Code · BILL · 117th Congress · S. 3600 (Placed on Calendar Senate) — To improve the cybersecurity of the Federal Government, and for other purposes. · Sec. 118

Sec. 118. Quantitative cybersecurity metrics

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

In this section, the term covered metrics means the metrics established, reviewed, and updated under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)).

Not later than 1 year after the date of enactment of this Act, and as appropriate thereafter, the Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director, shall—
    evaluate any covered metrics established as of the date of enactment of this Act; and
    as appropriate and pursuant to section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)) update or establish new covered metrics.

Not later than 540 days after the date of enactment of this Act, the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall promulgate guidance that requires each agency to use covered metrics to track trends in the cybersecurity and incident response capabilities of the agency.

The guidance issued under paragraph (1) and any subsequent guidance shall require agencies to share with the Director of the Cybersecurity and Infrastructure Security Agency data demonstrating the performance of the agency using the covered metrics included in the guidance.

On not less than 2 occasions during the 2-year period following the date on which guidance is promulgated under paragraph (1), the Director shall ensure that not less than 3 agencies are subjected to substantially similar penetration tests, as determined by the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, in order to validate the utility of the covered metrics.

The Director of the Cybersecurity and Infrastructure Security Agency shall develop a capability that allows for the analysis of the covered metrics, including cross-agency performance of agency cybersecurity and incident response capability trends.

With respect to the first update or establishment of covered metrics required under subsection (b)(2), the Director of the Cybersecurity and Infrastructure Security Agency shall establish covered metrics that include not less than 1 metric addressing the time it takes for agencies to identify and respond to incidents.

Not later than 1 year after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director, shall submit to the appropriate congressional committees a report on the utility and use of the covered metrics.