1670-0015 CVI Supporting Statement A (29-SEP-2020) FINAL

Chemical-terrorism Vulnerability Information (CVI)

OMB: 1670-0015


Supporting Statement for Paperwork Reduction Act Submissions


Title: Chemical-terrorism Vulnerability Information

OMB Control Number: 1670-0015

Supporting Statement A


A. Justification


1. Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information.


The CFATS Program identifies and regulates the security of high-risk chemical facilities using a risk-based approach. Congress initially authorized the CFATS Program under Section 550 of the Department of Homeland Security Appropriations Act of 2007, Pub. L. 109-295 (2006) and reauthorized it under the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 [1] or “CFATS Act of 2014” (Pub. L. No. 113-254, 6 USC § 621 et seq.). The Department implemented the CFATS Program through rulemaking and issued an Interim Final Rule (IFR) on April 9, 2007 and a final rule on November 20, 2007. See 72 FR 17688 and 72 FR 65396.


Pursuant to 6 U.S.C. 623, the CFATS regulations establish the requirements under 6 CFR § 27.400 that covered persons must follow to safeguard certain documents and other information developed under the regulations from unauthorized disclosure. This information is identified as CVI and, by law, receives protection from public disclosure and misuse. This collection will be used to manage the CVI program in support of CFATS. The current information collection for the CVI program (IC 1670-0015) will expire on January 31, 2021. [2]


History of the Currently Approved Information Collection


In January 2010, the Department submitted an ICR to OMB for six instruments. The ICR was approved by OMB in March 2010 for three years.


In March 2013, the Department submitted an ICR to OMB, to extend the Information Collection (IC) without change. The ICR was approved by OMB on September 13, 2014 for three years.


In August 2017, the Department submitted an ICR to OMB to revise the IC by: (a) reducing the burden of one instrument (i.e., CVI Authorization), and (b) removing five instruments. The request was approved by OMB on January 19, 2018 for three years.


This ICR requests an extension of the existing IC for three years. The estimated burden is based on historical use of the instrument and not programmatic changes.


Reasons for Revisions


CISA requests that OMB extend this information collection with the following revisions:


  • An increase of the annual reporting and recordkeeping hour and cost burden due to an increase in the respondent wage rate from $78.93/hour to $79.75/hour, which is based on updated Bureau of Labor Statistics (BLS) data.

  • An increase of the overall total annual operating cost to the Federal Government for this collection from $492,927 to $498,655 based on the projected costs for Government Full-time Equivalent (FTE) salaries that are reflected in the Office of Personnel Management’s (OPM) 2020 General Schedule Locality Pay Table.


2. Indicate how, by whom, and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.


Only one instrument is in this IC (i.e., CVI Authorization) and this instrument will be used to manage the CVI Program in support of CFATS. All information collected supports CISA’s effort to reduce the risk of a successful terrorist attack against high-risk chemical facilities. This collection directly and indirectly supports the affected chemical facilities’ requirements to submit data under the CFATS Act of 2014 and CFATS, 6 CFR Part 27.


Chemical-terrorism Vulnerability Information (CVI) Authorization


CVI is a Sensitive but Unclassified designation authorized under 6 U.S.C. 623 and implemented in 6 CFR § 27.400. Providing CVI training is essential to protect the sensitive data developed and/or submitted to CISA pursuant to the CFATS regulation.


Pursuant to 6 CFR 27.400(e)(3), CISA may “make an individual’s access to CVI contingent upon…procedures and requirements for safeguarding CVI that are satisfactory to the [CISA].” Using this authority, CISA requires individuals to undergo CVI training before granting the individual Authorized User status. [3] Specifically, CISA trains individuals on the appropriate maintenance, safeguarding, marking, disclosure, and destruction of CVI. The primary audiences for the training are (1) individuals employed or contracted by chemical facilities, and (2) Federal, State, and local employees and contractors.


To obtain CVI Authorized User status, an individual must check several CVI affirmation statements, complete a web-based CVI authorized user application, and provide responses to several identity verification questions. Upon completion of the application, the system assigns a unique CVI Authorization Number to the individual and transmits that number to CISA. CISA maintains a record of those individuals who have completed the training and received a CVI Authorized User Number.


The information is collected electronically by this instrument.


3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.


The instrument under this IC uses a web-enabled interface as the primary data collection process.


Table 1: Medium Information Collected


| Name of Instrument | Medium of Collection |
|---|---|
| CVI Authorization | Information is collected electronically, by this instrument, via CSAT. |



4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Item 2 above.


CVI is a unique information protection and handling program originally authorized by Congress in Section 550(c) of Pub. Law 109-295 and currently authorized under 6 U.S.C. § 623. As a unique program it does not duplicate any current collection activities.


5. If the collection of information impacts small businesses or other small entities (Item 5 of OMB Form 83-I), describe any methods used to minimize.


No unique methods will be used to minimize the burden to small businesses.


6. Describe the consequence to Federal/DHS program or policy activities if the collection of information is not conducted, or is conducted less frequently, as well as any technical or legal obstacles to reducing burden.


The frequency of collection is dictated by regulation, specifically 6 CFR 27.400. Reporting less frequently will substantially reduce the ability of the CVI Program to ensure the smooth handling and safeguarding of CVI. CVI is essential to implementing and regulating the CFATS, 6 CFR Part 27. Improper handling or disclosure of CVI could release sensitive information to individuals and groups seeking information that would increase the risk of a successful terrorist attack on a high-risk chemical facility.


7. Explain any special circumstances that would cause an information collection to be conducted in a manner:


(a) Requiring respondents to report information to the agency more often than quarterly.

(b) Requiring respondents to prepare a written response to a collection of information in fewer than 30 days after receipt of it.

(c) Requiring respondents to submit more than an original and two copies of any document.

(d) Requiring respondents to retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years.

(e) In connection with a statistical survey, that is not designed to produce valid and reliable results that can be generalized to the universe of study.

(f) Requiring the use of a statistical data classification that has not been reviewed and approved by OMB.

(g) That includes a pledge of confidentiality that is not supported by authority established in statute or regulation, that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use.

(h) Requiring respondents to submit proprietary trade secret, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information’s confidentiality to the extent permitted by law.



No special circumstances are involved with this collection.


8. Federal Register Notice:


a. Provide a copy and identify the date and page number of publication in the Federal Register of the agency’s notice soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the agency in response to these comments. Specifically address comments received on cost and hour burden.

b. Describe efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.

c. Describe consultations with representatives of those from whom information is to be obtained or those who must compile records. Consultation should occur at least once every three years, even if the collection of information activities is the same as in prior periods. There may be circumstances that may preclude consultation in a specific situation. These circumstances should be explained.




| Notice | Date of Publication | Volume # | Number # | Page # | Comments Addressed |
|---|---|---|---|---|---|
| 60-Day Federal Register Notice | March 30, 2020 | 85 | 61 | 17953 | No comments received. |
| 30-Day Federal Register Notice | July 20, 2020 | 85 | 139 | 43863 | No comments received. |
| Update & Correction to 30-Day Federal Register Notice | August 11, 2020 | 85 | 155 | 48552 | |


A 60-day public notice for comments was published in the Federal Register on March 30, 2020 at 85 FR 17953. [4]


A 30-day public notice for comments was published in the Federal Register on July 20, 2020 at 85 FR 43863. [5] A subsequent notice was published to correct the 30-day notice to include an update and correct the docket number on August 11, 2020 at 85 FR 48552. [6] The notice also extended the comment period for an additional 30 days.


9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.


No payment or gift of any kind is provided to any respondents.


10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.



No assurance of confidentiality is provided to the respondents. However, some information may be protected from disclosure by CISA under the designation CVI. CVI is a Sensitive but Unclassified designation authorized under Pub. Law 107-296 and implemented in 6 CFR 27.400.


6 U.S.C. 623(d) states that “in any proceeding to enforce this section, vulnerability assessments, site security plans, and other information submitted to or obtained by the Secretary under this section, and related vulnerability or security information, shall be treated as if the information were classified material.” In addition, 6 CFR § 27.400(h) specifies the circumstances under which access to CVI may be provided by CISA in the context of an administrative enforcement proceeding.


This is a privacy sensitive system. A Privacy Threshold Analysis has been adjudicated by the DHS Privacy Office which resulted in a determination that PIA coverage is provided by DHS/NPPD/PIA-009(a) Chemical Facility Anti-Terrorism Standards, August 12, 2016. SORN coverage is provided by DHS/ALL-002-Department of Homeland Security (DHS) Mailing and Other Lists System, November 25, 2008, 73 FR 71659, and DHS/ALL-004-General Information Technology Access Account Records System (GITAARS), November 27, 2012, 77 FR 70792.


Notwithstanding the Freedom of Information Act (FOIA) (5 U.S.C. 552), the Privacy Act (5 U.S.C. 552a), and other laws in accordance with 6 U.S.C. 623(c) and 6 CFR § 27.400(g), records containing CVI are not available for public inspection or copying, nor does CISA release such records to persons without a need to know. See 6 CFR 27.400(g)(1).


If a record contains both CVI and non-CVI information, the latter information may be disclosed in response to a FOIA request, provided that the record is not otherwise exempt from disclosure under FOIA and that it is practical to redact the protected CVI from the requested record. See 6 CFR 27.400(g)(2).


CISA’s primary IT design requirement is ensuring data security. CISA acknowledges that a non-zero risk exists, both to the original transmission and the receiving transmission, when requesting data over the Internet. CISA has weighed the risk to the data collection approach against the risk to collecting the data through paper submissions and concluded that the web-based approach was the best approach given the risk and benefits.


CISA has taken a number of steps to protect both the data that will be collected through the CSAT Program and the process of collection. The security of the data has been the number one priority of the system design. The site that CISA uses to collect submissions is equipped with hardware encryption that requires Transport Layer Security (TLS), as mandated by the latest Federal Information Processing Standard (FIPS). The encryption devices have full Common Criteria Evaluation and Validation Scheme (CCEVS) certifications. CCEVS is the implementation of the partnership between the National Security Agency and the National Institute of Standards and Technology (NIST) to certify security hardware and software.


11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private. This justification should include the reasons why the agency considers the questions necessary, the specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.


The instrument described in this collection does not request any information of a personally sensitive nature.


12. Provide estimates of the hour burden of the collection of information. The statement should:

a. Indicate the number of respondents, frequency of response, annual hour burden, and an explanation of how the burden was estimated. Unless directed to do so, agencies should not conduct special surveys to obtain information on which to base hour burden estimates. Consultation with a sample (fewer than 10) of potential respondents is desired. If the hour burden on respondents is expected to vary widely because of differences in activity, size, or complexity, show the range of estimated hour burden, and explain the reasons for the variance. Generally, estimates should not include burden hours for customary and usual business practices.



b. If this request for approval covers more than one form, provide separate hour burden estimates for each form and aggregate the hour burdens in Item 13 of OMB Form 83-I.

c. Provide estimates of annualized cost to respondents for the hour burdens for collections of information, identifying and using appropriate wage rate categories. The cost of contracting out or paying outside parties for information collection activities should not be included here. Instead, this cost should be included in Item 14.


CISA assumes that the majority of individuals who will complete this instrument are SSOs, although a smaller number of other individuals may also complete this instrument (e.g., Federal, State, and local government employees and contractors). For the purpose of this notice, CISA maintains this assumption. Therefore, to estimate the total annual burden, CISA multiplied the annual burden of 10,000 hours by the average hourly wage rate of SSOs of $79.75 per hour. The SSOs’ average hourly wage rate of $79.75 was based on an average hourly wage rate of $55.57 [7] with a benefits multiplier of 1.43508. [8]


The individual burden estimate is summarized in the table below:


Table 2: Instrument Burden Estimate

| Instrument | # of Respondents | Responses per Respondent | Average Burden per Response (in hours) | Total Annual Burden (in hours) | Total Annual Burden (in dollars) |
|---|---|---|---|---|---|
| | (a) | (b) | (c) | (d) = (a) x (b) x (c) | (e) = (d) x $79.75 |
| CVI Authorization | 20,000 | 1 | 0.50 | 10,000 | $797,474 |
| Total | 20,000 | | | 10,000 | $797,474 |


Accordingly, the annual total estimate for reporting, recordkeeping, and cost burden, under this collection, is $797,474.


13. Provide an estimate of the total annual cost burden to respondents or record keepers resulting from the collection of information. (Do not include the cost of any hour burden shown in Items 12 and 14.)


The cost estimate should be split into two components: (a) a total capital and start-up cost component (annualized over its expected useful life); and (b) a total operation and maintenance and purchase of services component. The estimates should take into account costs associated with generating, maintaining, and disclosing or providing the information. Include descriptions of methods used to estimate major cost factors including system and technology acquisition, expected useful life of capital equipment, the discount rate(s), and the time period over which costs will be incurred. Capital and start-up costs include, among other items, preparations for collecting information such as purchasing computers and software; monitoring, sampling, drilling and testing equipment; and record storage facilities.


If cost estimates are expected to vary widely, agencies should present ranges of cost burdens and explain the reasons for the variance. The cost of purchasing or contracting out information collection services should be a part of this cost burden estimate. In developing cost burden estimates, agencies may consult with a sample of respondents (fewer than 10), utilize the 60-day pre-OMB submission public comment process and use existing economic or regulatory impact analysis associated with the rulemaking containing the information collection as appropriate.


Generally, estimates should not include purchases of equipment or services, or portions thereof, made: (1) prior to October 1, 1995, (2) to achieve regulatory compliance with requirements not associated with the information collection, (3) for reasons other than to provide information to keep records for the government, or (4) as part of customary and usual business or private practices.


CISA provides access to CSAT free of charge and assumes that each respondent already has computer hardware and access to the internet for basic business needs. No other annualized capital or start-up costs are incurred by chemical facilities of interest or high-risk chemical facilities for this information collection.


14. Provide estimates of annualized cost to the Federal Government. Also, provide a description of the method used to estimate cost, which should include quantification of hours, operational expenses (such as equipment, overhead, printing and support staff), and any other expense that would have been incurred without this collection of information. You may also aggregate cost estimates for Items 12, 13, and 14 in a single table.



Federal Government costs can be divided between the cost associated with collection of information and the cost associated with managing and responding to the submitted data. The cost associated with collecting the information is essentially the cost of operating and maintaining the collection instruments within CSAT. The annual Operating and Maintenance (O&M) costs for the instruments within CSAT are estimated at $0.4M. In addition, the costs of Government FTE have decreased from two GS-14 FTE Program Managers to ½ GS-14, Step 5 FTE Program Manager due to a reassessment of manpower requirements in support of the CVI Program. The cost associated with managing and responding to the submitted data is the management equivalent to the cost of employing a ½ FTE at the GS-14, Step 5 level. These FTE costs are the fully-loaded cost associated with salary costs with a 1.43508 benefits multiplier. The fully-loaded wage rate for a GS-14, Step 5 FTE is $197,311 ($137,491 base salary x 1.43508 benefits multiplier).


Table 3: Estimates of Annualized Costs for the Collection of Data

| Expense Type | Expense Explanation | Annual Costs (in dollars) |
|---|---|---|
| Direct Costs to the Federal Government | 1/2 FTE (GS-14, Step 5) @ $197,311/year (Washington-Baltimore-Arlington, DC-MD-VA-WV-PA 2020 Pay Scale) | $98,655 |
| CSAT O&M | Costs for O&M of CSAT Application | $400,000 |
| Total | | $498,655 |


In sum, the estimated total annual operating cost to the U.S. Government for this collection is $498,655.


15. Explain the reasons for any program changes or adjustments reported in Items 13 or 14 of the OMB Form 83-I. Changes in hour burden, i.e., program changes or adjustments made to annual reporting and recordkeeping hour and cost burden. A program change is the result of deliberate Federal Government action. All new collections and any subsequent revisions of existing collections (e.g., the addition or deletion of questions) are recorded as program changes. An adjustment is a change that is not the result of a deliberate Federal Government action. These changes that result from new estimates or actions not controllable by the Federal Government are recorded as adjustments.



There are no program changes or adjustments reported in Items 13 or 14. The minor revisions to the burden estimates are described in question 1 of this document and again here:


  • An increase of the annual reporting and recordkeeping hour and cost burden for SSOs using a wage rate of $79.75/hour, which is based on updated Bureau of Labor Statistics (BLS) data.

  • An increase of the overall total annual operating cost to the Federal Government for this collection from $492,927 to $498,655 based on the projected costs for Government Full-time Equivalent (FTE) salaries that are reflected in the Office of Personnel Management’s (OPM) 2020 General Schedule Locality Pay Table.


Taking into consideration these minor changes, the total annual estimate for reporting, recordkeeping, and cost burden under this collection is expected to increase from $789,335 to $797,474.


16. For collections of information whose results will be published, outline plans for tabulation and publication. Address any complex analytical techniques that will be used. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.



No plans exist for the use of statistical analysis or to publish this information.


17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain reasons that display would be inappropriate.



The expiration date will be displayed in the instruments.


18. Explain each exception to the certification statement identified in Item 19 “Certification for Paperwork Reduction Act Submissions,” of OMB Form 83-I.


No exceptions have been requested.

1 The CFATS Act of 2014 codified the CFATS program into the Homeland Security Act of 2002. See 6 U.S.C. 621 et seq., as amended by Pub. L. No. 116-2.

2 The current information collection for CVI (i.e., IC 1670-0015) may be viewed at https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=201704-1670-002.

3 Authorization for access to CVI does not constitute “need to know.” The concept for need to know is addressed in the CVI Training and is based upon 6 CFR 27.400(e).

4 The 60-day notice may be viewed at https://www.federalregister.gov/d/2020-06499.

5 The 30-day notice may be viewed at https://www.federalregister.gov/d/2020-15570.

6 The update and corrected 30-day notice may be viewed at https://www.federalregister.gov/d/2020-17443.

7 The wage used for an SSO equals that of Managers, All (11-9199), with a load factor of 1.4639 to account for benefits in addition to wages https://www.bls.gov/oes/2018/may/oes119199.htm.

8 Load factor based on BLS Employer Cost for Employee Compensation, as of September 2019. Load factor = Employer cost for employee compensation ($60.79) / wages and salaries ($42.36) = 1.43508 https://www.bls.gov/news.release/ecec.t04.htm.

File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title: Supporting Statement A - CVI
Author: fema user
File Modified: 0000-00-00
File Created: 2021-01-13
