1652-0056 Pipeline CSR SS (emergency request_to DHS)

Download: docx | pdf

1. Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information. (Annotate the CFR parts/sections affected).

The Transportation Security Administration (TSA) has broad responsibility and authority for “security in all modes of transportation . . . including security responsibilities . . . over modes of transportation that are exercised by the Department of Transportation.” 49 U.S.C. 114(d). In addition to carrying out the security responsibilities in paragraph (d), TSA is responsible for “assess[ing] threats to transportation” and “develop[ing] policies, strategies, and plans for dealing with threats to transportation security.” 49 U.S.C. 1114(f)(2) and (3). Congress has recognized TSA’s responsibility for pipeline security by requiring TSA to conduct assessments of pipeline security systems. See Sec. 1557 of the Implementing Recommendations of the 9/11 Commission Act (Pub. L. 110-53; 121 Stat. 475; Aug. 3, 2007), as codified at 6 U.S.C. 1207.

In order to assess current industry security practices, TSA implemented its Pipeline Corporate Security Review (PCSR) program. The PCSR is a voluntary, face-to-face visit with a pipeline owner/operator during which TSA discusses the company’s corporate level security planning and also completes the PCSR Form, which includes 210 questions concerning the owner/operator’s corporate level security planning, covering security topics such as physical and cyber security, vulnerability assessments, training, and emergency communications. TSA also follows up on results of each PCSR.

Emergency Request

Due to the ongoing cybersecurity threat to pipeline systems and associated infrastructure, TSA issued Security Directive (SD) Pipeline 2021-01 in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) under TSA’s authority in 49 U.S.C. §114(l)(2)¹. TSA has statutory authority to immediately issue security directives if the Administrator of TSA determines that actions are needed to protect transportation security. See 49 U.S.C. 114(l)(2). To protect against the ongoing cybersecurity threat, TSA is prepared to use its authority to issue additional requirements through an SD, such as mandating that TSA-specified Owners/Operators of gas and liquid pipelines implement an array of cybersecurity measures to prevent disruption and degradation to their infrastructure. TSA is seeking emergency approval to revise the collection due to the need to impose additional emergency requirements on Pipeline Owner/Operators through this SD.

2. Indicate how, by whom, and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.

As required by 6 U.S.C. 1207, TSA has used the information collected during the PCSR process to determine baseline security standards and areas of security weakness in the pipeline mode. This data and interaction with stakeholders informs the agency’s Pipeline Security Guidelines and Pipeline Security Best Practice Observation documents.

Regarding the emergency request, to ensure compliance with TSA’s requirements, the SD will also necessitate collection of information. This additional collection requires TSA to amend this currently approved OMB control number 1652-0056, Pipeline Corporate Security Review (PCSR), for which TSA is seeking emergency approval.

Through a security directive, TSA will require Owner/Operators to implement the following collections of information:

Cybersecurity Contingency/Response Plan

Owner/Operators will be required to develop and adopt a Cybersecurity Contingency/Response Plan to ensure the resiliency of their operations in the event of a cybersecurity attack. Owners/operators must provide evidence of compliance to TSA upon request.

Third-Party Evaluation

Owner/Operators are required to have a third-party complete an evaluation of their industrial control system design and architecture to identify previously unrecognized vulnerabilities. This evaluation must include a written report detailing the results of the evaluation and the acceptance or rejection of any recommendations provided by the evaluator to address vulnerabilities. This written report must be made available to TSA upon request and retained for no less than 2 years from the date of completion.

Certification of completion of SD requirements

Within 7 days of the deadlines set forth in the SD, Owner/Operators must ensure that their Cybersecurity Coordinator or other accountable executive submits a statement to TSA via email certifying that the Owner/Operator has met the requirements of the SD. TSA is not requiring any specific format for making these notifications, but is requiring them to be made in a timely way. Documentation of compliance must be provided upon request.

3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.

The collection is conducted by means of a site visit to a pipeline owner/operator’s headquarters location. During the site visit, TSA discusses the owner/operator’s security planning, and all information captured during the visit is later recorded electronically by TSA onto the PCSR Workbook. This collection workbook is secured and retained electronically by TSA upon completion and used for analysis in determining industry baseline standards. The intent of the PCSR program is to verify that the owner/operator is implementing its security program through an onsite review of its security plan as well as to provide a means for TSA to build stakeholder relations through a face-to-face discussion on security planning, a goal which is not readily achievable or practicable if an electronic reporting option were available to the owner/operator as an alternative to the onsite visit.

Regarding the emergency request, TSA’s security directives require collection of information to establish compliance with the security directives’ requirements. For example, TSA will require Owner/Operators to submit a statement that they have complied with requirements within the established deadline. Such statements can be made by e-mail or other means without required use of a specific form.

4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purpose(s) described in Item 2 above.

TSA works closely with its partners at the U.S. Department of Transportation’s (DOT) Pipeline and Hazardous Materials Safety Administration (PHMSA) to coordinate security initiatives. Since 2006, the two agencies have operated under an annex to the memorandum of understanding (MOU) between DOT and the Department of Homeland Security. This annex specifically addresses the respective roles and responsibilities of TSA and PHMSA as well as coordination processes. There is no other similar information collection currently in place at PHMSA that specifically targets corporate-level security planning and plan implementation in the pipeline mode of transportation.

Regarding the emergency submission, TSA developed the requirements in consultation with CISA and in coordination with PHMSA as well as the Department of Energy and other applicable agencies. TSA has determined that no other agency requires submission of the type of information TSA may collected related to its security directives. These include no other cybersecurity measures, Cybersecurity Contingency/Response Plan or Third Party Evaluation and described certifications so no similar information is available to be used by DHS.

5. If the collection of information has a significant impact on a substantial number of small businesses or other small entities (Item 5 of the Paperwork Reduction Act submission form), describe the methods used to minimize burden.

This information collection should not have a significant impact on small businesses or other small entities. While there are over 2,200 pipeline owner/operators in the United States, the PCSR primarily focuses on the nation’s top 100 pipeline systems, as determined by energy throughput. These top 100 systems are operated by approximately 85 companies, and account for 85 percent of all hazardous liquids and natural gas transported in the United States. These companies are often large, corporate operations with business ventures across the world, and as such, employ hundreds if not thousands of employees. By focusing the PCSR on the top 100 pipeline systems in the United States, TSA is aligning its mission and resources with DHS’s risk-based security approach. It is possible that TSA will visit pipeline systems outside the top 100, but only as circumstances dictate (e.g., intelligence information indicates a smaller system is the target of a credible threat, or smaller systems are of critical importance to national defense). Given that the PCSR program only visits a maximum of 20 out of 2,200 owner/operators a year, and the owner/operators visited often represent the largest pipeline companies in the United States, there should be no significant impact on a substantial number of small pipeline owner/operators in any given year of the program.

Regarding the emergency submission, the SD applies to TSA identified critical pipeline owner/operators – none of which is a small business.

6. Describe the consequence to Federal program or policy activities if the collection is not conducted or is conducted less frequently, as well as any technical or legal obstacles to reducing burden.

If the PCSR collection were to be discontinued, this would impede TSA’s ability to remain current on minimum security standards being voluntarily employed in the industry, as well as diminish its ability to identify areas of security weakness, two activities that are critical to the agency in carrying out its transportation security mission. Without means of collecting this information, TSA would be unable to confidently identify security gaps and weakness in the pipeline mode and, consequently, would not be able to effectively identify areas to develop programs to better strengthen modal security.

Without emergency approval, DHS will be unable to address the critical threat to the nation’s pipeline systems. The use of normal PRA clearance procedures is reasonably likely to result in public harm such that TSA and CISA would be hindered in their ability to address immediate threats to pipeline systems if the SD were not issued in the near future.

7. Explain any special circumstances that require the collection to be conducted in a manner inconsistent with the general information collection guidelines in 5 CFR 1320.5(d)(2).

There are no special circumstances that would require the collection to be conducted in a manner inconsistent with the general information collection guidelines in 5 CFR 1320.5(d) (2).

8. Describe efforts to consult persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported. If applicable, provide a copy and identify the date and page number of publication in the Federal Register of the agency's notice, required by 5 CFR 1320.8(d) soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the agency in response to these comments. Specifically address comments received on cost and hour burden.

TSA is currently seeking an Emergency Approval of this collection. In light of the ongoing cybersecurity threat, TSA is seeking a waiver to the requirement in 5 CFR 1320.13(d) to publish a Federal Register notice announcing TSA is seeking emergency processing of this ICR. Upon approval of the Emergency Request, TSA will seek public comment on the collection following the normal clearance process providing a 60 and 30 Day commenting period.

9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.

No payment or gift will be provided to respondents.

10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.

No assurances of confidentiality were provided to respondents; however, to the extent permissible under the law, DHS will seek to protect the trade secrets and commercial and financial information of the pipeline owner/operators. Also, to the extent information collected is deemed Sensitive Security Information (SSI), TSA will handle as required by 49 CFR parts 15 and 1520. In addition, Privacy Impact Assessment (PIA) coverage is provided under the DHS/ALL/PIA-006 General Contact Lists PIA. (June 15, 2007).

11. Provide additional justification for any questions of sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private.

No personal questions of a sensitive nature will be posed during the information collection.

12. Provide estimates of hour and cost burden of the collection of information.

TSA anticipates completing 20 PCSRs annually. Each PCSR places an 8-hour burden on a respondent, and an additional 1-3 hours to follow-up on results of each PCSR, for an annual hour burden of 9-11 hours; the annual hour burden for the entire collection of 180-220 hours. TSA uses a fully-loaded wage rate² of $91.90 for a Corporate Security Manager.³ TSA estimates an annual hour burden cost to the public of $16,542 - $20,218. Table 1 summarizes these results.

Table 1. Public PCSR Hour Burden and Costs
Activity	Number of Annual Responses	Hour Burden per Response	Annual Hour Burden	Annual Hour Burden Cost
	A	B	C = A x B	D = C x $91.90
PCSR	20	9-11	180-120	$16,542 - $20,218
Total	20		180-220	$16,542 - $20,218

Regarding the emergency request, TSA will submit revised burden estimates for the Cybersecurity Contingency/Response Plan, Third Party Evaluation and described certifications in the next renewal for this ICR. These estimates will differ as the scope of the assessment is narrower.

13. Provide an estimate of annualized capital and start-up costs. (Do not include the cost of any hour burden shown in Items 12 and 14).

TSA does not estimate a cost to the pipeline industry beyond the hour burden detailed in answer 12.

Regarding the emergency request, TSA will submit revised burden estimates for the Third Party Evaluation in the next renewal for this ICR.

14. Provide estimates of annualized cost to the Federal Government. Also, provide a description of the method used to estimate cost, and other expenses that would not have been incurred without this collection of information.

A PCSR is conducted by one (1) representative from TSA; either a Senior Analyst (J Band) or a Junior Analyst (I Band). Each review takes approximately 8 hours per employee. Following the review, an additional 32 hours are devoted to completing the form, which is split equally between two analysts, for an annual hour burden of 800 hours. TSA I-Band employees have a fully-loaded wage rate of $66.79. TSA J-Band employees have a fully-loaded wage rate of $78.65. TSA uses a simple average wage rate of $72.72 to estimate the hour burden costs, for an annual hour burden cost of $58,176. Table 2 summarizes these estimates.

Table 2. TSA PCSR Hour Burden and Costs
Activity	Number of Annual Responses	Hour Burden per Response	Annual Hour Burden	Annual Hour Burden Cost
	A	B	C = A x B	D = C x $72.72
PCSR	20	40	800	$58,176
Total	20		800	$58,176

In addition, TSA expends an estimated $24,000 in travel costs to support the PCSR process. This brings the total TSA annual costs $82,176.

14. Explain the reasons for any program changes or adjustments reported in Items 13 or 14 of the OMB Form 83-I.

There are no program changes from the previously reported information; however, TSA is adding the mandatory submission of cybersecurity plan, third party evaluation and certification to this collection as described above related to the emergency request.

14. For collections of information whose results will be published, outline plans for tabulation and publication. Address any complex analytical techniques that will be used. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.

Security information collected during the PCSR will not be published or shared. To the extent information collected via the PCSR process is considered to be SSI, it will be protected from disclosure and publication, and will be handled as described in 49 CFR parts 15 and 1520.

Regarding the emergency request, no information resulting from the collections under the SD will be published.

14. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons that display would be inappropriate.

Not applicable.

14. Explain each exception to the certification statement identified in Item 19, “Certification for Paperwork Reduction Act Submissions,” of OMB Form 83-I.

No exceptions noted.

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title	PRA 83i Form For Fill-In; with Supplemental Info Section
Author	Marisa.Mullen
File Modified	0000-00-00
File Created	2021-07-15