TSA Issues Security Rules for Higher-Risk Surface Transportation Entities

The Transportation Security Administration has officially released security directives aimed at higher-risk freight railroads, passenger rail and rail transit after considering input from industry stakeholders and federal partners.

Under the new rules, organizations will have to designate a cybersecurity coordinator, report cybersecurity incidents to the Cybersecurity Infrastructure and Security Agency within 24 hours, come up with a cybersecurity incident response plan and complete a cybersecurity vulnerability assessment.

The TSA also issued guidance advising lower-risk surface transportation owners and operators to adopt the same measures, the DHS said Thursday.

Similar to surface transportation entities, airport and airline operators will also need to select a cybersecurity coordinator and immediately report cyber incidents to CISA in line with a security program update from the TSA.

The security directives for the transportation sector were more stringent prior to intervention from industry.

After receiving pushback, the TSA decided to extend the directive’s incident reporting requirement from 12 to 24 hours and give organizations six months to complete an incident response plan instead of 60 days.

TSA Administrator David Pekoske elaborated on adjustments made by the agency at a recent meeting of the Surface Transportation Security Advisory Committee.

According to Pekoske, a general rule will be implemented that would allow organizations to defer some lower priority requirements past the deadlines as long as they have an action plan in place.

Companies would also be given flexibility to conduct alternative measures to the cybersecurity activities laid out in the directive granted that they result in the same security outcome, he added.

Sign Up Now! Potomac Officers Club provides you with Daily Updates and News Briefings about Cybersecurity

Join Us Now