Sec. 6. Coordinated disclosure of security vulnerabilities relating to covered devices
/bill/116/hr/1668/rh/section-6
(a) Not later than 180 days after the date of the enactment of this Act, the Director of the Institute, in consultation with the Director of Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, shall develop under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) and submit to the Director of OMB, guidelines—
    (1) for the reporting, coordinating, publishing, and receiving of information about—
        (A) a security vulnerability relating to a covered device owned or controlled by an agency; and
        (B) the resolution of such security vulnerability;
    (2) for contractors providing a covered device to the Federal Government, and any subcontractor thereof at any tier providing such device to such contractors on—
        (A) receiving information about a potential security vulnerability relating to the covered device; and
        (B) disseminating information about the resolution of a security vulnerability relating to the covered device; and
    (3) on the type of information about security vulnerabilities that should be reported to the Federal Government, including examples thereof.

(b) In developing the guidelines under subsection (a), the Director of the Institute shall—
    (1) consult with such cybersecurity researchers and private sector industry experts as the Director considers appropriate;
    (2) to the maximum extent practicable, align such guidelines with Standards 29147 and 30111 of the International Standards Organization, or any successor standards thereof; and
    (3) ensure such guidelines are consistent with the policies and procedures developed under section 2209(m) of the Homeland Security Act of 2002 (6 U.S.C. 659(m)).

(c)
    (1) Not later than 180 days after the date on which the guidelines under subsection (a) are submitted, the Director of OMB, in consultation with the Administrator of General Services and the Secretary of Homeland Security, shall promulgate standards on the basis of such guidelines.
    (2) The standards promulgated under paragraph (1) shall include a requirement for any contract related to a covered device to include a clause that requires each contractor that provides a covered device under the contract to an agency to ensure that any covered device obtained through a subcontract, at any tier, complies with the standards and regulations promulgated under this section with respect to such covered device.
    (3) The Director of OMB shall ensure that the standards promulgated under paragraph (1) are consistent with section 101 of the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act (6 U.S.C. 663 note; Public Law 115–390).

(d) The Federal Acquisition Regulation shall be revised to implement the standards promulgated under subsection (c).