CISA calls for input on foundational cybersecurity assessment tool for SLTT entities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has submitted a new information collection request (ICR) to the Office of Management and Budget (OMB) for review and clearance. The 60-day notice of information collection is accompanied by a request for comment on the new collection, called the Foundational Cybersecurity Assessment, which will guide State, Local, Territorial, and Tribal (SLTT) entities through the first 12–18 months of their cybersecurity plan development.

“The assessment contains 32 questions that are aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Center for Internet Security (CIS) CIS Critical Security Controls,” according to a notice published Monday in the Federal Register. “Although not directly related, at least 20 of the questions on the Nationwide Cybersecurity Review (NCSR) will be covered by responses to the Foundational Cybersecurity Assessment, allowing it to serve as an excellent ‘assessment on-ramp’ for entities who have not yet been able to tackle and complete the NCSR.” 

The notice added that an entity that completes the Foundational Cybersecurity Assessment is positioned to take the NCSR afterwards and to continue its security maturity journey year over year.

Furthermore, CISA is authorized to receive and analyze cyber threat indicators, defensive measures, cybersecurity risks, and incidents, and to use this information to make recommendations to federal and non-federal entities regarding protective and support measures to reduce cyber risk. 

The Foundational Assessment implements these authorities concerning CISA’s analysis of and support to SLTT entities and is a new information collection. 

OMB is particularly interested in comments that evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility; that evaluate the accuracy of the agency’s estimate of the burden of the proposed collection, including the validity of the methodology and assumptions used; and that enhance the quality, utility, and clarity of the information to be collected.

The agency also seeks input to minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submissions of responses.

The Federal Register notice estimated that the number of respondents for the Foundational Assessment would be 100 and that the time per respondent would be one hour, for a total burden of 100 hours. The annualized respondent cost was put at US$7,541, and the total annualized respondent out-of-pocket cost at $0. The total annualized government cost, however, stood at $182,459.

Last week, CISA provided a sneak peek into the launch of a new way for organizations to understand their cyber risk and receive targeted, straightforward guidance built around the agency’s Cybersecurity Performance Goals (CPGs). Set to debut in early 2024, the new tool called ReadySetCyber will simplify the process of incorporating cybersecurity into an organization’s business decisions, regardless of the level of expertise or the number of personnel on staff.
