[Federal Register Volume 89, Number 178 (Friday, September 13, 2024)]
[Notices]
[Pages 74975-74977]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-20828]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

[Docket No. CISA-2024-0023]


Revision of a Currently Approved Information Collection for 
Chemical-Terrorism Vulnerability Information (CVI)

AGENCY: Cybersecurity and Infrastructure Security Agency, DHS.

ACTION: 60-Day notice and request for comments; renewal of Information 
Collection Request (ICR): 1670-0015.

-----------------------------------------------------------------------

SUMMARY: The Infrastructure Security Division (ISD) within the 
Cybersecurity and Infrastructure Security Agency (CISA) will submit the 
following Information Collection Request to the Office of Management 
and Budget (OMB) for review and clearance in accordance with the 
Paperwork Reduction Act of 1995. The submission proposes to renew the 
information collection for an additional three years and to update both 
the burden estimates and the statutory authority for the information 
collection.

DATES: Comments are encouraged and will be accepted until November 12, 
2024.

ADDRESSES: You may send comments, identified by docket number through 
the Federal eRulemaking Portal: http://www.regulations.gov. Follow the 
instructions for sending comments.
    Instructions: All submissions received must include the agency name 
``CISA'' and docket number CISA-2024-0023. All comments received will 
be posted without change to http://www.regulations.gov, including any 
personal information provided. Comments that include trade secrets, 
confidential commercial or financial information, Chemical-terrorism 
Vulnerability Information (CVI),\1\ Sensitive Security Information 
(SSI),\2\ or Protected Critical Infrastructure

[[Page 74976]]

Information (PCII) \3\ should not be submitted to the public docket. 
Comments containing trade secrets, confidential commercial or financial 
information, CVI, SSI, or PCII should be appropriately marked and 
packaged in accordance with applicable requirements and submission must 
be coordinated with the point of contact for this notice provided in 
FOR FURTHER INFORMATION CONTACT section. Comments must be identified by 
docket number CISA-2024-0023.
---------------------------------------------------------------------------

    \1\ For more information about CVI see 6 CFR 27.400 and the CVI 
Procedural Manual at www.dhs.gov/publication/safeguarding-cvi-manual.
    \2\ For more information about SSI see 49 CFR part 1520 and the 
SSI Program web page at www.tsa.gov/for-industry/sensitive-security-information.
    \3\ For more information about PCII see 6 CFR part 29 and the 
PCII Program web page at www.dhs.gov/pcii-program.

FOR FURTHER INFORMATION CONTACT: Annie Hunziker Boyer, 703-603-5000, 
_____________________________________-
[email protected].

SUPPLEMENTARY INFORMATION: The Chemical Facility Anti-Terrorism 
Standards (CFATS) Program identified and regulated the security of 
high-risk chemical facilities using a risk-based approach. Pursuant to 
section 5 of the Protecting and Securing Chemical Facilities from 
Terrorist Attacks Act of 2014 (Pub. L. 113-254, as amended by Pub. L. 
116-150; 6 U.S.C. 621 note), authorization had been granted for CFATS 
until July 27, 2023. Congress did not act to reauthorize the program in 
time and, as such, the authorization expired on July 28, 2023. 
Therefore, regulations written pursuant to CFATS authority are not 
currently active. While regulatory text for the CFATS regulation, 
including information protection requirements, is located in part 27 of 
title 6 of the Code of Federal Regulations (CFR), the text is inactive 
due to the lapse in authority.
    CISA continues to possess and safeguard the information provided to 
CISA under the CFATS program prior to the program's lapse in authority 
on July 28, 2023. CISA also continues to receive requests for these 
government records and has continued to treat any information 
previously designated as CVI prior to the July 28, 2023 lapse 
consistent with the previously established CVI information handling 
protection regime. As a result, prior to granting access to information 
safeguarded as CVI, CISA verifies that the requestor is a CVI 
Authorized User. If that requestor has a need to know but is not a CVI 
Authorized User, CISA will provide the requestor with CVI training. The 
requestor then submits an application to become a CVI Authorized User.
    CISA is authorized to safeguard information provided to CISA under 
CFATS prior to July 28, 2023 under 6 U.S.C. 652(e)(1)(J), which grants 
CISA the authority to safeguard information from unauthorized 
disclosure and to ensure that the information is handled and used only 
for the performance of official duties.\4\
---------------------------------------------------------------------------

    \4\ 6 U.S.C. 652(e)(1)(J): (J) To ensure that any material 
received pursuant to this chapter is protected from unauthorized 
disclosure and handled and used only for the performance of official 
duties.
---------------------------------------------------------------------------

    It is the Administration's position that CFATS should be 
reauthorized. However, even without statutory reauthorization, there is 
both a reason to continue collecting this information (i.e., enabling 
individuals with a need to know but who are not CVI Authorized Users to 
access historical government records safeguarded as CVI) as well as 
existing statutory authority to do so under 6 U.S.C. 652(e)(1)(J). Once 
CFATS is reauthorized, the training and application to become a CVI 
Authorized User will be made accessible to the public.
    The current information collection for the CVI program (IC 1670-
0015) will expire on November 30, 2024.\5\
---------------------------------------------------------------------------

    \5\ The current information collection for CVI (i.e., IC 1670-
0015) may be viewed at https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=202012-1670-001.
---------------------------------------------------------------------------

    CISA proposes three revisions from the previously approved 
collection. Specifically, to renew the information collection for an 
additional three years, increase the loaded average hourly wage rate of 
respondents from $79.75 to $101.87 based on updated BLS wage and 
compensation data, and to cite 6 U.S.C. 652(e)(1)(J) as its statutory 
authority rather than 6 U.S.C. 623.
    This process is conducted in accordance with 5 CFR 1320.8.

CISA'S Methodology in Estimating the Burden for the Chemical-Terrorism 
Vulnerability Information Authorization

Number of Respondents

    The current information collection estimated that 20,000 
respondents submit a request to become a CVI Authorized User Number 
annually. The table below provides the number of respondents over the 
past three years (i.e., Calendar Year (CY) 2020 through CY 2022).

----------------------------------------------------------------------------------------------------------------
                                                                   CY 2020          CY 2021          CY 2022
----------------------------------------------------------------------------------------------------------------
Number of Respondents........................................          11,444           12,931           14,252
----------------------------------------------------------------------------------------------------------------

    Due to past fluctuations and uncertainty regarding the number of 
future respondents, CISA believes that 20,000 continues to be a 
reasonable estimate when CFATS is reauthorized. Therefore, CISA 
proposes to retain the estimated annual number of respondents.\6\
---------------------------------------------------------------------------

    \6\ If the CFATS program is not reauthorized, renewal of this IC 
under the authority of 6 U.S.C. 652(e)(1)(J) for the more limited 
purpose of issuing CVI Authorized User Numbers and allowing 
individuals to become CVI Authorized Users would reduce the 
estimated number of respondents to 150. It is CISA's position that 
CFATS will be reauthorized. Therefore, CISA proposes to retain the 
estimate of 20,000 respondents.
---------------------------------------------------------------------------

Estimated Time per Respondent

    In the current information collection, the estimated time per 
respondent to prepare and submit a CVI Authorization is 0.50 hours (30 
minutes). CISA proposes to retain the estimated time per respondent.

Annual Burden Hours

    The annual burden hours for the CVI Authorization is [0.50 hours x 
20,000 respondents x 1 response per respondent], which equals 10,000 
hours.

Total Capital/Startup Burden Cost

    Prior to the expiration of CFATS' statutory authorization, the 
instrument through which the information was collected electronically 
was a web interface incorporated into CISA's Chemical Security 
Assessment Tool (CSAT). Since the lapse, and until reauthorization, the 
instrument is a PDF form sent via email to respondents. The PDF form is 
filled out by respondents and returned to CISA via email. When the 
CFATS program is reauthorized, a web-enabled interface will be made 
accessible to the public.
    Thus, for the purposes of this notice, CISA continues to assume 
there is no annualized capital or start-up costs incurred by 
respondents for this information collection.

Total Recordkeeping Burden

    There are no recordkeeping burden costs incurred by respondents for 
this information collection.

[[Page 74977]]

Total Annual Burden Cost

    CISA assumes that respondents are generally Site Security Officers 
(SSOs), although other types of respondents may also complete this 
instrument (e.g., State, and local government employees and 
contractors). For the purpose of this notice, CISA maintains this 
assumption. To estimate the total annual burden, CISA multiplied the 
annual burden of 10,000 hours by the loaded average hourly wage rate of 
SSOs of $101.87 per hour.\7\ Therefore, the total annual burden cost 
for the CVI Authorization instrument is $1,018,700 [10,000 total annual 
burden hours x $101.87 per hour].
---------------------------------------------------------------------------

    \7\ The wage used for an SSO equals that of Managers, All (11-
9199), with a load factor of 1.4481 to account for benefits in 
addition to wages https://www.bls.gov/oes/2023/may/oes119199.htm. 
The load factor is estimated by dividing total compensation by total 
wages and salaries for the Management, Professional and Related 
series ($72/$49.72), which can be found at https://www.bls.gov/news.release/ecec.t04.htm.
---------------------------------------------------------------------------

Analysis

    Agency: Department of Homeland Security, Cybersecurity and 
Infrastructure Agency, Infrastructure Security Division.
    Title: CFATS Chemical-Terrorism Vulnerability Information.
    OMB Number: 1670-0015.
    Instrument: Chemical-Terrorism Vulnerability Information Training 
and Authorized User Application.
    Frequency: ``On occasion'' and ``Other''.
    Affected Public: Business or other for-profit.
    Number of Respondents: 20,000 respondents (rounded estimate).
    Estimated Time per Respondent: 0.50 hours.
    Total Burden Hours: 10,000 annual burden hours.
    Total Burden Cost (capital/startup): $0.
    Total Recordkeeping Burden: $0.
    Total Burden Cost: $1,001,275.

Robert J. Costello,
Chief Information Officer, Department of Homeland Security, 
Cybersecurity and Infrastructure Security Agency.
[FR Doc. 2024-20828 Filed 9-12-24; 8:45 am]
BILLING CODE 9111-LF-P