The federal Transportation Security Administration (TSA) yesterday proposed to mandate cyber risk management and reporting requirements for certain surface transportation owners and operators, including those running pipelines and railroads.
The notice of proposed rulemaking suggests a new standard that would require that:
- certain pipeline, freight railroad, passenger railroad, and rail transit owner/operators with higher cybersecurity risk profiles establish and maintain a comprehensive cyber risk management program;
- these owner/operators, and higher-risk bus-only public transportation and over-the-road bus owner/operators, currently required to report significant physical security concerns to TSA to also report cybersecurity incidents to CISA; and
- higher-risk pipeline owner/operators adopt TSA’s current requirements for rail and higher-risk bus operations to designate a physical security coordinator and report significant physical security concerns to TSA.
The publication of a “notice of proposed rulemaking” in the Federal Register typically begins a 60-day period for public comment from any interested party, and an additional 30 days for reply comments.
“TSA has collaborated…
