Skip to main content
HR 1224 115th Congress House Science, Technology, Communications Accounting and auditing Computer security and identity theft Department of Commerce Government information and archives Government studies and investigations Performance measurement Public-private cooperation Technology assessment

NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017

Introduced: February 27, 2017 See on congress.gov
Sign in to write a letter Sign in to watch
 Everywhere this bill has been 6 steps
Introduced
In committee
Reported out
Passed House
Passed Senate
To President
Became law
Oct 31, 2017
Placed on the Union Calendar, Calendar No. 276.
Oct 31, 2017
Reported (Amended) by the Committee on Science, Space, and Technology. H. Rept. 115-376.
Mar 1, 2017
Ordered to be Reported (Amended) by the Yeas and Nays: 19 - 14.
Mar 1, 2017
Committee Consideration and Mark-up Session Held.
Feb 27, 2017
Referred to the House Committee on Science, Space, and Technology.
Feb 27, 2017
Introduced in House
 Plain-English summary Congressional Research Service

NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017

(Sec. 2) This bill amends the National Institute of Standards and Technology Act to require the National Institute of Standards and Technology (NIST), in developing standards for information systems, to emphasize the principle that expanding cybersecurity threats require: (1) engineering security from the beginning of a system's life cycle, (2) building more trustworthy and secure components and systems from the start, and (3) applying well-defined security design principles throughout systems.

(Sec. 3) NIST must provide guidance for agencies to incorporate into their information security risk management efforts the Framework for Improving Critical Infrastructure Cybersecurity (Framework). Such guidance shall:

  • describe how the Framework aligns or augments existing agency practices;
  • identify any areas of conflict or overlap between the Framework and existing cybersecurity requirements;
  • include a template for federal agencies on how to use the Framework and recommend procedures for streamlining and harmonizing existing and future cybersecurity-related requirements;
  • recommend other procedures for compliance with cybersecurity reporting, oversight, and policy review; and
  • be updated to reflect what NIST learns from ongoing research, cybersecurity audits, information compiled by the federal working group, and annual reports.

NIST must chair a federal working group to coordinate the development of metrics and tools to measure the effectiveness of the Framework for federal agencies protecting their information and information systems.

The federal working group must assist the Office of Management and Budget (OMB) and Office of Science and Technology Policy (OSTP) in publishing annual reports on agency adoption rates and the effectiveness of the Framework.

NIST must initiate an individual cybersecurity audit of certain agencies to assess the extent to which each agency meets information security standards. NIST shall prepare a needs-based plan for the audits that includes: (1) a description of staffing plans, (2) workforce capabilities, (3) methods of conducting such audits, (4) coordination with agencies to support such audits, (5) expected timeframe for the completion of the audits, and (6) other relevant information.

NIST must report on the audit of each agency to: (1) OMB, (2) the OSTP, (3) the Government Accountability Office, (4) the agency being audited and its inspector general, and (5) Congress.

What's happening now October 31, 2017

Placed on the Union Calendar, Calendar No. 276.

 Committees of jurisdiction 1
 Cosponsors 2
All 2 Republican 2