[Federal Register Volume 87, Number 248 (Wednesday, December 28, 2022)]
[Notices]
[Pages 79899-79900]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-28175]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Transportation Security Administration


Revision of Agency Information Collection Activity Under OMB 
Review: Pipeline Corporate Security Reviews and Security Directives

AGENCY: Transportation Security Administration, DHS.

ACTION: 30-day notice.

-----------------------------------------------------------------------

SUMMARY: This notice announces that the Transportation Security 
Administration (TSA) has forwarded the Information Collection Request 
(ICR), Office of Management and Budget (OMB) control number 1652-0056, 
abstracted below, to OMB for review and approval of a revision of the 
currently approved collection under the Paperwork Reduction Act (PRA). 
The ICR describes the nature of the information collection and its 
expected burden. This collection combines TSA's voluntary Pipeline 
Corporate Security Review (PCSR) program with the mandatory 
requirements under the TSA Security Directive (SD) Pipeline-2021-02 
series. The collection allows TSA to assess the current security 
practices in the pipeline industry through TSA's PCSR program, which is 
part of the larger domain awareness, prevention, and protection program 
supporting TSA's and the Department of Homeland Security's missions. 
The collection also allows for the continued institution of mandatory 
cybersecurity requirements under the TSA SD Pipeline-2021-02 series. 
The updated ICR reflects changes to collection requirements based on 
TSA's update to the SD Pipline-2021-02 series, released on July 21, 
2022.

DATES: Send your comments by January 27, 2023. A comment to OMB is most 
effective if OMB receives it within 30 days of publication.

ADDRESSES: Written comments and recommendations for the proposed 
information collection should be sent within 30 days of publication of 
this notice to www.reginfo.gov/public/do/PRAMain. Find this particular 
information collection by selecting ``Currently under Review--Open for 
Public Comments'' and by using the find function.

FOR FURTHER INFORMATION CONTACT: Christina A. Walsh, TSA PRA Officer, 
Information Technology (IT), TSA-11, Transportation Security 
Administration, 6595 Springfield Center Drive, Springfield, VA 20598-
6011; telephone (571) 227-2062; email [email protected].

SUPPLEMENTARY INFORMATION: TSA published a Federal Register notice, 
with a 60-day comment period soliciting comments, of the following 
collection of information on October 3, 2022, 87 FR 59816.
    This collection is separate from those associated with the 
requirements of TSA SD Pipeline 2021-01.\1\
---------------------------------------------------------------------------

    \1\ There are three information collection requirements 
associated with TSA Security Directive Pipeline 2021-01. OMB control 
number 1652-0055 addresses two of them and OMB control number 1652-
0050 addresses the third.
---------------------------------------------------------------------------

Comments Invited

    In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 
3501 et seq.), an agency may not conduct or sponsor, and a person is 
not required to respond to, a collection of information unless it 
displays a valid OMB control number. The ICR documentation will be 
available at http://www.reginfo.gov upon its submission to OMB. 
Therefore, in preparation for OMB review and approval of the following 
information collection, TSA is soliciting comments to--
    (1) Evaluate whether the proposed information requirement is 
necessary for the proper performance of the functions of the agency, 
including whether the information will have practical utility;
    (2) Evaluate the accuracy of the agency's estimate of the burden;
    (3) Enhance the quality, utility, and clarity of the information to 
be collected; and
    (4) Minimize the burden of the collection of information on those 
who are to respond, including using appropriate automated, electronic, 
mechanical, or other technological collection techniques or other forms 
of information technology.

Information Collection Requirement

    Title: Pipeline Corporate Security Reviews (PCSR) Security 
Directives.
    Type of Request: Revision of a currently approved collection.
    OMB Control Number: 1652-0056.
    Forms(s): Pipeline Corporate Security Review (PCSR) Protocol Form 
and documents submitted to TSA pursuant to the requirements in the 
Security Directive.
    Affected Public: Hazardous Liquids and Natural Gas Pipeline 
Industry.
    Abstract: Under the Aviation and Transportation Security Act \2\ 
and delegated authority from the Secretary of Homeland Security, TSA 
has broad responsibility and authority for ``security in all modes of 
transportation . . . including security responsibilities . . . over 
modes of transportation that are exercised by the Department of 
Transportation.'' \3\ Congress' specific recognition of TSA's 
responsibility for pipeline security is reflected in Sec. 1557 of the 
Implementing Recommendations of the 9/11 Commission Act of 2007, Public 
Law 110-53 (121 Stat. 266; Aug. 3, 2007). In addition, TSA has 
statutory authority to issue security directives (SDs) as necessary to 
protect transportation

[[Page 79900]]

security and critical infrastructure. See 49 U.S.C. 114(l)(2).
---------------------------------------------------------------------------

    \2\ Public Law 107-71 (115 Stat. 597; Nov. 19, 2001), codified 
at 49 U.S.C. 114.
    \3\ See 49 U.S.C. 114(d). The TSA Administrator's current 
authorities under the Aviation and Transportation Security Act have 
been delegated to him by the Secretary of Homeland Security. Section 
403(2) of the Homeland Security Act (HSA) of 2002, Public Law 107-
296 (116 Stat. 2135, Nov. 25, 2002), transferred all functions of 
TSA, including those of the Secretary of Transportation and the 
Under Secretary of Transportation of Security related to TSA, to the 
Secretary of Homeland Security. Pursuant to DHS Delegation Number 
7060.2, the Secretary delegated to the Administrator of TSA, subject 
to the Secretary's guidance and control, the authority vested in the 
Secretary with respect to TSA, including that in section 403(2) of 
the HSA.
---------------------------------------------------------------------------

    TSA has historically assessed industry security practices through 
its PCSR program.\4\ The PCSR is a voluntary, face-to-face visit with a 
pipeline owner/operator during which TSA discusses an owner/operator's 
corporate security planning and the entries made by the owner/operator 
on the PCSR Form. The PCSR Form includes 150 questions concerning the 
owner/operator's corporate level security planning, covering security 
topics such as physical security, vulnerability assessments, training, 
and emergency communications. TSA uses the information collected during 
the PCSR process to determine baseline security standards, potential 
areas of security vulnerability, and industry ``smart'' practices 
throughout the pipeline mode. While the PCSR collection supports 
security plans and processes, TSA has issued the security directives 
with mandatory requirements in order to mitigate specific security 
concerns posed by current threats to national security.
---------------------------------------------------------------------------

    \4\ See section 1557 of Public Law 110-53 (121 Stat. 266; Aug. 
3, 2007) as codified at 6 U.S.C. 1207.
---------------------------------------------------------------------------

Establishing Compliance With Mandatory Requirements in the TSA SD 
Pipeline-2021-02 Series; Information Collection Requirements (Emergency 
Revision)

    On July 15, 2021, OMB approved TSA's requests for an emergency 
revision of this information collection, allowing for the institution 
of mandatory requirements issued in TSA SD Pipeline-2021-02 on July 19, 
2021. See ICR Reference Number: 202107-1652-002. This SD mandated that 
critical pipeline owner/operators take the following actions: (1) 
Implement critically important mitigation measures to reduce the risk 
of compromise from a cyberattack; (2) develop and maintain an up-to-
date Cybersecurity Contingency/Response Plan; and (3) test the 
effectiveness of the operator's cybersecurity practices through an 
annual cybersecurity architecture design review. Subsequently, on July 
26, 2022, OMB approved TSA's request to extend the information 
collection. See ICR Reference Number: 202111-1652-001. On December 10, 
2021, and December 17, 2021, TSA revised the SD Pipeline-2021-02 
series. These updates did not affect the information collection 
requirements.
    On July 21, 2022, TSA issued a substantive revision to the series, 
SD Pipeline 2021-02C. This revision provides owner/operators with more 
flexibility to meet the intended security outcomes while ensuring 
sustainment of the cybersecurity enhancements accomplished through this 
SD series. Overall, SD Pipeline-2021-02C changed the cybersecurity 
requirements from a prescriptive approach to a performance-based 
approach focused on certain security outcomes. The revision also 
clarified that the requirements apply to Critical Cyber Systems, as 
defined in the SD, and changed cybersecurity assessment requirements.
    On July 29, 2022, OMB approved TSA's requests for the emergency 
revision of this information collection, allowing for the 
implementation of the revisions in SD Pipeline-2021-02C. See ICR 
Reference Number: 202207-1652-001.
    SD Pipeline 2021-02C requires identified owner/operators to meet 
three general requirements: (1) Establish and implement a TSA-approved 
Cybersecurity Implementation Plan; (2) develop and maintain an up-to-
date Cybersecurity Incident Response Plan; and (3) establish a 
Cybersecurity Assessment Program and submit an annual plan. In 
addition, owner/operators must make records to establish compliance 
with the SD available to TSA upon request for inspection and/or 
copying.
    Submissions by pipeline owner/operators in compliance with the 
voluntary PCSR or the mandatory SD Pipeline-2021-02 series requirements 
are deemed Sensitive Security Information (SSI) and are protected in 
accordance with procedures meeting the transmission, handling, and 
storage requirements of SSI in 49 CFR part 1520.

Revision of the Collection

    TSA is changing the name of OMB control number 1652-0056 from 
``Pipeline Corporate Security Review (PCSR)'' to ``Pipeline Corporate 
Security Reviews (PCSR) and Security Directives'' to more accurately 
represent the information collection. TSA is also revising the 
information collection to remove a portion of the cybersecurity 
questions from the PCSR workbook, which are covered in a separate ICR, 
1652-0050 Critical Facility Information of the Top 100 Most Critical 
Pipelines. As a result, TSA removed the majority (~ 60) of the 
cybersecurity questions in the PCSR workbook, moving from 210 to 160 
questions, which resulted in a burden reduction to the voluntary 
collection.
    TSA is seeking renewal of this information collection for the 
maximum three-year approval period.
    Number of Respondents: 100 respondents annually.
    Estimated Annual Burden Hours: 20,180 hours.\5\
---------------------------------------------------------------------------

    \5\ In the 60-day notice, TSA reported the annual burden hours 
as 20,220. Since then, TSA has revised the voluntary collection, 
resulting in a reduction in the annual burden hours. TSA estimates 
the total annual burden hours for the collection to be 20,180 hours 
(PCSR-180, Cybersecurity Incident Response Plan-8,000, Annual Plan 
for Cybersecurity Assessment-4,000, Compliance Documentation-8,000). 
In addition, the one-time burden for the development and submission 
to TSA of the owner/operator's Cybersecurity Implementation Plan is 
40,000 hours.

    Dated: December 21, 2022.
Christina A. Walsh,
TSA Paperwork Reduction Act Officer, Information Technology.
[FR Doc. 2022-28175 Filed 12-27-22; 8:45 am]
BILLING CODE 9110-05-P