[Federal Register Volume 89, Number 77 (Friday, April 19, 2024)]
[Rules and Regulations]
[Pages 28569-28570]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-08394]



 ========================================================================
 Rules and Regulations
                                                 Federal Register
 ________________________________________________________________________
 
 This section of the FEDERAL REGISTER contains regulatory documents 
 having general applicability and legal effect, most of which are keyed 
 to and codified in the Code of Federal Regulations, which is published 
 under 50 titles pursuant to 44 U.S.C. 1510.
 
 The Code of Federal Regulations is sold by the Superintendent of Documents. 
 
 ========================================================================
 

  Federal Register / Vol. 89, No. 77 / Friday, April 19, 2024 / Rules 
and Regulations  

[[Page 28569]]



DEPARTMENT OF HOMELAND SECURITY

6 CFR Chapter I

49 CFR Chapter XII


Recommendation Regarding Emergency Action in Aviation

AGENCY: Office of Strategy, Policy, and Plans, Department of Homeland 
Security (DHS).

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: DHS is publishing official notice that the Transportation 
Security Oversight Board (TSOB) has recommended to the Transportation 
Security Administration (TSA) that a cybersecurity emergency exists 
that warrants TSA's determination to expedite the implementation of 
critical cyber mitigation measures through the exercise of emergency 
regulatory authority.

DATES: The TSOB provided this recommendation on April 20, 2023.

FOR FURTHER INFORMATION CONTACT: Thomas McDermott, Acting Assistant 
Secretary for Cyber, Infrastructure, Risk and Resilience Policy at 202-
834-5803 or [email protected].

SUPPLEMENTARY INFORMATION: 

I. Background

    On March 7, 2023, TSA issued Joint Emergency Amendment (EA) 23-01 
\1\ to certain aviation stakeholders to address the significant 
cybersecurity threat to the aviation system, evidenced by recent 
incidents and intelligence. Joint EA 23-01 is part of TSA's and the 
Government's, more broadly, ongoing plans and efforts to rapidly 
increase the cybersecurity resilience of critical transportation 
infrastructure. TSA determined that proceeding with immediate action 
was warranted under the circumstances to ensure timely implementation 
of critical mitigation measures by higher risk regulated entities. 
Joint EA 23-01 amends the security programs \2\ for covered owners/
operators to require performance-based cybersecurity measures intended 
to prevent the disruption and degradation of their critical systems. 
Joint EA 23-01's requirements are similar to performance-based 
requirements that TSA has already issued to critical pipeline and rail 
entities.\3\
---------------------------------------------------------------------------

    \1\ EA 23-01 is Sensitive Security Information (SSI). See 49 CFR 
1520.5(b).
    \2\ Under TSA regulations, airport and aircraft operators must 
adopt and carry out a security program approved by TSA that provides 
for the safety and security of persons and property engaged in air 
transportation. 49 CFR part 1542, subpart B; 49 CFR part 1544, 
subpart B.
    \3\ The TSOB reviewed and ratified TSA's security directives 
mandating performance-based cybersecurity requirements in the 
pipeline and rail sectors. 88 FR 36919; 88 FR 36921.
---------------------------------------------------------------------------

II. TSOB Recommendation

    The TSOB was created by the Aviation and Transportation Security 
Act (ATSA) to provide guidance regarding transportation security-
related matters. TSOB members include the Secretaries of Homeland 
Security, Transportation, Defense, and the Treasury, the Attorney 
General, the Director of National Intelligence, or their designees, and 
one member appointed by the President to represent the National 
Security Council. The Secretary of Homeland Security serves in the role 
of TSOB chairman, which has been further delegated within the 
Department to the Deputy Secretary.\4\ As part of its statutory duties, 
the TSOB is authorized to review plans for transportation security and 
make recommendations to the TSA Administrator regarding those plans.\5\
---------------------------------------------------------------------------

    \4\ 49 U.S.C. 115(a), (b)(1), (b)(2), and (c).
    \5\ 49 U.S.C. 115(c)(5)-(6).
---------------------------------------------------------------------------

    Following the issuance of Joint EA 23-01, TSA sought the TSOB's 
discretionary review under 49 U.S.C. 115(c)(5) and (6) regarding 
whether a cybersecurity emergency exists that warrants TSA's 
determination to expedite the implementation of critical cyber 
mitigation measures through the exercise of its emergency regulatory 
authority, under which the EA was issued.\6\ TSA sought the TSOB's 
perspective and guidance given the TSOB's role in ratifying TSA's 
emergency cybersecurity actions applicable in the pipeline and rail 
sectors as well as the context of the coordinated efforts across the 
Government to counter the continuing and serious cyber threats.
---------------------------------------------------------------------------

    \6\ Certain TSA actions issued pursuant to statutory emergency 
authority, like the security directives mandating cybersecurity 
measures in the pipeline and rail sectors, must be ratified by the 
TSOB to remain effective beyond 90 days. 49 U.S.C. 114(l)(2)(B). 
Unlike those directives, EA 23-01 was issued under separate TSA 
regulatory authority, 49 CFR 1542.105(d); 49 CFR 1544.105(d), which 
does not require TSOB ratification.
---------------------------------------------------------------------------

    Under the authority of 49 U.S.C. 115(c)(5) and (6), the chairman of 
the TSOB convened a meeting of the Board to review TSA's transportation 
security plans for cybersecurity in the aviation sector and provide a 
recommendation regarding whether a cybersecurity emergency exists that 
warrants TSA's determination to expedite the implementation of critical 
cyber mitigation measures by exercising its emergency regulatory 
authority to issue Joint EA 23-01. Representatives from the White House 
Office of the National Cyber Director, the Department of Defense's 
United States Transportation Command, DHS's Cybersecurity and 
Infrastructure Security Agency, and the Federal Aviation 
Administration, as well as the Deputy National Security Advisor for 
Cyber and Emerging Technology at NSC were also invited to participate 
in the meeting given their relevant expertise.
    During the meeting, the TSOB was briefed on the cyber threat to the 
aviation transportation system and on TSA's effort to mitigate the 
threat through Joint EA 23-01. The briefing included presentation of 
sensitive security information and classified information. Following 
the briefing, the TSOB discussed the circumstances precipitating TSA's 
issuance of Joint EA 23-01, including relevant events and intelligence 
presented during the briefing. At the meeting's conclusion, the TSOB 
recommended that a cybersecurity emergency exists that warrants TSA's 
determination to expedite the implementation of a critical cyber 
mitigation measures through the exercise of its emergency regulatory 
authority to issue Joint EA 23-01. This action reinforced the need for 
TSA to proceed with critical

[[Page 28570]]

mitigation measures on an emergency basis.

Kristie Canegallo,
Senior Official Performing the Duties of the Deputy Secretary & 
Chairman of the Transportation Security Oversight Board.
[FR Doc. 2024-08394 Filed 4-18-24; 8:45 am]
BILLING CODE 9110-9M-P