were among the major trade associations that submitted comments. E:\FR\FM\07NOP2.SGM 07NOP2 Federal Register / Vol. 89, No. 216 / Thursday, November 7, 2024 / Proposed Rules adaptive CRM programming would enable regulated parties to— • Assess known and potential system and environment vulnerabilities; • Assess the likelihood and potential operational and financial impacts of a threat actor leveraging vulnerabilities to cause a cybersecurity incident; • Develop a regular cadence of reassessing risk factors and recalculating risk; and • Implement and monitor the effectiveness of appropriate mitigating controls to reduce the probability or impact of an attack. 
A recurring theme in the ANPRM comments focused on encouraging TSA to use existing standards as a reference (e.g., the NIST CSF, the CISA CPGs, and the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards 103) and to collaborate with other Federal agencies to harmonize cybersecurity requirements. Several respondents recommended that TSA facilitate a cross-government group composed of State and Federal agencies that would meet regularly (e.g., monthly stakeholder calls or ongoing TSA-led briefings to relevant sector coordinating officials) and develop common lexicons between these entities before issuing requirements.

103 The NERC CIP standards are reliability standards for operators of the bulk electric system (BES). A small number of companies have both pipeline and BES business units. TSA is aware that when the agency transitioned from prescriptive security requirements in the first iteration of SD Pipeline–2021–02 to the performance-based requirements, some owner/operators subject to both the TSA and NERC requirements incorporated applicable measures into their implementation plans. TSA would continue to provide that flexibility with this proposed rule, to the extent that specific measures meet the performance standards identified in the proposed rule. TSA welcomes comments on any conflicts or divergences that TSA should take account of as part of this rulemaking.

b. Core Elements

In the ANPRM, TSA sought comment on the following 11 core elements for a CRM program:
• Designation of an individual responsible for cybersecurity;
• Access controls;
• Vulnerability assessments;
• Penetration testing, drills, and exercises;
• Technical security controls;
• Physical security controls;
• Incident response planning & operational resilience;
• Incident reporting and information sharing;
• Personnel training & awareness;
• Supply chain/third-party risk management; and
• Recordkeeping and documentation.

While TSA reviewed all of the comments received, we also note that many of the comments reiterated issues raised in discussions with industry post-issuance of the SDs discussed above. The comments, however, also included three issues of particular interest to TSA as they applied to requirements included in this proposed rule that were not specifically in the SDs: employee cyber training, supply chain/third-party vendors, and third-party assessors.

c. Training

Many comments referenced or addressed workforce cyber training. Commenters acknowledged that security training is a critical component of overall organizational security and compliance. While generally supportive of the requirement, one of the industry commenters recommended against establishing "specific training requirements," noting that specific training needs should be based on an organization's particular operating environment as well as the costs associated with a cybersecurity incident.

d. Supply Chain

The National Cybersecurity Strategy (March 2023) identifies the criticality of a secure global supply chain for information, communications, and OT products and services.104 Consistent with this prioritization, DHS identified supply chain and third-party service provider risk management as a core element for DHS cybersecurity regulations. A majority of comments mentioned or addressed supply chain issues. Many commenters discussed their efforts to establish a common understanding with vendors and third parties through cybersecurity contract provisions regarding notifications of product vulnerability, access to security patches, notifications of cybersecurity incidents, etc. One association specifically noted that a number of pipeline operators are working with DHS to develop improved ways to facilitate conversations on security between vendors and operators.

104 See National Cybersecurity Strategy, supra note 12, at 32.

e. Third-Party Assessors

The concept of third-party assessors was the topic of a significant number of comments. In general, commenters opposed requiring owners and operators to conduct assessments using third-party validators. Commenters considered such a requirement to be shifting costs from the government to the regulated parties. Companies within the different surface sub-sectors have varying degrees of capability and capacity to adopt cybersecurity standards. For example, one association indicated that they proactively conduct security control assessments of third parties and include them in response and recovery plans and exercises. Others, however, indicated they lack the capability and resources to use third-party assessors.

5. Regulatory Harmonization

As noted by the Office of the National Cyber Director (ONCD) in an August 2023 Request for Information,105 the National Cybersecurity Strategy 106 calls for establishing cybersecurity regulations to secure critical infrastructure where existing measures are insufficient, harmonizing and streamlining new and existing regulations, and enabling regulated entities to afford to achieve security. TSA emphasizes its commitment to regulatory harmonization and streamlining, and notes that this proposed rule, which is grounded in NIST's Framework for Improving Critical Infrastructure Cybersecurity, NIST's standards and best practices, and the CISA CPGs, is consistent with such priorities. TSA also acknowledges the ongoing rulemakings of other DHS components, including ongoing rulemakings on cybersecurity in maritime transportation and implementation of CIRCIA. Finally, TSA notes that this proposed rule follows several years of implementation of TSA's SDs. As noted in TSA's information collection requests for the SDs, TSA has not identified any other duplicative requirements for the cybersecurity mitigation measures required by the SDs and received no comments regarding duplication in response to notices published in the Federal Register.107 TSA's experience in imposing cybersecurity requirements to date, as well as feedback from the owner/operators subject to those requirements, indicates that complete harmonization is not possible. Even within the transportation sector, there are modal operational issues, different physical controls by other agencies that support defense-in-depth measures, as well as other factors that must be considered. For example, SD–Pipeline–2021–02 recognizes that the need to provide ready access to industrial control workstations in control rooms may make a requirement for multi-factor authentication (MFA) inadvisable.

105 See 88 FR 55694 (Aug. 16, 2023).
106 See supra note 12.
107 See OMB Approval No. 1652–0074 (Cybersecurity Measures for Surface Modes), approved through Aug. 31, 2026; OMB Approval No. 1652–0056 (Pipeline Corporate Security Reviews and Security Directives), approved through Feb. 28, 2026; and OMB Approval No. 1652–0050 (Critical Facility Information of the Top 100 Most Critical Pipelines), approved through Mar. 31, 2026. One commenter noted that TSA's SDs require reporting within 24 hours while the CIRCIA proposed rule requires reporting within 72 hours. This issue is discussed infra in section III.D.2.f. of this proposed rule.
TSA allows owner/operators to rely on compensating controls used to meet control room requirements issued by PHMSA.108 Similarly, TSA provides an allowance for alternatives to encryption for certain systems used by railroads 109 and recognizes compliance with FRA's requirements to address access to PTC system components in locomotives.110 While TSA believes differences in cybersecurity requirements may be intentional based on sector-specific distinctions, TSA welcomes comments on opportunities to harmonize and streamline regulations where feasible and appropriate.

108 See SD–Pipeline–2021–02 at Section III.C.2.
109 See SD–1580/82–2022–01 at Section III.B.2.b.
110 See id. at III.C.6.

III. Proposed Rule

A. Rule Organization

This rule proposes changes to the requirements applicable to owner/operators of freight railroads, PTPR, and OTRBs in subchapter D of title 49 CFR, subtitle B, chapter XII. The rule also proposes to add a new part 1586 to this subchapter, which would impose requirements applicable to owner/operators of specific pipeline facilities and systems. To facilitate implementation of these requirements, TSA is proposing to significantly revise subchapter D. Some of these revisions are technical revisions to consolidate previously imposed procedures or requirements or to align procedures for security programs with TSA's existing processes for aviation. TSA believes consolidating procedural and general requirements in part 1570, while providing consolidated modal-specific requirements in modal-specific parts, would make it easier for owner/operators to identify and implement the proposed requirements. TSA is also proposing revisions to terms in part 1500 that have use in multiple provisions in chapter XII of title 49 and of part 1520 to ensure information required by the revisions to subchapter XII is protected as SSI, as applicable.

1. Cybersecurity Requirements

The most significant proposed revision to TSA's regulations is the addition of requirements for higher-risk owner/operators of freight railroads, PTPR, and pipeline facilities and systems to have a comprehensive CRM program. These proposed requirements are found in new subpart D of part 1580 (applicable to freight railroads), subpart C of part 1582 (applicable to PTPR), and subpart C of part 1586 (applicable to pipeline facilities and systems). This proposed rule would also add a requirement in subpart B of part 1584 for higher-risk OTRB owner/operators to report cybersecurity incidents but would not impose the comprehensive CRM program requirements on this mode.

2. Physical Security Requirements

Through this rulemaking, TSA is proposing to distinguish between physical security and cybersecurity. TSA is proposing to move the requirements currently in subchapter D related to designating a security coordinator and reporting significant security concerns to revised subparts B within parts 1580, 1582, and 1584, respectively. These revised subparts B would contain security program requirements primarily focused on physical security. TSA also proposes to apply these same requirements to pipeline facilities and systems through the new part 1586. Appendix A to part 1570, which identifies types of significant security concerns to be reported, would be removed from part 1570 and repeated in parts 1580, 1582, 1584, and 1586. As incorporated into this proposed subpart, TSA is proposing to clarify that the security coordinator(s) currently required by § 1570.201 must be a U.S. citizen. This requirement is consistent with the 9/11 Act 111 and advances TSA's need to ensure that the agency can rapidly share sensitive information with the owner/operator that may be critical to ensure appropriate actions are taken to address emerging threats.
As provided in the 9/11 Act, TSA may waive the citizenship requirement for the security coordinator(s) if the individual successfully completes an STA.112 In addition, the value of the security coordinator position is significantly impeded if there is not an individual in place who can receive sensitive information. Therefore, TSA is requiring that security coordinators (primary and alternate) be U.S. citizens who can receive sensitive information unless waived by TSA. At this time, TSA anticipates only one possible situation where a waiver would be granted: if one of the Security Coordinators (primary or alternate) is a U.S. citizen, TSA may grant a waiver for the requirement as applied to the other Security Coordinator. From the agency's perspective, the purpose of the citizenship requirement is to ensure each covered owner/operator has a designated point of contact for receiving critical threat information, including intelligence information that cannot be shared with foreign citizens. TSA is assuming that owner/operators would ensure that, if the security coordinator on duty is not cleared to receive certain information, that individual would promptly notify the security coordinator or other appropriate individual who has the required clearances. Both the primary and alternate Security Coordinators would be required to successfully complete an STA before TSA would consider a waiver. TSA is also proposing to move any procedures or requirements applicable to training of security-sensitive employees 113 currently in 49 CFR 1570.101–1570.111 and 1570.121 to the applicable modal sections. Within the modal requirements, TSA is proposing to consolidate the existing security training requirements into one section for each mode. None of the requirements would be changed as a result of this restructuring.
Finally, the title of subpart C of part 1580, which includes chain of custody requirements applicable to the freight rail system, would be changed from "Operations" to "Security of Rail Security Sensitive Materials" without any revisions to the requirements in this subpart.

111 See secs. 1512(e)(2) and 1531(e)(2) of the 9/11 Act, as codified at 6 U.S.C. 1162(e)(2) and 1181(e)(2), respectively.
112 Id.
113 See §§ 1580.3, 1582.3, and 1584.3 for definitions of "security-sensitive employees" as applied to freight railroads, PTPR, and OTRB, respectively.

Physical security encompasses threats to physical infrastructure that could affect the safety and security of people, cargo, and infrastructure. The definition for physical security in this NPRM includes measures that provide for the security of systems and facilities, as well as the persons in areas in or near to operations that could have their safety and security threatened by an attack on physical systems and assets. Examples include rail cars, stations, pipelines, terminals, buses, etc. Cybersecurity is also critical for protecting the safety and security of people, cargo, and infrastructure, but the actions taken to prevent cybersecurity incidents are intended to protect computers, electronic communications systems and services, wire communications, and electronic communications, including information contained on these systems, services, and capabilities.114 It is important to recognize that there is not a bright line between physical security and cybersecurity. A comprehensive defense-in-depth plan includes both physical and cybersecurity controls to protect IT and OT systems.
For example, someone could use physical capabilities to damage an IT or OT system or thwart ineffective physical access controls to a building or floor in order to gain access to a Critical Cyber System. Similarly, physical security controls may be used to augment cybersecurity measures. Although TSA is distinguishing between Physical Security Coordinators and Cybersecurity Coordinators, we encourage these individuals to work together and communicate to ensure a comprehensive approach to both physical security and cybersecurity.

3. General Procedures for Security Programs, SDs, and Information Circulars

Through this rulemaking, TSA is also proposing to revise procedures in part 1570 related to security programs. When TSA promulgated the Security Training for Surface Transportation Employees final rule in 2020,115 the rule text incorporated specific security program requirements. This structure reflected the limited scope of the requirements applicable to multiple modes of transportation. To accommodate the proposed addition of the cybersecurity requirements, TSA proposes to separate security training requirements, as discussed above, into the modal-specific parts and to incorporate general security program requirements that are consistent with the requirements applicable to aviation security programs. These changes, discussed in more detail in section III.F.1. of this preamble, would better ensure consistency across TSA's regulatory requirements. Table 3 provides a distribution table for these changes and those discussed above related to physical security requirements. TSA welcomes comment on the distribution table and whether any of the proposed changes might have unintended effects on existing requirements.

TABLE 3—49 CFR CHAPTER XII, SUBCHAPTER D, DISTRIBUTION TABLE

Former section ..................................... New section
1570.107 ............................................ 1580.113(k), 1582.113(k), and 1584.113(k).
1570.109(b) ......................................... 1580.113(h); 1582.113(h), and 1582.114(h).
1570.109(c)(1) ...................................... 1570.107(a)(1).
1570.109(c)(2) and (3) .............................. 1570.107(a)(2)(i) and (ii).
1570.109(g) ......................................... 1570.107(a)(2)(iii).
1570.111(a) ......................................... 1580.113(i); 1582.113(i); and 1584.113(i).
1570.111(b) ......................................... 1580.113(j); 1582.113(j), and 1584.113(j).
1570.111(c) ......................................... 1570.111.
1570.113(b)(e) ...................................... 1570.107(b).
1570.113(c) and (d) ................................. 1570.107 (amendment process); and 1580.113(o), 1582.113(o), and 1584.113(o) (physical security training specific requirements).
1570.113(f) ......................................... 1570.107(b).
1570.113(g) ......................................... 1570.107(f).
1570.115(a)–(b) ..................................... 1570.107(d).
1570.115(c) ......................................... 1570.107(e).
1570.117 ............................................ 1570.109 (narrow alternative process for seasonal or infrequent operations); 1570.203 (provides alternate measures for purposes of requirements in Security Directives).
1570.119 ............................................ 1570.107(f).
1570.121 ............................................ 1570.117 (general requirements); and 1580.113(l) and (m), 1582.113(l) and (m), and 1584.113(l) and (m) (physical security training specific requirements).
1570.201 ............................................ 1580.103, 1582.103, and 1584.103.
1570.203 ............................................ 1580.105, 1582.105, and 1584.105.
Part 1570, appendix A ............................... Part 1580, appendix C; part 1582, appendix C; and part 1584, appendix C.
1580.101 ............................................ 1580.113(a).
1580.113(b)(1)–(5) and (7–9) ........................ 1580.113(d).
1580.113(b)(6) ...................................... 1580.113(e).
1580.113(c) ......................................... 1580.113(g).
1580.115(a) ......................................... 1580.113(b).
1580.115(c) ......................................... 1580.113(c).
1580.115(c)–(f) ..................................... 1580.113(f).
1582.101 ............................................ 1582.113(a).
1582.113(b)(1)–(5) and (7–9) ........................ 1582.113(d).
1582.113(b)(6) ...................................... 1582.113(e).
1582.113(c) ......................................... 1582.113(g).
1582.115(a) ......................................... 1582.113(b).
1582.115(c) ......................................... 1582.113(c).
1582.115(c)–(f) ..................................... 1582.113(f).
1584.113(b)(1)–(5) and (7–9) ........................ 1584.113(d).
1584.113(b)(6) ...................................... 1584.113(e).
1584.113(c) ......................................... 1584.113(g).
1584.115(a) ......................................... 1584.113(b).
1584.115(c) ......................................... 1584.113(c).
1584.115(c)–(f) ..................................... 1584.113(f).
114 This explanation of cybersecurity is consistent with common understanding as reflected in the NIST Glossary, available at https://csrc.nist.gov/glossary/term/cybersecurity (last accessed July 6, 2023).
115 See supra note 87.

4. Relation to Other Rulemakings

TSA has other rulemakings that may reference subparts or sections contained in this proposed rule. Specifically, in the Vetting of Certain Transportation Employees NPRM, TSA has proposed to add vetting requirements as Subpart D of part 1580, Subpart C of part 1582, and Subpart C of part 1584.116 In this rule, we are proposing to add CRM requirements in two of the same subparts, and are proposing to revise other provisions that are cross-referenced in the Vetting of Certain Surface Transportation Employees NPRM.117 Although the substance of the two proposals does not conflict, the numbering and paragraph designations conflict in some cases. TSA will ensure all subparts and sections are deconflicted and consistent before any rules are finalized.

B. Terms

1. General Terms

Consistent with the proposed rule's organization, TSA includes proposed definitions for terms relevant to several subchapters of TSA regulations, beyond the requirements of subchapter D, in part 1500. Terms relevant to several parts of subchapter D would be added to § 1570.3. Terms uniquely relevant to each mode would be included in the relevant parts (part 1580 (freight), part 1582 (PTPR), part 1584 (OTRB), and part 1586 (pipeline facilities and systems)). Most of the definitions are derived from existing federal regulatory programs, particularly programs administered by DOT. A few definitions are based on industry sources.
TSA's purpose is to use definitions with which regulated parties are familiar, to the extent that the definitions are consistent with the purposes of this NPRM. Where no existing definition is appropriate, TSA's subject matter experts developed the definition based upon the generally accepted and known use of terms within each of the modes subject to this proposed regulation. Table 4 provides additional information on the terms that would be added to TSA's regulations.

TABLE 4—EXPLANATION OF PROPOSED TERMS AND DEFINITIONS IN SUBCHAPTER XII OF TITLE 49

(Columns: Part; Summary of change; Explanation)

1500: Propose adding definition of "carbon dioxide".
    Explanation: This term is used in proposed sections regarding pipeline applicability in part 1586. Owner/operators of control rooms within this definition would, under certain criteria, be subject to the requirements in proposed part 1586. The proposed definition has the same meaning as the term is defined in 49 CFR 195.2.

1500: Propose adding definition of "gas".
    Explanation: This term is used extensively in proposed part 1586 and refers to a commodity that, if transported by pipelines, may require the owner/operator to be subject to the requirements in part 1586. The term is also used in the definition of other terms defined in this proposed rule. The proposed definition aligns with the definition of this term in 49 CFR 192.3.

1500: Propose adding definition of "hazardous liquid".
    Explanation: This term is used extensively in proposed part 1586 and refers to a commodity that, if transported by pipelines, may require the owner/operator to be subject to the requirements in part 1586. The term is also used in the definition of other terms defined in this proposed rule. The proposed definition has the same meaning as the term is defined in 49 CFR 195.2.

1500: Propose adding definition of "liquefied natural gas (LNG)".
    Explanation: This term is used extensively in proposed part 1586 and refers to a commodity that, if transported by pipelines, may require the owner/operator to be subject to the requirements in part 1586. The proposed definition has the same meaning as the term is defined in 49 CFR 193.2007.

1500: Propose adding definition of "pipeline or pipeline system".
    Explanation: This term is used extensively in proposed part 1586 and specifically refers to the means of transport of gas and hazardous liquids. Owner/operators of these systems would, under certain applicability criteria, be subject to the requirements in part 1586. The proposed definition has the same meaning as the term is defined in 49 CFR 192.3, 193.2007, and 195.2.

1500: Propose adding definition of "pipeline facility".
    Explanation: This term is used extensively in proposed part 1586 and specifically refers to the facilities used in the transportation of gas and hazardous liquids. Owner/operators of these systems would, under certain applicability criteria, be subject to the requirements in part 1586. The proposed definition has the same meaning as the term is defined in 49 CFR 192.3, 193.2007, and 195.2.

1500: Propose modifying definition of "transportation or transport".
    Explanation: TSA is proposing to update the definition to include the addition of pipeline system and facility operations to TSA's regulations through proposed part 1586. This term is used in part 1520 and requirements (current and proposed) in subchapter D.

1500: Propose modifying definition of "transportation facility".
    Explanation: TSA is proposing to update the definition to include pipeline system and facility operations in proposed part 1586. This term is used in part 1520 and requirements (current and proposed) in subchapter D of 49 CFR chapter XII.

1500: Propose modifying definition of "transportation security equipment and systems".
    Explanation: TSA is proposing to update the definition to include IT and OT authentication, network logging, and to specify that transportation security equipment and systems includes security equipment and systems for the protection and monitoring of both physical and virtual assets.

1500: Propose adding definition of "TSA Cybersecurity Lexicon".
    Explanation: This term would refer to a controlled vocabulary used in TSA's cybersecurity requirements. In general, the use of a standard lexicon reduces the possibility of misinterpretations when communicating cybersecurity definitions and terminology.

1570: Propose adding definition of "accountable executive".
    Explanation: This term is used in proposed sections regarding governance of a CRM program. Accountable executive means an individual employed by an owner/operator who is responsible and accountable for the owner/operator's compliance with the requirements of subchapter D, including authority over human resource issues, major financial issues, conduct of the owner/operator's affairs, all operations conducted related to the requirements of subchapter D, and responsibility for all transportation-related security issues.

1570: Propose adding definition of "cyber security-sensitive employee".
    Explanation: This term is used to describe employees of owner/operators who TSA proposes must receive cybersecurity-related training. The definition includes any employee who is a privileged user with access to, or privileges to access, a Critical Cyber System or any Information or Operational Technology system that is interdependent with a Critical Cyber System, as defined in the TSA Cybersecurity Lexicon.

1580: Propose adding definition of "defense connector railroad".
    Explanation: This term is used to identify applicability of CRM requirements and refers to a railroad that has a line of common carrier obligation designated a defense connector line by the US Army Military Surface Deployment and Distribution Command Transportation Engineering Agency (SDDCTEA) and the FRA, which connects defense installations or other activities requiring rail service to STRACNET.

1580: Propose adding definition of "switching or terminal services".
    Explanation: This term is used to identify applicability of CRM requirements and refers to persons primarily engaged in the furnishing of terminal facilities for rail passenger or freight traffic for line-haul service, and in the movement of railroad cars between terminal yards, industrial sidings and other local sites. See (https://www.osha.gov/sic-manual/4013).

1580: Propose adding definition of "train miles".
    Explanation: This term is used to identify applicability of CRM requirements. A Train-mile is the movement of a train (which can consist of many cars) the distance of one mile. A Train-mile differs from a vehicle-mile, which is the movement of one car (vehicle) the distance of one mile. A 10-car (vehicle) train traveling one mile would be measured as one Train-mile and 10 vehicle-miles. See (https://www.bts.gov/content/railroad-passenger-safety-data).

1582: Propose adding definition of "unlinked passenger trips".
    Explanation: This term is used in part 1582 and means the number of people making one-way trips on a public transportation system in a given time period.

1586: Propose adding definition of "control room".
    Explanation: This term is used in proposed sections regarding pipeline applicability in part 1586. Owner/operators of control rooms within this definition would, under certain criteria, be subject to the requirements in proposed part 1586. The proposed definition has the same meaning as the term is defined in 49 CFR 192.3 and 195.2.

1586: Propose adding definition of "high-consequence area".
    Explanation: This term is used in proposed part 1586 relating to the applicability of the requirements in that part. The proposed definition has the same meaning as the term is defined in 49 CFR 192.903 and 195.450.

1586: Propose adding definition of "peak shaving facility".
    Explanation: This term is used in proposed sections regarding pipeline applicability in part 1586. Owner/operators of peak shaving facilities would, under certain applicability criteria, be subject to the requirements in part 1586. There is no current federal definition of a "peak shaving facility," but the term has a commonly accepted interpretation across the industry.

116 See supra note 17.
117 Id.

2. TSA Cybersecurity Lexicon

TSA has also developed terms specific to cybersecurity requirements for purposes of its SDs and ICs discussed in section II.B.1. of this NPRM. Rather than including these terms in the regulation, TSA is proposing to add "TSA Cybersecurity Lexicon" to the terms in 49 CFR 1500.3. This term would refer to a controlled vocabulary used in TSA's cybersecurity requirements and be available on TSA's public website and any secure websites used to communicate with regulated entities. In general, the use of a standard lexicon reduces the possibility of misinterpretations when communicating cybersecurity definitions and terminology. The definitions provided below are generally consistent with those terms and definitions in the SDs and ICs. As the meaning of cybersecurity terms can change over time based on emerging technology and capabilities, TSA is proposing to maintain these definitions separate from the regulatory text.
Any changes to the terms would be interpretive in nature and would be made using the procedures for amendments to security programs described in proposed § 1570.107. This approach also allows flexibility for TSA to align with other Federal agencies as part of a broader effort to harmonize cybersecurity terminology and requirements without delaying the ability to proceed with this important rule to establish a strong cybersecurity baseline to protect critical surface operations. Table 5 includes the list and definition of terms that TSA proposes to establish for the first iteration of the TSA Cybersecurity Lexicon.

TABLE 5—EXPLANATION OF PROPOSED TERMS AND DEFINITIONS IN TSA CYBERSECURITY LEXICON

Term: Authorized representative
Proposed definition: TSA is proposing to use a modified definition of an “authorized representative” from the definition in 49 CFR 1500.3. For TSA’s cybersecurity requirements, an “authorized representative” is a person who is not a direct employee of the owner/operator but is authorized to act on the owner/operator’s behalf to perform measures required by the security program. The term authorized representative includes agents, contractors, and subcontractors. This term does not include Managed Security Service Providers.
Explanation: This term is used in proposed sections requiring, as necessary and appropriate, identification of individuals or third parties who are responsible for implementation or oversight of the CRM program, or who are critical for implementation of the cyber activities described in the owner/operator’s CRM program. Authorized representatives may be empowered to act on behalf of the authorizing official to coordinate and conduct the day-to-day activities associated with managing risk to information systems and organizations. Considering these responsibilities, authorized representatives may be liable for non-compliance separate from or in addition to the owner/operator. [Source: NIST.SP.800–37r2].

Term: Business critical functions
Proposed definition: Owner/operator’s determination of capacity or capabilities to support functions necessary to meet operational needs and supply chain expectations.
Explanation: This term is used in proposed sections regarding Cybersecurity Incident Response Plans to determine key business functions, resources, infrastructure, and assets to ensure continuity of operations and supply chain expectations. [Source: Transportation Security Template and Assessment Review Toolkit].

Term: Critical Cyber System
Proposed definition: Any Information Technology or Operational Technology system used by the owner/operator that, if compromised or exploited, could result in an operational disruption incurred by the owner/operator. Critical Cyber Systems include those business support services that, if compromised or exploited, could result in operational disruption. This term includes systems whose ownership, operation, maintenance, or control is delegated wholly or in part to any other party.
Explanation: This term is used in proposed sections to delineate criticality of any Information Technology or Operational Technology system to prioritize which assets need to be secured first. [Source: NIST IR 8179/SD Pipeline–2021–02 series/SD 1580/82–2022–01 series]. These systems may include programmable electronic devices, computers, or other automated systems which are used in providing transportation; alarms, cameras, and other protection systems; and communication systems, and utilities needed for security purposes, including dispatching systems. [Source: sections 1531(d)(1)(C), 1512(d)(1)(C) of the Implementing Recommendations of the 9/11 Commission Act of 2007, Public Law 110–53 (121 Stat. 266; Aug. 3, 2007)].

Term: CISA
Proposed definition: The Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security.
Explanation: This term is used in proposed sections related to reporting of cybersecurity incidents and protection of Critical Cyber Systems.

Term: Cybersecurity Architecture Design Review
Proposed definition: A technical assessment based on government and industry-recognized standards, guidelines, and best practices that evaluates systems, networks, and security services to determine if they are designed, built, and operated in a reliable and resilient manner. These reviews must be designed to be applicable to the owner/operator’s Information Technology and Operational Technology systems.
Explanation: This term is used in proposed sections to reflect an assessment for owner/operators in developing mitigation strategies to combat cyber intrusion and cybersecurity incidents. CISA offers an assessment called a Validated Architecture Design Review (VADR), while other third-party assessment entities offer a similar assessment based on CISA’s VADR methodology or a separate Architecture Design Review methodology. [Source: CISA Cyber Resource Hub/SD Pipeline–2021–02 series/SD 1580/82–2022–01 series].

Term: Cybersecurity incident
Proposed definition: An occurrence that, without lawful authority, jeopardizes or is reasonably likely to jeopardize the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system. This definition includes an event that is under investigation or evaluation by the owner/operator as a possible cybersecurity incident without final determination of the event’s root cause or nature (such as malicious, suspicious, or benign).
Explanation: This term is used in proposed sections to detail the elements of a cybersecurity incident in order to accomplish a harmonization of the definition across the government. [Source: DHS Lexicon Ed 17 Rev 2/SD Pipeline–2021–02 series/SD 1580/82–2022–01 series].

Term: Information technology system
Proposed definition: Any services, equipment, or interconnected systems or subsystems of equipment that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information that fall within the responsibility of an owner/operator subject to TSA’s Cybersecurity Requirements to operate and/or maintain.
Explanation: This term is used in proposed sections to describe what an Information Technology system entails and align the definition with other Federal agencies. [Source: NIST SP 800–12r1/CISA CPG/DHS Lexicon Ed 17 Rev 2/SD Pipeline–2021–02 series/SD 1580/82–2022–01 series].

Term: Interdependencies
Proposed definition: Relationships of reliance within and among Information Technology and Operational Technology systems that must be maintained for those systems to operate and provide services.
Explanation: This term is used in proposed sections to recognize the vital relationship between Information Technology and Operational Technology systems and is used to determine the policies and controls that must be in place to secure critical cyber systems. [Source: SD Pipeline–2021–02 series/SD 1580/82–2022–01 series].

Term: Least privilege
Proposed definition: Persons and programs operate using the minimum level of access, permissions, and system resources necessary to perform the function.
Explanation: This term is used in proposed sections to emphasize a security principle of granting minimum system resources and authorizations to accomplish assigned tasks. [Source: NIST SP 800–12r1/SD Pipeline–2021–02 series/SD 1580/82–2022–01 series].

Term: Managed Security Service Provider
Proposed definition: For purposes of TSA’s cybersecurity requirements, a person who is not a direct employee of the owner/operator, but who provides one or more services or capabilities that the owner/operator is using to perform measures required by the TSA. Managed Security Service Providers generally provide a logical service or capability. Managed Security Service Providers are not authorized representatives.
Explanation: This term is used in proposed sections to make a distinction between a managed security service provider and an authorized representative for the purpose of identifying cybersecurity roles and responsibilities. [Source: NIST SP 800–61r2/NIST SP 800–172/Joint EA 23–01 Aviation].

Term: Memorized secret authenticator
Proposed definition: A type of authenticator comprised of a character string intended to be memorized by, or memorable to, the subscriber, permitting the subscriber to demonstrate something they know as part of an authentication process.
Explanation: This term is used in proposed sections to describe the makeup and function of a password and its critical role in the authentication process. [Source: NIST SP 800–63–3/SD Pipeline–2021–02 series/SD 1580/82–2022–01 series].

Term: Operational disruption
Proposed definition: A deviation from or interruption of business critical functions that results from a compromise or loss of data, system availability, system reliability, or control of systems.
Explanation: This term is used in two contexts. First, it applies to identify reportable cybersecurity incidents. It is also used for purposes of identifying Critical Cyber Systems. The definition is intended to cover a wide range of potential scenarios. For example, while the term does not explicitly reference unauthorized access, presence of malicious software, or a distributed denial of service incident, those events are covered by the scenarios used in the definition. [Source: NIST SP 800–34r1/SD Pipeline–2021–02 series/SD 1580/82–2022–01 series].

Term: Operational technology system
Proposed definition: A general term that encompasses several types of control systems, including industrial control systems, supervisory control and data acquisition systems, distributed control systems, and other control system configurations, such as programmable logic controllers, fire control systems, and physical access control systems, often found in the industrial sector and critical infrastructure. Such systems consist of combinations of programmable electrical, mechanical, hydraulic, pneumatic devices or systems that interact with the physical environment or manage devices that interact with the physical environment.
Explanation: This term is used in proposed sections to describe what an Operational Technology system encompasses and align the definition with other Federal agencies. [Source: NIST SP 800–37r2/CISA CPG/SD Pipeline–2021–02 series/SD 1580/82–2022–01 series].

Term: Phishing
Proposed definition: Tricking individuals into disclosing sensitive information through deceptive computer-based means such as internet web sites or e-mails using social engineering or counterfeit identifying information.
Explanation: This term is used in proposed sections to expound on a common cybersecurity incident that attempts to acquire sensitive data in which the perpetrator masquerades as a legitimate business or reputable person. [Source: NIST SP 800–150/SD Pipeline–2021–02 series/SD 1580/82–2022–01 series].

Term: Reportable cybersecurity incident
Proposed definition: Incidents involving systems that the owner/operator has responsibility to operate and/or maintain, including:
a. Unauthorized access of an Information Technology or Operational Technology system;
b. Discovery of malicious software that impacts the confidentiality, integrity, or availability of an Information Technology or Operational Technology system;
c. Activity resulting in a denial of service to any Information Technology or Operational Technology system; and/or
d. Any other cybersecurity incident that results in, or has the potential to result in, operational disruption affecting the owner/operator’s Information Technology or Operational Technology systems; other aspects of the owner/operator’s systems or facilities, critical infrastructure or core government functions; or national security, economic security, or public health and safety.
Explanation: This term is used in proposed sections to inform the criteria for reporting when a cybersecurity incident occurs. [Source: TSA Surface IC/SD Pipeline–2021–02 series/SD 1580/82–2022–01 series].

Term: Security orchestration, automation, and response (SOAR)
Proposed definition: Capabilities that enable owner/operators to collect inputs monitored by the security operations team. For example, alerts from the security information and event management system and other security technologies, where incident analysis and triage can be performed by leveraging a combination of human and machine power, help define, prioritize and drive standardized incident response activities. These capabilities allow an owner/operator to define incident analysis and response procedures in a digital workflow format.
Explanation: This term is used in proposed sections to highlight capabilities that enable owner/operators to monitor systems and drive standardized incident response. [Source: NIST SP 800–25/SD Pipeline–2021–02 series/SD 1580/82–2022–01 series].

Term: Shared account
Proposed definition: An account that is used by multiple individuals with a common authenticator to access systems or data. A shared account is distinct from a group account, which is a collection of user accounts that allows administrators to group similar user accounts together in order to grant them the same rights and permissions. Group accounts do not have common authenticators.
Explanation: This term is used to describe an account that requires oversight/restriction due to unique requirements. [Source: NIST SP 800–53r5 (AC–2)/SD Pipeline–2021–02 series/SD 1580/82–2022–01 series].

Term: Spam
Proposed definition: Electronic junk mail or the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.
Explanation: This term is used in proposed sections to describe unsolicited bulk emailed messages. [Source: NIST SP 800–12r1].

Term: Tor, also known as The Onion Router
Proposed definition: Software that allows users to browse the web anonymously by encrypting and routing requests through multiple relay layers or nodes. Tor software obfuscates a user’s identity from anyone seeking to monitor online activity (such as nation states, surveillance organizations, information security tools). This deception is possible because the online activity of someone using Tor software appears to originate from the Internet Protocol address of a Tor exit node, as opposed to the address of the user’s computer.
Explanation: This term is used in proposed sections to describe open-source software for enabling anonymous internet communication. [Source: SD Pipeline–2021–02 series/SD 1580/82–2022–01 series].

Term: Trust relationship
Proposed definition: An agreed-upon relationship between two or more system elements that is governed by criteria for secure interaction, behavior, and outcomes relative to the protection of assets. This term refers to trust relationships between system elements implemented by hardware, firmware, and software.
Explanation: This term is used in proposed sections to recognize policies that govern how entities in differing domains honor each other’s authorizations. [Source: NIST SP 800–160v1r1/SD Pipeline–2021–02 series/SD 1580/82–2022–01 series].

Term: Unauthorized access
Proposed definition: Access from an unknown source; access by a third party or former employee; an employee accessing systems for which he or she is not authorized. This term may include a nonmalicious policy violation such as the use of a shared credential by an employee otherwise authorized to access it.
Explanation: This term is used in proposed sections to describe what Unauthorized Access encompasses. [Source: SD Pipeline–2021–02 series/SD 1580/82–2022–01 series].

C. Cybersecurity Risk Management Program—General

1. Introduction

The primary purpose of this rulemaking is to mitigate the impacts of cybersecurity incidents on higher-risk surface modes of transportation. This purpose will not be met by simply codifying the requirements in the SDs or assuming that what is currently being done will be sufficient for the future. Cybersecurity is not static; it is an ever-evolving capability to address ever-evolving threats. To ensure critical systems are protected from a cybersecurity incident, this proposed rule includes requirements to establish a CRM program that would ensure cybersecurity maturity as an ongoing and adaptive process. In developing the requirements in this proposed rule, TSA began with those previously imposed by TSA through SDs issued under the authority of 49 U.S.C. 114(l), considered the structure and recommendations in the NIST CSF, and focused on the actions prioritized by CISA in the CPGs.
Through implementation of these requirements, TSA believes the regulated parties would meet the NIST “Repeatable” Tier, which applies to companies with mature cybersecurity programs that are formally approved and are known and communicated organization-wide, reflect an organization-wide approach to managing risks, have consistent methods in place for cybersecurity policies, ensure individuals within the company know their roles and responsibilities for cybersecurity, and maintain an awareness of the company’s dependencies and dependents.

2. Applicability

The applicability for this proposed rule is modified from the applicability of the current SD requirements. Specifically, the applicability of those SDs for railroads and rail transit systems generally aligns with the applicability for security training in 49 CFR parts 1580 and 1582. For pipelines, applicability of the SDs aligns with TSA’s designation of the most critical pipeline systems and facilities for purposes of the Pipeline Security Program Corporate Security Reviews and Critical Facility Security Reviews required by section 1557 of the 9/11 Act.118 These applicability determinations were based on the physical security of transportation systems and risks within that context. Use of TSA’s risk-based determinations for applicability is consistent with the focus of the 9/11 Act’s requirements on higher-risk operations. This risk-based focus is reflected in the statutory requirement that focuses security training requirements on frontline employees, not all employees;119 requiring risk-based tiers where only the highest tier would be required to comply with regulations for vulnerability assessments and security plans;120 and focusing the pipeline security reviews on the most critical systems and facilities.121 To expedite use of TSA’s emergency authorities under 49 U.S.C. 114(l)(2), the agency primarily relied on the risk determinations used for these requirements and reviews to impose the cybersecurity requirements in the SDs discussed in section II.B.1 of this NPRM.

Since issuance of these SDs, TSA has determined that with respect to permanent regulations, different risk criteria apply when the focus is on cybersecurity. In addition to protecting passengers and the immediate supply chain, risk considerations also include protecting national security, including economic security, and recognizing their dependence on reliable freight rail and pipeline systems. As risk is a construct of threat, vulnerabilities, and consequences, the change from physical to virtual risks involves different types of threats related to motivation and capacity, different vulnerabilities reflecting reliance on IT and OT systems and dependency, and different consequences to passenger safety and the supply chain if a Critical Cyber System is the target of a successful cybersecurity incident. Where cybersecurity incidents in some sectors are primarily focused on loss of data or privacy information, in the transportation sector a cybersecurity incident has a potential impact on operations affecting passenger safety, the environment, and the supply chain. In other words, cybersecurity incidents could have direct physical consequences. See discussion in section II.A.4. regarding cybersecurity threats. As noted in the National Cybersecurity Strategy, regulatory agencies are encouraged to ensure “cybersecurity regulations for critical infrastructure . . . prioritize the availability of essential services.”122 The expanding nature of cyber risks to the transportation sector also requires an assessment of applicability specific to these risks. Consistent with these considerations, TSA is proposing the following applicability criteria for freight railroads, rail transit and passenger railroads, and pipeline facilities and systems.

118 See supra note 81.
119 See secs. 1408(a), 1517(a), and 1534(a) of the 9/11 Act, codified at 6 U.S.C. 1137(a), 1167(a), and 1184(a), respectively.
120 See secs. 1512(a) and 1181(a) of the 9/11 Act, codified at 6 U.S.C. 1162(a) and 1181(a).
121 See supra note 81.
122 See supra note 12, at 8–9.

a. Freight Railroads Subject to CRM Program Requirements in Proposed Subpart D of Part 1580

TSA proposes that the CRM program requirements apply to the freight railroads that transport the greatest amount of cargo or are identified as supporting certain Department of Defense (DoD) operations. TSA estimates 73 freight railroads would meet the following risk-based criteria:

• Is a Class I railroad as defined in current 49 CFR 1580.3;123 or
• Is a Class II or III railroad that:
  • Transports one or more of the categories and quantities of Rail Security-Sensitive Materials124 in a High Threat Urban Area;125
  • Provides switching or terminal services to two or more Class I railroads;
  • Operates an average of at least 400,000 train miles in any of the three years before the effective date of the final rule or in any calendar year after the effective date;126
  • Is designated as a Defense Connector Railroad by DoD, as defined in proposed 1580.3; or
  • Serves as a host railroad to any of the freight railroad operations identified above or a higher-risk passenger rail operation identified in proposed § 1582.201;127

123 TSA currently defines a Class I railroad by reference to the classifications of the Surface Transportation Board. For regulatory purposes, the Surface Transportation Board categorizes rail carriers into three classes: Class I, Class II, and Class III. The classes are based on the carrier’s annual operating revenues. Current thresholds establish Class I carriers as any carrier earning revenue greater than $943.9 million, Class II carriers as those earning revenue between $42.4 million and $943.9 million, and Class III carriers as those earning revenue less than $42.4 million. See 49 CFR part 1201; General Instructions 1–1. TSA is proposing to revise its definition applicable to class determinations to include Class I, Class II, and Class III freight railroads.
124 49 CFR 1580.3.
125 Appendix A to 49 CFR part 1580.
126 TSA reviewed historical statistics from the FRA to discern a threshold of annual train miles. The 400,000 train-miles threshold provided a clear breakpoint between large, medium, and small railroad operations. See https://railroads.dot.gov/accident-and-incident-reporting/overview-reports/train-miles-and-passengers (last accessed Sept. 27, 2023).

These criteria for applicability would capture railroads responsible for approximately 94 percent of the freight transported by rail in the United States, railroads that transport the largest volume of cargo, and railroads that serve as critical connections between Class I railroads or serve as vital links in the Strategic Rail Corridor Network (STRACNET).128 A cybersecurity incident affecting one of these railroads would have the most significant impact on rail transportation, national security, and economic security. The proposed applicability criteria for CRM program requirements would expand the applicability of the requirements set forth in the SDs to include an additional nine railroads, all of which operate more than an average of 400,000 train miles129 per year.
127 49 CFR 1582.101.
128 The Strategic Rail Corridor Network is an interconnected and continuous rail line network consisting of over 36,000 miles of track serving over 120 defense installations.
129 A train-mile is a unit in railroad accounting and refers to the distance of one mile covered by a single train, which may have several cars.

TSA is proposing this expansion because, were any of these railroads to experience a degradation of service due to a cybersecurity incident, the effects of that service degradation would ripple across the nation’s rail network and cause significant disruption to the industry’s service capacity.

TSA is not proposing to apply the CRM program requirements to most short line and regional railroads. Although TSA’s current regulations in 49 CFR part 1580 apply some requirements to the majority of the short line and regional railroads, these are not generally high-cost requirements. Applying the CRM program requirements to these smaller railroads would, however, impose costs with limited corresponding benefits in minimizing the consequences that the proposed rule is intended to address, as there would not be a significant impact on national security, including economic security, if one of these railroads had an operational disruption due to a cybersecurity incident. An expanded scope of applicability could also be beyond TSA’s current resources to effectively monitor for compliance. For those operators not determined to be at higher risk, TSA believes it is more beneficial to continue issuing recommendations and engagements through field inspector outreach, trade association webinars, and other events to encourage railroad owner/operators not subject to TSA’s requirements to take voluntary preventive measures to enhance their cybersecurity.

TSA is not proposing to include rail hazardous materials shippers and receivers in the scope of applicability for CRM requirements. TSA regulates these entities for purposes of “chain of custody” requirements in subpart C of 49 CFR 1580 due to their role at the beginning and end of the line for transporting Rail Security Sensitive Materials (RSSM). Based on their position in the supply chain, the security of these materials necessitates that these entities receive and share critical security information. To meet this need, TSA requires shippers and receivers of RSSM to have Physical Security Coordinators and to report physical incidents affecting these operations that could have an impact on the security of the shipment during transport by a freight railroad. We do not regulate operations within these facilities and do not intend to expand the scope of our requirements through this proposed rule.

Finally, TSA currently requires all freight railroads to have a security coordinator and report significant security concerns focused on physical security.130 Similarly, TSA is proposing that all freight railroads currently required to have a security coordinator and report significant security concerns also have designated individual(s) responsible to serve as a Physical Security Coordinator and/or a Cybersecurity Coordinator131 and report significant physical security concerns to TSA and cybersecurity incidents to CISA. Although the costs of a robust CRM program for the broader scope of freight railroads may not be justified at this time based on known risks, that determination does not mean that cybersecurity should be ignored. All railroads need a point of contact for receiving and processing information on cybersecurity risks, and the U.S. government needs to be promptly advised of any cybersecurity incidents involving these railroads to have a thorough understanding of the current threat environment.

130 See current 49 CFR 1570.201 and 1570.203.
is not preventing an owner/operator from designating the same individual(s) to serve as the Physical Security Coordinator and Cybersecurity Coordinator (or alternate) if all of the applicable requirements are met. At the same time, TSA recognizes that some owner/operators may want to have different individuals serve in these functions based upon their individual expertise and understanding of operations. 131 TSA VerDate Sep<11>2014 19:49 Nov 06, 2024 Jkt 262001 b. Public Transportation Agencies and Passenger Railroads Subject to CRM Program Requirements in Proposed Subpart C of Part 1582 The criteria for applicability of the CRM program requirements for PTPR systems consider both location and passenger volume as primary risk considerations. Based on these considerations, TSA is proposing that the CRM rule apply to those rail transit systems and passenger railroads with the largest daily ridership. A successful cybersecurity incident against one or more of these systems or railroads could have a significant impact on the transportation sector, with consequences to national and economic security. TSA estimates that 34 rail transit and passenger railroads, including Amtrak, would meet the following risk-based criteria: • Is Amtrak (also known as the National Railroad Passenger Corporation) or other a passenger railroad with average daily unlinked passenger trips of 5,000 or greater in any of the three previous years before the effective date of the final rule, or within any single calendar year after the effective date; Is a passenger railroad that hosts a Class I railroad or Amtrak, regardless of ridership volume; or • Is a rail transit system with average daily unlinked passenger trips of 50,000 or more per year in any of the three calendar years before the effective date of the final rule, or any single calendar year after the effective date of the final rule. 
TSA is proposing to define "unlinked passenger trips" in § 1582.3 as the number of times an individual boards public transportation as counted each time a vehicle is boarded, not based on travel from origin to destination. For example, a person riding only one vehicle from origin to destination takes one unlinked trip. A person who transfers to a second vehicle while travelling from origin to destination takes two unlinked trips. In some contexts, "unlinked passenger trips" are also referred to as "boardings." For purposes of this proposed rule, however, TSA is consistently using "unlinked passenger trips."

This scope of applicability would limit the economic burden to the highest consequence operators while still accounting for greater than 90 percent of the total nationwide daily rail ridership volume.132 Consistent with the 9/11 Act, each of the systems that would be required to develop and implement a CRM program is eligible to receive grant funding under section 1406 of the 9/11 Act, 6 U.S.C. 1135, and has received such funding. Transit bus and smaller transit rail and passenger rail systems would not be included in the applicability of the CRM components of this proposed rulemaking as the smaller ridership of these systems means the operational disruption would not have the same consequences as impacts on larger operations. If one of these systems is taken offline due to a cybersecurity incident, it would be temporarily disruptive, but would be unlikely to have significant impacts on national or economic security, compared to the disruption of the transit system in a major metropolitan area where public transportation is relied on by many commuters.

132 TSA’s proposed applicability reflects analysis of ridership data developed by the APTA. See https://www.apta.com/research-technical-resources/transit-statistics/ridership-report/ridership-report-archives/ (last accessed Sept. 27, 2023).

Similarly, transit bus plays a pivotal role in the movement of people in urban areas, but TSA assesses that a cybersecurity incident affecting this mode of transportation is unlikely to result in a significant operational disruption because transit bus systems do not rely heavily on OT systems and likely could continue to operate in the event of a cybersecurity incident. The proposed applicability for this rulemaking does not include the following four systems that currently fall under the security training requirements in part 1582: Connecticut Department of Transportation (Conn DOT), Delaware River Port Authority, Santa Clara Valley Transportation Authority, and Staten Island Railway. These systems are not included because they did not meet the proposed risk-based criteria, i.e., the ridership threshold, determined by TSA as relevant to the specific risks this rulemaking is intended to address.

Although not subject to all of the CRM program requirements, TSA is proposing that all PTPR owner/operators currently required to have a security coordinator and report significant security concerns also have designated individual(s) responsible to serve as a Physical Security Coordinator and/or Cybersecurity Coordinator and report significant physical security concerns to TSA and cybersecurity incidents to CISA.133 The costs of a robust CRM program may not be justified at this time based on known risks, but that determination does not mean that cybersecurity should be ignored. All PTPR owner/operators need a point of contact for receiving and processing information on cybersecurity risks, and the U.S. government needs to be promptly advised of any cybersecurity incidents involving these systems to have a thorough understanding of the current threat environment.

133 See text accompanying supra note 131.
c. OTRB Owner/Operators Subject to Cybersecurity Incident Reporting Requirements in Proposed § 1584.107

TSA is not proposing that OTRB owner/operators be required to meet all CRM program requirements, but believes it is appropriate that those OTRB owner/operators required to report significant security concerns134 be required to report both significant physical security concerns and cybersecurity incidents. TSA estimates that 71 OTRB owner/operators would be subject to this requirement. Through this rulemaking, TSA is proposing to codify and make permanent the cybersecurity requirements previously imposed through SDs issued to address an immediate threat to transportation security. See discussion in section II.B. of this NPRM.

TSA has not imposed cybersecurity mitigation measures on OTRB owner/operators based on the risk information currently available to the agency and recognition of the costs as related to the benefits. That decision, however, does not mean that there is zero risk for OTRB operations and that they will never be the victim of a cybersecurity incident. TSA has encouraged OTRB owner/operators to identify Cybersecurity Coordinators, report cybersecurity incidents, have a cybersecurity incident response plan, and conduct a vulnerability assessment.135 TSA believes that higher-risk OTRB owner/operators should be vigilant regarding cybersecurity risks and is proposing that the U.S. government be promptly advised of any cybersecurity incidents involving these owner/operators in order to have a thorough understanding of the current threat environment. Requiring this information is consistent with TSA’s authority to assess threats, share information, and develop policy.136

TSA notes that the 9/11 Act requires TSA to issue regulations to higher-risk OTRB owner/operators to conduct vulnerability assessments and implement TSA-approved security plans that address the security of IT and OT systems.137 TSA has not yet issued such regulations, although it has issued ICs recommending voluntary implementation of specific cybersecurity measures to higher-risk OTRB owner-operators.138 TSA will consider reports of both significant physical security concerns (as required by current § 1570.201 and proposed § 1584.105) and cybersecurity incidents as reported under proposed § 1584.107 for purposes of developing future regulatory requirements.

134 49 CFR 1570.203.

135 See Information Circular (IC)–2021–01 (effective Dec. 31, 2021), available at https://www.tsa.gov/sites/default/files/20211201_surface-ic-2021-01.pdf (last accessed Sept. 21, 2023).

136 See, e.g., 49 U.S.C. 114(f)(1)–(3) (authority to receive, assess, and distribute intelligence information related to transportation security; assess threats to transportation; and develop policies, strategies, and plans for dealing with threats to transportation security).

137 See supra section II.B.2.b of this NPRM.

138 See Surface–IC–2021–01, Enhancing Surface Transportation Cybersecurity (Dec. 31, 2021), available at https://www.tsa.gov/sites/default/files/20211201_surface-ic-2021-01.pdf (last accessed Sept. 27, 2023); see also information regarding resources and activities supporting security of highway and motor carriers available on TSA’s website at https://www.tsa.gov/for-industry/resources (last accessed Sept. 27, 2023).

d. Pipeline Systems and Facilities Subject to Physical Security Requirements in Proposed Subpart B of Part 1586 and CRM Program Requirements in Proposed Subpart C of Part 1586

TSA is proposing to apply the CRM program requirements to the hazardous liquid, natural gas, and liquefied natural gas pipeline systems and facilities that transport the largest volume of these commodities, which would lead to the potential for a sustained disruption in service should a successful cybersecurity incident affect their ability to support national security needs, including economic security. The recommended criteria for determining applicability of the requirements include three types of pipeline operations: (1) hazardous liquid pipelines; (2) natural and other gas pipelines; and (3) liquefied natural gas (LNG) facilities. In total, the proposed requirements would apply to 115 owner/operators of covered pipeline facilities and systems.

First, TSA is proposing to apply the CRM program requirements to owner/operators of hazardous liquid or carbon dioxide pipeline facilities and systems that meet any of the following criteria:

• Owns or operates a hazardous liquid pipeline or facility subject to 49 CFR part 195 that—
  • Annually delivered hazardous liquids in excess of 50 million barrels in any of the three calendar years before the effective date of the final rule, or any single calendar year after the effective date of the final rule; or
  • Is in excess of 200 segment miles of pipeline transporting hazardous liquid or carbon dioxide that could affect a High Consequence Area, as defined by PHMSA.139
• Owns or operates a primary control room responsible for multiple hazardous liquid or carbon dioxide systems regulated under 49 CFR part 196 and the total annual delivery for those systems combined is greater than 50 million barrels annually in any of the three calendar years before the effective date of the final rule, or any single calendar year after the effective date of the final rule.
• Owns or operates a hazardous liquid pipeline or facility subject to 49 CFR part 195 that has a contract with the Defense Logistics Agency to supply hazardous liquids in excess of 70,000 barrels annually.140

Based on pipeline systems and facilities that report annual throughput to the Federal Energy Regulatory Commission (FERC),141 TSA estimates these systems and facilities account for approximately 90 percent of the total annual volume transported in the United States.

139 See proposed 49 CFR part 1586 for a definition of High Consequence Area and a discussion of Terms in subsection D of this section.

140 TSA coordinated the criteria for 70,000 barrels with the Defense Logistics Agency. This amount conforms to what TSA uses to identify critical pipeline systems ("Top 100").

141 Hazardous Liquid Pipeline Operators subject to FERC jurisdiction provide annual throughput (number of barrels delivered out) to FERC on Form 6, Annual Report of Oil Pipeline Companies.

Second, TSA is proposing to apply the CRM program requirements to owner/operators of natural gas and other gas pipelines that meet any of the following criteria:

• Owns or operates a natural or other gas system subject to 49 CFR part 192 and—
  • Annually delivered natural or other gas in excess of 275 million dekatherms annually (generally natural gas transmission) in any of the three calendar years before the effective date of the final rule, or any single calendar year after the effective date of the final rule;
  • Annually delivered natural or other gas to 275,000 or more meters (or service points) annually (generally natural gas distribution or local distribution company (LDC)) in any of the three calendar years before the effective date of the final rule, or any single calendar year after the effective date of the final rule; or
  • Has more than 200 segment miles that could affect a High Consequence Area.
• Owns or operates a primary control room responsible for multiple natural gas and other gas pipeline systems regulated under 49 CFR part 192 and the combined total annual delivery for these systems is greater than 275 million dekatherms (generally natural gas transmission) in any of the three calendar years before the effective date of the final rule, or any single calendar year after the effective date of the final rule.
• Provides natural or other gas service to 275,000 or more meters (or service points) annually (generally natural gas distribution or LDC) in any of the three calendar years before the effective date of the final rule, or any single calendar year after the effective date of the final rule.

TSA estimates that under these criteria, the requirements of this proposed rule would be applicable to an estimated 66 natural gas transmission and distribution pipeline systems and facilities. These systems and facilities account for approximately 80–90 percent of the total annual volume of natural gas transported in the United States.142

Third, TSA is proposing to apply the CRM program requirements to LNG facilities that import natural gas or operate as peak-shaving facilities.143 Under the proposed criteria, the requirements would apply to an estimated two LNG import facilities and seven peak-shaving facilities. Expanding applicability of the proposed rule from the initial SDs for pipeline facilities and systems to include these facilities reflects TSA’s ongoing discussions with FERC and evolving understanding of cybersecurity risks. The inclusion of these criteria would not significantly affect the number of pipeline systems and facilities subject to the CRM program requirements as all but one of the covered LNG facilities are operated by pipeline companies subject to the other criteria.
The SDs issued to pipeline owner/operators used criteria to include all hazardous liquid and natural gas pipeline systems and facilities that had been designated critical by TSA for purposes of the assessments required by the 9/11 Act. The scope of applicability, however, only accounts for approximately 10 percent of the total number of pipeline systems in the United States. At the other end of the spectrum for the possible scope of applicability, TSA determined it would not be appropriate to recommend covering all pipeline operators subject to PHMSA’s safety regulations in 49 CFR part 192 and 49 CFR 195.1. This option, which includes approximately 2,105 pipelines, would be unnecessarily expensive for the industry based on the expected benefits and extremely difficult for TSA to appropriately monitor and regulate without additional personnel and funding. The proposed criteria for determining applicability would include the most critical pipeline owner/operators as determined by TSA and are consistent with the statutory requirement to determine critical operators144 as well as TSA’s designation of critical owner/operators required to comply with TSA’s SDs.

142 TSA’s data is derived from the Pipeline and Gas Journal’s Annual 500 Report. For more information on this report, see https://pgjonline.com/magazine/2022/november-2022-vol-249-no-11/features/annual-500-report-shows-some-decline-few-ranking-surprises (last accessed Sept. 27, 2023).

143 Peak-shaving refers to LNG facilities supplying supplemental gas supplies to meet the increased demand for natural gas on the coldest days of winter. In 2022, two plants located in the Northeast United States imported LNG.

144 9/11 Act sec. 1557, as codified at 6 U.S.C. 1207(b).

e. Determinations of Applicability for Requirements in the Proposed Rule

As with TSA’s previously issued requirements for surface transportation owner/operators,145 owner/operators would be required to use the criteria in 49 CFR parts 1580, 1582, 1584, and 1586 to determine whether their operations are higher-risk and which requirements apply to them. Under § 1570.105(a), owner/operators would be required to notify TSA within 30 days of the effective date of the final rule if they meet the criteria for applicability of the requirements in the rule. TSA also proposes an obligation for owner/operators to be aware of the criteria as applied to their future operations. Under section 1570.105(b), TSA would continue to require owner/operators to notify TSA if their operations change, after the notification date specified in paragraph (a), such that the criteria apply. In this situation, an owner/operator would be required to notify TSA no later than the later of (a) 60 days after the effective date or (b) 60 days before commencing the new operations.

This notification requirement is the first compliance deadline that owner/operators must meet under the proposed rule. TSA is aware that the deadlines could cause confusion and concern among owner/operators who are currently required to comply with requirements issued by TSA, such as those issued in 2008146 and 2021,147 that are also in parts 1580, 1582, 1584, and 1586. To avoid any confusion over whether notification is required, TSA is proposing to add to § 1570.105(a) an exception that effectively exempts the owner/operator from this requirement if TSA has otherwise notified the owner/operator that the criteria apply. If this notification is received, these owner/operators would not need to provide separate notification regarding applicability determinations.

145 See current 49 CFR 1570.105.
To mitigate the likelihood of an owner/operator failing to comply based upon lack of recognition of the applicability of these requirements, TSA also intends to use a variety of communication strategies to notify regulated parties that are likely to meet the applicability criteria. For example, TSA would use email to immediately notify its key stakeholder points of contact regarding publication of a final rule. In addition to these established information sharing mechanisms, TSA also conducts regular calls, workshops, and meetings with major industry partners and trade associations. TSA’s surface representatives also work closely with surface-system owner/operators during industry-led security work groups, conferences, roundtables, and other sector-specific government coordination meetings. TSA would use all these mechanisms to notify relevant industry partners of the new requirements.

TSA is also proposing to modify § 1570.105 to add paragraph (c), which would make it clear that once an owner/operator meets the criteria for applicability, they must continue to comply with the requirements in the proposed rule. New paragraph (d) provides an avenue for owner/operators to request to be removed from the scope of applicability. For example, if an owner/operator meets the applicability criteria because of a contract to support STRACNET, but a future change removes them from that role, they would continue to be subject to the requirements until they notify TSA of the changed circumstances and receive a written determination from TSA that they are currently exempt from the requirements. TSA is not imposing a specific timeline for making this notification as it would be within the discretion of the individual owner/operator to seek an exemption. As noted above, the owner/operator would continue to be subject to the requirements until TSA makes a final decision that the owner/operator, or a specific activity of the owner/operator, no longer meets the applicability criteria. It is the owner/operator’s responsibility to notify TSA, in writing, that their operations have changed and to provide supporting documentation. TSA may also need to request additional documentation to support the assertion that the requirements no longer apply. For example, documentation may include proof that contracts with DoD have been rescinded or that they have been operating 30 percent below the threshold for applicability for three consecutive years.

This provision should not be used for non-permanent changes. For example, an owner/operator may have seasonal operations two months of every year that meet the criteria for applicability. In this situation, the owner/operator should seek alternative measures under proposed § 1570.109. An exemption from TSA under § 1570.105(c) is operation specific. If operations change in the future such that they meet the criteria for applicability, the owner/operator would be required to comply with § 1570.105(a) and notify TSA. This notification must be provided within 90 days before commencement of operations that would meet the criteria for applicability of requirements in parts 1580, 1582, 1584, or 1586.

146 See supra note 86.

147 See supra note 87.

3. Structure of CRM Program Requirements (Proposed §§ 1580.303, 1582.203, and 1586.203)

This proposed rule requires a CRM program that includes three major components: (a) a cybersecurity evaluation; (b) a COIP; and (c) a CAP. First, the cybersecurity evaluation generally aligns with the assessments required by TSA in the SD Pipeline–2021–01, SD 1580–21–01, and SD 1582–21–01 series.
This evaluation is also consistent with the NIST CSF, which recommends that a strong cybersecurity program begins with an understanding of the current profile of cybersecurity that looks at both physical and logical/virtual controls.

Second, owner/operators would be required to develop and implement a TSA-approved COIP. This plan aligns with the requirements for a CIP required by the SD Pipeline–2021–02 and SD 1580/82–2022–01 series. As with the CIP requirements in the SDs, the COIP requirements generally apply to Critical Cyber Systems as identified by the owner/operators. TSA is proposing to incorporate other parts of the SDs, including the Cybersecurity Coordinator, the requirement to report cybersecurity incidents, and the CIRP, into the COIP. The COIP requirements, which are organized to align with the NIST components, focus on the following five areas: (1) governance of the CRM program; (2) identification of Critical Cyber Systems; (3) protecting Critical Cyber Systems; (4) detecting and monitoring Critical Cyber Systems; and (5) ensuring response and recovery. As discussed above, TSA has added additional requirements emphasized in the CISA CPGs, including cybersecurity training and supply chain risk management requirements, not previously addressed in the SDs. Consistent with the NIST CSF, the proposed requirements for a COIP represent TSA’s target cybersecurity outcomes for the owner/operators that would be subject to the proposed rule. While TSA is committed to providing maximum flexibility for owner/operators to develop CRM programs appropriate for their operations, as provided by the SDs, the proposed rule includes additional requirements that push owner/operators to a level of cybersecurity maturity that is repeatable. These requirements include more specificity in the type of information to be included in the COIP.
Establishing a minimum baseline of information to be included in the COIP is necessary to ensure enforceability from the perspective of a regulator, but also enhances communication to employees to ensure they know their responsibilities under the CRM program and that the program and its policies are understood across the organization.

Finally, the proposed requirements for a CRM program include an assessment requirement that aligns with the NIST CSF’s taxonomy to achieve maturity by assessing progress toward the target state. The proposed CAP requirements expand upon the requirement for assessments in the SD Pipeline–2021–02 and SD 1580/82–2022–01 series. Under the proposed rule, owner/operators would continue to be required to have a CAP approved by TSA that includes a biennial cybersecurity architecture design review, other assessment capabilities, and annual review of the effectiveness of at least one-third of all required measures in the COIP, so that 100 percent of the policies, procedures, measures, and capabilities and all Critical Cyber Systems would be assessed at least once over 3 years, with a minimum of 30 percent each year. The rule proposes adding additional requirements to ensure independence of auditors and assessors, reporting of results to TSA and corporate leadership, and updates to the COIP based on assessment results.

Subsidiaries. Proposed §§ 1580.303(b), 1582.203(b), and 1586.203(b) specifically address the issue of subsidiaries and allow a business with multiple businesses or business units to submit one CRM program for a single corporate entity. Any documents required by the proposed rule, however, would need to clearly identify and distinguish application of the requirements for each business unit. To meet this requirement, TSA would need to be able to review the plan and readily identify how the requirements are being applied to each business unit.
In other words, CRM program documents that require TSA to develop a separate analysis to determine how the requirements are applied within each business unit would not be acceptable or approved by TSA as meeting the proposed regulatory requirements.

D. Specific CRM Program Requirements

1. Cybersecurity Evaluation (Proposed §§ 1580.305, 1582.205, and 1586.205)

The NIST CSF (GV.OC and GV.RM) recognizes the importance of a "current profile" that examines the extent to which the owner/operator is achieving the outcomes in the target profile and identifies gaps and potential vulnerabilities. For purposes of the requirements in this proposed rule, TSA would expect owner/operators to use the security outcomes identified in the rule, at a minimum, as a basis for the target profile. The proposed rule specifically requires this evaluation to include both physical and logical/virtual security controls. If the evaluation is limited to logical/virtual controls, the owner/operator may not fully recognize the strengths and weaknesses of physical security controls being used instead of, or to augment, cybersecurity measures. For example, if an owner/operator is relying on controls that limit an individual’s access to a building or a floor to offset the impracticability of applying MFA to certain systems, it is important to understand how effective those physical security controls are at meeting the intended purpose. Similarly, understanding available physical security controls can help an owner/operator identify mitigation measures pending the ability to fully reach the required target state.

As noted above, TSA’s SDs for pipeline and rail operators included a requirement to conduct a vulnerability assessment.148 Under proposed §§ 1580.305(b), 1582.205(b), and 1586.205(b), this vulnerability assessment or other similar assessments may be used to comply with the requirement for the initial cybersecurity evaluation as long as it was completed within no more than one year before submission of the owner/operator’s COIP. Under paragraph (c) of these sections, the cybersecurity evaluation must be updated annually. While owner/operators would not be required to submit the evaluation to TSA for approval, they would be required to notify TSA within 7 days of completing the profile and make it available to TSA upon request.

2. Cybersecurity Operational Implementation Plan (Proposed §§ 1580.307, 1582.207, and 1586.207)

a. General COIP Requirements

The COIP required by §§ 1580.307, 1582.207, and 1586.207 is the center of the comprehensive CRM program. As stated in the proposed rule text, TSA would require the COIP to detail the owner/operator’s defense-in-depth plan, including physical and logical/virtual security controls, to comply with the requirements specified in subsequent sections. The results of the cybersecurity evaluation should be used at the beginning of the process to inform the development of and revisions to the COIP from a broader enterprise perspective, while the CAP informs revisions to the COIP based on testing the effectiveness of the measures in the COIP as implemented by the owner/operators.
The COIP must include specific detail on exactly how the owner/operators meet the requirements for (a) governance; (b) identification of critical cyber systems, network architecture, and interdependencies; (c) procedures, policies, and capabilities to protect Critical Cyber Systems; (d) procedures, policies, and capabilities to detect cybersecurity incidents; and (e) procedures, policies, and capabilities to respond to, and recover from, cybersecurity incidents, which would include reporting cybersecurity incidents and the CIRP. Each of these components of the COIP will be discussed below.

As most of the owner/operators that would be subject to this proposed rule’s requirements are currently required to comply with TSA’s cybersecurity SDs, TSA assumes that the COIP for these owner/operators would include detailed descriptions of what they are currently doing to meet the required security outcomes. To meet the regulatory requirements, these detailed descriptions would need to be more than a summary or a restatement of the regulatory text. If an owner/operator is relying on specific software, the COIP should provide details on the software (name, version, scope of deployment, etc.). If relying on policies or procedures identified in other corporate documents, the owner/operator would need to specifically identify the sections of those documents, describe how they meet the required security outcomes, and incorporate the specific sections by reference into their COIP.

148 See section E. of the SD Pipeline 2021–01 series and section D. of the SD 1580–21–01 and 1582–21–01 series.

To the extent the cybersecurity evaluation or CAP identifies areas where the owner/operator is not meeting the required security outcomes, the owner/operator would be required by paragraph (d) of §§ 1580.307, 1582.207, and 1586.207 to include a Plan of Action and Milestones (POAM) in their COIP. Incorporating a POAM in the COIP aligns with the identification of remediation measures in section E.1.c. of the SD Pipeline–2021–01 series and section D.2. of the SD 1580–21–01 and SD 1582–21–01 series. The proposed POAM requirement also aligns with the NIST CSF, which recommends that organizations determine which actions to take to address gaps identified through assessments to achieve the Target Profile.149 The POAM must include the specific measures to be implemented and a detailed timeframe, not to exceed 3 years, to meet all required outcomes, as well as any mitigating measures that will be implemented pending full compliance with all requirements and security outcomes. As part of the COIP, failure to meet the milestones in the POAM could result in a range of enforcement actions.150

The COIP must be made available to TSA for approval. Once approved by TSA, the COIP is a TSA-approved security program. The proposed rule would require the COIP to be updated to reflect any vulnerabilities or weaknesses identified during the annual cybersecurity evaluation and the CAP, discussed below. In addition, owner/operators would be required to conduct exercises of CIRPs (required by proposed §§ 1580.327, 1582.227, and 1586.227). The results of the exercises must also inform updates to the CIRP as part of the COIP.

149 See supra note 13 at 7, 11.

150 See TSA’s Enforcement Sanction Guidance Policy (last updated Nov. 14, 2022) for more information on TSA’s sanction policies, available at https://www.tsa.gov/sites/default/files/enforcement_sanction_guidance_policy.pdf (last accessed June 28, 2023); see also TSA Action Plan Program (effective Aug. 26, 2019), available at https://www.tsa.gov/sites/default/files/action_plan_program.pdf (last accessed June 28, 2023).
Whether resulting from these assessments and exercises—or due to other changes in policies, procedures, capabilities, or Critical Cyber Systems—owner/operators would need to comply with the procedural requirements for security programs, discussed below in section III.F. of this NPRM, to revise their COIP.

TSA recognizes that cybersecurity is ever changing in response to new capabilities and emerging threats. In addition, a detailed defense-in-depth plan is likely to include information that is subject to change for a range of reasons. In section 1570.107(c), TSA provides for this possibility by distinguishing between (1) administrative or clerical changes, (2) substantive but temporary changes, and (3) substantive and permanent changes.151 Within the context of the CRM program, substantive and permanent changes include changes to policies, procedures, or measures contained in a TSA-approved COIP, including documents incorporated by reference into the COIP, that relate to how the owner/operator meets the proposed CRM program requirements and are intended to be in place for 60 or more days. Substantive changes to the COIP must be made following the procedures in proposed § 1570.107(b) for amendments to security programs. For example, a limited-time deployment of new equipment as part of a 30-day pilot may not require amending the CIP, but would require an initial notification to TSA and, within seven calendar days, a description of interim measures that are in place to ensure no diminution of security. A decision to permanently replace equipment would likely require additional measures or revisions to the COIP and the owner/operator would need to request an amendment. TSA is not proposing to require owner/operators to follow the amendment process for administrative or clerical changes to COIPs, including administrative or clerical changes to documents incorporated by reference.
In other words, administrative or clerical changes do not require a request to TSA, notification to TSA, or TSA approval. Administrative or clerical changes are limited to changes to policies, procedures, or measures contained in a TSA-approved COIP, including documents incorporated by reference, that do not relate to how the owner/operator meets the CRM program requirements. Owner/operators would be required to keep a chronological list of all administrative or clerical changes and when they occurred. This list should be consulted by the owner/operator on a regular basis to determine if any changes may have evolved into permanent changes requiring an amendment. The following are examples of substantive changes requiring an amendment:
• Changes in policies, procedures, or capabilities made after a determination that a specific policy, procedure, or measure in the COIP is ineffective based on results of the audits and assessments required under the proposed rule;
• New or additional capabilities the owner/operator has identified or obtained for meeting the requirements for a CRM program that have not been previously approved by TSA;
• Additions, modifications, and deletions to lists of Critical Cyber Systems;
• Changes to the method of MFA required to access a Critical Cyber System;
• Updates to the risk methodology for determining criticality of security patches and updates;
• Use of new vendors, companies, or products when they change the process the owner/operator is using to meet a requirement for the CRM program; and
• Strategic network architecture changes, such as moving from segmenting OT systems with firewalls to using a one-way diode or moving to a zero-trust architecture from a defense-in-depth architecture.
151 See discussion in Section III.F.1. regarding security program amendments in general.
Examples of administrative or clerical changes to COIPs or documents incorporated that do not require the amendment process in § 1570.107(b) could include, but are not limited to, the following:
• Changes to names of documents (for example, changing “IT Policy—Monitoring” to “IT Policy—Monitoring, Detection and Auditing”);
• When only certain parts of a document are incorporated by reference, changes are made to other parts of a document which are not specifically incorporated by reference; and
• Changes intended to be in effect for less than 60 calendar days (which would be subject to the process for temporary changes under proposed § 1570.107(c)(2)).
TSA would also encourage owner/operators to avoid having to make amendments related to documents incorporated by reference in their COIPs by specifically indicating which sections of the documents are being used to meet the requirements for a CRM program rather than referencing the document in its entirety when only specific portions are relevant.
Under §§ 1580.307(e)(1), 1582.207(e)(1), and 1586.207(e)(1), owner/operators must make their COIP available to TSA in a form and manner prescribed by TSA. TSA decided not to propose a specific method in the NPRM due to the need to remain flexible and adaptive to options for submitting documents. Since first imposition of the SD Pipeline–2021–02 series, TSA has been able to move from only one option (submission through a password-protected email or uploading to a secure location using the Homeland Security Information Network (HSIN)) to multiple options, including email/HSIN, a secure portal, and local retention. These options address the concerns of the industry to protect highly sensitive information. While not proposing to codify any of these options, the following discusses each option as it currently exists.
As noted above, owner/operators were originally required to send their list of Critical Systems, CIP and CAP using email as password-protected attachments or upload to HSIN. TSA subsequently developed other authorized methods for submitting and maintaining CIPs, and documents incorporated by reference into CIPs, CAPs, and CAP reports. Instead of submitting these documents via password-protected email or via HSIN, owner/operators may submit documents to the TSA Secure Regulatory Portal (SRP) or retain them locally for in-person or other review pursuant to TSA-approved methods, which may include virtual review. Use of the SRP is the preferred method for TSA as it minimizes the time and personnel investment for owner/operators, accelerates TSA’s ability to review and approve submitted documents, and maintains information security. Owner/operators would be required to use the same method of submission for all of their required documents and must notify TSA of their chosen option. If documents are maintained locally for on-site or virtual review by TSA, the owner/operator must attest to TSA (subject to potential penalties for providing false or misleading information) that they have completed the required actions within the designated timeline. The documents are considered conditionally approved and the owner/operator must begin implementation. TSA considers “implementation” of the CIP to mean that the regulated entity has fully developed its CIP to meet the performance-based measures and has begun to carry out the policies, procedures, measures, and capabilities in the CIP. Therefore, that attested-to and complete CIP may also include timelines for implementation of specific cybersecurity measures that will achieve the performance-based objectives.
A CIP maintained on location is not considered to have final approval until reviewed by TSA, revised as required by TSA, and the owner/operator receives notification from TSA that the CIP has received final approval. Only final approval of the CIP triggers the timelines associated with requirements to develop the CAP and CAP report. Regardless of the manner of submission of any document, TSA retains its full inspection authority. TSA has not required any owner/operator to resubmit information previously approved. The required plans and reports submitted to TSA are Federal records and must be retained in accordance with TSA’s National Archives and Records Administration (NARA)-approved records schedules. Similarly, documents submitted via the secure portal are also Federal records and must be retained in accordance with the same NARA-approved records schedules once TSA reviews them. Finally, documents maintained at an owner/operator’s location are not considered Federal records. At this time, TSA intends to continue allowing all of these approved methods for the COIP, CIRP, and CAP.
b. Governance of the CRM Program (Proposed §§ 1580.309, 1580.311, 1582.209, 1582.211, 1586.209, and 1586.211)
Accountable executive (paragraph (a) of §§ 1580.309, 1582.209, and 1586.209). Both the NIST CSF and the CISA CPGs stress the importance of establishing governance for a CRM program. CPG 1.B. urges identifying a single leader who “is responsible and accountable for cybersecurity within an organization.” Specifically, the CISA CPGs recommend that organizations have a named role/position/title identified “as responsible and accountable for planning, resourcing, and execution of cybersecurity activities.
This role may undertake activities such as managing cybersecurity operations at the senior level, requesting and securing budget resources, or leading strategy development to inform future positioning.” To the extent possible, this individual should not be the Cybersecurity Coordinator or otherwise have responsibility for day-to-day management of the IT or OT system, but should function at a level between the most senior-executive leadership and the implementation/operations level of the organization.152 CISA has identified this action as one with high impact and low complexity, noting that failure to identify an accountable executive can result in a lack of accountability, investment, or effectiveness of a CRM program.153 TSA is adopting this recommendation for purposes of this proposed rule by requiring covered owner/operators to identify an accountable executive for the CRM program. Contact and identifying information for the accountable executive must be provided to TSA and incorporated into the COIP.
Identifying positions with cybersecurity responsibilities (paragraph (b) of §§ 1580.309, 1582.209, and 1586.209). The NIST CSF and the CISA CPGs also emphasize the importance of having a clear understanding of cybersecurity roles and responsibilities within the organization and with stakeholders, and establishing a relationship to ensure effective communication on cybersecurity policies and risks.154 Consistent with these priorities, TSA is proposing to require the COIP to identify positions designated to manage implementation of policies, procedures, and capabilities described in the COIP and coordinate improvements to the CRM program.
In addition, the proposed rule would require identification of any authorized representatives, as defined in the TSA Cybersecurity Lexicon, responsible for implementation of any part of the owner/operator’s CRM program. Authorized representatives are empowered to act on the owner/operator’s behalf to coordinate and conduct activities required by this proposed rule, including specific security measures in the owner/operator’s TSA-approved COIP. Considering these responsibilities, authorized representatives are liable for non-compliance separate from and in addition to the owner/operator. TSA is proposing to require that the corporate or official business information for all authorized representatives must be incorporated into the COIP and be supported with written documentation, such as contractual agreements, between the owner/operator and the authorized representative detailing the scope of responsibilities as related to the measures identified in the COIP. As with other documentation requirements, the owner/operators would need to identify specific provisions applicable to the COIP within any provided documentation. Note that the definition of “authorized representative” in the TSA Cybersecurity Lexicon excludes entities that function as “Managed Security Service Providers.” If an owner/operator, or its authorized representative, has delegated or shared responsibility with a Managed Security Service Provider, wholly or in part, for specific security measures, the owner/operator or authorized representative retains responsibility for ensuring the application of the cybersecurity performance-based measures.
152 See NIST CSF, supra note 13, at 1210–11.
153 See CISA CPG Checklist, v1.01, available at https://www.cisa.gov/sites/default/files/2023-03/cisa_cpg_checklist_v1.0.1_final.pdf (last accessed Sept. 22, 2023).
154 See NIST CSF GV–RR and CPGs 1.B and 1.C.
The distinction in liability between authorized representatives and Managed Security Service Providers is generally consistent with principles of agency. Managed Security Service Providers are not direct employees of the owner/operator but provide one or more services or capabilities that the owner/operator may use to perform required security measures. Managed Security Service Providers generally provide a logical service that is widely available to anyone who purchases the specific capability or service, such as an internet service provider, a program developer, or IT or OT system monitoring and detection capabilities. The authorized representative is an agent empowered to act on behalf of the owner/operator, such as for day-to-day management of a cybersecurity program.
Cybersecurity coordinator (§§ 1580.311, 1582.211, and 1586.211). The proposed rule would codify Section A. of the SD Pipeline–2021–01, SD 1580–21–01 and SD 1582–21–01 series, which requires covered owner/operators to identify a primary and at least one alternate Cybersecurity Coordinator. Security coordinators, in general, are a vital part of transportation security, providing TSA and other government agencies with an identified point of contact with access to company leadership and knowledge of operations, in the event it is necessary to convey extremely time-sensitive information about threats or security procedures to an owner/operator, particularly in situations requiring frequent information updates. Having a designated Cybersecurity Coordinator and alternate provides TSA with a contact in a position to understand cybersecurity problems; immediately raise issues with, or transmit information to, the designated accountable executive or other appropriate corporate or system leadership; and recognize when emergency response action is appropriate.
To meet this purpose, the designated individuals must be accessible to TSA 24 hours per day, seven days per week. The proposed rule does not change the expectation from the SDs that the Cybersecurity Coordinator (primary and alternate) be appointed at the headquarters level. In addition, TSA would carry over the requirement in the SDs for the primary Cybersecurity Coordinator to be a U.S. citizen who is eligible to receive a security clearance. This requirement is necessary to ensure that TSA can rapidly share sensitive information with the owner/operator that may be critical to ensure appropriate actions are taken to address emerging threats. This requirement is also consistent with the SDs and TSA’s experience with Physical Security Coordinators. See discussion in Section III.A.2. As with the SDs, the proposed rule would not require the Cybersecurity Coordinator or alternate to be a dedicated position staffed by an individual who has no other primary or additional duties. The proposed rule would require the following information for the Cybersecurity Coordinator(s): name, title, telephone number(s), and email address. Any change in this information would have to be provided to TSA within seven days of the change taking effect. As previously noted, this is not a new requirement for owner/operators of railroads, including the rail transit operations of PTPR owner/operators, and pipeline facility and systems currently subject to the SDs. If an owner/operator subject to this proposed rule has provided the required information for primary and alternate Cybersecurity Coordinator(s) to TSA in the past, and that information is still current, no further action would be needed to meet this requirement. TSA is expanding the requirements for the primary and alternate Cybersecurity Coordinator(s) to ensure they have the knowledge and skills necessary to perform the responsibilities. 
Cybersecurity is a technical field that requires some degree of knowledge of terms, threats, and the owner/operator’s systems in order to be effective. TSA is specifically requesting comments on existing training and certification programs that could provide low-cost options for meeting these requirements that TSA could review and provide as examples to other owner/operators that would be subject to these requirements.
Updates to governance information. The proposed rule would require owner/operators to notify TSA when information regarding the accountable executive or Cybersecurity Coordinator(s) changes. While the COIP should be current regarding the identification of the accountable executive or Cybersecurity Coordinator(s), TSA would not require the owner/operator to seek an amendment to their COIP to update this information as the updated information would need to be separately provided to TSA.
c. Identification of Critical Cyber Systems, Network Architecture, and Interdependencies
Identifying Critical Cyber Systems (§§ 1580.313, 1582.213, and 1586.213). Both the NIST CSF and the CISA CPGs emphasize the importance of identification of critical assets.155 As with the applicability determinations for this proposed rule, TSA is proposing an informed, risk-based approach to cybersecurity requirements. A critical first step in this process is risk-informed identification of critical IT and OT systems. TSA included a requirement to identify Critical Cyber Systems in the SD Pipeline–2021–01 and SD 1580/82–2022–01 series.
Identifying Critical Cyber Systems, including both IT and OT systems, enables owner/operators to ensure they have adequately identified risks using multiple sources of information and data to identify the threat (i.e., likelihood of an attack), system vulnerabilities, and consequences should the system be the target of a cybersecurity incident. In general, unless otherwise stated, the cybersecurity measures that would be required for protecting, defending, and responding to cybersecurity incidents are limited to these Critical Cyber Systems. For purposes of this proposed rule, TSA proposes to incorporate into the TSA Cybersecurity Lexicon a definition of “Critical Cyber System” that includes any IT or OT system used by the owner/operator that, if compromised or exploited, could result in an operational disruption incurred by the owner/operator, including those business support services that, if compromised or exploited, could result in operational disruption. This term includes systems whose ownership, operation, maintenance, or control is delegated wholly or in part to any other party. The definition of an “operational disruption” includes a deviation from or interruption of business critical functions that results in a compromise or loss of data, system availability, system reliability, or control of systems, or indicates unauthorized access to, or malicious software present on, a Critical Cyber System.
155 See NIST ID–AM and CPG 1.A.
In addition to IT and OT systems that are obviously critical to operations, owner/operators should also consider programmable electronic devices, computers, or other automated systems which are used in providing transportation; alarms, cameras, and other protection systems; and communication systems, and utilities needed for security purposes, including dispatching systems.156 TSA believes the scope of systems to be covered is consistent with the direction in the National Cybersecurity Strategy to ensure cybersecurity regulations “meet the needs of national security and public safety, in addition to the security and safety of individuals, regulated entities, and their employees, customers, operations, and data.”157 Paragraph (a) of §§ 1580.313, 1582.213, and 1586.213 requires specific identifying information for Critical Cyber Systems. This information, at a minimum, would need to include specific identifying information for the system and manufacturer/designer name for each Critical Cyber System. TSA recognizes that the owner/operator is in the best position to determine the critical IT and OT systems needed to support its business-critical functions for operations and market (supply chain) expectations. There is, however, also the potential that a cybersecurity incident that may seem minor to a specific owner/operator could have more wide-ranging impacts on the supply chain as well as impacts on national and economic security. Paragraph (b) would require the owner/operator to include in its COIP the methodology used for identifying Critical Cyber Systems. Looking at systems and processes based on the business services they support may bring more transparency to, and improve the quality of, decision making, thereby improving overall operational resilience.
As part of this methodology, TSA expects owner/operators to use information provided to them on particular risks associated with some systems, including intelligence and other information that identifies the likelihood of a system being the subject of a cybersecurity incident based on known threat information. As noted in the NIST CSF, a mature CRM program is one where the “organization understands its role, dependencies, and dependents in the larger ecosystem,” “collaborates and receives information from other entities,” “is aware of the cyber supply chain risks associated with the products and services” it both provides and uses, and “acts formally upon those risks.”158 While some systems may pose more risk than others, any system that could result in operational disruption should be considered a Critical Cyber System. The methodology would need to describe these considerations and also consider scenarios for how long critical operations and capabilities could be sustained with identified alternatives if a Critical Cyber System is taken offline due to a cybersecurity incident. Finally, once the initial list of Critical Cyber Systems is identified, the methodology would need to include reviewing IT and OT systems not designated as critical to determine the sustainability and operational impacts if one of these systems is unavailable due to a cybersecurity incident. These considerations by the owner/operator may result in needing to update the list of Critical Cyber Systems. Best practices identified by TSA include considering impacts if a system is offline for a short duration (a 4, 8, 12, 24-hour period), or days, a week, several weeks, or months.
156 See sections 1531(d)(1)(C) and 1512(d)(1)(C) of the 9/11 Act, codified at 6 U.S.C. 1181(d)(1)(C) and 1162(d)(1)(C), respectively.
157 See supra note 12 at 8–9.
It is important to recognize that the availability of backups or “workarounds” should not be considered in determining whether an IT or OT system is a Critical Cyber System. These and other mitigation measures should be considered as part of the COIP as actions that are intended to ensure continuity if a Critical Cyber System is incapacitated. In practice, to the extent an owner/operator has developed backups and other mitigation measures for an IT or OT system, that fact should weigh towards identifying the system as critical, i.e., were it not critical, there would not be a need for robust mitigation measures in the event the system is unavailable. In §§ 1580.313(e), 1582.213(e), and 1586.213(d), TSA is proposing to incorporate a requirement from the SD for owner/operators to add any IT or OT systems identified by TSA as Critical Cyber Systems even if not identified as critical by the owner/operator. While TSA is committed to providing flexibility and allowing owner/operators to self-identify their Critical Cyber Systems, the agency is also committed to ensuring a baseline of cybersecurity across specific modes and similarly situated operations. As a result, if TSA notices that an owner/operator has chosen not to identify a system as critical that was identified by other similarly situated owner/operators, TSA would request additional information and, after consultation with the owner/operator, could require the system to be added.
158 See NIST Cybersecurity Framework V1.1. at 10, available at https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf (last accessed May 6, 2024); see also https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1302.ipd.pdf (last accessed May 6, 2024).
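The identification methodology described above separates two questions that are easy to conflate: whether a system is a Critical Cyber System (decided on the unmitigated effect of an outage, with backups and workarounds not counted, plus anything TSA designates), and how long operations could be sustained with identified alternatives (which feeds continuity measures in the COIP). The following is an added illustrative example, not text from the NPRM or any TSA tool, that encodes that separation over a constructed inventory. The outage horizons in hours, the vendor names, the hour figures and the system names are all assumptions chosen to illustrate the 4, 8, 12, 24-hour, day, week, several-week and month review periods the text mentions.

```python
"""Critical Cyber System screening (added illustrative example, not TSA's).

Two separate outputs from one inventory:
  1. is_critical / screen_inventory: the criticality determination, made on
     the unmitigated effect of an outage (backups and workarounds ignored)
     plus any systems TSA designates.
  2. continuity_gaps: for each critical system, the first review horizon at
     which identified alternatives can no longer sustain operations; this
     informs continuity measures in the COIP, not the criticality call.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Review horizons in hours. The 4, 8, 12 and 24-hour periods come from the
# text; 3 days, 1 week, 2 weeks and 30 days are assumed values for the
# "days, a week, several weeks, or months" periods.
HORIZONS_HOURS: List[int] = [4, 8, 12, 24, 72, 168, 336, 720]


@dataclass
class SystemRecord:
    name: str
    manufacturer: str                      # identifying info, paragraph (a)
    kind: str                              # "IT", "OT" or "business support"
    # Hours of outage after which an operational disruption occurs with NO
    # backups or workarounds considered; None means no disruption at any
    # reviewed horizon.
    hours_to_disruption: Optional[float]
    # Hours operations could be sustained using identified alternatives.
    sustainable_with_alternatives_hours: float = 0.0
    delegated_to: Optional[str] = None     # third party operating/maintaining it
    tsa_designated: bool = False           # added to the list at TSA's direction


def is_critical(rec: SystemRecord, horizons: List[int] = HORIZONS_HOURS) -> bool:
    """Criticality is decided on unmitigated impact; alternatives are ignored."""
    if rec.tsa_designated:
        return True
    if rec.hours_to_disruption is None:
        return False
    # Disruption within the longest reviewed horizon makes the system critical,
    # whether it is an IT, OT or business support system and regardless of
    # whether its operation is delegated to another party.
    return rec.hours_to_disruption <= max(horizons)


def screen_inventory(inventory: List[SystemRecord],
                     horizons: List[int] = HORIZONS_HOURS) -> Tuple[List[str], List[str]]:
    """Return (critical system names, names still needing the non-critical review)."""
    critical = [r.name for r in inventory if is_critical(r, horizons)]
    review = [r.name for r in inventory if not is_critical(r, horizons)]
    return critical, review


def continuity_gaps(inventory: List[SystemRecord],
                    horizons: List[int] = HORIZONS_HOURS) -> Dict[str, Optional[int]]:
    """For each critical system, the first horizon its alternatives cannot cover
    (None if alternatives cover every reviewed horizon)."""
    gaps: Dict[str, Optional[int]] = {}
    for r in inventory:
        if not is_critical(r, horizons):
            continue
        unmet = [h for h in horizons if r.sustainable_with_alternatives_hours < h]
        gaps[r.name] = unmet[0] if unmet else None
    return gaps


# Constructed inventory; names, vendors and figures are illustrative only.
SAMPLE_INVENTORY: List[SystemRecord] = [
    SystemRecord("SCADA historian", "ExampleVendor A", "OT", 4, 12),
    SystemRecord("Train dispatch", "ExampleVendor B", "OT", 1, 24,
                 delegated_to="Example MSP"),
    SystemRecord("PTC back office server", "ExampleVendor C", "OT", 0.5, 0,
                 tsa_designated=True),
    SystemRecord("Nominations/billing", "ExampleVendor D", "business support", 48, 0),
    SystemRecord("Payroll", "ExampleVendor E", "IT", None),
    SystemRecord("Public website", "ExampleVendor F", "IT", None),
]

if __name__ == "__main__":
    crit, rev = screen_inventory(SAMPLE_INVENTORY)
    print("Critical Cyber Systems:", crit)
    print("Re-review for sustainment impacts:", rev)
    for name, gap in continuity_gaps(SAMPLE_INVENTORY).items():
        print(f"{name}: alternatives first fall short at {gap} h")
```

Note that the historian, which has a 12-hour manual workaround, is still classed as critical because the call is made on `hours_to_disruption` alone; its workaround shows up only in `continuity_gaps`, where the 24-hour horizon is the first one its alternatives do not cover. The business support system is critical for the same reason the definition gives: it can cause an operational disruption even though it is not an OT system.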
In addition, an owner/operator who does not identify any Critical Cyber Systems is not exempt from the requirements for the CRM program. If TSA agrees that the owner/operator does not have any Critical Cyber Systems, the owner/operator would still need to address other applicable requirements.
Positive Train Control. Consistent with these proposed requirements and standards for identification of Critical Cyber Systems, TSA revised the SD 1580/82–2022–01 series in May 2024 with a new requirement for owner/operators who are either required to install and operate PTC under 49 CFR part 236, subpart I, and/or who voluntarily install and operate PTC under CFR part 236, subpart H or I, to include PTC systems as a Critical Cyber System. TSA is proposing to incorporate this requirement in sections 1580.313 and 1582.213. PTC helps eliminate the risks of accidents and mishandling of locomotives due to human error by using locomotive-borne devices linked to a central dispatching system, through an integrated network communication channel. PTC systems159 are designed to prevent train-to-train collisions, overspeed derailments, incursions into established work zones, and movements of trains through switches left in the wrong position.160 The imposition of PTC requirements has also resulted in far more interconnected rail systems than previously existed with the potential for a cybersecurity incident to affect multiple operators.161 The criticality of these systems is reflected in the FRA’s regulations that require PTC to be used unless the situation falls within one of the limited exceptions provided in their regulations.162 TSA is proposing to require rail owner/operators who use PTC to include specific PTC components as Critical Cyber Systems. As noted above, the FRA’s regulations expect PTC to be used unless the situation falls within one of the limited exceptions provided in FRA’s regulations. The limited exceptions reflect the criticality of these systems.
For example, a train that loses PTC, “[w]here the failure or cut-out is a result of a defective onboard PTC apparatus,” while en route may continue “no farther than the next forward designated location for the repair or exchange of onboard PTC apparatuses.”163 The fact that railroads may operate without functioning PTC systems only in limited situations demonstrates the critical need for these systems.164 Losing PTC capability is likely to disrupt operations. PTC provides critical safety functions, protecting the public from possible train derailments, misaligned track switches, and head-on collisions. To achieve the intended safety benefits, the PTC system must consistently maintain a high level of availability. If the PTC system fails en route, the train must operate at reduced speed and stop at the next forward designated location until the PTC apparatuses are fixed or replaced. Accordingly, loss of the PTC system could interrupt the railroad’s operations. Additionally, if a PTC system were to be the target of a cyberattack that resulted in a widespread disruption in system communication where the result was an inability to initialize communications with multiple locomotives, then trains would have to be held until the issue was resolved or FRA otherwise authorized continued operations.165 As in the SD, the proposed rule incorporates an alternative in lieu of applying access control measures, as required by proposed §§ 1580.317(b) and 1582.217(b), for the PTC hardware and software components installed on freight and passenger locomotives if the owner/operator is complying with the requirements in 49 CFR 232.105(h)(1–4) (General requirements for locomotives), 49 CFR 236.3 (Locking of signal apparatus housings), or 49 CFR 236.553 (Seal, where required).
159 Simply described, PTC systems are comprised of the locomotive onboard computer system, the wayside signals, and the Back Office Server (BOS). Connections are established through cabled cellular communication signals, Wi-Fi, and radio. Some of the data points that are received to control the speed of the locomotive are located through the Global Positioning System (GPS), wayside signal, transponder on or around the track, and monitoring of speed for all locomotives on the same subdivision. Data is compiled from the locomotive into the BOS and is compared to the track image in the PTC system, which can detect violation of movement authority and speed restrictions. The PTC system is an important safety function due to its ability to correct the actions of a train operating outside of the known limits of the system.
160 See FRA, Positive Train Control (PTC), https://railroads.dot.gov/research-development/program-areas/train-control/ptc/positive-train-control-ptc (last accessed Nov. 28, 2023).
161 In March 2023, a nationwide outage of PTC for Amtrak resulted in cancelled and delayed trains in and out of Chicago for multiple days, affecting Amtrak, commuter railroads, and freight railroads. See Bob Johnston, PTC issues cause Amtrak cancellations and delays, Trains.com (last updated Feb. 5, 2024), available at https://www.trains.com/trn/news-reviews/news-wire/ptc-issues-cause-amtrak-cancellations-and-delays/ (last accessed Aug. 2, 2024).
162 See 49 CFR 236.1029. Under 49 CFR 236.1029(b)(6), a train that loses PTC en route, “[w]here the failure or cut-out is a result of a defective onboard PTC apparatus,” may continue “no farther than the next forward designated location for the repair or exchange of onboard PTC apparatuses.”
163 49 CFR 236.1029(b)(6).
164 See FRA Information Guide on Positive Train Control, 49 CFR part 236, subpart I (dated Dec. 12, 2022).
Network architecture.
Paragraph (c) would require owner/operators to identify system information and network architecture for each identified Critical Cyber System. In general, the requirements in paragraphs (c)(1) through (3) align with those in section III.B.1. of the SD Pipeline–2021–02 and SD 1580/82–2022–01 series. TSA is proposing to add two additional requirements for purposes of ensuring effective asset identification and management as part of a comprehensive CRM program. First, §§ 1580.313(d)(4), 1582.213(d)(4), and 1586.213(c)(4) would require an owner/operator to identify the baseline of acceptable communications between Critical Cyber Systems and external connections, or between IT and OT systems. This requirement is necessary to ensure the owner/operator can comply with requirements in proposed §§ 1580.323, 1582.223, and 1586.223, which require documenting any communications between IT and OT systems and an external system that deviate from the identified baseline of communications. Sections 1580.313(d)(5), 1582.213(d)(5), and 1586.213(c)(5) would require the owner/operator to identify any operational needs that prevent implementation or delay implementation of the CRM program requirements for Critical Cyber Systems, such as application of security patches and updates, encryption, or MFA. Sections 1580.313(f), 1582.213(f), and 1586.213(e) would provide that any substantive changes to Critical Cyber Systems would require an amendment to the COIP. It is critical for both TSA and the owner/operator to know the COIP has the current list of Critical Cyber Systems. TSA prepares for inspections in advance, and it increases the amount of time inspections take for owner/operators and TSA if the list is not current.
165 Id.
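The baseline requirement above, read together with the documentation requirement in proposed §§ 1580.323, 1582.223, and 1586.223, amounts to an allowlist of communications that cross the IT, OT and external boundaries plus a record of every observed flow outside it. The following is an added example, not text from the NPRM or any TSA tool, that applies such a check to constructed NetFlow-style records; the zone address ranges, the baseline entries, the hosts, ports and flow lines are all assumptions made for the illustration.

```python
"""Baseline-deviation check for cross-boundary communications (added example).

Not from the NPRM or any TSA tool. It assumes a constructed zone map, a
constructed baseline of acceptable communications, and constructed flow
records in a NetFlow-like CSV form: timestamp,src_ip,dst_ip,proto,dst_port,bytes.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Assumed address plan: OT and IT ranges; anything else is an external connection.
ZONES: Dict[str, List[ipaddress.IPv4Network]] = {
    "OT": [ipaddress.ip_network("10.10.0.0/16")],
    "IT": [ipaddress.ip_network("10.20.0.0/16")],
}

# Baseline of acceptable communications between zones, in the form the
# proposed paragraph (d)(4) calls for: (source zone, destination zone,
# protocol, destination port). Entries are constructed for the example.
Flow = Tuple[str, str, str, int]
BASELINE: Set[Flow] = {
    ("OT", "IT", "tcp", 1433),        # historian replication into the IT database
    ("IT", "OT", "tcp", 443),         # HTTPS from the IT jump host to OT HMIs
    ("IT", "EXTERNAL", "tcp", 443),   # general outbound HTTPS from IT
    ("EXTERNAL", "IT", "tcp", 443),   # inbound to the IT VPN concentrator
}


def zone_of(ip: str) -> str:
    """Map an address to OT, IT or EXTERNAL using the assumed address plan."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "EXTERNAL"


def check_flows(lines: List[str], baseline: Set[Flow] = BASELINE) -> List[Dict[str, str]]:
    """Return one documentation record per flow that crosses a zone boundary
    and is not in the baseline. Flows inside a single zone are outside the
    scope of this check and are skipped."""
    deviations: List[Dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, nbytes = line.split(",")
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue                       # not an IT/OT or external crossing
        key = (src_zone, dst_zone, proto.lower(), int(dport))
        if key in baseline:
            continue
        deviations.append({
            "time": ts,
            "src": src,
            "dst": dst,
            "boundary": f"{src_zone}->{dst_zone}",
            "service": f"{proto.lower()}/{dport}",
            "bytes": nbytes,
            "note": "not in documented baseline; record for review",
        })
    return deviations


# Constructed flow records (not real traffic); one per line.
SAMPLE_FLOWS: List[str] = """\
# timestamp,src_ip,dst_ip,proto,dst_port,bytes
2024-11-07T10:00:00Z,10.10.5.7,10.20.1.10,tcp,1433,8192
2024-11-07T10:00:05Z,10.20.3.4,10.10.5.7,tcp,443,1024
2024-11-07T10:01:00Z,10.10.5.7,203.0.113.25,tcp,443,512
2024-11-07T10:02:00Z,10.20.3.4,10.10.5.9,tcp,22,300
2024-11-07T10:03:00Z,10.10.5.7,10.10.5.9,tcp,502,128
2024-11-07T10:04:00Z,198.51.100.9,10.10.5.7,udp,161,90
""".splitlines()

if __name__ == "__main__":
    for record in check_flows(SAMPLE_FLOWS):
        print(record)
```

On the sample records the first two flows match the baseline, the OT-to-OT Modbus flow is skipped as intra-zone, and three flows are written out for documentation: OT to an external address over HTTPS, SSH from IT into OT, and SNMP from an external address into OT. Keeping the baseline as zone-to-zone tuples rather than host pairs mirrors the way the requirement is worded and keeps the list reviewable when hosts change.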
In addition, having ready access to this information can help TSA notify owner/operators if specific intelligence or other threat information becomes available relevant to that specific system or capability.
Supply chain risk management (§§ 1580.315, 1582.215, and 1586.215). Both the NIST CSF166 and the CISA CPGs167 include recommendations related to supply chain risk management. TSA is proposing to incorporate all three recommendations from the CISA CPGs for supply chain risk management into this proposed rule. The requirements would apply to any procurement or contractual documents executed or updated after the effective date of the final rule. The SolarWinds supply chain compromise is one of the most well-known examples of a cybersecurity risk associated with services and systems provided by external supply chain providers. Using a backdoor implanted in a software update downloaded by customers using the SolarWinds Orion product, malicious actors were able to retrieve and execute commands that included the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masqueraded its network traffic as the Orion Improvement Program protocol and stored reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity. The backdoor used multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.
Victims included government, consulting, technology, telecom and other entities in North America, Europe, Asia and the Middle East.168 Proposed §§ 1580.315(a), 1582.215(a), and 1586.215(a) address these supply chain threats by incorporating the recommendations in CPG 1.G, which encourage organizations to incorporate supply chain incident reporting in their procurement documents and contracts to ensure they can more rapidly learn of, and respond to, known cybersecurity incidents across vendors and service providers. Specifically, CPG 1.G recommends that these documents, such as service-level agreements, ‘‘stipulate that vendors and/or service providers notify the procuring customer of security incidents within a risk-informed time frame as determined by the organization.’’ A risk-informed time frame is one that is sufficient for the owner/operator to identify and address any potential risks to their Critical Cyber Systems based on the scope and type of cybersecurity incident. Paragraph (b) incorporates CPG 1.H, which recommends that organizations require these documents to stipulate that vendors and/or service providers notify the procuring customer of confirmed security vulnerabilities in their assets within a risk-informed time frame.
166 See GV.SC. of the NIST CSF.
167 See CPG 1.G, 1.H, and 1.I.
168 See Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor (Dec. 13, 2020; last updated May 12, 2022) available at https://www.mandiant.com/resources/blog/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-back (last accessed June 12, 2023); see also https://www.cisa.gov/news-events/news/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure for more resources regarding the SolarWinds supply chain compromise.
This reporting ensures organizations can more rapidly learn about, and respond to, vulnerabilities in assets provided by vendors and service providers. Paragraph (c) incorporates CPG 1.I, which recommends that ‘‘procurement documents include cybersecurity requirements and questions, which are evaluated in vendor selection such that, given two offerings of roughly similar cost and function, the more secure offering and/or supplier is preferred.’’ Implementing this recommendation would reduce risk by ensuring that the most secure products and services are purchased and that purchasing priority is given to more secure suppliers. In its CPG Checklist, CISA has assessed these three actions as low in complexity but high in impact at addressing the known threat. In paragraph (d), TSA is proposing that when a notification of a cybersecurity incident or vulnerability is received, the owner/operator must consider mitigation measures sufficient to address the resulting risk to Critical Cyber Systems. In addition, if any of these measures would result in permanent changes, the owner/operator would need to request to amend its COIP. If the vendor’s cybersecurity incident puts the owner/operator’s IT or OT systems at more direct and immediate risk, it may also be a reportable cybersecurity incident. In setting cybersecurity regulations for critical infrastructure, the National Cybersecurity Strategy encourages regulators ‘‘to drive the adoption of secure-by-design principles.’’ 169 TSA is requesting specific comments on whether the supply chain requirements in the final rule should also include ensuring that any software purchased for, or installed on, Critical Cyber Systems meets CISA’s Secure-by-Design and Secure-by-Default principles.170
169 See supra note 12 at 8–9.
d. Procedures, Policies, and Capabilities To Protect Critical Cyber Systems
Protecting Critical Cyber Systems requires a combination of controls, capabilities, and awareness.
Proposed §§ 1580.317, 1582.217, and 1586.217 include the requirements for network segmentation, capabilities to control access to or disruption of OT and IT systems, patch management, and ensuring these capabilities have robust logging and back-up requirements. Proposed §§ 1580.319, 1582.219, and 1586.219 require training to enhance awareness for individuals regarding their roles and responsibilities in protecting Critical Cyber Systems.
Network segmentation, controlling communications, zone boundaries, and encryption. Proposed paragraphs (a) through (c) of §§ 1580.317, 1582.217, and 1586.217 would require owner/operators to incorporate into their COIP the network segmentation policies and controls necessary to address cybersecurity threats. To align with the NIST CSF’s ‘‘Protect’’ function, this section includes requirements from both section III.B. and section III.C. of the SD Pipeline–2021–02 and 1580/82–2022–01 series.171 The scope of the requirements in paragraphs (a) through (c) specifically includes security outcomes intended to (a) protect against access to, or disruption of, the OT system if the IT system is compromised, or vice versa; (b) ensure IT and OT system services transit the other only when necessary for validated business or operational purposes; (c) secure and defend zone boundaries to defend against unauthorized communications between zones, and prohibit OT services from traversing the IT system, or vice versa, unless encryption or other controls are in place; and (d) control access to Critical Cyber Systems. Many historical intrusions demonstrate that adversaries generally compromise a single vulnerable system or host and then move laterally across a network until reaching an identified target. Implementing segmentation impedes adversaries who have successfully entered the environment from producing cascading consequences and limits their ability to impact the entire process simultaneously, reducing both physical and cyber consequences. Network segmentation is necessary to reasonably ensure that an intrusion is limited to the initially compromised host and does not spread to affect Critical Cyber Systems. Flat or unsegmented networks pose an exigent risk to cybersecurity, as any spread of an intrusion can result in a significant impact to systems that support public health and safety. Preventing or controlling such spread mitigates the costs of a successful cybersecurity incident, especially if segmentation averts intruder exposure to critical systems, which could potentially cost billions of dollars in damage. Reducing the costly impacts of ransomware attacks over time may change the economic incentive of the attackers and reduce their frequency in the long term.
170 For more information on these principles, see Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default (Apr. 13, 2023), available at https://www.cisa.gov/sites/default/files/2023-06/principles_approaches_for_security-by-design-default_508c.pdf (last accessed Aug. 7, 2023).
171 These requirements generally align with the recommendations in PR.AA of the NIST CSF and CPG 2.C (Unique Credentials), 2.D (Revoking Credentials for Departing Employees), 2.E (Separating User and Privileged Accounts), 2.H (Phishing-Resistant Multifactor Authentication (MFA)), 2.K (Strong and Agile Encryption), 2.O (Document Device Configurations), 2.P (Document Network Topology), and 2.X (Limit OT Connections to Public Internet).
Access control. Proposed paragraph (b) of §§ 1580.317, 1582.217, and 1586.217 includes requirements for controlling access to Critical Cyber Systems.
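The baseline-of-communications requirement (§§ 1580.313(d)(4), 1582.213(d)(4), and 1586.213(c)(4)) and the zone-boundary outcomes in paragraphs (a) through (c) above can be checked mechanically once the baseline is written down: every cross-zone flow either matches a documented baseline entry (with encryption where the baseline demands it) or is a deviation that must be recorded under §§ 1580.323, 1582.223, and 1586.223. The Python below is an added example and is not code from TSA, from any Security Directive, or from any owner/operator; the zone address ranges, the baseline entries, the flow-record format and the sample flow log are all constructed for illustration.

```python
"""Check observed IT/OT/external flows against a documented communications baseline.

Added illustration; not from the TSA proposal or any Security Directive.
Zone ranges, baseline entries, the flow-record format and the sample log
are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical zone map for one site. Any address not listed is EXTERNAL.
ZONES = {
    "IT":  [ipaddress.ip_network("10.10.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.30.0.0/24")],
    "OT":  [ipaddress.ip_network("10.20.0.0/16")],
}

# Documented baseline: (src_zone, dst_zone, proto, dport) -> encryption required?
# Only cross-zone flows are listed; intra-zone traffic is out of scope here.
BASELINE = {
    ("IT", "DMZ", "tcp", 443): True,        # historian replication into the DMZ
    ("DMZ", "OT", "tcp", 502): False,       # Modbus/TCP polling by the DMZ collector
    ("OT", "DMZ", "tcp", 443): True,        # OT pushes telemetry to the DMZ
    ("IT", "EXTERNAL", "tcp", 443): True,   # enterprise web egress
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    encrypted: bool


def zone_of(addr: str) -> str:
    """Map an address to its zone; unknown ranges are treated as external."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "EXTERNAL"


def parse_flow(line: str) -> Flow:
    """Parse 'src dst proto dport enc' where enc is yes/no (constructed format)."""
    src, dst, proto, dport, enc = line.split()
    return Flow(src, dst, proto.lower(), int(dport), enc.lower() == "yes")


def classify(flow: Flow) -> str:
    """Return baseline / intra_zone / not_in_baseline / unencrypted_boundary_crossing."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "intra_zone"
    required = BASELINE.get((src_zone, dst_zone, flow.proto, flow.dport))
    if required is None:
        return "not_in_baseline"
    if required and not flow.encrypted:
        return "unencrypted_boundary_crossing"
    return "baseline"


def find_deviations(lines):
    """Return (flow, reason) for every flow that would have to be documented as a deviation."""
    deviations = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop trailing comments / blank lines
        if not line:
            continue
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict not in ("baseline", "intra_zone"):
            deviations.append((flow, verdict))
    return deviations


# Constructed flow log (not real traffic).
SAMPLE_FLOW_LOG = """\
10.10.5.21   10.30.0.10    tcp 443  yes   # IT -> DMZ, in baseline
10.30.0.10   10.20.1.15    tcp 502  no    # DMZ -> OT Modbus, in baseline
10.20.1.15   10.20.1.16    tcp 502  no    # OT -> OT, intra-zone
10.10.5.21   10.20.1.15    tcp 3389 yes   # IT -> OT RDP, not in baseline
10.20.1.15   203.0.113.7   tcp 443  yes   # OT -> Internet, not in baseline
10.10.7.3    10.30.0.10    tcp 443  no    # IT -> DMZ but cleartext
"""

if __name__ == "__main__":
    for flow, reason in find_deviations(SAMPLE_FLOW_LOG.splitlines()):
        print(f"{reason:30} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

Run against the constructed log, the check flags the IT-to-OT RDP session and the OT-to-Internet connection as flows absent from the baseline, and the cleartext IT-to-DMZ connection as a boundary crossing that the baseline only permits encrypted; those three records are what the deviation log would contain. The same structure applies to the real case when the baseline is exported from firewall or diode policy rather than typed in.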
These requirements generally align with the recommendations in PR.AA of the NIST CSF and CPG 2.C (Unique Credentials), 2.D (Revoking Credentials for Departing Employees), and 2.E (Separating User and Privileged Accounts). As noted above (see section III.D.2.c.), TSA is proposing a limited exception for application of the access control measures required by proposed paragraph (b). In lieu of these requirements, §§ 1580.317(f) and 1582.217(f) would allow owner/operators to rely on the physical security controls used to comply with the FRA’s regulations under 49 CFR 232.105(h)(1–4) (General requirements for locomotives), 49 CFR 236.3 (Locking of signal apparatus housings), or 49 CFR 236.553 (Seal, where required), as applicable. This exception is limited to PTC hardware and software components installed on freight and passenger locomotives. TSA previously provided this exception in revisions to the SD 1580/82–2022–01 series issued in June 2024. To rely on this exception, owner/operators would need to be in full compliance with the FRA regulations noted in the exception and specify in their COIP what physical security measures are being used to prevent unauthorized access to the specific PTC components installed on the locomotive.
Identification and authentication policies. Identification and authentication policies are fundamental controls that should be part of a basic cybersecurity program and should already be in place for organizations covered by the SDs. To the extent that these controls are not in place, this is a vulnerability that could be imminently exploited. Promptly changing passwords that are known or suspected to be compromised is a fundamental cybersecurity practice. Minimizing this known threat vector requires immediate action to mitigate the threat.
VADRs conducted by CISA, and other assessments and interviews with asset owners, have identified cases where passwords used in ICS were stolen, the organization was aware they had been compromised, yet the passwords were subsequently left unchanged for multiple years. In the absence of effective controls, adversaries in possession of these passwords could use them at any time to access the ICS. Any previously compromised password that is still valid, has not been disabled, and is not covered by compensating controls that prevent adversarial access to the system could be used by an adversary to access that system.
Multi-factor authentication. Multi-factor authentication (MFA) requirements, or compensating controls that meet the same security outcomes, are also necessary to provide an additional layer of security for accounts whose credentials have been compromised. Aggressive activity by threat actors against both IT and OT systems stems from identity management abuse, which can be significantly mitigated by using strong access control measures, such as MFA. Accounts using only a username and password are vulnerable to multiple modes of compromise, including password spraying and credential stuffing. Multi-factor authentication effectively protects against these tactics and the associated unauthorized access. Implementing this requirement reduces the risk of unauthorized access to Critical Cyber Systems by employing security access controls that are equal to or greater than the protection offered by the use of MFA. The intent is to employ MFA where appropriate and, where it is not, to ensure strong physical and logical security controls are in place that meet or exceed the protection that MFA affords.
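Password spraying and credential stuffing leave a recognisable shape in authentication logs: one source failing against many distinct accounts with one or two attempts each (a spray), as opposed to many failures against a single account (a brute force), and, in either case, a later successful login from the same source that indicates a working credential was found. The following Python is an added example, not code from TSA or from any SD, showing detection logic of that kind run over constructed log lines; the log format, the thresholds and window, and the addresses and user names are all assumptions made for the illustration, and the heuristics are deliberately simple rather than a substitute for a SIEM rule set.

```python
"""Spot password spraying, brute force and post-attack logins in auth logs.

Added illustration; not from the TSA proposal. The log line format,
thresholds, source addresses and user names are constructed.
Heuristics: a spray is many distinct accounts with few failures each from
one source inside a window; a brute force is many failures against one
account from one source; a success from a source already flagged is the
signal that a credential has been found.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed format: "<iso-timestamp>Z src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")


class Event(NamedTuple):
    ts: datetime
    src: str
    user: str
    ok: bool


class Finding(NamedTuple):
    kind: str
    src: str
    detail: str


def parse(line: str) -> Event:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    ts, src, user, result = m.groups()
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), src, user, result == "OK")


def detect(lines, window=timedelta(minutes=10), spray_accounts=5, brute_failures=6):
    """Return findings in log order; thresholds are illustrative, not recommended values."""
    events = sorted(parse(l) for l in lines if l.strip())
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)

    findings = []
    for src, evs in by_src.items():
        recent = deque()      # failures from this source inside the window
        flagged = set()       # what has already been reported for this source
        for ev in evs:
            if ev.ok:
                # A success after the source was flagged means a credential worked.
                if flagged:
                    findings.append(Finding("success_after_attack", src, ev.user))
                continue
            recent.append(ev)
            while ev.ts - recent[0].ts > window:
                recent.popleft()
            per_user = Counter(e.user for e in recent)
            if (len(per_user) >= spray_accounts and max(per_user.values()) <= 2
                    and "spray" not in flagged):
                flagged.add("spray")
                findings.append(Finding("password_spray", src, f"{len(per_user)} accounts"))
            if per_user[ev.user] >= brute_failures and ("brute", ev.user) not in flagged:
                flagged.add(("brute", ev.user))
                findings.append(Finding("brute_force", src, ev.user))
    return findings


# Constructed sample log: one spraying source that eventually succeeds, one
# ordinary typo-then-success, and one brute force against 'admin'.
SAMPLE_AUTH_LOG = """\
2024-11-07T10:00:01Z src=198.51.100.9 user=alice result=FAIL
2024-11-07T10:00:02Z src=198.51.100.9 user=bob result=FAIL
2024-11-07T10:00:03Z src=198.51.100.9 user=carol result=FAIL
2024-11-07T10:00:04Z src=198.51.100.9 user=dave result=FAIL
2024-11-07T10:00:05Z src=198.51.100.9 user=erin result=FAIL
2024-11-07T10:00:06Z src=198.51.100.9 user=frank result=FAIL
2024-11-07T10:00:30Z src=198.51.100.9 user=frank result=OK
2024-11-07T10:02:00Z src=10.10.5.21 user=alice result=FAIL
2024-11-07T10:02:10Z src=10.10.5.21 user=alice result=OK
2024-11-07T10:05:00Z src=203.0.113.5 user=admin result=FAIL
2024-11-07T10:05:10Z src=203.0.113.5 user=admin result=FAIL
2024-11-07T10:05:20Z src=203.0.113.5 user=admin result=FAIL
2024-11-07T10:05:30Z src=203.0.113.5 user=admin result=FAIL
2024-11-07T10:05:40Z src=203.0.113.5 user=admin result=FAIL
2024-11-07T10:05:50Z src=203.0.113.5 user=admin result=FAIL
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{f.kind:22} {f.src:15} {f.detail}")
```

On the constructed log the spray from 198.51.100.9 is reported after the fifth distinct account, the later success for `frank` from the same source is reported as a success after attack, and the six failures against `admin` from 203.0.113.5 are reported as a brute force; the single failed-then-successful login from 10.10.5.21 is not flagged. The point of the last case is the one the paragraph makes: with MFA in place the `success_after_attack` line would not exist, because the sprayed password alone would not have been enough.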
Similar to the PTC exception for rail operations, TSA is proposing to incorporate from the SD Pipeline–2021–02 series a limited exception for MFA that addresses pipeline-specific operational considerations. In its regulations applicable to the safety of pipeline operations, PHMSA imposes requirements specifically applicable to control rooms used to monitor and control all or part of a pipeline facility through a SCADA system.172 Under PHMSA’s regulations, controllers in the control room are responsible for monitoring day-to-day operations of the SCADA system and managing abnormal and emergency situations. In the midst of an emergency or alarm resolution, requiring MFA to access a workstation could have significant ramifications for pipeline safety and security. Based on these considerations, TSA is proposing to carry forward the limited exception from the SD to proposed § 1586.217(b)(2). Under this exception, if an owner/operator is in compliance with PHMSA’s requirements, and includes in its COIP details of the adequate compensating controls it uses to prevent unauthorized physical and logical access to control room industrial control systems within the scope of the owner/operator’s Critical Cyber Systems, it can rely on those measures in lieu of MFA. At a minimum, TSA would expect the COIP to detail physical security controls, including segmentation of the workstation from enterprise IT systems, and the additional compensating controls applied to prevent unauthorized physical and logical access to the workstation(s).
Privileged accounts. Most intrusions that occur are identity compromises, and implementing these controls greatly reduces the impact from successful compromises by limiting what can be done with any credentials and making intrusions more visible when those credentials are used.
Controlling access to and closely monitoring user accounts is a foundational control necessary to limit the extent of disruption and damage caused by potential intrusions. Establishing governance over privileged accounts addresses the urgent risk of unauthorized administrative access to life safety systems. Establishing governance over such accounts is a foundational step that should be undertaken to increase the industry baseline for access control. Establishing this baseline of security would significantly reduce the vulnerability of the Critical Cyber Systems because adversaries are currently seeking to exploit entities with weaker access control compared to competitors or the industry standard. Policies such as Just-In-Time Privileged Account Management can mitigate the risk of privileged-account abuse by reducing the amount of time a threat actor has to gain access to privileged accounts before moving laterally through a system and gaining access to sensitive data. Controlling privileged accounts is an important initial step toward implementing ‘‘zero trust’’ policies.
172 See, e.g., 49 CFR 192.631 (applicable to transportation of gas) and 49 CFR 195.446 (applicable to hazardous liquids). For purposes of these regulations, a control room is defined as ‘‘an operations center staffed by personnel charged with the responsibility for remotely monitoring and controlling a pipeline facility.’’ See 49 CFR 192.2 and 195.2.
Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.173 The purpose of zero trust is to minimize uncertainty in enforcing accurate, least privilege, per-request access decisions for IT and OT systems in the context of assuming that a breach is inevitable or has already likely occurred.174 Unauthorized access to privileged accounts can be used to exercise administrative control of highly critical systems, including those that manage life safety functions. Privileged accounts must be well-governed, including by controlling and closely monitoring their use.
Managing shared accounts. In general, shared accounts are inherently vulnerable to a cybersecurity incident and should never be used. As a result, it is best to require individual user and administrator accounts where technically feasible, with security controls appropriate for the different privilege levels and policies that prohibit sharing accounts. Shared accounts open a security vulnerability and complicate post-incident review of cybersecurity incidents. The vulnerability exists as long as an active password is known by individuals who no longer need access. It is not sufficient to rely on revoked credentials to mitigate the risk when an employee who knows the password no longer needs access to the system. The lack of unique accounts can also be a critical factor in incident response. For example, when accounts are shared among multiple individuals, it may not be feasible to determine which user is responsible for a given action. If a security incident occurs, it can be difficult to identify the source of that incident if it comes from a shared account. While an ideal CRM program would not permit shared accounts, TSA recognizes that, in some control system environments, management may make a risk-based decision to allow shared accounts. If the owner/operator permits shared accounts in limited situations as determined necessary for operations, that decision needs to be managed with appropriate compensating controls, including capabilities such as enterprise password vaults and/or a logging system that allows the owner/operator to determine who has had access to the account and when. This data is critical for a forensic investigation following a cybersecurity incident. The proposed rule would require the owner/operator to include actions to manage the risks of shared accounts in their COIP. Trust relationships, especially identity trust relationships between systems, are exploited by adversaries to compromise systems. In environments with shared trust between the OT and IT environments, a compromise of an IT system can immediately and directly place the OT system at risk. Severing these identity trusts is a critical safeguard in light of the current threat. If credentials from a shared or trusted store have been previously compromised, any system that trusts those credentials is put at immediate risk.
173 See NIST SP 800–207, Zero Trust Architecture, at 4 (Aug. 2020). Zero trust architecture is an end-to-end approach to enterprise resource and data security that encompasses identity (person and non-person entities), credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure. The initial focus should be on restricting resources to those with a need to access and granting only the minimum privileges (e.g., read, write, delete) needed to perform the mission. Document available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf (last accessed Oct. 16, 2023).
174 Id.
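The compensating controls named above for a permitted shared account (a vault that records who checked the account out and when, plus host logging of what the account did) only deliver the forensic value the paragraph describes if the two records can actually be joined, and if the password is rotated at every hand-off so that a previous holder's knowledge of it stops being useful. The Python below is an added example, not code from TSA, from any SD, or from any vault product; it assumes a vault check-out ledger and an ICS host log of the constructed shapes shown, and the account, users, timestamps and actions are all made up for the illustration.

```python
"""Attribute shared-account actions to people using vault check-out records.

Added illustration; not from the TSA proposal. It assumes an enterprise
password vault that logs who checked a shared account out and when and
rotates the password on check-in, and a host log of actions taken under the
shared account name. Users, account, timestamps and actions are constructed.
"""
from dataclasses import dataclass
from datetime import datetime


def t(s: str) -> datetime:
    return datetime.fromisoformat(s)


@dataclass(frozen=True)
class Checkout:
    user: str
    account: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Action:
    ts: datetime
    account: str
    detail: str


# Constructed vault ledger for one shared HMI account (note the overlap at 10:00-10:15).
CHECKOUTS = [
    Checkout("jsmith", "ot-hmi-shared", t("2024-11-07T08:00:00"), t("2024-11-07T09:00:00")),
    Checkout("rlee",   "ot-hmi-shared", t("2024-11-07T09:30:00"), t("2024-11-07T10:30:00")),
    Checkout("jsmith", "ot-hmi-shared", t("2024-11-07T10:00:00"), t("2024-11-07T10:15:00")),
    Checkout("mchen",  "ot-hmi-shared", t("2024-11-07T11:00:00"), t("2024-11-07T11:30:00")),
]
# Constructed rotation log: the vault only rotated the password once that day.
ROTATIONS = {"ot-hmi-shared": [t("2024-11-07T09:00:05")]}
# Constructed HMI host log; every entry is recorded under the shared account name.
ACTIONS = [
    Action(t("2024-11-07T08:15:00"), "ot-hmi-shared", "setpoint_change tag=PV-101"),
    Action(t("2024-11-07T09:10:00"), "ot-hmi-shared", "login"),
    Action(t("2024-11-07T09:45:00"), "ot-hmi-shared", "login"),
    Action(t("2024-11-07T10:05:00"), "ot-hmi-shared", "config_upload"),
    Action(t("2024-11-07T11:05:00"), "ot-hmi-shared", "alarm_ack"),
]


def attribute(action: Action, checkouts) -> str:
    """Name the person who held the account when the action happened, if exactly one did."""
    holders = sorted({c.user for c in checkouts
                      if c.account == action.account and c.start <= action.ts <= c.end})
    if not holders:
        return "UNATTRIBUTED"          # nobody had it checked out: a control failure
    if len(holders) > 1:
        return "AMBIGUOUS:" + ",".join(holders)   # overlapping check-outs
    return holders[0]


def attribute_all(actions, checkouts):
    return [(a.ts.isoformat(), a.detail, attribute(a, checkouts))
            for a in sorted(actions, key=lambda a: a.ts)]


def unrotated_handoffs(checkouts, rotations):
    """Check-ins after which a different person used the account with no rotation in between.

    Each hit means the earlier holder still knew a valid password while someone
    else was accountable for the account.
    """
    flagged = []
    ordered = sorted(checkouts, key=lambda c: c.start)
    for c in ordered:
        later = [n for n in ordered
                 if n.account == c.account and n.user != c.user and n.start >= c.end]
        if not later:
            continue
        nxt = min(later, key=lambda n: n.start)
        rotated = any(c.end <= r <= nxt.start for r in rotations.get(c.account, []))
        if not rotated:
            flagged.append((c.user, c.end.isoformat(), nxt.user))
    return flagged


if __name__ == "__main__":
    for row in attribute_all(ACTIONS, CHECKOUTS):
        print(*row)
    for user, checkin, next_user in unrotated_handoffs(CHECKOUTS, ROTATIONS):
        print(f"no rotation after {user} checked in at {checkin}; next holder {next_user}")
```

On the constructed data the 08:15 setpoint change attributes cleanly to `jsmith`, the 09:10 login is unattributed (nobody had the account checked out, so either the vault was bypassed or the password is known outside it), the 10:05 configuration upload is ambiguous because two check-outs overlap, and two hand-offs happened without a rotation. Each of those three outcomes is a finding an investigator would need to chase, and each is invisible if the vault ledger and the host log are never joined.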
Patch management. Proposed paragraph (e) of §§ 1580.317, 1582.217, and 1586.217 would require owner/operators to have a patch management strategy that ensures all critical security patches and updates are applied consistent with the owner/operator’s risk-based methodology for prioritizing patches. These requirements align with section III.E. of the SD Pipeline–2021–02 and 1580/82–2022–01 series and CPG 1.E (Mitigating Known Vulnerabilities). Unmanaged software can introduce vulnerabilities into a system and, if left unpatched, could lead to a system compromise. Historical intrusions, including those affecting critical infrastructure, demonstrate that adversaries commonly exploit unpatched or legacy assets. A robust patching program ensures that known vulnerabilities are quickly addressed based upon the criticality of the underlying asset. A timely patching program is a fundamental attribute of a mature cybersecurity program and is likely already in place for organizations within the applicability of this proposed rule. Proof-of-concept exploit code for critical Windows vulnerabilities is often publicly available and seen ‘‘in the wild’’ within hours or days.
Logging. Proposed paragraph (d) of §§ 1580.317, 1582.217, and 1586.217 would require owner/operators to ensure logging data is stored in a secured and centralized system and maintained for a duration sufficient to support risk analysis. When a cybersecurity incident occurs, the focus is often on recovery to normal operations, but it is also critical to have strong procedures in place to ensure that critical data that could identify perpetrators and vulnerabilities is not destroyed. Log retention policies enable an organization to determine the scope of an intrusion, protecting the integrity of critical systems and life safety controls.
Numerous recent cybersecurity incidents have indicated that organizations with insufficient logs are unable to effectively identify or assess the extent of a cybersecurity incident. In VADRs conducted by CISA, nearly half of all assessments identified issues related to how logs are kept and maintained, including failures to centrally collect logs and failure to have the resources and policies necessary to properly analyze and audit logs. Considering the current capabilities of adversaries as identified in the classified intelligence, owner/operators need to be prepared to determine the scope of an incident to ensure the safety and resiliency of their operations in support of national and economic security. Without this information, organizations often cannot determine whether an actor has penetrated control or digital safety systems. These requirements would generally align with the requirements in section III.E. of the SD Pipeline–2021–02 and 1580/82–2022–01 series. Both the NIST CSF (PR.PS category) and the CISA CPGs recognize the importance of logging policies.175 While CISA recognizes that log collection can be more complex than some of the other requirements, it also notes that effectively implementing this control reduces the risk of a delayed, insufficient, or incomplete ability to detect and respond to potential cybersecurity incidents.176
Back-ups. Proposed paragraph (e) of §§ 1580.317, 1582.217, and 1586.217 would require owner/operators to ensure critical systems are backed up. TSA’s SDs required owner/operators to have a CIRP that included security and integrity of backed-up data and ensuring that the backed-up data is free from malicious code before it is used to restore a system.
175 See NIST PR.PS category and CPG 2.T (Log Collection) and 2.U (Secure Log Storage).
176 See CPG Checklist, supra note 153.
For purposes of this rulemaking, TSA is separating this requirement into two sections. The requirement to secure backups would be under the protection portion of the CRM program, while requirements related to using the backups to restore systems would be under measures addressing response and recovery. See proposed §§ 1580.327(b)(2), 1582.227(b)(2), and 1586.227(b)(2). These proposed requirements are consistent with CPG 2.R (System Backups) and the NIST CSF (PR.DS category). The CISA CPGs recognize the importance of having systems that are necessary for operation backed up on a regular cadence, stored separately from the source system, and tested on a recurring basis.
Cybersecurity Training. Proposed §§ 1580.319, 1582.219, and 1586.219 would require owner/operators to provide two levels of initial and recurrent cybersecurity training. First, basic cybersecurity training must be provided to all employees, including contractors, with access to the owner/operator’s IT or OT system. Second, employees who meet the definition of a ‘‘cybersecurity-sensitive employee’’ must receive both basic and role-based cybersecurity training. Consistent with requirements for physical security training, TSA is proposing that individuals who do not receive the required training within the required timeframe must not be allowed access to Critical Cyber Systems or an IT or OT system that is interdependent with a Critical Cyber System.
In § 1570.3, TSA is proposing to define ‘‘cybersecurity-sensitive employee’’ as ‘‘any employee who is a privileged user with access to, or privileges to access, a Critical Cyber System or any Information or Operational Technology system that is interdependent with a Critical Cyber System as defined in the TSA Cybersecurity Lexicon.’’ Under proposed paragraph (b), owner/operators would be required to include in their COIP a curriculum or lesson plan for each course needed to meet the specific curriculum requirements. Proposed paragraph (c) of proposed §§ 1580.319, 1582.219, and 1586.219 includes the curriculum requirements for basic cybersecurity training to provide cybersecurity awareness addressing best practices, acceptable use, risks associated with the employee’s level of privileged access, and awareness of security risks associated with their actions. The requirements in the proposed rule are consistent with CPG 2.I (Basic Cybersecurity Training) and 2.J (OT Cybersecurity Training). All employees should have a basic understanding of the online threat environment. Basic cybersecurity awareness training helps employees understand proper cyber safety and the security risks associated with their actions. Regular training helps employees recognize their role in cybersecurity and how they serve as an additional ‘‘sensor’’ to detect an incident, regardless of their technical expertise. Proposed paragraph (c) also requires the owner/operator to provide cybersecurity-sensitive employees training that specifically addresses their role as a privileged user in preventing and responding to a cybersecurity incident, acceptable uses, and the risks associated with their level of access and use as approved by the owner/operator. This training recognizes that the level of cybersecurity training for someone with access to critical IT systems may be different than the training needed for someone who primarily accesses critical OT systems.
In addition, this training must ensure these employees understand and are prepared to execute any actions associated with their positions under the owner/operator’s TSA-approved CIRP. The proposed schedule for cybersecurity training is consistent with the CISA CPGs. Under paragraph (d) of proposed §§ 1580.319, 1582.219, and 1586.219, owner/operators would be required to provide initial cybersecurity training (basic and role-based, as applicable) within 60 days after the effective date of TSA’s approval of the COIP. For individuals who onboard or become cybersecurity-sensitive employees after the effective date of the COIP, TSA would require training within 10 days of onboarding. Paragraph (e) of these sections would require annual recurrent training. In the CPGs, CISA noted that basic cybersecurity training should be required annually ‘‘for all organizational employees and contractors that cover basic security concepts, such as phishing, business email compromise, basic operational security, password security, etc.,’’ and organizations should ‘‘foster an internal culture of security and cyber awareness.’’ 177 The CISA CPGs also recommend that all new employees receive this basic initial cybersecurity training within 10 days of onboarding and recurring training on at least an annual basis.178 For individuals with responsibilities for protecting critical systems, such as maintaining or securing OT systems, as part of their regular duties, the CISA CPGs recommend additional cybersecurity training on an annual basis.179 In the CPG Checklist, CISA identifies these actions as having low complexity and high impact. The CPG Checklist also identifies free services and references that can be used for cybersecurity training.180 TSA’s proposed requirements for cybersecurity training align with the CPG recommendations. Paragraphs (f), (g) and (h) of proposed §§ 1580.319, 1582.219, and 1586.219 address recognition of prior training and retention of training records.
Paragraph (f) specifically allows owner/operators to rely on previously provided cybersecurity training to meet the requirements in the proposed rule to the extent they can validate that it meets the curriculum and schedule requirements in the proposed rule. Paragraphs (g) and (h) include proposed requirements for retention of records and making the records available to employees that are consistent with TSA’s current requirements for physical security training of security-sensitive employees (in current 49 CFR 1570.121).
177 See CPG 2.I (Basic Cybersecurity Training).
178 Id.
179 See CPG 2.J (OT Cybersecurity Training).
180 See supra note 153.
e. Procedures, Policies, and Capabilities To Detect Cybersecurity Incidents (Proposed §§ 1580.321, 1582.221, and 1586.221)
As it is not possible to stop all cybersecurity incidents or attempted incidents, it is critical to have strong capabilities to detect cybersecurity incidents when they occur and to have automatic measures in place to mitigate the impact. TSA’s cybersecurity SDs included specific requirements to ensure continuous monitoring and detection policies.181 The proposed requirements in §§ 1580.321, 1582.221, and 1586.221 align with the SDs. A key element of initial access for a cyber-intrusion is the execution of malicious software and communications with malicious command-and-control servers. Implementing filters to ensure ‘‘allow-listing’’ of known, good software and blocking malicious domains are essential controls to prevent damaging intrusions from occurring. In the latter case, best practices, such as protective Domain Name System (DNS) resolution, are necessary to proactively block communications with unknown or potentially malicious web domains.182 Detection should not be limited to a single security control but should include continuous monitoring and detection policies that follow the zero trust principle of assumed breach and a defense-in-depth approach to maximize a defender’s chance of detecting an attack before it reaches the operational environment. Starting with basic controls, such as allow-list filters, email sandboxing, threat-based detection, and protecting DNS, provides a strong foundation for detection of threat activity from advanced adversaries. The costs of implementing these controls would be offset by the benefits of avoiding even a single successful cybersecurity incident that could result in catastrophic costs. The demands of ransomware threat actors have also increased, and intelligence information indicates the capabilities of adversaries are becoming more sophisticated. The CISA CPGs note that ‘‘[w]ithout the knowledge of relevant threats and ability to detect them, organizations risk that threat actors may exist undetected in their networks for long periods.’’ 183
181 See section III.D. of the SD Pipeline–2021–02 and 1580/82–2022–01 series.
f. Procedures, Policies, and Capabilities To Respond to, and Recover From, Cybersecurity Incidents
In setting cybersecurity regulations for critical infrastructure, the National Cybersecurity Strategy encourages regulators to ensure that systems are designed to fail safely and recover quickly.184 Having strong procedures, policies, and capabilities to respond to, and recover from, cybersecurity incidents is among the most critical steps owner/operators can take. If a company is a target of one of the most sophisticated adversaries, such as nation-state actors, the question is when the company will experience a cybersecurity incident, not whether it will be targeted. These requirements are related to protection and detection capabilities.
Capabilities to respond to a cybersecurity incident (§§ 1580.323, 1582.223, and 1586.223). The detection capabilities discussed above primarily rely on automated systems that flag or block incidents as they occur. CRM programs also need the capability to analyze traffic and trigger responses if certain thresholds are crossed. For this rulemaking, TSA is proposing to consolidate requirements from section D.2 of the SD Pipeline–2021–02 and SD 1580/82–2022–01 series that address auditing unauthorized access, documenting communications between systems that deviate from the approved baseline of communications, identifying and responding to execution of unauthorized code, and ensuring standardized incident response activities based on this information.
182 See NIST SP 800–81–2, Secure Domain Name System (DNS) Deployment Guide (Sept. 2013).
183 See CPG 3.A (Detecting Relevant Threats and TTPs).
184 See supra note 12 at 8–9.
Reporting cybersecurity incidents (§§ 1580.325, 1582.225, 1584.107, and 1586.225). TSA’s first SD requirements for cybersecurity focused on the need to report cybersecurity incidents to the U.S. government promptly to ensure the government can adequately respond to threats to national security, including economic security.185 Both the NIST CSF (RS.CO category) and CPG 4.A (Incident Reporting) recognize the importance of reporting cybersecurity incidents. In the CPGs, CISA notes that a failure to provide timely incident reporting affects the ability of CISA and other groups to assist the organization and also to gain ‘‘critical insight into the broader threat landscape (such as whether a broader attack is occurring against a specific sector).’’ TSA is proposing that the requirement to report cybersecurity incidents apply to all owner/operators required to report significant security concerns under current § 1570.203.
This applicability would generally include all owner/operators identified in § 1580.1(a)(1), (a)(4), and (a)(5), rail transit and passenger railroads identified in § 1582.1, higher-risk bus-only transit systems identified in § 1582.101, higher-risk OTRB owner/operators identified in § 1584.101, and the pipeline facilities and systems identified in new § 1586.101(b). The proposed requirements for cybersecurity incident reporting mirror those in the current SDs. As under the SDs, TSA would require owner/operators to report cybersecurity incidents to CISA within 24 hours of identification of a cybersecurity incident.186 For purposes of the proposed rule, a “cybersecurity incident” is defined as “an event that, without lawful authority, jeopardizes, disrupts or otherwise impacts, or is reasonably likely to jeopardize, disrupt or otherwise impact, the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system.” The reports must, among other things, (1) identify the affected systems or facilities; and (2) describe the threat, incident, and impact or potential impact on IT and OT systems and operations. All information reported under this requirement is SSI protected under 49 CFR part 1520 and would be appropriately protected by CISA and TSA.

185 See Sections B–D of the SD Pipeline–2021–01, 1580–21–01, and 1582–21–01 series.
186 As originally issued, the directive required notification within 12 hours of identification. In May 2022, TSA revised this requirement to require notifications within 24 hours of identification.
At the time TSA issued specific requirements for reporting of cybersecurity incidents in 2021, it determined that CISA should receive all cybersecurity incident reporting in order to obtain the security and analytical benefits of consolidating this information in one system to enhance threat identification and trend analysis. This action is consistent with 49 U.S.C. 114(m), which permits TSA to use the services and capabilities of other agencies and to support them through use of the agency’s authorities, as appropriate. TSA is aware that CISA is also required to issue a regulation to require reporting of cyber incidents under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).187 Although CIRCIA requires CISA to implement new reporting requirements through regulation, CIRCIA’s rulemaking requirement does not supersede, abrogate, modify, or otherwise limit any authority to regulate or act with respect to the cybersecurity of an entity vested in any U.S. Government officer or agency.188 “Covered Entities,” as defined by CISA, that are obligated to report “Covered Cyber Incidents” or “Ransom Payments” pursuant to another federal regulatory requirement, directive, or similar mandate could remain obligated to do so. TSA is, however, committed to avoiding redundancy and harmonizing with our government partners on cybersecurity requirements. Under the structure proposed by CISA in its NPRM,189 TSA does not anticipate the need to make any significant modifications to its reporting requirements. TSA will continue to require reporting to CISA to avoid duplicate reporting. If CISA’s final rule includes the proposed requirement for agencies to enter into an agreement with CISA to specifically address duplicative information reporting, TSA believes it is well-positioned for this step based on its current reporting requirements. As CISA is likely to finalize the CIRCIA rule before this rulemaking is finalized, TSA will review the final CIRCIA requirements for reporting cybersecurity incidents and consider changes as necessary and/or appropriate in the final rule.

Cybersecurity Incident Response Plan (§§ 1580.327, 1582.227, and 1586.227). Incident planning and preparedness is critical to mitigating the impacts of a cybersecurity incident on national security, including economic security. The NIST CSF (PR and RC Functions) and CPG 2.S (Incident Response (IR) Plans) and 5.A (Incident Planning and Preparedness) both recognize the importance of having a plan that is tested, validated, and maintained to ensure timely response to, and recovery from, detected cybersecurity events that cause, or could cause, operational disruption. This proposed rule would incorporate the CIRP requirements from section III.F. of the SD Pipeline–2021–02 series and section C.1. of the SD 1580–21–01 and 1582–21–01 series. These requirements include having a plan to ensure that each of the following objectives is met: (1) the impacts of a cybersecurity incident that causes, or could cause, operational disruption or significant impacts on business-critical functions are limited and do not spread throughout the system; (2) back-up data is tested before it is used for recovery; (3) measures are in place to ensure isolation of technology to reduce risks; and (4) identification of who, by position, is responsible for implementing measures in the plan.

187 See Division Y of Public Law 117–103, 136 Stat. 1039 (Mar. 15, 2022), as amended by Public Law 117–263, 136 Stat. 3661 (Dec. 23, 2022), as codified at 6 U.S.C. 681–681g.
188 6 U.S.C. 681b(h).
189 See 89 FR 23644 (Apr. 4, 2024) (proposed rule); 89 FR 37141 (May 6, 2024) (comment period extension); 89 FR 47471 (June 3, 2024) (correction).
The SDs also require owner/operators to conduct annual exercises of their plans that, at a minimum, test at least two of these objectives each year. The overall objective of the exercise requirement is to ensure that elements of the incident response plan are tested to ensure that they will work and can be properly executed by the responsible person(s). As recommended by CPG 2.S (Incident Response Plans), which aligns with the NIST CSF (Function RS.MA), TSA would continue to require owner/operators to test their plans through exercises and modify the CIRP within 90 days based on the results of the exercises. While the CIRP required by this proposed rule would be incorporated into the COIP made available to TSA for approval, TSA would require that any changes to the CIRP be reported to TSA within 15 days. As these changes are separately reported to TSA, revisions to the CIRP do not require an amendment to the COIP under § 1570.107 of the proposed rule.

3. Cybersecurity Assessment Plan (Proposed §§ 1580.329, 1582.229, and 1586.229)

As discussed above, the NIST CSF, the CISA CPGs, and TSA’s SDs, taken in their totality, recognize the importance of having cybersecurity measures informed both by an initial cybersecurity evaluation that looks at the current profile of the owner/operator’s cybersecurity measures against the target profile, and an assessment program that actually tests the effectiveness of cybersecurity measures in the COIP as related to Critical Cyber Systems. In the initial SD issued to pipeline owner/operators, SD Pipeline–2021–01, TSA required owner/operators to have a third party conduct a cybersecurity architecture design review.
In SD Pipeline–2021–02C, issued in July 2022, TSA modified the SD to require owner/operators to have a Cybersecurity Assessment Program that allowed owner/operators to conduct their own biennial cybersecurity architecture design review and also required them to use other assessment capabilities intended to test the effectiveness of their cybersecurity measures. Owner/operators were required to have an annual plan for these assessments and to submit the plan to TSA for review, but not for approval.190 In July and October 2023, TSA modified the pipeline and rail SD series, respectively, to change the name from a Cybersecurity Assessment Program to a Cybersecurity Assessment Plan, which more accurately reflects additional changes made to the requirements. Under the current SD series, owner/operators must submit the CAP to TSA for approval. The CAP must include a specific schedule for the assessments to ensure that at least one-third of the COIP is tested each year at a pace to ensure 100 percent of the policies, procedures, measures, and capabilities in the COIP are assessed over any 3-year period as applied to all Critical Cyber Systems. The intent of this requirement is to ensure a continuous process of assessment, avoiding the potential vulnerabilities that could result from only conducting assessments every few years, potentially leaving vulnerabilities undetected for years. This proposed requirement gives owner/operators flexibility in developing their CAP schedule. One approach would be to assess/audit one-third of the policies, procedures, measures and capabilities in the CIP each year for all Critical Cyber Systems. Another acceptable option, however, would be to assess/audit one-third of Critical Cyber Systems each year for all applicable policies, procedures, measures and capabilities in the COIP.

190 See Section III.G. of the SD Pipeline–2021–02 series and Section III.F. of SD 1580/82–2022–01 series.
Either of these options ensures a schedule where one-third of policies, procedures, measures, and capabilities in the COIP are assessed each year, with 100 percent of the policies, procedures, measures, and capabilities in the COIP being assessed/audited every 3 years on 100 percent of the Critical Cyber Systems. Under this requirement, an owner/operator who chooses to assess more than one-third in one year is still required to assess at least one-third the next year. For example, if the owner/operator assesses 100 percent of their measures in Year 1, at least one-third would need to be assessed again in Year 2 and Year 3 of the cycle. TSA is specifically requesting comment on methods owner/operators would use to ensure this schedule is met. Smaller companies with fewer Critical Cyber Systems that find it easier to assess 100 percent each year could submit a CAP that includes different types of assessments each year, i.e., assessing 100 percent each year using different methodologies. To ensure both the owner/operator and TSA have a clear agreement on the planned assessment program and that it will meet the requirements by the end of the three-year period, TSA is proposing to require the CAP to include a mapping sufficient to validate that the required scope of the assessment will be met within the required period. This step is necessary as TSA recognizes that neither all parts of the COIP nor all Critical Cyber Systems are equal, and it may not be possible to identify a bright line of one-third of the COIP being assessed each year. Mapping the scheduled assessments to the COIP and Critical Cyber Systems will enable TSA and the owner/operator to engage in a discussion to ensure the proposed rule’s intent, a steady state of meaningful assessments, is built into the owner/operator’s CRM program and informing future modifications to improve cybersecurity.
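One way an owner/operator could check a draft CAP schedule against the rule just described, added here as an illustration rather than anything from the NPRM: it represents the required mapping as the set of (COIP measure, Critical Cyber System) pairs assessed in each year, counts the one-third-per-year floor by those pairs (this example’s own interpretation, chosen so that both scheduling options in the text satisfy the same check), and exercises the front-loaded case in which 100 percent is assessed in Year 1. The measure and system names are constructed.

```python
"""Coverage check for a Cybersecurity Assessment Plan (CAP) schedule.

Added illustration, not code or text from the NPRM. A schedule is written as
the set of (COIP measure, Critical Cyber System) pairs assessed in each year
of the 3-year cycle; the "at least one-third each year" floor is counted by
those pairs, which is this example's own interpretation of the rule.
"""
from dataclasses import dataclass
from itertools import product
from math import ceil
from typing import Dict, List, Optional, Sequence, Set, Tuple

CYCLE_YEARS = 3                 # 100 percent of the COIP over any 3-year period
MIN_FRACTION_PER_YEAR = 1 / 3   # at least one-third assessed each year

Pair = Tuple[str, str]              # (measure, Critical Cyber System)
Schedule = Dict[int, Set[Pair]]     # year (1..CYCLE_YEARS) -> pairs assessed


@dataclass
class Finding:
    year: Optional[int]     # None for findings about the whole cycle
    message: str


def required_pairs(measures: Sequence[str], systems: Sequence[str]) -> Set[Pair]:
    """Every COIP measure must be assessed on every Critical Cyber System."""
    return set(product(measures, systems))


def validate_cap(schedule: Schedule, measures: Sequence[str],
                 systems: Sequence[str]) -> List[Finding]:
    """Return findings; an empty list means the schedule meets both rules."""
    universe = required_pairs(measures, systems)
    per_year_min = ceil(len(universe) * MIN_FRACTION_PER_YEAR)
    findings: List[Finding] = []
    for year in range(1, CYCLE_YEARS + 1):
        assessed = schedule.get(year, set())
        unknown = assessed - universe
        if unknown:
            findings.append(Finding(year, f"pairs outside the inventory: {sorted(unknown)}"))
        done = len(assessed & universe)
        # Assessing more than one-third in one year does not lower the floor
        # for the following years, so each year is checked on its own.
        if done < per_year_min:
            findings.append(Finding(year, f"{done} of {len(universe)} pairs assessed; "
                                          f"at least {per_year_min} required"))
    covered: Set[Pair] = set()
    for year in range(1, CYCLE_YEARS + 1):
        covered |= schedule.get(year, set())
    missing = universe - covered
    if missing:
        findings.append(Finding(None, f"never assessed within the cycle: {sorted(missing)}"))
    return findings


def coverage_matrix(schedule: Schedule, measures: Sequence[str],
                    systems: Sequence[str]) -> Dict[Pair, List[int]]:
    """The mapping the rule asks for: the year(s) in which each pair is assessed."""
    matrix: Dict[Pair, List[int]] = {p: [] for p in required_pairs(measures, systems)}
    for year, pairs in sorted(schedule.items()):
        for pair in pairs:
            if pair in matrix:
                matrix[pair].append(year)
    return matrix


def schedule_by_measure(measures: Sequence[str], systems: Sequence[str]) -> Schedule:
    """Option 1 in the text: one-third of the measures each year, on all systems.
    Assumes the measure count splits into thirds; otherwise some re-assessment is needed."""
    chunk = ceil(len(measures) / CYCLE_YEARS)
    return {y: {(m, s) for m in measures[(y - 1) * chunk:y * chunk] for s in systems}
            for y in range(1, CYCLE_YEARS + 1)}


def schedule_by_system(measures: Sequence[str], systems: Sequence[str]) -> Schedule:
    """Option 2 in the text: one-third of the systems each year, for all measures."""
    chunk = ceil(len(systems) / CYCLE_YEARS)
    return {y: {(m, s) for s in systems[(y - 1) * chunk:y * chunk] for m in measures}
            for y in range(1, CYCLE_YEARS + 1)}


# Constructed sample inventory (not from the NPRM): six COIP measures and
# three Critical Cyber Systems, i.e. 18 pairs, so at least 6 per year.
MEASURES = ["access-control", "network-segmentation", "patching",
            "logging", "backup-testing", "incident-response"]
SYSTEMS = ["scada-hmi", "historian", "vpn-gateway"]

# The case the text walks through: everything in Year 1 still leaves a
# one-third floor for Years 2 and 3.
FRONT_LOADED: Schedule = {
    1: required_pairs(MEASURES, SYSTEMS),
    2: {(m, s) for m in MEASURES[:2] for s in SYSTEMS},
    3: {(m, s) for m in MEASURES[2:4] for s in SYSTEMS},
}
# Same, but Year 2 re-assesses only one measure: fails the per-year floor.
UNDER_ASSESSED: Schedule = {
    1: required_pairs(MEASURES, SYSTEMS),
    2: {("patching", s) for s in SYSTEMS},
    3: {(m, s) for m in MEASURES[2:4] for s in SYSTEMS},
}

if __name__ == "__main__":
    for name, plan in [("by measure", schedule_by_measure(MEASURES, SYSTEMS)),
                       ("by system", schedule_by_system(MEASURES, SYSTEMS)),
                       ("front-loaded", FRONT_LOADED),
                       ("under-assessed", UNDER_ASSESSED)]:
        print(name, validate_cap(plan, MEASURES, SYSTEMS) or "OK")
```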
TSA assumes that the first mapping will be the most burdensome, requiring minor updates in future years to address any changes in the COIP or Critical Cyber Systems. TSA also agrees with the CISA CPGs’ recommendation that, whenever possible, auditors and assessors should be from outside the owner/operator’s organization.191 At the same time, TSA recognizes that some companies may have in-house capabilities to conduct audits and assessments. Rather than requiring a third-party validator, TSA is requiring that any individual who conducts an audit or assessment must be independent, i.e., they must not have a vested or other financial interest in the results, in order to ensure the integrity and reliability of results. For example, if an individual conducting an audit is part of a team or group that would receive a bonus if the audit results met a certain threshold, they are not sufficiently independent to be eligible to conduct the audit. To support overall governance of the CRM program, the proposed rule would require an annual report of the CAP results. This report must also include the methodologies used. A copy of the report must be provided to corporate leadership and TSA. Under paragraph (f) of §§ 1580.307, 1582.207, and 1586.207, the results of these assessments are to be used for updating the CRM program, as appropriate. TSA is proposing that the report be provided 15 months from the date of TSA’s approval of the first CAP and annually thereafter. This timeline allows for full implementation of the CAP (an annual or 12-month plan), and three additional months to develop a report based on the results. The proposed rule text specifically notes that the audits and assessments conducted under this section are vulnerability assessments subject to the SSI protections in 49 CFR part 1520.
The procedures discussed for submission of CIPs in section III.D.2.a. also apply to submission of CAPs. As with CIPs, a CAP maintained at the owner/operator’s location is not considered to have received final approval until reviewed by TSA, revised as required by TSA, and the owner/operator receives notification from TSA that the CAP has received final approval. Only final approval of the CAP triggers the timelines associated with subsequent annual requirements to develop the CAP and CAP report.

4. Documentation To Establish Compliance (Proposed §§ 1580.331, 1582.231, and 1586.231)

In accordance with 49 U.S.C. 114(f) and 49 CFR part 1503, TSA may view, inspect, and copy records, in carrying out TSA’s security-related statutory or regulatory authorities, including its authority to enforce security-related laws, regulations, directives, and requirements. At the request of TSA, each owner/operator subject to the requirements of the proposed rule must provide evidence of compliance, including copies of records if requested, sufficient to demonstrate compliance. TSA must be able to build and preserve a sufficient administrative record for each case. For the specific purposes of the CRM program requirements, the proposed rule includes a section on documentation that TSA may ask to review to establish compliance. The list of documentation provided aligns with the lists in section IV.C of the SD Pipeline–2021–02 and 1580/82–2022–01 series. While TSA has the authority under 49 U.S.C. 114(f)(7) to review any documents necessary to enforce security-related regulations and requirements (among other purposes), TSA provided this non-exclusive list to provide owner/operators with examples of the types of documents TSA may ask to review in order to support the owner/operator’s efforts to establish compliance.

191 See CPG 1.F (Third-Party Validation of Cybersecurity Control Effectiveness).

E. Physical Security

As noted above, TSA is reorganizing 49 CFR parts 1570, 1580, 1582, and 1584 through this rulemaking, to distinguish between physical security requirements and cybersecurity requirements. The security measures previously imposed for rail, PTPR, and OTRB—security coordinators, reporting significant security concerns, security training, and chain of custody (for freight railroads)—are primarily intended to address physical security concerns, i.e., threats to physical infrastructure from improvised explosive devices or physically tampering with equipment. With this rulemaking, cybersecurity requirements would receive dedicated treatment. To help distinguish between physical and cybersecurity, the rule proposes to generally include the physical and cybersecurity requirements in separate subparts applicable to each mode. The requirements for OTRB would continue to be in subpart B of part 1584. TSA would also distinguish between (1) requirements for Physical Security Coordinator(s) and reporting physical security concerns and (2) requirements for Cybersecurity Coordinator(s) and reporting cybersecurity incidents. To clearly establish the distinction between physical security and cybersecurity, TSA is proposing to move the security coordinator requirements in current § 1570.201 and reporting requirements in current § 1570.203 to the modal-specific parts with only one change to the current requirements. As with the Cybersecurity Coordinators required under the CRM program, TSA is specifying that the Physical Security Coordinator(s) be a U.S. citizen unless this requirement is waived by TSA.192 TSA would consider several factors before waiving this requirement. Most importantly, the individual would need to successfully complete an STA. In addition, TSA would need to ensure that at least one of the owner/operator’s Physical Security Coordinator(s) (primary or alternate) is a U.S. citizen who is eligible for a security clearance. This requirement is consistent with current practice and, as previously discussed, necessary to ensure that there is at least one point of contact within every covered entity that TSA can share sensitive information with on a rapid basis. This information could not be shared with non-citizens absent significant coordination at a government-to-government level. The delay caused by this coordination could prevent an owner/operator from receiving critical information on a timely basis needed to protect against actionable intelligence at a classified level.

As part of this effort, TSA is proposing to move and consolidate all the requirements for security training of security-sensitive employees (currently referenced in §§ 1570.107, 1570.109, 1570.111, 1570.121, 1580.113, 1580.115, 1582.113, 1582.115, 1584.113, and 1584.115) into one section in each of the modal-specific parts (proposed §§ 1580.113, 1582.113, and 1584.113) rather than the current structure, which has some requirements in part 1570 and some in multiple sections in parts 1580, 1582, and 1584. None of the requirements for security training (procedural or substantive) would be modified through this rulemaking.

Finally, TSA is proposing to require the pipeline facilities and systems within the applicability of the CRM program requirements (proposed § 1586.101(b)) to designate a Physical Security Coordinator and report significant physical security concerns. For almost a decade, TSA’s Pipeline Guidelines have encouraged pipeline owner/operators to report security incidents to TSA 193 and provide contact information for security operations or controls centers for pipeline owner/operators in order to facilitate the exchange of information.194 Through this rulemaking, TSA is proposing to make having a Physical Security Coordinator and reporting significant physical security concerns mandatory for the pipeline owner/operators identified in proposed § 1586.101(b). Expanding these requirements to this critical sector would ensure TSA is able to obtain a complete picture of potential threats, both physical and cyber, across this sector and as it relates to other critical infrastructure.

192 This requirement is consistent with sections 1512(e)(2) and 1531(e)(2) of the 9/11 Act, as codified at 6 U.S.C. 1162(e)(2) and 1181(e)(2), respectively.
193 See supra note 81, at Appendix B.
194 See Supporting Statement for OMB Control No. 1652–0055, as approved on Dec. 22, 2010, available at https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=201006-1652-001 (last accessed Nov. 28, 2023).

F. General Procedures for Security Programs, SDs, and Information Circulars

1. General Procedures for Security Programs (Proposed Revisions to Subpart B of Part 1570)

In the Security Training for Surface Transportation Employees final rule, TSA established procedures for security programs in 49 CFR part 1570. At that time, the requirements to be included in a security program were primarily related to security training. As part of this rulemaking and the expansion of security program requirements to include a robust CRM program, TSA is proposing to revise the procedures for security programs in part 1570 to align more closely with the well-established procedures applicable to security programs issued for civil aviation under subchapter C of 49 CFR chapter XII. In general, these changes primarily result in reorganizing the requirements currently in §§ 1570.109 through 1570.119.195 In addition, these procedures also address allowances in the 9/11 Act for coordinated development and implementation of vulnerability assessments and security plans, and the requirements in the 9/11 Act related to recognition of existing procedures, protocols, and standards.196

Proposed § 1570.107 includes the procedures for when an owner/operator determines that they need to amend a security program previously approved by TSA. This section is consistent with the procedures for aviation security programs under subchapter C of Chapter XII 197 and would replace current §§ 1570.113 and 1570.117. These procedures ensure a joint understanding between TSA and owner/operators on what the owner/operator is committed to implementing while providing opportunities to modify measures as necessary to address changes in operations, evolving capabilities, and emerging threats. As the COIP is a security program, owner/operators must request an amendment whenever they seek to make substantive changes to their COIPs or to documents incorporated by reference. Current § 1570.113 includes requirements for when owner/operators must request an amendment to their security programs. TSA is proposing to consolidate and streamline these requirements in proposed 1570.107(c). Proposed § 1570.107(b) includes the general requirements for owner/operators to request an amendment to a TSA-approved security program.

195 See supra at Table 3 for distribution of current requirements.
196 See sections 1405(g), (i) and 1512(j), (l) of the 9/11 Act, as codified at 6 U.S.C. 1134(g), (i) and 1162(j), (l), respectively.
197 See 49 CFR 1542.105, 1544.105, 1548.7, and 1549.7.
Current § 1570.113(e) requires owner/operators to submit a request for an amendment to their programs no later than 65 days after a permanent change takes effect. For purposes of this requirement, a permanent change is any change in effect for 60 or more calendar days.198 The SDs for cybersecurity requirements require a request for an amendment no later than 50 calendar days after the permanent change takes effect, unless TSA allows a longer time period. A permanent change for that purpose is any change intended to be in effect for 45 or more calendar days.199 In TSA’s aviation programs, TSA requires requests for amendments 45 days before they take effect, unless TSA allows a shorter time period.200 Under the proposed rule, permanent changes would continue to be those intended to be in effect for 60 or more days, but owner/operators would be required to request an amendment at least 45 days before the change takes effect. This section carries over from current § 1570.113(f) the TSA standard for approval. In general, this standard requires that the policies, procedures, or measures in the proposed amendment provide a commensurate level of security to the previously approved policy, procedure, or measure. As validated by TSA’s application of this timeframe in aviation programs, this requirement benefits both the agency and owner/operator by ensuring that TSA agrees with the owner/operator’s determination that a modification to previously approved procedures will continue to meet the required security objectives. This agreement, in turn, avoids situations where an owner/operator invests in programs, capabilities, or technology that TSA subsequently disapproves because the modification fails to provide adequate security as required by the regulation.

198 See 49 CFR 1570.113(d).
199 See section VI of the SD Pipeline–2021–02 and SD 1580/82–2022–01 series.
200 See, e.g., 49 CFR 1542.105(b)(1).
Proposed § 1570.113(c)(1) specifically excludes administrative or clerical changes from the amendment process. These changes are those that do not affect policies, procedures, or measures in the owner/operator’s TSA-approved security program. While an amendment is not required, TSA would require owner/operators to maintain a chronological record of these changes for at least one year before the date of the last approved security program. As with all other documentation of compliance, this information must be provided to TSA upon request. Proposed § 1570.113(c)(2) includes an exception for temporary, substantive changes. Temporary, substantive changes are those that would have an impact on approved policies, procedures, or measures, but which are not intended to be in effect for 60 or more days. For temporary, substantive changes, TSA is proposing that owner/operators must notify TSA no more than 24 hours after a temporary, substantive change is made to any policy, procedure, or measure in its TSA-approved security program. Within 7 calendar days of this notification, the owner/operator must, in writing, inform TSA of the interim policies, procedures, or measures it is using to maintain adequate security while the temporary, substantive change is in effect. The owner/operator must include a description of how the interim policy, procedure, or measures provide a commensurate level of security. TSA will notify the owner/operator in writing if the agency does not concur that the interim measure provides a commensurate level of security. If the temporary, substantive change exceeds or is expected to exceed 60 days, then the owner/operator must seek an amendment to its security program. This amendment request must be submitted no later than 65 days after the temporary, substantive change initially took effect.
These proposed provisions would result in TSA having more visibility into temporary, substantive changes (consistent with TSA’s regulatory requirements in the aviation context) while maintaining some of the flexibility contained in current regulations and SDs with respect to nonpermanent changes. Proposed § 1570.107(c) also provides more specific detail on the difference between administrative or clerical changes and substantive revisions and the procedures to be followed based on the type of amendment.

As specifically applied to the security training programs required by §§ 1580.113, 1582.113, and 1584.113, which are also considered TSA-approved security programs, TSA notes that most revisions to a security training program would be considered substantive and permanent. Training curriculums and programs are usually planned in advance and do not change as rapidly as cybersecurity issues. Within this context, however, TSA would consider changes to the number of employees to be trained within each of the identified functions to be an administrative or clerical change, which would not require an amendment. TSA believes it is more important for the owner/operator to have an accurate and up-to-date awareness of these issues and plan accordingly than to impede this process by imposing an amendment process every time staff levels change. As applied to the CRM program, examples of administrative or clerical, temporary, and permanent changes are discussed more fully in Section III.D.2.a., within the general context of COIP requirements.

Proposed § 1570.107(d) and (e) include procedures for TSA to amend security programs, which align with what is currently in § 1570.115. This section also proposes to add the process for filing a petition for reconsideration, currently in § 1570.119, as proposed § 1570.107(f).
Proposed § 1570.109 provides an option for owner/operators who may have operations that meet the criteria for applicability, but those operations are infrequent or seasonal. TSA is proposing to add a section that aligns with an option provided to airports in 49 CFR 1542.109. Under this provision, TSA may make a risk-based determination to impose alternative requirements that are appropriate for the scope of the operations rather than the full programmatic requirements.

TSA is proposing to add § 1570.115, which provides the procedures for withdrawing approval of a security program. In general, if an owner/operator is not in compliance with regulatory requirements, TSA would work through an enforcement process that has a range of actions including notices and an opportunity to correct and penalties. In some situations, however, TSA may determine that the failure to comply is so contrary to security and the public interest that the agency must withdraw approval of the security program. Section 1570.115 provides the standard and process for withdrawal to ensure due process is provided should this action be necessary.

In proposed § 1570.117, TSA would incorporate the general recordkeeping requirements from current § 1570.121. The recordkeeping requirements specific to physical security training have been incorporated into the proposed consolidated physical security training requirements in the modal-specific parts, specifically in proposed §§ 1580.113, 1582.113, and 1584.113.

Finally, as part of the general effort to establish a comprehensive regulatory regime for surface regulations similar to the regime for aviation, TSA is proposing to revise § 1570.1 to add paragraph (b). This paragraph clarifies that the authority for any function exercised by the Administrator within the subchapter, such as approving an amendment to a security program, may be delegated to other officials by the Administrator.
The statement is consistent with current 49 CFR 1540.3, as applied to aviation, and is appropriate as TSA continues to implement its authority and responsibilities for surface transportation security.

2. SDs and Information Circulars (Proposed Subpart C of Part 1570)

TSA is also proposing to rename Subpart C—Operations to Subpart C—Threat and Threat Response and add a new § 1570.201 related to the issuance of SDs and ICs.201 This section would provide procedures in TSA’s regulations to issue SDs and ICs and make other revisions to align TSA’s processes for surface transportation security with those long-established for the aviation sector.

The surface cybersecurity SDs discussed in section II.B.1 were issued under the authority of 49 U.S.C. 114(l)(2). Aviation SDs, however, are a creature of APA rulemaking, having been created by the Federal Aviation Administration (FAA).202 When TSA determines that it must immediately require additional security measures to respond to a threat assessment or to a specific threat against civil aviation, it may issue SDs to certain regulated parties. Regulated parties may request alternative procedures to accomplish the same security goal with different measures.203 Unless otherwise determined by the Administrator, SDs contain SSI and thus are not available to the general public.204 Review of an SD is available in a U.S. court of appeals.205

The provisions for SD procedures also address issuance of ICs. ICs are intended to notify owner/operators of specific security concerns and may include recommended measures to address the concern. While a specific regulatory provision is not necessary to issue ICs, referencing them in the regulations provides a distinction between voluntary and mandatory measures.

Through this rulemaking, TSA is proposing to create a regulatory provision for SDs and ICs for surface transportation similar to those applicable in the aviation sector.206 As discussed above in section II.B.1 of this NPRM, TSA has used these two types of actions to address cybersecurity of surface transportation. TSA made a risk-based decision that certain entities must implement cybersecurity measures. Those entities were within the scope of applicability for the SDs. TSA also issued ICs to all owner/operators within a certain mode, recommending that they consider voluntarily implementing the measures imposed on the higher-risk owner/operators. ICs are distinguished from more general guidance documents because they are specific to a certain security concern. This addition to TSA’s regulations would ensure that any person within the scope of applicability of future SDs or ICs would be able to find the applicable procedures for these actions in TSA’s regulations.

As noted above, TSA is proposing revisions to streamline regulatory text for owner/operators to request to implement security measures other than those specifically required by TSA, or to revise previously approved security programs. The current regulations provide for amendments to security programs requested by an owner/operator in current 49 CFR 1570.113, TSA amendments to programs in § 1570.115, and owner/operator-requested alternative procedures in § 1570.117. Under the current regulations, the distinction between an owner/operator amendment and an alternative procedure is not clear, as they both authorize the owner/operator to request to implement a measure other than what is required by TSA and require TSA to determine that granting the request would not have a negative impact on security.

TSA is also proposing to revise the procedures for amendments to security programs (such as the COIP) required by subchapter D. See discussion in section II.F.1. As part of this revision, TSA is proposing to move the procedures for requesting alternative measures from current § 1570.117 to § 1570.203, and to limit the alternative measures procedures to SDs. This revision would provide owner/operators with a clearly identified process for requesting to implement alternatives to requirements in an SD. The proposed procedures align with our standard processes for aviation, where we require owner/operators to request an amendment to a security program through the security program process, and also allow owner/operators the ability to request an alternative measure or procedure to requirements in an SD.

201 As discussed above, TSA proposes to move existing sections 1570.201 and .203 to parts 1580, 1582, and 1584.
202 See 54 FR 28984 (July 10, 1989); 58 FR 36802 (July 8, 1993) (aircraft operators); 66 FR 37274 (July 17, 2001) (airport operators). Requirements are now in 49 CFR 1542.303 (airport operators) and 1544.305 (aircraft operators). The FAA’s transportation security authority and all rules were given to TSA under ATSA. See 49 U.S.C. 114(d); section 141 of ATSA (Savings Provision). As a result, Aviation SDs are not issued under 49 U.S.C. 114(l)(2).
203 See 49 CFR 1542.303 (airport operators); 1544.305 (aircraft operators); 1548.19 (indirect air carriers); and 1549.109 (Certified Cargo Screening Facilities). The foreign air carrier regulations in 49 CFR part 1546 do not provide for SDs. TSA issues emergency amendments (EAs) to their security programs to require additional security measures when needed.
204 See 49 CFR 1520.5(b)(2) regarding SDs.
205 See Gilmore v. Gonzales, 435 F.3d 1125, 1133 (9th Cir. 2006) (which held that SDs are an agency order subject to court of appeals review pursuant to 49 U.S.C. 46110); see also Corbett v. Transp. Sec. Admin., 19 F.4th 478, 480 (D.C. Cir. 2021).
206 See 49 CFR 1542.303, 1544.305, 1548.19, and 1549.109.
Owner/operators would continue to be able to request amendments to their security programs under proposed § 1570.107(b).

3. Exhaustion of Administrative Remedies (Proposed § 1570.119)

TSA is proposing to add a new § 1570.119, which would require exhaustion of administrative remedies before challenging final agency orders by TSA related to the requirements in parts 1570, 1580, 1582, 1584, and 1586. Under this proposed requirement, an individual could not seek judicial review until TSA has issued its “final agency order.” TSA has identified in proposed subpart B of part 1570 the point at which a TSA decision is a “final agency action.” For purposes of this rulemaking, “final agency order” and “final agency action” have the same meaning. This requirement would apply to (a) denials of approval of a security program, an amendment to a security program, or alternative measures to requirements in a security program; (b) imposition of requirements through an SD or TSA-required amendment to a security program; and (c) withdrawal of a security program. For example, if the specific regulatory provision provides for an owner/operator to request a petition for reconsideration of a denial of a security program amendment, see proposed § 1570.107(f), then the owner/operator would need to have a timely petition for reconsideration denied before they would have exhausted the administrative procedures.

The doctrine of exhaustion of administrative remedies is based on the need to conserve judicial resources and ensure that factual issues are resolved by the agency with the expertise and responsibility for administering the program at issue. The doctrine allows agencies to develop a full factual record, correct errors, minimize costs, and create a uniform approach to the issues within their jurisdiction. This process benefits individuals by resolving disputes more quickly and at lower cost through TSA rather than the federal courts. If the individual ultimately seeks review in the Court of Appeals following TSA’s final agency order, the court would have a full record on which to base its review, and the issues would be narrowed to those that truly require judicial review.207 This process also allows TSA the opportunity to correct any errors and narrow the issues, which can be achieved through exhausting administrative remedies, before initiating judicial review.208 For all of the foregoing reasons, TSA is proposing to include in the regulation an explicit requirement for individuals to exhaust administrative remedies before seeking judicial review.

207 See Mohamed Al Seraji v. Gowadia, No. 8:16–cv–01637–JLS–JCG (C.D. Cal. Apr. 28, 2017). In this case, TSA issued a preliminary denial of a TWIC application, and the individual sought review by a U.S. District Court rather than first appealing the decision to TSA. The court dismissed his claim, stating that he must first exhaust the administrative remedies in TSA’s redress regulations. The court stated that it needed a more developed factual record to effectively evaluate the case.
208 Id.

4. Severability

Proposed § 1570.121 would reflect TSA’s intent that the various regulatory provisions be considered severable from each other to the greatest extent possible. For instance, if a court of competent jurisdiction were to hold that the rule or a portion thereof may not be applied to a particular owner or operator or in a particular circumstance, TSA would intend for the court to leave the remainder of the rule in place with respect to all other covered persons and circumstances. The inclusion of a severability clause would not be intended to imply a position on severability in other TSA regulations.

5. Enforcement and Compliance

TSA has broad authority to: (1) enforce its rules and requirements; (2) oversee the implementation and ensure the adequacy of security measures; and (3) inspect, maintain, and test security facilities, equipment, and systems for all modes of transportation.209 TSA’s authority over transportation security is comprehensive and supported with specific powers related to the development and enforcement of security-related regulations and other requirements. Within this broad authority, the agency may assess a security risk for any mode of transportation and develop security measures for dealing with this risk.210 If TSA identifies noncompliance with its requirements, TSA may hold the owner/operators responsible for the violation and subject to enforcement action, which may result in civil monetary penalties.211 Pursuant to its statutory authority and responsibilities, TSA is the sole Federal agency with authority to enforce its regulations.

Through a separate rulemaking, TSA recently consolidated all of its provisions previously found throughout its regulations relating to inspections, including the regulations governing surface transportation entities in current 49 CFR 1570.9.212 As a result of this revision to TSA’s regulations, TSA’s inspection requirements are now located in one section, 49 CFR 1503.207, which is the part that specifically focuses on investigative and enforcement procedures applicable to all of TSA’s regulatory requirements.

When appropriate, TSA will coordinate with an owner/operator on inspections. Notice gives the parties to be inspected the opportunity to gather evidence of compliance and to arrange to have the appropriate personnel available to assist TSA. Some inspections, however, can only be effective if TSA’s presence is unannounced. TSA must have the flexibility to respond to information, operations, and specific circumstances whenever they exist or develop. Security concerns are different at different times of the day and on different days. Terrorists may seek to take advantage of vulnerabilities whenever they occur.
TSA has the authority to assess the security of transportation entities at all times (including nights, weekends, and holidays) and under all operational situations. The nature of any given TSA inspection will depend on the specific circumstances surrounding a particular owner/operator at a given point in time and will be considered in conjunction with available threat information.

209 See generally 49 U.S.C. 114.
210 49 U.S.C. 114(f) and (l).
211 49 U.S.C. 114(f) and (u).
212 See Final Rule, Flight Training Security Program, 89 FR 35580 (May 1, 2024). These changes took effect on July 30, 2024.

G. Summary of Applicability and Requirements

Table 6 identifies the current and proposed applicability of all the requirements discussed above.

TABLE 6—SUMMARY OF PROPOSED REQUIREMENTS
[Current subchapter D of 49 CFR chapter XII requirements are indicated with an “X”; proposed requirements are indicated with a “P”]

Columns: SD and IC procedures; Physical security coordinator; Reporting significant physical security concerns; Security training; Cybersecurity coordinator; Reporting cybersecurity incidents; CRM program.

Rows:
• Owner/operators of freight railroads operating on general railroad system
• Rail hazardous materials shippers
• Rail hazardous materials receivers in HTUAs
• Owner/operators hosting freight or passenger rail operations
• Owner/operators of private rail cars and circus trains
• Owner/operators of passenger railroads operating on the general railroad system, including intercity passenger train service, and commuter train services
• Owner/operators of rail transit systems not part of general railroad system
• Owner/operators of tourist, scenic, historic, and excursion railroads
• Owner/operators of bus transit or commuter bus systems in designated areas
• OTRB owner/operators providing fixed-route service in designated areas
• Owner/operators of pipeline facilities and systems

[The X/P entries of the table body are not reproduced here.]

* If described in proposed 1580.301, 1582.201, or 1586.101.
** If notified by TSA in writing that a threat exists concerning that operation.

As further discussed below, this proposed rule builds upon the previously issued SDs that many of the affected owner/operators have endeavored to implement. All the requirements in the SDs discussed in section II.B.1 of this NPRM have been carried over into the proposed rule, either in full or with minor alteration. New requirements include cybersecurity incident reporting for the OTRB industry; specific requirements for governance of the owner/operators’ CRM programs; supply chain risk management requirements addressed as part of the COIP; and cybersecurity training. TSA is also proposing to include physical security requirements for the covered pipeline industry, but these provisions are not considered part of the CRM program.
A summary of key updates is listed below, and a more comprehensive presentation can be found in Appendix A of the Regulatory Impact Analysis available in the docket for this rulemaking.

• Cybersecurity Evaluation (§§ 1580.305, 1582.205, and 1586.205)—The proposed requirements for a Cybersecurity Evaluation modify the assessments required by the SD Pipeline 2021–01, SD 1580–21–01, and SD 1582–21–01 series by making the requirement more comprehensive, including the development of an enterprise-wide cybersecurity profile that, as set forth in the proposed rule, must be updated annually. As discussed in section III.D.1, this type of evaluation is consistent with the NIST CSF. The process to develop this profile is substantively similar to the requirements laid out in the applicable SDs. This requirement also addresses certain requirements in the 9/11 Act related to vulnerability assessments.

• Cybersecurity Operational Implementation Plan (COIP) (§§ 1580.303, 1582.203, and 1586.203)—The proposed requirements for a COIP build on the requirement in the SD Pipeline–2021–02 and SD 1580/82–2022–01 series, which required covered owner/operators to develop a CIP. This requirement also addresses certain requirements in the 9/11 Act related to developing a security plan to address vulnerabilities and ensure security of certain IT and OT systems. The additional requirements in the proposed rule for the COIP are consistent with the transition from the temporary purpose of the SDs’ requirements to establishing a permanent, robust, and mature CRM program. The new proposed COIP requirements include requiring owner/operators to have a POAM, which supports prioritization and timely implementation of CRM requirements and involves owner/operators developing a plan to address any shortfalls in being able to meet the requirements of the COIP.

• Governance (§§ 1580.309, 1582.209, and 1586.209)—Consistent with TSA’s intent to align the requirements in the rulemaking with the NIST CSF, TSA is proposing additional structure around the governance of the CRM program that was not included in the SDs. Establishing strong governance is critical to a viable and mature CRM program because having processes and identifying roles creates a more effective and efficient operation that considers cybersecurity and protects organizational goals. The “governance” requirements include designation of the accountable executive as well as those with cybersecurity responsibilities, so that there is a single leader (by role/position/title) who will act as the person responsible and accountable for planning, resourcing, and execution of cybersecurity activities.

• Cybersecurity Coordinator (§§ 1580.311, 1582.211, and 1586.211)—TSA is proposing to incorporate the requirements to designate a Cybersecurity Coordinator first imposed in the SD Pipeline 2021–01, SD 1580–21–01, and SD 1582–21–01 series with a few changes that detail the knowledge and skills of the Cybersecurity Coordinator. Such areas include general cybersecurity guidance and best practices; relevant law and regulations pertaining to cybersecurity; handling of SSI and security-related communications; and current cybersecurity threats applicable to the owner/operator’s operations and systems, as well as having a HSIN account or other TSA-designated communication platform for information sharing. The Cybersecurity Coordinator information must also be added to the owner/operator’s COIP. This requirement also addresses certain requirements in the 9/11 Act related to security coordinators, as well as recognizing the distinction between physical security and cybersecurity and the possibility that larger organizations may need to have different individuals handling these responsibilities.

• Identification of Critical Cyber Systems (§§ 1580.313, 1582.211, and 1586.211)—The proposed rule incorporates the requirement to identify Critical Cyber Systems first imposed in the SD Pipeline–2021–02 and SD 1580/82–2022–01 series. The requirements are substantively the same but contain clarifying language modifications with regard to the specifics of what is involved in the identification process. This requirement also addresses certain requirements in the 9/11 Act related to identification of critical assets and infrastructure.

• Supply Chain Risk Management (§§ 1580.315, 1582.215, and 1586.215)—TSA is proposing a new requirement, supply chain risk management, which is not in the SDs, to align the CRM program requirements with CISA’s CPGs. Under this requirement, the owner/operator must incorporate policies, procedures, and capabilities to address supply chain cyber vulnerabilities into their COIP.

• Protection of Critical Cyber Systems (§§ 1580.317, 1582.217, and 1586.217)—These proposed requirements incorporate requirements from the SD Pipeline–2021–02 and SD 1580/82–2022–01 series involving measures to provide network segmentation, access control, as well as patching and software updates, and add a discussion on procedures related to logging. TSA is not changing the substance but proposing to organize the requirements from the SDs to align with the NIST CSF. This requirement also helps address the 9/11 Act’s requirements related to protection of certain IT and OT systems.

• Cybersecurity Training (§§ 1580.319, 1582.219, and 1586.219)—TSA is proposing a new requirement for cybersecurity training, for basic users as well as role-based cybersecurity training for privileged users. As discussed in section III.D.2.d, this proposed requirement is consistent with recommendations in CISA’s CPGs. This requirement also addresses portions of the 9/11 Act requirements related to requiring security training for certain employees.

• Detection of Cybersecurity Incidents (§§ 1580.321, 1582.321, and 1586.321)—TSA is proposing to include requirements from the SD Pipeline–2021–02 and SD 1580/82–2022–01 series that address detection and monitoring of Critical Cyber Systems. TSA is not changing the substance but proposing to organize the requirements from the SDs to align with the NIST CSF. This proposed requirement also helps address 9/11 Act requirements related to plans to respond to a terrorist attack, which would include a cybersecurity incident caused by a threat actor.

• Capabilities to Respond to a Cybersecurity Incident (§§ 1580.323, 1582.223, and 1586.223)—This proposed requirement is included in the SD Pipeline–2021–02 and SD 1580/82–2022–01 series and involves auditing of unauthorized access to internet domains and communication between OT systems and external systems. TSA is not changing the substance but proposing to organize the requirements from the SDs to align with the NIST CSF. This proposed requirement also helps address 9/11 Act requirements related to plans to respond to a terrorist attack, which would include a cybersecurity incident caused by a threat actor.

• Cybersecurity Incident Reporting (§§ 1580.325, 1582.225, 1584.107, and 1586.225)—The proposed rule incorporates the requirement to report cybersecurity incidents first imposed in the SD Pipeline–2021–02 and SD 1580/82–2022–01 series with no changes.
• Cybersecurity Incident Response Plan (CIRP) (§§ 1580.327, 1582.227, and 1586.227)—The proposed requirement for a CIRP is incorporated from the SD Pipeline–2021–02, SD 1580–21–01, and SD 1582–21–01 series. This proposed requirement involves having a plan to respond to cybersecurity incidents. The plan must include exercises. The CIRP requirements in the proposed rule are substantively the same as in the SDs with some language changes. This proposed requirement also helps address 9/11 Act requirements related to plans to respond to a terrorist attack, which would include a cybersecurity incident caused by a threat actor.

• Cybersecurity Assessment Plan (CAP) (§§ 1580.329, 1582.229, and 1586.229)—This proposed requirement is incorporated from the SD Pipeline–2021–02 and SD 1580/82–2022–01 series with no substantive changes and involves a robust assessment plan that tests the effectiveness of the COIP. As laid out in the applicable SDs, consistent with the NIST CSF, the proposed requirements include providing an annual report of assessment findings to TSA and corporate leadership, which feeds into the iterative cycle of assessments, planning, implementation, testing, and revisions to plans that is critical to having a meaningful CRM program.

H. Compliance Deadlines and Documentation

Table 7 identifies compliance deadlines and the type of documentation required to meet compliance requirements.

TABLE 7—COMPLIANCE DEADLINES AND DOCUMENTATION
[Columns: Requirement; Record mechanism; Deadlines; Amendment required for substantive changes; Source. Where the table left a cell blank, the line is omitted below.]

Cybersecurity Evaluation
Record mechanism: Owner/operator holds for inspection.
Deadlines: Completed no later than 90 days after effective date of final rule or 45 days before commencing new or modified operations (but no more than one year before date of submission of COIP). Must notify TSA within 7 days of completion. Annual updates required.
Source: 1580.305(b), 1582.205(b), and 1586.205(b); 1580.305(d), 1582.205(d), and 1586.205(d); 1580.305(c), 1582.205(c), and 1586.205(c).

COIP
Record mechanism: Submitted to TSA for review and approval.
Deadlines: No later than 180 days after effective date of final rule or 45 days before commencing new or modified operations. Must be reviewed and updated within 60 days of completed Cybersecurity Evaluation or CAP Report.
Amendment required: No. See below for individual requirements.
Source: 1580.307(e), 1582.207(e), and 1586.207(e); 1580.307(f), 1582.207(f), and 1586.207(f).

Identification of accountable executive and individuals/vendors with cybersecurity responsibilities
Record mechanism: Included in COIP.
Deadlines: Notification to TSA within 30 days of effective date of final rule and within 7 days of changes to previously submitted information.
Amendment required: No; but notification to TSA if changed.
Source: 1580.309(a), 1582.209(a), and 1586.209(a).

Designation of Cybersecurity Coordinator
Record mechanism: Notification to TSA; information included in COIP.
Deadlines: Notification to TSA within 7 days of effective date of final rule (if not previously provided) and within 7 days of changes to previously submitted information that occur after that date.
Amendment required: No; but notification to TSA if changed.
Source: 1580.313(d), 1582.213(d), and 1586.213(d).

Identification of Critical Cyber Systems and Network Architecture
Record mechanism: Included in COIP.
Deadlines: No separate deadline from COIP submission.
Amendment required: Yes.

Supply Chain Risk Management
Record mechanism: Included in COIP.
Deadlines: No separate deadline from COIP submission.
Amendment required: Yes.

Description of how protective security outcomes are met
Record mechanism: Included in COIP.
Deadlines: No separate deadline from COIP submission.
Amendment required: Yes.

Cybersecurity training
Record mechanism: Included in COIP.
Deadlines: Initial training within 60 days of approval of COIP or 10 days of onboarding. Annual training 1 year from employee’s last training.
Amendment required: Yes.
Source: 1580.319(d), 1582.219(d), and 1586.219(d); 1580.319(e), 1582.219(e), and 1586.210(e).

Description of how detection and monitoring security outcomes are met
Record mechanism: Included in COIP.
Deadlines: No separate deadline from COIP.
Amendment required: Yes.

Cybersecurity Incident Reporting
Record mechanism: Notification to CISA.
Deadlines: Within 24 hours of identification.
Amendment required: No.
Source: 1580.325(a), 1582.225(a), 1584.107(a), and 1586.225(a).

Description of how response security outcomes are met
Record mechanism: Included in COIP.
Deadlines: No separate deadline from COIP.
Amendment required: Yes.

CIRP
Record mechanism: Included in COIP.
Deadlines: No separate deadline from COIP, but notification within 15 days if CIRP previously submitted as part of COIP is modified.
Amendment required: No; but notification to TSA if changed.

POAM
Record mechanism: Included in COIP.
Deadlines: No separate deadline from COIP (target dates cannot extend beyond three years from date of submission of COIP for TSA approval).
Amendment required: No.

CAP
Record mechanism: Submitted to TSA for review and approval.
Deadlines: No later than 90 days from approval of COIP. Report submitted 15 months from TSA approval of CAP and annually thereafter. Annual update to CAP, submitted no later than 12 months from date of last TSA approval of CAP.
Amendment required: Yes.
Source: 1580.329(a), 1582.229(a), and 1586.229(a); 1580.329(e), 1582.229(e), and 1586.229(e); 1580.329(f), 1582.229(f), and 1586.229(f).

I. Sensitive Security Information

1. Scope of the Revision to TSA’s SSI Regulatory Requirements

TSA is proposing minor changes to 49 CFR part 1520. These revisions consist of two types of modifications. First, revisions ensure the scope of existing designations of SSI for SDs and information circulars includes the section that would be added through this rulemaking as applicable to surface transportation. Second, TSA identified several areas where the SSI regulations explicitly referencing aviation and maritime should be revised to include surface transportation because similar requirements for surface transportation did not exist when the SSI regulations were promulgated. This proposed rule would address that gap. Note that any security program, security plan, or contingency plan required by 49 CFR subchapter D and vulnerability assessments required by, or submitted to, TSA are designated as SSI under current § 1520.5(b)(1) and (5), respectively. These requirements remain subject to SSI protection except as otherwise provided in writing by TSA in the interest of public safety or in furtherance of transportation security.213

213 See 49 CFR 1520.5(c) for TSA determinations that information no longer constitutes SSI.

2. Disclosure of SSI Upon the “Need To Know”

Each owner/operator subject to the requirements in this proposed rule is a covered person under 49 CFR 1520.7(n) and is, therefore, required to protect SSI from unauthorized disclosure. TSA’s SSI requirements do not prohibit owner/operators from sharing SSI with specific vendors that have a “need to know.” Determining whether information can be shared is a two-step consideration. First, is the individual a “covered person” under 49 CFR 1520.7?
Under § 1520.7(k), employees and contractors of an owner/operator are ‘‘covered persons.’’ Section 1520.9 requires all covered persons to protect SSI from unauthorized disclosure. Before sharing information with any person employed by, contracted to, or acting for a covered person, § 1520.9(a)(2) requires the owner/operator to determine that the individual has a need to know the information or record designated as SSI, as described in § 1520.11. If the person has a need to know and the information is shared, that individual is a covered person who is required to protect SSI E:\FR\FM\07NOP2.SGM 07NOP2 88532 Federal Register / Vol. 89, No. 216 / Thursday, November 7, 2024 / Proposed Rules from unauthorized disclosure.214 When providing the SSI, the owner/operators must include the SSI protection requirements and ensure the covered person is formally advised of their regulatory requirements to protect the information. The materials provided must maintain their SSI markings and be accompanied with an SSI cover sheet, and SSI must be properly disposed of in accordance with TSA regulations.215 Unauthorized disclosure of SSI, by owner/operators or their vendors, is grounds for enforcement action by TSA, including civil penalty actions, under § 1520.17. To support compliance with these requirements, TSA provides resources to regulated entities and other person on proper handling of SSI.216 IV. Regulatory Analyses A. Economic Impact Analysis 1. Summary of Regulatory Impact Analysis Changes to federal regulations must undergo several economic analyses. First, E.O. 12866 of September 30, 1993 (Regulatory Planning and Review),217 as supplemented by E.O. 13563 of January 18, 2011 (Improving Regulation and Regulatory Review),218 and amended by E.O. 14094 of April 6, 2023 (Modernizing Regulatory Review) 219 directs Federal agencies to propose or adopt a regulation only upon a reasoned determination that the benefits of the intended regulation justify its costs. 
Second, the Regulatory Flexibility Act of 1980 (RFA) 220 requires agencies to consider the economic impact of regulatory changes on small entities. Third, the Trade Agreement Act of 1979 221 prohibits agencies from setting standards that create unnecessary obstacles to the foreign commerce of the United States. Fourth, the Unfunded Mandates Reform Act of 1995 (UMRA) 222 requires agencies to prepare 214 See 49 CFR 1520.7(j), 1520.7(k) and 1520.9. 49 CFR 1520.9, 1520.13, and 1520.19 for specific restrictions related to restrictions on disclosure, marking, and destruction of SSI, respectively. 216 See SSI Best Practices Guide for Non-DHS Employees or contact TSA at (571) 227–3513 or SSI@tsa.dhs.gov. Additional resources are available at https://www.tsa.gov/for-industry/sensitivesecurity-information (last accessed Sept. 24, 2023). 217 Published at 58 FR 51735 (Oct. 4, 1993). 218 Published at 76 FR 3821 (Jan. 21, 2011). 219 Published at 88 FR 21879 (Apr. 6, 2023). 220 Public Law 96–354. 94 Stat. 1164 (Sept. 19, 1980), as codified at 5 U.S.C. 601 et seq., as amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA). 221 Public Law 96–39, 93 Stat. 144 (July 26, 1979), as codified at 19 U.S.C. 2531–2533. 222 Public Law 104–4, 109 Stat. 66 (Mar. 22, 1995), as codified at 2 U.S.C. 1181–1538. lotter on DSK11XQN23PROD with PROPOSALS2 215 See VerDate Sep<11>2014 21:18 Nov 06, 2024 Jkt 262001 a written assessment of the costs, benefits, and other effects of proposed or final rulemakings that include a federal mandate likely to result in the expenditure by State, Local, or Tribal governments, in the aggregate, or by the private sector, of $100 million or more annually ($177 million adjusted for inflation).223 The security of the nation’s transportation systems is vital to the economic health and security of the United States. 
Surface transportation systems in particular—including public transportation systems, intercity and commuter passenger railroads, freight railroads, intercity buses, hazardous liquid and liquefied natural gas pipelines as well as natural gas pipelines, and related infrastructure—are vital to our economy and essential to national security.224 As discussed previously in this preamble, threat actors have demonstrated their willingness to engage in cyber intrusions and perpetrate cybersecurity incidents against critical infrastructure. As technology evolves, so do cybersecurity threats. A successful attack could result in significant negative consequences with potential cascading impacts across many sectors of the economy and people’s lives. Transportation companies have competing priorities and finite resources with which to confront the complexity of building a cybersecurity defense. At the same time, there is uncertainty about whether and when a given company will be affected by a cybersecurity incident. These competing priorities and this uncertainty lead to a less than socially optimal level of cybersecurity investment.225 If entities are required to implement the same requirements, there could be fewer free riders and less undercutting of cybersecurity investment in favor of profits or because of budgetary constraints. As noted in the National Cybersecurity Strategy:

Today’s marketplace insufficiently rewards—and often disadvantages—the owners and operators of critical infrastructure who invest in proactive measures to prevent or mitigate the effects of cybersecurity incidents. Regulation can level the playing field, enabling healthy competition without sacrificing cybersecurity or operational resilience.226

Ensuring transportation security while promoting the movement of legitimate travelers and commerce is a critical mission assigned to TSA. TSA believes this proposed rule is consistent with its mission given the heightened risk of a cybersecurity threat and the potential of threat actors targeting the transportation system with the purpose to disrupt the supply chain, jeopardize public safety, undermine confidence in the transportation system, and otherwise affect national and economic security. The primary benefit of this proposed rule is a potential reduction in the risk of successful cybersecurity incidents, as well as in the impact of such incidents on the public, economy, and national security. The proposed requirements could enhance the security of the regulated population, which would reduce the chance of negative consequences and service interruptions from cybersecurity incidents for surface modes such as freight railroads, passenger railroads, and pipelines, thereby benefiting owner/operators, passengers, and consumers. A break-even analysis suggests that preventing a few significant cybersecurity incidents, or one high-consequence incident, in any transportation mode would yield benefits in excess of the costs of the proposed rule for those modes.

223 $100 million in 1995 dollars adjusted for inflation to 2022 using the GDP implicit price deflator for the U.S. economy. Federal Reserve Bank of St. Louis, ‘‘GDP Implicit Price Deflator in United States.’’ Available at: https://fred.stlouisfed.org/series/USAGDPDEFAISMEI#0 (last accessed Sept. 30, 2023).
224 Surface Transportation and Rail Security Act of 2007, Report of the Senate Committee on Commerce, Science, and Transportation, S. Rep. No. 110–29, at 2 (quoting Exec. Order No. 13416 (Dec. 5, 2006)), available at https://www.govinfo.gov/content/pkg/CRPT-110srpt29/html/CRPT-110srpt29.htm.
225 See Cybersecurity trends: Looking over the horizon (Mar. 10, 2022), available at https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/cybersecurity-trends-looking-over-the-horizon (last accessed July 25, 2024).
TSA estimates the preliminary 10-year total costs of the proposed rule to be about $2.6 billion discounted at a 3 percent discount rate and $2.2 billion discounted at a 7 percent discount rate, with preliminary annualized costs of about $307.8 million. These preliminary estimates do not account for current industry practice or for compliance with recently issued SDs, because TSA lacks data on the existing internal security practices of individual companies. Many owner/operators may therefore already employ measures that meet the security outcomes this proposed rule would require, and may already have incurred those costs, which means the cost estimate of this proposed rule could be an overestimate when measured against a no-action baseline. Furthermore, the costs of implementing measures to meet the proposed security outcomes may vary greatly across modes and by each owner/operator’s unique needs and scale of operation. Consequently, TSA is requesting public comment on current cybersecurity industry practices and how these practices may vary by company. TSA will consider these public comments and any data provided when estimating the cost of the final rule.

226 Supra note 12 at 8–9.

2. Assessments Required by E.O.s 12866 and 13563

E.O.s 12866 and 13563 direct agencies to assess the costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Under E.O. 12866, as amended by E.O. 14094, agencies must also determine whether a regulatory action is significant.227 These requirements were supplemented by E.O. 13563, which emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility.

In accordance with E.O. 12866, TSA has submitted the proposal to OMB, which has determined that this proposed rule is a ‘‘significant regulatory action’’ as defined under section 3(f)(1) of E.O. 12866, as amended by E.O. 14094, because its annual effect on the economy would exceed $200 million in at least one year of the period of analysis. In conducting these analyses:

• TSA prepared an Initial Regulatory Flexibility Analysis (IRFA), which estimates that this rulemaking would likely have a regulatory cost that exceeds one percent of revenue for 26 small entities—17 freight rail and nine pipeline owner/operators—of the 103 small entities that TSA found would be impacted by the NPRM.
• This rulemaking would not constitute a barrier to international trade.
• Under 2 U.S.C. 1503(5), this rulemaking is not subject to UMRA review because it is a regulation necessary for the national security of the United States. As noted in the National Cybersecurity Strategy, this rulemaking is being promulgated because of national security concerns related to the protection of Critical Cyber Systems, the loss or disruption of which could have impacts on national security, including economic security.

TSA has prepared an analysis of its estimated costs and benefits, summarized in the following paragraphs and in the OMB Circular A–4 Accounting Statement. When estimating the cost of a rulemaking, agencies typically estimate the future expected costs imposed by a regulation over a period of analysis. For this rulemaking, TSA uses a 10-year period of analysis to estimate the initial and recurring costs to the regulated surface mode owner/operators and to the new owner/operators expected to enter the regulated population through industry growth.

a. Costs

TSA summarizes the undiscounted costs of the proposed rule to be borne by five types of parties: freight rail owner/operators, PTPR owner/operators, OTRB owner/operators, pipeline owner/operators, and TSA.
Table 8 shows the breakdown of modal entity populations over the 10-year period of analysis. The population of each industry is important because it acts as a cost multiplier for some of the proposed rule’s provisions (e.g., employee training). The population estimates account for entity growth, employee growth, and employee turnover over the period of analysis; these dynamics affect both the population estimate itself and several of the costs (e.g., identification of new Cybersecurity Coordinators as entities are added or employees turn over).

TABLE 8—POPULATION GROWTH AND TURNOVER FOR MODAL ENTITIES

Column formulas (xY1 is the year-1 value of column x; Yn is the year number):
a = (aY1 − 6) × (1 + 0.85%)^(Yn − 1) + 6 (freight rail entities)
b = bY1 × (1 + 0.42%)^(Yn − 1) (freight rail employees, growth)
c = b × 4.00% (freight rail employees, turnover)
d = dY1 × (1 + 2.19%)^(Yn − 1) (PTPR entities)
e = eY1 × (1 + 1.11%)^(Yn − 1) (PTPR employees, growth)
f = e × 12.96% (PTPR employees, turnover)
g = gY1 × (1 + 2.50%)^(Yn − 1) (OTRB entities)
h = pipeline entities (the growth formula for this column is not legible in the extracted text; the published column is constant at 115)
i = iY1 × (1 + 0.62%)^(Yn − 1) (pipeline employees, growth)
j = i × 13.67% (pipeline employees, turnover)

Year | Freight rail entities (a) | Freight rail employees (b) | Freight rail turnover (c) | PTPR entities (d) | PTPR employees (e) | PTPR turnover (f) | OTRB entities (g) | Pipeline entities (h) | Pipeline employees (i) | Pipeline turnover (j)
1 | 73 | 116,960 | 0 | 34 | 299,680 | 0 | 71 | 115 | 39,920 | 0
2 | 74 | 117,451 | 4,698 | 35 | 303,006 | 39,270 | 73 | 115 | 40,168 | 5,491
3 | 74 | 117,945 | 4,718 | 36 | 306,370 | 39,706 | 75 | 115 | 40,417 | 5,525
4 | 75 | 118,440 | 4,738 | 36 | 309,771 | 40,146 | 76 | 115 | 40,667 | 5,559
5 | 75 | 118,937 | 4,757 | 37 | 313,209 | 40,592 | 78 | 115 | 40,919 | 5,594
6 | 76 | 119,437 | 4,777 | 38 | 316,686 | 41,042 | 80 | 115 | 41,173 | 5,628
7 | 76 | 119,939 | 4,798 | 39 | 320,201 | 41,498 | 82 | 115 | 41,428 | 5,663
8 | 77 | 120,442 | 4,818 | 40 | 323,755 | 41,959 | 84 | 115 | 41,685 | 5,698
9 | 78 | 120,948 | 4,838 | 40 | 327,349 | 42,424 | 87 | 115 | 41,944 | 5,734
10 | 78 | 121,456 | 4,858 | 41 | 330,982 | 42,895 | 89 | 115 | 42,204 | 5,769

Table 9 shows the 10-year cost by regulated industry. This information includes industry’s costs associated with implementing the proposed requirements. Many of the costs are based on the time to complete identified actions (e.g., submitting Accountable Executive information). In these instances, TSA calculates an opportunity cost based on the time to complete the task, the approximate wage rate of the person expected to complete the task, and how frequently the task would need to be completed. Other costs are based on expenses incurred (e.g., the cost to store backup data). In both cases, these costs may change over time, with a higher initial cost followed by a lower maintenance cost. See the TSA CRM Preliminary Regulatory Impact Analysis (RIA) for a more detailed discussion and breakdown of the costs.

227 See section 1(b) of E.O. 14094, revising section 3(f) of E.O. 12866: ‘‘Significant regulatory action’’ means any regulatory action that is likely to result in a rule that may: (1) have an annual effect on the economy of $200 million or more (adjusted every 3 years by the Administrator of OIRA for changes in gross domestic product); or adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or State, Local, Territorial, or Tribal governments or communities; (2) create a serious inconsistency or otherwise interfere with an action taken or planned by another agency; (3) materially alter the budgetary impact of entitlements, grants, user fees, or loan programs or the rights and obligations of recipients thereof; or (4) raise legal or policy issues for which centralized review would meaningfully further the President’s priorities or the principles set forth in this Executive order, as specifically authorized in a timely manner by the Administrator of OIRA in each case.

TABLE 9—TOTAL UNDISCOUNTED COST OF THE PROPOSED RULE BY REGULATED INDUSTRY
[$ thousands]

Year | Freight rail (a) | PTPR (b) | OTRB (c) | Pipelines (d) | Total regulated industries cost (e = a + b + c + d)
1 | $97,652 | $119,996 | $188 | $85,636 | $303,473
2 | 95,471 | 120,633 | 6 | 81,122 | 297,233
3 | 94,622 | 121,508 | 6 | 79,132 | 295,268
4 | 97,003 | 123,883 | 6 | 82,232 | 303,124
5 | 96,187 | 124,814 | 6 | 80,265 | 301,273
6 | 98,675 | 127,289 | 7 | 83,509 | 309,479
7 | 97,885 | 128,279 | 7 | 81,565 | 307,736
8 | 100,405 | 130,821 | 7 | 84,833 | 316,065
9 | 99,648 | 131,874 | 7 | 82,914 | 314,442
10 | 102,200 | 134,484 | 7 | 86,207 | 322,899
Total | 979,750 | 1,263,581 | 248 | 827,415 | 3,070,993
Note: Totals may not add due to rounding.
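As an added worked example (not part of the NPRM or of TSA's RIA), the following Python script implements the Table 8 column formulas as printed with the table and checks the year-2 and year-10 projections against the published figures, which is the kind of reproduction a commenter would do before challenging the population multipliers. The year-1 values and growth and turnover rates are taken from Table 8. Two details are assumptions inferred from the published figures rather than statements in the NPRM: each projected value is rounded to the nearest whole entity or employee, and turnover is counted from year 2 onward (Table 8 shows 0 in year 1). The pipeline entity count is held flat at 115 because its growth formula is not legible in the source.

```python
"""Reproduce the population projections in TSA's Table 8 (89 FR 88533).

Added example: implements the column formulas printed with the table; the
year-1 values and growth/turnover rates are the ones stated in Table 8.
Rounding to whole entities/employees and zero turnover in year 1 are
assumptions inferred from the published figures, not stated in the NPRM.
"""

# Year-1 populations and annual growth/turnover rates from Table 8.
TABLE_8 = {
    "freight_rail": {"entities": 73, "entity_growth": 0.0085, "fixed": 6,
                     "employees": 116_960, "employee_growth": 0.0042,
                     "turnover_rate": 0.0400},
    "ptpr":         {"entities": 34, "entity_growth": 0.0219, "fixed": 0,
                     "employees": 299_680, "employee_growth": 0.0111,
                     "turnover_rate": 0.1296},
    "otrb":         {"entities": 71, "entity_growth": 0.0250, "fixed": 0},
    # Assumption: growth rate for pipeline entities is not legible in the
    # source and the published column is flat at 115, so 0% is used here.
    "pipelines":    {"entities": 115, "entity_growth": 0.0, "fixed": 0,
                     "employees": 39_920, "employee_growth": 0.0062,
                     "turnover_rate": 0.1367},
}


def compound(year1_value, rate, year, fixed=0):
    """Column formula: (Y1 - fixed) * (1 + rate)^(year - 1) + fixed.

    Table 8 applies the 'fixed' offset only to freight rail entities
    (a = (aY1 - 6) * (1 + 0.85%)^(Yn - 1) + 6); every other column uses
    fixed = 0, which reduces to plain compound growth.
    """
    return (year1_value - fixed) * (1 + rate) ** (year - 1) + fixed


def project(mode, year):
    """Return the projected Table 8 row for one mode in a given year (1..10).

    Keys: entities, employees, turnover. The employee keys are omitted for
    OTRB, where Table 8 tracks entities only.
    """
    p = TABLE_8[mode]
    row = {"entities": round(compound(p["entities"], p["entity_growth"],
                                      year, p["fixed"]))}
    if "employees" in p:
        employees = compound(p["employees"], p["employee_growth"], year)
        row["employees"] = round(employees)
        # Assumption: turnover is counted from year 2 on (Table 8 shows 0 in year 1).
        row["turnover"] = 0 if year == 1 else round(employees * p["turnover_rate"])
    return row


def table_8():
    """Rebuild all ten years for every mode, keyed by mode name."""
    return {mode: [project(mode, y) for y in range(1, 11)] for mode in TABLE_8}


if __name__ == "__main__":
    for mode, rows in table_8().items():
        print(mode)
        for year, row in enumerate(rows, start=1):
            print(f"  year {year:2d}: {row}")
```

Running the script prints the rebuilt rows; they match the published values for every year, so the table's cost multipliers can be regenerated from the stated rates alone, which is useful when re-running the RIA's per-employee items (training, access control) under different growth assumptions.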
As displayed in Table 10, TSA estimates the 10-year total cost of this proposed rule to be $3.09 billion undiscounted, $2.63 billion discounted at 3 percent, and $2.16 billion discounted at 7 percent. The costs to industry (all four surface modes) comprise approximately 99 percent of the total costs of the proposed rule; the remaining costs are incurred by TSA. TSA calculated a total cost to each industry based on estimates and assumptions about the activities entities would likely undertake to comply with the requirements of the proposed rule. However, due to the scope and performance-based nature of the requirements, TSA recognizes there would be variation in costs across individual covered owner/operators. In response, TSA provides a sensitivity analysis of the key cost drivers in section 3.8 of the RIA; these drivers are access control implementation, Critical Cyber System data backups, and cybersecurity training. In addition, there are some areas where there may be unquantified costs, for example, costs related to the actual mitigation measures implemented as a result of the proposed rule that are not otherwise captured in TSA’s cost estimates. TSA requests comment on any costs that have not been quantified but may occur as a result of this proposed rule.

TABLE 10—TOTAL COST OF THE PROPOSED RULE
[$ thousands]

Year | Total regulated industries cost (a, from Table 9) | TSA cost (b) | Total proposed rule cost, undiscounted (c = a + b) | Discounted at 3% | Discounted at 7%
1 | $303,473 | $4,426 | $307,899 | $298,932 | $287,757
2 | 297,233 | 2,408 | 299,641 | 282,440 | 261,718
3 | 295,268 | 2,412 | 297,681 | 272,420 | 242,996
4 | 303,124 | 1,358 | 304,482 | 270,529 | 232,288
5 | 301,273 | 1,363 | 302,636 | 261,056 | 215,775
6 | 309,479 | 1,368 | 310,847 | 260,329 | 207,130
7 | 307,736 | 1,372 | 309,109 | 251,334 | 192,497
8 | 316,065 | 1,377 | 317,443 | 250,592 | 184,755
9 | 314,442 | 1,382 | 315,825 | 242,053 | 171,788
10 | 322,899 | 1,387 | 324,286 | 241,299 | 164,851
Total | 3,070,993 | 18,854 | 3,089,847 | 2,630,984 | 2,161,554
Annualized | | | | 308,432 | 307,757
Note: Totals may not add due to rounding.

Table 11 shows the 10-year costs of the CRM program for freight rail, PTPR, pipelines, and TSA. TSA estimates the 10-year total cost of the CRM program to be $3.00 billion undiscounted, $2.55 billion discounted at 3 percent, and $2.10 billion discounted at 7 percent. The CRM program is the largest cost provision. These costs include the cybersecurity evaluation (CSE) (which involves an enterprise-wide CSE); the COIP (which includes items related to the Cybersecurity Coordinator, identification of Critical Cyber Systems, supply chain risk management, protection of Critical Cyber Systems, incident response, training, detection of incidents, and the POAM); the CAP (which involves creating and submitting a plan that assesses the effectiveness of the COIP); and recordkeeping and compliance (which relates to the items needed to show compliance with provisions of the proposed rule).

TABLE 11—TOTAL COST OF THE CRM PROGRAM
[$ thousands]

Year | CSE (a) | COIP (b) | CAP (c) | Recordkeeping and compliance (d) | Total cost of the CRM program, undiscounted (e = a + b + c + d) | Discounted at 3% | Discounted at 7%
1 | $1,381 | $290,796 | $3,175 | $1,005 | $296,357 | $287,726 | $276,970
2 | 1,386 | 280,519 | 8,212 | 1,009 | 291,126 | 274,414 | 254,281
3 | 1,390 | 283,494 | 3,242 | 1,013 | 289,139 | 264,604 | 236,024
4 | 1,395 | 285,223 | 8,280 | 1,017 | 295,915 | 262,917 | 225,752
5 | 1,400 | 288,308 | 3,312 | 1,022 | 294,041 | 253,642 | 209,647
6 | 1,404 | 291,443 | 8,351 | 1,026 | 302,224 | 253,108 | 201,385
7 | 1,409 | 294,636 | 3,383 | 1,030 | 300,458 | 244,300 | 187,110
8 | 1,414 | 297,892 | 8,423 | 1,035 | 308,764 | 243,741 | 179,703
9 | 1,419 | 301,202 | 3,457 | 1,039 | 307,117 | 235,380 | 167,051
10 | 1,424 | 304,583 | 8,498 | 1,043 | 315,549 | 234,798 | 160,409
Total | 14,023 | 2,918,095 | 58,333 | 10,240 | 3,000,691 | 2,554,629 | 2,098,332
Annualized | | | | | | 299,480 | 298,755
Note: Totals may not add due to rounding.

Table 12 shows the 10-year costs by requirement for the freight rail industry. TSA estimates the 10-year costs to the freight rail industry to be $980 million undiscounted.228

228 Costs include those related to a Cybersecurity Coordinator, reporting cybersecurity incidents, creating a CRM program (which includes the CSE, COIP, Accountable Executive, CIRP, CAP, and training), familiarization, and the costs of compliance and recordkeeping.

TABLE 12—REQUIREMENT COSTS—FREIGHT RAIL
[$ thousands]

Year | Familiarization (a) | CSE (b) | COIP (c) | CAP (d) | Recordkeeping and compliance (e) | Reporting cybersecurity incidents (f) | CIRP (g) | Total cost, undiscounted (h = a + b + c + d + e + f + g)
1 | $242 | $233 | $94,081 | $855 | $276 | $1 | $1,963 | $97,652
2 | 2 | 235 | 91,019 | 2,514 | 279 | 1 | 1,422 | 95,471
3 | 2 | 237 | 91,788 | 881 | 281 | 1 | 1,433 | 94,622
4 | 2 | 239 | 92,494 | 2,540 | 283 | 1 | 1,444 | 97,003
5 | 2 | 241 | 93,295 | 908 | 285 | 1 | 1,455 | 96,187
6 | 2 | 242 | 94,108 | 2,567 | 287 | 1 | 1,467 | 98,675
7 | 2 | 244 | 94,935 | 935 | 290 | 1 | 1,478 | 97,885
8 | 2 | 246 | 95,779 | 2,595 | 292 | 1 | 1,490 | 100,405
9 | 2 | 248 | 96,638 | 963 | 294 | 1 | 1,501 | 99,648
10 | 2 | 250 | 97,515 | 2,622 | 297 | 1 | 1,513 | 102,200
Total | 260 | 2,416 | 941,652 | 17,381 | 2,864 | 10 | 15,166 | 979,750
Note: Totals may not add due to rounding.

Table 13 shows the 10-year cost to the PTPR industry by requirement. TSA estimates the 10-year costs to the PTPR industry to be $1.26 billion undiscounted.229

229 Costs include those related to a Cybersecurity Coordinator, reporting cybersecurity incidents, creating a CRM program (which includes the CSE, COIP, Accountable Executive, CIRP, CAP, and training), familiarization, and the costs of compliance and recordkeeping.

TABLE 13—REQUIREMENT COSTS—PTPR
[$ thousands]

Year | Familiarization (a) | CSE (b) | COIP (c) | CAP (d) | Recordkeeping and compliance (e) | Reporting cybersecurity incidents (f) | CIRP (g) | Total cost, undiscounted (h = a + b + c + d + e + f + g)
1 | $55 | $103 | $118,493 | $389 | $84 | $1 | $871 | $119,996
2 | 1 | 106 | 118,601 | 1,164 | 86 | 1 | 675 | 120,633
3 | 1 | 108 | 120,197 | 423 | 88 | 1 | 690 | 121,508
4 | 1 | 110 | 121,777 | 1,199 | 90 | 1 | 704 | 123,883
5 | 1 | 113 | 123,429 | 458 | 92 | 1 | 720 | 124,814
6 | 1 | 115 | 125,106 | 1,235 | 94 | 1 | 736 | 127,289
7 | 1 | 118 | 126,816 | 495 | 96 | 1 | 752 | 128,279
8 | 1 | 120 | 128,558 | 1,273 | 98 | 2 | 768 | 130,821
9 | 1 | 123 | 130,329 | 534 | 100 | 2 | 785 | 131,874
10 | 1 | 126 | 132,139 | 1,312 | 102 | 2 | 802 | 134,484
Total | 66 | 1,141 | 1,245,446 | 8,480 | 931 | 14 | 7,503 | 1,263,581
Note: Totals may not add due to rounding.

Table 14 shows the 10-year cost by requirement for the OTRB industry. TSA estimates the 10-year costs to the OTRB industry to be $248 thousand undiscounted.

TABLE 14—REQUIREMENT COSTS—OTRB
[$ thousands]

Year | Reporting cybersecurity incidents (a) | Familiarization (b) | Total cost, undiscounted (c = a + b)
1 | $1 | $187 | $188
2 | 1 | 5 | 6
3 | 1 | 5 | 6
4 | 1 | 5 | 6
5 | 1 | 5 | 6
6 | 1 | 5 | 7
7 | 1 | 5 | 7
8 | 1 | 5 | 7
9 | 2 | 6 | 7
10 | 2 | 6 | 7
Total | 14 | 234 | 248
Note: Totals may not add due to rounding.
Table 15 shows the 10-year cost by requirement for all the requirements for the pipeline industry. TSA is proposing to incorporate the corresponding physical security costs into this rulemaking to align pipelines with the other covered modes (for which physical security provisions are already required). TSA estimates the 10-year costs to the combined pipeline industry to be $827 million undiscounted.230

230 Costs include those related to a Physical Security Coordinator, reporting significant physical security concerns, Cybersecurity Coordinator, reporting cybersecurity incidents, creating a CRM program (which includes the CSE, COIP, Accountable Executive, CIRP, CAP, and training), familiarization, and the costs of compliance and recordkeeping.

TABLE 15—REQUIREMENT COSTS—PIPELINE
[$ thousands]

Year | Total physical security costs (a) | Familiarization (b) | CSE (c) | COIP (d) | CAP (e) | Recordkeeping and compliance (f) | Reporting cybersecurity incidents (g) | CIRP (h) | Total cost, undiscounted (i = a + b + c + d + e + f + g + h)
1 | $37 | $912 | $973 | $74,786 | $1,359 | $645 | $38 | $6,886 | $85,636
2 | 21 | 0 | 973 | 69,415 | 3,959 | 645 | 38 | 6,072 | 81,122
3 | 21 | 0 | 973 | 70,024 | 1,359 | 645 | 38 | 6,072 | 79,132
4 | 21 | 0 | 973 | 70,525 | 3,959 | 645 | 38 | 6,072 | 82,232
5 | 21 | 0 | 973 | 71,157 | 1,359 | 645 | 38 | 6,072 | 80,265
6 | 21 | 0 | 973 | 71,801 | 3,959 | 645 | 38 | 6,072 | 83,509
7 | 21 | 0 | 973 | 72,457 | 1,359 | 645 | 38 | 6,072 | 81,565
8 | 21 | 0 | 973 | 73,125 | 3,959 | 645 | 38 | 6,072 | 84,833
9 | 21 | 0 | 973 | 73,806 | 1,359 | 645 | 38 | 6,072 | 82,914
10 | 21 | 0 | 973 | 74,500 | 3,959 | 645 | 38 | 6,072 | 86,207
Total | 230 | 912 | 9,731 | 721,596 | 26,590 | 6,446 | 378 | 61,531 | 827,415
Note: Totals may not add due to rounding.

Table 16 shows the 10-year cost by requirement for TSA. TSA estimates the 10-year costs to TSA to be $18.9 million undiscounted.231

231 Costs include those related to a Physical Security Coordinator, reporting significant physical security concerns, Cybersecurity Coordinator, and the CRM program (which includes the CSE, COIP, Accountable Executive, CIRP, CAP, and training). The TSA burden would be for reviewing the CRM programs, keeping track of key personnel, and ensuring compliance with the program. TSA will incur ongoing costs with the implementation of this rulemaking.

TABLE 16—REQUIREMENT COSTS—TSA
[$ thousands]

Year | Physical security (a) | CSE (b) | COIP (c) | CAP (d) | CIRP (e) | Total cost, undiscounted (f = a + b + c + d + e)
1 | $75 | $72 | $3,436 | $572 | $272 | $4,426
2 | 75 | 72 | 1,484 | 576 | 201 | 2,408
3 | 75 | 72 | 1,485 | 579 | 201 | 2,412
4 | 75 | 73 | 427 | 582 | 201 | 1,358
5 | 75 | 73 | 427 | 586 | 202 | 1,363
6 | 75 | 74 | 428 | 590 | 202 | 1,368
7 | 75 | 74 | 428 | 593 | 202 | 1,372
8 | 75 | 75 | 429 | 597 | 202 | 1,377
9 | 75 | 75 | 429 | 601 | 202 | 1,382
10 | 75 | 76 | 430 | 605 | 202 | 1,387
Total | 750 | 735 | 9,401 | 5,881 | 2,088 | 18,854
Note: Totals may not add due to rounding.

b. Cost Sensitivity Analysis

TSA calculates a total cost for each industry based on estimates and assumptions about the activities entities would likely undertake to satisfy the requirements of the proposed rule. The costs are driven primarily by access control implementation, Critical Cyber System data backups, and cybersecurity training. Employee population size, which acts as a multiplication factor, is a key reason access control and training carry such a large cost. Baseline training, for instance, has a per-employee burden of 1 hour per year, but when multiplied across the population of covered employees the result is a significant expenditure.

In section 3.8 of the RIA, TSA provides a sensitivity analysis that assesses uncertainty within these key cost drivers, including how owner/operators may achieve compliance and to what extent they may already meet the proposed requirements through existing actions, and thereby gives a sense of the likely practical incremental cost of the proposed rule. None of the cost drivers tested under the sensitivity analysis apply to OTRB entities; therefore, TSA did not include OTRB in the sensitivity analysis. Specifically, TSA evaluates the cost implications of assuming that MFA for access control is already fully implemented at 25 percent of affected entities and partially implemented at an additional 25 percent, rather than not implemented at all at any affected entity. For Critical Cyber System data backups, TSA assumes 20 percent of entities would fully satisfy the proposed requirement and 50 percent would partially satisfy it. For the last cost driver evaluated, employee training, TSA varies the assumed level of existing compliance with the required training from 0 percent across industry in the primary analysis to 20 percent fully compliant and 50 percent partially compliant. The costs resulting from varying these cost driver assumptions for each mode are depicted below.

Table 17 presents freight rail sensitivity analysis costs and compares them to the freight rail costs in the primary analysis. Based on the sensitivity assumptions for access control, data backups, and cybersecurity training, the estimated total cost to freight rail is about $655.5 million, which is 33 percent ($324.2 million) less than the freight rail estimated cost in the primary analysis.
TABLE 17—FREIGHT RAIL SENSITIVITY COSTS [$ thousands]

| Year | Access control (a) | Critical cyber system backups (b) | Cybersecurity training (c) | All other non-cost driver costs (d) | Total costs under sensitivity (e = a + b + c + d) | Total cost in primary analysis (f) | Difference from primary analysis (g = e − f) |
|---|---|---|---|---|---|---|---|
| 1 | $33,149 | $6,665 | $4,259 | $22,069 | $66,142 | $97,652 | -$31,510 |
| 2 | 33,289 | 6,870 | 3,981 | 19,989 | 64,128 | 95,471 | -31,343 |
| 3 | 33,428 | 7,081 | 3,998 | 18,492 | 62,999 | 94,622 | -31,624 |
| 4 | 33,569 | 7,299 | 4,015 | 20,210 | 65,092 | 97,003 | -31,910 |
| 5 | 33,710 | 7,524 | 4,032 | 18,718 | 63,984 | 96,187 | -32,204 |
| 6 | 33,851 | 7,756 | 4,049 | 20,516 | 66,172 | 98,675 | -32,503 |
| 7 | 33,993 | 7,995 | 4,066 | 19,023 | 65,078 | 97,885 | -32,808 |
| 8 | 34,136 | 8,242 | 4,083 | 20,825 | 67,286 | 100,405 | -33,120 |
| 9 | 34,280 | 8,495 | 4,100 | 19,335 | 66,210 | 99,648 | -33,438 |
| 10 | 34,424 | 8,758 | 4,117 | 21,139 | 68,437 | 102,200 | -33,763 |
| Total | 337,829 | 76,684 | 40,701 | 200,314 | 655,528 | 979,750 | -324,221 |

Note: Totals may not add due to rounding.

Table 18 presents PTPR sensitivity analysis costs and compares them to the PTPR costs in the primary analysis. Based on the sensitivity assumptions, the total cost under the sensitivity is $783.4 million, which is about 38 percent ($480.2 million) less than the total cost under the primary analysis. This larger percentage decrease from the primary analysis when compared to the freight rail and pipeline modes is attributed to the larger employee population within the PTPR industry. As the access control and cybersecurity training costs are calculated on a per-employee basis, these requirements make up a greater portion of the overall cost to the PTPR industry, and therefore result in a more significant cost difference within the sensitivity analysis.

TABLE 18—PTPR SENSITIVITY COST [$ thousands]

| Year | Access control (a) | Critical cyber system backups (b) | Cybersecurity training (c) | All other non-cost driver costs (d) | Total costs under sensitivity (e = a + b + c + d) | Total cost in primary analysis (f) | Difference from primary analysis (g = e − f) |
|---|---|---|---|---|---|---|---|
| 1 | $55,437 | $3,104 | $6,629 | $9,433 | $74,603 | $119,996 | -$45,394 |
| 2 | 56,053 | 3,243 | 6,588 | 8,936 | 74,820 | 120,633 | -45,813 |
| 3 | 56,675 | 3,391 | 6,661 | 8,368 | 75,095 | 121,508 | -46,412 |
| 4 | 57,304 | 3,544 | 6,735 | 9,279 | 76,861 | 123,883 | -47,021 |
| 5 | 57,940 | 3,704 | 6,810 | 8,717 | 77,171 | 124,814 | -47,643 |
| 6 | 58,583 | 3,872 | 6,886 | 9,674 | 79,014 | 127,289 | -48,274 |
| 7 | 59,233 | 4,047 | 6,962 | 9,119 | 79,361 | 128,279 | -48,918 |
| 8 | 59,891 | 4,230 | 7,040 | 10,086 | 81,247 | 130,821 | -49,574 |
| 9 | 60,556 | 4,421 | 7,118 | 9,538 | 81,632 | 131,874 | -50,242 |
| 10 | 61,228 | 4,621 | 7,197 | 10,515 | 83,561 | 134,484 | -50,923 |
| Total | 582,900 | 38,176 | 68,626 | 93,664 | 783,367 | 1,263,581 | -480,214 |

Note: Totals may not add due to rounding.

Table 19 presents pipeline sensitivity analysis costs and compares them to the pipeline costs in the primary analysis. Based on the sensitivity assumptions, the total sensitivity analysis cost to pipeline entities is $621.7 million, which is about 25 percent ($205.7 million) less than the primary analysis estimates. This smaller percentage decrease from the primary analysis when compared to the other modes is attributed to the smaller employee population within the pipeline industry.

TABLE 19—PIPELINE SENSITIVITY COSTS [$ thousands]

| Year | Access control (a) | Critical cyber system backups (b) | Cybersecurity training (c) | All other non-cost driver costs (d) | Total costs under sensitivity (e = a + b + c + d) | Total cost in primary analysis (f) | Difference from primary analysis (g = e − f) |
|---|---|---|---|---|---|---|---|
| 1 | $14,201 | $10,494 | $1,902 | $38,299 | $64,896 | $85,636 | -$20,740 |
| 2 | 14,289 | 10,734 | 1,476 | 35,185 | 61,683 | 81,122 | -19,439 |
| 3 | 14,377 | 10,978 | 1,486 | 32,585 | 59,426 | 79,132 | -19,706 |
| 4 | 14,466 | 11,229 | 1,495 | 35,065 | 62,255 | 82,232 | -19,977 |
| 5 | 14,556 | 11,485 | 1,504 | 32,465 | 60,011 | 80,265 | -20,254 |
| 6 | 14,646 | 11,747 | 1,513 | 35,065 | 62,972 | 83,509 | -20,537 |
| 7 | 14,737 | 12,015 | 1,523 | 32,465 | 60,741 | 81,565 | -20,824 |
| 8 | 14,829 | 12,290 | 1,532 | 35,065 | 63,715 | 84,833 | -21,117 |
| 9 | 14,920 | 12,570 | 1,542 | 32,465 | 61,498 | 82,914 | -21,416 |
| 10 | 15,013 | 12,858 | 1,551 | 35,065 | 64,487 | 86,207 | -21,720 |
| Total | 146,034 | 116,401 | 15,523 | 343,725 | 621,684 | 827,415 | -205,731 |

Note: Totals may not add due to rounding.

Table 20 presents the total costs using the aforementioned adjusted values from the sensitivity analysis. As shown, the total costs to industry under the sensitivity analysis based on the altered assumptions for the main cost drivers are $2.1 billion. This cost includes the adjusted costs of the three industries included in the sensitivity (freight rail, PTPR, and pipeline) as well as the unadjusted, undiscounted cost to OTRB entities (see Table 9). The difference from the primary analysis presented in Table 10 is $1.0 billion (a 33 percent reduction).

TABLE 20—TOTAL COSTS UNDER THE SENSITIVITY ANALYSIS [$ thousands]

| Year | Total regulated industries sensitivity analysis cost (a) | TSA sensitivity analysis cost (b) | Total proposed rule sensitivity analysis cost, undiscounted (c = a + b) | Total proposed rule sensitivity analysis cost, discounted at 3% | Total proposed rule sensitivity analysis cost, discounted at 7% |
|---|---|---|---|---|---|
| 1 | $205,829 | $4,426 | $210,256 | $204,132 | $196,501 |
| 2 | 200,638 | 2,408 | 203,046 | 191,390 | 177,348 |
| 3 | 197,527 | 2,412 | 199,939 | 182,972 | 163,210 |
| 4 | 204,215 | 1,358 | 205,573 | 182,649 | 156,831 |
| 5 | 201,172 | 1,363 | 202,535 | 174,709 | 144,405 |
| 6 | 208,165 | 1,368 | 209,533 | 175,481 | 139,621 |
| 7 | 205,186 | 1,372 | 206,559 | 167,951 | 128,634 |
| 8 | 212,254 | 1,377 | 213,632 | 168,643 | 124,336 |
| 9 | 209,347 | 1,382 | 210,729 | 161,506 | 114,623 |
| 10 | 216,492 | 1,387 | 217,879 | 162,123 | 110,759 |
| Total | 2,060,827 | 18,854 | 2,079,681 | 1,771,556 | 1,456,266 |
| Annualized | | | 207,968 | 207,680 | 207,340 |

Note: Totals may not add due to rounding.

TSA requests public comment on the assumptions and estimates presented in the primary cost analysis as well as those within this sensitivity analysis, both of which may be used to better inform, update, or improve the overall analysis.

c. Benefits

The primary benefit of the proposed rule is a potential reduction in the risk of cybersecurity incidents as well as the impact of any such incident. The CRM program could enhance cybersecurity by reducing vulnerability to cybersecurity incidents by having defense mechanisms in place that increase owner/operator ability to monitor and mitigate threats as well as strengthening response measures in the event of a cybersecurity incident.
Specifically, the proposed rule would require designated owner/operators for three of the four modes to identify a Cybersecurity Coordinator and report cybersecurity incidents. Owner/operators of freight railroads, PTPR, and pipeline facilities and systems that meet the applicability criteria would also be required to develop and implement a comprehensive CRM program. The proposed CRM program includes three primary elements. First, covered owner/operators would be required to regularly conduct an enterprise-wide cybersecurity evaluation that would identify their current cybersecurity profile. Benefits of regular cybersecurity evaluations, such as through the rule’s CSE requirement, and monitoring over time, include focusing attention on cybersecurity issues and initiatives, providing a means to assess or evaluate cyber-related threats and the evolution of mitigation measures, prioritizing response to address vulnerabilities effectively, and informing budgeting and investment decisions for upgrade cycles and long-term improvements.232 Second, owner/operators would be required to develop a COIP with requirements that focus on: (a) governance of the CRM program that helps ensure its successful implementation, relevance, and ability to address cybersecurity matters; (b) identification of critical cyber systems to help prioritize and optimize efforts; (c) protecting critical cyber systems, which helps minimize unnecessary network traffic, control internal network access points for users, shorten network downtime and increase reliable operational uptime, stop threats more quickly, and minimize the risks associated with lost data; (d) detecting and monitoring critical cyber systems to help detect incidents sooner and respond to incidents more quickly, potentially reducing the associated impacts; and (e) ensuring response and recovery to help ensure efficient and effective restoration of operational capabilities following an incident. As part of this COIP process to ensure response and recovery, owner/operators would develop a CIRP that would require an established set of policies and procedures in place to respond to intrusions into their critical cybersecurity systems and to maintain or reconstitute operations during an incident. Reducing the time and confusion involved in responding to future incidents provides a benefit to owner/operators, passengers/consumers, and society. Third, owner/operators would be required to have a CAP that includes an independent evaluation of the effectiveness of their CRM program and identification of unaddressed vulnerabilities, which helps establish greater accountability.
Independent evaluation will ensure that the assessments, audits, testing, and other assessment capabilities would not be conducted by individuals who have oversight or responsibility for implementing the owner/operator’s CRM program and have no vested or other financial interest in the results. The proposed rule would also expand the requirement for having a Physical Security Coordinator (currently in 49 CFR 1570.201) and reporting significant physical security concerns (currently in 49 CFR 1570.203) to owner/operators of designated pipeline facilities and systems, which helps delineate clear communication channels by establishing a single point of contact and creates greater awareness of the various types of cybersecurity threats encountered. The proposed rule’s CRM program requirements could create benefits through the identification, protection, detection, response, and recovery from cybersecurity threats, which are discussed more fully in the RIA. Identifying a standardized requirement applicable to owner/operators that meet applicability criteria would also provide more consistent application of and investments in cybersecurity measures, yet offer flexibility by focusing on security outcomes, which allows for innovation and the unique operational aspects of each owner/operator.

232 See NIST SP 800–53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf (last accessed July 25, 2024); see also NIST SP 800–37, Revision 2, Risk Management Framework for Information Systems and Organizations, available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf (last accessed July 25, 2024).
In addition, applicability criteria based on the volume of passengers or goods transported, as opposed to entity size, focus requirements on owner/operators where there is the greatest potential impact, including small entities that play a critical role or function. Further, the proposed requirements would encourage greater investment in and development of cybersecurity measures, potential pooling of resources to address common issues, as well as gains in efficiencies over time, which would reduce the direct and indirect costs of cybersecurity incidents.

d. Break-Even Analysis

TSA uses a break-even analysis to help understand and frame the relationship between the potential benefits of the proposed rule and the costs of implementation.233 Consistent with OMB Circular No. A–4, "Regulatory Analysis," this analysis answers the question "How small could the value of the non-quantified benefits be (or how large would the value of the non-quantified costs need to be) before the rule would yield zero net benefits?" 234 A break-even analysis estimates a threshold value for the security benefits of the proposed rule so that the benefits of the rulemaking exactly match its costs. TSA compared potential consequence levels of cybersecurity incidents to the annualized cost (discounted at 7 percent) to industry and TSA from the proposed rule for each mode to estimate how often a cybersecurity incident of that size would need to be averted for the expected benefits to equal estimated costs for that transportation mode.

233 When it is not possible to quantify or monetize a majority of the incremental benefits of a regulation, OMB recommends conducting a threshold, or "break-even," analysis.
234 OMB, "Circular A–4: Regulatory Analysis," Section B. The Need for Federal Regulatory Action. Sept. 17, 2003. pg. 2.
As part of calculating the break-even point of an analysis, TSA uses the full cost of the cybersecurity provisions of the proposed rule (physical security related requirements are not included) to assess the level of benefits or avoided costs required to break even.235 Applying the simplest version of the conclusion, if the proposed rule prevents annual costs of approximately $307.8 million (at 7 percent) across all impacted surface modes, its benefits will justify its costs. TSA also calculates the prevention of costs necessary for freight rail, PTPR, and pipeline independently using CRM program costs identified in Tables 21, 22, and 23. These tables also present a selection of break-even scenarios of varying magnitudes to illustrate the level of risk reduction necessary for events of such size to break even. Specifically, they include the annualized cost of the cybersecurity focused provisions of the proposed rule (discounted at 7 percent) along with identified consequence levels or avoided losses. Those values are divided by each other to derive the required risk reduction and frequency of averted cybersecurity incidents to break even with respect to the cost of the CRM program of the proposed rule. Table 21 presents the amount of risk reduction necessary for a range of consequence levels relative to freight rail estimated CRM program costs. TSA uses the AAR’s estimate that a complete nationwide shutdown of freight rail transportation could cost the U.S. economy more than $2 billion a day as a basis for potential impact.236 Based on this figure, even if only a fractional amount of the system were incapacitated or operated at reduced capacity, it would result in substantial impacts depending on the number of days affected. The CRM rule would reduce the likelihood of the type of systemic disruption that would occur from a wide scale attack through the regulation of the largest and most interconnected owner/operators.
If an attacker were to gain access to a freight rail entity’s IT system and further penetrate the OT system, such an attacker could cause rail service interruptions for that entity and potential wider cascading effects, especially if multiple owner/operators were attacked simultaneously. The CRM rule would reduce the likelihood of such an attack occurring through the protections implemented in the COIP, such as network segmentation, access control and patch management. If the attack partially succeeded, the CRM rule would reduce the impact of such an incident due to the requirements to develop plans to detect, respond to and recover from cybersecurity incidents as part of the COIP. TSA shows break-even levels based on $1 billion, $10 billion, and $20 billion consequence levels by comparing the magnitude of the consequences to the annualized cost of the proposed CRM rule discounted at 7 percent.

235 TSA uses the full cost of the CRM program and cybersecurity related costs in this break-even analysis without adjusting for costs industry has incurred as a result of prior industry practices or TSA SDs.
236 AAR, The Economic Impact of a Railroad Shutdown at 2 (2022), available at https://www.aar.org/wp-content/uploads/2022/09/AARRail-Shutdown-Report-September-2022.pdf (last accessed Sept. 28, 2023).

TABLE 21—FREIGHT RAIL SUMMARY OF CRM PROGRAM BREAK-EVEN RESULTS

| Break-even example | Annualized cost of CRM program, 7% discount rate (a) | Consequence, avoided losses (b) | Required risk reduction (c = a ÷ b) | Required frequency of averted cybersecurity incidents (d = b ÷ a) |
|---|---|---|---|---|
| 1 billion dollar example | $98.22 million | $1 billion | 0.0982 | One every 10.18 years. |
| 10 billion dollar example | | 10 billion | 0.0098 | One every 101.81 years. |
| 20 billion dollar example | | 20 billion | 0.0049 | One every 203.62 years. |

Table 22 presents the amount of risk reduction necessary for a range of consequence levels relative to PTPR estimated CRM program costs. The type of incident and size of the ridership impacted would greatly impact the level of consequence. For instance, shutting down municipal rail services for under a million passengers for a day is different than shutting down and/or delaying services of multiple million for a prolonged period of time. In such cases, the impact may largely represent delays in time and inconvenience, while in other instances it may include train derailments or collisions that result in loss of life. If an attacker were to gain access to a transit entity’s IT system and, without sufficient network segmentation, further penetrate the OT system, such an attacker could cause service interruptions for that entity’s riders by impacting critical systems that prevent travel or disrupt safety measures that could require trains to operate at reduced speeds or potentially cause them to derail/collide. The CRM rule would reduce the likelihood of such an attack occurring through the protections implemented in the COIP like network segmentation, access control and patch management.237 If the attack partially succeeded, the CRM rule would reduce the impact of such an incident due to the requirements to develop plans to detect, respond to and recover from cybersecurity incidents as part of the COIP. TSA shows break-even levels based on $1 billion, $2 billion, or $4 billion consequence levels by comparing the magnitude of the consequences to the annualized cost of the proposed CRM rule discounted at 7 percent.

237 See Dragos Year in Review, 2022. There is discussion on the 39 percent fluctuation changes in oil/gas industries (Table 5: Poor Security Perimeters by OT Industry) which is likely correlated to the implementation of the TSA SDs released in response to the ransomware attack on a major pipeline company in 2021.

TABLE 22—PTPR SUMMARY OF CRM PROGRAM BREAK-EVEN RESULTS

| Break-even example | Annualized cost of CRM program, 7% discount rate (a) | Consequence, avoided losses (b) | Required risk reduction (c = a ÷ b) | Required frequency of averted cybersecurity incidents (d = b ÷ a) |
|---|---|---|---|---|
| 1 billion dollar example | $125.74 million | $1 billion | 0.1257 | One every 7.95 years. |
| 10 billion dollar example | | 2 billion | 0.00629 | One every 15.91 years. |
| 20 billion dollar example | | 4 billion | 0.0314 | One every 31.81 years. |

Table 23 presents the amount of risk reduction necessary for a range of consequence levels relative to pipeline estimated CRM program costs. The national pipeline system transports hazardous liquids, natural gas, and other liquids and gases that are used by various other segments of the economy, including supplying materials for energy needs and manufacturing. Disrupting the transportation of these materials can have widespread effects that increase in magnitude depending on the pipelines impacted and the length of the disruption. If an attacker were to gain access to a pipeline entity’s IT system and, without sufficient network segmentation, further penetrate the OT system, such an attacker could cause product delivery interruptions for that entity or a wider set of pipeline network effects by causing damage to extensive portions of pipeline or critical/large junctions. Consistent with the above discussion on rail, the CRM rule would reduce the likelihood of such an attack occurring through the protections implemented in the COIP like network segmentation, access control and patch management.238 If the attack partially succeeded, the CRM rule would reduce the impact of such an incident due to the requirements to develop plans to detect, respond to and recover from cybersecurity incidents as part of the COIP. Given the expansive impact pipeline products have on various aspects of the economy, TSA assumes a widespread disruption to the system could range from $1 to $2 billion per day. Based on this figure, even if only a fractional amount of the system were disrupted or operated at reduced capacity, this disruption could result in substantial impacts depending on the number of days affected. TSA shows break-even levels based on $2 billion, $10 billion, and $20 billion of consequence compared to the annualized cost of the proposed CRM rule discounted at 7 percent.

238 Id.

TABLE 23—PIPELINE SUMMARY OF FULL CRM PROGRAM BREAK-EVEN RESULTS

| Break-even example | Annualized cost of CRM program, 7% discount rate (a) | Consequence, avoided losses (b) | Required risk reduction (c = a ÷ b) | Required frequency of averted cybersecurity incidents (d = b ÷ a) |
|---|---|---|---|---|
| 2 billion dollar example | $83.667 million | $2 billion | 0.0418 | One every 23.90 years. |
| 10 billion dollar example | | 10 billion | 0.0084 | One every 119.52 years. |
| 20 billion dollar example | | 20 billion | 0.0042 | One every 239.04 years. |

TSA also compares the potential levels of consequence to the estimated costs of the CRM rule under its cost sensitivity assumptions discussed above. For Freight Rail, the annualized cost of the rule discounted at 7 percent falls from $98.22 million in the primary proposal to $65.95 million in the sensitivity analysis. Freight Rail risk reduction is reduced by 33 percent in direct proportion to the 33 percent reduction in cost. Consequently, each of the contemplated $1 billion, $10 billion, and $20 billion consequence attacks needs to be prevented less frequently for the proposed rule’s costs and benefits to balance.

TABLE 24—FREIGHT RAIL SUMMARY OF SENSITIVITY CRM PROGRAM BREAK-EVEN RESULTS

| Break-even example | Annualized cost of CRM program, 7% discount rate (a) | Consequence, avoided losses (b) | Required risk reduction (c = a ÷ b) | Required frequency of averted cybersecurity incidents (d = b ÷ a) |
|---|---|---|---|---|
| 1 billion dollar example | $65.949 million | $1 billion | 0.0659 | One every 15.16 years. |
| 10 billion dollar example | | 10 billion | 0.0066 | One every 151.63 years. |
| 20 billion dollar example | | 20 billion | 0.0033 | One every 303.27 years. |

For the PTPR mode, the annualized cost of the proposed rule discounted at 7 percent falls from $125.74 million in the primary proposal to $78.06 million in the sensitivity analysis. PTPR risk reduction is reduced by 38 percent in direct proportion to the 38 percent reduction in cost. Consequently, each of the contemplated $1 billion, $2 billion, and $4 billion consequence attacks needs to be prevented less frequently for the proposed rule’s costs and benefits to balance.

TABLE 25—PTPR SUMMARY OF SENSITIVITY CRM PROGRAM BREAK-EVEN RESULTS

| Break-even example | Annualized cost of CRM program, 7% discount rate (a) | Consequence, avoided losses (b) | Required risk reduction (c = a ÷ b) | Required frequency of averted cybersecurity incidents (d = b ÷ a) |
|---|---|---|---|---|
| 1 billion dollar example | $78.063 million | $1 billion | 0.0781 | One every 12.81 years. |
| 10 billion dollar example | | 2 billion | 0.0390 | One every 25.62 years. |
| 20 billion dollar example | | 4 billion | 0.0195 | One every 51.24 years. |

And finally, for the pipeline mode, the annualized cost of the proposed rule discounted at 7 percent falls from $83.69 million in the primary proposal to $63.22 million in the sensitivity analysis. Pipeline risk reduction is reduced by 25 percent in direct proportion to the 25 percent reduction in cost. Consequently, each of the contemplated $2 billion, $10 billion, and $20 billion consequence attacks needs to be prevented less frequently for the proposed rule’s costs and benefits to balance.

TABLE 26—PIPELINE SUMMARY OF SENSITIVITY CRM PROGRAM BREAK-EVEN RESULTS

| Break-even example | Annualized cost of CRM program, 7% discount rate (a) | Consequence, avoided losses (b) | Required risk reduction (c = a ÷ b) | Required frequency of averted cybersecurity incidents (d = b ÷ a) |
|---|---|---|---|---|
| 2 billion dollar example | $63.222 million | $2 billion | 0.0316 | One every 31.63 years |
| 10 billion dollar example | | 10 billion | 0.0063 | One every 158.17 years |
| 20 billion dollar example | | 20 billion | 0.0032 | One every 316.35 years |

As devastating as the direct impacts of a successful cybersecurity incident can be in terms of the immediate loss of life and property, avoiding the impacts of the more difficult to measure indirect effects is also a substantial benefit of preventing a cybersecurity incident. For instance, should there be a cybersecurity incident impacting a public transit system, potential ripple impacts could include additional hardship on individuals who would then have to find alternate means of transportation. This use of alternate means of transportation would likely lead to increased traffic and commuting times on roadways, which has costs both in terms of additional gasoline and accrued wear and tear at the micro level but also compounded environmental effects at the macro level. A more detailed discussion of the break-even analysis and review of potential consequence with some illustrative examples can be found in Section 4.2 of the RIA. Although the break-even analysis considers each example separately, it is more likely that a combination of preventing all these scenarios and others would provide the benefits from these requirements. Cybersecurity incidents could carry considerable consequences in terms of equipment damages, disruption of services, and even loss of life. The impacts can reach billions of dollars depending on the scope of the incident; therefore, preventing even a small number of such potential incidents can justify the cost of the CRM program.239 However, considering the potentially high costs of future cybersecurity incidents, including the (unquantifiable but real) risk of high-cost or potentially catastrophic incidents, TSA believes that the benefits of the proposed rule are likely to justify its costs.

3. OMB A–4 Statement

The OMB A–4 Accounting Statement presents annualized costs and qualitative benefits of the proposed rule.
239 See break-even analysis section 4.3 in the RIA for details.

TABLE 27—OMB A–4 ACCOUNTING STATEMENT

| Category | Primary estimate | Low estimate | High estimate | Year dollar | Discount rate (%) | Period covered (years) | Notes |
|---|---|---|---|---|---|---|---|
| Benefits | | | | | | | |
| Annualized Monetized (millions/year) | N/A | N/A | N/A | N/A | 7 | N/A | Not Quantified. |
| | N/A | N/A | N/A | N/A | 3 | N/A | |
| Annualized Quantified | N/A | N/A | N/A | N/A | 7 | N/A | Not Quantified. |
| | N/A | N/A | N/A | N/A | 3 | N/A | |
| Qualitative | The requirements proposed in this rule, if finalized, could produce benefits by reducing cybersecurity risk and service interruptions of owner/operators in affected modes and help strengthen systems against cybersecurity incidents. Additionally, benefits would be produced by increasing the security of passengers, crew, and the general public. | | | | | | |
| Costs | | | | | | | |
| Annualized Monetized (millions/year) | $307.76 | N/A | N/A | 2022 | 7 | 10 Years | NPRM RIA |
| | 308.43 | N/A | N/A | 2022 | 3 | 10 Years | |
| Annualized Quantified | N/A | N/A | N/A | N/A | 7 | N/A | None. |
| | N/A | N/A | N/A | N/A | 3 | N/A | |
| Qualitative | Qualitative costs include those related to actual mitigation measures implemented and not otherwise covered as a result of the rule, as well as the cost incurred as a result of the COIP amendment process. Additional administrative costs may also be incurred during the implementation process beyond what TSA has estimated. | | | | | | |
| Transfers | | | | | | | |
| Federal Annualized Monetized (millions/year) | N/A | N/A | N/A | N/A | 7 | N/A | None. |
| | N/A | N/A | N/A | N/A | 3 | N/A | |
| From/To | From: N/A | To: N/A | | | | | |
| Other Annualized Monetized (millions/year) | N/A | N/A | N/A | N/A | 7 | N/A | None. |
| | N/A | N/A | N/A | N/A | 3 | N/A | |
| From/To | From: N/A | To: N/A | | | | | |
| Effects | | | | | | | |
| State, Local, and/or Tribal Government | State and Local governments are impacted by the requirements related to passenger rail and rail transit. These modes are primarily owned and operated by State and local governments. | | | | | | |
| Small Business | Prepared IRFA. | | | | | | NPRM IRFA. |
| Wages | None. | | | | | | |
| Growth | Not Measured. | | | | | | |

4. Alternatives Considered

In addition to the proposed rule, TSA also considered three alternative regulatory options to the primary alternative reviewed in the analysis. The first alternative is to implement a limited scope of requirements. The second alternative is to reduce the applicability of the rule across the industries being regulated. The third alternative is to add regulatory requirements that mandate vetting, including a terrorism/other analyses check and immigration check for all frontline workers in the pipeline industry, as well as a terrorism/other analyses check, immigration check, and a CHRC for all Cybersecurity Coordinators and accountable executives in all industries. Alternative 1 would limit the rule to the following requirements:

• Governance of the CRM program (proposed sections 1580.309, 1582.209, and 1586.209)
• Cybersecurity Coordinator (proposed sections 1580.311, 1582.211, and 1586.211)
• Identification of Critical Cybersecurity Systems (proposed sections 1580.313, 1582.213, and 1586.213)
• Reporting Cybersecurity Incidents (proposed sections 1580.325, 1582.225, and 1586.225)
• Cybersecurity Incident Response Plan (proposed sections 1580.327, 1582.227, and 1586.227).
These requirements identify responsible persons and organizations for an owner/operator’s CRM program, identify the cybersecurity systems, require the reporting of cybersecurity incidents to CISA, and require the submission of a CIRP. This alternative includes some of the provisions in TSA’s current SDs but does not require owner/operators to implement measures necessary to meet all the proposed security outcomes to protect against ransomware attacks and other known threats to IT and OT systems, nor to conduct a cybersecurity evaluation or have a robust assessment program. Any other security requirements or program implementation would be up to the owner/operator to establish and implement voluntarily for themselves. This alternative would still enable TSA to maintain oversight at a reactionary level, but it would reduce visibility into implementation of any preventative efforts. Alternative 2 would shrink the applicability of the requirements to the largest owner/operators in each of the regulated industries. This alternative would reduce the freight rail applicability to cover a population limited to only Class I rail lines as defined by the Surface Transportation Board, resulting in a scope of just six owner/operators. The PTPR applicability would cover a population limited to just owner/operators who host Class I freight railroads/Amtrak lines or those who have an average daily ridership of 100,000 passengers in any of the previous 3 years or at any time in the future. This covers a current population of 27 owner/operators, down from 34 in the preferred alternative, and would reduce the ridership protected to around 90 percent of daily ridership nationwide. For the regulated pipeline owner/operators, this alternative would change the applicability to the 98 critical owner/operators of hazardous liquid and natural gas pipelines and liquefied natural gas facilities.
Alternative 3 would introduce a requirement for accountable executives and Cybersecurity Coordinators, in all covered entities, to receive a Level 3 STA.240 Furthermore, this alternative would require all frontline workers (‘‘security-sensitive employees’’) in the pipeline industry to undergo a Level-2 STA, consistent with the proposed requirements for security-sensitive employees in the Security Vetting of Certain Transportation Workers Rulemaking.241 Table 28 shows a comparison of the cost of the alternatives considered.

240 Under the proposed rule, accountable executives and Cybersecurity Coordinators for all covered entities would not receive an STA.
241 See https://www.regulations.gov/docket/TSA2023-0001 (last accessed July 5, 2023).

TABLE 28—COMPARISON OF COSTS BETWEEN PROPOSED RULE AND ALTERNATIVES
[Discounted at 7%, thousands]

Regulatory action | Initial affected population (number of owner/operators) | Ten-year costs: Industry (a) | Ten-year costs: TSA (b) | Ten-year costs: Total (c = a + b) | Annualized costs: Industry (d) | Annualized costs: TSA (e) | Annualized costs: Total (f = d + e)
Proposed Rule | Freight Rail—73; PTPR—34; OTRB—71; Pipeline—115 | $2,147,313 | $14,241 | $2,161,554 | $305,729 | $2,028 | $307,757
Alternative 1 | Freight Rail—73; PTPR—34; OTRB—71; Pipeline—115 | 81,555 | 2,377 | 83,932 | 11,612 | 338 | 11,950
Alternative 2 | Freight Rail—6; PTPR—27; OTRB—0; Pipeline—98 | 1,419,861 | 10,264 | 1,430,125 | 202,156 | 1,461 | 203,618
Alternative 3 | Freight Rail—73; PTPR—34; OTRB—71; Pipeline—115 | 2,160,147 | 14,241 | 2,174,389 | 307,556 | 2,028 | 309,584

Although not the least costly option, TSA presents the proposed rule as its preferred option. Alternative 1 has a smaller up-front cost but is less proactive. Based on the recentness of the SDs, the extent to which some companies are already implementing adequate cybersecurity policies consistent with the guidelines described in this rulemaking, and internal TSA data from 2021/2022, the industry was failing to implement preventative measures on its own. As a result, limiting the scope of the requirements, as Alternative 1 does, produces an unacceptable level of risk for TSA. Reducing the scope would remove the requirement from some entities to meet specific cybersecurity performance measures to protect against cybersecurity incidents that could threaten the availability, integrity, and confidentiality of data on and traversing IT and OT systems, to conduct a cybersecurity evaluation, and to have an assessment plan. These proactive cybersecurity actions, evaluations, and assessments are considered best practices. Reducing the scope of the CRM in this fashion would increase the vulnerability of the covered operators to a host of cybersecurity incidents and impacts the CRM is designed to address. Alternative 2 also has a smaller cost. This alternative, however, might increase the risk to the surface transportation infrastructure as it does not cover many entities TSA considers important. The risk reduction gained by covering these entities is important given the role they and their industries play in the supply chain, the movement of people and goods, and their respective regional economies.

Short line and regional railroads provide interconnectedness among the nation’s rail customers and are a critical facet of the overall railroad industry. Leaving these railroads out of the applicability pool may result in critical terminal and switching services, in addition to the pickup and delivery portions of the railroad, being more vulnerable and susceptible to cybersecurity incidents. Due to the interconnectedness of the nation’s rail system, if the connecting railroads are immobilized, cross-country rail service provided by the Class I railroads and its ability to move cargo may also be impacted, thus having larger cascading effects. For PTPR, the criteria of the preferred alternative apply to the high consequence operators and cover most of the national daily rail ridership. Reducing the scope of the covered entities in Alternative 2 reduces the level of the commuting population protected by the proposed cybersecurity performance measures, and thus they remain exposed to a higher level of risk. If a cybersecurity incident affected one of these entities, the damages and consequences could have a cascading effect beyond just the target and into the local and regional communities. A reduction in covered pipeline operators could affect risk mitigation of potential operational disruption, which could have widespread impacts. For instance, a cybersecurity incident affecting a control room that operates multiple pipeline systems, or impacting multiple pipelines, could lead to a large cascading impact on pipeline delivery, which could disrupt the accessibility of needed product to the communities reliant on the pipeline product.
Alternative 3 is costlier than the proposed rule due to the additional requirements added. However, the primary benefit of this alternative is the potential to reduce insider threats from employees who may wish to do harm, which could be aggravated to the extent the employee has access to sensitive information and/or operations. Accountable executives and Cybersecurity Coordinators for all modes, and the frontline employees and Physical Security Coordinators for the pipeline industry, are not currently required to undergo a terrorism/other analyses check, immigration check, or a CHRC. Requiring these individuals to undergo a terrorism/other analyses check against government databases may enable TSA to identify individuals who may pose a security threat. Although Alternative 3 is not included in the primary analysis at this time, TSA seeks comments from affected stakeholders on how the vetting of Cybersecurity Coordinators, accountable executives, and/or pipeline employees would impact their operations and costs. TSA specifically seeks data on how many of an entity’s employees would be subject to the vetting requirements. Based on comments received, TSA may consider including appropriate vetting requirements in a final rule. TSA notes that it has already proposed the vetting of frontline workers for freight rail and PTPR, and of security coordinators for freight rail, PTPR, and OTRBs in a separate rulemaking.

5. Regulatory Flexibility Assessment

The RFA requires agencies to consider the impacts of their rules on small entities. TSA performed an IRFA to analyze the impact to small entities affected by the proposed rule. The following provides a summary of the full RIA, which is available in the docket for this rulemaking.
Under the RFA, the term ‘‘small entities’’ comprises small businesses, not-for-profit organizations that are independently owned, operated, and not dominant in their fields,242 as well as small governmental jurisdictions with populations of less than 50,000.243 TSA performed an IRFA of the impacts on small entities from this proposed rule in the first year of the analysis and found that it may affect an estimated 293 U.S. entities (73 corporate-level Class I, II, and III freight railroad owner/operators, 34 PTPR owner/operators, 71 OTRB owner/operators, and 115 pipeline owner/operators). TSA analyzed all the entities that would be affected by the proposed rule and found that 35 percent of them would be considered small. The proposed rule would require small freight rail, PTPR, and pipeline entities to (a) designate a Cybersecurity Coordinator, (b) report cybersecurity incidents to CISA, and (c) establish a CRM program, and would impose (d) familiarization, (e) compliance, and (f) recordkeeping costs. Additionally, pipeline owner/operators would have to designate a Physical Security Coordinator and report significant physical security concerns to TSA. OTRB entities would only have to report cybersecurity incidents to CISA. Regulated entities have different requirements under the proposed rule, depending on their industry. Freight rail, PTPR, and pipeline owner/operators would be required to designate a Cybersecurity Coordinator, report cybersecurity incidents, and have a CRM program approved by TSA, and would incur costs associated with familiarization, compliance, and recordkeeping requirements. Pipeline owner/operators have additional requirements to designate a Physical Security Coordinator and report significant physical security concerns to TSA. TSA is proposing that OTRB owner/operators must report cybersecurity incidents to CISA, as well as incur familiarization costs.
TSA estimates the proposed rule’s requirements to cost $486,792 per entity for freight rail owner/operators, $682 per entity for OTRB owner/operators, and $484,848 per entity for pipeline owner/operators in the highest cost year of the proposed rule. TSA did not calculate the cost per entity for PTPR entities in this IRFA as none of the PTPR owner/operators are considered small. Separately, TSA estimates the proposed rule requirements to cost $537 per employee for freight rail entities, and $659 per employee for pipeline owner/operators. The proposed rule has zero cost per employee for OTRB owner/operators, as the proposed requirements covering these entities (cybersecurity incident reporting) are not based on the number of employees and thus do not incur any associated per employee cost. TSA invites all interested parties to submit data and information regarding the potential economic impact on small entities that would result from the adoption of the requirements in the proposed rule. TSA estimated the overall impact on small entities due to the proposed rule by adding the number of small entities affected (with revenue data available) in each revenue impact range for each of the four subgroups: freight rail, PTPR, OTRB and pipeline industries. Across the combined 293 covered entities, TSA estimates that 79 (27 percent) are considered small. Of these small entities, TSA found employment and revenue data on 75 entities. The IRFA finds that 11 of the analyzed entities would have an impact greater than one percent of their annual revenue. Table 29 presents the likely distribution of impact for small owner/operators. 
TABLE 29—AVERAGE COST IMPACT ON SMALL ENTITIES AS A PERCENTAGE OF REVENUE

Revenue impact range | Freight rail (# of affected small entities) | Freight rail (% of affected small entities) | OTRB (# of affected small entities) | OTRB (% of affected small entities) | Pipeline (# of affected small entities) | Pipeline (% of affected small entities) | Total (# of affected small entities) | Total (% of affected small entities)
0% < Impact ≤ 1% | 6 | 35 | 55 | 100 | 7 | 100 | 68 | 86.1
1% < Impact ≤ 3% | 3 | 18 |  |  |  |  | 3 | 3.8
3% < Impact ≤ 5% | 4 | 24 |  |  |  |  | 4 | 5.1
5% < Impact ≤ 10% | 2 | 12 |  |  |  |  | 2 | 2.5
Above 10% | 2 | 12 |  |  |  |  | 2 | 2.5
Total | 17 | 100 | 55 | 100 | 7 | 100 | 79 | 100

242 The definition of a small business varies from industry to industry to properly reflect the relative differences in size between industries. An agency must either use the U.S. Small Business Administration (SBA) definition for a small business or establish an alternative definition for the industry. TSA has adopted the SBA small business size standards for each relevant industry.
243 Individuals and States are not considered ‘‘small entities’’ based on the definitions in the RFA (5 U.S.C. 601).

An Identification, to the Extent Practicable, of All Relevant Federal Rules Which May Duplicate, Overlap, or Conflict With the Proposed Rule

As noted by the ONCD in an August 2023 Request for Information, the National Cybersecurity Strategy calls for establishing cybersecurity regulations to secure critical infrastructure where existing measures are insufficient; harmonizing and streamlining new and existing regulations; and enabling regulated entities to afford to achieve security.244 TSA emphasizes its commitment to regulatory harmonization and streamlining, and notes that this proposed rule, which is grounded in NIST’s Framework for Improving Critical Infrastructure Cybersecurity, NIST’s standards and best practices, and the CISA CPGs, is consistent with such priorities. TSA also acknowledges the ongoing rulemakings of other DHS components, including ongoing rulemakings on cybersecurity in maritime transportation and implementation of CIRCIA. TSA notes potential differences in terminology and policy as compared to those rulemakings; although TSA views such differences as intentional and based on sector-specific distinctions, TSA welcomes comments on opportunities to harmonize and streamline regulations where feasible and appropriate. For pipeline owner/operators, TSA will coordinate activities under this part with the FERC, and the PHMSA of the DOT with respect to regulation of pipeline systems and facilities that are also licensed or regulated by the FERC or PHMSA, to avoid conflicting requirements and minimize redundancy of compliance activities. TSA is also aware that some pipeline owner/operators may also have other business lines in the energy sector that are subject to regulations issued by DOE, and FERC’s cybersecurity standards as issued by the NERC. TSA has committed to reducing the impact on these multi-sector companies by aligning the agency’s proposed requirements with the NIST CSF, which is also used by the DOE, FERC, and NERC.245 TSA is currently participating in a forum of regulatory agencies looking at opportunities for harmonization and reciprocity for cybersecurity requirements.

244 See Request for Information on Cyber Regulatory Harmonization; Request for Information: Opportunities for and Obstacles to Harmonizing Cybersecurity Regulations, 88 FR 55694 (Aug. 16, 2023).

In addition, CISA is required by CIRCIA 246 to issue a rule to implement a 72-hour covered cyber incident reporting requirement and 24-hour ransom payment reporting requirement for ransom payments made in connection with a ransomware attack. These requirements would be applicable to covered entities across critical infrastructure sectors, as further defined by CISA through rulemaking. Although this NPRM and CISA’s rulemaking could technically create two cyber incident reporting requirements for some entities, TSA does not believe that this is likely to result in any actual duplicative reporting because entities subject to the cybersecurity incident reporting requirements proposed in this NPRM would be required to make their reports to CISA. Currently, TSA has determined CIRCIA does not require TSA to modify its proposed reporting requirements. TSA will, however, reassess its proposed requirements as CISA’s rule is finalized to avoid any unnecessary conflicts or redundancies. TSA is committed to working with CISA to ensure that entities required to report to CISA under both CIRCIA and this proposed rule, if any, can do so in a single report where legally possible. If necessary to do so, CISA and TSA will explore leveraging an exemption in CIRCIA for covered entities that are required to report substantially similar information to another Federal agency within a substantially similar timeframe, where CISA and the Federal agency have an agreement and information sharing mechanism in place.
A Description of Any Significant Alternatives to the Proposed Rule That Accomplish the Stated Objectives of Applicable Statutes and May Minimize Any Significant Economic Impact of the Proposed Rule on Small Entities, Including Alternatives Considered

The first regulatory alternative TSA considered would limit the scope of requirements. This alternative would include provisions requiring the owner/operator to identify responsible persons and organizations for an owner/operator’s CRM program, identify the owner/operator’s cybersecurity systems, the reporting of cybersecurity incidents to CISA/TSA, and the submission of an incident response plan. Any other security requirements or program implementation would be up to the owner/operator to establish and implement voluntarily for themselves. This alternative would still enable TSA to maintain oversight in a more reactive posture, but it would eliminate visibility of any preventative efforts owner/operators are undertaking and would not ensure the necessary baseline of cybersecurity measures is being consistently implemented across these higher-risk operations. Unlike the proposed rule, Alternative 1 would have no per employee costs, as well as reduce the number of per entity costs. TSA did not evaluate the impact to small entities for PTPR and OTRB owner/operators under this alternative as none of the PTPR owner/operators identified by TSA are considered small under the SBA size standards and OTRB owner/operators would be excluded under the applicability of this alternative.

TABLE 30—TOTAL COST PER OWNER/OPERATOR, ALTERNATIVE 1

Requirement | Unit time (hours) (a) | Hourly wage rate (b) | Unit cost (c = b × a)
Freight Rail
Familiarization | 15 | $129.88 | $1,904
Cybersecurity Incident Reporting | 0.14 | 97.22 | 14
CRM program | 87 | 95.39 | 8,299
CIRP | 300 | 94.36 | 28,308
Cost per Entity |  |  | 38,524
Pipeline
Familiarization | 56 | 126.67 | 7,093
Cybersecurity Incident Reporting | 3 | 94.55 | 329
CRM program | 87 | 119.38 | 10,386
CIRP | 300 | 89.84 | 26,953
Cost per entity |  |  | 44,761

This alternative has lower estimated costs than the preferred alternative. TSA did not select it because it provides a reduced level of cybersecurity risk mitigation. TSA believes such mitigation is necessary given the key role these industries play in the supply chain, movement of people and goods, and the economy.
This alternative would not require the visibility or accountability aspects of NIST’s ‘‘detect’’ or ‘‘protect’’ elements that, when implemented as part of a cyber risk management program, would help prevent malicious actors from exploiting vulnerabilities as well as ensure the confidentiality, availability, and integrity of their critical systems. Not including protecting critical cyber systems and having capabilities to respond to a cybersecurity incident reduces the level of protection when compared to the preferred alternative. Furthermore, a cybersecurity incident on any entity covered by the proposed rule, regardless of size, could have cascading impacts on the nation’s economy. Dynamic and emerging cybersecurity threats to the nation’s rail and hazardous liquid and natural gas pipeline infrastructure require a more proactive approach toward reducing risk related to cybersecurity. In this case, TSA believes risk-based cybersecurity policy is the most effective means to mitigate the effects of potential cybersecurity incidents on critical infrastructure while minimizing costs to both industry and government.

245 See NERC CIP–003–8, Critical Infrastructure Protection Reliability Standards, Cyber Security—Security Management Controls, and CIP–008–6 (Cyber Security—Incident Reporting and Response Planning), available at https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-003-8.pdf and https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-008-6.pdfva (last accessed July 5, 2023).
246 Division Y of Public Law 117–103, 136 Stat. 49 (Mar. 15, 2022).
Exempting an entity solely based on its SBA-determined size would diminish the risk reduction this rulemaking is designed to achieve by failing to consider other criteria that may signal the critical value of the owner/operator to the transportation system. The second alternative that TSA considered would limit the applicability of the requirements to the largest and most critical owner/operators in each of the regulated industries. This alternative would limit applicability of requirements for freight railroads to Class I Railroads, as defined by the Surface Transportation Board. For PTPR, requirements would be limited to owner/operators that host Class I Freight Rail Lines or those with an average daily ridership of 100,000 passengers in at least one of the last 3 years or in any future year. For pipelines, only the 98 most critical owner/operators of hazardous liquid and natural gas pipelines and liquefied natural gas facilities would be subject to the requirements. Under this more limited applicability, Alternative 2 would cover six Class I freight rail owner/operators, 27 PTPR agencies, and 100 pipeline owner/operators in the tenth year of the proposed rule. OTRB owner/operators would be excluded under this alternative. While Alternative 2 has the same cost per entity as the preferred alternative, this alternative reduces the overall number of entities determined to be small. All freight rail owner/operators determined to be small under the proposed rule would be removed from applicability of the proposed rule under Alternative 2, as none of the Class I freight railroads are considered small. OTRB owner/operators would have the same requirements as the proposed rule; however, none of the small OTRB owner/operators have a cost impact greater than one percent of annual revenue under either the proposed rule or this alternative. The number of small pipeline owner/operators would decrease from 23 to 13.
From an RFA perspective, this alternative impacts fewer small entities than the proposed rule. However, TSA has determined this alternative produces an unacceptable level of risk given the key role these industries play in the supply chain, movement of people and goods, and the economy. There are owner/operators not covered under these criteria that play a critical role in contributing to the stability and security of the movement of people and goods. An incident to these owner/operators may still result in a ripple effect throughout the economy. TSA believes railroads that transport the largest volume of cargo, and freight railroads that serve as critical connections between Class I railroads or serve as vital links in the STRACNET, are critical to the transportation industry. A cybersecurity incident affecting any of these railroads, regardless of the size of the entity, would have the most significant impact on rail transportation, national security, and economic security. Similarly, pipeline systems and facilities that transport the largest volume of commodities, regardless of entity size, would lead to the potential for a sustained disruption in service should a successful cybersecurity incident affect their ability to support national security needs, including economic security. While TSA acknowledges that Alternative 2 would have reduced impacts on small entities, due to the quantitative (volume) and qualitative (strategic) applicability criteria in the proposed rule, TSA does not believe making applicability exceptions based on SBA size standards is justified. In addition, TSA performed a sensitivity analysis of three major cost drivers (access control costs, cybersecurity systems data backup costs, and cybersecurity training) to help understand and evaluate the practical impacts of the proposed rule versus the zero-baseline assumption used in the primary analysis.
The sensitivity analysis assumes 25 percent of freight rail and pipeline entities are already in full compliance with identified requirements, and 25 percent are in partial compliance. While the assumptions in the IRFA sensitivity analysis would not result in an increased economic impact on small PTPR entities (because no PTPR entities covered by the NPRM are small entities) or affect the cost estimates for OTRB entities (because OTRB doesn’t incur any of the costs modified in the sensitivity analysis and none have a cost impact greater than one percent of annual revenue), they would reduce cost impacts on small freight rail and pipeline entities and decrease the number that would incur a cost greater than one percent of annual revenues.247

6. International Trade Impact Assessment

The Trade Agreement Act of 1979 prohibits Federal agencies from establishing any standards or engaging in related activities that create unnecessary obstacles to the foreign commerce of the United States. The Trade Agreement Act does not consider legitimate domestic objectives, such as essential security, as unnecessary obstacles. The statute also requires that international standards be considered and, where appropriate, that they be the basis for U.S. standards. TSA has assessed the potential effect of this proposed rule and has determined this rulemaking would not have an adverse impact on international trade.

7. Unfunded Mandates Assessment

Title II of UMRA 248 establishes requirements for Federal agencies to assess the effects of their regulatory actions on State, Local, and Tribal governments as well as the private sector.
Under section 202, UMRA requires Federal agencies to prepare a written statement, including a cost-benefit analysis, for proposed and final rules with ‘‘Federal mandates’’ that may result in expenditures by State, Local, and Tribal governments in the aggregate or by the private sector of $100 million (adjusted for inflation) or more in any year. Before an agency promulgates a rule for which a written statement is required, section 205 249 of UMRA generally requires identification and consideration of a reasonable number of regulatory alternatives, and adopting the least costly, most cost-effective, or least burdensome alternative that achieves the objectives of the rule. The provisions of section 205 do not apply when they are inconsistent with applicable law. Moreover, section 205 allows an agency to adopt an alternative other than the least costly, most cost-effective, or least burdensome alternative if the final rule includes an explanation about why that alternative was not adopted. Before establishing any regulatory requirements that may significantly or uniquely affect small governments, including tribal governments, Federal agencies must develop under section 203 250 of UMRA a small government agency plan.

247 The primary IRFA analysis estimates 18 freight rail and 10 pipeline entities will have costs greater than one percent of annual revenue. In the IRFA sensitivity analysis, 13 freight rail and 8 pipeline entities will have costs greater than one percent of annual revenue.
248 See supra note 222, as codified at 2 U.S.C. 1532.
249 Id., as codified at 2 U.S.C. 1535.
The plan must provide for notifying potentially affected small governments; enabling officials of affected small governments to have meaningful and timely input in the development of regulatory proposals with significant federal intergovernmental mandates; and informing, educating, and advising small governments on compliance with the regulatory requirements. Section 4 of UMRA 251 includes several types of actions that are excluded from its requirements. Among these exclusions are regulations necessary for the national security. This rule is not subject to UMRA review because it is a regulation necessary for the national security of the United States. As noted in the National Cybersecurity Strategy, this rule is being promulgated because of national security concerns related to the protection of Critical Cyber Systems, the loss or disruption of which could have impacts on national security, including economic security.

250 Id., as codified at 2 U.S.C. 1533.
251 Id., as codified at 2 U.S.C. 1503.

B. Paperwork Reduction Act

The Paperwork Reduction Act of 1995 (PRA) 252 requires that DHS consider the impact of paperwork and other information collection burdens imposed on the public. Under the provisions of PRA section 3507(d), DHS must obtain approval from the OMB for each collection of information it conducts, sponsors, or requires through regulations. This proposed rule would call for a collection of information under the PRA. Accordingly, DHS has submitted to OMB the proposed rule and this analysis, including the sections relating to collections of information.253 As defined in 5 CFR 1320.3(c), ‘‘collection of information’’ includes reporting, recordkeeping, monitoring, posting, labeling, and other similar actions. This section provides the description of the information collection and of those who must collect the information as well as an estimate of the total annual time burden. We ask for public comment on the proposed collection of information to help us determine, among other things—
• How useful the information is;
• Whether the information can help us perform our functions better;
• How we can improve the quality, usefulness, and clarity of the information;
• Whether the information is readily available elsewhere;
• How accurate our estimate is of the burden of collection;
• How valid our methods are for determining the burden of collection; and
• How we can minimize the burden of collection.
Please see instructions under ‘‘Public Participation’’ for submission of comments on the information collection. As protection provided by the PRA, as amended, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. OMB has previously approved an information collection request (ICR) for Pipeline Critical Infrastructure List under OMB Control Number 1652–0050, Pipeline Security Incident Reporting under OMB Control No. 1652–0055, Pipeline Corporate Security Reviews under OMB Control No. 1652–0056, and Cybersecurity Measures for Surface Modes under OMB Control No. 1652–0074. This proposed collection consolidates and replaces all current ICR requirements for CRM of freight rail, passenger rail, and pipeline owner/operators under one OMB control number. Upon approval of the new ICR and publication of a final rule, TSA will amend, or as appropriate rescind, the current ICRs associated with TSA SDs currently in effect.

252 44 U.S.C. 3501 et seq.
253 See 5 CFR 1320.11(a).
Even though most of the information collections in the CRM NPRM are currently covered by approved ICRs, TSA is adding a few new requirements requiring information collection that were not previously included in TSA SDs or otherwise in approved ICRs. These new requirements for all rail (freight, passenger, and transit) and pipeline owner/operators subject to the ICR include: (1) submission of a cybersecurity training program to TSA for approval (reporting); (2) maintaining records of employee cybersecurity training (recordkeeping); and (3) maintaining records of the inclusion of supply chain security measures in the owner/operator’s COIP (recordkeeping). OTRB owner/operators are currently required to report significant security concerns and would also be required to report cybersecurity incidents. Finally, the CRM NPRM proposes to add a new requirement for pipeline owner/operators to: (1) designate a physical security coordinator and submit the contact information to TSA and (2) report significant physical security concerns to TSA. This additional requirement for pipelines would align with requirements applicable to the other owner/operators covered by the proposed rule. Upon finalization of the CRM rulemaking, TSA will use the information collection to establish compliance with the new regulatory requirements. By implementing these performance-based requirements, TSA would ensure that the 293 higher-risk entities have measures in place to address current cybersecurity risks with the flexibility necessary to address emerging threats and deploy evolving capabilities, and that CISA and TSA are receiving information on cybersecurity threats from all higher-risk surface owner/operators identified by TSA, including 71 OTRB entities not currently subject to the SDs. Accordingly, TSA has submitted all information requirements to OMB for its review.
Table 31 shows the information collections and corresponding burden hours for entities falling under the requirements of the proposed rule. The collections that have been implemented under the SD-related ICRs would continue or be updated under the proposed rule.254

254 Rail security and rail cybersecurity information collection requirements resulting from the SDs are covered under ICR 1652–0051 and 1652–0074. Pipeline security and cybersecurity information collection requirements from the SDs are covered under ICR 1652–0050, 1652–0055, and 1652–0056. For additional information, Table 1–2 in the RIA details the number of covered entities in the SD ICs and includes the Published Notice title as well as the effective date.

TABLE 31—PRA BURDEN HOURS

Columns: Collection | Time per response (hours) | Number of responses, Year 1 | Year 2 | Year 3 | 3-Year time burden (hours) | Average annual time burden (hours)

Cybersecurity Evaluation (CSE)
Freight Rail | 40 | 73 | 74 | 74 | 8,829 | 2,943
PTPR | 40 | 34 | 35 | 36 | 4,170 | 1,390
Pipelines | 120 | 115 | 115 | 115 | 41,400 | 13,800

Submit COIP
Freight Rail | 40 | 73 | 73 | 74 | 8,783 | 2,928
PTPR | 40 | 34 | 34 | 35 | 4,110 | 1,370
Pipelines | 40 | 115 | 115 | 115 | 13,800 | 4,600

Submit POAM
Freight Rail | 80 | 15 | 15 | 15 | 3,531 | 1,177
PTPR | 80 | 7 | 7 | 7 | 1,668 | 556
Pipelines | 80 | 23 | 23 | 23 | 5,520 | 1,840

Accountable Executive Information Submission
Freight Rail | 3 | 73 | 4 | 4 | 240 | 80
PTPR | 3 | 34 | 5 | 5 | 134 | 45
Pipelines | 3 | 115 | 16 | 16 | 439 | 146

Cybersecurity Coordinator Information Submission
Freight Rail | 2 | 146 | 7 | 7 | 320 | 107
PTPR | 2 | 68 | 10 | 11 | 178 | 59
Pipelines | 2 | 230 | 9 | 9 | 497 | 166

Supply Chain Management
Freight Rail | 10 | 73 | 74 | 74 | 2,207 | 736
PTPR | 10 | 34 | 35 | 36 | 1,043 | 348
Pipelines | 10 | 115 | 115 | 115 | 3,450 | 1,150

Physical Security Coordinator Information Submission
Pipelines | 0.50 | 261 | 36 | 36 | 166 | 55

Report Significant Physical Security Concerns to TSA
Pipelines | 0.05 | 2,908 | 2,908 | 2,908 | 436 | 145

Initial Cybersecurity Training Plan Development and Submission
Freight Rail | 80 | 73 | 1 | 1 | 5,931 | 1,977
PTPR | 80 | 34 | 1 | 1 | 2,841 | 947
Pipelines | 80 | 115 | (none) | (none) | 9,200 | 3,067

Cybersecurity Training Documentation Recordkeeping
Freight Rail | 0.02 | 134,504 | 135,064 | 135,626 | 6,753 | 2,251
PTPR | 0.02 | 344,632 | 348,472 | 352,356 | 17,424 | 5,808
Pipelines | 0.02 | 45,908 | 46,194 | 46,482 | 2,310 | 770

Report Cybersecurity Incidents to CISA
Freight Rail | 1 | 10 | 10 | 10 | 30 | 10
PTPR | 1 | 15 | 15 | 16 | 46 | 15
OTRB | 1 | 15 | 15 | 16 | 46 | 15
Pipelines | 1 | 400 | 400 | 400 | 1,200 | 400

Cybersecurity Incident Response Plan (CIRP)
Freight Rail | 80 | 73 | (none) | (none) | 5,840 | 1,947
PTPR | 80 | 34 | (none) | (none) | 2,720 | 907
Pipelines | 80 | 115 | (none) | (none) | 9,200 | 3,067

CIRP Annual Exercise Recordkeeping
Freight Rail | 120 | 73 | 74 | 74 | 26,485 | 8,828
PTPR | 120 | 34 | 35 | 36 | 12,510 | 4,170
Pipelines | 120 | 115 | 115 | 115 | 41,400 | 13,800

Cybersecurity Assessment Plan (CAP)
Freight Rail | 44 | 73 | 74 | 74 | 9,711 | 3,237
PTPR | 44 | 34 | 35 | 36 | 4,587 | 1,529
Pipelines | 44 | 115 | 115 | 115 | 15,180 | 5,060

CAP Annual Report of Scheduled Testing (30 percent of CAP tested annually)
Freight Rail | 30 | 73 | 74 | 74 | 6,621 | 2,207
PTPR | 30 | 34 | 35 | 36 | 3,128 | 1,043
Pipelines | 30 | 115 | 115 | 115 | 10,350 | 3,450

Recordkeeping
Freight Rail | 2 | 73 | 74 | 74 | 441 | 147
PTPR | 2 | 34 | 35 | 36 | 209 | 70
Pipelines | 2 | 115 | 115 | 115 | 690 | 230

Total Number of Responses: 1,606,559 (3-year) | 535,520 (average annual)
Total Time Burden (hours): 363,858 (3-year) | 121,286 (average annual)

C. Federalism (E.O. 13132)

A rule has implications for federalism under E.O. 13132 of August 4, 1999 (Federalism) 255 if it has substantial direct effects on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among the various levels of government. TSA has analyzed this proposed rule under Executive Order 13132 and determined that it does not have implications for federalism. TSA welcomes public comments on Executive Order 13132 federalism implications.

D. Energy Impact Analysis (E.O. 13211)

DHS analyzed this proposed rule under E.O. 13211 of May 18, 2001 (Actions Concerning Regulations That Significantly Affect Energy Supply, Distribution, or Use),256 and determined that it is not a ‘‘significant energy action’’ under that E.O. and is not likely to have a significant adverse effect on the supply, distribution, or use of energy. Therefore, this rulemaking does not require a Statement of Energy Effects.

E. Environmental Analysis

DHS reviews proposed actions to determine whether the National Environmental Policy Act (NEPA) applies to them and, if so, what degree of analysis is required. DHS Management Directive 023–01 Rev. 01 and Instruction Manual 023–01–001–01 Rev. 01 establish the procedures that DHS and its components use to comply with NEPA and the Council on Environmental Quality (CEQ)’s regulations for implementing NEPA.257 The CEQ regulations allow Federal agencies to establish, with CEQ review and concurrence, categories of actions (‘‘categorical exclusions’’) which experience has shown do not individually or cumulatively have a significant effect on the human environment and, therefore, do not require preparation of an Environmental Assessment or Environmental Impact Statement.258 The DHS categorical exclusions are listed in Appendix A of the Instruction Manual. Under DHS NEPA implementing procedures, for an action to be categorically excluded, it must satisfy each of the following three conditions: (1) the entire action clearly fits within one or more of the categorical exclusions; (2) the action is not a piece of a larger action; and (3) no extraordinary circumstances exist that create the potential for a significant environmental effect.

As previously discussed, this proposed rule would promote TSA’s surface transportation security mission by establishing performance-based requirements to ensure higher-risk owner/operators have measures in place to address cybersecurity risks with the flexibility necessary to address emerging threats and deploy evolving capabilities. Specifically, this proposed rule would establish minimum cybersecurity requirements in TSA regulations such as account security measures, device security measures, governance and training, risk management, supply chain management, resilience, network segmentation, reporting, and physical security. TSA has determined that this proposed rule clearly fits within categorical exclusion A3 in Appendix A of the Instruction Manual. Categorical exclusion A3 applies to promulgation of rules, issuance of rulings or interpretations, and the development and publication of policies, orders, directives, notices, procedures, manuals, advisory circulars, and other guidance documents of the following nature: (a) those of a strictly administrative or procedural nature; (b) those that implement, without substantive change, statutory or regulatory requirements; (c) those that implement, without substantive change, procedures, manuals, and other guidance documents; (d) those that interpret or amend an existing regulation without changing its environmental effect; (e) technical guidance on safety and security matters; or (f) guidance for the preparation of security plans. The requirements proposed in this rule are administrative in nature, providing technical guidance and instruction on safety and security matters and the preparation of security plans. TSA has further determined that the changes proposed in this rule would not result in any significant impact on the environment and, therefore, would not result in any ‘‘change in environmental effect.’’ TSA further finds no extraordinary circumstances associated with this proposed rule that may give rise to significant environmental effects necessitating further documentation and analysis. This rule specifically addresses surface transportation cybersecurity as a standalone rule and is not part of a larger action. Accordingly, this action is categorically excluded, and no further NEPA analysis or documentation is required. We seek any comments or information that may lead to the discovery of a significant environmental impact from this proposed rule.

F. Tribal Consultation (E.O. 13175)

DHS analyzed this proposed rule under E.O. 13175 of November 6, 2000 (Consultation and Coordination with Indian Tribal Governments),259 and determined that this rulemaking does not have tribal implications. For example, TSA determined that the applicability of requirements in proposed 49 CFR 1582.225 would not affect any public transportation systems owned or controlled by an Indian tribe, as defined in 25 U.S.C. 479a. Based on this determination, TSA has not specifically consulted with Indian tribal officials. Should TSA make a future determination that there is a risk to tribal owned/operated systems supporting the need for security enhancements, TSA will follow relevant consultation requirements before imposing any regulatory requirements.

255 Published at 64 FR 43255 (Aug. 10, 1999).
256 Published at 66 FR 28355 (May 22, 2001).
257 See 40 CFR parts 1500 through 1508.
258 See 40 CFR 1501.4, 1507.3(e)(2)(ii).
259 Published at 65 FR 67249 (Nov. 9, 2000).

List of Subjects

49 CFR Part 1500
Air carriers, Air transportation, Aircraft, Airports, Buses, Hazardous materials transportation, Law enforcement officers, Maritime carriers, Natural gas, Pipeline safety, Pipelines, Railroad safety, Railroads, Reporting and recordkeeping requirements, Security measures, Transportation facility, Vessels.

49 CFR Part 1503
Administrative practice and procedure, Investigations, Law enforcement, Penalties.

49 CFR Part 1520
Air carriers, Air transportation, Aircraft, Airports, Buses, Law enforcement officer, Maritime carriers, Railroad safety, Railroads, Reporting and recordkeeping requirements, Security measures, Transportation facility, Vessels.

49 CFR Part 1570
Buses, Crime, Fraud, Hazardous materials transportation, Motor carriers, Railroads, Reporting and recordkeeping requirements, Security measures.

49 CFR Part 1580
Hazardous materials transportation, Railroad safety, Railroads, Reporting and recordkeeping requirements, Security measures.

49 CFR Part 1582
Mass transportation, Railroad safety, Railroads, Reporting and recordkeeping requirements, Security measures.

49 CFR Part 1584
Buses, Mass transportation, Reporting and recordkeeping requirements, Security measures.

49 CFR Part 1586
Gas, Hazardous materials transportation, Natural gas, Pipelines, Pipeline safety, Reporting and recordkeeping requirements, Security measures.

The Proposed Amendments

For the reasons set forth in the preamble, the Transportation Security Administration is proposing to amend 49 CFR parts 1500, 1503, 1520, 1570, 1580, 1582, 1584, and 1586 to read as follows:

PART 1500—APPLICABILITY, TERMS, AND ABBREVIATIONS

■ 1. Revise the authority citation for part 1500 to read as follows:
Authority: 49 U.S.C. 114, 5103, 40113, 44901–44907, 44912–44914, 44916–44918, 44935–44936, 44942, 46105; Pub. L. 110–53, 121 Stat. 266.

■ 2. Amend § 1500.3 by:
■ a. Adding the definitions of ‘‘Carbon dioxide’’, ‘‘Gas’’, ‘‘Hazardous liquid’’, ‘‘Liquefied natural gas (LNG)’’, ‘‘Pipeline or pipeline system’’, ‘‘Pipeline facility’’, and ‘‘TSA Cybersecurity Lexicon’’ in alphabetical order; and
■ b. Revising the definitions of ‘‘Transportation or transport’’, ‘‘Transportation facility’’, and ‘‘Transportation security equipment and systems’’.
The additions and revisions read as follows:

§ 1500.3 Terms and abbreviations used in this chapter.
* * * * *
Carbon dioxide means a fluid consisting of more than 90 percent carbon dioxide molecules compressed to a supercritical state.
* * * * *
Gas means natural gas, flammable gas, or gas which is toxic or corrosive.
* * * * *
Hazardous liquid means petroleum, petroleum products, anhydrous ammonia, and ethanol or other non-petroleum fuel, including biofuel, which is flammable, toxic, or would be harmful to the environment if released in significant quantities.
* * * * *
Liquefied natural gas (LNG) means natural gas or synthetic gas having methane (CH4) as its major constituent that has been changed to a liquid.
* * * * *
Pipeline or pipeline system means all parts of those physical facilities through which gas, hazardous liquid, carbon dioxide, or liquefied natural gas moves in transportation including, but not limited to, pipe, line pipe, valves, and other appurtenances attached to pipe and line pipe, compressor units, metering stations, pumping units, regulator stations, delivery stations, holders, fabricated assemblies, and breakout tanks as those terms are defined in 49 CFR parts 192, 193, and 195.
Pipeline facility means new or existing piping, pipes, pipelines, rights-of-way, and any equipment, facility, or building used in the treatment or transportation of gas, hazardous liquid, carbon dioxide, or liquefied natural gas, as those terms are defined in 49 CFR parts 192, 193, and 195.
* * * * *
Transportation or transport means (1) the movement of property including loading, unloading, and storage; (2) the movement of people, boarding, and disembarking incident to that movement; and (3) the gathering, transmission, or distribution of gas or hazardous liquids by pipeline.
Transportation facility means a location at which transportation cargo, equipment or infrastructure assets are stored, equipment is transferred between conveyances and/or modes of transportation, transportation command and control operations are performed, or maintenance operations are performed. The term also includes, but is not limited to, passenger stations and terminals (including any fixed facility at which passengers are picked up or discharged), vehicle storage buildings or yards, crew management centers, dispatching centers, fueling centers, telecommunication centers, and facilities used for the gathering, transmission, or distribution of gas or hazardous liquids by pipeline or the storage of gas or hazardous liquids.
Transportation security equipment and systems means items, both integrated into a system and standalone, used by owner/operators to enhance capabilities to detect, deter, prevent, or respond to a threat or incident, including, but not limited to, video surveillance, explosives detection, radiological detection, intrusion detection, Information Technology and Operational Technology authentication, network logging, motion detection, and security screening. This includes security equipment and systems for the protection and monitoring of both physical and logical/virtual assets.
* * * * *
TSA Cybersecurity Lexicon means a list of terms and their meanings applicable to cybersecurity requirements imposed by this chapter and available in a form and manner determined by TSA. TSA may update and revise the lexicon following the procedures in this chapter for amendments to security programs.
* * * * *

PART 1503—INVESTIGATIVE AND ENFORCEMENT PROCEDURES

■ 3. Revise the authority citation for part 1503 to read as follows:
Authority: 6 U.S.C. 1142; 18 U.S.C. 6002; 28 U.S.C. 2461 (note); 49 U.S.C. 114, 20109, 31105, 40113–40114, 40119, 44901–44907, 46101–46107, 46109–46110, 46301, 46305, 46311, 46313–46314; Pub. L. 104–134, 110 Stat. 1321, as amended by Pub. L. 114–74, 129 Stat. 584; Pub. L. 110–53, 121 Stat. 266.

PART 1520—PROTECTION OF SENSITIVE SECURITY INFORMATION

■ 4. Revise the authority citation for part 1520 to read as follows:
Authority: 46 U.S.C. 70102–70106, 70117; 49 U.S.C. 114, 40113, 44901–44907, 44912–44914, 44916–44918, 44935–44936, 44942, 46105; Pub. L. 110–53, 121 Stat. 266.

■ 5. Amend § 1520.5 by revising paragraphs (b)(2)(i), (b)(3)(i), (b)(4)(i) and (ii), (b)(6)(ii), introductory text of (b)(12), (b)(13), and (b)(14) to read as follows:

§ 1520.5 Sensitive Security Information.
* * * * *
(b) * * *
(2) * * *
(i) Issued by TSA under 49 CFR 1542.303, 1544.305, 1548.19, 1570.201, or other authority;
* * * * *
(3) * * *
(i) Information circular issued by TSA under 49 CFR 1542.303, 1544.305, 1548.19, 1570.201, or other authority; and
* * * * *
(4) * * *
(i) Any device used by the Federal Government or any other person pursuant to any aviation, maritime, or surface transportation security requirements of Federal law for the detection of any person, and any weapon, explosive, incendiary, or destructive device, item, or substance; and
(ii) Any communications equipment used by the Federal government or any other person in carrying out or complying with any aviation, maritime, or surface transportation security requirements of Federal law.
* * * * *
(6) * * *
(ii) In the case of inspections or investigations performed by TSA, this includes the following information as to events that occurred within 12 months of the date of release of the information: the name of the airport or other transportation facility (including remote systems) where a violation occurred, the airport or other transportation facility identifier in the case number, a description of the violation, the regulation allegedly violated, and the identity of any operator in connection with specific locations or specific security procedures. Such information will be released after the relevant 12-month period, except that TSA will not release the specific gate or other location on an airport or other transportation facility where an event occurred, regardless of the amount of time that has passed since its occurrence. During the period within 12 months of the date of release of the information, TSA may release summaries of an operator’s, but not an airport operator’s, total security violations in a specified time range without identifying specific violations or locations. Summaries may include total enforcement actions, total proposed civil penalty amounts, number of cases opened, number of cases referred to TSA or FAA counsel for legal enforcement action, and number of cases closed.
* * * * *
(12) Critical transportation infrastructure asset information. Any list identifying systems or assets, whether physical or logical/virtual, so vital to the aviation, maritime, or surface transportation that the incapacity or destruction of such assets would have a debilitating impact on transportation security, if the list is—
* * * * *
(13) Systems security information. Any information involving the security of operational or administrative data systems operated by the Federal government that have been identified by the DOT or DHS as critical to aviation, maritime, or surface transportation safety or security, including automated information security procedures and systems, security inspections, and vulnerability information concerning those systems.
(14) Confidential business information. (i) Solicited or unsolicited proposals received by DHS or DOT, and negotiations arising therefrom, to perform work pursuant to a grant, contract, cooperative agreement, or other transaction, but only to the extent that the subject matter of the proposal relates to aviation, maritime, or surface transportation security measures; (ii) Trade secret information, including information required or requested by regulation or SD, obtained by DHS or DOT in carrying out aviation, maritime, or surface transportation security responsibilities; and (iii) Commercial or financial information, including information required or requested by regulation or SD, obtained by DHS or DOT in carrying out aviation, maritime, or surface transportation security responsibilities, but only if the source of the information does not customarily disclose it to the public.
* * * * *
■ 6.
Amend § 1520.7 by revising paragraph (i) to read as follows:

§ 1520.7 Covered persons.
* * * * *
(i) Each person conducting research and development activities that relate to aviation, maritime, or surface transportation security and are approved, accepted, funded, recommended, or directed by DHS or DOT.
* * * * *

PART 1570—GENERAL RULES

■ 7. Revise the authority citation for part 1570 to read as follows:
Authority: 18 U.S.C. 842, 845; 46 U.S.C. 70105; 49 U.S.C. 114, 5103a, 40113, and 46105; Pub. L. 108–90, 117 Stat. 1156, as amended by Pub. L. 110–329, 122 Stat. 3689; Pub. L. 110–53, 121 Stat. 266.

Subpart A—General

■ 8. Revise § 1570.1 to read as follows:

§ 1570.1 Scope.
(a) Applicability. This part applies to any person involved in maritime or surface transportation as specified in this subchapter.
(b) Delegation of authority. (1) Where the Administrator is named in this subchapter as exercising authority over a function, the authority is exercised by the Administrator or the Deputy Administrator, or any individual formally designated to act as the Administrator or the Deputy Administrator. (2) Where TSA or the designated official is named in this subchapter as exercising authority over a function, the authority is exercised by the official designated by the Administrator to perform that function.

■ 9. Amend § 1570.3 by adding the definitions ‘‘Accountable executive’’, ‘‘Cybersecurity’’, ‘‘Cybersecurity-sensitive employee’’, and ‘‘Physical security’’ in alphabetical order to read as follows:

§ 1570.3 Terms used in this subchapter.
* * * * *
Accountable executive means an individual identified by an owner/operator who has responsibility and accountability for the owner/operator’s compliance with the requirements of this subchapter, including authority over human resource issues, major financial issues, conduct of the owner/operator’s affairs, all operations conducted related to the requirements of this subchapter, and responsibility for all transportation-related security issues.
* * * * *
Cybersecurity means measures to prevent damage to, protect, and restore Information Technology and Operational Technology systems as defined in the TSA Cybersecurity Lexicon, including protection of data to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. Cybersecurity and physical security are not mutually exclusive concepts.
Cybersecurity-sensitive employee means any employee who is a privileged user with access to, or privileges to access, a Critical Cyber System or any Information or Operational Technology system that is interdependent with a Critical Cyber System as defined in the TSA Cybersecurity Lexicon.
* * * * *
Physical security means measures to (1) protect the safety and security of persons and property from the consequences of a disruption of operations; (2) prevent damage to, protect, and restore physical assets and operations; and (3) control and prevent unauthorized access to, or disruption of, physical and virtual assets and operations. Physical security encompasses the security of systems and facilities, as well as the persons in areas in or near to operations that could have their safety and security threatened by an attack on physical systems and assets. Cybersecurity and physical security are not mutually exclusive concepts.
* * * * *
■ 10.
Amend § 1570.7 by adding paragraph (a)(4) to read as follows:

§ 1570.7 Security responsibilities of employees and other persons.
(a) * * *
(4) Access information or operational technology systems without complying with the security measures required under this subchapter to control access to or modification of such systems.
* * * * *

■ 11. Revise subpart B of part 1570 to read as follows:

Subpart B—Security Programs

Sec.
1570.101 Scope.
1570.103 Content.
1570.105 Responsibility for determinations.
1570.107 Approval and amendments.
1570.109 Alternate means of compliance for seasonal or infrequent operations.
1570.111 Extensions of time.
1570.113 [Reserved]
1570.115 Withdrawal of approval of a security program.
1570.117 Recordkeeping and availability.
1570.119 Exhaustion of administrative remedies.
1570.121 Severability.

§ 1570.101 Scope.
The requirements of this subpart address general security program requirements applicable to each owner/operator required to have a security program under parts 1580, 1582, 1584, and 1586 of this subchapter.

§ 1570.103 Content.
(a) Security program. Except as otherwise approved by TSA, each owner/operator required to have a security program under parts 1580, 1582, 1584, or 1586 of this subchapter must include in its security program detailed information describing how it addresses each of the requirements identified in the applicable part.
(b) Index. The owner/operator required to have a security program under parts 1580, 1582, 1584, or 1586 of this subchapter must ensure the required security program includes an index organized in the same subject area sequence as the requirements in the applicable part or subpart.
(c) Use of appendices. (1) The owner/operator may comply with the requirement in paragraph (a) of this section by including in its security program any document that contains the information required by the applicable security program required by parts 1580, 1582, 1584, or 1586 of this subchapter, including previously developed plans, policies, and/or procedures that support compliance with these requirements. (2) These documents may be provided as either an appendix to the security program or as a list of documents, including specific applicable sections, that contain the required information. The owner/operator must include an index of the records and their location organized in the same sequence as the requirements in the applicable parts. (3) The appendix or documents listed in it must be explicitly incorporated by reference and become part of the corresponding section(s) of the security program.

§ 1570.105 Responsibility for determinations.
(a) Higher-risk operations. Owner/operators of freight railroads, public transportation systems, passenger railroads, over-the-road buses (OTRB), and pipeline systems and facilities are required to determine if the applicability criteria identified for security programs or other requirements identified in parts 1580, 1582, 1584, or 1586 of this subchapter apply to their operations. Unless otherwise notified in writing by TSA, owner/operators must notify TSA of applicability before [DATE 30 DAYS AFTER EFFECTIVE DATE OF FINAL RULE].
(b) New or modified operations. If an owner/operator commences new operations or modifies existing operations after [DATE 30 DAYS AFTER EFFECTIVE DATE OF FINAL RULE], that owner/operator is responsible for determining whether the new or modified operations would meet the applicability criteria in parts 1580, 1582, 1584, or 1586 of this subchapter and must notify TSA no later than the later of [DATE 60 DAYS AFTER EFFECTIVE DATE OF FINAL RULE] or 60 calendar days before commencing operations or implementing modifications that would result in meeting the applicability criteria.
(c) Continued applicability. Once an owner/operator becomes subject to the requirements in parts 1580, 1582, 1584, or 1586 of this subchapter, the requirements continue to apply unless otherwise exempted under the procedures in paragraph (d) of this section.
(d) Permanent changes in operations. If an owner/operator changes operations to the extent that any of the applicability criteria for requirements in parts 1580, 1582, 1584, or 1586 of this subchapter no longer apply, the owner/operator is responsible for notifying TSA of the change. Notification must be provided in writing and include documentation that operations no longer meet the criteria for applicability. TSA may require additional documentation to support the owner/operator’s assertions. If TSA confirms the change in operations, TSA will provide a written, operation- and requirement-specific exemption to the owner/operator. If the operations change in the future, the owner/operator must comply with the procedures in paragraph (b) of this section for new or modified operations.

§ 1570.107 Approval and amendments.
(a) Initial approval of security program. Unless otherwise authorized by TSA, each owner/operator required
216 / Thursday, November 7, 2024 / Proposed Rules to have a security program under this subchapter must submit its proposed security program to TSA for approval no later than the deadline specified in the applicable requirements. The proposed security program must meet the requirements applicable to its operation, as required by this subchapter. The following procedures apply to security program approvals: (1) TSA approval. Within 60 days of receiving the owner/operator’s proposed security program required by parts 1580, 1582, 1584, or 1586 of this subchapter, the designated official will either approve the program or give the owner/ operator written notice to modify the program to comply with the applicable requirements of this subchapter. TSA may request additional information, and the owner/operator must provide the information within the time period TSA prescribes. The 60-day period for TSA approval will begin when the owner/ operator provides the additional information. After all required information is received, TSA will notify the owner/operator if it needs an extension of time to approve the program or provide the owner/operator with written notice to modify the program to comply with the applicable requirements of this subchapter. (2) Notice to modify. (i) If TSA provides the owner/operator with written notice to modify the security program to comply with the applicable requirements of this subchapter, the owner/operator must provide a modified security program to TSA for approval within the timeframe specified by TSA. (ii) The owner/operator may either submit a modified security program to the designated official for approval, or petition for reconsideration under paragraph (f) of this section within 30 days of receiving a notice to modify. (b) Amendment requested by an owner/operator. 
Once a security program (including any appendices, policies, procedures, or measures incorporated by reference) required by parts 1580, 1582, 1584, or 1586 is approved by TSA, the owner/operator must request an amendment for any permanent (intended to be in effect for 60 or more calendar days), substantive changes to its security program. Except as provided in paragraph (c), an owner/operator requesting approval to amend its security program must request an amendment in advance of implementing the proposed change using the following procedures:

(1) The request for an amendment must be filed with the designated official at least 45 days before the date it proposes for the amendment to become effective unless a shorter period is allowed by the designated official.

(2) Within 30 days after receiving a proposed amendment, the designated official, in writing, either approves or denies the request to amend.

(3) TSA may approve an amendment to a security program if the designated official determines that the interest of the public and transportation security will allow it, and the proposed amendment provides the level of security required under this subchapter. In considering the request for alternative measures, TSA will review all relevant factors including—

(i) The risks associated with the type of operation, for example, whether the owner/operator transports hazardous materials or passengers within a high threat urban area, whether the owner/operator transports passengers and the volume of passengers transported, or whether the owner/operator hosts a passenger operation.

(ii) Any relevant threat information.

(iii) Other circumstances concerning potential risk to the public and transportation security.

(4) No later than 30 calendar days after receiving a denial, the owner/operator may petition for reconsideration under paragraph (e) of this section.
(5) Owner/operators may submit a group proposal for an amendment that is on behalf of it and other owner/operators that co-sign the proposal. The joint proposal may only be submitted by owner/operators subject to the applicable requirements.

(c) Administrative, clerical, and temporary changes to policies, procedures, or measures in a TSA-approved Security Program. (1) Administrative or clerical changes. (i) An owner/operator is not required to notify TSA of administrative or technical changes to its TSA-approved security program. This exception is limited to changes that do not affect policies, procedures, or measures in the owner/operator’s TSA-approved security program.

(ii) Owner/operators must keep a chronological record of administrative or clerical changes that indicates the relevant portion of the security program that is being changed and when the change occurred. This information must be maintained for a duration that includes, at a minimum, any changes made during the period of one year before the date of the most recently approved security program.

(2) Temporary changes affecting security matters. (i) The owner/operator must notify TSA in writing no more than 24 hours after any temporary, substantive change to its TSA-approved security program. For purposes of this requirement, a temporary, substantive change is any change that affects policies, procedures, or measures in the owner/operator’s TSA-approved security program, that is not intended to be in effect for 60 or more calendar days.

(ii) Within seven calendar days of the notification in paragraph (c)(2)(i), the owner/operator must inform TSA, in writing, of each interim policy, procedure, or measure being used to maintain adequate security while the temporary, substantive change is in effect.
The owner/operator must include in its written notification a description of how the interim policy, procedure, or measure provides the same level of security as the previously approved policy, procedure, or measure. TSA will notify the owner/operator in writing if TSA does not concur that the interim measures provide a commensurate level of security. TSA may request additional information to make its determination.

(iii) If the duration of the temporary, substantive change exceeds or is expected to exceed 60 or more calendar days, the owner/operator must seek an amendment to the security program as required by paragraph (b). The request for an amendment must be submitted no more than 65 days after the temporary, substantive change initially took effect.

(d) Amendment by TSA. In the interest of the public and transportation security, TSA may amend a security program using the following procedures:

(1) The designated official will notify the owner/operator, in writing, of the proposed amendment, fixing a period of not less than 30 calendar days within which the owner/operator may submit written information, views, and arguments on the amendment.

(2) After considering all relevant material, the designated official will notify the owner/operator of any amendment adopted or rescind the notice of amendment. If the amendment is adopted, it becomes effective not less than 30 calendar days after the owner/operator receives the notice of amendment, unless the owner/operator submits a petition for reconsideration under paragraph (f) of this section no later than 15 calendar days before the effective date of the amendment. A timely petition for reconsideration stays the effective date of the amendment.

(e) Emergency amendments.
If the designated official finds that there is an emergency requiring immediate action to protect transportation security that makes procedures in this section contrary to the public interest, the designated official may issue an amendment, without the prior notice and comment procedures in paragraph (c) of this section, effective without stay on the date the owner/operator receives notice of it. In such a case, the designated official will incorporate in the notice a brief statement of the reasons and findings for the amendment to be adopted. The owner/operator may file a petition for reconsideration under paragraph (e) of this section within 15 calendar days of the effective date of the emergency amendment; however, this filing does not stay the effective date of the emergency amendment.

(f) Petitions for reconsideration. (1) Process for filing. If an owner/operator seeks to petition for reconsideration of a determination, required modification, denial of a request for an amendment by the owner/operator, denial to rescind a TSA-required amendment, denial of an alternative measure, or issuance of a security directive, the owner/operator must submit the petition, together with any pertinent information, to the Administrator for reconsideration. The petition for reconsideration must be submitted within the timeframe given in the applicable section and include a statement and any supporting documentation explaining why the owner/operator believes TSA’s decision or action is incorrect. TSA review of a petition for reconsideration will begin when the owner/operator provides all required information.

(2) TSA review. Upon review of the petition for reconsideration, the Administrator or designee will dispose of the petition for reconsideration by affirming, modifying, or rescinding its previous decision.

(3) Final agency action.
The disposition of a petition for reconsideration by the Administrator is considered a final agency action.

§ 1570.109 Alternate means of compliance for seasonal or infrequent operations.

If in TSA’s judgment, the overall safety and security of operations for which a security program is required under this subchapter are not diminished, then TSA may approve a security program that provides for the use of alternate measures. Such a program may be considered only for an owner/operator at which operations that meet the criteria for applicability in parts 1580, 1582, 1584, or 1586 of this subchapter are determined by TSA to be seasonal or infrequent.

§ 1570.111 Extensions of time.

TSA may grant an extension of time for implementing a security program required by this subchapter upon a showing of good cause. The owner/operator must request the extension of time in writing, and TSA must receive the request within a reasonable time before the due date to be extended; an owner/operator may request an extension after the expiration of a due date by sending a written request describing why the failure to meet the due date was excusable. TSA will respond to the request in writing.

§ 1570.113 [Reserved]

§ 1570.115 Withdrawal of approval of a security program.

(a) Applicability. This section applies to holders of a security program approved or accepted by TSA under 49 CFR chapter XII, subchapter D.

(b) Withdrawal of security program approval. TSA may withdraw the approval of a security program, if TSA determines continued operation is contrary to security and the public interest, as follows:

(1) Notice of proposed withdrawal of approval. TSA will serve a Notice of Proposed Withdrawal of Approval, which notifies the holder of the security program, in writing, of the facts, charges, and applicable law, regulation, or order that form the basis of the determination.
(2) Security program holder’s reply. The holder of the security program may respond to the Notice of Proposed Withdrawal of Approval no later than 15 calendar days after receipt of the withdrawal by providing the designated official, in writing, with any material facts, arguments, applicable law, and regulation.

(3) TSA review. The designated official will consider all information available, including any relevant material or information submitted by the holder of the security program, before either issuing a Withdrawal of Approval of the security program or rescinding the Notice of Proposed Withdrawal of Approval. If TSA issues a Withdrawal of Approval, it becomes effective upon receipt by the holder of the security program, or 15 calendar days after service, whichever occurs first.

(4) Petition for reconsideration. The holder of the security program may petition TSA to reconsider its Withdrawal of Approval by serving a petition for consideration no later than 15 calendar days after the holder of the security program receives the Withdrawal of Approval. The holder of the security program must serve the Petition for Reconsideration on the designated official. Submission of a Petition for Reconsideration will not stay the Withdrawal of Approval. The holder of the security program may request the designated official to stay the Withdrawal of Approval pending review of and decision on the Petition.

(5) Administrator’s review. The designated official transmits the Petition together with all pertinent information to the Administrator for reconsideration. The Administrator will dispose of the Petition within 15 calendar days of receipt by either directing the designated official to rescind the Withdrawal of Approval or by affirming the Withdrawal of Approval. The decision of the Administrator constitutes a final agency order subject to judicial review in accordance with 49 U.S.C. 46110.

(6) Emergency withdrawal.
If TSA finds that there is an emergency with respect to transportation security requiring immediate action that makes the procedures in this section contrary to the public interest, the designated official may issue an Emergency Withdrawal of Approval of a security program without first issuing a Notice of Proposed Withdrawal of Approval. The Emergency Withdrawal would be effective on the date that the holder of the security program receives the emergency withdrawal. In such a case, the designated official will send the holder of the security program a brief statement of the facts, charges, applicable law, regulation, or order that forms the basis for the Emergency Withdrawal. The holder of the security program may submit a Petition for Reconsideration under the procedures in paragraphs (b)(4) through (b)(5) of this section; however, this petition will not stay the effective date of the Emergency Withdrawal.

(c) Service of documents for withdrawal of approval of security program proceedings. Service may be accomplished by personal delivery, certified mail, or express courier. Documents served on the holder of a security program will be served at its official place of business as designated in its security program. Documents served on TSA must be served to the address noted in the Notice of Withdrawal of Approval or Withdrawal of Approval, whichever is applicable.

(1) Certificate of service. An individual may attach a certificate of service to a document tendered for filing. A certificate of service must consist of a statement, dated and signed by the person filing the document, that the document was personally delivered, served by certified mail on a specific date, or served by express courier on a specific date.

(2) Date of service. The date of service is—

(i) The date of personal delivery;

(ii) If served by certified mail, the mailing date shown on the certificate of service, the date shown on the postmark if there is no certificate of service, or other mailing date shown by other evidence if there is no certificate of service or postmark; or

(iii) If served by express courier, the service date shown on the certificate of service, or by other evidence if there is no certificate of service.

(d) Extension of time. TSA may grant an extension of time to the limits set forth in this section for good cause shown. A security program holder must submit a request for an extension of time in writing, and TSA must receive it at least 2 days before the due date to be considered. TSA may grant itself an extension of time for good cause.

§ 1570.117 Recordkeeping and availability.

(a) Retention. In addition to submission of documents as required by parts 1580, 1582, 1584, and 1586 of this subchapter, each owner/operator required to have a security program under these parts must—

(1) Maintain and make available to TSA records to establish compliance with the requirements in this subchapter, including all plans, procedures, and other documents (including cited sections of these documents) incorporated by reference into a security program required by parts 1580, 1582, 1584, or 1586 of this subchapter.

(2) [Reserved]

(b) Location. The records required by paragraph (a) of this section must be retained at the owner/operator’s corporate headquarters unless otherwise directed by TSA.

(c) Physical and electronic records. (1) Except as provided in paragraph (c)(2), each owner/operator required to retain records under this section may keep them in electronic form.
An owner/operator may maintain and transfer records through electronic transmission, storage, and retrieval provided that the electronic system provides for the maintenance of records as originally submitted without corruption, loss of data, or tampering.

(2) The owner/operator must maintain one written copy of the current and complete TSA-approved security program required by the applicable part or subpart of this subchapter, signed by the owner/operator, at its corporate headquarters, plus one written copy of the most recent security program previously approved by TSA.

(d) Availability to TSA. Each owner/operator must make the records available to TSA upon request, including through electronic submission if applicable, for inspection and copying.

(e) Protection of SSI. Each owner/operator must restrict the distribution, disclosure, and availability of Sensitive Security Information, as identified in part 1520 of this chapter, to persons with a need to know. The owner/operator must refer requests for such information by other persons to TSA.

(f) Dissemination to employees. Subject to the restrictions in paragraph (e) of this section, each owner/operator must make copies of the security program, relevant portions of the security program, or implementing instructions available to the employees who are responsible for implementing it, consistent with personnel security access rights, background investigation restrictions, and a demonstrated need to know.

§ 1570.119 Exhaustion of administrative remedies.

Persons subject to the requirements in parts 1570, 1580, 1582, 1584, and 1586 of this subchapter must exhaust the administrative remedies set forth in this part before seeking judicial review.

§ 1570.121 Severability.
Any provision of this subchapter held to be invalid or unenforceable as applied to any person or circumstance shall be construed so as to continue to give the maximum effect to the provision permitted by law, including as applied to persons not similarly situated or to dissimilar circumstances, unless such holding is that the provision of this subchapter is invalid and unenforceable in all circumstances, in which event the provision shall be severable from the remainder of this subchapter and shall not affect the remainder thereof.

■ 12. Revise subpart C of part 1570 to read as follows:

Subpart C—Threat and Threat Response

Sec.
1570.201 Security Directives and Information Circulars.
1570.203 Alternate measures.

§ 1570.201 Security Directives and Information Circulars.

(a) The requirements in this section apply to each owner/operator identified in §§ 1580.1, 1582.1, 1584.1, and 1586.1 of this subchapter.

(b) TSA may issue an Information Circular to notify owner/operators of security concerns. When TSA determines that additional security measures are necessary to respond to a threat assessment or to a specific threat against transportation security, TSA issues a Security Directive setting forth mandatory measures.

(c) Each owner/operator must comply with each Security Directive issued to the owner/operator within the time prescribed in the Security Directive.

(d) Each owner/operator that receives a Security Directive must—

(1) Within the time prescribed in the Security Directive, acknowledge receipt of the Security Directive to TSA as required in the Security Directive.

(2) Within the time prescribed in the Security Directive, specify the method by which the measures in the Security Directive have been implemented (or will be implemented, if the Security Directive is not yet effective).
(e) In the event that the owner/operator is unable to implement the measures in the Security Directive, the owner/operator must submit proposed alternative measures following the procedures in § 1570.203, and the basis for submitting the alternative measures to TSA for approval. The owner/operator must implement any alternative measures approved by TSA.

(f) Each owner/operator that receives a Security Directive may comment on the Security Directive by submitting data, views, or arguments in writing to TSA. TSA may amend the Security Directive based on comments received. Submission of a comment does not delay the effective date of the Security Directive.

(g) The owner/operator may file a petition for reconsideration under paragraph (e) of § 1570.107 within 15 days of the effective date of a Security Directive; however, this filing does not stay the effective date of the Security Directive.

(h) Except as provided in paragraph (h)(3) of this section, each owner/operator that receives a Security Directive or an Information Circular and each person who receives information from a Security Directive or an Information Circular must:

(1) Restrict the availability of the Security Directive or Information Circular, and information contained in either document, to those persons with an operational need-to-know.

(2) Refuse to release the Security Directive or Information Circular, and information contained in either document, to persons other than those who have an operational need to know without the prior written consent of TSA.

(3) The requirements in paragraphs (h)(1) and (h)(2) of this section do not apply if the TSA Administrator, or designee, under the authority of § 1520.5(c) of this chapter, determines that a Security Directive or Information Circular does not contain Sensitive Security Information.

§ 1570.203 Alternative measures.
(a) If in TSA’s judgment, the overall security of transportation provided by an owner/operator subject to the requirements of parts 1580, 1582, 1584, or 1586 of this subchapter are not diminished, TSA may approve alternative measures to requirements in a Security Directive.

(b) Each owner/operator requesting alternative measures must file the request for approval in a form and manner prescribed by TSA. The filing of such a request does not affect the owner/operator’s responsibility for compliance while the request is being considered.

(c) TSA may request additional information, and the owner/operator must provide the information within the period TSA prescribes. Within 30 calendar days after receiving a request for alternative measures and all requested information, TSA will, in writing, either approve or deny the request.

(d) If TSA finds that the use of the alternative measures is in the interest of the public and transportation security, it may grant the request subject to any conditions TSA deems necessary. In considering the request for alternative measures, TSA will review all relevant factors, including—

(1) The risks associated with the type of operation, for example, whether the owner/operator transports hazardous materials or passengers within a high threat urban area, whether the owner/operator transports passengers and the volume of passengers transported, or whether the owner/operator hosts a passenger operation.

(2) Any relevant threat information.

(3) Other circumstances concerning potential risk to the public and transportation security.

(e) No later than 30 calendar days after receiving a denial, the owner/operator may petition for reconsideration under § 1570.107(f).

Appendix A to Part 1570 [Removed]

■ 13. Remove Appendix A to part 1570.

PART 1580—FREIGHT RAIL TRANSPORTATION SECURITY

■ 14. The authority citation for part 1580 continues to read as follows:

Authority: 49 U.S.C. 114; Pub. L. 110–53 (121 Stat. 266, Aug. 3, 2007) secs. 1501 (6 U.S.C. 1151), 1512 (6 U.S.C. 1162) and 1517 (6 U.S.C. 1167).

Subpart A—General

■ 15. Amend § 1580.3 by:
■ a. Revising the introductory paragraph;
■ b. Removing the definition of ‘‘Class I’’;
■ c. Adding the definitions of ‘‘Class I, II, or III’’, ‘‘Component’’, ‘‘Defense Connector Railroad’’, ‘‘Positive Train Control’’, ‘‘Switching or terminal service’’, and ‘‘Train miles’’ in alphabetical order.

The revision and additions read as follows:

§ 1580.3 Terms used in this part.

In addition to the terms in §§ 1500.3, 1500.5, and 1503.103 of subchapter A and § 1570.3 of subchapter D of this chapter, the following terms apply to this part:

* * * * *

Class I, Class II, or Class III freight railroad has the same meaning as ‘‘Class I,’’ ‘‘Class II,’’ and ‘‘Class III’’ freight railroads as determined by regulations of the Surface Transportation Board c).

Component has the same meaning as ‘‘component’’ as defined in 49 CFR 236.903.

Defense Connector Railroad means a railroad that has a line of common carrier obligation designated a defense connector line by the US Army Military Surface Deployment and Distribution Command Transportation Engineering Agency (SDDCTEA) and Federal Railroad Administration (FRA) which connects defense installations or other activities requiring rail service to the Strategic Rail Corridor Network (STRACNET).

* * * * *

Positive train control (PTC) has the same meaning as ‘‘positive train control’’ as defined in 49 CFR 236.1003.

* * * * *

Switching or terminal services means the furnishing of terminal facilities for passenger or freight rail traffic for linehaul service and the movement of railroad cars between terminal yards, industrial sidings, and other local sites.
This term does not include movement of a train or part of a train within yard limits by the road locomotive and the placement of locomotives or cars in a train or their removal from a train by the road locomotive while en route to the train’s destination.

Train miles means a unit in railroad accounting that refers to the distance of one mile covered by a single train, which may have several cars.

■ 16. Revise subpart B of part 1580 to read as follows:

Subpart B—Security Programs: Physical Security

Sec.
1580.101 Scope.
1580.103 Physical Security Coordinator.
1580.105 Reporting of significant physical security concerns.
1580.107 [Reserved]
1580.109 [Reserved]
1580.111 [Reserved]
1580.113 Security training program requirements.
1580.115 [Reserved]

§ 1580.101 Scope.

This subpart includes requirements that are primarily intended to ensure the physical security of freight rail operations. Physical security encompasses the security of individuals, cargo, rail secure areas, rail cars, and transportation facilities, as well as the persons in areas in or near to rail operations that could have their safety and security threatened by an attack on physical systems and assets. Each person identified in § 1580.1 must review the applicability in each section of this subpart to determine whether they are an owner/operator to whom the requirements apply based on their operations and the criteria for applicability.

§ 1580.103 Physical Security Coordinator.

(a)(1) Except as provided in paragraph (a)(2) of this section, each owner/operator identified in § 1580.1 must designate and use a primary and at least one alternate Physical Security Coordinator at the corporate level to function as the administrator for sharing security-related activities and information.
(2) An owner/operator identified in § 1580.1(a)(5) (private rail cars and circus trains) must designate and use a primary and at least one alternate Physical Security Coordinator, only if notified by TSA in writing that a threat exists concerning that type of operation.

(b) The primary Physical Security Coordinator and alternate(s) must—

(1) Be accessible to TSA on a 24 hours per day, 7 days per week basis;

(2) Serve as the primary contact(s) for intelligence information and security-related activities and communications with TSA. Any individual designated as a Physical Security Coordinator may perform other duties in addition to the duties described in this section; and

(3) Coordinate security practices and procedures required by this subchapter internally and with appropriate law enforcement and emergency response agencies.

(c) The Physical Security Coordinator and alternate(s) must be a U.S. citizen eligible for a security clearance, unless otherwise waived by TSA.

(d) Each owner/operator required to have a Physical Security Coordinator must provide in writing to TSA the names, U.S. citizenship status, titles, business phone number(s), and business email address(es) of the Physical Security Coordinator and alternate(s). Changes in any of the information required by this section must be submitted to TSA within 7 calendar days.

§ 1580.105 Reporting of significant physical security concerns.

(a) Each owner/operator identified in § 1580.1 must report, within 24 hours of initial discovery, any potential threats and significant physical security concerns involving transportation-related operations in the United States or transportation to, from, or within the United States as soon as possible by the methods prescribed by TSA.
(b) Potential threats or significant physical security concerns encompass incidents, suspicious activities, and threat information affecting physical operations including, but not limited to, the categories of reportable events listed in appendix C to this part.
(c) Information reported must include the following, as available and applicable:
(1) The name of the reporting individual and contact information, including a telephone number or email address.
(2) The affected freight or passenger train, station, terminal, rail hazardous materials facility, or other transportation facility or infrastructure, including identifying information and current location.
(3) Scheduled origination and termination locations for the affected freight or passenger train, including departure and destination city and route.
(4) Description of the threat, incident, or activity, including who has been notified and what action has been taken.
(5) The names, other available biographical data, and/or descriptions (including vehicle or license plate information) of individuals or motor vehicles known or suspected to be involved in the threat, incident, or activity.
(6) The source of any threat information.

§ 1580.107 [Reserved]

§ 1580.109 [Reserved]

§ 1580.111 [Reserved]

§ 1580.113 Security training program requirements.
(a) Applicability. This section applies to each owner/operator—
(1) Described in § 1580.1(a)(1) that is a Class I freight railroad.
(2) Described in § 1580.1(a)(1) that transports one or more of the categories and quantities of RSSM in an HTUA.
(3) Described in § 1580.1(a)(4) that serves as a host railroad to a freight railroad described in paragraphs (a)(1) or (a)(2) or a passenger operation described in § 1582.101 of this subchapter.
(b) Training required for security-sensitive employees.
No owner/operator identified in paragraph (a) of this section may use a security-sensitive employee to perform a function identified in Appendix B to this part, unless that individual has received training as part of a security training program approved by TSA or is under the direct supervision of an employee who has received the training required by this section as applicable to that security-sensitive function. Upon approval, this security training program becomes part of the owner/operator’s TSA-approved security program.
(c) Limits on use of untrained employees. Notwithstanding paragraph (b) of this section, a security-sensitive employee may not perform a security-sensitive function for more than 60 calendar days without receiving security training.
(d) General requirements. Each owner/operator required to provide security training to its employees under this section must submit its security training program to TSA for approval in a form and manner prescribed by TSA. The security training program must include the following information:
(1) Name of owner/operator.
(2) Name, title, telephone number, and email address of the primary individual to be contacted about review of the security training program.
(3) Number, by specific job function category identified in Appendix B to this part, of security-sensitive employees trained or to be trained.
(4) Implementation schedule that identifies a specific date by which the required initial and recurrent security training will be completed.
(5) Location where training program records will be maintained.
(6) Plan for ensuring supervision of untrained security-sensitive employees performing functions identified in Appendix B to this part.
(7) Plan for notifying employees of changes to security measures that could change information provided in previously provided training.
(8) Method(s) for evaluating the effectiveness of the security training program in each area required by paragraph (e) of this section.
(e) General curriculum requirements. The security training program submitted to TSA for approval must include a curriculum or lesson plan, including learning objectives and method of delivery (such as instructor-led or computer-based training) for each course used to meet the requirements in paragraph (f) of this section. TSA may request additional information regarding the curriculum during the review and approval process. If recurrent training under paragraph (j) of this section is not the same as initial training, a curriculum or lesson plan for the recurrent training must be submitted and approved by TSA.
(f) Specific curriculum requirements.
(1) Prepare. Each owner/operator must ensure that each of its security-sensitive employees with position- or function-specific responsibilities under the owner/operator’s security program has knowledge of how to fulfill those responsibilities in the event of a security threat, breach, or incident to ensure—
(i) Employees with responsibility for transportation security equipment and systems are aware of their responsibilities and can verify the equipment and systems are operating and properly maintained; and
(ii) Employees with other duties and responsibilities under the company’s security plans and/or programs, including those required by Federal law, know their assignments and the steps or resources needed to fulfill them.
(2) Chain of Custody. Each employee who performs any security-related functions under § 1580.205 of this subchapter must be provided training specifically applicable to the functions the employee performs.
As applicable, this training must address—
(i) Inspecting rail cars for signs of tampering or compromise, IEDs, suspicious items, and items that do not belong;
(ii) Identification of rail cars that contain rail security-sensitive materials, including the owner/operator’s procedures for identifying rail security-sensitive material cars on train documents, shipping papers, and in computer train/car management systems; and
(iii) Procedures for completing transfer of custody documentation.
(3) Observe. Each owner/operator must ensure that each of its security-sensitive employees has knowledge of the observational skills necessary to recognize—
(i) Suspicious and/or dangerous items, such as substances, packages, or conditions (for example, characteristics of an Improvised Explosive Device and signs of equipment tampering or sabotage);
(ii) Combinations of actions and individual behaviors that appear suspicious and/or dangerous, inappropriate, inconsistent, or out of the ordinary for the employee’s work environment, which could indicate a threat to transportation security; and
(iii) How a terrorist or someone with malicious intent may attempt to gain sensitive information or take advantage of vulnerabilities.
(4) Assess. Each owner/operator must ensure that each of its security-sensitive employees has knowledge necessary to—
(i) Determine whether the item, individual, behavior, or situation requires a response as a potential terrorist threat based on the respective transportation environment; and
(ii) Identify appropriate responses based on observations and context.
(5) Respond.
Each owner/operator must ensure that each of its security-sensitive employees has knowledge of how to—
(i) Appropriately report a security threat, including knowing how and when to report internally to other employees, supervisors, or management, and externally to Local, State, or Federal agencies according to the owner/operator’s security procedures or other relevant plans;
(ii) Interact with the public and first responders at the scene of the threat or incident, including communication with passengers on evacuation and any specific procedures for individuals with disabilities and the elderly; and
(iii) Use any applicable self-defense devices or other protective equipment provided to employees by the owner/operator.
(g) Relation to other training. Training conducted by owner/operators to comply with other requirements or standards, such as emergency preparedness training required by the Department of Transportation (DOT) (49 CFR part 239) or other training for communicating with emergency responders to arrange the evacuation of passengers, may be combined with, and used to satisfy, elements of the training requirements in this section.
(h) Submission. If commencing or modifying operations subject to these requirements after June 21, 2021, the training program must be submitted to TSA no later than 90 calendar days before commencing new or modified operations.
(i) Initial security training. Each owner/operator must provide initial security training to security-sensitive employees, using the curriculum approved by TSA and in compliance with the following schedule.
(1) For security training programs submitted to TSA for approval after March 22, 2021, if the employee is employed to perform a security-sensitive function on the date TSA approves the program, then initial training must be provided no later than 12 months after the date that TSA approves the owner/operator’s security training program.
(2) If performance of a security-sensitive job function is initiated after TSA approves the owner/operator’s security training program, then initial training must be provided no later than 60 calendar days after the employee first performs the security-sensitive job function.
(3) If the security-sensitive job function is performed intermittently, then initial security training must be provided no later than the 60th calendar day of employment performing a security-sensitive function, aggregated over a consecutive 12-month period.
(j) Recurrent security training.
(1) Except as provided in paragraph (j)(2) of this section, a security-sensitive employee required to receive training must receive the required training at least once every 3 years.
(2) If an owner/operator modifies a security program or security plan for which training is required, the owner/operator must ensure each security-sensitive employee with position- or function-specific responsibilities related to the revised plan or program changes receives training on the revisions within 90 days of implementation of the revised plan or program changes. All other employees must receive training that reflects the changes to the operating security requirements as part of their regularly scheduled recurrent training.
(3) The 3-year recurrent training cycle is based on the anniversary calendar month of the employee’s initial security training. If the owner/operator provides the recurrent security training in the month of, the month before, or the month after it is due, the employee is considered to have taken the training in the month it is due.
(k) Recognition of prior training.
Previously provided security training may be credited towards satisfying the requirements of this section provided the owner/operator—
(1) Obtains a complete record of such training and validates the training meets requirements of this section as it relates to the function of the individual security-sensitive employee and the training was provided within the schedule required for recurrent training; and
(2) Retains a record of such training in compliance with the requirements in paragraph (l).
(l) Retention of security training records. The owner/operator must retain records of initial and recurrent security training for each individual required to receive security training under this section for no less than 5 years from the date of training that, at a minimum—
(1) Includes employee’s full name, job title or function, date of hire, and date of initial and recurrent security training; and
(2) Identifies the date, course name, course length, and list of topics addressed for the security training most recently provided in each of the areas required under paragraph (f) of this section.
(m) Availability of records to employees. The owner/operator must provide records of security training to current and former employees upon request and at no charge as necessary to provide proof of training.
(n) Incorporation into security program. Once approved by TSA, the security training program required by this section is part of the owner/operator’s TSA-approved security program. The owner/operator must implement and maintain the security training program and comply with timeframes for implementation identified in the security training program. Any modifications or amendments to the program must be made as stipulated in § 1570.107 of this subchapter.
(o) Situations requiring owner/operator to revise security training program.
The owner/operator must submit a request to amend its security program if, after approval, the owner/operator makes, or intends to make, permanent (to be in effect for 60 or more calendar days) or substantive changes to its security training curriculum, including changes to address:
(1) Determinations that the security training program is ineffective based on the approved method for evaluating effectiveness in the security training program approved by TSA; or
(2) Development of recurrent training material for purposes of meeting the requirements in paragraph (j) of this section or other alternative training materials not previously approved by TSA.

§ 1580.115 [Reserved]

■ 17. Revise the heading of subpart C of part 1580 to read as follows:

Subpart C—Security of Rail Security-Sensitive Materials

■ 18. Add subpart D of part 1580 to read as follows:

Subpart D—Cybersecurity Risk Management

Sec.
1580.301 Scope and applicability.
1580.303 Form, content, and availability of Cybersecurity Risk Management program.
1580.305 Cybersecurity evaluation.
1580.307 Cybersecurity Operational Implementation Plan.
1580.309 Governance of the CRM program.
1580.311 Cybersecurity Coordinator.
1580.313 Identification of Critical Cyber Systems.
1580.315 Supply chain risk management.
1580.317 Protection of Critical Cyber Systems.
1580.319 Cybersecurity training and knowledge.
1580.321 Detection of cybersecurity incidents.
1580.323 Capabilities to respond to a cybersecurity incident.
1580.325 Reporting cybersecurity incidents.
1580.327 Cybersecurity Incident Response Plan.
1580.329 Cybersecurity Assessment Plan.
1580.331 Documentation to establish compliance.

§ 1580.301 Scope and applicability.
(a) Scope.
This subpart includes requirements to ensure the cybersecurity of freight rail operations and to mitigate the risk of significant harm to the individuals, cargo, and transportation facilities, as well as persons in areas in or near rail operations, that could have their safety and security threatened because of the degradation, destruction, or malfunction of systems that control these systems and infrastructure. In addition, cybersecurity incidents could have significant, similar impacts on the movement of cargo critical to the supply chain, affecting the national and economic security of the United States. The owner/operators identified in § 1580.1 must review the applicability for carrying out a Cybersecurity Risk Management program in paragraph (b) of this section, designation of a Cybersecurity Coordinator in § 1580.311, and reporting cybersecurity incidents in § 1580.325 to determine if the requirements apply to their operations.
(b) Applicability. Each owner/operator described in § 1580.1 must adopt and carry out a Cybersecurity Risk Management (CRM) program for any operation that meets any of the following criteria:
(1) Is a Class I freight railroad; or
(2) Is a Class II or III railroad, that:
(i) Provides switching or terminal services to two or more Class I railroads;
(ii) Transports one or more of the categories and quantities of RSSM in an HTUA;
(iii) Serves as a host railroad to a freight railroad described in paragraph (b)(1) or (b)(2) of this section or a passenger operation described in § 1582.201(b) of this subchapter; or
(iv) Operates an average of at least 400,000 train miles in any of the three calendar years before [EFFECTIVE DATE OF FINAL RULE] or any single calendar year after [EFFECTIVE DATE OF FINAL RULE].
(3) Is designated as a Defense Connector Railroad.

§ 1580.303 Form, content, and availability of Cybersecurity Risk Management program.
(a) General content requirements.
The CRM program required by this subpart is a comprehensive program that includes the following components:
(1) A cybersecurity evaluation completed and updated as required by § 1580.305;
(2) A TSA-approved Cybersecurity Operational Implementation Plan (COIP) that meets the requirements in § 1580.307; and
(3) A Cybersecurity Assessment Plan that meets the requirements in § 1580.329.
(b) Subsidiaries. If a single CRM program is developed and implemented for multiple business units within a single corporate entity, any documents used to comply or establish compliance with the requirements in this subpart must clearly identify and distinguish application of the requirements to each business unit.

§ 1580.305 Cybersecurity evaluation.
(a) General. Each owner/operator required to have a CRM program must complete an initial and recurrent cybersecurity evaluation sufficient to determine the owner/operator’s current enterprise-wide cybersecurity profile of logical/virtual and physical security controls when evaluated against the CRM program requirements in this subpart, using a form provided by TSA or other tools approved by TSA.
(b) Timing. The initial cybersecurity evaluation must be completed no later than [DATE 90 DAYS AFTER EFFECTIVE DATE OF FINAL RULE], but no more than one year before the date of submission of the owner/operator’s Cybersecurity Operational Implementation Plan required by § 1580.307. If commencing or modifying operations subject to these requirements after [EFFECTIVE DATE OF FINAL RULE], the initial cybersecurity evaluation must be submitted to TSA no later than 45 calendar days after commencing the new or modified operations triggering applicability.
(c) Annual updates. The evaluation required by paragraph (a) of this section must be updated annually, no later than one year from the anniversary date of the previously completed evaluation.
(d) Notification.
The owner/operator must notify TSA within 7 days of completing the evaluation and annual updates required by this section. A copy of the evaluation must be provided to TSA upon request.
(e) Sensitive Security Information. This evaluation is a vulnerability assessment as defined in § 1500.3 of this subchapter and must be protected as Sensitive Security Information under § 1520.5(b)(5) of this subchapter.

§ 1580.307 Cybersecurity Operational Implementation Plan.
(a) Requirement. Each owner/operator required to have a CRM program under this part must adopt a COIP.
(b) General Content. The COIP must include the following corporate information:
(1) The name and corporate address of the owner/operator;
(2) Written attestation by the owner/operator’s accountable executive that the COIP has been reviewed and approved by senior management; and
(3) Identification of specific operations that meet the applicability criteria.
(c) Specific Content. The COIP must detail the owner/operator’s defense-in-depth plan, including physical and logical/virtual security controls, to comply with the requirements and security outcomes specified in the following sections:
(1) Governance. The requirements for governance of the CRM program in § 1580.309 and the designation of a Cybersecurity Coordinator in § 1580.311.
(2) Identification of Critical Cyber Systems, Network Architecture, and Interdependencies. The requirements to identify Critical Cyber Systems and network architecture in § 1580.313 and supply chain risk management in § 1580.315.
(3) Procedures, policies, and capabilities to protect Critical Cyber Systems. The requirements for protection of Critical Cyber Systems in § 1580.317 and training of cybersecurity-sensitive employees in § 1580.319.
(4) Procedures, policies, and capabilities to detect cybersecurity incidents.
The requirements for detecting cybersecurity incidents in § 1580.321.
(5) Procedures, policies, and capabilities to respond to, and recover from, cybersecurity incidents. The requirements for responding to cybersecurity incidents in § 1580.323, reporting cybersecurity incidents in § 1580.325, and the Cybersecurity Incident Response Plan in § 1580.327.
(d) Plan of Action and Milestones.
(1) To the extent an owner/operator does not meet every requirement and security outcome identified in paragraph (c)(1) through (c)(5) of this section, the COIP must include a plan of action and milestones (POAM).
(2) The POAM must include:
(i) Policies, procedures, measures, or capabilities that the owner/operator will develop or obtain, as applicable, to ensure all requirements and security outcomes in this subpart are met;
(ii) Physical and logical/virtual security controls that the owner/operator will implement to mitigate the risks associated with not fully complying with requirements or security outcomes in this subpart; and
(iii) A detailed timeframe for full compliance with all requirements and security outcomes in this subpart, not to exceed 3 years from the date of submission to TSA of the COIP required by this section.
(3) The POAM must be updated as necessary to address any deficiencies identified during the evaluation required by § 1580.305 or as a result of an assessment conducted under § 1580.329 that will not be immediately addressed through an update to the COIP.
(e) Approval and implementation.
(1) Submission deadlines. The COIP must be made available to TSA, in a form and manner prescribed by TSA, no later than [DATE 180 DAYS AFTER EFFECTIVE DATE OF FINAL RULE]. If commencing or modifying operations subject to these requirements after [EFFECTIVE DATE OF FINAL RULE], the COIP must be made available to TSA no later than 45 calendar days before commencing new or modified operations.
(2) Effective date.
After considering all relevant materials and any additional information required by TSA, TSA will notify the owner/operator’s accountable executive of TSA’s decision to approve the owner/operator’s COIP. The COIP becomes effective 30 days after the owner/operator is notified whether its COIP is approved.
(3) TSA-approved security program. Once approved by TSA, the COIP, any appendices, and any policies or procedures incorporated by reference, are a part of a TSA-approved security program, subject to the protections in part 1520 of this chapter and the procedures applicable to security programs in subpart B of part 1570 of this subchapter.
(f) Status Report and Updates. The CRM program must be reviewed and updated by the owner/operator within 60 days of the evaluations or assessments required by §§ 1580.305 or 1580.329, as necessary to address any identified vulnerabilities or weaknesses in the procedures, policies, or capabilities identified in the CRM program.
(g) Revisions. Unless otherwise specified in this subpart, any substantive modifications or amendments to the COIP must be made in accordance with the procedures in § 1570.107 of this subchapter.

§ 1580.309 Governance of the CRM program.
(a) Accountable Executive.
(1) No later than [DATE 30 DAYS FROM EFFECTIVE DATE OF FINAL RULE], the owner/operator must provide to TSA the names, titles, business telephone numbers, and business email addresses of the owner/operator’s accountable executive, who is the primary individual to be contacted with regard to the owner/operator’s CRM program. If any of the information required by this paragraph changes, the owner/operator must provide the updated information to TSA within 7 days of the change.
(2) The accountable executive must be an individual who has the authority and knowledge necessary for the development, implementation, and managerial oversight of the TSA-approved CRM program, including cybersecurity administration, risk assessments, inspections and control procedures, and coordinating communications with the owner/operator’s leadership and staff on implementation and sustainment of the CRM program. To the extent possible, the accountable executive should not be the Cybersecurity Coordinator or an individual responsible for management of Information or Operational Technology systems or systems administration.
(b) COIP. The COIP must also include:
(1) Identification of positions designated by the owner/operator to manage implementation of policies, procedures, and capabilities described in the COIP and coordinate improvements to the CRM program.
(2) Corporate-level identification of any authorized representatives, as defined in the TSA Cybersecurity Lexicon, who are responsible for any or all of the CRM program or cybersecurity measures identified in the CRM program, and written documentation (such as contractual agreements) clearly identifying the roles and responsibilities of the authorized representative under the CRM program.
(3) The information required by paragraph (a)(1) of this section.
(c) Process. Updating the COIP to align with information provided to TSA under this section does not require an amendment subject to the procedures in § 1570.107 of this subchapter.

§ 1580.311 Cybersecurity Coordinator.
(a)(1) Except as provided in paragraph (a)(2) of this section, each owner/operator identified in § 1580.1(a)(1), (a)(4), and (a)(5) must designate employees at the corporate level to serve as the primary and at least one alternate Cybersecurity Coordinator with responsibility for sharing critical cybersecurity information.
(2) Each owner/operator identified in § 1580.1(a)(5) must designate and use a primary and at least one alternate Cybersecurity Coordinator, only if notified by TSA in writing that a threat exists concerning that type of operation.
(b) The Cybersecurity Coordinator and alternate(s) must—
(1) Serve as the primary contact for cyber-related intelligence information and cybersecurity-related activities and communications with TSA and the Cybersecurity and Infrastructure Security Agency (CISA);
(2) Have the following knowledge and skills, through current certifications or equivalent job experience:
(i) General cybersecurity guidance and best practices;
(ii) Relevant law and regulations pertaining to cybersecurity;
(iii) Handling of Sensitive Security Information and security-related communications; and
(iv) Current cybersecurity threats applicable to the owner/operator’s operations and systems.
(3) Be accessible to TSA and CISA 24 hours per day, 7 days per week;
(4) Have a Homeland Security Information Network (HSIN) account or other TSA-designated communication platform for information sharing relevant to the requirements in this subpart; and
(5) Work with appropriate law enforcement and emergency response agencies in addressing cybersecurity threats or responding to cybersecurity incidents.
(c) The Cybersecurity Coordinator and alternate(s) must be a U.S. citizen eligible for a security clearance, unless otherwise waived by TSA.
(d) Owner/operators must provide in writing to TSA the names, titles, business phone number(s), and business email address(es) of the Cybersecurity Coordinator and alternate Cybersecurity Coordinator(s) required by paragraph (a) of this section no later than [DATE 7 DAYS AFTER EFFECTIVE DATE OF FINAL RULE], or within 7 days of the commencement of new operations, or of any change in the information required by this section that occurs after [DATE 7 DAYS AFTER EFFECTIVE DATE OF FINAL RULE].
(e) In addition to providing the information to TSA as required by paragraph (d), any owner/operator required to have a CRM program under this part must also include the information required by paragraph (d) in the COIP. As the owner/operator must separately notify TSA of this information, and any changes to this information, updating the COIP to align with information provided to TSA under this section does not require an amendment subject to the procedures in § 1570.107 of this subchapter.

§ 1580.313 Identification of Critical Cyber Systems.
(a) Identifying information. The owner/operator must incorporate into its COIP a list of Critical Cyber Systems, as defined in the TSA Cybersecurity Lexicon, that provides, at a minimum, the following identifying information for each Critical Cyber System:
(1) Identifier (system name or commercial name), and
(2) System manufacturer/designer name.
(b) Identification methodology.
The owner/operator must include a description of the methodology and information used to identify Critical Cyber Systems that, at a minimum, includes the following information as used to identify critical systems:
(1) Standards and factors, including system interdependencies with critical functions, used to identify Information Technology and Operational Technology systems that could be vulnerable to a cybersecurity incident;
(2) Sources and data, such as known threat information relevant to the system, that informed decisions regarding the likelihood of the system being subject to a cybersecurity incident;
(3) Potential operational impacts of a cybersecurity incident, including scenarios that identify potential supply chain impacts and how long critical operations and capabilities could be sustained with identified alternatives if a system is offline; and
(4) Sustainability and operational impacts if an Information or Operational Technology system not identified as a Critical Cyber System becomes unavailable due to a cybersecurity incident.
(c) Positive Train Control (PTC) Systems. Owner/operators who are either required to install and operate PTC under 49 CFR part 236, subpart I, and/or voluntarily install and operate PTC under 49 CFR part 236, subpart H or I, must include PTC systems as a Critical Cyber System.
(d) System information and network architecture.
For all Critical Cyber Systems, the owner/operator must provide the following information:
(1) Information and Operational Technology system interdependencies for Critical Cyber Systems;
(2) All external connections to Critical Cyber Systems;
(3) Zone boundaries for Critical Cyber Systems, including a description of how Information and Operational Technology systems are defined and organized into logical/virtual zones based on criticality, consequence, and operational necessity;
(4) Baseline of acceptable communications between Critical Cyber Systems and external connections or between Information and Operational Technology systems; and
(5) Operational needs that prevent or delay implementation of the requirements in this subpart, such as application of security patches and updates, encryption of communications traversing Information and Operational Technology systems, and multi-factor authentication.
(e) Additional systems. If notified by TSA, the owner/operator must include additional Critical Cyber Systems identified by TSA not previously identified by the owner/operator.
(f) Changes in Critical Cyber Systems. Any substantive changes to Critical Cyber Systems require an amendment to the COIP subject to the procedures in § 1570.107 of this subchapter.

§ 1580.315 Supply chain risk management.
The owner/operator must incorporate into its COIP policies, procedures, and capabilities to address supply chain cybersecurity vulnerabilities that include requiring—
(a) All procurement documents and contracts, including service-level agreements, executed or updated after [EFFECTIVE DATE OF FINAL RULE] include a requirement for the vendor or service provider to notify the owner/operator of the following:
(1) Cybersecurity incidents affecting the vendor or service provider within a specified timeframe sufficient for the owner/operator to identify and address any potential risks to their Critical Cyber Systems based on the scope and type of cybersecurity incident.
(2) Confirmed security vulnerabilities affecting the goods, services, or capabilities provided by the vendor or service provider within a specified timeframe sufficient for the owner/operator to identify and address any potential risks to their Critical Cyber Systems based on the scope and type of security vulnerability.
(b) Procurement documents and contracts, including service-level agreements, incorporate an evaluation by the owner/operator or a qualified third party of the cybersecurity measures implemented by vendors or service providers of goods, services, or capabilities that will be connected to, installed on, or used by the owner/operator’s Critical Cyber Systems.
(c) When provided two offerings of roughly similar cost and function, giving preference to the offering that provides the greater level of cybersecurity necessary to protect against, or effectively respond to, cybersecurity incidents affecting the owner/operator’s Critical Cyber Systems.
(d) Upon notification of a cybersecurity incident or vulnerability under paragraphs (a) or (b) of this section, immediate consideration of mitigation measures sufficient to address the resulting risk to Critical Cyber Systems and, as applicable, revision to the COIP in accordance with § 1570.107 of this subchapter.

§ 1580.317 Protection of Critical Cyber Systems.
The owner/operator must incorporate into its COIP policies, procedures, controls and capabilities to protect Critical Cyber Systems that meet security performance objectives in the following areas—
(a) Network segmentation. Network segmentation measures that protect against access to, or disruption of, the Operational Technology system if the Information Technology system is compromised or vice versa. These measures must be sufficient to—
(1) Ensure Information and Operational Technology system-services transit the other only when necessary for validated business or operational purposes;
(2) Secure and defend zone boundaries with security controls—
(i) To defend against unauthorized communications between zones; and
(ii) To prohibit Operational Technology system services from traversing the Information Technology system, and vice-versa, unless the content is encrypted at a level sufficient to secure and protect integrity of data and prevent corruption or compromise while in transit. If encryption is not technologically feasible, ensure content is otherwise secured and protected using compensating controls that provide the same level of security as encryption for data in transit.
(b) Access control. Access control measures for Critical Cyber Systems, including for local and remote access, that secure and defend against unauthorized access to Critical Cyber Systems.
Except as provided in paragraph (f), these measures must, at a minimum, incorporate the following policies, procedures, and controls:
(1) Identification and authentication requirements designed to prevent unauthorized access to Critical Cyber Systems, to include:
(i) A policy for memorized secret authenticator resets that includes criteria for passwords and when resets must occur, including procedures to ensure implementation of these requirements, such as password lockouts; and
(ii) Documented and defined logical/virtual and physical security controls for components of Critical Cyber Systems that will not be subject to the requirements in paragraph (b)(1)(i) of this section.
(2) Multi-factor authentication, or other logical/virtual and physical security controls to supplement memorized secret authenticators (such as passwords) to provide risk mitigation commensurate to multi-factor authentication. If an owner/operator does not apply multi-factor authentication for access to Operational Technology components or assets, the owner/operator must specify what compensating controls are used to manage access.
(3) Management of access rights based on the principles of least privilege and separation of duties. Where not technically feasible to apply these principles, the policies and procedures must describe compensating controls that the owner/operator applies.
(4) Policies and procedures that limit availability and use of shared accounts to those that are critical for operations, and then only if absolutely necessary.
When the owner/operator uses shared accounts for operational purposes, the policies and procedures must ensure:
(i) Access to shared accounts is limited through account management that uses principles of least privilege and separation of duties;
(ii) Any individual who no longer needs access does not have knowledge of the memorized secret authenticator necessary to access the shared account; and
(iii) Logs are maintained sufficient to enable positive user identification of access to shared accounts to enable forensic investigation following a cybersecurity incident.
(5) Regularly updated schedule for review of existing domain trust relationships to ensure their necessity and established and enforced policies to manage these relationships.
(c) Patch management. Measures that reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on Critical Cyber Systems consistent with the owner/operator’s risk-based methodology. These measures must include:
(1) A patch management strategy that ensures all critical security patches and updates on Critical Cyber Systems are current. This strategy must include:
(i) The risk methodology for categorizing and determining criticality of patches and updates, and an implementation timeline based on categorization and criticality; and
(ii) Prioritization of all security patches and updates on CISA’s Known Exploited Vulnerabilities Catalog.
(2) In instances where the owner/operator cannot apply patches and updates on specific Operational Technology systems without causing a severe degradation of operational capability to meet business critical functions, the owner/operator must provide an explanation for why the actions cannot be taken and a description and timeline of additional mitigations that address the risk created by not installing the patch or update within the recommended timeframe.
(d) Logging policies. Logging policies sufficient to ensure logging data is—
(1) Stored in a secure and centralized system, such as a security information and event management tool or database on a segmented network that can only be accessed or modified by authorized and authenticated users; and
(2) Maintained for a duration sufficient to allow for investigation of cybersecurity incidents as supported by a risk analysis and applicable standards or regulatory guidelines.
(e) Secure back-ups. Policies that ensure all Critical Cyber Systems are backed-up on a regular basis consistent with operational need for the information, the back-ups are securely stored separate from the system, and policies that require testing the integrity of back-ups to ensure that the data is free of known malicious code when the back-ups are made.
(f) Exception for PTC hardware and software components installed on locomotive.
(1) For hardware and software components of a PTC system installed on a locomotive, owner/operators in compliance with requirements in 49 CFR 232.105(h)(1–4) (General requirements for locomotives), 49 CFR 236.3 (Locking of signal apparatus housings), and 49 CFR 256.553 (Seal, where required), may rely on the physical security measures used to comply with these requirements, as applicable, in lieu of implementing the requirements in paragraph (b).
(2) If relying on the exception in paragraph (f)(1), the owner/operator must list the applicable PTC system as a Critical Cyber System; maintain compliance with the requirements specified in 49 CFR 232.105(h)(1–4), 49 CFR 236.3, and 49 CFR 256.553, as applicable; and include in the COIP a description of the physical security measures used to prevent unauthorized access to the identified PTC components.

§ 1580.319 Cybersecurity training and knowledge.
(a) Training required.
(1) Owner/operators required to have a CRM program under this subchapter must provide basic cybersecurity training to all employees with access to the owner/operator’s Information or Operational Technology systems.
(2) No owner/operator required to have a CRM program under this subpart may permit a cybersecurity-sensitive employee to access, or have privileges to access, a Critical Cyber System or an Information or Operational Technology system that is interdependent with a Critical Cyber System, unless that individual has received basic and role-based cybersecurity training.
(b) General curriculum requirements. The cybersecurity training program must include a curriculum or lesson plan, including learning objectives and method of delivery (such as instructor-led or computer-based training) for each course used to meet the requirements in paragraphs (d) and (e) of this section. TSA may request additional information regarding the curriculum during the review and approval process. If recurrent training under paragraph (e) of this section is not the same as initial training, a curriculum or lesson plan for the recurrent training will need to be submitted and approved by TSA.
(c) Specific curriculum requirements.
(1) Basic cybersecurity training.
All employees and contractors with access to the owner/operator’s Information or Operational Technology systems must receive basic cybersecurity training that includes cybersecurity awareness to address best practices, acceptable use, risks associated with their level of privileged access, and awareness of security risks associated with their actions. This training must address the following topics:
(i) Social engineering, including phishing;
(ii) Password best practices;
(iii) Remote work security basics;
(iv) Safe internet and social media use;
(v) Mobile device (wireless) vulnerabilities and network security;
(vi) Data management and information security, including protecting business email, confidential information, trade secrets, and privacy; and
(vii) How and to whom to report suspected inappropriate or suspicious activity involving Information or Operational Technology systems, including mobile devices provided by or connected to the owner/operator’s Information or Operational Technology systems.
(2) Role-based cybersecurity training. Cybersecurity-sensitive employees must be provided cybersecurity training that specifically addresses their role as a privileged user to prevent and respond to a cybersecurity incident, acceptable uses, and the risks associated with their level of access and use as approved by the owner/operator.
This training must address the following topics as applicable to the specific role:
(i) Security measures and requirements in the COIP including how the requirements affect account and access management, server and application management, and system architecture development and assessment;
(ii) Recognition and detection of cybersecurity threats, types of cybersecurity incidents, and techniques used to circumvent cybersecurity measures;
(iii) Incident handling, including procedures for reporting a cybersecurity incident to the Cybersecurity Coordinator and understanding their roles and responsibilities during a cybersecurity incident and implementation of the owner/operator’s Cybersecurity Incident Response Plan required by § 1580.327;
(iv) Requirements and sources for staying aware of changing cybersecurity threats and countermeasures; and
(v) Operational Technology-specific cybersecurity training for all personnel whose duties include access to Operational Technology systems.
(d) Initial cybersecurity training.
(1) Each owner/operator must provide initial cybersecurity training (basic and role-based, as applicable) to employees and contractors, using the curriculum approved by TSA, no later than 60 days after the effective date of the owner/operator’s TSA-approved COIP required by this subpart.
(2) For individuals who onboard or become cybersecurity-sensitive employees after the effective date of the owner/operator’s TSA-approved COIP who did not receive training within the period identified in paragraph (d)(1) of this section, the individual must receive the applicable cybersecurity training no later than 10 days after onboarding.
(e) Recurrent cybersecurity training. Employees and contractors must receive annual recurrent cybersecurity training no later than the anniversary calendar month of the employee’s initial cybersecurity training.
If the owner/operator provides the recurrent cybersecurity training in the month of, the month before, or the month after it is due, the employee is considered to have taken the training in the month it is due.
(f) Recognition of prior or established cybersecurity training. Previously provided cybersecurity training may be credited towards satisfying the requirements of this section provided the owner/operator—
(1) Obtains a complete record of such training and validates the training meets requirements of this section as it relates to the role of the individual employee, and the training was provided within the schedule required for recurrent training; and
(2) Retains a record of such training in compliance with the requirements in paragraph (g) of this section.
(g) Retention of cybersecurity training records. The owner/operator must retain records of initial and recurrent cybersecurity training for each individual required to receive cybersecurity training under this section for no less than 5 years from the date of training that, at a minimum—
(1) Includes the employee’s full name, job title or function, date of hire, and date of initial and recurrent cybersecurity training; and
(2) Identifies the date, course name, course length, and list of topics addressed for the cybersecurity training most recently provided in each of the areas required under paragraph (c) of this section.
(h) Availability of records to employees. The owner/operator must provide records of cybersecurity training to current and former employees upon request and at no charge as necessary to provide proof of training.

§ 1580.321 Detection of cybersecurity incidents.
The owner/operator must incorporate into its COIP policies, procedures, and capabilities sufficient to detect and respond to cybersecurity threats to, and anomalies on, Critical Cyber Systems that, at a minimum—
(a) Defend against malicious email, such as spam and phishing emails, to preclude or mitigate against adverse impacts to operations;
(b) Block ingress and egress communications with known or suspected malicious Internet Protocol addresses;
(c) Control impact of known or suspected malicious web domains or web applications, such as by preventing users and devices from accessing malicious websites;
(d) Block and defend against unauthorized code, including macro scripts, from executing;
(e) Monitor and/or block connections from known or suspected malicious command and control servers (such as Tor exit nodes, and other anonymization services); and
(f) Ensure continuous collection and analysis of data for potential intrusions and anomalous behavior on Critical Cyber Systems and other Information and Operational Technology systems that directly connect with Critical Cyber Systems.

§ 1580.323 Capabilities to respond to a cybersecurity incident.
The owner/operator must incorporate into its COIP capabilities to respond to cybersecurity incidents affecting Critical Cyber Systems that, at a minimum—
(a) Audit unauthorized access to internet domains and addresses;
(b) Document and audit any communications between the Operational Technology system and an internal or external system that deviates from the owner/operator’s identified baseline of communications;
(c) Identify and respond to execution of unauthorized code, including macro scripts; and
(d) Define, prioritize, and drive standardized incident response activities, such as Security Orchestration, Automation, and Response (SOAR).
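The rule text above asks an owner/operator to document a baseline of acceptable communications between zones, to defend zone boundaries so that Operational Technology services cross the Information Technology side only when encrypted (§ 1580.317(a)), and then to audit any OT communication that deviates from that baseline (§ 1580.323(b)). The following Python script is an added illustration of how those three requirements fit together as one detection check; it is not part of the NPRM and not any owner/operator's COIP. The zone names, the netblocks, the baseline rule set and the flow-log records are all constructed for the example, and the one-line flow format ("timestamp src dst proto dport plain|tls") is an assumed export format rather than any particular product's output.

```python
"""Baseline-of-communications audit for IT/OT zone traffic.

Added worked example for this page; it is not text from the TSA rule and
not any owner/operator's COIP. The zone map, the baseline rules and the
flow records below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed logical zones (the kind of zone boundaries a COIP documents).
ZONES = {
    "IT-Enterprise": ip_network("10.1.0.0/16"),
    "DMZ-Historian": ip_network("10.2.0.0/24"),
    "OT-Control": ip_network("10.100.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    """One permitted communication path in the baseline."""
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    require_encryption: bool  # content must be encrypted where a service crosses IT/OT


# Constructed baseline of acceptable communications. Anything else is a deviation.
BASELINE = (
    Rule("OT-Control", "OT-Control", "tcp", 502, False),       # Modbus/TCP inside the control zone
    Rule("OT-Control", "DMZ-Historian", "tcp", 5432, False),   # historian replication into the DMZ
    Rule("IT-Enterprise", "DMZ-Historian", "tcp", 443, True),  # IT reads historian data, TLS only
)


@dataclass(frozen=True)
class Finding:
    line: str
    severity: str
    reason: str


def zone_of(ip: str) -> str:
    """Map an address to its documented zone; anything unmapped is External."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "External"


def parse_flow(line: str) -> tuple[str, str, str, int, bool]:
    """Parse 'ts src dst proto dport plain|tls' (constructed flow-log format)."""
    _ts, src, dst, proto, port, enc = line.split()
    return src, dst, proto.lower(), int(port), enc.lower() != "plain"


def audit(flow_lines, baseline=BASELINE) -> list[Finding]:
    """Return one Finding per flow that deviates from the baseline."""
    findings: list[Finding] = []
    for raw in flow_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, port, encrypted = parse_flow(line)
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        # An undocumented cross-zone flow that touches the control zone is exactly
        # what segmentation exists to prevent, so it is rated high.
        touches_ot_boundary = "OT-Control" in (src_zone, dst_zone) and src_zone != dst_zone
        key = (src_zone, dst_zone, proto, port)
        rule = next((r for r in baseline
                     if (r.src_zone, r.dst_zone, r.proto, r.dst_port) == key), None)
        if rule is None:
            severity = "high" if touches_ot_boundary else "medium"
            findings.append(Finding(line, severity,
                                    f"not in baseline: {src_zone}->{dst_zone} {proto}/{port}"))
        elif rule.require_encryption and not encrypted:
            findings.append(Finding(line, "high",
                                    f"baseline requires encryption: {src_zone}->{dst_zone} {proto}/{port}"))
    return findings


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "2024-11-07T10:00:01Z 10.100.0.20 10.2.0.10 tcp 5432 plain",  # OT -> historian, permitted
    "2024-11-07T10:00:05Z 10.1.5.7 10.2.0.10 tcp 443 tls",        # IT -> historian over TLS, permitted
    "2024-11-07T10:00:09Z 10.1.5.7 10.100.0.20 tcp 502 plain",    # IT host speaking Modbus into OT
    "2024-11-07T10:00:12Z 10.1.5.7 10.2.0.10 tcp 443 plain",      # permitted path, but unencrypted
    "2024-11-07T10:00:20Z 10.100.0.20 203.0.113.9 tcp 443 tls",   # OT host reaching the Internet
    "2024-11-07T10:00:25Z 10.1.5.7 10.1.9.3 tcp 445 plain",       # IT lateral SMB, not documented
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"[{f.severity.upper()}] {f.reason}\n    {f.line}")
```

Run against the six constructed records, the script accepts the two documented paths and reports four deviations: the direct IT-to-OT Modbus connection and the OT host reaching an external address (both undocumented and both crossing the control-zone boundary, so high), the permitted IT-to-historian path used without TLS (the encryption condition in § 1580.317(a)(2)(ii) is part of the baseline, not an afterthought), and an undocumented IT-to-IT flow rated medium. Each finding carries the original record so it can be written to the centralized log store and retained as the audit trail § 1580.323(b) calls for.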
§ 1580.325 Reporting cybersecurity incidents.
(a) Unless otherwise directed by TSA, each owner/operator identified in § 1580.1(a)(1), (a)(4), and (a)(5) must notify CISA of any Reportable Cybersecurity Incidents, as defined in the TSA Cybersecurity Lexicon, as soon as practicable, but no later than 24 hours after a Reportable Cybersecurity Incident is identified.
(b) Reports required by this section must be made by the methods prescribed by TSA. All reported information will be protected in a manner appropriate for the sensitivity and criticality of the information.
(c) The report to CISA must include the following information, as available to the reporting owner/operator at the time of the report:
(1) The name of the reporting individual and contact information, including a telephone number and email address. The report must also explicitly specify that the information is being reported in order to satisfy the reporting requirements in Transportation Security Regulations.
(2) The affected rail system(s) or facilities, including identifying information and location.
(3) Description of the threat, incident, or activity, to include:
(i) Earliest known date of compromise;
(ii) Date of detection;
(iii) Information about who has been notified and what action has been taken;
(iv) Any relevant information observed or collected by the owner/operators, such as malicious Internet Protocol addresses, malicious domains, malware hashes and/or samples, or the abuse of legitimate software or accounts; and
(v) Any known threat information, to include information about the source of the threat or cybersecurity incident, if available.
(4) A description of the incident’s impact or potential impact on Information or Operational Technology systems and operations.
This information must also include an assessment of actual or imminent adverse impacts to service operations, operational delays, and/or data theft that have or are likely to be incurred, as well as any other information that would be informative in understanding the impact or potential impact of the cybersecurity incident.
(5) A description of all responses that are planned or under consideration, to include, for example, a reversion to manual operations of train movement and control, if applicable.
(6) Any additional information not specifically required by this section, but which is critical to an understanding of the threat and owner/operator’s response to a reportable cybersecurity incident.
(d) If all the required information is not available at the time of reporting, owner/operators must submit an initial report within the specified timeframe and supplement as additional information becomes available.

§ 1580.327 Cybersecurity Incident Response Plan.
(a) The owner/operator must incorporate into its COIP an up-to-date Cybersecurity Incident Response Plan (CIRP) for the owner/operator’s Critical Cyber Systems to reduce the impacts of a cybersecurity incident that causes, or could cause, operational disruption or significant impacts on business-critical functions.
(b) The CIRP must provide specific measures sufficient to ensure the following objectives, as applicable:
(1) Promptly identifying, isolating, and segregating the infected systems from uninfected systems, networks, and devices using measures that prioritize:
(i) Limiting the spread of autonomous malware;
(ii) Denying continued access by a threat actor to systems;
(iii) Determining extent of compromise; and
(iv) Preserving evidence and data.
(2) Only data stored and secured as required by § 1580.317(e) is used to restore systems and that all stored backup data is scanned with host security software to ensure the data is free of malicious artifacts before being used for restoration.
(3) Established capability and governance for implementing mitigation measures or manual controls that ensure that the Operational Technology system can be isolated when a cybersecurity incident in the Information Technology system creates risk to the safety and reliability of the Operational Technology system.
(c) The CIRP must identify who (by position) is responsible for implementing the specific measures in the plan and any necessary resources needed to implement the measures.
(d) The owner/operator must conduct an exercise to test the effectiveness of the CIRP no less than annually. The exercise conducted under this paragraph must—
(1) Test at least two objectives of the owner/operator’s CIRP required by paragraph (b) of this section, no less than annually; and
(2) Include the employees identified (by position) in paragraph (c) as active participants in the exercise.
(e) Within no more than 90 days after the date of the exercise required by paragraph (d), the owner/operator must update the CIRP as appropriate to address any issues identified during the exercise.
(f) The owner/operator must notify TSA within 15 days of any changes to the CIRP. As the owner/operator must separately notify TSA, updating the COIP to align with information provided to TSA under this section does not require an amendment subject to the procedures in § 1570.107 of this subchapter.

§ 1580.329 Cybersecurity Assessment Plan.
(a) Requirement for a Cybersecurity Assessment Plan.
No later than 90 days from TSA’s approval of the owner/operator’s COIP, the owner/operator must submit to TSA a Cybersecurity Assessment Plan (CAP) sufficient to—
(1) Proactively assess the effectiveness of all policies, procedures, measures, and capabilities in the owner/operator’s TSA-approved COIP as applied to all Critical Cyber Systems; and
(2) Identify and resolve device, network, and/or system vulnerabilities associated with Critical Cyber Systems.
(b) Contents of the CAP. At a minimum, the CAP must describe in detail:
(1) The plan to assess the effectiveness of the owner/operator’s TSA-approved COIP as applied to all Critical Cyber Systems;
(2) Schedule and scope of an architectural design review within 12 months either before or after TSA’s approval of the owner/operator’s COIP, to be repeated at least once every 2 years thereafter. The architectural design review required by this paragraph must include verification and validation of network traffic, a system log review, and analysis to identify cybersecurity vulnerabilities related to network design, configuration, and interconnectivity to internal and external systems;
(3) Other assessment capabilities designed to identify vulnerabilities to Critical Cyber Systems based on evolving threat information and adversarial capabilities, such as penetration testing of Information Technology systems, including the use of ‘‘red’’ and ‘‘purple’’ team (adversarial perspective) testing.
(c) Specific Schedule.
(1) In addition to specifying the schedule for the architectural design review required by paragraph (b)(2), the CAP must include a schedule for conducting the assessments required by paragraph (b) sufficient to ensure at least one-third of the policies, procedures, measures, and capabilities in the TSA-approved COIP are assessed each year, with 100 percent of the COIP and all Critical Cyber Systems assessed over a 3-year period.
(2) The schedule required by this paragraph must map the planned assessments to the COIP and Critical Cyber System to document the plan will ensure all policies, procedures, measures, and capabilities in the owner/operator’s TSA-approved COIP and all Critical Cyber Systems will be assessed within the timeframes required by paragraph (c)(1).
(d) Independence of assessors and auditors. Owner/operators must ensure that the assessments, audits, testing, and other capabilities to assess the effectiveness of its TSA-approved COIP are not conducted by individuals who have oversight or responsibility for implementing the owner/operator’s CRM program and have no vested or other financial interest in the results of the CAP.
(e) Annual submission of report. The owner/operator must ensure a report of the results of assessments conducted in accordance with the CAP is provided to corporate leadership and individuals designated under § 1580.309(a) and (b)(1) of this subpart, and submitted to TSA, no later than 15 months from the date of approval of the initial CAP and annually thereafter. The required report must indicate—
(1) Which assessment method(s) were used to determine if the policies, procedures, and capabilities described by the owner/operator in its COIP are effective; and
(2) Results of the assessment methodologies.
(f) Annual update of the CAP. The owner/operator must review and annually update the CAP to address any changes to policies, procedures, measures, or capabilities in the COIP or assessment capabilities required by paragraph (b). The updated CAP must be submitted to TSA for approval no later than 12 months from the date of TSA’s approval of the current CAP.
(g) Sensitive Security Information. Assessments conducted under this section are vulnerability assessments as defined in § 1500.3 of this chapter and must be protected as Sensitive Security Information under § 1520.5(b)(5) of this chapter.

§ 1580.331 Documentation to establish compliance.
For the purposes of the requirements in this subpart, upon TSA’s request, the owner/operator must provide for inspection or copying the following types of information to establish compliance:
(a) Hardware/software asset inventory, including supervisory control and data acquisition (SCADA) systems;
(b) Firewall rules;
(c) Network diagrams, switch and router configurations, architecture diagrams, publicly routable internet protocol addresses, and Virtual Local Area Networks;
(d) Policy, procedural, and other documents that informed the development, and documented implementation of, the owner/operator’s CRM program;
(e) Data providing a ‘‘snapshot’’ of activity on and between Information and Operational Technology systems such as:
(1) Log files;
(2) A capture of network traffic (such as packet capture (PCAP)), for a scope and period directed by TSA, not less than 24 hours and not to exceed 48 hours;
(3) ‘‘East-West Traffic’’ of Information Technology systems, sites, and environments within the scope of this subpart; and
(4) ‘‘North-South Traffic’’ between Information and Operational Technology systems, and the perimeter boundaries between them; and
(f) Any other records or documents necessary to determine compliance with this subpart.

■ 19. Revise appendix B to part 1580 to read as follows:

Appendix B to Part 1580—Security-Sensitive Functions for Freight Rail
This table identifies security-sensitive job functions for owner/operators regulated under this part. All employees performing security-sensitive functions are ‘‘security-sensitive employees’’ for purposes of this rule and must be trained in accordance with this part.

A. Operating a vehicle.
Security-sensitive job functions: 1. Employees who operate or directly control the movements of locomotives or other self-powered rail vehicles. 2. Train conductor, trainman, brakeman, or utility employee or performs acceptance inspections, couples and uncouples rail cars, applies handbrakes, or similar functions. 3. Employees covered under the Federal hours of service laws as ‘‘train employees.’’ See 49 U.S.C. 21101(5) and 21103.
Examples of job titles applicable to these functions*: Engineer, conductor.

B. Inspecting and maintaining vehicles.
Security-sensitive job functions: Employees who inspect or repair rail cars and locomotives.
Examples of job titles*: Carman, car repairman, car inspector, engineer, conductor.

C. Inspecting or maintaining building or transportation infrastructure.
Security-sensitive job functions: 1. Employees who— a. Maintain, install, or inspect communications and signal equipment. b. Maintain, install, or inspect track and structures, including, but not limited to, bridges, trestles, and tunnels. 2. Employees covered under the Federal hours of service laws as ‘‘signal employees.’’ See 49 U.S.C. 21101(3) and 21104.
Examples of job titles*: Signalman, signal maintainer, trackman, gang foreman, bridge and building laborer, roadmaster, bridge and building inspector/operator.

D. Controlling dispatch or movement of a vehicle.
Security-sensitive job functions: 1. Employees who— a. Dispatch, direct, or control the movement of trains. b. Operate or supervise the operations of moveable bridges. c. Supervise the activities of train crews, car movements, and switching operations in a yard or terminal. 2. Employees covered under the Federal hours of service laws as ‘‘dispatching service employees.’’ See 49 U.S.C. 21101(2) and 21105.
Examples of job titles*: Yardmaster, dispatcher, block operator, bridge operator.

E. Providing security of the owner/operator’s equipment and property.
Security-sensitive job functions: Employees who provide for the security of the railroad carrier’s equipment and property, including acting as a railroad police officer (as that term is defined in 49 CFR 207.2).
Examples of job titles*: Police officer, special agent; patrolman; watchman; guard.

F. Loading or unloading cargo or baggage.
Security-sensitive job functions: Includes, but is not limited to, employees that load or unload hazardous materials.
Examples of job titles*: Service track employee.

G. Interacting with travelling public (on board a vehicle or within a transportation facility).
Security-sensitive job functions: Employees of a freight railroad operating in passenger service.
Examples of job titles*: Conductor, engineer, agent.

H. Complying with security programs or measures, including those required by Federal law.
Security-sensitive job functions: 1. Employees who serve as security coordinators designated in §§ 1580.103 or 1580.311 of this subchapter, as well as any designated alternates or secondary security coordinators. 2. Employees who— a. Conduct training and testing of employees when the training or testing is required by TSA’s security regulations. b. Perform inspections or operations required by § 1580.205 of this subchapter. c. Manage or direct implementation of security plan requirements.
Examples of job titles*: Security coordinator, accountable executive train master, assistant train master, roadmaster, division roadmaster.

* These job titles are provided solely as a resource to help understand the functions described; whether an employee must be trained is based upon the function, not the job title.

■ 20. Add appendix C to part 1580 to read as follows:

Appendix C to Part 1580—Reporting of Significant Physical Security Concerns

Breach, Attempted Intrusion, and/or Interference: Unauthorized personnel attempting to or actually entering a restricted area or secure site relating to a transportation facility or conveyance owned, operated, or used by an owner/operator subject to this part. This includes individuals entering or attempting to enter by impersonation of authorized personnel (for example, police/security, janitor, vehicle owner/operator). Activity that could interfere with the ability of employees to perform duties to the extent that security is threatened.

Misrepresentation: Presenting false, or misusing, insignia, documents, and/or identification, to misrepresent one’s affiliation with an owner/operator subject to this part to cover possible illicit activity that may pose a risk to transportation security.

Theft, Loss, and/or Diversion: Stealing or diverting identification media or badges, uniforms, vehicles, keys, tools capable of compromising track integrity, portable derails, technology, or classified or sensitive security information documents which are proprietary to the facility or conveyance owned, operated, or used by an owner/operator subject to this part.

Sabotage, Tampering, and/or Vandalism: Damaging, manipulating, or defeating safety and security appliances in connection with a facility, infrastructure, conveyance, or routing mechanism, resulting in the compromised use or the temporary or permanent loss of use of the facility, infrastructure, conveyance or routing mechanism. Placing or attaching a foreign object to a rail car(s).

Expressed or Implied Threat: Communicating a spoken or written threat to damage or compromise a facility/infrastructure/conveyance owned, operated, or used by an owner/operator subject to this part (for example, a bomb threat or active shooter).

Eliciting Information: Questioning that may pose a risk to transportation or national security, such as asking one or more employees of an owner/operator subject to this part about particular facets of a facility’s or conveyance’s purpose, operations, or security procedures.

Testing or Probing of Security: Deliberate interactions with employees of an owner/operator subject to this part or challenges to facilities or systems owned, operated, or used by an owner/operator subject to this part that reveal physical, personnel, or security capabilities or sensitive information.

Photography: Taking photographs or video of facilities, conveyances, or infrastructure owned, operated, or used by an owner/operator subject to this part in a manner that may pose a risk to transportation or national security. Examples include taking photographs or video of infrequently used access points, personnel performing security functions (for example, patrols, badge/vehicle checking), or security-related equipment (for example, perimeter fencing, security cameras).

Observation or Surveillance: Demonstrating unusual interest in facilities or loitering near conveyances, railcar routing appliances or any potentially critical infrastructure owned or operated by an owner/operator subject to this part in a manner that may pose a risk to transportation or national security. Examples include observation through binoculars, taking notes, or attempting to measure distances.

Materials Acquisition and/or Storage: Acquisition and/or storage by an employee of an owner/operator subject to this part of materials such as cell phones, pagers, fuel, chemicals, toxic materials, and/or timers that may pose a risk to transportation or national security (for example, storage of chemicals not needed by an employee for the performance of his or her job duties).

Weapons Discovery, Discharge, or Seizure: Weapons or explosives in or around a facility, conveyance, or infrastructure of an owner/operator subject to this part that may present a risk to transportation or national security (for example, discovery of weapons inconsistent with the type or quantity traditionally used by company security personnel).

Suspicious Items or Activity: Discovery or observation of suspicious items, activity or behavior in or around a facility, conveyance, or infrastructure of an owner/operator subject to this part that results in the disruption or termination of operations (for example, halting the operation of a conveyance while law enforcement personnel investigate a suspicious bag, briefcase, or package).

PART 1582—PUBLIC TRANSPORTATION AND PASSENGER RAILROAD SECURITY

■ 21. Revise the authority citation for part 1582 to read as follows:
Authority: 49 U.S.C. 114; Pub. L. 110–53, 121 Stat. 266.

■ 22. Amend § 1582.3 by adding the definition of ‘‘Unlinked passenger trips’’ in alphabetical order.

§ 1582.3 Terms used in this part.
* * * * *
Unlinked passenger trips means the number of times passengers board public transportation vehicles based on counting passengers each time they board vehicles, no matter how many vehicles they use to travel from their origin to their destination and regardless of whether they pay a fare, use a pass or transfer, ride for free, or pay in some other way.

■ 23. Revise subpart B of part 1582 to read as follows:

Subpart B—Security Programs: Physical Security
Sec.
1582.101 Scope.
1582.103 Physical Security Coordinator.
1582.105 Reporting of significant physical security concerns.
1582.107 [Reserved]
1582.109 [Reserved]
1582.111 [Reserved]
1582.113 Security training program requirements.
1582.115 [Reserved]

§ 1582.101 Scope.
This subpart includes requirements that are primarily intended to ensure the physical security of public transportation and passenger railroads. Physical security encompasses the security of individuals, buses, rail cars, and transportation facilities, as well as the persons in areas in or near to operations that could have their safety and security threatened by an attack on physical systems and assets. Owner/operators identified in § 1582.1 must review the applicability in each section in this subpart to determine if any of the requirements apply to their operations.

§ 1582.103 Physical Security Coordinator.
(a)(1) Except as provided in paragraphs (a)(2) and (3) of this section, each owner/operator identified in § 1582.1 must designate and use a primary and at least one alternate Physical Security Coordinator at the corporate level to function as the administrator for sharing security-related activities and information.
(2) An owner/operator identified in § 1582.1(a)(2) that owns or operates a bus-only operation must designate and use a primary and at least one alternate Physical Security Coordinator only if the owner/operator is identified in appendix A to part 1582 of this subchapter or is notified by TSA in writing that a threat exists concerning that operation.
(3) An owner/operator identified in § 1582.1(a)(4) (tourist, scenic, historic, or excursion rail operations) must designate and use a primary and at least one alternate Physical Security Coordinator only if notified by TSA in writing that a threat exists concerning that type of operation.
(b) The primary Physical Security Coordinator and alternate(s) must—
(1) Be accessible to TSA on a 24 hours per day, 7 days per week basis;
(2) Serve as the primary contact(s) for intelligence information and security-related activities and communications with TSA (any individual designated as a Physical Security Coordinator may perform other duties in addition to the duties described in this section); and
(3) Coordinate security practices and procedures required by this subchapter internally and with appropriate law enforcement and emergency response agencies.
(c) The Physical Security Coordinator and alternate(s) must be a U.S. citizen eligible for a security clearance, unless otherwise waived by TSA.
(d) Each owner/operator required to have a Physical Security Coordinator must provide in writing to TSA the names, U.S. citizenship status, titles, business phone number(s), and business email address(es) of the Physical Security Coordinator and alternate(s).
Changes in any of the information required by this section must be submitted to TSA within 7 calendar days.

§ 1582.105 Reporting of significant physical security concerns.

(a) Each owner/operator identified in § 1582.1 must report, within 24 hours of initial discovery, any potential threats and significant physical security concerns involving transportation-related operations in the United States or transportation to, from, or within the United States as soon as possible by the methods prescribed by TSA.
(b) Potential threats or significant physical security concerns encompass incidents, suspicious activities, and threat information affecting physical operations including, but not limited to, the categories of reportable events listed in appendix C to this part.
(c) Information reported must include the following, as available and applicable:
(1) The name of the reporting individual and contact information, including a telephone number or email address.
(2) The affected freight or passenger train, bus, conveyance, station, terminal, rail hazardous materials facility, or other transportation facility or infrastructure, including identifying information and current location.
(3) Scheduled origination and termination locations for the affected passenger train or bus—including departure and destination station, city, and route, as applicable.
(4) Description of the threat, incident, or activity, including who has been notified and what action has been taken.
(5) The names, other available biographical data, and/or descriptions (including vehicle or license plate information) of individuals or motor vehicles known or suspected to be involved in the threat, incident, or activity.
(6) The source of any threat information.
§ 1582.107 [Reserved]

§ 1582.109 [Reserved]

§ 1582.111 [Reserved]

§ 1582.113 Security training program requirements.

(a) Applicability. This section applies to the following:
(1) Amtrak (also known as the National Railroad Passenger Corporation).
(2) Each owner/operator identified in Appendix A to this part.
(3) Each owner/operator described in § 1582.1(a)(1) through (3) that serves as a host railroad to a freight operation described in § 1580.113(a) of this subchapter or to a passenger train operation described in paragraphs (a)(1) or (2) of this section.
(b) Training required for security-sensitive employees. No owner/operator identified in paragraph (a) of this section may use a security-sensitive employee to perform a function identified in Appendix B to this part, unless that individual has received training as part of a security training program approved by TSA or is under the direct supervision of an employee who has received the training required by this section as applicable to that security-sensitive function. Upon approval, this security training program becomes part of the owner/operator’s TSA-approved security program.
(c) Limits on use of untrained employees. Notwithstanding paragraph (b) of this section, a security-sensitive employee may not perform a security-sensitive function for more than 60 calendar days without receiving security training.
(d) General requirements. Each owner/operator required to provide security training to its employees under this section must submit its security training program to TSA for approval in a form and manner prescribed by TSA. The security training program must include the following information:
(1) Name of owner/operator.
(2) Name, title, telephone number, and email address of the primary individual to be contacted with regard to review of the security training program.
(3) Number, by specific job function category identified in Appendix B to this part, of security-sensitive employees trained or to be trained.
(4) Implementation schedule that identifies a specific date by which the required initial and recurrent security training will be completed.
(5) Location where training program records will be maintained.
(6) Plan for ensuring supervision of untrained security-sensitive employees performing functions identified in Appendix B to this part.
(7) Plan for notifying employees of changes to security measures that could change information provided in previously provided training.
(8) Method(s) for evaluating the effectiveness of the security training program in each area required by paragraph (e) of this section.
(e) General curriculum requirements. The security training program submitted to TSA for approval must include a curriculum or lesson plan, including learning objectives and method of delivery (such as instructor-led or computer-based training), for each course used to meet the requirements in paragraph (f) of this section. TSA may request additional information regarding the curriculum during the review and approval process. If recurrent training under paragraph (j) of this section is not the same as initial training, a curriculum or lesson plan for the recurrent training will need to be submitted and approved by TSA.
(f) Specific curriculum requirements.
(1) Prepare.
Each owner/operator must ensure that each of its security-sensitive employees with position- or function-specific responsibilities under the owner/operator’s security program has knowledge of how to fulfill those responsibilities in the event of a security threat, breach, or incident to ensure—
(i) Employees with responsibility for transportation security equipment and systems are aware of their responsibilities and can verify the equipment and systems are operating and properly maintained; and
(ii) Employees with other duties and responsibilities under the company’s security plans and/or programs, including those required by Federal law, know their assignments and the steps or resources needed to fulfill them.
(2) Observe. Each owner/operator must ensure that each of its security-sensitive employees has knowledge of the observational skills necessary to recognize—
(i) Suspicious and/or dangerous items, such as substances, packages, or conditions (for example, characteristics of an Improvised Explosive Device and signs of equipment tampering or sabotage);
(ii) Combinations of actions and individual behaviors that appear suspicious and/or dangerous, inappropriate, inconsistent, or out of the ordinary for the employee’s work environment, which could indicate a threat to transportation security; and
(iii) How a terrorist or someone with malicious intent may attempt to gain sensitive information or take advantage of vulnerabilities.
(3) Assess. Each owner/operator must ensure that each of its security-sensitive employees has the knowledge necessary to—
(i) Determine whether the item, individual, behavior, or situation requires a response as a potential terrorist threat based on the respective transportation environment; and
(ii) Identify appropriate responses based on observations and context.
(4) Respond.
Each owner/operator must ensure that each of its security-sensitive employees has knowledge of how to—
(i) Appropriately report a security threat, including knowing how and when to report internally to other employees, supervisors, or management, and externally to Local, State, or Federal agencies according to the owner/operator’s security procedures or other relevant plans;
(ii) Interact with the public and first responders at the scene of the threat or incident, including communication with passengers on evacuation and any specific procedures for individuals with disabilities and the elderly; and
(iii) Use any applicable self-defense devices or other protective equipment provided to employees by the owner/operator.
(g) Relation to other training. Training conducted by owner/operators to comply with other requirements or standards, such as emergency preparedness training required by the Department of Transportation (DOT) (49 CFR part 239) or other training for communicating with emergency responders to arrange the evacuation of passengers, may be combined with and used to satisfy elements of the training requirements in this section.
(h) Submission. If commencing or modifying operations subject to these requirements after June 21, 2021, the training program must be submitted to TSA no later than 90 calendar days before commencing new or modified operations.
(i) Initial security training. Each owner/operator must provide initial security training to security-sensitive employees, using the curriculum approved by TSA and in compliance with the following schedule.
(1) For security training programs submitted to TSA for approval after March 22, 2021, if the employee is employed to perform a security-sensitive function on the date TSA approves the program, then initial training must be provided no later than 12 months after the date that TSA approves the owner/operator’s security training program.
(2) If performance of a security-sensitive job function is initiated after TSA approves the owner/operator’s security training program, then initial training must be provided no later than 60 calendar days after the employee first performs the security-sensitive job function.
(3) If the security-sensitive job function is performed intermittently, then initial security training must be provided no later than the 60th calendar day of employment performing a security-sensitive function, aggregated over a consecutive 12-month period.
(j) Recurrent security training.
(1) Except as provided in paragraph (j)(2) of this section, a security-sensitive employee required to receive training must receive the required training at least once every 3 years.
(2) If an owner/operator modifies a security program or security plan for which training is required, the owner/operator must ensure each security-sensitive employee with position- or function-specific responsibilities related to the revised plan or program changes receives training on the revisions within 90 days of implementation of the revised plan or program changes. All other employees must receive training that reflects the changes to the operating security requirements as part of their regularly scheduled recurrent training.
(3) The 3-year recurrent training cycle is based on the anniversary calendar month of the employee’s initial security training.
If the owner/operator provides the recurrent security training in the month of, the month before, or the month after it is due, the employee is considered to have taken the training in the month it is due.
(k) Recognition of prior training. Previously provided security training may be credited towards satisfying the requirements of this section provided the owner/operator—
(1) Obtains a complete record of such training and validates that the training meets the requirements of this section as it relates to the function of the individual security-sensitive employee, and that the training was provided within the schedule required for recurrent training; and
(2) Retains a record of such training in compliance with the requirements in paragraph (l) of this section.
(l) Retention of security training records. The owner/operator must retain records of initial and recurrent security training for each individual required to receive security training under this section for no less than 5 years from the date of training. The records must, at a minimum—
(1) Include the employee’s full name, job title or function, date of hire, and date of initial and recurrent security training; and
(2) Identify the date, course name, course length, and list of topics addressed for the security training most recently provided in each of the areas required under paragraph (e) of this section.
(m) Availability of records to employees. The owner/operator must provide records of security training to current and former employees upon request and at no charge as necessary to provide proof of training.
(n) Incorporation into security program. Once approved by TSA, the security training program required by this section is part of the owner/operator’s TSA-approved security program. The owner/operator must implement and maintain the security training program and comply with timeframes for implementation identified in the security training program.
Any modifications or amendments to the program must be made as stipulated in § 1570.107 of this subchapter.
(o) Situations requiring owner/operator to revise security training program. The owner/operator must submit a request to amend its security program if, after approval, the owner/operator makes, or intends to make, permanent (to be in effect for 60 or more calendar days) or substantive changes to its security training curriculum, including changes to address:
(1) Determinations that the security training program is ineffective based on the approved method for evaluating effectiveness in the security training program approved by TSA; or
(2) Development of recurrent training material for purposes of meeting the requirements in paragraph (j) of this section or other alternative training materials not previously approved by TSA.

§ 1582.115 [Reserved]

■ 24. Add subpart C of part 1582 to read as follows:

Subpart C—Cybersecurity Risk Management

Sec.
1582.201 Scope and applicability.
1582.203 Form, content, and availability of Cybersecurity Risk Management program.
1582.205 Cybersecurity evaluation.
1582.207 Cybersecurity Operational Implementation Plan.
1582.209 Governance of the CRM program.
1582.211 Cybersecurity Coordinator.
1582.213 Identification of Critical Cyber Systems.
1582.215 Supply chain risk management.
1582.217 Protection of Critical Cyber Systems.
1582.219 Cybersecurity training and knowledge.
1582.221 Detection of cybersecurity incidents.
1582.223 Capabilities to respond to a cybersecurity incident.
1582.225 Reporting cybersecurity incidents.
1582.227 Cybersecurity Incident Response Plan.
1582.229 Cybersecurity Assessment Plan.
1582.231 Documentation to establish compliance.

§ 1582.201 Scope and applicability.

(a) Scope.
This subpart includes requirements to ensure the cybersecurity of public transportation and passenger railroads to mitigate the risk of significant harm to individuals and transportation facilities, as well as persons in areas in or near rail operations, that could have their safety and security threatened as a result of the degradation, destruction, or malfunction of systems that control these systems and infrastructure. In addition, cybersecurity incidents could have significant impacts on the national and economic security of the United States by impeding the movement of people who rely on public transportation for commuting or intercity rail operations. The owner/operators identified in § 1582.1 must review the applicability for carrying out a Cybersecurity Risk Management program in paragraph (b) of this section, designation of a Cybersecurity Coordinator in § 1582.211, and cybersecurity incident reporting requirements in § 1582.225 to determine if the requirements apply to their operations.
(b) Applicability. Each owner/operator described in § 1582.1 must adopt and carry out a Cybersecurity Risk Management (CRM) program for each operation that meets any of the following criteria:
(1) Is a passenger railroad carrier with average daily unlinked passenger trips of 5,000 or greater in any of the three calendar years before [EFFECTIVE DATE OF FINAL RULE] or any single calendar year after [EFFECTIVE DATE OF FINAL RULE].
(2) Is a passenger railroad carrier described in § 1582.1(a)(1) through (3) that serves as a host railroad to a Class I railroad or Amtrak, regardless of ridership volume.
(3) Is a rail transit system described in § 1582.1(a)(3) with average daily unlinked passenger trips of 50,000 or greater in any of the three calendar years before [EFFECTIVE DATE OF FINAL RULE] or any single calendar year after [EFFECTIVE DATE OF FINAL RULE].
§ 1582.203 Form, content, and availability of Cybersecurity Risk Management program.

(a) General content requirements. The CRM program required by this subpart is a comprehensive program that includes the following components:
(1) A cybersecurity evaluation completed and updated as required by § 1582.205;
(2) A TSA-approved Cybersecurity Operational Implementation Plan (COIP) that meets the requirements in § 1582.207; and
(3) A Cybersecurity Assessment Plan that meets the requirements in § 1582.229.
(b) Subsidiaries. If a single CRM program is developed and implemented for multiple business units within a single corporate entity, any documents used to comply or establish compliance with the requirements in this subpart must clearly identify and distinguish application of the requirements to each business unit.

§ 1582.205 Cybersecurity evaluation.

(a) General. Each owner/operator required to have a CRM program must complete an initial and recurrent cybersecurity evaluation sufficient to determine the owner/operator’s current enterprise-wide cybersecurity profile of logical/virtual and physical security controls when evaluated against the CRM program requirements in this subpart, using a form provided by TSA or other tools approved by TSA.
(b) Timing. The initial cybersecurity evaluation must be completed no later than [DATE 90 DAYS AFTER EFFECTIVE DATE OF FINAL RULE], but no more than one year before the date of submission of the owner/operator’s Cybersecurity Operational Implementation Plan required by § 1582.207 of this subpart. If commencing or modifying operations subject to these requirements after [EFFECTIVE DATE OF FINAL RULE], the initial cybersecurity evaluation must be submitted to TSA no later than 45 calendar days after commencing the new or modified operations triggering applicability.
(c) Annual updates.
The evaluation required by paragraph (a) of this section must be updated annually, no later than one year from the anniversary date of the previously completed evaluation.
(d) Notification. The owner/operator must notify TSA within 7 days of completing the evaluation and annual updates required by this section. A copy of the evaluation must be provided to TSA upon request.
(e) Sensitive Security Information. This evaluation is a vulnerability assessment as defined in § 1500.3 of this chapter and must be protected as Sensitive Security Information under § 1520.5(b)(5) of this chapter.

§ 1582.207 Cybersecurity Operational Implementation Plan.

(a) Requirement. Each owner/operator required to have a CRM program under this part must adopt a COIP.
(b) General content. The COIP must include the following corporate information:
(1) The name and corporate address of the owner/operator;
(2) Written attestation by the owner/operator’s accountable executive that the COIP has been reviewed and approved by senior management; and
(3) Identification of specific operations that meet the applicability criteria.
(c) Specific content. The COIP must detail the owner/operator’s defense-in-depth plan, including physical and logical/virtual security controls, to comply with the requirements and security outcomes specified in the following sections:
(1) Governance. The requirements for governance of the CRM program in § 1582.209 and the designation of a Cybersecurity Coordinator in § 1582.211.
(2) Identification of Critical Cyber Systems, network architecture, and interdependencies. The requirements to identify Critical Cyber Systems and network architecture in § 1582.213 and supply chain risk management in § 1582.215.
(3) Procedures, policies, and capabilities to protect Critical Cyber Systems. The requirements for protection of Critical Cyber Systems in § 1582.217 and training of cybersecurity-sensitive employees in § 1582.219.
(4) Procedures, policies, and capabilities to detect cybersecurity incidents. The requirements for detecting cybersecurity incidents in § 1582.221.
(5) Procedures, policies, and capabilities to respond to, and recover from, cybersecurity incidents. The requirements for responding to cybersecurity incidents in § 1582.223, reporting cybersecurity incidents in § 1582.225, and the Cybersecurity Incident Response Plan in § 1582.227.
(d) Plan of Action and Milestones.
(1) To the extent an owner/operator does not meet every requirement and security outcome identified in paragraphs (c)(1) through (c)(5) of this section, the COIP must include a plan of action and milestones (POAM).
(2) The POAM must include:
(i) Policies, procedures, measures, or capabilities that the owner/operator will develop or obtain, as applicable, to ensure all requirements and security outcomes in this subpart are met;
(ii) Physical and logical/virtual security controls that the owner/operator will implement to mitigate the risks associated with not fully complying with requirements or security outcomes in this subpart; and
(iii) A detailed timeframe for full compliance with all requirements and security outcomes in this subpart, not to exceed 3 years from the date of submission to TSA of the COIP required by this section.
(3) The POAM must be updated as necessary to address any deficiencies identified during the evaluation required by § 1582.205 or because of an assessment conducted under § 1582.229 that will not be immediately addressed through an update to the COIP.
(e) Approval and implementation.
(1) Submission deadlines. The COIP must be made available to TSA, in a form and manner prescribed by TSA, no later than [DATE 180 DAYS AFTER EFFECTIVE DATE OF FINAL RULE].
If commencing or modifying operations subject to these requirements after [EFFECTIVE DATE OF FINAL RULE], the COIP must be made available to TSA no later than 45 calendar days before commencing new or modified operations.
(2) Effective date. After considering all relevant materials and any additional information required by TSA, TSA will notify the owner/operator’s accountable executive of TSA’s decision to approve the owner/operator’s COIP. The COIP becomes effective 30 days after the owner/operator is notified whether its COIP is approved.
(3) TSA-approved security program. Once approved by TSA, the COIP, any appendices, and any policies or procedures incorporated by reference are a part of a TSA-approved security program, subject to the protections in part 1520 of this chapter and the procedures applicable to security programs in subpart B of part 1570 of this subchapter.
(f) Status report and updates. The CRM program must be reviewed and updated by the owner/operator within 60 days of the evaluations or assessments required by §§ 1582.205 or 1582.229, as necessary to address any identified vulnerabilities or weaknesses in the procedures, policies, or capabilities identified in the CRM program.
(g) Revisions. Unless otherwise specified in this subpart, any substantive modifications or amendments to the COIP must be made in accordance with the procedures in § 1570.107 of this subchapter.

§ 1582.209 Governance of the CRM program.

(a) Accountable Executive.
(1) No later than [DATE 30 DAYS FROM EFFECTIVE DATE OF FINAL RULE], the owner/operator must provide to TSA the names, titles, business telephone numbers, and business email addresses of the owner/operator’s accountable executive and the primary individual to be contacted about the owner/operator’s CRM program. If any of the information required by this section changes, the owner/operator must provide the updated information to TSA within seven days of the change.
(2) The accountable executive must be an individual who has the authority and knowledge necessary for the development, implementation, and managerial oversight of the TSA-approved CRM program, including cybersecurity administration, risk assessments, inspections and control procedures, and coordinating communications with the owner/operator’s leadership and staff on implementation and sustainment of the CRM program. To the extent possible, the accountable executive should not be the Cybersecurity Coordinator or an individual responsible for management of Information or Operational Technology systems or for systems administration.
(b) COIP. The COIP must also include:
(1) Identification of positions designated by the owner/operator to manage implementation of policies, procedures, and capabilities described in the COIP and coordinate improvements to the CRM program.
(2) Corporate-level identification of any authorized representatives, as defined in the TSA Cybersecurity Lexicon, who are responsible for any or all of the CRM program or cybersecurity measures identified in the CRM program, and written documentation (such as contractual agreements) clearly identifying the roles and responsibilities of the authorized representative under the CRM program.
(3) The information required by paragraph (a)(1) of this section.
(c) Process. Updating the COIP to align with information provided to TSA under this section does not require an amendment subject to the procedures in § 1570.107 of this subchapter.

§ 1582.211 Cybersecurity Coordinator.

(a)(1) Except as provided in paragraph (a)(2) of this section, each owner/operator identified in § 1582.103(a) must designate employees at the corporate level to serve as the primary and at least one alternate Cybersecurity Coordinator with responsibility for sharing critical cybersecurity information.
(2) Each owner/operator identified in § 1582.103(a)(3) must designate and use a primary and at least one alternate Cybersecurity Coordinator only if notified by TSA in writing that a threat exists concerning that type of operation.
(b) The Cybersecurity Coordinator and alternate(s) must—
(1) Serve as the primary contact for cyber-related intelligence information and cybersecurity-related activities and communications with TSA and the Cybersecurity and Infrastructure Security Agency (CISA);
(2) Have the following knowledge and skills, through current certifications or equivalent job experience:
(i) General cybersecurity guidance and best practices;
(ii) Relevant law and regulations pertaining to cybersecurity;
(iii) Handling of Sensitive Security Information and security-related communications; and
(iv) Current cybersecurity threats applicable to the owner/operator’s operations and systems;
(3) Be accessible to TSA and CISA 24 hours per day, seven days per week;
(4) Have a Homeland Security Information Network (HSIN) account or other TSA-designated communication platform for information sharing relevant to the requirements in this subpart; and
(5) Work with appropriate law enforcement and emergency response agencies in addressing cybersecurity threats or responding to cybersecurity incidents.
(c) The Cybersecurity Coordinator and alternate(s) must be a U.S. citizen eligible for a security clearance, unless otherwise waived by TSA.
(d) Owner/operators must provide in writing to TSA the names, titles, business phone number(s), and business email address(es) of the Cybersecurity Coordinator and alternate Cybersecurity Coordinator(s) required by paragraph (a) of this section no later than [DATE 7 DAYS AFTER EFFECTIVE DATE OF FINAL RULE], or within 7 days of the commencement of new operations or of any change in the information required by this section that occurs after [DATE 7 DAYS AFTER EFFECTIVE DATE OF FINAL RULE].
(e) In addition to providing the information to TSA as required by paragraph (d), any owner/operator required to have a CRM program under this part must also include the information required by paragraph (d) of this section in the COIP. As the owner/operator must separately notify TSA of this information, and any changes to this information, updating the COIP to align with information provided to TSA under this section does not require an amendment subject to the procedures in § 1570.107 of this subchapter.

§ 1582.213 Identification of Critical Cyber Systems.

(a) Identifying information. The owner/operator must incorporate into its COIP a list of Critical Cyber Systems, as defined in the TSA Cybersecurity Lexicon, that provides, at a minimum, the following identifying information for each Critical Cyber System:

(1) Identifier (system name or commercial name); and

(2) System manufacturer/designer name.

(b) Identification methodology. The owner/operator must include a description of the methodology and information used to identify Critical Cyber Systems that, at a minimum, includes the following information as used to identify critical systems:

(1) Standards and factors, including system interdependencies with critical functions, used to identify Information Technology and Operational Technology systems that could be vulnerable to a cybersecurity incident;

(2) Sources and data, such as known threat information relevant to the system, that informed decisions regarding the likelihood of the system being subject to a cybersecurity incident;

(3) Potential operational impacts of a cybersecurity incident, including scenarios that identify potential supply chain impacts and how long critical operations and capabilities could be sustained with identified alternatives if a system is offline; and

(4) Sustainability and operational impacts if an Information or Operational Technology system not identified as a Critical Cyber System becomes unavailable due to a cybersecurity incident.

(c) Positive Train Control (PTC) Systems. Owner/operators who are either required to install and operate PTC under 49 CFR part 236, subpart I, and/or voluntarily install and operate PTC under 49 CFR part 236, subpart H or I, must include PTC systems as a Critical Cyber System.

(d) System information and network architecture. For all Critical Cyber Systems, the owner/operator must provide the following information:

(1) Information and Operational Technology system interdependencies for Critical Cyber Systems;

(2) All external connections to Critical Cyber Systems;

(3) Zone boundaries for Critical Cyber Systems, including a description of how Information and Operational Technology systems are defined and organized into logical/virtual zones based on criticality, consequence, and operational necessity;

(4) Baseline of acceptable communications between Critical Cyber Systems and external connections or between Information and Operational Technology systems; and

(5) Operational needs that prevent or delay implementation of the requirements in this subpart, such as application of security patches and updates, encryption of communications traversing Information and Operational Technology systems, and multi-factor authentication.

(e) Additional systems. If notified by TSA, the owner/operator must include additional Critical Cyber Systems identified by TSA that were not previously identified by the owner/operator.

(f) Changes in Critical Cyber Systems. Any substantive changes to Critical Cyber Systems require an amendment to the Cybersecurity Operational Implementation Plan subject to the procedures in § 1570.107 of this subchapter.

§ 1582.215 Supply chain risk management.
The owner/operator must incorporate into its COIP policies, procedures, and capabilities to address supply chain cybersecurity vulnerabilities that include requiring—

(a) All procurement documents and contracts, including service-level agreements, executed or updated after [EFFECTIVE DATE OF FINAL RULE], include a requirement for the vendor or service provider to notify the owner/operator of the following:

(1) Cybersecurity incidents affecting the vendor or service provider within a specified timeframe sufficient for the owner/operator to identify and address any potential risks to their Critical Cyber Systems based on the scope and type of cybersecurity incident.

(2) Confirmed security vulnerabilities affecting the goods, services, or capabilities provided by the vendor or service provider within a specified timeframe sufficient for the owner/operator to identify and address any potential risks to their Critical Cyber Systems based on the scope and type of security vulnerability.

(b) Procurement documents and contracts, including service-level agreements, incorporate an evaluation by the owner/operator or qualified third-party of the cybersecurity measures implemented by vendors or service providers of goods, services, or capabilities that will be connected to, installed on, or used by the owner/operator’s Critical Cyber Systems.

(c) When provided two offerings of roughly similar cost and function, giving preference to the offering that provides the greater level of cybersecurity necessary to protect against, or effectively respond to, cybersecurity incidents affecting the owner/operator’s Critical Cyber Systems.

(d) Upon notification of a cybersecurity incident or vulnerability under paragraphs (a) or (b) of this section, immediate consideration of mitigation measures sufficient to address the resulting risk to Critical Cyber Systems and, as applicable, revision to the COIP in accordance with § 1570.107 of this subchapter.
§ 1582.217 Protection of Critical Cyber Systems.

The owner/operator must incorporate into its COIP policies, procedures, controls, and capabilities to protect Critical Cyber Systems that meet security performance objectives in the following areas—

(a) Network segmentation. Network segmentation measures that protect against access to, or disruption of, the Operational Technology system if the Information Technology system is compromised or vice versa. These measures must be sufficient to—

(1) Ensure Information and Operational Technology system services transit the other only when necessary for validated business or operational purposes;

(2) Secure and defend zone boundaries with security controls—

(i) To defend against unauthorized communications between zones; and

(ii) To prohibit Operational Technology system services from traversing the Information Technology system, and vice versa, unless the content is encrypted at a level sufficient to secure and protect integrity of data and prevent corruption or compromise while in transit. If encryption is not technologically feasible, ensure content is otherwise secured and protected using compensating controls that provide the same level of security as encryption for data in transit.

(b) Access control. Access control measures for Critical Cyber Systems, including for local and remote access, that secure and defend against unauthorized access to Critical Cyber Systems. Except as provided in paragraph (f), these measures must, at a minimum, incorporate the following policies, procedures, and controls:

(1) Identification and authentication requirements designed to prevent unauthorized access to Critical Cyber Systems that include:

(i) A policy for memorized secret authenticator resets that includes criteria for passwords and when resets must occur, including procedures to ensure implementation of these requirements, such as password lockouts; and

(ii) Documented and defined logical/virtual and physical security controls for components of Critical Cyber Systems that will not be subject to the requirements in paragraph (b)(1)(i) of this section.

(2) Multi-factor authentication, or other logical/virtual and physical security controls to supplement memorized secret authenticators (such as passwords) to provide risk mitigation commensurate to multi-factor authentication. If an owner/operator does not apply multi-factor authentication for access to Operational Technology components or assets, the owner/operator must specify what compensating controls are used to manage access.

(3) Management of access rights based on the principles of least privilege and separation of duties. Where it is not technically feasible to apply these principles, the policies and procedures must describe the compensating controls that the owner/operator applies.

(4) Policies and procedures that limit availability and use of shared accounts to those that are critical for operations, and then only if necessary.
When the owner/operator uses shared accounts for operational purposes, the policies and procedures must ensure:

(i) Access to shared accounts is limited through account management that uses principles of least privilege and separation of duties;

(ii) Any individual who no longer needs access does not have knowledge of the memorized secret authenticator necessary to access the shared account; and

(iii) Logs are maintained sufficient to enable positive user identification of access to shared accounts to enable forensic investigation following a cybersecurity incident.

(5) Regularly updated schedule for review of existing domain trust relationships to ensure their necessity, and established and enforced policies to manage these relationships.

(c) Patch management. Measures that reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on Critical Cyber Systems consistent with the owner/operator’s risk-based methodology. These measures must include:

(1) A patch management strategy that ensures all critical security patches and updates on Critical Cyber Systems are current. This strategy must include:

(i) The risk methodology for categorizing and determining criticality of patches and updates, and an implementation timeline based on categorization and criticality; and

(ii) Prioritization of all security patches and updates on CISA’s Known Exploited Vulnerabilities Catalog.

(2) In instances where the owner/operator cannot apply patches and updates on specific Operational Technology systems without causing a severe degradation of operational capability to meet business critical functions, the owner/operator must provide an explanation for why the actions cannot be taken and a description and timeline of additional mitigations that address the risk created by not installing the patch or update within the recommended timeframe.

(d) Logging policies. Logging policies sufficient to ensure logging data is—

(1) Stored in a secure and centralized system, such as a security information and event management tool or database on a segmented network that can only be accessed or modified by authorized and authenticated users; and

(2) Maintained for a duration sufficient to allow for investigation of cybersecurity incidents as supported by a risk analysis and applicable standards or regulatory guidelines.

(e) Secure back-ups. Policies that ensure all Critical Cyber Systems are backed up on a regular basis consistent with operational need for the information, the back-ups are securely stored separate from the system, and policies require testing the integrity of back-ups to ensure that the data is free of known malicious code when the back-ups are made.

(f) Exception for PTC hardware and software components installed on locomotives. (1) For hardware and software components of a PTC system installed on a locomotive, owner/operators in compliance with requirements in 49 CFR 232.105(h)(1–4) (General requirements for locomotives), 49 CFR 236.3 (Locking of signal apparatus housings), and 49 CFR 256.553 (Seal, where required), may rely on the physical security measures used to comply with these requirements, as applicable, in lieu of implementing the requirements in paragraph (b).
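The following is an added illustration of the patch management strategy described in paragraph (c) above; it is not part of the proposed rule text and does not come from TSA. It categorizes pending patches by criticality, gives anything listed in the Known Exploited Vulnerabilities Catalog the shortest implementation deadline, and, for an Operational Technology system that cannot be patched without severe operational degradation, refuses to proceed unless the compensating mitigation required by paragraph (c)(2) is documented. The system names, CVE identifiers (placeholders, not real entries), catalog contents and deadline values are all constructed assumptions; a real deployment would load CISA’s published catalog in place of the sample set.

```python
"""Patch prioritization for Critical Cyber Systems (added example, not rule text).

Pattern: categorize each pending patch, prioritize entries on the CISA
Known Exploited Vulnerabilities (KEV) catalog, assign a deadline from a
risk-based timeline, and record a documented exception (with mitigation)
where an OT system cannot be patched without severe operational impact.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed stand-in for the CISA KEV catalog (placeholder CVE ids).
KEV_SAMPLE = {"CVE-0000-0001", "CVE-0000-0003"}

# Assumed implementation timeline (days) per category; the owner/operator
# would define these values in its own COIP. Order here is priority order.
DEADLINE_DAYS = {"kev": 14, "critical": 30, "high": 60, "moderate": 90, "low": 180}


@dataclass
class Patch:
    system: str                     # Critical Cyber System identifier
    cve: str
    cvss: float
    ot_patch_blocked: bool = False  # True if patching would severely degrade OT operations
    mitigation: str = ""            # compensating control required when blocked


@dataclass
class Action:
    system: str
    cve: str
    category: str
    deadline: date
    status: str                     # "patch" or "exception"
    note: str = ""


def categorize(p: Patch, kev=KEV_SAMPLE) -> str:
    """KEV listing overrides CVSS: an exploited-in-the-wild flaw is always top priority."""
    if p.cve in kev:
        return "kev"
    if p.cvss >= 9.0:
        return "critical"
    if p.cvss >= 7.0:
        return "high"
    if p.cvss >= 4.0:
        return "moderate"
    return "low"


def plan(patches, kev=KEV_SAMPLE, today=date(2025, 1, 1)):
    """Return prioritized actions; raise if a blocked OT patch has no documented mitigation."""
    actions = []
    for p in patches:
        cat = categorize(p, kev)
        deadline = today + timedelta(days=DEADLINE_DAYS[cat])
        if p.ot_patch_blocked:
            if not p.mitigation:
                raise ValueError(f"{p.system}/{p.cve}: blocked patch requires a documented mitigation")
            actions.append(Action(p.system, p.cve, cat, deadline, "exception", p.mitigation))
        else:
            actions.append(Action(p.system, p.cve, cat, deadline, "patch"))
    order = list(DEADLINE_DAYS)  # KEV first, then by severity, then earliest deadline
    actions.sort(key=lambda a: (order.index(a.category), a.deadline))
    return actions


# Constructed sample inventory of pending patches.
SAMPLE_PATCHES = [
    Patch("SCADA-HMI-01", "CVE-0000-0002", 9.8),
    Patch("PLC-GW-02", "CVE-0000-0001", 7.5, ot_patch_blocked=True,
          mitigation="Isolate gateway to engineering VLAN; restrict to jump host; firmware update at next outage"),
    Patch("IT-JUMP-03", "CVE-0000-0004", 5.3),
    Patch("IT-JUMP-03", "CVE-0000-0003", 6.1),
]

if __name__ == "__main__":
    for a in plan(SAMPLE_PATCHES):
        print(f"{a.deadline} {a.category:8} {a.status:9} {a.system} {a.cve} {a.note}")
```

Running the block prints the two KEV-listed items first (one as a documented exception for the OT gateway), then the critical item, then the moderate one, each with its computed deadline.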
(2) If relying on the exception in paragraph (f)(1), the owner/operator must list the applicable PTC system as a Critical Cyber System; maintain compliance with the requirements specified in 49 CFR 232.105(h)(1–4), 49 CFR 236.3, and 49 CFR 256.553, as applicable; and include in the COIP a description of the physical security measures used to prevent unauthorized access to the identified PTC components.

§ 1582.219 Cybersecurity training and knowledge.

(a) Training required. (1) Owner/operators required to have a CRM program under this subpart must provide basic cybersecurity training to all employees with access to the owner/operator’s Information or Operational Technology systems.

(2) No owner/operator required to have a CRM program under this subpart may permit a cybersecurity-sensitive employee to access, or have privileges to access, a Critical Cyber System or an Information or Operational Technology system that is interdependent with a Critical Cyber System, unless that individual has received basic and role-based cybersecurity training.

(b) General curriculum requirements. The cybersecurity training program must include a curriculum or lesson plan, including learning objectives and method of delivery (such as instructor-led or computer-based training) for each course used to meet the requirements in paragraphs (d) and (e) of this section. TSA may request additional information regarding the curriculum during the review and approval process. If recurrent training under paragraph (e) of this section is not the same as initial training, a curriculum or lesson plan for the recurrent training will need to be submitted and approved by TSA.

(c) Specific curriculum requirements. (1) Basic cybersecurity training. All employees and contractors with access to the owner/operator’s Information or Operational Technology systems must receive basic cybersecurity training that includes cybersecurity awareness to address best practices, acceptable use, risks associated with their level of privileged access, and awareness of security risks associated with their actions. This training must address the following topics:

(i) Social engineering, including phishing;

(ii) Password best practices;

(iii) Remote work security basics;

(iv) Safe internet and social media use;

(v) Mobile device (wireless) vulnerabilities and network security;

(vi) Data management and information security, including protecting business email, confidential information, trade secrets, and privacy; and

(vii) How and to whom to report suspected inappropriate or suspicious activity involving Information or Operational Technology systems, including mobile devices provided by or connected to the owner/operator’s Information or Operational Technology systems.

(2) Role-based cybersecurity training. Cybersecurity-sensitive employees must be provided cybersecurity training that specifically addresses their role as a privileged user to prevent and respond to a cybersecurity incident, acceptable uses, and the risks associated with their level of access and use as approved by the owner/operator. This training must address the following topics as applicable to the specific role:

(i) Security measures and requirements in the COIP, including how the requirements affect account and access management, server and application management, and system architecture development and assessment;

(ii) Recognition and detection of cybersecurity threats, types of cybersecurity incidents, and techniques used to circumvent cybersecurity measures;

(iii) Incident handling, including procedures for reporting a cybersecurity incident to the Cybersecurity Coordinator and understanding their roles and responsibilities during a cybersecurity incident and implementation of the owner/operator’s Cybersecurity Incident Response Plan required by § 1582.227;

(iv) Requirements and sources for staying aware of changing cybersecurity threats and countermeasures;

(v) Operational Technology-specific cybersecurity training for all personnel whose duties include access to Operational Technology systems.

(d) Initial cybersecurity training. (1) Each owner/operator must provide initial cybersecurity training (basic and role-based, as applicable) to employees and contractors, using the curriculum approved by TSA, no later than 60 days after the effective date of the owner/operator’s TSA-approved COIP required by this subpart.

(2) For individuals who onboard or become cybersecurity-sensitive employees after the effective date of the owner/operator’s TSA-approved COIP and who did not receive training within the period identified in paragraph (d)(1) of this section, the individual must receive the applicable cybersecurity training no later than 10 days after onboarding.

(e) Recurrent cybersecurity training. Employees and contractors must receive annual recurrent cybersecurity training no later than the anniversary calendar month of the employee’s initial cybersecurity training.
If the owner/operator provides the recurrent cybersecurity training in the month of, the month before, or the month after it is due, the employee is considered to have taken the training in the month it is due.

(f) Recognition of prior or established cybersecurity training. Previously provided cybersecurity training may be credited towards satisfying the requirements of this section provided the owner/operator—

(1) Obtains a complete record of such training and validates that the training meets the requirements of this section as it relates to the role of the individual employee, and that the training was provided within the schedule required for recurrent training; and

(2) Retains a record of such training in compliance with the requirements in paragraph (g) of this section.

(g) Retention of cybersecurity training records. The owner/operator must retain records of initial and recurrent cybersecurity training for each individual required to receive cybersecurity training under this section for no less than 5 years from the date of training that, at a minimum—

(1) Include the employee’s full name, job title or function, date of hire, and date of initial and recurrent cybersecurity training; and

(2) Identify the date, course name, course length, and list of topics addressed for the cybersecurity training most recently provided in each of the areas required under paragraph (c) of this section.

(h) Availability of records to employees. The owner/operator must provide records of cybersecurity training to current and former employees upon request and at no charge as necessary to provide proof of training.

§ 1582.221 Detection of cybersecurity incidents.

The owner/operator must incorporate into its COIP policies, procedures, and capabilities sufficient to detect and respond to cybersecurity threats to, and anomalies on, Critical Cyber Systems that, at a minimum—

(a) Defend against malicious email, such as spam and phishing emails, to preclude or mitigate against adverse impacts to operations;

(b) Block ingress and egress communications with known or suspected malicious internet protocol addresses;

(c) Control impact of known or suspected malicious web domains or web applications, such as by preventing users and devices from accessing malicious websites;

(d) Block and defend against unauthorized code, including macro scripts, from executing;

(e) Monitor and/or block connections from known or suspected malicious command and control servers (such as Tor exit nodes, and other anonymization services); and

(f) Ensure continuous collection and analysis of data for potential intrusions and anomalous behavior on Critical Cyber Systems and other Information and Operational Technology systems that directly connect with Critical Cyber Systems.

§ 1582.223 Capabilities to respond to a cybersecurity incident.

The owner/operator must incorporate into its COIP capabilities to respond to cybersecurity incidents affecting Critical Cyber Systems that, at a minimum—

(a) Audit unauthorized access to internet domains and addresses;

(b) Document and audit any communications between the Operational Technology system and an internal or external system that deviate from the owner/operator’s identified baseline of communications;

(c) Identify and respond to execution of unauthorized code, including macro scripts; and

(d) Define, prioritize, and drive standardized incident response activities, such as Security Orchestration, Automation, and Response (SOAR).
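The following is an added illustration, not part of the proposed rule text, of how the baseline of acceptable communications documented under § 1582.213(d)(4) can be used to satisfy § 1582.223(b) (documenting and auditing Operational Technology communications that deviate from the baseline) and § 1582.221(b) (flagging traffic to known or suspected malicious addresses). It maps each observed flow to a zone, checks flows that touch the OT zone against the baseline, and emits an audit record for every deviation or denylist hit. The zone address ranges, baseline rules, denylist and flow records are constructed sample data (documentation address ranges), not values from the rule or from any operator.

```python
"""Audit of OT communications against a documented baseline (added example, not rule text).

Flows are matched to zones by source and destination address. Any flow that
touches the OT zone and is not covered by BASELINE is recorded as a
baseline deviation; any flow to or from a denylisted address is recorded as
a malicious-address finding regardless of zone.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# Constructed zone layout (private ranges chosen for the example only).
ZONES = {
    "ot": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "it": ip_network("10.30.0.0/16"),
}

# Constructed baseline: the only communications allowed to touch the OT zone.
BASELINE = {
    Rule("ot", "dmz", "tcp", 502),   # OT devices to a historian collector in the DMZ (Modbus/TCP)
    Rule("dmz", "ot", "tcp", 502),   # collector polling back into OT
    Rule("it", "dmz", "tcp", 443),   # IT reads the historian over HTTPS, never OT directly
}

# Constructed denylist standing in for a malicious-address feed (TEST-NET-3 address).
DENYLIST = {"203.0.113.7"}


def zone_of(ip: str) -> str:
    """Return the zone name for an address, or 'external' if it is in no defined zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def audit(flows):
    """Return audit records for flows that deviate from BASELINE or involve DENYLIST addresses.

    Each flow is a dict with ts, src, dst, proto, dport (a constructed flow-log shape).
    """
    findings = []
    for f in flows:
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        zones = f"{src_zone}->{dst_zone}"
        if f["dst"] in DENYLIST or f["src"] in DENYLIST:
            findings.append({**f, "finding": "malicious-address", "zones": zones})
            continue
        if "ot" not in (src_zone, dst_zone):
            continue  # only OT-touching communications are in scope for this check
        if Rule(src_zone, dst_zone, f["proto"], f["dport"]) not in BASELINE:
            findings.append({**f, "finding": "baseline-deviation", "zones": zones})
    return findings


# Constructed sample flow records.
SAMPLE_FLOWS = [
    {"ts": "2025-01-01T08:00:00Z", "src": "10.10.1.5", "dst": "10.20.0.10", "proto": "tcp", "dport": 502},
    {"ts": "2025-01-01T08:00:05Z", "src": "10.30.4.2", "dst": "10.10.1.5", "proto": "tcp", "dport": 22},
    {"ts": "2025-01-01T08:00:09Z", "src": "10.10.1.5", "dst": "203.0.113.7", "proto": "tcp", "dport": 443},
    {"ts": "2025-01-01T08:00:12Z", "src": "10.30.4.2", "dst": "10.20.0.10", "proto": "tcp", "dport": 443},
    {"ts": "2025-01-01T08:00:20Z", "src": "10.10.2.9", "dst": "198.51.100.20", "proto": "udp", "dport": 53},
]

if __name__ == "__main__":
    for rec in audit(SAMPLE_FLOWS):
        print(f'{rec["ts"]} {rec["finding"]:18} {rec["zones"]:14} {rec["src"]} -> {rec["dst"]}:{rec["dport"]}/{rec["proto"]}')
```

Of the five sample flows, the first (OT to DMZ historian) matches the baseline and the fourth (IT to DMZ) does not touch OT, so neither is recorded; the IT-to-OT SSH attempt and the OT-to-external DNS query are logged as baseline deviations and the OT flow to the denylisted address as a malicious-address finding. Keeping the baseline as explicit rules, rather than as prose, is what makes this audit reproducible for the records an owner/operator would be asked to produce under § 1582.231.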
§ 1582.225 Reporting cybersecurity incidents.

(a)(1) Except as provided in paragraph (a)(2) of this section or otherwise directed by TSA, each owner/operator identified in § 1582.1 must notify CISA of any Reportable Cybersecurity Incidents, as defined in the TSA Cybersecurity Lexicon, as soon as practicable, but no later than 24 hours after a Reportable Cybersecurity Incident is identified.

(2) An owner/operator identified in § 1582.1(a)(2) that owns or operates a bus-only operation must notify CISA of Reportable Cybersecurity Incidents under paragraph (a)(1) only if the owner/operator is identified in appendix A to part 1582 of this subchapter or is notified by TSA in writing that a threat exists concerning that operation.

(b) Reports required by this section must be made by the methods prescribed by TSA. All reported information will be protected in a manner appropriate for the sensitivity and criticality of the information.

(c) The report to CISA must include the following information, as available to the reporting owner/operator at the time of the report:

(1) The name of the reporting individual and contact information, including a telephone number and email address. The report must also explicitly specify that the information is being reported to satisfy the reporting requirements in Transportation Security Regulations.

(2) The affected conveyance, system(s) or facilities, including identifying information and location.

(3) Description of the threat, incident, or activity, to include:

(i) Earliest known date of compromise;

(ii) Date of detection;

(iii) Information about who has been notified and what action has been taken;

(iv) Any relevant information observed or collected by the owner/operators, such as malicious internet protocol addresses, malicious domains, malware hashes and/or samples, or the abuse of legitimate software or accounts; and

(v) Any known threat information, to include information about the source of the threat or cybersecurity incident, if available.

(4) A description of the incident’s impact or potential impact on Information or Operational Technology systems and operations. This information must also include an assessment of actual or imminent adverse impacts to service operations, operational delays, and/or data theft that have been or are likely to be incurred, as well as any other information that would be informative in understanding the impact or potential impact of the cybersecurity incident.

(5) A description of all responses that are planned or under consideration, to include, for example, a reversion to manual operations of train movement and control, if applicable.

(6) Any additional information not specifically required by this section, but which is critical to an understanding of the threat and owner/operator’s response to a reportable cybersecurity incident.

(d) If all the required information is not available at the time of reporting, owner/operators must submit an initial report within the specified timeframe and supplement it as additional information becomes available.

§ 1582.227 Cybersecurity Incident Response Plan.

(a) The owner/operator must incorporate into its COIP an up-to-date Cybersecurity Incident Response Plan (CIRP) for the owner/operator’s Critical Cyber Systems to reduce the impacts of a cybersecurity incident that causes, or could cause, operational disruption or significant impacts on business-critical functions.
(b) The CIRP must provide specific measures sufficient to ensure the following objectives, as applicable:

(1) Promptly identifying, isolating, and segregating the infected systems from uninfected systems, networks, and devices using measures that prioritize:

(i) Limiting the spread of autonomous malware;

(ii) Denying continued access by a threat actor to systems;

(iii) Determining extent of compromise; and

(iv) Preserving evidence and data.

(2) Ensuring that only data stored and secured as required by § 1582.217(e) is used to restore systems and that all stored backup data is scanned with host security software to ensure the data is free of malicious artifacts before being used for restoration.

(3) Established capability and governance for implementing mitigation measures or manual controls that ensure that the Operational Technology system can be isolated when a cybersecurity incident in the Information Technology system creates risk to the safety and reliability of the Operational Technology system.

(c) The CIRP must identify who (by position) is responsible for implementing the specific measures in the plan and any necessary resources needed to implement the measures.

(d) The owner/operator must conduct an exercise to test the effectiveness of the CIRP no less than annually. The exercise conducted under this paragraph must—

(1) Test at least two objectives of the owner/operator’s CIRP required by paragraph (b) of this section, no less than annually; and

(2) Include the employees identified (by position) in paragraph (c) as active participants in the exercise.

(e) Within no more than 90 days after the date of the exercise required by paragraph (d), the owner/operator must update the CIRP as appropriate to address any issues identified during the exercise.

(f) The owner/operator must notify TSA within 15 days of any changes to the CIRP. As the owner/operator must separately notify TSA, updating the COIP to align with information provided to TSA under this section does not require an amendment subject to the procedures in § 1570.107 of this subchapter.

§ 1582.229 Cybersecurity Assessment Plan.

(a) Requirement for a Cybersecurity Assessment Plan. No later than 90 days from TSA’s approval of the owner/operator’s COIP, the owner/operator must submit to TSA a Cybersecurity Assessment Plan (CAP) sufficient to—

(1) Proactively assess the effectiveness of all policies, procedures, measures, and capabilities in the owner/operator’s TSA-approved COIP as applied to all Critical Cyber Systems; and

(2) Identify and resolve device, network, and/or system vulnerabilities associated with Critical Cyber Systems.

(b) Contents of the CAP. At a minimum, the CAP must describe in detail:

(1) The plan to assess the effectiveness of the owner/operator’s TSA-approved COIP as applied to all Critical Cyber Systems;

(2) Schedule and scope of an architectural design review within 12 months either before or after TSA’s approval of the owner/operator’s COIP, to be repeated at least once every 2 years thereafter. The architectural design review required by this paragraph must include verification and validation of network traffic, a system log review, and analysis to identify cybersecurity vulnerabilities related to network design, configuration, and interconnectivity to internal and external systems;

(3) Other assessment capabilities designed to identify vulnerabilities to Critical Cyber Systems based on evolving threat information and adversarial capabilities, such as penetration testing of Information Technology systems, including the use of “red” and “purple” team (adversarial perspective) testing.

(c) Specific schedule.
(1) In addition to specifying the schedule for the architectural design review required by paragraph (b)(2), the CAP must include a schedule for conducting the assessments required by paragraph (b) sufficient to ensure at least one-third of the policies, procedures, measures, and capabilities in the TSA-approved COIP are assessed each year, with 100 percent of the COIP and all Critical Cyber Systems assessed over a 3-year period.

(2) The schedule required by this paragraph must map the planned assessments to the COIP and Critical Cyber Systems to document that the plan will ensure all policies, procedures, measures, and capabilities in the owner/operator’s TSA-approved COIP and all Critical Cyber Systems will be assessed within the timeframes required by paragraph (c)(1).

(d) Independence of assessors and auditors. Owner/operators must ensure that the assessments, audits, testing, and other capabilities to assess the effectiveness of its TSA-approved COIP are not conducted by individuals who have oversight or responsibility for implementing the owner/operator’s CRM program, and that those individuals have no vested or other financial interest in the results of the CAP.

(e) Annual submission of report. The owner/operator must ensure a report of the results of assessments conducted in accordance with the CAP is provided to corporate leadership and individuals designated under § 1582.209(a) and (b)(1) of this subpart, and submitted to TSA, no later than 15 months from the date of approval of the initial CAP and annually thereafter. The required report must indicate—

(1) Which assessment method(s) were used to determine if the policies, procedures, and capabilities described by the owner/operator in its COIP are effective; and

(2) Results of the individual assessment methodologies.

(f) Annual update of the CAP.
The owner/operator must review and annually update the CAP to address any changes to policies, procedures, measures, or capabilities in the COIP or assessment capabilities required by paragraph (b). The updated CAP must be submitted to TSA for approval no later than 12 months from the date of TSA’s approval of the current CAP. (g) Assessments conducted under this section are vulnerability assessments as defined in 1500.3 of his chapter and must be protected as Sensitive Security Information under § 1520.5(b)(5) of this chapter. For the purposes of the requirements in this subpart, upon TSA’s request, the owner/operator must provide for inspection or copying the following types of information to establish compliance: (a) Hardware/software asset inventory, including supervisory control and data acquisition (SCADA) systems; (b) Firewall rules; (c) Network diagrams, switch and router configurations, architecture diagrams, publicly routable internet protocol addresses, and Virtual Local Area Networks; (d) Policy, procedural, and other documents that informed the development, and documented implementation of, the owner/operator’s CRM program; (e) Data providing a ‘‘snapshot’’ of activity on and between Information and Operational Technology systems such as: (1) Log files; (2) A capture of network traffic (such as packet capture (PCAP)), for a scope and period directed by TSA, not less than 24 hours and not to exceed 48 hours; (3) ‘‘East-West Traffic’’ of Information Technology systems, sites, and environments within the scope of this subpart; and (4) ‘‘North-South Traffic’’ between Information and Operational Technology systems, and the perimeter boundaries between them; and (f) Any other records or documents necessary to determine compliance with this subpart. ■ 25. 
Revise appendix B to part 1582 to read as follows:

Appendix B to Part 1582—Security-Sensitive Job Functions for Public Transportation and Passenger Railroads

This table identifies security-sensitive job functions for owner/operators regulated under this part. All employees performing security-sensitive functions are ‘‘security-sensitive employees’’ for purposes of this rule and must be trained in accordance with this part.

Categories and security-sensitive job functions for public transportation and passenger railroads (PTPR):

A. Operating a vehicle.
1. Employees who—
a. Operate or control the movements of trains, other rail vehicles, or transit buses.
b. Act as train conductor, trainman, brakeman, or utility employee or performs acceptance inspections, couples and uncouples rail cars, applies handbrakes, or similar functions.
2. Employees covered under the Federal hours of service laws as ‘‘train employees.’’ See 49 U.S.C. 21101(5) and 21103.

B. Inspecting and maintaining vehicles.
Employees who—
1. Perform activities related to the diagnosis, inspection, maintenance, adjustment, repair, or overhaul of electrical or mechanical equipment relating to vehicles, including functions performed by mechanics and automotive technicians.
2. Provide cleaning services to vehicles owned, operated, or controlled by an owner/operator regulated under this subchapter.

C. Inspecting or maintaining building or transportation infrastructure.
Employees who—
1. Maintain, install, or inspect communication systems and signal equipment related to the delivery of transportation services.
2. Maintain, install, or inspect track and structures, including, but not limited to, bridges, trestles, and tunnels.
3. Provide cleaning services to stations and terminals owned, operated, or controlled by an owner/operator regulated under this subchapter that are accessible to the general public or passengers.
4. Provide maintenance services to stations, terminals, yards, tunnels, bridges, and operation control centers owned, operated, or controlled by an owner/operator regulated under this subchapter.
5. Employees covered under the Federal hours of service laws as ‘‘signal employees.’’ See 49 U.S.C. 21101(4) and 21104.

D. Controlling dispatch or movement of a vehicle.
Employees who—
1. Dispatch, report, transport, receive or deliver orders pertaining to specific vehicles, coordination of transportation schedules, tracking of vehicles and equipment.
2. Manage day-to-day delivery of transportation services and the prevention of, response to, and redress of service disruptions.
3. Supervise the activities of train crews, car movements, and switching operations in a yard or terminal.
4. Dispatch, direct, or control the movement of trains or buses.
5. Operate or supervise the operations of moveable bridges.
6. Employees covered under the Federal hours of service laws as ‘‘dispatching service employees.’’ See 49 U.S.C. 21101(2) and 21105.

E. Providing security of the owner/operator’s equipment and property.
Employees who—
1. Provide for the security of PTPR equipment and property, including acting as a police officer.
2. Patrol and inspect property of an owner/operator regulated under this subchapter to protect the property, personnel, passengers and/or cargo.

F. Loading or unloading cargo or baggage.
Employees who load, or oversee loading of, property tendered by or on behalf of a passenger on or off of a portion of a train that will be inaccessible to the passenger while the train is in operation.

G. Interacting with travelling public (on board a vehicle or within a transportation facility).
Employees who provide services to passengers on-board a train or bus, including collecting tickets or cash for fares, providing information, and other similar services. Including:
1. On-board food or beverage employees.
2. Functions on behalf of an owner/operator regulated under this subchapter that require regular interaction with travelling public within a transportation facility, such as ticket agents.

H. Complying with security programs or measures, including those required by Federal law.
1. Employees who serve as security coordinators designated in §§ 1582.103 and 1582.211 of this subchapter, as well as any designated alternates or secondary security coordinators.
2. Employees who—
a. Conduct training and testing of employees when the training or testing is required by TSA’s security regulations.
b. Manage or direct implementation of security plan requirements.

■ 26. Add appendix C to part 1582 to read as follows:

Appendix C to Part 1582—Reporting of Significant Physical Security Concerns

Category: Breach, Attempted Intrusion, and/or Interference.
Description: Unauthorized personnel attempting to or actually entering a restricted area or secure site relating to a transportation facility or conveyance owned, operated, or used by an owner/operator subject to this part. This includes individuals entering or attempting to enter by impersonation of authorized personnel (for example, police/security, janitor, vehicle owner/operator). Activity that could interfere with the ability of employees to perform duties to the extent that security is threatened.
Category: Misrepresentation.
Description: Presenting false, or misusing, insignia, documents, and/or identification, to misrepresent one’s affiliation with an owner/operator subject to this part to cover possible illicit activity that may pose a risk to transportation security.

Category: Theft, Loss, and/or Diversion.
Description: Stealing or diverting identification media or badges, uniforms, vehicles, keys, tools capable of compromising track integrity, portable derails, technology, or classified or sensitive security information documents which are proprietary to the facility or conveyance owned, operated, or used by an owner/operator subject to this part.

Category: Sabotage, Tampering, and/or Vandalism.
Description: Damaging, manipulating, or defeating safety and security appliances in connection with a facility, infrastructure, conveyance, or routing mechanism, resulting in the compromised use or the temporary or permanent loss of use of the facility, infrastructure, conveyance or routing mechanism. Placing or attaching a foreign object to a rail car or transit vehicle(s).

Category: Expressed or Implied Threat.
Description: Communicating a spoken or written threat to damage or compromise a facility/infrastructure/conveyance owned, operated, or used by an owner/operator subject to this part (for example, a bomb threat or active shooter).

Category: Eliciting Information.
Description: Questioning that may pose a risk to transportation or national security, such as asking one or more employees of an owner/operator subject to this part about particular facets of a facility’s or conveyance’s purpose, operations, or security procedures.

Category: Testing or Probing of Security.
Description: Deliberate interactions with employees of an owner/operator subject to this part or challenges to facilities or systems owned, operated, or used by an owner/operator subject to this part that reveal physical, personnel, or security capabilities or sensitive information.

Category: Photography.
Description: Taking photographs or video of facilities, conveyances, or infrastructure owned, operated, or used by an owner/operator subject to this part in a manner that may pose a risk to transportation or national security. Examples include taking photographs or video of infrequently used access points, personnel performing security functions (for example, patrols, badge/vehicle checking), or security-related equipment (for example, perimeter fencing, security cameras).

Category: Observation or Surveillance.
Description: Demonstrating unusual interest in facilities or loitering near conveyances, railcar routing appliances or any potentially critical infrastructure owned or operated by an owner/operator subject to this part in a manner that may pose a risk to transportation or national security. Examples include observation through binoculars, taking notes, or attempting to measure distances.

Category: Materials Acquisition and/or Storage.
Description: Acquisition and/or storage by an employee of an owner/operator subject to this part of materials such as cell phones, pagers, fuel, chemicals, toxic materials, and/or timers that may pose a risk to transportation or national security (for example, storage of chemicals not needed by an employee for the performance of his or her job duties).

Category: Weapons Discovery, Discharge, or Seizure.
Description: Weapons or explosives in or around a facility, conveyance, or infrastructure of an owner/operator subject to this part that may present a risk to transportation or national security (for example, discovery of weapons inconsistent with the type or quantity traditionally used by company security personnel).

Category: Suspicious Items or Activity.
Description: Discovery or observation of suspicious items, activity or behavior in or around a facility, conveyance, or infrastructure of an owner/operator subject to this part that results in the disruption or termination of operations (for example, halting the operation of a conveyance while law enforcement personnel investigate a suspicious bag, briefcase, or package).

PART 1584—HIGHWAY AND MOTOR CARRIER SECURITY

■ 27. Revise the authority citation for part 1584 to read as follows:

Authority: 49 U.S.C. 114; Pub. L. 110–53, 121 Stat. 266.

■ 28. Revise subpart B of part 1584 to read as follows:

Subpart B—Security Programs: General

Sec.
1584.101 Applicability.
1584.103 Physical Security Coordinator.
1584.105 Reporting of significant physical security concerns.
1584.107 Reporting cybersecurity incidents.
1584.109 [Reserved]
1584.111 [Reserved]
1584.113 Security training program requirements.
1584.115 [Reserved]

§ 1584.101 Applicability.

The requirements of this subpart apply to each OTRB owner/operator providing fixed-route service that originates, travels through, or ends in a geographic location identified in appendix A to this part.

§ 1584.103 Physical Security Coordinator.

(a) Each owner/operator identified in § 1584.101 must designate and use a primary and at least one alternate Physical Security Coordinator at the corporate level to function as the administrator for sharing security-related activities and information.

(b) The Physical Security Coordinator and alternate(s) must—

(1) Be accessible to TSA on a 24 hours per day, seven days per week basis;

(2) Serve as the primary contact(s) for intelligence information and security-related activities and communications with TSA.
Any individual designated as a Physical Security Coordinator may perform other duties in addition to the duties described in this section; and

(3) Coordinate security practices and procedures required by this subchapter internally and with appropriate law enforcement and emergency response agencies.

(c) The Physical Security Coordinator and alternate(s) must be a U.S. citizen eligible for a security clearance, unless otherwise waived by TSA.

(d) Each owner/operator required to have a Physical Security Coordinator must provide in writing to TSA the names, U.S. citizenship status, titles, business phone number(s), and business email address(es) of the Physical Security Coordinator and alternate Physical Security Coordinator(s). Changes in any of the information required by this section must be submitted to TSA within seven calendar days.

§ 1584.105 Reporting of significant physical security concerns.

(a) Each owner/operator identified in § 1584.101 must report, within 24 hours of initial discovery, any potential threats and significant physical security concerns involving transportation-related operations in the United States or transportation to, from, or within the United States as soon as possible by the methods prescribed by TSA.

(b) Potential threats or significant physical security concerns encompass incidents, suspicious activities, and threat information including, but not limited to, the categories of reportable events listed in appendix C to this part.

(c) Information reported must include the following, as available and applicable:

(1) The name of the reporting individual and contact information, including a telephone number or email address.

(2) The affected conveyance, station, terminal, or other transportation facility or infrastructure, including identifying information and current location.
(3) Scheduled origination and termination locations for the affected bus—including departure and destination station, city, and route, as applicable.

(4) Description of the threat, incident, or activity, including who has been notified and what action has been taken.

(5) The names, other available biographical data, and/or descriptions (including vehicle or license plate information) of individuals or motor vehicles known or suspected to be involved in the threat, incident, or activity.

(6) The source of any threat information.

§ 1584.107 Reporting cybersecurity incidents.

(a) Reporting Cybersecurity Incidents. Unless otherwise directed by TSA, each owner/operator identified in § 1584.101 must notify CISA of any Reportable Cybersecurity Incidents, as defined in the TSA Cybersecurity Lexicon, as soon as practicable, but no later than 24 hours after a Reportable Cybersecurity Incident is identified.

(b) Reports required by this section must be made by the methods prescribed by TSA. All reported information will be protected in a manner appropriate for the sensitivity and criticality of the information.

(c) The report to CISA must include the following information, as available to the reporting owner/operator at the time of the report:

(1) The name of the reporting individual and contact information, including a telephone number and email address. The report must also explicitly specify that the information is being reported to satisfy the reporting requirements in Transportation Security Regulations.

(2) The affected conveyance, system(s) or facilities, including identifying information and location.
(3) Description of the threat, incident, or activity, to include:

(i) Earliest known date of compromise;

(ii) Date of detection;

(iii) Information about who has been notified and what action has been taken;

(iv) Any relevant information observed or collected by the owner/operator, such as malicious Internet Protocol addresses, malicious domains, malware hashes and/or samples, or the abuse of legitimate software or accounts; and

(v) Any known threat information, to include information about the source of the threat or cybersecurity incident, if available.

(4) A description of the incident’s impact or potential impact on Information or Operational Technology systems and operations. This information must also include an assessment of actual or imminent adverse impacts to service operations, operational delays, and/or data theft that have or are likely to be incurred, as well as any other information that would be informative in understanding the impact or potential impact of the cybersecurity incident.

(5) A description of all responses that are planned or under consideration.

(6) Any additional information not specifically required by this section, but which is critical to an understanding of the threat and owner/operator’s response to a reportable cybersecurity incident.

(d) If all the required information is not available at the time of reporting, owner/operators must submit an initial report within the specified timeframe and supplement as additional information becomes available.

§ 1584.109 [Reserved]

§ 1584.111 [Reserved]

§ 1584.113 Security training program requirements.

(a) Applicability. This section applies to each owner/operator identified in § 1584.101.

(b) Training required for security-sensitive employees.
No owner/operator identified in paragraph (a) of this section may use a security-sensitive employee to perform a function identified in Appendix B to this part, unless that individual has received training as part of a security training program approved by TSA or is under the direct supervision of an employee who has received the training required by this section as applicable to that security-sensitive function. Upon approval, this security training program becomes part of the owner/operator’s TSA-approved security program.

(c) Limits on use of untrained employees. Notwithstanding paragraph (b) of this section, a security-sensitive employee may not perform a security-sensitive function for more than 60 calendar days without receiving security training.

(d) General requirements. Each owner/operator required to provide security training to its employees under this section must submit their security training program to TSA for approval in a form and manner prescribed by TSA. The security training program must include the following information:

(1) Name of owner/operator.

(2) Name, title, telephone number, and email address of the primary individual to be contacted with regard to review of the security training program.

(3) Number, by specific job function category identified in Appendix B to this part, of security-sensitive employees trained or to be trained.

(4) Implementation schedule that identifies a specific date by which the required initial and recurrent security training will be completed.

(5) Location where training program records will be maintained.

(6) Plan for ensuring supervision of untrained security-sensitive employees performing functions identified in Appendix B to this part.
(7) Plan for notifying employees of changes to security measures that could change information provided in previously provided training.

(8) Method(s) for evaluating the effectiveness of the security training program in each area required by paragraph (e) of this section.

(e) General curriculum requirements. The security training program submitted to TSA for approval must include a curriculum or lesson plan, including learning objectives and method of delivery (such as instructor-led or computer-based training) for each course used to meet the requirements in paragraph (f) of this section. TSA may request additional information regarding the curriculum during the review and approval process. If recurrent training under paragraph (j) of this section is not the same as initial training, a curriculum or lesson plan for the recurrent training will need to be submitted and approved by TSA.

(f) Specific curriculum requirements.

(1) Prepare. Each owner/operator must ensure that each of its security-sensitive employees with position- or function-specific responsibilities under the owner/operator’s security program have knowledge of how to fulfill those responsibilities in the event of a security threat, breach, or incident to ensure—

(i) Employees with responsibility for transportation security equipment and systems are aware of their responsibilities and can verify the equipment and systems are operating and properly maintained; and

(ii) Employees with other duties and responsibilities under the company’s security plans and/or programs, including those required by Federal law, know their assignments and the steps or resources needed to fulfill them.

(2) Observe.
Each owner/operator must ensure that each of its security-sensitive employees has knowledge of the observational skills necessary to recognize—

(i) Suspicious and/or dangerous items, such as substances, packages, or conditions (for example, characteristics of an Improvised Explosive Device and signs of equipment tampering or sabotage);

(ii) Combinations of actions and individual behaviors that appear suspicious and/or dangerous, inappropriate, inconsistent, or out of the ordinary for the employee’s work environment, which could indicate a threat to transportation security; and

(iii) How a terrorist or someone with malicious intent may attempt to gain sensitive information or take advantage of vulnerabilities.

(3) Assess. Each owner/operator must ensure that each of its security-sensitive employees has knowledge necessary to—

(i) Determine whether the item, individual, behavior, or situation requires a response as a potential terrorist threat based on the respective transportation environment; and

(ii) Identify appropriate responses based on observations and context.

(4) Respond. Each owner/operator must ensure that each of its security-sensitive employees has knowledge of how to—

(i) Appropriately report a security threat, including knowing how and when to report internally to other employees, supervisors, or management, and externally to Local, State, or Federal agencies according to the owner/operator’s security procedures or other relevant plans;

(ii) Interact with the public and first responders at the scene of the threat or incident, including communication with passengers on evacuation and any specific procedures for individuals with disabilities and the elderly; and

(iii) Use any applicable self-defense devices or other protective equipment provided to employees by the owner/operator.

(g) Relation to other training.
Training conducted by owner/operators to comply with other requirements or standards, such as training for communicating with emergency responders to arrange the evacuation of passengers, may be combined with, and used to satisfy, elements of the training requirements in this section.

(h) Submission. If commencing or modifying operations subject to these requirements after June 21, 2021, the training program must be submitted to TSA no later than 90 calendar days before commencing new or modified operations.

(i) Initial security training. Each owner/operator must provide initial security training to security-sensitive employees, using the curriculum approved by TSA and in compliance with the following schedule.

(1) For security training programs submitted to TSA for approval after March 22, 2021, if the employee is employed to perform a security-sensitive function on the date TSA approves the program, then initial training must be provided no later than twelve months after the date that TSA approves the owner/operator’s security training program.

(2) If performance of a security-sensitive job function is initiated after TSA approves the owner/operator’s security training program, then initial training must be provided no later than 60 calendar days after the employee first performs the security-sensitive job function.

(3) If the security-sensitive job function is performed intermittently, then initial security training must be provided no later than the 60th calendar day of employment performing a security-sensitive function, aggregated over a consecutive 12-month period.

(j) Recurrent security training.

(1) Except as provided in paragraph (j)(2) of this section, a security-sensitive employee required to receive training must receive the required training at least once every 3 years.
(2) If an owner/operator modifies a security program or security plan for which training is required, the owner/operator must ensure each security-sensitive employee with position- or function-specific responsibilities related to the revised plan or program changes receives training on the revisions within 90 days of implementation of the revised plan or program changes. All other employees must receive training that reflects the changes to the operating security requirements as part of their regularly scheduled recurrent training.

(3) The 3-year recurrent training cycle is based on the anniversary calendar month of the employee’s initial security training. If the owner/operator provides the recurrent security training in the month of, the month before, or the month after it is due, the employee is considered to have taken the training in the month it is due.

(k) Recognition of prior training. Previously provided security training may be credited towards satisfying the requirements of this section provided the owner/operator—

(1) Obtains a complete record of such training and validates the training meets requirements of this section as it relates to the function of the individual security-sensitive employee, and the training was provided within the schedule required for recurrent training; and

(2) Retains a record of such training in compliance with the requirements in paragraph (l).

(l) Retention of security training records.
The owner/operator must retain records of initial and recurrent security training for each individual required to receive security training under this section for no less than 5 years from the date of training that, at a minimum—

(1) Includes employee’s full name, job title or function, date of hire, and date of initial and recurrent security training; and

(2) Identifies the date, course name, course length, and list of topics addressed for the security training most recently provided in each of the areas required under paragraph (e) of this section.

(m) Availability of records to employees. The owner/operator must provide records of security training to current and former employees upon request and at no charge as necessary to provide proof of training.

(n) Incorporation into security program. Once approved by TSA, the security training program required by this section is part of the owner/operator’s TSA-approved security program. The owner/operator must implement and maintain the security training program and comply with timeframes for implementation identified in the security training program. Any modifications or amendments to the program must be made as stipulated in § 1570.107 of this subchapter.

(o) Situations requiring owner/operator to revise security training program. The owner/operator must submit a request to amend its security program if, after approval, the owner/operator makes, or intends to make, permanent (to be in effect for 60 or more calendar days) or substantive changes to its security training curriculum, including changes to address:

(1) Determinations that the security training program is ineffective based on the approved method for evaluating effectiveness in the security training program approved by TSA; or

(2) Development of recurrent training material for purposes of meeting the requirements in paragraph (j) of this section or other alternative training materials not previously approved by TSA.

§ 1584.115 [Reserved]

■ 29. Revise appendix B to part 1584 to read as follows:

Appendix B to Part 1584—Security-Sensitive Job Functions for Over-the-Road Buses

This table identifies security-sensitive job functions for owner/operators regulated under this part. All employees performing security-sensitive functions are ‘‘security-sensitive employees’’ for purposes of this rule and must be trained in accordance with this part.

Categories and security-sensitive job functions for over-the-road buses:

A. Operating a vehicle.
Employees who have a CDL and operate an OTRB.

B. Inspecting and maintaining vehicles.
Employees who—
1. Perform activities related to the diagnosis, inspection, maintenance, adjustment, repair, or overhaul of electrical or mechanical equipment relating to vehicles, including functions performed by mechanics and automotive technicians.
2. Does not include cleaning or janitorial activities.

C. Inspecting or maintaining building or transportation infrastructure.
Employees who—
1. Provide cleaning services to areas of facilities owned, operated, or controlled by an owner/operator regulated under this subchapter that are accessible to the general public or passengers.
2. Provide cleaning services to vehicles owned, operated, or controlled by an owner/operator regulated under this part (does not include vehicle maintenance).
3. Provide general building maintenance services to buildings owned, operated, or controlled by an owner/operator regulated under this part.

D. Controlling dispatch or movement of a vehicle.
Employees who—
1. Dispatch, report, transport, receive or deliver orders pertaining to specific vehicles, coordination of transportation schedules, tracking of vehicles and equipment.
2. Manage day-to-day delivery of transportation services and the prevention of, response to, and redress of disruptions to these services.
3. Perform tasks requiring access to or knowledge of specific route information.

E. Providing security of the owner/operator’s equipment and property.
Employees who patrol and inspect property of an owner/operator regulated under this part to protect the property, personnel, passengers and/or cargo.

F. Loading or unloading cargo or baggage.
Employees who load, or oversee loading of, property tendered by or on behalf of a passenger on or off of a portion of a bus that will be inaccessible to the passenger while the vehicle is in operation.

G. Interacting with travelling public (on board a vehicle or within a transportation facility).
Employees who—
1. Provide services to passengers on-board a bus, including collecting tickets or cash for fares, providing information, and other similar services.
2. Includes food or beverage employees, tour guides, and functions on behalf of an owner/operator regulated under this part that require regular interaction with travelling public within a transportation facility, such as ticket agents.

H. Complying with security programs or measures, including those required by Federal law.
1. Employees who serve as security coordinators designated in § 1584.103 of this subchapter, as well as any designated alternates or secondary security coordinators.
2. Employees who—
a. Conduct training and testing of employees when the training or testing is required by TSA’s security regulations.
b. Manage or direct implementation of security plan requirements.

■ 30. Add appendix C to part 1584 to read as follows:

Appendix C to Part 1584—Reporting of Significant Physical Security Concerns

Category: Breach, Attempted Intrusion, and/or Interference.
Description: Unauthorized personnel attempting to or actually entering a restricted area or secure site relating to a transportation facility or conveyance owned, operated, or used by an owner/operator subject to this part. This includes individuals entering or attempting to enter by impersonation of authorized personnel (for example, police/security, janitor, vehicle owner/operator). Activity that could interfere with the ability of employees to perform duties to the extent that security is threatened.

Category: Misrepresentation.
Description: Presenting false, or misusing, insignia, documents, and/or identification, to misrepresent one’s affiliation with an owner/operator subject to this part to cover possible illicit activity that may pose a risk to transportation security.

Category: Theft, Loss, and/or Diversion.
Description: Stealing or diverting identification media or badges, uniforms, vehicles, keys, tools capable of compromising operating systems, technology, or classified or sensitive security information documents which are proprietary to the facility or conveyance owned, operated, or used by an owner/operator subject to this part.

Category: Sabotage, Tampering, and/or Vandalism.
Description: Damaging, manipulating, or defeating safety and security appliances in connection with a facility, infrastructure, conveyance, or routing mechanism, resulting in the compromised use or the temporary or permanent loss of use of the facility, infrastructure, conveyance or routing mechanism. Placing or attaching a foreign object to a conveyance.

Category: Expressed or Implied Threat.
Description: Communicating a spoken or written threat to damage or compromise a facility/infrastructure/conveyance owned, operated, or used by an owner/operator subject to this part (for example, a bomb threat or active shooter).

Category: Eliciting Information.
Description: Questioning that may pose a risk to transportation or national security, such as asking one or more employees of an owner/operator subject to this part about particular facets of a facility’s or conveyance’s purpose, operations, or security procedures.

Category: Testing or Probing of Security.
Description: Deliberate interactions with employees of an owner/operator subject to this part or challenges to facilities or systems owned, operated, or used by an owner/operator subject to this part that reveal physical, personnel, or security capabilities or sensitive information.

Category: Photography.
Description: Taking photographs or video of facilities, conveyances, or infrastructure owned, operated, or used by an owner/operator subject to this part in a manner that may pose a risk to transportation or national security. Examples include taking photographs or video of infrequently used access points, personnel performing security functions (for example, patrols, badge/vehicle checking), or security-related equipment (for example, perimeter fencing, security cameras).

Category: Observation or Surveillance.
Description: Demonstrating unusual interest in facilities or loitering near conveyances, railcar routing appliances or any potentially critical infrastructure owned or operated by an owner/operator subject to this part in a manner that may pose a risk to transportation or national security. Examples include observation through binoculars, taking notes, or attempting to measure distances.

Category: Materials Acquisition and/or Storage.
Description: Acquisition and/or storage by an employee of an owner/operator subject to this part of materials such as cell phones, pagers, fuel, chemicals, toxic materials, and/or timers that may pose a risk to transportation or national security (for example, storage of chemicals not needed by an employee for the performance of his or her job duties).

Category: Weapons Discovery, Discharge, or Seizure.
Description: Weapons or explosives in or around a facility, conveyance, or infrastructure of an owner/operator subject to this part that may present a risk to transportation or national security (for example, discovery of weapons inconsistent with the type or quantity traditionally used by company security personnel).

Category: Suspicious Items or Activity.
Description: Discovery or observation of suspicious items, activity or behavior in or around a facility, conveyance, or infrastructure of an owner/operator subject to this part that results in the disruption or termination of operations (for example, halting the operation of a conveyance while law enforcement personnel investigate a suspicious bag, briefcase, or package).

■ 31. Add part 1586 to read as follows:

PART 1586—PIPELINE FACILITIES AND SYSTEMS SECURITY

Subpart A—General

Sec.
1586.1 Scope.
1586.3 Terms used in this part.
1586.5 Harmonization of Federal regulation.

Subpart B—Security Programs: Physical Security

Sec.
1586.101 Scope and Applicability.
1586.103 Physical Security Coordinator.
1586.105 Reporting of significant physical security concerns.

Subpart C—Cybersecurity Risk Management

Sec.
1586.201 Scope and applicability.
1586.203 Form, content, and availability of Cybersecurity Risk Management program.
1586.205 Cybersecurity evaluation.
1586.207 Cybersecurity Operational Implementation Plan.
1586.209 Governance of the CRM program.
1586.211 Cybersecurity Coordinator.
1586.213 Identification of Critical Cyber Systems.
1586.215 Supply chain risk management.
1586.217 Protection of Critical Cyber Systems.
1586.219 Cybersecurity training and knowledge.
1586.221 Detection of cybersecurity incidents.
1586.223 Capabilities to respond to a cybersecurity incident.
1586.225 Reporting cybersecurity incidents.
1586.227 Cybersecurity Incident Response Plan.
1586.229 Cybersecurity Assessment Plan.
1586.231 Documentation to establish compliance.
Appendix A to Part 1586—Reporting of Significant Physical Security Concerns
Authority: 49 U.S.C. 114; Public Law 110–53, 121 Stat. 266.

Subpart A—General

§ 1586.1 Scope.
This part includes requirements for the following persons. Specific sections in this part provide detailed applicability and requirements.
(a) Each person that owns or operates a hazardous liquid pipeline or system that is regulated under 49 CFR part 195; operates a primary control room responsible for multiple systems; or has a contract with the Defense Logistics Agency to supply hazardous liquids.
(b) Each person that owns or operates a natural and other gas pipeline system that is regulated under 49 CFR part 192; operates a primary control room responsible for multiple systems; or provides natural gas service to service points.
(c) Each person that owns or operates a liquefied natural gas facility that is regulated under 49 CFR part 193.

§ 1586.3 Terms used in this part.
In addition to the terms in §§ 1500.3, 1500.5, and 1503.103 of this chapter, the following terms apply to this part.
Control Room means an operations center staffed by personnel charged with responsibility for remotely monitoring and controlling a pipeline facility.
High Consequence Area has the same meaning as ‘‘high-consequence area’’ as defined in 49 CFR 192.903 and 49 CFR 195.450, as applicable.
Industrial control system (ICS) means an information system used to control industrial processes such as manufacturing, product handling, production, and distribution. Industrial control systems include supervisory control and data acquisition systems used to control geographically dispersed assets, as well as distributed control systems and smaller control systems using programmable logic controllers to control localized processes.
Peak-shaving facility means a pipeline facility that stores liquefied natural gas to meet demand spikes.

§ 1586.5 Harmonization of Federal regulation.
TSA will coordinate activities under this part with the Federal Energy Regulatory Commission (FERC), and the Pipeline and Hazardous Materials Safety Administration (PHMSA) of the Department of Transportation with respect to regulation of pipeline systems and facilities that are also licensed or regulated by the FERC or PHMSA, to avoid conflicting requirements and minimize redundancy of compliance activities.

Subpart B—Security Programs: Physical Security

§ 1586.101 Scope and Applicability.
(a) Scope. This subpart includes requirements that are primarily intended to ensure the physical security of pipeline facilities and systems. Physical security encompasses the security of systems and facilities, as well as the persons in areas in or near to operations that could have their safety and security threatened by an attack on physical systems and assets. Owner/operators identified in § 1586.1 must review the applicability in each section in this subpart to determine if any of the requirements apply to their operations.
(b) Applicability. Except as provided in paragraph (c) of this section, this subpart includes requirements for each owner/operator that meets any of the following criteria:
(1) Owns or operates a hazardous liquid or carbon dioxide pipeline or system regulated under 49 CFR part 195 and meets any of the following criteria:
(i) Delivers hazardous liquids or carbon dioxide more than 50 million barrels in any of the 3 calendar years before [EFFECTIVE DATE OF FINAL RULE] or any single calendar year after [EFFECTIVE DATE OF FINAL RULE]; or
(ii) Has more than 200 segment miles of pipeline transporting hazardous liquid or carbon dioxide that could affect a High Consequence Area.
(2) Owns or operates a primary control room responsible for multiple hazardous liquid or carbon dioxide systems regulated under 49 CFR part 196 and the total annual combined delivery for these systems is greater than 50 million barrels in any of the 3 calendar years before [EFFECTIVE DATE OF FINAL RULE] or any single calendar year after [EFFECTIVE DATE OF FINAL RULE].
(3) Owns or operates a hazardous liquid or carbon dioxide pipeline or system regulated under 49 CFR part 195 that has a contract with the Defense Logistics Agency to supply hazardous liquids more than 70,000 barrels annually.
(4) Owns or operates a natural and other gas pipeline system that is regulated under 49 CFR part 192 and meets any of the following criteria:
(i) Delivered natural or other gas more than 275 million dekatherms annually in any of the 3 calendar years before [EFFECTIVE DATE OF FINAL RULE] or any single calendar year after [EFFECTIVE DATE OF FINAL RULE];
(ii) Delivered natural or other gas to 275,000 or more meters (or service points) annually in any of the 3 calendar years before [EFFECTIVE DATE OF FINAL RULE] or any single calendar year after [EFFECTIVE DATE OF FINAL RULE]; or
(iii) Transmits natural or other gas more than 200 segment miles through a High Consequence Area.
(5) Operates a primary control room responsible for multiple natural or other gas pipeline systems regulated under 49 CFR part 192 systems and the combined total annual delivery or transmission for these systems is greater than 275 million dekatherms, in any of the 3 calendar years before [EFFECTIVE DATE OF FINAL RULE] or any single calendar year after [EFFECTIVE DATE OF FINAL RULE].
(6) Owns or operates a natural or other gas pipeline system regulated under 49 CFR part 192 that provides natural gas service to 275,000 or more meters (or service points) annually in any of the 3 calendar years before [EFFECTIVE DATE OF FINAL RULE] or any single calendar year after [EFFECTIVE DATE OF FINAL RULE].
(7) Each person that owns or operates a liquefied natural gas facility that is regulated under 49 CFR part 193 and—
(i) Imported natural gas in any of the 3 calendar years before [EFFECTIVE DATE OF FINAL RULE] or any single calendar year after [EFFECTIVE DATE OF FINAL RULE]; or
(ii) Operates as a ‘‘peak-shaving facility.’’
(c) The requirements in this part do not apply to U.S. facilities specified in 33 CFR 105.105(a) that are regulated under 33 CFR part 105 or facilities specified in 33 CFR 106.105(a) that are regulated under 33 CFR part 106.

§ 1586.103 Physical Security Coordinator.
(a) Each owner/operator identified in § 1586.101(b) must designate and use a primary and at least one alternate Physical Security Coordinator at the corporate level to function as the administrator for sharing security-related activities and information.
(b) The Physical Security Coordinator and alternate(s) must—
(1) Be accessible to TSA on a 24 hours per day, 7 days per week basis;
(2) Serve as the primary contact(s) for intelligence information and security-related activities and communications with TSA. (Any individual designated as a Physical Security Coordinator may perform other duties in addition to the duties described in this section); and
(3) Coordinate security practices and procedures required by this subchapter internally and with appropriate law enforcement and emergency response agencies.
(c) The Physical Security Coordinator and alternate(s) must be a U.S. citizen eligible for a security clearance, unless otherwise waived by TSA.
(d) Each owner/operator required to have a Physical Security Coordinator must provide in writing to TSA the names, U.S. citizenship status, titles, business phone number(s), and business email address(es) of the Physical Security Coordinator and alternate Physical Security Coordinator(s). Changes in any of the information required by this section must be submitted to TSA within 7 calendar days.

§ 1586.105 Reporting of significant physical security concerns.
(a) Each owner/operator identified in § 1586.101(b) must report, within 24 hours of initial discovery, any potential threats and significant physical security concerns involving transportation-related operations in the United States or transportation to, from, or within the United States as soon as possible by the methods prescribed by TSA.
(b) Potential threats or significant physical security concerns encompass incidents, suspicious activities, and threat information including, but not limited to, the categories of reportable events listed in appendix A to this part.
(c) Information reported must include the following, as available and applicable:
(1) The name of the reporting individual and contact information, including a telephone number or email address.
(2) The affected system or facility, including identifying information and current location.
(3) Description of the threat, incident, or activity, including who has been notified and what action has been taken.
(4) The names, other available biographical data, and/or descriptions (including vehicle or license plate information) of individuals or motor vehicles known or suspected to be involved in the threat, incident, or activity.
(5) The source of any threat information.

Subpart C—Cybersecurity Risk Management

§ 1586.201 Scope and applicability.
(a) Scope. This subpart includes requirements to ensure the cybersecurity of gas, hazardous liquid, carbon monoxide, and liquefied natural gas pipelines, pipeline systems, and facilities to mitigate the risk of significant harm to transportation facilities, as well as persons in areas in or near pipeline facilities and systems, that could have their safety and security threatened as a result of the degradation, destruction, or malfunction of systems that control these systems and infrastructure. In addition, cybersecurity incidents could have significant, similar impacts on the supply chain, affecting the national and economic security of the United States.
(b) Applicability. Each owner/operator described in § 1586.101(b) must adopt and carry out a Cybersecurity Risk Management (CRM) program.

§ 1586.203 Form, content, and availability of Cybersecurity Risk Management program.
(a) General content requirements. The CRM program required by this subpart is a comprehensive program that includes the following components:
(1) A cybersecurity evaluation completed and updated as required by § 1586.205;
(2) A TSA-approved Cybersecurity Operational Implementation Plan (COIP) that meets the requirements in § 1586.207.
(3) A Cybersecurity Assessment Plan that meets the requirements in § 1586.229.
(b) Subsidiaries.
If a single CRM program is developed and implemented for multiple business units within a single corporate entity, any documents used to comply or establish compliance with the requirements in this subpart must clearly identify and distinguish application of the requirements to each business unit.

§ 1586.205 Cybersecurity evaluation.
(a) General. Each owner/operator required to have a CRM program must complete an initial and recurrent cybersecurity evaluation sufficient to determine the owner/operator’s current enterprise-wide cybersecurity profile of logical/virtual and physical security controls when evaluated against the CRM program requirements in this subpart, using a form provided by TSA or other tools approved by TSA.
(b) Timing. The initial cybersecurity evaluation must be completed no later than [DATE 90 DAYS AFTER EFFECTIVE DATE OF FINAL RULE], but no more than one year before the date of submission of the owner/operator’s Cybersecurity Operational Implementation Plan required by § 1586.207. If commencing or modifying operations subject to these requirements after [EFFECTIVE DATE OF FINAL RULE], the initial cybersecurity evaluation must be submitted to TSA no later than 45 calendar days after commencing the new or modified operations triggering applicability.
(c) Annual updates. The evaluation required by paragraph (a) of this section must be updated annually, no later than one year from the anniversary date of the previously completed evaluation.
(d) Notification. The owner/operator must notify TSA within 7 days of completing the evaluation and annual updates required by this section. A copy of the evaluation must be provided to TSA upon request.
(e) Sensitive Security Information. This evaluation is a vulnerability assessment as defined in § 1500.3 of this chapter and must be protected as Sensitive Security Information under § 1520.5(b)(5) of this chapter.
§ 1586.207 Cybersecurity Operational Implementation Plan.
(a) Requirement. Each owner/operator required to have a CRM program under this part must adopt a COIP.
(b) General Content. The COIP must include the following corporate information:
(1) The name and corporate address of the owner/operator;
(2) Written attestation by the owner/operator’s accountable executive that the COIP has been reviewed and approved by senior management; and
(3) Identification of specific operations that meet the applicability criteria.
(c) Specific Content. The COIP must detail the owner/operator’s defense-in-depth plan, including physical and logical/virtual security controls, to comply with the requirements and security outcomes specified in the following sections:
(1) Governance. The requirements for governance of the CRM program in § 1586.209 and the designation of a Cybersecurity Coordinator under § 1586.211.
(2) Identification of Critical Cyber Systems, Network Architecture, and Interdependencies. The requirements to identify Critical Cyber Systems and network architecture in § 1586.213 and supply chain risk management in § 1586.215.
(3) Procedures, policies, and capabilities to protect Critical Cyber Systems. The requirements for protection of Critical Cyber Systems in § 1586.217 and training of cybersecurity-sensitive employees in § 1586.219.
(4) Procedures, policies, and capabilities to detect cybersecurity incidents. The requirements for detecting cybersecurity incidents in § 1586.221.
(5) Procedures, policies, and capabilities to respond to, and recover from, cybersecurity incidents. The requirements for responding to cybersecurity incidents in § 1586.223, reporting cybersecurity incidents in § 1586.225, and the Cybersecurity Incident Response Plan in § 1586.227.
(d) Plan of Action and Milestones.
(1) To the extent an owner/operator does not meet every requirement and security outcome identified in paragraph (c)(1) through (c)(5) of this section, the COIP must include a plan of action and milestones (POAM).
(2) The POAM must include:
(i) Policies, procedures, measures, or capabilities that the owner/operator will develop or obtain, as applicable, to ensure all requirements and security outcomes in this subpart are met;
(ii) Physical and logical/virtual security controls that the owner/operator will implement to mitigate the risks associated with not fully complying with requirements or security outcomes in this subpart; and
(iii) A detailed timeframe for full compliance with all requirements and security outcomes in this subpart, not to exceed three years from the date of submission to TSA of the COIP required by this section.
(3) The POAM must be updated as necessary to address any deficiencies identified during the evaluation required by § 1586.205 or as a result of an assessment conducted under § 1586.229 that will not be immediately addressed through an update to the COIP.
(e) Approval and implementation.
(1) Submission deadlines. The COIP must be made available to TSA, in a form and manner prescribed by TSA, no later than [DATE 180 DAYS AFTER EFFECTIVE DATE OF FINAL RULE]. If commencing or modifying operations subject to these requirements after [EFFECTIVE DATE OF FINAL RULE], the COIP must be made available to TSA no later than 45 calendar days before commencing new or modified operations.
(2) Effective date. After considering all relevant materials and any additional information required by TSA, TSA will notify the owner/operator’s accountable executive of TSA’s decision to approve the owner/operator’s COIP. The COIP becomes effective 30 days after the owner/operator is notified whether its COIP is approved.
(3) TSA-approved security program.
Once approved by TSA, the COIP, any appendices, and any policies or procedures incorporated by reference, are a TSA-approved security program, subject to the protections in part 1520 of this chapter and the procedures applicable to security programs in subpart B of part 1570 of this subchapter.
(f) Status Report and Updates. The CRM program must be reviewed and updated by the owner/operator within 60 days of the evaluations or assessments required by §§ 1586.205 or 1586.229, as necessary to address any identified vulnerabilities or weaknesses in the procedures, policies, or capabilities identified in the CRM program.
(g) Revisions. Unless otherwise specified in this subpart, any substantive modifications or amendments to the COIP must be made in accordance with the procedures in § 1570.107 of this subchapter.

§ 1586.209 Governance of the CRM program.
(a) Accountable Executive.
(1) No later than [DATE 30 DAYS FROM EFFECTIVE DATE OF FINAL RULE], the owner/operator must provide to TSA the names, titles, business telephone numbers, and business email addresses of the owner/operator’s accountable executive and the primary individual to be contacted about the owner/operator’s CRM program. If any of the information required by this paragraph changes, the owner/operator must provide the updated information to TSA within 7 days of the change.
(2) The accountable executive must be an individual who has the authority and knowledge necessary for the development, implementation, and managerial oversight of the TSA-approved CRM program, including cybersecurity administration, risk assessments, inspections and control procedures, and coordinating communications with the owner/operator’s leadership and staff on implementation and sustainment of the CRM program.
To the extent possible, the accountable executive should not be the Cybersecurity Coordinator or an individual responsible for management of Information or Operational Technology system or systems’ administration.
(b) COIP. The COIP must also include:
(1) Identification of positions designated by the owner/operator to manage implementation of policies, procedures, and capabilities described in the COIP and coordinate improvements to the CRM program.
(2) Corporate-level identification of any authorized representatives, as defined in the TSA Cybersecurity Lexicon, who are responsible for any or all the CRM program or cybersecurity measures identified in the CRM program, and written documentation (such as contractual agreements) clearly identifying the roles and responsibilities of the authorized representative under the CRM program.
(3) The information required by paragraph (a)(1) of this section.
(c) Process. Updating the COIP to align with information provided to TSA under this section does not require an amendment subject to the procedures in § 1570.107 of this subchapter.

§ 1586.211 Cybersecurity Coordinator.
(a) Each owner/operator identified in § 1586.101(b) must designate employees at the corporate level to serve as the primary and at least one alternate Cybersecurity Coordinator with responsibility for sharing critical cybersecurity information.
(b) The Cybersecurity Coordinator and alternate(s) must—
(1) Serve as the primary contact for cyber-related intelligence information and cybersecurity-related activities and communications with TSA and the Cybersecurity and Infrastructure Security Agency (CISA);
(2) Have the following knowledge and skills, through current certifications or equivalent job experience:
(i) General cybersecurity guidance and best practices;
(ii) Relevant law and regulations pertaining to cybersecurity;
(iii) Handling of Sensitive Security Information and security-related communications; and
(iv) Current cybersecurity threats applicable to the owner/operator’s operations and systems.
(3) Be accessible to TSA and CISA 24 hours per day, 7 days per week;
(4) Have a Homeland Security Information Network (HSIN) account or other TSA-designated communication platform for information sharing relevant to the requirements in this subpart; and
(5) Work with appropriate law enforcement and emergency response agencies in addressing cybersecurity threats or responding to cybersecurity incidents.
(c) The Cybersecurity Coordinator and alternate(s) must be a U.S. citizen eligible for a security clearance, unless otherwise waived by TSA.
(d) Owner/operators must provide in writing to TSA the names, titles, business phone number(s), and business email address(es) of the Cybersecurity Coordinator and alternate Cybersecurity Coordinator(s) required by paragraph (a) of this section no later than [DATE 7 DAYS AFTER EFFECTIVE DATE OF FINAL RULE], or within seven days of the commencement of new operations, or change in any of the information required by this section that occur after [DATE 7 DAYS AFTER EFFECTIVE DATE OF FINAL RULE].
(e) In addition to providing the information to TSA as required by paragraph (d), any owner/operator required to have a CRM program under this part must also include the information required by paragraph (d) of this section in the COIP. As the owner/operator must separately notify TSA of this information, and any changes to this information, updating the COIP to align with information provided to TSA under this section does not require an amendment subject to the procedures in § 1570.107 of this subchapter.

§ 1586.213 Identification of Critical Cyber Systems.
(a) Identifying information. The owner/operator must incorporate into its COIP a list of Critical Cyber Systems, as defined in the TSA Cybersecurity Lexicon, that provides, at a minimum, the following identifying information for each Critical Cyber System:
(1) Identifier (system name or commercial name); and
(2) System manufacturer/designer name.
(b) Identification methodology. The owner/operator must include a description of the methodology and information used to identify Critical Cyber Systems that, at a minimum, includes the following information as used to identify critical systems:
(1) Standards and factors, including system interdependencies with critical functions, used to identify Information Technology and Operational Technology systems that could be vulnerable to a cybersecurity incident;
(2) Sources and data, such as known threat information relevant to the system, that informed decisions regarding the likelihood of the system being subject to a cybersecurity incident;
(3) Potential operational impacts of a cybersecurity incident, including scenarios that identify potential supply chain impacts and how long critical operations and capabilities could be sustained with identified alternatives if a system is offline; and
(4) Sustainability and operational impacts if an Information or Operational Technology system not identified as a Critical Cyber System becomes unavailable due to a cybersecurity incident.
(c) System information and network architecture.
For all Critical Cyber Systems, the owner/operator must provide the following information:
(1) Information and Operational Technology system interdependencies for Critical Cyber Systems;
(2) All external connections to Critical Cyber Systems;
(3) Zone boundaries for Critical Cyber Systems, including a description of how Information and Operational Technology systems are defined and organized into logical/virtual zones based on criticality, consequence, and operational necessity;
(4) Baseline of acceptable communications between Critical Cyber Systems and external connections or between Information and Operational Technology systems; and
(5) Operational needs that prevent or delay implementation of the requirements in this subpart, such as application of security patches and updates, encryption of communications traversing Information and Operational Technology systems, and multi-factor authentication.
(d) Additional systems. If notified by TSA, the owner/operator must include additional Critical Cyber Systems identified by TSA not previously identified by the owner/operator.
(e) Changes in Critical Cyber Systems. Any substantive changes to Critical Cyber Systems require an amendment to the Cybersecurity Operational Implementation Plan subject to the procedures in § 1570.107 of this subchapter.

§ 1586.215 Supply chain risk management.
The owner/operator must incorporate into its COIP policies, procedures, and capabilities to address supply chain cybersecurity vulnerabilities that include requiring—
(a) All procurement documents and contracts, including service-level agreements, executed or updated after [EFFECTIVE DATE OF FINAL RULE], include a requirement for the vendor or service provider to notify the owner/operator of the following:
(1) Cybersecurity incidents affecting the vendor or service provider within a specified timeframe sufficient for the owner/operator to identify and address any potential risks to their Critical Cyber Systems based on the scope and type of cybersecurity incident.
(2) Confirmed security vulnerabilities affecting the goods, services, or capabilities provided by the vendor or service provider within a specified timeframe sufficient for the owner/operator to identify and address any potential risks to their Critical Cyber Systems based on the scope and type of security vulnerability.
(b) Procurement documents and contracts, including service-level agreements, incorporate an evaluation by the owner/operator or qualified third-party of the cybersecurity measures implemented by vendors or service providers of goods, services, or capabilities that will be connected to, installed on, or used by the owner/operator’s Critical Cyber Systems.
(c) When provided two offerings of roughly similar cost and function, giving preference to the offering that provides the greater level of cybersecurity necessary to protect against, or effectively respond to, cybersecurity incidents affecting the owner/operator’s Critical Cyber Systems.
(d) Upon notification of a cybersecurity incident or vulnerability under paragraphs (a) or (b) of this section, immediate consideration of mitigation measures sufficient to address the resulting risk to Critical Cyber Systems and, as applicable, revision to the COIP in accordance with § 1570.107 of this subchapter.

§ 1586.217 Protection of Critical Cyber Systems.
The owner/operator must incorporate into its COIP policies, procedures, controls, and capabilities to protect Critical Cyber Systems that meet security performance objectives in the following areas—
(a) Network segmentation. Network segmentation measures that protect against access to, or disruption of, the Operational Technology system if the Information Technology system is compromised or vice versa. These measures must be sufficient to—
(1) Ensure Information and Operational Technology system-services transit the other only when necessary for validated business or operational purposes;
(2) Secure and defend zone boundaries with security controls—
(i) To defend against unauthorized communications between zones; and
(ii) To prohibit Operational Technology system services from traversing the Information Technology system, and vice-versa, unless the content is encrypted at a level sufficient to secure and protect integrity of data and prevent corruption or compromise while in transit. If encryption is not technologically feasible, ensure content is otherwise secured and protected using compensating controls that provide the same level of security as encryption for data in transit.
(b) Access control. Access control measures for Critical Cyber Systems, including for local and remote access, that secure and defend against unauthorized access to Critical Cyber Systems.
These measures must, at a minimum, incorporate the following policies, procedures, and controls:

(1) Identification and authentication requirements designed to prevent unauthorized access to Critical Cyber Systems that include:

(i) A policy for memorized secret authenticator resets that includes criteria for passwords and when resets must occur, including procedures to ensure implementation of these requirements, such as password lockouts; and

(ii) Documented and defined logical/virtual and physical security controls for components of Critical Cyber Systems that will not be subject to the requirements in paragraph (b)(1)(i) of this section.

(2)(i) Except as provided in paragraph (b)(2)(ii), multi-factor authentication, or other logical/virtual and physical security controls to supplement memorized secret authenticators (such as passwords) to provide risk mitigation commensurate to multi-factor authentication.

(ii) An owner/operator in compliance with the requirements in 49 CFR 192.631 and 195.446, as applicable, may rely on the physical security measures as applied to the control room in lieu of applying multi-factor authentication to specific industrial control system workstations in the covered control room, as applicable, in lieu of implementing the requirements in paragraph (b)(2)(i). If relying on this exception, the owner/operator must identify the applicable system as a Critical Cyber System; maintain compliance with the requirements in 49 CFR 192.631 and 195.446, as applicable; and include in the COIP a description of the physical security measures and other compensating controls used to prevent access to industrial control system workstations.

(3) Management of access rights based on the principles of least privilege and separation of duties. Where not technically feasible to apply these principles, the policies and procedures must describe compensating controls that the owner/operator applies.

(4) Policies and procedures limit availability and use of shared accounts to those that are critical for operations, and then only if necessary. When the owner/operator uses shared accounts for operational purposes, the policies and procedures must ensure:

(i) Access to shared accounts is limited through account management that uses principles of least privilege and separation of duties;

(ii) Any individual who no longer needs access does not have knowledge of the memorized secret authenticator necessary to access the shared account; and

(iii) Logs are maintained sufficient to enable positive user identification of access to shared accounts to enable forensic investigation following a cybersecurity incident.

(5) Regularly updated schedule for review of existing domain trust relationships to ensure their necessity and established and enforced policies to manage these relationships.

(c) Patch management. Measures that reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on Critical Cyber Systems consistent with the owner/operator’s risk-based methodology. These measures must include:

(1) A patch management strategy that ensures all critical security patches and updates on Critical Cyber Systems are current. This strategy must include:

(i) The risk methodology for categorizing and determining criticality of patches and updates, and an implementation timeline based on categorization and criticality; and

(ii) Prioritization of all security patches and updates on CISA’s Known Exploited Vulnerabilities Catalog.

(2) In instances where the owner/operator cannot apply patches and updates on specific Operational Technology systems without causing a severe degradation of operational capability to meet business critical functions, the owner/operator must provide an explanation for why the actions cannot be taken and a description and timeline of additional mitigations that address the risk created by not installing the patch or update within the recommended timeframe.

(d) Logging policies. Logging policies sufficient to ensure logging data is—

(1) Stored in a secure and centralized system, such as a security information and event management tool or database on a segmented network that can only be accessed or modified by authorized and authenticated users; and

(2) Maintained for a duration sufficient to allow for investigation of cybersecurity incidents as supported by a risk analysis and applicable standards or regulatory guidelines.

(e) Secure back-ups. Policies that ensure all Critical Cyber Systems are backed-up on a regular basis consistent with operational need for the information, the back-ups are securely stored separate from the system, and policies require testing the integrity of back-ups to ensure that the data is free of known malicious code when the back-ups are made.

§ 1586.219 Cybersecurity training and knowledge.

(a) Training required. (1) Owner/operators required to have a CRM program under this subpart must provide basic cybersecurity training to all employees with access to the owner/operator’s Information or Operational Technology systems.

(2) No owner/operator required to have a CRM program under this subpart may permit a cybersecurity-sensitive employee to access, or have privileges to access, a Critical Cyber System or an Information or Operational Technology system that is interdependent with a Critical Cyber System, unless that individual has received basic and role-based cybersecurity training.
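Returning to the patch management measures in § 1586.217(c) above, the following is a worked example added here for illustration; it is not part of the proposed rule or any TSA tooling. It applies the (c)(1)(ii) rule that Known Exploited Vulnerabilities Catalog entries come first, computes a deadline from a risk-based timeline, and enforces the (c)(2) condition that only an Operational Technology system may defer a patch, and only with an explanation, mitigations, and a timeline. The remediation windows, asset names, CVE ids, and the minimal KEV feed are constructed assumptions (the feed uses the field names the real CISA KEV JSON publishes).

```python
"""Patch prioritization in the shape required by § 1586.217(c): KEV entries
first, then the risk-methodology deadline, with the (c)(2) OT deferral rule.
Illustrative code only; not TSA's or any vendor's implementation."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical risk methodology: remediation window in days per criticality
# tier. The rule requires such a methodology but does not prescribe numbers.
REMEDIATION_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

# Constructed sample in the layout of the CISA KEV JSON feed (field names as
# the feed publishes them; the CVE ids are placeholders, not real entries).
KEV_SAMPLE_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-11111", "dueDate": "2024-12-01"},
        {"cveID": "CVE-0000-22222", "dueDate": "2024-11-15"},
    ]
})


@dataclass
class Finding:
    asset: str
    cve: str
    criticality: str             # tier from the owner/operator's methodology
    is_ot: bool = False          # Operational Technology system?
    detected: date = date(2024, 11, 7)   # constructed detection date
    # (c)(2) deferral record: needs "reason", "mitigations" and "target" date
    deferral: Optional[dict] = None


def load_kev(raw_json: str) -> dict:
    """Map cveID -> KEV due date from the feed's 'vulnerabilities' array."""
    feed = json.loads(raw_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in feed["vulnerabilities"]}


def deadline(f: Finding, kev: dict) -> date:
    """Earlier of the methodology window and, if listed, the KEV due date."""
    own = f.detected + timedelta(days=REMEDIATION_DAYS[f.criticality])
    return min(own, kev[f.cve]) if f.cve in kev else own


def prioritize(findings: list, kev: dict) -> dict:
    """Split findings into an ordered patch queue, documented OT exceptions,
    and non-compliant deferrals (missing fields, or deferral on a non-OT asset)."""
    queue, exceptions, noncompliant = [], [], []
    for f in findings:
        if f.deferral is None:
            queue.append(f)
        elif not f.is_ot:
            # (c)(2) only covers specific Operational Technology systems
            noncompliant.append((f.asset, ["deferral allowed only for OT systems"]))
        else:
            missing = [k for k in ("reason", "mitigations", "target")
                       if not f.deferral.get(k)]
            if missing:
                noncompliant.append((f.asset, missing))
            else:
                exceptions.append(f)
    # KEV entries first (per (c)(1)(ii)), then earliest deadline, then asset name.
    queue.sort(key=lambda f: (f.cve not in kev, deadline(f, kev), f.asset))
    return {"queue": queue, "exceptions": exceptions, "noncompliant": noncompliant}


# Constructed findings for a few hypothetical Critical Cyber Systems.
SAMPLE_FINDINGS = [
    Finding("eng-ws-02", "CVE-0000-33333", "critical"),
    Finding("hmi-01", "CVE-0000-11111", "medium"),
    Finding("plc-gw-03", "CVE-0000-22222", "high", is_ot=True, deferral={
        "reason": "vendor firmware halts the process; patch only at outage",
        "mitigations": "isolated VLAN, allow-list firewall, enhanced logging",
        "target": "2025-03-01"}),
    Finding("hist-04", "CVE-0000-44444", "high", is_ot=True,
            deferral={"reason": "requires scheduled outage"}),  # incomplete
    Finding("corp-app-05", "CVE-0000-55555", "low", deferral={
        "reason": "low risk", "mitigations": "WAF", "target": "2025-06-01"}),
]

if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE_JSON)
    result = prioritize(SAMPLE_FINDINGS, kev)
    for f in result["queue"]:
        flag = "  [KEV]" if f.cve in kev else ""
        print(f"PATCH  {f.asset:12} {f.cve} by {deadline(f, kev)}{flag}")
    for f in result["exceptions"]:
        print(f"DEFER  {f.asset:12} {f.cve} until {f.deferral['target']}")
    for asset, problems in result["noncompliant"]:
        print(f"FIX    {asset:12} deferral not acceptable: {', '.join(problems)}")
```

Note that the KEV-listed medium finding is queued ahead of the unlisted critical one even though the critical one has the earlier methodology deadline; that is the (c)(1)(ii) ordering, and the deadline column still shows which is due first.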
(b) General curriculum requirements. The cybersecurity training program must include a curriculum or lesson plan, including learning objectives and method of delivery (such as instructor-led or computer-based training) for each course used to meet the requirements in paragraphs (d) and (e) of this section. TSA may request additional information regarding the curriculum during the review and approval process. If recurrent training under paragraph (e) of this section is not the same as initial training, a curriculum or lesson plan for the recurrent training will need to be submitted and approved by TSA.

(c) Specific curriculum requirements. (1) Basic cybersecurity training. All employees and contractors with access to the owner/operator’s Information or Operational Technology systems must receive basic cybersecurity training that includes cybersecurity awareness to address best practices, acceptable use, risks associated with their level of privileged access, and awareness of security risks associated with their actions. This training must address the following topics:

(i) Social engineering, including phishing;
(ii) Password best practices;
(iii) Remote work security basics;
(iv) Safe internet and social media use;
(v) Mobile device (wireless) vulnerabilities and network security;
(vi) Data management and information security, including protecting business email, confidential information, trade secrets, and privacy; and
(vii) How and to whom to report suspected inappropriate or suspicious activity involving Information or Operational Technology systems, including mobile devices provided by or connected to the owner/operator’s Information or Operational Technology systems.

(2) Role-based cybersecurity training. Cybersecurity-sensitive employees must be provided cybersecurity training that specifically addresses their role as a privileged user to prevent and respond to a cybersecurity incident, acceptable uses, and the risks associated with their level of access and use as approved by the owner/operator. This training must address the following topics as applicable to the specific role:

(i) Security measures and requirements in the COIP including how the requirements affect account and access management, server and application management, and system architecture development and assessment;
(ii) Recognition and detection of cybersecurity threats, types of cybersecurity incidents, and techniques used to circumvent cybersecurity measures;
(iii) Incident handling, including procedures for reporting a cybersecurity incident to the Cybersecurity Coordinator and understanding their roles and responsibilities during a cybersecurity incident and implementation of the owner/operator’s Cybersecurity Incident Response Plan required by § 1586.227;
(iv) Requirements and sources for staying aware of changing cybersecurity threats and countermeasures;
(v) Operational Technology-specific cybersecurity training for all personnel whose duties include access to Operational Technology systems.

(d) Initial cybersecurity training. (1) Each owner/operator must provide initial cybersecurity training (basic and role-based, as applicable) to employees and contractors, using the curriculum approved by TSA no later than 60 days after the effective date of the owner/operator’s TSA-approved COIP required by this subpart.

(2) For individuals who onboard or become cybersecurity-sensitive employees after the effective date of the owner/operator’s TSA-approved COIP who did not receive training within the period identified in paragraph (d)(1) of this section, the individual must receive the applicable cybersecurity training no later than 10 days after onboarding.

(e) Recurrent cybersecurity training. Employees and contractors must receive annual recurrent cybersecurity training no later than the anniversary calendar month of the employee’s initial cybersecurity training. If the owner/operator provides the recurrent cybersecurity training in the month of, the month before, or the month after it is due, the employee is considered to have taken the training in the month it is due.

(f) Recognition of prior or established cybersecurity training. Previously provided cybersecurity training may be credited towards satisfying the requirements of this section provided the owner/operator—

(1) Obtains a complete record of such training and validates the training meets requirements of this section as it relates to the role of the individual employee, and the training was provided within the schedule required for recurrent training; and

(2) Retains a record of such training in compliance with the requirements in paragraph (g) of this section.

(g) Retention of cybersecurity training records. The owner/operator must retain records of initial and recurrent cybersecurity training for each individual required to receive cybersecurity training under this section for no less than 5 years from the date of training that, at a minimum—

(1) Includes employee’s full name, job title or function, date of hire, and date of initial and recurrent cybersecurity training; and

(2) Identifies the date, course name, course length, and list of topics addressed for the cybersecurity training most recently provided in each of the areas required under paragraph (c) of this section.

(h) Availability of records to employees. The owner/operator must provide records of cybersecurity training to current and former employees upon request and at no charge as necessary to provide proof of training.

§ 1586.221 Detection of cybersecurity incidents.

The owner/operator must incorporate into its COIP policies, procedures, and capabilities sufficient to detect and respond to cybersecurity threats to, and anomalies on, Critical Cyber Systems that, at a minimum—

(a) Defend against malicious email, such as spam and phishing emails, to preclude or mitigate against adverse impacts to operations;
(b) Block ingress and egress communications with known or suspected malicious internet protocol addresses;
(c) Control impact of known or suspected malicious web domains or web applications, such as by preventing users and devices from accessing malicious websites;
(d) Block and defend against unauthorized code, including macro scripts, from executing;
(e) Monitor and/or block connections from known or suspected malicious command and control servers (such as Tor exit nodes, and other anonymization services); and
(f) Ensure continuous collection and analysis of data for potential intrusions and anomalous behavior on Critical Cyber Systems and other Information and Operational Technology systems that directly connect with Critical Cyber Systems.
§ 1586.223 Capabilities to respond to a cybersecurity incident.

The owner/operator must incorporate into its COIP capabilities to respond to cybersecurity incidents affecting Critical Cyber Systems that, at a minimum—

(a) Audit unauthorized access to internet domains and addresses;
(b) Document and audit any communications between the Operational Technology system and an internal or external system that deviates from the owner/operator’s identified baseline of communications;
(c) Identify and respond to execution of unauthorized code, including macro scripts; and
(d) Define, prioritize, and drive standardized incident response activities, such as Security Orchestration, Automation, and Response (SOAR).

§ 1586.225 Reporting cybersecurity incidents.

(a) Unless otherwise directed by TSA, each owner/operator identified in § 1586.101(b) must notify CISA of any Reportable Cybersecurity Incidents, as defined in the TSA Cybersecurity Lexicon, as soon as practicable, but no later than 24 hours after a Reportable Cybersecurity Incident is identified.

(b) Reports required by this section must be made by the methods prescribed by TSA. All reported information will be protected in a manner appropriate for the sensitivity and criticality of the information.

(c) The report to CISA must include the following information, as available to the reporting owner/operator at the time of the report:

(1) The name of the reporting individual and contact information, including a telephone number and email address. The report must also explicitly specify that the information is being reported to satisfy the reporting requirements in Transportation Security Regulations.

(2) The affected pipeline system(s) or facilities, including identifying information and location.

(3) Description of the threat, incident, or activity, to include:
(i) Earliest known date of compromise;
(ii) Date of detection;
(iii) Information about who has been notified and what action has been taken;
(iv) Any relevant information observed or collected by the owner/operators, such as malicious internet protocol addresses, malicious domains, malware hashes and/or samples, or the abuse of legitimate software or accounts; and
(v) Any known threat information, to include information about the source of the threat or cybersecurity incident, if available.

(4) A description of the incident’s impact or potential impact on Information or Operational Technology systems and operations. This information must also include an assessment of actual or imminent adverse impacts to service operations, operational delays, and/or data theft that have or are likely to be incurred, as well as any other information that would be informative in understanding the impact or potential impact of the cybersecurity incident.

(5) A description of all responses that are planned or under consideration, to include, for example, a reversion to manual operations and control, if applicable.

(6) Any additional information not specifically required by this section, but which is critical to an understanding of the threat and owner/operator’s response to a reportable cybersecurity incident.

(d) If all the required information is not available at the time of reporting, owner/operators must submit an initial report within the specified timeframe and supplement as additional information becomes available.

§ 1586.227 Cybersecurity Incident Response Plan.

(a) The owner/operator must incorporate into its COIP an up-to-date Cybersecurity Incident Response Plan (CIRP) for the owner/operator’s Critical Cyber Systems to reduce the impacts of a cybersecurity incident that causes, or could cause, operational disruption or significant impacts on business-critical functions.

(b) The CIRP must provide specific measures sufficient to ensure the following objectives, as applicable:

(1) Promptly identifying, isolating, and segregating the infected systems from uninfected systems, networks, and devices using measures that prioritize:
(i) Limiting the spread of autonomous malware;
(ii) Denying continued access by a threat actor to systems;
(iii) Determining extent of compromise; and
(iv) Preserving evidence and data.

(2) Only data stored and secured as required by § 1586.217(e) is used to restore systems and that all stored backup data is scanned with host security software to ensure the data is free of malicious artifacts before being used for restoration.

(3) Established capability and governance for implementing mitigation measures or manual controls that ensure that the Operational Technology system can be isolated when a cybersecurity incident in the Information Technology system creates risk to the safety and reliability of the Operational Technology system.

(c) The CIRP must identify who (by position) is responsible for implementing the specific measures in the plan and any necessary resources needed to implement the measures.

(d) The owner/operator must conduct an exercise to test the effectiveness of the CIRP no less than annually. The exercise conducted under this paragraph must—
(1) Test at least two objectives of the owner/operator’s CIRP required by paragraph (b) of this section, no less than annually; and
(2) Include the employees identified (by position) in paragraph (c) as active participants in the exercise.

(e) Within no more than 90 days after the date of the exercise required by paragraph (d), the owner/operator must update the CIRP as appropriate to address any issues identified during the exercise.

(f) The owner/operator must notify TSA within 15 days of any changes to the CIRP. As the owner/operator must separately notify TSA, updating the COIP to align with information provided to TSA under this section does not require an amendment subject to the procedures in § 1570.107 of this subchapter.

§ 1586.229 Cybersecurity Assessment Plan.

(a) Requirement for a Cybersecurity Assessment Plan. No later than 90 days from TSA’s approval of the owner/operator’s COIP, the owner/operator must submit to TSA a Cybersecurity Assessment Plan (CAP) sufficient to—
(1) Proactively assess the effectiveness of all policies, procedures, measures, and capabilities in the owner/operator’s TSA-approved COIP as applied to all Critical Cyber Systems; and
(2) Identify and resolve device, network, and/or system vulnerabilities associated with Critical Cyber Systems.

(b) Contents of the CAP. At a minimum, the CAP must describe in detail:

(1) The plan to assess the effectiveness of the owner/operator’s TSA-approved COIP as applied to all Critical Cyber Systems;

(2) Schedule and scope of an architectural design review within 12 months either before or after TSA’s approval of the owner/operator’s COIP, to be repeated at least once every 2 years thereafter. The architectural design review required by this paragraph must include verification and validation of network traffic, a system log review, and analysis to identify cybersecurity vulnerabilities related to network design, configuration, and interconnectivity to internal and external systems;

(3) Other assessment capabilities designed to identify vulnerabilities to Critical Cyber Systems based on evolving threat information and adversarial capabilities, such as penetration testing of Information Technology systems, including the use of “red” and “purple” team (adversarial perspective) testing.

(c) Specific Schedule. (1) In addition to specifying the schedule for the architectural design review required by paragraph (b)(2), the CAP must include a schedule for conducting the assessments required by paragraph (b) sufficient to ensure at least one-third of the policies, procedures, measures, and capabilities in the TSA-approved COIP are assessed each year, with 100 percent of the COIP and all Critical Cyber Systems assessed over a 3-year period.

(2) The schedule required by this paragraph must map the planned assessments to the COIP and Critical Cyber System to document the plan will ensure all policies, procedures, measures, and capabilities in the owner/operator’s TSA-approved COIP and all Critical Cyber Systems will be assessed within the timeframes required by paragraph (c)(1).

(d) Independence of assessors and auditors. Owner/operators must ensure that the assessments, audits, testing, and other capabilities to assess the effectiveness of its TSA-approved COIP are not conducted by individuals who have oversight or responsibility for implementing the owner/operator’s program and have no vested or other financial interest in the results of the CAP.

(e) Annual submission of report. The owner/operator must ensure a report of the results of assessments conducted in accordance with the CAP is provided to corporate leadership and individuals designated under § 1586.209(a) and (b)(1), and submitted to TSA, no later than 15 months from the date of approval of the initial CAP and annually thereafter. The required report must indicate—
(1) Which assessment method(s) were used to determine if the policies, procedures, and capabilities described by the owner/operator in its COIP are effective; and
(2) Results of the individual assessment methodologies.

(f) Annual update of the CAP. The owner/operator must review and annually update the CAP to address any changes to policies, procedures, measures, or capabilities in the COIP or assessment capabilities required by paragraph (b). The updated CAP must be submitted to TSA for approval no later than 12 months from the date of TSA’s approval of the current CAP.

(g) Assessments conducted under this section are vulnerability assessments as defined in § 1500.3 of this chapter and must be protected as Sensitive Security Information under § 1520.5(b)(5) of this chapter.

§ 1586.231 Documentation to establish compliance.
For the purposes of the requirements in this subpart, upon TSA’s request, the owner/operator must provide for inspection or copying the following types of information to establish compliance:

(a) Hardware/software asset inventory, including supervisory control and data acquisition (SCADA) systems;
(b) Firewall rules;
(c) Network diagrams, switch and router configurations, architecture diagrams, publicly routable internet protocol addresses, and Virtual Local Area Networks;
(d) Policy, procedural, and other documents that informed the development, and documented implementation of, the owner/operator’s CRM program;
(e) Data providing a “snapshot” of activity on and between Information and Operational Technology systems such as:
(1) Log files;
(2) A capture of network traffic (such as packet capture (PCAP)), for a scope and period directed by TSA, not less than 24 hours and not to exceed 48 hours;
(3) “East-West Traffic” of Information Technology systems, sites, and environments within the scope of this subpart; and
(4) “North-South Traffic” between Information and Operational Technology systems, and the perimeter boundaries between them; and
(f) Any other records or documents necessary to determine compliance with this subpart.

Appendix A to Part 1586—Reporting of Significant Physical Security Concerns

Category: Breach, Attempted Intrusion, and/or Interference
Description: Unauthorized personnel attempting to or actually entering a restricted area or secure site relating to a pipeline facility or pipeline system owned, operated, or used by an owner/operator subject to this part. This includes individuals entering or attempting to enter by impersonation of authorized personnel (for example, police/security, janitor, vehicle owner/operator). Activity that could interfere with the ability of employees to perform duties to the extent that security is threatened.

Category: Misrepresentation
Description: Presenting false, or misusing, insignia, documents, and/or identification, to misrepresent one’s affiliation with an owner/operator subject to this part to cover possible illicit activity that may pose a risk to transportation security.

Category: Theft, Loss, and/or Diversion
Description: Stealing or diverting identification media or badges, uniforms, vehicles, keys, tools capable of compromising operating systems, technology, or classified or sensitive security information documents which are proprietary to the pipeline facility or system owned, operated, or used by an owner/operator subject to this part.

Category: Sabotage, Tampering, and/or Vandalism
Description: Damaging, manipulating, or defeating safety and security appliances in connection with a pipeline facility, infrastructure, or systems resulting in the compromised use or the temporary or permanent loss of use of the pipeline facility, infrastructure, or system.

Category: Expressed or Implied Threat
Description: Communicating a spoken or written threat to damage or compromise a pipeline facility/infrastructure/system owned, operated, or used by an owner/operator subject to this part (for example, a bomb threat or active shooter).

Category: Eliciting Information
Description: Questioning that may pose a risk to transportation or national security, such as asking one or more employees of an owner/operator subject to this part about particular facets of a facility’s or system’s purpose, operations, or security procedures.

Category: Testing or Probing of Security
Description: Deliberate interactions with employees of an owner/operator subject to this part or challenges to pipeline facilities or systems owned, operated, or used by an owner/operator subject to this part that reveal physical, personnel, or security capabilities or sensitive information.

Category: Photography
Description: Taking photographs or video of pipeline facilities, systems, or infrastructure owned, operated, or used by an owner/operator subject to this part in a manner that may pose a risk to transportation or national security. Examples include taking photographs or video of infrequently used access points, personnel performing security functions (for example, patrols, badge/vehicle checking), or security-related equipment (for example, perimeter fencing, security cameras).

Category: Observation or Surveillance
Description: Demonstrating unusual interest in pipeline facilities or systems or loitering near facilities or systems or other potentially critical infrastructure owned or operated by an owner/operator subject to this part in a manner that may pose a risk to transportation or national security. Examples include observation through binoculars, taking notes, or attempting to measure distances.

Category: Materials Acquisition and/or Storage
Description: Acquisition and/or storage by an employee of an owner/operator subject to this part of materials such as cell phones, pagers, fuel, chemicals, toxic materials, and/or timers that may pose a risk to transportation or national security (for example, storage of chemicals not needed by an employee for the performance of his or her job duties).

Category: Weapons Discovery, Discharge, or Seizure
Description: Weapons or explosives in or around a pipeline facility, system, or infrastructure of an owner/operator subject to this part that may present a risk to transportation or national security (for example, discovery of weapons inconsistent with the type or quantity traditionally used by company security personnel).

Category: Suspicious Items or Activity
Description: Discovery or observation of suspicious items, activity or behavior in or around a pipeline facility, system, or infrastructure of an owner/operator subject to this part that results in the disruption or termination of operations (for example, halting operations while law enforcement personnel investigate a suspicious item, bag, package, etc.).

Dated: October 20, 2024.

David P. Pekoske, Administrator.

[FR Doc. 2024–24704 Filed 11–6–24; 8:45 am]

BILLING CODE 9110–05–P

    See the SUPPLEMENTARY INFORMATION section for format and other 
information about comment submissions on the NPRM.

FOR FURTHER INFORMATION CONTACT: 
    General Questions: Ashlee Marks, Surface Division, Policy, Plans, 
and Engagement, TSA-28, Transportation Security Administration, 6595 
Springfield Center Drive, Springfield, VA 20598-6028; telephone (571) 
227-1039; email: [email protected].
    Legal Questions: Traci Klemm, Regulations and Security Standards, 
Office of Chief Counsel, Transportation Security Administration, 6595 
Springfield Center Drive, Springfield, VA 20598-6002; telephone (571) 
227-3583, or email to [email protected].

SUPPLEMENTARY INFORMATION:

Public Participation

    TSA invites interested persons to participate in this NPRM by 
submitting written comments, including relevant data. We also invite 
comments relating to the economic, environmental, energy, or federalism 
impacts that might result from this rulemaking action. See the 
ADDRESSES section above for information on where to submit comments.

NPRM-Specific Request for Comments

    1. TSA is requesting comments on the impact of regulations and 
requirements being imposed by other Federal, State, and Local entities, 
including DHS components, and potential options for regulatory 
harmonization.
    2. TSA is requesting comments on whether proposed requirements for 
supply chain risk management should also include requirements to ensure 
that any new software purchased for, or to be installed on, Critical 
Cyber Systems meets CISA's Secure-by-Design and Secure-by-Default 
principles.
    3. TSA is requesting comments on existing training and 
certification programs that could provide low-cost options to meet 
proposed qualification requirements for Cybersecurity Coordinators. If 
identified and determined by TSA to be sufficient, TSA could recognize 
them as examples for owner/operators that would be subject to these 
requirements.
    4. TSA is proposing to require owner/operators to have a 
Cybersecurity Assessment Plan (CAP) to annually assess and audit the 
effectiveness of their TSA-approved Cybersecurity Operational 
Implementation Plan (COIP). TSA is requesting comments on methodologies 
owner/operators could use to develop a plan that would meet the 
required annual minimum for assessments and audits, assessment and 
auditing capabilities that could be included in the CAP, and other 
options and resources that could ensure a robust auditing and 
assessment program that provides frequent and regular reviews of 
effectiveness of CRM program implementation.
    5. TSA is requesting comments from pipeline owner/operators on 
opportunities to streamline compliance and reduce redundancies and 
duplication of efforts for pipeline facilities regulated under 33 CFR 
105.105(a) or 106.105(a).
    6. TSA is requesting comment on whether accountable executives and 
Cybersecurity Coordinators, for all covered owner/operators, should be 
required to undergo a TSA-conducted Security Threat Assessment (STA), 
which would include a terrorism/other analyses check, an immigration 
check, and a criminal history records check (CHRC).
    7. TSA is requesting comment on whether TSA should require all 
frontline workers (``security-sensitive employees'') in the pipeline 
industry to also be vetted by TSA. Although TSA is not proposing this 
requirement, TSA seeks comments on how the vetting would impact their 
operations and costs, and specifically how many employees the entity 
has that would likely be considered security-sensitive employees.\1\
---------------------------------------------------------------------------

    \1\ Commenters may find it useful to review the functions that 
TSA considered for determining security-sensitive employees under 
current Appendix B to 49 CFR part 1580, Appendix B to part 1582, and 
Appendix B to part 1584.
---------------------------------------------------------------------------

    8. TSA is requesting comment on the inputs used in the Regulatory 
Impact Analysis (RIA), including those related to the Security 
Directives (SDs), their implementation, and associated costs and 
benefits. Comments that will provide the most assistance to TSA will 
reference a specific portion of this proposed rule, explain the reason 
for any suggestions or recommended changes, and include data, 
information, or authority that supports such suggestion or recommended 
change.
    9. TSA invites all interested parties to submit data and 
information regarding the potential economic impact on small entities 
that would result from the adoption of the requirements in the proposed 
rule.
    10. TSA invites comments on the proposed collection of information 
and estimates of burden.

Submitting Comments on the NPRM

    With each comment, please identify the docket number at the 
beginning of your comments. You may submit comments and material 
electronically, by mail, or fax as provided under

[[Page 88489]]

ADDRESSES, but please submit your comments and material by only one 
means. If you submit comments by mail or in person, submit them in an 
unbound format, no larger than 8.5 by 11 inches, suitable for copying 
and electronic filing.
    If you would like TSA to acknowledge receipt of comments submitted 
by mail, include with your comments a self-addressed, stamped postcard 
or envelope on which the docket number appears, and we will mail it to 
you.
    All comments, except those that include confidential information or 
SSI,\2\ will be posted to https://www.regulations.gov and include any personal 
information you have provided. Should you wish your personally 
identifiable information redacted prior to filing in the docket, please 
clearly indicate this request in your submission. TSA will consider all 
comments that are in the docket on or before the closing date for 
comments and will consider comments filed late to the extent 
practicable. The docket is available for public inspection before and 
after the comment closing date.
---------------------------------------------------------------------------

    \2\ ``Sensitive Security Information'' or ``SSI'' is information 
obtained or developed in the conduct of security activities, the 
disclosure of which would constitute an unwarranted invasion of 
privacy, reveal trade secrets or privileged or confidential 
information, or be detrimental to the security of transportation. 
The protection of SSI is governed by 49 CFR part 1520.
---------------------------------------------------------------------------

Submitting Comments on the Proposed Information Collections

    Comments on the proposed information collections included in this 
NPRM should be submitted both to TSA, as indicated above, and to the 
Office of Information and Regulatory Affairs, Office of Management and 
Budget (OMB). Comments should be identified by the appropriate OMB 
Control Number(s) or the title of this proposed rule, addressed to the 
Desk Officer for the Department of Homeland Security, Transportation 
Security Administration, and sent via electronic mail to 
[email protected].

Handling of Confidential or Proprietary Information and SSI Submitted 
in Public Comments

    Do not submit comments that include trade secrets, confidential 
commercial or financial information, or SSI to the public regulatory 
docket. Please submit such comments separately from other comments on 
the rulemaking. Comments containing this type of information should be 
appropriately marked as containing such information and submitted by 
mail to the address listed in the FOR FURTHER INFORMATION CONTACT 
section. TSA will take the following actions for all submissions 
containing SSI:
    • TSA will not place comments containing SSI in the public 
docket and will handle them with applicable safeguards and restrictions 
on access.
    • TSA will hold documents containing SSI, confidential 
business information, or trade secrets in a separate file to which the 
public does not have access.
    • TSA will place a note in the public docket explaining that 
commenters have submitted such documents.
    • TSA may include a redacted version of the comment in the 
public docket.
    • TSA will treat requests to examine or copy information 
that is not in the public docket as any other request under the Freedom 
of Information Act (5 U.S.C. 552) and the Department of Homeland 
Security (DHS) Freedom of Information Act regulation found in 6 CFR 
part 5.

Reviewing Comments in the Docket

    Please be aware that anyone can search the electronic form of all 
comments in any of our dockets by the name of the individual, 
association, business entity, labor union, etc., who submitted the 
comment. For more about privacy and the docket, review the Privacy and 
Security Notice for the FDMS at https://www.regulations.gov/privacy-notice, 
as well as the System of Records Notice DOT/ALL 14--Federal 
Docket Management System (73 FR 3316, January 17, 2008) and the System 
of Records Notice DHS/ALL 044--eRulemaking (85 FR 14226, March 11, 
2020).
    You may review TSA's electronic public docket at 
https://www.regulations.gov. In addition, DOT's Docket Management Facility 
provides a physical facility, staff, equipment, and assistance to the 
public. To obtain assistance or to review comments in TSA's public 
docket, you may visit this facility between 9 a.m. and 5 p.m., Monday 
through Friday, excluding legal holidays, or call (202) 366-9826. This 
DOT facility is in the West Building Ground Floor, Room W12-140 at 1200 
New Jersey Avenue SE, Washington, DC 20590.

Availability of Rulemaking Document

    You can find an electronic copy of this rulemaking using the 
internet by accessing the Government Publishing Office's web page at 
https://www.govinfo.gov/app/collection/FR/ to view the daily published 
Federal Register edition or accessing the Office of the Federal 
Register's web page at https://www.federalregister.gov. Copies are also 
available by contacting the individual identified for ``General 
Questions'' in the FOR FURTHER INFORMATION CONTACT section.

Abbreviations and Terms Used in This Document

9/11 Act--Implementing Recommendations of the 9/11 Commission Act of 
2007
AAR--Association of American Railroads
Amtrak--National Railroad Passenger Corporation
APTA--American Public Transportation Association
ATSA--Aviation and Transportation Security Act
BOS--Back Office Server
BES--Bulk Electric System
CAP--Cybersecurity Assessment Plan
CEQ--Council on Environmental Quality
CSF--Cybersecurity Framework 2.0
CIRCIA--Cyber Incident Reporting for Critical Infrastructure Act of 
2022
CIP--Cybersecurity Implementation Plan
CIRP--Cybersecurity Incident Response Plan
CISA--Cybersecurity and Infrastructure Security Agency
COIP--Cybersecurity Operational Implementation Plan
CPGs--Cross-Sector Cybersecurity Performance Goals
CRM--Cybersecurity risk management
DFAR--Defense Federal Acquisition Regulation Supplement
DHS--Department of Homeland Security
DoD--Department of Defense
DOE--Department of Energy
DOT--Department of Transportation
E.O.--Executive Order
FDMS--Federal Docket Management System
FERC--Federal Energy Regulatory Commission
FISMA--Federal Information Security Modernization Act of 2014
FR--Federal Register
FRA--Federal Railroad Administration
FSB--Russian Federal Security Service
GPS--Global Positioning System
HSIN--Homeland Security Information Network
IC--Information Circular
ICS--Industrial control system
IRFA--Initial Regulatory Flexibility Analysis
IT--Information technology
MFA--Multi-factor authentication
NARA--National Archives and Records Administration
NEPA--National Environmental Policy Act
NERC--National American Electrical Reliability Corporation
NIST--National Institute of Standards and Technology
NPRM--Notice of proposed rulemaking
OMB--Office of Management and Budget
OT--Operational technology
OTRB--Over-the-road bus
PHMSA--Pipeline and Hazardous Materials Safety Administration
POAM--Plan of Action and Milestones
PTC--Positive Train Control
PTPR--Public Transportation and Passenger Railroads
RFA--Regulatory Flexibility Act of 1980
RIA--Regulatory Impact Analysis
SCADA--Supervisory control and data acquisition

[[Page 88490]]

SD--Security Directive
SDDCTEA--US Army Military Surface Deployment and Distribution 
Command Transportation Engineering Agency
SOAR--Security orchestration, automation, and response
SP--Special Publication
SRP--Secure Regulatory Portal
SSI--Sensitive security information
STA--Security threat assessment
STRACNET--Strategic Rail Corridor Network
TSA--Transportation Security Administration
UMRA--Unfunded Mandates Reform Act of 1995
VADR--Validated Architecture Design Review

Table of Contents

I. Executive Summary
    A. Purpose of the Regulatory Action
    B. Summary of the Major Provisions
    C. Costs
    D. Benefits
II. Background
    A. Context
    1. Pipeline Transportation
    2. Rail Transportation
    a. Freight Railroads
    b. Passenger Railroads
    c. Rail Transit
    3. Cybersecurity Threats
    4. Threat of Cybersecurity Incidents at the Nexus of IT and OT 
Systems
    B. Statutory Authorities
    1. TSA Surface-Related SDs and Information Circulars
    2. TSA's Assessments, Guidelines, and Regulations Applicable to 
Pipeline and Rail Systems
    a. Pipeline Guidelines, Assessments, and Regulations
    b. Regulating Railroads, Public Transportation Systems, and 
OTRBs
    C. References
    1. National Cybersecurity Strategy
    2. NIST Cybersecurity Framework
    3. CISA Cross-Sector Cybersecurity Performance Goals
    4. TSA's Advance Notice of Proposed Rulemaking
    a. General Support and Need for Regulatory Harmonization and 
Performance-Based Regulation
    b. Core Elements
    c. Training
    d. Supply Chain
    e. Third-Party Assessors
    5. Regulatory Harmonization
III. Proposed Rule
    A. Rule organization
    1. Cybersecurity Requirements
    2. Physical Security Requirements
    3. General Procedures for Security Programs, SDs, and 
Information Circulars
    4. Relation to Other Rulemakings
    B. Terms
    1. General Terms
    2. TSA Cybersecurity Lexicon
    C. Cybersecurity Risk Management Program--General
    1. Introduction
    2. Applicability
    a. Freight Railroads Subject to CRM Program Requirements in 
Proposed Subpart D of Part 1580
    b. Public Transportation Agencies and Passenger Railroads 
Subject to CRM Program Requirements in Proposed Subpart C of Part 
1582
    c. OTRB Owner/Operators Subject to Cybersecurity Incident 
Reporting Requirements in Proposed § 1584.107
    d. Pipeline Systems and Facilities Subject to Physical Security 
Requirements in Proposed Subpart B of part 1586 and CRM Program 
Requirements in Proposed Subpart C of Part 1586
    e. Determinations of Applicability for Requirements in the 
Proposed Rule
    3. Structure of CRM Program Requirements (Proposed §§ 
1580.303, 1582.203, and 1586.203)
    D. Specific CRM Program Requirements
    1. Cybersecurity Evaluation (Proposed §§ 1580.305, 
1582.205, and 1586.205)
    2. Cybersecurity Operational Implementation Plan (Proposed 
§§ 1580.307, 1582.207, and 1586.207)
    a. General COIP Requirements
    b. Governance of the CRM Program (Proposed §§ 1580.309, 
1580.311, 1582.209, 1582.211, 1586.209, and 1586.211)
    c. Identification of Critical Cyber Systems, Network 
Architecture, and Interdependencies
    d. Procedures, Policies, and Capabilities To Protect Critical 
Cyber Systems
    e. Procedures, Policies, and Capabilities To Detect 
Cybersecurity Incidents (Proposed §§ 1580.321, 1582.221, and 
1586.221)
    f. Procedures, Policies, and Capabilities To Respond to, and 
Recover From, Cybersecurity Incidents
    3. Cybersecurity Assessment Plan (Proposed §§ 1580.329, 
1582.229, and 1586.229)
    4. Documentation To Establish Compliance (Proposed §§ 
1580.331, 1582.231, and 1586.231)
    E. Physical Security
    F. General Procedures for Security Programs, SDs, and 
Information Circulars
    1. General Procedures for Security Programs (Proposed Revisions 
to Subpart B of Part 1570)
    2. SDs and Information Circulars (Proposed Subpart C of Part 
1570)
    3. Exhaustion of Administrative Remedies (Proposed § 
1570.119)
    4. Severability
    5. Enforcement and Compliance
    G. Summary of Applicability and Requirements
    H. Compliance Deadlines and Documentation
    I. Sensitive Security Information
    1. Scope of the Revision to TSA's SSI Regulatory Requirements
    2. Disclosure of SSI Upon the ``Need To Know''
IV. Regulatory Analyses
    A. Economic Impact Analysis
    1. Summary of Regulatory Impact Analysis
    2. Assessments Required by E.O.s 12866 and 13563
    a. Costs
    b. Cost Sensitivity Analysis
    c. Benefits
    d. Break-Even Analysis
    3. OMB A-4 Statement
    4. Alternatives Considered
    5. Regulatory Flexibility Assessment
    6. International Trade Impact Assessment
    7. Unfunded Mandates Assessment
    B. Paperwork Reduction Act
    C. Federalism (E.O. 13132)
    D. Energy Impact Analysis (E.O. 13211)
    E. Environmental Analysis
    F. Tribal Consultation (E.O. 13175)

I. Executive Summary

A. Purpose of the Regulatory Action

    On May 8, 2021, a Russian-based cybercriminal group, DarkSide, 
conducted a ransomware attack \3\ that forced a major pipeline company 
to go offline, resulting in a weeklong shutdown of 5,500 miles of 
petroleum pipelines on the East Coast. Actions taken to protect the 
Operational Technology (OT) system temporarily disrupted critical 
supplies of gasoline and other refined petroleum products throughout 
the East Coast, resulting in a regional emergency declaration.\4\ Some 
news agencies reported pictures of snaking lines of cars at gas 
stations across the eastern seaboard and panicked Americans filling 
bags with fuel, fearing not being able to get to work or get their kids 
to school. TSA subsequently used its emergency authority under 49 
U.S.C. 114(l) to impose cybersecurity requirements on certain surface 
transportation entities. See discussion in section II.B.
---------------------------------------------------------------------------

    \3\ See definition of ``ransomware'' in 6 U.S.C. 650(22).
    \4\ See, e.g., U.S. Department of Transportation, Federal Motor 
Carrier Safety Administration, ESC-SSC-WSC--Regional Emergency 
Declaration 2021-002--05-09-2021 (May 9, 2021), available at https://www.fmcsa.dot.gov/emergency/esc-ssc-wsc-regional-emergency-declaration-2021-002-05-09-2021 (last accessed Aug. 1, 2024).
---------------------------------------------------------------------------

    The cyber threat to the country's critical infrastructure has only 
increased in the time since TSA initially issued SDs to address 
cybersecurity in surface transportation in 2021. Cyber threats to 
surface transportation systems continue to proliferate, as both nation-
states and criminal cyber groups target critical infrastructure in 
order to cause operational disruption and economic harm.\5\ Cyber 
attackers have also maliciously targeted other surface transportation 
modes in the United States, including freight railroads, passenger 
railroads, and rail transit systems, with multiple cyberattack and

[[Page 88491]]

cyber espionage campaigns.\6\ Cybersecurity incidents, particularly 
ransomware attacks, are likely to increase in the near and long term, 
due in part to vulnerabilities identified by threat actors in U.S. 
networks.\7\ Especially in light of the ongoing Russia-Ukraine 
conflict, these threats remain elevated and pose a risk to the national 
and economic security of the United States.
---------------------------------------------------------------------------

    \5\ Annual Threat Assessment of the U.S. Intelligence Community, 
Office of the Director of National Intelligence (2024 Intelligence 
Community Assessment), 11, 16 (Feb. 5, 2024), available at https://www.dni.gov/files/ODNI/documents/assessments/ATA-2024-Unclassified-Report.pdf (last accessed July 23, 2024). Note: Infrastructure 
references in this 2024 assessment include pipelines.
    \6\ These activities include the January 2023 breach of the 
Washington Metropolitan Area Transit Authority; the January 2023 
breach of San Francisco's Bay Area Rapid Transit System; and the 
April 2021 breach of New York City's Metropolitan Transportation 
Authority (the nation's largest mass transit agency) by hackers 
linked to the Chinese government. This threat is ongoing: on 
February 7, 2024, CISA published an advisory warning of the threat 
posed by PRC state-sponsored actors. See Cybersecurity Advisory 
(AA24-038A), PRC State-Sponsored Actors Compromise and Maintain 
Persistent Access to U.S. Critical Infrastructure, released by CISA 
on Feb. 7, 2024.
    \7\ Alert (AA22-040A), 2021 Trends Show Increased Globalized 
Threat of Ransomware, released by CISA on February 10, 2022 (as 
revised).
---------------------------------------------------------------------------

    In its 2023 annual assessment, the Intelligence Community noted 
that ``China almost certainly is capable of launching cyber-attacks 
that could disrupt critical infrastructure services within the United 
States, including against oil and gas pipelines, and rail systems.'' 
\8\ Notably, ``[i]f Beijing believed that a major conflict with the 
United States were imminent, it almost certainly would consider 
aggressive cyber operations against U.S. homeland critical 
infrastructure and military assets worldwide. Such a strike would be 
designed to deter U.S. military action by impeding U.S. decision-
making, inducing societal panic, and interfering with the deployment of 
U.S. forces.'' \9\ In addition, ``Russia maintains its ability to 
target critical infrastructure . . . in the United States as well as in 
allied and partner countries'' and ``Tehran's opportunistic approach to 
cyber-attacks puts U.S. infrastructure at risk for being targeted.'' 
\10\ Furthermore, ``malicious cyber actors have begun testing the 
capabilities of AI-developed malware and AI-assisted software 
development--technologies that have the potential to enable larger 
scale, faster, efficient, and more evasive cyber-attacks--against 
targets, including pipelines, railways, and other US critical 
infrastructure.'' \11\
---------------------------------------------------------------------------

    \8\ Annual Threat Assessment of the U.S. Intelligence Community, 
Office of the Director of National Intelligence (2023) (2023 
Intelligence Community Assessment), 10 (Feb. 6, 2023), available at 
https://www.dni.gov/files/ODNI/documents/assessments/ATA-2023-Unclassified-Report.pdf (last accessed July 23, 2024).
    \9\ 2023 Intelligence Community Assessment at 10.
    \10\ 2024 Intelligence Community Assessment at 11.
    \11\ DHS Intelligence and Analysis (I&A), Homeland Threat 
Assessment 18 (2024), available at https://www.dhs.gov/sites/default/files/2023-09/23_0913_ia_23-333-ia_u_homeland-threat-assessment-2024_508C_V6_13Sep23.pdf (last accessed July 23, 2024).
---------------------------------------------------------------------------

    While TSA had issued recommendations to strengthen the 
cybersecurity of pipeline facilities and systems, see discussion in 
Section II.B.2. of this NPRM, reliance on voluntary actions may not be 
sufficient in light of the cyber threat to our national and economic 
security. As noted in the National Cybersecurity Strategy, ``While 
voluntary approaches to critical infrastructure cybersecurity have 
produced meaningful improvements, the lack of mandatory requirements 
has resulted in inadequate and inconsistent outcomes. Today's 
marketplace insufficiently rewards--and often disadvantages--the owners 
and operators of critical infrastructure who invest in proactive 
measures to prevent or mitigate the effects of cyber incidents.'' \12\
---------------------------------------------------------------------------

    \12\ See National Cybersecurity Strategy at 8 (March 2023), 
available at https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf (last accessed July 29, 
2024).
---------------------------------------------------------------------------

    The requirements proposed in this rule would strengthen 
cybersecurity and resiliency for the surface transportation sector by 
mandating reporting of cybersecurity incidents and development of a 
robust CRM program. This rulemaking builds upon TSA's previously issued 
requirements and recommendations, the cybersecurity framework (CSF) 
developed by the National Institute of Standards and Technology 
(NIST),\13\ and the Cross-Sector Cybersecurity Performance Goals (CPGs) 
developed by the Cybersecurity and Infrastructure Security Agency 
(CISA).\14\
---------------------------------------------------------------------------

    \13\ See https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf 
(last accessed May 5, 2024) for more information on the NIST 
Cybersecurity Framework (CSF) 2.0.
    \14\ See https://www.cisa.gov/cross-sector-cybersecurity-performance-goals (last accessed Sept. 22, 2023) for more 
information on the CPGs. A table that aligns the NIST CSF, CPGs, and 
proposed requirements is available in the docket for this 
rulemaking.
---------------------------------------------------------------------------

B. Summary of the Major Provisions

    This NPRM proposes to require owner/operators \15\ of designated 
freight railroads, passenger railroads, rail transit, and pipeline 
facilities and/or systems to have a CRM program approved by TSA. The 
proposed CRM program includes three primary elements. First, owner/
operators to whom the proposed rule applies would be required to 
annually conduct an enterprise-wide cybersecurity evaluation that would 
identify the current profile of cybersecurity (including physical and 
logical/virtual controls) compared to the target profile. The target 
profile must, at a minimum, include the security outcomes identified in 
the proposed rule and should also consider recommendations in the NIST 
CSF.\16\
---------------------------------------------------------------------------

    \15\ See 49 CFR 1500.3 for the definition of ``owner/operators'' 
as used in this rulemaking.
    \16\ See NIST CSF, supra note 13.
---------------------------------------------------------------------------

    Second, those owner/operators would be required to develop a COIP 
that includes the following information: (a) identification of 
individuals/positions responsible for the governance of the owner/
operator's CRM program, including an accountable executive and 
Cybersecurity Coordinator(s); (b) identification of Critical Cyber 
Systems, specific network architecture issues, and baseline 
communications; (c) detailed measures to protect these Critical Cyber 
Systems; (d) detailed measures to detect cybersecurity incidents and 
monitor these Critical Cyber Systems; and (e) measures to address 
response to, and recovery from, a cybersecurity incident. Although many 
of these measures for the COIP are limited to Critical Cyber Systems, 
all owner/operators within the proposed scope of applicability would be 
required to have a Cybersecurity Incident Response Plan (CIRP), 
regardless of whether they identify any Critical Cyber Systems.
    Third, owner/operators subject to the proposed rule would be 
required to have a CAP that includes a schedule for assessments, an 
annual report of assessment results, and identification of unaddressed 
vulnerabilities. Owner/operators would also be required to ensure any 
individuals or companies assigned or hired to evaluate the 
effectiveness of the owner/operator's CRM program are independent, 
i.e., do not have a personal, financial interest in the results of the 
assessment.
    As part of this rule, TSA also is proposing to reorganize 
requirements in subchapter D of 49 CFR chapter XII related to security 
coordinators, reporting significant security concerns, and security 
training of security-sensitive employees. TSA would move these 
requirements from 49 CFR part 1570 and add them to the specific modal 
requirements in parts 1580, 1582, 1584, and a new part 1586, which is 
applicable to pipeline systems and facilities.\17\ In general, the 
applicability of proposed requirements related to designation of a 
cybersecurity coordinator and reporting cybersecurity

[[Page 88492]]

incidents aligns with the current requirements for designation of a 
(physical) security coordinator and reporting of significant (physical) 
security concerns under 49 CFR 1570.201 and 1570.203.
---------------------------------------------------------------------------

    \17\ TSA may make related revisions to organization of a 
rulemaking that would finalize proposed requirements in the NPRM, 
Vetting of Certain Surface Transportation Employees, 88 FR 33472 
(May 23, 2023).
---------------------------------------------------------------------------

    TSA is also proposing to distinguish between requirements focused 
on physical security and those focused on cybersecurity. As part of 
this reorganization and proposed imposition of new cybersecurity 
requirements, TSA is proposing that all owner/operators currently 
required to report significant security concerns to TSA, under current 
49 CFR 1570.203,\18\ report significant physical security concerns to 
TSA and report cybersecurity incidents to CISA. TSA is proposing that 
owner/operators of designated pipeline facilities and systems also 
report both physical and cybersecurity incidents.
---------------------------------------------------------------------------

    \18\ See also Appendix A to 49 CFR part 1570.
---------------------------------------------------------------------------

    Finally, TSA is proposing to incorporate into subchapter D a new 
section related to issuance of SDs and Information Circulars (ICs), 
mirroring language currently applicable in the aviation industry. 
Adding this section would ensure consistent procedures for issuance of 
SDs and ICs across all modes of transportation subject to TSA's 
authorities.

C. Costs

    TSA estimates the proposed rule would impact just under 300 surface 
transportation owner/operators. Using the risk-based criteria for 
application discussed below, see Section III.C.2., TSA estimates these 
proposed requirements would apply to 73 of the approximately 620 
freight railroads currently operating in the United States; 34 of the 
approximately 92 public transportation agencies and passenger railroads 
(PTPR) operating in the United States; 71 OTRB owner/operators who are 
currently subject to TSA's regulatory requirements to report 
significant security concerns; and 115 of the approximately 2,105 
pipeline facilities and systems subject to safety regulations issued by 
the Pipeline and Hazardous Materials Safety Administration (PHMSA), as 
codified in 49 CFR part 192 and 49 CFR 195.1.\19\
---------------------------------------------------------------------------

    \19\ The proposed applicability for pipeline facilities and 
systems specifically excludes U.S. facilities specified in 33 CFR 
105.105(a) that are regulated under 33 CFR part 105 or facilities 
specified in 33 CFR 106.105(a) that are regulated under 33 CFR part 
106.
---------------------------------------------------------------------------

    Table 1 identifies TSA's estimates for the overall cost of this 
proposed rule. This table captures the industry's costs associated with 
implementing the proposed requirements as well as TSA's costs for 
overseeing implementation, over a 10-year period of analysis. See 
Section IV of this NPRM and the related Regulatory Impact Analysis for 
a more detailed breakdown of the estimated costs.

                                           Table 1--Cost of Proposed Rule
----------------------------------------------------------------------------------------------------------------
                                                                              Estimated costs (over 10 years,
                                                                                 discounted at 7 percent)
----------------------------------------------------------------------------------------------------------------
Freight Railroads.......................................................                            $685,776,600
Passenger Railroads and Rail Transit....................................                             881,136,800
OTRBs...................................................................                                 215,900
Pipeline Facilities and Systems.........................................                             580,183,200
TSA.....................................................................                              14,241,200
                                                                         ---------------------------------------
    Total...............................................................                           2,161,553,800
                                                                         ---------------------------------------
    Annualized..........................................................                             307,756,600
----------------------------------------------------------------------------------------------------------------

D. Benefits

    The primary benefit of the proposed rule is a potential reduction 
in the risk of a successful attack or cybersecurity incident and the 
impact of such incidents as a result of implementing the proposed 
requirements. Implementation of a CRM program, as described under the 
proposed rule, could help enhance the security of the regulated 
population by improving the owner/operator's ability to identify, 
detect, protect against, respond to, and recover from cybersecurity 
incidents.
    The proposed cybersecurity outcomes this rule would require provide 
owner/operators with a blueprint for improving defenses against 
cybersecurity incidents. Industry experience indicates that having a 
defense-in-depth approach to cybersecurity enhances the ability to 
prevent and respond to breaches of operational systems and compromises 
of sensitive information.\20\ TSA anticipates the proposed rule's 
requirements, such as enhancing system security, maintaining backups, 
monitoring systems, and developing a response plan, would strengthen 
cybersecurity defenses over the long term. For instance, depending on 
the individual circumstances of a given cyber-attack or cybersecurity 
incident--
---------------------------------------------------------------------------

    \20\ Well-designed security systems have been credited for 
limiting damages in recent cyber incident cases: See ABC7 New York, 
Hackers breached several of MTA's computer systems in April (June 2, 
2021), available at https://abc7ny.com/mta-hack-computer-nyc-new-york-city/10734358/ (last accessed Sept. 28, 2023).
---------------------------------------------------------------------------

     • A commitment to patch management, system segmentation, and 
firewalls could limit the resources potential malicious actors would be 
able to access during an intrusion; \21\
---------------------------------------------------------------------------

    \21\ See, e.g., outcomes associated with the following CISA CPGs 
available at https://www.cisa.gov/cross-sector-cybersecurity-performance-goals (last accessed June 10, 2024): CISA CPG 1.E.
---------------------------------------------------------------------------

     • The presence of backups could allow for system 
restoration, data recovery, and unhindered system operations; \22\
---------------------------------------------------------------------------

    \22\ See, e.g., id. at CISA CPG 2.R.
---------------------------------------------------------------------------

     • Continuous monitoring of the network could help to detect 
and respond to potential threats and limit system degradation; \23\ and
---------------------------------------------------------------------------

    \23\ See, e.g., id. at CISA CPGs 2.A, 2.F., 2.G. and 3.A.
---------------------------------------------------------------------------

     • Having a response plan in place in case of a successful 
cyber-attack or cybersecurity incident would reduce its impact, build 
in resiliency, and support rapid resumption of normal operations.\24\
---------------------------------------------------------------------------

    \24\ See, e.g., id. at CISA CPGs 2.O, 2.P, 2.R., 2.S., and 2.T.
---------------------------------------------------------------------------

    These enhancements, in turn, could reduce the chance of negative 
consequences and service interruptions from cybersecurity incidents to 
the benefit of owner/operators, passengers, and consumers.

[[Page 88493]]

II. Background

A. Context

1. Pipeline Transportation
    The national pipeline system consists of more than 2.9 million 
miles of networked pipelines transporting hazardous liquids, natural 
gas, and other liquids and gases for energy needs and 
manufacturing.\25\ Although most pipeline infrastructure is buried 
underground, operational elements such as compressors, metering, 
regulating, pumping stations, aerial crossings, and breakout tanks are 
typically located above ground. Under operating pressure, the pipeline 
system is used as a conveyance to deliver resources from one location 
to another. In addition to portions of the network that are manually 
operated, the pipeline system includes use of automated industrial 
control systems (ICS), such as supervisory control and data acquisition 
(SCADA) systems to monitor and manage pipeline operations. These 
systems use remote sensors, signals, and preprogramed parameters to 
activate valves and pumps to maintain product flows within tolerances. 
Pipeline systems supply energy commodities and raw materials across the 
country to utilities, airports, military sites, and to the nation's 
industrial and manufacturing sectors. Protecting the vital supply chain 
infrastructure of pipeline operations is critical to national security 
and commerce.
---------------------------------------------------------------------------

    \25\ Mileage information is available at https://www.phmsa.dot.gov/data-and-statistics/pipeline/annual-report-mileage-summary-statistics (last accessed Nov. 30, 2023).
---------------------------------------------------------------------------

2. Rail Transportation
    The rail transportation sector includes freight railroads, 
passenger railroads (including inter-city and commuter), and rail 
transit.
a. Freight Railroads
    The national freight rail network is a complex system that includes 
both physical and cyber infrastructure and consists of more than 620 
freight railroads operating across nearly 140,000 rail miles. This 
sector includes six Class I railroads,\26\ local (also known as Short 
Line) railroads, and regional railroads. The Class I railroads had 
calendar year 2021 operating revenues of at least $900 million. These 
six railroads also account for approximately 68 percent of freight rail 
mileage, 88 percent of employees, and 94 percent of revenue. Regional 
railroads and local railroads range in size from operations handling a 
few carloads monthly to multi-state operators nearly the size of a 
Class I operation.\27\ As stated by the Association of American 
Railroads (AAR), the freight rail sector provides ``a safe, efficient, 
and cost-effective transportation network that reliably serves 
customers and the nation's economy.'' \28\
---------------------------------------------------------------------------

    \26\ For purposes of TSA's regulations, ``Class I'' means 
``Class I'' as assigned by regulations of the Surface Transportation 
Board (STB) (49 CFR part 1201; General Instructions 1-1). See also 
infra note 123.
    \27\ See https://www.aar.org/wp-content/uploads/2020/08/AAR-Railroad-101-Freight-Railroads-Fact-Sheet.pdf (May 2023 update, last 
accessed June 3, 2023).
    \28\ Id.
---------------------------------------------------------------------------

    Freight railroads are private entities that own and are responsible 
for their own infrastructure.\29\ They maintain the locomotives, 
rolling stock, and fixed assets involved in the transportation of goods 
and materials across the nation's rail system. As required by Congress, 
railroads are subject to safety regulations promulgated and enforced by 
the Federal Railroad Administration (FRA). TSA administers and enforces 
the rail security regulations in 49 CFR part 1580.
---------------------------------------------------------------------------

    \29\ Id.
---------------------------------------------------------------------------

b. Passenger Railroads
    Passenger rail is divided into two categories: inter-city and 
commuter rail service. Inter-city provides long-distance service, while 
commuter railroads provide service over shorter distances, usually less 
than 100 miles. The National Railroad Passenger Corporation (Amtrak) is 
the sole long-distance inter-city passenger railroad in the contiguous 
United States. Amtrak, which had a pre-pandemic annual ridership of 
approximately 31.7 million, operates a nationwide rail network, serving 
more than 500 destinations in 46 states, the District of Columbia, and 
three Canadian provinces on more than 21,300 track-miles.\30\ Nearly 
half of all Amtrak trains operate at top speeds of 100 mph or greater. 
In fiscal year 2023, Amtrak customers took nearly 28.6 million trips, 
up 24 percent over the previous year.\31\ In addition to inter-city 
service, Amtrak is one of the largest operators of contract commuter 
services in North America, providing services and/or infrastructure 
access to 13 state and regional authorities.\32\
---------------------------------------------------------------------------

    \30\ See https://www.apta.com/wp-content/uploads/APTA_Fact-Book-2019_FINAL.pdf (last accessed Sept. 19, 2022).
    \31\ See https://media.amtrak.com/2023/11/amtrak-fiscal-year-2023-ridership-exceeds-expectations-as-demand-for-passenger-rail-soars/ (last accessed July 30, 2024).
    \32\ See https://www.amtrak.com/content/dam/projects/dotcom/english/public/documents/corporate/nationalfactsheets/Amtrak-Company-Profile-FY2023-041824.pdf. at 4 (last accessed July 30, 
2024).
---------------------------------------------------------------------------

    Freight railroads provide the tracks for most passenger rail 
operations. For example, 71 percent of the track on which Amtrak 
operates is owned by other railroads. These ``host railroads'' include 
large, publicly traded freight rail companies in the U.S. or Canada, 
State and Local government agencies, and small businesses. Amtrak pays 
the host railroads for use of their track and other resources as 
needed.\33\
---------------------------------------------------------------------------

    \33\ Id. at 2.
---------------------------------------------------------------------------

    Amtrak and other passenger rail agencies, however, are not wholly 
dependent on freight rail infrastructure and corridors for operational 
feasibility; they sometimes control, operate, and maintain tracks, 
facilities, construction sites, utilities, and computerized networks 
essential to their own operations. For example, the Northeast Corridor 
is an electrified railway line in the Northeast megalopolis of the 
United States owned primarily by Amtrak. It runs from Boston through 
New York City, Philadelphia, and Baltimore, with a terminus in 
Washington, DC. The majority of this corridor, 263 of the 457 route-
miles of the main line, are owned and operated by Amtrak.\34\
---------------------------------------------------------------------------

    \34\ Id. at 4.
---------------------------------------------------------------------------

    Amtrak and other passenger railroads also host freight rail 
operations. In fact, the Northeast Corridor is the busiest railroad in 
North America, with approximately 2,000 Amtrak, commuter, and freight 
trains operating over some portion of the Washington-Boston route each 
day.\35\ As with freight railroads, passenger railroads are subject to 
safety regulations put forth and enforced by the FRA. TSA administers 
and enforces passenger rail security regulations in 49 CFR part 1582.
---------------------------------------------------------------------------

    \35\ Id.
---------------------------------------------------------------------------

c. Rail Transit
    Public transportation in America is critically important to our way 
of life, as evidenced by the number of riders on the nation's public 
transportation systems. According to the American Public Transportation 
Association (APTA), 2022 Public Transportation Fact Book, there were 
over 4.49 billion unlinked passenger trips in 2021.\36\ Nationwide, 5.0 
million Americans commute to work on transit, equivalent to 
approximately 3.1 percent of workers. In major metropolitan areas, like 
New York City, over 27 percent of commuters rely on public 
transportation for their

[[Page 88494]]

daily commute.\37\ Rail transit is a critical part of this system. 
According to APTA, 87 percent of trips on transit directly benefit the 
local economy, including 50 percent of trips to and from work and 37 
percent for shopping and recreational spending.\38\ A 
successful cyber-attack would have a profound impact on ridership and a 
negative economic impact nationwide. TSA administers and enforces rail 
transit security regulations in 49 CFR part 1582.
---------------------------------------------------------------------------

    \36\ See APTA, 2023 Public Transportation Fact Book at 3, 
available at https://www.apta.com/wp-content/uploads/APTA-2023-Public-Transportation-Fact-Book.pdf (last accessed July 30, 2024). 
Unlinked passenger trips are an industry measure of ridership, with 
a trip being defined as any time a person boards a transit vehicle, 
including transfers.
    \37\ Id. at 12.
    \38\ Id. at 3. Rail transit includes heavy rail systems, often 
referred to as ``subways'' or ``metros'' that do not interact with 
traffic; light rail and streetcars, often referred to as ``surface 
rail,'' that may operate on streets, with or without their own 
dedicated lanes; and commuter rail services that are higher-speed, 
higher-capacity trains with less-frequent stops.
---------------------------------------------------------------------------

3. Cybersecurity Threats
    Threat actors have demonstrated their willingness to engage in 
cyber intrusions and conduct cybersecurity incidents against critical 
infrastructure by exploiting vulnerabilities in OT \39\ and Information 
Technology (IT) \40\ systems. Pipeline and rail systems, and associated 
facilities, may be vulnerable to cybersecurity incidents due to legacy 
ICS that lack updated security controls and the dispersed nature of 
pipeline and rail networks spanning urban and outlying areas.\41\
---------------------------------------------------------------------------

    \39\ For purposes of this NPRM, TSA defines an ``OT system'' as 
``a general term that encompasses several types of control systems, 
including industrial control systems, supervisory control and data 
acquisition systems, distributed control systems, and other control 
system configurations, such as programmable logic controllers, fire 
control systems, and physical access control systems, often found in 
the industrial sector and critical infrastructure. Such systems 
consist of combinations of programmable electrical, mechanical, 
hydraulic, pneumatic devices or systems that interact with the 
physical environment or manage devices that interact with the 
physical environment.''
    \40\ For purposes of this NPRM, TSA defines an ``IT System'' as 
``any services, equipment, or interconnected systems or subsystems 
of equipment that are used in the automatic acquisition, storage, 
analysis, evaluation, manipulation, management, movement, control, 
display, switching, interchange, transmission, or reception of data 
or information that fall within the responsibility of owner/operator 
to operate and/or maintain.''
    \41\ See CISA, Securing Industrial Control Systems: A Unified 
Initiative (FY 2019-2023) at 4, available at https://www.cisa.gov/sites/default/files/publications/Securing_Industrial_Control_Systems_S508C.pdf (last accessed Aug. 
30, 2023).
---------------------------------------------------------------------------

    As pipeline and rail owner/operators have begun to integrate IT and 
OT systems into their operating environment to further improve safety, 
enable efficiencies, and/or increase automation, their operations 
become increasingly vulnerable to new and evolving cyber threats. A 
successful cyber-intrusion could affect the safe operation and 
reliability of OT systems, including SCADA systems, process control 
systems, distributed control systems, safety control systems, 
measurement systems, and telemetry systems.
    From a design perspective, some pipeline and rail assets are more 
attractive targets for a cybersecurity incident simply because of 
the transported commodity and the impact an incident would have on 
national security and commerce. Minor pipeline and rail system 
disruptions may result in commodity price increases, while prolonged 
pipeline and rail operational disruptions could lead to widespread 
energy shortages and disruption of critical supply lines. Short- and 
long-term disruptions and delays may affect other domestic critical 
infrastructure and industries that depend on pipeline and rail system 
commodities, such as our national defense system.
    The May 2021 DarkSide attack on a major pipeline company is just 
one of many recent ransomware attacks that have demonstrated the 
necessity of ensuring that critical infrastructure owner/operators are 
proactively deploying CRM measures. The Multi-State Information Sharing 
and Analysis Center observed a 153 percent increase in the number of 
ransomware attacks reported by State, Local, Tribal, and Territorial 
governments in the one-year period from 2018 to 2019, including both 
opportunistic and strategic campaigns.\42\ The need to mitigate the 
threats facing domestic critical infrastructure, including by enhancing 
the pipeline and rail industry's current cybersecurity risk management 
posture, is further highlighted by recent warnings about Russian,\43\ 
Chinese,\44\ and Iranian \45\ state-sponsored cyber espionage campaigns 
to develop capabilities to disrupt U.S. critical infrastructure to 
include the transportation sector.\46\ Failure to take action could 
have significant implications for national and economic security.
---------------------------------------------------------------------------

    \42\ See MS-ISAC Security Primer 2020-0002 (May 2020), available 
at https://www.cisecurity.org/insights/white-papers/security-primer-ransomware (last accessed June 3, 2023).
    \43\ See 2023 Intelligence Community Assessment, supra note 9, 
at 15.
    \44\ See id. at 10.
    \45\ See id. at 19.
    \46\ In addition to the resources available at the cites 
referenced in the preceding notes, additional information is 
available on CISA's advisories organized by state-sponsored groups, 
i.e., https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/china (China Cyber Threat Overview and 
Advisories); https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/russia (Russian Cyber Threat 
Overview and Advisories); and https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/iran (Iran Cyber 
Threat Overview and Advisories). See also FBI Private Industry 
Bulletin TRITON Malware Remains Threat to Global Critical 
Infrastructure Industrial Control Systems (Mar. 24, 2022), available 
at docs.house.gov/meetings/JU/JU00/20220329/114533/HHRG-117-JU00-20220329-SD009.pdf (last accessed Sept. 22, 2023).
---------------------------------------------------------------------------

    On March 24, 2022, the U.S. Department of Justice unsealed 
indictments of three Russian Federal Security Service (FSB) officers 
and employees of a State Research Center of the Russian Federation 
Central Scientific Research Institute of Chemistry and Mechanics for 
their involvement in intrusion campaigns against U.S. and international 
oil refineries, nuclear facilities, and energy companies. Documents 
revealed that the Russian FSB conducted a multi-stage campaign in which 
they gained remote access to U.S. and international Energy Sector 
networks, deployed ICS-focused malware, and collected and exfiltrated 
enterprise and ICS-related data.\47\ A recent multi-national 
cybersecurity advisory noted that ``Russian state-sponsored cyber 
actors have demonstrated capabilities to compromise IT networks; 
develop mechanisms to maintain long-term, persistent access to IT 
networks; exfiltrate sensitive data from IT and [OT] networks; and 
disrupt critical (ICS)/OT functions by deploying destructive malware.'' 
\48\
---------------------------------------------------------------------------

    \47\ The superseding indictment is available at https://www.justice.gov/opa/pr/us-citizens-and-russian-intelligence-officers-charged-conspiring-use-us-citizens-illegal#:~:text=Among%20other%20illegal%20activities%2C%20the,for%20local%20office%20in%20St. (Department of Justice Press Release, U.S. 
Citizens and Russian Intelligence Officers Charged with Conspiring 
to Use U.S. Citizens as Illegal Agents of the Russian Government, 
Apr. 18, 2023) (last accessed Sept. 25, 2023); see also Joint 
Cybersecurity Advisory, Tactics, Techniques, and Procedures of 
Indicted State-Sponsored Russian Cyber Actors Targeting the Energy 
Sector, Alert AA22-083A (Mar. 24, 2022), available at https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-083a (last 
accessed Dec. 29, 2023).
    \48\ See Joint Cybersecurity Advisory, Russian State Sponsored 
and Criminal Cyber Threat to Critical Infrastructure, Alert AA22-
110A (Apr. 20, 2022), available at https://www.cisa.gov/uscert/ncas/alerts/aa22-110a (last accessed Dec. 29, 2023).
---------------------------------------------------------------------------

    The nation's adversaries and strategic competitors will continue to 
use cyber espionage and cyber-attacks to seek political, economic, and 
military advantage over the United States and its allies and partners. 
These recent incidents demonstrate the potentially devastating impact 
that increasingly sophisticated cybersecurity incidents can have on our 
nation's critical infrastructure, as well as the direct repercussions 
felt by U.S. citizens. The

[[Page 88495]]

consequences and threats discussed above demonstrate the necessity of 
ensuring that critical infrastructure owner/operators are proactively 
deploying CRM measures.

4. Threat of Cybersecurity Incidents at the Nexus of IT and OT Systems
    Some sectors have taken significant steps to protect either their 
IT or OT systems, depending on which is considered most critical for 
their business needs (e.g., a commodities sector may focus on OT 
systems while a financial sector or other business that focuses on data 
may focus on IT systems). Ransomware attacks targeting critical 
infrastructure threaten both IT and OT systems and exploit the 
connections between these systems. For example, when OT components are 
connected to IT networks, this connection provides a path for cyber 
actors to pivot from IT to OT systems.\49\ Given the importance of 
critical infrastructure to national and economic security, accessible 
OT systems and their connected assets and control structures are an 
attractive target for malicious cyber actors seeking to disrupt 
critical infrastructure for profit or to further other objectives.\50\ 
As CISA notes, recent cybersecurity incidents demonstrate that 
intrusions affecting IT systems can also affect critical operational 
processes even if the intrusion does not directly impact an OT 
system.\51\ For example, business operations on the IT system sometimes 
are used to orchestrate OT system operations. As a result, when there 
is a compromise of the IT system, there is a risk of unaffected OT 
systems being impacted by the loss of operational directives and 
accounting functions.
---------------------------------------------------------------------------

    \49\ See CISA Fact Sheet, Rising Ransomware Threat to 
Operational Technology Assets (June 2021), available at https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Rising_Ransomware_Threat_to_OT_Assets_508C.pdf (last accessed June 
3, 2023).
    \50\ Id.
    \51\ Id.
---------------------------------------------------------------------------

    DHS, the Department of Energy (DOE), the Federal Bureau of 
Investigation, and the National Security Agency have all urged the 
private sector to implement a layered, ``defense-in-depth'' 
cybersecurity posture. For example, ensuring that OT and IT systems are 
separate and segregated will help protect against intrusions that can 
exploit vulnerabilities from one system and move laterally to infect 
another. A stand-alone, unconnected (``air-gapped'') OT system is safer 
from outside threats than an OT system connected to one or more 
enterprise IT systems with external connectivity (no matter how secure 
the outside connections are thought to be).\52\ By implementing a 
layered approach, owner/operators and their network administrators will 
enhance the defensive cybersecurity posture of their OT and IT systems, 
reducing the risk of compromise or severe operational degradation if 
their system is compromised by malicious cyber actors.\53\
---------------------------------------------------------------------------

    \52\ See National Security Agency Cybersecurity Advisory, Stop 
Malicious Cyber Activity Against Connected Operational Technology 
(PP-21-0601 [verbar] APR 2021 Ver 1.0), available at https://media.defense.gov/2021/Apr/29/2002630479/-1/-1/1/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF (last accessed Sept. 19, 2022).
    \53\ See Joint Cybersecurity Advisory, Chinese Gas Pipeline 
Intrusion Campaign, 2011 to 2013 (Alert AA21-201A), available at 
https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-201a 
(last accessed Sept. 19, 2024).
---------------------------------------------------------------------------
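The segregation the agencies recommend above is only as good as the paths that actually exist between the IT and OT networks. As an added illustration (not part of the NPRM, and not TSA, CISA or NSA material), the script below audits a set of observed network flows against a declared zone policy and flags any IT-to-OT conversation that bypasses the industrial DMZ, which is exactly the lateral-movement path the paragraph warns about. The zone address ranges, the allow-list of brokered ports, and the flow records are all constructed for the example and stand in for an owner/operator's own network inventory and firewall or NetFlow export.

```python
"""Audit flow records for IT-to-OT paths that bypass the industrial DMZ."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical zone layout (an assumption for this example, not a real
# network): enterprise IT, an industrial DMZ that brokers every IT/OT
# exchange, and the OT/SCADA network.
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.20.0.0/24")],
    "OT": [ipaddress.ip_network("192.168.100.0/24"),
           ipaddress.ip_network("192.168.101.0/24")],
}

# Permitted cross-zone conversations as (src zone, dst zone, dst port).
# Everything cross-zone that is not listed here is a segmentation finding.
ALLOWED = {
    ("IT", "DMZ", 443),    # enterprise users to the historian web front end
    ("DMZ", "OT", 502),    # historian polling Modbus/TCP on the PLCs
    ("OT", "DMZ", 443),    # OT hosts pushing data up to the historian
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or UNKNOWN if it is not inventoried."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "UNKNOWN"


def parse_flow(line: str) -> Flow:
    """Parse a minimal constructed record format: 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, int(dport), proto)


def check_flow(flow: Flow) -> Optional[str]:
    """Return a finding for a policy-violating flow, or None if it is allowed."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return None  # intra-zone traffic is out of scope for this check
    if "UNKNOWN" in (src_zone, dst_zone):
        return f"unclassified endpoint in {flow.src}->{flow.dst}"
    if (src_zone, dst_zone, flow.dport) in ALLOWED:
        return None
    if src_zone == "IT" and dst_zone == "OT":
        # The path the guidance warns about: IT reaching OT without the DMZ.
        return (f"direct IT->OT path bypasses DMZ "
                f"({flow.src}->{flow.dst}:{flow.dport}/{flow.proto})")
    return f"{src_zone}->{dst_zone} on port {flow.dport} not in allow-list"


def audit(lines: List[str]) -> List[Tuple[Flow, str]]:
    """Run check_flow over raw records, skipping blanks and comments."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason:
            findings.append((flow, reason))
    return findings


# Constructed sample export; two brokered flows followed by three that a
# segmented network should never carry.
SAMPLE_FLOWS = """
# src dst proto dport
10.10.5.23 10.20.0.10 tcp 443
10.20.0.10 192.168.100.17 tcp 502
10.10.5.23 192.168.100.17 tcp 502
10.10.7.99 192.168.101.5 tcp 3389
192.168.100.17 10.10.5.23 tcp 445
""".splitlines()

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

Run against the constructed export, the first two records pass as brokered traffic and the remaining three are reported: an engineering workstation speaking Modbus straight to a PLC, RDP from the enterprise network into the OT range, and an OT host opening SMB back toward IT. The allow-list is deliberately keyed on destination port as well as zone pair so that a compromised DMZ host cannot be used as an open relay; in practice the zone table would be generated from the asset inventory rather than hand-typed, and the same check can be run as a recurring control rather than a one-off audit.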

    The cyber threat to our nation's critical infrastructure has only 
increased in the time since TSA's first cybersecurity SD was issued. 
The surface transportation sector, including the oil and gas pipeline 
industry, is increasingly dependent on automation and use of connected 
technology.\54\ Cyber threats to surface transportation systems 
continue to proliferate as both nation-state actors and criminal cyber 
groups are actively targeting oil and natural gas pipelines with the 
potential to cause operational disruption and economic harm. Ransomware 
attacks are likely to increase in the near and long term, due in part 
to vulnerabilities identified by threat actors in U.S. networks, while 
nation-state actors continue to target U.S. infrastructure for 
disruptive cyberattack options in a crisis or conflict.\55\ These 
threats and their potential consequences to critical transportation 
systems and infrastructure demonstrate the need for TSA to ensure 
owner/operators continue to proactively deploy cybersecurity risk 
management measures.
---------------------------------------------------------------------------

    \54\ See written testimony of Eric Goldstein, Executive 
Assistant Director for Cybersecurity CISA, Joint Hearing Before the 
Subcommittee on Cybersecurity, Infrastructure Protection, and 
Innovation, and the Subcommittee on Transportation and Maritime 
Security, U.S. House of Representatives Committee on Homeland 
Security, Cyber Threats in the Pipeline: Lessons from the Federal 
Response to the Colonial Pipeline Ransomware Attack (June 15, 2021).
    \55\ See 2023 Intelligence Community Assessment, supra note 8, 
for open-source information on the cybersecurity threat. See also 
2024 Intelligence Community Assessment, supra note 5.
---------------------------------------------------------------------------

    Protecting this critical and interconnected sector, and the 
consumers that rely on it, from the impact of cybersecurity incidents 
cannot be accomplished on an ad hoc basis that relies entirely on 
voluntary action. The pipeline sector is an interconnected system. As 
noted by the Interstate Natural Gas Association of America, ``natural 
gas transmission systems have numerous interconnection points and 
market hubs. . . . There are no major interstate pipelines that operate 
in isolation, i.e., without interconnection with at least one or more 
other pipelines.'' \56\ As noted by the PHMSA, ``[p]ipelines play a 
vital role in our daily lives. They transport fuels and petrochemical 
feedstocks that we use in cooking and cleaning, in our daily commutes 
and travel, in heating our homes and businesses, and in manufacturing 
hundreds of products we use daily.'' \57\
---------------------------------------------------------------------------

    \56\ The Interstate Natural Gas Association of America, The 
Interstate Natural Gas Transmission System: Scale, Physical 
Complexity, and Business Model, at 1-2 (Aug. 6, 2010).
    \57\ PHMSA, Pipeline Basics, available at https://primis.phmsa.dot.gov/comm/PipelineBasics.htm (last accessed July 29, 
2024).
---------------------------------------------------------------------------

    Similarly, with the nation's rail system, railroads move over 1.5 
billion tons of freight annually,\58\ and a disruption to this movement 
would have damaging ripple effects across industries, including on 
international trade. In the rail system, the implementation of positive 
train control (PTC) systems has resulted in a far more interconnected 
rail system than previously existed in the United States. The 
interoperability of PTC systems occurs when the ``controlling 
locomotives and/or cab cars of any host railroad and tenant railroad 
operating on the same PTC-equipped main line are able to communicate 
with and respond to the PTC system, even when trains are moving over 
property boundaries.'' \59\ The nation's economic security relies on 
freight rail owner/operators to transport critical manufacturing 
materials, food product, lumber, coal, and other materials critical to 
the supply chain. These railroads also host major passenger and 
commuter rail lines.\60\ The nature of these systems requires a 
baseline of cybersecurity risk management across the highest-risk 
operations to protect these vital resources to national security, 
including economic security.
---------------------------------------------------------------------------

    \58\ See https://www.aar.org/data-center/railroads-states/#:~:text=In%20a%20typical%20year%2C%20U.S.,nearly%20140%2C000%20miles%20of%20track (last accessed July 31, 2024).
    \59\ See https://www.freightwaves.com/news/u-s-class-i-railroads-inch-towards-full-positive-train-control-implementation, 
PTC is interoperable on nearly half of the Class I U.S. rail 
operations (posted Feb. 28, 2020, by Joanna Marsh) (last accessed 
July 29, 2024).
    \60\ Id.

---------------------------------------------------------------------------

[[Page 88496]]

B. Statutory Authorities

    The security of the nation's transportation systems is vital to the 
economic health and security of the United States. Ensuring 
transportation security while promoting the movement of legitimate 
travelers and commerce is a critical counter-terrorism mission assigned 
to TSA.
    Following the attacks of September 11, 2001, Congress created TSA 
under the Aviation and Transportation Security Act (ATSA) and 
established the agency's primary federal role to enhance security for 
all modes of transportation.\61\ The scope of TSA's authority includes 
assessing security risks,\62\ developing security measures to address 
identified risks,\63\ and enforcing compliance with these measures.\64\ 
TSA has broad regulatory authority to issue, rescind, and revise 
regulations as necessary to carry out its transportation security 
functions.
---------------------------------------------------------------------------

    \61\ Public Law 107-71, 115 Stat. 597 (Nov. 19, 2001). ATSA 
created TSA as a component of the DOT. See 49 U.S.C. 114, which 
codified section 101 of ATSA. Section 403(2) of the Homeland 
Security Act of 2002 (HSA), Public Law 107-296, 116 Stat. 2135 (Nov. 
25, 2002), transferred all functions related to transportation 
security, including those of the Secretary of Transportation and the 
Under Secretary of Transportation for Security, to the Secretary of 
Homeland Security. Pursuant to DHS Delegation Number 7060.02.1, the 
Secretary delegated to the Administrator, subject to the Secretary's 
guidance and control, the authority vested in the Secretary with 
respect to TSA, including the authority in sec. 403(2) of the HSA. 
See also 49 U.S.C. 114(d), which specifically gives the 
Administrator authority over all modes of transportation regulated 
by the Department of Transportation at the time TSA was established.
    \62\ See, e.g., 49 U.S.C. 114(f)(1)-(3).
    \63\ See, e.g., 49 U.S.C. 114(f)(4), (10), and (11).
    \64\ See, e.g., 49 U.S.C. 114(f)(7) and (9).
---------------------------------------------------------------------------

1. TSA Surface-Related SDs and Information Circulars
    Under 49 U.S.C. 114(l)(2)(A), TSA is authorized to issue emergency 
regulations or SDs without providing notice or public comment where 
``the Administrator determines that a regulation or security directive 
must be issued immediately in order to protect transportation 
security.'' \65\ SDs issued pursuant to the procedures in 49 U.S.C. 
114(l)(2) ``shall remain effective for a period not to exceed 90 days 
unless ratified or disapproved by the [Transportation Security 
Oversight] Board [(TSOB)] or rescinded by the Administrator.'' \66\
---------------------------------------------------------------------------

    \65\ This provision states: ``Notwithstanding any other 
provision of law or executive order (including an executive order 
requiring a cost-benefit analysis), if the Administrator [of TSA] 
determines that a regulation or security directive must be issued 
immediately in order to protect transportation security, the 
Administrator shall issue the regulation or security directive 
without providing notice or an opportunity for comment and without 
prior approval of the Secretary.'' In addition, section 114(d) 
provides the Administrator authority for security of all modes of 
transportation; section 114(f) provides specific additional duties 
and powers to the Administrator; and section 114(m) provides 
authority for the Administrator to take actions that support other 
agencies.
    \66\ 49 U.S.C. 114(l)(2)(B).
---------------------------------------------------------------------------

    TSA issued SDs in 2021 and 2022 \67\ in response to the 
cybersecurity threat to surface transportation systems and associated 
infrastructure to protect against the significant harm to the national 
and economic security of the United States that could result from the 
``degradation, destruction, or malfunction of systems that control this 
infrastructure.'' \68\ The most current and previous versions of these 
SDs are available on TSA's website.\69\
---------------------------------------------------------------------------

    \67\ See https://www.tsa.gov/sd-and-ea (last accessed June 10, 
2024). TSA issued these SDs under the specific authority of 49 
U.S.C. 114(l)(2)(A).
    \68\ National Security Memorandum on Improving Cybersecurity for 
Critical Infrastructure Control Systems (July 28, 2021).
    \69\ See supra note 67.
---------------------------------------------------------------------------

    The first pipeline SD (the SD Pipeline-2021-01 series), issued on 
May 27, 2021, requires several actions to enhance the security of 
critical pipeline systems \70\ against cybersecurity threats and 
provides that owner/operators must: (1) designate a primary and 
alternate Cybersecurity Coordinator; (2) report cybersecurity incidents 
to CISA within 24 hours of identification of a cybersecurity incident; 
\71\ and (3) review TSA's pipeline guidelines,\72\ assess their current 
cybersecurity posture, and identify remediation measures to address the 
vulnerabilities and cybersecurity gaps.\73\ For purposes of the SDs, 
TSA defined a ``cybersecurity incident'' as ``an event that, without 
lawful authority, jeopardizes, disrupts or otherwise impacts, or is 
reasonably likely to jeopardize, disrupt or otherwise impact, the 
integrity, confidentiality, or availability of computers, information 
or communications systems or networks, physical or virtual 
infrastructure controlled by computers or information systems, or 
information resident on the system.'' The reports must (1) identify the 
affected systems or facilities; and (2) describe the threat, incident, 
and impact or potential impact on IT and OT systems and operations.
---------------------------------------------------------------------------

    \70\ ``Critical pipeline systems'' are determined by TSA based 
on risk.
    \71\ As originally issued, the directive required notification 
within 12 hours of identification. In May 2022, TSA revised this 
requirement to require notification within 24 hours of 
identification.
    \72\ See section I.F. for more information on TSA's guidelines 
for the pipeline owner/operators.
    \73\ TSA may also use the results of assessments to identify the 
need to impose additional security measures as appropriate or 
necessary. TSA and CISA may use the information submitted for 
vulnerability identification, trend analysis, or to generate 
anonymized indicators of compromise or other cybersecurity products 
to prevent other cybersecurity incidents.
---------------------------------------------------------------------------

    The second pipeline SD (the SD Pipeline-2021-02 series), first 
issued on July 19, 2021, required owner/operators to implement specific 
mitigation measures to protect against ransomware attacks and other 
known threats to IT and OT systems and conduct a cybersecurity 
architecture design review. This SD also required owner/operators to 
develop and adopt a cybersecurity incident response plan to reduce the 
risk of operational disruption should their IT and/or OT systems be 
affected by a cybersecurity incident.\74\
---------------------------------------------------------------------------

    \74\ See https://www.tsa.gov/sites/default/files/sd_pipeline_2021-02b-non_ssi_06-06-2022.pdf (last accessed June 10, 
2024) for a version of the SD with the prescriptive requirements.
---------------------------------------------------------------------------

    In December 2021, TSA issued SDs to higher-risk freight railroads 
(the SD 1580-21-01 series) and passenger rail and rail transit owner/
operators (the SD 1582-21-01 series), requiring that they also 
implement the following requirements previously imposed on pipeline 
systems and facilities: (1) designation of a Cybersecurity Coordinator; 
(2) reporting of cybersecurity incidents to CISA within 24 hours; (3) 
developing and implementing a cybersecurity incident response plan to 
reduce the risk of an operational disruption; and (4) completing a 
cybersecurity vulnerability assessment to identify potential gaps or 
vulnerabilities in their systems. For owner/operators not specifically 
covered under the SD 1580-21-01 or 1582-21-01 series, TSA also issued 
an Information Circular (IC-2021-01), which included a non-binding 
recommendation for those surface owner/operators not subject to the SDs 
to voluntarily implement the same measures.\75\
---------------------------------------------------------------------------

    \75\ See https://www.tsa.gov/sites/default/files/20211201_surface-ic-2021-01.pdf (last accessed Oct. 16, 2023).
---------------------------------------------------------------------------

    In the year following issuance of the second pipeline SD, TSA 
determined that its prescriptive requirements limited the ability of 
owner/operators to adapt the requirements to their operational 
environment and apply innovative alternative measures and new 
capabilities. Because of the need to provide greater flexibility, TSA 
revised this SD series, effective July 27, 2022 (SD Pipeline-2021-02C), 
to maintain the security objectives in the previous versions of the SD 
but also provide more flexibility by imposing performance-based, rather 
than prescriptive, security measures. As revised, the SD allows covered 
owner/operators to choose how

[[Page 88497]]

best to implement security measures for their specific systems and 
operations while mandating that they achieve critical security 
outcomes. This approach also affords these owner/operators the ability 
to adopt new technologies and security capabilities as they become 
available, provided that TSA's mandated security outcomes continue to 
be met.
    The current directive, most recently revised in July 2024, 
specifically requires the covered owner/operators of critical pipeline 
systems and facilities to take the following actions:
    • Establish and implement a TSA-approved Cybersecurity 
Implementation Plan (CIP) that describes the specific cybersecurity 
measures employed to protect Critical Cyber Systems, as defined by the 
owner/operator, and the schedule for achieving the security outcomes 
identified by TSA.
    • Develop and maintain an up-to-date Cybersecurity Incident 
Response Plan (CIRP) to reduce the risk of operational disruption, or 
the risk of other business disruption, as defined in the SD, should the 
IT and/or OT systems of a gas or liquid pipeline or railroad be affected 
by a cybersecurity incident. The CIRP must be exercised each year to 
test at least two objectives of the plan and include personnel 
responsible for actions in the CIRP.
    • Develop a Cybersecurity Assessment Plan (CAP) that describes 
how the owner/operator will proactively, regularly, and completely 
assess the effectiveness of cybersecurity measures in their CIP, and 
identify and resolve device, network, and/or system vulnerabilities. 
This plan must be submitted to TSA for approval and an annual report 
provided to TSA and corporate leadership.
    The CIP must identify how the owner/operators meet the following 
primary security outcomes:
    • Implement network segmentation policies and controls to 
ensure that the OT system can continue to safely operate in the event 
that an IT system has been compromised, or vice versa;
    • Implement access control measures to secure and prevent 
unauthorized access to critical cyber systems;
    • Implement continuous monitoring and detection policies and 
procedures to detect cybersecurity threats and correct anomalies that 
affect critical cyber system operations; and
    • Reduce the risk of exploitation of unpatched systems 
through the application of security patches and updates for operating 
systems, applications, drivers, and firmware on critical cyber systems 
in a timely manner using a risk-based methodology.
    As noted above, in addition to developing and implementing a TSA-
approved CIP, this directive requires the covered owner/operators to 
continually assess their cybersecurity posture. These owner/operators 
must develop and update a CAP and submit an annual plan to TSA that 
describes their program for the coming year, including details on the 
processes and techniques they will use to assess the effectiveness of 
cybersecurity measures. Techniques such as penetration 
testing of IT systems and the use of ``red'' and ``purple'' team 
(adversarial perspective) testing are referenced in the SD. At a 
minimum, the CAP must include an architectural design review every 2 
years. See section III.D.3. of this NPRM for additional discussion 
regarding the CAP required by the SD.
    The requirements in this directive apply to Critical Cyber 
Systems. TSA defined a Critical Cyber System to include ``any IT 
or OT system or data that, if compromised or exploited, could result in 
operational disruption. Critical Cyber Systems include business 
services that, if compromised or exploited, could result in operational 
disruption.'' \76\
---------------------------------------------------------------------------

    \76\ For purposes of this directive, ``operational disruption'' 
is defined as ``a deviation from or interruption of business 
critical functions that results from a compromise or loss of data, 
system availability, system reliability, or control of a TSA-
designated critical pipeline and rail system or facility.'' 
``Business critical functions'' is defined as the ``owner/operator's 
determination of capacity to support functions necessary to meet 
operational needs and supply-chain expectations.''
---------------------------------------------------------------------------

    On October 18, 2022, TSA issued an SD imposing similar performance-
based cybersecurity requirements on higher-risk freight railroads and 
passenger rail owner/operators (SD 1580/82-2022-01).\77\ This SD was 
also developed with extensive input from industry stakeholders and 
federal partners, including CISA and the FRA, to address issues unique 
to the rail industry. This engagement included providing the industry 
with a draft to review and comment upon and several meetings, including 
technical roundtables with cyber experts within the industry, before 
TSA issued the SD.
---------------------------------------------------------------------------

    \77\ See https://www.tsa.gov/sites/default/files/sd-1580-82-2022-01.pdf (last accessed Oct. 19, 2022).
---------------------------------------------------------------------------

    As TSA issued these directives under the statutory authority in 49 
U.S.C. 114(l)(2) and intended the requirements to be in place for more 
than 90 days, TSA sought TSOB review and ratification of the use of the 
agency's emergency authorities. Table 2 provides the ratification dates 
for each SD.

                                 Table 2--TSOB Ratification Dates for TSA's SDs
----------------------------------------------------------------------------------------------------------------
                                                                                             Federal Register
              SD series                      Specific SD          Date of ratification           citation
----------------------------------------------------------------------------------------------------------------
SD 1580-21-01........................  SD 1580-21-01..........  December 29, 2021......  87 FR 31093 (May 23,
                                                                                          2022).
                                       SD 1580-21-01A.........  November 16, 2022......  88 FR 36921 (June 6,
                                                                                          2023).
                                       SD 1580-21-01B.........  November 22, 2023......  TBD.
SD 1582-21-01........................  SD 1582-21-01..........  December 29, 2021......  87 FR 31093 (May 23,
                                                                                          2022).
                                       SD 1582-21-01A.........  November 16, 2022......  88 FR 36921 (June 6,
                                                                                          2023).
                                       SD 1582-21-01B.........  November 22, 2023......  TBD.
SD 1580/82-2022-01...................  SD 1580/82-2022-01.....  November 16, 2022......  88 FR 36921 (June 6,
                                                                                          2023).
                                       SD 1580/82-2022-01A....  November 22, 2023......  TBD.
                                       SD 1580/82-2022-01B....  Superseded \78\........  N/A.
                                       SD 1580/82-2022-01C....  July 29, 2024..........  TBD.
SD Pipeline-2021-01..................  SD Pipeline-2021-01....  July 3, 2021...........  86 FR 38209 (July 20,
                                                                                          2021).
                                       SD Pipeline-2021-01A...  December 29, 2021......  87 FR 31093 (May 23,
                                                                                          2022).
                                       SD Pipeline-2021-01B...  June 24, 2022..........  88 FR 36921 (June 6,
                                                                                          2023).
                                       SD Pipeline-2021-01C...  June 21, 2023..........  89 FR 28570 (April 19,
                                                                                          2024).
                                       SD Pipeline-2021-01D...  June 28, 2024..........  TBD.
SD Pipeline-2021-02..................  SD Pipeline-2021-02....  August 17, 2021........  86 FR 52953 (Sept. 24,
                                                                                          2021).
                                       SD Pipeline-2021-02B...  January 13, 2022.......  87 FR 31093 (May 23,
                                                                                          2022).
                                       SD Pipeline-2021-02C...  August 19, 2022........  88 FR 36921 (June 6,
                                                                                          2023).
                                       SD Pipeline-2021-02D...  August 24, 2023........  89 FR 28570 (April 19,
                                                                                          2024).

[[Page 88498]]

 
                                       SD Pipeline-2021-02E...  August 23, 2024........  TBD.
----------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------

    \78\ SD 1580/82-2022-01B, issued in May 2024, was superseded by 
SD 1580/82-2022-01C before ratification by the TSOB.
---------------------------------------------------------------------------

2. TSA's Assessments, Guidelines, and Regulations Applicable to 
Pipeline and Rail Systems

    The Implementing Recommendations of the 9/11 Commission Act of 2007 
(9/11 Act) \79\ requires certain actions to enhance surface 
transportation security. The following two mandates are specifically 
relevant to this rulemaking.
---------------------------------------------------------------------------

    \79\ Public Law 110-53, 121 Stat. 266 (Aug. 3, 2007).
---------------------------------------------------------------------------

a. Pipeline Guidelines, Assessments, and Regulations
    Section 1557(a) of the 9/11 Act requires a program to review 
pipeline operator adoption of guidelines originally issued by the DOT 
in 2002.\80\ TSA originally reviewed operators' adoption of the 
Pipeline Security Information Circular, issued on September 5, 2002, by 
DOT's Office of Pipeline Safety as the primary federal guideline for 
industry security. TSA also reviewed operators' adoption of a 
complementary document, the DOT-issued Pipeline Security Contingency 
Planning Guidance of June 2002.
---------------------------------------------------------------------------

    \80\ Id., as codified at 6 U.S.C. 1207(a).
---------------------------------------------------------------------------

    Recognizing that the Security Circular required updating, TSA 
initiated a process to amend the federal security guidance. These 
revised guidelines were first developed in 2010 and 2011 in 
collaboration with industry and government members of the Pipeline 
Sector and Government Coordinating Councils and other industry 
association representatives and included a range of recommended 
security measures covering all aspects of pipeline operations. 
Consistent with TSA's general authorities under ATSA and the 
requirements in section 1557(d) of the 9/11 Act, the advancement of 
security practices to meet the ever-changing threat environment in both 
the physical and cyber security realms required that the guidelines be 
updated again. Using a similar industry and government collaborative 
approach, TSA updated the Pipeline Security Guidelines in 2018 
(Pipeline Guidelines).\81\ As part of this update, TSA added Section 7, 
``Pipeline Cyber Asset Security Measures,'' including pipeline cyber 
asset identification; security measures for pipeline cyber assets; and 
cybersecurity planning and implementation guidance.
---------------------------------------------------------------------------

    \81\ See Pipeline Security Guidelines (Mar. 2018), with Change 1 
(Apr. 2021), available at https://www.tsa.gov/sites/default/files/pipeline_security_guidelines.pdf (last accessed Sept. 19, 2022).
---------------------------------------------------------------------------

    Section 1557(b) also requires reviewing the pipeline security plans 
and inspection of the most critical facilities for the 100 most 
critical pipeline operators.\82\ The Pipeline Guidelines are used as 
the standard for TSA's Pipeline Security Program Corporate Security 
Reviews (CSRs) and Critical Facility Security Reviews (CFSRs) of the 
most critical pipeline systems. The CSR program has been in effect 
since 2003, during which time a total of approximately 260 CSRs have 
been completed industry wide. Approximately 800 CFSRs have been 
completed since this program's inception in 2009.
---------------------------------------------------------------------------

    \82\ See 6 U.S.C. 1207(b).
---------------------------------------------------------------------------

    Finally, section 1557(d) specifically authorizes the Secretary of 
Homeland Security (Secretary) to issue regulations, as appropriate and 
following consultation with the Secretary of Transportation on the 
extent of risk and appropriate mitigation measures, and to issue 
binding regulations and carry out necessary inspection and enforcement 
actions.\83\ Such regulations would incorporate the 2002 guidelines and 
contain additional requirements as necessary based upon results of the 
inspections performed under section 1557(b). This section specifically 
authorizes assessment of penalties against pipeline facilities and 
systems for non-compliance.\84\ While TSA has had this authority since 
2007, TSA has not determined it was necessary to exercise it until this 
current rulemaking, which is intended to address the increasing 
cybersecurity threat to pipeline facilities and systems.
---------------------------------------------------------------------------

    \83\ See 6 U.S.C. 1207(d).
    \84\ Id. TSA also has specific authority to enforce its security 
regulations. See 49 U.S.C. 114(f)(7).
---------------------------------------------------------------------------

    In addition, while the guidelines are available to all pipeline 
facilities and systems, regardless of whether TSA has determined the 
system is critical, TSA has not determined it is necessary to impose 
cybersecurity requirements through its emergency authorities on the 
full scope of pipeline owner/operators to which the guidelines are 
issued.
    Although this rulemaking would impose cybersecurity requirements on 
certain pipeline owners and operators and subject such entities to 
inspections for compliance, TSA would continue to conduct voluntary 
security assessments in areas where mandatory requirements do not exist 
(e.g., the physical security measures recommended in the guidelines) as 
part of a ``structured oversight'' approach. This approach assesses and 
provides feedback on voluntary implementation of cybersecurity 
recommendations for systems not covered by this proposed rule. These 
assessments would continue TSA's approach of working with the industry 
to determine the industry's voluntary adoption and adherence to non-
regulatory guidelines, including Security Action Items and other 
security measures developed jointly with, and agreed to by, industry 
stakeholders to meet relevant security needs.\85\ As part of these 
assessments, TSA provides recommendations to owner/operators and 
identifies resources to support them in voluntarily enhancing their 
physical and cyber security baseline.
---------------------------------------------------------------------------

    \85\ For additional information on TSA's resources and surface 
transportation security initiatives, see TSA's website at: https://www.tsa.gov/for-industry/resources (last accessed Aug. 30, 2023).
---------------------------------------------------------------------------

b. Regulating Railroads, Public Transportation Systems, and OTRBs
    In 2008, TSA promulgated regulations imposing security requirements 
on owner/operators of freight railroads and rail transit systems, 
including passenger rail and commuter rail, heavy rail transit, light 
rail transit, automated guideway, cable car, inclined plane, funicular, 
and monorail systems. This regulation, in pertinent part, covers 
appointment of security coordinators and security-related reporting 
requirements. For freight railroads, the 2008 rule also imposed 
requirements for the secure transport of Rail Security-Sensitive 
Materials.\86\
---------------------------------------------------------------------------

    \86\ See Rail Transportation Security Final Rule (Rail Security 
Rule), 73 FR 72130 (Nov. 26, 2008).
---------------------------------------------------------------------------

    In addition to measures to enhance pipeline security, the 9/11 Act 
required other regulations to enhance surface transportation security. 
On March 23, 2020, consistent with these requirements, TSA published 
the final rule, ``Security Training for Surface

[[Page 88499]]

Transportation Employees.'' \87\ This regulation requires owner/
operators of higher-risk freight railroad carriers (as defined in 49 
CFR 1580.101), public transportation agencies (including rail mass 
transit and bus systems and passenger railroad carriers, as defined in 
49 CFR 1582.101), and OTRB companies (as defined in 49 CFR 1584.101), 
to provide TSA-approved security training to employees performing 
security-sensitive functions. In addition to implementing these 
provisions, the final rule also expanded the requirement for security 
coordinators and reporting of significant security concerns to apply to 
OTRB and bus-only public transportation agencies, and defined 
Transportation Security-Sensitive Materials.\88\
---------------------------------------------------------------------------

    \87\ 85 FR 16456.
    \88\ See secs. 1512 and 1531 of the 9/11 Act, as codified at 6 
U.S.C. 1162 and 1181, respectively, for security coordinator 
requirements. See sec. 1501(13) of the 9/11 Act, as codified at 6 
U.S.C. 1151(13), for requirement to define ``Transportation Security 
Sensitive Materials.''
---------------------------------------------------------------------------

    The 9/11 Act also requires regulations for higher-risk public 
transportation agencies, railroads, and OTRB owner/operators to develop 
security plans to address specific security issues and vulnerabilities 
identified during an assessment of specific systems, infrastructure, 
and capabilities.\89\ TSA published an advance notice of proposed 
rulemaking (ANPRM) in December 2016 seeking comment on specific issues 
related to the 9/11 Act's requirements for a regulation to address 
vulnerability assessments and security plans.\90\ Through this ANPRM, 
TSA solicited information on the extent to which owner/operators of 
freight railroads, PTPR systems, and OTRBs had taken actions consistent 
with those prescribed by the 9/11 Act for vulnerability assessments and 
security plans, what resources they used to support these actions, and 
information on implementation costs. Given the passage of time and 
different scope of this rulemaking, TSA has established a new docket 
for this rulemaking and advises commenters on the 2016 ANPRM to submit 
comments on this NPRM if they wish for their views to be addressed in a 
final rule.
---------------------------------------------------------------------------

    \89\ See secs. 1405 and 1512 of the 9/11 Act, as codified at 6 
U.S.C. 1134 and 1162, respectively; see also section 1531, as 
codified at 6 U.S.C. 1181 (which imposes similar requirements for 
OTRBs).
    \90\ See 81 FR 91401 (Dec. 16, 2016).
---------------------------------------------------------------------------

    While this proposed rule would not address all elements of 
vulnerability assessments and security plans stipulated in the 9/11 
Act, it would address the 9/11 Act's requirements as they relate to 
the IT and OT systems used by high-risk freight railroads and PTPR 
systems. For example, the 9/11 Act requires identification and 
evaluation of critical systems, including information systems,\91\ 
plans for providing redundant and backup systems needed to ensure 
continued operations in the event of a cybersecurity incident, and 
identification of the vulnerabilities to these systems.\92\ The 
vulnerability assessment requirements applicable to higher-risk rail 
carriers must also identify strengths and weaknesses in (1) 
programmable electronic devices, computers, or other automated systems 
used in providing transportation; (2) alarms, cameras, and other 
protection systems; (3) communications systems and utilities needed for 
railroad security purposes, including dispatching and notification 
systems; and (4) other matters determined appropriate by the 
Secretary.\93\ For security plans, the statute requires regulations 
that address, among other things, actions to mitigate identified 
vulnerabilities, the protection of passenger communication systems, 
emergency response, ensuring redundant and backup systems are in place 
to ensure continued operation of critical elements of the system in the 
event of a terrorist attack or other incident, and other actions or 
procedures as the Secretary determines are appropriate to address the 
security of the public transportation system or the security of 
railroad carriers, as appropriate.\94\ The provisions proposed in this 
NPRM would satisfy such requirements as they relate to cybersecurity in 
high-risk public transportation agencies and railroads.
---------------------------------------------------------------------------

    \91\ See secs. 1405(a)(3) and 1512(d)(1)(A) of the 9/11 Act, as 
codified at 6 U.S.C. 1134(a)(3), 1162(d)(1)(A), respectively.
    \92\ See id. at secs. 1405(c)(2), 1512(d)(1)(D), and 
1512(e)(1)(G), as codified at 6 U.S.C. 1134(c)(2), 1162(d)(1)(D), 
1162(e)(1)(G), respectively.
    \93\ See id. at sec. 1512(d), as codified at 6 U.S.C. 1162(d).
    \94\ See id. at secs. 1405(c)(2) and 1512(e), as codified at 6 
U.S.C. 1134(c)(2), 1162(e), respectively. Only one commenter on the 
ANPRM specifically addressed the inclusion of IT and OT systems for 
purposes of vulnerability assessments and security planning. See 
TSA-2016-0002-0013, available at https://www.regulations.gov under 
Docket No. TSA-2016-0002. This commenter indicated that, at the time 
of the comment, the Rail Information Security Committee of the 
Association of American Railroads focuses on cybersecurity and the 
``industry's physical and cyber security committees annually conduct 
risk assessments using `relevant security information' from a 
variety of resources.'' As part of this effort, they evaluate specific 
information technology and communication assets. They also indicated 
that the industry emphasizes analysis of cyber incidents and sharing 
information with railroads.
---------------------------------------------------------------------------

    In short, the 9/11 Act provisions described above contain a 
combination of detailed requirements regarding vulnerability 
assessments and the content of security plans. Each of these provisions 
confirms and supplements TSA's authority to impose such requirements as 
are appropriate or necessary to ensure the security of the 
transportation system. TSA would issue the proposed rule pursuant to 
and consistent with its general authorities and the 9/11 Act's 
requirements.

C. References

1. National Cybersecurity Strategy
    In March 2023, the Biden-Harris Administration released the 
National Cybersecurity Strategy.\95\ This strategy includes the 
following five pillars identified as critical for building and 
enhancing the collaboration necessary to strengthen the nation's 
cybersecurity posture to protect infrastructure critical to national 
security and the economy: (a) defend critical infrastructure; (b) 
disrupt and dismantle threat actors; (c) shape market forces to drive 
security and resilience; (d) invest in a resilient future; and (e) 
forge international partnerships to pursue shared goals.
---------------------------------------------------------------------------

    \95\ See supra note 12.
---------------------------------------------------------------------------

    Consistent with this strategy, TSA is proposing a performance-based 
regulation for cybersecurity that builds on the NIST CSF and uses the 
CISA CPGs as guardrails to ensure prioritization of those measures most 
critical for establishing a common baseline to reduce known risks to 
national security and the economy.\96\ The following provides a high-
level overview of the NIST CSF and the CISA CPGs. A table that aligns 
these two documents with the proposed requirements in this NPRM is 
available in the docket for this rulemaking.
---------------------------------------------------------------------------

    \96\ Id. at 8-9.
---------------------------------------------------------------------------

2. NIST Cybersecurity Framework
    Executive Order (E.O.) 13636 of February 12, 2013 (Improving 
Critical Infrastructure Cybersecurity), directed NIST to develop a 
voluntary framework to reduce cyber risks to critical 
infrastructure.\97\ This framework, created in collaboration between 
industry and government, consists of standards, guidelines, and 
practices to promote the protection of critical infrastructure. The 
recommendations in the framework are intended to provide a prioritized, 
flexible, repeatable, and cost-effective approach to manage 
cybersecurity-related risks. The framework is not a regulatory document 
in that it is written as recommendations

[[Page 88500]]

and is not enforceable. The recommendations are also extensive and may 
not be applicable to every business or context. NIST is currently in 
the process of reviewing and revising the Cybersecurity Framework. For 
purposes of this rulemaking, TSA has relied on Version 1.1 of April 16, 
2018.
---------------------------------------------------------------------------

    \97\ Published at 78 FR 11737 (Feb. 19, 2013). The Cybersecurity 
Enhancement Act of 2014, Public Law 113-274, 128 Stat. 2971, 2972-
73, subsequently formalized the requirements in the E.O. into 
statutory requirements for NIST.
---------------------------------------------------------------------------

    The NIST CSF is a comprehensive resource for developing a 
cybersecurity program for any business. The framework 
generally includes the following key steps: (a) understanding the 
business's current cybersecurity posture by scoping the Organizational 
Profile; (b) gathering information needed to prepare the Organizational 
Profile, i.e., defining a target state, which should be informed by 
standards and applicable regulations; (c) creating an Organizational 
Profile that identifies and prioritizes opportunities for improving 
within the context of continuous and repeatable processes; (d) 
analyzing the gaps between current state and the Target Profile, and 
creating an action plan to address any identified gaps, including a 
Plan of Action and Milestones; and (e) implementing the action plan and 
updating the Organizational Profile as necessary to keep the 
organization moving towards the target.\98\ These steps are part of an 
iterative cycle that should also consider opportunities for documenting 
and communicating the organization's cybersecurity capabilities and 
known opportunities for improvement with external stakeholders, 
including business partners, prospective customers, suppliers, and 
other third parties.\99\
---------------------------------------------------------------------------

    \98\ See supra note 13 at 7.
    \99\ Id.
---------------------------------------------------------------------------

    There are currently six core functions to the framework: govern, 
identify, protect, detect, respond, and recover. NIST recommends that 
all these functions be addressed concurrently as they all have vital 
roles related to cybersecurity.\100\ Within each of these functions, 
there are multiple recommendations. Finally, the framework identifies 
several framework tiers in ascending order of cybersecurity maturity. 
The first and lowest tier, ``Partial,'' recognizes an ad hoc, reactive, 
and irregular approach to cybersecurity that is driven by case-by-case 
responses in an environment that fails to identify clear roles and 
responsibilities for cybersecurity. The next tier, ``Risk Informed,'' 
has a cybersecurity program that is approved by management but may not 
be known organization wide. While there may be an awareness of risk at 
certain levels within the organization, the company lacks an 
organization-wide process to manage risks and doesn't fully recognize 
both dependencies and dependents that could be affected by insufficient 
cybersecurity.
---------------------------------------------------------------------------

    \100\ Id. at 5.
---------------------------------------------------------------------------

    As companies mature in developing and implementing cybersecurity 
measures, they should be moving to a ``Repeatable'' tier. In this tier, 
processes are formally approved and are known and communicated 
organization wide. There is an organization-wide approach to managing 
risks, consistent methods are in place for cybersecurity policies, 
individuals within the company know their roles and responsibilities 
for cybersecurity, and the company is aware of dependencies and 
dependents. The top tier, ``Adaptive,'' applies to companies that have 
implemented predictive, advanced technologies to address cybersecurity. 
In this tier, cybersecurity risks inform corporate decisions, and the 
company understands its role in the larger ecosystem and contributes to 
a broadening understanding of cybersecurity in its business 
environment. As part of this understanding, the company has a strong 
supply chain understanding and program to manage cybersecurity risks 
within the supply chain based on dependencies and dependents.
3. CISA Cross-Sector Cybersecurity Performance Goals
    CISA developed the CPGs as directed by the National Security 
Memorandum on Improving Cybersecurity for Critical Infrastructure 
Control Systems (signed July 28, 2021). The CISA CPGs can be read as a 
prioritized subset of the NIST CSF framework that critical 
infrastructure owners and operators can implement to meaningfully 
reduce the likelihood and impact of known risks and adversary 
techniques. As with the NIST CSF, the CISA CPGs are voluntary. Unlike 
the NIST CSF, the CISA CPGs are not intended to be comprehensive. 
Aligned with the NIST CSF, the CISA CPGs supplement that framework by 
supporting businesses in prioritizing cybersecurity measures critical 
for establishing a baseline of cybersecurity across critical 
infrastructure that emphasizes measures based on their demonstrated 
ability to reduce known risks. The prioritization used in the CISA CPGs 
goes beyond consideration of risks to specific entities and considers 
the aggregate risk to the nation of cybersecurity incidents on critical 
sectors. The recommendations in the CISA CPGs align with the six core 
functions of the NIST CSF identified above.
4. TSA Advance Notice of Proposed Rulemaking
    On November 30, 2022, TSA published an ANPRM to provide an 
opportunity for interested individuals and organizations, particularly 
higher-risk pipeline and rail (including freight, passenger, and 
transit rail) operations, to help TSA develop a comprehensive and 
forward-looking approach to surface cybersecurity requirements. The 
ANPRM also solicited input from the industry associations representing 
these companies, third-party cybersecurity subject matter experts, and 
insurers and underwriters for cybersecurity risks for these 
transportation sectors.\101\
---------------------------------------------------------------------------

    \101\ See Enhancing Surface Cyber Risk Management, 87 FR 73527 
(Nov. 30, 2022). Through a subsequent notice, TSA extended the 
comment period from January 17, 2023, to February 1, 2023. See 87 FR 
78911 (Dec. 23, 2022).
---------------------------------------------------------------------------

    TSA received comments from 35 commenters in response to the ANPRM, 
with almost 600 specific issues raised by the commenters, which 
included major trade associations and individuals.\102\ Most comments 
received fell into a few general categories: (1) general support; (2) 
emphasis on the need for regulatory harmonization and performance-based 
regulation; and (3) comments on core elements, particularly comments 
related to training, supply chain, and third-party assessors. Some 
comments opposed potential regulation at this time, suggesting that 
voluntary measures are currently sufficient, and that TSA should wait 
for other standards (such as the CISA CPGs) to further mature. TSA 
considered all comments received. The following provides a high-level 
summary of the comments.
---------------------------------------------------------------------------

    \102\ Comments may be viewed in the docket for this rulemaking, 
TSA-2022-0001, at https://www.regulations.gov. The American Gas 
Association, American Fuel and Petrochemical Manufacturers, 
Association of American Railroads, American Short Line and Regional 
Railroad Association, American Public Transportation Association, 
Airlines for America, Liquid Energy Pipeline Association, Interstate 
Natural Gas Association, American Petroleum Institute, and AFL-CIO 
Transportation Trades Division were among the major trade 
associations that submitted comments.
---------------------------------------------------------------------------

a. General Support and Need for Regulatory Harmonization and 
Performance-Based Regulation
    The industry comments generally supported a regulation that builds 
upon the previously issued SDs. Many commenter groups complimented 
TSA's current performance-based directives, which provide owner/
operators the flexibility to determine how to implement cybersecurity 
protocols to achieve the desired outcomes. Furthermore, they emphasized 
how

[[Page 88501]]

adaptive CRM programming would enable regulated parties to--
    • Assess known and potential system and environment 
vulnerabilities;
    • Assess the likelihood and potential operational and 
financial impacts of a threat actor leveraging vulnerabilities to cause 
a cybersecurity incident;
    • Develop a regular cadence of reassessing risk factors and 
recalculating risk; and
    • Implement and monitor the effectiveness of appropriate 
mitigating controls to reduce the probability or impact of an attack.
    A recurring theme in the ANPRM comments focused on encouraging TSA 
to use existing standards as a reference (e.g., the NIST CSF, the CISA 
CPGs, and the North American Electric Reliability Corporation (NERC) 
Critical Infrastructure Protection (CIP) standards \103\) and 
collaborate with other Federal agencies to harmonize cybersecurity 
requirements. Several respondents recommended that TSA facilitate a 
cross-government group composed of State and Federal agencies that 
would meet regularly (e.g., monthly stakeholder calls or ongoing TSA-
led briefings to relevant sector coordinating officials) as well as 
develop common lexicons between these entities before issuing 
requirements.
---------------------------------------------------------------------------

    \103\ The NERC CIP standards are reliability standards for 
operators of the bulk electric system (BES). A small number of 
companies have both pipeline and BES business units. TSA is aware 
that when the agency transitioned from prescriptive security 
requirements in the first iteration of SD Pipeline-2021-02 to the 
performance-based requirements, some owner/operators subject to both 
the TSA and NERC requirements incorporated applicable measures into 
their implementation plans. TSA would continue to provide that 
flexibility with this proposed rule, to the extent that specific 
measures meet the performance standards identified in the proposed 
rule. TSA welcomes comments on any conflicts or divergences that TSA 
should take account of as part of this rulemaking.
---------------------------------------------------------------------------

b. Core Elements
    In the ANPRM, TSA sought comment on the following 11 core elements 
for a CRM program:
    • Designation of an individual responsible for 
cybersecurity;
    • Access controls;
    • Vulnerability assessments;
    • Penetration testing, drills, and exercises;
    • Technical security controls;
    • Physical security controls;
    • Incident response planning & operational resilience;
    • Incident reporting and information sharing;
    • Personnel training & awareness;
    • Supply chain/third-party risk management; and
    • Recordkeeping and documentation.
    While TSA reviewed all of the comments received, we also note that 
many of the comments reiterated issues raised in discussions with 
industry post-issuance of the SDs discussed above. The comments, 
however, also included three issues of particular interest to TSA as 
they applied to requirements included in this proposed rule that were 
not specifically in the SDs: employee cyber training, supply chain/
third-party vendors, and third-party assessors.
c. Training
    Many comments referenced or addressed workforce cyber training. 
Commenters acknowledged that security training is a critical component 
of overall organizational security and compliance. While generally 
supportive of the requirement, one of the industry commenters 
recommended against establishing ``specific training requirements,'' 
noting that specific training needs should be based on an 
organization's particular operating environment as well as the costs 
associated with a cybersecurity incident.
d. Supply Chain
    The National Cybersecurity Strategy (March 2023) identifies the 
criticality of a secure global supply chain for information, 
communications, and OT products and services.\104\ Consistent with this 
prioritization, DHS identified supply chain and third-party service 
provider risk management as a core element for DHS cybersecurity 
regulations. A majority of comments mentioned or addressed supply chain 
issues. Many commenters discussed their efforts to establish a common 
understanding with vendors and third parties through cybersecurity 
contract provisions regarding notifications of product vulnerability, 
access to security patches, notifications of cybersecurity incidents, 
etc. One association specifically noted that a number of pipeline 
operators are working with DHS to develop improved ways to facilitate 
conversations on security between vendors and operators.
---------------------------------------------------------------------------

    \104\ See National Cybersecurity Strategy, supra note 12, at 32.
---------------------------------------------------------------------------

e. Third-Party Assessors
    The concept of third-party assessors was the topic of a significant 
number of comments. In general, commenters opposed requiring owners and 
operators to conduct assessments using third-party validators. 
Commenters considered such a requirement to be shifting costs from the 
government to the regulated parties. Companies within the different 
surface sub-sectors have varying degrees of capability and capacity to 
adopt cybersecurity standards. For example, one association indicated 
that they proactively conduct security control assessments of third 
parties and include them in response and recovery plans and exercises. 
Others, however, indicated they lack the capability and resources to 
use third-party assessors.
5. Regulatory Harmonization
    As noted by the Office of the National Cyber Director (ONCD) in an 
August 2023 Request for Information,\105\ the National Cybersecurity 
Strategy \106\ calls for establishing cybersecurity regulations to 
secure critical infrastructure where existing measures are 
insufficient, harmonizing and streamlining new and existing 
regulations, and enabling regulated entities to afford to achieve 
security.
---------------------------------------------------------------------------

    \105\ See 88 FR 55694 (Aug. 16, 2023).
    \106\ See supra note 12.
---------------------------------------------------------------------------

    TSA emphasizes its commitment to regulatory harmonization and 
streamlining, and notes that this proposed rule, which is grounded in 
NIST's Framework for Improving Critical Infrastructure Cybersecurity, 
NIST's standards and best practices, and the CISA CPGs, is consistent 
with such priorities. TSA also acknowledges the ongoing rulemakings of 
other DHS components, including ongoing rulemakings on cybersecurity in 
maritime transportation and implementation of CIRCIA. Finally, TSA 
notes that this proposed rule follows several years of implementation 
of TSA's SDs. As noted in TSA's information collection requests for the 
SDs, TSA has not identified any other duplicative requirements for the 
cybersecurity mitigation measures required by the SDs and received no 
comments regarding duplication in response to notices published in the 
Federal Register.\107\
---------------------------------------------------------------------------

    \107\ See OMB Approval No. 1652-0074 (Cybersecurity Measures for 
Surface Modes), approved through Aug. 31, 2026; and OMB Approval No. 
1652-0056 (Pipeline Corporate Security Reviews and Security 
Directives), approved through Feb. 28, 2026; and OMB Approval No. 
1652-0050 (Critical Facility Information of the Top 100 Most 
Critical Pipelines), approved through Mar. 31, 2026). One commenter 
noted that TSA's SDs require reporting within 24 hours while the 
CIRCIA proposed rule requires reporting within 72 hours. This issue 
is discussed infra in section III.D.2.f. of this proposed rule.
---------------------------------------------------------------------------

    TSA's experience in imposing cybersecurity requirements to date, as 
well as feedback from the owner/operators subject to those 
requirements, indicates that complete harmonization

[[Page 88502]]

is not possible. Even within the transportation sector, there are modal 
operational issues, different physical controls by other agencies that 
support defense-in-depth measures, as well as other factors that must 
be considered. For example, SD-Pipeline-2021-02 recognizes that the 
need to provide ready access to industrial control workstations in 
controls rooms may make a requirement for multi-factor authentication 
(MFA) inadvisable. TSA allows owner/operators to rely on compensating 
controls used to meet control room requirements issued by 
PHMSA.\108\ Similarly, TSA provides an allowance for alternatives to 
encryption for certain systems used by railroads \109\ and recognizes 
compliance with FRA's requirements to address access to PTC system 
components in locomotives.\110\
---------------------------------------------------------------------------

    \108\ See SD-Pipeline-2021-02 at Section III.C.2.
    \109\ See SD-1580/82-2022-01 at Section III.B.2.b.
    \110\ See id. at III.C.6.
---------------------------------------------------------------------------

    While TSA believes differences in cybersecurity requirements may be 
intentional based on sector-specific distinctions, TSA welcomes 
comments on opportunities to harmonize and streamline regulations where 
feasible and appropriate.

III. Proposed Rule

A. Rule Organization

    This rule proposes changes to the requirements applicable to owner/
operators of freight railroads, PTPR, and OTRBs in subchapter D of 
title 49 CFR, subtitle B, chapter XII. The rule also proposes to add a 
new part 1586 to this subchapter, which would impose requirements 
applicable to owner/operators of specific pipeline facilities and 
systems.
    To facilitate implementation of these requirements, TSA is 
proposing to significantly revise subchapter D. Some of these revisions 
are technical revisions to consolidate previously imposed procedures or 
requirements or to align procedures for security programs with TSA's 
existing processes for aviation. TSA believes consolidating procedural 
and general requirements in part 1570, while providing consolidated 
modal-specific requirements in modal-specific parts, would make it 
easier for owner/operators to identify and implement the proposed 
requirements. TSA is also proposing revisions to terms in part 1500 
that are used in multiple provisions in chapter XII of title 49, and to 
part 1520 to ensure information required by the revisions to subchapter 
XII is protected as SSI, as applicable.
1. Cybersecurity Requirements
    The most significant proposed revision to TSA's regulations is the 
addition of requirements for higher-risk owner/operators of freight 
railroads, PTPR, and pipeline facilities and systems to have a 
comprehensive CRM program. These proposed requirements are found in new 
subpart D of part 1580 (applicable to freight railroads), subpart C of 
part 1582 (applicable to PTPR), and subpart C of part 1586 (applicable 
to pipeline facilities and systems). This proposed rule would also add 
a requirement in subpart B of part 1584 for higher-risk OTRB owner/
operators to report cybersecurity incidents but would not impose the 
comprehensive CRM program requirements on this mode.
2. Physical Security Requirements
    Through this rulemaking, TSA is proposing to distinguish between 
physical security and cybersecurity. TSA is proposing to move the 
requirements currently in subchapter D related to designating a 
security coordinator and reporting significant security concerns to 
revised subparts B within parts 1580, 1582, and 1584, respectively. 
These revised subparts B 
would contain security program requirements primarily focused on 
physical security. TSA also proposes to apply these same requirements 
to pipeline facilities and systems through the new part 1586. Appendix 
A to part 1570, which identifies types of significant security concerns 
to be reported, would be removed from part 1570 and repeated in parts 
1580, 1582, 1584, and 1586.
    As incorporated into this proposed subpart, TSA is proposing to 
clarify that the security coordinator(s) currently required by Sec.  
1570.201 must be a U.S. citizen. This requirement is consistent with 
the 9/11 Act \111\ and advances TSA's need to ensure that the agency 
can rapidly share sensitive information with the owner/operator that 
may be critical to ensure appropriate actions are taken to address 
emerging threats. As provided in the 9/11 Act, TSA may waive the 
citizenship requirement for the security coordinator(s) if the 
individual successfully completes a STA.\112\
---------------------------------------------------------------------------

    \111\ See secs 1512(e)(2) and 1531(e)(2) of the 9/11 Act, as 
codified at 6 U.S.C. 1162(e)(2) and 1181(e)(2), respectively.
    \112\ Id.
---------------------------------------------------------------------------

    In addition, the value of the security coordinator position is 
significantly impeded if there is not an individual in place who can 
receive sensitive information. Therefore, TSA is requiring that 
security coordinators (primary and alternate) be U.S. citizens 
who can receive sensitive information unless waived by TSA. At this 
time, TSA anticipates only one possible situation where a waiver would 
be granted: if one of the Security Coordinators is a U.S. citizen 
(primary or alternate), TSA may grant a waiver for the requirement as 
applied to the other Security Coordinator. From the agency's 
perspective, the purpose of the citizenship requirement is to ensure 
each covered owner/operator has a designated point of contact for 
receiving critical threat information, including intelligence 
information that cannot be shared with foreign citizens. TSA is 
assuming that owner/operators would ensure that if the security 
coordinator on duty is not cleared to receive certain information, that 
individual would promptly notify the security coordinator or other 
appropriate individual who has the required clearances. Both the 
primary and alternate Security Coordinators would be required to 
successfully complete an STA before TSA would consider a waiver.
    TSA is also proposing to move any procedures or requirements 
applicable to training of security-sensitive employees \113\ currently 
in 49 CFR 1570.101-1570.111, and 1570.121 to the applicable modal 
sections. Within the modal requirements, TSA is proposing to 
consolidate the existing security training requirements into one 
section for each mode. None of the requirements would be changed as a 
result of this restructuring. Finally, the title of subpart C of part 
1580, which includes chain of custody requirements applicable to the 
freight rail system, would be changed from ``Operations'' to ``Security 
of Rail Security Sensitive Materials'' without any revisions to the 
requirements in this subpart.
---------------------------------------------------------------------------

    \113\ See Sec. Sec.  1580.3, 1582.3, and 1584.3 for definitions 
of ``security-sensitive employees'' as applied to freight railroads, 
PTPR, and OTRB, respectively.
---------------------------------------------------------------------------

    Physical security encompasses threats to physical infrastructure 
that could affect the safety and security of people, cargo, and 
infrastructure. The definition for physical security in this NPRM 
includes measures that provide for the security of systems and 
facilities, as well as the persons in areas in or near to operations 
that could have their safety and security threatened by an attack on 
physical systems and assets. Examples include rail cars, stations, 
pipelines, terminals, buses, etc. Cybersecurity is also critical for 
protecting the safety and security of people, cargo, and 
infrastructure, but

[[Page 88503]]

the actions taken to prevent cybersecurity incidents are intended to 
protect computers, electronic communications systems and services, wire 
communications, and electronic communications, including information 
contained on these systems, services, and capabilities.\114\
---------------------------------------------------------------------------

    \114\ This explanation of cybersecurity is consistent with 
common understanding as reflected in the NIST Glossary, available at 
https://csrc.nist.gov/glossary/term/cybersecurity (last accessed 
July 6, 2023).
---------------------------------------------------------------------------

    It is important to recognize that there is not a bright line 
between physical and cybersecurity. A comprehensive defense-in-depth 
plan includes both physical and cybersecurity controls to protect IT 
and OT systems. For example, someone could use physical capabilities to 
damage an IT or OT system or thwart ineffective physical access 
controls to a building or floor in order to gain access to a Critical 
Cyber System. Similarly, physical security controls may be used to 
augment cybersecurity measures. Although TSA is distinguishing between 
Physical Security Coordinators and Cybersecurity Coordinators, we 
encourage these individuals to work together and communicate to ensure 
a comprehensive approach to both physical and cybersecurity.
3. General Procedures for Security Programs, SDs, and Information 
Circulars
    Through this rulemaking, TSA is also proposing to revise procedures 
in part 1570 related to security programs. When TSA promulgated the 
Security Training for Surface Transportation Employees final rule in 
2020,\115\ the rule text incorporated specific security program 
requirements. This structure reflected the limited scope of the 
requirements applicable to multiple modes of transportation. To 
accommodate the proposed addition of the cybersecurity requirements, 
TSA proposes to separate security training requirements, as discussed 
above, into the modal-specific parts and to incorporate general 
security program requirements that are consistent with the requirements 
applicable to aviation security programs. These changes, discussed in 
more detail in section III.F.1. of this preamble, would better ensure 
consistency across TSA's regulatory requirements. Table 3 provides a 
distribution table for these changes and those discussed above related 
to physical security requirements. TSA welcomes comment on the 
distribution table and whether any of the proposed changes might have 
unintended effects on existing requirements.
---------------------------------------------------------------------------

    \115\ See supra note 87.

      Table 3--49 CFR Chapter XII, Subchapter D, Distribution Table
------------------------------------------------------------------------
        Former section                        New section
------------------------------------------------------------------------
1570.107.....................  1580.113(k), 1582.113(k), and
                                1584.113(k).
1570.109(b)..................  1580.113(h), 1582.113(h), and
                                1582.114(h).
1570.109(c)(1)...............  1570.107(a)(1).
1570.109(c)(2) and (3).......  1570.107(a)(2)(i) and (ii).
1570.109(g)..................  1570.107(a)(2)(iii).
1570.111(a)..................  1580.113(i), 1582.113(i), and
                                1584.113(i).
1570.111(b)..................  1580.113(j), 1582.113(j), and
                                1584.113(j).
1570.111(c)..................  1570.111.
1570.113(b)(e)...............  1570.107(b).
1570.113(c) and (d)..........  1570.107 (amendment process); and
                                1580.113(o), 1582.113(o), and
                                1584.113(o) (physical security training
                                specific requirements).
1570.113(f)..................  1570.107(b).
1570.113(g)..................  1570.107(f).
1570.115(a)-(b)..............  1570.107(d).
1570.115(c)..................  1570.107(e).
1570.117.....................  1570.109 (narrow alternative process for
                                seasonal or infrequent operations);
                                1570.203 (provides alternate measures
                                for purposes of requirements in Security
                                Directives).
1570.119.....................  1570.107(f).
1570.121.....................  1570.117 (general requirements); and
                                1580.113(l) and (m), 1582.113(l) and (m),
                                and 1584.113(l) and (m) (physical
                                security training specific
                                requirements).
1570.201.....................  1580.103, 1582.103, and 1584.103.
1570.203.....................  1580.105, 1582.105, and 1584.105.
Part 1570, appendix A........  Part 1580, appendix C; part 1582,
                                appendix C; and part 1584, appendix C.
1580.101.....................  1580.113(a).
1580.113(b)(1)-(5) and (7-9).  1580.113(d).
1580.113(b)(6)...............  1580.113(e).
1580.113(c)..................  1580.113(g).
1580.115(a)..................  1580.113(b).
1580.115(c)..................  1580.113(c).
1580.115(c)-(f)..............  1580.113(f).
1582.101.....................  1582.113(a).
1582.113(b)(1)-(5) and (7-9).  1582.113(d).
1582.113(b)(6)...............  1582.113(e).
1582.113(c)..................  1582.113(g).
1582.115(a)..................  1582.113(b).
1582.115(c)..................  1582.113(c).
1582.115(c)-(f)..............  1582.113(f).
1584.113(b)(1)-(5) and (7-9).  1584.113(d).
1584.113(b)(6)...............  1584.113(e).
1584.113(c)..................  1584.113(g).
1584.115(a)..................  1584.113(b).
1584.115(c)..................  1584.113(c).
1584.115(c)-(f)..............  1584.113(f).
------------------------------------------------------------------------


[[Page 88504]]

4. Relation to Other Rulemakings
    TSA has other rulemakings that may reference subparts or sections 
contained in this proposed rule. Specifically, in the Vetting of 
Certain Surface Transportation Employees NPRM, TSA has proposed to add 
vetting requirements as Subpart D of part 1580, Subpart C of part 1582, 
and Subpart C of part 1584.\116\ In this rule, we are proposing to add 
CRM requirements in two of the same subparts, and are proposing to 
revise other provisions that are cross-referenced in the Vetting of 
Certain Surface Transportation Employees NPRM.\117\ Although the 
substance of the two proposals does not conflict, the numbering and 
paragraph designations conflict in some cases. TSA will ensure all 
subparts and sections are deconflicted and consistent before any rules 
are finalized.
---------------------------------------------------------------------------

    \116\ See supra note 17.
    \117\ Id.
---------------------------------------------------------------------------

B. Terms

1. General Terms
    Consistent with the proposed rule's organization, TSA includes 
proposed definitions for terms relevant to several subchapters of TSA 
regulations, beyond the requirements of subchapter D, in part 1500. 
Terms relevant to several parts of subchapter D would be added to Sec.  
1570.3. Terms uniquely relevant to each mode would be included in the 
relevant parts (part 1580 (freight), part 1582 (PTPR), part 1584 
(OTRB), and part 1586 (pipeline facilities and systems)).
    Most of the definitions are derived from existing federal 
regulatory programs, particularly programs administered by DOT. A few 
definitions are based on industry sources. TSA's purpose is to use 
definitions with which regulated parties are familiar, to the extent 
that the definitions are consistent with the purposes of this NPRM. 
Where no existing definition is appropriate, TSA's subject matter 
experts developed the definition based upon the generally accepted and 
known use of terms within each of the modes subject to this proposed 
regulation. Table 4 provides additional information on the terms that 
would be added to TSA's regulations.

              Table 4--Explanation of Proposed Terms and Definitions in Chapter XII of Title 49
----------------------------------------------------------------------------------------------------------------
             Part                    Summary of change                           Explanation
----------------------------------------------------------------------------------------------------------------
1500..........................  Propose adding definition    This term is used in proposed sections regarding
                                 of ``carbon dioxide''.       pipeline applicability in part 1586. Owner/
                                                              operators of control rooms within this definition
                                                              would, under certain criteria, be subject to the
                                                              requirements in proposed part 1586. The proposed
                                                              definition has the same meaning as the term is
                                                             defined in 49 CFR 195.2.
1500..........................  Propose adding definition    This term is used extensively in proposed part 1586
                                 of ``gas''.                  and refers to a commodity that, if transported by
                                                              pipelines, may require the owner/operator to be
                                                              subject to the requirements in part 1586. The term
                                                              is also used in the definition of other terms
                                                              defined in this proposed rule. The proposed
                                                              definition aligns with the definition of this term
                                                              in 49 CFR 192.3.
1500..........................  Propose adding definition    This term is used extensively in proposed part 1586
                                 of ``hazardous liquid''.     and refers to a commodity that, if transported by
                                                              pipelines, may require the owner/operator to be
                                                              subject to the requirements in part 1586. The term
                                                              is also used in the definition of other terms
                                                              defined in this proposed rule. The proposed
                                                              definition has the same meaning as the term is
                                                             defined in 49 CFR 195.2.
1500..........................  Propose adding definition    This term is used extensively in proposed part 1586
                                 of ``liquefied natural gas   and refers to a commodity that, if transported by
                                 (LNG)''.                     pipelines, may require the owner/operator to be
                                                              subject to the requirements in part 1586. The
                                                              proposed definition has the same meaning as the
                                                              term is defined in 49 CFR 193.2007.
1500..........................  Propose adding definition    This term is used extensively in proposed part 1586
                                 of ``pipeline or pipeline    and specifically refers to the means of transport
                                 system''.                    of gas and hazardous liquids. Owner/operators of
                                                              these systems would, under certain applicability
                                                              criteria, be subject to the requirements in part
                                                              1586. The proposed definition has the same meaning
                                                              as the term is defined in 49 CFR 192.3, 193.2007,
                                                              and 195.2.
1500..........................  Propose adding definition    This term is used extensively in proposed part 1586
                                 of ``pipeline facility''.    and specifically refers to the facilities used in
                                                              the transportation of gas and hazardous liquids.
                                                              Owner/operators of these systems would, under
                                                              certain applicability criteria, be subject to the
                                                              requirements in part 1586. The proposed definition
                                                              has the same meaning as the term is defined in 49
                                                              CFR 192.3, 193.2007, and 195.2.
1500..........................  Propose modifying            TSA is proposing to update the definition to
                                 definition of                include the addition of pipeline system and
                                 ``transportation or          facility operations to TSA's regulations through
                                 transport''.                 proposed part 1586.
1500..........................  Propose modifying            This term is used in part 1520 and requirements
                                 definition of                (current and proposed) in subchapter D. TSA is
                                 ``transportation             proposing to update the definition to include
                                 facility''.                  pipeline system and facility operations in
                                                              proposed part 1586.
1500..........................  Propose modifying            This term is used in part 1520 and requirements
                                 definition of               (current and proposed) in subchapter D of 49 CFR
                                 ``transportation security   chapter XII. TSA is proposing to update the
                                 equipment and systems''.    definition to include IT and OT authentication and
                                                             network logging, and to specify that
                                                             transportation security equipment and systems
                                                             include security equipment and systems for the
                                                             protection and monitoring of both physical and
                                                             virtual assets.
1500..........................  Propose adding definition    This term would refer to a controlled vocabulary
                                 of ``TSA Cybersecurity       used in TSA's cybersecurity requirements. In
                                 Lexicon''.                   general, the use of a standard lexicon reduces the
                                                              possibility of misinterpretations when
                                                              communicating cybersecurity definitions and
                                                              terminology.
1570..........................  Propose adding definition    This term is used in proposed sections regarding
                                 of ``accountable             governance of a CRM program. Accountable executive
                                 executive''.                 means an individual employed by an owner/operator
                                                              who is responsible and accountable for the owner/
                                                              operator's compliance with the requirements of
                                                              subchapter D, including authority over human
                                                              resource issues, major financial issues, conduct
                                                              of the owner/operator's affairs, all operations
                                                              conducted related to the requirements of
                                                              subchapter D, and responsibility for all
                                                              transportation-related security issues.
1570..........................  Propose adding definition    This term is used to describe employees of owner/
                                 of ``cybersecurity-         operators who TSA proposes must receive
                                 sensitive employee''.        cybersecurity-related training. The definition
                                                              includes any employee who is a privileged user
                                                              with access to, or privileges to access, a
                                                              Critical Cyber System or any Information or
                                                              Operational Technology system that is
                                                              interdependent with a Critical Cyber System, as
                                                              defined in the TSA Cybersecurity Lexicon.
1580..........................  Propose adding definition    This term is used to identify applicability of CRM
                                 of ``defense connector       requirements and refers to a railroad that has a
                                 railroad''.                  line of common carrier obligation designated a
                                                              defense connector line by the US Army Military
                                                              Surface Deployment and Distribution Command
                                                              Transportation Engineering Agency (SDDCTEA) and
                                                              the FRA, which connects defense installations or
                                                              other activities requiring rail service to
                                                              STRACNET.
1580..........................  Propose adding definition    This term is used to identify applicability of CRM
                                 of ``switching or terminal   requirements and refers to persons primarily
                                 services''.                  engaged in the furnishing of terminal facilities
                                                              for rail passenger or freight traffic for line-
                                                              haul service, and in the movement of railroad cars
                                                              between terminal yards, industrial sidings and
                                                             other local sites. See https://www.osha.gov/sic-manual/4013.

[[Page 88505]]

 
1580..........................  Propose adding definition    This term is used to identify applicability of CRM
                                 of ``train miles''.         requirements. A train-mile is the movement of a
                                                             train (which can consist of many cars) the
                                                             distance of one mile. A train-mile differs from a
                                                             vehicle-mile, which is the movement of one car
                                                             (vehicle) the distance of one mile. A 10-car
                                                             (vehicle) train traveling one mile would be
                                                             measured as one train-mile and 10 vehicle-miles.
                                                             See https://www.bts.gov/content/railroad-passenger-safety-data.
1582..........................  Propose adding definition    This term is used in part 1582 and means the number
                                 of ``unlinked passenger      of people making one-way trips on a public
                                 trips''.                     transportation system in a given time period.
1586..........................  Propose adding definition    This term is used in proposed sections regarding
                                 of ``control room''.         pipeline applicability in part 1586. Owner/
                                                              operators of control rooms within this definition
                                                              would, under certain criteria, be subject to the
                                                              requirements in proposed part 1586. The proposed
                                                              definition has the same meaning as the term is
                                                              defined in 49 CFR 192.3 and 195.2.
1586..........................  Propose adding definition    This term is used in proposed part 1586 relating to
                                 of ``high-consequence        the applicability of the requirements in that
                                 area''.                      part. The proposed definition has the same meaning
                                                              as the term is defined in 49 CFR 192.903 and
                                                              195.450.
1586..........................  Propose adding definition    This term is used in proposed sections regarding
                                 of ``peak shaving            pipeline applicability in part 1586. Owner/
                                 facility''.                  operators of peak shaving facilities would, under
                                                              certain applicability criteria, be subject to the
                                                              requirements in part 1586. There is no current
                                                              federal definition of a ``peak shaving facility,''
                                                              but the term has a commonly accepted
                                                              interpretation across the industry.
----------------------------------------------------------------------------------------------------------------

2. TSA Cybersecurity Lexicon
    TSA has also developed terms specific to cybersecurity requirements 
for purposes of its SDs and ICs discussed in section II.B.1. of this 
NPRM. Rather than including these terms in the regulation, TSA is 
proposing to add ``TSA Cybersecurity Lexicon'' to the terms in 49 CFR 
1500.3. This term would refer to a controlled vocabulary used in TSA's 
cybersecurity requirements and be available on TSA's public website and 
any secure websites used to communicate with regulated entities. In 
general, the use of a standard lexicon reduces the possibility of 
misinterpretations when communicating cybersecurity definitions and 
terminology. The definitions provided below are generally consistent 
with those terms and definitions in the SDs and ICs.
    As the meaning of cybersecurity terms can change over time based on 
emerging technology and capabilities, TSA is proposing to maintain 
these definitions separate from the regulatory text. Any changes to the 
terms would be interpretive in nature and would be made using the 
procedures for amendments to security programs described in proposed 
Sec.  1570.107.
    This approach also allows flexibility for TSA to align with other 
Federal agencies as part of a broader effort to harmonize cybersecurity 
terminology and requirements without delaying the ability to proceed 
with this important rule to establish a strong cybersecurity baseline 
to protect critical surface operations. Table 5 includes the list and 
definition of terms that TSA proposes to establish for the first 
iteration of the TSA Cybersecurity Lexicon.

               Table 5--Explanation of Proposed Terms and Definitions in TSA Cybersecurity Lexicon
----------------------------------------------------------------------------------------------------------------
                 Term                              Proposed definition                      Explanation
----------------------------------------------------------------------------------------------------------------
Authorized representative............  TSA is proposing to use a modified          This term is used in proposed
                                        definition of an ``authorized               sections requiring, as
                                        representative'' from the definition in     necessary and appropriate,
                                        49 CFR 1500.3. For TSA's cybersecurity      identification of
                                        requirements, an ``authorized               individuals at third parties
                                        representative'' is a person who is not a   who are responsible for
                                        direct employee of the owner/operator but   implementing or overseeing
                                        is authorized to act on the owner/          the CRM program, or for
                                        operator's behalf to perform measures       cyber activities identified
                                        required by the security program. The       in or critical to the
                                        term authorized representative includes     implementation of the owner/
                                        agents, contractors, and subcontractors.    operator's CRM program.
                                        This term does not include Managed          Authorized representatives
                                        Security Service Providers.                 may be empowered to act on
                                                                                    behalf of the authorizing
                                                                                    official to coordinate and
                                                                                    conduct the day-to-day
                                                                                    activities associated with
                                                                                    managing risk to information
                                                                                    systems and organizations.
                                                                                    Considering these
                                                                                    responsibilities, authorized
                                                                                    representatives may be
                                                                                    liable for non-compliance
                                                                                    separately from or in
                                                                                    addition to the owner/
                                                                                    operator. [Source:
                                                                                    NIST.SP.800-37r2].
Business critical functions..........  Owner/operator's determination of capacity  This term is used in proposed
                                        or capabilities to support functions        sections regarding
                                        necessary to meet operational needs and     Cybersecurity Incident
                                        supply chain expectations.                  Response Plans to determine
                                                                                    key business functions,
                                                                                    resources, infrastructure,
                                                                                    and assets to ensure
                                                                                    continuity of operations and
                                                                                    supply chain expectations.
                                                                                    [Source: Transportation
                                                                                    Security Template and
                                                                                    Assessment Review Toolkit].
Critical Cyber System................  Any Information Technology or Operational   This term is used in proposed
                                        Technology system used by the owner/        sections to delineate
                                        operator that, if compromised or            criticality of any
                                        exploited, could result in an operational   Information Technology or
                                        disruption incurred by the owner/           Operational Technology
                                        operator. Critical Cyber Systems include    system to prioritize which
                                        those business support services that, if    assets need to be secured
                                        compromised or exploited, could result in   first. [Source: NIST IR 8179/
                                        operational disruption. This term           SD Pipeline-2021-02 series/
                                        includes systems whose ownership,           SD 1580/82-2022-01 series].
                                        operation, maintenance, or control is       These systems may include
                                        delegated wholly or in part to any other    programmable electronic
                                        party.                                      devices, computers, or other
                                                                                    automated systems which are
                                                                                    used in providing
                                                                                    transportation; alarms,
                                                                                    cameras, and other
                                                                                    protection systems; and
                                                                                    communication systems, and
                                                                                    utilities needed for
                                                                                    security purposes, including
                                                                                    dispatching systems.
                                                                                    [Source: sections
                                                                                    1531(d)(1)(C), 1512(d)(1)(C)
                                                                                    of the Implementing
                                                                                    Recommendations of the 9/11
                                                                                    Commission Act of 2007,
                                                                                    Public Law 110-53 (121 Stat.
                                                                                    266; Aug. 3, 2007)].
CISA.................................  The Cybersecurity and Infrastructure        This term is used in proposed
                                        Security Agency within the Department of    sections related to
                                        Homeland Security.                          reporting of cybersecurity
                                                                                    incidents and protection of
                                                                                    Critical Cyber Systems.

[[Page 88506]]

 
Cybersecurity Architecture Design      A technical assessment based on government  This term is used in proposed
 Review.                                and industry-recognized standards,          sections to reflect an
                                        guidelines, and best practices that         assessment for owner/
                                        evaluates systems, networks, and security   operators in developing
                                        services to determine if they are           mitigation strategies to
                                        designed, built, and operated in a          combat cyber intrusion and
                                        reliable and resilient manner. These        cybersecurity incidents.
                                        reviews must be designed to be applicable   CISA offers an assessment
                                        to the owner/operator's Information         called a Validated
                                        Technology and Operational Technology       Architecture Design Review
                                        systems.                                    (VADR) while other third-
                                                                                    party assessment entities
                                                                                    offer a similar assessment
                                                                                    based on CISA's VADR
                                                                                    methodology or a separate
                                                                                    Architecture Design Review
                                                                                    methodology. [Source: CISA
                                                                                    Cyber Resource Hub/SD
                                                                                    Pipeline-2021-02 series/SD
                                                                                    1580/82-2022-01 series].
Cybersecurity incident...............  An occurrence that, without lawful          This term is used in proposed
                                        authority, jeopardizes or is reasonably     sections to detail the
                                        likely to jeopardize the integrity,         elements of a cybersecurity
                                        confidentiality, or availability of         incident in order to
                                        computers, information or communications    accomplish a harmonization
                                        systems or networks, physical or virtual    of definition across the
                                        infrastructure controlled by computers or   government. [Source: DHS
                                        information systems, or information         Lexicon Ed 17 Rev 2/SD
                                        resident on the system. This definition     Pipeline-2021-02 series/SD
                                        includes an event that is under             1580/82-2022-01 series].
                                        investigation or evaluation by the owner/
                                        operator as a possible cybersecurity
                                        incident without final determination of
                                        the event's root cause or nature (such
                                        as, malicious, suspicious, or benign).
Information technology system........  Any services, equipment, or interconnected  This term is used in proposed
                                        systems or subsystems of equipment that     sections to describe what
                                        are used in the automatic acquisition,      Information Technology
                                        storage, analysis, evaluation,              system entails and align the
                                        manipulation, management, movement,         definition with other
                                        control, display, switching, interchange,   Federal agencies. [Source:
                                        transmission, or reception of data or       NIST SP 800-12r1/CISA CPG/
                                        information that fall within the            DHS Lexicon Ed 17 Rev 2/SD
                                        responsibility of an owner/operator         Pipeline-2021-02 series/SD
                                        subject to TSA's Cybersecurity              1580/82-2022-01 series].
                                        Requirements to operate and/or maintain.
Interdependencies....................  Relationships of reliance within and among  This term is used in proposed
                                        Information Technology and Operational      sections to recognize the
                                        Technology systems that must be             vital relationship between
                                        maintained for those systems to operate     Information Technology and
                                        and provide services.                       Operational Technology
                                                                                    systems and used to
                                                                                    determine the policies and
                                                                                    controls that must be in
                                                                                    place to secure critical
                                                                                    cyber systems. [Source: SD
                                                                                    Pipeline-2021-02 series/SD
                                                                                    1580/82-2022-01 series].
Least privilege......................  Persons and programs operate using the      This term is used in proposed
                                        minimum level of access, permissions, and   sections to emphasize a
                                        system resources necessary to perform the   security principle of
                                        function.                                   granting minimum system
                                                                                    resources and authorizations
                                                                                    to accomplished assigned
                                                                                    tasks. [Source: NIST SP 800-
                                                                                    12r1/SD Pipeline-2021-02
                                                                                    series/SD 1580/82-2022-01
                                                                                    series].
Managed Security Service Provider....  For purposes of TSA's cybersecurity         This term is used in proposed
                                        requirements, a person who is not a         sections to make a
                                        direct employee of the owner/operator,      distinction between a
                                        but who provides one or more services or    managed security service
                                        capabilities that the owner/operator is     provider and an authorized
                                        using to perform measures required by the   representative for the
                                        TSA. Managed Security Service Providers     purpose of identifying
                                        generally provide a logical service or      cybersecurity roles and
                                        capability. Managed Security Service        responsibilities. [Source:
                                        Providers are not authorized                NIST SP 800-61r2/NIST SP 800-
                                        representatives.                            172/Joint EA 23-01
                                                                                    Aviation].
Memorized secret authenticator.......  A type of authenticator comprised of a      This term is used in proposed
                                        character string intended to be memorized   sections to describe the
                                        by, or memorable to, the subscriber,        makeup and function of a
                                        permitting the subscriber to demonstrate    password and its critical
                                        something they know as part of an           role in the authentication
                                        authentication process.                     process. [Source: NIST SP
                                                                                    800-63-3/SD Pipeline-2021-02
                                                                                    series/SD 1580/82-2022-01
                                                                                    series].
Operational disruption...............  A deviation from or interruption of         This term is used in two
                                        business critical functions that results    contexts. First, it applies
                                        from a compromise or loss of data, system   to identify reportable
                                        availability, system reliability, or        cybersecurity incidents. It
                                        control of systems.                         is also used for purposes of
                                                                                    identifying Critical Cyber
                                                                                    Systems. The definition is
                                                                                    intended to cover a wide
                                                                                    range of potential
                                                                                    scenarios. For example,
                                                                                    while the term does not
                                                                                    explicitly reference
                                                                                    unauthorized access,
                                                                                    presence of malicious
                                                                                    software, or a distributed
                                                                                    denial of service incident,
                                                                                    those events are covered by
                                                                                    the scenarios used in the
                                                                                    definition. [Source: NIST SP
                                                                                    800-34r1/SD Pipeline-2021-02
                                                                                    series/SD 1580/82-2022-01
                                                                                    series].
Operational technology system........  A general term that encompasses several     This term is used in proposed
                                        types of control systems, including         sections to describe what
                                        industrial control systems, supervisory     Operational Technology
                                        control and data acquisition systems,       system encompasses and align
                                        distributed control systems, and other      the definition with other
                                        control system configurations, such as      Federal agencies. [Source:
                                        programmable logic controllers, fire        NIST SP 800-37r2/CISA CPG/SD
                                        control systems, and physical access        Pipeline-2021-02 series/SD
                                        control systems, often found in the         1580/82-2022-01 series].
                                        industrial sector and critical
                                        infrastructure. Such systems consist of
                                        combinations of programmable electrical,
                                        mechanical, hydraulic, pneumatic devices
                                        or systems that interact with the
                                        physical environment or manage devices
                                        that interact with the physical
                                        environment.
Phishing.............................  Tricking individuals into disclosing        This term is used in proposed
                                        sensitive information through deceptive     sections to expound on a
                                        computer-based means such as internet web   common cybersecurity
                                        sites or e-mails using social engineering   incident that attempts to
                                        or counterfeit identifying information.     acquire sensitive data in
                                                                                    which the perpetrator
                                                                                    masquerades as a legitimate
                                                                                    business or reputable
                                                                                    person. [Source: NIST SP 800-
                                                                                    150/SD Pipeline-2021-02
                                                                                    series/SD 1580/82-2022-01
                                                                                    series].

[[Page 88507]]

 
Reportable cybersecurity incident. Incidents involving systems that the 
owner/operator has responsibility to operate and/or maintain including:
    a. Unauthorized access of an Information Technology or Operational 
Technology system;
    b. Discovery of malicious software that impacts the 
confidentiality, integrity, or availability of an Information 
Technology or Operational Technology system;
    c. Activity resulting in a denial of service to any Information 
Technology or Operational Technology system; and/or
    d. Any other cybersecurity incident that results in, or has the 
potential to result in, operational disruption affecting the owner/
operator's Information Technology or Operational Technology systems; 
other aspects of the owner/operator's systems or facilities, critical 
infrastructure or core government functions; or national security, 
economic security, or public health and safety.
    This term is used in proposed sections to inform the criteria for 
reporting when a cybersecurity incident occurs. [Source: TSA Surface 
IC/SD Pipeline-2021-02 series/SD 1580/82-2022-01 series].

Security orchestration, automation, and response (SOAR). Capabilities 
that enable owner/operators to collect inputs monitored by the security 
operations team. For example, alerts from the security information and 
event management system and other security technologies, on which 
incident analysis and triage can be performed by a combination of human 
and machine effort, help define, prioritize, and drive standardized 
incident response activities. These capabilities allow an owner/
operator to define incident analysis and response procedures in a 
digital workflow format.
    This term is used in proposed sections to highlight capabilities 
that enable owner/operators to monitor systems and drive standardized 
incident response. [Source: NIST SP 800-25/SD Pipeline-2021-02 series/
SD 1580/82-2022-01 series].

Shared account. An account that is used by multiple individuals with a 
common authenticator to access systems or data. A shared account is 
distinct from a group account, which is a collection of user accounts 
that allows administrators to group similar user accounts together in 
order to grant them the same rights and permissions. Group accounts do 
not have common authenticators.
    This term is used to describe an account that requires oversight 
or restriction due to unique requirements. [Source: NIST SP 800-53r5 
(AC-2)/SD Pipeline-2021-02 series/SD 1580/82-2022-01 series].

Spam. Electronic junk mail or the abuse of electronic messaging 
systems to indiscriminately send unsolicited bulk messages.
    This term is used in proposed sections to describe unsolicited 
bulk emailed messages. [Source: NIST SP 800-12r1].

Tor, also known as The Onion Router. Software that allows users to 
browse the web anonymously by encrypting and routing requests through 
multiple relay layers or nodes. Tor software obfuscates a user's 
identity from anyone seeking to monitor online activity (such as 
nation states, surveillance organizations, information security 
tools). This obfuscation is possible because the online activity of 
someone using Tor software appears to originate from the Internet 
Protocol address of a Tor exit node, as opposed to the address of the 
user's computer.
    This term is used in proposed sections to describe open-source 
software for enabling anonymous internet communication. [Source: SD 
Pipeline-2021-02 series/SD 1580/82-2022-01 series].

Trust relationship. An agreed upon relationship between two or more 
system elements that is governed by criteria for secure interaction, 
behavior, and outcomes relative to the protection of assets. This term 
refers to trust relationships between system elements implemented by 
hardware, firmware, and software.
    This term is used in proposed sections to recognize policies that 
govern how entities in differing domains honor each other's 
authorizations. [Source: NIST SP 800-160v1r1/SD Pipeline-2021-02 
series/SD 1580/82-2022-01 series].

Unauthorized access. Access from an unknown source; access by a third 
party or former employee; an employee accessing systems for which he or 
she is not authorized. This term may include a non-malicious policy 
violation such as the use of a shared credential by an employee 
otherwise authorized to access it.
    This term is used in proposed sections to describe what 
Unauthorized Access encompasses. [Source: SD Pipeline-2021-02 series/
SD 1580/82-2022-01 series].
----------------------------------------------------------------------------------------------------------------
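
The shared account and unauthorized access definitions above both treat 
use of one credential by more than one person as something that needs 
oversight, and the unauthorized access definition makes a shared-
credential policy violation a reportable event even when it is not 
malicious. The following Python script is an added example, not part of 
this NPRM or of any TSA or CISA material, of how an owner/operator 
might surface that condition from authentication logs: it pairs login 
and logout events into sessions and flags any account that was logged 
in from two different source hosts at the same time. The log line 
format, the account names and the host names are constructed for the 
illustration; a real deployment would map its own sources (Windows 
4624/4634 events, sshd, VPN concentrators) into the same session 
records.

```python
"""Flag probable shared-credential use from authentication logs.

Added example, not part of the NPRM. Log format, accounts and hosts are
constructed for illustration only.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from itertools import combinations

# Constructed sample log: "<ISO timestamp> <account> <LOGIN|LOGOUT> <host>".
# ops_hmi: a shared HMI credential in use from two workstations at once.
# jsmith: one person, one workstation, two separate sessions (benign).
# svc_hist: a service account whose password sits on three historians.
SAMPLE_LOG = """\
2024-11-07T08:00:05 ops_hmi  LOGIN  eng-ws-01
2024-11-07T08:10:40 ops_hmi  LOGIN  eng-ws-07
2024-11-07T08:45:00 ops_hmi  LOGOUT eng-ws-01
2024-11-07T09:00:00 ops_hmi  LOGOUT eng-ws-07
2024-11-07T08:05:00 jsmith   LOGIN  eng-ws-02
2024-11-07T08:30:00 jsmith   LOGOUT eng-ws-02
2024-11-07T09:00:00 jsmith   LOGIN  eng-ws-02
2024-11-07T09:45:00 jsmith   LOGOUT eng-ws-02
2024-11-07T10:00:00 svc_hist LOGIN  historian-a
2024-11-07T10:00:01 svc_hist LOGIN  historian-b
2024-11-07T10:00:02 svc_hist LOGIN  historian-c
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(LOGIN|LOGOUT)\s+(\S+)$")


@dataclass(frozen=True)
class Session:
    account: str
    host: str
    start: datetime
    end: datetime | None  # None: still open when the log ends


@dataclass(frozen=True)
class Finding:
    account: str
    hosts: tuple[str, ...]   # distinct hosts with overlapping sessions
    first_overlap: datetime  # earliest moment two hosts were logged in


def parse_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Parse lines into (timestamp, account, kind, host), sorted by time."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {raw!r}")
        ts, account, kind, host = m.groups()
        events.append((datetime.fromisoformat(ts), account, kind, host))
    events.sort(key=lambda e: e[0])
    return events


def build_sessions(events) -> list[Session]:
    """Pair LOGIN/LOGOUT events per (account, host) into sessions."""
    open_since: dict[tuple[str, str], datetime] = {}
    sessions: list[Session] = []
    for ts, account, kind, host in events:
        key = (account, host)
        if kind == "LOGIN":
            if key in open_since:  # LOGIN with no LOGOUT: close the old one
                sessions.append(Session(account, host, open_since.pop(key), ts))
            open_since[key] = ts
        elif key in open_since:
            sessions.append(Session(account, host, open_since.pop(key), ts))
        # A LOGOUT with no matching LOGIN (log began mid-session) is dropped.
    for (account, host), start in open_since.items():
        sessions.append(Session(account, host, start, None))
    return sessions


def _overlap_start(a: Session, b: Session) -> datetime | None:
    """When two sessions first overlap, or None if they never do."""
    start = max(a.start, b.start)
    ends = [s.end for s in (a, b) if s.end is not None]
    return start if not ends or start < min(ends) else None


def find_shared_use(sessions: list[Session]) -> list[Finding]:
    """One Finding per account logged in from two hosts at the same time."""
    by_account: dict[str, list[Session]] = defaultdict(list)
    for s in sessions:
        by_account[s.account].append(s)
    findings = []
    for account, sess in sorted(by_account.items()):
        hosts: set[str] = set()
        first = None
        for a, b in combinations(sess, 2):
            if a.host == b.host:
                continue  # re-login from the same host is not sharing
            t = _overlap_start(a, b)
            if t is not None:
                hosts.update((a.host, b.host))
                first = t if first is None or t < first else first
        if hosts:
            findings.append(Finding(account, tuple(sorted(hosts)), first))
    return findings


def scan(text: str) -> list[Finding]:
    return find_shared_use(build_sessions(parse_log(text)))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.account}: concurrent use from {', '.join(f.hosts)} "
              f"starting {f.first_overlap.isoformat()}")
```

On the constructed sample the script reports ops_hmi (two engineering 
workstations overlapping from 08:10:40) and svc_hist (three historians 
with sessions still open), and stays silent on jsmith, whose two 
sessions come from one host and do not overlap. A session that is 
still open when the log ends is treated as overlapping anything that 
starts after it, which is the conservative choice for a shared-
credential review; an account that legitimately must be shared should 
be handled through the restrictions the definition calls for rather 
than suppressed here.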

C. Cybersecurity Risk Management Program--General

1. Introduction
    The primary purpose of this rulemaking is to mitigate the impacts 
of cybersecurity incidents on higher-risk surface modes of 
transportation. This purpose will not be met by simply codifying the 
requirements in the SDs or assuming that what is currently being done 
will be sufficient for the future. Cybersecurity is not static; it is 
an ever-evolving capability to address ever-evolving threats. To ensure 
critical systems are protected from a cybersecurity incident, this 
proposed rule includes requirements to establish a CRM program that 
would ensure cybersecurity maturity as an ongoing and adaptive process. 
In developing the requirements in this proposed rule, TSA began with 
those previously imposed by TSA through SDs issued under the authority 
of 49 U.S.C. 114(l), considered the structure and recommendations in 
the NIST CSF, and focused on the actions prioritized by CISA in the 
CPGs. Through implementation of these requirements, TSA believes the 
regulated parties would meet the NIST ``Repeatable'' Tier, which 
applies to companies with mature cybersecurity programs that are 
formally approved and are known and communicated organization-wide, 
reflect an organization-wide approach to managing risks, have 
consistent methods in place for cybersecurity policies, ensure 
individuals within the company know their roles and responsibilities 
for cybersecurity, and maintain an awareness of the company's 
dependencies and dependents.
2. Applicability
    The applicability for this proposed rule is modified from the 
applicability of the current SD requirements. Specifically, the 
applicability of those SDs for railroads and rail transit systems 
generally aligns with the applicability for security training in 49 CFR 
part 1580 and 1582. For pipelines, applicability of the SDs aligns with 
TSA's designation of the most critical pipeline systems and facilities 
for purposes of the Pipeline Security Program Corporate Security 
Reviews and Critical Facility Security Reviews required by section 1557 
of the

[[Page 88508]]

9/11 Act.\118\ These applicability determinations were based on the 
physical security of transportation systems and risks within that 
context.
---------------------------------------------------------------------------

    \118\ See supra note 81.
---------------------------------------------------------------------------

    Use of TSA's risk-based determinations for applicability is 
consistent with the focus of the 9/11 Act's requirements on higher-risk 
operations. This risk-based focus is reflected in the statutory 
requirements that focus security training requirements on frontline 
employees, not all employees; \119\ require risk-based tiers where 
only the highest tier would be required to comply with regulations for 
vulnerability assessments and security plans; \120\ and focus the 
pipeline security reviews on the most critical systems and 
facilities.\121\ To expedite use of TSA's emergency authorities under 
49 U.S.C. 114(l)(2), the agency primarily relied on the risk 
determinations used for these requirements and reviews to impose the 
cybersecurity requirements in the SDs discussed in section II.B.1 of 
this NPRM.
---------------------------------------------------------------------------

    \119\ See secs. 1408(a), 1517(a), and 1534(a) of the 9/11 Act, 
codified at 6 U.S.C. 1137(a), 1167(a), and 1184(a), respectively.
    \120\ See secs. 1512(a) and 1181(a) of the 9/11 Act, codified at 
6 U.S.C. 1162(a) and 1181(a).
    \121\ See supra note 81.
---------------------------------------------------------------------------

    Since issuance of these SDs, TSA has determined that with respect 
to permanent regulations, different risk criteria apply when the focus 
is on cybersecurity. In addition to protecting passengers and the 
immediate supply chain, risk considerations also include protecting 
national security, including economic security, and recognizing their 
dependence on reliable freight rail and pipeline systems. As risk is a 
construct of threat, vulnerabilities, and consequences, the change from 
physical to virtual risks involves different types of threats related 
to motivation and capacity, different vulnerabilities reflecting 
reliance on IT and OT systems and dependency, and different 
consequences to passenger safety and the supply chain if a Critical 
Cyber System is the target of a successful cybersecurity incident. 
Where cybersecurity incidents in some sectors are primarily focused on 
loss of data or privacy information, in the transportation sector, a 
cybersecurity incident has a potential impact on operations affecting 
passenger safety, the environment, and the supply chain. In other 
words, cybersecurity incidents could have direct physical consequences. 
See discussion in section II.A.4. regarding cybersecurity threats. As 
noted in the National Cybersecurity Strategy, regulatory agencies are 
encouraged to ensure ``cybersecurity regulations for critical 
infrastructure . . . prioritize the availability of essential 
services.'' \122\ The expanding nature of cyber risks to the 
transportation sector also requires an assessment of applicability 
specific to these risks. Consistent with these considerations, TSA is 
proposing the following applicability criteria for freight railroads, 
rail transit and passenger railroads, and pipelines facilities and 
systems.
---------------------------------------------------------------------------

    \122\ See supra note 12, at 8-9.
---------------------------------------------------------------------------

a. Freight Railroads Subject to CRM Program Requirements in Proposed 
Subpart D of Part 1580
    TSA proposes that the CRM program requirements apply to the freight 
railroads that transport the greatest amount of cargo or are identified 
as supporting certain Department of Defense (DoD) operations. TSA 
estimates 73 freight railroads would meet the following risk-based 
criteria:
    • Is a Class I railroad as defined in current 49 CFR 1580.3; 
\123\ or
---------------------------------------------------------------------------

    \123\ TSA currently defines a Class I railroad by reference to 
the classifications of the Surface Transportation Board. For 
regulatory purposes, the Surface Transportation Board categorizes 
rail carriers into three classes: Class I, Class II, and Class III. 
The classes are based on the carrier's annual operating revenues. 
Current thresholds establish Class I carriers as any carrier earning 
revenue greater than $943.9 million, Class II carriers as those 
earning revenue between $42.4 million and $943.9 million, and Class 
III carriers as those earning revenue less than $42.4 million. See 
49 CFR part 1201; General Instructions 1-1. TSA is proposing to 
revise its definition applicable to class determinations to include 
Class I, Class II, and Class III freight railroads.
---------------------------------------------------------------------------

    • Is a Class II or III railroad that:
        ○ Transports one or more of the categories and quantities of 
Rail Security-Sensitive Materials \124\ in a High Threat Urban Area; 
\125\
---------------------------------------------------------------------------

    \124\ 49 CFR 1580.3.
    \125\ Appendix A to 49 CFR part 1580.
---------------------------------------------------------------------------

        ○ Provides switching or terminal services to two or more 
Class I railroads;
        ○ Operates an average of at least 400,000 train miles in any 
of the three years before the effective date of the final rule or in 
any calendar year after the effective date; \126\
---------------------------------------------------------------------------

    \126\ TSA reviewed historical statistics from the FRA to discern 
a threshold of annual train miles. The 400,000 train-miles threshold 
provided a clear breakpoint between large, medium, and small 
railroad operations. See https://railroads.dot.gov/accident-and-incident-reporting/overview-reports/train-miles-and-passengers (last 
accessed Sept. 27, 2023).
---------------------------------------------------------------------------

        ○ Is designated as a Defense Connector Railroad by DoD, as 
defined in proposed 1580.3; or
        ○ Serves as a host railroad to any of the freight railroad 
operations identified above or a higher-risk passenger rail operation 
identified in proposed Sec.  1582.201; \127\
---------------------------------------------------------------------------

    \127\ 49 CFR 1582.101.
---------------------------------------------------------------------------

    These criteria for applicability would capture railroads responsible 
for approximately 94 percent of the freight transported by rail in the 
United States, railroads that transport the largest volume of cargo, 
and railroads that serve as critical connections between Class I 
railroads or serve as vital links in the Strategic Rail Corridor 
Network (STRACNET).\128\ A cybersecurity incident affecting one of 
these railroads would have the most significant impact on rail 
transportation, national security, and economic security.
---------------------------------------------------------------------------

    \128\ The Strategic Rail Corridor Network is an interconnected 
and continuous rail line network consisting of over 36,000 miles of 
track serving over 120 defense installations.
---------------------------------------------------------------------------

    The proposed applicability criteria for CRM program requirements 
would expand the applicability of the requirements set forth in the SDs 
to include an additional nine railroads, all of which operate more than 
an average 400,000 train miles \129\ per year. TSA is proposing this 
expansion because these railroads represent a population that, were 
they to experience a degradation of service due to a cybersecurity 
incident, the effects of that service-degradation would ripple across 
the nation's rail network and cause significant disruption to the 
industry's service capacity.
---------------------------------------------------------------------------

    \129\ A train-mile is a unit in railroad accounting and refers 
to the distance of one mile covered by a single train, which may 
have several cars.
---------------------------------------------------------------------------

    TSA is not proposing to apply the CRM program requirements to most 
short line and regional railroads. Although TSA's current regulations 
in 49 CFR part 1580 apply some requirements to the majority of the 
short line and regional railroads, these are not generally high-cost 
requirements. Applying the CRM program requirements to these smaller 
railroads would, however, impose costs with limited corresponding 
benefits to minimize the consequences that the proposed rule is 
intended to address as there would not be a significant impact on 
national security, including economic security, if one of these 
railroads had operational disruption due to a cybersecurity incident. 
An expanded scope of applicability could also be beyond TSA's current 
resources to effectively monitor for compliance. For those operators 
not determined to be at higher-risk, TSA believes it is more beneficial 
to continue issuing recommendations and engagements through field 
inspector outreach, trade association webinars, and other events to 
encourage railroad owner/operators

[[Page 88509]]

not subject to TSA's requirements to take voluntary preventive measures 
to enhance their cybersecurity.
    TSA is not proposing to include rail hazardous materials shippers 
and receivers in the scope of applicability for CRM requirements. TSA 
regulates these entities for purposes of ``chain of custody'' 
requirements in subpart C of 49 CFR 1580 due to their role at the 
beginning and end of the line for transporting Rail Security Sensitive 
Materials (RSSM). Based on their position in the supply chain, the 
security of these materials necessitates that these entities receive 
and share critical security information. To meet this need, TSA 
requires shippers and receivers of RSSM to have Physical Security 
Coordinators and to report physical incidents affecting these 
operations that could have an impact on the security of the shipment 
during transport by a freight railroad. We do not regulate operations 
within these facilities and do not intend to expand the scope of our 
requirements through this proposed rule.
    Finally, TSA currently requires all freight railroads to have a 
security coordinator and report significant security concerns focused 
on physical security.\130\ Similarly, TSA is proposing that all freight 
railroads currently required to have a security coordinator and report 
significant security concerns also have designated individual(s) 
responsible to serve as a Physical Security Coordinator and/or a 
Cybersecurity Coordinator \131\ and report significant physical 
security concerns to TSA and cybersecurity incidents to CISA. Although 
the costs of a robust CRM program for the broader scope of freight 
railroads may not be justified at this time based on known risks, that 
determination does not mean that cybersecurity should be ignored. All 
railroads need a point of contact for receiving and processing 
information on cybersecurity risks, and the U.S. government needs to be 
promptly advised of any cybersecurity incidents involving these 
railroads to have a thorough understanding of the current threat 
environment.
---------------------------------------------------------------------------

    \130\ See current 49 CFR 1570.201 and 1570.203.
    \131\ TSA is not preventing an owner/operator from designating 
the same individual(s) to serve as the Physical Security Coordinator 
and Cybersecurity Coordinator (or alternate) if all of the 
applicable requirements are met. At the same time, TSA recognizes 
that some owner/operators may want to have different individuals 
serve in these functions based upon their individual expertise and 
understanding of operations.
---------------------------------------------------------------------------

b. Public Transportation Agencies and Passenger Railroads Subject to 
CRM Program Requirements in Proposed Subpart C of Part 1582
    The criteria for applicability of the CRM program requirements for 
PTPR systems consider both location and passenger volume as primary 
risk considerations. Based on these considerations, TSA is proposing 
that the CRM rule apply to those rail transit systems and passenger 
railroads with the largest daily ridership. A successful cybersecurity 
incident against one or more of these systems or railroads could have a 
significant impact on the transportation sector, with consequences to 
national and economic security.
    TSA estimates that 34 rail transit and passenger railroads, 
including Amtrak, would meet the following risk-based criteria:
    • Is Amtrak (also known as the National Railroad Passenger 
Corporation) or another passenger railroad with average daily unlinked 
passenger trips of 5,000 or greater in any of the three previous years 
before the effective date of the final rule, or within any single 
calendar year after the effective date;
    • Is a passenger railroad that hosts a Class I railroad or Amtrak, 
regardless of ridership volume; or
    • Is a rail transit system with average daily unlinked 
passenger trips of 50,000 or more per year in any of the three calendar 
years before the effective date of the final rule, or any single 
calendar year after the effective date of the final rule.
    TSA is proposing to define ``unlinked passenger trips'' in Sec.  
1582.3 as the number of times an individual boards public 
transportation as counted each time a vehicle is boarded, not based on 
travel from origin to destination. For example, a person riding only 
one vehicle from origin to destination takes one unlinked trip. A 
person who transfers to a second vehicle while travelling from origin 
to destination takes two unlinked trips. In some contexts, ``unlinked 
passenger trips'' are also referred to as ``boardings.'' For purposes 
of this proposed rule, however, TSA is consistently using ``unlinked 
passenger trips.''
    This scope of applicability would limit the economic burden to the 
highest consequence operators while still accounting for greater than 
90 percent of the total nationwide daily rail ridership volume.\132\ 
Consistent with the 9/11 Act, each of the systems that would be 
required to develop and implement a CRM program is eligible to receive 
grant funding under section 1406 of the 9/11 Act, 6 U.S.C. 1135, and 
has received such funding. Transit bus and smaller transit rail and 
passenger rail systems would not be included in the applicability of 
the CRM components of this proposed rulemaking as the smaller ridership 
of these systems means the operational disruption would not have the 
same consequences as impacts on larger operations. If one of these 
systems is taken offline due to a cybersecurity incident, it would be 
temporarily disruptive, but would be unlikely to have significant 
impacts on national or economic security, compared to the disruption of 
the transit system in a major metropolitan area where public 
transportation is relied on by many commuters. Similarly, transit bus 
plays a pivotal role in the movement of people in urban areas, but TSA 
assesses that a cybersecurity incident affecting this mode of 
transportation is unlikely to result in a significant operational 
disruption because transit bus systems do not rely heavily on OT 
systems and likely could continue to operate in the event of a 
cybersecurity incident. The proposed applicability for this rulemaking 
does not include the following four systems that currently fall under 
the security training requirements in part 1582: Connecticut Department 
of Transportation (Conn DOT), Delaware River Port Authority, Santa 
Clara Valley Transportation Authority, and Staten Island Railway. These 
systems are not included because they did not meet the proposed risk-
based criteria, i.e., ridership threshold, determined by TSA as 
relevant to the specific risks this rulemaking is intended to address.
---------------------------------------------------------------------------

    \132\ TSA's proposed applicability reflects analysis of 
ridership data developed by the APTA. See https://www.apta.com/research-technical-resources/transit-statistics/ridership-report/ridership-report-archives/ (last accessed Sept. 27, 2023).
---------------------------------------------------------------------------

    Although they would not be subject to all of the CRM program 
requirements, TSA is proposing that all PTPR owner/operators currently 
required to have a security coordinator and report significant security 
concerns also have designated individual(s) responsible to serve as a 
Physical Security Coordinator and/or Cybersecurity Coordinator and 
report significant physical security concerns to TSA and cybersecurity 
incidents to CISA.\133\ The costs of a robust CRM program may not be 
justified at this time based on known risks, but that determination 
does not mean that cybersecurity should be ignored. All PTPR owner/
operators need

[[Page 88510]]

a point of contact for receiving and processing information on 
cybersecurity risks, and the U.S. government needs to be promptly 
advised of any cybersecurity incidents involving these systems to have 
a thorough understanding of the current threat environment.
---------------------------------------------------------------------------

    \133\ See text accompanying supra note 131.
---------------------------------------------------------------------------

c. OTRB Owner/Operators Subject to Cybersecurity Incident Reporting 
Requirements in Proposed Sec.  1584.107
    TSA is not proposing that OTRB owner/operators be required to meet 
all CRM program requirements, but believes it is appropriate for those 
OTRB owner/operators required to report significant security concerns 
\134\ to be required to report both significant physical security 
concerns and cybersecurity incidents. TSA estimates that 71 OTRB 
owner/operators would be subject to this requirement.
---------------------------------------------------------------------------

    \134\ 49 CFR 1570.203.
---------------------------------------------------------------------------

    Through this rulemaking, TSA is proposing to codify and make 
permanent the cybersecurity requirements previously imposed through SDs 
issued to address an immediate threat to transportation security. See 
discussion in section II.B. of this NPRM. TSA has not imposed 
cybersecurity mitigation measures on OTRB owner/operators based on the 
risk information currently available to the agency and recognition of 
the costs as related to the benefits. That decision, however, does not 
mean that there is zero risk for OTRB operations or that they will 
never be the victim of a cybersecurity incident. TSA has encouraged 
OTRB owner/operators to identify Cybersecurity Coordinators, report 
cybersecurity incidents, have a cybersecurity incident response plan, 
and conduct a vulnerability assessment.\135\ TSA believes that higher-
risk OTRB owner/operators should be vigilant regarding cybersecurity 
risks and is proposing that the U.S. government be promptly advised of 
any cybersecurity incidents involving these owner/operators in order to 
have a thorough understanding of the current threat environment. 
Requiring this information is consistent with TSA's authority to assess 
threats, share information, and develop policy.\136\
---------------------------------------------------------------------------

    \135\ See Information Circular (IC)-2021-01 (effective Dec. 31, 
2021), available at https://www.tsa.gov/sites/default/files/20211201_surface-ic-2021-01.pdf (last accessed Sept. 21, 2023).
    \136\ See, e.g., 49 U.S.C. 114(f)(1)-(3) (authority to receive, 
assess, and distribute intelligence information related to 
transportation security; assess threats to transportation; and 
develop policies, strategies, and plans for dealing with threats to 
transportation security).
---------------------------------------------------------------------------

    TSA notes that the 9/11 Act requires TSA to issue regulations to 
higher-risk OTRB owner/operators to conduct vulnerability assessments 
and implement TSA-approved security plans that address the security of 
IT and OT systems.\137\ TSA has not yet issued such regulations, 
although it has issued ICs recommending voluntary implementation of 
specific cybersecurity measures to higher-risk OTRB owner/
operators.\138\ TSA will consider reports of both significant physical 
security concerns (as required by current Sec.  1570.201 and proposed 
Sec.  1584.105) and cybersecurity incidents as reported under proposed 
Sec.  1584.107 for purposes of developing future regulatory 
requirements.
---------------------------------------------------------------------------

    \137\ See supra section II.B.2.b of this NPRM.
    \138\ See Surface-IC-2021-01, Enhancing Surface Transportation 
Cybersecurity (Dec. 31, 2021), available at https://www.tsa.gov/sites/default/files/20211201_surface-ic-2021-01.pdf (last accessed 
Sept. 27, 2023); see also information regarding resources and 
activities supporting security of highway and motor carriers 
available on TSA's website at https://www.tsa.gov/for-industry/resources (last accessed Sept. 27, 2023).
---------------------------------------------------------------------------

d. Pipeline Systems and Facilities Subject to Physical Security 
Requirements in Proposed Subpart B of Part 1586 and CRM Program 
Requirements in Proposed Subpart C of Part 1586
    TSA is proposing to apply the CRM program requirements to the 
hazardous liquid, natural gas, and liquefied natural gas pipeline 
systems and facilities that transport the largest volume of these 
commodities, which would lead to the potential for a sustained 
disruption in service should a successful cybersecurity incident affect 
their ability to support national security needs, including economic 
security. The recommended criteria for determining applicability of the 
requirements include three types of pipeline operations: (1) hazardous 
liquid pipelines; (2) natural and other gas pipelines; and (3) 
liquefied natural gas (LNG) facilities. In total, the proposed 
requirements would apply to 115 owner/operators of covered pipeline 
facilities and systems.
    First, TSA is proposing to apply the CRM program requirements to 
owner/operators of hazardous liquid or carbon dioxide pipeline 
facilities and systems that meet any of the following criteria:
    • Owns or operates a hazardous liquid pipeline or facility 
subject to 49 CFR part 195 that--
    ○ Annually delivered hazardous liquids in excess of 50 
million barrels in any of the three calendar years before the effective 
date of the final rule, or any single calendar year after the effective 
date of the final rule; or
    ○ Is in excess of 200 segment miles of pipeline transporting 
hazardous liquid or carbon dioxide that could affect a High Consequence 
Area, as defined by PHMSA.\139\
---------------------------------------------------------------------------

    \139\ See proposed 49 CFR part 1586 for a definition of High 
Consequence Area and a discussion of Terms in subsection D of this 
section.
---------------------------------------------------------------------------

    • Owns or operates a primary control room responsible for 
multiple hazardous liquid or carbon dioxide systems regulated under 49 
CFR part 196 and the total annual delivery for those systems combined 
is greater than 50 million barrels annually in any of the three 
calendar years before the effective date of the final rule, or any 
single calendar year after the effective date of the final rule.
    • Owns or operates a hazardous liquid pipeline or facility 
subject to 49 CFR part 195 that has a contract with the Defense 
Logistics Agency to supply hazardous liquids in excess of 70,000 
barrels annually.\140\
---------------------------------------------------------------------------

    \140\ TSA coordinated the criteria for 70,000 barrels with the 
Defense Logistics Agency. This amount conforms to what TSA uses to 
identify critical pipeline systems (``Top 100'').
---------------------------------------------------------------------------

    Based on pipeline systems and facilities that report annual 
throughput to the Federal Energy Regulatory Commission (FERC),\141\ TSA 
estimates these systems and facilities account for approximately 90 
percent of the total annual volume transported in the United States.
---------------------------------------------------------------------------

    \141\ Hazardous liquid pipeline operators subject to FERC 
jurisdiction provide annual throughput (number of barrels delivered 
out) to FERC on Form 6, Annual Report of Oil Pipeline Companies.
---------------------------------------------------------------------------

    Second, TSA is proposing to apply the CRM program requirements to 
owner/operators of natural gas and other gas pipelines that meet any of 
the following criteria:
    • Owns or operates a natural or other gas system subject to 
49 CFR part 192 and--
    ○ Annually delivered natural or other gas in excess of 275 
million dekatherms (generally natural gas transmission) in any 
of the three calendar years before the effective date of the final 
rule, or any single calendar year after the effective date of the final 
rule;
    ○ Annually delivered natural or other gas to 275,000 or more 
meters (or service points) (generally natural gas distribution 
or local distribution company (LDC)) in any of the three calendar years 
before the effective date of the final rule, or any single calendar 
year after the effective date of the final rule; or
    ○ Has more than 200 segment miles that could affect a High 
Consequence Area.

[[Page 88511]]

    • Owns or operates a primary control room responsible for 
multiple natural gas and other gas pipeline systems regulated under 49 
CFR part 192 and the combined total annual delivery for these systems 
is greater than 275 million dekatherms (generally natural gas 
transmission) in any of the three calendar years before the effective 
date of the final rule, or any single calendar year after the effective 
date of the final rule.
    • Provides natural or other gas service to 275,000 or more 
meters (or service points) annually (generally natural gas distribution 
or LDC) in any of the three calendar years before the effective date of 
the final rule, or any single calendar year after the effective date of 
the final rule.
    TSA estimates that under these criteria, the requirements of this 
proposed rule would apply to 66 natural gas transmission and 
distribution pipeline systems and facilities. These systems and 
facilities account for approximately 80-90 percent of the total annual 
volume of natural gas transported in the United States.\142\
---------------------------------------------------------------------------

    \142\ TSA's data is derived from the Pipeline and Gas Journal's 
Annual 500 Report. For more information on this report, see https://pgjonline.com/magazine/2022/november-2022-vol-249-no-11/features/annual-500-report-shows-some-decline-few-ranking-surprises (last 
accessed Sept. 27, 2023).
---------------------------------------------------------------------------

    Third, TSA is proposing to apply the CRM program requirements to 
LNG facilities that import natural gas or operate as peak-shaving 
facilities.\143\ Under the proposed criteria, the requirements would 
apply to an estimated two LNG import facilities and seven peak-shaving 
facilities. Expanding applicability of the proposed rule from the 
initial SDs for pipeline facilities and systems to include these 
facilities reflects TSA's ongoing discussions with FERC and evolving 
understanding of cybersecurity risks. The inclusion of these criteria 
would not significantly affect the number of pipeline systems and 
facilities subject to the CRM program requirements as all but one of 
the covered LNG facilities are operated by pipeline companies subject 
to the other criteria.
---------------------------------------------------------------------------

    \143\ Peak-shaving refers to LNG facilities supplying 
supplemental gas supplies to meet the increased demand for natural 
gas on the coldest days of winter. In 2022, two plants located in 
the Northeast United States imported LNG.
---------------------------------------------------------------------------

    The SDs issued to pipeline owner/operators used criteria to include 
all hazardous liquid and natural gas pipeline systems and facilities 
that had been designated critical by TSA for purposes of the 
assessments required by the 9/11 Act. The scope of applicability, 
however, only accounts for approximately 10 percent of the total number 
of pipeline systems in the United States. At the other end of the 
spectrum for the possible scope of applicability, TSA determined it 
would not be appropriate to recommend covering all pipeline operators 
subject to PHMSA's safety regulations in 49 CFR part 192 and 49 CFR 
195.1. This option, which includes approximately 2,105 pipelines, would 
be unnecessarily expensive for the industry based on the expected 
benefits and extremely difficult for TSA to appropriately monitor and 
regulate without additional personnel and funding. The proposed 
criteria for determining applicability would include the most critical 
pipeline owner/operators as determined by TSA and are consistent with 
the statutory requirement to determine critical operators \144\ as well 
as TSA's designation of critical owner/operators required to comply 
with TSA's SDs.
---------------------------------------------------------------------------

    \144\ 9/11 Act sec. 1557, as codified at 6 U.S.C. 1207(b).
---------------------------------------------------------------------------

e. Determinations of Applicability for Requirements in the Proposed 
Rule
    As with TSA's previously issued requirements for surface 
transportation owner/operators,\145\ owner/operators would be required 
to use the criteria in 49 CFR parts 1580, 1582, 1584, and 1586 to 
determine whether their operations are higher-risk and which 
requirements apply to them. Under Sec.  1570.105(a), owner/operators 
would be required to notify TSA within 30 days of the effective date of 
the final rule if they meet the criteria for applicability of the 
requirements in the rule. TSA also proposes an obligation for owner/
operators to be aware of the criteria as applied to their future 
operations. Under Sec.  1570.105(b), TSA would continue to require 
owner/operators to notify TSA if their operations change, after the 
notification date specified in paragraph (a), such that the criteria 
apply. In this situation, an owner/operator would be required to notify 
TSA no more than the later of (a) 60 days after the effective date or 
(b) 60 days before commencing the new operations.
---------------------------------------------------------------------------

    \145\ See current 49 CFR 1570.105.
---------------------------------------------------------------------------

    This notification requirement is the first compliance deadline that 
owner/operators must meet under the proposed rule. TSA is aware that 
the deadlines could cause confusion and concern among owner/operators 
who are currently required to comply with requirements issued by TSA, 
such as those issued in 2008 \146\ and 2021,\147\ that are also in 
parts 1580, 1582, 1584, and 1586. To avoid any confusion over whether 
notification is required, TSA is proposing to add to Sec.  1570.105(a) 
an exception that effectively exempts the owner/operator from this 
requirement if TSA has otherwise notified the owner/operator that the 
criteria apply. If this notification is received, these owner/operators 
would not need to provide separate notification regarding applicability 
determinations.
---------------------------------------------------------------------------

    \146\ See supra note 86.
    \147\ See supra note 87.
---------------------------------------------------------------------------

    To mitigate the likelihood of an owner/operator failing to comply 
based upon lack of recognition of the applicability for these 
requirements, TSA also intends to use a variety of communication 
strategies to notify regulated parties that are likely to meet the 
applicability criteria. For example, TSA would use email to immediately 
notify its key stakeholder points of contact regarding publication of a 
final rule. In addition to these established information sharing 
mechanisms, TSA also conducts regular calls, workshops, and meetings 
with major industry partners and trade associations. TSA's surface 
representatives also work closely with surface-system owner/operators 
during industry-led security work groups, conferences, roundtables, and 
other sector-specific government coordination meetings. TSA would use 
all these mechanisms to notify relevant industry partners of the new 
requirements.
    TSA is also proposing to modify Sec.  1570.105 to add paragraph 
(c), which would make it clear that once an owner/operator meets the 
criteria for applicability, they must continue to comply with the 
requirements in the proposed rule. New paragraph (d) provides an avenue 
for owner/operators to request to be removed from the scope of 
applicability. For example, if an owner/operator meets the 
applicability criteria because of a contract to support STRACNET, but a 
future change removes them from that role, they would continue to be 
subject to the requirements until they notify TSA of the changed 
circumstances and receive a written determination from TSA that they 
are currently exempt from the requirements. TSA is not imposing a 
specific timeline for making this notification as it would be within 
the discretion of the individual owner/operator to seek an exemption. 
As noted above, the owner/operator would continue to be subject to the 
requirements until TSA makes a final decision that the owner/operator, 
or a

[[Page 88512]]

specific activity of the owner/operator, no longer meets the 
applicability criteria.
    It is the owner/operator's responsibility to notify TSA, in 
writing, that their operations have changed and to provide supporting 
documentation. TSA may also need to request additional documentation to 
support the assertion that the requirements no longer apply. For 
example, documentation may include proof that contracts with DoD have 
been rescinded or that they have been operating 30 percent below the 
threshold for applicability for three consecutive years. This provision 
should not be used for non-permanent changes. For example, an owner/
operator may have seasonal operations two months of every year that 
meet the criteria for applicability. In this situation, the owner/
operator should seek alternative measures under proposed Sec.  
1570.109.
    An exemption from TSA under Sec.  1570.105(c) is operation 
specific. If operations change in the future such that they meet the 
criteria for applicability, the owner/operator would be required to 
comply with Sec.  1570.105(a) and notify TSA. This notification must be 
provided within 90 days before commencement of operations that would 
meet the criteria for applicability of requirements in parts 1580, 
1582, 1584, or 1586.
3. Structure of CRM Program Requirements (Proposed Sec. Sec.  1580.303, 
1582.203, and 1586.203)
    This proposed rule requires a CRM program that includes three major 
components: (a) a cybersecurity evaluation; (b) a COIP; and (c) a CAP. 
First, the cybersecurity evaluation generally aligns with the 
assessments required by TSA in the SD Pipeline-2021-01, SD 1580-21-01, 
and SD 1582-21-01 series. This evaluation is also consistent with the 
NIST CSF, which recommends that a strong cybersecurity program begins 
with an understanding of the current profile of cybersecurity that 
looks at both physical and logical/virtual controls.
    Second, owner/operators would be required to develop and implement 
a TSA-approved COIP. This plan aligns with the requirements for a CIP 
required by the SD Pipeline-2021-02 and SD 1580/82-2022-01 series. As 
with the CIP requirements in the SDs, the COIP requirements generally 
apply to Critical Cyber Systems as identified by the owner/operators. 
TSA is proposing to incorporate other parts of the SDs, including the 
Cybersecurity Coordinator, requirement to report cybersecurity 
incidents, and the CIRP, into the COIP.
    The COIP requirements, which are organized to align with the NIST 
components, focus on the following five areas: (1) governance of the 
CRM program; (2) identification of Critical Cyber Systems; (3) 
protecting Critical Cyber Systems; (4) detecting and monitoring 
Critical Cyber Systems; and (5) ensuring response and recovery. As 
discussed above, TSA has added additional requirements emphasized in 
the CISA CPGs, including cybersecurity training and supply chain risk 
management requirements, not previously addressed in the SDs.
    Consistent with the NIST CSF, the proposed requirements for a COIP 
represent TSA's target cybersecurity outcomes for the owner/operators 
that would be subject to the proposed rule. While TSA is committed to 
providing maximum flexibility for owner/operators to develop CRM 
programs appropriate for their operations, as provided by the SDs, the 
proposed rule includes additional requirements that push owner/
operators to a level of cybersecurity maturity that is repeatable. 
These requirements include more specificity in the type of information 
to be included in the COIP. Establishing a minimum baseline of 
information to be included in the COIP is necessary to ensure 
enforceability from the perspective of a regulator, but also enhances 
communication to employees to ensure they know their responsibilities 
under the CRM program and that the program and its policies are 
understood across the organization.
    Finally, the proposed requirements for a CRM program include an 
assessment requirement that aligns with the NIST CSF's taxonomy to 
achieve maturity by assessing progress toward the target state. The 
proposed CAP requirements expand upon the requirement for assessments 
in the SD Pipeline-2021-02 and SD 1580/82-2022-01 series. Under the 
proposed rule, owner/operators would continue to be required to have a 
CAP approved by TSA that includes a biennial cybersecurity architecture 
design review, other assessment capabilities, and annual review of the 
effectiveness of at least one-third of all required measures in the 
COIP, so that 100 percent of the policies, procedures, measures, and 
capabilities and all Critical Cyber Systems would be assessed at 
least once over 3 years, with a minimum of 30 percent each year. The 
rule proposes adding additional requirements to ensure independence of 
auditors and assessors, reporting results to TSA and corporate 
leadership, and updates to the COIP based on assessment results.
    Subsidiaries. Proposed Sec. Sec.  1580.303(b), 1582.203(b), and 
1586.203(b) specifically address the issue of subsidiaries and allow a 
corporate entity with multiple businesses or business units to submit 
one CRM program for the entity as a whole. Any documents required by 
the proposed rule, however, would need to clearly identify and 
distinguish application of the requirements for each business unit. To 
meet this requirement, TSA would need to be able to review the plan and 
readily identify how the requirements are being applied to each 
business unit. In other words, CRM program documents that require TSA 
to develop a separate analysis to determine how the requirements are 
applied within each business unit would not be acceptable or approved 
by TSA as meeting the proposed regulatory requirements.

D. Specific CRM Program Requirements

1. Cybersecurity Evaluation (Proposed Sec. Sec.  1580.305, 1582.205, 
and 1586.205)
    The NIST CSF (GV.OC and GV.RM) recognizes the importance of a 
``current profile'' that examines the extent to which the owner/
operator is achieving the outcomes in the target profile and identifies 
gaps and potential vulnerabilities. For purposes of the requirements in 
this proposed rule, TSA would expect owner/operators to use the 
security outcomes identified in the rule, at a minimum, as a basis for 
the target profile.
    The proposed rule specifically requires this evaluation to include 
both physical and logical/virtual security controls. If the evaluation 
is limited to logical/virtual controls, the owner/operator may not 
fully recognize the strengths and weaknesses of physical security 
controls being used instead of, or to augment, cybersecurity measures. 
For example, if an owner/operator is relying on controls that limit an 
individual's access to a building or a floor to offset the 
impracticability of applying MFA to certain systems, it is important to 
understand how effective those physical security controls are at 
meeting the intended purpose. Similarly, understanding available 
physical security controls can help an owner/operator identify 
mitigation measures pending the ability to fully reach the required target 
state.
    As noted above, TSA's SDs for pipeline and rail operators included 
a requirement to conduct a vulnerability assessment.\148\ Under proposed 
Sec. Sec.  1580.305(b), 1582.205(b), 
and 1586.205(b), this vulnerability assessment or other similar 
assessments may be used to comply with the requirement for the initial 
cybersecurity evaluation as long as it was completed within no more 
than one year before submission of the owner/operator's COIP. Under 
paragraph (c) of these sections, the cybersecurity evaluation must be 
updated annually. While owner/operators would not be required to submit 
the evaluation to TSA for approval, they would be required to notify 
TSA within 7 days of completing the profile and make it available to 
TSA upon request.
---------------------------------------------------------------------------

    \148\ See section E. of the SD Pipeline 2021-01 series and 
section D. of the SD 1580-21-01 and 1582-21-01 series.
---------------------------------------------------------------------------

2. Cybersecurity Operational Implementation Plan (Proposed Sec. Sec.  
1580.307, 1582.207, and 1586.207)
a. General COIP Requirements
    The COIP required by Sec. Sec.  1580.307, 1582.207, and 1586.207 is 
the center of the comprehensive CRM program. As stated in the proposed 
rule text, TSA would require the COIP to detail the owner/operator's 
defense-in-depth plan, including physical and logical/virtual security 
controls, to comply with the requirements specified in subsequent 
sections. The results of the cybersecurity evaluation should be used at 
the beginning of the process to inform the development and revisions to 
the COIP from a broader enterprise perspective, while the CAP informs 
revisions to the COIP based on testing the effectiveness of the 
measures in the COIP as implemented by the owner/operators. The COIP 
must include specific detail on exactly how the owner/operators meet 
the requirements for (a) governance; (b) identification of critical 
cyber systems, network architecture, and interdependencies; (c) 
procedures, policies, and capabilities to protect Critical Cyber 
Systems; (d) procedures, policies, and capabilities to detect 
cybersecurity incidents; and (e) procedures, policies, and capabilities 
to respond to, and recover from, cybersecurity incidents, which would 
include reporting cybersecurity incidents and the CIRP. Each of these 
components of the COIP will be discussed below.
    As most of the owner/operators that would be subject to this 
proposed rule's requirements are currently required to comply with 
TSA's cybersecurity SDs, TSA assumes that the COIP for these owner/
operators would include detailed descriptions of what they are 
currently doing to meet the required security outcomes. To meet the 
regulatory requirements, these detailed descriptions would need to be 
more than a summary or a restatement of the regulatory text. If an 
owner/operator is relying on specific software, the COIP should provide 
details on the software (name, version, scope of deployment, etc.). If 
relying on policies or procedures identified in other corporate 
documents, the owner/operator would need to specifically identify the 
sections of those documents, describe how they meet the required 
security outcomes, and incorporate the specific sections by reference 
into their COIP.
    To the extent the cybersecurity evaluation or CAP identifies areas 
where the owner/operator is not meeting the required security outcomes, 
the owner/operator would be required by paragraph (d) of Sec. Sec.  
1580.307, 1582.207, and 1586.207 to include a Plan of Action and 
Milestones (POAM) in their COIP. Incorporating a POAM in the COIP 
aligns with the identification of remediation measures in section 
E.1.c. of SD Pipeline-2021-01 series and section D.2. of SD 1580-21-01 
and SD 1582-21-01 series. The proposed POAM requirement also aligns 
with the NIST CSF, which recommends that organizations determine which 
actions to take to address gaps identified through assessments to 
achieve the Target Profile.\149\ The POAM must include the specific 
measures to be implemented and a detailed timeframe, not to exceed 3 
years, to meet all required outcomes, as well as any mitigating 
measures that will be implemented pending full compliance with all 
requirements and security outcomes. As part of the COIP, failure to 
meet the milestones in the POAM could result in a range of enforcement 
actions.\150\
---------------------------------------------------------------------------

    \149\ See supra note 13 at 7, 11.
    \150\ See TSA's Enforcement Sanction Guidance Policy (last 
updated Nov. 14, 2022) for more information on TSA's sanction 
policies, available at https://www.tsa.gov/sites/default/files/enforcement_sanction_guidance_policy.pdf (last accessed June 28, 
2023); see also TSA Action Plan Program (effective Aug. 26, 2019), 
available at https://www.tsa.gov/sites/default/files/action_plan_program.pdf (last accessed June 28, 2023).
---------------------------------------------------------------------------

    The COIP must be made available to TSA for approval. Once approved 
by TSA, the COIP is a TSA-approved security program. The proposed rule 
would require the COIP to be updated to reflect any vulnerabilities or 
weaknesses identified during the annual cybersecurity evaluation and 
the CAP, discussed below. In addition, owner/operators would be 
required to conduct exercises of CIRPs (required by proposed Sec. Sec.  
1580.327, 1582.227, and 1586.227). The results of the exercises must 
also inform updates to the CIRP as part of the COIP. Whether resulting 
from these assessments and exercises--or due to other changes in 
policies, procedures, capabilities, or Critical Cyber Systems--owner/
operators would need to comply with the procedural requirements for 
security programs, discussed below in section III.F. of this NPRM, to 
revise their COIP.
    TSA recognizes that cybersecurity is ever changing in response to 
new capabilities and emerging threats. In addition, a detailed defense-
in-depth plan is likely to include information that is subject to 
change for a range of reasons. In section 1570.107(c), TSA provides for 
this possibility by distinguishing between (1) administrative or 
clerical changes, (2) substantive but temporary changes, and (3) 
substantive and permanent changes.\151\ Within the context of the CRM 
program, substantive and permanent changes include changes to policies, 
procedures, or measures contained in a TSA-approved COIP, including 
documents incorporated by reference into the COIP, that relate to how 
the owner/operator meets the proposed CRM program requirements and are 
intended to be in place for 60 or more days. Substantive changes to the 
COIP must be made following the procedures in proposed Sec.  
1570.107(b) for amendments to security programs. For example, a 
limited-time deployment of new equipment as part of a 30-day pilot may 
not require amending the COIP, but would require an initial notification 
to TSA and, within seven calendar days, a description of interim 
measures that are in place to ensure no diminution of security. A 
decision to permanently replace equipment would likely require 
additional measures or revisions to the COIP and the owner/operator 
would need to request an amendment.
---------------------------------------------------------------------------

    \151\ See discussion in Section III.F.1. regarding security 
program amendments in general.
---------------------------------------------------------------------------

    TSA is not proposing to require owner/operators to follow the 
amendment process for administrative or clerical changes to COIPs, 
including administrative or clerical changes to documents incorporated 
by reference. In other words, administrative or clerical changes do not 
require a request to TSA, notification to TSA, or TSA approval. 
Administrative or clerical changes are limited to changes to policies, 
procedures, or measures contained in a TSA-approved COIP, including 
documents incorporated by reference, that do not relate to how the 
owner/operator meets the CRM program requirements. Owner/operators 
would be required to keep a chronological 
list of all administrative or clerical changes and when they occurred. 
This list should be consulted by the owner/operator on a regular basis 
to determine if any changes may have evolved into permanent changes 
requiring an amendment.
    The following are examples of substantive changes requiring an 
amendment:
    • Changes in policies, procedures, or capabilities made 
after a determination that a specific policy, procedure, or measure in 
the COIP is ineffective based on results of the audits and assessments 
required under the proposed rule;
    • New or additional capabilities the owner/operator has 
identified or obtained for meeting the requirements for a CRM program 
that have not been previously approved by TSA;
    • Additions, modifications, and deletions to lists of 
Critical Cyber Systems;
    • Changes to the method of MFA required to access a Critical 
Cyber System;
    • Updates to the risk methodology for determining 
criticality of security patches and updates;
    • Use of new vendors, companies, or products when they 
change the process the owner/operator is using to meet a requirement 
for the CRM program; and
    • Strategic network architecture changes, such as moving 
from segmenting OT systems with firewalls to using a one-way diode or 
moving to a zero-trust architecture from a defense-in-depth 
architecture.
    Examples of administrative or clerical changes to COIPs or 
documents incorporated that do not require the amendment process in 
Sec.  1570.107(b) could include, but are not limited to the following:
    • Changes to names of documents (for example, changing ``IT 
Policy--Monitoring'' to ``IT Policy--Monitoring, Detection and 
Auditing'');
    • When only certain parts of a document are incorporated by 
reference, changes are made to other parts of a document which are not 
specifically incorporated by reference; and
    • Changes intended to be in effect for less than 60 calendar 
days (which would be subject to the process for temporary changes under 
proposed Sec.  1570.107(c)(2)).
    TSA would also encourage owner/operators to avoid having to make 
amendments related to documents incorporated by reference in their 
COIPs by specifically indicating which sections of the documents are 
being used to meet the requirements for a CRM program rather than 
referencing the document in its entirety when only specific portions 
are relevant.
    Under Sec. Sec.  1580.307(e)(1), 1582.207(e)(1), and 
1586.207(e)(1), owner/operators must make their COIP available to TSA 
in a form and manner prescribed by TSA. TSA decided not to propose a 
specific method in the NPRM due to the need to remain flexible and 
adaptive to options for submitting documents. Since first imposition of 
the SD Pipeline-2021-02 series, TSA has been able to move from only one 
option (submission through a password protected email or uploading to a 
secure location using the Homeland Security Information Network (HSIN)) 
to multiple options, including email/HSIN, a secure portal, and local 
retention. These options address the concerns of the industry to 
protect highly sensitive information. While not proposing to codify any 
of these options, the following discusses each option as they currently 
exist.
    As noted above, owner/operators were originally required to send 
their list of Critical Systems, CIP and CAP using email as password-
protected attachments or upload to HSIN. TSA subsequently developed 
other authorized methods for submitting and maintaining CIPs, and 
documents incorporated by reference into CIPs, CAPs, and CAP reports. 
Instead of submitting these documents via password-protected email or 
via HSIN, owner/operators may submit documents to the TSA Secure 
Regulatory Portal (SRP) or retain them locally for in-person or other 
review pursuant to TSA-approved methods, which may include virtual 
review.
    Use of the SRP is the preferred method for TSA as it minimizes the 
time and personnel investment for owner/operators, accelerates TSA's 
ability to review and approve submitted documents, and maintains 
information security. Owner/operators would be required to 
use the same method of submission for all of their required documents 
and must notify TSA of their chosen option. If documents are maintained 
locally for on-site or virtual review by TSA, the owner/operator must 
attest to TSA (subject to potential penalties for providing false or 
misleading information) that they have completed the required actions 
within the designated timeline. The documents are considered 
conditionally approved and the owner/operator must begin 
implementation. TSA considers ``implementation'' of the CIP to mean 
that the regulated entity has fully developed its CIP to meet the 
performance-based measures and has begun to carry out the policies, 
procedures, measures, and capabilities in the CIP. Therefore, that 
attested-to and complete CIP may also include timelines for 
implementation of specific cybersecurity measures that will achieve the 
performance-based objectives. A CIP maintained on location is not 
considered to have final approval until reviewed by TSA, revised as 
required by TSA, and the owner/operator receives notification from TSA 
that the CIP has received final approval. Only final approval of the 
CIP triggers the timelines associated with requirements to develop the 
CAP and CAP report. Regardless of the manner of submission of any 
document, TSA retains its full inspection authority.
    TSA has not required any owner/operator to resubmit information 
previously approved. The required plans and reports submitted to TSA 
are Federal records and must be retained in accordance with TSA's 
National Archives and Records Administration (NARA)-approved records 
schedules. Similarly, documents submitted via the secure portal are 
also Federal records and must be retained in accordance with the same 
NARA-approved records schedules once TSA reviews them. Finally, documents 
maintained at an owner/operator's location are not considered Federal 
records. At this time, TSA intends to continue allowing all of these 
approved methods for the COIP, CIRP, and CAP.
b. Governance of the CRM Program (Proposed Sec. Sec.  1580.309, 
1580.311, 1582.209, 1582.211, 1586.209, and 1586.211)
    Accountable executive (paragraph (a) of Sec. Sec.  1580.309, 
1582.209, and 1586.209). Both the NIST CSF and the CISA CPGs stress the 
importance of establishing governance for a CRM program. CPG 1.B. urges 
identifying a single leader who ``is responsible and accountable for 
cybersecurity within an organization.'' Specifically, the CISA CPGs 
recommend that organizations have a named role/position/title 
identified ``as responsible and accountable for planning, resourcing, 
and execution of cybersecurity activities. This role may undertake 
activities such as managing cybersecurity operations at the senior 
level, requesting and securing budget resources, or leading strategy 
development to inform future positioning.'' To the extent possible, 
this individual should not be the Cybersecurity Coordinator or 
otherwise have responsibility for day-to-day management of the IT or OT 
system, but should function at a level between the most senior-executive 
leadership 
and the implementation/operations level of the organization.\152\ CISA 
has identified this action as one with high impact and low complexity, 
noting that failure to identify an accountable executive can result in 
a lack of accountability, investment, or effectiveness of a CRM 
program.\153\
---------------------------------------------------------------------------

    \152\ See NIST CSF, supra note 13, at 1210-11.
    \153\ See CISA CPG Checklist, v1.01, available at https://www.cisa.gov/sites/default/files/2023-03/cisa_cpg_checklist_v1.0.1_final.pdf (last accessed Sept. 22, 2023).
---------------------------------------------------------------------------

    TSA is adopting this recommendation for purposes of this proposed 
rule by requiring covered owner/operators to identify an accountable 
executive for the CRM program. Contact and identifying information for 
the accountable executive must be provided to TSA and incorporated into 
the COIP.
    Identifying positions with cybersecurity responsibilities 
(paragraph (b) of Sec. Sec.  1580.309, 1582.209, and 1586.209). The 
NIST CSF and the CISA CPGs also emphasize the importance of having a 
clear understanding of cybersecurity roles and responsibilities within 
the organization and with stakeholders, and establishing a relationship 
to ensure effective communication on cybersecurity policies and 
risks.\154\ Consistent with these priorities, TSA is proposing to 
require the COIP to identify positions designated to manage 
implementation of policies, procedures, and capabilities described in 
the COIP and coordinate improvements to the CRM program.
---------------------------------------------------------------------------

    \154\ See NIST CSF GV-RR and CPGs 1.B and 1.C.
---------------------------------------------------------------------------

    In addition, the proposed rule would require identification of any 
authorized representatives, as defined in the TSA Cybersecurity 
Lexicon, responsible for implementation of any part of the owner/
operator's CRM program. Authorized representatives are empowered to act 
on the owner/operator's behalf to coordinate and conduct activities 
required by this proposed rule, including specific security measures in 
the owner/operator's TSA-approved COIP. Considering these 
responsibilities, authorized representatives are liable for non-
compliance separate from and in addition to the owner/operator. TSA is 
proposing to require that the corporate or official business 
information for all authorized representatives must be incorporated 
into the COIP and be supported with written documentation, such as 
contractual agreements, between the owner/operator and the authorized 
representative detailing the scope of responsibilities as related to 
the measures identified in the COIP. As with other documentation 
requirements, the owner/operators would need to identify specific 
provisions applicable to the COIP within any provided documentation.
    Note that the definition of ``authorized representative'' in the 
TSA Cybersecurity Lexicon excludes entities that function as ``Managed 
Security Service Providers.'' If an owner/operator, or its authorized 
representative, has delegated or shared responsibility with a Managed 
Security Service Provider, wholly or in part, for specific security 
measures, the owner/operator or authorized representative retains 
responsibility for ensuring the application of the cybersecurity 
performance-based measures.
    The distinction in liability between authorized representatives and 
Managed Security Service Providers is generally consistent with 
principles of agency. Managed Security Service Providers are not direct 
employees of the owner/operator but provide one or more services or 
capabilities that the owner/operator may use to perform required 
security measures. Managed Security Service Providers generally provide 
a logical service that is widely available to anyone who purchases the 
specific capability or service, such as an internet service provider, a 
program developer, or IT or OT system monitoring and detection 
capabilities. The authorized representative is an agent empowered to 
act on behalf of the owner/operator, such as for day-to-day management 
of a cybersecurity program.
    Cybersecurity coordinator (Sec. Sec.  1580.311, 1582.211, and 
1586.211). The proposed rule would codify Section A. of the SD 
Pipeline-2021-01, SD 1580-21-01 and SD 1582-21-01 series, which 
requires covered owner/operators to identify a primary and at least one 
alternate Cybersecurity Coordinator. Security coordinators, in general, 
are a vital part of transportation security, providing TSA and other 
government agencies with an identified point of contact with access to 
company leadership and knowledge of operations, in the event it is 
necessary to convey extremely time-sensitive information about threats 
or security procedures to an owner/operator, particularly in situations 
requiring frequent information updates. Having a designated 
Cybersecurity Coordinator and alternate provides TSA with a contact in 
a position to understand cybersecurity problems; immediately raise 
issues with, or transmit information to, the designated accountable 
executive or other appropriate corporate or system leadership; and 
recognize when emergency response action is appropriate. To meet this 
purpose, the designated individuals must be accessible to TSA 24 hours 
per day, seven days per week.
    The proposed rule does not change the expectation from the SDs that 
the Cybersecurity Coordinator (primary and alternate) be appointed at 
the headquarters level. In addition, TSA would carry over the 
requirement in the SDs for the primary Cybersecurity Coordinator to be 
a U.S. citizen who is eligible to receive a security clearance. This 
requirement is necessary to ensure that TSA can rapidly share sensitive 
information with the owner/operator that may be critical to ensure 
appropriate actions are taken to address emerging threats. This 
requirement is also consistent with the SDs and TSA's experience with 
Physical Security Coordinators. See discussion in Section III.A.2. As 
with the SDs, the proposed rule would not require the Cybersecurity 
Coordinator or alternate to be a dedicated position staffed by an 
individual who has no other primary or additional duties.
    The proposed rule would require the following information for the 
Cybersecurity Coordinator(s): name, title, telephone number(s), and 
email address. Any change in this information would have to be provided 
to TSA within seven days of the change taking effect. As previously 
noted, this is not a new requirement for owner/operators of railroads, 
including the rail transit operations of PTPR owner/operators, and 
pipeline facility and systems currently subject to the SDs. If an 
owner/operator subject to this proposed rule has provided the required 
information for primary and alternate Cybersecurity Coordinator(s) to 
TSA in the past, and that information is still current, no further 
action would be needed to meet this requirement.
    TSA is expanding the requirements for the primary and alternate 
Cybersecurity Coordinator(s) to ensure they have the knowledge and 
skills necessary to perform the responsibilities. Cybersecurity is a 
technical field that requires some degree of knowledge of terms, 
threats, and the owner/operator's systems in order to be effective.
    TSA is specifically requesting comments on existing training and 
certification programs that could provide low-cost options for meeting 
these requirements that TSA could review and provide as examples to 
other owner/operators that would be subject to these requirements.
    Updates to governance information. The proposed rule would require 
owner/operators to notify TSA when information regarding the 
accountable executive or Cybersecurity Coordinator(s) changes. While 
the COIP should be current regarding the identification of the 
accountable executive or Cybersecurity Coordinator(s), TSA would not 
require the owner/operator to seek an amendment to their COIP to update 
this information as the updated information would need to be separately 
provided to TSA.
c. Identification of Critical Cyber Systems, Network Architecture, and 
Interdependencies
    Identifying Critical Cyber Systems (Sec. Sec.  1580.313, 1582.213, 
and 1586.213). Both the NIST CSF and the CISA CPGs emphasize the 
importance of identification of critical assets.\155\ As with the 
applicability determinations for this proposed rule, TSA is proposing 
an informed, risk-based approach to cybersecurity requirements. A 
critical first step in this process is risk-informed identification of 
critical IT and OT systems. TSA included a requirement to identify 
Critical Cyber Systems in the SD Pipeline-2021-01 and SD 1580/82-2022-
01 series.
---------------------------------------------------------------------------

    \155\ See NIST ID-AM and CPG 1.A.
---------------------------------------------------------------------------

    Identifying Critical Cyber Systems, including both IT and OT 
systems, enables owner/operators to ensure they have adequately 
identified risks using multiple sources of information and data to 
identify the threat (i.e., likelihood of an attack), system 
vulnerabilities, and consequences should the system be the target of a 
cybersecurity incident. In general, unless otherwise stated, the 
cybersecurity measures that would be required for protecting, 
defending, and responding to cybersecurity incidents are limited to 
these Critical Cyber Systems.
    For purposes of this proposed rule, TSA proposes to incorporate 
into the TSA Cybersecurity Lexicon a definition of ``Critical Cyber 
System'' that includes any IT or OT system used by the owner/operator 
that, if compromised or exploited, could result in an operational 
disruption incurred by the owner/operator, including those business 
support services that, if compromised or exploited, could result in 
operational disruption. This term includes systems whose ownership, 
operation, maintenance, or control is delegated wholly or in part to 
any other party. The definition of an ``operational disruption'' 
includes a deviation from or interruption of business critical 
functions that results in a compromise or loss of data, system 
availability, system reliability, or control of systems, or indicates 
unauthorized access to, or malicious software present on, a Critical 
Cyber System.
    In addition to IT and OT systems that are obviously critical to 
operations, owner/operators should also consider programmable 
electronic devices, computers, or other automated systems which are 
used in providing transportation; alarms, cameras, and other protection 
systems; and communication systems, and utilities needed for security 
purposes, including dispatching systems.\156\ TSA believes the scope of 
systems to be covered is consistent with the direction in the National 
Cybersecurity Strategy to ensure cybersecurity regulations ``meet the 
needs of national security and public safety, in addition to the 
security and safety of individuals, regulated entities, and their 
employees, customers, operations, and data.'' \157\
---------------------------------------------------------------------------

    \156\ See sections 1531(d)(1)(C) and 1512(d)(1)(C) of the 9/11 
Act, codified at 6 U.S.C 1181(d)(1)(C) and 1162(d)(1)(C), 
respectively.
    \157\ See supra note 12 at 8-9.
---------------------------------------------------------------------------

    Paragraph (a) of Sec. Sec.  1580.313, 1582.213, and 1586.213 
requires specific identifying information for Critical Cyber Systems. 
This information, at a minimum, would need to include specific 
identifying information for the system and manufacturer/designer name 
for each Critical Cyber System.
    TSA recognizes that the owner/operator is in the best position to 
determine the critical IT and OT systems needed to support its 
business-critical functions for operations and market (supply chain) 
expectations. There is, however, also the potential that a 
cybersecurity incident that may seem minor to a specific owner/operator 
could have more wide-ranging impacts on the supply chain as well as 
impacts on national and economic security. Paragraph (b) would require 
the owner/operator to include in its COIP the methodology used for 
identifying Critical Cyber Systems. Looking at systems and processes 
based on the business services they support may bring more transparency 
to, and improve the quality of, decision making, thereby improving 
overall operational resilience. As part of this methodology, TSA 
expects owner/operators to use information provided to them on 
particular risks associated with some systems, including intelligence 
and other information that identifies the likelihood of a system being 
the subject of a cybersecurity incident based on known threat 
information. As noted in the NIST CSF, a mature CRM program is one 
where the ``organization understands its role, dependencies, and 
dependents in the larger ecosystem,'' ``collaborates and receives 
information from other entities,'' ``is aware of the cyber supply chain 
risks associated with the products and services'' it both provides and 
uses, and ``acts formally upon those risks.'' \158\
---------------------------------------------------------------------------

    \158\ See NIST Cybersecurity Framework V1.1. at 10, available at 
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf (last 
accessed May 6, 2024); see also https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1302.ipd.pdf (last accessed May 6, 
2024).
---------------------------------------------------------------------------

    While some systems may pose more risk than others, any system that 
could result in operational disruption should be considered a Critical 
Cyber System. The methodology would need to describe these 
considerations and also consider scenarios for how long critical 
operations and capabilities could be sustained with identified 
alternatives if a Critical Cyber System is taken offline due to a 
cybersecurity incident. Finally, once the initial list of Critical 
Cyber Systems is identified, the methodology would need to include 
reviewing IT and OT systems not designated as critical to determine the 
sustainability and operational impacts if one of these systems is 
unavailable due to a cybersecurity incident. These considerations by 
the owner/operator may result in needing to update the list of Critical 
Cyber Systems. Best practices identified by TSA include considering 
impacts if a system is offline for a short duration (a 4-, 8-, 12-, or 
24-hour period), or for days, a week, several weeks, or months.
    It is important to recognize that the availability of backups or 
``workarounds'' should not be considered in determining whether an IT 
or OT system is a Critical Cyber System. These and other mitigation 
measures should be considered as part of the COIP as actions that are 
intended to ensure continuity if a Critical Cyber System is 
incapacitated. In practice, to the extent an owner/operator has 
developed backups and other mitigation measures for an IT or OT system, 
that fact should weigh towards identifying the system as critical, 
i.e., were it not critical, there would not be a need for robust 
mitigation measures in the event the system is unavailable.
    In Sec. Sec.  1580.313(e), 1582.213(e), and 1586.213(d), TSA is 
proposing to incorporate a requirement from the SD for owner/operators 
to add any IT or OT systems identified by TSA as Critical Cyber Systems 
even if not identified as critical by the owner/operator. While
TSA is committed to providing flexibility and allowing owner/operators 
to self-identify their Critical Cyber Systems, the agency is also 
committed to ensuring a baseline of cybersecurity across specific modes 
and similarly situated operations. As a result, if TSA notices that an 
owner/operator has chosen not to identify a system as critical that was 
identified by other similarly situated owner/operators, TSA would 
request additional information and, after consultation with the owner/
operator, could require the system to be added. In addition, an owner/
operator who does not identify any Critical Cyber Systems is not exempt 
from the requirements for the CRM program. If TSA agrees that the 
owner/operator does not have any Critical Cyber Systems, the owner/
operator would still need to address other applicable requirements.
    Positive Train Control. Consistent with these proposed requirements 
and standards for identification of Critical Cyber Systems, TSA revised 
the SD 1580/82-2022-01 series in May 2024 with a new requirement for 
owner/operators who are either required to install and operate PTC 
under 49 CFR part 236, subpart I, and/or who voluntarily install and 
operate PTC under CFR part 236, subpart H or I, to include PTC systems 
as a Critical Cyber System. TSA is proposing to incorporate this 
requirement in sections 1580.313 and 1582.213.
    PTC helps eliminate the risks of accidents and mishandling of 
locomotives due to human error by using locomotive-borne devices linked 
to a central dispatching system, through an integrated network 
communication channel. PTC systems \159\ are designed to prevent train-
to-train collisions, over-speed derailments, incursions into 
established work zones, and movements of trains through switches left 
in the wrong position.\160\
---------------------------------------------------------------------------

    \159\ Simply described, PTC systems are comprised of the 
locomotive onboard computer system, the wayside signals, and the 
Back Office Server (BOS). Connections are established through cabled 
cellular communication signals, Wi-Fi, and radio. Some of the data 
points that are received to control the speed of the locomotive are 
located through the Global Positioning System (GPS), wayside signal, 
transponder on or around the track, and monitoring of speed for all 
locomotives on the same subdivision. Data is compiled from the 
locomotive into the BOS and is compared to the track image in the 
PTC system, which can detect violation of movement authority and 
speed restrictions. The PTC system is an important safety function 
due to its ability to correct the actions of a train operating 
outside of the known limits of the system.
    \160\ See FRA, Positive Train Control (PTC), https://railroads.dot.gov/research-development/program-areas/train-control/ptc/positive-train-control-ptc (last accessed Nov. 28, 2023).
---------------------------------------------------------------------------

    The imposition of PTC requirements has also resulted in far more 
interconnected rail systems than previously existed with the potential 
for a cybersecurity incident to affect multiple operators.\161\ The 
criticality of these systems is reflected in the FRA's regulations that 
require PTC to be used unless the situation falls within one of the 
limited exceptions provided in their regulations.\162\ TSA is proposing 
to require rail owner/operators who use PTC to include specific PTC 
components as Critical Cyber Systems.
---------------------------------------------------------------------------

    \161\ In March 2023, a nationwide outage of PTC for Amtrak 
resulted in cancelled and delayed trains in and out of Chicago for 
multiple days, affecting Amtrak, commuter railroads, and freight 
railroads. See Bob Johnston, PTC issues cause Amtrak cancellations 
and delays, Trains.com (last updated Feb. 5, 2024), available at 
https://www.trains.com/trn/news-reviews/news-wire/ptc-issues-cause-amtrak-cancellations-and-delays/ (last accessed Aug. 2, 2024).
    \162\ See 49 CFR 236.1029. Under 49 CFR 236.1029(b)(6), a train 
that loses PTC en route, ``[w]here the failure or cut-out is a 
result of a defective onboard PTC apparatus,'' may continue ``no 
farther than the next forward designated location for the repair or 
exchange of onboard PTC apparatuses.''
---------------------------------------------------------------------------

    As noted above, the FRA's regulations expect PTC to be used unless 
the situation falls within one of the limited exceptions provided in 
FRA's regulations. The limited exceptions reflect the criticality of 
these systems. For example, a train that loses PTC, ``[w]here the 
failure or cut-out is a result of a defective onboard PTC apparatus,'' 
while en route may continue ``no farther than the next forward 
designated location for the repair or exchange of onboard PTC 
apparatuses.'' \163\ The fact that railroads may operate without 
functioning PTC systems only in limited situations demonstrates the 
critical need for these systems.\164\
---------------------------------------------------------------------------

    \163\ 49 CFR 236.1029(b)(6).
    \164\ See FRA Information Guide on Positive Train Control, 49 
CFR part 236, subpart I (dated Dec. 12, 2022).
---------------------------------------------------------------------------

    Losing PTC capability is likely to disrupt operations. PTC provides 
critical safety functions, protecting the public from possible train 
derailments, misaligned track switches, and head-on collisions. To 
achieve the intended safety benefits, the PTC system must consistently 
maintain a high level of availability. If the PTC system fails en 
route, the train must operate at reduced speed and stop at the next 
forward designated location until the PTC apparatuses are fixed or 
replaced. Accordingly, loss of the PTC system could interrupt the 
railroad's operations. Additionally, if a PTC system were to be the 
target of a cyberattack that resulted in a widespread disruption in 
system communication where the result was an inability to initialize 
communications with multiple locomotives, then trains would have to be 
held until the issue was resolved or FRA otherwise authorized continued 
operations.\165\
---------------------------------------------------------------------------

    \165\ Id.
---------------------------------------------------------------------------

    As in the SD, the proposed rule incorporates an alternative in lieu 
of applying access control measures, as required by proposed Sec. Sec.  
1580.317(b) and 1582.217(b), for the PTC hardware and software 
components installed on freight and passenger locomotives if the owner/
operator is complying with the requirements in 49 CFR 232.105(h)(1-4) 
(General requirements for locomotives), 49 CFR 236.3 (Locking of signal 
apparatus housings), or 49 CFR 236.553 (Seal, where required).
    Network architecture. Paragraph (c) would require owner/operators 
to identify system information and network architecture for each 
identified Critical Cyber System. In general, the requirements in 
paragraphs (c)(1) through (3) align with those in section III.B.1. of 
the SD Pipeline-2021-02 and SD 1580/82-2022-01 series. TSA is proposing 
to add two additional requirements for purposes of ensuring effective 
asset identification and management as part of a comprehensive CRM 
program. First, Sec. Sec.  1580.313(d)(4), 1582.213(d)(4), and 
1586.213(c)(4) would require an owner/operator to identify the baseline 
of acceptable communications between Critical Cyber Systems and 
external connections, or between IT and OT systems. This requirement is 
necessary to ensure the owner/operator can comply with requirements in 
proposed Sec. Sec.  1580.323, 1582.223, and 1586.223, which require 
documenting any communications between IT and OT systems and an 
external system that deviate from the identified baseline of 
communications.
    Sections 1580.313(d)(5), 1582.213(d)(5), and 1586.213(c)(5) would 
require the owner/operator to identify any operational needs that 
prevent implementation or delay implementation of the CRM program 
requirements for Critical Cyber Systems, such as application of 
security patches and updates, encryption, or MFA.
    Sections 1580.313(f), 1582.213(f), and 1586.213(e) would provide 
that any substantive changes to Critical Cyber Systems would require an 
amendment to the COIP. It is critical for both TSA and the owner/
operator to know the COIP has the current list of Critical Cyber 
Systems. TSA prepares for inspections in advance, and it increases the 
amount of time inspections take for owner/operators and TSA if the list 
is
not current. In addition, having ready access to this information can 
help TSA notify owner/operators if specific intelligence or other 
threat information becomes available relevant to that specific system 
or capability.
    Supply chain risk management (Sec. Sec.  1580.315, 1582.215, and 
1586.215). Both the NIST CSF \166\ and the CISA CPGs \167\ include 
recommendations related to supply chain risk management. TSA is 
proposing to incorporate all three recommendations from the CISA CPGs 
for supply chain risk management into this proposed rule. The 
requirements would apply to any procurement or contractual documents 
executed or updated after the effective date of the final rule.
---------------------------------------------------------------------------

    \166\ See GV.SC. of the NIST CSF.
    \167\ See CPG 1.G, 1.H, and 1.I.
---------------------------------------------------------------------------

    The SolarWinds supply chain compromise is one of the most well-
known examples of a cybersecurity risk associated with services and 
systems provided by external supply chain providers. Using a backdoor 
implanted in a software update downloaded by customers using the 
SolarWinds Orion product, malicious actors were able to retrieve and 
execute commands that included the ability to transfer files, execute 
files, profile the system, reboot the machine, and disable system 
services. The malware masqueraded its network traffic as the Orion 
Improvement Program protocol and stored reconnaissance results within 
legitimate plugin configuration files, allowing it to blend in with 
legitimate SolarWinds activity. The backdoor used multiple obfuscated 
blocklists to identify forensic and anti-virus tools running as 
processes, services, and drivers. Victims included government, 
consulting, technology, telecom and other entities in North America, 
Europe, Asia and the Middle East.\168\
---------------------------------------------------------------------------

    \168\ See Highly Evasive Attacker Leverages SolarWinds Supply 
Chain to Compromise Multiple Global Victims With SUNBURST Backdoor 
(Dec. 13, 2020; last updated May 12, 2022) available at https://www.mandiant.com/resources/blog/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-back (last 
accessed June 12, 2023); see also https://www.cisa.gov/news-events/news/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure for more resources regarding the SolarWinds 
supply chain compromise.
---------------------------------------------------------------------------

    Proposed Sec. Sec.  1580.315(a), 1582.215(a), and 1586.215(a) 
address these supply chain threats by incorporating the recommendations 
in CPG 1.G, which encourage organizations to incorporate supply chain 
incident reporting in their procurement documents and contracts to 
ensure they can more rapidly learn of, and respond to, known 
cybersecurity incidents across vendors and service providers. 
Specifically, CPG 1.G recommends that these documents, such as service-
level agreements, ``stipulate that vendors and/or service providers 
notify the procuring customer of security incidents within a risk-
informed time frame as determined by the organization.'' A risk-
informed time frame is one that is sufficient for the owner/operator to 
identify and address any potential risks to their Critical Cyber 
Systems based on the scope and type of cybersecurity incident.
    Paragraph (b) incorporates CPG 1.H, which recommends that 
organizations require these documents to stipulate that vendors and/or 
service providers notify the procuring customer of confirmed security 
vulnerabilities in their assets within a risk-informed time frame. This 
reporting ensures organizations can more rapidly learn about, and 
respond to, vulnerabilities in assets provided by vendors and service 
providers.
    Paragraph (c) incorporates CPG 1.I, which recommends that 
``procurement documents include cybersecurity requirements and 
questions, which are evaluated in vendor selection such that, given two 
offerings of roughly similar cost and function, the more secure 
offering and/or supplier is preferred.'' Implementing this 
recommendation would reduce risk by ensuring that the most secure 
products and services are purchased and purchasing priority given to 
more secure suppliers. In its CPG Checklist, CISA has assessed the 
complexity of these three actions as low, but with high impact at 
addressing the known threat.
    In paragraph (d), TSA is proposing that when a notification of a 
cybersecurity incident or vulnerability is received, the owner/operator 
must consider mitigation measures sufficient to address the resulting 
risk to Critical Cyber Systems. In addition, if any of these measures 
would result in permanent changes, the owner/operator would need to 
request to amend its COIP. If the vendor's cybersecurity incident puts 
the owner/operator's IT or OT systems at more direct and immediate 
risk, it may also be a reportable cybersecurity incident.
    In setting cybersecurity regulations for critical infrastructure, 
the National Cybersecurity Strategy encourages regulators ``to drive 
the adoption of secure-by-design principles.'' \169\ TSA is requesting 
specific comments on whether the supply chain requirements in the final 
rule should also include ensuring that any software purchased for, or 
installed on, Critical Cyber Systems meets CISA's Secure-by-Design and 
Secure-by-Default principles.\170\
---------------------------------------------------------------------------

    \169\ See supra note 12 at 8-9.
    \170\ For more information on these principles, see Shifting the 
Balance of Cybersecurity Risk: Principles and Approaches for 
Security-by-Design and -Default (Apr. 13, 2023), available at https://www.cisa.gov/sites/default/files/2023-06/principles_approaches_for_security-by-design-default_508c.pdf (last 
accessed Aug. 7, 2023).
---------------------------------------------------------------------------

d. Procedures, Policies, and Capabilities To Protect Critical Cyber 
Systems
    Protecting Critical Cyber Systems requires a combination of 
controls, capabilities, and awareness. Proposed Sec. Sec.  1580.317, 
1582.217, and 1586.217 include the requirements for network 
segmentation, capabilities to control access to or disruption of OT and 
IT systems, patch management, and ensuring these capabilities have 
robust logging and back-up requirements. Proposed Sec. Sec.  1580.319, 
1582.219, and 1586.219 require training to enhance awareness for 
individuals regarding their role and responsibilities in protecting 
Critical Cyber Systems.
    Network segmentation, controlling communications, zone boundaries, 
and encryption. Proposed paragraphs (a) through (c) of Sec. Sec.  
1580.317, 1582.217, and 1586.217 would require owner/operators to 
incorporate into their COIP the network segmentation policies and 
controls necessary to address cybersecurity threats. To align with the 
NIST CSF's ``Protect'' function, this section includes requirements 
from both section III.B. and section III.C. of the SD Pipeline-2021-02 
and 1580/82-2022-01 series.\171\ The scope of the requirements in 
paragraphs (a) through (c) specifically includes security outcomes 
intended to (a) protect against access to, or disruption of, the OT 
system if the IT system is compromised or vice versa; (b) ensure IT and 
OT system-services transit the other only when necessary for validated 
business or operational purposes; (c) secure and defend zone boundaries 
to defend against unauthorized communications between zones and 
prohibit OT services from traversing the IT system, or vice versa, 
unless encryption or other controls are in place; and (d) control 
access to Critical Cyber Systems.
---------------------------------------------------------------------------

    \171\ These requirements generally align with the 
recommendations in PR-AA of the NIST CSF and CPG 2.C (Unique 
Credentials), 2.D (Revoking Credentials for Departing Employees), 
2.E (Separating User and Privileged accounts), 2.H (Phishing-
Resistant Multifactor Authentication (MFA)), 2.K (Strong and Agile 
Encryption), 2.O (Document Device Configurations), 2.P (Document 
Network Topology), and 2.X (Limit OT Connections to Public 
internet).
---------------------------------------------------------------------------

    Many historical intrusions demonstrate that adversaries generally 
compromise a single vulnerable system or host and then move laterally 
across
a network until reaching an identified target. Implementing 
segmentation impedes adversaries who have successfully entered the 
environment from producing cascading consequences and limits their 
ability to impact the entire process simultaneously, reducing both 
physical and cyber consequences. Network segmentation is necessary to 
reasonably ensure that an intrusion is limited to the initially 
compromised host and does not spread to affect Critical Cyber Systems. 
Flat or unsegmented networks pose an exigent risk to cybersecurity, as 
any intrusion-spread can result in a significant impact to systems that 
support public health and safety. Preventing or controlling such spread 
mitigates the costs of a successful cybersecurity incident, especially 
if segmentation averts intruder exposure to critical systems, which 
could potentially cost billions of dollars in damage. Reducing the 
costly impacts of ransomware attacks over time may change the economic 
incentive of the attackers and reduce their frequency in the long-term.
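    The communications baseline required by proposed Sec. Sec.  1580.313(d)(4) (with deviations documented under Sec. Sec.  1580.323) and the zone-boundary outcomes in paragraphs (a) through (c) can be checked mechanically against flow records from a network sensor. The following is an added example, not code from TSA or from the NPRM; its zone ranges, baseline entries, record format and flow records are all constructed for illustration.

```python
# Added example (not from the NPRM or TSA): a checker that compares observed
# IT/OT/external flows against a documented communications baseline and reports
# the deviations an owner/operator would have to document. Zone ranges, baseline
# entries and flow records are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zone map; any address outside these ranges is treated as EXTERNAL.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("10.20.0.0/16"),
}


@dataclass(frozen=True)
class BaselineEntry:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    purpose: str  # the validated business or operational purpose


# Constructed baseline of acceptable cross-zone communications (what the COIP
# would record). Intra-zone traffic is outside the baseline's scope.
BASELINE = (
    BaselineEntry("IT", "OT", "tcp", 443, "read-only historian API over TLS"),
    BaselineEntry("OT", "IT", "tcp", 4840, "OPC UA replication to IT collector"),
    BaselineEntry("IT", "EXTERNAL", "tcp", 443, "vendor patch repository"),
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int
    tls: bool  # whether the sensor observed the flow inside a TLS session


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def baseline_match(flow: Flow) -> Optional[BaselineEntry]:
    key = (zone_of(flow.src), zone_of(flow.dst), flow.proto, flow.dst_port)
    for entry in BASELINE:
        if (entry.src_zone, entry.dst_zone, entry.proto, entry.dst_port) == key:
            return entry
    return None


def classify(flow: Flow) -> str:
    """Return 'intra-zone', 'baseline', 'deviation' or 'deviation-cleartext'."""
    if zone_of(flow.src) == zone_of(flow.dst):
        return "intra-zone"  # not a zone-boundary crossing
    if baseline_match(flow):
        return "baseline"
    # A boundary crossing the baseline does not cover; a cleartext crossing also
    # lacks the encryption that outcome (c) above expects at a zone boundary.
    return "deviation" if flow.tls else "deviation-cleartext"


def parse_flow(line: str) -> Flow:
    # Constructed sensor record: src,dst,proto,dst_port,tls|clear
    src, dst, proto, port, enc = line.strip().split(",")
    return Flow(src, dst, proto, int(port), enc == "tls")


def review(lines: List[str]) -> List[Tuple[str, str, str, Flow]]:
    """Return (verdict, src_zone, dst_zone, flow) for every flow outside the baseline."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict.startswith("deviation"):
            findings.append((verdict, zone_of(flow.src), zone_of(flow.dst), flow))
    return findings


# Constructed flow records, one per line.
SAMPLE_FLOWS = [
    "10.10.5.20,10.20.1.9,tcp,443,tls",      # baseline: IT -> OT historian API
    "10.20.1.9,10.20.1.50,tcp,502,clear",    # intra-OT Modbus polling, out of scope
    "10.10.7.3,10.20.1.50,tcp,502,clear",    # IT workstation polling a PLC directly
    "10.20.1.9,203.0.113.8,tcp,443,tls",     # OT host reaching an external address
    "10.10.5.20,198.51.100.7,tcp,443,tls",   # baseline: IT -> vendor patch mirror
]

if __name__ == "__main__":
    for verdict, src_zone, dst_zone, flow in review(SAMPLE_FLOWS):
        print(f"{verdict:20} {src_zone}->{dst_zone} {flow.src}->{flow.dst}:{flow.dst_port}")
```

    Each reported deviation is a candidate entry for the deviation record the proposed rule would require; the cleartext IT-to-OT Modbus poll is the kind of flow segmentation is meant to prevent.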
    Access control. Proposed paragraph (b) of Sec. Sec.  1580.317, 
1582.217, and 1586.217 includes requirements for controlling access to 
Critical Cyber Systems. These requirements generally align with the 
recommendations in PR-AA of the NIST CSF and CPG 2.C (Unique 
Credentials), 2.D (Revoking Credentials for Departing Employees), 2.E 
(Separating User and Privileged accounts).
    As noted above (see section III.D.2.c.), TSA is proposing a limited 
exception for application of access control measures required by 
proposed paragraph (b). In lieu of these requirements, Sec. Sec.  
1580.317(f) and 1582.217(f) would allow owner/operators to rely on the 
physical security controls used to comply with the FRA's regulations 
under 49 CFR 232.105(h)(1-4) (General requirements for locomotives), 49 
CFR 236.3 (Locking of signal apparatus housings), or 49 CFR 236.553 
(Seal, where required), as applicable. This exception is limited to PTC 
hardware and software components installed on freight and passenger 
locomotives. TSA previously provided this exception in revisions to the 
SD 1580/82-2022-01 series issued in June 2024. To rely on this 
exception, owner/operators would need to be in full compliance with the 
FRA regulations noted in the exception and specify in their COIP what 
physical security measures are being used to prevent unauthorized 
access to the specific PTC components installed on the locomotive.
    Identification and authentication policies. Identification and 
authentication policies are fundamental controls that should be part 
of a basic cybersecurity program and should already be in place 
for organizations covered by applicability of the SDs. To the extent 
that these controls are not in place, this is a vulnerability that 
could be imminently exploited.
    Regularly changing passwords is a fundamental cybersecurity 
practice. Minimizing this known threat vector requires immediate action 
to mitigate the threat. VADRs conducted by CISA, and other assessments 
and interviews with asset owners, have identified cases where passwords 
used in ICS were stolen, the organization was aware they had been 
compromised, yet the passwords were subsequently left unchanged for 
multiple years. In the absence of effective controls, adversaries in 
possession of these passwords could use them at any time to access the 
ICS. If at any time passwords were previously compromised and are still 
valid and have not been disabled or other compensating controls 
provided to prevent adversarial access to the system, those passwords 
could be used by an adversary to access the system.
    Multi-factor authentication. Multi-factor authentication (MFA) 
requirements, or compensating controls that meet the same security 
outcomes, are also needed to provide a critical, additional layer of 
security to protect asset accounts whose credentials have been 
compromised. Aggressive activity being demonstrated by threat actors 
against both IT and OT systems stems from identity management abuse, 
which can be significantly mitigated by using strong access control 
measures, such as MFA. Accounts using only a username and password are 
vulnerable to multiple modes of compromise, including password spraying 
and credential stuffing. Multi-factor authentication effectively 
protects against these tactics and associated unauthorized access. 
Implementing this requirement reduces the risk of unauthorized access 
to Critical Cyber Systems by employing security access controls that 
are equal to or greater than the protection offered by the use of MFA. 
The intent is to employ MFA where appropriate and, where it is not, to 
ensure strong physical and logical security controls are in place that 
meet or exceed the protection that MFA affords.
    Similar to the PTC exception for rail operations, TSA is proposing 
to incorporate from the SD Pipeline-2021-02 series a limited exception 
for MFA that addresses pipeline-specific operational considerations. In 
its regulations applicable to the safety of pipeline operations, PHMSA 
imposes requirements specifically applicable to control rooms used to 
monitor and control all or part of a pipeline facility through a SCADA 
system.\172\ Under PHMSA's regulations, controllers in the control room 
are responsible for monitoring day-to-day operations of the SCADA 
system and managing abnormal and emergency situations. In the midst of 
an emergency or alarm resolution, requiring MFA to access a workstation 
could have significant ramifications for pipeline safety and security. 
Based on these considerations, TSA is proposing to carry forward the 
limited exception from the SD to proposed Sec.  1586.217(b)(2). Under 
this exception, if an owner/operator is in compliance with PHMSA's 
requirements, and includes in its COIP details of the adequate, 
compensating controls it uses to prevent unauthorized physical and 
logical access to control room industrial control systems within the 
scope of the owner/operator's Critical Cyber Systems, it can rely on 
those measures in lieu of MFA. At a minimum, TSA would expect the COIP 
to detail physical security controls including segmentation of the 
workstation from enterprise IT systems and additional compensating 
controls applied to prevent unauthorized physical and logical access to 
the workstation(s).
---------------------------------------------------------------------------

    \172\ See, e.g., 49 CFR 192.631 (applicable to transportation of 
gas) and 49 CFR 195.446 (applicable to hazardous liquids). For 
purposes of these regulations, a control room is defined as ``an 
operations center staffed by personnel charged with the 
responsibility for remotely monitoring and controlling a pipeline 
facility.'' See 49 CFR 192.2 and 195.2.
---------------------------------------------------------------------------

    Privileged accounts. Most intrusions that occur are identity 
compromises, and implementing these controls greatly reduces the impact 
from successful compromises by limiting what can be done with any 
credentials and making intrusions more visible in the use of these 
credentials. Controlling access to and closely monitoring user accounts 
is a foundational control necessary to limit the extent of disruption 
and damage caused by potential intrusions.
    Establishing governance over privileged accounts addresses the 
urgent risk of unauthorized administrative access to life safety 
systems. Establishing governance over such accounts is a foundational 
step that should be undertaken to increase the industry baseline for 
control access. Establishing this baseline of security would 
significantly reduce the vulnerability of the Critical Cyber Systems 
because adversaries are currently seeking to exploit entities with
weaker access control compared to competitors or the industry standard. 
Policies such as Just-In-Time Privileged Account Management can 
mitigate the risk of privileged-account abuse by reducing the amount of 
time a threat actor has to gain access to privileged accounts before 
moving laterally through a system and gaining access to sensitive data.
    Controlling privileged accounts is an important initial step toward 
implementing ``zero trust'' policies. Zero trust is a cybersecurity 
paradigm focused on resource protection and the premise that trust is 
never granted implicitly but must be continually evaluated.\173\ The 
purpose of zero trust is to minimize uncertainty in enforcing accurate, 
least privilege, per-request access decisions for IT and OT systems in 
the context of assuming that a breach is inevitable or has already 
likely occurred.\174\ Unauthorized access to privileged accounts can be 
used to exercise administrative control of highly critical systems, 
including those that manage life safety functions. Privileged accounts 
must be well-governed, including by controlling and closely monitoring 
their use.
    Managing shared accounts. In general, shared accounts are 
inherently vulnerable to a cybersecurity incident and should never be 
used. As a result, it is best to require individual user and 
administrator accounts where technically feasible, with security 
controls appropriate for the different privilege levels and policies 
that prohibit sharing accounts. Shared accounts open a security 
vulnerability and complicate post-incident review of cybersecurity 
incidents. The vulnerability exists as long as an active password is 
known by individuals who no longer need access. It is not sufficient to 
rely on revoked credentials to mitigate the risk when an employee who 
knows the password no longer needs access to the system. The lack of 
unique passwords can also be a critical factor in incident response. 
For example, when accounts are shared among multiple individuals, it 
may not be feasible to determine which user is responsible for a given 
action. If a security incident occurs, it can be difficult to identify 
the source of that incident if it comes from a shared account.
---------------------------------------------------------------------------

    \173\ See NIST SP 800-207, Zero Trust Architecture, at 4 (Aug. 
2020). Zero trust architecture is an end-to-end approach to 
enterprise resource and data security that encompasses identity 
(person and nonperson entities), credentials, access management, 
operations, endpoints, hosting environments, and the interconnecting 
infrastructure. The initial focus should be on restricting resources 
to those with a need to access and grant only the minimum privileges 
(e.g., read, write, delete) needed to perform the mission. Document 
available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf (last accessed Oct. 16, 2023).
    \174\ Id.
---------------------------------------------------------------------------

    While an ideal CRM program would not permit shared accounts, TSA 
recognizes that, in some control system environments, management may 
make a risk-based decision to allow shared accounts. If the owner/
operator permits shared accounts in limited situations as determined 
necessary for operations, that decision needs to be managed with 
appropriate compensating controls, including capabilities such as 
enterprise password vaults and/or a logging system that allows the 
owner/operator to determine who has had access to the account and when. 
This data is critical for a forensic investigation following a 
cybersecurity incident. The proposed rule would require the owner/
operator to include actions to manage the risks of shared accounts in 
their COIP.
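    The compensating control described above, a vault or logging system that can show who held a shared account's password and when, is only useful after an incident if the two record sets can actually be joined. The following is an added example, not code from TSA or from the NPRM, that attributes authentication events on a shared account to individual vault checkouts; the account name, user IDs, timestamps and both record formats are constructed for illustration.

```python
# Added example (not from the NPRM or TSA): attributing logins on a shared account
# to individuals by joining password-vault checkout records with authentication
# events, the compensating control described above. Account names, user IDs,
# timestamps and both record formats are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Checkout:
    account: str
    user: str
    start: datetime
    end: Optional[datetime]  # None while the password is still checked out


@dataclass(frozen=True)
class Login:
    account: str
    when: datetime
    source: str


def ts(text: str) -> datetime:
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def parse_checkout(line: str) -> Checkout:
    # Constructed vault export: account,user,checkout_time,checkin_time ('' if open)
    account, user, start, end = line.strip().split(",")
    return Checkout(account, user, ts(start), ts(end) if end else None)


def parse_login(line: str) -> Login:
    # Constructed auth log: time,account,source_ip
    when, account, source = line.strip().split(",")
    return Login(account, ts(when), source)


def holders_at(login: Login, checkouts: List[Checkout]) -> List[str]:
    """Users who held the account's password when the login occurred."""
    return sorted({
        c.user for c in checkouts
        if c.account == login.account
        and c.start <= login.when
        and (c.end is None or login.when < c.end)  # checkout window is [start, end)
    })


def attribute(login: Login, checkouts: List[Checkout]) -> str:
    """One user, or a finding label when the vault data cannot attribute the login."""
    holders = holders_at(login, checkouts)
    if len(holders) == 1:
        return holders[0]
    if not holders:
        return "UNATTRIBUTED"  # credential used outside any vault checkout
    return "AMBIGUOUS:" + ",".join(holders)  # concurrent checkouts defeat attribution


def review(vault_lines: List[str], auth_lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (time, account, source, attribution) for every login in the auth log."""
    checkouts = [parse_checkout(line) for line in vault_lines]
    return [
        (login.when.isoformat(), login.account, login.source, attribute(login, checkouts))
        for login in map(parse_login, auth_lines)
    ]


# Constructed records for one shared HMI operator account.
VAULT_EXPORT = [
    "ot-hmi-operator,jdoe,2024-05-01T06:00:00,2024-05-01T14:00:00",
    "ot-hmi-operator,mkim,2024-05-01T12:00:00,2024-05-01T13:00:00",  # overlaps jdoe
    "ot-hmi-operator,asmith,2024-05-01T14:00:00,2024-05-01T22:00:00",
    "ot-hmi-operator,rlee,2024-05-02T06:00:00,",                      # still open
]
AUTH_LOG = [
    "2024-05-01T07:15:00,ot-hmi-operator,10.20.1.40",
    "2024-05-01T12:30:00,ot-hmi-operator,10.20.1.40",
    "2024-05-01T23:30:00,ot-hmi-operator,10.10.9.12",  # no checkout covers this login
    "2024-05-02T06:30:00,ot-hmi-operator,10.20.1.40",
]

if __name__ == "__main__":
    for when, account, source, who in review(VAULT_EXPORT, AUTH_LOG):
        print(f"{when} {account} from {source}: {who}")
```

    An UNATTRIBUTED result is exactly the case the text warns about, a still-valid password used by someone outside the vault's custody, and an AMBIGUOUS result shows why a vault that permits concurrent checkouts does not deliver the forensic value the COIP relies on.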
    Trust relationships, especially identity trust relationships 
between systems, are exploited by adversaries to compromise systems. In 
environments with shared trust between the OT and IT environments, a 
compromise to an IT system can immediately and directly place the OT 
system at risk. Severing these identity trusts is a critical safeguard 
in light of the current threat. If credentials from a shared or trusted 
store have been previously compromised, any system that trusts those 
credentials is put at immediate risk.
    Patch management. Proposed paragraph (e) of Sec. Sec.  1580.317, 
1582.217, and 1586.217 would require owner/operators to have a patch 
management strategy that ensures all critical security patches and 
updates are made consistent with the owner/operator's risk-based 
methodology for prioritizing patches. These requirements align with 
section III.E. of the SD Pipeline-2021-02 and 1580/82-2022-01 series 
and CPG 1.E (Mitigating Known Vulnerabilities). Unmanaged software can 
introduce vulnerabilities into a system and, if left unpatched, could 
lead to a system compromise. Historical intrusions, including those 
affecting critical infrastructure, demonstrate that adversaries 
commonly exploit unpatched or legacy assets. A robust patching program 
ensures that known vulnerabilities are quickly addressed based upon 
criticality of the underlying asset. A timely patching program is a 
fundamental attribute of a mature cybersecurity program and is likely 
already in place for organizations within the applicability of this 
proposed rule. Proof-of-concept exploit code for critical Windows 
vulnerabilities is often publicly available and seen ``in the wild'' 
within hours or days.
    Logging. Proposed paragraph (d) of Sec. Sec.  1580.317, 1582.217, 
and 1586.217 would require owner/operators to ensure logging data is 
stored in a secured and centralized system and maintained for a 
duration sufficient to support risk analysis. When a cybersecurity 
incident occurs, the focus is often on recovery to normal operations, 
but it is also critical to have strong procedures in place to ensure 
that critical data is not destroyed that could identify perpetrators 
and vulnerabilities. Log retention policies enable an organization to 
determine the scope of an intrusion, protecting the integrity of 
critical systems and life safety controls.
    Numerous recent cybersecurity incidents have indicated that 
organizations with insufficient logs are unable to effectively identify 
or assess the extent of a cybersecurity incident. In VADRs conducted by 
CISA, nearly half of all assessments identified issues related to how 
logs are kept and maintained, including failures to centrally collect 
logs and failure to have resources and policies necessary to properly 
analyze and audit logs. Considering the current capabilities of 
adversaries as identified in the classified intelligence, owner/
operators need to be prepared to determine the scope of an incident to 
ensure the safety and resiliency of their operations in support of 
national and economic security. Without this information, organizations 
often cannot determine whether an actor has penetrated control or 
digital safety systems.
    These requirements would generally align with the requirements in 
section III.E. of the SD Pipeline-2021-02 and 1580/82-2022-01 series. 
Both the NIST CSF (PR.PS Function) and the CISA CPGs recognize the 
importance of logging policies.\175\ While CISA recognizes that log 
collection can be more complex than some of the other requirements, 
they also note that effectively implementing this control reduces the 
risk of delayed, insufficient, or incomplete ability to detect and 
respond to potential cybersecurity incidents.\176\
---------------------------------------------------------------------------

    \175\ See NIST PR.PS Function and CPG 2.T (Log Collection) and 
2.U (Secure Log Storage).
    \176\ See CPG Checklist, supra note 153.
---------------------------------------------------------------------------

    Back-ups. Proposed paragraph (e) of Sec. Sec.  1580.317, 1582.217, 
and 1586.217 would require owner/operators to ensure critical systems 
are backed up. TSA's SDs required owner/operators to have a CIRP that 
included security and integrity of backed-up data and ensuring

[[Page 88521]]

that the backed-up data is free from malicious code before it is used 
to restore a system. For purposes of this rulemaking, TSA is separating 
this requirement into two sections. The requirement to secure backups 
would be under the protection portion of the CRM program, while 
requirements related to using the backups to restore systems would be 
under measures addressing response and recovery. See proposed 
Sec. Sec.  1580.327(b)(2), 1582.227(b)(2), and 1586.227(b)(2).
    These proposed requirements are consistent with CPG 2.R (System 
Backups) and the NIST CSF (PR.DS Function). The CISA CPGs recognize the 
importance of having systems that are necessary for operation backed-up 
on a regular cadence and ensuring they are stored separately from the 
source system and tested on a recurring basis.
    Cybersecurity Training. Proposed Sec. Sec.  1580.319, 1582.219, and 
1586.219 would require owner/operators to provide two levels of initial 
and recurrent cybersecurity training. First, basic cybersecurity 
training must be provided to all employees, including contractors, with 
access to the owner/operator's IT or OT system. Second, employees who 
meet the definition of a ``cybersecurity-sensitive employee'' must 
receive both basic and role-based cybersecurity training. Consistent with 
requirements for physical security training, TSA is proposing that 
individuals who do not receive the required training within the 
required timeframe must not be allowed access to Critical Cyber Systems 
or an IT or OT system that is interdependent with a Critical Cyber 
System. In Sec.  1570.3, TSA is proposing to define ``cybersecurity-
sensitive employees'' as ``any employee who is a privileged user with 
access to, or privileges to access, a Critical Cyber System or any 
Information or Operational Technology system that is interdependent 
with a Critical Cyber System as defined in the TSA Cybersecurity 
Lexicon.'' Under proposed paragraph (b), owner/operators would be 
required to include in their COIP a curriculum or lesson plan for each 
course needed to meet the specific curriculum requirements.
    Proposed paragraph (c) of proposed Sec. Sec.  1580.319, 1582.219, 
and 1586.219 includes the curriculum requirements for basic 
cybersecurity training to provide cybersecurity awareness to address 
best practices, acceptable use, risks associated with their level of 
privileged access, and awareness of security risks associated with 
their actions. The requirements in the proposed rule are consistent 
with CPG 2.I (Basic Cybersecurity Training) and 2.J (OT Cybersecurity 
Training). All employees should have a basic understanding of the 
online threat environment. Basic cybersecurity awareness training helps 
employees understand proper cyber safety, and the security risks 
associated with their actions. Regular training helps employees 
recognize their role in cybersecurity and how they serve as an 
additional ``sensor'' to detect an incident, regardless of their 
technical expertise.
    Proposed paragraph (c) requires the owner/operator to provide 
cybersecurity-sensitive employees training that specifically addresses 
their role as a privileged user to prevent and respond to a 
cybersecurity incident, acceptable uses, and the risks associated with 
their level of access and use as approved by the owner/operator. This 
training recognizes that the level of cybersecurity training for 
someone with access to critical IT systems may be different than the 
training needed for someone who primarily accesses critical OT systems. 
In addition, this training must ensure these employees understand and 
are prepared to execute any actions associated with their positions 
under the owner/operator's TSA-approved CIRP.
    The proposed schedule for cybersecurity training is consistent with 
the CISA CPGs. Under paragraph (d) of proposed Sec. Sec.  1580.319, 
1582.219, and 1586.219, owner/operators would be required to provide 
initial cybersecurity training (basic and role-based, as applicable) 
within 60 days after the effective date of TSA's approval of the COIP. 
For individuals who onboard or become cybersecurity-sensitive employees 
after the effective date of the COIP, TSA would require training within 
10 days of onboarding. Paragraph (e) of these sections would require 
annual recurrent training.
    In the CPGs, CISA noted that basic cybersecurity training should be 
required annually ``for all organizational employees and contractors 
that cover basic security concepts, such as phishing, business email 
compromise, basic operational security, password security, etc.,'' and 
organizations should ``foster an internal culture of security and cyber 
awareness.'' \177\ The CISA CPGs also recommend that all new employees 
receive this basic initial cybersecurity training within 10 days of 
onboarding and recurring training on at least an annual basis.\178\ For 
individuals with responsibilities for protecting critical systems, such 
as maintaining or securing OT systems, as part of their regular duties, 
the CISA CPGs recommend additional cybersecurity training on an annual 
basis.\179\ In the CPG Checklist, CISA identifies these actions as 
having low complexity and high impact. The CPG Checklist also 
identifies free services and references that can be used for 
cybersecurity training.\180\ TSA's proposed requirements for 
cybersecurity training align with the CPG recommendations.
---------------------------------------------------------------------------

    \177\ See CPG 2.I (Basic Cybersecurity Training).
    \178\ Id.
    \179\ See CPG 2.J (OT Cybersecurity Training).
    \180\ See supra note 153.
---------------------------------------------------------------------------

    Paragraphs (f), (g) and (h) of proposed Sec. Sec.  1580.319, 
1582.219, and 1586.219 address recognition of prior training and 
retention of training records. Paragraph (f) specifically allows owner/
operators to rely on previously provided cybersecurity training to meet 
the requirements in the proposed rule to the extent they can validate 
it meets curriculum and schedule requirements in the proposed rule. 
Paragraphs (g) and (h) include proposed requirements for retention of 
records and making the record available to employees that are 
consistent with TSA's current requirements for physical security 
training of security-sensitive employees (in current 49 CFR 1570.121).
e. Procedures, Policies, and Capabilities To Detect Cybersecurity 
Incidents (Proposed Sec. Sec.  1580.321, 1582.221, and 1586.221)
    As it is not possible to stop all cybersecurity incidents or 
attempted incidents, it is critical to have strong capabilities to 
detect cybersecurity incidents when they occur and have automatic 
measures in place to mitigate the impact. TSA's cybersecurity SDs 
included specific requirements to ensure continuous monitoring and 
detection policies.\181\ The proposed requirements in Sec. Sec.  
1580.321, 1582.221, and 1586.221 align with the SDs.
---------------------------------------------------------------------------

    \181\ See section III.D. of the SD Pipeline-2021-02 and 1580/82-
2022-01 series.
---------------------------------------------------------------------------

    A key element of initial access for a cyber-intrusion is the 
execution of malicious software and communications with malicious 
command-and-control servers. Implementing filters to ensure ``allow-
listing'' of known, good software and blocking malicious domains are 
essential controls to prevent damaging intrusions from occurring. In 
the latter case, best practices, such as protective Domain Name System 
(DNS) resolution, are necessary to proactively block communications 
with unknown or

[[Page 88522]]

potentially malicious web domains.\182\ Detection should not be limited 
to a single security control but should include continuous monitoring 
and detection policies that follow the zero trust principle of assumed 
breach and a defense-in-depth approach to maximize a defender's chance 
of detecting an attack before it reaches the operational environment. 
Starting with basic controls, such as allow-list filters, email 
sandboxing, threat-based detection, and protecting DNS, provides a 
strong foundation for detection of threat activity from advanced 
adversaries. The costs of implementing these controls would be offset 
by the benefits of avoiding even a single successful cybersecurity 
incident that could result in catastrophic costs. The demands of the 
ransomware threat actors have also increased, and intelligence 
information indicates the capabilities of adversaries are becoming more 
sophisticated. The CISA CPGs note that ``[w]ithout the knowledge of 
relevant threats and ability to detect them, organizations risk that 
threat actors may exist undetected in their networks for long 
periods.'' \183\
---------------------------------------------------------------------------

    \182\ See NIST SP 800-81-2, Secure Domain Name System (DNS) 
Deployment Guide (Sept. 2013).
    \183\ See CPG 3.A (Detecting Relevant Threats and Tips).
---------------------------------------------------------------------------

f. Procedures, Policies, and Capabilities To Respond to, and Recover 
From, Cybersecurity Incidents
    In setting cybersecurity regulations for critical infrastructure, 
the National Cybersecurity Strategy encourages regulators to ensure 
that systems are designed to fail safely and recover quickly.\184\ 
Having strong procedures, policies, and capabilities to respond to, and 
recover from, cybersecurity incidents is among the most critical steps 
owner/operators can take. If a company is the target of one of the most 
sophisticated adversaries, such as nation-state actors, the issue is 
when the company will be the target of a cybersecurity incident, not 
whether they will be targeted. These requirements are related to 
protection and detection capabilities.
---------------------------------------------------------------------------

    \184\ See supra note 12 at 8-9.
---------------------------------------------------------------------------

    Capabilities to respond to a cybersecurity incident (Sec. Sec.  
1580.323, 1582.223, and 1586.223). The detection capabilities discussed 
above primarily rely on automated systems that flag or block incidents 
as they occur. CRM programs also need the capability to analyze traffic 
and trigger responses if certain thresholds are crossed. For this 
rulemaking, TSA is proposing to consolidate requirements from section 
D.2 of the SD Pipeline-2021-02 and SD 1580/82-2022-01 series that 
address auditing unauthorized access, documenting communications 
between systems that deviate from the approved baseline of 
communications, identifying and responding to execution of unauthorized 
code, and ensuring standardized incident response activities based on 
this information.
    Reporting cybersecurity incidents (Sec. Sec.  1580.325, 1582.225, 
1584.107, and 1586.225). TSA's first SD requirements for cybersecurity 
focused on the need to report cybersecurity incidents to the U.S. 
government promptly to ensure the government can adequately respond to 
threats to national security, including economic security.\185\ Both 
the NIST CSF (Function RS.CO) and CPG 4.A (Incident Reporting) 
recognize the importance of reporting cybersecurity incidents. In the 
CPGs, CISA notes that a failure to provide timely incident reporting 
affects the ability of CISA and other groups to assist the organization 
and also gain ``critical insight into the broader threat landscape, 
(such as whether a broader attack is occurring against a specific 
sector).''
---------------------------------------------------------------------------

    \185\ See Sections B-D of the SD Pipeline-2021-01, 1580-21-01, 
and 1582-21-01 series.
---------------------------------------------------------------------------

    TSA is proposing that the requirement to report cybersecurity 
incidents apply to all owner/operators required to report significant 
security concerns under current Sec.  1570.203. This applicability 
would generally include all owner/operators identified in Sec.  
1580.1(a)(1), (a)(4), and (a)(5), rail transit and passenger railroads 
identified in Sec.  1582.1, higher-risk bus-only transit systems 
identified in Sec.  1582.101, higher-risk OTRB owner/operators 
identified in Sec.  1584.101, and the pipeline facilities and systems 
identified in new Sec.  1586.101(b).
    The proposed requirements for cybersecurity incident reporting 
mirror those in the current SDs. As under the SDs, TSA would require 
owner/operators to report cybersecurity incidents to CISA within 24 
hours of identification of a cybersecurity incident.\186\ For purposes 
of the proposed rule, a ``cybersecurity incident'' is defined as ``an 
event that, without lawful authority, jeopardizes, disrupts or 
otherwise impacts, or is reasonably likely to jeopardize, disrupt or 
otherwise impact, the integrity, confidentiality, or availability of 
computers, information or communications systems or networks, physical 
or virtual infrastructure controlled by computers or information 
systems, or information resident on the system.'' The reports must, 
among other things, (1) identify the affected systems or facilities; 
and (2) describe the threat, incident, and impact or potential impact 
on IT and OT systems and operations. All information reported under 
this requirement is SSI protected under 49 CFR part 1520 and would be 
appropriately protected by CISA and TSA.
---------------------------------------------------------------------------

    \186\ As originally issued, the directive required notification 
within 12 hours of identification. In May 2022, TSA revised this 
requirement to require notifications within 24 hours of 
identification.
---------------------------------------------------------------------------

    At the time TSA issued specific requirements for reporting of 
cybersecurity incidents in 2021, it determined that CISA should receive 
all cybersecurity incident reporting in order to obtain the security 
and analytical benefits of consolidating this information in one system 
to enhance threat identification and trend analysis. This action is 
consistent with 49 U.S.C. 114(m), which permits TSA to use the services 
and capabilities of other agencies and to support them through use of 
the agency's authorities, as appropriate.
    TSA is aware that CISA is also required to issue a regulation to 
require reporting of cyber incidents under the Cyber Incident Reporting 
for Critical Infrastructure Act of 2022 (CIRCIA).\187\ Although CIRCIA 
requires CISA to implement new reporting requirements through 
regulation, CIRCIA's rulemaking requirement does not supersede, 
abrogate, modify, or otherwise limit any authority to regulate or act 
with respect to the cybersecurity of an entity vested in any U.S. 
Government officer or agency.\188\ ``Covered Entities,'' as defined by 
CISA, that are obligated to report ``Covered Cyber Incidents'' or 
``Ransom Payments'' pursuant to another federal regulatory requirement, 
directive, or similar mandate could remain obligated to do so. TSA is, 
however, committed to avoiding redundancy and harmonizing with our 
government partners on cybersecurity requirements.
---------------------------------------------------------------------------

    \187\ See Division Y of Public Law 117-103, 136 Stat. 1039 (Mar. 
15, 2022), as amended by Public Law 117-263, 136 Stat. 3661 (Dec. 
23, 2022), as codified at 6 U.S.C. 681-681g.
    \188\ 6 U.S.C. 681b(h).
---------------------------------------------------------------------------

    Under the structure proposed by CISA in its NPRM,\189\ TSA does not 
anticipate the need to make any significant modifications to its 
reporting requirements. TSA will continue to require reporting to CISA 
to avoid duplicate reporting. If CISA's final rule includes the 
proposed requirement for agencies to enter into an agreement with CISA 
to specifically address duplicative information reporting, TSA believes 
it is

[[Page 88523]]

well-positioned for this step based on its current reporting 
requirements. As CISA is likely to finalize the CIRCIA rule before this 
rulemaking is finalized, TSA will review the final CIRCIA requirements 
for reporting cybersecurity incidents and consider changes as necessary 
and/or appropriate in the final rule.
---------------------------------------------------------------------------

    \189\ See 89 FR 23644 (Apr. 4, 2024) (proposed rule); 89 FR 
37141 (May 6, 2024) (comment period extension); 89 FR 47471 (June 3, 
2024) (correction).
---------------------------------------------------------------------------

    Cybersecurity Incident Response Plan (Sec. Sec.  1580.327, 
1582.227, and 1586.227). Incident planning and preparedness is critical 
to mitigating the impacts of a cybersecurity incident on national 
security, including economic security. The NIST CSF (PR and RC 
Functions) and CPG 2.S (Incident Response (IR) Plans) and 5.A (Incident 
Planning and Preparedness) both recognize the importance of having a 
plan that is tested, validated, and maintained to ensure timely 
response to, and recovery from, detected cybersecurity events that 
cause, or could cause, operational disruption. This proposed rule would 
incorporate the CIRP requirements from section III.F. of the SD 
Pipeline-2021-02 series and section C.1. of the SD 1580-21-01 and 1582-
21-01 series. These requirements include having a plan to ensure that 
each of the following objectives is met: (1) the impacts of a 
cybersecurity incident that causes, or could cause, operational 
disruption or significant impacts on business-critical functions are 
limited and do not spread throughout the system; (2) back-up data is 
tested before it is used for recovery; (3) measures are in place to 
ensure isolation of technology to reduce risks; and (4) identification 
of who, by position, is responsible for implementing measures in the 
plan. The SDs also require owner/operators to conduct annual exercises 
of their plans that, at a minimum, test at least two of these 
objectives each year. The overall objective of the exercise requirement 
is to ensure that elements of the incident response plan are tested to 
ensure that they will work and can be properly executed by the 
responsible person(s).
    As recommended by CPG 2.S (Incident Response Plans), which aligns 
with the NIST CSF (Function RS.MA), TSA would continue to require 
owner/operators to test their plans through exercises and modify the 
CIRP within 90 days based on the results of the exercises. While the 
CIRP required by this proposed rule would be incorporated into the COIP 
made available to TSA for approval, TSA would require that any changes 
to the CIRP be reported to TSA within 15 days. As these changes are 
separately reported to TSA, revisions to the CIRP do not require an 
amendment to the COIP under Sec.  1570.107 of the proposed rule.
3. Cybersecurity Assessment Plan (Proposed Sec. Sec.  1580.329, 
1582.229, and 1586.229)
    As discussed above, the NIST CSF, the CISA CPGs, and TSA's SDs, 
taken in their totality, recognize the importance of having 
cybersecurity measures informed both by an initial cybersecurity 
evaluation that looks at the current profile of the owner/operator's 
cybersecurity measures against the target profile, and an assessment 
program that actually tests the effectiveness of cybersecurity measures 
in the COIP as related to Critical Cyber Systems. In the initial SD 
issued to pipeline owner/operators, SD Pipeline-2021-01, TSA required 
owner/operators to have a third-party conduct a cybersecurity 
architecture design review.
    In SD Pipeline-2021-02C, issued in July 2022, TSA modified the SD 
to require owner/operators to have a Cybersecurity Assessment Program 
that allowed owner/operators to conduct their own biennial 
cybersecurity architecture design review and also required them to use 
other assessment capabilities intended to test the effectiveness of 
their cybersecurity measures. Owner/operators were required to have an 
annual plan for these assessments and to submit the plan to TSA for 
review, but not for approval.\190\
---------------------------------------------------------------------------

    \190\ See Section III.G. of the SD Pipeline-2021-02 series and 
Section III.F. of SD 1580/82-2022-01 series.
---------------------------------------------------------------------------

    In July and October 2023, TSA modified the pipeline and rail SD 
series, respectively, to change the name from a Cybersecurity 
Assessment Program to a Cybersecurity Assessment Plan, which more 
accurately reflects additional changes made to the requirements. Under 
the current SD series, owner/operators must submit the CAP to TSA for 
approval. The CAP must include a specific schedule for the assessments 
to ensure that at least one-third of the COIP is tested each year at a 
pace to ensure 100 percent of the policies, procedures, measures, and 
capabilities in the COIP are assessed over any 3-year period as applied 
to all Critical Cyber Systems. The intent of this requirement is to 
ensure a continuous process of assessment, avoiding the potential 
vulnerabilities that could result from only conducting assessments 
every few years, which could leave vulnerabilities undetected for 
years.
    This proposed requirement gives owner/operators flexibility in 
developing their CAP schedule. One approach would be to assess/audit 
one-third of the policies, procedures, measures and capabilities in the 
CIP each year for all Critical Cyber Systems. Another acceptable 
option, however, would be to assess/audit one-third of Critical Cyber 
Systems each year for all applicable policies, procedures, measures and 
capabilities in the COIP.
    Either of these options ensures a schedule where one-third of 
policies, procedures, measures, and capabilities in the COIP are 
assessed each year with 100 percent of the policies, procedures, 
measures, and capabilities in the COIP being assessed/audited every 3 
years on 100 percent of the Critical Cyber Systems. Under this 
requirement, an owner/operator who chooses to assess more than one-
third in one year is still required to assess at least one-third the 
next year. For example, if the owner/operator assesses 100 percent of 
their measures in Year 1, at least one-third would need to be assessed 
again in Year 2 and Year 3 of the cycle.
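The one-third-per-year schedule above, including the front-loading case in which 100 percent is assessed in Year 1, can be checked mechanically. The following is an added example and not part of the rulemaking; the COIP measure names, the Critical Cyber System names, the (measure, system) pair model of coverage, and the function names are constructed assumptions for illustration.

```python
from itertools import product

# Constructed sample inputs (not from the rulemaking): a small COIP and
# three Critical Cyber Systems.
COIP_MEASURES = ["access-control", "patching", "logging",
                 "backups", "segmentation", "training"]
CRITICAL_CYBER_SYSTEMS = ["scada-hmi", "historian", "safety-plc"]


def coverage_units(measures, systems):
    """Model the CAP scope as (measure, system) pairs: each COIP measure
    as applied to each Critical Cyber System (an assumption of this example)."""
    return set(product(measures, systems))


def thirds(items):
    """Split a list into three near-equal groups, one per year of the cycle."""
    return [items[i::3] for i in range(3)]


def schedule_by_measures(measures, systems, start_year):
    """Option 1 from the text: one-third of the COIP measures each year,
    applied to every Critical Cyber System."""
    return {start_year + i: set(product(chunk, systems))
            for i, chunk in enumerate(thirds(measures))}


def schedule_by_systems(measures, systems, start_year):
    """Option 2 from the text: one-third of the Critical Cyber Systems each
    year, assessed against every applicable COIP measure."""
    return {start_year + i: set(product(measures, chunk))
            for i, chunk in enumerate(thirds(systems))}


def check_cap_schedule(measures, systems, schedule, cycle=3):
    """Validate a CAP schedule {year: set of (measure, system) pairs}.

    Two rules from the proposed requirement are checked:
      1. at least one-third of all pairs is assessed in every year, including
         the years after a year in which 100 percent was assessed;
      2. every pair is assessed at least once in every consecutive
         `cycle`-year window of the plan (years absent from the schedule
         count as years with no assessments).
    Returns (ok, findings); findings is a list of human-readable failures."""
    if not schedule:
        return (False, ["plan contains no years"])
    units = coverage_units(measures, systems)
    per_year_minimum = (len(units) + cycle - 1) // cycle   # ceil(n / cycle), integer-safe
    findings = []
    years = list(range(min(schedule), max(schedule) + 1))

    for year in years:
        planned = schedule.get(year, set())
        assessed = planned & units
        stray = planned - units
        if stray:
            findings.append(f"{year}: {len(stray)} pair(s) not in the COIP/CCS mapping")
        if len(assessed) < per_year_minimum:
            findings.append(f"{year}: {len(assessed)} of {len(units)} pairs assessed, "
                            f"at least {per_year_minimum} required")

    for i in range(len(years) - cycle + 1):
        window = years[i:i + cycle]
        covered = set().union(*(schedule.get(y, set()) for y in window))
        missing = units - covered
        if missing:
            findings.append(f"{window[0]}-{window[-1]}: {len(missing)} pair(s) never assessed")

    return (not findings, findings)


if __name__ == "__main__":
    m, s = COIP_MEASURES, CRITICAL_CYBER_SYSTEMS
    for label, plan in [("by measures", schedule_by_measures(m, s, 2026)),
                        ("by systems", schedule_by_systems(m, s, 2026))]:
        print(label, check_cap_schedule(m, s, plan))
    # Front-loaded plan: everything in Year 1 and nothing after fails rule 1
    # for Years 2 and 3, exactly the case the text calls out.
    front_loaded = {2026: coverage_units(m, s), 2027: set(), 2028: set()}
    print("front-loaded", check_cap_schedule(m, s, front_loaded))
```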
    TSA is specifically requesting comment on methods owner/operators 
would use to ensure this schedule is met. Smaller companies with fewer 
Critical Cyber Systems that find it easier to assess 100 percent each 
year could submit a CAP that includes different types of assessments 
each year, i.e., assessing 100 percent each year using different 
methodologies.
    To ensure both the owner/operator and TSA have a clear agreement on 
the planned assessment program and that it will meet the requirements 
by the end of the three-year period, TSA is proposing to require the 
CAP to include a mapping sufficient to validate that the required scope 
of the assessment will be met within the required period. This step is 
necessary as TSA recognizes that neither all parts of the COIP nor all 
Critical Cyber Systems are equal, and it may not be possible to 
identify a bright line of one-third of the COIP being assessed each 
year. Mapping the scheduled assessments to the COIP and Critical Cyber 
Systems will enable TSA and the owner/operator to engage in a 
discussion to ensure the proposed rule's intent, a steady state of 
meaningful assessments, is built into the owner/operator's CRM program 
and informs future modifications to improve cybersecurity. TSA 
assumes that the first mapping will be the most burdensome, requiring 
minor updates in future years to address any changes in the COIP or 
Critical Cyber Systems.
    TSA also agrees with the CISA CPGs' recommendation that, whenever 
possible, auditors and assessors should be from outside the owner/
operator's

[[Page 88524]]

organization.\191\ At the same time, TSA recognizes that some companies 
may have in-house capabilities to conduct audits and assessments. 
Rather than requiring a third-party validator, TSA is requiring that 
any individual who conducts an audit or assessment must be independent, 
i.e., they must not have a vested or other financial interest in the 
results, in order to ensure the integrity and reliability of results. 
For example, if an individual conducting an audit is part of a team or 
group that would receive a bonus if the audit results met a certain 
threshold, they are not sufficiently independent to be eligible to 
conduct the audit.
---------------------------------------------------------------------------

    \191\ See CPG 1.F (Third-Party Validation of Cybersecurity 
Control Effectiveness).
---------------------------------------------------------------------------

    To support overall governance of the CRM program, the proposed rule 
would require an annual report of the CAP results. This report must 
also include the methodologies used. A copy of the report must be 
provided to corporate leadership and TSA. Under paragraph (f) of 
Sec. Sec.  1580.307, 1582.207, and 1586.207, the results of these 
assessments are to be used for updating the CRM program, as 
appropriate. TSA is proposing that the report be provided 15 months 
from the date of TSA's approval of the first CAP and annually 
thereafter. This timeline allows for full implementation of the CAP (an 
annual or 12-month plan), and three additional months to develop a 
report based on the results. The proposed rule text specifically notes 
that the audits and assessments conducted under this section are 
vulnerability assessments subject to the SSI protections in 49 CFR part 
1520.
    The procedures discussed for submission of CIPs in section 
III.D.2.a. also apply to submission of CAPs. As with CIPs, a CAP 
maintained at the owner/operator's location is not considered to have 
received final approval until reviewed by TSA, revised as required by 
TSA and the owner/operator receives notification from TSA that the CAP 
has received final approval. Only final approval of the CAP triggers 
the timelines associated with subsequent annual requirements to develop 
the CAP and CAP report.
4. Documentation To Establish Compliance (Proposed Sec. Sec.  1580.331, 
1582.231, and 1586.231)
    In accordance with 49 U.S.C. 114(f) and 49 CFR part 1503, TSA may 
view, inspect, and copy records, in carrying out TSA's security-related 
statutory or regulatory authorities, including its authority to enforce 
security-related laws, regulations, directives, and requirements. At 
the request of TSA, each owner/operator subject to the requirements of 
the proposed rule must provide evidence of compliance, including copies 
of records if requested, sufficient to demonstrate compliance. TSA must 
be able to build and preserve a sufficient administrative record for 
each case.
    For the specific purposes of the CRM program requirements, the 
proposed rule includes a section on documentation that TSA may ask to 
review to establish compliance. The list of documentation provided 
aligns with the lists in section IV.C of the SD Pipeline-2021-02 and 
1580/82-2022-01 series. While TSA has the authority under 49 U.S.C. 
114(f)(7) to review any documents necessary to enforce security-related 
regulations and requirements (among other purposes), TSA provided this 
non-exclusive list to provide owner/operators with examples of the 
types of documents TSA may ask to review in order to support the owner/
operator's efforts to establish compliance.

E. Physical Security

    As noted above, TSA is reorganizing 49 CFR parts 1570, 1580, 1582, 
and 1584 through this rulemaking, to distinguish between physical 
security requirements and cybersecurity requirements. The security 
measures previously imposed for rail, PTPR, and OTRB--security 
coordinators, reporting significant security concerns, security 
training, and chain of custody (for freight railroads)--are primarily 
intended to address physical security concerns, i.e., threats to 
physical infrastructure from improvised explosive devices or physically 
tampering with equipment. With this rulemaking, cybersecurity 
requirements would receive dedicated treatment.
    To help distinguish between physical security and cybersecurity, the 
rule proposes to generally include the physical and cybersecurity 
requirements in separate subparts applicable to each mode. The 
requirements for OTRB would continue to be in subpart B of part 1584. 
TSA would also distinguish between (1) requirements for Physical 
Security Coordinator(s) and reporting physical security concerns and 
(2) requirements for Cybersecurity Coordinator(s) and reporting 
cybersecurity incidents.
    To clearly establish the distinction between physical security and 
cybersecurity, TSA is proposing to move the security coordinator 
requirements in current Sec.  1570.201 and reporting requirements in 
current Sec.  1570.203 to the modal-specific parts with only one change 
to the current requirements. As with the Cybersecurity Coordinators 
required under the CRM program, TSA is specifying that the Physical 
Security Coordinator(s) be a U.S. citizen unless this requirement is 
waived by TSA.\192\ TSA would consider several factors before waiving 
this requirement. Most importantly, the individual would need to 
successfully complete an STA. In addition, TSA would need to ensure 
that at least one of the owner/operator's Physical Security 
Coordinator(s) (primary or alternate) is a U.S. citizen who is eligible 
for a security clearance. This requirement is consistent with current 
practice and, as previously discussed, necessary to ensure that there 
is at least one point of contact within every covered entity that TSA 
can share sensitive information with on a rapid basis. This information 
could not be shared with non-citizens absent significant coordination 
at a government-to-government level. The delay caused by this 
coordination could prevent an owner/operator from receiving, on a timely 
basis, the critical information it needs to protect against threats 
identified in actionable intelligence at a classified level.
---------------------------------------------------------------------------

    \192\ This requirement is consistent with sections 1512(e)(2) 
and 1531(e)(2) of the 9/11 Act, as codified at 6 U.S.C. 1162(e)(2) 
and 1181(e)(2), respectively.
---------------------------------------------------------------------------

    As part of this effort, TSA is proposing to move and consolidate 
all the requirements for security training of security-sensitive 
employees (currently referenced in Sec. Sec.  1570.107, 1570.109, 
1570.111, 1570.121, 1580.113, 1580.115, 1582.113, 1582.115, 1584.113, 
and 1584.115) into one section in each of the modal-specific 
parts (proposed Sec. Sec.  1580.113, 1582.113, and 1584.113) rather 
than the current structure, which has some requirements in part 1570 
and some in multiple sections in parts 1580, 1582, and 1584. None of 
the requirements for security training (procedural or substantive) 
would be modified through this rulemaking.
    Finally, TSA is proposing to require the pipeline facilities and 
systems within the applicability of the CRM program requirements 
(proposed Sec.  1586.101(b)) to designate a Physical Security 
Coordinator and report significant physical security concerns. For 
almost a decade, TSA's Pipeline Guidelines have encouraged pipeline 
owner/operators to report security incidents to TSA \193\ and provide 
contact information for security operations or controls centers for 
pipeline owner/operators in order to facilitate the exchange of 
information.\194\ Through

[[Page 88525]]

this rulemaking, TSA is proposing to make having a Physical Security 
Coordinator and reporting significant physical security concerns 
mandatory for the pipeline owner/operators identified in proposed Sec.  
1586.101(b). Expanding these requirements to this critical sector would 
ensure TSA is able to obtain a complete picture of potential threats, 
both physical and cyber across this sector and as it relates to other 
critical infrastructure.
---------------------------------------------------------------------------

    \193\ See supra note 81, at Appendix B.
    \194\ See Supporting Statement for OMB Control No. 1652-0055, as 
approved on Dec. 22, 2010, available at https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=201006-1652-001 (last accessed Nov. 28, 
2023).
---------------------------------------------------------------------------

F. General Procedures for Security Programs, SDs, and Information 
Circulars

1. General Procedures for Security Programs (Proposed Revisions to 
Subpart B of Part 1570)
    In the Security Training for Surface Transportation Employees final 
rule, TSA established procedures for security programs in 49 CFR part 
1570. At that time, the requirements to be included in a security 
program were primarily related to security training. As part of this 
rulemaking and the expansion of security program requirements to 
include a robust CRM program, TSA is proposing to revise the procedures 
for security programs in part 1570 to align more closely with the well-
established procedures applicable to security programs issued for civil 
aviation under subchapter C of 49 CFR chapter XII. In general, these 
changes primarily result in reorganizing the requirements currently in 
Sec. Sec.  1570.109 through 1570.119.\195\ In addition, these 
procedures also address allowances in the 9/11 Act for coordinated 
development and implementation of vulnerability assessments and 
security plans, and the requirements in the 9/11 Act related to 
recognition of existing procedures, protocols, and standards.\196\
---------------------------------------------------------------------------

    \195\ See supra at Table 3 for distribution of current 
requirements.
    \196\ See sections 1405(g), (i) and 1512(j), (l) of the 9/11 
Act, as codified at 6 U.S.C. 1134(g), (i) and 1162(j), (l), 
respectively.
---------------------------------------------------------------------------

    Proposed Sec.  1570.107 includes the procedures for when an owner/
operator determines that they need to amend a security program 
previously approved by TSA. This section is consistent with the 
procedures for aviation security programs under subchapter C of Chapter 
XII \197\ and would replace current Sec. Sec.  1570.113 and 1570.117. 
These procedures ensure a joint understanding between TSA and owner/
operators on what the owner/operator is committed to implementing while 
providing opportunities to modify measures as necessary to address 
changes in operations, evolving capabilities, and emerging threats. As 
the COIP is a security program, owner/operators must request an 
amendment whenever they seek to make substantive changes to their COIPs 
or to documents incorporated by reference. Current Sec.  1570.113 
includes requirements for when owner/operators must request an 
amendment to their security programs. TSA is proposing to consolidate 
and streamline these requirements in proposed 1570.107(c).
---------------------------------------------------------------------------

    \197\ See 49 CFR 1542.105, 1544.105, 1548.7, and 1549.7.
---------------------------------------------------------------------------

    Proposed Sec.  1570.107(b) includes the general requirements for 
owner/operators to request an amendment to a TSA-approved security 
program. Current Sec.  1570.113(e) requires owner/operators to submit a 
request for an amendment to their programs no later than 65 days after 
a permanent change takes effect. For purposes of this requirement, a 
permanent change is any change in effect for 60 or more calendar 
days.\198\ The SDs for cybersecurity requirements require a request for 
an amendment no later than 50 calendar days after the permanent change 
takes effect, unless TSA allows a longer time period. A permanent 
change for that purpose is any change intended to be in effect for 45 
or more calendar days.\199\ In TSA's aviation programs, TSA requires 
requests for amendments 45 days before they take effect, unless TSA 
allows a shorter time period.\200\
---------------------------------------------------------------------------

    \198\ See 49 CFR 1570.113(d).
    \199\ See section VI of the SD Pipeline-2021-02 and SD 1580/82-
2022-01 series.
    \200\ See, e.g., 49 CFR 1542.105(b)(1).
---------------------------------------------------------------------------

    Under the proposed rule, permanent changes would continue to be 
those intended to be in effect for 60 or more days, but owner/operators 
would be required to request an amendment at least 45 days before the 
change takes effect. This section carries over from current Sec.  
1570.113(f), the TSA standard for approval. In general, this standard 
requires that the policies, procedures, or measures in the proposed 
amendment provide a commensurate level of security to the previously 
approved policy, procedure, or measure. As validated by TSA's 
application of this timeframe in aviation programs, this requirement 
benefits both the agency and owner/operator by ensuring that TSA agrees 
with the owner/operator's determination that a modification to 
previously approved procedures will continue to meet the required 
security objectives. This agreement, in turn, avoids situations where 
an owner/operator invests in programs, capabilities, or technology that 
TSA subsequently disapproves because the modification fails to provide 
adequate security as required by the regulation.
    Proposed Sec.  1570.113(c)(1) specifically excludes administrative 
or clerical changes from the amendment process. These changes are those 
that do not affect policies, procedures, or measures in the owner/
operator's TSA-approved security program. While an amendment is not 
required, TSA would require owner/operators to maintain a chronological 
record of these changes for at least one year before the date of the 
last approved security program. As with all other documentation of 
compliance, this information must be provided to TSA upon request.
    Proposed Sec.  1570.113(c)(2) includes an exception for temporary, 
substantive changes. Temporary, substantive changes are those that 
would have an impact on approved policies, procedures, or measures, but 
which are not intended to be in effect for 60 or more days. For 
temporary, substantive changes, TSA is proposing that owner/operators 
must notify TSA no more than 24 hours after a temporary, substantive 
change is made to any policy, procedure, or measure in its TSA-approved 
security program. Within 7 calendar days of this notification, the 
owner/operator must, in writing, inform TSA of the interim policies, 
procedures, or measures it is using to maintain adequate security while 
the temporary, substantive change is in effect. The owner/operator must 
include a description of how the interim policy, procedure, or measures 
provides a commensurate level of security. TSA will notify the owner/
operator in writing if the agency does not concur that the interim 
measure provides a commensurate level of security. If the temporary, 
substantive change exceeds or is expected to exceed 60 days, then 
the owner/operator must seek an amendment to its security program. This 
amendment request must be submitted no later than 65 days after the 
temporary, substantive change initially took effect. These proposed 
provisions would result in TSA having more visibility into temporary, 
substantive changes (consistent with TSA's regulatory requirements in 
the aviation context) while maintaining some of the flexibility 
contained in current regulations and SDs with respect to non-permanent 
changes. Proposed Sec.  1570.107(c) also provides more specific detail 
on the difference between administrative or clerical changes and 
substantive revisions and the procedures to be followed based on the 
type of amendment.

[[Page 88526]]

    As specifically applied to the security training programs required 
by Sec. Sec.  1580.113, 1582.113, and 1584.113, which are also 
considered TSA-approved security programs, TSA notes that most 
revisions to a security training program would be considered 
substantive and permanent. Training curriculums and programs are 
usually planned in advance and do not change as rapidly as 
cybersecurity issues. Within this context, however, TSA would consider 
changes to the number of employees to be trained within each of the 
identified functions to be an administrative or clerical change, which 
would not require an amendment. TSA believes it is more important for 
the owner/operator to have an accurate and up-to-date awareness of 
these issues and plan accordingly than to impede this process by 
imposing an amendment process every time staff levels change. As 
applied to the CRM program, examples of administrative or clerical, 
temporary, and permanent changes are discussed more fully in Section 
III.D.2.a., within the general context of COIP requirements.
    Proposed Sec.  1570.107(d) and (e) include procedures for TSA to 
amend security programs, which align with what is currently in Sec.  
1570.115. This section also proposes to add the process for filing a 
petition for reconsideration, currently in Sec.  1570.119, as proposed 
Sec.  1570.107(f).
    Proposed Sec.  1570.109 provides an option for owner/operators who 
may have operations that meet the criteria for applicability, but those 
operations are infrequent or seasonal. TSA is proposing to add a 
section that aligns with an option provided to airports in 49 CFR 
1542.109. Under this provision, TSA may make a risk-based determination 
to impose alternative requirements that are appropriate for the scope 
of the operations rather than the full programmatic requirements.
    TSA is proposing to add Sec.  1570.115, which provides the 
procedures for withdrawing approval of a security program. In general, 
if an owner/operator is not in compliance with regulatory requirements, 
TSA would work through an enforcement process that has a range of 
actions including notices and an opportunity to correct and penalties. 
In some situations, however, TSA may determine that the failure to 
comply is so contrary to security and the public interest that the 
agency must withdraw approval of the security program. Section 1570.115 
provides the standard and process for withdrawal to ensure due process 
is provided should this action be necessary.
    In proposed Sec.  1570.117, TSA would incorporate the general 
recordkeeping requirements from current Sec.  1570.121. The 
recordkeeping requirements specific to physical security training have 
been incorporated into the proposed consolidated physical security 
training requirements in the modal-specific parts, specifically in 
proposed Sec. Sec.  1580.113, 1582.113, and 1584.113.
    Finally, as part of the general effort to establish a comprehensive 
regulatory regime for surface regulations similar to the regime for 
aviation, TSA is proposing to revise Sec.  1570.1 to add paragraph (b). 
This paragraph clarifies that the authority for any function exercised 
by the Administrator within the subchapter, such as approving an 
amendment to a security program, may be delegated to other officials by 
the Administrator. The statement is consistent with current 49 CFR 
1540.3, as applied to aviation, and is appropriate as TSA continues to 
implement its authority and responsibilities for surface transportation 
security.
2. SDs and Information Circulars (Proposed Subpart C of Part 1570)
    TSA is also proposing to rename Subpart C--Operations to Subpart 
C--Threat and Threat Response and add a new Sec.  1570.201 related to 
the issuance of SDs and ICs.\201\ This section would provide procedures 
in TSA's regulations to issue SDs and ICs and make other revisions to 
align TSA's processes for surface transportation security with those 
long-established for the aviation sector.
---------------------------------------------------------------------------

    \201\ As discussed above, TSA proposes to move existing sections 
1570.201 and .203 to parts 1580, 1582 and 1584.
---------------------------------------------------------------------------

    The surface cybersecurity SDs discussed in section II.B.1. were 
issued under the authority of 49 U.S.C. 114(l)(2). Aviation SDs, 
however, are a creature of APA rulemaking, having been created by the 
Federal Aviation Administration (FAA).\202\ When TSA determines that it 
must immediately require additional security measures to respond to a 
threat assessment or to a specific threat against civil aviation, it 
may issue SDs to certain regulated parties. Regulated parties may 
request alternative procedures to accomplish the same security goal 
with different measures.\203\ Unless otherwise determined by the 
Administrator, SDs contain SSI and thus are not available to the 
general public.\204\ Review of an SD is available in a U.S. court of 
appeals.\205\
---------------------------------------------------------------------------

    \202\ See 54 FR 28984 (July 10, 1989); 58 FR 36802 (July 8, 
1993) (aircraft operators); 66 FR 37274 (July 17, 2001) (airport 
operators). Requirements are now in 49 CFR 1542.303 (airport 
operators) and 1544.305 (aircraft operators). The FAA's 
transportation security authority and all rules were given to TSA 
under ATSA. See 49 U.S.C. 114(d); section 141 of ATSA (Savings 
Provision). As a result, Aviation SDs are not issued under 49 U.S.C. 
114(l)(2).
    \203\ See 49 CFR 1542.303 (airport operators); 1544.305 
(aircraft operators); 1548.19 (indirect air carriers); and 1549.109 
(Certified Cargo Screening Facilities). The foreign air carrier 
regulations in 49 CFR part 1546 do not provide for SDs. TSA issues 
emergency amendments (EAs) to their security programs to require 
additional security measures when needed.
    \204\ See 49 CFR 1520.5(b)(2) regarding SDs.
    \205\ See Gilmore v. Gonzales, 435 F.3d 1125, 1133 (9th Cir. 
2006) (which held that SDs are an agency order subject to court of 
appeals review pursuant to 49 U.S.C. 46110); see also Corbett v. 
Transp. Sec. Admin., 19 F.4th 478, 480 (D.C. Cir. 2021).
---------------------------------------------------------------------------

    The provisions for SD procedures also address issuance of ICs. ICs 
are intended to notify owner/operators of specific security concerns 
and may include recommended measures to address the concern. While a 
specific regulatory provision is not necessary to issue ICs, 
referencing them in the regulations provides a distinction between 
voluntary versus mandatory measures.
    Through this rulemaking, TSA is proposing to create a similar 
regulatory provision for SDs and ICs for surface transportation to 
those applicable in the aviation sector.\206\ As discussed above, see 
section II.B.1 of this NPRM, TSA has used these two types of actions to 
address cybersecurity of surface transportation. TSA made a risk-based 
decision that certain entities must implement cybersecurity measures. 
Those entities were within the scope of applicability for the SDs. TSA 
also issued ICs to all owner/operators within a certain mode, 
recommending that they consider voluntarily implementing the measures 
imposed on the higher-risk owner/operators. ICs are distinguished from 
more general guidance documents because they are specific to a certain 
security concern. This addition to TSA's regulations would ensure that 
any person within the scope of applicability of future SDs or ICs would 
be able to find the applicable procedures for these actions in TSA's 
regulations.
---------------------------------------------------------------------------

    \206\ See 49 CFR 1542.303, 1544.305, 1548.19, and 1549.109.
---------------------------------------------------------------------------

    As noted above, TSA is proposing revisions to streamline regulatory 
text for owner/operators to request to implement security measures 
other than those specifically required by TSA, or to revise previously 
approved security programs. The current regulations provide for 
amendments to security programs requested by an owner/operator in 
current 49 CFR 1570.113, TSA amendments to programs in Sec.  1570.115, 
and owner/operator

[[Page 88527]]

requested alternative procedures in Sec.  1570.117. Under the current 
regulations, the distinction between an owner/operator amendment and an 
alternative procedure is not clear as they both authorize the owner/
operator to request to implement a measure other than what is required 
by TSA and require TSA to determine that granting the request would not 
have a negative impact on security.
    TSA is also proposing to revise the procedures for amendments to 
security programs (such as the COIP) required by subchapter D. See 
discussion in section II.F.1. As part of this revision, TSA is 
proposing to move the procedures for requesting alternative measures 
from current Sec.  1570.117 to Sec.  1570.203, and to limit the 
alternative procedures measures to SDs. This revision would provide 
owner/operators with a clearly identified process for requesting to 
implement alternatives to requirements in an SD. The proposed 
procedures align with our standard processes for aviation where we 
require owner/operators to request an amendment to a security program 
through the security program process, and also allow owner/operators 
the ability to request an alternative measure or procedure to 
requirements in an SD. Owner/operators would continue to be able to 
request amendments to their security programs under proposed Sec.  
1570.107(b).
3. Exhaustion of Administrative Remedies (Proposed Sec.  1570.119)
    TSA is proposing to add a new Sec.  1570.119, which would require 
exhaustion of administrative remedies before challenging final agency 
orders by TSA related to the requirements in parts 1570, 1580, 1582, 
1584, and 1586. Under this proposed requirement, an individual could 
not seek judicial review until TSA has issued its ``final agency 
order.'' TSA has identified in proposed subpart B of part 1570 the 
point at which a TSA decision is a ``final agency action.'' For 
purposes of this rulemaking, ``final agency order'' and ``final agency 
action'' have the same meaning.
    This requirement would apply to (a) denials of approval of a 
security program, an amendment to a security program, or alternative 
measures to requirements in a security program; (b) imposition of 
requirements through an SD or TSA-required amendment to a security 
program; and (c) withdrawal of a security program. For example, if the 
specific regulatory provision provides for an owner/operator to request 
a petition for reconsideration of a denial of security program 
amendment, see proposed Sec.  1570.107(f), then the owner/operator 
would need to have a timely petition for reconsideration denied before 
they would have exhausted the administrative procedures.
    The doctrine of exhaustion of administrative remedies is based on 
the need to conserve judicial resources and ensure that factual issues 
are resolved by the agency with the expertise and responsibility for 
administering the program at issue. The doctrine allows agencies to 
develop a full factual record, correct errors, minimize costs, and 
create a uniform approach to the issues within their jurisdiction. This 
process benefits individuals by resolving disputes more quickly and at 
lower cost through TSA rather than the federal courts. If the 
individual ultimately seeks review in the Court of Appeals following 
TSA's final agency order, the court would have a full record on which 
to base its review, and the issues would be narrowed to those that 
truly require judicial review.\207\ This process also allows TSA the 
opportunity to correct any errors and narrow the issues, which can be 
achieved through exhausting administrative remedies, before initiating 
judicial review.\208\
---------------------------------------------------------------------------

    \207\ See Mohamed Al Seraji v. Gowadia, No. 8:16-cv-01637-JLS-
JCG (C.D. Cal. Apr. 28, 2017). In this case, TSA issued a 
preliminary denial of a TWIC application, and the individual sought 
review by a U.S. District Court rather than first appealing the 
decision to TSA. The court dismissed his claim, stating that he must 
first exhaust the administrative remedies in TSA's redress 
regulations. The court stated that it needed a more developed 
factual record to effectively evaluate the case.
    \208\ Id.
---------------------------------------------------------------------------

    For all of the foregoing reasons, TSA is proposing to include in 
the regulation an explicit requirement for individuals to exhaust 
administrative remedies before seeking judicial review.
4. Severability
    Proposed Sec.  1570.121 would reflect TSA's intent that the various 
regulatory provisions be considered severable from each other to the 
greatest extent possible. For instance, if a court of competent 
jurisdiction were to hold that the rule or a portion thereof may not be 
applied to a particular owner or operator or in a particular 
circumstance, TSA would intend for the court to leave the remainder of 
the rule in place with respect to all other covered persons and 
circumstances. The inclusion of a severability clause would not be 
intended to imply a position on severability in other TSA regulations.
5. Enforcement and Compliance
    TSA has broad authority to: (1) enforce its rules and requirements; 
(2) oversee the implementation and ensure the adequacy of security 
measures; and (3) inspect, maintain, and test security facilities, 
equipment, and systems for all modes of transportation.\209\ TSA's 
authority over transportation security is comprehensive and supported 
with specific powers related to the development and enforcement of 
security-related regulations and other requirements. Within this broad 
authority, the agency may assess a security risk for any mode of 
transportation and develop security measures for dealing with this 
risk.\210\ If TSA identifies noncompliance with its requirements, TSA 
may hold the owner/operators responsible for the violation and subject 
to enforcement action, which may result in civil monetary 
penalties.\211\ Pursuant to its statutory authority and 
responsibilities, TSA is the sole Federal agency with authority to 
enforce its regulations.
---------------------------------------------------------------------------

    \209\ See generally 49 U.S.C. 114.
    \210\ 49 U.S.C. 114(f) and (l).
    \211\ 49 U.S.C. 114(f) and (u).
---------------------------------------------------------------------------

    Through a separate rulemaking, TSA recently consolidated all of its 
provisions previously found throughout its regulations relating to 
inspections, including the regulations governing surface transportation 
entities in current 49 CFR 1570.9.\212\ As a result of this revision to 
TSA's regulations, TSA's inspection requirements are now located in one 
section, 49 CFR 1503.207, which is the part that specifically focuses 
on investigative and enforcement procedures applicable to all of TSA's 
regulatory requirements.
---------------------------------------------------------------------------

    \212\ See Final Rule, Flight Training Security Program, 89 FR 
35580 (May 1, 2024). These changes took effect on July 30, 2024.
---------------------------------------------------------------------------

    When appropriate, TSA will coordinate with an owner/operator on 
inspections. Notice gives the parties to be inspected the opportunity 
to gather evidence of compliance and to arrange to have the appropriate 
personnel available to assist TSA. Some inspections, however, can only 
be effective if TSA's presence is unannounced. TSA must have the 
flexibility to respond to information, operations, and specific 
circumstances whenever they exist or develop.
    Security concerns are different at different times of the day and 
on different days. Terrorists may seek to take advantage of 
vulnerabilities whenever they occur. TSA has the authority to assess 
the security of transportation entities at all times (including nights, 
weekends, and holidays) and under all operational situations. The 
nature of any given TSA inspection will depend on the specific 
circumstances surrounding a particular owner/operator at a given point 
in time

[[Page 88528]]

and will be considered in conjunction with available threat 
information.

G. Summary of Applicability and Requirements

    Table 6 identifies the current and proposed applicability of all 
the requirements discussed above.

                                                        Table 6--Summary of Proposed Requirements
         [Current subchapter D of 49 CFR chapter XII requirements are indicated with an ``X''; proposed requirements are indicated with a ``P'']
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                        Reporting
                                                        Physical       significant                                         Reporting
                                      SD and IC         security         physical         Security      Cybersecurity    cybersecurity     CRM program
                                      procedures      coordinator        security         training       coordinator       incidents
                                                                         concerns
--------------------------------------------------------------------------------------------------------------------------------------------------------
Owner/operators of freight                      P                X                X                X                P                P             * PI
 railroads operating on general
 railroad system.................
Rail hazardous materials shippers               P                X                X   ...............  ...............  ...............  ...............
Rail hazardous materials                        P                X                X   ...............  ...............  ...............  ...............
 receivers in HTUAs..............
Owner/operators hosting freight                 P                X                X                X              * P              * P              * P
 or passenger rail operations....
Owner/operators of private rail                 P             ** X                X   ...............            ** P                P   ...............
 cars and circus trains..........
Owner/operators of passenger                    P                X                X                X                P                P              * P
 railroads operating on the
 general railroad system,
 including intercity passenger
 train service, and commuter
 train services..................
Owner/operators of rail transit                 P                X                X                X                P                P              * P
 systems not part of general
 railroad system.................
Owner/operators of tourist,                     P             ** X                X   ...............            ** P                P   ...............
 scenic, historic, and excursion
 railroads.......................
Owner/operators of bus transit or               P                X                X                X   ...............               P   ...............
 commuter bus systems in
 designated areas................
OTRB owner/operators providing                  P                X                X                X   ...............               P   ...............
 fixed-route service in
 designated areas................
Owner/operators of pipeline                     P              * P              * P   ...............             * P              * P              * P
 facilities and systems..........
--------------------------------------------------------------------------------------------------------------------------------------------------------
* If described in proposed 1580.301, 1582.201, or 1586.101.
** If notified by TSA in writing that a threat exists concerning that operation.

    As further discussed below, this proposed rule builds upon the 
previously issued SDs that many of the affected owner/operators have 
endeavored to implement. All the requirements in the SDs discussed in 
section II.B.1 of this NPRM have been carried over into the proposed 
rule, either in full or with minor alteration. New requirements include 
cybersecurity incident reporting for the OTRB industry; specific 
requirements for governance of the owner/operators' CRM programs; 
supply chain risk management requirements addressed as part of the 
COIP; and cybersecurity training. TSA is also proposing to include 
physical security requirements for the covered pipeline industry, but 
these provisions are not considered part of the CRM program. A summary 
of key updates is listed below, and a more comprehensive presentation 
can be found in Appendix A of the Regulatory Impact Analysis available 
in the docket for this rulemaking.
    • Cybersecurity Evaluation (Sec. Sec.  1580.305, 1582.205, 
and 1586.205)--The proposed requirements for a Cybersecurity Evaluation 
modify the assessments required by the SD Pipeline 2021-01, SD 1580-21-
01, and SD 1582-21-01 series by making the requirement more 
comprehensive, including the development of an enterprise-wide 
cybersecurity profile that as set forth in the proposed rule must be 
updated annually. As discussed in section III.D.1, this type of 
evaluation is consistent with the NIST CSF. The process to develop this 
profile is substantively similar to the requirements laid out in the 
applicable SDs. This requirement also addresses certain requirements in 
the 9/11 Act related to vulnerability assessments.
     Cybersecurity Operational Implementation Plan (COIP) 
(Sec. Sec.  1580.303, 1582.203, and 1586.203)--The proposed 
requirements for a COIP build on the requirement in the SD Pipeline-
2021-02 and SD 1580/82-2022-01 series, which required covered owner/
operators to develop a CIP. This requirement also addresses certain 
requirements in the 9/11 Act related to developing a security plan to 
address vulnerabilities and ensure security of certain IT and OT 
systems. The additional requirements in the proposed rule for the COIP 
are consistent with the transition from the temporary purpose of the 
SDs' requirements to establishing a permanent, robust, and mature CRM 
program. The new proposed COIP requirements include requiring owner/
operators to have a POAM, which supports prioritization and timely 
implementation of CRM requirements and involves owner/operators 
developing a plan to address any shortfalls in being able to meet the 
requirements of the COIP.
     Governance (Sec. Sec.  1580.309, 1582.209, and 1586.209)--
Consistent with TSA's intent to align the requirements in the 
rulemaking with the NIST CSF, TSA is proposing additional structure 
around the governance of the CRM program that was not included in the 
SDs. Establishing strong governance is critical to a viable and mature 
CRM program because having defined processes and identified roles 
creates a more effective and efficient operation that considers 
cybersecurity and protects organizational goals. The ``governance'' 
requirements include designation of the accountable executive, as well 
as of those with cybersecurity responsibilities, so that there is a 
single leader (by role/position/title) who is responsible and 
accountable for planning, resourcing, and execution of cybersecurity 
activities.
     Cybersecurity Coordinator (Sec. Sec.  1580.311, 1582.211, 
and 1586.211)--TSA is proposing to incorporate the requirements to 
designate a

[[Page 88529]]

Cybersecurity Coordinator first imposed in the SD Pipeline 2021-01, SD 
1580-21-01, and SD 1582-21-01 series with a few changes that detail the 
knowledge and skills of the Cybersecurity Coordinator. Such areas 
include general cybersecurity guidance and best practices; relevant law 
and regulations pertaining to cybersecurity; handling of SSI and 
security-related communications; current cybersecurity threats 
applicable to the owner/operator's operations and systems; and 
having a HSIN account or other TSA-designated communication platform 
for information sharing. The Cybersecurity Coordinator information must 
also be added to the owner/operator's COIP. This requirement also 
addresses certain requirements in the 9/11 Act related to security 
coordinators, as well as recognizing the distinction between physical 
security and cybersecurity and the possibility that larger 
organizations may need to have different individuals handling these 
responsibilities.
     Identification of Critical Cyber Systems (Sec. Sec.  
1580.313, 1582.211, and 1586.211)--The proposed rule incorporates the 
requirement to identify Critical Cyber Systems first imposed in the SD 
Pipeline-2021-02 and SD 1580/82-2022-01 series that are substantively 
the same but contain clarifying language modifications with regard to 
the specifics of what is involved in the identification process. This 
requirement also addresses certain requirements in the 9/11 Act related 
to identification of critical assets and infrastructure.
     Supply Chain Risk Management (Sec. Sec.  1580.315, 
1582.215, and 1586.215)--TSA is proposing a new requirement, supply 
chain risk management, which is not in the SDs to align the CRM program 
requirements with CISA's CPGs. Under this requirement, the owner/
operator must incorporate policies, procedures, and capabilities to 
address supply chain cyber vulnerabilities into their COIP.
     Protection of Critical Cyber Systems (Sec. Sec.  1580.317, 
1582.217, and 1586.217)--These proposed requirements incorporate 
requirements from the SD Pipeline-2021-02 and SD 1580/82-2022-01 series 
involving measures for network segmentation, access control, and 
patching and software updates, and add a discussion of procedures 
related to logging. TSA is not changing the substance but 
proposing to organize the requirements from the SDs to align with the 
NIST CSF. This requirement also helps address the 9/11 Act's 
requirements related to protection of certain IT and OT systems.
     Cybersecurity Training (Sec. Sec.  1580.319, 1582.219, and 
1586.219)--TSA is proposing a new requirement for cybersecurity 
training, for basic users as well as role-based cybersecurity training 
for privileged users. As discussed in section III.D.2.d, this 
proposed requirement is consistent with recommendations in CISA's CPGs. 
This requirement also addresses portions of the 9/11 Act requirements 
related to requiring security training for certain employees.
     Detection of Cybersecurity Incidents (Sec. Sec.  1580.321, 
1582.321, and 1586.321)--TSA is proposing to include requirements from 
the SD Pipeline-2021-02 and SD 1580/82-2022-01 series that address 
detection and monitoring of Critical Cyber Systems. TSA is not changing 
the substance but proposing to organize the requirements from the SDs 
to align with the NIST CSF. This proposed requirement also helps 
address 9/11 Act requirements related to plans to respond to a 
terrorist attack, which would include a cybersecurity incident caused 
by a threat actor.
     Capabilities to Respond to a Cybersecurity Incident 
(Sec. Sec.  1580.323, 1582.223, and 1586.223)--This proposed 
requirement is included in the SD Pipeline-2021-02 and SD 1580/82-2022-
01 series and involves auditing of unauthorized access to internet 
domains and communication between OT systems and external systems. TSA 
is not changing the substance but proposing to organize the 
requirements from the SDs to align with the NIST CSF. This proposed 
requirement also helps address 9/11 Act requirements related to plans 
to respond to a terrorist attack, which would include a cybersecurity 
incident caused by a threat actor.
     Cybersecurity Incident Reporting (Sec. Sec.  1580.325, 
1582.225, 1584.107, and 1586.225)--The proposed rule incorporates the 
requirement to report cybersecurity incidents first imposed in the SD 
Pipeline-2021-02 and SD 1580/82-2022-01 series with no changes.
     Cybersecurity Incident Response Plan (CIRP) (Sec. Sec.  
1580.327, 1582.227, and 1586.227)--The proposed requirement for a CIRP 
is incorporated from the SD Pipeline-2021-02, SD 1580-21-01, and SD 
1582-21-01 series. This proposed requirement involves having a plan to 
respond to cybersecurity incidents. The plan must include exercises. 
The CIRP requirements in the proposed rule are substantively the same 
as in the SDs with some language changes. This proposed requirement 
also helps address 9/11 Act requirements related to plans to respond to 
a terrorist attack, which would include a cybersecurity incident caused 
by a threat actor.
     Cybersecurity Assessment Plan (CAP) (Sec. Sec.  1580.329, 
1582.229, and 1586.229)--This proposed requirement is incorporated from 
the SD Pipeline-2021-02 and SD 1580/82-2022-01 series with no 
substantive changes and involves a robust assessment plan that tests 
the effectiveness of the COIP. As laid out in the applicable SDs, 
consistent with the NIST CSF, the proposed requirements include 
providing an annual report of assessment findings to TSA and corporate 
leadership, which feeds into the iterative cycle of assessments, 
planning, implementation, testing, and revisions to plans, that is 
critical to having a meaningful CRM program.

H. Compliance Deadlines and Documentation

    Table 7 identifies compliance deadlines and the type of 
documentation required to meet compliance requirements.

[[Page 88530]]



                                 Table 7--Compliance Deadlines and Documentation
----------------------------------------------------------------------------------------------------------------
                                                                                                   Amendment
                                                                                                  required for
          Requirement             Record mechanism      Deadlines              Source             substantive
                                                                                                    changes
----------------------------------------------------------------------------------------------------------------
Cybersecurity Evaluation.......  Owner/operator     Completed no       1580.305(b),            No.
                                  holds for          later than 90      1582.205(b), and
                                  inspection.        days after         1586.205(b).
                                                     effective date
                                                     of final rule or
                                                     45 days before
                                                     commencing new
                                                     or modified
                                                     operations (but
                                                     no more than one
                                                     year before date
                                                     of submission of
                                                     COIP).
                                                    Must notify TSA    1580.305(d),
                                                     within 7 days of   1582.205(d), and
                                                     completion.        1586.205(d).
                                                    Annual updates     1580.305(c),
                                                     required..         1582.205(c), and
                                                                        1586.205(c).
COIP...........................  Submitted to TSA   No later than 180  1580.307(e),            See below for
                                  for review and     days after         1582.207(e), and        individual
                                  approval.          effective date     1586.207(e).            requirements.
                                                     of final rule or
                                                     45 days before
                                                     commencing new
                                                     or modified
                                                     operations.
                                                    Must be reviewed   1580.307(f),
                                                     and updated        1582.207(f), and
                                                     within 60 days     1586.207(f).
                                                     of completed
                                                     Cybersecurity
                                                     Evaluation or
                                                     CAP Report.
    Identification of            Included in COIP.  Notification to    1580.309(a),            No; but
     accountable executive and                       TSA within 30      1582.209(a), and        notification to
     individuals/vendors with                        days of            1586.209(a).            TSA if changed.
     cybersecurity                                   effective date
     responsibilities.                               of final rule
                                                     and within 7
                                                     days of changes
                                                     to previously
                                                     submitted
                                                     information.
    Designation of               Notification to    Notification to    1580.313(d),            No; but
     Cybersecurity Coordinator.   TSA; information   TSA within 7       1582.213(d), and        notification to
                                  included in COIP.  days of            1586.213(d).            TSA if changed.
                                                     effective date
                                                     of final rule
                                                     (if not
                                                     previously
                                                     provided) and
                                                     within 7 days of
                                                     changes to
                                                     previously
                                                     submitted
                                                     information that
                                                     occur after that
                                                     date.
    Identification of Critical   Included in COIP.  No separate        ......................  Yes.
     Cyber Systems and Network                       deadline from
     Architecture.                                   COIP submission.
    Supply Chain Risk            Included in COIP.  No separate        ......................  Yes.
     Management.                                     deadline from
                                                     COIP submission.
    Description of how           Included in COIP.  No separate        ......................  Yes.
     protective security                             deadline from
     outcomes are met.                               COIP submission.
    Cybersecurity training.....  Included in COIP.  Initial training   1580.319(d),            Yes.
                                                     within 60 days     1582.219(d), and
                                                     of approval of     1586.219(d).
                                                     COIP or 10 days
                                                     of onboarding.

[[Page 88531]]

 
                                                    Annual training 1  1580.319(e),
                                                     year from          1582.219(e), and
                                                     employee's last    1586.210(e).
                                                     training.
    Description of how           Included in COIP.  No separate        ......................  Yes.
     detection and monitoring                        deadline from
     security outcomes are met.                      COIP.
    Cybersecurity Incident       Notification to    Within 24 hours    1580.325(a),            No.
     Reporting.                   CISA.              of                 1582.225(a), and
                                                     identification.    1584.107(a), and
                                                                        1586.225(a).
    Description of how response  Included in COIP.  No separate        ......................  Yes.
     security outcomes are met.                      deadline from
                                                     COIP.
    CIRP.......................  Included in COIP.  No separate        1580.329(f),            No; but
                                                     deadline from      1580.229(f), and        notification to
                                                     COIP, but          1586.229(f).            TSA if changed.
                                                     notification
                                                     within 15 days
                                                     if CIRP
                                                     previously
                                                     submitted as
                                                     part of COIP is
                                                     modified.
    POAM.......................  Included in COIP.  No separate        ......................  Yes.
                                                     deadline from
                                                     COIP (target
                                                     dates cannot
                                                     extend beyond
                                                     three years from
                                                     date of
                                                     submission of
                                                     COIP for TSA
                                                     approval).
CAP............................  Submitted to TSA   No later than 90   1580.329(a),            No.
                                  for review and     days from          1582.229(a), and
                                  approval.          approval of COIP.  1586.229(a).
                                                    Report submitted   1580.329(e),
                                                     15 months from     1582.229(e), and
                                                     TSA approval of    1586.229(e).
                                                     CAP and annually
                                                     thereafter.
                                                    Annual update to   1580.329(f),
                                                     CAP, submitted     1582.229(f), and
                                                     no later than 12   1586.229(f).
                                                     months from date
                                                     of last TSA-
                                                     approval of CAP.
----------------------------------------------------------------------------------------------------------------

I. Sensitive Security Information

1. Scope of the Revision to TSA's SSI Regulatory Requirements
    TSA is proposing minor changes to 49 CFR part 1520. These revisions 
consist of two types of modifications. First, revisions ensure the 
scope of existing designations of SSI for SDs and information circulars 
includes the section that would be added through this rulemaking as 
applicable to surface transportation. Second, TSA identified several 
areas where the SSI regulations explicitly referencing aviation and 
maritime should be revised to include surface transportation because 
similar requirements for surface transportation did not exist when the 
SSI regulations were promulgated. This proposed rule would address that 
gap.
    Note that any security program, security plan, or contingency plan 
required by 49 CFR subchapter D and vulnerability assessments required 
by, or submitted to TSA, are designated as SSI under current Sec.  
1520.5(b)(1) and (5), respectively. These requirements remain subject 
to SSI protection except as otherwise provided in writing by TSA in the 
interest of public safety or in furtherance of transportation 
security.\213\
---------------------------------------------------------------------------

    \213\ See 49 CFR 1520.5(c) for TSA determinations that 
information no longer constitutes SSI.
---------------------------------------------------------------------------

2. Disclosure of SSI Upon the ``Need To Know''
    Each owner/operator subject to the requirements in this proposed 
rule is a covered person under 49 CFR 1520.7(n) and is, therefore, 
required to protect SSI from unauthorized disclosure. TSA's SSI 
requirements do not prohibit owner/operators from sharing SSI with 
specific vendors that have a ``need to know.'' Determining whether 
information can be shared is a two-step consideration. First, is the 
individual a ``covered person'' under 49 CFR 1520.7? Under Sec.  
1520.7(k), employees and contractors of an owner/operator are ``covered 
persons.''
    Section 1520.9 requires all covered persons to protect SSI from 
unauthorized disclosure. Before sharing information with any person 
employed by, contracted to, or acting for a covered person, Sec.  
1520.9(a)(2) requires the owner/operator to determine that the 
individual has a need to know the information or record designated as 
SSI, as described in Sec.  1520.11. If the person has a need to know 
and the information is shared, that individual is a covered person who 
is required to protect SSI

[[Page 88532]]

from unauthorized disclosure.\214\ When providing the SSI, the owner/
operator must include the SSI protection requirements and ensure the 
covered person is formally advised of their regulatory requirements to 
protect the information. The materials provided must maintain their SSI 
markings and be accompanied with an SSI cover sheet, and SSI must be 
properly disposed of in accordance with TSA regulations.\215\
---------------------------------------------------------------------------

    \214\ See 49 CFR 1520.7(j), 1520.7(k) and 1520.9.
    \215\ See 49 CFR 1520.9, 1520.13, and 1520.19 for the specific 
requirements related to restrictions on disclosure, marking, and 
destruction of SSI, respectively.
---------------------------------------------------------------------------

    Unauthorized disclosure of SSI, by owner/operators or their 
vendors, is grounds for enforcement action by TSA, including civil 
penalty actions, under Sec.  1520.17. To support compliance with these 
requirements, TSA provides resources to regulated entities and other 
persons on proper handling of SSI.\216\
---------------------------------------------------------------------------

    \216\ See SSI Best Practices Guide for Non-DHS Employees or 
contact TSA at (571) 227-3513 or [email protected]. Additional 
resources are available at https://www.tsa.gov/for-industry/sensitive-security-information (last accessed Sept. 24, 2023).
---------------------------------------------------------------------------

IV. Regulatory Analyses

A. Economic Impact Analysis

1. Summary of Regulatory Impact Analysis
    Changes to federal regulations must undergo several economic 
analyses. First, E.O. 12866 of September 30, 1993 (Regulatory Planning 
and Review),\217\ as supplemented by E.O. 13563 of January 18, 2011 
(Improving Regulation and Regulatory Review),\218\ and amended by E.O. 
14094 of April 6, 2023 (Modernizing Regulatory Review) \219\ directs 
Federal agencies to propose or adopt a regulation only upon a reasoned 
determination that the benefits of the intended regulation justify its 
costs. Second, the Regulatory Flexibility Act of 1980 (RFA) \220\ 
requires agencies to consider the economic impact of regulatory changes 
on small entities. Third, the Trade Agreement Act of 1979 \221\ 
prohibits agencies from setting standards that create unnecessary 
obstacles to the foreign commerce of the United States. Fourth, the 
Unfunded Mandates Reform Act of 1995 (UMRA) \222\ requires agencies to 
prepare a written assessment of the costs, benefits, and other effects 
of proposed or final rulemakings that include a federal mandate likely 
to result in the expenditure by State, Local, or Tribal governments, in 
the aggregate, or by the private sector, of $100 million or more 
annually ($177 million adjusted for inflation).\223\
---------------------------------------------------------------------------

    \217\ Published at 58 FR 51735 (Oct. 4, 1993).
    \218\ Published at 76 FR 3821 (Jan. 21, 2011).
    \219\ Published at 88 FR 21879 (Apr. 6, 2023).
    \220\ Public Law 96-354. 94 Stat. 1164 (Sept. 19, 1980), as 
codified at 5 U.S.C. 601 et seq., as amended by the Small Business 
Regulatory Enforcement Fairness Act of 1996 (SBREFA).
    \221\ Public Law 96-39, 93 Stat. 144 (July 26, 1979), as 
codified at 19 U.S.C. 2531-2533.
    \222\ Public Law 104-4, 109 Stat. 66 (Mar. 22, 1995), as 
codified at 2 U.S.C. 1181-1538.
    \223\ $100 million in 1995 dollars adjusted for inflation to 
2022 using the GDP implicit price deflator for the U.S. economy. 
Federal Reserve Bank of St. Louis. ``GDP Implicit Price Deflator in 
United States.'' Available at: https://fred.stlouisfed.org/series/USAGDPDEFAISMEI#0 (last accessed Sept. 30, 2023).
---------------------------------------------------------------------------

    The security of the nation's transportation systems is vital to the 
economic health and security of the United States. Surface 
transportation systems in particular--including public transportation 
systems, intercity and commuter passenger railroads, freight railroads, 
intercity buses, hazardous liquid and liquefied natural gas pipelines 
as well as natural gas pipelines, and related infrastructure--are vital 
to our economy and essential to national security.\224\
---------------------------------------------------------------------------

    \224\ Surface Transportation and Rail Security Act of 2007, 
Report of the Senate Committee on Commerce, Science, and 
Transportation, S. Rep. No. 110-29, at 2 (quoting Exec. Order No. 
13416 (Dec. 5, 2006), available at https://www.govinfo.gov/content/pkg/CRPT-110srpt29/html/CRPT-110srpt29.htm.
---------------------------------------------------------------------------

    As discussed previously in this preamble, threat actors have 
demonstrated their willingness to engage in cyber intrusions and 
perpetrate cybersecurity incidents against critical infrastructure. As 
technology evolves, so do cybersecurity threats. A successful attack 
could result in significant negative consequences with potential 
cascading impacts across many sectors of the economy and people's 
lives.
    Transportation companies have competing priorities with finite 
resources in which to confront the complexity of building a 
cybersecurity defense. At the same time, there is a level of 
uncertainty associated with being impacted by cybersecurity incidents. 
These competing priorities and this level of uncertainty lead to a less 
than socially optimal level of cybersecurity investment.\225\ If 
entities are required to implement the same requirements, there could 
be fewer free riders or undercutting of cybersecurity investment in 
favor of profits or due to budgetary constraints. As noted in the 
National Cybersecurity Strategy,
---------------------------------------------------------------------------

    \225\ See Cybersecurity trends: Looking over the horizon (Mar. 
10, 2022), available at https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/cybersecurity-trends-looking-over-the-horizon (last accessed July 25, 2024).

    Today's marketplace insufficiently rewards--and often 
disadvantages--the owners and operators of critical infrastructure 
who invest in proactive measures to prevent or mitigate the effects 
of cybersecurity incidents. Regulation can level the playing field, 
enabling healthy competition without sacrificing cybersecurity or 
operational resilience.\226\
---------------------------------------------------------------------------

    \226\ Supra note 12 at 8-9.

    Ensuring transportation security while promoting the movement of 
legitimate travelers and commerce is a critical mission assigned to 
TSA. TSA believes this proposed rule is consistent with its mission 
given the heightened risk of a cybersecurity threat and the potential 
of threat actors targeting the transportation system with the purpose 
to disrupt the supply chain, jeopardize public safety, undermine 
confidence in the transportation system, and otherwise affect national 
and economic security.
    The primary benefit of this proposed rule is a potential reduction 
in the risk of successful cybersecurity incidents as well as the impact 
of such incidents on the public, economy, and national security. The 
proposed requirements could enhance the security of the regulated 
population, which would reduce the chance of negative consequences and 
service interruptions from cybersecurity incidents for surface modes 
like freight railroad, passenger railroad, and pipelines, thereby 
benefiting owners/operators, passengers, and consumers. A break-even 
analysis suggests that the prevention of a few significant 
cybersecurity incidents or a high-consequence incident in any 
transportation mode provides benefits in excess of the costs of the 
proposed rule on those modes.
    TSA estimates the preliminary 10-year total costs of the proposed 
rule to be about $2.6 billion discounted at a 3 percent discount rate 
and $2.2 billion discounted at a 7 percent discount rate, with 
preliminary annualized costs of about $307.8 million. These preliminary 
estimates do not consider current industry practice or compliance with 
recently issued SDs due to a lack of data on the existing internal 
security practices of individual companies. As a result, many owner/
operators may already employ measures that meet the security outcomes 
that would be required by this proposed rule and therefore have already 
incurred costs, which means the cost estimate of this proposed rule 
could be an overestimate when measured against a no-action baseline. 
Furthermore, costs of

[[Page 88533]]

implementing measures to meet the proposed security outcomes may vary 
greatly across modes and by each owner/operator's unique needs and 
scale of operation. Consequently, TSA is requesting public comment on 
current cybersecurity industry practices and how these practices may 
vary by company. TSA will consider these public comments and any data 
provided when estimating the cost of the final rule.

2. Assessments Required by E.O.s 12866 and 13563
    E.O.s 12866 and 13563 direct agencies to assess the costs and 
benefits of available regulatory alternatives and, if regulation is 
necessary, select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health and safety 
effects, distributive impacts, and equity). Under E.O. 12866, as 
amended by E.O. 14094, agencies must also determine whether a 
regulatory action is significant.\227\ These requirements were 
supplemented by E.O. 13563, which emphasizes the importance of 
quantifying both costs and benefits, of reducing costs, of harmonizing 
rules, and of promoting flexibility. In accordance with E.O. 12866, TSA 
has submitted the proposal to the OMB, which has determined that this 
proposed rule is a ``significant regulatory action'' as defined under 
section 3(f)(1) of E.O. 12866, as amended by E.O. 14094, because its 
annual effects on the economy would exceed $200 million in any year of 
the analysis. In conducting these analyses:
---------------------------------------------------------------------------

    \227\ See section 1(b) of E.O. 14094, revising section 3(f) of 
E.O. 12866: ``Significant regulatory action'' means any regulatory 
action that is likely to result in a rule that may: (1) have an 
annual effect on the economy of $200 million or more (adjusted every 
3 years by the Administrator of OIRA for changes in gross domestic 
product); or adversely affects in a material way the economy, a 
sector of the economy, productivity, competition, jobs, the 
environment, public health or safety, or State, Local, Territorial, 
or Tribal governments or communities; (2) create a serious 
inconsistency or otherwise interfere with an action taken or planned 
by another agency; (3) materially alter the budgetary impact of 
entitlements, grants, user fees, or loan programs or the rights and 
obligations of recipients thereof; or (4) raises legal or policy 
issues for which centralized review would meaningfully further the 
President's priorities or the principles set forth in this Executive 
order, as specifically authorized in a timely manner by the 
Administrator of OIRA in each case.
---------------------------------------------------------------------------

    • TSA prepared an Initial Regulatory Flexibility Analysis 
(IRFA), which estimates that this rulemaking would likely have a 
regulatory cost that exceeds one percent of revenue for 26 small 
entities--17 freight rail and nine pipeline owner/operators--of the 103 
small entities that TSA found would be impacted by the NPRM.
    • This rulemaking would not constitute a barrier to 
international trade.
    • Under 2 U.S.C. 1503(5), this rulemaking is not subject to 
UMRA review because it is a regulation necessary for the national 
security of the United States. As noted in the National Cybersecurity 
Strategy, this rulemaking is being promulgated because of national 
security concerns related to the protection of Critical Cyber Systems, 
the loss or disruption of which could have impacts on national 
security, including economic security.
    TSA has prepared an analysis of its estimated costs and benefits, 
summarized in the following paragraphs and in the OMB Circular A-4 
Accounting Statement. When estimating the cost of a rulemaking, 
agencies typically estimate the future expected costs imposed by the 
regulation over a period of analysis. For this rulemaking, TSA uses a 
10-year period of analysis to estimate the initial and recurring costs 
to the regulated surface mode owner/operators, including new 
owner/operators expected to enter due to industry growth.
a. Costs
    TSA summarizes the undiscounted costs of the proposed rule to be 
borne by five types of parties: freight rail owner/operators, PTPR 
owner/operators, OTRB owner/operators, pipeline owner/operators, and 
TSA. Table 8 shows the breakdown of modal entity populations over the 
10-year period of analysis. The population of each industry matters 
because it acts as a cost multiplier for some of the proposed rule's 
provisions (e.g., employee training). The population estimates account 
for entity growth, employee growth, and employee turnover over the 
period of analysis; these dynamics change the population estimate and 
also feed into various costs (e.g., identifying new cybersecurity 
coordinators as entities are added or employees turn over).

                                               Table 8--Population Growth and Turnover for Modal Entities
                          [Yn = Year n; a Y1 subscript denotes the Year 1 value; ^ is exponentiation; turnover is zero in Year 1]
  a = (aY1 - 6) x (1 + 0.85%)^(Yn - 1) + 6      b = bY1 x (1 + 0.42%)^(Yn - 1)      c = b x 4.00%
  d = dY1 x (1 + 2.19%)^(Yn - 1)                e = eY1 x (1 + 1.11%)^(Yn - 1)      f = e x 12.96%
  g = gY1 x (1 + 2.50%)^(Yn - 1)                h = hY1 (no growth)                 i = iY1 x (1 + 0.62%)^(Yn - 1)      j = i x 13.67%
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                            Freight rail                             PTPR                     OTRB                 Pipelines
                               -------------------------------------------------------------------------------------------------------------------------
             Year                 Entities          Employees          Entities          Employees          Entities    Entities         Employees
                               -------------------------------------------------------------------------------------------------------------------------
                                   Growth       Growth     Turnover     Growth       Growth     Turnover     Growth                  Growth     Turnover
                                          a            b          c            d            e          f            g          h            i          j
--------------------------------------------------------------------------------------------------------------------------------------------------------
1.............................           73      116,960          0           34      299,680          0           71        115       39,920          0
2.............................           74      117,451      4,698           35      303,006     39,270           73        115       40,168      5,491
3.............................           74      117,945      4,718           36      306,370     39,706           75        115       40,417      5,525
4.............................           75      118,440      4,738           36      309,771     40,146           76        115       40,667      5,559
5.............................           75      118,937      4,757           37      313,209     40,592           78        115       40,919      5,594
6.............................           76      119,437      4,777           38      316,686     41,042           80        115       41,173      5,628
7.............................           76      119,939      4,798           39      320,201     41,498           82        115       41,428      5,663
8.............................           77      120,442      4,818           40      323,755     41,959           84        115       41,685      5,698
9.............................           78      120,948      4,838           40      327,349     42,424           87        115       41,944      5,734
10............................           78      121,456      4,858           41      330,982     42,895           89        115       42,204      5,769
--------------------------------------------------------------------------------------------------------------------------------------------------------

    Table 9 shows the 10-year cost by regulated industry. This 
information includes industry's costs of implementing the proposed 
requirements. Many of the costs are based on the time to complete 
identified actions (e.g., submitting accountable executive 
information). In these instances, TSA calculates an opportunity cost 
based on the time to complete the task, the approximate wage rate of 
the person expected to complete

[[Page 88534]]

the task, and how frequently the task would need to be completed. Other 
costs are based on expenses incurred (e.g., the cost to store backup 
data). In both cases, costs may change over time, typically a higher 
initial cost followed by lower maintenance costs in later years. See 
the TSA CRM Preliminary Regulatory Impact Analysis (RIA) for a more 
detailed discussion and breakdown of the costs.

                                       Table 9--Total Undiscounted Cost of the Proposed Rule by Regulated Industry
                                                                      [$ thousands]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                   Cost by regulated industry
                           Year                           ----------------------------------------------------------------------------  Total regulated
                                                              Freight rail           PTPR               OTRB            Pipelines       industries cost
                                                                           a                  b                  c                  d  e = a + b + c + d
--------------------------------------------------------------------------------------------------------------------------------------------------------
1........................................................            $97,652           $119,996               $188            $85,636           $303,473
2........................................................             95,471            120,633                  6             81,122            297,233
3........................................................             94,622            121,508                  6             79,132            295,268
4........................................................             97,003            123,883                  6             82,232            303,124
5........................................................             96,187            124,814                  6             80,265            301,273
6........................................................             98,675            127,289                  7             83,509            309,479
7........................................................             97,885            128,279                  7             81,565            307,736
8........................................................            100,405            130,821                  7             84,833            316,065
9........................................................             99,648            131,874                  7             82,914            314,442
10.......................................................            102,200            134,484                  7             86,207            322,899
                                                          ----------------------------------------------------------------------------------------------
    Total................................................            979,750          1,263,581                248            827,415          3,070,993
--------------------------------------------------------------------------------------------------------------------------------------------------------
Note: Totals may not add due to rounding.

    As displayed in Table 10, TSA estimates the 10-year total cost of 
this proposed rule to be $3.09 billion undiscounted, $2.63 billion 
discounted at 3 percent, and $2.16 billion discounted at 7 percent. The 
costs to industry (all four surface modes) comprise approximately 99 
percent of the total costs of the proposed rule; the remaining costs 
are incurred by TSA. TSA calculated a total cost to each industry based 
on estimates and assumptions about the activities entities would likely 
undertake to comply with the requirements of the proposed rule. 
However, because of the scope and performance-based nature of the 
requirements, TSA recognizes that costs would vary among individual 
covered owner/operators. To address this, TSA provides a sensitivity 
analysis of key cost drivers in section 3.8 of the RIA; these drivers 
include access control implementation, Critical Cyber System data 
backups, and cybersecurity training. In addition, some costs remain 
unquantified; for example, the cost of the specific mitigation measures 
an owner/operator implements as a result of the proposed rule is not 
otherwise captured in TSA's cost estimates. TSA requests comment on any 
costs that have not been quantified but may occur as a result of this 
proposed rule.

                                    Table 10--Total Cost of the Proposed Rule
                                                  [$ thousands]
----------------------------------------------------------------------------------------------------------------
                                        Total                              Total proposed rule cost
                                      regulated                 ------------------------------------------------
              Year                  industries       TSA cost    Undiscounted    Discounted at   Discounted at
                                        cost                                           3%              7%
                                     a (Table 9)             b       c = a + b
----------------------------------------------------------------------------------------------------------------
1...............................        $303,473          $4,426        $307,899        $298,932        $287,757
2...............................         297,233           2,408         299,641         282,440         261,718
3...............................         295,268           2,412         297,681         272,420         242,996
4...............................         303,124           1,358         304,482         270,529         232,288
5...............................         301,273           1,363         302,636         261,056         215,775
6...............................         309,479           1,368         310,847         260,329         207,130
7...............................         307,736           1,372         309,109         251,334         192,497
8...............................         316,065           1,377         317,443         250,592         184,755
9...............................         314,442           1,382         315,825         242,053         171,788
10..............................         322,899           1,387         324,286         241,299         164,851
                                 -------------------------------------------------------------------------------
    Total.......................       3,070,993          18,854       3,089,847       2,630,984       2,161,554
    Annualized..................  ..............  ..............  ..............         308,432         307,757
----------------------------------------------------------------------------------------------------------------
Note: Totals may not add due to rounding.
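The growth formulas printed in the Table 8 header and the discounting and annualization in Table 10 can be checked independently. The following is an added worked example, not TSA's RIA model and not part of the original notice: it takes the Year 1 populations and rates from Table 8 and the undiscounted yearly totals (column c) from Table 10, and assumes, because the published figures are consistent with it, rounding to whole units, discounting of the Year n cost by (1 + r)^n, and annualization with the standard capital-recovery factor r / (1 - (1 + r)^-10).

```python
"""Check the population growth in Table 8 and the discounting in Table 10.

Added worked example, not TSA's RIA model. Growth formulas are those printed
in the Table 8 header; rounding to whole units, end-of-year discounting and
the capital-recovery annualization factor are assumptions that reproduce the
published figures to within rounding.
"""
from typing import List

# Year 1 values and annual rates copied from Table 8.
FREIGHT_RAIL_ENTITIES_Y1 = 73       # the formula holds 6 of these constant
FREIGHT_RAIL_ENTITY_GROWTH = 0.0085
PTPR_EMPLOYEES_Y1 = 299_680
PTPR_EMPLOYEE_GROWTH = 0.0111
PTPR_TURNOVER_RATE = 0.1296

# Column c of Table 10: total proposed rule cost, undiscounted, $ thousands.
TABLE_10_UNDISCOUNTED: List[int] = [
    307_899, 299_641, 297_681, 304_482, 302_636,
    310_847, 309_109, 317_443, 315_825, 324_286,
]


def compound(base: float, rate: float, year: int) -> float:
    """Value in Year `year` (1-indexed) of `base` growing at `rate` per year."""
    return base * (1 + rate) ** (year - 1)


def freight_rail_entities(year: int) -> int:
    """Table 8 column a: (aY1 - 6) x (1 + 0.85%)^(Yn - 1) + 6, rounded."""
    grown = compound(FREIGHT_RAIL_ENTITIES_Y1 - 6, FREIGHT_RAIL_ENTITY_GROWTH, year)
    return round(grown + 6)


def ptpr_employees(year: int) -> int:
    """Table 8 column e: eY1 x (1 + 1.11%)^(Yn - 1), rounded."""
    return round(compound(PTPR_EMPLOYEES_Y1, PTPR_EMPLOYEE_GROWTH, year))


def ptpr_turnover(year: int) -> int:
    """Table 8 column f: 12.96% of that year's headcount; Year 1 turnover is not costed."""
    if year == 1:
        return 0
    headcount = compound(PTPR_EMPLOYEES_Y1, PTPR_EMPLOYEE_GROWTH, year)
    return round(headcount * PTPR_TURNOVER_RATE)


def present_value(costs: List[float], rate: float) -> float:
    """Sum of each year's cost discounted to Year 0: cost in Year n / (1 + rate)^n."""
    return sum(c / (1 + rate) ** n for n, c in enumerate(costs, start=1))


def annualized(pv: float, rate: float, years: int) -> float:
    """Level yearly amount with the same present value over `years` (capital-recovery factor)."""
    return pv * rate / (1 - (1 + rate) ** -years)


if __name__ == "__main__":
    print("Freight rail entities, Years 1-10:",
          [freight_rail_entities(y) for y in range(1, 11)])
    print("PTPR employees / turnover, Year 10:", ptpr_employees(10), ptpr_turnover(10))
    for r in (0.03, 0.07):
        pv = present_value(TABLE_10_UNDISCOUNTED, r)
        print(f"PV at {r:.0%}: {pv:,.0f}  annualized: {annualized(pv, r, 10):,.0f}")
```

Because Table 10 prints each year's cost already rounded to the nearest thousand, the recomputed present values land within a few thousand dollars of TSA's totals ($2.63 billion at 3 percent, $2.16 billion at 7 percent); applying the annualization factor to TSA's own totals returns the published $308,432 thousand and $307,757 thousand.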

    Table 11 shows the 10-year costs of the CRM program for freight 
rail, PTPR, and pipeline owner/operators and for TSA. TSA estimates the 
10-year total cost of the CRM program to be $3.00 billion undiscounted, 
$2.55 billion discounted at 3 percent, and $2.10 billion discounted at 
7 percent. The CRM program is the largest cost provision. These costs 
include the cybersecurity evaluation (CSE), which is conducted 
enterprise-wide; the COIP (which

[[Page 88535]]

includes items related to the Cybersecurity Coordinator, identification 
of Critical Cyber Systems, supply chain risk management, protection of 
Critical Cyber Systems, incident response, training, detection of 
incidents, and the POAM); the CAP (which involves creating and 
submitting a plan that assesses the effectiveness of the COIP); and 
recordkeeping and compliance (the items needed to demonstrate 
compliance with provisions of the proposed rule).

                                                         Table 11--Total Cost of the CRM Program
                                                                      [$ thousands]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                  CRM program                                      Total cost of the CRM program
                                      ------------------------------------------------------------------------------------------------------------------
                                              CSE            COIP             CAP       Recordkeeping and                e = a + b + c + d
                 Year                 ------------------------------------------------     compliance    -----------------------------------------------
                                                                                      -------------------                  Discounted at   Discounted at
                                              a               b               c                d           Undiscounted         3%              7%
--------------------------------------------------------------------------------------------------------------------------------------------------------
1....................................          $1,381        $290,796          $3,175             $1,005        $296,357        $287,726        $276,970
2....................................           1,386         280,519           8,212              1,009         291,126         274,414         254,281
3....................................           1,390         283,494           3,242              1,013         289,139         264,604         236,024
4....................................           1,395         285,223           8,280              1,017         295,915         262,917         225,752
5....................................           1,400         288,308           3,312              1,022         294,041         253,642         209,647
6....................................           1,404         291,443           8,351              1,026         302,224         253,108         201,385
7....................................           1,409         294,636           3,383              1,030         300,458         244,300         187,110
8....................................           1,414         297,892           8,423              1,035         308,764         243,741         179,703
9....................................           1,419         301,202           3,457              1,039         307,117         235,380         167,051
10...................................           1,424         304,583           8,498              1,043         315,549         234,798         160,409
                                      ------------------------------------------------------------------------------------------------------------------
    Total............................          14,023       2,918,095          58,333             10,240       3,000,691       2,554,629       2,098,332
    Annualized.......................  ..............  ..............  ..............  .................  ..............         299,480         298,755
--------------------------------------------------------------------------------------------------------------------------------------------------------
Note: Totals may not add due to rounding.

    Table 12 shows the 10-year costs by requirement for the freight 
rail industry. TSA estimates the 10-year costs to the freight rail 
industry to be $980 million undiscounted.\228\
---------------------------------------------------------------------------

    \228\ Costs include those related to a Cybersecurity 
Coordinator, reporting cybersecurity incidents, creating a CRM 
program (which includes the CSE, COIP, Accountable Executive, CIRP, 
CAP, and training), familiarization, and the costs of compliance and 
recordkeeping.

                                                                            Table 12--Requirement Costs--Freight Rail
                                                                                          [$ thousands]
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                       CRM program                                                                 Total cost
                                                                           -------------------------------------------------------------------    Reporting                   ------------------
                           Year                            Familiarization                                                    Record-keeping    cybersecurity       CIRP
                                                                                  CSE            COIP             CAP         and compliance      incidents                       Undiscounted
                                                                         a               b               c               d                  e               f               g   h = a + b + c + d
                                                                                                                                                                                     + e + f + g
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1........................................................             $242            $233         $94,081            $855               $276              $1          $1,963            $97,652
2........................................................                2             235          91,019           2,514                279               1           1,422             95,471
3........................................................                2             237          91,788             881                281               1           1,433             94,622
4........................................................                2             239          92,494           2,540                283               1           1,444             97,003
5........................................................                2             241          93,295             908                285               1           1,455             96,187
6........................................................                2             242          94,108           2,567                287               1           1,467             98,675
7........................................................                2             244          94,935             935                290               1           1,478             97,885
8........................................................                2             246          95,779           2,595                292               1           1,490            100,405
9........................................................                2             248          96,638             963                294               1           1,501             99,648
10.......................................................                2             250          97,515           2,622                297               1           1,513            102,200
                                                          --------------------------------------------------------------------------------------------------------------------------------------
    Total................................................              260           2,416         941,652          17,381              2,864              10          15,166            979,750
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Note: Totals may not add due to rounding.

    Table 13 shows the 10-year cost to the PTPR industry by 
requirement. TSA estimates the 10-year costs to the PTPR industry to be 
$1.26 billion undiscounted.\229\
---------------------------------------------------------------------------

    \229\ Costs include those related to a Cybersecurity 
Coordinator, reporting cybersecurity incidents, creating a CRM 
program (which includes the CSE, COIP, Accountable Executive, CIRP, 
CAP, and training), familiarization, and the costs of compliance and 
recordkeeping.

[[Page 88536]]



                                                                                Table 13--Requirement Costs--PTPR
                                                                                          [$ thousands]
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                      CRM program                                                                  Total cost
                                                                        ----------------------------------------------------------------------    Reporting                   ------------------
                         Year                           Familiarization                                                       Record-keeping    cybersecurity       CIRP
                                                                               CSE              COIP              CAP         and compliance      incidents                       Undiscounted
                                                                      a               b                  c               d                  e               f               g   h = a + b + c + d
                                                                                                                                                                                     + e + f + g
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1.....................................................              $55            $103           $118,493            $389                $84              $1            $871           $119,996
2.....................................................                1             106            118,601           1,164                 86               1             675            120,633
3.....................................................                1             108            120,197             423                 88               1             690            121,508
4.....................................................                1             110            121,777           1,199                 90               1             704            123,883
5.....................................................                1             113            123,429             458                 92               1             720            124,814
6.....................................................                1             115            125,106           1,235                 94               1             736            127,289
7.....................................................                1             118            126,816             495                 96               1             752            128,279
8.....................................................                1             120            128,558           1,273                 98               2             768            130,821
9.....................................................                1             123            130,329             534                100               2             785            131,874
10....................................................                1             126            132,139           1,312                102               2             802            134,484
                                                       -----------------------------------------------------------------------------------------------------------------------------------------
    Total.............................................               66           1,141          1,245,446           8,480                931              14           7,503          1,263,581
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Note: Totals may not add due to rounding.

    Table 14 shows the 10-year cost by requirement for the OTRB 
industry. TSA estimates the 10-year costs to the OTRB industry to be 
$248 thousand undiscounted.

                                        Table 14--Requirement Costs--OTRB
                                                  [$ thousands]
----------------------------------------------------------------------------------------------------------------
                                                                    Reporting
                              Year                                cybersecurity  Familiarization    Total cost
                                                                    incidents                     (undiscounted)
                                                                              a                b       c = a + b
----------------------------------------------------------------------------------------------------------------
1..............................................................              $1             $187            $188
2..............................................................               1                5               6
3..............................................................               1                5               6
4..............................................................               1                5               6
5..............................................................               1                5               6
6..............................................................               1                5               7
7..............................................................               1                5               7
8..............................................................               1                5               7
9..............................................................               2                6               7
10.............................................................               2                6               7
                                                                ------------------------------------------------
    Total......................................................              14              234             248
----------------------------------------------------------------------------------------------------------------
Note: Totals may not add due to rounding.

    Table 15 shows the 10-year cost by requirement for all the 
requirements applicable to the pipeline industry. TSA is proposing to 
incorporate the corresponding physical security costs into this 
rulemaking to align pipelines with the other covered modes, for which 
physical security provisions are already required. TSA estimates the 
10-year costs to the combined pipeline industry to be $827 million 
undiscounted.\230\
---------------------------------------------------------------------------

    \230\ Costs include those related to a Physical Security 
Coordinator, reporting significant physical security concerns, 
Cybersecurity Coordinator, reporting cybersecurity incidents, 
creating a CRM program (which includes the CSE, COIP, Accountable 
Executive, CIRP, CAP, and training), familiarization, and the costs 
of compliance and recordkeeping.

                                                                              Table 15--Requirement Costs--Pipeline
                                                                                          [$ thousands]
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                                   CRM program                         Reporting
                                                              Total physical    Familiari-   ------------------------------------------------------     cyber-                     Total cost
                            Year                              security costs      zation                                           Record-keeping      security        CIRP      (undiscounted)
                                                                                                 CSE        COIP         CAP       and compliance      incidents
                                                                           a               b          c           d           e                  f               g          h        i = [sum]a,
                                                                                                                                                                                   b,c,d,e,f,g,h
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1...........................................................             $37            $912       $973     $74,786      $1,359               $645             $38     $6,886            $85,636
2...........................................................              21               0        973      69,415       3,959                645              38      6,072             81,122
3...........................................................              21               0        973      70,024       1,359                645              38      6,072             79,132
4...........................................................              21               0        973      70,525       3,959                645              38      6,072             82,232
5...........................................................              21               0        973      71,157       1,359                645              38      6,072             80,265
6...........................................................              21               0        973      71,801       3,959                645              38      6,072             83,509
7...........................................................              21               0        973      72,457       1,359                645              38      6,072             81,565
8...........................................................              21               0        973      73,125       3,959                645              38      6,072             84,833
9...........................................................              21               0        973      73,806       1,359                645              38      6,072             82,914
10..........................................................              21               0        973      74,500       3,959                645              38      6,072             86,207
                                                             -----------------------------------------------------------------------------------------------------------------------------------
    Total...................................................             230             912      9,731     721,596      26,590              6,446             378     61,531            827,415
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Note: Totals may not add due to rounding.

    Table 16 shows the 10-year cost by requirement for TSA. TSA 
estimates the 10-year costs to TSA to be $18.9 million 
undiscounted.\231\
---------------------------------------------------------------------------

    \231\ Costs include those related to a Physical Security 
Coordinator, reporting significant physical security concerns, 
Cybersecurity Coordinator, and the CRM program (which includes the 
CSE, COIP, Accountable Executive, CIRP, CAP, and training). The TSA 
burden would be for reviewing the CRM programs, keeping track of key 
personnel, and ensuring compliance with the program. TSA will incur 
ongoing costs with the implementation of this rulemaking.

                                                            Table 16--Requirement Costs--TSA
                                                                      [$ thousands]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                         CRM program                                       Total cost
                         Year                             Physical    ------------------------------------------------      CIRP      ------------------
                                                          security           CSE            COIP             CAP                          Undiscounted
                                                                    a               b               c               d               e                f =
                                                                                                                                          [sum]a,b,c,d,e
--------------------------------------------------------------------------------------------------------------------------------------------------------
1....................................................             $75             $72          $3,436            $572            $272             $4,426
2....................................................              75              72           1,484             576             201              2,408
3....................................................              75              72           1,485             579             201              2,412
4....................................................              75              73             427             582             201              1,358
5....................................................              75              73             427             586             202              1,363
6....................................................              75              74             428             590             202              1,368
7....................................................              75              74             428             593             202              1,372
8....................................................              75              75             429             597             202              1,377
9....................................................              75              75             429             601             202              1,382
10...................................................              75              76             430             605             202              1,387
                                                      --------------------------------------------------------------------------------------------------
    Total............................................             750             735           9,401           5,881           2,088             18,854
--------------------------------------------------------------------------------------------------------------------------------------------------------
Note: Totals may not add due to rounding.

b. Cost Sensitivity Analysis
    TSA calculates a total cost for each industry based on estimates 
and assumptions about the activities entities would likely undertake to 
satisfy the requirements of the proposed rule. The costs are driven 
primarily by access control implementation, Critical Cyber System data 
backups, and cybersecurity training. Employee population size acts as a 
multiplier and is the main reason access control and training have such 
a high cost impact. Baseline training, for instance, has a per-employee 
burden of 1 hour per year, but when multiplied across the population of 
covered employees, the result is a significant expenditure. In section 
3.8 of the RIA, TSA provides a sensitivity analysis that assesses 
uncertainty within these key cost drivers, including how owner/operators 
may accomplish compliance and to what extent they may already meet the 
proposed rule's requirements through existing actions, and thus gives a 
sense of the rule's likely practical incremental costs. None of the cost 
drivers tested under the sensitivity analysis apply to OTRB entities; 
therefore, TSA did not include OTRB in the sensitivity analysis.
    Specifically, TSA evaluates the cost implications of differing 
assumptions about the use of MFA for access control: rather than 
assuming MFA is not implemented at all in any affected entity, the 
sensitivity analysis assumes that 25 percent of affected entities have 
fully implemented it and an additional 25 percent have partially 
implemented it. For Critical Cyber System data backups, TSA assumes 20 
percent of entities would fully satisfy the proposed rule's requirement 
and 50 percent would partially satisfy it. For the last cost driver 
evaluated, employee training, TSA varies assumed compliance with the 
necessary level of training from 0 percent across industry in the 
primary analysis to 20 percent fully compliant and 50 percent partially 
compliant. The costs resulting from varying these cost driver 
assumptions for each mode are presented below.
    Table 17 presents freight rail sensitivity analysis costs and 
compares them to the freight rail costs in the primary analysis. Based 
on the sensitivity assumptions for access control, data backups, and 
cybersecurity training, the estimated total cost to freight rail is 
about $655.5 million, which is 33 percent ($342.2 million) less than the 
freight rail estimated cost in the primary analysis.

                                                        Table 17--Freight Rail Sensitivity Costs
                                                                      [$ thousands]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                      Sensitivity analysis
                                      -----------------------------------------------------------------------------------  Total cost in    Difference
                 Year                                                                  All other non-                         primary      from primary
                                       Access control  Critical cyber   Cybersecurity    cost driver   Total costs under     analysis        analysis
                                                       system backups     training          costs         sensitivity
                                                    a               b               c               d  e = a + b + c + d               f         g = e-f
--------------------------------------------------------------------------------------------------------------------------------------------------------
1....................................         $33,149          $6,665          $4,259         $22,069            $66,142         $97,652        -$31,510
2....................................          33,289           6,870           3,981          19,989             64,128          95,471         -31,343
3....................................          33,428           7,081           3,998          18,492             62,999          94,622         -31,624
4....................................          33,569           7,299           4,015          20,210             65,092          97,003         -31,910
5....................................          33,710           7,524           4,032          18,718             63,984          96,187         -32,204
6....................................          33,851           7,756           4,049          20,516             66,172          98,675         -32,503
7....................................          33,993           7,995           4,066          19,023             65,078          97,885         -32,808
8....................................          34,136           8,242           4,083          20,825             67,286         100,405         -33,120
9....................................          34,280           8,495           4,100          19,335             66,210          99,648         -33,438
10...................................          34,424           8,758           4,117          21,139             68,437         102,200         -33,763
                                      ------------------------------------------------------------------------------------------------------------------
    Total............................         337,829          76,684          40,701         200,314            655,528         979,750        -324,221
--------------------------------------------------------------------------------------------------------------------------------------------------------
Note: Totals may not add due to rounding.

    Table 18 presents PTPR sensitivity analysis costs and compares them 
to the PTPR costs in the primary analysis. Based on the sensitivity 
assumptions, the total cost under the sensitivity analysis is $783.4 
million, which is about 38 percent ($480.2 million) less than the total 
cost under the primary analysis. This larger percentage decrease, 
compared to the freight rail and pipeline modes, is attributed to the 
larger employee population within the PTPR industry. Because access 
control and cybersecurity training costs are calculated on a per-
employee basis, these requirements make up a greater portion of the 
overall cost to the PTPR industry and therefore produce a larger cost 
difference in the sensitivity analysis.

                                                             Table 18--PTPR Sensitivity Cost
                                                                      [$ thousands]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                      Sensitivity analysis
                                      -----------------------------------------------------------------------------------  Total cost in    Difference
                 Year                                                                  All other non-                         primary      from primary
                                       Access control  Critical cyber   Cybersecurity    cost driver   Total costs under     analysis        analysis
                                                       system backups     training          costs         sensitivity
                                                    a               b               c               d  e = a + b + c + d               f         g = e-f
--------------------------------------------------------------------------------------------------------------------------------------------------------
1....................................         $55,437          $3,104          $6,629          $9,433            $74,603        $119,996        -$45,394
2....................................          56,053           3,243           6,588           8,936             74,820         120,633         -45,813
3....................................          56,675           3,391           6,661           8,368             75,095         121,508         -46,412
4....................................          57,304           3,544           6,735           9,279             76,861         123,883         -47,021
5....................................          57,940           3,704           6,810           8,717             77,171         124,814         -47,643
6....................................          58,583           3,872           6,886           9,674             79,014         127,289         -48,274
7....................................          59,233           4,047           6,962           9,119             79,361         128,279         -48,918
8....................................          59,891           4,230           7,040          10,086             81,247         130,821         -49,574
9....................................          60,556           4,421           7,118           9,538             81,632         131,874         -50,242
10...................................          61,228           4,621           7,197          10,515             83,561         134,484         -50,923
                                      ------------------------------------------------------------------------------------------------------------------
    Total............................         582,900          38,176          68,626          93,664            783,367       1,263,581        -480,214
--------------------------------------------------------------------------------------------------------------------------------------------------------
Note: Totals may not add due to rounding.

    Table 19 presents pipeline sensitivity analysis costs and compares 
them to the pipeline costs in the primary analysis. Based on the 
sensitivity assumptions, the total sensitivity analysis cost to 
pipeline entities is $621.7 million, which is about 25 percent ($205.7 
million) less than the primary analysis estimates. This smaller 
percentage decrease, compared to the other modes, is attributed to the 
smaller employee population within the pipeline industry.

                                                          Table 19--Pipeline Sensitivity Costs
                                                                      [$ thousands]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                      Sensitivity analysis
                                      -----------------------------------------------------------------------------------  Total cost in    Difference
                 Year                                                                  All other non-                         primary      from primary
                                       Access control  Critical cyber   Cybersecurity    cost driver   Total costs under     analysis        analysis
                                                       system backups     training          costs         sensitivity
                                                    a               b               c               d  e = a + b + c + d               f         g = e-f
--------------------------------------------------------------------------------------------------------------------------------------------------------
1....................................         $14,201         $10,494          $1,902         $38,299            $64,896         $85,636        -$20,740
2....................................          14,289          10,734           1,476          35,185             61,683          81,122         -19,439
3....................................          14,377          10,978           1,486          32,585             59,426          79,132         -19,706
4....................................          14,466          11,229           1,495          35,065             62,255          82,232         -19,977
5....................................          14,556          11,485           1,504          32,465             60,011          80,265         -20,254
6....................................          14,646          11,747           1,513          35,065             62,972          83,509         -20,537
7....................................          14,737          12,015           1,523          32,465             60,741          81,565         -20,824
8....................................          14,829          12,290           1,532          35,065             63,715          84,833         -21,117
9....................................          14,920          12,570           1,542          32,465             61,498          82,914         -21,416
10...................................          15,013          12,858           1,551          35,065             64,487          86,207         -21,720
                                      ------------------------------------------------------------------------------------------------------------------
    Total............................         146,034         116,401          15,523         343,725            621,684         827,415        -205,731
--------------------------------------------------------------------------------------------------------------------------------------------------------
Note: Totals may not add due to rounding.

    Table 20 presents the total costs using the aforementioned adjusted 
values from the sensitivity analysis. As shown, the total costs to 
industry under the sensitivity analysis based on the altered 
assumptions for the main cost drivers are $2.1 billion. This cost 
includes the adjusted costs of the three industries included in the 
sensitivity (freight rail, PTPR, and pipeline) as well as the 
unadjusted, undiscounted cost to OTRB entities (see Table 9). The 
difference from the primary analysis presented in Table 10 is $1.0 
billion (a 33 percent reduction).

                              Table 20--Total Costs Under the Sensitivity Analysis
                                                  [$ thousands]
----------------------------------------------------------------------------------------------------------------
                                       Total                       Total proposed rule sensitivity analysis cost
                                     regulated          TSA      -----------------------------------------------
              Year                  industries      sensitivity
                                    sensitivity    analysis cost   Undiscounted    Discounted at   Discounted at
                                   analysis cost                                        3%              7%
                                               a               b    c = [sum]a,b
----------------------------------------------------------------------------------------------------------------
1...............................        $205,829          $4,426        $210,256        $204,132        $196,501
2...............................         200,638           2,408         203,046         191,390         177,348
3...............................         197,527           2,412         199,939         182,972         163,210
4...............................         204,215           1,358         205,573         182,649         156,831
5...............................         201,172           1,363         202,535         174,709         144,405
6...............................         208,165           1,368         209,533         175,481         139,621
7...............................         205,186           1,372         206,559         167,951         128,634
8...............................         212,254           1,377         213,632         168,643         124,336
9...............................         209,347           1,382         210,729         161,506         114,623
10..............................         216,492           1,387         217,879         162,123         110,759
                                 -------------------------------------------------------------------------------
    Total.......................       2,060,827          18,854       2,079,681       1,771,556       1,456,266
    Annualized..................  ..............  ..............         207,968         207,680         207,340
----------------------------------------------------------------------------------------------------------------
Note: Totals may not add due to rounding.

    TSA requests public comment on the assumptions and estimates 
presented in the primary cost analysis as well as those within this 
sensitivity analysis, both of which may be used to better inform, 
update, or improve the overall analysis.
c. Benefits
    The primary benefit of the proposed rule is a potential reduction 
in the risk of cybersecurity incidents as well as in the impact of any 
such incident. The CRM program could enhance cybersecurity by reducing 
vulnerability to cybersecurity incidents: defense mechanisms would be 
in place that increase owner/operators' ability to monitor and mitigate 
threats, and response measures would be strengthened in the event of a 
cybersecurity incident. Specifically, the proposed rule would require 
designated owner/operators for three of the four modes to identify a 
Cybersecurity Coordinator and report cybersecurity incidents. Owner/
operators of freight railroads, PTPR, and pipeline facilities and 
systems that meet the applicability criteria would also be required to 
develop and implement a comprehensive CRM program.
    The proposed CRM program includes three primary elements. First, 
covered owner/operators would be required to regularly conduct an 
enterprise-wide cybersecurity evaluation that would identify their 
current cybersecurity profile. Benefits of regular cybersecurity 
evaluations, such as the rule's CSE requirement, and of monitoring over 
time include focusing attention on cybersecurity issues and 
initiatives, providing a means to assess how cyber-related threats and 
mitigation measures evolve, prioritizing responses so that 
vulnerabilities are addressed effectively, and informing budgeting and 
investment decisions for upgrade cycles and long-term 
improvements.\232\
---------------------------------------------------------------------------

    \232\ See NIST SP 800-53, Revision 5. Security and Privacy 
Controls for Information Systems and Organizations, available at 
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf (last accessed July 25, 2024); see also NIST SP 800-37, 
Revision 2. Risk Management Framework for Information Systems and 
Organizations, available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf (last accessed July 25, 
2024).
---------------------------------------------------------------------------

    Second, owner/operators would be required to develop a COIP with 
requirements that focus on: (a) governance of the CRM program that 
helps ensure its successful implementation, relevance, and ability to 
address cybersecurity matters; (b) identification of critical cyber 
systems to help prioritize and optimize efforts; (c) protection of 
critical cyber systems, which helps minimize unnecessary network 
traffic, control internal network access points for users, shorten 
network downtime and increase reliable operational uptime, stop threats 
more quickly, and minimize the risks associated with lost data; (d) 
detection and monitoring of critical cyber systems to help detect 
incidents sooner and respond to them more quickly, potentially reducing 
the associated impacts; and (e) response and recovery, to help ensure 
efficient and effective restoration of operational capabilities 
following an incident. As part of the COIP process for ensuring 
response and recovery, owner/operators would develop a CIRP, which 
would require an established set of policies and procedures for 
responding to intrusions into their critical cybersecurity systems and 
for maintaining or reconstituting operations during an incident. 
Reducing the time and confusion involved in responding to future 
incidents benefits owner/operators, passengers/consumers, and society.
    Third, owner/operators would be required to have a CAP that 
includes an independent evaluation of the effectiveness of their CRM 
program and identification of unaddressed vulnerabilities, which helps 
establish greater accountability. Independent evaluation would ensure 
that the assessments, audits, testing, and other assessment activities 
are not conducted by individuals who have oversight of or 
responsibility for implementing the owner/operator's CRM program, and 
that the evaluators have no vested or other financial interest in the 
results.
    The proposed rule would also expand the requirement for having a 
Physical Security Coordinator (currently in 49 CFR 1570.201) and 
reporting significant physical security concerns (currently in 49 CFR 
1570.203) to owner/operators of designated pipeline facilities and 
systems, which helps delineate clear communication channels by 
establishing a single point of contact and creates greater awareness of 
the various types of cybersecurity threats encountered.
    The proposed rule's CRM program requirements could create benefits 
through the identification, protection, detection, response, and 
recovery from cybersecurity threats, which are discussed more fully in 
the RIA. A standardized requirement applicable to owner/operators that 
meet the applicability criteria would also provide more consistent 
application of, and investment in, cybersecurity measures, yet offer 
flexibility by focusing on security outcomes, which allows for 
innovation and accommodates the unique operational aspects of each 
owner/operator. In addition, applicability criteria based on the volume 
of passengers or goods transported, as opposed to entity size, focus 
requirements on owner/operators where there is the greatest potential 
impact, including small entities that play a critical role or function. 
Further, the proposed requirements would encourage greater investment 
in and development of cybersecurity measures, potential pooling of 
resources to address common issues, as well as gains in efficiency over 
time, which would reduce the direct and indirect costs of cybersecurity 
incidents.
d. Break-Even Analysis
    TSA uses a break-even analysis to help understand and frame the 
relationship between the potential benefits of the proposed rule and 
the costs of implementation.\233\ Consistent with OMB Circular No. A-4, 
``Regulatory Analysis,'' this analysis answers the question ``How small 
could the value of the non-quantified benefits be (or how large would 
the value of the non-quantified costs need to be) before the rule would 
yield zero net benefits?'' \234\
---------------------------------------------------------------------------

    \233\ When it is not possible to quantify or monetize a majority 
of the incremental benefits of a regulation, OMB recommends 
conducting a threshold, or ``break-even'' analysis.
    \234\ OMB, ``Circular A-4: Regulatory Analysis,'' Section B. The 
Need for Federal Regulatory Action. Sept. 17, 2003. pg. 2.
---------------------------------------------------------------------------

    A break-even analysis estimates a threshold value for the security 
benefits of the proposed rule so that the benefits of the rulemaking 
exactly match its costs. TSA compared potential consequence levels of 
cybersecurity incidents to the annualized cost (discounted at 7 
percent) to industry and TSA from the proposed rule for each mode to 
estimate how often a cybersecurity incident of that size would need to 
be averted for the expected benefits to equal estimated costs for that 
transportation mode.
    In calculating the break-even point, TSA uses the full cost of the 
cybersecurity provisions of the proposed rule (physical security 
related requirements are not included) to assess the level of benefits 
or avoided costs required to break even.\235\ 
Applying the simplest version of the conclusion, if the proposed rule 
prevents annual costs of approximately $307.8 million (at 7 percent) 
across all impacted surface modes, its benefits will justify its costs.
---------------------------------------------------------------------------

    \235\ TSA uses the full cost of the CRM program and 
cybersecurity related costs in this break-even analysis without 
adjusting for costs industry has incurred as a result of prior 
industry practices or TSA SDs.
---------------------------------------------------------------------------

    TSA also calculates the avoided costs necessary to break even for 
freight rail, PTPR, and pipeline independently, using the CRM program 
costs identified in Tables 21, 22, and 23. These tables also present a 
selection of break-even scenarios of varying magnitudes to illustrate 
the level of risk reduction necessary for events of that size to break 
even. Specifically, they include the annualized cost of the 
cybersecurity focused provisions of the proposed rule (discounted at 7 
percent) along with identified consequence levels or avoided losses. 
Dividing the annualized cost by the consequence level gives the 
required risk reduction (c = a / b); dividing the consequence level by 
the annualized cost gives the number of years per averted cybersecurity 
incident (d = b / a) needed to break even with respect to the cost of 
the CRM program of the proposed rule.
    Table 21 presents the amount of risk reduction necessary for a 
range of consequence levels relative to freight rail estimated CRM 
program costs. TSA uses the AAR's estimate that a complete nationwide 
shutdown of freight rail transportation could cost the U.S. economy 
more than $2 billion a day as a basis for potential impact.\236\ Based 
on this figure, even if only a fractional amount of the system were 
incapacitated or operated at reduced capacity it would result in 
substantial impacts depending on the number of days affected. The CRM 
rule would reduce the likelihood of the type of systemic disruption 
that would occur from a wide scale attack through the regulation of the 
largest and most interconnected owner/operators. If an attacker were to 
gain access to a freight

[[Page 88541]]

rail entity's IT system and further penetrate the OT system, such an 
attacker could cause rail service interruptions for that entity and 
potential wider cascading effects, especially if multiple owner/
operators were attacked simultaneously. The CRM rule would reduce the 
likelihood of such an attack occurring through the protections 
implemented in the COIP, such as network segmentation, access control 
and patch management. If the attack partially succeeded, the CRM rule 
would reduce the impact of such an incident due to the requirements to 
develop plans to detect, respond to and recover from cybersecurity 
incidents as part of the COIP. TSA shows break-even levels based on $1 
billion, $10 billion, and $20 billion consequence levels by comparing 
the magnitude of the consequences to the annualized cost of the 
proposed CRM rule discounted at 7 percent.
---------------------------------------------------------------------------

    \236\ AAR, The Economic Impact of a Railroad Shutdown at 2 
(2022), available at https://www.aar.org/wp-content/uploads/2022/09/AAR-Rail-Shutdown-Report-September-2022.pdf (last accessed Sept. 28, 
2023).

                        Table 21--Freight Rail Summary of CRM Program Break-Even Results
----------------------------------------------------------------------------------------------------------------
                                                                                              Required frequency
                                    Annualized cost of      Consequence       Required risk       of averted
        Break-even example          CRM  program  (7%     (avoided losses)      reduction       cybersecurity
                                      discount rate)                                              incidents
                                   a..................  b..................       c = a / b  d = b / a
----------------------------------------------------------------------------------------------------------------
1 billion dollar example.........  $98.22 million.....  $1 billion.........          0.0982  One every 10.18
                                                                                              years.
10 billion dollar example........  ...................  10 billion.........          0.0098  One every 101.81
                                                                                              years.
20 billion dollar example........  ...................  20 billion.........          0.0049  One every 203.62
                                                                                              years.
----------------------------------------------------------------------------------------------------------------

    Table 22 presents the amount of risk reduction necessary for a 
range of consequence levels relative to PTPR estimated CRM program 
costs. The type of incident and the size of the ridership affected 
would greatly influence the level of consequence. For instance, 
shutting down municipal rail services for under a million passengers 
for a day differs from shutting down and/or delaying services for 
several million passengers for a prolonged period of time. In some 
cases, the impact may largely consist of delays and inconvenience, 
while in other instances it may include train derailments or 
collisions that result in loss of life. If an attacker were to gain 
access to a transit 
entity's IT system and without sufficient network segmentation further 
penetrate the OT system, such an attacker could cause service 
interruptions for that entity's riders by impacting critical systems 
that prevent travel or disrupt safety measures that could require 
trains to operate at reduced speeds or potentially cause them to 
derail/collide. The CRM rule would reduce the likelihood of such an 
attack occurring through the protections implemented in the COIP like 
network segmentation, access control and patch management.\237\ If the 
attack partially succeeded, the CRM rule would reduce the impact of 
such an incident due to the requirements to develop plans to detect, 
respond to and recover from cybersecurity incidents as part of the 
COIP. TSA shows break-even levels based on $1 billion, $2 billion, and 
$4 billion consequence levels by comparing the magnitude of the 
consequences to the annualized cost of the proposed CRM rule discounted 
at 7 percent.
---------------------------------------------------------------------------

    \237\ See Dragos Year in Review, 2022. It discusses a 39 percent 
change in the oil/gas industries (Table 5: Poor Security Perimeters by 
OT Industry), which is likely correlated with the implementation of 
the TSA SDs released in response to the ransomware attack on a major 
pipeline company in 2021.

                            Table 22--PTPR Summary of CRM Program Break-Even Results
----------------------------------------------------------------------------------------------------------------
                                                                                              Required frequency
                                    Annualized cost of      Consequence       Required risk       of averted
        Break-even example          CRM  program  (7%     (avoided losses)      reduction       cybersecurity
                                      discount rate)                                              incidents
                                   a..................  b..................       c = a / b  d = b / a
----------------------------------------------------------------------------------------------------------------
1 billion dollar example.........  $125.74 million....  $1 billion.........          0.1257  One every 7.95
                                                                                              years.
2 billion dollar example.........  ...................  2 billion..........          0.0629  One every 15.91
                                                                                              years.
4 billion dollar example.........  ...................  4 billion..........          0.0314  One every 31.81
                                                                                              years.
----------------------------------------------------------------------------------------------------------------

    Table 23 presents the amount of risk reduction necessary for a 
range of consequence levels relative to pipeline estimated CRM program 
costs. The national pipeline system transports hazardous liquids, 
natural gas, and other liquids and gases that are used by various other 
segments of the economy including supplying materials for energy needs 
and manufacturing. Disrupting the transportation of these materials can 
have widespread effects that increase in magnitude depending on the 
pipelines impacted and the duration of the disruption. If an attacker 
were to gain access to a pipeline entity's IT system and without 
sufficient network segmentation further penetrate the OT system, such 
an attacker could cause product delivery interruptions for that entity 
or a wider set of pipeline network effects by causing damages to 
extensive portions of pipeline or critical/large junctions. Consistent 
with the above discussion on rail, the CRM rule would reduce the 
likelihood of such an attack occurring through the protections 
implemented in the COIP like network segmentation, access control and 
patch management.\238\ If the attack partially succeeded, the CRM rule 
would reduce the impact of such an incident due to the requirements to 
develop plans to detect, respond to and recover from cybersecurity 
incidents as part of the COIP. Given the expansive impact pipeline 
products have on various aspects of the economy, TSA assumes a 
widespread disruption to the system could range from $1 to $2 billion 
per day. Based on this figure, even if only a fractional amount of the 
system

[[Page 88542]]

were disrupted or operated at reduced capacity, this disruption could 
result in substantial impacts depending on the number of days affected. 
TSA shows break-even levels based on $2 billion, $10 billion, and $20 
billion of consequence compared to the annualized cost of the proposed 
CRM rule discounted at 7 percent.
---------------------------------------------------------------------------

    \238\ Id.

                        Table 23--Pipeline Summary of Full CRM Program Break-Even Results
----------------------------------------------------------------------------------------------------------------
                                                                                              Required frequency
                                    Annualized cost of      Consequence       Required risk       of averted
        Break-even example          CRM  program  (7%     (avoided losses)      reduction       cybersecurity
                                      discount rate)                                              incidents
                                   a..................  b..................       c = a / b  d = b / a
----------------------------------------------------------------------------------------------------------------
2 billion dollar example.........  $83.667 million....  $2 billion.........          0.0418  One every 23.90
                                                                                              years.
10 billion dollar example........  ...................  10 billion.........          0.0084  One every 119.52
                                                                                              years.
20 billion dollar example........  ...................  20 billion.........          0.0042  One every 239.04
                                                                                              years.
----------------------------------------------------------------------------------------------------------------

    TSA also compares the potential levels of consequence to the 
estimated costs of the CRM rule under its cost sensitivity assumptions 
discussed above. For Freight Rail the annualized cost of the rule 
discounted at 7 percent falls from $98.22 million in the primary 
proposal to $65.95 million in the sensitivity analysis. The required 
risk reduction for freight rail falls by 33 percent, in direct 
proportion to the 33 percent reduction in cost. Consequently, each of 
the contemplated $1 billion, $10 billion, and $20 billion consequence 
attacks would need to be averted less frequently for the proposed 
rule's costs and benefits to balance.

                  Table 24--Freight Rail Summary of Sensitivity CRM Program Break-Even Results
----------------------------------------------------------------------------------------------------------------
                                                                                              Required frequency
                                    Annualized cost of      Consequence       Required risk       of averted
        Break-even example          CRM  program  (7%     (avoided losses)      reduction       cybersecurity
                                      discount rate)                                              incidents
                                   a..................  b..................       c = a / b  d = b / a
----------------------------------------------------------------------------------------------------------------
1 billion dollar example.........  $65.949 million....  $1 billion.........          0.0659  One every 15.16
                                                                                              years.
10 billion dollar example........  ...................  10 billion.........          0.0066  One every 151.63
                                                                                              years.
20 billion dollar example........  ...................  20 billion.........          0.0033  One every 303.27
                                                                                              years.
----------------------------------------------------------------------------------------------------------------

    For the PTPR mode, the annualized cost of the proposed rule 
discounted at 7 percent falls from $125.74 million in the primary 
proposal to $78.06 million in the sensitivity analysis. The required 
risk reduction for PTPR falls by 38 percent, in direct proportion to 
the 38 percent reduction in cost. Consequently, each of the 
contemplated $1 billion, $2 billion, and $4 billion consequence 
attacks would need to be averted less frequently for the proposed 
rule's costs and benefits to balance.

                      Table 25--PTPR Summary Of Sensitivity CRM Program Break-Even Results
----------------------------------------------------------------------------------------------------------------
                                                                                              Required frequency
                                    Annualized cost of      Consequence       Required risk       of averted
        Break-even example          CRM  program  (7%     (avoided losses)      reduction       cybersecurity
                                      discount rate)                                              incidents
                                   a..................  b..................       c = a / b  d = b / a
----------------------------------------------------------------------------------------------------------------
1 billion dollar example.........  $78.063 million....  $1 billion.........          0.0781  One every 12.81
                                                                                              years.
2 billion dollar example.........  ...................  2 billion..........          0.0390  One every 25.62
                                                                                              years.
4 billion dollar example.........  ...................  4 billion..........          0.0195  One every 51.24
                                                                                              years.
----------------------------------------------------------------------------------------------------------------

    And finally, for the pipeline mode, the annualized cost of the 
proposed rule discounted at 7 percent falls from $83.67 million in the 
primary proposal (Table 23) to $63.22 million in the sensitivity 
analysis. The required risk reduction for pipeline falls by roughly 25 
percent, in direct proportion to the 25 percent reduction in cost. 
Consequently, each of the contemplated $2 billion, $10 billion, and $20 
billion consequence attacks would need to be averted less frequently 
for the proposed rule's costs and benefits to balance.

[[Page 88543]]



                    Table 26--Pipeline Summary of Sensitivity CRM Program Break-Even Results
----------------------------------------------------------------------------------------------------------------
                                                                                              Required frequency
                                    Annualized cost of      Consequence       Required risk       of averted
        Break-even example          CRM  program  (7%     (avoided losses)      reduction       cybersecurity
                                      discount rate)                                              incidents
                                   a..................  b..................       c = a / b  d = b / a
----------------------------------------------------------------------------------------------------------------
2 billion dollar example.........  $63.222 million....  $2 billion.........          0.0316  One every 31.63
                                                                                              years
10 billion dollar example........  ...................  10 billion.........          0.0063  One every 158.17
                                                                                              years
20 billion dollar example........  ...................  20 billion.........          0.0032  One every 316.35
                                                                                              years
----------------------------------------------------------------------------------------------------------------

    As devastating as the direct impacts of a successful cybersecurity 
incident can be in terms of the immediate loss of life and property, 
avoiding the more difficult-to-measure indirect effects is also a 
substantial benefit of preventing a cybersecurity incident. 
For instance, should there be a cybersecurity incident impacting a 
public transit system, potential ripple impacts could include 
additional hardship on individuals who would then have to find 
alternate means of transportation. This use of alternate means of 
transportation would likely lead to increased traffic and commuting 
times on roadways, which has costs both in terms of additional gasoline 
and accrued wear and tear at the micro level but also compounded 
environmental effects at the macro level. A more detailed discussion of 
the break-even analysis and review of potential consequence with some 
illustrative examples can be found in Section 4.2 of the RIA.
    Although the break-even analysis considers each example separately, 
it is more likely that a combination of preventing all these scenarios 
and others would provide the benefits from these requirements. 
Cybersecurity incidents could carry considerable consequences in terms 
of equipment damages, disruption of services, and even loss of life. 
The impacts can reach billions of dollars depending on the scope of the 
incident; therefore, preventing even a small number of such potential 
incidents can justify the cost of the CRM program.\239\ Accordingly, 
considering the potentially high costs of future cybersecurity 
incidents, including the (unquantifiable but real) risk of high-cost or 
potentially catastrophic incidents, TSA believes that the benefits of 
the proposed rule are likely to justify its costs.
---------------------------------------------------------------------------

    \239\ See break-even analysis section 4.3 in the RIA for 
details.
---------------------------------------------------------------------------

3. OMB A-4 Statement
    The OMB A-4 Accounting Statement presents annualized costs and 
qualitative benefits of the proposed rule.

                                                         Table 27--OMB A-4 Accounting Statement
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                     Estimates                                            Units
                                ------------------------------------------------------------------------------------------------------
            Category                                                                                  Discount rate    Period covered        Notes
                                     Primary            Low              High         Year dollar          (%)            (years)
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                        Benefits
--------------------------------------------------------------------------------------------------------------------------------------------------------
Annualized Monetized (millions/              N/A              N/A              N/A              N/A                7              N/A  Not Quantified.
 year).
                                             N/A              N/A              N/A              N/A                3              N/A
Annualized Quantified..........              N/A              N/A              N/A              N/A                7              N/A  Not Quantified.
                                             N/A              N/A              N/A              N/A                3              N/A
--------------------------------------------------------------------------------------------------------------------------------------------------------
Qualitative....................        The requirements proposed in this rule, if finalized, could produce benefits by reducing
                                      cybersecurity risk and service interruptions of owner/operators in affected modes and help
                                    strengthen systems against cybersecurity incidents. Additionally, benefits would be produced by
                                                 increasing the security of passengers, crew, and the general public.
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                          Costs
--------------------------------------------------------------------------------------------------------------------------------------------------------
Annualized Monetized (millions/          $307.76              N/A              N/A             2022                7         10 Years  NPRM RIA
 year).
                                          308.43              N/A              N/A             2022                3         10 Years
Annualized Quantified..........              N/A              N/A              N/A              N/A                7              N/A  None.
                                             N/A              N/A              N/A              N/A                3              N/A
Qualitative....................   Qualitative costs include those related to actual mitigation measures implemented and not otherwise
                                    covered as a result of the rule, as well as the cost incurred as a result of the COIP amendment
                                    process. Additional administrative costs may also be incurred during the implementation process
                                                                    beyond what TSA has estimated.
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                        Transfers
--------------------------------------------------------------------------------------------------------------------------------------------------------
Federal Annualized Monetized                 N/A              N/A              N/A              N/A                7               NA  None.
 (millions/year).
                                             N/A              N/A              N/A              N/A                3               NA
From/To                                    From:  ...............  ...............              To:  ...............  ...............
Other Annualized Monetized                   N/A              N/A              N/A              N/A                7               NA  None.
 (millions/year).
                                             N/A              N/A              N/A              N/A                3               NA

[[Page 88544]]

 
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                         Effects
--------------------------------------------------------------------------------------------------------------------------------------------------------
State, Local, and/or Tribal         State and Local governments are impacted by the requirements related to passenger rail and rail    None.
 Government.                             transit. These modes are primarily owned and operated by State and local governments.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Small Business.................                    Prepared IRFA.                                NA               NA               NA  NPRM IRFA.
Wages..........................                        None.
Growth.........................                    Not Measured.
--------------------------------------------------------------------------------------------------------------------------------------------------------

4. Alternatives Considered
    In addition to the proposed rule, TSA also considered three 
alternative regulatory options to the primary alternative reviewed in 
the analysis. The first alternative is to implement a limited scope of 
requirements. The second alternative is to reduce the applicability of 
the rule across the industries being regulated. The third alternative 
is to add regulatory requirements that mandate vetting, including a 
terrorism/other analyses check and immigration check for all frontline 
workers in the pipeline industry, as well as a terrorism/other analyses 
check, immigration check, and a CHRC for all Cybersecurity Coordinators 
and accountable executives in all industries.
    Alternative 1 would limit the rule to the following requirements:
     Governance of the CRM program (proposed sections 1580.309, 
1582.209, and 1586.209)
     Cybersecurity Coordinator (proposed sections 1580.311, 
1582.211, and 1586.211)
     Identification of Critical Cybersecurity Systems (proposed 
sections 1580.313, 1582.213, and 1586.213)
     Reporting Cybersecurity Incidents (proposed sections 
1580.325, 1582.225, and 1586.225)
     Cybersecurity Incident Response Plan (proposed sections 
1580.327, 1582.227, and 1586.227).
    These requirements identify responsible persons and organizations 
for an owner/operator's CRM program, identify the cybersecurity 
systems, require the reporting of cybersecurity incidents to CISA, and 
require the submission of a CIRP. This alternative includes some of the 
provisions in TSA's current SDs but does not require owner/operators to 
implement measures necessary to meet all the proposed security outcomes 
to protect against ransomware attacks and other known threats to IT and 
OT systems, nor to conduct a cybersecurity evaluation or have a robust 
assessment program. Any other security requirements or program 
implementation would be up to the owner/operator to establish and 
implement voluntarily for themselves. This alternative would still 
enable TSA to maintain oversight at a reactionary level, but it would 
reduce visibility into implementation of any preventative efforts.
    Alternative 2 would shrink the applicability of the requirements to 
the largest owner/operators in each of the regulated industries. This 
alternative would reduce the freight rail applicability to cover a 
population limited to only Class I rail lines as defined by the Surface 
Transportation Board, resulting in a scope of just six owner/operators. 
The PTPR applicability would cover a population limited to just owner/
operators who host Class I freight railroads/Amtrak lines or those who 
have an average daily ridership of 100,000 passengers in any of the 
previous 3 years or at any time in the future. This covers a current 
population of 27 owner/operators, down from 34 in the preferred 
alternative, and would reduce the ridership protected to around 90 
percent of daily ridership nationwide. For the regulated pipeline 
owner/operators, this alternative would change the applicability to the 
98 critical owner/operators of hazardous liquid and natural gas 
pipelines and liquefied natural gas facilities.
    Alternative 3 would introduce a requirement for accountable 
executives and Cybersecurity Coordinators, in all covered entities, to 
receive a Level 3 STA.\240\ Furthermore, this alternative would require 
all frontline workers (``security-sensitive employees'') in the 
pipeline industry to undergo a Level 2 STA, consistent with the 
requirements proposed for security-sensitive employees in the Security 
Vetting of Certain Transportation Workers rulemaking.\241\
---------------------------------------------------------------------------

    \240\ Under the proposed rule, accountable executives and 
Cybersecurity Coordinators for all covered entities, would not 
receive an STA.
    \241\ See https://www.regulations.gov/docket/TSA-2023-0001 (last 
accessed July 5, 2023).
---------------------------------------------------------------------------

    Table 28 shows a comparison of the cost of the alternatives 
considered.

                                          Table 28--Comparison of Costs between Proposed Rule and Alternatives
                                                       [Discounted at 7%, in thousands of dollars]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                      Initial affected                    Ten-year costs                                 Annualized costs
         Regulatory action           population  (number -----------------------------------------------------------------------------------------------
                                    of owner/ operators)     Industry           TSA            Total         Industry           TSA            Total
                                    ....................               a               b  c = [Sigma]a,b               d               e  f = [Sigma]d,e
--------------------------------------------------------------------------------------------------------------------------------------------------------
Proposed Rule.....................  Freight Rail--73....      $2,147,313         $14,241      $2,161,554        $305,729          $2,028        $307,757
                                    PTPR--34............
                                    OTRB--71............
                                    Pipeline--115.......
Alternative 1.....................  Freight Rail--73....          81,555           2,377          83,932          11,612             338          11,950
                                    PTPR--34............
                                    OTRB--71............
                                    Pipeline--115.......
Alternative 2.....................  Freight Rail--6.....       1,419,861          10,264       1,430,125         202,156           1,461         203,618
                                    PTPR--27............
                                    OTRB--0.............
                                    Pipeline--98........
Alternative 3.....................  Freight Rail--73....       2,160,147          14,241       2,174,389         307,556           2,028         309,584
                                    PTPR--34............
                                    OTRB--71............
                                    Pipeline--115.......
--------------------------------------------------------------------------------------------------------------------------------------------------------

    Although it is not the least costly option, TSA presents the 
proposed rule as its preferred option. Alternative 1 has a smaller 
up-front cost but is less proactive. Based on the recency of the SDs, 
the extent to which companies had already implemented adequate 
cybersecurity policies consistent with the guidelines described in this 
rulemaking, and internal TSA data from 2021/2022, TSA found that the 
industry was not implementing preventative measures on its own. As a 
result, limiting the scope of the requirements, as Alternative 1 does, 
produces an unacceptable level of risk for TSA. Reducing the scope 
would relieve some entities of the requirements to meet specific 
cybersecurity performance measures that protect against cybersecurity 
incidents threatening the availability, integrity, and confidentiality 
of data on and traversing IT and OT systems, to conduct a cybersecurity 
evaluation, and to have an assessment plan. These proactive 
cybersecurity actions, evaluations, and assessments are considered best 
practices. Reducing the scope of the CRM in this fashion would increase 
the vulnerability of the covered operators to the host of cybersecurity 
incidents and impacts the CRM is designed to address.
    Alternative 2 also has a smaller cost. This alternative, however, 
might increase the risk to the surface transportation infrastructure, 
as it does not cover many entities TSA considers important. Covering 
these entities is important because of the role they and their 
industries play in the supply chain, the movement of people and goods, 
and their respective regional economies. Short line and regional 
railroads provide interconnectedness among the nation's rail customers 
and are a critical facet of the overall railroad industry. Leaving 
these railroads out of the applicability pool may leave critical 
terminal and switching services, in addition to the pickup and delivery 
portions of the railroad, more vulnerable and susceptible to 
cybersecurity incidents. Due to the interconnectedness of the nation's 
rail system, if the connecting railroads are immobilized, cross-country 
rail service provided by the Class I railroads and their ability to 
move cargo may also be impacted, with larger cascading effects.
    For PTPR, the criteria of the preferred alternative apply to the 
high-consequence operators and cover most of the national daily rail 
ridership. Reducing the scope of the covered entities in Alternative 2 
reduces the share of the commuting population protected by the proposed 
cybersecurity performance measures and thus leaves the remainder 
exposed to a higher level of risk. If a cybersecurity incident affected 
one of these entities, the damages and consequences could have a 
cascading effect beyond the target and into the local and regional 
communities.
    A reduction in covered pipeline operators could affect risk 
mitigation of potential operational disruption which could have 
widespread impacts. For instance, a cybersecurity incident affecting a 
control room that operates multiple pipeline systems, or impacting 
multiple pipelines, could lead to a large cascading impact on pipeline 
delivery, which could disrupt the accessibility of needed product to 
the communities reliant on the pipeline product.
    Alternative 3 is costlier than the proposed rule due to the 
additional vetting requirements. However, the primary benefit of this 
alternative is the potential to reduce insider threats from employees 
who may wish to do harm, a threat that grows to the extent the employee 
has access to sensitive information and/or operations. Accountable 
executives and Cybersecurity Coordinators for all modes, and the 
frontline employees and Physical Security Coordinators for the pipeline 
industry, are not currently required to undergo a terrorism/other 
analyses check, an immigration check, or a CHRC. Requiring these 
individuals to undergo a terrorism/other analyses check against 
government databases may enable TSA to identify individuals who may 
pose a security threat.
    Although Alternative 3 is not included in the primary analysis at 
this time, TSA seeks comments from affected stakeholders on how the 
vetting of Cybersecurity Coordinators, accountable executives, and/or 
pipeline employees would impact their operations and costs. TSA 
specifically seeks data on how many of each entity's employees would be 
subject to the vetting requirements. Based on comments received, TSA 
may consider including appropriate vetting requirements in a final 
rule. TSA notes that it has already proposed the vetting of frontline 
workers for freight rail and PTPR, and of security coordinators for 
freight rail, PTPR, and OTRBs, in a separate rulemaking.
5. Regulatory Flexibility Assessment
    The RFA requires agencies to consider the impacts of their rules on 
small entities. TSA performed an IRFA to analyze the impact to small 
entities affected by the proposed rule. The following provides a 
summary of the full RIA, which is available in the docket for this 
rulemaking.
    Under the RFA, the term ``small entities'' comprises small 
businesses, not-for-profit organizations that are independently owned, 
operated, and not dominant in their fields,\242\ as well as small 
governmental jurisdictions with populations of less than 50,000.\243\ 
TSA performed an IRFA of the impacts on small entities from this 
proposed rule in the first year of the analysis and found that it may 
affect an estimated 293 U.S. entities (73 corporate-level Class I, II, 
and III freight railroad owner/operators, 34 PTPR owner/operators, 71 
OTRB owner/operators, and 115 pipeline owner/operators). TSA analyzed 
all the entities that would be affected by the proposed rule and found 
that 35 percent of them would be considered small. The proposed rule 
would require small freight rail, PTPR, and pipeline entities to (a) 
designate a Cybersecurity Coordinator, (b) report cybersecurity 
incidents to CISA, and (c) establish a CRM program, and would impose 
(d) familiarization, (e) compliance, and (f) recordkeeping costs. 
Additionally, pipeline owner/operators would have to designate a 
Physical Security Coordinator and report significant physical security 
concerns to TSA. OTRB entities would only have to report cybersecurity 
incidents to CISA.
---------------------------------------------------------------------------

    \242\ The definition of a small business varies from industry to 
industry to properly reflect the relative differences in size 
between industries. An agency must either use the U.S. Small 
Business Administration (SBA) definition for a small business or 
establish an alternative definition for the industry. TSA has 
adopted the SBA small business size standards for each relevant 
industry.
    \243\ Individuals and States are not considered ``small 
entities'' based on the definitions in the RFA (5 U.S.C. 601).
---------------------------------------------------------------------------

    Regulated entities have different requirements under the proposed 
rule, depending on their industry. Freight rail, PTPR, and pipeline 
owner/operators would be required to designate a Cybersecurity 
Coordinator, report cybersecurity incidents, and have a CRM program 
approved by TSA and incur costs associated with familiarization, 
compliance, and recordkeeping requirements. Pipeline owner/operators 
have additional requirements to designate a Physical Security 
Coordinator and report significant physical security concerns to TSA. 
TSA is proposing that OTRB owner/operators must report cybersecurity 
incidents to CISA, as well as incur familiarization costs. TSA 
estimates the proposed rule's requirements to cost $486,792 per entity 
for freight rail owner/operators, $682 per entity for OTRB owner/
operators, and $484,848 per entity for pipeline owner/operators in the 
highest cost year of the proposed rule. TSA did not calculate the cost 
per entity for PTPR entities in this IRFA as none of the PTPR owner/
operators are considered small. Separately, TSA estimates the proposed 
rule requirements to cost $537 per employee for freight rail entities, 
and $659 per employee for pipeline owner/operators. The proposed rule 
has zero cost per employee for OTRB owner/operators, as the proposed 
requirements covering these entities (cybersecurity incident reporting) 
are not based on the number of employees and thus do not incur any 
associated per employee cost. TSA invites all interested parties to 
submit data and information regarding the potential economic impact on 
small entities that would result from the adoption of the requirements 
in the proposed rule.
    TSA estimated the overall impact on small entities due to the 
proposed rule by adding the number of small entities affected (with 
revenue data available) in each revenue impact range for each of the 
four subgroups: freight rail, PTPR, OTRB and pipeline industries. 
Across the combined 293 covered entities, TSA estimates that 79 (27 
percent) are considered small. Of these small entities, TSA found 
employment and revenue data on 75 entities. The IRFA finds that 11 of 
the analyzed entities would have an impact greater than one percent of 
their annual revenue. Table 29 presents the likely distribution of 
impact for small owner/operators.

                                                           Table 29--Average Cost Impact on Small Entities as a Percentage of Revenue
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                   Freight rail    Freight rail
                                                                  (# of affected  (% of affected    OTRB (# of      OTRB (% of    Pipeline (# of  Pipeline (% of    Total (# of     Total (% of
                      Revenue impact range                             small           small      affected small  affected small  affected small  affected small  affected small  affected small
                                                                     entities)       entities)       entities)       entities)       entities)       entities)       entities)       entities)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0% < Impact <= 1%...............................................               6              35              55             100               7             100              68            86.1
1% < Impact <= 3%...............................................               3              18  ..............  ..............  ..............  ..............               3             3.8
3% < Impact <= 5%...............................................               4              24  ..............  ..............  ..............  ..............               4             5.1
5% < Impact <= 10%..............................................               2              12  ..............  ..............  ..............  ..............               2             2.5
Above 10%.......................................................               2              12  ..............  ..............  ..............  ..............               2             2.5
                                                                 -------------------------------------------------------------------------------------------------------------------------------
    Total.......................................................              17             100              55             100               7             100              79             100
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

An Identification, to the Extent Practicable, of All Relevant Federal 
Rules Which May Duplicate, Overlap, or Conflict With the Proposed Rule
    As noted by the ONCD in an August 2023 Request for Information, the 
National Cybersecurity Strategy calls for establishing cybersecurity 
regulations to secure critical infrastructure where existing measures 
are insufficient; harmonizing and streamlining new and existing 
regulations; and enabling regulated entities to afford to achieve 
security.\244\ TSA emphasizes its commitment to regulatory 
harmonization and streamlining, and notes that this proposed rule, 
which is grounded in NIST's Framework for Improving Critical 
Infrastructure Cybersecurity, NIST's standards and best practices, and 
the CISA CPGs, is consistent with such priorities. TSA also 
acknowledges the ongoing rulemakings of other DHS components, including 
ongoing rulemakings on cybersecurity in maritime transportation and 
implementation of CIRCIA. TSA notes potential differences in 
terminology and policy as compared to those rulemakings; although TSA 
views such differences as intentional and based on sector-specific 
distinctions, TSA welcomes comments on opportunities to harmonize and 
streamline regulations where feasible and appropriate.
---------------------------------------------------------------------------

    \244\ See Request for Information on Cyber Regulatory 
Harmonization; Request for Information: Opportunities for and 
Obstacles to Harmonizing Cybersecurity Regulations, 88 FR 55694 
(Aug. 16, 2023).
---------------------------------------------------------------------------

    For pipeline owner/operators, TSA will coordinate activities under 
this part with FERC and with DOT's PHMSA with respect to the regulation 
of pipeline systems and facilities that are also licensed or regulated 
by FERC or PHMSA, to avoid conflicting requirements and minimize 
redundancy of compliance activities.
    TSA is also aware that some pipeline owner/operators may also have 
other business lines in the energy sector that are subject to 
regulations issued by DOE and to the cybersecurity reliability 
standards issued by NERC and approved by FERC. TSA has committed to 
reducing the impact on these multi-sector companies by aligning the 
agency's proposed requirements with the NIST CSF, which is also used by 
DOE, FERC, and NERC.\245\
---------------------------------------------------------------------------

    \245\ See NERC CIP-003-8, Critical Infrastructure Protection 
Reliability Standards, Cyber Security--Security Management Controls, 
and CIP-008-6 (Cyber Security--Incident Reporting and Response 
Planning), available at 
https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-003-8.pdf and 
https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-008-6.pdf 
(last accessed July 5, 2023).
---------------------------------------------------------------------------

    TSA is currently participating in a forum of regulatory agencies 
looking at opportunities for harmonization and reciprocity for 
cybersecurity requirements. In addition, CISA is required by CIRCIA 
\246\ to issue a rule to implement a 72-hour covered cyber incident 
reporting requirement and 24-hour ransom payment reporting requirement 
for ransom payments made in connection with a ransomware attack. These 
requirements would be applicable to covered entities across critical 
infrastructure sectors, as further defined by CISA through rulemaking. 
Although this NPRM and CISA's rulemaking could technically create two 
cyber incident reporting requirements for some entities, TSA does not 
believe that this is likely to result in any actual duplicative 
reporting because entities subject to the cybersecurity incident 
reporting requirements proposed in this NPRM would be required to make 
their reports to CISA. Currently, TSA has determined CIRCIA does not 
require TSA to modify its proposed reporting requirements. TSA will, 
however, re-assess its proposed requirements as CISA's rule is 
finalized to avoid any unnecessary conflicts or redundancies. TSA is 
committed to working with CISA to ensure that entities required to 
report to CISA under both CIRCIA and this proposed rule, if any, can do 
so in a single report where legally possible. If necessary to do so, 
CISA and TSA will explore leveraging an exemption in CIRCIA for covered 
entities that are required to report substantially similar information 
to another Federal agency within a substantially similar timeframe, 
where CISA and the Federal agency have an agreement and information 
sharing mechanism in place.
---------------------------------------------------------------------------

    \246\ Division Y of Public Law 117-103, 136 Stat. 49 (Mar. 15, 
2022).
---------------------------------------------------------------------------

A Description of Any Significant Alternatives to the Proposed Rule That 
Accomplish the Stated Objectives of Applicable Statutes and May Minimize 
Any Significant Economic Impact of the Proposed Rule on Small Entities, 
Including Alternatives Considered
    The first regulatory alternative TSA considered would limit the 
scope of requirements. This alternative would include provisions 
requiring the owner/operator to identify the persons and organizations 
responsible for its CRM program, to identify its cybersecurity systems, 
to report cybersecurity incidents to CISA/TSA, and to submit an 
incident response plan. Any other security requirements or program 
implementation would be left to the owner/operator to establish and 
implement voluntarily. This alternative would still enable TSA to 
maintain oversight, in a more reactive posture, but it would eliminate 
visibility into any preventative efforts owner/operators are undertaking 
and would not ensure that the necessary baseline of cybersecurity 
measures is being consistently implemented across these higher-risk 
operations.
    Unlike the proposed rule, Alternative 1 would have no per-employee 
costs and fewer per-entity cost items. TSA did not evaluate the impact 
to small entities for PTPR and OTRB owner/operators under this 
alternative, as none of the PTPR owner/operators identified by TSA are 
considered small under the SBA size standards and OTRB owner/operators 
would be excluded under the applicability of this alternative.

                              Table 30--Total Cost Per Owner Operator Alternative 1
----------------------------------------------------------------------------------------------------------------
                                                                     Unit time      Hourly wage
                           Requirement                                (hours)          rate          Unit cost
                                                                               a               b       c = b x a
----------------------------------------------------------------------------------------------------------------
                                                  Freight Rail
----------------------------------------------------------------------------------------------------------------
Familiarization.................................................              15         $129.88          $1,904
Cybersecurity Incident Reporting................................            0.14           97.22              14
CRM program.....................................................              87           95.39           8,299
CIRP............................................................             300           94.36          28,308
                                                                 -----------------------------------------------
    Cost per Entity.............................................  ..............  ..............          38,524
----------------------------------------------------------------------------------------------------------------
                                                    Pipeline
----------------------------------------------------------------------------------------------------------------
Familiarization.................................................              56          126.67           7,093
Cybersecurity Incident Reporting................................               3           94.55             329
CRM program.....................................................              87          119.38          10,386
CIRP............................................................             300           89.84          26,953
                                                                 -----------------------------------------------
    Cost per entity.............................................  ..............  ..............          44,761
----------------------------------------------------------------------------------------------------------------

    This alternative has lower estimated costs than the preferred 
alternative. TSA did not select it because it provides a reduced level 
of cybersecurity risk mitigation. TSA believes such mitigation is 
necessary given the key role these industries play in the supply chain, 
movement of people and goods, and the economy. This alternative would 
not require the visibility or accountability aspects of NIST's 
``detect'' or ``protect'' elements that, when implemented as part of a 
cyber-risk management program, would help prevent malicious actors from 
exploiting vulnerabilities as well as ensure the confidentiality, 
availability, and integrity of their critical systems. Not including 
protecting critical cyber systems and having capabilities to
respond to a cybersecurity incident reduces the level of protection 
when compared to the preferred alternative. Furthermore, a 
cybersecurity incident on any entity covered by the proposed rule, 
regardless of size, could have cascading impacts on the nation's 
economy.
    Dynamic and emerging cybersecurity threats to the nation's rail and 
hazardous liquid and natural gas pipeline infrastructure require a more 
proactive approach toward reducing risk related to cybersecurity. In 
this case, TSA believes risk-based cybersecurity policy is the most 
effective means to mitigate the effects of potential cybersecurity 
incidents on critical infrastructure while minimizing costs to both 
industry and government. Exempting an entity solely based on its SBA-
determined size would diminish the risk reduction this rulemaking is 
designed to achieve by failing to consider other criteria that may 
signal the critical value of the owner/operator to the transportation 
system.
    The second alternative that TSA considered would limit the 
applicability of the requirements to the largest and most critical 
owner/operators in each of the regulated industries. This alternative 
would limit applicability of requirements for freight railroads to 
Class I Railroads, as defined by the Surface Transportation Board. For 
PTPR, requirements would be limited to owner/operators that host Class 
I Freight Rail Lines or those with an average daily ridership of 
100,000 passengers in at least one of the last 3 years or in any future 
year. For pipelines, only the 98 most critical owner/operators of 
hazardous liquid and natural gas pipelines and liquefied natural gas 
facilities would be subject to the requirements. Under this more 
limited applicability, Alternative 2 would cover six Class I freight 
rail owner/operators, 27 PTPR agencies, and 100 pipeline owner/
operators in the tenth year of the proposed rule. OTRB owner/operators 
would be excluded under this alternative.
    While Alternative 2 has the same cost per entity as the preferred 
alternative, this alternative reduces the overall number of covered 
entities determined to be small. All freight rail owner/operators 
determined to be small under the proposed rule would be removed from 
applicability under Alternative 2, as none of the Class I freight 
railroads are considered small. OTRB owner/operators would be excluded 
under this alternative; in any case, none of the small OTRB 
owner/operators have a cost impact greater than one percent of annual 
revenue under the proposed rule. The number of small pipeline 
owner/operators would decrease from 23 to 13.
    From an RFA perspective, this alternative impacts fewer small 
entities than the proposed rule. However, TSA has determined this 
alternative produces an unacceptable level of risk given the key role 
these industries play in the supply chain, movement of people and 
goods, and the economy. There are owner/operators not covered under 
these criteria that play a critical role in contributing to the 
stability and security of the movement of people and goods. An incident 
affecting these owner/operators may still result in a ripple effect 
throughout the economy. TSA believes railroads that transport the 
largest volume of cargo, and freight railroads that serve as critical 
connections between Class I railroads or as vital links in the 
STRACNET, are critical to the transportation industry. A cybersecurity 
incident affecting any of these railroads, regardless of the size of 
the entity, would have the most significant impact on rail 
transportation, national security, and economic security. Similarly, a 
successful cybersecurity incident affecting pipeline systems and 
facilities that transport the largest volume of commodities, regardless 
of entity size, could lead to a sustained disruption in service and 
impair their ability to support national security needs, including 
economic security. While TSA acknowledges that Alternative 2 would have 
reduced impacts on small entities, given the quantitative (volume) and 
qualitative (strategic) applicability criteria in the proposed rule, 
TSA does not believe making applicability exceptions based on SBA size 
standards is justified.
    In addition, TSA performed a sensitivity analysis of three major 
cost drivers (access control costs, cybersecurity systems data backup 
costs, and cybersecurity training) to help understand and evaluate the 
practical impacts of the proposed rule versus the zero-baseline 
assumption used in the primary analysis. The sensitivity analysis 
assumes 25 percent of freight rail and pipeline entities are already in 
full compliance with the identified requirements, and 25 percent are in 
partial compliance. While the assumptions in the IRFA sensitivity 
analysis would not change the economic impact on small PTPR entities 
(because no PTPR entities covered by the NPRM are small entities) or 
affect the cost estimates for OTRB entities (because OTRB entities do 
not incur any of the costs modified in the sensitivity analysis and 
none have a cost impact greater than one percent of annual revenue), 
they would reduce cost impacts on small freight rail and pipeline 
entities and decrease the number that would incur a cost greater than 
one percent of annual revenues.\247\
---------------------------------------------------------------------------

    \247\ The primary IRFA analysis estimates 18 freight rail and 10 
pipeline entities will have costs greater than one percent of annual 
revenue. In the IRFA sensitivity analysis, 13 freight rail and 8 
pipeline entities will have costs greater than one percent of annual 
revenue.
---------------------------------------------------------------------------

6. International Trade Impact Assessment
    The Trade Agreement Act of 1979 prohibits Federal agencies from 
establishing any standards or engaging in related activities that 
create unnecessary obstacles to the foreign commerce of the United 
States. The Trade Agreement Act does not consider legitimate domestic 
objectives, such as essential security, as unnecessary obstacles. The 
statute also requires that international standards be considered and, 
where appropriate, that they be the basis for U.S. standards. TSA has 
assessed the potential effect of this proposed rule and has determined 
this rulemaking would not have an adverse impact on international 
trade.
7. Unfunded Mandates Assessment
    Title II of UMRA \248\ establishes requirements for Federal 
agencies to assess the effects of their regulatory actions on State, 
Local, and Tribal governments as well as the private sector. Under 
section 202, UMRA requires Federal agencies to prepare a written 
statement, including a cost-benefit analysis, for proposed and final 
rules with ``Federal mandates'' that may result in expenditures by 
State, Local, and Tribal governments in the aggregate or by the private 
sector of $100 million (adjusted for inflation) or more in any year. 
Before an agency promulgates a rule for which a written statement is 
required, section 205 \249\ of UMRA generally requires identification 
and consideration of a reasonable number of regulatory alternatives, 
and adopting the least costly, most cost-effective, or least burdensome 
alternative that achieves the objectives of the rule. The provisions of 
section 205 do not apply when they are inconsistent with applicable 
law. Moreover, section 205 allows an agency to adopt an alternative 
other than the least costly, most cost-effective, or least burdensome

[[Page 88549]]

alternative if the final rule includes an explanation about why that 
alternative was not adopted.
---------------------------------------------------------------------------

    \248\ See supra note 222, as codified at 2 U.S.C. 1532.
    \249\ Id., as codified at 2 U.S.C. 1535.
---------------------------------------------------------------------------

    Before establishing any regulatory requirements that may 
significantly or uniquely affect small governments, including tribal 
governments, Federal agencies must develop under section 203 \250\ of 
UMRA a small government agency plan. The plan must provide for 
notifying potentially affected small governments; enabling officials of 
affected small governments to have meaningful and timely input in the 
development of regulatory proposals with significant federal 
intergovernmental mandates; and informing, educating, and advising 
small governments on compliance with the regulatory requirements.
---------------------------------------------------------------------------

    \250\ Id., as codified at 2 U.S.C. 1533.
---------------------------------------------------------------------------

    Section 4 of UMRA \251\ includes several types of actions that are 
excluded from its requirements. Among these exclusions are regulations 
necessary for the national security. This rule is not subject to UMRA 
review because it is a regulation necessary for the national security 
of the United States. As noted in the National Cybersecurity Strategy, 
this rule is being promulgated because of national security concerns 
related to the protection of Critical Cyber Systems, the loss or 
disruption of which could have impacts on national security, including 
economic security.
---------------------------------------------------------------------------

    \251\ Id., as codified at 2 U.S.C. 1503.
---------------------------------------------------------------------------

B. Paperwork Reduction Act

    The Paperwork Reduction Act of 1995 (PRA) \252\ requires that DHS 
consider the impact of paperwork and other information collection 
burdens imposed on the public. Under the provisions of PRA section 
3507(d), DHS must obtain approval from the OMB for each collection of 
information it conducts, sponsors, or requires through regulations.
---------------------------------------------------------------------------

    \252\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------

    This proposed rule would call for a collection of information under 
the PRA. Accordingly, DHS has submitted to OMB the proposed rule and 
this analysis, including the sections relating to collections of 
information.\253\ As defined in 5 CFR 1320.3(c), ``collection of 
information'' includes reporting, recordkeeping, monitoring, posting, 
labeling, and other similar actions. This section provides the 
description of the information collection and of those who must collect 
the information as well as an estimate of the total annual time burden.
---------------------------------------------------------------------------

    \253\ See 5 CFR 1320.11(a).
---------------------------------------------------------------------------

    We ask for public comment on the proposed collection of information 
to help us determine, among other things--
    • How useful the information is;
    • Whether the information can help us perform our functions 
better;
    • How we can improve the quality, usefulness, and clarity of 
the information;
    • Whether the information is readily available elsewhere;
    • How accurate our estimate is of the burden of collection;
    • How valid our methods are for determining the burden of 
collection; and
    • How we can minimize the burden of collection.
    Please see instructions under ``Public Participation'' for 
submission of comments on the information collection.
    As protection provided by the PRA, as amended, an agency may not 
conduct or sponsor, and a person is not required to respond to, a 
collection of information unless it displays a currently valid OMB 
control number. OMB has previously approved an information collection 
request (ICR) for Pipeline Critical Infrastructure List under OMB 
Control Number 1652-0050, Pipeline Security Incident Reporting under 
OMB Control No. 1652-0055, Pipeline Corporate Security Reviews under 
OMB Control No. 1652-0056, and Cybersecurity Measures for Surface Modes 
under OMB Control No. 1652-0074. This proposed collection consolidates 
and replaces all current ICR requirements for CRM of freight rail, 
passenger rail, and pipeline owner/operators under one OMB control 
number. Upon approval of the new ICR and publication of a final rule, 
TSA will amend, or as appropriate rescind, the current ICRs associated 
with TSA SDs currently in effect. Even though most of the ICRs in the 
CRM NPRM are currently covered by approved ICRs, TSA is adding a few 
new requirements requiring information collection that were not 
previously included in TSA SDs or otherwise in approved ICRs.
    These new requirements for all rail (freight, passenger, and 
transit) and pipeline owner/operators subject to the ICR include: (1) 
submission of a Cybersecurity training program to TSA for approval 
(reporting); (2) maintaining records of employee cybersecurity training 
(record keeping); and (3) maintaining records of inclusion of supply 
chain security measures in the owner/operator's COIP. OTRB owner/
operators are currently required to report significant security 
concerns and would also be required to report cybersecurity incidents.
    Finally, the CRM NPRM proposes to add a new requirement for 
pipeline owner/operators to: (1) designate a physical security 
coordinator and submit the contact information to TSA and (2) report 
significant physical security concerns to TSA. This additional 
requirement for pipelines would align with requirements applicable to 
the other owner/operators covered by the proposed rule. Upon 
finalization of the CRM rulemaking, TSA will use the information 
collection to establish compliance with the new regulatory 
requirements. By implementing these performance-based requirements, TSA 
would ensure that the 293 higher-risk entities have measures in place 
to address current cybersecurity risks with the flexibility necessary 
to address emerging threats and deploy evolving capabilities, and that 
CISA and TSA are receiving information on cybersecurity threats from 
all higher-risk surface owner/operators identified by TSA, including 71 
OTRB entities not currently subject to the SDs. Accordingly, TSA has 
submitted all information requirements to OMB for its review.
    Table 31 shows the information collection and corresponding burden 
hours for entities falling under the requirements of the proposed rule. 
The collections that have been implemented under the SD-related ICRs 
would continue or be updated under the proposed rule.\254\
---------------------------------------------------------------------------

    \254\ Rail security and rail cybersecurity information 
collection requirements resulting from the SDs covered under ICR 
1652-0051 and 1652-0074. Pipeline security and cybersecurity 
information collection requirements from the SDs are covered under 
ICR 1652-0050, 1652-0055, and 1652-0056. For additional information, 
Table 1-2 in the RIA details the number of covered entities in the 
SD ICs and includes the Published Notice title as well as the 
effective date.

[[Page 88550]]



                                                               Table 31--PRA Burden Hours
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                             Time per                   Number of responses
                       Collection                            response    ------------------------------------------------   3-Year time   Average annual
                                                              (hours)         Year 1          Year 2          Year 3          burden        time burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                             Cybersecurity Evaluation (CSE)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Freight Rail............................................              40              73              74              74           8,829           2,943
PTPR....................................................              40              34              35              36           4,170           1,390
Pipelines...............................................             120             115             115             115          41,400          13,800
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                       Submit COIP
--------------------------------------------------------------------------------------------------------------------------------------------------------
Freight Rail............................................              40              73              73              74           8,783           2,928
PTPR....................................................              40              34              34              35           4,110           1,370
Pipelines...............................................              40             115             115             115          13,800           4,600
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                       Submit POAM
--------------------------------------------------------------------------------------------------------------------------------------------------------
Freight Rail............................................              80              15              15              15           3,531           1,177
PTPR....................................................              80               7               7               7           1,668             556
Pipelines...............................................              80              23              23              23           5,520           1,840
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                      Accountable Executive Information Submission
--------------------------------------------------------------------------------------------------------------------------------------------------------
Freight Rail............................................               3              73               4               4             240              80
PTPR....................................................               3              34               5               5             134              45
Pipelines...............................................               3             115              16              16             439             146
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                    Cybersecurity Coordinator Information Submission
--------------------------------------------------------------------------------------------------------------------------------------------------------
Freight Rail............................................               2             146               7               7             320             107
PTPR....................................................               2              68              10              11             178              59
Pipelines...............................................               2             230               9               9             497             166
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                 Supply Chain Management
--------------------------------------------------------------------------------------------------------------------------------------------------------
Freight Rail............................................              10              73              74              74           2,207             736
PTPR....................................................              10              34              35              36           1,043             348
Pipelines...............................................              10             115             115             115           3,450           1,150
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                  Physical Security Coordinator Information Submission
--------------------------------------------------------------------------------------------------------------------------------------------------------
Pipelines...............................................            0.50             261              36              36             166              55
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                  Report Significant Physical Security Concerns to TSA
--------------------------------------------------------------------------------------------------------------------------------------------------------
Pipelines...............................................            0.05           2,908           2,908           2,908             436             145
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                             Initial Cybersecurity Training Plan Development and Submission
--------------------------------------------------------------------------------------------------------------------------------------------------------
Freight Rail............................................              80              73               1               1           5,931           1,977
PTPR....................................................              80              34               1               1           2,841             947
Pipelines...............................................              80             115  ..............  ..............           9,200           3,067
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                   Cybersecurity Training Documentation Recordkeeping
--------------------------------------------------------------------------------------------------------------------------------------------------------
Freight Rail............................................            0.02         134,504         135,064         135,626           6,753           2,251
PTPR....................................................            0.02         344,632         348,472         352,356          17,424           5,808
Pipelines...............................................            0.02          45,908          46,194          46,482           2,310             770
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                         Report Cybersecurity Incidents to CISA
--------------------------------------------------------------------------------------------------------------------------------------------------------
Freight Rail............................................               1              10              10              10              30              10
PTPR....................................................               1              15              15              16              15              15
OTRB....................................................               1              15              15              16              46              15
Pipelines...............................................               1             400             400             400           1,200             400
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                       Cybersecurity Incident Response Plan (CIRP)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Freight Rail............................................              80              73  ..............  ..............           5,840           1,947
PTPR....................................................              80              34  ..............  ..............           2,720             907
Pipelines...............................................              80             115  ..............  ..............           9,200           3,067
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                           CIRP Annual Exercise Recordkeeping
--------------------------------------------------------------------------------------------------------------------------------------------------------
Freight Rail............................................             120              73              74              74          26,485           8,828
PTPR....................................................             120              34              35              36          12,510           4,170
Pipelines...............................................             120             115             115             115          41,400          13,800
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                           Cybersecurity Assessment Plan (CAP)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Freight Rail............................................              44              73              74              74           9,711           3,237
PTPR....................................................              44              34              35              36           4,587           1,529
Pipelines...............................................              44             115             115             115          15,180           5,060
--------------------------------------------------------------------------------------------------------------------------------------------------------

[[Page 88551]]

                                       CAP Annual Report of Scheduled Testing (30 percent of CAP tested annually)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Freight Rail............................................              30              73              74              74           6,621           2,207
PTPR....................................................              30              34              35              36           3,128           1,043
Pipelines...............................................              30             115             115             115          10,350           3,450
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                      Recordkeeping
--------------------------------------------------------------------------------------------------------------------------------------------------------
Freight Rail............................................               2              73              74              74             441             147
PTPR....................................................               2              34              35              36             209              70
Pipelines...............................................               2             115             115             115             690             230
                                                          -----------------------------------------------------------------------------------------------
Total Number of Responses...............................  ..............  ..............  ..............  ..............       1,606,559         535,520
Total Time Burden (hours)...............................  ..............  ..............  ..............  ..............         363,858         121,286
--------------------------------------------------------------------------------------------------------------------------------------------------------

C. Federalism (E.O. 13132)

    A rule has implications for federalism under E.O. 13132 of August 
4, 1999 (Federalism) \255\ if it has substantial direct effects on the 
States, on the relationship between the national government and the 
States, or on the distribution of power and responsibilities among the 
various levels of government. TSA has analyzed this proposed rule under 
Executive Order 13132 and determined that it does not have implications 
for federalism. TSA welcomes public comments on Executive Order 13132 
federalism implications.
---------------------------------------------------------------------------

    \255\ Published at 64 FR 43255 (Aug. 10, 1999).
---------------------------------------------------------------------------

D. Energy Impact Analysis (E.O. 13211)

    DHS analyzed this proposed rule under E.O. 13211 of May 18, 2001 
(Actions Concerning Regulations That Significantly Affect Energy 
Supply, Distribution, or Use),\256\ and determined that it is not a 
``significant energy action'' under that E.O. and is not likely to have 
a significant adverse effect on the supply, distribution, or use of 
energy. Therefore, this rulemaking does not require a Statement of 
Energy Effects.
---------------------------------------------------------------------------

    \256\ Published at 66 FR 28355 (May 22, 2001).
---------------------------------------------------------------------------

E. Environmental Analysis

    DHS reviews proposed actions to determine whether the National 
Environmental Policy Act (NEPA) applies to them and, if so, what degree 
of analysis is required. DHS Management Directive 023-01 Rev. 01 and 
Instruction Manual 023-01-001-01 Rev. 01 establish the procedures that 
DHS and its components use to comply with NEPA and the Council on 
Environmental Quality (CEQ)'s regulations for implementing NEPA.\257\ 
The CEQ regulations allow Federal agencies to establish, with CEQ 
review and concurrence, categories of actions (``categorical 
exclusions'') which experience has shown do not individually or 
cumulatively have a significant effect on the human environment and, 
therefore, do not require preparation of an Environmental Assessment or 
Environmental Impact Statement.\258\
---------------------------------------------------------------------------

    \257\ See 40 CFR parts 1500 through 1508.
    \258\ See 40 CFR 1501.4, 1507.3(e)(2)(ii).
---------------------------------------------------------------------------

    The DHS categorical exclusions are listed in Appendix A of the 
Instruction Manual. Under DHS NEPA implementing procedures, for an 
action to be categorically excluded, it must satisfy each of the 
following three conditions: (1) The entire action clearly fits within 
one or more of the categorical exclusions; (2) the action is not a 
piece of a larger action; and (3) no extraordinary circumstances exist 
that create the potential for a significant environmental effect.
    As previously discussed, this proposed rule would promote TSA's 
surface transportation security mission by establishing performance-
based requirements to ensure higher-risk owner/operators have measures 
in place to address cybersecurity risks with the flexibility necessary 
to address emerging threats and deploy evolving capabilities. 
Specifically, this proposed rule would establish minimum cybersecurity 
requirements in TSA regulations such as account security measures, 
device security measures, governance and training, risk management, 
supply chain management, resilience, network segmentation, reporting, 
and physical security.
    TSA has determined that this proposed rule clearly fits within 
categorical exclusion A3 in Appendix A of the Instruction Manual. 
Categorical exclusion A3 applies to promulgation of rules, issuance of 
rulings or interpretations, and the development and publication of 
policies, orders, directives, notices, procedures, manuals, advisory 
circulars, and other guidance documents of the following nature: (a) 
Those of a strictly administrative or procedural nature; (b) those that 
implement, without substantive change, statutory or regulatory 
requirements; (c) those that implement, without substantive change, 
procedures, manuals, and other guidance documents; (d) those that 
interpret or amend an existing regulation without changing its 
environmental effect; (e) technical guidance on safety and security 
matters; or (f) guidance for the preparation of security plans.
    The requirements proposed in this rule are administrative in 
nature, providing technical guidance and instruction on safety and 
security matters and the preparation of security plans. TSA has further 
determined that the changes proposed in this rule would not result in 
any significant impact on the environment and, therefore, would not 
result in any ``change in environmental effect.'' TSA further finds no 
extraordinary circumstances associated with this proposed rule that may 
give rise to significant environmental effects necessitating further 
documentation and analysis. This rule specifically addresses surface 
transportation cybersecurity as a standalone rule and is not part of a 
larger action. Accordingly, this action is categorically excluded, and 
no further NEPA analysis or documentation is required. We seek any 
comments or information that may lead to the discovery of a significant 
environmental impact from this proposed rule.

F. Tribal Consultation (E.O. 13175)

    DHS analyzed this proposed rule under E.O. 13175 of November 6, 
2000 (Consultation and Coordination with

[[Page 88552]]

Indian Tribal Governments),\259\ and determined that this rulemaking 
does not have tribal implications. For example, TSA determined that the 
applicability of requirements in proposed 49 CFR 1582.225 would not 
affect any public transportation systems owned or controlled by an 
Indian tribe, as defined in 24 U.S.C. 479A. Based on this 
determination, TSA has not specifically consulted with Indian tribal 
officials. Should TSA make a future determination that there is a risk 
to tribal owned/operated systems supporting the need for security 
enhancements, TSA will follow relevant consultation requirements before 
imposing any regulatory requirements.
---------------------------------------------------------------------------

    \259\ Published at 65 FR 67249 (Nov. 9, 2000).
---------------------------------------------------------------------------

List of Subjects

49 CFR Part 1500

    Air carriers, Air transportation, Aircraft, Airports, Buses, 
Hazardous materials transportation, Law enforcement officers, Maritime 
carriers, Natural gas, Pipeline safety, Pipelines, Railroad safety, 
Railroads, Reporting and recordkeeping requirements, Security measures, 
Transportation facility, Vessels.

49 CFR Part 1503

    Administrative practice and procedure, Investigations, Law 
enforcement, Penalties.

49 CFR Part 1520

    Air carriers, Air transportation, Aircraft, Airports, Buses, Law 
enforcement officer, Maritime carriers, Railroad safety, Railroads, 
Reporting and recordkeeping requirements, Security measures, 
Transportation facility, Vessels.

49 CFR Part 1570

    Buses, Crime, Fraud, Hazardous materials transportation, Motor 
carriers, Railroads, Reporting and recordkeeping requirements, Security 
measures.

49 CFR Part 1580

    Hazardous materials transportation, Railroad safety, Railroads, 
Reporting and recordkeeping requirements, Security measures.

49 CFR Part 1582

    Mass transportation, Railroad safety, Railroads, Reporting and 
recordkeeping requirements, Security measures.

49 CFR Part 1584

    Buses, Mass transportation, Reporting and recordkeeping 
requirements, Security measures.

49 CFR Part 1586

    Gas, Hazardous materials transportation, Natural gas, Pipelines, 
Pipeline Safety, Reporting and recordkeeping requirements, Security 
measures.

The Proposed Amendments

    For the reasons set forth in the preamble, the Transportation 
Security Administration is proposing to amend 49 CFR parts 1500, 1503, 
1520, 1570, 1580, 1582, 1584, and 1586 to read as follows:

PART 1500--APPLICABILITY, TERMS, AND ABBREVIATIONS

■ 1. Revise the authority citation for part 1500 to read as follows:

    Authority: 49 U.S.C. 114, 5103, 40113, 44901-44907, 44912-44914, 
44916-44918, 44935-44936, 44942, 46105; Pub. L. 110-53, 121 Stat. 
266.

■ 2. Amend Sec.  1500.3 by:

■ a. Adding the definitions of ``Carbon dioxide'', ``Gas'', ``Hazardous 
liquid'', ``Liquefied natural gas (LNG)'', ``Pipeline or pipeline 
system'', ``Pipeline facility'', and ``TSA Cybersecurity Lexicon'' in 
alphabetical order; and

■ b. Revising the definitions of ``Transportation or transport'', 
``Transportation facility'', and ``Transportation security equipment 
and systems''.
    The additions and revisions read as follows:

Sec.  1500.3  Terms and abbreviations used in this chapter.

* * * * *
    Carbon dioxide means a fluid consisting of more than 90 percent 
carbon dioxide molecules compressed to a supercritical state.
* * * * *
    Gas means natural gas, flammable gas, or gas which is toxic or 
corrosive.
* * * * *
    Hazardous liquid means petroleum, petroleum products, anhydrous 
ammonia, and ethanol or other non-petroleum fuel, including biofuel, 
which is flammable, toxic, or would be harmful to the environment if 
released in significant quantities.
* * * * *
    Liquefied natural gas (LNG) means natural gas or synthetic gas 
having methane (CH4) as its major constituent that has been 
changed to a liquid.
* * * * *
    Pipeline or Pipeline System means all parts of those physical 
facilities through which gas, hazardous liquid, carbon monoxide, or 
liquefied natural gas moves in transportation including, but not 
limited to pipe, line pipe, valves, and other appurtenance attached to 
pipe and line pipe, compressor units, metering stations, pumping units, 
regulator stations, metering stations, delivery stations, holders, 
fabricated assemblies, and breakout tanks as those terms are defined in 
49 CFR parts 192, 193, and 195.
    Pipeline facility means new or existing piping, pipes, pipelines, 
rights-of-way, and any equipment, facility, or building used in the 
treatment or transportation of gas, hazardous liquid, carbon monoxide, 
or liquefied natural gas, as those terms are defined in 49 CFR parts 
192, 193, and 195.
* * * * *
    Transportation or transport means (1) the movement of property 
including loading, unloading, and storage; (2) the movement of people, 
boarding, and disembarking incident to that movement; and (3) the 
gathering, transmission, or distribution of gas or hazardous liquids by 
pipeline.
    Transportation facility means a location at which transportation 
cargo, equipment or infrastructure assets are stored, equipment is 
transferred between conveyances and/or modes of transportation, 
transportation command and control operations are performed, or 
maintenance operations are performed. The term also includes, but is 
not limited to, passenger stations and terminals (including any fixed 
facility at which passengers are picked-up or discharged), vehicle 
storage buildings or yards, crew management centers, dispatching 
centers, fueling centers, telecommunication centers, and facilities 
used for the gathering, transmission, or distribution of gas or 
hazardous liquids by pipeline or the storage of gas or hazardous 
liquids.
    Transportation security equipment and systems means items, both 
integrated into a system and stand-alone, used by owner/operators to 
enhance capabilities to detect, deter, prevent, or respond to a threat 
or incident, including, but not limited to, video surveillance, 
explosives detection, radiological detection, intrusion detection, 
Information Technology and Operational Technology authentication, 
network logging, motion detection, and security screening. This 
includes security equipment and systems for the protection and 
monitoring of both physical and logical/virtual assets.
* * * * *
    TSA Cybersecurity Lexicon means a list of terms and their meaning 
applicable to cybersecurity requirements imposed by this chapter and 
available in a form and manner

[[Page 88553]]

determined by TSA. TSA may update and revise the lexicon following the 
procedures in this chapter for amendments to security programs.
* * * * *

PART 1503--INVESTIGATIVE AND ENFORCEMENT PROCEDURES

■ 3. Revise the authority citation for part 1503 to read as follows:

    Authority: 6 U.S.C. 1142; 18 U.S.C. 6002; 28 U.S.C. 2461 (note); 
49 U.S.C. 114, 20109, 31105, 40113-40114, 40119, 44901-44907, 46101-
46107, 46109-46110, 46301, 46305, 46311, 46313-46314; Pub. L. 104-
134, 110 Stat. 1321, as amended by Pub. L. 114-74, 129 Stat. 584; 
Pub. L. 110-53, 121 Stat. 266.

PART 1520--PROTECTION OF SENSITIVE SECURITY INFORMATION

■ 4. Revise the authority citation for part 1520 to read as follows:

    Authority: 46 U.S.C. 114, 40113, 44901-44907, 44912-44914, 
44916-44918, 44935-44936, 44942, 46105, 70102-70106, 70117; Pub. L. 
110-53, 121 Stat. 266.

■ 5. Amend Sec.  1520.5 by revising paragraphs (b)(2)(i), (b)(3)(i), 
(b)(4)(i) and (ii), (b)(6)(ii), introductory text of (b)(12), (b)(13), 
and (b)(14) to read as follows:


Sec.  1520.5  Sensitive Security Information.

* * * * *
    (b) * * *
    (2) * * *
    (i) Issued by TSA under 49 CFR 1542.303, 1544.305, 1548.19, 
1570.201, or other authority;
* * * * *
    (3) * * *
    (i) Information circular issued by TSA under 49 CFR 1542.303, 
1544.305, 1548.19, 1570.201, or other authority; and
* * * * *
    (4) * * *
    (i) Any device used by the Federal Government or any other person 
pursuant to any aviation, maritime, or surface transportation security 
requirements of Federal law for the detection of any person, and any 
weapon, explosive, incendiary, or destructive device, item, or 
substance; and
    (ii) Any communications equipment used by the Federal government or 
any other person in carrying out or complying with any aviation, 
maritime, or surface transportation security requirements of Federal 
law.
* * * * *
    (6) * * *
    (ii) In the case of inspections or investigations performed by TSA, 
this includes the following information as to events that occurred 
within 12 months of the date of release of the information: the name of 
the airport or other transportation facility (including remote systems) 
where a violation occurred, the airport or other transportation 
facility identifier in the case number, a description of the violation, 
the regulation allegedly violated, and the identity of any operator in 
connection with specific locations or specific security procedures. 
Such information will be released after the relevant 12-month period, 
except that TSA will not release the specific gate or other location on 
an airport or other transportation facility where an event occurred, 
regardless of the amount of time that has passed since its occurrence. 
During the period within 12 months of the date of release of the 
information, TSA may release summaries of an operator's, but not an 
airport operator's, total security violations in a specified time range 
without identifying specific violations or locations. Summaries may 
include total enforcement actions, total proposed civil penalty 
amounts, number of cases opened, number of cases referred to TSA or FAA 
counsel for legal enforcement action, and number of cases closed.
* * * * *
    (12) Critical transportation infrastructure asset information. Any 
list identifying systems or assets, whether physical or logical/
virtual, so vital to the aviation, maritime, or surface transportation 
that the incapacity or destruction of such assets would have a 
debilitating impact on transportation security, if the list is--
* * * * *
    (13) Systems security information. Any information involving the 
security of operational or administrative data systems operated by the 
Federal government that have been identified by the DOT or DHS as 
critical to aviation, maritime, or surface transportation safety or 
security, including automated information security procedures and 
systems, security inspections, and vulnerability information concerning 
those systems.
    (14) Confidential business information. (i) Solicited or 
unsolicited proposals received by DHS or DOT, and negotiations arising 
therefrom, to perform work pursuant to a grant, contract, cooperative 
agreement, or other transaction, but only to the extent that the 
subject matter of the proposal relates to aviation, maritime, or 
surface transportation security measures;
    (ii) Trade secret information, including information required or 
requested by regulation or SD, obtained by DHS or DOT in carrying out 
aviation, maritime, or surface transportation security 
responsibilities; and
    (iii) Commercial or financial information, including information 
required or requested by regulation or SD, obtained by DHS or DOT in 
carrying out aviation, maritime, or surface transportation security 
responsibilities, but only if the source of the information does not 
customarily disclose it to the public.
* * * * *
■ 6. Amend Sec.  1520.7 by revising paragraph (i) to read as follows:


Sec.  1520.7  Covered persons.

* * * * *
    (i) Each person conducting research and development activities that 
relate to aviation, maritime, or surface transportation security and 
are approved, accepted, funded, recommended, or directed by DHS or DOT.
* * * * *

PART 1570--GENERAL RULES

■ 7. Revise the authority citation for part 1570 to read as follows:

    Authority: 18 U.S.C. 842, 845; 46 U.S.C. 70105; 49 U.S.C. 114, 
5103a, 40113, and 46105; Pub. L. 108-90, 117 Stat. 1156, as amended 
by Pub. L. 110-329, 122 Stat. 3689; Pub. L. 110-53, 121 Stat. 266.

Subpart A--General

■ 8. Revise Sec.  1570.1 to read as follows:


Sec.  1570.1  Scope.

    (a) Applicability. This part applies to any person involved in 
maritime or surface transportation as specified in this subchapter.
    (b) Delegation of authority. (1) Where the Administrator is named 
in this subchapter as exercising authority over a function, the 
authority is exercised by the Administrator or the Deputy 
Administrator, or any individual formally designated to act as the 
Administrator or the Deputy Administrator.
    (2) Where TSA or the designated official is named in this 
subchapter as exercising authority over a function, the authority is 
exercised by the official designated by the Administrator to perform 
that function.
■ 9. Amend Sec.  1570.3 by adding the definitions ``Accountable 
executive'', ``Cybersecurity'', ``Cybersecurity-sensitive employee'', 
and ``Physical security'' in alphabetical order to read as follows:


Sec.  1570.3  Terms used in this subchapter.

* * * * *

[[Page 88554]]

    Accountable executive means an individual identified by an owner/
operator who has responsibility and accountability for the owner/
operator's compliance with the requirements of this subchapter, 
including authority over human resource issues, major financial issues, 
conduct of the owner/operator's affairs, all operations conducted 
related to the requirements of this subchapter, and responsibility for 
all transportation-related security issues.
* * * * *
    Cybersecurity means measures to prevent damage to, protect, and 
restore Information Technology and Operational Technology systems as 
defined in the TSA Cybersecurity Lexicon, including protection of data 
to ensure its availability, integrity, authentication, confidentiality, 
and nonrepudiation. Cybersecurity and physical security are not 
mutually exclusive concepts.
    Cybersecurity-sensitive employee means any employee who is a 
privileged user with access to, or privileges to access, a Critical 
Cyber System or any Information or Operational Technology system that 
is interdependent with a Critical Cyber System as defined in the TSA 
Cybersecurity Lexicon.
* * * * *
    Physical security means measures to (1) protect the safety and 
security of persons and property resulting from disruption of 
operations; (2) prevent damage to, protection of, and restoration of 
physical assets and operations; and (3) controls to prevent 
unauthorized access to or disruption of physical and virtual assets and 
operations. Physical security encompasses the security of systems and 
facilities, as well as the persons in areas in or near to operations 
that could have their safety and security threatened by an attack on 
physical systems and assets. Cybersecurity and physical security are 
not mutually exclusive concepts.
* * * * *
■ 10. Amend Sec.  1570.7 by adding paragraph (a)(4) to read as follows:


Sec.  1570.7  Security responsibilities of employees and other persons.

    (a) * * *
    (4) Access information or operational technology systems without 
complying with the security measures required under this subchapter to 
control access to or modification to such systems.
* * * * *
■ 11. Revise subpart B of part 1570 to read as follows:

Subpart B--Security Programs

Sec.
1570.101 Scope.
1570.103 Content.
1570.105 Responsibility for determinations.
1570.107 Approval and amendments.
1570.109 Alternate means of compliance for seasonal or infrequent 
operations.
1570.111 Extensions of time.
1570.113 [Reserved]
1570.115 Withdrawal of approval of a security program.
1570.117 Recordkeeping and availability.
1570.119 Exhaustion of administrative remedies.
1570.121 Severability.


Sec.  1570.101  Scope.

    The requirements of this subpart address general security program 
requirements applicable to each owner/operator required to have a 
security program under parts 1580, 1582, 1584, and 1586 of this 
subchapter.


Sec.  1570.103  Content.

    (a) Security program. Except as otherwise approved by TSA, each 
owner/operator required to have a security program under parts 1580, 
1582, 1584, or 1586 of this subchapter must include in its security 
program detailed information describing how it addresses each of the 
requirements identified in the applicable part.
    (b) Index. The owner/operator required to have a security program 
under parts 1580, 1582, 1584, or 1586 of this subchapter must ensure 
the required security program includes an index organized in the same 
subject area sequence as the requirements in the applicable part or 
subpart.
    (c) Use of appendices. (1) The owner/operator may comply with the 
requirement in paragraph (a) of this section by including in its 
security program any document that contains the information required by 
the applicable security program required by parts 1580, 1582, 1584, or 
1586 of this subchapter, including previously developed plans, 
policies, and/or procedures that support compliance with these 
requirements.
    (2) These documents may be provided as either an appendix to the 
security program or as a list of documents, including specific 
applicable sections, that contain the required information. The owner/
operator must include an index of the records and their location 
organized in the same sequence as the requirements in the applicable 
parts.
    (3) The appendix or documents listed in it must be explicitly 
incorporated by reference and become part of the corresponding 
section(s) of the security program.


Sec.  1570.105  Responsibility for determinations.

    (a) Higher-risk operations. Owner/operators of freight railroads, 
public transportation systems, passenger railroads, over-the-road buses 
(OTRB), and pipeline system and facilities are required to determine if 
the applicability criteria identified for security programs or other 
requirements identified in parts 1580, 1582, 1584, or 1586 of this 
subchapter apply to their operations. Unless otherwise notified in 
writing by TSA, owner/operators must notify TSA of applicability before 
[DATE 30 DAYS AFTER EFFECTIVE DATE OF FINAL RULE].
    (b) New or modified operations. If an owner/operator commences new 
operations or modifies existing operations after [DATE 30 DAYS AFTER 
EFFECTIVE DATE OF FINAL RULE], that owner/operator is responsible for 
determining whether the new or modified operations would meet the 
applicability criteria in parts 1580, 1582, 1584, or 1586 of this 
subchapter and must notify TSA no more than the later of [DATE 60 DAYS 
AFTER EFFECTIVE DATE OF FINAL RULE] or 60 calendar days before 
commencing operations or implementing modifications that would result 
in meeting the applicability criteria.
    (c) Continued applicability. Once an owner/operator becomes subject 
to the requirements in parts 1580, 1582, 1584, or 1586 of this 
subchapter, the requirements continue to apply unless otherwise 
exempted under the procedures in paragraph (d) of this section.
    (d) Permanent changes in operations. If an owner/operator changes 
operations to the extent that any of the applicability criteria for 
requirements in parts 1580, 1582, 1584, or 1586 of this subchapter no 
longer apply, the owner/operator is responsible for notifying TSA of 
the change. Notification must be provided in writing and include 
documentation that operations no longer meet the criteria for 
applicability. TSA may require additional documentation to support the 
owner/operator's assertions. If TSA confirms the change in operations, 
TSA will provide a written, operation and requirement-specific 
exemption to the owner/operator. If the operations change in the 
future, the owner/operator must comply with the procedures in paragraph 
(b) for new or modified operations.


Sec.  1570.107  Approval and amendments.

    (a) Initial approval of security program. Unless otherwise 
authorized by TSA, each owner/operator required

[[Page 88555]]

to have a security program under this subchapter must submit its 
proposed security program to TSA for approval no later than the 
deadline specified in the applicable requirements. The proposed 
security program must meet the requirements applicable to its 
operation, as required by this subchapter. The following procedures 
apply to security program approvals:
    (1) TSA approval. Within 60 days of receiving the owner/operator's 
proposed security program required by parts 1580, 1582, 1584, or 1586 
of this subchapter, the designated official will either approve the 
program or give the owner/operator written notice to modify the program 
to comply with the applicable requirements of this subchapter. TSA may 
request additional information, and the owner/operator must provide the 
information within the time period TSA prescribes. The 60-day period 
for TSA approval will begin when the owner/operator provides the 
additional information. After all required information is received, TSA 
will notify the owner/operator if it needs an extension of time to 
approve the program or provide the owner/operator with written notice 
to modify the program to comply with the applicable requirements of 
this subchapter.
    (2) Notice to modify. (i) If TSA provides the owner/operator with 
written notice to modify the security program to comply with the 
applicable requirements of this subchapter, the owner/operator must 
provide a modified security program to TSA for approval within the 
timeframe specified by TSA.
    (ii) The owner/operator may either submit a modified security 
program to the designated official for approval, or petition for 
reconsideration under paragraph (f) of this section within 30 days of 
receiving a notice to modify.
    (b) Amendment requested by an owner/operator. Once a security 
program (including any appendices, policies, procedures, or measures 
incorporated by reference) required by parts 1580, 1582, 1584, or 1586 
is approved by TSA, the owner/operator must request an amendment for 
any permanent (intended to be in effect for 60 or more calendar days), 
substantive changes to its security program. Except as provided in 
paragraph (c), an owner/operator requesting approval to amend its 
security program must request an amendment in advance of implementing 
the proposed change using the following procedures:
    (1) The request for an amendment must be filed with the designated 
official at least 45 days before the date it proposes for the amendment 
to become effective unless a shorter period is allowed by the 
designated official.
    (2) Within 30 days after receiving a proposed amendment, the 
designated official, in writing, either approves or denies the request 
to amend.
    (3) TSA may approve an amendment to a security program if the 
designated official determines that the interest of the public and 
transportation security will allow it, and the proposed amendment 
provides the level of security required under this subchapter. In 
considering the request for alternative measures, TSA will review all 
relevant factors including--
    (i) The risks associated with the type of operation, for example, 
whether the owner/operator transports hazardous materials or passengers 
within a high threat urban area, whether the owner/operator transports 
passengers and the volume of passengers transported, or whether the 
owner/operator hosts a passenger operation.
    (ii) Any relevant threat information.
    (iii) Other circumstances concerning potential risk to the public 
and transportation security.
    (4) No later than 30 calendar days after receiving a denial, the 
owner/operator may petition for reconsideration under paragraph (e) of 
this section.
    (5) Owner/operators may submit a group proposal for an amendment 
that is on behalf of it and other owner/operators that co-sign the 
proposal. The joint proposal may only be submitted by owner/operators 
subject to the applicable requirements.
    (c) Administrative, clerical, and temporary changes to policies, 
procedures, or measures in a TSA-approved Security Program.
    (1) Administrative or clerical changes. (i) An owner/operator is 
not required to notify TSA of administrative or technical changes to 
its TSA-approved security program. This exception is limited to changes 
that do not affect policies, procedures, or measures in the owner/
operator's TSA-approved security program.
    (ii) Owner/operators must keep a chronological record of 
administrative or clerical changes that indicates the relevant portion 
of the security program that is being changed and when the change 
occurred. This information must be maintained for a duration that 
includes, at a minimum, any changes made during the period of one year 
before the date of the most recently approved security program.
    (2) Temporary changes affecting security matters. (i) The owner/
operator must notify TSA in writing no more than 24 hours after any 
temporary, substantive change to its TSA-approved security program. For 
purposes of this requirement, a temporary, substantive change is any 
change that affects policies, procedures, or measures in the owner/
operator's TSA-approved security program, that is not intended to be in 
effect for 60 or more calendar days.
    (ii) Within seven calendar days of the notification in paragraph 
(c)(2)(i), the owner/operator must inform TSA, in writing, of each 
interim policy, procedure, or measure being used to maintain adequate 
security while the temporary, substantive change is in effect. The 
owner/operator must include in its written notification a description 
of how the interim policy, procedure, or measure provides the same 
level of security as the previously approved policy, procedure, or 
measure. TSA will notify the owner/operator in writing if TSA does not 
concur that the interim measures provide a commensurate level of 
security. TSA may request additional information to make its 
determination.
    (iii) If the duration of the temporary, substantive change exceeds 
or is expected to exceed 60 or more calendar days, the owner/operator 
must seek an amendment to the security program as required by paragraph 
(b). The request for an amendment must be submitted no more than 65 
days after the temporary, substantive change initially took effect.
    (d) Amendment by TSA. In the interest of the public and 
transportation security, TSA may amend a security program using the 
following procedures:
    (1) The designated official will notify the owner/operator, in 
writing, of the proposed amendment, fixing a period of not less than 30 
calendar days within which the owner/operator may submit written 
information, views, and arguments on the amendment.
    (2) After considering all relevant material, the designated 
official will notify the owner/operator of any amendment adopted or 
rescind the notice of amendment. If the amendment is adopted, it 
becomes effective not less than 30 calendar days after the owner/
operator receives the notice of amendment, unless the owner/operator 
submits a petition for reconsideration under paragraph (f) of this 
section no later than 15 calendar days before the effective date of the 
amendment. A timely petition for reconsideration stays the effective 
date of the amendment.
    (e) Emergency amendments. If the designated official finds that 
there is an emergency requiring immediate action to protect 
transportation security that makes procedures in this section contrary 
to the public interest, the designated official may issue an

[[Page 88556]]

amendment, without the prior notice and comment procedures in paragraph 
(c) of this section, effective without stay on the date the owner/
operator receives notice of it. In such a case, the designated official 
will incorporate in the notice a brief statement of the reasons and 
findings for the amendment to be adopted. The owner/operator may file a 
petition for reconsideration under paragraph (e) of this section within 
15 calendar days of the effective date of the emergency amendment; 
however, this filing does not stay the effective date of the emergency 
amendment.
    (f) Petitions for reconsideration. (1) Process for filing. If an 
owner/operator seeks to petition for reconsideration of a 
determination, required modification, denial of a request for an 
amendment by the owner/operator, denial to rescind a TSA-required 
amendment, denial of an alternative measure, or issuance of a security 
directive, the owner/operator must submit the petition, together with 
any pertinent information, to the Administrator for reconsideration. 
The petition for reconsideration must be submitted within the timeframe 
given in the applicable section and include a statement and any 
supporting documentation explaining why the owner/operator believes 
TSA's decision or action is incorrect. TSA review of a petition for 
reconsideration will begin when the owner/operator provides all 
required information.
    (2) TSA review. Upon review of the petition for reconsideration, 
the Administrator or designee will dispose of the petition for 
reconsideration by affirming, modifying, or rescinding its previous 
decision.
    (3) Final agency action. The disposition of a petition for 
reconsideration by the Administrator is considered a final agency 
action.


Sec.  1570.109  Alternate means of compliance for seasonal or 
infrequent operations.

    If in TSA's judgment, the overall safety and security of operations 
for which a security program is required under this subchapter are not 
diminished, then TSA may approve a security program that provides for 
the use of alternate measures. Such a program may be considered only 
for an owner/operator at which operations that meet the criteria for 
applicability in parts 1580, 1582, 1584, or 1586 of this subchapter are 
determined by TSA to be seasonal or infrequent.


Sec.  1570.111  Extensions of time.

    TSA may grant an extension of time for implementing a security 
program required by this subchapter upon a showing of good cause. The 
owner/operator must request the extension of time in writing, and TSA 
must receive the request within a reasonable time before the due date 
to be extended; an owner/operator may request an extension after the 
expiration of a due date by sending a written request describing why 
the failure to meet the due date was excusable. TSA will respond to the 
request in writing.


Sec.  1570.113  [Reserved]


Sec.  1570.115  Withdrawal of approval of a security program.

    (a) Applicability. This section applies to holders of a security 
program approved or accepted by TSA under 49 CFR chapter XII, 
subchapter D.
    (b) Withdrawal of security program approval. TSA may withdraw the 
approval of a security program, if TSA determines continued operation 
is contrary to security and the public interest, as follows:
    (1) Notice of proposed withdrawal of approval. TSA will serve a 
Notice of Proposed Withdrawal of Approval, which notifies the holder of 
the security program, in writing, of the facts, charges, and applicable 
law, regulation, or order that form the basis of the determination.
    (2) Security program holder's reply. The holder of the security 
program may respond to the Notice of Proposed Withdrawal of Approval no 
later than 15 calendar days after receipt of the withdrawal by 
providing the designated official, in writing, with any material facts, 
arguments, applicable law, and regulation.
    (3) TSA review. The designated official will consider all 
information available, including any relevant material or information 
submitted by the holder of the security program, before either issuing 
a Withdrawal of Approval of the security program or rescinding the 
Notice of Proposed Withdrawal of Approval. If TSA issues a Withdrawal 
of Approval, it becomes effective upon receipt by the holder of the 
security program, or 15 calendar days after service, whichever occurs 
first.
    (4) Petition for reconsideration. The holder of the security 
program may petition TSA to reconsider its Withdrawal of Approval by 
serving a petition for reconsideration no later than 15 calendar days 
after the holder of the security program receives the Withdrawal of 
Approval. The holder of the security program must serve the Petition 
for Reconsideration on the designated official. Submission of a 
Petition for Reconsideration will not stay the Withdrawal of Approval. 
The holder of the security program may request the designated official 
to stay the Withdrawal of Approval pending review of and decision on 
the Petition.
    (5) Administrator's review. The designated official transmits the 
Petition together with all pertinent information to the Administrator 
for reconsideration. The Administrator will dispose of the Petition 
within 15 calendar days of receipt by either directing the designated 
official to rescind the Withdrawal of Approval or by affirming the 
Withdrawal of Approval. The decision of the Administrator constitutes a 
final agency order subject to judicial review in accordance with 49 
U.S.C. 46110.
    (6) Emergency withdrawal. If TSA finds that there is an emergency 
with respect to transportation security requiring immediate action that 
makes the procedures in this section contrary to the public interest, 
the designated official may issue an Emergency Withdrawal of Approval 
of a security program without first issuing a Notice of Proposed 
Withdrawal of Approval. The Emergency Withdrawal would be effective on 
the date that the holder of the security program receives the emergency 
withdrawal. In such a case, the designated official will send the 
holder of the security program a brief statement of the facts, charges, 
applicable law, regulation, or order that forms the basis for the 
Emergency Withdrawal. The holder of the security program may submit a 
Petition for Reconsideration under the procedures in paragraphs (b)(4) 
through (b)(5) of this section; however, this petition will not stay 
the effective date of the Emergency Withdrawal.
    (c) Service of documents for withdrawal of approval of security 
program proceedings. Service may be accomplished by personal delivery, 
certified mail, or express courier. Documents served on the holder of a 
security program will be served at its official place of business as 
designated in its security program. Documents served on TSA must be 
served to the address noted in the Notice of Withdrawal of Approval or 
Withdrawal of Approval, whichever is applicable.
    (1) Certificate of service. An individual may attach a certificate 
of service to a document tendered for filing. A certificate of service 
must consist of a statement, dated and signed by the person filing the 
document, that the document was personally delivered, served by 
certified mail on a specific date, or served by express courier on a 
specific date.
    (2) Date of service. The date of service is--

[[Page 88557]]

    (i) The date of personal delivery;
    (ii) If served by certified mail, the mailing date shown on the 
certificate of service, the date shown on the postmark if there is no 
certificate of service, or other mailing date shown by other evidence 
if there is no certificate of service or postmark; or
    (iii) If served by express courier, the service date shown on the 
certificate of service, or by other evidence if there is no certificate 
of service.
    (d) Extension of time. TSA may grant an extension of time to the 
limits set forth in this section for good cause shown. A security 
program holder must submit a request for an extension of time in 
writing, and TSA must receive it at least 2 days before the due date to 
be considered. TSA may grant itself an extension of time for good 
cause.


Sec.  1570.117  Recordkeeping and availability.

    (a) Retention. In addition to submission of documents as required 
by parts 1580, 1582, 1584, and 1586 of this subchapter, each owner/
operator required to have a security program under these parts must--
    (1) Maintain and make available to TSA records to establish 
compliance with the requirements in this subchapter, including all 
plans, procedures, and other documents (including cited sections of 
these documents) incorporated by reference into a security program 
required by parts 1580, 1582, 1584, or 1586 of this subchapter.
    (2) [Reserved]
    (b) Location. The records required by paragraph (a) of this section 
must be retained at the owner/operator's corporate headquarters unless 
otherwise directed by TSA.
    (c) Physical and electronic records. (1) Except as provided in 
paragraph (c)(2), each owner/operator required to retain records under 
this section may keep them in electronic form. An owner/operator may 
maintain and transfer records through electronic transmission, storage, 
and retrieval provided that the electronic system provides for the 
maintenance of records as originally submitted without corruption, loss 
of data, or tampering.
    (2) The owner/operator must maintain one written copy of the 
current and complete TSA-approved security program required by the 
applicable part or subpart of this subchapter, signed by the owner/
operator, at its corporate headquarters, plus one written copy of the 
most recent security program previously approved by TSA.
    (d) Availability to TSA. Each owner/operator must make the records 
available to TSA upon request, including through electronic submission 
if applicable, for inspection and copying.
    (e) Protection of SSI. Each owner/operator must restrict the 
distribution, disclosure, and availability of Sensitive Security 
Information, as identified in part 1520 of this chapter, to persons 
with a need to know. The owner/operator must refer requests for such 
information by other persons to TSA.
    (f) Dissemination to employees. Subject to the restrictions in 
paragraph (e) of this section, each owner/operator must make copies of 
the security program, relevant portions of the security program, or 
implementing instructions available to the employees who are 
responsible for implementing it, consistent with personnel security 
access rights, background investigation restrictions, and a 
demonstrated need to know.


Sec.  1570.119  Exhaustion of administrative remedies.

    Persons subject to the requirements in parts 1570, 1580, 1582, 
1584, and 1586 of this subchapter must exhaust the administrative 
remedies set forth in this part before seeking judicial review.


Sec.  1570.121  Severability.

    Any provision of this subchapter held to be invalid or 
unenforceable as applied to any person or circumstance shall be 
construed so as to continue to give the maximum effect to the provision 
permitted by law, including as applied to persons not similarly 
situated or to dissimilar circumstances, unless such holding is that 
the provision of this subchapter is invalid and unenforceable in all 
circumstances, in which event the provision shall be severable from the 
remainder of this subchapter and shall not affect the remainder 
thereof.
■ 12. Revise subpart C of part 1570 to read as follows:

Subpart C--Threat and Threat Response

Sec.
1570.201 Security Directives and Information Circulars.
1570.203 Alternative measures.


Sec.  1570.201  Security Directives and Information Circulars.

    (a) The requirements in this section apply to each owner/operator 
identified in Sec. Sec.  1580.1, 1582.1, 1584.1, and 1586.1 of this 
subchapter.
    (b) TSA may issue an Information Circular to notify owner/operators 
of security concerns. When TSA determines that additional security 
measures are necessary to respond to a threat assessment or to a 
specific threat against transportation security, TSA issues a Security 
Directive setting forth mandatory measures.
    (c) Each owner/operator must comply with each Security Directive 
issued to the owner/operator within the time prescribed in the Security 
Directive.
    (d) Each owner/operator that receives a Security Directive must--
    (1) Within the time prescribed in the Security Directive, 
acknowledge receipt of the Security Directive to TSA as required in the 
Security Directive.
    (2) Within the time prescribed in the Security Directive, specify 
the method by which the measures in the Security Directive have been 
implemented (or will be implemented, if the Security Directive is not 
yet effective).
    (e) In the event that the owner/operator is unable to implement the 
measures in the Security Directive, the owner/operator must submit 
proposed alternative measures following the procedures in Sec.  
1570.203, and the basis for submitting the alternative measures to TSA 
for approval. The owner/operator must implement any alternative 
measures approved by TSA.
    (f) Each owner/operator that receives a Security Directive may 
comment on the Security Directive by submitting data, views, or 
arguments in writing to TSA. TSA may amend the Security Directive based 
on comments received. Submission of a comment does not delay the 
effective date of the Security Directive.
    (g) The owner/operator may file a petition for reconsideration 
under paragraph (e) of Sec.  1570.107 within 15 days of the effective 
date of a Security Directive; however, this filing does not stay the 
effective date of the Security Directive.
    (h) Except as provided in paragraph (h)(3) of this section, each 
owner/operator that receives a Security Directive or an Information 
Circular and each person who receives information from a Security 
Directive or an Information Circular must:
    (1) Restrict the availability of the Security Directive or 
Information Circular, and information contained in either document, to 
those persons with an operational need-to-know.
    (2) Refuse to release the Security Directive or Information 
Circular, and information contained in either document, to persons 
other than those who have an operational need to know without the prior 
written consent of TSA.
    (3) The requirements in paragraph (h)(1) and (h)(2) of this section 
do not apply if the TSA Administrator, or designee, under the authority 
of

[[Page 88558]]

Sec.  1520.5(c) of this chapter, determines that a Security Directive 
or Information Circular does not contain Sensitive Security 
Information.


Sec.  1570.203  Alternative measures.

    (a) If, in TSA's judgment, the overall security of transportation 
provided by an owner/operator subject to the requirements of parts 
1580, 1582, 1584, or 1586 of this subchapter is not diminished, TSA 
may approve alternative measures to requirements in a Security 
Directive.
    (b) Each owner/operator requesting alternative measures must file 
the request for approval in a form and manner prescribed by TSA. The 
filing of such a request does not affect the owner/operator's 
responsibility for compliance while the request is being considered.
    (c) TSA may request additional information, and the owner/operator 
must provide the information within the period TSA prescribes. Within 
30 calendar days after receiving a request for alternative measures and 
all requested information, TSA will, in writing, either approve or deny 
the request.
    (d) If TSA finds that the use of the alternative measures is in the 
interest of the public and transportation security, it may grant the 
request subject to any conditions TSA deems necessary. In considering 
the request for alternative measures, TSA will review all relevant 
factors, including--
    (1) The risks associated with the type of operation, for example, 
whether the owner/operator transports hazardous materials or passengers 
within a high threat urban area, whether the owner/operator transports 
passengers and the volume of passengers transported, or whether the 
owner/operator hosts a passenger operation.
    (2) Any relevant threat information.
    (3) Other circumstances concerning potential risk to the public and 
transportation security.
    (e) No later than 30 calendar days after receiving a denial, the 
owner/operator may petition for reconsideration under Sec.  
1570.107(f).

Appendix A to Part 1570 [Removed]

■ 13. Remove Appendix A to part 1570.

PART 1580--FREIGHT RAIL TRANSPORTATION SECURITY

■ 14. The authority citation for part 1580 continues to read as follows:

    Authority:  49 U.S.C. 114; Pub. L. 110-53 (121 Stat. 266, Aug. 
3, 2007) secs. 1501 (6 U.S.C. 1151), 1512 (6 U.S.C. 1162) and 1517 
(6 U.S.C. 1167).

Subpart A--General

■ 15. Amend Sec.  1580.3 by:
■ a. Revising the introductory paragraph;
■ b. Removing the definition of ``Class I'';
■ c. Adding the definitions of ``Class I, II, or III'', ``Component'', 
``Defense Connector Railroad'', ``Positive Train Control'', ``Switching 
or terminal service'', and ``Train miles'' in alphabetical order.
    The revision and additions read as follows:


Sec.  1580.3  Terms used in this part.

    In addition to the terms in Sec. Sec.  1500.3, 1500.5, and 1503.103 
of subchapter A and Sec.  1570.3 of subchapter D of this chapter, the 
following terms apply to this part:
* * * * *
    Class I, Class II, or Class III freight railroad has the same 
meaning as ``Class I,'' ``Class II,'' and ``Class III'' freight 
railroads as determined by regulations of the Surface Transportation 
Board c).
    Component has the same meaning as ``component'' as defined in 49 
CFR 236.903.
    Defense Connector Railroad means a railroad that has a line of 
common carrier obligation designated a defense connector line by the US 
Army Military Surface Deployment and Distribution Command 
Transportation Engineering Agency (SDDCTEA) and Federal Railroad 
Administration (FRA) which connects defense installations or other 
activities requiring rail service to the Strategic Rail Corridor 
Network (STRACNET).
* * * * *
    Positive train control (PTC) has the same meaning as ``positive 
train control'' as defined in 49 CFR 236.1003.
* * * * *
    Switching or terminal services means the furnishing of terminal 
facilities for passenger or freight rail traffic for line-haul service 
and the movement of railroad cars between terminal yards, industrial 
sidings, and other local sites. This term does not include movement of 
a train or part of a train within yard limits by the road locomotive 
and the placement of locomotives or cars in a train or their removal 
from a train by the road locomotive while en route to the train's 
destination.
    Train miles means a unit in railroad accounting that refers to the 
distance of one mile covered by a single train, which may have several 
cars.
■ 16. Revise subpart B of part 1580 to read as follows:

Subpart B--Security Programs: Physical Security

Sec.
1580.101 Scope.
1580.103 Physical Security Coordinator.
1580.105 Reporting of significant physical security concerns.
1580.107 [Reserved]
1580.109 [Reserved]
1580.111 [Reserved]
1580.113 Security training program requirements.
1580.115 [Reserved]


Sec.  1580.101  Scope.

    This subpart includes requirements that are primarily intended to 
ensure the physical security of freight rail operations. Physical 
security encompasses the security of individuals, cargo, rail secure 
areas, rail cars, and transportation facilities, as well as the persons 
in areas in or near to rail operations that could have their safety and 
security threatened by an attack on physical systems and assets. Each 
person identified in Sec.  1580.1 must review the applicability in each 
section of this subpart to determine whether they are an owner/operator 
to whom the requirements apply based on their operations and the 
criteria for applicability.


Sec.  1580.103  Physical Security Coordinator.

    (a) (1) Except as provided in paragraph (a)(2) of this section, 
each owner/operator identified in Sec.  1580.1 must designate and use a 
primary and at least one alternate Physical Security Coordinator at the 
corporate level to function as the administrator for sharing security-
related activities and information.
    (2) An owner/operator identified in Sec.  1580.1(a)(5) (private 
rail cars and circus trains) must designate and use a primary and at 
least one alternate Physical Security Coordinator, only if notified by 
TSA in writing that a threat exists concerning that type of operation.
    (b) The primary Physical Security Coordinator and alternate(s) 
must--
    (1) Be accessible to TSA on a 24 hours per day, 7 days per week 
basis;
    (2) Serve as the primary contact(s) for intelligence information 
and security-related activities and communications with TSA. Any 
individual designated as a Physical Security Coordinator may perform 
other duties in addition to the duties described in this section; and
    (3) Coordinate security practices and procedures required by this 
subchapter internally and with appropriate law enforcement and 
emergency response agencies.
    (c) The Physical Security Coordinator and alternate(s) must be a 
U.S. citizen

[[Page 88559]]

eligible for a security clearance, unless otherwise waived by TSA.
    (d) Each owner/operator required to have a Physical Security 
Coordinator must provide in writing to TSA the names, U.S. citizenship 
status, titles, business phone number(s), and business email 
address(es) of the Physical Security Coordinator and alternate(s). 
Changes in any of the information required by this section must be 
submitted to TSA within 7 calendar days.


Sec.  1580.105  Reporting of significant physical security concerns.

    (a) Each owner/operator identified in Sec.  1580.1 must report, 
within 24 hours of initial discovery, any potential threats and 
significant physical security concerns involving transportation-related 
operations in the United States or transportation to, from, or within 
the United States as soon as possible by the methods prescribed by TSA.
    (b) Potential threats or significant physical security concerns 
encompass incidents, suspicious activities, and threat information 
affecting physical operations including, but not limited to, the 
categories of reportable events listed in appendix C to this part.
    (c) Information reported must include the following, as available 
and applicable:
    (1) The name of the reporting individual and contact information, 
including a telephone number or email address.
    (2) The affected freight or passenger train, station, terminal, 
rail hazardous materials facility, or other transportation facility or 
infrastructure, including identifying information and current location.
    (3) Scheduled origination and termination locations for the 
affected freight or passenger train--including departure and 
destination city and route.
    (4) Description of the threat, incident, or activity, including who 
has been notified and what action has been taken.
    (5) The names, other available biographical data, and/or 
descriptions (including vehicle or license plate information) of 
individuals or motor vehicles known or suspected to be involved in the 
threat, incident, or activity.
    (6) The source of any threat information.


Sec.  1580.107  [Reserved]


Sec.  1580.109  [Reserved]


Sec.  1580.111  [Reserved]


Sec.  1580.113  Security training program requirements.

    (a) Applicability. This section applies to each owner/operator--
    (1) Described in Sec.  1580.1(a)(1) that is a Class I freight 
railroad.
    (2) Described in Sec.  1580.1(a)(1) that transports one or more of 
the categories and quantities of RSSM in an HTUA.
    (3) Described in Sec.  1580.1(a)(4) that serves as a host railroad 
to a freight railroad described in paragraphs (a)(1) or (a)(2) or a 
passenger operation described in Sec.  1582.101 of this subchapter.
    (b) Training required for security-sensitive employees. No owner/
operator identified in paragraph (a) of this section may use a 
security-sensitive employee to perform a function identified in 
Appendix B to this part, unless that individual has received training 
as part of a security training program approved by TSA or is under the 
direct supervision of an employee who has received the training 
required by this section as applicable to that security-sensitive 
function. Upon approval, this security training program becomes part of 
the owner/operator's TSA-approved security program.
    (c) Limits on use of untrained employees. Notwithstanding paragraph 
(b) of this section, a security-sensitive employee may not perform a 
security-sensitive function for more than 60 calendar days without 
receiving security training.
    (d) General requirements. Each owner/operator required to provide 
security training to its employees under this section must submit its 
security training program to TSA for approval in a form and manner 
prescribed by TSA. The security training program must include the 
following information:
    (1) Name of owner/operator.
    (2) Name, title, telephone number, and email address of the primary 
individual to be contacted about review of the security training 
program.
    (3) Number, by specific job function category identified in 
Appendix B to this part, of security-sensitive employees trained or to 
be trained.
    (4) Implementation schedule that identifies a specific date by 
which the required initial and recurrent security training will be 
completed.
    (5) Location where training program records will be maintained.
    (6) Plan for ensuring supervision of untrained security-sensitive 
employees performing functions identified in Appendix B to this part.
    (7) Plan for notifying employees of changes to security measures 
that could change information provided in previously provided training.
    (8) Method(s) for evaluating the effectiveness of the security 
training program in each area required by paragraph (e) of this 
section.
    (e) General curriculum requirements. The security training program 
submitted to TSA for approval must include a curriculum or lesson plan, 
including learning objectives and method of delivery (such as 
instructor-led or computer-based training) for each course used to meet 
the requirements in paragraph (f) of this section. TSA may request 
additional information regarding the curriculum during the review and 
approval process. If recurrent training under paragraph (j) of this 
section is not the same as initial training, a curriculum or lesson 
plan for the recurrent training must be submitted and approved by TSA.
    (f) Specific curriculum requirements. (1) Prepare. Each owner/
operator must ensure that each of its security-sensitive employees with 
position- or function-specific responsibilities under the owner/
operator's security program has knowledge of how to fulfill those 
responsibilities in the event of a security threat, breach, or incident 
to ensure--
    (i) Employees with responsibility for transportation security 
equipment and systems are aware of their responsibilities and can 
verify the equipment and systems are operating and properly maintained; 
and
    (ii) Employees with other duties and responsibilities under the 
company's security plans and/or programs, including those required by 
Federal law, know their assignments and the steps or resources needed 
to fulfill them.
    (2) Chain of Custody. Each employee who performs any security-
related functions under Sec.  1580.205 of this subchapter must be 
provided training specifically applicable to the functions the employee 
performs. As applicable, this training must address--
    (i) Inspecting rail cars for signs of tampering or compromise, 
IEDs, suspicious items, and items that do not belong;
    (ii) Identification of rail cars that contain rail security-
sensitive materials, including the owner/operator's procedures for 
identifying rail security-sensitive material cars on train documents, 
shipping papers, and in computer train/car management systems; and
    (iii) Procedures for completing transfer of custody documentation.

[[Page 88560]]

    (3) Observe. Each owner/operator must ensure that each of its 
security-sensitive employees has knowledge of the observational skills 
necessary to recognize--
    (i) Suspicious and/or dangerous items, such as substances, 
packages, or conditions (for example, characteristics of an Improvised 
Explosive Device and signs of equipment tampering or sabotage);
    (ii) Combinations of actions and individual behaviors that appear 
suspicious and/or dangerous, inappropriate, inconsistent, or out of the 
ordinary for the employee's work environment, which could indicate a 
threat to transportation security; and
    (iii) How a terrorist or someone with malicious intent may attempt 
to gain sensitive information or take advantage of vulnerabilities.
    (4) Assess. Each owner/operator must ensure that each of its 
security-sensitive employees has knowledge necessary to--
    (i) Determine whether the item, individual, behavior, or situation 
requires a response as a potential terrorist threat based on the 
respective transportation environment; and
    (ii) Identify appropriate responses based on observations and 
context.
    (5) Respond. Each owner/operator must ensure that each of its 
security-sensitive employees has knowledge of how to--
    (i) Appropriately report a security threat, including knowing how 
and when to report internally to other employees, supervisors, or 
management, and externally to Local, State, or Federal agencies 
according to the owner/operator's security procedures or other relevant 
plans;
    (ii) Interact with the public and first responders at the scene of 
the threat or incident, including communication with passengers on 
evacuation and any specific procedures for individuals with 
disabilities and the elderly; and
    (iii) Use any applicable self-defense devices or other protective 
equipment provided to employees by the owner/operator.
    (g) Relation to other training. Training conducted by owner/
operators to comply with other requirements or standards, such as 
emergency preparedness training required by the Department of 
Transportation (DOT) (49 CFR part 239) or other training for 
communicating with emergency responders to arrange the evacuation of 
passengers, may be combined with, and used to satisfy, elements of the 
training requirements in this section.
    (h) Submission. If commencing or modifying operations subject to 
these requirements after June 21, 2021, the training program must be 
submitted to TSA no later than 90 calendar days before commencing new 
or modified operations.
    (i) Initial security training. Each owner/operator must provide 
initial security training to security-sensitive employees, using the 
curriculum approved by TSA and in compliance with the following 
schedule.
    (1) For security training programs submitted to TSA for approval 
after March 22, 2021, if the employee is employed to perform a 
security-sensitive function on the date TSA approves the program, then 
initial training must be provided no later than 12 months after the 
date that TSA approves the owner/operator's security training program.
    (2) If performance of a security-sensitive job function is 
initiated after TSA approves the owner/operator's security training 
program, then initial training must be provided no later than 60 
calendar days after the employee first performs the security-sensitive 
job function.
    (3) If the security-sensitive job function is performed 
intermittently, then initial security training must be provided no 
later than the 60th calendar day of employment performing a security-
sensitive function, aggregated over a consecutive 12-month period.
    (j) Recurrent security training. (1) Except as provided in 
paragraph (j)(2) of this section, a security-sensitive employee 
required to receive training must receive the required training at 
least once every 3 years.
    (2) If an owner/operator modifies a security program or security 
plan for which training is required, the owner/operator must ensure 
each security-sensitive employee with position- or function-specific 
responsibilities related to the revised plan or program changes 
receives training on the revisions within 90 days of implementation of 
the revised plan or program changes. All other employees must receive 
training that reflects the changes to the operating security 
requirements as part of their regularly scheduled recurrent training.
    (3) The 3-year recurrent training cycle is based on the anniversary 
calendar month of the employee's initial security training. If the 
owner/operator provides the recurrent security training in the month 
of, the month before, or the month after it is due, the employee is 
considered to have taken the training in the month it is due.
    (k) Recognition of prior training. Previously provided security 
training may be credited towards satisfying the requirements of this 
section provided the owner/operator--
    (1) Obtains a complete record of such training and validates the 
training meets requirements of this section as it relates to the 
function of the individual security-sensitive employee and the training 
was provided within the schedule required for recurrent training; and
    (2) Retains a record of such training in compliance with the 
requirements in paragraph (l).
    (l) Retention of security training records. The owner/operator must 
retain records of initial and recurrent security training for each 
individual required to receive security training under this section 
for no less than 5 years from the date of training. At a minimum, the 
records must--
    (1) Includes employee's full name, job title or function, date of 
hire, and date of initial and recurrent security training; and
    (2) Identifies the date, course name, course length, and list of 
topics addressed for the security training most recently provided in 
each of the areas required under paragraph (f) of this section.
    (m) Availability of records to employees. The owner/operator must 
provide records of security training to current and former employees 
upon request and at no charge as necessary to provide proof of 
training.
    (n) Incorporation into security program. Once approved by TSA, the 
security training program required by this section is part of the 
owner/operator's TSA-approved security program. The owner/operator must 
implement and maintain the security training program and comply with 
timeframes for implementation identified in the security training 
program. Any modifications or amendments to the program must be made as 
stipulated in Sec.  1570.107 of this subchapter.
    (o) Situations requiring owner/operator to revise security training 
program. The owner/operator must submit a request to amend its security 
program if, after approval, the owner/operator makes, or intends to 
make, permanent (to be in effect for 60 or more calendar days) or 
substantive changes to its security training curriculum, including 
changes to address:
    (1) Determinations that the security training program is 
ineffective based on the approved method for evaluating effectiveness 
in the security training program approved by TSA; or
    (2) Development of recurrent training material for purposes of 
meeting the requirements in paragraph (j) of this section or other 
alternative training materials not previously approved by TSA.

[[Page 88561]]

Sec.  1580.115  [Reserved]

■ 17. Revise the heading of subpart C of part 1580 to read as follows:

Subpart C--Security of Rail Security-Sensitive Materials

■ 18. Add subpart D of part 1580 to read as follows:

Subpart D--Cybersecurity Risk Management

Sec.
1580.301 Scope and applicability.
1580.303 Form, content, and availability of Cybersecurity Risk 
Management program.
1580.305 Cybersecurity evaluation.
1580.307 Cybersecurity Operational Implementation Plan.
1580.309 Governance of the CRM program.
1580.311 Cybersecurity Coordinator.
1580.313 Identification of Critical Cyber Systems.
1580.315 Supply chain risk management.
1580.317 Protection of Critical Cyber Systems.
1580.319 Cybersecurity training and knowledge.
1580.321 Detection of cybersecurity incidents.
1580.323 Capabilities to respond to a cybersecurity incident.
1580.325 Reporting cybersecurity incidents.
1580.327 Cybersecurity Incident Response Plan.
1580.329 Cybersecurity Assessment Plan.
1580.331 Documentation to establish compliance.


Sec.  1580.301  Scope and applicability.

    (a) Scope. This subpart includes requirements to ensure the 
cybersecurity of freight rail operations and to mitigate the risk of 
significant harm to the individuals, cargo, and transportation 
facilities, as well as persons in areas in or near rail operations, 
that could have their safety and security threatened because of the 
degradation, destruction, or malfunction of systems that control these 
systems and infrastructure. In addition, cybersecurity incidents could 
have significant, similar impacts on the movement of cargo critical to 
the supply chain, affecting the national and economic security of the 
United States. The owner/operators identified in Sec.  1580.1 must 
review the applicability for carrying out a Cybersecurity Risk 
Management program in paragraph (b) of this section, designation of a 
Cybersecurity Coordinator in Sec.  1580.311, and reporting 
cybersecurity incidents in Sec.  1580.325 to determine if the 
requirements apply to their operations.
    (b) Applicability. Each owner/operator described in Sec.  1580.1 
must adopt and carry out a Cybersecurity Risk Management (CRM) program 
for any operation that meets any of the following criteria:
    (1) Is a Class I freight railroad; or
    (2) Is a Class II or III railroad, that:
    (i) Provides switching or terminal services to two or more Class I 
railroads;
    (ii) Transports one or more of the categories and quantities of 
RSSM in an HTUA;
    (iii) Serves as a host railroad to a freight railroad described in 
paragraph (b)(1) or (b)(2) of this section or a passenger operation 
described in Sec.  1582.201(b) of this subchapter; or
    (iv) Operates an average of at least 400,000 train miles in any of 
the three calendar years before [EFFECTIVE DATE OF FINAL RULE] or any 
single calendar year after [EFFECTIVE DATE OF FINAL RULE].
    (3) Is designated as a Defense Connector Railroad.


Sec.  1580.303  Form, content, and availability of Cybersecurity Risk 
Management program.

    (a) General content requirements. The CRM program required by this 
subpart is a comprehensive program that includes the following 
components:
    (1) A cybersecurity evaluation completed and updated as required by 
Sec.  1580.305;
    (2) A TSA-approved Cybersecurity Operational Implementation Plan 
(COIP) that meets the requirements in Sec.  1580.307; and
    (3) A Cybersecurity Assessment Plan that meets the requirements in 
Sec.  1580.329.
    (b) Subsidiaries. If a single CRM program is developed and 
implemented for multiple business units within a single corporate 
entity, any documents used to comply or establish compliance with the 
requirements in this subpart must clearly identify and distinguish 
application of the requirements to each business unit.


Sec.  1580.305  Cybersecurity evaluation.

    (a) General. Each owner/operator required to have a CRM program 
must complete an initial and recurrent cybersecurity evaluation 
sufficient to determine the owner/operator's current enterprise-wide 
cybersecurity profile of logical/virtual and physical security controls 
when evaluated against the CRM program requirements in this subpart, 
using a form provided by TSA or other tools approved by TSA.
    (b) Timing. The initial cybersecurity evaluation must be completed 
no later than [DATE 90 DAYS AFTER EFFECTIVE DATE OF FINAL RULE], but no 
more than one year before the date of submission of the owner/
operator's Cybersecurity Operational Implementation Plan required by 
Sec.  1580.307. If commencing or modifying operations subject to these 
requirements after [EFFECTIVE DATE OF FINAL RULE], the initial 
cybersecurity evaluation must be submitted to TSA no later than 45 
calendar days after commencing the new or modified operations 
triggering applicability.
    (c) Annual updates. The evaluation required by paragraph (a) of 
this section must be updated annually, no later than one year from the 
anniversary date of the previously completed evaluation.
    (d) Notification. The owner/operator must notify TSA within 7 days 
of completing the evaluation and annual updates required by this 
section. A copy of the evaluation must be provided to TSA upon request.
    (e) Sensitive Security Information. This evaluation is a 
vulnerability assessment as defined in Sec.  1500.3 of this subchapter 
and must be protected as Sensitive Security Information under Sec.  
1520.5(b)(5) of this subchapter.


Sec.  1580.307  Cybersecurity Operational Implementation Plan.

    (a) Requirement. Each owner/operator required to have a CRM program 
under this part must adopt a COIP.
    (b) General Content. The COIP must include the following corporate 
information:
    (1) The name and corporate address of the owner/operator;
    (2) Written attestation by the owner/operator's accountable 
executive that the COIP has been reviewed and approved by senior 
management; and
    (3) Identification of specific operations that meet the 
applicability criteria.
    (c) Specific Content. The COIP must detail the owner/operator's 
defense-in-depth plan, including physical and logical/virtual security 
controls, to comply with the requirements and security outcomes 
specified in the following sections:
    (1) Governance. The requirements for governance of the CRM program 
in Sec.  1580.309 and the designation of a Cybersecurity Coordinator in 
Sec.  1580.311.
    (2) Identification of Critical Cyber Systems, Network Architecture, 
and Interdependencies. The requirements to identify Critical Cyber 
Systems and network architecture in Sec.  1580.313 and supply chain 
risk management in Sec.  1580.315.
    (3) Procedures, policies, and capabilities to protect Critical 
Cyber Systems. The requirements for protection of Critical Cyber 
Systems in Sec.  1580.317 and training of

[[Page 88562]]

cybersecurity-sensitive employees in Sec.  1580.319.
    (4) Procedures, policies, and capabilities to detect cybersecurity 
incidents. The requirements for detecting cybersecurity incidents in 
Sec.  1580.321.
    (5) Procedures, policies, and capabilities to respond to, and 
recover from, cybersecurity incidents. The requirements for responding 
to cybersecurity incidents in Sec.  1580.323, reporting cybersecurity 
incidents in Sec.  1580.325, and the Cybersecurity Incident Response 
Plan in Sec.  1580.327.
    (d) Plan of Action and Milestones. (1) To the extent an owner/
operator does not meet every requirement and security outcome 
identified in paragraph (c)(1) through (c)(5) of this section, the COIP 
must include a plan of action and milestones (POAM).
    (2) The POAM must include:
    (i) Policies, procedures, measures, or capabilities that owner/
operator will develop or obtain, as applicable, to ensure all 
requirements and security outcomes in this subpart are met;
    (ii) Physical and logical/virtual security controls that the owner/
operator will implement to mitigate the risks associated with not fully 
complying with requirements or security outcomes in this subpart; and
    (iii) A detailed timeframe for full compliance with all 
requirements and security outcomes in this subpart, not to exceed 3 
years from the date of submission to TSA of the COIP required by this 
section.
    (3) The POAM must be updated as necessary to address any 
deficiencies identified during the evaluation required by Sec.  
1580.305 or as a result of an assessment conducted under Sec.  1580.329 
that will not be immediately addressed through an update to the COIP.
    (e) Approval and implementation. (1) Submission deadlines. The COIP 
must be made available to TSA, in a form and manner prescribed by TSA, 
no later than [DATE 180 DAYS AFTER EFFECTIVE DATE OF FINAL RULE]. If 
commencing or modifying operations subject to these requirements after 
[EFFECTIVE DATE OF FINAL RULE], the COIP must be made available to TSA 
no later than 45 calendar days before commencing new or modified 
operations.
    (2) Effective date. After considering all relevant materials and 
any additional information required by TSA, TSA will notify the owner/
operator's accountable executive of TSA's decision to approve the 
owner/operator's COIP. The COIP becomes effective 30 days after the 
owner/operator is notified whether its COIP is approved.
    (3) TSA-approved security program. Once approved by TSA, the COIP, 
any appendices, and any policies or procedures incorporated by 
reference, are a part of a TSA-approved security program, subject to 
the protections in part 1520 of this chapter and the procedures 
applicable to security programs in subpart B of part 1570 of this 
subchapter.
    (f) Status Report and Updates. The CRM program must be reviewed and 
updated by the owner/operator within 60 days of the evaluations or 
assessments required by Sec. Sec.  1580.305 or 1580.329, as necessary 
to address any identified vulnerabilities or weaknesses in the 
procedures, policies, or capabilities identified in the CRM program.
    (g) Revisions. Unless otherwise specified in this subpart, any 
substantive modifications or amendments to the COIP must be made in 
accordance with the procedures in Sec.  1570.107 of this subchapter.


Sec.  1580.309  Governance of the CRM program.

    (a) Accountable Executive. (1) No later than [DATE 30 DAYS FROM 
EFFECTIVE DATE OF FINAL RULE], the owner/operator must provide to TSA 
the names, titles, business telephone numbers, and business email 
addresses of the owner/operator's accountable executive, who is the 
primary individual to be contacted with regard to the owner/operator's 
CRM program. If any of the information required by this paragraph 
changes, the owner/operator must provide the updated information to TSA 
within 7 days of the change.
    (2) The accountable executive must be an individual who has the 
authority and knowledge necessary for the development, implementation, 
and managerial oversight of the TSA-approved CRM program, including 
cybersecurity administration, risk assessments, inspections and control 
procedures, and coordinating communications with the owner/operator's 
leadership and staff on implementation and sustainment of the CRM 
program. To the extent possible, the accountable executive should not 
be the Cybersecurity Coordinator or an individual responsible for 
management of Information or Operational Technology system or systems' 
administration.
    (b) COIP. The COIP must also include:
    (1) Identification of positions designated by the owner/operator to 
manage implementation of policies, procedures, and capabilities 
described in the COIP and coordinate improvements to the CRM program.
    (2) Corporate-level identification of any authorized 
representatives, as defined in the TSA Cybersecurity Lexicon, who are 
responsible for any or all of the CRM program or cybersecurity measures 
identified in the CRM program, and written documentation (such as 
contractual agreements) clearly identifying the roles and 
responsibilities of the authorized representative under the CRM 
program.
    (3) The information required by paragraph (a)(1) of this section.
    (c) Process. Updating the COIP to align with information provided 
to TSA under this section does not require an amendment subject to the 
procedures in Sec.  1570.107 of this subchapter.


Sec.  1580.311  Cybersecurity Coordinator.

    (a)(1) Except as provided in paragraph (a)(2) of this section, each 
owner/operator identified in Sec.  1580.1(a)(1), (a)(4), and 
(a)(5) must designate employees at the corporate level to serve as the 
primary and at least one alternate Cybersecurity Coordinator with 
responsibility for sharing critical cybersecurity information.
    (2) Each owner/operator identified in Sec.  1580.1(a)(5) must 
designate and use a primary and at least one alternate Cybersecurity 
Coordinator, only if notified by TSA in writing that a threat exists 
concerning that type of operation.
    (b) The Cybersecurity Coordinator and alternate(s) must--
    (1) Serve as the primary contact for cyber-related intelligence 
information and cybersecurity-related activities and communications 
with TSA and the Cybersecurity and Infrastructure Security Agency 
(CISA);
    (2) Have the following knowledge and skills, through current 
certifications or equivalent job experience:
    (i) General cybersecurity guidance and best practices;
    (ii) Relevant law and regulations pertaining to cybersecurity;
    (iii) Handling of Sensitive Security Information and security-
related communications; and
    (iv) Current cybersecurity threats applicable to the owner/
operator's operations and systems.
    (3) Be accessible to TSA and CISA 24 hours per day, 7 days per 
week;
    (4) Have a Homeland Security Information Network (HSIN) account or 
other TSA-designated communication platform for information sharing 
relevant to the requirements in this subpart; and
    (5) Work with appropriate law enforcement and emergency response

[[Page 88563]]

agencies in addressing cybersecurity threats or responding to 
cybersecurity incidents.
    (c) The Cybersecurity Coordinator and alternate(s) must be a U.S. 
citizen eligible for a security clearance, unless otherwise waived by 
TSA.
    (d) Owner/operators must provide in writing to TSA the names, 
titles, business phone number(s), and business email address(es) of the 
Cybersecurity Coordinator and alternate Cybersecurity Coordinator(s) 
required by paragraph (a) of this section no later than [DATE 7 DAYS 
AFTER EFFECTIVE DATE OF FINAL RULE], or within 7 days of the 
commencement of new operations, or any change in the information 
required by this section that occurs after [DATE 7 DAYS AFTER EFFECTIVE 
DATE OF FINAL RULE].
    (e) In addition to providing the information to TSA as required by 
paragraph (d), any owner/operator required to have a CRM program under 
this part must also include the information required by paragraph (d) 
in the COIP. As the owner/operator must separately notify TSA of this 
information, and any changes to this information, updating the COIP to 
align with information provided to TSA under this section does not 
require an amendment subject to the procedures in Sec.  1570.107 of 
this subchapter.


Sec.  1580.313  Identification of Critical Cyber Systems.

    (a) Identifying information. The owner/operator must incorporate 
into its COIP a list of Critical Cyber Systems, as defined in the TSA 
Cybersecurity Lexicon, that provides, at a minimum, the following 
identifying information for each Critical Cyber System:
    (1) Identifier (system name or commercial name), and
    (2) System manufacturer/designer name.
    (b) Identification methodology. The owner/operator must include a 
description of the methodology and information used to identify 
Critical Cyber Systems that, at a minimum, includes the following 
information as used to identify critical systems:
    (1) Standards and factors, including system interdependencies with 
critical functions, used to identify Information Technology and 
Operational Technology systems that could be vulnerable to a 
cybersecurity incident;
    (2) Sources and data, such as known threat information relevant to 
the system, that informed decisions regarding the likelihood of the 
system being subject to a cybersecurity incident;
    (3) Potential operational impacts of a cybersecurity incident, 
including scenarios that identify potential supply chain impacts and 
how long critical operations and capabilities could be sustained with 
identified alternatives if a system is offline; and
    (4) Sustainability and operational impacts if an Information or 
Operational Technology system not identified as a Critical Cyber System 
becomes unavailable due to a cybersecurity incident.
    (c) Positive Train Control (PTC) Systems. Owner/operators who are 
either required to install and operate PTC under 49 CFR part 236, 
subpart I, and/or voluntarily install and operate PTC under 49 CFR part 
236, subpart H or I, must include PTC systems as a Critical Cyber 
System.
    (d) System information and network architecture. For all Critical 
Cyber Systems, the owner/operator must provide the following 
information:
    (1) Information and Operational Technology system interdependencies 
for Critical Cyber Systems;
    (2) All external connections to Critical Cyber Systems;
    (3) Zone boundaries for Critical Cyber Systems, including a 
description of how Information and Operational Technology systems are 
defined and organized into logical/virtual zones based on criticality, 
consequence, and operational necessity;
    (4) Baseline of acceptable communications between Critical Cyber 
Systems and external connections or between Information and Operational 
Technology systems; and
    (5) Operational needs that prevent or delay implementation of the 
requirements in this subpart, such as application of security patches 
and updates, encryption of communications traversing Information and 
Operational Technology systems, and multi-factor authentication.
    (e) Additional systems. If notified by TSA, the owner/operator must 
include additional Critical Cyber Systems identified by TSA not 
previously identified by the owner/operator.
    (f) Changes in Critical Cyber Systems. Any substantive changes to 
Critical Cyber Systems require an amendment to the COIP subject to the 
procedures in Sec.  1570.107 of this subchapter.


Sec.  1580.315  Supply chain risk management.

    The owner/operator must incorporate into its COIP policies, 
procedures, and capabilities to address supply chain cybersecurity 
vulnerabilities that include requiring--
    (a) All procurement documents and contracts, including service-
level agreements, executed or updated after [EFFECTIVE DATE OF FINAL 
RULE] include a requirement for the vendor or service provider to 
notify the owner/operator of the following:
    (1) Cybersecurity incidents affecting the vendor or service 
provider within a specified timeframe sufficient for the owner/operator 
to identify and address any potential risks to their Critical Cyber 
Systems based on the scope and type of cybersecurity incident.
    (2) Confirmed security vulnerabilities affecting the goods, 
services, or capabilities provided by the vendor or service provider 
within a specified timeframe sufficient for the owner/operator to 
identify and address any potential risks to their Critical Cyber 
Systems based on the scope and type of security vulnerability.
    (b) Procurement documents and contracts, including service-level 
agreements, incorporate an evaluation by the owner/operator or 
qualified third-party of the cybersecurity measures implemented by 
vendors or service providers of goods, services, or capabilities that 
will be connected to, installed on, or used by the owner/operator's 
Critical Cyber Systems.
    (c) When provided two offerings of roughly similar cost and 
function, giving preference to the offering that provides the greater 
level of cybersecurity necessary to protect against, or effectively 
respond to, cybersecurity incidents affecting the owner/operator's 
Critical Cyber Systems.
    (d) Upon notification of a cybersecurity incident or vulnerability 
under paragraphs (a) or (b) of this section, immediate consideration of 
mitigation measures sufficient to address the resulting risk to 
Critical Cyber Systems and, as applicable, revision to the COIP in 
accordance with Sec.  1570.107 of this subchapter.


Sec.  1580.317  Protection of Critical Cyber Systems.

    The owner/operator must incorporate into its COIP policies, 
procedures, controls and capabilities to protect Critical Cyber Systems 
that meet security performance objectives in the following areas--
    (a) Network segmentation. Network segmentation measures that 
protect against access to, or disruption of, the Operational Technology 
system if the Information Technology system is compromised or vice 
versa. These measures must be sufficient to--
    (1) Ensure Information and Operational Technology system-services 
transit the other only when necessary

[[Page 88564]]

for validated business or operational purposes;
    (2) Secure and defend zone boundaries with security controls--
    (i) To defend against unauthorized communications between zones; 
and
    (ii) To prohibit Operational Technology system services from 
traversing the Information Technology system, and vice-versa, unless 
the content is encrypted at a level sufficient to secure and protect 
integrity of data and prevent corruption or compromise while in 
transit. If encryption is not technologically feasible, ensure content 
is otherwise secured and protected using compensating controls that 
provide the same level of security as encryption for data in transit.
    (b) Access control. Access control measures for Critical Cyber 
Systems, including for local and remote access, that secure and defend 
against unauthorized access to Critical Cyber Systems. Except as 
provided in paragraph (f), these measures must, at a minimum, 
incorporate the following policies, procedures, and controls:
    (1) Identification and authentication requirements designed to 
prevent unauthorized access to Critical Cyber Systems, to include:
    (i) A policy for memorized secret authenticator resets that 
includes criteria for passwords and when resets must occur, including 
procedures to ensure implementation of these requirements, such as 
password lockouts; and
    (ii) Documented and defined logical/virtual and physical security 
controls for components of Critical Cyber Systems that will not be 
subject to the requirements in paragraph (b)(1)(i) of this section.
    (2) Multi-factor authentication, or other logical/virtual and 
physical security controls to supplement memorized secret 
authenticators (such as passwords) to provide risk mitigation 
commensurate to multi-factor authentication. If an owner/operator does 
not apply multi-factor authentication for access to Operational 
Technology components or assets, the owner/operator must specify what 
compensating controls are used to manage access.
    (3) Management of access rights based on the principles of least 
privilege and separation of duties. Where not technically feasible to 
apply these principles, the policies and procedures must describe 
compensating controls that the owner/operator applies.
    (4) Policies and procedures that limit availability and use of shared 
accounts to those that are critical for operations, and then only if 
absolutely necessary. When the owner/operator uses shared accounts for 
operational purposes, the policies and procedures must ensure:
    (i) Access to shared accounts is limited through account management 
that uses principles of least privilege and separation of duties;
    (ii) Any individual who no longer needs access does not have 
knowledge of the memorized secret authenticator necessary to access the 
shared account; and
    (iii) Logs are maintained sufficient to enable positive user 
identification of access to shared accounts to enable forensic 
investigation following a cybersecurity incident.
    (5) Regularly updated schedule for review of existing domain trust 
relationships to ensure their necessity and established and enforced 
policies to manage these relationships.
    (c) Patch management. Measures that reduce the risk of exploitation 
of unpatched systems through the application of security patches and 
updates for operating systems, applications, drivers, and firmware on 
Critical Cyber Systems consistent with the owner/operator's risk-based 
methodology. These measures must include:
    (1) A patch management strategy that ensures all critical security 
patches and updates on Critical Cyber Systems are current. This 
strategy must include:
    (i) The risk methodology for categorizing and determining 
criticality of patches and updates, and an implementation timeline 
based on categorization and criticality; and
    (ii) Prioritization of all security patches and updates on CISA's 
Known Exploited Vulnerabilities Catalog.
    (2) In instances where the owner/operator cannot apply patches and 
updates on specific Operational Technology systems without causing a 
severe degradation of operational capability to meet business critical 
functions, the owner/operator must provide an explanation for why the 
actions cannot be taken and a description and timeline of additional 
mitigations that address the risk created by not installing the patch 
or update within the recommended timeframe.
    (d) Logging policies. Logging policies sufficient to ensure logging 
data is--
    (1) Stored in a secure and centralized system, such as a security 
information and event management tool or database on a segmented 
network that can only be accessed or modified by authorized and 
authenticated users; and
    (2) Maintained for a duration sufficient to allow for investigation 
of cybersecurity incidents as supported by a risk analysis and 
applicable standards or regulatory guidelines.
    (e) Secure back-ups. Policies that ensure all Critical Cyber 
Systems are backed-up on a regular basis consistent with operational 
need for the information, the back-ups are securely stored separate 
from the system, and policies that require testing the integrity of 
back-ups to ensure that the data is free of known malicious code when 
the back-ups are made.
    (f) Exception for PTC hardware and software components installed on 
locomotive. (1) For hardware and software components of a PTC system 
installed on a locomotive, owner/operators in compliance with 
requirements in 49 CFR 232.105(h)(1-4) (General requirements for 
locomotives), 49 CFR 236.3 (Locking of signal apparatus housings), and 
49 CFR 256.553 (Seal, where required), may rely on the physical 
security measures used to comply with these requirements, as 
applicable, in lieu of implementing the requirements in paragraph (b).
    (2) If relying on the exception in paragraph (f)(1), the owner/
operator must list the applicable PTC system as a Critical Cyber 
System; maintain compliance with the requirements specified in 49 CFR 
232.105(h)(1-4), 49 CFR 236.3, and 49 CFR 256.553, as applicable; and 
include in the COIP a description of the physical security measures 
used to prevent unauthorized access to the identified PTC components.
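The patch management outcomes in paragraph (c) above (a risk methodology that categorizes patches, an implementation timeline per category, priority for anything on CISA's Known Exploited Vulnerabilities Catalog, and a documented explanation plus mitigations where an Operational Technology system cannot be patched) can be expressed as a small scheduling routine. The following Python is an added example written for this page, not code from TSA, CISA, or any owner/operator; the criticality tiers, the day counts in TIMELINE_DAYS, the system names and every CVE identifier are constructed placeholders, and a real deployment would load the KEV catalog feed CISA publishes rather than the sample set shown here.

```python
"""Patch prioritization along the lines of the Sec. 1580.317(c) outcomes.

Added example, not TSA or CISA code. The tier names, the day counts in
TIMELINE_DAYS, the CVE identifiers and the systems are all constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed stand-in for the CISA Known Exploited Vulnerabilities Catalog.
# A real deployment would load the catalog feed CISA publishes; these IDs are
# placeholders and do not refer to real vulnerabilities.
KEV_SAMPLE = {"CVE-0000-0001", "CVE-0000-0002"}

# Owner-defined implementation timeline (days) per criticality tier; assumed
# values for the example, not figures prescribed by the rule.
TIMELINE_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


@dataclass
class Patch:
    system: str
    cve: str
    cvss: float
    ot_system: bool = False      # True for an Operational Technology asset
    deferral_reason: str = ""    # set when applying the patch would degrade operations
    mitigations: list = field(default_factory=list)


def tier_for(patch: Patch, kev: set) -> str:
    """Risk methodology: anything on the KEV catalog is 'critical' regardless
    of score (the (c)(1)(ii) prioritization); otherwise CVSS bands decide."""
    if patch.cve in kev or patch.cvss >= 9.0:
        return "critical"
    if patch.cvss >= 7.0:
        return "high"
    if patch.cvss >= 4.0:
        return "medium"
    return "low"


def prioritize(patches, kev, today: date = None):
    """Return (schedule, exceptions).

    schedule: patches to apply, sorted by due date, then highest CVSS first.
    exceptions: OT patches that cannot be applied; each carries the
    explanation and the mitigations paragraph (c)(2) asks for."""
    today = today or date.today()
    schedule, exceptions = [], []
    for p in patches:
        tier = tier_for(p, kev)
        due = today + timedelta(days=TIMELINE_DAYS[tier])
        if p.ot_system and p.deferral_reason:
            if not p.mitigations:
                # A deferral without documented mitigations is not acceptable.
                raise ValueError(f"{p.system}/{p.cve}: deferral needs mitigations")
            exceptions.append({"system": p.system, "cve": p.cve, "tier": tier,
                               "reason": p.deferral_reason,
                               "mitigations": list(p.mitigations),
                               "original_due": due})
            continue
        schedule.append({"system": p.system, "cve": p.cve, "tier": tier,
                         "kev": p.cve in kev, "cvss": p.cvss, "due": due})
    schedule.sort(key=lambda r: (r["due"], -r["cvss"]))
    return schedule, exceptions


# Constructed sample input: one KEV-listed OT patch with a low CVSS score,
# one high-scoring IT patch, one OT patch that must be deferred, one low-risk patch.
SAMPLE_PATCHES = [
    Patch("wayside-controller-7", "CVE-0000-0001", 5.0, ot_system=True),
    Patch("crew-portal", "CVE-0000-0003", 9.8),
    Patch("hmi-01", "CVE-0000-0004", 7.5, ot_system=True,
          deferral_reason="vendor has not validated the patch on this HMI firmware",
          mitigations=["restrict the HMI zone boundary to historian traffic only",
                       "disable the affected service until the patch is validated"]),
    Patch("file-server", "CVE-0000-0005", 3.1),
]


def sample_run(today=date(2025, 1, 1)):
    return prioritize(SAMPLE_PATCHES, KEV_SAMPLE, today)


if __name__ == "__main__":
    sched, exc = sample_run()
    for r in sched:
        print(f'{r["due"]} {r["tier"]:8} kev={r["kev"]!s:5} {r["system"]} {r["cve"]}')
    for e in exc:
        print(f'EXCEPTION {e["system"]} {e["cve"]}: {e["reason"]}')
```

The KEV check runs before the CVSS bands on purpose: a low-scoring vulnerability that is known to be exploited still lands in the shortest timeline, which is the point of the (c)(1)(ii) prioritization. The deferral path refuses to record an exception that has no mitigations attached, so the schedule and the exception list together account for every pending patch.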


Sec.  1580.319  Cybersecurity training and knowledge.

    (a) Training required. (1) Owner/operators required to have a CRM 
program under this subchapter must provide basic cybersecurity training 
to all employees with access to the owner/operator's Information or 
Operational Technology systems.
    (2) No owner/operator required to have a CRM program under this 
subpart may permit a cybersecurity-sensitive employee to access, or 
have privileges to access, a Critical Cyber System or an Information or 
Operational Technology system that is interdependent with a Critical 
Cyber System, unless that individual has received basic and role-based 
cybersecurity training.
    (b) General curriculum requirements. The cybersecurity training 
program must include a curriculum or lesson plan, including learning 
objectives and method of delivery (such as instructor-led or computer-
based training) for each course used to meet the requirements in 
paragraphs (d) and (e) of this section. TSA may request additional 
information regarding the curriculum during the

[[Page 88565]]

review and approval process. If recurrent training under paragraph (e) 
of this section is not the same as initial training, a curriculum or 
lesson plan for the recurrent training will need to be submitted and 
approved by TSA.
    (c) Specific curriculum requirements. (1) Basic cybersecurity 
training. All employees and contractors with access to the owner/
operator's Information or Operational Technology systems must receive 
basic cybersecurity training that includes cybersecurity awareness to 
address best practices, acceptable use, risks associated with their 
level of privileged access, and awareness of security risks associated 
with their actions. This training must address the following topics:
    (i) Social engineering, including phishing;
    (ii) Password best practices;
    (iii) Remote work security basics;
    (iv) Safe internet and social media use;
    (v) Mobile device (wireless) vulnerabilities and network security;
    (vi) Data management and information security, including protecting 
business email, confidential information, trade secrets, and privacy; 
and
    (vii) How and to whom to report suspected inappropriate or 
suspicious activity involving Information or Operational Technology 
systems, including mobile devices provided by or connected to the 
owner/operator's Information or Operational Technology systems.
    (2) Role-based cybersecurity training. Cybersecurity-sensitive 
employees must be provided cybersecurity training that specifically 
addresses their role as a privileged user to prevent and respond to a 
cybersecurity incident, acceptable uses, and the risks associated with 
their level of access and use as approved by the owner/operator. This 
training must address the following topics as applicable to the 
specific role:
    (i) Security measures and requirements in the COIP including how 
the requirements affect account and access management, server and 
application management, and system architecture development and 
assessment;
    (ii) Recognition and detection of cybersecurity threats, types of 
cybersecurity incidents, and techniques used to circumvent 
cybersecurity measures;
    (iii) Incident handling, including procedures for reporting a 
cybersecurity incident to the Cybersecurity Coordinator and 
understanding their roles and responsibilities during a cybersecurity 
incident and implementation of the owner/operator's Cybersecurity 
Incident Response Plan required by Sec.  1580.327;
    (iv) Requirements and sources for staying aware of changing 
cybersecurity threats and countermeasures; and
    (v) Operational Technology-specific cybersecurity training for all 
personnel whose duties include access to Operational Technology 
systems.
    (d) Initial cybersecurity training. (1) Each owner/operator must 
provide initial cybersecurity training (basic and role-based, as 
applicable) to employees and contractors, using the curriculum approved 
by TSA no later than 60 days after the effective date of the owner/
operator's TSA-approved COIP required by this subpart.
    (2) For individuals who onboard or become cybersecurity-sensitive 
employees after the effective date of the owner/operator's TSA-approved 
COIP who did not receive training within the period identified in 
paragraph (d)(1) of this section, the individual must receive the 
applicable cybersecurity training no later than 10 days after 
onboarding.
    (e) Recurrent cybersecurity training. Employees and contractors 
must receive annual recurrent cybersecurity training no later than the 
anniversary calendar month of the employee's initial cybersecurity 
training. If the owner/operator provides the recurrent cybersecurity 
training in the month of, the month before, or the month after it is 
due, the employee is considered to have taken the training in the month 
it is due.
    (f) Recognition of prior or established cybersecurity training. 
Previously provided cybersecurity training may be credited towards 
satisfying the requirements of this section provided the owner/
operator--
    (1) Obtains a complete record of such training and validates the 
training meets requirements of this section as it relates to the role 
of the individual employee, and the training was provided within the 
schedule required for recurrent training; and
    (2) Retains a record of such training in compliance with the 
requirements in paragraph (g) of this section.
    (g) Retention of cybersecurity training records. The owner/operator 
must retain records of initial and recurrent cybersecurity training 
for each individual required to receive cybersecurity training 
under this section for no less than 5 years from the date of training 
that, at a minimum--
    (1) Includes the employee's full name, job title or function, date 
of hire, and date of initial and recurrent cybersecurity training; and
    (2) Identifies the date, course name, course length, and list of 
topics addressed for the cybersecurity training most recently provided 
in each of the areas required under paragraph (c) of this section.
    (h) Availability of records to employees. The owner/operator must 
provide records of cybersecurity training to current and former 
employees upon request and at no charge as necessary to provide proof 
of training.


Sec.  1580.321  Detection of cybersecurity incidents.

    The owner/operator must incorporate into its COIP policies, 
procedures, and capabilities sufficient to detect and respond to 
cybersecurity threats to, and anomalies on, Critical Cyber Systems 
that, at a minimum--
    (a) Defend against malicious email, such as spam and phishing 
emails, to preclude or mitigate against adverse impacts to operations;
    (b) Block ingress and egress communications with known or suspected 
malicious Internet Protocol addresses;
    (c) Control impact of known or suspected malicious web domains or 
web applications, such as by preventing users and devices from 
accessing malicious websites;
    (d) Block and defend against unauthorized code, including macro 
scripts, from executing;
    (e) Monitor and/or block connections from known or suspected 
malicious command and control servers (such as Tor exit nodes, and 
other anonymization services); and
    (f) Ensure continuous collection and analysis of data for potential 
intrusions and anomalous behavior on Critical Cyber Systems and other 
Information and Operational Technology systems that directly connect 
with Critical Cyber Systems.


Sec.  1580.323  Capabilities to respond to a cybersecurity incident.

    The owner/operator must incorporate into its COIP capabilities to 
respond to cybersecurity incidents affecting Critical Cyber Systems 
that, at a minimum--
    (a) Audit unauthorized access to internet domains and addresses;
    (b) Document and audit any communications between the Operational 
Technology system and an internal or external system that deviates from 
the owner/operator's identified baseline of communications;
    (c) Identify and respond to execution of unauthorized code, 
including macro scripts; and
    (d) Define, prioritize, and drive standardized incident response

[[Page 88566]]

activities, such as Security Orchestration, Automation, and Response 
(SOAR).
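Paragraph (b) of Sec. 1580.323 ties back to the baseline of acceptable communications that Sec. 1580.313(d)(4) requires and the zone boundaries of Sec. 1580.317(a)(2): deviations from that baseline must be documented and audited. The following Python is an added example, written for this page and not code from TSA or any owner/operator, of how such an audit can be run over flow records. The zone map, the baseline entries, the host addresses and the flow-log lines are all constructed for illustration; a real baseline would be the one an owner/operator documents in its COIP.

```python
"""Audit zone-boundary traffic against a documented baseline of acceptable
communications and record deviations.

Added example, not TSA's or any owner/operator's code. The zones, baseline
entries, hosts and flow-log lines are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Constructed zone map (CIDR -> zone name), standing in for the logical zones
# an owner/operator documents under Sec. 1580.313(d)(3).
ZONES = {
    "10.10.0.0/16": "ot-control",
    "10.20.0.0/16": "ot-dmz",
    "10.30.0.0/16": "it-corporate",
}

# Constructed baseline of acceptable boundary communications:
# (src_zone, dst_zone, proto, dst_port). Anything crossing a zone boundary
# that is not listed here is a deviation to be documented and audited.
BASELINE = {
    ("ot-control", "ot-dmz", "tcp", 4840),    # historian feed out of the control zone
    ("ot-dmz", "it-corporate", "tcp", 443),   # replicated historian data to IT
    ("it-corporate", "ot-dmz", "tcp", 443),   # read-only views served from the DMZ
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int
    nbytes: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the map is 'external'."""
    addr = ipaddress.ip_address(ip)
    for cidr, name in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "external"


def parse_flows(text: str):
    """Parse constructed flow records: 'src dst proto dst_port bytes' per line."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, port, nbytes = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(port), int(nbytes)))
    return flows


def audit(flows):
    """Return deviation records for boundary crossings not in BASELINE.

    Traffic that stays inside one zone is not a boundary crossing and is
    skipped. A deviation touching the control zone is rated high, others medium."""
    deviations = []
    for f in flows:
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone == dst_zone:
            continue
        if (src_zone, dst_zone, f.proto, f.dst_port) in BASELINE:
            continue
        severity = "high" if "ot-control" in (src_zone, dst_zone) else "medium"
        deviations.append({
            "severity": severity,
            "src": f.src, "src_zone": src_zone,
            "dst": f.dst, "dst_zone": dst_zone,
            "proto": f.proto, "dst_port": f.dst_port, "bytes": f.nbytes,
        })
    return deviations


# Constructed flow-log sample: two baseline flows, one IT-to-control SSH
# session, one control-zone host resolving DNS outside, one intra-zone flow.
SAMPLE_FLOW_LOG = """
# src dst proto dst_port bytes
10.10.1.5 10.20.1.10 tcp 4840 18000
10.20.1.10 10.30.5.5 tcp 443 9000
10.30.7.7 10.10.1.5 tcp 22 1200
10.10.1.5 198.51.100.9 udp 53 300
10.10.1.5 10.10.1.6 tcp 502 5000
"""


def audit_text(text: str):
    """Convenience wrapper: parse a flow log and return its deviations."""
    return audit(parse_flows(text))


if __name__ == "__main__":
    for d in audit_text(SAMPLE_FLOW_LOG):
        print(f'{d["severity"]:6} {d["src_zone"]} -> {d["dst_zone"]} '
              f'{d["proto"]}/{d["dst_port"]} {d["src"]} -> {d["dst"]}')
```

On the sample log the routine reports the IT-to-control SSH session and the control-zone host's outbound DNS query, and ignores the Modbus traffic that never leaves the control zone. The baseline is keyed on zone pairs rather than individual hosts so that it matches the way Sec. 1580.313(d) asks for zones and interdependencies to be documented; a host-level allow list can be layered on top where the COIP defines one.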


Sec.  1580.325  Reporting cybersecurity incidents.

    (a) Unless otherwise directed by TSA, each owner/operator 
identified in Sec.  1580.1(a)(1), (a)(4), and (a)(5) must notify CISA 
of any Reportable Cybersecurity Incidents, as defined in the TSA 
Cybersecurity Lexicon, as soon as practicable, but no later than 24 
hours after a Reportable Cybersecurity Incident is identified.
    (b) Reports required by this section must be made by the methods 
prescribed by TSA. All reported information will be protected in a 
manner appropriate for the sensitivity and criticality of the 
information.
    (c) The report to CISA must include the following information, as 
available to the reporting owner/operator at the time of the report:
    (1) The name of the reporting individual and contact information, 
including a telephone number and email address. The report must also 
explicitly specify that the information is being reported in order to 
satisfy the reporting requirements in Transportation Security 
Regulations.
    (2) The affected rail system(s) or facilities, including 
identifying information and location.
    (3) Description of the threat, incident, or activity, to include:
    (i) Earliest known date of compromise;
    (ii) Date of detection;
    (iii) Information about who has been notified and what action has 
been taken;
    (iv) Any relevant information observed or collected by the owner/
operator, such as malicious Internet Protocol (IP) addresses, malicious 
domains, malware hashes and/or samples, or the abuse of legitimate 
software or accounts; and
    (v) Any known threat information, to include information about the 
source of the threat or cybersecurity incident, if available.
    (4) A description of the incident's impact or potential impact on 
Information or Operational Technology systems and operations. This 
information must also include an assessment of actual or imminent 
adverse impacts to service operations, operational delays, and/or data 
theft that have or are likely to be incurred, as well as any other 
information that would be informative in understanding the impact or 
potential impact of the cybersecurity incident.
    (5) A description of all responses that are planned or under 
consideration, to include, for example, a reversion to manual 
operations of train movement and control, if applicable.
    (6) Any additional information not specifically required by this 
section, but which is critical to an understanding of the threat and 
owner/operator's response to a reportable cybersecurity incident.
    (d) If all the required information is not available at the time of 
reporting, owner/operators must submit an initial report within the 
specified timeframe and supplement as additional information becomes 
available.


Sec.  1580.327  Cybersecurity Incident Response Plan.

    (a) The owner/operator must incorporate into its COIP an up-to-date 
Cybersecurity Incident Response Plan (CIRP) for the owner/operator's 
Critical Cyber Systems to reduce the impacts of a cybersecurity 
incident that causes, or could cause, operational disruption or 
significant impacts on business-critical functions.
    (b) The CIRP must provide specific measures sufficient to ensure 
the following objectives, as applicable:
    (1) Promptly identifying, isolating, and segregating the infected 
systems from uninfected systems, networks, and devices using measures 
that prioritize:
    (i) Limiting the spread of autonomous malware;
    (ii) Denying continued access by a threat actor to systems;
    (iii) Determining extent of compromise; and
    (iv) Preserving evidence and data.
    (2) Only data stored and secured as required by Sec.  1580.317(e) 
is used to restore systems, and all stored backup data is scanned with 
host security software to ensure it is free of malicious artifacts 
before being used for restoration.
    (3) Established capability and governance for implementing 
mitigation measures or manual controls that ensure that the Operational 
Technology system can be isolated when a cybersecurity incident in the 
Information Technology system creates risk to the safety and 
reliability of the Operational Technology system.
    (c) The CIRP must identify who (by position) is responsible for 
implementing the specific measures in the plan and any necessary 
resources needed to implement the measures.
    (d) The owner/operator must conduct an exercise to test the 
effectiveness of the CIRP no less than annually. The exercise conducted 
under this paragraph must--
    (1) Test at least two objectives of the owner/operator's CIRP 
required by paragraph (b) of this section, no less than annually; and
    (2) Include the employees identified (by position) in paragraph (c) 
as active participants in the exercise.
    (e) Within no more than 90 days after the date of the exercise 
required by paragraph (d), the owner/operator must update the CIRP as 
appropriate to address any issues identified during the exercise.
    (f) The owner/operator must notify TSA within 15 days of any 
changes to the CIRP. As the owner/operator must separately notify TSA, 
updating the COIP to align with information provided to TSA under this 
section does not require an amendment subject to the procedures in 
Sec.  1570.107 of this subchapter.


Sec.  1580.329  Cybersecurity Assessment Plan.

    (a) Requirement for a Cybersecurity Assessment Plan. No later than 
90 days from TSA's approval of the owner/operator's COIP, the owner/
operator must submit to TSA a Cybersecurity Assessment Plan (CAP) 
sufficient to--
    (1) Proactively assess the effectiveness of all policies, 
procedures, measures, and capabilities in the owner/operator's TSA-
approved COIP as applied to all Critical Cyber Systems; and
    (2) Identify and resolve device, network, and/or system 
vulnerabilities associated with Critical Cyber Systems.
    (b) Contents of the CAP. At a minimum, the CAP must describe in 
detail:
    (1) The plan to assess the effectiveness of the owner/operator's 
TSA-approved COIP as applied to all Critical Cyber Systems;
    (2) Schedule and scope of an architectural design review within 12 
months either before or after TSA's approval of the owner/operator's 
COIP, to be repeated at least once every 2 years thereafter. The 
architectural design review required by this paragraph must include 
verification and validation of network traffic, a system log review, 
and analysis to identify cybersecurity vulnerabilities related to 
network design, configuration, and interconnectivity to internal and 
external systems;
    (3) Other assessment capabilities designed to identify 
vulnerabilities to Critical Cyber Systems based on evolving threat 
information and adversarial capabilities, such as penetration testing 
of Information Technology systems, including the use of ``red'' and 
``purple'' team (adversarial perspective) testing.

[[Page 88567]]

    (c) Specific Schedule. (1) In addition to specifying the schedule 
for the architectural design review required by paragraph (b)(2), the 
CAP must 
include a schedule for conducting the assessments required by paragraph 
(b) sufficient to ensure at least one-third of the policies, 
procedures, measures, and capabilities in the TSA-approved COIP are 
assessed each year, with 100 percent of the COIP and all Critical Cyber 
Systems assessed over a 3-year period.
    (2) The schedule required by this paragraph must map the planned 
assessments to the COIP and Critical Cyber System to document the plan 
will ensure all policies, procedures, measures, and capabilities in the 
owner/operator's TSA-approved COIP and all Critical Cyber Systems will 
be assessed within the timeframes required by paragraph (c)(1).
    (d) Independence of assessors and auditors. Owner/operators must 
ensure that the assessments, audits, testing, and other capabilities to 
assess the effectiveness of the TSA-approved COIP are not conducted by 
individuals who have oversight of, or responsibility for implementing, 
the owner/operator's CRM program, or who have a vested or other 
financial interest in the results of the CAP.
    (e) Annual submission of report. The owner/operator must ensure a 
report of the results of assessments conducted in accordance with the 
CAP is provided to corporate leadership and individuals designated 
under Sec.  1580.309(a) and (b)(1) of this subpart, and submitted to 
TSA, no later than 15 months from the date of approval of the initial 
CAP and annually thereafter. The required report must indicate--
    (1) Which assessment method(s) were used to determine if the 
policies, procedures, and capabilities described by the owner/operator 
in its COIP are effective; and
    (2) Results of the assessment methodologies.
    (f) Annual update of the CAP. The owner/operator must review and 
annually update the CAP to address any changes to policies, procedures, 
measures, or capabilities in the COIP or assessment capabilities 
required by paragraph (b). The updated CAP must be submitted to TSA for 
approval no later than 12 months from the date of TSA's approval of the 
current CAP.
    (g) Sensitive Security Information. Assessments conducted under 
this section are vulnerability assessments as defined in Sec.  1500.3 
of this chapter and must be protected as Sensitive Security Information 
under Sec.  1520.5(b)(5) of this chapter.


Sec.  1580.331  Documentation to establish compliance.

    For the purposes of the requirements in this subpart, upon TSA's 
request, the owner/operator must provide for inspection or copying the 
following types of information to establish compliance:
    (a) Hardware/software asset inventory, including supervisory 
control and data acquisition (SCADA) systems;
    (b) Firewall rules;
    (c) Network diagrams, switch and router configurations, 
architecture diagrams, publicly routable Internet Protocol (IP) 
addresses, and Virtual Local Area Networks (VLANs);
    (d) Policy, procedural, and other documents that informed the 
development, and documented implementation of, the owner/operator's CRM 
program;
    (e) Data providing a ``snapshot'' of activity on and between 
Information and Operational Technology systems such as:
    (1) Log files;
    (2) A capture of network traffic (such as packet capture (PCAP)), 
for a scope and period directed by TSA, not less than 24 hours and not 
to exceed 48 hours;
    (3) ``East-West Traffic'' of Information Technology systems, sites, 
and environments within the scope of this subpart; and
    (4) ``North-South Traffic'' between Information and Operational 
Technology systems, and the perimeter boundaries between them; and
    (f) Any other records or documents necessary to determine 
compliance with this subpart.
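The baseline-deviation audit required by Sec.  1580.323(b) and the 
``East-West'' / ``North-South'' split used in paragraphs (e)(3) and 
(e)(4) of this section can be demonstrated on flow summaries with one 
short routine. The Python below is an added example, not code from the 
NPRM or from any owner/operator's COIP. The zone addressing, the 
baseline tuples, and the flow records are all constructed, and the 
two-way classification (same zone is east-west; crossing a zone 
boundary, including to or from outside, is north-south) is this 
example's simplification of the definitions above. Every flow produces 
a finding so that the record is auditable; flows whose (source zone, 
destination zone, protocol, destination port) tuple is outside the 
baseline are flagged as deviations.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass, asdict

# Hypothetical zone addressing for the example (private/documentation ranges).
ZONES = {
    "IT":  [ipaddress.ip_network("10.10.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.15.0.0/24")],
    "OT":  [ipaddress.ip_network("10.20.0.0/16")],
}

# Hypothetical stand-in for the owner/operator's identified baseline
# (Sec. 1580.323(b)): permitted (src_zone, dst_zone, proto, dst_port) tuples.
BASELINE = {
    ("IT",  "IT",  "tcp", 445),   # file sharing inside IT
    ("IT",  "DMZ", "tcp", 443),   # IT clients to the DMZ broker
    ("DMZ", "OT",  "tcp", 443),   # broker to the OT historian
    ("OT",  "OT",  "tcp", 502),   # Modbus/TCP between OT devices
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    octets: int


# Constructed NetFlow-style flow summaries; not real traffic.
SAMPLE_FLOWS = [
    Flow("2024-11-07T02:00:01Z", "10.10.1.5",  "10.10.1.9",     "tcp", 445,  81234),
    Flow("2024-11-07T02:00:04Z", "10.10.2.7",  "10.15.0.10",    "tcp", 443,  5120),
    Flow("2024-11-07T02:00:09Z", "10.15.0.10", "10.20.3.4",     "tcp", 443,  20480),
    Flow("2024-11-07T02:00:12Z", "10.20.3.4",  "10.20.3.9",     "tcp", 502,  960),
    Flow("2024-11-07T02:01:30Z", "10.10.1.5",  "10.20.3.4",     "tcp", 502,  640),      # IT host speaking Modbus straight into OT
    Flow("2024-11-07T02:02:11Z", "10.20.3.9",  "198.51.100.23", "tcp", 443,  143360),   # OT device reaching the internet
    Flow("2024-11-07T02:03:45Z", "10.20.3.4",  "10.20.3.9",     "tcp", 3389, 7340032),  # RDP inside OT, not in baseline
]


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in n for n in nets):
            return name
    return "EXTERNAL"


def classify(flow: Flow) -> str:
    # Example's simplification of Sec. 1580.331(e)(3)-(4): traffic that stays
    # inside one zone is east-west; anything that crosses a zone boundary
    # (IT<->OT, or to/from outside the owner/operator's networks) is north-south.
    return "east-west" if zone_of(flow.src) == zone_of(flow.dst) else "north-south"


def audit(flows, baseline=BASELINE):
    """Return (findings, summary). One finding per flow keeps the record
    auditable; a deviation is a flow whose zone/proto/port tuple is not in
    the baseline. summary counts (direction, is_deviation) pairs."""
    findings = []
    for f in flows:
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        findings.append({
            **asdict(f),
            "src_zone": src_zone,
            "dst_zone": dst_zone,
            "direction": classify(f),
            "deviation": (src_zone, dst_zone, f.proto, f.dport) not in baseline,
        })
    summary = Counter((x["direction"], x["deviation"]) for x in findings)
    return findings, summary


def deviations(flows=SAMPLE_FLOWS):
    return [x for x in audit(flows)[0] if x["deviation"]]


if __name__ == "__main__":
    for d in deviations():
        print(f'{d["ts"]} {d["src_zone"]}->{d["dst_zone"]} {d["src"]}->{d["dst"]} '
              f'{d["proto"]}/{d["dport"]} DEVIATION ({d["direction"]})')
```

On the sample input the three deviations are the IT-to-OT Modbus 
session, the OT device egressing to an external address, and RDP 
between two OT hosts; the first two are north-south and the last is 
east-west, which is why both traffic views in paragraph (e) are needed 
to see all three. A real deployment would build the baseline from 
observed traffic during a known-good window and review it rather than 
hand-writing it.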
■
19. Revise appendix B to part 1580 to read as follows:

Appendix B to Part 1580--Security-Sensitive Functions for Freight Rail

    This table identifies security-sensitive job functions for 
owner/operators regulated under this part. All employees performing 
security-sensitive functions are ``security-sensitive employees'' 
for purposes of this rule and must be trained in accordance with 
this part.

For each category, the table gives the security-sensitive job functions 
for freight rail and examples of job titles applicable to those 
functions.*

A. Operating a vehicle.
    Functions: (1) Employees who operate or directly control the 
movements of locomotives or other self-powered rail vehicles. (2) Train 
conductor, trainman, brakeman, or utility employee, or employees who 
perform acceptance inspections, couple and uncouple rail cars, apply 
handbrakes, or perform similar functions. (3) Employees covered under 
the Federal hours of service laws as ``train employees.'' See 49 U.S.C. 
21101(5) and 21103.
    Example job titles: Engineer, conductor.

B. Inspecting and maintaining vehicles.
    Functions: Employees who inspect or repair rail cars and 
locomotives.
    Example job titles: Carman, car repairman, car inspector, engineer, 
conductor.

C. Inspecting or maintaining building or transportation infrastructure.
    Functions: (1) Employees who (a) maintain, install, or inspect 
communications and signal equipment, or (b) maintain, install, or 
inspect track and structures, including, but not limited to, bridges, 
trestles, and tunnels. (2) Employees covered under the Federal hours of 
service laws as ``signal employees.'' See 49 U.S.C. 21101(3) and 21104.
    Example job titles: Signalman, signal maintainer, trackman, gang 
foreman, bridge and building laborer, roadmaster, bridge and building 
inspector/operator.

[[Page 88568]]

D. Controlling dispatch or movement of a vehicle.
    Functions: (1) Employees who (a) dispatch, direct, or control the 
movement of trains; (b) operate or supervise the operations of moveable 
bridges; or (c) supervise the activities of train crews, car movements, 
and switching operations in a yard or terminal. (2) Employees covered 
under the Federal hours of service laws as ``dispatching service 
employees.'' See 49 U.S.C. 21101(2) and 21105.
    Example job titles: Yardmaster, dispatcher, block operator, bridge 
operator.

E. Providing security of the owner/operator's equipment and property.
    Functions: Employees who provide for the security of the railroad 
carrier's equipment and property, including acting as a railroad police 
officer (as that term is defined in 49 CFR 207.2).
    Example job titles: Police officer, special agent, patrolman, 
watchman, guard.

F. Loading or unloading cargo or baggage.
    Functions: Includes, but is not limited to, employees that load or 
unload hazardous materials.
    Example job titles: Service track employee.

G. Interacting with travelling public (on board a vehicle or within a 
transportation facility).
    Functions: Employees of a freight railroad operating in passenger 
service.
    Example job titles: Conductor, engineer, agent.

H. Complying with security programs or measures, including those 
required by Federal law.
    Functions: (1) Employees who serve as security coordinators 
designated in Sec.  1580.103 or 1580.311 of this subchapter, as well 
as any designated alternates or secondary security coordinators. (2) 
Employees who (a) conduct training and testing of employees when the 
training or testing is required by TSA's security regulations; (b) 
perform inspections or operations required by Sec.  1580.205 of this 
subchapter; or (c) manage or direct implementation of security plan 
requirements.
    Example job titles: Security coordinator, accountable executive, 
train master, assistant train master, roadmaster, division roadmaster.

* These job titles are provided solely as a resource to help understand 
the functions described; whether an employee must be trained is based 
upon the function, not the job title.

■
20. Add appendix C to part 1580 to read as follows:

Appendix C to Part 1580--Reporting of Significant Physical Security 
Concerns

The categories of reportable significant physical security concerns, 
with a description of each, are as follows.

Breach, Attempted Intrusion, and/or Interference: Unauthorized 
personnel attempting to or actually entering a restricted area or 
secure site relating to a transportation facility or conveyance owned, 
operated, or used by an owner/operator subject to this part. This 
includes individuals entering or attempting to enter by impersonation 
of authorized personnel (for example, police/security, janitor, vehicle 
owner/operator). Activity that could interfere with the ability of 
employees to perform duties to the extent that security is threatened.

Misrepresentation: Presenting false, or misusing, insignia, documents, 
and/or identification, to misrepresent one's affiliation with an owner/
operator subject to this part to cover possible illicit activity that 
may pose a risk to transportation security.

Theft, Loss, and/or Diversion: Stealing or diverting identification 
media or badges, uniforms, vehicles, keys, tools capable of 
compromising track integrity, portable derails, technology, or 
classified or sensitive security information documents which are 
proprietary to the facility or conveyance owned, operated, or used by 
an owner/operator subject to this part.

Sabotage, Tampering, and/or Vandalism: Damaging, manipulating, or 
defeating safety and security appliances in connection with a facility, 
infrastructure, conveyance, or routing mechanism, resulting in the 
compromised use or the temporary or permanent loss of use of the 
facility, infrastructure, conveyance, or routing mechanism. Placing or 
attaching a foreign object to a rail car(s).

Expressed or Implied Threat: Communicating a spoken or written threat 
to damage or compromise a facility, infrastructure, or conveyance 
owned, operated, or used by an owner/operator subject to this part (for 
example, a bomb threat or active shooter).

Eliciting Information: Questioning that may pose a risk to 
transportation or national security, such as asking one or more 
employees of an owner/operator subject to this part about particular 
facets of a facility's or conveyance's purpose, operations, or security 
procedures.

Testing or Probing of Security: Deliberate interactions with employees 
of an owner/operator subject to this part, or challenges to facilities 
or systems owned, operated, or used by an owner/operator subject to 
this part, that reveal physical, personnel, or security capabilities or 
sensitive information.

[[Page 88569]]

Photography: Taking photographs or video of facilities, conveyances, or 
infrastructure owned, operated, or used by an owner/operator subject to 
this part in a manner that may pose a risk to transportation or 
national security. Examples include taking photographs or video of 
infrequently used access points, personnel performing security 
functions (for example, patrols, badge/vehicle checking), or security-
related equipment (for example, perimeter fencing, security cameras).

Observation or Surveillance: Demonstrating unusual interest in 
facilities or loitering near conveyances, railcar routing appliances, 
or any potentially critical infrastructure owned or operated by an 
owner/operator subject to this part in a manner that may pose a risk to 
transportation or national security. Examples include observation 
through binoculars, taking notes, or attempting to measure distances.

Materials Acquisition and/or Storage: Acquisition and/or storage by an 
employee of an owner/operator subject to this part of materials such as 
cell phones, pagers, fuel, chemicals, toxic materials, and/or timers 
that may pose a risk to transportation or national security (for 
example, storage of chemicals not needed by an employee for the 
performance of his or her job duties).

Weapons Discovery, Discharge, or Seizure: Weapons or explosives in or 
around a facility, conveyance, or infrastructure of an owner/operator 
subject to this part that may present a risk to transportation or 
national security (for example, discovery of weapons inconsistent with 
the type or quantity traditionally used by company security personnel).

Suspicious Items or Activity: Discovery or observation of suspicious 
items, activity, or behavior in or around a facility, conveyance, or 
infrastructure of an owner/operator subject to this part that results 
in the disruption or termination of operations (for example, halting 
the operation of a conveyance while law enforcement personnel 
investigate a suspicious bag, briefcase, or package).

PART 1582--PUBLIC TRANSPORTATION AND PASSENGER RAILROAD SECURITY

■
21. Revise the authority citation for part 1582 to read as follows:

    Authority: 49 U.S.C. 114; Pub. L. 110-53, 121 Stat. 266.

■
22. Amend Sec.  1582.3 by adding the definition of ``Unlinked passenger 
trips'' in alphabetical order.


Sec.  1582.3  Terms used in this part.

* * * * *
    Unlinked passenger trips means the number of times passengers board 
public transportation vehicles based on counting passengers each time 
they board vehicles, no matter how many vehicles they use to travel 
from their origin to their destination and regardless of whether they 
pay a fare, use a pass or transfer, ride for free, or pay in some other 
way.
■
23. Revise subpart B of part 1582 to read as follows:

Subpart B--Security Programs: Physical Security

Sec.
1582.101 Scope.
1582.103 Physical Security Coordinator.
1582.105 Reporting of significant physical security concerns.
1582.107 [Reserved]
1582.109 [Reserved]
1582.111 [Reserved]
1582.113 Security training program requirements.
1582.115 [Reserved]


Sec.  1582.101  Scope.

    This subpart includes requirements that are primarily intended to 
ensure the physical security of public transportation and passenger 
railroads. Physical security encompasses the security of individuals, 
buses, rail cars, and transportation facilities, as well as the persons 
in areas in or near to operations that could have their safety and 
security threatened by an attack on physical systems and assets. Owner/
operators identified in Sec.  1582.1 must review the applicability in 
each section in this subpart to determine if any of the requirements 
apply to their operations.


Sec.  1582.103  Physical Security Coordinator.

    (a)(1) Except as provided in paragraphs (a)(2) and (a)(3) of this 
section, each owner/operator identified in Sec.  1582.1 must designate 
and use a primary and at least one alternate Physical Security 
Coordinator at the corporate level to function as the administrator for 
sharing security-related activities and information.
    (2) An owner/operator identified in Sec.  1582.1(a)(2) that owns or 
operates a bus-only operation must designate and use a primary and at 
least one alternate Physical Security Coordinator only if the owner/
operator is identified in appendix A to part 1582 of this subchapter or 
is notified by TSA in writing that a threat exists concerning that 
operation.
    (3) An owner/operator identified in Sec.  1582.1(a)(4) (tourist, 
scenic, historic, or excursion rail operations) must designate and use 
a primary and at least one alternate Physical Security Coordinator, 
only if notified by TSA in writing that a threat exists concerning that 
type of operation.
    (b) The primary Physical Security Coordinator and alternate(s) 
must--
    (1) Be accessible to TSA on a 24 hours per day, 7 days per week 
basis; and
    (2) Serve as the primary contact(s) for intelligence information 
and security-related activities and communications with TSA (any 
individual designated as a Physical Security Coordinator may perform 
other duties in addition to the duties described in this section); and
    (3) Coordinate security practices and procedures required by this 
subchapter internally and with appropriate law enforcement and 
emergency response agencies.
    (c) The Physical Security Coordinator and alternate(s) must be a 
U.S. citizen eligible for a security clearance, unless otherwise waived 
by TSA.
    (d) Each owner/operator required to have a Physical Security 
Coordinator must provide in writing to TSA the names, U.S. citizenship 
status, titles, business phone number(s), and business email 
address(es) of the Physical Security Coordinator and alternate(s). 
Changes in any of the information required by this section must be 
submitted to TSA within 7 calendar days.


Sec.  1582.105  Reporting of significant physical security concerns.

    (a) Each owner/operator identified in Sec.  1582.1 must report, as 
soon as possible and no later than 24 hours after initial discovery, 
any potential threats and significant physical security concerns 
involving transportation-related operations in the United States or 
transportation to, from, or within the United States, by the methods 
prescribed by TSA.

[[Page 88570]]
    (b) Potential threats or significant physical security concerns 
encompass incidents, suspicious activities, and threat information 
affecting physical operations including, but not limited to, the 
categories of reportable events listed in appendix C to this part.
    (c) Information reported must include the following, as available 
and applicable:
    (1) The name of the reporting individual and contact information, 
including a telephone number or email address.
    (2) The affected freight or passenger train, bus, conveyance, 
station, terminal, rail hazardous materials facility, or other 
transportation facility or infrastructure, including identifying 
information and current location.
    (3) Scheduled origination and termination locations for the 
affected passenger train or bus--including departure and destination 
station, city, and route, as applicable.
    (4) Description of the threat, incident, or activity, including who 
has been notified and what action has been taken.
    (5) The names, other available biographical data, and/or 
descriptions (including vehicle or license plate information) of 
individuals or motor vehicles known or suspected to be involved in the 
threat, incident, or activity.
    (6) The source of any threat information.


Sec.  1582.107  [Reserved]


Sec.  1582.109  [Reserved]


Sec.  1582.111  [Reserved]


Sec.  1582.113  Security training program requirements.

    (a) Applicability. This section applies to the following:
    (1) Amtrak (also known as the National Railroad Passenger 
Corporation).
    (2) Each owner/operator identified in Appendix A to this part.
    (3) Each owner/operator described in Sec.  1582.1(a)(1) through (3) 
that serves as a host railroad to a freight operation described in 
Sec.  1580.113(a) of this subchapter or to a passenger train operation 
described in paragraphs (1) or (2) of this section.
    (b) Training required for security-sensitive employees. No owner/
operator identified in paragraph (a) of this section may use a 
security-sensitive employee to perform a function identified in 
Appendix B to this part, unless that individual has received training 
as part of a security training program approved by TSA or is under the 
direct supervision of an employee who has received the training 
required by this section as applicable to that security-sensitive 
function. Upon approval, this security training program becomes part of 
the owner/operator's TSA-approved security program.
    (c) Limits on use of untrained employees. Notwithstanding paragraph 
(b) of this section, a security-sensitive employee may not perform a 
security-sensitive function for more than 60 calendar days without 
receiving security training.
    (d) General requirements. Each owner/operator required to provide 
security training to its employees under this section must submit their 
security training program to TSA for approval in a form and manner 
prescribed by TSA. The security training program must include the 
following information:
    (1) Name of owner/operator.
    (2) Name, title, telephone number, and email address of the primary 
individual to be contacted with regard to review of the security 
training program.
    (3) Number, by specific job function category identified in 
Appendix B to this part, of security-sensitive employees trained or to 
be trained.
    (4) Implementation schedule that identifies a specific date by 
which the required initial and recurrent security training will be 
completed.
    (5) Location where training program records will be maintained.
    (6) Plan for ensuring supervision of untrained security-sensitive 
employees performing functions identified in Appendix B to this part.
    (7) Plan for notifying employees of changes to security measures 
that could change information provided in previously provided training.
    (8) Method(s) for evaluating the effectiveness of the security 
training program in each area required by paragraph (e) of this 
section.
    (e) General curriculum requirements. The security training program 
submitted to TSA for approval must include a curriculum or lesson plan, 
including learning objectives and method of delivery (such as 
instructor-led or computer-based training) for each course used to meet 
the requirements in paragraph (f) of this section. TSA may request 
additional information regarding the curriculum during the review and 
approval process. If recurrent training under paragraph (j) of this 
section is not the same as initial training, a curriculum or lesson 
plan for the recurrent training will need to be submitted and approved 
by TSA.
    (f) Specific curriculum requirements. (1) Prepare. Each owner/
operator must ensure that each of its security-sensitive employees with 
position- or function-specific responsibilities under the owner/
operator's security program have knowledge of how to fulfill those 
responsibilities in the event of a security threat, breach, or incident 
to ensure--
    (i) Employees with responsibility for transportation security 
equipment and systems are aware of their responsibilities and can 
verify the equipment and systems are operating and properly maintained; 
and
    (ii) Employees with other duties and responsibilities under the 
company's security plans and/or programs, including those required by 
Federal law, know their assignments and the steps or resources needed 
to fulfill them.
    (2) Observe. Each owner/operator must ensure that each of its 
security-sensitive employees has knowledge of the observational skills 
necessary to recognize--
    (i) Suspicious and/or dangerous items, such as substances, 
packages, or conditions (for example, characteristics of an Improvised 
Explosive Device and signs of equipment tampering or sabotage);
    (ii) Combinations of actions and individual behaviors that appear 
suspicious and/or dangerous, inappropriate, inconsistent, or out of the 
ordinary for the employee's work environment, which could indicate a 
threat to transportation security; and
    (iii) How a terrorist or someone with malicious intent may attempt 
to gain sensitive information or take advantage of vulnerabilities.
    (3) Assess. Each owner/operator must ensure that each of its 
security-sensitive employees has knowledge necessary to--
    (i) Determine whether the item, individual, behavior, or situation 
requires a response as a potential terrorist threat based on the 
respective transportation environment; and
    (ii) Identify appropriate responses based on observations and 
context.
    (4) Respond. Each owner/operator must ensure that each of its 
security-sensitive employees has knowledge of how to--
    (i) Appropriately report a security threat, including knowing how 
and when to report internally to other employees, supervisors, or 
management, and externally to Local, State, or Federal agencies 
according to the owner/operator's security procedures or other relevant 
plans;

[[Page 88571]]

    (ii) Interact with the public and first responders at the scene of 
the threat or incident, including communication with passengers on 
evacuation and any specific procedures for individuals with 
disabilities and the elderly; and
    (iii) Use any applicable self-defense devices or other protective 
equipment provided to employees by the owner/operator.
    (g) Relation to other training. Training conducted by owner/
operators to comply with other requirements or standards, such as 
emergency preparedness training required by the Department of 
Transportation (DOT) (49 CFR part 239) or other training for 
communicating with emergency responders to arrange the evacuation of 
passengers, may be combined with and used to satisfy elements of the 
training requirements in this section.
    (h) Submission. If commencing or modifying operations subject to 
these requirements after June 21, 2021, the training program must be 
submitted to TSA no later than 90 calendar days before commencing new 
or modified operations.
    (i) Initial security training. Each owner/operator must provide 
initial security training to security-sensitive employees, using the 
curriculum approved by TSA and in compliance with the following 
schedule.
    (1) For security training programs submitted to TSA for approval 
after March 22, 2021, if the employee is employed to perform a 
security-sensitive function on the date TSA approves the program, then 
initial training must be provided no later than 12 months after the 
date that TSA approves the owner/operator's security training program.
    (2) If performance of a security-sensitive job function is 
initiated after TSA approves the owner/operator's security training 
program, then initial training must be provided no later than 60 
calendar days after the employee first performs the security-sensitive 
job function.
    (3) If the security-sensitive job function is performed 
intermittently, then initial security training must be provided no 
later than the 60th calendar day of employment performing a security-
sensitive function, aggregated over a consecutive 12-month period.
    (j) Recurrent security training. (1) Except as provided in 
paragraph (j)(2) of this section, a security-sensitive employee 
required to receive training must receive the required training at 
least once every 3 years.
    (2) If an owner/operator modifies a security program or security 
plan for which training is required, the owner/operator must ensure 
each security-sensitive employee with position- or function-specific 
responsibilities related to the revised plan or program changes 
receives training on the revisions within 90 days of implementation of 
the revised plan or program changes. All other employees must receive 
training that reflects the changes to the operating security 
requirements as part of their regularly scheduled recurrent training.
    (3) The 3-year recurrent training cycle is based on the anniversary 
calendar month of the employee's initial security training. If the 
owner/operator provides the recurrent security training in the month 
of, the month before, or the month after it is due, the employee is 
considered to have taken the training in the month it is due.
    (k) Recognition of prior training. Previously provided security 
training may be credited towards satisfying the requirements of this 
section provided the owner/operator--
    (1) Obtains a complete record of such training and validates the 
training meets requirements of this section as it relates to the 
function of the individual security-sensitive employee, and the 
training was provided within the schedule required for recurrent 
training; and
    (2) Retains a record of such training in compliance with the 
requirements in paragraph (l).
    (l) Retention of security training records. The owner/operator must 
retain records of initial and recurrent security training for 
each individual required to receive security training under this 
section for no less than 5 years from the date of training that, at a 
minimum--
    (1) Includes employee's full name, job title or function, date of 
hire, and date of initial and recurrent security training; and
    (2) Identifies the date, course name, course length, and list of 
topics addressed for the security training most recently provided in 
each of the areas required under paragraph (e) of this section.
    (m) Availability of records to employees. The owner/operator must 
provide records of security training to current and former employees 
upon request and at no charge as necessary to provide proof of 
training.
    (n) Incorporation into security program. Once approved by TSA, the 
security training program required by this section is part of the 
owner/operator's TSA-approved security program. The owner/operator must 
implement and maintain the security training program and comply with 
timeframes for implementation identified in the security training 
program. Any modifications or amendments to the program must be made as 
stipulated in Sec.  1570.107 of this subchapter.
    (o) Situations requiring owner/operator to revise security training 
program. The owner/operator must submit a request to amend its security 
program if, after approval, the owner/operator makes, or intends to 
make, permanent (to be in effect for 60 or more calendar days) or 
substantive changes to its security training curriculum, including 
changes to address:
    (1) Determinations that the security training program is 
ineffective based on the approved method for evaluating effectiveness 
in the security training program approved by TSA; or
    (2) Development of recurrent training material for purposes of 
meeting the requirements in paragraph (j) of this section or other 
alternative training materials not previously approved by TSA.


Sec.  1582.115  [Reserved]

■ 24. Add subpart C of part 1582 to read as follows:

Subpart C--Cybersecurity Risk Management

Sec.
1582.201 Scope and applicability.
1582.203 Form, content, and availability of Cybersecurity Risk 
Management program.
1582.205 Cybersecurity evaluation.
1582.207 Cybersecurity Operational Implementation Plan.
1582.209 Governance of the CRM program.
1582.211 Cybersecurity Coordinator.
1582.213 Identification of Critical Cyber Systems.
1582.215 Supply chain risk management.
1582.217 Protection of Critical Cyber Systems.
1582.219 Cybersecurity training and knowledge.
1582.221 Detection of cybersecurity incidents.
1582.223 Capabilities to respond to a cybersecurity incident.
1582.225 Reporting cybersecurity incidents.
1582.227 Cybersecurity Incident Response Plan.
1582.229 Cybersecurity Assessment Plan.
1582.231 Documentation to establish compliance.


Sec.  1582.201  Scope and applicability.

    (a) Scope. This subpart includes requirements to ensure the 
cybersecurity of public transportation and passenger railroads to 
mitigate the risk of significant harm to individuals and transportation 
facilities, as well as persons in areas in or near rail operations, 
that could have their safety and security threatened as a result of the

[[Page 88572]]

degradation, destruction, or malfunction of systems that control these 
systems and infrastructure. In addition, cybersecurity incidents could 
have significant impacts on national and economic security of the 
United States by impeding the movement of people who rely on public 
transportation for commuting or intercity rail operations. The owner/
operators identified in Sec.  1582.1 must review the applicability for 
carrying out a Cybersecurity Risk Management program in paragraph (b) 
of this section, designation of a Cybersecurity Coordinator in Sec.  
1582.211, and reporting cybersecurity requirements in Sec.  1582.225 to 
determine if the requirements apply to their operations.
    (b) Applicability. Each owner/operator described in Sec.  1582.1 
must adopt and carry out a Cybersecurity Risk Management (CRM) program 
for each operation that meets any of the following criteria:
    (1) Is a passenger railroad carrier with average daily unlinked 
passenger trips of 5,000 or greater in any of the three calendar years 
before [EFFECTIVE DATE OF FINAL RULE] or any single calendar year after 
[EFFECTIVE DATE OF FINAL RULE].
    (2) Is a passenger railroad carrier described in Sec.  1582.1(a)(1) 
through (3) that serves as a host railroad to a class I railroad or 
Amtrak, regardless of ridership volume.
    (3) Is a rail transit system described in Sec.  1582.1(a)(3) with 
average daily unlinked passenger trips of 50,000 or greater in any of 
the three calendar years before [EFFECTIVE DATE OF FINAL RULE] or any 
single calendar year after [EFFECTIVE DATE OF FINAL RULE].


Sec.  1582.203  Form, content, and availability of Cybersecurity Risk 
Management program.

    (a) General content requirements. The CRM program required by this 
subpart is a comprehensive program that includes the following 
components:
    (1) A cybersecurity evaluation completed and updated as required by 
Sec.  1582.205;
    (2) A TSA-approved Cybersecurity Operational Implementation Plan 
(COIP) that meets the requirements in Sec.  1582.207.
    (3) A Cybersecurity Assessment Plan that meets the requirements in 
Sec.  1582.229.
    (b) Subsidiaries. If a single CRM program is developed and 
implemented for multiple business units within a single corporate 
entity, any documents used to comply or establish compliance with the 
requirements in this subpart must clearly identify and distinguish 
application of the requirements to each business unit.


Sec.  1582.205  Cybersecurity evaluation.

    (a) General. Each owner/operator required to have a CRM program 
must complete an initial and recurrent cybersecurity evaluation 
sufficient to determine the owner/operator's current enterprise-wide 
cybersecurity profile of logical/virtual and physical security controls 
when evaluated against the CRM program requirements in this subpart, 
using a form provided by TSA or other tools approved by TSA.
    (b) Timing. The initial cybersecurity evaluation must be completed 
no later than [DATE 90 DAYS AFTER EFFECTIVE DATE OF FINAL RULE], but no 
more than one year before the date of submission of the owner/
operator's Cybersecurity Operational Implementation Plan required by 
Sec.  1582.207 of this subpart. If commencing or modifying operations 
subject to these requirements after [EFFECTIVE DATE OF FINAL RULE], the 
initial cybersecurity evaluation must be submitted to TSA no later than 
45 calendar days after commencing the new or modified operations 
triggering applicability.
    (c) Annual updates. The evaluation required by paragraph (a) of 
this section must be updated annually, no later than one year from the 
anniversary date of the previously completed evaluation.
    (d) Notification. The owner/operator must notify TSA within 7 days 
of completing the evaluation and annual updates required by this 
section. A copy of the evaluation must be provided to TSA upon request.
    (e) Sensitive Security Information. This evaluation is a 
vulnerability assessment as defined in Sec.  1500.3 of this chapter and 
must be protected as Sensitive Security Information under Sec.  
1520.5(b)(5) of this chapter.


Sec.  1582.207  Cybersecurity Operational Implementation Plan.

    (a) Requirement. Each owner/operator required to have a CRM program 
under this part must adopt a COIP.
    (b) General Content. The COIP must include the following corporate 
information:
    (1) The name and corporate address of the owner/operator;
    (2) Written attestation by the owner/operator's accountable 
executive that the COIP has been reviewed and approved by senior 
management; and
    (3) Identification of specific operations that meet the 
applicability criteria.
    (c) Specific Content. The COIP must detail the owner/operator's 
defense-in-depth plan, including physical and logical/virtual security 
controls, to comply with the requirements and security outcomes 
specified in the following sections:
    (1) Governance. The requirements for governance of the CRM program 
in Sec.  1582.209 and the designation of a Cybersecurity Coordinator in 
Sec.  1582.211.
    (2) Identification of Critical Cyber Systems, Network Architecture, 
and Interdependencies. The requirements to identify Critical Cyber 
Systems and network architecture in Sec.  1582.213 and supply chain 
risk management in Sec.  1582.215.
    (3) Procedures, policies, and capabilities to protect Critical 
Cyber Systems. The requirements for protection of Critical Cyber 
Systems in Sec.  1582.217 and training of cybersecurity-sensitive 
employees in Sec.  1582.219.
    (4) Procedures, policies, and capabilities to detect cybersecurity 
incidents. The requirements for detecting cybersecurity incidents in 
Sec.  1582.221.
    (5) Procedures, policies, and capabilities to respond to, and 
recover from, cybersecurity incidents. The requirements for responding 
to cybersecurity incidents in Sec.  1582.223, reporting cybersecurity 
incidents in Sec.  1582.225, and the Cybersecurity Incident Response 
Plan in Sec.  1582.227.
    (d) Plan of Action and Milestones. (1) To the extent an owner/
operator does not meet every requirement and security outcome 
identified in paragraph (c)(1) through (c)(5) of this section, the COIP 
must include a plan of action and milestones (POAM).
    (2) The POAM must include:
    (i) Policies, procedures, measures, or capabilities that owner/
operator will develop or obtain, as applicable, to ensure all 
requirements and security outcomes in this subpart are met;
    (ii) Physical and logical/virtual security controls that the owner/
operator will implement to mitigate the risks associated with not fully 
complying with requirements or security outcomes in this subpart; and
    (iii) A detailed timeframe for full compliance with all 
requirements and security outcomes in this subpart, not to exceed 3 
years from the date of submission to TSA of the COIP required by this 
section.
    (3) The POAM must be updated as necessary to address any 
deficiencies identified during the evaluation required by Sec.  
1582.205 or because of an assessment conducted under Sec.  1582.229 
that will not be immediately addressed through an update to the COIP.

[[Page 88573]]

    (e) Approval and implementation. (1) Submission deadlines. The COIP 
must be made available to TSA, in a form and manner prescribed by TSA, 
no later than [DATE 180 DAYS AFTER EFFECTIVE DATE OF FINAL RULE]. If 
commencing or modifying operations subject to these requirements after 
[EFFECTIVE DATE OF FINAL RULE], the COIP must be made available to TSA 
no later than 45 calendar days before commencing new or modified 
operations.
    (2) Effective date. After considering all relevant materials and 
any additional information required by TSA, TSA will notify the owner/
operator's accountable executive of TSA's decision to approve the 
owner/operator's COIP. The COIP becomes effective 30 days after the 
owner/operator is notified whether its COIP is approved.
    (3) TSA-approved security program. Once approved by TSA, the COIP, 
any appendices, and any policies or procedures incorporated by 
reference, are a part of a TSA-approved security program, subject to 
the protections in part 1520 of this chapter and the procedures 
applicable to security programs in subpart B of part 1570 of this 
subchapter.
    (f) Status Report and Updates. The CRM program must be reviewed and 
updated by the owner/operator within 60 days of the evaluations or 
assessments required by Sec. Sec.  1582.205 or 1582.229, as necessary 
to address any identified vulnerabilities or weaknesses in the 
procedures, policies, or capabilities identified in the CRM program.
    (g) Revisions. Unless otherwise specified in this subpart, any 
substantive modifications or amendments to the COIP must be made in 
accordance with the procedures in Sec.  1570.107 of this subchapter.


Sec.  1582.209  Governance of the CRM program.

    (a) Accountable Executive. (1) No later than [DATE 30 DAYS FROM 
EFFECTIVE DATE OF FINAL RULE], the owner/operator must provide to TSA 
the names, titles, business telephone numbers, and business email 
addresses of the owner/operator's accountable executive and the primary 
individual to be contacted about the owner/operator's CRM program. If 
any of the information required by this section changes, the owner/
operator must provide the updated information to TSA within seven days 
of the change.
    (2) The accountable executive must be an individual who has the 
authority and knowledge necessary for the development, implementation, 
and managerial oversight of the TSA-approved CRM program, including 
cybersecurity administration, risk assessments, inspections and control 
procedures, and coordinating communications with the owner/operator's 
leadership and staff on implementation and sustainment of the CRM 
program. To the extent possible, the accountable executive should not 
be the Cybersecurity Coordinator or an individual responsible for 
management of Information or Operational Technology system or systems' 
administration.
    (b) COIP. The COIP must also include:
    (1) Identification of positions designated by the owner/operator to 
manage implementation of policies, procedures, and capabilities 
described in the COIP and coordinate improvements to the CRM program.
    (2) Corporate-level identification of any authorized 
representatives, as defined in the TSA Cybersecurity Lexicon, who are 
responsible for any or all the CRM program or cybersecurity measures 
identified in the CRM program, and written documentation (such as 
contractual agreements) clearly identifying the roles and 
responsibilities of the authorized representative under the CRM 
program.
    (3) The information required by paragraph (a)(1) of this section.
    (c) Process. Updating the COIP to align with information provided 
to TSA under this section does not require an amendment subject to the 
procedures in Sec.  1570.107 of this subchapter.


Sec.  1582.211  Cybersecurity Coordinator.

    (a)(1) Except as provided in paragraph (a)(2), each owner/operator 
identified in Sec.  1582.103(a) must designate employees at 
the corporate level to serve as the primary and at least one alternate 
Cybersecurity Coordinator with responsibility for sharing critical 
cybersecurity information.
    (2) Each owner/operator identified in Sec.  1582.103(a)(3) must 
designate and use a primary and at least one alternate Cybersecurity 
Coordinator only if notified by TSA in writing that a threat exists 
concerning that type of operation.
    (b) The Cybersecurity Coordinator and alternate(s) must--
    (1) Serve as the primary contact for cyber-related intelligence 
information and cybersecurity-related activities and communications 
with TSA and the Cybersecurity and Infrastructure Security Agency 
(CISA);
    (2) Have the following knowledge and skills, through current 
certifications or equivalent job experience:
    (i) General cybersecurity guidance and best practices;
    (ii) Relevant law and regulations pertaining to cybersecurity;
    (iii) Handling of Sensitive Security Information and security-
related communications; and
    (iv) Current cybersecurity threats applicable to the owner/
operator's operations and systems.
    (3) Be accessible to TSA and CISA 24 hours per day, seven days per 
week;
    (4) Have a Homeland Security Information Network (HSIN) account or 
other TSA-designated communication platform for information sharing 
relevant to the requirements in this subpart; and
    (5) Work with appropriate law enforcement and emergency response 
agencies in addressing cybersecurity threats or responding to 
cybersecurity incidents.
    (c) The Cybersecurity Coordinator and alternate(s) must be a U.S. 
citizen eligible for a security clearance, unless otherwise waived by 
TSA.
    (d) Owner/operators must provide in writing to TSA the names, 
titles, business phone number(s), and business email address(es) of the 
Cybersecurity Coordinator and alternate Cybersecurity Coordinator(s) 
required by paragraph (a) no later than [DATE 7 DAYS AFTER EFFECTIVE 
DATE OF FINAL RULE], or within 7 days of the commencement of new 
operations, or changes in any of the information required by this 
section that occur after [DATE 7 DAYS AFTER EFFECTIVE DATE OF FINAL 
RULE].
    (e) In addition to providing the information to TSA as required by 
paragraph (d), any owner/operator required to have a CRM program under 
this part must also include the information required by paragraph (d) 
of this section in the COIP. As the owner/operator must separately 
notify TSA of this information, and any changes to this information, 
updating the COIP to align with information provided to TSA under this 
section does not require an amendment subject to the procedures in 
Sec.  1570.107 of this subchapter.


Sec.  1582.213  Identification of Critical Cyber Systems.

    (a) Identifying information. The owner/operator must incorporate 
into its COIP a list of Critical Cyber Systems, as defined in the TSA 
Cybersecurity Lexicon, that provides, at a minimum, the following 
identifying information for each Critical Cyber System:
    (1) Identifier (system name or commercial name); and
    (2) System manufacturer/designer name.
    (b) Identification methodology. The owner/operator must include a

[[Page 88574]]

description of the methodology and information used to identify 
Critical Cyber Systems that, at a minimum, includes the following 
information as used to identify critical systems:
    (1) Standards and factors, including system interdependencies with 
critical functions, used to identify Information Technology and 
Operational Technology systems that could be vulnerable to a 
cybersecurity incident;
    (2) Sources and data, such as known threat information relevant to 
the system, that informed decisions regarding the likelihood of the 
system being subject to a cybersecurity incident;
    (3) Potential operational impacts of a cybersecurity incident, 
including scenarios that identify potential supply chain impacts and 
how long critical operations and capabilities could be sustained with 
identified alternatives if a system is offline; and
    (4) Sustainability and operational impacts if an Information or 
Operational Technology system not identified as a Critical Cyber System 
becomes unavailable due to a cybersecurity incident.
    (c) Positive Train Control (PTC) Systems. Owner/operators who are 
either required to install and operate PTC under 49 CFR part 236, 
subpart I, and/or voluntarily install and operate PTC under 49 CFR part 
236, subpart H or I, must include PTC systems as a Critical Cyber 
System.
    (d) System information and network architecture. For all Critical 
Cyber Systems, the owner/operator must provide the following 
information:
    (1) Information and Operational Technology system interdependencies 
for Critical Cyber Systems;
    (2) All external connections to Critical Cyber Systems;
    (3) Zone boundaries for Critical Cyber Systems, including a 
description of how Information and Operational Technology systems are 
defined and organized into logical/virtual zones based on criticality, 
consequence, and operational necessity;
    (4) Baseline of acceptable communications between Critical Cyber 
Systems and external connections or between Information and Operational 
Technology systems; and
    (5) Operational needs that prevent or delay implementation of the 
requirements in this subpart, such as application of security patches 
and updates, encryption of communications traversing Information and 
Operational Technology systems, and multi-factor authentication.
    (e) Additional systems. If notified by TSA, the owner/operator must 
include additional Critical Cyber Systems identified by TSA not 
previously identified by the owner/operator.
    (f) Changes in Critical Cyber Systems. Any substantive changes to 
Critical Cyber Systems require an amendment to the Cybersecurity 
Operational Implementation Plan subject to the procedures in Sec.  
1570.107 of this subchapter.
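Paragraphs (d)(3) and (d)(4) of Sec. 1582.213 require the COIP to document logical zones and a baseline of acceptable communications between Critical Cyber Systems, external connections, and Information and Operational Technology systems; Sec. 1582.217(a)(2) then requires zone boundaries to be defended and cross-boundary content to be encrypted or covered by compensating controls. The script below is an added example, not part of the proposed rule or of any TSA-provided form or tool, showing how a documented baseline can be checked mechanically against observed flows so that deviations surface in a recurring assessment. The zone names, address ranges, ports, the flow-record format, and every flow record are constructed for the example.

```python
"""Compare observed network flows against a documented communications baseline.

Added example (not from the proposed rule or any TSA tool). Zones, CIDRs,
ports, the log format and all flow records are constructed/hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# Constructed zone map (Sec. 1582.213(d)(3)): CIDR -> zone label.
ZONES = {
    ip_network("10.10.0.0/16"): "IT-corporate",
    ip_network("10.20.0.0/24"): "OT-DMZ",
    ip_network("10.30.0.0/24"): "OT-signaling",  # hypothetical Critical Cyber System zone
}

# Constructed baseline (Sec. 1582.213(d)(4)):
# (src_zone, dst_zone, dst_port, proto) -> True if the flow must be encrypted in
# transit, False if the COIP documents compensating controls instead
# (the Sec. 1582.217(a)(2)(ii) exception) or the flow stays inside one zone.
BASELINE = {
    ("IT-corporate", "OT-DMZ", 443, "tcp"): True,         # historian web front end
    ("OT-DMZ", "OT-signaling", 4840, "tcp"): True,        # OPC UA with TLS
    ("OT-DMZ", "OT-signaling", 2404, "tcp"): False,       # legacy protocol, compensating controls documented
    ("OT-signaling", "OT-signaling", 502, "tcp"): False,  # intra-zone field traffic
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str
    encrypted: bool


def zone_of(addr: str) -> str:
    """Map an address to its documented zone; anything unmapped is external."""
    ip = ip_address(addr)
    for net, name in ZONES.items():
        if ip in net:
            return name
    return "external"


def evaluate_flow(flow: Flow) -> str:
    """Return 'allowed', 'unencrypted-cross-zone' or 'not-in-baseline'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    key = (src_zone, dst_zone, flow.dst_port, flow.proto)
    if key not in BASELINE:
        # Covers IT-to-OT paths that bypass the DMZ and any external connection
        # (Sec. 1582.213(d)(2)) that the COIP does not list.
        return "not-in-baseline"
    if src_zone != dst_zone and BASELINE[key] and not flow.encrypted:
        return "unencrypted-cross-zone"
    return "allowed"


def parse_flow(line: str) -> Flow:
    """Parse the constructed record format: src= dst= dport= proto= enc=yes|no."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]),
                fields["proto"], fields["enc"] == "yes")


def audit(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket every observed flow by its evaluation result."""
    findings: Dict[str, List[str]] = {
        "allowed": [], "unencrypted-cross-zone": [], "not-in-baseline": []}
    for line in lines:
        findings[evaluate_flow(parse_flow(line))].append(line)
    return findings


# Constructed sample flows.
SAMPLE_FLOWS = [
    "src=10.10.5.5 dst=10.20.0.10 dport=443 proto=tcp enc=yes",
    "src=10.20.0.10 dst=10.30.0.7 dport=4840 proto=tcp enc=no",
    "src=10.30.0.7 dst=10.30.0.8 dport=502 proto=tcp enc=no",
    "src=10.10.5.5 dst=10.30.0.7 dport=502 proto=tcp enc=no",
    "src=203.0.113.9 dst=10.30.0.7 dport=22 proto=tcp enc=yes",
    "src=10.20.0.10 dst=10.30.0.7 dport=2404 proto=tcp enc=no",
]

if __name__ == "__main__":
    for result, flows in audit(SAMPLE_FLOWS).items():
        print(f"{result}: {len(flows)}")
        for f in flows:
            print("   ", f)
```

The baseline is deliberately a plain data structure so it can be generated from the same inventory the COIP already documents; a flow that is "not-in-baseline" is either an undocumented path that belongs in the next COIP amendment under Sec. 1582.213(f) or something to investigate, while "unencrypted-cross-zone" points directly at the Sec. 1582.217(a)(2)(ii) outcome.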


Sec.  1582.215  Supply chain risk management.

    The owner/operator must incorporate into its COIP policies, 
procedures, and capabilities to address supply chain cybersecurity 
vulnerabilities that include requiring--
    (a) All procurement documents and contracts, including service-
level agreements, executed or updated after [EFFECTIVE DATE OF FINAL 
RULE], include a requirement for the vendor or service provider to 
notify the owner/operator of the following:
    (1) Cybersecurity incidents affecting the vendor or service 
provider within a specified timeframe sufficient for the owner/operator 
to identify and address any potential risks to their Critical Cyber 
Systems based on the scope and type of cybersecurity incident.
    (2) Confirmed security vulnerabilities affecting the goods, 
services, or capabilities provided by the vendor or service provider 
within a specified timeframe sufficient for the owner/operator to 
identify and address any potential risks to their Critical Cyber 
Systems based on the scope and type of security vulnerability.
    (b) Procurement documents and contracts, including service-level 
agreements, incorporate an evaluation by the owner/operator or 
qualified third-party of the cybersecurity measures implemented by 
vendors or service providers of goods, services, or capabilities that 
will be connected to, installed on, or used by the owner/operator's 
Critical Cyber Systems.
    (c) When provided two offerings of roughly similar cost and 
function, giving preference to the offering that provides the greater 
level of cybersecurity necessary to protect against, or effectively 
respond to, cybersecurity incidents affecting the owner/operator's 
Critical Cyber Systems.
    (d) Upon notification of a cybersecurity incident or vulnerability 
under paragraphs (a) or (b) of this section, immediate consideration of 
mitigation measures sufficient to address the resulting risk to 
Critical Cyber Systems and, as applicable, revision to the COIP in 
accordance with Sec.  1570.107 of this subchapter.


Sec.  1582.217  Protection of Critical Cyber Systems.

    The owner/operator must incorporate into its COIP policies, 
procedures, controls, and capabilities to protect Critical Cyber 
Systems that meet security performance objectives in the following 
areas--
    (a) Network segmentation. Network segmentation measures that 
protect against access to, or disruption of, the Operational Technology 
system if the Information Technology system is compromised or vice 
versa. These measures must be sufficient to--
    (1) Ensure Information and Operational Technology system-services 
transit the other only when necessary for validated business or 
operational purposes;
    (2) Secure and defend zone boundaries with security controls--
    (i) To defend against unauthorized communications between zones; 
and
    (ii) To prohibit Operational Technology system services from 
traversing the Information Technology system, and vice-versa, unless 
the content is encrypted at a level sufficient to secure and protect 
integrity of data and prevent corruption or compromise while in 
transit. If encryption is not technologically feasible, ensure content 
is otherwise secured and protected using compensating controls that 
provide the same level of security as encryption for data in transit.
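The segmentation objectives in paragraph (a) can be checked mechanically against an export of the boundary firewall rules. The following is an added example written for this page; it is not part of the rule and not any vendor's tool. The zone map, the rule file format, and every rule entry are constructed for illustration; it flags a cross-zone rule when it records no validated purpose, when it carries unencrypted traffic with no compensating control, or when it is a blanket allow that leaves the zone boundary undefended.

```python
"""Review of IT/OT boundary rules against the segmentation objectives in
Sec. 1582.217(a). Added example, not part of the rule or any vendor product.
The zone map, rule format and rule entries are constructed for illustration."""
import ipaddress

# Constructed zone map: which address blocks belong to the IT and OT systems.
ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "OT": ipaddress.ip_network("10.9.0.0/16"),
}

# Constructed export of boundary firewall rules. Columns:
# src dst dport proto purpose encrypted compensating_control ('-' means none)
RULES = """\
10.1.20.5    10.9.1.10   443   tcp  historian-replication    yes  -
10.1.30.7    10.9.1.20   502   tcp  vendor-monitoring        no   -
10.9.1.30    10.1.40.2   514   udp  syslog-forward           no   ipsec-tunnel
10.1.50.9    10.9.1.40   3389  tcp  -                        yes  -
10.1.0.0/16  10.9.0.0/16 any   any  legacy-allow             no   -
"""


def zone_of(addr: str) -> str:
    """Return the zone name containing a host or prefix, or 'UNKNOWN'."""
    net = ipaddress.ip_network(addr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "UNKNOWN"


def parse_rules(text: str):
    """Parse the constructed rule export into dictionaries."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport, proto, purpose, encrypted, comp = line.split()
        rules.append({"src": src, "dst": dst, "dport": dport, "proto": proto,
                      "purpose": None if purpose == "-" else purpose,
                      "encrypted": encrypted == "yes",
                      "compensating": None if comp == "-" else comp})
    return rules


def review(text: str):
    """Return (rule label, finding) pairs for rules that let traffic cross the
    IT/OT boundary without a validated purpose (a)(1) or without encryption or
    an equivalent compensating control (a)(2)(ii). Same-zone rules are skipped."""
    findings = []
    for r in parse_rules(text):
        if zone_of(r["src"]) == zone_of(r["dst"]):
            continue  # not a boundary crossing
        label = f"{r['src']}->{r['dst']}:{r['dport']}/{r['proto']}"
        if r["dport"] == "any" and r["proto"] == "any":
            findings.append((label, "blanket cross-zone allow; zone boundary not defended"))
        if r["purpose"] is None:
            findings.append((label, "no validated business or operational purpose recorded"))
        if not r["encrypted"] and r["compensating"] is None:
            findings.append((label, "unencrypted cross-zone traffic without compensating control"))
    return findings


if __name__ == "__main__":
    for label, finding in review(RULES):
        print(label, "-", finding)
```

Run against the constructed export, the historian and syslog rules pass (encrypted, or unencrypted with a documented compensating control), while the vendor-monitoring, undocumented RDP and legacy network-wide rules each produce findings.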
    (b) Access control. Access control measures for Critical Cyber 
Systems, including for local and remote access, that secure and defend 
against unauthorized access to Critical Cyber Systems. Except as 
provided in paragraph (f), these measures must, at a minimum, 
incorporate the following policies, procedures, and controls:
    (1) Identification and authentication requirements designed to 
prevent unauthorized access to Critical Cyber Systems that include:
    (i) A policy for memorized secret authenticator resets that 
includes criteria for passwords and when resets must occur, including 
procedures to ensure implementation of these requirements, such as 
password lockouts; and
    (ii) Documented and defined logical/virtual and physical security 
controls for components of Critical Cyber Systems that will not be 
subject to the requirements in paragraph (b)(1)(i) of this section.
    (2) Multi-factor authentication, or other logical/virtual and 
physical security controls to supplement memorized secret 
authenticators (such as passwords) to provide risk mitigation 
commensurate to multi-factor

[[Page 88575]]

authentication. If an owner/operator does not apply multi-factor 
authentication for access to Operational Technology components or 
assets, the owner/operator must specify what compensating controls are 
used to manage access.
    (3) Management of access rights based on the principles of least 
privilege and separation of duties. Where not technically feasible to 
apply these principles, the policies and procedures must describe 
compensating controls that the owner/operator applies.
    (4) Policies and procedures limit availability and use of shared 
accounts to those that are critical for operations, and then only if 
necessary. When the owner/operator uses shared accounts for operational 
purposes, the policies and procedures must ensure:
    (i) Access to shared accounts is limited through account management 
that uses principles of least privilege and separation of duties;
    (ii) Any individual who no longer needs access does not have 
knowledge of the memorized secret authenticator necessary to access the 
shared account; and
    (iii) Logs are maintained sufficient to enable positive user 
identification of access to shared accounts to enable forensic 
investigation following a cybersecurity incident.
    (5) Regularly updated schedule for review of existing domain trust 
relationships to ensure their necessity and established and enforced 
policies to manage these relationships.
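Paragraph (b)(4) asks for two things that are easy to state and easy to get wrong: every use of a shared account must be attributable to one individual, and an individual whose need ends must not retain knowledge of the secret. The following added example, not part of the rule or any product, correlates constructed credential-vault checkout and rotation records with constructed host login records to test both: a login with no single checkout covering it fails positive identification, and a checkout not followed by a rotation before the next checkout leaves the previous holder knowing the secret. All log formats and entries are constructed.

```python
"""Positive user identification for shared-account access and secret rotation,
modelled on Sec. 1582.217(b)(4)(ii)-(iii). Added example, not from the rule.
The vault and host log formats and all records are constructed."""
from datetime import datetime

# Constructed credential-vault checkout log: start end account individual
CHECKOUTS = """\
2025-03-01T08:00:00 2025-03-01T12:00:00 oper_shared alice
2025-03-01T13:00:00 2025-03-01T17:00:00 oper_shared bob
"""

# Constructed vault rotation log: timestamp account
ROTATIONS = """\
2025-03-01T12:05:00 oper_shared
"""

# Constructed host authentication log: timestamp host event account 'from' source
LOGINS = """\
2025-03-01T08:15:22 hmi-02   login oper_shared from 10.0.5.12
2025-03-01T12:30:05 hmi-02   login oper_shared from 10.0.5.40
2025-03-01T14:02:41 eng-ws-1 login oper_shared from 10.0.5.12
"""


def _lines(text):
    return [ln.split() for ln in text.splitlines() if ln.strip()]


def parse_checkouts(text):
    return [(datetime.fromisoformat(s), datetime.fromisoformat(e), acct, who)
            for s, e, acct, who in _lines(text)]


def parse_rotations(text):
    return [(datetime.fromisoformat(ts), acct) for ts, acct in _lines(text)]


def parse_logins(text):
    return [(datetime.fromisoformat(ts), host, acct, src)
            for ts, host, _, acct, _, src in _lines(text)]


def attribute_logins(checkout_text, login_text):
    """Attach the individual holding the shared secret at login time.
    Exactly one holder gives positive identification; otherwise person is None."""
    checkouts = parse_checkouts(checkout_text)
    records = []
    for ts, host, acct, src in parse_logins(login_text):
        holders = [who for s, e, a, who in checkouts if a == acct and s <= ts <= e]
        records.append({"time": ts, "host": host, "account": acct, "src": src,
                        "person": holders[0] if len(holders) == 1 else None})
    return records


def unattributed(records):
    """Logins that cannot be tied to one individual: (b)(4)(iii) failures."""
    return [r for r in records if r["person"] is None]


def stale_knowledge(checkout_text, rotation_text):
    """Checkouts whose end was not followed by a rotation of that account before
    the next checkout (or at all): the holder may still know the secret after
    the need ended, which (b)(4)(ii) forbids."""
    rotations = parse_rotations(rotation_text)
    checkouts = sorted(parse_checkouts(checkout_text), key=lambda c: c[0])
    stale = []
    for i, (s, e, acct, who) in enumerate(checkouts):
        later = [c[0] for c in checkouts[i + 1:] if c[2] == acct]
        limit = later[0] if later else datetime.max
        if not any(a == acct and e <= ts <= limit for ts, a in rotations):
            stale.append((acct, who, e))
    return stale


if __name__ == "__main__":
    for r in unattributed(attribute_logins(CHECKOUTS, LOGINS)):
        print("unattributed shared-account login:", r)
    for acct, who, ended in stale_knowledge(CHECKOUTS, ROTATIONS):
        print(f"{who} checked out {acct} until {ended}; no rotation since")
```

On the constructed data the 12:30 login from 10.0.5.40 falls between two checkouts and cannot be attributed, and bob's checkout ending at 17:00 was never followed by a rotation.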
    (c) Patch management. Measures that reduce the risk of exploitation 
of unpatched systems through the application of security patches and 
updates for operating systems, applications, drivers, and firmware on 
Critical Cyber Systems consistent with the owner/operator's risk-based 
methodology. These measures must include:
    (1) A patch management strategy that ensures all critical security 
patches and updates on Critical Cyber Systems are current. This 
strategy must include:
    (i) The risk methodology for categorizing and determining 
criticality of patches and updates, and an implementation timeline 
based on categorization and criticality; and
    (ii) Prioritization of all security patches and updates on CISA's 
Known Exploited Vulnerabilities Catalog.
    (2) In instances where the owner/operator cannot apply patches and 
updates on specific Operational Technology systems without causing a 
severe degradation of operational capability to meet business critical 
functions, the owner/operator must provide an explanation for why the 
actions cannot be taken and a description and timeline of additional 
mitigations that address the risk created by not installing the patch 
or update within the recommended timeframe.
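The patch management strategy in paragraph (c) has three computable parts: a risk tiering with a timeline per tier, forced prioritization of anything on CISA's Known Exploited Vulnerabilities Catalog, and, for Operational Technology systems that cannot be patched without severe operational degradation, a documented justification and compensating mitigations. The following added example, not part of the rule, shows one triage routine that applies all three. The tier names, day counts, the small stand-in for the KEV catalog, and the placeholder CVE identifiers and patch records are constructed: the rule leaves the methodology and timelines to the owner/operator, and the real catalog comes from CISA.

```python
"""Patch triage modelled on the patch-management elements of Sec. 1582.217(c).
Added example, not part of the rule text. Tier names, day counts, the KEV
stand-in and all patch records are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Constructed stand-in for the relevant subset of CISA's Known Exploited
# Vulnerabilities Catalog. CVE ids here are placeholders, not real entries.
KEV_SAMPLE = {"CVE-0000-0001", "CVE-0000-0003"}

# Constructed risk methodology: tier -> days allowed from release to install.
TIER_DEADLINE_DAYS = {"critical": 14, "high": 30, "moderate": 90, "low": 180}


@dataclass
class Patch:
    cve: str                      # placeholder identifier
    system: str                   # asset from the Critical Cyber System inventory
    cvss: float                   # vendor or NVD base score
    ot: bool                      # True if the asset is an Operational Technology system
    patchable: bool = True        # False if installing would severely degrade operations
    justification: Optional[str] = None          # required when patchable is False
    mitigations: List[str] = field(default_factory=list)  # compensating mitigations


def categorize(p: Patch) -> str:
    """Map a patch to a tier. Anything in the KEV catalog is forced to
    'critical' regardless of score, mirroring (c)(1)(ii)."""
    if p.cve in KEV_SAMPLE or p.cvss >= 9.0:
        return "critical"
    if p.cvss >= 7.0:
        return "high"
    if p.cvss >= 4.0:
        return "moderate"
    return "low"


def deadline(p: Patch, released: date) -> date:
    """Implementation timeline derived from the tier, per (c)(1)(i)."""
    return released + timedelta(days=TIER_DEADLINE_DAYS[categorize(p)])


def triage(patches: List[Patch], released: date):
    """Return (plan, findings). The plan lists each patch with tier, due date
    and status, soonest due first. Findings list deferrals that (c)(2) does
    not allow or that lack the required justification and mitigations."""
    plan, findings = [], []
    for p in patches:
        row = {"cve": p.cve, "system": p.system, "tier": categorize(p),
               "due": deadline(p, released), "status": "schedule"}
        if not p.patchable:
            row["status"] = "deferred"
            if not p.ot:
                findings.append(f"{p.cve}: deferral is only provided for OT systems")
            elif not p.justification or not p.mitigations:
                findings.append(f"{p.cve}: deferred OT patch lacks justification "
                                "or compensating mitigations")
        plan.append(row)
    plan.sort(key=lambda r: r["due"])  # stable: ties keep input order
    return plan, findings


# Constructed sample records.
SAMPLE = [
    Patch("CVE-0000-0001", "hmi-01", 5.5, ot=True),                  # KEV -> critical
    Patch("CVE-0000-0002", "hist-db", 9.8, ot=False),                # critical by score
    Patch("CVE-0000-0003", "plc-gw", 6.0, ot=True, patchable=False), # deferred, undocumented
    Patch("CVE-0000-0004", "web-proxy", 6.0, ot=False, patchable=False),  # IT deferral
    Patch("CVE-0000-0005", "rtu-07", 6.0, ot=True, patchable=False,
          justification="vendor firmware lock until next outage",
          mitigations=["isolate to dedicated VLAN", "monitor port 502 sessions"]),
]

if __name__ == "__main__":
    plan, findings = triage(SAMPLE, date(2025, 1, 1))
    for row in plan:
        print(row)
    for f in findings:
        print("finding:", f)
```

With a release date of 2025-01-01 the two KEV entries and the 9.8-scored patch are due on 2025-01-15, the moderate ones on 2025-04-01, and the two undocumented deferrals are reported.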
    (d) Logging policies. Logging policies sufficient to ensure logging 
data is--
    (1) Stored in a secure and centralized system, such as a security 
information and event management tool or database on a segmented 
network that can only be accessed or modified by authorized and 
authenticated users; and
    (2) Maintained for a duration sufficient to allow for investigation 
of cybersecurity incidents as supported by a risk analysis and 
applicable standards or regulatory guidelines.
    (e) Secure back-ups. Policies that ensure all Critical Cyber 
Systems are backed-up on a regular basis consistent with operational 
need for the information, the back-ups are securely stored separate 
from the system, and policies require testing the integrity of back-ups 
to ensure that the data is free of known malicious code when the back-
ups are made.
    (f) Exception for PTC hardware and software components installed on 
locomotive. (1) For hardware and software components of a PTC system 
installed on a locomotive, owner/operators in compliance with 
requirements in 49 CFR 232.105(h)(1-4) (General requirements for 
locomotives), 49 CFR 236.3 (Locking of signal apparatus housings), and 
49 CFR 256.553 (Seal, where required), may rely on the physical 
security measures used to comply with these requirements, as 
applicable, in lieu of implementing the requirements in paragraph (b).
    (2) If relying on the exception in paragraph (f)(1), the owner/
operator must list the applicable PTC system as a Critical Cyber 
System; maintain compliance with the requirements specified in 49 CFR 
232.105(h)(1-4), 49 CFR 236.3, and 49 CFR 256.553, as applicable; and 
include in the COIP a description of the physical security measures 
used to prevent unauthorized access to the identified PTC components.


Sec.  1582.219  Cybersecurity training and knowledge.

    (a) Training required. (1) Owner/operators required to have a CRM 
program under this subpart must provide basic cybersecurity training to 
all employees with access to the owner/operator's Information or 
Operational Technology systems.
    (2) No owner/operator required to have a CRM program under this 
subpart may permit a cybersecurity-sensitive employee to access, or 
have privileges to access, a Critical Cyber System or an Information or 
Operational Technology system that is interdependent with a Critical 
Cyber System, unless that individual has received basic and role-based 
cybersecurity training.
    (b) General curriculum requirements. The cybersecurity training 
program must include a curriculum or lesson plan, including learning 
objectives and method of delivery (such as instructor-led or computer-
based training) for each course used to meet the requirements in 
paragraphs (d) and (e) of this section. TSA may request additional 
information regarding the curriculum during the review and approval 
process. If recurrent training under paragraph (e) of this section is 
not the same as initial training, a curriculum or lesson plan for the 
recurrent training will need to be submitted and approved by TSA.
    (c) Specific curriculum requirements. (1) Basic cybersecurity 
training. All employees and contractors with access to the owner/
operator's Information or Operational Technology systems, must receive 
basic cybersecurity training that includes cybersecurity awareness to 
address best practices, acceptable use, risks associated with their 
level of privileged access, and awareness of security risks associated 
with their actions. This training must address the following topics:
    (i) Social engineering, including phishing;
    (ii) Password best practices;
    (iii) Remote work security basics;
    (iv) Safe internet and social media use;
    (v) Mobile device (wireless) vulnerabilities and network security;
    (vi) Data management and information security, including protecting 
business email, confidential information, trade secrets, and privacy; 
and
    (vii) How and to whom to report suspected inappropriate or 
suspicious activity involving Information or Operational Technology 
systems, including mobile devices provided by or connected to the 
owner/operator's Information or Operational Technology systems.
    (2) Role-based cybersecurity training. Cybersecurity-sensitive 
employees must be provided cybersecurity training that specifically 
addresses their role as a privileged user to prevent and respond to a 
cybersecurity incident, acceptable uses, and the risks associated with 
their level of access and use as approved by the owner/operator. This 
training must address the following topics as applicable to the 
specific role:

[[Page 88576]]

    (i) Security measures and requirements in the COIP including how 
the requirements affect account and access management, server and 
application management, and system architecture development and 
assessment;
    (ii) Recognition and detection of cybersecurity threats, types of 
cybersecurity incidents, and techniques used to circumvent 
cybersecurity measures;
    (iii) Incident handling, including procedures for reporting a 
cybersecurity incident to the Cybersecurity Coordinator and 
understanding their roles and responsibilities during a cybersecurity 
incident and implementation of the owner/operator's Cybersecurity 
Incident Response Plan required by Sec.  1582.227;
    (iv) Requirements and sources for staying aware of changing 
cybersecurity threats and countermeasures;
    (v) Operational Technology-specific cybersecurity training for all 
personnel whose duties include access to Operational Technology 
systems.
    (d) Initial cybersecurity training. (1) Each owner/operator must 
provide initial cybersecurity training (basic and role-based, as 
applicable) to employees and contractors, using the curriculum approved 
by TSA no later than 60 days after the effective date of the owner/
operator's TSA-approved COIP required by this subpart.
    (2) For individuals who onboard or become cybersecurity-sensitive 
employees after the effective date of the owner/operator's TSA-approved 
COIP who did not receive training within the period identified in 
paragraph (d)(1) of this section, the individual must receive the 
applicable cybersecurity training no later than 10 days after 
onboarding.
    (e) Recurrent cybersecurity training. Employees and contractors 
must receive annual recurrent cybersecurity training no later than the 
anniversary calendar month of the employee's initial cybersecurity 
training. If the owner/operator provides the recurrent cybersecurity 
training in the month of, the month before, or the month after it is 
due, the employee is considered to have taken the training in the month 
it is due.
    (f) Recognition of prior or established cybersecurity training. 
Previously provided cybersecurity training may be credited towards 
satisfying the requirements of this section provided the owner/
operator--
    (1) Obtains a complete record of such training and validates the 
training meets requirements of this section as it relates to the role 
of the individual employee, and the training was provided within the 
schedule required for recurrent training; and
    (2) Retains a record of such training in compliance with the 
requirements in paragraph (g) of this section.
    (g) Retention of cybersecurity training records. The owner/operator 
must retain records of initial and recurrent cybersecurity training 
records for each individual required to receive cybersecurity training 
under this section for no less than 5 years from the date of training 
that, at a minimum--
    (1) Includes employee's full name, job title or function, date of 
hire, and date of initial and recurrent cybersecurity training; and
    (2) Identifies the date, course name, course length, and list of 
topics addressed for the cybersecurity training most recently provided 
in each of the areas required under paragraph (c) of this section.
    (h) Availability of records to employees. The owner/operator must 
provide records of cybersecurity training to current and former 
employees upon request and at no charge as necessary to provide proof 
of training.


Sec.  1582.221  Detection of cybersecurity incidents.

    The owner/operator must incorporate into its COIP policies, 
procedures, and capabilities sufficient to detect and respond to 
cybersecurity threats to, and anomalies on, Critical Cyber Systems 
that, at a minimum--
    (a) Defend against malicious email, such as spam and phishing 
emails, to preclude or mitigate against adverse impacts to operations;
    (b) Block ingress and egress communications with known or suspected 
malicious Internet Protocol addresses;
    (c) Control impact of known or suspected malicious web domains or 
web applications, such as by preventing users and devices from 
accessing malicious websites;
    (d) Block and defend against unauthorized code, including macro 
scripts, from executing;
    (e) Monitor and/or block connections from known or suspected 
malicious command and control servers (such as Tor exit nodes, and 
other anonymization services); and
    (f) Ensure continuous collection and analysis of data for potential 
intrusions and anomalous behavior on Critical Cyber Systems and other 
Information and Operational Technology systems that directly connect 
with Critical Cyber Systems.


Sec.  1582.223  Capabilities to respond to a cybersecurity incident.

    The owner/operator must incorporate into its COIP capabilities to 
respond to cybersecurity incidents affecting Critical Cyber Systems 
that, at a minimum--
    (a) Audit unauthorized access to internet domains and addresses;
    (b) Document and audit any communications between the Operational 
Technology system and an internal or external system that deviates from 
the owner/operator's identified baseline of communications;
    (c) Identify and respond to execution of unauthorized code, 
including macro scripts; and
    (d) Define, prioritize, and drive standardized incident response 
activities, such as Security Orchestration, Automation, and Response 
(SOAR).


Sec.  1582.225  Reporting cybersecurity incidents.

    (a)(1) Except as provided in paragraph (a)(2) of this section or 
otherwise directed by TSA, each owner/operator identified in Sec.  
1582.1 must notify CISA of any Reportable Cybersecurity Incidents, as 
defined in the TSA Cybersecurity Lexicon, as soon as practicable, but 
no later than 24 hours after a Reportable Cybersecurity Incident is 
identified.
    (2) An owner/operator identified in Sec.  1582.1(a)(2) that owns or 
operates a bus-only operation must notify CISA of Reportable 
Cybersecurity Incidents under paragraph (a)(1) only if the owner/
operator is identified in appendix A to part 1582 of this subchapter or 
is notified by TSA in writing that a threat exists concerning that 
operation.
    (b) Reports required by this section must be made by the methods 
prescribed by TSA. All reported information will be protected in a 
manner appropriate for the sensitivity and criticality of the 
information.
    (c) The report to CISA must include the following information, as 
available to the reporting owner/operator at the time of the report:
    (1) The name of the reporting individual and contact information, 
including a telephone number and email address. The report must also 
explicitly specify that the information is being reported to satisfy 
the reporting requirements in Transportation Security Regulations.
    (2) The affected conveyance, system(s) or facilities, including 
identifying information and location.
    (3) Description of the threat, incident, or activity, to include:
    (i) Earliest known date of compromise;

[[Page 88577]]

    (ii) Date of detection;
    (iii) Information about who has been notified and what action has 
been taken;
    (iv) Any relevant information observed or collected by the owner/
operators, such as malicious Internet Protocol addresses, malicious 
domains, malware hashes and/or samples, or the abuse of legitimate 
software or accounts; and
    (v) Any known threat information, to include information about the 
source of the threat or cybersecurity incident, if available.
    (4) A description of the incident's impact or potential impact on 
Information or Operational Technology systems and operations. This 
information must also include an assessment of actual or imminent 
adverse impacts to service operations, operational delays, and/or data 
theft that have or are likely to be incurred, as well as any other 
information that would be informative in understanding the impact or 
potential impact of the cybersecurity incident.
    (5) A description of all responses that are planned or under 
consideration, to include, for example, a reversion to manual 
operations of train movement and control, if applicable.
    (6) Any additional information not specifically required by this 
section, but which is critical to an understanding of the threat and 
owner/operator's response to a reportable cybersecurity incident.
    (d) If all the required information is not available at the time of 
reporting, owner/operators must submit an initial report within the 
specified timeframe and supplement as additional information becomes 
available.


Sec.  1582.227  Cybersecurity Incident Response Plan.

    (a) The owner/operator must incorporate into its COIP an up-to-date 
Cybersecurity Incident Response Plan (CIRP) for the owner/operator's 
Critical Cyber Systems to reduce the impacts of a cybersecurity 
incident that causes, or could cause, operational disruption or 
significant impacts on business-critical functions.
    (b) The CIRP must provide specific measures sufficient to ensure 
the following objectives, as applicable:
    (1) Promptly identifying, isolating, and segregating the infected 
systems from uninfected systems, networks, and devices using measures 
that prioritize:
    (i) Limiting the spread of autonomous malware;
    (ii) Denying continued access by a threat actor to systems;
    (iii) Determining extent of compromise; and
    (iv) Preserving evidence and data.
    (2) Only data stored and secured as required by Sec.  1582.217(e) 
is used to restore systems and that all stored backup data is scanned 
with host security software to ensure the data is free of malicious 
artifacts before being used for restoration.
    (3) Established capability and governance for implementing 
mitigation measures or manual controls that ensure that the Operational 
Technology system can be isolated when a cybersecurity incident in the 
Information Technology system creates risk to the safety and 
reliability of the Operational Technology system.
    (c) The CIRP must identify who (by position) is responsible for 
implementing the specific measures in the plan and any necessary 
resources needed to implement the measures.
    (d) The owner/operator must conduct an exercise to test the 
effectiveness of the CIRP no less than annually. The exercise conducted 
under this paragraph must--
    (1) Test at least two objectives of the owner/operator's CIRP 
required by paragraph (b) of this section, no less than annually; and
    (2) Include the employees identified (by position) in paragraph (c) 
as active participants in the exercise.
    (e) Within no more than 90 days after the date of the exercise 
required by paragraph (d), the owner/operator must update the CIRP as 
appropriate to address any issues identified during the exercise.
    (f) The owner/operator must notify TSA within 15 days of any 
changes to the CIRP. As the owner/operator must separately notify TSA, 
updating the COIP to align with information provided to TSA under this 
section does not require an amendment subject to the procedures in 
Sec.  1570.107 of this subchapter.


Sec.  1582.229  Cybersecurity Assessment Plan.

    (a) Requirement for a Cybersecurity Assessment Plan. No later than 
90 days from TSA's approval of the owner/operator's COIP, the owner/
operator must submit to TSA a Cybersecurity Assessment Plan (CAP) 
sufficient to--
    (1) Proactively assess the effectiveness of all policies, 
procedures, measures, and capabilities in the owner/operator's TSA-
approved COIP as applied to all Critical Cyber Systems; and
    (2) Identify and resolve device, network, and/or system 
vulnerabilities associated with Critical Cyber Systems.
    (b) Contents of the CAP. At a minimum, the CAP must describe in 
detail:
    (1) The plan to assess the effectiveness of the owner/operator's 
TSA-approved COIP as applied to all Critical Cyber Systems;
    (2) Schedule and scope of an architectural design review within 12 
months either before or after TSA's approval of the owner/operator's 
COIP, to be repeated at least once every 2 years thereafter. The 
architectural design review required by this paragraph must include 
verification and validation of network traffic, a system log review, 
and analysis to identify cybersecurity vulnerabilities related to 
network design, configuration, and interconnectivity to internal and 
external systems;
    (3) Other assessment capabilities designed to identify 
vulnerabilities to Critical Cyber Systems based on evolving threat 
information and adversarial capabilities, such as penetration testing 
of Information Technology systems, including the use of ``red'' and 
``purple'' team (adversarial perspective) testing.
    (c) Specific Schedule. (1) In addition to specifying the schedule 
for the architectural design review required by paragraph (b)(2), the 
CAP must include a schedule for conducting the assessments required by 
paragraph (b) sufficient to ensure at least one-third of the policies, 
procedures, measures, and capabilities in the TSA-approved COIP are 
assessed each year, with 100 percent of the COIP and all Critical Cyber 
Systems assessed over a 3-year period.
    (2) The schedule required by this paragraph must map the planned 
assessments to the COIP and Critical Cyber System to document the plan 
will ensure all policies, procedures, measures, and capabilities in the 
owner/operator's TSA-approved COIP and all Critical Cyber Systems will 
be assessed within the timeframes required by paragraph (c)(1).
    (d) Independence of assessors and auditors. Owner/operators must 
ensure that the assessments, audits, testing, and other capabilities to 
assess the effectiveness of its TSA-approved COIP are not conducted by 
individuals who have oversight or responsibility for implementing the 
owner/operator's CRM program and have no vested or other financial 
interest in the results of the CAP.
    (e) Annual submission of report. The owner/operator must ensure a 
report of the results of assessments conducted in accordance with the 
CAP is provided to corporate leadership and individuals designated 
under Sec.  1582.209(a) and (b)(1) of this subpart, and submitted to 
TSA, no later than 15 months from the date of approval of the initial 
CAP and

[[Page 88578]]

annually thereafter. The required report must indicate--
    (1) Which assessment method(s) were used to determine if the 
policies, procedures, and capabilities described by the owner/operator 
in its COIP are effective; and
    (2) Results of the individual assessment methodologies.
    (f) Annual update of the CAP. The owner/operator must review and 
annually update the CAP to address any changes to policies, procedures, 
measures, or capabilities in the COIP or assessment capabilities 
required by paragraph (b). The updated CAP must be submitted to TSA for 
approval no later than 12 months from the date of TSA's approval of the 
current CAP.
    (g) Assessments conducted under this section are vulnerability 
assessments as defined in 1500.3 of this chapter and must be protected 
as Sensitive Security Information under Sec.  1520.5(b)(5) of this 
chapter.


Sec.  1582.231  Documentation to establish compliance.

    For the purposes of the requirements in this subpart, upon TSA's 
request, the owner/operator must provide for inspection or copying the 
following types of information to establish compliance:
    (a) Hardware/software asset inventory, including supervisory 
control and data acquisition (SCADA) systems;
    (b) Firewall rules;
    (c) Network diagrams, switch and router configurations, 
architecture diagrams, publicly routable internet protocol addresses, 
and Virtual Local Area Networks;
    (d) Policy, procedural, and other documents that informed the 
development, and documented implementation of, the owner/operator's CRM 
program;
    (e) Data providing a ``snapshot'' of activity on and between 
Information and Operational Technology systems such as:
    (1) Log files;
    (2) A capture of network traffic (such as packet capture (PCAP)), 
for a scope and period directed by TSA, not less than 24 hours and not 
to exceed 48 hours;
    (3) ``East-West Traffic'' of Information Technology systems, sites, 
and environments within the scope of this subpart; and
    (4) ``North-South Traffic'' between Information and Operational 
Technology systems, and the perimeter boundaries between them; and
    (f) Any other records or documents necessary to determine 
compliance with this subpart.
25. Revise appendix B to part 1582 to read as follows:

Appendix B to Part 1582--Security-Sensitive Job Functions for Public 
Transportation and Passenger Railroads

    This table identifies security-sensitive job functions for 
owner/operators regulated under this part. All employees performing 
security-sensitive functions are ``security-sensitive employees'' 
for purposes of this rule and must be trained in accordance with 
this part.

----------------------------------------------------------------------------------------------------------------
                                                Security-sensitive job functions for public transportation and
                 Categories                                       passenger railroads (PTPR)
----------------------------------------------------------------------------------------------------------------
A. Operating a vehicle......................  1. Employees who--
                                              a. Operate or control the movements of trains, other rail
                                               vehicles, or transit buses.
                                              b. Act as train conductor, trainman, brakeman, or utility employee
                                               or performs acceptance inspections, couples and uncouples rail
                                               cars, applies handbrakes, or similar functions.
                                              2. Employees covered under the Federal hours of service laws as
                                               ``train employees.'' See 49 U.S.C. 21101(5) and 21103.
B. Inspecting and maintaining vehicles......  Employees who--
                                              1. Perform activities related to the diagnosis, inspection,
                                               maintenance, adjustment, repair, or overhaul of electrical or
                                               mechanical equipment relating to vehicles, including functions
                                               performed by mechanics and automotive technicians.
                                              2. Provide cleaning services to vehicles owned, operated, or
                                               controlled by an owner/operator regulated under this subchapter.
C. Inspecting or maintaining building or      Employees who--
 transportation infrastructure.               1. Maintain, install, or inspect communication systems and signal
                                               equipment related to the delivery of transportation services.
                                              2. Maintain, install, or inspect track and structures, including,
                                               but not limited to, bridges, trestles, and tunnels.
                                              3. Provide cleaning services to stations and terminals owned,
                                               operated, or controlled by an owner/operator regulated under this
                                               subchapter that are accessible to the general public or
                                               passengers.
                                              4. Provide maintenance services to stations, terminals, yards,
                                               tunnels, bridges, and operation control centers owned, operated,
                                               or controlled by an owner/operator regulated under this
                                               subchapter.
                                              5. Employees covered under the Federal hours of service laws as
                                               ``signal employees.'' See 49 U.S.C. 21101(4) and 21104.
D. Controlling dispatch or movement of a      Employees who--
 vehicle.                                     1. Dispatch, report, transport, receive or deliver orders
                                               pertaining to specific vehicles, coordination of transportation
                                               schedules, tracking of vehicles and equipment.
                                              2. Manage day-to-day management delivery of transportation
                                               services and the prevention of, response to, and redress of
                                               service disruptions.
                                              3. Supervise the activities of train crews, car movements, and
                                               switching operations in a yard or terminal.
                                              4. Dispatch, direct, or control the movement of trains or buses.
                                              5. Operate or supervise the operations of moveable bridges.
                                              6. Employees covered under the Federal hours of service laws as
                                               ``dispatching service employees.'' See 49 U.S.C. 21101(2) and
                                               21105.
E. Providing security of the owner/           Employees who--
 operator's equipment and property.           1. Provide for the security of PTPR equipment and property,
                                               including acting as a police officer.
                                              2. Patrol and inspect property of an owner/operator regulated
                                               under subchapter to protect the property, personnel, passengers
                                               and/or cargo.
F. Loading or unloading cargo or baggage....  Employees who load, or oversee loading of, property tendered by or
                                               on behalf of a passenger on or off of a portion of a train that
                                               will be inaccessible to the passenger while the train is in
                                               operation.

[[Page 88579]]

 
G. Interacting with travelling public (on     Employees who provide services to passengers on-board a train or
 board a vehicle or within a transportation    bus, including collecting tickets or cash for fares, providing
 facility).                                    information, and other similar services. Including:
                                              1. On-board food or beverage employees.
                                              2. Functions on behalf of an owner/operator regulated under this
                                               subchapter that require regular interaction with travelling
                                               public within a transportation facility, such as ticket agents.
H. Complying with security programs or        1. Employees who serve as security coordinators designated in Sec.
 measures, including those required by          Sec.   1582.103 and 1582.211 of this subchapter, as well as any
 Federal law.                                  designated alternates or secondary security coordinators.
                                              2. Employees who--
                                              a. Conduct training and testing of employees when the training or
                                               testing is required by TSA's security regulations.
                                              b. Manage or direct implementation of security plan requirements.
----------------------------------------------------------------------------------------------------------------

0
26. Add appendix C to part 1582 to read as follows:

Appendix C to Part 1582--Reporting of Significant Physical Security 
Concerns

----------------------------------------------------------------------------------------------------------------
                  Category                                                Description
----------------------------------------------------------------------------------------------------------------
Breach, Attempted Intrusion, and/or           Unauthorized personnel attempting to or actually entering a
 Interference.                                 restricted area or secure site relating to a transportation
                                               facility or conveyance owned, operated, or used by an owner/
                                               operator subject to this part. This includes individuals entering
                                               or attempting to enter by impersonation of authorized personnel
                                               (for example, police/security, janitor, vehicle owner/operator).
                                               Activity that could interfere with the ability of employees to
                                               perform duties to the extent that security is threatened.
Misrepresentation...........................  Presenting false, or misusing, insignia, documents, and/or
                                               identification, to misrepresent one's affiliation with an owner/
                                               operator subject to this part to cover possible illicit activity
                                               that may pose a risk to transportation security.
Theft, Loss, and/or Diversion...............  Stealing or diverting identification media or badges, uniforms,
                                               vehicles, keys, tools capable of compromising track integrity,
                                               portable derails, technology, or classified or sensitive security
                                               information documents which are proprietary to the facility or
                                               conveyance owned, operated, or used by an owner/operator subject
                                               to this part.
Sabotage, Tampering, and/or Vandalism.......  Damaging, manipulating, or defeating safety and security
                                               appliances in connection with a facility, infrastructure,
                                               conveyance, or routing mechanism, resulting in the compromised
                                               use or the temporary or permanent loss of use of the facility,
                                               infrastructure, conveyance or routing mechanism. Placing or
                                               attaching a foreign object to a rail car or transit vehicle(s).
Expressed or Implied Threat.................  Communicating a spoken or written threat to damage or compromise a
                                               facility/infrastructure/conveyance owned, operated, or used by an
                                               owner/operator subject to this part (for example, a bomb threat
                                               or active shooter).
Eliciting Information.......................  Questioning that may pose a risk to transportation or national
                                               security, such as asking one or more employees of an owner/
                                               operator subject to this part about particular facets of a
                                               facility's or conveyance's purpose, operations, or security
                                               procedures.
Testing or Probing of Security..............  Deliberate interactions with employees of an owner/operator
                                               subject to this part or challenges to facilities or systems
                                               owned, operated, or used by an owner/operator subject to this
                                               part that reveal physical, personnel, or security capabilities or
                                               sensitive information.
Photography.................................  Taking photographs or video of facilities, conveyances, or
                                               infrastructure owned, operated, or used by an owner/operator
                                               subject to this part in a manner that may pose a risk to
                                               transportation or national security. Examples include taking
                                               photographs or video of infrequently used access points,
                                               personnel performing security functions (for example, patrols,
                                               badge/vehicle checking), or security-related equipment (for
                                               example, perimeter fencing, security cameras).
Observation or Surveillance.................  Demonstrating unusual interest in facilities or loitering near
                                               conveyances, railcar routing appliances or any potentially
                                               critical infrastructure owned or operated by an owner/operator
                                               subject to this part in a manner that may pose a risk to
                                               transportation or national security. Examples include observation
                                               through binoculars, taking notes, or attempting to measure
                                               distances.
Materials Acquisition and/or Storage........  Acquisition and/or storage by an employee of an owner/operator
                                               subject to this part of materials such as cell phones, pagers,
                                               fuel, chemicals, toxic materials, and/or timers that may pose a
                                               risk to transportation or national security (for example, storage
                                               of chemicals not needed by an employee for the performance of his
                                               or her job duties).
Weapons Discovery, Discharge, or Seizure....  Weapons or explosives in or around a facility, conveyance, or
                                               infrastructure of an owner/operator subject to this part that may
                                               present a risk to transportation or national security (for
                                               example, discovery of weapons inconsistent with the type or
                                               quantity traditionally used by company security personnel).
Suspicious Items or Activity................  Discovery or observation of suspicious items, activity or behavior
                                               in or around a facility, conveyance, or infrastructure of an
                                               owner/operator subject to this part that results in the
                                               disruption or termination of operations (for example, halting the
                                               operation of a conveyance while law enforcement personnel
                                               investigate a suspicious bag, briefcase, or package).
----------------------------------------------------------------------------------------------------------------

PART 1584--HIGHWAY AND MOTOR CARRIER SECURITY

0
27. Revise the authority citation for part 1584 to read as follows:

    Authority:  49 U.S.C. 114; Pub. L. 110-53, 121 Stat. 266.

0
28. Revise subpart B of part 1584 to read as follows:

Subpart B--Security Programs: General

1584.101 Applicability.
1584.103 Physical Security Coordinator.

[[Page 88580]]

1584.105 Reporting of significant physical security concerns.
1584.107 Reporting cybersecurity incidents.
1584.109 [Reserved]
1584.111 [Reserved]
1584.113 Security training program requirements.
1584.115 [Reserved]


Sec.  1584.101  Applicability.

    The requirements of this subpart apply to each OTRB owner/operator 
providing fixed-route service that originates, travels through, or ends 
in a geographic location identified in appendix A to this part.


Sec.  1584.103  Physical Security Coordinator.

    (a) Each owner/operator identified in Sec.  1584.101 must designate 
and use a primary and at least one alternate Physical Security 
Coordinator at the corporate level to function as the administrator for 
sharing security-related activities and information.
    (b) The Physical Security Coordinator and alternate(s) must--
    (1) Be accessible to TSA on a 24 hours per day, seven days per week 
basis;
    (2) Serve as the primary contact(s) for intelligence information 
and security-related activities and communications with TSA. Any 
individual designated as a Physical Security Coordinator may perform 
other duties in addition to the duties described in this section; and
    (3) Coordinate security practices and procedures required by this 
subchapter internally and with appropriate law enforcement and 
emergency response agencies.
    (c) The Physical Security Coordinator and alternate(s) must be a 
U.S. citizen eligible for a security clearance, unless otherwise waived 
by TSA.
    (d) Each owner/operator required to have a Physical Security 
Coordinator must provide in writing to TSA the names, U.S. citizenship 
status, titles, business phone number(s), and business email 
address(es) of the Physical Security Coordinator and alternate Physical 
Security Coordinator(s). Changes in any of the information required by 
this section must be submitted to TSA within seven calendar days.


Sec.  1584.105  Reporting of significant physical security concerns.

    (a) Each owner/operator identified in Sec.  1584.101 must report, 
within 24 hours of initial discovery, any potential threats and 
significant physical security concerns involving transportation-related 
operations in the United States or transportation to, from, or within 
the United States as soon as possible by the methods prescribed by TSA.
    (b) Potential threats or significant physical security concerns 
encompass incidents, suspicious activities, and threat information 
including, but not limited to, the categories of reportable events 
listed in appendix C to this part.
    (c) Information reported must include the following, as available 
and applicable:
    (1) The name of the reporting individual and contact information, 
including a telephone number or email address.
    (2) The affected conveyance, station, terminal, or other 
transportation facility or infrastructure, including identifying 
information and current location.
    (3) Scheduled origination and termination locations for the 
affected bus--including departure and destination station, city, and 
route, as applicable.
    (4) Description of the threat, incident, or activity, including who 
has been notified and what action has been taken.
    (5) The names, other available biographical data, and/or 
descriptions (including vehicle or license plate information) of 
individuals or motor vehicles known or suspected to be involved in the 
threat, incident, or activity.
    (6) The source of any threat information.


Sec.  1584.107  Reporting cybersecurity incidents.

    (a) Reporting Cybersecurity Incidents. Unless otherwise directed by 
TSA, each owner/operator identified in Sec.  1584.101 must notify CISA 
of any Reportable Cybersecurity Incidents, as defined in the TSA 
Cybersecurity Lexicon, as soon as practicable, but no later than 24 
hours after a Reportable Cybersecurity Incident is identified.
    (b) Reports required by this section must be made by the methods 
prescribed by TSA. All reported information will be protected in a 
manner appropriate for the sensitivity and criticality of the 
information.
    (c) The report to CISA must include the following information, as 
available to the reporting owner/operator at the time of the report:
    (1) The name of the reporting individual and contact information, 
including a telephone number and email address. The report must also 
explicitly specify that the information is being reported to satisfy 
the reporting requirements in Transportation Security Regulations.
    (2) The affected conveyance, system(s) or facilities, including 
identifying information and location.
    (3) Description of the threat, incident, or activity, to include:
    (i) Earliest known date of compromise;
    (ii) Date of detection;
    (iii) Information about who has been notified and what action has 
been taken;
    (iv) Any relevant information observed or collected by the owner/
operator, such as malicious Internet Protocol addresses, malicious 
domains, malware hashes and/or samples, or the abuse of legitimate 
software or accounts; and
    (v) Any known threat information, to include information about the 
source of the threat or cybersecurity incident, if available.
    (4) A description of the incident's impact or potential impact on 
Information or Operational Technology systems and operations. This 
information must also include an assessment of actual or imminent 
adverse impacts to service operations, operational delays, and/or data 
theft that have or are likely to be incurred, as well as any other 
information that would be informative in understanding the impact or 
potential impact of the cybersecurity incident.
    (5) A description of all responses that are planned or under 
consideration.
    (6) Any additional information not specifically required by this 
section, but which is critical to an understanding of the threat and 
owner/operator's response to a reportable cybersecurity incident.
    (d) If all the required information is not available at the time of 
reporting, owner/operators must submit an initial report within the 
specified timeframe and supplement as additional information becomes 
available.


Sec.  1584.109  [Reserved]


Sec.  1584.111  [Reserved]


Sec.  1584.113  Security training program requirements.

    (a) Applicability. This section applies to each owner/operator 
identified in Sec.  1584.101.
    (b) Training required for security-sensitive employees. No owner/
operator identified in paragraph (a) of this section may use a 
security-sensitive employee to perform a function identified in 
Appendix B to this part, unless that individual has received training 
as part of a security training program approved by TSA or is under the 
direct supervision of an employee who has received the training 
required by this section as applicable to that security-sensitive 
function. Upon approval, this security training program becomes part of 
the owner/operator's TSA-approved security program.
    (c) Limits on use of untrained employees. Notwithstanding paragraph 
(b) of this section, a security-sensitive

[[Page 88581]]

employee may not perform a security-sensitive function for more than 60 
calendar days without receiving security training.
    (d) General requirements. Each owner/operator required to provide 
security training to its employees under this section must submit their 
security training program to TSA for approval in a form and manner 
prescribed by TSA. The security training program must include the 
following information:
    (1) Name of owner/operator.
    (2) Name, title, telephone number, and email address of the primary 
individual to be contacted with regard to review of the security 
training program.
    (3) Number, by specific job function category identified in 
Appendix B to this part, of security-sensitive employees trained or to 
be trained.
    (4) Implementation schedule that identifies a specific date by 
which the required initial and recurrent security training will be 
completed.
    (5) Location where training program records will be maintained.
    (6) Plan for ensuring supervision of untrained security-sensitive 
employees performing functions identified in Appendix B to this part.
    (7) Plan for notifying employees of changes to security measures 
that could change information provided in previously provided training.
    (8) Method(s) for evaluating the effectiveness of the security 
training program in each area required by paragraph (e) of this 
section.
    (e) General curriculum requirements. The security training program 
submitted to TSA for approval must include a curriculum or lesson plan, 
including learning objectives and method of delivery (such as 
instructor-led or computer-based training) for each course used to meet 
the requirements in paragraph (f) of this section. TSA may request 
additional information regarding the curriculum during the review and 
approval process. If recurrent training under paragraph (j) of this 
section is not the same as initial training, a curriculum or lesson 
plan for the recurrent training will need to be submitted and approved 
by TSA.
    (f) Specific curriculum requirements. (1) Prepare. Each owner/
operator must ensure that each of its security-sensitive employees with 
position- or function-specific responsibilities under the owner/
operator's security program have knowledge of how to fulfill those 
responsibilities in the event of a security threat, breach, or incident 
to ensure--
    (i) Employees with responsibility for transportation security 
equipment and systems are aware of their responsibilities and can 
verify the equipment and systems are operating and properly maintained; 
and
    (ii) Employees with other duties and responsibilities under the 
company's security plans and/or programs, including those required by 
Federal law, know their assignments and the steps or resources needed 
to fulfill them.
    (2) Observe. Each owner/operator must ensure that each of its 
security-sensitive employees has knowledge of the observational skills 
necessary to recognize--
    (i) Suspicious and/or dangerous items, such as substances, 
packages, or conditions (for example, characteristics of an Improvised 
Explosive Device and signs of equipment tampering or sabotage);
    (ii) Combinations of actions and individual behaviors that appear 
suspicious and/or dangerous, inappropriate, inconsistent, or out of the 
ordinary for the employee's work environment, which could indicate a 
threat to transportation security; and
    (iii) How a terrorist or someone with malicious intent may attempt 
to gain sensitive information or take advantage of vulnerabilities.
    (3) Assess. Each owner/operator must ensure that each of its 
security-sensitive employees has knowledge necessary to--
    (i) Determine whether the item, individual, behavior, or situation 
requires a response as a potential terrorist threat based on the 
respective transportation environment; and
    (ii) Identify appropriate responses based on observations and 
context.
    (4) Respond. Each owner/operator must ensure that each of its 
security-sensitive employees has knowledge of how to--
    (i) Appropriately report a security threat, including knowing how 
and when to report internally to other employees, supervisors, or 
management, and externally to Local, State, or Federal agencies 
according to the owner/operator's security procedures or other relevant 
plans;
    (ii) Interact with the public and first responders at the scene of 
the threat or incident, including communication with passengers on 
evacuation and any specific procedures for individuals with 
disabilities and the elderly; and
    (iii) Use any applicable self-defense devices or other protective 
equipment provided to employees by the owner/operator.
    (g) Relation to other training. Training conducted by owner/
operators to comply with other requirements or standards, such as 
training for communicating with emergency responders to arrange the 
evacuation of passengers, may be combined with, and used to satisfy, 
elements of the training requirements in this section.
    (h) Submission. If commencing or modifying operations subject to 
these requirements after June 21, 2021, the training program must be 
submitted to TSA no later than 90 calendar days before commencing new 
or modified operations.
    (i) Initial security training. Each owner/operator must provide 
initial security training to security-sensitive employees, using the 
curriculum approved by TSA and in compliance with the following 
schedule.
    (1) For security training programs submitted to TSA for approval 
after March 22, 2021, if the employee is employed to perform a 
security-sensitive function on the date TSA approves the program, then 
initial training must be provided no later than twelve months after the 
date that TSA approves the owner/operator's security training program.
    (2) If performance of a security-sensitive job function is 
initiated after TSA approves the owner/operator's security training 
program, then initial training must be provided no later than 60 
calendar days after the employee first performs the security-sensitive 
job function.
    (3) If the security-sensitive job function is performed 
intermittently, then initial security training must be provided no 
later than the 60th calendar day of employment performing a security-
sensitive function, aggregated over a consecutive 12-month period.
    (j) Recurrent security training. (1) Except as provided in 
paragraph (j)(2) of this section, a security-sensitive employee 
required to receive training must receive the required training at 
least once every 3 years.
    (2) If an owner/operator modifies a security program or security 
plan for which training is required, the owner/operator must ensure 
each security-sensitive employee with position- or function-specific 
responsibilities related to the revised plan or program changes 
receives training on the revisions within 90 days of implementation of 
the revised plan or program changes. All other employees must receive 
training that reflects the changes to the operating security 
requirements as part of their regularly scheduled recurrent training.
    (3) The 3-year recurrent training cycle is based on the anniversary 
calendar month of the employee's initial security training. If the 
owner/operator provides the recurrent security training in the month 
of, the month before, or the month after it is due, the employee is

[[Page 88582]]

considered to have taken the training in the month it is due.
    (k) Recognition of prior training. Previously provided security 
training may be credited towards satisfying the requirements of this 
section provided the owner/operator--
    (1) Obtains a complete record of such training and validates the 
training meets requirements of this section as it relates to the 
function of the individual security-sensitive employee, and the 
training was provided within the schedule required for recurrent 
training; and
    (2) Retains a record of such training in compliance with the 
requirements in paragraph (l).
    (l) Retention of security training records. The owner/operator must 
retain records of initial and recurrent security training records for 
each individual required to receive security training under this 
section for no less than 5 years from the date of training that, at a 
minimum--
    (1) Includes employee's full name, job title or function, date of 
hire, and date of initial and recurrent security training; and
    (2) Identifies the date, course name, course length, and list of 
topics addressed for the security training most recently provided in 
each of the areas required under paragraph (e) of this section.
    (m) Availability of records to employees. The owner/operator must 
provide records of security training to current and former employees 
upon request and at no charge as necessary to provide proof of 
training.
    (n) Incorporation into security program. Once approved by TSA, the 
security training program required by this section is part of the 
owner/operator's TSA-approved security program. The owner/operator must 
implement and maintain the security training program and comply with 
timeframes for implementation identified in the security training 
program. Any modifications or amendments to the program must be made as 
stipulated in Sec.  1570.107 of this subchapter.
    (o) Situations requiring owner/operator to revise security training 
program. The owner/operator must submit a request to amend its security 
program if, after approval, the owner/operator makes, or intends to 
make, permanent (to be in effect for 60 or more calendar days) or 
substantive changes to its security training curriculum, including 
changes to address:
    (1) Determinations that the security training program is 
ineffective based on the approved method for evaluating effectiveness 
in the security training program approved by TSA; or
    (2) Development of recurrent training material for purposes of 
meeting the requirements in paragraph (j) of this section or other 
alternative training materials not previously approved by TSA.


Sec.  1584.115  [Reserved]

0
29. Revise appendix B to part 1584 to read as follows:

Appendix B to Part 1584--Security-Sensitive Job Functions for Over-the-
Road Buses

    This table identifies security-sensitive job functions for 
owner/operators regulated under this part. All employees performing 
security-sensitive functions are ``security-sensitive employees'' 
for purposes of this rule and must be trained in accordance with 
this part.

----------------------------------------------------------------------------------------------------------------
                 Categories                        Security-sensitive job functions for over-the-road buses
----------------------------------------------------------------------------------------------------------------
A. Operating a vehicle......................  Employees who have a CDL and operate an OTRB.
B. Inspecting and maintaining vehicles......  Employees who--
                                              1. Perform activities related to the diagnosis, inspection,
                                               maintenance, adjustment, repair, or overhaul of electrical or
                                               mechanical equipment relating to vehicles, including functions
                                               performed by mechanics and automotive technicians.
                                              2. Does not include cleaning or janitorial activities.
C. Inspecting or maintaining building or      Employees who--
 transportation infrastructure.               1. Provide cleaning services to areas of facilities owned,
                                               operated, or controlled by an owner/operator regulated under this
                                               subchapter that are accessible to the general public or
                                               passengers.
                                              2. Provide cleaning services to vehicles owned, operated, or
                                               controlled by an owner/operator regulated under this part (does
                                               not include vehicle maintenance).
                                              3. Provide general building maintenance services to buildings
                                               owned, operated, or controlled by an owner/operator regulated
                                               under this part.
D. Controlling dispatch or movement of a      Employees who--
 vehicle.                                     1. Dispatch, report, transport, receive or deliver orders
                                               pertaining to specific vehicles, coordination of transportation
                                               schedules, tracking of vehicles and equipment.
                                              2. Manage day-to-day delivery of transportation services and the
                                               prevention of, response to, and redress of disruptions to these
                                               services.
                                              3. Perform tasks requiring access to or knowledge of specific
                                               route information.
E. Providing security of the owner/           Employees who patrol and inspect property of an owner/operator
 operator's equipment and property.            regulated under this part to protect the property, personnel,
                                               passengers and/or cargo.
F. Loading or unloading cargo or baggage....  Employees who load, or oversee loading of, property tendered by or
                                               on behalf of a passenger on or off of a portion of a bus that
                                               will be inaccessible to the passenger while the vehicle is in
                                               operation.
G. Interacting with travelling public (on     Employees who--
 board a vehicle or within a transportation   1. Provide services to passengers on-board a bus, including
 facility).                                    collecting tickets or cash for fares, providing information, and
                                               other similar services.
                                              2. Includes food or beverage employees, tour guides, and functions
                                               on behalf of an owner/operator regulated under this part that
                                               require regular interaction with travelling public within a
                                               transportation facility, such as ticket agents.
H. Complying with security programs or        1. Employees who serve as security coordinators designated in Sec.
 measures, including those required by           1584.103 of this subchapter, as well as any designated
 Federal law.                                  alternates or secondary security coordinators.
                                              2. Employees who--
                                              a. Conduct training and testing of employees when the training or
                                               testing is required by TSA's security regulations.
                                              b. Manage or direct implementation of security plan requirements.
----------------------------------------------------------------------------------------------------------------


[[Page 88583]]

■ 30. Add appendix C to part 1584 to read as follows:

Appendix C to Part 1584--Reporting of Significant Physical Security 
Concerns

----------------------------------------------------------------------------------------------------------------
                  Category                                                Description
----------------------------------------------------------------------------------------------------------------
Breach, Attempted Intrusion, and/or           Unauthorized personnel attempting to or actually entering a
 Interference.                                 restricted area or secure site relating to a transportation
                                               facility or conveyance owned, operated, or used by an owner/
                                               operator subject to this part. This includes individuals entering
                                               or attempting to enter by impersonation of authorized personnel
                                               (for example, police/security, janitor, vehicle owner/operator).
                                               Activity that could interfere with the ability of employees to
                                               perform duties to the extent that security is threatened.
Misrepresentation...........................  Presenting false, or misusing, insignia, documents, and/or
                                               identification, to misrepresent one's affiliation with an owner/
                                               operator subject to this part to cover possible illicit activity
                                               that may pose a risk to transportation security.
Theft, Loss, and/or Diversion...............  Stealing or diverting identification media or badges, uniforms,
                                               vehicles, keys, tools capable of compromising operating systems,
                                               technology, or classified or sensitive security information
                                               documents which are proprietary to the facility or conveyance
                                               owned, operated, or used by an owner/operator subject to this
                                               part.
Sabotage, Tampering, and/or Vandalism.......  Damaging, manipulating, or defeating safety and security
                                               appliances in connection with a facility, infrastructure,
                                               conveyance, or routing mechanism, resulting in the compromised
                                               use or the temporary or permanent loss of use of the facility,
                                               infrastructure, conveyance or routing mechanism. Placing or
                                               attaching a foreign object to a conveyance.
Expressed or Implied Threat.................  Communicating a spoken or written threat to damage or compromise a
                                               facility/infrastructure/conveyance owned, operated, or used by an
                                               owner/operator subject to this part (for example, a bomb threat
                                               or active shooter).
Eliciting Information.......................  Questioning that may pose a risk to transportation or national
                                               security, such as asking one or more employees of an owner/
                                               operator subject to this part about particular facets of a
                                               facility's or conveyance's purpose, operations, or security
                                               procedures.
Testing or Probing of Security..............  Deliberate interactions with employees of an owner/operator
                                               subject to this part or challenges to facilities or systems
                                               owned, operated, or used by an owner/operator subject to this
                                               part that reveal physical, personnel, or security capabilities or
                                               sensitive information.
Photography.................................  Taking photographs or video of facilities, conveyances, or
                                               infrastructure owned, operated, or used by an owner/operator
                                               subject to this part in a manner that may pose a risk to
                                               transportation or national security. Examples include taking
                                               photographs or video of infrequently used access points,
                                               personnel performing security functions (for example, patrols,
                                               badge/vehicle checking), or security-related equipment (for
                                               example, perimeter fencing, security cameras).
Observation or Surveillance.................  Demonstrating unusual interest in facilities or loitering near
                                               conveyances, railcar routing appliances or any potentially
                                               critical infrastructure owned or operated by an owner/operator
                                               subject to this part in a manner that may pose a risk to
                                               transportation or national security. Examples include observation
                                               through binoculars, taking notes, or attempting to measure
                                               distances.
Materials Acquisition and/or Storage........  Acquisition and/or storage by an employee of an owner/operator
                                               subject to this part of materials such as cell phones, pagers,
                                               fuel, chemicals, toxic materials, and/or timers that may pose a
                                               risk to transportation or national security (for example, storage
                                               of chemicals not needed by an employee for the performance of his
                                               or her job duties).
Weapons Discovery, Discharge, or Seizure....  Weapons or explosives in or around a facility, conveyance, or
                                               infrastructure of an owner/operator subject to this part that may
                                               present a risk to transportation or national security (for
                                               example, discovery of weapons inconsistent with the type or
                                               quantity traditionally used by company security personnel).
Suspicious Items or Activity................  Discovery or observation of suspicious items, activity or behavior
                                               in or around a facility, conveyance, or infrastructure of an
                                               owner/operator subject to this part that results in the
                                               disruption or termination of operations (for example, halting the
                                               operation of a conveyance while law enforcement personnel
                                               investigate a suspicious bag, briefcase, or package).
----------------------------------------------------------------------------------------------------------------

■ 31. Add part 1586 to read as follows:

PART 1586--PIPELINE FACILITIES AND SYSTEMS SECURITY

Subpart A--General
Sec.
1586.1 Scope.
1586.3 Terms used in this part.
1586.5 Harmonization of Federal regulation.
Subpart B--Security Programs: Physical Security
Sec.
1586.101 Scope and applicability.
1586.103 Physical Security Coordinator.
1586.105 Reporting of significant physical security concerns.
Subpart C--Cybersecurity Risk Management
Sec.
1586.201 Scope and applicability.
1586.203 Form, content, and availability of Cybersecurity Risk 
Management program.
1586.205 Cybersecurity evaluation.
1586.207 Cybersecurity Operational Implementation Plan.
1586.209 Governance of the CRM program.
1586.211 Cybersecurity Coordinator.
1586.213 Identification of Critical Cyber Systems.
1586.215 Supply chain risk management.
1586.217 Protection of Critical Cyber Systems.
1586.219 Cybersecurity training and knowledge.
1586.221 Detection of cybersecurity incidents.
1586.223 Capabilities to respond to a cybersecurity incident.
1586.225 Reporting cybersecurity incidents.
1586.227 Cybersecurity Incident Response Plan.
1586.229 Cybersecurity Assessment Plan.
1586.231 Documentation to establish compliance.

Appendix A to Part 1586--Reporting of Significant Physical Security 
Concerns

    Authority:  49 U.S.C. 114; Public Law 110-53, 121 Stat. 266.

Subpart A--General


Sec.  1586.1  Scope.

    This part includes requirements for the following persons. Specific 
sections in this part provide detailed applicability and requirements.

[[Page 88584]]

    (a) Each person that owns or operates a hazardous liquid pipeline 
or system that is regulated under 49 CFR part 195; operates a primary 
control room responsible for multiple systems; or has a contract with 
the Defense Logistics Agency to supply hazardous liquids.
    (b) Each person that owns or operates a natural and other gas 
pipeline system that is regulated under 49 CFR part 192; operates a 
primary control room responsible for multiple systems; or provides 
natural gas service to service points.
    (c) Each person that owns or operates a liquefied natural gas 
facility that is regulated under 49 CFR part 193.


Sec.  1586.3  Terms used in this part.

    In addition to the terms in Sec. Sec.  1500.3, 1500.5, and 1503.103 
of this chapter, the following terms apply to this part.
    Control Room means an operations center staffed by personnel 
charged with responsibility for remotely monitoring and controlling a 
pipeline facility.
    High Consequence Area has the same meaning as ``high-consequence 
area'' as defined in 49 CFR 192.903 and 49 CFR 195.450, as applicable.
    Industrial control system (ICS) means an information system used to 
control industrial processes such as manufacturing, product handling, 
production, and distribution. Industrial control systems include 
supervisory control and data acquisition systems used to control 
geographically dispersed assets, as well as distributed control systems 
and smaller control systems using programmable logic controllers to 
control localized processes.
    Peak-shaving facility means a pipeline facility that stores 
liquefied natural gas to meet demand spikes.


Sec.  1586.5  Harmonization of Federal regulation.

    TSA will coordinate activities under this part with the Federal 
Energy Regulatory Commission (FERC), and the Pipeline and Hazardous 
Materials Safety Administration (PHMSA) of the Department of 
Transportation with respect to regulation of pipeline systems and 
facilities that are also licensed or regulated by the FERC or PHMSA, to 
avoid conflicting requirements and minimize redundancy of compliance 
activities.

Subpart B--Security Programs: Physical Security


Sec.  1586.101  Scope and applicability.

    (a) Scope. This subpart includes requirements that are primarily 
intended to ensure the physical security of pipeline facilities and 
systems. Physical security encompasses the security of systems and 
facilities, as well as the persons in areas in or near to operations 
that could have their safety and security threatened by an attack on 
physical systems and assets. Owner/operators identified in Sec.  1586.1 
must review the applicability in each section in this subpart to 
determine if any of the requirements apply to their operations.
    (b) Applicability. Except as provided in paragraph (c) of this 
section, this subpart includes requirements for each owner/operator 
that meets any of the following criteria:
    (1) Owns or operates a hazardous liquid or carbon dioxide pipeline 
or system regulated under 49 CFR part 195 and meets any of the 
following criteria:
    (i) Delivers hazardous liquids or carbon dioxide more than 50 
million barrels in any of the 3 calendar years before [EFFECTIVE DATE 
OF FINAL RULE] or any single calendar year after [EFFECTIVE DATE OF 
FINAL RULE]; or
    (ii) Has more than 200 segment miles of pipeline transporting 
hazardous liquid or carbon dioxide that could affect a High Consequence 
Area.
    (2) Owns or operates a primary control room responsible for 
multiple hazardous liquid or carbon dioxide systems regulated under 49 
CFR part 195 and the total annual combined delivery for these systems 
is greater than 50 million barrels in any of the 3 calendar years 
before [EFFECTIVE DATE OF FINAL RULE] or any single calendar year after 
[EFFECTIVE DATE OF FINAL RULE].
    (3) Owns or operates a hazardous liquid or carbon dioxide pipeline 
or system regulated under 49 CFR part 195 that has a contract with the 
Defense Logistics Agency to supply hazardous liquids more than 70,000 
barrels annually.
    (4) Owns or operates a natural and other gas pipeline system that 
is regulated under 49 CFR part 192 and meets any of the following 
criteria:
    (i) Delivered natural or other gas more than 275 million dekatherms 
annually in any of the 3 calendar years before [EFFECTIVE DATE OF FINAL 
RULE] or any single calendar year after [EFFECTIVE DATE OF FINAL RULE];
    (ii) Delivered natural or other gas to 275,000 or more meters (or 
service points) annually in any of the 3 calendar years before 
[EFFECTIVE DATE OF FINAL RULE] or any single calendar year after 
[EFFECTIVE DATE OF FINAL RULE]; or
    (iii) Transmits natural or other gas more than 200 segment miles 
through a High Consequence Area.
    (5) Operates a primary control room responsible for multiple 
natural or other gas pipeline systems regulated under 49 CFR part 192, 
and the combined total annual delivery or transmission for these 
systems is greater than 275 million dekatherms in any of the 3 calendar 
years before [EFFECTIVE DATE OF FINAL RULE] or any single calendar year 
after [EFFECTIVE DATE OF FINAL RULE].
    (6) Owns or operates a natural or other gas pipeline system 
regulated under 49 CFR part 192 that provides natural gas service to 
275,000 or more meters (or service points) annually in any of the 3 
calendar years before [EFFECTIVE DATE OF FINAL RULE] or any single 
calendar year after [EFFECTIVE DATE OF FINAL RULE].
    (7) Each person that owns or operates a liquefied natural gas 
facility that is regulated under 49 CFR part 193 and--
    (i) Imported natural gas in any of the 3 calendar years before 
[EFFECTIVE DATE OF FINAL RULE] or any single calendar year after 
[EFFECTIVE DATE OF FINAL RULE]; or
    (ii) Operates as a ``peak-shaving facility.''
    (c) The requirements in this part do not apply to U.S. facilities 
specified in 33 CFR 105.105(a) that are regulated under 33 CFR part 105 
or facilities specified in 33 CFR 106.105(a) that are regulated under 
33 CFR part 106.


Sec.  1586.103  Physical Security Coordinator.

    (a) Each owner/operator identified in Sec.  1586.101(b) must 
designate and use a primary and at least one alternate Physical 
Security Coordinator at the corporate level to function as the 
administrator for sharing security-related activities and information.
    (b) The Physical Security Coordinator and alternate(s) must--
    (1) Be accessible to TSA on a 24 hours per day, 7 days per week 
basis;
    (2) Serve as the primary contact(s) for intelligence information 
and security-related activities and communications with TSA (any 
individual designated as a Physical Security Coordinator may perform 
other duties in addition to the duties described in this section); and
    (3) Coordinate security practices and procedures required by this 
subchapter internally and with appropriate law enforcement and 
emergency response agencies.
    (c) The Physical Security Coordinator and alternate(s) must be U.S. 
citizens eligible for a security clearance, unless otherwise waived by 
TSA.
    (d) Each owner/operator required to have a Physical Security 
Coordinator must provide in writing to TSA the names, U.S. citizenship 
status, titles, business phone number(s), and business email 
address(es) of the Physical

[[Page 88585]]

Security Coordinator and alternate Physical Security Coordinator(s). 
Changes in any of the information required by this section must be 
submitted to TSA within 7 calendar days.


Sec.  1586.105  Reporting of significant physical security concerns.

    (a) Each owner/operator identified in Sec.  1586.101(b) must 
report any potential threats and significant physical security concerns 
involving transportation-related operations in the United States, or 
transportation to, from, or within the United States, as soon as 
possible and no later than 24 hours after initial discovery, by the 
methods prescribed by TSA.
    (b) Potential threats or significant physical security concerns 
encompass incidents, suspicious activities, and threat information 
including, but not limited to, the categories of reportable events 
listed in appendix A to this part.
    (c) Information reported must include the following, as available 
and applicable:
    (1) The name of the reporting individual and contact information, 
including a telephone number or email address.
    (2) The affected system or facility, including identifying 
information and current location.
    (3) Description of the threat, incident, or activity, including who 
has been notified and what action has been taken.
    (4) The names, other available biographical data, and/or 
descriptions (including vehicle or license plate information) of 
individuals or motor vehicles known or suspected to be involved in the 
threat, incident, or activity.
    (5) The source of any threat information.

Subpart C--Cybersecurity Risk Management


Sec.  1586.201  Scope and applicability.

    (a) Scope. This subpart includes requirements to ensure the 
cybersecurity of natural and other gas, hazardous liquid, carbon 
dioxide, and liquefied natural gas pipelines, pipeline systems, and 
facilities, in order to mitigate the risk of significant harm to 
transportation facilities, as well as to persons in areas in or near 
pipeline facilities and systems, whose safety and security could be 
threatened as a result of the degradation, destruction, or malfunction 
of the systems that control this infrastructure. In addition, 
cybersecurity incidents could have significant, similar impacts on the 
supply chain, affecting the national and economic security of the 
United States.
    (b) Applicability. Each owner/operator described in Sec.  
1586.101(b) must adopt and carry out a Cybersecurity Risk Management 
(CRM) program.


Sec.  1586.203   Form, content, and availability of Cybersecurity Risk 
Management program.

    (a) General content requirements. The CRM program required by this 
subpart is a comprehensive program that includes the following 
components:
    (1) A cybersecurity evaluation completed and updated as required by 
Sec.  1586.205;
    (2) A TSA-approved Cybersecurity Operational Implementation Plan 
(COIP) that meets the requirements in Sec.  1586.207.
    (3) A Cybersecurity Assessment Plan that meets the requirements in 
Sec.  1586.229.
    (b) Subsidiaries. If a single CRM program is developed and 
implemented for multiple business units within a single corporate 
entity, any documents used to comply or establish compliance with the 
requirements in this subpart must clearly identify and distinguish 
application of the requirements to each business unit.


Sec.  1586.205  Cybersecurity evaluation.

    (a) General. Each owner/operator required to have a CRM program 
must complete an initial and recurrent cybersecurity evaluation 
sufficient to determine the owner/operator's current enterprise-wide 
cybersecurity profile of logical/virtual and physical security controls 
when evaluated against the CRM program requirements in this subpart, 
using a form provided by TSA or other tools approved by TSA.
    (b) Timing. The initial cybersecurity evaluation must be completed 
no later than [DATE 90 DAYS AFTER EFFECTIVE DATE OF FINAL RULE], but no 
more than one year before the date of submission of the owner/
operator's Cybersecurity Operational Implementation Plan required by 
Sec.  1586.207. If commencing or modifying operations subject to these 
requirements after [EFFECTIVE DATE OF FINAL RULE], the initial 
cybersecurity evaluation must be submitted to TSA no later than 45 
calendar days after commencing the new or modified operations 
triggering applicability.
    (c) Annual updates. The evaluation required by paragraph (a) of 
this section must be updated annually, no later than one year from the 
anniversary date of the previously completed evaluation.
    (d) Notification. The owner/operator must notify TSA within 7 days 
of completing the evaluation and annual updates required by this 
section. A copy of the evaluation must be provided to TSA upon request.
    (e) Sensitive Security Information. This evaluation is a 
vulnerability assessment as defined in Sec.  1500.3 of this chapter and 
must be protected as Sensitive Security Information under Sec.  
1520.5(b)(5) of this chapter.


Sec.  1586.207  Cybersecurity Operational Implementation Plan.

    (a) Requirement. Each owner/operator required to have a CRM program 
under this part must adopt a COIP.
    (b) General Content. The COIP must include the following corporate 
information:
    (1) The name and corporate address of the owner/operator;
    (2) Written attestation by the owner/operator's accountable 
executive that the COIP has been reviewed and approved by senior 
management; and
    (3) Identification of specific operations that meet the 
applicability criteria.
    (c) Specific Content. The COIP must detail the owner/operator's 
defense-in-depth plan, including physical and logical/virtual security 
controls, to comply with the requirements and security outcomes 
specified in the following sections:
    (1) Governance. The requirements for governance of the CRM program 
in Sec.  1586.209 and the designation of a Cybersecurity Coordinator 
under Sec.  1586.211.
    (2) Identification of Critical Cyber Systems, Network Architecture, 
and Interdependencies. The requirements to identify Critical Cyber 
Systems and network architecture in Sec.  1586.213 and supply chain 
risk management in Sec.  1586.215.
    (3) Procedures, policies, and capabilities to protect Critical 
Cyber Systems. The requirements for protection of Critical Cyber 
Systems in Sec.  1586.217 and training of cybersecurity-sensitive 
employees in Sec.  1586.219.
    (4) Procedures, policies, and capabilities to detect cybersecurity 
incidents. The requirements for detecting cybersecurity incidents in 
Sec.  1586.221.
    (5) Procedures, policies, and capabilities to respond to, and 
recover from, cybersecurity incidents. The requirements for responding 
to cybersecurity incidents in Sec.  1586.223, reporting cybersecurity 
incidents in Sec.  1586.225, and the Cybersecurity Incident Response 
Plan in Sec.  1586.227.
    (d) Plan of Action and Milestones. (1) To the extent an owner/
operator does not meet every requirement and security

[[Page 88586]]

outcome identified in paragraph (c)(1) through (c)(5) of this section, 
the COIP must include a plan of action and milestones (POAM).
    (2) The POAM must include:
    (i) Policies, procedures, measures, or capabilities that owner/
operator will develop or obtain, as applicable, to ensure all 
requirements and security outcomes in this subpart are met;
    (ii) Physical and logical/virtual security controls that the owner/
operator will implement to mitigate the risks associated with not fully 
complying with requirements or security outcomes in this subpart; and
    (iii) A detailed timeframe for full compliance with all 
requirements and security outcomes in this subpart, not to exceed three 
years from the date of submission to TSA of the COIP required by this 
section.
    (3) The POAM must be updated as necessary to address any 
deficiencies identified during the evaluation required by Sec.  
1586.205 or as a result of an assessment conducted under Sec.  1586.229 
that will not be immediately addressed through an update to the COIP.
    (e) Approval and implementation. (1) Submission deadlines. The COIP 
must be made available to TSA, in a form and manner prescribed by TSA, 
no later than [DATE 180 DAYS AFTER EFFECTIVE DATE OF FINAL RULE]. If 
commencing or modifying operations subject to these requirements after 
[EFFECTIVE DATE OF FINAL RULE], the COIP must be made available to TSA 
no later than 45 calendar days before commencing new or modified 
operations.
    (2) Effective date. After considering all relevant materials and 
any additional information required by TSA, TSA will notify the owner/
operator's accountable executive of TSA's decision to approve the 
owner/operator's COIP. The COIP becomes effective 30 days after the 
owner/operator is notified whether its COIP is approved.
    (3) TSA-approved security program. Once approved by TSA, the COIP, 
any appendices, and any policies or procedures incorporated by 
reference, are a TSA-approved security program, subject to the 
protections in part 1520 of this chapter and the procedures applicable 
to security programs in subpart B of part 1570 of this subchapter.
    (f) Status Report and Updates. The CRM program must be reviewed and 
updated by the owner/operator within 60 days of the evaluations or 
assessments required by Sec. Sec.  1586.205 or 1586.229, as necessary 
to address any identified vulnerabilities or weaknesses in the 
procedures, policies, or capabilities identified in the CRM program.
    (g) Revisions. Unless otherwise specified in this subpart, any 
substantive modifications or amendments to the COIP must be made in 
accordance with the procedures in Sec.  1570.107 of this subchapter.


Sec.  1586.209  Governance of the CRM program.

    (a) Accountable Executive. (1) No later than [DATE 30 DAYS FROM 
EFFECTIVE DATE OF FINAL RULE], the owner/operator must provide to TSA 
the names, titles, business telephone numbers, and business email 
addresses of the owner/operator's accountable executive and the primary 
individual to be contacted about the owner/operator's CRM program. If 
any of the information required by this paragraph changes, the owner/
operator must provide the updated information to TSA within 7 days of 
the change.
    (2) The accountable executive must be an individual who has the 
authority and knowledge necessary for the development, implementation, 
and managerial oversight of the TSA-approved CRM program, including 
cybersecurity administration, risk assessments, inspections and control 
procedures, and coordinating communications with the owner/operator's 
leadership and staff on implementation and sustainment of the CRM 
program. To the extent possible, the accountable executive should not 
be the Cybersecurity Coordinator or an individual responsible for the 
management or administration of Information Technology or Operational 
Technology systems.
    (b) COIP. The COIP must also include:
    (1) Identification of positions designated by the owner/operator to 
manage implementation of policies, procedures, and capabilities 
described in the COIP and coordinate improvements to the CRM program.
    (2) Corporate-level identification of any authorized 
representatives, as defined in the TSA Cybersecurity Lexicon, who are 
responsible for any or all the CRM program or cybersecurity measures 
identified in the CRM program, and written documentation (such as 
contractual agreements) clearly identifying the roles and 
responsibilities of the authorized representative under the CRM 
program.
    (3) The information required by paragraph (a)(1) of this section.
    (c) Process. Updating the COIP to align with information provided 
to TSA under this section does not require an amendment subject to the 
procedures in Sec.  1570.107 of this subchapter.


Sec.  1586.211  Cybersecurity Coordinator.

    (a) Each owner/operator identified in Sec.  1586.101(b) must 
designate employees at the corporate level to serve as the primary and 
at least one alternate Cybersecurity Coordinator with responsibility 
for sharing critical cybersecurity information.
    (b) The Cybersecurity Coordinator and alternate(s) must--
    (1) Serve as the primary contact for cyber-related intelligence 
information and cybersecurity-related activities and communications 
with TSA and the Cybersecurity and Infrastructure Security Agency 
(CISA);
    (2) Have the following knowledge and skills, through current 
certifications or equivalent job experience:
    (i) General cybersecurity guidance and best practices;
    (ii) Relevant law and regulations pertaining to cybersecurity;
    (iii) Handling of Sensitive Security Information and security-
related communications; and
    (iv) Current cybersecurity threats applicable to the owner/
operator's operations and systems.
    (3) Be accessible to TSA and CISA 24 hours per day, 7 days per 
week;
    (4) Have a Homeland Security Information Network (HSIN) account or 
other TSA-designated communication platform for information sharing 
relevant to the requirements in this subpart; and
    (5) Work with appropriate law enforcement and emergency response 
agencies in addressing cybersecurity threats or responding to 
cybersecurity incidents.
    (c) The Cybersecurity Coordinator and alternate(s) must be U.S. 
citizens eligible for a security clearance, unless otherwise waived by 
TSA.
    (d) Owner/operators must provide in writing to TSA the names, 
titles, business phone number(s), and business email address(es) of the 
Cybersecurity Coordinator and alternate Cybersecurity Coordinator(s) 
required by paragraph (a) of this section no later than [DATE 7 DAYS 
AFTER EFFECTIVE DATE OF FINAL RULE], within seven days of the 
commencement of new operations, or within seven days of any change in 
the information required by this section that occurs after [DATE 7 DAYS 
AFTER EFFECTIVE DATE OF FINAL RULE].
    (e) In addition to providing the information to TSA as required by 
paragraph (d), any owner/operator required to have a CRM program under 
this part must also include the information required by paragraphs (d)
of this section in the COIP. As the owner/operator must separately 
notify TSA of this information, and any changes to this information, 
updating the COIP to align with information provided to TSA under this 
section does not require an amendment subject to the procedures in 
Sec.  1570.107 of this subchapter.


Sec.  1586.213  Identification of Critical Cyber Systems.

    (a) Identifying information. The owner/operator must incorporate 
into its COIP a list of Critical Cyber Systems, as defined in the TSA 
Cybersecurity Lexicon, that provides, at a minimum, the following 
identifying information for each Critical Cyber System:
    (1) Identifier (system name or commercial name); and
    (2) System manufacturer/designer name.
    (b) Identification methodology. The owner/operator must include a 
description of the methodology and information used to identify 
Critical Cyber Systems that, at a minimum, includes the following 
information as used to identify critical systems:
    (1) Standards and factors, including system interdependencies with 
critical functions, used to identify Information Technology and 
Operational Technology systems that could be vulnerable to a 
cybersecurity incident;
    (2) Sources and data, such as known threat information relevant to 
the system, that informed decisions regarding the likelihood of the 
system being subject to a cybersecurity incident;
    (3) Potential operational impacts of a cybersecurity incident, 
including scenarios that identify potential supply chain impacts and 
how long critical operations and capabilities could be sustained with 
identified alternatives if a system is offline; and
    (4) Sustainability and operational impacts if an Information or 
Operational Technology system not identified as a Critical Cyber System 
becomes unavailable due to a cybersecurity incident.
    (c) System information and network architecture. For all Critical 
Cyber Systems, the owner/operator must provide the following 
information:
    (1) Information and Operational Technology system interdependencies 
for Critical Cyber Systems;
    (2) All external connections to Critical Cyber Systems;
    (3) Zone boundaries for Critical Cyber Systems, including a 
description of how Information and Operational Technology systems are 
defined and organized into logical/virtual zones based on criticality, 
consequence, and operational necessity;
    (4) Baseline of acceptable communications between Critical Cyber 
Systems and external connections or between Information and Operational 
Technology systems; and
    (5) Operational needs that prevent or delay implementation of the 
requirements in this subpart, such as application of security patches 
and updates, encryption of communications traversing Information and 
Operational Technology systems, and multi-factor authentication.
    (d) Additional systems. If notified by TSA, the owner/operator must 
include additional Critical Cyber Systems identified by TSA not 
previously identified by the owner/operator.
    (e) Changes in Critical Cyber Systems. Any substantive changes to 
Critical Cyber Systems require an amendment to the Cybersecurity 
Operational Implementation Plan subject to the procedures in Sec.  
1570.107 of this subchapter.


Sec.  1586.215  Supply chain risk management.

    The owner/operator must incorporate into its COIP policies, 
procedures, and capabilities to address supply chain cybersecurity 
vulnerabilities that include requiring--
    (a) All procurement documents and contracts, including service-
level agreements, executed, or updated after [EFFECTIVE DATE OF FINAL 
RULE], include a requirement for the vendor or service provider to 
notify the owner/operator of the following:
    (1) Cybersecurity incidents affecting the vendor or service 
provider within a specified timeframe sufficient for the owner/operator 
to identify and address any potential risks to their Critical Cyber 
Systems based on the scope and type of cybersecurity incident.
    (2) Confirmed security vulnerabilities affecting the goods, 
services, or capabilities provided by the vendor or service provider 
within a specified timeframe sufficient for the owner/operator to 
identify and address any potential risks to their Critical Cyber 
Systems based on the scope and type of security vulnerability.
    (b) Procurement documents and contracts, including service-level 
agreements, incorporate an evaluation by the owner/operator or 
qualified third-party of the cybersecurity measures implemented by 
vendors or service providers of goods, services, or capabilities that 
will be connected to, installed on, or used by the owner/operator's 
Critical Cyber Systems.
    (c) When provided two offerings of roughly similar cost and 
function, giving preference to the offering that provides the greater 
level of cybersecurity necessary to protect against, or effectively 
respond to, cybersecurity incidents affecting the owner/operator's 
Critical Cyber Systems.
    (d) Upon notification of a cybersecurity incident or vulnerability 
under paragraphs (a) or (b) of this section, immediate consideration of 
mitigation measures sufficient to address the resulting risk to 
Critical Cyber Systems and, as applicable, revision to the COIP in 
accordance with Sec.  1570.107 of this subchapter.


Sec.  1586.217  Protection of Critical Cyber Systems.

    The owner/operator must incorporate into its COIP policies, 
procedures, controls, and capabilities to protect Critical Cyber 
Systems that meet security performance objectives in the following 
areas--
    (a) Network segmentation. Network segmentation measures that 
protect against access to, or disruption of, the Operational Technology 
system if the Information Technology system is compromised or vice 
versa. These measures must be sufficient to--
    (1) Ensure Information and Operational Technology system services 
transit the other only when necessary for validated business or 
operational purposes;
    (2) Secure and defend zone boundaries with security controls--
    (i) To defend against unauthorized communications between zones; 
and
    (ii) To prohibit Operational Technology system services from 
traversing the Information Technology system, and vice versa, unless 
the content is encrypted at a level sufficient to secure and protect 
integrity of data and prevent corruption or compromise while in 
transit. If encryption is not technologically feasible, ensure content 
is otherwise secured and protected using compensating controls that 
provide the same level of security as encryption for data in transit.
    (b) Access control. Access control measures for Critical Cyber 
Systems, including for local and remote access, that secure and defend 
against unauthorized access to Critical Cyber Systems. These measures 
must, at a minimum, incorporate the following policies, procedures, and 
controls:
    (1) Identification and authentication requirements designed to 
prevent unauthorized access to Critical Cyber Systems that include:
    (i) A policy for memorized secret authenticator resets that 
includes criteria for passwords and when resets
must occur, including procedures to ensure implementation of these 
requirements, such as password lockouts; and
    (ii) Documented and defined logical/virtual and physical security 
controls for components of Critical Cyber Systems that will not be 
subject to the requirements in paragraph (b)(1)(i) of this section.
    (2)(i) Except as provided in paragraph (b)(2)(ii), multi-factor 
authentication, or other logical/virtual and physical security controls 
to supplement memorized secret authenticators (such as passwords) to 
provide risk mitigation commensurate to multi-factor authentication.
    (ii) An owner/operator in compliance with the requirements in 49 
CFR 192.631 and 195.446, as applicable, may rely on the physical 
security measures applied to the control room, in lieu of applying 
multi-factor authentication to specific industrial control system 
workstations in the covered control room, to satisfy the requirements 
in paragraph (b)(2)(i). If relying on 
this exception, the owner/operator must identify the applicable system 
as a Critical Cyber System; maintain compliance with the requirements 
in 49 CFR 192.631 and 195.446, as applicable; and include in the COIP a 
description of the physical security measures and other compensating 
controls used to prevent access to industrial control system 
workstations.
    (3) Management of access rights based on the principles of least 
privilege and separation of duties. Where not technically feasible to 
apply these principles, the policies and procedures must describe 
compensating controls that the owner/operator applies.
    (4) Policies and procedures that limit availability and use of 
shared accounts to those that are critical for operations, and then 
only if necessary. When the owner/operator uses shared accounts for 
operational purposes, the policies and procedures must ensure:
    (i) Access to shared accounts is limited through account management 
that uses principles of least privilege and separation of duties;
    (ii) Any individual who no longer needs access does not have 
knowledge of the memorized secret authenticator necessary to access the 
shared account; and
    (iii) Logs are maintained sufficient to enable positive user 
identification of access to shared accounts to enable forensic 
investigation following a cybersecurity incident.
    (5) Regularly updated schedule for review of existing domain trust 
relationships to ensure their necessity and established and enforced 
policies to manage these relationships.
    (c) Patch management. Measures that reduce the risk of exploitation 
of unpatched systems through the application of security patches and 
updates for operating systems, applications, drivers, and firmware on 
Critical Cyber Systems consistent with the owner/operator's risk-based 
methodology. These measures must include:
    (1) A patch management strategy that ensures all critical security 
patches and updates on Critical Cyber Systems are current. This 
strategy must include:
    (i) The risk methodology for categorizing and determining 
criticality of patches and updates, and an implementation timeline 
based on categorization and criticality; and
    (ii) Prioritization of all security patches and updates on CISA's 
Known Exploited Vulnerabilities Catalog.
    (2) In instances where the owner/operator cannot apply patches and 
updates on specific Operational Technology systems without causing a 
severe degradation of operational capability to meet business critical 
functions, the owner/operator must provide an explanation for why the 
actions cannot be taken and a description and timeline of additional 
mitigations that address the risk created by not installing the patch 
or update within the recommended timeframe.
    (d) Logging policies. Logging policies sufficient to ensure logging 
data is--
    (1) Stored in a secure and centralized system, such as a security 
information and event management tool or database on a segmented 
network that can only be accessed or modified by authorized and 
authenticated users; and
    (2) Maintained for a duration sufficient to allow for investigation 
of cybersecurity incidents as supported by a risk analysis and 
applicable standards or regulatory guidelines.
    (e) Secure back-ups. Policies that ensure all Critical Cyber 
Systems are backed-up on a regular basis consistent with operational 
need for the information, the back-ups are securely stored separate 
from the system, and policies require testing the integrity of back-ups 
to ensure that the data is free of known malicious code when the back-
ups are made.


Sec.  1586.219  Cybersecurity training and knowledge.

    (a) Training required. (1) Owner/operators required to have a CRM 
program under this subpart must provide basic cybersecurity training to 
all employees with access to the owner/operator's Information or 
Operational Technology systems.
    (2) No owner/operator required to have a CRM program under this 
subpart may permit a cybersecurity-sensitive employee to access, or 
have privileges to access, a Critical Cyber System or an Information or 
Operational Technology system that is interdependent with a Critical 
Cyber System, unless that individual has received basic and role-based 
cybersecurity training.
    (b) General curriculum requirements. The cybersecurity training 
program must include a curriculum or lesson plan, including learning 
objectives and method of delivery (such as instructor-led or computer-
based training) for each course used to meet the requirements in 
paragraphs (d) and (e) of this section. TSA may request additional 
information regarding the curriculum during the review and approval 
process. If recurrent training under paragraph (e) of this section is 
not the same as initial training, a curriculum or lesson plan for the 
recurrent training will need to be submitted and approved by TSA.
    (c) Specific curriculum requirements. (1) Basic cybersecurity 
training. All employees and contractors with access to the owner/
operator's Information or Operational Technology systems, must receive 
basic cybersecurity training that includes cybersecurity awareness to 
address best practices, acceptable use, risks associated with their 
level of privileged access, and awareness of security risks associated 
with their actions. This training must address the following topics:
    (i) Social engineering, including phishing;
    (ii) Password best practices;
    (iii) Remote work security basics;
    (iv) Safe internet and social media use;
    (v) Mobile device (wireless) vulnerabilities and network security;
    (vi) Data management and information security, including protecting 
business email, confidential information, trade secrets, and privacy; 
and
    (vii) How and to whom to report suspected inappropriate or 
suspicious activity involving Information or Operational Technology 
systems, including mobile devices provided by or connected to the 
owner/operator's Information or Operational Technology systems.
    (2) Role-based cybersecurity training. Cybersecurity-sensitive 
employees must be provided cybersecurity training that specifically 
addresses their role as a privileged user to prevent and respond to a 
cybersecurity incident, acceptable uses, and the risks associated with 
their
level of access and use as approved by the owner/operator. This 
training must address the following topics as applicable to the 
specific role:
    (i) Security measures and requirements in the COIP including how 
the requirements affect account and access management, server and 
application management, and system architecture development and 
assessment;
    (ii) Recognition and detection of cybersecurity threats, types of 
cybersecurity incidents, and techniques used to circumvent 
cybersecurity measures;
    (iii) Incident handling, including procedures for reporting a 
cybersecurity incident to the Cybersecurity Coordinator and 
understanding their roles and responsibilities during a cybersecurity 
incident and implementation of the owner/operator's Cybersecurity 
Incident Response Plan required by Sec.  1586.227;
    (iv) Requirements and sources for staying aware of changing 
cybersecurity threats and countermeasures;
    (v) Operational Technology-specific cybersecurity training for all 
personnel whose duties include access to Operational Technology 
systems.
    (d) Initial cybersecurity training. (1) Each owner/operator must 
provide initial cybersecurity training (basic and role-based, as 
applicable) to employees and contractors, using the curriculum approved 
by TSA no later than 60 days after the effective date of the owner/
operator's TSA-approved COIP required by this subpart.
    (2) For individuals who onboard or become cybersecurity-sensitive 
employees after the effective date of the owner/operator's TSA-approved 
COIP who did not receive training within the period identified in 
paragraph (d)(1) of this section, the individual must receive the 
applicable cybersecurity training no later than 10 days after 
onboarding.
    (e) Recurrent cybersecurity training. Employees and contractors 
must receive annual recurrent cybersecurity training no later than the 
anniversary calendar month of the employee's initial cybersecurity 
training. If the owner/operator provides the recurrent cybersecurity 
training in the month of, the month before, or the month after it is 
due, the employee is considered to have taken the training in the month 
it is due.
    (f) Recognition of prior or established cybersecurity training. 
Previously provided cybersecurity training may be credited towards 
satisfying the requirements of this section provided the owner/
operator--
    (1) Obtains a complete record of such training and validates the 
training meets requirements of this section as it relates to the role 
of the individual employee, and the training was provided within the 
schedule required for recurrent training; and
    (2) Retains a record of such training in compliance with the 
requirements in paragraph (g) of this section.
    (g) Retention of cybersecurity training records. The owner/operator 
must retain records of initial and recurrent cybersecurity training 
records for each individual required to receive cybersecurity training 
under this section for no less than 5 years from the date of training 
that, at a minimum--
    (1) Includes employee's full name, job title or function, date of 
hire, and date of initial and recurrent cybersecurity training; and
    (2) Identifies the date, course name, course length, and list of 
topics addressed for the cybersecurity training most recently provided 
in each of the areas required under paragraph (c) of this section.
    (h) Availability of records to employees. The owner/operator must 
provide records of cybersecurity training to current and former 
employees upon request and at no charge as necessary to provide proof 
of training.


Sec.  1586.221  Detection of cybersecurity incidents.

    The owner/operator must incorporate into its COIP policies, 
procedures, and capabilities sufficient to detect and respond to 
cybersecurity threats to, and anomalies on, Critical Cyber Systems 
that, at a minimum--
    (a) Defend against malicious email, such as spam and phishing 
emails, to preclude or mitigate against adverse impacts to operations;
    (b) Block ingress and egress communications with known or suspected 
malicious Internet Protocol addresses;
    (c) Control impact of known or suspected malicious web domains or 
web applications, such as by preventing users and devices from 
accessing malicious websites;
    (d) Block and defend against unauthorized code, including macro 
scripts, from executing;
    (e) Monitor and/or block connections from known or suspected 
malicious command and control servers (such as Tor exit nodes, and 
other anonymization services); and
    (f) Ensure continuous collection and analysis of data for potential 
intrusions and anomalous behavior on Critical Cyber Systems and other 
Information and Operational Technology systems that directly connect 
with Critical Cyber Systems.


Sec.  1586.223  Capabilities to respond to a cybersecurity incident.

    The owner/operator must incorporate into its COIP capabilities to 
respond to cybersecurity incidents affecting Critical Cyber Systems 
that, at a minimum--
    (a) Audit unauthorized access to internet domains and addresses;
    (b) Document and audit any communications between the Operational 
Technology system and an internal or external system that deviates from 
the owner/operator's identified baseline of communications;
    (c) Identify and respond to execution of unauthorized code, 
including macro scripts; and
    (d) Define, prioritize, and drive standardized incident response 
activities, such as Security Orchestration, Automation, and Response 
(SOAR).
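Sec. 1586.213(c)(4) requires a documented baseline of acceptable communications between zones, Sec. 1586.217(a) requires zone boundaries to be defended, and Sec. 1586.223(b) requires that communications deviating from that baseline be documented and audited. The following is an added example of how an owner/operator might implement that audit; it is not part of the rule text or any TSA tooling, and the zone names, address ranges, approved ports and flow-log lines are all constructed for illustration.

```python
"""Audit observed IT/OT flows against a documented communications baseline.

Added example (not part of the rule text). Zones, CIDRs, approved flows and
log records below are constructed; a real deployment would load the baseline
from the COIP and the flows from firewall or flow-collector exports.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed zone map: logical/virtual zones keyed by CIDR (Sec. 1586.213(c)(3)).
ZONES = {
    "corporate-it": ipaddress.ip_network("10.1.0.0/16"),
    "ot-dmz": ipaddress.ip_network("10.10.0.0/24"),
    "scada-control": ipaddress.ip_network("10.20.0.0/24"),
    "field-plc": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed baseline: (src_zone, dst_zone, proto, dst_port) tuples approved
# for a validated business or operational purpose (Sec. 1586.217(a)(1)).
BASELINE = {
    ("corporate-it", "ot-dmz", "tcp", 443),       # historian web view via the DMZ
    ("ot-dmz", "scada-control", "tcp", 5432),     # DMZ historian pulls from SCADA DB
    ("scada-control", "field-plc", "tcp", 502),   # Modbus/TCP polling of PLCs
    ("scada-control", "field-plc", "udp", 123),   # NTP to field devices
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Deviation:
    flow: Flow
    src_zone: str
    dst_zone: str
    reason: str


# Constructed flow-log format, one record per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_flow(line: str) -> Flow:
    """Parse one flow-log line; malformed records raise rather than pass silently."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return Flow(m["ts"], m["src"], m["dst"], m["proto"].lower(), int(m["dport"]))


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the zone map is an external connection."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def audit_flows(lines, baseline=BASELINE):
    """Return every inter-zone flow that deviates from the baseline, in log order."""
    deviations = []
    for line in lines:
        flow = parse_flow(line)
        sz, dz = zone_of(flow.src), zone_of(flow.dst)
        if sz == dz:
            continue  # intra-zone traffic is outside the inter-zone baseline
        if (sz, dz, flow.proto, flow.dport) in baseline:
            continue
        if "external" in (sz, dz):
            reason = "external connection not in baseline (Sec. 1586.213(c)(2))"
        elif any(b[0] == dz and b[1] == sz for b in baseline):
            reason = "reverse-direction traffic across a baselined zone pair"
        else:
            reason = "zone pair/port not in baseline"
        deviations.append(Deviation(flow, sz, dz, reason))
    return deviations


SAMPLE_LOG = [  # constructed records, not captured traffic
    "2024-11-07T10:00:01Z src=10.1.5.20 dst=10.10.0.5 proto=tcp dport=443",
    "2024-11-07T10:00:02Z src=10.10.0.5 dst=10.20.0.9 proto=tcp dport=5432",
    "2024-11-07T10:00:03Z src=10.20.0.9 dst=10.30.0.17 proto=tcp dport=502",
    "2024-11-07T10:00:04Z src=10.1.5.20 dst=10.30.0.17 proto=tcp dport=502",
    "2024-11-07T10:00:05Z src=10.30.0.17 dst=10.20.0.9 proto=tcp dport=22",
    "2024-11-07T10:00:06Z src=10.20.0.9 dst=203.0.113.7 proto=tcp dport=443",
]

if __name__ == "__main__":
    for d in audit_flows(SAMPLE_LOG):
        print(f"{d.flow.ts} {d.src_zone}->{d.dst_zone} "
              f"{d.flow.proto}/{d.flow.dport}: {d.reason}")
```

The first three sample records match the baseline and are silent; the last three (IT reaching a PLC directly, a PLC initiating SSH toward the control zone, and a control-zone host reaching an external address) are the kind of entries Sec. 1586.223(b) asks to be documented and audited.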


Sec.  1586.225  Reporting cybersecurity incidents.

    (a) Unless otherwise directed by TSA, each owner/operator 
identified in Sec.  1586.101(b) must notify CISA of any Reportable 
Cybersecurity Incidents, as defined in the TSA Cybersecurity Lexicon, 
as soon as practicable, but no later than 24 hours after a Reportable 
Cybersecurity Incident is identified.
    (b) Reports required by this section must be made by the methods 
prescribed by TSA. All reported information will be protected in a 
manner appropriate for the sensitivity and criticality of the 
information.
    (c) The report to CISA must include the following information, as 
available to the reporting owner/operator at the time of the report:
    (1) The name of the reporting individual and contact information, 
including a telephone number and email address. The report must also 
explicitly specify that the information is being reported to satisfy 
the reporting requirements in Transportation Security Regulations.
    (2) The affected pipeline system(s) or facilities, including 
identifying information and location.
    (3) Description of the threat, incident, or activity, to include:
    (i) Earliest known date of compromise;
    (ii) Date of detection;
    (iii) Information about who has been notified and what action has 
been taken;
    (iv) Any relevant information observed or collected by the owner/
operator, such as malicious Internet Protocol addresses, malicious 
domains, malware hashes and/or samples, or the abuse of legitimate 
software or accounts; and
    (v) Any known threat information, to include information about the 
source of the threat or cybersecurity incident, if available.
    (4) A description of the incident's impact or potential impact on 
Information or Operational Technology systems and operations. This 
information must also include an assessment of actual or imminent 
adverse impacts to service operations, operational delays, and/or data 
theft that have or are likely to be incurred, as well as any other 
information that would be informative in understanding the impact or 
potential impact of the cybersecurity incident.
    (5) A description of all responses that are planned or under 
consideration, to include, for example, a reversion to manual 
operations and control, if applicable.
    (6) Any additional information not specifically required by this 
section, but which is critical to an understanding of the threat and 
owner/operator's response to a reportable cybersecurity incident.
    (d) If all the required information is not available at the time of 
reporting, owner/operators must submit an initial report within the 
specified timeframe and supplement as additional information becomes 
available.


Sec.  1586.227  Cybersecurity Incident Response Plan.

    (a) The owner/operator must incorporate into its COIP an up-to-date 
Cybersecurity Incident Response Plan (CIRP) for the owner/operator's 
Critical Cyber Systems to reduce the impacts of a cybersecurity 
incident that causes, or could cause, operational disruption or 
significant impacts on business-critical functions.
    (b) The CIRP must provide specific measures sufficient to ensure 
the following objectives, as applicable:
    (1) Promptly identifying, isolating, and segregating the infected 
systems from uninfected systems, networks, and devices using measures 
that prioritize:
    (i) Limiting the spread of autonomous malware;
    (ii) Denying continued access by a threat actor to systems;
    (iii) Determining extent of compromise; and
    (iv) Preserving evidence and data.
    (2) Only data stored and secured as required by Sec.  1586.217(e) 
is used to restore systems and that all stored backup data is scanned 
with host security software to ensure the data is free of malicious 
artifacts before being used for restoration.
    (3) Established capability and governance for implementing 
mitigation measures or manual controls that ensure that the Operational 
Technology system can be isolated when a cybersecurity incident in the 
Information Technology system creates risk to the safety and 
reliability of the Operational Technology system.
    (c) The CIRP must identify who (by position) is responsible for 
implementing the specific measures in the plan and any necessary 
resources needed to implement the measures.
    (d) The owner/operator must conduct an exercise to test the 
effectiveness of the CIRP no less than annually. The exercise conducted 
under this paragraph must--
    (1) Test at least two objectives of the owner/operator's CIRP 
required by paragraph (b) of this section, no less than annually; and
    (2) Include the employees identified (by position) in paragraph (c) 
as active participants in the exercise.
    (e) Within no more than 90 days after the date of the exercise 
required by paragraph (d), the owner/operator must update the CIRP as 
appropriate to address any issues identified during the exercise.
    (f) The owner/operator must notify TSA within 15 days of any 
changes to the CIRP. As the owner/operator must separately notify TSA, 
updating the COIP to align with information provided to TSA under this 
section does not require an amendment subject to the procedures in 
Sec.  1570.107 of this subchapter.


Sec.  1586.229  Cybersecurity Assessment Plan.

    (a) Requirement for a Cybersecurity Assessment Plan. No later than 
90 days from TSA's approval of the owner/operator's COIP, the owner/
operator must submit to TSA a Cybersecurity Assessment Plan (CAP) 
sufficient to--
    (1) Proactively assess the effectiveness of all policies, 
procedures, measures, and capabilities in the owner/operator's TSA-
approved COIP as applied to all Critical Cyber Systems; and
    (2) Identify and resolve device, network, and/or system 
vulnerabilities associated with Critical Cyber Systems.
    (b) Contents of the CAP. At a minimum, the CAP must describe in 
detail:
    (1) The plan to assess the effectiveness of the owner/operator's 
TSA-approved COIP as applied to all Critical Cyber Systems;
    (2) Schedule and scope of an architectural design review within 12 
months either before or after TSA's approval of the owner/operator's 
COIP, to be repeated at least once every 2 years thereafter. The 
architectural design review required by this paragraph must include 
verification and validation of network traffic, a system log review, 
and analysis to identify cybersecurity vulnerabilities related to 
network design, configuration, and interconnectivity to internal and 
external systems;
    (3) Other assessment capabilities designed to identify 
vulnerabilities to Critical Cyber Systems based on evolving threat 
information and adversarial capabilities, such as penetration testing 
of Information Technology systems, including the use of ``red'' and 
``purple'' team (adversarial perspective) testing.
    (c) Specific Schedule. (1) In addition to specifying the schedule 
for the architectural design review required by paragraph (b)(2), the 
CAP must include a schedule for conducting the assessments required by 
paragraph (b) sufficient to ensure at least one-third of the policies, 
procedures, measures, and capabilities in the TSA-approved COIP are 
assessed each year, with 100 percent of the COIP and all Critical Cyber 
Systems assessed over a 3-year period.
    (2) The schedule required by this paragraph must map the planned 
assessments to the COIP and Critical Cyber Systems to document that the 
plan will ensure all policies, procedures, measures, and capabilities in 
the owner/operator's TSA-approved COIP and all Critical Cyber Systems 
will be assessed within the timeframes required by paragraph (c)(1).
    (d) Independence of assessors and auditors. Owner/operators must 
ensure that the assessments, audits, testing, and other capabilities to 
assess the effectiveness of their TSA-approved COIP are not conducted by 
individuals who have oversight or responsibility for implementing the 
owner/operator's CRM program and have no vested or other financial 
interest in the results of the CAP.
    (e) Annual submission of report. The owner/operator must ensure a 
report of the results of assessments conducted in accordance with the 
CAP is provided to corporate leadership and individuals designated 
under Sec.  1586.209(a) and (b)(1), and submitted to TSA, no later than 
15 months from the date of approval of the initial CAP and annually 
thereafter. The required report must indicate--
    (1) Which assessment method(s) were used to determine if the 
policies, procedures, and capabilities described by the owner/operator 
in its COIP are effective; and
    (2) Results of the individual assessment methodologies.
    (f) Annual update of the CAP. The owner/operator must review and 
annually update the CAP to address any changes to policies, procedures, 
measures, or capabilities in the COIP or assessment capabilities 
required by paragraph (b). The updated CAP must be submitted to TSA for 
approval no later than 12 months from the date of TSA's approval of the 
current CAP.
    (g) Assessments conducted under this section are vulnerability 
assessments as defined in Sec.  1500.3 of this chapter and must be 
protected as Sensitive Security Information under Sec.  1520.5(b)(5) of 
this chapter.


Sec.  1586.231  Documentation to establish compliance.

    For the purposes of the requirements in this subpart, upon TSA's 
request, the owner/operator must provide for inspection or copying the 
following types of information to establish compliance:
    (a) Hardware/software asset inventory, including supervisory 
control and data acquisition (SCADA) systems;
    (b) Firewall rules;
    (c) Network diagrams, switch and router configurations, 
architecture diagrams, publicly routable internet protocol addresses, 
and Virtual Local Area Networks;
    (d) Policy, procedural, and other documents that informed the 
development, and documented implementation of, the owner/operator's CRM 
program;
    (e) Data providing a ``snapshot'' of activity on and between 
Information and Operational Technology systems such as:
    (1) Log files;
    (2) A capture of network traffic (such as packet capture (PCAP)), 
for a scope and period directed by TSA, not less than 24 hours and not 
to exceed 48 hours;
    (3) ``East-West Traffic'' of Information Technology systems, sites, 
and environments within the scope of this subpart; and
    (4) ``North-South Traffic'' between Information and Operational 
Technology systems, and the perimeter boundaries between them; and
    (f) Any other records or documents necessary to determine 
compliance with this subpart.

Appendix A to Part 1586--Reporting of Significant Physical Security 
Concerns

------------------------------------------------------------------------
             Category                            Description
------------------------------------------------------------------------
Breach, Attempted Intrusion, and/   Unauthorized personnel attempting to
 or Interference.                    or actually entering a restricted
                                     area or secure site relating to a
                                     pipeline facility or pipeline
                                     system owned, operated, or used by
                                     an owner/operator subject to this
                                     part. This includes individuals
                                     entering or attempting to enter by
                                     impersonation of authorized
                                     personnel (for example, police/
                                     security, janitor, vehicle owner/
                                     operator). Activity that could
                                     interfere with the ability of
                                     employees to perform duties to the
                                     extent that security is threatened.
Misrepresentation.................  Presenting false, or misusing,
                                     insignia, documents, and/or
                                     identification, to misrepresent
                                     one's affiliation with an owner/
                                     operator subject to this part to
                                     cover possible illicit activity
                                     that may pose a risk to
                                     transportation security.
Theft, Loss, and/or Diversion.....  Stealing or diverting identification
                                     media or badges, uniforms,
                                     vehicles, keys, tools capable of
                                     compromising operating systems,
                                     technology, or classified or
                                     sensitive security information
                                     documents which are proprietary to
                                     the pipeline facility or system
                                     owned, operated, or used by an
                                     owner/operator subject to this
                                     part.
Sabotage, Tampering, and/or         Damaging, manipulating, or defeating
 Vandalism.                          safety and security appliances in
                                     connection with a pipeline
                                     facility, infrastructure, or
                                     systems resulting in the
                                     compromised use or the temporary or
                                     permanent loss of use of the
                                     pipeline facility, infrastructure,
                                     or system.
Expressed or Implied Threat.......  Communicating a spoken or written
                                     threat to damage or compromise a
                                     pipeline facility/infrastructure/
                                     system owned, operated, or used by
                                     an owner/operator subject to this
                                     part (for example, a bomb threat or
                                     active shooter).
Eliciting Information.............  Questioning that may pose a risk to
                                     transportation or national
                                     security, such as asking one or
                                     more employees of an owner/operator
                                     subject to this part about
                                     particular facets of a facility's
                                     or system's purpose, operations, or
                                     security procedures.
Testing or Probing of Security....  Deliberate interactions with
                                     employees of an owner/operator
                                     subject to this part or challenges
                                     to pipeline facilities or systems
                                     owned, operated, or used by an
                                     owner/operator subject to this part
                                     that reveal physical, personnel, or
                                     security capabilities or sensitive
                                     information.
Photography.......................  Taking photographs or video of
                                     pipeline facilities, systems, or
                                     infrastructure owned, operated, or
                                     used by an owner/operator subject
                                     to this part in a manner that may
                                     pose a risk to transportation or
                                     national security. Examples include
                                     taking photographs or video of
                                     infrequently used access points,
                                     personnel performing security
                                     functions (for example, patrols,
                                     badge/vehicle checking), or
                                     security-related equipment (for
                                     example, perimeter fencing,
                                     security cameras).
Observation or Surveillance.......  Demonstrating unusual interest in
                                     pipeline facilities or systems or
                                     loitering near facilities or
                                     systems or other potentially
                                     critical infrastructure owned or
                                     operated by an owner/operator
                                     subject to this part in a manner
                                     that may pose a risk to
                                     transportation or national
                                     security. Examples include
                                     observation through binoculars,
                                     taking notes, or attempting to
                                     measure distances.
Materials Acquisition and/or        Acquisition and/or storage by an
 Storage.                            employee of an owner/operator
                                     subject to this part of materials
                                     such as cell phones, pagers, fuel,
                                     chemicals, toxic materials, and/or
                                     timers that may pose a risk to
                                     transportation or national security
                                     (for example, storage of chemicals
                                     not needed by an employee for the
                                     performance of his or her job
                                     duties).
Weapons Discovery, Discharge, or    Weapons or explosives in or around a
 Seizure.                            pipeline facility, system, or
                                     infrastructure of an owner/operator
                                     subject to this part that may
                                     present a risk to transportation or
                                     national security (for example,
                                     discovery of weapons inconsistent
                                     with the type or quantity
                                     traditionally used by company
                                     security personnel).
Suspicious Items or Activity......  Discovery or observation of
                                     suspicious items, activity or
                                     behavior in or around a pipeline
                                     facility, system, or infrastructure
                                     of an owner/operator subject to
                                     this part that results in the
                                     disruption or termination of
                                     operations (for example, halting
                                     operations while law enforcement
                                     personnel investigate a suspicious
                                     item, bag, package, etc.).
------------------------------------------------------------------------


    Dated: October 20, 2024.
David P. Pekoske,
Administrator.

[FR Doc. 2024-24704 Filed 11-6-24; 8:45 am]
BILLING CODE 9110-05-P

