Last week the DHS Cybersecurity and Infrastructure Security Agency published a 60-day information collection request (ICR) for the Chemical Security Assessment Tool (CSAT) for the Chemical Facility Anti-Terrorism Standards (CFATS) program. In my post on the ICR I noted that there was a little-known collection included in the ICR: “Identification of Additional Facilities and Assets at Risk”. As is typical in a well-constructed ICR notice, little detail is provided about the actual collection; the details provided apply only to the burden estimate associated with the collection.
Questions on Collection
I attempted to gather some information on this collection from official sources at the DHS Infrastructure Security Compliance Division. My questions were forwarded to Bardha Azari of the CISA Office of External Affairs. Azari responded and told me that in order to “consolidate all questions and concerns regarding the CSAT ICR, and to maintain a transparent public process, your questions and comments on the ICR should be submitted through the Federal eRulemaking Portal”. This post will form that ICR response.
Unfortunately, without answers to the questions asked below, I will not be able to provide a proper response on the adequacy of the burden estimate or the need of the agency to collect the information, as envisioned in the Paperwork Reduction Act of 1995. An adequate response will have to wait until the 30-day ICR notice is published.
Data on the Current ICR
Looking at the Reginfo.gov website for the current ICR, there is a link to a document [DOCX. Download] explaining the current collection tool. It explains that there are two sections for the current ‘instrument’ involved in this collection:
• Identification of Facilities at Risk; and
• Assets at Risk
Because these resources are not available until the approved ICR is published, respondents to the current ICR notice are forced to rely on information provided in the current ICR data. A detailed look at the existing data leads to questions that should be answered before the adequacy of the revised ICR can be assessed.
Identification of Facilities
The explanation document explains that:
“In this section the instrument will collect, on a voluntary basis, the following information when the facility identifies it ships and/or receives COI:
• Shipping and/or receiving procedures
• Invoices and receipts
• Company names and locations that COI is shipped to and/or received from”
The new ICR notice reports that the voluntary collection will be limited to only 845 respondents, “because CISA only requests this information from covered chemical facilities that undergo compliance inspections and ship chemicals of interest (COI)”. This would seem to indicate that ISCD is changing the focus of this collection to just identifying facilities that receive DHS chemicals of interest (COI).
To adequately assess the appropriateness of this collection, I think that the community needs answers to the following questions:
1. How many facilities were asked to provide responses to this collection since October 2016?
2. How many facilities voluntarily provided information on the vendors that shipped COI to the inspected facility?
3. How many facilities voluntarily provided information on the customers to whom they shipped COI from the inspected facility?
4. How many of those facilities identified in the voluntary collection had not previously completed Top Screen submissions to ISCD?
5. Of those previously unidentified facilities, how many subsequently submitted Top Screens?
6. Of those previously unidentified facilities that submitted Top Screens, how many were subsequently identified as being at high-risk?
7. Why wasn’t this data collection mentioned in the FY 2019 CFATS Outreach Implementation Plan?
Assets At Risk
The explanation document explains that:
“In this section the instrument will collect, on a voluntary basis, the following information when the facility identifies a SCADA, DCS, PCS, or ICS:
• Provide details on the system(s) that controls, monitors, and/or manages small to large production systems as well as how the system(s) operates.
• If it is standalone or connected to other systems or networks and document the specific brand and name of the system(s).”
There is no mention of an industrial control system data collection in the ICR notice, which asks only for voluntary data submissions from “facilities that undergo compliance inspections and ship chemicals of interest (COI)”. That would hardly be a limited category of facilities from which ISCD would wish to collect the above-described data.
To adequately comment on the removal of this information from the collection, the community would need answers to the following questions:
1. Has the section actually been removed from the collection? If so, why?
2. How many facilities were asked to voluntarily provide the information since October 2016?
3. What criteria were used to select the facilities that were asked to provide the information?
4. How many facilities responded to the information collection?
5. Was any data provided in this information collection that had not been previously provided in the approved facility site security plan?