Today, CISA published a 60-day information collection request notice in the Federal Register (88 FR 54345-54346) for a new program being developed by CISA, “ReadySetCyber Initiative Questionnaire”. According to the notice:
“CISA's ReadySetCyber Initiative will collect information in order to provide tailored technical assistance, services and resources to critical infrastructure (CI) organizations and state, local, tribal, and territorial (SLTT) governments based on the characteristics of their respective cybersecurity programs. CISA seeks to collect this information from US CI and SLTT organizations on a voluntary and fully electronic basis so that each organization can be best supported in receiving tailored cybersecurity recommendations and services.”
As a long-term goal, CISA expects this initiative to yield several additional benefits, including:
Further adoption of CISA's Cybersecurity Performance Goals (CPGs) as the default approach for assessing organizational progress and identifying prioritized cybersecurity gaps,
Collection of information about organizations' cybersecurity posture and progress, enabling more targeted engagement with sectors, regions, and individual organizations, and
More effective allocation of capacity-constrained services to specific stakeholders.
The notice describes what information will be collected only in very broad strokes:
Whether an organization keeps a regularly updated inventory of all assets with an Internet Protocol address,
The types of incident reporting and vulnerability disclosures required by an organization's contracts with its vendors and suppliers, and
Whether the entity requires a minimum password strength for all password-protected assets.
Burden Information
The following burden is provided in the Notice:
Public Comments
CISA is soliciting public comments on this ICR. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #CISA–2023–0019). Comments need to be submitted by October 10th, 2023.
Commentary
There is not much information in this ICR notice upon which to base comments. I wish that the folks at the Office of Chemical Security could teach the responsible parties at CISA how to provide information on ICR notices.
BTW:
A quick Google search of ‘ReadySetCyber’ shows that there is already a program (actually it appears to be a set of webinars) run by Traitware. I wonder if the folks at CISA bothered searching their new program name for conflicts. I wonder if the folks at Traitware will object.