TSA to Release New Cybersecurity Requirements for Railroad and Aviation Industries

Issue in Brief: Cybersecurity regulations are now being applied to the rail and aviation sectors as the Biden administration continues a general program of strengthening the country’s online defenses for its critical infrastructure.

Key Takeaway: Critical rail and aviation operators should prepare for tighter cybersecurity requirements from the Transportation Security Administration (“TSA”), which are set to go into effect by the end of the year.

On the Horizon: Enhancing cybersecurity for critical infrastructure remains at the forefront of lawmakers’ and regulators’ focus, and operators of critical infrastructure across industries should expect more legal requirements imposed upon them in the near future.

Like most industries, the rail and aviation industries have operated under a voluntary system of guidelines for reporting cyberattacks, such as ransomware. On October 6, 2021, though, Homeland Security Secretary Alejandro Mayorkas announced new cybersecurity requirements for U.S. railroad and airport operators. During his keynote address at the 12th Annual Billington CyberSecurity Summit, Secretary Mayorkas said that the TSA will issue “a new security directive this year that will cover high-risk railroad and rail transit entities” (the “Security Directive”).

This Security Directive will require “high-risk” railroad and rail transit entities, which could be both commercial and passenger rail, to:

  • Identify a cybersecurity point of contact;
  • Report incidents to the Cybersecurity and Infrastructure Security Agency (“CISA”); and
  • Create a contingency and recovery plan in the event of malicious cyber activity.

Secretary Mayorkas noted that the TSA is “coordinating and consulting with industry as [it] develop[s] all of these plans.”

For “low-risk” surface entities, the TSA will issue separate guidance that encourages—but does not require—implementation of these same measures. Secretary Mayorkas noted that “a dedicated point of contact, cyber incident reporting, and contingency planning . . . represent the bare minimum of today’s cybersecurity best practices.”

The TSA has also started “updating its aviation security program” and will require U.S. airport operators, passenger aircraft operators, and all-cargo aircraft operators to designate a cybersecurity coordinator and report cyber incidents to CISA. The TSA will “consider additional measures over time.” In addition to the Security Directive, the TSA is initiating a rulemaking process “to develop a longer-term regime to strengthen cybersecurity and resilience in the transportation sector.” To facilitate stakeholder engagement throughout the rulemaking process, the TSA will issue an information circular recommending the completion of a cybersecurity self-assessment.

The Security Directive will be issued by the end of the year. The Secretary’s remarks are available here.

Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit
