
	

114 HR 3664 IH: Promoting Good Cyber Hygiene Act of 2015
U.S. House of Representatives
2015-10-01
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



		I
		114th CONGRESS
		1st Session
		H. R. 3664
		IN THE HOUSE OF REPRESENTATIVES
		
			October 1, 2015
			Ms. Eshoo introduced the following bill; which was referred to the Committee on Science, Space, and Technology
		
		A BILL
		To provide for the identification and documentation of best practices for cyber hygiene by the National Institute of Standards and Technology, and for other purposes.
	
	
 1. Short title. This Act may be cited as the Promoting Good Cyber Hygiene Act of 2015.
 2. Cyber hygiene best practices.
 (a) Establishment. Not later than 1 year after the date of enactment of this Act, the National Institute of Standards and Technology, in consultation with the Federal Trade Commission and the Department of Homeland Security, after notice and an opportunity for public comment, shall establish a list of best practices for effective and usable cyber hygiene for use by the Federal Government, the private sector, and any individual or organization utilizing an information system or device. Such list shall—
 (1) be a list of simple, basic controls that have the most impact in defending against common cybersecurity threats and risks;
 (2) utilize technologies that are commercial off-the-shelf and based on international standards; and
 (3) be based on the Cybersecurity Framework contained in Executive Order 13636, entitled Improving Critical Infrastructure Cybersecurity, issued in February 2013.
 (b) Voluntary practices. The best practices on the list established under this section shall be considered voluntary and are not intended to be construed as a list of mandatory actions.
 (c) Baseline. The best practices on the list established under this section are intended as a baseline for the Federal Government, the private sector, and any individual or organization utilizing an information system or device. Such entities are encouraged to use and improve on those best practices.
 (d) Updates. The National Institute of Standards and Technology shall review and update the list of best practices established under this section on an annual basis.
 (e) Public availability. The list of best practices established under this section shall be published in a clear and concise format and made available prominently on the public websites of the Federal Trade Commission and the Small Business Administration.
 (f) Other Federal cybersecurity requirements. Nothing in this section shall be construed to supersede, alter, or otherwise affect any cybersecurity requirements applicable to Federal agencies.
 (g) Emerging concepts to provide effective cyber hygiene.
 (1) Study. The Secretary of Homeland Security, in coordination with the National Institute of Standards and Technology and the Federal Trade Commission, shall conduct a study on cybersecurity threats relating to mobile devices.
 (2) Matters studied. As part of the study required under this subsection, the Secretary shall—
 (A) assess threats relating to mobile devices;
 (B) assess the effect such threats may have on the cybersecurity of the information systems and networks of the Federal Government (except for the information systems and networks of the Department of Defense and the Intelligence Community); and
 (C) develop recommendations for addressing such threats.
 (3) Report to Congress. Not later than 1 year after the date of enactment of this Act, the Secretary shall—
 (A) complete the study under this subsection; and
 (B) submit a report to Congress that contains the findings of such study and the recommendations developed.
 (h) Definition. In this section, the term cyber hygiene means processes, procedures, and mechanisms that help protect information systems or devices against cybersecurity threats, including—
 (1) unauthorized access;
 (2) alteration of information or code running or intended to be running on such systems or devices; and
 (3) unauthorized denials of service to authorized users of these systems or devices.