"TSA to Issue Cybersecurity Requirements For US Rail, Aviation Sectors"

After issuing cybersecurity requirements for pipeline companies via two directives earlier this year, the Transportation Safety Administration (TSA) will also issue cybersecurity requirements for rail systems and airport operators. First, TSA will issue a new directive to cover high-risk railroads and rail transit entities.  Reports suggest that at the minimum, Amtrak and significant subway systems such as those in Washington, DC, and New York would fall under the regulations.  The new directive would require covered entities to identify a cybersecurity point person, report cyber incidents to DHS's Cybersecurity and Infrastructure Security Agency (CISA), and create a contingency and recovery plan to follow if they become victims of malicious cyber activity. For "lower-risk surface entities," TSA will issue separate guidance that encourages, rather than requires, these entities to follow the same measures.  In terms of aviation security, TSA will require that critical US airport operators, passenger aircraft operators, and all-cargo aircraft operators designate a cybersecurity coordinator and report cyber incidents to CISA. In addition, TSA will gradually expand the directive's reach to cover other relevant entities and consider additional measures over time.  TSA is also initiating a rulemaking process to develop a longer-term regime to strengthen cybersecurity and resilience in the transportation sector. To help transportation organizations better prepare for that process, the agency will issue an information circular recommending the completion of a cybersecurity self-assessment.

CSO reports: "TSA to Issue Cybersecurity Requirements For US Rail, Aviation Sectors"