Understand Which TSA Security Directives Must be Submitted by Airports before April 2022

February 17, 2022

Many airport and airline operators are being asked or required to comply with the Transportation Security Administration’s (“TSA”) newest Security Directives to combat cybersecurity threats. The first step of compliance is registering a cybersecurity coordinator and alternate with the TSA by March 30, 2022.

Why is the TSA Introducing New Security Directives?

The Colonial Pipeline ransomware hack in May 2021 halted pipeline operations for several days, driving gas shortages along the East Coast and leaving many airports concerned about whether their fuel reserves could sustain refueling operations. The pipeline hack, coupled with the SolarWinds and Microsoft Exchange cyberattacks, has driven the Department of Homeland Security (“DHS”) to confront the growing threat of cyberattacks by launching a series of 60-day cybersecurity-focused sprints to operationalize cybersecurity efforts and raise public awareness of key cybersecurity priorities.

The DHS cybersecurity and transportation sprint resulted in the TSA issuing two new Security Directives and additional guidance to strengthen cybersecurity across the transportation sector.

What are the New TSA Security Directives?

The Security Directives require owners and operators to implement the following measures:

  1. Designate a cybersecurity coordinator.
  2. Report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 24 hours.
  3. Develop and implement a cybersecurity incident response plan.
  4. Complete a cybersecurity vulnerability assessment.

Who is Impacted by the New TSA Security Directives?

The Security Directives became effective on December 31, 2021. Initially, they targeted higher-risk freight railroads, passenger rail, and rail transit; however, TSA updated its guidance to recommend that lower-risk surface transportation owners and operators voluntarily implement those same measures. The updated guidance also impacts TSA’s aviation security programs by requiring airports and airline operators to implement the first two measures. TSA expects to expand the remaining two requirements to the aviation sector and establish a rule-making process for certain surface transportation entities.

What are the Eligibility Requirements for the Cybersecurity Coordinator?

Eligibility requirements for the designated cybersecurity coordinator and alternate include, but are not limited to, U.S. citizenship and availability at all times, all hours, and all days to coordinate implementation of cybersecurity practices and manage cybersecurity incidents.

What are the Deadlines for the New TSA Security Directives?

For those required to implement the four measures included in the TSA Security Directives, the first reporting deadline is quickly approaching. Owners and operators are required to submit the TSA-provided form to identify their designated cybersecurity coordinator and alternate by March 30, 2022.

For the last two measures, owners and operators must develop and implement a Cybersecurity Incident Response Plan, complete a Vulnerability Assessment, and report that plan and the results of the assessment to TSA by June 28, 2022.

How to Implement a Cybersecurity Incident Response Plan

The Cybersecurity Incident Response Plan should be designed to address the following five objectives:

  1. Safeguard covered and protected information
  2. Identify an attack
  3. Contain the damage
  4. Eradicate the root cause
  5. Restore business operations in a timely manner

Developing or updating information security processes is key to a successful plan. Required actions should be specified and roles and responsibilities need to be clearly defined. In the event of an incident, the cybersecurity incident reporting elements should provide specific information including but not limited to the following:

  1. Details about the compromise
  2. Description of how the breach occurred
  3. Which assets were compromised
  4. How compromised information was used (if available)
  5. Remediation actions completed to date
  6. Who to contact for more information

What is a Vulnerability Assessment?

Addressing cybersecurity risks begins with assessing current policies and defining the organization’s security risk tolerance. Vulnerability Assessments review external-facing systems, internal networks, or both to uncover the existence of vulnerabilities, allowing organizations to address specific weaknesses when developing a Cybersecurity Risk Management Program.

Cybersecurity Incident Response Plans and Vulnerability Assessments must meet provisions set by your state or federal law. Working with outside IT security specialists, such as Cherry Bekaert’s Risk & Accounting Advisory professionals, helps to streamline the process of developing realistic response plans.

For more information about the TSA’s new Security Directives, contact your Cherry Bekaert Advisor or the Firm’s Government Services Group.