Supporting Statement Appendix

1652-0050 SS Appendix (10.08.2021).docx

Critical Facility Information of the Top 100 Most Critical Pipelines


OMB: 1652-0050


Docket Number: TSA ……… 1652-0050

Supporting Statement Appendix, A Comment Summary for Critical Facility Information of the Top 100 Most Critical Pipelines 60-day Public Comment Summary and TSA Responses



Commenters

Document ID

Comment and Response

Patrick Coyle

Chemical Facility Security News

Comment 1: There is no link provided for the PCSA form, apparently TSA never submitted a copy of that form to OIRA for the emergency approval back in May. Without access to the form, it is impossible to evaluate the amount of time that TSA estimates that it will take to complete the form. TSA should be required to re-submit this 60-day ICR revision notice after making that form publicly available for review.


Response 1: The ICR documentation, including the TSA Pipeline Cybersecurity Self-Assessment form, which was not finalized at the time the 60-day notice was published, will be available at http://www.reginfo.gov upon its submission to OMB. The public will have an additional opportunity to comment at that time upon publication of TSA’s 30-day Federal Register notice.




Patrick Coyle

Chemical Facility Security News

Comment 2: TSA is soliciting public comments on this ICR revision notice. As is usual for the TSA, they do not use (sic) the Federal eRulemaking Portal (www.Regulations.gov) site for comment submission. They require that comments be emailed (or delivered) to [email protected].


Response 2: TSA requests comments to the 60-day notice be sent to [email protected] due to some technical difficulties in using the eRulemaking portal. TSA has successfully received public comments on its ICRs via the TSA email address. TSA is complying with the PRA and OMB PRA implementing regulations with respect to its notice and comment process. See 5 CFR 1320.8 (d)(1) and 5 CFR 1320.5(a)(1)(iii)(F).




Kimberly Denbow; Matthew J. Agen

American Gas Association (AGA)

Comment 1: The questions asked as part of the CFSR are similar to the questions proposed in the Security Directive. The amount of detail and requested information within Security Directive 1, however, requires more defined responses. This can cause these two review forms to appear to not be in sync due to the inconsistency on guidance. AGA recommends that TSA consider having additional consistency and clarity between the forms. If an entity completes a CFSR, then it should not have to complete the TSA Pipeline Cybersecurity Self-Assessment form or vice-versa.

Response 1: There is no inconsistency in TSA’s guidance nor has the commenter provided an example of an inconsistency. The CFSR and the Cybersecurity Self-Assessment form are two distinct collections. The CFSR is a voluntary collection, while the Cybersecurity Self-Assessment form is a mandatory information collection.




Kimberly Denbow; Matthew J. Agen

AGA

Comment 2: AGA recommends that TSA consider not leveraging the provided “information to make a global assessment of the cyber risk posture of the industry.” Companies had difficulties identifying the appropriate scope for completing the assessment. Organizations may have taken different approaches to completing the assessment based on the lack of guidance provided by TSA to date. Therefore, the various scope perspectives driving responses will result in inconsistencies that will cause the cyber risk posture to potentially be inaccurate. This can cause future TSA decision making to be inaccurate. AGA requests the TSA issue clear guidance and definitions that further define the scope of the Pipeline Cybersecurity Self-Assessment.


Response 2: TSA does not see any basis for the assertion regarding difficulties identifying the appropriate scope for completing the assessment. In fact, TSA received very few questions from operators on difficulty interpreting questions on the cybersecurity self-assessment required by Security Directive Pipeline 2021-01. The assessment was a one-time requirement that was due to TSA in June 2021 and has been completed by all operators. TSA and CISA are conducting an analysis of the findings of the assessment and understand the limitations of the assessment instrument.




Kimberly Denbow; Matthew J. Agen

AGA

Comment 3: TSA is seeking renewal of the Critical Pipeline ICR for the maximum three-year approval period. Due to the fact that the Security Directive 1 has a stated expiration date of May 28, 2022, AGA recommends that the Critical Pipeline ICR renewal should correspond with that expiration date. It is unclear why the renewal is for a longer term than the effectiveness of Security Directive 1. If TSA seeks to extend the term of Security Directive 1, a further renewal can be requested.


Response 3: The timeline for ICR approvals is set under the PRA and OMB implementing regulations. See 5 CFR 1320.10(b). OMB has authority to grant up to a three-year approval for ICRs, which approval is typically granted. As this ICR includes a voluntary collection separate and apart from the mandatory collection stemming from Security Directive Pipeline 2021-01, TSA is requesting a three-year approval period. TSA acknowledges that the security directive (SD) expiration date is currently May 28, 2022; however, that expiration date may be extended under the authority of the TSA Administrator as ratified by the Transportation Security Oversight Board.




Kimberly Denbow; Matthew J. Agen

AGA

Comment 4: Operators have reported to AGA that the time spent on the Pipeline Cybersecurity Self-Assessment was between 60-150 hours (10 – 25 times the TSA estimate). AGA requests that TSA accurately reflect the excessive amounts of time it took owners/operators to complete the Pipeline Cybersecurity Self-Assessment, update the estimate in the Critical Pipeline ICR, and take the burden on owners/operators into consideration in future directives/regulations. TSA has underestimated the burden on owners/operators to complete the Pipeline Cybersecurity Self-Assessment form. This underestimation also calls into question TSA’s other estimates. TSA should update the estimated burden in the Critical Pipeline ICR (and the Operator Security Information ICR) to reflect the burdens on owners/operators.


Response 4: As this comment addresses a requirement resulting in a new collection, TSA used historical data along with information from owners/operators to make a good faith estimate. Upon the renewal of the ICR, TSA will have actual data to rely upon to estimate the burden. TSA has provided detailed calculations and explanations in the Information Collection Supporting Statement (SS), which is available for public viewing upon submission to OMB (see question 12).



Maggie O’Connell

American Fuel & Petrochemical Manufacturers Association Privacy Project, et al. (AFPM)

Comment 1: The Associations do not believe a three-year renewal of the May 26, 2021, emergency revision is warranted given that it undermines the emergent need for an SD.


Response 1: Please see “Response 3” to AGA.




Maggie O’Connell

AFPM

Comment 2: TSA is basing the emergency revision on vague cybersecurity threat information that has not been shared so companies can adjust risk-based security programs. Should TSA seek to regulate pipeline cybersecurity, the agency must proceed through regular notice and comment rulemaking.


Response 2: TSA will use the information collected to analyze the data in order to better evaluate the threat. The Administrator has the authority under 49 USC 114(l)(2) to issue SDs. TSA articulated its justification for the issuance of the SD in Security Directive Pipeline 2021-01.




Maggie O’Connell

AFPM

Comment 3: The Associations appreciate TSA’s intent in allowing the operator company to apply their methodology to determine asset criticality; however, a more focused approach on designation would eliminate ambiguity between the operator and TSA. Furthermore, the Associations recognize TSA’s need to periodically review the Pipeline Security Guidelines to reflect additional criticality criteria, but High Consequence Areas (HCAs) should not be weighed more than other criteria in determining criticality. As HCA is not determinate of criticality for US critical infrastructure, the effect of HCAs on critical infrastructure operations should be the criteria.


Response 3: TSA and the pipeline industry collaborated on the development of the updated criteria for the designation of critical facilities throughout 2020 resulting in the publication of Change 1 to the TSA Pipeline Security Guidelines in April 2021. The voluntary Guidelines note that natural gas transmission and hazardous liquid pipeline facilities located in HCAs should be considered critical. The information collected will enable TSA to evaluate the issue of criticality, and may make revisions to methodology if appropriate.




Maggie O’Connell

AFPM

Comment 4: This emergent requirement supposes that an urgent threat to pipeline systems will otherwise directly impact pipeline systems if not immediately addressed. However, the “ongoing” threat cited by TSA suggests that the threat has been in existence for an extended period of time and therefore does not meet the threshold for an immediate regulatory action such as an SD.


Response 4: The cybersecurity threat to pipeline is a current and ongoing threat. The Administrator has the authority under 49 USC 114(l)(2) to issue SDs to address threats to transportation security.




Maggie O’Connell

AFPM

Comment 5: The inclusion of “other emerging threat information” without clarity or operator knowledge of such threat information weakens the ability of the owner/operator to respond to such threats based on their own risk-based security programs, as outlined in the TSA Pipeline Security Guidelines.


Response 5: TSA recognizes our responsibility to share timely, relevant threat information with pipeline operators. This however is not required for operators to fulfill the collection requirements of this Information Collection Request.




Maggie O’Connell

AFPM

Comment 6: Notably absent from the ICR is a cost-benefit analysis of the measures prescribed in the statutory requirements for issuance of an SD. Safety and security of pipeline operations are the top concern of pipeline operators, and the Associations’ members are proactive in improving the security posture of their facilities; however, the measures outlined in the two SDs do not enhance operational security and the TSA Administrator has not presented a cost-benefit analysis justifying the security benefit for these measures.


Response 6: The ICR does not require a cost-benefit analysis and meets the requirements outlined in 5 CFR 1320.8.




Maggie O’Connell

AFPM

Comment 7: The unintended consequences that several of the highly prescriptive measures in the second SD may have on pipeline operational safety and security. During the SD drafting process, the Associations provided specific comments around potential operational concerns that could arise by imposing prescriptive cyber requirements without specific understanding of a company’s existing approach or protections. Although some of the compliance timelines have been extended, there remain significant concerns regarding rigid implementation of the SD to pipeline operating systems, which might unnecessarily impact the integrity and reliability of these systems. The Associations urge TSA to work with operators and The Pipeline and Hazardous Materials Safety Administration (PHMSA), to ensure that, as changes are required, operators are not sacrificing one risk to reliability for another.


Response 7: This ICR covers the information collection requirements for TSA Security Directive Pipeline 2021-01, not Security Directive Pipeline 2021-02.





File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author: Christina A. Walsh
File Modified: 0000-00-00
File Created: 2021-10-15
