National Protection and Programs Directorate; National Protection and Programs Directorate Seeks Comments on Cyber Incident Data Repository White Papers, 17193-17194 [2016-06856]


[Federal Register Volume 81, Number 59 (Monday, March 28, 2016)]
[Notices]
[Pages 17193-17194]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-06856]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

[Docket No. DHS-2015-0068]


National Protection and Programs Directorate; National Protection 
and Programs Directorate Seeks Comments on Cyber Incident Data 
Repository White Papers

AGENCY: National Protection and Programs Directorate, DHS.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The Department of Homeland Security's (DHS's) National 
Protection and Programs Directorate (NPPD) announces that it is seeking 
comments on three white papers prepared by NPPD staff from any 
interested party, including, but not limited to: members of the 
cybersecurity and insurance communities; chief information security 
officers (CISOs); chief security officers (CSOs); academia; Federal, 
State, and local governments; industry; and professional organizations/
societies. Links to the white papers are posted on the cybersecurity 
insurance section of DHS.gov: http://www.dhs.gov/publication/cyber-incident-data-and-analysis-working-group-white-papers. Comments will 
assist NPPD in further refining the content of the white papers to address 
the critical need for information sharing as a means to create a more 
robust cybersecurity insurance marketplace and improve enterprise cyber 
hygiene practices across the public and private sectors.

DATES: The suggested dates for submission of comments on the white 
papers are: March 24, 2016 through May 24, 2016.

ADDRESSES: Comments on the white papers must be submitted to NPPD via 
email to the following address: cyber.security.insurance@hq.dhs.gov.

FOR FURTHER INFORMATION CONTACT: Matt Shabat, Director, Performance 
Management, Office of Cybersecurity and Communications at 703-235-5338 
or by email at Matthew.Shabat@hq.dhs.gov.

SUPPLEMENTARY INFORMATION: 
    Background: Cybersecurity insurance is designed to mitigate losses 
from a variety of cyber incidents, including data breaches, business 
interruption, and network damage. A robust cybersecurity insurance 
market could help reduce the number of successful cyber attacks by: (1) 
Promoting the adoption of preventative measures in return for more 
coverage; and (2) encouraging the implementation of best practices by 
basing premiums on an insured's level of self-protection. Many 
companies forego available policies, however, citing as rationales the 
perceived high cost of those policies, confusion about what they cover, 
and uncertainty that their organizations will suffer a cyber attack. In 
recent years, NPPD has engaged key stakeholders to address this 
emerging cyber risk area.
    Between October 2012 and April 2014, DHS NPPD conducted several 
workshops, which brought together a diverse group of private and public 
sector stakeholders--including insurers, risk managers, CISOs, critical 
infrastructure owners, and social scientists. Workshop participants 
examined the current state of the cybersecurity insurance market and 
how to best advance its capacity to incentivize better cyber risk 
management.
    During those workshops, participants expressed strong support for 
the creation of a trusted cyber incident data repository. As 
envisioned, the repository would store, aggregate, and 
analyze cyber incident data relevant to the cyber risk management 
community, including risk mitigation experts (CISOs, CSOs, 
cybersecurity solutions providers); risk transfer experts (insurers); 
and other cybersecurity subject matter experts (the academic and 
scientific communities). As further envisioned, DHS or other Federal 
departments or agencies would not build or manage such a repository. A 
resulting repository could potentially be managed by a private 
organization.
    In February 2015, as a follow-on to the workshops, NPPD established 
a Cyber Incident Data and Analysis Working Group (CIDAWG), comprised of 
CISOs and CSOs from various critical infrastructure sectors, insurers, 
and other cybersecurity professionals. The CIDAWG is currently 
exploring how anonymous cyber incident data sharing could help grow the 
cybersecurity insurance marketplace through a legally compliant, 
privacy-respecting, and trusted cyber incident data repository and 
repository-data-supported analyses. In turn, this would work to improve 
cybersecurity for U.S. public sector agencies and private sector 
companies. To accomplish this, the CIDAWG has worked to develop key 
findings about:
    1. The value proposition of a cyber incident data repository;
    2. The cyber incident data points that should be shared into a 
repository to support needed analysis;
    3. Overcoming perceived obstacles to sharing into a Cyber Incident 
data Repository; and
    4. A potential repository's structure and functions.

The findings of this effort to date are summarized in a series of three 
white papers.
    This announcement explains the process for submitting comments on 
the white papers. Comments on the white papers are valued and will 
enable NPPD to incorporate input from a wide audience. Each white paper 
is briefly detailed below, followed by questions on which NPPD seeks 
comments.
    (1) The Value Proposition. Details how a cyber incident data 
repository could help advance the cause of cyber risk management and, 
with the right repository data, the kinds of analysis that would be 
useful to CISOs, CSOs, insurers, and other cybersecurity professionals. 
NPPD seeks comments on the following:
    a. What value would an anonymized and trusted cyber incident data 
repository, as described in the white paper, have in terms of informing 
and improving cyber risk management practices?
    b. Do you agree with the potential benefits of an anonymized and 
trusted repository, as outlined in the white paper, that enterprise 
risk owners and insurers could use to share, store, aggregate, and 
analyze sensitive cyber incident data?
    c. Are there additional benefits of an anonymized and trusted 
repository that are not mentioned in the white paper? Please explain 
them briefly.
    d. What kinds of analysis from an anonymized and trusted repository 
would be most useful to your organization?
    (2) Cyber Incident Data Points and Repository-Supported Analysis. 
Addresses the kinds of prioritized data categories and associated data 
points that should be shared among repository users to promote new 
kinds of needed cyber risk analysis. NPPD seeks comments on the 
following:
    a. Could specific data points within the 16 data categories 
effectively inform analysis to bolster cyber risk management 
activities?
    b. Are the 16 data categories accurately defined?
    c. What additional data categories could inform useful analysis to 
improve cyber risk management practices?
    d. What do these additional data categories mean from a CISO or 
other cybersecurity professional perspective?
    e. Please rank the level of importance for each data category, 
including any additional data categories that you have identified.
    f. What value does each data category and associated data points 
bring to a better understanding of cyber incidents and their impacts?
    g. What does each data point actually mean (and to whom); and which 
ones are the greatest priority, to which stakeholders, and why?
    h. How easy/difficult would it be to access data associated with 
these categories in your organization and then share it into a 
repository and why?
    (3) Overcoming perceived obstacles to sharing into a Cyber Incident 
data Repository. Identifies perceived obstacles to voluntary cyber 
incident data sharing and offers potential approaches to overcoming 
those obstacles. NPPD seeks comments on the following:
    a. Would your organization be interested in contributing to a cyber 
incident data repository and using repository-supported analysis to 
improve your organization's risk management practices?
    b. What obstacles do you anticipate--both internal and external to 
your organization--that might prevent the sharing of cyber incident 
data into a repository?
    i. Who might say 'no' to sharing and why?
    c. What mechanisms, policies, and procedures could help overcome 
these obstacles to sharing?
    In this call for comments on the white papers, NPPD is seeking 
input on any or all of the above listed questions. NPPD may use 
comments to further develop the content of each white paper as 
appropriate. Do not include ideas for specific proposals in your 
comments on the white papers (i.e., do not discuss your specific 
solution to the repository concept). This solicitation for comments on 
white papers is neither a Request for Proposals (RFPs) nor should it be 
viewed as a request for pre-proposals. Rather, it is a way to include 
ideas from the public to enhance the research and findings of the 
CIDAWG to better understand the potential of an anonymized and trusted 
cyber incident data repository to address the cybersecurity needs of 
the public and private sectors.
    Comments on white papers must not contain proprietary information. 
Submission of comments on any of the white papers means that the 
author(s) agrees that all the information in the comments on the white 
papers can be made available to the public. Information contained in 
these comments on the white papers will be considered and combined with 
information from other resources, including NPPD, the CIDAWG, other 
government agencies, cybersecurity and insurance communities, and other 
stakeholders to refine the focus of the white papers and are part of 
NPPD's collaborative outreach. Comments on the white papers are a 
valuable resource that adds to NPPD's understanding of the significance 
and scope of national cybersecurity and critical infrastructure needs. 
NPPD's statutory authority is the Critical Infrastructure Partnership 
Advisory Council, which is consistent with sec. 201 of the Homeland 
Security Act of 2002 (the "Act"), 6 U.S.C. 121, and pursuant to sec. 
871(a) of the Act, 6 U.S.C. 451(a).

    Dated: March 16, 2016.
Matthew Shabat,
Director, Performance Management, Office of Cybersecurity and 
Communications, National Protection and Programs Directorate, 
Department of Homeland Security.
[FR Doc. 2016-06856 Filed 3-25-16; 8:45 am]
 BILLING CODE 9110-9P-P