Key Points
- This December, the Transportation Security Administration (TSA) issued a pair of Directives establishing cybersecurity measures for high-risk freight rail, passenger rail, and rail transit owners and operators. These directives went into effect December 31, 2021. Specifically, owners and operators must: (1) name a cybersecurity coordinator; (2) report any cyber incidents within 24 hours to the Cybersecurity and Infrastructure Security Agency (CISA); (3) develop an incident response plan; and (4) complete a cybersecurity vulnerability assessment.
- At the same time, TSA issued an Information Circular recommending that lower-risk rail owners and operators and over-the-road bus owners and operators implement the above requirements voluntarily.
- TSA had previously directed airports and airline operators to (1) name a cybersecurity coordinator; and (2) report cyber incidents within 24 hours to CISA.
- The resulting deadlines for applicable rail owners and operators are the following:
- January 7, 2022 – Designate a cybersecurity coordinator
- March 31, 2022 – Conduct cybersecurity vulnerability assessment
- June 29, 2022 – Implement a cyber incident response…
