CISA releases 60-day notice on ReadySetCyber Initiative questionnaire, input to be submitted by Oct. 10

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published Thursday a 60-day notice and agency information collection activities dealing with the ReadySetCyber Initiative Questionnaire. The agency aims to leverage the ReadySetCyber Initiative to provide specialized services that address the unique cybersecurity needs of governments and critical infrastructure entities. Comments will be accepted until Oct. 10, 2023.

The CISA’s ReadySetCyber Initiative will collect information in order to provide tailored technical assistance, services, and resources to critical infrastructure (CI) organizations and state, local, tribal, and territorial (SLTT) governments based on the characteristics of their respective cybersecurity programs. CISA seeks to collect this information from U.S. CI and SLTT organizations on a voluntary and fully electronic basis so that each organization can be best supported in receiving tailored cybersecurity recommendations and services.

In a Federal Register notice, the Department of Homeland Security (DHS) outlined that the overarching goal of CISA’s ReadySetCyber Initiative is to help CI and SLTT organizations access information and services that are tailored to their specific cybersecurity needs. Also, the CISA will submit the Information Collection Request (ICR) to the Office of Management and Budget (OMB) for review and clearance.

The notice identified that the OMB is particularly interested in comments which evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility; while also evaluating the accuracy of the agency’s estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used. 

It also is looking for feedback on enhancing the quality, utility, and clarity of the information to be collected; and minimizing the burden of the collection of information on those who are to respond, including via the use of appropriate automated, electronic, mechanical, or other technological collection techniques.

Additionally, CISA expects this initiative to yield several additional benefits, including further adoption of CISA’s Cybersecurity Performance Goals (CPGs) as the default approach for assessing organizational progress and identifying prioritized cybersecurity gaps; collection of information about organizations’ cybersecurity posture and progress, enabling more targeted engagement with sectors, regions, and individual organizations; and more effective allocation of capacity-constrained services to specific stakeholders. 

Furthermore, CISA expects the initiative to provide a simplified approach to guiding stakeholders into enrollment for scalable services and to rapidly expand uptake of those services, while furthering the development of relationships between CI and SLTT organizations and CISA’s regional cybersecurity personnel.

CISA’s CPGs are a set of voluntary cybersecurity practices which aim to reduce the risk of cybersecurity threats to the U.S. CI and SLTT organizations. The security agency offers services and resources to aid CI and SLTT organizations in adopting the CPGs. It seeks to make accessing appropriate services and resources as efficient as possible, especially for organizations whose cybersecurity programs operate at low levels of capability.

The notice said that, for example, an organization that is unsure of its ability to enumerate all of its internet-facing sites and services could leverage CISA’s highly scalable automated testing services to scan its entire network range. “Organizations with cybersecurity programs with more advanced characteristics who wish to evaluate their network segmentation controls are better positioned to take advantage of CISA’s more resource-intensive architecture assessments. All organizations completing the questionnaire will also be connected with a CISA cybersecurity representative in their jurisdiction to provide direct support and engagement.”

It added that to measure the adoption of the CPGs and assist CI and SLTT organizations in finding the most impactful services and resources for their cybersecurity programs, CISA is seeking to establish a voluntary information collection that uses respondents’ answers to tailor a recommended package of services and resources most applicable to their evaluated level of program capability. 

Without collecting this information, CISA would be unable to tailor an appropriate suite of services, recommendations, and resources to assist the organization in protecting itself against cybersecurity threats, thereby creating burdens of inefficiency for service requesters and CISA alike.

In addition, receipt of this information is critical to CISA’s ability to measure the adoption of CISA’s CPGs by CI and SLTT organizations. The information to be collected will address various inquiries, such as: whether an organization keeps a regularly updated inventory of all assets with an Internet Protocol address; the types of incident reporting and vulnerability disclosures required by an organization’s contracts with its vendors and suppliers; and whether the entity requires a minimum password strength for all password-protected assets.

Last week, the CISA published its Cybersecurity Strategic Plan FY2024-2026 outlining the agency’s central role in advancing toward a future where robust collaboration is the norm. It also works on rebalancing the responsibility for cybersecurity to be more effective and more equitable. The agency yet again highlighted the need to change how technology products are designed and developed so that exploitable conditions are uncommon and secure controls are enabled before products reach the market.
