The DHS National Protection and Programs Directorate’s
Infrastructure Information Collection Division (IICD) published a 60-Day
information collection request (ICR) notice in Monday’s Federal Register (78 FR 29375-29376;
available on-line today) supporting a questionnaire targeted at State and local
Protected Critical Infrastructure Information (PCII) Officers. The
questionnaire would help
the Department “to gather information from PCII Officers that can be used
to assess their programs, their compliance with PCII rules and requirements,
and the specific needs of their accredited programs”.
The Importance of
PCII Programs
The Department posted a 60-day
ICR notice in the Federal Register back in November, 2012. In a
post about that notice I expressed some concerns about the Department’s
just now getting around to assessing these State and local programs with which
DHS shares selected PCII information. Since the promise of limited disclosure
is the only incentive that DHS can provide critical infrastructure
organizations to share security information with DHS, any questions about the
efficacy of State and local PCII programs will act as a disincentive to
information sharing.
The new Cybersecurity Framework under development will
depend on PCII programs to protect the information about critical
infrastructure computer systems and networks provided to the government. This
means that the PCII protections are going to have to be a critical part of the
Framework. Again, this makes assessment of State and local PCII programs all
that more important.
Earlier Comments
The current notice states that “DHS received no comments”. A
review of the Docket (DHS-2012-0046) at www.Regulations.gov
shows that there was a
comment submitted on November 28th. Terry Frank from Shell Oil
Company noted that it would be difficult to assess the accuracy of the
collection effort since a copy of the questionnaire is not made available. This
is a point I also made in my earlier blog post. This is particularly aggravating
since NPPD is required to include the questionnaire when it files this ICR with
OMB. It could easily be placed in the current docket.
Mr. Frank also notes a discrepancy in the description of information
disclosure protections provided by the PCII program. Since that comment is not
really germane to the ICR in question, I suppose that DHS was justified in
ignoring that portion of the comment. Still the comment should have been noted
in this ICR notice.
Public Comments
NPPD is soliciting public
comments on this 30-day ICR notice. Comments may be filed via the Federal
eRulemaking Portal (www.Regulations.gov;
Docket # DHS-2012-0046). The notice does not contain the customary ‘submit
comments by’ information, but this is a 30-day notice so comments should be
filed within 30 days of the publishing of the notice on Monday; so June 18th,
2013.
NOTE: With the failure to acknowledge the comment filed on
the 60-day notice and the failure to include a comment closure date in this
notice, perhaps NPPD should consider re-submitting this 30-day ICR notice in
proper form.
Posts
No comments:
Post a Comment