Office of Cyber Security & Communications (CS&C) Information Technology (IT) Sector Small and Midsize Businesses (SMB) Cybersecurity Survey

OMB: 1670-0038



Supporting Statement for Paperwork Reduction Act Submissions


Title: Department of Homeland Security (DHS)
Office of Cyber Security & Communications (CS&C)

Information Technology (IT) Sector

Small and Midsize Businesses (SMB) Cybersecurity Survey


OMB Control Number: 1670-NEW


Supporting Statement A


A. Justification




1. Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information.

Response…


Section 227 of the Homeland Security Act authorizes the National Cybersecurity and Communications Integration Center (NCCIC) within NPPD as a “Federal civilian interface for the multi-directional and cross-sector sharing of information related to … cybersecurity risks.” 6 U.S.C. § 148(c)(1). This authority applies to federal and non-federal entities, including the private sector, small and medium businesses, sectors of critical infrastructure, and information sharing organizations. This provision includes the authority to receive, analyze and disseminate information about cybersecurity risks and incidents and to provide guidance, assessments, incident response support, and other technical assistance upon request and codifies NPPD’s coordinating role among federal and non-federal entities. 6 U.S.C. § 148.


As part of its information sharing responsibilities with non-Federal entities, the National Defense Authorization Act for Fiscal Year 2017 amended the Homeland Security Act to authorize the Department to focus specifically on small businesses. See Pub. L. No. 114-328 (2017). Specifically, the Act authorizes NPPD to “leverage small business development centers to provide assistance to small business concerns by disseminating information on cyber threat indicators, defense measures, cybersecurity risks, incidents, analyses, and warnings to help small business concerns in developing or enhancing cybersecurity infrastructure, awareness of cyber threat indicators, and cyber training programs for employees.” 6 U.S.C. § 148(l); see also 15 U.S.C. § 648(g) (similarly authorizing DHS, “and any other federal department or agency in coordination with the Department of Homeland Security” to “leverage small business concerns by disseminating information relating to cybersecurity risks and other homeland security matters to help small business concerns in developing or enhancing cybersecurity infrastructure, awareness of cyber threat indicators, and cyber training programs for employees”).


Consistent with these authorities, Executive Order 13,636 directs the Department to increase its cybersecurity information sharing efforts with the private sector and consult on and promote the National Institute of Standards and Technology (NIST) Cybersecurity Framework. To facilitate the Department’s promotion of the NIST Cybersecurity Framework, the Executive Order directs the Secretary to establish a voluntary program to support the adoption of the Framework in coordination with Sector Specific Agencies, which in turn “shall coordinate with Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.” Exec. Order. No. 13,636, 78 Fed. Reg. 11739 (2013).


Accordingly, the Information Technology (IT) Sector, represented by industry through the IT Sector Coordinating Council (SCC) and by Government through the IT Government Coordinating Council (GCC), established the IT Sector Small and Midsized Business (SMB) Cybersecurity Best Practices Working Group (“Working Group”) to develop best practices for implementing the NIST Cybersecurity Framework in the SMB community. The Working Group, which consists of industry and government representatives, developed the SMB Cybersecurity Survey to determine Return on Investment (ROI) metrics for NIST Cybersecurity Framework adoption among SMB stakeholders. This process will assess the effectiveness of the NIST Cybersecurity Framework and establish a baseline for ROI metrics, which have not previously existed in the SMB community. The IT Sector-Specific Agency (SSA), headquartered in DHS’s Office of Cybersecurity and Communications (CS&C), is supporting the Working Group’s survey development.


2. Indicate how, by whom, and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.

Response…



The IT SCC will administer the survey and anonymize the data, which will then be sent to DHS for analysis. The analysis will determine ROI information for NIST Cybersecurity Framework adoption in the SMB community. The results of this analysis will be used to provide the SMB community with best practices on how to use the Cybersecurity Framework for business protection and risk management.

The questionnaire will be distributed to SMBs and is a two-part survey. Questions 1-11 of the survey are for an organization’s leadership, as these questions pertain to high-level information about the company (core function, number of employees, etc.). The remaining questions are intended for the Chief Information Services Officer (CISO) and/or appropriate IT staff, as these questions are technical and ask about the IT security of the company.


The private sector will collect Point of Contact (POC) information through the survey instrument, but will not include that information on the anonymized dataset they submit to DHS. DHS will use anonymized data to conduct their analysis. The IT SCC will administer the survey.


3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.


Response…

The intent is for DHS to receive only derivative products: an anonymized microdataset from which summary statistics can be computed, or aggregated summary results. The private sector side of the IT SCC partnership will handle the actual data collection (administering the survey and processing raw inputs). DHS will assist with the statistical analysis where needed, but will not work with individual responses to the questionnaire. Even if the POC question is included in the questionnaire, DHS will not collect or retain that PII.

Once the survey is administered by the private sector partners of the IT SCC to the member organizations, the collected raw inputs will be compiled and the resulting dataset will be processed by the private sector partners to:

  a) assign a unique random identifier to each response,

  b) scrub any PII from the microdata, and

  c) perform QA of the processed dataset against the raw input.

These processing steps (a-c) will be completed prior to handing the dataset over to DHS for statistical analysis.


4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Item 2 above.



Response…

CS&C:


In 2014 CS&C conducted a survey, through the Federal Register process, to determine whether there are scalable and affordable cybersecurity solutions for SMBs. As part of the RFI input, the IT SCC recommended that DHS focus on educating SMBs about cybersecurity risks and how the national Cybersecurity Framework can assist SMBs in strengthening their overall cybersecurity posture. This initiative led to an ongoing joint IT SCC effort to develop and coordinate strategies to engage the SMB community. In light of these developments, Brigadier General (ret.) Gregory Touhill, Deputy Assistant Secretary for CS&C, requested that DHS, as the SSA for IT and Communications, work in conjunction with the IT SCC to develop strategies, best practices and products to help the SMB community better leverage and implement the national Cybersecurity Framework. To the Working Group’s knowledge, no other body has determined ROI information on Cybersecurity Framework adoption in the SMB community.


The RFI in 2014 was drafted specifically to garner opinions on whether SMBs would be interested in adopting the NIST Cybersecurity Framework (1.0). Now that the Framework has been implemented in various respects, DHS is looking into how well companies are equipped to respond to and mitigate cyberattacks. While some questions may appear similar, such as inquiring about what sources companies use to reference cybersecurity best practices, the questionnaire is meant to collect information about companies’ specific assets and management practices, such as physical access management and the cost of Framework investment and implementation. Furthermore, it is vital for DHS to collect the most up-to-date information regarding the Cybersecurity Framework.


Other Department or Agency Initiatives


Other agencies, such as the Federal Trade Commission, have either discussed or are in the beginning stages of efforts relating to Cybersecurity Framework adoption for SMBs. However, none of these efforts appear to be collecting ROI information from companies, which this questionnaire looks to gather.


5. If the collection of information impacts small businesses or other small entities (Item 5 of OMB Form 83-I), describe any methods used to minimize.


Response…

This collection will look to provide a positive impact to SMBs. With the collection of this data, DHS will provide SMBs with more effective practices to mitigate the current cyber threats that could jeopardize company assets. Use of electronic submission should assist in minimizing any unforeseen impact for said entities.


6. Describe the consequence to Federal/DHS program or policy activities if the collection of information is not conducted, or is conducted less frequently, as well as any technical or legal obstacles to reducing burden.


Response…

Failure to carry out this survey would impede the implementation of Executive Order 13636. In addition to the previously mentioned sections of the order, section 8(b) is specifically relevant here; it states that “Sector-Specific Agencies, in consultation with the Secretary and other interested agencies, shall coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments”. Using the data collected in this survey, DHS will be able to tailor its outreach and products more appropriately to the SMB community.


7. Explain any special circumstances that would cause an information collection to be conducted in a manner:


(a) Requiring respondents to report information to the agency more often than quarterly.

(b) Requiring respondents to prepare a written response to a collection of information in fewer than 30 days after receipt of it.

(c) Requiring respondents to submit more than an original and two copies of any document.

(d) Requiring respondents to retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years.

(e) In connection with a statistical survey, that is not designed to produce valid and reliable results that can be generalized to the universe of study.

(f) Requiring the use of a statistical data classification that has not been reviewed and approved by OMB.

(g) That includes a pledge of confidentiality that is not supported by authority established in statute or regulation, that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use.

(h) Requiring respondents to submit proprietary trade secret, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information’s confidentiality to the extent permitted by law.



Response…

  (a) N/A

  (b) It is anticipated that respondents will have in excess of a month to complete the survey.

  (c) N/A

  (d) N/A

  (e) N/A

  (f) N/A

  (g) To avoid triggering privacy concerns, the survey will be conducted through the private sector. DHS will only view and analyze the aggregate data once it has been anonymized.

  (h) This collection will not require respondents to submit proprietary trade secrets or other confidential information.


8. Federal Register Notice:

a. Provide a copy and identify the date and page number of publication in the Federal Register of the agency’s notice soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the agency in response to these comments. Specifically address comments received on cost and hour burden.

b. Describe efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.


 Response…


The IT SCC SMB working group will continue to work with SMBs for their voluntary feedback and cooperation, alongside other relevant stakeholder associations. The working group will utilize regular IT SCC meetings and other available opportunities for this purpose.




                                  Date of Publication   Volume #   Number #   Page #        Comments Addressed
60-Day Federal Register Notice:   July 18, 2017         82         136        32859-32860   8
30-Day Federal Register Notice:   December 18, 2017     82         241        60026-60027   0



9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.


Response…

There is no offer of monetary or material value for this information collection.


10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.



Response…

There are no assurances of confidentiality. This collection is not affected by the Privacy Act and is not impacted by a PIA or SORN.


11.  Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private.  This justification should include the reasons why the agency considers the questions necessary, the specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.


Response…

The instruments described in this collection do not request any information of a personally sensitive nature.


12. Provide estimates of the hour burden of the collection of information. The statement should:



a. Indicate the number of respondents, frequency of response, annual hour burden, and an explanation of how the burden was estimated. Unless directed to do so, agencies should not conduct special surveys to obtain information on which to base hour burden estimates. Consultation with a sample (fewer than 10) of potential respondents is desired. If the hour burden on respondents is expected to vary widely because of differences in activity, size, or complexity, show the range of estimated hour burden, and explain the reasons for the variance. Generally, estimates should not include burden hours for customary and usual business practices.

b. If this request for approval covers more than one form, provide separate hour burden estimates for each form and aggregate the hour burdens in Item 13 of OMB Form 83-I.

c. Provide estimates of annualized cost to respondents for the hour burdens for collections of information, identifying and using appropriate wage rate categories. The cost of contracting out or paying outside parties for information collection activities should not be included here. Instead, this cost should be included in Item 14.

Response…


  a. This survey is part of an ongoing joint IT SCC effort to develop and coordinate strategies to engage the SMB community on educating SMBs about cybersecurity risks and how the national Cybersecurity Framework can assist SMBs in strengthening their overall cybersecurity posture. The questionnaire is meant to collect information about what sources IT SMBs use to reference cybersecurity best practices, about companies’ specific assets and management practices, such as physical access management, and about the cost of NIST CSF adoption and implementation.


Therefore, the respondent universe will be the IT SMB subset of NAICS sector code 51 (Information Services), subsectors 518 and 519:

  Subsector 518: Data Processing, Hosting, and Related Services

  Subsector 519: Other Information Services


The overall number of SMB firms with fewer than 500 employees in the IT sector (NAICS 51) is estimated at 70K [1]. The numbers of small enterprises in the relevant subsectors are:


NAICS   NAICS Description                                Number [2]
518     Data Processing, Hosting, and Related Services   9,099
519     Other Information Services                       8,467
Total                                                    17,566


Therefore, the information collection’s population universe as a whole is calculated to be 17,566. With an estimated response rate of 25% to 30%, the number of respondents is approximated at around 5,000.


  • Number of respondents: 5,000

  • Frequency of Response: Every five years

  • Annualized Number of respondents: 5,000 respondents/5 years = 1,000 respondents annually

  • Annualized hour burden: 500 hours (30 minutes [3] per response: 0.5 x 1,000 = 500 average burden hours per year)


  b. N/A

  c. To monetize the respondents’ hour burden for collections of information, DHS will be using the formula: (Mean Hourly Wage Rate) x (Benefit Multiplier) x (Hours)


This formula determines the mean, fully-loaded hourly wage rate for SMBs in the relevant sector. The primary target respondents are CISOs or their equivalents for the SMBs within the IT sector, therefore no breakdown by discipline is necessary.


For the purposes of these calculations, DHS is using the 2012 Statistics of U.S. Businesses Employment and Payroll Summary [4]. Average pay per employee at enterprises with fewer than 500 employees in Information Services equaled $66,232 in 2012, which is the latest year for which the subsector summary is available. Average pay per employee in the NAICS 518 small enterprises was $80,855.


The inability to drill down to the SMB segment of the occupational statistics within the subsector of interest suggests using the annual average pay for the targeted segment ($80,855) as a reasonable alternative. This annual average corresponds to an average hourly rate of $38.87 ($80,855/2080 hours = $38.87).


The Benefit Multiplier was designated as 1.462 based on the BLS Economic News Release. This compensation factor is calculated using the BLS Economic News Release with December 2016 data on Employer Costs for Employee Compensation. Accordingly, the compensation factor was derived by applying the following formula: Total compensation divided by Wages and salaries = compensation factor (i.e., $34.90 total compensation ÷ $23.87 in wages and salaries = 1.462 compensation factor).


Total fully loaded hourly wage rate is $38.87 x 1.462 = $56.83.

Average Burden per Response is 30 minutes (0.5 hours), so $56.83 x 0.5 = $28.42

The total annualized number of expected respondents is 1,000, multiplied by an average fully-loaded half-hour wage rate of $28.42 per respondent = $28,420.


While the annualized cost of $28,240 is calculated by averaging response burden across 5 years based on the envisioned survey frequency, the overall survey cost for the total number of respondents (5000) is $141,200. The total burden will occur as a one-time cost within the first year of the 5-year survey cycle.

Table A.12: Estimated Annualized Burden Hours and Costs

Type of Respondent      No. of Respondents Annually   No. of Responses per Respondent   Avg. Burden per Response (in hours)   Total Annual Burden (in hours)   Average Hourly Wage Rate   Total Annual Respondent Cost
SMB CISOs               1,000                         1                                 0.5                                   500                              $56.83                     $28,420
Total annualized cost   1,000                         1                                 0.5                                   500                              $56.83                     $28,420



13. Provide an estimate of the total annual cost burden to respondents or record keepers resulting from the collection of information. (Do not include the cost of any hour burden shown in Items 12 and 14.)


The cost estimate should be split into two components: (1) a total capital and start-up cost component (annualized over its expected useful life); and (b) a total operation and maintenance and purchase of services component. The estimates should take into account costs associated with generating, maintaining, and disclosing or providing the information. Include descriptions of methods used to estimate major cost factors including system and technology acquisition, expected useful life of capital equipment, the discount rate(s), and the time period over which costs will be incurred. Capital and start-up costs include, among other items, preparations for collecting information such as purchasing computers and software; monitoring, sampling, drilling and testing equipment; and record storage facilities.



If cost estimates are expected to vary widely, agencies should present ranges of cost burdens and explain the reasons for the variance. The cost of purchasing or contracting out information collection services should be a part of this cost burden estimate. In developing cost burden estimates, agencies may consult with a sample of respondents (fewer than 10), utilize the 60-day pre-OMB submission public comment process and use existing economic or regulatory impact analysis associated with the rulemaking containing the information collection as appropriate.


Generally, estimates should not include purchases of equipment or services, or portions thereof, made: (1) prior to October 1, 1995, (2) to achieve regulatory compliance with requirements not associated with the information collection, (3) for reasons other than to provide information to keep records for the government, or (4) as part of customary and usual business or private practices.


Response…

There are no recordkeeping, capital, start-up, or maintenance costs associated with this information collection.


14. Provide estimates of annualized cost to the Federal Government. Also, provide a description of the method used to estimate cost, which should include quantification of hours, operational expenses (such as equipment, overhead, printing and support staff), and any other expense that would have been incurred without this collection of information. You may also aggregate cost estimates for Items 12, 13, and 14 in a single table.



Response…

Based on internal review, NPPD personnel estimate that one GS-15, Step-5 will spend approximately 3 minutes (0.05 hours) per survey for design and administration; one GS-14, Step-5 will spend approximately 3 minutes (0.05 hours) per survey for design and administration; and one GS-13, Step-5 will spend approximately 9 minutes (0.15 hours) per survey for design and administration. In addition, one GS-13 will spend approximately 15 minutes (0.25 hours) per survey for survey analysis.


The hourly rates for the Washington, DC locality were obtained from the FY 2017 federal General Schedule (GS) [5]. GS-13, Step-5 is $107,435 x 1.462 = $157,069.97/2080 = $75.51 fully-loaded wage rate. GS-14, Step-5 is $126,958 x 1.462 = $185,612.60/2080 = $89.24 fully-loaded wage rate. GS-15, Step-5 is $149,337 x 1.462 = $218,330.70/2080 = $104.97 fully-loaded wage rate.


The cost for Survey Monkey is $1020 for the duration of testing, administering, and analyzing the survey.

Total Annualized Estimated Cost to the Government = $40,934.50


Table A.14: Annual Cost to the Government

Cost Category   Hours for Design / Administration per Survey   Hours per Survey Analysis   Number of Surveys   Total Annual Burden (in hours)   Average Hourly Wage Rate (Step 5)   Total Annual Cost
GS-15           0.05                                           n/a                         1,000               50                               $104.97                             $5,248.50
GS-14           0.05                                           n/a                         1,000               50                               $89.24                              $4,462.00
GS-13           0.15                                           0.25                        1,000               400                              $75.51                              $30,204.00
Survey Monkey   n/a                                            n/a                         n/a                 n/a                              n/a                                 $1,020.00
Total           0.25                                           0.25                        3,000                                                                                    $40,934.50


Annualized cost of processing to the government is $39,914.50.


While the annualized cost of the survey to the government is calculated by averaging response burden across 5 years based on the envisioned survey frequency, the overall survey cost for the total number of respondents (5,000) is $200,592 ($39,914.50 x 5 + $1,020.00). The total burden will occur as a one-time cost within the first year of the 5-year survey cycle.


15. Explain the reasons for any program changes or adjustments reported in Items 13 or 14 of the OMB Form 83-I. Changes in hour burden, i.e., program changes or adjustments made to annual reporting and recordkeeping hour and cost burden. A program change is the result of deliberate Federal government action. All new collections and any subsequent revisions of existing collections (e.g., the addition or deletion of questions) are recorded as program changes. An adjustment is a change that is not the result of a deliberate Federal government action. These changes that result from new estimates or actions not controllable by the Federal government are recorded as adjustments.



Response…

This survey represents a new collection.


16. For collections of information whose results will be published, outline plans for tabulation and publication. Address any complex analytical techniques that will be used. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.



Response…

If appropriate for public distribution (e.g., no sensitive information when aggregated, etc.), DHS will publish the reports resulting from collection through its website and, when required by statute, through direct distribution to Congress through the appropriate channels. DHS intends to utilize statistical sampling and analysis to determine best practices of using the Cybersecurity Framework based upon region, company size, asset worth, and other relevant factors.


17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain reasons that display would be inappropriate.



Response…

The IT SCC will display the expiration date for OMB approval of this information collection.


18. Explain each exception to the certification statement identified in Item 19 “Certification for Paperwork Reduction Act Submissions,” of OMB Form 83-I.


Response…

The IT SCC does not request an exception to the certification of this information collection.

[1] Source: US Census Bureau. Number of Firms, Number of Establishments, Employment, and Annual Payroll by Small Enterprise Employment Sizes for the United States and States, NAICS Sectors: 2012. https://www2.census.gov/programs-surveys/susb/tables/2012/us_state_naicssector_small_emplsize_2012.xls

[2] Source: US Census Bureau. Number of Firms, Number of Establishments, Employment, Annual Payroll, and Estimated Receipts by Enterprise Employment Size for the United States, All, 2012. https://www2.census.gov/programs-surveys/susb/tables/2012/us_6digitnaics_2012.xls

[3] The agency took a sample of fewer than ten federal participants to do a “test-run” of the survey.

[4] Source: US Census Bureau. Statistics of U.S. Businesses Employment and Payroll Summary: 2012. Released February 2015. https://www.census.gov/content/dam/Census/library/publications/2015/econ/g12-susb.pdf

[5] Source: U.S. Office of Personnel Management. 2017. Pay and Leave: Salaries and Wages 2017 General Schedule Washington-Baltimore-Arlington, DC-MD-VA-WV-PA. Website: https://www.opm.gov/policy-data-oversight/pay-leave/salaries-wages/salary-tables/pdf/2017/DCB.pdf
