60 Day Notice

1652-0056 Pipeline CSR 60DN_86 FR 48239 (8.27.2021).pdf

Pipeline Corporate Security Review


OMB: 1652-0056

Federal Register / Vol. 86, No. 164 / Friday, August 27, 2021 / Notices
The purpose of these public meetings
and the RFI is to seek feedback on the
CRS program. FEMA is holding public
meetings to ensure that all interested
parties have sufficient opportunity to
provide comments on the CRS program
during these meetings and the RFI to
identify those aspects of the CRS
program that may benefit from
modification, streamlining, or
expansion in light of FEMA’s improved
understanding of flood risk and flood
risk reduction approaches gained since
the initiation of the CRS program.
FEMA will carefully consider all
relevant comments received during the
meetings and during the RFI comment
period closing on September 22, 2021.
All comments or remarks provided on
the request for information during the
meetings will be recorded and posted to
the rulemaking docket on https://www.regulations.gov.
Deanne Criswell,
Administrator, Federal Emergency
Management Agency.
[FR Doc. 2021–18456 Filed 8–26–21; 8:45 am]
BILLING CODE 9111–47–P

DEPARTMENT OF HOMELAND
SECURITY
Transportation Security Administration
Intent To Request an Extension From
OMB of One Current Public Collection
of Information: Pipeline Corporate
Security Review Program
AGENCY: Transportation Security
Administration, DHS.
ACTION: 60-Day notice.
SUMMARY: The Transportation Security
Administration (TSA) invites public
comment on one currently-approved
Information Collection Request (ICR),
Office of Management and Budget
(OMB) control number 1652–0056,
abstracted below, that we will submit to
OMB for an extension in compliance
with the Paperwork Reduction Act
(PRA). On July 15, 2021, OMB approved
TSA’s request for an emergency revision
of this collection to address the ongoing
cybersecurity threat to pipeline systems
and associated infrastructure. TSA is
now seeking to renew the collection,
which expires on January 31, 2022, with
incorporation of the subject of the
emergency revision. The ICR describes
the nature of the information collection
and its expected burden. The collection
allows TSA to assess the current
security practices in the pipeline
industry through TSA’s Pipeline
Corporate Security Review (PCSR)
program. The PCSR program is part of
the larger domain awareness,
prevention, and protection program
supporting TSA’s and the Department of
Homeland Security’s missions.
DATES: Send your comments by October
26, 2021.
ADDRESSES: Comments may be emailed
to [email protected] or delivered to
the TSA PRA Officer, Information
Technology (IT), TSA–11,
Transportation Security Administration,
6595 Springfield Center Drive,
Springfield, VA 20598–6011.
FOR FURTHER INFORMATION CONTACT:
Christina A. Walsh at the above address,
or by telephone (571) 227–2062.
SUPPLEMENTARY INFORMATION:
Comments Invited
In accordance with the Paperwork
Reduction Act of 1995 (44 U.S.C. 3501
et seq.), an agency may not conduct or
sponsor, and a person is not required to
respond to, a collection of information
unless it displays a valid OMB control
number. The ICR documentation will be
available at http://www.reginfo.gov
upon its submission to OMB. Therefore,
in preparation for OMB review and
approval of the following information
collection, TSA is soliciting comments
to—
(1) Evaluate whether the proposed
information requirement is necessary for
the proper performance of the functions
of the agency, including whether the
information will have practical utility;
(2) Evaluate the accuracy of the
agency’s estimate of the burden;
(3) Enhance the quality, utility, and
clarity of the information to be
collected; and
(4) Minimize the burden of the
collection of information on those who
are to respond, including using
appropriate automated, electronic,
mechanical, or other technological
collection techniques or other forms of
information technology.
Information Collection Requirement
OMB Control Number 1652–0056;
Pipeline Corporate Security Review
(PCSR) Program. Under the Aviation
and Transportation Security Act 1 and
delegated authority from the Secretary
of Homeland Security, TSA has broad
responsibility and authority for
‘‘security in all modes of transportation
. . . including security responsibilities
. . . over modes of transportation that
are exercised by the Department of
Transportation.’’ 2 TSA is specifically
empowered to assess threats to
transportation; 3 develop policies,
strategies, and plans for dealing with
threats to transportation; 4 oversee the
implementation and adequacy of
security measures at transportation
facilities; 5 and carry out other
appropriate duties relating to
transportation security.6 The
Implementing Recommendations of the
9/11 Commission Act of 2007 (9/11 Act)
included a specific requirement for TSA
to conduct assessments of critical
pipeline facilities.7

1 Public Law 107–71 (115 Stat. 597; Nov. 19,
2001), codified at 49 U.S.C. 114.
2 See 49 U.S.C. 114(d). The TSA Administrator’s
current authorities under the Aviation and
Transportation Security Act have been delegated to
him by the Secretary of Homeland Security. Section
403(2) of the Homeland Security Act (HSA) of 2002,
Public Law 107–296 (116 Stat. 2135, Nov. 25, 2002),
transferred all functions of TSA, including those of
the Secretary of Transportation and the Under
Secretary of Transportation of Security related to
TSA, to the Secretary of Homeland Security.
Pursuant to DHS Delegation Number 7060.2, the
Secretary delegated to the Administrator of TSA,
subject to the Secretary’s guidance and control, the
authority vested in the Secretary with respect to
TSA, including that in section 403(2) of the HSA.
3 49 U.S.C. 114(f)(2).
4 49 U.S.C. 114(f)(3).
5 49 U.S.C. 114(f)(11).
6 49 U.S.C. 114(f)(15).
7 See section 1557 of Public Law 110–53 (121
Stat. 266; Aug. 3, 2007) as codified at 6 U.S.C. 1207.

Assessing Voluntary Implementation of
Recommendations
Consistent with these authorities and
requirements, TSA developed the PCSR
program to assess the current security
practices in the pipeline industry, with
a focus on the physical and cyber
security of pipelines and the crude oil
and petroleum products, such as
gasoline, diesel, jet fuel, home heating
oil, and natural gas, moving through the
system infrastructure. PCSRs are
voluntary, face-to-face visits, usually at
the headquarters facility of the pipeline
owner/operator. Typically, TSA sends
one to three employees to conduct a
seven to eight hour interview with
representatives from the owner/
operator. The TSA representatives
analyze the owner/operator’s security
plan and policies and compare their
practices with recommendations in
TSA’s Pipeline Security Guidelines.
During the PCSR assessment, the
PCSR program subject matter experts:
• Meet with senior corporate officers
and security managers.
• Develop knowledge of security
planning at critical pipeline
infrastructure sites.
• Establish and maintain a working
relationship with key security staff who
operate critical pipeline infrastructure.
• Identify industry smart practices
and lessons learned.
• Maintain a dynamic modal network
through effective communications with
the pipeline industry and government
stakeholders.
Through this engagement, TSA is also
able to establish and maintain
productive working relationships with
key pipeline security personnel. This
engagement and access to pipeline
facilities also enables TSA to identify
and share smart security practices
observed at one facility to help enhance
and improve the security of the pipeline
industry. As a result, participation in
the voluntary PCSR program enhances
pipeline security at both specific
facilities and across the industry.
TSA has developed a Question Set to
aid in the conducting of PCSRs. The
PCSR Question Set structures the TSA-owner/operator discussion and is the
central data source for the security
information TSA collects. TSA
developed the PCSR Question Set based
on input from government and industry
stakeholders on how best to obtain
relevant information from a pipeline
owner/operator about its security plan
and processes. The questions are
designed to examine the company’s
current state of security, as well as to
address measures that are applied if
there is a change in the National
Terrorism Advisory System. The PCSR
Question Set also includes sections for
facility site visits and owner/operator
contact information. By asking
questions related to specific topics (such
as security program management,
vulnerability assessments, components
of the security plan, security training,
and emergency communications), TSA
is able to assess the strength of owner/
operator’s physical security, cyber
security, emergency communication
capabilities, and security training.
This PCSR information collection
provides TSA with real-time
information on a company’s security
posture. The relationships these face-to-face contacts foster are critical to the
Federal government’s ability to reach
out to the pipeline stakeholders affected
by the PCSRs. In addition, TSA follows
up via email with owner/operators on
specific recommendations made by TSA
during the PCSR.
When combined with information
from other companies across the sector,
TSA can identify and develop
recommended smart practices and
security recommendations for the
pipeline mode. This information allows
TSA to adapt programs to the changing
security threat, while incorporating an
understanding of the improvements
owners/operators make in their security
measures. Without this information, the
ability of TSA to perform its security
mission would be severely hindered.

Establishing Compliance With
Mandatory Requirements (Emergency
Revision)
While the above listed collections are
voluntary, on July 15, 2021, OMB
approved TSA’s request for an
emergency revision of this information
collection, allowing for the institution of
mandatory requirements. See ICR
Reference Number: 202107–1652–002.
TSA is now seeking renewal of this
information collection for the maximum
three-year approval period.
The revision was necessary as a result
of actions TSA took to address the
ongoing cybersecurity threat to pipeline
systems and associated infrastructure.
On July 19, 2021, TSA issued a Security
Directive (SD) applicable to owners/
operators of critical hazardous liquid
and natural pipelines and liquefied
natural gas facilities.8 These owners/
operators are required to develop and
adopt a Cybersecurity Contingency/
Response Plan to ensure the resiliency
of their operations in the event of a
cybersecurity attack. Owners/operators
must provide evidence of compliance to
TSA upon request. In addition, owner/
operators are required to have a third-party complete an evaluation of their
industrial control system design and
architecture to identify previously
unrecognized vulnerabilities. This
evaluation must include a written report
detailing the results of the evaluation
and the acceptance or rejection of any
recommendations provided by the
evaluator to address vulnerabilities.
This written report must be made
available to TSA upon request and
retained for no less than 2 years from
the date of completion. Finally, within
7 days of each deadline set forth in the
SD, owner/operators must ensure that
their Cybersecurity Coordinator or other
accountable executive submits a
statement to TSA via email certifying
that the owner/operator has met the
requirements of the SD. For
convenience, TSA will provide an
optional form (TSA Security Directive
Pipeline 2021–02 Statement of
Completion) for each submission
deadline that owner/operators can
complete and submit via email. This
form is Sensitive Security Information
(SSI) and will only be shared with the
owner/operators and others with the
need to know. TSA requires that
certifications be made in a timely way.
Documentation of compliance must be
provided upon request.

8 On May 28, 2021, TSA issued another SD which
included three information collections. OMB
control number 1652–0055, includes two of these
information collections, requiring owner/operators
to report cybersecurity incidents to CISA, and to
designate a Cybersecurity Coordinator, who is
required to be available to the TSA 24/7 to
coordinate cybersecurity practices and address any
incidents that arise, and who must submit contact
information to TSA. OMB control number 1652–0050
contains the remaining information collection,
requiring owner/operators to conduct a
cybersecurity assessment, to address cyber risk, and
identify remediation measures that will be taken to
fill those gaps and a time frame for achieving those
measures.

Portions of PCSR responses that are
deemed SSI are protected in accordance
with procedures meeting the
transmission, handling, and storage
requirements of SSI set forth in parts 15
and 1520 of title 49, Code of Federal
Regulations (CFR). Information
developed and submitted pursuant to
TSA’s SD is also SSI.
The annual hour burden for the
voluntary information collection is
estimated to be 220 hours based upon
20 PCSR visits per year, each lasting a
total of eight hours and the follow-up
regarding security recommendations,
lasting up to three hours, ((20 × 8 = 160
hours) + (20 × 3 = 60 hours) = 220
hours).
For the mandatory information
collection, TSA estimates a total of 97
owner/operators will provide the
responses for the Cybersecurity
Contingency/Response Plan; Third-Party Evaluation; and Certification of
Completion. TSA estimates the total
annual burden hours for the mandatory
collection to be 12,610 hours.
TSA estimates that it will take
approximately 80 hours to complete the
response for the Cybersecurity
Contingency/Response Plan, totaling
7,760 hours (97 respondents × 80 hours
= 7,760 hours). In addition, TSA
estimates that it will require
approximately 42 hours to complete the
Third-Party Evaluation, totaling 4,074
hours (97 respondents × 42 hours =
4,074 hours). Finally, TSA estimates
that it will take eight (8) hours to
complete the Certification of completion
of SD requirements, totaling 776 hours
(97 respondents × 8 hours = 776 hours).
Thus, the total annual burden hours for
the mandatory collection is 12,610
hours (7,760 + 4,074 + 776 = 12,610).
TSA estimates the total respondents
for the information collection is 97 and
the combined annual burden hours for
the voluntary and mandatory collections
are 12,830 hours (220 + 7,760 + 4,074
+ 776 = 12,830).
Dated: August 24, 2021.
Christina A. Walsh,
TSA Paperwork Reduction Act Officer,
Information Technology.
[FR Doc. 2021–18533 Filed 8–26–21; 8:45 am]
BILLING CODE 9110–05–P
