According to TSA Administrator David Pekoske, “We’ve collaborated closely with our industry partners to improve the cybersecurity posture of the nation’s critical transportation infrastructure. This proposed rule will build on those efforts to better strengthen the cybersecurity posture of surface transportation stakeholders, and we welcome feedback from industry and the public.”
The proposed rule builds on the performance-based cybersecurity requirements that TSA has issued in annual security directives since 2021. It draws on ideas from the National Institute of Standards and Technology as well as the cybersecurity performance goals outlined by CISA.
Key provisions of the proposed rule include:
• Requiring certain pipeline, freight railroad, passenger railroad and rail transit owner/operators with greater cybersecurity risks to implement and maintain a comprehensive cyber risk management program.
• Requiring these operators, together with higher-risk bus-only public transportation and over-the-road bus operators, to report cybersecurity incidents to CISA, just as they are currently required to report physical security concerns to TSA.
• Expanding the existing TSA physical security coordinator and reporting requirements to the higher-risk pipeline operators.
TSA emphasizes that a robust cybersecurity posture is necessary to protect surface transportation systems and, more specifically, to mitigate cyber risks. The present rulemaking further strengthens the cybersecurity resilience of the entire industry.