AGENCY:

Transportation Security Administration, DHS.

ACTION:

60-Day notice.

SUMMARY:

The Transportation Security Administration (TSA) invites public comment on one currently-approved Information Collection Request (ICR), Office of Management and Budget (OMB) control number 1652-0056, abstracted below, that we will submit to OMB for an extension in compliance with the Paperwork Reduction Act (PRA). On July 15, 2021, OMB approved TSA's request for an emergency revision of this collection to address the ongoing cybersecurity threat to pipeline systems and associated infrastructure. TSA is now seeking to renew the collection, which expires on January 31, 2022, with incorporation of the subject of the emergency revision. The ICR describes the nature of the information collection and its expected burden. The collection allows TSA to assess the current security practices in the pipeline industry through TSA's Pipeline Corporate Security Review (PCSR) program. The PCSR program is part of the larger domain awareness, prevention, and protection program supporting TSA's and the Department of Homeland Security's missions.

DATES:

Send your comments by October 26, 2021.

ADDRESSES:

Comments may be emailed to TSAPRA@tsa.dhs.gov or delivered to the TSA PRA Officer, Information Technology (IT), TSA-11, Transportation Security Administration, 6595 Springfield Center Drive, Springfield, VA 20598-6011.

FOR FURTHER INFORMATION CONTACT:

Christina A. Walsh at the above address, or by telephone (571) 227-2062.

SUPPLEMENTARY INFORMATION:

Comments Invited

In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.), an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a valid OMB control number. The ICR documentation will be available at http://www.reginfo.gov upon its submission to OMB. Therefore, in preparation for OMB review and approval of the following information collection, TSA is soliciting comments to—

(1) Evaluate whether the proposed information requirement is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;

(2) Evaluate the accuracy of the agency's estimate of the burden;

(3) Enhance the quality, utility, and clarity of the information to be collected; and

(4) Minimize the burden of the collection of information on those who are to respond, including using appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology.

Information Collection Requirement

OMB Control Number 1652-0056; Pipeline Corporate Security Review (PCSR) Program. Under the Aviation and Transportation Security Act ^[1] and delegated authority from the Secretary of Homeland Security, TSA has broad responsibility and authority for “security in all modes of transportation . . . including security responsibilities . . . over modes of transportation that are exercised by the Department of Transportation.” ^[2] TSA is specifically empowered to assess threats to transportation; ^[3] develop policies, strategies, and plans for dealing with threats to transportation; ^[4] oversee the implementation and adequacy of security measures at transportation facilities; ^[5] and carry out other appropriate duties relating to transportation security.^[6] The Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Act) included a specific requirement for TSA to conduct assessments of critical pipeline facilities.^[7]

Assessing Voluntary Implementation of Recommendations

Consistent with these authorities and requirements, TSA developed the PCSR program to assess the current security practices in the pipeline industry, with a focus on the physical and cyber security of pipelines and the crude oil and petroleum products, such as gasoline, diesel, jet fuel, home heating oil, and natural gas, moving through the system infrastructure. PCSRs are voluntary, face-to-face visits, usually at the headquarters facility of the pipeline owner/operator. Typically, TSA sends one to three employees to conduct a seven to eight hour interview with representatives from the owner/operator. The TSA representatives analyze the owner/operator's security plan and policies and compare their practices with recommendations in TSA's Pipeline Security Guidelines.

During the PCSR assessment, the PCSR program subject matter experts:

• Meet with senior corporate officers and security managers.
• Develop knowledge of security planning at critical pipeline infrastructure sites.
• Establish and maintain a working relationship with key security staff who operate critical pipeline infrastructure.
• Identify industry smart practices and lessons learned.
• Maintain a dynamic modal network through effective communications with Start Printed Page 48240the pipeline industry and government stakeholders.

Through this engagement, TSA is also able to establish and maintain productive working relationships with key pipeline security personnel. This engagement and access to pipeline facilities also enables TSA to identify and share smart security practices observed at one facility to help enhance and improve the security of the pipeline industry. As a result, participation in the voluntary PCSR program enhances pipeline security at both specific facilities and across the industry.

TSA has developed a Question Set to aid in the conducting of PCSRs. The PCSR Question Set structures the TSA-owner/operator discussion and is the central data source for the security information TSA collects. TSA developed the PCSR Question Set based on input from government and industry stakeholders on how best to obtain relevant information from a pipeline owner/operator about its security plan and processes. The questions are designed to examine the company's current state of security, as well as to address measures that are applied if there is a change in the National Terrorism Advisory System. The PCSR Question Set also includes sections for facility site visits and owner/operator contact information. By asking questions related to specific topics (such as security program management, vulnerability assessments, components of the security plan, security training, and emergency communications), TSA is able to assess the strength of owner/operator's physical security, cyber security, emergency communication capabilities, and security training.

This PCSR information collection provides TSA with real-time information on a company's security posture. The relationships these face-to-face contacts foster are critical to the Federal government's ability to reach out to the pipeline stakeholders affected by the PCSRs. In addition, TSA follows up via email with owner/operators on specific recommendations made by TSA during the PCSR.

When combined with information from other companies across the sector, TSA can identify and develop recommended smart practices and security recommendations for the pipeline mode. This information allows TSA to adapt programs to the changing security threat, while incorporating an understanding of the improvements owners/operators make in their security measures. Without this information, the ability of TSA to perform its security mission would be severely hindered.

Establishing Compliance With Mandatory Requirements (Emergency Revision)

While the above listed collections are voluntary, on July 15, 2021, OMB approved TSA's request for an emergency revision of this information collection, allowing for the institution of mandatory requirements. See ICR Reference Number: 202107-1652-002. TSA is now seeking renewal of this information collection for the maximum three-year approval period.

The revision was necessary as a result of actions TSA took to address the ongoing cybersecurity threat to pipeline systems and associated infrastructure. On July 19, 2021, TSA issued a Security Directive (SD) applicable to owners/operators of critical hazardous liquid and natural pipelines and liquefied natural gas facilities.^[8] These owners/operators are required to develop and adopt a Cybersecurity Contingency/Response Plan to ensure the resiliency of their operations in the event of a cybersecurity attack. Owners/operators must provide evidence of compliance to TSA upon request. In addition, owner/operators are required to have a third-party complete an evaluation of their industrial control system design and architecture to identify previously unrecognized vulnerabilities. This evaluation must include a written report detailing the results of the evaluation and the acceptance or rejection of any recommendations provided by the evaluator to address vulnerabilities. This written report must be made available to TSA upon request and retained for no less than 2 years from the date of completion. Finally, within 7 days of each deadline set forth in the SD, owner/operators must ensure that their Cybersecurity Coordinator or other accountable executive submits a statement to TSA via email certifying that the owner/operator has met the requirements of the SD. For convenience, TSA will provide an optional form (TSA Security Directive Pipeline 2021-02 Statement of Completion) for each submission deadline that owner/operators can complete and submit via email. This form is Sensitive Security Information (SSI) and will only be shared with the owner/operators and others with the need to know. TSA requires that certifications be made in a timely way. Documentation of compliance must be provided upon request.

Portions of PCSR responses that are deemed SSI are protected in accordance with procedures meeting the transmission, handling, and storage requirements of SSI set forth in parts 15 and 1520 of title 49, Code of Federal Regulations (CFR). Information developed and submitted pursuant to TSA's SD is also SSI.

The annual hour burden for the voluntary information collection is estimated to be 220 hours based upon 20 PCSR visits per year, each lasting a total of eight hours and the follow-up regarding security recommendations, lasting up to three hours, ((20 × 8 = 160 hours) + (20 × 3 = 60 hours) = 220 hours).

For the mandatory information collection, TSA estimates a total of 97 owner/operators will provide the responses for the Cybersecurity Contingency/Response Plan; Third-Party Evaluation; and Certification of Completion. TSA estimates the total annual burden hours for the mandatory collection to be 12,610 hours.

TSA estimates that it will take approximately 80 hours to complete the response for the Cybersecurity Contingency/Response Plan, totaling 7,760 hours (97 respondents × 80 hours = 7,760 hours). In addition, TSA estimates that it will require approximately 42 hours to complete the Third-Party Evaluation, totaling 4,074 hours (97 respondents × 42 hours = 4,074 hours). Finally, TSA estimates that it will take eight (8) hours to complete the Certification of completion of SD requirements, totaling 776 hours (97 respondents × 8 hours = 776 hours). Thus, the total annual burden hours for the mandatory collection is 12,610 hours (7,760 + 4,074 + 776 = 12,610).

TSA estimates the total respondents for the information collection is 97 and the combined annual burden hours for the voluntary and mandatory collections are 12,830 hours (220 + 7,760 + 4,074 + 776 = 12,830).

Footnotes