[Federal Register Volume 84, Number 132 (Wednesday, July 10, 2019)]
[Notices]
[Pages 32930-32931]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-14698]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

[Docket No. CISA-2019-0007]


Cybersecurity and Infrastructure Security Agency Vulnerability 
Assessments

AGENCY: Infrastructure Security Division (ISD), Cybersecurity and 
Infrastructure Security Agency (CISA), Department of Homeland Security 
(DHS).

ACTION: 60-Day notice and request for comments; Revision, 1670-0035.

-----------------------------------------------------------------------

SUMMARY: DHS CISA ISD will submit the following information collection 
request (ICR) to the Office of Management and Budget (OMB) for review 
and clearance in accordance with the Paperwork Reduction Act of 1995.

DATES: Comments are due by September 9, 2019.

ADDRESSES: You may submit comments, identified by docket number 
CISA-2019-0007, by one of the following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Please follow the instructions for submitting comments.
     Email: [email protected]. Please include docket 
number CISA-2019-0007 in the subject line of the message.
     Mail: Written comments and questions about this 
Information Collection Request should be forwarded to DHS/CISA/ISD, 
ATTN: 1670-0035, 245 Murray Lane SW, Mail Stop 0602, Washington, DC 
20598-0602.
    Instructions: All submissions received must include the words 
``Department of Homeland Security'' and the docket number for this 
action. Comments received will be posted without alteration at http://www.regulations.gov, including any personal information provided.
    Docket: For access to the docket and comments received, please go 
to www.regulations.gov and enter docket number CISA-2019-0007.
    Comments submitted in response to this notice may be made available 
to the public through relevant websites. For this reason, please do not 
include in your comments information of a confidential nature, such as 
sensitive personal information or proprietary information. If you send 
an email comment, your email address will be automatically captured and 
included as part of the comment that is placed in the public docket and 
made available on the internet. Please note that responses to this 
public comment request containing any routine notice about the 
confidentiality of the communication will be treated as public comments 
that may be made available to the public notwithstanding the inclusion 
of the routine notice.

FOR FURTHER INFORMATION CONTACT: Ricky Morgan, 866-844-8163, 
[email protected].

SUPPLEMENTARY INFORMATION: The Homeland Security Presidential 
Directive-7, the Presidential Policy Directive-21, and the National 
Infrastructure Protection Plan highlight the need for a centrally 
managed repository of infrastructure attributes capable of assessing 
risks and facilitating data sharing. To support this mission need, the 
DHS CISA ISD has developed a data collection system that contains 
several capabilities which support the homeland security mission in the 
area of critical infrastructure (CI) protection.
    Protective Security Advisors (PSAs) and Cyber Security Advisors 
(CSAs) conduct voluntary assessments on CI facilities. These 
assessments are web-based and are used to collect an organization's 
basic, high-level information, and its dependencies. This data is then 
used to determine a Protective Measures Index (PMI) and a Resilience 
Measures Index (RMI) for the assessed organization. This information 
allows an organization to see how it compares to other organizations 
within the same sector, and to see how adjusting certain aspects would 
change its score. This allows the organization to then 
determine where best to allocate funding and perform other high level 
decision making processes pertaining to the security and resiliency of 
the organization.
    The information will be gathered by site visits, arranged between 
the organization owners and DHS PSAs or CSAs. The PSA or CSA will then 
visit the site and perform the assessment, as requested. They then 
return to complete the vulnerability assessment and input the data into 
the system where the data is then accessible to system users. Once 
available, the organization and other relevant system users can then 
review the data and use it for planning, risk identification, 
mitigation and decision making. All data is captured electronically by 
the PSA, CSA or by the organization as a self-assessment. The 
vulnerability assessments are voluntary but are required in order for 
the organization to receive an evaluation of their security posture.
    After assessments are input into the system, the user is prompted 
to participate in a feedback questionnaire. Every user is prompted to 
participate in the Post Assessment questionnaire after entering an 
assessment. Participation in the Post Assessment questionnaire is 
voluntary. The Post Assessment Questionnaires are designed to capture 
feedback about a vulnerability assessment and the system. There are 
three different questionnaires correlated and prompted after entering a 
particular assessment into the database. The results are used 
internally within DHS to make programmatic improvements.
    The collection of information uses automated electronic 
vulnerability assessments and questionnaires. The vulnerability 
assessments and questionnaires are electronic in nature and include 
questions that measure the security, resiliency and dependencies of an 
organization. The vulnerability assessments are arranged at the request 
of an organization and are then scheduled and performed by a PSA or 
CSA.
    The changes to the collection since the previous OMB approval 
include updating the title of the collection, adding three customer 
feedback questionnaires, and increasing the burden estimates and costs. 
The three questionnaires were added to the collection to provide user 
feedback on the content and functionality of the system. The addition 
of the questionnaires has increased the burden estimates by $3,861.
    The annual burden cost for the collection has increased by 
$121,591, from $1,786,166 to $1,907,757, due to the addition of the 
Post Assessment Questionnaires and updated wage rates.
    The annual government cost for the collection has increased by 
$509,195, from $1,710,959 to $2,220,152, due to the addition of the 
Post Assessment Questionnaires and updated wage rates.
    This is a revision and renewal of an information collection.
    OMB is particularly interested in comments that:
    1. Evaluate whether the proposed collection of information is 
necessary for the proper performance of the functions of the agency, 
including whether the information will have practical utility;
    2. Evaluate the accuracy of the agency's estimate of the burden of 
the proposed collection of information, including the validity of the 
methodology and assumptions used;
    3. Enhance the quality, utility, and clarity of the information to 
be collected; and
    4. Minimize the burden of the collection of information on those 
who are to respond, including through the use of appropriate automated, 
electronic, mechanical, or other technological collection techniques or 
other forms of information technology, e.g., permitting electronic 
submissions of responses.
    Title of Collection: Cybersecurity and Infrastructure Security 
Agency Vulnerability Assessments.
    OMB Control Number: 1670-0035.
    Frequency: Annually.
    Affected Public: State, Local, Tribal, and Territorial Governments 
and Private Sector Individuals.
    Number of Annualized Respondents: 3,181.
    Estimated Time per Respondent: 7.5 hours, 0.17 hours.
    Total Annualized Burden Hours: 21,907 hours.
    Total Annualized Respondent Opportunity Cost: $1,907,757.
    Total Annualized Respondent Out-of-Pocket Cost: $0.
    Total Annualized Government Cost: $2,220,152.

Scott Libby,
Deputy Chief Information Officer.
[FR Doc. 2019-14698 Filed 7-9-19; 8:45 am]
 BILLING CODE 9910-9P-P