Agency Information Collection Activities: Request for Comment on Secure Software Development Attestation Common Form, 25670-25672 [2023-08823]
Federal Register / Vol. 88, No. 81 / Thursday, April 27, 2023 / Notices
[[Page 25670]]
Estimated Total Annual Burden
Hours: 8.
Dated: April 24, 2023.
Seth D. Renkema,
Branch Chief, Economic Impact Analysis
Branch, U.S. Customs and Border Protection.
[FR Doc. 2023–08881 Filed 4–26–23; 8:45 am]
BILLING CODE 9111–14–P
DEPARTMENT OF HOMELAND SECURITY
U.S. Customs and Border Protection
[1651–0093]
Declaration of Owner and Declaration of Consignee When Entry Is Made by an Agent
AGENCY: U.S. Customs and Border Protection (CBP), Department of Homeland Security.
ACTION: 30-Day notice and request for comments; extension of an existing collection of information.
SUMMARY: The Department of Homeland
Security, U.S. Customs and Border
Protection will be submitting the
following information collection request
to the Office of Management and Budget
(OMB) for review and approval in
accordance with the Paperwork
Reduction Act of 1995 (PRA). The
information collection is published in
the Federal Register to obtain comments
from the public and affected agencies.
DATES: Comments are encouraged and
must be submitted (no later than May
30, 2023) to be assured of consideration.
ADDRESSES: Written comments and/or
suggestions regarding the item(s)
contained in this notice should be sent
within 30 days of publication of this
notice to www.reginfo.gov/public/do/PRAMain. Find this particular
information collection by selecting
‘‘Currently under 30-day Review—Open
for Public Comments’’ or by using the
search function.
FOR FURTHER INFORMATION CONTACT:
Requests for additional PRA information
should be directed to Seth Renkema,
Chief, Economic Impact Analysis
Branch, U.S. Customs and Border
Protection, Office of Trade, Regulations
and Rulings, 90 K Street NE, 10th Floor,
Washington, DC 20229–1177, telephone
number 202–325–0056 or via email
CBP_PRA@cbp.dhs.gov. Please note that
the contact information provided here is
solely for questions regarding this
notice. Individuals seeking information
about other CBP programs should
contact the CBP National Customer
Service Center at 877–227–5511, (TTY)
1–800–877–8339, or CBP website at
https://www.cbp.gov/.
SUPPLEMENTARY INFORMATION: CBP
invites the general public and other
Federal agencies to comment on the
proposed and/or continuing information
collections pursuant to the Paperwork
Reduction Act of 1995 (44 U.S.C. 3501
et seq.). This proposed information
collection was previously published in
the Federal Register (88 FR 9889) on
February 15, 2023, allowing for a 60-day
comment period. This notice allows for
an additional 30 days for public
comments. This process is conducted in
accordance with 5 CFR 1320.8. Written
comments and suggestions from the
public and affected agencies should
address one or more of the following
four points: (1) whether the proposed
collection of information is necessary
for the proper performance of the
functions of the agency, including
whether the information will have
practical utility; (2) the accuracy of the
agency’s estimate of the burden of the
proposed collection of information,
including the validity of the
methodology and assumptions used; (3)
suggestions to enhance the quality,
utility, and clarity of the information to
be collected; and (4) suggestions to
minimize the burden of the collection of
information on those who are to
respond, including through the use of
appropriate automated, electronic,
mechanical, or other technological
collection techniques or other forms of
information technology, e.g., permitting
electronic submission of responses. The
comments that are submitted will be
summarized and included in the request
for approval. All comments will become
a matter of public record.
Overview of This Information
Collection
Title: Declaration of Owner and
Declaration of Consignee When Entry is
made by an Agent.
OMB Number: 1651–0093.
Form Number: CBP Form 3347,
3347A.
Current Actions: CBP proposes to
extend the expiration date of this
information collection with no change
to the estimated burden hours or to the
information collected.
Type of Review: Extension (without
change).
Affected Public: Businesses and
Individuals.
Abstract: CBP Form 3347, Declaration
of Owner, is a declaration from the
owner of imported merchandise stating
that he/she agrees to pay additional and
increased duties, therefore releasing the
importer of record from paying such
duties. This form must be filed within
90 days after the date of entry. CBP
Form 3347 is provided for by 19 CFR
24.11 and 141.20.
When entry is made in a consignee’s
name by an agent who has knowledge
of the facts and who is authorized under
a proper power of attorney by that
consignee, a declaration from the
consignee on CBP Form 3347A,
Declaration of Consignee When Entry is
Made by an Agent, shall be filed with
the entry documentation or entry
summary. If this declaration is filed,
then no bond to produce a declaration
of the consignee is required. CBP Form
3347A is provided for by 19 CFR
141.19(b)(2).
CBP Forms 3347 and 3347A are
authorized by 19 U.S.C. 1485(d) and are
accessible at https://www.cbp.gov/newsroom/publications/forms.
Type of Information Collection:
Declaration of Owner (Form 3347).
Estimated Number of Respondents:
900.
Estimated Number of Annual
Responses per Respondent: 6.
Estimated Number of Total Annual
Responses: 5,400.
Estimated Time per Response: 6
minutes.
Estimated Total Annual Burden
Hours: 540.
Type of Information Collection:
Declaration of Importer Form (3347A).
Estimated Number of Respondents:
50.
Estimated Number of Annual
Responses per Respondent: 6.
Estimated Number of Total Annual
Responses: 300.
Estimated Time per Response: 6
minutes.
Estimated Total Annual Burden
Hours: 30.
Dated: April 24, 2023.
Seth D. Renkema,
Branch Chief, Economic Impact Analysis
Branch, U.S. Customs and Border Protection.
[FR Doc. 2023–08883 Filed 4–26–23; 8:45 am]
BILLING CODE 9111–14–P
DEPARTMENT OF HOMELAND SECURITY
[Docket No. CISA–2023–0001]
Agency Information Collection Activities: Request for Comment on Secure Software Development Attestation Common Form
AGENCY: Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS).
ACTION: 60-Day notice and request for comments; new collection (request for a new OMB control number).

[[Page 25671]]
SUMMARY: In accordance with the
requirements of the Paperwork
Reduction Act (PRA) of 1995, the
Cybersecurity and Infrastructure
Security Agency (CISA) of the
Department of Homeland Security
(DHS), is soliciting public comment on
a self-attestation form to be used by
software producers in accordance with
the Executive Order on Improving the
Nation’s Cybersecurity and the Office of
Management and Budget’s guidance in
OMB M–22–18, Enhancing the Security
of the Software Supply Chain through
Secure Software Development Practices.
In accordance with OMB M–22–18,
Section III.C, CISA has agreed to serve
as steward for this collection. After
obtaining and considering public
comment, CISA will prepare the
submission requesting clearance of this
collection as a Common Form to permit
other agencies beyond DHS to use this
form in order to streamline the
information collection process in
coordination with OMB.
DATES: Comments are encouraged and
will be accepted until June 26, 2023.
ADDRESSES: You may submit comments, identified by Docket No. CISA–2023–0001, at:
• Federal eRulemaking Portal: https://www.regulations.gov. Please follow the instructions for submitting comments.
Instructions: All submissions received must include the agency name and Docket No. CISA–2023–0001. All comments received will be posted without change to https://www.regulations.gov, including any contact information provided.
Docket: For access to the docket to read background documents or comments received, go to https://www.regulations.gov.
SUPPLEMENTARY INFORMATION:
I. Background
In response to incidents such as the Colonial Pipeline and SolarWinds attacks, on May 12, 2021, President Biden signed E.O. 14028,[1] Improving the Nation’s Cybersecurity. This order outlines over 55 actions. This Executive order addresses seven key points:
• Remove barriers to cyber threat information sharing between government and the private sector
• Modernize and implement more robust cybersecurity standards in the Federal Government
• Improve software supply chain security
• Establish a Cybersecurity Safety Review Board
• Create a standard playbook for responding to cyber incidents
• Improve detection of cybersecurity incidents on Federal Government networks
• Improve investigative and remediation capabilities

[1] 86 FR 26633, available at https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity.
Section 4, Enhancing Software Supply
Chain Security, observed, ‘‘The
development of commercial software
often lacks transparency, sufficient
focus on the stability of the software to
resist attack, and adequate controls to
prevent tampering by malicious actors.’’
To address these concerns, the
Executive order required the National
Institute of Standards and Technology
(NIST) to issue guidance including
standards, procedures, or criteria to
strengthen the security of the software
supply chain.
To put this guidance into practice, the
Executive order, through the Office of
Management and Budget (OMB),
requires agencies to only use software
provided by software producers who
can attest to complying with Federal
Government-specified secure software
development practices, as described in
NIST Special Publication (SP) 800–218, Secure Software Development Framework.[2] OMB implemented this
requirement through OMB
memorandum M–22–18 dated September 14, 2022.[3] Specifically, M–22–18 requires agencies to ‘‘obtain a
self-attestation from the software
producer before using the software.’’
This requirement applies to new
software developed after the date of
memo issuance (September 14, 2022) as
well as existing software that is
modified by major version changes after
the date of memo issuance. OMB M–22–
18 brings into existence a new and
sizeable conformity assessment
community. The memorandum
introduces conformity assessment
expectations and activities for the
supply chain starting with the software
producer and ending with the federal
agency putting the software into use.
CISA’s common self-attestation form does not preclude agencies from adding agency-specific requirements to the minimum requirements in CISA’s common self-attestation form. However, any agency-specific attestation requirements, modification and/or supplementation of these common forms will require clearance by OMB/OIRA under the PRA process and are not covered by this notice.

[2] Nat’l Institute of Standards & Tech., SP 800–218, Secure Software Development Framework (SSDF) Version 1.1 (2022), available at https://csrc.nist.gov/publications/detail/sp/800-218/final.
[3] Off. of Mgmt. & Budget, Exec. Off. of the President, M–22–18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (2022), available at https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf.
II. Invitation to Comment
The following analysis of the burden
associated with this proposed
information collection is specific to
DHS as the agency sponsoring the
common form. For the purposes of
estimating the number of respondents,
DHS has made the following
assumptions and welcomes comments
on all assumptions.
1. DHS is assuming vendors would
have 2,689 initial form submissions and
1,345 resubmissions of the form, due to
major software changes, per year. This
estimate applies across DHS, including
all component agencies. DHS based this
estimate on initial contract award data
for Fiscal Years 2019 through 2022 from
DHS’s Federal Procurement Data System
(FPDS). DHS utilized data for contract
awards that could, in the future, include
a response to this collection based on
FPDS Product and Service Code (PSC)
of ‘‘D’’ Automatic Data Processing and
Telecommunication and ‘‘R’’
Professional, Administrative and
Management Support.
Time burden for the attestation form includes time to review the form and understand requirements, gather information, review, and approve the release of information and submission. DHS assumes a three-hour burden per initial submission[4] for a software quality assurance analyst or tester and an additional 20 minutes per initial submission for a Chief Information Security Officer (CISO). Vendors would have to resubmit the attestation form for major software changes, and DHS assumes half the number of initial submissions will result in a resubmission. DHS assumes that resubmissions would take 1 hour and 30 minutes for a software quality assurance analyst or tester and retains 20 minutes for a CISO. DHS acknowledges the information collection request allows for a vendor to use a prior submitted form for multiple agencies. DHS welcomes public comment on how frequently this might happen and how to reduce respondent burdens due to this collection, where feasible.

[4] DHS based the estimated 3 hours on an information collection request related to contractor information security for certain telecommunications and video surveillance services or equipment. While not exactly the same requirements or scope, DHS found the burdens of the 9000–0199 collection to be similar to the burden in this proposed new collection. For more information, see Supporting Statement for OMB Control Number 9000–0199, https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202009-9000-002.

[[Page 25672]]
To estimate opportunity costs, DHS uses an hourly compensation rate of $67.90 for a software quality assurance analyst or tester and $177.66 for a CISO.[5] DHS estimates software quality assurance analyst or tester annual hours would be 10,084 for initial submissions and resubmissions and multiplies by the $67.90 compensation rate to estimate an opportunity cost of $684,733. DHS estimates a CISO annual hourly burden of 1,345 hours and multiplies by the $177.66 compensation rate to estimate a CISO opportunity cost of $238,890. DHS combines these two opportunity costs to calculate a total opportunity cost for the collection of $923,623.
2. DHS is assuming that if a vendor needs to provide any additional attestation artifacts or documentation, including a Software Bill of Materials (SBOM), this information would be readily available and would not have to be generated specifically for doing business with the government. DHS is interested in comments on the burden and costs if SBOMs or additional artifacts need to be generated or reformatted to fulfill an agency/component request.
3. For the purposes of this initial
collection, DHS is proposing the
common form be a fillable/fileable PDF
form. Vendors could access the form on
the DHS/CISA website and submit via
the DHS website OR email the
completed form to CSCRM_PMO@cisa.dhs.gov. Other agencies will be
required to seek approval to use the
common form by submitting their
agency-specific burden and cost
analyses to OMB.
Input is requested on any aspect of
the proposed common form including
the instructions. DHS/CISA is
particularly interested in
1. If the proposed collection of
information to implement requirements
of both the E.O. and the OMB guidance
will have practical utility;
2. If DHS has accurately estimated the burden of the proposed collection of information, including the validity of the methodology and assumptions used;
3. Other ways for DHS to enhance the quality, utility, and clarity of the information to be collected; and
4. How DHS could minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submissions of responses.

[5] DHS uses wage estimates based on Bureau of Labor Statistics (BLS) Occupational Employment Statistics (OES). Within NAICS industry 541500—Computer Systems Design and Related Services, DHS uses mean hourly wage rates for Software Quality Assurance Analysts and Testers (SOC 15–1253) at $47.09 and Chief Executives (11–1011) at $123.21. DHS applies a compensation factor of 1.44191 based on total hourly compensation of $67.64 divided by $46.91 wages/salaries for Private Industry Workers, Management, Professional, and Related Occupations. Sources: https://www.bls.gov/oes/2021/may/naics4_541500.htm (BLS, OES: May 2021 National Industry-Specific Occupational Employment and Wage Estimates); BLS, Employer Costs for Employee Compensation (ECEC Table 4), https://www.bls.gov/news.release/archives/ecec_03172023.htm (released March 17, 2023).
Analysis
Agency: Cybersecurity and
Infrastructure Security Agency (CISA),
Department of Homeland Security
(DHS).
Title: Secure Software Development
Attestation.
OMB Control Number: [Insert DHS/
CISA 4 Digit Prefix Then XXX].
Type of Review: Request for a new
OMB Control Number, New Common
Form.
Expiration Date of Approval: Not
Applicable.
Frequency: Annually.
Affected Public: Business—Software
Producers.
Estimated Number of Respondents:
2,689.
Estimated Number of Responses per
Respondent: 1.5.
Estimated Number of Responses:
4,034.
Estimated Time for Initial Submission
per Respondent: 3 hours and 20
minutes.
Estimated Time for Resubmission per
Respondent: 1 hour and 50 minutes.
Total Annualized Burden Hours for
Initial Submissions: 8,963 hours.
Total Annualized Burden Hours for
Resubmissions: 2,466 hours.
Total Annualized Burden Hours:
11,429 hours.
Total Annualized Respondent
Opportunity Cost: $923,623.
Robert J. Costello,
Chief Information Officer, Department of
Homeland Security, Cybersecurity and
Infrastructure Security Agency.
[FR Doc. 2023–08823 Filed 4–26–23; 8:45 am]
BILLING CODE 9110–9P–P
DEPARTMENT OF THE INTERIOR
Fish and Wildlife Service
[Docket No. FWS–R4–ES–2023–0060;
FXES11140400000–234–FF04EF4000]
Receipt of Incidental Take Permit
Application and Proposed Habitat
Conservation Plan for the Sand Skink;
Orange County, FL; Categorical
Exclusion
AGENCY: Fish and Wildlife Service, Interior.
ACTION: Notice of availability; request for comments and information.
SUMMARY: We, the Fish and Wildlife
Service (Service), announce receipt of
an application from Ashton Orlando
Residential, LLC (applicant; Lake
Dennis project) for an incidental take
permit (ITP) under the Endangered
Species Act. The applicant requests the
ITP to take the federally listed sand
skink (Neoseps reynoldsi) incidental to
the construction of a residential
development in Orange County, Florida.
We request public comment on the
application, which includes the
applicant’s proposed habitat
conservation plan (HCP), and on the
Service’s preliminary determination that
the proposed permitting action may be
eligible for a categorical exclusion
pursuant to the Council on
Environmental Quality’s National
Environmental Policy Act (NEPA)
regulations, the Department of the
Interior’s (DOI) NEPA regulations, and
the DOI Departmental Manual. To make
this preliminary determination, we
prepared a draft environmental action
statement and low-effect screening form,
both of which are also available for
public review. We invite comment from
the public and local, State, Tribal, and
Federal agencies.
DATES: We must receive your written
comments on or before May 30, 2023.
ADDRESSES:
Obtaining Documents: You may
obtain copies of the documents online
in Docket No. FWS–R4–ES–2023–0060;
at https://www.regulations.gov.
Submitting Comments: If you wish to
submit comments on any of the
documents, you may do so in writing by
one of the following methods:
• Online: https://www.regulations.gov. Follow the
instructions for submitting comments
on Docket No. FWS–R4–ES–2023–0060;
• U.S. Mail: Public Comments
Processing, Attn: Docket No. FWS–R4–
ES–2023–0060; U.S. Fish and Wildlife
Service, MS: PRB/3W, 5275 Leesburg
Pike, Falls Church, VA 22041–3803.