Cybersecurity Measures for Surface Modes

On December 17, 2021, TSA issued the Security Directive (SD) 1580-21-01 series, Enhancing Rail Cybersecurity, and the SD 1582-21-01 series, Enhancing Public Transportation and Passenger Railroad Cybersecurity, which remain in effect as revised, mandating TSA-specified Owner/Operators of “higher risk” railroads and rail transit systems, respectively, to implement an array of cybersecurity measures to prevent disruption and degradation to their infrastructure; these security directives became effective December 31, 2021. In addition, on October 18, 2022, TSA issued the SD 1580/1582-2022-01 series, Rail Cybersecurity Mitigation Actions and Testing, which applies to Owner/Operators of the “Higher Risk” freight railroads identified in 49 CFR 1580.101 and additional TSA-designated freight and passenger railroads. This security directive, which is complementary to the requirements in the previous directives, took effect on October 24, 2022. On October 26, 2022, OMB approved TSA’s request for an emergency approval, revising this information collection. See ICR Reference Number: 202210-1652-001. The collection covers both mandatory reporting under the security directives and collection of information voluntarily submitted under Information Circular (IC) 2021-01, Enhancing Surface Transportation Cybersecurity, which recommended voluntary implementation of actions and reporting by Owner/Operators not covered by the security directives. The OMB approval allowed for the additional institution of mandatory reporting requirements and collection of information voluntarily submitted. See ICR Reference Number: 202111-1652-003.

The latest form for Cybersecurity Measures for Surface Modes expires 2026-08-31 and can be found here.

SD Rail-1580-21-01, SD Rail-1582-21-01, and IC 2021-01 Designation of Cybersecurity Coordinator

Federal Enterprise Architecture: Homeland Security - Border and Transportation Security