Download:
docx |
pdf
Supporting Statement for Paperwork Reduction Act Submissions
Title:
OMB
Control Number: 1670-0014
Chemical-Facility
Anti-Terrorism Standards
Supporting
Statement A
A. Justification
���1. Explain the circumstances that make the collection of
information necessary. Identify any legal or administrative
requirements that necessitate the collection. Attach a copy of the
appropriate section of each statute and regulation mandating or
authorizing the collection of information.
The CFATS Program
identifies and regulates the security of high-risk chemical
facilities using a risk-based approach. The Protecting and Securing
Chemical Facilities from Terrorist Attacks Act of 2014 (also known as
the CFATS Act of 2014, Public Law 113-254) and also codified the
CFATS program into the Homeland Security Act of 2002. See 6 U.S.C.
621 et seq., as amended by Public Law 116-136, Sec. 16007 (2020).The
Department implemented the CFATS Program through rulemaking and
issued an Interim Final Rule (IFR) on April 9, 2007 and a final rule
on November 20, 2007. See 72 FR 17688 and 72 FR 65396.
Pursuant to 6 U.S.C.
623, the CFATS regulations allows, and sometimes requires, facilities
to communicate or notify CISA of specific information that is not
otherwise collected through the primary CFATS information collection
no.1670-0007.
This information
collection (1670-0014) will expire on December 31, 2021.
History of the
Currently Approved Information Collection
In January 2010, the
Department submitted an ICR to OMB to establish four new instruments.
This request was approved by OMB on March 19, 2010.
In March 2013, the
Department submitted an ICR to OMB, to extend the authorization to
use the four instruments without change. This request was approved by
OMB on September 13, 2014.
In August 2017, the
Department submitted an ICR which: (a) revised the burden of the
collection, (b) revised the existing four instruments, and (c) added
a new instrument. This request was also approved by OMB on December
19, 2018.
This ICR requests a
revision of the Information Collection and subsequent approval to
collect information for an additional three years.
Reasons for
Revisions
CISA requests that
OMB extend this information collection with the following revisions:
Minor revisions
to all five instruments that reflect the passage of the
Cybersecurity and Infrastructure Security Act of 2018, 6 U.S.C. §§
651-74, such as updating the Agency name to conform with the
Agency’s new designation as CISA, as well as provide clearer
descriptions of the scope of each instrument. CISA is not proposing
changes to the scope of any instrument.
Updated the
number of respondents for all instruments based on historical data
collected related to these instruments between CY2018 and CY2021.
Updated the
number of responses per respondent for two instruments (i.e.,
Request for an Extension and Compliance Assistance) based on
historical data collected between CY2018 and CY2020.
An increase of
the annual reporting and recordkeeping hour and cost burden due to
an increase in the respondent wage rate from $79.75/hour to
$85.82/hour, which is based on updated Bureau of Labor Statistics
(BLS) data.
An increase of
the overall total annual operating cost to the Federal Government
for this collection from $957,562 to $1,001,189 based on the
projected costs for Government Full-time Equivalent (FTE) salaries
that is reflected in the Office of Personnel Management’s
(OPM) 2020 General Schedule Locality Pay Table.
���2. Indicate how, by whom, and for what purpose the information is
to be used. Except for a new collection, indicate the actual use the
agency has made of the information received from the current
collection.
The instruments that
comprise this collection are as follows:
Request for
Redetermination
Request for an
Extension
Top-Screen
Update
Compliance
Assistance
Declaration of
Reporting Status
All information
collected supports CISA’s effort to reduce the risk of a
successful terrorist attack against high-risk chemical facilities.
This collection directly and indirectly supports the affected
chemical facilities’ requirements to submit data under the
CFATS Act of 2014 and CFATS, 6 CFR Part 27.
Request for Redetermination
Pursuant to 6 CFR §
27.205(b), a covered facility that has been previously determined to
present a high level of security risk that has materially altered its
operations may seek a redetermination from CISA by completing this
instrument. In many instances, a request for redetermination may be
submitted by a facility concurrent with its submission of a
Top-Screen as a result of a material modification pursuant to 6 CFR §
27.210(d). Whether or not a Top Screen is submitted, this instrument
also provides a facility with the opportunity to provide an
explanation supporting why CISA should grant the redetermination
request. Under 6 CFR § 27.205(b), CISA is required to respond
within 45 calendar days of receipt of a redetermination request. This
instrument allows the covered facility to notify CISA of a reduced
quantity of chemical(s) of interest or to notify of the removal of a
chemical(s) of interest. The instrument will collect the supporting
information needed to verify the reason for the request for
redetermination.
The information is
primarily collected electronically by this instrument.
Request for an
Extension
Pursuant to 6 CFR §
27.210(c), CISA has authority to modify the submission schedule for
Top Screens, Security Vulnerability Assessments (SVA), Site Security
Plans (SSP), and Alternative Security Programs (ASPs). Facilities
that require additional time to submit information may request an
extension from CISA using this instrument. By completing this
instrument CISA will consider extending the submission deadline for a
particular facility.
The information is
primarily collected electronically by this instrument.
Top-Screen Update
Pursuant to 6 CFR §
27.210, a facility will use this instrument when it needs to submit a
revised Top Screen based on closure or sale of the facility, addition
of a new Chemical of Interest (COI), and elimination or changes to
the amount of existing COI. This instrument also covers the
resubmission of a Top Screen pursuant to the schedule provided in 6
CFR § 27.210(b).
The information is
primarily collected electronically by this instrument.
Compliance
Assistance
A chemical facility
of interest may submit a written request to initiate consultations or
seek technical assistance from CISA. This instrument may be used by a
facility to request such consultation and/or technical assistance. If
requested, CISA may provide assistance with submission of a TS, SVA,
SSP, or ASP; assist a facility with registration; or answer
additional questions, as necessary; allow an inspector to visit a
potentially non-compliant facility; verify material modifications
during the redetermination process; or follow-up on security issues
or results of a recent incident. This instrument requires that the
facility specify a reason for the request and their desired outcome.
The information is
primarily collected electronically by this instrument.
Declaration of
Reporting Status
Pursuant to 6 CFR
Part 27, this instrument will be used by a chemical facility to
identify that it is not required to submit a Top Screen. The facility
must specify a reason for the request and the facility’s
desired outcome. This information will be used by CISA to assist in
its efforts to identify chemical facilities of interest.
The information is
primarily collected electronically by this instrument.
���3. Describe whether, and to what extent, the collection of
information involves the use of automated, electronic, mechanical, or
other technological collection techniques or other forms of
information technology, e.g., permitting electronic submission of
responses and the basis for the decision for adopting this means of
collection. Also describe any consideration of using information
technology to reduce burden.
CISA collects
information primarily in electronic format through the CSAT system to
enhance access controls and reduce the paperwork burden for chemical
facilities. CISA collects information covered by the Compliance
Assistance instrument from chemical facilities primarily through
email requests.
Table 1: Medium
Information Is Collected In
Name of Instrument
|
Medium Collection
|
Request for Redetermination
|
The information is
primarily collected electronically by this instrument.
|
Request for an Extension
|
The information is
primarily collected electronically by this instrument.
|
Top-Screen Update
|
The information is
primarily collected electronically by this instrument.
|
Compliance Assistance
|
The information is
primarily collected electronically by this instrument.
|
Declaration of Reporting
Status
|
The information is
primarily collected electronically by this instrument.
|
���4. Describe efforts to identify duplication. Show specifically why
any similar information already available cannot be used or modified
for use for the purposes described in Item 2 above.
CFATS is authorized
by the Protecting and Securing Chemical Facilities from Terrorist
Attacks Act of 2014 (also known as the CFATS Act of 2014, Pub. L. No.
113-254) which codified the CFATS program into the Homeland Security
Act of 2002. See 6 U.S.C. 621 et seq., as amended by
Pub. L. No. 116-136, Sec. 16007 (2020).
As a unique chemical
security program it does not duplicate any current collection
activities.
���5. If the collection of information impacts small businesses or
other small entities (Item 5 of OMB Form 83-I), describe any methods
used to minimize.
No unique methods
will be used to minimize the burden to small businesses.
���6. Describe the consequence to Federal/DHS program or policy
activities if the collection of information is not conducted, or is
conducted less frequently, as well as any technical or legal
obstacles to reducing burden.
The frequency of
collection is largely dictated by regulation, specifically 6 CFR part
27. Failure to conduct this collection, or to conduct collection less
frequently would hinder a facilities’ ability to comply with
the regulation and CISA’s ability to enforce compliance with
the regulation.
���7. Explain any special circumstances that would cause an
information collection to be conducted in a manner:
���(a) Requiring respondents to report information to the agency more
often than quarterly.
������(b) Requiring respondents to prepare a written response to a
collection of information in fewer than 30 days after receipt of it.
���(c) Requiring respondents to submit more than an original and two
copies of any document.
���(d) Requiring respondents to retain records, other than health,
medical, government contract, grant-in-aid, or tax records for more
than three years.
���(e) In connection with a statistical survey, that is not designed
to produce valid and reliable results that can be generalized to the
universe of study.
������(f) Requiring the use of a statistical data classification that
has not been reviewed and approved by OMB.
���(g) That includes a pledge of confidentiality that is not
supported by authority established in statute or regulation, that is
not supported by disclosure and data security policies that are
consistent with the pledge, or which unnecessarily impedes sharing of
data with other agencies for compatible confidential use.
���(h) Requiring respondents to submit proprietary trade secret, or
other confidential information unless the agency can demonstrate that
it has instituted procedures to protect the information’s
confidentiality to the extent permitted by law.
���
No special
circumstances are involved with this collection.
8. Federal Register Notice:
������a. Provide a copy and identify the date and page number of
publication in the Federal Register of the agency’s
notice soliciting comments on the information collection prior to
submission to OMB. Summarize public comments received in response to
that notice and describe actions taken by the agency in response to
these comments. Specifically address comments received on cost and
hour burden.
������b. Describe efforts to consult with persons outside the agency
to obtain their views on the availability of data, frequency of
collection, the clarity of instructions and recordkeeping,
disclosure, or reporting format (if any), and on the data elements to
be recorded, disclosed, or reported.
���c. Describe consultations with representatives of those from whom
information is to be obtained or those who must compile records.
Consultation should occur at least once every three years, even if
the collection of information activities is the same as in prior
periods. There may be circumstances that may preclude consultation in
a specific situation. These circumstances should be explained.
���
Table 2: Listing
of Federal Register Notices
|
Date of Publication
|
Volume #
|
Number #
|
Page #
|
Comments Addressed
|
60-Day Federal Register
Notice:
|
3/23/2021
|
86
|
54
|
15490
|
YES
|
30-Day Federal Register
Notice
|
6/23/2021
|
86
|
118
|
32953
|
N/A
|
CORRECTION to 30-Day
Federal Register Notice
|
6/29/2021
|
86
|
122
|
34267
|
|
A 60-day public
notice for comments was published in the Federal Register on
March 23, 2021 at 86 FR 15490.
A 30-day public
notice for comments was published in the Federal Register on
June 23, 2021 at 86 FR 32953.
A correction to the
30-day public notice for comments was published in the Federal
Register on June 29, 2021 at 86 FR 34267.
���9. Explain any decision to provide any payment or gift to
respondents, other than remuneration of contractors or grantees.
No payment or gift
of any kind is provided to any respondents.
���10. Describe any assurance of confidentiality provided to
respondents and the basis for the assurance in statute, regulation,
or agency policy.
���
No assurance of
confidentiality is provided to the respondents. However, some
information may be protected from disclosure by CISA under the
designation CVI. CVI is a Sensitive but Unclassified designation
authorized under Pub. Law 107-296 and implemented in 6 CFR 27.400.
6 U.S.C. 623(d)
states that “in any proceeding to enforce this section,
vulnerability assessments, site security plans, and other information
submitted to or obtained by the Secretary under this section, and
related vulnerability or security information, shall be treated as if
the information were classified material.” In addition, 6 CFR §
27.400(h) specifies the circumstances under which access to CVI may
be provided by CISA in the context of an administrative enforcement
proceeding.
This is a privacy
sensitive system. A Privacy Threshold Analysis has been adjudicated
by the DHS Privacy Office which resulted in a determination that PIA
coverage is provided by DHS/NPPD/PIA-009(a) Chemical Facility
Anti-Terrorism Standards August 12, 2016. SORN coverage is provided
by DHS/ALL-002-Department of Homeland Security (DHS) Mailing and
Other Lists System, November 25, 2008, 73 FR 71659,
DHS/ALL-004-General Information Technology Access Account Records
System (GITAARS), November 27, 2012, 77 FR 70792.
Notwithstanding the
Freedom of Information Act (FOIA) (5 U.S.C. 552), the Privacy Act (5
U.S.C. 552a), and other laws in accordance with 6 U.S.C. 623(c) and 6
CFR § 27.400(g), records containing CVI are not available for
public inspection or copying, nor does CISA release such records to
persons without a need to know. See 6 CFR 27.400(g)(1).
If a record contains
both CVI and non-CVI information, the latter information may be
disclosed in response to a FOIA request, provided that the record is
not otherwise exempt from disclosure under FOIA and that it is
practical to redact the protected CVI from the requested record. See
6 CFR 27.400(g)(2).
CISA’s primary
IT design requirement is ensuring data security. CISA acknowledges
that a non-zero risk exists, both to the original transmission and
the receiving transmission, when requesting data over the Internet.
CISA has weighed the risk to the data collection approach against the
risk to collecting the data through paper submissions and concluded
that the web-based approach was the best approach given the risk and
benefits.
CISA has taken a
number of steps to protect both the data that will be collected
through the CSAT Program and the process of collection. The security
of the data has been the number one priority of the system design.
The site that CISA uses to collect submissions is equipped with
hardware encryption that requires Transport Layer Security (TLS), as
mandated by the latest Federal Information Processing Standard
(FIPS). The encryption devices have full Common Criteria Evaluation
and Validation Scheme (CCEVS) certifications. CCEVS is the
implementation of the partnership between the National Security
Agency and the National Institute of Standards (NIST) to certify
security hardware and software.
11. Provide additional justification for any questions of a sensitive
nature, such as sexual behavior and attitudes, religious beliefs, and
other matters that are commonly considered private. This
justification should include the reasons why the agency considers the
questions necessary, the specific uses to be made of the information,
the explanation to be given to persons from whom the information is
requested, and any steps to be taken to obtain their consent.
The instrument
described in this collection does not request any information of a
personally sensitive nature.
������12. Provide estimates of the hour burden of the collection of
information. The statement should:
������a. Indicate the number of respondents, frequency of response,
annual hour burden, and an explanation of how the burden was
estimated. Unless directed to do so, agencies should not conduct
special surveys to obtain information on which to base hour burden
estimates. Consultation with a sample (fewer than 10) of potential
respondents is desired. If the hour burden on respondents is expected
to vary widely because of differences in activity, size, or
complexity, show the range of estimated hour burden, and explain the
reasons for the variance. Generally, estimates should not include
burden hours for customary and usual business practices.
���
b. If this request for approval covers more than one form, provide
separate hour burden estimates for each form and aggregate the hour
burdens in Item 13 of OMB Form 83-I.
c. Provide estimates of annualized cost to respondents for the hour
burdens for collections of information, identifying and using
appropriate wage rate categories. The cost of contracting out or
paying outside parties for information collection activities should
not be included here. Instead, this cost should be included in Item
14.
CISA assumes that
the majority of individuals who will complete this instrument are
SSOs, although a smaller number of other individuals may also
complete this instrument (e.g., Federal, State, and local government
employees and contractors). For the purpose of this notice, CISA
maintains this assumption. Therefore, to estimate the total annual
burden, CISA multiplied the annual burden of 575 hours by the average
hourly wage rate of SSOs of $85.82 per hour. The SSOs’ average
hourly wage rate was based on an average hourly wage rate of $58.88
with a benefits multiplier of 1.4575.
The instrument
burden estimates are summarized in the table below:
Table 3:
Instrument Burden Estimate
Instrument
|
# of Respondents
|
Responses per Respondent
|
Average Burden per
Response (in hours)
|
Total Annual Burden (in
hours)
|
Total Annual Burden (in
dollars)
|
|
(a)
|
(b)
|
(c)
|
(d) = (a) x (b) x (c)
|
(e) = (d) x $85.82
|
Request for Redetermination
|
250
|
1
|
0.25
|
62.5
|
$5,364
|
Request for an Extension
|
400
|
1.25
|
0.083
|
41.7
|
$3,576
|
Top-Screen Update
|
2,500
|
1.5
|
0.083
|
312.5
|
$26,818
|
Compliance Assistance
|
1,600
|
1
|
0.083
|
133.3
|
$11,443
|
Declaration of Reporting
Status
|
100
|
1
|
0.25
|
25
|
$2,145
|
Total
|
4,850
|
6,200
|
|
575
|
$49,346
|
Accordingly, the
annual total estimate for reporting, recordkeeping, and cost burden,
under this collection, is $49,346.
���13. Provide an estimate of the total annual cost burden to
respondents or record keepers resulting from the collection of
information. (Do not include the cost of any hour burden shown in
Items 12 and 14.)
The cost estimate should be split into two components: (1) a total
capital and start-up cost component (annualized over its expected
useful life); and (b) a total operation and maintenance and purchase
of services component. The estimates should take into account costs
associated with generating, maintaining, and disclosing or providing
the information. Include descriptions of methods used to estimate
major cost factors including system and technology acquisition,
expected useful life of capital equipment, the discount rate(s), and
the time period over which costs will be incurred. Capital and
start-up costs include, among other items, preparations for
collecting information such as purchasing computers and software;
monitoring, sampling, drilling and testing equipment; and record
storage facilities.
If cost estimates are expected to vary widely, agencies should
present ranges of cost burdens and explain the reasons for the
variance. The cost of purchasing or contracting out information
collection services should be a part of this cost burden estimate. In
developing cost burden estimates, agencies may consult with a sample
of respondents (fewer than 10), utilize the 60-day pre-OMB submission
public comment process and use existing economic or regulatory impact
analysis associated with the rulemaking containing the information
collection as appropriate.
Generally, estimates should not include purchases of equipment or
services, or portions thereof, made: (1) prior to October 1, 1995,
(2) to achieve regulatory compliance with requirements not associated
with the information collection, (3) for reasons other than to
provide information to keep records for the government, or (4) as
part of customary and usual business or private practices.
CISA provides access
to CSAT free of charge and assumes that each respondent already has
computer hardware and access to the internet for basic business
needs. No other annualized capital or start-up costs are incurred by
chemical facilities of interest or high-risk chemical facilities for
this information collection.
14. Provide estimates of annualized cost to the Federal Government.
Also, provide a description of the method used to estimate cost,
which should include quantification of hours, operational expenses
(such as equipment, overhead, printing and support staff), and any
other expense that would have been incurred without this collection
of information. You may also aggregate cost estimates for Items 12,
13, and 14 in a single table.
���
Federal Government
costs can be divided between the cost associated with collection of
information and the cost associated with managing and responding to
the submitted data. The cost associated with collecting the
information is essentially the cost of operating and maintaining the
collection instruments within CSAT. The annual Operating and
Maintenance (O&M) costs for the instruments with CSAT are
estimated at $0.4M. The cost associated with managing and responding
to the submitted data is the management equivalent to the cost of
employing 3 FTE at the GS-14, Step 5 level.
Table 3:
Estimates of Annualized Costs for the Collection of Data
Expense Type
|
Expense Explanation
|
Annual Costs (in
dollars)
|
Direct Costs to the Federal
Government
|
Three FTEs (GS-14, Step 5)
|
$601,189
|
CSAT O&M
|
Costs for O&M of CSAT
Application
|
400,000
|
Total
|
|
$1,001,189
|
In sum, the
estimated total annual operating cost to the U.S. Government for this
collection is $1,001,189.
���15. Explain the reasons for any program changes or adjustments
reported in Items 13 or 14 of the OMB Form 83-I. Changes in hour
burden, i.e., program changes or adjustments made to annual reporting
and recordkeeping hour and cost burden. A program
change is the result of deliberate Federal Government action. All new
collections and any subsequent revisions of existing collections
(e.g., the addition or deletion of questions) are recorded as program
changes. An adjustment is a change that is not the result of a
deliberate Federal Government action. These changes that result from
new estimates or actions not controllable by the Federal Government
are recorded as adjustments.
���
There are no program
changes or adjustments reported items 13 or 14. The minor revisions
to the burden estimates described in question 1 of this document and
again here:
Minor revisions
to all five instruments that reflect the passage of the
Cybersecurity and Infrastructure Security Act of 2018, 6 U.S.C. §§
651-74, such as updating the Agency name to conform with the
Agency’s new designation as CISA, as well as provide clearer
descriptions of the scope of each instrument. CISA is not proposing
changes to the scope of any instrument.
Updated the
number of respondents for all instruments based on historical data
collected related to these instruments between CY2018 and CY2021.
Updated the
number of responses per respondent for two instruments (i.e.,
Request for an Extension and Compliance Assistance) based on
historical data collected between CY2018 and CY2020.
An increase of
the annual reporting and recordkeeping hour and cost burden due to
an increase in the respondent wage rate from $79.75/hour to
$85.82/hour, which is based on updated Bureau of Labor Statistics
(BLS) data.
An increase of
the overall total annual operating cost to the Federal Government
for this collection from $957,562 to $1,001,189 based on the
projected costs for Government Full-time Equivalent (FTE) salaries
that is reflected in the Office of Personnel Management’s
(OPM) 2020 General Schedule Locality Pay Table.
���16. For collections of information whose results will be
published, outline plans for tabulation and publication. Address any
complex analytical techniques that will be used. Provide the time
schedule for the entire project, including beginning and ending dates
of the collection of information, completion of report, publication
dates, and other actions.
���
No plans exist for
the use of statistical analysis or to publish this information.
���17. If seeking approval to not display the expiration date for OMB
approval of the information collection, explain reasons that display
would be inappropriate.
���
The expiration date
will be displayed in the instruments.
���18. Explain each exception to the certification statement
identified in Item 19 “Certification for Paperwork Reduction
Act Submissions,” of OMB Form 83-I.
No exceptions have
been requested.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Title | Supporting Statement A - CVI |
| Author | fema user |
| File Modified | 0000-00-00 |
| File Created | 2021-07-30 |