83 FR 31412 - Nationwide Cyber Security Review Assessment
DEPARTMENT OF HOMELAND SECURITY Federal Register Volume 83, Issue 129 (July 5, 2018)
Federal Register Volume 83, Issue 129 (July 5, 2018)
| Page Range | 31412-31413 | |
| FR Document | 2018-14352 |
[Federal Register Volume 83, Number 129 (Thursday, July 5, 2018)] [Notices] [Pages 31412-31413] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2018-14352] ======================================================================= ----------------------------------------------------------------------- DEPARTMENT OF HOMELAND SECURITY [Docket No. DHS-2018-0023] Nationwide Cyber Security Review Assessment AGENCY: Office of Cybersecurity and Communications (CS&C), National Protection and Programs Directorate (NPPD), Department of Homeland Security (DHS). ACTION: 60-Day Notice and request for comments; New Collection, 1670-- NEW. ----------------------------------------------------------------------- SUMMARY: DHS NPPD CS&C will submit the following information collection request (ICR) to the Office of Management and Budget (OMB) for review and clearance in accordance with the Paperwork Reduction Act of 1995. DATES: Comments are encouraged and will be accepted until September 4, 2018. ADDRESSES: You may submit comments, identified by docket number DHS- 2018-0023, by one of the following methods:Federal eRulemaking Portal: http://www.regulations.gov. Please follow the instructions for submitting comments. Email: [email protected]. Please include docket number DHS-2018-0023 in the subject line of the message. Mail: Written comments and questions about this Information Collection Request should be forwarded to DHS/NPPD/CS&C, ATTN: 1670-NEW, Donna Beach, 245 Murray Lane, SW, Mail Stop 0612, Arlington, VA 20528. Instructions: All submissions received must include the words ``Department of Homeland Security'' and docket number DHS-2018-0023. Comments received will be posted without alteration at http://www.regulations.gov, including any personal information provided. Comments submitted in response to this notice may be made available to the public through relevant websites. For this reason, please do not include in your comments information of a confidential nature, such as sensitive personal information or proprietary information. If you send an email comment, your email address will be automatically captured and included as part of the comment that is placed in the public docket and made available on the internet. Please note that responses to this public comment request containing any routine notice about the confidentiality of the communication will be treated as public comments that may be made available to the public notwithstanding the inclusion of the routine notice. FOR FURTHER INFORMATION CONTACT: For specific questions related to collection activities, please contact Donna Beach at 703-705-6213 or at [email protected]. SUPPLEMENTARY INFORMATION: In its reports to the Department of Homeland Security Appropriations Act, 2010, Congress requested a Nationwide Cyber Security Review (NCSR) from the National Cyber Security Division (NCSD), the predecessor organization of the Stakeholder Engagement and Cyber Infrastructure Resilience (SECIR) division. S. Rep. No. 111-31, at 91 (2009), H.R. Rep. No. 111-298, at 96 (2009). The House Conference Report accompanying the Department of Homeland Security Appropriations Act, 2010 ``note[d] the importance of a comprehensive effort to assess the security level of cyberspace at all levels of government'' and directed DHS to ``develop the necessary tools for all levels of government to complete a cyber network security assessment so that a full measure of gaps and capabilities can be completed in the near future.'' H.R. Rep. No. 111-298, at 96 (2009). Concurrently, in its report accompanying the Department of Homeland Security Appropriations Bill, 2010, the Senate Committee on Appropriations recommended that DHS ``report on the status of cyber security measures in place, and gaps in all 50 States and the largest urban areas.'' S. Rep. No. 111-31, at 91 (2009). The Homeland Security Act of 2002, as amended, established ``a national cybersecurity and communications integration center [NCCIC] . . . to carry out certain responsibilities of the Under Secretary,'' including the provision of assessments. 6 U.S.C. 148(b). The Act also directs the composition of the NCCIC to include an entity that collaborates with State and local governments on cybersecurity risks and incidents, and has entered into a voluntary information sharing relationship with the NCCIC. 6 U.S.C. 148(d)(1)(E). The Multistate Information Sharing and Analysis Center (MS-ISAC) currently fulfills this function. NPPD funds the MS-ISAC through a Cooperative Agreement and maintains a close relationship with this entity. As part of the Cooperative Agreement, DHS directs the MS-ISAC to produce the NCSR as contemplated by Congress. Generally, NPPD has authority to perform risk and vulnerability assessments for Federal and non-Federal entities, with consent and upon request. The NCCIC performs these assessments in accordance with its authority to provide voluntary technical assistance to Federal and non- Federal entities. See 6 U.S.C. 148(c)(6), 143(2). This authority is consistent with the Department's responsibility to ``[c]onduct comprehensive assessments of the vulnerabilities of the Nation's critical infrastructure in coordination with the SSAs [Sector-Specific Agencies] and in collaboration with SLTT [State, Local, Tribal, and Territorial] entities and critical infrastructure owners and operators.'' Presidential Policy Directive (PPD)-21, at 3. A private sector entity or state and local government agency also has discretion to use a self-assessment tool offered by NPPD or request NPPD to perform an on-site risk and vulnerability assessment. See 6 U.S.C. 148(c)(6), 143(2), 6 U.S.C. 121(d)(2). The NCSR is a voluntary annual self-assessment. Upon submission of the first NCSR report in March 2012, Congress further clarified its expectation ``that this survey will be updated every other year so that progress may be charted and further areas of concern may be identified.'' S. Rep. No. 112-169, at 100 (2012). In each subsequent year, Congress has referenced this NCSR in its explanatory comments and recommendations accompanying the Department of Homeland Security Appropriations. Consistent with Congressional mandates, SECIR developed the NCSR to measure the gaps and capabilities of cybersecurity programs within SLTT governments. Using the anonymous results of the NCSR, DHS delivers a bi-annual summary report to Congress that provides a broad picture of the current cybersecurity gaps & capabilities of SLTT governments across the nation. The assessment allows SLTT governments to manage cybersecurity related risks through the NIST Cybersecurity Framework (CSF) which consists of best practices, standards and guidelines. In efforts of continuously providing Congress with an accurate representation of the SLTT [[Page 31413]] governments' cybersecurity programs gaps and capabilities the NCSR question set may slightly change from year-to-year. The NCSR is an annual voluntary self-assessment that is hosted on the RSA Archer Suite, which is a technology platform that provides a foundation for managing policies, controls, risks, assessments, and deficiencies across organizational lines of business. The NCSR self- assessment runs every year from October-December. In efforts of increasing participation, the deadline is sometimes extended. The target audience for the NCSR are personnel within the SLTT community who are responsible for the cybersecurity management within their organization. Through the NCSR, DHS & MS-ISAC will examine relationships, interactions, and processes governing IT management and the ability to effectively manage operational risk. Using the anonymous results of the NCSR, DHS delivers a bi-annual summary report to Congress that provides a broad picture of the cybersecurity gaps & capabilities of SLTT governments across the nation. The bi-annual summary report is shared with MS-ISAC members, NCSR End Users, and Congress. The report is also available on the MS-ISAC website, https://www.cisecurity.org/ms-isac/services/ncsr/. Upon submission of the NCSR self-assessment, participants will immediately receive access to several reports specific to their organization and their cybersecurity posture. Additionally, after the annual NCSR survey closes there will be a brief NCSR End User Survey offered to everyone who completed the NSCR assessment. The survey will provide feedback on participants' experiences, such as from how they heard about the NCSR, what they found or did not find useful, how they will utilize the results of their assessment, and other information about their current and future interactions with the NCSR. Additionally, MS-ISAC will administer a survey to those who were registered participants in the past and did not register or complete the most recent NCSR. The purpose of the Non-Response Survey is to solicit feedback on ways the NSCR could be improved to maximize benefits and increase response rates in the future. The NCSR assessment requires approximately two hours for completion and is located on the RSA Archer Suite. During the assessment period, participants can respond at their own pace with the ability to save their progress during each session. If additional support is needed, participants can contact the NCSR helpdesk via phone and email. The NCSR End User survey will be fully electronic. It contains less than 30 multiple choice and fill-in-the-blank answers and takes approximately 10 minutes to complete. The feedback survey will be administered via Survey Monkey and settings will be updated to opt out of collecting participants' IP addresses. The Non-Response Survey will be fully electronic and take approximately 10 minutes to complete. The survey will be administered via Survey Monkey and settings will be updated to opt out of collecting participants' IP addresses. This is a new information collection. OMB is particularly interested in comments that: 1. Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility; 2. Evaluate the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used; 3. Enhance the quality, utility, and clarity of the information to be collected; and 4. Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submissions of responses. Title of Collection: Nationwide Cyber Security Review Assessment. OMB Control Number: 1670-NEW. Frequency: Annually. Affected Public: State, Local, Tribal, and Territorial entities. Number of Respondents: 591. Estimated Time per Respondent: 2 hours. Total Burden Hours: 1,278. Total Burden Cost (Capital/Startup): $0. Total Recordkeeping Burden: $0. Total Burden Cost (Operating/Maintaining): $0. David Epperson, Chief Information Officer. [FR Doc. 2018-14352 Filed 7-3-18; 8:45 am] BILLING CODE 9110-9P-P
![31412 Federal Register / Vol. 83, No. 129 / Thursday, July 5, 2018 / Notices
Contact: Pamela Foote, Designated this reason, please do not include in relationship with the NCCIC. 6 U.S.C.
Federal Official, SAMHSA CMHS your comments information of a 148(d)(1)(E). The Multistate Information
National Advisory Council, 5600 confidential nature, such as sensitive Sharing and Analysis Center (MS–ISAC)
Fishers Lane, Room 14E53C, Rockville, personal information or proprietary currently fulfills this function. NPPD
Maryland 20857, Telephone: (240) 276– information. If you send an email funds the MS–ISAC through a
1279, Fax: (301) 480–8491, Email: comment, your email address will be Cooperative Agreement and maintains a
pamela.foote@samhsa.hhs.gov. automatically captured and included as close relationship with this entity. As
part of the comment that is placed in the part of the Cooperative Agreement, DHS
Carlos Castillo,
public docket and made available on the directs the MS–ISAC to produce the
Committee Management Officer. internet. Please note that responses to NCSR as contemplated by Congress.
[FR Doc. 2018–14381 Filed 7–3–18; 8:45 am] this public comment request containing Generally, NPPD has authority to
BILLING CODE 4162–20–P any routine notice about the perform risk and vulnerability
confidentiality of the communication assessments for Federal and non-Federal
will be treated as public comments that entities, with consent and upon request.
DEPARTMENT OF HOMELAND may be made available to the public The NCCIC performs these assessments
SECURITY notwithstanding the inclusion of the in accordance with its authority to
routine notice. provide voluntary technical assistance
[Docket No. DHS–2018–0023]
FOR FURTHER INFORMATION CONTACT: For to Federal and non-Federal entities. See
Nationwide Cyber Security Review specific questions related to collection 6 U.S.C. 148(c)(6), 143(2). This authority
Assessment activities, please contact Donna Beach at is consistent with the Department’s
703–705–6213 or at SLTTCyber@ responsibility to ‘‘[c]onduct
AGENCY: Office of Cybersecurity and HQ.DHS.GOV. comprehensive assessments of the
Communications (CS&C), National vulnerabilities of the Nation’s critical
SUPPLEMENTARY INFORMATION: In its
Protection and Programs Directorate infrastructure in coordination with the
(NPPD), Department of Homeland reports to the Department of Homeland SSAs [Sector-Specific Agencies] and in
Security (DHS). Security Appropriations Act, 2010, collaboration with SLTT [State, Local,
Congress requested a Nationwide Cyber Tribal, and Territorial] entities and
ACTION: 60-Day Notice and request for
Security Review (NCSR) from the critical infrastructure owners and
comments; New Collection, 1670— National Cyber Security Division
NEW. operators.’’ Presidential Policy Directive
(NCSD), the predecessor organization of (PPD)–21, at 3. A private sector entity or
SUMMARY: DHS NPPD CS&C will submit the Stakeholder Engagement and Cyber state and local government agency also
the following information collection Infrastructure Resilience (SECIR) has discretion to use a self-assessment
request (ICR) to the Office of division. S. Rep. No. 111–31, at 91 tool offered by NPPD or request NPPD
Management and Budget (OMB) for (2009), H.R. Rep. No. 111–298, at 96 to perform an on-site risk and
review and clearance in accordance (2009). The House Conference Report vulnerability assessment. See 6 U.S.C.
with the Paperwork Reduction Act of accompanying the Department of 148(c)(6), 143(2), 6 U.S.C. 121(d)(2). The
1995. Homeland Security Appropriations Act, NCSR is a voluntary annual self-
2010 ‘‘note[d] the importance of a assessment.
DATES: Comments are encouraged and comprehensive effort to assess the Upon submission of the first NCSR
will be accepted until September 4, security level of cyberspace at all levels report in March 2012, Congress further
2018. of government’’ and directed DHS to clarified its expectation ‘‘that this
ADDRESSES: You may submit comments, ‘‘develop the necessary tools for all survey will be updated every other year
identified by docket number DHS– levels of government to complete a so that progress may be charted and
2018–0023, by one of the following cyber network security assessment so further areas of concern may be
methods: that a full measure of gaps and identified.’’ S. Rep. No. 112–169, at 100
• Federal eRulemaking Portal: http:// capabilities can be completed in the (2012). In each subsequent year,
www.regulations.gov. Please follow the near future.’’ H.R. Rep. No. 111–298, at Congress has referenced this NCSR in its
instructions for submitting comments. 96 (2009). Concurrently, in its report explanatory comments and
• Email: SLTTCyber@HQ.DHS.GOV. accompanying the Department of recommendations accompanying the
Please include docket number DHS– Homeland Security Appropriations Bill, Department of Homeland Security
2018–0023 in the subject line of the 2010, the Senate Committee on Appropriations. Consistent with
message. Appropriations recommended that DHS Congressional mandates, SECIR
• Mail: Written comments and ‘‘report on the status of cyber security developed the NCSR to measure the
questions about this Information measures in place, and gaps in all 50 gaps and capabilities of cybersecurity
Collection Request should be forwarded States and the largest urban areas.’’ S. programs within SLTT governments.
to DHS/NPPD/CS&C, ATTN: 1670– Rep. No. 111–31, at 91 (2009). Using the anonymous results of the
NEW, Donna Beach, 245 Murray Lane, The Homeland Security Act of 2002, NCSR, DHS delivers a bi-annual
SW, Mail Stop 0612, Arlington, VA as amended, established ‘‘a national summary report to Congress that
20528. cybersecurity and communications provides a broad picture of the current
Instructions: All submissions received integration center [NCCIC] . . . to carry cybersecurity gaps & capabilities of
must include the words ‘‘Department of out certain responsibilities of the Under SLTT governments across the nation.
Homeland Security’’ and docket number Secretary,’’ including the provision of The assessment allows SLTT
amozie on DSK3GDR082PROD with NOTICES1
DHS–2018–0023. Comments received assessments. 6 U.S.C. 148(b). The Act governments to manage cybersecurity
will be posted without alteration at also directs the composition of the related risks through the NIST
http://www.regulations.gov, including NCCIC to include an entity that Cybersecurity Framework (CSF) which
any personal information provided. collaborates with State and local consists of best practices, standards and
Comments submitted in response to governments on cybersecurity risks and guidelines. In efforts of continuously
this notice may be made available to the incidents, and has entered into a providing Congress with an accurate
public through relevant websites. For voluntary information sharing representation of the SLTT
VerDate Sep<11>2014 16:43 Jul 03, 2018 Jkt 244001 PO 00000 Frm 00054 Fmt 4703 Sfmt 4703 E:\FR\FM\05JYN1.SGM 05JYN1](https://thefederalregister.org/doc/83_FR_31541/page/1.svg)
![Federal Register / Vol. 83, No. 129 / Thursday, July 5, 2018 / Notices 31413
governments’ cybersecurity programs participants can contact the NCSR DEPARTMENT OF HOUSING AND
gaps and capabilities the NCSR question helpdesk via phone and email. URBAN DEVELOPMENT
set may slightly change from year-to- The NCSR End User survey will be [Docket No. FR–7002–N–09]
year. fully electronic. It contains less than 30
The NCSR is an annual voluntary self- multiple choice and fill-in-the-blank 60-Day Notice of Proposed Information
assessment that is hosted on the RSA answers and takes approximately 10 Collection: Housing Trust Fund (HTF)
Archer Suite, which is a technology minutes to complete. The feedback Program
platform that provides a foundation for survey will be administered via Survey
managing policies, controls, risks, Monkey and settings will be updated to AGENCY: The Office of Community
assessments, and deficiencies across Planning and Development, HUD.
opt out of collecting participants’ IP
organizational lines of business. The ACTION: Notice of proposed information
addresses.
NCSR self-assessment runs every year collection.
from October–December. In efforts of The Non-Response Survey will be
increasing participation, the deadline is fully electronic and take approximately SUMMARY: HUD is seeking approval from
sometimes extended. The target 10 minutes to complete. The survey will the Office of Management and Budget
audience for the NCSR are personnel be administered via Survey Monkey and (OMB) for the information collection
within the SLTT community who are settings will be updated to opt out of described below. In accordance with the
responsible for the cybersecurity collecting participants’ IP addresses. Paperwork Reduction Act, HUD is
management within their organization. This is a new information collection. requesting comment from all interested
Through the NCSR, DHS & MS–ISAC parties on the proposed collection of
OMB is particularly interested in
will examine relationships, interactions, information. The purpose of this notice
comments that:
and processes governing IT management is to allow for 60 days of public
and the ability to effectively manage 1. Evaluate whether the proposed comment.
operational risk. Using the anonymous collection of information is necessary
for the proper performance of the DATES: Comments Due Date: September
results of the NCSR, DHS delivers a bi- 4, 2018.
annual summary report to Congress that functions of the agency, including
whether the information will have ADDRESSES: Interested persons are
provides a broad picture of the
cybersecurity gaps & capabilities of practical utility; invited to submit comments regarding
SLTT governments across the nation. this proposal. Comments should refer to
2. Evaluate the accuracy of the the proposal by name and/or OMB
The bi-annual summary report is shared agency’s estimate of the burden of the
with MS–ISAC members, NCSR End Control Number and should be sent to:
proposed collection of information, Colette Pollard, Reports Management
Users, and Congress. The report is also including the validity of the
available on the MS–ISAC website, Officer, QDAM, Department of Housing
methodology and assumptions used; and Urban Development, 451 7th Street
https://www.cisecurity.org/ms-isac/
services/ncsr/. 3. Enhance the quality, utility, and SW, Room 4176, Washington, DC
Upon submission of the NCSR self- clarity of the information to be 20410–5000; telephone 202–402–3400
assessment, participants will collected; and (this is not a toll-free number) or email
immediately receive access to several 4. Minimize the burden of the at colette.pollard@hud.gov for a copy of
reports specific to their organization and collection of information on those who the proposed forms or other available
their cybersecurity posture. are to respond, including through the information. Persons with hearing or
Additionally, after the annual NCSR use of appropriate automated, speech impairments may access this
survey closes there will be a brief NCSR electronic, mechanical, or other number through TTY by calling the toll-
End User Survey offered to everyone technological collection techniques or free Federal Relay Service at (800) 877–
who completed the NSCR assessment. other forms of information technology, 8339.
The survey will provide feedback on e.g., permitting electronic submissions FOR FURTHER INFORMATION CONTACT:
participants’ experiences, such as from of responses. Quinn Warner, Affordable Housing
how they heard about the NCSR, what Title of Collection: Nationwide Cyber Specialist, Office of Affordable Housing
they found or did not find useful, how Security Review Assessment. Programs, 451 7th Street SW,
they will utilize the results of their Washington, DC 20410; email at
assessment, and other information about OMB Control Number: 1670–NEW. quinn.a.warner@hud.gov or telephone
their current and future interactions Frequency: Annually. 202–402–1401. This is not a toll-free
with the NCSR. Affected Public: State, Local, Tribal, number. Persons with hearing or speech
Additionally, MS–ISAC will and Territorial entities. impairments may access this number
administer a survey to those who were through TTY by calling the toll-free
registered participants in the past and Number of Respondents: 591.
Federal Relay Service at (800) 877–8339.
did not register or complete the most Estimated Time per Respondent: 2 Copies of available documents
recent NCSR. The purpose of the Non- hours. submitted to OMB may be obtained
Response Survey is to solicit feedback Total Burden Hours: 1,278. from Ms. Pollard.
on ways the NSCR could be improved SUPPLEMENTARY INFORMATION: This
Total Burden Cost (Capital/Startup):
to maximize benefits and increase notice informs the public that HUD is
$0.
response rates in the future. seeking approval from OMB for the
The NCSR assessment requires Total Recordkeeping Burden: $0. information collection described in
amozie on DSK3GDR082PROD with NOTICES1
approximately two hours for completion Total Burden Cost (Operating/ Section A.
and is located on the RSA Archer Suite. Maintaining): $0.
During the assessment period, A. Overview of Information Collection
participants can respond at their own David Epperson, Title of Information Collection:
pace with the ability to save their Chief Information Officer. Housing Trust Fund (HTF).
progress during each session. If [FR Doc. 2018–14352 Filed 7–3–18; 8:45 am] OMB Approval Number: 2506–New.
additional support is needed, BILLING CODE 9110–9P–P Type of Request: New collection.
VerDate Sep<11>2014 16:43 Jul 03, 2018 Jkt 244001 PO 00000 Frm 00055 Fmt 4703 Sfmt 4703 E:\FR\FM\05JYN1.SGM 05JYN1](https://thefederalregister.org/doc/83_FR_31541/page/2.svg)
Document Created: 2018-07-03 23:40:26
Document Modified: 2018-07-03 23:40:26
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Notices | |
| Action | 60-Day Notice and request for comments; New Collection, 1670-- NEW. | |
| Dates | Comments are encouraged and will be accepted until September 4, 2018. | |
| Contact | For specific questions related to collection activities, please contact Donna Beach at 703-705-6213 or at [email protected] | |
| FR Citation | 83 FR 31412 |
2024 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR