Review - TSA Publishes Two Pipeline Security ICR Revisions – 6-30-21

 Yesterday the TSA published two information collection request revision notices in the Federal Register (86 FR 34775-34777 and 86 FR 34777-34778) for two pipeline security related ICRs. These are the same two ICRs for which OMB’s Office of Information and Regulatory Affairs approved emergency ICRs for increased cybersecurity reporting requirements in the TSA’s Pipeline Cybersecurity Directive back in late May. The submission of yesterday’s ICR change notices was mandated by OIRA as part of that earlier approval.

Critical Facility Information ICR

In this notice TSA provides an updated burden estimate that includes the new Pipeline Cybersecurity Self-Assessment form. The only change from the emergency approval ICR is the additional data for the PCSA. TSA expects that each of the 100 critical pipeline facilities covered in the ICR will take six hours to complete the PCSA for a 600 hour increase in the burden estimate.

Pipeline Operator Security Information ICR

In this notice TSA provides an updated burden estimate that includes both the new mandatory cybersecurity incident reporting and the new security point-of-contact information reporting requirement. Neither of the new reporting requirements were included in the emergency approval of revised ICR in May. There was no change to the ‘Other Incident’ reporting burden estimate.

TSA expects that each of the 100 critical pipeline facilities covered in the ICR will take 30 minutes to complete the point-of-contact reporting requirement. Additionally, TSA expects that each facility will be expected to report 20 cybersecurity incidents under the new reporting requirements, with two hours required for each report. The total addition burden described in this ICR notice is 4,050 hours.

TSA is soliciting public comments on both of these ICR revision notices. As is usual for the TSA, they do not us the Federal eRulemaking Portal (www.Regulations.gov) site for comment submission. They require that comments be emailed (or delivered) to TSAPRA@dhs.gov. Comments should be submitted by August 30^th, 2021.

For a more detailed discussion of these two ICR notices, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/tsa-publishes-two-pipeline-security - subscription required.