TSA’s proposed rule “Enhancing Surface Cyber Risk Management” imposes significant supply chain and third-party risk management requirements on critical infrastructure owner/operators of passenger railroads, rail transit, and gas pipeline facilities. The rule requires organizations to adopt comprehensive risk management practices, specifically in managing their supply chains, to mitigate vulnerabilities originating from third-party suppliers, vendors, and service providers. By mandating that organizations assess and control the cyber risks associated with their supply chains, TSA aims to ensure that even indirect vulnerabilities are addressed, given the integral role that vendors and partners play in supporting core operational functions.
Key Supply Chain Implications in the TSA Proposed Rule
The following implications were determined from an analysis of the TSA proposed rule, in conjunction with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).
- Vendor and Supplier Assessment: Organizations are required to evaluate the cybersecurity practices of their third-party vendors and suppliers. This includes assessing potential risks introduced by these parties and verifying that they adhere to TSA’s cybersecurity standards.
- Establish Cybersecurity Requirements with Third Parties: Organizations should set clear cybersecurity requirements for all vendors and suppliers to prevent vulnerabilities from third-party sources. This includes confirming that suppliers follow cybersecurity standards compatible with the organization’s risk tolerance and reporting frameworks.
- Cyber Incident Reporting and Disclosure: Pipeline and surface transportation entities must establish incident reporting systems that include supply chain-originated incidents. This fosters transparency across the supply chain and enables rapid response to emerging threats.
- Control Validation and Continuous Monitoring: Operators must regularly validate that third-party entities meet cybersecurity requirements and conduct ongoing monitoring for vulnerabilities, especially in critical systems or services supplied by external parties.
How Fortress Information Security Can Help
Fortress Information Security offers services that align closely with these TSA requirements, making it an ideal partner for pipeline and rail owners aiming to comply with the rule’s supply chain risk management mandates. Key areas in which Fortress can support a supply chain risk management program include:
- Vendor Risk Assessment: Fortress conducts in-depth cybersecurity assessments of suppliers, providing pipeline owners with a clear view of their vendors' cyber risk postures. Fortress’ platform also offers continuous monitoring, alerting operators to any changes in third-party risk levels, which is crucial for ongoing TSA compliance.
- Threat Intelligence and Vulnerability Management: Through its extensive threat intelligence capabilities, Fortress helps organizations stay aware of and address vulnerabilities within the supply chain. This includes monitoring for Known Exploited Vulnerabilities (KEVs) and recommending patches or compensating controls.
- Supply Chain Incident Response Solutions: Fortress supports incident response reporting by using the incident campaign functionality and accompanying workflows found within the Fortress Platform. This aligns with TSA’s requirement for quick incident reporting and coordinated responses to combat potential supply chain disruptions.
By partnering with Fortress Information Security, a pipeline operator can not only align with TSA’s proposed requirements but also build a resilient, scalable supply chain risk management program that protects against evolving threats in the transportation sector.