Enhancing Surface Cyber Risk Management

SUPPLEMENTARY INFORMATION:

Public Participation

TSA invites interested persons to participate in this NPRM by submitting written comments, including relevant data. We also invite comments relating to the economic, environmental, energy, or federalism impacts that might result from this rulemaking action. See the ADDRESSES section above for information on where to submit comments.

NPRM-Specific Request for Comments

1. TSA is requesting comments on the impact of regulations and requirements being imposed by other Federal, State, and Local entities, including DHS components, and potential options for regulatory harmonization.

2. TSA is requesting comments on whether proposed requirements for supply chain risk management should also include requirements to ensure that any new software purchased for, or to be installed on, Critical Cyber Systems meets CISA's Secure-by-Design and Secure-by-Default principles.

3. TSA is requesting comments on existing training and certification programs that could provide low-cost options to meet proposed qualification requirements for Cybersecurity Coordinators. If identified and determined by TSA to be sufficient, TSA could recognize them as examples for owner/operators that would be subject to these requirements.

4. TSA is proposing to require owner/operators to have a Cybersecurity Assessment Plan (CAP) to annually assess and audit the effectiveness of their TSA-approved Cybersecurity Operational Implementation Plan (COIP). TSA is requesting comments on methodologies owner/operators could use to develop a plan that would meet the required annual minimum for assessments and audits, assessment and auditing capabilities that could be included in the CAP, and other options and resources that could ensure a robust auditing and assessment program that provides frequent and regular reviews of effectiveness of CRM program implementation.

5. TSA is requesting comments from pipeline owner/operators on opportunities to streamline compliance and reduce redundancies and duplication of efforts for pipeline facilities regulated under 33 CFR 105.105(a) or 106.105(a).

6. TSA is requesting comment on whether accountable executives and Cybersecurity Coordinators, for all covered owner/operators, should be required to undergo a TSA-conducted Security Threat Assessment (STA), which would include a terrorism/other analyses check, an immigration check, and a criminal history records check (CHRC).

7. TSA is requesting comment on whether TSA should require all frontline workers (“security-sensitive employees”) in the pipeline industry to also be vetted by TSA. Although TSA is not proposing this requirement, TSA seeks comments on how the vetting would impact their operations and costs, and specifically how many employees the entity has that would likely be considered security-sensitive employees.

8. TSA is requesting comment on the inputs used in the Regulatory Impact Analysis (RIA), including those related to the Security Directives (SDs), their implementation, and associated costs and benefits. Comments that will provide the most assistance to TSA will reference a specific portion of this proposed rule, explain the reason for any suggestions or recommended changes, and include data, information, or authority that supports such suggestion or recommended change.

9. TSA invites all interested parties to submit data and information regarding the potential economic impact on small entities that would result from the adoption of the requirements in the proposed rule.

10. TSA invites comments on the proposed collection of information and estimates of burden.

Submitting Comments on the NPRM

With each comment, please identify the docket number at the beginning of your comments. You may submit comments and material electronically, by mail, or fax as provided under ADDRESSES , but please submit your comments and material by only one means. If you submit comments by mail or in person, submit them in an unbound format, no larger than 8.5 by 11 inches, suitable for copying and electronic filing.

If you would like TSA to acknowledge receipt of comments submitted by mail, include with your comments a self-addressed, stamped postcard or envelope on which the docket number appears, and we will mail it to you.

All comments, except those that include confidential or SSI will be posted to https://www.regulations.gov and include any personal information you have provided. Should you wish your personally identifiable information redacted prior to filing in the docket, please clearly indicate this request in your submission. TSA will consider all comments that are in the docket on or before the closing date for comments and will consider comments filed late to the extent practicable. The docket is available for public inspection before and after the comment closing date.

Submitting Comments on the Proposed Information Collections

Comments on the proposed information collections included in this NPRM should be submitted both to TSA, as indicated above, and to the Office of Information and Regulatory Affairs, Office of Management and Budget (OMB). Comments should be identified by the appropriate OMB Control Number(s) or the title of this proposed rule, addressed to the Desk Officer for the Department of Homeland Security, Transportation Security Administration, and sent via electronic mail to dhsdeskofficer@omb.eop.gov.

Handling of Confidential or Proprietary Information and SSI Submitted in Public Comments

Do not submit comments that include trade secrets, confidential commercial or financial information, or SSI to the public regulatory docket. Please submit such comments separately from other comments on the rulemaking. Comments containing this type of information should be appropriately marked as containing such information and submitted by mail to the address listed in the FOR FURTHER INFORMATION CONTACT section. TSA will take the following actions for all submissions containing SSI:

• TSA will not place comments containing SSI in the public docket and will handle them with applicable safeguards and restrictions on access.
• TSA will hold documents containing SSI, confidential business information, or trade secrets in a separate file to which the public does not have access.
• TSA will place a note in the public docket explaining that commenters have submitted such documents.
• TSA may include a redacted version of the comment in the public docket.
• TSA will treat requests to examine or copy information that is not in the public docket as any other request under the Freedom of Information Act (5 U.S.C. 552) and the Department of Homeland Security (DHS) Freedom of Information Act regulation found in 6 CFR part 5.

Reviewing Comments in the Docket

Please be aware that anyone can search the electronic form of all comments in any of our dockets by the name of the individual, association, business entity, labor union, etc., who submitted the comment. For more about privacy and the docket, review the Privacy and Security Notice for the FDMS at https://www.regulations.gov/privacy-notice, as well as the System of Records Notice DOT/ALL 14—Federal Docket Management System (73 FR 3316, January 17, 2008) and the System of Records Notice DHS/ALL 044—eRulemaking (85 FR 14226, March 11, 2020).

You may review TSA's electronic public docket at https://www.regulations.gov. In addition, DOT's Docket Management Facility provides a physical facility, staff, equipment, and assistance to the public. To obtain assistance or to review comments in TSA's public docket, you may visit this facility between 9 a.m. and 5 p.m., Monday through Friday, excluding legal holidays, or call (202) 366-9826. This DOT facility is in the West Building Ground Floor, Room W12-140 at 1200 New Jersey Avenue SE, Washington, DC 20590.

Availability of Rulemaking Document

You can find an electronic copy of this rulemaking using the internet by accessing the Government Publishing Office's web page at https://www.govinfo.gov/app/collection/FR/ to view the daily published Federal Register edition or accessing the Office of the Federal Register's web page at https://www.federalregister.gov. Copies are also available by contacting the individual identified for “General Questions” in the FOR FURTHER INFORMATION CONTACT section.

Abbreviations and Terms Used in This Document

9/11 Act—Implementing Recommendations of the 9/11 Commission Act of 2007

AAR—Association of American Railroads

Amtrak—National Railroad Passenger Corporation

APTA—American Public Transportation Association

ATSA—Aviation and Transportation Security Act

BOS—Back Office Server

BES—Bulk Electric System

CAP—Cybersecurity Assessment Plan

CEQ—Council on Environmental Quality

CSF—Cybersecurity Framework 2.0

CIRCIA—Cyber Incident Reporting for Critical Infrastructure Act of 2022

CIP—Cybersecurity Implementation Plan

CIRP—Cybersecurity Incident Response Plan

CISA—Cybersecurity and Infrastructure Security Agency

COIP—Cybersecurity Operational Implementation Plan

CPGs—Cross-Sector Cybersecurity Performance Goals

CRM—Cybersecurity risk management

DFAR—Defense Federal Acquisition Regulation Supplement

DHS—Department of Homeland Security

DoD—Department of Defense

DOE—Department of Energy

DOT—Department of Transportation

E.O.—Executive Order

FDMS—Federal Docket Management System

FERC—Federal Energy Regulatory Commission

FISMA—Federal Information Security Modernization Act of 2014

FR—Federal Register

FRA—Federal Railroad Administration

FSB—Russian Federal Security Service

GPS—Global Positioning System

HSIN—Homeland Security Information Network

IC—Information Circular

ICS—Industrial control system

IRFA—Initial Regulatory Flexibility Analysis

IT—Information technology

MFA—Multi-factor authentication

NARA—National Archives and Records Administration

NEPA—National Environmental Policy Act

NERC—National American Electrical Reliability Corporation

NIST—National Institute of Standards and Technology

NPRM—Notice of proposed rulemaking

OMB—Office of Management and Budget

OT—Operational technology

OTRB—Over-the-road bus

PHMSA—Pipeline and Hazardous Materials Safety Administration

POAM—Plan of Action and Milestones

PTC—Positive Train Control

PTPR—Public Transportation and Passenger Railroads

RFA—Regulatory Flexibility Act of 1980

RIA—Regulatory Impact Analysis

SCADA—Supervisory control and data acquisition

SD—Security Directive

SDDCTEA—US Army Military Surface Deployment and Distribution Command Transportation Engineering Agency

SOAR—Security orchestration, automation, and response

SP—Special Publication

SRP—Secure Regulatory Portal

SSI—Sensitive security information

STA—Security threat assessment

STRACNET—Strategic Rail Corridor Network

TSA—Transportation Security Administration

UMRA—Unfunded Mandates Reform Act of 1995

VADR—Validated Architecture Design Review

Table of Contents

I. Executive Summary

A. Purpose of the Regulatory Action

B. Summary of the Major Provisions

C. Costs

D. Benefits

II. Background

A. Context

1. Pipeline Transportation

2. Rail Transportation

a. Freight Railroads

b. Passenger Railroads

c. Rail Transit

3. Cybersecurity Threats

4. Threat of Cybersecurity Incidents at the Nexus of IT and OT Systems

B. Statutory Authorities

1. TSA Surface-Related SDs and Information Circulars

2. TSA's Assessments, Guidelines, and Regulations Applicable to Pipeline and Rail Systems

a. Pipeline Guidelines, Assessments, and Regulations

b. Regulating Railroads, Public Transportation Systems, and OTRBs

C. References

1. National Cybersecurity Strategy

2. NIST Cybersecurity Framework

3. CISA Cross-Sector Cybersecurity Performance Goals

4. TSA's Advance Notice of Proposed Rulemaking

a. General Support and Need for Regulatory Harmonization and Performance-Based Regulation

b. Core Elements

c. Training

d. Supply Chain

e. Third-Party Assessors

5. Regulatory Harmonization

III. Proposed Rule

A. Rule organization

1. Cybersecurity Requirements

2. Physical Security Requirements

3. General Procedures for Security Programs, SDs, and Information Circulars

4. Relation to Other Rulemakings

B. Terms

1. General Terms

2. TSA Cybersecurity Lexicon

C. Cybersecurity Risk Management Program—General

1. Introduction

2. Applicability

a. Freight Railroads Subject to CRM Program Requirements in Proposed Subpart D of Part 1580

b. Public Transportation Agencies and Passenger Railroads Subject to CRM Program Requirements in Proposed Subpart C of Part 1582

c. OTRB Owner/Operators Subject to Cybersecurity Incident Reporting Requirements in Proposed § 1584.107

d. Pipeline Systems and Facilities Subject to Physical Security Requirements in Proposed Subpart B of part 1586 and CRM Program Requirements in Proposed Subpart C of Part 1586

e. Determinations of Applicability for Requirements in the Proposed Rule

3. Structure of CRM Program Requirements (Proposed §§ 1580.303, 1582.203, and 1586.203)

D. Specific CRM Program Requirements

1. Cybersecurity Evaluation (Proposed §§ 1580.305, 1582.205, and 1586.205)

2. Cybersecurity Operational Implementation Plan (Proposed §§ 1580.307, 1582.207, and 1586.207)

a. General COIP Requirements

b. Governance of the CRM Program (Proposed §§ 1580.309, 1580.311, 1582.209, 1582.211, 1586.209, and 1586.211)

c. Identification of Critical Cyber Systems, Network Architecture, and Interdependencies

d. Procedures, Policies, and Capabilities To Protect Critical Cyber Systems

e. Procedures, Policies, and Capabilities To Detect Cybersecurity Incidents (Proposed §§ 1580.321, 1582.221, and 1586.221)

f. Procedures, Policies, and Capabilities To Respond to, and Recover From, Cybersecurity Incidents

3. Cybersecurity Assessment Plan (Proposed §§ 1580.329, 1582.229, and 1586.229)

4. Documentation To Establish Compliance (Proposed §§ 1580.331, 1582.231, and 1586.231)

E. Physical Security

F. General Procedures for Security Programs, SDs, and Information Circulars

1. General Procedures for Security Programs (Proposed Revisions to Subpart B of Part 1570)

2. SDs and Information Circulars (Proposed Subpart C of Part 1570)

3. Exhaustion of Administrative Remedies (Proposed § 1570.119)

4. Severability

5. Enforcement and Compliance

G. Summary of Applicability and Requirements

H. Compliance Deadlines and Documentation

I. Sensitive Security Information

1. Scope of the Revision to TSA's SSI Regulatory Requirements

2. Disclosure of SSI Upon the “Need To Know”

IV. Regulatory Analyses

A. Economic Impact Analysis

1. Summary of Regulatory Impact Analysis

2. Assessments Required by E.O.s 12866 and 13563

a. Costs

b. Cost Sensitivity Analysis

c. Benefits

d. Break-Even Analysis

3. OMB A-4 Statement

4. Alternatives Considered

5. Regulatory Flexibility Assessment

6. International Trade Impact Assessment

7. Unfunded Mandates Assessment

B. Paperwork Reduction Act

C. Federalism (E.O. 13132)

D. Energy Impact Analysis (E.O. 13211)

E. Environmental Analysis

F. Tribal Consultation (E.O. 13175)

I. Executive Summary

A. Purpose of the Regulatory Action

On May 8, 2021, a Russian-based cybercriminal group, DarkSide, conducted a ransomware attack that forced a major pipeline company to go offline, resulting in a weeklong shutdown of 5,500 miles of petroleum pipelines on the East Coast. Actions taken to protect the Operational Technology (OT) system temporarily disrupted critical supplies of gasoline and other refined petroleum products throughout the East Coast, resulting in a regional emergency declaration. Some news agencies reported pictures of snaking lines of cars at gas stations across the eastern seaboard and panicked Americans filling bags with fuel, fearing not being able to get to work or get their kids to school. TSA subsequently used its emergency authority under 49 U.S.C. 114( l) to impose cybersecurity requirements on certain surface transportation entities. See discussion in section II.B.

The cyber threat to the country's critical infrastructure has only increased in the time since TSA initially issued SDs to address cybersecurity in surface transportation in 2021. Cyber threats to surface transportation systems continue to proliferate, as both nation-states and criminal cyber groups target critical infrastructure in order to cause operational disruption and economic harm. Cyber attackers have also maliciously targeted other surface transportation modes in the United States, including freight railroads, passenger railroads, and rail transit systems, with multiple cyberattack and cyber espionage campaigns. Cybersecurity incidents, particularly ransomware attacks, are likely to increase in the near and long term, due in part to vulnerabilities identified by threat actors in U.S. networks. Especially in light of the ongoing Russia-Ukraine conflict, these threats remain elevated and pose a risk to the national and economic security of the United States.

In its 2023 annual assessment, the Intelligence Community noted that “China almost certainly is capable of launching cyber-attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems.” Notably, “[i]f Beijing believed that a major conflict with the United States were imminent, it almost certainly would consider aggressive cyber operations against U.S. homeland critical infrastructure and military assets worldwide. Such a strike would be designed to deter U.S. military action by impeding U.S. decision-making, inducing societal panic, and interfering with the deployment of U.S. forces.” In addition, “Russia maintains its ability to target critical infrastructure . . . in the United States as well as in allied and partner countries” and “Tehran's opportunistic approach to cyber-attacks puts U.S. infrastructure at risk for being targeted.” Furthermore, “malicious cyber actors have begun testing the capabilities of AI-developed malware and AI-assisted software development—technologies that have the potential to enable larger scale, faster, efficient, and more evasive cyber-attacks—against targets, including pipelines, railways, and other US critical infrastructure.”

While TSA had issued recommendations to strengthen the cybersecurity of pipeline facilities and systems, see discussion in Section II.B.2. of this NPRM, reliance on voluntary actions may not be sufficient in light of the cyber threat to our national and economic security. As noted in the National Cybersecurity Strategy, “While voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes. Today's marketplace insufficiently rewards—and often disadvantages—the owners and operators of critical infrastructure who invest in proactive measures to prevent or mitigate the effects of cyber incidents.”

The requirements proposed in this rule would strengthen cybersecurity and resiliency for the surface transportation sector by mandating reporting of cybersecurity incidents and development of a robust CRM program. This rulemaking builds upon TSA's previously issued requirements and recommendations, the cybersecurity framework (CSF) developed by the National Institute of Standards and Technology (NIST), and the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by the Cybersecurity and Infrastructure Security Agency (CISA).

B. Summary of the Major Provisions

This NPRM proposes to require owner/operators of designated freight railroads, passenger railroads, rail transit, and pipeline facilities and/or systems to have a CRM program approved by TSA. The proposed CRM program includes three primary elements. First, owner/operators to whom the proposed rule applies would be required to annually conduct an enterprise-wide cybersecurity evaluation that would identify the current profile of cybersecurity (including physical and logical/virtual controls) compared to the target profile. The target profile must, at a minimum, include the security outcomes identified in the proposed rule and should also consider recommendations in the NIST CSF.

Second, those owner/operators would be required to develop a COIP that includes the following information: (a) identification of individuals/positions responsible for the governance of the owner/operator's CRM program, including an accountable executive and Cybersecurity Coordinator(s); (b) identification of Critical Cyber Systems, specific network architecture issues, and baseline communications; (c) detailed measures to protect these Critical Cyber Systems; (d) detailed measures to detect cybersecurity incidents and monitor these Critical Cyber Systems; and (e) measures to address response to, and recovery from, a cybersecurity incident. Although many of these measures for the COIP are limited to Critical Cyber Systems, all owner/operators within the proposed scope of applicability would be required to have a Cybersecurity Incident Response Plan (CIRP), regardless of whether they identify any Critical Cyber Systems.

Third, owner/operators subject to the proposed rule would be required to have a CAP that includes a schedule for assessments, an annual report of assessment results, and identification of unaddressed vulnerabilities. Owner/operators would also be required to ensure any individuals or companies assigned or hired to evaluate the effectiveness of the owner/operator's CRM program are independent, i.e., do not have a personal, financial interest in the results of the assessment.

As part of this rule, TSA also is proposing to reorganize requirements in subchapter D of 49 CFR chapter XII related to security coordinators, reporting significant security concerns, and security training of security-sensitive employees. TSA would move these requirements from 49 CFR part 1570 and add them to the specific modal requirements in parts 1580, 1582, 1584, and a new part 1586, which is applicable to pipeline systems and facilities. In general, the applicability of proposed requirements related to designation of a cybersecurity coordinator and reporting cybersecurity incidents align with the current requirements for designation of a (physical) security coordinator and reporting of significant (physical) security concerns under 49 CFR part 1570.201 and 1570.203.

TSA is also proposing to distinguish between requirements focused on physical security and those focused on cybersecurity. As part of this reorganization and proposed imposition of new cybersecurity requirements, TSA is proposing that all owner/operators currently required to report significant security concerns to TSA, under current 49 CFR 1570.203, report significant physical security concerns to TSA and report cybersecurity incidents to CISA. TSA is proposing that owner/operators of designated pipeline facilities and systems also report both physical and cybersecurity incidents.

Finally, TSA is proposing to incorporate into subchapter D a new section related to issuance of SDs and Information Circulars (ICs), mirroring language currently applicable in the aviation industry. Adding this section would ensure consistent procedures for issuance of SDs and ICs across all modes of transportation subject to TSA's authorities.

C. Costs

TSA estimates the proposed rule would impact just under 300 surface transportation owner/operators. Using the risk-based criteria for application discussed below, see Section III.C.2., TSA estimates these proposed requirements would apply to 73 of the approximately 620 freight railroads currently operating in the United States; 34 of the approximately 92 public transportation agencies and passenger railroads (PTPR) operating in the United States; 71 OTRB owner/operators who are currently subject to TSA's regulatory requirements to report significant security concerns; and 115 of the approximately 2,105 pipeline facilities and systems subject to safety regulations issued by the Pipeline and Hazardous Materials Safety Administration (PHMSA), as codified in 49 CFR part 192 and 49 CFR 195.1.

Table 1 identifies TSA's estimates for the overall cost of this proposed rule. This table captures the industry's costs associated with implementing the proposed requirements as well as TSA's costs for overseeing implementation, over a 10-year period of analysis. See Section IV of this NPRM and the related Regulatory Impact Analysis for a more detailed breakdown of the estimated costs.

D. Benefits

The primary benefit of the proposed rule is a potential reduction in the risk of a successful attack or cybersecurity incident and the impact of such incidents as a result of implementing the proposed requirements. Implementation of a CRM program, as described under the proposed rule, could help enhance the security of the regulated population by improving the owner/operator's ability to identify, detect, protect against, respond to, and recover from cybersecurity incidents.

The proposed cybersecurity outcomes this rule would require provide owner/operators with a blueprint for improving defenses against cybersecurity incidents. Industry experience indicates that having a defense-in-depth approach to cybersecurity enhances the ability to prevent and respond to breaches of operational systems and compromises of sensitive information. TSA anticipates the proposed rule's requirements, such as enhancing system security, maintaining backups, monitoring systems, and developing a response plan, would strengthen cybersecurity defenses over the long term. For instance, depending on the individual circumstances of a given cyber-attack or cybersecurity incident—

• A commitment to patch management, system segmentation, and firewalls could limit the resources potential malicious actors would be able to access during an intrusion;

• The presence of backups could allow for system restoration, data recovery, and unhindered system operations;

• Continuous monitoring of the network could help to detect and respond to potential threats and limit system degradation and

• Having a response plan in place in case of a successful cyber-attack or cybersecurity incident would reduce its impact, build in resiliency, and support rapid resumption of normal operations.

These enhances, in turn, could reduce the chance of negative consequences and service interruptions from cybersecurity incidents to the benefit of owners/operators, passengers, and consumers.

II. Background

A. Context

1. Pipeline Transportation

The national pipeline system consists of more than 2.9 million miles of networked pipelines transporting hazardous liquids, natural gas, and other liquids and gases for energy needs and manufacturing. Although most pipeline infrastructure is buried underground, operational elements such as compressors, metering, regulating, pumping stations, aerial crossings, and breakout tanks are typically located above ground. Under operating pressure, the pipeline system is used as a conveyance to deliver resources from one location to another. In addition to portions of the network that are manually operated, the pipeline system includes use of automated industrial control systems (ICS), such as supervisory control and data acquisition (SCADA) systems to monitor and manage pipeline operations. These systems use remote sensors, signals, and preprogramed parameters to activate valves and pumps to maintain product flows within tolerances. Pipeline systems supply energy commodities and raw materials across the country to utilities, airports, military sites, and to the nation's industrial and manufacturing sectors. Protecting the vital supply chain infrastructure of pipeline operations is critical to national security and commerce.

2. Rail Transportation

The rail transportation sector includes freight railroads, passenger railroads (including inter-city and commuter), and rail transit.

a. Freight Railroads

The national freight rail network is a complex system that includes both physical and cyber infrastructure and consists of more than 620 freight railroads operating across nearly 140,000 rail miles. This sector includes six Class I railroads, local (also known as Short Line) railroads, and regional railroads. The Class I railroads had a calendar year 2021 operating revenues of at least $900 million. These six railroads also account for approximately 68 percent of freight rail mileage, 88 percent of employees, and 94 percent of revenue. Regional railroads and local railroads range in size from operations handling a few carloads monthly to multi-state operators nearly the size of a Class I operation. As stated by the Association of American Railroads (AAR), the freight rail sector provides “a safe, efficient, and cost-effective transportation network that reliably serves customers and the nation's economy.”

Freight railroads are private entities that own and are responsible for their own infrastructure. They maintain the locomotives, rolling stock, and fixed assets involved in the transportation of goods and materials across the nation's rail system. As required by Congress, railroads are subject to safety regulations promulgated and enforced by the Federal Railroad Administration (FRA). TSA administers and enforces the rail security regulations in 49 CFR part 1580.

b. Passenger Railroads

Passenger rail is divided into two categories: inter-city and commuter rail service. Inter-city provides long-distance service, while commuter railroads provide service over shorter distances, usually less than 100 miles. The National Railroad Passenger Corporation (Amtrak) is the sole long-distance inter-city passenger railroad in the contiguous United States. Amtrak, which had a pre-pandemic annual ridership of approximately 31.7 million, operates a nationwide rail network, serving more than 500 destinations in 46 states, the District of Columbia, and three Canadian provinces on more than 21,300 track-miles. Nearly half of all Amtrak trains operate at top speeds of 100 mph or greater. In fiscal year 2023, Amtrak customers took nearly 28.6 million trips, up 24 percent over the previous year. In addition to inter-city service, Amtrak is one of the largest operators of contract commuter services in North America, providing services and/or infrastructure access to 13 state and regional authorities.

Freight railroads provide the tracks for most passenger rail operations. For example, 71 percent of the track on which Amtrak operates is owned by other railroads. These “host railroads” include large, publicly traded freight rail companies in the U.S. or Canada, State and Local government agencies, and small businesses. Amtrak pays the host railroads for use of their track and other resources as needed.

Amtrak and other passenger rail agencies, however, are not wholly dependent on freight rail infrastructure and corridors for operational feasibility; they sometimes control, operate, and maintain tracks, facilities, construction sites, utilities, and computerized networks essential to their own operations. For example, the Northeast Corridor is an electrified railway line in the Northeast megalopolis of the United States owned primarily by Amtrak. It runs from Boston through New York City, Philadelphia, and Baltimore, with a terminus in Washington, DC. The majority of this corridor, 263 of the 457 route-miles of the main line, are owned and operated by Amtrak.

Amtrak and other passenger railroads also host freight rail operations. In fact, the Northeast Corridor is the busiest railroad in North America, with approximately 2,000 Amtrak, commuter, and freight trains operating over some portion of the Washington-Boston route each day. As with freight railroads, passenger railroads are subject to safety regulations put forth and enforced by the FRA. TSA administers and enforces passenger rail security regulations in 49 CFR part 1582.

c. Rail Transit

Public transportation in America is critically important to our way of life, as evidenced by the number of riders on the nation's public transportation systems. According to the American Public Transportation Association (APTA), 2022 Public Transportation Fact Book, there were over 4.49 billion unlinked passenger trips in 2021. Nationwide, 5.0 million Americans commute to work on transit, equivalent to approximately 3.1 percent of workers. In major metropolitan areas, like New York City, over 27 percent of commuters rely on public transportation for their daily commute. Rail transit is a critical part of this system. According to APTA, 87 percent of trips on transit directly benefit the local economy, including 50 percent of trips to and from work and 37 percent of trips are for shopping and recreational spending. A successful cyber-attack would have a profound impact on ridership and a negative economic impact nationwide. TSA administers and enforces rail transit security regulations in 49 CFR part 1582.

3. Cybersecurity Threats

Threat actors have demonstrated their willingness to engage in cyber intrusions and conduct cybersecurity incidents against critical infrastructure by exploiting vulnerabilities in OT and Information Technology (IT) systems. Pipeline and rail systems, and associated facilities, may be vulnerable to cybersecurity incidents due to legacy ICS that lack updated security controls and the dispersed nature of pipeline and rail networks spanning urban and outlying areas.

As pipeline and rail owner/operators have begun to integrate IT and OT systems into their operating environment to further improve safety, enable efficiencies, and/or increase automation, their operations become increasingly vulnerable to new and evolving cyber threats. A successful cyber-intrusion could affect the safe operation and reliability of OT systems, including SCADA systems, process control systems, distributed control systems, safety control systems, measurement systems, and telemetry systems.

From a design perspective, some pipeline and rail assets are more attractive to targets for a cybersecurity incident simply because of the transported commodity and the impact an incident would have on national security and commerce. Minor pipeline and rail system disruptions may result in commodity price increases, while prolonged pipeline and rail operational disruptions could lead to widespread energy shortages and disruption of critical supply lines. Short-and long-term disruptions and delays may affect other domestic critical infrastructure and industries, such as our national defense system, that depend on pipeline and rail system commodities, such as our national defense system.

The May 2021 DarkSide attack on a major pipeline company is just one of many recent ransomware attacks that have demonstrated the necessity of ensuring that critical infrastructure owner/operators are proactively deploying CRM measures. The Multi-State Information Sharing and Analysis Center observed a 153 percent increase in the number of ransomware attacks reported by State, Local, Tribal, and Territorial governments in the one-year period from 2018 to 2019, including both opportunistic and strategic campaigns. The need to mitigate the threats facing domestic critical infrastructure, including by enhancing the pipeline and rail industry's current cybersecurity risk management posture, is further highlighted by recent warnings about Russian, Chinese, and Iranian state-sponsored cyber espionage campaigns to develop capabilities to disrupt U.S. critical infrastructure to include the transportation sector. Failure to take action could have significant implications for national and economic security.

On March 24, 2022, the U.S. Department of Justice unsealed indictments of three Russian Federal Security Service (FSB) officers and employees of a State Research Center of the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics for their involvement in intrusion campaigns against U.S. and international oil refineries, nuclear facilities, and energy companies. Documents revealed that the Russian FSB conducted a multi-stage campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data. A recent multi-national cybersecurity advisory noted that “Russian state-sponsored cyber actors have demonstrated capabilities to compromise IT networks; develop mechanisms to maintain long-term, persistent access to IT networks; exfiltrate sensitive data from IT and [OT] networks; and disrupt critical (ICS)/OT functions by deploying destructive malware.”

The nation's adversaries and strategic competitors will continue to use cyber espionage and cyber-attacks to seek political, economic, and military advantage over the United States and its allies and partners. These recent incidents demonstrate the potentially devastating impact that increasingly sophisticated cybersecurity incidents can have on our nation's critical infrastructure, as well as the direct repercussions felt by U.S. citizens. The consequences and threats discussed above demonstrate the necessity of ensuring that critical infrastructure owner/operators are proactively deploying CRM measures.

4. Threat of Cybersecurity Incidents at the Nexus of IT and OT Systems

Some sectors have taken significant steps to protect either their IT or OT systems, depending on which is considered most critical for their business needs ( e.g., a commodities sector may focus on OT systems while a financial sector or other business that focuses on data may focus on IT systems). Ransomware attacks targeting critical infrastructure threaten both IT and OT systems and exploit the connections between these systems. For example, when OT components are connected to IT networks, this connection provides a path for cyber actors to pivot from IT to OT systems. Given the importance of critical infrastructure to national and economic security, accessible OT systems and their connected assets and control structures are an attractive target for malicious cyber actors seeking to disrupt critical infrastructure for profit or to further other objectives. As CISA notes, recent cybersecurity incidents demonstrate that intrusions affecting IT systems can also affect critical operational processes even if the intrusion does not directly impact an OT system. For example, business operations on the IT system sometimes are used to orchestrate OT system operations. As a result, when there is a compromise of the IT system, there is a risk of unaffected OT systems being impacted by the loss of operational directives and accounting functions.

DHS, the Department of Energy (DOE), the Federal Bureau of Investigation, and the National Security Agency have all urged the private sector to implement a layered, “defense-in-depth” cybersecurity posture. For example, ensuring that OT and IT systems are separate and segregated will help protect against intrusions that can exploit vulnerabilities from one system and move laterally to infect another. A stand-alone, unconnected (“air-gapped”) OT system is safer from outside threats than an OT system connected to one or more enterprise IT systems with external connectivity (no matter how secure the outside connections are thought to be). By implementing a layered approach, owner/operators and their network administrators will enhance the defensive cybersecurity posture of their OT and IT systems, reducing the risk of compromise or severe operational degradation if their system is compromised by malicious cyber actors.

The cyber threat to our nation's critical infrastructure has only increased in the time since TSA's first cybersecurity SD was issued. The surface transportation sector, including the oil and gas pipeline industry, is increasingly dependent on automation and use of connected technology. Cyber threats to surface transportation systems continue to proliferate as both nation-state actors and criminal cyber groups are actively targeting oil and natural gas pipelines with the potential to cause operational disruption and economic harm. Ransomware attacks are likely to increase in the near and long term, due in part to vulnerabilities identified by threat actors in U.S. networks, while nation-state actors continue to target U.S. infrastructure for disruptive cyberattack options in a crisis or conflict. These threats and their potential consequences to critical transportation systems and infrastructure demonstrate the need for TSA to ensure owner/operators continue to proactively deploy cybersecurity risk management measures.

Protecting this critical and interconnected sector, and the consumers that rely on it, from the impact of cybersecurity impacts, cannot be accomplished on an ad hoc basis that relies entirely on voluntary action. The pipeline sector is an interconnected system. As noted by the Interstate Natural Gas Association of America, “natural gas transmission systems have numerous interconnection points and market hubs. . . . There are no major interstate pipelines that operate in isolation, i.e., without interconnection with at least one or more other pipelines.” As noted by the PHMSA, “[p]ipelines play a vital role in our daily lives. They transport fuels and petrochemical feedstocks that we use in cooking and cleaning, in our daily commutes and travel, in heating our homes and businesses, and in manufacturing hundreds of products we use daily.”

Similarly, with the nation's rail system, railroads move over 1.5 billion tons of freight annually, and a disruption to this movement would have damaging ripple effects across industries, including on international trade. In the rail system, the implementation of positive train control (PTC) systems has resulted in a far more interconnected rail system than previously existed in the Unites States. The interoperability of PTC systems occurs when the “controlling locomotives and/or cab cars of any host railroad and tenant railroad operating on the same PTC-equipped main line are able to communicate with and respond to the PTC system, even when train are moving over property boundaries.” The nation's economic security relies on freight rail owner/operators to transport critical manufacturing materials, food product, lumber, coal, and other materials critical to the supply chain. These railroads also host major passenger and commuter rail lines. The nature of these systems requires a baseline of cybersecurity risk management across the highest-risk operations to protect these vital resources to national security, including economic security.

B. Statutory Authorities

The security of the nation's transportation systems is vital to the economic health and security of the United States. Ensuring transportation security while promoting the movement of legitimate travelers and commerce is a critical counter-terrorism mission assigned to TSA.

Following the attacks of September 11, 2001, Congress created TSA under the Aviation and Transportation Security Act (ATSA) and established the agency's primary federal role to enhance security for all modes of transportation. The scope of TSA's authority includes assessing security risks, developing security measures to address identified risks, and enforcing compliance with these measures. TSA has broad regulatory authority to issue, rescind, and revise regulations as necessary to carry out its transportation security functions.

1. TSA Surface-Related SDs and Information Circulars

Under 49 U.S.C. 114(l)(2)(A), TSA is authorized to issue emergency regulations or SDs without providing notice or public comment where “the Administrator determines that a regulation or security directive must be issued immediately in order to protect transportation security.” SDs issued pursuant to the procedures in 49 U.S.C. 114(l)(2) “shall remain effective for a period not to exceed 90 days unless ratified or disapproved by the [Transportation Security Oversight] Board [(TSOB)] or rescinded by the Administrator.”

TSA issued SDs in 2021 and 2022 in response to the cybersecurity threat to surface transportation systems and associated infrastructure to protect against the significant harm to the national and economic security of the United States that could result from the “degradation, destruction, or malfunction of systems that control this infrastructure.” The most current and previous versions of these SDs are available on TSA's website.

The first pipeline SD (the SD Pipeline-2021-01 series), issued on May 27, 2021, requires several actions to enhance the security of critical pipeline systems against cybersecurity threats and provided that owners/operators must: (1) designate a primary and alternate Cybersecurity Coordinator; (2) report cybersecurity incidents to CISA within 24 hours of identification of a cybersecurity incident; and (3) review TSA's pipeline guidelines, assess their current cybersecurity posture, and identify remediation measures to address the vulnerabilities and cybersecurity gaps. For purposes of the SDs, TSA defined a “cybersecurity incident” as “an event that, without lawful authority, jeopardizes, disrupts or otherwise impacts, or is reasonably likely to jeopardize, disrupt or otherwise impact, the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system.” The reports must (1) identify the affected systems or facilities; and (2) describe the threat, incident, and impact or potential impact on IT and OT systems and operations.

The second pipeline SD (the SD Pipeline-2021-02 series), first issued on July 19, 2021, required owner/operators to implement specific mitigation measures to protect against ransomware attacks and other known threats to IT and OT systems and conduct a cybersecurity architecture design review. This SD also required owner/operators to develop and adopt a cybersecurity incident response plan to reduce the risk of operational disruption should their IT and/or OT systems be affected by a cybersecurity incident.

In December 2021, TSA issued SDs to higher-risk freight railroads (the SD 1580-21-01 series) and passenger rail and rail transit owner/operators (the SD 1582-21-01 series), requiring that they also implement the following requirements previously imposed on pipeline systems and facilities: (1) designation of a Cybersecurity Coordinator; (2) reporting of cybersecurity incidents to CISA within 24 hours; (3) developing and implementing a cybersecurity incident response plan to reduce the risk of an operational disruption; and (4) completing a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems. For owner/operators not specifically covered under the SD 1580-21-01 or 1582-21-01 series, TSA also issued an Information Circular (IC-2021-01), which included a non-binding recommendation for those surface owner/operators not subject to the SDs to voluntarily implement the same measures.

In the year following issuance of the second pipeline SD, TSA determined that its prescriptive requirements limited the ability of owner/operators to adapt the requirements to their operational environment and apply innovative alternative measures and new capabilities. Because of the need to provide greater flexibility, TSA revised this SD series, effective July 27, 2022 (SD Pipeline-2021-02C), to maintain the security objectives in the previous versions of the SD but also provide more flexibility by imposing performance-based, rather than prescriptive, security measures. As revised, the SD allows covered owner/operators to choose how best to implement security measures for their specific systems and operations while mandating that they achieve critical security outcomes. This approach also affords these owner/operators with the ability to adopt new technologies and security capabilities as they become available, if TSA's mandated security outcomes continue to be met.

The current directive, most recently revised in July 2024, specifically requires the covered owner/operators of critical pipeline systems and facilities to take the following actions:

• Establish and implement a TSA-approved CIP that describes the specific cybersecurity measures employed to protect Critical Cyber Systems, as defined by the owner/operator, and the schedule for achieving the security outcomes identified by TSA.
• Develop and maintain an up-to-date CIRP to reduce the risk of operational disruption, or the risk of other business disruption, as defined in the SD, should the IT and/or OT systems of a gas or liquid pipeline or railroad be affected by a cybersecurity incident. The CIRP must be exercised each year to test at least two objectives of the plan and include personnel responsible for actions in the CIRP.
• Develop a CAP that describes how the owner/operator will proactively, regularly, and completely assess the effectiveness of cybersecurity measures in their CIP, and identify and resolve device, network, and/or system vulnerabilities. This plan must be submitted to TSA for approval and an annual report provided to TSA and corporate leadership.

The CIP must identify how the owner/operators meet the following primary security outcomes:

• Implement network segmentation policies and controls to ensure that the OT system can continue to safely operate in the event that an IT system has been compromised, or vice versa;
• Implement access control measures to secure and prevent unauthorized access to critical cyber systems;
• Implement continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and
• Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.

As noted above, in addition to developing and implementing a TSA-approved CIP, this directive requires the covered owner/operators to continually assess their cybersecurity posture. These owner/operators must develop and update a CAP and submit an annual plan to TSA that describes their program for the coming year, including details on the processes and techniques that they would be using to assess the effectiveness of cybersecurity measures. Techniques such as penetration testing of IT systems and the use of “red” and “purple” team (adversarial perspective) testing are referenced in the SD. At a minimum, the CAP must include an architectural design review every 2 years. See section III.D.3. of this NPRM for additional discussion regarding the CAP required by the SD.

The scope of the requirements in this directive apply to Critical Cyber Systems. TSA defined a Critical Cyber System to include “any IT or OT system or data that, if compromised or exploited, could result in operational disruption. Critical Cyber Systems include business services that, if compromised or exploited, could result in operational disruption.”

On October 18, 2022, TSA issued an SD imposing similar performance-based cybersecurity requirements on higher-risk freight railroads and passenger rail owner/operators (SD 1580/82-2022-01). This SD was also developed with extensive input from industry stakeholders and federal partners, including CISA and the FRA, to address issues unique to the rail industry. This engagement included providing the industry with a draft to review and comment upon and several meetings, including technical roundtables with cyber experts within the industry, before TSA issued the SD.

As TSA issued these directives under the statutory authority in 49 U.S.C. 114( l)(2) and intended the requirements to be in place for more than 90 days, TSA sought TSOB review and ratification of the use of the agency's emergency authorities. Table 2 provides the ratification dates for each SD.

2. TSA's Assessments, Guidelines, and Regulations Applicable to Pipeline and Rail Systems

The Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Act) requires certain actions to enhance surface transportation security. The following two mandates are specifically relevant to this rulemaking.

a. Pipeline Guidelines, Assessments, and Regulations

Section 1557(a) of the 9/11 Act requires a program to review pipeline operator adoption of guidelines originally issued by the DOT in 2002. TSA originally reviewed operators' adoption of the Pipeline Security Information Circular, issued on September 5, 2002, by DOT's Office of Pipeline Safety as the primary federal guideline for industry security. TSA also reviewed operators' adoption of a complementary document, the DOT-issued Pipeline Security Contingency Planning Guidance of June 2002.

Recognizing that the Security Circular required updating, TSA initiated a process to amend the federal security guidance. These revised guidelines were first developed in 2010 and 2011 in collaboration with industry and government members of the Pipeline Sector and Government Coordinating Councils and other industry association representatives and included a range of recommended security measures covering all aspects of pipeline operations. Consistent with TSA's general authorities under ATSA and the requirements in section 1557(d) of the 9/11 Act, the advancement of security practices to meet the ever-changing threat environment in both the physical and cyber security realms required that the guidelines be updated again. Using a similar industry and government collaborative approach, TSA updated the Pipeline Security Guidelines in 2018 (Pipeline Guidelines). As part of this update, TSA added Section 7, “Pipeline Cyber Asset Security Measures,” including pipeline cyber asset identification; security measures for pipeline cyber assets; and cybersecurity planning and implementation guidance.

Section 1557(b) also requires reviewing the pipeline security plans and inspection of the most critical facilities for the 100 most critical pipeline operators. The Pipeline Guidelines are used as the standard for TSA's Pipeline Security Program Corporate Security Reviews (CSRs) and Critical Facility Security Reviews (CFSRs) of the most critical pipeline systems. The CSR program has been in effect since 2003, during which time a total of approximately 260 CSRs have been completed industry wide. Approximately 800 CFSRs have been completed since this program's inception in 2009.

Finally, section 1557(d) specifically authorizes the Secretary of Homeland Security (Secretary) to issue regulations, as appropriate and following consultation with the Secretary of Transportation on the extent of risk and appropriate mitigation measures, and to issue binding regulations and carry out necessary inspection and enforcement actions. Such regulations would incorporate the 2002 guidelines and contain additional requirements as necessary based upon results of the inspections performed under section 1557(b). This section specifically authorizes assessment of penalties against pipeline facilities and systems for non-compliance. While TSA has had this authority since 2007, TSA has not determined it was necessary to exercise it until this current rulemaking, which is intended to address the increasing cybersecurity threat to pipeline facilities and systems.

In addition, while the guidelines are available to all pipeline facilities and systems, regardless of whether TSA has determined the system is critical, TSA has not determined it is necessary to impose cybersecurity requirements through its emergency authorities on the full scope of pipeline owner/operators to which the guidelines are issued.

Although this rulemaking would impose cybersecurity requirements on certain pipeline owners and operators and subject such entities to inspections for compliance, TSA would continue to conduct voluntary security assessments in areas where mandatory requirements do not exist ( e.g., the physical security measures recommended in the guidelines) as part of a “structured oversight” approach. This approach assesses and provides feedback on voluntary implementation of cybersecurity recommendations for systems not covered by this proposed rule. These assessments would continue TSA's approach of working with the industry to determine the industry's voluntary adoption and adherence to non-regulatory guidelines, including Security Action Items and other security measures developed jointly with, and agreed to by, industry stakeholders to meet relevant security needs. As part of these assessments, TSA provides recommendations to owner/operators and identifies resources to support them in voluntarily enhancing their physical and security baseline.

b. Regulating Railroads, Public Transportation Systems, and OTRBs

In 2008, TSA promulgated regulations imposing security requirements on owner/operators of freight railroads, rail transit systems, including passenger rail and commuter rail, heavy rail transit, light rail transit, automated guideway, cable car, inclined plane, funicular, and monorail systems. This regulation, in pertinent part, covers appointment of security coordinators and security-related reporting requirements. For freight railroads, the 2008 rule also imposed requirements for the secure transport of Rail Security-Sensitive Materials.

In addition to measures to enhance pipeline security, the 9/11 Act required other regulations to enhance surface transportation security. On March 23, 2020, consistent with these requirements, TSA published the final rule, “Security Training for Surface Transportation Employees.” This regulation requires owner/operators of higher-risk freight railroad carriers (as defined in 49 CFR 1580.101), public transportation agencies (including rail mass transit and bus systems and passenger railroad carriers, as defined in 49 CFR 1582.101), and OTRB companies (as defined in 49 CFR 1584.101), to provide TSA-approved security training to employees performing security-sensitive functions. In addition to implementing these provisions, the final rule also expanded the requirement for security coordinators and reporting of significant security concerns to apply to OTRB and bus-only public transportation agencies, and defined Transportation Security-Sensitive Materials.

The 9/11 Act also requires regulations for higher-risk public transportation agencies, railroads, and OTRB owner/operators to develop security plans to address specific security issues and vulnerabilities identified during an assessment of specific systems, infrastructure, and capabilities. TSA published an advance notice of proposed rulemaking (ANPRM) in December 2016 seeking comment on specific issues related to the 9/11 Act's requirements for a regulation to address vulnerability assessments and security plans. Through this ANPRM, TSA solicited information on the extent to which owner/operators of freight railroads, PTPR systems, and OTRBs had taken actions consistent with those prescribed by the 9/11 Act for vulnerability assessments and security plans, what resources they used to support these actions, and information on implementation costs. Given the passage of time and different scope of this rulemaking, TSA has established a new docket for this rulemaking and advises commenters on the 2016 ANPRM to submit comments on this NPRM if they wish for their views to be addressed in a final rule.

While the requirements in this proposed rule would not address all elements of vulnerability assessments and security plans stipulated in the 9/11 Act, it would address the 9/11 Act's requirements as they relate to the IT and OT systems used by high-risk freight railroads and PTPR systems. For example, the 9/11 Act requires identification and evaluation of critical systems, including information systems, plans for providing redundant and backup systems needed to ensure continued operations in the event of a cybersecurity incident, and identification of the vulnerabilities to these systems. The vulnerability assessment requirements applicable to higher-risk rail carriers must also identify strengths and weaknesses in (1) programmable electronic devices, computers, or other automated systems used in providing transportation; (2) alarms, cameras, and other protection systems; (3) communications systems and utilities needed for railroad security purposes, including dispatching and notification systems; and (4) other matters determined appropriate by the Secretary. For security plans, the statute requires regulations that address, among other things, actions to mitigate identified vulnerabilities, the protection of passenger communication systems, emergency response, ensuring redundant and backup systems are in place to ensure continued operation of critical elements of the system in the event of a terrorist attack or other incident, and other actions or procedures as the Secretary determines are appropriate to address the security of the public transportation system or the security of railroad carriers, as appropriate. The provisions proposed in this NPRM would satisfy such requirements as they relate to cybersecurity in high-risk public transportation agencies and railroads.

In short, the 9/11 Act provisions described above contain a combination of detailed requirements regarding vulnerability assessments and the content of security plans. Each of these provisions confirms and supplements TSA's authority to impose such requirements as are appropriate or necessary to ensure the security of the transportation system. TSA would issue the proposed rule pursuant to and consistent with its general authorities and the 9/11 Act's requirements.

C. References

1. National Cybersecurity Strategy

In March 2023, the Biden-Harris Administration released the National Cybersecurity Strategy. This strategy includes the following five pillars identified as critical for building and enhancing the collaboration necessary to strengthen the nation's cybersecurity posture to protect infrastructure critical to national security and the economy: (a) defend critical infrastructure; (b) disrupt and dismantle threat actors; (c) shape market forces to drive security and resilience; (d) invest in a resilient future; and (e) forge international partnership to pursued shared goals.

Consistent with this strategy, TSA is proposing a performance-based regulation for cybersecurity that builds on the NIST CSF and uses the CISA CPGs as guardrails to ensure prioritization of those measures most critical for establishing a common baseline to reduce known risks to national security and the economy. The following provides a high-level overview of the NIST CSF and the CISA CPGs. A table that aligns these two documents with the proposed requirements in this NPRM is available in the docket for this rulemaking.

2. NIST Cybersecurity Framework

Executive Order (E.O.) 13636 of February 12, 2013 (Improving Critical Infrastructure Cybersecurity), directed NIST to develop a voluntary framework to reduce cyber risks to critical infrastructure. This framework, created in collaboration between industry and government, consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The recommendations in the framework are intended to provide a prioritized, flexible, repeatable, and cost-effective approach to manage cybersecurity-related risks. The framework is not a regulatory document in that it is written as recommendations and is not enforceable. The recommendations are also extensive and may not be applicable to every business or context. NIST is currently in the process of reviewing and revising the Cybersecurity Framework. For purposes of this rulemaking, TSA has relied on Version 1.1 of April 16, 2018.

The NIST CSF is a comprehensive resource for developing a comprehensive cybersecurity program for any business. The framework generally includes the following key steps: (a) understanding the business's current cybersecurity posture by scoping the Organizational Profile; (b) gathering information needed to prepare the Organizational Profile, i.e., defining a target state, which should be informed by standards and applicable regulations; (c) creating an Organizational Profile that identifies and prioritizes opportunities for improving within the context of continuous and repeatable processes; (d) analyzing the gaps between current state and the Target Profile, and creating an action plan to address any identified gaps, including a Plan of Action and Milestones; and (e) implementing the action plan and updating the Organizational Profile as necessary to keep the organization moving towards the target. These steps are part of an iterative cycle that should also consider opportunities for documenting and communicating the organization's cybersecurity capabilities and known opportunities for improvement with external stakeholders, including business partners, prospective customers, suppliers, and other third parties.

There are currently six core functions to the framework: govern, identify, protect, detect, respond, and recover. NIST recommends that all these functions be addressed concurrently as they all have vital roles related to cybersecurity. Within each of these functions, there are multiple recommendations. Finally, the framework identifies several framework tiers in ascending order of cybersecurity maturity. The first and lowest tier, “Partial,” recognizes an ad hoc, reactive, and irregular approach to cybersecurity that is driven by case-by-case responses in an environment that fails to identify clear roles and responsibilities for cybersecurity. The next tier, “Risk Informed,” has a cybersecurity program that is approved by management but may not be known organization wide. While there may be an awareness of risk at certain levels within the organization, the company lacks an organization-wide process to manage risks and doesn't fully recognize both dependencies and dependents that could be affected by insufficient cybersecurity.

As companies mature in developing and implementing cybersecurity measures, they should be moving to a “Repeatable” tier. In this tier, processes are formally approved and are known and communicated organization wide. There is an organization-wide approach to managing risks, consistent methods are in place for cybersecurity policies, individuals within the company known their roles and responsibilities for cybersecurity, and the company is aware of dependencies and dependents. The top tier, “Adaptive,” applies to companies that have implemented predictive, advanced technologies to address cybersecurity. In this tier, cybersecurity risks inform corporate decisions, and the company understands its role in the larger ecosystem and contributes to a broadening understanding of cybersecurity in its business environment. As part of this understanding, the company has a strong supply chain understanding and program to manage cybersecurity risks within the supply chain based on dependencies and dependents.

3. CISA Cross-Sector Cybersecurity Performance Goals

CISA developed the CPGs as directed by the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (signed July 28, 2021). The CISA CPGs can be read as a prioritized subset of the NIST CSF framework that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques. As with the NIST CSF, the CISA CPGs are voluntary. Unlike the NIST CSF, the CISA CPGs are not intended to be comprehensive. Aligned with the NIST CSF, the CISA CPGs supplement that framework by supporting businesses in prioritizing cybersecurity measures critical for establishing a baseline of cybersecurity across critical infrastructure that emphasizes measures based on their demonstrated ability to reduce known risks. The prioritization used in the CISA CPGs goes beyond consideration of risks to specific entities and considers the aggregate risk to the nation of cybersecurity incidents on critical sectors. The recommendations in the CISA CPGs align with the six core functions of the NIST CSF identified above.

4. TSA Advance Notice of Proposed Rulemaking

On November 30, 2022, TSA published an ANPRM to provide an opportunity for interested individuals and organizations, particularly higher-risk pipeline and rail (including freight, passenger, and transit rail) operations, to help TSA develop a comprehensive and forward-looking approach to surface cybersecurity requirements. The ANPRM also solicited input from the industry associations representing these companies, third-party cybersecurity subject matter experts, and insurers and underwriters for cybersecurity risks for these transportation sectors.

TSA received comments from 35 commenters in response to the ANPRM, with almost 600 specific issues raised by the commenters, which included major trade associations and individuals. Most comments received fell into a few general categories: (1) general support; (2) emphasis on the need for regulatory harmonization and performance-based regulation; and (3) comments on core elements, particularly comments related to training, supply chain, and third-party assessors. Some comments opposed potential regulation at this time, suggesting that voluntary measures are currently sufficient, and that TSA should wait for other standards (such as the CISA CPGs) to further mature. TSA considered all comments received. The following provides a high-level summary of the comments.

a. General Support and Need for Regulatory Harmonization and Performance-Based Regulation

The industry comments generally supported a regulation that builds upon the previously issued SDs. Many commenter groups complimented TSA's current performance-based directives, which provide owner/operators the flexibility to determine how to implement cybersecurity protocols to achieve the desired outcomes. Furthermore, they emphasized how adaptive CRM programming would enable regulated parties to—

• Assess known and potential system and environment vulnerabilities;
• Assess the likelihood and potential operational and financial impacts of a threat actor leveraging vulnerabilities to cause a cybersecurity incident;
• Develop a regular cadence of reassessing risk factors and recalculating risk; and
• Implement and monitor the effectiveness of appropriate mitigating controls to reduce the probability or impact of an attack.

A recurring theme in the ANPRM comments focused on encouraging TSA to use existing standards as a reference ( e.g., the NIST CSF, the CISA CPGs, and the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards ) and collaborate with other Federal agencies to harmonize cybersecurity requirements. Several respondents recommended that TSA facilitate a cross-government group composed of State and Federal agencies that would meet regularly ( e.g., monthly stakeholder calls or ongoing TSA-led briefings to relevant sector coordinating officials) as well as develop common lexicons between these entities before issuing requirements.

b. Core Elements

In the ANPRM, TSA sought comment on the following 11 core elements for a CRM program:

• Designation of an individual responsible for cybersecurity;
• Access controls;
• Vulnerability assessments;
• Penetration testing, drills, and exercises;
• Technical security controls;
• Physical security controls;
• Incident response planning & operational resilience;
• Incident reporting and information sharing;
• Personnel training & awareness;
• Supply chain/third-party risk management; and
• Recordkeeping and documentation.

While TSA reviewed all of the comments received, we also note that many of the comments reiterated issues raised in discussions with industry post-issuance of the SDs discussed above. The comments, however, also included three issues of particular interest to TSA as they applied to requirements included in this proposed rule that were not specifically in the SDs: employee cyber training, supply chain/third-party vendors, and third-party assessors.

c. Training

Many comments referenced or addressed workforce cyber training. Commenters acknowledged that security training is a critical component of overall organizational security and compliance. While generally supportive of the requirement, one of the industry commenters recommended against establishing “specific training requirements,” noting that specific training needs should be based on an organization's particular operating environment as well as the costs associated with a cybersecurity incident.

d. Supply Chain

The National Cybersecurity Strategy (March 2023) identifies the criticality of a secure global supply chain for information, communications, and OT products and services. Consistent with this prioritization, DHS identified supply chain and third-party service provider risk management as a core element for DHS cybersecurity regulations. A majority of comments mentioned or addressed supply chain issues. Many commenters discussed their efforts to establish a common understanding with vendors and third parties through cybersecurity contract provisions regarding notifications of product vulnerability, access to security patches, notifications of cybersecurity incidents, etc. One association specifically noted that a number of pipeline operators are working with DHS to develop improved ways to facilitate conversations on security between vendors and operators.

e. Third-Party Assessors

The concept of third-party assessors was the topic of a significant number of comments. In general, commenters opposed requiring owners and operators to conduct assessments using third-party validators. Commenters considered such a requirement to be shifting costs from the government to the regulated parties. Companies within the different surface sub-sectors have varying degrees of capability and capacity to adopt cybersecurity standards. For example, one association indicated that they proactively conduct security control assessments of third parties and include them in response and recovery plans and exercises. Others, however, indicated they lack the capability and resources to use third-party assessors.

5. Regulatory Harmonization

As noted by the Office of the National Cyber Director (ONCD) in an August 2023 Request for Information, the National Cybersecurity Strategy calls for establishing cybersecurity regulations to secure critical infrastructure where existing measures are insufficient, harmonizing and streamlining new and existing regulations, and enabling regulated entities to afford to achieve security.

TSA emphasizes its commitment to regulatory harmonization and streamlining, and notes that this proposed rule, which is grounded in NIST's Framework for Improving Critical Infrastructure Cybersecurity, NIST's standards and best practices, and the CISA CPGs, is consistent with such priorities. TSA also acknowledges the ongoing rulemakings of other DHS components, including ongoing rulemakings on cybersecurity in maritime transportation and implementation of CIRCIA. Finally, TSA notes that this proposed rule follows several years of implementation of TSA's SDs. As noted in TSA's information collection requests for the SDs, TSA has not identified any other duplicative requirements for the cybersecurity mitigation measures required by the SDs and received no comments regarding duplication in response to notices published in the Federal Register .

TSA's experience in imposing cybersecurity requirements to date, as well as feedback from the owner/operators subject to those requirements, indicates that complete harmonization is not possible. Even within the transportation sector, there are modal operational issues, different physical controls by other agencies that support defense-in-depth measures, as well as other factors that must be considered. For example, SD-Pipeline-2021-02 recognizes that the need to provide ready access to industrial control workstations in controls rooms may make a requirement for multi-factor authentication (MFA) inadvisable. TSA allows owner/operators to rely on compensating controls use to meet control room requirements issued by the PHMSA. Similarly, TSA provides an allowance for alternatives to encryption for certain systems used by railroads and recognizes compliance with FRA's requirements to address access to PTC system components in locomotives.

While TSA believes differences in cybersecurity requirements may be intentional based on sector-specific distinctions, TSA welcomes comments on opportunities to harmonize and streamline regulations where feasible and appropriate.

III. Proposed Rule

A. Rule Organization

This rule proposes changes to the requirements applicable to owner/operators of freight railroads, PTPR, and OTRBs in subchapter D of title 49 CFR, subtitle B, chapter XII. The rule also proposes to add a new part 1586 to this subchapter, which would impose requirements applicable to owner/operators of specific pipeline facilities and systems.

To facilitate implementation of these requirements, TSA is proposing to significantly revise subchapter D. Some of these revisions are technical revisions to consolidate previously imposed procedures or requirements or to align procedures for security programs with TSA's existing processes for aviation. TSA believes consolidating procedural and general requirements in part 1570, while providing consolidated modal-specific requirements in modal-specific parts, would make it easier for owner/operators to identify and implement the proposed requirements. TSA is also proposing revisions to terms in part 1500 that have use in multiple provisions in chapter XII of title 49 and of part 1520 to ensure information required by the revisions to subchapter XII is protected as SSI, as applicable.

1. Cybersecurity Requirements

The most significant proposed revision to TSA's regulations is the addition of requirements for higher-risk owner/operators of freight railroads, PTPR, and pipeline facilities and systems to have a comprehensive CRM program. These proposed requirements are found in new subpart D of part 1580 (applicable to freight railroads), subpart C of part 1582 (applicable to PTPR), and subpart C of part 1586 (applicable to pipeline facilities and systems). This proposed rule would also add a requirement in subpart B of part 1584 for higher-risk OTRB owner/operators to report cybersecurity incidents but would not impose the comprehensive CRM program requirements on this mode.

2. Physical Security Requirements

Through this rulemaking, TSA is proposing to distinguish between physical security and cybersecurity. TSA is proposing to move the requirements currently in subchapter D related to designating a security coordinator and reporting significant security concerns. TSA is proposing to move these requirements to revised subparts B within parts 1580, 1582, and 1584, respectively. These revised subparts B would contain security program requirements primarily focused on physical security. TSA also proposes to apply these same requirements to pipeline facilities and systems through the new part 1586. Appendix A to part 1570, which identifies types of significant security concerns to be reported, would be removed from part 1570 and repeated in parts 1580, 1582, 1584, and 1586.

As incorporated into this proposed subpart, TSA is proposing to clarify that the security coordinator(s) currently required by § 1570.201 must be a U.S. citizen. This requirement is consistent with the 9/11 Act and advances TSA's need to ensure that the agency can rapidly share sensitive information with the owner/operator that may be critical to ensure appropriate actions are taken to address emerging threats. As provided in the 9/11 Act, TSA may waive the citizenship requirement for the security coordinator(s) if the individual successfully completes a STA.

In addition, the value of the security coordinator position is significantly impeded if there is not an individual in place who can receive sensitive information. Therefore, TSA is requiring that security coordinators (primary and alternate) must be a U.S. citizen who can receive sensitive information unless waived by TSA. At this time, TSA only anticipates one possible situation where a waiver would be granted; if one of the Security Coordinators is a U.S. citizen (primary or alternate), TSA may grant a waiver for the requirement as applied to the other Security Coordinator. From the agency's perspective, the purpose of the citizenship requirement is to ensure each covered owner/operator has a designated point of contact for receiving critical threat information, including intelligence information that cannot be shared with foreign citizens. TSA is assuming that owner/operators would ensure that if the security coordinator on duty is not cleared to receive certain information, that individual would promptly notify the security coordinator or other appropriate individual who has the required clearances. Both the primary and alternate Security Coordinators would be required to successfully complete an STA before TSA would consider a waiver.

TSA is also proposing to move any procedures or requirements applicable to training of security-sensitive employees currently in 49 CFR 1570.101-1570.111, and 1570.121 to the applicable modal sections. Within the modal requirements, TSA is proposing to consolidate the existing security training requirements into one section for each mode. None of the requirements would be changed as a result of this restructuring. Finally, the title of subpart C of part 1580, which includes chain of custody requirements applicable to the freight rail system, would be changed from “Operations” to “Security of Rail Security Sensitive Materials” without any revisions to the requirements in this subpart.

Physical security encompasses threats to physical infrastructure that could affect the safety and security of people, cargo, and infrastructure. The definition for physical security in this NPRM includes measures that provide for the security of systems and facilities, as well as the persons in areas in or near to operations that could have their safety and security threatened by an attack on physical systems and assets. Examples include rail cars, stations, pipelines, terminals, buses, etc. Cybersecurity is also critical for protecting the safety and security of people, cargo, and infrastructure, but the actions taken to prevent cybersecurity incidents are intended to protect computers, electronic communications systems and services, wire communications, and electronic communications, including information contained on these systems, services, and capabilities.

It is important to recognize that there is not a bright line between physical and cybersecurity. A comprehensive defense-in-depth plan includes both physical and cybersecurity controls to protect IT and OT systems. For example, someone could use physical capabilities to damage an IT or OT system or thwart ineffective physical access controls to a building or floor in order to gain access to a Critical Cyber System. Similarly, physical security controls may be used to augment cybersecurity measures. Although TSA is distinguishing between Physical Security Coordinators and Cybersecurity Coordinators, we encourage these individuals to work together and communicate to ensure a comprehensive approach to both physical and cybersecurity.

3. General Procedures for Security Programs, SDs, and Information Circulars

Through this rulemaking, TSA is also proposing to revise procedures in part 1570 related to security programs. When TSA promulgated the Security Training for Surface Transportation Employees final rule in 2020, the rule text incorporated specific security program requirements. This structure reflected the limited scope of the requirements applicable to multiple modes of transportation. To accommodate the proposed addition of the cybersecurity requirements, TSA proposes to separate security training requirements, as discussed above, into the modal-specific parts and to incorporate general security program requirements that are consistent with the requirements applicable to aviation security programs. These changes, discussed in more detail in section III.F.1. of this preamble, would better ensure consistency across TSA's regulatory requirements. Table 3 provides a distribution table for these changes and those discussed above related to physical security requirements. TSA welcomes comment on the distribution table and whether any of the proposed changes might have unintended effects on existing requirements.

4. Relation to Other Rulemakings

TSA has other rulemakings that may reference subparts or sections contained in this proposed rule. Specifically, in the Vetting of Certain Transportation Employees NPRM, TSA has proposed to add vetting requirements as Subpart D of part 1580, Subpart C of part 1582, and Subpart C of part 1584. In this rule, we are proposing to add CRM requirements in two of the same subparts, and are proposing to revise other provisions that are cross-referenced in the Vetting of Certain Surface Transportation Employees NPRM. Although the substance of the two proposals do not conflict, the numbering and paragraph designations conflict in some cases. TSA will ensure all subparts and sections are deconflicted and consistent before any rules are finalized.

B. Terms

1. General Terms

Consistent with the proposed rule's organization, TSA includes proposed definitions for terms relevant to several subchapters of TSA regulations, beyond the requirements of subchapter D, in part 1500. Terms relevant to several parts of subchapter D would be added to § 1570.3. Terms uniquely relevant to each mode would be included in the relevant parts (part 1580 (freight), part 1582 (PTPR), part 1584 (OTRB), and part 1586 (pipeline facilities and systems)).

Most of the definitions are derived from existing federal regulatory programs, particularly programs administered by DOT. A few definitions are based on industry sources. TSA's purpose is to use definitions with which regulated parties are familiar, to the extent that the definitions are consistent with the purposes of this NPRM. Where no existing definition is appropriate, TSA's subject matter experts developed the definition based upon the generally accepted and known use of terms within each of the modes subject to this proposed regulation. Table 4 provides additional information on the terms that would be added to TSA's regulations.

2. TSA Cybersecurity Lexicon

TSA has also developed terms specific to cybersecurity requirements for purposes of its SDs and ICs discussed in section II.B.1. of this NPRM. Rather than including these terms in the regulation, TSA is proposing to add “TSA Cybersecurity Lexicon” to the terms in 49 CFR 1500.3. This term would refer to a controlled vocabulary used in TSA's cybersecurity requirements and be available on TSA's public website and any secure websites used to communicate with regulated entities. In general, the use of a standard lexicon reduces the possibility of misinterpretations when communicating cybersecurity definitions and terminology. The definitions provided below are generally consistent with those terms and definitions in the SDs and ICs.

As the meaning of cybersecurity terms can change over time based on emerging technology and capabilities, TSA is proposing to maintain these definitions separate from the regulatory text. Any changes to the terms would be interpretive in nature and would be made using the procedures for amendments to security programs described in proposed § 1570.107.

This approach also allows flexibility for TSA to align with other Federal agencies as part of broader effort to harmonize cybersecurity terminology and requirements without delaying the ability to proceed with this important rule to establish a strong cybersecurity baseline to protect critical surface operations. Table 5 includes the list and definition of terms that TSA proposes to establish for the first iteration of the TSA Cybersecurity Lexicon.

C. Cybersecurity Risk Management Program—General

1. Introduction

The primary purpose of this rulemaking is to mitigate the impacts of cybersecurity incidents on higher-risk surface modes of transportation. This purpose will not be met by simply codifying the requirements in the SDs or assuming that what is currently being done will be sufficient for the future. Cybersecurity is not static; it is an ever-evolving capability to address ever-evolving threats. To ensure critical systems are protected from a cybersecurity incident, this proposed rule includes requirements to establish a CRM program that would ensure cybersecurity maturity as an ongoing and adaptive process. In developing the requirements in this proposed rule, TSA began with those previously imposed by TSA through SDs issued under the authority of 49 U.S.C. 114( l), considered the structure and recommendations in the NIST CSF, and focused on the actions prioritized by CISA in the CPGs. Through implementation of these requirements, TSA believes the regulated parties would meet the NIST “Repeatable” Tier, which applies to companies with mature cybersecurity programs that are formally approved and are known and communicated organization-wide, reflect an organization-wide approach to managing risks, have consistent methods in place for cybersecurity policies, ensure individuals within the company know their roles and responsibilities for cybersecurity, and maintain an awareness of the company's dependencies and dependents.

2. Applicability

The applicability for this proposed rule is modified from the applicability of the current SD requirements. Specifically, the applicability of those SDs for railroads and rail transit systems generally aligns with the applicability for security training in 49 CFR part 1580 and 1582. For pipelines, applicability of the SDs aligns with TSA's designation of the most critical pipeline systems and facilities for purposes of the Pipeline Security Program Corporate Security Reviews and Critical Facility Security Reviews required by section 1557 of the 9/11 Act. These applicability determinations were based on the physical security of transportation systems and risks within that context.

Use of TSA's risk-based determinations for applicability is consistent with the focus of the 9/11 Act's requirements on higher-risk operations. This risk-based focus is reflected in the statutory requirement that focuses security training requirements on frontline employees, not all employees; requiring risk-based tiers where only the highest tier would be required to comply with regulations for vulnerability assessments and security plans; and focusing the pipeline security reviews on the most critical systems and facilities. To expedite use of TSA's emergency authorities under 49 U.S.C. 114( l)(2), the agency primarily relied on the risk determinations used for these requirements and reviews to impose the cybersecurity requirements in the SDs discussed in section II.B.1 of this NPRM.

Since issuance of these SDs, TSA has determined that with respect to permanent regulations, different risk criteria apply when the focus is on cybersecurity. In addition to protecting passengers and the immediate supply chain, risk considerations also include protecting national security, including economic security, and recognizing their dependence on reliable freight rail and pipeline systems. As risk is a construct of threat, vulnerabilities, and consequences, the change from physical to virtual risks involves different types of threats related to motivation and capacity, different vulnerabilities reflecting reliance on IT and OT systems and dependency, and different consequences to passenger safety and the supply chain if a Critical Cyber System is the target of a successful cybersecurity incident. Where cybersecurity incidents in some sectors are primarily focused on loss of data or privacy information, in the transportation sector, a cybersecurity incident has a potential impact on operations affecting passenger safety, the environment, and the supply chain. In other words, cybersecurity incidents could have direct physical consequences. See discussion in section II.A.4. regarding cybersecurity threats. As noted in the National Cybersecurity Strategy, regulatory agencies are encouraged to ensure “cybersecurity regulations for critical infrastructure . . . prioritize the availability of essential services.” The expanding nature of cyber risks to the transportation sector also requires an assessment of applicability specific to these risks. Consistent with these considerations, TSA is proposing the following applicability criteria for freight railroads, rail transit and passenger railroads, and pipelines facilities and systems.

a. Freight Railroads Subject to CRM Program Requirements in Proposed Subpart D of Part 1580

TSA proposes that the CRM program requirements apply to the freight railroads that transport the greatest amount of cargo or are identified as supporting certain Department of Defense (DoD) operations. TSA estimates 73 freight railroads would meet the following risk-based criteria:

• Is a Class I railroad as defined in current49 CFR 1580.3; or

• Is a Class II or III railroad that:
• Transports one or more of the categories and quantities of Rail Security-Sensitive Materials in a High Threat Urban Area;

• Provides switching or terminal services to two or more Class I railroads;
• Operates an average of at least 400,000 train miles in any of the three years before the effective date of the final rule or in any calendar year after the effective date;

• Is designated as a Defense Connector Railroad by DoD, as defined in proposed 1580.3; or
• Serves as a host railroad to any of the freight railroad operations identified above or a higher-risk passenger rail operation identified in proposed § 1582.201;

This criteria for applicability would capture railroads responsible for approximately 94 percent of the freight transported by rail in the United States, railroads that transport the largest volume of cargo, and railroads that serve as critical connections between Class I railroads or serve as vital links in the Strategic Rail Corridor Network (STRACNET). A cybersecurity incident affecting one of these railroads would have the most significant impact on rail transportation, national security, and economic security.

The proposed applicability criteria for CRM program requirements would expand the applicability of the requirements set forth in the SDs to include an additional nine railroads, all of which operate more than an average 400,000 train miles per year. TSA is proposing this expansion because these railroads represent a population that, were they to experience a degradation of service due to a cybersecurity incident, the effects of that service-degradation would ripple across the nation's rail network and cause significant disruption to the industry's service capacity.

TSA is not proposing to apply the CRM program requirements to most short line and regional railroads. Although TSA's current regulations in 49 CFR part 1580 apply some requirements to the majority of the Short Line and regional railroads, these are not generally high-cost requirements. Applying the CRM program requirements to these smaller railroads would, however, impose costs with limited corresponding benefits to minimize the consequences that the proposed rule is intended to address as there would not be a significant impact on national security, including economic security, if one of these railroads had operational disruption due to a cybersecurity incident. An expanded scope of applicability could also be beyond TSA's current resources to effectively monitor for compliance. For those operators not determined to be at higher-risk, TSA believes it is more beneficial to continue issuing recommendations and engagements through field inspector outreach, trade association webinars, and other events to encourage railroad owner/operators not subject to TSA's requirements to take voluntary preventive measures to enhance their cyber security.

TSA is not proposing to include rail hazardous materials shippers and receivers in the scope of applicability for CRM requirements. TSA regulates these entities for purposes of “chain of custody” requirements in subpart C of 49 CFR 1580 due to their role at the beginning and end of the line for transporting Rail Security Sensitive Materials (RSSM). Based on their position in the supply chain, the security of these materials necessitates that these entities receive and share critical security information. To meet this need, TSA requires shippers and receivers of RSSM to have Physical Security Coordinators and to report physical incidents affecting these operations that could have an impact on the security of the shipment during transport by a freight railroad. We do not regulate operations within these facilities and do not intend to expand the scope of our requirements through this proposed rule.

Finally, TSA currently requires all freight railroads to have a security coordinator and report significant security concerns focused on physical security. Similarly, TSA is proposing that all freight railroads currently required to have a security coordinator and report significant security concerns, also have designated individual(s) responsible to serve as a Physical Security Coordinator and/or a Cybersecurity Coordinator and report significant physical security concerns to TSA and cybersecurity incidents to CISA. Although the costs of a robust CRM program for the broader scope of freight railroads may not be justified at this time based on known risks, that determination does not mean that cybersecurity should be ignored. All railroads need a point of contact for receiving and processing information on cybersecurity risks, and the U.S. government needs to be promptly advised of any cybersecurity incidents involving these railroads to have a thorough understanding of the current threat environment.

b. Public Transportation Agencies and Passenger Railroads Subject to CRM Program Requirements in Proposed Subpart C of Part 1582

The criteria for applicability of the CRM program requirements for PTPR systems consider both location and passenger volume as primary risk considerations. Based on these considerations, TSA is proposing that the CRM rule apply to those rail transit systems and passenger railroads with the largest daily ridership. A successful cybersecurity incident against one or more of these systems or railroads could have a significant impact on the transportation sector, with consequences to national and economic security.

TSA estimates that 34 rail transit and passenger railroads, including Amtrak, would meet the following risk-based criteria:

• Is Amtrak (also known as the National Railroad Passenger Corporation) or other a passenger railroad with average daily unlinked passenger trips of 5,000 or greater in any of the three previous years before the effective date of the final rule, or within any single calendar year after the effective date; Is a passenger railroad that hosts a Class I railroad or Amtrak, regardless of ridership volume; or
• Is a rail transit system with average daily unlinked passenger trips of 50,000 or more per year in any of the three calendar years before the effective date of the final rule, or any single calendar year after the effective date of the final rule.

TSA is proposing to define “unlinked passenger trips” in § 1582.3 as the number of times an individual boards public transportation as counted each time a vehicle is boarded, not based on travel from origin to destination. For example, a person riding only one vehicle from origin to destination takes one unlinked trip. A person who transfers to a second vehicle while travelling from origin to destination takes two unlinked trips. In some contexts, “unlinked passenger trips” are also referred to as “boardings.” For purposes of this proposed rule, however, TSA is consistently using “unlinked passenger trips.”

This scope of applicability would limit the economic burden to the highest consequence operators while still accounting for greater than 90 percent of the total nationwide daily rail ridership volume. Consistent with the 9/11 Act, each of the systems that would be required to develop and implement a CRM program is eligible to receive grant funding under section 1406 of the 9/11 Act, 6 U.S.C. 1135, and has received such funding. Transit bus and smaller transit rail and passenger rail systems would not be included in the applicability of the CRM components of this proposed rulemaking as the smaller ridership of these systems means the operational disruption would not have the same consequences as impacts on larger operations. If one of these systems is taken offline due to a cybersecurity incident, it would be temporarily disruptive, but would be unlikely to have significant impacts on national or economic security, compared to the disruption of the transit system in a major metropolitan area where public transportation is relied on by many commuters. Similarly, transit bus plays a pivotal role in the movement of people in urban areas, but TSA assesses that a cybersecurity incident affecting this mode of transportation is unlikely to result in a significant operational disruption because transit bus systems do not rely heavily on OT systems and likely could continue to operate in the event of a cybersecurity incident. The proposed applicability for this rulemaking does not include the following four systems that currently fall under the security training requirements in part 1582: Connecticut Department of Transportation (Conn DOT), Delaware River Port Authority, Santa Clara Valley Transportation Authority, and Staten Island Railway. These systems are not included because they did not meet the proposed risk-based criteria, i.e., ridership threshold, determined by TSA as relevant to the specific risks this rulemaking is intended to address.

Although not subject to all of the CRM program requirements, TSA is proposing that all PTPR owner/operators currently required to have a security coordinator and report significant security concerns, also have designated individual(s) responsible to serve as a Physical Security Coordinator and/or Cybersecurity Coordinator and report significant physical security concerns to TSA and cybersecurity incidents to CISA. The costs of a robust CRM program may not be justified at this time based on known risks, but that determination does not mean that cybersecurity should be ignored. All PTPR owner/operators need a point of contact for receiving and processing information on cybersecurity risks, and the U.S. government needs to be promptly advised of any cybersecurity incidents involving these systems to have a thorough understanding of the current threat environment.

c. OTRB Owner/Operators Subject to Cybersecurity Incident Reporting Requirements in Proposed § 1584.107

TSA is not proposing that OTRB owner/operators be required to meet all CRM program requirements, but believes it is appropriate for those OTRB owner/operators required to report significant security concerns be required to report both significant physical security concerns and cybersecurity incidents. TSA estimates that 71 OTRB owner/operators would be subject to this requirement.

Through this rulemaking, TSA is proposing to codify and make permanent the cybersecurity requirements previously imposed through SDs issued to address an immediate threat to transportation security. See discussion in section II.B. of this NPRM. TSA has not imposed cybersecurity mitigation measures on OTRB owner/operators based on the risk information currently available to the agency and recognition of the costs as related to the benefits. That decision, however, does not mean that there is zero risk for OTRB operations and that they will never be the victim of a cybersecurity incident. TSA has encouraged OTRB owner/operators to identify Cybersecurity Coordinators, report cybersecurity incidents, have a cybersecurity incident response plan, and conduct a vulnerability assessment. TSA believes that higher-risk OTRB owner/operators should be vigilant regarding cybersecurity risks and is proposing that the U.S. government be promptly advised of any cybersecurity incidents involving these owner/operators in order to have a thorough understanding of the current threat environment. Requiring this information is consistent with TSA's authority to assess threats, share information, and develop policy.

TSA notes that the 9/11 Act requires TSA to issue regulations to higher-risk OTRB owner/operators to conduct vulnerability assessments and implement TSA-approved security plans that address the security of IT and OT systems. TSA has not yet issued such regulations, although it has issued ICs recommending voluntary implementation of specific cybersecurity measures to higher-risk OTRB owner-operators. TSA will consider reports of both significant physical security concerns (as required by current § 1570.201 and proposed § 1584.105) and cybersecurity incidents as reported under proposed § 1584.107 for purposes of developing future regulatory requirements.

d. Pipeline Systems and Facilities Subject to Physical Security Requirements in Proposed Subpart B of Part 1586 and CRM Program Requirements in Proposed Subpart C of Part 1586

TSA is proposing to apply the CRM program requirements to the hazardous liquid, natural gas, and liquefied natural gas pipeline systems and facilities that transport the largest volume of these commodities, which would lead to the potential for a sustained disruption in service should a successful cybersecurity incident affect their ability to support national security needs, including economic security. The recommended criteria for determining applicability of the requirements includes three types of pipeline operations: (1) hazardous liquid pipelines; (2) natural and other gas pipelines; and (3) liquefied natural gas (LNG) facilities. In total, the proposed requirements would apply to 115 owner/operators of covered pipeline facilities and systems.

First, TSA is proposing to apply the CRM program requirements to owner/operators of hazardous liquid or carbon dioxide pipeline facilities and systems that meet any of the following criteria:

• Owns or operates a hazardous liquid pipeline or facility subject to49 CFR part 195 that—
• Annually delivered hazardous liquids in excess of 50 million barrels in any of the three calendar years before the effective date of the final rule, or any single calendar year after the effective date of the final rule; or
• Is in excess of 200 segment miles of pipeline transporting hazardous liquid or carbon dioxide that could affect a High Consequence Area, as defined by PHMSA.

• Owns or operates a primary control room responsible for multiple hazardous liquid or carbon dioxide systems regulated under49 CFR part 196 and the total annual delivery for those systems combined is greater than 50 million barrels annually in any of the three calendar years before the effective date of the final rule, or any single calendar year after the effective date of the final rule.
• Owns or operates a hazardous liquid pipeline or facility subject to49 CFR part 195 that has a contract with the Defense Logistics Agency to supply hazardous liquids in excess of 70,000 barrels annually.

Based on pipeline systems and facilities that report annual throughput to the Federal Energy Regulatory Commission (FERC), TSA estimates these systems and facilities account for approximately 90 percent of the total annual volume transported in the United States.

Second, TSA is proposing to apply the CRM program requirements to owner/operators of natural gas and other gas pipelines that meet any of the following criteria:

• Owns or operates a natural or other gas system subject to49 CFR part 192 and—
• Annually delivered natural or other gas in excess of 275 million dekatherms annually (generally natural gas transmission) in any of the three calendar years before the effective date of the final rule, or any single calendar year after the effective date of the final rule;
• Annually delivered natural or other gas to 275,000 or more meters (or service points) annually (generally natural gas distribution or local distribution company (LDC)) in any of the three calendar years before the effective date of the final rule, or any single calendar year after the effective date of the final rule; or
• Has more than 200 segment miles that could affect a High Consequence Area.
• Owns or operates a primary control room responsible for multiple natural gas and other gas pipeline systems regulated under49 CFR part 192 and the combined total annual delivery for these systems is greater than 275 million dekatherms (generally natural gas transmission) in any of the three calendar years before the effective date of the final rule, or any single calendar year after the effective date of the final rule.
• Provides natural or other gas service to 275,000 or more meters (or service points) annually (generally natural gas distribution or LDC) in any of the three calendar years before the effective date of the final rule, or any single calendar year after the effective date of the final rule.

TSA estimates that under these criteria, the requirements of this proposed rule would be applicable to an estimated 66 natural gas transmission and distribution pipeline systems and facilities. These systems and facilities account for approximately 80-90 percent of the total annual volume of natural gas transported in the United States.

Third, TSA is proposing to apply the CRM program requirements to LNG facilities that import natural gas or operate as peak-shaving facilities. Under the proposed criteria, the requirements would apply to an estimated two LNG import facilities and seven peak-shaving facilities. Expanding applicability of the proposed rule from the initial SDs for pipeline facilities and systems to include these facilities reflects TSA's ongoing discussions with FERC and evolving understanding of cybersecurity risks. The inclusion of these criteria would not significantly affect the number of pipeline systems and facilities subject to the CRM program requirements as all but one of the covered LNG facilities are operated by pipeline companies subject to the other criteria.

The SDs issued to pipeline owner/operators used criteria to include all hazardous liquid and natural gas pipeline systems and facilities that had been designated critical by TSA for purposes of the assessments required by the 9/11 Act. The scope of applicability, however, only accounts for approximately 10 percent of the total number of pipeline systems in the United States. At the other end of the spectrum for the possible scope of applicability, TSA determined it would not be appropriate to recommend covering all pipeline operators subject to PHMSA's safety regulations in 49 CFR part 192 and 49 CFR 195.1. This option, which includes approximately 2,105 pipelines, would be unnecessarily expensive for the industry based on the expected benefits and extremely difficult for TSA to appropriately monitor and regulate without additional personnel and funding. The proposed criteria for determining applicability would include the most critical pipeline owner/operators as determined by TSA and is consistent with the statutory requirement to determine critical operators as well as TSA's designation of critical owner/operators required to comply with TSA's SDs.

e. Determinations of Applicability for Requirements in the Proposed Rule

As with TSA's previously issued requirements for surface transportation owner/operators, owner/operators would be required to use the criteria in 49 CFR parts 1580, 1582, 1584, and 1586 to determine whether their operations are higher-risk and which requirements apply to them. Under § 1570.105(a), owner/operators would be required to notify TSA within 30 days of the effective date of the final rule if they meet the criteria for applicability of the requirements in the rule. TSA also proposes an obligation for owner/operators to be aware of the criteria as applied to their future operations. Under section 1570.105(b), TSA would continue to require owner/operators to notify TSA if their operations change, after the notification date specified in paragraph (a), such that the criteria apply. In this situation, an owner/operator would be required to notify TSA no more than the later of (a) 60-days after the effective date or (b) 60-days before commencing the new operations.

This notification requirement is the first compliance deadline that owner/operators must meet under the proposed rule. TSA is aware that the deadlines could cause confusion and concern among owner/operators who are currently required to comply with requirements issued by TSA, such as those issued in 2008 and 2021, that are also in parts 1580, 1582, 1584, and 1586. To avoid any confusion over whether notification is required, TSA is proposing to add to § 1570.105(a) an exception that effectively exempts the owner/operator from this requirement if TSA has otherwise notified the owner/operator that the criteria apply. If this notification is received, these owner/operators would not need to provide separate notification regarding applicability determinations.

To mitigate the likelihood of an owner/operator failing to comply based upon lack of recognition of the applicability for these requirements, TSA also intends to use a variety of communication strategies to notify regulated parties that are likely to meet the applicability criteria. For example, TSA would use email to immediately notify its key stakeholder points of contact regarding publication of a final rule. In addition to these established information sharing mechanisms, TSA also conducts regular calls, workshops, and meetings with major industry partners and trade associations. TSA's surface representatives also work closely with surface-system owner/operators during industry-led security work groups, conferences, roundtables, and other sector-specific government coordination meetings. TSA would use all these mechanisms to notify relevant industry partners of the new requirements.

TSA is also proposing to modify § 1570.105 to add paragraph (c), which would make it clear that once an owner/operator meets the criteria for applicability, they must continue to comply with the requirements in the proposed rule. New paragraph (d) provides an avenue for owner/operators to request to be removed from the scope of applicability. For example, if an owner/operator meets the applicability criteria because of a contract to support STRACNET, but a future change removes them from that role, they would continue to be subject to the requirements until they notify TSA of the changed circumstances and receive a written determination from TSA that they are currently exempt from the requirements. TSA is not imposing a specific timeline for making this notification as it would be within the discretion of the individual owner/operator to seek an exemption. As noted above, the owner/operator would continue to be subject to the requirements until TSA makes a final decision that the owner/operator, or a specific activity of the owner/operator, no longer meets the applicability criteria.

It is the owner/operator's responsibility to notify TSA, in writing, that their operations have changed and to provide supporting documentation. TSA may also need to request additional documentation to support the assertion that the requirements no longer apply. For example, documentation may include proof that contracts with DoD have been rescinded or that they have been operating 30 percent below the threshold for applicability for three consecutive years. This provision should not be used for non-permanent changes. For example, an owner/operator may have seasonal operations two-months of every year that meet the criteria for applicability. In this situation, the owner/operator should seek alternative measures under proposed § 1570.109.

An exemption from TSA under § 1570.105(c) is operation specific. If operations change in the future such that they meet the criteria for applicability, the owner/operator would be required to comply with § 1570.105(a) and notify TSA. This notification must be provided within 90 days before commencement of operations that would meet the criteria for applicability of requirements in parts 1580, 1582, 1584, or 1586.

3. Structure of CRM Program Requirements (Proposed §§ 1580.303, 1582.203, and 1586.203)

This proposed rule requires a CRM program that includes three major components: (a) a cybersecurity evaluation; (b) a COIP; and (c) a CAP. First, the cybersecurity evaluation generally aligns with the assessments required by TSA in the SD Pipeline-2021-01, SD 1580-21-01, and SD 1582-21-01 series. This evaluation is also consistent with the NIST CSF, which recommends that a strong cybersecurity program begins with an understanding of the current profile of cybersecurity that looks at both physical and logical/virtual controls.

Second, owner/operators would be required to develop and implement a TSA-approved COIP. This plan aligns with the requirements for a CIP required by the SD Pipeline-2021-02 and SD 1580/82-2022-01 series. As with the CIP requirements in the SDs, the COIP requirements generally apply to Critical Cyber Systems as identified by the owner/operators. TSA is proposing to incorporate other parts of the SDs, including the Cybersecurity Coordinator, requirement to report cybersecurity incidents, and the CIRP, into the COIP.

The COIP requirements, which are organized in to align with the NIST components, focus on the following five areas: (1) governance of the CRM program, (2) identification of Critical Cyber Systems; (3) protecting Critical Cyber Systems; (4) detecting and monitoring Critical Cyber Systems; and (5) and ensuring response and recovery. As discussed above, TSA has added additional requirements emphasized in the CISA CPGs, including cybersecurity training and supply chain risk management requirements, not previously addressed in the SDs.

Consistent with the NIST CSF, the proposed requirements for a COIP represent TSA's target cybersecurity outcomes for the owner/operators that would be subject to the proposed rule. While TSA is committed to providing maximum flexibility for owner/operators to develop CRM programs appropriate for their operations, as provided by the SDs, the proposed rule includes additional requirements that push owner/operators to the level of cybersecurity maturity that is repeatable. These requirements include more specificity in the type of information to be included in the COIP. Establishing a minimum baseline of information to be included in COIP is necessary to ensure enforceability from the perspective of a regulator, but also enhances communication to employees to ensure they know their responsibilities under the CRM program and that the program and its policies are understood across the organization.

Finally, the proposed requirements for a CRM program include an assessment requirement that aligns with the NIST CSF's taxonomy to achieve maturity by assessing progress toward the target state. The proposed CAP requirements expand upon the requirement for assessments in the SD Pipeline-2021-02 and SD 1580/82-2022-01 series. Under the proposed rule, owner/operators would continue to be required to have a CAP approved by TSA that includes a biennial cybersecurity architecture design review, other assessment capabilities, and annual review of the effectiveness of at least one-third of all required measures in the COIP, so that 100 percent of the policies, procedures, measures, and capabilities and all Critical Cyber Systems would to be assessed at least once over 3 years, with a minimum of 30 percent each year. The rule proposes adding additional requirements to ensure independence of auditors and assessors, reporting results to TSA and corporate leadership, and updates to the COIP based on assessment results.

Subsidiaries. Proposed §§ 1580.303(b), 1582.203(b), and 1586.203(b) specifically address the issue of subsidiaries and allow for business with multiple businesses or business units to submit one CRM program for a single corporate entity. Any documents required by the proposed rule, however, would need to clearly identify and distinguish application of the requirements for each business unit. To meet this requirement, TSA would need to be able to review the plan and readily identify how the requirements are being applied to each business unit. In other words, CRM program documents that require TSA to develop a separate analysis to determine how the requirements are applied within each business unit would not be acceptable or approved by TSA as meeting the proposed regulatory requirements.

D. Specific CRM Program Requirements

1. Cybersecurity Evaluation (Proposed §§ 1580.305, 1582.205, and 1586.205)

The NIST CSF (GV.OC and GV.RM) recognizes the importance of a “current profile” that examines the extent to which the owner/operator is achieving the outcomes in the target profile and identify gaps and potential vulnerabilities. For purposes of the requirements in this proposed rule, TSA would expect owner/operators to use the security outcomes identified in the rule, at a minimum, as a basis for the target profile.

The proposed rule specifically requires this evaluation to include both physical and logical/virtual security controls. If the evaluation is limited to logical/virtual controls, the owner/operator may not fully recognize the strengths and weakness of physical security controls being used instead of, or to augment, cybersecurity measures. For example, if an owner/operator is relying on controls that limit an individual's access to a building or a floor to offset the impracticability of applying MFA to certain systems, it is important to understand how effective those physical security controls are at meeting the intended purpose. Similarly, understanding available physical security controls can help an owner/operator identify mitigation measures pending ability to fully reach the required target state.

As noted above, TSA's SDs for pipeline and rail operators included a requirement to conduct a vulnerability assessment. Under proposed §§ 1580.305(b), 1582.205(b), and 1586.205(b), this vulnerability assessment or other similar assessments may be used to comply with the requirement for the initial cybersecurity evaluation as long as it was completed within no more than one year before submission of the owner/operator's COIP. Under paragraph (c) of these sections, the cybersecurity evaluation must be updated annually. While owner/operators would not be required to submit the evaluation to TSA for approval, they would be required to notify TSA within 7 days of completing the profile and make it available to TSA upon request.

2. Cybersecurity Operational Implementation Plan (Proposed §§ 1580.307, 1582.207, and 1586.207)

a. General COIP Requirements

The COIP required by §§ 1580.307, 1582.207, and 1586.207 is the center of the comprehensive CRM program. As stated in the proposed rule text, TSA would require the COIP to detail the owner/operator's defense-in-depth plan, including physical and logical/virtual security controls, to comply with the requirements specified in subsequent sections. The results of the cybersecurity evaluation should be used at the beginning of the process to inform the development and revisions to the COIP from a broader enterprise-perspective, while the CAP informs revisions to the COIP based on testing the effectiveness of the measures in the COIP as implemented by the owner/operators. The COIP must include specific detail on exactly how the owner/operators meet the requirements for (a) governance; (b) identification of critical cyber systems, network architecture, and interdependencies; (c) procedures, policies, and capabilities to protect Critical Cyber Systems; (d) procedures, policies, and capabilities to detect cybersecurity incidents; and (e) procedures, policies, and capabilities to respond to, and recovery from, cybersecurity incidents, which would include reporting cybersecurity incidents and the CIRP. Each of these components of the COIP will be discussed below.

As most of the owner/operators that would be subject to this proposed rule's requirements are currently required to comply with TSA's cybersecurity SDs, TSA assumes that the COIP for these owner/operators would include detailed descriptions of what they are currently doing to meet the required security outcomes. To meet the regulatory requirements, these detailed descriptions would need to be more than a summary or a restatement of the regulatory text. If an owner/operator is relying on specific software, the COIP should provide details on the software (name, version, scope of deployment, etc.). If relying on policies or procedures identified in other corporate documents, the owner/operator would need to specifically identify the sections of those documents, describe how they meet the required security outcomes, and incorporate the specific sections by reference into their COIP.

To the extent the cybersecurity evaluation or CAP identify areas where the owner/operator is not meeting the required security outcomes, the owner/operator would be required by paragraph (d) of §§ 1580.307, 1582.207, and 1586.207 to include a Plan of Action and Milestones (POAM) in their COIP. Incorporating a POAM in the COIP aligns with the identification of remediation measures in section E.1.c. of SD Pipeline-2021-01 series and section D.2. of SD 1580-21-01 and SD 1582-21-01 series. The proposed POAM requirement also aligns with the NIST CSF, which recommends that organizations determine which actions to take to address gaps identified through assessments to achieve the Target Profile. The POAM must include the specific measures to be implemented and a detailed timeframe, not to exceed 3 years, to meet all required outcomes, as well as any mitigating measures that will be implemented pending full compliance with all requirements and security outcomes. As part of the COIP, failure to meet the milestones in the POAM could result in a range of enforcement actions.

The COIP must be made available to TSA for approval. Once approved by TSA, the COIP is a TSA-approved security program. The proposed rule would require the COIP to be updated to reflect any vulnerabilities or weaknesses identified during the annual cybersecurity evaluation and the CAP, discussed below. In addition, owner/operators would be required to conduct exercises of CIRPs (required by proposed §§ 1580.327, 1582.227, and 1586.227). The results of the exercises must also inform updates to the CIRP as part of the COIP. Whether resulting from these assessments and exercises—or due to other changes in policies, procedures, capabilities, or Critical Cyber Systems—owner/operators would need to comply with the procedural requirements for security programs, discussed below in section III.F. of this NPRM, to revise their COIP.

TSA recognizes that cybersecurity is ever changing in response to new capabilities and emerging threats. In addition, a detailed defense-in-depth plan is likely to include information that is subject to change for a range of reasons. In section 1570.107(c), TSA provides for this possibility by distinguishing between (1) administrative or clerical changes, (2) substantive but temporary changes, and (3) substantive and permanent changes. Within the context of the CRM program, substantive and permanent changes include changes to policies, procedures, or measures contained in a TSA-approved COIP, including documents incorporated by reference into the COIP, that relate to how the owner/operator meets the proposed CRM program requirements and are intended to be in place for 60 or more days. Substantive changes to the COIP must be made following the procedures in proposed § 1570.107(b) for amendments to security programs. For example, a limited-time deployment of new equipment as part of a 30-day pilot may not require amending the CIP, but would require an initial notification to TSA and, within seven calendar days, a description of interim measures that are in place to ensure no diminution of security. A decision to permanently replace equipment would likely require additional measures or revisions to the COIP and the owner/operator would need to request an amendment.

TSA is not proposing to require owner/operators to follow the amendment process for administrative or clerical changes to COIPs, including administrative or clerical changes to documents incorporated by reference. In other words, administrative or clerical changes do not require a request to TSA, notification to TSA, or TSA approval. Administrative or clerical changes are limited to changes to policies, procedures, or measures contained in a TSA-approved COIP, including documents incorporated by reference, that do not relate to how the owner/operator meets the CRM program requirements. Owner/operators would be required to keep a chronological list of all administrative or clerical changes and when they occurred. This list should be consulted by the owner/operator on a regular basis to determine if any changes may have evolved into permanent changes requiring an amendment.

The following are examples of substantive changes requiring an amendment:

• Changes in policies, procedures, or capabilities made after a determination that a specific policy, procedure, or measure in the COIP is ineffective based on results of the audits and assessments required under the proposed rule;
• New or additional capabilities the owner/operator has identified or obtained for meeting the requirements for a CRM program that have not been previously approved by TSA;
• Additions, modifications, and deletions to lists of Critical Cyber Systems;
• Changes to the method of MFA required to access a Critical Cyber System;
• Updates to the risk methodology for determining criticality of security patches and updates;
• Use of new vendors, companies, or products when they change the process the owner/operator is using to meet a requirement for the CRM program; and
• Strategic network architecture changes, such as moving from segmenting OT systems with firewalls to using a one-way diode or moving to a zero-trust architecture from a defense-in-depth architecture.

Examples of administrative or clerical changes to COIPs or documents incorporated that do not require the amendment process in § 1570.107(b) could include, but are not limited to the following:

• Changes to names of documents (for example, changing “IT Policy—Monitoring” to “IT Policy—Monitoring, Detection and Auditing”);
• When only certain parts of a document are incorporated by reference, changes are made to other parts of a document which are not specifically incorporated by reference; and
• Changes intended to be in effect for less than 60 calendar days (which would be subject to the process for temporary changes under proposed § 1570.107(c)(2)).

TSA would also encourage owner/operators to avoid having to make amendments related to documents incorporated by reference in their COIPs by specifically indicating which sections of the documents are being used to meet the requirements for a CRM program rather than referencing the document in its entirety when only specific portions are relevant.

Under §§ 1580.307(e)(1), 1582.207(e)(1), and 1586.207(e)(1), owner/operators must make their COIP available to TSA in a form and manner prescribed by TSA. TSA decided not to propose a specific method in the NPRM due to the need to remain flexible and adaptive to options for submitting documents. Since first imposition of the SD Pipeline-2021-02 series, TSA has been able to move from only one option (submission through a password protected email or uploading to a secure location using the Homeland Security Information Network (HSIN)) to multiple options, including email/HSIN, a secure portal, and local retention. These options address the concerns of the industry to protect highly sensitive information. While not proposing to codify any of these options, the following discusses each option as they currently exist.

As noted above, owner/operators were originally required to send their list of Critical Systems, CIP and CAP using email as password-protected attachments or upload to HSIN. TSA subsequently developed other authorized methods for submitting and maintaining CIPs, and documents incorporated by reference into CIPs, CAPs, and CAP reports. Instead of submitting these documents via password-protected email or via HSIN, owner/operators may submit documents to the TSA Secure Regulatory Portal (SRP) or retain them locally for in-person or other review pursuant to TSA-approved methods, which may include virtual review.

Use of the SRP is the preferred method for TSA as it minimizes the time and personnel investment for owner/operators while accelerating TSA's ability to review and approve submitted documents while maintaining information security. Owner/operators would be required to use the same method of submission for all of their required documents and must notify TSA of their chosen option. If documents are maintained locally for on-site or virtual review by TSA, the owner/operator must attest to TSA (subject to potential penalties for providing false or misleading information) that they have completed the required actions within the designated timeline. The documents are considered conditionally approved and the owner/operator must begin implementation. TSA considers “implementation” of the CIP to mean that the regulated entity has fully developed its CIP to meet the performance-based measures and has begun to carry out the policies, procedures, measures, and capabilities in the CIP. Therefore, that attested-to and complete CIP may also include timelines for implementation of specific cybersecurity measures that will achieve the performance-based objectives. A CIP maintained on location is not considered to have final approval until reviewed by TSA, revised as required by TSA, and the owner/operator receives notification from TSA that the CIP has received final approval. Only final approval of the CIP triggers the timelines associated with requirements to develop the CAP and CAP report. Regardless of the manner of submission of any document, TSA retains its full inspection authority.

TSA has not required any owner/operator to resubmit information previously approved. The required plans and reports submitted to TSA are Federal records and must be retained in accordance with TSA's National Archives and Records Administration (NARA)-approved records schedules. Similarly, documents submitted via the secure portal are also Federal records and must be retained in accordance with same NARA-approved records schedules once TSA reviews them. Finally, documents maintained at an owner/operator's location are not considered Federal records. At this time, TSA intends to continue allowing all of these approved methods for the COIP, CIRP, and CAP.

b. Governance of the CRM Program (Proposed §§ 1580.309, 1580.311, 1582.209, 1582.211, 1586.209, and 1586.211)

Accountable executive (paragraph (a) of §§ 1580.309, 1582.209, and 1586.209). Both the NIST CSF and the CISA CPGs stress the importance of establishing governance for a CRM program. CPG 1.B. urges identifying a single leader who “is responsible and accountable for cybersecurity within an organization.” Specifically, the CISA CPGs recommend that organizations have a named role/position/title identified “as responsible and accountable for planning, resourcing, and execution of cybersecurity activities. This role may undertake activities such as managing cybersecurity operations at the senior level, requesting and securing budget resources, or leading strategy development to inform future positioning.” To the extent possible, this individual should not be the Cybersecurity Coordinator or otherwise have responsibility for day-to-day management of the IT or OT system, but should function at a level between the most senior-executive leadership and the implementation/operations level of the organization. CISA has identified this action as one with high impact and low complexity, noting that failure to identify an accountable executive can result in a lack of accountability, investment, or effectiveness of a CRM program.

TSA is adopting this recommendation for purposes of this proposed rule by requiring covered owner/operators to identify an accountable executive for the CRM program. Contact and identifying information for the accountable executive must be provided to TSA and incorporated into the COIP.

Identifying positions with cybersecurity responsibilities (paragraph (b) of §§ 1580.309, 1582.209, and 1586.209). The NIST CSF and the CISA CPGs also emphasize the importance of having a clear understanding of cybersecurity roles and responsibilities within the organization and with stakeholders, and establishing a relationship to ensure effective communication on cybersecurity policies and risks. Consistent with these priorities, TSA is proposing to require the COIP to identify positions designated to manage implementation of policies, procedures, and capabilities described in the COIP and coordinate improvements to the CRM program.

In addition, the proposed rule would require identification of any authorized representatives, as defined in the TSA Cybersecurity Lexicon, responsible for implementation of any part of the owner/operator's CRM program. Authorized representatives are empowered to act on the owner/operator's behalf to coordinate and conduct activities required by this proposed rule, including specific security measures in the owner/operator's TSA-approved COIP. Considering these responsibilities, authorized representatives are liable for non-compliance separate from and in addition to the owner/operator. TSA is proposing to require that the corporate or official business information for all authorized representatives must be incorporated into the COIP and be supported with written documentation, such as contractual agreements, between the owner/operator and the authorized representative detailing the scope of responsibilities as related to the measures identified in the COIP. As with other documentation requirements, the owner/operators would need to identify specific provisions applicable to the COIP within any provided documentation.

Note that the definition of “authorized representative” in the TSA Cybersecurity Lexicon excludes entities that functions as “Managed Security Service Providers.” If an owner/operator, or its authorized representative, has delegated or shared responsibility with a Managed Security Service Provider, wholly or in part, for specific security measures, the owner/operator or authorized representatives retains responsibility for ensuring the application of the cybersecurity performance-based measures.

The distinction in liability between authorized representatives and Managed Security Service Providers is generally consistent with principles of agency. Managed Security Service Providers are not direct employees of the owner/operator but provide one or more services or capabilities that the owner/operator may use to perform required security measures. Managed Security Service Providers generally provide a logical service that is widely available to anyone who purchases the specific capability or service, such as an internet service provider, a program developer, or IT or OT system monitoring and detection capabilities. The authorized representative is an agent empowered to act on behalf of the owner/operator, such as for day-to-day management of a cybersecurity program.

Cybersecurity coordinator (§§ 1580.311, 1582.211, and 1586.211). The proposed rule would codify Section A. of the SD Pipeline-2021-01, SD 1580-21-01 and SD 1582-21-01 series, which requires covered owner/operators to identify a primary and at least one alternate Cybersecurity Coordinator. Security coordinators, in general, are a vital part of transportation security, providing TSA and other government agencies with an identified point of contact with access to company leadership and knowledge of operations, in the event it is necessary to convey extremely time-sensitive information about threats or security procedures to an owner/operator, particularly in situations requiring frequent information updates. Having a designated Cybersecurity Coordinator and alternate provides TSA with a contact in a position to understand cybersecurity problems; immediately raise issues with, or transmit information to, the designated accountable executive or other appropriate corporate or system leadership; and recognize when emergency response action is appropriate. To meet this purpose, the designated individuals must be accessible to TSA 24 hours per day, seven days per week.

The proposed rule does not change the expectation from the SDs that the Cybersecurity Coordinator (primary and alternate) be appointed at the headquarters level. In addition, TSA would carry over the requirement in the SDs for the primary Cybersecurity Coordinator to be a U.S. citizen who is eligible to receive a security clearance. This requirement is necessary to ensure that TSA can rapidly share sensitive information with the owner/operator that may be critical to ensure appropriate actions are taken to address emerging threats. This requirement is also consistent with the SDs and TSA's experience with Physical Security Coordinators. See discussion in Section III.A.2. As with the SDs, the proposed rule would not require the Cybersecurity Coordinator or alternate to be a dedicated position staffed by an individual who has no other primary or additional duties.

The proposed rule would require the following information for the Cybersecurity Coordinator(s): name, title, telephone number(s), and email address. Any change in this information would have to be provided to TSA within seven days of the change taking effect. As previously noted, this is not a new requirement for owner/operators of railroads, including the rail transit operations of PTPR owner/operators, and pipeline facility and systems currently subject to the SDs. If an owner/operator subject to this proposed rule has provided the required information for primary and alternate Cybersecurity Coordinator(s) to TSA in the past, and that information is still current, no further action would be needed to meet this requirement.

TSA is expanding the requirements for the primary and alternate Cybersecurity Coordinator(s) to ensure they have the knowledge and skills necessary to perform the responsibilities. Cybersecurity is a technical field that requires some degree of knowledge of terms, threats, and the owner/operator's systems in order to be effective.

TSA is specifically requesting comments on existing training and certification programs that could provide low-cost options for meeting these requirements that TSA could review and provide as examples to other owner/operators that would be subject to these requirements.

Updates to governance information. The proposed rule would require owner/operators to notify TSA when information regarding the accountable executive or Cybersecurity Coordinator(s) changes. While the COIP should be current regarding the identification of the accountable executive or Cybersecurity Coordinator(s), TSA would not require the owner/operator to seek an amendment to their COIP to update this information as the updated information would need to be separately provided to TSA.

c. Identification of Critical Cyber Systems, Network Architecture, and Interdependencies

Identifying Critical Cyber Systems (§§ 1580.313, 1582.213, and 1586.213). Both the NIST CSF and the CISA CPGs emphasize the importance of identification of critical assets. As with the applicability determinations for this proposed rule, TSA is proposing an informed, risk-based decision to cybersecurity requirements. A critical first step in this process is risk informed identification of critical IT and OT systems. TSA included a requirement to identify Critical Cyber Systems in the SD Pipeline-2021-01 and SD 1580/82-2022-01 series.

Identifying Critical Cyber Systems, including both IT and OT systems, enables owner/operators to ensure they have adequately identified risks using multiple sources of information and data to identify the threat ( i.e., likelihood of an attack), system vulnerabilities, and consequences should the system be the target of a cybersecurity incident. In general, unless otherwise stated, the cybersecurity measures that would be required for protecting, defending, and responding to cybersecurity incidents are limited to these Critical Cyber Systems.

For purposes of this proposed rule, TSA proposes to incorporate into the TSA Cybersecurity Lexicon a definition of “Critical Cyber System” that includes any IT or OT system used by the owner/operator that, if compromised or exploited, could result in an operational disruption incurred by the owner/operator, including those business support services that, if compromised or exploited, could result in operational disruption. This term includes systems whose ownership, operation, maintenance, or control is delegated wholly or in part to any other party. The definition of an “operational disruption” includes a deviation from or interruption of business critical functions that results in a compromise or loss of data, system availability, system reliability, or control of systems, or indicates unauthorized access to, or malicious software present on, Critical Cyber System.

In addition to IT and OT systems that are obviously critical to operations, owner/operators should also consider programmable electronic devices, computers, or other automated systems which are used in providing transportation; alarms, cameras, and other protection systems; and communication systems, and utilities needed for security purposes, including dispatching systems. TSA believes the scope of systems to be covered is consistent with the direction in the National Cybersecurity Strategy to ensure cybersecurity regulations “meet the needs of national security and public safety, in addition to the security and safety of individuals, regulated entities, and their employees, customers, operations, and data.”

Paragraph (a) of §§ 1580.313, 1582.213, and 1586.213 requires specific identifying information for Critical Cyber Systems. This information, at a minimum, would need to include specific identifying information for the system and manufacturer/designer name for each Critical Cyber System.

TSA recognizes that the owner/operator is in the best position to determine the critical IT and OT systems needed to support its business-critical functions for operations and market (supply chain) expectations. There is, however, also the potential that a cybersecurity incident that may seem minor to a specific owner/operator could have more wide-ranging impacts on the supply chain as well impacts on national and economic security. Paragraph (b) would require the owner/operator to include in its COIP the methodology used for identifying Critical Cyber Systems. Looking at systems and processes based on the business services they support may bring more transparency to, and improve the quality of, decision making, thereby improving overall operational resilience. As part of this methodology, TSA expects owner/operators to use information provided to them on particular risks associated with some systems, including intelligence and other information that identifies the likelihood of a system being the subject of a cybersecurity incident based on known threat information. As noted in the NIST CSF, a mature CRM program is one where the “organization understands its role, dependencies, and dependents in the larger ecosystem,” “collaborates and receives information from other entities,” “is aware of the cyber supply chain risks associated with the products and services” it both provides and uses, and “acts formally upon those risks.”

While some systems may pose more risk than others, any system that could result in operational disruption should be considered a Critical Cyber System. The methodology would need to describe these considerations and also consider scenarios for how long critical operations and capabilities could be sustained with identified alternatives if a Critical Cyber System is taken offline due to a cybersecurity incident. Finally, once the initial list of Critical Cyber Systems is identified, the methodology would need to include reviewing IT and OT systems not designated as critical to determine the sustainability and operational impacts if one of these systems is unavailable due to a cybersecurity incident. These considerations by the owner/operator may result in needing to update the list of Critical Cyber Systems. Best practices identified by TSA include considering impacts if a system is offline for a short duration (a 4, 8, 12, 24-hour period), or days, a week, several weeks, or months.

It is important to recognize that the availability of backups or “workarounds” should not be considered in determining whether an IT or OT system is a Critical Cyber System. These and other mitigation measures should be considered as part of the COIP as actions that are intended to ensure continuity if a Critical Cyber System is incapacitated. In practice, to the extent an owner/operator has developed backups and other mitigation measures for an IT or OT system, that fact should weigh towards identifying the system as critical, i.e., were it not critical, there would not be a need for robust mitigation measures in the event the system is unavailable.

In §§ 1580.313(e), 1582.213(e), and 1586.213(d), TSA is proposing to incorporate a requirement from the SD for owner/operators to add any IT or OT systems identified by TSA as Critical Cyber Systems even if not identified as critical by the owner/operator. While TSA is committed to providing flexibility and allowing owner/operators to self-identify their Critical Cyber Systems, the agency is also committed to ensuring a baseline of cybersecurity across specific modes and similarly situated operations. As a result, if TSA notices that an owner/operator has chosen not to identify a system as critical that was identified by other similarly situated owner/operators, TSA would request additional information and, after consultation with the owner/operator, could require the system to be added. In addition, an owner/operator who does not identify any Critical Cyber Systems is not exempt from the requirements for the CRM program. If TSA agrees that the owner/operator does not have any Critical Cyber Systems, the owner/operator would still need to address other applicable requirements.

Positive Train Control. Consistent with these proposed requirements and standards for identification of Critical Cyber Systems, TSA revised the SD 1580/82-2022-01 series in May 2024 with a new requirement for owner/operators who are either required to install and operate PTC under 49 CFR part 236, subpart I, and/or who voluntarily install and operate PTC under CFR part 236, subpart H or I, to include PTC systems as a Critical Cyber System. TSA is proposing to incorporate this requirement in sections 1580.313 and 1582.213.

PTC helps eliminate the risks of accidents and mishandling of locomotives due to human error by using locomotive-borne devices linked to a central dispatching system, through an integrated network communication channel. PTC systems are designed to prevent train-to-train collisions, over-speed derailments, incursions into established work zones, and movements of trains through switches left in the wrong position.

The imposition of PTC requirements has also resulted in far more interconnected rail systems than previously existed with the potential for a cybersecurity incident to affect multiple operators. The criticality of these systems is reflected in the FRA's regulations that require PTC to be used unless the situation falls within one of the limited exceptions provided in their regulations. TSA is proposing to require rail owner/operators who use PTC to include specific PTC components as Critical Cyber Systems.

As noted above, the FRA's regulations expect PTC to be used unless the situation falls within one of the limited exceptions provided in FRA's regulations. The limited exceptions reflect the criticality of these systems. For example, a train that loses PTC, “[w]here the failure or cut-out is a result of a defective onboard PTC apparatus,” while en route may continue “no farther than the next forward designated location for the repair or exchange of onboard PTC apparatuses.” The fact that railroads may operate without functioning PTC systems only in limited situations demonstrates the critical need for these systems.

Losing PTC capability is likely to disrupt operations. PTC provides critical safety functions, protecting the public from possible train derailments, misaligned track switches, and head-on collisions. To achieve the intended safety benefits, the PTC system must consistently maintain a high level of availability. If the PTC system fails en route, the train must operate at reduced speed and stop at the next forward designated location until the PTC apparatuses are fixed or replaced. Accordingly, loss of the PTC system could interrupt the railroad's operations. Additionally, if a PTC system were to be the target of a cyberattack that resulted in a widespread disruption in system communication where the result was an inability to initialize communications with multiple locomotives, then trains would have to be held until the issue was resolved or FRA otherwise authorized continued operations.

As in the SD, the proposed rule incorporates an alternative in lieu of applying access control measures, as required by proposed §§ 1580.317(b) and 1582.217(b), for the PTC hardware and software components installed on freight and passenger locomotives if the owner/operator is complying with the requirements in 49 CFR 232.105(h)(1-4) (General requirements for locomotives), 49 CFR 236.3 (Locking of signal apparatus housings), or 49 CFR 236.553 (Seal, where required).

Network architecture. Paragraph (c) would require owner/operators to identify system information and network architecture for each identified Critical Cyber System. In general, the requirements in paragraphs (c)(1) through (3) align with those in section III.B.1. of the SD Pipeline-2021-02 and SD 1580/82-2022-01 series. TSA is proposing to add two additional requirements for purposes of ensuring effective asset identification and management as part of a comprehensive CRM program. First, §§ 1580.313(d)(4), 1582.213(d)(4), and 1586.213(c)(4) would require an owner/operator to identify the baseline of acceptable communications between Critical Cyber Systems and external connections, or between IT and OT systems. This requirement is necessary to ensure the owner/operator can comply with requirements in proposed §§ 1580.323, 1582.223, and 1586.223, which require documenting any communications between IT and OT systems and an external system that deviate from the identified baseline of communications.

Sections 1580.313(d)(5), 1582.213(d)(5), and 1586.213(c)(5) would require the owner/operator to identify any operational needs that prevent implementation or delay implementation of the CRM program requirements for Critical Cyber Systems, such as application of security patches and updates, encryption, or MFA.

Sections 1580.313(f), 1582.213(f), and 1586.213(e) would provide that any substantive changes to Critical Cyber Systems would require an amendment to the COIP. It is critical for both TSA and the owner/operator to know the COIP has the current list of Critical Cyber Systems. TSA prepares for inspections in advance, and it increases the amount of time inspections take for owner/operators and TSA if the list is not current. In addition, having ready access to this information can help TSA notify owner/operators if specific intelligence or other threat information becomes available relevant to that specific system or capability.

Supply chain risk management (§§ 1580.315, 1582.215, and 1586.215). Both the NIST CSF and the CISA CPGs include recommendations related to supply chain risk management. TSA is proposing to incorporate all three recommendations from the CISA CPGs for supply chain risk management into this proposed rule. The requirements would apply to any procurement or contractual documents executed or updated after the effective date of the final rule.

The SolarWinds supply chain compromise is one of the most well-known examples of a cybersecurity risk associated with services and systems provided by external supply chain providers. Using a backdoor implanted in a software update downloaded by customers using the SolarWinds Orion product, malicious actors were able to retrieve and execute commands that included the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masqueraded its network traffic as the Orion Improvement Program-protocol and stored reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor used multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. Victims included government, consulting, technology, telecom and other entities in North America, Europe, Asia and the Middle East.

Proposed §§ 1580.315(a), 1582.215(a), and 1586.215(a) address these supply chain threats by incorporating the recommendations in CPG 1.G, which encourage organizations to incorporate supply chain incident reporting in their procurement documents and contracts to ensure they can more rapidly learn of, and respond to, known cybersecurity incidents across vendors and service providers. Specifically, CPG 1.G recommends that these documents, such as service-level agreements, “stipulate that vendors and/or service providers notify the procuring customer of security incidents within a risk-informed time frame as determined by the organization.” A risk-informed timeframe is one that is sufficient for the owner/operator to identify and address any potential risks to their Critical Cyber Systems based on the scope and type of cybersecurity incident.

Paragraph (b) incorporates CPG 1.H, which recommends that organizations require these documents to stipulate that vendors and/or service providers notify the procuring customer of confirmed security vulnerabilities in their assets within a risk-informed time frame. This reporting ensures organizations can more rapidly learn about, and respond to, vulnerabilities in assets provided by vendors and service providers.

Paragraph (c) incorporates CPG 1.I, which recommends that “procurement documents include cybersecurity requirements and questions, which are evaluated in vendor selection such that, given two offerings of roughly similar cost and function, the more secure offering and/or supplier is preferred.” Implementing this recommendation would reduce risk by ensuring that the most secure products and services are purchased and purchasing priority given to more secure suppliers. In its CPG Checklist, CISA has assessed the complexity of these three actions as low, but with high impact at addressing the known threat.

In paragraph (d), TSA is proposing that when a notification of a cybersecurity incident or vulnerability is received, the owner/operator must consider mitigation measures sufficient to address the resulting risk to Critical Cyber Systems. In addition, if any of these measures would result in permanent changes, the owner/operator would need to request to amend its COIP. If the vendor's cybersecurity incident puts the owner/operator's IT or OT systems at more direct and immediate risk, it may also be a reportable cybersecurity incident.

In setting cybersecurity regulations for critical infrastructure, the National Cybersecurity Strategy encourages regulators “to drive the adoption of secure-by-design principles.” TSA is requesting specific comments on whether the supply chain requirements in the final rule should also include ensuring that any software purchased for, or installed on, Critical Cyber Systems meets CISA's Secure-by-Design and Secure-by-Default principles.

d. Procedures, Policies, and Capabilities To Protect Critical Cyber Systems

Protecting Critical Cyber Systems requires a combination of controls, capabilities, and awareness. Proposed §§ 1580.317, 1582.217, and 1586.217 include the requirements for network segmentation, capabilities to control access to or disruption of OT and IT systems, patch management, and ensuring these capabilities have robust logging and back-up requirements. Proposed §§ 1580.319, 1582.219, and 1586.219 require training to enhance awareness for individuals regarding their role and responsibilities in protecting Critical Cyber Systems.

Network segmentation, controlling communications, zone boundaries, and encryption. Proposed paragraphs (a) through (c) of §§ 1580.317, 1582.217, and 1586.217 would require owner/operators to incorporate into their COIP the network segmentation policies and controls necessary to address cybersecurity threats. To align with the NIST CSF's “Protect” function, this section includes requirements from both section III.B. and section III.C. of the SD Pipeline-2021-02 and 1580/82-2022-01 series. The scope of the requirements in paragraphs (a) through (c) specifically include security outcomes intended to (a) protect against access to, or disruption of, the OT system if the IT system is compromised or vice versa; (b) ensure IT and OT system-services transit the other only when necessary for validated business or operational purposes; (c) secure and defend zone boundaries to defend against unauthorized communications between zones and prohibiting OT services from traversing the IT system, or vice versa, unless encryption or other controls are in place; (d) and control access to Critical Cyber Systems.

Many historical intrusions demonstrate that adversaries generally compromise a single vulnerable system or host and then move laterally across a network until reaching an identified target. Implementing segmentation impedes adversaries who have successfully entered the environment from producing cascading consequences and limits their ability to impact the entire process simultaneously, reducing both physical and cyber consequences. Network segmentation is necessary to reasonably ensure that an intrusion is limited to the initially compromised host and does not spread to affect Critical Cyber Systems. Flat or unsegmented networks pose an exigent risk to cybersecurity, as any intrusion-spread can result in a significant impact to systems that support public health and safety. Preventing or controlling such spread mitigates the costs of a successful cybersecurity incident, especially if segmentation averts intruder exposure to critical systems, which could potentially cost billions of dollars in damage. Reducing the costly impacts of ransomware attacks over time may change the economic incentive of the attackers and reduce their frequency in the long-term.

Access control. Proposed paragraph (b) of §§ 1580.317, 1582.217, and 1586.217 includes requirements for controlling access to Critical Cyber Systems. These requirements generally align with the recommendations in PR-AA of the NIST CSF and CPG 2.C (Unique Credentials), 2.D (Revoking Credentials for Departing Employees), 2.E (Separating User and Privileged accounts).

As noted above ( see section III.D.2.c.), TSA is proposing a limited exception for application of access control measures required by proposed paragraph (b). In lieu of these requirements, §§ 1580.317(f) and 1582.217(f) would allow owner/operators to rely on the physical security controls used to comply with the FRA's regulations under 49 CFR 232.105(h)(1-4) (General requirements for locomotives), 49 CFR 236.3 (Locking of signal apparatus housings), or49 CFR 236.553 (Seal, where required), as applicable. This exception is limited to PTC hardware and software components installed on freight and passenger locomotives. TSA previously provided this exception in revisions to the SD 1580/82-2022-01 series issued in June 2024. To rely on this exception, owner/operators would need to be in full compliance with the FRA regulations noted in the exception and specify in their COIP what physical security measures are being used to prevent unauthorized access to the specific PTC components installed on the locomotive.

Identification and authentication policies. Managing identification and authentication policies are fundamental controls that should be part of a basic cybersecurity program and should already be in place for organizations covered by applicability of the SDs. To the extent that these controls are not in place, this is a vulnerability that could be imminently exploited.

Regularly changing passwords is a fundamental cybersecurity practice. Minimizing this known threat vector requires immediate action to mitigate the threat. VADRs conducted by CISA, and other assessments and interviews with asset owners, have identified cases where passwords used in ICS were stolen, the organization was aware they had been compromised, yet the passwords were subsequently left unchanged for multiple years. In the absence of effective controls, adversaries in possession of these passwords could use them at any time to access the ICS. If at any time passwords were previously compromised and are still valid and have not been disabled or other compensating controls provided to prevent adversarial access to the system, those passwords could be used by an adversary to access the system.

Multi-factor authentication. Multi-factor authentication (MFA) requirements, or compensating controls that meet the same security outcomes, are also critical to provide a critical, additional layer of security to protect asset accounts whose credentials have been compromised. Aggressive activity being demonstrated by threat actors against both IT and OT systems stems from identity management abuse, which can be significantly mitigated by using strong access control measures, such as MFA. Accounts using only a username and password are vulnerable to multiple modes of compromise, including password spraying and credential stuffing. Multi-factor authentication effectively protects against these tactics and associated unauthorized access. Implementing this requirement reduces the risk of unauthorized access to Critical Cyber Systems by employing security access controls that are equal to or greater than the protection offered by the use of MFA. The intent is to employ MFA where appropriate and, where it is not, to ensure strong physical and logical security controls are in place that meet or exceed the protection that MFA affords.

Similar to the PTC exception for rail operations, TSA is proposing to incorporate from the SD Pipeline-2021-02 series a limited exception for MFA that addresses pipeline-specific operational considerations. In its regulations applicable to the safety of pipeline operations, PHMSA imposes requirements specifically applicable to control rooms used to monitor and control all or part of a pipeline facility through a SCADA system. Under PHMSA's regulations, controllers in the control room are responsible for monitoring day-to-day operations of the SCADA system and managing abnormal and emergency situations. In the midst of an emergency or alarm resolution, requiring MFA to access a workstation could have significant ramifications for pipeline safety and security. Based on these considerations, TSA is proposing to carry forward the limited exception from the SD to proposed § 1586.217(b)(2). Under this exception, if an owner/operator is in compliance with PHMSA's requirements, and includes in its COIP details of the adequate, compensating controls it uses to prevent unauthorized physical and logical access to control room industrial control systems within the scope of the owner/operator's Critical Cyber Systems, it can rely on those measures in lieu of MFA. At a minimum, TSA would expect the COIP to detail physical security controls including segmentation of the workstation from enterprise IT systems and additional compensating controls applied to prevent unauthorized physical and logical access to the workstation(s).

Privileged accounts. Most intrusions that occur are identity compromises, and implementing these controls greatly reduces the impact from successful compromises by limiting what can be done with any credentials and making intrusions more visible in the use of these credentials. Controlling access to and closely monitoring user accounts is a foundational control necessary to limit the extent of disruption and damage caused by potential intrusions.

Establishing governance over privileged accounts addresses the urgent risk of unauthorized administrative access to life safety systems. Establishing governance over such accounts is a foundational step that should be undertaken to increase the industry baseline for control access. Establishing this baseline of security would significantly reduce the vulnerability of the Critical Cyber Systems because adversaries are currently seeking to exploit entities with weaker access control compared to competitors or the industry standard. Policies such as Just-In-Time Privileged Account Management can mitigate the risk of privileged-account abuse by reducing the amount of time a threat actor has to gain access to privileged accounts before moving laterally through a system and gaining access to sensitive data.

Controlling privileged accounts is an important initial step toward implementing “zero trust” policies. Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. The purpose of zero trust is to minimize uncertainty in enforcing accurate, least privilege, per-request access decisions for IT and OT systems in the context of assuming that a breach is inevitable or has already likely occurred. Unauthorized access to privileged accounts can be used to exercise administrative control of highly critical systems, including those that manage life safety functions. Privileged accounts must be well-governed, including by controlling and closely monitoring their use. Managing shared accounts. In general, shared accounts are inherently vulnerable to a cybersecurity incident and should never be used. As a result, it is best to require individual user and administrator accounts where technically feasible, with security controls appropriate for the different privilege levels and policies that prohibit sharing accounts. Shared accounts open a security vulnerability and complicate post-incident review of cybersecurity incidents. The vulnerability exists as long as an active password is known by individuals who no longer need access. It is not sufficient to rely on revoked credentials to mitigate the risk when an employee who knows the password no longer needs access to the system. The lack of unique passwords can also be a critical factor in incident response. For example, when accounts are shared among multiple individuals, it may not be feasible to determine which user is responsible for a given action. If a security incident occurs, it can be difficult to identify the source of that incident if it comes from a shared account.

While an ideal CRM program would not permit shared accounts, TSA recognizes that, in some control system environments, management may make a risk-based decision to allow shared accounts. If the owner/operator permits shared accounts in limited situations as determined necessary for operations, that decision needs to be managed with appropriate compensating controls, including capabilities such as enterprise password vaults and/or a logging system that allows the owner/operator to determine who has had access to the account and when. This data is critical for a forensic investigation following a cybersecurity incident. The proposed rule would require the owner/operator to include actions to manage the risks of shared accounts in their COIP.

Trust relationships, especially identity trust relationships between systems, are exploited by adversaries to compromise systems. In environments with shared trust between the OT and IT environments, a compromise to an IT system can immediately and directly place the OT system at risk. Severing these identity trusts is a critical safeguard in light of the current threat. If credentials from a shared or trusted store have been previously comprised, any system that trusts those credentials is put in immediate risk.

Patch management. Proposed paragraphs (e) of §§ 1580.317, 1582.217, and 1586.217 would require owner/operators to have a patch management strategy that ensures all critical security patches and updates are made consistent with the owner/operator's risk-based methodology for prioritizing patches. These requirements align with section III.E. of the SD Pipeline-2021-02 and 1580/82-2022-01 series and CPG 1.E (Mitigating Known Vulnerabilities). Unmanaged software can introduce vulnerabilities into a system and, if left unpatched, could lead to a system compromise. Historical intrusions, including those affecting critical infrastructure, demonstrate that adversaries commonly exploit unpatched or legacy assets. A robust patching program ensures that known vulnerabilities are quickly addressed based upon criticality of the underlying asset. A timely patching program is a fundamental attribute of a mature cybersecurity program and is likely already in place for organizations within the applicability of this proposed rule. Proof of concept exploit codes for critical Windows vulnerabilities are often publicly available and seen “in the wild” within hours/days.

Logging. Proposed paragraph(d) of §§ 1580.317, 1582.217, and 1586.217 would require owner/operators to ensure logging data is stored in a secured and centralized system and maintained for a duration sufficient to support risk analysis. When a cybersecurity incident occurs, the focus is often on recovery to normal operations, but it is also critical to have strong procedures in place to ensure that critical data is not destroyed that could identify perpetrators and vulnerabilities. Log retention policies enable an organization to determine the scope of an intrusion, protecting the integrity of critical systems and life safety controls.

Numerous recent cybersecurity incidents have indicated that organizations with insufficient logs are unable to effectively identify or assess the extent of a cybersecurity incident. In VADRs conducted by CISA, nearly half of all assessments identified issues related to how logs are kept and maintained, including failures to centrally collect logs and failure to have resources and policies necessary to properly analyze and audit logs. Considering the current capabilities of adversaries as identified in the classified intelligence, owner/operators need to be prepared to determine the scope of an incident to ensure the safety and resiliency of their operations in support of national and economic security. Without this information, organizations often cannot determine whether an actor has penetrated control or digital safety systems.

These requirements would generally align with the requirements in section III.E. of the SD Pipeline-2021-02 and 1580/82-2022-01 series. Both the NIST CSF (PR.PS Function) and the CISA CPGs recognize the importance of logging policies. While CISA recognizes that log collection can be more complex than some of the other requirements, they also note that effectively implementing this control reduces the risk of delayed, insufficient, or incomplete ability to detect and respond to potential cybersecurity incidents.

Back-ups. Proposed paragraph (e) of §§ 1580.317, 1582.217, and 1586.217 would require owner/operators to ensure critical systems are backed up. TSA's SDs required owner/operators to have a CIRP that included security and integrity of backed-up data and ensuring that the backed-up data is free from malicious code before it is used to restore a system. For purposes of this rulemaking, TSA is separating this requirement into two sections. The requirement to secure backups would be under the protection portion of the CRM program, while requirements related to using the backups to restore systems would be under measures addressing response and recovery. See proposed §§ 1580.327(b)(2), 1582.227(b)(2), and 1586.227(b)(2).

These proposed requirements are consistent with CPG 2.R (System Backups) and the NIST CSF (PR.DS Function). The CISA CPGs recognize the importance of having systems that are necessary for operation backed-up on a regular cadence and ensuring they are stored separately from the source system and tested on a recurring basis.

Cybersecurity Training. Proposed §§ 1580.319, 1582.219, and 1586.219 would require owner/operators to provide two levels of initial and recurrent cybersecurity training. First, basic cybersecurity training must be provided to all employees, including contractors, with access to the owner/operator's IT or OT system and additional training to cybersecurity-sensitive employees. Second, employees who meet the definition of a “cybersecurity-sensitive employee” must receive both basic and role-based cybersecurity training. Consistent with requirements for physical security training, TSA is proposing that individuals who do not receive the required training within the required timeframe must not be allowed access to Critical Cyber Systems or an IT or OT system that is interdependent with a Critical Cyber System. In § 1570.3, TSA is proposing to define “cybersecurity-sensitive employees” as “any employee who is a privileged user with access to, or privileges to access, a Critical Cyber System or any Information or Operational Technology system that is interdependent with a Critical Cyber System as defined in the TSA Cybersecurity Lexicon.” Under proposed paragraph (b), owner/operators would be required to include in their COIP a curriculum or lesson plan for each course needed to meet the specific curriculum requirements.

Proposed paragraph (c) of proposed §§ 1580.319, 1582.219, and 1586.219 includes the curriculum requirements for basic cybersecurity training to provide cybersecurity awareness to address best practices, acceptable use, risks associated with their level of privileged access, and awareness of security risks associated with their actions. The requirements in the proposed rule are consistent with CPG 2.I (Basic Cybersecurity Training) and 2.J (OT Cybersecurity Training). All employees should have a basic understanding of the online threat environment. Basic cybersecurity awareness training helps employees understand proper cyber safety, and the security risks associated with their actions. Regular training helps employees recognize their role in cybersecurity and how they serve as an additional “sensor” to detect an incident, regardless of their technical expertise.

Proposed paragraph (c) requires the owner/operator to provide cybersecurity-sensitive employees training that specifically addresses their role as a privileged user to prevent and respond to a cybersecurity incident, acceptable uses, and the risks associated with their level of access and use as approved by the owner/operator. This training recognizes that the level of cybersecurity training for someone with access to critical IT systems may be different than the training needed for someone who primarily accesses critical OT systems. In addition, this training must ensure these employees understand and are prepared to execute any actions associated with their positions under the owner/operator's TSA-approved CIRP.

The proposed schedule for cybersecurity training is consistent with the CISA CPGs. Under paragraph (d) of proposed §§ 1580.319, 1582.219, and 1586.219, owner/operators would be required to provide initial cybersecurity training (based and role-based, as applicable) within 60 days after the effective date of TSA's approval of the COIP. For individuals who onboard or become cybersecurity-sensitive employees after the effective date of the COIP, TSA would require training within 10-days of onboarding. Paragraph (e) of these sections would require annual recurrent training.

In the CPGs, CISA noted that basic cybersecurity training should be required annually “for all organizational employees and contractors that cover basic security concepts, such as phishing, business email compromise, basic operational security, password security, etc.,” and organizations should “foster an internal culture of security and cyber awareness.” The CISA CPGs also recommend that all new employees receive this basic initial cybersecurity training within 10 days of onboarding and recurring training on at least an annual basis. For individuals with responsibilities for protecting critical systems, such as maintaining or securing OT system, as part of their regular duties, the CISA CPGs recommend additional cybersecurity training on an annual basis. In the CPG Checklist, CISA identifies these actions as having low complexity and high impact. The CPG Checklist also identifies free services and references that can be used for cybersecurity training. TSA's proposed requirements for cybersecurity training align with the CPG recommendations.

Paragraphs (f), (g) and (h) of proposed §§ 1580.319, 1582.219, and 1586.219 address recognition of prior training and retention of training records. Paragraph (f) specifically allows owner/operators to rely on previously provided cybersecurity training to meet the requirements in the proposed role to the extent they can validate it meets curriculum and schedule requirements in the proposed rule. Paragraphs (g) and (h) include proposed requirements for retention of records and making the record available to employees that are consistent with TSA's current requirements for physical security training of security-sensitive employees (in current 49 CFR 1570.121).

e. Procedures, Policies, and Capabilities To Detect Cybersecurity Incidents (Proposed §§ 1580.321, 1582.221, and 1586.221)

As it is not possible to stop all cybersecurity incidents or attempted incidents, it is critical to have strong capabilities to detect cybersecurity incidents when they occur and have automatic measures in place to mitigate the impact. TSA's cybersecurity SDs included specific requirements to ensure continuous monitoring and detection policies. The proposed requirements in §§ 1580.321, 1582.221, and 1586.221 align with the SDs.

A key element of initial access for a cyber-intrusion is the execution of malicious software and communications with malicious command-and-control servers. Implementing filters to ensure “allow-listing” of known, good software and blocking malicious domains are essential controls to prevent damaging intrusions from occurring. In the latter case, best practices, such as protective Domain Name System (DNS) resolution, are necessary to proactively block communications with unknown or potentially malicious web domains. Detection should not be limited to a single security control but should include continuous monitoring and detection policies that follow the zero trust principle of assumed breach and a defense-in-depth approach to maximize a defender's chance of detecting an attack before it reaches the operational environment. Starting with basic controls, such as allow-list filters, email sandboxing, threat-based detection, and protecting DNS, provides a strong foundation for detection of threat activity from advanced adversaries. The costs of implementing these controls would be offset by the benefits of avoiding even a single successful cybersecurity incident that could result in catastrophic costs. The demands of the ransomware threat actors have also increased, and intelligence information indicates the capabilities of adversaries are becoming more sophisticated. The CISA CPGs note that “[w]ithout the knowledge of relevant threats and ability to detect them, organizations risk that threat actors may exist undetected in their networks for long periods.”

f. Procedures, Policies, and Capabilities To Respond to, and Recover From, Cybersecurity Incidents

In setting cybersecurity regulations for critical infrastructure, the National Cybersecurity Strategy encourages regulators to ensure that systems are designed to fail safely and recover quickly. Having strong procedures, policies, and capabilities to respond to, and recover from, cybersecurity incidents are among the most critical steps owner/operators can take. If a company is the target of one of the most sophisticated adversaries, such as nation-state actors, the issue is when the company will be the target of a cybersecurity incident, not whether they will be targeted. These requirements are related to protection and detection capabilities.

Capabilities to respond to a cybersecurity incident (§§ 1580.323, 1582.223, and 1586.223). The detection capabilities discussed above primarily rely on automated systems that flag or block incidents as they occur. CRM programs also need the capability to analyze traffic and trigger responses if certain thresholds are crossed. For this rulemaking, TSA is proposing to consolidate requirements from section D.2 of the SD Pipeline-2021-02 and SD 1580/82-2022-01 series that address auditing unauthorized access, documenting communications between systems that deviate from the approved baseline of communications, identifying and responding to execution of unauthorized code, and ensuring standardized incident response activities based on this information.

Reporting cybersecurity incidents (§§ 1580.325, 1582.225, 1584.107, and 1586.225). TSA's first SD requirements for cybersecurity focused on the need to report cybersecurity incidents to the U.S. government promptly to ensure the government can adequately respond to threats to national security, including economic security. Both the NIST CSF (Function RS.CO) and CPG 4.A (Incident Reporting) recognize the importance of reporting cybersecurity incidents. In the CPGs, CISA notes that a failure to provide timely incident reporting affects the ability of CISA and other groups to assist the organization and also gain “critical insight into the broader threat landscape, (such as whether a broader attack is occurring against a specific sector).”

TSA is proposing that the requirement to report cybersecurity incidents apply to all owner/operators required to report significant security concerns under current § 1570.203. This applicability would generally include all owner/operators identified in § 1580.1(a)(1), (a)(4), and (a)(5), rail transit and passenger railroads identified in § 1582.1, higher-risk bus-only transit systems identified in § 1582.101, higher-risk OTRB owner/operators identified in § 1584.101, and the pipeline facilities and systems identified in new § 1586.101(b).

The proposed requirements for cybersecurity incident reporting mirror those in the current SDs. As under the SDs, TSA would require owner/operators to report cybersecurity incidents to CISA within 24 hours of identification of a cybersecurity incident. For purposes of the proposed rule, a “cybersecurity incident” is defined as “an event that, without lawful authority, jeopardizes, disrupts or otherwise impacts, or is reasonably likely to jeopardize, disrupt or otherwise impact, the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system.” The reports must, among other things, (1) identify the affected systems or facilities; and (2) describe the threat, incident, and impact or potential impact on IT and OT systems and operations. All information reported under this requirement is SSI protected under 49 CFR part 1520 and would be appropriately protected by CISA and TSA.

At the time TSA issued specific requirements for reporting of cybersecurity incidents in 2021, it determined that CISA should receive all cybersecurity incident reporting in order to obtain the security and analytical benefits of consolidating this information in one system to enhance threat identification and trend analysis. This action is consistent with 49 U.S.C. 114(m), which permits TSA to use the services and capabilities of other agencies and to support them through use of the agency's authorities, as appropriate.

TSA is aware that CISA is also required to issue a regulation to require reporting of cyber incidents under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Although CIRCIA requires CISA to implement new reporting requirements through regulation, CIRCIA's rulemaking requirement does not supersede, abrogate, modify, or otherwise limit any authority to regulate or act with respect to the cybersecurity of an entity vested in any U.S. Government officer or agency. “Covered Entities,” as defined by CISA, that are obligated to report “Covered Cyber Incidents” or “Ransom Payments” pursuant to another federal regulatory requirement, directive, or similar mandate could remain obligated to do so. TSA is, however, committed to avoiding redundancy and harmonizing with our government partners on cybersecurity requirements.

Under the structure proposed by CISA in its NPRM, TSA does not anticipate the need to make any significant modifications to its reporting requirements. TSA will continue to require reporting to CISA to avoid duplicate reporting. If CISA's final rule includes the proposed requirement for agencies to enter into an agreement with CISA to specifically address duplicative information reporting, TSA believes it is well-positioned for this step based on its current reporting requirements. As CISA is likely to finalize the CIRCIA rule before this rulemaking is finalized, TSA will review the final CIRCIA requirements for reporting cybersecurity incidents and consider changes as necessary and/or appropriate in the final rule.

Cybersecurity Incident Response Plan (§§ 1580.327, 1582.227, and 1586.227). Incident planning and preparedness is critical to mitigating the impacts of a cybersecurity incident on national security, including economic security. The NIST CSF (PR and RC Functions) and CPG 2.S (Incident Response (IR) Plans) and 5.A (Incident Planning and Preparedness) both recognize the importance of having a plan that is tested, validated, and maintained to ensure timely response to, and recovery from, detected cybersecurity events that cause, or could cause, operational disruption. This proposed rule would incorporate the CIRP requirements from section III.F. of the SD Pipeline-2021-02 series and section C.1. of the SD 1580-21-01 and 1582-21-01 series. These requirements include having a plan to ensure that each of the following objectives are met: (1) the impacts of a cybersecurity incident that causes, or could cause, operational disruption or significant impacts on business-critical functions are limited and do not spread throughout the system; (2) back-up data is tested before it is used for recovery; (3) measures are in place to ensure isolation of technology to reduce risks; and (4) identification of who, by position, is responsible for implementing measures in the plan. The SDs also require owner/operators to conduct annual exercises of their plans that, at a minimum, test at least two of these objectives each year. The overall objective of the exercise requirement is to ensure that elements of the incident response plan are tested to ensure that they will work and can be properly executed by the responsible person(s).

As recommended by CPG 2.S (Incident Response Plans), which aligns with the NIST CSF (Function RS.MA), TSA would continue to require owner/operators to test their plans through exercises and modify the CIRP within 90 days based on the results of the exercises. While the CIRP required by this proposed rule would be incorporated into the COIP made available to TSA for approval, TSA would require that any changes to the CIRP be reported to TSA within 15 days. As these changes are separately reported to TSA, revisions to the CIRP do not require an amendment to the COIP under § 1570.107 of the proposed rule.

3. Cybersecurity Assessment Plan (Proposed §§ 1580.329, 1582.229, and 1586.229)

As discussed above, the NIST CSF, the CISA CPGs, and TSA's SDs, taken in their totality, recognize the importance of having cybersecurity measures informed both by an initial cybersecurity evaluation that looks at the current profile of the owner/operator's cybersecurity measures against the target profile, and an assessment program that actually tests the effectiveness of cybersecurity measures in the COIP as related to Critical Cyber Systems. In the initial SD issued to pipeline owner/operators, SD Pipeline-2021-01, TSA required owner/operators to have a third-party conduct a cybersecurity architecture design review.

In SD Pipeline-2021-02C, issued in July 2022, TSA modified the SD to require owner/operators to have a Cybersecurity Assessment Program that allowed owner/operators to conduct their own biennial cybersecurity architecture design review and also required them to use other assessment capabilities intended to test the effectiveness of their cybersecurity measures. Owner/operators were required to have an annual plan for these assessments and to submit the plan to TSA for review, but not for approval.

In July and October 2023, TSA modified the pipeline and rail SD series, respectively, to change the name from a Cybersecurity Assessment Program to a Cybersecurity Assessment Plan, which more accurately reflects additional changes made to the requirements. Under the current SD series, owner/operators must submit the CAP to TSA for approval. The CAP must include a specific schedule for the assessments to ensure that at least one-third of the COIP is tested each year at a pace to ensure 100 percent of the policies, procedures, measures, and capabilities in the COIP are assessed over any 3-year period as applied to all Critical Cyber Systems. The intent of this requirement is to ensure a continuous process of assessment, avoiding the potential vulnerabilities that could result from failing to only conducting assessments every few years, potentially leaving vulnerabilities undetected for years.

This proposed requirement gives owner/operators flexibility in developing their CAP schedule. One approach would be to assess/audit one-third of the policies, procedures, measures and capabilities in the CIP each year for all Critical Cyber Systems. Another acceptable option, however, would be to assess/audit one-third of Critical Cyber Systems each year for all applicable policies, procedures, measures and capabilities in the COIP.

Either of these options ensures a schedule where one-third of policies, procedures, measures, and capabilities in the COIP are assessed each year with 100 percent of the policies, procedures, measures, and capabilities in the COIP being assessed/audited every 3 years on 100 percent of the Critical Cyber Systems. Under this requirement, an owner/operator who chooses to assess more than one-third in one year, is still required to assess at least one-third the next year. For example, if the owner/operator assesses 100 percent of their measures in Year 1, at least one-third would need to be assessed again in Year 2 and Year 3 of the cycle.

TSA is specifically requesting comment on methods owner/operators would use to ensure this schedule is met. Smaller companies with fewer Critical Cyber Systems that find it easier to assess 100 percent each year could submit a CAP that includes different types of assessments each year, i.e., assessing 100 percent each year using different methodologies.

To ensure both the owner/operator and TSA have a clear agreement on the planned assessment program and that it will meet the requirements by the end of the three-year period, TSA is proposing to require the CAP to include a mapping sufficient to validate that the required scope of the assessment will be met within the required period. This step is necessary as TSA recognizes that neither all parts of the COIP nor all Critical Cyber Systems are equal, and it may not be possible to identify a bright line of one-third of the COIP being assessed each year. Mapping the scheduled assessments to the COIP and Critical Cyber Systems will enable TSA and the owner/operator to engage in a discussion to ensure the proposed rule's intent, a steady state of meaningful assessments, is built into the owner/operators CRM program and informing future modifications to improve cybersecurity. TSA assumes that the first mapping will be the most burdensome, requiring minor updates in future years to address any changes in the COIP or Critical Cyber Systems.

TSA also agrees with the CISA CPGs' recommendation that, whenever possible, auditors and assessors should be from outside the owner/operator's organization. At the same time, TSA recognizes that some companies may have in-house capabilities to conduct audits and assessments. Rather than requiring a third-party validator, TSA is requiring that any individual who conducts an audit or assessment must be independent, i.e., they must not have a vested or other financial interest in the results, in order to ensure the integrity and reliability of results. For example, if an individual conducting an audit is part of a team or group that would receive a bonus if the audit results met a certain threshold, they are not sufficiently independent to be eligible to conduct the audit.

To support overall governance of the CRM program, the proposed rule would require an annual report of the CAP results. This report must also include the methodologies used. A copy of the report must be provided to corporate leadership and TSA. Under paragraph (f) of §§ 1580.307, 1582.207, and 1586.207, the results of this assessments are to be used for updating the CRM program, as appropriate. TSA is proposing that the report be provided 15 months from the date of TSA's approval of the first CAP and annually thereafter. This timeline allows for full implementation of the CAP (an annual or 12-month plan), and three additional months to develop a report based on the results. The proposed rule text specifically notes that the audits and assessments conducted under this section are vulnerability assessments subject to the SSI protections in 49 CFR part 1520.

The procedures discussed for submission of CIPs in section III.D.2.a. also apply to submission of CAPs. As with CIPs, a CAP maintained at the owner/operator's location is not considered to have received final approval until reviewed by TSA, revised as required by TSA and the owner/operator receives notification from TSA that the CAP has received final approval. Only final approval of the CAP triggers the timelines associated with subsequent annual requirements to develop the CAP and CAP report.

4. Documentation To Establish Compliance (Proposed §§ 1580.331, 1582.231, and 1586.231)

In accordance with 49 U.S.C. 114(f) and 49 CFR part 1503, TSA may view, inspect, and copy records, in carrying out TSA's security-related statutory or regulatory authorities, including its authority to enforce security-related laws, regulations, directives, and requirements. At the request of TSA, each owner/operator subject to the requirements of the proposed rule must provide evidence of compliance, including copies of records if requested, sufficient to demonstrate compliance. TSA must be able to build and preserve a sufficient administrative record for each case.

For the specific purposes of the CRM program requirements, the proposed rule includes a section on documentation that TSA may ask to review to establish compliance. The list of documentation provided aligns with the lists in section IV.C of the SD Pipeline-2021-02 and 1580/82-2022-01 series. While TSA has the authority under 49 U.S.C. 114(f)(7) to review any documents necessary to enforce security-related regulations and requirements (among other purposes), TSA provided this non-exclusive list to provide owner/operators with examples of the types of documents TSA may ask to review in order to support the owner/operator's efforts to establish compliance.

E. Physical Security

As noted above, TSA is reorganizing 49 CFR parts 1570, 1580, 1582, and 1584 through this rulemaking, to distinguish between physical security requirements and cybersecurity requirements. The security measures previously imposed for rail, PTPR, and OTRB—security coordinators, reporting significant security concerns, security training, and chain of custody (for freight railroads)—are primarily intended to address physical security concerns, i.e., threats to physical infrastructure from improvised explosive devices or physically tampering with equipment. With this rulemaking, cybersecurity requirements would receive dedicated treatment.

To help distinguish between physical and cybersecurity, the rule proposes to generally include the physical and cybersecurity requirements in separate subparts applicable to each mode. The requirements for OTRB would continue to be in subpart B of part 1584. TSA would also distinguish between (1) requirements for Physical Security Coordinator(s) and reporting physical security concerns and (2) requirements for Cybersecurity Coordinator(s) and reporting cybersecurity incidents.

To clearly establish the distinction between physical security and cybersecurity, TSA is proposing to move the security coordinator requirements in current § 1570.201 and reporting requirements in current § 1570.203 to the modal-specific parts with only one change to the current requirements. As with the Cybersecurity Coordinators required under the CRM program, TSA is specifying that the Physical Security Coordinator(s) be a U.S. citizen unless this requirement is waived by TSA. TSA would consider several factors before waiving this requirement. Most importantly, the individual would need to successfully complete an STA. In addition, TSA would need to ensure that at least one of the owner/operator's Physical Security Coordinator(s) (primary or alternate) is a U.S. Citizen who is eligible for a security clearance. This requirement is consistent with current practice and, as previously discussed, necessary to ensure that there is at least one point of contact within every covered entity that TSA can share sensitive information with on a rapid basis. This information could not be shared with non-citizens absent significant coordination at a government-to-government level. The delay caused by this coordination could prevent an owner/operator from receiving critical information on a timely basis needed to protect against actionable intelligence at a classified level.

As part of this effort, TSA is proposing to move and consolidate all the requirements for security training of security-sensitive employees (currently referenced in §§ 1570.107, 1570.109, 1570.111, 1570.121, 1580.113, 1580.115, 1582.113, 1582.115, and 1584.113, and 1584.115) into one section in each of the modal-specific parts (proposed §§ 1580.113, 1582.113, and 1584.113) rather than the current structure, which has some requirements in part 1570 and some in multiple sections in parts 1580, 1582, and 1584. None of the requirements for security training (procedural or substantive) would be modified through this rulemaking.

Finally, TSA is proposing to require the pipeline facilities and systems within the applicability of the CRM program requirements (proposed § 1586.101(b)) to designate a Physical Security Coordinator and report significant physical security concerns. For almost a decade, TSA's Pipeline Guidelines have encouraged pipeline owner/operators to report security incidents to TSA and provide contact information for security operations or controls centers for pipeline owner/operators in order to facilitate the exchange of information. Through this rulemaking, TSA is proposing to make having a Physical Security Coordinator and reporting significant physical security concerns mandatory for the pipeline owner/operators identified in proposed § 1586.101(b). Expanding these requirements to this critical sector would ensure TSA is able to obtain a complete picture of potential threats, both physical and cyber across this sector and as it relates to other critical infrastructure.

F. General Procedures for Security Programs, SDs, and Information Circulars

1. General Procedures for Security Programs (Proposed Revisions to Subpart B of Part 1570)

In the Security Training for Surface Transportation Employees final rule, TSA established procedures for security programs in 49 CFR part 1570. At that time, the requirements to be included in a security program were primarily related to security training. As part of this rulemaking and the expansion of security program requirements to include a robust CRM program, TSA is proposing to revise the procedures for security programs in part 1570 to align more closely with the well-established procedures applicable to security programs issued for civil aviation under subchapter C of 49 CFR chapter XII. In general, these changes primarily result in reorganizing the requirements currently in §§ 1570.109 through 1570.119. In addition, these procedures also address allowances in the 9/11 Act for coordinated development and implementation of vulnerability assessments and security plans, and the requirements in the 9/11 Act related to recognition of existing procedures, protocols, and standards.

Proposed § 1570.107 includes the procedures for when an owner/operator determines that they need to amend a security program previously approved by TSA. This section is consistent with the procedures for aviation security programs under subchapter C of Chapter XII and would replace current §§ 1570.113 and 1570.117. These procedures ensure a joint understanding between TSA and owner/operators on what the owner/operator is committed to implementing while providing opportunities to modify measures as necessary to address changes in operations, evolving capabilities, and emerging threats. As the COIP is a security program, owner/operators must request an amendment whenever they seek to make substantive changes to their COIPs or to documents incorporated by reference. Current § 1570.113 includes requirements for when owner/operators must request an amendment to their security programs. TSA is proposing to consolidate and streamline these requirements in proposed 1570.107(c).

Proposed § 1570.107(b) includes the general requirements for owner/operators to request an amendment to a TSA-approved security program. Current § 1570.113(e) requires owner/operators to submit a request for an amendment to their programs no later than 65 days after a permanent change takes effect. For purposes of this requirement, a permanent change is any change in effect for 60 or more calendar days. The SDs for cybersecurity requirements require a request for an amendment no later than 50 calendar days after the permanent change takes effect, unless TSA allows a longer time period. A permanent change for that purpose is any change intended to be in effect for 45 or more calendar days. In TSA's aviation programs, TSA requires requests for amendments 45 days before they take effect, unless TSA allows a shorter time period.

Under the proposed rule, permanent changes would continue to be those intended to be in effect for 60 or more days, but owner/operators would be required to request an amendment at least 45 days before the change takes effect. This section carries over from current § 1570.113(f), the TSA standard for approval. In general, this standard requires that the policies, procedures, or measures in the proposed amendment provide a commensurate level of security to the previously approved policy, procedure, or measure. As validated by TSA's application of this timeframe in aviation programs, this requirement benefits both the agency and owner/operator by ensuring that TSA agrees with the owner/operator's determination that a modification to previously approved procedures will continue to meet the required security objectives. This agreement, in turn, avoids situations where an owner/operator invests in programs, capabilities, or technology that TSA subsequently disapproves because the modification fails to provide adequate security as required by the regulation.

Proposed § 1570.113(c)(1) specifically excludes administrative or clerical changes from the amendment process. These changes are those that do not affect policies procedures, or measures in the owner/operator's TSA-approved security program. While an amendment is not required, TSA would require owner/operators to maintain a chronological record of these changes for at least one year before the date of the last approved security program. As with all other documentation of compliance, this information be provided to TSA upon request.

Proposed § 1570.113(c)(2) includes an exception for temporary, substantive changes. Temporary, substantive changes are those that would have an impact on approved policies, procedures, or measures, but which are not intended to be in effect for 60 or more days. For temporary, substantive changes, TSA is proposing that owner/operators must notify TSA no more than 24 hours after a temporary, substantive change is made to any policy, procedure, or measure in its TSA-approved security program. Within 7 calendar days of this notification, the owner/operator must, in writing, inform TSA of the interim policies, procedure, or measures it is using to maintain adequate security while the temporary, substantive change is in effect. The owner/operator must include a description of how the interim policy, procedure, or measures provides a commensurate level of security. TSA will notify the owner/operator in writing if the agency does not concur that the interim measure provides a commensurate level of security. If the temporary, substantive change exceeds or is expected to exceed 60 days, then owner/operator must seek an amendment to its security program. This amendment request must be submitted no later than 65 days after the temporary, substantive change initially took effect. These proposed provisions would result in TSA having more visibility into temporary, substantive changes (consistent with TSA's regulatory requirements in the aviation context) while maintaining some of the flexibility contained in current regulations and SDs with respect to non-permanent changes. Proposed § 1570.107(c) also provides more specific detail on the difference between administrative or clerical changes and substantive revisions and the procedures to be followed based on the type of amendment.

As specifically applied to the security training programs required by §§ 1580.113, 1582.113, and 1584.113, which are also considered TSA-approved security programs, TSA notes that most revisions to a security training program would be considered substantive and permanent. Training curriculums and programs are usually planned in advance and do not change as rapidly as cybersecurity issues. Within this context, however, TSA would consider changes to the number of employees to be trained within each of the identified functions to be an administrative or clerical change, which would not require an amendment. TSA believes it is more important for the owner/operator to have an accurate and up-to-date awareness of these issues and plan accordingly than to impede this process by imposing an amendment process every time staff levels change. As applied to the CRM program, examples of administrative or clerical, temporary, and permanent changes are discussed more fully in Section III.D.2.a., within the general context of COIP requirements.

Proposed § 1570.107(d) and (e) includes procedures for TSA to amend security programs, which align with what is currently in § 1570.115. This section also proposes to add the process for filing a petition for reconsideration, currently in § 1570.119, as proposed § 1570.107(f).

Proposed § 1570.109 provides an option for owner/operators who may have operations that meet the criteria for applicability, but those operations are infrequent or seasonal. TSA is proposing to add a section that aligns with an option provided to airports in 49 CFR 1542.109. Under this provision, TSA may make a risk-based determination to impose alternative requirements that are appropriate for the scope of the operations rather than the full programmatic requirements.

TSA is proposing to add § 1570.115, which provides the procedures for withdrawing approval of a security program. In general, if an owner/operator is not in compliance with regulatory requirements, TSA would work through an enforcement process that has a range of actions including notices and an opportunity to correct and penalties. In some situations, however, TSA may determine that the failure to comply is so contrary to security and the public interest that the agency must withdraw approval of the security program. Section 1570.115 provides the standard and process for withdrawal to ensure due process is provided should this action be necessary.

In proposed § 1570.117, TSA would incorporate the general recordkeeping requirements from current § 1570.121. The recordkeeping requirements specific to physical security training have been incorporated into the proposed consolidated physical security training requirements in the modal-specific parts, specifically in proposed §§ 1580.113, 1582.113, and 1584.113.

Finally, as part of the general effort to establish comprehensive regulatory regime for surface regulations similar to the regime for aviation, TSA is proposing to revise § 1570.1 to add paragraph (b). This paragraph clarifies that the authority for any function exercised by the Administrator within the subchapter, such as approving an amendment to a security program, may be delegated to other officials by the Administrator. The statement is consistent with current 49 CFR 1540.3, as applied to aviation, and is appropriate as TSA continues to implement its authority and responsibilities for surface transportation security.

2. SDs and Information Circulars (Proposed Subpart C of Part 1570)

TSA is also proposing to rename Subpart C—Operations to Subpart C—Threat and Threat Response and add a new § 1570.201 related to the issuance of SDs and ICs. This section would provide procedures in TSA's regulations to issue SDs and ICs and make other revisions to align TSA's processes for surface transportation security with those long-established for the aviation sector.

The surface cybersecurity SDs discussed in section II.B.1. were issued under the authority of 49 U.S.C. 114( l )(2). Aviation SDs, however, are a creature of APA rulemaking, having been created by the Federal Aviation Administration (FAA). When TSA determines that it must immediately require additional security measures to respond to a threat assessment or to a specific threat against civil aviation, it may issue SDs to certain regulated parties. Regulated parties may request alternative procedures to accomplish the same security goal with different measures. Unless otherwise determined by the Administrator, SDs contain SSI and thus are not available to the general public. Review of an SD is available in a U.S. court of appeals.

The provisions for SD procedures also address issuance of ICs. ICs are intended to notify owner/operators of specific security concerns and may include recommended measures to address the concern. While a specific regulatory provision is not necessary to issue ICs, referencing them in the regulations provides a distinction between voluntary versus mandatory measures.

Through this rulemaking, TSA is proposing to create a similar regulatory provision for SDs and ICs for surface transportation to those applicable in the aviation sector. As discussed above, see section II.B.1 of this NPRM, TSA has used these two types of actions to address cybersecurity of surface transportation. TSA made a risk-based decision that certain entities must implement cybersecurity measures. Those entities were within the scope of applicability for the SDs. TSA also issued ICs to all owner/operators within a certain mode, recommending that they consider voluntarily implementing the measures imposed on the higher-risk owner/operators. ICs are distinguished from more general guidance documents because they are specific to a certain security concern. This addition to TSA's regulations would ensure that any person within the scope of applicability of future SDs or ICs would be able to find the applicable procedures for these actions in TSA's regulations.

As noted above, TSA is proposing revisions to streamline regulatory text for owner/operators to request to implement security measures other than those specifically required by TSA, or to revise previously approved security programs. The current regulations provide for amendments to security programs requested by an owner/operator in current 49 CFR 1570.113, TSA amendments to programs in § 1570.115, and owner/operator requested alternative procedures in § 1570.117. Under the current regulations, the distinction between an owner/operator amendment and an alternative procedure is not clear as they both authorize the owner/operator to request to implement a measure other than what is required by TSA and require TSA to determine that granting the request would not have a negative impact on security.

TSA is also proposing to revise the procedures for amendments to security programs (such as the COIP) required by subchapter D. See discussion in section II.F.1. As part of this revision, TSA is proposing to move the procedures for requesting alternative measures from current § 1570.117 to § 1570.203, and to limit the alternative procedures measures to SDs. This revision would provide owner/operators with a clearly identified process for requesting to implement alternatives to requirements in an SD. The proposed procedures align with our standard processes for aviation where we require owner/operators to request an amendment to a security program through the security program process, and also allow owner/operators the ability to request an alternative measure or procedure to requirements in an SD. Owner/operators would continue to be able to request amendments to their security programs under proposed § 1570.107(b).

3. Exhaustion of Administrative Remedies (Proposed § 1570.119)

TSA is proposing to add a new § 1570.119, which would require exhaustion of administrative remedies before challenging final agency orders by TSA related to the requirements in parts 1570, 1580, 1582, 1584, and 1586. Under this proposed requirement, an individual could not seek judicial review until TSA has issued its “final agency order.” TSA has identified in proposed subpart B of part 1570 the point at which a TSA decision is a “final agency action.” For purposes of this rulemaking, “final agency order” and “final agency action” have the same meaning.

This requirement would apply to (a) denials of approval of a security program or an amendment to a security program, alternative measures to requirements in a security program; (b) imposition of requirements through an SD or TSA-required amendment to a security program; and (3) withdrawal of a security program. For example, if the specific regulatory provision provides for an owner/operator to request a petition for reconsideration of a denial of security program amendment, see proposed § 1570.107(f), then the owner/operator would need to have a timely petition for reconsideration denied before they would have exhausted the administrative procedures.

The doctrine of exhaustion of administrative remedies is based on the need to conserve judicial resources and ensure that factual issues are resolved by the agency with the expertise and responsibility for administering the program at issue. The doctrine allows agencies to develop a full factual record, correct errors, minimize costs, and create a uniform approach to the issues within its jurisdiction. This process benefits individuals by resolving disputes more quickly and at lower cost through TSA rather than the federal courts. If the individual ultimately seeks review in the Court of Appeals following TSA's final agency order, the court would have a full record on which to base its review, and the issues would be narrowed to those that truly require judicial review. This process also allows TSA the opportunity to correct any errors and narrow the issues, which can be achieved through exhausting administrative remedies, before initiating judicial review.

For all of the foregoing reasons, TSA is proposing to include in the regulation an explicit requirement for individuals to exhaust administrative remedies before seeking judicial review.

4. Severability

Proposed § 1570.121 would reflect TSA's intent that the various regulatory provisions be considered severable from each other to the greatest extent possible. For instance, if a court of competent jurisdiction were to hold that the rule or a portion thereof may not be applied to a particular owner or operator or in a particular circumstance, TSA would intend for the court to leave the remainder of the rule in place with respect to all other covered persons and circumstances. The inclusion of a severability clause would not be intended to imply a position on severability in other TSA regulations.

5. Enforcement and Compliance

TSA has broad authority to: (1) enforce its rules and requirements; (2) oversee the implementation and ensure the adequacy of security measures; and (3) inspect, maintain, and test security facilities, equipment, and systems for all modes of transportation. TSA's authority over transportation security is comprehensive and supported with specific powers related to the development and enforcement of security-related regulations and other requirements. Within this broad authority, the agency may assess a security risk for any mode of transportation and develop security measures for dealing with this risk. If TSA identifies noncompliance with its requirements, TSA may hold the owner/operators responsible for the violation and subject to enforcement action, which may result in civil monetary penalties. Pursuant to its statutory authority and responsibilities, TSA is the sole Federal agency with authority to enforce its regulations.

Through a separate rulemaking, TSA recently consolidated all of its provisions previously found throughout its regulations relating to inspections, including the regulations governing surface transportation entities in current 49 CFR 1570.9. As a result of this revision to TSA's regulations, TSA's inspection requirements are now located in one section, 49 CFR 1503.207, which is the part that specifically focuses on investigative and enforcement procedures applicable to all of TSA's regulatory requirements.

When appropriate, TSA will coordinate with an owner/operator on inspections. Notice gives the parties to be inspected the opportunity to gather evidence of compliance and to arrange to have the appropriate personnel available to assist TSA. Some inspections, however, can only be effective if TSA's presence is unannounced. TSA must have the flexibility to respond to information, operations, and specific circumstances whenever they exist or develop.

Security concerns are different at different times of the day and on different days. Terrorists may seek to take advantage of vulnerabilities whenever they occur. TSA has the authority to assess the security of transportation entities at all times (including nights, weekends, and holidays) and under all operational situations. The nature of any given TSA inspection will depend on the specific circumstances surrounding a particular owner/operator at a given point in time and will be considered in conjunction with available threat information.

G. Summary of Applicability and Requirements

Table 6 identifies the current and proposed applicability of all the requirements discussed above.

As further discussed below, this proposed rule builds upon the previously issued SDs that many of the affected owner/operators have endeavored to implement. All the requirements in the SDs discussed in section II.B.1 of this NPRM have been carried over into the proposed rule, either in full or with minor alteration. New requirements include cybersecurity incident reporting for the OTRB industry; specific requirements for governance of the owner/operators' CRM programs; supply chain risk management requirements addressed as part of the COIP; and cybersecurity training. TSA is also proposing to include physical security requirements for the covered pipeline industry, but these provisions are not considered part of the CRM program. A summary of key updates is listed below, and a more comprehensive presentation can be found in Appendix A of the Regulatory Impact Analysis available in the docket for this rulemaking.

• Cybersecurity Evaluation (§§ 1580.305, 1582.205, and 1586.205)—The proposed requirements for a Cybersecurity Evaluation modify the assessments required by the SD Pipeline 2021-01, SD 1580-21-01, and SD 1582-21-01 series by making the requirement more comprehensive, including the development of an enterprise-wide cybersecurity profile that as set forth in the proposed rule must be updated annually. As discussed in section III.D.1, this type of evaluation is consistent with the NIST CSF. The process to develop this profile is substantively similar to the requirements laid out in the applicable SDs. This requirement also addresses certain requirements in the 9/11 Act related to vulnerability assessments.
• Cybersecurity Operational Implementation Plan (COIP) (§§ 1580.303, 1582.203, and 1586.203)—The proposed requirements for a COIP build on the requirement in the SD Pipeline-2021-02 and SD 1580/82-2022-01 series, which required covered owner/operators to develop a CIP. This requirement also addresses certain requirements in the 9/11 Act related to developing a security plan to address vulnerabilities and ensure security of certain IT and OT systems. The additional requirements in the proposed rule for the COIP are consistent with the transition from the temporary purpose of the SDs' requirements to establishing a permanent, robust, and mature CRM program. The new proposed COIP requirements include requiring owner/operators to have a POAM, which supports prioritization and timely implementation of CRM requirements and involves owner/operators developing a plan to address any shortfalls in being able to meet the requirements of the COIP.
• Governance (§§ 1580.309, 1582.209, and 1586.209)—Consistent with TSA's intent to align the requirements in the rulemaking with the NIST CSF, TSA is proposing additional structure around the governance of the CRM program that was not included in the SDs. Establishing strong governance is critical of a viable and mature CRM program because having processes and identifying roles creates a more effective and efficient operation that considers cybersecurity and protects organizational goals. The “governance” requirements include designation of the accountable executive as well as those with cybersecurity responsibilities to have a single leader (by role/position/title) that will act as the person responsible and accountable for planning, resourcing, and execution of cybersecurity activities.
• Cybersecurity Coordinator (§§ 1580.311, 1582.211, and 1586.211)—TSA is proposing to incorporate the requirements to designate a Cybersecurity Coordinator first imposed in the SD Pipeline 2021-01, SD 1580-21-01, and SD 1582-21-01 series with a few changes that detail the knowledge and skills of the Cybersecurity Coordinator. Such areas include general cybersecurity guidance and best practices; relevant law and regulations pertaining to cybersecurity; handling of SSI and security-related communications; current cybersecurity threats applicable to the owner/operator's operations and systems as well as having a HSIN account or other TSA-designated communication platform for information sharing. The Cybersecurity Coordinator information must also be added to the owner/operator's COIP. This requirement also addresses certain requirements in the9/11 Act related to security coordinators, as well as recognizing the distinction between physical security and cybersecurity and the possibility that larger organizations may need to have different individuals handling these responsibilities.
• Identification of Critical Cyber Systems (§§ 1580.313, 1582.211, and 1586.211)—The proposed rule incorporates the requirement to identify Critical Cyber Systems first imposed in the SD Pipeline-2021-02 and SD 1580/82-2022-01 series that are substantively the same but contain clarifying language modifications with regards to the specifics of what is involved in the identification process. This requirement also addresses certain requirements in the 9/11 Act related to identification of critical assets and infrastructure.
• Supply Chain Risk Management (§§ 1580.315, 1582.215, and 1586.215)—TSA is proposing a new requirement, supply chain risk management, which is not in the SDs to align the CRM program requirements with CISA's CPGs. Under this requirement, the owner/operator must incorporate policies, procedures, and capabilities to address supply chain cyber vulnerabilities into their COIP.
• Protection of Critical Cyber Systems (§§ 1580.317, 1582,217, and 1586.217)—These proposed requirements incorporate requirements from the SD Pipeline-2021-02 and SD 1580/82-2022-01 series involving measures to provide network segmentation, access control, as well as patching and software updates and adds a discussion on procedures related to logging. TSA is not changing the substance but proposing to organize the requirements from the SDs to align with the NIST CSF. This requirement also helps address the 9/11 Act's requirements related to protection of certain IT and OT systems.
• Cybersecurity Training (§§ 1580.319, 1582.219, and 1586.219)—TSA is proposing a new requirement for cybersecurity training, for basic users as well as role-based cybersecurity training for privileged users. As discussed in Section III. D.2.d., this proposed requirement is consistent with recommendations in CISA's CPGS. This requirement also addresses portions of the 9/11 Act requirements related to requiring security training for certain employees.
• Detection of Cybersecurity Incidents (§§ 1580.321, 1582.321, and 1586.321)—TSA is proposing to include requirements from the SD Pipeline-2021-02 and SD 1580/82-2022-01 series that address detection and monitoring of Critical Cyber Systems. TSA is not changing the substance but proposing to organize the requirements from the SDs to align with the NIST CSF. This proposed requirement also helps address 9/11 Act requirements related to plans to respond to a terrorist attack, which would include a cybersecurity incident caused by a threat actor.
• Capabilities to Respond to a Cybersecurity Incident (§§ 1580.323, 1582.223, and 1586.223)—This proposed requirement is included in the SD Pipeline-2021-02 and SD 1580/82-2022-01 series and involves auditing of unauthorized access to internet domains and communication between OT systems and external systems. TSA is not changing the substance but proposing to organize the requirements from the SDs to align with the NIST CSF. This proposed requirement also helps address 9/11 Act requirements related to plans to respond to a terrorist attack, which would include a cybersecurity incident caused by a threat actor.
• Cybersecurity Incident Reporting (§§ 1580.325, 1582.225, 1584.107, and 1586.225)—The proposed rule incorporates the requirement to report cybersecurity incidents first imposed in the SD Pipeline-2021-02 and SD 1580/82-2022-01 series with no changes.
• Cybersecurity Incident Response Plan (CIRP) (§§ 1580.327, 1582.227, and 1586.227)—The proposed requirement for a CIRP is incorporated from the SD Pipeline-2021-02 and SD 1580-21-01, and SD 1582-21-01 series. This proposed requirement involves having a plan to respond to cybersecurity incidents. The plan must include exercises. The CIRP requirements in the proposed rule are substantively the same as in the SDs with some language changes. This proposed requirement also helps address 9/11 Act requirements related to plans to respond to a terrorist attack, which would include a cybersecurity incident caused by a threat actor.
• Cybersecurity Assessment Plan (CAP) (§§ 1580.329, 1582.229, and 1586.229)—This proposed requirement is incorporated from the SD Pipeline-2021-02 and SD 1580/82-2022-01 series with no substantive changes and involves a robust assessment plan that tests the effectiveness of the COIP. As laid out in the applicable SDs, consistent with the NIST CSF, the proposed requirements include providing an annual report of assessment findings to TSA and corporate leadership, which feeds into the iterative cycle of assessments, planning, implementation, testing, and revisions to plans, that is critical to having a meaningful CRM program.

H. Compliance Deadlines and Documentation

Table 7 identifies compliance deadlines and the type of documentation required to meet compliance requirements.

I. Sensitive Security Information

1. Scope of the Revision to TSA's SSI Regulatory Requirements

TSA is proposing minor changes to 49 CFR part 1520. These revisions consist of two types of modifications. First, revisions ensure the scope of existing designations of SSI for SDs and information circulars includes the section that would be added through this rulemaking as applicable to surface transportation. Second, TSA identified several areas where the SSI regulations explicitly referencing aviation and maritime should be revised to include surface transportation because similar requirements for surface transportation did not exist when the SSI regulations were promulgated. This proposed rule would address that gap.

Note that any security program, security plan, or contingency plan required by 49 CFR subchapter D and vulnerability assessments required by, or submitted to TSA, are designated as SSI under current § 1520.5(b)(1) and (5), respectively. These requirements remain subject to SSI protection except as otherwise provided in writing by TSA in the interest of public safety or in furtherance of transportation security.

2. Disclosure of SSI Upon the “Need To Know”

Each owner/operator subject to the requirements in this proposed rule is a covered person under 49 CFR 1520.7(n) and is, therefore, required to protect SSI from unauthorized disclosure. TSA's SSI requirements do not prohibit owner/operators from sharing SSI with specific vendors that have a “need to know.” Determining whether information can be shared is a two-step consideration. First, is the individual a “covered person” under 49 CFR 1520.7. Under § 1520.7(k), employees and contractors of an owner/operator are “covered persons.”

Section 1520.9 requires all covered persons to protect SSI from unauthorized disclosure. Before sharing information with any person employed by, contracted to, or acting for a covered person, § 1520.9(a)(2) requires the owner/operator to determine that the individual has a need to know the information or record designated as SSI, as described in § 1520.11. If the person has a need to know and the information is shared, that individual is a covered person who is required to protect SSI from unauthorized disclosure. When providing the SSI, the owner/operators must include the SSI protection requirements and ensure the covered person is formally advised of their regulatory requirements to protect the information. The materials provided must maintain their SSI markings and be accompanied with an SSI cover sheet, and SSI must be properly disposed of in accordance with TSA regulations.

Unauthorized disclosure of SSI, by owner/operators or their vendors, is grounds for enforcement action by TSA, including civil penalty actions, under § 1520.17. To support compliance with these requirements, TSA provides resources to regulated entities and other person on proper handling of SSI.

IV. Regulatory Analyses

A. Economic Impact Analysis

1. Summary of Regulatory Impact Analysis

Changes to federal regulations must undergo several economic analyses. First, E.O. 12866 of September 30, 1993 (Regulatory Planning and Review), as supplemented by E.O. 13563 of January 18, 2011 (Improving Regulation and Regulatory Review), and amended by E.O. 14094 of April 6, 2023 (Modernizing Regulatory Review) directs Federal agencies to propose or adopt a regulation only upon a reasoned determination that the benefits of the intended regulation justify its costs. Second, the Regulatory Flexibility Act of 1980 (RFA) requires agencies to consider the economic impact of regulatory changes on small entities. Third, the Trade Agreement Act of 1979 prohibits agencies from setting standards that create unnecessary obstacles to the foreign commerce of the United States. Fourth, the Unfunded Mandates Reform Act of 1995 (UMRA) requires agencies to prepare a written assessment of the costs, benefits, and other effects of proposed or final rulemakings that include a federal mandate likely to result in the expenditure by State, Local, or Tribal governments, in the aggregate, or by the private sector, of $100 million or more annually ($177 million adjusted for inflation).

The security of the nation's transportation systems is vital to the economic health and security of the United States. Surface transportation systems in particular—including public transportation systems, intercity and commuter passenger railroads, freight railroads, intercity buses, hazardous liquid and liquefied natural gas pipelines as well as natural gas pipelines, and related infrastructure—are vital to our economy and essential to national security.

As discussed previously in this preamble, threat actors have demonstrated their willingness to engage in cyber intrusions and perpetrate cybersecurity incidents against critical infrastructure. As technology evolves, so do cybersecurity threats. A successful attack could result in significant negative consequences with potential cascading impacts across many sectors of the economy and people's lives.

Transportation companies have competing priorities with finite resources in which to confront the complexity of building a cybersecurity defense. At the same time, there is a level of uncertainty associated with being impacted by cybersecurity incidents. These competing priorities and level of uncertainty leads to a less than socially optimal level of cybersecurity investment. If entities are required to implement the same requirements, there could be fewer free riders or undercutting of cybersecurity investment in favor of profits or due to budgetary constraints. As noted in the National Cybersecurity Strategy,

Today's marketplace insufficiently rewards—and often disadvantages—the owners and operators of critical infrastructure who invest in proactive measures to prevent or mitigate the effects of cybersecurity incidents. Regulation can level the playing field, enabling healthy competition without sacrificing cybersecurity or operational resilience.

Ensuring transportation security while promoting the movement of legitimate travelers and commerce is a critical mission assigned to TSA. TSA believes this proposed rule is consistent with its mission given the heightened risk of a cybersecurity threat and the potential of threat actors targeting the transportation system with the purpose to disrupt the supply chain, jeopardize public safety, undermine confidence in the transportation system, and otherwise affect national and economic security.

The primary benefit of this proposed rule is a potential reduction in the risk of successful cybersecurity incidents as well as the impact of such incidents on the public, economy, and national security. The proposed requirements could enhance the security of the regulated population, which would reduce the chance of negative consequences and service interruptions from cybersecurity incidents for surface modes like freight railroad, passenger railroad, and pipelines, thereby benefiting owners/operators, passengers, and consumers. A break-even analysis suggests that the prevention of a few significant cybersecurity incidents or a high-consequence incident in any transportation mode provides benefits in excess to the costs of the proposed rule on those modes.

TSA estimates the preliminary 10-year total costs of the proposed rule to be about $2.6 billion discounted at a 3 percent discount rate and $2.2 billion discounted at 7 percent discount rate, with preliminary annualized costs of about $307.8 million. These preliminary estimates do not consider current industry practice or compliance with recently issued SDs due of a lack of data on the existing internal security practices of individual companies. As a result, many owner/operators may already employ measures that meet the security outcomes that would be required by this proposed rule and therefore have already incurred costs, which means the cost estimate of this proposed rule could be an overestimate when measured against a no-action baseline. Furthermore, costs of implementing measures to meet the proposed security outcomes may vary greatly across modes and by each owner/operator's unique needs and scale of operation. Consequently, TSA is requesting public comment on current cybersecurity industry practices and how these practices may vary by company. TSA will consider these public comments and any data provided when estimating the cost of the final rule.

2. Assessments Required by E.O.s 12866 and 13563

E.O.s 12866 and 13563 direct agencies to assess the costs and benefits of available regulatory alternatives and, if regulation is necessary, select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Under E.O. 12866, as amended by E.O. 14094, agencies must also determine whether a regulatory action is significant. These requirements were supplemented by E.O. 13563, which emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. In accordance with E.O. 12866, TSA has submitted the proposal to the OMB, which has determined that this proposed rule is a “significant regulatory action” as defined under section 3(f)(1) of E.O. 12866, as amended by E.O. 14094, its annual effects on the economy would exceed $200 million in any year of the analysis. In conducting these analyses:

• TSA prepared an Initial Regulatory Flexibility Analysis (IRFA), which estimates that this rulemaking would likely have a regulatory cost that exceeds one percent of revenue for 26 small entities—17 freight rail and nine pipeline owner/operators—of the 103 small entities that TSA found would be impacted by the NPRM.
• This rulemaking would not constitute a barrier to international trade.
• Under2 U.S.C. 1503(5), this rulemaking is not subject to UMRA review because it is a regulation necessary for the national security of the United States. As noted in the National Cybersecurity Strategy, this rulemaking is being promulgated because of national security concerns related to the protection of Critical Cyber Systems, the loss or disruption of which could have impacts on national security, including economic security.

TSA has prepared an analysis of its estimated costs and benefits, summarized in the following paragraphs, and in the OMB Circular A-4 Accounting Statement. When estimating the cost of a rulemaking, agencies typically estimate future expected costs imposed by a regulation over a period of analysis. For this rulemaking's period of analysis, TSA uses a 10-year period of analysis to estimate the initial and recurring costs to the regulated surface mode owner/operators and new owner/operators that are expected due to industry growth.

a. Costs

TSA summarizes the undiscounted costs of the proposed rule to be borne by five types of parties: freight rail owner/operators, PTPR owner/operators, OTRB owner/operators, pipeline owner/operators, and TSA. Table 8 shows the breakdown of modal entity populations over the 10-year period of analysis. The population of each industry is important because it acts as a cost multiplier for some of the proposed rule's provisions ( e.g., employee training). The population estimates accounts for entity growth, employee growth, and employee turnover dynamics over the period of analysis, which impact the population estimate as well as factor into various costs ( e.g., identification of new cybersecurity coordinators with entity growth or employee turnover). It includes entity growth, employee growth, and employee turnover.

Table 9 shows the 10-year cost by regulated industry. This information includes industry's costs associated with implementing the proposed requirements. Many of the costs are based on the time to complete identified actions ( e.g., submitting accountable executive information). In these instances, TSA calculates an opportunity cost based on the time to complete the task, approximate wage rate of the person thought to complete the task, and how frequently the task would need to be completed. Other costs are based on expenses incurred ( e.g., cost to store backup data). In both cases, these costs may change over time with a higher initial cost then lower maintenance cost later. See TSA CRM Preliminary Regulatory Impact Analysis (RIA) for a more detailed discussion and breakdown of the costs.

As displayed in Table 10, TSA estimates the 10-year total cost of this proposed rule to be $3.09 billion undiscounted, $2.63 billion discounted at 3 percent, and $2.16 billion discounted at 7 percent. The costs to industry (all four surface modes) comprise approximately 99 percent of the total costs of the proposed rule; and the remaining costs are incurred by TSA. TSA calculated a total cost to each industry based on estimates and assumptions on activities entities would likely engage in to be in compliance with the requirements of the proposed rule. However, due to the scope and performance-based nature of the requirements, TSA recognizes there would be variation in costs to individual covered owner/operators. In response, TSA provides a sensitivity analysis of key cost drivers in section 3.8 of the RIA, which include access control implementation, Critical Cyber System data backups, and cybersecurity training. In addition, there are some areas where there may be unquantified cost. For example, costs related to actual mitigation measures implemented as a result of the proposed rule that are not otherwise captured in TSA's cost estimates. TSA requests comment on any costs that have not been quantified but may occur as a result of this proposed rule.

Table 11 shows the 10-year costs for the CRM program for the freight rail, PTPR, pipelines, and TSA. TSA estimates the 10-year total cost of the CRM program to be $3.00 billion undiscounted, $2.55 billion discounted at 3 percent, and $2.10 billion discounted at 7 percent. The CRM program is the largest cost provision. These costs include the cybersecurity evaluation (CSE) (which involves an enterprise-wide CSE); the COIP (which includes items related to the Cybersecurity Coordinator, identification of critical cyber systems, supply chain risk management, protection of critical cyber systems, incident response, training, detection of incidents, and the POAM); the CAP (which involves creating and submitting a plan that assesses the effectiveness of the COIP); and recordkeeping and compliance (which relates to those items needed to show compliance with provisions of the proposed rule).

Table 12 shows the 10-year costs by requirement for the freight rail industry. TSA estimates the 10-year costs to the freight rail industry to be $980 million undiscounted.

Table 13 shows the 10-year cost to the PTPR industry by requirement. TSA estimates the 10-year costs to the PTPR industry to be $1.26 billion undiscounted.

Table 14 shows the 10-year cost by requirement for the OTRB industry. TSA estimates the 10-year costs to the OTRB industry to be $248 thousand undiscounted.

Table 15 shows the 10-year cost by requirement for all the requirements for the pipeline industry. TSA is proposing to incorporate the corresponding physical security costs into this rulemaking to align pipeline with the other covered modes (for whom physical security provisions are already required). TSA estimates the 10-year costs to the combined pipeline industry to be $827 million undiscounted.

Table 16 shows the 10-year cost by requirement for TSA. TSA estimates the 10-year costs to TSA to be $18.9 million undiscounted.

b. Cost Sensitivity Analysis

TSA calculates a total cost for each industry based on estimates and assumptions on activities entities would likely engage in to satisfy requirements of the proposed rule. The majority of the costs are primarily driven by access control implementation, Critical Cyber System data backups, and cybersecurity training. Employee population size, which acts as a multiplication factor, is a key contributing factor for why access control and training result in such a high-cost impact. Baseline training, for instance, has a per employee burden of 1-hour per year, but when multiplied across the population of employees covered, the result is a significant expenditure. In section 3.8 of the RIA, TSA provides a sensitivity analysis that assesses uncertainty within these key cost drivers including how owner/operators may accomplish compliance and to what extent they may already meet the proposed rule requirements through existing actions and thus provide a sense of the possible practical incremental costs of the proposed rule. None of the cost drivers tested under the sensitivity analysis apply to OTRB entities; therefore, TSA did not include OTRB in the sensitivity analysis.

Specifically, TSA evaluates cost implications associated with differing assumptions related to MFA being used for access control where 25 percent are assumed to be fully implemented and an additional 25 percent are partially implemented by affected entities, rather than not implemented at all in any affected entities. For Critical Cyber System data backups, TSA assumes 20 percent of entities would fully satisfy the proposed rule's requirement and 50 percent would partially satisfy the proposed rule's requirement. For the last cost driver evaluated, employee training, TSA varies assumed compliance with the necessary level of training from 0 percent across industry in the primary analysis to including 20 percent fully compliant and 50 percent partially compliant. The costs resulting from varying these cost driver assumptions for each mode are depicted below.

Table 17 presents freight rail sensitivity analysis costs and compares them to the freight rail costs in the primary analysis. Based on the sensitivity assumptions for access control, data backups, and cybersecurity training, the estimated total cost to freight rail is about $655.5 million which is 33 percent ($342.2 million) less than freight rail estimated cost in the primary analysis.

Table 18 presents PTPR sensitivity analysis costs and compares them to the PTPR costs in the primary analysis. Based on the sensitivity assumptions, the total cost under the sensitivity is $783.4 million which is about 38 percent ($480.2 million) less than the total cost under the primary analysis. This larger percentage decrease from the primary analysis when compared to the freight rail and pipeline modes is attributed to the larger employee population within the PTPR industry. As the access control and cybersecurity training costs are calculated on a per employee basis, these requirements make up a greater portion of the overall cost to the PTPR industry, and therefore result in a more significant cost difference within the sensitivity analysis.

Table 19 presents pipeline sensitivity analysis costs and compares them to the pipeline costs in the primary analysis. Based on the sensitivity assumptions, the total sensitivity analysis cost to pipeline entities is $621.7 million which is about 25 percent ($205.7) less than the primary analysis estimates. This smaller percentage decrease from the primary analysis when compared to the other modes is attributed to the smaller employee population within the pipeline industry.

Table 20 presents the total costs using the aforementioned adjusted values from the sensitivity analysis. As shown, the total costs to industry under the sensitivity analysis based on the altered assumptions for the main cost drivers are $2.1 billion. This cost includes the adjusted costs of the three industries included in the sensitivity (freight rail, PTPR, and pipeline) as well as the unadjusted, undiscounted cost to OTRB entities (see Table 9). The difference from the primary analysis presented in Table 10 is $1.0 billion (a 33 percent reduction).

TSA requests public comment on the assumptions and estimates presented in the primary cost analysis as well as those within this sensitivity both of which may be used to better inform, update, or improve the overall analysis.

c. Benefits

The primary benefit of the proposed rule is a potential reduction in the risk of cybersecurity incidents as well as the impact of any such incident. The CRM program could enhance cybersecurity by reducing vulnerability to cybersecurity incidents by having defense mechanisms in place that increase owner/operator ability to monitor and mitigate threats as well as strengthening response measures in the event of a cybersecurity incident. Specifically, the proposed rule would require designated owner/operators for three of the four modes to identify a Cybersecurity Coordinator and report cybersecurity incidents. Owner/operators of freight railroads, PTPR, and pipeline facilities and systems that meet the applicability criteria would also be required to develop and implement a comprehensive CRM program.

The proposed CRM program includes three primary elements. First, covered owner/operators would be required to regularly conduct an enterprise-wide cybersecurity evaluation that would identify their current cybersecurity profile. Benefits of regular cybersecurity evaluations, such as through the rule's CSE requirement, and monitoring over time, include focusing attention on cybersecurity issues and initiatives, providing a means to assess or evaluate cyber-related threats and mitigation measures' evolution, as well as prioritizing response to address vulnerabilities effectively and informing budgeting and investments decisions for upgrade cycles and long-term improvements.

Second, owner/operators would be required to develop a COIP with requirements that focus on: (a) governance of the CRM program that helps ensure its successful implementation, relevance, and ability to address cybersecurity matters; (b) identification of critical cyber systems to help prioritize and optimize efforts; (c) protecting critical cyber systems that help minimize unnecessary network traffic, control internal network access points for users, shorten network downtime and increase reliable operational uptime, stop threats more quickly, as well as minimize the risks associated with lost data; (d) detecting and monitoring critical cyber systems to help detect incidents sooner and respond to incidents more quickly, potentially reducing the associated impacts; and (e) ensuring response and recovery to help ensure efficient and effective restoration of operational capabilities following an incident. As part of this COIP process to ensuring response and recovery, owner/operators would develop a CIRP that would require an established set of policies and procedures in place to respond to intrusions into their critical cybersecurity systems and maintenance or reconstitution of operations during an incident. Reduction in time and confusion with how they respond to future incidents provides a benefit to owner/operators, passengers/consumers, and society.

Third, owner/operators would be required to have a CAP that includes an independent evaluation of the effectiveness of their CRM program and identification of unaddressed vulnerabilities that helps establish greater accountability. Independent evaluation will ensure that the assessments, audits, testing, and other assessment capabilities would not be conducted by individuals who have oversight or responsibility for implementing the owner/operators CRM program and have no vested or other financial interest in the results.

The proposed rule would also expand the requirement for having a Physical Security Coordinator (currently in 49 CFR 1570.201) and reporting significant physical security concerns (currently in 49 CFR 1570.203) to owner/operators of designated pipeline facilities and systems, which helps delineate clear communication channels by establishing a single point of contact and creates greater awareness of the various types of cybersecurity threats encountered.

The proposed rule's CRM program requirements could create benefits through the identification, protection, detection, response, and recovery from cybersecurity threats which are discussed more fully in the RIA. Identifying a standardized requirement applicable to owner/operators that meet applicability criteria, would also provide more consistent application of and investments in cybersecurity measures yet offer flexibility by focusing on security outcomes which allows for innovation and the unique operational aspects for each owner/operator. In addition, applicability criteria based on the volume of passengers or goods transported, as opposed to entity size, focuses requirements on owner/operators where there is the greatest potential impact, including small entities that play a critical role or function. Further, the proposed requirements would encourage greater investment and development of cybersecurity measures, potential pooling of resources to address common issues, as well gains in efficiencies over time which would reduce the direct and indirect costs of cybersecurity incidents.

d. Break-Even Analysis

TSA uses a break-even analysis to help understand and frame the relationship between the potential benefits of the proposed rule and the costs of implementation. Consistent with OMB Circular No. A-4, “Regulatory Analysis,” this analysis answers the question “How small could the value of the non-qualified benefits be (or how large would the value of the non-quantified costs need to be) before the rule would yield zero net benefits?”

A break-even analysis estimates a threshold value for the security benefits of the proposed rule so that the benefits of the rulemaking exactly match its costs. TSA compared potential consequence levels of cybersecurity incidents to the annualized cost (discounted at 7 percent) to industry and TSA from the proposed rule for each mode to estimate how often a cybersecurity incident of that size would need to be averted for the expected benefits to equal estimated costs for that transportation mode.

As part of calculating the break-even point of an analysis, TSA uses the full cost of the cybersecurity provisions of the proposed rule (physical security related requirements are not included) to assess the level of benefits or avoided costs required to break even. Applying the simplest version of the conclusion, if the proposed rule prevents annual costs of approximately $307.8 million (at 7 percent) across all impacted surface modes, its benefits will justify its costs.

TSA also calculates the prevention of costs necessary for freight rail, PTPR, and pipeline independently using CRM program costs identified in Tables 21, 22, and 23. These tables also present a selection of break-even scenarios of varying magnitudes to illustrate the level of risk reduction necessary for such sized events to break-even. Specifically, they include the annualized cost of the cybersecurity focused provisions of the proposed rule (discounted at 7 percent) along with identified consequence levels or avoided losses. Those values are divided by each other to derive the required risk reduction and frequency of averted cybersecurity incidents to break even with respect to the cost of the CRM program of the proposed rule.

Table 21 presents the amount of risk reduction necessary for a range of consequence levels relative to freight rail estimated CRM program costs. TSA uses the AAR's estimate that a complete nationwide shutdown of freight rail transportation could cost the U.S. economy more than $2 billion a day as a basis for potential impact. Based on this figure, even if only a fractional amount of the system were incapacitated or operated at reduced capacity it would result in substantial impacts depending on the number of days affected. The CRM rule would reduce the likelihood of the type of systemic disruption that would occur from a wide scale attack through the regulation of the largest and most interconnected owner/operators. If an attacker were to gain access to a freight rail entity's IT system and further penetrate the OT system, such an attacker could cause rail service interruptions for that entity and potential wider cascading effects, especially if multiple owner/operators were attacked simultaneously. The CRM rule would reduce the likelihood of such an attack occurring through the protections implemented in the COIP, such as network segmentation, access control and patch management. If the attack partially succeeded, the CRM rule would reduce the impact of such an incident due to the requirements to develop plans to detect, respond to and recover from cybersecurity incidents as part of the COIP. TSA shows break-even levels based on $1 billion, $10 billion, and $20 billion consequence levels by comparing the magnitude of the consequences to the annualized cost of the proposed CRM rule discounted at 7 percent.

Table 22 presents the amount of risk reduction necessary for a range of consequence levels relative to PTPR estimated CRM program costs. The type of incident and size of the ridership impacted would greatly impact the level of consequence. For instance, shutting down municipal rail services for under a million passengers for a day is different than shutting down and/or delaying services of multiple million for a prolonged period of time. In such cases, the impact may largely represent delays in time and inconvenience while other instances, they may include train derailments or collisions that result in loss of life. If an attacker were to gain access to a transit entity's IT system and without sufficient network segmentation further penetrate the OT system, such an attacker could cause service interruptions for that entity's riders by impacting critical systems that prevent travel or disrupt safety measures that could require trains to operate at reduced speeds or potentially cause them to derail/collide. The CRM rule would reduce the likelihood of such an attack occurring through the protections implemented in the COIP like network segmentation, access control and patch management. If the attack partially succeeded, the CRM rule would reduce the impact of such an incident due to the requirements to develop plans to detect, respond to and recover from cybersecurity incidents as part of the COIP. TSA shows break-even levels based on $1 billion, $2 billion, or $4 billion consequence levels by comparing the magnitude of the consequences to the annualized cost of the proposed CRM rule discounted at 7 percent.

Table 23 presents the amount of risk reduction necessary for a range of consequence levels relative to pipeline estimated CRM program costs. The national pipeline system transports hazardous liquids, natural gas, and other liquids and gases that are used by various other segments of the economy including supplying materials for energy needs and manufacturing. Disrupting the transportation of these materials can have widespread effects that increase in magnitude depending on the pipelines impacted and the disruptions length of time. If an attacker were to gain access to a pipeline entity's IT system and without sufficient network segmentation further penetrate the OT system, such an attacker could cause product delivery interruptions for that entity or a wider set of pipeline network effects by causing damages to extensive portions of pipeline or critical/large junctions. Consistent with the above discussion on rail, the CRM rule would reduce the likelihood of such an attack occurring through the protections implemented in the COIP like network segmentation, access control and patch management. If the attack partially succeeded, the CRM rule would reduce the impact of such an incident due to the requirements to develop plans to detect, respond to and recover from cybersecurity incidents as part of the COIP. Given the expansive impact pipeline products have on various aspects of the economy, TSA assumes a widespread disruption to the system could range from $1 to $2 billion per day. Based on this figure, even if only a fractional amount of the system were disrupted or operated at reduced capacity, this disruption could result in substantial impacts depending on the number of days affected. TSA shows break-even levels based on $2 billion, $10 billion, and $20 billion of consequence compared to the annualized cost of the proposed CRM rule discounted at 7 percent.

TSA also compares the potential levels of consequence to the estimated costs of the CRM rule under its cost sensitivity assumptions discussed above. For Freight Rail the annualized cost of the rule discounted at 7 percent falls from $98.22 million in the primary proposal to $65.95 million in the sensitivity analysis. Freight Rail risk reduction is reduced by 33 percent in direct proportion to the 33 percent reduction in cost. Consequently, each of the contemplated $1 billion, $10 billion, and $20 billion consequence attacks need to be prevented less frequently for the proposed rule's costs and benefits to balance.

For the PTPR mode, the annualized cost of the proposed rule discounted at 7 percent falls from $125.74 million in the primary proposal to $78.06 million in the sensitivity analysis. PTPR risk reduction is reduced by 38 percent in direct proportion to the 38 percent reduction in cost. Consequently, each of the contemplated $1 billion, $2 billion, and $4 billion consequence attacks need to be prevented less frequently for the proposed rule's costs and benefits to balance.

And finally, for the pipeline mode, the annualized cost of the proposed rule discounted at 7 percent falls from $83.69 million in the primary proposal to $63.22 million in the sensitivity analysis. Pipeline risk reduction is reduced by 25 percent in direct proportion to the 25 percent reduction in cost. Consequently, each of the contemplated $2 billion, $10 billion, and $20 billion consequence attacks need to be prevented less frequently for the proposed rule's costs and benefits to balance.

As devastating as the direct impacts of a successful cybersecurity incident can be in terms of the immediate loss of life and property, avoiding the impacts of the more difficult to measure indirect effects are also substantial benefits of preventing a cybersecurity incident. For instance, should there be a cybersecurity incident impacting a public transit system, potential ripple impacts could include additional hardship on individuals who would then have to find alternate means of transportation. This use of alternate means of transportation would likely lead to increased traffic and commuting times on roadways, which has costs both in terms of additional gasoline and accrued wear and tear at the micro level but also compounded environmental effects at the macro level. A more detailed discussion of the break-even analysis and review of potential consequence with some illustrative examples can be found in Section 4.2 of the RIA.

Although the break-even analysis considers each example separately, it is more likely that a combination of preventing all these scenarios and others would provide the benefits from these requirements. Cybersecurity incidents could carry considerable consequences in terms of equipment damages, disruption of services, and even loss of life. The impacts can reach billions of dollars depending on the scope of the incident; therefore, preventing even a small number of such potential incidents can justify the cost of the CRM program. However, considering the potentially high costs of future cybersecurity incidents, including the (unquantifiable but real) risk of high-cost or potentially catastrophic incidents, TSA believes that the benefits of the proposed rule are likely to justify its costs.

3. OMB A-4 Statement

The OMB A-4 Accounting Statement presents annualized costs and qualitative benefits of the proposed rule.

4. Alternatives Considered

In addition to the proposed rule, TSA also considered three alternative regulatory options to the primary alternative reviewed in the analysis. The first alternative is to implement a limited scope of requirements. The second alternative is to reduce the applicability of the rule across the industries being regulated. The third alternative is to add regulatory requirements that mandate vetting, including a terrorism/other analyses check and immigration check for all frontline workers in the pipeline industry, as well as a terrorism/other analyses check, immigration check, and a CHRC for all Cybersecurity Coordinators and accountable executives in all industries.

Alternative 1 would limit the rule to the following requirements:

• Governance of the CRM program (proposed sections 1580.309, 1582.209, and 1586.209)
• Cybersecurity Coordinator (proposed sections 1580.311, 1582.211, and 1586.211)
• Identification of Critical Cybersecurity Systems (proposed sections 1580.313, 1582.213, and 1586.213)
• Reporting Cybersecurity Incidents (proposed sections 1580.325, 1582.225, and 1586.225)
• Cybersecurity Incident Response Plan (proposed sections 1580.327, 1582.227, and 1586.227).

These requirements identify responsible persons and organizations for an owner/operator's CRM program, identify the cybersecurity systems, require the reporting of cybersecurity incidents to CISA, and require the submission of a CIRP. This alternative includes some of the provisions in TSA's current SDs but does not require owner/operators to implement measures necessary to meet all the proposed security outcomes to protect against ransomware attacks and other known threats to IT and OT systems, nor to conduct a cybersecurity evaluation or have a robust assessment program. Any other security requirements or program implementation would be up to the owner/operator to establish and implement voluntarily for themselves. This alternative would still enable TSA to maintain oversight at a reactionary level, but it would reduce visibility into implementation of any preventative efforts.

Alternative 2 would shrink the applicability of the requirements to the largest owner/operators in each of the regulated industries. This alternative would reduce the freight rail applicability to cover a population limited to only Class I rail lines as defined by the Surface Transportation Board, resulting in a scope of just six owner/operators. The PTPR applicability would cover a population limited to just owner/operators who host Class I freight railroads/Amtrak lines or those who have an average daily ridership of 100,000 passengers in any of the previous 3 years or at any time in the future. This covers a current population of 27 owner/operators, down from 34 in the preferred alternative, and would reduce the ridership protected to around 90 percent of daily ridership nationwide. For the regulated pipeline owner/operators, this alternative would change the applicability to the 98 critical owner/operators of hazardous liquid and natural gas pipelines and liquefied natural gas facilities.

Alternative 3 would introduce a requirement for accountable executives and Cybersecurity Coordinators, in all covered entities, to receive a Level 3 STA. Furthermore, this alternative would require all frontline workers (“security-sensitive employees”) in the pipeline industry to undergo a Level-2 STA, consistent with the proposed requirements for security-sensitive requirements in the Security Vetting of Certain Transportation Workers Rulemaking.

Table 28 shows a comparison of the cost of the alternatives considered.

Although not the least costly option, TSA presents the proposed rule as its preferred option. Alternative 1 has a smaller up-front cost but is less proactive. Based on the recentness of the SDs, the extent that some companies are already implementing adequate cybersecurity policies consistent with the guidelines described in this rulemaking, and internal TSA data from 2021/2022, the industry was failing to implement preventative measures on its own. As a result, limiting the scope of the requirements, as Alternative 1 does, produces an unacceptable level of risk for TSA. Reducing the scope would remove the requirement from some entities to meet specific cybersecurity performance measures to protect against cybersecurity incidents that could threaten the availability, integrity, and confidentiality of data on and traversing IT and OT systems, to conduct a cybersecurity evaluation, and have an assessment plan. These proactive cybersecurity actions, evaluations, and assessments are considered best practices. Reducing the scope of the CRM in this fashion would increase the vulnerability of the covered operators to a host of cybersecurity incidents and impacts the CRM is designed to address.

Alternative 2 also has a smaller cost. This alternative, however, might increase the risk to the surface transportation infrastructure as it does not cover many entities TSA considers important. This increased risk reduction is important based on the role these entities and industries play in the supply chain, movement of people and goods, and their respective regional economies. Short line and regional railroads provide interconnectedness among the nation's rail customers and are a critical facet of the overall railroad industry. Leaving these railroads out of the applicability pool may result in critical terminal and switching services in addition to the pickup and delivery portions of the railroad being more vulnerable and susceptible to cybersecurity incidents. Due to the interconnectedness of the nation's rail system, if the connecting railroads are immobilized, cross-county rail service provided by the Class 1 railroads and its ability to move cargo may also be impacted thus having larger cascading effects.

For PTPR, the criteria of the preferred alternative apply to the high consequence operators and cover most of the national daily rail ridership. Reducing the scope of the covered entities in Alternative 2 reduces the level of the commuting population protected by the proposed cybersecurity performance measures and thus they are still exposed to a higher level of risk. If a cybersecurity incident affected one of these entities, the damages and consequences could have a cascading effect beyond just the target and into the local and regional communities.

A reduction in covered pipeline operators could affect risk mitigation of potential operational disruption which could have widespread impacts. For instance, a cybersecurity incident affecting a control room that operates multiple pipeline systems, or impacting multiple pipelines, could lead to a large cascading impact on pipeline delivery, which could disrupt the accessibility of needed product to the communities reliant on the pipeline product.

Alternative 3 is costlier than the proposed rule due to the additional requirements added. However, the primary benefit of this alternative is the potential to reduce insider threats from employees who may wish to do harm, which could be aggravated to the extent the employee has access to sensitive information and/or operations. Accountable executives and Cybersecurity Coordinators for all modes, and the frontline employees and Physical Security Coordinators for the pipeline industry, are not currently required to undergo a terrorism/other analyses check, immigration check, or a CHRC. Requiring these individuals to undergo a terrorism/other analyses check against government databases may enable TSA to identify individuals who may pose a security threat.

Although Alternative 3 is not included in the primary analysis at this time, TSA seeks comments from affected stakeholders on how the vetting of Cybersecurity Coordinators, accountable executives, and/or pipeline employees would impact their operations and costs. TSA specifically seeks data regarding how many of the entity's employees the entity has that would be subject to the vetting requirements. Based on comments received, TSA may consider including appropriate vetting requirements in a final rule. TSA notes that it has already proposed the vetting of frontline workers for freight rail and PTPR, and of security coordinators for freight rail, PTPR, and OTRBs in a separate rulemaking.

5. Regulatory Flexibility Assessment

The RFA requires agencies to consider the impacts of their rules on small entities. TSA performed an IRFA to analyze the impact to small entities affected by the proposed rule. The following provides a summary of the full RIA, which is available in the docket for this rulemaking.

Under the RFA, the term “small entities” comprises small businesses, not-for-profit organizations that are independently owned, operated, and not dominant in their fields, as well as small governmental jurisdictions with populations of less than 50,000. TSA performed an IRFA of the impacts on small entities from this proposed rule in the first year of the analysis and found that it may affect an estimated 293 U.S. entities (73 corporate-level Class I, II, and III freight railroad owner/operators, 34 PTPR owner/operators, 71 OTRB owner/operators, and 115 pipeline owner/operators). TSA analyzed all the entities that would be affected by the proposed rule and TSA found that 35 percent of them would be considered small. The proposed rule would require small freight rail, PTPR, and pipeline entities to (a) designate a Cybersecurity Coordinator, (b) report cybersecurity incidents to CISA, (c) establish a CRM program, (d) familiarization, (e) compliance, and (f) recordkeeping. Additionally, pipeline owner/operators would have to designate a Physical Security Coordinator and report significant physical security concerns to TSA. OTRB entities would only have to report cybersecurity incidents to CISA.

Regulated entities have different requirements under the proposed rule, depending on their industry. Freight rail, PTPR, and pipeline owner/operators would be required to designate a Cybersecurity Coordinator, report cybersecurity incidents, and have a CRM program approved by TSA and incur costs associated with familiarization, compliance, and recordkeeping requirements. Pipeline owner/operators have additional requirements to designate a Physical Security Coordinator and report significant physical security concerns to TSA. TSA is proposing that OTRB owner/operators must report cybersecurity incidents to CISA, as well as incur familiarization costs. TSA estimates the proposed rule's requirements to cost $486,792 per entity for freight rail owner/operators, $682 per entity for OTRB owner/operators, and $484,848 per entity for pipeline owner/operators in the highest cost year of the proposed rule. TSA did not calculate the cost per entity for PTPR entities in this IRFA as none of the PTPR owner/operators are considered small. Separately, TSA estimates the proposed rule requirements to cost $537 per employee for freight rail entities, and $659 per employee for pipeline owner/operators. The proposed rule has zero cost per employee for OTRB owner/operators, as the proposed requirements covering these entities (cybersecurity incident reporting) are not based on the number of employees and thus do not incur any associated per employee cost. TSA invites all interested parties to submit data and information regarding the potential economic impact on small entities that would result from the adoption of the requirements in the proposed rule.

TSA estimated the overall impact on small entities due to the proposed rule by adding the number of small entities affected (with revenue data available) in each revenue impact range for each of the four subgroups: freight rail, PTPR, OTRB and pipeline industries. Across the combined 293 covered entities, TSA estimates that 79 (27 percent) are considered small. Of these small entities, TSA found employment and revenue data on 75 entities. The IRFA finds that 11 of the analyzed entities would have an impact greater than one percent of their annual revenue. Table 29 presents the likely distribution of impact for small owner/operators.

An Identification, to the Extent Practicable, of All Relevant Federal Rules Which May Duplicate, Overlap, or Conflict With the Proposed Rule

As noted by the ONCD in an August 2023 Request for Information, the National Cybersecurity Strategy calls for establishing cybersecurity regulations to secure critical infrastructure where existing measures are insufficient; harmonizing and streamlining new and existing regulations; and enabling regulated entities to afford to achieve security. TSA emphasizes its commitment to regulatory harmonization and streamlining, and notes that this proposed rule, which is grounded in NIST's Framework for Improving Critical Infrastructure Cybersecurity, NIST's standards and best practices, and the CISA CPGs, is consistent with such priorities. TSA also acknowledges the ongoing rulemakings of other DHS components, including ongoing rulemakings on cybersecurity in maritime transportation and implementation of CIRCIA. TSA notes potential differences in terminology and policy as compared to those rulemakings; although TSA views such differences as intentional and based on sector-specific distinctions, TSA welcomes comments on opportunities to harmonize and streamline regulations where feasible and appropriate.

For pipeline owner/operators, TSA will coordinate activities under this part with the FERC, and the PHMSA of the DOT with respect to regulation of pipeline systems and facilities that are also licensed or regulated by the FERC or PHMSA, to avoid conflicting requirements and minimize redundancy of compliance activities.

TSA is also aware that some pipeline owner/operators may also have other business lines in the energy sector that are subject to regulations issued by DOE, and FERC's cybersecurity standards as issued by the NERC. TSA has committed to reducing the impact on these multi-sector companies by aligning the agency's proposed requirements with the NIST CSF, which is also used by the DOE, FERC, and NERC.

TSA is currently participating in a forum of regulatory agencies looking at opportunities for harmonization and reciprocity for cybersecurity requirements. In addition, CISA is required by CIRCIA to issue a rule to implement a 72-hour covered cyber incident reporting requirement and 24-hour ransom payment reporting requirement for ransom payments made in connection with a ransomware attack. These requirements would be applicable to covered entities across critical infrastructure sectors, as further defined by CISA through rulemaking. Although this NPRM and CISA's rulemaking could technically create two cyber incident reporting requirements for some entities, TSA does not believe that this is likely to result in any actual duplicative reporting because entities subject to the cybersecurity incident reporting requirements proposed in this NPRM would be required to make their reports to CISA. Currently, TSA has determined CIRCIA does not require TSA to modify its proposed reporting requirements. TSA will, however, re-assess its proposed requirements as CISA's rule is finalized to avoid any unnecessary conflicts or redundancies. TSA is committed to working with CISA to ensure that entities required to report to CISA under both CIRCIA and this proposed rule, if any, can do so in a single report where legally possible. If necessary to do so, CISA and TSA will explore leveraging an exemption in CIRCIA for covered entities that are required to report substantially similar information to another Federal agency within a substantially similar timeframe, where CISA and the Federal agency have an agreement and information sharing mechanism in place. Currently, TSA has determined CIRCIA does not require TSA to modify its proposed reporting requirements. TSA will, however, re-assess its proposed requirements as CISA's rule is finalized to avoid any unnecessary conflicts or redundancies.

A Description of Any Significant Alternatives to the Proposed Rule That Accomplish the Stated Objectives of Applicable Statues and May Minimize Any Significant Economic Impact of the Proposed Rule on Small Entities, Including Alternatives Considered

The first regulatory alternative TSA considered would limit the scope of requirements. This alternative would include provisions requiring the owner/operator to identify responsible persons and organizations for an owner/operator's CRM program, identify the owner/operator's cybersecurity systems, the reporting of cybersecurity incidents to CISA/TSA, and the submission of an incident response plan. Any other security requirements or program implementation would be up to the owner/operator to establish and implement voluntarily for themselves. This alternative would still enable TSA to maintain oversight in a more reactive posture, but it would eliminate visibility of any preventative efforts owner/operators are undertaking and would not ensure the necessary baseline of cybersecurity measures is being consistently implemented across these higher-risk operations.

Unlike the proposed rule, Alternative 1 would have no per employee costs, as well as reduce the number of per entity costs. TSA did not evaluate the impact to small entities for PTPR and OTRB owner/operators under this alternative as none of the PTPR owner/operators identified by TSA are considered small under the SBA size standards and OTRB owner/operators would be excluded under the applicability of this alternative.

This alternative has lower estimated costs than the preferred alternative. TSA did not select it because it provides a reduced level of cybersecurity risk mitigation. TSA believes such mitigation is necessary given the key role these industries play in the supply chain, movement of people and goods, and the economy. This alternative would not require the visibility or accountability aspects of NIST's “detect” or “protect” elements that, when implemented as part of a cyber-risk management program, would help prevent malicious actors from exploiting vulnerabilities as well as ensure the confidentiality, availability, and integrity of their critical systems. Not including protecting critical cyber systems and having capabilities to respond to a cybersecurity incident reduces the level of protection when compared to the preferred alternative. Furthermore, a cybersecurity incident on any entity covered by the proposed rule, regardless of size, could have cascading impacts on the nation's economy.

Dynamic and emerging cybersecurity threats to the nation's rail and hazardous liquid and natural gas pipeline infrastructure require a more proactive approach toward reducing risk related to cybersecurity. In this case, TSA believes risk-based cybersecurity policy is the most effective means to mitigate the effects of potential cybersecurity incidents on critical infrastructure while minimizing costs to both industry and government. Exempting an entity solely based on its SBA-determined size would diminish the risk reduction this rulemaking is designed to achieve by failing to consider other criteria that may signal the critical value of the owner/operator to the transportation system.

The second alternative that TSA considered would limit the applicability of the requirements to the largest and most critical owner/operators in each of the regulated industries. This alternative would limit applicability of requirements for freight railroads to Class I Railroads, as defined by the Surface Transportation Board. For PTPR, requirements would be limited to owner/operators that host Class I Freight Rail Lines or those with an average daily ridership of 100,000 passengers in at least one of the last 3 years or in any future year. For pipelines, only the 98 most critical owner/operators of hazardous liquid and natural gas pipelines and liquefied natural gas facilities would be subject to the requirements. Under this more limited applicability, Alternative 2 would cover six Class I freight rail owner/operators, 27 PTPR agencies, and 100 pipeline owner/operators in the tenth year of the proposed rule. OTRB owner/operators would be excluded under this alternative.

While Alternative 2 has the same cost per entity as the preferred alternative, this alternative reduces the overall number of entities determined to be small. All freight rail owner/operators determined to be small under the proposed rule would be removed from applicability of the proposed rule under Alternative 2, as none of the Class 1 freight railroads are considered small. OTRB owner/operators would have the same requirements as the proposed rule; however, none of the small OTRB owner/operators have a cost impact greater than one percent of annual revenue under either the proposed rule or this alternative. The number of small pipeline owner/operators would decrease from 23 to 13.

From an RFA perspective, this alternative impacts fewer small entities than the proposed rule. However, TSA has determined this alternative produces an unacceptable level of risk given the key role these industries play in the supply chain, movement of people and goods, and the economy. There are owner/operators not covered under these criteria that play a critical role in contributing to the stability and security of the movement of people and goods. An incident to these owner/operators may still result in a ripple effect throughout the economy. TSA believes railroads that transport the largest volume of cargo, and freight railroads that serve as critical connections between Class I railroads or serve as vital links in the STRACNET, are critical to the transportation industry. A cybersecurity incident affecting any of these railroads, regardless of the size of the entity, would have the most significant impact on rail transportation, national security, and economic security. Similarly, pipeline systems and facilities that transport the largest volume of commodities, regardless of entity size, would lead to the potential for a sustained disruption in service should a successful cybersecurity incident affect their ability to support national security needs, including economic security. While TSA acknowledges that Alternative 2 would have reduced impacts on small entities, due to the quantitative (volume) and qualitative (strategic) applicability criteria in the proposed rule, TSA does not believe making applicability exceptions based on SBA size standards is justified.

In addition, TSA performed a sensitivity analysis of three major cost drivers (access control costs, cybersecurity systems data backup costs, and cybersecurity training) to help understand and evaluate the practical impacts of the proposed rule versus the zero-baseline assumption used in the primary analysis. The sensitivity analysis assumes 25 percent of freight rail and pipeline entities are already in full compliance with identified requirements, and 25 percent are in partial compliance. While the assumptions in the IRFA sensitivity analysis would not result in an increased economic impact on small PTPR entities (because no PTPR entities covered by the NPRM are small entities) or affect the cost estimates for OTRB entities (because OTRB doesn't incur any of the costs modified in the sensitivity analysis and none have a cost impact greater than one percent of annual revenue), they would reduce cost impacts on small freight rail and pipeline entities and decrease the number that would incur a cost greater than one percent of annual revenues.

6. International Trade Impact Assessment

The Trade Agreement Act of 1979 prohibits Federal agencies from establishing any standards or engaging in related activities that create unnecessary obstacles to the foreign commerce of the United States. The Trade Agreement Act does not consider legitimate domestic objectives, such as essential security, as unnecessary obstacles. The statute also requires that international standards be considered and, where appropriate, that they be the basis for U.S. standards. TSA has assessed the potential effect of this proposed rule and has determined this rulemaking would not have an adverse impact on international trade.

7. Unfunded Mandates Assessment

Title II of UMRA establishes requirements for Federal agencies to assess the effects of their regulatory actions on State, Local, and Tribal governments as well as the private sector. Under section 202, UMRA requires Federal agencies to prepare a written statement, including a cost-benefit analysis, for proposed and final rules with “Federal mandates” that may result in expenditures by State, Local, and Tribal governments in the aggregate or by the private sector of $100 million (adjusted for inflation) or more in any year. Before an agency promulgates a rule for which a written statement is required, section 205 of UMRA generally requires identification and consideration of a reasonable number of regulatory alternatives, and adopting the least costly, most cost-effective, or least burdensome alternative that achieves the objectives of the rule. The provisions of section 205 do not apply when they are inconsistent with applicable law. Moreover, section 205 allows an agency to adopt an alternative other than the least costly, most cost-effective, or least burdensome alternative if the final rule includes an explanation about why that alternative was not adopted.

Before establishing any regulatory requirements that may significantly or uniquely affect small governments, including tribal governments, Federal agencies must develop under section 203 of UMRA a small government agency plan. The plan must provide for notifying potentially affected small governments; enabling officials of affected small governments to have meaningful and timely input in the development of regulatory proposals with significant federal intergovernmental mandates; and informing, educating, and advising small governments on compliance with the regulatory requirements.

Section 4 of UMRA includes several types of actions that are excluded from its requirements. Among these exclusions are regulations necessary for the national security. This rule is not subject to UMRA review because it is a regulation necessary for the national security of the United States. As noted in the National Cybersecurity Strategy, this rule is being promulgated because of national security concerns related to the protection of Critical Cyber Systems, the loss or disruption of which could have impacts on national security, including economic security.

B. Paperwork Reduction Act

The Paperwork Reduction Act of 1995 (PRA) requires that DHS consider the impact of paperwork and other information collection burdens imposed on the public. Under the provisions of PRA section 3507(d), DHS must obtain approval from the OMB for each collection of information it conducts, sponsors, or requires through regulations.

This proposed rule would call for a collection of information under the PRA. Accordingly, DHS has submitted to OMB the proposed rule and this analysis, including the sections relating to collections of information. As defined in 5 CFR 1320.3(c), “collection of information” includes reporting, recordkeeping, monitoring, posting, labeling, and other similar actions. This section provides the description of the information collection and of those who must collect the information as well as an estimate of the total annual time burden.

We ask for public comment on the proposed collection of information to help us determine, among other things—

• How useful the information is;
• Whether the information can help us perform our functions better;
• How we can improve the quality, usefulness, and clarity of the information;
• Whether the information is readily available elsewhere;
• How accurate our estimate is of the burden of collection;
• How valid our methods are for determining the burden of collection; and
• How we can minimize the burden of collection.

Please see instructions under “Public Participation” for submission of comments on the information collection.

As protection provided by the PRA, as amended, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. OMB has previously approved an information collection request (ICR) for Pipeline Critical Infrastructure List under OMB Control Number 1652-0050, Pipeline Security Incident Reporting under OMB Control No. 1652-0055, Pipeline Corporate Security Reviews under OMB Control No. 1652-0056, and Cybersecurity Measures for Surface Modes under OMB Control No. 1652-0074. This proposed collection consolidates and replaces all current ICR requirements for CRM of freight rail, passenger rail, and pipeline owner/operators under one OMB control number. Upon approval of the new ICR and publication of a final rule, TSA will amend, or as appropriate rescind, the current ICRs associated with TSA SDs currently in effect. Even though most of the ICRs in the CRM NPRM are currently covered by approved ICRs, TSA is adding a few new requirements requiring information collection that were not previously included in TSA SDs or otherwise in approved ICRs.

These new requirements for all rail (freight, passenger, and transit) and pipeline owner/operators subject to the ICR include: (1) submission of a Cybersecurity training program to TSA for approval (reporting); (2) maintaining records of employee cybersecurity training (record keeping); and (3) maintaining records of inclusion of supply chain security measures in the owner/operator's COIP. OTRB owner/operators are currently required to report significant security concerns and would also be required to report cybersecurity incidents.

Finally, the CRM NPRM proposes to add a new requirement for pipeline owner/operators to: (1) designate a physical security coordinator and submit the contact information to TSA and (2) report significant physical security concerns to TSA. This additional requirement for pipelines would align with requirements applicable to the other owner/operators covered by the proposed rule. Upon finalization of the CRM rulemaking, TSA will use the information collection to establish compliance with the new regulatory requirements. By implementing these performance-based requirements, TSA would ensure that the 293 higher-risk entities have measures in place to address current cybersecurity risks with the flexibility necessary to address emerging threats and deploy evolving capabilities, and that CISA and TSA are receiving information on cybersecurity threats from all higher-risk surface owner/operators identified by TSA, including 71 OTRB entities not currently subject to the SDs. Accordingly, TSA has submitted all information requirements to OMB for its review.

Table 31 shows the information collection and corresponding burden-hours for entities falling under the requirements of the proposed rule. The collections that have been implemented under the SD-related ICRs would continue or be updated under the proposed rule.

C. Federalism (E.O. 13132)

A rule has implications for federalism under E.O. 13132 of August 4, 1999 (Federalism) if it has substantial direct effects on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among the various levels of government. TSA has analyzed this proposed rule under Executive Order 13132 and determined that it does not have implications for federalism. TSA welcomes public comments on Executive Order 13132 federalism implications.

D. Energy Impact Analysis (E.O. 13211)

DHS analyzed this proposed rule under E.O. 13211 of May 18, 2001 (Actions Concerning Regulations That Significantly Affected Energy Supply, Distribution or Use), and determined that it is not a “significant energy action” under that E.O. and is not likely to have a significant adverse effect on the supply, distribution, or use of energy. Therefore, this rulemaking does not require a Statement of Energy Effects.

E. Environmental Analysis

DHS reviews proposed actions to determine whether the National Environmental Policy Act (NEPA) applies to them and, if so, what degree of analysis is required. DHS Management Directive 023-01 Rev. 01 and Instruction Manual 023-01-001-01 Rev. 01 establish the procedures that DHS and its components use to comply with NEPA and the Council on Environmental Quality (CEQ)'s regulations for implementing NEPA. The CEQ regulations allow Federal agencies to establish, with CEQ review and concurrence, categories of actions (“categorical exclusions”) which experience has shown do not individually or cumulatively have a significant effect on the human environment and, therefore, do not require preparation of an Environmental Assessment or Environmental Impact Statement.

The DHS categorical exclusions are listed in Appendix A of the Instruction Manual. Under DHS NEPA implementing procedures, for an action to be categorically excluded, it must satisfy each of the following three conditions: (1) The entire action clearly fits within one or more of the categorical exclusions; (2) the action is not a piece of a larger action; and (3) no extraordinary circumstances exist that create the potential for a significant environmental effect.

As previously discussed, this proposed rule would promote TSA's surface transportation security mission by establishing performance-based requirements to ensure higher-risk owner/operators have measures in place to address cybersecurity risks with the flexibility necessary to address emerging threats and deploy evolving capabilities. Specifically, this proposed rule would establish minimum cybersecurity requirements in TSA regulations such as account security measures, device security measures, governance and training, risk management, supply chain management, resilience, network segmentation, reporting, and physical security.

TSA has determined that this proposed rule clearly fits within categorical exclusion A3 in Appendix A of the Instruction Manual. Categorical exclusion A3 applies to promulgation of rules, issuance of rulings or interpretations, and the development and publication of policies, orders, directives, notices, procedures, manuals, advisory circulars, and other guidance documents of the following nature: (a) Those of a strictly administrative or procedural nature; (b) those that implement, without substantive change, statutory or regulatory requirements; (c) those that implement, without substantive change, procedures, manuals, and other guidance documents; (d) those that interpret or amend an existing regulation without changing its environmental effect; (e) technical guidance on safety and security matters; or (f) guidance for the preparation of security plans.

The requirements proposed in this rule are administrative in nature, providing technical guidance and instruction on safety and security matters and the preparation of security plans. TSA has further determined that the changes proposed in this rule would not result in any significant impact on the environment and, therefore, would not result in any “change in environmental effect.” TSA further finds no extraordinary circumstances associated with this proposed rule that may give rise to significant environmental effects necessitating further documentation and analysis. This rule specifically addresses surface transportation cybersecurity as a standalone rule and is not part of a larger action. Accordingly, this action is categorically excluded, and no further NEPA analysis or documentation is required. We seek any comments or information that may lead to the discovery of a significant environmental impact from this proposed rule.

F. Tribal Consultation (E.O. 13175)

DHS analyzed this proposed rule under E.O. 13175 of November 6, 2000 (Consultation and Coordination with Indian Tribal Governments), and determined that this rulemaking does not have tribal implications. For example, TSA determined that the applicability of requirements in proposed 49 CFR 1582.225 would not affect any public transportation systems owned or controlled by an Indian tribe, as defined in 24 U.S.C. 479A. Based on this determination, TSA has not specifically consulted with Indian tribal officials. Should TSA make a future determination that there is a risk to tribal owned/operated systems supporting the need for security enhancements, TSA will follow relevant consultation requirements before imposing any regulatory requirements.

The Proposed Amendments

For the reasons set forth in the preamble, the Transportation Security Administration is proposing to amend 49 CFR parts 1500, 1503, 1520, 1570, 1580, 1582, 1584, and 1586 to read as follows:

1. Revise the authority citation for part 1500 to read as follows:

Authority:49 U.S.C. 114, 5103, 40113, 44901-44907, 44912-44914, 44916-44918, 44935-44936, 44942, 46105; Pub. L. 110-53, 121 Stat. 266.

2. Amend § 1500.3 by:

a. Adding the definitions of “Carbon dioxide”, “Gas”, “Hazardous liquid”, “Liquefied natural gas (LNG)”, “Pipeline or pipeline system”, “Pipeline facility”, and “TSA Cybersecurity Lexicon” in alphabetical order; and

b. Revising the definitions of “Transportation or transport”, “Transportation facility”, and “Transportation security equipment and systems”.

The additions and revisions read as follows:

3. Revise the authority citation for part 1503 to read as follows:

Authority: 6 U.S.C. 1142; 18 U.S.C. 6002; 28 U.S.C. 2461 (note); 49 U.S.C. 114, 20109, 31105, 40113-40114, 40119, 44901-44907, 46101-46107, 46109-46110, 46301, 46305, 46311, 46313-46314; Pub. L. 104-134, 110 Stat. 1321, as amended by Pub. L. 114-74, 129 Stat. 584; Pub. L. 110-53, 121 Stat. 266.

4. Revise the authority citation for part 1520 to read as follows:

Authority: 46 U.S.C. 114, 40113, 44901-44907, 44912-44914, 44916-44918, 44935-44936, 44942, 46105, 70102-70106, 70117; Pub. L. 110-53, 121 Stat. 266.

5. Amend § 1520.5 by revising paragraphs (b)(2)(i), (b)(3)(i), (b)(4)(i) and (ii), (b)(6)(ii), introductory text of (b)(12), (b)(13), and (b)(14) to read as follows:

6. Amend § 1520.7 by revising paragraph (i) to read as follows:

7. Revise the authority citation for part 1570 to read as follows:

Authority: 18 U.S.C. 842, 845; 46 U.S.C. 70105; 49 U.S.C. 114, 5103a, 40113, and 46105; Pub. L. 108-90, 117 Stat. 1156, as amended by Pub. L. 110-329, 122 Stat. 3689; Pub. L. 110-53, 121 Stat. 266.

8. Revise § 1570.1 to read as follows:

9. Amend § 1570.3 by adding the definitions “Accountable executive”, “Cybersecurity”, “Cybersecurity-sensitive employee”, and “Physical security” in alphabetical order to read as follows:

10. Amend § 1570.7 by adding paragraph (a)(4) to read as follows:

11. Revise subpart B of part 1570 to read as follows:

12. Revise subpart C of part 1570 to read as follows:

13. Remove Appendix A to part 1570.

14. The authority citation for part 1580 continues to read as follows:

Authority: 49 U.S.C. 114; Pub. L. 110-53 (121 Stat. 266, Aug. 3, 2007) secs. 1501 (6 U.S.C. 1151), 1512 (6 U.S.C. 1162) and 1517 (6 U.S.C. 1167).

15. Amend § 1580.3 by:

a. Revising the introductory paragraph;

b. Removing the definition of “Class I”;

c. Adding the definitions of “Class I, II, or III”, “Component”, “Defense Connector Railroad”, “Positive Train Control”, “Switching or terminal service”, and “Train miles” in alphabetical order.

The revision and additions read as follows:

16. Revise subpart B of part 1580 to read as follows:

17. Revise the heading of subpart C of part 1580 to read as follows:

18. Add subpart D of part 1580 to read as follows:

19. Revise appendix B to part 1580 to read as follows:

Appendix B to Part 1580—Security-Sensitive Functions for Freight Rail

This table identifies security-sensitive job functions for owner/operators regulated under this part. All employees performing security-sensitive functions are “security-sensitive employees” for purposes of this rule and must be trained in accordance with this part.

20. Add appendix C to part 1580 to read as follows:

Appendix C to Part 1580—Reporting of Significant Physical Security Concerns

21. Revise the authority citation for part 1582 to read as follows:

Authority: 49 U.S.C. 114; Pub. L. 110-53, 121 Stat. 266.

22. Amend § 1582.3 by adding the definition of “Unlinked passenger trips” in alphabetical order.

23. Revise subpart B of part 1582 to read as follows:

24. Add subpart C of part 1582 to read as follows:

25. Revise appendix B to part 1582 to read as follows:

Appendix B to Part 1582—Security-Sensitive Job Functions for Public Transportation and Passenger Railroads

This table identifies security-sensitive job functions for owner/operators regulated under this part. All employees performing security-sensitive functions are “security-sensitive employees” for purposes of this rule and must be trained in accordance with this part.

26. Add appendix C to part 1582 to read as follows:

Appendix C to Part 1582—Reporting of Significant Physical Security Concerns

27. Revise the authority citation for part 1584 to read as follows:

Authority: 49 U.S.C. 114; Pub. L. 110-53, 121 Stat. 266.

28. Revise subpart B of part 1584 to read as follows:

29. Revise appendix B to part 1584 to read as follows:

Appendix B to Part 1584—Security-Sensitive Job Functions for Over-the-Road Buses

This table identifies security-sensitive job functions for owner/operators regulated under this part. All employees performing security-sensitive functions are “security-sensitive employees” for purposes of this rule and must be trained in accordance with this part.

30. Add appendix C to part 1584 to read as follows:

Appendix C to Part 1584—Reporting of Significant Physical Security Concerns

31. Add part 1586 to read as follows: