TSA proposes new cybersecurity rule to bolster US transportation infrastructure resilience

The US Transportation Security Administration (TSA) has proposed a new cybersecurity rule designed to strengthen the resilience of surface transportation infrastructure. Specifically, the rule mandates high-risk operators, including those in the pipeline, railroad, and bus sectors, to implement comprehensive Cyber Risk Management (CRM) programs to manage and mitigate cybersecurity risks.

In addition to this, operators will be required to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) and physical security concerns to TSA. Furthermore, the rule stipulates that operators must develop and maintain detailed cybersecurity plans, including a Cybersecurity Assessment Plan (CAP) for annual evaluations and a Cybersecurity Operational Implementation Plan (COIP) to guide improvements.

These plans must incorporate governance structures, designate cybersecurity coordinators, and undergo regular audits to assess their effectiveness. Moreover, the rule promotes a defence-in-depth approach to cybersecurity by including system monitoring, patch management, and incident response planning, all of which aim to reduce the impact of cyberattacks.

Additionally, TSA seeks public feedback on the rule’s potential compliance burdens, economic impacts, and ways to streamline the process, particularly for smaller entities. TSA’s initiative reflects a broader commitment to enhancing the cybersecurity posture of surface transportation systems while ensuring regulatory consistency across federal, state, and local levels.

Why does it matter?

The agency is seeking input on reducing redundancies and improving alignment with existing regulations, particularly in cybersecurity training and personnel vetting for high-risk industries. By gathering feedback, TSA aims to refine the rule and ensure it effectively addresses the evolving cyber threats facing the nation’s critical transportation infrastructure.