Quiero saber acerca de...

lotter on DSK11XQN23PROD with NOTICES1

48240

Federal Register / Vol. 86, No. 164 / Friday, August 27, 2021 / Notices
the pipeline industry and government stakeholders.
Through this engagement, TSA is also able to establish and maintain productive working relationships with key pipeline security personnel. This engagement and access to pipeline facilities also enables TSA to identify and share smart security practices observed at one facility to help enhance and improve the security of the pipeline industry. As a result, participation in the voluntary PCSR program enhances pipeline security at both specific facilities and across the industry.
TSA has developed a Question Set to aid in the conducting of PCSRs. The PCSR Question Set structures the TSAowner/operator discussion and is the central data source for the security information TSA collects. TSA
developed the PCSR Question Set based on input from government and industry stakeholders on how best to obtain relevant information from a pipeline owner/operator about its security plan and processes. The questions are designed to examine the companys current state of security, as well as to address measures that are applied if there is a change in the National Terrorism Advisory System. The PCSR
Question Set also includes sections for facility site visits and owner/operator contact information. By asking questions related to specific topics such as security program management, vulnerability assessments, components of the security plan, security training, and emergency communications, TSA
is able to assess the strength of owner/
operators physical security, cyber security, emergency communication capabilities, and security training.
This PCSR information collection provides TSA with real-time information on a companys security posture. The relationships these face-toface contacts foster are critical to the Federal governments ability to reach out to the pipeline stakeholders affected by the PCSRs. In addition, TSA follows up via email with owner/operators on specific recommendations made by TSA
during the PCSR.
When combined with information from other companies across the sector, TSA can identify and develop recommended smart practices and security recommendations for the pipeline mode. This information allows TSA to adapt programs to the changing security threat, while incorporating an understanding of the improvements owners/operators make in their security measures. Without this information, the ability of TSA to perform its security mission would be severely hindered.

VerDate Sep<11>2014

17:52 Aug 26, 2021

Jkt 253001

Establishing Compliance With Mandatory Requirements Emergency Revision While the above listed collections are voluntary, on July 15, 2021, OMB
approved TSAs request for an emergency revision of this information collection, allowing for the institution of mandatory requirements. See ICR
Reference Number: 2021071652002.
TSA is now seeking renewal of this information collection for the maximum three-year approval period.
The revision was necessary as a result of actions TSA took to address the ongoing cybersecurity threat to pipeline systems and associated infrastructure.
On July 19, 2021, TSA issued a Security Directive SD applicable to owners/
operators of critical hazardous liquid and natural pipelines and liquefied natural gas facilities.8 These owners/
operators are required to develop and adopt a Cybersecurity Contingency/
Response Plan to ensure the resiliency of their operations in the event of a cybersecurity attack. Owners/operators must provide evidence of compliance to TSA upon request. In addition, owner/
operators are required to have a thirdparty complete an evaluation of their industrial control system design and architecture to identify previously unrecognized vulnerabilities. This evaluation must include a written report detailing the results of the evaluation and the acceptance or rejection of any recommendations provided by the evaluator to address vulnerabilities.
This written report must be made available to TSA upon request and retained for no less than 2 years from the date of completion. Finally, within 7 days of each deadline set forth in the SD, owner/operators must ensure that their Cybersecurity Coordinator or other accountable executive submits a statement to TSA via email certifying that the owner/operator has met the requirements of the SD. For convenience, TSA will provide an optional form TSA Security Directive Pipeline 202102 Statement of Completion for each submission 8 On May 28, 2021, TSA issued another SD which included three information collections. OMB
control number 16520055, includes two of these information collections, requiring owner/operators to report cybersecurity incidents to CISA, and to designate a Cybersecurity Coordinator, who is required to be available to the TSA 24/7 to coordinate cybersecurity practices and address any incidents that arise, and who must submit contact information to TSA. OMB control number 1652
0050 contains the remaining information collection, requiring owner/operators to conduct a cybersecurity assessment, to address cyber risk, and identify remediation measures that will be taken to fill those gaps and a time frame for achieving those measures.

PO 00000

Frm 00127

Fmt 4703

Sfmt 9990

deadline that owner/operators can complete and submit via email. This form is Sensitive Security Information SSI and will only be shared with the owner/operators and others with the need to know. TSA requires that certifications be made in a timely way.
Documentation of compliance must be provided upon request.
Portions of PCSR responses that are deemed SSI are protected in accordance with procedures meeting the transmission, handling, and storage requirements of SSI set forth in parts 15
and 1520 of title 49, Code of Federal Regulations CFR. Information developed and submitted pursuant to TSAs SD is also SSI.
The annual hour burden for the voluntary information collection is estimated to be 220 hours based upon 20 PCSR visits per year, each lasting a total of eight hours and the follow-up regarding security recommendations, lasting up to three hours, 20 8 = 160
hours + 20 3 = 60 hours = 220
hours.
For the mandatory information collection, TSA estimates a total of 97
owner/operators will provide the responses for the Cybersecurity Contingency/Response Plan; ThirdParty Evaluation; and Certification of Completion. TSA estimates the total annual burden hours for the mandatory collection to be 12,610 hours.
TSA estimates that it will take approximately 80 hours to complete the response for the Cybersecurity Contingency/Response Plan, totaling 7,760 hours 97 respondents 80 hours = 7,760 hours. In addition, TSA
estimates that it will require approximately 42 hours to complete the Third-Party Evaluation, totaling 4,074
hours 97 respondents 42 hours =
4,074 hours. Finally, TSA estimates that it will take eight 8 hours to complete the Certification of completion of SD requirements, totaling 776 hours 97 respondents 8 hours = 776 hours.
Thus, the total annual burden hours for the mandatory collection is 12,610
hours 7,760 + 4,074 + 776 = 12,610.
TSA estimates the total respondents for the information collection is 97 and the combined annual burden hours for the voluntary and mandatory collections are 12,830 hours 220 + 7,760 + 4,074
+ 776 = 12,830.
Dated: August 24, 2021.
Christina A. Walsh, TSA Paperwork Reduction Act Officer, Information Technology.
FR Doc. 202118533 Filed 82621; 8:45 am BILLING CODE 911005P

E:FRFM27AUN1.SGM

27AUN1