Supporting Statement A
for the
Chemical Security Assessment Tool (CSAT)
A. JUSTIFICATION
1) Circumstances that make the collection of information necessary.
Section 550 of P.L. 109-295 (Section 550) directed the Department of Homeland Security to promulgate and enforce regulations to enhance the security of the nation’s high risk chemical facilities. On April 9, 2007, the Department issued an Interim Final Rule, implementing this statutory mandate. (72 FR 17688). Section 550 requires a risk-based approach to security. To facilitate this approach, the Department is employing a risk assessment methodology known as the Chemical Security Assessment Tool (CSAT). The CSAT is a series of six public web-based computer applications: User Registration, Top-Screen, Security Vulnerability Assessment, Site Security Plan, Personnel Surety, and Chemical-terrorism Vulnerability Information Authorization. Each of these computer applications constitutes a collection. In addition, there is also a CSAT Helpdesk, which constitutes another collection.
Section 550 required the Department to promulgate interim final regulations no later than six months from the date of enactment of the statute (i.e., April 4, 2007). Due to that short statutory deadline, the CSAT applications are in different development stages. In early March, when DHS submitted the IFR to OMB, only two of the collections (User Registration and Top-Screen) were ready for PRA review. As of mid-May, four of the collections (Helpdesk, User Registration, Top-Screen, and Chemical-terrorism Vulnerability Information Authorization) are sufficiently complete for PRA review. The remaining three applications (Security Vulnerability Assessment, Site Security Plan, and Personnel Surety) are either in the early stages of development or still working through the requirements definition stage of the IT development lifecycle.
Scope: This submission includes the CSAT Helpdesk collection and three of the six CSAT applications. The Department is requesting that OMB approve these collections no later than June 7, 2007. DHS will present the remaining three collections to OMB for approval at a later date.
The seven separate collection requirements associated with CSAT are outlined below. As noted above, the Department is requesting OMB’s review and approval for four of the collections.
CSAT Helpdesk (not publicly accessible from the internet) (PRA Request Included)
Chemical-terrorism Vulnerability Information (CVI) Authorization (PRA Request Included)
CSAT User Registration (PRA Request Included)
CSAT Top Screen (PRA Request Included)
CSAT Security Vulnerability Assessment (Future Submission)
CSAT Site Security Plan (Future Submission)
CSAT Personnel Surety (Future Submission)
This CSAT information collection supports the following strategic goals:
Department of Homeland Security
Prevents of terrorist attacks against the nation
Office of Infrastructure Protection
Secures Chemical Facilities against Terrorism
Chemical Security Assessment Tool
Facilitates self-assessment by facilities of their vulnerabilities
2) By whom, how, and for what purpose the information is to be used.
All information collected supports the Department’s effort to reduce the risk of a successful terrorist attack against chemical facilities. The seven collections either directly or indirectly support the identification of high risk facilities, the determination of the risk tiers of the facilities, the approval of security measures at the facilities, and/or the protection of sensitive information that would, if disclosed, substantially assist terrorists in planning and targeting the facilities.
CSAT Helpdesk
Pursuant to 6 CFR 27.210(b), the Department will provide technical assistance and consultation to chemical facilities. One of the methods through which the Department will provide such assistance is through a CSAT Helpdesk. Through the CSAT Helpdesk, the Department will provide technical assistance for the use of the CSAT computer applications.
The Department will manage the CSAT Helpdesk through Oak Ridge National Laboratory. Oak Ridge National Laboratory maintains the Helpdesk both on site and with a subcontracted third party. Chemical facilities that need technical assistance or consultation can contact the CSAT Helpdesk via phone or e-mail ([email protected]).
ATTACHMENTS:
CSAT Helpdesk Tier 1 Representative Screenshots – Attachment 1
CSAT Helpdesk Tier 1 Data Collection – Attachment 2
CSAT Helpdesk Tier 2 Representative Screenshots & Data Collection – Attachment 3
CSAT Helpdesk Telephone scripts – Attachment 4
Chemical-terrorism Vulnerability Information (CVI) Authorization
Pursuant to 6 CFR 27.400(e)(3), the Department may “make an individual’s access to CVI contingent upon … procedures and requirements for safeguarding CVI that are satisfactory to the Department.” In order to provide individuals with access to CVI, the Department will require individuals to undergo training about CVI. Specifically, the Department will train individuals on the appropriate maintenance, safeguarding, making, disclosure, and destruction of CVI. The CVI training will be targeted primarily towards (1) individuals employed or contracted by chemical facilities and (2) Federal, State, local employees and contractors. The Department will need to maintain a record that an individual has completed this training and is authorized to access CVI.
To obtain CVI authorization, an individual will complete a web-based application. Upon completion of the application, the system will transmit the individual’s information to the Department, so that the Department can determine authorization and subsequently maintain a list of authorized people who have access to CVI data. Authorization for access to CVI does not constitute “need to know.” The individual will sign a Non-Disclosure Agreement (NDA) by selecting a series of boxes next to each paragraph of the NDA and providing basic identifying information.
Chemical-terrorism Vulnerability Information (CVI) is a new Sensitive But Unclassified designation authorized under P.L. 109-295 and implemented in 6 CFR 27.400. CVI becomes effective when 6 CFR Part 27 becomes effective on June 8, 2007. It is essential to provide training in order to protect the sensitive data that will be provided to the government.
ATTACHMENTS:
CVI Training web-pages – Attachment 5
CVI NDA & Data Collection - Attachment 6
CSAT User Registration
CSAT User Registration is completed by individuals at a chemical facility who will be involved in the development of the Top-Screen, SVA, SSP, or Personnel Surety applications of CSAT. The CSAT User Registration application is a public, web-based tool available through www.dhs.gov/chemicalsecurity.
With a user account, an individual can access the CSAT system. Upon completion of the User Registration form, the system generates an Acrobat PDF document (DHS Form 9002) and print request. All individuals requesting or providing authority to access CSAT are listed on the printed document that they sign and date. The individual should send the completed form via fax to 866-731-2728 or via mail to Chemical Security Compliance Division, ATTN: CSAT User Registration, Department of Homeland Security, Building 5300, MS 6282, P.O. Box 2008, Oak Ridge, TN 37831-6282.
There are three user roles a company must designate in the User Registration:
The Preparer is authorized to enter the required data into the CSAT on-line screening tool and should therefore be a qualified individual familiar with the facility in question. (However, this individual is not authorized to formally submit the data on the company’s behalf).
The Submitter is the individual certified by the company or corporation to formally submit the regulatory required data to the Department. The Submitter must be authorized and domiciled in the U.S. To gain user access, each Preparer and each Submitter require the signature of an “Authorizer.”
The Authorizer is empowered by the facility parent company to provide assurance that the user account request for the Preparer and Submitter is valid.
The Preparer, Submitter, and Authorizer can be the same person or separate individuals. Some facilities may designate the same individual as the Preparer and Submitter. Larger facilities or companies with complex organizational structures may wish to consolidate a significant number of facility submissions through a single or a few Submitters. Authorizers will not be granted edit privileges unless they are also designated as Preparers or Submitters. This approach to managing user access is intended to accommodate the varied organizational structures of the companies and corporations that will use this tool.
There is a fourth user role, which a chemical facility may designate. While it is functionally a part of the Top-Screen, it is still worth noting here. The fourth user role is a “Reviewer,” who reviews facility information. A Reviewer does not have edit or approval privileges and must be invited by a known user from within the Top-Screen Module.
ATTACHMENTS:
CSAT User Registration Screenshots - Attachment 7
CSAT User Registration Form – Attachment 8
CSAT Top-Screen
The CSAT Top Screen identifies covered facilities under 6 CFR Part 27. To identify covered facilities, DHS will have to gather information (via the Top-Screen) from a much larger pool of facilities. Specifically, 6 CFR 27.200(b) requires “A facility must complete and submit a Top-Screen in accordance with the schedule provided in § 27.210 if it possesses any of the chemicals listed in Appendix A to this part at the corresponding Screening Threshold Quantities.”
The CSAT Top-Screen uses the collected data to (1) begin the process for identifying the high-risk chemical facilities covered under the regulation, (2) assign the preliminary tier level for the facility, and (3) articulate the security concerns to be addressed in the SVA and SSP.
The CSAT Top-Screen makes these determinations in a classified database and subsequently sends each facility a CVI-protected letter. Information on how the collected data is specifically manipulated in the classified area is available upon request with the proper security clearances and need to know.
ATTACHMENT:
CSAT Top-Screen – Attachment 9
3) Consideration of the use of improved information technology.
The paperwork burden associated with this information collection will be reduced as a result of the web-enabled interface of the user data submission process. Users can type in their information and submit it over the Internet, cutting down on the time associated with paper-based, manual processes (including traditional postal services). The systems are designed to dynamically respond to user input and thereby only request the minimum amount of necessary data that results in the correct conclusion for each facility.
4) Efforts to identify duplication.
The CSAT is a new tool, which the Department has developed for this regulatory program. One of the key features inherent to the CSAT tool is the capability to estimate with a high degree of confidence the health and safety impacts of a terrorist attack, and thus, the CSAT allows for comparative analysis between chemical facilities. Although there are state, local, and other Federal security regulations relating to chemical security, those regimes do not collect the core metrics that enable comparative risk analysis across the chemical sector. Comparative risk analysis is essential to implementing the risk based regulation required by P.L. 109-295.
5) Methods to minimize the burden to small businesses if involved.
The burden imposed on small businesses is alleviated in instances when certain smaller facilities are not deemed high risk, and therefore would be exempted from the regulation and registration processes. Burden is further reduced by the Top-Screen’s ability to dynamically generate questions based on the user’s input so that only the minimum number of questions answered is required.
6) Consequences to the Federal program if collection were conducted less frequently.
CSAT Helpdesk –
The Helpdesk is available Monday to Friday 7am to 7pm EST. Information is only collected when an individual contacts the Helpdesk.
Chemical-terrorism Vulnerability Information (CVI) Authorization–
Individuals need to obtain CVI authorization only once. However, in the event an individual’s information changes (e.g., the individual leaves a company), the individual will need to update their information.
CSAT User Registration –
The CSAT User Registration is available 24 hours a day, seven days a week. An individual needs only register once. However, an individual will need to update any changes to their information. An update capability exists in the CSAT User Registration application. In addition, assistance is available through the CSAT Helpdesk.
CSAT Top Screen –
The CSAT Top-Screen is available 24 hours a day, seven days a week. 6 CFR Part 27.210 provides a specific submission schedule for chemical facilities.
7) Explain any special circumstances that would cause the information collection to be conducted in a manner inconsistent with guidelines.
There are no special circumstances with this collection.
8) Consultation.
On December 27, 2006, the Department published the Chemical Facility Security Advance Notice of Rulemaking (ANR) (71 FR 78275), seeking comment on proposed regulatory text and on several practical and policy issues integral to the development of a chemical facility security program. The public provided substantial comments, including comments related to the information collection, in the ANR. The Department responded to those comments in the Interim Final Rule.
On April 9, 2007, the Department published an Interim Final Rule (72 FR 17688). The IFR included a proposed Appendix A, containing the DHS Chemicals of Interest list. The comment period for proposed Appendix A closed on May 9, 2007.
Throughout this process, the Department has consulted with those parties that will be impacted by this chemical facility security regulation. During the comment period for the Advance Notice, the Department conducted listening sessions with state and local groups, environmental organizations, and union representatives. A list of participants and brief summary of each of the meetings are available in the docket for the rulemaking. In addition, during the development of the CSAT, the Department hosted pilot sessions, whereby industry representatives (from a representative sampling of companies, including companies of various sizes, types of operations, and types of products) tested the CSAT system. Finally, the Department has also consulted with other Federal agencies throughout the process (e.g., EPA, DOD, DOE).
9) Explain any decision to provide any payment or gift to respondents.
No payment or gift of any kind is provided to any respondents.
10) Describe any assurance of confidentiality provided to respondents.
The confidentiality of information provided by respondents is covered through several mechanisms.
Chemical-terrorism Vulnerability Information (CVI) is a new Sensitive But Unclassified designation authorized under P.L. 109-295 and implemented in 6 CFR 27.400. CVI becomes effective when the 6 CFR Part 27 becomes effective on June 8, 2007.
P.L. 109-295 further clarifies that CVI “in any proceeding to enforce this section, vulnerability assessments, site security plans, and other information submitted to or obtained by the Secretary under this section, and related vulnerability or security information, shall be treated as if the information were classified material.”
The Department published a System of Records Notice on December 29, 2006 (71 FR 78446). DHS will develop and publish additional System of Record Notices as necessary.
The Helpdesk completed an initial Certification and Accreditation test to a satisfactory level. The Department reserves the right to audit the Helpdesk facilities and infrastructure at any time. There are physical measures in place to ensure that only authorized individuals have access to the Helpdesk call center. The same access restrictions are part of the electronic infrastructure.
DHS’s primary IT design requirement was ensuring data security. DHS acknowledges that there is a non-zero risk, both to the original transmission and the receiving transmission, when requesting data over the Internet. DHS has weighed the risk to the data collection approach against the risk to collecting the data through paper submissions and concluded that the web-based approach was the best approach given the risk and benefits.
DHS has taken a number of steps to protect both the data that will be collected through the CSAT program and the process of collection. The security of the data has been the number one priority of the system design. The site that the Department will use to collect submissions is equipped with hardware encryption that requires Transport Layer Security (TLS), as mandated by the latest Federal Information Processing Standard (FIPS). The encryption devices have full Common Criteria Evaluation and Validation Scheme (CCEVS) certifications. CCEVS is the implementation of the partnership between the National Security Agency and the National Institute of Standards (NIST) to certify security hardware and software.
11) Additional justification for any questions of a sensitive nature.
The CSAT system does not request any information to personally sensitive data. The CSAT system requests limited personally identifiable information for registration purposes only. Top-Screen questions may require the disclosure of proprietary business information.
Estimates of reporting and recordkeeping hour and cost burdens of the collection of information.
The total respondents for the User Registration and Top-Screen are estimated to be approximately 40,000. No facility can access the Top-Screen portion without completing the User Registration portion. Because each respondent will be entering information for each part of the system, there will technically be 80,000 responses.
Individuals will need to obtain CVI authorization only once. Thus, the total annual responses in the first year are expected to be approximately 40,000. This is because although all CSAT users must obtain CVI authorization and sign Non-Disclosure Agreements, not all CVI-authorized individuals will need to access CSAT.
Individuals may either call into the Helpdesk or contact the Helpdesk through email. The total estimated annual number of responses is 20,800.
The total hour burden for completing the User Registration and Top Screen and obtaining CVI authorization (including calls to the Helpdesk) is 1,278,000 hours.
The total annual burden cost estimate is: $111,415,100.
The total contractual cost for the government for this system is: $10,000,000.
A. Estimated Burden for the CSAT Helpdesk (DHS Forms 9009 & 9010)
Time Required for Each Individual Respondent (Minutes) |
15 |
Annual Hours Burden (Hours x 20,800 respondents) |
5,200 |
The Department estimates that the Helpdesk will receive 400 requests for assistance per week. Of these 400 requests, we believe 95% will be phone calls and 5% will be emails. We estimate that the time required for each contact will be approximately 15 minutes. This includes follow-up calls and emails. At this rate, there will be approximately 20,800 calls and emails per a year, equating to 5,200 hours.
B. Estimated Burden for the CVI Authorization (DHS form number has been requested)
Time Estimated for Individual (Minutes) |
30.0 |
Annual Hours Burden (Hours x 40,000 Individuals) |
20,000 |
The Department estimates that CVI authorization will take 30 minutes per individual. This includes the time it takes to complete the Non-Disclosure Agreement. The Department anticipates there will be 40,000 individuals that will obtain this authorization.
C. Estimated Burden for User Registration (DHS Form 9002)
Time Required for Each Facility (Hours) |
1 |
Annual Hours Burden (Hours x 40,000 facilities) |
40,000 |
D. Estimated Burden for the Top-Screen (DHS Form 9007)1
Time Required for Each Facility (Hours) |
30.3 |
Annual Hours Burden (Hours x 40,000 facilities) |
1,212,800 |
Facilities will have different burden rates due to the size and complexity of the facility. The Top-Screen is designed to dynamically respond as the user answers different questions. The Department estimates that, on average, it will take 30.3 hours to complete the Top-Screen, thus resulting in an estimated total burden of 1,212,800 hours.
13) Estimates of annualized capital and start-up costs.
There are no annualized capital or start-up costs for this information collection. It is assumed that all participants will already have the computer hardware and web browser.
14) Estimates of annualized Federal Government costs.
The cost to develop and implement the entire CSAT system is estimated to approximately $10M. Annual estimates for the seven information collections can not yet be estimated, because the system is still under development.
15) Explain the reasons for the change in burden.
This is a new collection.
16) For collections of information whose results are planned to be published for statistical use, outline plans for tabulation, statistical analysis and publication.
No plans exist for the use of statistical analysis or to publish this information.
17) Explain the reasons for seeking not to display the expiration date for OMB approval of the information of collection.
The expiration date will be displayed in the system.
18) Explain each exception to the certification statement.
No exceptions have been requested.
1 Numbers may not sum to total due to rounding.
| File Type | application/msword |
| File Title | Supporting Statement |
| Author | USCG |
| Last Modified By | Christina McDonald |
| File Modified | 2007-05-22 |
| File Created | 2007-05-22 |