Pipeline Cyber Checks Updated by TSA: Comments Welcome
Published Date: 1/2/2026
Notice
Summary
The TSA is updating how it collects info from pipeline companies to keep security strong, especially around cybersecurity rules. This affects pipeline businesses who must keep up with these security checks and rules. Comments on these changes are open until February 2, 2026, and the update helps TSA make sure pipelines stay safe without adding extra hassle or costs.
Analyzed Economic Effects
6 provisions identified: 1 benefits, 4 costs, 1 mixed.
Mandatory Cybersecurity Implementation Plan
If TSA designates your pipeline company as critical, you must submit a Cybersecurity Implementation Plan to TSA for approval (there is no designated form or format). Once TSA approves it, you must implement and maintain all measures and submit any changes to the plan for TSA approval under the TSA Security Directive Pipeline-2021-02 series.
Incident Response Plan and Annual Testing
Designated critical pipeline owner/operators must develop and keep an up-to-date Cybersecurity Incident Response Plan for critical cyber systems and must test the plan at least once every year. The testing requirement is explicitly stated as "no less than annually."
Annual Cybersecurity Assessment Plan Submission
Pipeline owner/operators designated critical must submit a Cybersecurity Assessment Plan to TSA for approval on an annual basis (there is no designated form or format). This is a recurring, yearly submission requirement tied to the Security Directive Pipeline-2021-02 series.
Information Collection Renewal and Burden Estimate
TSA is revising the collection title and seeking renewal of this information collection (OMB Control Number 1652-0056) for a 3-year approval period. TSA estimates 100 annual respondents and 80,231 estimated annual burden hours for the collection; comments are due by February 2, 2026.
Recordkeeping and Sensitive Security Information Protection
Pipeline owner/operators must maintain records that show compliance with the SD Pipeline-2021-02 series and make them available to TSA on request for inspection or copying. Submissions made under the voluntary PCSR or mandatory SD Pipelines-2021-02 series are treated as Sensitive Security Information (SSI) and protected under 49 CFR part 1520.
Voluntary Pipeline Corporate Security Reviews Continue
TSA continues to conduct Pipeline Corporate Security Reviews (CSRs) as a voluntary, face-to-face program, usually at pipeline headquarters, using a structured CSR Question Set to assess physical security practices. Participation in CSRs remains voluntary rather than mandatory.
Your PRIA Score
Personalized for You
How does this regulation affect your finances?
Sign up for a PRIA Policy Scan to see your personalized alignment score for this federal register document and every other regulation we track. We analyze your financial profile against policy provisions to show you exactly what matters to your wallet.
Key Dates
Department and Agencies
Take It Personal
Get Your Personalized Policy View
Start a Free Government Policy Watch to see how policy affects your household, then upgrade to PRIA Full Coverage for year-round monitoring.
Already have an account? Sign in