TSA issues proposed cyber mandates for pipelines, rail, airlines | CyberScoop<\/title> <meta name=\"description\" content=\"The post-Colonial Pipeline proposal requires the agency's charges to follow one cyber mandate to rule them all.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/tsa-pipeline-railway-aviation-rule-nopr\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"TSA issues proposed cyber mandates for pipelines, rail, airlines\"> <meta property=\"og:description\" content=\"The post-Colonial Pipeline proposal requires the agency's charges to follow one cyber mandate to rule them all.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/tsa-pipeline-railway-aviation-rule-nopr\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-11-07T19:49:27+00:00\"> <meta property=\"article:modified_time\" content=\"2024-11-07T19:49:30+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/tsa-issues-proposed-cyber-mandates-for-pipelines-rail-airlines-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Christian Vasquez\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@chrismvasq\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1729616464g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1730999764g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1729103471g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ada0ad45b21fc79c6694\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/82514\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.6.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=82514\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Ftsa-pipeline-railway-aviation-rule-nopr%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Ftsa-pipeline-railway-aviation-rule-nopr%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-82514 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/tsa-pipeline-railway-aviation-rule-nopr\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.651162790698\">\n<div class=\"single-article__header-content\" readability=\"33.17277486911\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/cybersecurity\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> The post-Colonial Pipeline proposal requires the agency’s charges to follow one cyber mandate to rule them all. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/82514\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/tsa-issues-proposed-cyber-mandates-for-pipelines-rail-airlines.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/tsa-issues-proposed-cyber-mandates-for-pipelines-rail-airlines-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/tsa-issues-proposed-cyber-mandates-for-pipelines-rail-airlines-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/tsa-issues-proposed-cyber-mandates-for-pipelines-rail-airlines-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/tsa-issues-proposed-cyber-mandates-for-pipelines-rail-airlines-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/tsa-issues-proposed-cyber-mandates-for-pipelines-rail-airlines-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/tsa-issues-proposed-cyber-mandates-for-pipelines-rail-airlines-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/tsa-issues-proposed-cyber-mandates-for-pipelines-rail-airlines-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/tsa-issues-proposed-cyber-mandates-for-pipelines-rail-airlines-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/tsa-issues-proposed-cyber-mandates-for-pipelines-rail-airlines-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/tsa-issues-proposed-cyber-mandates-for-pipelines-rail-airlines-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> Steel oil pipes from a refinery. (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"38.182535641548\"><body readability=\"79.8378688055\"><\/p>\n<p>The Transportation Security Administration issued long-waited proposed cyber mandates Thursday that would set in stone, harmonize, and add to the emergency security directives first issued following the Colonial Pipeline ransomware attack in 2021.<\/p>\n<p>The <a href=\"https:\/\/www.federalregister.gov\/documents\/2024\/11\/07\/2024-24704\/enhancing-surface-cyber-risk-management\">notice of proposed rulemaking<\/a> (NOPR) will serve as one of the last major policy actions the Biden administration will take to protect critical infrastructure from malicious cyberattacks before President-elect Donald Trump takes office. <\/p>\n<p>\u201cTSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation\u2019s critical transportation infrastructure,\u201d TSA Administrator David Pekoske said in a <a href=\"https:\/\/www.tsa.gov\/news\/press\/releases\/2024\/11\/06\/tsa-announces-proposed-rule-would-require-establishment-pipeline-and\">Wednesday press release<\/a>. \u201cThe requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public input on this proposed regulation.\u201d<\/p>\n<p>The Biden administration\u2019s efforts to secure pipelines began in earnest in May 2021 following the <a href=\"https:\/\/cyberscoop.com\/tag\/colonial-pipeline\/\">Colonial Pipeline<\/a> attack. Weeks after the extortion attempt by the ransomware group BlackCat, <a href=\"https:\/\/cyberscoop.com\/tsa-cyber-regulations-colonial-pipeline\/\">TSA sent out security directives<\/a> that issued first-of-its-kind cyber mandates to the pipeline sector, which previously relied on voluntary efforts. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The security directives were considered unwelcome by many trade organizations representing oil and natural gas. However, subsequent directives were issued by TSA that soothed industry concerns. Additionally, TSA\u2019s security directives have to be renewed annually, so the agency moved forward with a more permanent rulemaking process.<\/p>\n<p>TSA\u2019s new proposed rule would impact just under 300 owners and operators that fall under the agency\u2019s authority in freight railroad, passenger railroad, rail transit, and pipeline sectors, the notice states. Additionally, the rule would ensure the aviation sector follows the same mandates. <\/p>\n<p>The mandates would also require covered entities to develop cyber risk management programs and establish a cybersecurity operational plan, including regular audits to assess their effectiveness. <\/p>\n<p>Additionally, the proposal would require covered entities to report incidents to the Cybersecurity and Infrastructure Security Agency in <a href=\"https:\/\/cyberscoop.com\/cisa-circia-critical-infrastructure-reporting-letter\/\">anticipation of the upcoming law<\/a>.<\/p>\n<p>Marco Ayala, president of InfraGard Houston, said that \u201cafter a year-and-a-half of anticipation\u201d the proposal would largely consolidate the security directives that were issued shortly after Colonial Pipeline was forced to take down operational systems following the 2021 ransomware attack.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>However, Ayala said the TSA proposal also adds several \u201ckey additions,\u201d like adhering to CISA\u2019s secure-by-design and secure-by-default principles, new training, certification, and vetting standards. <\/p>\n<p>The NOPR also calls for extending the cyber risk management program to \u201clarge-scale hazardous liquid or carbon dioxide pipelines,\u201d Ayala said. Pipelines that carry large volumes or have high mileage in high-risk areas, or are a large supplier to the Pentagon\u2019s Defense Logistics Agency, would also be required to follow these new rules, Ayala said.<\/p>\n<p>TSA expects the proposal to impact 73 freight railroads, 34 public transportation agencies and passenger railroads, and 115 pipeline facilities and systems. Additionally, 71 over-the-road bus owners will be required to report significant security concerns.<\/p>\n<p>Comments are due by Feb. 5, 2025.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.1697247706422\">\n<div class=\"author-card\" readability=\"9\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/tsa-issues-proposed-cyber-mandates-for-pipelines-rail-airlines-1.jpg?w=640&ssl=1\" alt=\"Christian Vasquez\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Christian Vasquez<\/h4>\n<p> Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&E News at POLITICO covering cybersecurity in the energy sector. Reach out: christian.vasquez at cyberscoop dot com <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/tsa-pipeline-railway-aviation-rule-nopr\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>TSA issues proposed cyber mandates for pipelines, rail, airlines |<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[916,622,78,452,293,117,1579,439,3067,2917,812],"tags":[920,627,86,454,299,119,1582,443,3068,2920,813],"class_list":["post-6143","post","type-post","status-publish","format-standard","hentry","category-aviation","category-biden-administration","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-department-of-homeland-security-dhs","category-government","category-pipeline","category-policy","category-railroads","category-transportation","category-transportation-security-administration-tsa","tag-aviation","tag-biden-administration","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-department-of-homeland-security-dhs","tag-government","tag-pipeline","tag-policy","tag-railroads","tag-transportation","tag-transportation-security-administration-tsa"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/aviation\/\" rel=\"category tag\">aviation<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/biden-administration\/\" rel=\"category tag\">Biden administration<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-homeland-security-dhs\/\" rel=\"category tag\">Department of Homeland Security (DHS)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/pipeline\/\" rel=\"category tag\">pipeline<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/policy\/\" rel=\"category tag\">Policy<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/railroads\/\" rel=\"category tag\">railroads<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/transportation\/\" rel=\"category tag\">transportation<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/transportation-security-administration-tsa\/\" rel=\"category tag\">Transportation Security Administration (TSA)<\/a>","tag_info":"Transportation Security Administration (TSA)","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6143","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6143"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6143\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6143"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6143"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6143"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":6143,"date":"2024-11-07T13:49:27","date_gmt":"2024-11-07T19:49:27","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=82514"},"modified":"2024-11-07T13:49:27","modified_gmt":"2024-11-07T19:49:27","slug":"tsa-issues-proposed-cyber-mandates-for-pipelines-rail-airlines","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/11\/07\/tsa-issues-proposed-cyber-mandates-for-pipelines-rail-airlines\/","title":{"rendered":"TSA issues proposed cyber mandates for pipelines, rail, airlines"},"content":{"rendered":"