[Federal Register Volume 87, Number 248 (Wednesday, December 28, 2022)]
[Notices]
[Pages 79899-79900]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-28175]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
Transportation Security Administration
Revision of Agency Information Collection Activity Under OMB
Review: Pipeline Corporate Security Reviews and Security Directives
AGENCY: Transportation Security Administration, DHS.
ACTION: 30-day notice.
-----------------------------------------------------------------------
SUMMARY: This notice announces that the Transportation Security
Administration (TSA) has forwarded the Information Collection Request
(ICR), Office of Management and Budget (OMB) control number 1652-0056,
abstracted below, to OMB for review and approval of a revision of the
currently approved collection under the Paperwork Reduction Act (PRA).
The ICR describes the nature of the information collection and its
expected burden. This collection combines TSA's voluntary Pipeline
Corporate Security Review (PCSR) program with the mandatory
requirements under the TSA Security Directive (SD) Pipeline-2021-02
series. The collection allows TSA to assess the current security
practices in the pipeline industry through TSA's PCSR program, which is
part of the larger domain awareness, prevention, and protection program
supporting TSA's and the Department of Homeland Security's missions.
The collection also allows for the continued institution of mandatory
cybersecurity requirements under the TSA SD Pipeline-2021-02 series.
The updated ICR reflects changes to collection requirements based on
TSA's update to the SD Pipline-2021-02 series, released on July 21,
2022.
DATES: Send your comments by January 27, 2023. A comment to OMB is most
effective if OMB receives it within 30 days of publication.
ADDRESSES: Written comments and recommendations for the proposed
information collection should be sent within 30 days of publication of
this notice to www.reginfo.gov/public/do/PRAMain. Find this particular
information collection by selecting ``Currently under Review--Open for
Public Comments'' and by using the find function.
FOR FURTHER INFORMATION CONTACT: Christina A. Walsh, TSA PRA Officer,
Information Technology (IT), TSA-11, Transportation Security
Administration, 6595 Springfield Center Drive, Springfield, VA 20598-
6011; telephone (571) 227-2062; email [email protected].
SUPPLEMENTARY INFORMATION: TSA published a Federal Register notice,
with a 60-day comment period soliciting comments, of the following
collection of information on October 3, 2022, 87 FR 59816.
This collection is separate from those associated with the
requirements of TSA SD Pipeline 2021-01.\1\
---------------------------------------------------------------------------
\1\ There are three information collection requirements
associated with TSA Security Directive Pipeline 2021-01. OMB control
number 1652-0055 addresses two of them and OMB control number 1652-
0050 addresses the third.
---------------------------------------------------------------------------
Comments Invited
In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C.
3501 et seq.), an agency may not conduct or sponsor, and a person is
not required to respond to, a collection of information unless it
displays a valid OMB control number. The ICR documentation will be
available at http://www.reginfo.gov upon its submission to OMB.
Therefore, in preparation for OMB review and approval of the following
information collection, TSA is soliciting comments to--
(1) Evaluate whether the proposed information requirement is
necessary for the proper performance of the functions of the agency,
including whether the information will have practical utility;
(2) Evaluate the accuracy of the agency's estimate of the burden;
(3) Enhance the quality, utility, and clarity of the information to
be collected; and
(4) Minimize the burden of the collection of information on those
who are to respond, including using appropriate automated, electronic,
mechanical, or other technological collection techniques or other forms
of information technology.
Information Collection Requirement
Title: Pipeline Corporate Security Reviews (PCSR) Security
Directives.
Type of Request: Revision of a currently approved collection.
OMB Control Number: 1652-0056.
Forms(s): Pipeline Corporate Security Review (PCSR) Protocol Form
and documents submitted to TSA pursuant to the requirements in the
Security Directive.
Affected Public: Hazardous Liquids and Natural Gas Pipeline
Industry.
Abstract: Under the Aviation and Transportation Security Act \2\
and delegated authority from the Secretary of Homeland Security, TSA
has broad responsibility and authority for ``security in all modes of
transportation . . . including security responsibilities . . . over
modes of transportation that are exercised by the Department of
Transportation.'' \3\ Congress' specific recognition of TSA's
responsibility for pipeline security is reflected in Sec. 1557 of the
Implementing Recommendations of the 9/11 Commission Act of 2007, Public
Law 110-53 (121 Stat. 266; Aug. 3, 2007). In addition, TSA has
statutory authority to issue security directives (SDs) as necessary to
protect transportation
[[Page 79900]]
security and critical infrastructure. See 49 U.S.C. 114(l)(2).
---------------------------------------------------------------------------
\2\ Public Law 107-71 (115 Stat. 597; Nov. 19, 2001), codified
at 49 U.S.C. 114.
\3\ See 49 U.S.C. 114(d). The TSA Administrator's current
authorities under the Aviation and Transportation Security Act have
been delegated to him by the Secretary of Homeland Security. Section
403(2) of the Homeland Security Act (HSA) of 2002, Public Law 107-
296 (116 Stat. 2135, Nov. 25, 2002), transferred all functions of
TSA, including those of the Secretary of Transportation and the
Under Secretary of Transportation of Security related to TSA, to the
Secretary of Homeland Security. Pursuant to DHS Delegation Number
7060.2, the Secretary delegated to the Administrator of TSA, subject
to the Secretary's guidance and control, the authority vested in the
Secretary with respect to TSA, including that in section 403(2) of
the HSA.
---------------------------------------------------------------------------
TSA has historically assessed industry security practices through
its PCSR program.\4\ The PCSR is a voluntary, face-to-face visit with a
pipeline owner/operator during which TSA discusses an owner/operator's
corporate security planning and the entries made by the owner/operator
on the PCSR Form. The PCSR Form includes 150 questions concerning the
owner/operator's corporate level security planning, covering security
topics such as physical security, vulnerability assessments, training,
and emergency communications. TSA uses the information collected during
the PCSR process to determine baseline security standards, potential
areas of security vulnerability, and industry ``smart'' practices
throughout the pipeline mode. While the PCSR collection supports
security plans and processes, TSA has issued the security directives
with mandatory requirements in order to mitigate specific security
concerns posed by current threats to national security.
---------------------------------------------------------------------------
\4\ See section 1557 of Public Law 110-53 (121 Stat. 266; Aug.
3, 2007) as codified at 6 U.S.C. 1207.
---------------------------------------------------------------------------
Establishing Compliance With Mandatory Requirements in the TSA SD
Pipeline-2021-02 Series; Information Collection Requirements (Emergency
Revision)
On July 15, 2021, OMB approved TSA's requests for an emergency
revision of this information collection, allowing for the institution
of mandatory requirements issued in TSA SD Pipeline-2021-02 on July 19,
2021. See ICR Reference Number: 202107-1652-002. This SD mandated that
critical pipeline owner/operators take the following actions: (1)
Implement critically important mitigation measures to reduce the risk
of compromise from a cyberattack; (2) develop and maintain an up-to-
date Cybersecurity Contingency/Response Plan; and (3) test the
effectiveness of the operator's cybersecurity practices through an
annual cybersecurity architecture design review. Subsequently, on July
26, 2022, OMB approved TSA's request to extend the information
collection. See ICR Reference Number: 202111-1652-001. On December 10,
2021, and December 17, 2021, TSA revised the SD Pipeline-2021-02
series. These updates did not affect the information collection
requirements.
On July 21, 2022, TSA issued a substantive revision to the series,
SD Pipeline 2021-02C. This revision provides owner/operators with more
flexibility to meet the intended security outcomes while ensuring
sustainment of the cybersecurity enhancements accomplished through this
SD series. Overall, SD Pipeline-2021-02C changed the cybersecurity
requirements from a prescriptive approach to a performance-based
approach focused on certain security outcomes. The revision also
clarified that the requirements apply to Critical Cyber Systems, as
defined in the SD, and changed cybersecurity assessment requirements.
On July 29, 2022, OMB approved TSA's requests for the emergency
revision of this information collection, allowing for the
implementation of the revisions in SD Pipeline-2021-02C. See ICR
Reference Number: 202207-1652-001.
SD Pipeline 2021-02C requires identified owner/operators to meet
three general requirements: (1) Establish and implement a TSA-approved
Cybersecurity Implementation Plan; (2) develop and maintain an up-to-
date Cybersecurity Incident Response Plan; and (3) establish a
Cybersecurity Assessment Program and submit an annual plan. In
addition, owner/operators must make records to establish compliance
with the SD available to TSA upon request for inspection and/or
copying.
Submissions by pipeline owner/operators in compliance with the
voluntary PCSR or the mandatory SD Pipeline-2021-02 series requirements
are deemed Sensitive Security Information (SSI) and are protected in
accordance with procedures meeting the transmission, handling, and
storage requirements of SSI in 49 CFR part 1520.
Revision of the Collection
TSA is changing the name of OMB control number 1652-0056 from
``Pipeline Corporate Security Review (PCSR)'' to ``Pipeline Corporate
Security Reviews (PCSR) and Security Directives'' to more accurately
represent the information collection. TSA is also revising the
information collection to remove a portion of the cybersecurity
questions from the PCSR workbook, which are covered in a separate ICR,
1652-0050 Critical Facility Information of the Top 100 Most Critical
Pipelines. As a result, TSA removed the majority (~ 60) of the
cybersecurity questions in the PCSR workbook, moving from 210 to 160
questions, which resulted in a burden reduction to the voluntary
collection.
TSA is seeking renewal of this information collection for the
maximum three-year approval period.
Number of Respondents: 100 respondents annually.
Estimated Annual Burden Hours: 20,180 hours.\5\
---------------------------------------------------------------------------
\5\ In the 60-day notice, TSA reported the annual burden hours
as 20,220. Since then, TSA has revised the voluntary collection,
resulting in a reduction in the annual burden hours. TSA estimates
the total annual burden hours for the collection to be 20,180 hours
(PCSR-180, Cybersecurity Incident Response Plan-8,000, Annual Plan
for Cybersecurity Assessment-4,000, Compliance Documentation-8,000).
In addition, the one-time burden for the development and submission
to TSA of the owner/operator's Cybersecurity Implementation Plan is
40,000 hours.
Dated: December 21, 2022.
Christina A. Walsh,
TSA Paperwork Reduction Act Officer, Information Technology.
[FR Doc. 2022-28175 Filed 12-27-22; 8:45 am]
BILLING CODE 9110-05-P