Agency Information Collection Activities: Vulnerability Discovery Program, 1601-0028, 47131-47133 [2021-18059]


[Federal Register Volume 86, Number 160 (Monday, August 23, 2021)]
[Notices]
[Pages 47131-47133]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-18059]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

[Docket Number DHS-2021-0009]


Agency Information Collection Activities: Vulnerability Discovery 
Program, 1601-0028

AGENCY: Department of Homeland Security (DHS).

ACTION: 30-Day notice and request for comments; extension without 
change of a currently approved collection, 1601-0028.

-----------------------------------------------------------------------

SUMMARY: The Department of Homeland Security will submit the following 
Information Collection Request (ICR) to the Office of Management and 
Budget (OMB) for review and clearance in accordance with the Paperwork 
Reduction Act of 1995. DHS previously published this information 
collection request (ICR) in the Federal Register on Friday, March 19, 
2021 for a 60-day public comment period. There were three public 
comments received by DHS. The purpose of this notice is to allow an 
additional 30 days for public comments.

DATES: Comments are encouraged and will be accepted until September 22, 
2021. This process is conducted in accordance with 5 CFR 1320.1.

ADDRESSES: Written comments and recommendations for the proposed 
information collection should be sent within 30 days of publication of 
this notice to www.reginfo.gov/public/do/PRAMain. Find this particular 
information collection by selecting "Currently under 30-day Review--Open 
for Public Comments" or by using the search function.

SUPPLEMENTARY INFORMATION: Security vulnerabilities, defined in section 
102(17) of the Cybersecurity Information Sharing Act of 2015, are any 
attribute of hardware, software, process, or procedure that could 
enable or facilitate the defeat of a security control. Security 
vulnerability mitigation is a process starting with discovery of the 
vulnerability leading to applying some solution to resolve the 
vulnerability. There is constantly a search for security 
vulnerabilities within information systems, from individuals or nation 
states wishing to bypass security controls to gain invaluable 
information, to researchers seeking knowledge in the field of cyber 
security. Bypassing such security controls in the information systems 
of DHS and other Federal agencies can cause catastrophic damage 
including but not limited to loss of Personally Identifiable 
Information (PII), sensitive information gathering, and data 
manipulation.
    Pursuant to section 101 of the Strengthening and Enhancing 
Cyber-capabilities by Utilizing Risk Exposure Technology Act (commonly 
known as the SECURE Technologies Act), individuals, organizations, 
and/or companies may submit any discovered security vulnerabilities 
associated with the information system of any Federal agency. This 
collection would be used by those individuals, organizations, and/or 
companies who choose to submit a discovered vulnerability associated 
with the information system of any Federal agency.
    Specifically, DHS and Federal cybersecurity agencies are working to 
address the recently discovered SolarWinds hack on Federal agencies and 
organizations around the world. While DHS had previously obtained 
approval to collect this information on its own behalf, recent cyber 
attacks exploiting vulnerabilities have exemplified the need to have 
this capability government-wide. In 2020, a major cyberattack, 
nicknamed the SolarWinds cyberattack, by a group backed by a foreign 
government penetrated thousands of organizations globally including 
multiple parts of the United States federal government, leading to a 
series of data breaches. The cyberattack and data breach were reported 
to be among the worst cyber-espionage incidents ever suffered by the 
U.S., due to the sensitivity and high profile of the targets and the 
long duration (eight to nine months) in which the hackers had access. 
Affected organizations worldwide included NATO, the U.K. government, 
the European Parliament, Microsoft and others.
    Public Law 116-283, Sec. 1705 (which amended 44 U.S.C. 3553) 
permits extensive sharing of information regarding cybersecurity and 
the protection of information and information systems from 
cybersecurity risks between Federal Agencies covered by the Federal 
Information Security Modernization Act and the Department of Homeland 
Security. This unique authority makes DHS well positioned to host the 
approval of this information collection on behalf of other Federal 
agencies.
    DHS is requesting, pursuant to 44 U.S.C. 3509, that the information 
collection be designated so that any Federal agency is able to use the 
standardized DHS online form to collect its own agency's vulnerability 
information and post the information on its own agency website.
    The form will include the following essential information:

    • Vulnerable host(s)
    • Necessary information for reproducing the security vulnerability
    • Remediation or suggestions for remediation of the vulnerability
    • Potential impact on host, if not remediated

    This form will allow Federal agencies to complete the following 
actions: (1) allow the individuals, organizations, and/or companies who 
discover vulnerabilities in the information systems to report their 
findings to the agency, and (2) provide the agencies initial insight 
into any newly discovered vulnerabilities, as well as zero-day 
vulnerabilities, in order to mitigate the security issues before 
malicious actors act upon the vulnerability.
    The form will also benefit researchers and will provide a safe and 
lawful method to practice and discover new cyber methods to discover 
the vulnerabilities. It will provide the same benefit to Federal 
agencies and will promote the enhancement of Federal information system 
security policies.
    Respondents will be able to submit their information directly to 
the agency to which they would like to report a vulnerability. Federal 
agencies will provide the form electronically via their agency's 
website.
    The information collected does not have an impact on small business 
or other small entities.
    The collection of this information related to the discovery of 
security vulnerabilities by individuals, organizations, and/or 
companies is needed to fulfill the congressional mandate in Section 101 
of the SECURE Technologies Act related to creating Vulnerability 
Disclosure Policies. In addition, without the ability to collect 
information on newly discovered security vulnerabilities associated 
with Federal agency information systems, Federal agencies will rely 
solely on internal security personnel and/or discovery through a 
post-occurrence breach of security controls.
    There are no assurances of confidentiality provided. Any PII that is 
collected will be for the sole purpose of feedback and dialogue. 
Federal Agencies will ensure the collection of information is covered 
by a Systems of Record Notice and will display a Privacy Notice to the 
respondents.
    There are no changes to the information being collected.
    The Office of Management and Budget is particularly interested in 
comments which:
    1. Evaluate whether the proposed collection of information is 
necessary for the proper performance of the functions of the agency, 
including whether the information will have practical utility;
    2. Evaluate the accuracy of the agency's estimate of the burden of 
the proposed collection of information, including the validity of the 
methodology and assumptions used;
    3. Enhance the quality, utility, and clarity of the information to 
be collected; and
    4. Minimize the burden of the collection of information on those 
who are to respond, including through the use of appropriate automated, 
electronic, mechanical, or other technological collection techniques or 
other forms of information technology, e.g., permitting electronic 
submissions of responses.

Analysis

    Agency: Department of Homeland Security (DHS).
    Title: Vulnerability Discovery Program.
    OMB Number: 1601-0028.
    Frequency: On Occasion.

    Affected Public: State, Local and Tribal Government.
    Number of Respondents: 3,000.
    Estimated Time per Respondent: 1 Hour.
    Total Burden Hours: 3,000.

Robert Dorr,
Executive Director, Business Management Directorate.
[FR Doc. 2021-18059 Filed 8-20-21; 8:45 am]
BILLING CODE P