Yesterday the OMB’s Office of Information and Regulatory
Affairs (OIRA)
announced
that it had approved an emergency information collection request
(ICR) revision for the DHS Vulnerability Discovery Program (VDP). This unusual ICR
revision would allow all other agencies in the Federal government to utilize
the DHS OMB Control Number (1601-0028) for their own vulnerability discovery
programs that were mandated by CISA’s Binding
Operational Directive 20-01
. It would also authorize those agencies to use the
same on-line
form
[.DOCX download link] used by DHS for their Program.

360 Mobile Vision - 360mobilevision.com North & South Carolina Security products and Systems Installations for Commercial and Residential - $55 Hourly Rate. ACCESS CONTROL, INTRUSION ALARM, ACCESS CONTROLLED GATES, INTERCOMS AND CCTV INSTALL OR REPAIR 360 Mobile Vision - 360mobilevision.com is committed to excellence in every aspect of our business. We uphold a standard of integrity bound by fairness, honesty and personal responsibility. Our distinction is the quality of service we bring to our customers. Accurate knowledge of our trade combined with ability is what makes us true professionals. Above all, we are watchful of our customers interests, and make their concerns the basis of our business.

Any government agency that collects information is required
by law to include on the collection document the OMB control number that shows
that the agency has taken actions to ensure that its collection effort is authorized
and effective. This action by DHS and OIRA allows government agencies to
short-cut the 60-day and 30-day notice requirements in standing up their VDPs.

According to a
letter
from the DHS CIO to OIRA included in the emergency request packet,
this action was actually suggested by OMB. It is not clear from any of the
documentation available on the OIRA site if/when each agency would have to
submit their own ICR for their unique VDP. This emergency update did not make
any changes to the burden estimate provided by DHS. The 3,000 reports per year
expected by DHS would be a reasonable guess (the DHS program has only been in
effect since August 2020) for any large agency standing up their own VDP and
requesting ICR approval for that program.

The DHS ICR is due for update in August of this year in any
case. It will be interesting to see what figure DHS uses for the expected
number of reports.

By admin