The proposed rule would also require the disclosure of cyber incidents to the Cybersecurity and Infrastructure Security Agency and physical security concerns to the Transportation Security Administration.