TSA Revises Cyber Measures Reporting for Surface Transport
Published Date: 4/16/2026
Notice
Summary
The TSA is updating how it collects info about cybersecurity for surface transportation like buses and trains. They want to make sure companies have a Cybersecurity Coordinator, report cyber incidents, and have plans to fix problems. If you’re involved, get ready to share updated info by June 15, 2026, helping keep travel safe without extra hassle or cost.
Analyzed Economic Effects
5 provisions identified: 0 benefits, 5 costs, 0 mixed.
Plans, Assessments, and Annual Reporting Required
Covered Owner/Operators must: submit a Cybersecurity Implementation Plan for TSA approval; submit a Cybersecurity Assessment Plan and an annual report of assessment results; develop a Cybersecurity Incident Response (contingency/recovery) Plan; and complete and submit a TSA cybersecurity vulnerability assessment form. These materials may be submitted via the TSA Secure Regulatory Portal or retained locally for review.
Estimated Respondent Counts and Total Hour Burden
TSA estimates the collection applies to 846 total respondents and that the total annual hour burden is 210,684 hours. TSA also provided breakdowns: 73 Owner/Operators for SD 1580/82-2022-01; 449 railroad Owner/Operators; 242 public transportation and rail transit Owner/Operators; and 72 over-the-road bus Owner/Operators.
72‑Hour Cyber Incident Reporting Requirement
Owner/Operators covered by the Security Directives must report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) as soon as practicable and no later than 72 hours after identifying an incident under 49 CFR 1570.203. This reporting requirement is mandatory under the Directives and is a part of TSA's information collection.
Must Name Cybersecurity Coordinators
If you run a railroad, transit agency, or over-the-road bus company, you must provide TSA contact information for a primary Cybersecurity Coordinator and at least one alternate. This requirement is part of TSA's cybersecurity information collection and applies to Owner/Operators covered by the Security Directives and Information Circulars.
New STA Requirement for Non‑U.S. Coordinators
TSA now requires that any non-U.S. citizen who serves as a primary or alternate Cybersecurity Coordinator be a current member of NEXUS, Global Entry, or another TSA‑determined program with a comparable security threat assessment, and submit proof of that membership. TSA notes this revision became effective January 15, 2026 and expects nine or fewer Owner/Operators to respond annually; TSA estimated a 0.25 hour burden per respondent and an additional 2 hours each if a fingerprint-based criminal history check is required.
Your PRIA Score
Personalized for You
How does this regulation affect your finances?
Sign up for a PRIA Policy Scan to see your personalized alignment score for this federal register document and every other regulation we track. We analyze your financial profile against policy provisions to show you exactly what matters to your wallet.
Key Dates
Department and Agencies
Related Federal Register Documents
2026-08578 — Intent To Request Extension From OMB of One Current Public Collection of Information: Law Enforcement/Federal Air Marshal Service Physical and Mental Health Certification
The TSA is asking to keep collecting health info from Federal Air Marshal applicants and current officers to make sure they’re fit for duty. This paperwork helps keep our skies safe without adding new costs or big changes. If you want to share your thoughts, you’ve got until July 6, 2026, to speak up!
2026-08532 — Extension of Agency Information Collection Activity Under OMB Review: TSA Reimbursable Screening Services Program (RSSP) Pilot Request
TSA is asking to keep collecting info for its Reimbursable Screening Services Program (RSSP), which lets businesses and groups get TSA security checks outside regular airport screening areas. This extension means the program can keep running smoothly without extra costs or delays. If you have thoughts, you’ve got until June 1, 2026, to share them!
2026-07857 — Intent To Request Approval From OMB of One New Public Collection of Information: Insider Threat Incident Reporting Tool
The TSA is planning to launch a new tool where the public can report insider threats—people who might cause security problems from the inside. This helps TSA keep transportation safe and asks for your input by June 22, 2026. It won’t cost you money but may take a little time to share important info if you spot something suspicious.
2026-04443 — Intent to Request Approval From OMB of One New Public Collection of Information: Real-Time Wait-Time Dashboarding
The TSA is planning to collect new info from airports about how long passengers wait in security lines using real-time tech. This helps airports and travelers know wait times better and improve the experience. They want your thoughts by May 5, 2026, and this won’t cost passengers extra but will help make security smoother.
2025-21830 — TSA Confirm.ID User Fee
Starting December 3, 2025, TSA is rolling out TSA Confirm.ID, a new program for travelers who forget their ID at airport security. If you don’t have a REAL ID or passport, you can use this service for a $45 fee to verify your identity and keep your trip on track. This fee helps cover TSA’s costs for running the program smoothly and safely.
2025-20474 — TSA Modernized Alternative Identity Verification User Fee
Starting November 20, 2025, TSA is rolling out a new way to verify your identity if you forget your ID at the airport. If you want to use this backup option, you’ll pay an $18 fee, but it’s totally optional and doesn’t guarantee you’ll get through security. This change helps TSA cover costs while giving travelers a modern safety net.
Previous / Next Documents
Previous: 2026-07363 — Procurement List; Additions and Deletions
The government is removing a high-capacity hole punch from its official buying list starting May 16, 2026. This change affects nonprofit groups that employ people who are blind or severely disabled, giving other small businesses a chance to supply this product. No big money or paperwork changes are expected, so it’s a smooth switch for everyone involved!
Next: 2026-07368 — Notice of Approval of Product Under Voucher: Rare Pediatric Disease Priority Review Voucher; AREXVY (Respiratory Syncytial Virus Vaccine, Adjuvanted)
The FDA just gave a big thumbs-up to AREXVY, a vaccine that helps protect kids from a serious lung virus called RSV. This approval used a special Rare Pediatric Disease Priority Review Voucher, which speeds up the review process for important medicines for rare childhood diseases. This means faster access to life-saving treatments for families, with no extra cost to the public.