skip to main content

H.R. 1224 (115th): NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017

The text of the bill below is as of Oct 31, 2017 (Reported by House Committee).


IB

Union Calendar No. 276

115th CONGRESS

1st Session

H. R. 1224

[Report No. 115–376]

IN THE HOUSE OF REPRESENTATIVES

February 27, 2017

(for himself, Mr. Smith of Texas, Mr. Lucas, Mrs. Comstock, and Mr. Knight) introduced the following bill; which was referred to the Committee on Science, Space, and Technology

October 31, 2017

Additional sponsor: Mr. Sessions

October 31, 2017

Reported with an amendment, committed to the Committee of the Whole House on the State of the Union, and ordered to be printed

Strike out all after the enacting clause and insert the part printed in italic

For text of introduced bill, see copy of bill as introduced on February 27, 2017


A BILL

To amend the National Institute of Standards and Technology Act to implement a framework, assessment, and audits for improving United States cybersecurity.


1.

Short title

This Act may be cited as the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017.

2.

NIST mission to address cybersecurity threats

Section 20(a)(1) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(a)(1)) is amended by inserting , emphasizing the principle that expanding cybersecurity threats require engineering security from the beginning of an information system’s life cycle, building more trustworthy and secure components and systems from the start, and applying well-defined security design principles throughout before the semicolon.

3.

Implementation of Cybersecurity Framework

The National Institute of Standards and Technology Act (15 U.S.C. 271 et seq.) is amended by inserting after section 20 the following:

20A.

Framework for Improving Critical Infrastructure Cybersecurity

(a)

Implementation by Federal agencies

The Institute shall promote the implementation by Federal agencies of the Framework for Improving Critical Infrastructure Cybersecurity (in this section and section 20B referred to as the Framework) by providing to the Office of Management and Budget, the Office of Science and Technology Policy, and all other Federal agencies, not later than 6 months after the date of enactment of the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, guidance that Federal agencies may use to incorporate the Framework into their information security risk management efforts, including practices related to compliance with chapter 35 of title 44, United States Code, and any other applicable Federal law.

(b)

Guidance

The guidance required under subsection (a) shall—

(1)

describe how the Framework aligns with or augments existing agency practices related to compliance with chapter 35 of title 44, United States Code, and any other applicable Federal law;

(2)

identify any areas of conflict or overlap between the Framework and existing cybersecurity requirements, including gap areas where additional policies, standards, guidelines, or programs may be needed to encourage Federal agencies to use the Framework and improve the ability of Federal agencies to manage cybersecurity risk;

(3)

include a template for Federal agencies on how to use the Framework, and recommend procedures for streamlining and harmonizing existing and future cybersecurity-related requirements, in support of the goal of using the Framework to supplant Federal agency practices in compliance with chapter 35 of title 44, United States Code;

(4)

recommend other procedures for compliance with cybersecurity reporting, oversight, and policy review and creation requirements under such chapter 35 and any other applicable Federal law; and

(5)

be updated, as the Institute considers necessary, to reflect what the Institute learns from ongoing research, the audits conducted pursuant to section 20B(c), the information compiled by the Federal working group established pursuant to subsection (c), and the annual reports published pursuant to subsection (d).

(c)

Federal working group

Not later than 3 months after the date of enactment of the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, the Institute shall establish and chair a working group (in this section referred to as the Federal working group), including representatives of the Office of Management and Budget, the Office of Science and Technology Policy, and other appropriate Federal agencies, which shall—

(1)

not later than 6 months after the date of enactment of the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, develop outcome-based and quantifiable metrics to help Federal agencies in their analysis and assessment of the effectiveness of the Framework in protecting their information and information systems;

(2)

update such metrics as the Federal working group considers necessary;

(3)

compile information from Federal agencies on their use of the Framework and the results of the analysis and assessment described in paragraph (1); and

(4)

assist the Office of Management and Budget and the Office of Science and Technology Policy in publishing the annual report required under subsection (d).

(d)

Report

The Office of Management and Budget and the Office of Science and Technology Policy shall develop and make publicly available an annual report on agency adoption rates and the effectiveness of the Framework. In preparing such report, the Offices shall use the information compiled by the Federal working group pursuant to subsection (c)(3).

20B.

Cybersecurity audits

(a)

Initial assessment

(1)

Requirement

Not later than 6 months after the date of enactment of the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, the Institute shall complete an initial assessment of the cybersecurity preparedness of the agencies described in paragraph (2). Such assessment shall be based on information security standards developed under section 20, and may also be informed by work done or reports published by other Federal agencies or officials.

(2)

Agencies

The agencies referred to in paragraph (1) are the agencies referred to in section 901(b) of title 31, United States Code, and any other agency that has reported a major incident (as defined in the Office of Management and Budget Memorandum—16—03, published on October 30, 2015, or any successor document).

(3)

National security systems

The requirement under paragraph (1) shall not apply to national security systems (as defined in section 3552(b) of title 44, United States Code).

(b)

Audit plan

Not later than 6 months after the date of enactment of this Act, the Institute shall prepare a needs-based plan for carrying out the audits of agencies as required under subsection (c). Such plan shall include a description of staffing plans, workforce capabilities, methods for conducting such audits, coordination with agencies to support such audits, expected timeframes for the completion of audits, and other information the Institute considers relevant. The plan shall be transmitted by the Institute to the congressional entities described in subsection (c)(4)(F).

(c)

Audits

(1)

Requirement

Not later than 6 months after the date of enactment of the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, the Institute shall initiate an individual cybersecurity audit of each agency described in subsection (a)(2), to assess the extent to which the agency is meeting the information security standards developed under section 20.

(2)

Relation to Framework

Audits conducted under this subsection shall—

(A)

to the extent applicable and available, be informed by the report on agency adoption rates and the effectiveness of the Framework described in section 20A(d); and

(B)

if the agency is required by law or executive order to adopt the Framework, be based on the guidance described in section 20A(b) and metrics developed under section 20A(c)(1).

(3)

Schedule

The Institute shall establish a schedule for completion of audits under this subsection to ensure that—

(A)

audits of agencies whose information security risk is high, based on the assessment conducted under subsection (a), are completed not later than 1 year after the date of enactment of the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, and are audited annually thereafter; and

(B)

audits of all other agencies described in subsection (a)(2) are completed not later than 2 years after the date of enactment of the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, and are audited biennially thereafter.

(4)

Report

A report of each audit conducted under this subsection shall be transmitted by the Institute to—

(A)

the Office of Management and Budget;

(B)

the Office of Science and Technology Policy;

(C)

the Government Accountability Office;

(D)

the agency being audited;

(E)

the Inspector General of such agency, if there is one; and

(F)

Congress, including the Committee on Science, Space, and Technology of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate.

.

October 31, 2017

Reported with an amendment, committed to the Committee of the Whole House on the State of the Union, and ordered to be printed