OMB Approves Emergency ICR Revision for DHS Vulnerability Discovery Program

On Thursday the OMB’s Office of Information and Regulatory
Affairs (OIRA) announced
that it had approved an emergency request for a revision of the DHS information
collection request (ICR) for their Vulnerability Discovery Program. Like the
emergency request that I
discussed
earlier this week, this approval would allow other Federal Agencies
and Departments to establish their own cybersecurity vulnerability reporting
programs under the approved ICR for the DHS program.

Justification for Expanding Scope of ICR

It turns out that the earlier request was not actually
approved, but rather reported as “Improperly submitted and continue”; essentially
OIRA was telling DHS to resubmit the request while continuing to allow DHS to
collect information under the existing ICR. The new request
for emergency approval
(.DOCX download link) includes a three-part
justification for the broader application of the ICR. First it establishes the
DHS authority to establish the Vulnerability Discovery Program:

“Pursuant to section 101 of the
Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure
Technology Act, (commonly known as the SECURE Technologies Act) [PL 115-390]
individuals, organizations, and/or companies may submit any
discovered security vulnerabilities found associated with the information
system of any Federal agency [emphasis added]. This collection would be
used by these individuals, organizations, and/or companies who choose to submit
a discovered vulnerability found associated with the information system of any
Federal agency.”

This claim is a tad bit stretched. The language of §101
actually specifically applies to “appropriate information systems of Department
of Homeland Security” {§101(a)}. The stretch may be justified by the definition
of ‘appropriate information system’ in §101(f)(3); that is defined as “an information
system that the Secretary of Homeland Security selects for inclusion under the
vulnerability disclosure policy required by subsection (a)”. That is still a
long stretch as the term is still specifically applied to systems of “Department
of Homeland Security” in (a).

The second portion of the claim relates to the need for the
expansion of the 1601-0028 ICR because of the SolarWinds attack:

“DHS and Federal cybersecurity
agencies are working to address the recently discovered SolarWinds hack on
Federal agencies and organizations around the world. While DHS had previously
obtained approval to collect this information on its own behalf, recent cyber
attacks exploiting vulnerabilities have exemplified the need to have this
capability government-wide. In 2020, a major cyberattack, nicknamed the
SolarWinds cyberattack, by a group backed by a foreign government penetrated
thousands of organizations globally including multiple parts of the United
States federal government, leading to a series of data breaches. The
cyberattack and data breach were reported to be among the worst cyber-espionage
incidents ever suffered by the U.S., due to the sensitivity and high profile of
the targets and the long duration (eight to nine months) in which the hackers
had access.”

While an investigation of the extent of the SolarWinds
attack would not require an expanded Vulnerability Discovery Program, it could
certainly be argued that such an expansion could help prevent future attacks of
this scope. It should be noted that if this justification letter had been
written just a couple of days later, it could have also referenced the exploits
of the zero-day Microsoft email server vulnerabilities.

Finally, the justification references the recent changes made
to 44 USC 3553(b) by §1705 of PL 116-283 that expanded the scope of the DHS
responsibilities for the security of information systems throughout the federal
government. While the DHS letter specifically references the ‘information
sharing’ provisions of §1705’s new paragraph (l) added to §3553, a better
argument can be made on the basis of the new subparagraph (b)(8)(B) added by
§1705(1):

“(B) deploying, operating, and
maintaining secure technology platforms and tools, including networks and
common business applications, for use by the agency to perform agency
functions, including collecting, maintaining, storing, processing,
disseminating, and analyzing information; and”

Moving Forward

With this week’s approval of the emergency expansion of 1601-0028,
DHS will be required to publish 60-day and 30-day information collection request
revision notices in the Federal Register, seeking public comment on the revised
collection. It will be interesting to see what basis DHS will use for estimating
the burden for the vastly expanded collection.