Directive changes
TSA Eases Deadlines on Security Directive for Rail Transit, Railroad Entities
The Transportation Security Administration is extending compliance deadlines in its proposed security directive for major railroad and rail transit entities after considering industry feedback.
The forthcoming rules, scheduled for release in the coming weeks, are targeted at entities that transport the most passengers and cargo through the nation’s most populated metropolitan areas, TSA Administrator David Pekoske said at a recent meeting of the Surface Transportation Security Advisory Committee.
Following pushback from industry, the TSA decided to extend the directive’s incident reporting requirement from 12 to 24 hours and give organizations six months to complete an incident response plan instead of 60 days, Federal News Network reported Tuesday.
According to Pekoske, a general rule will be implemented that would allow organizations to defer some lower priority requirements past the deadlines as long as they have an action plan in place.
Companies would also be given flexibility to conduct alternative measures to the cybersecurity activities laid out in the directive granted that they result in the same security outcome, he added.
The planned directive is slated for release following the announcement of similar regulations for the pipeline sector. The emergency directives, issued in the wake of the ransomware attack on Colonial Pipeline, required pipeline owners and operators to designate a cybersecurity coordinator and immediately report cyber incidents to federal authorities, among other things.
Unlike the pipeline sector regulations, which are kept under wraps, the rail and railroad directives will be public documents, Pekoske said.
Category: Cybersecurity