[Federal Register Volume 89, Number 77 (Friday, April 19, 2024)]
[Rules and Regulations]
[Pages 28570-28572]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-08393]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

6 CFR Chapter I

49 CFR Chapter XII


Ratification of Security Directives

AGENCY: Office of Strategy, Policy, and Plans, Department of Homeland 
Security (DHS).

ACTION: Notice of ratification of security directives.

-----------------------------------------------------------------------

SUMMARY: The Department of Homeland Security (DHS) is publishing 
official notice that the Transportation Security Oversight Board (TSOB) 
ratified Transportation Security Administration (TSA) Security 
Directive Pipeline-2021-01C and Security Directive Pipeline-2021-02D, 
applicable to owners and operators of critical hazardous liquid and 
natural gas pipeline infrastructure (owner/operators). Security 
Directive Pipeline-2021-01C, issued on May 22, 2023, extended the 
requirements of the Security Directive Pipeline-2021-01 series for an 
additional year. Security Directive Pipeline-2021-02D, issued on July 
26, 2023, extended the requirements of the Security Directive Pipeline-
2021-02 series for an additional year and amended them to strengthen 
their effectiveness and address emerging cyber threats.

DATES: The TSOB ratified Security Directive Pipeline-2021-01C on June 
21, 2023, and Security Directive Pipeline-2021-02D on August 24, 2023.

FOR FURTHER INFORMATION CONTACT: Thomas McDermott, Deputy Assistant 
Secretary for Cyber, Infrastructure, Risk and Resilience Policy, at 
202-834-5803 or [email protected].

SUPPLEMENTARY INFORMATION:

I. Background

A. Cybersecurity Threat

    The cyber threat to the country's critical infrastructure has only 
increased in the time since TSA issued its initial cybersecurity-
related security directive (Security Directive Pipeline-2021-01) in 
response to the Colonial Pipeline incident. Cyber threats to surface 
transportation systems, including pipelines, continue to proliferate, 
as both nation-states and criminal cyber groups continue to target 
critical infrastructure in order to cause operational disruption and 
economic harm.\1\ Cyber incidents, particularly ransomware attacks, are 
likely to increase in the near and long term, due in part to 
vulnerabilities identified by threat actors in U.S. networks.\2\ 
Particularly in light of the ongoing Russia-Ukraine conflict,\3\ these 
threats remain elevated and pose a risk to the national and economic 
security of the United States.
---------------------------------------------------------------------------

    \1\ Annual Threat Assessment of the U.S. Intelligence Community, 
Office of the Director of National Intelligence, 10, 15 (February 
2023); Press Release 23-530, Justice Department Announces Court-
Authorized Disruption of Snake Malware Network Controlled by 
Russia's Federal Security Service, Department of Justice, issued on 
May 9, 2023, available at https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled; Joint Cybersecurity Advisory (AA23-144a), 
People's Republic of China State-Sponsored Cyber Actor Living off 
the Land to Evade Detection, released by CISA on May 24, 2023.
    \2\ Alert (AA22-040A), 2021 Trends Show Increased Globalized 
Threat of Ransomware, released by CISA on February 10, 2022 (as 
revised).
    \3\ Joint Cybersecurity Alert--Alert (AA22-011A), Understanding 
and Mitigating Russian State-Sponsored Cyber Threats to U.S. 
Critical Infrastructure, released by CISA, the Federal Bureau of 
Investigation (FBI), and the National Security Agency (NSA) on 
January 11, 2022 (as revised); Joint Cybersecurity Alert--Alert 
(AA22-110A), Russian State-Sponsored and Criminal Cyber Threats to 
Critical Infrastructure, released cybersecurity authorities of the 
United States, Australia, Canada, New Zealand, and the United 
Kingdom on April 20, 2022 (as revised).
---------------------------------------------------------------------------

B. Security Directive Pipeline-2021-01C

    On May 27, 2021, TSA issued Security Directive Pipeline-2021-01, 
which was the first of two security directives issued by TSA to enhance 
the cybersecurity of critical pipeline systems in response to the 
Colonial Pipeline attack on May 7, 2021. Security Directive Pipeline-
2021-01, and the subsequent amendments in this series, required covered 
owner/operators to: (1) report cybersecurity incidents to CISA; (2) 
appoint a cybersecurity coordinator to be available 24/7 to coordinate 
with TSA and CISA; and (3) conduct a self-assessment of cybersecurity 
practices, identify any gaps, and develop a plan and timeline for 
remediation.\4\ This first security directive went into effect on May 
28, 2021, was ratified by the TSOB on July 3, 2021, and was set to 
expire on May 28, 2022.\5\
---------------------------------------------------------------------------

    \4\ Security Directive Pipeline-2021-01: Enhancing Pipeline 
Cybersecurity.
    \5\ 86 FR 38209.
---------------------------------------------------------------------------

    On December 2, 2021, TSA issued Security Directive Pipeline-2021-
01A, amending Security Directive Pipeline-2021-01, to update the 
definition of cybersecurity incident covered by the directive's 
reporting requirement and align it with the definition applicable to 
the other modes.\6\ The TSOB ratified Security Directive Pipeline-2021-
01A on December 29, 2021.\7\ Security Directive Pipeline-2021-01, as 
amended by Security Directive Pipeline-2021-01A, was set to expire May 
28, 2022. On May 27, 2022, TSA issued Security Directive Pipeline-2021-
01B to extend the requirements of Security Directive Pipeline-2021-01A 
for an additional year.\8\ Security Directive Pipeline-2021-01B became 
effective May 29, 2022 and was set to expire on May 29, 2023. The TSOB 
ratified Security Directive Pipeline-2021-01B on June 24, 2021.\9\
---------------------------------------------------------------------------

    \6\ During TSA's development of cybersecurity actions applicable 
to other transportation modes, TSA made a determination to modify 
the definition of cybersecurity incident it had used in the first 
security directive following industry input and consultation with 
DHS cybersecurity experts.
    \7\ 87 FR 31093.
    \8\ 88 FR 36919. Security Directive Pipeline-2021-01B also 
extended the deadline by which cybersecurity incidents must be 
reported to CISA from 12 hours to 24 hours after an incident is 
identified. This change aligned the reporting timeline for critical 
pipeline entities to mirror the reporting requirements applicable to 
other surface transportation entities and aviation entities.
    \9\ Id.
---------------------------------------------------------------------------

    In light of the continuing threat, TSA determined that the measures 
required by the Security Directive Pipeline-2021-01, as amended and 
extended by Security Directive Pipeline-2021-01A and Security Directive 
Pipeline-2021-01B, remain necessary to protect the Nation's critical 
pipeline infrastructure beyond Security Directive Pipeline-2021-01B's 
expiration date of May 29, 2023. On May 22, 2023, TSA issued Security 
Directive Pipeline-2021-01C to extend the requirements of Security 
Directive Pipeline-2021-01B for an additional year. Security Directive 
Pipeline-2021-01C became effective May 29, 2023 and expires on May 29, 
2024. Security Directive Pipeline-2021-01C contains no substantive 
changes from Security Directive Pipeline-2021-01B. Security Directive 
Pipeline-2021-01C is available online in TSA's Surface Transportation 
Cybersecurity Toolkit.\10\
---------------------------------------------------------------------------

    \10\ TSA Surface Transportation Cybersecurity Toolkit, available 
at https://www.tsa.gov/for-industry/surface-transportation-cybersecurity-toolkit.
---------------------------------------------------------------------------

C. Security Directive Pipeline-2021-02D

    On July 19, 2021, TSA issued Security Directive Pipeline-2021-02, 
the second security directive TSA issued in response to the attack on 
Colonial Pipeline. This directive required owner/operators to implement 
additional

[[Page 28571]]

cybersecurity measures to prevent disruption and degradation to their 
infrastructure in response to the ongoing threat, including a number of 
specific, prescribed mitigation measures.\11\ On December 17, 2021, TSA 
issued Security Directive Pipeline-2021-02B, revising Security 
Directive Pipeline-2021-02 to provide additional flexibility to owner/
operators in complying with certain requirements. The TSOB ratified 
Security Directive Pipeline-2021-02B on January 13, 2022.\12\
---------------------------------------------------------------------------

    \11\ Security Directive Pipeline-2021-02 became effective on 
July 26, 2021, and was ratified by the TSOB on August 17, 2021.
    \12\ See 87 FR 31093 (May 23, 2022).
---------------------------------------------------------------------------

    On July 21, 2022, TSA issued Security Directive Pipeline-2021-02C, 
transitioning the requirements of the previous versions in the series 
to be more performance-based and less prescriptive. The performance-
based approach enhanced security by mandating that critical security 
outcomes are achieved while allowing owner/operators to choose the most 
appropriate security measures for their specific systems and 
operations. The directive became effective on July 27, 2022, and was 
set to expire on July 27, 2023. The TSOB ratified Security Directive 
Pipeline-2021-02C on August 19, 2022.\13\
---------------------------------------------------------------------------

    \13\ See 88 FR 36919 (May 6, 2023). The TSOB also authorized TSA 
to extend Security Directive Pipeline-2021-02C beyond its expiration 
date of July 27, 2023, subject to certain conditions, including that 
such an extension would make no changes other than the extension of 
the expiration date.
---------------------------------------------------------------------------

    Security Directive Pipeline-2021-02C identified critical security 
outcomes that covered parties must achieve. To ensure that these 
outcomes are met, the directive requires owner/operators to:
     Establish and implement a TSA-approved Cybersecurity 
Implementation Plan (CIP) that describes the specific cybersecurity 
measures employed and the schedule for achieving the security outcomes 
identified;
     Develop and maintain an up-to-date Cybersecurity Incident 
Response Plan (CIRP) to reduce the risk of operational disruption, or 
the risk of other significant impacts on necessary capacity, as defined 
in the directive, should the Information and/or Operational Technology 
systems of a gas or liquid pipeline be affected by a cybersecurity 
incident; and
     Establish a Cybersecurity Assessment Program (CAP) and 
submit an annual plan that describes how the owner/operator will 
proactively and regularly assess the effectiveness of cybersecurity 
measures and identify and resolve device, network, and/or system 
vulnerabilities.
    In light of the continuing threat, TSA issued Security Directive 
Pipeline-2021-02D on July 26, 2023, extending the requirements of 
Security Directive Pipeline-2021-02C for an additional year. The 
directive became effective on July 27, 2023, and expires on July 27, 
2024.
    In addition to extending the performance-based requirements, 
Security Directive Pipeline-2021-02D includes several revisions 
intended to strengthen the effectiveness of the directive's 
requirements and allow greater ability to respond to changing threats. 
Security Directive Pipeline-2021-02D modified the requirements related 
to CIRPS and CAPS to provide greater clarity and strengthen their 
effectiveness and to ensure the provisions related to defining Critical 
Cyber Systems allow flexibility to respond to emerging and evolving 
threats. The security directive also contains several other 
clarifications and refinements of the existing requirements. The 
revisions contained in the directive were made following engagement 
with covered entities and in consultation with federal partners. 
Security Directive Pipeline-2021-02D is available online in TSA's 
Surface Transportation Cybersecurity Toolkit.\14\
---------------------------------------------------------------------------

    \14\ TSA Surface Transportation Cybersecurity Toolkit, available 
at https://www.tsa.gov/for-industry/surface-transportation-cybersecurity-toolkit.
---------------------------------------------------------------------------

II. TSOB Ratification

    TSA has broad statutory responsibility and authority to safeguard 
the nation's transportation system.\15\ The TSOB--a body consisting of 
the Secretary of Homeland Security, the Secretary of Transportation, 
the Attorney General, the Secretary of Defense, the Secretary of the 
Treasury, the Director of National Intelligence, or their designees, 
and a representative of the National Security Council--reviews certain 
TSA regulations and security directives as consistent with law.\16\ TSA 
issued Security Directive Pipeline-2021-01C and Security Directive 
Pipeline-2021-02D under 49 U.S.C. 114(l)(2)(A), which authorizes TSA to 
issue emergency regulations or security directives without providing 
notice or the opportunity for public comment where ``the Administrator 
determines that a regulation or security directive must be issued 
immediately in order to protect transportation security.'' Security 
directives issued pursuant to the procedures in 49 U.S.C. 114(l)(2) 
``shall remain effective for a period not to exceed 90 days unless 
ratified or disapproved by the Board or rescinded by the 
Administrator.'' \17\
---------------------------------------------------------------------------

    \15\ See, e.g., 49 U.S.C. 114(d), (f), (l), (m).
    \16\ See, e.g., 49 U.S.C. 115; 49 U.S.C. 114(l)(2)(B).
    \17\ 49 U.S.C. 114(l)(2)(B).
---------------------------------------------------------------------------

    Following the issuance of Security Directive Pipeline-2021-01C on 
May 22, 2023, the chair of the TSOB convened the board to review the 
directive. In reviewing Security Directive Pipeline-2021-01C, the TSOB 
reviewed the required measures extended by the directive and the 
continuing need for TSA to maintain these requirements pursuant to its 
emergency authority under 49 U.S.C. 114(1)(2) to prevent the disruption 
and degradation of the country's critical transportation 
infrastructure. The TSOB also considered whether to authorize TSA to 
extend the security directive beyond its current expiration date of May 
29, 2024, subject to certain conditions, should the TSA Administrator 
believe such an extension is necessary to address the evolving threat 
that may continue beyond the original expiration date.
    Following its review, the TSOB ratified Security Directive 
Pipeline-2021-01C on June 21, 2023. The TSOB also authorized TSA to 
extend the security directive beyond its current expiration date, 
should the TSA Administrator determine such an extension is necessary 
to address the evolving threat that may continue beyond the original 
expiration date. Such an extension is subject to the following 
conditions: (1) there are no changes to the security directive other 
than an extended expiration date; (2) the TSA Administrator makes an 
affirmative determination that conditions warrant the extension of the 
directive's requirements; and (3) the TSA Administrator documents such 
a determination and notifies the TSOB.
    After TSA issued Security Directive Pipeline-2021-02D on July 26, 
2023, the chair of the TSOB again convened the board to review that 
directive. In reviewing Security Directive Pipeline-2021-02D, the TSOB 
reviewed the amended required measures extended by the directive as 
well as the continuing need for TSA to maintain these requirements 
pursuant to its emergency authority under 49 U.S.C. 114(l)(2) to 
protect critical transportation infrastructure. Again, the TSOB also 
considered whether to authorize TSA to extend Security Directive 
Pipeline-2021-02D beyond its current expiration date of July 27, 2024, 
subject to the same conditions, should the TSA Administrator believe 
such an extension is necessary to address the threat.

[[Page 28572]]

    The TSOB ratified Security Directive Pipeline-2021-02D on August 
24, 2023. The TSOB also authorized TSA to extend the security directive 
beyond its current expiration date, should the TSA Administrator 
determine such an extension is necessary to address the evolving threat 
that may continue beyond the original expiration date. Such an 
extension is subject to the following conditions: (1) there are no 
changes to the security directive other than an extended expiration 
date; (2) the TSA Administrator makes an affirmative determination that 
conditions warrant the extension of the directive's requirements; and 
(3) the TSA Administrator documents such a determination and notifies 
the TSOB.

Kristie Canegallo,
Senior Official Performing the Duties of the Deputy Secretary & 
Chairman of the Transportation Security Oversight Board.
[FR Doc. 2024-08393 Filed 4-18-24; 8:45 am]
BILLING CODE 9110-9M-P