Since our previous Regulatory Update entitled “Federal Regulatory Response to Colonial Pipeline Ransomware Attack Is Starting,” the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) formally issued its previously announced Security Directive Pipeline-2021-01 on May 28, 2021.  The provisions of this directive are applicable to the TSA-identified 100 most critical pipeline companies. 

The TSA directive provides details on reporting requirements and associated deadlines for the applicable pipeline companies, which are highlighted below:

  • Immediately confirm to TSA receipt of the directive and disseminate the directive to corporate leadership and security personnel.
  • Within seven days of issuance of the directive provide TSA with contact information for the primary and alternate Cybersecurity Coordinator, and confirm that they are U.S. citizens.
  • Within 30 days of issuance of the directive provide TSA with the required vulnerability assessment report.
  • Outlines cybersecurity incident reporting requirements that must be submitted to TSA within 12 hours after a cybersecurity incident is identified.

As stated in our previous Regulatory Update, it is expected that TSA will issue proposed cybersecurity standards/requirements in the coming weeks.

The TSA Security Directive Pipeline-2021-01 is available here.

For more information, please contact Kristen Connolly McCullough, Barry Lawson, or Ellen Hill.

June 2, 2021