TSA Form 3157 TSA Surface (Rail and Public Transportation) Cybersecuri

DEPARTMENT OF HOMELAND SECURITY

SENSITIVE SECURITY
INFORMATION
Cover Sheet

For more information on handling SSI, contact [email protected].

WARNING: This record contains Sensitive Security Information that is controlled under 49 CFR
parts 15 and 1520. No part of this record may be disclosed to persons without a “need to know”, as
defined in 49 CFR parts 15 and 1520, except with the written permission of the Administrator of
the Transportation Security Administration or the Secretary of Transportation. Unauthorized
release may result in civil penalty or other action. For U.S. government agencies, public disclosure
is governed by 5 U.S.C. 552 and 49 CFR parts 15 and 1520.
DHS Form 11054 (8/10)

Reference: 49 CFR § 1520.13, Marking SSI

Sensitive Security Information

OMB Control Number 1652-0074

This record contains Sensitive Security Information when completed

Transportation
Security
Administration

U.S. Department of Homeland Security

Version 1.0

Instructions: Select the appropriate response for each question below. The Additional Information column must include the following information based on response:
1) If answering "Yes", either list the security plan, policy, document name, etc. with chapter/section; or if implemented but not documented, provide a brief explanation.
2) If answering "No", identify the gap, intended mitigation(s) measures, and the mitigation timeline.
For any questions concerning the completion of this assessment please email [email protected]

TSA Surface (Rail and Public Transportation) Cybersecurity Vulnerability Assessment
Owner/Operator
Name:

Assessment Completed Date:

Submitter (First/Last):

Submitter Title:

Submitter Email:

Submitter Contact Number:

Cybersecurity Coordinator
(First/Last):
Cybersecurity
Coordinator Email:
24 Hour Operations Center phone number, if applicable:
Question #

Cybersecurity Coordinator Title:
Cybersecurity Coordinator
Contact Number:

Answer
(Yes/No)

Question

Additional Information

Cyber Asset Security Measures
1.00

Do your cybersecurity plans incorporate any of the following approaches?

1.00A

National Institute of Standards and Technology (NIST),
Framework for Improving Critical Infrastructure
Cybersecurity

Select


1.00B

U.S. Department of Homeland Security, Transportation
Systems Sector Cybersecurity Framework
Implementation Guidance


Select

1.00C

1.00D

Industry-specific methodologies

Other (if checked, elaborate)

Select


Select


Page 1 of 8

Sensitive Security Information

OMB Control Number 1652-0074

This record contains Sensitive Security Information when completed

Asset Management
2.00

Has your company established and documented policies and procedures for the following?

2.00A

Assessing and maintaining configuration information.

Select


2.00B

Tracking changes made to surface transportation cyber
assets.

Select


2.00C

Patching/upgrading operating systems and applications. Select


2.00D

Ensuring that the changes do not adversely impact
existing cybersecurity controls.

Select


2.00E

Other (if checked, elaborate)

Select


2.01

Does your company evaluate and classify surface transportation cyber assets using the following criteria?

2.01A

Cyber assets that are operational technologies
(OT/ICS/SCADA systems) that can control surface
operations.

Select


2.01B

Cyber assets that are OT systems that monitor surface
operations.

Select


2.02

Has your company developed and maintained a
comprehensive set of network/system architecture
diagrams or other documentation, including nodes,
interfaces, remote and third-party connections, and
information flows?


Select

2.03

2.04

For cyber assets that can control surface operations, does
the OT environment have a detailed software and
Select

hardware inventory of cyber asset endpoints?
For cyber assets that can control surface operations, has
an inventory of the components of the operating system 
Select
been developed, documented, and maintained that
accurately reflects the current OT/ICS/SCADA system?

Page 2 of 8

Sensitive Security Information

OMB Control Number 1652-0074

This record contains Sensitive Security Information when completed.

2.05

2.06

2.06A

2.06B

2.07

2.08

Does your company periodically review network
connections, including remote access and thirdparty connections for cyber assets that can control
surface operations?


Select

For cyber assets that can control surface operations, has your company implemented the following measures?

Restrict user physical access to control systems and
control networks by using appropriate controls.


Select

Employ more stringent identity and access management

Select
practices (e.g., authenticators, password-construct,
access control).
For cyber assets that can control surface operations,
does your company review, assess, and update as

necessary all cybersecurity policies plans, processes, and Select
supporting procedures at least every 12 months, or
when there is a significant organizational change?
Does your company review and assess surface
transportation cyber asset functions controlling or
monitoring OT systems at least every 12 months?

Select


Business Environment
3.00

Does your company have a designated individual solely
responsible for cyber/ IT/ OT / SCADA security?


Select

3.01

Does your company document new transportation
cyber assets, when changes or upgrades are made to
control operations resulting in the system being
recognized as such?


Select

Governance
4.00

Has your company established and distributed
cybersecurity policies, plans, processes, and supporting
procedures commensurate with the current regulatory,
risk, legal, and operational environment?


Select

Page 3 of 8

Sensitive Security Information

OMB Control Number 1652-0074

This record contains Sensitive Security Information when completed

4.02

Does your company review, assess, and update as
necessary all cybersecurity policy plans, processes, and
supporting procedures at least every 36 months, or
when there is a significant organizational or
technological change?


Select

Risk Management Strategy
5.00

Has your company developed an operational framework
to ensure coordination, communication,and
Select
accountability for information security on and between 
the control systems and enterprise networks?

Risk Assessment
6.00

For cyber assets that can control surface operations,
does your company use independent assessors to
conduct surface transportation cybersecurity
assessments?


Select

6.01

Has your company established a process to identify and
evaluate vulnerabilities and compensating security
controls?


Select

6.02

Does the process address unmitigated/accepted
vulnerabilities in the IT and OT environment?

Select


Access Control
7.00

Has your company implemented the following measures?

7.00A

Establish and enforce unique accounts for each
Individual user and ensure each administrator has an
Individual account and an administrator account.

Select


7.00B

Establish security requirements for certain types of
Privileged accounts.

Select


7.00C

Prohibit the sharing of these accounts.

Select


7.01

Does your company employ strong credential
management or Active Directory monitoring throughout
the company’s cyber access control environment and is it
documented in overarching corporate IT/OT security
plans?

Select


Page 4 of 8

Sensitive Security Information

OMB Control Number 1652-0074

This record contains Sensitive Security Information when completed

7.02

Where systems do not support unique user accounts,
are appropriate compensating security controls (e.g., Select

physical controls) implemented?

7.03

Does your company ensure user accounts are modified,
deleted, or de-activated expeditiously for personnel
who no longer require access or are no longer
employed by the company?

7.04

Has your company implemented the following measures?


Select

7.04A

Establish and enforce access control policies for local
and remote users.

Select


7.04B

Have procedures and controls in place for approving
and enforcing remote and third-party connections.

Select


7.05

Are access control levels of permission and privileges
defined in the IT/ OT security plan?

Select


7.06

Does your company ensure appropriate segregation of
duties is in place and where this is not feasible, apply
appropriate compensating security controls?

Select


7.07

Does your company change all default passwords for
new software, hardware, etc., upon installation and,
where this is not feasible (e.g., a control system with a
hard-wired password), implement appropriate
compensating security controls (e.g., administrative
controls)?


Select

7.08

Do email and communications systems have features
that automatically download attachments turned off?

Select


7.09

Do systems only allow the execution of programs known 
Select
and permitted by security policy (i.e., allow lists?)

Awareness & Training
8.00

Do all persons requiring access to the company’s surface

Select
transportation cyber assets receive cybersecurity
awareness training?

Page 5 of 8

Sensitive Security Information

OMB Control Number 1652-0074

This record contains Sensitive Security Information when completed

8.01

For cyber assets that can control surface operations,
does your company provide role-based security training
on recognizing and reporting potential indicators of
system compromise prior to granting access to those
cyber assets?

8.02

Is there a cyber-threat awareness program for employees 
Select
that includes practical exercises/testing?


Select

Data Security & Information Protection
9.00

Has your company established and implemented policies and procedures to ensure data protection measures are in
place, including the following?

9.00A

Identifying critical data and establishing classification of
different types of data.

Select


9.00B

Establishing specific data handling procedures.

Select


9.00C

Establishing specific data disposal procedures.

Select


Protective Technology
10.00

Are surface transportation cyber assets segregated
and protected from enterprise networks and the
internet by use of physical separation, firewalls, and
other protections?

10.01

Do IT/ OT systems monitor and manage communications Select

at appropriate IT/ OT network boundaries?

10.02

Does your company employ mechanisms (e.g., active
directory) to support the management of accounts
for cyber assets that can control surface operations?


Select


Select

10.03

Does your company regularly validate that technical
controls comply with the company’s cybersecurity
policies, plans, and procedures, and report results to
senior management?


Select

10.04

Has your company implemented technical or
procedural controls to restrict the use of surface
transportation cyber assets to only approved
activities?


Select

Page 6 of 8

Sensitive Security Information

OMB Control Number 1652-0074

This record contains Sensitive Security Information when completed

Anomalies & Events
11.00

Has your company implemented processes to respond to anomalous activity through the following?

11.00A

Generating alerts and responding to them in a timely
manner.

Select


11.00B

Logging cybersecurity events and reviewing these logs.

Select


Security Continuous Monitoring
12.00

Does your company monitor for unauthorized
access or the introduction of malicious code or
communications?

Select


Does your company monitor physical and remote user
12.01 access to cyber assets that can control surface

Select
operations?
For cyber assets that can control surface operations, does
Select
12.02 your company employ mechanisms to detect components 
that should not be on the network?
Does your company conduct cyber vulnerability
12.03 assessments as described in your risk assessment
process?


Select

Detection Processes
13.00

13.01

Has your company established technical or procedural
controls for cyber intrusion monitoring and detection?


Select

Does your company perform regular testing of intrusion
and malware detection processes and procedures (e.g., Select

penetration testing)?

Response Planning
Has your company established policies and
procedures for cybersecurity incident handling,
14.00
analysis, and reporting, including assignments
of specific roles/tasks to individuals and teams?
For cyber assets that can control surface operations, are
14.01 cybersecurity incident response exercises conducted
periodically?


Select


Select

For cyber assets that can control surface operations, has
Select
14.02 your company established and maintained a process that 
supports 24/7 cyber-incident response?

Page 7 of 8

Sensitive Security Information

OMB Control Number 1652-0074

This record contains Sensitive Security Information when completed

14.03

Has your company established and maintained a cyberincident response capability?

Select


Communications

15.00

Does the company have procedures in place for
reporting to CISA Central, actual or suspected cyber
attacks that may impact surface transportation
surface industrial control systems (SCADA, PCS, DCS),
measurement and telemetry systems, or enterpriseassociated IT systems (IAW Security Directive
1580-21-01)?


Select

Mitigation
16.00

Do your company's response plans and procedures
include mitigation measures to help prevent further
impacts?


Select

Recovery Planning
Has your company established a plan for the recovery and
reconstitution of surface transportation cyber assets

17.00 within a time frame to align with the company’s safety Select
and business continuity objectives?
Does the company have documented procedures in place
to coordinate restoration efforts with internal and

Select
17.01 external stakeholders (coordination centers, Internet
Service Providers, victims, vendors, etc.)?

Continuous Improvement
18.00

Does your company review its cyber incident response
plan annually and update it as necessary?


Select

Paperwork Reduction Act Burden Statement: This is a mandatory collection of information. TSA estimates that the total average burden per response associated with this collection
is approximately 42 hours for Cybersecurity Vulnerability Assessments. The burden hour for the statement of completion for this information collection is included within the 42 hours
burden estimate. An agency may not conduct or sponsor, and a person is not required to respond to a collection of information unless it displays a valid OMB control number. The
control number assigned to this collection is OMB 1652-0074, which expires on 04/30/2023. Send comments regarding this burden estimate or collection to: TSA-11, Attention: PRA
1652-0074 Cybersecurity Measures for Surface Modes, 6565 Springfield Center Drive, Springfield, VA 20598-6011.

Page 8 of 8