The Department of Homeland Security (DHS) is seeking comments on an Information Collection Request (ICR) to the Office of Management and Budget (OMB) to allow DHS to assist executive branch agencies in collecting cybersecurity vulnerability information and post the information on their own agency websites.
Pursuant to 44 U.S. Code 3509, DHS is requesting that any Federal agency collecting this information use the standardized DHS online form to collect and disseminate it. The form will include information on vulnerable hosts; information for reproducing the security vulnerability; remediation or recommendations for remediation of the vulnerability; and the potential impact on the host.
“Specifically, DHS and Federal cybersecurity agencies are working to address the recently discovered SolarWinds hack on Federal agencies and organizations around the world,” the Federal Register notice states. “While DHS had previously obtained approval to collect this information on its own behalf, recent cyberattacks exploiting vulnerabilities have exemplified the need to have this capability government-wide.”
According to the notice, the form will allow individuals, organizations, and/or companies who discover vulnerabilities in agency information systems to report their findings to the agency; provide agencies with initial insight into any newly discovered vulnerabilities; and benefit researchers by providing safe and lawful ways to practice and to discover new cyber methods for finding vulnerabilities.
“The collection of this information related to the discovery of security vulnerabilities by individuals, organizations, and/or companies is needed to fulfill the congressional mandate in Section 101 of the SECURE Technologies Act related to creating Vulnerability Disclosure Policies,” the notice said.
The comment period for the posting will end on May 18, 2021.