[Federal Register Volume 86, Number 52 (Friday, March 19, 2021)]
[Notices]
[Pages 14944-14945]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-05767]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
[Docket Number DHS-2021-0009]
Agency Information Collection Activities: Vulnerability Discovery
Program, 1601-0028
AGENCY: Department of Homeland Security (DHS).
ACTION: 60-Day notice and request for comments; extension without
change of a currently approved collection, 1601-0028
-----------------------------------------------------------------------
SUMMARY: The Department of Homeland Security, will submit the following
Information Collection Request (ICR) to the Office of Management and
Budget (OMB) for review and clearance in accordance with the Paperwork
Reduction Act of 1995.
DATES: Comments are encouraged and will be accepted until May 18, 2021.
This process is conducted in accordance with 5 CFR 1320.1
ADDRESSES: You may submit comments, identified by docket number Docket
# DHS-2021-0009, at:
[cir] Federal eRulemaking Portal: http://www.regulations.gov.
Please follow the instructions for submitting comments.
Instructions: All submissions received must include the agency name
and docket number Docket # DHS-2021-0009. All comments received will be
posted without change to http://www.regulations.gov, including any
personal information provided.
Docket: For access to the docket to read background documents or
comments received, go to http://ww.regulations.gov.
SUPPLEMENTARY INFORMATION: Security vulnerabilities, defined in section
102(17) of the Cybersecurity Information Sharing Act of 2015, are any
attribute of hardware, software, process, or procedure that could
enable or facilitate the defeat of a security control. Security
vulnerability mitigation is a process starting with discovery of the
[[Page 14945]]
vulnerability leading to applying some solution to resolve the
vulnerability. There is constantly a search for security
vulnerabilities within information systems, from individuals or nation
states wishing to bypass security controls to gain invaluable
information, to researchers seeking knowledge in the field of cyber
security. Bypassing such security controls in the DHS and other Federal
Agencies information systems can cause catastrophic damage including
but not limited to loss in Personally Identifiable Information (PII),
sensitive information gathering, and data manipulation.
Pursuant to section 101 of the Strengthening and Enhancing Cyber-
capabilities by Utilizing Risk Exposure Technology Act, (commonly known
as the SECURE Technologies Act) individuals, organizations, and/or
companies may submit any discovered security vulnerabilities found
associated with the information system of any Federal agency. This
collection would be used by these individuals, organizations, and/or
companies who choose to submit a discovered vulnerability found
associated with the information system of any Federal agency.
Specifically, DHS and Federal cybersecurity agencies are working to
address the recently discovered SolarWinds hack on Federal agencies and
organizations around the world. While DHS had previously obtained
approval to collect this information on its own behalf, recent cyber
attacks exploiting vulnerabilities have exemplified the need to have
this capability government-wide. In 2020, a major cyberattack,
nicknamed the SolarWinds cyberattack, by a group backed by a foreign
government penetrated thousands of organizations globally including
multiple parts of the United States federal government, leading to a
series of data breaches. The cyberattack and data breach were reported
to be among the worst cyber-espionage incidents ever suffered by the
U.S., due to the sensitivity and high profile of the targets and the
long duration (eight to nine months) in which the hackers had access.
Affected organizations worldwide included NATO, the U.K. government,
the European Parliament, Microsoft and others
Public Law 116-283, Sec. 1705 (which amended 44 U.S.C. 3553)
permits extensive sharing of information regarding cybersecurity and
the protection of information and information systems from
cybersecurity risks between Federal Agencies covered by the Federal
Information Security Modernization Act and the Department of Homeland
Security. This unique authority makes DHS well positioned to host the
approval of this information collection on behalf of other Federal
agencies
DHS is requesting pursuant to 44 US Code 3509, that the information
collection be designated for any Federal agencies ability to utilize
the standardized DHS online form to collect their own agency's
vulnerability information and post the information on their own agency
websites.
The form will include the following essential information:
Vulnerable host(s)
Necessary information for reproducing the security
vulnerability
Remediation or suggestions for remediation of the
vulnerability
Potential impact on host, if not remediated
This form will allow Federal agencies to complete the following
actions; (1) allow the individuals, organizations, and/or companies who
discover vulnerabilities in the information systems to report their
findings to the agency, and (2) provide the agencies initial insight
into any newly discovered vulnerabilities, as well as zero-day
vulnerabilities in order to mitigate the security issues prior to
malicious actors acting upon the vulnerability for malicious intent.
The form will also benefit researchers and will provide a safe and
lawful method to practice and discover new cyber methods to discover
the vulnerabilities. It will provide the same benefit to Federal
agencies and will promote the enhancement of Federal information system
security policies.
Respondents will be able to submit their information directly to
the agency in which they would like to report a vulnerability. Federal
Agencies will provide the form electronically via their agencies
website.
The information collected does not have an impact on small business
or other small entities.
The collection of this information related to the discovery of
security vulnerabilities by individuals, organizations, and/or
companies is needed to fulfill the congressional mandate in Section 101
of the SECURE Technologies Act related to creating Vulnerability
Disclosure Policies. In addition, without the ability to collect
information on newly discovered security vulnerabilities associated
with Federal agency information systems, Federal agencies will rely
solely on the internal security personnel and/or the discovery through
a post occurrence breach of security controls.
There are no assurances of confidentiality provide. Any PII that is
collected will be for the sole purpose of feedback and dialogue.
Federal Agencies will ensure the collection of information is covered
by a Systems of Record Notice and will display a Privacy Notice to the
respondents.
There are no changes to the information being collected.
The Office of Management and Budget is particularly interested in
comments which:
1. Evaluate whether the proposed collection of information is
necessary for the proper performance of the functions of the agency,
including whether the information will have practical utility;
2. Evaluate the accuracy of the agency's estimate of the burden of
the proposed collection of information, including the validity of the
methodology and assumptions used;
3. Enhance the quality, utility, and clarity of the information to
be collected; and
4. Minimize the burden of the collection of information on those
who are to respond, including through the use of appropriate automated,
electronic, mechanical, or other technological collection techniques or
other forms of information technology, e.g., permitting electronic
submissions of responses.
Analysis:
Agency: Department of Homeland Security, (DHS)
Title: Vulnerability Discovery Program
OMB Number: 1601-0028
Frequency: On Occasion
Affected Public: State, Local and Tribal Government
Number of Respondents: 3,000
Estimated Time per Respondent: 1 Hour
Total Burden Hours: 3,000
Robert Dorr,
Executive Director, Business Management Directorate.
[FR Doc. 2021-05767 Filed 3-18-21; 8:45 am]
BILLING CODE 9112-FL-P