SUPPORTING STATEMENT
U.S. Department of Commerce
National Institute of Standards and Technology (NIST)
NCCoE Participant Letter of Interest
OMB Control No. 0693-0075
A. JUSTIFICATION
1. Explain the circumstances that make the collection of information necessary.
In order to fulfill its core mission, the National Cybersecurity Center of Excellence (NCCoE) of the National Institute of Standards and Technology (NIST) publishes in the Federal Register announcements of new collaborative projects to address specific cybersecurity challenges. In the announcements, technology providers having an interest in participating in an announced project are invited to submit Letters of Interest (LoI) in participation. NIST provides a LoI template to technology providers that express a desire to participate in a project. These templates provide a uniform process for vendors to specify the product(s) being submitted for consideration, how the product(s) address(es) one or more of the requirements of the project, and contact information for the company’s representative. Subsequent to the submission of responsive LoIs, NIST invites companies to enter into a Collaborative Research and Development Agreement (CRADA) with NIST on a first come, first served basis.
If this information were not collected, NIST would not have an open and transparent mechanism to invite participation from industry. The LoIs provide all potential collaborators with an opportunity to participate in NCCoE projects, and the templates provide a uniform basis for determining responsiveness of the letters to the project description included in the Federal Register Notice (FRN).
2. Explain how, by whom, how frequently, and for what purpose the information will be used. If the information collected will be disseminated to the public or used to support information that will be disseminated to the public, then explain how the collection complies with all applicable Information Quality Guidelines.
The information collected will be used by NIST staff to evaluate the relevance of each potential NCCoE project collaborator’s proposed contribution to a project as described in an FRN. If the proposed contribution is relevant to the requirements described in the FRN’s project description, the potential collaborator that provided the information will be invited to participate or to enter into a CRADA with NIST for participation in the project. The information collected is not intended primarily for dissemination to the public but is considered to be in the public domain and may be included in publications that result from project activities. Where the NIST NCCoE staff is uncertain regarding the responsiveness of a potential collaborator’s LoI to the requirements of an FRN, clarification regarding the potential collaborator’s contribution may be solicited directly from the technology provider (e.g., hardware or software interface characteristics or product performance specifications). The responses will be retained as evidence of even-handed treatment of potential collaborators in accordance with a stated NCCoE procedure.
3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological techniques or other forms of information technology.
The initial information collection involves completion of a Microsoft Word template delivered as an electronic mail attachment sent by NIST NCCoE staff to determine the responsiveness of a LoI to requirements described in an FRN. Any subsequent requests for clarifications take the form of technical product specification questions directed in electronic mail to the point of contact identified by the proposed collaborator in its LoI. At the discretion of the proposed collaborator, responses may be provided in hard copy rather than electronically. Examples of possible requests for clarification might be “is the cryptography described in your [product identifier] implementation validated in accordance with FIPS 140-2 and employed in its evaluated mode?” and “does your [product identifier] support 2048-bit RSA cryptography?”
4. Describe efforts to identify duplication.
Due to the nature of NIST’s unique mission and programs to further that mission, no similar data exists. This information is unique since it is an expression of a company or other organization’s intent to support a project advertised in an FRN.
5. If the collection of information involves small businesses or other small entities, describe the methods used to minimize burden.
The information collected will create a minimal burden on all respondents. It is a short set of questions identifying the responding organization, acknowledgement of the terms of inclusion as a candidate project collaborator, and a 500 word or less description of the product that the respondent wishes to have included in the NCCoE project. Since a product must be commercially available to be included in an NCCoE project, the answers to these questions should be readily available.
6. Describe the consequences to the Federal program or policy activities if the collection is not conducted or is conducted less frequently.
If this information were not collected, NIST would not have an open and transparent mechanism to invite vendor participation in NCCoE use cases and building blocks, making it very difficult for the NCCoE to meet its core mission of increasing adoption of cybersecurity capabilities and addressing cybersecurity challenges across all sectors of the economy.
7. Explain any special circumstances that require the collection to be conducted in a manner inconsistent with OMB guidelines.
The data collection conducted under this clearance will be conducted in accordance with the guidelines in 5 CFR 1320.5.
8. Provide information of the PRA Federal Register Notice that solicited public comments on the information collection prior to this submission. Summarize the public comments received in response to that notice and describe the actions taken by the agency in response to those comments. Describe the efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.
A 60-day Federal Register Notice soliciting public comments was published on August 24, 2018 (Vol. 83, Number 165, page 42874). No comments were received.
A 30-day Federal Register Notice soliciting public comments was published on November 6, 2018 (Vol. 83, Number 215, page 55522).
9. Explain any decisions to provide payments or gifts to respondents, other than remuneration of contractors or grantees.
NIST will not provide any payment or gift to respondents for any response received.
10. Describe any assurance of confidentiality provided to respondents and the basis for assurance in statute, regulation, or agency policy.
No assurances of confidentiality will be given. The request for information by respondents will be completely voluntary.
Information collected includes PII (such as name / contact information); however, the data is referential in nature only. Records will not be retrieved by a personal identifier; therefore, this is not a Privacy Act System of Records and does not require a SORN or Privacy Act Statement.
11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private.
No sensitive data will be collected.
12. Provide an estimate in hours of the burden of the collection of information.
NIST will conduct an average of 12 separate Federal Register Notice (FRN) requests per year, seeking participation in or for proposed proposals related to cybersecurity.
Specifically, NIST will publish five (5) individual FRNs seeking proposals related to “Use Case Instruments.” NIST estimates that it will receive 10 responses per FRN, for an estimated 50 responses. The estimated time needed to complete the instrument would be 2 hours per response, for an estimated total of 100 burden hours.
Use Case Instrument:
5 FRNs X 10 estimated responses = 50 estimated Responses
50 estimated Responses x 2 hours = 100 estimated Burden Hours
NIST will publish seven (7) individual FRNs seeking proposals related to “Building Block Instruments.” NIST estimates that it will receive 10 responses per FRN. The estimated time needed to complete the instrument would be 2 hours per response, for an estimated total of 140 burden hours.
Building Block Instrument:
7 FRNs X 10 responses = 70 Responses
70 Responses x 2 hours = 140 Burden Hours
Total estimated number of responses: 50 (Use Case Proposal) + 70 (Building Block Proposal) for an estimated total of 120.
Total estimated time needed to complete an instrument: 2 hours.
Total Estimated Burden Hours: 120 x 2 = 240 hours.
13. Provide an estimate of the total annual cost burden to the respondents or record-keepers resulting from the collection (excluding the value of the burden hours in Question 12 above).
The total annual cost to the public is $50.
14. Provide estimates of annualized cost to the Federal government.
Estimates of annualized costs to the Federal government:
| | Admin Hrs. | Hourly Rate | Per FRN | # of FRNs | TOTAL |
| FRNs | 4.5 | $57.18 | $257.31 | 12 | $3,087.72 |
| | 8 | $133 | $1,063.20 | 12 | $12,758.40 |
| LOI Review | 15 | $133 | $1,995 | 120 | $239,400 |
| TOTAL | | | | | $255,246 |
15. Explain the reasons for any program changes or adjustments.
Administrative updates for this renewal, including address and contact information changes.
16. For collections whose results will be published, outline the plans for tabulation and publication.
The results from these data collection activities are not intended for general publication; however, the results will/may be disseminated to NIST staff, key policy and management officials.
17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons why display would be inappropriate.
The instrument will display the OMB Control No. and expiration date along with the following notwithstanding statement.
OMB Control No. 0693-0075
Expiration Date: 11-30-2018
This collection of information contains Paperwork Reduction Act (PRA) requirements approved by the Office of Management and Budget (OMB). Notwithstanding any other provisions of law, no person is required to respond to, nor shall any person be subject to a penalty for failure to comply with, a collection of information subject to the requirements of the PRA unless that collection of information displays a currently valid OMB control number. Public reporting burden for this collection is estimated to be 2 hours per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed and completing and reviewing the collection of information. Persons wishing to comment on the burden estimate or any aspect of this collection of information, or offer suggestions for reducing this burden, should send their comments to Debbie Mowatt, telephone 301-975-0215, Deborah.Mowatt@nist.gov.
18. Explain each exception to the certification statement.
NIST does not require any exceptions.
B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS
Collections will not employ statistical methods.
File Type | application/msword |
Author | dyonder |
Last Modified By | SYSTEM |
File Modified | 2018-12-19 |
File Created | 2018-12-19 |