
Code · BILL · 117th Congress · S. 3600 (Placed on Calendar Senate) — To improve the cybersecurity of the Federal Government, and for other purposes. · Sec. 119

Sec. 119. Establishment of risk-based budget model


In this section:

The term "appropriate congressional committees" means the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate; and the Committee on Oversight and Reform, the Committee on Homeland Security, and the Committee on Appropriations of the House of Representatives.

The term "covered agency" has the meaning given the term "executive agency" in section 133 of title 41, United States Code.

The term "Director" means the Director of the Office of Management and Budget.

The term "information technology" has the meaning given the term in section 11101 of title 40, United States Code; and includes the hardware and software systems of a Federal agency that monitor and control physical equipment and processes of the Federal agency.

The term "risk-based budget" means a budget— developed by identifying and prioritizing cybersecurity risks and vulnerabilities, including impact on agency operations in the case of a cyber attack, through analysis of cyber threat intelligence, incident data, and tactics, techniques, procedures, and capabilities of cyber threats; and that allocates resources based on the risks identified and prioritized under subparagraph (A).

Not later than 1 year after the first publication of the budget submitted by the President under section 1105 of title 31, United States Code, following the date of enactment of this Act, the Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director and in coordination with the Director of the National Institute of Standards and Technology, shall develop a standard model for informing a risk-based budget for cybersecurity spending.

Section 3553(a) of title 44, United States Code, as amended by section 103 of this title, is further amended by inserting after paragraph (6) the following: "developing a standard risk-based budget model to inform Federal agency cybersecurity budget development; and".

The model required to be developed under subparagraph (A) shall utilize appropriate information to evaluate risk, including, as determined appropriate by the Director— Federal and non-Federal cyber threat intelligence products, where available, to identify threats, vulnerabilities, and risks; analysis of the impact of agency operations of compromise of systems, including the interconnectivity to other agency systems and the operations of other agencies; and to the greatest extent practicable, analysis of where resources should be allocated to have the greatest impact on mitigating current and future threats and current and future cybersecurity capabilities.

The model required to be developed under subparagraph (A) shall be used to— inform acquisition and sustainment of— information technology and cybersecurity tools; information technology and cybersecurity architectures; information technology and cybersecurity personnel; and cybersecurity and information technology concepts of operations; and evaluate and inform Government-wide cybersecurity programs.

The Director may develop multiple models under subparagraph (A) based on different agency characteristics, such as size or cybersecurity maturity.

Not less frequently than once every 3 years, the Director shall review, and update as necessary, the model required to be developed under subparagraph (A).

Not earlier than 5 years after the date on which the model developed under subparagraph (A) is completed, the Director shall, taking into account any classified or sensitive information, publish the model, and any updates necessary under subparagraph (F), on the public website of the Office of Management and Budget.

Not later than 2 years after the first publication of the budget submitted by the President under section 1105 of title 31, United States Code, following the date of enactment of this Act, and annually thereafter for each of the 2 following fiscal years or until the date on which the model required to be developed under subparagraph (A) is completed, whichever is sooner, the Director shall submit to the appropriate congressional committees a report on the development of the model.

Not later than 2 years after the date on which the model developed under paragraph (1) is completed, the Director shall require not less than 5 covered agencies to use the model to inform the development of the annual cybersecurity and information technology budget requests of those covered agencies.

Not later than 1 year after the date on which the covered agencies selected under clause (i) begin using the model developed under paragraph (1), the Director shall provide to the appropriate congressional committees a briefing on implementation of risk-based budgeting for cybersecurity spending, an assessment of agency implementation, and an evaluation of whether the risk-based budget helps to mitigate cybersecurity vulnerabilities.

Not later than 5 years after the date on which the model developed under paragraph (1) is completed, the head of each covered agency shall use the model, or any updated model pursuant to paragraph (1)(F), to the greatest extent practicable, to inform the development of the annual cybersecurity and information technology budget requests of the covered agency.

Section 3554(d)(2) of title 44, United States Code, is amended by inserting "and the risk-based budget model required under section 3553(a)(7)" after "paragraph (1)". The amendment made by clause (i) shall take effect on the date that is 5 years after the date on which the model developed under paragraph (1) is completed.

Section 1105(a)(35)(A)(i) of title 31, United States Code, is amended— in the matter preceding subclause (I), by striking "by agency, and by initiative area (as determined by the administration)" and inserting "and by agency"; in subclause (III), by striking "and" at the end; and by adding at the end the following: "a validation that the budgets submitted were informed by using a risk-based methodology; and a report on the progress of each agency on closing recommendations identified under the independent evaluation required by section 3555(a)(1) of title 44.". The amendments made by subparagraph (A) shall take effect on the date that is 5 years after the date on which the model developed under paragraph (1) is completed.

Section 3555(a)(2) of title 44, United States Code, is amended— in subparagraph (B), by striking "and" at the end; in subparagraph (C), by striking the period at the end and inserting "; and"; and by adding at the end the following: "an assessment of how the agency was informed by the risk-based budget model required under section 3553(a)(7) and an evaluation of whether the model mitigates agency cyber vulnerabilities.".

Section 3553(c) of title 44, United States Code, as amended by section 103 of this title, is further amended by inserting after paragraph (5) the following: "an assessment of— Federal agency utilization of the model required under subsection (a)(7); and whether the model mitigates the cyber vulnerabilities of the Federal Government.". The amendment made by clause (i) shall take effect on the date that is 5 years after the date on which the model developed under paragraph (1) is completed.

Not later than 3 years after the date on which the first budget of the President is submitted to Congress containing the validation required under section 1105(a)(35)(A)(i)(V) of title 31, United States Code, as amended by paragraph (3), the Comptroller General of the United States shall submit to the appropriate congressional committees a report that includes— an evaluation of the success of covered agencies in utilizing the risk-based budget model; an evaluation of the success of covered agencies in implementing risk-based budgets; an evaluation of whether the risk-based budgets developed by covered agencies are effective at informing Federal Government-wide cybersecurity programs; and any other information relating to risk-based budgets the Comptroller General determines appropriate.