Sec. 111. Federal penetration testing policy
/bill/117/s/3600/es/section-111·A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Subchapter II of chapter 35 of title 44, United States Code, is amended by adding at the end the following:

  In this section:
    The term "agency operational plan" means a plan of an agency for the use of penetration testing.
    The term "rules of engagement" means a set of rules established by an agency for the use of penetration testing.

  The Director, in consultation with the Secretary, acting through the Director of the Cybersecurity and Infrastructure Security Agency, shall issue guidance to agencies that—
    requires agencies to use, when and where appropriate, penetration testing on agency systems by both Federal and non-Federal entities; and
    requires agencies to develop an agency operational plan and rules of engagement that meet the requirements under subsection (c).

  The guidance issued under this section shall—
    permit an agency to use, for the purpose of performing penetration testing—
      a shared service of the agency or another agency; or
      an external entity, such as a vendor; and
    require agencies to provide the rules of engagement and results of penetration testing to the Director and the Director of the Cybersecurity and Infrastructure Security Agency, without regard to the status of the entity that performs the penetration testing.

  The agency operational plan and rules of engagement of an agency shall—
    require the agency to—
      perform penetration testing, including on the high value assets of the agency; or
      coordinate with the Director of the Cybersecurity and Infrastructure Security Agency to ensure that penetration testing is being performed;
    establish guidelines for avoiding, as a result of penetration testing—
      adverse impacts to the operations of the agency;
      adverse impacts to operational environments and systems of the agency; and
      inappropriate access to data;
    require the results of penetration testing to include feedback to improve the cybersecurity of the agency; and
    include mechanisms for providing consistently formatted, and, if applicable, automated and machine-readable, data to the Director and the Director of the Cybersecurity and Infrastructure Security Agency.

  The Director of the Cybersecurity and Infrastructure Security Agency shall—
    establish a process to assess the performance of penetration testing by both Federal and non-Federal entities that establishes minimum quality controls for penetration testing;
    develop operational guidance for instituting penetration testing programs at agencies;
    develop and maintain a centralized capability to offer penetration testing as a service to Federal and non-Federal entities; and
    provide guidance to agencies on the best use of penetration testing resources.

  The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall—
    not less frequently than annually, inventory all Federal penetration testing assets; and
    develop and maintain a standardized process for the use of penetration testing.

  The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall develop a framework for prioritizing Federal penetration testing resources among agencies. In developing the framework under this subsection, the Director shall consider—
    agency system risk assessments performed under section 3554(a)(1)(A);
    the Federal risk assessment performed under section 3553(i);
    the analysis of Federal incident data performed under section 3597; and
    any other information determined appropriate by the Director or the Director of the Cybersecurity and Infrastructure Security Agency.

  The guidance issued under subsection (b) shall not apply to national security systems.

  The authorities of the Director described in subsection (b) shall be delegated—
    to the Secretary of Defense in the case of systems described in section 3553(e)(2); and
    to the Director of National Intelligence in the case of systems described in 3553(e)(3).

Not later than 180 days after the date of enactment of this Act, the Director shall issue the guidance required under section 3559A(b) of title 44, United States Code, as added by subsection (a).

The table of sections for chapter 35 of title 44, United States Code, is amended by adding after the item relating to section 3559 the following:

  3559A. Federal penetration testing.

Effective on the date that is 10 years after the date of enactment of this Act, subchapter II of chapter 35 of title 44, United States Code, is amended by striking section 3559A.

Effective on the date that is 10 years after the date of enactment of this Act, the table of sections for chapter 35 of title 44, United States Code, is amended by striking the item relating to section 3559A.