Download:
docx |
pdf
Supporting
Statement for Paperwork Reduction Act Submissions
Title:
Department of Homeland Security (DHS)
Office of Cyber Security &
Communications (CS&C)
Information
Technology (IT) Sector
Small and
Midsize Businesses (SMB) Cybersecurity Survey
OMB Control
Number: 1670-NEW
Supporting
Statement A
A.
Justification
���
1.
Explain the circumstances that make the collection of information
necessary. Identify any legal or administrative requirements that
necessitate the collection. Attach a copy of the appropriate section
of each statute and regulation mandating or authorizing the
collection of information.
Response…
Section 227 of the
Homeland Security Act authorizes the National Cybersecurity and
Communications Integration Center (NCCIC) within NPPD as a “Federal
civilian interface for the multi-directional and cross-sector sharing
of information related to … cybersecurity risks.” 6
U.S.C. § 148(c)(1). This authority applies to federal and
non-federal entities, including the private sector, small and medium
businesses, sectors of critical infrastructure, and information
sharing organizations. This provision includes the authority to
receive, analyze and disseminate information about cybersecurity
risks and incidents and to provide guidance, assessments, incident
response support, and other technical assistance upon request and
codifies NPPD’s coordinating role among federal and non-federal
entities. 6 U.S.C. § 148.
As part of its
information sharing responsibilities with non-Federal entities, the
National Defense Authorization Act For Fiscal Year 2017 amended the
Homeland Security Act to authorize the Department to specifically
focus on small businesses. See Pub. L. No. 114-328
(2017). Specifically, the Act authorizes NPPD
to “leverage small business development centers to provide
assistance to small business concerns by disseminating information on
cyber threat indicators, defense measures, cybersecurity risks,
incidents, analyses, and warnings to help small business concerns in
developing or enhancing cybersecurity infrastructure, awareness of
cyber threat indicators, and cyber training programs for employees.”
6 U.S.C. § 148(l); see also 15 U.S.C. § 648(g)
(similarly authorizing DHS, “and any other federal department
or agency in coordination with the Department of Homeland Security”
to “leverage small business concerns by disseminating
information relating to cybersecurity risks and other homeland
security matters to help small business concerns in developing or
enhancing cybersecurity infrastructure, awareness of cyber threat
indicators, and cyber training programs for employees”).
Consistent with
these authorities, Executive Order 13,636 directs the Department to
increase its cybersecurity information sharing efforts with the
private sector and consult on and promote the National Institute of
Standards and Technology (NIST) Cybersecurity Framework. To
facilitate the Department’s promotion of the NIST Cybersecurity
Framework, the Executive Order directs the Secretary to establish a
voluntary program to support the adoption of the Framework in
coordination with Sector Specific Agencies, which in turn “shall
coordinate with Sector Coordinating Councils to review the
Cybersecurity Framework and, if necessary, develop implementation
guidance or supplemental materials to address sector-specific risks
and operating environments.” Exec. Order. No. 13,636, 78 Fed.
Reg. 11739 (2013).
Accordingly,
the Information Technology (IT) Sector, represented by
industry via the IT Sector Coordinating Council (SCC) and by
Government via the IT Government Coordinating Council (GCC),
established the IT Sector Small and Midsized Business (SMB)
Cybersecurity Best Practices Working Group (“Working Group”)
to develop best practices for implementing the NIST Cybersecurity
Framework in the SMB community. The Working Group, which consists of
industry and government representatives, developed the SMB
Cybersecurity Survey to determine Return on Investment (ROI) metrics
for NIST Cybersecurity Framework adoption among SMB stakeholders.
This process will assess the effectiveness of the NIST Cybersecurity
Framework. This process will also establish a baseline for ROI
metrics, which have not previously existed in the SMB community. The
IT Sector-Specific Agency (SSA), headquartered in DHS’s Office
of Cybersecurity and Communications (CS&C), is supporting the
Working Group’s survey development.
���2. Indicate how,
by whom, and for what purpose the information is to be used. Except
for a new collection, indicate the actual use the agency has made of
the information received from the current collection.
Response…
The
IT SCC will administer the survey and anonymize the data, which will
then be sent to DHS for analysis. The analysis will determine ROI
information for NIST Cybersecurity Framework adoption in the SMB
community. The results of this analysis will be used to provide the
SMB community with best practices on how to use the Cybersecurity
Framework for business protection and risk management.
The questionnaire
will be distributed to SMBs and is a two-part survey. Questions 1-11
of the survey are for an organization’s leadership, as these
questions pertain to high level information about the company (core
function, number of employees, etc.). The remaining questions are
intended for the Chief Information Services Officer (CISO) and/or
appropriate IT staff, as these questions are technical and ask about
the IT security of the company.
The private sector
will collect Point of Contact (POC) information through the survey
instrument, but will not include that information on the anonymized
dataset they submit to DHS. DHS will use anonymized data to conduct
their analysis. The IT SCC will administer the survey.
���3. Describe
whether, and to what extent, the collection of information involves
the use of automated, electronic, mechanical, or other technological
collection techniques or other forms of information technology, e.g.,
permitting electronic submission of responses, and the basis for the
decision for adopting this means of collection. Also describe any
consideration of using information technology to reduce burden.
Response…
The intent was for
DHS to only receive derivative products – anonymized
micro-dataset to come up with the summary statistics, or aggregated
summary results. The private sector side of the IT SCC partnership
will deal with the actual data collection (administering the survey
and processing raw inputs). DHS will aid with the statistical
analysis where needed, but would not be working with the individual
responses to the questionnaire. Even if the POC question does get
included in the questionnaire, DHS would not be collecting or
retaining that PII.
Once the survey is
administered by the private sector partners of the IT SCC to the
member organizations, the collected raw inputs will be compiled and
the resulting dataset will be processed by the private sector
partners to a) assign unique random identifiers to each of the
responses, b) scrub any PII from the microdata, c) QA against the raw
input. These processing steps (a-c) will be implemented PRIOR to
handing the dataset over to DHS for statistical analysis.
���4. Describe
efforts to identify duplication. Show specifically why any similar
information already available cannot be used or modified for use for
the purposes described in Item 2 above.
���
Response…
CS&C:
In 2014 the CS&C
conducted a survey, through the Federal Register Process, to
determine if there are scalable and affordable cybersecurity
solutions for SMBs. As part of the RFI input, the IT SCC recommended
that DHS should focus on educating SMBs about cybersecurity risks and
how the national Cybersecurity Framework can assist SMBs strengthen
their overall cybersecurity posture. This initiative led to an
ongoing joint IT SCC effort to develop and coordinate strategies to
engage the SMB community. In light of these developments, Brigadier
General (ret) Gregory Touhill, Deputy Assistant Secretary for CS&C,
requested that DHS, as the SSA for IT and Communications, work in
conjunction with the IT SCC to develop strategies, best practices and
products to help the SMB community better leverage and implement the
national Cybersecurity Framework. To the working group’s
knowledge, no other body has determined ROI information on
Cybersecurity Framework adoption in the SMB community.
The RFI in 2014
was drafted specifically to garner opinions concerning whether or not
SMB’s would be interested in establishing the NIST
Cybersecurity Framework (1.0). Now that it has been implemented in
various aspects, DHS is looking into how companies are equipped to
responding and mitigating cyberattacks. While some questions may
appear similar, such as inquiring about what sources companies are
using to reference cybersecurity best practices, the questionnaire is
meant to collect information about companies’ specific assets
and management practices, such as physical access management and cost
of framework investment and implementation. Furthermore, it is vital
for DHS to collect the most up to date information regarding the
cybersecurity framework.
Other
Department or Agency Initiatives
Other agencies,
such as the Federal Trade Commission, have either discussed or in the
beginning stages of efforts relating to Cybersecurity Framework
adoption for SMB’s. However, none of these efforts appear to be
collecting ROI information of companies, which this questionnaire
looks to gather.
���5. If the
collection of information impacts small businesses or other small
entities (Item 5 of OMB Form 83-I), describe any methods used to
minimize.
Response…
This
collection will look to provide a positive impact to SMBs. With the
collection of this data, DHS will provide SMBs with more effective
practices to mitigate the current cyber threats that could jeopardize
company assets. Use of electronic submission should assist in
minimizing any unforeseen impact for said entities.
���6. Describe the
consequence to Federal/DHS program or policy activities if the
collection of information is not conducted, or is conducted less
frequently, as well as any technical or legal obstacles to reducing
burden.
Response…
Failure
to carry out this survey would prohibit the progression of Executive
Order 13636. Along with previously mentioned sections of the order,
referenced here specifically is section 8(b), which states that
“Sector-Specific
Agencies, in consultation with the Secretary and other interested
agencies, shall coordinate with the Sector Coordinating Councils to
review the Cybersecurity Framework and, if necessary, develop
implementation guidance or supplemental materials to address
sector-specific risks and operating environments”.
As a result of this survey and the data collected therein, DHS will
be able to cater their outreach and products more appropriately to
the SMB community.
���7. Explain any
special circumstances that would cause an information collection to
be conducted in a manner:
���(a) Requiring
respondents to report information to the agency more often than
quarterly.
������(b) Requiring respondents to
prepare a written response to a collection of information in fewer
than 30 days after receipt of it.
���(c) Requiring
respondents to submit more than an original and two copies of any
document.
���(d) Requiring
respondents to retain records, other than health, medical, government
contract, grant-in-aid, or tax records for more than three years.
���(e) In connection
with a statistical survey, that is not designed to produce valid and
reliable results that can be generalized to the universe of study.
������(f) Requiring
the use of a statistical data classification that has not been
reviewed and approved by OMB.
���(g) That includes a
pledge of confidentiality that is not supported by authority
established in statute or regulation, that is not supported by
disclosure and data security policies that are consistent with the
pledge, or which unnecessarily impedes sharing of data with other
agencies for compatible confidential use.
���(h)
Requiring respondents to submit proprietary trade secret, or other
confidential information unless the agency can demonstrate that it
has instituted procedures to protect the information’s
confidentiality to the extent permitted by law.
���
Response…
N/A
It
is anticipated that respondents will have an excess of a month to
complete it.
N/A
N/A
N/A
N/A
To
avoid triggering privacy concerns the survey will be conducted
through the private sector. DHS will only view and analyze the
aggregate data once it has been anonymized.
This
collection will not require responders to submit proprietary trade
secrets and other confidential information.
���8. Federal
Register Notice:
������a. Provide a
copy and identify the date and page number of publication in the
Federal Register of the agency’s notice soliciting comments on
the information collection prior to submission to OMB. Summarize
public comments received in response to that notice and describe
actions taken by the agency in response to these comments.
Specifically address comments received on cost and hour burden.
������b. Describe
efforts to consult with persons outside the agency to obtain their
views on the availability of data, frequency of collection, the
clarity of instructions and recordkeeping, disclosure, or reporting
format (if any), and on the data elements to be recorded, disclosed,
or reported.
���
Response…
The IT SCC SMB
working group will continue to work with SMBs for their voluntary
feedback and cooperation, alongside other relevant stakeholder
associations. The working group will utilize regular IT SCC meetings
and other available opportunities for this purpose.
|
Date of Publication
|
Volume #
|
Number #
|
Page #
|
Comments Addressed
|
60Day Federal Register Notice:
|
July 18, 2017
|
82
|
136
|
32859 - 32860
|
8
|
30-Day Federal Register Notice:
|
December 18, 2017
|
82
|
241
|
60026 – 60027
|
0
|
���9. Explain any
decision to provide any payment or gift to respondents, other than
remuneration of contractors or grantees.
Response…
There is no offer
of monetary or material value for this information collection.
���10. Describe any
assurance of confidentiality provided to respondents and the basis
for the assurance in statute, regulation, or agency policy.
���
Response…
There are no
assurances of confidentiality. This collection is not affected by
the Privacy Act and is not impacted by a PIA or SORN.
11. Provide
additional justification for any questions of a sensitive nature,
such as sexual behavior and attitudes, religious beliefs, and other
matters that are commonly considered private. This
justification should include the reasons why the agency considers the
questions necessary, the specific uses to be made of the information,
the explanation to be given to persons from whom the information is
requested, and any steps to be taken to obtain their consent.
Response…
The
instruments described in this collection do not request any
information of a personally sensitive nature.
������12. Provide
estimates of the hour burden of the collection of information. The
statement should:
���
���a. Indicate the
number of respondents, frequency of response, annual hour burden, and
an explanation of how the burden was estimated. Unless directed to do
so, agencies should not conduct special surveys to obtain information
on which to base hour burden estimates. Consultation with a sample
(fewer than 10) of potential respondents is desired. If the hour
burden on respondents is expected to vary widely because of
differences in activity, size, or complexity, show the range of
estimated hour burden, and explain the reasons for the variance.
Generally, estimates should not include burden hours for customary
and usual business practices.
���b.
If this request for approval covers more than one form, provide
separate hour burden estimates for each form and aggregate the hour
burdens in Item 13 of OMB Form 83-I.
c. Provide estimates
of annualized cost to respondents for the hour burdens for
collections of information, identifying and using appropriate wage
rate categories. The cost of contracting out or paying outside
parties for information collection activities should not be included
here. Instead, this cost should be included in Item 14.
Response…
This survey
is part of an ongoing joint IT SCC effort to develop and coordinate
strategies to engage the SMB community on educating SMBs about
cybersecurity risks and how the national Cybersecurity Framework can
assist SMBs strengthen their overall cybersecurity posture. The
questionnaire is meant to collect information about what sources IT
SMBs are using to reference cybersecurity best practices, about
companies’ specific assets and management practices, such as
physical access management, and cost of NIST CSF adoption and
implementation.
Therefore the respondent’s universe will include IT SMBs subset
of the NAICS sector code 51 Information Services subsectors 518 and
519:
-
Subsector 518
|
Data Processing, Hosting, and Related Services
|
Subsector 519
|
Other Information Services
|
The overall number of SMBs firms with less than 500 employees in the
IT sector NAICS 51 is estimated at 70K.
Number of small enterprises in the relevant subsectors are:
-
NAICS
|
NAICS Description
|
Number
|
518
|
Data Processing, Hosting, and Related Services
|
9,099
|
519
|
Other Information Services
|
8,467
|
|
Total
|
17,566
|
Therefore the information collection’s population universe as a
whole is calculated to be 17,566. With an estimated response rate of
25% - 30% the number of respondents is approximated at around 5,000.
Number of
respondents: 5,000
Frequency of
Response: Every five years
Annualized
Number of respondents: 5,000 respondents/5 years = 1,000 respondents
annually
Annualized
hour burden: 500 hours
(30 minutes
per response, 0.5 X 1,000 = 500 average burden hours per year)
N/A
-
To monetize
the respondents’ hour burden for collections of information,
DHS will be using the formula: (Mean Hourly Wage Rate) x (Benefit
Multiplier) x (Hours)
This formula determines the mean, fully-loaded hourly wage rate for
SMBs in the relevant sector. The primary target respondents are CISOs
or their equivalents for the SMBs within the IT sector, therefore no
breakdown by discipline is necessary.
For the purposes of these calculations, DHS is using 2012 Statistics
of U.S. Businesses Employment and Payroll Summary.
Average pay per employee at enterprises with fewer than 500 employees
in Information Services equaled $66,232 in 2012, which is the latest
year for which the subsector summary is available. Average pay per
employee in the NAICS 518 small enterprises was $80,855.
Inability to drill down to the SMB segment of the occupational
statistics within the subsector of interest suggests using the annual
average pay for the targeted segment ($80,855) as a reasonable
alternative. This annual average corresponds to the average hourly
rate of $38.87 ($80,855/2080 hours = $38.87).
The Benefit Multiplier was designated as 1.462 based on the BLS
Economic News Release. This source-compensation factor is calculated
using the BLS Economic News Release with December 2016 data on
Employee Compensation. Accordingly, the source-compensation factor
was derived by applying the following formula: Total compensation
divided by Wages and salaries = compensation factor (i.e. $34.90
total compensation ÷ $23.87 in wages and salaries = 1.462
compensation factor).
Total fully loaded hourly wage rate is $38.87 x 1.462 = $56.83.
Average Burden per Response is 30 minutes (0.5 hours), so $56.83 x
0.5 = $28.42
The total annualized number of expected respondents is 1,000,
multiplied by an average fully-loaded half hourly wage rage of $28.42
per respondent = $28,420.
While the annualized cost of $28,240 is calculated by averaging
response burden across 5 years based on the envisioned survey
frequency, the overall survey cost for the total number of
respondents (5000) is $141,200. The total burden will occur as a
one-time cost within the first year of the 5-year survey cycle.
Table A.12: Estimated Annualized
Burden Hours and Costs
Type of
Respondent
|
No. of
Respondents
Annually
|
No. of
Responses
per
Respondent
|
Avg. Burden per Response
(in hours)
|
Total Annual Burden (in
hours)
|
Average Hourly Wage Rate
|
Total Annual Respondent
Cost
|
SMB CISOs
|
1000
|
1
|
0.5
|
500
|
56.83
|
$28,420
|
Total annualized cost
|
1000
|
1
|
0.5
|
500
|
56.83
|
$28,420
|
���13. Provide an
estimate of the total annual cost burden to respondents or record
keepers resulting from the collection of information. (Do not
include the cost of any hour burden shown in Items 12 and 14.)
The
cost estimate should be split into two components: (1) a total
capital and start-up cost component (annualized over its expected
useful life); and (b) a total operation and maintenance and purchase
of services component. The estimates should take into account costs
associated with generating, maintaining, and disclosing or providing
the information. Include descriptions of methods used to estimate
major cost factors including system and technology acquisition,
expected useful life of capital equipment, the discount rate(s), and
the time period over which costs will be incurred. Capital and
start-up costs include, among other items, preparations for
collecting information such as purchasing computers and software;
monitoring, sampling, drilling and testing equipment; and record
storage facilities.
���
If cost estimates are
expected to vary widely, agencies should present ranges of cost
burdens and explain the reasons for the variance. The cost of
purchasing or contracting out information collection services should
be a part of this cost burden estimate. In developing cost burden
estimates, agencies may consult with a sample of respondents (fewer
than 10), utilize the 60-day pre-OMB submission public comment
process and use existing economic or regulatory impact analysis
associated with the rulemaking containing the information collection
as appropriate.
Generally, estimates
should not include purchases of equipment or services, or portions
thereof, made: (1) prior to October 1, 1995, (2) to achieve
regulatory compliance with requirements not associated with the
information collection, (3) for reasons other than to provide
information to keep records for the government, or (4) as part of
customary and usual business or private practices.
Response…
There
are no recordkeeping, capital, start-up, or maintenance costs
associated with this information collection.
���14. Provide
estimates of annualized cost to the Federal Government. Also,
provide a description of the method used to estimate cost, which
should include quantification of hours, operational expenses (such as
equipment, overhead, printing and support staff), and any other
expense that would have been incurred without this collection of
information. You may also aggregate cost estimates for Items 12,
13, and 14 in a single table.
���
Response…
Based on
internal review, NPPD personnel estimate that one GS-15, Step-5 will
spend approximately 3 minutes (0.05 hours) per survey for design and
administration; one GS-14, Step-5 will spend approximately 3 minutes
per survey for design and administration; and one GS-13, Step-5 will
spend approximately 9 minutes (0.15 hours) per survey for design and
administration. In addition, one GS-13 will spend approximately 15
minutes (0.25 hours) for survey analysis.
The hourly
rates for the Washington, DC locality were obtained from the FY 2017
federal General Schedule (GS). GS-13, Step-5 is $107,435 * 1.462 =
$157,069.97/2080 = $75.51 fully-loaded wage rate. GS-14, Step-5 is
$126,958 * 1.462 = $185,612.60/2080 = $89.24 fully-loaded wage rate.
GS-15, Step-5 is $149,337 * 1.462 = $218,330.70/2080 = $104.97
fully-loaded wage rate.
The cost for
Survey Monkey is $1020 for the duration of testing, administering,
and analyzing the survey.
Total
Annualized Estimated Cost to the Government = $40,934.50
Table A.14: Annual Cost to the
Government
Cost
Category
|
Hours for
Design
/
Administration
per Survey
|
Hours per
Survey
Analysis
|
Number of
Surveys
|
Total
Annual
Burden
(in
hours)
|
Average Hourly Wage Rate
(Step 5)
|
Total
Annual
Cost
|
GS-15
|
.05
|
n/a
|
1,000
|
50
|
$104.97
|
$5,248.50
|
GS-14
|
.05
|
n/a
|
1,000
|
50
|
$89.24
|
$4,462.00
|
GS-13
|
.15
|
.25
|
1,000
|
400
|
$75.51
|
$30,204.00
|
Survey Monkey
|
n/a
|
n/a
|
n/a
|
n/a
|
n/a
|
$1,020.00
|
Total
|
0.25
|
0.25
|
3,000
|
|
|
$40,934.50
|
Annualized
cost of processing to the government is $39,914.50.
While the annualized cost of
survey to the government is calculated by averaging response burden
across 5 years based on the envisioned survey frequency, the overall
survey cost for the total number of respondents (5000) is $200,592
($39,914.50 x 5 + $1,020.00). The total burden will occur as a
one-time cost within the first year of the 5-year survey cycle.
���15. Explain the
reasons for any program changes or adjustments reported in Items 13
or 14 of the OMB Form 83-I. Changes in hour burden, i.e., program
changes or adjustments made to annual reporting and recordkeeping
hour and cost burden. A program change is the result
of deliberate Federal government action. All new collections and any
subsequent revisions of existing collections (e.g., the addition or
deletion of questions) are recorded as program changes. An
adjustment is a change that is not the result of a deliberate Federal
government action. These changes that result from new estimates or
actions not controllable by the Federal government are recorded as
adjustments.
���
Response…
This survey
represents a new collection.
���16. For
collections of information whose results will be published, outline
plans for tabulation and publication. Address any complex analytical
techniques that will be used. Provide the time schedule for the
entire project, including beginning and ending dates of the
collection of information, completion of report, publication dates,
and other actions.
���
Response…
If
appropriate for public distribution (e.g., no sensitive information
when aggregated, etc.), DHS will publish the reports resulting from
collection through its website and, when required by statute, through
direct distribution to Congress through the appropriate channels.
DHS intends to utilize statistical sampling and analysis to determine
best practices of using the Cybersecurity Framework based upon
region, company size, asset worth, and other relevant factors.
���17. If seeking
approval to not display the expiration date for OMB approval of the
information collection, explain reasons that display would be
inappropriate.
���
Response…
The IT SCC will
display the expiration date for OMB approval of this information
collection.
���18. Explain each
exception to the certification statement identified in Item 19
“Certification for Paperwork Reduction Act Submissions,”
of OMB Form 83-I.
Response…
The IT SCC does
not request an exception to the certification of this information
collection.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Title | Supporting Statement A - Template |
| Author | fema user |
| File Modified | 0000-00-00 |
| File Created | 2021-01-21 |