Case Note: Seventh Circuit Affirms TSA’s Broad “Emergency” Rulemaking Authority
Indirect Air Carriers (IACs), Certified Cargo Screening Facilities (CCSFs), and other entities regulated by the Transportation Security Administration (TSA) operate within a complex framework intended to secure the nation’s transportation networks and prevent attacks on the United States. Many of these requirements are designated Sensitive Security Information (SSI) and shared only with those who have a “need to know.” While TSA often uses an informal notice‑and‑comment process when rolling out SSI‑classified regulations, the agency may bypass that process and issue new measures on an emergency basis when it identifies a new or evolving threat. These measures can take varied forms (e.g., Emergency Amendments, Security Directives), but the effect is the same: a new set of obligations adopted without an opportunity for stakeholders to comment on implementation costs or likely efficacy.
TSA’s emergency authority was recently tested in Grand Trunk Corporation & Illinois Central Railroad Company v. Transportation Security Administration, Nos. 24‑2109, 24‑2156, and 25‑2084 (7th Cir.). In that case, two railroads challenged a series of Security Directives addressing cybersecurity risks. The directives require certain railroads to implement Cybersecurity Implementation Plans (including network segmentation, continuous monitoring, and timely patching of Critical Cyber Systems) and to prepare Cybersecurity Assessment Plans with annual updates for TSA approval. TSA invoked its emergency‑procedures exemption and did not use notice‑and‑comment for these directives. In a related rulemaking, the agency has estimated the freight‑rail industry’s annual compliance cost could be about $100 million.
The railroads argued that an “ongoing threat” like cybersecurity risk cannot qualify as an “emergency,” which they framed as a “definite, unforeseen exigency that requires an immediate response.” In an opinion issued on August 21, 2025 (available here), the U.S. Court of Appeals for the Seventh Circuit rejected that theory and denied the petitions, holding that TSA’s enabling statute authorizes emergency action under a broader standard:
Under [49 U.S.C.] § 114(l)(2), … TSA ‘shall’ skip notice and comment, when TSA ‘determines’ that ‘immediate[]’ action is required ‘to protect transportation security.’ This standard defines the agency’s emergency authority and, in broad terms, imbues TSA with significant discretion to institute procedures to mitigate sophisticated and acute cybersecurity risks facing certain rail operations and freight railroads.
The court likewise rejected arguments that TSA had to conduct a cost‑benefit analysis before issuing the Security Directives, along with a challenge to TSA’s regulatory authority over the rail sector more generally.
Bottom line: The Seventh Circuit affirmed TSA’s broad authority to issue emergency measures without the notice‑and‑comment process where TSA credibly determines that immediate action is necessary to protect transportation security. Although the case arose in the rail context, the decision interprets 49 U.S.C. § 114(l)(2)—a statute that governs TSA generally—so stakeholders across TSA‑regulated modes (including IACs and CCSFs) should expect the agency to continue using emergency mechanisms when it perceives elevated threats. Scopelitis will be closely watching for any changes in the frequency or scope of TSA’s emergency actions following this decision.
News from Scopelitis is intended as a report to our clients and friends on developments affecting the transportation industry. The published material does not constitute an exhaustive legal study and should not be regarded or relied upon as individual legal advice or opinion.