GAO offers pipeline security program guidance

The Government Accountability Office (GAO) has made a series of recommendations designed to strengthen the Transportation Security Administration’s (TSA) management of its pipeline security program.

The GAO analysis stems from the fact pipeline system disruptions could result in commodity price increases or widespread energy shortages while noting several federal and private entities have roles in pipeline security. The TSA is primarily responsible for the federal oversight of pipeline physical security and cybersecurity.

The TSA revised its voluntary pipeline security guidelines in March 2018 to reflect changes in the threat environment and incorporate principles and practices from the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The GAO maintains TSA’s revisions did not include all elements of the current NIST framework and TSA does not have a documented process for reviewing and revising its guidelines regularly.

GAO’s work involved analyzing TSA documents, such as its Pipeline Security Guidelines; evaluating TSA pipeline risk assessment efforts; and interviewing TSA officials, 10 pipeline operators and representatives from five pipeline industry associations. GAO also reviewed information on TSA’s actions to implement its prior recommendations.

GAO is recommending that the TSA develop a strategic workforce plan, which the TSA plans to complete by July 2019 and update its risk ranking tool to include up-to-date data to ensure it reflects industry conditions and fully document the data sources, assumptions and judgments that form the basis of the tool. It also recommends the TSA take steps to update information on security review recommendations and monitor and record their status, which the TSA plans to address by November 2019.