Thursday, April 8, 2021

TSA Publishes 60-Day ICR Revision Notice for Pipeline Info

Today the Transportation Security Administration published a 60-day information collection request revision notice in the Federal Register (86 FR 18291-18292) for their “Critical Facility Information of the Top 100 Most Critical Pipelines” program. The revision is necessitated by changes being made to the Critical Facility Security Review (CFSR) Form and the resulting changes to the burden estimate for this ICR.

The Revision

According to the Notice:

“TSA is revising the information collection to align the CFSR question set with the revised Pipeline Security Guidelines, and to capture additional criticality criteria. As a result, the question set has been edited by removing, adding and rewriting several questions, to meet the Pipeline Security Guidelines [link added] and criticality needs. Further, TSA is moving the collection instrument from a PDF format to an Excel Workbook format.”

The table below shows the current burden estimate and the revised estimate provided in this Notice.







Time Burden






NOTE: There is an apparent typo in the Notices burden estimate calculations; 80 x 2 x 3 = 480 not 4800.

Public Feedback

The TSA is soliciting public comments on this ICR revision. The TSA is not using the Federal eRulemaking Portal to receive comments on this ICR. Instead, respondents are asked to email their comments to


Failure by the TSA to use the public commenting option ensures that the TSA has control of what public responses will be shown to the OMB when this revision is submitted.

Long time readers of this blog will undoubtedly be aware that I have had many concerns about TSA ICR notices over the years. This notice is another example of TSA’s unwillingness or incapability to provide adequate information in the notice to allow for commentors to provide effective feedback on the required questions about the efficacy of this ICR. The public cannot assess the accuracy of the TSA’s burden estimate because we have no way of knowing what changes have been made to the Critical Facility Security Review.

The paperwork that the TSA submitted to OMB’s Office of Information and Regulatory Affairs when this ICR was last updated (in 2017) included a copy of the CFSR [.DOCX download link], but access to that form was never provided to the public in either the 60-day nor 30-day ICR notice. Furthermore, TSA provides a cost estimate for the burden when they submit the ICR to OIRA but does not publish that estimate in their notices to allow for public comment.

Okay, enough ranting; substantive comments now. The current CFSR does not include any questions about cybersecurity for these critical pipeline facilities. I would presume that this is because the earlier version of the Pipeline Security Guidelines that were being used when that CFSR was submitted to ORIA did not mention cybersecurity. The current version of the Guidelines, however, does include an extensive listing (see pages 16 thru 21) of baseline and enhanced cybersecurity measures that are recommended by TSA. If the new CFSR reflects these cybersecurity guidelines with additional questions, then there should be a substantial increase in the number of questions on the CFSR and a concomitant increase in the time necessary to complete the CFSR. That is not reflected in the burden estimate.

Further, TSA does not explain the change in the number of expected responses from 180 to 160.

TSA needs to address these issues when they publish their 30-day ICR notice later this year.

I will be submitting a copy of this blog post to the TSA as a comment on this ICR notice. 

No comments:

/* Use this with templates/template-twocol.html */