Security Policy Alert: New Cybersecurity Measures Announced for Transportation Sector

October 6, 2021

TSA Call Reminder

This afternoon, during opening remarks at a cybersecurity summit, DHS Secretary Ali Mayorkas announced new cyber-related requirements for the transportation sector to ensure the transportation sector as a whole is prepared and resilient.  The Secretary also applauded efforts owners and operators have already taken based on voluntary guidance issued by the TSA and the Cybersecurity and Infrastructure Security Agency (CISA).

According to a DHS spokesperson, 'œTSA is currently engaged with transportation operators and plans in the near future to issue a security directive for higher-risk rail and transit entities as well as recommended measures for lower-risk operators. TSA also anticipates issuing new requirements for critical U.S. airport operators, passenger aircraft operators, and all-cargo aircraft operators.' These new aviation requirements would be implemented through amendments to TSA aviation security programs. No specific timeframe was announced as to when TSA would issue the aviation requirements but the rail and transit security directive will be issued later this year.

According to DHS, these new measures do not include a prescriptive list of mitigation measures. Rather, they include three core basic cybersecurity elements:

'¢ Designating a cybersecurity coordinator '“ so the government knows whom to call if needed.
'¢ Reporting incidents when they occur '“ so the government knows if something has happened and can help the affected entity if needed and can provide mitigating measures to others to help prevent similar incidents. 
'¢ Developing a contingency plan '“ so an organization has a plan in place in case something does happen to minimize the impact.

In August, TSA issued a proposed update to TSA National Amendment 14-01: Incidents and Suspicious Activities Reporting. The proposed ASP amendment would require airport operators to report certain cybersecurity incidents and to designate a cybersecurity coordinator. Comments were due on September 19. 

As a reminder, CISA will be participating in TSA'™s monthly call for airport stakeholders tomorrow at 1:00 pm ET and will discuss cyber threats and vulnerabilities. CISA has provided slides in advance of the call. The call-in number is 1-800-857-5826 and the passcode is 9596778.