Agency Information Collection Activities: Vulnerability Reporting Submission Form

Issuing agencies

Abstract

The Vulnerability Management (VM) subdivision within Cybersecurity and Infrastructure Security Agency (CISA) submits the following Information Collection Request (ICR) to the Office of Management and Budget (OMB) for review and clearance in accordance with the Paperwork Reduction Act of 1995. CISA previously published this ICR in the Federal Register on October 30, 2024, for a 60-day public comment period. CISA received one comment. The purpose of this notice is to allow an additional 30-days for public comments.

Full Text

<html>
<head>
<title>Federal Register, Volume 90 Issue 159 (Wednesday, August 20, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 159 (Wednesday, August 20, 2025)]
[Notices]
[Pages 40638-40639]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-15887]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY


Agency Information Collection Activities: Vulnerability Reporting 
Submission Form

AGENCY: Cybersecurity and Infrastructure Security Agency (CISA), 
Department of Homeland Security (DHS).

ACTION: 30-day notice and request for comments; new information 
collection request and OMB 1670-NEW.

-----------------------------------------------------------------------

SUMMARY: The Vulnerability Management (VM) subdivision within 
Cybersecurity and Infrastructure Security Agency (CISA) submits the 
following Information Collection Request (ICR) to the Office of 
Management and Budget (OMB) for review and clearance in accordance with 
the Paperwork Reduction Act of 1995. CISA previously published this ICR 
in the Federal Register on October 30, 2024, for a 60-day public 
comment period. CISA received one comment. The purpose of this notice 
is to allow an additional 30-days for public comments.

DATES: Comments are encouraged and will be accepted until September 19, 
2025.
    Submissions received after the deadline for receiving comments may 
not be considered.

[[Page 40639]]


ADDRESSES: Written comments for the proposed information collection 
should be sent within 30 days of publication of this notice to 
<a href="http://www.reginfo.gov/public/do/PRAMain">www.reginfo.gov/public/do/PRAMain</a>. Find this particular information 
collection by selecting ``Currently under 30-day Review--Open for 
Public Comments'' or by using the search function.
    The Office of Management and Budget is particularly interested in 
comments which:
    1. Evaluate whether the proposed collection of information is 
necessary for the proper performance of the functions of the agency, 
including whether the information will have practical utility;
    2. Evaluate the accuracy of the agency's estimate of the burden of 
the proposed collection of information, including the validity of the 
methodology and assumptions used;
    3. Enhance the quality, utility, and clarity of the information to 
be collected; and
    4. Minimize the burden of the collection of information on those 
who are to respond, including through the use of appropriate automated, 
electronic, mechanical, or other technological collection techniques or 
other forms of information technology, e.g., permitting electronic 
submissions of responses.

FOR FURTHER INFORMATION CONTACT: If additional information is required 
contact: Kevin Donovan, 202-505-6441, <a href="/cdn-cgi/l/email-protection#016a6477686f2f656e6f6e77606f416c60686d2f626872602f6569722f666e77"><span class="__cf_email__" data-cfemail="d7bcb2a1beb9f9b3b8b9b8a1b6b997bab6bebbf9b4bea4b6f9b3bfa4f9b0b8a1">[email&#160;protected]</span></a>.

SUPPLEMENTARY INFORMATION: The Cybersecurity and Infrastructure 
Security Agency (CISA) operates Coordinated Vulnerability Disclosure 
(CVD) in partnership with industry stakeholders and community 
researchers alike. Through this collaboration, CISA provides technical 
assistance and guidance on detecting and handling security 
Vulnerability Disclosures, compiles, and analyzes incident information 
that may threaten information security. 6 U.S.C. 659(c)(1), see also 6 
U.S.C. 659(c)(6) (providing for information sharing capabilities as the 
federal civilian interface for sharing of cybersecurity information and 
providing technical assistance and risk management support for both 
Federal Government and non-Federal Government entities). CISA is also 
authorized to carry out these CVD functions by 6 U.S.C. 659(n) on 
Coordinated Vulnerability Disclosure, which authorizes CISA to, in 
coordination with industry and other stakeholders, may develop and 
adhere to DHS policies and procedures for coordinating vulnerability 
disclosures.
    CISA is responsible for performing Coordinated Vulnerability 
Disclosure, which may originate outside the United States Government 
(USG) network/community and affect users within the USG and/or broader 
community or originate within the USG community and affect users both 
within and outside of it. Often, therefore, the effective handling of 
security incidents relies on information sharing among individual 
users, industry, and the USG, which may be facilitated by and through 
CISA. A dedicated form on the CISA website will allow for reporting of 
vulnerabilities that the reporting entity believes to be CISA 
Coordinated Vulnerability Disclosure (CVD) eligible. Upon submission, 
CISA will evaluate the information provided, and then will triage 
through the CVD process, if all CISA scoped CVD requirements are met.
    CISA received one comment during the 60-day comment period. The 
commentator provided comments on the reporting process and questioned 
the accuracy of the burden estimate to include the numbers and the 
terminology between the use of the word ``respondents'' as opposed to 
``response.'' The same commentator inquired as to what amount of 
preparation if any is given to those who advise on vendor 
vulnerabilities.
    CISA thanked the commentator on the feedback and analysis and 
clarified that CISA's Vulnerability Disclosure Submission Form is an 
effort to improve how CISA collects vulnerability information from the 
public. CISA explained that the form is designed to improve CISA's 
intake and triage capabilities and that the form builds upon existing 
processes and does not involve developing an entirely new or 
independent framework. As to the burden estimates, CISA explained that 
the estimates were derived from historical data and operational 
experience under CISA's existing vulnerability coordination efforts. 
CISA further noted the suggested term of ``responses'' instead of 
``respondents'' may better reflect number of submissions rather than 
unique individuals is noted and indicated the change to be incorporated 
into future communications on the effort to ensure clarity.

Analysis

    Agency: Cybersecurity and Infrastructure Security Agency (CISA), 
Department of Homeland Security (DHS).
    Title: Vulnerability Disclosure Submission Form.
    OMB Number: 1670-NEW.
    Frequency: Per report on a voluntary basis.
    Affected Public: State, local, Territorial, and Tribal, 
International, Private Sector Partners.
    Number of Respondents: 2,725.
    Estimated Time Per Respondent: 0.167 hours.
    Annualized Respondent Cost: $39,536.
    Total Annualized Respondent Out-of-Pocket Cost: $0.
    Total Annualized Government Cost: $63,447.

Robert J. Costello,
Chief Information Officer, Department of Homeland Security, 
Cybersecurity and Infrastructure Security Agency.
[FR Doc. 2025-15887 Filed 8-19-25; 8:45 am]
BILLING CODE 9111-LF-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>