Saturday, March 6, 2021

OMB Approves Emergency ICR Revision for DHS Vulnerability Discovery Program

On Thursday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an emergency request for a revision of the DHS information collection request (ICR) for their Vulnerability Discovery Program. Like the emergency request that I discussed earlier this week, this approval would allow other Federal Agencies and Departments to establish their own cybersecurity vulnerability reporting programs under the approved ICR for the DHS program.

Justification for Expanding Scope of ICR

It turns out that the earlier request was not actually approved, but rather reported as “Improperly submitted and continue”; essentially OIRA was telling DHS to resubmit the request while continuing to allow DHS to collect information under the existing ICR. The new request for emergency approval (.DOCX download link) includes a three-part justification for the broader application of the ICR. First, it establishes the DHS authority to establish the Vulnerability Discovery Program:

“Pursuant to section 101 of the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act, (commonly known as the SECURE Technologies Act) [PL 115-390] individuals, organizations, and/or companies may submit any discovered security vulnerabilities found associated with the information system of any Federal agency [emphasis added]. This collection would be used by these individuals, organizations, and/or companies who choose to submit a discovered vulnerability found associated with the information system of any Federal agency.”

This claim is a bit of a stretch. The language of §101 actually applies specifically to “appropriate information systems of Department of Homeland Security” {§101(a)}. The stretch may be justified by the definition of ‘appropriate information system’ in §101(f)(3); that is defined as “an information system that the Secretary of Homeland Security selects for inclusion under the vulnerability disclosure policy required by subsection (a)”. That is still a long stretch, as the term is still specifically applied to systems of the “Department of Homeland Security” in (a).

The second portion of the claim relates to the need for the expansion of the 1601-0028 ICR because of the SolarWinds attack:

“DHS and Federal cybersecurity agencies are working to address the recently discovered SolarWinds hack on Federal agencies and organizations around the world. While DHS had previously obtained approval to collect this information on its own behalf, recent cyber attacks exploiting vulnerabilities have exemplified the need to have this capability government-wide. In 2020, a major cyberattack, nicknamed the SolarWinds cyberattack, by a group backed by a foreign government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration (eight to nine months) in which the hackers had access.”

While an investigation of the extent of the SolarWinds attack would not require an expanded Vulnerability Discovery Program, it could certainly be argued that such an expansion could help prevent future attacks of this scope. It should be noted that if this justification letter had been written just a couple of days later, it could have also referenced the exploits of the zero-day Microsoft email server vulnerabilities.

Finally, the justification references the recent changes made to 44 USC 3553(b) by §1705 of PL 116-283, which expanded the scope of DHS responsibilities for the security of information systems throughout the federal government. While the DHS letter specifically references the ‘information sharing’ provisions of §1705’s new paragraph (l) added to §3553, a better argument can be made based on the new subparagraph (b)(8)(B) added by §1705(1):

“(B) deploying, operating, and maintaining secure technology platforms and tools, including networks and common business applications, for use by the agency to perform agency functions, including collecting, maintaining, storing, processing, disseminating, and analyzing information; and”

Moving Forward

With this week’s approval of the emergency expansion of 1601-0028, DHS will be required to publish 60-day and 30-day information collection request revision notices in the Federal Register, seeking public comment on the revised collection. It will be interesting to see what basis DHS will use for estimating the burden for the vastly expanded collection.

1 comment:

delilah said...

Can I get a second opinion about the related?
https://www.bynet.co.il/solutions/bynet-security/

It will be much appreciated.
