Sec. 301. Establish a National Cybersecurity Certification and Labeling Authority
In this section: The term accredited certifying agent means any person who is accredited by the Authority as a certifying agent for the purposes of certifying a specific class of critical information and communications technology. The term Authority means the National Cybersecurity Certification and Labeling Authority established under subsection (b)(1). The term certification means a seal or symbol provided by the Authority or an accredited certifying agent, that results from passage of a comprehensive evaluation of an information and communications technology that establishes the extent to which a particular design and implementation meets a set of specified security standards.
The term critical information and communications technology means information and communications technology that is in use in critical infrastructure sectors and that underpins the resilience of national critical functions, as determined by the Secretary. The term critical infrastructure has the meaning given that term in section 1016(e) of the Critical Infrastructure Protection Act of 2001 ( 42 U.S.C. 5195c(e) ). The term label means a clear, visual, and easy to understand symbol or list that conveys specific information about a product’s security attributes, characteristics, functionality, components, or other features.
The term Program means the program administered under subsection (b)(1). The term Secretary means the Secretary of Homeland Security. There is established a National Cybersecurity Certification and Labeling Authority for the purpose of establishing and administering a voluntary national cybersecurity certification and labeling program for critical information and communications technology in order to bolster the resilience of the networks and critical infrastructure of the United States.
As part of the Program, the Authority shall define and publish a process whereby governmental and nongovernmental entities may apply to become accredited certifying agents for the certification of specific critical information and communications technology, including— smartphones; tablets; laptop computers; operating systems; routers; software-as-a-service; infrastructure-as-a-service; platform-as-a-service; programmable logic controllers; intelligent electronic devices; and programmable automation controllers.
As part of the Program, the Authority shall work in coordination with accredited certifying agents, the Secretary, and subject matter experts from the Federal Government, academia, nongovernmental organizations, and the private sector to identify and harmonize common security standards, frameworks, and benchmarks against which the security of critical information and communications technologies may be measured. As part of the Program, the Authority, in consultation with the Secretary and other experts from the Federal Government, academia, nongovernmental organizations, and the private sector, shall— develop, and disseminate to accredited certifying agents, guidelines to standardize the presentation of certifications to communicate the level of security for critical information and communications technologies; develop, or permit accredited certifying agents to develop, certification criteria for critical information and communications technologies based on identified security standards, frameworks, and benchmarks, through the work conducted under subparagraph (B); issue, or permit accredited certifying agents to issue, certifications for critical information and communications technology that meet and comply with security standards, frameworks, and benchmarks identified through the work conducted under subparagraph (B); permit a manufacturer or distributor of critical information and communications technology to display a certificate reflecting the extent to which the critical information and communications technology meets security standards, frameworks, and benchmarks identified through the work conducted under subparagraph (B); remove the certification of a critical information and communications technology as a critical information and communications technology certified under the Program if the manufacturer of the certified critical information and communications technology falls out of conformity with the benchmarks security standards, frameworks, or benchmarks identified through the work conducted under subparagraph (B) for the critical information and communications technology; work to enhance public awareness of the certification and labeling efforts of the Authority and accredited certifying agents, including through public outreach, education, research and development, and other means; and publicly display a list of labels and certified critical information and communications technology, along with their respective certification information. A certification shall remain valid for 1 year from the date of issuance. In developing the guidelines and criteria required under subparagraph (C)(i), the Authority shall designate at least 3 classes of certifications, including the following: For critical information and communications technology which the product manufacturer or service provider attests meets the criteria for a certification, attestation-based certification. For critical information and communications technology products and services that have undergone third-party accreditation of criteria for certification, accreditation-based certification. For critical information and communications technology that has undergone a security evaluation and testing process by a qualifying third party, as determined by the Authority, test-based certification. The Authority, in consultation with the Secretary and other experts from the Federal Government, academia, nongovernmental organizations, and the private sector, shall— collaborate with the private sector to standardize language and define a labeling schema to provide transparent information on the security characteristics and constituent components of a software or hardware product; and establish a mechanism by which product developers can provide this information for both product labeling and public posting.
It shall be unlawful for a product manufacturer, distributor, or seller to— falsely attest to, or falsify an audit or test for, a security standard, framework, or benchmark for certification; intentionally mislabel a product; or fail to maintain the security standard, framework, or benchmark to which the manufacturer, distributor, or seller attested. A violation of subparagraph (A) shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act ( 15 U.S.C. 57a(a)(1)(B) ) regarding unfair or deceptive acts or practices. The Federal Trade Commission shall enforce this paragraph in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act ( 15 U.S.C. 41 et seq. ) were incorporated into and made a part of this paragraph. Any person who violates this paragraph shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act ( 15 U.S.C. 41 et seq. ). The Secretary shall issue a notice of funding opportunity and select, on a competitive basis, a nonprofit, nongovernmental organization to serve as the Authority for a period of 5 years. The Secretary may only select an organization to serve as the Authority if such organization— is a nongovernmental, nonprofit organization that is— exempt from taxation under section 501(a) of the Internal Revenue Code of 1986; and described in sections 501(c)(3) and 170(b)(1)(A)(vi) of that Code; has a demonstrable track record of work on cybersecurity and information security standards, frameworks, and benchmarks; and possesses requisite staffing and expertise, with demonstrable prior experience in technology security or safety standards, frameworks, and benchmarks, as well as certification. The Secretary shall establish a process by which a nonprofit, nongovernmental organization that seeks to be selected as the Authority may apply for consideration.
Not later than the date that is 4 years after the initial selection pursuant to paragraph (1), and every 4 years thereafter, the Secretary shall— assess the effectiveness of the labels and certificates produced by the Authority, including— assessing the costs to businesses that manufacture critical information and communications technology participating in the Program; evaluating the level of participation in the Program by businesses that manufacture critical information and communications technology; and assessing the level of public awareness and consumer awareness of the label; audit the impartiality and fairness of the Authority’s activities conducted under this section; issue a public report on the assessment most recently carried out under subparagraph (A) and the audit most recently carried out under subparagraph (B); and brief Congress on the findings of the Secretary with respect to the most recent assessment under subparagraph (A) and the most recent audit under subparagraph (B). After the initial selection pursuant to paragraph (1), the Secretary shall, every 5 years— accept applications from nonprofit, nongovernmental organizations seeking selection as the Authority; and following competitive consideration of all applications— renew the selection of the organization serving as the Authority; or select another applicant organization to serve as the Authority. There are authorized to be appropriated to carry out this section $25,000,000 for each of fiscal years 2022 through 2026.