The U.S. Department of Homeland Security (DHS) issued a security directive (Directive) that, for the first time, imposes mandatory cybersecurity requirements on companies in the pipeline industry. Through the Directive, which took effect on May 28, 2021, the Transportation Security Administration (TSA) requires owners and operators of pipelines deemed “critical” under section 1557(b) of the Implementing Recommendations of the 9/11 Commission Act of 2007 to undertake specified cybersecurity measures. This Directive is expected to be the first step in a broader effort to regulate cybersecurity for critical infrastructure.
The Directive requires owners and operators of critical pipelines to:
If an owner or operator is unable to implement these requirements, the Directive instructs them to immediately notify the TSA in writing, seek TSA approval of alternative cybersecurity measures, and provide the rationale for those alternative cybersecurity measures. Importantly, the TSA invites owners and operators of critical pipelines to submit feedback regarding these requirements, and the Directive suggests that the TSA may amend the Directive in response to such comments.
The Directive follows the Biden Administration’s Executive Order modernizing the federal government’s approach to cybersecurity, and it marks a fundamental shift in DHS’s approach to regulating pipeline cybersecurity. The TSA has long had authority to regulate pipeline security, but until now, compliance with its guidelines has largely been voluntary and collaborative. This Directive, spurred by the recent Colonial Pipeline ransomware attack, abandons the voluntary framework and replaces it with mandatory pipeline cybersecurity protections and protocols enforced by the DHS (through TSA and CISA). The TSA has been augmenting its cybersecurity personnel ranks, bolstering its regulatory attention to cyber issues, and improving its risk-assessment tools over the past two years in an effort to address the increasingly difficult challenge of enhancing overall cybersecurity preparedness for the pipeline sector.
Companies in the pipeline sector will want to continue monitoring developments associated with the Directive and should consider whether to provide input to the TSA through the feedback process described above. Hogan Lovells' cross-practice cybersecurity policy and compliance team stands ready to assist you in complying with all aspects of this Directive as questions arise regarding its impact over the coming weeks and months.
Authored by Mark Brennan, Andrew Lillie, Stefan Krantz, Pete Marta, Jessica Black Livingston, Jonathan Hirsch, and Erik Lampmann.
Katherine Kramer, a Summer Associate in our Washington, D.C. office, contributed to this entry.