TSA Considers Using Third-Party Assessors in Coming Pipeline Regulations

Fuel tanks are seen at Colonial Pipeline Baltimore Delivery in Baltimore, Maryland on May 10, 2021. The U.S. government declared a regional emergency on May 9, 2021 as the largest fuel pipeline system in the United States remained largely shut down, two days after a major ransomware attack was detected. Photo by JIM WATSON/AFP via Getty Images

The agency is exercising its authority to regulate pipelines and railways after issuing a series of short-term emergency security directives.

The Transportation Security Administration is looking to expand its use of third-party certifiers to include regulating the cybersecurity of critical pipeline and rail operators, according to the agency.    

“TSA has maximized the capability of third-party certifiers in other contexts and is interested in options for leveraging this capability for cybersecurity,” reads an advance notice of proposed rulemaking set to publish in the Federal Register Wednesday.

The agency first flagged the coming regulations this summer, noting they would permanently codify a number of year-long cybersecurity directives it started issuing for pipelines and other surface transportation sectors following the May 2021 Colonial Pipeline attack, which caused a panic at the pump and emergency declarations by multiple states along the East Coast.     

“In light of the critical role that pipelines and rail sectors play in our nation’s economic and national security, as well as the ongoing and growing cyber threats to such sectors, TSA has determined that it is appropriate to issue a regulation for [Cyber Risk Management] in these sectors,” the agency wrote.

The notice, which solicits public input within 45 days of being issued, listed “identifying opportunities for third-party experts to support compliance” as being among the agency’s policy priorities for crafting the new rules. “The use of third-party evaluators and certifiers of cybersecurity programs and cloud service providers can drive sustainable compliance at a scale that exceeds TSA’s compliance resources,” it reads.

Expressing cost concerns throughout the notice, TSA specifically asked operators to comment on what benefits or challenges they would encounter if required to use accredited third-party certifiers to audit their implementation of cybersecurity measures.

“In general, the concept would require some level of approval by the federal government that recognizes the qualifications of the third-parties, vetting to identify any potential conflicts of interest or other risks associated with an insider threat, and consistent standards to be applied,” TSA noted, citing the Bank of England’s assessment system as a potential model.

Other priorities for the rulemaking included: improving operators’ response and resilience to incidents while allowing flexibility for dealing with changing threats and technology as well as resource disparities; incentivizing compliance; establishing quantifiable performance assessment measures; and harmonizing the requirements with existing regulations.