February 1, 2023

Volume XIII, Number 32



TSA Issues Cybersecurity Rules for Transportation Sector

On December 2, 2021, the US Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) announced two new Security Directives and additional guidance for voluntary measures to strengthen cybersecurity across the transportation sector. These follow a pair of Security Directives from TSA, on May 28, 2021, and July 26, 2021, imposing a variety of cybersecurity requirements (technical and administrative) on the 100 TSA-designated “most critical” pipeline owners/operators. The Biden administration does not appear to be taking its foot off the gas any time soon, particularly when it comes to the cybersecurity of critical infrastructure. Media reports indicate a draft blueprint is currently being circulated by the White House seeking to enhance the cybersecurity of US water utilities, too.


The December 2 TSA Security Directives target higher-risk freight railroads, passenger rail and rail transit. They require covered owners and operators to do the following:

  • [effective December 31, 2021] report “cybersecurity incidents” to DHS’s Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of identifying them, with specifications on what must be included in the submitted report;

  • [by January 6, 2022] designate a cybersecurity coordinator and alternate, who must meet certain eligibility requirements and are “required to be available” to CISA “at all times (all hours/all days) to coordinate implementation of cybersecurity practices, and manage security incidents, and serve as a principal point of contact with TSA and CISA for cybersecurity-related matters”;

  • [by March 30, 2022] conduct a cybersecurity vulnerability assessment to identify potential gaps and vulnerabilities in their systems, using the form provided by TSA, and submit the completed form to TSA; and

  • [by June 28, 2022] develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption should Information Technology (IT) and/or Operational Technology (OT) be affected by a cybersecurity incident.

The Directives broadly define a cybersecurity incident to mean an unauthorized event that “jeopardizes, disrupts or otherwise impacts, or is reasonably likely to jeopardize, disrupt or otherwise impact, the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system.” Notably, a covered cybersecurity incident includes an event that is under investigation as a possible cybersecurity incident without final determination of the event’s root cause or nature (such as malicious, suspicious or benign).

The Directives require owners/operators to submit their completed vulnerability assessment form and remediation plan to TSA by March 30, 2022. The Directives also require the cybersecurity coordinator or “other accountable executive” to submit a statement to TSA certifying compliance with the cybersecurity incident response plan requirements within seven days of completing the plan. Documentation of compliance must be provided to TSA upon request and without a subpoena.

Given the Directives’ detailed requirements, including certifications and submissions to the government, as well as tight implementation deadlines, covered owners/operators should promptly assess their cybersecurity programs. The most pressing deadline is designating a cybersecurity coordinator and alternate. Organizations must be thoughtful about whom they choose; they should be mindful of the gating criteria as well as the individual’s role and responsibility within the organization. The coordinator and the alternate must be US citizens who are eligible for security clearances; entrusted to serve as the primary contact for cyber-related intelligence information and cybersecurity-related activities and communications with TSA and CISA, as well as work with appropriate law enforcement and emergency response agencies; accessible to TSA and CISA 24 hours a day, seven days a week; and empowered to coordinate cyber and related security practices and procedures internally.

© 2023 McDermott Will & Emery

National Law Review, Volume XI, Number 342

About this Author

Scott Ferber Cybersecurity Attorney McDermott Will and Emery Washington DC

Scott leverages his extensive experience as a former federal cybercrime prosecutor and in senior leadership at the US Department of Justice (DOJ) to advise clients across industries on the full range of privacy and security issues created by global data collection and usage. This includes responding to cyber incidents and managing complex privacy and cyber risk assessments. Scott often defends clients in regulatory investigations from the Federal Trade Commission (FTC), State Attorneys General and other federal, state and local regulators and criminal authorities.

Robert Duffy Counsel Attorney Cybersecurity Privacy Washington DC

Robert Duffy helps clients manage their cybersecurity, privacy, and information technology legal risks by delivering practical advice, navigating crisis response and aggressively pursuing justice for victims of cybercrime and business torts. Robert conducts internal investigations into security incidents, vulnerability reports, potential compliance issues, insider threats and other high-stakes matters. Robert helps clients meet regulatory and legal obligations by assessing cybersecurity maturity and developing cost-effective and risk-prioritized remediation plans and...