WASHINGTON, D.C. — This week, House Committee on Homeland Security Chairman Mark E. Green, MD (R-TN), Subcommittee on Transportation and Maritime Security Chairman Carlos Gimenez (R-FL), Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andrew Garbarino (R-NY), and Committee member Rep. Sheri Biggs (R-SC) sent a letter to the Transportation Security Administration’s (TSA) Acting Administrator, Adam Stahl, highlighting the importance of the agency’s cybersecurity and resilience measures in the wake of increasing threats. Members highlighted the evolving cyber threats facing our nation’s transportation infrastructure, which create an urgent need for an adaptive cybersecurity posture that doesn’t add to the already complex cybersecurity regulatory landscape. Recent incidents that impacted the sector include the cyberattack at the Seattle-Tacoma International Airport in August 2024, the global IT outage in July 2024, and the cyberattack against Colonial Pipeline in 2021.
 
The letter requests information on TSA’s formal incident response framework for large-scale cyberattacks, specific measures TSA is implementing in the wake of the Volt Typhoon intrusions, how TSA works with the Cybersecurity and Infrastructure Security Agency (CISA), how the agency evaluates regulatory measures issued under the previous administration, and more. The agency’s answers are due by Tuesday, March 18, 2025. Read the full letter here.

Read more in Inside Cybersecurity via Jacob Livesay.

In the letter, the members wrote, “TSA’s Notice of Proposed Rulemaking (NPRM) published on November 6, 2024, entitled, ‘Enhancing Surface Cyber Risk Management,’ would further mandate the establishment of cyber risk management programs for certain pipeline and rail operators, extending cybersecurity resilience efforts across higher-risk transportation stakeholders. According to the NPRM, the proposed rule aims to formalize TSA’s existing cybersecurity directives while incorporating the cybersecurity framework developed by the National Institute of Standards and Technology (NIST) and the cross-sector cybersecurity performance goals established by the Cybersecurity and Infrastructure Security Agency (CISA). With the public comment period closing on February 5, 2025, evaluating the rule’s potential impact on security, regulatory compliance, and industry operations should be a priority.”
 
The members continued, “As TSA refines its cybersecurity posture, it is also essential to assess whether this regulatory framework is effective, sustainable, and appropriately balanced between security imperatives and operational realities. TSA must ensure that its cybersecurity framework is not only effective but also agile enough to respond to multiple simultaneous cyber incidents that impact different nodes of the transportation sector without compromising operational continuity.” 
 
The members concluded, “We are concerned that the Biden administration did not take this pragmatic and balanced approach to regulation for the Transportation Systems Sector, instead imposing more requirements on entities that already face a complex cyber regulatory landscape. A rigid or overly burdensome approach could impose operational challenges, while insufficient oversight may leave critical vulnerabilities unaddressed. Striking the right balance will require continuous engagement with industry partners, regular assessments of existing directives, and the flexibility to refine policies in response to emerging threats and technological advancements.”
 
Background:
 
In the Committee’s first hearing of the 119th Congress, members examined global cybersecurity threats to the homeland, featuring testimony from the private sector. Retired Admiral Mark Montgomery revealed the startling extent of the Chinese Communist Party’s (CCP) ongoing access to our networks, as well as the sinister reason behind China’s pre-positioning efforts in our critical infrastructure. CrowdStrike’s Adam Meyers further outlined how threat actors, such as China, Russia, and North Korea, find and exploit known or zero-day vulnerabilities in American technology. As America’s adversaries increasingly use cyberspace as a battlefield, every witness called for enhanced cyber readiness across the government and private networks. Witnesses agreed the danger lies in failing to prioritize cybersecurity efforts––whether defensive or offensive. 
 
In March 2024, Chairmen Green and Garbarino released a statement on CISA’s proposed rule for incident reporting required by the “Cyber Incident Reporting for Critical Infrastructure Act of 2022” (CIRCIA), in which the members reinforced the Committee’s efforts to ensure the law’s implementation is a turning point in national cyber preparedness and fosters a partnership to increase visibility across critical infrastructure sectors.

###