82 FR 32859 - Information Collection Request: The Department of Homeland Security, Stakeholder Engagement and Cyber Infrastructure Resilience Division (SECIR)
DEPARTMENT OF HOMELAND SECURITY Federal Register Volume 82, Issue 136 (July 18, 2017)
Federal Register Volume 82, Issue 136 (July 18, 2017)
| Page Range | 32859-32860 | |
| FR Document | 2017-15068 |
[Federal Register Volume 82, Number 136 (Tuesday, July 18, 2017)] [Notices] [Pages 32859-32860] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2017-15068] ----------------------------------------------------------------------- DEPARTMENT OF HOMELAND SECURITY [Docket No. DHS-2017-0034] Information Collection Request: The Department of Homeland Security, Stakeholder Engagement and Cyber Infrastructure Resilience Division (SECIR) AGENCY: National Protection and Programs Directorate, DHS. ACTION: 60-day notice and request for comments. ----------------------------------------------------------------------- SUMMARY: The Department of Homeland Security (DHS), National Protection and Programs Directorate (NPPD), Office of Cybersecurity and Communications (CS&C), Stakeholder Engagement & Cyber Infrastructure Resilience Division (SECIR), will submit the following Information Collection Request to the Office of Management and Budget (OMB) for review and clearance in accordance with the Paperwork Reduction Act of 1995. DATES: Comments are encouraged and will be accepted until September 18, 2017. This process is conducted in accordance with 5 CFR 1320.1. ADDRESSES: Written comments and questions about this Information Collection Request should be forwarded to DHS/NPPD/CS&C/SECIR, 4200 Wilson Blvd., Mail Stop 0412, Arlington,VA 22203-0412. Emailed requests should go to [email protected]. Written comments should reach the contact person listed no later than September 18, 2017. Comments must be identified by ``DHS-2017-0034''and may be submitted by one of the following methods:Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting written comments. Email: [email protected]. Please include the docket number DHS-2017-0034 in the subject line of the message. Instructions: All submissions received must include the words ``Department of Homeland Security'' and the docket number for this action. Comments received will be posted without alteration at http://www.regulations.gov. SUPPLEMENTARY INFORMATION: Section 227 of the Homeland Security Act authorizes the National Cybersecurity and Communications Integration Center (NCCIC) within NPPD as a ``Federal civilian interface for the multi-directional and cross-sector sharing of information related to . . . cybersecurity risks.'' 6 U.S.C. 148(c)(1). This authority applies to Federal and non-Federal entities, including the private sector, small and medium businesses, sectors of critical infrastructure, and information sharing organizations. This provision includes the authority to receive, analyze and disseminate information about cybersecurity risks and incidents and to provide guidance, assessments, incident response support, and other technical assistance upon request and codifies NPPD's coordinating role among federal and non-federal entities. 6 U.S.C. 148. As part of its information sharing responsibilities with non- Federal entities, the National Defense Authorization Act For Fiscal Year 2017 amended the Homeland Security Act to authorize the Department to specifically focus on small businesses. See Public Law 114-328 (2017). Specifically, the Act authorizes NPPD to ``leverage small business development centers to provide assistance to small business concerns by disseminating information [[Page 32860]] on cyber threat indicators, defense measures, cybersecurity risks, incidents, analyses, and warnings to help small business concerns in developing or enhancing cybersecurity infrastructure, awareness of cyber threat indicators, and cyber training programs for employees.'' 6 U.S.C. 148(l); see also 15 U.S.C. 648(g) (similarly authorizing DHS, ``and any other Federal department or agency in coordination with the Department of Homeland Security'' to ``leverage small business concerns by disseminating information relating to cybersecurity risks and other homeland security matters to help small business concerns in developing or enhancing cybersecurity infrastructure, awareness of cyber threat indicators, and cyber training programs for employees''). Consistent with these authorities, E.O. 13636 directs the Department to increase its cybersecurity information sharing efforts with the private sector and consult on and promote the National Institute of Standards and Technology (NIST) Cybersecurity Framework. To facilitate the Department's promotion of the NIST Cybersecurity Framework, the E.O. directs the Secretary to establish a voluntary program to support the adoption of the Framework in coordination with Sector Specific Agencies, which in turn ``shall coordinate with Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.'' E.O. No. 13636, 78 FR 11739 (2013). Accordingly, the Information Technology (IT) Sector, represented by industry via the IT Sector Coordinating Council (SCC) and by Government via the IT Government Coordinating Council (GCC), established the IT Sector Small and Midsized Business (SMB) Cybersecurity Best Practices Working Group (``Working Group'') to develop best practices for implementing the NIST Cybersecurity Framework in the SMB community. The Working Group, which consists of industry and government representatives, developed the SMB Cybersecurity Survey to determine Return on Investment (ROI) metrics for NIST Cybersecurity Framework adoption among SMB stakeholders. This process will assess the effectiveness of the NIST Cybersecurity Framework. This process will also establish a baseline for ROI metrics, which have not previously existed in the SMB community. The IT Sector-Specific Agency (SSA), headquartered in DHS CS&C, is supporting the Working Group's survey development. DHS is not administering, controlling or soliciting the collection of the information via the survey. The IT SCC will administer the survey and anonymize the data, which will then be sent to DHS for analysis. DHS is not administering or soliciting the collection of information via the survey. The analysis will determine ROI information for NIST Cybersecurity Framework adoption in the SMB community. The results of this analysis will be used to provide the SMB community with best practices on how to use the Cybersecurity Framework for business protection and risk management. The questionnaire will be distributed to SMBs and is a two-part survey. Questions 1-11 of the survey are for an organization's leadership, as these questions pertain to high level information about the company (core function, number of employees, etc.). The remaining questions are intended for the Chief Information Services Officer (CISO) and/or appropriate IT staff, as these questions are technical and ask about the IT security of the company. The private sector will collect Point of Contact (POC) information through the survey instrument, but will not include that information on the anonymized dataset they submit to DHS. DHS will use anonymized data to conduct their analysis. The IT SCC will administer the survey. The intent is for DHS to only receive derivative products-- anonymized micro-dataset to come up with the summary statistics, or aggregated summary results. The IT SCC will conduct the actual data collection. DHS will aid with the statistical analysis where needed, but would not be working with the individual responses to the questionnaire. Even if the POC question does get included in the questionnaire, DHS would not be collecting or retaining PII. Once the survey is administered by the private sector partners of the IT SCC to the member organizations, the collected raw inputs will be compiled and the resulting dataset will be processed by the private sector partners to (a) assign unique random identifiers to each of the responses, (b) scrub any PII from the microdata, (c) QA against the raw input. These processing steps (a-c) will be implemented PRIOR to handing the dataset to DHS for statistical analysis. This survey represents a new collection. OMB is particularly interested in comments that: 1. Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility; 2. Evaluate the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used; 3. Enhance the quality, utility, and clarity of the information to be collected; and 4. Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submissions of responses. Analysis Agency: Department of Homeland Security, National Protection and Programs Directorate, Office of Cybersecurity and Communications, Stakeholder Engagement & Cyber Infrastructure Resilience Division. Title: The Department of Homeland Security, Stakeholder Engagement & Cyber Infrastructure Resilience Division. OMB Number: 1670--NEW. Frequency: Once every five years. Affected Public: Private sector, Small & Midsize Business (SMB). Number of Respondents: 1,000 annually. Estimated Time per Respondent: 30 minutes. Total Burden Hours: 500 annual burden hours. Total Burden Cost (capital/startup): $0. Total Recordkeeping Burden: $0. Total Burden Cost (operating/maintaining): $0. Dated: July 12, 2017. David Epperson, Chief Information Officer. [FR Doc. 2017-15068 Filed 7-17-17; 8:45 am] BILLING CODE 9110-9P-P
![Federal Register / Vol. 82, No. 136 / Tuesday, July 18, 2017 / Notices 32859
• Federal eRulemaking Portal: http:// 3. Enhance the quality, utility, and clarity accordance with the Paperwork
www.regulations.gov. of the information to be collected; and Reduction Act of 1995.
• Email: info@us-cert.gov Include the 4. Minimize the burden of the collection of
DATES: Comments are encouraged and
docket number ‘‘DHS–2017–0032’’ in information on those who are to respond,
including through the use of appropriate will be accepted until September 18,
the subject line of the message. 2017. This process is conducted in
automated, electronic, mechanical, or other
Instructions: All submissions received accordance with 5 CFR 1320.1.
technological collection techniques or other
must include the words ‘‘Department of forms of information technology, e.g., ADDRESSES: Written comments and
Homeland Security’’ and the docket permitting electronic submissions of questions about this Information
number for this action. Comments responses. Collection Request should be forwarded
received will be posted without to DHS/NPPD/CS&C/SECIR, 4200
alteration at http://www.regulations.gov, Analysis
Wilson Blvd., Mail Stop 0412,
including any personal information Agency: Department of Homeland Arlington,VA 22203–0412. Emailed
provided. Security, National Protection and requests should go to nppd-prac@
SUPPLEMENTARY INFORMATION: US–CERT Programs Directorate, Office of HQ.DHS.GOV. Written comments
is responsible for performing, Cybersecurity and Communications, should reach the contact person listed
coordinating, and supporting response National Cybersecurity and no later than September 18, 2017.
to information security incidents, which Communications Integration Center, Comments must be identified by ‘‘DHS–
may originate outside the Federal United States Computer Emergency 2017–0034’’and may be submitted by
community and affect users within it, or Readiness Team. one of the following methods:
originate within the Federal community Title: Clearance for the Collection of • Federal eRulemaking Portal: http://
and affect users outside of it. Often, Routine Feedback through US- www.regulations.gov. Follow the
therefore, the effective handling of CERT.gov. instructions for submitting written
security incidents relies on information OMB Number: 1670—NEW. comments.
sharing among individual users, Frequency: Ongoing. • Email: nppd-prac@HQ.DHS.GOV.
industry, and the Federal Government, Affected Public: Voluntary Please include the docket number DHS–
which may be facilitated by and through respondents. 2017–0034 in the subject line of the
US–CERT. Number of Respondents: 126,325 message.
US–CERT fulfills the role of the respondents (estimate). Instructions: All submissions received
Federal information security incident Estimated Time per Respondent: 3 must include the words ‘‘Department of
center for the United States Federal minutes. Homeland Security’’ and the docket
Government as defined in the Federal Total Burden Hours: 6,140 annual number for this action. Comments
Information Security Modernization Act burden hours. received will be posted without
of 2014. Each Federal agency is required Total Burden Cost (capital/startup): alteration at http://www.regulations.gov.
to notify and consult with US–CERT $0. SUPPLEMENTARY INFORMATION: Section
regarding information security incidents Total Recordkeeping Burden: $0.
227 of the Homeland Security Act
involving the information and Total Burden Cost (operating/
authorizes the National Cybersecurity
information systems (managed by a maintaining): $0.
and Communications Integration Center
Federal agency, contractor, or other David Epperson, (NCCIC) within NPPD as a ‘‘Federal
source) that support the operations and Chief Information Officer. civilian interface for the multi-
assets of the agency. Additional entities [FR Doc. 2017–15067 Filed 7–17–17; 8:45 am] directional and cross-sector sharing of
report incident information to US–CERT information related to . . .
BILLING CODE 4410–10–P
voluntarily. cybersecurity risks.’’ 6 U.S.C. 148(c)(1).
Per the Federal Information Security This authority applies to Federal and
Modernization Act of 2014, as codified DEPARTMENT OF HOMELAND non-Federal entities, including the
in subchapter II of chapter 35 of title 44 SECURITY private sector, small and medium
of the United States Code, US–CERT businesses, sectors of critical
must inform operators of agency [Docket No. DHS–2017–0034] infrastructure, and information sharing
information systems about current and organizations. This provision includes
potential information security threats Information Collection Request: The
Department of Homeland Security, the authority to receive, analyze and
and vulnerabilities. Per the Homeland disseminate information about
Security Act, as amended, the NCCIC, of Stakeholder Engagement and Cyber
Infrastructure Resilience Division cybersecurity risks and incidents and to
which US–CERT and ICS–CERT are a provide guidance, assessments, incident
part, is required to be the Federal (SECIR)
response support, and other technical
civilian interface for sharing AGENCY: National Protection and assistance upon request and codifies
cybersecurity risks, incidents, analysis, Programs Directorate, DHS. NPPD’s coordinating role among federal
and warnings for federal and non- and non-federal entities. 6 U.S.C. 148.
ACTION: 60-day notice and request for
Federal entities. As part of its information sharing
OMB is particularly interested in comments.
responsibilities with non-Federal
comments that: SUMMARY: The Department of Homeland entities, the National Defense
1. Evaluate whether the proposed Security (DHS), National Protection and Authorization Act For Fiscal Year 2017
collection of information is necessary for the Programs Directorate (NPPD), Office of amended the Homeland Security Act to
sradovich on DSK3GMQ082PROD with NOTICES
proper performance of the functions of the Cybersecurity and Communications authorize the Department to specifically
agency, including whether the information (CS&C), Stakeholder Engagement & focus on small businesses. See Public
will have practical utility;
2. Evaluate the accuracy of the agency’s
Cyber Infrastructure Resilience Division Law 114–328 (2017). Specifically, the
estimate of the burden of the proposed (SECIR), will submit the following Act authorizes NPPD to ‘‘leverage small
collection of information, including the Information Collection Request to the business development centers to
validity of the methodology and assumptions Office of Management and Budget provide assistance to small business
used; (OMB) for review and clearance in concerns by disseminating information
VerDate Sep<11>2014 17:47 Jul 17, 2017 Jkt 241001 PO 00000 Frm 00075 Fmt 4703 Sfmt 4703 E:\FR\FM\18JYN1.SGM 18JYN1](https://thefederalregister.org/doc/82_FR_32995/page/1.svg)
![32860 Federal Register / Vol. 82, No. 136 / Tuesday, July 18, 2017 / Notices
on cyber threat indicators, defense headquartered in DHS CS&C, is OMB is particularly interested in
measures, cybersecurity risks, incidents, supporting the Working Group’s survey comments that:
analyses, and warnings to help small development. 1. Evaluate whether the proposed
business concerns in developing or DHS is not administering, controlling collection of information is necessary for the
enhancing cybersecurity infrastructure, or soliciting the collection of the proper performance of the functions of the
awareness of cyber threat indicators, information via the survey. The IT SCC agency, including whether the information
and cyber training programs for will administer the survey and will have practical utility;
employees.’’ 6 U.S.C. 148(l); see also 15 anonymize the data, which will then be 2. Evaluate the accuracy of the agency’s
U.S.C. 648(g) (similarly authorizing sent to DHS for analysis. DHS is not estimate of the burden of the proposed
DHS, ‘‘and any other Federal collection of information, including the
administering or soliciting the
validity of the methodology and assumptions
department or agency in coordination collection of information via the survey. used;
with the Department of Homeland The analysis will determine ROI 3. Enhance the quality, utility, and clarity
Security’’ to ‘‘leverage small business information for NIST Cybersecurity of the information to be collected; and
concerns by disseminating information Framework adoption in the SMB 4. Minimize the burden of the collection of
relating to cybersecurity risks and other community. The results of this analysis information on those who are to respond,
homeland security matters to help small will be used to provide the SMB including through the use of appropriate
business concerns in developing or community with best practices on how automated, electronic, mechanical, or other
enhancing cybersecurity infrastructure, to use the Cybersecurity Framework for technological collection techniques or other
awareness of cyber threat indicators, forms of information technology, e.g.,
business protection and risk
and cyber training programs for permitting electronic submissions of
management. responses.
employees’’). The questionnaire will be distributed
Consistent with these authorities, E.O. to SMBs and is a two-part survey. Analysis
13636 directs the Department to Questions 1–11 of the survey are for an
increase its cybersecurity information Agency: Department of Homeland
organization’s leadership, as these Security, National Protection and
sharing efforts with the private sector questions pertain to high level
and consult on and promote the Programs Directorate, Office of
information about the company (core Cybersecurity and Communications,
National Institute of Standards and function, number of employees, etc.).
Technology (NIST) Cybersecurity Stakeholder Engagement & Cyber
The remaining questions are intended Infrastructure Resilience Division.
Framework. To facilitate the for the Chief Information Services
Department’s promotion of the NIST Title: The Department of Homeland
Officer (CISO) and/or appropriate IT Security, Stakeholder Engagement &
Cybersecurity Framework, the E.O. staff, as these questions are technical
directs the Secretary to establish a Cyber Infrastructure Resilience Division.
and ask about the IT security of the OMB Number: 1670—NEW.
voluntary program to support the
company. Frequency: Once every five years.
adoption of the Framework in
The private sector will collect Point of Affected Public: Private sector, Small
coordination with Sector Specific
Contact (POC) information through the & Midsize Business (SMB).
Agencies, which in turn ‘‘shall Number of Respondents: 1,000
survey instrument, but will not include
coordinate with Sector Coordinating
that information on the anonymized annually.
Councils to review the Cybersecurity Estimated Time per Respondent: 30
Framework and, if necessary, develop dataset they submit to DHS. DHS will
use anonymized data to conduct their minutes.
implementation guidance or Total Burden Hours: 500 annual
supplemental materials to address analysis. The IT SCC will administer the
survey. burden hours.
sector-specific risks and operating Total Burden Cost (capital/startup):
environments.’’ E.O. No. 13636, 78 FR The intent is for DHS to only receive
derivative products—anonymized $0.
11739 (2013). Total Recordkeeping Burden: $0.
Accordingly, the Information micro-dataset to come up with the
summary statistics, or aggregated Total Burden Cost (operating/
Technology (IT) Sector, represented by maintaining): $0.
industry via the IT Sector Coordinating summary results. The IT SCC will
Council (SCC) and by Government via conduct the actual data collection. DHS Dated: July 12, 2017.
the IT Government Coordinating will aid with the statistical analysis David Epperson,
Council (GCC), established the IT Sector where needed, but would not be Chief Information Officer.
Small and Midsized Business (SMB) working with the individual responses [FR Doc. 2017–15068 Filed 7–17–17; 8:45 am]
Cybersecurity Best Practices Working to the questionnaire. Even if the POC BILLING CODE 9110–9P–P
Group (‘‘Working Group’’) to develop question does get included in the
best practices for implementing the questionnaire, DHS would not be
NIST Cybersecurity Framework in the collecting or retaining PII. DEPARTMENT OF HOMELAND
SMB community. The Working Group, Once the survey is administered by SECURITY
which consists of industry and the private sector partners of the IT SCC
government representatives, developed to the member organizations, the Transportation Security Administration
the SMB Cybersecurity Survey to collected raw inputs will be compiled
determine Return on Investment (ROI) and the resulting dataset will be Intent To Request Approval From OMB
metrics for NIST Cybersecurity processed by the private sector partners of One New Public Collection of
to (a) assign unique random identifiers Information: Military Severely Injured
sradovich on DSK3GMQ082PROD with NOTICES
Framework adoption among SMB
stakeholders. This process will assess to each of the responses, (b) scrub any Joint Support Operations Center
the effectiveness of the NIST PII from the microdata, (c) QA against (MSIJSOC) and Travel Protocol Office
Cybersecurity Framework. This process the raw input. These processing steps (TPO) Programs
will also establish a baseline for ROI (a–c) will be implemented PRIOR to AGENCY: Transportation Security
metrics, which have not previously handing the dataset to DHS for Administration, DHS.
existed in the SMB community. The IT statistical analysis. This survey
ACTION: 60-Day notice.
Sector-Specific Agency (SSA), represents a new collection.
VerDate Sep<11>2014 17:47 Jul 17, 2017 Jkt 241001 PO 00000 Frm 00076 Fmt 4703 Sfmt 4703 E:\FR\FM\18JYN1.SGM 18JYN1](https://thefederalregister.org/doc/82_FR_32995/page/2.svg)
Document Created: 2018-10-24 11:24:20
Document Modified: 2018-10-24 11:24:20
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Notices | |
| Action | 60-day notice and request for comments. | |
| Dates | Comments are encouraged and will be accepted until September 18, 2017. This process is conducted in accordance with 5 CFR 1320.1. | |
| FR Citation | 82 FR 32859 |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR