The Transportation Security Administration (TSA) has released a Notice of Proposed Rulemaking to establish cyber risk management and reporting practices for pipeline, railroad, bus and other public transportation systems. The proposed rules extends existing cybersecurity framework developed by the National Institute of Standards and Technology as well as the cybersecurity performance goals of the Cybersecurity and Infrastructure Security Agency (CISA).
The proposed rules, as laid out in the Federal Register on Thursday, would affect “certain pipeline and rail owner/operators,” and impose lesser requirements on some types of bus operators. These organizations would be required to establish and maintain comprehensive cyber risk management programs, to report incidents to the Cybersecurity and Infrastructure Security Agency (CISA), and to designate a physical security coordinator and report significant physical security concerns to TSA. The cyber risk management plans will need to include annual cybersecurity evaluations; assessment plans that identify unaddressed vulnerabilities; and a cybersecurity operational implementation plan describing officials in charge of cyber,…
