[Federal Register Volume 87, Number 99 (Monday, May 23, 2022)]
[Rules and Regulations]
[Pages 31093-31094]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-11018]



========================================================================
Rules and Regulations
                                                Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains regulatory documents 
having general applicability and legal effect, most of which are keyed 
to and codified in the Code of Federal Regulations, which is published 
under 50 titles pursuant to 44 U.S.C. 1510.

The Code of Federal Regulations is sold by the Superintendent of Documents. 

========================================================================


Federal Register / Vol. 87, No. 99 / Monday, May 23, 2022 / Rules and 
Regulations

[[Page 31093]]



DEPARTMENT OF HOMELAND SECURITY

6 CFR Chapter I

49 CFR Chapter XII


Ratification of Security Directives

AGENCY: Office of Strategy, Policy, and Plans, Department of Homeland 
Security (DHS).

ACTION: Notification of ratification of security directives.

-----------------------------------------------------------------------

SUMMARY: DHS is publishing official notice that the Transportation 
Security Oversight Board (TSOB) has ratified Transportation Security 
Administration (TSA) Security Directive 1580-21-01, Security Directive 
1582-21-01, Security Directive Pipeline-2021-01A, and Security 
Directive Pipeline-2021-02B. Security Directive 1580-21-01 requires 
owners/operators of specified freight railroad carriers to implement 
certain measures addressing cybersecurity vulnerabilities. Security 
Directive 1582-21-01 applies these same requirements to owner/operators 
of specified passenger railroad carriers and rail transit systems. 
Security Directive Pipeline-2021-01A and Security Directive Pipeline-
2021-02B amend earlier cybersecurity directives applicable to owner/
operators of critical pipeline systems and facilities. Security 
Directive Pipeline-2021-01A incorporates a revised definition of a 
``cybersecurity incident'' and aligns the definition with the 
definition applicable across other modes of transportation regulated by 
TSA. Security Directive Pipeline-2021-02B provides additional 
flexibility to owner/operators in complying with the mitigation 
measures required by Security Directive Pipeline-2021-02.

DATES: The TSOB ratified Security Directive 1580-21-01, Security 
Directive 1582-21-01, and Security Directive Pipeline-2021-01A on 
December 29, 2021. The TSOB ratified Security Directive Pipeline-2021-
02B on January 13, 2022.

FOR FURTHER INFORMATION CONTACT: Thomas McDermott, Acting Assistant 
Secretary for Cyber, Infrastructure, Risk and Resilience Policy at 202-
834-5803 or [email protected].

SUPPLEMENTARY INFORMATION:

I. Background

A. Cybersecurity Threat

    Cybersecurity incidents affecting surface transportation entities 
are a growing threat that pose a risk to the national and economic 
security of the United States. In recent years, cyber attackers have 
maliciously targeted the critical infrastructure of surface 
transportation modes in the United States, including pipelines, freight 
railroads, passenger railroads, and rail transit systems, with multiple 
cyberattack and cyber espionage campaigns.\1\ This threat continues to 
evolve and is ongoing. By targeting the integrated cyber and physical 
infrastructure of surface transportation entities, these attackers 
threaten the safe, secure, and uninterrupted daily operation of surface 
transportation systems relied upon by the U.S. economy with potential 
to cause nation-wide impact.
---------------------------------------------------------------------------

    \1\ These activities include the April 2021 breach of New York 
City's Metropolitan Transportation Authority (the nation's largest 
mass transit agency) by hackers suspected to be linked to the 
Chinese government; the December 2020 ``Sunburst'' attack on transit 
agencies; the August 2020 attack on the Southeastern Pennsylvania 
Transportation Authority; the 2017 ransomware attack on the 
Sacramento Regional Transit District; and the November 2016 
ransomware attack on the San Francisco Municipal Transportation 
agency. This threat is ongoing: for example, on November 17, 2021, 
the Federal Bureau of Investigation, the Cybersecurity and 
Infrastructure Security Agency (CISA), the Australian Cyber Security 
Centre, and the United Kingdom's National Cyber Security Centre 
issued a joint cybersecurity advisory highlighting ongoing malicious 
cyber activity by an advanced persistent threat group (APT) that 
these agencies associated with the government of Iran. The advisory 
states that ``The Iranian government-sponsored APT actors are 
actively targeting a broad range of victims across multiple U.S. 
critical infrastructure sectors, including the Transportation Sector 
and the Healthcare and Public Health Sector, as well as Australian 
organizations.'' Alert AA21-321A (November 17, 2021).
---------------------------------------------------------------------------

B. Security Directive 1580-21-01 and Security Directive 1582-21-01

    In response to this persistent threat, TSA issued two security 
directives on December 2, 2021, requiring specified surface 
transportation entities to implement urgently needed measures that 
immediately enhance the cybersecurity of the surface transportation 
sector.\2\ Specifically, the two materially identical security 
directives--one applicable to specified freight railroad carriers and 
the other applicable to specified passenger railroad carriers and rail 
transit systems--require owner/operators to take the following four 
crucial actions:
---------------------------------------------------------------------------

    \2\ 49 U.S.C. 114(l)(2)(A).
---------------------------------------------------------------------------

     Designate a Cybersecurity Coordinator who is required to 
be available to TSA and CISA at all times (all hours/all days) to 
coordinate implementation of cybersecurity practices, manage 
cybersecurity incidents, and serve as a principal point of contact with 
TSA and CISA for cybersecurity-related matters;
     Report cybersecurity incidents to CISA;
     Conduct a Cybersecurity Vulnerability Assessment to 
identify gaps in current cybersecurity measures, identify remediation 
measures, and develop a plan for the owner/operator to implement the 
remediation measures to address any identified vulnerabilities and 
gaps; and
     Develop a Cybersecurity Incident Response Plan to reduce 
the risk of operational disruption should their Information and/or 
Operational Technology systems be affected by a cybersecurity incident.
    The actions required by these security directives only apply to 
specified owner/operators of freight railroads, passenger railroads, 
and rail transit systems that TSA has determined are higher risk.\3\ 
The covered entities are those that the nation depends on to move 
passengers and transport freight in support of critical sectors, 
including national defense. Both security directives became effective 
on December

[[Page 31094]]

31, 2021 and are set to expire on December 31, 2022.\4\
---------------------------------------------------------------------------

    \3\ See 49 CFR 1580.101 and 1582.101. On December 2, 2021, TSA 
separately issued an Information Circular (IC) to TSA-regulated 
owner/operators of freight railroads, passenger railroads, public 
transportation agencies, and rail transit systems not specifically 
covered by the security directives and -over-the-road-bus owner/
operators regulated under 49 CFR part 1584, recommending that these 
entities generally implement the same four actions that the security 
directives require of higher-risk surface transportation entities. 
See Surface Transportation Information Circular-2021-01.
    \4\ TSA's security directives are presumptively Sensitive 
Security Information (SSI) by regulation and are subject to 
disclosure restrictions. 49 CFR 1520.5(b)(2). The TSA Administrator, 
however, has determined that it is in the interest of public safety 
and in furtherance of transportation security that Security 
Directive 1580-21-01 and Security Directive 1582-21-01 be made 
publicly available. 49 CFR 1520.5(b).
---------------------------------------------------------------------------

C. TSA Security Directive Pipeline-2021-01A

    On December 2, 2021, TSA also issued a security directive amending 
a directive issued earlier that year requiring owner/operators of 
critical pipeline systems and facilities to implement certain 
cybersecurity measures. On May 26, 2021, TSA issued Security Directive 
Pipeline-2021-01, which was the first of multiple security directives 
issued by TSA in 2021 to enhance the cybersecurity of critical pipeline 
systems in response to the ransomware attack on the Colonial Pipeline 
Company on May 8, 2021. This first directive required owner/operators 
to: (1) Report cybersecurity incidents to CISA; (2) appoint a 
cybersecurity coordinator to be available 24/7 to coordinate with TSA 
and CISA; and (3) conduct a self-assessment of cybersecurity practices, 
identify any gaps, and develop a plan and timeline for remediation.\5\ 
This security directive went into effect on May 28, 2021, and was 
ratified by the TSOB on July 3, 2021. 86 FR 38209. It is set to expire 
on May 28, 2022.
---------------------------------------------------------------------------

    \5\ 86 FR 38209.
---------------------------------------------------------------------------

    Security Directive Pipeline-2021-01A, issued on December 2, 2021, 
amended Security Directive Pipeline-2021-01, updating the definition of 
cybersecurity incident applicable in the pipeline context to mirror the 
definition used by the subsequent security directives applicable to 
specified surface transportation sector entities. TSA's determination 
to use a modified definition was made following industry input and 
consultation with DHS cybersecurity experts. The amended definition of 
cybersecurity incident applicable to critical pipeline owner/operators 
provides further clarity regarding the nature of incidents that fall 
within the definition of cybersecurity incident and ensures the 
consistent identification of incidents that must be reported to CISA 
across all covered modes of transportation.

D. TSA Security Directive Pipeline-2021-02B

    On July 19, 2021 TSA issued the second security directive--Security 
Directive Pipeline-2021-02--in response to the Colonial Pipeline 
attack, building on the requirements of Security Directive Pipeline-
2021-01 to further enhance the cybersecurity of critical pipeline 
systems. Security Directive Pipeline-2021-02 required owner/operators 
of critical pipelines to take the following additional actions:
     Implement specified mitigation measures to reduce the risk 
of compromise from a cyberattack;
     Develop a Cybersecurity Contingency/Response Plan to 
reduce the risk of operational disruption or functional degradation of 
information technology and operational technology systems in the event 
of a malicious cyber intrusion; and
     Test the effectiveness of their cybersecurity practices 
through an annual cybersecurity architecture design review conducted by 
a third party.
    Security Directive Pipeline-2021-02 became effective on July 26, 
2021 and was ratified by the TSOB on August 17, 2021. 86 FR 52953 
(September 24, 2021). It is set to expire on July 26, 2022.
    On December 17, 2021, TSA issued Security Directive Pipeline-2021-
02B, amending Security Directive Pipeline-2021-02 to provide additional 
flexibility to owner/operators in complying with the directive's 
requirements. TSA amended the directive's requirements based on 
industry feedback and following consultation with CISA. The revisions 
provide pipeline owner/operators with the necessary flexibility to 
comply with the directive's requirements, while ensuring that the 
requirements are met in a uniform and operationally safe manner.\6\
---------------------------------------------------------------------------

    \6\ Security Directive Pipeline-2021-02B and its specific 
requirements for operators are designated as Sensitive Security 
Information (SSI) under TSA regulations. See 49 CFR 1520.5(b)(1), 
(b)(2), (b)(6), (b)(8). Absent a determination by the TSA 
Administrator to remove the SSI designation in the interest of 
public safety or in furtherance of transportation security, Security 
Directive Pipeline 2021-02B, the records produced in compliance with 
its requirements, and the information contained in these records 
remain designated as SSI and afforded the protections of such a 
designation. See 49 CFR 1520.5(b).
---------------------------------------------------------------------------

II. TSOB Ratification

    TSA has broad statutory responsibility and authority to safeguard 
the nation's transportation system.\7\ The TSOB--a body consisting of 
the Secretary of Homeland Security, the Secretary of Transportation, 
the Attorney General, the Secretary of Defense, the Secretary of the 
Treasury, the Director of National Intelligence, or their designees, 
and a representative of the National Security Council--reviews certain 
TSA regulations and security directives consistent with law.\8\ TSA 
issued each of these security directives under 49 U.S.C. 114(l)(2)(A), 
which authorizes TSA to issue emergency regulations or security 
directives without providing notice or public comment where ``the 
Administrator determines that a regulation or security directive must 
be issued immediately in order to protect transportation security . . . 
.''. Security directives issued pursuant to the procedures in 49 U.S.C. 
114(l)(2) ``shall remain effective for a period not to exceed 90 days 
unless ratified or disapproved by the Board or rescinded by the 
Administrator.'' \9\
---------------------------------------------------------------------------

    \7\ See, e.g., 49 U.S.C. 114(d), (f), (l), (m).
    \8\ See, e.g., 49 U.S.C. 115; 49 U.S.C. 114(l)(2)(B).
    \9\ 49 U.S.C. 114(l)(2)(B).
---------------------------------------------------------------------------

    Following the issuance of Security Directive 1580-21-01, Security 
Directive 1582-21-01, and Security Directive Pipeline-2021-01A on 
December 2, 2021, the chairman of the TSOB convened the board for the 
purpose of reviewing each directive. Following the issuance of Security 
Directive Pipeline-2021-02B on December 17, 2021, the chairman again 
convened the board for the purpose of reviewing that directive. In 
reviewing the directives, the TSOB reviewed the actions required by 
Security Directive 1580-21-01 and Security Directive 1582-21-01 to 
mitigate cybersecurity vulnerabilities in the rail transportation 
sector; the need for TSA to issue the security directives pursuant to 
its emergency authority under 49 U.S.C. 114(l)(2) to prevent the 
disruption and degradation of the country's critical rail 
transportation infrastructure; Security Directive Pipeline-2021-01A's 
amended definition of cybersecurity incident applicable to owner/
operators of critical pipeline systems and facilities; and the 
flexibilities provided by Security Directive Pipeline-2021-02B. 
Following its review, the TSOB ratified all four security directives. 
The TSOB ratified Security Directive 1580-21-01, Security Directive 
1582-21-01, and Security Directive Pipeline-2021-01A on December 29, 
2021. The TSOB ratified Security Directive Pipeline-2021-02B on January 
13, 2022.

John K. Tien,
Deputy Secretary of Homeland Security & Chairman of the Transportation 
Security Oversight Board.
[FR Doc. 2022-11018 Filed 5-20-22; 8:45 am]
BILLING CODE 9110-9M-P