Critical infrastructure companies should expect substantial new federal cybersecurity requirements based on the National Cybersecurity Strategy that President Biden announced on March 2, 2023. The Strategy includes enhanced requirements for critical infrastructure. Specifically, President Biden pivoted federal cybersecurity policy from encouraging voluntary adoption of proactive security measures to using regulation and other measures to mandate
New TSA Rail Cybersecurity Rule Shows Trend Toward Prescriptive Mandates
The Transportation Security Administration issued a new cybersecurity directive to enhance cybersecurity preparedness and resilience for designated passenger and freight railroads. The requirements focus on performance-based measures to achieve critical cybersecurity outcomes in light of the growing sophistication of evolving threats.
The directive is effective as of October 24, 2023, and companies will need to
Almost There and Starting Again: CPPA Votes To Finalize Regulations and Launches Round Two
The Board of the California Privacy Protection Agency (CPPA) approved a rulemaking package covering Sections 7000–7304 of their draft regulations on February 3, 2023. The board also initiated preliminary rulemaking activities for risk assessments, cybersecurity audits, and automated decision-making. In approving the rulemaking package, the CPPA did not make substantive changes to the version of its draft regulations published in October 2022, indicating that any changes following from the more than 400 pages of public comment analysis could be advanced in future rulemaking activities.