Agency Information Collection Activities: Information Collection Renewal; Submission for Review; FFIEC Cybersecurity Assessment Tool, 78285-78289 [2015-31583]
Federal Register / Vol. 80, No. 241 / Wednesday, December 16, 2015 / Notices
DEPARTMENT OF TRANSPORTATION
National Highway Traffic Safety Administration
[Docket No. NHTSA–2015–0071]
Reports, Forms, and Recordkeeping Requirements
AGENCY: National Highway Traffic Safety Administration (NHTSA), Department of Transportation.
ACTION: Request for public comment on proposed collection of information.
SUMMARY: In compliance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.), this notice announces that the Information Collection Request (ICR) abstracted below is being forwarded to the Office of Management and Budget (OMB) for review and comments.
DATES: Comments must be received on or before January 15, 2016.
ADDRESSES: Send comments to the Office of Information and Regulatory Affairs, Office of Management and Budget, 725–17th Street NW., Washington, DC 20503, Attention: NHTSA Desk Officer.
FOR FURTHER INFORMATION CONTACT: For additional information or access to background documents, contact Timothy M. Pickrell, NHTSA, 1200 New Jersey Avenue SE., W55–320, NVS–421, Washington, DC 20590. Mr. Pickrell’s telephone number is (202) 366–2903. Please identify the relevant collection of information by referring to its OMB Control Number.
SUPPLEMENTARY INFORMATION: Before a Federal agency can collect certain information from the public, it must receive approval from the Office of Management and Budget (OMB). In compliance with these requirements, this notice announces that the following information collection request has been forwarded to OMB. A Federal Register Notice soliciting comments on the following information collection was published on July 30, 2015 (Volume 80, Number 146; Pages 45585–86). The agency received no comments on the 60 day notice.
Title: The National Survey on the Use of Booster Seats.
OMB Control Number: 2127–0644.
Affected Public: Motorists in passenger vehicles at gas stations, fast food restaurants, and other types of sites frequented by children during the time in which the survey is conducted.
Form Number: NHTSA Form 1010.
Abstract: The National Survey of the Use of Booster Seats is being conducted to respond to the Section 14(i) of the Transportation Recall Enhancement, Accountability, and Documentation (TREAD) Act of 2000. The act directs the Department of Transportation to reduce the deaths and injuries among children in the 4 to 8 year old age group that are caused by failure to use a booster seat by 25%. Conducting the National Survey of the Use of Booster Seats provides the Department with invaluable information on who is and is not using booster seats, helping the Department better direct its outreach programs to ensure that children are protected to the greatest degree possible when they ride in motor vehicles. The OMB approval for this survey is scheduled to expire on 1/31/16. NHTSA seeks an extension to this approval in order to obtain this important survey data, save more children and help to comply with the TREAD Act requirement.
Estimated Annual Burden: 320 hours.
Estimated Number of Respondents: Approximately 4,800 adult motorists in passenger vehicles at gas stations, fast food restaurants, and other types of sites frequented by children during the time in which the survey is conducted.
Comments are invited on: whether the proposed collection of information is necessary for the proper performance of the functions of the Department, including whether the information will have practical utility; the accuracy of the Department’s estimate of the burden of the proposed information collection; ways to enhance the quality, utility and clarity of the information to be collected; and ways to minimize the burden of the collection of information on respondents, including the use of automated collection techniques or other forms of information technology.
Terry Shelton, Associate Administrator, National Center for Statistics and Analysis.
[FR Doc. 2015–31633 Filed 12–15–15; 8:45 am]
BILLING CODE 4910–59–P
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
Agency Information Collection Activities: Information Collection Renewal; Submission for Review; FFIEC Cybersecurity Assessment Tool
AGENCY: Office of the Comptroller of the Currency (OCC), Treasury.
ACTION: Notice and request for comment.
SUMMARY: The OCC, the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) (collectively, the Agencies), as part of their continuing effort to reduce paperwork and respondent burden, invite the general public and other Federal agencies to comment on a continuing information collection, as required by the Paperwork Reduction Act of 1995 (PRA).
In accordance with the requirements of the PRA, the Agencies may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number.
The OCC is soliciting comment on behalf of the Agencies concerning renewal of the information collection titled ‘‘FFIEC Cybersecurity Assessment Tool’’ (‘‘Assessment’’). The OCC also is giving notice that it has sent the collection to OMB for review.
DATES: Comments must be received by January 15, 2016.
ADDRESSES: Because paper mail in the Washington, DC area and at the OCC is subject to delay, commenters are encouraged to submit comments by email, if possible. Comments may be sent to: Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency, Attention: 1557–0328, 400 7th Street SW., Suite 3E–218, Mail Stop 9W–11, Washington, DC 20219. In addition, comments may be sent by fax to (571) 465–4326 or by electronic mail to prainfo@occ.treas.gov. You may personally inspect and photocopy comments at the OCC, 400 7th Street SW., Washington, DC 20219. For security reasons, the OCC requires that visitors make an appointment to inspect comments. You may do so by calling (202) 649–6700 or, for persons who are deaf or hard of hearing, TTY (202) 649–5597. Upon arrival, visitors will be required to present valid government-issued photo identification and to submit to security screening in order to inspect and photocopy comments.
All comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. Do not enclose any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure.
Additionally, please send a copy of your comments by mail to: OCC Desk Officer, 1557–0328, U.S. Office of Management and Budget, 725 17th Street NW., #10235, Washington, DC 20503, or by email to: oira_submission@omb.eop.gov.
FOR FURTHER INFORMATION CONTACT: Shaquita Merritt, OCC Clearance Officer, or Beth Knickerbocker, Counsel (202) 649–5490, Legislative and Regulatory Activities Division, for persons who are deaf or hard of hearing, TTY, (202) 649–5597, Office of the Comptroller of the Currency, 400 7th Street SW., Suite 3E–218, Mail Stop 9W–11, Washington, DC 20219.
SUPPLEMENTARY INFORMATION: Under the PRA (44 U.S.C. 3501–3520), Federal agencies must obtain approval from OMB for each collection of information they conduct or sponsor. ‘‘Collection of information’’ is defined in 44 U.S.C. 3502(3) and 5 CFR 1320.3(c) to include agency requests or requirements that members of the public submit reports, keep records, or provide information to a third party. The definition contained in 5 CFR 1320.3(c) also includes a voluntary collection of information.
In connection with issuance of the Assessment,[1] OMB provided a six-month approval for this information collection. On behalf of the Agencies, the OCC is proposing to extend OMB approval of the collection for the standard three years.
Title: FFIEC Cybersecurity Assessment Tool.
OMB Number: 1557–0328.
Description: Cyber threats have evolved and increased exponentially with greater sophistication than ever before. Financial institutions[2] are exposed to cyber risks because they are dependent on information technology to deliver services to consumers and businesses every day. Cyber attacks on financial institutions may not only result in access to, and the compromise of, confidential information, but also the destruction of critical data and systems. Disruption, degradation, or unauthorized alteration of information and systems can affect a financial institution’s operations and core processes and undermine confidence in the nation’s financial services sector. Absent immediate attention to these rapidly increasing threats, financial institutions and the financial sector as a whole are at risk.
For this reason, the Agencies, under the auspices of the Federal Financial Institutions Examination Council (‘‘FFIEC’’), have accelerated efforts to assess and enhance the state of the financial industry’s cyber preparedness and to improve the Agencies’ examination procedures and training that can strengthen the oversight of financial industry cybersecurity readiness. The Agencies also have focused on improving their abilities to provide financial institutions with resources that can assist in protecting financial institutions and their customers from the growing risks posed by cyber attacks.
As part of these increased efforts, the Agencies developed the Assessment to assist financial institutions of all sizes in assessing their inherent cyber risks and their risk management capabilities. The Assessment allows a financial institution to identify its inherent cyber risk profile based on the financial institution’s technologies and connection types, delivery channels, online/mobile products and technology services that it offers to its customers, its organizational characteristics, and the cyber threats it is likely to face. Once a financial institution identifies its inherent cyber risk profile, it will be able to use the Assessment’s maturity matrix to evaluate its level of cybersecurity preparedness based on the financial institution’s cyber risk management and oversight, threat intelligence capabilities, cybersecurity controls, external dependency management, and cyber incident management and resiliency planning. A financial institution may use the matrix’s maturity levels to identify opportunities for improving the financial institution’s cyber risk management based on its inherent risk profile. The Assessment also enables a financial institution to more rapidly identify areas that could improve the financial institution’s cyber risk management and response programs, if needed. Use of the Assessment by financial institutions is voluntary.
Type of Review: Regular.
Affected Public: Businesses or other for-profit.
Estimated Burdens:[3]
Assessment burden estimate. Each row lists, by asset size of the respondent: the estimated number of respondents with less than $500 million in assets @ 80 hours; $500 million–$10 billion @ 120 hours; $10 billion–$50 billion @ 160 hours; over $50 billion @ 180 hours; and the estimated total respondents and total annual burden hours.
OCC National Banks and Federal Savings Associations: less than $500 million, 1,102 × 80 = 88,160 hours; $500 million–$10 billion, 149 × 120 = 17,880 hours; $10 billion–$50 billion, 132 × 160 = 21,120 hours; over $50 billion, 87 × 180 = 15,660 hours; total 1,470 respondents, 142,820 hours.
FDIC State Non-Member Banks and State Savings Associations: less than $500 million, 3,224 × 80 = 257,920 hours; $500 million–$10 billion, 728 × 120 = 87,360 hours; $10 billion–$50 billion, 22 × 160 = 3,520 hours; over $50 billion, 5 × 180 = 900 hours; total 3,979 respondents, 349,700 hours.
Board State Member Banks and Bank Holding Companies: less than $500 million, 4,083 × 80 = 326,640 hours; $500 million–$10 billion, 1,083 × 120 = 129,960 hours; $10 billion–$50 billion, 74 × 160 = 11,840 hours; over $50 billion, 42 × 180 = 7,560 hours; total 5,282 respondents, 476,000 hours.
NCUA Federally-Insured Credit Unions: less than $500 million, 5,622 × 80 = 449,760 hours; $500 million–$10 billion, 463 × 120 = 55,560 hours; $10 billion–$50 billion, 4 × 160 = 640 hours; over $50 billion, 1 × 180 = 180 hours; total 6,090 respondents, 506,140 hours.
Total: less than $500 million, 14,031 × 80 = 1,122,480 hours; $500 million–$10 billion, 2,423 × 120 = 290,760 hours; $10 billion–$50 billion, 232 × 160 = 37,120 hours; over $50 billion, 135 × 180 = 24,300 hours; total 16,821 respondents, 1,474,660 hours.
[1] https://www.ffiec.gov/cyberassessmenttool.htm.
[2] For purposes of this information collection, the term ‘‘financial institution’’ includes banks, savings associations, credit unions, and bank holding companies.
[3] Burden is estimated conservatively and assumes all financial institutions will complete the Assessment. Therefore, the estimated burden may exceed the actual burden because use of the Assessment by financial institutions is not mandatory. The Agencies intend to address their review of the cybersecurity readiness and preparedness of financial institutions’ technology service providers (TSPs) separately and therefore are no longer including a separate estimated burden for TSPs. However, the burden estimates for financial institutions do include that of TSPs who may assist financial institutions in completing their Assessment.
On July 22, 2015 (80 FR 4355), the Office of the Comptroller of the Currency (OCC), on behalf of itself, the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) (collectively, the Agencies) published a 60-day notice requesting comment on the collection of information titled ‘‘FFIEC Cybersecurity Assessment Tool (Assessment).’’ The Agencies received eighteen comments: twelve comments from individuals, five from industry trade associations, and one from the Financial Services Sector Coordinating Council. The comments described below address concerns related to the collection of information. The commenters also mentioned aspects of the Assessment unrelated to the collection of information; these views are not relevant to this notice or the paperwork burden analysis and, accordingly, they are not addressed below. However, the comments unrelated to the paperwork burden analysis were provided to Agency personnel responsible for the Assessment for possible consideration in future updates of the Assessment.
1. Request for More Information on the Information Being Collected
Eight of the commenters requested that the Agencies provide additional clarity and interpretative information regarding the Assessment. Several of these commenters requested that the Agencies clarify some of the statements in the Inherent Risk Profile.[4] Commenters also stated that many of the declarative statements in the Cybersecurity Maturity[5] were subjective and susceptible to different interpretation. Other commenters requested the Agencies provide additional information regarding the relationship between the Inherent Risk Profile and the Cybersecurity Maturity parts of the Assessment.
Five commenters requested that the Agencies publish information clarifying the Assessment, such as an appendix to the Assessment or a separate frequently asked questions (FAQ) document. One commenter requested that the Agencies issue a separate document describing the assumptions the Agencies used in developing the Assessment. Another commenter requested that the Agencies provide examples of how community financial institutions might satisfy certain declarative statements. Additionally, one commenter requested that the Agencies develop a 12–18 month collaborative process with the commenter to improve the Assessment prior to finalizing the Assessment or using the Assessment on examinations.
The Agencies appreciate the feedback and comments received from the commenters. The Agencies recognize that there may be a need to clarify certain aspects of the Assessment and will consider developing an FAQ document to address questions and requests for clarification that they have received since the publication of the Assessment, including from commenters. Additionally, the Agencies are developing a process to update the Assessment on a periodic basis. The update process will consider comments from interested parties.
[4] Part One of the Assessment, the Inherent Risk Profile, assists a financial institution in identifying its inherent risk before implementing controls.
[5] Part Two of the Assessment, the Cybersecurity Maturity, assists a financial institution in determining its current state of cybersecurity preparedness represented by maturity levels across five domains.
2. Usability and Format of the Assessment
Four commenters suggested changes to the format of the Assessment to increase usability. The commenters requested that the Agencies develop an automated or editable form of the Assessment. Commenters stated that the ability to save and edit responses contained in the Assessment would improve a financial institution’s ability to use the Assessment on an ongoing basis.
One commenter also recommended that the Agencies revise the Assessment to include hyperlinks to the Assessment Glossary and User Guide instructions. Another commenter suggested that the Agencies revise the Assessment to assign a maturity level[6] automatically to the financial institution once it completes the Inherent Risk Profile portion of the Assessment. In addition, this commenter suggested that once a financial institution answers ‘‘no’’ to a declarative statement in a particular domain of the Cybersecurity Maturity, the Assessment should automatically prevent the financial institution from responding to the remainder of the declarative statements within that domain. The commenter also stated the Assessment should automatically populate answers to similar questions across domains and maturity levels.
The Agencies acknowledge the potential value of an automated or editable form of the Assessment for financial institutions that choose to use the Assessment and are exploring the possibility of developing an automated form in the future, including the possibility of hyperlinking to definitions and instructions. Any automation of the form, however, would not include the automatic assignment of a maturity level as the Agencies do not have expectations for any financial institution to reach a specific maturity level within the Assessment, and a financial institution may find value in identifying activities it is already performing at a higher maturity level.
[6] Within the five domains of the Cybersecurity Maturity, declarative statements describe the requirements for achieving five possible maturity levels for each domain.
3. Utility of the Assessment
Two commenters stated that there are a number of cybersecurity assessment frameworks available to financial institutions to use in determining their inherent risk and cybersecurity preparedness. These commenters questioned the need for the development of an additional framework. One commenter focused on the potential duplication between the National Institute of Standards and Technology’s Cybersecurity Framework (NIST Framework) and the Assessment. This commenter stated that use of the Assessment by financial institutions, instead of the NIST Framework, could dilute the value of the NIST Framework as a tool for cross-sector collaboration.
The Agencies, under the auspices of the FFIEC, developed the Assessment to assist financial institutions in addressing the cyber risks unique to the financial industry. The Assessment supports financial institutions by giving them a systematic way to assess their cybersecurity preparedness and evaluate their progress. Unlike other frameworks, the Assessment is specifically tailored to the products and services offered by financial institutions and the control and risk mitigation techniques used by the industry. In addition, the Agencies have received many requests from financial institutions, particularly smaller financial institutions, to provide them with a meaningful way to assess cyber risks themselves based on financial sector-specific risks and mitigation techniques. The Agencies developed the Assessment, in part, to address those requests and received several positive comments about how the Assessment met this need. As discussed more fully below, a financial institution is not required to use the Assessment and may choose any method the financial institution determines is relevant and meaningful to assess its inherent risk and cybersecurity preparedness.
The Agencies agree that the NIST Framework is a valuable tool and the Agencies incorporated concepts from the NIST Framework into the Assessment. The Assessment contains an appendix that maps the NIST Framework to the Assessment. NIST reviewed and provided input on the mapping to ensure consistency with the NIST Framework’s principles and to highlight the complementary nature of the two resources. The Agencies also agree that the NIST Framework provides a mechanism for cross-sector coordination. However, because of the unique cyber risks facing the financial industry, the Agencies identified a need to develop a more granular framework that is more specific to the financial services industry to assist financial institutions in evaluating themselves.
Several commenters also raised questions regarding the Agencies’ use of a maturity model as a part of the Assessment. Four commenters were concerned with the ‘‘all or nothing’’ approach to achieving a maturity level, particularly insofar as a financial institution might not be credited for activities taken at a higher level that might mitigate risks at a lower level. Some commenters stated that a maturity model is too prescriptive and does not adequately account for compensating controls or risk tolerance and others questioned why the Assessment does not discuss the concept of residual risk.
The Agencies designed the Cybersecurity Maturity contained in the Assessment to assist financial institutions in understanding the ranges of controls and practices needed to manage cyber risk. As previously stated, use of the tool is voluntary and a financial institution may use any method to assess inherent risk and cybersecurity preparedness that it considers relevant and meaningful.
The User Guide does provide general parameters to assist financial institutions that choose to use the Assessment in considering how to align inherent risk with the financial institution’s processes and control maturity.
4. Accuracy of Burden Estimate
The Agencies estimated that, annually, it would take a financial institution 80 burden hours, on average, to complete the Assessment. Five comment letters addressed the accuracy of the Agencies’ burden estimate. These letters generally stated that the Agencies’ burden estimate understated the burden involved. One commenter stated that credit unions that choose to use the Assessment could take 80–100 hours to complete it. However, other commenters stated that it may take a financial institution several hundred hours to complete the Assessment in the first year of use.
One commenter stated that the estimated burden will vary based on financial institution size, with smaller financial institutions requiring hundreds of hours to complete the Assessment, medium-sized financial institutions approaching 1,000–2,000 hours, and the large financial institutions investing 1,000–2,000 hours or more. This commenter stated that the burden estimate includes the amount of time needed to collect information and documentation sufficient to provide answers supportable in the examination context, report to internal steering committees and prepare for examinations. Another commenter stated that the Agencies’ evaluation of 80 hours ‘‘largely underestimates’’ the time required to complete the Assessment. This commenter stated that the initial completion of the Assessment would include collecting data, discussing and verifying responses, performing gap analysis, preparing and implementing action plans, where needed, and presenting results to executives.
In light of the comments received and recent supervisory experience performing information technology examinations, the Agencies are revising their burden estimates. In revisiting the burden estimates, the Agencies are taking a more conservative approach to estimating the potential burden involved in using the Assessment. The Agencies recognize that size and complexity of a financial institution, as noted by some of the commenters, impacts the amount of time and resources to complete the Assessment and therefore the Agencies have further refined their burden estimates based on financial institution asset size.
The Agencies note that the revised burden estimates assume that the Assessment is completed by knowledgeable individuals at the financial institution who have readily available information to complete the Assessment. The Agencies’ revised burden estimates do not include the amount of time associated with reporting to management and internal committees, developing and implementing action plans, and preparing for examination as such time and resources are outside the scope of the PRA.
5. Information Storage and Confidentiality
Two commenters requested information on how the Agencies will use and store the Assessment information that financial institutions provide to the Agencies.
The Agencies are subject to compliance with the Federal Information Security Management Act (FISMA) and they operate cybersecurity programs to protect critical information resources, including sensitive financial institution information obtained or created during their supervision activities. The programs include policies, standards and controls, monitoring, technical controls, and other information assurance processes. If a financial institution provides the Assessment, or any other, confidential information to an examiner as part of the supervisory process, the storage and use of such information would be subject to the Agencies’ cybersecurity programs.
6. Benchmarking
One commenter suggested that the Agencies collect, anonymize, and share Assessment information to allow financial institutions to benchmark themselves against comparably sized financial institutions. Since use of the Assessment by financial institutions is voluntary, the Agencies do not intend to collect the Assessment from financial institutions or publish the results.
7. Voluntary Use of the Assessment
Several commenters expressed concern that since some of the Agencies will be using the Assessment as an aid in their examination processes, financial institutions may believe that their use of the Assessment is mandated by the Agencies. Another commenter requested that the Agencies ensure that examiners do not force financial institutions to use the Assessment or require financial institutions to justify their decisions to use an alternative cybersecurity assessment. Several commenters requested that the Agencies reiterate to examiners and to financial institutions that use of the Assessment by a financial institution is voluntary.
As the Agencies stated when the Assessment was first published, use of the Assessment by financial institutions is voluntary. Financial institutions may use the Assessment or any other framework or process to identify their inherent risk and cybersecurity preparedness. The Agencies’ examiners will not require a financial institution to complete the Assessment. However, if a financial institution has completed an Assessment, examiners may ask the financial institution for a copy, as they would for any risk self-assessment performed by the financial institution. The Agencies are educating examiners on the voluntary nature of the Assessment and including statements about its voluntary nature in examiner training materials.
Additional Comments Welcome: Comments continue to be invited on:
(a) Whether the collection of information is necessary for the proper performance of the functions of the Agencies, including whether the information has practical utility;
(b) The accuracy of the Agencies’ estimates of the burden of the collection of information;
(c) Ways to enhance the quality, utility, and clarity of the information to be collected;
(d) Ways to minimize the burden of the collection on respondents, including through the use of automated collection techniques or other forms of information technology; and
(e) Estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information.
Dated: December 10, 2015.
Stuart E. Feldstein, Director, Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency.
[FR Doc. 2015–31583 Filed 12–15–15; 8:45 am]
BILLING CODE 4810–33–P
DEPARTMENT OF THE TREASURY
Office of Foreign Assets Control
Additional Designations, Foreign Narcotics Kingpin Designation Act
AGENCY: Office of Foreign Assets Control, Treasury.
ACTION: Notice.
SUMMARY: The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is publishing the names of three individuals and two entities whose property and interests in property have been blocked pursuant to the Foreign Narcotics Kingpin Designation Act (Kingpin Act) (21 U.S.C. 1901–1908, 8 U.S.C. 1182).
DATES: The designation by the Acting Director of OFAC of the three individuals and two entities identified in this notice pursuant to section 805(b) of the Kingpin Act is effective on December 10, 2015.
FOR FURTHER INFORMATION CONTACT: Assistant Director, Sanctions Compliance & Evaluation, Office of Foreign Assets Control, U.S. Department of the Treasury, Washington, DC 20220, Tel: (202) 622–2490.
SUPPLEMENTARY INFORMATION:
Electronic and Facsimile Availability
This document and additional information concerning OFAC are available on OFAC’s Web site at https://www.treasury.gov/ofac or via facsimile through a 24-hour fax-on-demand service at (202) 622–0077.
Background
The Kingpin Act became law on December 3, 1999. The Kingpin Act establishes a program targeting the activities of significant foreign narcotics traffickers and their organizations on a worldwide basis. It provides a statutory framework for the imposition of sanctions against significant foreign narcotics traffickers and their organizations on a worldwide basis, with the objective of denying their businesses and agents access to the U.S. financial system and the benefits of trade and transactions involving U.S. companies and individuals.
The Kingpin Act blocks all property and interests in property, subject to U.S. jurisdiction, owned or controlled by significant foreign narcotics traffickers as identified by the President. In addition, the Secretary of the Treasury, in consultation with the Attorney General, the Director of the Central Intelligence Agency, the Director of the Federal Bureau of Investigation, the Administrator of the Drug Enforcement Administration, the Secretary of Defense, the Secretary of State, and the Secretary of Homeland Security, may designate and block the property and interests in property, subject to U.S. jurisdiction, of persons who are found to be: (1) Materially assisting in, or providing financial or technological support for or to, or providing goods or services in support of, the international narcotics trafficking activities of a person designated pursuant to the Kingpin Act; (2) owned, controlled, or directed by, or acting for or on behalf of, a person designated pursuant to the Kingpin Act; or (3) playing a significant role in international narcotics trafficking.
On December 10, 2015, the Acting
Director of OFAC designated the
following three individuals and two
entities whose property and interests in
property are blocked pursuant to section
805(b) of the Kingpin Act.
Individuals
1. BURITICA HINCAPIE, Geova (a.k.a.
‘‘CAMILO CHATA’’; a.k.a. ‘‘MI VIEJO’’);
DOB 18 Sep 1970; POB San Rafael,
Antioquia, Colombia; Cedula No.
71215823 (Colombia) (individual)
[SDNTK]. Designated for acting for or on
behalf of Juan Carlos MESA VALLEJO,
LA OFICINA DE ENVIGADO, and/or
LOS CHATAS pursuant to section
805(b)(3) of the Kingpin Act, 21 U.S.C.
1904(b)(3).
2. MAYA RIOS, Edison (a.k.a.
‘‘GOMELO’’); DOB 01 Apr 1974; POB
Medellin, Antioquia, Colombia; Cedula
No. 98568816 (Colombia) (individual)
[SDNTK]. Designated for acting for or on
behalf of Juan Carlos MESA VALLEJO,
LA OFICINA DE ENVIGADO, and/or
LOS CHATAS pursuant to section
805(b)(3) of the Kingpin Act, 21 U.S.C.
1904(b)(3).
3. ZAPATA BERRIO, Jorge Oswaldo
(a.k.a. ‘‘JONAS’’); DOB 15 May 1979;
POB Bello, Antioquia, Colombia; Cedula
No. 71216000 (Colombia) (individual)
[SDNTK] (Linked To: MOTOS Y
REPUESTOS JOTA). Designated for
acting for or on behalf of Juan Carlos
MESA VALLEJO, LA OFICINA DE
ENVIGADO, and/or LOS CHATAS
pursuant to section 805(b)(3) of the
Kingpin Act, 21 U.S.C. 1904(b)(3).
Entities
4. LOS CHATAS, Bello, Antioquia,
Colombia [SDNTK]. Designated for
being controlled, directed by, or acting
for or on behalf of, Juan Carlos MESA
VALLEJO and/or LA OFICINA DE
ENVIGADO pursuant to section
805(b)(3) of the Kingpin Act, 21 U.S.C.
1904(b)(3).
5. MOTOS Y REPUESTOS JOTA,
Calle 49 AA 99 EE 58, Medellin,
Antioquia, Colombia; Matricula
Mercantil No. 21–567083–02 (Medellin)
[SDNTK]. Designated for being owned,
controlled, or directed by Jorge Oswaldo
ZAPATA BERRIO pursuant to section
805(b)(3) of the Kingpin Act, 21 U.S.C.
1904(b)(3).
Dated: December 10, 2015.
John E. Smith,
Acting Director, Office of Foreign Assets
Control.
[FR Doc. 2015–31569 Filed 12–15–15; 8:45 am]
BILLING CODE 4810–AL–P
DEPARTMENT OF VETERANS
AFFAIRS
[OMB Control No. 2900–NEW (VA Forms
10–10131, 10–10132, 10–10133)]
Proposed Information Collection
(Patient Aligned Care Team (PACT):
Helping Veterans Manage Chronic
Pain, Engaging Caregivers Veterans
With Dementia, Patient Centered
Medical Home Operation Enduring
Freedom/Operation Iraqi Freedom
(OEF/OIF) Veterans With Post
Traumatic Stress Disorder (PTSD):
Bridging Primary and Behavioral
Health Care (BP–BHC))
Activity: Comment Request.
AGENCY: Veterans Health
Administration, Department of Veterans
Affairs.
ACTION: Notice.
SUMMARY: The Veterans Health
Administration (VHA), Department of
Veterans Affairs (VA), is announcing an
opportunity for public comment on the
proposed collection of certain
information by the agency. Under the
Paperwork Reduction Act (PRA) of
1995, Federal agencies are required to
publish notice in the Federal Register
concerning each proposed collection of
information, including each new
[Federal Register Volume 80, Number 241 (Wednesday, December 16, 2015)]
[Notices]
[Pages 78285-78289]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-31583]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
Agency Information Collection Activities: Information Collection
Renewal; Submission for Review; FFIEC Cybersecurity Assessment Tool
AGENCY: Office of the Comptroller of the Currency (OCC), Treasury.
ACTION: Notice and request for comment.
-----------------------------------------------------------------------
SUMMARY: The OCC, the Board of Governors of the Federal Reserve System
(Board), the Federal Deposit Insurance Corporation (FDIC), and the
National Credit Union Administration (NCUA) (collectively, the
Agencies), as part of their continuing effort to reduce paperwork and
respondent burden, invite the general public and other Federal agencies
to comment on a continuing information collection, as required by the
Paperwork Reduction Act of 1995 (PRA).
In accordance with the requirements of the PRA, the Agencies may
not conduct or sponsor, and the respondent is not required to respond
to, an information collection unless it displays a currently valid
Office of Management and Budget (OMB) control number.
The OCC is soliciting comment on behalf of the Agencies concerning
renewal of the information collection titled ``FFIEC Cybersecurity
Assessment Tool'' (``Assessment''). The OCC also is giving notice that
it has sent the collection to OMB for review.
DATES: Comments must be received by January 15, 2016.
ADDRESSES: Because paper mail in the Washington, DC area and at the OCC
is subject to delay, commenters are encouraged to submit comments by
email, if possible. Comments may be sent to: Legislative and Regulatory
Activities Division, Office of the Comptroller of the Currency,
Attention: 1557-0328, 400 7th Street SW., Suite 3E-218, Mail Stop 9W-11,
Washington, DC 20219. In addition, comments may be sent by fax to
(571) 465-4326 or by electronic mail to prainfo@occ.treas.gov. You may
personally inspect and photocopy comments at the OCC, 400 7th Street
SW., Washington, DC 20219. For security reasons, the OCC requires that
visitors make an appointment to inspect comments. You may do so by
calling (202) 649-6700 or, for persons who are deaf or hard of hearing,
TTY (202) 649-5597. Upon arrival, visitors will be required to present
valid government-issued photo identification and to submit to security
screening in order to inspect and photocopy comments.
All comments received, including attachments and other supporting
materials, are part of the public record and subject to public
disclosure. Do not enclose any information in your comment or
supporting materials that you consider confidential or inappropriate
for public disclosure.
Additionally, please send a copy of your comments by mail to: OCC
Desk Officer, 1557-0328, U.S. Office of Management and Budget, 725 17th
Street NW., #10235, Washington, DC 20503, or by email to:
oira_submission@omb.eop.gov.
[[Page 78286]]
FOR FURTHER INFORMATION CONTACT: Shaquita Merritt, OCC Clearance
Officer, or Beth Knickerbocker, Counsel, (202) 649-5490, Legislative and
Regulatory Activities Division (for persons who are deaf or hard of
hearing, TTY (202) 649-5597), Office of the Comptroller of the
Currency, 400 7th Street SW., Suite 3E-218, Mail Stop 9W-11,
Washington, DC 20219.
SUPPLEMENTARY INFORMATION: Under the PRA (44 U.S.C. 3501-3520), Federal
agencies must obtain approval from OMB for each collection of
information they conduct or sponsor. ``Collection of information'' is
defined in 44 U.S.C. 3502(3) and 5 CFR 1320.3(c) to include agency
requests or requirements that members of the public submit reports,
keep records, or provide information to a third party. The definition
contained in 5 CFR 1320.3(c) also includes a voluntary collection of
information.
In connection with issuance of the Assessment,\1\ OMB provided a
six-month approval for this information collection. On behalf of the
Agencies, the OCC is proposing to extend OMB approval of the collection
for the standard three years.
---------------------------------------------------------------------------
\1\ https://www.ffiec.gov/cyberassessmenttool.htm.
---------------------------------------------------------------------------
Title: FFIEC Cybersecurity Assessment Tool.
OMB Number: 1557-0328.
Description: Cyber threats have evolved and increased exponentially
with greater sophistication than ever before. Financial institutions
\2\ are exposed to cyber risks because they are dependent on
information technology to deliver services to consumers and businesses
every day. Cyber attacks on financial institutions may not only result
in access to, and the compromise of, confidential information, but also
the destruction of critical data and systems. Disruption, degradation,
or unauthorized alteration of information and systems can affect a
financial institution's operations and core processes and undermine
confidence in the nation's financial services sector. Absent immediate
attention to these rapidly increasing threats, financial institutions
and the financial sector as a whole are at risk.
---------------------------------------------------------------------------
\2\ For purposes of this information collection, the term
``financial institution'' includes banks, savings associations,
credit unions, and bank holding companies.
---------------------------------------------------------------------------
For this reason, the Agencies, under the auspices of the Federal
Financial Institutions Examination Council (``FFIEC''), have
accelerated efforts to assess and enhance the state of the financial
industry's cyber preparedness and to improve the Agencies' examination
procedures and training that can strengthen the oversight of financial
industry cybersecurity readiness. The Agencies also have focused on
improving their abilities to provide financial institutions with
resources that can assist in protecting financial institutions and
their customers from the growing risks posed by cyber attacks.
As part of these increased efforts, the Agencies developed the
Assessment to assist financial institutions of all sizes in assessing
their inherent cyber risks and their risk management capabilities. The
Assessment allows a financial institution to identify its inherent
cyber risk profile based on the financial institution's technologies
and connection types, delivery channels, online/mobile products and
technology services that it offers to its customers, its organizational
characteristics, and the cyber threats it is likely to face. Once a
financial institution identifies its inherent cyber risk profile, it
will be able to use the Assessment's maturity matrix to evaluate its
level of cybersecurity preparedness based on the financial
institution's cyber risk management and oversight, threat intelligence
capabilities, cybersecurity controls, external dependency management,
and cyber incident management and resiliency planning. A financial
institution may use the matrix's maturity levels to identify
opportunities for improving the financial institution's cyber risk
management based on its inherent risk profile. The Assessment also
enables a financial institution to identify areas more rapidly that
could improve the financial institution's cyber risk management and
response programs, if needed. Use of the Assessment by financial
institutions is voluntary.
Type of Review: Regular.
Affected Public: Businesses or other for-profit.
Estimated Burdens: \3\
---------------------------------------------------------------------------
\3\ Burden is estimated conservatively and assumes all financial
institutions will complete the Assessment. Therefore, the estimated
burden may exceed the actual burden because use of the Assessment by
financial institutions is not mandatory. The Agencies intend to
address their review of the cybersecurity readiness and preparedness
of financial institutions' technology service providers (TSPs)
separately and therefore are no longer including a separate
estimated burden for TSPs. However, the burden estimates for
financial institutions do include that of TSPs who may assist
financial institutions in completing their Assessment.
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                      Estimated number of    Estimated number of    Estimated number of    Estimated number of    Estimated total
Assessment burden estimate            respondents less than  respondents $500       respondents $10        respondents over $50   respondents and total
                                      $500 million @ 80      million-$10 billion    billion-$50 billion    billion @ 180 hours    annual burden hours
                                      hours                  @ 120 hours            @ 160 hours
--------------------------------------------------------------------------------------------------------------------------------------------------------
OCC National Banks and Federal        1,102 x 80 = 88,160    149 x 120 = 17,880     132 x 160 = 21,120     87 x 180 = 15,660      1,470 respondents;
  Savings Associations                hours                  hours                  hours                  hours                  142,820 hours
FDIC State Non-Member Banks and       3,224 x 80 = 257,920   728 x 120 = 87,360     22 x 160 = 3,520       5 x 180 = 900 hours    3,979 respondents;
  State Savings Associations          hours                  hours                  hours                                         349,700 hours
Board State Member Banks and Bank     4,083 x 80 = 326,640   1,083 x 120 = 129,960  74 x 160 = 11,840      42 x 180 = 7,560       5,282 respondents;
  Holding Companies                   hours                  hours                  hours                  hours                  476,000 hours
NCUA Federally-Insured Credit         5,622 x 80 = 449,760   463 x 120 = 55,560     4 x 160 = 640 hours    1 x 180 = 180 hours    6,090 respondents;
  Unions                              hours                  hours                                                                506,140 hours
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                 14,031 x 80 =          2,423 x 120 = 290,760  232 x 160 = 37,120     135 x 180 = 24,300     16,821 respondents;
                                      1,122,480 hours        hours                  hours                  hours                  1,474,660 hours
--------------------------------------------------------------------------------------------------------------------------------------------------------
On July 22, 2015 (80 FR 4355), the Office of the Comptroller of
the Currency (OCC), on behalf of itself, the Board of Governors of the
Federal Reserve System (Board), the Federal Deposit Insurance
Corporation (FDIC), and the National Credit Union Administration (NCUA)
(collectively, the Agencies) published a 60-day notice requesting
comment on the collection of information titled ``FFIEC Cybersecurity
Assessment Tool (Assessment).'' The Agencies received eighteen
comments: Twelve comments from individuals, five from industry trade
associations, and
[[Page 78287]]
one from the Financial Services Sector Coordinating Council. The
comments described below address concerns related to the collection of
information. The commenters also mentioned aspects of the Assessment
unrelated to the collection of information; these views are not
relevant to this notice or the paperwork burden analysis and,
accordingly, they are not addressed below. However, the comments
unrelated to the paperwork burden analysis were provided to Agency
personnel responsible for the Assessment for possible consideration in
future updates of the Assessment.
1. Request for More Information on the Information Being Collected
Eight of the commenters requested that the Agencies provide
additional clarity and interpretative information regarding the
Assessment. Several of these commenters requested that the Agencies
clarify some of the statements in the Inherent Risk Profile.\4\
Commenters also stated that many of the declarative statements in the
Cybersecurity Maturity \5\ were subjective and susceptible to different
interpretation. Other commenters requested the Agencies provide
additional information regarding the relationship between the Inherent
Risk Profile and the Cybersecurity Maturity parts of the Assessment.
---------------------------------------------------------------------------
\4\ Part One of the Assessment, the Inherent Risk Profile,
assists a financial institution in identifying its inherent risk
before implementing controls.
\5\ Part Two of the Assessment, the Cybersecurity Maturity,
assists a financial institution in determining its current state of
cybersecurity preparedness represented by maturity levels across
five domains.
---------------------------------------------------------------------------
Five commenters requested that the Agencies publish information
clarifying the Assessment, such as an appendix to the Assessment or a
separate frequently asked questions (FAQ) document. One commenter
requested that the Agencies issue a separate document describing the
assumptions the Agencies used in developing the Assessment. Another
commenter requested that the Agencies provide examples of how community
financial institutions might satisfy certain declarative statements.
Additionally, one commenter requested that the Agencies develop a 12-18
month collaborative process with the commenter to improve the
Assessment prior to finalizing the Assessment or using the Assessment
on examinations.
The Agencies appreciate the feedback and comments received from the
commenters. The Agencies recognize that there may be a need to clarify
certain aspects of the Assessment and will consider developing an FAQ
document to address questions and requests for clarification that they
have received since the publication of the Assessment, including from
commenters. Additionally, the Agencies are developing a process to
update the Assessment on a periodic basis. The update process will
consider comments from interested parties.
2. Usability and Format of the Assessment
Four commenters suggested changes to the format of the Assessment
to increase usability. The commenters requested that the Agencies
develop an automated or editable form of the Assessment. Commenters
stated that the ability to save and edit responses contained in the
Assessment would improve a financial institution's ability to use the
Assessment on an ongoing basis.
One commenter also recommended that the Agencies revise the
Assessment to include hyperlinks to the Assessment Glossary and User
Guide instructions. Another commenter suggested that the Agencies
revise the Assessment to assign a maturity level \6\ automatically to
the financial institution once it completes the Inherent Risk Profile
portion of the Assessment. In addition, this commenter suggested that
once a financial institution answers ``no'' to a declarative statement
in a particular domain of the Cybersecurity Maturity, the Assessment
should automatically prevent the financial institution from responding
to the remainder of the declarative statements within that domain. The
commenter also stated that the Assessment should automatically populate
answers to similar questions across domains and maturity levels.
---------------------------------------------------------------------------
\6\ Within the five domains of the Cybersecurity Maturity,
declarative statements describe the requirements for achieving five
possible maturity levels for each domain.
---------------------------------------------------------------------------
The Agencies acknowledge the potential value of an automated or
editable form of the Assessment for financial institutions that choose
to use the Assessment and are exploring the possibility of developing
an automated form in the future, including the possibility of
hyperlinking to definitions and instructions. Any automation of the
form, however, would not include the automatic assignment of a maturity
level as the Agencies do not have expectations for any financial
institution to reach a specific maturity level within the Assessment,
and a financial institution may find value in identifying activities it
is already performing at a higher maturity level.
3. Utility of the Assessment
Two commenters stated that there are a number of cybersecurity
assessment frameworks available to financial institutions to use in
determining their inherent risk and cybersecurity preparedness. These
commenters questioned the need for the development of an additional
framework. One commenter focused on the potential duplication between
the National Institute of Standards and Technology's Cybersecurity
Framework (NIST Framework) and the Assessment. This commenter stated
that use of the Assessment by financial institutions, instead of the
NIST Framework, could dilute the value of the NIST Framework as a tool
for cross-sector collaboration.
The Agencies, under the auspices of the FFIEC, developed the
Assessment to assist financial institutions in addressing the cyber
risks unique to the financial industry. The Assessment supports
financial institutions by giving them a systematic way to assess their
cybersecurity preparedness and evaluate their progress. Unlike other
frameworks, the Assessment is specifically tailored to the products and
services offered by financial institutions and the control and risk
mitigation techniques used by the industry. In addition, the Agencies
have received many requests from financial institutions, particularly
smaller financial institutions, to provide them with a meaningful way
to assess cyber risks themselves based on financial sector-specific
risks and mitigation techniques. The Agencies developed the Assessment,
in part, to address those requests and received several positive
comments about how the Assessment met this need. As discussed more
fully below, a financial institution is not required to use the
Assessment and may choose any method the financial institution
determines is relevant and meaningful to assess its inherent risk and
cybersecurity preparedness.
The Agencies agree that the NIST Framework is a valuable tool and
the Agencies incorporated concepts from the NIST Framework into the
Assessment. The Assessment contains an appendix that maps the NIST
Framework to the Assessment. NIST reviewed and provided input on the
mapping to ensure consistency with the NIST Framework's principles and
to highlight the complementary nature of the two resources. The
Agencies also agree that the NIST Framework provides a mechanism for
cross-sector coordination. However, because of the unique cyber risks
facing the financial industry, the Agencies identified a need
[[Page 78288]]
to develop a more granular framework that is more specific to the
financial services industry to assist financial institutions in
evaluating themselves.
Several commenters also raised questions regarding the Agencies'
use of a maturity model as a part of the Assessment. Four commenters
were concerned with the ``all or nothing'' approach to achieving a
maturity level, particularly insofar as a financial institution might
not be credited for activities taken at a higher level that might
mitigate risks at a lower level. Some commenters stated that a maturity
model is too prescriptive and does not adequately account for
compensating controls or risk tolerance and others questioned why the
Assessment does not discuss the concept of residual risk.
The Agencies designed the Cybersecurity Maturity contained in the
Assessment to assist financial institutions in understanding the ranges
of controls and practices needed to manage cyber risk. As previously
stated, use of the tool is voluntary and a financial institution may
use any method to assess inherent risk and cybersecurity preparedness
that it considers relevant and meaningful.
The User Guide does provide general parameters to assist financial
institutions that choose to use the Assessment in considering how to
align inherent risk with the financial institution's processes and
control maturity.
4. Accuracy of Burden Estimate
The Agencies estimated that, annually, it would take a financial
institution 80 burden hours, on average, to complete the Assessment.
Five comment letters addressed the accuracy of the Agencies' burden
estimate. These letters generally stated that the Agencies' burden
estimate understated the burden involved. One commenter stated that
credit unions that choose to use the Assessment could take 80-100 hours
to complete it. However, other commenters stated that it may take a
financial institution several hundred hours to complete the Assessment
in the first year of use.
One commenter stated that the estimated burden will vary based on
financial institution size, with smaller financial institutions
requiring hundreds of hours to complete the Assessment, medium-sized
financial institutions approaching 1,000-2,000 hours, and the large
financial institutions investing 1,000-2,000 hours or more. This
commenter stated that the burden estimate includes the amount of time
needed to collect information and documentation sufficient to provide
answers supportable in the examination context, report to internal
steering committees and prepare for examinations. Another commenter
stated that the Agencies' evaluation of 80 hours ``largely
underestimates'' the time required to complete the Assessment. This
commenter stated that the initial completion of the Assessment would
include collecting data, discussing and verifying responses, performing
gap analysis, preparing and implementing action plans, where needed,
and presenting results to executives.
In light of the comments received and recent supervisory experience
performing information technology examinations, the Agencies are
revising their burden estimates. In revisiting the burden estimates,
the Agencies are taking a more conservative approach to estimating the
potential burden involved in using the Assessment. The Agencies
recognize that the size and complexity of a financial institution, as noted
by some of the commenters, affect the amount of time and resources needed to
complete the Assessment, and therefore the Agencies have further refined
their burden estimates based on financial institution asset size.
The Agencies note that the revised burden estimates assume that the
Assessment is completed by knowledgeable individuals at the financial
institution who have readily-available information to complete the
Assessment. The Agencies' revised burden estimates do not include the
amount of time associated with reporting to management and internal
committees, developing and implementing action plans, and preparing for
examination as such time and resources are outside the scope of the
PRA.
5. Information Storage and Confidentiality
Two commenters requested information on how the Agencies will use
and store the Assessment information that financial institutions
provide to the Agencies.
The Agencies are subject to compliance with the Federal Information
Security Management Act (FISMA) and they operate cybersecurity programs
to protect critical information resources, including sensitive
financial institution information obtained or created during their
supervision activities. The programs include policies, standards and
controls, monitoring, technical controls, and other information
assurance processes. If a financial institution provides the
Assessment, or any other, confidential information to an examiner as
part of the supervisory process, the storage and use of such
information would be subject to the Agencies' cybersecurity programs.
6. Benchmarking
One commenter suggested that the Agencies collect, anonymize, and
share Assessment information to allow financial institutions to
benchmark themselves against comparably sized financial institutions.
Since use of the Assessment by financial institutions is voluntary, the
Agencies do not intend to collect the Assessment from financial
institutions or publish the results.
7. Voluntary Use of the Assessment
Several commenters expressed concern that since some of the
Agencies will be using the Assessment as an aid in their examination
processes, financial institutions may believe that their use of the
Assessment is mandated by the Agencies. Another commenter requested
that the Agencies ensure that examiners do not force financial
institutions to use the Assessment or require financial institutions to
justify their decisions to use an alternative cybersecurity assessment.
Several commenters requested that the Agencies reiterate to examiners
and to financial institutions that use of the Assessment by a financial
institution is voluntary.
As the Agencies stated when the Assessment was first published, use
of the Assessment by financial institutions is voluntary. Financial
institutions may use the Assessment or any other framework or process
to identify their inherent risk and cybersecurity preparedness. The
Agencies' examiners will not require a financial institution to
complete the Assessment. However, if a financial institution has
completed an Assessment, examiners may ask the financial institution
for a copy, as they would for any risk self-assessment performed by the
financial institution. The Agencies are educating examiners on the
voluntary nature of the Assessment and including statements about its
voluntary nature in examiner training materials.
Additional Comments Welcome: Comments continue to be invited on:
(a) Whether the collection of information is necessary for the
proper performance of the functions of the Agencies, including whether
the information has practical utility;
(b) The accuracy of the Agencies' estimates of the burden of the
collection of information;
(c) Ways to enhance the quality, utility, and clarity of the
information to be collected;
[[Page 78289]]
(d) Ways to minimize the burden of the collection on respondents,
including through the use of automated collection techniques or other
forms of information technology; and
(e) Estimates of capital or start-up costs and costs of operation,
maintenance, and purchase of services to provide information.
Dated: December 10, 2015.
Stuart E. Feldstein,
Director, Legislative and Regulatory Activities Division, Office of the
Comptroller of the Currency.
[FR Doc. 2015-31583 Filed 12-15-15; 8:45 am]
BILLING CODE 4810-33-P