TSA Seeks Stakeholder Input on Cybersecurity Reporting Requirements and Assessment Burden Estimates by June 15

Key Takeaways

  • The TSA has issued a 60‑day Federal Register notice seeking public comment on a revision to an existing Information Collection Request (ICR) tied to several Surface Transportation Security Directives.
  • Comments must be submitted by June 15, 2026 and will inform OMB review under the Paperwork Reduction Act (PRA).
  • The ICR captures data on cybersecurity coordinators, incident reporting to CISA, contingency/recovery planning, and cybersecurity assessments.
  • Recent revisions to SD 1580‑21‑01 and SD 1582‑21‑01 now require that any non‑U.S. citizen serving as a primary or alternate cybersecurity coordinator be a current member of a trusted traveler program (e.g., NEXUS, Global Entry) or an equivalent TSA‑approved program.
  • TSA estimates the revised collection will affect ≈ 846 respondents (owner/operators across rail, public transit, bus, and other surface‑transport sectors) and generate an annual burden of ≈ 210,684 hours.
  • The agency anticipates that the new STA (Security Threat Assessment) requirement will impact nine or fewer respondents, with an added burden of only a few hours if fingerprint‑based checks are later required.
  • Collected information supports threat tracking, coordinated response, policy updates, and compliance verification with TSA’s cybersecurity directives.

Background and Purpose of the Notice
The Transportation Security Administration (TSA), a component of the U.S. Department of Homeland Security, published a Federal Register notice on Thursday inviting public comment for a 60‑day period on an existing Information Collection Request (ICR) that it plans to submit to the Office of Management and Budget (OMB) for revision. The action is required by the Paperwork Reduction Act (PRA), which mandates that federal agencies justify the necessity and burden of any information collection before OMB approval. By soliciting stakeholder feedback, TSA aims to confirm that the proposed collection is essential to its mission, evaluate the accuracy of its burden estimates, and identify ways to improve the quality, utility, and clarity of the data while minimizing respondent burden through modern collection methods.


Public Comment Process and OMB Review
Interested parties—including transportation owners and operators, industry associations, and cybersecurity experts—must submit written comments by June 15, 2026. The notice emphasizes that comments should address whether the information collection is necessary for TSA functions, whether the estimated hourly burden is accurate, and how the agency might enhance the collection’s usefulness. Additionally, respondents are invited to suggest automated, electronic, or other technological approaches that could reduce the time and effort required to comply. After the comment period closes, TSA will review the input, potentially revise the ICR, and forward the final package to OMB for approval under the PRA.


TSA Authority and Security Directives
TSA’s statutory mandate includes assessing threats to the nation’s transportation sector, developing policies and strategies to mitigate those threats, overseeing the implementation and adequacy of security measures at transportation facilities, and issuing Security Directives (SDs) when immediate action is required to protect transportation security. These directives enable TSA to impose specific, enforceable requirements on owners and operators of surface transportation systems, ranging from railroads to public transit agencies and over‑the‑road bus carriers. The current ICR is directly linked to several SDs that establish cybersecurity obligations for these entities.


Revisions to Security Directives (SD 1580/82 series)
In January, TSA updated the SD 1580‑21‑01 and SD 1582‑21‑01 series to incorporate a new stipulation: any non‑U.S. citizen designated as a primary or alternate Cybersecurity Coordinator must be a current member of a trusted traveler program such as NEXUS or Global Entry, or another program deemed by TSA to provide a comparable Security Threat Assessment (STA). Documentation of membership must be submitted to TSA. This change reflects heightened scrutiny of foreign nationals occupying critical cybersecurity roles within the transportation infrastructure.


Information Collection Requirements under the SDs
The SD 1580/82‑2022‑01 series, together with the Surface Transportation IC‑2021‑01 and IC‑Surface‑2025‑01, outline both mandatory and voluntary information‑collection obligations. Owners and operators must submit a Cybersecurity Implementation Plan for TSA approval, detailing how they will achieve the directive’s security outcomes. They also need to provide a Cybersecurity Assessment Plan describing how the effectiveness of their cybersecurity measures will be evaluated, followed by an annual report summarizing the prior year’s assessment results. Supporting documentation must be available to TSA upon request to demonstrate compliance.


Reporting Cybersecurity Incidents to CISA
Under 49 CFR 1570.203, entities are required to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) as soon as practicable, but no later than 72 hours after identification. The reporting obligation is mandatory, and organizations must maintain a Cybersecurity Incident Response Plan aimed at reducing the risk of operational disruption to information and operational technology (OT) systems. Additionally, they must conduct a cybersecurity vulnerability assessment using a TSA‑issued form and submit the completed assessment to the agency.


Voluntary vs. Mandatory Measures
While the core requirements—coordinator designation, incident reporting, planning, and assessment—are mandatory, the ICR also encourages (but does not compel) owners and operators to notify TSA within 12 hours of discovering a significant cybersecurity incident. Required plans and reports may be submitted via TSA’s secure portal or retained for later review, with compliance documentation provided on request. Voluntary measures, such as early notification, are intended to improve situational awareness without imposing additional legal obligations.


Use of Collected Data by TSA and CISA
TSA, in collaboration with CISA, leverages the submitted data to monitor emerging cyber threats, coordinate response actions, and issue timely warnings that could prevent broader impact across the transportation sector. The information also informs periodic updates to cybersecurity policies, strengthening both transportation and economic security while ensuring adherence to the mandated directives. By aggregating incident reports and assessment results, the agencies can identify trends, allocate resources effectively, and refine guidance for owners and operators.


Burden Estimates and Respondent Numbers
Christina A. Walsh, TSA’s Paperwork Reduction Act Officer for Information Technology, provided detailed burden estimates in the notice. She calculated that SD 1580/82‑2022‑01 applies to 73 owner/operators, while the broader set of directives (SD 1580‑21‑01, SD 1582‑21‑01, and Surface Transportation IC‑2021‑01) covers 449 railroad owner/operators, 242 public transportation agencies and rail transit system owner/operators, and 72 over‑the‑road bus owner/operators—totaling 836 respondents. Based on these figures, TSA estimates an annual hour burden of 210,661 hours for the current collection.


Impact of the STA Requirement for Non‑U.S. Citizens
Regarding the recent addition that non‑U.S. citizen cybersecurity coordinators must belong to a trusted traveler program, Walsh noted that TSA anticipates nine or fewer owner/operators will need to comply with this STA requirement each year. However, to provide a conservative estimate, the burden calculations assume ten or more respondents could be affected. If ten non‑U.S. citizen respondents each spend about 0.25 hours to compile and submit the required documentation, the added burden would be 2.5 hours annually.


Potential Fingerprint‑Based Checks and Updated Burden
Walsh further explained that should TSA decide to implement a fingerprint‑based criminal history records check for these coordinators, each respondent would incur approximately two additional hours of burden. With ten potential respondents, this would add 20 burden hours to the total. Consequently, the revised annual burden would rise to 210,684 hours for an estimated 846 total respondents (the slight increase reflecting the inclusion of the STA‑related respondents).


Conclusion and Next Steps
The TSA’s notice initiates a critical public‑engagement step aimed at ensuring that its cybersecurity information collection remains justified, accurate, and minimally burdensome while supporting the agency’s security mission. Stakeholders have until June 15, 2026 to submit comments on the necessity, burden estimates, and potential improvements to the collection process. After reviewing the feedback, TSA will adjust the ICR as needed and forward it to OMB for final approval under the Paperwork Reduction Act. The outcome will shape how surface‑transportation entities report cybersecurity coordinators, incidents, assessments, and plans for the coming years, ultimately influencing the resilience of the nation’s transportation infrastructure against cyber threats.
