Developed with input from industry stakeholders and federal partners, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Transportation’s Federal Railroad Administration (FRA), the three security directives seek to strengthen the industry’s defenses against cyberattacks.  The Enhancing Rail Cybersecurity directive clarifies its applicability to owner/operators of freight railroads and now extends to freight railroads designated by TSA that were not already subject to the security directive.  This directive adds a requirement for covered owners/operators to test a minimum of two objectives in their Cybersecurity Incident Response Plan (CIRP) annually, and to include certain identified employees as active participants in the exercises.  The second directive, Enhancing Public Transportation and Passenger Railroad Cybersecurity, similarly extends its applicability to TSA-designated passenger railroads and similarly requires testing of at least two objectives of the CIRP annually.  Finally, the Rail Cybersecurity Mitigation Actions and Testing directive, which applies to freight railroads and passenger railroads, now contains new sections requiring owners/operators to annually review and update their Cybersecurity Assessment Program (CAP), submit it annually for TSA review and approval, and to report results from the prior year using a schedule designed to assess and audit specific cybersecurity measures for effectiveness such that all cybersecurity measures are assessed within a three-year period.  This directive also clarifies that owners/operators leveraging a Managed Security Service Provider (MSSP) retain sole responsibility for compliance with the directive.

TSA’s recent revisions to the three security directives follow the release of a TSA advanced notice of proposed rulemaking (ANPRM) on November 30, 2022, requesting input on how pipeline and rail sectors can implement cyber risk management (CRM) into their operations to enhance pipeline and rail cybersecurity.  Earlier this year, the Association of American Railroads (AAR) and the American Short Line and Regional Railroad Association (ASLRRA) submitted comments in response to the ANPRM, pushing back against the need for a separate CRM regulation, among other topics, and citing the industry’s ongoing implementation of the TSA’s cybersecurity directives.  TSA had been targeting September 2023 to issue an NPRM, but the agency has yet to publish a proposed rule.

In October 2022, TSA initially issued Security Directive 1580/82-2022-01, “Rail Cybersecurity Mitigation Actions and Testing,” which sets performance-based cybersecurity standards for the rail industry and builds on TSA’s Security Directive 1580-21-01, “Enhancing Rail Cybersecurity,” which took effect December 31, 2021. 

Hogan Lovells has been helping clients in various industries navigate TSA's new security directives since before they were released.  To date, Hogan Lovells has assisted numerous large and small infrastructure clients to overcome compliance challenges.  Hogan Lovells lawyers offer one-on-one connections with TSA as well as other key government actors (including in law enforcement and cyber leadership) and know the world of cybersecurity intimately.  Hogan Lovells also has deep understanding of the transportation sector and how it works.  We can bring that experience to assist our rail clients in tackling the latest cybersecurity challenges and anticipated regulations.