TSA plans to request extension from OMB over public information collection of its PCSR program


The Transportation Security Administration (TSA) published a notice on Monday of its intent to request an extension from the Office of Management and Budget (OMB) of a current public information collection on its pipeline corporate security review (PCSR) program. The TSA is now seeking to renew the collection, which expires on Jan. 31 next year, for the maximum three-year approval period, incorporating the subject of the emergency revision.

The Information Collection Request (ICR) describes the nature of the information collection and its expected burden. The information collected allows TSA to assess the current security practices in the pipeline industry through TSA’s PCSR program. It also allows for the continued institution of mandatory cybersecurity requirements under the TSA Security Directive (SD) Pipeline 2021-02 series. The PCSR program is part of the larger domain awareness, prevention, and protection program supporting the missions of TSA and the Department of Homeland Security.

The updated ICR reflects changes to collection requirements based on TSA’s update to the TSA SD 2021-02 series, released in July, the TSA notice published in the Federal Register added.

The transport agency has provided a 60-day notice period and invites comments by Dec. 2. In line with the Paperwork Reduction Act of 1995, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a valid OMB control number. The ICR documentation will be available online upon submission to the OMB, the notice added.  

In preparation for OMB review and approval of the information collection, TSA is soliciting comments to evaluate whether the proposed information requirement is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility, and assess the accuracy of the agency’s estimate of the burden. 

Furthermore, the move will enhance the quality, utility, and clarity of the information to be collected and minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology.

The TSA developed the PCSR program to assess the pipeline industry’s current security practices, focusing on the physical and cyber security of pipelines and crude oil and petroleum products moving through the system infrastructure. “In addition, TSA issued SD 2021-02 in July 2021 and revised the information collection requirements based on the mandatory requirements in SD 2021-02. This ICR was approved by OMB on July 15, 2021,” the notice added. 

The PCSRs are voluntary, face-to-face visits, usually at the headquarters facility of the pipeline owner/operator. The TSA has developed a question set to aid in conducting PCSRs. “The PCSR Question Set structures the TSA-Owner/Operator discussion and is the central data source for the security information TSA collects. TSA developed the PCSR Question Set based on input from government and industry stakeholders on how best to obtain relevant information from a pipeline Owner/Operator about its security plan and processes. This PCSR information collection provides TSA with real-time information on a company’s security posture,” the notice added.

While the PCSR collection supports security plans and processes, TSA has issued security directives with mandatory requirements to mitigate specific security concerns posed by current threats to national security. 

The notice said that the TSA’s July 2022 SD 2021-02C amended the SD 2021-02 series, providing flexibility to meet the intended security outcomes while maintaining cybersecurity enhancements. The revision was necessary to address the ongoing threats to pipeline systems and associated infrastructure.

“Overall, SD 2021-02C changed the cybersecurity requirements from a prescriptive approach to a security outcome approach,” the notice said. “SD 2021-02C also changed the scope of requirements to Critical Cyber Systems, as defined in the SD, and changed cybersecurity assessment requirements. There was no change to the applicability of the SD to Owner/Operators of hazardous liquid and natural gas pipelines or a liquefied natural gas facility notified by TSA that their pipeline system or facility is critical,” it added.

Additionally, on July 29, the OMB approved TSA’s request for the emergency revision of this information collection, allowing for the institution of mandatory requirements issued within TSA SD 2021-02C. 

The SD 2021-02C requires identified owners/operators to meet three requirements. The first is to establish and implement a TSA-approved cybersecurity implementation plan that describes the specific cybersecurity measures employed and the schedule for achieving the outcomes described in the SD, and that is provided to TSA upon request.

The rules also call upon owners/operators to develop and maintain a record of an up-to-date cybersecurity incident response plan to reduce the risk of operational disruption or the risk of other significant impacts on necessary capacity. Furthermore, they must establish a cybersecurity assessment program and submit an annual plan that describes how the owner/operator will proactively and regularly assess the effectiveness of cybersecurity measures and identify and resolve device, network, and/or system vulnerabilities, and provide it to TSA upon request.

The TSA estimates the total annual burden hours for the mandatory collection to be 20,220 hours, with the PCSR taking up 220 hours, the cybersecurity incident response plan accounting for 8,000 hours, the annual plan for cybersecurity assessment consuming 4,000 hours, and compliance documentation taking up 8,000 hours. In addition, the one-time burden for the development and submission to TSA of the owner/operator’s cybersecurity implementation plan is 40,000 hours.

The Cybersecurity and Infrastructure Security Agency (CISA) also issued on Monday a 60-day notice and requested comments on renewal information for the Nationwide Cyber Security Review (NCSR) assessment across SLTT (State, Local, Tribal, and Territorial) governments. Subsequently, the CISA will submit the renewal information for an existing information collection request (ICR) to the OMB for review and clearance in accordance with the Paperwork Reduction Act.

As this is a renewal of an existing information collection, not a new collection, the OMB is interested in comments that evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility. It is also interested in comments that evaluate the accuracy of the agency’s estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used.

Furthermore, the OMB seeks to enhance the quality, utility, and clarity of the information to be collected. It also looks to minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology.

On Monday, the CISA also published a Binding Operational Directive that calls upon federal civilian executive branch (FCEB) agencies to make measurable progress toward enhancing visibility into asset discovery and vulnerability enumeration across their networks. The document assesses continuous and comprehensive asset visibility as an essential precondition for any organization to manage cybersecurity risk. It calls for accurate and up-to-date accounting of assets residing on federal networks to address cybersecurity for FCEB enterprises.
