Agency Information Collection Activities: Information Collection Renewal; Submission for Review; FFIEC Cybersecurity Assessment Tool, 78285-78289 [2015-31583]

Download as PDF Federal Register / Vol. 80, No. 241 / Wednesday, December 16, 2015 / Notices DEPARTMENT OF TRANSPORTATION National Highway Traffic Safety Administration [Docket No. NHTSA–2015–0071] Reports, Forms, and Recordkeeping Requirements National Highway Traffic Safety Administration (NHTSA), Department of Transportation. ACTION: Request for public comment on proposed collection of information. AGENCY: In compliance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.), this notice announces that the Information Collection Request (ICR) abstracted below is being forwarded to the Office of Management and Budget (OMB) for review and comments. DATES: Comments must be received on or before January 15, 2016. ADDRESSES: Send comments to the Office of Information and Regulatory Affairs, Office of Management and Budget, 725–17th Street NW., Washington, DC 20503, Attention: NHTSA Desk Officer. FOR FURTHER INFORMATION CONTACT: For additional information or access to background documents, contact Timothy M. Pickrell, NHTSA, 1200 New Jersey Avenue SE., W55–320, NVS– 421,Washington, DC 20590. Mr. Pickrell’s telephone number is (202) 366–2903. Please identify the relevant collection of information by referring to its OMB Control Number. SUPPLEMENTARY INFORMATION: Before a Federal agency can collect certain information from the public, it must receive approval from the Office of Management and Budget (OMB). In compliance with these requirements, this notice announces that the following information collection request has been forwarded to OMB. A Federal Register Notice soliciting comments on the following information collection was published on July 30, 2015 (Volume 80, Number 146; Pages 45585–86). The agency received no comments on the 60 day notice. Title: The National Survey on the Use of Booster Seats. OMB Control Number: 2127–0644. Affected Public: Motorists in passenger vehicles at gas stations, fast food restaurants, and other types of sites frequented by children during the time in which the survey is conducted. Form Number: NHTSA Form 1010. Abstract: The National Survey of the Use of Booster Seats is being conducted to respond to the Section 14(i) of the tkelley on DSK9F6TC42PROD with NOTICES SUMMARY: VerDate Sep<11>2014 17:21 Dec 15, 2015 Jkt 238001 Transportation Recall Enhancement, Accountability, and Documentation (TREAD) Act of 2000. The act directs the Department of Transportation to reduce the deaths and injuries among children in the 4 to 8 year old age group that are caused by failure to use a booster seat by 25%. Conducting the National Survey of the Use of Booster Seats provides the Department with invaluable information on who is and is not using booster seats, helping the Department better direct its outreach programs to ensure that children are protected to the greatest degree possible when they ride in motor vehicles. The OMB approval for this survey is scheduled to expire on 1/31/16. NHTSA seeks an extension to this approval in order to obtain this important survey data, save more children and help to comply with the TREAD Act requirement. Estimated Annual Burden: 320 hours. Estimated Number of Respondents: Approximately 4,800 adult motorists in passenger vehicles at gas stations, fast food restaurants, and other types of sites frequented by children during the time in which the survey is conducted. Comments are invited on: whether the proposed collection of information is necessary for the proper performance of the functions of the Department, including whether the information will have practical utility; the accuracy of the Department’s estimate of the burden of the proposed information collection; ways to enhance the quality, utility and clarity of the information to be collected; and ways to minimize the burden of the collection of information on respondents, including the use of automated collection techniques or other forms of information technology. Terry Shelton, Associate Administrator, National Center for Statistics and Analysis. [FR Doc. 2015–31633 Filed 12–15–15; 8:45 am] BILLING CODE 4910–59–P DEPARTMENT OF THE TREASURY Office of the Comptroller of the Currency Agency Information Collection Activities: Information Collection Renewal; Submission for Review; FFIEC Cybersecurity Assessment Tool Office of the Comptroller of the Currency (OCC), Treasury. ACTION: Notice and request for comment. AGENCY: The OCC, the Board of Governors of the Federal Reserve System (Board), the Federal Deposit SUMMARY: PO 00000 Frm 00125 Fmt 4703 Sfmt 4703 78285 Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) (collectively, the Agencies), as part of their continuing effort to reduce paperwork and respondent burden, invite the general public and other Federal agencies to comment on a continuing information collection, as required by the Paperwork Reduction Act of 1995 (PRA). In accordance with the requirements of the PRA, the Agencies may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number. The OCC is soliciting comment on behalf of the Agencies concerning renewal of the information collection titled ‘‘FFIEC Cybersecurity Assessment Tool’’ (‘‘Assessment’’). The OCC also is giving notice that it has sent the collection to OMB for review. DATES: Comments must be received by January 15, 2016. ADDRESSES: Because paper mail in the Washington, DC area and at the OCC is subject to delay, commenters are encouraged to submit comments by email, if possible. Comments may be sent to: Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency, Attention: 1557–0328, 400 7th Street SW., Suite 3E–218, Mail Stop 9W–11, Washington, DC 20219. In addition, comments may be sent by fax to (571) 465–4326 or by electronic mail to prainfo@occ.treas.gov. You may personally inspect and photocopy comments at the OCC, 400 7th Street SW., Washington, DC 20219. For security reasons, the OCC requires that visitors make an appointment to inspect comments. You may do so by calling (202) 649–6700, for persons who are deaf or hard of hearing, TTY, (202) 649–5597. Upon arrival, visitors will be required to present valid governmentissued photo identification and to submit to security screening in order to inspect and photocopy comments. All comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. Do not enclose any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure. Additionally, please send a copy of your comments by mail to: OCC Desk Officer, 1557–0328, U.S. Office of Management and Budget, 725 17th Street NW., #10235, Washington, DC 20503, or by email to: oira_submission@ omb.eop.gov. E:\FR\FM\16DEN1.SGM 16DEN1 78286 Federal Register / Vol. 80, No. 241 / Wednesday, December 16, 2015 / Notices FOR FURTHER INFORMATION CONTACT: Shaquita Merritt, OCC Clearance Officer, or Beth Knickerbocker, Counsel (202) 649–5490, Legislative and Regulatory Activities Division, for persons who are deaf or hard of hearing, TTY, (202) 649–5597, Office of the Comptroller of the Currency, 400 7th Street SW., Suite 3E–218, Mail Stop 9W–11, Washington, DC 20219. SUPPLEMENTARY INFORMATION: Under the PRA (44 U.S.C. 3501–3520), Federal agencies must obtain approval from OMB for each collection of information they conduct or sponsor. ‘‘Collection of information’’ is defined in 44 U.S.C. 3502(3) and 5 CFR 1320.3(c) to include agency requests or requirements that members of the public submit reports, keep records, or provide information to a third party. The definition contained in 5 CFR 1320.3(c) also includes a voluntary collection of information. In connection with issuance of the Assessment,1 OMB provided a sixmonth approval for this information collection. On behalf of the Agencies, the OCC is proposing to extend OMB approval of the collection for the standard three years. Title: FFIEC Cybersecurity Assessment Tool. OMB Number: 1557–0328. Description: Cyber threats have evolved and increased exponentially with greater sophistication than ever before. Financial institutions 2 are exposed to cyber risks because they are dependent on information technology to deliver services to consumers and businesses every day. Cyber attacks on financial institutions may not only result in access to, and the compromise of, confidential information, but also the destruction of critical data and systems. Disruption, degradation, or unauthorized alteration of information and systems can affect a financial institution’s operations and core processes and undermine confidence in the nation’s financial services sector. Absent immediate attention to these rapidly increasing threats, financial institutions and the financial sector as a whole are at risk. For this reason, the Agencies, under the auspices of the Federal Financial Institutions Examination Council (‘‘FFIEC’’), have accelerated efforts to assess and enhance the state of the financial industry’s cyber preparedness and to improve the Agencies’ examination procedures and training that can strengthen the oversight of financial industry cybersecurity readiness. The Agencies also have focused on improving their abilities to provide financial institutions with resources that can assist in protecting financial institutions and their customers from the growing risks posed by cyber attacks. As part of these increased efforts, the Agencies developed the Assessment to assist financial institutions of all sizes in assessing their inherent cyber risks and their risk management capabilities. The Assessment allows a financial institution to identify its inherent cyber risk profile based on the financial institution’s technologies and connection types, delivery channels, online/mobile products and technology services that it offers to its customers, its organizational characteristics, and the cyber threats it is likely to face. Once a financial institution identifies its inherent cyber risk profile, it will be able to use the Assessment’s maturity matrix to evaluate its level of cybersecurity preparedness based on the financial institution’s cyber risk management and oversight, threat intelligence capabilities, cybersecurity controls, external dependency management, and cyber incident management and resiliency planning. A financial institution may use the matrix’s maturity levels to identify opportunities for improving the financial institution’s cyber risk management based on its inherent risk profile. The Assessment also enables a financial institution to identify areas more rapidly that could improve the financial institution’s cyber risk management and response programs, if needed. Use of the Assessment by financial institutions is voluntary. Type of Review: Regular. Affected Public: Businesses or other for-profit. Estimated Burdens: 3 Assessment burden estimate Estimated number of respondents less than $500 million @ 80 hours Estimated number of respondents $500 million–$10 billion @120 hours Estimated number of respondents $10 billion– $50 billion @160 hours Estimated number of respondents over $50 billion @180 hours Estimated total respondents and total annual burden hours OCC National Banks and Federal Savings Associations. FDIC State Non-Member Banks and State Savings Associations. Board State Member Banks and Bank Holding Companies. NCUA Federally-Insured Credit Unions. 1,102 × 80 = 88,160 hours. 3,224 × 80 = 257,920 hours. 4,083 × 80 = 326,640 hours. 5,622 × 80 = 449,760 hours. 149 × 120 = 17,880 hours. 728 × 120 = 87,360 hours. 1,083 × 120 = 129,960 hours. 463 × 120 = 55,560 hours. 132 × 160 = 21,120 hours. 22 × 160 = 3,520 hours. 74 × 160 = 11,840 hours. 4 × 160 = 640 hours. 87 × 180 = 15,660 hours. 5 × 180 = 900 hours. 42 × 180 = 7,560 hours. 1 × 180 = 180 hours. 1,470 respondents 142,820 hours. 3,979 respondents 349,700 hours. 5,282 respondents 476,000 hours. 6,090 respondents 506,140 hours. 14,031 × 80 = 1,122,480 hours. 2,423 × 120 = 290,760 hours. 232 × 160 = 37,120 hours. 135 × 180 = 24,300 hours. 16,821 respondents 1,474,660 hours. Total ......................................... tkelley on DSK9F6TC42PROD with NOTICES On July 22, 2015, (80 FR 4355), the Office of the Comptroller of the Currency (OCC), on behalf of itself, the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) (collectively, the Agencies) published a 60-day notice requesting comment on the collection of information titled ‘‘FFIEC Cybersecurity Assessment Tool (Assessment).’’ The Agencies received eighteen comments: Twelve comments from individuals, five from industry trade associations, and 1 http://www.ffiec.gov/cyberassessmenttool.htm. 3 Burden is estimated conservatively and assumes all financial institutions will complete the Assessment. Therefore, the estimated burden may exceed the actual burden because use of the Assessment by financial institutions is not mandatory. The Agencies intend to address their review of the cybersecurity readiness and preparedness of financial institutions’ technology service providers (TSPs) separately and therefore are no longer including a separate estimated burden for TSPs. However, the burden estimates for financial institutions does include that of TSPs who may assist financial institutions in completing their Assessment. 2 For purposes of this information collection, the term ‘‘financial institution’’ includes banks, savings associations, credit unions, and bank holding companies. VerDate Sep<11>2014 17:21 Dec 15, 2015 Jkt 238001 PO 00000 Frm 00126 Fmt 4703 Sfmt 4703 E:\FR\FM\16DEN1.SGM 16DEN1 Federal Register / Vol. 80, No. 241 / Wednesday, December 16, 2015 / Notices one from the Financial Services Sector Coordinating Council. The comments described below address concerns related to the collection of information. The commenters also mentioned aspects of the Assessment unrelated to the collection of information; these views are not relevant to this notice or the paperwork burden analysis and, accordingly, they are not addressed below. However, the comments unrelated to the paperwork burden analysis were provided to Agency personnel responsible for the Assessment for possible consideration in future updates of the Assessment. tkelley on DSK9F6TC42PROD with NOTICES 1. Request for More Information on the Information Being Collected Eight of the commenters requested that the Agencies provide additional clarity and interpretative information regarding the Assessment. Several of these commenters requested that the Agencies clarify some of the statements in the Inherent Risk Profile.4 Commenters also stated that many of the declarative statements in the Cybersecurity Maturity 5 were subjective and susceptible to different interpretation. Other commenters requested the Agencies provide additional information regarding the relationship between the Inherent Risk Profile and the Cybersecurity Maturity parts of the Assessment. Five commenters requested that the Agencies publish information clarifying the Assessment, such as an appendix to the Assessment or a separate frequently asked questions (FAQ) document. One commenter requested that the Agencies issue a separate document describing the assumptions the Agencies used in developing the Assessment. Another commenter requested that the Agencies provide examples of how community financial institutions might satisfy certain declarative statements. Additionally, one commenter requested that the Agencies develop a 12–18 month collaborative process with the commenter to improve the Assessment prior to finalizing the Assessment or using the Assessment on examinations. The Agencies appreciate the feedback and comments received from the commenters. The Agencies recognize that there may be a need to clarify certain aspects of the Assessment and will consider developing an FAQ 4 Part One of the Assessment, the Inherent Risk Profile, assists a financial institution in identifying its inherent risk before implementing controls. 5 Part Two of the Assessment, the Cybersecurity Maturity, assists a financial institution in determining its current state of cybersecurity preparedness represented by maturity levels across five domains. VerDate Sep<11>2014 17:21 Dec 15, 2015 Jkt 238001 document to address questions and requests for clarification that they have received since the publication of the Assessment, including from commenters. Additionally, the Agencies are developing a process to update the Assessment on a periodic basis. The update process will consider comments from interested parties. 2. Usability and Format of the Assessment Four commenters suggested changes to the format of the Assessment to increase usability. The commenters requested that the Agencies develop an automated or editable form of the Assessment. Commenters stated that the ability to save and edit responses contained in the Assessment would improve a financial institution’s ability to use the Assessment on an ongoing basis. One commenter also recommended that the Agencies revise the Assessment to include hyperlinks to the Assessment Glossary and User Guide instructions. Another commenter suggested that the Agencies revise the Assessment to assign a maturity level 6 automatically to the financial institution once it completes the Inherent Risk Profile portion of the Assessment. In addition, this commenter suggests that once a financial institution answers ‘‘no’’ to a declarative statement in a particular domain of the Cybersecurity Maturity, the Assessment should automatically prevent the financial institution from responding to the remainder of the declarative statements within that domain. The commenter also stated the Assessment should automatically populate answers to similar questions across domains and maturity levels. The Agencies acknowledge the potential value of an automated or editable form of the Assessment for financial institutions that choose to use the Assessment and are exploring the possibility of developing an automated form in the future, including the possibility of hyperlinking to definitions and instructions. Any automation of the form, however, would not include the automatic assignment of a maturity level as the Agencies do not have expectations for any financial institution to reach a specific maturity level within the Assessment, and a financial institution may find value in identifying activities it is already performing at a higher maturity level. 6 Within the five domains of the Cybersecurity Maturity, declarative statements describe the requirements for achieving five possible maturity levels for each domain. PO 00000 Frm 00127 Fmt 4703 Sfmt 4703 78287 3. Utility of the Assessment Two commenters stated that there are a number of cybersecurity assessment frameworks available to financial institutions to use in determining their inherent risk and cybersecurity preparedness. These commenters questioned the need for the development of an additional framework. One commenter focused on the potential duplication between the National Institute of Standards and Technology’s Cybersecurity Framework (NIST Framework) and the Assessment. This commenter stated that use of the Assessment by financial institutions, instead of the NIST Framework, could dilute the value of the NIST Framework as a tool for cross-sector collaboration. The Agencies, under the auspices of the FFIEC, developed the Assessment to assist financial institutions in addressing the cyber risks unique to the financial industry. The Assessment supports financial institutions by giving them a systematic way to assess their cybersecurity preparedness and evaluate their progress. Unlike other frameworks, the Assessment is specifically tailored to the products and services offered by financial institutions and the control and risk mitigation techniques used by the industry. In addition, the Agencies have received many requests from financial institutions, particularly smaller financial institutions, to provide them with a meaningful way to assess cyber risks themselves based on financial sector-specific risks and mitigation techniques. The Agencies developed the Assessment, in part, to address those requests and received several positive comments about how the Assessment met this need. As discussed more fully below, a financial institution is not required to use the Assessment and may choose any method the financial institution determines is relevant and meaningful to assess its inherent risk and cybersecurity preparedness. The Agencies agree that the NIST Framework is a valuable tool and the Agencies incorporated concepts from the NIST Framework into the Assessment. The Assessment contains an appendix that maps the NIST Framework to the Assessment. NIST reviewed and provided input on the mapping to ensure consistency with the NIST Framework’s principles and to highlight the complementary nature of the two resources. The Agencies also agree that the NIST Framework provides a mechanism for cross-sector coordination. However, because of the unique cyber risks facing the financial industry, the Agencies identified a need E:\FR\FM\16DEN1.SGM 16DEN1 78288 Federal Register / Vol. 80, No. 241 / Wednesday, December 16, 2015 / Notices tkelley on DSK9F6TC42PROD with NOTICES to develop a more granular framework that is more specific to the financial services industry to assist financial institutions in evaluating themselves. Several commenters also raised questions regarding the Agencies’ use of a maturity model as a part of the Assessment. Four commenters were concerned with the ‘‘all or nothing’’ approach to achieving a maturity level, particularly insofar as a financial institution might not be credited for activities taken at a higher level that might mitigate risks at a lower level. Some commenters stated that a maturity model is too prescriptive and does not adequately account for compensating controls or risk tolerance and others questioned why the Assessment does not discuss the concept of residual risk. The Agencies designed the Cybersecurity Maturity contained in the Assessment to assist financial institutions in understanding the ranges of controls and practices needed to manage cyber risk. As previously stated, use of the tool is voluntary and a financial institution may use any method to assess inherent risk and cybersecurity preparedness that it considers relevant and meaningful. The User Guide does provide general parameters to assist financial institutions that choose to use the Assessment in considering how to align inherent risk with the financial institution’s processes and control maturity. 4. Accuracy of Burden Estimate The Agencies estimated that, annually, it would take a financial institution 80 burden hours, on average, to complete the Assessment. Five comment letters addressed the accuracy of the Agencies’ burden estimate. These letters generally stated that the Agencies’ burden estimate understated the burden involved. One commenter stated that credit unions that choose to use the Assessment could take 80–100 hours to complete it. However, other commenters stated that it may take a financial institution several hundred hours to complete the Assessment in the first year of use. One commenter stated that the estimated burden will vary based on financial institution size, with smaller financial institutions requiring hundreds of hours to complete the Assessment, medium-sized financial institutions approaching 1,000–2,000 hours, and the large financial institutions investing 1,000–2,000 hours or more. This commenter stated that the burden estimate includes the amount of time needed to collect information and documentation sufficient to provide VerDate Sep<11>2014 17:21 Dec 15, 2015 Jkt 238001 answers supportable in the examination context, report to internal steering committees and prepare for examinations. Another commenter stated that the Agencies’ evaluation of 80 hours ‘‘largely underestimates’’ the time required to complete the Assessment. This commenter stated that the initial completion of the Assessment would include collecting data, discussing and verifying responses, performing gap analysis, preparing and implementing action plans, where needed, and presenting results to executives. In light of the comments received and recent supervisory experience performing information technology examinations, the Agencies are revising their burden estimates. In revisiting the burden estimates, the Agencies are taking a more conservative approach to estimating the potential burden involved in using the Assessment. The Agencies recognize that size and complexity of a financial institution, as noted by some of the commenters, impacts the amount of time and resources to complete the Assessment and therefore the Agencies have further refined their burden estimates based on financial institution asset size. The Agencies note that the revised burden estimates assume that the Assessment is completed by knowledgeable individuals at the financial institution who have readilyavailable information to complete the Assessment. The Agencies’ revised burden estimates do not include the amount of time associated with reporting to management and internal committees, developing and implementing action plans, and preparing for examination as such time and resources are outside the scope of the PRA. 5. Information Storage and Confidentiality Two commenters requested information on how the Agencies will use and store the Assessment information that financial institutions provide to the Agencies. The Agencies are subject to compliance with the Federal Information Security Management Act (FISMA) and they operate cybersecurity programs to protect critical information resources, including sensitive financial institution information obtained or created during their supervision activities. The programs include policies, standards and controls, monitoring, technical controls, and other information assurance processes. If a financial institution provides the Assessment, or any other, confidential PO 00000 Frm 00128 Fmt 4703 Sfmt 4703 information to an examiner as part of the supervisory process, the storage and use of such information would be subject to the Agencies’ cybersecurity programs. 6. Benchmarking One commenter suggested that the Agencies collect, anonymize, and share Assessment information to allow financial institutions to benchmark themselves against comparably sized financial institutions. Since use of the Assessment by financial institutions is voluntary, the Agencies do not to intend to collect the Assessment from financial institutions or publish the results. 7. Voluntary Use of the Assessment Several commenters expressed concern that since some of the Agencies will be using the Assessment as an aid in their examination processes, financial institutions may believe that their use of the Assessment is mandated by the Agencies. Another commenter requested that the Agencies ensure that examiners do not force financial institutions to use the Assessment or require financial institutions to justify their decisions to use an alternative cybersecurity assessment. Several commenters requested that the Agencies reiterate to examiners and to financial institutions that use of the Assessment by a financial institution is voluntary. As the Agencies stated when the Assessment was first published, use of the Assessment by financial institutions is voluntary. Financial institutions may use the Assessment or any other framework or process to identify their inherent risk and cybersecurity preparedness. The Agencies’ examiners will not require a financial institution to complete the Assessment. However, if a financial institution has completed an Assessment, examiners may ask the financial institution for a copy, as they would for any risk self-assessment performed by the financial institution. The Agencies are educating examiners on the voluntary nature of the Assessment and including statements about its voluntary nature in examiner training materials. Additional Comments Welcome: Comments continue to be invited on: (a) Whether the collection of information is necessary for the proper performance of the functions of the Agencies, including whether the information has practical utility; (b) The accuracy of the Agencies’ estimates of the burden of the collection of information; (c) Ways to enhance the quality, utility, and clarity of the information to be collected; E:\FR\FM\16DEN1.SGM 16DEN1 Federal Register / Vol. 80, No. 241 / Wednesday, December 16, 2015 / Notices (d) Ways to minimize the burden of the collection on respondents, including through the use of automated collection techniques or other forms of information technology; and (e) Estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information. Dated: December 10, 2015. Stuart E. Feldstein, Director, Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency. [FR Doc. 2015–31583 Filed 12–15–15; 8:45 am] BILLING CODE 4810–33–P DEPARTMENT OF THE TREASURY Office of Foreign Assets Control Additional Designations, Foreign Narcotics Kingpin Designation Act Office of Foreign Assets Control, Treasury. ACTION: Notice. AGENCY: The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is publishing the names of three individuals and two entities whose property and interests in property have been blocked pursuant to the Foreign Narcotics Kingpin Designation Act (Kingpin Act) (21 U.S.C. 1901–1908, 8 U.S.C. 1182). DATES: The designation by the Acting Director of OFAC of the three individuals and two entities identified in this notice pursuant to section 805(b) of the Kingpin Act is effective on December 10, 2015. FOR FURTHER INFORMATION CONTACT: Assistant Director, Sanctions Compliance & Evaluation, Office of Foreign Assets Control, U.S. Department of the Treasury, Washington, DC 20220, Tel: (202) 622–2490. SUPPLEMENTARY INFORMATION: SUMMARY: tkelley on DSK9F6TC42PROD with NOTICES Electronic and Facsimile Availability This document and additional information concerning OFAC are available on OFAC’s Web site at http://www.treasury.gov/ofac or via facsimile through a 24-hour fax-ondemand service at (202) 622–0077. Background The Kingpin Act became law on December 3, 1999. The Kingpin Act establishes a program targeting the activities of significant foreign narcotics traffickers and their organizations on a worldwide basis. It provides a statutory framework for the imposition of sanctions against significant foreign VerDate Sep<11>2014 17:21 Dec 15, 2015 Jkt 238001 narcotics traffickers and their organizations on a worldwide basis, with the objective of denying their businesses and agents access to the U.S. financial system and the benefits of trade and transactions involving U.S. companies and individuals. The Kingpin Act blocks all property and interests in property, subject to U.S. jurisdiction, owned or controlled by significant foreign narcotics traffickers as identified by the President. In addition, the Secretary of the Treasury, in consultation with the Attorney General, the Director of the Central Intelligence Agency, the Director of the Federal Bureau of Investigation, the Administrator of the Drug Enforcement Administration, the Secretary of Defense, the Secretary of State, and the Secretary of Homeland Security, may designate and block the property and interests in property, subject to U.S. jurisdiction, of persons who are found to be: (1) Materially assisting in, or providing financial or technological support for or to, or providing goods or services in support of, the international narcotics trafficking activities of a person designated pursuant to the Kingpin Act; (2) owned, controlled, or directed by, or acting for or on behalf of, a person designated pursuant to the Kingpin Act; or (3) playing a significant role in international narcotics trafficking. On December 10, 2015, the Acting Director of OFAC designated the following three individuals and two entities whose property and interests in property are blocked pursuant to section 805(b) of the Kingpin Act. Individuals 1. BURITICA HINCAPIE, Geova (a.k.a. ‘‘CAMILO CHATA’’; a.k.a. ‘‘MI VIEJO’’); DOB 18 Sep 1970; POB San Rafael, Antioquia, Colombia; Cedula No. 71215823 (Colombia) (individual) [SDNTK]. Designated for acting for or on behalf of Juan Carlos MESA VALLEJO, LA OFICINA DE ENVIGADO, and/or LOS CHATAS pursuant to section 805(b)(3) of the Kingpin Act, 21 U.S.C. 1904(b)(3). 2. MAYA RIOS, Edison (a.k.a. ‘‘GOMELO’’); DOB 01 Apr 1974; POB Medellin, Antioquia, Colombia; Cedula No. 98568816 (Colombia) (individual) [SDNTK]. Designated for acting for or on behalf of Juan Carlos MESA VALLEJO, LA OFICINA DE ENVIGADO, and/or LOS CHATAS pursuant to section 805(b)(3) of the Kingpin Act, 21 U.S.C. 1904(b)(3). 3. ZAPATA BERRIO, Jorge Oswaldo (a.k.a. ‘‘JONAS’’); DOB 15 May 1979; POB Bello, Antioquia, Colombia; Cedula No. 71216000 (Colombia) (individual) PO 00000 Frm 00129 Fmt 4703 Sfmt 4703 78289 [SDNTK] (Linked To: MOTOS Y REPUESTOS JOTA). Designated for acting for or on behalf of Juan Carlos MESA VALLEJO, LA OFICINA DE ENVIGADO, and/or LOS CHATAS pursuant to section 805(b)(3) of the Kingpin Act, 21 U.S.C. 1904(b)(3). Entities 4. LOS CHATAS, Bello, Antioquia, Colombia [SDNTK]. Designated for being controlled, directed by, or acting for or on behalf of, Juan Carlos MESA VALLEJO and/or LA OFICINA DE ENVIGADO pursuant to section 805(b)(3) of the Kingpin Act, 21 U.S.C. 1904(b)(3). 5. MOTOS Y REPUESTOS JOTA, Calle 49 AA 99 EE 58, Medellin, Antioquia, Colombia; Matricula Mercantil No. 21–567083–02 (Medellin) [SDNTK]. Designated for being owned, controlled, or directed by Jorge Oswaldo ZAPATA BERRIO pursuant to section 805(b)(3) of the Kingpin Act, 21 U.S.C. 1904(b)(3). Dated: December 10, 2015. John E. Smith, Acting Director, Office of Foreign Assets Control. [FR Doc. 2015–31569 Filed 12–15–15; 8:45 am] BILLING CODE 4810–AL–P DEPARTMENT OF VETERANS AFFAIRS [OMB Control No. 2900–NEW (VA Forms 10–10131, 10–10132, 10–10133)] Proposed Information Collection (Patient Aligned Care Team (PACT): Helping Veterans Manage Chronic Pain, Engaging Caregivers Veterans With Dementia, Patient Centered Medical Home Operation Enduring Freedom/Operation Iraqi Freedom (OEF/OIF) Veterans With Post Traumatic Stress Disorder (PTSD): Bridging Primary and Behavioral Health Care (BP–BHC)) Activity: Comment Request. Veterans Health Administration, Department of Veterans Affairs. ACTION: Notice. AGENCY: The Veterans Health Administration (VHA), Department of Veterans Affairs (VA), is announcing an opportunity for public comment on the proposed collection of certain information by the agency. Under the Paperwork Reduction Act (PRA) of 1995, Federal agencies are required to publish notice in the Federal Register concerning each proposed collection of information, including each new SUMMARY: E:\FR\FM\16DEN1.SGM 16DEN1

Agencies

[Federal Register Volume 80, Number 241 (Wednesday, December 16, 2015)]
[Notices]
[Pages 78285-78289]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-31583]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency


Agency Information Collection Activities: Information Collection 
Renewal; Submission for Review; FFIEC Cybersecurity Assessment Tool

AGENCY: Office of the Comptroller of the Currency (OCC), Treasury.

ACTION: Notice and request for comment.

-----------------------------------------------------------------------

SUMMARY: The OCC, the Board of Governors of the Federal Reserve System 
(Board), the Federal Deposit Insurance Corporation (FDIC), and the 
National Credit Union Administration (NCUA) (collectively, the 
Agencies), as part of their continuing effort to reduce paperwork and 
respondent burden, invite the general public and other Federal agencies 
to comment on a continuing information collection, as required by the 
Paperwork Reduction Act of 1995 (PRA).
    In accordance with the requirements of the PRA, the Agencies may 
not conduct or sponsor, and the respondent is not required to respond 
to, an information collection unless it displays a currently valid 
Office of Management and Budget (OMB) control number.
    The OCC is soliciting comment on behalf of the Agencies concerning 
renewal of the information collection titled ``FFIEC Cybersecurity 
Assessment Tool'' (``Assessment''). The OCC also is giving notice that 
it has sent the collection to OMB for review.

DATES: Comments must be received by January 15, 2016.

ADDRESSES: Because paper mail in the Washington, DC area and at the OCC 
is subject to delay, commenters are encouraged to submit comments by 
email, if possible. Comments may be sent to: Legislative and Regulatory 
Activities Division, Office of the Comptroller of the Currency, 
Attention: 1557-0328, 400 7th Street SW., Suite 3E-218, Mail Stop 9W-
11, Washington, DC 20219. In addition, comments may be sent by fax to 
(571) 465-4326 or by electronic mail to prainfo@occ.treas.gov. You may 
personally inspect and photocopy comments at the OCC, 400 7th Street 
SW., Washington, DC 20219. For security reasons, the OCC requires that 
visitors make an appointment to inspect comments. You may do so by 
calling (202) 649-6700, for persons who are deaf or hard of hearing, 
TTY, (202) 649-5597. Upon arrival, visitors will be required to present 
valid government-issued photo identification and to submit to security 
screening in order to inspect and photocopy comments.
    All comments received, including attachments and other supporting 
materials, are part of the public record and subject to public 
disclosure. Do not enclose any information in your comment or 
supporting materials that you consider confidential or inappropriate 
for public disclosure.
    Additionally, please send a copy of your comments by mail to: OCC 
Desk Officer, 1557-0328, U.S. Office of Management and Budget, 725 17th 
Street NW., #10235, Washington, DC 20503, or by email to: 
oira_submission@omb.eop.gov.

[[Page 78286]]


FOR FURTHER INFORMATION CONTACT: Shaquita Merritt, OCC Clearance 
Officer, or Beth Knickerbocker, Counsel (202) 649-5490, Legislative and 
Regulatory Activities Division, for persons who are deaf or hard of 
hearing, TTY, (202) 649-5597, Office of the Comptroller of the 
Currency, 400 7th Street SW., Suite 3E-218, Mail Stop 9W-11, 
Washington, DC 20219.

SUPPLEMENTARY INFORMATION: Under the PRA (44 U.S.C. 3501-3520), Federal 
agencies must obtain approval from OMB for each collection of 
information they conduct or sponsor. ``Collection of information'' is 
defined in 44 U.S.C. 3502(3) and 5 CFR 1320.3(c) to include agency 
requests or requirements that members of the public submit reports, 
keep records, or provide information to a third party. The definition 
contained in 5 CFR 1320.3(c) also includes a voluntary collection of 
information.
    In connection with issuance of the Assessment,\1\ OMB provided a 
six-month approval for this information collection. On behalf of the 
Agencies, the OCC is proposing to extend OMB approval of the collection 
for the standard three years.
---------------------------------------------------------------------------

    \1\ http://www.ffiec.gov/cyberassessmenttool.htm.
---------------------------------------------------------------------------

    Title: FFIEC Cybersecurity Assessment Tool.
    OMB Number: 1557-0328.
    Description: Cyber threats have evolved and increased exponentially 
with greater sophistication than ever before. Financial institutions 
\2\ are exposed to cyber risks because they are dependent on 
information technology to deliver services to consumers and businesses 
every day. Cyber attacks on financial institutions may not only result 
in access to, and the compromise of, confidential information, but also 
the destruction of critical data and systems. Disruption, degradation, 
or unauthorized alteration of information and systems can affect a 
financial institution's operations and core processes and undermine 
confidence in the nation's financial services sector. Absent immediate 
attention to these rapidly increasing threats, financial institutions 
and the financial sector as a whole are at risk.
---------------------------------------------------------------------------

    \2\ For purposes of this information collection, the term 
``financial institution'' includes banks, savings associations, 
credit unions, and bank holding companies.
---------------------------------------------------------------------------

    For this reason, the Agencies, under the auspices of the Federal 
Financial Institutions Examination Council (``FFIEC''), have 
accelerated efforts to assess and enhance the state of the financial 
industry's cyber preparedness and to improve the Agencies' examination 
procedures and training that can strengthen the oversight of financial 
industry cybersecurity readiness. The Agencies also have focused on 
improving their abilities to provide financial institutions with 
resources that can assist in protecting financial institutions and 
their customers from the growing risks posed by cyber attacks.
    As part of these increased efforts, the Agencies developed the 
Assessment to assist financial institutions of all sizes in assessing 
their inherent cyber risks and their risk management capabilities. The 
Assessment allows a financial institution to identify its inherent 
cyber risk profile based on the financial institution's technologies 
and connection types, delivery channels, online/mobile products and 
technology services that it offers to its customers, its organizational 
characteristics, and the cyber threats it is likely to face. Once a 
financial institution identifies its inherent cyber risk profile, it 
will be able to use the Assessment's maturity matrix to evaluate its 
level of cybersecurity preparedness based on the financial 
institution's cyber risk management and oversight, threat intelligence 
capabilities, cybersecurity controls, external dependency management, 
and cyber incident management and resiliency planning. A financial 
institution may use the matrix's maturity levels to identify 
opportunities for improving the financial institution's cyber risk 
management based on its inherent risk profile. The Assessment also 
enables a financial institution to identify areas more rapidly that 
could improve the financial institution's cyber risk management and 
response programs, if needed. Use of the Assessment by financial 
institutions is voluntary.
    Type of Review: Regular.
    Affected Public: Businesses or other for-profit.
    Estimated Burdens: \3\
---------------------------------------------------------------------------

    \3\ Burden is estimated conservatively and assumes all financial 
institutions will complete the Assessment. Therefore, the estimated 
burden may exceed the actual burden because use of the Assessment by 
financial institutions is not mandatory. The Agencies intend to 
address their review of the cybersecurity readiness and preparedness 
of financial institutions' technology service providers (TSPs) 
separately and therefore are no longer including a separate 
estimated burden for TSPs. However, the burden estimates for 
financial institutions does include that of TSPs who may assist 
financial institutions in completing their Assessment.

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                               Estimated number of    Estimated number of
                                       Estimated number of      respondents $500        respondents $10      Estimated number of      Estimated total
     Assessment burden estimate       respondents less than    million-$10 billion    billion-$50 billion    respondents over $50  respondents and total
                                     $500 million @80 hours        @120 hours              @160 hours         billion @180 hours    annual burden hours
--------------------------------------------------------------------------------------------------------------------------------------------------------
OCC National Banks and Federal       1,102 x 80 = 88,160     149 x 120 = 17,880      132 x 160 = 21,120     87 x 180 = 15,660      1,470 respondents
 Savings Associations.                hours.                  hours.                  hours.                 hours.                 142,820 hours.
FDIC State Non-Member Banks and      3,224 x 80 = 257,920    728 x 120 = 87,360      22 x 160 = 3,520       5 x 180 = 900 hours..  3,979 respondents
 State Savings Associations.          hours.                  hours.                  hours.                                        349,700 hours.
Board State Member Banks and Bank    4,083 x 80 = 326,640    1,083 x 120 = 129,960   74 x 160 = 11,840      42 x 180 = 7,560       5,282 respondents
 Holding Companies.                   hours.                  hours.                  hours.                 hours.                 476,000 hours.
NCUA Federally-Insured Credit        5,622 x 80 = 449,760    463 x 120 = 55,560      4 x 160 = 640 hours..  1 x 180 = 180 hours..  6,090 respondents
 Unions.                              hours.                  hours.                                                                506,140 hours.
                                    --------------------------------------------------------------------------------------------------------------------
    Total..........................  14,031 x 80 =           2,423 x 120 = 290,760   232 x 160 = 37,120     135 x 180 = 24,300     16,821 respondents
                                      1,122,480 hours.        hours.                  hours.                 hours.                 1,474,660 hours.
--------------------------------------------------------------------------------------------------------------------------------------------------------

    On July 22, 2015, (80 FR 4355), the Office of the Comptroller of 
the Currency (OCC), on behalf of itself, the Board of Governors of the 
Federal Reserve System (Board), the Federal Deposit Insurance 
Corporation (FDIC), and the National Credit Union Administration (NCUA) 
(collectively, the Agencies) published a 60-day notice requesting 
comment on the collection of information titled ``FFIEC Cybersecurity 
Assessment Tool (Assessment).'' The Agencies received eighteen 
comments: Twelve comments from individuals, five from industry trade 
associations, and

[[Page 78287]]

one from the Financial Services Sector Coordinating Council. The 
comments described below address concerns related to the collection of 
information. The commenters also mentioned aspects of the Assessment 
unrelated to the collection of information; these views are not 
relevant to this notice or the paperwork burden analysis and, 
accordingly, they are not addressed below. However, the comments 
unrelated to the paperwork burden analysis were provided to Agency 
personnel responsible for the Assessment for possible consideration in 
future updates of the Assessment.

1. Request for More Information on the Information Being Collected

    Eight of the commenters requested that the Agencies provide 
additional clarity and interpretative information regarding the 
Assessment. Several of these commenters requested that the Agencies 
clarify some of the statements in the Inherent Risk Profile.\4\ 
Commenters also stated that many of the declarative statements in the 
Cybersecurity Maturity \5\ were subjective and susceptible to different 
interpretation. Other commenters requested the Agencies provide 
additional information regarding the relationship between the Inherent 
Risk Profile and the Cybersecurity Maturity parts of the Assessment.
---------------------------------------------------------------------------

    \4\ Part One of the Assessment, the Inherent Risk Profile, 
assists a financial institution in identifying its inherent risk 
before implementing controls.
    \5\ Part Two of the Assessment, the Cybersecurity Maturity, 
assists a financial institution in determining its current state of 
cybersecurity preparedness represented by maturity levels across 
five domains.
---------------------------------------------------------------------------

    Five commenters requested that the Agencies publish information 
clarifying the Assessment, such as an appendix to the Assessment or a 
separate frequently asked questions (FAQ) document. One commenter 
requested that the Agencies issue a separate document describing the 
assumptions the Agencies used in developing the Assessment. Another 
commenter requested that the Agencies provide examples of how community 
financial institutions might satisfy certain declarative statements. 
Additionally, one commenter requested that the Agencies develop a 12-18 
month collaborative process with the commenter to improve the 
Assessment prior to finalizing the Assessment or using the Assessment 
on examinations.
    The Agencies appreciate the feedback and comments received from the 
commenters. The Agencies recognize that there may be a need to clarify 
certain aspects of the Assessment and will consider developing an FAQ 
document to address questions and requests for clarification that they 
have received since the publication of the Assessment, including from 
commenters. Additionally, the Agencies are developing a process to 
update the Assessment on a periodic basis. The update process will 
consider comments from interested parties.

2. Usability and Format of the Assessment

    Four commenters suggested changes to the format of the Assessment 
to increase usability. The commenters requested that the Agencies 
develop an automated or editable form of the Assessment. Commenters 
stated that the ability to save and edit responses contained in the 
Assessment would improve a financial institution's ability to use the 
Assessment on an ongoing basis.
    One commenter also recommended that the Agencies revise the 
Assessment to include hyperlinks to the Assessment Glossary and User 
Guide instructions. Another commenter suggested that the Agencies 
revise the Assessment to assign a maturity level \6\ automatically to 
the financial institution once it completes the Inherent Risk Profile 
portion of the Assessment. In addition, this commenter suggests that 
once a financial institution answers ``no'' to a declarative statement 
in a particular domain of the Cybersecurity Maturity, the Assessment 
should automatically prevent the financial institution from responding 
to the remainder of the declarative statements within that domain. The 
commenter also stated the Assessment should automatically populate 
answers to similar questions across domains and maturity levels.
---------------------------------------------------------------------------

    \6\ Within the five domains of the Cybersecurity Maturity, 
declarative statements describe the requirements for achieving five 
possible maturity levels for each domain.
---------------------------------------------------------------------------

    The Agencies acknowledge the potential value of an automated or 
editable form of the Assessment for financial institutions that choose 
to use the Assessment and are exploring the possibility of developing 
an automated form in the future, including the possibility of 
hyperlinking to definitions and instructions. Any automation of the 
form, however, would not include the automatic assignment of a maturity 
level as the Agencies do not have expectations for any financial 
institution to reach a specific maturity level within the Assessment, 
and a financial institution may find value in identifying activities it 
is already performing at a higher maturity level.

3. Utility of the Assessment

    Two commenters stated that there are a number of cybersecurity 
assessment frameworks available to financial institutions to use in 
determining their inherent risk and cybersecurity preparedness. These 
commenters questioned the need for the development of an additional 
framework. One commenter focused on the potential duplication between 
the National Institute of Standards and Technology's Cybersecurity 
Framework (NIST Framework) and the Assessment. This commenter stated 
that use of the Assessment by financial institutions, instead of the 
NIST Framework, could dilute the value of the NIST Framework as a tool 
for cross-sector collaboration.
    The Agencies, under the auspices of the FFIEC, developed the 
Assessment to assist financial institutions in addressing the cyber 
risks unique to the financial industry. The Assessment supports 
financial institutions by giving them a systematic way to assess their 
cybersecurity preparedness and evaluate their progress. Unlike other 
frameworks, the Assessment is specifically tailored to the products and 
services offered by financial institutions and the control and risk 
mitigation techniques used by the industry. In addition, the Agencies 
have received many requests from financial institutions, particularly 
smaller financial institutions, to provide them with a meaningful way 
to assess cyber risks themselves based on financial sector-specific 
risks and mitigation techniques. The Agencies developed the Assessment, 
in part, to address those requests and received several positive 
comments about how the Assessment met this need. As discussed more 
fully below, a financial institution is not required to use the 
Assessment and may choose any method the financial institution 
determines is relevant and meaningful to assess its inherent risk and 
cybersecurity preparedness.
    The Agencies agree that the NIST Framework is a valuable tool and 
the Agencies incorporated concepts from the NIST Framework into the 
Assessment. The Assessment contains an appendix that maps the NIST 
Framework to the Assessment. NIST reviewed and provided input on the 
mapping to ensure consistency with the NIST Framework's principles and 
to highlight the complementary nature of the two resources. The 
Agencies also agree that the NIST Framework provides a mechanism for 
cross-sector coordination. However, because of the unique cyber risks 
facing the financial industry, the Agencies identified a need

[[Page 78288]]

to develop a more granular framework that is more specific to the 
financial services industry to assist financial institutions in 
evaluating themselves.
    Several commenters also raised questions regarding the Agencies' 
use of a maturity model as a part of the Assessment. Four commenters 
were concerned with the ``all or nothing'' approach to achieving a 
maturity level, particularly insofar as a financial institution might 
not be credited for activities taken at a higher level that might 
mitigate risks at a lower level. Some commenters stated that a maturity 
model is too prescriptive and does not adequately account for 
compensating controls or risk tolerance and others questioned why the 
Assessment does not discuss the concept of residual risk.
    The Agencies designed the Cybersecurity Maturity contained in the 
Assessment to assist financial institutions in understanding the ranges 
of controls and practices needed to manage cyber risk. As previously 
stated, use of the tool is voluntary and a financial institution may 
use any method to assess inherent risk and cybersecurity preparedness 
that it considers relevant and meaningful.
    The User Guide does provide general parameters to assist financial 
institutions that choose to use the Assessment in considering how to 
align inherent risk with the financial institution's processes and 
control maturity.

4. Accuracy of Burden Estimate

    The Agencies estimated that, annually, it would take a financial 
institution 80 burden hours, on average, to complete the Assessment. 
Five comment letters addressed the accuracy of the Agencies' burden 
estimate. These letters generally stated that the Agencies' burden 
estimate understated the burden involved. One commenter stated that 
credit unions that choose to use the Assessment could take 80-100 hours 
to complete it. However, other commenters stated that it may take a 
financial institution several hundred hours to complete the Assessment 
in the first year of use.
    One commenter stated that the estimated burden will vary based on 
financial institution size, with smaller financial institutions 
requiring hundreds of hours to complete the Assessment, medium-sized 
financial institutions approaching 1,000-2,000 hours, and the large 
financial institutions investing 1,000-2,000 hours or more. This 
commenter stated that the burden estimate includes the amount of time 
needed to collect information and documentation sufficient to provide 
answers supportable in the examination context, report to internal 
steering committees and prepare for examinations. Another commenter 
stated that the Agencies' evaluation of 80 hours ``largely 
underestimates'' the time required to complete the Assessment. This 
commenter stated that the initial completion of the Assessment would 
include collecting data, discussing and verifying responses, performing 
gap analysis, preparing and implementing action plans, where needed, 
and presenting results to executives.
    In light of the comments received and recent supervisory experience 
performing information technology examinations, the Agencies are 
revising their burden estimates. In revisiting the burden estimates, 
the Agencies are taking a more conservative approach to estimating the 
potential burden involved in using the Assessment. The Agencies 
recognize that size and complexity of a financial institution, as noted 
by some of the commenters, impacts the amount of time and resources to 
complete the Assessment and therefore the Agencies have further refined 
their burden estimates based on financial institution asset size.
    The Agencies note that the revised burden estimates assume that the 
Assessment is completed by knowledgeable individuals at the financial 
institution who have readily-available information to complete the 
Assessment. The Agencies' revised burden estimates do not include the 
amount of time associated with reporting to management and internal 
committees, developing and implementing action plans, and preparing for 
examination as such time and resources are outside the scope of the 
PRA.

5. Information Storage and Confidentiality

    Two commenters requested information on how the Agencies will use 
and store the Assessment information that financial institutions 
provide to the Agencies.
    The Agencies are subject to compliance with the Federal Information 
Security Management Act (FISMA) and they operate cybersecurity programs 
to protect critical information resources, including sensitive 
financial institution information obtained or created during their 
supervision activities. The programs include policies, standards and 
controls, monitoring, technical controls, and other information 
assurance processes. If a financial institution provides the 
Assessment, or any other, confidential information to an examiner as 
part of the supervisory process, the storage and use of such 
information would be subject to the Agencies' cybersecurity programs.

6. Benchmarking

    One commenter suggested that the Agencies collect, anonymize, and 
share Assessment information to allow financial institutions to 
benchmark themselves against comparably sized financial institutions. 
Since use of the Assessment by financial institutions is voluntary, the 
Agencies do not to intend to collect the Assessment from financial 
institutions or publish the results.

7. Voluntary Use of the Assessment

    Several commenters expressed concern that since some of the 
Agencies will be using the Assessment as an aid in their examination 
processes, financial institutions may believe that their use of the 
Assessment is mandated by the Agencies. Another commenter requested 
that the Agencies ensure that examiners do not force financial 
institutions to use the Assessment or require financial institutions to 
justify their decisions to use an alternative cybersecurity assessment. 
Several commenters requested that the Agencies reiterate to examiners 
and to financial institutions that use of the Assessment by a financial 
institution is voluntary.
    As the Agencies stated when the Assessment was first published, use 
of the Assessment by financial institutions is voluntary. Financial 
institutions may use the Assessment or any other framework or process 
to identify their inherent risk and cybersecurity preparedness. The 
Agencies' examiners will not require a financial institution to 
complete the Assessment. However, if a financial institution has 
completed an Assessment, examiners may ask the financial institution 
for a copy, as they would for any risk self-assessment performed by the 
financial institution. The Agencies are educating examiners on the 
voluntary nature of the Assessment and including statements about its 
voluntary nature in examiner training materials.
    Additional Comments Welcome: Comments continue to be invited on:
    (a) Whether the collection of information is necessary for the 
proper performance of the functions of the Agencies, including whether 
the information has practical utility;
    (b) The accuracy of the Agencies' estimates of the burden of the 
collection of information;
    (c) Ways to enhance the quality, utility, and clarity of the 
information to be collected;

[[Page 78289]]

    (d) Ways to minimize the burden of the collection on respondents, 
including through the use of automated collection techniques or other 
forms of information technology; and
    (e) Estimates of capital or start-up costs and costs of operation, 
maintenance, and purchase of services to provide information.

    Dated: December 10, 2015.
Stuart E. Feldstein,
Director, Legislative and Regulatory Activities Division, Office of the 
Comptroller of the Currency.
[FR Doc. 2015-31583 Filed 12-15-15; 8:45 am]
BILLING CODE 4810-33-P