Download:
docx |
pdf
Supporting Statement for Paperwork Reduction Act Submissions
Title:
OMB Control
Number: 1670-0007
Chemical
Security Assessment Tool
Supporting
Statement A
A. Justification
���1.
Explain the circumstances that make the collection of information
necessary. Identify any legal or administrative requirements that
necessitate the collection. Attach a copy of the appropriate section
of each statute and regulation mandating or authorizing the
collection of information.
Congress initially authorized the
CFATS Program under Section 550 of the Department of Homeland
Security Appropriations Act of 2007, Pub. L. 109-295 (2006).
Congress reauthorized the CFATS Program for an additional five years
and three months under the Protecting and Securing Chemical
Facilities from Terrorist Attacks Act of 2014 and the Chemical
Facility Anti-Terrorism Standards Program Extension Act..
The CFATS Act of 2014 codified the Department’s authority to
implement the CFATS program into the Homeland Security Act of 2002.
See 6 U.S.C. § 621 et seq., as amended by H.R. 251, 116th Cong.
(2019) (enacted).
On April 9, 2007, the Department
issued the CFATS Interim Final Rule (IFR), implementing this
statutory mandate. See 72 FR 17688. CISA collects the core regulatory
data electronically through the Chemical Security Assessment Tool
(CSAT).
Reason for Revision
This request is submitted to
revise a collection which is currently approved but not yet expired.
This revision: (a) modifies the burden on some of the instruments
based upon historical data from January 2019 to December 2021, and
(b) makes a revision to the scope of the SSP/ASP instrument and the
scope of the user registration instrument.
2.
Indicate how, by whom, and for what purpose the information is to be
used. Except for a new collection, indicate the actual use the agency
has made of the information received from the current collection.
All information collected supports
CISA’s effort to reduce the risk of a successful terrorist
attack against high-risk chemical facilities. These instruments
either directly or indirectly support the affected chemical
facilities’ requirements to submit data pursuant to 6 CFR Part
27.
Six instruments are in this
collection:
Top-Screen
Security Vulnerability
Assessment (SVA) and Alternative Security Program (ASP) Submitted in
lieu of an SVA
Site Security Plan (SSP) and
ASP Submitted in lieu of an SSP
CFATS Help Desk
User Registration
Identification of Facilities
and Assets at Risk
Top-Screen
The purpose of the Top-Screen is
to obtain information that enables CISA to identify high-risk
chemical facilities and obtain an overview of security issues
presented by chemical facilities in the nation. CISA electronically
collects information via the Top-Screen from chemical facilities that
possess screening threshold quantities (STQ) of any chemical of
interest (COI) listed in Appendix A of the CFATS regulation.
Specifically, 6 CFR § 27.200(b)(2) requires that “A
facility must complete and submit a Top-Screen in accordance with the
schedule provided in § 27.210, the calculation provisions in §
27.203, and the minimum concentration provisions in § 27.204 if
it possesses any of the chemicals listed in Appendix A to this part
at or above the STQ for any applicable Security Issue.”
The Top-Screen uses the collected
data to: (1) identify the high-risk chemical facilities covered under
the regulation, (2) assign a tier level, and (3) identify security
concerns to be addressed in the SVA/ASP and SSP/ASP.
6 CFR § 27.200(a) authorizes
this instrument to collect “… information from chemical
facilities that may reflect potential consequences of or
vulnerabilities to a terrorist attack or incident, including
questions specifically related to the nature of the business and
activities conducted at the facility; information concerning the
names, nature, conditions of storage, quantities, volumes,
properties, customers, major uses, and other pertinent information
about specific chemicals or chemicals meeting a specific criterion;
information concerning facilities’ security, safety, and
emergency response practices, operations, and procedures; information
regarding incidents, history, funding, and other matters bearing on
the effectiveness of the security, safety and emergency response
programs, and other information as necessary.” Information is
collected electronically by this instrument.
SVA and ASP submitted in lieu of an SVA
The purpose of an SVA/ASP is for
high-risk chemical facilities to meet the requirements referenced in
6 CFR § 27.215. Specifically, chemical facilities determined to
be high-risk, “must complete a Security Vulnerability
Assessment … [which] shall include:
Asset Characterization, which
includes the identification and characterization of potential
critical assets; identification of hazards and consequences of
concern for the facility, its surroundings, its identified critical
asset(s), and its supporting infrastructure; and identification of
existing layers of protection;
Threat Assessment, which
includes a description of possible internal threats, external
threats, and internally assisted threats;
Security Vulnerability
Analysis, which includes the identification of potential security
vulnerabilities and the identification of existing countermeasures
and their level of effectiveness in both reducing identified
vulnerabilities and in meeting the applicable risk-based performance
standards;
Risk Assessment, including a
determination of the relative degree of risk to the facility in
terms of the expected effect on each critical asset and the
likelihood of a success of an attack; and
Countermeasures Analysis,
including strategies that reduce the probability of a successful
attack or reduce the probable degree of success, strategies that
enhance the degree of risk reduction, the reliability and
maintainability of the options, the capabilities and effectiveness
of mitigation options, and the feasibility of the options.”
The information is collected
electronically by this instrument.
This instrument also supports
CISA’s evaluation of submitted SVA/ASPs from high-risk chemical
facilities pursuant to 6 CFR § 27.240.
SSP and ASP submitted in lieu of an SSP
CISA is proposing a revision to
this instrument to include the collection of Internet Protocol (IP)
address(es) and Domain Name System (DNS) information.
The purpose of an SSP/ASP is for
high-risk chemical facilities to meet the requirements referenced in
6 CFR §§ 27.225, 27.230, and in 6 CFR § 27.235.
The requirements under 6 CFR §
27.225 are as follows:
Address each vulnerability
identified in the facility's Security Vulnerability Assessment, and
identifies and describes the security measures to address each such
vulnerability;
Identify and describe how
security measures selected by the facility will address the
applicable risk-based performance standards and potential modes of
terrorist attack including, as applicable, vehicle-borne explosive
devices, water-borne explosive devices, ground assault, or other
modes or potential modes identified by the Department;
Identify and describe how
security measures selected and utilized by the facility will meet or
exceed each applicable performance standard for the appropriate
risk-based tier for the facility; and
Specify other information the
Executive Assistant Director deems necessary regarding chemical
facility security.
6 CFR § 27.225(2) requires
that facilities “[i]identify and describe how security measures
selected by the facility will address the applicable risk-based
performance standards.” The 19 RBPS are listed in 6 CFR §
27.230. They are as follows:
Restrict Area Perimeter.
Secure and monitor the perimeter of the facility;
Secure Site Assets. Secure
and monitor restricted areas or potentially critical targets within
the facility;
Screen and Control Access.
Control access to the facility and to restricted areas within the
facility by screening and/or inspecting individuals and vehicles as
they enter, including,
Measures to deter the
unauthorized introduction of dangerous substances and devices that
may facilitate an attack or actions having serious negative
consequences for the population surrounding the facility; and
Measures implementing a
regularly updated identification system that checks the
identification of facility personnel and other persons seeking
access to the facility and discourages abuse through established
disciplinary measures.
Deter, Detect, and Delay.
Deter, detect, and delay an attack, creating sufficient time between
detection of an attack and the point at which the attack becomes
successful, including measures to:
Deter vehicles from
penetrating the facility perimeter, gaining unauthorized access to
restricted areas or otherwise presenting a hazard to potentially
critical targets;
Deter attacks through
visible, professional, well-maintained security measures and
systems, including security personnel, detection systems, barriers
and barricades, and hardened or reduced value targets;
Detect attacks at early
stages, through counter surveillance, frustration of opportunity to
observe potential targets, surveillance and sensing systems, and
barriers and barricades; and
Delay an attack for a
sufficient period of time to allow appropriate response through
onsite security response, barriers and barricades, hardened targets,
and well-coordinated response planning.
Shipping, Receipt, and
Storage. Secure and monitor the shipping, receipt, and storage of
hazardous materials for the facility;
Theft and Diversion. Deter
theft or diversion of potentially dangerous chemicals;
Sabotage. Deter insider
sabotage;
Cyber. Deter cyber sabotage,
including by preventing unauthorized onsite or remote access to
critical process controls, such as Supervisory Control and Data
Acquisition (SCADA) systems, Distributed Control Systems (DCS),
Process Control Systems (PCS), Industrial Control Systems (ICS),
critical business system, and other sensitive computerized systems;
Response. Develop and
exercise an emergency plan to respond to security incidents
internally and with assistance of local law enforcement and first
responders;
Monitoring. Maintain
effective monitoring, communications and warning systems, including,
Measures designed to ensure
that security systems and equipment are in good working order and
inspected, tested, calibrated, and otherwise maintained;
Measures designed to
regularly test security systems, note deficiencies, correct for
detected deficiencies, and record results so that they are available
for inspection by the Department; and
Measures to allow the
facility to promptly identify and respond to security system and
equipment failures or malfunctions.
Training. Ensure proper
security training, exercises, and drills of facility personnel;
Personnel Surety. Perform
appropriate background checks on and ensure appropriate credentials
for facility personnel, and as appropriate, for unescorted visitors
with access to restricted areas or critical assets, including,
Measures designed to verify
and validate identity;
Measures designed to check
criminal history;
Measures designed to verify
and validate legal authorization to work; and
Measures designed to identify
people with terrorist ties.
Elevated Threats. Escalate
the level of protective measures for periods of elevated threat;
Specific Threats,
Vulnerabilities, or Risks. Address specific threats, vulnerabilities
or risks identified by the Executive Assistant Director for the
particular facility at issue;
Reporting of Significant
Security Incidents. Report significant security incidents to the
Department and to local law enforcement officials;
Significant Security
Incidents and Suspicious Activities. Identify, investigate, report,
and maintain records of significant security incidents and
suspicious activities in or near the site;
Officials and Organization.
Establish official(s) and an organization responsible for security
and for compliance with these standards;
Records. Maintain appropriate
records; and
Address any additional
performance standards the Executive Assistant Director may specify.
CISA continues to collect through
a single instrument SSPs and ASPs submitted in lieu of an SSP.
Covered chemical facilities that wish to submit an ASP or Expedited
Approval Program (EAP)
in lieu of the SSP upload their documentation electronically into the
instrument. The information is collected electronically by this
instrument.
This instrument also supports
CISA’s evaluation of submitted SSPs, ASPs, and EAPs submitted
in lieu of SSPs pursuant to 6 CFR § 27.245.
CFATS Help Desk
CISA provides technical assistance
and consultation to chemical facilities. Inquiries to CISA may be
made via a toll-free phone number, web-forms, and email
([email protected]).
The CFATS Help Desk provides
additional customer service functions such as:
Receiving tips about possible
security concerns at facilities regulated by CFATS. This allows the
general public to report possible security concerns directly to
CISA;
Short surveys to solicit
feedback and suggestions to improve customer service; and
Verification that an
individual is a CVI Authorized User.
The information collected by this
instrument takes many forms (e.g., paper, electronic, audio, etc.).
User Registration
CISA is proposing a revision to
this instrument to include the collection of facility employer
identification number(s).
The user registration application
is a public, web-based tool available through
www.dhs.gov/chemicalsecurity
for chemical facilities of interest that do not have CSAT user
accounts. User Registration is completed and subsequently maintained
by the chemical facility Authorizer and/or individuals designated by
the Authorizer as having some responsibility for the submission of
information collected by CISA through CSAT. The Authorizer role in
CSAT is also used by CISA to send official correspondence. Several
user roles may be assigned by an Authorizer.
This instrument collects both: (1)
basic personally identifiable information (PII) (e.g., full name,
contact information, unique identity verification questions) about
each individual for their CSAT user account, as well as PII for key
security personnel, and (2) facility-related information. Collected
facility-related information includes basic demographic information
(e.g., location, internet protocol addresses, domain names, NAICS,
employer identification number, unique identifying names or numbers,
relationships to other companies, etc.). The instrument also collects
information about “groups” to support the CFATS Personnel
Surety Program.
Information is collected
electronically by this instrument.
Identification of Facilities and Assets at Risk.
The purpose of Identification of
Facilities and Assets at Risk is to collect information from each
respondent of an SSP/ASP on their chemical of interest supply and
distribution chain or other information about their business
operations. This information will be used by CISA to assist in its
efforts to identify either potential chemical facility(s) of interest
or potential asset(s) at risk at the covered chemical facility.
Participation in this collection
is voluntary and respondents will not be required to provide this
information to CISA for purposes of complying with any portion of
CFATS.
The information collected by this
instrument takes many forms (e.g., paper, electronic, audio, etc.).
���3.
Describe whether, and to what extent, the collection of information
involves the use of automated, electronic, mechanical, or other
technological collection techniques or other forms of information
technology, e.g., permitting electronic submission of responses, and
the basis for the decision for adopting this means of collection.
Also, describe any consideration of using information technology to
reduce burden.
This collection continues to use
CSAT to reduce the burden on chemical facilities by streamlining the
data collection process to meet CFATS regulatory obligations.
Collecting the required information primarily through CSAT enhances
access controls and reduces the paperwork burden on covered chemical
facilities.
Table 1: Medium Information Is Collected In
Name of Instrument
|
Medium of Collection
|
Top-Screen
|
The information is
collected electronically by this instrument.
|
SVA & ASP submitted in
lieu of an SVA
|
The information is
collected electronically by this instrument.
|
SSP & ASP submitted in
lieu of an SSP
|
The information is
collected electronically by this instrument.
|
CFATS Help Desk
|
The information collected
by this instrument takes many forms (e.g., paper, electronic,
audio, etc.).
|
User Registration
|
The information is
collected electronically by this instrument.
|
Identification of
Facilities and Assets at Risk.
|
The information collected
by this instrument takes many forms (e.g., paper, electronic,
audio, etc.).
|
���4.
Describe efforts to identify duplication. Show specifically why any
similar information already available cannot be used or modified for
use for the purposes described in Item 2 above.
���
CISA maintains the CSAT tool to
support the CFATS regulatory program. One of the key features
inherent to the CSAT tool is the capability to estimate with a high
degree of confidence the health, safety, and security impacts of a
terrorist attack. Although State, local, and other Federal
regulations relate to chemical safety, those regimes do not collect
the core security metrics that enable the identification of high-risk
chemical facilities essential to implementing the risk-based security
regulation under 6 CFR Part 27.
���5. If
the collection of information impacts small businesses or other small
entities (Item 5 of OMB Form 83-I), describe any methods used to
minimize.
No unique methods will be used to
minimize the burden to small businesses.
���6.
Describe the consequence to Federal/DHS program or policy activities
if the collection of information is not conducted, or is conducted
less frequently, as well as any technical or legal obstacles to
reducing burden.
6 CFR § 27.210 provides
specific submission schedules for chemical facilities data
submissions along with revisions to the schedule published at 81 FR
47001 in accordance with § 27.210(a)(2). Additional submission
requirements may be found in a high-risk chemical facility SSP/ASP.
6 CFR § 27.200(a) authorizes
CISA to “at any time, request information from chemical
facilities.” This includes both requirements for a facility to
(1) resubmit information if a previous submission has been found
inadequate, incomplete, contains one or more errors, or otherwise
found unacceptable or (2) submit new information necessary for CISA
to re-evaluate the facility.
���7.
Explain any special circumstances that would cause an information
collection to be conducted in a manner:
���(a)
Requiring respondents to report information to the agency more often
than quarterly.
������(b)
Requiring respondents to prepare a written response to a collection
of information in fewer than 30 days after receipt of it.
���(c)
Requiring respondents to submit more than an original and two copies
of any document.
���(d)
Requiring respondents to retain records, other than health, medical,
government contract, grant-in-aid, or tax records for more than three
years.
���(e)
In connection with a statistical survey, that is not designed to
produce valid and reliable results that can be generalized to the
universe of study.
������(f)
Requiring the use of a statistical data classification that has not
been reviewed and approved by OMB.
���(g)
That includes a pledge of confidentiality that is not supported by
authority established in statute or regulation, that is not supported
by disclosure and data security policies that are consistent with the
pledge, or which unnecessarily impedes sharing of data with other
agencies for compatible confidential use.
���(h)
Requiring respondents to submit proprietary trade secret, or other
confidential information unless the agency can demonstrate that it
has instituted procedures to protect the information’s
confidentiality to the extent permitted by law.
���
There are no special circumstances
with this collection.
���8.
Federal Register Notice:
������a.
Provide a copy and identify the date and page number of publication
in the Federal Register of the agency’s notice
soliciting comments on the information collection prior to submission
to OMB. Summarize public comments received in response to that notice
and describe actions taken by the agency in response to these
comments. Specifically address comments received on cost and hour
burden.
������b.
Describe efforts to consult with persons outside the agency to obtain
their views on the availability of data, frequency of collection, the
clarity of instructions and recordkeeping, disclosure, or reporting
format (if any), and on the data elements to be recorded, disclosed,
or reported.
���c.
Describe consultations with representatives of those from whom
information is to be obtained or those who must compile records.
Consultation should occur at least once every three years, even if
the collection of information activities is the same as in prior
periods. There may be circumstances that may preclude consultation in
a specific situation. These circumstances should be explained.
���
���
|
Date of
Publication
|
Volume #
|
Number #
|
Page #
|
Comments Addressed
|
60-Day Federal Register
Notice:
|
December 27, 2022
|
87
|
247
|
79337 - 79341
|
0
|
30-Day Federal Register
Notice
|
April 20, 2023
|
88
|
76
|
24435 - 24437
|
0
|
In response to the 60-day notice
for this ICR, CISA received no comments.
���9.
Explain any decision to provide any payment or gift to respondents,
other than remuneration of contractors or grantees.
No payment or gift of any kind is
provided to any respondents.
���10.
Describe any assurance of confidentiality provided to respondents and
the basis for the assurance in statute, regulation, or agency policy.
���
There is no assurance of
confidentiality provided to the respondents, with the exception of
whistleblower protections mandated by statute at 6 USC §
625(a)(2).
Some information collected through
this collection may be protected from disclosure by the Department
under the designation Chemical-terrorism Vulnerability Information
(CVI). CVI is a Sensitive but Unclassified designation authorized
under the CFATS Act of 2014 and implemented in 6 CFR § 27.400.
6 U.S.C. 623(d) states that CVI
“in any proceeding to enforce this section, vulnerability
assessments, site security plans, and other information submitted to
or obtained by the Secretary under this section, and related
vulnerability or security information, shall be treated as if the
information were classified material.” In addition, 6 CFR §
27.400(h) specifies the circumstances under which access to CVI may
be provided by the Department in the context of an administrative
enforcement proceeding.
Notwithstanding the Freedom of
Information Act (FOIA) (5 U.S.C. 552), the Privacy Act (5 U.S.C.
552a), and other laws, in accordance with Sec. 550(c) of P.L. 107-296
6 U.S.C. 623(c) and 6 CFR § 27.400(g), records containing CVI
are not available for public inspection or copying, nor does the
Department release such records to persons without a need to know.
See 6 CFR 27.400(g)(1).
If a record contains both CVI and
non-CVI information that may not be disclosed under Public Law
107-296 and information that may be disclosed, the latter information
may be provided dis-closed in response to a FOIA request, provided
that the record is not otherwise exempt from dis-closure under FOIA
and that it is practical to redact the protected CVI from the
requested rec-ord. See 6 CFR 27.400(g)(2).
This is a privacy sensitive
system. A Privacy Threshold Analysis has been adjudicated by the DHS
Privacy Office which resulted in a determination that PIA coverage is
provided by DHS/NPPD/PIA-009(a) Chemical Facility Anti-Terrorism
Standards August 12, 2016. SORN coverage is provided by
DHS/ALL-002-Department of Homeland Security (DHS) Mailing and Other
Lists System, November 25, 2008, 73 FR 71659, DHS/ALL-004-General
Information Technology Access Account Records System (GITAARS),
November 27, 2012, 77 FR 70792.
CISA’s primary information
technology design requirement was ensuring data security. CISA
acknowledges that there is a non-zero risk, both to the original
transmission and the receiving transmission, when requesting data
over the Internet. CISA has weighed the risk to the data collection
approach against the risk to collecting the data through paper
submissions and concluded that the web-based approach was the best
approach given the risk and benefits.
CISA has taken a number of steps
to protect both the data that will be collected through the CFATS
program and the process of collection. The security of the data has
been the number one priority of the system design. The site that CISA
uses to collect submissions is equipped with hardware encryption that
requires Transport Layer Security (TLS), as mandated by the latest
Federal Information Processing Standard (FIPS). The encryption
devices have full Common Criteria Evaluation and Validation Scheme
(CCEVS) certifications. CCEVS is the implementation of the
partnership between the National Security Agency and the National
Institute of Standards (NIST) to certify security hardware and
software.
11.
Provide additional justification for any questions of a sensitive
nature, such as sexual behavior and attitudes, religious beliefs, and
other matters that are commonly considered private. This
justification should include the reasons why the agency considers the
questions necessary, the specific uses to be made of the information,
the explanation to be given to persons from whom the information is
requested, and any steps to be taken to obtain their consent.
The instruments described in this
collection do not request any information of a personally-sensitive
nature.
������12.
Provide estimates of the hour burden of the collection of
information. The statement should:
������a.
Indicate the number of respondents, frequency of response, annual
hour burden, and an
explanation
of how the burden was estimated. Unless directed to do so, agencies
should not conduct special surveys to obtain information on which to
base hour burden estimates. Consultation with a sample (fewer than
10) of potential respondents is desired. If the hour burden on
respondents is expected to vary widely because of differences in
activity, size, or complexity, show the range of estimated hour
burden, and explain the reasons for the variance. Generally,
estimates should not include burden hours for customary and usual
business practices.
���b. If
this request for approval covers more than one form, provide separate
hour burden estimates for each form and aggregate the hour burdens in
Item 13 of OMB Form 83-I.
c.
Provide estimates of annualized cost to respondents for the hour
burdens for collections of information, identifying and using
appropriate wage rate categories. The cost of contracting out or
paying outside parties for information collection activities should
not be included here. Instead, this cost should be included in Item
14.
REPORTING BURDEN
To estimate the average annual
reporting burden associated with each instrument, CISA multiplies the
number of respondents by the annual number of responses per
respondent and the estimated time needed to respond. The number of
responses per respondent and the time burden estimates vary by
instrument and are summarized in Table 2, along with the total annual
reporting burden for each instrument.
As shown in Table 2, the estimated
annual labor cost associated with reporting is approximately $3
million.
Table 2: Estimated Annual Burden Hours and Costs of Reporting by
Instrument*
Instrument
|
Number of Respondents
|
Number of Responses per
Respondent
|
Average Burden per
Response (hours)
|
Total Annual Burden
(hours)
|
Average
Hourly
Compensation Rate
|
Total Annual Burden
Cost
|
A
|
B
|
C
|
D = A × B ×
C
|
E
|
F = D × E
|
CFATS Help Desk
|
12,000
|
1
|
0.1167
|
1,400
|
$90.41
|
$126,580
|
User
Registration
|
1,000
|
1
|
2.5
|
2,500
|
$90.41
|
$226,035
|
Top-Screen
|
3,817
|
1
|
2.04
|
7,785
|
$90.41
|
$703,829
|
SVA & ASP Submitted in
lieu of an SVA
|
2,328
|
1
|
1.4136
|
3,291
|
$90.41
|
$297,530
|
SSP & ASP Submitted in
lieu of an SSP
|
2,328
|
1
|
7.845
|
18,262
|
$90.41
|
$1,651,158
|
Identification of
Facilities & Assets at Risk
|
2,252
|
1
|
0.17
|
375
|
$90.41
|
$33,931
|
Total
|
23,725
|
|
|
33,613
|
|
$3,039,063
|
Note:
Totals may not add due to rounding numbers up or down.
���13.
Provide an estimate of the total annual cost burden to respondents or
record keepers resulting from the collection of information. (Do not
include the cost of any hour burden shown in Items 12 and 14.)
The
cost estimate should be split into two components: (1) a total
capital and start-up cost component (annualized over its expected
useful life); and (b) a total operation and maintenance and purchase
of services component. The estimates should take into account costs
associated with generating, maintaining, and disclosing or providing
the information. Include descriptions of methods used to estimate
major cost factors including system and technology acquisition,
expected useful life of capital equipment, the discount rate(s), and
the time period over which costs will be incurred. Capital and
start-up costs include, among other items, preparations for
collecting information such as purchasing computers and software;
monitoring, sampling, drilling and testing equipment; and record
storage facilities.
���
If cost
estimates are expected to vary widely, agencies should present ranges
of cost burdens and explain the reasons for the variance. The cost of
purchasing or contracting out information collection services should
be a part of this cost burden estimate. In developing cost burden
estimates, agencies may consult with a sample of respondents (fewer
than 10), utilize the 60-day pre-OMB submission public comment
process and use existing economic or regulatory impact analysis
associated with the rulemaking containing the information collection
as appropriate.
Generally,
estimates should not include purchases of equipment or services, or
portions thereof, made: (1) prior to October 1, 1995, (2) to achieve
regulatory compliance with requirements not associated with the
information collection, (3) for reasons other than to provide
information to keep records for the government, or (4) as part of
customary and usual business or private practices.
As described in the 60-day notice,
respondents will incur start-up costs and certain respondents would
incur operations and maintenance (O&M) costs associated with
recordkeeping as required under 6 CFR Part 27. CISA estimates that
the average annual start-up and O&M costs associated with
recordkeeping are $556,040.
���14.
Provide estimates of annualized cost to the Federal Government. Also,
provide a description of the method used to estimate cost, which
should include quantification of hours, operational expenses (such as
equipment, overhead, printing and support staff), and any other
expense that would have been incurred without this collection of
information. You may also aggregate cost estimates for Items 12, 13,
and 14 in a single table.
���
The annual cost of this collection
is estimated to be $10 million. The annual cost of this collection is
based on the Lifecycle Cost Estimate (LCCE) for the CSAT Suite, the
information technology investment that supports the collection. The
LCCE calculation of the annual cost of maintenance of the CSAT Suite
(i.e., the development and testing of minor enhancements and bug
fixes) is developed by extrapolation from the actual costs used for
CSAT Suite development projects. The LCCE calculation of the annual
cost of operation of the CSAT Suite (comprising production hosting
services, software licenses, system and database administration, data
management, information system security, and help desk services) is
based on extrapolation from the actual costs of the current
production hosting services.
���15.
Explain the reasons for any program changes or adjustments reported
in Items 13 or 14 of the OMB Form 83-I. Changes in hour burden, i.e.,
program changes or adjustments made to annual reporting and
recordkeeping hour and cost burden. A program change is the result of
deliberate Federal Government action. All new collections and any
subsequent revisions of existing collections (e.g., the addition or
deletion of questions) are recorded as program changes. An adjustment
is a change that is not the result of a deliberate Federal Government
action. These changes that result from new estimates or actions not
controllable by the Federal Government are recorded as adjustments.
���
Based on historical data, CISA
made several revisions to the burden estimates since the information
collection’s last approval in July of 2019. The revisions
modified the number of respondents and the estimated time per
respondent with the most significant increases present in the Top
Screen and Site Security Plan instruments. CISA also increased the
wage rate and compensation factors used to calculate the labor cost
incurred by respondents.
���16.
For collections of information whose results will be published,
outline plans for tabulation and publication. Address any complex
analytical techniques that will be used. Provide the time schedule
for the entire project, including beginning and ending dates of the
collection of information, completion of report, publication dates,
and other actions.
���
No plans exist for the use of
statistical analysis or to publish this information.
���17.
If seeking approval to not display the expiration date for OMB
approval of the information collection, explain reasons that display
would be inappropriate.
���
The expiration date will be
displayed in the instruments.
���18.
Explain each exception to the certification statement identified in
Item 19 “Certification for Paperwork Reduction Act
Submissions,” of OMB Form 83-I.
No exceptions have been requested.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Title | Supporting Statement A - Template |
| Author | fema user |
| File Modified | 0000-00-00 |
| File Created | 2023-09-06 |