New TSA cyber rules leave lawmakers, industry hopeful for happy medium regulations

Rep. Carlos Gimenez, R-Fla., walks down the House steps after the final votes of the week as members of Congress head home for the holiday recess on Thursday, December 14, 2023. Gimenez warned against 'reactive, hastily implemented' directives during a Nov. 19 hearing. Bill Clark/CQ-Roll Call, Inc via Getty Images

The agency argues its Nov. 8 proposed rulemaking will address the transportation industry's concerns about overlapping regulation while still ensuring operators are suitably protected from hackers. Others want to wait and see.

The Transportation Security Administration has released another cybersecurity rule proposal, and the release has resurfaced recurring debates about overlapping cybersecurity reporting laws and the "check-the-box" compliance mentality that many cyber thought leaders argue does little to protect critical systems from hackers.

The notice of proposed rulemaking issued earlier this month would require a broad set of pipeline, freight railroad and passenger railroad owners and operators to establish cybersecurity risk management programs intended to help the surface transportation sector prevent, detect and respond to digital incidents. It follows earlier rounds of TSA cybersecurity rules, born out of the 2021 Colonial Pipeline ransomware incident that pushed the Biden administration to strengthen U.S. cyber posture.

What followed was a wave of incident reporting requirements, many obliging private sector industries to report cybersecurity incidents to oversight agencies, albeit under differing deadlines that have frustrated cybersecurity executives and lawmakers on both sides of the aisle. One TSA security directive issued in 2021, for example, required major pipeline operators to report incidents within 12 hours.

“These directives often seem reactive, hastily implemented and lacking the necessary consultation with stakeholders,” said Rep. Carlos Gimenez, R-Fla., in an opening statement for a Tuesday hearing of a House Homeland Security subcommittee examining the impact of the agency’s cyber regulations.

TSA is hopeful this time that its performance-based approach, which sets security outcomes and lets operators choose how to meet them, will keep vital transportation systems safe while easing industry concerns about regulators breathing down their necks. The proposed rule would, in essence, codify the provisions of the recent security directives into a single cybersecurity risk management program.

Specifically, companies covered by the rule would have to undergo annual evaluations and independent assessments to identify vulnerabilities, and then implement comprehensive operational plans. Those plans would designate cybersecurity leaders, inventory critical systems and the protections around them, detail procedures for detecting and responding to cyberattacks and establish recovery strategies.

The proposal “continues TSA’s commitment to performance-based requirements and builds on TSA’s previously issued cybersecurity requirements aimed at establishing sustainable and comprehensive cyber risk management programs for owners and operators with high risk profiles,” Chad Gorman, TSA’s deputy executive assistant administrator for operations support, said in opening remarks at the hearing.

But industry concerns remain. Kimberly Denbow, the American Gas Association’s vice president of security and operations, questioned in a later panel whether the private sector should have to transmit sensitive materials, physically or electronically, to TSA for security audits.

“Reasonable cybersecurity regulations have to be attainable. The operators have to be able to achieve them. They have to be sustainable. The operators have to be able to sustain them and keep them going; otherwise it’s wasted money,” she said. TSA and industry representatives butt heads most over audits, because companies’ sensitive information, such as documentation of their critical systems and defenses, could be exposed once it is transmitted to auditors outside their own facilities.

Her concern about sensitive material leaving operators’ control echoes a recurring theme among those who push back on incident reporting requirements. Opponents of the Securities and Exchange Commission’s four-business-day cyber incident disclosure window, for instance, argue that publicizing a breach so quickly, often before it is contained, tips off other hackers that the organization is vulnerable and gives them a window to exploit it.

“I would be looking to have more of a closed-door session with the people that are being regulated — without TSA being in the room — so that we can actually get a better idea of what they really think about the regulations,” Gimenez told Nextgov/FCW after the hearing.

The comment window for the proposed rule closes on Feb. 5 of next year. Separately, the White House and Congress are aligned behind proposed legislation that would help harmonize the patchwork of cyber incident reporting requirements.