CISA Publishes 60-day Revision ICR for CSAT Collection Tools
CISA published a 60-day information collection request (ICR) notice in tomorrow’s (available on line on Saturday) Federal Register (87 FR 79337-79341) for “Request To Revise and Extend the Chemical Security Assessment Tool (CSAT) Information Collection Under the Paperwork Reduction Act”. The revisions are designed to update the burden estimate based upon the average submission data for the six covered information collections for that last three program years. There are no major program changes discussed in this ICR.
The covered information collections are:
Security Vulnerability Assessment (SVA) & Alternative Security Program (ASP) Submitted in Lieu of an SVA,
Site Security Plan (SSP) & Alternative Security Program (ASP) Submitted in Lieu of an SSP,
Identification of Additional Facilities and Assets at Risk
Note: In the discussion’s below, the ‘current data’ comes from the Supporting Statement included in the current ICR file.
Top Screen
The table below outlines the differences between the current and proposed burden data for the Top Screen collection.
In the discussion, CISA notes that over the last three program years they have had an annual average of 887 ‘first-time’ Top Screens submitted. This reflects changes in the chemical manufacturing sector (new product development at some facilities and newly constructed facilities) and the ongoing outreach program being conducted by CISA’s Office of Chemical Security (OCS) that oversees the CFATS program.
SVA/ASP
The table below outlines the differences between the current and proposed burden data for the SVA/ASP collection.
In the discussion, CISA notes that the respondents data includes 209 first-time SVA/ASP submissions. This would indicate that about 24% of facilities submitting first-time Top Screen submissions are being classified as being at ‘high-risk of terrorist attack’ by the risk assessment process being used by CISA. This has kept fairly constant over the years.
SSP/ASP
The table below outlines the differences between the current and proposed burden data for the SSP/ASP collection.
For this collection, CISA does announce that they intend to make a change to the SSP collection tool to “to collect facility internet Protocol (IP) address(es) and Domain Name System (DNS) information.” In addition to supporting the assessment of the Site Security Plan they note that:
“CISA may potentially use this information to integrate with other data within the U.S. Government, conduct related analysis, and provide warnings about cyber threats affecting chemical facilities. CISA expects that answering these questions will not meaningfully increase the estimated SSP/ASP completion time.”
It will be interesting to see if CISA implements this as a simple change in the SSP manual and tool, or if they will engage in the public notice and comment process. DHS has used both techniques in the past, going with the notice and comment process when there seems to be industry concerns. This ICR would be a good way of determining if there were such concerns. If no comments are received on this issue in the ICR process, I suspect that CISA would just move forward with a simple administrative change as this is not a major change in the data collection process.
Help Desk
The table below outlines the differences between the current and proposed burden data for the Help Desk collection.
User Registration
The table below outlines the differences between the current and proposed burden data for the User Registration collection.
Identification of Additional Facilities
The table below outlines the differences between the current and proposed burden data for the Identification of Additional Facilities and Assets at Risk collection.
This is really the odd-man out collection in this ICR. Instead of being collected on-line in either the CSAT tool or the CFATS Knowledge Center (for at least some of the Help Desk collections), this information is collected by Chemical Security Inspectors during site visits. CSI collect that ‘identification of additional facilities’ information during compliance inspections when they ask facilities that ship DHS Chemicals of Interest to provide (voluntarily) a list of customers to which they make such shipments. This helps OCS identify chemical facilities that might not be aware of their responsibility for reporting COI inventory on Top Screens.
The second portion of the collection includes obtaining additional information about critical industrial control systems identified in the facility’s site security plan, information that is not collected as part of the SSP documentation. There is a full discussion about this in the 30-day ICR publication for the existing version of the ICR. This information is collected by CSI during any visit to a covered facility and is maintained in the individual facility case file.
It is interesting that that discussion reports that OCS, which had already been collecting the ‘additional facilities’ information, that they had received voluntary information in support of that collection from just 15 of the 845 facilities that had been requested to provide the information. Based on the collected information from those 15 facilities, CISA noted that:
“CISA received information on 172 facilities that had not previously submitted Top-Screens. CISA is currently working with those facilities to determine if they are required to submit a Top-Screen.”
This seems to be a worthwhile use of CSI time during compliance inspections.
Soliciting Comments
CISA is soliciting comments on this ICR revision. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # CISA-2022-0018). Comments should be submitted by February 27th, 2023.