Yesterday the OMB’s Office of Information and Regulatory
Affairs (OIRA) announced
that the DHS National Protection and Programs Directorate (NPPD) had withdrawn
their information collection request (ICR) for a questionnaire to be used by
State Protected Critical Infrastructure Information (PCII) Officers to conduct
a self-assessment of the protections applied to PCII at the State level.
NPPD has been having a number of administrative problems
with this ICR since it was
initiated last year. I noted
back in May that they ignored a public comment posted in response to their
60-day ICR. Then OIRA rejected
their initial submission of the ICR in July as being ‘improperly submitted’.
The actual questionnaire being proposed for the
self-assessment program (downloadable
here) seems to address the issues that one would expect someone
conducting a compliance audit of the program would be looking at. Too many of
the questions, however, solicit ‘Yes’ or ‘No’ answers and the wording of the
question usually indicates the ‘proper’ response. Since only an inappropriate
response requires an explanation, a cursory appropriate response is encouraged
when filling out the form. This is a typical problem with a self-assessment
program.
As I have repeatedly noted in the earlier posts about this
ICR, I have concerns about the use of a self-assessment questionnaire in
evaluating the protections put in place for the State level PCII programs.
Critical infrastructure organizations are relying on NPPD and the Federal
Government to ensure that the critical information that they are voluntarily
submitting is properly protected.
Since that PCII must, in most cases, be shared with State
and local agencies to ensure that those critical infrastructure facilities are
appropriately protected, NPPD has an overarching requirement to ensure that the
PCII programs are being properly administered at the State and local levels.
Simply requiring that a self-assessment form be completed is not adequately
ensuring that the protections are in place.
I wonder, how long has it been since Congress has exercised
their oversight responsibility of this important information sharing program? I
don’t recall the last time any committee has held hearings on the PCII program.
With Congress interested in encouraging information sharing about cybersecurity
matters, maybe they ought to take a look at how well the government is
protecting information already being shared by the same organizations.