Cybersecurity and Infrastructure Security Agency Transportation Systems Sector (CISA TSS)

The Transportation Systems Sector (TSS) represents a vast, interconnected, and complex network of systems and assets that facilitate movement of passengers and cargo. Recognizing the critical nature of this sector in the country's daily operations and economy, the Cybersecurity and Infrastructure Security Agency (CISA) has designated the TSS as one of the nation's critical infrastructure sectors.

Definition and purpose

The TSS framework, under the purview of CISA, focuses on safeguarding transportation systems against terrorist threats, natural disasters, and other disruptions while preserving freedom of movement and the functionality of those systems. It aims to provide security, resilience, and rapid recovery of these systems in the face of various threats.

Governing Body

The Cybersecurity and Infrastructure Security Agency (CISA), part of the United States Department of Homeland Security, governs the security directives and guidelines for the Transportation Systems Sector.

Last updated

The specific guidelines and directives for the TSS are updated based on evolving threats, vulnerabilities, and technological changes. The most recent update was released in December 2020.

Applies to

The Transportation Systems Sector covers a wide range of subsectors, including:

  • Aviation (airports, aircraft, and airlines)
  • Maritime transportation (ports, vessels, and support activities)
  • Mass transit and passenger rail
  • Highway and motor carrier
  • Pipeline systems
  • Freight rail
  • Postal and shipping

Controls and requirements

CISA's recommendations and guidelines for the TSS span a wide array of areas, from physical security to cybersecurity. While listing every requirement is beyond the scope of this page, some general areas of focus include:

  • Threat and vulnerability assessments
  • Security training and awareness
  • Physical security enhancements
  • Cybersecurity best practices and controls
  • Incident response and recovery plans
  • Collaboration with private sector stakeholders

Specific requirements might vary based on the subsector and the nature of the identified risks.

Please refer to the official Transportation Systems Sector Framework Implementation Guide for a detailed list of controls and requirements.

Audit type, frequency, and duration

Audit type, frequency, and duration can vary based on specific subsectors within the TSS and the nature of guidelines or directives released by CISA. Some audits might be compliance-driven, focusing on adherence to specific regulations, while others might be risk-based. The frequency can range from annual assessments to more sporadic audits following significant changes in the threat landscape or following major incidents. The duration will vary based on the scope, size, and complexity of the entity being audited.
