-
Start Preamble
Start Printed Page 28569
AGENCY:
Office of Strategy, Policy, and Plans, Department of Homeland Security (DHS).
ACTION:
Notice.
SUMMARY:
DHS is publishing official notice that the Transportation Security Oversight Board (TSOB) has recommended to the Transportation Security Administration (TSA) that a cybersecurity emergency exists that warrants TSA's determination to expedite the implementation of critical cyber mitigation measures through the exercise of emergency regulatory authority.
DATES:
The TSOB provided this recommendation on April 20, 2023.
Start Further InfoFOR FURTHER INFORMATION CONTACT:
Thomas McDermott, Acting Assistant Secretary for Cyber, Infrastructure, Risk and Resilience Policy at 202-834-5803 or thomas.mcdermott@hq.dhs.gov.
End Further Info End Preamble Start Supplemental InformationSUPPLEMENTARY INFORMATION:
I. Background
On March 7, 2023, TSA issued Joint Emergency Amendment (EA) 23-01 [1] to certain aviation stakeholders to address the significant cybersecurity threat to the aviation system, evidenced by recent incidents and intelligence. Joint EA 23-01 is part of TSA's and the Government's, more broadly, ongoing plans and efforts to rapidly increase the cybersecurity resilience of critical transportation infrastructure. TSA determined that proceeding with immediate action was warranted under the circumstances to ensure timely implementation of critical mitigation measures by higher risk regulated entities. Joint EA 23-01 amends the security programs [2] for covered owners/operators to require performance-based cybersecurity measures intended to prevent the disruption and degradation of their critical systems. Joint EA 23-01's requirements are similar to performance-based requirements that TSA has already issued to critical pipeline and rail entities.[3]
II. TSOB Recommendation
The TSOB was created by the Aviation and Transportation Security Act (ATSA) to provide guidance regarding transportation security-related matters. TSOB members include the Secretaries of Homeland Security, Transportation, Defense, and the Treasury, the Attorney General, the Director of National Intelligence, or their designees, and one member appointed by the President to represent the National Security Council. The Secretary of Homeland Security serves in the role of TSOB chairman, which has been further delegated within the Department to the Deputy Secretary.[4] As part of its statutory duties, the TSOB is authorized to review plans for transportation security and make recommendations to the TSA Administrator regarding those plans.[5]
Following the issuance of Joint EA 23-01, TSA sought the TSOB's discretionary review under 49 U.S.C. 115(c)(5) and (6) regarding whether a cybersecurity emergency exists that warrants TSA's determination to expedite the implementation of critical cyber mitigation measures through the exercise of its emergency regulatory authority, under which the EA was issued.[6] TSA sought the TSOB's perspective and guidance given the TSOB's role in ratifying TSA's emergency cybersecurity actions applicable in the pipeline and rail sectors as well as the context of the coordinated efforts across the Government to counter the continuing and serious cyber threats.
Under the authority of 49 U.S.C. 115(c)(5) and (6), the chairman of the TSOB convened a meeting of the Board to review TSA's transportation security plans for cybersecurity in the aviation sector and provide a recommendation regarding whether a cybersecurity emergency exists that warrants TSA's determination to expedite the implementation of critical cyber mitigation measures by exercising its emergency regulatory authority to issue Joint EA 23-01. Representatives from the White House Office of the National Cyber Director, the Department of Defense's United States Transportation Command, DHS's Cybersecurity and Infrastructure Security Agency, and the Federal Aviation Administration, as well as the Deputy National Security Advisor for Cyber and Emerging Technology at NSC were also invited to participate in the meeting given their relevant expertise.
During the meeting, the TSOB was briefed on the cyber threat to the aviation transportation system and on TSA's effort to mitigate the threat through Joint EA 23-01. The briefing included presentation of sensitive security information and classified information. Following the briefing, the TSOB discussed the circumstances precipitating TSA's issuance of Joint EA 23-01, including relevant events and intelligence presented during the briefing. At the meeting's conclusion, the TSOB recommended that a cybersecurity emergency exists that warrants TSA's determination to expedite the implementation of a critical cyber mitigation measures through the exercise of its emergency regulatory authority to issue Joint EA 23-01. This action reinforced the need for TSA to proceed with critical Start Printed Page 28570 mitigation measures on an emergency basis.
Start SignatureKristie Canegallo,
Senior Official Performing the Duties of the Deputy Secretary & Chairman of the Transportation Security Oversight Board.
Footnotes
1. EA 23-01 is Sensitive Security Information (SSI). See49 CFR 1520.5(b).
Back to Citation2. Under TSA regulations, airport and aircraft operators must adopt and carry out a security program approved by TSA that provides for the safety and security of persons and property engaged in air transportation. 49 CFR part 1542, subpart B; 49 CFR part 1544, subpart B.
Back to Citation3. The TSOB reviewed and ratified TSA's security directives mandating performance-based cybersecurity requirements in the pipeline and rail sectors. 88 FR 36919; 88 FR 36921.
Back to Citation4. 49 U.S.C. 115(a), (b)(1), (b)(2), and (c).
Back to Citation6. Certain TSA actions issued pursuant to statutory emergency authority, like the security directives mandating cybersecurity measures in the pipeline and rail sectors, must be ratified by the TSOB to remain effective beyond 90 days. 49 U.S.C. 114( l)(2)(B). Unlike those directives, EA 23-01 was issued under separate TSA regulatory authority, 49 CFR 1542.105(d); 49 CFR 1544.105(d), which does not require TSOB ratification.
Back to Citation[FR Doc. 2024-08394 Filed 4-18-24; 8:45 am]
BILLING CODE 9110-9M-P
Document Information
- Published:
- 04/19/2024
- Department:
- Homeland Security Department
- Entry Type:
- Rule
- Action:
- Notice.
- Document Number:
- 2024-08394
- Dates:
- The TSOB provided this recommendation on April 20, 2023.
- Pages:
- 28569-28570 (2 pages)
- PDF File:
- 2024-08394.pdf
- CFR: (2)
- 6 CFR None
- 49 CFR None