WASHINGTON — The Transportation Security Administration has proposed a rule that would impose cybersecurity risk management and reporting requirements on some freight and passenger railroads, as well as rail transportation.
The Notice of Proposed Rulemaking, published today in the Federal Register, also covers some bus and pipeline operations.
The TSA estimates that under the rule’s criteria, 73 of the approximately 620 U.S. freight railroads and 34 of approximately 92 passenger rail and transit operators would be subject to the requirements.
“TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation’s critical transportation infrastructure,” TSA Administrator David Pekoske said in a press release. “The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public input on this proposed regulation.”
The rule would require an annual cybersecurity evaluation; a cybersecurity implementation plan identifying those responsible for the program, critical systems, and measures to recover from a cybersecurity incident; and an assessment plan that includes a schedule for cybersecurity assessments, an annual report of results, and identification of unaddressed vulnerabilities.
The comment period for the proposal runs through Feb. 5, 2025. A link to information on how to comment is included at the top of the notice in the Federal Register.
Another government push toward companies, with good goals and intentions, but as always, the “devil” lies in the details. If the rules set up basic guidelines and desired goals, probably fine. If the proposal has rigid and detailed requirements, not fine. Hopefully, they will listen to and work with the comments received and join with the companies, not against them.