Code · BILL · 118th Congress · H.R. 4552 (Reported in House) — To improve the cybersecurity of the Federal Government, and for other purposes. · Sec. 7

Sec. 7. Federal penetration testing policy

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Subchapter II of chapter 35 of title 44, United States Code, is amended by adding at the end the following:

The Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall issue guidance to agencies that— requires agencies to perform penetration testing on information systems, as appropriate, including on high value assets; provides policies governing the development of— rules of engagement for using penetration testing; and procedures to use the results of penetration testing to improve the cybersecurity and risk management of the agency; ensures that operational support or a shared service is available; and in no manner restricts the authority of the Secretary of Homeland Security or the Director of the Cybersecurity and Infrastructure Agency to conduct threat hunting pursuant to section 3553, or penetration testing under this chapter.

The guidance issued under subsection (a) shall not apply to national security systems.

The authorities of the Director described in subsection (a) shall be delegated to— the Secretary of Defense in the case of a system described in section 3553(e)(2); and the Director of National Intelligence in the case of a system described in section 3553(e)(3).

Compliance with guidance issued by the Director relating to penetration testing before the date of enactment of this Act shall be deemed to be compliant with section 3559A of title 44, United States Code, as added by this Act.

Nothing in section 3559A of title 44, United States Code, as added by this Act, shall be construed to require the Director to issue new guidance to agencies relating to penetration testing before the date described in paragraph (3).

Notwithstanding paragraphs (1) and (2), not later than 2 years after the date of enactment of this Act, the Director shall review and, as appropriate, update existing guidance requiring penetration testing by agencies.

The table of sections for chapter 35 of title 44, United States Code, is amended by adding after the item relating to section 3559 the following: 3559A. Federal penetration testing.

Section 3553(b) of title 44, United States Code, as amended by this Act, is further amended by inserting after paragraph (8) the following: performing penetration testing that may leverage manual expert analysis to identify threats and vulnerabilities within information systems— without consent or authorization from agencies; and with prior consultation with the head of the agency at least 72 hours in advance of such testing;