DHS adds cyber requirements for transportation industry

The Transportation Security Agency and the Coast Guard are getting increased authority over industry cybersecurity.

security dashboard (KanawatVector/Shutterstock.com)

Homeland Security Secretary Alejandro Mayorkas announced on Wednesday that the government will add requirements for cybersecurity information sharing to companies in the transportation sector.

The move comes as DHS is in the midst of a 60-day "sprint" launched in September focusing on transportation industry cybersecurity, Mayorkas said in a speech at the Billington Cybersecurity Summit.

The Coast Guard is expanding its oversight of maritime cybersecurity with the deployment of cybersecurity personnel to U.S. ports to supervise planning, response and recovery. Mayorkas also announced that 2,300 "maritime entities" are charged with sharing cybersecurity plans with the Coast Guard and following up on any weaknesses identified in those plans.

Additionally, the Transportation Security Administration is taking a more high-profile role in managing railroad industry cybersecurity. Under a security directive to be issued later this year, "higher risk" rail freight and rail transit companies will be required to designate a cybersecurity contact for government and to report incidents to the Cybersecurity and Infrastructure Security Agency.

On the aviation side, TSA is planning new requirements for critical industry players, including airport operators, passenger airlines and cargo aircraft operators, to name a cybersecurity contact and report incidents to CISA.

The move represents the continuing expansion of TSA's formal role as a cybersecurity regulator. In the wake of the Colonial Pipeline hack, TSA issued two sets of rules governing cybersecurity preparedness and reporting in that industry.

"Taken together, these elements -- a dedicated point of contact, cyber incident reporting and contingency planning -- represent the bare minimum of today’s cybersecurity best practices," Mayorkas said in his speech.

Cyber bills advance in Senate

The Senate Homeland Security and Government Affairs Committee advanced two pieces of cybersecurity legislation on Wednesday.

The Cyber Incident Reporting Act of 2021 sets a 72-hour reporting requirement for breaches and other incidents at covered companies, which include critical infrastructure firms. Additionally, the legislation requires covered companies to report any ransomware payments made to hackers within 24 hours. The bill also sets up a new office at CISA to receive reports from covered companies. That bill did advance, but it drew some opposition from committee Republicans because of the scope of coverage -- currently extending to small businesses with 50 or more employees. The bill was amended to except mandatory disclosures required under the legislation from being included in discovery in litigation initiated over cybersecurity breaches.

Earlier this year a bipartisan group of lawmakers on the Senate Select Committee on Intelligence introduced their own bill that sets a 24-hour clock for critical infrastructure operators and federal contractors to report cybersecurity incidents.

The Federal Information Security Modernization Act of 2021 requires federal civilian agencies to report breaches to CISA and the Office of Management and Budget, and it includes new authorities that make CISA the lead agency on cybersecurity incidents affecting federal civilian agency networks. That bill was advanced without objection.

Sen. Gary Peters (D-Mich.), the chairman of the committee, announced his intention to add both pieces of legislation to the National Defense Authorization Act, which lawmakers hope to pass before the end of the calendar year.