The Federal Highway Administration (FHWA) within the U.S. Department of Transportation (DOT) announced this week that it is adopting the Cyber Security Evaluation Tool (CSET). The voluntary tool is designed to help transportation authorities identify, detect, protect against, respond to, and recover from cyber incidents.
The CSET provides a systematic, disciplined, and repeatable approach to evaluating an organization’s security posture. CSET is a desktop software tool that guides asset owners and operators through a step-by-step process to evaluate industrial control systems (ICS) and IT network security practices. Users can evaluate their cybersecurity stance using many recognized government and industry standards and recommendations.
In a notice published in the Federal Register, the FHWA noted that according to the Bipartisan Infrastructure Law (BIL), enacted as the Infrastructure Investment and Jobs Act, FHWA is required to develop a tool to assist transportation authorities in identifying, detecting, protecting against, responding to, and recovering from cyber incidents. Safety is the top priority of DOT and FHWA. The FHWA routinely works closely and collaboratively with Federal and State agencies whose primary missions revolve around securing critical transportation infrastructure.
Consistent with BIL, the FHWA requested comments on its notice proposing to adopt CSET. The FHWA received two comments, both of which supported FHWA’s proposal to adopt CSET as a voluntary cybersecurity tool. The FHWA appreciates the comments.
The FHWA provides subject matter expertise to those agencies in identifying potential physical and cybersecurity threats and appropriate mitigation efforts. When presented with physical or cybersecurity questions, concerns, or incidents from state, local, tribal, and territorial transportation authorities, or other stakeholders, FHWA routinely assists in connecting these entities to security-focused government agencies, including the Transportation Security Administration, the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation.
On March 5, 2024, FHWA published in the Federal Register a notice and request for comments proposing to adopt CISA’s CSET as a voluntary tool that transportation authorities can use to assist in identifying, detecting, protecting against, responding to, and recovering from cyber incidents.
The CISA’s cybersecurity mission is to defend and secure cyberspace by leading national efforts to drive national cyber defense, resilience of national critical functions, and a robust technology ecosystem. The FHWA therefore thinks it is appropriate to leverage CISA’s expertise instead of attempting to create a separate and potentially duplicative tool.
The CSET, developed by CISA, is a comprehensive software tool designed to assist organizations in assessing their cybersecurity posture and developing structured improvement programs. The CSET helps organizations evaluate their cybersecurity practices, identify vulnerabilities, and prioritize mitigation efforts by providing a systematic approach to assess cybersecurity controls and processes. It offers a range of modules and questionnaires tailored to different critical infrastructure sectors, making it a valuable resource for organizations seeking to enhance their cybersecurity resilience through an assessment and development program.
The CSET v12 includes the Incident Management Review (IMR) module, based on the principle that a resilient incident management function can improve an organization’s overall cyber resilience. The IMR consists of a series of questions, the answers to which provide insights into how an organization can improve its ability to identify, analyze, and respond to incidents in a repeatable manner.
Furthermore, under BIL and after reviewing the comments received, FHWA announces with this notice that FHWA adopts CISA’s CSET as a voluntary tool that transportation authorities can use to assist with cyber incidents.