Privacy & Cybersecurity Law Blog

On December 2, 2021, the Transportation Security Administration (“TSA”) announced that it issued two security directives requiring higher-risk freight railroads, passenger rail and rail transit to implement measures to strengthen cybersecurity within the sector. In its press release, the TSA stated that it determined these requirements needed to be issued immediately to protect the transportation sector. The TSA also stated that it sought input from industry stakeholders and federal partners, including the Cybersecurity and Infrastructure Security Agency (“CISA”), in developing its approach.

Key among the requirements in the security directives is a requirement to report cybersecurity incidents to CISA within 24 hours. The directives also require these rail transportation owners and operators to (1) designate a cybersecurity coordinator, (2) develop and implement a cybersecurity incident response plan, and (3) conduct a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.

Homeland Security Secretary Alejandro Mayorkas said the new requirements “will help keep the traveling public safe and protect our critical infrastructure from evolving threats” and indicated that the Department of Homeland Security will continue public and private partnerships to increase the resilience of critical infrastructure. Ian Jefferies, President and Chief Executive Officer of the Association of American Railroads, said in a statement that “[r]ailroads take these threats seriously and value our productive work with government partners to keep the network safe.”

The press release also announces that the TSA is releasing guidance recommending that all other lower-risk rail transportation owners and operators voluntarily implement the same measures.