[Federal Register Volume 88, Number 237 (Tuesday, December 12, 2023)]
[Notices]
[Pages 86142-86143]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-27216]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY


Agency Information Collection Activities: ReadySetCyber 
Initiative Questionnaire

AGENCY: Cybersecurity and Infrastructure Security Agency (CISA), 
Department of Homeland Security (DHS).

ACTION: 30-Day notice and request for comments; request for a new OMB 
control number, 1670-NEW.

-----------------------------------------------------------------------

SUMMARY: The Cyber Security Division's Vulnerability Management 
Sub-Division within the Cybersecurity and Infrastructure Security Agency (CISA) 
will submit the following information collection request (ICR) to the 
Office of Management and Budget (OMB) for review and clearance. CISA 
previously published this information collection request in the Federal 
Register on August 10, 2023 for a 60-day public comment period. 0 
comments were received by CISA. The purpose of this notice is to allow 
an additional 30 days for public comments.

DATES: Comments are encouraged and will be accepted until January 11, 
2024.

ADDRESSES: Written comments and recommendations for the proposed 
information collection should be sent within 30 days of publication of 
this notice to www.reginfo.gov/public/do/PRAMain. Find this particular 
information collection by selecting ``Currently under 30-day Review--
Open for Public Comments'' or by using the search function.
    The Office of Management and Budget is particularly interested in 
comments which:
    1. Evaluate whether the proposed collection of information is 
necessary for the proper performance of the functions of the agency, 
including whether the information will have practical utility;
    2. Evaluate the accuracy of the agency's estimate of the burden of 
the proposed collection of information, including the validity of the 
methodology and assumptions used;
    3. Enhance the quality, utility, and clarity of the information to 
be collected; and
    4. Minimize the burden of the collection of information on those 
who are to respond, including through the use of appropriate automated, 
electronic, mechanical, or other technological collection techniques or 
other forms of information technology, e.g., permitting electronic 
submissions of responses.

FOR FURTHER INFORMATION CONTACT: Mark Robinson, 202-740-6114, 
[email protected].

SUPPLEMENTARY INFORMATION: Consistent with CISA's authorities to 
``carry out comprehensive assessments of the vulnerabilities of the key 
resources and critical infrastructure of the United States'' at 6 
U.S.C. 652(e)(1)(B) and provide Federal and non-Federal entities with 
``operational and timely technical assistance'' at 6 U.S.C. 659(c)(6) 
and ``recommendation on security and resilience measures'' at 6 U.S.C. 
659(c)(7), CSD VM's ReadySetCyber initiative will collect information 
in order to provide tailored technical assistance, services and 
resources to critical infrastructure organizations from all 16 critical 
infrastructure sectors based on the maturity of their respective 
cybersecurity programs.
    CISA seeks to collect this information from US critical 
infrastructure organizations on a strictly voluntary and fully 
electronic basis so that each organization can be best supported in 
meeting the CISA Cybersecurity Performance Goals. The CISA 
Cybersecurity Performance Goals are a set of 38 voluntary controls 
which aim to reduce the risk of cybersecurity threats to critical 
infrastructure.
    CISA offers a number of services and resources to aid critical 
infrastructure organizations in adopting the Cybersecurity Performance 
Goals and seeks to make discovery of the appropriate services and 
resources as easy as possible, especially for organizations that may 
have cybersecurity programs at low levels of capability. For example, 
an organization that is unsure of its ability to enumerate all its 
assets with Internet Protocol addresses can leverage CISA's highly 
scalable vulnerability scanning service to discover additional assets 
within its network range that may have been previously unknown. 
Organizations with more mature cybersecurity programs who wish to 
evaluate their network segmentation controls will be better positioned 
to take advantage of CISA's more resource-intensive architecture 
assessments.
    To measure adoption of the Cybersecurity Performance Goals and 
assist organizations in finding the best possible services and 
resources for their cybersecurity programs, CISA is seeking to 
establish a voluntary information collection that uses respondents' 
answers to tailor a package of services and resources most applicable 
for their level of program maturity.
    Without collecting this information, CSD VM will be unable to 
tailor an appropriate suite of services, recommendations, and resources 
to assist that organization in protecting itself against cybersecurity 
threats, thereby creating burdens of inefficiency for service 
requesters and CSD VM alike. In addition, this information is critical 
to CSD VM's ability to measure the adoption of CISA's Cybersecurity 
Performance Goals by critical infrastructure organizations and assess 
the maturity of critical infrastructure organizations' cybersecurity 
programs.
    The information to be collected includes: Identity and access 
management, device configuration and security, data security, 
governance and training, vulnerability management, supply chain risk 
management, and incident response.

Analysis

    Agency: Cybersecurity and Infrastructure Security Agency (CISA), 
Department of Homeland Security (DHS).
    Title: ReadySetCyber.
    OMB Number: 1670-NEW.
    Frequency: Upon each voluntary request for technical assistance, 
which CISA expects to occur on an annual basis.
    Affected Public: Critical Infrastructure Owners & Operators seeking 
CISA services.
    Number of Respondents: Approximately 2,000 per year.
    Estimated Time per Respondent: 20 minutes.
    Total Burden Hours: 667 hours.
    Annualized Respondent Cost: $59,663.60.
    Total Annualized Respondent Out-of-Pocket Cost: $0.00.
    Total Annualized Government Cost: $0.

Robert J. Costello,
Chief Information Officer, Department of Homeland Security, 
Cybersecurity and Infrastructure Security Agency.
[FR Doc. 2023-27216 Filed 12-11-23; 8:45 am]
BILLING CODE 9110-9P-P