PRA - NORS 2022 Supporting Statement_june 2022

Download: docx | pdf

SUPPORTING STATEMENT

A. Justification:

1. Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection.

Revisions to Information Collection Requirements Which Require OMB Approval

The Federal Communications Commission (FCC or Commission) is requesting Office of Management and Budget (OMB) approval of a revision of this information collection, which is associated with the Commission’s outage reporting rules. The Commission seeks to revise this collection to reflect changes to these rules adopted by the Commission in a Second Report and Order on March 18, 2021, as FCC 21-34,¹ allowing certain federal, state, and Tribal Nation agencies (Participating Agencies) to access to certain geographically relevant outage reports filed in the Commission’s Network Outage Reporting System (NORS).

In 2016, the Commission found that Participating Agencies with a demonstrated “need to know” would benefit from having access to NORS reports.² The Commission observed in the 2016 Report and Order that this information sharing would benefit the public interest if implemented with “appropriate and sufficient safeguards” but that the record advancing this proposal was not fully developed because the “information sharing proposal raised a number of complex issues that warranted further consideration.”³ In response, a more complete record was developed with input from affected stakeholders leading to the adoption of the Second Report and Order, which creates a framework to provide state, federal, local, and Tribal partners with access to the critical NORS information they need to ensure the public’s safety while preserving the presumptive confidentiality of the information.

Adoption of the Second Report and Order results in a nominal increase in the reporting burden on service providers filing in NORS. The new rules provide that a Participating Agency will be able to access NORS reports only in the areas where it has jurisdiction. DIRS reporting forms already require filers to include data at the state and county level so searching for and obtaining access to only reports within a Participating Agency’s jurisdiction will be straightforward.⁴ As presently configured, when an outage involves multiple states, NORS filers cannot identify more than one state when filing their report. To facilitate a clearer picture of the breadth of an outage, the Commission is changing the NORS filing form to allow service providers to identify all of the individual states affected by an outage.⁵ This change is necessary to provide a full and accurate picture for Participating Agencies when they seek information on outages in their jurisdictions. In the Second Report and Order, the Commission stated that it had completed a cost benefit analysis and concluded that the benefit to public safety outweighed the minimal additional burden furnishing this additional information places on service providers.⁶

The Second Report and Order also places information collection and recordkeeping requirements on Participating Agencies that voluntarily seek access to the FCC’s NORS reports. Amendments to Section 4.2 of the Commission’s Rules spell out the requirements for Participating Agencies.⁷ Specifically, a Participating Agency seeking “read-only” access to NORS-DIRS information will be required to e-mail a request to a dedicated Commission e-mail address that includes: (i) a signed statement from an agency official, on the agency’s official letterhead, including the official’s full contact information and formally requesting access to NORS filings; (ii) a description of why the agency has a need to access NORS filings (citing to statutes or other regulatory authority that establishes it has official duties making it directly responsible for emergency management and first responder support functions) and how it intends to use the information in practice; (iii) if applicable, a request to exceed the proposed presumptive limits on the number of individuals (i.e., user accounts) permitted to access NORS filings with an explanation of why this is necessary, and (iv) a completed copy of a Certification Form, a template of which is provided in Appendix C to the Second Report and Order.⁸ To ensure confidential NORS information is protected from disclosure, Participating Agencies that are granted access to NORS are required to notify the Commission: (i) within 14 calendar days from the date the agency receives a request from third parties to disclose NORS filings and DIRS filings, or related records, pursuant to its jurisdiction’s open record laws or other legal authority that could compel it to do so, and (ii) at least 30 calendar days prior to the effective date of any change in relevant statutes or rules (e.g., its open records laws) that would affect the agency’s ability to adhere to the confidentiality protections in this information sharing framework. Participating Agencies will also be responsible for developing and implementing initial and annual security training to each person granted a user account for accessing NORS filing, maintaining copies of all training material for Commission inspection upon request.⁹ They also must implement practical data protection safeguards, including assigning user accounts to single employees, promptly reassigning user accounts to reflect changes as their rosters of designated employees change, and periodically changing user account passwords to ensure that user account credentials are not used by individuals who are not the agency’s designated employees.¹⁰ To ensure accountability in the use of NORS information, participating Agencies must also maintain and make available for FCC inspection “a list of all localities for which the agency has disclosed NORS data”¹¹ and immediately report any known or reasonably suspected breach of protocol involving NORS filings to the Commission and to affected providers.¹²

Non-Participating Agencies that request NORS information from a Participating Agency will be responsible for executing a certification form designed by the Commission and supplied by the Participating Agency where the Non-Participating Agency certifies under penalty of perjury, that it will comply with the information sharing framework that the Commission has developed, including maintaining the confidentiality of the information and “securely destroying the information when the public safety event that warrants its access to the information has concluded.”¹³

Current Information Collection Requirements Previously Approved by OMB:

This information collection is associated with the Commission’s outage reporting rules that historically have required a set of communication service providers to report to the Commission when they experience a service disruption, or “outage” in their respective networks.¹⁴ In 2004, the Commission replaced its original outage reporting requirements from the 1990s¹⁵ with outage reporting requirements for service providers of wireline, wireless, satellite, cable, interexchange, local exchange, and SS7 service.¹⁶ Then, in 2012, the Commission further expanded the requirements to include interconnected voice over Internet protocol (interconnected VoIP) service providers.¹⁷ Finally, in 2016, the Commission adopted a set of improvements to these rules in the 2016 Part 4 Report and Order and Order on Reconsideration.¹⁸

In 2004, to facilitate the process when service providers file in accordance with the outage reporting requirements, the Commission created the Network Outage Reporting System (NORS), a web-based filing system. NORS uses an electronic form to promote ease of reporting and encryption technology to ensure the security of the information filed. Providers submit into NORS three types of filings, (1) Notifications, (2) Initial Reports (for non-interconnected VoIP outages), and (3) Final Reports. These filings contain sensitive information about service disruption or outages that, among other things, include: reason the event is reportable, incident date/time and location details, states affected, number of potentially affected customers, and whether E911 was impacted.¹⁹

Statutory authority for this collection of information is contained in sections 1, 4(i), 4(j), 4(o), 251(e)(3), 254, 301, 303(b), 303(g), 303(r), 307, 309(a), 309(j), 316, 332, and 403 of the Communications Act of 1934, as amended, and section 706 of the Telecommunications Act of 1996, 47 U.S.C. 151, 154(i)-(j) & (o), 251(e)(3), 254, 301, 303(b), 303(g), 303(r), 332, 403, and 1302.

This information collection does not affect individuals or households; thus, there are no impacts under the Privacy Act.

2. Indicate how, by whom and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.

As stated in previous filings for this information collection,²⁰ the general purpose of the Commission’s Part 4 rules is to gather sufficient information regarding disruptions to telecommunications to facilitate FCC monitoring, analysis, and investigation of the reliability and security of voice, paging, and interconnected VoIP communications services, and to identify and act on potential threats to our Nation’s telecommunications infrastructure. The Commission uses this information collection to identify the duration, magnitude, root causes, contributing factors with respect to significant outages, and to identify outage trends; support service restoration efforts; and help coordinate with public safety officials during times of crisis.

The Commission also maintains an ongoing dialogue with reporting service providers, as well as with the telecommunications industry at large. Here, the Commission uses the information collection to draw lessons learned in order to foster a better understanding of significant outages’ root causes, and to explore preventive measures in the future so as to mitigate the potential scale and impact of such outages.

The new obligation for service providers to identify each individual state affected by an outage when they file a report in NORS will allow the Commission to ensure that Participating Agencies receive a full and accurate picture of outages in their jurisdictions and thus have better situational awareness that will enhance their ability to appropriately and effectively respond to emergencies.

To enable the Commission to ensure that only qualifying agencies that agree to follow the information sharing requirements are permitted to access NORS, Participating Agencies that voluntarily seek access will be required, as described above, to e-mail a request to a dedicated Commission e-mail address that includes contact information, a description of why the agency has a need to access NORS filings, how it intends to use the information in practice, any requests to exceed the proposed presumptive limits on individuals with NORS access, and a completed copy of a Certification Form.

Participating Agencies will be responsible for immediately notifying the Commission and affected service providers data breaches or the unauthorized or improper disclosure of NORS/DIRS data. This notification allows service providers to use this information to minimize the negative effects of improper disclosure and allows the Commission to quickly identify misuse of NORS and DIRS information, further investigate violations of information sharing rules, and, if necessary, restrict continued access by offending participating agencies. Participating Agencies are also required to notify the Commission of requests from third parties to disclose NORS filings or related records pursuant to its jurisdiction’s open record laws or other legal authority that could compel it to do so. These notifications will allow the Commission take appropriate action, including (at the Commission’s option) notifying an affected service provider so that the provider can supply its comments on the matter if permitted under the jurisdiction’s open records law. In addition, Participating Agencies are required to notify the Commission at least 30 calendar days prior to the effective date of any change in relevant statutes or rules (e.g., its open records laws) that would affect the agency’s ability to adhere to the confidentiality protections in this information sharing framework. This notification will provide the Commission with an opportunity to determine whether to terminate an agency’s access to NORS or DIRS filings or take other appropriate steps as necessary to protect this information. Participating Agencies will also be responsible for developing and implementing initial and annual security training to each person granted a user account for accessing NORS filing, maintaining copies of all training material for Commission inspection upon request.

Participating Agencies must implement practical data protection safeguards, which will likely include recordkeeping related to assigning user accounts to single employees, promptly reassigning user accounts to reflect changes as their rosters of designated employees change, and periodically changing user account passwords to ensure that user account credentials are not used by individuals who are not the agency’s designated employees. Participating Agencies must also maintain copies of all training material for Commission inspection upon request, which the Commission will use to ensure that the training requirements of the information sharing program have been satisfied. In addition, Participating Agencies will be responsible for maintaining records of downstream sharing that must be made available to the Commission upon request, which provides the Commission with the ability to maintain control over who has access to the NORS filings and whether proper protocol is followed.

Collection of such information through NORS has already been approved by OMB, and the Second Report and Order does not adopt rules that would alter the fundamental aims and purposes of the approved collection.

3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g. permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.

The information collection is administered by the FCC’s Public Safety and Homeland Security Bureau (PSHSB), which maintains the NORS web-based portal for the electronic submission of NORS filings.²¹ To facilitate compliance with the reporting requirements, the Commission developed web-based templates that it makes available on the NORS web portal. Service providers use the templates to enter their information about outages experienced in their networks. These submissions are then made available to Commission staff in real time in the NORS web-based portal.

For ease of administration, each service provider may request credentials for NORS for two types of accounts. A user account with two levels of privileges: (a) filings submission on behalf of the service provider; and (b) filings access to all submissions filed on behalf of the service provider, including filings submitted by others acting on behalf of the service provider. Further, other user accounts with a more limited role to submit and view only their respective filings for the service provider. To further facilitate ease of use, users may draw from previously submitted information in a Notification or an Initial Report to submit a Final Report for the same event. For the service providers with automatic filing systems, NORS is equipped with an interface to accept outage filings via automatic filing systems.

Participating Agencies’ requests to access NORS information (including required accompanying materials) and any required notifications will be submitted to the Commission electronically via a dedicated e-mail address. Required follow-up will also be conducted electronically. This method reduces the burden on agency and Commission staff as forms and correspondence will be stored and accessed electronically.

Once the request for access is approved, the Participating Agencies will be able to access a web page maintained by PSHSB that will permit access to the NORS report database using date and location filters. The location filters will limit Participating Agencies “read only” access to reports in states where a Participating Agency has jurisdiction. To protect the integrity and confidentiality of NORS reports downloaded or printed by a Participating Agency, PSHSB implemented certain technological safeguards, such as imbedding a special “CONFIDENTIAL” notice as a header or footer on each page and is investigating the feasibility of adding a watermark to each page downloaded or printed by a Participating Agency.²²

4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in item 2 above.

The information collected is not duplicative of other information received by the Commission. Specifically, Participating Agencies have not provided the information in question to the Commission in the past, so the information requested from them by this modified collection will not be duplicative.

5. If the collection of information impacts small businesses or other small entities, describe any methods used to minimize burden.

The Commission does not relieve small providers, in whole or in part, from the outage reporting obligations. However, the Commission explained in the Final Regulatory Flexibility Analysis (FRFA) that accompanied the Report and Order and Order on Reconsideration adopted in 2016, that the agency believed that the “outage reporting triggers are set sufficiently high as to make it unlikely that small businesses would be impacted significantly by the final rules.”²³

While the Commission adopted changes to the NORS form filing to allow users to select more than one state when submitting a request for NORS information that modified the method in which service providers report outage information in NORS, this change did not impose additional levels of reporting to require disaggregation to provide a breakout of state-specific impacts by submitting state specific filings. With the modifications adopted in the Second Report and Order, the Commission can effectuate the provision of access to filings for outages that span across more than one state and minimize the costs for service providers which are discussed in Section E. All service providers commenting on this issue asserted that the submission of several state specific filings instead of a single aggregate filing for each outage that lists all affected states would increase the reporting burdens for service providers. We note that service providers will not need to modify their DIRS reporting processing to accommodate multistate reporting. The new and updated reporting requirements adopted in the Second Report and Order are minimally necessary to assure that the presumptively confidential nature of NORS and DIRS filings is protected when these filings are disseminated to our partners based on the adopted information sharing framework.

To provide Participating Agencies maximum flexibility and reduce potential costs of compliance with the training requirements, rather than mandate an agency’s use of a specific training program, adopted requirements that allow agencies to develop their own training program or rely on an outside training program that covers, at a minimum, each of the required “program elements.”

In addition, rather than requiring third-party audits of training programs to ensure that state and federal agencies’ training programs comply with the Commission’s proposed required program elements, Participating Agencies are required to make copies of their training curriculum available for the Commission’s review upon demand which will significantly minimize costs associated with the required training programs. The Commission also declined to adopt a “downstream training” requirement which would have required any entity receiving NORS information from a Participating Agency to complete formal training. Similarly, the Commission declined to adopt a requirement for Participating Agencies to obtain an affidavit on confidentiality from local entities prior to receipt of NORS information. To further assist and reduce the burden on small entities and other participating agencies with meeting the training requirements the Commission adopted in the Second Report and Order, the Commission will consult with diverse stakeholders with a range of perspectives, including state governments, the public safety community, service providers, and other industry representatives to develop exemplar training materials, that can be used by participating agencies to training their staffs on the proper uses of NORS and DORS filings.

The Commission also declined to grant local agencies direct access to NORS and DIRS considering among other things the burdens that would result for local entities, many of which may be small entities. Providing direct access to local entities would have potentially exponentially increased the number of participating entities, in contrast to the relatively limited number of state, federal, and other entities that the Commission identified for eligibility in the Second Report and Order. These local entities would have to comply with requirements of the information sharing framework and would incur the associated costs. Further, because local entity governments typically do not have the level of experience navigating the kinds of outage and infrastructure status information contained in NORS filings as compared to state agencies, developing this experience would likely increase their cost of compliance as well as increase the risk of improper disclosure of NORS information.

Additionally, the Commission has adopted a single form to address the certifications and acknowledgments required for direct access to NORS. The use of a single form, coupled with the fact that the proposed certification form is similar to one that the Commission currently requires for sharing sensitive numbering data with states using FCC Form 477 data, should help minimize preparation time and costs, specifically for those smaller agencies since these agencies should be familiar with the existing requirements and have comparable operational processes and procedures already in place.

6. Describe the consequences to a Federal program or policy activity, if the collection is not conducted or is conducted less frequently, as well as any technical or legal obstacles to reduce burden.

The Commission has a statutory mandate to “promot[e] the safety of life and property through the use of wire and radio communications,”²⁴ and Congress has delegated to the Commission specific responsibilities to “designate 911 as the universal emergency telephone number for reporting an emergency to appropriate authorities and requesting assistance.”²⁵ The Commission’s efforts to ensure that such reports and requests for assistance can reliably be transmitted are “necessary in the public interest to carry out” these provisions of the Communications Act.²⁶ Outage reporting provides the Commission with timely and reliable data that enables the Commission to monitor the reliability of these networks. Therefore, the information is collected throughout the year.

The Second Report and Order “creates a framework to provide state, federal, local, and Tribal partners with access to the critical NORS and DIRS information they need to ensure the public’s safety while preserving the presumptive confidentiality of the information.”²⁷ This information sharing will “improve situation awareness during and after disasters, enable agencies to better assess the public’s ability to access emergency communications, and assist with the coordination of emergency response efforts.”²⁸ This critical information would be unavailable to state, federal, local, and Tribal partners if this information is not collected.

The above-described requirements for requests to access NORS data, required notifications, and recordkeeping requirements for training programs and downstream sharing allows the Commission to protect the presumptively confidential NORS information and to monitor how Participating Agencies are complying with the information sharing framework. If the Commission did not collect this information, there is a greater likelihood that the sensitive information contained in NORS filings would be shared, disclosed, or used beyond what is permitted by the information sharing framework.

7. Explain any special circumstances that would cause an information collection to be conducted in a manner inconsistent with the criteria listed in supporting statement.

This revised information collection is consistent with the requirements of 5 C.F.R. § 1320 and the criteria listed in this Supporting Statement. While the information collection requires service provider respondents to submit information at short intervals after the respondent discovers that it is experiencing an outage in its network, these respondents already monitor their networks for these service disruptions and submitting this information is accounted for in this supporting statement. Moreover, these respondents may submit proprietary or other sensitive information as a result of this information collection, however, the Commission treats submissions and the information contained therein as presumptively confidential. The Commission does not anticipate circumstances that would result in a collection of information in an inconsistent manner.

8. If applicable, provide a copy and identify the date and page number of publication in the Federal Register of the agency’s Report and Order, required by 5 CFR 1320.8(d), soliciting comments on the information prior to submission to OMB.

Describe efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.

The Commission published a 60-day notice in the Federal Register on April 11, 2022 (87 FR 21120). No comments were received.

9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.

No payment or gift to respondents has been or will be made in connection to this information collection.

10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.

Outage reports filed with the Commission pursuant to Part 4, and the information contained therein, are presumed confidential.²⁹ The information in these outage reports discuss issues affecting national security and commercial competitiveness.³⁰ The filings are shared with the Department of Homeland Security through a password-protected real time access to NORS. Other persons seeking disclosure must follow the procedures delineated in 47 C.F.R. Sections 0.457 and 0.459 of the Commission's rules for requests for and disclosure of information.

The Second Report and Order adopts procedures allowing state, federal, local, and Tribal agencies with a demonstrated “need to know” to apply for “read-only” access to NORS and DIRS reports impacting locations where the agency has jurisdiction. To protect the confidentiality of the NORS and DIRS information disclosed to these Participating Agencies, the Commission limited the access to only those agencies who complete the registration process and then limits by geographic area the reports available to each Participating Agency. The Commission also adopted safeguards to protect the data accessed by Participating Agencies from manipulation and from distribution to unauthorized recipients.

11. Provide additional justification for any questions of a sensitive nature.

This collection of information does not address any matters of a sensitive nature.

12. Provide estimates of the hour burden of the collection of information. The statement should: indicate the number of respondents, frequency of response, annual hour burden, and an explanation of how the burden was estimated. If the hour burden on respondents is expected to vary widely because of differences in activity, size, or complexity, show the range of estimated hour burden, and explain the reasons for the variance.

Burden Estimate for Service Providers

Number of Respondents: The Commission estimates that 965 respondents will be required to submit information under the Part 4 rules.

Frequency of Response: The Commission estimates that 26,795 responses per outage will be filed per year for the outage reporting obligations under Part 4.

Annual Hour Burden: The existing information collection already approved by OMB includes three components: a Notification that an outage event has occurred, an Initial Report containing detailed information on the outage event (for non-interconnected VoIP service outage events), and a Final Report containing detailed information on the outage event and how the event was resolved. The Commission has previously estimated that reporting entities will require 15 minutes to file a Notification with the Commission, and that the more detailed Initial Report (for non-interconnected VoIP service providers) will ordinarily not take more than 45 minutes to complete and submit to the Commission. The Commission further estimated that respondents will ordinarily not need more than one hour to complete and submit electronically a Final Report to the Commission within 30 days after the outage was discovered. Thus, the total time needed to submit all filings pertinent to each outage that meets or exceeds the reporting threshold criteria has been estimated to be less than two (2) hours as follows:

15 minutes [Notification] + 45 minutes [Initial Report] + 1 hour [Final Report]

= 2 hours maximum for each outage.

The Commission believes these estimates remain valid. Indeed, the Commission noted previously that the two-hour estimate was conservative, and that time required to file the information for each outage was, more likely, estimated to be approximately 1 to 1.5 hours. The Commission assumes that for purposes of this calculation that each outage event will require a submission of a Notification, an Initial Report, and a Final Report. The Commission believes that this is a conservative figure because service providers may file more than one initial report at times when they learn new information before the final report is due, or in the case of interconnected VoIP service providers, may only file a Notification and a Final Report. The Commission believes that the new requirement to identify each affected state from a drop-down menu when each Notification is filed will not change these estimates.

26,795 outages *15 minutes to complete Notification = 6,698.75 hours

26,795 outages *45 minutes to complete Initial Report = 20,096.25 hours

26,795 outages *60 minutes to complete Final Report = 26,795 hours

Sum: 6,698.75 hours + 20,096.25 hours + 26,795 hours = 53,590 hours

In-House Cost: The Commission estimates a total of 53,590 annual burden hours and a total of $4,287,200 in annual in-house costs.³¹

One-Time Costs: The Commission estimates that the nation’s service providers will incur total initial setup cost to meet the requirements of the Second Report and Order of $3,088,000 based on the Commission’s estimate of 965 service provider incurring costs of $80 per hour and spending 40 hours to implement update or revise their software used to report outages to the Commission in both NORS and DIRS.

Method of Calculating Burden: The Commission explains above the calculation method to determine the impact on reporting burdens associated with the estimated responses expected.

Variance in Burden: The Commission expects that the limited impact of the extension to be shared widely among entities that are subject to Part 4, although larger entities will continue to be more likely than smaller ones to experience outages of sufficient scale to trigger a reporting obligation.

Summary of Respondents and Burden:

Total Number of Respondents: 965.

Total Number of Annual Responses: 26,795.

Total Annual Burden Hours: 53,590 hours.

Total Annual In-House Costs: $4,287,200.

Total Annual and One-Time In-House Costs: $7,375,200

Burden Estimate for Participating Agencies

Number of Respondents: The Commission estimates that there will be approximately 100 state, federal, and Tribal Nation agencies that will request access to NORS information as Participating Agencies and be subject to the requirements of the information sharing framework.

Frequency of Response: The initial request to access NORS information that must be filed electronically and reviewed by the FCC need only be filed once. Annually thereafter, Participating Agencies are required to certify to their continued compliance with the requirements for participation in the Commission’s information sharing program. The Commission is unable to quantify the number of times that Participating Agencies would need to provide a notification to the Commission, as they would vary based on each participating agency’s particular circumstances (e.g., the number of requests or changes in law that would necessitate notifications, number of data breaches). However, the number of notifications to be made annually per respondent is expected to be very low (i.e., less than five per respondent).

Annual Hour Burden: The Commission estimates that each Participating Agency will spend five hours preparing, reviewing, and submitting its initial request for NORS access to the FCC and a similar amount of time annually to re-certify their qualifications to access NORS in every year thereafter. We further anticipate that Participating Agencies will require an average of 15 minutes to prepare and submit a required notification to the Commission, for an annual average total of 1.25 hours of notifications per respondent.

Annual In-House Cost: As the Commission noted in the Second Report and Order, it cannot quantify overall costs to Participating Agencies for implementing the information sharing framework, which would vary based on each participating agency’s particular circumstances, including the number of requests or changes in law that would necessitate notifications.³² However, the Commission’s best current estimate is that the in-house cost to Participating Agencies for the information collection elements described above would be based on the salary of the equivalent of an attorney (GS-13 Step 5) working 6.25 hours annually to submit its annual certification form and make any required notifications to the Commission.³³ With 100 Participating Agencies spending 6.25 hours to complete the necessary annual requirements at a wage of $58.01 per hour, the Commission estimates an in-house cost of $36,256.25 annually.

The Commission estimates that maintaining copies of all training material for Commission inspection upon request will require one hour of staff time annually; implementing the necessary records to ensure practical data protection will require five hours of staff time annually; and maintaining and making available for FCC inspection a list of all localities for which the agency has disclosed NORS data will require three hours of staff time annually. With 100 Participating Agencies spending 9 hours to complete the necessary annual recordkeeping requirements at a wage of $58.01 per hour (based on the salary of the equivalent of an attorney (GS-13 Step 5)), the Commission estimates a recordkeeping cost of $52,209 annually.

The Commission notes that the information sharing framework established in the Second Report and Order allows for access to be granted not only for NORS, but also to the Commission’s Disaster Information Reporting System (DIRS). We note that the process and requirements for Participating Agencies under this framework are identical, regardless of whether they seek access to NORS, DIRS, or both. Because the Commission anticipates that NORS and DIRS access will be requested together in most cases, it believes that the estimated costs for Participating Agencies associated with DIRS access are fully included in the estimates an in-house cost of $88,465.25 annually.

Method of Calculating Burden: The Commission explains above the calculation method to determine the impact on reporting burdens associated with the estimated responses expected.

Summary of Respondents and Burden:

Total Number of Respondents: 100

Total Number of Annual Responses: 1 certification renewal; 5 notifications.

Total Annual Burden Hours: 15.25

Total Annual In-House Costs: $88,465.25

Total Service Provider and Participating Agency In-House Costs: $7,463,665.25

13. Provide estimate for the total annual cost burden to respondents or record keepers resulting from the collection of information. (Do not include the cost of any hour burden shown in items 12 and 14).

All anticipated costs are covered in items 12 and 14.

14. Provide estimates of annualized costs to the Federal government. Also provide a description of the method used to estimate cost, which should include quantification of hours, operational expenses (such as equipment, overhead, printing, and support staff), and any other expenses that would not have been incurred without this collection of information.

The Commission estimates that the total annual cost to the Federal Government to be as follows, based on the salaries³⁴ of three engineers (GS-15 step 5), two engineers (GS-14 step 5), an IT Developer (GS-15 step 5), each spending approximately ½ (or 1,040 hours) of their work time each year on the information collected, and two attorneys (GS-13 step 5) spending approximately ¼ (or 520 hours) of their work time each year on the information collection:

(Three) Engineers	GS-15 step 5	at $ 80.63/hr wage	$ 80.63 x 1,040 hours	x 3	= $ 251,565.60
(Two) Engineers	GS-14 step 5	at $ 68.65/hr wage	$ 68.65 x 1,040 hours	x 2	= $ 142,792.00
(One) IT Developer	GS-15 step 5	At $ 80.63/hr wage	$ 80.63 x 1,040 hours	x 1	= $ 83,855.20
(Two) Attorneys	GS-13 step 5	at $ 58.01/hr wage	$ 58.01 x 520 hours	x 2	= $ 60,330.40
TOTAL					= $ 538,543.20

Total Annual Cost to the Federal Government: $538,543.20.

15. Explain the reasons for any program changes or adjustments for this information collection.

From the adoption of the Second Report and Order, there are program changes/increases to the total number of respondents from 965 to 1,065 (+100), the total annual responses increased from 26,795 to 27,395 (+600), the total annual burden hours increased from 53,590 to 54,315 (+625) as a result of the Order. Because information is being collected from Participating Agencies for the first time for purposes for granting them access to NORS, the number of responses from that category of respondents are largely responsible to the burden increases to this collection.

The Commission estimates that neither the total number of service provider respondents and responses will increase due to the modifications to this information collection. Service providers will incur a new one-time initial setup cost to meet the requirements of the Second Report and Order and are further explained as in-house costs in Question 12 of this supporting statement.

16. For collections of information whose results will be published, outline plans for tabulation and publication.

The FCC does not plan to publish this information. The Commission may analyze the information contained in the filings, aggregate and anonymize the information, and present to trade associations and companies individually, the agency’s analysis based on the information. For example, the Commission may present its findings on a quarterly basis to the Network Reliability Steering Committee of the Alliance for Telecommunications Industry Solutions.

17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons that display would be inappropriate.

The Commission does not intend to seek approval not to display the expiration date of the revisions to this information collection.

18. Explain any exceptions to the Certification Statement identified in Item 19, “Certification of Paperwork Reduction Act Submissions.”

There are no exceptions to the Certification Statement.

B. Collections of Information Employing Statistical Methods:

The revisions to this information collection do not employ any statistical methods.

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title	The Commission is requesting Office of Management and Budget (OMB) approval for a revision of this information collection
Author	nwalls
File Modified	0000-00-00
File Created	2022-06-22