2011 Ncsr Faq

Department of Homeland Security

2011
NATIONWIDE CYBER SECURITY REVIEW

Frequently Asked Questions

Department of Homeland Security
National Protection and Programs Directorate
National Cyber Security Division

2011 NCSR Frequently Asked Questions

______________________________________________________________________________

Questions
1.

What is the Nationwide Cyber Security Review (NCSR)? ................................................................................................... 3

3.

Does participation in the NCSR create a cost my organization? ...................................................................................... 3

2.

Is participation in the NCSR mandatory?................................................................................................................................... 3

4.

What are the benefits of participating in the 2011 NCSR? ................................................................................................. 3

6.

Which organizations can participate in the NCSR? ............................................................................................................... 4

5.

How is the NCSR different from other audits, surveys, assessments, reviews, etc.? .............................................. 3

7. Why does DHS target participation from only those agencies responsible for the Information
Technology, Health, Revenue, and Transportation services/functions? ................................................................................ 4

8. What if more than one agency within my State or local government is responsible for the targeted
services/functions? (For example, what if multiple State agencies within my State provide Health services?) 4
9.

10.

Who from my organization should participate in the 2011 NCSR? ............................................................................... 5
Where is the 2011 NCSR located, and how do I register for it? .................................................................................. 5

11.

What is the timeframe to complete and submit the 2011 NCSR?.............................................................................. 5

13.

How long will the 2011 NCSR take to complete? .............................................................................................................. 6

12.
Will I still have access to the NCSR Compartment of the US-CERT Secure Portal after the 2011 NCSR
execution period ends? ................................................................................................................................................................................. 6
14.

How is DHS protecting the data associated with the 2011 NCSR?............................................................................ 6

15.

Can I share my 2011 NCSR Individual Report with other individuals, organizations, or entities? ............ 6

17.

How will DHS use my results, and will my organization be identified? ................................................................. 6

16.
Can DHS share the 2011 NCSR Individual Reports with other individuals, organizations, or entities?
(For example, if I am a State CIO, can DHS provide the individual reports for the State agencies or
cities/counties/municipalities that participated within my State?) ........................................................................................ 6
18.

How can I use my NCSR results? .............................................................................................................................................. 6

19.
Does participation in the 2011 NCSR impact or align with funding awarded under the Federal
Emergency Management Agency (FEMA) Homeland Security Grant Program (HSGP)? ................................................ 7

20.

Who do I contact for NCSR-related questions or concerns? ........................................................................................ 7

21.
Where can I obtain information on additional cybersecurity services offered by the DHS National
Cyber Security Division (NCSD)?.............................................................................................................................................................. 7

Page 2 of 7

2011 NCSR Frequently Asked Questions

______________________________________________________________________________
1. What is the Nationwide Cyber Security Review (NCSR)?
Answer: The NCSR is an effort to evaluate cyber security management within States and
local governments. The NCSR addresses the requirement in House Report 111-298 for
Public Law 111-83 that states “[the National Protection and Programs Directorate] (NPPD),
in cooperation with the [Federal Emergency Management Agency] (FEMA) and relevant
stakeholders, shall develop the necessary tools for all levels of government to complete a cyber
network security assessment”. The responsibility for addressing this requirement has been
delegated to the National Cyber Security Division (NCSD) within NPPD.

2. Is participation in the NCSR mandatory?

Answer: No, the NCSR is a voluntary review (i.e., participation is not federally mandated).
However, (for example) State Chief Information Officers are free to encourage participation
from their State agencies in order to support this Congressional initiative.

3. Does participation in the NCSR create a cost my organization?

Answer: There is no cost to the participating organization beyond the time and effort taken
by personnel to complete and submit the NCSR.

4. What are the benefits of participating in the 2011 NCSR?

Answer: Benefits of participating in the 2011 NCSR include:
•

•

•

Each participant will be provided access to the NCSR Compartment within the
United States Computer Emergency Readiness Team (US-CERT) Secure Portal.
The NCSR Compartment contains cybersecurity resources and references to best
practices, as well as information regarding other NCSD programs and services.

Each participant will be provided an NCSR Individual Report, which contains the
NCSR questions, participant responses to the questions, and associated options for
consideration based on the participant’s response. This report is automatically
generated after submission of the NCSR and will be available for download within
the user’s “Private Document Library” within the NCSR Compartment. Each
participant’s report is visible only to the user who submitted a response to the 2011
NCSR (i.e., NCSR participants cannot view the Individual Reports of other
participants).

Each participant will have access to the 2011 NCSR Summary Report, which
provides a high-level overview of the Nation’s cybersecurity posture and will allow
organizations to compare their results (within the Individual Report) to the
aggregated responses of other NCSR participants. This report is targeted for release
in the first quarter of calendar year 2012 and participants will be notified when the
report is completed. The report will be available for download through the user’s
“Public Document Library” within the NCSR Compartment.

5. How is the NCSR different from other audits, surveys, assessments, reviews, etc.?

Answer: The NCSR focuses on the security practices adopted within an organization, as
well as the degree to which risk is used to select and manage security controls. The NCSR is
not designed to audit an organization’s compliance towards any specific regulation,
standard, or model, and will not be used for regulatory purposes.

Page 3 of 7

2011 NCSR Frequently Asked Questions

______________________________________________________________________________
6. Which organizations can participate in the NCSR?
Answer: All States, State Agencies, and local governments (e.g., cities, counties,
municipalities, etc.) within the United States and its territories can participate in the NCSR.

For the inaugural 2011 NCSR, DHS is targeting participation from the entities listed below
to specifically address requirements within the House Report 111-298.
•

•

•

All 50 States, and the District of Columbia

The State Agencies within each of the 50 States (and the District of Columbia)
responsible for the following four services/functions:
o Information Technology
 Usually, this is the Department of Information Technology, or its
equivalent (such as Department of Information Services, Office of
Information Technology, Information Services Division, etc.)
o Health
 Usually, this is the Department of Health, or its equivalent (such as
Department of Human Services, Department of Health and Human
Services, Department of Health and Social Services, etc.)
o Revenue
 Usually, this is the Department of Revenue, or its equivalent (such as
Department of Taxation, Department of Finance, etc.)
o Transportation
 Usually, this is the Department of Transportation, or its equivalent
(such as Department of Highway Safety, etc.)

Cities, counties, and municipalities within the 31 Large Urban Areas (LUAs)
defined in the Urban Areas Security Initiative (UASI) of FEMA’s Fiscal Year 2011
Homeland Security Grant Program (HSGP).

Future iterations of the NCSR may extend targeted outreach beyond those listed above.

7. Why does DHS target participation from only those agencies responsible for the
Information Technology, Health, Revenue, and Transportation services/functions?
Answer: For the inaugural 2011 NCSR, DHS worked with various stakeholders, to include
the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the National
Association of State Chief Information Officers (NASCIO), to determine which agencies to
target for participation. We attempted to select agencies that utilize information systems to
capture, store, and process sensitive information (such as healthcare data and personally
identifiable information). Future iterations of the NCSR will consider targeting participation
beyond agencies responsible for these four services/functions.

8. What if more than one agency within my State or local government is responsible for the
targeted services/functions? (For example, what if multiple State agencies within my
State provide Health services?)
Answer: We are aware that not all states have a single agency responsible for each of the
four targeted services/functions. In cases where multiple agencies are responsible for (for
example) Health services, we will defer to the State CIO/CISO (or their delegate) to
determine which one agency would be the best representative to complete the 2011 NCSR
on behalf of the (for example) “Health” service.

However, as the 2011 NCSR is open to all State governments, State Agencies, and local
governments within the United States and its territories, we welcome participation from
other agencies that may also perform (for example) “Health”-related services/functions.
Page 4 of 7

2011 NCSR Frequently Asked Questions

______________________________________________________________________________
9. Who from my organization should participate in the 2011 NCSR?
Answer: The 2011 NCSR seeks participation from personnel serving in any of the following
roles within their organization:
• Chief Information Officer (CIO);
• Chief Information Security Officer (CISO);
• Chief Security Officer (CSO);
• Chief Technology Officer (CTO);
• Director of Information Technology (IT)/Information Systems (IS); or
• Individuals responsible for Information Technology (IT) management.

Please Note: For the inaugural 2011 NCSR, completion and submission of the NCSR is
open to only one individual per organization (e.g., one individual at the State-level, one
individual from each State Agency, and one individual from each city/county/municipality
within a State). If more than one individual from a single organization is interested in
participating in the 2011 NCSR, it is recommended that those individuals work together to
complete and submit a single response to the 2011 NCSR.
For example, if both the CIO and CISO from a State wish to participate, we recommend that
the State selects one individual (e.g., the State’s CISO) to register for an account and submit
the 2011 NCSR. A copy of the 2011 NCSR question set is available for download within the
NCSR Compartment to allow other individuals (e.g., the State’s CIO) to collaboratively
address responses to the questions before submission.

Sample respondents for the State of XYZ:
• CIO for the State of XYZ
• CISO for the State of XYZ Dept. of IT
• Director of IT for the State of XYZ Dept. of Health
• Director of IT for the State of XYZ Dept. of Revenue
• CSO for the State of XYZ Dept. of Transportation

•
•
•
•

CIO for ABC County within the State of XYZ
CTO for City of ABC within the State of XYZ
CISO for the City of XYZ within the State of XYZ
…and other State agencies, counties, cities,
municipalities.

10. Where is the 2011 NCSR located, and how do I register for it?
Answer: The 2011 NCSR is accessible via the “2011 NCSR” link located on the homepage of
the NCSR Compartment within the US-CERT Secure Portal (https://portal.us-cert.gov).

To register for a US-CERT Secure Portal account, please send a request to
[email protected]. We will email you an invitation to register for the US-CERT Secure Portal
and grant you access to the NCSR Compartment. If you already have a US-CERT Secure
Portal account, please let us know and we will add the NCSR Compartment to your existing
account.

11. What is the timeframe to complete and submit the 2011 NCSR?

Answer: The timeframe to complete and submit the 2011 NCSR starts on October 1, 2011
and ends on November 15, 2011. However, you may register and access the NCSR
Compartment anytime before and after this timeframe. Please note, though, that the link to
the 2011 NCSR questions will be accessible only during the 2011 NCSR execution period
(October 1, 2011 – November 15, 2011).
As this is the first iteration of the NCSR, we have planned it to coincide with DHS’ National
Cyber Security Awareness Month, which occurs annually in October. During this timeframe,
you will be able to access the 2011 NCSR questions, save your progress, and resume the
review anytime by logging back into the US-CERT Secure Portal. However, please complete
and submit the 2011 NCSR by November 15, 2011.

Page 5 of 7

2011 NCSR Frequently Asked Questions

______________________________________________________________________________
12. Will I still have access to the NCSR Compartment of the US-CERT Secure Portal after the
2011 NCSR execution period ends?
Answer: Yes, you will have access to the NCSR Compartment after the 2011 NCSR execution
period concludes. You will still be able to access resources contained within the NCSR
Compartment itself, including the document libraries. The only item you will not have
access to after November 15, 2011 is the link (within the NCSR Compartment) to complete
the 2011 NCSR.

13. How long will the 2011 NCSR take to complete?

Answer: The 2011 NCSR consists of 70 questions. We estimate that it should take
approximately 1 – 2 hours to complete. The questions consist of 6 “NCSR Demographic”
questions; 59 “NCSR” questions; and 5 (optional) “Post-NCSR” questions.

14. How is DHS protecting the data associated with the 2011 NCSR?

Answer: All information provided during the 2011 NCSR is safeguarded in accordance with
the DHS Protected Critical Infrastructure Information (PCII) Program. DHS cannot
disseminate information designated as PCII, and this information is not subject to Freedom
of Information Act requests, State and local disclosure laws, and use in civil litigation. PCII
cannot be used for regulatory purposes and can only be accessed only in accordance with
strict safeguarding and handling requirements.
For more information, please visit http://www.dhs.gov/pcii.

15. Can I share my 2011 NCSR Individual Report with other individuals, organizations, or
entities?
Answer: Yes, the decision to disseminate each 2011 NCSR Individual Report is up to each
NCSR participant (and/or their organization).

16. Can DHS share the 2011 NCSR Individual Reports with other individuals, organizations,
or entities? (For example, if I am a State CIO, can DHS provide the individual reports for
the State agencies or cities/counties/municipalities that participated within my State?)
Answer: No, because the data collected during the NCSR (and the Individual Report
generated as a result of that data) is protected under the DHS PCII Program. For example, if
you are interested in how participants within your State responded, it is recommended that
you send an inquiry to your State agencies or cities/counties/municipalities within your
State to see if those entities participated in the 2011 NCSR.

17. How will DHS use my results, and will my organization be identified?

Answer: Once the 2011 NCSR concludes on November 15, 2011, DHS will aggregate all
responses and analyze the results to produce the 2011 NCSR Summary Report. Because the
data gathered during the NCSR is protected under the DHS PCII Program, the 2011 NCSR
Summary Report will be non-attributable to individual participants. Participant names, and
their organizations, will not be identified within the 2011 NCSR Summary Report.

18. How can I use my NCSR results?

Answer: The results contained within your 2011 NCSR Individual Report may help you and
your organization identify metrics that can be used in risk management decisions or
cybersecurity investment justifications.

Once the 2011 NCSR Summary Report is released, participants are encouraged to compare
their Individual Report to the Summary Report to benchmark their organization’s
performance in relation to the national average of those who participated in this review.
Page 6 of 7

2011 NCSR Frequently Asked Questions

______________________________________________________________________________
19. Does participation in the 2011 NCSR impact or align with funding awarded under the
Federal Emergency Management Agency (FEMA) Homeland Security Grant Program
(HSGP)?
Answer: No, the 2011 NCSR will not directly impact funding awarded under the FEMA
HSGP. Participation in the 2011 NCSR, and the resulting reports, will not guarantee
cybersecurity funding awarded under the FEMA HSGP. However, DHS is exploring the
possibility of incorporating future iterations of the NCSR into the FEMA grants process.

20. Who do I contact for NCSR-related questions or concerns?

Answer: Please email us at [email protected]. You can also call us at (703) 235-2894, the
operating hours are Monday – Friday from 0900 – 1700 Eastern Standard Time (EST).

21. Where can I obtain information on additional cybersecurity services offered by the DHS
National Cyber Security Division (NCSD)?
Answer: Information sheets for various NCSD programs and services can be obtained
within the “Public Document Library” of the NCSR Compartment. If you are interested in
additional information, please email us at [email protected].

Page 7 of 7