Sec. 1733. PILOT PROGRAM ON CYBERSECURITY CAPABILITY METRICS
## SEC. 1733 PILOT PROGRAM ON CYBERSECURITY CAPABILITY METRICS **[**[10 U.S.C. 2224 note](/us/usc/t10/s2224)**]**

### (a) Pilot Program Required

The Secretary of Defense, acting through the Chief Information Officer of the Department of Defense and the Commander of United States Cyber Command, shall conduct a pilot program to assess the feasibility and advisability of developing and using speed-based metrics to measure the performance and effectiveness of security operations centers and cyber security service providers in the Department of Defense.

### (b) Requirements

#### (1) Development of metrics

(A) Not later than July 1, 2021, the Chief Information Officer and the Commander shall jointly develop metrics described in subsection (a) to carry out the pilot program under such subsection.

(B) The Chief Information Officer and the Commander shall ensure that the metrics developed under subparagraph (A) are commensurate with the representative timelines of nation-state and non-nation-state actors when gaining access to, and compromising, Department networks.

#### (2) Use of metrics

(A) Not later than December 1, 2021, the Secretary shall, in carrying out the pilot program required by subsection (a), begin using the metrics developed under paragraph (1) of this subsection to assess select security operations centers and cyber security service providers, which the Secretary shall select specifically for purposes of the pilot program, for a period of not less than four months.

(B) In carrying out the pilot program under subsection (a), the Secretary shall evaluate the effectiveness of operators, capabilities available to operators, and operators’ tactics, techniques, and procedures.

### (c) Authorities

In carrying out the pilot program under subsection (a), the Secretary may—

(1) assess select security operations centers and cyber security service providers—

(A) over the course of their mission performance; or

(B) in the testing and accreditation of cybersecurity products and services on test networks designated pursuant to section 1658 of the National Defense Authorization Act for Fiscal Year 2020 (Public Law 116-92); and

(2) assess select elements’ use of security orchestration and response technologies, modern endpoint security technologies, Big Data Platform instantiations, and technologies relevant to zero trust architectures.

### (d) Briefing

#### (1) In general

Not later than March 1, 2022, the Secretary shall brief the Committee on Armed Services of the Senate and the Committee on Armed Services of the House of Representatives on the findings of the Secretary with respect to the pilot program required by subsection (a).

#### (2) Elements

The briefing provided under paragraph (1) shall include the following:

(A) The pilot metrics developed under subsection (b)(1).

(B) The findings of the Secretary with respect to the assessments carried out under subsection (b)(2).

(C) An analysis of the utility of speed-based metrics in assessing security operations centers and cyber security service providers.

(D) An analysis of the utility of the extension of the pilot metrics to or speed-based assessment of the Cyber Mission Forces.

(E) An assessment of the technical and procedural measures that would be necessary to meet the speed-based metrics developed and applied in the pilot program.