§ 7406. National Institute of Standards and Technology programs
A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
(a), (b) Omitted
(c) Security automation and checklists for Government systems
(1) In general. The Director of the National Institute of Standards and Technology shall, as necessary, develop and revise security automation standards, associated reference materials (including protocols), and checklists providing settings and option selections that minimize the security risks associated with each information technology hardware or software system and security tool that is, or is likely to become, widely used within the Federal Government, thereby enabling standardized and interoperable technologies, architectures, and frameworks for continuous monitoring of information security within the Federal Government.
(2) Priorities for development. The Director of the National Institute of Standards and Technology shall establish priorities for the development of standards, reference materials, and checklists under this subsection on the basis of—
(A) the security risks associated with the use of the system;
(B) the number of agencies that use a particular system or security tool;
(C) the usefulness of the standards, reference materials, or checklists to Federal agencies that are users or potential users of the system;
(D) the effectiveness of the associated standard, reference material, or checklist in creating or enabling continuous monitoring of information security; or
(E) such other factors as the Director of the National Institute of Standards and Technology determines to be appropriate.
(3) Excluded systems. The Director of the National Institute of Standards and Technology may exclude from the application of paragraph (1) any information technology hardware or software system or security tool for which such Director determines that the development of a standard, reference material, or checklist is inappropriate because of the infrequency of use of the system, the obsolescence of the system, or the lack of utility or impracticability of developing a standard, reference material, or checklist for the system.
(4) Dissemination of standards and related materials. The Director of the National Institute of Standards and Technology shall ensure that Federal agencies are informed of the availability of any standard, reference material, checklist, or other item developed under this subsection.
(5) Agency use requirements. The development of standards, reference materials, and checklists under paragraph (1) for an information technology hardware or software system or tool does not—
(A) require any Federal agency to select the specific settings or options recommended by the standard, reference material, or checklist for the system;
(B) establish conditions or prerequisites for Federal agency procurement or deployment of any such system;
(C) imply an endorsement of any such system by the Director of the National Institute of Standards and Technology; or
(D) preclude any Federal agency from procuring or deploying other information technology hardware or software systems for which no such standard, reference material, or checklist has been developed or identified under paragraph (1).
(d) Federal agency information security programs
(1) In general. In developing the agencywide information security program required by section 3554(b) of title 44, an agency that deploys a computer hardware or software system for which the Director of the National Institute of Standards and Technology has developed a checklist under subsection (c) of this section—
(A) shall include in that program an explanation of how the agency has considered such checklist in deploying that system; and
(B) may treat the explanation as if it were a portion of the agency’s annual performance plan properly classified under criteria established by an Executive Order (within the meaning of section 1115(d) of title 31).
(2) Limitation. Paragraph (1) does not apply to any computer hardware or software system for which the National Institute of Standards and Technology does not have responsibility under section 278g–3(a)(3) of this title.
(Pub. L. 107–305, § 8, Nov. 27, 2002, 116 Stat. 2375; Pub. L. 113–274, title II, § 203, Dec. 18, 2014, 128 Stat. 2979; Pub. L. 113–283, § 2(e)(2), Dec. 18, 2014, 128 Stat. 3086.)