Deadline to Comment on TSA Proposed Rule on Enhancing Cyber Risk Management for Surface Transportation Sectors
On November 7, 2024, the Transportation Security Administration (the “TSA”) published a Notice of Proposed Rulemaking (the “Proposed Rule”) that would mandate cyber risk management (“CRM”) and reporting requirements for certain surface transportation owners and operators, including certain pipeline, freight railroad, passenger railroad, rail transit, and over-the-road bus owners and operators. Comments to the Proposed Rule are due by February 5, 2025.
The TSA aims to strengthen cybersecurity and resiliency for the surface transportation sector following the 2021 ransomware attack on the Colonial Pipeline by mandating the reporting of cybersecurity incidents to the TSA and Cybersecurity and Infrastructure Security Agency (“CISA”), as well as the development of a robust CRM program.
The Proposed Rule is based on the TSA’s previously issued requirements and recommendations, the cybersecurity framework developed by the National Institute of Standards and Technology, and the cross-sector cybersecurity performance goals developed by CISA.
The Proposed Rule would require, in addition to other requirements, covered owners and operators to:
- Have a TSA-approved CRM program;
- Conduct annual enterprise-wide cybersecurity evaluations;
- Develop a Cybersecurity Operational Implementation Plan that identifies who is responsible for governance of the CRM program, details the measures to protect and monitor critical cyber systems, and includes continuity plans for those critical systems; and
- Establish a Cybersecurity Assessment Plan that includes the identification of unaddressed vulnerabilities and the reporting of annual assessment results.
Both physical security incidents and cybersecurity incidents would need to be reported. The Proposed Rule builds on previously issued security directives, which are emergency regulations that the TSA may issue without providing notice or soliciting public comment. Security directives are only effective up to 90 days unless ratified by the Transportation Security Oversight Board. The TSA estimates the Proposed Rule would impact approximately 300 surface transportation owners and operators, including 115 pipeline facilities.
Given the potential compliance burden and the rapidly approaching end of the comment period, industry stakeholders should evaluate how the proposed new CRM requirements align with their existing security programs.
The Vinson & Elkins Technology Transactions team assists clients in identifying, managing, and mitigating cybersecurity risks and managing incident response and resulting investigations and litigation. If you have questions, please contact your V&E attorney.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.