Agency Information Collection Activities: ReadySetCyber Initiative Questionnaire

Federal Register, Dec 12, 2023
88 Fed. Reg. 86142 (Dec. 12, 2023)

AGENCY:

Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS).

ACTION:

30-Day notice and request for comments; request for a new OMB control number, 1670–NEW.

SUMMARY:

The Cyber Security Division's Vulnerability Management Sub-Division within the Cybersecurity and Infrastructure Security Agency (CISA) will submit the following information collection request (ICR) to the Office of Management and Budget (OMB) for review and clearance. CISA previously published this information collection request in the Federal Register on August 10, 2023 for a 60-day public comment period. 0 comments were received by CISA. The purpose of this notice is to allow an additional 30 days for public comments.

DATES:

Comments are encouraged and will be accepted until January 11, 2024.

ADDRESSES:

Written comments and recommendations for the proposed information collection should be sent within 30 days of publication of this notice to www.reginfo.gov/public/do/PRAMain. Find this particular information collection by selecting “Currently under 30-day Review—Open for Public Comments” or by using the search function.

The Office of Management and Budget is particularly interested in comments which:

1. Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;

2. Evaluate the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used;

3. Enhance the quality, utility, and clarity of the information to be collected; and

4. Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submissions of responses.

FOR FURTHER INFORMATION CONTACT:

Mark Robinson, 202–740–6114, mark.robinson@hq.dhs.gov.

SUPPLEMENTARY INFORMATION:

Consistent with CISA's authorities to “carry out comprehensive assessments of the vulnerabilities of the key resources and critical infrastructure of the United States” at 6 U.S.C. 652(e)(1)(B) and provide Federal and non-Federal entities with “operational and timely technical assistance” at 6 U.S.C. 659(c)(6) and “recommendation on security and resilience measures” at 6 U.S.C. 659(c)(7), CSD VM's ReadySetCyber initiative will collect information in order to provide tailored technical assistance, services and resources to critical infrastructure organizations from all 16 critical infrastructure sectors based on the maturity of their respective cybersecurity programs.

CISA seeks to collect this information from US critical infrastructure organizations on a strictly voluntary and fully electronic basis so that each organization can be best supported in meeting the CISA Cybersecurity Performance Goals. The CISA Cybersecurity Performance Goals are a set of 38 voluntary controls which aim to reduce the risk of cybersecurity threats to critical infrastructure.

CISA offers a number of services and resources to aid critical infrastructure organizations in adopting the Cybersecurity Performance Goals and seeks to make discovery of the appropriate services and resources as easy as possible, especially for organizations that may have cybersecurity programs at low levels of capability. For example, an organization that is unsure of its ability to enumerate all its assets with Internet Protocol addresses can leverage CISA's highly scalable vulnerability scanning service to discover additional assets within its network range that may have been previously unknown. Organizations with more mature cybersecurity programs who wish to evaluate their network segmentation controls will be better positioned to take advantage of CISA's more resource-intensive architecture assessments.

To measure adoption of the Cybersecurity Performance Goals and assist organizations in finding the best possible services and resources for their cybersecurity programs, CISA is seeking to establish a voluntary information collection that uses respondents' answers to tailor a package of services and resources most applicable for their level of program maturity.

Without collecting this information, CSD VM will be unable to tailor an appropriate suite of services, recommendations, and resources to assist that organization in protecting itself against cybersecurity threats, thereby creating burdens of inefficiency for service requesters and CSD VM alike. In addition, this information is critical to CSD VM's ability to measure the adoption of CISA's Cybersecurity Performance Goals by critical infrastructure organizations and assess the maturity of critical infrastructure organizations' cybersecurity programs.

The information to be collected includes: identity and access management, device configuration and security, data security, governance and training, vulnerability management, supply chain risk management, and incident response.

Analysis

Agency: Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS).

Title: ReadySetCyber.

OMB Number: 1670–NEW.

Frequency: Upon each voluntary request for technical assistance, which CISA expects to occur on an annual basis.

Affected Public: Critical Infrastructure Owners & Operators seeking CISA services.

Number of Respondents: Approximately 2,000 per year.

Estimated Time per Respondent: 20 minutes.

Total Burden Hours: 667 hours.

Annualized Respondent Cost: $59,663.60.

Total Annualized Respondent Out-of-Pocket Cost: $0.00.

Total Annualized Government Cost: $0.

Robert J. Costello,

Chief Information Officer, Department of Homeland Security, Cybersecurity and Infrastructure Security Agency.

[FR Doc. 2023–27216 Filed 12–11–23; 8:45 am]

BILLING CODE 9110–9P–P