PTA for CFATS

The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version date: July 7, 2012
Page 1 of 9

PRIVACY THRESHOLD ANALYSIS (PTA)
This form is used to determine whether
a Privacy Impact Assessment is required.

Please use the attached form to determine whether a Privacy Impact Assessment (PIA) is required under
the E-Government Act of 2002 and the Homeland Security Act of 2002.
Please complete this form and send it to your component Privacy Office. If you do not have a component
Privacy Office, please send the PTA to the DHS Privacy Office:
Rebecca J. Richards
Senior Director of Privacy Compliance
The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
Tel: 202-343-1717
[email protected]

Upon receipt from your component Privacy Office, the DHS Privacy Office will review this form. If a
PIA is required, the DHS Privacy Office will send you a copy of the Official Privacy Impact Assessment
Guide and accompanying Template to complete and return.
A copy of the Guide and Template is available on the DHS Privacy Office website,
www.dhs.gov/privacy, on DHSConnect and directly from the DHS Privacy Office via email:
[email protected], phone: 202-343-1717.

The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version date: July 7, 2012
Page 2 of 9

PRIVACY THRESHOLD ANALYSIS (PTA)
SUMMARY INFORMATION
Project or
Program Name:

Chemical Facility Anti-Terrorism Standards (CFATS) Program Information
Collections

Component:

National Protection and
Programs Directorate (NPPD)

Office or
Program:

Infrastructure Security
Compliance Division (ISCD)

TAFISMA Name:

Click here to enter text.

TAFISMA
Number:

Click here to enter text.

Type of Project or
Program:

Form or other Information
Collection

Project or
program
status:

Update

PROJECT OR PROGRAM MANAGER
Name:

Dave Wulf

Office:

NPPD/IP/ISCD

Title:

Division Director

Phone:

703-603-4778

Email:

[email protected]

INFORMATION SYSTEM SECURITY OFFICER (ISSO)
Name:

Greta Gosch

Phone:

703-235-8237

Email:

[email protected]

ROUTING INFORMATION
Date submitted to Component Privacy Office:

October 26, 2012

Date submitted to DHS Privacy Office:

October 29, 2012

Date approved by DHS Privacy Office:

Click here to enter a date.

The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version date: July 7, 2012
Page 3 of 9

SPECIFIC PTA QUESTIONS
1. Please describe the purpose of the project or program:
Please provide a general description of the project and its purpose in a way a non-technical person could
understand.
Section 550 of the Department of Homeland Security Appropriations Act of 2007, Pub. L. No. 109-295
authorizes DHS to regulate the security of high-risk chemical facilities. The National Protection and
Programs Directorate (NPPD), Office of Infrastructure Protection (IP), Infrastructure Security
Compliance Division (ISCD) implements this statutory authority through the Chemical Facility AntiTerrorism Standards (CFATS) regulations, 6 CFR Part 27. CFATS establishes a risk-based approach to
identifying and securing chemical facilities determined by NPPD to be “high-risk.” CFATS provides
DHS with authorization to obtain information from high-risk facilities to support the implementation of
CFATS.
The purpose of this PTA is to provide updated information regarding the three CFATS collections being
submitted to the Office of Management and Budget (OMB) for approval.
As background:
The Paperwork Reduction Act (PRA) requires prior approval from OMB on how NPPD proposes to
collect the necessary information for program implementation by affected facilities. NPPD uses three
Information Collection Requests (ICRs) to gather information from chemical facilities in order to
implement CFATS as follows:
OMB Collection #1670-0007 supports the Department’s requirements under CFATS to collect
the primary core regulatory data electronically through the Chemical Security Assessment Tool
(CSAT). This is an ICR for Renewal (revision with change of a currently approved collection),
which includes the following changes: (1) Removal of the Chemical-terrorism Vulnerability
Information (CVI) Authorization Instrument; (2) Addition of the Request to Improve Program
Instrument; (3) Inclusion of Recordkeeping burden for the first time; and (4) Reduction of the
Burden Estimate by $44 million, which is based upon actual historical data collected between
January 2009 and December 2011.
OMB Collection #1670-0014 supports the Department’s requirements to manage the CFATS
program. This is an ICR for Extension (revision without change of a currently approved
collection). Although the collection hasn’t changed, there is a reduction of the Burden Estimate
by $150,000, which is based upon actual historical data collected between January 2009 and
December 2011.
OMB Collection #1670-0015 supports the Department’s requirements to manage the CVI
program in support of CFATS. This is an ICR for Extension (revision without change of a
currently approved collection). Although the collection hasn’t changed, there is an increase of the
Burden Estimate by $2,500, which is based upon actual historical data collected between January
2009 and December 2011.
The current Information Collections (ICs) expire on March 31, 2013. Failure to obtain OMB approval to
revise these ICs will result in NPPD being unable to collect vital information from our stakeholders.

The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version date: July 7, 2012
Page 4 of 9

2. Project or Program status
March 27, 2007
Date first developed:
July 26, 2012
Date last updated:

Update
Pilot launch date:
Pilot end date:

Click here to enter a date.
Click here to enter a date.

DHS Employees
3. From whom does the Project or
Program collect, maintain, use or
disseminate information?
Please check all that apply.

Contractors working on behalf of DHS
Members of the public
This program does not collect any personally
identifiable information1

4. What specific information about individuals could be collected, generated or retained?
Please provide a specific description of information that might be collected, generated or retained such
as names, addresses, emails, etc.
Since the existing PIA was published on July 26, 2012, no new data elements are being collected.
As background, the PII collected under the features of CFATS described in this document may
include:
First Name, Last Name
Middle Initial (optional)
Phone Number
Business Email Address
Business Address (Street, City, State, Zip Code)
Job Title/Position
U.S. Citizenship
Domiciled in the U.S.? (Yes/No)
Is the individual an Officer of the Corporation or designated by an Officer of the
Corporation? (Yes/No)
Organization Name & Type (chosen from drop down menu)
Description of Official Duties
Direct Supervisor's Name
Direct Supervisor's Telephone
Agency/Affiliation
1

DHS defines personal information as “Personally Identifiable Information” or PII, which is any information that permits the
identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual,
regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to
the Department. “Sensitive PII” is PII, which if lost, compromised, or disclosed without authorization, could result in substantial
harm, embarrassment, inconvenience, or unfairness to an individual. For the purposes of this PTA, SPII and PII are treated the
same.

The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version date: July 7, 2012
Page 5 of 9

CVI Authorized User Number (to verify that the user has completed CVI Training)
CSAT User Role
DHS Supervisor Name
Information necessary to collect and process civil penalties, such as: business contact
information, credit card numbers or information appearing on checks (e.g., name, address and
bank account information)
Any other PII contained in correspondence or obtained during interactions between NPPD and
the chemical facility
The Help Desk vendor may also collect information from callers or via web form, such as:
Facility Name
First Name, Last Name
Phone Number
Fax Number
Facility Address
Email Address
Registered CSAT User? (Yes/No)
Facility ID (if applicable)
User Registration Form ID (if applicable)
CVI Authorized User Number (a Customer Service Representative may require the CVI Number
to validate that a caller is a CVI Authorized User before proceeding)
Does the Project or Program use Social
Security Numbers (SSNs)?
If yes, please provide the legal authority for
the collection of SSNs:
If yes, please describe the uses of the SSNs
within the Project or Program:

5. Does this system employ any of the
following technologies:

No
Click here to enter text.
Click here to enter text.

Closed Circuit Television (CCTV)
Sharepoint-as-a-Service

If project or program utilizes any of these
technologies, please contact Component Privacy
Officer for specialized PTA.

Social Media
Mobile Application (or GPS)
Web portal2

2

Informational and collaboration-based portals in operation at DHS and its components which collect, use,
maintain, and share limited personally identifiable information (PII) about individuals who are “members” of the
portal or who seek to gain access to the portal “potential members.”

The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version date: July 7, 2012
Page 6 of 9

None of the above
If this project is a technology/system, does
it relate solely to infrastructure?
For example, is the system a Local Area Network
(LAN) or Wide Area Network (WAN)?

No. Please continue to next question.
Yes. If a log kept of communication traffic,
please answer the following question.

If header or payload data3 is stored in the communication traffic log, please detail the data
elements stored.
Click here to enter text.

6. Does this project or program connect,
receive, or share PII with any other
DHS programs or systems4?

No.
Yes. If yes, please list:
Click here to enter text.
No.
Yes. If yes, please list:

7. Does this project or program connect,
receive, or share PII with any external
(non-DHS) partners or systems?

Is this external sharing pursuant to new
3

Department of Energy’s national research
laboratories – Argonne National Labs and Oak
Ridge National Labs.
PII may be collected through the CFATS Help Desk
via e-mail, mail, fax, or telephone, and through the
CFATS Tip Line via telephone (voicemail).
Additionally, NPPD makes available basic user
information of CSAT Users and CVI Authorized
Users to the CFATS Help Desk vendor in order to
provide better customer service in a more timeefficient manner.
Existing

When data is sent over the Internet, each unit transmitted includes both header information and the actual data
being sent. The header identifies the source and destination of the packet, while the actual data is referred to as the
payload. Because header information, or overhead data, is only used in the transmission process, it is stripped from
the packet when it reaches its destination. Therefore, the payload is the only data received by the destination system.
4 PII may be shared, received, or connected to other DHS systems directly, automatically, or by manual processes.
Often, these systems are listed as “interconnected systems” in TAFISMA.

The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version date: July 7, 2012
Page 7 of 9

or existing information sharing access
agreement (MOU, MOA, LOI, etc.)?

Please describe applicable information sharing
governance in place.
There are Memoranda of Agreement (MOA)
governing the services between DHS/NPPD and the
Department of Energy’s national research
laboratories, which currently operate the systems
supporting the CFATS Program.
The third party vendor for the CFATS Help Desk,
all Call Center Service agents and user management
staff, are required to sign non-disclosure agreements
as a condition of their contracts.

The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version date: July 7, 2012
Page 8 of 9

PRIVACY THRESHOLD REVIEW
(TO BE COMPLETED BY COMPONENT PRIVACY OFFICE)
Component Privacy Office Reviewer:

Emily Andrew

Date submitted to DHS Privacy Office:

October 29, 2012

Component Privacy Office Recommendation:
Please include recommendation below, including what new privacy compliance documentation is needed.
NPPD is conducting this PTA to provide updated information regarding the three CFATS collections
being submitted to OMB for approval. NPPD Privacy recommends that this is a privacy sensitive system
and the capabilities/collections are covered under the existing Chemical Facility Anti-Terrorism
Standards (CFATS) PIA from July 26, 2012 and relevant System of Records Notices: DHS/ALL-004 General Information Technology Access Account Records System (GITAARS) and DHS/ALL-002 Department of Homeland Security (DHS) Mailing and Other Lists System.
(TO BE COMPLETED BY THE DHS PRIVACY OFFICE)
DHS Privacy Office Reviewer:

Liz Lyons

Date approved by DHS Privacy Office:

November 13, 2012

PCTS Workflow Number:

922061

DESIGNATION
Privacy Sensitive System:
Category of System:
Determination:

Yes

If “no” PTA adjudication is complete.

Privacy Act Statement
If “other” is selected, please describe: Click here to enter text.
PTA sufficient at this time.
Privacy compliance documentation determination in progress.
New information sharing arrangement is required.
DHS Policy for Computer-Readable Extracts Containing Sensitive PII
applies.
Privacy Act Statement required.
Privacy Impact Assessment (PIA) required.
System of Records Notice (SORN) required.

System covered by existing PIA
PIA:

If covered by existing PIA, please list: DHS/PIA/NPPD-009 Chemical Facility AntiTerrorism Standards (CFATS) PIA from July 26, 2012

The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

Privacy Threshold Analysis
Version date: July 7, 2012
Page 9 of 9

System covered by existing SORN
If covered by existing SORN, please list: DHS/ALL-004 - General Information
Technology Access Account Records System (GITAARS) and DHS/ALL-002 Department of Homeland Security (DHS) Mailing and Other Lists System.
DHS Privacy Office Comments:
Please describe rationale for privacy compliance determination above.
This collection is analyzed in the existing PIAs and SORNs. No new data is collected.
SORN: