Supporting Statement for Paperwork Reduction Act Submissions
Title: ReadySetCyber
OMB Control Number: 1670-NEW
1. Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information.
CISA seeks to collect information from US critical infrastructure organizations on a strictly voluntary basis in order to provide tailored services so that each organization can be best supported in meeting the CISA Cybersecurity Performance Goals. The CISA Cybersecurity Performance Goals are a set of 38 voluntary controls which aim to reduce the risk of cybersecurity threats to critical infrastructure. These controls include minimum password strength, networked asset inventory, supply chain incident reporting, network segmentation, and much more.
CISA offers a number of services and resources to aid critical infrastructure organizations in adopting the Cybersecurity Performance Goals and seeks to make discovery of the appropriate services and resources as easy as possible, especially for organizations that may have cybersecurity programs at lower levels of capability. To measure adoption of the Cybersecurity Performance Goals and assist organizations in finding the best possible services and resources for their cybersecurity programs, CISA is seeking to establish a voluntary information collection that uses respondents’ answers to tailor a package of services and resources most applicable for their level of program maturity.
This collection of information furthers activities authorized by 6 U.S.C. § 652(c)(5), “upon request, provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators…”; 6 U.S.C. § 652(e)(1)(B), “To carry out comprehensive assessments of the vulnerabilities of the key resources and critical infrastructure of the United States, including the performance of risk assessments to determine the risks posed by particular types of terrorist attacks within the United States, including an assessment of the probability of success of those attacks and the feasibility and potential efficacy of various countermeasures to those attacks…”; and to provide federal and non-federal entities with “operational and timely technical assistance” at 6 U.S.C. § 659(c)(6) and “recommendation on security and resilience measures” at 6 U.S.C. § 659(c)(7).
This is a new Information Collection for approval from OMB/OIRA.
2. Indicate how, by whom, and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.
This is a new information collection request that is used to 1) tailor the provision of services and resources to critical infrastructure organizations based on the maturity of their cybersecurity programs, and 2) measure the adoption of the CISA Cybersecurity Performance Goals throughout critical infrastructure.
3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.
This collection of information will be performed online via a specially designed web form to ensure that submission of the information minimizes the burden on all critical infrastructure organizations seeking tailored services and resources from CISA. Usability testing was conducted to help with the determination of the burden hours and to verify the ease of use. The user testing helped shape the question set without compromise to the information collected.
4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Item 2 above.
CISA has evaluated its current data sources, as well as those available to other Sector Risk Management Agencies, and has determined that without this additional collection, the mission needs described in Item 2 cannot be accomplished.
5. If the collection of information impacts small businesses or other small entities (Item 5 of OMB Form 83-I), describe any methods used to minimize.
The collection is voluntary.
6. Describe the consequence to Federal/DHS program or policy activities if the collection of information is not conducted, or is conducted less frequently, as well as any technical or legal obstacles to reducing burden.
Without the collection of this information, CISA cannot offer tailored packages of services and resources that are best suited to assisting critical infrastructure organizations in the achievement of the CISA Cybersecurity Performance Goals and the associated risk reductions. In addition, without this information, CISA cannot effectively measure or report on the adoption of the Cybersecurity Performance Goals by critical infrastructure organizations.
7. Explain any special circumstances that would cause an information collection to be conducted in a manner:
(a) Requiring respondents to report information to the agency more often than quarterly.
Not required.
(b) Requiring respondents to prepare a written response to a collection of information in fewer than 30 days after receipt of it.
Not required.
(c) Requiring respondents to submit more than an original and two copies of any document.
Not required.
(d) Requiring respondents to retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years.
Not required.
(e) In connection with a statistical survey, that is not designed to produce valid and reliable results that can be generalized to the universe of study.
Not required.
(f) Requiring the use of a statistical data classification that has not been reviewed and approved by OMB.
Not required.
(g) That includes a pledge of confidentiality that is not supported by authority established in statute or regulation, that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use.
Not required.
(h) Requiring respondents to submit proprietary trade secret, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information’s confidentiality to the extent permitted by law.
Not required.
8. Federal Register Notice:
a. Provide a copy and identify the date and page number of publication in the Federal Register of the agency’s notice soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the agency in response to these comments. Specifically address comments received on cost and hour burden.
b. Describe efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.
c. Describe consultations with representatives of those from whom information is to be obtained or those who must compile records. Consultation should occur at least once every three years, even if the collection of information activities is the same as in prior periods. There may be circumstances that may preclude consultation in a specific situation. These circumstances should be explained.
| | Date of Publication | Volume # | Number # | Page # | Comments Addressed |
| 60-Day Federal Register Notice: | 8/10/2023 | 88 | 54345 | 54345-54346 | 0 |
| 30-Day Federal Register Notice | 12/12/2023 | 88 | 86142 | 86142-86143 | 0 |
A 60-day notice for comments was published in the Federal Register on 08/10/2023. No comments were received.
A 30-day notice for comments was published in the Federal Register on 12/12/2023.
9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.
No payment or gifts to respondents.
10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.
Respondents’ answers regarding the maturity of their cybersecurity program, based on the CISA Cybersecurity Performance Goals, will not be publicly associated with the respondents or their organization.
11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private. This justification should include the reasons why the agency considers the questions necessary, the specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.
No such questions are necessary.
12. Provide estimates of the hour burden of the collection of information. The statement should:
Indicate the number of respondents, frequency of response, annual hour burden, and an explanation of how the burden was estimated. Unless directed to do so, agencies should not conduct special surveys to obtain information on which to base hour burden estimates. Consultation with a sample (fewer than 10) of potential respondents is desired. If the hour burden on respondents is expected to vary widely because of differences in activity, size, or complexity, show the range of estimated hour burden, and explain the reasons for the variance. Generally, estimates should not include burden hours for customary and usual business practices.
CISA estimates that at least 2,000 critical organizations may voluntarily use this collection instrument on an annual basis at a total annual hour burden of approximately 667 hours (20 minutes per respondent). CISA uses Bureau of Labor Statistics (BLS) wage data for all management occupations to estimate the cost of this collection. The average wage for all management occupations is $63.08 [1]. This wage is multiplied by a compensation factor of 1.41805 [2] to account for benefits and non-wage compensation, for an hourly compensation rate of $89.45. Multiplying the hourly compensation rate by the estimated total burden hours of 666.7 provides an estimated annual respondent cost of $59,633.6 for this collection.
| Form Name & Number | Number of Respondents | Number of Responses per Respondent | Average Burden per Response (in hours) | Total Annual Burden (in hours) | Loaded Average Hourly Wage Rate | Total Annual Respondent Cost |
| ReadySetCyber Self-Assessment | 2,000 | 1 | 0.33 | 667 | $89.45 | $59,633.60 |
13. Provide an estimate of the total annual cost burden to respondents or record keepers resulting from the collection of information. (Do not include the cost of any hour burden shown in Items 12 and 14.)
There are no recordkeeping, capital, start-up, or maintenance costs to respondents associated with this information collection.
14. Provide estimates of annualized cost to the Federal Government. Also, provide a description of the method used to estimate cost, which should include quantification of hours, operational expenses (such as equipment, overhead, printing and support staff), and any other expense that would have been incurred without this collection of information. You may also aggregate cost estimates for Items 12, 13, and 14 in a single table.
Collection of this information incurs minimal additional burden to the federal government because use of the information is fully automated and/or incorporated into existing analysis workflows. It is expected that any burdens associated with this collection can be managed by the Federal Government at the current staffing levels. As such, CISA expects no additional cost to the Federal Government as a result of this collection.
15. Explain the reasons for any program changes or adjustments reported in Items 13 or 14 of the OMB Form 83-I. Changes in hour burden, i.e., program changes or adjustments made to annual reporting and recordkeeping hour and cost burden. A program change is the result of deliberate Federal government action. All new collections and any subsequent revisions of existing collections (e.g., the addition or deletion of questions) are recorded as program changes. An adjustment is a change that is not the result of a deliberate Federal government action. These changes that result from new estimates or actions not controllable by the Federal government are recorded as adjustments.
This is a new collection.
16. For collections of information whose results will be published, outline plans for tabulation and publication. Address any complex analytical techniques that will be used. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.
CISA may periodically issue reports analyzing summary data of the adoption of the Cybersecurity Performance Goals by critical infrastructure sector.
17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain reasons that display would be inappropriate.
Not seeking approval.
18. Explain each exception to the certification statement identified in Item 19 “Certification for Paperwork Reduction Act Submissions,” of OMB Form 83-I.
No exception needed.
1 Bureau of Labor Statistics OES data. Average wage for All Management Occupations, Code 11-0000. https://www.bls.gov/oes/2022/may/oes110000.htm
2 BLS. Employer Costs for Employee Compensation – December 2022. Table 4. Employer Costs per Hour Worked for Employee Compensation and Costs as a Percent of Total Compensation: Private Industry Workers, by Major Occupational and Industry Group, December 2022. https://www.bls.gov/news.release/archives/ecec_03172023.pdf. The compensation factor of 1.41805 is estimated by dividing total compensation ($40.23) by wages and salaries ($28.37).
Author | fema user |
File Created | 2023-12-14 |