Union Calendar No. 276
115th CONGRESS
1st Session
H. R. 1224
[Report No. 115–376]
IN THE HOUSE OF REPRESENTATIVES
February 27, 2017
Mr. Abraham (for himself, Mr. Smith of Texas, Mr. Lucas, Mrs. Comstock, and Mr. Knight) introduced the following bill; which was referred to the Committee on Science, Space, and Technology
October 31, 2017
Additional sponsor: Mr. Sessions
October 31, 2017
Reported with an amendment, committed to the Committee of the Whole House on the State of the Union, and ordered to be printed
Strike out all after the enacting clause and insert the part printed in italic
For text of introduced bill, see copy of bill as introduced on February 27, 2017
A BILL
To amend the National Institute of Standards and Technology Act to implement a framework, assessment, and audits for improving United States cybersecurity.
Short title
This Act may be cited as the "NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017".
NIST mission to address cybersecurity threats
Section 20(a)(1) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(a)(1)) is amended by inserting ", emphasizing the principle that expanding cybersecurity threats require engineering security from the beginning of an information system’s life cycle, building more trustworthy and secure components and systems from the start, and applying well-defined security design principles throughout" before the semicolon.
Implementation of Cybersecurity Framework
The National Institute of Standards and Technology Act (15 U.S.C. 271 et seq.) is amended by inserting after section 20 the following:
"SEC. 20A. Framework for Improving Critical Infrastructure Cybersecurity
(a) Implementation by Federal agencies
The Institute shall promote the implementation by Federal agencies of the Framework for Improving Critical Infrastructure Cybersecurity (in this section and section 20B referred to as the 'Framework') by providing to the Office of Management and Budget, the Office of Science and Technology Policy, and all other Federal agencies, not later than 6 months after the date of enactment of the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, guidance that Federal agencies may use to incorporate the Framework into their information security risk management efforts, including practices related to compliance with chapter 35 of title 44, United States Code, and any other applicable Federal law.
(b) Guidance
The guidance required under subsection (a) shall—
(1) describe how the Framework aligns with or augments existing agency practices related to compliance with chapter 35 of title 44, United States Code, and any other applicable Federal law;
(2) identify any areas of conflict or overlap between the Framework and existing cybersecurity requirements, including gap areas where additional policies, standards, guidelines, or programs may be needed to encourage Federal agencies to use the Framework and improve the ability of Federal agencies to manage cybersecurity risk;
(3) include a template for Federal agencies on how to use the Framework, and recommend procedures for streamlining and harmonizing existing and future cybersecurity-related requirements, in support of the goal of using the Framework to supplant Federal agency practices in compliance with chapter 35 of title 44, United States Code;
(4) recommend other procedures for compliance with cybersecurity reporting, oversight, and policy review and creation requirements under such chapter 35 and any other applicable Federal law; and
(5) be updated, as the Institute considers necessary, to reflect what the Institute learns from ongoing research, the audits conducted pursuant to section 20B(c), the information compiled by the Federal working group established pursuant to subsection (c), and the annual reports published pursuant to subsection (d).
(c) Federal working group
Not later than 3 months after the date of enactment of the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, the Institute shall establish and chair a working group (in this section referred to as the 'Federal working group'), including representatives of the Office of Management and Budget, the Office of Science and Technology Policy, and other appropriate Federal agencies, which shall—
(1) not later than 6 months after the date of enactment of the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, develop outcome-based and quantifiable metrics to help Federal agencies in their analysis and assessment of the effectiveness of the Framework in protecting their information and information systems;
(2) update such metrics as the Federal working group considers necessary;
(3) compile information from Federal agencies on their use of the Framework and the results of the analysis and assessment described in paragraph (1); and
(4) assist the Office of Management and Budget and the Office of Science and Technology Policy in publishing the annual report required under subsection (d).
(d) Report
The Office of Management and Budget and the Office of Science and Technology Policy shall develop and make publicly available an annual report on agency adoption rates and the effectiveness of the Framework. In preparing such report, the Offices shall use the information compiled by the Federal working group pursuant to subsection (c)(3).
SEC. 20B. Cybersecurity audits
(a) Initial assessment
(1) Requirement
Not later than 6 months after the date of enactment of the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, the Institute shall complete an initial assessment of the cybersecurity preparedness of the agencies described in paragraph (2). Such assessment shall be based on information security standards developed under section 20, and may also be informed by work done or reports published by other Federal agencies or officials.
(2) Agencies
The agencies referred to in paragraph (1) are the agencies referred to in section 901(b) of title 31, United States Code, and any other agency that has reported a major incident (as defined in the Office of Management and Budget Memorandum M–16–03, published on October 30, 2015, or any successor document).
(3) National security systems
The requirement under paragraph (1) shall not apply to national security systems (as defined in section 3552(b) of title 44, United States Code).
(b) Audit plan
Not later than 6 months after the date of enactment of this Act, the Institute shall prepare a needs-based plan for carrying out the audits of agencies as required under subsection (c). Such plan shall include a description of staffing plans, workforce capabilities, methods for conducting such audits, coordination with agencies to support such audits, expected timeframes for the completion of audits, and other information the Institute considers relevant. The plan shall be transmitted by the Institute to the congressional entities described in subsection (c)(4)(F).
(c) Audits
(1) Requirement
Not later than 6 months after the date of enactment of the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, the Institute shall initiate an individual cybersecurity audit of each agency described in subsection (a)(2), to assess the extent to which the agency is meeting the information security standards developed under section 20.
(2) Relation to Framework
Audits conducted under this subsection shall—
(A) to the extent applicable and available, be informed by the report on agency adoption rates and the effectiveness of the Framework described in section 20A(d); and
(B) if the agency is required by law or executive order to adopt the Framework, be based on the guidance described in section 20A(b) and metrics developed under section 20A(c)(1).
(3) Schedule
The Institute shall establish a schedule for completion of audits under this subsection to ensure that—
(A) audits of agencies whose information security risk is high, based on the assessment conducted under subsection (a), are completed not later than 1 year after the date of enactment of the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, and are audited annually thereafter; and
(B) audits of all other agencies described in subsection (a)(2) are completed not later than 2 years after the date of enactment of the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, and are audited biennially thereafter.
(4) Report
A report of each audit conducted under this subsection shall be transmitted by the Institute to—
(A) the Office of Management and Budget;
(B) the Office of Science and Technology Policy;
(C) the Government Accountability Office;
(D) the agency being audited;
(E) the Inspector General of such agency, if there is one; and
(F) Congress, including the Committee on Science, Space, and Technology of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate.".