Proposed Rule

Enhancing Surface Cyber Risk Management

Notice of proposed rulemaking (NPRM).

📖 Research Context From Federal Register API

Summary:

The Transportation Security Administration (TSA) is proposing to impose cyber risk management (CRM) requirements on certain pipeline and rail owner/operators and a more limited requirement, on certain over-the-road bus (OTRB) owner/operators, to report cybersecurity incidents. With the proposed addition of requirements applicable to pipeline facilities and systems, TSA is also proposing that a requirement to have a Physical Security Coordinator and report significant physical security concerns be extended to the same facilities and systems. Finally, TSA is proposing clarifications and reorganization of other regulatory requirements necessitated by these changes.

Key Dates
Citation: 89 FR 88488
Submit comments by February 5, 2025.
Comments closed: February 5, 2025
Public Participation
10054 comments 3 supporting docs
Topics:
Administrative practice and procedure; Air carriers; Air transportation; Aircraft; Airports; Buses; Crime; Fraud; Hazardous materials transportation; Investigations; Law enforcement; Law enforcement officers; Maritime carriers; Mass transportation; Motor carriers; Natural gas; Penalties; Pipeline safety; Pipelines; Railroad safety; Railroads; Reporting and recordkeeping requirements; Security measures; Vessels

In Plain English

What is this Federal Register notice?

This is a proposed rule published in the Federal Register by the Homeland Security Department, Transportation Security Administration. Proposed rules invite public comment before becoming final, legally binding regulations.

Is this rule final?

No. This is a proposed rule. It has not yet been finalized and is subject to revision based on public comments.

Who does this apply to?

Notice of proposed rulemaking (NPRM).

When does it take effect?

Submit comments by February 5, 2025.

📋 Rulemaking Status

This is a proposed rule. A final rule may be issued after the comment period and agency review.

Document Details

Document Number: 2024-24704
FR Citation: 89 FR 88488
Type: Proposed Rule
Published: Nov 7, 2024
Effective Date: -
RIN: 1652-AA74
Docket ID: Docket No. TSA-2022-0001
Pages: 88488–88592 (105 pages)
Text Fetched: Yes


Full Document Text (98,816 words · ~495 min read)

DEPARTMENT OF HOMELAND SECURITY

Transportation Security Administration

49 CFR Parts 1500, 1503, 1520, 1570, 1580, 1582, 1584, and 1586

[Docket No. TSA-2022-0001]

RIN 1652-AA74

Enhancing Surface Cyber Risk Management

AGENCY: Transportation Security Administration, DHS.

ACTION: Notice of proposed rulemaking (NPRM).

SUMMARY: The Transportation Security Administration (TSA) is proposing to impose cyber risk management (CRM) requirements on certain pipeline and rail owner/operators and a more limited requirement, on certain over-the-road bus (OTRB) owner/operators, to report cybersecurity incidents. With the proposed addition of requirements applicable to pipeline facilities and systems, TSA is also proposing that a requirement to have a Physical Security Coordinator and report significant physical security concerns be extended to the same facilities and systems. Finally, TSA is proposing clarifications and reorganization of other regulatory requirements necessitated by these changes.

DATES: Submit comments by February 5, 2025.

ADDRESSES: Comments on this NPRM: You may submit comments on this NPRM, identified by the TSA docket number to this rulemaking, to the Federal Docket Management System (FDMS), a government-wide, electronic docket management system. To avoid duplication, please use only one of the following methods:

• Electronic Federal eRulemaking Portal: https://www.regulations.gov. Follow the online instructions for submitting comments.
• Mail: Docket Management Facility (M-30), U.S. Department of Transportation, 1200 New Jersey Avenue SE, West Building Ground Floor, Room W12-140, Washington, DC 20590-0001. The Department of Transportation (DOT), which maintains and processes TSA's official regulatory dockets, will scan the submission and post it to FDMS.
• Fax: (202) 493-2251.

See the SUPPLEMENTARY INFORMATION section for format and other information about comment submissions on the NPRM.

FOR FURTHER INFORMATION CONTACT:

General Questions: Ashlee Marks, Surface Division, Policy, Plans, and Engagement, TSA-28, Transportation Security Administration, 6595 Springfield Center Drive, Springfield, VA 20598-6028; telephone (571) 227-1039; email: SurfaceCyberPolicy@tsa.dhs.gov.

Legal Questions: Traci Klemm, Regulations and Security Standards, Office of Chief Counsel, Transportation Security Administration, 6595 Springfield Center Drive, Springfield, VA 20598-6002; telephone (571) 227-3583, or email to SurfaceCyberPolicy@tsa.dhs.gov.

SUPPLEMENTARY INFORMATION:

Public Participation

TSA invites interested persons to participate in this NPRM by submitting written comments, including relevant data. We also invite comments relating to the economic, environmental, energy, or federalism impacts that might result from this rulemaking action. See the ADDRESSES section above for information on where to submit comments.

NPRM-Specific Request for Comments

1. TSA is requesting comments on the impact of regulations and requirements being imposed by other Federal, State, and Local entities, including DHS components, and potential options for regulatory harmonization.

2. TSA is requesting comments on whether proposed requirements for supply chain risk management should also include requirements to ensure that any new software purchased for, or to be installed on, Critical Cyber Systems meets CISA's Secure-by-Design and Secure-by-Default principles.

3. TSA is requesting comments on existing training and certification programs that could provide low-cost options to meet proposed qualification requirements for Cybersecurity Coordinators. If identified and determined by TSA to be sufficient, TSA could recognize them as examples for owner/operators that would be subject to these requirements.

4. TSA is proposing to require owner/operators to have a Cybersecurity Assessment Plan (CAP) to annually assess and audit the effectiveness of their TSA-approved Cybersecurity Operational Implementation Plan (COIP). TSA is requesting comments on methodologies owner/operators could use to develop a plan that would meet the required annual minimum for assessments and audits, assessment and auditing capabilities that could be included in the CAP, and other options and resources that could ensure a robust auditing and assessment program that provides frequent and regular reviews of effectiveness of CRM program implementation.

5. TSA is requesting comments from pipeline owner/operators on opportunities to streamline compliance and reduce redundancies and duplication of efforts for pipeline facilities regulated under 33 CFR 105.105(a) or 106.105(a).

6. TSA is requesting comment on whether accountable executives and Cybersecurity Coordinators, for all covered owner/operators, should be required to undergo a TSA-conducted Security Threat Assessment (STA), which would include a terrorism/other analyses check, an immigration check, and a criminal history records check (CHRC).

7. TSA is requesting comment on whether TSA should require all frontline workers (“security-sensitive employees”) in the pipeline industry to also be vetted by TSA. Although TSA is not proposing this requirement, TSA seeks comments on how the vetting would impact their operations and costs, and specifically how many employees the entity has that would likely be considered security-sensitive employees. [1]

[1] Commenters may find it useful to review the functions that TSA considered for determining security-sensitive employees under current Appendix B to 49 CFR part 1580, Appendix B to part 1582, and Appendix B to part 1584.

8. TSA is requesting comment on the inputs used in the Regulatory Impact Analysis (RIA), including those related to the Security Directives (SDs), their implementation, and associated costs and benefits. Comments that will provide the most assistance to TSA will reference a specific portion of this proposed rule, explain the reason for any suggestions or recommended changes, and include data, information, or authority that supports such suggestion or recommended change.

9. TSA invites all interested parties to submit data and information regarding the potential economic impact on small entities that would result from the adoption of the requirements in the proposed rule.

10. TSA invites comments on the proposed collection of information and estimates of burden.

Submitting Comments on the NPRM

With each comment, please identify the docket number at the beginning of your comments. You may submit comments and material electronically, by mail, or fax as provided under ADDRESSES, but please submit your comments and material by only one means. If you submit comments by mail or in person, submit them in an unbound format, no larger than 8.5 by 11 inches, suitable for copying and electronic filing. If you would like TSA to acknowledge receipt of comments submitted by mail, include with your comments a self-addressed, stamped postcard or envelope on which the docket number appears, and we will mail it to you.

All comments, except those that include confidential or SSI [2] will be posted to https://www.regulations.gov and include any personal information you have provided. Should you wish your personally identifiable information redacted prior to filing in the docket, please clearly indicate this request in your submission. TSA will consider all comments that are in the docket on or before the closing date for comments and will consider comments filed late to the extent practicable. The docket is available for public inspection before and after the comment closing date.

[2] “Sensitive Security Information” or “SSI” is information obtained or developed in the conduct of security activities, the disclosure of which would constitute an unwarranted invasion of privacy, reveal trade secrets or privileged or confidential information, or be detrimental to the security of transportation. The protection of SSI is governed by 49 CFR part 1520.

Submitting Comments on the Proposed Information Collections

Comments on the proposed information collections included in this NPRM should be submitted both to TSA, as indicated above, and to the Office of Information and Regulatory Affairs, Office of Management and Budget (OMB). Comments should be identified by the appropriate OMB Control Number(s) or the title of this proposed rule, addressed to the Desk Officer for the Department of Homeland Security, Transportation Security Administration, and sent via electronic mail to dhsdeskofficer@omb.eop.gov.

Handling of Confidential or Proprietary Information and SSI Submitted in Public Comments

Do not submit comments that include trade secrets, confidential commercial or financial information, or SSI to the public regulatory docket. Please submit such comments separately from other comments on the rulemaking. Comments containing this type of information should be appropriately marked as containing such information and submitted by mail to the address listed in the FOR FURTHER INFORMATION CONTACT section.

TSA will take the following actions for all submissions containing SSI:

• TSA will not place comments containing

Preview showing 10k of 731k characters. Full document text is stored and available for version comparison.
This text is preserved for citation and comparison. View the official version for the authoritative text.