
Code · BILL · 116th Congress · H.R. 4237 (Introduced in House) — To amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to establish a continuous... · Sec. 2

Sec. 2. Establishment of continuous diagnostics and mitigation program in the Cybersecurity and Infrastructure Security Agency

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Section 2213 of the Homeland Security Act of 2002 (6 U.S.C. 663) is amended by adding at the end the following:

The Secretary, acting through the Director of Cybersecurity and Infrastructure Security, shall deploy, operate, and maintain a continuous diagnostics and mitigation program for agencies. Under such program, the Secretary shall—

  assist agencies to continuously diagnose and mitigate cyber threats and vulnerabilities;
  develop and provide the capability to collect, analyze, and visualize information relating to security data and cybersecurity risks at agencies;
  make program capabilities available for use, with or without reimbursement, to civilian agencies and State, local, Tribal, and territorial governments;
  employ shared services, collective purchasing, blanket purchase agreements, and any other economic or procurement models the Secretary determines appropriate to maximize the costs savings associated with implementing an information system;
  assist entities in setting information security priorities and assessing and managing cybersecurity risks; and
  develop policies and procedures for reporting systemic cybersecurity risks and potential incidents based upon data collected under such program.

The Secretary shall regularly deploy new technologies and modify existing technologies to the continuous diagnostics and mitigation program required under subparagraph (A), as appropriate, to improve the program.

Notwithstanding any other provision of law, each agency that uses the continuous diagnostics and mitigation program under paragraph (1) shall, continuously and in real time, provide to the Secretary all information, assessments, analyses, and raw data collected by the program, in a manner specified by the Secretary.

In carrying out the continuous diagnostics and mitigation program under paragraph (1), the Secretary shall, as appropriate—

  share with agencies relevant analysis and products developed under such program;
  provide regular reports on cybersecurity risks to agencies; and
  provide comparative assessments of cybersecurity risks for agencies.

Not later than 180 days after the date of the enactment of this Act, the Secretary of Homeland Security shall develop a comprehensive continuous diagnostics and mitigation strategy to carry out the continuous diagnostics and mitigation program required under subsection (g) of section 2213 of the Homeland Security Act of 2002 (6 U.S.C. 663), as added by subsection (a).

The strategy required under paragraph (1) shall include the following:

  A description of the continuous diagnostics and mitigation program, including efforts by the Secretary of Homeland Security to assist with the deployment of program tools, capabilities, and services, from the inception of the program referred to in paragraph (1) to the date of enactment of this Act.
  A description of the coordination and funding required to deploy, install, and maintain the tools, capabilities, and services that the Secretary of Homeland Security determines to be necessary to satisfy the requirements of such program.
  A description of any obstacles facing the deployment, installation, and maintenance of tools, capabilities, and services under such program.
  Recommendations and guidelines to help maintain and continuously upgrade tools, capabilities, and services provided under such program.
  Recommendations for using the data collected by such program for creating a common framework for data analytics, visualization of enterprise-wide risks, and real-time reporting, and comparative assessments for cybersecurity risks.
  Recommendations for future efforts and activities, including for the rollout of new and emerging tools, capabilities and services, proposed timelines for delivery, and whether to continue the use of phased rollout plans, related to securing networks, devices, data, and information and operational technology assets through the use of such program.

The strategy required under paragraph (1) shall be submitted in an unclassified form, but may contain a classified annex.

Not later than 180 days after the development of the strategy required under subsection (b), the Secretary of Homeland Security shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representative a report on cybersecurity risk posture based on the data collected through the continuous diagnostics and mitigation program under subsection (g) of section 2213 of the Homeland Security Act of 2002 (6 U.S.C. 663), as added by subsection (a).

Not later than 1 year after the date of enactment of this Act, the Comptroller General of the United States shall submit a report to Congress on the potential impacts and benefits of replacing the reporting requirements under chapter 35 of title 44, United States Code, with periodical real-time data provided by the continuous diagnostics and mitigation program under subsection (g) of section 2213 of the Homeland Security Act of 2002 (6 U.S.C. 663), as added by subsection (a).