Developing a Replicable, Group-Based Cybersecurity Assessment Methodology for Small and Rural Transit Operators

Despite years of education and advocacy, increased availability of free training and resources, increased funding availability, and new requirements for cybersecurity programs as a prerequisite for new federal discretionary grants or insurance, the gap in cyber resilience between small to mid-sized transit agencies and their larger counterparts continues to grow. Agencies continue to struggle not due to a lack of commitment but because of limited funding, insufficient expertise, and a clear regulatory mandate.

This project responds to this gap by developing a new approach to conducting National Institute of Standards and Technology (NIST)-based Cyber Resilience Reviews (CRR) for small and rural transit agencies. Unlike traditional individual assessments, this project will develop a group-based methodology that fosters shared learning and collective improvement to minimize shared vulnerabilities and risk among similar transit authorities.

U.S. DOT Priorities

The primary objective of this project is to strengthen the cyber resilience of small and rural transit agencies by developing a replicable, innovative, collaborative approach to conducting NIST CRR-based cybersecurity assessments. By conducting these assessments in group settings rather than individually, this project seeks to foster a culture of shared learning and best practices, benchmarking among peer agencies, and collective progress towards overall industry resiliency. Doing so aligns with the U.S. DOT objectives of protecting critical infrastructure, advancing global competitiveness, and enhancing economic strength. All sectors of critical infrastructure must be equally secure to ensure that “every community can connect to the people, places, and opportunities that make their lives meaningful.”

Principal Investigator: 
Scott Belcher
PI Contact Information: 

scottfbelcher@gmail.com

MTI Research Associate

Funding Source(s) and Amounts Provided (by each agency or organization): 

Federal: $100,035; Non-Federal: $0

Total Project Cost: 
$100,035
Agency ID or Contract Number: 
69A3552348328
Dates: 
February 2025 to April 2026
Implementation of Research Outcomes: 

To achieve the goal of enhancing cyber resilience among small and rural transit agencies, this project will employ a comprehensive, multi-step approach that leverages strategic collaborations and innovative assessment methodologies. Central to this approach is Cybrbase XRM, a NIST CRR-based cybersecurity assessment tool specifically designed to help transit agencies measure, optimize, and effectively communicate the maturity of their cybersecurity programs. Cybrbase XRM is a logical extension of the Federal Transit Administration’s Cybersecurity Assessment Tool for Transit (CATT), in that it moves from a static tool to a SaaS-based platform that allows for tracking progress from one assessment to the next. It combines an intuitive online assessment interface with peer benchmarking, risk-based prioritization, and long-term tracking capabilities, empowering agencies to make data-driven decisions for cybersecurity investments.

This project will develop a replicable model to baseline current cyber maturity, foster shared learning, and provide practical pathways to continuous improvement that drive down the costs of cybersecurity assessments. The following outlines the key components of our proposed methods:

The Project Team will engage Quad Cities MetroLINK, Illinois DOT, four additional transit agencies, the Community Transportation Association of America (CTAA), the National Rural Transit Assistance Program (National RTAP), and/or the American Public Transportation Association (APTA). These organizations will help to enhance and promote this new cohort-based approach for cybersecurity assessments.

Impacts/Benefits of Implementation: 

This project will develop and implement a replicable, group-based cybersecurity assessment methodology for small and rural transit operators. This approach has the potential to increase the number of small and rural agencies conducting cybersecurity assessments by driving down their costs and providing them the comfort of engaging in the process with their peers. Currently, many agencies do not initiate this foundational cybersecurity practice because they lack both the financial and technical resources to do so. Ideally, this approach will help overcome both. If successful, state departments of transportation, state transit associations, transit risk pools, and other organizations supporting small and rural transit organizations will provide such programs for their members, and the cybersecurity posture of this segment of critical infrastructure will be improved.

Project Number: 
2512
