DHS Requests Comments on Cyber Infrastructure Protection Program
The Department of Homeland Security (DHS) has requested a 30-day extension for agency and public comments on the effectiveness of the vulnerability assessment program run by the Cybersecurity and Infrastructure Security Agency (CISA). The extension and message to agencies comes after DHS received no initial comments in the first 60-day period after the request was submitted.
The DHS request for comment cites both a presidential policy directive and the National Infrastructure Protection Plan for the need for a “centrally managed repository of infrastructure attributes capable of assessing risks and facilitating data sharing.” To meet that need, DHS created several programs to conduct voluntary assessments on critical infrastructure facilities.
“These assessments are web-based and are used to collect an organization’s basic, high-level information, and its dependencies. This data is then used to determine a Protective Measures Index (PMI) and a Resilience Measures Index (RMI) for the assessed organization. This information allows an organization to see how it compares to other organizations within the same sector as well as allows them to see how adjusting certain aspects would change their score,” the request explains. “This allows the organization to then determine where best to allocate funding and perform other high-level decision-making processes pertaining to the security and resiliency of the organization.”
Each time a group uses the assessment, they complete a Post-Assessment Questionnaire. The data from the questionnaire is used internally at DHS to improve the programs. While the questionnaire provides some feedback, DHS is requesting additional insight into perception of the program.
The agency is requesting comments to determine (1) whether the proposed collection of information is necessary, (2) the accuracy of the agency's estimate of the burden of the proposed collection of information, (3) the quality, utility, and clarity of the information to be collected, and (4) to minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology.
Comments are due by December 16, 2019.