
Sunday, March 21, 2021

CISA Publishes 60-Day ICR Revision Notice for Vulnerability Discovery Program

On Friday, DHS published a 60-day information collection request (ICR) revision notice in the Federal Register (86 FR 19499-14945) for the DHS Vulnerability Discovery Program (OMB Control #: 1601-0028).

The Information Collection

According to the notice:

“DHS is requesting pursuant to 44 US Code 3509 [link added], that the information collection be designated for any Federal agencies’ ability to utilize the standardized DHS online form to collect their own agency's vulnerability information and post the information on their own agency websites.”

Each agency collecting information under this ICR would use the DHS collection form but would post it on its own agency web site. The information collected will include:

• Vulnerable host(s),

• Necessary information for reproducing the security vulnerability,

• Remediation or suggestions for remediation of the vulnerability, and

• Potential impact on host, if not remediated.

DHS estimates no change in the burden as a result of this expansion of the coverage of the ICR.

Public Comments

DHS is soliciting public comment on this revision. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2021-0009). Comments should be submitted by May 18th, 2021.

Commentary

Earlier this month the OMB’s Office of Information and Regulatory Affairs (OIRA) approved an emergency revision of this DHS ICR that allows other Federal agencies to use the same ICR for their individual vulnerability discovery programs. That emergency approval came with the proviso that DHS submit an ICR revision in the normal manner to confirm the expanded collection effort. This notice is the direct response to that proviso.

In this notice DHS continues to rely on the ‘information sharing’ provisions of 44 USC 3553(l) (added by §1705(2) of PL 116-283). This language allows DHS to “access, use, retain, and disclose, and the head of an agency may disclose to the Secretary, information, for the purpose of protecting information and information systems from cybersecurity risks.” That does not really pertain to collecting voluntarily supplied information from outside of the government for a vulnerability discovery program. A more appropriate justification would be the newly added §3553(b)(8)(B) {added by §1705(1)}, which gives DHS authority for “deploying, operating, and maintaining secure technology platforms and tools, including networks and common business applications, for use by the agency to perform agency functions, including collecting, maintaining, storing, processing, disseminating, and analyzing information [emphasis added]”.

Unfortunately, both this justification and the Notice’s reliance upon 44 US Code 3509 would seem to run counter to the concept of each agency collecting, processing and analyzing data from its own vulnerability discovery program using the DHS-provided form. Section 3509 does allow OMB to “designate a central collection agency to obtain information for two or more agencies”, but it specifically prohibits an agency from collecting “for itself information for the agency which is the duty of the collection agency to obtain.” Thus, under §3509, DHS would run the data collection under the multi-agency VDP and would either provide the raw data to the client agency for processing and analysis or provide the processed and/or analyzed data to the client agency for action. Neither of those options was described in this 60-day ICR notice.

One final objection to this ICR revision request: it presents inadequate information on the burden of the data collection, and the burden estimate is arguably one of the most important parts of the ICR process. The current burden estimate is identical to the estimate for the DHS-only Vulnerability Discovery Program that OIRA approved back in August of last year: 3,000 annual responses, with an estimated three hours spent on each response, for a total burden of 9,000 hours and a total annual responder cost of $647,280. It only seems reasonable to assume that a multi-agency VDP would have a larger number of responses, and thus a larger burden and cost.

Granted, DHS has not been running its own VDP long enough to have a solid history from which to estimate, even semi-accurately, the number of responses it would expect to receive in the future, but the ICR process demands that a reasonable effort be made to project the burden and then to revise the estimate in future renewals based upon actual program data.

At this point, DHS is not even sure how many agencies will be utilizing this DHS ICR to support their own programs. So, what DHS should probably have done is to establish a reasonable estimate for an agency VDP for agencies of different sizes {e.g., small (think FDA), medium (think DHS) and large (think HHS)}, then estimate the number of agencies of each size that will adopt the DHS VDP, and calculate the burden from there. Subsequent ICR revisions would refine the estimates from the collected data.

NOTE: A copy of this blog post will be submitted as a comment on this ICR notice.

Saturday, March 6, 2021

OMB Approves Emergency ICR Revision for DHS Vulnerability Discovery Program

On Thursday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an emergency request for a revision of the DHS information collection request (ICR) for its Vulnerability Discovery Program. Like the emergency request that I discussed earlier this week, this approval allows other Federal agencies and departments to establish their own cybersecurity vulnerability reporting programs under the approved ICR for the DHS program.

Justification for Expanding Scope of ICR

It turns out that the earlier request was not actually approved, but rather was marked “Improperly submitted and continue”; essentially OIRA was telling DHS to resubmit the request while continuing to allow DHS to collect information under the existing ICR. The new request for emergency approval (.DOCX download link) includes a three-part justification for the broader application of the ICR. First, it asserts the DHS authority to establish the Vulnerability Discovery Program:

“Pursuant to section 101 of the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act, (commonly known as the SECURE Technologies Act) [PL 115-390] individuals, organizations, and/or companies may submit any discovered security vulnerabilities found associated with the information system of any Federal agency [emphasis added]. This collection would be used by these individuals, organizations, and/or companies who choose to submit a discovered vulnerability found associated with the information system of any Federal agency.”

This claim is a bit of a stretch. The language of §101 actually applies specifically to “appropriate information systems of Department of Homeland Security” {§101(a)}. The stretch may be justified by the definition of ‘appropriate information system’ in §101(f)(3); that term is defined as “an information system that the Secretary of Homeland Security selects for inclusion under the vulnerability disclosure policy required by subsection (a)”. That is still a long stretch, as the term is still specifically applied to systems of the “Department of Homeland Security” in subsection (a).

The second portion of the justification relates to the need for the expansion of the 1601-0028 ICR because of the SolarWinds attack:

“DHS and Federal cybersecurity agencies are working to address the recently discovered SolarWinds hack on Federal agencies and organizations around the world. While DHS had previously obtained approval to collect this information on its own behalf, recent cyber attacks exploiting vulnerabilities have exemplified the need to have this capability government-wide. In 2020, a major cyberattack, nicknamed the SolarWinds cyberattack, by a group backed by a foreign government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration (eight to nine months) in which the hackers had access.”

While an investigation of the extent of the SolarWinds attack would not require an expanded Vulnerability Discovery Program, it could certainly be argued that such an expansion could help prevent future attacks of this scope. It should be noted that if this justification letter had been written just a couple of days later, it could also have referenced the exploitation of the zero-day Microsoft Exchange Server vulnerabilities.

Finally, the justification references the recent changes to 44 USC 3553(b) made by §1705 of PL 116-283, which expanded the scope of the DHS responsibilities for the security of information systems throughout the federal government. While the DHS letter specifically references the ‘information sharing’ provisions of the new subsection (l) that §1705 added to §3553, a better argument can be made from the new subparagraph (b)(8)(B) added by §1705(1), which makes DHS responsible for:

“(B) deploying, operating, and maintaining secure technology platforms and tools, including networks and common business applications, for use by the agency to perform agency functions, including collecting, maintaining, storing, processing, disseminating, and analyzing information; and”

Moving Forward

With this week’s approval of the emergency expansion of 1601-0028, DHS will be required to publish 60-day and 30-day information collection request revision notices in the Federal Register, seeking public comment on the revised collection. It will be interesting to see what basis DHS will use for estimating the burden for the vastly expanded collection.

Wednesday, March 3, 2021

DHS and OMB Update Vulnerability Disclosure ICR

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an emergency information collection request (ICR) revision for the DHS Vulnerability Discovery Program (VDP). This unusual ICR revision would allow all other agencies in the Federal government to utilize the DHS OMB Control Number (1601-0028) for their own vulnerability disclosure programs, which were mandated by CISA’s Binding Operational Directive 20-01. It would also authorize those agencies to use the same on-line form [.DOCX download link] used by DHS for its Program.

Any government agency that collects information from the public is required by law (the Paperwork Reduction Act) to include on the collection document the OMB control number that shows that the agency has taken the actions necessary to ensure that its collection effort is authorized and effective. This action by DHS and OIRA allows government agencies to short-cut the 60-day and 30-day notice requirements in standing up their VDPs.

According to a letter from the DHS CIO to OIRA included in the emergency request packet, this action was actually suggested by OMB. It is not clear from any of the documentation available on the OIRA site if or when each agency would have to submit its own ICR for its unique VDP. This emergency update did not make any changes to the burden estimate provided by DHS. The 3,000 reports per year expected by DHS would be a reasonable guess (the DHS program has only been in effect since August 2020) for any large agency standing up its own VDP and requesting ICR approval for that program.

The DHS ICR is due for update in August of this year in any case. It will be interesting to see what figure DHS uses for the expected number of reports.
