## SEC. 101. PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY
### (a) Cybersecurity

Section 2(c) of the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) is amended—

(1) by redesignating paragraphs (15) through (22) as paragraphs (16) through (23), respectively; and

(2) by inserting after paragraph (14) the following:

> “(15) on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure (as defined under subsection (e));”.

### (b) Scope and Limitations

Section 2 of the National Institute of Standards and Technology Act (15 U.S.C. 272) is amended by adding at the end the following:

> “(e) Cyber Risks.
>
> “(1) In General. In carrying out the activities under subsection (c)(15), the Director—
>
> “(A) shall—
>
> “(i) coordinate closely and regularly with relevant private sector personnel and entities, critical infrastructure owners and operators, and other relevant industry organizations, including Sector Coordinating Councils and Information Sharing and Analysis Centers, and incorporate industry expertise;
>
> “(ii) consult with the heads of agencies with national security responsibilities, sector-specific agencies and other appropriate agencies, State and local governments, the governments of other nations, and international organizations;
>
> “(iii) identify a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks;
>
> “(iv) include methodologies—
>
> “(I) to identify and mitigate impacts of the cybersecurity measures or controls on business confidentiality; and
>
> “(II) to protect individual privacy and civil liberties;
>
> “(v) incorporate voluntary consensus standards and industry best practices;
>
> “(vi) align with voluntary international standards to the fullest extent possible;
>
> “(vii) prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes; and
>
> “(viii) include such other similar and consistent elements as the Director considers necessary; and
>
> “(B) shall not prescribe or otherwise require—
>
> “(i) the use of specific solutions;
>
> “(ii) the use of specific information or communications technology products or services; or
>
> “(iii) that information or communications technology products or services be designed, developed, or manufactured in a particular manner.
>
> “(2) Limitation. Information shared with or provided to the Institute for the purpose of the activities described under subsection (c)(15) shall not be used by any Federal, State, tribal, or local department or agency to regulate the activity of any entity. Nothing in this paragraph shall be construed to modify any regulatory requirement to report or submit information to a Federal, State, tribal, or local department or agency.
>
> “(3) Definitions. In this subsection:
>
> “(A) Critical infrastructure. The term ‘critical infrastructure’ has the meaning given the term in section 1016(e) of the USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e)).
>
> “(B) Sector-specific agency. The term ‘sector-specific agency’ means the Federal department or agency responsible for providing institutional knowledge and specialized expertise as well as leading, facilitating, or supporting the security and resilience programs and associated activities of its designated critical infrastructure sector in the all-hazards environment.”.

### (c) Study and Reports

(1) Study. The Comptroller General of the United States shall conduct a study that assesses—

(A) the progress made by the Director of the National Institute of Standards and Technology in facilitating the development of standards and procedures to reduce cyber risks to critical infrastructure in accordance with section 2(c)(15) of the National Institute of Standards and Technology Act, as added by this section;

(B) the extent to which the Director’s facilitation efforts are consistent with the directive in such section that the development of such standards and procedures be voluntary and led by industry representatives;

(C) the extent to which other Federal agencies have promoted and sectors of critical infrastructure (as defined in section 1016(e) of the USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e))) have adopted a voluntary, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to reduce cyber risks to critical infrastructure in accordance with such section 2(c)(15);

(D) the reasons behind the decisions of sectors of critical infrastructure (as defined in subparagraph (C)) to adopt or to not adopt the voluntary standards described in subparagraph (C); and

(E) the extent to which such voluntary standards have proved successful in protecting critical infrastructure from cyber threats.

(2) Reports. Not later than 1 year after the date of the enactment of this Act, and every 2 years thereafter for the following 6 years, the Comptroller General shall submit a report, which summarizes the findings of the study conducted under paragraph (1), to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives.

# TITLE II CYBERSECURITY RESEARCH AND DEVELOPMENT