Since the 2021 Colonial Pipeline incident, the Transportation Security Administration has regulated surface transportation cybersecurity through a sequence of Security Directives, each issued under TSA's statutory emergency authority and each renewed annually. SD Pipeline-2021-01 and 02 (and their renewals through 01D, 02E, and 02F) cover hazardous liquid and natural gas pipeline owners and operators. Parallel SDs cover passenger rail and freight rail, and TSA guidance addresses certain over-the-road bus operations. On November 7, 2024, TSA published an NPRM titled "Enhancing Surface Cyber Risk Management" that would move the bulk of these requirements out of the renewable-SD regime and into a permanent rule applicable across surface transportation modes. The comment period closed February 5, 2025. With a final rule on the regulatory horizon, owners and operators should be operationalizing the requirements now rather than waiting for publication.
What does the NPRM actually propose?
The NPRM would require covered owners and operators in pipeline, freight rail, and passenger rail to develop, implement, and maintain a Cyber Risk Management Program. The program would include a written Cybersecurity Risk Assessment refreshed annually, a Cybersecurity Operational Implementation Plan documenting the controls, a Cybersecurity Coordinator with defined authority, a Cybersecurity Incident Response Plan with named roles and response timelines, and an annual Cybersecurity Assessment Program evaluating program effectiveness. The proposal embeds the substantive controls already in the pipeline and rail SDs — network segmentation between IT and OT, access control with MFA for sensitive systems, vulnerability management with patching and compensating controls, logging and monitoring, and incident reporting to CISA — and formalizes them as enforceable rule text rather than directive language renewed annually.
Who is covered?
The NPRM identifies covered owners and operators by sector and by criticality. In pipelines, the rule would cover owners and operators of hazardous liquid and natural gas pipeline systems whose facilities meet defined threshold criteria — similar in scope to the entities currently subject to the pipeline SDs. In freight rail, the rule would cover Class I railroads and certain Class II carriers. In passenger rail, the rule would cover higher-risk operations defined by ridership and route criticality. Over-the-road bus operations are addressed in a separate ongoing TSA workstream. Owners and operators currently subject to an SD should presume they will be subject to the final rule; the threshold criteria in the NPRM are aligned with the SD scope.
What does network segmentation mean in the proposal?
The SDs and the NPRM expect the IT environment and the operational technology environment to be segmented so that an intrusion in one cannot move laterally into the other. Segmentation is not a single technical pattern. The NPRM expects operators to identify their critical cyber systems, define the trust boundaries between IT and OT and between OT zones, document the data flows allowed across those boundaries, and implement controls (firewalls, data diodes, jump hosts) consistent with the documented architecture. The documentation and the deployed configuration should be checked against each other on a schedule: rules added for troubleshooting or vendor access are how a documented boundary quietly stops being a real one. The 2021 Colonial Pipeline incident remains the reference event: the actor's initial access was to the IT environment, the operational impact came from the operator's precautionary OT shutdown, and the lesson is that the IT-OT relationship needs to be intentional, documented, and defensible.
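As an added illustration (not part of the NPRM or of any TSA material), the following Python script shows what checking deployed reality against the documented architecture looks like in practice: a zone map and an allow-list of documented cross-zone flows are compared against observed flow records, and anything crossing a boundary that the documentation does not account for is reported, with direct IT-to-OT traffic that bypasses the DMZ called out separately. The subnets, the allowed flows, and the flow records are all constructed for the example; a real run would feed it the operator's own architecture document and a firewall or NetFlow export normalized into the same key=value shape.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone map for the example. A real operator would generate this
# from the documented architecture (asset inventory plus network diagrams),
# not hand-write it.
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "IT-OT-DMZ": [ipaddress.ip_network("10.20.0.0/24")],  # jump host, historian replica
    "OT": [ipaddress.ip_network("192.168.100.0/24")],     # control network
}

# Documented allowed cross-zone flows as (src_zone, dst_zone, proto, dst_port).
# Anything else that crosses a zone boundary is, by definition, undocumented.
ALLOWED_FLOWS = {
    ("IT", "IT-OT-DMZ", "tcp", 443),    # operators reach the jump host portal
    ("IT-OT-DMZ", "OT", "tcp", 3389),   # jump host RDP to engineering workstation
    ("OT", "IT-OT-DMZ", "tcp", 5432),   # historian pushes to the DMZ replica
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed flow records in a generic key=value form; a real export from
# a firewall or NetFlow collector would be normalized into the same shape.
SAMPLE_LOG = """\
src=10.10.5.23 dst=10.20.0.10 proto=tcp dport=443
src=10.20.0.10 dst=192.168.100.40 proto=tcp dport=3389
src=192.168.100.50 dst=10.20.0.20 proto=tcp dport=5432
src=10.10.7.99 dst=192.168.100.40 proto=tcp dport=445
src=10.10.5.23 dst=10.10.9.1 proto=tcp dport=389
src=172.16.4.4 dst=192.168.100.40 proto=tcp dport=502
src=10.20.0.10 dst=192.168.100.40 proto=tcp dport=22
"""


def parse_flow_log(text):
    """Parse key=value flow records into Flow objects, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        flows.append(Flow(fields["src"], fields["dst"], fields["proto"], int(fields["dport"])))
    return flows


def zone_of(ip):
    """Return the documented zone containing ip, or None if the asset is unmapped."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return None


def audit_segmentation(flows):
    """Return one finding per observed flow that the documented architecture
    does not account for. Intra-zone traffic is out of scope here."""
    findings = []
    for flow in flows:
        src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        if src_zone is None or dst_zone is None:
            # An asset missing from the zone map is itself a gap in the critical
            # cyber system inventory, so it is reported rather than skipped.
            findings.append({"kind": "UNMAPPED_ASSET", "flow": flow,
                             "src_zone": src_zone, "dst_zone": dst_zone})
            continue
        if src_zone == dst_zone:
            continue
        if (src_zone, dst_zone, flow.proto, flow.dport) in ALLOWED_FLOWS:
            continue
        # Direct IT<->OT traffic bypasses the DMZ entirely; that is the drift
        # the Colonial lesson is about, so it gets its own finding kind.
        kind = "BOUNDARY_BREACH" if {src_zone, dst_zone} == {"IT", "OT"} else "UNDOCUMENTED_CROSS_ZONE"
        findings.append({"kind": kind, "flow": flow, "src_zone": src_zone, "dst_zone": dst_zone})
    return findings


if __name__ == "__main__":
    for f in audit_segmentation(parse_flow_log(SAMPLE_LOG)):
        print(f"{f['kind']:24} {f['src_zone']}->{f['dst_zone']} "
              f"{f['flow'].src} -> {f['flow'].dst}:{f['flow'].dport}/{f['flow'].proto}")
```

Run against the constructed records, the script surfaces three things the architecture document does not explain: an IT host reaching an OT workstation on 445 (a boundary breach), an address in no documented zone talking to the control network (an inventory gap), and the jump host using SSH to OT when only RDP is documented (undocumented cross-zone traffic). The three allowed flows and the intra-IT LDAP lookup produce nothing, which is the point: the output is the drift, not the traffic.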
What does incident reporting look like?
TSA SDs already require covered cyber incidents to be reported to CISA within 24 hours. The NPRM would keep the 24-hour clock and keep routing reports through CISA rather than directly to TSA. When CISA finalizes the CIRCIA rule, the TSA clock should harmonize with CIRCIA's 72-hour clock for covered incidents and 24-hour clock for ransom payments; TSA has signaled an intent to align rather than impose parallel reporting. Operators should not wait for that harmonization before building the capability: the 24-hour expectation is in force today under the SDs and will continue under the rule.
How does the rule interact with existing CIP and oil-and-gas regulation?
The bulk electric system is regulated by NERC CIP under FERC, a parallel regime that does not apply to pipelines or rail. Pipeline operators in the oil-and-gas vertical are regulated by other agencies for safety and environmental purposes (PHMSA for pipeline safety, for example) but in most cases not for cybersecurity; TSA is the cybersecurity regulator for pipelines under the Aviation and Transportation Security Act as amended. Rail operators are similarly regulated by TSA for cyber. The NPRM does not preempt state regulation, and it does not duplicate existing federal regimes; it consolidates the directive-era requirements into a stable rule. Owners and operators with overlapping NERC CIP and TSA obligations (a generator that also operates pipeline infrastructure, for example) need to maintain control evidence that maps to both regimes, ideally from a single control set cross-referenced to each.
# TSA Cyber Risk Management Program outline
1. Cybersecurity Coordinator (designated, defined authority)
2. Cybersecurity Risk Assessment (annual)
- Critical cyber systems identified
- Threat scenarios documented
- Risk-prioritized controls
3. Cybersecurity Operational Implementation Plan
- Access controls (MFA on sensitive systems)
- Network segmentation (IT/OT boundary defined)
- Vulnerability management (patching, compensating controls)
- Logging and monitoring
- Backup and recovery
4. Cybersecurity Incident Response Plan
- Named roles
- Reporting to CISA within 24 hours
- Coordination with TSA, FBI as applicable
5. Cybersecurity Assessment Program (annual)
- Independent review or self-assessment with attestation
- Findings tracked to closure
6. Recordkeeping (3 years minimum)
What about the OT supply chain?
OT environments depend on a deep supply chain — programmable logic controllers, SCADA software, engineering workstation operating systems, network appliances, remote-access tools. The NPRM expects operators to address supply chain risk in their program, including third-party access controls and vulnerability monitoring of OT components. The CISA Industrial Control Systems Advisory program publishes vendor-coordinated advisories on OT product vulnerabilities, and operators are expected to track those advisories and apply mitigations. SBOM expectations are evolving here: while not explicit in the NPRM text, operators are increasingly asking OT vendors for SBOMs and for vulnerability disclosure as part of contractual terms.
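As an added example (not code from the NPRM, TSA, CISA, or any vendor), the following Python script does the basic join that advisory monitoring of OT components comes down to: it reads a CycloneDX-shaped SBOM, pulls vendor and product out of each component's purl, and checks the installed version against a normalized advisory list with introduced/fixed version bounds. The SBOM contents, vendor and product names, advisory IDs, and version ranges are all constructed placeholders, and the version comparison assumes dotted numeric versions.

```python
import json

# Constructed CycloneDX-shaped SBOM. Vendor and product names are placeholders
# for the example; purls follow the pkg:generic/<vendor>/<product>@<version> form.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "application", "name": "hmi-runtime", "version": "4.2.1",
     "purl": "pkg:generic/examplevendor/hmi-runtime@4.2.1"},
    {"type": "application", "name": "plc-engineering-tool", "version": "7.0.3",
     "purl": "pkg:generic/examplevendor/plc-engineering-tool@7.0.3"},
    {"type": "application", "name": "plc-engineering-tool", "version": "7.1.0",
     "purl": "pkg:generic/examplevendor/plc-engineering-tool@7.1.0"},
    {"type": "application", "name": "remote-access-agent",
     "purl": "pkg:generic/othervendor/remote-access-agent"}
  ]
}
"""

# Constructed advisory records in the shape an operator would normalize vendor
# and ICS advisories into. The IDs are placeholders, not real advisories.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "vendor": "examplevendor", "product": "hmi-runtime",
     "introduced": "4.0.0", "fixed": "4.3.0",
     "mitigation": "Upgrade to 4.3.0; until then restrict the HMI web port to the engineering VLAN."},
    {"id": "EXAMPLE-ADV-0002", "vendor": "examplevendor", "product": "plc-engineering-tool",
     "introduced": "7.0.0", "fixed": "7.1.0",
     "mitigation": "Upgrade to 7.1.0."},
    {"id": "EXAMPLE-ADV-0003", "vendor": "othervendor", "product": "remote-access-agent",
     "introduced": "1.0.0", "fixed": None,
     "mitigation": "No fix available; require MFA at the jump host and disable direct inbound access."},
]


def parse_version(version):
    """Assumes dotted numeric versions such as '4.2.1'. OT vendors that use
    other schemes need a per-vendor comparator instead of this."""
    return tuple(int(part) for part in version.split("."))


def vendor_product(purl):
    """Extract (vendor, product) from a pkg:generic/<vendor>/<product>[@version] purl."""
    path = purl.split(":", 1)[1].split("@", 1)[0]
    _type, vendor, product = path.split("/")
    return vendor, product


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed; a None fixed bound means no fix yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_sbom(sbom_json, advisories):
    """Join SBOM components to advisories and return actionable findings."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom["components"]:
        vendor, product = vendor_product(comp["purl"])
        for adv in advisories:
            if (adv["vendor"], adv["product"]) != (vendor, product):
                continue
            version = comp.get("version")
            if version is None:
                # Cannot be cleared without a version: report the inventory gap.
                findings.append({"component": product, "version": None, "advisory": adv["id"],
                                 "status": "UNKNOWN_VERSION",
                                 "action": "Record the installed version before the next assessment cycle."})
            elif is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"component": product, "version": version, "advisory": adv["id"],
                                 "status": "AFFECTED", "action": adv["mitigation"]})
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['status']:16} {f['component']}@{f['version']} {f['advisory']}: {f['action']}")
```

Two design points matter for OT. A component whose SBOM entry lacks a version cannot be cleared, so it is reported as an inventory gap rather than silently passed; and an advisory with no fixed version still produces a finding, because the vulnerability-management expectation in the SDs and the NPRM is patch or compensating control, not patch or nothing.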
What should operators do in 2026 ahead of the final rule?
Five practical steps. First, take the Cybersecurity Risk Assessment from the SD compliance file and refresh it deliberately rather than copying forward. Second, audit network segmentation against the documented architecture; many operators discovered drift during recent tabletop exercises. Third, build the Cybersecurity Assessment Program even if not yet required, because the rule will expect a multi-year track record at first compliance check. Fourth, integrate vendor SBOM and advisory monitoring into vulnerability management. Fifth, run a 24-hour incident reporting tabletop with the named Cybersecurity Coordinator on the keyboard, not just in the meeting; reporting practiced is reporting that survives an actual event.
How Safeguard Helps
Safeguard inventories the software and component supply chain across IT and OT environments, including engineering workstations, SCADA hosts, and network appliances that frequently appear in CISA ICS advisories. Griffin AI ties that inventory to KEV entries, vendor advisories, and reachability evidence, supporting the vulnerability management and risk assessment elements the NPRM expects. TPRM workflows score OT vendors and managed-service providers against contractual cooperation clauses, ensuring that when an OT product carries an advisory the operator has a basis to demand mitigation. Policy gates can also enforce segmentation evidence — flagging when a configuration change would breach a documented IT/OT boundary — moving the regulatory program from documented to operational.