NIST releases a new draft cybersecurity framework for systems that never stop moving

As far back as 2013, the federal government started directing resources toward protecting assets, organizations and technology deemed as critical infrastructure. While the definition of critical infrastructure has been fluid as new sectors are added, it is generally defined as anything whose loss would impact the health, safety, security or economic well-being of many people, or even the entire nation.

Critical infrastructure has been further defined by the Cybersecurity and Infrastructure Security Agency (CISA) as centering on chemical manufacturing, communications, commercial facilities, critical manufacturing, dams, the defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare, information technology, nuclear reactors, transportation and water systems.

Over the years, there have been many efforts launched to improve cybersecurity in most critical sectors. For example, in 2015 there was a big push to secure the power grid, which is still ongoing today. In fact, public utilities of all types have been getting a lot of attention, and rightfully so. But one area has lagged pretty far behind the others, and that is transportation. Yes, it’s important to secure things like power plants and water systems, but public and private transportation systems are also important. What if a disaster happens at the same time that transit systems are attacked? That could stall or even prevent evacuation efforts. And yet, relatively little has been done to look specifically at cybersecurity issues within transportation. 

The newly released draft Transit Cybersecurity Framework Community Profile paper aims to change that. Developed by the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE), the voluntary framework is now open for public comment through February 23, 2026. It arrives at a moment when transit agencies are grappling with expanding digital systems, aging infrastructure and increased cyber risk.

According to NCCoE, cyberattacks targeting transit systems have increased in both frequency and severity in recent years, highlighting the need for more structured and standardized approaches to managing risk. The new community profile is designed to help transit agencies map their cybersecurity activities to the outcomes defined in NIST’s broader Cybersecurity Framework 2.0, while accounting for the operational realities of transit environments.

The need for a special framework for transportation networks is clear because of how different they are from things like power plants, healthcare environments, factories and other critical infrastructure sectors. Transit agencies operate sprawling networks of operational and business systems that include signaling equipment, fare collection, vehicle telemetry, communications networks and safety systems. Many of those environments rely heavily on wireless connectivity as well as legacy technology, creating a unique risk profile that does not neatly align with traditional IT security models. Much of the transit infrastructure is often on the move itself, adding an additional wrinkle.

With all that in mind, one key recommendation within the new framework is that transit agencies should start by defensively securing any functions that, if disrupted, would threaten passenger safety or service continuity. This includes areas such as signaling, train control, dispatching and communications.

The framework also stresses the need for collaboration, even among potential competitors in the private sector. There are repeated references to the value of collaboration within the sector among suppliers, vendors, federal partners and internal stakeholders. Transit systems do not operate in isolation, and the framework stresses that their cybersecurity posture must reflect that reality. 

Like most NIST frameworks, the recently released draft for the transit sector is designed for scalability. The guidance is designed to be useful for transit systems of all sizes, from small municipal bus fleets to multi-modal regional systems with sprawling infrastructure. Smaller agencies with limited resources are not expected to adopt the same exact practices as large metropolitan systems, but the guide offers scalable actions tied to cybersecurity improvements that can be adapted based on capabilities and risk tolerance.

Federal transportation leaders have been cautiously moving in this direction for some time even without a framework. For example, the Federal Transit Administration already requires rail transit operators to certify that they have processes in place to identify and reduce cybersecurity risks as part of their overall safety management programs. That requirement reflects a growing recognition that cybersecurity and physical safety are now inseparable in modern transit systems.

As federal attention continues to shift toward strengthening critical infrastructure cybersecurity, NIST’s draft Transit Cybersecurity Framework Community Profile offers a practical blueprint for an area that has long flown under the radar. It does not promise instant fixes or dramatic breakthroughs. Instead, it provides transit agencies with a clearer path to managing cyber risk in systems that millions of people rely on every day.

Sometimes the most important cybersecurity work is not flashy. It’s foundational. And for transit agencies migrating from analog, physical systems into increasingly digital operations, that foundation is long overdue. NIST welcomes experts and others who would like to help improve the draft framework to share their feedback any time before the February 23 deadline.

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys