On December 2, 2021, the Transportation Security Administration (“TSA”) announced the issuance of Security Directive 1580-21-01, Enhancing Rail Cybersecurity, and Security Directive 1582-21-01, Enhancing Public Transportation and Passenger Railroad Cybersecurity (the “December Security Directives”), and “additional guidance for voluntary measures to strengthen cybersecurity across the transportation sector in response to the ongoing cybersecurity threat to surface transportation systems and associated infrastructure.”  TSA’s announcement clarifies that these actions are “among several steps DHS is taking to increase the cybersecurity of U.S. critical infrastructure.”

The December Security Directives, which become effective on December 31, 2021, impose significant requirements on owners and operators of “higher-risk freight railroads, passenger rail, and rail transit.”  TSA’s announcement also explained that it has extended certain requirements of the December Security Directives to airport and airline operators and has recommended that “all other lower-risk surface transportation owners and operators voluntarily implement” the requirements of the December Security Directives.

Freight and Passenger Rail.  Specifically, the December Security Directives require freight rail carriers identified in 49 C.F.R. § 1580.101 and owners and operators of a passenger railroad carrier or rail transit system identified in 49 C.F.R. § 1582.101 to undertake, among other things, “four critical actions”:

  1. Designate a cybersecurity coordinator who is “available to” TSA and the Department of Homeland Security (“DHS”) Cybersecurity and Infrastructure Security Agency (CISA) “at all times” and provide the name, title, phone number, and email address of the cybersecurity coordinator and at least one alternate cybersecurity coordinator by email to TSA within seven days of the effective date of the December Security Directives, upon commencement of new operations, or in the event of changes to this information;
  2. Report a cybersecurity incident—which is defined to include “an event that is under investigation or evaluation . . . as a possible cybersecurity incident”—to CISA within 24 hours;
  3. Develop and implement a cybersecurity incident response plan within 180 days from the effective date of the December Security Directives (unless otherwise directed) to reduce the risk of an operational disruption to information technology and operational technology systems, and certify to TSA that it has met these requirements within 7 days of completion; and
  4. Complete a cybersecurity vulnerability assessment—which will include an assessment of current practices and activities to address cyber risks to information technology and operational technology systems, identification of gaps in current cybersecurity measures, and identification of remediation measures to address any identified vulnerabilities and gaps and develop a plan to implement these measures—and submit that assessment and remediation plan to TSA within 90 days of the effective date of the December Security Directives.

The December Security Directives also require owners and operators to comply with a range of additional requirements and procedures including, for example, confirming receipt of the December Security Directives and notifying TSA if unable to implement any of the measures in the December Security Directives within the required timeframes.

Aviation.  While the Security Directives are targeted at certain freight railroads, passenger rail, and rail transit, TSA’s announcement also explained that the agency “recently updated its aviation security programs to require that airport and airline operators implement the first two provisions above”; that is, these operators must designate a cybersecurity coordinator and report cybersecurity incidents to CISA within 24 hours.  TSA also announced its intention to “expand the requirements for the aviation sector and issue guidance to smaller operators.”

Information Sharing.  The December Security Directives make clear that information produced under the requirements of these directives will be shared amongst the U.S. Government.  Specifically, the December Security Directives clarify that any information provided to CISA under the December Security Directives “will” be shared with TSA, any information provided to TSA “will” be shared with CISA, and such information “may” be shared with the National Response Center and “other agencies as appropriate.”

Looking Forward.  These latest regulatory actions by TSA follow two previous TSA cybersecurity directives, issued in May and July 2021, which targeted TSA-designated critical pipelines.  These actions are also in line with DHS Secretary Alejandro Mayorkas’ recent public remarks, which previewed the issuance of the December Security Directives and also announced a forthcoming rulemaking process to develop a “longer-term regime to strengthen cybersecurity and resilience in the transportation sector.”  These efforts are consistent with the U.S. Government’s ongoing focus on strengthening critical infrastructure cybersecurity.  More broadly, the White House has made U.S. cybersecurity a key issue over the past year, including by issuing an Executive Order on Improving the Nation’s Cybersecurity seeking to strengthen the federal government’s ability to respond to and prevent cybersecurity threats and engaging with private sector leaders to bolster the nation’s cybersecurity.  Accordingly, companies in all sectors—both in and out of the critical infrastructure space—should expect further developments in coming months.

Ashden Fein

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Mr. Fein frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.

Additionally, Mr. Fein assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, and requirements related to supply chain security.

Before joining Covington, Mr. Fein served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Mr. Fein currently serves as a Judge Advocate in the U.S. Army Reserve.

John Webster Leslie

Web Leslie represents and advises emerging and leading companies on a broad array of technology issues, including on cybersecurity, national security, investigations, and data privacy matters.
Web provides strategic advice and counsel on cybersecurity preparedness, data breach, cross-border privacy law, and government investigations, and helps clients navigate complex policy matters related to cybersecurity and national security.

In addition to his regular practice, Web also counsels pro bono clients on technology, immigration, and criminal law matters, including representing a client sentenced to life without parole by a non-unanimous jury in Louisiana.

Web previously served in government in various roles at the Department of Homeland Security, including at the Cybersecurity and Infrastructure Security Agency (CISA), where he specialized in cybersecurity policy, public-private partnerships, and interagency cyber operations. He also served as Special Assistant to the Secretary of Homeland Security.