On Friday, July 23, 2022, the Transportation Security Administration (TSA) issued Security Directive Pipeline 2021-02C (SD-02C). SD-02C has three main components and takes effect on July 27, 2022.
SD-02C focuses on performance-based – rather than prescriptive – measures to achieve TSA’s identified cybersecurity outcomes (i.e., TSA does not mandate the specific mechanisms to achieve the outcomes). SD-02C’s key elements are summarized below:
- Affected pipeline operators are those notified by TSA that their pipeline system or facility is critical. In other words, the same pipeline operators that have been implementing TSA’s previous Security Directives since mid-2021 must now implement SD-02C.
- In pertinent part, SD-02C requires affected operators to: (1) develop and implement a TSA-approved Cybersecurity Implementation Plan; (2) establish a Cybersecurity Incident Response Plan; and (3) implement a Cybersecurity Assessment Program.
- Affected operators must submit a Cybersecurity Implementation Plan to TSA for approval no later than October 25, 2022 (i.e., 90 days from the July 27, 2022 effective date). Once TSA approves an affected operator’s Cybersecurity Implementation Plan, TSA will inspect against it to determine compliance.
- Affected operators must develop and submit a Cybersecurity Assessment Program to TSA no later than 60 days from the date that TSA approves the operator’s Cybersecurity Implementation Plan.
- SD-02C supersedes previously issued Security Directives but affected operators must continue to implement Security Directive 2021-02B until a Cybersecurity Implementation Plan is submitted to, and approved by, TSA.