SUPPORTING STATEMENT
U.S. Department of Commerce
National Institute of Standards and Technology
NCCoE Participant Letter of Interest
OMB Control No. 0693-0075
SUPPORTING STATEMENT PART A
Abstract
In order to fulfill its core mission, the National Cybersecurity Center of Excellence (NCCoE) publishes announcements in the Federal Register of new collaborative projects to address cybersecurity challenges. In response to these announcements, technology vendors are invited to submit Letters of Interest (LoI) for technologies relevant to the challenge. These letters specify the product(s) that the potential collaborator is submitting for consideration, how the product(s) address(es) one or more of the requirements of the project, and contact information for the company’s representative. Subsequent to the submission of LoIs, NIST invites companies with relevant technology to enter into a Collaborative Research and Development Agreement (CRADA) with NIST.
Justification
1. Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information.
As stated in the abstract, in order to fulfill its core mission, the National Cybersecurity Center of Excellence (NCCoE) of the National Institute of Standards and Technology (NIST), publishes in the Federal Register announcements of new collaborative projects to address specific cybersecurity challenges. In the announcements, technology providers having an interest in participating in an announced project are invited to submit Letters of Interest (LoI) in participation. NIST provides a LoI template to technology providers that express a desire to participate in a project. This template provides a uniform process for vendors to specify the product(s) being submitted for consideration, how the product(s) address(es) one or more of the requirements of the project, and contact information for the company’s representative. Subsequent to the submission of responsive LoIs, NIST invites companies to enter into a Collaborative Research and Development Agreement (CRADA) with NIST on a first come, first served basis.
If this information were not collected, NIST would not have an open and transparent mechanism to invite participation from industry. The LoIs provide all potential collaborators with an opportunity to participate in NCCoE projects, and the templates provide a uniform basis for determining responsiveness of the letters to the project description included in the Federal Register Notice (FRN).
2. Indicate how, by whom, and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.
The information collected will be used by NIST staff to evaluate the relevance of each potential NCCoE project collaborator’s proposed contribution to a project as described in an FRN. If the proposed contribution is relevant to the requirements described in the FRN’s project description, the potential collaborator that provided the information will be invited to participate or to enter into a CRADA with NIST for participation in the project. The information collected is not intended primarily for dissemination to the public but is considered to be in the public domain and may be included in publications that result from project activities. Where the NIST NCCoE staff is uncertain regarding the responsiveness of a potential collaborator’s LoI to the requirements an FRN, clarification regarding the potential collaborator’s contribution may be solicited directly from the technology provider (e.g., hardware or software interface characteristics or product performance specifications). The responses will be retained as evidence of even-handed treatment of potential collaborators in accordance with a stated NCCoE procedure.
3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.
The initial information collection involves completion of a Microsoft Word template delivered as an electronic mail attachment sent by NIST NCCoE staff to determine the responsiveness of a LoI to requirements described in an FRN. Any subsequent requests for clarifications take the form of technical product specification questions directed in electronic mail to the point of contact identified by the proposed collaborator in its LoI. At the discretion of the proposed collaborator, responses may be provided in hard copy rather than electronically. Examples of possible requests for clarification might be “is the cryptography described in your [product identifier] implementation validated in accordance with FIPS 140-2 and employed in its evaluated mode?” and “does your [product identifier] support 2048-bit RSA cryptography?”
4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Item 2 above.
Due to the nature of NIST’s unique mission and programs to further that mission, no similar data exists. This information is unique since it is an expression of a company or other organization’s intent to support a project advertised in an FRN.
5. If the collection of information impacts small businesses or other small entities, describe any methods used to minimize burden.
The information collected will create a minimal burden on all respondents. It is a short set of questions identifying the responding organization, acknowledgement of the terms of inclusion as a candidate project collaborator, and a 500 word or less description of the product that the respondent wishes to have included in the NCCoE project. Since a product must be commercially available to be included in an NCCoE project, the answers to these questions should be readily available.
6.
Describe the consequence to Federal program or policy activities if
the collection is not conducted or is conducted less frequently, as
well as any technical or legal obstacles to reducing burden.
If this information were not collected, NIST would not have an open and transparent mechanism to invite participation vendor participation in NCCoE use cases and building blocks, making it very difficult for the NCCoE to meet its core mission of increasing adoption of cybersecurity capabilities and addressing cybersecurity challenges across all sectors of the economy.
7. Explain any special circumstances that would cause an information collection to be conducted in a manner: requiring respondents to report information to the agency more often than quarterly; requiring respondents to prepare a written response to a collection of information in fewer than 30 days after receipt of it; requiring respondents to submit more than an original and two copies of any document; requiring respondents to retain records, other than health, medical, government contract; grant-in-aid, or tax records, for more than three years; in connection with a statistical survey, that is not designed to produce valid and reliable results that can be generalized to the universe of study; requiring the use of a statistical data classification that has not been reviewed and approved by OMB; that includes a pledge of confidentiality that is not supported by authority established in statute or regulation, that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use; or requiring respondents to submit proprietary trade secrets, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information's confidentiality to the extent permitted by law.
The data collection conducted under this clearance will be conducted in accordance with the guidelines in 5 CFR 1320.5.
8. If applicable, provide a copy and identify the date and page number of publication in the Federal Register of the agency's notice, required by 5 CFR 1320.8(d), soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the agency in response to these comments. Consultation with representatives of those from whom information is to be obtained or those who must compile records should occur at least once every 3 years - even if the collection of information activity is the same as in prior periods. There may be circumstances that may preclude consultation in a specific situation. These circumstances should be explained.
A 60-day Federal Register Notice soliciting public comments was published on September 30, 2021 (Vol. 86, Number 187, pages 54168-54169). No comments were received.
A 30-Day Federal Register Notice soliciting public comments was published on December 17, 2021 (Vol. 86, Number 240, page 71618.
Interested
parties formally respond to the Federal Register Notice through
Letter of Interest. Upon completion of the webform, interested
parties receive access to the letter of interest template, which the
party must complete, certify as accurate, and submit to NIST by email
or hardcopy. NIST will contact interested parties if there are
questions regarding the responsiveness of the letters of interest to
the project objective or requirements identified below. NIST will
select participants who have submitted complete letters of interest
on a first come, first served basis within each category of product
components or capabilities listed below up to the number of
participants in each category necessary to carry out this project.
The selected participants will be required to enter into a consortium
Cooperative Research and Development Agreement CRADA with NIST. The
selected participants meet with and participates with NIST staff on a
regular basis and a constant feedback loop in regard to the project.
9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.
NIST will not provide any payment or gift to respondents to any response received.
10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy. If the collection requires a systems of records notice (SORN) or privacy impact assessment (PIA), those should be cited and described here.
No assurances of confidentiality will be given. The request for information by respondents will be completely voluntary.
Information collected includes PII (such as name / contact information), however the data is referential in nature only. Records will not be retrieved by a personal identifier; therefore, this is not a Privacy Act System of Records and does not require a SORN or Privacy Act Statement.
11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private. This justification should include the reasons why the agency considers the questions necessary, the specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.
No sensitive data will be collected.
12. Provide estimates of the hour burden of the collection of information.
NIST will conduct an average of 12 separate Federal Register Notice (FRN) requests per year, seeking participation in or for proposed proposals related to applied cybersecurity projects. NIST would estimate to receive 10 responses per FRN, for an estimated 120 responses. The estimated time needed to complete the instrument would be 2 hours per response, for an estimated total of 240 burden hours.
Total estimated number of responses: 120.
Total estimated time needed to complete an instrument: 2 hours.
Total Estimated Burden Hours: 120 x 2 = 240 hours.
13. Provide an estimate for the total annual cost burden to respondents or record keepers resulting from the collection of information. (Do not include the cost of any hour burden already reflected on the burden worksheet).
The total annual cost to the public is $50.
14. Provide estimates of annualized costs to the Federal government. Also, provide a description of the method used to estimate cost, which should include quantification of hours, operational expenses (such as equipment, overhead, printing, and support staff), and any other expense that would not have been incurred without this collection of information. Agencies may also aggregate cost estimates from Items 12, 13, and 14 in a single table.
Estimates of annualized costs to the Federal government:
|
Admin Hrs. |
Hourly Rate |
Per FRN |
# of FRNs |
TOTAL |
FRNs |
4.5 |
$57.18 |
$257.31 |
12 |
$3,087.72 |
|
8 |
$133 |
$1,063.20 |
12 |
$12,758.40 |
LOI Review |
15 |
$133 |
$1,995 |
120 |
$239,400 |
TOTAL |
|
|
|
|
$255,246 |
15. Explain the reasons for any program changes or adjustments reported on the burden worksheet.
To simplify the administrative process, NIST has combined the previously approved “Building Block” and “Use Case” LoI templates into one “Project” LoI template. No questions have been altered, added or deleted. The only change to the template (collection instrument) is replacing the name “Building Block” or “Use Case” to “The Project” in the title of template and throughout the collection instrument.
16. For collections of information whose results will be published, outline plans for tabulation and publication. Address any complex analytical techniques that will be used. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.
The results from these data collection activities are not intended for general publication, however the results will/may be disseminated to NIST staff, key policy and management officials.
17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons that display would be inappropriate.
The instrument will display the OMB Control# and expiration date along with the following notwithstanding statement.
OMB Control No. 0693-0075
Expiration Date: 12-31-2021
A Federal agency may not conduct or sponsor, and a person is not required to respond to, nor shall a person be subject to a penalty for failure to comply with an information collection subject to the requirements of the Paperwork Reduction Act of 1995 unless the information collection has a currently valid OMB Control Number. The approved OMB Control Number for this information collection is 0693-0075. Without this approval, we could not conduct this survey/information collection. Public reporting for this information collection is estimated to be approximately 2 hours per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the information collection. All responses to this information collection are voluntary. Send comments regarding this burden estimate or any other aspect of this information collection, including suggestions for reducing this burden to NIST NCCoE, 9700 Great Seneca Highway, Rockville, MD 20850, Attn: Keri Bray, [email protected].
18. Explain each exception to the topics of the certification statement identified in “Certification or Paperwork Reduction Act Submissions.”
NIST does not require any exceptions.
B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS
Collections will not employ statistical methods.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| Author | Reinhart, Liz (Fed) |
| File Modified | 0000-00-00 |
| File Created | 2021-12-21 |