[Federal Register Volume 88, Number 153 (Thursday, August 10, 2023)]
[Notices]
[Pages 54345-54346]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-17183]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

[Docket No. CISA-2023-0019]


Agency Information Collection Activities: ReadySetCyber 
Initiative Questionnaire

AGENCY: Cybersecurity and Infrastructure Security Agency (CISA), 
Department of Homeland Security (DHS).

ACTION: 60-Day notice and request for comments on a new collection.

-----------------------------------------------------------------------

SUMMARY: CISA will submit the following Information Collection Request 
(ICR) to the Office of Management and Budget (OMB) for review and 
clearance.

DATES: Comments are encouraged and will be accepted until October 10, 
2023.

ADDRESSES: You may submit comments, identified by docket number Docket 
# CISA-2023-0019, at:
    * Federal eRulemaking Portal: http://www.regulations.gov. 
Please follow the instructions for submitting comments.
    Instructions: All submissions received must include the agency name 
and docket number Docket # CISA-2023-0019. All comments received will 
be posted without change to http://www.regulations.gov, including any 
personal information provided.
    Docket: For access to the docket to read background documents or 
comments received, go to http://www.regulations.gov.

SUPPLEMENTARY INFORMATION: Consistent with CISA's authorities to 
``carry out comprehensive assessments of the vulnerabilities of the key 
resources and critical infrastructure of the United States'' at 6 
U.S.C. 652(e)(1)(B) and provide federal and non-federal entities with 
``operational and timely technical assistance'' at 6 U.S.C. 659(c)(6) 
and ``recommendation on security and resilience measures'' at 6 U.S.C. 
659(c)(7), CISA's ReadySetCyber Initiative will collect information in 
order to provide tailored technical assistance, services and resources 
to critical infrastructure (CI) organizations and state, local, tribal, 
and territorial (SLTT) governments based on the characteristics of 
their respective cybersecurity programs. CISA seeks to collect this 
information from U.S. CI and SLTT organizations on a voluntary and fully 
electronic basis so that each organization can be best supported in 
receiving tailored cybersecurity recommendations and services.
    The overarching goal of CISA's ReadySetCyber Initiative is to help 
CI and SLTT organizations access information and services that are 
tailored to their specific cybersecurity needs. In addition, CISA 
expects this initiative to yield several additional benefits, 
including:
    * Further adoption of CISA's Cybersecurity Performance Goals 
(CPGs) as the default approach for assessing organizational progress 
and identifying prioritized cybersecurity gaps;
    * Collection of information about organizations' 
cybersecurity posture and progress, enabling more targeted engagement 
with sectors, regions, and individual organizations;
    * More effective allocation of capacity-constrained services 
to specific stakeholders;
    * Provision of a simplified approach to guiding 
stakeholders into enrollment for scalable services and rapidly expanding 
uptake thereof; and
    * Furthering the development of relationships between CI and 
SLTT organizations and CISA's regional cybersecurity personnel.
    CISA's CPGs are a set of voluntary cybersecurity practices which 
aim to reduce the risk of cybersecurity threats to U.S. CI and SLTT 
organizations. CISA offers services and resources to aid CI and SLTT 
organizations in adopting the CPGs and seeks to make accessing 
appropriate services and resources as efficient as possible, especially 
for organizations whose cybersecurity programs operate at low levels of 
capability.
    For example, an organization that is unsure of its ability to 
enumerate all of its internet-facing sites and services could leverage 
CISA's highly scalable automated testing services to scan its entire 
network range. Organizations with cybersecurity programs with more 
advanced characteristics who wish to evaluate their network 
segmentation controls are better positioned to take advantage of CISA's 
more resource-intensive architecture assessments. All organizations 
completing the questionnaire will also be connected with a CISA 
cybersecurity representative in their jurisdiction to provide direct 
support and engagement.
    To measure adoption of the CPGs and assist CI and SLTT 
organizations in finding the most impactful services and resources for 
their cybersecurity programs, CISA is seeking to establish a voluntary 
information collection that uses respondents' answers to tailor a 
recommended package of services and resources most applicable to their 
evaluated level of program capability. Without collecting this 
information, CISA would be unable to tailor an appropriate suite of 
services, recommendations, and resources to assist the organization in 
protecting itself against cybersecurity threats, thereby creating 
burdens of inefficiency for service requesters and CISA alike.
    In addition, receipt of this information is critical to CISA's 
ability to measure the adoption of CISA's CPGs by CI and SLTT 
organizations. The information to be collected will address various 
inquiries, such as: whether an organization keeps a regularly updated 
inventory of all assets with an Internet Protocol address; the types of 
incident reporting and vulnerability disclosures required by an 
organization's contracts with its vendors and suppliers; and whether 
the entity requires a minimum password strength for all 
password-protected assets.
    The Office of Management and Budget is particularly interested in 
comments which:
    1. Evaluate whether the proposed collection of information is 
necessary for the proper performance of the functions of the agency, 
including whether the information will have practical utility;
    2. Evaluate the accuracy of the agency's estimate of the burden of 
the proposed collection of information, including the validity of the 
methodology and assumptions used;
    3. Enhance the quality, utility, and clarity of the information to 
be collected; and
    4. Minimize the burden of the collection of information on those 
who are to respond, including via the use of appropriate automated, 
electronic, mechanical, or other technological collection techniques or 
other forms of information technology, e.g., permitting electronic 
submissions of responses.

Analysis

    Agency: Cybersecurity and Infrastructure Security Agency (CISA), 
Department of Homeland Security (DHS).
    Title: ReadySetCyber.
    OMB Number:
    Frequency: Upon each voluntary request for technical assistance, 
which CISA expects to occur on an annual basis.
    Affected Public: Critical Infrastructure Owners & Operators seeking 
CISA services.
    Number of Respondents: Approximately 2,000 per year.
    Estimated Time per Respondent: 20 Minutes.
    Total Burden Hours: 666.7 Hours.

Robert J. Costello,
Chief Information Officer, Department of Homeland Security, 
Cybersecurity and Infrastructure Security Agency.
[FR Doc. 2023-17183 Filed 8-9-23; 8:45 am]
BILLING CODE 9110-09-P