1652-0074 Rail Cyber MeasSurfModes SS_10.25.2022


INFORMATION COLLECTION SUPPORTING STATEMENT


Cybersecurity Measures for Surface Modes

OMB control number 1652-0074

EXP. xx/xx/xxxx



  1. Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information. (Annotate the CFR parts/sections affected).


Congress granted the TSA Administrator authority for the security of the transportation system.[1] Under the specific authorities of 49 U.S.C. § 114, TSA may take immediate action to impose measures to protect transportation security without providing notice or an opportunity for comment.[2] The cybersecurity threats to surface transportation infrastructure that necessitate these collections are consistent with TSA’s mission, as well as TSA’s responsibility and authority for “security in all modes of transportation … including security responsibilities … over modes of transportation that are exercised by the Department of Transportation.” See 49 U.S.C. § 114(d).


Additionally, under 49 U.S.C. § 114(l)(2),[3] TSA has the authority to issue Security Directives (SDs) if the Administrator of TSA determines that a regulation or SD must be issued immediately in order to protect transportation security. TSA also has authority, at the discretion of the Administrator, to assist another Federal agency in carrying out its authority in order to address a threat to transportation. See 49 U.S.C. § 114(m).[4]


The United States (U.S.) surface transportation system is a complex, interconnected, and largely open network that includes freight railroads, public transportation and passenger rail systems, and over-the-road bus (OTRB) Owner/Operators. Many of these modes employ increasingly integrated cyber and physical systems that operate daily in close coordination with, and in close proximity to, each other nationwide.


On December 17, 2021,[5] TSA issued Security Directive (SD) 1580-21-01 and SD 1582-21-02,[6] which became effective on December 31, 2021, mandating that TSA-specified Owner/Operators of “higher-risk” freight railroads and “higher-risk” passenger railroads and rail transit systems, respectively, implement an array of cybersecurity measures to prevent disruption and degradation of their infrastructure. The scope of these SDs aligns with the railroads and rail transit systems required to report significant security incidents to TSA under 49 CFR 1570.203. On that same date, TSA also issued an “information circular” (IC), which contains non-binding recommendations with the same measures for railroad Owner/Operators, public transportation agencies, rail transit system Owner/Operators, and certain OTRB Owner/Operators not specifically covered under SDs 1580-21-01 or 1582-21-02. The requirements in the SDs and the recommendations in the IC allow TSA to execute its security responsibilities within the surface transportation industry through reporting of cybersecurity incidents, designating a cybersecurity coordinator, conducting a cybersecurity risk assessment, implementing a TSA-approved Cybersecurity Implementation Plan, maintaining an up-to-date Cybersecurity Incident Response Plan, submitting a Cybersecurity Vulnerability Assessment, and establishing a Cybersecurity Assessment Program.


To address the ongoing cybersecurity threats to the United States’ national and economic security, TSA is issuing an additional SD, SD 1580/1582-2022-01, Rail Cybersecurity Mitigation Actions, Contingency Planning, and Testing, which will apply to 73 Owner/Operators, including the “Higher Risk” freight railroads identified in 49 CFR 1580.101 and additional TSA-designated freight and passenger railroads. This SD was developed in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense (DOD), and the Department of Transportation (DOT). The requirements in the SD are necessary to protect against operational disruption and severe degradation of necessary capacity in the event that a bad actor attacks industry infrastructure by exploiting weaknesses in cybersecurity, particularly through unprotected connections between Information Technology (IT) and Operational Technology (OT) systems, as noted in CISA alerts issued since the initial SD.


TSA is requesting an emergency approval for a revision of OMB Control Number 1652-0074, Cybersecurity Measures for Surface Modes, to address the collection of information required by SD 1580/1582-22-01. This emergency request does not affect the previously approved collection for SD 1580-21-01,[7] SD 1582-21-01, and IC 2021-01, which remain in effect.



  2. Indicate how, by whom, and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.


TSA plans to collect the following information:


A. SD 1580/1582-22-01 includes the following requirements:


  • A Cybersecurity Implementation Plan (CIP) submitted to TSA for approval that addresses how the Owner/Operator will achieve each of the following objectives:

    • Identification of the Owner/Operator’s Critical Cyber Systems;

    • Implementation of network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised;

    • Implementation of access control measures to secure and prevent unauthorized access to Critical Cyber Systems;

    • Implementation of continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect Critical Cyber System operations; and

    • Reduction of the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on Critical Cyber Systems in a timely manner using a risk-based methodology.


  • An annual plan that describes how the Owner/Operator will proactively and regularly assess the effectiveness of cybersecurity measures, and identify and resolve device, network, and/or system vulnerabilities.


  • Documentation necessary to establish compliance, to be provided to TSA upon request.


B. SD 1580-21-01, SD 1582-21-01, and IC 2021-01 remain in effect and include the following information collection requirements for the SDs and recommendations for the IC:


  • Provide to TSA:

    • Contact information for a designated Cybersecurity Coordinator;

    • A completed Cybersecurity Vulnerability Assessment (using the TSA form); and

    • A statement certifying that the Owner/Operator has completed the requirement of the Cybersecurity Contingency/ Response Plan.


  • Report actual and potential cybersecurity incidents to CISA within 24 hours of identification of a cybersecurity incident. Cybersecurity incident reports are submitted using the CISA Reporting System form at: https://us-cert.cisa.gov/forms/report. Incident reports can also be reported by calling (888) 282-0870. CISA has an approved information collection for cybersecurity incident reporting. See OMB control number 1670-0037.


To the extent these requirements have not been already fulfilled, Owner/Operators can complete and submit the required information via email or other electronic options provided by TSA. Documentation of compliance must be provided upon request to TSA. As the measures in the IC are voluntary, the IC does not require Owner/Operators to report on their compliance.


Information submitted by the Owner/Operators to TSA as required by the SD, or voluntarily submitted under the IC, is deemed Sensitive Security Information (SSI) and is protected in accordance with procedures meeting the transmission, handling, and storage requirements for SSI set forth in 49 CFR part 1520.


  3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.


SD 1580/1582-22-01 Collection:

TSA will require the following collection of information and maintenance of records to establish compliance with SD 1580/1582-2022-01:

  • Cybersecurity Implementation Plan: Freight/Passenger Rail Owner/Operators must transmit their implementation plans to TSA electronically via a secure means. All implementation plans submitted by operators are considered SSI under the provisions of 49 CFR part 1520.

  • Cybersecurity Assessment Program: Freight/Passenger Rail Owner/Operators must submit their cybersecurity assessment plans on an annual basis to TSA electronically via a secure means. All cybersecurity assessment plans submitted by operators are considered SSI under the provisions of 49 CFR part 1520.


  • Records to Establish Compliance: Freight/Passenger Rail Owner/Operators must provide to TSA electronically, as part of a compliance inspection, documentation to establish their compliance with the SD. Operator records provided to TSA to document compliance with the SD are considered SSI under the provisions of 49 CFR part 1520.



SD 1580-21-01, SD 1582-21-01, and IC 2021-01 Collection:

In compliance with the Government Paperwork Elimination Act, the following fully electronic reporting options are available and continuing for surface Owner/Operators as described below.


  • The Cybersecurity Coordinator contact information can be submitted to TSA via email or regular mail.


  • Cybersecurity incident reports are submitted using the CISA Reporting System form at: https://us-cert.cisa.gov/forms/report. Incident reports can also be reported by calling (888) 282-0870. CISA has an approved information collection for cybersecurity incident reporting. See OMB control number 1670-0037.


  • Owner/Operators to whom the SD applies can submit statements confirming that they have complied with the requirements within the established deadlines via email or other electronic options provided by TSA. For convenience, TSA provides optional forms that can be submitted via email confirming completion (TSA SD-1580-21-01 Statement of Completion and TSA SD-1582-21-02 Statement of Completion) for each submission deadline.


  • In addition, Owner/Operators are required by the SD, and recommended under the IC, to develop a cybersecurity contingency/recovery plan to address cybersecurity gaps. Lastly, Owner/Operators are required by the SD, and recommended under the IC, to conduct the assessment of their cybersecurity posture using a TSA form and submit the results to TSA. There are two methods for Owner/Operators to submit the required information, which are considered SSI under 49 CFR part 1520 once completed. The first is via email and a password protected document with the password being sent in a separate email. The second is to upload the document on a specific secure portal that TSA has established.


  4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purpose(s) described in Item 2 above.


SD 1580/1582-22-01 Collection:

TSA developed the requirements in consultation with CISA and in coordination with DOT, DOD, and other applicable agencies. TSA has determined that no other agency requires submission of the type of information TSA may collect related to its SDs.


SD 1580-21-01, SD 1582-21-01, and IC 2021-01 Collection:

The Department of Homeland Security (DHS) has a broad Memorandum of Understanding (MOU) with the DOT that ensures coordination on security and safety issues. Through annexes to this MOU, TSA works closely with its partners at the Federal Railroad Administration (FRA), Federal Transit Administration (FTA), and Federal Motor Carrier Safety Administration (FMCSA) to coordinate security initiatives. There is no other similar information collection currently in place at DOT that specifically targets corporate-level cybersecurity planning and plan implementation in the surface modes of transportation.


Within DHS, TSA coordinates closely with CISA, which advances the Initiative’s effort and secures the cybersecurity posture of the critical surface transportation sectors due to the interconnected systems and importance to the American way of life. TSA developed the requirements and recommendations, as applicable, in consultation with CISA and in coordination with DOT, DOD, and other agencies, as applicable. TSA requires reporting of certain information directly to CISA, which CISA shares with TSA to reduce duplication. Apart from the reporting to CISA under the SD or IC, and provisions for sharing information with federal partners, TSA has determined that no other agency requires submission of the type of information collected via its SDs and IC from the same persons.


  5. If the collection of information has a significant impact on a substantial number of small businesses or other small entities (Item 5 of the Paperwork Reduction Act submission form), describe the methods used to minimize burden.


This collection does not have a significant impact on a substantial number of small businesses.

  6. Describe the consequence to Federal program or policy activities if the collection is not conducted or is conducted less frequently, as well as any technical or legal obstacles to reducing burden.


Without these collections, DHS will be unable to address the critical, imminent threat of cyberattacks, such as ransomware, to the nation’s surface transportation systems. Further, DHS would be hindered in its ability to quickly obtain the information needed to address imminent, serious, and rapidly evolving threats to these systems, which are key to national and economic security; that ability would be impeded if TSA did not have this foundational posture information for the covered Owner/Operators now, in light of this continuous threat. Reducing the vulnerability of “Higher Risk” railroads, rail transit systems, and OTRB[8] operations and infrastructure to cybersecurity threats is fundamental to securing our nation’s traveling public and economic security.


In addition, TSA will be unable to address the critical threat to the nation’s freight railroad and passenger rail systems, which is reasonably likely to result in public harm. For example, if an attack occurred against a railway system and TSA did not have this collection, freight/passenger rail Owner/Operators may not have adequate cybersecurity measures or a Cybersecurity Implementation Plan and Cybersecurity Audit Program in place. These measures decrease the impact of a cybersecurity incident affecting critical infrastructure and increase an operator’s awareness of possible vulnerabilities.

  7. Explain any special circumstances that require the collection to be conducted in a manner inconsistent with the general information collection guidelines in 5 CFR 1320.5(d)(2).


This collection is conducted consistent with the information collection guidelines, except for those in 5 CFR 1320.5(d)(2)(i). This collection requires respondents to report information to the agency more often than quarterly. Quarterly reporting would not meet the security needs that are the basis for this information collection.


  8. Describe efforts to consult persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported. If applicable, provide a copy and identify the date and page number of publication in the Federal Register of the agency's notice, required by 5 CFR 1320.8(d) soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the agency in response to these comments. Specifically address comments received on cost and hour burden.


TSA is currently seeking an Emergency Approval to revise this collection. In light of the ongoing cybersecurity threat, TSA is seeking a waiver to the requirement in 5 CFR § 1320.13(d) to publish a Federal Register notice announcing that TSA is seeking emergency processing of this ICR. Upon approval of the Emergency Request, TSA will seek public comment on the collection following the normal clearance process providing a 60-day and 30-day commenting period.


Please see the response to question #2 for the efforts that TSA made to consult externally with industry as well as federal partners.


  9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.


No payment or gift is provided to respondents.


  10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.


While there is no assurance of confidentiality provided to reporting entities, TSA protects information collected from disclosure to the extent appropriate under applicable provisions of the Freedom of Information Act, Federal Information Security Management Act, E-Government Act, and Privacy Act of 1974. TSA would also appropriately treat any information collected that it determines is SSI and/or Personally Identifiable Information (PII), consistent with the requirements of 49 CFR part 1520 and OMB Guidance, M-07-16.


Also, to the extent permissible under the law, DHS will seek to protect the trade secrets and commercial and financial information of the Freight/Passenger Rail Owner/Operators. See 49 CFR part 1520. In addition, any PII associated with reported incidents is handled in accordance with the System of Records Notices for DHS/TSA-001 Transportation Security Enforcement Record System, 79 FR 6609 (February 4, 2014), and DHS/TSA-011 Transportation Security Intelligence Service Files, 75 FR 18867 (April 13, 2010).

For defensive measures and cyber threat indicators shared under the framework of the Cybersecurity Information Sharing Act of 2015, federal entities are required to apply appropriate controls to protect, to the greatest extent practicable, the confidentiality of cyber threat indicators that contain personal information of a specific individual, or information that identifies a specific individual, that is directly related to a cybersecurity threat or to a use authorized under that Act. 6 U.S.C. § 1504(b).

  11. Provide additional justification for any questions of sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private.


No personal questions of a sensitive nature are posed during the information collection.


  12. Provide estimates of hour and cost burden of the collection of information.



SD 1580/1582-2022-01 Collection:


The information collection required by SD 1580/1582-2022-01 would apply only to a total of 73 Owner/Operators, comprising the 38 “Higher Risk” freight railroads identified in 49 CFR 1580.101, 30 TSA newly-designated critical railroads,[9] and five of the passenger rail Owner/Operators identified in 49 CFR 1582.101.


Cybersecurity Implementation Plan: TSA estimates 73 entities will develop a cybersecurity implementation plan, and the plan will be developed by a team consisting of a cybersecurity manager and 4 cybersecurity analysts/specialists. TSA assumes the team will spend 2 weeks developing the implementation plan; therefore, the time burden for this task will be 5 individuals x 40 hours x 2 weeks, or 400 hours. TSA uses a fully-loaded, blended wage rate of $93.64[10] to estimate a cost for this task of $3,200,067. This is a one-time collection, and is depicted in Table 1.


Table 1: Costs for Cybersecurity Implementation Plan (Mandatory - NEW)

| Activity | Number of Responses (A) | Time Burden per Response (B) | Time Burden (C = A x B) | Time Burden Cost (D = C x $93.64) |
|---|---|---|---|---|
| Cybersecurity Implementation Plan | 73 | 400 | 29,200 | $3,200,067 |


Annual Plan for Cybersecurity Assessment Program: TSA estimates 73 entities will conduct annual audits of their cybersecurity measures, and the time burden for submitting an annual audit plan to TSA is 40 hours. TSA believes the preparation and submission of the plan to TSA will be conducted by a corporate Audit/Compliance Manager, and uses a fully-loaded wage rate of $94.20.[11] The annual cost for this requirement is depicted in Table 2.


Table 2: Annual Costs for Cybersecurity Audit Plans of Cybersecurity Measures (Mandatory - NEW)

| Activity | Number of Annual Responses (A) | Hour Burden per Response (B) | Annual Hour Burden (C = A x B) | Annual Hour Burden Cost (D = C x $94.20) |
|---|---|---|---|---|
| Cybersecurity Audit Plan | 73 | 40 | 2,920 | $275,064 |


Compliance Documentation: TSA estimates 73 entities will conduct cybersecurity compliance documentation, and the time burden for this requirement is 80 hours. TSA believes this task will be performed by the cybersecurity manager, and applies a fully-loaded wage rate of $109.59. The annual cost for this requirement is depicted in Table 3.


Table 3: Annual Costs for Compliance Documentation (Mandatory - NEW)

| Activity | Number of Annual Responses (A) | Hour Burden per Response (B) | Annual Hour Burden (C = A x B) | Annual Hour Burden Cost (D = C x $109.59) |
|---|---|---|---|---|
| Compliance Documentation | 73 | 80 | 5,840 | $640,006 |



The total time burden of this NEW information collection for the 73 entities regulated under SD Rail-1580/1582-2022-01 is 29,200 (one-time) + 2,920 (annually) + 5,840 (annually) = 37,960 hours in Year 1, 8,760 hours in Year 2, and 8,760 hours in Year 3. This information is depicted in Table 4.



Table 4: Total Costs

| | Time Burden (in Hours) | Time Burden Cost |
|---|---|---|
| Year 1 | 37,960 | $4,115,137 |
| Year 2 | 8,760 | $915,070 |
| Year 3 | 8,760 | $915,070 |
| Total | 55,480 | $5,945,276 |
| Average | 18,493 | $1,981,758.71 |


SD Rail-1580-21-01, SD Rail-1582-21-01, and IC 2021-01 Collection:

TSA estimates this collection applies to 457 railroad Owner/Operators, 115 rail transit system Owner/Operators, and 209 OTRB Owner/Operators, for a total of 781 respondents. “Higher risk” railroad and rail transit Owner/Operators within the 781 respondents are required to provide Cybersecurity Coordinator information, complete a Cybersecurity Incident Response Plan, complete and submit to TSA a Cybersecurity Vulnerability Assessment, and report cybersecurity incidents to CISA. Although the collections are voluntary for some respondents,[12] burden calculations assume all of the respondents will do all of the collections. TSA assumes these tasks will be performed by the cybersecurity coordinator, and applies a fully-loaded wage rate of $109.59[13] for railroad cybersecurity coordinators and $97.44[14] for rail transit system and OTRB[15] cybersecurity coordinators.


Designate a Cybersecurity Coordinator/Alternate Cybersecurity Coordinator.

TSA estimates respondents will spend 1 hour each performing this task. Tables 5-7 represent the hour burden and hour burden cost for railroad Owner/Operators, rail transit system Owner/Operators, and OTRB Owner/Operators, respectively.


Table 5: Hour Burden Cost for Freight Railroad Cybersecurity Coordinator and Alternate Information

| Mode | Number of Responses (A) | Hours per Response (B) | Total Annual Hour Burden (C = A x B) | Year 1 Hour Burden Cost (D = C x $109.59) |
|---|---|---|---|---|
| FR | 457 | 1 | 457 | $50,083 |



Table 6: Hour Burden Cost for Passenger Rail Transit Cybersecurity Coordinator and Alternate Information

| Mode | Number of Responses (A) | Hours per Response (B) | Total Annual Hour Burden (C = A x B) | Year 1 Hour Burden Cost (D = C x $97.44) |
|---|---|---|---|---|
| PR | 115 | 1 | 115 | $11,206 |





Table 7: Hour Burden Cost for OTRB Cybersecurity Coordinator and Alternate Information

| Mode | Number of Responses (A) | Hours per Response (B) | Total Annual Hour Burden (C = A x B) | Year 1 Hour Burden Cost (D = C x $97.44) |
|---|---|---|---|---|
| OTRB | 209 | 1 | 209 | $20,365 |



In addition, TSA estimates that 50 respondents will need to update their cybersecurity coordinator and alternate information annually in both Year 2 and Year 3. The hour burden for Years 2 and 3 is 50 hours each, and the hour burden cost for Years 2 and 3 is $5,228[16] each.


Develop a Cybersecurity Incident Response Plan.

TSA estimates respondents will spend 80 hours each performing this task. Tables 8-10 represent the hour burden and hour burden cost for railroad Owner/Operators, rail transit system Owner/Operators, and OTRB Owner/Operators, respectively.



Table 8: Freight Railroad Cybersecurity Incident Response Plan Development

| Mode | Number of Responses (A) | Hours per Response (B) | Total Annual Hour Burden (C = A x B) | Annual Hour Burden Cost (D = C x $109.59) |
|---|---|---|---|---|
| FR | 457 | 80 | 36,560 | $4,006,660 |



Table 9: Passenger Rail Transit Cybersecurity Incident Response Plan Development

| Mode | Number of Responses (A) | Hours per Response (B) | Total Annual Hour Burden (C = A x B) | Annual Hour Burden Cost (D = C x $97.44) |
|---|---|---|---|---|
| PR | 115 | 80 | 9,200 | $1,008,240 |



Table 10: OTRB Cybersecurity Incident Response Plan Development

| Mode | Number of Responses (A) | Hours per Response (B) | Total Annual Hour Burden (C = A x B) | Annual Hour Burden Cost (D = C x $97.44) |
|---|---|---|---|---|
| OTRB | 209 | 80 | 16,720 | $1,629,243 |


Complete a Cybersecurity Vulnerability Assessment.

TSA estimates each respondent will spend an average of 42 hours performing this task. Tables 11-13 represent the hour burden and hour burden cost for railroad Owner/Operators, rail transit system Owner/Operators, and OTRB Owner/Operators, respectively.



Table 11: Railroad Cybersecurity Vulnerability Assessment

| Mode | Number of Responses (A) | Hours per Response (B) | Total Annual Hour Burden (C = A x B) | Annual Hour Burden Cost (D = C x $109.59) |
|---|---|---|---|---|
| FR | 457 | 42 | 19,194 | $2,103,496 |



Table 12: Passenger Rail Transit Cybersecurity Vulnerability Assessment

| Mode | Number of Responses (A) | Hours per Response (B) | Total Annual Hour Burden (C = A x B) | Annual Hour Burden Cost (D = C x $97.44) |
|---|---|---|---|---|
| PR | 115 | 42 | 4,830 | $470,649 |



Table 13: OTRB Cybersecurity Vulnerability Assessment

| Mode | Number of Responses (A) | Hours per Response (B) | Total Annual Hour Burden (C = A x B) | Annual Hour Burden Cost (D = C x $97.44) |
|---|---|---|---|---|
| OTRB | 209 | 42 | 8,778 | $855,353 |


Report cybersecurity incidents to CISA.

This burden is covered in OMB control number 1670-0037.


TSA estimates the total hour burden for the collection, relating to SD Rail-1580-01, SD Rail-1582-01, and IC 2021-01, to be 342,207 hours (134,023 hours in Year 1, 104,092 hours in Year 2, and 104,092 hours in Year 3), and total hour burden cost to be $35,922,818 ($14,158,602 in Year 1, $10,882,108 in Year 2, and $10,882,108 in Year 3). Table 14 represents the total hour burden and hour burden cost for this collection.


Table 14: Summary Time Burden and Cost

| IC Title | Responses | Hours per Response | Year 1 Time Burden | Year 1 Cost | Year 2 Time Burden | Year 2 Cost | Year 3 Time Burden | Year 3 Cost |
|---|---|---|---|---|---|---|---|---|
| Cybersecurity Implementation Plan | 73 | 400 | 29,200 | $3,200,067 | 0 | $0 | 0 | $0 |
| Annual Plan for Cybersecurity Assessment Program | 73 | 40 | 2,920 | $275,064 | 2,920 | $275,064 | 2,920 | $275,064 |
| Compliance Documentation | 73 | 80 | 5,840 | $640,006 | 5,840 | $640,006 | 5,840 | $640,006 |
| Designation of Cybersecurity Coordinator | 781 | 1 | 781 | $81,654 | 50 | $5,228 | 50 | $5,228 |
| Cybersecurity Incident Response Plan | 781 | 80 | 62,480 | $6,532,377 | 62,480 | $6,532,377 | 62,480 | $6,532,377 |
| Cybersecurity Vulnerability Assessment | 781 | 42 | 32,802 | $3,429,434 | 32,802 | $3,429,434 | 32,802 | $3,429,434 |
| Total | 2,562 | | 134,023 | $14,158,602 | 104,092 | $10,882,108 | 104,092 | $10,882,108 |





  13. Provide an estimate of the total annual cost burden to respondents or recordkeepers resulting from the collection of information.


TSA does not estimate a cost to industry beyond the burden detailed in the previous section.


  14. Provide estimates of annualized cost to the Federal Government. Also, provide a description of the method used to estimate cost, and other expenses that would not have been incurred without this collection of information.


SD 1580/1582-22-01 Collection:

For SD 1580/1582-2022-01 there are three elements of the mandatory collection on which TSA conducts reviews and audits; these costs are summarized in Table 15.



Table 15: TSA Hour Burden and Costs

| Activity | Hour Burden (A) | Wage Rate (B) | First-Year Hour Burden Cost (C = A x B) | Year-2 Hour Burden Cost (C = A x B) | Year-3 Hour Burden Cost (C = A x B) |
|---|---|---|---|---|---|
| TSA Review of Implementation Plans (One-Time) | 2,336 | $90.88 | $212,302 | $0 | $0 |
| TSA Compliance Inspection | 3,504 | $73.95 | $259,121 | $259,121 | $259,121 |
| TSA Travel Costs for Compliance Inspections | | | $299,300 | $299,300 | $299,300 |
| TSA Review of Audit Plan | 292 | $73.95 | $21,593 | $21,593 | $21,593 |
| Total | | | $792,316 | $580,014 | $580,014 |



Implementation Plan Reviews: TSA estimates it will conduct 73 Cybersecurity Implementation Plan reviews utilizing a manager and an analyst. This is a one-time review, and the manager will spend 8 hours conducting the review, while the analyst will spend 24 hours. TSA uses a K-band rate of $102.20 for the manager and J-band rate of $87.11 for the analyst. The total cost of implementation plan reviews is 73 x ((8 hours x $102.20) + (24 hours x $87.11)) = $212,302.


Compliance Inspections: TSA estimates it will conduct 73 compliance inspections utilizing two inspectors. Each inspector will spend 24 hours each per inspection, so the total time burden for this activity will be 48 x 73 = 3,504 hours. TSA uses an I-band rate of $73.95 for the inspectors. The labor cost of compliance reviews is $73.95 x 3,504 = $259,121. In addition, TSA expects to spend $299,300 per year in travel costs; therefore, the total annual cost for compliance reviews is $558,421.


Audit Plan Reviews: TSA estimates it will conduct 73 Audit Plan reviews annually, and it takes an inspector 4 hours to conduct the review. TSA uses an I-band rate of $73.95 for the inspector. The total cost of audit plan reviews is 73 x 4 hours x $73.95 = $21,593.


TSA Time Burden: 10,001.4 hours (3,333.8 average per year)

TSA Cost: $1,957,017 ($652,339 average per year)


SD 1580-21-01, SD 1582-21-01, and IC 2021-01 Collection:

TSA estimates that it will receive and process 781 cybersecurity coordinator and alternate cybersecurity coordinator Point of Contact (POC) submissions in Year 1, and 50 submissions each in Years 2 and 3. TSA estimates it takes 5 minutes (0.08333 hour) to process each submission, and that it will be processed by an H-Band[17] (GS-12) pay level employee at TSA.


The government burden for this task during the 3-year period of analysis is 73 hours (average of 24.47 hours per year), and the burden cost is $4,673 (average $1,558 per year).[18]


The government burden and cost are displayed in Table 16.


Table 16: Federal Government Time Burden and Cost

| Type of Information Reported | Year 1 Responses (A) | Year 2 Responses (B) | Year 3 Responses (C) | Hour Burden Per Response (D) | Hour Burden (E = (A+B+C) × D) | Total Hour Burden Cost (F = E × $63.65) |
|---|---|---|---|---|---|---|
| Cybersecurity POC Info Processing | 781 | 50 | 50 | 0.08333 | 73 | $4,673 |
| Total | 781 | 50 | 50 | | 73 | $4,673 |


The total government time burden for this information collection is 10,001.4 hours + 73 hours = 10,075.1 hours (3,358.4 hours per year). The total government time burden cost is $1,957,017 + $4,674 = $1,961,690 ($653,897 per year).


  15. Explain the reasons for any program changes or adjustments reported in Items 13 or 14 of the OMB Form 83-I.


TSA is making program changes as a result of the new collections to be implemented upon issuance of SD 1580/1582-2022-01.


  1. For collections of information whose results will be published, outline plans for tabulation and publication. Address any complex analytical techniques that will be used. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.


SD 1580/1582-22-01 Collection:

Regarding the new collection, no information resulting from the collections under SD 1580/1582-2022-01 will be published. However, TSA and CISA may use information submitted for vulnerability identification, trend analysis, or to generate anonymized indicators of compromise or other cybersecurity products to prevent other cybersecurity incidents.


SD 1580-21-01, SD 1582-21-01, and IC 2021-01 Collection:

Security information collected during the provision of Cybersecurity Coordinator information, Cybersecurity Incident Reporting, provision of the Cybersecurity Incident Response Plan, and completion of the Cybersecurity Vulnerability Assessment will not be published. To the extent information collected via this process is considered to be SSI, it will be protected from disclosure and publication, and will be handled as described in 49 CFR part 1520.


  1. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons that display would be inappropriate.


Not applicable.


  1. Explain each exception to the certification statement identified in Item 19, “Certification for Paperwork Reduction Act Submissions,” of OMB Form 83-I.


No exceptions noted.


1 See section 114(d) of title 49, United States Code (U.S.C.). Under 49 U.S.C. § 114(f)(3) and (4), TSA may “develop policies, strategies, and plans for dealing with the threats ... including coordinating countermeasures with appropriate departments, agencies, and instrumentalities of the United States.”

2 TSA issues SDs for surface transportation operators under the statutory authority of 49 U.S.C. § 114(l)(2)(A). This provision, from section 101 of the Aviation and Transportation Security Act, Pub. L. 107-71 (115 Stat. 597; Nov. 19, 2001), states: “Notwithstanding any other provision of law or executive order (including an executive order requiring a cost-benefit analysis), if the Administrator determines that a regulation or security directive must be issued immediately in order to protect transportation security, the Administrator shall issue the regulation or security directive without providing notice or an opportunity for comment and without prior approval of the Secretary.”

3 Notwithstanding any other provision of law or executive order (including an executive order requiring a cost-benefit analysis), if the Administrator determines that a regulation or security directive must be issued immediately in order to protect transportation security, the Administrator shall issue the regulation or security directive without providing notice or an opportunity for comment and without prior approval of the Secretary.

4 49 U.S.C. § 114(m) grants the TSA Administrator the same authority as the Administrator of the Federal Aviation Administration under 49 U.S.C. § 106(m), and is applicable to all modes of transportation.

5 On November 30, 2021, OMB approved TSA’s request for the new information collection to address the ongoing cybersecurity threat to surface transportation and associated infrastructure. On April 7, 2022, TSA submitted an extension request to OMB, which was approved on October 25, 2022. See ICR Reference Number 202203-1652-003.

6 The numbering methodology for SDs uses regulatory provisions as a shorthand reference to the sector. For example, “1580” refers to freight rail owner/operators regulated under 49 CFR part 1580, “1582” refers to passenger rail and public transportation agencies regulated under 49 CFR part 1582, and “1584” would refer to OTRB owner/operators regulated under 49 CFR part 1584.

7 SD 1580-21-01 is being revised to align the applicability with the applicability of SD 1580-22-01, but the requirements will remain the same.

8 The IC recommendation applies to OTRB owner/operators.

9 Railroads newly designated by TSA as critical will be subject to SD 1580-21-01.

10 TSA calculates a blended wage rate for a team consisting of a cybersecurity manager and four cybersecurity analysts. TSA uses the unloaded rate for computer and information systems managers to represent the cybersecurity manager rate, which is $73.25. BLS. May 2021 National Industry-Specific Occupational Employment and Wage Estimates. NAICS 482000 – Rail Transportation. OCC 11-3021 Computer and Information Systems Managers. Last modified March 31, 2022 (accessed August 4, 2022). https://www.bls.gov/oes/2021/May/naics3_486000.htm. TSA uses the unloaded rate for information security analysts to represent the cybersecurity analyst rate, which is $59.92. BLS. May 2021 National Industry-Specific Occupational Employment and Wage Estimates. NAICS 482000 – Rail Transportation. OCC 15-1211 Computer Systems Analysts. Last modified March 31, 2022 (accessed August 4, 2022). https://www.bls.gov/oes/2021/May/naics3_486000.htm. The unloaded, blended rate = ($73.25 x 0.2) + ($59.92 x 0.8) = $62.59. The fully-loaded wage rate is $62.59 x 1.4961276 = $93.64.

11 The unloaded wage rate for Administrative Services Managers is $62.96. BLS. May 2021 National Industry-Specific Occupational Employment and Wage Estimates. NAICS 482000 – Rail Transportation. OCC 11-3012 Administrative Services Managers. Last modified March 31, 2021 (accessed July 25, 2022). https://www.bls.gov/oes/2021/May/naics3_486000.htm. TSA multiplies this rate by the load factor of 1.4961276, so $62.96 x 1.4961276 = $94.20.

12 “Higher Risk” OTRB and bus-only transit Owner/Operators received an IC that recommends they provide cybersecurity coordinator information, complete a Cybersecurity Contingency Plan, and report cybersecurity incidents. TSA also provides the IC to all respondents, recommending a Cybersecurity Assessment be completed.

13 The unloaded wage rate for a Computer and Information Systems Manager is $73.25. BLS. May 2021 National Industry-Specific Occupational Employment and Wage Estimates. NAICS 482000 – Rail Transportation. OCC 11-3021 Computer and Information Systems Manager. Last modified March 31, 2022 (accessed August 4, 2021). https://www.bls.gov/oes/2021/May/naics3_482000.htm.

TSA calculates a load factor to increase the unloaded wage to account for non-wage compensation. TSA calculates this factor by dividing the total compensation ($32.84) by the wage and salary component ($21.95) of compensation to get a load factor of 1.4961276. BLS. Employer Costs for Employee Compensation – March 2022. Table 2. Employer costs per hour worked for employee compensation and costs as a percent of total compensation: private industry workers. Transportation and material moving occupations. Last modified June 16, 2022 (accessed August 4, 2022). https://www.bls.gov/news.release/archives/ecec_06162022.htm. TSA calculates a fully-loaded wage rate of $73.25 × 1.4961276 = $109.59.

14 The unloaded wage rate for a Computer and Information Systems Manager is $65.13. BLS. May 2021 National Industry-Specific Occupational Employment and Wage Estimates. NAICS 485000 – Transit and Ground Transportation. OCC 11-3021 Computer and Information Systems Manager. Last modified March 31, 2022 (accessed August 4, 2022). https://www.bls.gov/oes/2021/May/naics3_485000.htm.

TSA uses the same load factor of 1.4961276 as described in the previous footnote to calculate a fully-loaded wage rate of $65.13 × 1.4961276 = $97.44.

15 The IC is recommended for OTRB operators.

16 TSA estimates that 58.51 percent (457 ÷ 781) of updated cybersecurity coordinator information in Years 2 and 3 will be from Railroad respondents, while the remainder (41.49 percent) will be from Rail Transit and OTRB respondents. Therefore, the hour burden cost of 50 respondents in years 2 and 3 is (50 × $109.61 × .5851) + (50 × $116.47 × .4149) = $5,622.81.

17 The fully-loaded pay rate for an H-Band is $63.65. Source: TSA. Office of Finance and Administration, Personnel Modular Cost Data (FY21).

18 The government burden for cybersecurity incident reports is reported in OMB control number 1670-0037.

Updated 08/25/2022
