Wednesday, March 3, 2021

DHS and OMB Update Vulnerability Disclosure ICR

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an emergency information collection request (ICR) revision for the DHS Vulnerability Disclosure Program (VDP). This unusual ICR revision would allow every other agency in the Federal government to use the DHS OMB Control Number (1601-0028) for the vulnerability disclosure programs they were required to stand up under CISA’s Binding Operational Directive 20-01. It would also authorize those agencies to use the same on-line reporting form (available as a .DOCX download) that DHS uses for its own program.

Any government agency that collects information from the public is required by law (the Paperwork Reduction Act) to display on the collection document an OMB control number, which shows that the agency has taken the steps needed to ensure that its collection effort is both authorized and effective. This action by DHS and OIRA lets other agencies bypass the 60-day and 30-day Federal Register public-comment periods that would otherwise delay standing up their VDPs.

According to a letter from the DHS CIO to OIRA included in the emergency request packet, this approach was actually suggested by OMB. It is not clear from any of the documentation available on the OIRA site if, or when, each agency would have to submit its own ICR for its particular VDP. This emergency update did not change the burden estimate provided by DHS. The 3,000 reports per year that DHS expects would be a reasonable starting guess for any large agency standing up its own VDP and requesting ICR approval for that program, though the DHS figure itself is still an estimate, since the DHS program has only been in effect since August 2020.

The DHS ICR is due for update in August of this year in any case. It will be interesting to see what figure DHS uses for the expected number of reports.
