TSA Publishes 30-day Surface Cybersecurity ICR Renewal Notice – 3-29-23
Today, the TSA published a 30-day Information Collection Request renewal notice in the Federal Register (88 FR 14628-14630) for their Cybersecurity Measures for Surface Modes ICR (1652-0074). The 60-day notice for this ICR renewal was published on November 14th, 2022. This notice is a follow-up to the recent emergency approval of a revision to that ICR supporting the new Security Directive (SD1580/82-2022) for surface transportation cybersecurity.
Burden Estimate Revision
The OMB’s Office of Information and Regulatory Affairs (OIRA) approved the emergency revision of the ICR with the standard caveat that the TSA would submit a renewal through the regular process within 120-days, this is part of that renewal process. As outlined in the Supporting Document (pgs 8-13) for that emergency approval, this ICR has a fairly complex burden estimate because of the way TSA has to define the affected audience.
The ‘high-risk freight railroads’ category only applies to the requirements to develop, document, and audit a cybersecurity implementation plan. The 73 entities included in that category are already included in the 781 members of the ‘freight railroad’ category, so the total number of affected entities is only 781.
That same Supporting Document provides the following data for the current burden estimate for this ICR:
Burden Estimate Confusion
Normally, I would not go into all of this data on a 30-day ICR notice because it would have already been covered in the discussion about the 60-day ICR notice. That did not happen here. TSA does not typically explain their burden estimates in their ICR notices, they save that data for their submission of the data to OIRA, days to weeks after the 30-day ICR notice is published in the Federal Register.
Unfortunately, this ICR notice is a tad bit more confusing than normal, even for the TSA. In the 60-day notice the TSA provided the following burden estimate:
“For this collection, TSA estimates the total annual respondents to be 854 and the total annual hour burden to be 134,023 hours.”
The similar statement in this ICR notice reports that the number of respondents will be 781 and that the annual burden will be 96,163 hours annually. I can tell where the 781 number comes from and agree that it is probably a better number for the ‘number of respondents’. The number for the burden hour estimate is a bit more confusing. That number is way too low for the current requirements under this ICR. Digging into the history of the ICR it looks like this number was taken from 60-day ICR notice for this program that was submitted by the TSA on December 23, 2021. That was submitted as a follow-up to the original TSA security directive placing cybersecurity requirements on the surface transportation sector.
Public Comments
The TSA is soliciting public comments on this ICR renewal. Comments should be submitted to OIRA through their website, unfortunately that will not be possible until TSA actually submits this OIRA for consideration, I will announce that date when ORIA publishes the notice. Comments should be submitted by April 10th, 2023.
NOTE: Removed from paywall on 3-11-23.