Cybersecurity and Infrastructure Security Agency, DHS.
60-Day notice and request for comments; revision of information collection request: 1670-0029.
The Infrastructure Security Division (ISD) within the Cybersecurity and Infrastructure Security Agency (CISA) is issuing a 60-day notice and request for comments to revise Information Collection Request (ICR) 1670-0029. CISA will submit the ICR to the Office of Management and Budget (OMB) for review and clearance in accordance with the Paperwork Reduction Act of 1995.
Comments are due August 23, 2021.
You may submit comments, identified by docket number CISA-2021-0009 through the Federal eRulemaking Portal available at http://www.regulations.gov. Follow the instructions for submitting comments.
Instructions: All comments received via https://www.regulations.gov will be posted to the public docket at https://www.regulations.gov, including any personal information provided.
Do not submit comments that include trade secrets, confidential commercial or financial information, Chemical-terrorism Vulnerability Information (CVI), Protected Critical Infrastructure Information (PCII), or Sensitive Security Information (SSI) directly to the public regulatory docket. Contact the individual listed in the FOR FURTHER INFORMATION CONTACT section below with questions about comments containing such protected information. CISA will not place comments containing such protected information in the public docket and will handle them in accordance with applicable safeguards and restrictions on access. Additionally, CISA will hold them in a separate file to which the public does not have access and place a note in the public docket that CISA has received such protected materials from the commenter. If CISA receives a request to examine or copy this information, CISA will treat it as any other request under the Freedom of Information Act (FOIA).
Start Further Info
FOR FURTHER INFORMATION CONTACT:
Lona Saccomando, 202-579-0590, CISARegulations@cisa.dhs.gov.
End Further Info
Start Supplemental Information
The CFATS Program identifies chemical facilities of interest and regulates the security of high-risk chemical facilities through a risk-based approach. The CFATS Program is authorized under the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 
or “CFATS Act of 2014”. CISA collects necessary information through 1670-0029 to implement the CFATS Personnel Surety Program.
High-risk chemical facilities regulated by CISA under the CFATS Program must submit a Site Security Plan (SSP) or an Alternative Security Program (ASP) that describes how they will meet or exceed 18 risk-based performance standards (RBPS), including RBPS 12—Personnel Surety. Under RBPS 12, high-risk chemical facilities regulated under CFATS are required to account for the conduct of certain types of background checks in their Site Security Plans. Specifically, RBPS 12 requires high-risk chemical facilities to:
Perform appropriate background checks on and ensure appropriate credentials for facility personnel, and as appropriate, for unescorted visitors with access to restricted areas or critical assets, including, (i) Measures designed to verify and validate identity; (ii) Measures designed to check criminal history; (iii) Measures designed to verify and validate legal authorization to work; and (iv) Measures designed to identify people with terrorist ties[.]6 CFR 27.230(a)(12).
The first three aspects of RBPS 12 (checks for identity, criminal history, and legal authorization to work) are performed by the facility. The fourth aspect (i.e., the check for terrorist ties) was implemented in December 2016 at Tier 1 and Tier 2 facilities.
In July of 2019 the Department implemented the CFATS Personnel Surety Program for all tiers.
A complete description of the CFATS Personnel Surety Program is provided in the July 2019 notice and Start Printed Page 32961additional information can be found on CISA's website.
As required by the Notice of Action issued by OMB on May 23, 2019, CISA “phased in gradually” the CFATS Personnel Surety Program.
Since July of 2019, when CISA published the implementation notice for the CFATS Personnel Surety Program announcing full implementation, CISA has selected between 50 to 100 facilities a month to update their SSP or ASP to implement security measures designed to ensure that certain individuals with or seeking access to the restricted areas or critical assets at those chemical facilities are screened for terrorist ties. CISA expects to complete implementing the CFATS Personnel Surety Program at every high-risk chemical facility by the second quarter of FY2022
High-Risk Chemical Facilities Have Flexibility When Implementing the CFATS Personnel Surety Program
High-risk chemical facilities have flexibility to tailor their implementation of the CFATS Personnel Surety Program to fit their individual circumstances and, in this regard, to best balance who qualifies as an affected individual, unique security issues, costs, and burden. For example, a high-risk chemical facility may, in its Site Security Plan:
- Restrict the number and types of persons allowed to access its restricted areas and critical assets, thus limiting the number of persons who will need to be checked for terrorist ties.
- Define its restricted areas and critical assets, thus potentially limiting the number of persons who will need to be checked for terrorist ties.
- Choose to escort visitors accessing restricted areas and critical assets in lieu of performing terrorist ties background checks under the CFATS Personnel Surety Program. The high-risk chemical facility may propose in its SSP or ASP traditional escorting solutions and/or innovative escorting alternatives such as video monitoring (which may reduce facility security costs), as appropriate, to address the unique security risks present at the facility.
Options Available to High-Risk Chemical Facilities To Comply With RBPS 12(iv)
As described in the July 2019 Implementation Notice, the CFATS Personnel Surety Program provides high-risk chemical facilities several options to comply with RBPS 12(iv). In addition to the alternatives expressly described in the July 2019 Implementation notice, CISA permits high-risk chemical facilities to propose alternative measures for terrorist ties identification in their SSPs or ASPs, which CISA will consider on a case-by-case basis in evaluating high-risk chemical facilities' SSPs or ASPs. In addition, a high-risk chemical facility may choose one option or a combination of options to comply with RBPS 12(iv).
Identifying affected individuals who have terrorist ties is an inherently governmental function and requires the use of information held in government-maintained databases that are unavailable to high-risk chemical facilities. 72 FR 17688, 17709 (April 9, 2007). Thus, under RBPS 12(iv), CISA and high-risk chemical facilities must work together to satisfy the “terrorist ties” aspect of the Personnel Surety performance standard. To implement the provisions of RBPS 12(iv), and in accordance with Title XXI of the Homeland Security Act of 2002, as amended,
the following options will be available to enable high-risk chemical facilities to facilitate terrorist-ties vetting of affected individuals.
Option 1. High-risk chemical facilities may submit certain information about affected individuals that CISA will use to vet those individuals for terrorist ties. Specifically, the identifying information about affected individuals will be compared against identifying information of known or suspected terrorists contained in the federal government's consolidated and integrated terrorist watchlist, the Terrorist Screening Database (TSDB), which is maintained by the Department of Justice (DOJ) Federal Bureau of Investigation (FBI) in the Terrorist Screening Center (TSC).
Option 2. High-risk chemical facilities may submit information about affected individuals who already possess certain credentials that rely on security threat assessments conducted by the Department. See 72 FR 17688, 17709 (April 9, 2007). This will enable CISA to verify the continuing validity of these credentials.
Option 3. High-risk chemical facilities may comply with RBPS 12(iv) without submitting to CISA information about affected individuals who possess Transportation Worker Identification Credentials (TWICs), if a high-risk chemical facility electronically verifies and validates the affected individual's TWICs through the use of TWIC readers (or other technology that is periodically updated using the Canceled Card List).
Option 4. High-risk chemical facilities may visually verify certain credentials or documents that are issued by a Federal screening program that periodically vets enrolled individuals against the Terrorist Screening Database (TSDB). CISA continues to believe that visual verification has significant security limitations and, accordingly, encourages high-risk chemical facilities choosing this option to identify in their Site Security Plans the means by which they plan to address these limitations.
Since the implementation of the CFATS Personnel Surety Program and by the end of 2020; the CISA reviewed the activity of 1,666 unique facilities at which the program had been implemented. Of the 1,666 facilities, 1,547 selected a single option, 102 selected two options, and 17 facilities selected three options. Four of the 1,666 facilities proposed alternative measures for terrorist ties identification in their SSPs or ASPs, which CISA considered and subsequently approved. CISA's review also found that facilities overwhelmingly selected Option 1 as a means to comply with RBPS 12(iv). Specifically, a total of 1,635 facilities out of the 1,666 facilities reviewed selected Option 1 as a method to comply with the check for terrorist ties in their SSP or ASP.
Information Collected About Affected Individuals
Option 1: Collecting Information To Conduct Direct Vetting
If high-risk chemical facilities select Option 1 to satisfy RBPS 12(iv) for an affected individual, the following information about the affected individual would be submitted to CISA:
- For U.S. Persons (U.S. citizens and nationals, as well as U.S. lawful permanent residents):
○ Full Name;
○ Date of Birth; and
○ Citizenship or Gender.
○ Full Name;
○ Date of Birth;
○ Citizenship; and
○ Passport information and/or alien registration number.
To reduce the likelihood of false positives in matching against records in the Federal Government's consolidated and integrated terrorist watch list, high-risk chemical facilities would also be able to submit the following optional Start Printed Page 32962information about an affected individual to CISA:
- Gender (for Non-U.S. Persons);
- Place of Birth; and/or
- Redress Number.
High-risk chemical facilities have the option to create user defined fields to collect and store additional information to assist with the management of an affected individual's records. Any information collected in user defined fields will not be used to support vetting activities. Table 1 summarizes the biographic data that would be submitted to CISA under Option 1.
Table 1—Required and Optional Data for an Affected Individual Under Option 1
|Data elements submitted to CISA||For a U.S. person||For a non-U.S. person|
|Date of Birth||Required.|
|Gender||Must provide Citizenship or Gender||Optional.|
|Passport Information and/or Alien Registration Number||N/A||Required.|
|Place of Birth||Optional.|
|User Defined Field(s)||Optional (Not used for vetting purposes).|
Option 2: Collecting Information To Use Vetting Conducted Under Other DHS Programs
In lieu of submitting information to CISA under Option 1 for vetting of terrorist ties, high-risk chemical facilities also have the option, where appropriate, to submit information to CISA to electronically verify that an affected individual is currently enrolled in another DHS program that vets for terrorist ties.
To verify an affected individual's enrollment in one of these programs under Option 2, CISA would collect the following information about the affected individual:
- Full Name;
- Date of Birth; and
- Program-specific information or credential information, such as expiration date, unique number, or issuing entity (e.g., state for Commercial Driver's License [CDL] associated with an Hazardous Materials Endorsement [HME]).
To reduce the likelihood of false positives, high-risk chemical facilities may also submit the following optional information about affected individuals to CISA:
- Place of Birth; and/or
High-risk chemical facilities have the option to create a user defined field to collect and store additional information to assist with the management of an affected individual's records. Any information collected in user defined fields will not be used to support vetting activities. Table 2 summarizes the biographic data that would be submitted to CISA under Option 2.
Table 2—Required and Optional Data for an Affected Individual Under Option 2
|Data Elements Submitted to CISA|
|Date of Birth||Required.|
|Program-specific information or credential information, such as expiration date, unique number, or issuing entity||Required.|
|Place of Birth||Optional.|
|User Defined Field(s)||Optional (Not used for vetting purposes).|
Other Information Collected
CISA may also contact a high-risk chemical facility or its designees to request additional information (e.g., visa information) pertaining to an affected individual in order to clarify suspected data errors or resolve potential matches (e.g., an affected individual has a common name). Such requests will not imply, and should not be construed to indicate, that an affected individual's information has been confirmed as a match to a record of an individual with terrorist ties.
CISA may also collect information provided by individuals or high-risk chemical facilities in support of any adjudication requests under Subpart C of the CFATS regulation,
or in support of any other redress requests.
The information that is collected is used by CISA (1) to compare affected individuals information to known and suspected terrorists, or (2) to electronically verify and validate that the affected individual is enrolled in another DHS program that compares an Start Printed Page 32963affected individual's information to known and suspected terrorists.
Proposed Revisions to the CFATS Personnel Surety Program Information Collection Request
The revisions proposed in this ICR are minor revisions to the instrument that: (1) Reflect the passage of the Cybersecurity and Infrastructure Security Act of 2018, 6 U.S.C. 651-74, such as updating the Agency name to conform with the Agency's new designation as CISA; (2) increase the number of annual respondents from 72,607 respondents to 149,271 respondents; (3) increase the annual burden from 12,101 hours to 24,879 hours; (4) remove the costs associated with capital/startup costs because they are incorporated within the estimated number of respondents; and (4) update the average hourly wage rate of Site Security Officers. CISA is not proposing any revision to the scope of the instrument.
CISA's Methodology in Estimating the Burden for the Personnel Surety Program
Number of Respondents
The current information collection estimates that 72,607 respondents (i.e., affected individuals) would be submitted annually. The current estimate was calculated by adding the estimated the number of initial respondents and the number of annual respondents.
The “initial respondents” are those affected individuals with existing access at a high-risk chemical facility and will be submitted by the facility after receiving authorization or approval of an SSP or ASP requiring the facility to implement measures to comply with RBPS 12(iv). “Annual respondents” are the number of respondents CISA estimates will be submitted each year by high-risk chemical facilities that have completed the initial respondent's submission and are now in the maintenance phase (e.g., adding new affected individuals due to employee hires).
1. Revision to Methodology on How Respondents Are Estimated
CISA has generally assumed that new facilities implementing the Personnel Surety Program for the first time as a high-risk chemical facility under CFATS will have a one-time requirement to submit information about initial respondents with existing access to the restricted areas or critical assets at the high-risk chemical facility. In the current Information Collection, this one-time cost was estimated as a startup cost. However, based on CISA's experience implementing the Personnel Surety Program, CISA has determined that the per submission burden associated with first time submissions (i.e., “initial respondents”) does not differ from the burdens associated with the per submission burdens associated with subsequent submissions to maintain the program (i.e., “annual respondents”). As such, starting with this revision, CISA will no longer consider initial respondents as start-up costs.
Instead, as discussed below, new facilities submitting information about affected individuals to CISA for the first time will be consolidated into the number of annual respondents, based on the observed numbers of new facilities per year. Therefore, although this collection will include one respondent type (i.e., “annual respondents”), the annual number of respondents for this collection will continue to include both historical categories of “initial” and “annual” respondents.
2. Annual Respondents From New Facilities
In this collection, CISA will include the average number of facilities to be determined high risk for the first time in the number of annual respondents. As shown in the table below, there is, on average over the past four years, 134.5 facilities which are determined to be high-risk for the first time each year.
Table 3—Number of First Time High-Risk Chemical Facilities by Calendar Year
|Calendar year||Number of facilities
the first time|
Since implementing the Personnel Surety Program, CISA has received information about affected individuals from 1,666 facilities, totaling 228,337 respondents, for an average of 137.1 respondents per facility.
Therefore, CISA estimates the number of annual respondents for facilities determined to be high risk for the first time by multiplying the average number of respondents per facility (137.1) by the average number of new facilities per year (134.5) for an average of 18,434 annual respondents per year.
3. Annual Respondents From Facilities at Which the CFATS Personnel Surety Program Has Been Implemented
In the current Information Collection, the annual number of respondents at high-risk chemical facilities at which the Personnel Surety Program has been implemented was estimated based on the annual hires rates for total private industry. The annual hire rate accounts for the replacement of employee separations as well as new hires. CISA is retaining this methodology. CISA applied the annual hires rate of 57.3% for total private industry, as estimated from the Bureau of Labor Statistics (BLS) 
to the total number of respondents that have already been checked for terrorist ties, resulting in 130,837 annual respondents.
4. Revised Estimate of the Annual Respondents
Using the methodology above, the total number of annual respondents for this collection is the sum of: (a) The number of annual respondents from first time high risk facilities (i.e., 18,434 annual respondents), and (b) the number of annual respondents from new hires 
at high-risk chemical facilities at which the CFATS Personnel Surety program has been implemented (i.e., 130,837 respondents), which totals to an estimated 149,271 annual respondents. Table 05 presents the number of annual respondents.
Start Printed Page 32964
Table 4—Annual Number of Respondents
|Type of submission||Number of respondents|
|First Time High Risk Facilities||18,434|
Estimated Time per Respondent
In the current information collection, the estimated time per respondent is 10 minutes (0.1667 hours) per affected individual. This conservative estimate includes the time to edit or remove a record if a high-risk chemical facility opts to subsequently notify the CISA that an affected individual no longer has access. The current estimate also assumes that each record includes both optional and required data elements. Thus, a revision to modify which data fields are required versus optional does not increase the estimated time per response. Thus, CISA is choosing to retain an estimate of 10 minutes (0.1667 hours) per affected individual.
Annual Burden Hours
In the current information collection, the estimated annual burden is 12,101 hours. To estimate the annual burden hours for this collection, CISA multiplied the number of annual respondents by the estimated time burden of 0.1667 hours (10 minutes), for an estimated annual burden of 24,879 hours (i.e., 0.1667 hours multiplied by 149,271 annual respondents).
Total Capital/Startup Burden Cost
CISA provides access to the CFATS Personnel Surety Program application free of charge and assumes that each high-risk chemical facility already has access to the internet for basic business needs. As described earlier in this notice, CISA expects that all high-risk chemical facilities will have implemented the CFATS Personnel Surety Program prior to the end of CY 2021.
In the current collection, CISA assumed that new facilities implementing the Personnel Surety program for the first time as a high-risk chemical facility under CFATS will have a one-time requirement to submit information about initial respondents with existing access to the restricted areas or critical assets at the high-risk chemical facility. While this was considered a start-up cost in previous collections, for this ICR, CISA no longer considers new facilities submitting as a start-up cost, as the cost for an initial respondent does not differ from the cost of an annual respondent.
Consideration of Other Capital Costs
This information collection request maintains the existing assumptions found in the current information collection request with regard to activities listed in 5 CFR 1320.3(b)(1). Specifically, that 5 CFR 1320.3(b)(1) and 5 CFR 1320.8 require CISA to estimate the total time, effort, or financial resources expended by persons to generate, maintain, retain, disclose, or provide information to or for a Federal agency. Therefore, many costs (e.g., physical modification of the facility layout) a high-risk chemical facility may choose to incur to develop or implement its SSP or ASP should not be accounted for when estimating the capital costs associated with this information collection.
Furthermore, CISA maintains the same assumptions found in the current information collection request with regards to estimating certain high-risk chemical facility capital costs, such as: (1) Capital costs for computer, telecommunications equipment, software, and storage to manage the data collection, submissions, and tracking; (2) capital and ongoing costs for designing, deploying, and operating information technology (IT) systems necessary to maintain the data collection, submissions, and tracking; (3) cost of training high-risk chemical facility personnel to maintain the data collection, submissions, and tracking; and (4) site security officer time to manage the data collection, submissions, and tracking. CISA continues to exclude these costs in accordance with 5 CFR 1320.3(b)(2), which directs Federal agencies to not count the costs associated with the time, effort, and financial resources incurred in the normal course of their activities (e.g., in compiling and maintaining business records) if the reporting, recordkeeping, or disclosure activities are usual and customary.
CISA continues to exclude these usual and customary costs because the time, effort, and financial resources are costs that high-risk chemical facilities incur to conduct background checks for identity, criminal history, and legal authorization to work under 6 CFR 27.230(a)(12)(i)-(iii), and also under various other Federal, State, or local laws or regulations.
Total Recordkeeping Burden
The current information collection does not have any recordkeeping costs because the recordkeeping costs, if any, to create, keep, or retain records pertaining to background checks as part of a high-risk chemical facility's SSP or ASP, are properly estimated in the recordkeeping estimates associated with the SSP Instrument under Information Collection 1670-0007. CISA retains this assumption and estimate of no recordkeeping costs.
Total Annual Burden Cost
CISA assumes that Site Security Officers (SSOs) are responsible for submitting about affected individuals. For the purpose of this notice, CISA maintains this assumption.
To estimate the total annual burden, CISA multiplied the annual burden of 24,879 hours by the average hourly wage rate of Site Security Officers of $88.48 
per hour. Therefore, the total annual burden cost for the CFATS Personnel Surety Program is $2,201,152 (i.e., 24,879 hours multiplied by $88.48 per hour). For the three-year period for which this collection will be approved, the total cost burden would be $6,603,456 (i.e., $2,201,152 annual cost multiplied by 3 years).
OMB is particularly interested in comments that:
1. Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;
2. Evaluate the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used;
3. Enhance the quality, utility, and clarity of the information to be collected; and
4. Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology (e.g., permitting electronic submissions of responses).
Agency: Department of Homeland Security, Cybersecurity and Infrastructure Security Agency.
Title: Chemical Facility Anti-Terrorism Standards (CFATS) Personnel Surety Program.
OMB Number: 1670-0029.
Instrument: CFATS Personnel Surety Program.
Affected Public: Business or other for-profit.
Number of Respondents: 149,271 respondents.
Estimated Time per Respondent: 0.1667 hours (10 minutes).Start Printed Page 32965
Total Burden Hours: 24,879 annual burden hours.
Total Burden Cost (capital/startup): $0.
Total Recordkeeping Burden: $0.
Total Burden Cost: $2,201,152.
End Supplemental Information
Acting Chief Information Officer, Department of Homeland Security, Cybersecurity and Infrastructure Security Agency.
[FR Doc. 2021-13110 Filed 6-22-21; 8:45 am]
BILLING CODE 9110-9P-P