Chemical Security Assessment Tool (CSAT)

 
CONTENT
Federal Register, Volume 84 Issue 88 (Tuesday, May 7, 2019)
[Federal Register Volume 84, Number 88 (Tuesday, May 7, 2019)]
[Notices]
[Pages 19929-19933]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-09319]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
[Docket No. DHS-2018-0068]
Chemical Security Assessment Tool (CSAT)
AGENCY: Infrastructure Security Division (ISD), Cybersecurity and
Infrastructure Security Agency (CISA), Department of Homeland Security
(DHS).
ACTION: 30-Day notice and request for comments; revision of information
collection.
-----------------------------------------------------------------------
SUMMARY: DHS CISA ISD will submit the following Information Collection
Request (ICR) to the Office of Management and Budget (OMB) for review
and clearance in accordance with the Paperwork Reduction Act of 1995.
CISA previously published this ICR, in the Federal Register on February
7, 2019, for a 60-day comment period. In this notice, CISA: (1)
Responds to one commenter that submitted multiple comments in response
to the 60-day
[[Page 19930]]
notice, (2) revises the burden associated with an instrument, and (3)
solicits public comment concerning this ICR for an additional 30-days.
DATES: Comments are due by June 6, 2019.
ADDRESSES: Interested persons are invited to submit written comments on
the proposed information collection to the Office of Information and
Regulatory Affairs, OMB. Comments should be addressed to OMB Desk
Officer, Department of Homeland Security, Cybersecurity and
Infrastructure Security Agency and sent via electronic mail to
[email protected]. All submissions must include the words
``Department of Homeland Security'' and the OMB Control Number 1670-
0007--Chemical Security Assessment Tool.
    Comments submitted in response to this notice may be made available
to the public through relevant websites. For this reason, please do not
include in your comments information of a confidential nature, such as
sensitive personal information or proprietary information. Please note
that responses to this public comment request containing any routine
notice about the confidentiality of the communication will be treated
as public comments that may be made available to the public
notwithstanding the inclusion of the routine notice.
    Comments that include trade secrets, confidential commercial or
financial information, Chemical-terrorism Vulnerability Information
(CVI),\1\ Sensitive Security Information (SSI),\2\ or Protected
Critical Infrastructure Information (PCII) \3\ should not be submitted
to the public docket. Comments containing trade secrets, confidential
commercial or financial information, CVI, SSI, or PCII should be
appropriately marked and packaged in accordance with applicable
requirements and submitted by mail to the DHS/CISA/Infrastructure
Security Division, CFATS Program Manager, 245 Murray Lane SW, Mail Stop
0610, Arlington, VA 20528-0610. The Department will forward all
comments received by the submission deadline to the OMB Desk Officer.
---------------------------------------------------------------------------
    \1\ For more information about CVI see 6 CFR 27.400 and the CVI
Procedural Manual at www.dhs.gov/publication/safeguarding-cvi-manual.
    \2\ For more information about SSI see 49 CFR part 1520 and the
SSI Program web page at www.tsa.gov/for-industry/sensitive-security-information.
    \3\ For more information about PCII see 6 CFR part 29 and the
PCII Program web page at www.dhs.gov/pcii-program.
FOR FURTHER INFORMATION CONTACT: Craig Conklin, 703-235-5263,
_____________________________________-
[email protected].
SUPPLEMENTARY INFORMATION: The CFATS Program identifies and regulates
the security of high-risk chemical facilities using a risk-based
approach. Congress initially authorized the CFATS Program under Section
550 of the Department of Homeland Security Appropriations Act of 2007,
Public Law 109-295 (2006). Congress reauthorized the CFATS Program for
an additional five years and three months under the Protecting and
Securing Chemical Facilities from Terrorist Attacks Act of 2014 and the
Chemical Facility Anti-Terrorism Standards Program Extension Act.\4\
The Department implemented the CFATS Program through rulemaking and
issued an Interim Final Rule (IFR) on April 9, 2007 and a final rule on
November 20, 2007. See 72 FR 17688 and 72 FR 65396.
---------------------------------------------------------------------------
    \4\ The CFATS Act of 2014 codified the CFATS program into the
Homeland Security Act of 2002. See 6 U.S.C. 621 et seq.; see also
The Chemical Facility Anti-Terrorism Standards Program Extension
Act. Public Law 116-2 (2019).
---------------------------------------------------------------------------
    CISA\5\ collects the core regulatory data necessary to implement
CFATS through the Chemical Security Assessment Tool (CSAT) covered
under this collection. For more information about CFATS and CSAT,
please visit www.dhs.gov/chemicalsecurity. This information collection
(OMB Control No. 1670-0007) will expire on July 31, 2019.\6\
---------------------------------------------------------------------------
    \5\ Pursuant to the Cybersecurity and Infrastructure Security
Agency Act of 2018, the National Protection and Program Directorate
(NPPD) was re-designated as CISA. See 6 U.S.C. 652.
    \6\ The currently approved version of this information
collection (OMB Control No. 1670-0007) can be viewed at https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=201604-1670-001.
---------------------------------------------------------------------------
1. Responses to Comments Submitted During 60-Day Comment Period
    In response to the 60-day notice \7\ that solicited comments, CISA
received several comments from a single commenter related to the
instrument, ``Identification of Facilities and Assets at Risk.'' \8\
---------------------------------------------------------------------------
    \7\ The 60-day notice for this ICR was published on February 7,
2019 at 84 FR 2558. The notice may be viewed at https://www.federalregister.gov/d/2019-01378.
    \8\ The comment may be viewed at https://www.regulations.gov/document?D=DHS-2018-0068-0002.
---------------------------------------------------------------------------
    Comment: The commenter believed that CISA had not provided
sufficient information in the 60-day notice to allow adequate comment
about the instrument, ``Identification of Additional Facilities and
Assets at Risk.'' The commenter referenced the existing instrument \9\
and described the two sections within the instrument.
---------------------------------------------------------------------------
    \9\ The instrument ``Identification of Additional Facilities and
Assets at Risk'' in the currently approved information collection
may be viewed at https://www.reginfo.gov/public/do/DownloadDocument?objectID=66215302.
---------------------------------------------------------------------------
    The first section of the current instrument is titled,
``Identification of Facilities'' and collects information on a
voluntary basis when a facility ships and/or receives Chemicals of
Interest (COI). The instrument collects: (1) Shipping and/or receiving
procedures, (2) Invoices and receipts, and (3) Company names and
locations that COI is shipped to and/or received from.
    The second section is titled, ``Assets at Risk'' and collects
information on a voluntary basis when the facility identifies a
Supervisory Control and Data Acquisition (SCADA), Distributed Control
System (DCS), Process Control Systems (PCS), or Industrial Control
Systems (ICS). Specifically, the instrument collects information about:
(1) Details on the system(s) that controls, monitors, and/or manages
small to large production systems as well as how the system(s)
operates; and (2) If it is standalone or connected to other systems or
networks and document the specific brand and name of the system(s).
    The commenter reviewed the current instrument and noticed that
CISA's estimates about the number of respondents related to only the
first section of the current instrument (i.e. Identification of
Facilities). Specifically, in the 60-day notice, CISA stated:
    The current information collection estimated that each year 211
respondents would respond to this instrument. For this ICR, CISA
estimates that the annual number of respondents will be 845, because
CISA only requests this information from covered chemical facilities
that undergo compliance inspections and ship chemicals of interest
(COI). CISA completes approximately 1,920 compliance inspections per
year. Of these, approximately 44 percent of the covered chemical
facilities inspected ship COI. Therefore, CISA estimates 845
respondents for this instrument [= 1,920 facilities inspected x 44
percent of facilities ship COI].\10\
    \10\ This quote is from the 60-day Federal Register Notice at 84
FR 2563 (Feb. 7, 2019).
    The commenter concluded that CISA, based on the description
provided in the 60-day notice about how the number of respondents was
derived, could be seeking to revise the instrument and remove the
second section (i.e., Assets at Risk).
    Response: CISA is not seeking to remove the Assets at Risk portion
of the instrument. As a result of the commenter's questions CISA
realized that it had omitted accounting for the burden associated with
the second section (i.e., Assets at Risk) within the instrument.
Therefore, CISA has revised
[[Page 19931]]
its estimates for this instrument in Part 2 (Analysis) of this notice.
    Comment: The commenter requested information on how many facilities
provided responses to the first section (i.e., Identification of
Facilities) and the second section (i.e., Assets at Risk) of the
``Identification of Additional Facilities and Assets at Risk''
instrument. The commenter also requested the criteria CISA used to
select which facilities were requested information under the second
section of the instrument.
    Response: With respect to the first section of the instrument (i.e.
Identification of Facilities), as discussed in the 60-day notice, CISA
collects information under the first section of this instrument when
conducting inspections at facilities that ship and/or receive COI. As
described in the 60-day notice, CISA completes approximately 1,920
compliance inspections per year. Of these, approximately 44 percent of
the covered chemical facilities inspected ship COI. Therefore, CISA
estimates 845 facilities were asked to identify facilities.
    With respect to the second section of the instrument (i.e., Assets
at Risk), if a covered chemical facility has identified a cyber-related
system in their Security Vulnerability Assessment (SVA) or Site
Security Plan (SSP) information, CISA may request the information
covered under this instrument during interactions that occur during:
(1) Compliance Assistance Visits, (2) Authorization Inspections, and
(3) a Compliance Inspections.\11\ Since October 2016 CISA has performed
6,453 of these interactions at such facilities and asked questions
about assets at risk. The results of these interactions and number of
times CISA asked questions about assets at risk are provided in the
table below:\12\
---------------------------------------------------------------------------
    \11\ This information is not covered under the SSP because the
information is not subsequently submitted through the CSAT SSP but
rather documented by an inspector or other appropriate employee of
CISA.
    \12\ The data element used to determine whether or not cyber
questions were explicitly asked as a part of compliance questions
CISA is whether the data from the SVA and SSP were auto-populated in
Compliance Inspection reports. This process began during FY2016 and
thus the estimate of 1066 is an undercount of the total questions
asked during the FY.
----------------------------------------------------------------------------------------------------------------
                                                   FY2017 (10/2016-09/  FY2018 (10/2017-09/  FY2019 (10/2018-02/
                                                          2017)                2018)                2019)
----------------------------------------------------------------------------------------------------------------
Compliance Assistance Visits.....................                  824                1,444                  388
Authorization Inspections........................                  128                  875                   85
Compliance Inspections...........................            \12\ 1066                 1009                  634
                                                  --------------------------------------------------------------
    Subtotal.....................................                2,018                3,328                1,107
                                                  --------------------------------------------------------------
        Total....................................  ...................  ...................                6,453
----------------------------------------------------------------------------------------------------------------
    Comment: The commenter requested information about how many
facilities voluntarily provided information to the first section (i.e.,
Identification of Facilities) and the second section (i.e., Assets at
Risk) of the ``Identification of Additional Facilities and Assets at
Risk'' instrument.
    Response: With respect to the first section of the instrument (i.e.
Identification of Facilities), approximately 15 facilities provided
information that identified other facilities. With respect to the
second section (i.e., Assets at Risk), every facility provided
information about their assets at risk.
    Comment: The commenter requested information about whether any data
provided in the ``Assets at Risk'' section of the instrument had not
been previously provided in an approved facility's site security plan
(SSP).
    Response: CISA has found that the information generally collected
under the section (Assets at Risk) is not information previously
provided in an approved facility's SSP or ASP. The information
collected through the second section of the instrument generally
supplements the information provided by covered chemical facilities in
their SSP or ASP. Information collected through this instrument is
recorded in case files created by CISA employees outside of the SSP or
ASP (e.g., Compliance Inspection Reports).
    Comment: The commenter requested information about the outcomes
from the information collected under the first section (i.e.
Identification of Facilities) of this instrument. Specifically: (1) How
many of the facilities identified by CISA through information collected
from the first section of this instrument had not previously completed
a Top Screen submission; (2) Of those previously unidentified
facilities, how many subsequently submitted Top-Screens; and (3) Of
those previously unidentified facilities that submitted Top Screens,
how many were subsequently identified as being at high-risk.
    Response: CISA began routinely requesting information under the
first section (i.e., Identification of Facilities) of this instrument
in 2018. Since then CISA approximately 15 facilities responded to the
request for information, those that did respond provided valuable data.
CISA received information on 172 facilities that had not previously
submitted Top-Screens. CISA is currently working with those facilities
to determine if they are required to submit a Top-Screen. As of
February 2019, from the 172 facilities CISA has received 27 Top-Screens
of which 18 were subsequently determined to be high-risk (i.e., 66%).
CISA believes that voluntarily supplied customer and suppliers lists
are an excellent source of information to identify chemical facilities
of interest and covered chemical facilities.
    Comment: The commenter also asked why this instrument was not
mentioned in the FY 2019 CFATS Outreach Implementation Plan.\13\
---------------------------------------------------------------------------
    \13\ The FY19 CFATS Outreach Implementation Plan is required by
the Protecting and Securing Chemical Facilities from Terrorist
Attacks Act of 2014 (the CFATS Act of 2014), Public Law 113-254 (6
U.S.C. 621 et seq.). The CFATS Act of 2014 directed the Department
of Homeland Security, among other provisions, to establish an
outreach implementation plan in coordination with the heads of
appropriate Federal and State agencies, relevant business
associations, and public and private stakeholders' labor
organizations in order to identify chemical facilities of interest
(CFOI) that may be subject to regulations under CFATS and to make
available compliance assistance materials and information on CFATS-
related education and training. The FY19 CFATS Outreach
Implementation Plan may be viewed at (https://www.dhs.gov/publication/cfats-oip).
---------------------------------------------------------------------------
    Response: CISA did not include this process, by which CISA could
potentially identify facilities, because of the low response rate. CISA
will consider including it in the next outreach plan.
[[Page 19932]]
2. Analysis
    CISA continues to rely on the analysis and resulting burden
estimates provided in the 60-day notice for the: (1) Top-Screen, (2)
Security Vulnerability Assessment (SVA) and Alternative Security Plan
(ASP) submitted in lieu of an SVA, (3) SSP and ASP submitted in lieu of
an SSP, (4) CFATS Help Desk, and (5) CSAT User Registration. CISA has
revised its analysis and resulting burden estimates for the instrument,
``Identification of Facilities and Assets at Risk.'' CISA's analysis is
described in the next section.
    CISA would also like to clarify the scope and purpose of one aspect
of the CSAT User Registration instrument that does not revise its
burden estimate. Specifically, that CISA uses the Authorizer role in
CSAT to send official correspondence.
3. CISA'S Methodology in Estimating the Burden for Identification of
Additional Facilities and Assets at Risk
Number of Respondents
    The current information collection estimated that each year 211
respondents would respond to this instrument. In the 60-day notice,
CISA estimated that the annual number of respondents to be 845. As a
result of public comment CISA has revised its estimate in this notice
from 845 to 3,426. This revised estimate is based upon the sum of 845
respondents for the first section of this instrument (see 60-day notice
for the basis of this estimate) and 2,581 respondents for the second
section of this instrument. CISA estimated 2,581 respondents for the
second section by annualizing the number of interactions described
earlier in this notice since October of 2016 (i.e., 2,581 = [6,453
respondents over a 2.5 year time span/2.5 years]).
Estimated Time per Respondent
    In the current information collection, the estimated time per
respondent is 0.17 hours (10 minutes). CISA believes that this estimate
is reasonable for either the first or the second section of the
instrument. Therefore, in this ICR, CISA maintains this estimate.
Annual Burden Hours
    The annual burden estimate is 571 hours [ = 3,426 respondents x 1
response per respondent x 0.17 hours per respondent].
Total Annual Burden Cost
    CISA assumes that SSOs will be responsible for providing this
information. Therefore, to estimate the total annual burden, CISA
multiplied the annual burden of 571 hours by the average hourly
compensation rate of SSOs. The total annual burden for the
Identification of Additional Facilities and Assets at Risk is $45,505 [
= 571 annual burden hours x $79.69 per hour].
Total Burden Cost (Capital/Startup)
    In the current information collection, CISA estimated a one-time
capital cost would be incurred by 3,000 respondents as a result of the
CSAT 2.0 implementation. These capital costs were one-time costs for
respondents and therefore have been removed from this information
collection.
Total Recordkeeping Burden
    There is no recordkeeping burden for this instrument.
Public Participation
    OMB is particularly interested in comments that:
    1. Evaluate whether the proposed collection of information is
necessary for the proper performance of the functions of the agency,
including whether the information will have practical utility;
    2. Evaluate the accuracy of the agency's estimate of the burden of
the proposed collection of information, including the validity of the
methodology and assumptions used;
    3. Enhance the quality, utility, and clarity of the information to
be collected; and
    4. Minimize the burden of the collection of information on those
who are to respond, including through the use of appropriate automated,
electronic, mechanical, or other technological collection techniques,
or other forms of information technology (e.g., permitting electronic
submissions of responses).
Analysis
    Title of Collection: Chemical Security Assessment Tool.
    OMB Control Number: 1670-0007.
    Instrument: Top-Screen.
    Frequency: ``On occasion'' and ``Other''.
    Affected Public: Business or other for-profit.
    Annual Number of Respondents: 2,332 respondents (estimate).
    Estimated Time per Respondent: 1.09 hours.
    Total Annual Burden Hours: 2,553 hours.
    Total Annual Burden Cost: $203,450.
    Total Annual Burden Cost (capital/startup): $0.
    Total Recordkeeping Burden: $0
    Instrument: Security Vulnerability Assessment and Alternative
Security Program submitted in lieu of a Security Vulnerability
Assessment.
    Frequency: ``On occasion'' and ``Other.''
    Affected Public: Business or other for-profit.
    Annual Number of Respondents: 1,683 respondents (estimate).
    Estimated Time per Respondent: 1.24 hours.
    Total Annual Burden Hours: 2,083 hours.
    Total Annual Burden Cost: $166,028.
    Total Annual Burden Cost (capital/startup): $0.
    Total Recordkeeping Burden: $0.
    Instrument: Site Security Plan and Alternative Security Program
submitted in lieu of a Site Security Plan.
    Frequency: ``On occasion'' and ``Other.''
    Affected Public: Business or other for-profit.
    Annual Number of Respondents: 1,683 respondents (estimate).
    Estimated Time per Respondent: 2.72 hours.
    Total Annual Burden Hours: 4,582 hours.
    Total Annual Burden Cost: $365,141.
    Total Annual Burden Cost (capital/startup): $0.
    Total Recordkeeping Burden: $516,825.
    Instrument: CFATS Help Desk.
    Frequency: ``On occasion'' and ``Other.''
    Affected Public: Business or other for-profit.
    Annual Number of Respondents: 15,000 respondents (estimate).
    Estimated Time per Respondent: 0.17 hours.
    Total Annual Burden Hours: 2,500 hours.
    Total Annual Burden Cost: $199,233.
    Total Annual Burden Cost (capital/startup): $0.
    Total Recordkeeping Burden: $0.
    Instrument: User Registration.
    Frequency: ``On occasion'' and ``Other''
    Affected Public: Business or other for-profit.
    Annual Number of Respondents: 1,000 respondents (estimate).
    Estimated Time per Respondent: 2.5 hours.
    Total Annual Burden Hours: 2,500 hours.
    Total Annual Burden Cost: $199,233.
    Total Annual Burden Cost (capital/startup): $0.
    Total Recordkeeping Burden: $0.
    Instrument: Identification of Facilities and Assets at Risk.
    Frequency: ``On occasion'' and ``Other.''
[[Page 19933]]
    Affected Public: Business or other for-profit.
    Annual Number of Respondents: 3,426 respondents (estimate).
    Estimated Time per Respondent: 0.17 hours.
    Total Annual Burden Hours: 571 hours.
    Total Annual Burden Cost: $45,505.
    Total Annual Burden Cost (capital/startup): $0.
    Total Recordkeeping Burden: $0.
Scott Libby,
Deputy Chief Information Officer.
[FR Doc. 2019-09319 Filed 5-6-19; 8:45 am]
 BILLING CODE 9110-9P-P