✈️ TSA Security Directives Toolkit

Meet TSA Security Directive Cyber Requirements with
Incident Response Exercises

TSA's cybersecurity Security Directives — the pipeline SD Pipeline-2021-02 series, the freight & passenger rail directives (1580/1582), and aviation — require designated owner/operators to implement a Cybersecurity Implementation Plan, a Cybersecurity Assessment Plan, and a Cybersecurity Incident Response Plan (CIRP) that must be exercised, plus reporting of cybersecurity incidents to CISA. CyberICS delivers the CIRP exercises, AI-generated After Action Reports, and audit-ready evidence — turning a recurring TSA obligation into demonstrable readiness across pipeline, rail, and aviation surface transportation.

CIRP — annual exercise requirement
Report to CISA — 24-hour timeline
Cybersecurity Assessment Plan (CAP)
Pipeline · Rail · Aviation owner/operators
OT/IT critical cyber systems
Start Free — 14-Day Trial 🏭 See the NIST SP 800-82 Toolkit → Talk to Our Transportation Security Team
Compliance & Handling Note: CyberICS exercises and evidence artifacts support the cybersecurity Security Directive requirements — the Cybersecurity Incident Response Plan (CIRP) and its annual exercise, Cybersecurity Assessment Plan input, and CISA incident-reporting readiness — as part of a structured program. They are not a determination of TSA compliance; verify your specific obligations directly with TSA and qualified counsel. Do not enter sensitive operational or SSI (Sensitive Security Information) details into the platform; it is for unclassified training and exercise content and completion records.
Who the TSA Security Directives Apply To

Designated Pipeline, Rail & Aviation Owner/Operators

TSA's cybersecurity Security Directives bind the owner/operators of higher-risk surface transportation systems — and the requirements run consistently across modes: identify critical cyber systems, plan and assess, and stand up and exercise a Cybersecurity Incident Response Plan.

TSA-Designated Pipeline Owner/Operators

Hazardous Liquid & Natural Gas Pipelines

Owner/operators of TSA-designated critical pipeline systems and facilities must implement the cybersecurity Security Directive program — a Cybersecurity Implementation Plan, a Cybersecurity Assessment Plan, and a Cybersecurity Incident Response Plan that is exercised — and report cybersecurity incidents to CISA.

  • Natural gas transmission & distribution pipelines
  • Hazardous liquid & crude oil pipelines
  • Pipeline SCADA, compressor/pump stations & control centers
  • LNG facilities & terminal operations
  • Critical OT/IT systems whose compromise affects safe operation
Tabletop exercises directly satisfy the SD Pipeline-2021-02 series requirement to exercise the Cybersecurity Incident Response Plan and rehearse reporting to CISA.
Freight & Passenger Rail / Aviation Operators

Surface Transportation & Airport / Aircraft Operators

Higher-risk freight railroads, public transportation and passenger rail agencies, and TSA-regulated airport and aircraft operators carry parallel cybersecurity Security Directive duties — identify critical cyber systems, segment networks, and exercise an incident response plan in their working language.

  • Freight rail (1580) — higher-risk freight railroad carriers
  • Passenger rail (1582) — public transportation & passenger rail agencies
  • Aviation — TSA-regulated airport & aircraft operators
  • Rail signaling, dispatch, traction power & OT control systems
  • Airport baggage, gate, ramp & building OT systems
Each mode must designate a Cybersecurity Coordinator and exercise its incident response plan — the CyberICS exercise evidence pack supplies that record.
🔄

A Recurring, Audited Obligation — Across Every Transportation Mode

The cybersecurity Security Directives require designated owner/operators to exercise their Cybersecurity Incident Response Plan and to conduct periodic assessments — not just write a plan once. A standing CyberICS exercise program turns the annual CIRP exercise into a repeatable, evidence-generating cycle across pipeline, freight rail, passenger rail, and aviation — in your team's working language.

🇬🇧 English 🇫🇷 Français 🇵🇹 Português 🇪🇸 Español 🇩🇪 Deutsch 🇮🇹 Italiano
TSA Security Directive Mapping

SD Requirements → CyberICS Capability

The cybersecurity Security Directives name specific planning, assessment, response, and reporting duties. Tabletop exercises directly satisfy the incident-response-plan exercise and reporting requirements, and generate evidence for several more.

TSA Cybersecurity Security Directive Requirements Reference

Coverage: Core = exercise directly satisfies the requirement  |  Supporting = exercise validates / documents  |  Partial = scenario content covers the domain

Reference Requirement Requirement Summary CyberICS Capability Coverage
CIRP Cybersecurity Incident Response Plan Develop and maintain a Cybersecurity Incident Response Plan addressing detection, response, and recovery for critical cyber systems Live Session mode executes the CIRP end-to-end; the AI AAR documents detection, containment, eradication, and recovery against the plan's procedures Core
CIRP · Exercise Annual CIRP exercise requirement The Cybersecurity Incident Response Plan must be exercised periodically (at least annually) to validate it works in practice A standing exercise program is the CIRP-exercise system-of-record — recurring, timestamped sessions with participation logs and AARs retained as evidence Core
CAP Cybersecurity Assessment Plan Develop and submit a Cybersecurity Assessment Plan and conduct ongoing assessments of cybersecurity measures' effectiveness Exercise AARs and Gap Analysis feed the assessment with prioritized, dated findings; exercise history evidences ongoing assessment activity Supporting
Report to CISA Reporting cybersecurity incidents to CISA Report cybersecurity incidents to CISA within the directive's timeline (24 hours), with required content and a designated point of contact The CISA incident-reporting drill rehearses the who / what / 24-hour timeline of the report under realistic pressure Core
Critical Systems Critical-cyber-system identification Identify and document the Critical Cyber Systems (OT and IT) whose compromise could disrupt safe and continuous operation Scenario context drives owner/operators to name the critical OT/IT systems in play; AARs surface gaps in the identification Partial
Segmentation Network segmentation (IT/OT) Implement network segmentation policies and controls to isolate OT systems if the IT network is compromised, and vice versa IT→OT pivot scenarios exercise segmentation response and containment decisions; AARs flag segmentation weaknesses surfaced in play Partial
Access Control Access control policies Implement access control measures to secure and prevent unauthorized access to Critical Cyber Systems Credential-abuse and privilege-escalation scenarios exercise access-control response; AARs flag access-management gaps Supporting
Detection Continuous monitoring & detection Implement continuous monitoring and detection policies to detect cybersecurity threats and anomalies affecting operations Scenarios begin from realistic detection signals and exercise the triage and escalation path; AARs document monitoring/detection gaps Partial
Recovery Recovery & resilience Ensure the CIRP provides for timely recovery and continuity of operations following a cybersecurity incident Exercises run through containment to recovery and continuity decisions; AARs capture recovery-time and resilience gaps Supporting
Platform Capabilities

How CyberICS Supports Your TSA Security Directive Program

Three core capabilities work together to deliver, document, and evidence the Cybersecurity Incident Response Plan exercise, assessment, and CISA reporting requirements.

🎲
CIRP · Annual Exercise

Structured CIRP Exercise Execution

Live Session mode runs real-time, multi-participant incident-response exercises. Every step, response, and host action is timestamped — producing the auditable CIRP-exercise record the cybersecurity Security Directives require owner/operators to retain.

  • Per-participant participation & completion record
  • Step-by-step CIRP walkthrough log
  • Session date, scope, and duration metadata
  • Detection → containment → recovery trace
📋
CISA Report · CAP

AI-Generated After Action Report

Immediately after each exercise, CyberICS generates a structured AAR documenting the response, gaps, and SD requirement references — the artifact a Cybersecurity Coordinator files as proof the CIRP was exercised and what it found.

  • SD requirement references per gap
  • CISA reporting-readiness notes (24-hour timeline)
  • Corrective-action recommendations for the CAP
  • Multilingual output (EN/FR/PT/ES/DE/IT)
📄
Assessment Evidence

TSA Security Directive Evidence Pack

The Compliance Dashboard assembles an SD evidence package — CIRP exercise records, CISA reporting drills, assessment input, and a remediation timeline — so a Cybersecurity Coordinator can demonstrate the exercised plan with the file already built.

  • CIRP exercise completion roster
  • CISA incident-report rehearsal records
  • Cybersecurity Assessment Plan input
  • Gap & remediation timeline
Scenario Library

TSA-Relevant Scenarios for Pipeline, Rail & Aviation

Six high-fidelity transportation scenarios — pipeline, freight rail, passenger rail, and aviation OT incidents — ready to run as a CIRP exercise with AI facilitator briefing included.

Pipeline · SCADA
SD Pipeline-2021-02
Pipeline SCADA Ransomware Shutdown

Ransomware reaches the enterprise network and forces a precautionary shutdown of pipeline SCADA. Exercises CIRP detection, the IT/OT containment decision, and the 24-hour report to CISA under time pressure.

CIRP CISA Report SCADA
Pipeline · OT Intrusion
SD Pipeline-2021-02
Compressor-Station OT Intrusion

An intruder gains access to OT at a remote compressor station and manipulates control logic, threatening safe operation. Tests CIRP response across the IT/OT boundary and critical-system identification.

CIRP OT/ICS IEC 62443
Freight Rail · Signaling
1580 — Freight Rail
Freight Rail Signaling System Compromise

A higher-risk freight railroad detects manipulation of dispatch and signaling OT, risking train movement safety. Exercises the CIRP, network segmentation response, and the CISA report.

1580 CIRP OT/ICS
Passenger Rail · OT
1582 — Passenger Rail
Passenger Rail Traction-Power OT Incident

A public transportation agency loses confidence in its traction-power and SCADA control systems mid-service. Exercises CIRP-driven service-continuity decisions and incident reporting to CISA.

1582 CIRP SCADA
Aviation · Airport OT
Aviation
Airport Baggage & Building-OT Disruption

An airport operator's baggage handling and building OT systems are disrupted by a cyber intrusion, threatening operations. Exercises the CIRP, critical-system identification, and CISA reporting.

Aviation CIRP OT/ICS
Cross-Mode · IT→OT Pivot
Segmentation
Transportation IT→OT Pivot

A compromise of the corporate IT network attempts to pivot into transportation OT. Exercises the segmentation controls, the IT/OT isolation decision, and the CIRP escalation the Security Directives require.

Segmentation CIRP IT/OT

Plus 300+ additional ICS/OT and enterprise scenarios spanning the transportation modes TSA regulates. Browse the full library →

Evidence Artifacts

Audit-Ready Documentation for TSA Security Directive Requirements

Every CyberICS exercise generates four categories of evidence supporting the CIRP exercise, CISA reporting, and assessment requirements of the cybersecurity Security Directives.

🎲
CIRP Exercise Record

Per-participant participation and completion roster for each annual Cybersecurity Incident Response Plan exercise — the retained record the SDs require.

CIRP · Annual Exercise
📧
CISA Incident-Report Drill

Timestamped log of a CISA reporting drill — who decided what, and how fast — demonstrating readiness to report within the 24-hour timeline.

Report to CISA
📊
Assessment Input

Gap and remediation findings from each exercise that feed the Cybersecurity Assessment Plan with dated, prioritized corrective actions.

CAP
📄
AI After Action Report

Structured AAR mapping response actions and gaps to SD requirements — the artifact proving the CIRP was exercised and what it surfaced.

AAR

Explore the Full Regulatory Toolkit Library

CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.

Ready to Turn Your CIRP Exercise into Demonstrable Readiness?

Start with a free 14-day trial — no credit card required. Or speak with our transportation security team about a standing CIRP exercise program for your pipeline, rail, or aviation operation.

Also explore: NIST SP 800-82 Toolkit  ·  CISA CPG Toolkit  ·  IEC 62443 Toolkit