Wednesday, October 30, 2024

Review - CISA Publishes Coordinated Vulnerability Disclosure 60-day ICR Notice

Today, CISA published a 60-day information collection request (ICR) notice in the Federal Register (89 FR 86352) for a new ICR covering a Vulnerability Reporting Submission Form. According to the discussion in this notice:

“CISA is responsible for performing Coordinated Vulnerability Disclosure, which may originate outside the United States Government (USG) network/community and affect users within the USG and/or broader community, or originate within the USG community and affect users both within and outside of it. Often, therefore, the effective handling of security incidents relies on information sharing among individual users, industry, and the USG, which may be facilitated by and through CISA. A dedicated form on the CISA website will allow for reporting of vulnerabilities that the reporting entity believes to be CISA Coordinated Vulnerability Disclosure (CVD) eligible. Upon submission, CISA will evaluate the information provided, and then will triage through the CVD process, if all CISA scoped CVD requirements are met.”

CISA provides the following initial estimate of the annual burden that will be imposed by this collection:


Public Comments

CISA is soliciting public comments on this information collection request. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #CISA-2024-0027). Comments should be submitted by December 30th, 2024.

Commentary

What is not clear in this relatively brief ICR notice is whether CISA is owning up to the ‘sponsorship’ of Carnegie Mellon’s reporting process (see the ‘sponsored by’ notice on the bottom of the KB.CERT.org reporting page) or if CISA is going to be standing up a vulnerability coordination process separate from the MITRE system. From the perspective of a response to this ICR, this is an important distinction. If CISA is simply taking ownership of the MITRE process, then we have public access to the data collection documentation and can appropriately comment on that collection effort and the burden estimate based upon that system.

On the other hand, if CISA is starting a new program from scratch, there is no way that we can comment on the appropriateness of, for instance, the estimate of 10 minutes per response upon which the burden estimate is predicated. We would need to see a copy of the reporting format to be able to judge the accuracy of the estimate. 


For more information on this ICR notice, including additional commentary about missing burden elements, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisa-publishes-coordinated-vulnerability - subscription required.

