The TSA Security Directive issued in the wake of the May 2021 ransomware attack against Colonial Pipeline, which imposed mandatory obligations to report incidents within 24 hours, update systems and appoint cybersecurity officials, was criticized by industry as being too rigid and as misunderstanding the unique cybersecurity needs of pipeline operators. With its July 21, 2022 revision, the TSA seems to acknowledge these criticisms by adopting a more flexible and less prescriptive approach.
This article highlights some of the recent cyber regulatory efforts by federal agencies, discusses the components of the revised TSA Security Directive and offers a perspective on whether the coming cyber regulations will adopt the TSA approach or something more draconian.