SUPPLEMENTARY INFORMATION:

Security vulnerabilities, defined in section 102(17) of the Cybersecurity Information Sharing Act of 2015, are any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control. Security vulnerability mitigation is a process starting with discovery of the vulnerability leading to applying some solution to resolve the vulnerability. There is constantly a search for security vulnerabilities within information systems, from individuals or nation states wishing to bypass security controls to gain invaluable information, to researchers seeking knowledge in the field of cyber security. Bypassing such security controls in the DHS and other Federal Agencies information systems can cause catastrophic damage including but not limited to loss in Personally Identifiable Information (PII), sensitive information gathering, and data manipulation.

Pursuant to section 101 of the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act, (commonly known as the SECURE Technologies Act) individuals, organizations, and/or companies may submit any discovered security vulnerabilities found associated with the information system of any Federal agency. This collection is used by these individuals, organizations, and/or companies who choose to submit a discovered vulnerability found associated with the information system of any Federal agency.

Specifically, DHS and Federal cybersecurity agencies are working to address vulnerabilities within DHS's components. While DHS had previously obtained approval to collect this information on its own behalf, recent cyberattacks and trends exploiting vulnerabilities have exemplified the need to have this capability government-wide. In June 2023, a major and widespread cyberattack occurred by Russian cybercriminals, that impacted multiple U.S. federal government agencies. This was reported to be a result of cybercriminals exploiting a vulnerability in widely used software known as MOVEit. Cybercriminals gained the opportunity exploit the software that agencies use to transfer data. This attack was reported to be widespread and allowed for cybercriminals to break into multiple networks due to lack of remediation. Impacted organizations included The Energy Department, Johns Hopkins University, and University of Georgia. The MOVEit exploitation appears to have affected at least 122 organizations and exposed the data of roughly 15 million people. These numbers are based on posts from CL0P, the Russian ransomware group that has claimed responsibility for the attacks. This is just a single example among a myriad of vulnerabilities and incidents that we strive to avoid.

Public Law 116-283, Sec. 1705 (which amended 44 U.S.C. 3553) permits extensive sharing of information regarding cybersecurity and the protection of information and information systems from cybersecurity risks between Federal Agencies covered by the Federal Information Security Modernization Act and the Department of Homeland Security. This unique authority makes DHS well positioned to host the approval of this information collection on behalf of other Federal agencies

DHS is requesting pursuant to 44 US Code 33554(a)(1)(B), that the information collection continue to be designated for any Federal agency's ability to utilize the standardized DHS online Vulnerability Disclosure Form to collect their own agency's vulnerability information and post the information on their own agency websites.

DHS leverages the form to collect information about vulnerabilities impacting DHS assets. The form includes the following: vulnerable host(s), necessary information for reproducing the security vulnerability, remediation or suggestions for remediation of the vulnerability, and potential impact on host, if not remediated.

This form allows Federal agencies to complete the following actions; (1) allow the individuals, organizations, and/or companies who discover vulnerabilities in the information systems to report their findings to the agency, and (2) provide the agencies initial insight into any newly discovered vulnerabilities, as well as zero-day vulnerabilities in order to mitigate the security issues prior to malicious actors acting upon the vulnerability for malicious intent.

The form also benefits researchers and provides a safe and lawful method to practice and discover new cyber methods to discover the vulnerabilities. It provides the same benefit to Federal agencies and promotes the enhancement of Federal information system security policies.

Respondents may electively submit their information directly to the agency in which they would like to report a vulnerability. Federal Agencies provide the form electronically via their agency's website. The information collected does not have an impact on small business or other small entities.

The collection of this information is related to the discovery of security vulnerabilities by individuals, organizations, and/or companies is needed to fulfill the congressional mandate in Section 101 of the SECURE Technologies Act related to creating Vulnerability Disclosure Policies. In addition, without the ability to collect information on newly discovered security vulnerabilities associated with Federal agency information systems, Federal agencies will rely solely on the internal security personnel and/or the discovery through a post occurrence breach of security controls.

There are no assurances of confidentiality provide. Any PII that is collected is for the sole purpose of feedback and dialogue. This information collection is covered by a Privacy Impact Assessment (PIA), DHS/ALL/PIA-006 DHS General Contacts List (June 15, 2007), and a System of Records Notice, DHS/ALL-002 Department of Homeland Security (DHS) Mailing and Other Lists System, 73 FR 71659 (November 25, 2008).

The Office of Management and Budget is particularly interested in comments which:

1. Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;

2. Evaluate the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used;

3. Enhance the quality, utility, and clarity of the information to be collected; and

4. Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submissions of responses.

Analysis

Agency: Department of Homeland Security (DHS).

Title: VULNERABILITY DISCOVERY PROGRAM.

OMB Number: 1601-0028.

Frequency: Annually.

Affected Public: Individuals, Organizations, and/or Companies.

Number of Respondents: 3,000.

Estimated Time per Respondent: 3 hours.

Total Burden Hours: 9,000.