Supporting Statement for PRA Submission

Chemical-terrorism Vulnerability Information

OMB CONTROL NO. 1670-NEW

A. JUSTIFICATION

1. Circumstances that make the collection of information necessary

On October 4, 2006, the President signed the Department of Homeland Security Appropriations Act of 2007 (the Act), Public Law 109-295. Section 550 of the Act provides the Department of Homeland Security with the authority to regulate the security of high-risk chemical facilities. Before the enactment of Section 550, the Federal government did not have authority to regulate the security of most chemical facilities. However, provided with the authority under Section 550, the Department is now filling a significant security gap in the country’s anti-terrorism efforts.

The Chemical Facility Anti-Terrorism Standards (CFATS), 6 CFR Part 27, are the Department’s regulations under Section 550 governing security at high-risk chemical facilities. CFATS represents a national-level effort to minimize terrorism risk to such facilities. Its design and implementation balance maintaining economic vitality with securing facilities and their surrounding communities. The regulations were designed, in collaboration with the private sector and other stakeholders, to take advantage of protective measures already in place and to allow facilities to employ a wide range of tailored measures to satisfy the regulations’ Risk-Based Performance Standards (RBPS).

CFATS also establishes, in 6 CFR § 27.400, the requirements that covered persons must follow to safeguard certain documents and other information developed under the regulations. This information is identified as "Chemical-terrorism Vulnerability Information” (CVI) and by law receives protection from public disclosure and misuse.

This collection aligns with 1670-0007 and 201001-1670-006¹ (CFATS) to collect information under CFATS. This collection collects information related to the unique information protection regime which ensures the information provided by high-risk chemical facilities to the federal Government is properly protected. 1670-0007 generally collects the primary core regulatory data electronically through the Chemical Security Assessment Tool (CSAT) from high-risk chemical facilities. 201001-1670-006 (CFATS) is also new collection pending approval by OMB. 201001-1670-006 (CFATS) collects information that supports the department’s management of CFATS communications and notifications from the high-risk chemical facilities.

2. By whom, how, and for what purpose the information is to be used

There are six instruments in this collection. These instruments will be used to manage the CVI program in support of CFATS. The instruments that comprise this collection are as follows:

Chemical-terrorism Vulnerability Information (CVI) Authorization

Chemical-terrorism Vulnerability Information (CVI) is a Sensitive But Unclassified designation authorized under P.L. 109-295 and implemented in 6 CFR 27.400. CVI came into existence on June 8, 2007, when 6 CFR Part 27 became effective. It is essential to provide training in order to protect the sensitive data that will be provided to the government.

Pursuant to 6 CFR 27.400(e) (3), the Department may “make an individual’s access to CVI contingent upon … procedures and requirements for safeguarding CVI that are satisfactory to the Department.” Using this authority the department requires individuals to undergo CVI training. Specifically, the Department trains individuals on the appropriate maintenance, safeguarding, marking, disclosure, and destruction of CVI. The primary audiences for the training are (1) individuals employed or contracted by chemical facilities, and (2) Federal, State, local employees and contractors.

To obtain CVI authorization, an individual must check several CVI affirmation statements, complete a web-based CVI authorized user application, and provide responses to several identity verification questions. Upon completion of the application, the system transmits the individual’s information to the Department. The Department maintains a record for those individuals that has completed this training and provides a unique authorized user number to access CVI. Authorization for access to CVI does not constitute “need to know.” The concept for need to know is addressed in the CVI Training and is based upon 6 CFR 27.400(e).

The information is collected electronically by this instrument. Attached is the CVI

Authorization instrument that establishes the scope of data collected.

Request for Determination of CVI

Pursuant to 6 CFR § 27.400(b)(1)-(8), a high risk facility will use this instrument in the event a facility develops information that could, in the facility's judgment, compromise the facility’s security if publicly disclosed and this information is not currently considered CVI. DHS will communicate its final determination to the appropriate individual at the requesting facility. DHS will maintain a record of each request.

The information collected by this instrument will generally be electronic but may take other forms (e.g. paper, electronic, audio, video…) and content. Attached is a DHS form that identifies most of the data routinely collected routinely through this data collection instrument.

Determination of a Public Official’s Need to Know

Pursuant to 6 CFR § 27.400(e), this instrument will be used by a public official, or by any other CVI Authorized User, to request a determination by DHS that he/she has a need to know specific CVI prior to requesting access to, or disclosure of CVI from a high risk facility.

The information collected by this instrument will generally be electronic but may take other forms (e.g. paper, electronic, audio, video…). Further, the nature of the content collected under this instrument is unpredictable. Therefore, the attached DHS form identifies most of the data routinely collected routinely through this data collection instrument.

Report of Potential Release of CVI

Pursuant to 6 CFR Part 27 under 6 CFR § 27.400(d) this instrument will be used by a CVI Authorized User to notify DHS of any unauthorized release of CVI. This instrument will ensure that appropriate mitigation actions are taken to protect the information disclosed.

The information collected by this instrument will generally be electronic but may take other forms (e.g. paper, electronic, audio, video…). Further, the nature of the content collected under this instrument is unpredictable. Therefore, the attached DHS form identifies most of the data routinely collected routinely through this data collection instrument.

Notification of CVI Access Exigent Circumstances

Pursuant to 6 CFR Part 27, this instrument will be used by a CVI Authorized User in the event CVI is disclosed under emergency and exigent circumstances without standard precaution. Notifying DHS will ensure appropriate mitigation actions to take place to protect the disclosure of CVI.

The information collected by this instrument will generally be electronic but may take other forms (e.g. paper, electronic, audio, video…). Further, the nature of the content collected under this instrument is unpredictable. Therefore, the attached DHS form identifies most of the data routinely collected routinely through this data collection instrument.

Chemical-terrorism Vulnerability Information Tracking Log

This instrument will be used to record relevant information about how, when, who, and to whom CVI that has been shared.

The information collected by this instrument may be paper or electronic. Attached is a standard DHS form that identifies key data that should be necessary for adequate CVI tracking.

3. Consideration of the use of improved information technology

Although most, but not all, of the instruments allow for the collection of data in multiple mediums (e.g. paper, electronic, audio, video…) because the investigative authorities under P.L. 109-295 and implemented in CFATS may require data collection in way that do not allow consideration of information technology.

However, it is the intention of DHS to reduce the overall paperwork burden associated with this collection through the use web-enabled interfaces as the primary data collection process.

Table 1: Medium Information Is Collected In

4. Efforts to identify duplication

CVI is a unique information protection handling program authorized by Congress in P.L. 109-295. As a unique program it does not duplicate any current collection activities.

5. Methods to minimize the burden to small businesses if involved

No unique methods will be used to minimize the burden to small businesses.

6. Consequences to the Federal program if collection were conducted less frequently.

The frequency of collection under is regulation dictated by the 6 CFR 27.400. Reporting less frequently will substantially reduce the ability of the CVI program to ensure the smooth handling and safeguarding CVI. CVI is essential to implementing and regulating the Chemical Facility Anti-Terrorism Standards (CFATS), 6 CFR Part 27. Improper handling or disclosure of CVI could release sensitive information to individuals and groups seeking information that would assist in the successful attack on a high-risk chemical facility.

7. Explain any special circumstances that would cause the information collection to be conducted in a manner inconsistent with guidelines.

There are no special circumstances that would cause the information collected to be conducted in a manner inconsistent with guidelines.

8. Consultation

60 Day Comment Period: A 60-day public notice for comments was published in the Federal Register on July 1, 2009 at 74 FR 31460.  No comments were received.

30 Day Comment Period: A 30-day public notice for comments was published in the Federal Register on September 25, 2009 at 74 FR 48995.  No comments were received.

9. Explain any decision to provide any payment or gift to respondents.

No payment or gift of any kind is provided.

10. Describe any assurance of confidentiality provided to respondents.

Chemical-terrorism Vulnerability Information (CVI) is a new Sensitive But Unclassified designation authorized under P.L. 109-295 and implemented in 6 CFR 27.400.

P.L. 109-295 further clarifies that CVI “in any proceeding to enforce this section, vulnerability assessments, site security plans, and other information submitted to or obtained by the Secretary under this section, and related vulnerability or security information, shall be treated as if the information were classified material.”

Notwithstanding the Freedom of Information Act (5 U.S.C. 552), the Privacy Act (5 U.S.C. 552a), and other laws, in accordance with Sec. 550(c) and 6 CFR § 27.400(g), records containing CVI are not available for public inspection or copying, nor does the Department release such records to persons without a need to know.

If a record contains both information that may not be disclosed under Section 550(c) of Public Law 109-295 and information that may be disclosed, the latter information may be provided in response to a FOIA request, provided that the record is not otherwise exempt from disclosure under FOIA and that it is practical to redact the protected CVI from the requested record.

11. Additional justification for any questions of a sensitive nature

There are no questions of sensitive nature in this collection.

12. Estimates of reporting and recordkeeping hour and cost burdens of the collection of information

The annual total estimate for reporting, recordkeeping and cost burden under this collection is $2,972,382. Individual burden estimates vary by instrument and are summarized in the table below:

Table 2: Instrument Burden Estimate

13. Estimates of annualized capital and start-up costs

There are no annualized capital or start-up costs for respondents due to this collection.

14. Estimates of annualized Federal Government costs

Federal government costs can be divided between the cost associated with collection of information and the cost associated with managing and responding to the submitted data. The cost associated with collecting the information is essentially the cost of operating and maintaining the collection instruments within CSAT. The annual Operating and Maintenance (O&M) costs for the instruments with CSAT are estimated at $0.4M. The cost associated with managing and responding to the submitted data the management is equivalent to the cost of employing two government employees at the GS-14 level.

Table 3: Estimates of Annualized Costs for the Collection of Data

Initial Capital Costs

The initial capital costs for the data collection to design, develop, and implement the instruments within CSAT are estimated to be $250,000.

Total Federal Government Costs

In sum, the estimated total annual operating cost to the United States Government for this collection is $731,800.00 in addition to an estimated initial capital cost of $250,000.

15. Explain the reasons for the change in burden.

This is a new collection therefore there is no change in the burden estimate.

16. For collections of information whose results are planned to be published for statistical use, outline plans for tabulation, statistical analysis and publication.

No plans exist for the use of statistical analysis or to publish this information.

17. Explain the reasons for seeking not to display the expiration date for OMB approval of the information of collection.

The instruments within this collection will be implemented within CSAT. Therefore, the department is seeking approval not to display the expiration date because the expiration dates may cause confusion with different expiration dates for other information collections also collected through CSAT.

18. Explain each exception to the certification statement.

No exceptions have been requested.