TSA preps new guidelines on pipeline cyber
- By Mark Rockwell
- May 01, 2019
The Transportation Security Administration has submitted a plan to keep pipeline cybersecurity guidelines up to date, the Government Accountability Office's acting director told a May 1 House Energy and Commerce Energy Subcommittee hearing on pipeline security.
TSA has federal oversight responsibility for the physical security and cybersecurity of oil, natural gas and hazardous materials pipelines in the U.S. That pipeline infrastructure is mostly privately held.
In his testimony at the hearing, GAO Acting Director William Russell referenced his agency's December 2018 report on TSA's pipeline oversight. In that report, the GAO had recommended TSA formally document its review and revision processes for its Pipeline Security Guidelines for private pipeline infrastructure providers.
The GAO also found weakness in TSA's cybersecurity workforce, as well as a shortage of workers. The watchdog agency said staffing levels for the agency's pipeline branch have fluctuated "significantly" from a single worker in 2014, to six between 2015 and 2018. Those workers, it said, lacked cybersecurity expertise.
GAO's 2018 report said although TSA updated its guidelines with the National Institute for Standards and Technologies' cybersecurity framework in March, it missed some important updates to the NIST framework, particularly the Supply Chain Risk Management category that NIST added the following month. TSA missed that update because, according to the report, its plan didn't have a formal update process. GAO recommended TSA adopt a formalized process that allowed for more thorough and frequent updates at regular defined intervals.
"Without a documented process defining how frequently TSA is to review and, if deemed necessary, revise its guidelines, TSA cannot ensure that the guidelines reflect the latest known standards and best practices of physical security and cybersecurity," it said.
GAO's Russell's written testimony for the May 1 hearing said TSA had agreed to develop that plan and complete it by April 30, 2019. Russell said his agency is now reviewing the plan. To address the cyber workforce issues, GAO recommended TSA develop a strategic workforce plan and complete it by this coming July.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at [email protected] or follow him on Twitter at @MRockwell4.