90 FR 159 pgs. 40638-40639 - Agency Information Collection Activities: Vulnerability Reporting Submission Form
Type: NOTICEVolume: 90Number: 159Pages: 40638 - 40639
Pages: 40638, 40639FR document: [FR Doc. 2025-15887 Filed 8-19-25; 8:45 am]
Agency: Homeland Security Department
Official PDF Version: PDF Version
[top]
DEPARTMENT OF HOMELAND SECURITY
Agency Information Collection Activities: Vulnerability Reporting Submission Form
AGENCY:
Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS).
ACTION:
30-day notice and request for comments; new information collection request and OMB 1670-NEW.
SUMMARY:
The Vulnerability Management (VM) subdivision within Cybersecurity and Infrastructure Security Agency (CISA) submits the following Information Collection Request (ICR) to the Office of Management and Budget (OMB) for review and clearance in accordance with the Paperwork Reduction Act of 1995. CISA previously published this ICR in the Federal Register on October 30, 2024, for a 60-day public comment period. CISA received one comment. The purpose of this notice is to allow an additional 30-days for public comments.
DATES:
Comments are encouraged and will be accepted until September 19, 2025.
Submissions received after the deadline for receiving comments may not be considered.
[top]
ADDRESSES:
Written comments for the proposed information collection should be sent within 30 days of publication of this notice to www.reginfo.gov/public/do/PRAMain. Find this particular information collection by selecting "Currently under 30-day Review-Open for Public Comments" or by using the search function.
The Office of Management and Budget is particularly interested in comments which:
1. Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;
2. Evaluate the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used;
3. Enhance the quality, utility, and clarity of the information to be collected; and
4. Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submissions of responses.
FOR FURTHER INFORMATION CONTACT:
If additional information is required contact: Kevin Donovan, 202-505-6441, kevin.donovan@mail.cisa.dhs.gov.
SUPPLEMENTARY INFORMATION:
The Cybersecurity and Infrastructure Security Agency (CISA) operates Coordinated Vulnerability Disclosure (CVD) in partnership with industry stakeholders and community researchers alike. Through this collaboration, CISA provides technical assistance and guidance on detecting and handling security Vulnerability Disclosures, compiles, and analyzes incident information that may threaten information security. 6 U.S.C. 659(c)(1), see also 6 U.S.C. 659(c)(6) (providing for information sharing capabilities as the federal civilian interface for sharing of cybersecurity information and providing technical assistance and risk management support for both Federal Government and non-Federal Government entities). CISA is also authorized to carry out these CVD functions by 6 U.S.C. 659(n) on Coordinated Vulnerability Disclosure, which authorizes CISA to, in coordination with industry and other stakeholders, may develop and adhere to DHS policies and procedures for coordinating vulnerability disclosures.
CISA is responsible for performing Coordinated Vulnerability Disclosure, which may originate outside the United States Government (USG) network/community and affect users within the USG and/or broader community or originate within the USG community and affect users both within and outside of it. Often, therefore, the effective handling of security incidents relies on information sharing among individual users, industry, and the USG, which may be facilitated by and through CISA. A dedicated form on the CISA website will allow for reporting of vulnerabilities that the reporting entity believes to be CISA Coordinated Vulnerability Disclosure (CVD) eligible. Upon submission, CISA will evaluate the information provided, and then will triage through the CVD process, if all CISA scoped CVD requirements are met.
CISA received one comment during the 60-day comment period. The commentator provided comments on the reporting process and questioned the accuracy of the burden estimate to include the numbers and the terminology between the use of the word "respondents" as opposed to "response." The same commentator inquired as to what amount of preparation if any is given to those who advise on vendor vulnerabilities.
CISA thanked the commentator on the feedback and analysis and clarified that CISA's Vulnerability Disclosure Submission Form is an effort to improve how CISA collects vulnerability information from the public. CISA explained that the form is designed to improve CISA's intake and triage capabilities and that the form builds upon existing processes and does not involve developing an entirely new or independent framework. As to the burden estimates, CISA explained that the estimates were derived from historical data and operational experience under CISA's existing vulnerability coordination efforts. CISA further noted the suggested term of "responses" instead of "respondents" may better reflect number of submissions rather than unique individuals is noted and indicated the change to be incorporated into future communications on the effort to ensure clarity.
Analysis
Agency: Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS).
Title: Vulnerability Disclosure Submission Form.
OMB Number: 1670-NEW.
Frequency: Per report on a voluntary basis.
Affected Public: State, local, Territorial, and Tribal, International, Private Sector Partners.
Number of Respondents: 2,725.
Estimated Time Per Respondent: 0.167 hours.
Annualized Respondent Cost: $39,536.
Total Annualized Respondent Out-of-Pocket Cost: $0.
Total Annualized Government Cost: $63,447.
Robert J. Costello,
Chief Information Officer, Department of Homeland Security, Cybersecurity and Infrastructure Security Agency.
[FR Doc. 2025-15887 Filed 8-19-25; 8:45 am]
BILLING CODE 9111-LF-P