TSA Wants Surface Transportation Cyber Risk Management Program

Written by Harry Johnson

Specific pipeline, freight railroad, passenger railroad, and rail transit owner/operators identified as having elevated cybersecurity risk profiles would be required to develop and uphold a thorough cyber risk management program.

The Transportation Security Administration (TSA) has issued a Notice of Proposed Rulemaking that aims to establish mandatory cyber risk management and reporting obligations for specific owners and operators of surface transportation systems.

TSA Administrator David Pekoske stated, “TSA has worked in close partnership with industry stakeholders to enhance the cybersecurity resilience of the nation’s essential transportation infrastructure. The proposed rule aims to expand upon this collaborative initiative and further fortify the cybersecurity framework for surface transportation entities. We anticipate valuable feedback from both industry participants and the public regarding this proposed regulation.”

This rule reflects TSA’s ongoing dedication to performance-based requirements. It builds upon the performance-oriented cybersecurity mandates that TSA has issued through annual Security Directives since 2021, utilizing the cybersecurity framework established by the National Institute of Standards and Technology and the cross-sector cybersecurity performance objectives created by the Cybersecurity and Infrastructure Security Agency (CISA).

In alignment with these standards and requirements, this rule proposes:

  • Specific pipeline, freight railroad, passenger railroad, and rail transit owner/operators identified as having elevated cybersecurity risk profiles will be required to develop and uphold a thorough cyber risk management program.
  • These owner/operators, along with those operating higher-risk bus-only public transportation and over-the-road bus services, who are already mandated to report significant physical security issues to the Transportation Security Administration (TSA), will also be required to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
  • Furthermore, the TSA’s existing requirements for rail and higher-risk bus operations will be expanded to include higher-risk pipeline owner/operators, necessitating the appointment of a physical security coordinator and the reporting of significant physical security concerns to the TSA.

The TSA emphasizes that maintaining a robust cybersecurity framework is essential for ensuring that the surface transportation sector is adequately prepared to address and manage cyber risks. The stipulations outlined in this proposed regulation aim to enhance cybersecurity resilience throughout the surface transportation systems sector.
