Amid the rising threat of cyber attacks, the Transportation Security Administration (TSA) is seeking comments from surface transportation stakeholders on new performance-based cybersecurity policies.
TSA is unveiling a Notice of Proposed Rulemaking (NPRM) to solicit feedback on new cybersecurity requirements for certain surface transportation operators, including those in the pipeline, freight railroad, passenger railroad, rail transit and bus sectors. TSA’s proposed rule looks to enhance the nation’s cybersecurity resilience in critical transportation infrastructure.
Stakeholders—including transportation operators, cybersecurity professionals and the public—will be encouraged to review the proposed cybersecurity rule and its mandates and submit comments.
The proposed rule is designed to further TSA’s ongoing efforts to address cybersecurity risks in surface transportation. It also aligns with and advances the existing cybersecurity framework developed by the National Institute of Standards and Technology (NIST) and performance goals set by the Cybersecurity and Infrastructure Security Agency (CISA).
The cybersecurity rule proposes a variety of requirements that improve surface transportation operators’ security. These potential requirements will feature increased TSA-conducted security assessments, incident reporting mandates, and physical and cybersecurity resilience initiatives.
For this NPRM, TSA will specifically solicit feedback in the following key areas:
- The impact of regulations and requirements on federal, state and local entities. TSA will field comments on DHS components and recommendations for regulatory harmony.
- Potential requirements that ensure any new software purchased or installed for critical cybersecurity systems adheres to CISA’s Secure-by-Design and Secure-by-Default principles.
- Existing training and certification programs that could offer low-cost options to meet qualification requirements for cybersecurity coordinators.
- A Cybersecurity Assessment Plan to annually audit owner/operators’ TSA-approved Cybersecurity Operational Implementation Plan. TSA will specifically seek comments that could be used to develop a robust auditing and assessment program.
- Compliance streamlining and redundancy reduction.
- TSA conducting Security Threat Assessments on accountable executives and cybersecurity coordinators. These assessments would include terrorism checks, immigration checks and criminal history records checks.
- TSA conducting a vetting process on all frontline workers, also referred to as “security-sensitive employees”. TSA is specifically looking for feedback on how many employees are considered “security-sensitive” and how the vetting process would impact organizations’ operations and costs.
- Inputs used in the Regulatory Impact Analysis, including Security Directives inputs, their implementation and associated costs and benefits. Specifically, TSA invites comments on specific portions of the proposed rule, an explanation, relevant data and/or additional information to support a potential recommendation or suggestion.
- TSA will invite data and information submissions on the results of new regulatory requirements on small businesses and entities.
- The proposed collection of information and its estimated burden.
As part of the rulemaking process, TSA is inviting public and industry feedback on these proposed regulations. This public and stakeholder input will be used to refine the final rule before its implementation.
Interested parties may submit feedback via the Electronic Federal eRulemaking Portal, fax at (202) 493-2251 or mail to the U.S. Department of Transportation’s Docket Management Facility in New Jersey. The deadline to submit comments on the NPRM is Feb. 5, 2025.