83 FR 52499 - Nationwide Cyber Security Review Assessment
DEPARTMENT OF HOMELAND SECURITY Federal Register Volume 83, Issue 201 (October 17, 2018)
Federal Register Volume 83, Issue 201 (October 17, 2018)
| Page Range | 52499-52500 | |
| FR Document | 2018-22548 |
[Federal Register Volume 83, Number 201 (Wednesday, October 17, 2018)] [Notices] [Pages 52499-52500] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2018-22548] ----------------------------------------------------------------------- DEPARTMENT OF HOMELAND SECURITY Nationwide Cyber Security Review Assessment AGENCY: Office of Cybersecurity and Communications (CS&C), National Protection and Programs Directorate (NPPD), Department of Homeland Security (DHS). ACTION: 30-Day Notice and request for comments; New Collection, 1670- NEW. ----------------------------------------------------------------------- SUMMARY: DHS NPPD CS&C will submit the following information collection request (ICR) to the Office of Management and Budget (OMB) for review and clearance in accordance with the Paperwork Reduction Act of 1995. DHS previously published this information collection request (ICR) in the Federal Register on Thursday, July 5, 2018 at 83 FR 31412 for a 60- day public comment period. 0 comments were received by DHS. The purpose of this notice is to allow an additional 30 days for public comments. DATES: Comments are encouraged and will be accepted until November 16, 2018. ADDRESSES: Interested persons are invited to submit written comments on the proposed information collection to the Office of Information and Regulatory Affairs, Office of Management and Budget. Comments should be addressed to OMB Desk Officer, Department of Homeland Security and sent via electronic mail to [email protected]. All submissions must include the words ``Department of Homeland Security'' and the OMB Control Number 1670-NEW--Nationwide Cyber Security Review Assessment. Comments submitted in response to this notice may be made available to the public through relevant websites. For this reason, please do not include in your comments information of a confidential nature, such as sensitive personal information or proprietary information. If you send an email comment, your email address will be automatically captured and included as part of the comment that is placed in the public docket and made available on the internet. Please note that responses to this public comment request containing any routine notice about the confidentiality of the communication will be treated as public comments that may be made available to the public notwithstanding the inclusion of the routine notice. FOR FURTHER INFORMATION CONTACT: For specific questions related to collection activities, please contact Donna Beach at 703-705-6213 or at [email protected]. SUPPLEMENTARY INFORMATION: In its reports to the Department of Homeland Security Appropriations Act, 2010, Congress requested a Nationwide Cyber Security Review (NCSR) from the National Cyber Security Division (NCSD), the predecessor organization of the Stakeholder Engagement and Cyber Infrastructure Resilience (SECIR) division. S. Rep. No. 111-31, at 91 (2009), H.R. Rep. No. 111-298, at 96 (2009). The House Conference Report accompanying the Department of Homeland Security Appropriations Act, 2010 ``note[d] the importance of a comprehensive effort to assess the security level of cyberspace at all levels of government'' and directed DHS to ``develop the necessary tools for all levels of government to complete a cyber network security assessment so that a full measure of gaps and capabilities can be completed in the near future.'' H.R. Rep. No. 111-298, at 96 (2009). Concurrently, in its report accompanying the Department of Homeland Security Appropriations Bill, 2010, the Senate Committee on Appropriations recommended that DHS ``report on the status of cyber security measures in place, and gaps in all 50 States and the largest urban areas.'' S. Rep. No. 111-31, at 91 (2009). The Homeland Security Act of 2002, as amended, established ``a national cybersecurity and communications integration center [NCCIC] . . . to carry out certain responsibilities of the Under Secretary,'' including the provision of assessments. 6 U.S.C. 148(b). The Act also directs the composition of the NCCIC to include an entity that collaborates with State and local governments on cybersecurity risks and incidents, and has entered into a voluntary information sharing relationship with the NCCIC. 6 U.S.C. 148(d)(1)(E). The Multistate Information Sharing and Analysis Center (MS-ISAC) currently fulfills this function. NPPD funds the MS-ISAC through a Cooperative Agreement and maintains a close relationship with this entity. As part of the Cooperative Agreement, DHS directs the MS-ISAC to produce the NCSR as contemplated by Congress. Generally, NPPD has authority to perform risk and vulnerability assessments for Federal and non-Federal entities, with consent and upon request. The NCCIC performs these assessments in accordance with its authority to provide voluntary technical assistance to Federal and non- Federal entities. See 6 U.S.C. 148(c)(6), 143(2). This authority [[Page 52500]] is consistent with the Department's responsibility to ``[c]onduct comprehensive assessments of the vulnerabilities of the Nation's critical infrastructure in coordination with the SSAs [Sector-Specific Agencies] and in collaboration with SLTT [State, Local, Tribal, and Territorial] entities and critical infrastructure owners and operators.'' Presidential Policy Directive (PPD)-21, at 3. A private sector entity or state and local government agency also has discretion to use a self-assessment tool offered by NPPD or request NPPD to perform an on-site risk and vulnerability assessment. See 6 U.S.C. 148(c)(6), 143(2), 6 U.S.C. 121(d)(2). The NCSR is a voluntary annual self-assessment. Upon submission of the first NCSR report in March 2012, Congress further clarified its expectation ``that this survey will be updated every other year so that progress may be charted and further areas of concern may be identified.'' S. Rep. No. 112-169, at 100 (2012). In each subsequent year, Congress has referenced this NCSR in its explanatory comments and recommendations accompanying the Department of Homeland Security Appropriations. Consistent with Congressional mandates, SECIR developed the NCSR to measure the gaps and capabilities of cybersecurity programs within SLTT governments. Using the anonymous results of the NCSR, DHS delivers a bi-annual summary report to Congress that provides a broad picture of the current cybersecurity gaps & capabilities of SLTT governments across the nation. The assessment allows SLTT governments to manage cybersecurity related risks through the NIST Cybersecurity Framework (CSF) which consists of best practices, standards and guidelines. In efforts of continuously providing Congress with an accurate representation of the SLTT governments' cybersecurity programs gaps and capabilities the NCSR question sets and surveys may slightly change from year-to-year to accurately reflect the current cybersecurity environment. The NCSR is an annual voluntary self-assessment that is hosted on the RSA Archer Suite, which is a technology platform that provides a foundation for managing policies, controls, risks, assessments, and deficiencies across organizational lines of business. The NCSR self- assessment runs every year from October-December. In efforts of increasing participation, the deadline is sometimes extended. The target audience for the NCSR are personnel within the SLTT community who are responsible for the cybersecurity management within their organization. Through the NCSR, DHS & MS-ISAC will examine relationships, interactions, and processes governing IT management and the ability to effectively manage operational risk. Using the anonymous results of the NCSR, DHS delivers a bi-annual summary report to Congress that provides a broad picture of the cybersecurity gaps & capabilities of SLTT governments across the nation. The bi-annual summary report is shared with MS-ISAC members, NCSR End Users, and Congress. The report is also available on the MS-ISAC website, https://www.cisecurity.org/ms-isac/services/ncsr/. Upon submission of the NCSR self-assessment, participants will immediately receive access to several reports specific to their organization and their cybersecurity posture. Additionally, after the annual NCSR survey closes there will be a brief NCSR End User Survey offered to everyone who completed the NSCR assessment. The survey will provide feedback on participants' experiences, such as from how they heard about the NCSR, what they found or did not find useful, how they will utilize the results of their assessment, and other information about their current and future interactions with the NCSR. Additionally, MS-ISAC will administer a survey to those who were registered participants in the past and did not register or complete the most recent NCSR. The purpose of the Non-Response Survey is to solicit feedback on ways the NSCR could be improved to maximize benefits and increase response rates in the future. The NCSR assessment requires approximately two hours for completion and is located on the RSA Archer Suite. During the assessment period, participants can respond at their own pace with the ability to save their progress during each session. If additional support is needed, participants can contact the NCSR helpdesk via phone and email. The NCSR End User survey will be fully electronic. It contains less than 30 multiple choice and fill-in-the-blank answers and takes approximately 10 minutes to complete. The feedback survey will be administered via Survey Monkey and settings will be updated to opt out of collecting participants' IP addresses. The Non-Response Survey will be fully electronic and take approximately 10 minutes to complete. The survey will be administered via Survey Monkey and settings will be updated to opt out of collecting participants' IP addresses. This is a new information collection. OMB is particularly interested in comments that: 1. Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility; 2. Evaluate the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used; 3. Enhance the quality, utility, and clarity of the information to be collected; and 4. Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submissions of responses. Title of Collection: Nationwide Cyber Security Review Assessment. OMB Control Number: 1670-NEW. Frequency: Annually. Affected Public: State, Local, Tribal, and Territorial entities. Number of Respondents: 591. Estimated Time per Respondent: 2 hours. Total Burden Hours: 1,278. Total Burden Cost (capital/startup): $0. Total Recordkeeping Burden: $0. Total Burden Cost (operating/maintaining): $0. David Epperson, Chief Information Officer. [FR Doc. 2018-22548 Filed 10-16-18; 8:45 am] BILLING CODE 9110-9P-P
![Federal Register / Vol. 83, No. 201 / Wednesday, October 17, 2018 / Notices 52499
for the proper performance of the DEPARTMENT OF HOMELAND activities, please contact Donna Beach at
functions of the agency, including SECURITY 703–705–6213 or at SLTTCyber@
whether the information will have HQ.DHS.GOV.
practical utility; (2) the accuracy of the Nationwide Cyber Security Review SUPPLEMENTARY INFORMATION: In its
agency’s estimate of the burden of the Assessment reports to the Department of Homeland
proposed collection of information, Security Appropriations Act, 2010,
AGENCY: Office of Cybersecurity and
including the validity of the Congress requested a Nationwide Cyber
methodology and assumptions used; (3) Communications (CS&C), National
Protection and Programs Directorate Security Review (NCSR) from the
suggestions to enhance the quality, National Cyber Security Division
utility, and clarity of the information to (NPPD), Department of Homeland
Security (DHS). (NCSD), the predecessor organization of
be collected; and (4) suggestions to the Stakeholder Engagement and Cyber
minimize the burden of the collection of ACTION: 30-Day Notice and request for
comments; New Collection, 1670–NEW. Infrastructure Resilience (SECIR)
information on those who are to division. S. Rep. No. 111–31, at 91
respond, including through the use of
SUMMARY: DHS NPPD CS&C will submit (2009), H.R. Rep. No. 111–298, at 96
appropriate automated, electronic,
the following information collection (2009). The House Conference Report
mechanical, or other technological
request (ICR) to the Office of accompanying the Department of
collection techniques or other forms of
Management and Budget (OMB) for Homeland Security Appropriations Act,
information technology, e.g., permitting
review and clearance in accordance 2010 ‘‘note[d] the importance of a
electronic submission of responses. The
with the Paperwork Reduction Act of comprehensive effort to assess the
comments that are submitted will be
1995. DHS previously published this security level of cyberspace at all levels
summarized and included in the request
information collection request (ICR) in of government’’ and directed DHS to
for approval. All comments will become
the Federal Register on Thursday, July ‘‘develop the necessary tools for all
a matter of public record.
5, 2018 at 83 FR 31412 for a 60-day levels of government to complete a
Overview of This Information public comment period. 0 comments cyber network security assessment so
Collection were received by DHS. The purpose of that a full measure of gaps and
Title: Application for Extension of this notice is to allow an additional 30 capabilities can be completed in the
Bond for Temporary Importation. days for public comments. near future.’’ H.R. Rep. No. 111–298, at
OMB Number: 1651–0015. DATES: Comments are encouraged and 96 (2009). Concurrently, in its report
Form Number: CBP Form 3173. will be accepted until November 16, accompanying the Department of
Abstract: Imported merchandise 2018. Homeland Security Appropriations Bill,
which is to remain in the customs 2010, the Senate Committee on
territory for a period of one year or less ADDRESSES: Interested persons are Appropriations recommended that DHS
without the payment of duties is entered invited to submit written comments on ‘‘report on the status of cyber security
as a temporary importation, as the proposed information collection to measures in place, and gaps in all 50
authorized under the Harmonized Tariff the Office of Information and Regulatory States and the largest urban areas.’’ S.
Schedule of the United States (19 U.S.C. Affairs, Office of Management and Rep. No. 111–31, at 91 (2009).
1202). When this time period is not Budget. Comments should be addressed The Homeland Security Act of 2002,
sufficient, it may be extended by to OMB Desk Officer, Department of as amended, established ‘‘a national
submitting an application on CBP Form Homeland Security and sent via cybersecurity and communications
3173, ‘‘Application for Extension of electronic mail to dhsdeskofficer@ integration center [NCCIC] . . . to carry
Bond for Temporary Importation.’’ This omb.eop.gov. All submissions must out certain responsibilities of the Under
form is provided for by 19 CFR 10.37 include the words ‘‘Department of Secretary,’’ including the provision of
and is accessible at: https:// Homeland Security’’ and the OMB assessments. 6 U.S.C. 148(b). The Act
www.cbp.gov/newsroom/publications/ Control Number 1670–NEW— also directs the composition of the
forms?title=3173. Nationwide Cyber Security Review NCCIC to include an entity that
Current Actions: CBP proposes to Assessment. collaborates with State and local
extend the expiration date of this Comments submitted in response to governments on cybersecurity risks and
information collection with no changes this notice may be made available to the incidents, and has entered into a
to the burden hours or to Form 3173. public through relevant websites. For voluntary information sharing
Type of Review: Extension (without this reason, please do not include in relationship with the NCCIC. 6 U.S.C.
change). your comments information of a 148(d)(1)(E). The Multistate Information
Affected Public: Businesses. confidential nature, such as sensitive Sharing and Analysis Center (MS–ISAC)
Estimated Number of Respondents: personal information or proprietary currently fulfills this function. NPPD
1,200. information. If you send an email funds the MS–ISAC through a
Estimated Number of Annual comment, your email address will be Cooperative Agreement and maintains a
Responses per Respondent: 14. automatically captured and included as close relationship with this entity. As
Estimated Total Annual Responses: part of the comment that is placed in the part of the Cooperative Agreement, DHS
16,800. public docket and made available on the directs the MS–ISAC to produce the
Estimated Time per Response: 13 internet. Please note that responses to NCSR as contemplated by Congress.
minutes. this public comment request containing Generally, NPPD has authority to
Estimated Total Annual Burden any routine notice about the perform risk and vulnerability
daltland on DSKBBV9HB2PROD with NOTICES
Hours: 3,646. confidentiality of the communication assessments for Federal and non-Federal
Dated: October 11, 2018. will be treated as public comments that entities, with consent and upon request.
Seth D. Renkema, may be made available to the public The NCCIC performs these assessments
Branch Chief, Economic Impact Analysis notwithstanding the inclusion of the in accordance with its authority to
Branch, U.S. Customs and Border Protection. routine notice. provide voluntary technical assistance
[FR Doc. 2018–22512 Filed 10–16–18; 8:45 am] FOR FURTHER INFORMATION CONTACT: For to Federal and non-Federal entities. See
BILLING CODE 9111–14–P specific questions related to collection 6 U.S.C. 148(c)(6), 143(2). This authority
VerDate Sep<11>2014 19:46 Oct 16, 2018 Jkt 247001 PO 00000 Frm 00124 Fmt 4703 Sfmt 4703 E:\FR\FM\17OCN1.SGM 17OCN1](https://thefederalregister.org/doc/83_FR_52700/page/1.svg)
![52500 Federal Register / Vol. 83, No. 201 / Wednesday, October 17, 2018 / Notices
is consistent with the Department’s responsible for the cybersecurity This is a new information collection.
responsibility to ‘‘[c]onduct management within their organization. OMB is particularly interested in
comprehensive assessments of the Through the NCSR, DHS & MS–ISAC comments that:
vulnerabilities of the Nation’s critical will examine relationships, interactions, 1. Evaluate whether the proposed
infrastructure in coordination with the and processes governing IT management collection of information is necessary
SSAs [Sector-Specific Agencies] and in and the ability to effectively manage for the proper performance of the
collaboration with SLTT [State, Local, operational risk. Using the anonymous functions of the agency, including
Tribal, and Territorial] entities and results of the NCSR, DHS delivers a bi- whether the information will have
critical infrastructure owners and annual summary report to Congress that practical utility;
operators.’’ Presidential Policy Directive provides a broad picture of the 2. Evaluate the accuracy of the
(PPD)–21, at 3. A private sector entity or cybersecurity gaps & capabilities of agency’s estimate of the burden of the
state and local government agency also SLTT governments across the nation. proposed collection of information,
has discretion to use a self-assessment The bi-annual summary report is shared including the validity of the
tool offered by NPPD or request NPPD with MS–ISAC members, NCSR End methodology and assumptions used;
to perform an on-site risk and Users, and Congress. The report is also 3. Enhance the quality, utility, and
vulnerability assessment. See 6 U.S.C. available on the MS–ISAC website, clarity of the information to be
148(c)(6), 143(2), 6 U.S.C. 121(d)(2). The https://www.cisecurity.org/ms-isac/ collected; and
NCSR is a voluntary annual self- services/ncsr/. 4. Minimize the burden of the
assessment. Upon submission of the NCSR self- collection of information on those who
Upon submission of the first NCSR assessment, participants will are to respond, including through the
report in March 2012, Congress further immediately receive access to several use of appropriate automated,
clarified its expectation ‘‘that this reports specific to their organization and electronic, mechanical, or other
survey will be updated every other year their cybersecurity posture. technological collection techniques or
so that progress may be charted and Additionally, after the annual NCSR other forms of information technology,
survey closes there will be a brief NCSR e.g., permitting electronic submissions
further areas of concern may be
End User Survey offered to everyone of responses.
identified.’’ S. Rep. No. 112–169, at 100
who completed the NSCR assessment. Title of Collection: Nationwide Cyber
(2012). In each subsequent year,
The survey will provide feedback on Security Review Assessment.
Congress has referenced this NCSR in its OMB Control Number: 1670–NEW.
participants’ experiences, such as from
explanatory comments and Frequency: Annually.
how they heard about the NCSR, what
recommendations accompanying the Affected Public: State, Local, Tribal,
they found or did not find useful, how
Department of Homeland Security and Territorial entities.
they will utilize the results of their
Appropriations. Consistent with Number of Respondents: 591.
assessment, and other information about
Congressional mandates, SECIR Estimated Time per Respondent: 2
their current and future interactions
developed the NCSR to measure the with the NCSR. hours.
gaps and capabilities of cybersecurity Additionally, MS–ISAC will Total Burden Hours: 1,278.
programs within SLTT governments. administer a survey to those who were Total Burden Cost (capital/startup):
Using the anonymous results of the registered participants in the past and $0.
NCSR, DHS delivers a bi-annual did not register or complete the most Total Recordkeeping Burden: $0.
summary report to Congress that Total Burden Cost (operating/
recent NCSR. The purpose of the Non-
provides a broad picture of the current maintaining): $0.
Response Survey is to solicit feedback
cybersecurity gaps & capabilities of on ways the NSCR could be improved David Epperson,
SLTT governments across the nation. to maximize benefits and increase Chief Information Officer.
The assessment allows SLTT response rates in the future. [FR Doc. 2018–22548 Filed 10–16–18; 8:45 am]
governments to manage cybersecurity The NCSR assessment requires BILLING CODE 9110–9P–P
related risks through the NIST approximately two hours for completion
Cybersecurity Framework (CSF) which and is located on the RSA Archer Suite.
consists of best practices, standards and During the assessment period, DEPARTMENT OF HOMELAND
guidelines. In efforts of continuously participants can respond at their own SECURITY
providing Congress with an accurate pace with the ability to save their
representation of the SLTT progress during each session. If [Docket No. DHS–2018–0058]
governments’ cybersecurity programs additional support is needed,
gaps and capabilities the NCSR question Telecommunications Service Priority
participants can contact the NCSR
sets and surveys may slightly change System
helpdesk via phone and email.
from year-to-year to accurately reflect The NCSR End User survey will be AGENCY: Office of Cybersecurity and
the current cybersecurity environment. fully electronic. It contains less than 30 Communications (CS&C), National
The NCSR is an annual voluntary self- multiple choice and fill-in-the-blank Protection and Programs Directorate
assessment that is hosted on the RSA answers and takes approximately 10 (NPPD), Department of Homeland
Archer Suite, which is a technology minutes to complete. The feedback Security (DHS).
platform that provides a foundation for survey will be administered via Survey ACTION: 60-Day Notice and request for
managing policies, controls, risks, Monkey and settings will be updated to comments; Extension, 1670–0005.
assessments, and deficiencies across opt out of collecting participants’ IP
daltland on DSKBBV9HB2PROD with NOTICES
organizational lines of business. The addresses. SUMMARY: DHS NPPD CS&C will submit
NCSR self-assessment runs every year The Non-Response Survey will be the following Information Collection
from October–December. In efforts of fully electronic and take approximately Request (ICR) to the Office of
increasing participation, the deadline is 10 minutes to complete. The survey will Management and Budget (OMB) for
sometimes extended. The target be administered via Survey Monkey and review and clearance in accordance
audience for the NCSR are personnel settings will be updated to opt out of with the Paperwork Reduction Act of
within the SLTT community who are collecting participants’ IP addresses. 1995.
VerDate Sep<11>2014 19:46 Oct 16, 2018 Jkt 247001 PO 00000 Frm 00125 Fmt 4703 Sfmt 4703 E:\FR\FM\17OCN1.SGM 17OCN1](https://thefederalregister.org/doc/83_FR_52700/page/2.svg)
Document Created: 2018-10-17 01:47:26
Document Modified: 2018-10-17 01:47:26
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Notices | |
| Action | 30-Day Notice and request for comments; New Collection, 1670- NEW. | |
| Dates | Comments are encouraged and will be accepted until November 16, 2018. | |
| Contact | For specific questions related to collection activities, please contact Donna Beach at 703-705-6213 or at [email protected] | |
| FR Citation | 83 FR 52499 |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR