Watch Now


TSA proposes new cybersecurity rule for some railroads, other transit systems

Agency estimates more than 100 freight and passenger or transit systems would be covered by new requirements

(Photo: Jim Allen/FreightWaves)

This story originally appeared on Trains.com.

WASHINGTON — The Transportation Security Administration has proposed a rule that would require cybersecurity risk management and reporting requirements for some freight and passenger railroads, as well as rail transportation.

The Notice of Proposed Rulemaking, published Thursday in the Federal Register, also covers some bus and pipeline operations.

The TSA says that under the rule’s criteria, 73 of the approximately 620 U.S. freight railroads and 34 of approximately 92 passenger rail and transit operators would be subject to the requirements.


“TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation’s critical transportation infrastructure,” Administrator David Pekoske said in a press release. “The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public input on this proposed regulation.”

The rule would require an annual cybersecurity evaluation; a cybersecurity implementation plan identifying those responsible for the program, critical systems and measures to recover from a cybersecurity incident; and an assessment plan that includes a schedule for cybersecurity assessments, an annual report of results and identification of unaddressed vulnerabilities.

The comment period for the proposal runs through Feb. 5, 2025. A link to information on how to comment is included at the top of the notice in the Federal Register.