DHS Publishes 30-Day CSAT ICR Change Notice – 05-07-19

Today the DHS Infrastructure Security Division of CISA published a 30-day Information Collection Request (ICR) revision notice for the Chemical Security Assessment Tool in the Federal register (84 FR 19929-19933). The 60-day ICR revision notice was published on February 7^th, 2019. This notice includes a detailed response to questions submitted by an unnamed commenter (official comment here) on the 60-day ICR notice.

The 30-day ICR Comments

Alert readers will recall that I pointed out two discrepancies in an otherwise detailed ICR notice. Those discrepancies are related to incomplete data being presented on two of the information collections covered in this ICR:

• Identification of Facilities at Risk; and

• Assets at Risks

The first deals with information collected from facilities that ship DHS chemicals of interest (COI) about facilities to which they ship COI. The second deals with information collected about industrial control systems that are related to the use, storage or loading of COI at the facility. I posed a number of questions about each of those collections and todays ICR notice provides detailed answers to those questions.

Identification of Facilities at Risk

While the full set of comments concerning the Identification of Facilities at Risk information collection is well worth reading, particularly by facilities that have thought that DHS would not be able to find out that they had COI and thus could get away without filing a Top Screen, the data that I found interesting was presented in response to my questions about the history of this information collection. I’ll briefly summarize it below:

• Number of potential responses per year – 845

• Number of voluntary responses that identified facilities actually received – 15

• Number of facilities of concern identified – 172

• Number of Top Screens from newly identified facilities – 27 (to date, may be more pending)

• Number of new CFATS covered facilities from those Top Screens – 18

This final data section on the Identification of Facilities at Risk data collection concludes with the following editorial comment:

CISA believes that voluntarily supplied customer and suppliers lists are an excellent source of information to identify chemical facilities of interest and covered chemical facilities.

Assets at Risk

This is the data collection that was completely overlooked in the 60-day notice. Again, the full response to the questions I asked about this data collection are worth reading, particularly by anyone interested in the regulation of industrial control system security. I will highlight a few of the more interesting data points here.

The number of times Chemical Security Inspectors requested information about assets at risk:

◦ FY 2017 – 2,018

◦ FY 2018 – 3,328

◦ FY 2019 (to date) – 1,107

The number of voluntary responses – all requested facilities;

The following comment was provided about the information collected:

CISA has found that the information generally collected under the section (Assets at Risk) is not information previously provided in an approved facility's SSP or ASP. The information collected through the second section of the instrument generally supplements the information provided by covered chemical facilities in their SSP or ASP. Information collected through this instrument is recorded in case files created by CISA employees outside of the SSP or ASP (e.g., Compliance Inspection Reports).

Commentary

Once again, I would like to commend the folks at DHS for the way that they have dealt with these questions and ICRs related to the Chemical Anti-Terrorism Standards (CFATS) program in general. The wealth of information provided to the regulated community to justify the information collection requests is a model that other agencies in the Federal Government should follow.

The differences in the response rates to the two voluntary information collections is more than a little interesting. The 100% response rate to the questions about industrial control system security issues seems to me to be indicative of the industry’s cooperative compliance with the CFATS program. The Infrastructure Security Compliance Division (ISCD) has worked very hard to foster a strong working relationship with the regulated industry and this is a great indicator of how well that hard work has paid off.

The very low voluntary compliance rate on the facility identification collection poses an interesting conundrum for the folks at ISCD. First, the success rate for identifying facilities that have not followed the law (for what ever reason) and completed a Top Screen is phenomenal. That combined with the higher than normal conversion of initial Top Screen submissions to identification of submitting facilities as CFATS covered facilities means that this is a very effective tool for achieving the congressional mandate in 6 USC 629, Outreach to chemical facilities of interest.

The low voluntary compliance rate for this collection is almost certainly based upon organizations wanting to protect customer relationships. Non-complying companies are probably trying to avoid the appearance of ‘ratting out’ their customers, and this is certainly understandable. ISCD recognition of this concern is also why this is a voluntary information collection.

During the CFATS reauthorization Congress might want to take a look at whether or not they might want to mandate this information collection. Being able to collect this information from each covered facility that ships COI domestically will certainly bring ISCD much closer to 100% identification of facilities of interest. Whether or not this is worth the political cost of mandating the disclosure is something that only Congress can answer.