On Thursday, the Department of Homeland Security (DHS) released new rules for the US’s freight railroad and passenger rail transit industry. The rules make it mandatory for companies to have a cybersecurity coordinator, report cybersecurity incidents to CISA, complete a cybersecurity self-assessment and create a cyber-incident response plan.
DHS officials repeatedly said the new rules were made after consultation with industry experts and meetings with rail companies. They added that the rules were pushed by the Transportation Security Administration (TSA) after CISA informed them of legitimate threats facing the rail industry.
The government agency has faced backlash this year from companies in a variety of industries — as well as senior Republican lawmakers — for cybersecurity rules that some have called onerous and unnecessary.
In October, Senators Roger Wicker, John Thune, Cynthia Lummis, Todd Young, Deb Fischer — all Republican leaders on the Committee on Commerce, Science and Transportation — slammed DHS’ use of emergency authority to push new rules for US railroad and airport systems, questioning whether they were “appropriate absent an immediate threat.”
The Republican lawmakers said the “prescriptive requirements” rolled out by TSA “may be out of step with current practices” and may “limit