The Transportation Security Administration (TSA) Cybersecurity Directives represent the U.S. federal government’s most direct and enforceable cybersecurity mandates for critical infrastructure operators outside the energy sector. Triggered by the Colonial Pipeline ransomware attack in May 2021 — which disrupted fuel supply across the U.S. East Coast and led to a $4.4 million ransom payment — TSA moved rapidly to exercise its statutory authority under 49 U.S.C. § 114(l) to issue legally binding directives requiring pipeline, aviation, and surface transportation operators to implement specific cybersecurity controls. Unlike voluntary frameworks such as NIST CSF or CISA’s Cybersecurity Performance Goals, TSA Directives carry the full force of federal law. Failure to comply can result in civil monetary penalties and, in serious cases, revocation of operating certificates or authority. This guide explains exactly what each directive requires, which operators are covered, and how to achieve and demonstrate compliance.
1. The TSA Cybersecurity Directives: Origin and Scope
Following the Colonial Pipeline incident, TSA issued the first pipeline cybersecurity directives in May and July 2021. Subsequent directives extended requirements to aviation and surface transportation (rail), and multiple revision cycles have updated and expanded requirements as the threat landscape has evolved. The directives are issued under TSA’s emergency authority, which allows requirements to be imposed immediately without the normal notice-and-comment rulemaking process.
Three Sectors Covered
- Hazardous liquid and natural gas pipelines — operators of TSA-designated critical pipeline facilities, including transmission systems, storage, and terminals
- Aviation — airports with TSA-approved security programs and Part 121 air carriers (commercial airlines)
- Surface transportation — passenger rail (Amtrak, commuter rail, heavy rail transit) and freight rail (Class I railroads)
Legal Status and Enforcement
TSA Directives are emergency action instruments — they are legally mandatory requirements, not voluntary guidelines or aspirational frameworks. TSA inspectors have authority to audit compliance, and the agency can impose civil monetary penalties for violations. In the most serious cases, TSA can pursue suspension or revocation of operating certificates. The Department of Homeland Security has made clear that TSA Directives represent a floor, not a ceiling: organizations are expected to exceed these minimum requirements as their capabilities mature.
Current Directive Versions
- Pipeline SD-02E — May 2024 (fifth revision of the pipeline series; supersedes SD-02D)
- Aviation SD-01D — March 2024 (fourth revision; supersedes SD-01C)
- Surface Transportation SD-01B — October 2023 (second revision; supersedes SD-01A)
2. Pipeline Directives (SD-02E): What Operators Must Do
The pipeline directives have evolved through five revisions since May 2021, each building on the previous. SD-02E is the current operative version and consolidates all requirements into a comprehensive cybersecurity framework for critical pipeline operators.
Cybersecurity Incident Response Plan
Operators must maintain a documented Cybersecurity Incident Response Plan (IRP) that addresses detection, containment, eradication, and recovery from cybersecurity incidents affecting operational technology. The IRP must be submitted to CISA and TSA, kept current, and — critically — tested annually through tabletop or functional exercises. Testing records must be documented and retained for TSA inspection.
Network Segmentation (IT/OT Separation)
Operators must implement network segmentation between IT and OT environments, with defined and documented data flows across the segmentation boundary. Uncontrolled IT-to-OT connectivity — a condition that enabled the Colonial Pipeline attack to threaten operational systems — is explicitly prohibited. Operators must document their segmentation architecture and maintain up-to-date network diagrams showing IT/OT boundaries.
Access Control Measures
- Multi-factor authentication (MFA) for all remote access to OT systems and for all privileged accounts with administrative access to OT
- Principle of least privilege enforced for OT access rights
- Regular review and recertification of privileged access
- Shared or generic accounts prohibited for OT administrative access
Continuous Monitoring
Operators must implement continuous monitoring capabilities to detect cybersecurity threats in the OT environment. This includes deploying OT-aware monitoring tools (passive network monitoring is acceptable for safety-sensitive systems) and establishing processes to review and respond to alerts. Monitoring must cover both east-west lateral movement within OT networks and north-south traffic crossing the IT/OT boundary.
Annual Architecture Review and Reporting Obligations
- Annual cybersecurity architecture review: documented assessment of the OT security architecture against current threat landscape and directive requirements
- 12-hour incident reporting obligation to CISA: all cybersecurity incidents affecting OT systems must be reported within 12 hours of identification
- Designated Cybersecurity Coordinator (CSC): available 24/7, with current contact information reported to TSA and updated within 7 days of any change
3. Aviation Directives (SD-01D): Airport and Aircraft Operator Requirements
The aviation directives apply to airports operating under TSA-approved security programs and Part 121 air carriers, covering the full range of operational technology systems used in aviation operations — from aircraft maintenance systems and baggage handling to gate management and air traffic support systems.
Cybersecurity Implementation Plan
Covered aviation entities must develop and submit a Cybersecurity Implementation Plan (CIP) to TSA detailing the specific technical and procedural measures they will implement to comply with directive requirements. The CIP must be reviewed and approved by TSA, and must be updated whenever there are significant changes to the organization’s OT environment or security posture.
Network Access Controls
Aviation operators must restrict access to operational technology systems, including systems supporting aircraft maintenance, baggage handling, gate operations, and passenger processing. This includes deploying network segmentation between corporate IT networks and OT systems, implementing strict access controls for vendor and third-party remote access, and logging all access to OT systems for review.
Patch Management and Training
- Risk-based patch management program with defined remediation timelines by severity level (critical vulnerabilities require faster remediation than informational findings)
- Annual cybersecurity awareness training for all staff with access to OT systems or with cybersecurity responsibilities
- Documentation of training completion rates and records retention for TSA inspection
Incident Reporting and Vendor Risk
- 24-hour incident reporting to CISA for any cybersecurity incident causing operational disruption; immediate notification required for ransom payments
- Third-party and vendor risk management requirements: contractual security requirements for vendors with OT access, assessment of vendor security practices, and monitoring for vendor-originated incidents
4. Surface Transportation Directives (SD-01B): Passenger and Freight Rail
The surface transportation directives cover Amtrak, commuter rail operators, Class I freight railroads, and heavy rail transit operators. Rail OT environments present unique challenges: Positive Train Control (PTC) systems, signaling infrastructure, and train management systems are safety-critical and often run on legacy protocols not designed for cybersecurity.
Cybersecurity Coordinator and Incident Reporting
- Designation of a Cybersecurity Coordinator: available 24/7, reported to TSA with full contact information, with an alternate designated for continuity
- 24-hour incident reporting to CISA for all identified cybersecurity incidents
- Clear internal escalation path from operational staff to Cybersecurity Coordinator to CISA notification
Vulnerability Assessment and Implementation Plan
Rail operators must conduct cybersecurity vulnerability assessments of their OT and IT systems supporting critical rail operations. Assessment results and findings must be submitted to TSA and CISA. Based on the vulnerability assessment, operators must develop a Cybersecurity Implementation Plan (CIP) with specific measures to address identified vulnerabilities — prioritized by risk level, with defined implementation timelines and ownership.
Positive Train Control (PTC) and Annual Review
PTC systems and other safety-critical OT systems require additional consideration in the CIP, including an assessment of OT-specific threats such as GPS spoofing, communication jamming, and protocol manipulation. CIPs must be reviewed and updated annually, and whenever significant changes are made to covered systems. Rail operators must retain documentation of all annual reviews for TSA inspection.
5. The 10 Most Common TSA Directive Compliance Gaps
Based on pre-audit assessments and TSA inspection findings across pipeline, aviation, and rail operators, the following gaps appear most frequently and represent the highest risk of enforcement action:
Failure to test the Incident Response Plan is the single most cited deficiency in TSA Directive compliance reviews. TSA explicitly requires annual IRP testing — documentation alone is insufficient.
Source: CyberICS Solutions Research — Analysis of TSA compliance assessments and publicly available enforcement actions, Q1 2026
- IRP not tested with tabletop exercises — documented incident response plan exists but has never been exercised; fails the explicit annual IRP testing requirement in all three directive series
- IT/OT segmentation exists on paper but not enforced — network diagrams show segmentation; actual firewall rules permit unrestricted or loosely controlled IT-to-OT traffic
- MFA deployed for IT but not extended to OT jump servers — remote access to IT systems is MFA-protected but OT jump hosts, historian servers, and remote SCADA access remain single-factor
- Cybersecurity Coordinator role not 24/7 available — CSC designated but no alternate designated; contact information not updated with TSA; CSC unavailable outside business hours
- Incident reporting process not drilled — staff unaware of 12-hour vs. 24-hour reporting timelines; no rehearsed internal escalation path from detection to CISA notification
- Patch management documented but not executed within required timeframes — formal patch policy defines timelines but operational pressures delay OT patching beyond policy thresholds
- Vendor remote access not controlled under directive requirements — third-party vendors access OT systems via unmonitored, shared credentials without MFA or session logging
- Annual architecture review not completed or not documented — security review performed informally but not documented as a formal annual architecture review meeting directive language
- Staff cybersecurity training records incomplete — training conducted but completion records not maintained for all staff within regulatory scope; training content not updated to reflect current threats
- CIP submitted but not updated following significant changes — Cybersecurity Implementation Plan filed with TSA but not revised after major system changes, acquisitions, or significant threat landscape shifts
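The "segmentation exists on paper but not enforced" gap above, and the documented data-flow requirement in the pipeline segmentation section, both come down to the same check: every permit rule on the boundary firewall that lets traffic into OT must correspond to a documented flow and must not be an "any" rule. The following Python is an added example, not code from this page or from CyberICS Solutions; the zone ranges, the rule and flow field names, and all rule and flow records are constructed assumptions.

```python
"""Added example (not from the page or CyberICS Solutions): check that every
firewall rule permitting traffic into the OT zone matches a documented IT/OT
data flow and is not an "any" rule. All networks, flows and rules are constructed."""
from ipaddress import ip_network as net
from dataclasses import dataclass

IT_NET = net("10.10.0.0/16")  # constructed: corporate IT zone
OT_NET = net("10.50.0.0/16")  # constructed: OT / control zone

@dataclass(frozen=True)
class Flow:
    """One documented boundary data flow: src CIDR, dst CIDR, proto, dst port ("any" allowed)."""
    src: str
    dst: str
    proto: str
    port: str

def zone(cidr: str) -> str:
    """IT, OT, or OTHER for ranges wider than a zone (e.g. 0.0.0.0/0)."""
    n = net(cidr, strict=False)
    return "IT" if n.subnet_of(IT_NET) else "OT" if n.subnet_of(OT_NET) else "OTHER"

def matches_flow(rule: dict, flow: Flow) -> bool:
    """True when the rule is no wider than the documented flow on every field."""
    return (net(rule["src"], strict=False).subnet_of(net(flow.src, strict=False))
            and net(rule["dst"], strict=False).subnet_of(net(flow.dst, strict=False))
            and flow.proto in ("any", rule["proto"])
            and flow.port in ("any", rule["port"]))

def audit_rules(rules: list, flows: list) -> dict:
    """Verdict per permit rule that crosses into OT: ok, overly_broad or undocumented."""
    verdicts = {}
    for r in rules:
        # Denies, intra-OT rules and OT-to-IT rules are outside this check.
        if r["action"] != "permit" or zone(r["dst"]) != "OT" or zone(r["src"]) == "OT":
            continue
        if r["src"] == "0.0.0.0/0" or "any" in (r["proto"], r["port"]):
            verdicts[r["id"]] = "overly_broad"   # unrestricted IT-to-OT access
        elif any(matches_flow(r, f) for f in flows):
            verdicts[r["id"]] = "ok"
        else:
            verdicts[r["id"]] = "undocumented"   # firewall and diagram disagree
    return verdicts

# Constructed: what the segmentation architecture document says crosses the boundary.
DOCUMENTED_FLOWS = [
    Flow("10.10.20.0/24", "10.50.1.10/32", "tcp", "3389"),  # IT admin VLAN -> OT jump host
    Flow("10.10.5.0/24", "10.50.0.0/16", "udp", "123"),     # IT time servers -> OT (NTP)
]
# Constructed, vendor-neutral export of what the boundary firewall actually enforces.
SAMPLE_RULES = [
    {"id": "R1", "src": "10.10.20.0/24", "dst": "10.50.1.10/32", "proto": "tcp", "port": "3389", "action": "permit"},
    {"id": "R2", "src": "10.10.0.0/16", "dst": "10.50.0.0/16", "proto": "any", "port": "any", "action": "permit"},
    {"id": "R3", "src": "10.10.40.7/32", "dst": "10.50.2.15/32", "proto": "tcp", "port": "502", "action": "permit"},
    {"id": "R4", "src": "10.10.5.0/24", "dst": "10.50.0.0/16", "proto": "udp", "port": "123", "action": "permit"},
    {"id": "R5", "src": "0.0.0.0/0", "dst": "10.50.0.0/16", "proto": "any", "port": "any", "action": "deny"},
]
if __name__ == "__main__":
    for rule_id, verdict in audit_rules(SAMPLE_RULES, DOCUMENTED_FLOWS).items():
        print(rule_id, verdict)
```

Running it against a real rule export means replacing the constructed records with the firewall's own; the verdicts then become the evidence list for the annual architecture review.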
6. TSA Directives and Adjacent OT Security Frameworks
TSA Directives do not exist in isolation. Most covered operators are already engaged with one or more voluntary cybersecurity frameworks, and understanding how TSA requirements map to those frameworks enables organizations to build a unified compliance posture rather than managing each requirement separately.
TSA + NIST CSF 2.0
NIST CSF 2.0’s six functions — Govern, Identify, Protect, Detect, Respond, and Recover — map cleanly to TSA Directive requirements. The GOVERN function aligns with TSA’s Cybersecurity Coordinator designation and governance requirements. PROTECT covers IT/OT segmentation and access controls. DETECT maps to continuous monitoring obligations. RESPOND and RECOVER directly address IRP requirements and the incident reporting timelines. CISA has published a CSF-to-TSA mapping guide specifically for pipeline operators.
TSA + IEC 62443
IEC 62443’s zones and conduits concept directly addresses TSA’s IT/OT segmentation requirements. Defining Security Zones (groupings of OT assets with similar security requirements) and Conduits (communication paths between zones, each with defined access controls) provides the technical architecture to meet TSA segmentation mandates. IEC 62443-2-1 (security management system) and IEC 62443-3-3 (system security requirements) are particularly relevant for pipeline and rail OT environments.
TSA + NERC CIP
Energy companies operating both power generation assets and pipeline infrastructure may face both NERC CIP and TSA Directive requirements. A key operational difference: NERC CIP requires incident reporting within 1 hour for specific categories of incidents; TSA pipeline directives require CISA notification within 12 hours. Organizations subject to both must maintain dual reporting workflows and train staff on which timeline applies to which system type.
TSA + CISA CPG
CISA’s Cybersecurity Performance Goals (CPG), particularly CPG 4.D on OT-specific security, align with and reinforce TSA Directive requirements. While CPG compliance is voluntary, TSA Directive compliance effectively satisfies most CPG 4.D objectives. Organizations that have completed a CPG self-assessment have typically already addressed the majority of TSA technical requirements.
Tabletop Exercises as Regulatory Evidence
TSA Directives specifically require annual testing of the Cybersecurity Incident Response Plan. Documented tabletop exercises — exercises that simulate a realistic OT cybersecurity incident and test the IRP procedures — are the primary compliance mechanism accepted by TSA inspectors. The documentation package must include: the exercise scenario, participant list, tested IRP procedures, identified gaps, and after-action improvement actions with owners and timelines.
7. Preparing for TSA Directive Compliance
Achieving and maintaining TSA Directive compliance requires a structured approach that goes beyond policy documentation. The following steps provide a practical path to compliance for pipeline, aviation, and rail operators.
Building Your Cybersecurity Implementation Plan (CIP)
The CIP is the central compliance document under the aviation and rail directives. An effective CIP documents the specific technical and procedural controls you have implemented or will implement, with timelines, owners, and measurable completion criteria. The CIP should be organized by directive requirement area (segmentation, access controls, monitoring, incident response, training) and should reference supporting documentation such as network diagrams, access control policies, and monitoring tool configurations.
Structuring IRP Testing Tabletop Exercises for TSA Evidence
To satisfy TSA’s annual IRP testing requirement, tabletop exercises must be documented with sufficient detail to demonstrate that the IRP procedures — not just a general cybersecurity scenario — were tested. The exercise documentation must show that participants rehearsed the 12-hour or 24-hour CISA notification workflow, the internal escalation chain, the OT isolation decision process, and the stakeholder communication procedures. A brief after-action report noting “we ran a tabletop” is not sufficient. CyberICS Solutions generates TSA-ready after-action reports with mapped IRP procedure coverage automatically.
The Role of OT-Specific Scenario Libraries
Generic IT-focused tabletop scenarios do not adequately test OT incident response procedures. TSA-compliant IRP testing requires scenarios that reflect the actual threat landscape for pipeline, aviation, and rail OT environments — ransomware propagating from IT to OT, HMI manipulation attacks, PTC system interference for rail operators, and GPS spoofing for aviation. The CyberICS Solutions platform includes OT-specific scenarios for all three TSA-covered sectors, each mapped to TSA Directive compliance requirements and CISA’s sector-specific threat intelligence.
CISA Resources and Sector-Specific Guidance
CISA provides free resources for TSA-covered operators, including the ICS-CERT advisories, the CISA KEV (Known Exploited Vulnerabilities) catalog for OT CVEs, and sector-specific cybersecurity frameworks for each TSA-covered industry. CISA’s regional cybersecurity advisors (CSAs) can provide no-cost assessments to TSA-covered operators. The CISA cross-sector cybersecurity framework also provides a unified view of how TSA Directives, NIST CSF, and CISA CPG requirements interact.
Frequently Asked Questions
Are TSA Cybersecurity Directives legally mandatory?
Yes. TSA Cybersecurity Directives are issued under 49 U.S.C. § 114(l) and are mandatory legal requirements with civil penalty enforcement. Unlike voluntary NIST or CISA guidance, TSA Directives carry the force of federal law. Non-compliance can result in civil penalties and, in serious cases, revocation of operating certificates or authority.
What is the incident reporting timeline under TSA Directives?
Pipeline operators must report cybersecurity incidents to CISA within 12 hours of identification. Aviation and surface transportation (rail) operators must report within 24 hours. All reports go to CISA. Organizations must also designate a Cybersecurity Coordinator available 24/7 to manage reporting obligations.
Do TSA Directives apply to small pipeline operators?
TSA Directives apply to pipeline facilities designated as critical by TSA based on volume, geographic significance, or national security considerations. Not all pipeline operators fall within scope — TSA maintains a list of designated critical pipeline facilities. Operators unsure of their designation status should contact TSA directly.
What is a Cybersecurity Coordinator under TSA requirements?
A Cybersecurity Coordinator (CSC) is a designated individual or team available 24 hours a day, 7 days a week to coordinate cybersecurity practices and report incidents to TSA and CISA. The CSC’s current contact information must be reported to TSA and kept up to date. The role cannot be left vacant — covered operators must have a primary and alternate CSC designated at all times.
How do tabletop exercises satisfy TSA Directive IRP testing requirements?
TSA Directives explicitly require annual testing of the Cybersecurity Incident Response Plan (IRP). Documented tabletop exercises with after-action reports are the accepted compliance mechanism for demonstrating IRP testing. The exercise must test the plan’s procedures — including the incident reporting timeline, notification chain, and OT isolation decisions — and the documentation must be retained and available for TSA inspection.
Next Steps & Related Resources
The most effective next step after reviewing TSA Directive requirements is to conduct a documented tabletop exercise that tests your Cybersecurity Incident Response Plan against a realistic OT-specific scenario. This single action addresses the most commonly cited TSA compliance gap, generates the documentation required by TSA inspectors, and surfaces real gaps in your team’s notification and OT isolation procedures before a real incident reveals them. The CyberICS Solutions platform includes sector-specific scenarios for pipeline, aviation, and rail environments with automatic TSA-ready documentation output.