Code · BILL · 117th Congress · H.R. 6497 (Introduced in House) — To modernize Federal information security management and improve Federal cybersecurity to combat persisting and emerg... · Sec. 203

Sec. 203. Federal penetration testing policy

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Subchapter II of chapter 35 of title 44, United States Code, is amended by adding at the end the following:

The Director shall, in consultation with the Secretary of the Department of Homeland Security acting through the Director of the Cybersecurity and Infrastructure Security Agency, issue guidance to agencies that—

- requires agencies to use, when and where appropriate, penetration testing on agency systems by both Federal and non-Federal entities, with a focus on high value assets;
- provides policies governing agency development of an operational plan, rules of engagement for utilizing penetration testing, and procedures to utilize the results of penetration testing to improve the cybersecurity and risk management of the agency; and
- establishes a program under the Cybersecurity and Infrastructure Security Agency to ensure that penetration testing is being performed appropriately by agencies and to provide operational support or a shared service.

The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall—

- not less frequently than annually, inventory all Federal penetration testing assets; and
- develop and maintain a standardized process for the use of penetration testing.

The guidance issued under subsection (a) shall not apply to national security systems.

The authorities of the Director described in subsection (a) shall be delegated—

- to the Secretary of Defense in the case of systems described in section 3553(e)(2); and
- to the Director of National Intelligence in the case of systems described in 3553(e)(3).

Not later than 180 days after the date of the enactment of this Act, the Director shall issue the guidance required under section 3559A(a) of title 44, United States Code, as added by subsection (a).

This section shall sunset on the date that is 10 years after the date of the enactment of this Act.

The table of sections for chapter 35 of title 44, United States Code, is amended by adding after the item relating to section 3559 the following: 3559A. Federal penetration testing.

Section 3553(b) of title 44, United States Code, as amended by section 5121, is further amended—

- in paragraph (8)(B), by striking and at the end;
- by redesignating paragraph (9) as paragraph (10); and
- by inserting after paragraph (8) the following: performing penetration testing to identify vulnerabilities within Federal information systems; and.