Unknown. Notification of ratification of security directives
--- schema: federal-register doc_type: fedreg source_file: FR-2023-06-06.xml ---

88 108 Tuesday, June 6, 2023

Homeland Security Department RULES Ratification of Security Directives, 36919-36924 2023-11941 2023-11942
Rules and Regulations

DEPARTMENT OF HOMELAND SECURITY

6 CFR Chapter I

49 CFR Chapter XII

Ratification of Security Directives

AGENCY: Office of Strategy, Policy, and Plans, Department of Homeland Security (DHS).

ACTION: Notification of ratification of security directives.

SUMMARY: DHS is publishing official notification that the Transportation Security Oversight Board (TSOB) has ratified Transportation Security Administration (TSA) Security Directive Pipeline-2021-01B and Security Directive Pipeline-2021-02C applicable to owners and operators of critical oil and natural gas pipeline infrastructure (owner/operators). Security Directive Pipeline-2021-01B extended the expiration date of cybersecurity measures initially required by Security Directive Pipeline-2021-01, issued on May 27, 2022, for an additional year. Security Directive Pipeline-2021-02C revised the cybersecurity measures originally required by Security Directive Pipeline-2021-02, issued on July 19, 2021, to be more performance-based and less prescriptive than the original requirements. This performance-based approach ensures the mandated critical security outcomes are achieved while allowing covered owner/operators options to implement security measures for their specific systems and operations.

DATES: The TSOB ratified Security Directive Pipeline-2021-01B on June 24, 2021 and ratified Security Directive Pipeline-2021-02C on August 19, 2022.

FOR FURTHER INFORMATION CONTACT: Thomas McDermott, Acting Assistant Secretary for Cyber, Infrastructure, Risk and Resilience Policy at 202-834-5803 or *thomas.mcdermott@hq.dhs.gov.*

SUPPLEMENTARY INFORMATION:

I. Background

A. Cybersecurity Threat

The cyber threat to the country's critical infrastructure, including pipelines, has remained elevated since the ransomware attack on the Colonial Pipeline Company on May 8, 2021. That attack temporarily disrupted critical supplies of gasoline and other refined petroleum products throughout the East Coast and demonstrated the significant threat such attacks pose to the country's infrastructure and economic well-being. The cyber threat posed by both criminal enterprises and nation-state actors continues to expand and become more complex. Ransomware tactics and techniques continue to evolve, exhibiting threat actors' growing technological sophistication and an increased ransomware threat to organizations globally. [1] The intelligence community has assessed that both the People's Republic of China and the Russian Federation have the capability to target critical infrastructure with cyber operations. [2]

[1] Alert (AA22-040A), *2021 Trends Show Increased Globalized Threat of Ransomware,* released by CISA on February 10, 2022 (as revised).

[2] Annual Threat Assessment of the U.S. Intelligence Community, Office of the Director of National Intelligence, 8, 12 (February 2022).

In 2022, the threat was heightened further in light of the Russian Federation's attack on Ukraine. [3] Throughout the ongoing Russia-Ukraine conflict there has been an increase in activity by politically or ideologically-motivated cyber groups and criminal cyber groups, who may act independently and without official support from a nation-state government, to target critical infrastructure, including the transportation sector. Illustrating the threat, on March 24, 2022, the U.S. Department of Justice unsealed indictments of three Russian Federal Security Service (FSB) officers and employees of a State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (also known as “TsNIIKhM”) for their involvement in intrusion campaigns against U.S. and international oil refineries, nuclear facilities, and energy companies. Documents revealed that the FSB conducted a multi-stage campaign in which they gained remote access to U.S. and international energy sector networks, deployed industrial control systems (ICS)-focused malware, and collected and exfiltrated enterprise and ICS-related data. [4] Since April 15, 2022, a pro-Russian hacking group known as “Killnet” has targeted a number of transportation entities, including U.S. and European airports and a U.S. oil and natural gas company. Killnet claimed responsibility for an October 10, 2022, cyber incident targeting the public-facing website of 48 airports across the United States, resulting in a number of these websites being unavailable for a period of time.

[3] Joint Cybersecurity Alert—Alert (AA22-011A), *Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure,* released by CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) on January 11, 2022 (as revised); Joint Cybersecurity Alert—Alert (AA22-110A), *Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure,* released by cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom on April 20, 2022 (as revised).

[4] Press Release 22-285, *Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide,* Department of Justice, issued on March 24, 2022, available at *https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical.*

B. Security Directive Pipeline-2021-01B

On May 27, 2021, TSA issued Security Directive Pipeline-2021-01, which was the first of two security directives issued by TSA to enhance the cybersecurity of critical pipeline systems in response to the attack on Colonial Pipeline. Security Directive Pipeline-2021-01, and the subsequent amendments in this series, required covered owner/operators to: (1) report cybersecurity incidents to CISA; (2) appoint a cybersecurity coordinator to be available 24/7 to coordinate with TSA and CISA; and (3) conduct a self-assessment of cybersecurity practices, identify any gaps, and develop a plan and timeline for remediation. [5] This first security directive went into effect on May 28, 2021 and was ratified by the TSOB on July 3, 2021. [6]

[5] Security Directive Pipeline-2021-01: Enhancing Pipeline Cybersecurity.

[6] *See* 86 FR 38209 (July 20, 2021).

On December 1, 2021, TSA amended Security Directive Pipeline-2021-01 to update the definition of cybersecurity incident to ensure the consistent identification of incidents that must be reported to CISA across all modes of transportation. [7] This amended directive, Security Directive Pipeline-2021-01A, was ratified by the TSOB on December 29, 2021. [8]

[7] To counter the persistent and growing cyber threat to critical transportation infrastructure, TSA took action over the course of 2021 to require entities across the modes of transportation regulated by TSA to institute the same critical measures Security Directive Pipeline-2021-01 required in the pipeline context. To date, TSA has issued security directives to high-risk freight railroad carriers, passenger railroad carriers, and rail transit systems and, in the aviation sector, issued security program amendments to airports and aircraft operators.

[8] *See* 87 FR 31093 (May 23, 2022).

In light of the continuing and evolving threat, as reflected in recent and ongoing intelligence, TSA determined that the measures required by the Security Directive Pipeline-2021-01 series remain necessary to protect the Nation's critical pipeline infrastructure beyond Security Directive Pipeline-2021-01A's expiration date of May 28, 2022. On May 27, 2022, TSA issued Security Directive Pipeline-2021-01B to extend the requirements of Security Directive Pipeline-2021-01A for an additional year. Security Directive Pipeline-2021-01B became effective May 29, 2022 and expires on May 29, 2023. Security Directive Pipeline-2021-01B is available online in TSA's Surface Transportation Cybersecurity Toolkit. [9]

[9] TSA Surface Transportation Cybersecurity Toolkit, *available at https://www.tsa.gov/for-industry/surface-transportation-cybersecurity-toolkit.*

The only substantive change in Security Directive Pipeline-2021-01B to the prior requirements is an increase in the amount of time covered entities have to report cybersecurity incidents to CISA from 12 hours to 24 hours after an incident is identified. This change aligned the reporting timeline for critical pipeline entities to mirror the reporting requirements applicable to other surface transportation entities and aviation entities. TSA reached the determination to extend the reporting deadline to 24 hours following engagement with industry stakeholders and in consultation with CISA.

C. Security Directive Pipeline-2021-02C

Due to the extent of the threat to pipeline cybersecurity reflected by intelligence, and the need for widespread best practices to be mandated within the industry, TSA issued Security Directive Pipeline-2021-02 on July 19, 2021. This directive required owner/operators to implement additional cybersecurity measures to prevent disruption and degradation to their infrastructure in response to the ongoing threat. Specifically, Security Directive Pipeline-2021-02, which became effective on July 26, 2021, and was set to expire on July 26, 2022, required owner/operators to take the following additional actions:

• Implement an array of specified mitigation measures to reduce the risk of compromise from a cyberattack;

• Develop a Cybersecurity Contingency/Response Plan to reduce the risk of operational disruption or functional degradation of information technology and operational technology systems in the event of a malicious cyber intrusion; and

• Test the effectiveness of their cybersecurity practices through an annual cybersecurity architecture design review conducted by a third party.

Security Directive Pipeline-2021-02 was ratified by the TSOB on August 17, 2021. [10]

[10] *See* 86 FR 52953 (September 24, 2021).

On December 17, 2021, TSA issued Security Directive Pipeline-2021-02B, amending Security Directive Pipeline-2021-02 in response to industry input. Specifically, the amended directive revised the time limits for owner/operators to install security software updates and patches for operating systems, applications, drivers, and firmware on Information Technology systems. The TSOB ratified Security Directive Pipeline-2021-02B on January 13, 2022. [11]

[11] *See* 87 FR 31093 (May 23, 2022).

In response to the persistent threat to critical oil and natural gas pipelines, TSA determined that it remains necessary for owner/operators of the most critical oil and natural gas pipelines to implement and maintain cybersecurity measures to prevent disruption and degradation to their infrastructure. On July 21, 2022, TSA issued Security Directive Pipeline-2021-02C requiring owner/operators of the most critical oil and natural gas pipelines to continue to implement necessary cybersecurity measures. The directive became effective on July 27, 2022, and is set to expire on July 27, 2023.

In order to best achieve the critical security outcomes necessary to counter the threat, Security Directive Pipeline-2021-02C transitioned the original requirements to a performance-based model. The directive maintains the security objectives of the previous versions, but implements them through performance-based standards rather than requiring specific prescriptive measures. This approach enhances security by allowing owner/operators to choose the most appropriate cybersecurity measures to protect their specific systems, while mandating that certain security outcomes are achieved. It also provides owner/operators greater ability to be agile and adaptive in leveraging innovative technologies in a changing threat environment.

Security Directive Pipeline-2021-02C identifies four critical security outcomes that covered entities are required to achieve:

• Implement network segmentation policies and controls to ensure that the Operational Technology (OT) system can continue to safely operate in the event that an Information Technology (IT) system has been compromised;

• Implement access control measures to secure and prevent unauthorized access to critical cyber systems;

• Implement continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and

• Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.

For each of these performance outcomes, the directive includes specific issues that must be addressed and provides options for achieving the required outcomes. To ensure that the critical security outcomes identified are achieved under this performance-based framework, Security Directive Pipeline-2021-02C requires that owner/operators:

• Establish and implement a TSA-approved Cybersecurity Implementation Plan that describes the specific cybersecurity measures employed and the schedule for achieving the security outcomes identified;

• Develop and maintain an up-to-date Cybersecurity Incident Response Plan to reduce the risk of operational disruption, or the risk of other significant impacts on necessary capacity, as defined in the directive, should the Information and/or Operational Technology systems of a gas or liquid pipeline be affected by a cybersecurity incident; and

• Establish a Cybersecurity Assessment Program and submit an annual plan that describes how the Owner/Operator will proactively and regularly assess the effectiveness of cybersecurity measures and identify and resolve device, network, and/or system vulnerabilities.

Cybersecurity experts from TSA and the Cybersecurity and Infrastructure Security Agency (CISA) contributed to the development of the requirements and performance-based standards in Security Directive Pipeline-2021-02C to ensure the efficacy of the requirements in mitigating vulnerabilities. The directive also reflects input from stakeholders and for a transition to a performance-based, security outcome-focused model. Security Directive Pipeline-2021-02C is available online in TSA's Surface Transportation Cybersecurity Toolkit. [12]

[12] TSA Surface Transportation Cybersecurity Toolkit, *available at https://www.tsa.gov/for-industry/surface-transportation-cybersecurity-toolkit.*

II. TSOB Ratification

TSA has broad statutory responsibility and authority to safeguard the nation's transportation system. [13] The TSOB—a body consisting of the Secretary of Homeland Security, the Secretary of Transportation, the Attorney General, the Secretary of Defense, the Secretary of the Treasury, the Director of National Intelligence, or their designees, and a representative of the National Security Council—reviews certain TSA regulations and security directives consistent with law. [14] TSA issued both of these security directives under 49 U.S.C. 114(*l*)(2)(A), which authorizes TSA to issue emergency regulations or security directives without providing notice or public comment where “the Administrator determines that a regulation or security directive must be issued immediately in order to protect transportation security. . . .”. Security directives issued pursuant to the procedures in 49 U.S.C. 114(*l*)(2) “shall remain effective for a period not to exceed 90 days unless ratified or disapproved by the Board or rescinded by the Administrator.” [15]

[13] *See, e.g.,* 49 U.S.C. 114(d), (f), (*l*), (m).

[14] *See, e.g.,* 49 U.S.C. 115; 49 U.S.C. 114(*l*)(2)(B).

[15] 49 U.S.C. 114(*l*)(2)(B).

Following the issuance of Security Directive Pipeline-2021-01B on May 27, 2022, the chairman of the TSOB convened the board for the purpose of reviewing the directive.
In reviewing Security Directive Pipeline-2021-01B, the TSOB considered the continuing need for TSA to maintain the directive's requirements pursuant to its emergency authority under 49 U.S.C. 114( *l* )(2) to prevent the disruption and degradation of the country's critical transportation infrastructure and the change in the deadline for reporting cybersecurity incidents to CISA from 12 hours to 24 hours. Following its review, the TSOB ratified Security Directive Pipeline-2021-01B on June 24, 2022.
Following the issuance of Security Directive Pipeline-2021-02C on July 21, 2022, the chairman again convened the board for the purpose of reviewing that directive. In reviewing Security Directive Pipeline-2021-02C, the TSOB considered its transition to a performance-based approach to requiring owner/operators of critical oil and natural gas pipelines to address persistent and evolving cyber threats that threaten the country's critical pipeline infrastructure as well as the need for TSA to issue the directive's requirements using its emergency authority under 49 U.S.C. 114( *l* )(2)(A). The TSOB also considered whether to authorize TSA to extend the security directive beyond its current expiration date of July 27, 2023, subject to certain conditions, should the TSA Administrator believe such an extension is necessary to address the evolving threat that may continue beyond the original expiration date.
Following its review, the TSOB ratified Security Directive Pipeline-2021-02C on August 19, 2022. The TSOB also authorized TSA to extend the security directive beyond its current expiration date, should the TSA Administrator determine such an extension is necessary to address the evolving threat that may continue beyond the original expiration date. Such an extension is subject to the following conditions:
(1) there are no changes to the security directive other than an extended expiration date;
(2) the TSA Administrator makes an affirmative determination that conditions warrant the extension of the directive's requirements; and
(3) the TSA Administrator documents such a determination and notifies the TSOB.
John K. Tien, Deputy Secretary of Homeland Security & Chairman of the Transportation Security Oversight Board.
[FR Doc. 2023-11941 Filed 6-5-23; 8:45 am]