Sec. 101. Public-private collaboration on cybersecurity
/bill/113/s/1353/rs/section-101
A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Section 2(c) of the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) is amended—
  by redesignating paragraphs (15) through (22) as paragraphs (16) through (23), respectively; and
  by inserting after paragraph (14) the following:
    on an ongoing basis, facilitate and support the development of a voluntary, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to reduce cyber risks to critical infrastructure (as defined under subsection (e));

Section 2 of the National Institute of Standards and Technology Act (15 U.S.C. 272) is amended by adding at the end the following:

In carrying out the activities under subsection (c)(15), the Director—
  shall—
    coordinate closely and continuously with relevant private sector personnel and entities, critical infrastructure owners and operators, sector coordinating councils, Information Sharing and Analysis Centers, and other relevant industry organizations, and incorporate industry expertise;
    consult with the heads of agencies with national security responsibilities, sector-specific agencies, State and local governments, the governments of other nations, and international organizations;
    identify a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks;
    include methodologies—
      to identify and mitigate impacts of the cybersecurity measures or controls on business confidentiality; and
      to protect individual privacy and civil liberties;
    incorporate voluntary consensus standards and industry best practices;
    align with voluntary international standards to the fullest extent possible;
    prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes; and
    include such other similar and consistent elements as the Director considers necessary; and
  shall not prescribe or otherwise require—
    the use of specific solutions;
    the use of specific information or communications technology products or services; or
    that information or communications technology products or services be designed, developed, or manufactured in a particular manner.

Information shared with or provided to the Institute for the purpose of the activities described under subsection (c)(15) shall not be used by any Federal, State, tribal, or local department or agency to regulate the activity of any entity.

In this subsection:
  The term critical infrastructure has the meaning given the term in section 1016(e) of the USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e)).
  The term sector-specific agency means the Federal department or agency responsible for providing institutional knowledge and specialized expertise as well as leading, facilitating, or supporting the security and resilience programs and associated activities of its designated critical infrastructure sector in the all-hazards environment.