Today the Transportation Security Administration published a
60-day information collection request revision notice in the Federal Register (86
FR 18291-18292) for their “Critical Facility Information of the Top 100 Most
Critical Pipelines” program. The revision is necessitated by changes being made
to the Critical Facility Security Review (CFSR) Form and the resulting changes
to the burden estimate for this ICR.
According to the Notice:
“TSA is revising the information
collection to align the CFSR question set with the revised Pipeline Security
Guidelines, and to capture additional criticality criteria. As a result, the
question set has been edited by removing, adding and rewriting several
questions, to meet the
Pipeline Security Guidelines [link added] and criticality needs. Further,
TSA is moving the collection instrument from a PDF format to an Excel Workbook
The table below shows the current
burden estimate and the revised estimate provided in this Notice.
NOTE: There is an apparent typo in the Notice's burden estimate calculations;
80 x 2 x 3 = 480 not 4800.
The TSA is soliciting public comments on this ICR revision. The
TSA is not using the Federal eRulemaking Portal to receive comments on this
ICR. Instead, respondents are asked to email their comments to TSAPRA@dhs.gov.
Failure by the TSA to use the public commenting option
ensures that the TSA has control of what public responses will be shown to the OMB
when this revision is submitted.
Long-time readers of this blog will undoubtedly be aware
that I have had many concerns about TSA ICR notices over the years. This notice
is another example of TSA’s unwillingness or incapability to provide adequate
information in the notice to allow for commenters to provide effective feedback
on the required questions
about the efficacy of this ICR. The public cannot assess the accuracy of the
TSA’s burden estimate because we have no way of knowing what changes have been
made to the Critical Facility Security Review.
The paperwork that the TSA submitted to OMB’s Office of Information
and Regulatory Affairs when this ICR was last updated (in 2017) included a copy
of the CFSR [.DOCX download link], but access to that form was never
provided to the public in either the 60-day or 30-day ICR notice. Furthermore,
TSA provides a cost estimate for the burden when they submit the ICR to OIRA
but does not publish that estimate in their notices to allow for public
Okay, enough ranting; substantive comments now. The current CFSR
does not include any questions about cybersecurity for these critical pipeline
facilities. I would presume that this is because the earlier version of the
Pipeline Security Guidelines that was being used when that CFSR was submitted
to OIRA did not mention cybersecurity. The current version of the Guidelines,
however, does include an extensive listing (see pages 16 thru 21) of baseline
and enhanced cybersecurity measures that are recommended by TSA. If the new
CFSR reflects these cybersecurity guidelines with additional questions, then
there should be a substantial increase in the number of questions on the CFSR
and a concomitant increase in the time necessary to complete the CFSR. That is
not reflected in the burden estimate.
Further, TSA does not explain the change in the number of
expected responses from 180 to 160.
TSA needs to address these issues when they publish their
30-day ICR notice later this year.
I will be submitting a copy of this blog post to the TSA as
a comment on this ICR notice.