TSA revises information collection for pipeline security reviews, security directives under OMB assessment

The U.S. Department of Homeland Security (DHS) announced that its Transportation Security Administration (TSA) division has revised an Information Collection Request (ICR) now before the Office of Management and Budget (OMB). The request calls for review and approval of a revision of the currently approved collection under the Paperwork Reduction Act (PRA), relating to corporate security reviews and security directives applicable to pipeline owners and operators.

In a recent Federal Register notice, the TSA said that the information collection combines the agency’s voluntary Pipeline Corporate Security Review (PCSR) program with the mandatory requirements under the TSA Security Directive (SD) Pipeline-2021-02 series. Additionally, the collection allows the TSA to assess the current security practices in the pipeline industry through TSA’s PCSR program, which is part of the larger domain awareness, prevention, and protection program supporting the missions of the TSA and the DHS. Furthermore, the information collection allows for the continued institution of mandatory cybersecurity requirements under the TSA SD Pipeline-2021-02 series.

The updated ICR reflects changes to collection requirements based on TSA’s update to the SD Pipeline-2021-02 series, released last July.

The TSA has historically assessed industry security practices through its voluntary PCSR program, during which the agency discusses an owner’s/operator’s corporate security planning and the entries made by the owner/operator on the PCSR Form. The PCSR Form includes 150 questions concerning the owner’s/operator’s corporate level security planning, covering security topics such as physical security, vulnerability assessments, training, and emergency communications. 

“TSA uses the information collected during the PCSR process to determine baseline security standards, potential areas of security vulnerability, and industry ‘smart’ practices throughout the pipeline mode,” the notice said. “While the PCSR collection supports security plans and processes, TSA has issued the security directives with mandatory requirements in order to mitigate specific security concerns posed by current threats to national security,” it added. 

The TSA solicits comments by Jan. 27, 2023, to assess whether the proposed information requirement is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility. The agency also solicits comments on evaluating the accuracy of the agency’s estimate of the burden and enhancing the quality, utility, and clarity of the information to be collected. 

Additionally, the TSA seeks feedback on minimizing the burden of the information collection on those who are to respond, including using appropriately automated, electronic, mechanical, or other technological collection techniques or other forms of information technology. The notice added that a comment to OMB is most effective if OMB receives it within 30 days of publication.

The notice also added that the TSA is changing the name of OMB control number 1652-0056 from PCSR to ‘Pipeline Corporate Security Reviews (PCSR) and Security Directives’ to more accurately represent the information collection. 

TSA is also revising the information collection to remove a portion of the cybersecurity questions from the PCSR workbook, which are covered in a separate ICR, 1652-0050 Critical Facility Information of the Top 100 Most Critical Pipelines. As a result, TSA removed a vast majority of cybersecurity questions in the PCSR workbook, moving from 210 to 160 questions, which resulted in a burden reduction to the voluntary collection. 

The TSA has been working on bringing together cybersecurity requirements for some time now. In July 2021, the OMB approved TSA’s requests for an emergency revision of information collection, allowing for the institution of mandatory requirements issued in TSA SD Pipeline-2021-02. At the time, the security directive called upon critical pipeline owners/operators to implement critically important mitigation measures to reduce the risk of compromise from a cyberattack; develop and maintain an up-to-date cybersecurity contingency/response plan; and test the effectiveness of the operator’s cybersecurity practices through an annual cybersecurity architecture design review.

By December of that year, the TSA announced two new security directives and additional guidance for voluntary measures for surface transportation systems and associated infrastructure. These initiatives aim to strengthen cybersecurity across the transportation sector in response to the ongoing cybersecurity threat to the infrastructure. These updates did not affect the information collection requirements.

Last July, the OMB approved TSA’s request to extend the information collection. The TSA also revised and re-issued its SD concerning cybersecurity to oil and natural gas pipeline owners and operators. The directive also extends cybersecurity requirements for another year and focuses on performance-based rather than prescriptive measures to achieve critical cybersecurity outcomes.

Last month, the TSA announced that it is seeking input regarding ways to strengthen cybersecurity and resiliency in the pipeline and rail (including freight, passenger, and transit rail) sectors. The agency is interested in input on improving surface cyber risk management across transportation systems from the industry associations representing these owners/operators, third-party cybersecurity subject matter experts, and insurers and underwriters for cybersecurity risks for these transportation sectors.
