Full Report
The U.S. Department of Homeland Security, through its Transportation Security Administration (TSA), published a 60-day notice inviting public... The post TSA seeks stakeholder input on cybersecurity reporting requirements, assessment burden estimates by June 15 appeared first on Industrial Cyber.
Analysis Summary
# Regulation/Compliance: TSA Surface Transportation Cybersecurity Information Collection (SD 1580/82 series)
## Overview
The Transportation Security Administration (TSA) is seeking public comment on the revision and extension of Information Collection Requests (ICRs) related to cybersecurity mandates for surface transportation. This initiative aims to standardize how owners and operators report incidents, designate coordinators, and assess their cybersecurity posture to protect U.S. critical infrastructure.
## Key Details
- **Issuing Authority:** Transportation Security Administration (TSA) / Dept. of Homeland Security (DHS)
- **Effective Date:** June 15, 2026 (the deadline for stakeholder input on the notice, not the effective date of a new rule)
- **Jurisdiction:** United States Surface Transportation Sector
- **Status:** Proposed Revision / Public Comment Period
## Requirements
### Mandatory Requirements
1. **Designation of Cybersecurity Coordinator:** Must appoint a primary and alternate coordinator available to TSA 24/7.
2. **Security Threat Assessments (STA):** Non-U.S. citizens serving as coordinators must be members of NEXUS, Global Entry, or a comparable TSA-approved program.
3. **Incident Reporting:** Mandatory reporting of cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
4. **Cybersecurity Implementation Plan:** Submission of a formal plan detailing how the organization meets TSA-required security outcomes.
5. **Cybersecurity Assessment Plan:** A roadmap describing how the entity will evaluate the effectiveness of its security measures.
6. **Annual Assessment Reports:** Yearly summaries of cybersecurity assessment results submitted to TSA.
### Recommended Practices
1. **Automated Collection:** Encouragement of automated/mechanical methods to minimize the administrative burden of data collection.
2. **Voluntary Information Sharing:** Participation in Information Certificates (IC) for surface transportation to increase industry-wide threat awareness.
## Affected Organizations
- **Industries:** Railroads (Freight and Passenger), Public Transportation Agencies, Rail Transit Systems, and Over-the-Road Bus (OTRB) operators.
- **Organization Size:** Approximately 836 total respondents (73 high-priority owners/operators under SD 1580/82-2022-01).
- **Geographic Scope:** United States.
## Compliance Timeline
- **April 17, 2026:** Publication of the 60-day notice in the Federal Register.
- **June 15, 2026:** Deadline for stakeholders to submit comments on burden estimates and utility.
- **Ongoing:** Annual submission of assessment results and immediate reporting of incidents.
## Implementation Guidance
### Assessment Phase
- **Gap Analysis:** Identify gaps between current security posture and the required security outcomes outlined in the SD 1580/82 series.
- **Burden Evaluation:** Review the TSA’s estimated "annual hour burden" (210,661 hours across the industry) to determine internal resource allocation.
### Implementation Phase
- **Coordinator Vetting:** Ensure all designated Cybersecurity Coordinators meet the new STA requirements (Global Entry/NEXUS for non-citizens).
- **Reporting Integration:** Establish direct communication channels with CISA for immediate incident notification.
### Validation Phase
- **Annual Reporting:** Submit a summary of the prior year’s assessment results.
- **Documentation Access:** Maintain records and supporting documentation to be provided to TSA upon request for compliance audits.
## Technical Requirements
- **Contingency & Recovery Planning:** Development of plans to address cybersecurity gaps and ensure operational resilience during an incident.
- **Outcome-Based Controls:** Implementation of technical measures as defined in the entity’s approved Cybersecurity Implementation Plan (CIP).
## Penalties & Enforcement
- **Fines:** TSA has the authority to issue civil penalties for non-compliance with Security Directives.
- **Other Consequences:** Potential for increased oversight, mandatory corrective action plans, and reputational risk.
- **Enforcement:** TSA oversees the adequacy of security measures and monitors compliance through the required submission of Implementation and Assessment Plans.
## Related Standards
- **NIST Cybersecurity Framework:** Often serves as the underlying structure for the "required security outcomes" in TSA directives.
- **Paperwork Reduction Act (PRA):** The legal driver for this specific notice regarding collection burden.
## Resources
- **Official Documentation:** [Federal Register - TSA-2026-XXXX] (Defanged link)
- **Guidance Documents:** TSA Security Directives 1580-21-01 and 1582-21-01 series.
## Practical Recommendations
- **Audit Coordinator Status:** Immediately verify the citizenship and STA status of current Cybersecurity Coordinators to ensure they meet the new NEXUS/Global Entry requirements.
- **Submit Comments:** Impacted entities should provide feedback by June 15 regarding whether the TSA’s "burden estimates" accurately reflect the time and cost spent on compliance.
- **Standardize Reporting:** Align internal incident response triggers with CISA reporting timelines to ensure "mandatory reporting" requirements are met seamlessly.