[Federal Register Volume 84, Number 88 (Tuesday, May 7, 2019)] [Notices] [Pages 19929-19933] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2019-09319] ----------------------------------------------------------------------- DEPARTMENT OF HOMELAND SECURITY [Docket No. DHS-2018-0068] Chemical Security Assessment Tool (CSAT) AGENCY: Infrastructure Security Division (ISD), Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS). ACTION: 30-Day notice and request for comments; revision of information collection. ----------------------------------------------------------------------- SUMMARY: DHS CISA ISD will submit the following Information Collection Request (ICR) to the Office of Management and Budget (OMB) for review and clearance in accordance with the Paperwork Reduction Act of 1995. CISA previously published this ICR, in the Federal Register on February 7, 2019, for a 60-day comment period. In this notice, CISA: (1) Responds to one commenter that submitted multiple comments in response to the 60-day [[Page 19930]] notice, (2) revises the burden associated with an instrument, and (3) solicits public comment concerning this ICR for an additional 30-days. DATES: Comments are due by June 6, 2019. ADDRESSES: Interested persons are invited to submit written comments on the proposed information collection to the Office of Information and Regulatory Affairs, OMB. Comments should be addressed to OMB Desk Officer, Department of Homeland Security, Cybersecurity and Infrastructure Security Agency and sent via electronic mail to [email protected]. All submissions must include the words ``Department of Homeland Security'' and the OMB Control Number 1670- 0007--Chemical Security Assessment Tool. Comments submitted in response to this notice may be made available to the public through relevant websites. For this reason, please do not include in your comments information of a confidential nature, such as sensitive personal information or proprietary information. Please note that responses to this public comment request containing any routine notice about the confidentiality of the communication will be treated as public comments that may be made available to the public notwithstanding the inclusion of the routine notice. Comments that include trade secrets, confidential commercial or financial information, Chemical-terrorism Vulnerability Information (CVI),\1\ Sensitive Security Information (SSI),\2\ or Protected Critical Infrastructure Information (PCII) \3\ should not be submitted to the public docket. Comments containing trade secrets, confidential commercial or financial information, CVI, SSI, or PCII should be appropriately marked and packaged in accordance with applicable requirements and submitted by mail to the DHS/CISA/Infrastructure Security Division, CFATS Program Manager, 245 Murray Lane SW, Mail Stop 0610, Arlington, VA 20528-0610. The Department will forward all comments received by the submission deadline to the OMB Desk Officer. --------------------------------------------------------------------------- \1\ For more information about CVI see 6 CFR 27.400 and the CVI Procedural Manual at www.dhs.gov/publication/safeguarding-cvi-manual. \2\ For more information about SSI see 49 CFR part 1520 and the SSI Program web page at www.tsa.gov/for-industry/sensitive-security-information. \3\ For more information about PCII see 6 CFR part 29 and the PCII Program web page at www.dhs.gov/pcii-program. FOR FURTHER INFORMATION CONTACT: Craig Conklin, 703-235-5263, _____________________________________- [email protected]. SUPPLEMENTARY INFORMATION: The CFATS Program identifies and regulates the security of high-risk chemical facilities using a risk-based approach. Congress initially authorized the CFATS Program under Section 550 of the Department of Homeland Security Appropriations Act of 2007, Public Law 109-295 (2006). Congress reauthorized the CFATS Program for an additional five years and three months under the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 and the Chemical Facility Anti-Terrorism Standards Program Extension Act.\4\ The Department implemented the CFATS Program through rulemaking and issued an Interim Final Rule (IFR) on April 9, 2007 and a final rule on November 20, 2007. See 72 FR 17688 and 72 FR 65396. --------------------------------------------------------------------------- \4\ The CFATS Act of 2014 codified the CFATS program into the Homeland Security Act of 2002. See 6 U.S.C. 621 et seq.; see also The Chemical Facility Anti-Terrorism Standards Program Extension Act. Public Law 116-2 (2019). --------------------------------------------------------------------------- CISA\5\ collects the core regulatory data necessary to implement CFATS through the Chemical Security Assessment Tool (CSAT) covered under this collection. For more information about CFATS and CSAT, please visit www.dhs.gov/chemicalsecurity. This information collection (OMB Control No. 1670-0007) will expire on July 31, 2019.\6\ --------------------------------------------------------------------------- \5\ Pursuant to the Cybersecurity and Infrastructure Security Agency Act of 2018, the National Protection and Program Directorate (NPPD) was re-designated as CISA. See 6 U.S.C. 652. \6\ The currently approved version of this information collection (OMB Control No. 1670-0007) can be viewed at https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=201604-1670-001. --------------------------------------------------------------------------- 1. Responses to Comments Submitted During 60-Day Comment Period In response to the 60-day notice \7\ that solicited comments, CISA received several comments from a single commenter related to the instrument, ``Identification of Facilities and Assets at Risk.'' \8\ --------------------------------------------------------------------------- \7\ The 60-day notice for this ICR was published on February 7, 2019 at 84 FR 2558. The notice may be viewed at https://www.federalregister.gov/d/2019-01378. \8\ The comment may be viewed at https://www.regulations.gov/document?D=DHS-2018-0068-0002. --------------------------------------------------------------------------- Comment: The commenter believed that CISA had not provided sufficient information in the 60-day notice to allow adequate comment about the instrument, ``Identification of Additional Facilities and Assets at Risk.'' The commenter referenced the existing instrument \9\ and described the two sections within the instrument. --------------------------------------------------------------------------- \9\ The instrument ``Identification of Additional Facilities and Assets at Risk'' in the currently approved information collection may be viewed at https://www.reginfo.gov/public/do/DownloadDocument?objectID=66215302. --------------------------------------------------------------------------- The first section of the current instrument is titled, ``Identification of Facilities'' and collects information on a voluntary basis when a facility ships and/or receives Chemicals of Interest (COI). The instrument collects: (1) Shipping and/or receiving procedures, (2) Invoices and receipts, and (3) Company names and locations that COI is shipped to and/or received from. The second section is titled, ``Assets at Risk'' and collects information on a voluntary basis when the facility identifies a Supervisory Control and Data Acquisition (SCADA), Distributed Control System (DCS), Process Control Systems (PCS), or Industrial Control Systems (ICS). Specifically, the instrument collects information about: (1) Details on the system(s) that controls, monitors, and/or manages small to large production systems as well as how the system(s) operates; and (2) If it is standalone or connected to other systems or networks and document the specific brand and name of the system(s). The commenter reviewed the current instrument and noticed that CISA's estimates about the number of respondents related to only the first section of the current instrument (i.e. Identification of Facilities). Specifically, in the 60-day notice, CISA stated: The current information collection estimated that each year 211 respondents would respond to this instrument. For this ICR, CISA estimates that the annual number of respondents will be 845, because CISA only requests this information from covered chemical facilities that undergo compliance inspections and ship chemicals of interest (COI). CISA completes approximately 1,920 compliance inspections per year. Of these, approximately 44 percent of the covered chemical facilities inspected ship COI. Therefore, CISA estimates 845 respondents for this instrument [= 1,920 facilities inspected x 44 percent of facilities ship COI].\10\ \10\ This quote is from the 60-day Federal Register Notice at 84 FR 2563 (Feb. 7, 2019). The commenter concluded that CISA, based on the description provided in the 60-day notice about how the number of respondents was derived, could be seeking to revise the instrument and remove the second section (i.e., Assets at Risk). Response: CISA is not seeking to remove the Assets at Risk portion of the instrument. As a result of the commenter's questions CISA realized that it had omitted accounting for the burden associated with the second section (i.e., Assets at Risk) within the instrument. Therefore, CISA has revised [[Page 19931]] its estimates for this instrument in Part 2 (Analysis) of this notice. Comment: The commenter requested information on how many facilities provided responses to the first section (i.e., Identification of Facilities) and the second section (i.e., Assets at Risk) of the ``Identification of Additional Facilities and Assets at Risk'' instrument. The commenter also requested the criteria CISA used to select which facilities were requested information under the second section of the instrument. Response: With respect to the first section of the instrument (i.e. Identification of Facilities), as discussed in the 60-day notice, CISA collects information under the first section of this instrument when conducting inspections at facilities that ship and/or receive COI. As described in the 60-day notice, CISA completes approximately 1,920 compliance inspections per year. Of these, approximately 44 percent of the covered chemical facilities inspected ship COI. Therefore, CISA estimates 845 facilities were asked to identify facilities. With respect to the second section of the instrument (i.e., Assets at Risk), if a covered chemical facility has identified a cyber-related system in their Security Vulnerability Assessment (SVA) or Site Security Plan (SSP) information, CISA may request the information covered under this instrument during interactions that occur during: (1) Compliance Assistance Visits, (2) Authorization Inspections, and (3) a Compliance Inspections.\11\ Since October 2016 CISA has performed 6,453 of these interactions at such facilities and asked questions about assets at risk. The results of these interactions and number of times CISA asked questions about assets at risk are provided in the table below:\12\ --------------------------------------------------------------------------- \11\ This information is not covered under the SSP because the information is not subsequently submitted through the CSAT SSP but rather documented by an inspector or other appropriate employee of CISA. \12\ The data element used to determine whether or not cyber questions were explicitly asked as a part of compliance questions CISA is whether the data from the SVA and SSP were auto-populated in Compliance Inspection reports. This process began during FY2016 and thus the estimate of 1066 is an undercount of the total questions asked during the FY. ---------------------------------------------------------------------------------------------------------------- FY2017 (10/2016-09/ FY2018 (10/2017-09/ FY2019 (10/2018-02/ 2017) 2018) 2019) ---------------------------------------------------------------------------------------------------------------- Compliance Assistance Visits..................... 824 1,444 388 Authorization Inspections........................ 128 875 85 Compliance Inspections........................... \12\ 1066 1009 634 -------------------------------------------------------------- Subtotal..................................... 2,018 3,328 1,107 -------------------------------------------------------------- Total.................................... ................... ................... 6,453 ---------------------------------------------------------------------------------------------------------------- Comment: The commenter requested information about how many facilities voluntarily provided information to the first section (i.e., Identification of Facilities) and the second section (i.e., Assets at Risk) of the ``Identification of Additional Facilities and Assets at Risk'' instrument. Response: With respect to the first section of the instrument (i.e. Identification of Facilities), approximately 15 facilities provided information that identified other facilities. With respect to the second section (i.e., Assets at Risk), every facility provided information about their assets at risk. Comment: The commenter requested information about whether any data provided in the ``Assets at Risk'' section of the instrument had not been previously provided in an approved facility's site security plan (SSP). Response: CISA has found that the information generally collected under the section (Assets at Risk) is not information previously provided in an approved facility's SSP or ASP. The information collected through the second section of the instrument generally supplements the information provided by covered chemical facilities in their SSP or ASP. Information collected through this instrument is recorded in case files created by CISA employees outside of the SSP or ASP (e.g., Compliance Inspection Reports). Comment: The commenter requested information about the outcomes from the information collected under the first section (i.e. Identification of Facilities) of this instrument. Specifically: (1) How many of the facilities identified by CISA through information collected from the first section of this instrument had not previously completed a Top Screen submission; (2) Of those previously unidentified facilities, how many subsequently submitted Top-Screens; and (3) Of those previously unidentified facilities that submitted Top Screens, how many were subsequently identified as being at high-risk. Response: CISA began routinely requesting information under the first section (i.e., Identification of Facilities) of this instrument in 2018. Since then CISA approximately 15 facilities responded to the request for information, those that did respond provided valuable data. CISA received information on 172 facilities that had not previously submitted Top-Screens. CISA is currently working with those facilities to determine if they are required to submit a Top-Screen. As of February 2019, from the 172 facilities CISA has received 27 Top-Screens of which 18 were subsequently determined to be high-risk (i.e., 66%). CISA believes that voluntarily supplied customer and suppliers lists are an excellent source of information to identify chemical facilities of interest and covered chemical facilities. Comment: The commenter also asked why this instrument was not mentioned in the FY 2019 CFATS Outreach Implementation Plan.\13\ --------------------------------------------------------------------------- \13\ The FY19 CFATS Outreach Implementation Plan is required by the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (the CFATS Act of 2014), Public Law 113-254 (6 U.S.C. 621 et seq.). The CFATS Act of 2014 directed the Department of Homeland Security, among other provisions, to establish an outreach implementation plan in coordination with the heads of appropriate Federal and State agencies, relevant business associations, and public and private stakeholders' labor organizations in order to identify chemical facilities of interest (CFOI) that may be subject to regulations under CFATS and to make available compliance assistance materials and information on CFATS- related education and training. The FY19 CFATS Outreach Implementation Plan may be viewed at (https://www.dhs.gov/publication/cfats-oip). --------------------------------------------------------------------------- Response: CISA did not include this process, by which CISA could potentially identify facilities, because of the low response rate. CISA will consider including it in the next outreach plan. [[Page 19932]] 2. Analysis CISA continues to rely on the analysis and resulting burden estimates provided in the 60-day notice for the: (1) Top-Screen, (2) Security Vulnerability Assessment (SVA) and Alternative Security Plan (ASP) submitted in lieu of an SVA, (3) SSP and ASP submitted in lieu of an SSP, (4) CFATS Help Desk, and (5) CSAT User Registration. CISA has revised its analysis and resulting burden estimates for the instrument, ``Identification of Facilities and Assets at Risk.'' CISA's analysis is described in the next section. CISA would also like to clarify the scope and purpose of one aspect of the CSAT User Registration instrument that does not revise its burden estimate. Specifically, that CISA uses the Authorizer role in CSAT to send official correspondence. 3. CISA'S Methodology in Estimating the Burden for Identification of Additional Facilities and Assets at Risk Number of Respondents The current information collection estimated that each year 211 respondents would respond to this instrument. In the 60-day notice, CISA estimated that the annual number of respondents to be 845. As a result of public comment CISA has revised its estimate in this notice from 845 to 3,426. This revised estimate is based upon the sum of 845 respondents for the first section of this instrument (see 60-day notice for the basis of this estimate) and 2,581 respondents for the second section of this instrument. CISA estimated 2,581 respondents for the second section by annualizing the number of interactions described earlier in this notice since October of 2016 (i.e., 2,581 = [6,453 respondents over a 2.5 year time span/2.5 years]). Estimated Time per Respondent In the current information collection, the estimated time per respondent is 0.17 hours (10 minutes). CISA believes that this estimate is reasonable for either the first or the second section of the instrument. Therefore, in this ICR, CISA maintains this estimate. Annual Burden Hours The annual burden estimate is 571 hours [ = 3,426 respondents x 1 response per respondent x 0.17 hours per respondent]. Total Annual Burden Cost CISA assumes that SSOs will be responsible for providing this information. Therefore, to estimate the total annual burden, CISA multiplied the annual burden of 571 hours by the average hourly compensation rate of SSOs. The total annual burden for the Identification of Additional Facilities and Assets at Risk is $45,505 [ = 571 annual burden hours x $79.69 per hour]. Total Burden Cost (Capital/Startup) In the current information collection, CISA estimated a one-time capital cost would be incurred by 3,000 respondents as a result of the CSAT 2.0 implementation. These capital costs were one-time costs for respondents and therefore have been removed from this information collection. Total Recordkeeping Burden There is no recordkeeping burden for this instrument. Public Participation OMB is particularly interested in comments that: 1. Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility; 2. Evaluate the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used; 3. Enhance the quality, utility, and clarity of the information to be collected; and 4. Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques, or other forms of information technology (e.g., permitting electronic submissions of responses). Analysis Title of Collection: Chemical Security Assessment Tool. OMB Control Number: 1670-0007. Instrument: Top-Screen. Frequency: ``On occasion'' and ``Other''. Affected Public: Business or other for-profit. Annual Number of Respondents: 2,332 respondents (estimate). Estimated Time per Respondent: 1.09 hours. Total Annual Burden Hours: 2,553 hours. Total Annual Burden Cost: $203,450. Total Annual Burden Cost (capital/startup): $0. Total Recordkeeping Burden: $0 Instrument: Security Vulnerability Assessment and Alternative Security Program submitted in lieu of a Security Vulnerability Assessment. Frequency: ``On occasion'' and ``Other.'' Affected Public: Business or other for-profit. Annual Number of Respondents: 1,683 respondents (estimate). Estimated Time per Respondent: 1.24 hours. Total Annual Burden Hours: 2,083 hours. Total Annual Burden Cost: $166,028. Total Annual Burden Cost (capital/startup): $0. Total Recordkeeping Burden: $0. Instrument: Site Security Plan and Alternative Security Program submitted in lieu of a Site Security Plan. Frequency: ``On occasion'' and ``Other.'' Affected Public: Business or other for-profit. Annual Number of Respondents: 1,683 respondents (estimate). Estimated Time per Respondent: 2.72 hours. Total Annual Burden Hours: 4,582 hours. Total Annual Burden Cost: $365,141. Total Annual Burden Cost (capital/startup): $0. Total Recordkeeping Burden: $516,825. Instrument: CFATS Help Desk. Frequency: ``On occasion'' and ``Other.'' Affected Public: Business or other for-profit. Annual Number of Respondents: 15,000 respondents (estimate). Estimated Time per Respondent: 0.17 hours. Total Annual Burden Hours: 2,500 hours. Total Annual Burden Cost: $199,233. Total Annual Burden Cost (capital/startup): $0. Total Recordkeeping Burden: $0. Instrument: User Registration. Frequency: ``On occasion'' and ``Other'' Affected Public: Business or other for-profit. Annual Number of Respondents: 1,000 respondents (estimate). Estimated Time per Respondent: 2.5 hours. Total Annual Burden Hours: 2,500 hours. Total Annual Burden Cost: $199,233. Total Annual Burden Cost (capital/startup): $0. Total Recordkeeping Burden: $0. Instrument: Identification of Facilities and Assets at Risk. Frequency: ``On occasion'' and ``Other.'' [[Page 19933]] Affected Public: Business or other for-profit. Annual Number of Respondents: 3,426 respondents (estimate). Estimated Time per Respondent: 0.17 hours. Total Annual Burden Hours: 571 hours. Total Annual Burden Cost: $45,505. Total Annual Burden Cost (capital/startup): $0. Total Recordkeeping Burden: $0. Scott Libby, Deputy Chief Information Officer. [FR Doc. 2019-09319 Filed 5-6-19; 8:45 am] BILLING CODE 9110-9P-P