Defense

H.R.1224 – NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017

Short Titles as Introduced:

NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017

Official Title as Introduced:

To amend the National Institute of Standards and Technology Act to implement a framework, assessment, and audits for improving United States cybersecurity.

Summary:
Introduced in House (02/27/2017)

NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017

This bill amends the National Institute of Standards and Technology Act to require the National Institute of Standards and Technology (NIST), in developing standards for information systems, to emphasize the principle that expanding cybersecurity threats require: (1) engineering security from the beginning of a system’s life cycle, (2) building more trustworthy and secure components and systems from the start, and (3) applying well-defined security design principles throughout systems.

NIST must provide guidance for agencies to incorporate into their information security risk management efforts the Framework for Improving Critical Infrastructure Cybersecurity, which was prepared by NIST with input from the private sector in response to an executive order.

NIST must chair a federal working group and establish a public-private working group to coordinate the development of metrics and tools to measure the effectiveness of the cybersecurity framework for: (1) federal agencies protecting their information and information systems, and (2) private entities voluntarily analyzing their individual corporate risks.

The public-private working group must provide information voluntarily submitted by private entities to NIST and other private entities to improve the cybersecurity framework and enable private entities to use the framework more effectively.

The federal working group and the public-private working group must assist the Office of Science and Technology Policy (OSTP) in publishing annual reports on agency and industry framework adoption rates.

NIST must initiate an individual cybersecurity audit of certain agencies to assess the extent to which they meet information security standards. NIST must report on the audit of each agency to: (1) the Office of Management and Budget, (2) the OSTP, (3) the Government Accountability Office, (4) the agency being audited and its inspector general, and (5) Congress.