Code · BILL · 113th Congress · H.R. 3032 (Introduced in House) — To amend chapter 35 of title 44, United States Code, to create the National Office for Cyberspace, to revise requirem... · Sec. 102

Sec. 102. Information security acquisition requirements

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Chapter 113 of title 40, United States Code, is amended by adding at the end of subchapter II the following new section: Notwithstanding any other provision of law, beginning one year after the date of the enactment of the Executive Cyberspace Coordination Act of 2013, no agency may enter into a contract, an order under a contract, or an interagency agreement for— the collection, use, management, storage, or dissemination of information on behalf of the agency; the use or operation of an information system or information infrastructure on behalf of the agency; or information technology; unless such contract, order, or agreement includes requirements to provide effective information security that supports the operations and assets under the control of the agency, in compliance with the policies, standards, and guidance developed under subsection (b), and otherwise ensures compliance with this section.
The Director of the Office of Management and Budget, in consultation with the Director of the National Institute of Standards and Technology, the Director of the National Office for Cyberspace, and the Administrator of General Services, shall oversee the development and implementation of policies, standards, and guidance, including through revisions to the Federal Acquisition Regulation and the Department of Defense supplement to the Federal Acquisition Regulation, to cost effectively enhance agency information security, including— minimum information security requirements for agency procurement of information technology products and services; and approaches for evaluating and mitigating significant supply chain security risks associated with products or services to be acquired by agencies.
Not later than two years after the date of the enactment of the Executive Cyberspace Coordination Act of 2013, the Director of the Office of Management and Budget shall submit to Congress a report describing— actions taken to improve the information security associated with the procurement of products and services by the Federal Government; and plans for overseeing and coordinating efforts of agencies to use best practice approaches for cost-effectively purchasing more secure products and services.
The Director of the Office of Management and Budget shall require each agency to conduct an initial vulnerability assessment for any major system and its significant items of supply prior to the development of the system. The initial vulnerability assessment of a major system and its significant items of supply shall include use of an analysis-based approach to— identify vulnerabilities; define exploitation potential; examine the system's potential effectiveness; determine overall vulnerability; and make recommendations for risk reduction.
The Director shall require a subsequent vulnerability assessment of each major system and its significant items of supply within a program if the Director determines that circumstances warrant the issuance of an additional vulnerability assessment. Upon the request of a congressional committee, the Director may require a subsequent vulnerability assessment of a particular major system and its significant items of supply within the program. Any subsequent vulnerability assessment of a major system and its significant items of supply shall include use of an analysis-based approach and, if applicable, a testing-based approach, to monitor the exploitation potential of such system and reexamine the factors described in subparagraphs (A) through (E) of paragraph (1).
The Director shall provide to the appropriate congressional committees a copy of each vulnerability assessment conducted under paragraph (1) or (2) not later than 10 days after the date of the completion of such assessment.
In this section: The term item of supply— means any individual part, component, subassembly, assembly, or subsystem integral to a major system, and other property which may be replaced during the service life of the major system, including a spare part or replenishment part; and does not include packaging or labeling associated with shipment or identification of an item. The term vulnerability assessment means the process of identifying and quantifying vulnerabilities in a major system and its significant items of supply. The term major system has the meaning given that term in section 4 of the Office of Federal Procurement Policy Act (41 U.S.C. 403).