Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the reinstatement of an information collection request (ICR) from CISA on “CISA Vulnerability Assessments”. The 60-day ICR notice was published on July 10th, 2019. The 30-day ICR notice was published on November 14th, 2019. CISA allowed this ICR to lapse in 2020, not submitting the ICR to OIRA until May 16th, 2023.
According to the ICR abstract:
“Protective Security Advisors (PSAs) and Cyber Security Advisors (CSAs) conduct voluntary assessments on Critical Infrastructure (CI) facilities. These assessments are web-based and are used to collect an organization’s basic, high-level information, and its dependencies. This data is then used to determine a Protective Measures Index (PMI) and a Resilience Measures Index (RMI) for the assessed organization. This information allows an organization to see how it compares to other organizations within the same sector as well as allows them to see how adjusting certain aspects would change their score. This allows the organization to then determine where best to allocate funding and perform other high-level decision-making processes pertaining to the security and resiliency of the organization.”
The ICR record does not provide a copy of the on-line questionnaires used by the PSA’s and CSA’s, but it does provide links to the three follow-up questionnaires used to checkup on how well the CSA program is working. Interestingly, there are no post-assessment questionnaires for the assessments done by PSA’s Those CSA related questionnaires are:
• External
Dependency Management (EDM) Cyber Security Advisors (CSA) Post-Assessment
Questionnaire,
• Cyber
Infrastructure Survey (CIS) Cyber Security Advisors (CSA) Post-Assessment
Questionnaire, and
• Cyber
Resilience Review (CRR) Cyber Security Advisors (CSA) Post-Assessment
Questionnaire
Posts
No comments:
Post a Comment