PDF

Dear Chairwoman Clark, Ranking Member Garbarino, Chairwoman Watson Coleman, and Ranking Member Gimenez,

On behalf of the 1,500 member organizations of the American Public Transportation Association (APTA), and in advance of the House Committee on Homeland Security’s hearing on Transportation Cybersecurity: Protecting Planes, Trains, and Pipelines from Cyber Threats, I write to share our concerns on the forthcoming Transportation Security Administration (TSA) Security Directive for rail transit and passenger rail operations. On October 6, 2021, U.S. Department of Homeland Security Secretary Alejandro Mayorkas announced that TSA is expected to impose cybersecurity mandates on certain rail transit systems and railroads, including a stringent incident reporting deadline and a short timeframe to develop and implement response and contingency plans.

Specifically, APTA is concerned that TSA is imposing these new and potentially costly requirements through an emergency security directive without the benefit of public notice and comment, including an analysis of the economic impact of the new requirements on rail transit and passenger rail operators. For example, mandating a prescriptive 24-hour reporting requirement in a security directive could negatively affect cyber response and mitigation by diverting personnel and resources to reporting when incident response is most critical. Further, the additional personnel and resources needed to comply with the requirements will add significant compliance costs just as transit agencies are working to recover from the COVID-19 pandemic. TSA has previously employed the federal rulemaking process for other security requirements on surface transportation systems, including a rulemaking on Security Training for Surface Transportation Employees (86 Fed. Reg. 23629).

Accordingly, APTA strongly recommends that the Committee on Homeland Security urge TSA to utilize the federal rulemaking process for this security directive and allow for public comment before imposing any new requirements. Publication in the Federal Register, with an opportunity for notice and comment, will allow all affected parties, including APTA members, to identify concerns and potential impacts of the proposed requirements on rail transit and passenger rail operations, and would provide TSA sufficient time to address any issues raised during the process.

In addition, APTA recommends that TSA provide technical assistance, workshops, response plan templates, and funding for public transit agencies to implement the requirements of any final security directive.

We welcome any opportunity to work with the Committee on Homeland Security to address these important issues and ensure that rail transit and passenger rail operators continue to meet any cyber or other security challenges that may arise.

Sincerely,

Paul P. Skoutelas
President and CEO

cc: The Honorable Bennie C. Thompson, Chairman, Committee on Homeland Security, U.S. House of Representatives

The Honorable John Katko, Ranking Member, Committee on Homeland Security, U.S. House of Representatives

The Honorable David P. Pekoske, Administrator, Transportation Security Administration, U.S. Department of Homeland Security

The Honorable Jen Easterly, Director, Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security

The Honorable Nuria Fernandez, Administrator, Federal Transit Administration, U.S. Department of Transportation

Mr. Amit Bose, Deputy Administrator, Federal Railroad Administration, U.S. Department of Transportation