Cybersecurity Assessment Tool for Transit (CATT)
In 2021, the FTA awarded the Rock Island County Metropolitan Mass Transit District (MetroLINK) a grant to develop a cybersecurity assessment tool to assess its cyber posture as part of FTA’s Public Transportation COVID-19 Research Demonstration Grant Program. MetroLINK recently developed the Cybersecurity Assessment Tool for Transit (CATT), which assists public transit agencies in formalizing and developing their cybersecurity program. The CATT and supporting documents were developed to assist MetroLINK and other small and mid-sized transit agencies in assessing their cyber preparedness and resilience. The goal of the tool is to help public transit organizations develop and strengthen their cybersecurity programs in order to identify risks and prioritize activities to mitigate them.
The COVID-19 pandemic forced agencies to change how they operated, bringing in new technologies to manage critical operations and to facilitate remote work, many of which exponentially increased the number of threat vectors. In parallel, cyberattacks and network intrusions continue to proliferate. Recent incidents demonstrate that even small and mid-sized transit agencies are vulnerable to system disruptions due to cyberattacks. Prior to this project, no cybersecurity assessment tools had been developed specifically for the unique context and conditions faced by transit agencies.
MetroLINK engaged Max Cybersecurity and Grayline Group to help them develop, promote, and distribute these materials within the industry. MetroLINK worked closely with the project team to demonstrate the assessment concepts, iterate, and refine the tool in cooperation with the FTA.
CATT Self-Assessment Package
Note: Adobe Acrobat Reader is required to access and use the tool. The tool will not work correctly in Apple's Preview application or other applications that can open basic PDFs.
To begin, download the CATT Self-Assessment Package. This includes the assessment form, as well as detailed guidance for review following the assessment.
The form should be completed in a group setting, with leadership from each of your key departments across the organization represented. It should not be completed solely by your technology team, as cybersecurity is a whole-of-organization endeavor. The discussions the assessment prompts are a key value of the exercise, as they help the organization understand and align on its current status regarding cyber risk.
The tool is designed to be understandable by those not well versed in the language of cybersecurity. Definitions are provided for key words to ensure the broad group at the table is clear on the intent of each question. You may designate a facilitator from within your organization to lead the discussion, or you can hire an outside cybersecurity facilitator to assist, should resources allow.
The form will take approximately a full day to complete, given the discussions that occur. However, it is feasible to break up the completion of the form into multiple (shorter) meetings, should you prefer.
Once the form is completed, it is also important to provide time with the same group to review the findings and guidance of the resulting report. An outcome of this discussion should be an action plan documenting the next steps the organization plans to take to address any identified shortcomings. This should also facilitate productive and useful discussion among the team as to how to move forward on filling any gaps identified.