[Federal Register Volume 86, Number 123 (Wednesday, June 30, 2021)]
[Notices]
[Pages 34775-34777]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-13884]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
Transportation Security Administration
Intent To Request Revision From OMB of One Current Public
Collection of Information: Critical Facility Information of the Top 100
Most Critical Pipelines
AGENCY: Transportation Security Administration, DHS.
ACTION: 60-Day notice.
-----------------------------------------------------------------------
SUMMARY: The Transportation Security Administration (TSA) invites
public comment on one currently approved Information Collection Request
(ICR), Office of Management and Budget (OMB) control number 1652-0050,
abstracted below that we will submit to OMB for a revision in
compliance with the Paperwork Reduction Act (PRA). The ICR addresses a
statutory requirement for TSA to develop and implement a plan to
inspect critical pipeline systems. On May 26, 2021, OMB approved TSA's
request for an emergency revision of this collection to address the
ongoing cybersecurity threat to pipeline systems and associated
infrastructure. TSA is now seeking to renew and revise the collection
as it expires on November 30, 2021. The ICR describes the nature of the
information collection and its expected burden, which TSA is seeking to
continue its collection of critical facility security information.
DATES: Send your comments by August 30, 2021.
ADDRESSES: Comments may be emailed to [email protected] or delivered to
the TSA PRA Officer, Information Technology (IT), TSA-11,
Transportation Security Administration, 6595 Springfield Center Drive,
Springfield, VA 20598-6011
FOR FURTHER INFORMATION CONTACT: Christina A. Walsh at the above
address, or by telephone (571) 227-2062.
[[Page 34776]]
SUPPLEMENTARY INFORMATION:
Comments Invited
In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C.
3501 et seq.), an agency may not conduct or sponsor, and a person is
not required to respond to, a collection of information unless it
displays a valid OMB control number. The ICR documentation will be
available at http://www.reginfo.gov upon its submission to OMB.
Therefore, in preparation for OMB review and approval of the following
information collection, TSA is soliciting comments to--
(1) Evaluate whether the proposed information requirement is
necessary for the proper performance of the functions of the agency,
including whether the information will have practical utility;
(2) Evaluate the accuracy of the agency's estimate of the burden;
(3) Enhance the quality, utility, and clarity of the information to
be collected; and
(4) Minimize the burden of the collection of information on those
who are to respond, including using appropriate automated, electronic,
mechanical, or other technological collection techniques or other forms
of information technology.
Information Collection Requirement
OMB Control Number 1652-0050; Critical Facility Information of the
Top 100 Most Critical Pipelines: The Implementing Recommendations of
the 9/11 Commission Act of 2007 (9/11 Act) specifically required TSA to
develop and implement a plan for reviewing the pipeline security plans
and inspecting the critical facilities of the 100 most critical
pipeline systems.\1\ Pipeline owner/operators determine which
facilities qualify as critical facilities based on guidance and
criteria set forth in the TSA Pipeline Security Guidelines published in
December 2010 and 2011, with an update published in April 2021. To
execute the 9/11 Act mandate, TSA visits critical pipeline facilities
and collects site-specific information from pipeline owner/operators on
facility security policies, procedures, and physical security measures.
---------------------------------------------------------------------------
\1\ See sec. 1557 of the 9/11 Act, Public Law 110-53 (121 Stat.
266, 475; Aug. 3, 2007), as codified at 6 U.S.C. 1207.
---------------------------------------------------------------------------
TSA collects facility security information during the site visits
using a Critical Facility Security Review (CFSR) form. The CFSR looks
at individual pipeline facility security measures and procedures.\2\
This collection is voluntary. Information collected from the reviews is
analyzed and used to determine strengths and weaknesses at the nation's
critical pipeline facilities, areas to target for risk reduction
strategies, pipeline industry implementation of the voluntary
guidelines, and the potential need for regulations in accordance with
the 9/11 Act provision previously cited.
---------------------------------------------------------------------------
\2\ The CFSR differs from a Corporate Security Review (CSR)
conducted by TSA in another information collection that looks at
corporate or company-wide security management plans and practices
for pipeline operators. See OMB Control No. 1652-0056 at https://www.reginfo.gov for the PRA approval of information collection for
these CSRs.
---------------------------------------------------------------------------
TSA visits with pipeline owner/operators to follow up on their
implementation of security improvements and recommendations made during
facility visits. During critical facility visits, TSA documents and
provides recommendations to improve the security posture of the
facility. TSA intends to continue to follow up with pipeline owner/
operators via email on their status toward implementation of the
recommendations made during the critical facility visits. The follow up
will be conducted at intervals of six, 12, and 18 months after the
facility visit.
TSA previously initiated the PRA approval process by publishing a
notice on April 8, 2021, 86 FR 18291, announcing our intent to conduct
this collection with a revision. Due to the emergency revision of the
information collection, TSA is reinitiating the approval process.
Revision
TSA is revising the information collection to align the CFSR
question set with the revised Pipeline Security Guidelines, and to
capture additional criticality criteria. As a result, the question set
has been edited by removing, adding and rewriting several questions, to
meet the Pipeline Security Guidelines and criticality needs. Further,
TSA is moving the collection instrument from a PDF format to an Excel
Workbook format.
Emergency Revision
While the above listed collections are voluntary, on May 26, 2021,
OMB approved TSA's request for an emergency revision of this
information collection, allowing for the institution of mandatory
requirements. See ICR Reference Number: 202105-1652-002. The revision
was necessary as a result of the recent ransomware attack on one of the
Nation's top pipeline supplies and other emerging threat information.
In order to address the ongoing cybersecurity threat to pipeline
systems and associated infrastructure, TSA issued a Security Directive
(SD) applicable to owner/operators of a hazardous liquid and natural
gas pipeline or liquefied natural gas facility notified by TSA that
their pipeline system or facility is critical. These owner/operators
are required to review Section 7 of TSA's Pipeline Security Guidelines
and assess current activities, using the TSA Pipeline Cybersecurity
Self-Assessment form, to address cyber risk, and identify remediation
measures that will be taken to fill those gaps and a timeframe for
achieving those measures. The form provided is based on the instrument
used for the CFSRs, limited to cybersecurity issues and augmented to
address the scope of the SD. The critical pipeline owner/operators are
required to report the results of this assessment to TSA within 30 days
of issuance of the SD. In cooperation with the Cybersecurity and
Infrastructure Security Agency, TSA will use this information to make a
global assessment of the cyber risk posture of the industry.
TSA is seeking renewal of this information collection for the
maximum three-year approval period.
To the extent information provided by operators for each
information collection is Sensitive Security Information (SSI), TSA
will protect in accordance with procedures meeting the transmission,
handling, and storage requirements of SSI set forth in 49 CFR parts 15
and 1520.
TSA estimates the annual hour burden for the information collection
related to the voluntary collection of the CFSR form to be 320 hours.
TSA will conduct a maximum of 80 facility reviews each year, with each
review taking approximately 4 hours (320 = 80 x 4).
TSA estimates the annual hour burden for the information collection
related to TSA follow ups on the recommendations based on the above
CFSRs made to facility owner/operators to be 480 hours. TSA estimates
each owner/operator will spend approximately 2 hours to submit a
response to TSA regarding its voluntary implementation of security
recommendations made during each critical facility visit. If a maximum
of 80 critical facilities are reviewed each year, and TSA follows up
with each facility owner/operator every 6, 12, and 18 months following
the visit, the total annual burden is 480 (80 x 2 x 3) hours.
For the mandatory collection, TSA estimates 100 owner/operators
will complete and submit the Pipeline Cybersecurity Self-Assessment
form. It will take each owner/operator approximately 6 hours to
complete and
[[Page 34777]]
submit this form, for a total of 600 hours (100 x 6).
The total estimated burden for the entire information collection is
1,400 hours annually--320 hours for the CFSR form, 480 hours for the
recommendations follow-up procedures, and 600 hours for the Pipeline
Cybersecurity Self-Assessment form.
Dated: June 24, 2021.
Christina A. Walsh,
TSA Paperwork Reduction Act Officer, Information Technology.
[FR Doc. 2021-13884 Filed 6-29-21; 8:45 am]
BILLING CODE 9110-05-P