The Transportation Security Administration (TSA) has released a Notice of Proposed Rulemaking (NPRM) outlining new cybersecurity requirements aimed at protecting critical infrastructure in the United States. The proposal, which focuses on pipelines, railroads, and over-the-road buses, introduces mandatory cybersecurity risk management (CRM) programs and reporting protocols. This shift from voluntary to required measures responds to escalating cyber threats against key sectors that form the backbone of national security and economic stability.

At the heart of this proposal are requirements for owner/operators to establish TSA-approved CRM programs, encompassing comprehensive cybersecurity evaluations, operational plans, and assessment protocols. These programs would ensure systematic reviews of cybersecurity practices, allowing for targeted improvements in identifying, protecting, and recovering from cyber incidents. By requiring annual assessments, the TSA aims to create a dynamic, responsive security framework that evolves with emerging threats. Additionally, this proposal mandates a Cybersecurity Operational Implementation Plan (COIP) for managing vulnerabilities and an incident response plan to mitigate damage in case of an attack. These layered requirements seek to enhance resilience across sectors essential to national infrastructure.

The NPRM was largely prompted by recent cyber incidents, like the 2021 DarkSide ransomware attack on a major U.S. pipeline that disrupted gasoline supplies across the East Coast. This event underscored the vulnerabilities inherent in critical infrastructure networks and the urgency of robust cybersecurity protections. By implementing CRM programs, the TSA expects that industries, including rail and public transit, can better defend against cyber threats, maintain service continuity, and reduce potential economic and public safety impacts.

The implications of this proposal are significant for infrastructure security and operational resilience. Establishing CRM programs will require substantial investment from operators, with TSA estimating over $2 billion in costs over the next decade. However, the potential benefits—reduced disruption and minimized risk to public safety and economic stability—far outweigh the financial burden. This initiative reflects a move toward a more regulated cybersecurity landscape for critical infrastructure, with mandatory compliance helping to close the gaps that voluntary guidelines have left unaddressed.

This summary is not guaranteed to be accurate or comprehensive and does not constitute legal advice.