TSA Form 3157 TSA Surface (Rail and Public Transportation) Cybersecuri

Cybersecurity Measures for Surface Modes

SD_Cybersecurity_Assessment_508C

OMB: 1652-0074

Document [pdf]
Download: pdf | pdf
DEPARTMENT OF HOMELAND SECURITY

SENSITIVE SECURITY
INFORMATION
Cover Sheet

For more information on handling SSI, contact SSI@dhs.gov.

WARNING: This record contains Sensitive Security Information that is controlled under 49 CFR
parts 15 and 1520. No part of this record may be disclosed to persons without a “need to know”, as
defined in 49 CFR parts 15 and 1520, except with the written permission of the Administrator of
the Transportation Security Administration or the Secretary of Transportation. Unauthorized
release may result in civil penalty or other action. For U.S. government agencies, public disclosure
is governed by 5 U.S.C. 552 and 49 CFR parts 15 and 1520.
DHS Form 11054 (8/10)

Reference: 49 CFR § 1520.13, Marking SSI

Sensitive Security Information

OMB Control Number 1652-0074

This record contains Sensitive Security Information when completed

Transportation
Security
Administration

U.S. Department of Homeland Security

Version 1.0

Instructions: Select the appropriate response for each question below. The Additional Information column must include the following information based on response:
1) If answering "Yes", either list the security plan, policy, document name, etc. with chapter/section; or if implemented but not documented, provide a brief explanation.
2) If answering "No", identify the gap, intended mitigation(s) measures, and the mitigation timeline.
For any questions concerning the completion of this assessment please email SurfOpsRail-SD@tsa.dhs.gov

TSA Surface (Rail and Public Transportation) Cybersecurity Vulnerability Assessment
Owner/Operator
Name:

Assessment Completed Date:

Submitter (First/Last):

Submitter Title:

Submitter Email:

Submitter Contact Number:

Cybersecurity Coordinator
(First/Last):
Cybersecurity
Coordinator Email:
24 Hour Operations Center phone number, if applicable:
Question #

Cybersecurity Coordinator Title:
Cybersecurity Coordinator
Contact Number:

Answer
(Yes/No)

Question

Additional Information

Cyber Asset Security Measures
1.00

Do your cybersecurity plans incorporate any of the following approaches?

1.00A

National Institute of Standards and Technology (NIST),
Framework for Improving Critical Infrastructure
Cybersecurity

Select

Select

1.00C

1.00D

Industry-specific methodologies

Other (if checked, elaborate)

Select


Page 1 of 8

Sensitive Security Information

OMB Control Number 1652-0074

This record contains Sensitive Security Information when completed

Asset Management
2.00

Has your company established and documented policies and procedures for the following?

2.00A

Assessing and maintaining configuration information.

Select


2.00C

Patching/upgrading operating systems and applications. Select


2.00E

Other (if checked, elaborate)

Select


2.01B

Cyber assets that are OT systems that monitor surface
operations.

Select

Select

2.03

2.04

For cyber assets that can control surface operations, does
the OT environment have a detailed software and
Select

Select
been developed, documented, and maintained that
accurately reflects the current OT/ICS/SCADA system?

Page 2 of 8

Sensitive Security Information

OMB Control Number 1652-0074

This record contains Sensitive Security Information when completed.

2.05

2.06

2.06A

2.06B

2.07

2.08

Does your company periodically review network
connections, including remote access and thirdparty connections for cyber assets that can control
surface operations?


Select

Employ more stringent identity and access management

necessary all cybersecurity policies plans, processes, and Select
supporting procedures at least every 12 months, or
when there is a significant organizational change?
Does your company review and assess surface
transportation cyber asset functions controlling or
monitoring OT systems at least every 12 months?

Select

Select

3.01

Does your company document new transportation
cyber assets, when changes or upgrades are made to
control operations resulting in the system being
recognized as such?


Select

Page 3 of 8

Sensitive Security Information

OMB Control Number 1652-0074

This record contains Sensitive Security Information when completed

4.02

Does your company review, assess, and update as
necessary all cybersecurity policy plans, processes, and
supporting procedures at least every 36 months, or
when there is a significant organizational or
technological change?


the control systems and enterprise networks?

Risk Assessment
6.00

For cyber assets that can control surface operations,
does your company use independent assessors to
conduct surface transportation cybersecurity
assessments?


Select

6.02

Does the process address unmitigated/accepted
vulnerabilities in the IT and OT environment?

Select


7.00B

Establish security requirements for certain types of
Privileged accounts.

Select


7.01

Does your company employ strong credential
management or Active Directory monitoring throughout
the company’s cyber access control environment and is it
documented in overarching corporate IT/OT security
plans?

Select

physical controls) implemented?

7.03

Does your company ensure user accounts are modified,
deleted, or de-activated expeditiously for personnel
who no longer require access or are no longer
employed by the company?

7.04

Has your company implemented the following measures?



7.04B

Have procedures and controls in place for approving
and enforcing remote and third-party connections.

Select


7.06

Does your company ensure appropriate segregation of
duties is in place and where this is not feasible, apply
appropriate compensating security controls?

Select

Select

7.08

Do email and communications systems have features
that automatically download attachments turned off?

Select

Select
and permitted by security policy (i.e., allow lists?)

Awareness & Training
8.00

Do all persons requiring access to the company’s surface

Select
that includes practical exercises/testing?



9.00B

Establishing specific data handling procedures.

Select


Protective Technology
10.00

Are surface transportation cyber assets segregated
and protected from enterprise networks and the
internet by use of physical separation, firewalls, and
other protections?

10.01

Do IT/ OT systems monitor and manage communications Select

Select


Select

10.04

Has your company implemented technical or
procedural controls to restrict the use of surface
transportation cyber assets to only approved
activities?



11.00B

Logging cybersecurity events and reviewing these logs.

Select


Does your company monitor physical and remote user
12.01 access to cyber assets that can control surface

that should not be on the network?
Does your company conduct cyber vulnerability
12.03 assessments as described in your risk assessment
process?


Select

Does your company perform regular testing of intrusion
and malware detection processes and procedures (e.g., Select

Select


supports 24/7 cyber-incident response?

Page 7 of 8

Sensitive Security Information

OMB Control Number 1652-0074

This record contains Sensitive Security Information when completed

14.03

Has your company established and maintained a cyberincident response capability?

Select

Select

Mitigation
16.00

Do your company's response plans and procedures
include mitigation measures to help prevent further
impacts?


17.00 within a time frame to align with the company’s safety Select
and business continuity objectives?
Does the company have documented procedures in place
to coordinate restoration efforts with internal and

Select

Paperwork Reduction Act Burden Statement: This is a mandatory collection of information. TSA estimates that the total average burden per response associated with this collection
is approximately 42 hours for Cybersecurity Vulnerability Assessments. The burden hour for the statement of completion for this information collection is included within the 42 hours
burden estimate. An agency may not conduct or sponsor, and a person is not required to respond to a collection of information unless it displays a valid OMB control number. The
control number assigned to this collection is OMB 1652-0074, which expires on 04/30/2023. Send comments regarding this burden estimate or collection to: TSA-11, Attention: PRA
1652-0074 Cybersecurity Measures for Surface Modes, 6565 Springfield Center Drive, Springfield, VA 20598-6011.

Page 8 of 8


File Typeapplication/pdf
File TitleTSA Surface Rail and Public Transportation Cybersecurity Vulnerability Assessment
SubjectTSA, Surface, Cybersecurity, Rail, Public Transportation
AuthorTransportation Security Administration - Policy Plans & Engageme
File Modified2023-03-09
File Created2022-04-25

© 2024 OMB.report | Privacy Policy