TSA Seeks Feedback on Bus and Train Cyber Security Reporting
Published Date: 4/16/2026
Notice
Summary
The TSA wants to update how they collect info about cybersecurity for surface transportation like buses and trains. They’re asking companies to name a Cybersecurity Coordinator, report cyber incidents, create recovery plans, and do security checks. If you’re involved, get ready to share feedback by June 15, 2026—this helps keep travel safe without adding too much paperwork or cost.
Free Policy Watch
New rules are filed every week. Most people never see them.
Pick a topic. PRIA watches every federal rule and tells you when one hits your household.
Pick a topic to get started
Analyzed Economic Effects
5 provisions identified: 0 benefits, 5 costs, 0 mixed.
Submit Plans, Assessments, and Annual Reports
Covered Owner/Operators must submit a TSA-approved Cybersecurity Implementation Plan, a Cybersecurity Assessment Plan and annual assessment reports, complete a TSA-issued cybersecurity vulnerability assessment form and submit it, and provide documentation to TSA upon request. Submissions can be made via the TSA Secure Regulatory Portal or operators may retain documents locally for in-person or TSA-approved virtual review.
Scale: 846 Respondents and 210,684 Hours Annually
TSA estimates this collection applies to a total of 846 respondents and imposes a total annual hour burden of 210,684 hours. The notice lists specific counts: 73 Owner/Operators under SD 1580/82-2022-01, 449 railroad Owner/Operators, 242 public transportation and rail transit Owner/Operators, and 72 over-the-road bus Owner/Operators (previously totaling 836 respondents before the revision).
Report Cyber Incidents to CISA Quickly
Owner/Operators covered by the directives must report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) as soon as practicable, but no later than 72 hours after identifying a cybersecurity incident (per 49 CFR 1570.203). The Information Circular also recommends (voluntarily) notifying TSA's Transportation Security Operations Center by phone as soon as possible and no more than 12 hours after discovery.
Name a Primary and Backup Cyber Lead
If you operate surface transportation (rail, transit, or over-the-road bus) covered by TSA directives or information circulars, you must provide contact information for a primary Cybersecurity Coordinator and at least one alternate to TSA. This is a required information submission under the TSA Security Directives and/or Information Circulars.
Non‑U.S. Citizen Coordinator STA Requirement
Starting with the TSA revision on January 15, 2026, any non-U.S. citizen serving as a primary or alternate Cybersecurity Coordinator must be a current member of NEXUS, Global Entry, or another program TSA finds provides a comparable security threat assessment, and must submit proof of that membership to TSA. TSA anticipates nine or fewer Owner/Operators will need to respond annually for this requirement; burden estimates assume up to 10 respondents and estimate about 0.25 hours per respondent to compile and submit documentation, with an additional ~2 hours per respondent if a fingerprint-based criminal history check is required.
Your PRIA Score
Personalized for You
How does this regulation affect your finances?
Sign up for a PRIA Policy Scan to see your personalized alignment score for this federal register document and every other regulation we track. We analyze your financial profile against policy provisions to show you exactly what matters to your wallet.
Key Dates
Department and Agencies
Take It Personal
Get Your Personalized Policy View
Start a Free Government Policy Watch to see how policy affects your household, then upgrade to PRIA Full Coverage for year-round monitoring.
Already have an account? Sign in