TSA rule would require cyber risk management for railroads, buses, and pipeline operators

TSA’s NPRM would impose cybersecurity requirements on designated critical surface transportation sectors—including pipelines, freight railroads, passenger railroads, and bus operators—adapted from the cybersecurity framework developed by the National Institute of Standards and Technology and the cross-sector cybersecurity performance goals developed by the Cybersecurity and Infrastructure Security Agency (CISA). In particular, the rule would require:

• certain (i) pipeline, (ii) freight railroad, (iii) passenger railroad, and (iv) rail transit owner/operators with higher cybersecurity risk profiles to establish and maintain a comprehensive cyber risk management program, which would include annual cybersecurity evaluations, continuity of operations plans for critical systems, and corrective action plans to address vulnerabilities; 
• certain (i) pipeline, (ii) freight railroad, (iii) passenger railroad, (iv) rail transit, (v) higher-risk bus-only public transportation, and (vi) over-the-road bus owner/operators, currently required to report significant physical security concerns to TSA, to report cybersecurity incidents to CISA within 24 hours of detection, in alignment with CISA’s broader Cyber Incident Reporting for Critical Infrastructure Act regulations, which are slated to be finalized in October 2025; and
• (i) higher-risk pipeline owner/operators—not previously subjected to TSA’s current requirements for rail and higher-risk bus operations—to designate a physical security coordinator—a person responsible for overseeing and managing security measures—to report significant physical security concerns, such as potential threats, vulnerabilities, or incidents, to TSA.

The proposed rule iterates on previous TSA cybersecurity directives and mandates established after the 2021 Colonial Pipeline ransomware attack. TSA’s recent initiatives have focused on levying stricter cybersecurity requirements for railroad and pipeline operators. For example, on July 27, 2024, TSA reissued its Security Directive regarding oil and natural gas pipeline cybersecurity to mandate pipeline owners/operators annually submit updated cybersecurity plans, report security assessment results, test incident response plans, and ensure all security measures are reviewed every three years, while continuing to report incidents to CISA and maintain vulnerability assessments. On October 24, 2024, TSA renewed its cybersecurity requirements for passenger and freight railroad carriers to annually test their cybersecurity response plans, include key staff in security-related exercises, submit updated security assessment plans, and review all security measures every three years.

The November 6 NPRM expands the agency’s cybersecurity obligations transportation modes by including bus operators and introducing additional performance-based requirements, such as cyber risk management and incident reporting, across transportation critical sectors. TSA estimates the rule will impact nearly 300 transportation entities, including 73 freight railroads, 34 public transportation systems, 71 intercity bus operators, and 115 pipeline facilities.

Authored by Nathan Salminen and Baily Martin.