82 FR 60026 - The Department of Homeland Security, Stakeholder Engagement & Cyber Infrastructure Resilience Division (SECIR)
DEPARTMENT OF HOMELAND SECURITY Federal Register Volume 82, Issue 241 (December 18, 2017)
Federal Register Volume 82, Issue 241 (December 18, 2017)
| Page Range | 60026-60027 | |
| FR Document | 2017-27114 |
[Federal Register Volume 82, Number 241 (Monday, December 18, 2017)] [Notices] [Pages 60026-60027] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2017-27114] ======================================================================= ----------------------------------------------------------------------- DEPARTMENT OF HOMELAND SECURITY The Department of Homeland Security, Stakeholder Engagement & Cyber Infrastructure Resilience Division (SECIR) AGENCY: National Protection and Programs Directorate (NPPD), Department of Homeland Security (DHS). ACTION: 30-Day notice and request for comments; new information collection request: 1670--NEW. ----------------------------------------------------------------------- SUMMARY: The DHS NPPD Office of Cybersecurity and Communications (CS&C), SECIR, will submit the following information collection request (ICR) to the Office of Management and Budget (OMB) for review and clearance in accordance with the Paperwork Reduction Act of 1995. DHS previously published this ICR in the Federal Register on Tuesday, July 18, 2017 at 82 FR 32859 for a 60-day public comment period. Ten comments from two commenters were received by DHS. The purpose of this notice is to allow an additional 30 days for public comments. DATES: Comments are encouraged and will be accepted until January 17, 2018. This process is conducted in accordance with 5 CFR part 1320. ADDRESSES: Interested persons are invited to submit written comments on the proposed information collection to the Office of Information and Regulatory Affairs, OMB. You may send comments, identified by the words ``Department of Homeland Security'' and ``OMB Control Number 1670--NEW (IT Sector Survey)'', by: [cir] Email: [email protected]. Include ``Department of Homeland Security'' and ``OMB Control Number 1670--NEW (IT Sector Survey)'' in the subject line of the message. Instructions: Comments submitted in response to this notice may be made available to the public through relevant websites. For this reason, please do not include in your comments information of a confidential nature, such as sensitive personal information or proprietary information. If you send an email comment, your email address will be automatically captured and included as part of the comment that is placed in the public docket and made available on the internet. Please note that responses to this public comment request containing any routine notice about the confidentiality of the communication will be treated as public comments that may be made available to the public notwithstanding the inclusion of the routine notice. FOR FURTHER INFORMATION CONTACT: For specific questions related to collection activities, please contact Reggie McKinney at 703-705-6277 or at [email protected]. SUPPLEMENTARY INFORMATION: Section 227 of the Homeland Security Act of 2002 authorizes the National Cybersecurity and Communications Integration Center (NCCIC) within NPPD as a ``Federal civilian interface for the multi-directional and cross-sector sharing of information related to . . . cybersecurity risks.'' 6 U.S.C. 148(c)(1). This authority applies to Federal and non-Federal entities, including the private sector, small and medium businesses, sectors of critical infrastructure, and information sharing organizations. This provision includes the authority to receive, analyze and disseminate information about cybersecurity risks and incidents and to provide guidance, assessments, incident response support, and other technical assistance upon request and codifies NPPD's coordinating role among Federal and non-Federal entities. 6 U.S.C. 148. As part of its information sharing responsibilities with non- Federal entities, the National Defense Authorization Act For Fiscal Year 2017 (NDAA) amended the Homeland Security Act to authorize the Department to specifically focus on small businesses. See Public Law 114-328 (2016). Specifically, the NDAA authorizes NPPD, through the Secretary, to ``leverage small business development centers to provide assistance to small business concerns by disseminating information on cyber threat indicators, defense measures, cybersecurity risks, incidents, analyses, and warnings to help small business concerns in developing or enhancing cybersecurity infrastructure, awareness of cyber threat indicators, and cyber training programs for employees.'' See 6 U.S.C. 148(l)(1); see also 15 U.S.C. 648(a)(8)(A) (similarly authorizing DHS ``and any other Federal department or agency in coordination with the Department of Homeland Security'' to ``leverage small business concerns by disseminating information relating to cybersecurity risks and other homeland security matters to help small business concerns in developing or enhancing cybersecurity infrastructure, awareness of cyber threat indicators, and cyber training programs for employees''). Consistent with these authorities, E.O. 13636 directs the Department to increase its cybersecurity information sharing efforts with the private sector and consult on and promote the National Institute of Standards and Technology (NIST) Cybersecurity Framework. To facilitate the Department's promotion of the NIST Cybersecurity Framework, the E.O. directs the Secretary to establish a voluntary program to support the adoption of the Framework in coordination with Sector Specific Agencies, which in turn ``shall coordinate with Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.'' E.O. 13636, 78 FR 11739 (2013). [[Page 60027]] Accordingly, the Information Technology (IT) Sector, represented by industry via the IT Sector Coordinating Council (SCC) and by government via the IT Government Coordinating Council (GCC), established the IT Sector Small and Midsized Business (SMB) Cybersecurity Best Practices Working Group (``Working Group'') to develop best practices for implementing the NIST Cybersecurity Framework in the SMB community. The Working Group, which consists of industry and government representatives, developed the SMB Cybersecurity Survey to determine return on investment (ROI) metrics for NIST Cybersecurity Framework adoption among SMB stakeholders. This process will assess the effectiveness of the NIST Cybersecurity Framework. This process will also establish a baseline for ROI metrics, which have not previously existed in the SMB community. The IT Sector-Specific Agency (SSA), headquartered in DHS NPPD CS&C, is supporting the Working Group's survey development. DHS is not administering, controlling or soliciting the collection of the information via the survey. The IT SCC will administer the survey and anonymize the data, which will then be sent to DHS for analysis. As part of the survey process, the IT SCC will collect point of contact (POC) information but will not include that information on the anonymized dataset they submit to DHS. As specified in more detail below, the IT SCC will not only anonymize the data but will also remove any personally identifiable information (PII) from the data prior to transmitting to DHS. DHS will aid with the statistical analysis where needed, but would not be working with the individual responses to the questionnaire. The questionnaire will be distributed to SMBs and is a two-part survey. Questions 1-11 of the survey are for an organization's leadership, as these questions pertain to high level information about the company (core function, number of employees, etc.). The remaining questions are intended for the Chief Information Security Officer (CISO) or appropriate IT staff, as these questions are technical and ask about the IT security of the company. As identified above, once the survey is administered by the private sector partners of the IT SCC to the member organizations, the private sector partners of the IT SCC will compile the collected raw inputs and will (a) assign unique random identifiers to each of the responses, (b) scrub any PII from the microdata, (c) conduct quality assurance against the raw input. These processing steps (a-c) will be implemented PRIOR to transmitting the resulting dataset to DHS for statistical analysis. This survey represents a new collection. DHS will use anonymized data to conduct their analysis. The intent is for DHS to only receive derivative products--anonymized micro- dataset to come up with the summary statistics, or aggregated summary results. The analysis will determine ROI information for NIST Cybersecurity Framework adoption in the SMB community. The results of this analysis will be available to the SMB community to develop best practices on how to use the Cybersecurity Framework for business protection and risk management. OMB is particularly interested in comments that: 1. Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility; 2. Evaluate the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used; 3. Enhance the quality, utility, and clarity of the information to be collected; and 4. Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submissions of responses. Title of Collection: The Department of Homeland Security, Stakeholder Engagement & Cyber Infrastructure Resilience Division. OMB Control Number: 1670--NEW. Frequency: Once every five years. Affected Public: Private sector, Small & Midsize Businesses. Number of Respondents: 1,000 annually. Estimated Time per Respondent: 30 minutes. Total Burden Hours: 500 annual burden hours. Total Burden Cost (capital/startup): $0. Total Recordkeeping Burden: $0. Total Burden Cost (operating/maintaining): $0. David Epperson, Chief Information Officer. [FR Doc. 2017-27114 Filed 12-15-17; 8:45 am] BILLING CODE 9110-9P-P
![60026 Federal Register / Vol. 82, No. 241 / Monday, December 18, 2017 / Notices
applications, the disclosure of which following information collection request businesses, sectors of critical
would constitute a clearly unwarranted (ICR) to the Office of Management and infrastructure, and information sharing
invasion of personal privacy. Budget (OMB) for review and clearance organizations. This provision includes
Name of Committee: National Institute of in accordance with the Paperwork the authority to receive, analyze and
Child Health and Human Development Initial Reduction Act of 1995. DHS previously disseminate information about
Review Group; Population Sciences published this ICR in the Federal cybersecurity risks and incidents and to
Subcommittee. Register on Tuesday, July 18, 2017 at 82 provide guidance, assessments, incident
Date: February 9, 2017. FR 32859 for a 60-day public comment response support, and other technical
Time: 8:00 a.m. to 5:00 p.m. period. Ten comments from two assistance upon request and codifies
Agenda: To review and evaluate grant commenters were received by DHS. The NPPD’s coordinating role among Federal
applications. purpose of this notice is to allow an
Place: Residence Inn Bethesda, 7335
and non-Federal entities. 6 U.S.C. 148.
Wisconsin Avenue, Bethesda, MD 20814.
additional 30 days for public comments. As part of its information sharing
Contact Person: Minki Chatterji, Scientific DATES: Comments are encouraged and responsibilities with non-Federal
Review Officer, Scientific Review Branch, will be accepted until January 17, 2018. entities, the National Defense
Eunice Kennedy Shriver National Institute of This process is conducted in accordance Authorization Act For Fiscal Year 2017
Child Health and Human Development, NIH, with 5 CFR part 1320. (NDAA) amended the Homeland
DHHS, 6710B Rockledge Drive, Rm. 2121D, ADDRESSES: Interested persons are Security Act to authorize the
Bethesda, MD 20892–7501, 301–827–5435,
minki.chatterji@nih.gov.
invited to submit written comments on Department to specifically focus on
the proposed information collection to small businesses. See Public Law 114–
Name of Committee: National Institute of
Child Health and Human Development the Office of Information and Regulatory 328 (2016). Specifically, the NDAA
Special Emphasis Panel; Archiving and Affairs, OMB. You may send comments, authorizes NPPD, through the Secretary,
Documenting Child Health and Human identified by the words ‘‘Department of to ‘‘leverage small business
Development Data Sets. Homeland Security’’ and ‘‘OMB Control development centers to provide
Date: February 9, 2018. Number 1670—NEW (IT Sector assistance to small business concerns by
Time: 8:00 a.m. to 5:00 p.m. Survey)’’, by: disseminating information on cyber
Agenda: To review and evaluate grant Æ Email: dhsdeskofficer@ threat indicators, defense measures,
applications. omb.eop.gov. Include ‘‘Department of cybersecurity risks, incidents, analyses,
Place: Residence Inn Bethesda, 7335 Homeland Security’’ and ‘‘OMB Control and warnings to help small business
Wisconsin Avenue, Bethesda, MD 20814.
Number 1670—NEW (IT Sector concerns in developing or enhancing
Contact Person: Minki Chatterji, Scientific
Review Officer, Scientific Review Branch, Survey)’’ in the subject line of the cybersecurity infrastructure, awareness
Eunice Kennedy Shriver National Institute of message. of cyber threat indicators, and cyber
Child Health and Human Development, NIH, Instructions: Comments submitted in training programs for employees.’’ See 6
DHHS, 6710B Rockledge Drive, Rm. 2121D, response to this notice may be made U.S.C. 148(l)(1); see also 15 U.S.C.
Bethesda, MD 20892–7501, 301–827–5435, available to the public through relevant 648(a)(8)(A) (similarly authorizing DHS
minki.chatterji@nih.gov. websites. For this reason, please do not ‘‘and any other Federal department or
(Catalogue of Federal Domestic Assistance include in your comments information agency in coordination with the
Program Nos. 93.864, Population Research; of a confidential nature, such as Department of Homeland Security’’ to
93.865, Research for Mothers and Children; sensitive personal information or ‘‘leverage small business concerns by
93.929, Center for Medical Rehabilitation proprietary information. If you send an disseminating information relating to
Research; 93.209, Contraception and email comment, your email address will
Infertility Loan Repayment Program, National
cybersecurity risks and other homeland
be automatically captured and included security matters to help small business
Institutes of Health, HHS)
as part of the comment that is placed in concerns in developing or enhancing
Dated: December 12, 2017. the public docket and made available on cybersecurity infrastructure, awareness
Michelle Trout, the internet. Please note that responses of cyber threat indicators, and cyber
Program Analyst, Office of Federal Advisory to this public comment request training programs for employees’’).
Committee Policy. containing any routine notice about the Consistent with these authorities, E.O.
[FR Doc. 2017–27129 Filed 12–15–17; 8:45 am] confidentiality of the communication 13636 directs the Department to
BILLING CODE 4140–01–P will be treated as public comments that increase its cybersecurity information
may be made available to the public sharing efforts with the private sector
notwithstanding the inclusion of the and consult on and promote the
DEPARTMENT OF HOMELAND routine notice. National Institute of Standards and
SECURITY FOR FURTHER INFORMATION CONTACT: For Technology (NIST) Cybersecurity
specific questions related to collection Framework. To facilitate the
The Department of Homeland Security, activities, please contact Reggie Department’s promotion of the NIST
Stakeholder Engagement & Cyber McKinney at 703–705–6277 or at Cybersecurity Framework, the E.O.
Infrastructure Resilience Division reggie.mckinney@hq.dhs.gov. directs the Secretary to establish a
(SECIR) SUPPLEMENTARY INFORMATION: Section voluntary program to support the
AGENCY: National Protection and 227 of the Homeland Security Act of adoption of the Framework in
Programs Directorate (NPPD), 2002 authorizes the National coordination with Sector Specific
Department of Homeland Security Cybersecurity and Communications Agencies, which in turn ‘‘shall
(DHS). Integration Center (NCCIC) within NPPD coordinate with Sector Coordinating
daltland on DSKBBV9HB2PROD with NOTICES
ACTION: 30-Day notice and request for as a ‘‘Federal civilian interface for the Councils to review the Cybersecurity
comments; new information collection multi-directional and cross-sector Framework and, if necessary, develop
request: 1670—NEW. sharing of information related to . . . implementation guidance or
cybersecurity risks.’’ 6 U.S.C. 148(c)(1). supplemental materials to address
SUMMARY: The DHS NPPD Office of This authority applies to Federal and sector-specific risks and operating
Cybersecurity and Communications non-Federal entities, including the environments.’’ E.O. 13636, 78 FR
(CS&C), SECIR, will submit the private sector, small and medium 11739 (2013).
VerDate Sep<11>2014 17:53 Dec 15, 2017 Jkt 244001 PO 00000 Frm 00027 Fmt 4703 Sfmt 4703 E:\FR\FM\18DEN1.SGM 18DEN1](https://thefederalregister.org/doc/82_FR_60267/page/1.svg)
![Federal Register / Vol. 82, No. 241 / Monday, December 18, 2017 / Notices 60027
Accordingly, the Information steps (a–c) will be implemented PRIOR DEPARTMENT OF HOUSING AND
Technology (IT) Sector, represented by to transmitting the resulting dataset to URBAN DEVELOPMENT
industry via the IT Sector Coordinating DHS for statistical analysis. This survey
[Docket No. FR–5997–N–80]
Council (SCC) and by government via represents a new collection.
the IT Government Coordinating DHS will use anonymized data to 30-Day Notice of Proposed Information
Council (GCC), established the IT Sector conduct their analysis. The intent is for Collection: Continuation of Interest
Small and Midsized Business (SMB) DHS to only receive derivative Reduction Payments After Refinancing
Cybersecurity Best Practices Working products—anonymized micro-dataset to Section 236 Projects
Group (‘‘Working Group’’) to develop come up with the summary statistics, or
best practices for implementing the aggregated summary results. The AGENCY: Office of the Chief Information
NIST Cybersecurity Framework in the analysis will determine ROI information Officer, HUD.
SMB community. The Working Group, for NIST Cybersecurity Framework ACTION: Notice.
which consists of industry and adoption in the SMB community. The
government representatives, developed SUMMARY: HUD submitted the proposed
results of this analysis will be available information collection requirement
the SMB Cybersecurity Survey to to the SMB community to develop best
determine return on investment (ROI) described below to the Office of
practices on how to use the Management and Budget (OMB) for
metrics for NIST Cybersecurity Cybersecurity Framework for business
Framework adoption among SMB review, in accordance with the
protection and risk management. Paperwork Reduction Act. The purpose
stakeholders. This process will assess OMB is particularly interested in
the effectiveness of the NIST of this notice is to allow for 30 days of
comments that: public comment.
Cybersecurity Framework. This process
1. Evaluate whether the proposed DATES: Comments Due Date: January 17,
will also establish a baseline for ROI
collection of information is necessary 2018.
metrics, which have not previously
for the proper performance of the ADDRESSES: Interested persons are
existed in the SMB community. The IT
functions of the agency, including invited to submit comments regarding
Sector-Specific Agency (SSA),
whether the information will have this proposal. Comments should refer to
headquartered in DHS NPPD CS&C, is
practical utility; the proposal by name and/or OMB
supporting the Working Group’s survey
development. 2. Evaluate the accuracy of the Control Number and should be sent to:
DHS is not administering, controlling agency’s estimate of the burden of the HUD Desk Officer, Office of
or soliciting the collection of the proposed collection of information, Management and Budget, New
information via the survey. The IT SCC including the validity of the Executive Office Building, Washington,
will administer the survey and methodology and assumptions used; DC 20503; fax:202–395–5806, Email:
anonymize the data, which will then be 3. Enhance the quality, utility, and OIRA Submission@omb.eop.gov
sent to DHS for analysis. As part of the clarity of the information to be FOR FURTHER INFORMATION CONTACT: Inez
survey process, the IT SCC will collect collected; and C. Downs, Reports Management Officer,
point of contact (POC) information but 4. Minimize the burden of the QMAC, Department of Housing and
will not include that information on the collection of information on those who Urban Development, 451 7th Street, SW,
anonymized dataset they submit to are to respond, including through the Washington, DC 20410; email Inez. C.
DHS. As specified in more detail below, use of appropriate automated, Downs@hud.gov, or telephone 202–402–
the IT SCC will not only anonymize the electronic, mechanical, or other 8046. This is not a toll-free number.
data but will also remove any personally technological collection techniques or Person with hearing or speech
identifiable information (PII) from the other forms of information technology, impairments may access this number
data prior to transmitting to DHS. DHS e.g., permitting electronic submissions through TTY by calling the toll-free
will aid with the statistical analysis of responses. Federal Relay Service at (800) 877–8339.
where needed, but would not be Title of Collection: The Department of Copies of available documents
working with the individual responses Homeland Security, Stakeholder submitted to OMB may be obtained
to the questionnaire. Engagement & Cyber Infrastructure from Ms. Downs.
The questionnaire will be distributed Resilience Division. SUPPLEMENTARY INFORMATION: This
to SMBs and is a two-part survey. OMB Control Number: 1670—NEW. notice informs the public that HUD is
Questions 1–11 of the survey are for an Frequency: Once every five years. seeking approval from OMB for the
organization’s leadership, as these information collection described in
Affected Public: Private sector, Small
questions pertain to high level Section A.
information about the company (core & Midsize Businesses.
Number of Respondents: 1,000 The Federal Register notice that
function, number of employees, etc.). solicited public comment on the
The remaining questions are intended annually.
Estimated Time per Respondent: 30 information collection for a period of 60
for the Chief Information Security days was published on September 5,
Officer (CISO) or appropriate IT staff, as minutes.
2017 at 82 FR 41976.
these questions are technical and ask Total Burden Hours: 500 annual
about the IT security of the company. burden hours. A. Overview of Information Collection
As identified above, once the survey Total Burden Cost (capital/startup): Title of Information Collection:
is administered by the private sector $0. Continuation of Interest Reduction
partners of the IT SCC to the member Total Recordkeeping Burden: $0. Payments After Refinancing Section 236
daltland on DSKBBV9HB2PROD with NOTICES
organizations, the private sector Total Burden Cost (operating/ Projects.
partners of the IT SCC will compile the maintaining): $0. OMB Approval Number: 2502–0572.
collected raw inputs and will (a) assign Type of Request: Revision of a
unique random identifiers to each of the David Epperson, currently approved collection.
responses, (b) scrub any PII from the Chief Information Officer. Form Number: HUD–93173
microdata, (c) conduct quality assurance [FR Doc. 2017–27114 Filed 12–15–17; 8:45 am] Agreement for Interest Reduction
against the raw input. These processing BILLING CODE 9110–9P–P Payments (§ 236(e)(2).
VerDate Sep<11>2014 17:53 Dec 15, 2017 Jkt 244001 PO 00000 Frm 00028 Fmt 4703 Sfmt 4703 E:\FR\FM\18DEN1.SGM 18DEN1](https://thefederalregister.org/doc/82_FR_60267/page/2.svg)
Document Created: 2017-12-15 23:54:49
Document Modified: 2017-12-15 23:54:49
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Notices | |
| Action | 30-Day notice and request for comments; new information collection request: 1670--NEW. | |
| Dates | Comments are encouraged and will be accepted until January 17, 2018. This process is conducted in accordance with 5 CFR part 1320. | |
| Contact | For specific questions related to collection activities, please contact Reggie McKinney at 703-705-6277 or at [email protected] | |
| FR Citation | 82 FR 60026 |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR