TSA Publishes Baseline Assessment ICR Revision Notice – 6-4-21
Today the Transportation Security Administration published a 60-day Information Collection Request (ICR) revision notice in the Federal Register (86 FR 30065-30066) for their “Baseline Assessment for Security Enhancement (BASE) Program” (1652-0062). TSA uses the BASE program to assess the current security practices of the mass transit/passenger rail industry and the highway and motor carrier industry.
Background
In April of last year, the Government Accountability Office published a report (GAO-20-404) looking at TSA efforts regarding passenger rail security. That report noted that (pg 1):
“TSA shares standards and key practices with stakeholders, including those related to cybersecurity, through various mechanisms including BASE reviews; however, this assessment does not fully reflect current industry cybersecurity standards and key practices. For example, it does not include any questions related to two of the five functions outlined in the National Institute of Standards and Technology’s Cybersecurity Framework—specifically the Detect and Recover functions. Updating the BASE questions to align more closely with this framework would better assist passenger rail operators in identifying current key practices for detecting intrusion and recovering from incidents.”
BASE Revision
TSA is proposing to add a cyber annex to their BASE questionnaire. Completion of the cyber annex is reportedly going to be voluntary. TSA estimates that the cyber annex will take about six hours to complete. The only information about the questionnaire that TSA is supplying in this notice is the following, more than vague, statement:
“As a result, TSA is revising the collection to include all five core functions of the National Institute of Standards and Technology cybersecurity framework. All core functions and a majority of the subcategories are amalgamated with industry best practices in the newly developed cybersecurity questions and cyber annex, strengthening the cybersecurity health for the transportation sector.”
Burden Estimate
TSA provides the burden estimate information (‘current estimate’ data taken from the OMB web site, .DOCX download link) in the table below. The ‘MT/PR BASE’ refers to the mass transit/passenger railroad information collection. The ‘HWY BASE’ refers to the truck-freight information collection.
Using the data from the table we can deduce the number of expected MT/PR cyber annex responses by dividing the change in the hour burden estimate by 6; this gives us 62 (82.7%) of the 75 annual MT/PR BASE collections that TSA expects (to be fair, it is just a guesstimate) to volunteer to answer the cyber annex questions.
The HWY BASE estimate is harder to judge since TSA is inexplicably increasing the number of data collections that they are expecting to do each year, which is odd since that ‘old’ ICR was just approved last month. In any case, if we multiply the 17 new responses by the 1.8 hours per review that TSA is claiming in this ICR revision notice we get 30.6 hours; subtracting that from the 62-hour change in the estimated HWY BASE hours leaves 32.4 hours’ worth of cyber annex contact time, or just over 5 out of 512 facilities volunteering to answer the cyber annex questions.
That does not sound right. Just under 1% of the freight truck organizations are expected to complete the cyber annex. Digging back into the supporting document for the currently approved ICR, I can see the problem. That document reports that TSA expects the HWY BASE collection to take five hours, not the 1.8 reported in this notice. So, we are comparing apples and pizzas; no wonder the figures do not work out.
So, if we assume that the HWY BASE collection still takes 5 hours (and the notice says nothing about changing the collection other than adding the voluntary cyber annex), we should have a minimum of 535 hours for the original HWY BASE based upon the 107-response figure. If we then use a similar 80% cyber annex response rate for 85.6 cyber annex responses and the 6-hours/cyber annex response figure, we get an additional 513.6 hours of response for the cyber annex, or a total hour burden of 1,049 hours (rounded to whole hours, of course).
In other words, something appears to be drastically wrong with the TSA’s numbers on either this revision or the previous ICR.
Public Comments
TSA is soliciting public comments on this ICR revision notice. As is usual for TSA, they are not using the Federal eRulemaking Portal for these submissions, apparently in an effort to control who gets to see the public feedback. Instead, comments can be submitted via email to TSAPRA@tsa.dhs.gov. Comments should be submitted to TSA by August 3rd, 2021.
Commentary
I would like to be able to comment on the adequacy of the questions that are going to be asked in the cyber annex to these BASE information collections, but TSA does not provide that data to the public until it submits the ICR to OMB’s Office of Information and Regulatory Affairs. I have complained about how inconsiderate this is when OIRA expects TSA to solicit feedback from the public on the accuracy of the data being proposed in this and the later 30-day ICR notice. In fact, I have been complaining about this for a number of years. Without seeing the questions there is no way for anyone to accurately assess the TSA’s estimate of how long it will take to complete the assessment. But TSA has been doing this poor job of information sharing for a large number of years and OIRA has just been letting it slide. So, this will not change, but I will not stop calling them on it. End of rant.
The TSA is still looking to do a voluntary cyber questionnaire, even after the fiasco of the voluntary cyber program in the TSA pipeline security program was exposed by the Colonial Pipeline hack. Someone at DHS needs to have a firm talk with the leadership at TSA, or maybe it should be the President’s cybersecurity advisor that needs to explain the political facts of life to the TSA Surface management team. This data collection is not making anyone take any cybersecurity action (that is a completely different ball game), but, if TSA is going to at least have an understanding of the current cybersecurity state of affairs, completing the cyber annex is going to have to be at least as mandatory as completing the BASE assessment (and unfortunately, that is still largely voluntary).
I will be submitting a copy of this post as a comment on this ICR notice.
