Officer of the Chief Information Security Officer, DHS.
60-Day notice and request for comments; new collection, 1601-NEW.
The Department of Homeland Security, Office of the Chief Information Security Officer, will submit the following Information Collection Request (ICR) to the Office of Management and Budget (OMB) for review and clearance in accordance with the Paperwork Reduction Act of 1995.
Comments are encouraged and will be accepted until October 28, 2019. This process is conducted in accordance with 5 CFR 1320.1.
You may submit comments identified by docket number DHS-2019-0041 http://www.regulations.gov. Please follow the instructions for submitting comments.
Start Supplemental Information
Security vulnerabilities, defined in section 102(17) of the Cybersecurity Information Sharing Act of 2015, are any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control. Security vulnerability mitigation is a process starting with discovery of the vulnerability leading to applying some solution to resolve the vulnerability. There is constantly a search for security vulnerabilities within information systems, from individuals or nation states wishing to bypass security controls to gain invaluable information, to researchers seeking knowledge in the field of cyber security. Bypassing such security controls in the DHS information systems can cause catastrophic damage including but not limited to loss in Personally Identifiable Information (PII), sensitive information gathering, and data manipulation.
Pursuant to section 101 of the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act commonly known as the SECURE Technologies Act individuals, organizations, and companies will be able to submit discovered security vulnerabilities on the Department of Homeland Security (DHS) Information Systems. This collection would be used by these individuals, organizations, and companies who choose to submit a discovered vulnerability in the information system of the DHS.
The form will include the following essential information:
- Vulnerable host(s)
- Necessary information for reproducing the security vulnerability
- Remediation or suggestions for remediation of the vulnerability
- Potential impact on host, if not remediated
This form will allow the DHS to do two things (1) allow the individuals, organizations, and companies who discover vulnerabilities in the information systems of DHS to report their findings to the DHS. (2) give DHS first insight into newly discovered vulnerabilities, as well as zero-day vulnerabilities in order to mitigate the security issues prior to malicious actors acting on the vulnerability for malicious intent. The form will benefit researchers as it will provide a safe and lawful way for them to practice and discover new skills while discovering the vulnerabilities. Meanwhile, it will provide the same benefit to the DHS, in addition to enhanced information system security following the vulnerability mitigation.
Respondents will be able to fill the form out online at https://www.dhs.gov and submit it thereafter. Links to the form will also be available at any of the DHS components websites (https://www.tsa.gov/, https://www.ice.gov/, etc.).
The collection of this information regarding to discovered security vulnerabilities by individuals, organizations, and companies is needed to fulfil the congressional mandate in Section 101 of the SECURE Technologies Act regarding a Vulnerability Disclosure Policy. In addition, without the ability to collect information on newly discovered security vulnerabilities in DHS information systems, the DHS will rely solely on the internal security personnel and or discovery through post occurrence of such a breach on security controls.
The is new collection.
The Office of Management and Budget is particularly interested in comments which:
1. Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;
2. Evaluate the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used;
3. Enhance the quality, utility, and clarity of the information to be collected; and
4. Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submissions of responses.Start Printed Page 45167
Agency: The Department of Homeland Security, Officer of the Chief Information Security Officer.
Title: Vulnerability Discovery Program.
OMB Number: 1601-New.
Frequency: On Occasion.
Affected Public: Private Sector.
Number of Respondents: 3000.
Estimated Time Per Respondent: 3 Hours.
Total Burden Hours: 9000.
End Supplemental Information
Dated: August 15, 2019.
Executive Director, Business Management Office.
[FR Doc. 2019-18576 Filed 8-27-19; 8:45 am]
BILLING CODE 9110-9B-P