The Transportation Security Administration proposed new rules this week that would codify existing temporary directives requiring pipeline and railroad operators to report cyber incidents and create cyber risk management (CRM) plans.
The rule would formalize several security directives issued by TSA since the ransomware attack on Colonial Pipeline in 2021.
“TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation’s critical transportation infrastructure,” said TSA Administrator David Pekoske.
“The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders.”
The proposed rules, as laid out in the Federal Register on Thursday, would affect “certain pipeline and rail owner/operators,” and impose lesser requirements on some types of bus operators.
The rules would require cyber risk management plans overseen by TSA, which would need to include three elements:
- Annual cybersecurity evaluations;
- Assessment plans that identify unaddressed vulnerabilities, and which are not run by officials who “have…