DHS announces cybersecurity obligations for pipeline companies

The U.S. Department of Homeland Security (DHS) issued a security directive (Directive) that, for the first time, imposes mandatory cybersecurity requirements on companies in the pipeline industry. Through the Directive, which took effect on May 28, 2021, the Transportation Security Administration (TSA) is requiring owners and operators of pipelines deemed “critical” under section 1557(b) of the Implementing Recommendations of the 9/11 Commission Act of 2007 to undertake specified cybersecurity measures. This Directive is expected to be the first step in a broader effort to regulate cybersecurity for critical infrastructure.

The Directive requires owners and operators of critical pipelines to:

  • Immediately confirm receipt of the Directive by sending an email to the TSA;
  • By June 4, 2021, designate and provide contact information to the TSA for one primary and at least one alternate Cybersecurity Coordinator, who must be available 24 hours a day, 7 days a week to liaise with the TSA and the Cybersecurity and Infrastructure Security Administration (CISA) regarding incidents and cybersecurity-related activities and communications;
  • Assess the pipeline’s existing security measures against Section 7 of the TSA’s 2018 Pipeline Security Guidelines, identify any gaps, develop remediation measures, and submit a TSA assessment form to the TSA and the CISA by June 27, 2021; and
  • Notify CISA of “cybersecurity incidents” via the agency’s Reporting System form or by calling a CISA hotline as soon as practicable, but no later than 12 hours after an incident is identified. The Directive defines a “cybersecurity incident” broadly, including events that are “under investigation as a possible cybersecurity incident without successful determination of the event’s root cause or nature” that may affect the integrity, confidentiality, or availability of resources.

If an owner or operator is unable to implement these requirements, the Directive instructs them to immediately notify the TSA in writing, seek TSA approval of alternative cybersecurity measures, and provide the rationale for those alternative cybersecurity measures. Importantly, the TSA invites owners and operators of critical pipelines to submit feedback regarding these requirements, and the Directive suggests that the TSA may amend the Directive in response to such comments.

The Directive follows the Biden Administration’s Executive Order modernizing the federal government’s approach to cybersecurity, and it marks a fundamental shift in DHS’s approach to regulating pipeline cybersecurity. The TSA has long had authority to regulate pipeline security, but until now, compliance with its guidelines has largely been voluntary and collaborative. This Directive, spurred by the recent Colonial Pipeline ransomware attack, abandons the voluntary framework and replaces it with mandatory pipeline cybersecurity protections and protocols enforced by the DHS (through TSA and CISA). The TSA has been augmenting its cybersecurity personnel ranks, bolstering its regulatory attention to cyber issues, and improving its risk-assessment tools over the past two years in an effort to address the increasingly difficult challenge of enhancing overall cybersecurity preparedness for the pipeline sector.

Companies in the pipeline sector will want to continue monitoring developments associated with the Directive and should consider whether to provide input to the TSA through the feedback process described above. Hogan Lovells' cross-practice cybersecurity policy and compliance team stands ready to assist you in complying with all aspects of this Directive as questions arise regarding its impact over the coming weeks and months.

 

Authored by Mark Brennan, Andrew Lillie, Stefan Krantz, Pete Marta, Jessica Black Livingston, Jonathan Hirsch, and Erik Lampmann.

Katherine Kramer, a Summer Associate in our Washington, D.C. office, contributed to this entry.
