1670-0009_CISA Gateway_SSA (2)


CISA Gateway User Registration

OMB: 1670-0009



Supporting Statement for Paperwork Reduction Act Submissions


Title: CISA Gateway User Registration

OMB Control Number: 1670-0009

Supporting Statement A


A. Justification


1. Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information.


The Presidential Policy Directive-21 (PPD-21) (2013) and the National Infrastructure Protection Plan (NIPP) (2013) (Public Law 107-296) highlight the need for a centrally managed repository of infrastructure attributes capable of assessing risks and facilitating data sharing. To support this mission need, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has developed the CISA Gateway. The CISA Gateway contains several capabilities which support the homeland security mission in the area of critical infrastructure (CI) protection. The collection was initially approved on October 9, 2007, and the most recent approval was on August 28, 2020, with an expiration date of August 31, 2023.


The CISA requests the Office of Management and Budget (OMB) use the emergency review and approval process to reinstate an expired Paperwork Reduction Act (PRA) information collection, 1670-0009 CISA Gateway User Registration. See Request for Emergency Clearance: CISA Gateway User Registration.


The purpose of this collection is to gather the details pertaining to the users of the CISA Gateway for the purpose of creating accounts to access the CISA Gateway. This information is also used to verify a need to know to access the CISA Gateway. After being vetted and granted access, users are prompted and required to take an online training course upon first logging into the system. After completing the training, users are permitted full access to the system.


The title for this collection will be changed from “IP Gateway User Registration” to “CISA Gateway User Registration.” The instrument “IP Gateway Utilization Survey” will be removed from this collection and will no longer be utilized. This will result in reducing the number of burden hours and the removal of the “Supporting Statement B”.

2. Indicate how, by whom, and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.


The information gathered will be used by the CISA Gateway Program Management Team to vet users for a need to know and grant access to the system. As part of the registration process, users are required to take a one-time online training course. When logging into the system for the first time, the system prompts users to take the training courses. Users cannot opt out of the training and are required to take the course in order to gain and maintain access to the system. When users complete the training, the system automatically logs that the training is complete and allows full access to the system.


Below is a list of identified system users and stakeholders.

  1. Critical Infrastructure Community

  2. Protective Security Advisors (PSAs)

  3. State Fusion Centers

  4. The State, Local, Tribal, and Territorial Governing Coordinating Council (SLTTGCC)

  5. State representatives for critical infrastructure

  6. Facility owner/operators

  7. DHS Components and Sub-components to include:

    1. Cybersecurity and Infrastructure Security Agency (CISA)

    2. Federal Protective Service (FPS)

    3. Cybersecurity Division (CSD)

    4. Infrastructure Security Division (ISD)

    5. Emergency Communications Division (ECD)

    6. Integrated Operations Division (IOD)

      1. Cyber Security Advisors (CSAs)

      2. Protective Security Advisors (PSAs)

      3. CISA Central Operations

    7. Infrastructure Security Division (ISD)

    8. National Risk Management Center (NRMC)

    9. Stakeholder Engagement Division (SED)

    10. Transportation Security Administration (TSA)

    11. Office of Health Affairs (OHA)

    12. Sector-Specific Agencies (SSAs)

  8. Critical Infrastructure Sectors:

    1. Chemical Sector

    2. Commercial Facilities Sector

    3. Communications Sector

    4. Critical Manufacturing Sector

    5. Dams Sector

    6. Defense Industrial Base Sector

    7. Emergency Services Sector

    8. Energy Sector

    9. Financial Services Sector

    10. Food and Agriculture Sector

    11. Government Facilities Sector

    12. Healthcare and Public Health Sector

    13. Information Technology Sector

    14. Nuclear Reactors, Materials, and Waste Sector

    15. Transportation Systems Sector

    16. Water and Wastewater Systems Sector

  9. Army Corps of Engineers


The “Supporting Statement B” will be removed as it is no longer needed due to the removal of the “IP Gateway Utilization Survey”.


3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.


The collection of information uses automated electronic forms. During the online registration process, there is an electronic form used to create a user account and an online training course required to grant access.

4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Item 2 above.


Currently there are no known similar programs or information collections that collect CI facility information pertaining to security and resiliency. A search of reginfo.gov also revealed that this information is not collected or duplicated elsewhere.


5. If the collection of information impacts small businesses or other small entities (Item 5 of OMB Form 83-I), describe any methods used to minimize.


The program does not impact small business or other small entities.


6. Describe the consequence to Federal/DHS program or policy activities if the collection of information is not conducted, or is conducted less frequently, as well as any technical or legal obstacles to reducing burden.


By not collecting this information, the CISA Gateway program could not vet and verify users' need to know and could not grant access to the system. If the training is not collected automatically during the registration process, a much more costly and cumbersome method to distribute and verify completion of the training requirement would be needed.


7. Explain any special circumstances that would cause an information collection to be conducted in a manner:


(a) Requiring respondents to report information to the agency more often than quarterly.

N/A

(b) Requiring respondents to prepare a written response to a collection of information in fewer than 30 days after receipt of it.

N/A

(c) Requiring respondents to submit more than an original and two copies of any document.

N/A

(d) Requiring respondents to retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years.

N/A

(e) In connection with a statistical survey, that is not designed to produce valid and reliable results that can be generalized to the universe of study.

N/A

(f) Requiring the use of a statistical data classification that has not been reviewed and approved by OMB.

N/A

(g) That includes a pledge of confidentiality that is not supported by authority established in statute or regulation, that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use.

N/A

(h) Requiring respondents to submit proprietary trade secret, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information’s confidentiality to the extent permitted by law.

N/A

8. Federal Register Notice:

a. Provide a copy and identify the date and page number of publication in the Federal Register of the agency’s notice soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the agency in response to these comments. Specifically address comments received on cost and hour burden.

b. Describe efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.

c. Describe consultations with representatives of those from whom information is to be obtained or those who must compile records. Consultation should occur at least once every three years, even if the collection of information activities is the same as in prior periods. There may be circumstances that may preclude consultation in a specific situation. These circumstances should be explained.




| | Date of Publication | Volume # | Number # | Page # | Comments Addressed |
|---|---|---|---|---|---|
| 60-Day Federal Register Notice: | | | | | |
| 30-Day Federal Register Notice | | | | | |


CISA is currently seeking emergency approval of this collection. In light of the ongoing need, CISA is seeking a waiver to the requirement in 5 CFR 1320.13(d) to publish a Federal Register notice announcing CISA is seeking emergency processing of this ICR. Upon approval of the Emergency Request, CISA will seek public comment on the collection following the normal clearance process providing a 60 and 30 Day commenting period.


9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.


There is no offer of monetary or material value for this information.


10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.



There is no assurance of confidentiality. All user information and surveys are for internal use only and are not published to the public.

The DHS Privacy Office review finds that this is a privacy-sensitive collection requiring a Privacy Impact Assessment (PIA) and Systems of Records Notice (SORN). The collection is covered by PIA, DHS/NPPD/PIA-023 – Infrastructure Protection Gateway, and SORN, DHS/ALL-004 – General Information Technology Access Account Records System (GITAARS) November 27, 2012, 77 FR 70792.



11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private. This justification should include the reasons why the agency considers the questions necessary, the specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.


The survey and assessments template does not contain any questions that are sensitive in nature.



12. Provide estimates of the hour burden of the collection of information. The statement should:




The CISA Gateway was designed and built to fill the lack of a repository for the Nation’s critical infrastructure (CI) community. Examples of users of the CI community include federal, state, local and county representatives as well as emergency response personnel, facility owners, and security personnel.

The frequency of response is the duration of completion of the registration page information, which requires a maximum of ten minutes. Information is automatically collected for the training requirement. Trainees may suspend training before completion and may later return and log-on to the program to continue training, in as many sessions as suits their individual situation. Therefore, collection of data could take place over several sessions, or could be completed in only one session.


CISA estimates that 100 respondents will complete CISA Gateway Registration annually, and that each respondent will spend .167 hours (10 minutes) to complete the registration, for an annual burden of 17 hours. CISA uses Bureau of Labor Statistics (BLS) wage data for Emergency Management Directors to estimate the cost of this collection. The average wage for Emergency Management Directors is $42.74.[1] This wage is multiplied by a compensation factor of 1.4488[2] to account for benefits and non-wage compensation, for an hourly compensation rate of $61.92. Multiplying the hourly compensation rate by the estimated total burden hours of 17 provides an estimated annual respondent cost of $1,032 for registration. The last instrument in this collection is the CISA Registration training requirement, which CISA estimates 100 respondents will spend .5 hours completing, for a total of 50 hours. Using the same hourly compensation rate of $61.92, CISA estimates a cost of $3,096 for training requirements. The total annual cost of all three instruments covered by this collection is estimated to be $4,128, as presented in Table A.12.


Table A.12: Estimated Annualized Burden Hours and Costs

| Instrument | Number of Respondents | Number of Responses per Respondent | Average Burden per Response (hours) | Total Time Burden (hours) | Average Hourly Compensation Rate | Total Labor Cost |
|---|---|---|---|---|---|---|
| CISA Gateway Registration | 100 | 1 | 0.17 | 17 | $61.92 | $1,032 |
| CISA Registration Training Requirement | 100 | 1 | 0.50 | 50 | $61.92 | $3,096 |
| Total | 200 | | | 67 | | $4,128 |




13. Provide an estimate of the total annual cost burden to respondents or record keepers resulting from the collection of information. (Do not include the cost of any hour burden shown in Items 12 and 14.)


There are no recordkeeping, capital, start-up, or maintenance costs to respondents associated with this information collection.



 14. Provide estimates of annualized cost to the Federal Government. Also, provide a description of the method used to estimate cost, which should include quantification of hours, operational expenses (such as equipment, overhead, printing and support staff), and any other expense that would have been incurred without this collection of information. You may also aggregate cost estimates for Items 12, 13, and 14 in a single table.



CISA estimates that the federal government will respond to 100 registrations per year. The government burden to respond to a registration will be .5 hours, for a total of 50 hours. To estimate the burden to the federal government, the estimated annual time burden is multiplied by the fully loaded hourly wage rate. Using the Office of Personnel Management Salary Table for GS14 step 3 wage rate of $67.53 per hour multiplied by a load factor of 1.6919[4], we get a total compensation rate of $114.46. Multiplying the compensation rate by the estimated total burden hours of 50 provides an estimated annual government cost of $5,723, as shown in Table 2.


| Instrument | Number of Reports | Average Burden per Report (hours) | Total Time Burden (hours) | Average Hourly Compensation Rate | Total Labor Cost |
|---|---|---|---|---|---|
| Registration and Assessments | 100 | 0.50 | 50 | $114.46 | $5,723 |




15. Explain the reasons for any program changes or adjustments reported in Items 13 or 14 of the OMB Form 83-I. Changes in hour burden, i.e., program changes or adjustments made to annual reporting and recordkeeping hour and cost burden. A program change is the result of deliberate Federal government action. All new collections and any subsequent revisions of existing collections (e.g., the addition or deletion of questions) are recorded as program changes. An adjustment is a change that is not the result of a deliberate Federal government action. These changes that result from new estimates or actions not controllable by the Federal government are recorded as adjustments.



The changes to the collection since the previous OMB approval include:

The total annual burden cost for the collection has decreased by $1,193, from $5,321 to $4,128 due to the removal of the utilization survey.

The total number of responses has decreased from 350 to 200 due to the removal of the utilization survey.

The annual government cost for the collection has decreased by $6,945 from $12,668 to $5,723, due to the removal of the utilization survey.



16. For collections of information whose results will be published, outline plans for tabulation and publication. Address any complex analytical techniques that will be used. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.



The results of the survey will not be published or used outside of the Program. The information gathered is for internal use only.



17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain reasons that display would be inappropriate.



CISA will display the expiration date for the OMB approval.


18. Explain each exception to the certification statement identified in Item 19 “Certification for Paperwork Reduction Act Submissions,” of OMB Form 83-I.


CISA is not requesting an exception.


[1] Bureau of Labor Statistics OES data. Average wage for Emergency Management Directors Code 11-9161. https://www.bls.gov/oes/2022/may/oes119161.htm

[2] BLS. Employer Costs for Employee Compensation – December 2023. Table 1. Employer Costs per Hour Worked for Employee Compensation and Costs as a Percent of Total Compensation: Civilian Workers, by Major Occupational and Industry Group, December 2018. https://www.bls.gov/news.release/archives/ecec_03172023.pdf. The compensation factor of 1.4488 is estimated by dividing total compensation ($42.48) by wages and salaries ($29.32).

[3] Office of Personnel Management. Salary Table 2023-DCB. Average hourly wage rate for GS-14, Step 3. https://www.opm.gov/policy-data-oversight/pay-leave/salaries-wages/salary-tables/23Tables/html/DCB_h.aspx

[4] Congressional Budget Office. Comparing the Compensation of Federal and Private-Sector Employees, 2011 to 2015. April 2017. https://www.cbo.gov/publication/52637. According to Table 4, average total compensation for all levels of education is $64.80. According to Table 2, average wages for all levels of education is $38.30. DHS estimates the compensation factor by dividing total compensation by average wages.


File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title: Supporting Statement A - Template
Author: fema user
File Modified: 0000-00-00
File Created: 2023-12-20
