TSA Cybersecurity Compliance Skill

Directive Coverage by Sector

Pipelines (Highest Risk)

Covered entities: Owners/operators of hazardous liquid and natural gas pipeline and LNG facilities designated as critical by TSA.

Freight Rail

Covered entities: Freight railroad carriers and rail transit systems designated at higher risk by TSA.

Public Transportation and Passenger Rail

Covered entities: Public transportation agencies and passenger railroad operators designated at higher risk by TSA.

Aviation

Aviation cybersecurity is addressed through separate TSA Security Directives and Emergency Amendments for airports and aircraft operators. Key focus areas include network segmentation, access controls, incident reporting to CISA, and designation of a cybersecurity coordinator.

Bus (Proposed — 2024 NPRM)

Bus-only public transportation and over-the-road bus operators with higher cybersecurity risk profiles are subject to incident reporting requirements under the proposed November 2024 NPRM. Full CRMP requirements are not yet mandatory for bus operators.

Consult references/tsa-directives-overview.md for full directive text summaries and revision history.

Core Concepts

Critical Cyber Systems (CCS)

CCS are systems whose compromise or exploitation could result in:

• Operational disruption (inability to safely operate, monitor, or control physical assets)
• Safety impact (risk to employees, passengers, or the public)
• Environmental impact (uncontrolled release of hazardous materials)
• National security impact

CCS include both IT systems (corporate networks, enterprise systems touching OT) and OT systems (ICS, SCADA, DCS, PLCs, HMIs, safety instrumented systems). The CCS boundary — what is and is not a Critical Cyber System — must be formally defined, documented, and updated as the architecture changes.

IT vs OT distinction:

Cybersecurity Coordinator

All covered entities must designate a Cybersecurity Coordinator who:

• Is available 24 hours a day, 7 days a week (or has a backup designee)
• Serves as the primary point of contact between the entity, TSA, and CISA
• Coordinates the entity's response to cybersecurity incidents
• Oversees implementation of the Cybersecurity Implementation Plan (CIP) / COIP
• Reports cybersecurity incidents to CISA within required timelines

CISA vs TSA Roles

Core Requirements (Applicable to All Covered Entities)

1. Cybersecurity Incident Reporting (Immediate)

Requirement: Report cybersecurity incidents to CISA within 24 hours of identification.

What must be reported: Any cybersecurity incident that results in — or is reasonably likely to result in — operational disruption or unauthorised access to a CCS, including:

• Unauthorised access to IT or OT systems
• Discovery of malware or ransomware on CCS
• Denial of service affecting operational capability
• Phishing or social engineering with confirmed system access

How to report: Via CISA's 24/7 Operations Center: 1-888-282-0870 or [email protected]. TSA must also be notified.

Do NOT delay reporting while internal investigation is ongoing. Initial report can be based on limited information; updates follow as investigation matures.

2. Cybersecurity Coordinator Designation

Requirement: Designate a primary and backup Cybersecurity Coordinator within the timeline specified by the applicable directive.

Coordinator duties:

• Serve as 24/7 contact for TSA and CISA
• Coordinate implementation of cybersecurity measures
• Coordinate internal response to cybersecurity incidents
• Ensure incident reports are made to CISA within required timelines
• Maintain knowledge of the entity's CCS inventory

Submission: Coordinator contact information must be submitted to TSA via the designated TSA reporting system.

3. Review of Cybersecurity Practices (Gap Assessment)

Requirement: Conduct a review of current cybersecurity practices and identify any gaps. For newer entities, this establishes the baseline for the Cybersecurity Implementation Plan.

Scope: All systems and processes related to CCS — access controls, monitoring, patching, incident response, network architecture, third-party access.

Cyber Risk Management Program (CRMP) — Core Requirements

The CRMP is the comprehensive cybersecurity programme required by the substantive directives (SD Pipeline-2021-02 series, SD 1580-21-01, SD 1582-21-01). It has four major components:

Component 1: Cybersecurity Implementation Plan (CIP) / COIP

What it is: The governing document that describes how the entity will meet all CRMP requirements. Must be submitted to TSA for review and approval.

Required CIP/COIP contents:

• Leadership structure: Accountable Executive with C-suite authority; designated Cybersecurity Coordinator
• CCS inventory: Complete list of Critical Cyber Systems within scope
• Network architecture description: Current IT/OT architecture; segmentation mechanisms; communication flows
• Baseline cybersecurity measures: How each of the four technical domains (below) is addressed
• Protective measures: Access controls, monitoring, patching procedures
• Incident detection procedures: How anomalies and threats are identified
• Incident response procedures: How incidents are contained, remediated, and reported
• Annual review process: How the CIP is kept current

CIP approval: TSA reviews and either approves, requests modifications, or rejects. Entities cannot use unapproved CIPs as compliance evidence.

Component 2: Incident Response Plan (IRP)

What it is: Documented procedures for detecting, responding to, and recovering from cybersecurity incidents affecting CCS.

Required IRP elements:

• Roles and responsibilities for incident response
• Detection and analysis procedures
• Containment, eradication, and recovery procedures
• Communication procedures (internal, CISA, TSA, leadership)
• Post-incident review process
• Coordination with third-party vendors and OT vendors

Annual testing requirement: Entities must test at least two IRP objectives annually. Testing objectives typically include:

• Isolating IT from OT (IT/OT segregation under incident conditions)
• Testing backup data integrity and restoration capability
• Verifying containment procedures for a simulated ransomware event
• Validating communication channels and escalation procedures

Retain evidence of testing (date, scenario, participants, findings, corrective actions).

Component 3: Architecture Design Review (ADR)

What it is: An annual structured review of the entity's IT/OT network architecture to identify gaps, vulnerabilities, and segmentation deficiencies.

ADR scope:

• Review current network topology diagrams (must be current and accurate)
• Assess IT/OT segmentation effectiveness (firewalls, DMZs, data diodes, unidirectional gateways)
• Identify unauthorised or undocumented network connections to CCS
• Assess remote access paths into OT environments
• Evaluate third-party / vendor connectivity to CCS
• Document findings and remediation plan

ADR outputs: Updated network diagram; findings report; remediation action plan with timelines.

Component 4: Cybersecurity Assessment Plan (CAP)

What it is: A formal plan documenting how the entity will assess the effectiveness of its CRMP annually.

Required CAP elements:

• Scope: which CCS and CRMP components are in scope for the assessment
• Assessment methodology: penetration testing, vulnerability scanning, configuration review, process review
• Assessment schedule: timeline for assessments during the year
• Responsible parties: internal or third-party assessors
• Reporting requirements: how results are reported to TSA

Annual submission: CAP results (findings, remediation status, open vulnerabilities) must be reported to TSA annually.

Four Technical Security Domains

These are the specific technical cybersecurity measures required across all substantive TSA directives:

Domain 1: Network Segmentation

Develop and implement network segmentation policies and controls to ensure the OT system can continue to safely operate if the IT system is compromised, and vice versa.

Implementation requirements:

• Formal network segmentation policy
• Documented and enforced IT/OT boundary (firewall rules, DMZ architecture, or physical separation)
• No direct routable connections between corporate IT and OT/ICS networks without security controls
• Remote access to OT must go through a demilitarised zone (DMZ) or jump server
• All segmentation exceptions documented with business justification

Evidence for TSA/assessors:

• Current and accurate network topology diagrams
• Firewall ruleset documentation
• Segmentation testing results (at least annually via IRP test or ADR)

Domain 2: Access Controls

Implement measures to secure and prevent unauthorised access to Critical Cyber Systems.

Implementation requirements:

• Unique user accounts for all users; no shared accounts on CCS
• Multi-factor authentication (MFA) for all remote access to CCS
• MFA for all privileged access to CCS (local and remote)
• Principle of least privilege for all CCS accounts
• Privileged Access Management (PAM) for OT administrator accounts
• Regular access reviews (at minimum annually)
• Vendor/third-party remote access via time-limited, monitored sessions
• Immediate revocation of access upon termination

Evidence for TSA/assessors:

• Access control policy; account inventory; PAM solution configuration
• MFA deployment evidence for remote and privileged access
• Access review records

Domain 3: Continuous Monitoring and Detection

Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies affecting CCS operations.

Implementation requirements:

• Network monitoring for OT environments (OT-aware IDS/IPS or network detection and response)
• Log collection and retention from CCS (both IT and OT where feasible)
• Baseline establishment for normal OT communications (protocol, frequency, endpoints)
• Anomaly detection for deviations from OT baseline
• Alerting and escalation procedures for detected anomalies
• Monitoring of remote access sessions to CCS
• Integration or escalation path to Security Operations Centre (SOC)

OT-specific monitoring considerations:

• Passive monitoring preferred for OT (active scanning can disrupt industrial protocols)
• OT-aware tools: Claroty, Dragos, Nozomi Networks, Armis, Microsoft Defender for IoT
• Focus on detecting: lateral movement, unusual protocol use, unauthorised devices, credential abuse

Domain 4: Patch Management

Apply security patches and updates to operating systems, applications, drivers, and firmware on CCS in a timely manner using a risk-based methodology.

Implementation requirements:

• Formal patch management policy with defined patch SLAs
• Risk-based prioritisation: critical/high vulnerabilities patched faster than medium/low
• OT-specific process: vendor approval, testing in non-production environment before deployment
• Compensating controls for unpatchable legacy OT systems (network isolation, monitoring)
• Regular vulnerability scanning of CCS (both IT and OT-accessible)
• Exception process for patches requiring extended downtime (operational windows)

OT patching realities:

• Vendor approval required for many OT patches (to avoid voiding warranties/support)
• Patching windows may be limited to planned maintenance outages (quarterly, annual)
• Legacy PLC/RTU firmware may be unpatchable — compensating controls required

Core Workflows

1. Applicability Determination

When asked whether an entity is covered by TSA directives:

1. Ask: What sector? (pipeline, freight rail, passenger rail/transit, bus, aviation)
2. Ask: Has TSA specifically notified/designated this entity as covered?
3. Explain: TSA designates covered entities individually; not all operators in a sector are automatically covered
4. Provide: Overview of coverage criteria and how to engage TSA for designation questions
5. Note: The 2024 NPRM proposes broader coverage — if finalised, more entities will be subject to mandatory requirements

2. Gap Assessment

When asked to assess compliance:

1. Ask: Which directive series applies? What sector? What revision is current for them?
2. Produce a table covering all four technical domains + CIP/COIP, IRP, ADR, CAP requirements
3. For each: Status (Compliant / Partial / Non-Compliant / N/A), Gap Description, Evidence Required
4. Highlight highest-risk gaps (no incident reporting process, no IT/OT segmentation, no Cybersecurity Coordinator)
5. Offer prioritised remediation roadmap

3. CIP / COIP Drafting

When asked to draft or review a CIP or COIP:

1. Ask: Which directive applies? Entity type and size? Existing architecture and tools?
2. Build the document following the required sections (see CRMP Component 1 above)
3. Ensure language is outcome-focused and maps to TSA review criteria
4. Flag sections requiring site-specific technical detail that cannot be generic
5. Note: CIP/COIP must be submitted to TSA for approval before use as compliance evidence

4. Incident Response Procedure

When asked about incident response requirements:

1. Provide the 24-hour CISA reporting requirement and contact information
2. Describe required IRP elements and annual testing obligations
3. Draft or review the IRP structure
4. Provide a step-by-step incident response playbook template aligned to TSA requirements

5. Policy Generation

When generating TSA-aligned policies:

• Always include: Purpose, Scope, Policy Statement, Roles & Responsibilities, Procedures, Review Cycle, TSA Directive references
• Map each policy to the specific TSA directive section it satisfies

Common TSA-aligned policies:

2024 NPRM — What's Coming

In November 2024, TSA published a Notice of Proposed Rulemaking (NPRM) that would transition current Security Directive requirements into permanent federal regulations. Key aspects:

CISA Cross-Sector CPGs: TSA's NPRM aligns with CISA's Cybersecurity Performance Goals — a prioritised baseline of cybersecurity practices for critical infrastructure. CPGs map closely to NIST CSF subcategories and are grouped into IT/OT-specific goals.

Reference Files

Load the appropriate reference file based on the task:

• references/tsa-directives-overview.md — All active directive series with revision history, covered sectors, and requirements summary
• references/tsa-crmp-requirements.md — Detailed CRMP component requirements: CIP/COIP, IRP, ADR, CAP, and the four technical domains with implementation guidance
• references/tsa-incident-reporting.md — Incident reporting procedures, CISA contact details, timelines, what qualifies as a reportable incident, and post-incident obligations

When to load reference files:

• Gap assessment or compliance review → load tsa-directives-overview.md + tsa-crmp-requirements.md
• Incident has occurred or user asks about reporting → load tsa-incident-reporting.md
• Architecture review or CIP/COIP drafting → load tsa-crmp-requirements.md
• User asks about which directive applies → load tsa-directives-overview.md
• NPRM or upcoming regulation questions → load tsa-directives-overview.md

Disclaimer

Outputs from this skill provide informational guidance based on publicly available TSA Security Directive summaries, Federal Register notices, and DHS/CISA publications. TSA Security Directives are Sensitive Security Information (SSI) — the full text of some directives is not publicly available. This skill does not constitute legal, regulatory, or professional compliance advice. Entities subject to TSA Security Directives should work directly with TSA, their legal counsel, and qualified OT/ICS cybersecurity professionals to ensure compliance with the specific directives applicable to their operations. Always verify against the current revision of the applicable directive from TSA.