TSA Issues Cybersecurity Rules for Transportation Sector
Wednesday, December 8, 2021
TSA's two new Security Directives
Print Mail Download i

On December 2, 2021, the US Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) announced two new Security Directives and additional guidance for voluntary measures to strengthen cybersecurity across the transportation sector. These follow a pair of Security Directives from TSA, on May 28, 2021, and July 26, 2021, imposing a variety of cybersecurity requirements (technical and administrative) on the 100 TSA-designated “most critical” pipeline owners/operators. The Biden administration does not appear to be taking its foot off the gas any time soon, particularly when it comes to the cybersecurity of critical infrastructure. Media reports indicate a draft blueprint is currently being circulated by the White House seeking to enhance the cybersecurity of US water utilities, too.

IN DEPTH

The December 2 TSA Security Directives target higher-risk freight railroads, passenger rail and rail transit. They require covered owners and operators to do the following:

  • [effective December 31, 2021] report “cybersecurity incidents” to DHS’s Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of identifying them, with specifications on what must be included in the submitted report;

  • [by January 6, 2022] designate a cybersecurity coordinator and alternate, who must meet certain eligibility requirements and are “required to be available” to CISA “at all times (all hours/all days) to coordinate implementation of cybersecurity practices, and manage security incidents, and serve as a principal point of contact with TSA and CISA for cybersecurity-related matters”;

  • [by March 30, 2022] conduct a cybersecurity vulnerability assessment to identify potential gaps and vulnerabilities in their systems, using the form provided by TSA, and submit the completed form to TSA; and

  • [by June 28, 2022] develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption should Information Technology (IT) and/or Operational Technology (OT) be affected by a cybersecurity incident.

The Directives broadly define a cybersecurity incident to mean an unauthorized event that “jeopardizes, disrupts or otherwise impacts, or is reasonably likely to jeopardize, disrupt or otherwise impact, the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system.” Notably, a covered cybersecurity incident includes an event that is under investigation as a possible cybersecurity incident without final determination of the event’s root cause or nature (such as malicious, suspicious or benign).

The Directives require owners/operators to submit their completed vulnerability assessment form and remediation plan to TSA by March 30, 2022. The Directives also require the cybersecurity coordinator or “other accountable executive” to submit a statement to TSA certifying compliance with the cybersecurity incident response plan requirements within seven days of completing the plan. Documentation of compliance must be provided to TSA upon request and without a subpoena.

Given the Directives’ detailed requirements, including certifications and submissions to the government, as well as tight implementation deadlines, covered owners/operators should promptly assess their cybersecurity programs. The most pressing deadline is designating a cybersecurity coordinator and alternate. Organizations must be thoughtful about whom they choose; they should be mindful of the gating criteria as well as the individual’s role and responsibility within the organization. The coordinator and the alternate must be US citizens who are eligible for security clearances; entrusted to serve as the primary contact for cyber-related intelligence information and cybersecurity-related activities and communications with TSA and CISA, as well as work with appropriate law enforcement and emergency response agencies; accessible to TSA and CISA 24 hours a day, seven days a week; and empowered to coordinate cyber and related security practices and procedures internally.

© 2024 McDermott Will & Emery

Current Legal Analysis

More from McDermott Will & Emery

Virtually Done: Computer Visualization Patents Are Ineligible for Protection
by: Courtney Seams
Lessons from Ryan S. v. UnitedHealth Group for the 2023 MHPAEA Proposed Rule
by: Alden J. Bianchi
New Guidance Addresses Use of AI Systems, Tools in Practice Before the PTO
by: Peter Brunovskis, PhD
Drawing Can Teach Claim Limitations If “Clear on Its Face”
by: Connor M. Larson
International Trade Commission Seeks Feedback on Proposed Updates to Practice and Procedure
by: Thomas DaMario
Late Expert Report Dooms Copyright Case
by: Karen Gover
Fifth Circuit Rejects Recruiter’s Trade Secret Misappropriation and Contract Defenses
by: Amol Parikh
McDermottPlus Check-Up: April 17, 2024
by: Debra Curtis , Kristen O’Brien
Hospital Settles With OCR for $4.75 Million Over HIPAA Violations
by: McDermott Will & Emery
CMS Releases FY 2025 IPPS Proposed Update
by: Deborah R. Godes , Jeffrey Davis

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins