A proposed final rule would mandate cyber risk management and reporting requirements for certain surface transportation owners and operators, the Transportation Security Administration (TSA) said.
In a Notice of Proposed Rulemaking published Wednesday, the TSA said the proposed rule would leverage the cybersecurity framework developed by the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency (CISA). The rule would require certain pipeline, freight railroad, passenger railroad and rail transit owner/operators with higher cybersecurity risk profiles establish and maintain a comprehensive cyber risk management program.
“TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation’s critical transportation infrastructure,” TSA Administrator David Pekoske said. “The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public input on this proposed regulation.”
The proposed rule would also require owner/operators, and higher-risk bus-only public transportation and over-the-road bus owner/operators, to report cybersecurity incidents to CISA. Additionally, the proposed rule would extend to higher-risk pipeline owner/operators the requirements currently in place for rail and higher-risk bus operations that they designate a physical security coordinator and report physical security concerns to TSA.
The agency said that maintaining effective cybersecurity procedures is important to ensuring the surface transportation sector is prepared for, and able to manage, cyber risks.