Federal Register - August 23, 2021
Text version. What is this? Dateas is an independent website, not affiliated with any government body. The source of the PDF documents we publish is the official agency indicated in each of them. The text versions are unofficial transcriptions that we produce to provide better tools for accessing and searching information, but they may contain errors or may be incomplete.
Source: Federal Register
Federal Register / Vol. 86, No. 160 / Monday, August 23, 2021 / Notices / Page 47132
DATES: Comments are encouraged and will be accepted until September 22, 2021. This process is conducted in accordance with 5 CFR 1320.1
ADDRESSES: Written comments and recommendations for the proposed information collection should be sent within 30 days of publication of this notice to www.reginfo.gov/public/do/PRAMain. Find this particular information collection by selecting "Currently under 30-day Review - Open for Public Comments" or by using the search function.
SUPPLEMENTARY INFORMATION: Security vulnerabilities, as defined in section 102(17) of the Cybersecurity Information Sharing Act of 2015, are any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control. Security vulnerability mitigation is a process that starts with the discovery of the vulnerability and ends with the application of a solution that resolves it.
There is a constant search for security vulnerabilities in information systems, from individuals or nation-states wishing to bypass security controls to obtain valuable information, to researchers seeking knowledge in the field of cybersecurity. Bypassing such security controls in the information systems of DHS and other Federal agencies can cause catastrophic damage, including but not limited to loss of Personally Identifiable Information (PII), collection of sensitive information, and data manipulation.
Pursuant to section 101 of the Strengthening and Enhancing Cybercapabilities by Utilizing Risk Exposure Technology Act, commonly known as the SECURE Technologies Act, individuals, organizations, and/or companies may submit any discovered security vulnerability associated with the information system of any Federal agency. This collection would be used by those individuals, organizations, and/or companies who choose to submit a discovered vulnerability associated with the information system of any Federal agency.
Specifically, DHS and Federal cybersecurity agencies are working to address the recently discovered SolarWinds compromise of Federal agencies and of organizations around the world.
While DHS had previously obtained approval to collect this information on its own behalf, recent cyberattacks exploiting vulnerabilities have demonstrated the need to have this capability government-wide. In 2020, a major cyberattack, nicknamed the SolarWinds cyberattack, by a group backed by a foreign government penetrated thousands of organizations globally, including multiple parts of the United States Federal Government, leading to a series of data breaches. The cyberattack and data breach were reported to be among the worst cyberespionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration (eight to nine months) during which the attackers had access. Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft, and others.
Public Law 116-283, Sec. 1705, which amended 44 U.S.C. 3553, permits extensive sharing of information regarding cybersecurity and the protection of information and information systems from cybersecurity risks between Federal agencies covered by the Federal Information Security Modernization Act and the Department of Homeland Security. This unique authority makes DHS well positioned to host the approval of this information collection on behalf of other Federal agencies.
DHS is requesting, pursuant to 44 U.S.C. 3509, that the information collection be designated so that any Federal agency is able to use the standardized DHS online form to collect its own vulnerability information and post the form on its own agency website.
The form will include the following essential information:
• Vulnerable hosts
• Necessary information for reproducing the security vulnerability
• Remediation or suggestions for remediation of the vulnerability
• Potential impact on the host, if not remediated
This form will allow Federal agencies to complete the following actions: (1) allow the individuals, organizations, and/or companies who discover vulnerabilities in their information systems to report their findings to the agency, and (2) provide the agencies with initial insight into any newly discovered vulnerabilities, including zero-day vulnerabilities, so that the security issues can be mitigated before malicious actors exploit the vulnerability.
The form will also benefit researchers by providing a safe and lawful channel for practicing and developing new methods of discovering vulnerabilities. It will provide the same benefit to Federal agencies and will promote the enhancement of Federal information system security policies.
Respondents will be able to submit their information directly to the agency to which they would like to report a vulnerability. Federal agencies will provide the form electronically via their agency websites.
The information collected does not have an impact on small business or other small entities.
The collection of this information related to the discovery of security vulnerabilities by individuals, organizations, and/or companies is needed to fulfill the congressional mandate in Section 101 of the SECURE Technologies Act related to creating Vulnerability Disclosure Policies. In addition, without the ability to collect information on newly discovered security vulnerabilities associated with Federal agency information systems, Federal agencies will rely solely on internal security personnel and/or on discovery after a breach of security controls has already occurred.
There are no assurances of confidentiality provided. Any PII that is collected will be used for the sole purpose of feedback and dialogue. Federal agencies will ensure that the collection of information is covered by a System of Records Notice and will display a Privacy Notice to the respondents.
There are no changes to the information being collected.
The Office of Management and Budget is particularly interested in comments which:
1. Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;
2. Evaluate the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used;
3. Enhance the quality, utility, and clarity of the information to be collected; and
4. Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submissions of responses.
Analysis
Agency: Department of Homeland Security (DHS).
Title: Vulnerability Discovery Program.
OMB Number: 1601-0028.
Frequency: On Occasion.