DHS Adds Cyber Requirements for Transportation Industry
Homeland Security Secretary Alejandro Mayorkas said on Wednesday that the government would add requirements for sharing cybersecurity information to companies in the transport sector.
The move comes as DHS is in the midst of a 60-day “sprint” launched in September and focused on cybersecurity in the transportation sector, Mayorkas said in a speech at the Billington Cybersecurity Summit.
The Coast Guard is expanding its maritime cybersecurity oversight with the deployment of cybersecurity personnel to U.S. ports to oversee planning, response and recovery. Mayorkas also announced that 2,300 “maritime entities” are responsible for sharing cybersecurity plans with the Coast Guard and tracking any weaknesses identified in those plans.
In addition, the Transportation Security Administration is playing a larger role in managing the cybersecurity of the rail industry. Under a security directive to be released later this year, “high-risk” rail freight and rail transit companies will be required to designate a cybersecurity contact for the government and report incidents to the Cybersecurity and Infrastructure Security Agency.
On the aviation side, the TSA is planning new requirements for key industry players, including airport operators, passenger airlines, and cargo aircraft operators, to appoint a contact on cybersecurity and report incidents to CISA.
The move represents the continued expansion of TSA’s official role as a cybersecurity regulator. In the aftermath of the Colonial Pipeline hack, the TSA released two sets of rules governing cybersecurity preparedness and reporting in the pipeline industry.
“Taken together, these elements – a dedicated point of contact, cyber incident reporting and contingency planning – represent the bare minimum of today’s cybersecurity best practices,” Mayorkas said in his speech.
Cyber Bills Advance in the Senate
The Senate Committee on Homeland Security and Governmental Affairs presented two cybersecurity bills on Wednesday.
The Cyber Incident Reporting Act of 2021 establishes a 72-hour reporting requirement for breaches and other incidents at covered businesses, which include critical infrastructure businesses. In addition, the bill requires covered companies to report any ransomware payments made to hackers within 24 hours. The bill also establishes a new office at CISA to receive reports from covered companies. This bill moved forward, but met with some opposition from Republicans on the committee because of the breadth of coverage – currently extending to small businesses with 50 or more employees. The bill has been amended to exclude mandatory disclosures required by law from being included in discovery in litigation initiated over cybersecurity breaches.
Earlier this year, a bipartisan group of lawmakers from the Special Senate Intelligence Committee introduced their own bill that sets a 24-hour clock for critical infrastructure operators and federal contractors to report cybersecurity incidents.
The Federal Information Security Modernization Act of 2021 requires federal civilian agencies to report violations to CISA and the Office of Management and Budget, and it includes new authorities that make CISA the lead agency for cybersecurity incidents affecting federal civilian agency networks. This bill was presented without objection.
Committee chair Senator Gary Peters (D-Mich.) announced plans to add the two pieces of legislation to the National Defense Authorization Act, which lawmakers hope to pass before the end of the calendar year.
Adam Mazmanian is editor-in-chief of FCW.
Prior to joining the editorial team, Mazmanian was a writer at FCW covering Congress, government-wide technology policy, and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was a technology correspondent for the National Journal and held various editorial positions at the B2B SmartBrief news service. Mazmanian has written reviews and articles for The Washington Post, Washington City Paper, Newsday, New York Press, Architect Magazine, and other publications.