The Department of Homeland Security and the Department of Transportation are designated as the Co-Sector-Specific Agencies for the Transportation Systems Sector. The nation's transportation system quickly, safely, and securely moves people and goods through the country and overseas.
The Transportation Systems Sector consists of seven key subsectors, or modes:
- Aviation includes aircraft, air traffic control systems, and about 19,700 airports, heliports, and landing strips. Approximately 500 provide commercial aviation services at civil and joint-use military airports, heliports, and sea plane bases. In addition, the aviation mode includes commercial and recreational aircraft (manned and unmanned) and a wide-variety of support services, such as aircraft repair stations, fueling facilities, navigation aids, and flight schools.
- Highway and Motor Carrier encompasses more than 4 million miles of roadway, more than 600,000 bridges, and more than 350 tunnels. Vehicles include trucks, including those carrying hazardous materials; other commercial vehicles, including commercial motorcoaches and school buses; vehicle and driver licensing systems; traffic management systems; and cyber systems used for operational management.
- Maritime Transportation System consists of about 95,000 miles of coastline, 361 ports, more than 25,000 miles of waterways, and intermodal landside connections that allow the various modes of transportation to move people and goods to, from, and on the water.
- Mass Transit and Passenger Rail includes terminals, operational systems, and supporting infrastructure for passenger services by transit buses, trolleybuses, monorail, heavy rail—also known as subways or metros—light rail, passenger rail, and vanpool/rideshare. Public transportation and passenger rail operations provided an estimated 10.8 billion passenger trips in 2014.
- Pipeline Systems consist of more than 2.5 million miles of pipelines spanning the country and carrying nearly all of the nation's natural gas and about 65 percent of hazardous liquids, as well as various chemicals. Above-ground assets, such as compressor stations and pumping stations, are also included.
- Freight Rail consists of seven major carriers, hundreds of smaller railroads, over 138,000 miles of active railroad, over 1.33 million freight cars, and approximately 20,000 locomotives. An estimated 12,000 trains operate daily. The Department of Defense has designated 30,000 miles of track and structure as critical to mobilization and resupply of U.S. forces.
- Postal and Shipping moves about 720 million letters and packages each day and includes large integrated carriers, regional and local courier services, mail services, mail management firms, and chartered and delivery services.
The Transportation Systems Sector-Specific Plan details how the National Infrastructure Protection Plan risk management framework is implemented within the context of the unique characteristics and risk landscape of the sector. Each Sector-Specific Agency develops a sector-specific plan through a coordinated effort involving its public and private sector partners. The Postal and Shipping Sector was consolidated within the Transportation Systems Sector in 2013 under Presidential Policy Directive 21. The Department of Homeland Security and the Department of Transportation are designated as the Co-Sector-Specific Agencies for the Transportation Systems Sector.
Sector Cybersecurity Framework Implementation Guidance
The Transportation Systems Sector Cybersecurity Framework Implementation Guidance and its companion workbook provide an approach for Transportation Systems Sector owners and operators to apply the tenets of the National Institute of Standards and Technology Cybersecurity Framework to help reduce cyber risks. Specifically, organizations may use the implementation guidance to:
- Characterize their current cybersecurity posture.
- Identify opportunities for enhancing existing cyber risk management programs.
- Find existing tools, standards, and guides to support Framework implementation.
- Communicate their risk management issues to internal and external stakeholders.
Organizations that lack a formal cybersecurity risk management program could use the guidance to establish risk-based cyber priorities.