Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced [.PDF download link] that it had approved an information collection request (ICR) from the DHS Cybersecurity and Infrastructure Security Agency (CISA) for a “COVID-19 Tracing Reporting Form”. CISA will use this ICR to collect voluntary information on digital contact tracing tools (DCTT) used by various State and local government agencies to track potentially affected personnel during the COVID-19 pandemic. This ICR was submitted to OIRA earlier this week on an emergency basis without the standard publish, comment and review process.
According to the ICR supporting document [.PDF download link], CISA will use this information to conduct an initial assessment of “the vulnerabilities and mitigation options needed to conduct a safe digital contact tracing campaign in order to provide best practices for the public for the most popular types of tools used by stakeholders”. That document further explains (pg 1):
“In response to the enduring nature of the pandemic, state, local, tribal and territorial (SLTT) governments and owners and operators of critical infrastructure, have been developing, promoting, and using various forms digital contact tracing tools as a key part of their virus response. However, this is the first use of these digital tools at a large scale or for the purposes of contact tracing. This novel use of existing technology paired with the federal nature of the United States creates a patchwork of digital contact tracing programs and tools that use different means, have different security, and collect different information. To help provide order to this issue and best practices on how to employ these new technologies, CISA needs to know what digital contact tracing tools these entities are employing. Many SLTT governments have already employed or are considering employing a digital contact tracing tool. CISA needs additional back-end development information, which can only be done through a survey, on the type of contact tracing tool used in order to provide cybersecurity and best practices for the large and varied digital contact tracing landscape.”
CISA expects to receive 166 responses to this voluntary survey (draft form located here - .PDF download link, file can only be read via Adobe Reader 8 or higher, it will not download if you are using another .PDF reader). They expect 60 responses from State, local, tribal, and territorial (SLTT) government agencies and 106 responses from the private sector (presumably application developers?).
CISA is expected to publish an ICR collection notice in the
Federal Register in the coming week to support this emergency ICR.