87 FR 248 pgs. 79899-79900 - Revision of Agency Information Collection Activity Under OMB Review: Pipeline Corporate Security Reviews and Security Directives

Type: NOTICEVolume: 87Number: 248Pages: 79899 - 79900
FR document: [FR Doc. 2022-28175 Filed 12-27-22; 8:45 am]
Agency: Homeland Security Department
Sub Agency: Transportation Security Administration
Official PDF Version:  PDF Version
Pages: 79899, 79900

[top] page 79899

DEPARTMENT OF HOMELAND SECURITY

Transportation Security Administration

Revision of Agency Information Collection Activity Under OMB Review: Pipeline Corporate Security Reviews and Security Directives

AGENCY:

Transportation Security Administration, DHS.

ACTION:

30-day notice.

SUMMARY:

This notice announces that the Transportation Security Administration (TSA) has forwarded the Information Collection Request (ICR), Office of Management and Budget (OMB) control number 1652-0056, abstracted below, to OMB for review and approval of a revision of the currently approved collection under the Paperwork Reduction Act (PRA). The ICR describes the nature of the information collection and its expected burden. This collection combines TSA's voluntary Pipeline Corporate Security Review (PCSR) program with the mandatory requirements under the TSA Security Directive (SD) Pipeline-2021-02 series. The collection allows TSA to assess the current security practices in the pipeline industry through TSA's PCSR program, which is part of the larger domain awareness, prevention, and protection program supporting TSA's and the Department of Homeland Security's missions. The collection also allows for the continued institution of mandatory cybersecurity requirements under the TSA SD Pipeline-2021-02 series. The updated ICR reflects changes to collection requirements based on TSA's update to the SD Pipline-2021-02 series, released on July 21, 2022.

DATES:

Send your comments by January 27, 2023. A comment to OMB is most effective if OMB receives it within 30 days of publication.

ADDRESSES:

Written comments and recommendations for the proposed information collection should be sent within 30 days of publication of this notice to www.reginfo.gov/public/do/PRAMain. Find this particular information collection by selecting "Currently under Review-Open for Public Comments" and by using the find function.

FOR FURTHER INFORMATION CONTACT:

Christina A. Walsh, TSA PRA Officer, Information Technology (IT), TSA-11, Transportation Security Administration, 6595 Springfield Center Drive, Springfield, VA 20598-6011; telephone (571) 227-2062; email TSAPRA@tsa.dhs.gov.

SUPPLEMENTARY INFORMATION:

TSA published a Federal Register notice, with a 60-day comment period soliciting comments, of the following collection of information on October 3, 2022, 87 FR 59816.

This collection is separate from those associated with the requirements of TSA SD Pipeline 2021-01. 1

Footnotes:

1 ?There are three information collection requirements associated with TSA Security Directive Pipeline 2021-01. OMB control number 1652-0055 addresses two of them and OMB control number 1652-0050 addresses the third.

Comments Invited

In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq. ), an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a valid OMB control number. The ICR documentation will be available at http://www.reginfo.gov upon its submission to OMB. Therefore, in preparation for OMB review and approval of the following information collection, TSA is soliciting comments to-

(1) Evaluate whether the proposed information requirement is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;

(2) Evaluate the accuracy of the agency's estimate of the burden;

(3) Enhance the quality, utility, and clarity of the information to be collected; and

(4) Minimize the burden of the collection of information on those who are to respond, including using appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology.

Information Collection Requirement

Title: Pipeline Corporate Security Reviews (PCSR) Security Directives.

Type of Request: Revision of a currently approved collection.

OMB Control Number: 1652-0056.

Forms(s): Pipeline Corporate Security Review (PCSR) Protocol Form and documents submitted to TSA pursuant to the requirements in the Security Directive.

Affected Public: Hazardous Liquids and Natural Gas Pipeline Industry.


[top] Abstract: Under the Aviation and Transportation Security Act? 2 and delegated authority from the Secretary of Homeland Security, TSA has broad responsibility and authority for "security in all modes of transportation . . . including security responsibilities . . . over modes of transportation that are exercised by the Department of Transportation."? 3 Congress' specific recognition of TSA's responsibility for pipeline security is reflected in Sec. 1557 of the Implementing Recommendations of the 9/11 Commission Act of 2007, Public Law 110-53 (121 Stat. 266; Aug. 3, 2007). In addition, TSA has statutory authority to issue security directives (SDs) as necessary to protect transportation page 79900 security and critical infrastructure. See 49 U.S.C. 114( l )(2).

Footnotes:

2 ?Public Law 107-71 (115 Stat. 597; Nov. 19, 2001), codified at 49 U.S.C. 114.

3 ? See 49 U.S.C. 114(d). The TSA Administrator's current authorities under the Aviation and Transportation Security Act have been delegated to him by the Secretary of Homeland Security. Section 403(2) of the Homeland Security Act (HSA) of 2002, Public Law 107-296 (116 Stat. 2135, Nov. 25, 2002), transferred all functions of TSA, including those of the Secretary of Transportation and the Under Secretary of Transportation of Security related to TSA, to the Secretary of Homeland Security. Pursuant to DHS Delegation Number 7060.2, the Secretary delegated to the Administrator of TSA, subject to the Secretary's guidance and control, the authority vested in the Secretary with respect to TSA, including that in section 403(2) of the HSA.

TSA has historically assessed industry security practices through its PCSR program. 4 The PCSR is a voluntary, face-to-face visit with a pipeline owner/operator during which TSA discusses an owner/operator's corporate security planning and the entries made by the owner/operator on the PCSR Form. The PCSR Form includes 150 questions concerning the owner/operator's corporate level security planning, covering security topics such as physical security, vulnerability assessments, training, and emergency communications. TSA uses the information collected during the PCSR process to determine baseline security standards, potential areas of security vulnerability, and industry "smart" practices throughout the pipeline mode. While the PCSR collection supports security plans and processes, TSA has issued the security directives with mandatory requirements in order to mitigate specific security concerns posed by current threats to national security.

Footnotes:

4 ? See section 1557 of Public Law 110-53 (121 Stat. 266; Aug. 3, 2007) as codified at 6 U.S.C. 1207.

Establishing Compliance With Mandatory Requirements in the TSA SD Pipeline-2021-02 Series; Information Collection Requirements (Emergency Revision)

On July 15, 2021, OMB approved TSA's requests for an emergency revision of this information collection, allowing for the institution of mandatory requirements issued in TSA SD Pipeline-2021-02 on July 19, 2021. See ICR Reference Number: 202107-1652-002. This SD mandated that critical pipeline owner/operators take the following actions: (1) Implement critically important mitigation measures to reduce the risk of compromise from a cyberattack; (2) develop and maintain an up-to-date Cybersecurity Contingency/Response Plan; and (3) test the effectiveness of the operator's cybersecurity practices through an annual cybersecurity architecture design review. Subsequently, on July 26, 2022, OMB approved TSA's request to extend the information collection. See ICR Reference Number: 202111-1652-001. On December 10, 2021, and December 17, 2021, TSA revised the SD Pipeline-2021-02 series. These updates did not affect the information collection requirements.

On July 21, 2022, TSA issued a substantive revision to the series, SD Pipeline 2021-02C. This revision provides owner/operators with more flexibility to meet the intended security outcomes while ensuring sustainment of the cybersecurity enhancements accomplished through this SD series. Overall, SD Pipeline-2021-02C changed the cybersecurity requirements from a prescriptive approach to a performance-based approach focused on certain security outcomes. The revision also clarified that the requirements apply to Critical Cyber Systems, as defined in the SD, and changed cybersecurity assessment requirements.

On July 29, 2022, OMB approved TSA's requests for the emergency revision of this information collection, allowing for the implementation of the revisions in SD Pipeline-2021-02C. See ICR Reference Number: 202207-1652-001.

SD Pipeline 2021-02C requires identified owner/operators to meet three general requirements: (1) Establish and implement a TSA-approved Cybersecurity Implementation Plan; (2) develop and maintain an up-to-date Cybersecurity Incident Response Plan; and (3) establish a Cybersecurity Assessment Program and submit an annual plan. In addition, owner/operators must make records to establish compliance with the SD available to TSA upon request for inspection and/or copying.

Submissions by pipeline owner/operators in compliance with the voluntary PCSR or the mandatory SD Pipeline-2021-02 series requirements are deemed Sensitive Security Information (SSI) and are protected in accordance with procedures meeting the transmission, handling, and storage requirements of SSI in 49 CFR part 1520.

Revision of the Collection

TSA is changing the name of OMB control number 1652-0056 from "Pipeline Corporate Security Review (PCSR)" to "Pipeline Corporate Security Reviews (PCSR) and Security Directives" to more accurately represent the information collection. TSA is also revising the information collection to remove a portion of the cybersecurity questions from the PCSR workbook, which are covered in a separate ICR, 1652-0050 Critical Facility Information of the Top 100 Most Critical Pipelines. As a result, TSA removed the majority (~ 60) of the cybersecurity questions in the PCSR workbook, moving from 210 to 160 questions, which resulted in a burden reduction to the voluntary collection.

TSA is seeking renewal of this information collection for the maximum three-year approval period.

Number of Respondents: 100 respondents annually.

Estimated Annual Burden Hours: 20,180 hours. 5

Footnotes:

5 ?In the 60-day notice, TSA reported the annual burden hours as 20,220. Since then, TSA has revised the voluntary collection, resulting in a reduction in the annual burden hours. TSA estimates the total annual burden hours for the collection to be 20,180 hours (PCSR-180, Cybersecurity Incident Response Plan-8,000, Annual Plan for Cybersecurity Assessment-4,000, Compliance Documentation-8,000). In addition, the one-time burden for the development and submission to TSA of the owner/operator's Cybersecurity Implementation Plan is 40,000 hours.

Dated: December 21, 2022.

Christina A. Walsh,

TSA Paperwork Reduction Act Officer, Information Technology.

[FR Doc. 2022-28175 Filed 12-27-22; 8:45 am]

BILLING CODE 9110-05-P