Cybersecurity and Infrastructure Security Agency, DHS.
60-Day notice and request for comments; revision of information collection request: 1670-0029.
6 U.S.C. 621-629.
The Infrastructure Security Division (ISD) within the Cybersecurity and Infrastructure Security Agency (CISA) is issuing a 60-day notice and request for comments to revise Information Collection Request (ICR) 1670-0029. CISA will submit the ICR to the Office of Management and Budget (OMB) for review and clearance in accordance with the Paperwork Reduction Act of 1995.
Comments are due August 23, 2021.
You may submit comments, identified by docket number CISA-2021-0009 through the Federal eRulemaking Portal available at
Do not submit comments that include trade secrets, confidential commercial or financial information, Chemical-terrorism Vulnerability Information (CVI), Protected Critical Infrastructure Information (PCII), or Sensitive Security Information (SSI) directly to the public regulatory docket. Contact the individual listed in the
Lona Saccomando, 202-579-0590,
The CFATS Program identifies chemical facilities of interest and regulates the security of high-risk chemical facilities through a risk-based approach. The CFATS Program is authorized under the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014
High-risk chemical facilities regulated by CISA under the CFATS Program must submit a Site Security Plan (SSP) or an Alternative Security Program (ASP) that describes how they will meet or exceed 18 risk-based performance standards (RBPS), including RBPS 12—Personnel Surety. Under RBPS 12, high-risk chemical facilities regulated under CFATS are required to account for the conduct of certain types of background checks in their Site Security Plans. Specifically, RBPS 12 requires high-risk chemical facilities to:
Perform appropriate background checks on and ensure appropriate credentials for facility personnel, and as appropriate, for unescorted visitors with access to restricted areas or critical assets, including, (i) Measures designed to verify and validate identity; (ii) Measures designed to check criminal history; (iii) Measures designed to verify and validate legal authorization to work; and (iv) Measures designed to identify people with terrorist ties[.]6 CFR 27.230(a)(12).
The first three aspects of RBPS 12 (checks for identity, criminal history, and legal authorization to work) are performed by the facility. The fourth aspect (
As required by the Notice of Action issued by OMB on May 23, 2019, CISA “phased in gradually” the CFATS Personnel Surety Program.
High-risk chemical facilities have flexibility to tailor their implementation of the CFATS Personnel Surety Program to fit their individual circumstances and, in this regard, to best balance who qualifies as an affected individual, unique security issues, costs, and burden. For example, a high-risk chemical facility may, in its Site Security Plan:
• Restrict the number and types of persons allowed to access its restricted areas and critical assets, thus limiting the number of persons who will need to be checked for terrorist ties.
• Define its restricted areas and critical assets, thus potentially limiting the number of persons who will need to be checked for terrorist ties.
• Choose to escort visitors accessing restricted areas and critical assets in lieu of performing terrorist ties background checks under the CFATS Personnel Surety Program. The high-risk chemical facility may propose in its SSP or ASP traditional escorting solutions and/or innovative escorting alternatives such as video monitoring (which may reduce facility security costs), as appropriate, to address the unique security risks present at the facility.
As described in the July 2019 Implementation Notice, the CFATS Personnel Surety Program provides high-risk chemical facilities several options to comply with RBPS 12(iv). In addition to the alternatives expressly described in the July 2019 Implementation notice, CISA permits high-risk chemical facilities to propose alternative measures for terrorist ties identification in their SSPs or ASPs, which CISA will consider on a case-by-case basis in evaluating high-risk chemical facilities' SSPs or ASPs. In addition, a high-risk chemical facility may choose one option or a combination of options to comply with RBPS 12(iv).
Identifying affected individuals who have terrorist ties is an inherently governmental function and requires the use of information held in government-maintained databases that are unavailable to high-risk chemical facilities. 72 FR 17688, 17709 (April 9, 2007). Thus, under RBPS 12(iv), CISA and high-risk chemical facilities must work together to satisfy the “terrorist ties” aspect of the Personnel Surety performance standard. To implement the provisions of RBPS 12(iv), and in accordance with Title XXI of the Homeland Security Act of 2002, as amended,
Since the implementation of the CFATS Personnel Surety Program and by the end of 2020; the CISA reviewed the activity of 1,666 unique facilities at which the program had been implemented. Of the 1,666 facilities, 1,547 selected a single option, 102 selected two options, and 17 facilities selected three options. Four of the 1,666 facilities proposed alternative measures for terrorist ties identification in their SSPs or ASPs, which CISA considered and subsequently approved. CISA's review also found that facilities overwhelmingly selected Option 1 as a means to comply with RBPS 12(iv). Specifically, a total of 1,635 facilities out of the 1,666 facilities reviewed selected Option 1 as a method to comply with the check for terrorist ties in their SSP or ASP.
If high-risk chemical facilities select Option 1 to satisfy RBPS 12(iv) for an affected individual, the following information about the affected individual would be submitted to CISA:
To reduce the likelihood of false positives in matching against records in the Federal Government's consolidated and integrated terrorist watch list, high-risk chemical facilities would also be able to submit the following optional
High-risk chemical facilities have the option to create user defined fields to collect and store additional information to assist with the management of an affected individual's records. Any information collected in user defined fields will not be used to support vetting activities. Table 1 summarizes the biographic data that would be submitted to CISA under Option 1.
In lieu of submitting information to CISA under Option 1 for vetting of terrorist ties, high-risk chemical facilities also have the option, where appropriate, to submit information to CISA to electronically verify that an affected individual is currently enrolled in another DHS program that vets for terrorist ties.
To verify an affected individual's enrollment in one of these programs under Option 2, CISA would collect the following information about the affected individual:
To reduce the likelihood of false positives, high-risk chemical facilities may also submit the following optional information about affected individuals to CISA:
High-risk chemical facilities have the option to create a user defined field to collect and store additional information to assist with the management of an affected individual's records. Any information collected in user defined fields will not be used to support vetting activities. Table 2 summarizes the biographic data that would be submitted to CISA under Option 2.
CISA may also contact a high-risk chemical facility or its designees to request additional information (
CISA may also collect information provided by individuals or high-risk chemical facilities in support of any adjudication requests under Subpart C of the CFATS regulation,
The information that is collected is used by CISA (1) to compare affected individuals information to known and suspected terrorists, or (2) to electronically verify and validate that the affected individual is enrolled in another DHS program that compares an
The revisions proposed in this ICR are minor revisions to the instrument that: (1) Reflect the passage of the Cybersecurity and Infrastructure Security Act of 2018, 6 U.S.C. 651-74, such as updating the Agency name to conform with the Agency's new designation as CISA; (2) increase the number of annual respondents from 72,607 respondents to 149,271 respondents; (3) increase the annual burden from 12,101 hours to 24,879 hours; (4) remove the costs associated with capital/startup costs because they are incorporated within the estimated number of respondents; and (4) update the average hourly wage rate of Site Security Officers. CISA is not proposing any revision to the scope of the instrument.
The current information collection estimates that 72,607 respondents (
The “initial respondents” are those affected individuals with existing access at a high-risk chemical facility and will be submitted by the facility after receiving authorization or approval of an SSP or ASP requiring the facility to implement measures to comply with RBPS 12(iv). “Annual respondents” are the number of respondents CISA estimates will be submitted each year by high-risk chemical facilities that have completed the initial respondent's submission and are now in the maintenance phase (
CISA has generally assumed that new facilities implementing the Personnel Surety Program for the first time as a high-risk chemical facility under CFATS will have a one-time requirement to submit information about initial respondents with existing access to the restricted areas or critical assets at the high-risk chemical facility. In the current Information Collection, this one-time cost was estimated as a startup cost. However, based on CISA's experience implementing the Personnel Surety Program, CISA has determined that the per submission burden associated with first time submissions (
In this collection, CISA will include the average number of facilities to be determined high risk for the first time in the number of annual respondents. As shown in the table below, there is, on average over the past four years, 134.5 facilities which are determined to be high-risk for the first time each year.
Since implementing the Personnel Surety Program, CISA has received information about affected individuals from 1,666 facilities, totaling 228,337 respondents, for an average of 137.1 respondents per facility.
Therefore, CISA estimates the number of annual respondents for facilities determined to be high risk for the first time by multiplying the average number of respondents per facility (137.1) by the average number of new facilities per year (134.5) for an average of 18,434 annual respondents per year.
In the current Information Collection, the annual number of respondents at high-risk chemical facilities at which the Personnel Surety Program has been implemented was estimated based on the annual hires rates for total private industry. The annual hire rate accounts for the replacement of employee separations as well as new hires. CISA is retaining this methodology. CISA applied the annual hires rate of 57.3% for total private industry, as estimated from the Bureau of Labor Statistics (BLS)
Using the methodology above, the total number of annual respondents for this collection is the sum of: (a) The number of annual respondents from first time high risk facilities (
In the current information collection, the estimated time per respondent is 10 minutes (0.1667 hours) per affected individual. This conservative estimate includes the time to edit or remove a record if a high-risk chemical facility opts to subsequently notify the CISA that an affected individual no longer has access. The current estimate also assumes that each record includes both optional and required data elements. Thus, a revision to modify which data fields are required versus optional does not increase the estimated time per response. Thus, CISA is choosing to retain an estimate of 10 minutes (0.1667 hours) per affected individual.
In the current information collection, the estimated annual burden is 12,101 hours. To estimate the annual burden hours for this collection, CISA multiplied the number of annual respondents by the estimated time burden of 0.1667 hours (10 minutes), for an estimated annual burden of 24,879 hours (
CISA provides access to the CFATS Personnel Surety Program application free of charge and assumes that each high-risk chemical facility already has access to the internet for basic business needs. As described earlier in this notice, CISA expects that all high-risk chemical facilities will have implemented the CFATS Personnel Surety Program prior to the end of CY 2021.
In the current collection, CISA assumed that new facilities implementing the Personnel Surety program for the first time as a high-risk chemical facility under CFATS will have a one-time requirement to submit information about initial respondents with existing access to the restricted areas or critical assets at the high-risk chemical facility. While this was considered a start-up cost in previous collections, for this ICR, CISA no longer considers new facilities submitting as a start-up cost, as the cost for an initial respondent does not differ from the cost of an annual respondent.
This information collection request maintains the existing assumptions found in the current information collection request with regard to activities listed in 5 CFR 1320.3(b)(1). Specifically, that 5 CFR 1320.3(b)(1) and 5 CFR 1320.8 require CISA to estimate the total time, effort, or financial resources expended by persons to generate, maintain, retain, disclose, or provide information to or for a Federal agency. Therefore, many costs (
Furthermore, CISA maintains the same assumptions found in the current information collection request with regards to estimating certain high-risk chemical facility capital costs, such as: (1) Capital costs for computer, telecommunications equipment, software, and storage to manage the data collection, submissions, and tracking; (2) capital and ongoing costs for designing, deploying, and operating information technology (IT) systems necessary to maintain the data collection, submissions, and tracking; (3) cost of training high-risk chemical facility personnel to maintain the data collection, submissions, and tracking; and (4) site security officer time to manage the data collection, submissions, and tracking. CISA continues to exclude these costs in accordance with 5 CFR 1320.3(b)(2), which directs Federal agencies to not count the costs associated with the time, effort, and financial resources incurred in the normal course of their activities (
CISA continues to exclude these usual and customary costs because the time, effort, and financial resources are costs that high-risk chemical facilities incur to conduct background checks for identity, criminal history, and legal authorization to work under 6 CFR 27.230(a)(12)(i)-(iii), and also under various other Federal, State, or local laws or regulations.
The current information collection does not have any recordkeeping costs because the recordkeeping costs, if any, to create, keep, or retain records pertaining to background checks as part of a high-risk chemical facility's SSP or ASP, are properly estimated in the recordkeeping estimates associated with the SSP Instrument under Information Collection 1670-0007. CISA retains this assumption and estimate of no recordkeeping costs.
CISA assumes that Site Security Officers (SSOs) are responsible for submitting about affected individuals. For the purpose of this notice, CISA maintains this assumption.
To estimate the total annual burden, CISA multiplied the annual burden of 24,879 hours by the average hourly wage rate of Site Security Officers of $88.48
OMB is particularly interested in comments that:
1. Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;
2. Evaluate the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used;
3. Enhance the quality, utility, and clarity of the information to be collected; and
4. Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology (