TSA Pipeline Corporate Security Review 30-Day ICR

Yesterday the Transportation Security Administration (TSA) published a 30-day information collection request (ICR) notice in the Federal Register for the proposed Pipeline Corporate Security Review (PCSR) program. This would be a follow-up to their 60-day notice that I discussed back in August. TSA proposes to conduct “likely 12” (75 FR 73117) of these PCSRs each year at selected facilities from up to 2,200 potential locations.

Public comments on this ICR are being solicited and should be submitted by December 29th, 2010. Comments should be submitted the Office of Management and Budget’s Office of Information and Regulatory Affairs. Those comment submissions should be addressed to Desk Officer, Department of Homeland Security/TSA, and sent via electronic mail to oira_submission@omb.eop.gov or faxed to (202) 395-6974.

ICR Description Revised

The information provided in this ICR notice is substantially less complete than that provided in the earlier 60-day notice (75 FR 42086-87). Since the reference to the earlier notice does not mention if comments were received, it is not clear if this constitutes a change in the ICR because of comments received on the original notice or if this is just due to a condensation of the description. To be fair the current notice lists the description as an ‘Abstract’ rather than a full listing of the ‘Purpose and Description of the Data Collection’.

There are, however, two apparent substantive differences in the descriptions of the information collection processes. The first difference involves the scope of the information collection. In the 60-day notice the on-site visit is specifically described as a two-phase visit. The first portion would be conducted at the corporate headquarters with follow-ups at “one or two of the owners/operators assets to further assess the implementation of the owner's/operator's security plan” (75 FR 42086). There is no such reference to assessing security plan implementation in the current notice.

To my mind the most important difference in the two ICR notices is that the current notice contains no mention of TSA’s responsibility to protect the information collected. The original submission contains the following language:

“TSA assures respondents that the portion of their responses that is deemed Sensitive Security Information (SSI) will be protected in accordance with procedures meeting the transmission, handling, and storage requirements of SSI set forth in 49 CFR parts 15 and 1520.” (75 FR 42087)

One would like to assume that this lack of SSI language is merely a bureaucratic oversight, but if I were a pipeline operator I would prefer to have this clearly documented since there is no specific regulatory mention of such protections, there being no current pipeline security regulations.