Code · BILL · 117th Congress · S. 2902 (Introduced in Senate) — To modernize Federal information security management, and for other purposes. · Sec. 206

Sec. 206. Federal penetration testing policy

Subchapter II of chapter 35 of title 44, United States Code, is amended by adding at the end the following:

  In this section:
    The term "agency operational plan" means a plan of an agency for the use of penetration testing.
    The term "rules of engagement" means a set of rules established by an agency for the use of penetration testing.

  Not later than 180 days after the date of enactment of this Act, the Director shall issue guidance that—
    requires agencies to use, when and where appropriate, penetration testing on agency systems; and
    requires agencies to develop an agency operational plan and rules of engagement that meet the requirements under subsection (c).

  The guidance issued under this section shall—
    permit an agency to use, for the purpose of performing penetration testing—
      a shared service of the agency or another agency; or
      an external entity, such as a vendor;
    include templates and frameworks for reporting the results of penetration testing, without regard to the status of the entity that performs the penetration testing; and
    require agencies to provide the rules of engagement and results of penetration testing to the Director and the Director of the Cybersecurity and Infrastructure Security Agency, without regard to the status of the entity that performs the penetration testing.

  The agency operational plan and rules of engagement of an agency shall—
    require the agency to perform penetration testing on the high value assets of the agency;
    establish guidelines for avoiding, as a result of penetration testing—
      adverse impacts to the operations of the agency;
      adverse impacts to operational networks and systems of the agency; and
      inappropriate access to data;
    require the results of penetration testing to include feedback to improve the cybersecurity of the agency; and
    include mechanisms for providing consistently formatted, and, if applicable, automated and machine-readable, data to the Director and the Director of the Cybersecurity and Infrastructure Security Agency.

  The Director of the Cybersecurity and Infrastructure Security Agency shall—
    establish a certification process for the performance of penetration testing by both Federal and non-Federal entities that establishes minimum quality controls for penetration testing;
    develop operational guidance for instituting penetration testing programs at agencies;
    develop and maintain a centralized capability to offer penetration testing as a service to Federal and non-Federal entities; and
    provide guidance to agencies on the best use of penetration testing resources.

  The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall—
    not less frequently than annually, inventory all Federal penetration testing assets; and
    develop and maintain a Federal strategy for the use of penetration testing.

  The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall develop a framework for prioritizing Federal penetration testing resources among agencies. In developing the framework under this subsection, the Director shall consider—
    agency system risk assessments performed under section 3554(a)(1)(A);
    the Federal risk assessment performed under section 3553(i);
    the analysis of Federal incident data performed under section 3597; and
    any other information determined appropriate by the Director or the Director of the Cybersecurity and Infrastructure Security Agency.

The table of sections for chapter 35 of title 44, United States Code, is amended by adding after the item relating to section 3559 the following: "3559A. Federal penetration testing.".

Section 3553(b) of title 44, United States Code, as amended by section 1705 of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (Public Law 116–283) and section 101, is further amended—
  in paragraph (8)(B), by striking "and" at the end;
  by redesignating paragraph (9) as paragraph (10); and
  by inserting after paragraph (8) the following: "performing penetration testing with or without advance notice to, or authorization from, agencies, to identify vulnerabilities within Federal information systems; and".