The U.S. Department of Homeland Security (DHS), through the Cybersecurity and Infrastructure Security Agency (CISA), moved forward with a proposed information collection request (ICR) for its voluntary ChemLock program, which helps facilities handling hazardous chemicals strengthen security measures and reduce risk. Published as a 30-day notice in the Federal Register on Tuesday under the Paperwork Reduction Act, the proposal will be submitted to the Office of Management and Budget (OMB) for review and clearance. CISA said the information collection is intended to consolidate and clarify data gathering across existing ChemLock services while also enabling an additional service offering under the program.
While some ChemLock services are currently available leveraging other approved information collections, this ICR, when approved, will allow for an additional ChemLock service. CISA proposes three instruments within this information collection, including ChemLock Request for Services, ChemLock Service Registration and Preparation, and ChemLock Service Feedback.
The instrument collects basic contact information from individuals requesting a ChemLock service, such as security consultations, technical consultations, onsite assessments and assistance, exercises and drills, training courses, access to other tailored resources, and risk assessments. In addition, the instrument will collect facility identifying information, facility description information, and information about the chemicals present at the facility.
The agency noted that it had previously sought public input through a 60-day notice published in December 2024 and received no comments.
As the Sector Risk Management Agency for the chemical sector, CISA said ChemLock supports critical infrastructure owners and operators through voluntary security assistance related to facilities that handle hazardous chemicals. The agency is accepting comments on the proposed information collection through July 2, 2026, and emphasized that submissions containing protected information, including Chemical-terrorism Vulnerability Information, Sensitive Security Information, or Protected Critical Infrastructure Information, should not be filed through the public docket.
The latest notice is part of the agency’s effort to formalize and standardize information collection associated with ChemLock service requests, registrations, preparation activities, and feedback collection.
“This instrument collected information to enable the ChemLock services, which need additional information to be performed. The ChemLock services, which need additional information to be performed, are security consultations, onsite assessments and assistance, and risk assessments,” Winfield P. Werntz, acting chief information officer at the agency, detailed in the Federal Register notice. “This instrument will collect information related to feedback about ChemLock-related services, such as which ChemLock service was provided and when, program outcomes, satisfaction, and performance of the staff involved in providing the ChemLock service.”
Werntz said that the proposed information collection would affect state, local, Tribal, and territorial governments, as well as private-sector entities. For one component of the collection, CISA estimates 450 respondents, with each response requiring approximately 0.25 hour to complete. The agency projects a total annual burden of 112.5 hours and an annual burden cost of $10,838.06, with no capital, startup, or recordkeeping costs.
For the ChemLock Service Registration and Preparation instrument, CISA estimates 300 respondents from state, local, Tribal, and territorial governments and the private sector. Responses would be submitted on an ‘on occasion’ or ‘other’ basis, with each respondent spending an estimated 3.17 hours completing the requirements. The agency projects a total annual burden of 952 hours and an annual burden cost of $91,714.10, with no associated capital, startup, or recordkeeping expenses.
For the ChemLock Service Feedback instrument, CISA estimates 225 respondents from the same stakeholder groups. Responses would also be collected on an ‘on occasion’ or ‘other’ basis, with each respondent spending approximately 0.25 hour providing feedback. The agency estimates a total annual burden of 56.26 hours and an annual burden cost of $5,419.03, with no capital, startup, or recordkeeping costs.
The CISA also launched a study to evaluate the implementation and effectiveness of the State and Local Cybersecurity Grant Program (SLCGP) this week. The study will collect quantitative and qualitative feedback to assess how state, local, and territorial (SLT) governments use the program and approach cybersecurity planning and implementation. The effort was announced through a 60-day notice and request for comments published as part of a new ICR.
