View Rule

On July 28, 2021, the President issued the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.  Consistent with this priority of the Administration and in response to the ongoing cybersecurity threat to pipeline systems, TSA used its authority under 49 U.S.C. 114 to issue security directives to owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to implement a number of urgently needed protections against cyber intrusions.  The first directive, issued in May 2021, requires critical owner/operators to (1) Report confirmed and potential cybersecurity incidents to the Cybersecurity and Infrastructure Agency (CISA); (2) designate a Cybersecurity Coordinator to be available 24 hours a day, seven days a week; (3) review current cybersecurity practices; and (4) identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days of issuance of the SD.  A second security directive issued in July requires these owners and operators to (1) Implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems; (2) develop and implement a cybersecurity contingency and recovery plan; and (3) conduct a cybersecurity architecture design review. TSA is committed to enhancing and sustaining cybersecurity and intends to issue a rulemaking that will codify certain requirements with respect to pipeline and certain other surface modes.

Statement of Need:

This rulemaking is necessary to address the ongoing cybersecurity threat to U.S. transportation modes.

Anticipated Costs and Benefits:

TSA is in the process of determining the costs and benefits of this rulemaking.