Sec. 212. Quantitative cybersecurity metrics
Source: /bill/117/hr/6497/ih/section-212
In this section, the term "covered metrics" means the metrics established, reviewed, and updated under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)).

Not later than 1 year after the date of the enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director and consulting with the Director of the National Institute of Standards and Technology, shall—
    evaluate any covered metrics established as of the date of the enactment of this Act; and
    as appropriate and pursuant to section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c))—
        update the covered metrics; and
        establish new covered metrics.

Not later than 540 days after the date of the enactment of this Act, the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall promulgate guidance that requires each agency to use covered metrics to track trends in the cybersecurity and incident response capabilities of the agency.

The guidance issued under paragraph (1) and any subsequent guidance shall require agencies to share with the Director of the Cybersecurity and Infrastructure Security Agency data demonstrating the performance of the agency using the covered metrics included in the guidance.

On not less than 2 occasions during the 2-year period following the date on which guidance is promulgated under paragraph (1), the Director shall ensure that not less than 3 agencies are subjected to substantially similar penetration tests, as determined by the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, in order to validate the utility of the covered metrics.

The Director of the Cybersecurity and Infrastructure Security Agency shall develop a capability that allows for the analysis of the covered metrics, including cross-agency performance of agency cybersecurity and incident response capability trends.

Not later than 1 year after the date of the enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director, shall submit to the appropriate congressional committees a report on the utility of the covered metrics.

Not later than 180 days after the date on which the Director promulgates guidance under subsection (c)(1), the Director shall submit to the appropriate congressional committees a report on the results of the use of the covered metrics by agencies.

2015 updates

The Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1521 et seq.) is amended—
    in section 222(3)(B), by inserting "and the Committee on Oversight and Reform" before "of the House of Representatives"; and
    in section 224—
        by amending subsection (c) to read as follows: "The Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director, shall establish, review, and update metrics to measure the cybersecurity and incident response capabilities of agencies in accordance with the responsibilities of agencies under section 3554 of title 44, United States Code.";
        by striking subsection (e); and
        by redesignating subsection (f) as subsection (e).