Transportation Security Administration Proposes Enhanced Cybersecurity Rules for Rail and Other Forms of Transportation

unsplash

WASHINGTON, D.C. –– The Transportation Security Administration (TSA) released a Notice of Proposed Rule Making this week that seeks enhanced cybersecurity rules for railroads and some other forms of transportation.

Here is the executive summary that has been recorded in the Federal Register:

“The Transportation Security Administration (TSA) is proposing to impose cyber risk management (CRM) requirements on certain pipeline and rail owner/operators and a more limited requirement, on certain over-the-road bus (OTRB) owner/operators, to report cybersecurity incidents. With the proposed addition of requirements applicable to pipeline facilities and systems, TSA is also proposing that a requirement to have a Physical Security Coordinator and report significant physical security concerns be extended to the same facilities and systems. Finally, TSA is proposing clarifications and reorganization of other regulatory requirements necessitated by these changes.”

The proposed rule is open for comments through February 5, 2025.

TSA Administrator David Pekoske said “TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation’s critical transportation infrastructure. The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public input on this proposed regulation.”

The TSA press release went on to say:

This rule proposes to continue TSA’s commitment to performance-based requirements. Building on the performance-based cybersecurity requirements TSA previously issued via annual Security Directives since 2021, the proposed rule leverages the cybersecurity framework developed by the National Institute of Standards and Technology and the cross-sector cybersecurity performance goals developed by the Cybersecurity and Infrastructure Security Agency (CISA).

Consistent with these requirements and standards, this rule proposes:

• To require that certain pipeline, freight railroad, passenger railroad and rail transit owner/operators with higher cybersecurity risk profiles establish and maintain a comprehensive cyber risk management program;
• To require these owner/operators, and higher-risk bus-only public transportation and over-the-road bus owner/operators, currently required to report significant physical security concerns to TSA to report cybersecurity incidents to CISA; and
• To extend to higher-risk pipeline owner/operators TSA’s current requirements for rail and higher-risk bus operations to designate a physical security coordinator and report significant physical security concerns to TSA.

TSA asserts that maintaining an effective cybersecurity posture is critically important to ensuring that the surface transportation sector is prepared for, and able to manage, cyber risks. The requirements contained in this proposed rule would strengthen cybersecurity resilience across the surface transportation systems sector.

You can read and download the entire proposed rule at this link: https://www.govinfo.gov/content/pkg/FR-2024-11-07/pdf/2024-24704.pdf