
Code · BILL · 117th Congress · H.R. 6497 (Introduced in House) — To modernize Federal information security management and improve Federal cybersecurity to combat persisting and emerg... · Sec. 301

Sec. 301. Risk-based budget pilot


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

In this section:

The term appropriate congressional committees means—
- the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate; and
- the Committee on Homeland Security, the Committee on Oversight and Reform, and the Committee on Appropriations of the House of Representatives.

The term information technology—
- has the meaning given the term in section 11101 of title 40, United States Code; and
- includes the hardware and software systems of a Federal agency that monitor and control physical equipment and processes of the Federal agency.

The term risk-based budget means a budget—
- developed by identifying and prioritizing cybersecurity risks and vulnerabilities, including impact on agency operations in the case of a cyber attack, through analysis of cyber threat intelligence, incident data, and tactics, techniques, procedures, and capabilities of cyber threats; and
- that allocates resources based on the risks identified and prioritized under subparagraph (A).

Not later than 1 year after the first publication of the budget submitted by the President under section 1105 of title 31, United States Code, following the date of the enactment of this Act, the Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director and in coordination with the Director of the National Institute of Standards and Technology, shall conduct a pilot for creating a risk-based budget for cybersecurity spending.

The pilot required to be developed under this paragraph shall—
- consider Federal and non-Federal cyber threat intelligence products, where available, to identify threats, vulnerabilities, and risks;
- consider the impact on agency operations of incidents, including the interconnectivity to other agency systems and the operations of other agencies;
- indicate where resources should be allocated to have the greatest impact on mitigating current and future threats and current and future cybersecurity capabilities;
- be used to inform acquisition and sustainment of—
  - information technology and cybersecurity tools;
  - information technology and cybersecurity architectures;
  - information technology and cybersecurity personnel; and
  - cybersecurity and information technology concepts of operations; and
- be used to evaluate and inform government-wide cybersecurity programs of the Department of Homeland Security.

Not later than 2 years after the first publication of the budget submitted by the President under section 1105 of title 31, United States Code, following the date of the enactment of this Act, the Director shall submit a report to Congress on the implementation of the pilot for risk-based budgeting for cybersecurity spending, an assessment of agency implementation, and an evaluation of whether the risk-based budget helps to mitigate cybersecurity vulnerabilities.

Not later than 3 years after the date on which the first budget of the President is submitted to Congress containing the validation required under section 1105(a)(35)(A)(i)(V) of title 31, United States Code, as amended by subsection (c), the Comptroller General of the United States shall submit to the appropriate congressional committees a report that includes—
- an evaluation of the success of pilot agencies in implementing risk-based budgets;
- an evaluation of whether the risk-based budgets developed by pilot agencies are effective at informing Federal Government-wide cybersecurity programs; and
- any other information relating to risk-based budgets the Comptroller General determines appropriate.