When Colonial Pipeline shut down 5,500 miles of fuel transport in May 2021 after a single ransomware payload hit its billing systems, federal pipeline cybersecurity regulation went from voluntary guidance to mandatory directive in 33 days. Five years later, that emergency framework is still running — extended, revised, ratified, and now mid-transition into permanent rule. If you work in critical infrastructure security and you’ve been treating this as “the gas pipeline thing,” you missed the moment it became the template.
The TSA Pipeline Security Directives are a working model of how the federal government plans to regulate operational technology cybersecurity across surface transportation, and increasingly across other sectors that touch industrial control systems. The directives have iterated through more letter suffixes than most CVEs, the Notice of Proposed Rulemaking that would codify them is sitting in regulatory limbo, and the latest version quietly added a U.S. citizenship requirement for cybersecurity coordinators. This is the compliance regime worth paying attention to.
How a Ransomware Attack Became a Federal Directive
The Colonial Pipeline incident was, by ransomware standards, technically unremarkable. DarkSide affiliates obtained credentials to a legacy VPN account that was no longer in active use but had not been deactivated and lacked multi-factor authentication. They encrypted business-side IT systems, not the operational technology controlling the pipeline itself. Colonial shut down the pipeline preemptively because it could not bill customers — a financial decision with operational consequences. The shutdown produced fuel shortages from Texas to New Jersey and panic buying that emptied stations across the Southeast.
TSA had previously regulated pipeline security through voluntary guidelines dating to 2010, with cybersecurity addressed in the agency’s 2018 Pipeline Security Guidelines. After Colonial, TSA invoked its emergency authority under 49 U.S.C. 114(l)(2)(A) — the statute permitting the agency to issue directives without notice-and-comment rulemaking when the Administrator determines immediate action is required. The first directive, SD Pipeline-2021-01, took effect May 28, 2021. The second, SD Pipeline-2021-02, followed on July 26, 2021.
These directives have iterated continuously. The 01 series moved through versions A, B, C, D, E, F, and now G — each cancellation-and-replacement extending the regime by another year while incorporating revisions. The 02 series tracks similarly through 02F. SD Pipeline-2021-01G took effect January 16, 2026, and expires January 15, 2027. SD Pipeline-2021-02F took effect May 3, 2025, and expires May 2, 2026. The Transportation Security Oversight Board ratifies these directives within 90 days of issuance — a procedural requirement that converts emergency directives into ratified regulations until rulemaking catches up.
What the Two Directive Series Actually Require
The 01 and 02 series cover distinct compliance surfaces, and operators subject to one are typically subject to both.
SD Pipeline-2021-01 addresses three foundational requirements. Owner/operators must designate a Cybersecurity Coordinator and at least one alternate, available 24/7, who serves as the primary contact for TSA and CISA on cyber-related intelligence and incidents. Operators must report cybersecurity incidents to CISA within 24 hours, with the definition of “cybersecurity incident” written broadly enough to include events under investigation where root cause has not been determined. And operators must conduct a Cybersecurity Vulnerability Assessment using TSA Form 1604 — a self-assessment aligned to the NIST Cybersecurity Framework — and submit it to TSA.
The latest version, SD Pipeline-2021-01G, introduced a substantive change: any non-U.S. citizen serving as a primary or alternate Cybersecurity Coordinator must now be a current member of an approved category, a clarification that closes a gap operators with offshore security operations centers had been working through.
SD Pipeline-2021-02 is the heavier lift. It requires a TSA-approved Cybersecurity Implementation Plan (CIP) that documents how the operator achieves performance-based outcomes across four domains: network segmentation between IT and OT systems, access control, continuous monitoring and threat detection, and patch management for operating systems, applications, and firmware. Operators must also maintain a Cybersecurity Incident Response Plan, conduct annual tabletop exercises, and submit an annual Cybersecurity Assessment Plan (CAP) describing how they will independently assess CIP effectiveness over the coming year. Results feed into annual reports filed with TSA.
The performance-based framing matters. TSA explicitly avoided prescriptive controls in favor of outcomes — the agency does not tell operators which firewall to buy or which segmentation architecture to implement, only that segmentation must achieve specific security objectives that TSA will inspect against. This was a deliberate concession to the heterogeneity of pipeline operations and a response to industry pushback against the more prescriptive original 2021-02 directive, which mandated specific actions on specific timelines and was widely criticized as unworkable.
Why the NPRM Matters More Than the Directives
In November 2024, TSA published the Enhancing Surface Cyber Risk Management Notice of Proposed Rulemaking. The comment period closed February 5, 2025. The proposed rule would codify the directive regime into permanent regulation under a new 49 CFR framework, expand applicability to roughly 300 surface transportation owner/operators including approximately 115 pipeline facilities, and apply parallel requirements to higher-risk freight rail, passenger rail, rail transit, and over-the-road bus operators.
The NPRM does several things the directives cannot. It creates a tiered applicability framework that captures national security and supply chain risks the original directives missed, including operators whose service to defense or supply chain logistics elevates them above standard size-based thresholds. It introduces Physical Security Coordinator requirements at the corporate level for covered operators. It expands Sensitive Security Information (SSI) classification under 49 CFR Part 1520 to cover a broader range of cybersecurity materials, raising the confidentiality bar for incident documentation and CIP submissions. And critically, it imposes a 24-hour cybersecurity incident reporting deadline to CISA, harmonized with — but distinct from — CIRCIA reporting once that rule is finalized.
The proposed rule sat unfinalized through 2025 and into 2026. The Congressional Committee on Homeland Security wrote to TSA on March 6, 2025, requesting clarification on TSA’s cybersecurity posture and citing concerns about regulatory overlap with CIRCIA and Coast Guard MTSA cybersecurity rules — particularly relevant after the Coast Guard’s MTSA Cybersecurity Final Rule took effect July 16, 2025, establishing parallel baseline requirements for maritime facilities. The committee letter was, in effect, a request for TSA to slow down and harmonize, not a rejection of the framework. The directives continue to operate in parallel pending final rule action.
How Operators Actually Comply
The compliance architecture for a covered pipeline operator looks roughly like this. The operator identifies its Critical Cyber Systems — defined as cyber systems that, if compromised, could cause operational disruption to business-critical functions. This identification is consequential: systems classified as critical fall under CIP requirements; everything else does not. Operators have submitted determinations claiming they have no Critical Cyber Systems, and TSA has the authority to push back on those determinations under Section II.B of the directives.
The CIP itself is a substantial document. Operators must demonstrate how they achieve the four required outcomes — segmentation, access control, monitoring, patching — across both information technology and operational technology environments. The plan is reviewed by TSA cybersecurity staff, frequently with iterative back-and-forth before approval. Until the plan is approved, operators apply the prior directive version’s requirements as a baseline. Once approved, the CIP becomes the standard TSA inspects against during Corporate Security Reviews and ad-hoc inspections.
The Cybersecurity Assessment Plan is the audit layer on top of the CIP. Operators describe how they will assess their own CIP effectiveness over the next year, including which controls will be tested, how testing will be conducted, and what evidence will be retained. Annual reports document what was tested, what was found, and what was remediated. A finding that the CIP is not achieving its stated outcomes obligates the operator to remediate, document, and report.
The Pitfalls Operators Keep Hitting
Several patterns have emerged from five years of compliance activity. First, Critical Cyber System scoping is where most disputes begin. Operators have an incentive to scope narrowly to reduce CIP burden; TSA has authority to push back. Operators that classified Engineering Workstations or historian databases as non-critical have had those determinations challenged, and the conversation typically takes months. Documenting the methodology — not just the outcome — is what survives review.
Second, the CIP is not a one-time deliverable. It’s a living document, and material changes to the operator’s environment require updates. Acquisitions, ICS replacements, cloud migrations of OT-adjacent systems, and new third-party access arrangements all trigger update obligations. Operators that submitted a CIP in 2022 and have not revisited it are out of compliance regardless of how thorough the original document was.
Third, responsibility for third-party services is shared but not transferable. An operator using a managed security services provider for monitoring remains liable for compliance with the monitoring requirements. The 02E and 02F revisions clarified this explicitly because operators were treating MSSP contracts as a compliance handoff.
Fourth, incident reporting timing has tightened. The 24-hour CISA reporting clock starts at discovery, not at confirmation. Events under investigation must be reported even if root cause is unknown. Operators waiting for forensic confirmation before reporting are systematically late. The GAO has flagged this as one of the directives’ underdeveloped areas — the GAO-25-107947 testimony before the House Subcommittee on Transportation and Maritime Security in November 2024 noted that TSA’s directives did not align with ransomware leading practices in several respects, and reporting practices were among them.
Fifth, the regime sits in a multi-regulator environment that operators have to reconcile. CIRCIA reporting under CISA, MTSA cybersecurity reporting for any maritime-adjacent infrastructure, state PUC requirements, and now NERC CIP for any pipeline that touches grid-connected compressor stations all overlap unevenly. Harmonization is a stated goal; harmonization is not yet a reality.
Frequently Asked Questions
Are the TSA pipeline directives still in effect, or did the NPRM replace them? They are still in effect. SD Pipeline-2021-01G runs through January 15, 2027, and SD Pipeline-2021-02F runs through May 2, 2026. The NPRM has not been finalized, and until it is, the directives are the operative authority. TSA reissues them annually, and the Transportation Security Oversight Board ratifies each reissuance.
Do the directives apply to gathering lines and small distribution systems? No. Applicability is limited to TSA-designated critical pipeline systems and facilities — roughly 100 of the largest hazardous liquid and natural gas pipeline operators, plus designated LNG facilities. The November 2024 NPRM proposes an expanded applicability framework that would capture additional operators based on national security and supply chain criteria, but that has not been finalized.
What is the relationship between the TSA directives and CIRCIA? TSA directive reporting goes to CISA today and is not displaced by CIRCIA. Once CIRCIA’s final rule is in effect, covered entities will report under both regimes unless a substantially similar reporting exception applies. TSA and CISA have stated they intend to harmonize through information sharing, not duplicate filing, but the legal obligations are separate.
What happens if an operator submits a CIP and TSA denies approval? The operator may file a petition for reconsideration within 30 calendar days. Pending approval, the operator must apply the requirements of the prior directive version as a baseline. Continuing to operate without an approved CIP after the deadline triggers enforcement action.
What This Regime Looks Like in 2027
The directive-based approach has held up better than its original critics expected, in large part because TSA pivoted away from prescriptive controls in 2022 and built the performance-based framework that the NPRM now seeks to codify. The operators that took the directives seriously in 2021 are in materially better security postures today. The operators that treated each annual extension as a paperwork exercise are visible to TSA, and the inspection regime is catching up to them.
The interesting question is whether the NPRM gets finalized before the directive series accumulates enough internal contradiction to become unworkable, or whether TSA continues annual extensions indefinitely. As of April 2026, the regulatory and political environment around critical infrastructure cybersecurity is volatile enough that no outcome is predictable. What is predictable is that operators with mature CIPs, current CAPs, and documented Critical Cyber System methodologies will absorb whatever rule emerges with less friction than operators waiting for clarity. The compliance regime is already real. The rulemaking is paperwork catching up to it.