24-05940b - 1670-NEW-SRF for EAS_2_30-day FRN_SSA_v1


Service Request Form for Enterprise Assessment Services



Supporting Statement for Paperwork Reduction Act Submissions


Title: Service Request Form for Enterprise Assessment Services

OMB Control Number:



A. Justification


1. Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information.


The Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Division (CSD) offers cybersecurity assessments to help reduce risk for federal, state, local, tribal, territorial and private sector critical infrastructure partners. The information collected is required for CISA Vulnerability Management staff to engage with customers and determine the appropriate cybersecurity assessment service for customers.


Pursuant to 6 U.S.C. § 659(c)(6), CISA has authority to provide, “…timely technical assistance, risk management support, and incident response capabilities to Federal and non-Federal entities with respect to cyber threat indicators, defensive measures, cybersecurity risks, and incidents, which may include attribution, mitigation, and remediation…” The entities seeking these services must request them.



2. Indicate how, by whom, and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.


This is a new collection. The instrument that comprises this collection is the Service Request Form for Enterprise Assessment Services.


All information collected supports CISA’s effort to help organizations reduce the risk and exposure of federal, SLTT, and private critical infrastructure stakeholders to cyber threats by taking a proactive approach to mitigating attack vectors. CISA offers several scanning and testing services, and they are provided at no cost. The Service Request Form is the primary vehicle through which stakeholders request specific assessment services from CISA and provide information allowing CISA to properly prioritize and evaluate requests for CISA’s very limited assessment resources.




3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.


CISA collects information primarily in electronic format. Efforts are in process to reduce the paperwork burden for potential partners and provide a publicly accessible service portal to request cyber assessments. We will collect PDF files until the launch of the system, or when a customer is unable to use the portal.


CISA conducted usability testing on all forms to help with the verification of the burden hours and to verify the ease of use. Usability testing participants had no difficulty traversing through the documents. Based on their suggestions, CISA did not need to adjust the initial estimate of burden hours for this collection.


4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Item 2 above.



This is a new collection. CISA CSD is the primary provider of cybersecurity assessments offered by CISA. This information collection obtains information in order to support decisions to provide free assessment services.


CISA is not aware of any separate sources for this information, whether within the agency or within the federal government.


5. If the collection of information impacts small businesses or other small entities (Item 5 of OMB Form 83-I), describe any methods used to minimize.


No unique methods will be used to minimize the burden to small businesses.


6. Describe the consequence to Federal/DHS program or policy activities if the collection of information is not conducted, or is conducted less frequently, as well as any technical or legal obstacles to reducing burden.


The collection of information allows CISA CSD to provide relevant assessment offerings to critical infrastructure entities. Because these are voluntary services, critical infrastructure entities will only provide the requested information if they stand to benefit from the assessment services. If the collection were not conducted, CISA CSD would not be able to provide statutorily authorized assessment services to requesters in a prioritized or efficient manner. Fewer entities would benefit.


7. Explain any special circumstances that would cause an information collection to be conducted in a manner:


  1. Requiring respondents to report information to the agency more often than quarterly.

  2. Requiring respondents to prepare a written response to a collection of information in fewer than 30 days after receipt of it.

  3. Requiring respondents to submit more than an original and two copies of any document.

  4. Requiring respondents to retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years.

  5. In connection with a statistical survey, that is not designed to produce valid and reliable results that can be generalized to the universe of study.

  6. Requiring the use of a statistical data classification that has not been reviewed and approved by OMB.

  7. That includes a pledge of confidentiality that is not supported by authority established in statute or regulation, that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use.

  8. Requiring respondents to submit proprietary trade secret, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information’s confidentiality to the extent permitted by law.



No special circumstances are involved with this collection.


8. Federal Register Notice:


a. Provide a copy and identify the date and page number of publication in the Federal Register of the agency’s notice soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the agency in response to these comments. Specifically address comments received on cost and hour burden.

b. Describe efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.

c. Describe consultations with representatives of those from whom information is to be obtained or those who must compile records. Consultation should occur at least once every three years, even if the collection of information activities is the same as in prior periods. There may be circumstances that may preclude consultation in a specific situation. These circumstances should be explained.




| Notice | Date of Publication | Volume # | Number # | Page # | Comments Addressed |
|---|---|---|---|---|---|
| 60-Day Federal Register Notice | 02/15/2024 | 89 | 32 | 11861-11862 | 0 |
| 30-Day Federal Register Notice | 10/22/2024 | 89 | 204 | 84372- | 0 |



A 60-day notice for comments was published in the Federal Register on February 15, 2024. 0 comments were received related to the 60-day notice.


A 30-day notice for comments was published in the Federal Register on 10/22/2024. 0 comments were received related to the 30-day notice.


9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.


No payment or gift of any kind is provided to any respondents.


10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.



Apart from the scoping of routine uses disclosed in the applicable SORN, CISA provides no additional assurances of privacy for information collected through the Service Request Form. However, if CISA moves forward with approving and fulfilling certain requests for assessment services made by stakeholders in the Service Request Form, then the fact that a stakeholder is receiving or has received a CISA Assessment may be protected under the cognizant assessment legal agreement that is put into place between the stakeholder and CISA.


11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private. This justification should include the reasons why the agency considers the questions necessary, the specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.


The instrument described in this collection does not request any information of a personally sensitive nature.



12. Provide estimates of the hour burden of the collection of information. The statement should:



  1. Indicate the number of respondents, frequency of response, annual hour burden, and an explanation of how the burden was estimated. Unless directed to do so, agencies should not conduct special surveys to obtain information on which to base hour burden estimates. Consultation with a sample (fewer than 10) of potential respondents is desired. If the hour burden on respondents is expected to vary widely because of differences in activity, size, or complexity, show the range of estimated hour burden, and explain the reasons for the variance. Generally, estimates should not include burden hours for customary and usual business practices.


To estimate the average annual reporting burden associated with this collection, CISA multiplies the number of respondents by the annual number of responses per respondent and the estimated time needed to respond. For this collection, CISA estimates that there will be 5,000 respondents per year, and that each respondent will submit an average of 1.5 responses per year, for a total of 7,500 responses. Using an average burden per response of 0.11 hours (6.6 minutes), CISA estimates a total burden of 825 hours (7,500 responses x 0.11 hours).


To estimate the cost associated with this collection, CISA multiplies the total burden hours (825) by the average fully loaded wage rate of the respondents. For this collection, CISA assumes the majority of individuals who will complete this form are CIOs or equivalent. Using Bureau of Labor Statistics OES data, CISA identifies an average hourly wage of a computer and information systems manager of $83.49 [1]. To account for benefits and other non-wage compensation, CISA multiplies the wage by a load factor of 1.41805 [2] to obtain a fully loaded wage rate of $118.39.


As presented in Table 1, CISA estimates a total annual cost of $97,674.


| Form Name & Number | Number of Respondents | Number of Responses per Respondent | Average Burden per Response (in hours) | Total Annual Burden (in hours) | Loaded Average Hourly Wage Rate | Total Annual Respondent Cost |
|---|---|---|---|---|---|---|
| Service Request Form for Enterprise Assessment Services | 5,000 | 1.5 | 0.11 | 825 | $118.39 | $97,674.03 |




13. Provide an estimate of the total annual cost burden to respondents or record keepers resulting from the collection of information. (Do not include the cost of any hour burden shown in Items 12 and 14.)


There are no recordkeeping, capital, or maintenance costs associated with this information collection.


14. Provide estimates of annualized cost to the Federal Government. Also, provide a description of the method used to estimate cost, which should include quantification of hours, operational expenses (such as equipment, overhead, printing and support staff), and any other expense that would have been incurred without this collection of information. You may also aggregate cost estimates for Items 12, 13, and 14 in a single table.


The Federal Government will rely on an existing contract to process the forms that are submitted under this collection. CISA estimates that it will take 0.333 hours (20 minutes) for a junior or mid-level contractor analyst to process the forms at an average loaded hourly wage rate of $65.26. Based on a total number of 7,500 submissions, CISA estimates a cost to the Federal Government of $163,150 [3].




15. Explain the reasons for any program changes or adjustments reported in Items 13 or 14 of the OMB Form 83-I. Changes in hour burden, i.e., program changes or adjustments made to annual reporting and recordkeeping hour and cost burden. A program change is the result of deliberate Federal government action. All new collections and any subsequent revisions of existing collections (e.g., the addition or deletion of questions) are recorded as program changes. An adjustment is a change that is not the result of a deliberate Federal government action. These changes that result from new estimates or actions not controllable by the Federal government are recorded as adjustments.



There are no program changes or adjustments reported in Items 13 or 14.


16. For collections of information whose results will be published, outline plans for tabulation and publication. Address any complex analytical techniques that will be used. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.



No plans exist for the use of statistical analysis or to publish this information.


17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain reasons that display would be inappropriate.



The expiration date will be displayed in the instruments.



18. Explain each exception to the certification statement identified in Item 19 “Certification for Paperwork Reduction Act Submissions,” of OMB Form 83-I.


No exceptions have been requested.

1 https://www.bls.gov/oes/2022/may/oes_nat.htm#11-0000

2 The load factor is estimated by dividing total compensation by salaries and wages. Using the BLS Employer Cost for Employee Compensation, CISA estimates the load factor of 1.41805 by dividing total compensation of $40.23 by salaries and wages of $28.37, based on the values for private industry workers presented in Table 4. Employer Costs for Employee Compensation News Release - 2022 Q04 Results (bls.gov), released March 17, 2023 using December 2022 data.

3 7,500 forms x .333 hours x $65.26 = $163,150.

File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title: Supporting Statement A - Template
Author: fema user
File Modified: 0000-00-00
File Created: 2024-10-29
