Chemical Security Assessment Tool (CSAT)

AGENCY:

National Protection and Programs Directorate, DHS.

ACTION:

30-Day Notice and request for comments; Revision of Information Collection Request: 1670-0007.

SUMMARY:

The Department of Homeland Security (DHS or the Department), National Protection and Programs Directorate (NPPD), Office of Infrastructure Protection (IP), Infrastructure Security Compliance Division (ISCD), will submit the following Information Collection Request (ICR) to the Office of Management and Budget (OMB) for review and clearance in accordance with the Paperwork Reduction Act of 1995 (Pub. L. 104-13, 44 U.S.C. chapter 35). The Department previously published this ICR, in the Federal Register on November 18, 2015, for a 60-day public comment period.

In this notice NPPD is: (1) Responding to two commenters who submitted comments in response to the 60-day notice previously published for this ICR and (2) inviting public comment concerning this ICR for an additional 30 days.

DATES:

Comments are encouraged and will be accepted until May 13, 2016. This process is conducted in accordance with 5 CFR 1320.8.

ADDRESSES:

Interested persons are invited to submit written comments on the proposed information collection to the Office of Information and Regulatory Affairs, OMB. Comments should be addressed to OMB Desk Officer, Department of Homeland Security, National Protection and Programs Directorate. Comments must be identified by the docket number DHS-2015-0058 and may be submitted using one of the following methods:

• Federal eRulemaking Portal: http://www.regulations.gov.
• Email: oira_submission@omb.eop.gov. Include the docket number in the subject line of the message.
• Fax: (202) 395-5806.

Instructions: All submissions received must include the words “Department of Homeland Security” and the docket number for this action. Comments received will be posted without alteration at http://www.regulations.gov,, including any personal information provided.

Comments that include trade secrets, confidential commercial or financial information, Chemical-terrorism Vulnerability Information (CVI), Sensitive Security Information (SSI), or Protected Critical Infrastructure Information (PCII) should not be submitted to the public regulatory docket. Please submit such comments separately from other comments in response to this notice. Comments containing trade secrets, confidential commercial or financial information, CVI, SSI, or PCII should be appropriately marked and packaged in accordance with applicable requirements and submitted by mail to the Office of Information and Regulatory Affairs, OMB. Comments should be addressed to OMB Desk Officer, Department of Homeland Security, National Protection and Programs Directorate. Comments must be identified by the docket number DHS-2015-0058.

The Office of Management and Budget is particularly interested in comments that:

1. Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;

2. Evaluate the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used;

3. Enhance the quality, utility, and clarity of the information to be collected; and

4. Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submissions of responses.

FOR FURTHER INFORMATION CONTACT:

Chemical Facility Anti-Terrorism Standards (CFATS) Program Manager, DHS/NPPD/IP/ISCD, CFATS@hq.dhs.gov.

SUPPLEMENTARY INFORMATION:

Section 550 of the Homeland Security Appropriations Act of 2007, Public Law 109-295 (2006), provided the Department with the authority to regulate the security of high-risk chemical facilities. On April 9, 2007, the Department issued an Interim Final Rule (IFR), implementing this statutory mandate at 72 FR 17688. In December 2014, the President signed into law the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (the CFATS Act of 2014), Public Law 113-254, which authorized the Chemical Facility Anti-Terrorism Standards program in the Homeland Security Act of 2002, as amended, Public Law 107-296.

The CFATS regulations (available at 6 CFR part 27) govern the security at covered chemical facilities that have been determined by the Department to be at high risk for terrorist attack. See 6 CFR part 27. The CFATS represent national-level effort to minimize the terrorism risk to such facilities. Its design and implementation balance maintaining economic vitality with securing facilities and their surrounding communities. The regulations were designed to take advantage of protective measures already in place and to allow facilities to employ a wide range of tailored measures to satisfy the regulations' Risk-Based Performance Standards (RBPS).

The Department collects the core regulatory data necessary to implement CFATS through the portions of the CSAT covered under this collection. For more information about CFATS and CSAT, you may access www.dhs.gov/chemicalsecurity. The current information collection for CSAT (IC 1670-0007) will expire on April 30, 2016.

Responses To Comments Submitted During 60-Day Comment Period

The Department invited comments on four questions:

(1) Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;

(2) Evaluate the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used;

(3) Enhance the quality, utility, and clarity of the information to be collected; and

(4) Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submissions of responses.

In response to the 60-Day Notice that solicited comments about the CSAT ICR, the Department received 12 comments from 2 commenters. The 2 commenters were 1 private citizen and 1 industry association.

Comments Related to Whether the Proposed Collection of Information is Necessary for the Proper Performance of the Function of the Agency, Including Whether the Information Will Have Practical Utility

The Department did not receive any comments suggesting that the proposed collection of information was not necessary for the proper performance of the functions of the agency.

Comments Related to the Accuracy of the Agency's Estimate of the Burden of the Proposed Collection of Information, Including the Validity of the Methodology and Assumptions Used

Comment: Private Citizen commented, “It is impossible for any individual or entity to make an adequate determination or estimation of the time and costs associated with the submission of the revised Top-Screen document. Although the revised document is available to DHS it has not been published and is not available to this commenter or other interested entity.”

Response: The Department calculated the reduction in Top-Screen time and costs by measuring the time users were logged into the CSAT system completing a Top-Screen between Calendar Year 2012-2014. DHS expects that this level of time will remain the same with the new Top-Screen survey.

Comment: Private Citizen commented, “It is impossible for any individual or entity to make an adequate determination or estimation of the time and costs associated with the submission of the revised Security Vulnerability Assessment document. Although the revised document is available to DHS it has not been published and is not available to this commenter or other interested entity.”

Response: The Department calculated the reduction in time and cost for the new Security Vulnerability Assessment (SVA) and Alternative Security Program (ASP) surveys submitted in lieu of the SVA by measuring the time users were logged into the CSAT system completing the previous SVA/ASP between Calendar Year 2012-2014, and subtracting time for the removal of duplicate questions from the current survey and removal of the attack scenarios from the current survey.

Comment: Private Citizen commented, “The Collection Request document also states the Department is considering requesting chemical facilities of interest that have chemical holdings at or above the non-screening threshold quantities on Appendix of the CFATS complete a Top Screen, even if the facility has previously completed a Top-Screen and been determined not to be high-risk. It is understood that a new baseline for all assets must be established however for entities with a large number of registered facilities with a minimal number of tiered facilities this will be a costly undertaking. Again as in 1 above, it is impossible for any individual or entity to make an adequate determination or estimation of the time and costs associated with the submission of the revised Top-Screen document. Although the revised document is available to DHS it has not been published and is not available to this commenter or other interested entity.”

Response: The Department is only considering requesting facilities that have chemical holdings at or above screening threshold quantities on Appendix A to submit a new Top-Screen. The Department calculated this cost by taking the total number of unique facilities 36,930 that have submitted a Top-Screen since the inception of the regulation in 2007 and applying the time users were logged into the system completing a Top-Screen between Calendar Year 2012-2014.

Comment: Private Citizen commented, “The assumption that Site Security Officers are the only individuals responsible for submitting Top-Screens in many instances may not be a valid assumption. There are costs associated with other individuals that may be involved in the process and in other designated positions such as Submitters and Authorizers. In many instances the Site Security Officer position is not a dedicated separate position. These duties may be/are assigned as additional duties to facility supervisory, management, and operations positions as well as engineers. The cost curve for these individuals is much greater.”

Response: The Department agrees that the actual cost to a facility may vary by the number of people involved, the type of people involved, and the unique facility business operations. Since 2007, the Department has published multiple ICRs and received a significant number of comments about the costs and burdens associated with how to best estimate the facility burden. Those commenters have consistently accepted the use of a Site Security Officer as a reasonable baseline to estimate the costs for most facilities. As a result, the Department has elected to retain this assumption.

Comments Related to the Quality, Utility, and Clarity of the Information To Be Collected

Comment: Industry Association commented, “Some of the questions are phrased as a double negative, making the question unnecessarily confusing. The questions should be phrased in such a way that the expected answer is abundantly evident. If the answer is a simple yes or no, indicate that in the question and provide a text box. If the question requires supporting information, indicate what types of supporting documentation would be acceptable and unacceptable.”

Response: The Department has redesigned the CSAT tool suite. As part of this redesign, the Department changed the question wording where possible to make it clearer and easier to understand.

Comments Related to Minimizing the Burden of the Collection of the Information on Those Who Are To Respond, Including Through the Use of Appropriate Automated, Electronic Mechanical, or Other Technological Collection Techniques or Other Forms of Information Technology, e.g., Permitting Electronic Submissions of Responses

Comment: Industry Association commented, “The CSAT tool has repetitive questions throughout the document that extend the time to complete. For example, Risk-Based Performance Standard (RBPS) 4, repeats questions from RBPS 1, 2 and 3. If the questions must be asked multiple times, it would be helpful to identify questions that would elicit a similar response.”

Response: The Department has redesigned the CSAT tool suite. As part of this redesign, the Department removed repetitive questions.

Comment: Industry Association commented, “DHS should consider the format of RBPS 18. RBPS 18 stipulates that every answer to every question must be yes. Instead of filling out a form by checking a series of boxes, those requirements could be explicitly stated with a simple signature or check box at the bottom.”

Response: The Department has taken this recommendation and merged the retention of records questions that must be answered with a yes into one question that is an affirmation statement.

Other Comments Submitted in Response to the Information Collection Request

Comment: Industry Association commented, “DHS should consider removing the chlorine rail car as a theft issue in the tiering process. Chlorine rail cars weigh between 83,000 and 93,000 lbs. when empty. Loaded rail cars weigh in excess of 263,000 lbs. Due to the extreme weight and the necessity to transport them on permanent rails using powerful mechanized systems, chlorine rail cars should not be considered man-portable.”

Response: The Department has developed an improved risk methodology. As part of this improved risk methodology, the Department will consider packaging size and type in the new vulnerability factor. Although loaded rail cars, which are considered bulk transportation items, are extremely heavy and bulky, the potential for the theft of these rail cars cannot be ruled out.

Comment: Industry Association commented, “Additionally, CI [Chlorine Institute] members have received feedback on Top Screens regarding the release volume. For EPA's RMP submissions, the single largest container is used as the release scenario. When this volume was submitted on a Top Screen, CI members were asked to instead use the full inventory of the COI [Chemical of Interest] within a 170 foot radius. Especially for members who package chlorine into multiple smaller containers, such as cylinders and ton containers, this scenario is highly impractical and improbable and has the potential to affect tier determination. It is also unclear the origins of the 170-foot radius specification.”

Response: The CFATS program is a security-based regulation that is focused on mitigating the risk of intentional acts which generate high consequences. It is possible that these acts may involve multiple cylinders, containers, etc. In contrast, the EPA Risk Management Program is a safety-based regulation that is focused on accidental releases. Thus, it is appropriate for the DHS modeling to take into account the possibility and consequences of an intentional act that results in the release of multiple cylinders/containers.

Comment: Industry Association commented, “Since 2013, CI has had a Cooperative Research and Development Agreement (CRADA) with Chemical Security Analysis Center (CSAC) within DHS. With the support of the Chlorine Institute, CSAC has conducted a series of field experiments to study the dispersion patterns and the nature of reactivity of chlorine to its surroundings. From these tests, CSAC then modeled chlorine releases and contributed those results to the newly updated Chlorine Institute Pamphlet 74, Guidance on Estimating the Area Affected By A Chlorine Release. These models are based on real-world, large-scale chlorine releases, modeled by DHS scientists. For this reason, some members have elected to use the release estimates of Pamphlet 74 in lieu of RMP*COMP, and have received notification from DHS that RMP*COMP must be used. The RMP*COMP is based on a computational model, not real-world tests studied by DHS scientists. DHS should consider, for chlorine, allowing the use of Pamphlet 74 dispersion estimates in lieu of RMP*COMP due to the higher level of accuracy and to conserve resources by using already existing dispersion analysis.”

Response: The Department has developed an improved risk methodology. As part of this improved risk methodology, DHS will employ an atmospheric dispersion model, thus eliminating the need for facilities to use the EPA RMP*Comp Tool.

Comment: Industry Association commented, “DHS should develop a Compliance Guide for performing audits at each Tier Level. This will assist regulated communities in preparing for audits and achieving the intended objectives of CFATS. Additionally, some CI members have observed that some DHS auditors completely ignore CSAT questions during an audit; a Compliance Guide could standardize the auditing process.”

Response: The Department will consider developing a Compliance Guide for performing audits, at each Tier Level.

Comment: Industry Association commented, “DHS should consider combining the Top Screen and Security Vulnerability Assessment processes. Combining the processes would save time for both the regulated community and DHS as each process has similar goals. DHS should also consider factors/measures/conditions that if existing or present would effectively lower the risk ranking of the security issue and effectively lower the Tier Level. This may reduce the number of facilities that are reassigned to a different tier later in the process.”

Response: The Department has redesigned the CSAT tool suite. As part of this redesign, the Department has moved the questions relevant to tiering determinations from the Security Vulnerability Assessment survey to the Top-Screen survey. Along with the redesign of the CSAT tool suite DHS has also developed an improved risk methodology. In this improved risk methodology, DHS has included a new vulnerability metric, based on inherent facility characteristics that reduce vulnerability.

The Department's Methodology in Estimating the Burden for the Top-Screen

This 30-Day Notice relies on the analysis and resulting burden estimates in the 60-day notice for this instrument. The Department also understands CVI training may be required for some Site Security Officer's before being able to submit a Top-Screen. The burden for CVI training is accounted for in ICR: 1670- 30-Day Notice published, in the Federal Register, on March 18, 2013.

The Department's Methodology in Estimating the Burden for the Security Vulnerability Assessment (SVA) & Alternative Security Program (ASP) Submitted in Lieu of the Security Vulnerability Assessment

This 30-Day notice relies on the analysis and resulting burden estimates in the 60-day notice for this instrument.

The Department's Methodology in Estimating the Burden for Site Security Plan (SSP) & Alternative Security Program (ASP) Submitted in Lieu of the Site Security Plan

This 30-Day Notice relies on the analysis and resulting burden estimates in the 60-day notice for this instrument.

The Department's Methodology in Estimating the Burden for the Helpdesk

This 30-Day Notice relies on the analysis and resulting burden estimates in the 60-day notice for this instrument.

The Department's Methodology in Estimating the Burden for Identification of Additional Facilities and Assets at Risk

This 30-Day Notice relies on the analysis and resulting burden estimates in the 60-day notice for this instrument.

Analysis

Agency: Department of Homeland Security, National Protection and Programs Directorate, Office of Infrastructure Protection, Infrastructure Security Compliance Division.

Title: Chemical Security Assessment Tool.

OMB Number: 1670-0007.

Instrument: CSAT Top-Screen.

Frequency: “On occasion” and “Other.”

Affected Public: Business or other for-profit.

Number of Respondents: 1,000 respondents (estimate).

Estimated Time per Respondent: 6.00 hours.

Total Burden Hours: 9,200 hours.

Total Burden Cost (capital/startup): $15,005,400.

Total Recordkeeping Burden: $0.

Total Burden Cost: $15,623,400.

Instrument: Security Vulnerability Assessment and Alternative Security Program Submitted in Lieu of the Security Vulnerability Assessment.

Frequency: “On occasion” and “Other.”

Affected Public: Business or other for-profit.

Number of Respondents: 211 respondents.

Estimated Time per Respondent: 2.65 hours.

Total Burden Hours: 900 hours.

Total Burden Cost (capital/startup): $0.

Total Recordkeeping Burden: $0.

Total Burden Cost: $58,600.

Instrument: Site Security Plan and Alternative Security Program Submitted in Lieu of the Site Security Plan.

Frequency: “On occasion” and “Other.”

Affected Public: Business or other for-profit.

Number of Respondents: 211 respondents.

Estimated Time per Respondent: 18.75 hours.

Total Burden Hours: 8,000 hours.

Total Burden Cost (capital/startup): $0.

Total Recordkeeping Burden: $438,800.

Total Burden Cost: $976,400.

Instrument: CFATS Helpdesk.

Frequency: “On occasion” and “Other.”

Affected Public: Business or other for-profit.

Number of Respondents: 15,000 respondents.

Estimated Time per Respondent: 0.17 hours.

Total Burden Hours: 2,550 annual burden hours.

Total Burden Cost (capital/startup): $0.

Total Recordkeeping Burden: $0.

Total Burden Cost: $172,700.

Instrument: CSAT User Registration.

Frequency: “On occasion” and “Other.”

Affected Public: Business or other for-profit.

Number of Respondents: 1000 respondents.

Estimated Time per Respondent: 2 hours.

Total Burden Hours: 2,000 hours.

Total Burden Cost (capital/startup): $283,600.

Total Recordkeeping Burden: $0.

Total Burden Cost: $419,000.

Instrument: Identification of Facilities and Assets At Risk.

Frequency: “On occasion” and “Other.”

Affected Public: Business or other for-profit.

Number of Respondents: 211 respondents.

Estimated Time per Respondent: 0.17 hours.

Total Burden Hours: 40 hours.

Total Burden Cost (capital/startup): $34,600.

Total Recordkeeping Burden: $0.

Total Burden Cost: $37,000.