[Federal Register Volume 88, Number 81 (Thursday, April 27, 2023)]
[Notices]
[Pages 25670-25672]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-08823]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

[Docket No. CISA-2023-0001]


Agency Information Collection Activities: Request for Comment on 
Secure Software Development Attestation Common Form

AGENCY: Cybersecurity and Infrastructure Security Agency (CISA), 
Department of Homeland Security (DHS).

ACTION: 60-Day notice and request for comments; new collection (request 
for a new OMB control number).

-----------------------------------------------------------------------

[[Page 25671]]

SUMMARY: In accordance with the requirements of the Paperwork Reduction 
Act (PRA) of 1995, the Cybersecurity and Infrastructure Security Agency 
(CISA) of the Department of Homeland Security (DHS), is soliciting 
public comment on a self-attestation form to be used by software 
producers in accordance with the Executive Order on Improving the 
Nation's Cybersecurity and the Office of Management and Budget's 
guidance in OMB M-22-18, Enhancing the Security of the Software Supply 
Chain through Secure Software Development Practices. In accordance with 
OMB M-22-18, Section III.C, CISA has agreed to serve as steward for 
this collection. After obtaining and considering public comment, CISA 
will prepare the submission requesting clearance of this collection as 
a Common Form to permit other agencies beyond DHS to use this form in 
order to streamline the information collection process in coordination 
with OMB.

DATES: Comments are encouraged and will be accepted until June 26, 
2023.

ADDRESSES: You may submit comments, identified by docket number Docket 
# CISA-2023-0001, at:
    [cir] Federal eRulemaking Portal: https://www.regulations.gov. 
Please follow the instructions for submitting comments.
    Instructions: All submissions received must include the agency name 
and docket number Docket # CISA-2023-0001. All comments received will 
be posted without change to https://www.regulations.gov, including any 
contact information provided.
    Docket: For access to the docket to read background documents or 
comments received, go to https://www.regulations.gov.

SUPPLEMENTARY INFORMATION: 

I. Background

    In response to incidents such as the Colonial Pipeline and Solar 
Winds attacks, on May 12, 2021, President Biden signed E.O. 14028,\1\ 
Improving the Nation's Cybersecurity. This order outlines over 55 
actions. This Executive order addresses seven key points:
---------------------------------------------------------------------------

    \1\ 86 FR 26633, available at https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity.

 Remove barriers to cyber threat information sharing between 
government and the private sector
 Modernize and implement more robust cybersecurity standards in 
the Federal Government
 Improve software supply chain security
 Establish a Cybersecurity Safety Review Board
 Create a standard playbook for responding to cyber incidents
 Improve detection of cybersecurity incidents on Federal 
Government networks
 Improve investigative and remediation capabilities

    Section 4, Enhancing Software Supply Chain Security, observed, 
``The development of commercial software often lacks transparency, 
sufficient focus on the stability of the software to resist attack, and 
adequate controls to prevent tampering by malicious actors.'' To 
address these concerns, the Executive order required the National 
Institute of Standards and Technology (NIST) to issue guidance 
including standards, procedures, or criteria to strengthen the security 
of the software supply chain.
    To put this guidance into practice, the Executive order, through 
the Office of Management and Budget (OMB), requires agencies to only 
use software provided by software producers who can attest to complying 
with Federal Government-specified secure software development 
practices, as described in NIST Special Publication (SP) 800-218 Secure 
Software Development Framework.\2\ OMB implemented this requirement 
through OMB memorandum M-22-18 dated September 14, 2022.\3\ 
Specifically, M-22-18 requires agencies to ``obtain a self-attestation 
from the software producer before using the software.'' This 
requirement applies to new software developed after the date of memo 
issuance (September 14, 2022) as well as existing software that is 
modified by major version changes after the date of memo issuance. OMB 
M-22-18 brings into existence a new and sizeable conformity assessment 
community. The memorandum introduces conformity assessment expectations 
and activities for the supply chain starting with the software producer 
and ending with the federal agency putting the software in to use. 
CISA's common self-attestation form does not preclude agencies from 
adding agency-specific requirements to the minimum requirements in 
CISA's common self-attestation form. However, any agency specific 
attestation requirements, modification and/or supplementation of these 
common forms will require clearance by OMB/OIRA under the PRA process 
and are not covered by this notice.
---------------------------------------------------------------------------

    \2\ Nat'l. Institute of Standards & Tech., SP 800-218, Secure 
Software Development Framework (SSDF) Version 1.1 (2002), available 
at https://csrc.nist.gov/publications/detail/sp/800-218/final.
    \3\ Off. of Mgmt. & Budget, Exec. Off. of the President, M-22-
18, Enhancing the Security of the Software Supply Chain through 
Secure Software Development Practices (2022), available at https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf.
---------------------------------------------------------------------------

II. Invitation to Comment

    The following analysis of the burden associated with this proposed 
information collection is specific to DHS as the agency sponsoring the 
common form. For the purposes of estimating the number of respondents, 
DHS has made the following assumptions and welcomes comments on all 
assumptions.
    1. DHS is assuming vendors would have 2,689 initial form 
submissions and 1,345 resubmissions of the form, due to major software 
changes, per year. This estimate applies across DHS, including all 
component agencies. DHS based this estimate on initial contract award 
data for Fiscal Years 2019 through 2022 from DHS's Federal Procurement 
Data System (FPDS). DHS utilized data for contract awards that could, 
in the future, include a response to this collection based on FPDS 
Product and Service Code (PSC) of ``D'' Automatic Data Processing and 
Telecommunication and ``R'' Professional, Administrative and Management 
Support.
    Time burden for the attestation form includes time to review the 
form and understand requirements, gather information, review, and 
approve the release of information and submission. DHS assumes a three-
hour burden per initial submission \4\ for a software quality assurance 
analyst or tester and an additional 20 minutes per initial submission 
for a Chief Information Security Officer (CISO). Vendors would have to 
resubmit the attestation form for major software changes, and DHS 
assumes half the number of initial submissions will result in a 
resubmission. DHS assumes that resubmissions would take 1 hour and 30 
minutes for a software quality assurance analyst or tester and retains 
20 minutes for a CISO. DHS acknowledges the information collection 
request allows for a vendor to use a prior submitted form for multiple 
agencies. DHS welcomes public comment on how frequently this might 
happen and how

[[Page 25672]]

to reduce respondent burdens due to this collection, where feasible.
---------------------------------------------------------------------------

    \4\ DHS based the estimated 3 hours on an information collection 
request related to contractor information security for certain 
telecommunications and video surveillance services or equipment. 
While not exactly the same requirements or scope, DHS found the 
burdens of 0199 collection to be similar to the burden in this 
proposed new collection. For more information, see Supporting 
Statement for OMB Control Number 9000-0199. https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202009-9000-002.
---------------------------------------------------------------------------

    To estimate opportunity costs, DHS uses an hourly compensation rate 
of $67.90 for a software quality assurance analyst or tester and 
$177.66 for a CISO.\5\ DHS estimates software quality assurance analyst 
or tester annual hours would be 10,084 for initial and resubmissions by 
multiplying $67.90 compensation rate to estimate the opportunity cost 
of $684,733. DHS estimates CISO annual hourly burden of 1,345 hours and 
multiplying $177.66 compensation rate to a CISO estimate the 
opportunity cost of $238,890. DHS combines these two opportunity costs 
to calculate a total opportunity cost for the collection of $923,623.
---------------------------------------------------------------------------

    \5\ DHS uses wage estimates based on Bureau of Labor Statistics 
(BLS) Occupational Employment Statistics (OES). Within NAICS 
industry 541500--Computer Systems Design and Related Services, DHS 
uses mean hourly wage rates for Software Quality Assurance Analysts 
and Testers (SOC 15-1253) at $47.09 and Chief Executives (11-1011) 
at $123.21. DHS applies a compensation factor of 1.44191 based on 
total hourly compensation of $67.64 divided by $46.91 wages/salaries 
for Private Industry Workers Management, Professional, and Related 
Occupations Sources: https://www.bls.gov/oes/2021/may/naics4_541500.htm (BLS, OES: May 2021 National Industry Specific 
Occupational Employment and Wage Estimates.) BLS, Employer Cost for 
Employment Compensation (ECEC Table 4)): https://www.bls.gov/news.release/archives/ecec_03172023.htm (released March 17, 2023).
---------------------------------------------------------------------------

    2. DHS is assuming if a vendor needs to provide any additional 
attestation artifacts or documentation, including a Software Bill of 
Materials (SBOMs), that this information would be readily available and 
would not have to be generated specifically for doing business with the 
government. DHS is interested in comments on the burden and costs if 
SBOMs or additional artifacts materials need to be generated or 
reformatted to fulfill an agency/component request.
    3. For the purposes of this initial collection, DHS is proposing 
the common form be a fillable/fileable PDF form. Vendors could access 
the form on the DHS/CISA website and submit via the DHS website OR 
email the completed form to [email protected]. Other agencies will 
be required to seek approval to use the common form by submitting their 
agency-specific burden and cost analyses to OMB.
    Input is requested on any aspect of the proposed common form 
including the instructions. DHS/CISA is particularly interested in
    1. If the proposed collection of information to implement 
requirements of both the E.O. and the OMB guidance will have practical 
utility;
    2. If DHS has accurately estimated the burden of the proposed 
collection of information, including the validity of the methodology 
and assumptions used;
    3. Other ways for DHS to enhance the quality, utility, and clarity 
of the information to be collected; and
    4. How DHS could minimize the burden of the collection of 
information on those who are to respond, including through the use of 
appropriate automated, electronic, mechanical, or other technological 
collection techniques or other forms of information technology, e.g., 
permitting electronic submissions of responses.

Analysis

    Agency: Cybersecurity and Infrastructure Security Agency (CISA), 
Department of Homeland Security (DHS).
    Title: Secure Software Development Attestation.
    OMB Control Number: [Insert DHS/CISA 4 Digit Prefix Then XXX].
    Type of Review: Request for a new OMB Control Number, New Common 
Form.
    Expiration Date of Approval: Not Applicable.
    Frequency: Annually.
    Affected Public: Business--Software Producers.
    Estimated Number of Respondents: 2,689.
    Estimated Number of Responses per Respondent: 1.5.
    Estimated Number of Responses: 4,034.
    Estimated Time for Initial Submission per Respondent: 3 hours and 
20 minutes.
    Estimated Time for Resubmission per Respondent: 1 hour and 50 
minutes.
    Total Annualized Burden Hours for Initial Submissions: 8,963 hours.
    Total Annualized Burden Hours for Resubmissions: 2,466 hours.
    Total Annualized Burden Hours: 11,429 hours.
    Total Annualized Respondent Opportunity Cost: $923,623.

Robert J. Costello,
Chief Information Officer, Department of Homeland Security, 
Cybersecurity and Infrastructure Security Agency.
[FR Doc. 2023-08823 Filed 4-26-23; 8:45 am]
BILLING CODE 9110-9P-P