[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1224 Reported in House (RH)]


                                                 Union Calendar No. 276
115th CONGRESS
  1st Session
                                H. R. 1224

                          [Report No. 115-376]

  To amend the National Institute of Standards and Technology Act to 
  implement a framework, assessment, and audits for improving United 
                         States cybersecurity.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           February 27, 2017

Mr. Abraham (for himself, Mr. Smith of Texas, Mr. Lucas, Mrs. Comstock, 
 and Mr. Knight) introduced the following bill; which was referred to 
            the Committee on Science, Space, and Technology

                            October 31, 2017

                    Additional sponsor: Mr. Sessions

                            October 31, 2017

  Reported with an amendment, committed to the Committee of the Whole 
       House on the State of the Union, and ordered to be printed
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]
    [For text of introduced bill, see copy of bill as introduced on 
                           February 27, 2017]


_______________________________________________________________________

                                 A BILL


 
  To amend the National Institute of Standards and Technology Act to 
  implement a framework, assessment, and audits for improving United 
                         States cybersecurity.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``NIST Cybersecurity Framework, 
Assessment, and Auditing Act of 2017''.

SEC. 2. NIST MISSION TO ADDRESS CYBERSECURITY THREATS.

    Section 20(a)(1) of the National Institute of Standards and 
Technology Act (15 U.S.C. 278g-3(a)(1)) is amended by inserting ``, 
emphasizing the principle that expanding cybersecurity threats require 
engineering security from the beginning of an information system's life 
cycle, building more trustworthy and secure components and systems from 
the start, and applying well-defined security design principles 
throughout'' before the semicolon.

SEC. 3. IMPLEMENTATION OF CYBERSECURITY FRAMEWORK.

    The National Institute of Standards and Technology Act (15 U.S.C. 
271 et seq.) is amended by inserting after section 20 the following:

``SEC. 20A. FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE 
              CYBERSECURITY.

    ``(a) Implementation by Federal Agencies.--The Institute shall 
promote the implementation by Federal agencies of the Framework for 
Improving Critical Infrastructure Cybersecurity (in this section and 
section 20B referred to as the `Framework') by providing to the Office 
of Management and Budget, the Office of Science and Technology Policy, 
and all other Federal agencies, not later than 6 months after the date 
of enactment of the NIST Cybersecurity Framework, Assessment, and 
Auditing Act of 2017, guidance that Federal agencies may use to 
incorporate the Framework into their information security risk 
management efforts, including practices related to compliance with 
chapter 35 of title 44, United States Code, and any other applicable 
Federal law.
    ``(b) Guidance.--The guidance required under subsection (a) shall--
            ``(1) describe how the Framework aligns with or augments 
        existing agency practices related to compliance with chapter 35 
        of title 44, United States Code, and any other applicable 
        Federal law;
            ``(2) identify any areas of conflict or overlap between the 
        Framework and existing cybersecurity requirements, including 
        gap areas where additional policies, standards, guidelines, or 
        programs may be needed to encourage Federal agencies to use the 
        Framework and improve the ability of Federal agencies to manage 
        cybersecurity risk;
            ``(3) include a template for Federal agencies on how to use 
        the Framework, and recommend procedures for streamlining and 
        harmonizing existing and future cybersecurity-related 
        requirements, in support of the goal of using the Framework to 
        supplant Federal agency practices in compliance with chapter 35 
        of title 44, United States Code;
            ``(4) recommend other procedures for compliance with 
        cybersecurity reporting, oversight, and policy review and 
        creation requirements under such chapter 35 and any other 
        applicable Federal law; and
            ``(5) be updated, as the Institute considers necessary, to 
        reflect what the Institute learns from ongoing research, the 
        audits conducted pursuant to section 20B(c), the information 
        compiled by the Federal working group established pursuant to 
        subsection (c), and the annual reports published pursuant to 
        subsection (d).
    ``(c) Federal Working Group.--Not later than 3 months after the 
date of enactment of the NIST Cybersecurity Framework, Assessment, and 
Auditing Act of 2017, the Institute shall establish and chair a working 
group (in this section referred to as the `Federal working group'), 
including representatives of the Office of Management and Budget, the 
Office of Science and Technology Policy, and other appropriate Federal 
agencies, which shall--
            ``(1) not later than 6 months after the date of enactment 
        of the NIST Cybersecurity Framework, Assessment, and Auditing 
        Act of 2017, develop outcome-based and quantifiable metrics to 
        help Federal agencies in their analysis and assessment of the 
        effectiveness of the Framework in protecting their information 
        and information systems;
            ``(2) update such metrics as the Federal working group 
        considers necessary;
            ``(3) compile information from Federal agencies on their 
        use of the Framework and the results of the analysis and 
        assessment described in paragraph (1); and
            ``(4) assist the Office of Management and Budget and the 
        Office of Science and Technology Policy in publishing the 
        annual report required under subsection (d).
    ``(d) Report.--The Office of Management and Budget and the Office 
of Science and Technology Policy shall develop and make publicly 
available an annual report on agency adoption rates and the 
effectiveness of the Framework. In preparing such report, the Offices 
shall use the information compiled by the Federal working group 
pursuant to subsection (c)(3).

``SEC. 20B. CYBERSECURITY AUDITS.

    ``(a) Initial Assessment.--
            ``(1) Requirement.--Not later than 6 months after the date 
        of enactment of the NIST Cybersecurity Framework, Assessment, 
        and Auditing Act of 2017, the Institute shall complete an 
        initial assessment of the cybersecurity preparedness of the 
        agencies described in paragraph (2). Such assessment shall be 
        based on information security standards developed under section 
        20, and may also be informed by work done or reports published 
        by other Federal agencies or officials.
            ``(2) Agencies.--The agencies referred to in paragraph (1) 
        are the agencies referred to in section 901(b) of title 31, 
        United States Code, and any other agency that has reported a 
        major incident (as defined in the Office of Management and 
        Budget Memorandum M-16-03, published on October 30, 2015, or 
        any successor document).
            ``(3) National security systems.--The requirement under 
        paragraph (1) shall not apply to national security systems (as 
        defined in section 3552(b) of title 44, United States Code).
    ``(b) Audit Plan.--Not later than 6 months after the date of 
enactment of this Act, the Institute shall prepare a needs-based plan 
for carrying out the audits of agencies as required under subsection 
(c). Such plan shall include a description of staffing plans, workforce 
capabilities, methods for conducting such audits, coordination with 
agencies to support such audits, expected timeframes for the completion 
of audits, and other information the Institute considers relevant. The 
plan shall be transmitted by the Institute to the congressional 
entities described in subsection (c)(4)(F).
    ``(c) Audits.--
            ``(1) Requirement.--Not later than 6 months after the date 
        of enactment of the NIST Cybersecurity Framework, Assessment, 
        and Auditing Act of 2017, the Institute shall initiate an 
        individual cybersecurity audit of each agency described in 
        subsection (a)(2), to assess the extent to which the agency is 
        meeting the information security standards developed under 
        section 20.
            ``(2) Relation to framework.--Audits conducted under this 
        subsection shall--
                    ``(A) to the extent applicable and available, be 
                informed by the report on agency adoption rates and the 
                effectiveness of the Framework described in section 
                20A(d); and
                    ``(B) if the agency is required by law or executive 
                order to adopt the Framework, be based on the guidance 
                described in section 20A(b) and metrics developed under 
                section 20A(c)(1).
            ``(3) Schedule.--The Institute shall establish a schedule 
        for completion of audits under this subsection to ensure that--
                    ``(A) audits of agencies whose information security 
                risk is high, based on the assessment conducted under 
                subsection (a), are completed not later than 1 year 
                after the date of enactment of the NIST Cybersecurity 
                Framework, Assessment, and Auditing Act of 2017, and 
                are audited annually thereafter; and
                    ``(B) audits of all other agencies described in 
                subsection (a)(2) are completed not later than 2 years 
                after the date of enactment of the NIST Cybersecurity 
                Framework, Assessment, and Auditing Act of 2017, and 
                are audited biennially thereafter.
            ``(4) Report.--A report of each audit conducted under this 
        subsection shall be transmitted by the Institute to--
                    ``(A) the Office of Management and Budget;
                    ``(B) the Office of Science and Technology Policy;
                    ``(C) the Government Accountability Office;
                    ``(D) the agency being audited;
                    ``(E) the Inspector General of such agency, if 
                there is one; and
                    ``(F) Congress, including the Committee on Science, 
                Space, and Technology of the House of Representatives 
                and the Committee on Commerce, Science, and 
                Transportation of the Senate.''.