Critical Infrastructure Protection:

Key Pipeline Security Documents Need to Reflect Current Operating Environment

GAO-19-426: Published: Jun 5, 2019. Publicly Released: Jun 5, 2019.

Additional Materials:

Contact:

Bill Russell
(202) 512-8777
russellw@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

More than 2.7 million miles of pipeline transport the natural gas, oil, and other hazardous liquids the nation needs. The Departments of Homeland Security and Transportation share responsibility for safeguarding these pipelines along with pipeline operators.

In 2010, DHS's Transportation Security Administration issued a plan to coordinate pipeline security incident responses among government agencies and with the private sector.

However, TSA has not updated this plan since its issuance, so it doesn't fully reflect developments in key areas, such as cybersecurity.

We recommended that TSA periodically review and update this plan.

Hazardous Liquid and Natural Gas Transmission Pipelines in the United States, September 2018

Map showing the pipelines

Map showing the pipelines

Additional Materials:

Contact:

Bill Russell
(202) 512-8777
russellw@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The memorandum of understanding (MOU) Annex signed by the Transportation Security Administration (TSA) and Pipeline and Hazardous Materials Safety Administration (PHMSA) in 2006 delineates their mutually agreed-upon roles and responsibilities for pipeline security, but has not been reviewed to consider pipeline security developments since its inception. As a result, the annex may not fully reflect the agencies' pipeline security and safety-related activities. Efforts to update the annex were delayed by other priorities. As of June 2019, there are no timeframes for completion. By developing and implementing timeframes for reviewing the MOU Annex and updating it, as appropriate, TSA and PHMSA could better ensure any future changes to their respective roles and responsibilities are clearly delineated and updated on a regular basis.

TSA's Pipeline Security and Incident Recovery Protocol Plan, issued in March 2010, defines the roles and responsibilities of federal agencies and the private sector, among others, related to pipeline security incidents. For example, in response to a pipeline incident, TSA coordinates information sharing between federal and pipeline stakeholders and PHMSA coordinates federal activities with an affected pipeline operator to restore service. However, TSA has not revised the plan to reflect changes in at least three key areas: pipeline security threats, such as those related to cybersecurity, incident management policies, and DHS's terrorism alert system. By periodically reviewing and, as appropriate, updating its plan, TSA could better ensure it addresses changes in pipeline security threats and federal law and policy related to cybersecurity, incident management and DHS's terrorism alert system, among other things. TSA could also provide greater assurance that pipeline stakeholders understand federal roles and responsibilities related to pipeline incidents, including cyber incidents, and that response efforts to such incidents are well-coordinated.

Map of Hazardous Liquid and Natural Gas Transmission Pipelines in the United States, September 2018

U:\Work in Process\Teams\FY19 Reports\HSJ\103229\Graphics\HL_5 - 103229.tif

Why GAO Did This Study

More than 2.7 million miles of pipeline transport natural gas, oil, and other hazardous liquids needed to operate vehicles and heat homes, among other things, in the United States.

Responsibility for safeguarding these pipelines is shared by TSA, within the Department of Homeland Security (DHS); PHMSA, within the Department of Transportation (DOT); and pipeline operators. TSA oversees the security of all transportation modes, including pipelines. PHMSA oversees pipeline safety. DHS and DOT signed a MOU on their roles across all transportation modes in 2004. In 2006, TSA and PHMSA signed an annex to the MOU (MOU Annex) to further delineate their pipeline security-related responsibilities.

The TSA Modernization Act includes a provision for GAO to review DHS and DOT roles and responsibilities for pipeline security. This report addresses, among other things: (1) the extent the MOU Annex delineates TSA's and PHMSA's pipeline security roles and responsibilities; and (2) the extent TSA has communicated federal incident response procedures for pipeline breaches to stakeholders. GAO reviewed the MOU annex and related documents and TSA's Pipeline Security and Incident Recovery Protocol Plan, and interviewed officials from PHMSA, TSA, and four pipeline associations.

What GAO Recommends

GAO is making five recommendations, including that: (1) TSA and PHMSA develop and implement a timeline for reviewing and, as appropriate, updating the 2006 MOU Annex; and (2) TSA periodically review, and as appropriate, update its 2010 pipeline incident recovery plan. DHS and DOT concurred with these recommendations.

For more information, contact Bill Russell, (202) 512-8777 or russellw@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In June 2019, we reported on the need for key pipeline security documents to reflect the current operating environment (GAO-19-426). During the course of our review, we found that the memorandum of understanding Annex, signed by the Transportation of Security Administration (TSA) and the Pipeline and Hazardous Materials Safety Administration (PHMSA) had not been reviewed to consider pipeline security developments since its inception. Specifically, the MOU Annex delineated TSA and PHMSA mutually-agreed upon pipeline security roles and responsibilities and acknowledged that both agencies benefit by sharing each other's expertise. Efforts to update the annex were delayed by other priorities. As a result, the annex did not fully reflect the agencies' pipeline security and safety activities. Consequently, we recommended that the TSA and PHMSA Administrators work to (1) develop and implement a timeframe with milestones dates for reviewing, and as appropriate, updating the MOU Annex and (2) revise the MOU Annex to include a provision requiring periodic reviews of, and corresponding updates to the Annex. As of February 2020, TSA and PHMSA implemented both recommendations by: (1) developing and implementing a timeframe with milestone dates for reviewing the MOU Annex; (2) updating the MOU Annex by including a provision that PHMSA and TSA are committed to reviewing the Annex at least once every five years, or whenever applicable authorities are revised or modified; and (3) updating the MOU Annex to reflect the current operating environment in several areas, such as delineating clear lines of authority and responsibility for interagency information-sharing regarding pipeline incidents. As a result, this recommendation is closed as implemented.

    Recommendation: The TSA Administrator should work with the PHMSA Administrator to develop and implement a timeline with milestone dates for reviewing and, as appropriate, updating the 2006 MOU Annex. (Recommendation 1)

    Agency Affected: Department of Homeland Security: Transportation Security Administration

  2. Status: Closed - Implemented

    Comments: In June 2019, we reported on the need for key pipeline security documents to reflect the current operating environment (GAO-19-426). During the course of our review, we found that the memorandum of understanding Annex, signed by the Transportation of Security Administration (TSA) and the Pipeline and Hazardous Materials Safety Administration (PHMSA) had not been reviewed to consider pipeline security developments since its inception. Specifically, the MOU Annex delineated TSA and PHMSA mutually-agreed upon pipeline security roles and responsibilities and acknowledged that both agencies benefit by sharing each other's expertise. Efforts to update the annex were delayed by other priorities. As a result, the annex did not fully reflect the agencies' pipeline security and safety activities. Consequently, we recommended that the TSA and PHMSA Administrators work to (1) develop and implement a timeframe with milestones dates for reviewing, and as appropriate, updating the MOU Annex and (2) revise the MOU Annex to include a provision requiring periodic reviews of, and corresponding updates to the Annex. As of February 2020, TSA and PHMSA implemented both recommendations by: (1) developing and implementing a timeframe with milestone dates for reviewing the MOU Annex; (2) updating the MOU Annex by including a provision that PHMSA and TSA are committed to reviewing the Annex at least once every five years, or whenever applicable authorities are revised or modified; and (3) updating the MOU Annex to reflect the current operating environment in several areas, such as delineating clear lines of authority and responsibility for interagency information-sharing regarding pipeline incidents. As a result, this recommendation is closed as implemented.

    Recommendation: The PHMSA Administrator should work with the TSA Administrator to develop and implement a timeline with milestone dates for reviewing and, as appropriate, updating, the 2006 MOU Annex. (Recommendation 2)

    Agency Affected: Department of Transportation: Pipeline and Hazardous Materials Safety Administration

  3. Status: Closed - Implemented

    Comments: In June 2019, we reported on the need for key pipeline security documents to reflect the current operating environment (GAO-19-426). During the course of our review, we found that the memorandum of understanding Annex, signed by the Transportation of Security Administration (TSA) and the Pipeline and Hazardous Materials Safety Administration (PHMSA) had not been reviewed to consider pipeline security developments since its inception. Specifically, the MOU Annex delineated TSA and PHMSA mutually-agreed upon pipeline security roles and responsibilities and acknowledged that both agencies benefit by sharing each other's expertise. Efforts to update the annex were delayed by other priorities. As a result, the annex did not fully reflect the agencies' pipeline security and safety activities. Consequently, we recommended that the TSA and PHMSA Administrators work to (1) develop and implement a timeframe with milestones dates for reviewing, and as appropriate, updating the MOU Annex and (2) revise the MOU Annex to include a provision requiring periodic reviews of, and corresponding updates to the Annex. As of February 2020, TSA and PHMSA implemented both recommendations by: (1) developing and implementing a timeframe with milestone dates for reviewing the MOU Annex; (2) updating the MOU Annex by including a provision that PHMSA and TSA are committed to reviewing the Annex at least once every five years, or whenever applicable authorities are revised or modified; and (3) updating the MOU Annex to reflect the current operating environment in several areas, such as delineating clear lines of authority and responsibility for interagency information-sharing regarding pipeline incidents. As a result, this recommendation is closed as implemented.

    Recommendation: The TSA Administrator, in consultation with the PHMSA Administrator should revise the 2006 MOU Annex to include a provision requiring periodic reviews of, and as appropriate, corresponding updates to the Annex.(Recommendation 3)

    Agency Affected: Department of Homeland Security: Transportation Security Administration

  4. Status: Closed - Implemented

    Comments: In June 2019, we reported on the need for key pipeline security documents to reflect the current operating environment (GAO-19-426). During the course of our review, we found that the memorandum of understanding Annex, signed by the Transportation of Security Administration (TSA) and the Pipeline and Hazardous Materials Safety Administration (PHMSA) had not been reviewed to consider pipeline security developments since its inception. Specifically, the MOU Annex delineated TSA and PHMSA mutually-agreed upon pipeline security roles and responsibilities and acknowledged that both agencies benefit by sharing each other's expertise. Efforts to update the annex were delayed by other priorities. As a result, the annex did not fully reflect the agencies' pipeline security and safety activities. Consequently, we recommended that the TSA and PHMSA Administrators work to (1) develop and implement a timeframe with milestones dates for reviewing, and as appropriate, updating the MOU Annex and (2) revise the MOU Annex to include a provision requiring periodic reviews of, and corresponding updates to the Annex. As of February 2020, TSA and PHMSA implemented both recommendations by: (1) developing and implementing a timeframe with milestone dates for reviewing the MOU Annex; (2) updating the MOU Annex by including a provision that PHMSA and TSA are committed to reviewing the Annex at least once every five years, or whenever applicable authorities are revised or modified; and (3) updating the MOU Annex to reflect the current operating environment in several areas, such as delineating clear lines of authority and responsibility for interagency information-sharing regarding pipeline incidents. As a result, this recommendation is closed as implemented.

    Recommendation: The PHMSA Administrator, in consultation with the TSA Administrator should revise the 2006 MOU Annex to include a provision requiring periodic reviews of, and as appropriate, corresponding updates to the Annex.(Recommendation 4)

    Agency Affected: Department of Transportation: Pipeline and Hazardous Materials Safety Administration

  5. Status: Open

    Comments: DHS concurred with this recommendation and stated that TSA will periodically review, and as appropriate, update the 2010 Pipeline Security and Incident Recovery Protocol Plan to ensure the plan reflects relevant changes in pipeline security threats, technology, federal law and policy, and any other factors relevant to the security of the nation's pipeline systems. In October 2019, TSA officials reported that they were in the process of reviewing the 2010 Pipeline Security and Incident Recovery Protocol Plan and anticipated completing the review by December 2019. We will continue to monitor TSA's efforts to implement this recommendation.

    Recommendation: The TSA Administrator should periodically review, and as appropriate, update the 2010 Pipeline Security and Incident Recovery Protocol Plan to ensure the plan reflects relevant changes in pipeline security threats, technology, federal law and policy, and any other factors relevant to the security of the nation's pipeline systems. (Recommendation 5)

    Agency Affected: Department of Homeland Security: Transportation Security Administration

 

Explore the full database of GAO's Open Recommendations »

Jul 8, 2020

May 14, 2020

May 7, 2020

May 5, 2020

May 4, 2020

May 1, 2020

Apr 21, 2020

Apr 9, 2020

Apr 8, 2020

Looking for more? Browse all our products here