|   | |||||||||
| DEPARTMENT OF HOMELAND SECURITY | ||||
| Transportation Security Administration | ||||
| Pipeline Corporate Security Review (CSR) | CSR FY2020 V.1 (October 2019) | |||
| Operator Name: | Assessment Date: | |||
| 0 | 1/1/2019 | |||
| Question Type | Question # | CSR Question | Answer (Yes/No/X) | |
| SAI | 1.0000 | Security Plans | SAI | |
| 1.0100 | Is your corporate security manager solely dedicated to a corporate security function or tasked with other responsibilities such as environmental, health, and safety? | |||
| 1.0200 | Does your corporate security manager or equivalent position have a direct reporting relationship to the senior leadership in the corporation? | |||
| 1.0300 | Does the corporation have a cross-departmental security committee? | |||
| 1.0400 | Which of the following departments are represented on the security committee? | ZZZ | ||
| 1.0401 | Corporate Management | |||
| 1.0402 | Human Resources | |||
| 1.0403 | Security | |||
| 1.0404 | Legal | |||
| 1.0405 | Engineering | |||
| 1.0406 | Operations and/or Maintenance | |||
| 1.0407 | Information Technology | |||
| 1.0408 | Other (if checked, elaborate) | |||
| R | 1.0500 | Have you established a corporate security program to address and document policies and procedures for managing security-related threats, incidents, and responses? | ||
| R | 1.0600 | Does your corporation have a written corporate security plan? | ||
| R | 1.0700 | Which of the following company plans are directly included or incorporated by reference in the corporate security plan? | ||
| 1.0701 | Business Continuity Plan | |||
| 1.0702 | Incident Response Plan | |||
| 1.0703 | Incident Recovery Plan | |||
| 1.0704 | Enterprise Cybersecurity Plans | |||
| 1.0705 | OT Cybersecurity Plans | |||
| 1.0706 | Other (if checked, elaborate) | |||
| R | 1.0800 | Is the corporate security plan reviewed on an annual basis and updated as required? | ||
| R | 1.0900 | Does the corporate security plan identify the primary and alternate security manager or officer responsible for executing and maintaining the plan? | ||
| 1.1000 | Is the corporate security plan readily available to those persons responsible for security actions? | |||
| R | 1.1100 | Do you incorporate the following elements into your corporate security plan or associated documents? | ||
| 1.1101 | System Description | |||
| 1.1102 | Security Administration and Management Structure | |||
| 1.1103 | Risk Analysis and Assessments | |||
| 1.1104 | Physical Security and Access Control Measures | |||
| 1.1105 | Equipment Maintenance and Testing | |||
| 1.1106 | Personnel Screening | |||
| 1.1107 | Communications | |||
| 1.1108 | Personnel Training | |||
| 1.1109 | Security Incident Procedures | |||
| 1.1110 | National Terrorism Advisory System (NTAS) Response Procedures | |||
| 1.1111 | Security Plan Reviews | |||
| 1.1112 | Recordkeeping | |||
| 1.1113 | Cyber/SCADA System Security Measures | |||
| 1.1114 | Essential Security Contacts | |||
| 1.1115 | Security Testing and Audits | |||
| 1.1116 | Outreach (neighbors, law enforcement, media, public) | |||
| 1.1117 | Other (if checked, elaborate) | |||
| R | 1.1200 | Do you have sufficient resources, including trained staff and equipment, to effectively execute the corporate security program? | ||
| R | 1.1300 | Are appropriate financial resources allocated in the corporate budgeting and purchasing process to correct identified security deficiencies? | ||
| 1.1400 | How much operations and/or maintenance money did your corporation spend on security in the previous fiscal year? | ZZZ | ||
| 1.1401 | < $99,999 | |||
| 1.1402 | $100,000 - $249,999 | |||
| 1.1403 | $250,000 - $499,999 | |||
| 1.1404 | $500,000 - $999,999 | |||
| 1.1405 | $1,000,000 - $4,999,999 | |||
| 1.1406 | >$5,000,000 | |||
| 1.1500 | How much capital money did your corporation spend on security in the previous fiscal year? | ZZZ | ||
| 1.1501 | < $99,999 | |||
| 1.1502 | $100,000 - $249,999 | |||
| 1.1503 | $250,000 - $499,999 | |||
| 1.1504 | $500,000 - $999,999 | |||
| 1.1505 | $1,000,000 - $4,999,999 | |||
| 1.1506 | >$5,000,000 | |||
| 1.1600 | Has your corporation established security metrics? | |||
| R | 1.1700 | Are the corporate security plan, the enterprise cyber security plan, and the OT cyber security plan, as applicable, protected from unauthorized access? | ||
| R | 1.1800 | Are the corporate security plan, the enterprise cyber security plan, and the OT cyber security plan, as applicable, available for TSA review upon request? | ||
| SAI | 2.0000 | Security Plans - Cyber | SAI | |
| 2.0100 | Do your cybersecurity plans incorporate any of the following approaches? | |||
| 2.0101 | National Institute of Standards and Technology (NIST), Framework for Improving Critical Infrastructure Cybersecurity | |||
| 2.0102 | U.S. Department of Energy, Office of Electricity and Energy Reliability, Energy Sector Cybersecurity Framework Implementation Guidance | |||
| 2.0103 | U.S. Department of Homeland Security, Transportation Systems Sector Cybersecurity Framework Implementation Guidance | |||
| 2.0104 | Industry-specific methodologies (See 2018 TSA Pipeline Security Guidelines, Section 7.4 for partial listing.) | |||
| 2.0105 | Other (if checked, elaborate) | |||
| R | 2.0200 | Does your corporation review, assess, and update as necessary all cybersecurity policies plans, processes, and supporting procedures at least every 36 months, or when there is a significant organizational or technological change? | ||
| R | 2.0300 | For critical pipeline cyber assets, does your corporation review, assess, and update as necessary all cybersecurity policies plans, processes, and supporting procedures at least every 12 months, or when there is a significant organizational change? | ||
| R | 2.0400 | Has your corporation established policies and procedures for cybersecurity incident handling, analysis, and reporting, including assignments of specific roles/tasks to individuals and teams? | ||
| R | 2.0500 | Has your corporation established and maintained a cyber-incident response capability? | ||
| R | 2.0600 | For critical pipeline cyber assets, has your corporation established and maintained a process that supports 24/7 cyber-incident response? | ||
| R | 2.0700 | Do your corporation’s response plans and procedures include mitigation measures to help prevent further impacts? | ||
| R | 2.0800 | Has your corporation established a plan for the recovery and reconstitution of pipeline cyber assets within a time frame to align with the company’s safety and business continuity objectives? | ||
| R | 2.0900 | Does your corporation review its cyber recovery plan annually and update it as necessary? | ||
| SAI | 3.0000 | Communication | SAI | |
| R | 3.0100 | Does your corporation have internal and external notification requirements and procedures for security events? | ||
| R | 3.0200 | Does your corporation document and periodically update contact and communication information for Federal, state, and local homeland security/law enforcement agencies? | ||
| R | 3.0300 | Does your corporation have a defined process for receiving, handling, disseminating, and storing security and threat information? | ||
| R | 3.0400 | Do all critical facilities have primary and alternate communication capabilities for internal and external reporting of appropriate security events and information? | ||
| 3.0500 | Which of the following external agencies/organizations would the corporation notify in the event of a security incident, a security threat, or suspicious activity? | ZZZ | ||
| 3.0501 | National Response Center (NRC) | |||
| 3.0502 | Local emergency responders/911 | |||
| 3.0503 | Transportation Security Administration / Transportation Security Operations Center (TSA/TSOC) | |||
| 3.0504 | Tribal emergency responders | |||
| 3.0505 | State emergency responders | |||
| 3.0506 | Other federal agencies | |||
| 3.0507 | Federal Bureau of Investigation (FBI) | |||
| 3.0508 | Department of Homeland Security (DHS) | |||
| 3.0509 | Neighboring corporations | |||
| 3.0510 | Other (if checked, elaborate) | |||
| SAI | 4.0000 | Security Incident Procedures | SAI | |
| R | 4.0100 | Are security elements developed and maintained within the corporate incident response and recovery plan? | ||
| 4.0200 | Does your corporation have a policy and/or procedure for handling security threat or incident information? | |||
| 4.0300 | From whom does your corporation receive current security threat information? | ZZZ | ||
| 4.0301 | Transportation Security Operations Center (TSOC) | |||
| 4.0302 | DHS Protective Security Advisor (DHS PSA) | |||
| 4.0303 | Joint Terrorism Task Force (JTTF) | |||
| 4.0304 | Federal Bureau of Investigation (FBI) | |||
| 4.0305 | Homeland Security Information Network (HSIN) | |||
| 4.0306 | State fusion center(s) | |||
| 4.0307 | Local law enforcement | |||
| 4.0308 | Coast Guard | |||
| 4.0309 | Corporate affiliations | |||
| 4.0310 | Department of Energy | |||
| 4.0311 | Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) | |||
| 4.0312 | Other (if checked, elaborate) | |||
| R | 4.0400 | Does your corporation notify TSA via the Transportation Security Operations Center (TSOC) by phone or email as soon as possible if any of the types of security incidents listed in Appendix B – TSA Notification Criteria, 2018 TSA Pipeline Security Guidelines occurs or if there is any other reason to believe that a terrorist incident may be planned or may have occurred? | ||
| R | 4.0500 | Has your corporation implemented procedures for responding to security incidents or emergencies and to pertinent National Terrorism Advisory System (NTAS) Bulletins or Alerts, including appropriate reporting requirements? | ||
| R | 4.0600 | Has your corporation implemented site-specific security measures for each critical facility to be taken in response to pertinent NTAS Bulletins or Alerts or other threat information? | ||
| R | 4.0700 | Are the site-specific security measures for each critical facility reviewed and updated as necessary at least every 18 months? | ||
| R | 4.0800 | Does your corporation have adequate staffing to implement security measures in response to security threat information? | ||
| 4.0900 | Does your corporation have contracts in place with private security providers to augment existing security staffing during times of heightened alert? | |||
| R | 4.1000 | Are bomb threat checklists posted by telephones at all staffed facilities? | ||
| R | 4.1100 | At an Elevated Threat Level, would your corporation enact the following physical access controls at your critical facilities? | ||
| 4.1101 | Limit facility access to essential personnel. | |||
| 4.1102 | Limit facility access to essential visitors, personnel, and vehicles. | |||
| 4.1103 | Increase surveillance of critical areas and facilities. | |||
| 4.1104 | Restrict deliveries to those essential to continued operations. | |||
| 4.1105 | Conduct random inspections of vehicles and of bags, backpacks, purses, etc. | |||
| 4.1106 | Delay or reschedule nonvital maintenance and capital project work that could affect facility security, as appropriate. | |||
| 4.1107 | Increase lighting in facility buffer zones, as appropriate. | |||
| 4.1108 | Verify the operating condition of security systems such as intrusion detection, cameras, and lighting initially and at least weekly thereafter until termination of the advisory. | |||
| 4.1109 | Request that local law enforcement agencies increase the frequency of patrols of the facility. | |||
| 4.1110 | Other (if checked, elaborate) | |||
| R | 4.1200 | At an Elevated Threat Level, would your corporation enact the following measures on your cyber/SCADA system(s)? | ||
| 4.1201 | Increase monitoring of intrusion detection systems. | |||
| 4.1202 | Remind personnel of the reporting requirements for any unusual enterprise or control systems network activity. | |||
| 4.1203 | Remind personnel to be vigilant regarding suspicious electronic mail. | |||
| 4.1204 | Other (if checked, elaborate) | |||
| R | 4.1300 | At an Elevated Threat Level, would your corporation enact the following communications measures at your critical facilities? | ||
| 4.1301 | Inform all employees and on-site contractors of the change to the Elevated Threat Level. | |||
| 4.1302 | Conduct security awareness briefings for all employees and on-site contractors. | |||
| 4.1303 | Brief employees and on-site contractors on the characteristics of suspicious packages or mail. | |||
| 4.1304 | Review response procedures for suspicious packages or mail. | |||
| 4.1305 | Inform local law enforcement that the facility is at an Elevated Threat Level and advise them of the security measures being employed. | |||
| 4.1306 | Verify the proper operation of intelligence and emergency communications networks/channels, including those with TSA and first responder agencies. | |||
| 4.1307 | Monitor these networks/channels as appropriate. | |||
| 4.1308 | Other (if checked, elaborate) | |||
| R | 4.1400 | At an Imminent Threat Level, would your corporation enact the following physical access controls at your critical facilities? | ||
| 4.1401 | Cancel or delay non-vital contractor work and services. | |||
| 4.1402 | Allow deliveries by appointment only. | |||
| 4.1403 | Inspect all bags, backpacks, purses, etc. prior to entering the facility. | |||
| 4.1404 | Inspect all vehicles prior to gaining access to the facility. | |||
| 4.1405 | Inspect all deliveries, including packages and cargo. | |||
| 4.1406 | Secure all non-essential entrances and facility access points. | |||
| 4.1407 | Staff or monitor active facility entrances and access points 24/7. | |||
| 4.1408 | Erect barriers and/or obstacles to control vehicular traffic flow. | |||
| 4.1409 | Where possible, restrict vehicle parking to 150 feet from all critical areas and assets. | |||
| 4.1410 | Coordinate with local authorities regarding closing nearby public roads and facilities, if appropriate. | |||
| 4.1411 | Other (if checked, elaborate) | |||
| R | 4.1500 | At an Imminent Threat Level, would your corporation enact the following measures on your cyber/SCADA system(s)? | ||
| 4.1501 | Limit network communications links to essential sites/users. | |||
| 4.1502 | Review remote access for individuals and revoke any credentials that are not current and necessary. | |||
| 4.1503 | Other (if checked, elaborate) | |||
| R | 4.1600 | At an Imminent Threat Level, would your corporation enact the following communications measures? | ||
| 4.1601 | Inform all employees and contractors of the increase to the Imminent Threat Level. | |||
| 4.1602 | Conduct daily security and awareness briefings for each shift. | |||
| 4.1603 | Participate in situation update briefings with TSA, other government agencies including local law enforcement, and pipeline industry associations. | |||
| 4.1604 | Other (if checked, elaborate) | |||
| 4.1700 | Does your corporation use an incident management system, such as the National Incident Management System (NIMS), for security-related events? | |||
| 4.1800 | Does your company have a process for assuring the viability of the OT cyber recovery plan, including a backup control center? | |||
| SAI | 5.0000 | Security Training | SAI | |
| R | 5.0100 | Does your corporation provide security awareness briefings, to include security incident recognition and reporting procedures, for all personnel with unescorted access upon hiring and every three years thereafter? | ||
| R | 5.0200 | Does your corporation document security training and maintain records in accordance with company record retention policy? | ||
| R | 5.0300 | Does your corporation provide security training, to include incident response training, to personnel assigned security duties upon hiring and annually thereafter? | ||
| 5.0400 | Have your corporation’s security personnel availed themselves of any of the following training opportunities or affiliations? | |||
| 5.0401 | Security forums or conferences | |||
| 5.0402 | Pipeline forums or conferences | |||
| 5.0403 | Advanced security training | |||
| 5.0404 | Security Committee(s) participation | |||
| 5.0405 | Government Sector Committee(s) | |||
| 5.0406 | Industry security collaboration | |||
| 5.0407 | Other (if checked, elaborate) | |||
| 5.0500 | Does your corporation use any of the TSA security training material? | |||
| R | 5.0600 | Do all persons requiring access to the company’s pipeline cyber assets receive cybersecurity awareness training? | ||
| R | 5.0700 | Is there a cyber-threat awareness program for employees that includes practical exercises/testing? | ||
| R | 5.0800 | For critical pipeline cyber assets, does your corporation provide role-based security training on recognizing and reporting potential indicators of system compromise prior to granting access to critical pipeline cyber assets? | ||
| SAI | 6.0000 | Outreach | SAI | |
| R | 6.0100 | Does each critical facility conduct outreach to nearby law enforcement agencies to ensure awareness of the facility’s functions and significance? | ||
| R | 6.0200 | Does each critical facility conduct outreach to neighboring businesses to coordinate security efforts and to neighboring residences to provide facility security awareness? | ||
| R | 6.0300 | For critical pipeline cyber assets, does your corporation ensure that threat and vulnerability information received from information-sharing forums and sources are made available to those responsible for assessing and determining the appropriate course of action? | ||
| R | 6.0400 | Does your corporation report significant cyber incidents to the following? | ||
| 6.0401 | Senior management | |||
| 6.0402 | Appropriate federal entities | |||
| 6.0403 | Appropriate state, local, and tribal entities | |||
| 6.0404 | Applicable ISAC(s) | |||
| R | 6.0500 | Does the corporation have procedures in place to contact the National Cybersecurity and Communications Integration Center (NCCIC) for actual or suspected cyber-attacks that could impact pipeline industrial control systems (SCADA, PCS, DCS) measurement systems and telemetry systems or enterprise-associated IT systems? (Appendix B – TSA Notification Criteria, 2018 TSA Pipeline Security Guidelines.) | ||
| SAI | 7.0000 | Risk Analysis and Assessments | SAI | |
| R | 7.0100 | Does your corporation conduct criticality assessments for all facilities at least every 18 months? | ||
| R | 7.0200 | Is the methodology used to determine critical facilities documented in the corporate security plan? | ||
| R | 7.0300 | Did you utilize the criteria from the 2018 TSA Pipeline Security Guidelines to determine your list of critical facilities? | ||
| R | 7.0400 | During the criticality assessment of your facilities, were all of the following criteria considered? | ||
| 7.0401 | Critical to national defense | |||
| 7.0402 | Key infrastructure | |||
| 7.0403 | Mass casualty or significant health effects | |||
| 7.0404 | Disruption to state or local government public or emergency services | |||
| 7.0405 | National landmarks or monuments | |||
| 7.0406 | Major rivers, lakes, or waterways | |||
| 7.0407 | Deliverability to significant number of customers | |||
| 7.0408 | Signifcantly disrupt pipeline system operations for an extended period of time, i.e., business critical facilities | |||
| 7.0409 | Other (if checked, elaborate) | |||
| R | 7.0500 | Does your corporation conduct a security vulnerability assessment (SVA) or equivalent of each critical facility at least every 36 months? | ||
| R | 7.0600 | Does your corporation conduct an SVA or equivalent within 12 months after achieving operational status for newly identified or constructed facilities? | ||
| R | 7.0700 | Does your corporation conduct an SVA or equivalent of any critical facility within 12 months of completing a significant enhancement or modification to the facility? | ||
| R | 7.0800 | Upon completion of an SVA or equivalent, are corrective actions implemented within 24 months? | ||
| R | 7.0900 | Are assessment results documented and retained until no longer valid? | ||
| 7.1000 | Does your corporation conduct SVAs or equivalent on your non-critical facilities? | |||
| R | 7.1100 | When conducting an SVA or equivalent, do you use one or more of the following methodologies? | ||
| 7.1101 | Criticality, Accessibility, Recuperability, Vulnerability, Effect, Recognizability (CARVER) | |||
| 7.1102 | American Petroleum Institute/National Petrochemical and Refiners Association (API/NPRA) | |||
| 7.1103 | Mission, Symbolism, History, Accessibility, Recognizability, Population, Proximity (MSHARPP) | |||
| 7.1104 | Third-party or corporate proprietary | |||
| 7.1105 | Other (if checked, elaborate) | |||
| R | 7.1200 | Does your corporation integrate security risk mitigation measures during the design, construction, or renovation of a facility? | ||
| SAI | 8.0000 | Risk Analysis and Assessments - Cyber | SAI | |
| R | 8.0100 | Does your corporation evaluate and classify pipeline cyber assets using the following criteria? | ||
| 8.0101 | Critical pipeline cyber assets are operational technologies (OT) systems that can control operations on the pipeline. | |||
| 8.0102 | Non-critical pipeline cyber assets are OT systems that monitor operations on the pipeline. | |||
| R | 8.0200 | Does your corporation review and assess pipeline cyber asset classification as critical or noncritical at least every 12 months? | ||
| R | 8.0300 | Has your corporation established and distributed cybersecurity policies, plans, processes, and supporting procedures commensurate with the current regulatory, risk, legal, and operational environment? | ||
| R | 8.0400 | Has your corporation established a process to identify and evaluate vulnerabilities and compensating security controls? | ||
| 8.0500 | Does the process address unmitigated/accepted vulnerabilities in the OT environment? | |||
| R | 8.0600 | Does your corporation conduct cyber vulnerability assessments as described in your risk assessment process? | ||
| R | 8.0700 | For critical pipeline cyber assets, does your corporation use independent assessors to conduct pipeline cybersecurity assessments? | ||
| SAI | 9.0000 | Drills & Exercises | SAI | |
| R | 9.0100 | Does your corporation conduct periodic security drills and exercises for all facilities, including in conjunction with other required drills or exercises? | ||
| R | 9.0200 | Does your corporation require each critical facility to conduct or participate in an annual security drill or exercise, including common drills or exercises in which multiple facilities may participate? | ||
| R | 9.0300 | Does your corporation require each critical facility to prepare a written post-event report assessing security drills and exercises and documenting corrective actions? | ||
| 9.0400 | Over the past three years, with whom has your corporation participated in security drills or exercises? | ZZZ | ||
| 9.0401 | Local emergency responders | |||
| 9.0402 | Tribal emergency responders | |||
| 9.0403 | State emergency responders | |||
| 9.0404 | Federal emergency responders | |||
| 9.0405 | Federal Bureau of Investigation (FBI) | |||
| 9.0406 | Department of Homeland Security (DHS) | |||
| 9.0407 | Transportation Security Administration (TSA) | |||
| 9.0408 | Neighboring corporations | |||
| 9.0409 | Other (if checked, elaborate) | |||
| R | 9.0500 | Does the corporate security plan include policies and procedures for auditing and testing the effectiveness of the company’s security procedures, to include documentation of results? | ||
| R | 9.0600 | For critical pipeline cyber assets, are cybersecurity incident response exercises conducted periodically? | ||
| SAI | 10.0000 | Cyber Security | SAI | |
| R | 10.0100 | Has your corporation established and documented policies and procedures for the following? | ||
| 10.0101 | Assessing and maintaining configuration information. | |||
| 10.0102 | Tracking changes made to pipeline cyber assets. | |||
| 10.0103 | Patching/upgrading operating systems and applications. | |||
| 10.0104 | Ensuring that the changes do not adversely impact existing cybersecurity controls. | |||
| 10.0105 | Other (if checked, elaborate) | |||
| R | 10.0200 | For critical pipeline assets, has an inventory of the components of the operating system been developed, documented, and maintained that accurately reflects the current OT system? | ||
| 10.0300 | For critical pipeline cyber assets, is there a defined list of software programs authorized to execute in the operating system? | |||
| R | 10.0400 | Has your corporation developed and maintained a comprehensive setof network/system architecture diagrams or other documentation, including nodes, interfaces, remote and third-party connections, and information flows? | ||
| 10.0500 | Are methods in place to verify the accuracy of the diagrams and/or other documentation related to your OT system? | |||
| R | 10.0600 | For critical pipeline cyber assets, does your corporation employ mechanisms to detect unauthorized components? | ||
| R | 10.0700 | For critical pipeline cyber assets, does your corporation review network connections periodically, including remote access and third-party connections? | ||
| R | 10.0800 | For critical pipeline cyber assets, does the OT environment have a detailed software and hardware inventory of cyber asset endpoints? | ||
| R | 10.0900 | Does your corporation ensure that any change that adds control operations to a non-critical pipeline cyber asset results in the system being recognized as a critical cyber pipeline asset and enhanced security measuresbeing applied? | ||
| R | 10.1000 | Has your corporation developed an operational framework to ensure coordination, communication, and accountability for information security on and between the control systems and enterprise networks? | ||
| R | 10.1100 | Has your corporation implemented the following measures? | ||
| 10.1101 | Establish and enforce unique accounts for each individual user and administrator. | |||
| 10.1102 | Establish security requirements for certain types of privileged accounts. | |||
| 10.1103 | Prohibit the sharing of these accounts. | |||
| 10.1200 | Are authentication methods and specific standards employed throughout your company’s cyber access control environment? | |||
| R | 10.1300 | Where systems do not support unique user accounts, are appropriate compensating security controls (e.g., physical controls) implemented? | ||
| R | 10.1400 | Does your corporation ensure user accounts are modified, deleted, or de-activated expeditiously for personnel who no longer require access or are no longer employed by the company? | ||
| R | 10.1500 | Has your corporation implemented the following measures? | ||
| 10.1501 | Establish and enforce access control policies for local and remote users. | |||
| 10.1502 | Have procedures and controls in place for approving and enforcing remote and third-party connections. | |||
| R | 10.1600 | Does your corporation ensure appropriate segregation of duties is in place and, where this is not feasible, apply appropriate compensating security controls? | ||
| R | 10.1700 | Does your corporation change all default passwords for new software, hardware, etc., upon installation and, where this is not feasible (e.g., a control system with a hard-wired password), implement appropriate compensating security controls (e.g., administrative controls)? | ||
| R | 10.1800 | For critical pipeline cyber assets, has your corporation implemented the following measures? | ||
| 10.1801 | Restrict user physical access to control systems and control networks by using appropriate controls. | |||
| 10.1802 | Employ more stringent identity and access management practices (e.g., authenticators, password-construct, access control). | |||
| R | 10.1900 | Does your corporation monitor physical and remote user access to critical pipeline cyber assets? | ||
| R | 10.2000 | Does your corporation employ mechanisms (e.g., active directory) to support the management of accounts for critical pipeline cyber assets? | ||
| R | 10.2100 | Has your corporation established and implemented policies and procedures to ensure data protection measures are in place, including the following? | ||
| 10.2101 | Identifying critical data and establishing classification of different types of data. | |||
| 10.2102 | Establishing specific data handling procedures. | |||
| 10.2103 | Establishing specific data disposal procedures. | |||
| 10.2200 | If data protection measures are not in place, are compensating controls in place? | |||
| R | 10.2300 | Are pipeline cyber assets segregated and protected from enterprise networks and the internet by use of physical separation, firewalls, and other protections? | ||
| 10.2400 | Does the OT system deny network traffic by default and allow only authorized network traffic? | |||
| 10.2500 | Does the OT system monitor and manage communications at appropriate OT network boundaries? | |||
| 10.2600 | Do OT system controls protect the integrity of electronically-communicated information? (e.g., preventing man in the middle)? | |||
| 10.2700 | Does the OT system prevent traffic from being routed to the internet? | |||
| R | 10.2800 | Does your corporation regularly validate that technical controls comply with the company’s cybersecurity policies, plans, and procedures, and report results to senior management? | ||
| R | 10.2900 | Has your corporation implemented technical or procedural controls to restrict the use of pipeline cyber assets to only approved activities? | ||
| R | 10.3000 | Has your corporation implemented processes to respond to anomalous activity through the following? | ||
| 10.3001 | Generating alerts and responding to them in a timely manner. | |||
| 10.3002 | Logging cybersecurity events and reviewing these logs. | |||
| R | 10.3100 | Does your corporation monitor for unauthorized access or the introduction of malicious code or communications? | ||
| R | 10.3200 | Has your corporation established technical or procedural controls for cyber intrusion monitoring and detection? | ||
| R | 10.3300 | Does your corporation perform regular testing of intrusion and malware detection processes and procedures (e.g., penetration testing)? | ||
| SAI | 11.0000 | Physical Security & Access Control | SAI | |
| 11.0100 | Which of the following security measures does your corporate security plan require at critical facilities? | ZZZ | ||
| 11.0101 | Fences | |||
| 11.0102 | Gates equivalent to attached barriers | |||
| 11.0103 | Signage such as No Trespassing, Do Not Enter, Authorized Personnel Only, CCTV in Use, etc. | |||
| 11.0104 | Closed circuit television (CCTV) | |||
| 11.0105 | Intrusion sensors | |||
| 11.0106 | Alarms | |||
| 11.0107 | Clear zones around fence lines | |||
| 11.0108 | Locks | |||
| 11.0109 | Barriers such as bollards, planters, or Jersey barriers | |||
| 11.0110 | Tamper devices | |||
| 11.0111 | Patrols | |||
| 11.0112 | Lighting | |||
| 11.0113 | Crime Prevention Through Environmental Design (CPTED) | |||
| 11.0114 | Unarmed Guards | |||
| 11.0115 | Armed Guards | |||
| 11.0116 | Video-analytic Systems | |||
| 11.0117 | Video Recording | |||
| 11.0118 | Intrustion-detection Systems | |||
| 11.0119 | Other (if checked, elaborate) | |||
| 11.0200 | How does your corporation physically control access to controlled-access areas? | ZZZ | ||
| 11.0201 | Lock and Key | |||
| 11.0202 | Biometric reader | |||
| 11.0203 | Digital keycard | |||
| 11.0204 | PIN Code | |||
| 11.0205 | Proximity Card | |||
| 11.0206 | Radio Remote Control | |||
| 11.0207 | Other (if checked, elaborate) | |||
| 11.0300 | Which of the following security measures does your corporate security plan require at all facilities? | ZZZ | ||
| 11.0301 | Fences | |||
| 11.0302 | Gates equivalent to attached barriers | |||
| 11.0303 | Signage such as No Trespassing, Do Not Enter, Authorized Personnel Only, CCTV in Use, etc. | |||
| 11.0304 | Closed circuit television (CCTV) | |||
| 11.0305 | Intrusion sensors | |||
| 11.0306 | Alarms | |||
| 11.0307 | Clear zones around fence lines | |||
| 11.0308 | Locks | |||
| 11.0309 | Barriers such as bollards, planters, or Jersey barriers | |||
| 11.0310 | Tamper devices | |||
| 11.0311 | Patrols | |||
| 11.0312 | Lighting | |||
| 11.0313 | Crime Prevention Through Environmental Design (CPTED) | |||
| 11.0314 | Unarmed Guards | |||
| 11.0315 | Armed Guards | |||
| 11.0316 | Video-analytic Systems | |||
| 11.0317 | Video Recording | |||
| 11.0318 | Intrustion-detection Systems | |||
| 11.0319 | Other (if checked, elaborate) | |||
| R | 11.0400 | Does the corporate security plan require the following security measures at all facilities? | ||
| 11.0401 | Employ measures to impede unauthorized persons from gaining access to a facility and restricted areas within a facility. | |||
| 11.0402 | Close and secure perimeter gates or entrances when not in use. | |||
| 11.0403 | Post “No Trespassing” or “Authorized Personnel Only” signs at intervals that are visible from any point of potential entry. | |||
| R | 11.0500 | Does the corporate security plan require the following security measures at all facilities? | ||
| 11.0501 | Employ measures to impede unauthorized access to facilities. | |||
| 11.0502 | Maintain fences, if used, without gaps around gates or underneath the fence line. | |||
| 11.0503 | Ensure that there is a clear zone for several feet on either side of the fence, free of obstructions, vegetation, or objects that could be used for concealment or to scale the fence. | |||
| R | 11.0600 | Does the corporate security plan require that each critical facility implement procedures (e.g., manual or electronic sign in/out) for controlling access to the facility and restricted buildings or areas within the facility? | ||
| R | 11.0700 | Does the corporate security plan require that each critical facility create a security perimeter that impedes unauthorized vehicles from entering the facility perimeter or critical areas by installing and maintaining barriers (e.g., fences, bollards, jersey barriers)? | ||
| R | 11.0800 | Does the corporate security plan require that each critical facility ensure that visitors are monitored and escorted? | ||
| R | 11.0900 | Does the corporate security plan require that each critical facility install and maintain gates of an equivalent quality to the barrier to which they are attached? | ||
| R | 11.1000 | Does the corporate security plan require that each critical facility provide sufficient illumination for human and technological recognition of intrusion into the facility perimeter or critical areas? | ||
| R | 11.1100 | Does the corporate security plan require that each critical facility or critical areas within a facility have security measures to monitor, detect, and assess 24 hours per day, 7 days per week? | ||
| R | 11.1200 | Does your corporation have key control procedures for key issuance, tracking, collection, loss, and unauthorized duplication? | ||
| R | 11.1300 | Does your corporation conduct a key inventory at least every 24 months? | ||
| R | 11.1400 | Does your corporation use patent keys to prevent unauthorized duplication? | ||
| SAI | 12.0000 | Personnel Security | SAI | |
| R | 12.0100 | Has your corporation established policies and procedures for applicant pre-employment screening and behavioral criteria for disqualification of applicants and employees? | ||
| 12.0200 | Is there at least one individual within your corporation who holds a current federal security clearance? | |||
| 12.0300 | What is the highest level of clearance that is held within your corporation? | ZZZ | ||
| 12.0301 | Secret | |||
| 12.0302 | Top Secret | |||
| 12.0303 | Top Secret SCI | |||
| 12.0400 | Does your corporation conduct pre-employment background investigations on all potential employees? | |||
| R | 12.0500 | Does your corporation conduct pre-employment background investigations of applicants for positions that involve any of the following? | ||
| 12.0501 | Authorized regular unescorted access to control systems or sensitive areas. | |||
| 12.0502 | Authorized access to sensitive information. | |||
| 12.0503 | Assigned security roles | |||
| 12.0504 | Assigned to work at or granted access rights to critical facilities. | |||
| 12.0600 | Does your corporation have a designated individual solely responsible for cyber/SCADA security? | |||
| R | 12.0700 | Do pre-employment background investigations of applicants for positions described in Question 12.0500 above include all of the following? | ||
| 12.0701 | Verification and validation of identity | |||
| 12.0702 | Criminal history check | |||
| 12.0703 | Verification and validation of legal authorization to work | |||
| R | 12.0800 | Has your corporation developed identification and badging policies and procedures for personnel who have access to secure areas or sensitive information that address the following? | ||
| 12.0801 | Lost or stolen identification cards or badges | |||
| 12.0802 | Temporary badges | |||
| 12.0803 | Personnel termination | |||
| 12.0900 | Does your corporation use the federally-established list of disqualifying crimes (listed in 49 CFR 1572.103) to assess the suitability of personnel for positions described in Question 12.0500 above? | |||
| R | 12.1000 | Does your corporation conduct recurring background investigations at least every ten years for employees occupying security positions or who have access to sensitive information or areas? | ||
| R | 12.1100 | Does the corporate security plan require that each critical facility ensure that company or vendor identification is available for examination by being visibly displayed or carried by personnel while on-site? | ||
| R | 12.1200 | Does your corporation verify that contractors have background investigation policies and procedures at least as rigorous as the corporation’s? | ||
| R | 12.1300 | Does the corporate security plan require that each critical facility ensure personnel identification cards or badges are secure from tampering and contain the individual’s photograph and name? | ||
| 12.1400 | Does your corporation have a policy and/or procedure in place addressing security issues related to employee termination? | |||
| 12.1500 | Are the following actions taken during termination activities? | |||
| 12.1501 | Retrieve badge or identification card. | |||
| 12.1502 | Disable passwords. | |||
| 12.1503 | Retrieve keys. | |||
| 12.1504 | Retrieve operational and/or security manuals. | |||
| 12.1505 | Block computer-system access. | |||
| 12.1506 | Discharged employee signs nondisclosure agreement. | |||
| 12.1507 | Other (if checked, elaborate) | |||
| SAI | 13.0000 | Equipment Maintenance and Testing | SAI | |
| R | 13.0100 | Has your corporation implemented a maintenance program to ensure that security systems are in good working order? | ||
| R | 13.0200 | Does your corporation identify and respond to security equipment malfunctions or failures in a timely manner? | ||
| R | 13.0300 | Do all critical facilities, through routine use or quarterly examination, verify the proper operation and/or condition of all security equipment? | ||
| R | 13.0400 | Do all critical facilities provide an equivalent level of protective security measures to mitigate risk during power outages, security equipment failure, or extended repair of security systems? | ||
| 13.0500 | Does your corporate security maintenance program include all of the following? | |||
| 13.0501 | Corrective maintenance | |||
| 13.0502 | Preventive maintenance | |||
| 13.0503 | Testing | |||
| 13.0504 | Inspection | |||
| SAI | 14.0000 | Recordkeeping | SAI | |
| R | 14.0100 | Does the corporate security plan address recordkeeping policies and procedures for security information, including the protection of Sensitive Security Information (SSI) in accordance with the provisions of 49 CFR Parts 15 and 1520? | ||
| R | 14.0200 | Do all facilities retain the following documents, as appropriate, until superseded or replaced? | ||
| 14.0201 | Corporate security plan | |||
| 14.0202 | Criticality assessment(s) | |||
| 14.0203 | Training records | |||
| 14.0204 | Security drill or exercise reports | |||
| 14.0205 | Incident response plan(s) | |||
| 14.0206 | Security testing and audits | |||
| R | 14.0300 | In addition to the documents listed in Question 14.0200 above, does each critical facility retain the following documents until superseded or replaced? | ||
| 14.0301 | SVA(s) | |||
| 14.0302 | Site-specific security measures | |||
| 14.0400 | Does your corporation have a document-marking policy or procedure? | |||
| R | 14.0500 | Does the corporation make the security information records described in Questions 14.0200 and 14.0300 above available to TSA upon request? | ||
| 14.0600 | Has your corporation taken any of the following steps to apply operations security (OPSEC) in daily activities? | |||
| 14.0601 | Mark documents. | |||
| 14.0602 | Hold conversations in appropriate locations. | |||
| 14.0603 | Report undue interest in pipeline security or operations. | |||
| 14.0604 | Secure sensitive documents outside of office areas such as in vehicles or in transport. | |||
| 14.0605 | Dispose of documents properly. | |||
| 14.0606 | Dispose of computer equipment and associated media securely. | |||
| 14.0607 | Create strong passwords. | |||
| 14.0608 | Change passwords periodically. | |||
| 14.0609 | Vary patterns of behavior | |||
| 14.0610 | Remove badges in public | |||
| 14.0611 | Other (if checked, elaborate) | |||
| R | 14.0700 | Does your corporation maintain and secure criticality assessments, critical facility lists, and security vulnerability assessments or equivalent? | ||
| DEPARTMENT OF HOMELAND SECURITY | ||||
| Transportation Security Administration | ||||
| Pipeline Corporate Security Review (CSR) IT Questions | CSR FY2020 V.1 (October 2019) | |||
| Operator Name: | Assessment Date: | |||
| 0 | 1/1/2019 | |||
| Question Type | Question # | CSR Question | Answer (Yes/No/X) | |
| SAI | 2.0000 | Security Plans - Cyber | SAI | |
| 2.0100 | Do your cybersecurity plans incorporate any of the following approaches? | |||
| 2.0101 | National Institute of Standards and Technology (NIST), Framework for Improving Critical Infrastructure Cybersecurity | |||
| 2.0102 | U.S. Department of Energy, Office of Electricity and Energy Reliability, Energy Sector Cybersecurity Framework Implementation Guidance | |||
| 2.0103 | U.S. Department of Homeland Security, Transportation Systems Sector Cybersecurity Framework Implementation Guidance | |||
| 2.0104 | Industry-specific methodologies (See 2018 TSA Pipeline Security Guidelines, Section 7.4 for partial listing.) | |||
| 2.0105 | Other (if checked, elaborate) | |||
| R | 2.0200 | Does your corporation review, assess, and update as necessary all cybersecurity policies plans, processes, and supporting procedures at least every 36 months, or when there is a significant organizational or technological change? | ||
| R | 2.0300 | For critical pipeline cyber assets, does your corporation review, assess, and update as necessary all cybersecurity policies plans, processes, and supporting procedures at least every 12 months, or when there is a significant organizational change? | ||
| R | 2.0400 | Has your corporation established policies and procedures for cybersecurity incident handling, analysis, and reporting, including assignments of specific roles/tasks to individuals and teams? | ||
| R | 2.0500 | Has your corporation established and maintained a cyber-incident response capability? | ||
| R | 2.0600 | For critical pipeline cyber assets, has your corporation established and maintained a process that supports 24/7 cyber-incident response? | ||
| R | 2.0700 | Do your corporation’s response plans and procedures include mitigation measures to help prevent further impacts? | ||
| R | 2.0800 | Has your corporation established a plan for the recovery and reconstitution of pipeline cyber assets within a time frame to align with the company’s safety and business continuity objectives? | ||
| R | 2.0900 | Does your corporation review its cyber recovery plan annually and update it as necessary? | ||
| SAI | 8.0000 | Risk Analysis and Assessments - Cyber | SAI | |
| R | 8.0100 | Does your corporation evaluate and classify pipeline cyber assets using the following criteria? | ||
| 8.0101 | Critical pipeline cyber assets are operational technologies (OT) systems that can control operations on the pipeline. | |||
| 8.0102 | Non-critical pipeline cyber assets are OT systems that monitor operations on the pipeline. | |||
| R | 8.0200 | Does your corporation review and assess pipeline cyber asset classification as critical or noncritical at least every 12 months? | ||
| R | 8.0300 | Has your corporation established and distributed cybersecurity policies, plans, processes, and supporting procedures commensurate with the current regulatory, risk, legal, and operational environment? | ||
| R | 8.0400 | Has your corporation established a process to identify and evaluate vulnerabilities and compensating security controls? | ||
| 8.0500 | Does the process address unmitigated/accepted vulnerabilities in the OT environment? | |||
| R | 8.0600 | Does your corporation conduct cyber vulnerability assessments as described in your risk assessment process? | ||
| R | 8.0700 | For critical pipeline cyber assets, does your corporation use independent assessors to conduct pipeline cybersecurity assessments? | ||
| SAI | 10.0000 | Cyber Security | SAI | |
| R | 10.0100 | Has your corporation established and documented policies and procedures for the following? | ||
| 10.0101 | Assessing and maintaining configuration information. | |||
| 10.0102 | Tracking changes made to pipeline cyber assets. | |||
| 10.0103 | Patching/upgrading operating systems and applications. | |||
| 10.0104 | Ensuring that the changes do not adversely impact existing cybersecurity controls. | |||
| 10.0105 | Other (if checked, elaborate) | |||
| R | 10.0200 | For critical pipeline assets, has an inventory of the components of the operating system been developed, documented, and maintained that accurately reflects the current OT system? | ||
| 10.0300 | For critical pipeline cyber assets, is there a defined list of software programs authorized to execute in the operating system? | |||
| R | 10.0400 | Has your corporation developed and maintained a comprehensive setof network/system architecture diagrams or other documentation, including nodes, interfaces, remote and third-party connections, and information flows? | ||
| 10.0500 | Are methods in place to verify the accuracy of the diagrams and/or other documentation related to your OT system? | |||
| R | 10.0600 | For critical pipeline cyber assets, does your corporation employ mechanisms to detect unauthorized components? | ||
| R | 10.0700 | For critical pipeline cyber assets, does your corporation review network connections periodically, including remote access and third-party connections? | ||
| R | 10.0800 | For critical pipeline cyber assets, does the OT environment have a detailed software and hardware inventory of cyber asset endpoints? | ||
| R | 10.0900 | Does your corporation ensure that any change that adds control operations to a non-critical pipeline cyber asset results in the system being recognized as a critical cyber pipeline asset and enhanced security measuresbeing applied? | ||
| R | 10.1000 | Has your corporation developed an operational framework to ensure coordination, communication, and accountability for information security on and between the control systems and enterprise networks? | ||
| R | 10.1100 | Has your corporation implemented the following measures? | ||
| 10.1101 | Establish and enforce unique accounts for each individual user and administrator. | |||
| 10.1102 | Establish security requirements for certain types of privileged accounts. | |||
| 10.1103 | Prohibit the sharing of these accounts. | |||
| 10.1200 | Are authentication methods and specific standards employed throughout your company’s cyber access control environment? | |||
| R | 10.1300 | Where systems do not support unique user accounts, are appropriate compensating security controls (e.g., physical controls) implemented? | ||
| R | 10.1400 | Does your corporation ensure user accounts are modified, deleted, or de-activated expeditiously for personnel who no longer require access or are no longer employed by the company? | ||
| R | 10.1500 | Has your corporation implemented the following measures? | ||
| 10.1501 | Establish and enforce access control policies for local and remote users. | |||
| 10.1502 | Have procedures and controls in place for approving and enforcing remote and third-party connections. | |||
| R | 10.1600 | Does your corporation ensure appropriate segregation of duties is in place and, where this is not feasible, apply appropriate compensating security controls? | ||
| R | 10.1700 | Does your corporation change all default passwords for new software, hardware, etc., upon installation and, where this is not feasible (e.g., a control system with a hard-wired password), implement appropriate compensating security controls (e.g., administrative controls)? | ||
| R | 10.1800 | For critical pipeline cyber assets, has your corporation implemented the following measures? | ||
| 10.1801 | Restrict user physical access to control systems and control networks by using appropriate controls. | |||
| 10.1802 | Employ more stringent identity and access management practices (e.g., authenticators, password-construct, access control). | |||
| R | 10.1900 | Does your corporation monitor physical and remote user access to critical pipeline cyber assets? | ||
| R | 10.2000 | Does your corporation employ mechanisms (e.g., active directory) to support the management of accounts for critical pipeline cyber assets? | ||
| R | 10.2100 | Has your corporation established and implemented policies and procedures to ensure data protection measures are in place, including the following? | ||
| 10.2101 | Identifying critical data and establishing classification of different types of data. | |||
| 10.2102 | Establishing specific data handling procedures. | |||
| 10.2103 | Establishing specific data disposal procedures. | |||
| 10.2200 | If data protection measures are not in place, are compensating controls in place? | |||
| R | 10.2300 | Are pipeline cyber assets segregated and protected from enterprise networks and the internet by use of physical separation, firewalls, and other protections? | ||
| 10.2400 | Does the OT system deny network traffic by default and allow only authorized network traffic? | |||
| 10.2500 | Does the OT system monitor and manage communications at appropriate OT network boundaries? | |||
| 10.2600 | Do OT system controls protect the integrity of electronically-communicated information? (e.g., preventing man in the middle)? | |||
| 10.2700 | Does the OT system prevent traffic from being routed to the internet? | |||
| R | 10.2800 | Does your corporation regularly validate that technical controls comply with the company’s cybersecurity policies, plans, and procedures, and report results to senior management? | ||
| R | 10.2900 | Has your corporation implemented technical or procedural controls to restrict the use of pipeline cyber assets to only approved activities? | ||
| R | 10.3000 | Has your corporation implemented processes to respond to anomalous activity through the following? | ||
| 10.3001 | Generating alerts and responding to them in a timely manner. | |||
| 10.3002 | Logging cybersecurity events and reviewing these logs. | |||
| R | 10.3100 | Does your corporation monitor for unauthorized access or the introduction of malicious code or communications? | ||
| R | 10.3200 | Has your corporation established technical or procedural controls for cyber intrusion monitoring and detection? | ||
| R | 10.3300 | Does your corporation perform regular testing of intrusion and malware detection processes and procedures (e.g., penetration testing)? | ||
| DO NOT MODIFY OR ENTER ANY DATA ON THIS SHEET! | ||||||
| DEPARTMENT OF HOMELAND SECURITY | ||||||
| Transportation Security Administration | ||||||
| Pipeline Operator Overview | CSR FY2020 V.1 (October 2019) | |||||
| Operator Name | Lead Inspector: | 0 | ||||
| 0 | Assessment Date: | 1/1/2019 | ||||
| SAI # | SECURITY ACTION ITEM (SAI) DESCRIPTION | Implementation | R Only | # of Recommendations | ||
| 1 | Security Plans | 0% | 0% | 0 | ||
| 2 | Security Plans - Cyber | 0% | 0% | 0 | ||
| 3 | Communication | 0% | 0% | 0 | ||
| 4 | Security Incident Procedures | 0% | 0% | 0 | ||
| 5 | Security Training | 0% | 0% | 0 | ||
| 6 | Outreach | 0% | 0% | 0 | ||
| 7 | Risk Analysis and Assessments | 0% | 0% | 0 | ||
| 8 | Risk Analysis and Assessments - Cyber | 0% | 0% | 0 | ||
| 9 | Drills & Exercises | 0% | 0% | 0 | ||
| 10 | Cyber Security | 0% | 0% | 0 | ||
| 11 | Physical Security & Access Control | 0% | 0% | 0 | ||
| 12 | Personnel Security | 0% | 0% | 0 | ||
| 13 | Equipment Maintenance and Testing | 0% | 0% | 0 | ||
| 14 | Recordkeeping | 0% | 0% | 0 | ||
| Overall Implementation: | 0.00% | 0% | 0 | |||
| Color Key: | ||||||
|   | Requirements have been met. | |||||
|   | Requirements are partially met and/or are in the process of being completed. | |||||
| Does not meet requirements as described in reference materials. | ||||||
 
| 0 | |||
| Recommendations | |||
| Recommendation # | CSR Question # | SAI Category | Recommendation Narrative | 
| 1 | |||
| 2 | |||
| 3 | |||
| 4 | |||
| 5 | |||
| 6 | |||
| 7 | |||
| 8 | |||
| 9 | |||
| 10 | |||
| 11 | |||
| 12 | |||
| 13 | |||
| 14 | |||
| 15 | |||
| 16 | |||
| 17 | |||
| 18 | |||
| 19 | |||
| 20 | |||
| 21 | |||
| 22 | |||
| 23 | |||
| 24 | |||
| 25 | |||
| 26 | |||
| 27 | |||
| 28 | |||
| 29 | |||
| 30 | |||
| 31 | |||
| 32 | |||
| 33 | |||
| 34 | |||
| 35 | |||
| 36 | |||
| 37 | |||
| 38 | |||
| 39 | |||
| 40 | |||
| 41 | |||
| 42 | |||
| 43 | |||
| 44 | |||
| 45 | |||
| 46 | |||
| 47 | |||
| 48 | |||
| 49 | |||
| 50 | |||
| 51 | |||
| 52 | |||
| 53 | |||
| 54 | |||
| 55 | |||
| 56 | |||
| 57 | |||
| 58 | |||
| 59 | |||
| 60 | |||
| 61 | |||
| 62 | |||
| 63 | |||
| 64 | |||
| 65 | |||
| 66 | |||
| 67 | |||
| 68 | |||
| 69 | |||
| 70 | |||
| 71 | |||
| 72 | |||
| 73 | |||
| 74 | |||
| 75 | |||
| 76 | |||
| 77 | |||
| 78 | |||
| 79 | |||
| 80 | |||
| 81 | |||
| 82 | |||
| 83 | |||
| 84 | |||
| 85 | |||
| 86 | |||
| 87 | |||
| 88 | |||
| 89 | |||
| 90 | |||
| 91 | |||
| 92 | |||
| 93 | |||
| 94 | |||
| 95 | |||
| 96 | |||
| 97 | |||
| 98 | |||
| 99 | |||
| 100 | |||
| CSR Recommendations Follow-up | ||||||
| Pipeline Operator | 0 | CSR Date: | 1/1/2019 | |||
| Follow-up Request Date | Stakeholder Response Date | 18-24 Month Follow-up Window | ||||
| From: | To: | |||||
| 7/1/2020 | 12/31/2020 | |||||
| Recommendation # | CSR Question # | Recommendation | Stakeholder Response Code | |||
| 1 | ||||||
| 2 | Response Codes | |||||
| 3 | ||||||
| 4 | 1 - Recommendation has been completed/implemented | |||||
| 5 | 2 - Recommendation will be completed/implemented | |||||
| 6 | 3 - Recommendation being evaluated | |||||
| 7 | 4 - Recommendation will not be completed/implemented | |||||
| 8 | 5 - Recommendation no longer applicable | |||||
| 9 | ||||||
| 10 | ||||||
| 11 | ||||||
| 12 | ||||||
| 13 | ||||||
| 14 | ||||||
| 15 | ||||||
| 16 | ||||||
| 17 | ||||||
| 18 | ||||||
| 19 | ||||||
| 20 | ||||||
| 21 | ||||||
| 22 | ||||||
| 23 | ||||||
| 24 | ||||||
| 25 | ||||||
| 26 | ||||||
| 27 | ||||||
| 28 | ||||||
| 29 | ||||||
| 30 | ||||||
| 31 | ||||||
| 32 | ||||||
| 33 | ||||||
| 34 | ||||||
| 35 | ||||||
| 36 | ||||||
| 37 | ||||||
| 38 | ||||||
| 39 | ||||||
| 40 | ||||||
| 41 | ||||||
| 42 | ||||||
| 43 | ||||||
| 44 | ||||||
| 45 | ||||||
| 46 | ||||||
| 47 | ||||||
| 48 | ||||||
| 49 | ||||||
| 50 | ||||||
| 51 | ||||||
| 52 | ||||||
| 53 | ||||||
| 54 | ||||||
| 55 | ||||||
| 56 | ||||||
| 57 | ||||||
| 58 | ||||||
| 59 | ||||||
| 60 | ||||||
| 61 | ||||||
| 62 | ||||||
| 63 | ||||||
| 64 | ||||||
| 65 | ||||||
| 66 | ||||||
| 67 | ||||||
| 68 | ||||||
| 69 | ||||||
| 70 | ||||||
| 71 | ||||||
| 72 | ||||||
| 73 | ||||||
| 74 | ||||||
| 75 | ||||||
| 76 | ||||||
| 77 | ||||||
| 78 | ||||||
| 79 | ||||||
| 80 | ||||||
| 81 | ||||||
| 82 | ||||||
| 83 | ||||||
| 84 | ||||||
| 85 | ||||||
| 86 | ||||||
| 87 | ||||||
| 88 | ||||||
| 89 | ||||||
| 90 | ||||||
| 91 | ||||||
| 92 | ||||||
| 93 | ||||||
| 94 | ||||||
| 95 | ||||||
| 96 | ||||||
| 97 | ||||||
| 98 | ||||||
| 99 | ||||||
| 100 | ||||||
| 0 | |||
| Considerations | |||
| Consideration # | CSR Question # | SAI Category | Consideration Narrative | 
| 1 | |||
| 2 | |||
| 3 | |||
| 4 | |||
| 5 | |||
| 6 | |||
| 7 | |||
| 8 | |||
| 9 | |||
| 10 | |||
| 11 | |||
| 12 | |||
| 13 | |||
| 14 | |||
| 15 | |||
| 16 | |||
| 17 | |||
| 18 | |||
| 19 | |||
| 20 | |||
| 0 | |||
| Best Practices | |||
| # | CSR Question # | SAI Category | Best Practice Description | 
| 1 | |||
| 2 | |||
| 3 | |||
| 4 | |||
| 5 | |||
| 6 | |||
| 7 | |||
| 8 | |||
| 9 | |||
| 10 | |||
| 0 | |||||||
| Critical Facility List | |||||||
| # | Critical Facility Name | Address | City | State | Latitude | Longitude | Description / Notes | 
| 1 | |||||||
| 2 | |||||||
| 3 | |||||||
| 4 | |||||||
| 5 | |||||||
| 6 | |||||||
| 7 | |||||||
| 8 | |||||||
| 9 | |||||||
| 10 | |||||||
| 11 | |||||||
| 12 | |||||||
| 13 | |||||||
| 14 | |||||||
| 15 | |||||||
| 16 | |||||||
| 17 | |||||||
| 18 | |||||||
| 19 | |||||||
| 20 | |||||||
| 0 | |||||
| Meeting Attendees | |||||
| Date: | 1/1/2019 | ||||
| TSA Pipeline Security Attendees | |||||
| Name | Title | Division | Name | Title | Division | 
| Pipeline Corporation Attendees | |||||
| Name | Title | Division | Name | Title | Division | 
| Other Attendees | |||||
| Name | Title | Organization / Company | Name | Title | Organization / Company | 
| CSR Form Filled Out By | |||||
| Name | Title | Division | Name | Title | Division | 
| SAI # | SAI Description | 
| 1 | Security Plans | 
| 2 | Security Plans - Cyber | 
| 3 | Communication | 
| 4 | Security Incident Procedures | 
| 5 | Security Training | 
| 6 | Outreach | 
| 7 | Risk Analysis and Assessments | 
| 8 | Risk Analysis and Assessments - Cyber | 
| 9 | Drills & Exercises | 
| 10 | Cyber Security | 
| 11 | Physical Security & Access Control | 
| 12 | Personnel Security | 
| 13 | Equipment Maintenance and Testing | 
| 14 | Recordkeeping | 
| Paperwork Reduction Act Burden Statement: This is a voluntary collection of information. TSA estimates that the total average burden per response associated with this collection is approximately 8 hours and an additional 1-3 hours for follow-up on TSA recommendations. An agency may not conduct or sponsor, and a person is not required to respond to a collection of information unless it displays a valid OMB control number. The control number assigned to this collection is OMB 1652-0056, which expires on 02/29/2020. Send comments regarding this burden estimate or collection to: TSA-11, Attention: PRA 1652-0056 Pipeline CSR, 601 South 12th Street, Arlington, VA 20598. | 
| File Type | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet | 
| File Modified | 0000-00-00 | 
| File Created | 0000-00-00 |