On December 2, 2021, the Transportation Security Administration (“TSA”) announced the issuance of Security Directive 1580-21-01, Enhancing Rail Cybersecurity, and Security Directive 1582-21-01, Enhancing Public Transportation and Passenger Railroad Cybersecurity (the “December Security Directives”), and “additional guidance for voluntary measures to strengthen cybersecurity across the transportation sector in response to the ongoing cybersecurity threat to surface transportation systems and associated infrastructure.” TSA’s announcement clarifies that these actions are “among several steps DHS is taking to increase the cybersecurity of U.S. critical infrastructure.”
The December Security Directives, which become effective on December 31, 2021, impose significant requirements on owners and operators of “higher-risk freight railroads, passenger rail, and rail transit.” TSA’s announcement also explained that it has extended certain requirements of the December Security Directives to airport and airline operators and has recommended that “all other lower-risk surface transportation owners and operators voluntarily implement” the requirements of the December Security Directives.
Freight and Passenger Rail. Specifically, the December Security Directives require freight rail carriers identified in 49 C.F.R. § 1580.101 and owners and operators of a passenger railroad carrier or rail transit system identified in 49 C.F.R. § 1582.101 to undertake, among other things, “four critical actions”:
- Designate a cybersecurity coordinator who is “available to” TSA and the Department of Homeland Security (“DHS”) Cybersecurity and Infrastructure Security Agency (CISA) “at all times” and provide the name, title, phone number, and email address of the cybersecurity coordinator and at least one alternate cybersecurity coordinator by email to TSA within seven days of the effective date of the December Security Directives, upon commencement of new operations, or in the event of changes to this information;
- Report a cybersecurity incident—which is defined to include “an event that is under investigation or evaluation . . . as a possible cybersecurity incident”—to CISA within 24 hours;
- Develop and implement a cybersecurity incident response plan within 180 days from the effective date of the December Security Directives (unless otherwise directed) to reduce the risk of an operational disruption to information technology and operational technology systems, and certify to TSA that it has met these requirements within 7 days of completion; and
- Complete a cybersecurity vulnerability assessment—which will include an assessment of current practices and activities to address cyber risks to information technology and operational technology systems, identification of gaps in current cybersecurity measures, and identification of remediation measures to address any identified vulnerabilities and gaps and develop a plan to implement these measures—and submit that assessment and remediation plan to TSA within 90 days of the effective date of the December Security Directives.
The December Security Directives also require owners and operators to comply with a range of additional requirements and procedures including, for example, confirming receipt of the December Security Directives and notifying TSA if unable to implement any of the measures in the December Security Directives within the required timeframes.
Aviation. While the Security Directives are targeted at certain freight railroads, passenger rail, and rail transit, TSA’s announcement also explained that the agency “recently updated its aviation security programs to require that airport and airline operators implement the first two provisions above”; that is, these operators must designate a cybersecurity coordinator and report cybersecurity incidents to CISA within 24 hours. TSA also announced its intention to “expand the requirements for the aviation sector and issue guidance to smaller operators.”
Information Sharing. The December Security Directives make clear that information produced under the requirements of these directives will be shared within the U.S. Government. Specifically, the December Security Directives clarify that any information provided to CISA under the December Security Directives “will” be shared with TSA, any information provided to TSA “will” be shared with CISA, and such information “may” be shared with the National Response Center and “other agencies as appropriate.”
Looking Forward. These latest regulatory actions by TSA follow two previous TSA cybersecurity directives issued in May and July 2021, which targeted TSA-designated critical pipelines. These actions are also in line with DHS Secretary Alejandro Mayorkas’ recent public remarks, which previewed the issuance of the December Security Directives and also announced a forthcoming rulemaking process to develop a “longer-term regime to strengthen cybersecurity and resilience in the transportation sector.” These efforts are consistent with the U.S. Government’s ongoing focus on strengthening critical infrastructure cybersecurity. More broadly, the White House has made U.S. cybersecurity a key issue over the past year, including by issuing an Executive Order on Improving the Nation’s Cybersecurity seeking to strengthen the federal government’s ability to respond to and prevent cybersecurity threats and engaging with private sector leaders to bolster the nation’s cybersecurity. Accordingly, companies in all sectors—both in and out of the critical infrastructure space—should expect further developments in coming months.