Last week, the Transportation Security Administration (TSA) published a notice of proposed rulemaking (NPRM) in the Federal Register (89 FR 88488-88592) on “Enhancing Surface Cyber Risk Management”. The advance notice of proposed rulemaking for this rule was published on November 30th, 2022. The proposed rulemaking would require owner/operators of designated freight railroads, passenger railroads, rail transit, and pipeline facilities and/or systems to have a CRM program approved by TSA.
Overview
In general, the new rule would require designated owner/operators:
To have a Cyber Risk Management (CRM) program approved by TSA,
To develop a Cybersecurity Operational Implementation Plan (COIP), and
To have a Cybersecurity Assessment Plan (CAP) that includes a schedule for assessments, an annual report of assessment results, and identification of unaddressed vulnerabilities.
Additionally, TSA is proposing the following administrative changes to existing regulations:
To reorganize requirements in subchapter D of 49 CFR chapter XII related to security coordinators, reporting significant security concerns, and security training of security-sensitive employees,
To distinguish between requirements focused on physical security and those focused on cybersecurity, and
To incorporate into subchapter D a new section related to issuance of Security Directives (SDs) and Information Circulars (ICs), mirroring language currently applicable in the aviation industry.
Public Comments
The TSA is soliciting public comments on this proposed rule.
Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # TSA-2022-0001).
Comments should be submitted by February 5th, 2025.