[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3664 Introduced in House (IH)]

114th CONGRESS
  1st Session
                                H. R. 3664

 To provide for the identification and documentation of best practices 
     for cyber hygiene by the National Institute of Standards and 
                  Technology, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            October 1, 2015

  Ms. Eshoo introduced the following bill; which was referred to the 
              Committee on Science, Space, and Technology

_______________________________________________________________________

                                 A BILL


 
 To provide for the identification and documentation of best practices 
     for cyber hygiene by the National Institute of Standards and 
                  Technology, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Promoting Good Cyber Hygiene Act of 
2015''.

SEC. 2. CYBER HYGIENE BEST PRACTICES.

    (a) Establishment.--Not later than 1 year after the date of 
enactment of this Act, the National Institute of Standards and 
Technology, in consultation with the Federal Trade Commission and the 
Department of Homeland Security, after notice and an opportunity for 
public comment, shall establish a list of best practices for effective 
and usable cyber hygiene for use by the Federal Government, the private 
sector, and any individual or organization utilizing an information 
system or device. Such list shall--
            (1) be a list of simple, basic controls that have the most 
        impact in defending against common cybersecurity threats and 
        risks;
            (2) utilize technologies that are commercial off-the-shelf 
        and based on international standards; and
            (3) be based on the Cybersecurity Framework contained in 
        Executive Order 13636, entitled Improving Critical 
        Infrastructure Cybersecurity, issued in February 2013.
    (b) Voluntary Practices.--The best practices on the list 
established under this section shall be considered voluntary and are 
not intended to be construed as a list of mandatory actions.
    (c) Baseline.--The best practices on the list established under 
this section are intended as a baseline for the Federal Government, the 
private sector, and any individual or organization utilizing an 
information system or device. Such entities are encouraged to use and 
improve on those best practices.
    (d) Updates.--The National Institute of Standards and Technology 
shall review and update the list of best practices established under 
this section on an annual basis.
    (e) Public Availability.--The list of best practices established 
under this section shall be published in a clear and concise format and 
made available prominently on the public websites of the Federal Trade 
Commission and the Small Business Administration.
    (f) Other Federal Cybersecurity Requirements.--Nothing in this 
section shall be construed to supersede, alter, or otherwise affect any 
cybersecurity requirements applicable to Federal agencies.
    (g) Emerging Concepts To Provide Effective Cyber Hygiene.--
            (1) Study.--The Secretary of Homeland Security, in 
        coordination with the National Institute of Standards and 
        Technology and the Federal Trade Commission, shall conduct a 
        study on cybersecurity threats relating to mobile devices.
            (2) Matters studied.--As part of the study required under 
        this subsection, the Secretary shall--
                    (A) assess threats relating to mobile devices;
                    (B) assess the effect such threats may have on the 
                cybersecurity of the information systems and networks 
                of the Federal Government (except for the information 
                systems and networks of the Department of Defense and 
                the Intelligence Community); and
                    (C) develop recommendations for addressing such 
                threats.
            (3) Report to congress.--Not later than 1 year after the 
        date of enactment of this Act, the Secretary shall--
                    (A) complete the study under this subsection; and
                    (B) submit a report to Congress that contains the 
                findings of such study and the recommendations 
                developed.
    (h) Definition.--In this section, the term ``cyber hygiene'' means 
processes, procedures, and mechanisms that help protect information 
systems or devices against cybersecurity threats, including--
            (1) unauthorized access;
            (2) alteration of information or code running or intended 
        to be running on such systems or devices; and
            (3) unauthorized denials of service to authorized users of 
        these systems or devices.