On October 24, 2022, the Transportation Security Administration (“TSA”) released Security Directive 1580/82-2022-01 regarding “Rail Cybersecurity Mitigation Actions and Testing.” The directive is applicable to freight railroad carriers identified in 49 C.F.R. 1580.101 and other TSA-designated freight and passenger railroads. This Security Directive follows last year’s Security Directive 1580-21-01, “Enhancing Rail Cybersecurity” and is part of a significant effort to increase cybersecurity standards for critical infrastructure in many industry sectors.

“The goal of [the] Security Directive is to reduce the risk that cybersecurity threats pose to critical railroad operations and facilities through implementation of layered cybersecurity measures that provide defense-in-depth.” The Security Directive requires the establishment and implementation of a TSA-approved Cybersecurity Implementation Plan and establishment of a Cybersecurity Assessment Program with an annual plan submitted to TSA.

TSA issued the Security Directive after consulting with the Cybersecurity and Infrastructure Security Agency, the Department of Defense, and the Department of Transportation.

Jim Shreve is the chair of Thompson Coburn’s Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years. Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about data privacy litigation and regulatory risks. Libby Casale is an associate in Thompson Coburn’s Business Litigation group.