Rail groups urge cautious approach to regulation in TSA process, cite existing cyber risk management efforts

Railroad groups want the Transportation Security Administration to switch tracks in a cybersecurity regulatory proceeding and defer to the industry’s ongoing cyber risk management programs, while also scrapping plans for a TSA incident reporting requirement as CISA develops a notification rule.

“In general, TSA has not identified a need for regulation of CRM, nor has it articulated any specific problem faced by the railroad industry, aside from general statements that rail may be vulnerable to cyber-attacks,” the Association of American...