Sunday, April 1, 2012

OMB Receives Emergency ICR from DOE on Cybersecurity Model

According to the Office of Management and Budget web site, the Department of Energy submitted an emergency information collection request (ICR) to the OMB on the same day that the ICR was first published in the Federal Register. In fact the submission was so hurried that it did not even include the Federal Register page number (77 FR 19276-19277) for the official publication of the ICR.

According to the Federal Register notice, the ICR's “proposed collection will be used by the Department and electric sector owners and operators to identify best practices and potential resource allocations for cybersecurity in terms of supply chain management, information sharing, asset, change and configuration management, and risk management, among others”.

The ICR will target a limited number of participants (17 according to the OMB request) that will evaluate a proposed ‘maturity model’ that is “designed to measure the sector's cybersecurity posture and to enable utilities to make strategic investments that will increase cybersecurity throughout the electricity sector” (77 FR 19277).

While the OMB web site maintains that the Federal Register publication is a 30-day ICR notice, the actual publication requires that comments be submitted within “15 days from the date of publication” and does not (as is typically done) provide an actual date for the close of the comment period. DOE is requesting actual approval of the ICR by April 17th, 2012. That would not give any time for review of public comments on the request.

The DOE justification for an emergency ICR request is not found in the Federal Register Notice (which does not actually say that this is an ‘emergency’ request) but it is found on the OMB web site. That site notes that:

“The Electric Sector Cybersecurity Risk Management Maturity Initiative is under development with public and private sector partners to provide this capability to the sector as soon as possible. The initiative pilot, for which the emergency ICR is being requested, will test and validate the model and assessment tool so that it can be revised and improved. The results of the pilot can then be provided to the sector as a whole to help them immediately begin to identify areas of their systems and processes where investments or resources can be made or reconfigured to bolster the security of their systems, further protecting the reliability of the electric grid from disruptive or costly cyber threats.”

While I certainly applaud any federal initiative that legitimately increases the cyber security of the electric grid, the justification above hardly provides any information that makes it clear why the normal publish and comment procedures for information collection requests should be circumvented to allow evaluation of this model. Furthermore, the ICR does not provide any information on what entities may be selected for this evaluation process, or the criteria used for their selection.

This is clearly a hurried, knee-jerk, and very incomplete submission that should be rejected out of hand by the OMB.
