Yesterday the OMB's Office of Information and Regulatory Affairs (OIRA) announced that it had approved an emergency information collection request (ICR) revision for the DHS Vulnerability Discovery Program (VDP). This unusual ICR revision would allow all other agencies in the Federal government to use the DHS OMB Control Number (1601-0028) for their own vulnerability discovery programs, which were mandated by CISA's Binding Operational Directive 20-01. It would also authorize those agencies to use the form [.DOCX download link] that DHS uses for its program.

Any government agency that collects information is required by law to include on the collection document the OMB control number showing that the agency has taken the actions needed to ensure that its collection effort is authorized and effective. This action by DHS and OIRA allows government agencies to short-cut the 60-day and 30-day notice requirements when standing up their VDPs.

According to a letter from the DHS CIO to OIRA included in the emergency request packet, this action was actually suggested by OMB. It is not clear from any of the documentation available on the OIRA site if or when each agency would have to submit its own ICR for its unique VDP. This emergency update did not make any changes to the burden estimate provided by DHS. The 3,000 reports per year expected by DHS would be a reasonable guess (the DHS program has only been in effect since August 2020) for any large agency standing up its own VDP and requesting ICR approval for that program.

The DHS ICR is due for update in August of this year in any case. It will be interesting to see what figure DHS uses for the expected number of reports.