[Federal Register Volume 84, Number 88 (Tuesday, May 7, 2019)]
[Notices]
[Pages 19929-19933]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-09319]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

[Docket No. DHS-2018-0068]


Chemical Security Assessment Tool (CSAT)

AGENCY: Infrastructure Security Division (ISD), Cybersecurity and 
Infrastructure Security Agency (CISA), Department of Homeland Security 
(DHS).

ACTION: 30-Day notice and request for comments; revision of information 
collection.

-----------------------------------------------------------------------

SUMMARY: DHS CISA ISD will submit the following Information Collection 
Request (ICR) to the Office of Management and Budget (OMB) for review 
and clearance in accordance with the Paperwork Reduction Act of 1995. 
CISA previously published this ICR, in the Federal Register on February 
7, 2019, for a 60-day comment period. In this notice, CISA: (1) 
Responds to one commenter that submitted multiple comments in response 
to the 60-day

[[Page 19930]]

notice, (2) revises the burden associated with an instrument, and (3) 
solicits public comment concerning this ICR for an additional 30-days.

DATES: Comments are due by June 6, 2019.

ADDRESSES: Interested persons are invited to submit written comments on 
the proposed information collection to the Office of Information and 
Regulatory Affairs, OMB. Comments should be addressed to OMB Desk 
Officer, Department of Homeland Security, Cybersecurity and 
Infrastructure Security Agency and sent via electronic mail to 
[email protected]. All submissions must include the words 
``Department of Homeland Security'' and the OMB Control Number 1670-
0007--Chemical Security Assessment Tool.
    Comments submitted in response to this notice may be made available 
to the public through relevant websites. For this reason, please do not 
include in your comments information of a confidential nature, such as 
sensitive personal information or proprietary information. Please note 
that responses to this public comment request containing any routine 
notice about the confidentiality of the communication will be treated 
as public comments that may be made available to the public 
notwithstanding the inclusion of the routine notice.
    Comments that include trade secrets, confidential commercial or 
financial information, Chemical-terrorism Vulnerability Information 
(CVI),\1\ Sensitive Security Information (SSI),\2\ or Protected 
Critical Infrastructure Information (PCII) \3\ should not be submitted 
to the public docket. Comments containing trade secrets, confidential 
commercial or financial information, CVI, SSI, or PCII should be 
appropriately marked and packaged in accordance with applicable 
requirements and submitted by mail to the DHS/CISA/Infrastructure 
Security Division, CFATS Program Manager, 245 Murray Lane SW, Mail Stop 
0610, Arlington, VA 20528-0610. The Department will forward all 
comments received by the submission deadline to the OMB Desk Officer.
---------------------------------------------------------------------------

    \1\ For more information about CVI see 6 CFR 27.400 and the CVI 
Procedural Manual at www.dhs.gov/publication/safeguarding-cvi-manual.
    \2\ For more information about SSI see 49 CFR part 1520 and the 
SSI Program web page at www.tsa.gov/for-industry/sensitive-security-information.
    \3\ For more information about PCII see 6 CFR part 29 and the 
PCII Program web page at www.dhs.gov/pcii-program.

FOR FURTHER INFORMATION CONTACT: Craig Conklin, 703-235-5263, 
_____________________________________-
[email protected].

SUPPLEMENTARY INFORMATION: The CFATS Program identifies and regulates 
the security of high-risk chemical facilities using a risk-based 
approach. Congress initially authorized the CFATS Program under Section 
550 of the Department of Homeland Security Appropriations Act of 2007, 
Public Law 109-295 (2006). Congress reauthorized the CFATS Program for 
an additional five years and three months under the Protecting and 
Securing Chemical Facilities from Terrorist Attacks Act of 2014 and the 
Chemical Facility Anti-Terrorism Standards Program Extension Act.\4\ 
The Department implemented the CFATS Program through rulemaking and 
issued an Interim Final Rule (IFR) on April 9, 2007 and a final rule on 
November 20, 2007. See 72 FR 17688 and 72 FR 65396.
---------------------------------------------------------------------------

    \4\ The CFATS Act of 2014 codified the CFATS program into the 
Homeland Security Act of 2002. See 6 U.S.C. 621 et seq.; see also 
The Chemical Facility Anti-Terrorism Standards Program Extension 
Act. Public Law 116-2 (2019).
---------------------------------------------------------------------------

    CISA\5\ collects the core regulatory data necessary to implement 
CFATS through the Chemical Security Assessment Tool (CSAT) covered 
under this collection. For more information about CFATS and CSAT, 
please visit www.dhs.gov/chemicalsecurity. This information collection 
(OMB Control No. 1670-0007) will expire on July 31, 2019.\6\
---------------------------------------------------------------------------

    \5\ Pursuant to the Cybersecurity and Infrastructure Security 
Agency Act of 2018, the National Protection and Program Directorate 
(NPPD) was re-designated as CISA. See 6 U.S.C. 652.
    \6\ The currently approved version of this information 
collection (OMB Control No. 1670-0007) can be viewed at https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=201604-1670-001.
---------------------------------------------------------------------------

1. Responses to Comments Submitted During 60-Day Comment Period

    In response to the 60-day notice \7\ that solicited comments, CISA 
received several comments from a single commenter related to the 
instrument, ``Identification of Facilities and Assets at Risk.'' \8\
---------------------------------------------------------------------------

    \7\ The 60-day notice for this ICR was published on February 7, 
2019 at 84 FR 2558. The notice may be viewed at https://www.federalregister.gov/d/2019-01378.
    \8\ The comment may be viewed at https://www.regulations.gov/document?D=DHS-2018-0068-0002.
---------------------------------------------------------------------------

    Comment: The commenter believed that CISA had not provided 
sufficient information in the 60-day notice to allow adequate comment 
about the instrument, ``Identification of Additional Facilities and 
Assets at Risk.'' The commenter referenced the existing instrument \9\ 
and described the two sections within the instrument.
---------------------------------------------------------------------------

    \9\ The instrument ``Identification of Additional Facilities and 
Assets at Risk'' in the currently approved information collection 
may be viewed at https://www.reginfo.gov/public/do/DownloadDocument?objectID=66215302.
---------------------------------------------------------------------------

    The first section of the current instrument is titled, 
``Identification of Facilities'' and collects information on a 
voluntary basis when a facility ships and/or receives Chemicals of 
Interest (COI). The instrument collects: (1) Shipping and/or receiving 
procedures, (2) Invoices and receipts, and (3) Company names and 
locations that COI is shipped to and/or received from.
    The second section is titled, ``Assets at Risk'' and collects 
information on a voluntary basis when the facility identifies a 
Supervisory Control and Data Acquisition (SCADA), Distributed Control 
System (DCS), Process Control Systems (PCS), or Industrial Control 
Systems (ICS). Specifically, the instrument collects information about: 
(1) Details on the system(s) that controls, monitors, and/or manages 
small to large production systems as well as how the system(s) 
operates; and (2) If it is standalone or connected to other systems or 
networks and document the specific brand and name of the system(s).
    The commenter reviewed the current instrument and noticed that 
CISA's estimates about the number of respondents related to only the 
first section of the current instrument (i.e. Identification of 
Facilities). Specifically, in the 60-day notice, CISA stated:

    The current information collection estimated that each year 211 
respondents would respond to this instrument. For this ICR, CISA 
estimates that the annual number of respondents will be 845, because 
CISA only requests this information from covered chemical facilities 
that undergo compliance inspections and ship chemicals of interest 
(COI). CISA completes approximately 1,920 compliance inspections per 
year. Of these, approximately 44 percent of the covered chemical 
facilities inspected ship COI. Therefore, CISA estimates 845 
respondents for this instrument [= 1,920 facilities inspected x 44 
percent of facilities ship COI].\10\

    \10\ This quote is from the 60-day Federal Register Notice at 84 
FR 2563 (Feb. 7, 2019).

    The commenter concluded that CISA, based on the description 
provided in the 60-day notice about how the number of respondents was 
derived, could be seeking to revise the instrument and remove the 
second section (i.e., Assets at Risk).
    Response: CISA is not seeking to remove the Assets at Risk portion 
of the instrument. As a result of the commenter's questions CISA 
realized that it had omitted accounting for the burden associated with 
the second section (i.e., Assets at Risk) within the instrument. 
Therefore, CISA has revised

[[Page 19931]]

its estimates for this instrument in Part 2 (Analysis) of this notice.
    Comment: The commenter requested information on how many facilities 
provided responses to the first section (i.e., Identification of 
Facilities) and the second section (i.e., Assets at Risk) of the 
``Identification of Additional Facilities and Assets at Risk'' 
instrument. The commenter also requested the criteria CISA used to 
select which facilities were requested information under the second 
section of the instrument.
    Response: With respect to the first section of the instrument (i.e. 
Identification of Facilities), as discussed in the 60-day notice, CISA 
collects information under the first section of this instrument when 
conducting inspections at facilities that ship and/or receive COI. As 
described in the 60-day notice, CISA completes approximately 1,920 
compliance inspections per year. Of these, approximately 44 percent of 
the covered chemical facilities inspected ship COI. Therefore, CISA 
estimates 845 facilities were asked to identify facilities.
    With respect to the second section of the instrument (i.e., Assets 
at Risk), if a covered chemical facility has identified a cyber-related 
system in their Security Vulnerability Assessment (SVA) or Site 
Security Plan (SSP) information, CISA may request the information 
covered under this instrument during interactions that occur during: 
(1) Compliance Assistance Visits, (2) Authorization Inspections, and 
(3) a Compliance Inspections.\11\ Since October 2016 CISA has performed 
6,453 of these interactions at such facilities and asked questions 
about assets at risk. The results of these interactions and number of 
times CISA asked questions about assets at risk are provided in the 
table below:\12\
---------------------------------------------------------------------------

    \11\ This information is not covered under the SSP because the 
information is not subsequently submitted through the CSAT SSP but 
rather documented by an inspector or other appropriate employee of 
CISA.
    \12\ The data element used to determine whether or not cyber 
questions were explicitly asked as a part of compliance questions 
CISA is whether the data from the SVA and SSP were auto-populated in 
Compliance Inspection reports. This process began during FY2016 and 
thus the estimate of 1066 is an undercount of the total questions 
asked during the FY.

----------------------------------------------------------------------------------------------------------------
                                                   FY2017 (10/2016-09/  FY2018 (10/2017-09/  FY2019 (10/2018-02/
                                                          2017)                2018)                2019)
----------------------------------------------------------------------------------------------------------------
Compliance Assistance Visits.....................                  824                1,444                  388
Authorization Inspections........................                  128                  875                   85
Compliance Inspections...........................            \12\ 1066                 1009                  634
                                                  --------------------------------------------------------------
    Subtotal.....................................                2,018                3,328                1,107
                                                  --------------------------------------------------------------
        Total....................................  ...................  ...................                6,453
----------------------------------------------------------------------------------------------------------------

    Comment: The commenter requested information about how many 
facilities voluntarily provided information to the first section (i.e., 
Identification of Facilities) and the second section (i.e., Assets at 
Risk) of the ``Identification of Additional Facilities and Assets at 
Risk'' instrument.
    Response: With respect to the first section of the instrument (i.e. 
Identification of Facilities), approximately 15 facilities provided 
information that identified other facilities. With respect to the 
second section (i.e., Assets at Risk), every facility provided 
information about their assets at risk.
    Comment: The commenter requested information about whether any data 
provided in the ``Assets at Risk'' section of the instrument had not 
been previously provided in an approved facility's site security plan 
(SSP).
    Response: CISA has found that the information generally collected 
under the section (Assets at Risk) is not information previously 
provided in an approved facility's SSP or ASP. The information 
collected through the second section of the instrument generally 
supplements the information provided by covered chemical facilities in 
their SSP or ASP. Information collected through this instrument is 
recorded in case files created by CISA employees outside of the SSP or 
ASP (e.g., Compliance Inspection Reports).
    Comment: The commenter requested information about the outcomes 
from the information collected under the first section (i.e. 
Identification of Facilities) of this instrument. Specifically: (1) How 
many of the facilities identified by CISA through information collected 
from the first section of this instrument had not previously completed 
a Top Screen submission; (2) Of those previously unidentified 
facilities, how many subsequently submitted Top-Screens; and (3) Of 
those previously unidentified facilities that submitted Top Screens, 
how many were subsequently identified as being at high-risk.
    Response: CISA began routinely requesting information under the 
first section (i.e., Identification of Facilities) of this instrument 
in 2018. Since then CISA approximately 15 facilities responded to the 
request for information, those that did respond provided valuable data. 
CISA received information on 172 facilities that had not previously 
submitted Top-Screens. CISA is currently working with those facilities 
to determine if they are required to submit a Top-Screen. As of 
February 2019, from the 172 facilities CISA has received 27 Top-Screens 
of which 18 were subsequently determined to be high-risk (i.e., 66%). 
CISA believes that voluntarily supplied customer and suppliers lists 
are an excellent source of information to identify chemical facilities 
of interest and covered chemical facilities.
    Comment: The commenter also asked why this instrument was not 
mentioned in the FY 2019 CFATS Outreach Implementation Plan.\13\
---------------------------------------------------------------------------

    \13\ The FY19 CFATS Outreach Implementation Plan is required by 
the Protecting and Securing Chemical Facilities from Terrorist 
Attacks Act of 2014 (the CFATS Act of 2014), Public Law 113-254 (6 
U.S.C. 621 et seq.). The CFATS Act of 2014 directed the Department 
of Homeland Security, among other provisions, to establish an 
outreach implementation plan in coordination with the heads of 
appropriate Federal and State agencies, relevant business 
associations, and public and private stakeholders' labor 
organizations in order to identify chemical facilities of interest 
(CFOI) that may be subject to regulations under CFATS and to make 
available compliance assistance materials and information on CFATS-
related education and training. The FY19 CFATS Outreach 
Implementation Plan may be viewed at (https://www.dhs.gov/publication/cfats-oip).
---------------------------------------------------------------------------

    Response: CISA did not include this process, by which CISA could 
potentially identify facilities, because of the low response rate. CISA 
will consider including it in the next outreach plan.

[[Page 19932]]

2. Analysis

    CISA continues to rely on the analysis and resulting burden 
estimates provided in the 60-day notice for the: (1) Top-Screen, (2) 
Security Vulnerability Assessment (SVA) and Alternative Security Plan 
(ASP) submitted in lieu of an SVA, (3) SSP and ASP submitted in lieu of 
an SSP, (4) CFATS Help Desk, and (5) CSAT User Registration. CISA has 
revised its analysis and resulting burden estimates for the instrument, 
``Identification of Facilities and Assets at Risk.'' CISA's analysis is 
described in the next section.
    CISA would also like to clarify the scope and purpose of one aspect 
of the CSAT User Registration instrument that does not revise its 
burden estimate. Specifically, that CISA uses the Authorizer role in 
CSAT to send official correspondence.

3. CISA'S Methodology in Estimating the Burden for Identification of 
Additional Facilities and Assets at Risk

Number of Respondents

    The current information collection estimated that each year 211 
respondents would respond to this instrument. In the 60-day notice, 
CISA estimated that the annual number of respondents to be 845. As a 
result of public comment CISA has revised its estimate in this notice 
from 845 to 3,426. This revised estimate is based upon the sum of 845 
respondents for the first section of this instrument (see 60-day notice 
for the basis of this estimate) and 2,581 respondents for the second 
section of this instrument. CISA estimated 2,581 respondents for the 
second section by annualizing the number of interactions described 
earlier in this notice since October of 2016 (i.e., 2,581 = [6,453 
respondents over a 2.5 year time span/2.5 years]).

Estimated Time per Respondent

    In the current information collection, the estimated time per 
respondent is 0.17 hours (10 minutes). CISA believes that this estimate 
is reasonable for either the first or the second section of the 
instrument. Therefore, in this ICR, CISA maintains this estimate.

Annual Burden Hours

    The annual burden estimate is 571 hours [ = 3,426 respondents x 1 
response per respondent x 0.17 hours per respondent].

Total Annual Burden Cost

    CISA assumes that SSOs will be responsible for providing this 
information. Therefore, to estimate the total annual burden, CISA 
multiplied the annual burden of 571 hours by the average hourly 
compensation rate of SSOs. The total annual burden for the 
Identification of Additional Facilities and Assets at Risk is $45,505 [ 
= 571 annual burden hours x $79.69 per hour].

Total Burden Cost (Capital/Startup)

    In the current information collection, CISA estimated a one-time 
capital cost would be incurred by 3,000 respondents as a result of the 
CSAT 2.0 implementation. These capital costs were one-time costs for 
respondents and therefore have been removed from this information 
collection.

Total Recordkeeping Burden

    There is no recordkeeping burden for this instrument.

Public Participation

    OMB is particularly interested in comments that:
    1. Evaluate whether the proposed collection of information is 
necessary for the proper performance of the functions of the agency, 
including whether the information will have practical utility;
    2. Evaluate the accuracy of the agency's estimate of the burden of 
the proposed collection of information, including the validity of the 
methodology and assumptions used;
    3. Enhance the quality, utility, and clarity of the information to 
be collected; and
    4. Minimize the burden of the collection of information on those 
who are to respond, including through the use of appropriate automated, 
electronic, mechanical, or other technological collection techniques, 
or other forms of information technology (e.g., permitting electronic 
submissions of responses).

Analysis

    Title of Collection: Chemical Security Assessment Tool.
    OMB Control Number: 1670-0007.
    Instrument: Top-Screen.
    Frequency: ``On occasion'' and ``Other''.
    Affected Public: Business or other for-profit.
    Annual Number of Respondents: 2,332 respondents (estimate).
    Estimated Time per Respondent: 1.09 hours.
    Total Annual Burden Hours: 2,553 hours.
    Total Annual Burden Cost: $203,450.
    Total Annual Burden Cost (capital/startup): $0.
    Total Recordkeeping Burden: $0

    Instrument: Security Vulnerability Assessment and Alternative 
Security Program submitted in lieu of a Security Vulnerability 
Assessment.
    Frequency: ``On occasion'' and ``Other.''
    Affected Public: Business or other for-profit.
    Annual Number of Respondents: 1,683 respondents (estimate).
    Estimated Time per Respondent: 1.24 hours.
    Total Annual Burden Hours: 2,083 hours.
    Total Annual Burden Cost: $166,028.
    Total Annual Burden Cost (capital/startup): $0.
    Total Recordkeeping Burden: $0.

    Instrument: Site Security Plan and Alternative Security Program 
submitted in lieu of a Site Security Plan.
    Frequency: ``On occasion'' and ``Other.''
    Affected Public: Business or other for-profit.
    Annual Number of Respondents: 1,683 respondents (estimate).
    Estimated Time per Respondent: 2.72 hours.
    Total Annual Burden Hours: 4,582 hours.
    Total Annual Burden Cost: $365,141.
    Total Annual Burden Cost (capital/startup): $0.
    Total Recordkeeping Burden: $516,825.

    Instrument: CFATS Help Desk.
    Frequency: ``On occasion'' and ``Other.''
    Affected Public: Business or other for-profit.
    Annual Number of Respondents: 15,000 respondents (estimate).
    Estimated Time per Respondent: 0.17 hours.
    Total Annual Burden Hours: 2,500 hours.
    Total Annual Burden Cost: $199,233.
    Total Annual Burden Cost (capital/startup): $0.
    Total Recordkeeping Burden: $0.

    Instrument: User Registration.
    Frequency: ``On occasion'' and ``Other''
    Affected Public: Business or other for-profit.
    Annual Number of Respondents: 1,000 respondents (estimate).
    Estimated Time per Respondent: 2.5 hours.
    Total Annual Burden Hours: 2,500 hours.
    Total Annual Burden Cost: $199,233.
    Total Annual Burden Cost (capital/startup): $0.
    Total Recordkeeping Burden: $0.

    Instrument: Identification of Facilities and Assets at Risk.
    Frequency: ``On occasion'' and ``Other.''

[[Page 19933]]

    Affected Public: Business or other for-profit.
    Annual Number of Respondents: 3,426 respondents (estimate).
    Estimated Time per Respondent: 0.17 hours.
    Total Annual Burden Hours: 571 hours.
    Total Annual Burden Cost: $45,505.
    Total Annual Burden Cost (capital/startup): $0.
    Total Recordkeeping Burden: $0.

Scott Libby,
Deputy Chief Information Officer.
[FR Doc. 2019-09319 Filed 5-6-19; 8:45 am]
 BILLING CODE 9110-9P-P