24-06867b - 1670-0037-CISA Reporting Forms_2_30-day FRN_SSA_v2_Updated

CISA Reporting Forms

OMB: 1670-0037

Supporting Statement for Paperwork Reduction Act Submissions


Title:

Clearance for the Collection of Information through


CISA Reporting Forms


OMB Control Number: 1670-0037


Supporting Statement A


A. Justification


1. Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information.


Section 2209 of the Homeland Security Act, as amended, established a national cybersecurity and communications integration center to function as “a Federal civilian interface for the multi-directional and cross-sector sharing of information related to cyber threat indicators, defensive measures, cybersecurity risks, incidents, analysis, and warnings for Federal and non-Federal entities.” 6 U.S.C. § 659(c)(1). The Federal Information Security Modernization Act of 2014 (FISMA) established a federal information security incident center and required the Department to operate it. 44 U.S.C. § 3556(a).


The Cybersecurity and Infrastructure Security Agency (CISA) operates the federal information security incident center. Through this center, FISMA required the Department to provide technical assistance and guidance on detecting and handling security incidents, compile and analyze incident information that threatens information security, inform agencies of current and potential threats and vulnerabilities, and provide intelligence or other information about cyber threats, vulnerabilities, and incidents to agencies. 44 U.S.C. § 3556(a). FISMA also required agencies to report information security incidents, major incidents, and data breaches to the federal information security incident center. 44 U.S.C. § 3556(b) (information security incidents), 44 U.S.C. § 3554(b)(7)(C)(iii)(III) (major incidents); Pub. L. No. 113-283, § 2(d) (2014) (codified at 44 U.S.C. § 3553, note (Breaches)). The Cybersecurity Information Sharing Act of 2015 (CISA 2015) requires DHS, in consultation with interagency partners, to establish the Federal Government’s capability and process for receiving cyber threat indicators and defensive measures, and directs DHS to further share cyber threat indicators and defensive measures it receives with certain federal entities in an automated and real-time manner. 6 U.S.C. § 1504(c).

CISA’s critical mission activities also include:

  • Providing cybersecurity protection to Federal civilian executive branch agencies through intrusion detection and prevention capabilities.

  • Responding to incidents and analyzing data about emerging cyber threats.

  • Collaborating with foreign governments and international entities to enhance the nation’s cybersecurity posture.

  • Responding to and analyzing control systems-related incidents.

  • Conducting vulnerability, malware, and digital media analysis.

  • Providing onsite incident response services.

  • Providing situational awareness in the form of actionable intelligence.

  • Coordinating the responsible disclosure of vulnerabilities and associated mitigations.

  • Sharing and coordinating vulnerability information and threat analysis through information products and alerts.

CISA is responsible for performing, coordinating, and supporting response to information security incidents, which may originate outside the Federal community and affect users within it, or originate within the Federal community and affect users outside of it. Often, therefore, the effective handling of security incidents relies on information sharing among individual users, industry, and the Federal Government, which may be facilitated by and through CISA.


CISA’s website (at https://www.cisa.gov/) is a primary tool used by constituents to report incident information, access information sharing products and services, and interact with CISA. Constituents, which may include anyone or any entity in the public, use forms located on the website to complete these activities.


2. Indicate how, by whom, and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.


By accepting incident reports and feedback, and by working with federal agencies, industry, the research community, state and local governments, and others to disseminate reasoned and actionable cybersecurity information to the public, CISA has provided a way for citizens, businesses, and other institutions to communicate and coordinate directly with the Federal Government about cybersecurity. This information collection request is a renewal of an existing collection of information. There are minor changes to the forms, questions, and other collection instruments; these changes reflect the addition of questions for reporting purposes. With this renewal, CISA is replacing the current Advanced Malware Analysis Capability (AMAC) submission form with the Malware Analysis Submission Form (“Malware Next-Gen”), but that form’s questions will not change. The changes to the collection since the previous OMB approval also include updated burden and cost estimates, discussed later in this submission.


The information is collected via the following forms:


  1. The Incident Reporting Form, the DHS Cyber Threat Indicator and Defensive Measure Submission System, and the Malware Analysis Submission Form enable end users to report incidents and indicators, and to submit malware artifacts associated with incidents, to CISA. DHS uses this information to conduct analyses, provide warnings of system threats and vulnerabilities, and develop mitigation strategies as appropriate. These forms also request the user’s name, e-mail address, organization, and infrastructure sector. The primary purpose for collecting this contact information is to allow DHS to contact requestors regarding their request.


  2. The Mail Lists Form enables end users to subscribe to the National Cyber Awareness System’s mailing lists, which deliver the content of, and links to, CISA’s information sharing products. The user must provide an e-mail address in order to subscribe or unsubscribe, though subscribing or unsubscribing is optional. The primary purpose for collecting this information is to allow DHS to contact requestors regarding their request.


  3. The Cyber Security Evaluation Tool (CSET) Download Form requests the name, e-mail address, organization, infrastructure sector, country, and intended use of those seeking to download CSET. All requested fields are optional. The primary purpose for collecting this information is to allow DHS to contact requestors regarding their request.




3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.


Incident reports are primarily submitted using CISA’s incident auto-submission interface. Alternatively, information may be collected through web-based electronic forms, e-mail, or telephone. Web form submission is also the collection method for the other forms listed. These methods enable individuals, private sector entities, personnel working at other federal or state agencies, and international entities, including other nations’ governments, to submit information.


CISA conducted usability testing on all forms to help verify the burden hours and the ease of use. Usability testing participants had no difficulty navigating the forms. Based on their suggestions, CISA did not adjust the burden hours for this collection.


4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Item 2 above.



The forms enable users to submit incident information as new incidents occur, provide feedback as corrective action information is published, and register for new subscriptions or upcoming events. Similar information that is already available pertains to past incidents, products, and events. New submissions contain unique information.


A search of reginfo.gov provided a few incident reporting collections; however, none of the other incident reporting collections were related to providing a mechanism for reporting cyber incidents outside of the Federal community.


5. If the collection of information impacts small businesses or other small entities (Item 5 of OMB Form 83-I), describe any methods used to minimize.


The collection will not have a significant economic impact on a substantial number of small entities, as indicated in item five of OMB Form 83-I.


6. Describe the consequence to Federal/DHS program or policy activities if the collection of information is not conducted, or is conducted less frequently, as well as any technical or legal obstacles to reducing burden.


The collection is necessary to the proper performance of agency functions. Without active participation from users, the effectiveness of CISA’s services would be greatly diminished. This is particularly the case with reporting. FISMA requires agencies to report information security incidents, major incidents, and data breaches to the federal information security incident center within CISA, and CISA is consequently authorized to receive them. CISA’s legal obligations, particularly with respect to the reporting of cybersecurity incidents, depend on CISA’s ability to collect certain information.



7. Explain any special circumstances that would cause an information collection to be conducted in a manner:


(a) Requiring respondents to report information to the agency more often than quarterly.

(b) Requiring respondents to prepare a written response to a collection of information in fewer than 30 days after receipt of it.

(c) Requiring respondents to submit more than an original and two copies of any document.

(d) Requiring respondents to retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years.

(e) In connection with a statistical survey, that is not designed to produce valid and reliable results that can be generalized to the universe of study.

(f) Requiring the use of a statistical data classification that has not been reviewed and approved by OMB.

(g) That includes a pledge of confidentiality that is not supported by authority established in statute or regulation, that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use.

(h) Requiring respondents to submit proprietary trade secret, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information’s confidentiality to the extent permitted by law.



  (a) CISA must be notified of all computer security incidents, as defined, involving a Federal Government information system within one hour of being positively identified by the agency’s Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or Information Technology (IT) department.

  (b) N/A

  (c) N/A

  (d) N/A

  (e) N/A

  (f) N/A

  (g) N/A

  (h) N/A


8. Federal Register Notice:

a. Provide a copy and identify the date and page number of publication in the Federal Register of the agency’s notice soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the agency in response to these comments. Specifically address comments received on cost and hour burden.

b. Describe efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.

c. Describe consultations with representatives of those from whom information is to be obtained or those who must compile records. Consultation should occur at least once every three years, even if the collection of information activities is the same as in prior periods. There may be circumstances that may preclude consultation in a specific situation. These circumstances should be explained.




Notice                           Date of Publication   Volume #   Number #   Page #        Comments Addressed
60-Day Federal Register Notice   6/24/2024             89         123        53436-53437   0
30-Day Federal Register Notice   10/21/2024            89         203        84183-84184   0


A 60-day notice for comments was published in the Federal Register on June 24, 2024. No comments were received in response to the 60-day notice.

A 30-day notice for comments was published in the Federal Register on October 21, 2024. No comments were received in response to the 30-day notice.



9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.


There is no offer of monetary or material value for this information.


10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.



For cyber threat indicators shared under CISA 2015, Federal entities are required to apply appropriate controls to protect the confidentiality of cyber threat indicators that contain personal information of a specific individual or information that identifies a specific individual that is directly related to a cybersecurity threat or a use authorized under CISA 2015 to the greatest extent practicable. See 6 U.S.C. § 1504(b); Department of Homeland Security and Department of Justice, Privacy and Civil Liberties Final Guidelines: Cybersecurity Information Sharing Act of 2015, June 15, 2018. CISA 2015 also provides additional protections for cyber threat indicators and defensive measures shared consistent with CISA 2015, including considering the cyber threat indicator or defensive measure the commercial, financial, and proprietary information of the submitting non-Federal entity when so designated by the non-Federal entity and exempting the cyber threat indicator and defensive measure from disclosure under section 552 of title 5, U.S. Code, and any state, tribal, or local provision of law requiring disclosure of information or records. 6 U.S.C. § 1504(d). The information collected may be disclosed as generally permitted under 5 U.S.C. § 552a(b) of the Privacy Act of 1974, as amended.




11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private. This justification should include the reasons why the agency considers the questions necessary, the specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.


There are no questions of sensitive nature.


12. Provide estimates of the hour burden of the collection of information. The statement should:



a. Indicate the number of respondents, frequency of response, annual hour burden, and an explanation of how the burden was estimated. Unless directed to do so, agencies should not conduct special surveys to obtain information on which to base hour burden estimates. Consultation with a sample (fewer than 10) of potential respondents is desired. If the hour burden on respondents is expected to vary widely because of differences in activity, size, or complexity, show the range of estimated hour burden, and explain the reasons for the variance. Generally, estimates should not include burden hours for customary and usual business practices.

b. If this request for approval covers more than one form, provide separate hour burden estimates for each form and aggregate the hour burdens in Item 13 of OMB Form 83-I.

c. Provide estimates of annualized cost to respondents for the hour burdens for collections of information, identifying and using appropriate wage rate categories. The cost of contracting out or paying outside parties for information collection activities should not be included here. Instead, this cost should be included in Item 14.


The Cybersecurity and Infrastructure Security Agency (CISA) estimates that 26,000 respondents per year will respond to the Incident Reporting Form alone; across all five forms, CISA estimates a total of 139,125 respondents per year (see Table 1). For the purpose of estimating the burden of this collection, we assume one response per respondent, regardless of the form.


These time burdens, as well as the numbers of respondents, are shown in Table 1. CISA estimates that the Incident Reporting Form will take 0.33 hours (20 minutes) to complete; the DHS Cyber Threat Indicator and Defensive Measure Submission System Form will take 0.17 hours (10 minutes) to complete; and the Malware Analysis Submission, Mail Lists, and CSET Download forms will each take 0.02 hours (1 minute) to complete.


To estimate the cost of this collection, CISA multiplies the estimated annual hour burden by the hourly compensation rate for all occupations within the United States, based on Bureau of Labor Statistics (BLS) data. According to BLS, the mean hourly wage for all occupations is $29.76 [1]. To account for benefits and other compensation, this wage rate was multiplied by a compensation factor of 1.4214, to produce an hourly compensation rate of $42.30 [2]. Multiplying the total annual hour burden (13,852) by this hourly compensation rate ($42.30) provides an estimated annual cost of $585,941. The cost is displayed in Table 1.

Table 1: Estimated Annualized Burden Hours and Costs

Columns: A = Number of Respondents; B = Number of Responses per Respondent; C = Average Burden per Response (hours); D = Total Annual Burden (hours) = A × B × C; E = Average Hourly Compensation Rate; F = Total Annual Respondent Cost = D × E

Form Name                                            A         B   C        D        E        F
Incident Reporting Form                              26,000    1   0.3333   8,667    $42.30   $366,598
DHS Cyber Threat Indicator and Defensive Measure     22,000    1   0.1667   3,667    $42.30   $155,099
  Submission System
Malware Analysis Submission Form                     2,725     1   0.0167   45       $42.30   $1,921
Mail Lists Form                                      75,000    1   0.0167   1,250    $42.30   $52,875
CSET Download Form                                   13,400    1   0.0167   223      $42.30   $9,447
Total                                                139,125                13,852            $585,941

Note: Numbers may not total due to rounding.




13. Provide an estimate of the total annual cost burden to respondents or record keepers resulting from the collection of information. (Do not include the cost of any hour burden shown in Items 12 and 14.)


The cost estimate should be split into two components: (1) a total capital and start-up cost component (annualized over its expected useful life); and (b) a total operation and maintenance and purchase of services component. The estimates should take into account costs associated with generating, maintaining, and disclosing or providing the information. Include descriptions of methods used to estimate major cost factors including system and technology acquisition, expected useful life of capital equipment, the discount rate(s), and the time period over which costs will be incurred. Capital and start-up costs include, among other items, preparations for collecting information such as purchasing computers and software; monitoring, sampling, drilling and testing equipment; and record storage facilities.



If cost estimates are expected to vary widely, agencies should present ranges of cost burdens and explain the reasons for the variance. The cost of purchasing or contracting out information collection services should be a part of this cost burden estimate. In developing cost burden estimates, agencies may consult with a sample of respondents (fewer than 10), utilize the 60-day pre-OMB submission public comment process and use existing economic or regulatory impact analysis associated with the rulemaking containing the information collection as appropriate.


Generally, estimates should not include purchases of equipment or services, or portions thereof, made: (1) prior to October 1, 1995, (2) to achieve regulatory compliance with requirements not associated with the information collection, (3) for reasons other than to provide information to keep records for the government, or (4) as part of customary and usual business or private practices.


There are no recordkeeping, capital, start-up, or maintenance costs associated with this information collection.


 14. Provide estimates of annualized cost to the Federal Government. Also, provide a description of the method used to estimate cost, which should include quantification of hours, operational expenses (such as equipment, overhead, printing and support staff), and any other expense that would have been incurred without this collection of information. You may also aggregate cost estimates for Items 12, 13, and 14 in a single table.



To determine the cost to the federal government for this collection, CISA estimated the time burden required for the government to review the collected information. The total estimated annual time burden for this collection is 26,108 hours across the five instruments. CISA assumes that the person handling the forms will be a GS-13 equivalent employee (Step 1) with an average hourly wage of $56.52 [3]. To account for benefits and other compensation, this wage was multiplied by a compensation factor of 1.6919 [4]. This equates to a loaded hourly wage of $95.63, which we multiply by the total of 26,108 hours to obtain a cost estimate of $2,496,707. Table 2 below shows the cost breakdown by instrument.

Table 2: Annual Government Cost, by Instrument

Columns: A = Number of Responses; B = Average Burden per Response (hours); C = Total Time Burden (hours) = A × B; D = Loaded Hourly Compensation Wage; E = Annual Burden = C × D

Form Name                                            A         B         C        D        E
Incident Reporting Form                              26,000    1         26,000   $95.63   $2,486,380
DHS Cyber Threat Indicator and Defensive Measure     22,000    0.0019    42       $95.63   $4,016
  Submission System
Malware Analysis Submission Form                     2,725     0         0        $95.63   $0
Mail Lists Form                                      75,000    0.00034   26       $95.63   $2,486
CSET Download Form                                   13,400    0.0030    40       $95.63   $3,825
Total                                                139,125             26,108            $2,496,707

Note: Numbers may not total due to rounding.


The government costs described in this section are difficult to estimate because most of the forms do not generate output in the form of a report; their output is instead input to much larger systems. As such, the estimated $2,496,707 government cost is one component of the larger cost of operating and maintaining the entire system.



15. Explain the reasons for any program changes or adjustments reported in Items 13 or 14 of the OMB Form 83-I. Changes in hour burden, i.e., program changes or adjustments made to annual reporting and recordkeeping hour and cost burden. A program change is the result of deliberate Federal government action. All new collections and any subsequent revisions of existing collections (e.g., the addition or deletion of questions) are recorded as program changes. An adjustment is a change that is not the result of a deliberate Federal government action. These changes that result from new estimates or actions not controllable by the Federal government are recorded as adjustments.



This is a revision to an existing form. The changes to the collection since the previous OMB approval include updating the cost estimates. There were no changes to the burden hours for the public.


Based on the increased hourly compensation rates, the cost estimates have increased. The annual burden cost increased by $42,540, from $543,401 to $585,941. The annual government cost increased by $610,595, from $1,886,112 to $2,496,707.



16. For collections of information whose results will be published, outline plans for tabulation and publication. Address any complex analytical techniques that will be used. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.



The results of the information collection will not be published for statistical purposes.



17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain reasons that display would be inappropriate.



DHS will display the expiration date for OMB approval of this information collection.


18. Explain each exception to the certification statement identified in Item 19 “Certification for Paperwork Reduction Act Submissions,” of OMB Form 83-I.


DHS does not request an exception to the certificate of this information collection.

[1] BLS. Occupational Employment Statistics. May 2022. All Occupations (00-0000). May 2022 National Occupational Employment and Wage Estimates (bls.gov).

[2] The load factor is estimated by dividing Total compensation ($43.11) by Salaries and wages ($30.33) = 1.4214, based on the 2023 Q4 Bureau of Labor Statistics Employer Costs for Employee Compensation News Release, Table 4: Employer Cost for Employee Compensation for Private Industry Workers by Occupational and Industry Group.

[3] Office of Personnel Management. Salary Table 2024-DCB. Average hourly wage rate for GS-13, Step 1 for the locality pay area of Washington-Baltimore-Arlington, DC-MD-VA-WV-PA. Pay & Leave: Salaries & Wages - OPM.gov.

[4] Congressional Budget Office. Comparing the Compensation of Federal and Private-Sector Employees, 2011 to 2015. April 2017. https://www.cbo.gov/publication/52637. According to Table 4, average total compensation for all levels of education is $64.80. According to Table 2, average wages for all levels of education are $38.30. DHS estimates the compensation factor by dividing total compensation by average wages.

File Title: Supporting Statement A - Template
File Created: 2024-10-26