
What Are TSA Cybersecurity Security Directives?


📅 Published: June 2026 🔐 Cybersecurity • Critical Infra • USA ⏱️ 2,200 words

The Transportation Security Administration (TSA) Cybersecurity Security Directives are emergency, legally binding orders that require owners and operators of specific pipeline, rail, and aviation assets in the United States to implement a defined set of cybersecurity performance measures, report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA), and designate a cybersecurity point of contact.

Since 2021, TSA has issued a series of these directives in response to high-profile ransomware attacks, including the Colonial Pipeline breach, which disrupted fuel supply across the Eastern Seaboard. For organizations operating under TSA’s purview—particularly those in pipeline, rail, and transit sectors—these directives represent a mandatory compliance framework that demands immediate action rather than voluntary best-practice adoption. This article provides a comprehensive technical and regulatory overview of TSA Security Directives, covering who must comply, what the measures require, how they interact with other CISA obligations like CIRCIA, and how organizations can operationalize compliance efficiently.

What Are TSA Cybersecurity Security Directives? A Comprehensive Overview

TSA Security Directives are regulatory instruments issued under 49 U.S.C. § 114, which grants the TSA Administrator authority to impose security measures to protect transportation systems against terrorism and other threats. Unlike voluntary guidance or industry frameworks, a Security Directive carries the full force of federal regulation and can be enforced with civil penalties, operational restrictions, or both.

The directive framework was restructured in 2021 to address the escalating cyber threat to critical infrastructure. TSA’s cybersecurity directives apply to operators of hazardous liquid and natural gas pipelines, passenger rail, freight rail, and certain aviation security program holders. Each directive specifies required actions, reporting timelines, and compliance deadlines.

To date, TSA has issued three major cybersecurity directive packages—SD-2021-01 (Pipeline), SD-2021-02C (Pipeline), and SD-2022-01 (Rail and Aviation). These build on each other, with later editions tightening requirements, adding incident reporting thresholds, and mandating third-party validation of cybersecurity measures.

Key Takeaway: TSA Security Directives are mandatory, legally enforceable cybersecurity regulations. They require covered operators to implement specific measures (e.g., network segmentation, MFA, incident response plans), report confirmed incidents to CISA within 12 hours, and submit an annual compliance assessment signed by the CEO or a senior corporate officer. Noncompliance can result in civil penalties of over $25,000 per day per violation, operational shutdown orders, or revocation of security program approvals.

Which Organizations Must Comply with TSA Security Directives?

Pipeline and Hazardous Liquid Operations

The initial pipeline Security Directive (SD-2021-01) applied to owners and operators of hazardous liquid and natural gas pipelines regulated by TSA’s Surface Security Programs. This includes the majority of interstate and intrastate pipelines with a capacity of 500,000 barrels or more per day (for liquids) or significant throughput for natural gas. Pipeline operators subject to 49 CFR Part 1580 or Part 1584 fall squarely within scope.

Rail and Transit Systems

TSA Security Directive 2022-01 extended requirements to all passenger rail operators (Amtrak, commuter rail, and light rail systems) as well as freight rail operators that transport hazardous materials in quantities requiring placarding under 49 CFR Part 172. High-risk transit agencies that receive TSA security enhancements are also covered.

Aviation Security Program Holders

Certain aviation entities—specifically those holding TSA-approved security programs under 49 CFR Part 1542 (airport operators) and Part 1544 (air carriers)—must comply with relevant cybersecurity directives. Requirements are tiered based on passenger volume and operations.

For a definitive scope determination, covered entities should reference their specific TSA security program documents. TSA communicates applicability via Security Directive amendments or new directive issuances, typically with a 30-to-60-day implementation window.

What Are the Core Requirements of TSA Cybersecurity Directives?

While directives have evolved, the core requirements have stabilized across the three major issuances. The most current and comprehensive compliance baseline includes the following measures:

1. Incident Reporting to CISA (12-Hour Window)

Covered operators must report confirmed cybersecurity incidents to CISA within 12 hours of confirmation. The definition of “incident” aligns with the CISA definition under CIRCIA (6 U.S.C. § 685): an occurrence that actually or imminently jeopardizes the integrity, confidentiality, or availability of an information system or the information it processes, or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

This reporting obligation is direct—operators report through CISA’s designated portal, not through TSA. However, TSA reviews CISA’s notifications as part of its compliance monitoring.

2. Designation of a Cybersecurity Point of Contact

Each operator must designate a single cybersecurity point of contact (POC) who is available 24/7/365. The POC must be an employee with authority to make cybersecurity decisions and communicate with TSA and CISA during an incident. The POC’s name, title, phone number, and email must be submitted to TSA.

3. Implementation of Specific Cybersecurity Performance Measures

Directives mandate several technical and administrative controls:

4. CEO/Designee Certification of Compliance

An executive officer—typically the CEO or equivalent—must sign an annual certification attesting that the operator is in full compliance with all applicable Security Directive provisions. This certification is a matter of public record and carries legal liability.

How Do TSA Security Directives Compare to Other Regulatory Obligations?

Operators subject to TSA Security Directives are often also regulated under other frameworks—CIRCIA, NRC security orders, NERC CIP, or state pipeline safety rules. Understanding the overlaps and distinctions is critical for efficient compliance.

| Regulation / Obligation | Reporting Window | Focus | Enforcer |
|---|---|---|---|
| TSA Security Directive (12-hour rule) | 12 hours post-confirmation | Pipeline, rail, aviation cybersecurity | TSA (Transportation Security Administration) |
| CIRCIA (CISA incident reporting) | 72 hours for notification; 24 hours for ransom payments | All critical infrastructure sectors | CISA (Cybersecurity and Infrastructure Security Agency) |
| NERC CIP (Cyber Security Standards) | Varies (1 hour to 24 hours for certain reports) | Bulk electric system cyber assets | NERC (North American Electric Reliability Corporation) |
| HHS HIPAA Security Rule | 60 days for breach notification | Protected health information (PHI) systems | HHS OCR |
| NYDFS 23 NYCRR 500 | 72 hours (notice of cybersecurity event) | Financial services firms in New York | New York Department of Financial Services |

Note that TSA’s 12-hour reporting window is shorter than CIRCIA’s 72-hour requirement for non-ransom events. Where both apply, reporting to CISA under TSA directives satisfies the CIRCIA obligation for the same incident, provided the operator labels it as a TSA Security Directive report. However, operators must still comply with CIRCIA’s separate 24-hour window for ransom payment reports.

What Are the Penalties for Noncompliance with TSA Security Directives?

TSA can enforce Security Directives through three primary mechanisms:

- Civil penalties, which can exceed $25,000 per day per violation
- Operational shutdown orders
- Revocation of security program approvals

To date, TSA has not publicly disclosed specific civil penalty actions, but the enforcement posture has escalated. In 2023, TSA conducted dozens of compliance inspections and issued several warning letters and notices of violation. Industry commentators expect enforcement to increase as TSA builds its cybersecurity inspector workforce.

How to Achieve and Maintain Compliance with TSA Security Directives

For organizations newly subject to a Security Directive, the implementation path requires both technical controls and administrative processes. A phased approach typically works best:

1. Conduct a Gap Assessment Against TSA Requirements

Map your current cybersecurity posture against the directive’s explicit measures: network segmentation, MFA, patching cadence, incident response plan, training, and POC designation. Identify missing controls, documentation gaps, and legacy system exceptions that need CEO-level risk acceptance. A formal gap assessment provides the baseline for your remediation plan.

2. Implement or Remediate Technical Controls

Deploy MFA across all remote access points. Segment OT and IT networks using firewalls, unidirectional gateways, or network diodes. Establish a vulnerability scanning schedule that meets the 30-day/90-day cadence. Ensure your incident response plan (IRP) aligns with CISA’s framework and includes provisions for the 12-hour reporting window.

3. Designate and Train Your Cybersecurity POC

Select an internal employee—typically the CISO, IT director, or OT security lead—who can be reached 24/7. Register the POC with TSA through your compliance submission portal. Provide annual cybersecurity awareness training to all OT-access employees and executive leadership.

4. Engage a Qualified Independent Assessor

TSA requires an annual third-party compliance assessment. The assessor must be independent, hold relevant cybersecurity certifications (e.g., CISSP, CISA, GIAC), and have demonstrated experience with OT/ICS environments. The assessment scope covers all directive requirements plus a review of your CEO certification.

5. Submit Compliance Certification and Prepare for Inspection

Your CEO or designated equivalent signs the annual certification, which is submitted through TSA’s compliance system. Maintain comprehensive evidence (policy documents, scan reports, IRP test records, training logs) because TSA can conduct on-site inspections at any time.

Simplify TSA Compliance with CyberSilo’s Threat Exposure Management

Navigating multiple Security Directives while simultaneously managing CIRCIA reporting, network segmentation, and CEO certifications is a significant operational burden. CyberSilo Threat Exposure Management provides continuous OT/ICS inventory mapping, automated vulnerability scanning aligned to TSA’s cadence, and a centralized compliance dashboard that maps every control to the directive’s language. Our independent assessor services are staffed by certified ICS security professionals with direct pipeline and rail experience.

What Is the Relationship Between TSA Security Directives and CIRCIA?

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and TSA Security Directives share a key overlap: incident reporting to CISA. However, they are separate legal authorities with distinct scopes and obligations.

CIRCIA applies across 16 critical infrastructure sectors, including transportation, but its reporting timelines (72 hours for notification, 24 hours for ransom payments) differ from TSA’s 12-hour window. For pipeline, rail, and aviation operators subject to both, the TSA requirement is stricter. Where a single incident triggers both, reporting under TSA’s directive satisfies the CIRCIA obligation for that incident, but the operator must clearly note the dual applicability.

Beyond reporting, CIRCIA does not mandate specific cybersecurity measures—it is primarily a notification statute. TSA directives, by contrast, require implementation of controls, third-party assessments, and CEO certification. Operators must comply with both independently.
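As an added illustration of the reporting-window rules given in the comparison table earlier and in this section (example code written for this article, not code from the original page or from CyberSilo), the following Python helper turns an incident's confirmation time, the regimes that apply, and any ransom payment time into a deadline list for the incident response team. The scenario inside example_scenario is constructed and hypothetical; the applicability flags and timestamps are inputs, not facts from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reporting windows as stated in the article, in hours after the triggering event.
TSA_WINDOW_HOURS = 12       # TSA Security Directive: 12 h after incident confirmation
CIRCIA_NOTIFY_HOURS = 72    # CIRCIA: 72 h notification for a covered incident
CIRCIA_RANSOM_HOURS = 24    # CIRCIA: 24 h after a ransom payment is made

@dataclass(frozen=True)
class Obligation:
    regime: str          # "TSA SD" or "CIRCIA"
    trigger: str         # event that starts the clock
    deadline: datetime   # latest time the report may be filed
    note: str            # labelling / coverage note for the IR team

def reporting_obligations(confirmed_at, tsa_covered, circia_covered, ransom_paid_at=None):
    """Return the CISA reporting obligations for one incident, earliest deadline first.

    Rules as the article states them: a TSA 12-hour report, where it applies, also
    satisfies the CIRCIA 72-hour notification for the same incident when labelled as a
    TSA Security Directive report; a CIRCIA ransom-payment report is a separate
    24-hour clock that the TSA report does not satisfy.
    """
    obligations = []
    if tsa_covered:
        note = "File via the CISA portal, labelled as a TSA Security Directive report"
        if circia_covered:
            note += "; also satisfies the CIRCIA 72-hour notification for this incident"
        obligations.append(Obligation("TSA SD", "incident confirmation",
                                      confirmed_at + timedelta(hours=TSA_WINDOW_HOURS), note))
    elif circia_covered:
        obligations.append(Obligation("CIRCIA", "incident confirmation",
                                      confirmed_at + timedelta(hours=CIRCIA_NOTIFY_HOURS),
                                      "CIRCIA covered-incident notification"))
    if circia_covered and ransom_paid_at is not None:
        obligations.append(Obligation("CIRCIA", "ransom payment",
                                      ransom_paid_at + timedelta(hours=CIRCIA_RANSOM_HOURS),
                                      "Separate ransom-payment report; the TSA report does not cover it"))
    return sorted(obligations, key=lambda o: o.deadline)

def example_scenario():
    """Constructed sample (hypothetical): an operator covered by both regimes confirms an
    incident at 08:00 UTC on 1 June 2026 and pays a ransom 30 hours later."""
    confirmed = datetime(2026, 6, 1, 8, 0, tzinfo=timezone.utc)
    ransom_paid = confirmed + timedelta(hours=30)
    return reporting_obligations(confirmed, tsa_covered=True, circia_covered=True,
                                 ransom_paid_at=ransom_paid)
```

For the constructed scenario the helper yields two clocks: the TSA report due 12 hours after confirmation, and a separate CIRCIA ransom-payment report due 24 hours after the payment.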

For a deeper dive into CIRCIA obligations, see our guide to CIRCIA compliance services.

How Do TSA Security Directives Apply to Cross-Border Operations and Canadian Operators?

TSA Security Directives apply to any pipeline, rail, or aviation operation that falls under TSA’s jurisdiction based on physical asset location or security program coverage within the United States. For Canadian operators with pipeline or rail assets that cross into the United States—such as Enbridge’s Mainline system or Canadian National and Canadian Pacific Kansas City rail—the portion of the system within U.S. territory is subject to TSA directives if it meets the applicable throughput or security program criteria.

Canadian operators with U.S. operations should ensure compliance for their U.S. assets. Additionally, Canada’s own critical infrastructure cybersecurity regulations, including those administered by the Canadian Centre for Cyber Security (CCCS) and potentially Bill C-26 / CCSPA, impose parallel but distinct obligations for the Canadian portion of the system.

Industry observers anticipate several developments:

Proactive compliance now positions operators to absorb future directive amendments with minimal disruption.

Get a TSA Compliance Assessment Before Your Next Inspection

Don’t wait for a TSA compliance letter. CyberSilo’s compliance assessment is built specifically for pipeline and rail operators. We map every control to TSA Security Directive language, identify gaps in OT segregation and MFA deployment, and provide a remediation roadmap that keeps your operations online while meeting regulatory deadlines.

Our Conclusion & Recommendation

TSA Cybersecurity Security Directives have transformed from emergency stopgap measures into a permanent regulatory baseline for the U.S. transportation critical infrastructure sector. For pipeline, rail, and aviation operators, the compliance burden is substantial but manageable with the right approach: a systematic gap assessment, targeted implementation of OT-specific controls (network segmentation, MFA, vulnerability scanning), and annual third-party validation with CEO-level sign-off.

The financial and operational risks of noncompliance—daily civil penalties, operational shutdown orders, and reputational damage from enforcement disclosure—far outweigh the investment in proactive compliance. Moreover, aligning TSA compliance with overlapping frameworks like CIRCIA, NERC CIP, and state pipeline safety rules yields efficiency gains and reduces audit fatigue.

We recommend that all covered operators begin with a formal TSA Security Directive gap assessment conducted by assessors with OT/ICS domain experience. CyberSilo Threat Exposure Management provides the continuous asset discovery, vulnerability management, and compliance mapping foundation that makes directive compliance sustainable year after year. Contact our team to start your assessment today.

Future-Proof Your Transportation Cybersecurity Compliance

Secure your operations against evolving TSA, CIRCIA, and CISA requirements with a single integrated compliance and threat management platform.
