Download: docx | pdf

Supporting Statement for Paperwork Reduction Act Submissions

Title: CISA Gateway User Registration

OMB Control Number: 1670-0009

Supporting Statement A

A. Justification

1. Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information.

The Presidential Policy Directive-21 (PPD-21) (2013) and the National Infrastructure Protection Plan (NIPP) (2013) highlight the need for a centrally managed repository of infrastructure attributes capable of assessing risks and facilitating data sharing. The Protected Critical Infrastructure Information Management System (PCIIMS) is an unclassified web-based U.S. Government information technology (IT) system authorized by 6 CFR § 29.4 (e) to record the receipt, acknowledgement, and validation of submitted critical infrastructure information (CII), as well as storage, dissemination, and destruction of original PCII. The system allows for the registration, training, and management of all PCII Authorized Users. To support these mission needs, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) developed the CISA Gateway and the Protected Critical Infrastructure Information System (PCIIMS). The CISA Gateway and PCIIMS contain several capabilities which support the homeland security mission in the area of critical infrastructure (CI) and information protection. The collection was initially approved on October 9, 2007, and the most recent approval was on December 19, 2023, with an expiration date of June 30, 2024.

The CISA requests the Office of Management and Budget (OMB) to review and approve the renewal of the Paperwork Reduction Act (PRA) information collection, 1670-0009 CISA Gateway User Registration that set to expire on June 30, 2024.

The purpose of this collection is to gather the details pertaining to the users of the CISA Gateway and PCIIMS for the purpose of creating accounts to access the CISA Gateway and PCIIMS. This information is also used to verify a need to know to access the CISA Gateway and PCIIMS. After being vetted and granted access, users are prompted and required to take an online training course upon first logging into the system. After completing the training, users are permitted access to the system.

The Information Collection is being revised to remove the instrument, “IP Gateway Registration Training form.”

2. Indicate how, by whom, and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.

The information gathered will be used by the CISA Gateway Program Management Team and the PCII Program Office to vet users for a need to know and grant access to the system. As part of the registration process, users are required to take a one-time online training course for the CISA Gateway and annual refresher training for PCIIMS. When logging into the system for the first time, the system prompts users to take the training courses. Users cannot opt out of the training and are required to take the course in order to gain and maintain access to the system. When users complete the training, the system automatically logs that the training is complete and allows full access to the system.

Below is a list of identified system users and stakeholders.

1. Critical Infrastructure Community

2. Protective Security Advisors (PSAs)

3. State Fusion Centers

4. The State, Local, Tribal, and Territorial Governing Coordinating Council (SLTTGCC)

5. State representatives for critical infrastructure

6. Facility owner/operators

7. DHS Components and Sub-components to include:

   1. Cybersecurity and Infrastructure Security Agency (CISA)

   2. Federal Protective Service (FPS)

   3. Cybersecurity Division (CSD)

   4. Infrastructure Security Division (ISD)

   5. Emergency Communications Division (ECD)

   6. Integrated Operations Division (IOD)

      1. Cyber Security Advisors (CSAs)

      2. Protective Security Advisors (PSAs)

      3. CISA Central Operations

   7. Infrastructure Security Division (ISD)

   8. National Risk Management Center (NRMC)

   9. Stakeholder Engagement Division (SED)

   10. Transportation Security Administration (TSA)

   11. Office of Health Affairs (OHA)

   12. Sector-Specific Agencies (SSAs)

8. Critical Infrastructure Sectors:

   1. Chemical Sector

   2. Commercial Facilities Sector

   3. Communications Sector

   4. Critical Manufacturing Sector

   5. Dams Sector

   6. Defense Industrial Base Sector

   7. Emergency Services Sector

   8. Energy Sector

   9. Financial Services Sector

   10. Food and Agriculture Sector

   11. Government Facilities Sector

   12. Healthcare and Public Health Sector

   13. Information Technology Sector

   14. Nuclear Reactors, Materials, and Waste Sector

   15. Transportation Systems Sector

   16. Water and Wastewater Systems Sector

9. Army Corps of Engineers

3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.

The collection of information uses automated an electronic form, CISA Gateway Registration Form. During the online registration process, the electronic form is used to create a user account to grant access.

CISA conducted usability testing on CISA Gateway Registration Form and the IP Gateway Registration Training form to help with the verification of the burden hours and to verify the ease of use. Usability testing participants had no difficulty traversing through the documents. However, the participants suggested that the IP Gateway Registration Training form was redundant to the collection. As a result, CISA removed the IP Gateway Registration Training form from the collection. Subsequently, the burden hours were adjusted due to the removal of the form.

4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Item 2 above.

Currently there are no known similar programs or information collections that collects details pertaining to the users of the CISA Gateway and PCIIMS for the purpose of creating accounts to access the CISA Gateway and PCIIMS. A search of reginfo.gov also revealed that this information is not collected or duplicated elsewhere.

5. If the collection of information impacts small businesses or other small entities (Item 5 of OMB Form 83-I), describe any methods used to minimize.

The program does not impact small business or other small entities.

6. Describe the consequence to Federal/DHS program or policy activities if the collection of information is not conducted, or is conducted less frequently, as well as any technical or legal obstacles to reducing burden.

By not collecting this information, the CISA Gateway program and the PCII Program could not vet and verify users need to know and could not grant access to the system. If the training is not collected automatically during registration process, a much more costly and cumbersome method to distribute and verify completion of the training requirement would be needed.

7. Explain any special circumstances that would cause an information collection to be conducted in a manner:

1. Requiring respondents to report information to the agency more often than quarterly.

N/A

2. Requiring respondents to prepare a written response to a collection of information in fewer than 30 days after receipt of it.

N/A

3. Requiring respondents to submit more than an original and two copies of any document.

N/A

4. Requiring respondents to retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years.

N/A

5. In connection with a statistical survey, that is not designed to produce valid and reliable results that can be generalized to the universe of study.

N/A

6. Requiring the use of a statistical data classification that has not been reviewed and approved by OMB.

N/A

7. That includes a pledge of confidentiality that is not supported by authority established in statute or regulation, that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use.

N/A

(h) Requiring respondents to submit proprietary trade secret, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information’s confidentiality to the extent permitted by law.



N/A

8. Federal Register Notice:

a. Provide a copy and identify the date and page number of the publication in the Federal Register of the agency’s notice soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the agency in response to these comments. Specifically address comments received on cost and hour burden.

b. Describe efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.

c. Describe consultations with representatives of those from whom information is to be obtained or those who must compile records. Consultation should occur at least once every three years, even if the collection of information activities is the same as in prior periods. There may be circumstances that may preclude consultation in a specific situation. These circumstances should be explained.



	Date of Publication	Volume #	Number #	Page #	Comments Addressed
60-Day Federal Register Notice:	April 24, 2024	89	80	31211-31212	0
30-Day Federal Register Notice	June 28, 2024	89	125	54026-54027	0

A 60-day notice for comments was published in the Federal Register on April 24, 2024. 0 comments were received related to the 60-day notice.

A 30-day notice for comments was published in the Federal Register on June 28, 2024. comments were received related to the 30-day notice.

9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.

There is no offer of monetary or material value for this information.

10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.



There is no assurance of confidentiality. All user information and surveys are for internal use only and are not published to the public.

The DHS Privacy Office review finds that this a privacy sensitive collection requiring a Privacy Impact Assessment (PIA) and Systems of Records Notice (SORN). The collection is covered by PIA, DHS/NPPD/PIA-023 – Infrastructure Protection Gateway, and SORN, DHS/ALL-004 – General Information Technology Access Account Records System (GITAARS) November 27, 2012, 77 FR 70792.

11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private. This justification should include the reasons why the agency considers the questions necessary, the specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.

The survey and assessments template does not contain any questions that are sensitive in nature.

12. Provide estimates of the hour burden of the collection of information. The statement should:



The CISA Gateway was designed and built to fill the lack of a repository for the Nation’s critical infrastructure (CI) community. Examples of users of the CI community include federal, state, local and county representatives as well as emergency response personnel, facility owners, and security personnel.

The frequency of response is the duration of completion of the registration page information, which requires a maximum of ten minutes. Information is automatically collected for the training requirement. Trainees may suspend training before completion and may later return and log-on to the program to continue training, in as many sessions as suits their individual situation. Therefore, collection of data could take place over several sessions, or could be completed in only one session.

CISA estimates that 200 respondents will complete CISA Gateway Registration annually and 500 respondents will complete PCIIMS registration annually, and that each respondent will spend .167 hours (10 minutes) to complete the registration, for an annual burden of 33.33hours for CISA Gateway and 83.33 hours for PCIIMS. CISA uses Bureau of Labor Statistics (BLS) wage data for Emergency Management Directors to estimate the cost of this collection. The average wage for Emergency Management Directors is $42.74.¹ This wage is multiplied by a compensation factor of 1.4488² to account for benefits and non-wage compensation, for an hourly compensation rate of $61.92. For CISA Gateway, multiplying the hourly compensation rate by the estimated total burden hours of 33.33 provides an estimated annual respondent cost of $2,064.11 for registration. For PCIIMS, multiplying the hourly compensation rate by the estimated total burden hours of 83.33 provides an estimated annual respondent cost of $5,160.29. The total annual cost for these instruments covered by this collection is estimated to be $7,224.40 as presented in Table A.12.

Table A.12: Estimated Annualized Burden Hours and Costs

Instrument	Number of Respondents	Number of Responses per Respondent	Average Burden per Response (hours)	Total Time Burden (hours)	Average Hourly Compensation Rate	Total Labor Costs
CISA Gateway Registration	200	1	0.167	33.33	61.92	$2,064.11
PCIIMA Registration Training Requirement	500	1	0.167	83.33	61.92	$5,160.29
Total	700			116.67		$7,224.40

13. Provide an estimate of the total annual cost burden to respondents or record keepers resulting from the collection of information. (Do not include the cost of any hour burden shown in Items 12 and 14.)

There are no recordkeeping, capital, start-up, or maintenance costs to respondents associated with this information collection.

 14. Provide estimates of annualized cost to the Federal Government. Also, provide a description of the method used to estimate cost, which should include quantification of hours, operational expenses (such as equipment, overhead, printing and support staff), and any other expense that would have been incurred without this collection of information. You may also aggregate cost estimates for Items 12, 13, and 14 in a single table.



CISA Gateway estimates that the federal government will respond to 200 registrations per year. The PCIIMS estimates that the federal government will respond to 500 registrations per year. The government burden to respond to a registration will be .167 hours (10 minutes), for a total of 116.67 hours. To estimate the burden to the federal government, the annual burden hours, the estimated annual time burden is multiplied by the fully loaded hourly wage rate. Using the Office of Personnel Management Salary Table for GS14 step 3 wage rate of $71.25³ per hour multiplied by a load factor of 1.6919⁴, we get a total compensation rate of $120.55Multiplying the compensation rate by the estimated total burden hours of 116.67 provides an estimated annual government cost of $14,063.9, as shown in Table 2.

Instrument	Number of Reports	Average Burden per Report (hours)	Total Time Burden (hours)	Average Hourly Compensation Rate	Total Labor Cost
Registration	700	0.167	116.67	120.55	$14,063.92

15. Explain the reasons for any program changes or adjustments reported in Items 13 or 14 of the OMB Form 83-I. Changes in hour burden, i.e., program changes or adjustments made to annual reporting and recordkeeping hour and cost burden. A program change is the result of deliberate Federal government action. All new collections and any subsequent revisions of existing collections (e.g., the addition or deletion of questions) are recorded as program changes. An adjustment is a change that is not the result of a deliberate Federal government action. These changes that result from new estimates or actions not controllable by the Federal government are recorded as adjustments.



The changes to the collection since the previous OMB approval include:

The total number of responses has increased from 200 to 700 due to the updated metrics resulting from the awareness campaign, the addition of PCIIMS respondents, and the registration process changing which no longer includes the training registration.

The annual government cost for the collection has changed by $8,340.92 from $5,723 to $14,063.92 , due to the removal of the utilization survey, and the addition of PCIIMS respondents.

16. For collections of information whose results will be published, outline plans for tabulation and publication. Address any complex analytical techniques that will be used. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.



The results of the survey will not be published or used outside of the Program. The information gathered is for internal use only.

17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain reasons that display would be inappropriate.



CISA will display the expiration date for the OMB approval.

18. Explain each exception to the certification statement identified in Item 19 “Certification for Paperwork Reduction Act Submissions,” of OMB Form 83-I.

CISA is not requesting an exception.

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title	Supporting Statement A - Template
Author	fema user
File Modified	0000-00-00
File Created	2024-07-20