Blogs

APGA Submits Comment on TSA Security Rulemaking

By Joshua St.Pierre posted 02-06-2025 12:19 PM

  
This week, APGA joined six other trade groups in submitting comments on the Transportation Security Administration’s (TSA) Notice of Proposed Rulemaking (NPRM) titled “Enhancing Surface Cyber Risk Management.” Read the comments, here. According to TSA, this rulemaking will “…propos[e] to impose cyber risk management (CRM) requirements on certain pipeline and rail owner/operators and a more limited requirement, on certain over-the-road bus (OTRB) owner/operators, to report cybersecurity incidents. With the proposed addition of requirements applicable to pipeline facilities and systems, TSA is also proposing that a requirement to have a Physical Security Coordinator and report significant physical security concerns be extended to the same facilities and systems.”
 
Generally, the NPRM lays out a regulatory framework similar to the requirements that had been laid out in the TSA’s recent Security Directives (SD), with some additional requirements. While most APGA members are not impacted by the SDs, and likely won’t be impacted by this NPRM, the rule could increase the number of APGA utilities required to abide by the mandates. 
 
The APGA Security Subcommittee conducted an ad-hoc meeting to discuss APGA members’ concerns with the rulemaking and open dialogue about potential impacts. Feedback from this meeting was incorporated into the joint industry comments. 
 
The joint comments focused on key suggestions from the pipeline industry including:
• TSA should limit the scope of this rulemaking to only those operator-designated Critical Cyber Systems.
• TSA should avoid prescriptive management of owners/operators’ personnel decisions.
• TSA should re-evaluate the expanse of compliance obligations for covered owner/operators.
• TSA should clearly articulate the transition from SDs to regulation.
• TSA should not take possession of owners/operators’ sensitive security information.
• TSA is encouraged to be appropriately resourced to address the threat and risk posed to pipeline systems.
 
Updates will be given to members of APGA’s Security Subcommittee as they become available. 
 
For questions on this article, please contact Joshua St.Pierre of APGA staff by phone at 202-470-4262 or by email at jstpierre@apga.org.

Permalink

https://www.apga.org/blogs/joshua-stpierre/2025/02/06/apga-submits-comment-on-tsa-security-rulemaking