29

Supporting Statement for Paperwork Reduction Act Submissions

Title: Infrastructure Protection Gateway Facility Surveys

OMB Control Number: 1670-NEW

Supporting Statement A

A. Justification

1. Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information.

The Homeland Security Presidential Directive-7 (HSPD-7) (2003), Presidential Policy Directive-21 (PPD-21) (2013) and the National Infrastructure Protection Plan (NIPP) (2013) highlight the need for a centrally managed repository of infrastructure attributes capable of assessing risks and facilitating data sharing. To support this mission need, the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) Office of Infrastructure Protection (IP) is developing the IP Gateway. The IP Gateway contains several capabilities which support the homeland security mission in the area of critical infrastructure (CI) protection.

The IP Gateway allows Protective Security Advisors (PSAs) and Cyber Security Advisors (CSAs) to conduct voluntary surveys on CI facilities. These surveys are web-based and are used to collect a facility’s basic, high-level information, and its dependencies. This data is then used to determine a Protective Measures Index (PMI) and a Resilience Measures Index (RMI) for the surveyed facility. This information allows a facility to see how it compares to other facilities within the same sector as well as allows them to see how adjusting certain aspects would change their score. This allows the facility to then determine where best to allocate funding and perform other high level decision making processes pertaining to the security and resiliency of the facility.

2. Indicate how, by whom, and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.

The information will be gathered by site visits, arranged between the facility owners and DHS PSAs or CSAs. The PSA or CSA will then visit the site and perform the survey, as requested. They then return to complete the survey and input the data into the IP Gateway were the data is then accessible to users of the IP Gateway. Once available, the facility and other relevant users of the IP Gateway can then review the data and use it for planning, risk identification, mitigation and decision making. All data is captured electronically by the PSA, CSA or by the facility as a self-assessment. Below is a list of identified users/stakeholders for the IP Gateway.

1. Critical Infrastructure Community

2. Protective Security Advisors (PSAs)

3. State Fusion Centers

4. The State, Local, Tribal, and Territorial Governing Coordinating Council (SLTTGCC)

5. State representatives for critical infrastructure

6. Facility owner/operators

7. DHS Components and Sub-components to include:

   1. National Protection and Programs Directorate (NPPD)

   2. Federal Protective Service (FPS)

   3. Cyber Security and Communications (CS&C)

      1. Cyber Security Advisors (CSAs)

   4. Office of Infrastructure Protection (IP)

      1. Infrastructure Information Collection Division (IICD)

      2. Sector Outreach and Programs Division (SOPD)

      3. Protective Security Coordination Division (PSCD)

      4. National Infrastructure Coordinating Center (NICC)

   5. Transportation Security Administration (TSA)

   6. Office of Health Affairs (OHA)

   7. Sector-Specific Agencies (SSAs)

8. Critical Infrastructure Sectors:

   1. Chemical Sector

   2. Commercial Facilities Sector

   3. Communications Sector

   4. Critical Manufacturing Sector

   5. Dams Sector

   6. Defense Industrial Base Sector

   7. Emergency Services Sector

   8. Energy Sector

   9. Financial Services Sector

   10. Food and Agriculture Sector

   11. Government Facilities Sector

   12. Healthcare and Public Health Sector

   13. Information Technology Sector

   14. Nuclear Reactors, Materials, and Waste Sector

   15. Transportation Systems Sector

   16. Water and Wastewater Systems Sector

9. Army Corp of Engineers

3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.

The collection of information uses automated electronic surveys. The surveys are electronic in nature and include questions that measure the security, resiliency and dependencies of a facility. The surveys are voluntary, and are arranged at the request of a facility. They are then scheduled and performed by a PSA or CSA.

4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Item 2 above.



Currently there are no known similar programs or information collections that collect CI facility information pertaining to security and resiliency.

5. If the collection of information impacts small businesses or other small entities (Item 5 of OMB Form 83-I), describe any methods used to minimize.

The program and surveys do not impact small business or other small entities.

6. Describe the consequence to Federal/DHS program or policy activities if the collection of information is not conducted, or is conducted less frequently, as well as any technical or legal obstacles to reducing burden.

Without the survey, there would be no way for the CI community to effectively measure its security and resiliency. All data captured in the surveys is protected under the Protected Critical Infrastructure Information (PCII) act. Without the surveys DHS would lack the abilities below:

• Identify and document critical security and resilience information, including physical security, security force, security management, and business continuity;

• Provide information for protective measures, backup procedures planning, and resource allocation;

• Enhance overall capabilities, methodologies, and resources for identifying and mitigating gaps;

• Facilitate information sharing; and

• Benchmark overall security or resilience and demonstrate how assets and sectors are “buying down” risk

(e.g., lowering risk by investing in measures to enhance the security posture of the facility or asset).

7. Explain any special circumstances that would cause an information collection to be conducted in a manner:

(a) Requiring respondents to report information to the agency more often than quarterly.

(b) Requiring respondents to prepare a written response to a collection of information in fewer than 30 days after receipt of it.

(c) Requiring respondents to submit more than an original and two copies of any document.

(d) Requiring respondents to retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years.

(e) In connection with a statistical survey, that is not designed to produce valid and reliable results that can be generalized to the universe of study.

(f) Requiring the use of a statistical data classification that has not been reviewed and approved by OMB.

(g) That includes a pledge of confidentiality that is not supported by authority established in statute or regulation, that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use.

(h) Requiring respondents to submit proprietary trade secret, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information’s confidentiality to the extent permitted by law.



There are no identified special circumstances at this time that would affect this program or surveys.

8. Federal Register Notice:

a. Provide a copy and identify the date and page number of publication in the Federal Register of the agency’s notice soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the agency in response to these comments. Specifically address comments received on cost and hour burden.

b. Describe efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.

c. Describe consultations with representatives of those from whom information is to be obtained or those who must compile records. Consultation should occur at least once every three years, even if the collection of information activities is the same as in prior periods. There may be circumstances that may preclude consultation in a specific situation. These circumstances should be explained.



9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.

There is no offer of monetary or material value for this information.

10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.



There is no assurance of confidentiality that is not supported by established authority in statute or regulation. The Program has in place an approved Privacy Impact Assessment and is covered by the following SORNS: DHS/ALL-004 - General Information Technology Access Account Records System (GITAARS) November 27, 2012, 77 FR 70792, and DHS/ALL-002 - Department of Homeland Security (DHS) Mailing and Other Lists System November 25, 2008, 73 FR 71659.

Additionally, the Protected Critical Infrastructure Information Act of 2002 (PCII Act) 1 is a crucial tool in facilitating the Department of Homeland Security’s (DHS) analysis of infrastructure vulnerability and related information for planning, preparedness, warnings and other purposes. The PCII Act enables DHS to collaborate effectively to protect America’s critical infrastructure, eighty-five percent of which is in the private sector’s hands. The PCII Act authorized DHS to accept information relating to critical infrastructure from the public, owners and operators of critical infrastructure, and State, local, and tribal governmental entities, while limiting public disclosure of that sensitive information under the Freedom of Information Act, 5 U.S.C. 552 (FOIA), and other laws, rules, and processes.

All user information is for internal use only and is not published to the public. All survey data submitted in compliance with PCII, and all users of the IP Gateway must go through PCII training annually. PSA’s and CSA’s are responsible for entering the assessment data by accessing the IP Gateway. Information can be retrieved by the facility and not any personally identifiable information.

11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private. This justification should include the reasons why the agency considers the questions necessary, the specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.

The survey does not contain any questions that are sensitive in nature.

12. Provide estimates of the hour burden of the collection of information. The statement should:

a. Indicate the number of respondents, frequency of response, annual hour burden, and an explanation of how the burden was estimated. Unless directed to do so, agencies should not conduct special surveys to obtain information on which to base hour burden estimates. Consultation with a sample (fewer than 10) of potential respondents is desired. If the hour burden on respondents is expected to vary widely because of differences in activity, size, or complexity, show the range of estimated hour burden, and explain the reasons for the variance. Generally, estimates should not include burden hours for customary and usual business practices.

b. If this request for approval covers more than one form, provide separate hour burden estimates for each form and aggregate the hour burdens in Item 13 of OMB Form 83-I.

c. Provide estimates of annualized cost to respondents for the hour burdens for collections of information, identifying and using appropriate wage rate categories. The cost of contracting out or paying outside parties for information collection activities should not be included here. Instead, this cost should be included in Item 14.

The IP Gateway was designed and built to fill the lack of a repository for the Nation’s CI community. Examples of users of the CI community include Federal, state, and county representatives as well as emergency response personnel, facility owners, and security personnel.

Using an estimated General and Operations Manager occupation with a fully loaded hourly rate of $55.81 per hour (from the Bureau of Labor Statistics 2013 Occupational Outlook Handbook http://www.bls.gov/oes/2013/may/oes111021.htm).

Table A.12: Estimated Annualized Burden Hours and Costs