§ 660. Cybersecurity plans
(a) Definitions. In this section, the term “agency information system” means an information system used or operated by an agency or by another entity on behalf of an agency.
(b) Intrusion assessment plan
(1) Requirement. The Secretary, in coordination with the Director of the Office of Management and Budget, shall—
(A) develop and implement an intrusion assessment plan to proactively detect, identify, and remove intruders in agency information systems on a routine basis; and
(B) update such plan as necessary.
(2) Exception. The intrusion assessment plan required under paragraph (1) shall not apply to the Department of Defense, a national security system, or an element of the intelligence community.
(c) Cyber incident response plan. The Director of the Cybersecurity and Infrastructure Security Agency shall, in coordination with appropriate Federal departments and agencies, State and local governments, sector coordinating councils, Information Sharing and Analysis Organizations, owners and operators of critical infrastructure, and other appropriate entities and individuals, develop, update not less often than biennially, maintain, and exercise adaptable cyber incident response plans to address cybersecurity risks to critical infrastructure. The Director, in consultation with relevant Sector Risk Management Agencies and the National Cyber Director, shall develop mechanisms to engage with stakeholders to educate such stakeholders regarding Federal Government cybersecurity roles and responsibilities for cyber incident response.
(d) National Response Framework. The Secretary, in coordination with the heads of other appropriate Federal departments and agencies, and in accordance with the National Cybersecurity Incident Response Plan required under subsection (c), shall regularly update, maintain, and exercise the Cyber Incident Annex to the National Response Framework of the Department.
(e) Homeland Security Strategy to Improve the Cybersecurity of State, Local, Tribal, and Territorial Governments
(1) In general
(A) Requirement. Not later than one year after December 27, 2021, the Secretary, acting through the Director, shall, in coordination with the heads of appropriate Federal agencies, State, local, Tribal, and territorial governments, and other stakeholders, as appropriate, develop and make publicly available a Homeland Security Strategy to Improve the Cybersecurity of State, Local, Tribal, and Territorial Governments.
(B) Recommendations and requirements. The strategy required under subparagraph (A) shall provide recommendations relating to the ways in which the Federal Government should support and promote the ability of State, local, Tribal, and territorial governments to identify, mitigate against, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents.
(2) Contents. The strategy required under paragraph (1) shall—
(A) identify capability gaps in the ability of State, local, Tribal, and territorial governments to identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, incidents, and ransomware incidents;
(B) identify Federal resources and capabilities that are available or could be made available to State, local, Tribal, and territorial governments to help those governments identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, incidents, and ransomware incidents;
(C) identify and assess the limitations of Federal resources and capabilities available to State, local, Tribal, and territorial governments to help those governments identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, incidents, and ransomware incidents and make recommendations to address such limitations;
(D) identify opportunities to improve the coordination of the Agency with Federal and non-Federal entities, such as the Multi-State Information Sharing and Analysis Center, to improve—
(i) incident exercises, information sharing and incident notification procedures;
(ii) the ability for State, local, Tribal, and territorial governments to voluntarily adapt and implement guidance in Federal binding operational directives; and
(iii) opportunities to leverage Federal schedules for cybersecurity investments under section 502 of title 40;
(E) recommend new initiatives the Federal Government should undertake to improve the ability of State, local, Tribal, and territorial governments to identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, incidents, and ransomware incidents;
(F) set short-term and long-term goals that will improve the ability of State, local, Tribal, and territorial governments to identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, incidents, and ransomware incidents; and
(G) set dates, including interim benchmarks, as appropriate for State, local, Tribal, and territorial governments to establish baseline capabilities to identify, protect against, detect, respond to, and recover from cybersecurity risks, cybersecurity threats, incidents, and ransomware incidents.
(3) Considerations. In developing the strategy required under paragraph (1), the Director, in coordination with the heads of appropriate Federal agencies, State, local, Tribal, and territorial governments, and other stakeholders, as appropriate, shall consider—
(A) lessons learned from incidents that have affected State, local, Tribal, and territorial governments, and exercises with Federal and non-Federal entities;
(B) the impact of incidents that have affected State, local, Tribal, and territorial governments, including the resulting costs to such governments;
(C) the information related to the interest and ability of state and non-state threat actors to compromise information systems owned or operated by State, local, Tribal, and territorial governments; and
(D) emerging cybersecurity risks and cybersecurity threats to State, local, Tribal, and territorial governments resulting from the deployment of new technologies.
(4) Exemption. Chapter 35 of title 44 (commonly known as the “Paperwork Reduction Act”) shall not apply to any action to implement this subsection.
(Pub. L. 107–296, title XXII, § 2210, formerly title II, § 228, as added and amended Pub. L. 114–113, div. N, title II, §§ 205, 223(a)(2), (4), (5), Dec. 18, 2015, 129 Stat. 2961, 2963, 2964; renumbered title XXII, § 2210, and amended Pub. L. 115–278, § 2(g)(2)(I), (9)(A)(iv), Nov. 16, 2018, 132 Stat. 4178, 4181; Pub. L. 117–81, div. A, title XV, §§ 1545, 1546, Dec. 27, 2021, 135 Stat. 2057, 2059; Pub. L. 117–263, div. G, title LXXI, § 7143(b)(2)(E), (c)(8), Dec. 23, 2022, 136 Stat. 3660, 3663.)