Ask AI
Bill115th CongressFiled Feb 27, 2017Science, Technology, Communications
H.R. 1224

NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017

Bill journey · stage 2 of 5

Under committee review

Filed
Comm.
Floor
Both
Law

What it doesSummary reported to house with amendment(s) (Oct 31, 2017)

NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017

(Sec. 2) This bill amends the National Institute of Standards and Technology Act to require the National Institute of Standards and Technology (NIST), in developing standards for information systems, to emphasize the principle that expanding cybersecurity threats require: (1) engineering security from the beginning of a system's life cycle, (2) building more trustworthy and secure components and systems from the start, and (3) applying well-defined security design principles throughout systems.

(Sec. 3) NIST must provide guidance for agencies to incorporate into their information security risk management efforts the Framework for Improving Critical Infrastructure Cybersecurity (Framework). Such guidance shall:

  • describe how the Framework aligns or augments existing agency practices;
  • identify any areas of conflict or overlap between the Framework and existing cybersecurity requirements;
  • include a template for federal agencies on how to use the Framework and recommend procedures for streamlining and harmonizing existing and future cybersecurity-related requirements;
  • recommend other procedures for compliance with cybersecurity reporting, oversight, and policy review; and
  • be updated to reflect what NIST learns from ongoing research, cybersecurity audits, information compiled by the federal working group, and annual reports.

NIST must chair a federal working group to coordinate the development of metrics and tools to measure the effectiveness of the Framework for federal agencies protecting their information and information systems.

The federal working group must assist the Office of Management and Budget (OMB) and Office of Science and Technology Policy (OSTP) in publishing annual reports on agency adoption rates and the effectiveness of the Framework.

NIST must initiate an individual cybersecurity audit of certain agencies to assess the extent to which each agency meets information security standards. NIST shall prepare a needs-based plan for the audits that includes: (1) a description of staffing plans, (2) workforce capabilities, (3) methods of conducting such audits, (4) coordination with agencies to support such audits, (5) expected timeframe for the completion of the audits, and (6) other relevant information.

NIST must report on the audit of each agency to: (1) OMB, (2) the OSTP, (3) the Government Accountability Office, (4) the agency being audited and its inspector general, and (5) Congress.

What just happenedOct 31, 2017

Placed on the Union Calendar, Calendar No. 276.

Who’s behind it

Rep. Abraham, Ralph Lee [R-LA-5](R-LA)Sponsor
5 cosponsors5 R
Read on Congress.gov
5cosponsors1committees8actions8subjects
  1. Oct 31, 2017CalendarsH12410

    Placed on the Union Calendar, Calendar No. 276.

  2. Oct 31, 2017CommitteeH12200

    Reported (Amended) by the Committee on Science, Space, and Technology. H. Rept. 115-376.

    Science, Space, and Technology Committee
  3. Oct 31, 2017Committee5000

    Reported (Amended) by the Committee on Science, Space, and Technology. H. Rept. 115-376.

    Science, Space, and Technology Committee
  4. Mar 1, 2017Committee

    Ordered to be Reported (Amended) by the Yeas and Nays: 19 - 14.

    Science, Space, and Technology Committee
  5. Mar 1, 2017Committee

    Committee Consideration and Mark-up Session Held.

    Science, Space, and Technology Committee
  6. Feb 27, 2017IntroReferralH11100

    Referred to the House Committee on Science, Space, and Technology.

    Science, Space, and Technology Committee
  7. Feb 27, 2017IntroReferralIntro-H

    Introduced in House

  8. Feb 27, 2017IntroReferral1000

    Introduced in House

Reported to House with amendment(s)Oct 31, 201717

NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017

(Sec. 2) This bill amends the National Institute of Standards and Technology Act to require the National Institute of Standards and Technology (NIST), in developing standards for information systems, to emphasize the principle that expanding cybersecurity threats require: (1) engineering security from the beginning of a system's life cycle, (2) building more trustworthy and secure components and systems from the start, and (3) applying well-defined security design principles throughout systems.

(Sec. 3) NIST must provide guidance for agencies to incorporate into their information security risk management efforts the Framework for Improving Critical Infrastructure Cybersecurity (Framework). Such guidance shall:

  • describe how the Framework aligns or augments existing agency practices;
  • identify any areas of conflict or overlap between the Framework and existing cybersecurity requirements;
  • include a template for federal agencies on how to use the Framework and recommend procedures for streamlining and harmonizing existing and future cybersecurity-related requirements;
  • recommend other procedures for compliance with cybersecurity reporting, oversight, and policy review; and
  • be updated to reflect what NIST learns from ongoing research, cybersecurity audits, information compiled by the federal working group, and annual reports.

NIST must chair a federal working group to coordinate the development of metrics and tools to measure the effectiveness of the Framework for federal agencies protecting their information and information systems.

The federal working group must assist the Office of Management and Budget (OMB) and Office of Science and Technology Policy (OSTP) in publishing annual reports on agency adoption rates and the effectiveness of the Framework.

NIST must initiate an individual cybersecurity audit of certain agencies to assess the extent to which each agency meets information security standards. NIST shall prepare a needs-based plan for the audits that includes: (1) a description of staffing plans, (2) workforce capabilities, (3) methods of conducting such audits, (4) coordination with agencies to support such audits, (5) expected timeframe for the completion of the audits, and (6) other relevant information.

NIST must report on the audit of each agency to: (1) OMB, (2) the OSTP, (3) the Government Accountability Office, (4) the agency being audited and its inspector general, and (5) Congress.

Introduced in HouseFeb 27, 2017

NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017

This bill amends the National Institute of Standards and Technology Act to require the National Institute of Standards and Technology (NIST), in developing standards for information systems, to emphasize the principle that expanding cybersecurity threats require: (1) engineering security from the beginning of a system's life cycle, (2) building more trustworthy and secure components and systems from the start, and (3) applying well-defined security design principles throughout systems.

NIST must provide guidance for agencies to incorporate into their information security risk management efforts the Framework for Improving Critical Infrastructure Cybersecurity, which was prepared by NIST with input from the private sector in response to an executive order.

NIST must chair a federal working group and establish a public-private working group to coordinate the development of metrics and tools to measure the effectiveness of the cybersecurity framework for: (1) federal agencies protecting their information and information systems, and (2) private entities voluntarily analyzing their individual corporate risks.

The public-private working group must provide information voluntarily submitted by private entities to NIST and other private entities to improve the cybersecurity framework and enable private entities to use the framework more effectively.

The federal working group and the public-private working group must assist the Office of Science and Technology Policy (OSTP) in publishing annual reports on agency and industry framework adoption rates.

NIST must initiate an individual cybersecurity audit of certain agencies to assess the extent to which they meet information security standards. NIST must report on the audit of each agency to: (1) the Office of Management and Budget, (2) the OSTP, (3) the Government Accountability Office, (4) the agency being audited and its inspector general, and (5) Congress.

NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017 — Informed