Yesterday the DHS Cybersecurity and Infrastructure Security
Agency (CISA) published a 60-day information collection request notice (ICR) in
the Federal Register (84 FR 2558-2564) for the Chemical Facility Anti-Terrorism
Standards (CFATS) program Chemical Security Assessment Tool (CSAT). The CSAT is
an online tool that the Agency (via the Infrastructure Security Compliance
Division) uses to collect information from chemical facilities to oversee the
CFATS program.
ICR Data
The previous ICR for this program was initiated to allow the
ISCD to implement CSAT 2.0, the revised information collection and assessment
tool that was introduced in 2016. Yesterday’s ICR notice is intended to revise
the collection and burden estimates to reflect on-going collection requirements now
that the CSAT 2.0 implementation is complete. Table 1 below provides a
comparison between the currently approved ICR and the new estimate from CISA.
| | Current | Proposed |
|---|---|---|
| Total Responses | 18,450 | 22,543 |
| Total Burden Hours | 22,239 | 14,359 |
| Total Burden $ | $15.3 M | $1.1 M |
Table 1: Burden Comparison
The data in Table 1 is not directly provided in the ICR
notice; it is compiled from the information provided in the notice for each
of the six data collection tools included in CSAT. Table 2 provides a summary
of the data provided. The links in the table are to the detailed discussion in
the ICR notice explaining how CISA arrived at the figures.
| | Responses | Hours | Dollars |
|---|---|---|---|
| | 2,332 | 2,553 | $203,450 |
| | 1,683 | 2,083 | $166,028 |
| | 1,683 | 4,582 | $365,141 |
| | 15,000 | 2,500 | $199,233 |
| | 1,000 | 2,500 | $199,233 |
| | 845 | 141 | $11,223 |
| Total | 22,543 | 14,359 | $1,144,308 |
Table 2: ICR Burden Details
Risk Identification
The one tool that may not be immediately familiar to folks
in the CFATS community is the risk identification tool. Actually, the ICR
notice provides a more complete title: Identification of Additional Facilities
and Assets at Risk. In the currently approved ICR the
document [.DOCX download] describing this data collection shows two
different types of information being collected as a result of compliance
inspections.
The first addresses identification of facilities at risk.
Facilities that receive or ship DHS chemicals of interest (COI) are requested to
voluntarily provide data on:
• Shipping and/or receiving procedures
• Invoices and receipts
• Company names and locations that COI is shipped to and/or received from
The discussion in the ICR notice would seem to indicate that
CISA will only be collecting the above information from facilities that ship COI.
The second addresses assets at risk. Facilities that are
identified as having “SCADA, DCS, PCS, or ICS” are requested to voluntarily
provide information on:
• Details on the system(s) that controls, monitors, and/or manages small to large production systems as well as how the system(s) operates.
• If it is standalone or connected to other systems or networks and document the specific brand and name of the system(s)
This ICR notice only mentions the description of the
facilities at risk data collection. Neither the 60-day
ICR notice for the existing ICR nor the supporting
document [.DOCX download] provided to OMB describes either risk data
collection. They only mention that the data collection is voluntary and expect
that each facility providing a site security plan (SSP) will provide data under
this collection.
Commentary
This ICR notice provides a look at the interesting problem
agencies have in preparing their burden estimates for data collections that are
not strictly periodic. When programs start up (or significant changes are made)
the collection requirements are generally going to be higher as the affected
entities have to put reporting (and the internal data collection) processes
into place. Presumably, after that initial effort is complete, the
burden will decrease for subsequent data submissions.
In the detailed discussions in this notice CISA continues
the established process that has been used throughout the history of the CFATS
program in providing detailed information in its ICR notices. With the level of
information provided, interested parties have enough information to determine
if they have specific questions about the burden estimates or have suggestions
on how the agency can improve those estimates. That, after all, is the whole
purpose of publishing these ICR notices.
I find it interesting to see that the CFATS program
attempted to gain additional information on industrial control systems used at
covered facilities. This bears further investigation.