TSA Issues Cybersecurity Rules for Transportation Sector

McDermott Will & Emery

On December 2, 2021, the US Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) announced two new Security Directives and additional guidance for voluntary measures to strengthen cybersecurity across the transportation sector. These follow a pair of Security Directives from TSA, on May 28, 2021, and July 26, 2021, imposing a variety of cybersecurity requirements (technical and administrative) on the 100 TSA-designated “most critical” pipeline owners/operators. The Biden administration does not appear to be taking its foot off the gas any time soon, particularly when it comes to the cybersecurity of critical infrastructure. Media reports indicate a draft blueprint is currently being circulated by the White House seeking to enhance the cybersecurity of US water utilities, too.

IN DEPTH


The December 2 TSA Security Directives target higher-risk freight railroads, passenger rail and rail transit. They require covered owners and operators to do the following:

  • [effective December 31, 2021] report “cybersecurity incidents” to DHS’s Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of identifying them, with specifications on what must be included in the submitted report;
  • [by January 6, 2022] designate a cybersecurity coordinator and alternate, who must meet certain eligibility requirements and are “required to be available” to CISA “at all times (all hours/all days) to coordinate implementation of cybersecurity practices, and manage security incidents, and serve as a principal point of contact with TSA and CISA for cybersecurity-related matters”;
  • [by March 30, 2022] conduct a cybersecurity vulnerability assessment to identify potential gaps and vulnerabilities in their systems, using the form provided by TSA, and submit the completed form to TSA; and
  • [by June 28, 2022] develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption should Information Technology (IT) and/or Operational Technology (OT) be affected by a cybersecurity incident.

The Directives broadly define a cybersecurity incident to mean an unauthorized event that “jeopardizes, disrupts or otherwise impacts, or is reasonably likely to jeopardize, disrupt or otherwise impact, the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system.” Notably, a covered cybersecurity incident includes an event that is under investigation as a possible cybersecurity incident without final determination of the event’s root cause or nature (such as malicious, suspicious or benign).

The Directives require owners/operators to submit their completed vulnerability assessment form and remediation plan to TSA by March 30, 2022. The Directives also require the cybersecurity coordinator or “other accountable executive” to submit a statement to TSA certifying compliance with the cybersecurity incident response plan requirements within seven days of completing the plan. Documentation of compliance must be provided to TSA upon request and without a subpoena.

Given the Directives’ detailed requirements, including certifications and submissions to the government, as well as tight implementation deadlines, covered owners/operators should promptly assess their cybersecurity programs. The most pressing deadline is designating a cybersecurity coordinator and alternate. Organizations must be thoughtful about whom they choose; they should be mindful of the gating criteria as well as the individual’s role and responsibility within the organization. The coordinator and the alternate must be US citizens who are eligible for security clearances; entrusted to serve as the primary contact for cyber-related intelligence information and cybersecurity-related activities and communications with TSA and CISA, as well as work with appropriate law enforcement and emergency response agencies; accessible to TSA and CISA 24 hours a day, seven days a week; and empowered to coordinate cyber and related security practices and procedures internally.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McDermott Will & Emery | Attorney Advertising
