TSA seeks stakeholder input on cybersecurity reporting requirements, assessment burden estimates by June 15


The U.S. Department of Homeland Security, through its Transportation Security Administration (TSA), published a 60-day notice inviting public comment on one currently approved Information Collection Request (ICR) that the agency will submit to the Office of Management and Budget (OMB) for revision, in compliance with the Paperwork Reduction Act (PRA). The ICR describes the nature of the information collection and its expected burden, covering data on the designation of a Cybersecurity Coordinator; reporting of cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA); development of a cybersecurity contingency/recovery plan to address cybersecurity gaps; and completion of a cybersecurity assessment.

In a Thursday Federal Register notice, the TSA said it is seeking public comment ahead of OMB review to determine whether the proposed information collection is necessary to support agency functions and deliver practical utility. It also seeks input on the accuracy of its burden estimates, on ways to enhance the quality, utility, and clarity of the information to be collected, and on approaches to minimize the burden on respondents using appropriate automated, electronic, mechanical, or other technological collection methods.

Interested stakeholders must submit comments by June 15, 2026.

The TSA is empowered to assess threats to the transportation sector; develop policies, strategies, and plans for dealing with these threats; oversee implementation and adequacy of security measures at transportation facilities; and carry out other appropriate duties relating to transportation security. Additionally, the agency has the authority to issue Security Directives (SDs) if the TSA administrator determines that a regulation or SD must be issued immediately to protect transportation security.

In January, the TSA revised the SD 1580-21-01 series and the SD 1582-21-01 series, requiring that any non-U.S. citizen serving as a primary or alternate cybersecurity coordinator must be a current member of NEXUS, Global Entry, or another program determined by TSA to include a comparable security threat assessment (STA). TSA is revising the collection to include this new requirement.

The information collected pursuant to the requirements in the SDs and the recommendations in the IC allows TSA to execute its security responsibilities within the surface transportation industry, through awareness of potential security incidents and suspicious activities. 

The SD 1580/82-2022-01 series outlines several information collection requirements. Owners and operators must submit a Cybersecurity Implementation Plan to the TSA for approval, detailing how they will meet the directive’s required security outcomes. They are also required to provide a Cybersecurity Assessment Plan describing how the effectiveness of their cybersecurity measures will be evaluated, along with an annual report summarizing assessment results from the previous year. In addition, supporting documentation must be provided to TSA upon request to demonstrate compliance.

Christina A. Walsh, TSA’s Paperwork Reduction Act Officer for Information Technology, wrote in the notice that the agency “estimates SD 1580/82-2022-01 applies to a total of 73 Owner/Operators; and SD 1580-21-01, SD 1582-21-01, and Surface Transportation IC-2021-01 apply to 449 railroad Owner/Operators, 242 public transportation agencies and rail transit system Owner/Operators, and 72 over-the-road bus Owner/Operators, for a total of 836 respondents. TSA estimates the annual hour burden to be 210,661.”

The SD 1580-21-01 and SD 1582-21-01 directives, along with Surface Transportation IC-2021-01 and IC Surface-2025-01, establish mandatory and voluntary information collection requirements. Owners and operators must provide the TSA with contact details for a primary and at least one alternate Cybersecurity Coordinator. Where a designated coordinator is a non-U.S. citizen, they must be a current member of a trusted traveler program, such as the NEXUS or Global Entry program, or an equivalent program recognized by TSA, with documentation submitted accordingly.

The requirements also mandate timely reporting of cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency. Under 49 CFR 1570.203, incidents must be reported as soon as practicable and no later than 72 hours after identification. In parallel, organizations are required to develop a Cybersecurity Incident Response Plan to reduce the risk of operational disruption affecting information and operational technology systems. They must also conduct a cybersecurity vulnerability assessment using a TSA-issued form and submit the completed assessment to the agency.

The information collection encourages, but does not require, owners and operators to notify the TSA within 12 hours of discovering significant cybersecurity incidents. Required plans and reports can be submitted through TSA’s secure portal or retained for review, with compliance documentation provided upon request, while voluntary measures do not mandate reporting.

TSA, working with the CISA, uses incident data to track emerging threats, coordinate response actions, and issue warnings to prevent wider impact. The information also supports updates to cybersecurity policies to strengthen transportation and economic security while ensuring adherence to mandated security directives.

Walsh noted that in terms of the revision to include the STA requirement, “TSA anticipates that only nine or fewer Owners/operators will need to respond annually to the STA requirement for a non-U.S. citizen to be designated as Cybersecurity Coordinator. However, the burden scope estimates presume that 10 or more Owner/Operators could respond. TSA estimates that if there are 10 non-U.S. citizen respondents, based on other information collection STA burdens, they will spend approximately 0.25 hours to compile and submit the information, a total of 2.5 burden hours.” 

She added that should TSA require a fingerprint-based criminal history records check, there would be an additional time burden of approximately two hours per respondent, a total of 20 burden hours. “For this collection, TSA estimates the total annual respondents to be 846 and the total annual hour burden to be 210,684 hours.”
