An increased borrowing limit for the U.S. was not the only change brought about by the recently enacted Fiscal Responsibility Act of 2023. The National Environmental Policy Act (NEPA) review process was also on the minds of our legislators. Indeed, Congress chose to use the debt ceiling fight as a vehicle for implementing several changes to NEPA aimed at improving project authorization and management and establishing timelines for completing the review process. While not all the changes in the so-called Builder Act are dramatic, a handful of them could provide additional certainty for those in the oil and gas and renewables industries seeking federal approval for their projects.

In the weeks that followed a ransomware attack on a domestic pipeline company, the federal government’s efforts to shore up the cybersecurity posture of America’s critical infrastructure and supply chains, including the oil and gas industry, have garnered increased attention.  Historically, the oil and gas sector has not been subject to mandatory cybersecurity regulations, but rather was encouraged to follow voluntary security guidelines that were initially published by the Transportation Security Administration (TSA) in 2011 and revised in 2018. Yet, the industry sector’s geographic size, number of operators/stakeholders within the sector, and its importance to the national economy make the oil and gas industry an attractive target for cyberattacks.

Each of these factors begs the question whether voluntary cybersecurity measures are sufficient to protect this critical infrastructure component? Based on the TSA’s decision to publish the very first Pipeline Security Directive (“Directive”) three weeks after Colonial Pipeline was victimized by a ransomware attack, the answer to this rhetorical question appears to be an emphatic “No.”