AGENCY:

Office of Strategy, Policy, and Plans, Department of Homeland Security (DHS).

ACTION:

Notice.

SUMMARY:

DHS is publishing official notice that the Transportation Security Oversight Board (TSOB) has recommended to the Transportation Security Administration (TSA) that a cybersecurity emergency exists that warrants TSA's determination to expedite the implementation of critical cyber mitigation measures through the exercise of emergency regulatory authority.

DATES:

The TSOB provided this recommendation on April 20, 2023.

FOR FURTHER INFORMATION CONTACT:

Thomas McDermott, Acting Assistant Secretary for Cyber, Infrastructure, Risk and Resilience Policy at 202-834-5803 or thomas.mcdermott@hq.dhs.gov.

SUPPLEMENTARY INFORMATION:

I. Background

On March 7, 2023, TSA issued Joint Emergency Amendment (EA) 23-01 ^[1] to certain aviation stakeholders to address the significant cybersecurity threat to the aviation system, evidenced by recent incidents and intelligence. Joint EA 23-01 is part of TSA's and the Government's, more broadly, ongoing plans and efforts to rapidly increase the cybersecurity resilience of critical transportation infrastructure. TSA determined that proceeding with immediate action was warranted under the circumstances to ensure timely implementation of critical mitigation measures by higher risk regulated entities. Joint EA 23-01 amends the security programs ^[2] for covered owners/operators to require performance-based cybersecurity measures intended to prevent the disruption and degradation of their critical systems. Joint EA 23-01's requirements are similar to performance-based requirements that TSA has already issued to critical pipeline and rail entities.^[3]

II. TSOB Recommendation

The TSOB was created by the Aviation and Transportation Security Act (ATSA) to provide guidance regarding transportation security-related matters. TSOB members include the Secretaries of Homeland Security, Transportation, Defense, and the Treasury, the Attorney General, the Director of National Intelligence, or their designees, and one member appointed by the President to represent the National Security Council. The Secretary of Homeland Security serves in the role of TSOB chairman, which has been further delegated within the Department to the Deputy Secretary.^[4] As part of its statutory duties, the TSOB is authorized to review plans for transportation security and make recommendations to the TSA Administrator regarding those plans.^[5]

Following the issuance of Joint EA 23-01, TSA sought the TSOB's discretionary review under 49 U.S.C. 115(c)(5) and (6) regarding whether a cybersecurity emergency exists that warrants TSA's determination to expedite the implementation of critical cyber mitigation measures through the exercise of its emergency regulatory authority, under which the EA was issued.^[6] TSA sought the TSOB's perspective and guidance given the TSOB's role in ratifying TSA's emergency cybersecurity actions applicable in the pipeline and rail sectors as well as the context of the coordinated efforts across the Government to counter the continuing and serious cyber threats.

Under the authority of 49 U.S.C. 115(c)(5) and (6), the chairman of the TSOB convened a meeting of the Board to review TSA's transportation security plans for cybersecurity in the aviation sector and provide a recommendation regarding whether a cybersecurity emergency exists that warrants TSA's determination to expedite the implementation of critical cyber mitigation measures by exercising its emergency regulatory authority to issue Joint EA 23-01. Representatives from the White House Office of the National Cyber Director, the Department of Defense's United States Transportation Command, DHS's Cybersecurity and Infrastructure Security Agency, and the Federal Aviation Administration, as well as the Deputy National Security Advisor for Cyber and Emerging Technology at NSC were also invited to participate in the meeting given their relevant expertise.

During the meeting, the TSOB was briefed on the cyber threat to the aviation transportation system and on TSA's effort to mitigate the threat through Joint EA 23-01. The briefing included presentation of sensitive security information and classified information. Following the briefing, the TSOB discussed the circumstances precipitating TSA's issuance of Joint EA 23-01, including relevant events and intelligence presented during the briefing. At the meeting's conclusion, the TSOB recommended that a cybersecurity emergency exists that warrants TSA's determination to expedite the implementation of a critical cyber mitigation measures through the exercise of its emergency regulatory authority to issue Joint EA 23-01. This action reinforced the need for TSA to proceed with critical Start Printed Page 28570 mitigation measures on an emergency basis.

Footnotes