New TSA Cyber Risk Management Rules: What Pipeline, Rail, and Bus Operators Need to Know

On November 7, 2024, the Transportation Security Administration (TSA) issued its Enhancing Surface Cyber Risk Management Notice of Proposed Rulemaking (NPRM), a significant development for certain pipeline, rail, and over-the-road bus operators. The NPRM, which is open for public comment until February 5, 2025, proposes comprehensive cyber risk management requirements designed to enhance operational security and mitigate the risk of cyberattacks.

Key Requirements of the NPRM

The proposed regulations include the following mandates:

  • Physical Security Coordinator: Operators subject to the rule would be required to designate a Physical Security Coordinator at the corporate level to function as an administrator for sharing security-related activities and information with TSA.
  • Incident Reporting: The NPRM distinguishes between physical and cybersecurity incident reporting. Certain pipeline, freight railroad, passenger railroad, and rail transit owners and operators would be required to report cybersecurity incidents to CISA, and physical security concerns to TSA, within 24 hours.
  • Documentation and Verification: The NPRM proposes enhanced requirements for maintaining compliance records and conducting independent assessments and audits.
  • Cyber Risk Management Program: Operators subject to the rule would be required to establish and maintain a comprehensive program to manage cyber risks effectively. This would include, among other things, annual cybersecurity evaluations, creation of a TSA-approved Cybersecurity Operational Implementation Plan (COIP), and development of a Cybersecurity Assessment Plan (CAP) to identify unaddressed vulnerabilities.
  • Broader Classification of Sensitive Security Information (SSI): The NPRM expands SSI classification to include transportation-related cybersecurity materials, heightening the need for confidentiality and data protection.

The NPRM would effectively codify and expand upon existing TSA requirements established through the Security Directives issued in 2021 following the Colonial Pipeline cyberattack. Navigating these evolving requirements can be challenging. Please do not hesitate to contact us with additional questions or for more information.
