[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1224 Introduced in House (IH)]

115th CONGRESS
  1st Session
                                H. R. 1224

  To amend the National Institute of Standards and Technology Act to 
  implement a framework, assessment, and audits for improving United 
                         States cybersecurity.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           February 27, 2017

Mr. Abraham (for himself, Mr. Smith of Texas, Mr. Lucas, Mrs. Comstock, 
 and Mr. Knight) introduced the following bill; which was referred to 
            the Committee on Science, Space, and Technology

_______________________________________________________________________

                                 A BILL


 
  To amend the National Institute of Standards and Technology Act to 
  implement a framework, assessment, and audits for improving United 
                         States cybersecurity.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``NIST Cybersecurity Framework, 
Assessment, and Auditing Act of 2017''.

SEC. 2. NIST MISSION TO ADDRESS CYBERSECURITY THREATS.

    Section 20(a)(1) of the National Institute of Standards and 
Technology Act (15 U.S.C. 278g-3(a)(1)) is amended by inserting ``, 
emphasizing the principle that expanding cybersecurity threats require 
engineering security from the beginning of an information system's life 
cycle, building more trustworthy and secure components and systems from 
the start, and applying well-defined security design principles 
throughout'' before the semicolon.

SEC. 3. IMPLEMENTATION OF CYBERSECURITY FRAMEWORK.

    The National Institute of Standards and Technology Act (15 U.S.C. 
271 et seq.) is amended by inserting after section 20 the following:

``SEC. 20A. FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE 
              CYBERSECURITY.

    ``(a) Implementation by Federal Agencies.--
            ``(1) In general.--The Institute shall promote the 
        implementation by Federal agencies of the Framework for 
        Improving Critical Infrastructure Cybersecurity (in this 
        section and section 20B referred to as the `Framework') by 
        providing to the Office of Management and Budget, the Office of 
        Science and Technology Policy, and all other Federal agencies, 
        not later than 6 months after the date of enactment of the NIST 
        Cybersecurity Framework, Assessment, and Auditing Act of 2017, 
        guidance that Federal agencies may use to incorporate the 
        Framework into their information security risk management 
        efforts, including practices related to compliance with chapter 
        35 of title 44, United States Code, and any other applicable 
        Federal law.
            ``(2) Guidance.--The guidance required under paragraph (1) 
        shall--
                    ``(A) describe how the Framework aligns with or 
                augments existing agency practices related to 
                compliance with chapter 35 of title 44, United States 
                Code, and any other applicable Federal law;
                    ``(B) identify any areas of conflict or overlap 
                between the Framework and existing cybersecurity 
                requirements, including gap areas where additional 
                policies, standards, guidelines, or programs may be 
                needed to encourage Federal agencies to use the 
                Framework and improve the ability of Federal agencies 
                to manage cybersecurity risk;
                    ``(C) include a template for Federal agencies on 
                how to use the Framework, and recommend procedures for 
                streamlining and harmonizing existing and future 
                cybersecurity-related requirements, in support of the 
                goal of using the Framework to supplant Federal agency 
                practices in compliance with chapter 35 of title 44, 
                United States Code;
                    ``(D) recommend other procedures for compliance 
                with cybersecurity reporting, oversight, and policy 
                review and creation requirements under such chapter 35 
                and any other applicable Federal law; and
                    ``(E) be updated, as the Institute considers 
                necessary, to reflect what the Institute learns from 
                ongoing research, the audits conducted pursuant to 
                section 20B(b), the information compiled by the Federal 
                working group established pursuant to paragraph (3), 
                the information compiled by the public-private working 
                group established pursuant to subsection (b)(1), the 
                annual reports published pursuant to paragraph (4), and 
                the annual reports published pursuant to subsection 
                (b)(2).
            ``(3) Federal working group.--Not later than 3 months after 
        the date of enactment of the NIST Cybersecurity Framework, 
        Assessment, and Auditing Act of 2017, the Institute shall 
        establish and chair a working group (in this section referred 
        to as the `Federal working group'), including representatives 
        of the Office of Science and Technology Policy and other 
        appropriate Federal agencies, which shall--
                    ``(A) not later than 6 months after the date of 
                enactment of the NIST Cybersecurity Framework, 
                Assessment, and Auditing Act of 2017, develop outcome-
                based and quantifiable metrics, in coordination with 
                the public-private working group established pursuant 
                to subsection (b), to help Federal agencies in their 
                analysis and assessment of the effectiveness of the 
                Framework in protecting their information and 
                information systems;
                    ``(B) update such metrics as the Federal working 
                group considers necessary;
                    ``(C) compile information from Federal agencies on 
                their use of the Framework and the results of the 
                analysis and assessment described in subparagraph (A); 
                and
                    ``(D) assist the Office of Science and Technology 
                Policy in publishing the annual report required under 
                paragraph (4).
            ``(4) Report.--The Office of Science and Technology Policy 
        shall develop and make publicly available an annual report on 
        agency adoption rates and the effectiveness of the Framework. 
        In preparing such report, the Office shall use the information 
        compiled by the Federal working group pursuant to paragraph 
        (3)(C).
    ``(b) Implementation by Private Entities.--
            ``(1) Public-private working group.--Not later than 6 
        months after the date of enactment of the NIST Cybersecurity 
        Framework, Assessment, and Auditing Act of 2017, the Institute 
        shall, in coordination with industry stakeholders, establish a 
        working group (in this section referred to as the `public-
        private working group') which shall--
                    ``(A) not later than 1 year after the date of 
                enactment of the NIST Cybersecurity Framework, 
                Assessment, and Auditing Act of 2017, develop specific 
                Framework implementation models and measurement tools 
                that private entities can use to adopt the Framework;
                    ``(B) not later than 1 year after the date of 
                enactment of the NIST Cybersecurity Framework, 
                Assessment, and Auditing Act of 2017, develop, in 
                coordination with the Federal working group, industry-
                led, consensus and outcome-based metrics that quantify 
                the effectiveness and benefits of the Framework to 
                enable private entities to voluntarily analyze and 
                assess their individual corporate cybersecurity risks;
                    ``(C) update the models and tools developed 
                pursuant to subparagraph (A) and the metrics developed 
                pursuant to subparagraph (B), as the public-private 
                working group considers necessary;
                    ``(D) compile information, derived from the metrics 
                developed pursuant to subparagraph (B), voluntarily 
                submitted by private entities on their use of the 
                Framework and on the effectiveness and benefits of such 
                use;
                    ``(E) analyze the information compiled pursuant to 
                subparagraph (D) and provide such information and 
                analysis to--
                            ``(i) the Institute, for the purpose of 
                        enabling the Institute to make improvements to 
                        the Framework; and
                            ``(ii) private entities, for the purpose of 
                        providing such entities with a greater 
                        understanding of the benefits of the Framework 
                        to enable them to use the Framework more 
                        effectively to improve their cybersecurity; and
                    ``(F) assist the Office of Science and Technology 
                Policy in publishing the annual report required under 
                paragraph (2).
            ``(2) Report.--The Office of Science and Technology Policy 
        shall develop and make publicly available an annual report on 
        industry adoption rates and the effectiveness of the Framework. 
        In preparing such report, the Office shall use information 
        compiled by the public-private working group pursuant to 
        paragraph (1)(D).

``SEC. 20B. CYBERSECURITY AUDITS.

    ``(a) Initial Assessment.--
            ``(1) Requirement.--Not later than 6 months after the date 
        of enactment of the NIST Cybersecurity Framework, Assessment, 
        and Auditing Act of 2017, the Institute shall complete an 
        initial assessment of the cybersecurity preparedness of the 
        agencies described in paragraph (2). Such assessment shall be 
        based on information security standards developed under section 
        20, and may also be informed by work done or reports published 
        by other Federal agencies or officials.
            ``(2) Agencies.--The agencies referred to in paragraph (1) 
        are the agencies referred to in section 901(b) of title 31, 
        United States Code, and any other agency that has reported a 
        major incident (as defined in the Office of Management and 
        Budget Memorandum--16-03, published on October 30, 2015, or any 
        successor document).
            ``(3) National security systems.--The requirement under 
        paragraph (1) shall not apply to national security systems (as 
        defined in section 3552(b) of title 44, United States Code).
    ``(b) Audits.--
            ``(1) Requirement.--Not later than 6 months after the date 
        of enactment of the NIST Cybersecurity Framework, Assessment, 
        and Auditing Act of 2017, the Institute shall initiate an 
        individual cybersecurity audit of each agency described in 
        subsection (a)(2), to assess the extent to which the agency is 
        meeting the information security standards developed under 
        section 20.
            ``(2) Relation to framework.--Audits conducted under this 
        subsection shall--
                    ``(A) to the extent applicable and available, be 
                informed by the report on agency adoption rates and the 
                effectiveness of the Framework described in section 
                20A(a)(4); and
                    ``(B) if the agency is required by law or Executive 
                order to adopt the Framework, be based on the guidance 
                described in section 20A(a)(2) and metrics developed 
                under section 20A(a)(3)(A).
            ``(3) Schedule.--The Institute shall establish a schedule 
        for completion of audits under this subsection to ensure that--
                    ``(A) audits of agencies whose information security 
                risk is high, based on the assessment conducted under 
                subsection (a), are completed not later than 1 year 
                after the date of enactment of the NIST Cybersecurity 
                Framework, Assessment, and Auditing Act of 2017, and 
                are audited annually thereafter; and
                    ``(B) audits of all other agencies described in 
                subsection (a)(2) are completed not later than 2 years 
                after the date of enactment of the NIST Cybersecurity 
                Framework, Assessment, and Auditing Act of 2017, and 
                are audited biennially thereafter.
            ``(4) Report.--A report of each audit conducted under this 
        subsection shall be transmitted by the Institute to--
                    ``(A) the Office of Management and Budget;
                    ``(B) the Office of Science and Technology Policy;
                    ``(C) the Government Accountability Office;
                    ``(D) the agency being audited;
                    ``(E) the Inspector General of such agency, if 
                there is one; and
                    ``(F) Congress, including the Committee on Science, 
                Space, and Technology of the House of Representatives 
                and the Committee on Commerce, Science, and 
                Transportation of the Senate.''.