Sec. 203. Quantitative cybersecurity metrics
Source: /bill/117/s/2902/is/section-203 (S. 2902, 117th Congress, introduced version). Research copy; for the controlling text, check the official federal source. Not legal advice.
Not later than 1 year after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall—
    update the metrics used to measure security under section 3554 of title 44, United States Code, including any metrics developed pursuant to section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)), to include standardized metrics to quantitatively evaluate and identify trends in agency cybersecurity performance, including performance for incident response; and
    evaluate the metrics described in subparagraph (A).

With respect to the updated metrics required under paragraph (1)—
    not less than 2 of the metrics shall be time-based; and
    the metrics may include other measurable outcomes.

The evaluation required under paragraph (1)(B) shall evaluate—
    the amount of time it takes for an agency to detect an incident; and
    the amount of time that passes between—
        the detection and remediation of an incident; and
        the remediation of an incident and the recovery from the incident.

The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall promulgate guidance that requires the use of the updated metrics developed under subsection (a)(1)(A) by every agency over a 4-year period beginning on the date on which the metrics are developed to track trends in the incident response capabilities of agencies.

On not less than 2 occasions during the 2-year period following the date on which guidance is promulgated under paragraph (1), not less than 3 agencies shall be subjected to substantially similar penetration tests in order to validate the utility of the metrics developed under subsection (a)(1)(A).

The Director of the Cybersecurity and Infrastructure Security Agency shall develop and use a database that—
    stores agency metrics information; and
    allows for the performance of cross-agency comparison of agency incident response capability trends.
The Director may issue guidance that updates the metrics developed under subsection (a)(1)(A) if the updated metrics—
    have the qualities described in subsection (a)(2); and
    can be evaluated under subsection (a)(3).

The guidance issued under paragraph (1) shall require agencies to share with the Director of the Cybersecurity and Infrastructure Security Agency data demonstrating the performance of the agency with the updated metrics included in that guidance against the metrics developed under subsection (a)(1)(A).

Not later than 30 days after the date on which the Director of the Cybersecurity and Infrastructure Security Agency completes the evaluation required under subsection (a)(1)(B), the Director of the Cybersecurity and Infrastructure Security Agency shall submit to the appropriate congressional committees a report on the updated metrics developed under subsection (a)(1)(A).

Not later than 180 days after the date on which guidance is promulgated under subsection (b)(1), the Director shall submit to the appropriate congressional committees a report on the results of the use of the updated metrics developed under subsection (a)(1)(A) by agencies.