News

DHS Semiannual Regulatory Agenda

The Department of Homeland Security (DHS) published its Semiannual Regulatory Agenda on July 30, 2021, which included proposed actions related to the Ammonium Nitrate Security Program and the Chemical Facility Anti-Terrorism Standards (CFATS).

Ammonium Nitrate Security Program

DHS’s Cybersecurity and Infrastructure Security Agency (CISA) proposed a rulemaking to implement the December 2007 amendment to the Homeland Security Act titled “Secure Handling of Ammonium Nitrate.” The amendment requires DHS to “regulate the sale and transfer of ammonium nitrate by an ammonium nitrate facility . . . to prevent the misappropriation or use of ammonium nitrate in an act of terrorism.” CISA previously issued a Notice of Proposed Rulemaking (NPRM) on August 3, 2011, and CISA is planning to issue a Supplemental NPRM in November 2021.

CFATS

Taking into consideration the comments received during the August 2014 Advance NPRM regarding potential revisions to the CFATS regulations, CISA has determined to limit the scope of its next CFATS rulemaking to improving Appendix A to the CFATS regulations and addressing concerns with release-flammable security issues. Additionally, in June 2020, CISA published a notice announcing the availability of a retrospective analysis of the data, assumptions, and methodology that were used to support the 2007 CFATS interim final rule and provided the public an opportunity to provide comment. CISA is reviewing the comments received on the retrospective analysis and determining the next appropriate step for this rulemaking.

TSA Issues Additional Cybersecurity Requirements for Critical Pipeline Owners and Operators

The Transportation Security Administration (TSA) announced the issuance of a Second Security Directive that requires owners and operators of TSA-designated critical pipelines to: (1) implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems; (2) develop and implement a cybersecurity contingency and recovery plan; and (3) conduct a cybersecurity architecture design review.   

A few hours after announcing its issuance, TSA began notifying affected companies of the requirement to comply with the Second Security Directive by the effective date. Deadlines for required actions range from 30-180 days. TSA indicated that it would host calls with affected parties to discuss specific requirements after the Second Security Directive’s publication. The Second Security Directive is considered Sensitive Security Information (SSI), which will limit its distribution in some regard.

In May 2021, TSA issued an Initial Security Directive that requires critical pipeline owners and operators to: (1) report confirmed and potential cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA); (2) designate a Cybersecurity Coordinator to be available 24 hours a day, seven days a week; (3) review current practices; and (4) identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.

DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators

The Department of Homeland Security’s Transportation Security Administration (TSA) announced a new Security Directive that will require critical pipeline owners and operators to:

• Report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA);

• Designate a Cybersecurity Coordinator that must be available 24 hours a day, seven days a week; and

• Review their current practices and identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.

TSA is also considering follow-on mandatory cybersecurity measures for the pipeline industry.

Potential CFATS Appendix A Revisions

The Department of Homeland Security (DHS) released its unified agenda in Federal Register on March 31, 2021, stating that one of its rulemaking priorities was “improving Appendix A” to the Chemical Facility Anti-Terrorism Standards (CFATS) regulations and addressing “concerns with release-flammable security issues.”

Industry stakeholders, including the International Liquid Terminals Association (ILTA), anticipate this rulemaking likely applies to the inclusion of gasoline, diesel, and other fuel mixes in Appendix A, which the Cybersecurity & Infrastructure Security Agency (CISA) has not enforced to date.

CFATS Information Collection Request

On March 23, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) published a 60-day notice in the Federal Register soliciting public comment on revisions to an Information Collection Request (ICR) relating to various efforts under the CFATS program – including tiering redeterminations, compliance assistance, and verifying Top-Screen information associated with the sale of a facility or the removal of a Chemical of Interest (COI).

In this Federal Register notice, CISA is requesting approval to continue the collection of information to support these efforts, as well as a clearer description of the scope of each instrument. CISA is not proposing changes to the scope of what information is collected. The ICR in question was approved for a three-year period in December 2018 and is set to expire in December 2021.

Online TWIC Renewals

The Transportation Security Administration (TSA) has sent proposed revisions to the Transportation Worker Identification Credential (TWIC) program to the Office of Management and Budget (OMB) for review and approval.

Among other revisions related to Merchant Mariners, TSA is implementing an online renewal capability for applicants who previously maintained an active TWIC. According to TSA, approximately 60% of active TWIC cardholders enroll for a new TWIC after the initial five-year expiration date. TSA believes online TWIC renewals will reduce cost and processing time by permitting eligible applicants to obtain a new TWIC without enrolling in-person at a TSA enrollment center. Accordingly, the renewal fee for TWIC will decrease with the implementation of online renewals.

TSA is accepting comments on the proposed revisions until March 26, 2021.