[Federal Register Volume 86, Number 164 (Friday, August 27, 2021)]
[Pages 48239-48240]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-18533]



Transportation Security Administration

Intent To Request an Extension From OMB of One Current Public 
Collection of Information: Pipeline Corporate Security Review Program

AGENCY: Transportation Security Administration, DHS.

ACTION: 60-Day notice.


SUMMARY: The Transportation Security Administration (TSA) invites 
public comment on one currently-approved Information Collection Request 
(ICR), Office of Management and Budget (OMB) control number 1652-0056, 
abstracted below, that we will submit to OMB for an extension in 
compliance with the Paperwork Reduction Act (PRA). On July 15, 2021, 
OMB approved TSA's request for an emergency revision of this collection 
to address the ongoing cybersecurity threat to pipeline systems and 
associated infrastructure. TSA is now seeking to renew the collection, 
which expires on January 31, 2022, with incorporation of the subject of 
the emergency revision. The ICR describes the nature of the information 
collection and its expected burden. The collection allows TSA to assess 
the current security practices in the pipeline industry through TSA's 
Pipeline Corporate Security Review (PCSR) program. The PCSR program is 
part of the larger domain awareness, prevention, and protection program 
supporting TSA's and the Department of Homeland Security's missions.

DATES: Send your comments by October 26, 2021.

ADDRESSES: Comments may be emailed to [email protected] or delivered 
to the TSA PRA Officer, Information Technology (IT), TSA-11, 
Transportation Security Administration, 6595 Springfield Center Drive, 
Springfield, VA 20598-6011.

FOR FURTHER INFORMATION CONTACT: Christina A. Walsh at the above 
address, or by telephone (571) 227-2062.


Comments Invited

    In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 
3501 et seq.), an agency may not conduct or sponsor, and a person is 
not required to respond to, a collection of information unless it 
displays a valid OMB control number. The ICR documentation will be 
available at http://www.reginfo.gov upon its submission to OMB. 
Therefore, in preparation for OMB review and approval of the following 
information collection, TSA is soliciting comments to--
    (1) Evaluate whether the proposed information requirement is 
necessary for the proper performance of the functions of the agency, 
including whether the information will have practical utility;
    (2) Evaluate the accuracy of the agency's estimate of the burden;
    (3) Enhance the quality, utility, and clarity of the information to 
be collected; and
    (4) Minimize the burden of the collection of information on those 
who are to respond, including using appropriate automated, electronic, 
mechanical, or other technological collection techniques or other forms 
of information technology.

Information Collection Requirement

    OMB Control Number 1652-0056; Pipeline Corporate Security Review 
(PCSR) Program. Under the Aviation and Transportation Security Act \1\ 
and delegated authority from the Secretary of Homeland Security, TSA 
has broad responsibility and authority for ``security in all modes of 
transportation . . . including security responsibilities . . . over 
modes of transportation that are exercised by the Department of 
Transportation.'' \2\ TSA is specifically empowered to assess threats 
to transportation; \3\ develop policies, strategies, and plans for 
dealing with threats to transportation; \4\ oversee the implementation 
and adequacy of security measures at transportation facilities; \5\ and 
carry out other appropriate duties relating to transportation 
security.\6\ The Implementing Recommendations of the 9/11 Commission 
Act of 2007 (9/11 Act) included a specific requirement for TSA to 
conduct assessments of critical pipeline facilities.\7\

    \1\ Public Law 107-71 (115 Stat. 597; Nov. 19, 2001), codified 
at 49 U.S.C. 114.
    \2\ See 49 U.S.C. 114(d). The TSA Administrator's current 
authorities under the Aviation and Transportation Security Act have 
been delegated to him by the Secretary of Homeland Security. Section 
403(2) of the Homeland Security Act (HSA) of 2002, Public Law 107-
296 (116 Stat. 2135, Nov. 25, 2002), transferred all functions of 
TSA, including those of the Secretary of Transportation and the 
Under Secretary of Transportation of Security related to TSA, to the 
Secretary of Homeland Security. Pursuant to DHS Delegation Number 
7060.2, the Secretary delegated to the Administrator of TSA, subject 
to the Secretary's guidance and control, the authority vested in the 
Secretary with respect to TSA, including that in section 403(2) of 
the HSA.
    \3\ 49 U.S.C. 114(f)(2).
    \4\ 49 U.S.C. 114(f)(3).
    \5\ 49 U.S.C. 114(f)(11).
    \6\ 49 U.S.C. 114(f)(15).
    \7\ See section 1557 of Public Law 110-53 (121 Stat. 266; Aug. 
3, 2007) as codified at 6 U.S.C. 1207.

Assessing Voluntary Implementation of Recommendations

    Consistent with these authorities and requirements, TSA developed 
the PCSR program to assess the current security practices in the 
pipeline industry, with a focus on the physical and cyber security of 
pipelines and the crude oil and petroleum products, such as gasoline, 
diesel, jet fuel, home heating oil, and natural gas, moving through the 
system infrastructure. PCSRs are voluntary, face-to-face visits, 
usually at the headquarters facility of the pipeline owner/operator. 
Typically, TSA sends one to three employees to conduct a seven to eight 
hour interview with representatives from the owner/operator. The TSA 
representatives analyze the owner/operator's security plan and policies 
and compare their practices with recommendations in TSA's Pipeline 
Security Guidelines.
    During the PCSR assessment, the PCSR program subject matter 
     Meet with senior corporate officers and security managers.
     Develop knowledge of security planning at critical 
pipeline infrastructure sites.
     Establish and maintain a working relationship with key 
security staff who operate critical pipeline infrastructure.
     Identify industry smart practices and lessons learned.
     Maintain a dynamic modal network through effective 
communications with the pipeline industry and government stakeholders.
    Through this engagement, TSA is also able to establish and maintain 
productive working relationships with key pipeline security personnel. 
This engagement and access to pipeline facilities also enables TSA to 
identify and share smart security practices observed at one facility to 
help enhance and improve the security of the pipeline industry. As a 
result, participation in the voluntary PCSR program enhances pipeline 
security at both specific facilities and across the industry.
    TSA has developed a Question Set to aid in the conducting of PCSRs. 
The PCSR Question Set structures the TSA-owner/operator discussion and 
is the central data source for the security information TSA collects. 
TSA developed the PCSR Question Set based on input from government and 
industry stakeholders on how best to obtain relevant information from a 
pipeline owner/operator about its security plan and processes. The 
questions are designed to examine the company's current state of 
security, as well as to address measures that are applied if there is a 
change in the National Terrorism Advisory System. The PCSR Question Set 
also includes sections for facility site visits and owner/operator 
contact information. By asking questions related to specific topics 
(such as security program management, vulnerability assessments, 
components of the security plan, security training, and emergency 
communications), TSA is able to assess the strength of owner/operator's 
physical security, cyber security, emergency communication 
capabilities, and security training.
    This PCSR information collection provides TSA with real-time 
information on a company's security posture. The relationships these 
face-to-face contacts foster are critical to the Federal government's 
ability to reach out to the pipeline stakeholders affected by the 
PCSRs. In addition, TSA follows up via email with owner/operators on 
specific recommendations made by TSA during the PCSR.
    When combined with information from other companies across the 
sector, TSA can identify and develop recommended smart practices and 
security recommendations for the pipeline mode. This information allows 
TSA to adapt programs to the changing security threat, while 
incorporating an understanding of the improvements owners/operators 
make in their security measures. Without this information, the ability 
of TSA to perform its security mission would be severely hindered.

Establishing Compliance With Mandatory Requirements (Emergency 

    While the above listed collections are voluntary, on July 15, 2021, 
OMB approved TSA's request for an emergency revision of this 
information collection, allowing for the institution of mandatory 
requirements. See ICR Reference Number: 202107-1652-002. TSA is now 
seeking renewal of this information collection for the maximum three-
year approval period.
    The revision was necessary as a result of actions TSA took to 
address the ongoing cybersecurity threat to pipeline systems and 
associated infrastructure. On July 19, 2021, TSA issued a Security 
Directive (SD) applicable to owners/operators of critical hazardous 
liquid and natural pipelines and liquefied natural gas facilities.\8\ 
These owners/operators are required to develop and adopt a 
Cybersecurity Contingency/Response Plan to ensure the resiliency of 
their operations in the event of a cybersecurity attack. Owners/
operators must provide evidence of compliance to TSA upon request. In 
addition, owner/operators are required to have a third-party complete 
an evaluation of their industrial control system design and 
architecture to identify previously unrecognized vulnerabilities. This 
evaluation must include a written report detailing the results of the 
evaluation and the acceptance or rejection of any recommendations 
provided by the evaluator to address vulnerabilities. This written 
report must be made available to TSA upon request and retained for no 
less than 2 years from the date of completion. Finally, within 7 days 
of each deadline set forth in the SD, owner/operators must ensure that 
their Cybersecurity Coordinator or other accountable executive submits 
a statement to TSA via email certifying that the owner/operator has met 
the requirements of the SD. For convenience, TSA will provide an 
optional form (TSA Security Directive Pipeline 2021-02 Statement of 
Completion) for each submission deadline that owner/operators can 
complete and submit via email. This form is Sensitive Security 
Information (SSI) and will only be shared with the owner/operators and 
others with the need to know. TSA requires that certifications be made 
in a timely way. Documentation of compliance must be provided upon 

    \8\ On May 28, 2021, TSA issued another SD which included three 
information collections. OMB control number 1652-0055, includes two 
of these information collections, requiring owner/operators to 
report cybersecurity incidents to CISA, and to designate a 
Cybersecurity Coordinator, who is required to be available to the 
TSA 24/7 to coordinate cybersecurity practices and address any 
incidents that arise, and who must submit contact information to 
TSA. OMB control number 1652-0050 contains the remaining information 
collection, requiring owner/operators to conduct a cybersecurity 
assessment, to address cyber risk, and identify remediation measures 
that will be taken to fill those gaps and a time frame for achieving 
those measures.

    Portions of PCSR responses that are deemed SSI are protected in 
accordance with procedures meeting the transmission, handling, and 
storage requirements of SSI set forth in parts 15 and 1520 of title 49, 
Code of Federal Regulations (CFR). Information developed and submitted 
pursuant to TSA's SD is also SSI.
    The annual hour burden for the voluntary information collection is 
estimated to be 220 hours based upon 20 PCSR visits per year, each 
lasting a total of eight hours and the follow-up regarding security 
recommendations, lasting up to three hours, ((20 x 8 = 160 hours) + (20 
x 3 = 60 hours) = 220 hours).
    For the mandatory information collection, TSA estimates a total of 
97 owner/operators will provide the responses for the Cybersecurity 
Contingency/Response Plan; Third-Party Evaluation; and Certification of 
Completion. TSA estimates the total annual burden hours for the 
mandatory collection to be 12,610 hours.
    TSA estimates that it will take approximately 80 hours to complete 
the response for the Cybersecurity Contingency/Response Plan, totaling 
7,760 hours (97 respondents x 80 hours = 7,760 hours). In addition, TSA 
estimates that it will require approximately 42 hours to complete the 
Third-Party Evaluation, totaling 4,074 hours (97 respondents x 42 hours 
= 4,074 hours). Finally, TSA estimates that it will take eight (8) 
hours to complete the Certification of completion of SD requirements, 
totaling 776 hours (97 respondents x 8 hours = 776 hours). Thus, the 
total annual burden hours for the mandatory collection is 12,610 hours 
(7,760 + 4,074 + 776 = 12,610).
    TSA estimates the total respondents for the information collection 
is 97 and the combined annual burden hours for the voluntary and 
mandatory collections are 12,830 hours (220 + 7,760 + 4,074 + 776 = 

    Dated: August 24, 2021.
Christina A. Walsh,
TSA Paperwork Reduction Act Officer, Information Technology.
[FR Doc. 2021-18533 Filed 8-26-21; 8:45 am]