SUPPLEMENTARY INFORMATION:

Comments Invited

In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.), an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a valid OMB control number. The ICR documentation will be available at https://www.reginfo.gov upon its submission to OMB. Therefore, in preparation for OMB review and approval of the following information collection, TSA is soliciting comments to—

(1) Evaluate whether the proposed information requirement is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;

(2) Evaluate the accuracy of the agency's estimate of the burden;

(3) Enhance the quality, utility, and clarity of the information to be collected; and

(4) Minimize the burden of the collection of information on those who are to respond, including using appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology.

Information Collection Requirement

OMB Control Number 1652-0055; Pipeline Operator Security Information. In addition to TSA's broad responsibility and authority for “security in all modes of transportation . . . including security responsibilities . . . over modes of transportation [,]” see49 U.S.C. 114, TSA is required to issue recommendations for pipeline security measures and conduct inspections to assess implementation of the recommendations. See sec. 1557 of the Implementing Recommendations of the 9/11 Commission Act of 2007, Public Law 110-53 (August 3, 2007). Consistent with these requirements, TSA produced Pipeline Security Guidelines in December 2010 and 2011, with an update published in April 2021. These voluntary guidelines were developed with the assistance of industry and government members of the Pipeline Sector and Government Coordinating Councils, industry association representatives, and other interested parties.

Voluntary Collection. As the lead Federal agency for pipeline security and consistent with its statutory authorities, TSA needs to be notified of all (1) incidents that may indicate a deliberate attempt to disrupt pipeline operations and (2) activities that could be precursors to such an attempt. The Pipeline Security Guidelines encourage pipeline operators to notify the Transportation Security Operations Center via phone or email as soon as possible if incidents occur or if there is other reason to believe that a terrorist incident may be planned or may have occurred. When voluntarily contacting the Transportation Security Operations Center, the Guidelines request pipeline operators to provide as much information about the incident as possible.

Mandatory Collection. In May 2021, TSA issued a Security Directive (SD) series with requirements for owner/operators of hazardous liquid and natural gas pipelines and liquefied natural gas facilities that TSA designated as critical. The SD series included two mandatory information collections:

1. TSA requires all owner/operators subject to the SD's requirements to report actual or potential cybersecurity incidents affecting their information technology and operational technology systems to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery, using the CISA Incident Reporting System. ( print page 90306)

2. The SD series requires critical pipeline owner/operators to appoint cybersecurity coordinator(s) or alternate(s) at the corporate level and to provide contact information for the coordinators to TSA. To ensure that information reported pursuant to the SD series is identifiable within the system, TSA requires these owners/operators to indicate that they are providing the information pursuant to the SD series.

TSA expects voluntary reporting of pipeline security incidents will occur on an irregular basis. TSA estimates that pipeline owner/operators will report approximately 118 incidents annually, requiring an average of 30 minutes (0.50 hour) to collect, review, and submit event information. The total potential burden to the public for this task is estimated to be 59 hours.

Using the CISA Incident Reporting System, TSA expects the mandatory reporting of pipeline cybersecurity incidents to CISA will occur 20 times per year for each covered pipeline owner/operator. TSA estimates that 100 pipeline owner/operators will take approximately 2 hours to gather the appropriate information to submit each incident report. The potential burden to the public for this task is 20 × 100 × 2 hours = 4,000 hours.

TSA estimates that approximately 100 pipeline owner/operators will report their cybersecurity manager and alternate point of contact information. It will take the pipeline owner/operator approximately 30 minutes (0.50 hour) to do so, and the potential burden for this task is 100 × 0.50 hour = 50 hours.

Therefore, the total hour burden to the public for this information collection request is estimated to be 59 hours (Security Incidents) + 4,000 hours (CISA Reporting) + 50 hours (Cyber POC) = 4,109 hours annually.