United States regulation

TSA Pipeline Security Directives

Civil penalties up to $86,525 per violation per day and potential operational suspension make TSA directive compliance an existential requirement for pipeline operators.

Mapped to Microsoft controls
Effective Date: May 2021 (SD-01); July 2021 (SD-02); July 2023 (SD-02D)
Enforcement Body: Transportation Security Administration (TSA) / Department of Homeland Security (DHS)
Penalty Framework: Civil penalties of up to $86,525 per violation per day for non-compliance with TSA Security Directives. TSA can also issue compliance orders, suspend or revoke security credentials, and refer cases for criminal prosecution. Pipeline operators may face operational restrictions until compliance is achieved.

The TSA Pipeline Security Directives were issued in response to the May 2021 Colonial Pipeline ransomware attack, which disrupted fuel supply to the US East Coast. They represent the first mandatory cybersecurity requirements for the pipeline sector, shifting from a voluntary guidelines-based approach.

Security Directive Pipeline-2021-01 requires incident reporting to CISA within 12 hours and designation of a cybersecurity coordinator. SD Pipeline-2021-02 (updated to 02D in 2023) mandates specific cybersecurity measures including network segmentation, access control, continuous monitoring, and incident response planning.

For Microsoft 365 environments supporting pipeline operations, the directive obligations map onto Conditional Access for access control, Defender XDR for continuous monitoring and threat detection, and Purview audit logs for incident evidence and regulatory reporting. The directives are product-agnostic: these controls satisfy the obligations only for the identity, endpoint and collaboration systems the operator designates as critical cyber systems, and the IT/OT network segmentation that the SD-02 series requires lies outside the tenant and must be evidenced separately. StremarControl engineers and operates these Microsoft-native controls, translating each obligation into an enforceable policy, structured evidence, and an ongoing assurance cadence.

Why This Matters Now

Following the Colonial Pipeline ransomware attack in May 2021, TSA issued emergency Security Directives mandating cybersecurity controls for critical pipeline operators. These directives require access control, continuous monitoring, and incident reporting to CISA within 12 hours. For M365 environments supporting pipeline operations, the corresponding controls are Conditional Access for access control, Defender XDR for continuous monitoring, and Purview audit logs for incident evidence. The directives represent a shift from voluntary guidelines to mandatory cybersecurity requirements for critical infrastructure.

Scope & Applicability

Applies to owners and operators of TSA-designated critical pipelines (approximately 100 operators covering the most critical systems). SD-01 covers incident reporting and cybersecurity coordinator designation. SD-02 (revised as SD-02D) mandates specific cybersecurity controls including network segmentation, access control, continuous monitoring, and patch management. M365 tenants supporting pipeline operations must implement directive-aligned controls.

Core Obligations

01
SD Pipeline-2021-01, §I

12-Hour Incident Reporting

Report cybersecurity incidents to CISA within 12 hours of identification. Designate a cybersecurity coordinator available 24/7.

02
SD Pipeline-2021-02D, §III

Access Control Measures

Implement access control measures to secure critical cyber systems. Employ MFA for remote access and privileged accounts.

03
SD Pipeline-2021-02D, §IV

Continuous Monitoring

Implement continuous monitoring and detection policies for threats and anomalies in critical cyber systems.

04
SD Pipeline-2021-02D, §V

Cybersecurity Assessment

Conduct cybersecurity architecture design reviews and develop a cybersecurity implementation plan with milestones.

Microsoft 365 Control Mapping

How each obligation maps to enforceable Microsoft 365 controls and the evidence they produce.

Obligation

12-Hour Incident Reporting

M365 Control

Defender XDR incident detection, with Sentinel automation rules and playbooks that page the cybersecurity coordinator and start the 12-hour clock at the moment of identification. The CISA report itself is submitted by the coordinator; automation classifies and escalates the incident and records the timestamps that show the window was met.

Evidence

Defender incident reports, Sentinel playbook execution logs, CISA notification records.

Obligation

Access Control

M365 Control

Conditional Access requiring phishing-resistant MFA (via authentication strengths) for privileged roles and remote access, PIM for just-in-time privileged activation, and named locations plus device compliance as grant conditions. Conditional Access gates sign-in to cloud applications; it does not segment networks, so the IT/OT segmentation obligation is evidenced from network controls rather than from the tenant.

Evidence

Conditional Access policy exports, MFA reports, PIM activation logs, access review records.
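The policy export listed as evidence above is straightforward to produce, but a raw export does not by itself show whether the tenant meets the MFA obligation. The script below is an added example, not code from this page or from StremarControl: it pulls every Conditional Access policy with the Microsoft Graph PowerShell SDK, classifies what each enabled policy actually demands (phishing-resistant strength, legacy "mfa" control, block, or nothing), flags policies that target directory roles or all users without requiring phishing-resistant MFA, and writes a timestamped, hashed evidence bundle. The built-in authentication strength IDs are Microsoft's documented values; the evidence folder, the gap rule, and the heuristic that "targets roles or all users" means privileged or remote access are this example's assumptions. It assumes the SDK is installed and the signed-in account holds Policy.Read.All.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns
# Added example (not from the page or from StremarControl): collect Conditional
# Access evidence for the Access Control obligation and flag enabled policies
# that still allow non-phishing-resistant MFA. Assumes the Microsoft Graph
# PowerShell SDK is installed and the caller holds Policy.Read.All.
# The evidence folder and the gap rule below are this example's assumptions.

param(
    [string]$EvidenceDir = (Join-Path $PWD 'tsa-sd-evidence')   # assumption: local evidence folder
)

# Microsoft's documented built-in authentication strength IDs.
$StrengthNames = @{
    '00000000-0000-0000-0000-000000000002' = 'Multifactor authentication'
    '00000000-0000-0000-0000-000000000003' = 'Passwordless MFA'
    '00000000-0000-0000-0000-000000000004' = 'Phishing-resistant MFA'
}
$PhishingResistantId = '00000000-0000-0000-0000-000000000004'

function Get-GrantPosture {
    # Classify what a policy's grant control actually requires of the user.
    param([Parameter(Mandatory)] $Policy)
    $grant = $Policy.GrantControls
    if ($null -eq $grant) { return 'none (session controls only)' }
    if ($grant.AuthenticationStrength -and $grant.AuthenticationStrength.Id) {
        $id = $grant.AuthenticationStrength.Id
        if ($id -eq $PhishingResistantId) { return 'phishing-resistant MFA' }
        $name = if ($StrengthNames.ContainsKey($id)) { $StrengthNames[$id] } else { "custom strength $id" }
        return "authentication strength: $name"
    }
    if ($grant.BuiltInControls -contains 'block') { return 'block' }
    if ($grant.BuiltInControls -contains 'mfa')   { return 'any MFA (legacy control; SMS and voice still satisfy it)' }
    return 'no MFA requirement'
}

function Test-PolicyGap {
    # Gap rule (assumption of this example): an enabled policy that targets
    # directory roles or all users, but neither requires phishing-resistant MFA
    # nor blocks, is reported as a gap against the obligation.
    param([Parameter(Mandatory)] $Policy, [Parameter(Mandatory)] [string]$Posture)
    if ($Policy.State -ne 'enabled') { return $false }
    $users = $Policy.Conditions.Users
    $targetsPrivileged = (@($users.IncludeRoles).Count -gt 0) -or ($users.IncludeUsers -contains 'All')
    return $targetsPrivileged -and ($Posture -notin @('phishing-resistant MFA', 'block'))
}

Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
$policies = Get-MgIdentityConditionalAccessPolicy -All

$report = foreach ($p in $policies) {
    $posture = Get-GrantPosture -Policy $p
    [pscustomobject]@{
        DisplayName   = $p.DisplayName
        State         = $p.State          # 'enabledForReportingOnly' enforces nothing
        RolesTargeted = @($p.Conditions.Users.IncludeRoles).Count
        AllUsers      = ($p.Conditions.Users.IncludeUsers -contains 'All')
        Posture       = $posture
        Gap           = Test-PolicyGap -Policy $p -Posture $posture
    }
}

$report | Sort-Object Gap -Descending | Format-Table -AutoSize

# Evidence bundle: raw policy export, the posture table, and a SHA-256 of the
# export so the file handed to an assessor can be tied to this run.
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$stamp  = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$export = Join-Path $EvidenceDir "conditional-access-policies-$stamp.json"
$policies | ConvertTo-Json -Depth 20 | Set-Content -Path $export -Encoding utf8
$report   | Export-Csv -Path (Join-Path $EvidenceDir "conditional-access-posture-$stamp.csv") -NoTypeInformation
(Get-FileHash -Path $export -Algorithm SHA256).Hash | Set-Content -Path "$export.sha256"

Write-Host "Exported $($policies.Count) policies; $(@($report | Where-Object Gap).Count) gap(s) flagged. Evidence in $EvidenceDir"
```

Two points the classification makes visible that an export alone does not: a policy in report-only state enforces nothing, so it should not be offered as evidence of an enforced control; and the legacy "Require multifactor authentication" grant control is satisfied by SMS and voice, so only an authentication strength demonstrates the phishing-resistant requirement.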

Obligation

Continuous Monitoring

M365 Control

Defender XDR unified incident queue. Sentinel SIEM with analytics rules tuned to threats against critical cyber systems, such as remote-access and privileged-account anomalies. Microsoft Secure Score tracked as a posture metric; it measures configuration, not detection, and complements rather than replaces the monitoring controls.

Evidence

Sentinel alert summaries, Defender threat analytics, monthly Secure Score reports.

Implementation Timeline

May 2021: Colonial Pipeline ransomware attack triggers emergency response
May 2021: SD Pipeline-2021-01 issued (incident reporting and cybersecurity coordinators)
July 2021: SD Pipeline-2021-02 issued (mandatory cybersecurity controls)
July 2023: SD Pipeline-2021-02D issued (updated with performance-based requirements)


Ready to get TSA Pipeline SD-ready?

Start with a fixed-scope sprint. We assess your Microsoft 365 controls against TSA Pipeline SD requirements, close gaps, and produce audit-ready evidence.