Supporting Statement for Paperwork Reduction Act Submission
Supply Chain Risk Management (SCRM) Questionnaire
OMB Control # 2535-XXXX
A. Justification
1. Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information.
In accordance with Executive Order 14017, America’s Supply Chains; Executive Order 14028, Improving the Nation’s Cybersecurity; the Federal Acquisition Supply Chain Security Act (FASCSA); and incorporating guidance published in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-161, Cyber Security Supply Chain Risk Management Practices for Systems and Organizations; the U.S. Department of Housing and Urban Development (HUD) has implemented a Department-wide supply chain risk management (SCRM) program.¹
Additionally, FASCSA grants heads of Executive Branch departments and agencies the authority to evaluate the supply chain risk management practices of their vendors, including performing supply chain risk assessments of vendors supplying information and communications technology (ICT) products or services. Further, FASCSA authorizes heads of agencies, and by extension Contracting Officers, to prioritize vendor risk assessments prior to procuring ICT products or services related to mission critical systems, critical software, and mission essential functions. The risk assessment enables HUD to assess the landscape of current and future vendors to understand what supply chain risks are present in their ICT and procurement processes.
Using guidance from the documents listed above, as well as preparation between key stakeholders and the SCRM Program Team, HUD is implementing an enterprise-wide SCRM Program. This initiative will include updated and applicable policy, procedures, and documentation that present the structure of the HUD SCRM Program and establish the guidance for performing vendor supply chain risk assessments. The HUD SCRM Program enables the Department to implement executive orders, legal authorities, regulatory orders, and federal guidance which includes a consistent process for identifying supply chain risk in current and future vendor relationships.
2. Indicate how, by whom and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.
This is a new collection. The Program Offices or the HUD SCRM Program Team distribute the Vendor SCRM Questionnaire to current and prospective ICT vendors; the questionnaire will aid the SCRM Program Team in assessing the supply chain risk management practices of these vendors. Vendor responses will be recorded and stored in Microsoft SharePoint.
The HUD SCRM Program Team is co-managed by the Office of the Chief Procurement Officer (OCPO) and the Office of the Chief Information Security Officer (OCISO). Representatives from either the SCRM Program Team or OCISO will analyze the vendors’ responses to the SCRM Questionnaire and incorporate the results of the analysis into the final vendor supply chain risk assessment.
The SCRM Program Team collects information from ICT vendors pre-award. For existing ICT vendors, HUD will collect completed SCRM questionnaires either annually, if that vendor supports a mission critical operation or system, or triennially otherwise.
3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.
Throughout the supply chain risk assessment process, SCRM Questionnaire responses that are received from vendors will be in the form of either a Microsoft Word document or a PDF. ICT Vendors will submit their responses via email to the HUD SCRM Program Team inbox. The HUD SCRM Program Team will then share the vendor’s response with the appropriate stakeholders in either the respective Program Office or OCISO and incorporate the results of the response analysis into the vendor’s supply chain risk assessment. If necessary, either the HUD SCRM Program Team or the Program Office may contact the vendor to inquire about further detail or clarification on responses previously submitted.
Pre-award, all prospective ICT vendors must complete the SCRM Questionnaire when submitting a proposal in response to a solicitation. If the prospective vendor is already contracted with HUD and has already completed a SCRM Questionnaire in the last 12 months or 3 years, as appropriate, that vendor does not need to re-submit a new SCRM Questionnaire, except in the course of the normal annual or triennial refresh. If the prospective vendor does not meet the criteria just described and declines to submit a completed SCRM Questionnaire, that vendor shall not be considered for contract award.
Submitting SCRM Questionnaire responses via email allows for a more efficient and expedited process of information collection of the SCRM Questionnaire from vendors. This collection method creates an automated and consistent method of collecting responses from prospective ICT vendors that will not hinder or delay the procurement process.
4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Item 2 above.
After collecting initial SCRM Questionnaire responses from ICT vendors, the SCRM Program Team will store the SCRM Questionnaire on the SCRM Program Team SharePoint site. Either annually or triennially, as described above, ICT vendors must refresh the SCRM Questionnaire and submit the responses to the SCRM Program Team. For each proposal or contract an ICT vendor is bidding on within the applicable timeframe, only one SCRM Questionnaire must be submitted.
Neither HUD nor the HUD SCRM Program Team is aware of any other collection processes for which this process represents a duplicate effort.
5. If the collection of information impacts small businesses or other small entities describe any methods used to minimize burden.
HUD expects only minimal (if any) impact of this data collection on small business entities. The Questionnaire being sent is delivered to ICT vendors or contracting entities equally. The SCRM Questionnaire will also minimize the burden by having pre-populated response sections as well as instructions for how to fill out the response areas.
6. Describe the consequence to Federal program or policy activities if the collection is not conducted or is conducted less frequently, as well as any technical or legal obstacles to reducing burden.
The collection of the SCRM Questionnaire from HUD vendors is an important component of supply chain risk management activities within the Department. Not collecting this information from vendors may result in an increased level of supply chain risk in excess of the Department’s risk appetite. Additionally, HUD has an obligation and a duty to ensure its interests, partners, employees, and projects are protected from potential risk.
A variety of executive orders, congressional legislation, regulatory orders, and federal standards detail actions that federal agencies should and shall take to ensure secure and resilient supply chains. Not implementing these would potentially increase supply chain risk at HUD. If the information is not collected on a consistent basis as outlined above, risk may become present and undetected until it has risen above the risk appetite of HUD.
7. Explain any special circumstances that would cause an information collection to be conducted in a manner:
The proposed data collection activities are consistent with the guidelines set forth in 5 CFR 1320 (Controlling Paperwork Burdens on the Public). There are no special circumstances that require deviation from these guidelines. The following are “Not Applicable” to this collection:
requiring respondents to report information to the agency more than quarterly – “Not Applicable”;
requiring respondents to prepare a written response to a collection of information in fewer than 30 days after receipt of it – “Not Applicable”;
requiring respondents to submit more than an original and two copies of any document – “Not Applicable”;
requiring respondents to retain records other than health, medical, government contract, grant-in-aid, or tax records for more than three years – “Not Applicable”;
in connection with a statistical survey, that is not designed to produce valid and reliable results that can be generalized to the universe of study – “Not Applicable”;
requiring the use of a statistical data classification that has not been reviewed and approved by OMB – “Not Applicable”;
that includes a pledge of confidentiality that is not supported by authority established in statute or regulation, that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use – “Not Applicable”; or
requiring respondents to submit proprietary trade secrets, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information's confidentiality to the extent permitted by law – “Not Applicable”.
8. If applicable, provide a copy and identify the date and page number of publication in the Federal Register of the agency's notice, required by 5 CFR 1320.8(d), soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the agency in response to these comments. Specifically address comments received on cost and hour burden.
Describe efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping disclosure, or reporting format (if any) and the data elements to be recorded, disclosed, or reported.
Consultation with representatives of those from whom information is to be obtained or those who must compile records should occur at least once every 3 years -- even if the collection of information activity is the same as in prior periods. There may be circumstances that preclude consultation in a specific situation. These circumstances should be explained.
In accordance with 5 CFR 1320.8(d), a 60-day Federal Register Notice soliciting public comments was announced in the Federal Register on March 26, 2025, Volume 90, Page 13775. No comments were received.
9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.
HUD will not provide any payment or gift to respondents.
10. Describe any assurance of confidentiality provided to respondents and the basis for assurance in statute, regulation, or agency policy. If the collection requires a system of records notice (SORN) or privacy impact assessment (PIA), those should be cited and described here.
HUD will make every effort to maintain the privacy and confidentiality of respondents, to the extent possible. The information collected may be considered proprietary or confidential, and as such, may be subject to 5 U.S.C. 552 (Freedom of Information Act), 5 U.S.C. 552a (Privacy Act of 1974) and OMB Circular No. A-130. If required by HUD’s Chief Privacy Officer, HUD will publish a System of Records Notice (SORN) in the Federal Register prior to data collection and comply with all aspects of the Privacy Act and agency policy.
11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private. This justification should include the reasons why the agency considers the questions necessary, the specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.
No information collected may be considered private or personal information, as described in question 11 above. The information collected in this questionnaire relates to corporate entities and businesses and is necessary to effectively manage HUD’s supply chain risk by evaluating and understanding the supply chain risk management practices of its vendors.
12. Provide estimates of the hour burden of the collection of information. The statement should:
Indicate the number of respondents, frequency of response, annual hour burden, and an explanation of how the burden was estimated. Unless directed to do so, agencies should not conduct special surveys to obtain information on which to base hour burden estimates. Consultation with a sample (fewer than 10) of potential respondents is desirable. If the hour burden on respondents is expected to vary widely because of differences in activity, size, or complexity, show the range of estimated hour burden, and explain the reasons for the variance. Generally, estimates should not include burden hours for customary and usual business practices;
If this request covers more than one form, provide separate hour burden estimates for each form and aggregate the hour burdens in chart below; and
Provide estimates of annualized cost to respondents for the hour burdens for collections of information, identifying and using appropriate wage rate categories. The cost of contracting out or paying outside parties for information collection activities should not be included here. Instead, this cost should be included in Item 13.
The SCRM Program Team estimates the total annual hour burden across all respondents to be 1,180 hours. This includes the annual SCRM Questionnaire refreshes as described in earlier sections of this document, as well as an estimate of the total number of unique vendors responding to a solicitation for HUD over the course of a fiscal year. This estimate is based on the current number of information and communications technology (ICT) HUD vendors, both competitively and sole-sourced, and the average number of respondents per ICT contract award.
Number of pre-award vendor questionnaire respondents was calculated by:
Where:
$T_{\text{respondents}}$ = the total number of respondents to the questionnaire pre-award;
$Avg_{r}$ = the average number of respondents per contract award in Fiscal Year (FY) 2023;
$C_{\text{comp}}$ = the total number of active contracts with HUD in FY 2023; and
$C_{\text{sole}}$ = the total number of sole-sourced contracts with HUD in FY 2023.
The number of annual current questionnaire respondents is equal to the number of ICT contractors currently contracted with HUD in FY 2023. Table 2 shows a breakdown of these calculations.
Table 2: Calculation of Labor Hour and Cost Burden on Respondents
Information Collection | Number of Respondents | Frequency of Response | Responses Per Annum | Burden Hour Per Response | Annual Burden Hour | Hourly Cost Per Response² | Annual Cost |
Pre-Award Vendor Questionnaire Response | 240 | 1 | 240 | 4 | 960 | $55.06 | $52,857.60 |
Annual Current Vendor Questionnaire Response | 110 | 1 | 110 | 2 | 220 | $55.06 | $12,113.20 |
Total | 350 | 1 | 350 | 6 | 1,180 | | $64,970.80 |
13. Provide an estimate of the total annual cost burden to respondents or recordkeepers resulting from the collection of information (do not include the cost of any hour burden shown in Items 12 and 14).
The cost estimate should be split into two components: (a) a total capital and start-up cost component (annualized over its expected useful life); and (b) a total operation and maintenance purchase of services component. The estimates should take into account costs associated with generating, maintaining, and disclosing or providing the information. Include descriptions of methods used to estimate major cost factors including system and technology acquisition, expected useful life of capital equipment, the discount rate(s) and the time period over which costs will be incurred. Capital and start-up costs include, among other items, preparations for collecting information such as purchasing computers and software; monitoring, sampling, drilling and testing equipment; and record storage facilities;
If cost estimates are expected to vary widely, agencies should present ranges of cost burdens and explain the reasons for the variance. The cost of purchasing or contracting out information collection services should be a part of this cost burden estimate. In developing cost burden estimates, agencies may consult with a sample of respondents (fewer than 10), utilize the 60-day pre-OMB submission public comment process and use existing economic or regulatory impact analysis associated with the rulemaking containing the information collection, as appropriate.
Generally, estimates should not include purchases of equipment or services, or portions thereof made: (1) prior to October 1, 1995, (2) to achieve regulatory compliance with requirements not associated with the information collection, (3) for reasons other than to provide information or keep records for the government, or (4) as part of customary and usual business or private practices.
This data collection effort involves no recordkeeping or reporting cost for respondents other than the time burden to respond to questions on the data collection instruments as described in item 12. There is no known cost burden to the respondents.
14. Provide estimates of annualized cost to the Federal government. Also, provide a description of the method used to estimate cost, which should include quantification of hours, operational expenses (such as equipment, overhead, printing, and support staff), and any other expense that would not have been incurred without this collection of information. Agencies also may aggregate cost estimates from Items 12, 13, and 14 in a single table.
The total annual cost burden to the Federal Government is expected to be $39,530.00. This estimate is based on two hours of analysis per SCRM Questionnaire received and a General Schedule (GS) wage level of GS-9, Step 1, broken into an hourly wage of $33.50. Table 3 below shows a breakdown of the cost and hour burden to the Federal Government for the collection and analysis of SCRM Questionnaires.
Table 3: Cost and Hour Burden to the Federal Government
Information Collection | Number of Respondents | Frequency of Response | Responses Per Annum | Burden Hour Per Response | Annual Burden Hour | Hourly Cost Per Response | Annual Cost |
Pre-Award Vendor Questionnaire Response | 240 | 1 | 240 | 4 | 960 | $33.50 | $32,160.00 |
Annual Current Vendor Questionnaire Response | 110 | 1 | 110 | 2 | 220 | $33.50 | $7,370.00 |
Total | 350 | 1 | 350 | 6 | 1,180 | $33.50 | |
15. Explain the reasons for any program changes or adjustments reported in Items 12 and 14 of the Supporting Statement.
This is a new collection.
16. For collection of information whose results will be published, outline plans for tabulation and publication. Address any complex analytical techniques that will be used. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.
The results of this collection will not be published.
17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons that display would be inappropriate.
The expiration date for OMB approval will be displayed.
18. Explain each exception to the certification statement identified in item 19. If no exceptions are present, please include the response “N/A”.
N/A
¹ In addition to the items listed above, additional guidance and regulations include but are not limited to the Federal Information Modernization Act (2014); National Defense Authorization Act (NDAA), Section 889 (2019); NDAA, Section 5949 (2023); and Government Accountability Office Report 21-171 – Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks (2020).
² Hourly cost estimated using U.S. Bureau of Labor Statistics data for 2024 wage category: Sales and Office Occupation, Information industry, 41-4011 Sales Representatives, Wholesale and Manufacturing, Technical and Scientific Products, https://data.bls.gov/oesprofile/.
Author | Guido, Anna P |
File Created | 2025-07-24 |