Agency Information Collection Activities: Incident Reporting Form

Issuing agencies

Abstract

The Cybersecurity Division (CSD) within the Cybersecurity and Infrastructure Security Agency (CISA) submits the following Information Collection Request (ICR) to the Office of Management and Budget (OMB) for review and clearance in accordance with the Paperwork Reduction Act of 1995. This is a replacement to an existing collection and is a new collection request. This ICR collects cybersecurity incident reports related to Federal agency information systems, mandatory reports on behalf of certain Federal regulatory agencies, mandatory reports due to contractual requirements, and voluntary reports from members of the public. This ICR, which is authorized by the Federal Information Security Modernization Act of 2014 (FISMA) and the Homeland Security Act, is distinct from incident reporting under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). CISA will use a different information collection instrument for CIRCIA incident reports after the effective date of CIRCIA implementing regulations. The questions included in this package for public review represent the universe of all possible questions CISA may use for incident report information collection purposes across multiple use cases; no respondent will be presented all the questions.

Full Text

<html>
<head>
<title>Federal Register, Volume 89 Issue 194 (Monday, October 7, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 194 (Monday, October 7, 2024)]
[Notices]
[Pages 81097-81098]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-23070]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

[Docket No. CISA-2024-0025]


Agency Information Collection Activities: Incident Reporting Form

AGENCY: Cybersecurity and Infrastructure Security Agency (CISA), 
Department of Homeland Security (DHS).

ACTION: 60-Day notice and request for comments; new Information 
Collection Request, 1670-NEW.

-----------------------------------------------------------------------

SUMMARY: The Cybersecurity Division (CSD) within the Cybersecurity and 
Infrastructure Security Agency (CISA) submits the following Information 
Collection Request (ICR) to the Office of Management and Budget (OMB) 
for review and clearance in accordance with the Paperwork Reduction Act 
of 1995. This is a replacement to an existing collection and is a new 
collection request. This ICR collects cybersecurity incident reports 
related to Federal agency information systems, mandatory reports on 
behalf of certain Federal regulatory agencies, mandatory reports due to 
contractual requirements, and voluntary reports from members of the 
public. This ICR, which is authorized by the Federal Information 
Security Modernization Act of 2014 (FISMA) and the Homeland Security 
Act, is distinct from incident reporting under the Cyber Incident 
Reporting for Critical Infrastructure Act (CIRCIA). CISA will use a 
different information collection instrument for CIRCIA incident reports 
after the effective date of CIRCIA implementing regulations. The 
questions included in this package for public review represent the 
universe of all possible questions CISA may use for incident report 
information collection purposes across multiple use cases; no 
respondent will be presented all the questions.

DATES: Comments are encouraged and will be accepted until December 6, 
2024.

ADDRESSES: You may submit comments, identified by docket number Docket 
-CISA-2024-0025, by following the instructions below for submitting 
comment via the Federal eRulemaking Portal at <a href="http://www.regulations.gov">http://www.regulations.gov</a>.
    Instructions: All comments received must include the agency name 
and docket number Docket #CISA-2024-0025. All comments received will be 
posted without change to <a href="http://www.regulations.gov">http://www.regulations.gov</a>, including any 
personal information provided.
    Docket: For access to the docket to read background documents or 
comments received, go to <a href="http://www.regulations.gov">http://www.regulations.gov</a>.

FOR FURTHER INFORMATION CONTACT: Brian DeWyngaert; 202-657-1360; 
<a href="/cdn-cgi/l/email-protection#ce8cbca7afa0e0aaabb9b7a0a9afabbcba8eada7bdafe0aaa6bde0a9a1b8"><span class="__cf_email__" data-cfemail="1755657e7679397372606e79707672656357747e647639737f6439707861">[email&#160;protected]</span></a>.

SUPPLEMENTARY INFORMATION: CISA serves as ``a Federal civilian 
interface for the multi-directional and cross-sector sharing of 
information related to cyber threat indicators, defensive measures, 
cybersecurity risks, incidents, analysis, and warnings for Federal and 
non-Federal entities.'' 6 U.S.C. 659(c)(1).
    CISA is responsible for performing, coordinating, and supporting 
response to information security incidents, which may originate outside 
the Federal community and affect users within it, or originate within 
the Federal community and affect users outside of it. CISA uses the 
information from incident reports to develop timely and actionable 
information for distribution to Federal departments and agencies; 
State, local, Tribal and territorial (SLTT) governments; critical 
infrastructure owners and operators; private industry; and 
international organizations. Often, the effective handling of security 
incidents relies on information sharing among individual users, 
industry, and the Federal Government, which may be facilitated by and 
through CISA.
    Pursuant to the Federal Information Security Modernization Act of 
2014 (FISMA), 44 U.S.C. 3552 et seq., CISA operates the Federal 
information security incident center for the United States Federal 
Government. 44 U.S.C. 3556. Federal agencies notify and consult with 
CISA regarding information security incidents involving Federal 
information systems. CISA provides Federal agencies with technical 
assistance and guidance on detecting and handling security incidents, 
compiles and analyze incident information that threatens information 
security, informs agencies of current and potential threats and 
vulnerabilities, and provides intelligence or other information about 
cyber threats, vulnerabilities, and incidents to agencies. 44 U.S.C. 
3556(a). CISA also receives incident reports from non-Federal entities 
who are reporting to satisfy existing regulatory, statutory, and/or 
contractual requirements. Finally, CISA receives voluntary incident 
reports from non-Federal entities.
    CISA's website (at <a href="https://www.cisa.gov/">https://www.cisa.gov/</a>) is a primary tool used by 
constituents to report incident information, access information sharing 
products and services, and interact with CISA. Constituents, which may 
include anyone or any entity in the public, use forms located on the 
website to complete these activities. Incident reports are primarily 
submitted using CISA's current Incident Reporting Portal, available at 
<a href="https://www.cisa.gov/forms/report">https://www.cisa.gov/forms/report</a>. This new collection instrument will 
replace the current form once the new collection instrument is online 
and active.
    By accepting incident reports and feedback, and interacting among 
Federal agencies, industry, the research community, State and local 
governments, and others to disseminate reasoned and actionable 
cybersecurity information to the public, CISA has provided a way for 
citizens, businesses, and other institutions to communicate and 
coordinate directly with the Federal Government about cybersecurity.
    Incident reports are collected through the Incident Reporting 
Portal, which enables end users to report incidents and indicators as 
well as submit malware artifacts associated with incidents to CISA. 
This information is used by CISA to conduct analyses and provide 
warnings of system threats and vulnerabilities, and to develop 
mitigation strategies as appropriate. This ICR also requests the user's 
name, email address, organization, and infrastructure sector. The 
primary purpose for the collection of this contact and industry 
information is to allow CISA to contact requestors regarding their 
report.
    In addition to web-based electronic forms, information may be 
collected through email or telephone. These methods enable individuals, 
private sector entities, personnel working at other Federal or State 
agencies, and international entities, including individuals, companies 
and other nations' governments to submit information.
    This collection of information will replace CISA's current Incident 
Reporting Form. There are significant changes to the current set of 
questions asked. The questions included in this package for public 
review represent the universe of all possible questions CISA may use 
for incident report information collection purposes across the multiple 
use cases outlined above; no respondent will be presented all the 
questions. In the Incident Reporting Portal respondents will be 
directed to answer a subset of the questions based on the 
characteristics of the reporting entity, the reasons for which they are 
reporting, and the nature of the incident. The dynamic design of the 
Incident

[[Page 81098]]

Reporting Portal means that the user experience flow from question to 
question is driven by the individual respondent's responses. No 
respondent will be prompted to answer all the questions included in 
this package for review and approval.
    This collection of information is distinct from CISA's efforts to 
implement the Cyber Incident Reporting for Critical Infrastructure Act 
of 2022 (CIRCIA) covered cyber incident and ransom payment reporting 
requirements. On April 4, 2024, CISA published the CIRCIA Notice of 
Proposed Rulemaking (NPRM). 89 FR 23644 (Apr. 4, 2024). Among other 
aspects of the proposed rulemaking, the CIRCIA NPRM described the 
proposed required content of CIRCIA reports. The public comment for 
that NPRM closed on July 3, 2024, and CISA is currently reviewing and 
considering comments as it develops the CIRCIA Final Rule. However, 
CISA clarifies that reporting under CIRCIA will not go into effect 
until the effective date of the CIRCIA Final Rule, which is anticipated 
to be late 2025 or early 2026.
    As described above, the purpose of this ICR is to replace CISA's 
current Incident Reporting Form (approved under OMB control number 
1670-037) which is used to collect incident reports under CISA's non-
CIRCIA authorities (including FISMA) or other existing regulatory, 
statutory, and/or contractual requirements that provide for reporting 
of incidents to CISA. This collection is intended to replace the 
current Incident Reporting Form, prior to the effective date of the 
CIRCIA Final Rule, with a revised question set that will enrich the 
value and analytical capabilities on the data collected under these 
other incident reporting and information sharing authorities.
    Because this effort is distinct from the CIRCIA Final Rule 
development, comments submitted in response to this Federal Register 
notice will not be considered comments on the CIRCIA NPRM or otherwise 
considered as part of the development of the CIRCIA Final Rule. 
Further, because CISA is still actively in the process of considering 
comments received in response to the CIRCIA NPRM, this ICR should not 
be viewed as indicating how CISA will resolve such comments as part the 
Final Rule.
    This collection of information will not have a significant economic 
impact on a substantial number of small entities. Based on an average 
of 26,000 respondents and the current hourly compensation rates, the 
burden and cost estimates are as follows: the burden hour estimate for 
an initial report is 52,000 hours and 146,250 hours for subsequent 
updates to the initial report. The annual burden cost is $8,870,611. 
The annual government cost is $4,351,165.
    The Office of Management and Budget is particularly interested in 
comments which:
    1. Evaluate whether the proposed collection of information is 
necessary for the proper performance of the functions of the agency, 
including whether the information will have practical utility;
    2. Evaluate the accuracy of the agency's estimate of the burden of 
the proposed collection of information, including the validity of the 
methodology and assumptions used;
    3. Enhance the quality, utility, and clarity of the information to 
be collected; and
    4. Minimize the burden of the collection of information on those 
who are to respond, including through the use of appropriate automated, 
electronic, mechanical, or other technological collection techniques or 
other forms of information technology, e.g., permitting electronic 
submissions of responses.

Analysis

    Agency: Cybersecurity and Infrastructure Security Agency (CISA), 
Department of Homeland Security (DHS).
    Title: Clearance for the Collection of Information through CISA 
Reporting Form.
    OMB Number: 1670-NEW.
    Frequency: Annually.
    Affected Public: State, Local, Tribal, and Territorial Governments, 
Private Sector, and Academia.
    Number of Respondents: 26,000.
    Estimated Time per Respondent: 3 hours (Initial Report) 7.5 hours 
(Updated Report).
    Total Burden Hours: 198,250.
    Total Annualized Respondent Cost: $8,870,611.
    Total Annualized Government Cost: $4,351,162.

Robert J. Costello,
Chief Information Officer, Department of Homeland Security, 
Cybersecurity and Infrastructure Security Agency.
[FR Doc. 2024-23070 Filed 10-4-24; 8:45 am]
BILLING CODE 9111-LF-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>