Cybersecurity Enhancement Act of 2014

From Privacy Wiki
Short Title: Cybersecurity Enhancement Act of 2014
Official Text: Cybersecurity Enhancement Act of 2014
Country/Jurisdiction: United States
State or Province:
Regulatory Bodies:
Date Enacted: 2014/12/18
Scope of the Law: Individuals, Information
Taxonomy: Disclosure, Insecurity, Secondary Use
Strategies:

The Cybersecurity Enhancement Act of 2014 addresses cybersecurity threats while protecting individuals' privacy and civil liberties. The Act protects individuals from cyber risks that may negatively affect their privacy, and it requires that individuals' personal information be maintained and kept confidential.

Text of the law

TITLE I--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY

SEC. 101. PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY. Insecurity


(a) Cybersecurity.--Section 2(c) of the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) is amended--

(1) by redesignating paragraphs (15) through (22) as paragraphs (16) through (23), respectively; and

(2) by inserting after paragraph (14) the following: ``(15) on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure (as defined under subsection (e));''.

(b) Scope and Limitations.--Section 2 of the National Institute of Standards and Technology Act (15 U.S.C. 272) is amended by adding at the end the following:

``(e) Cyber Risks.--

``(1) In general.--In carrying out the activities under subsection (c)(15), the Director--

``(A) shall--

``(i) <<NOTE: Coordination.>> coordinate closely and regularly with relevant private sector personnel and entities, critical infrastructure owners and operators, and other relevant industry organizations, including Sector Coordinating Councils and Information Sharing and Analysis Centers, and incorporate industry expertise;

``(ii) <<NOTE: Consultation.>> consult with the heads of agencies with national security responsibilities, sector-specific agencies and other appropriate agencies, State and local governments, the governments of other nations, and international organizations;

``(iii) identify a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks;

``(iv) include methodologies--

``(I) to identify and mitigate impacts of the cybersecurity measures or controls on business confidentiality; and

``(II) to protect individual privacy and civil liberties;

``(v) incorporate voluntary consensus standards and industry best practices;

``(vi) align with voluntary international standards to the fullest extent possible;

``(vii) prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes; and

``(viii) include such other similar and consistent elements as the Director considers necessary; and

``(B) shall not prescribe or otherwise require--

``(i) the use of specific solutions;

``(ii) the use of specific information or communications technology products or services; or

``(iii) that information or communications technology products or services be designed, developed, or manufactured in a particular manner.

``(2) Limitation.--Information shared with or provided to the Institute for the purpose of the activities described under subsection (c)(15) shall not be used by any Federal, State, tribal, or local department or agency to regulate the activity of any entity. Nothing in this paragraph shall be construed to modify any regulatory requirement to report or submit information to a Federal, State, tribal, or local department or agency. Disclosure, Secondary Use


``(3) Definitions.--In this subsection:

``(A) Critical infrastructure.--The term `critical infrastructure' has the meaning given the term in section 1016(e) of the USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e)).

``(B) Sector-specific agency.--The term `sector-specific agency' means the Federal department or agency responsible for providing institutional knowledge and specialized expertise as well as leading, facilitating, or supporting the security and resilience programs and associated activities of its designated critical infrastructure sector in the all-hazards environment.''.

(c) Study and Reports.--

(1) Study.--The Comptroller General of the United States shall conduct a study that assesses--

(A) the progress made by the Director of the National Institute of Standards and Technology in facilitating the development of standards and procedures to reduce cyber risks to critical infrastructure in accordance with section 2(c)(15) of the National Institute of Standards and Technology Act, as added by this section;

(B) the extent to which the Director's facilitation efforts are consistent with the directive in such section that the development of such standards and procedures be voluntary and led by industry representatives;

(C) the extent to which other Federal agencies have promoted and sectors of critical infrastructure (as defined in section 1016(e) of the USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e))) have adopted a voluntary, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to reduce cyber risks to critical infrastructure in accordance with such section 2(c)(15);

(D) the reasons behind the decisions of sectors of critical infrastructure (as defined in subparagraph (C)) to adopt or to not adopt the voluntary standards described in subparagraph (C); and

(E) the extent to which such voluntary standards have proved successful in protecting critical infrastructure from cyber threats.

(2) Reports.--Not later than 1 year after the date of the enactment of this Act, and every 2 years thereafter for the following 6 years, the Comptroller General shall submit a report, which summarizes the findings of the study conducted under paragraph (1), to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Science, Space, and Technology of the House of Representatives.

TITLE <<NOTE: 15 USC prec. 7431.>> II--CYBERSECURITY RESEARCH AND DEVELOPMENT

SEC. 201. <<NOTE: 15 USC 7431.>> FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT. Insecurity


(a) Fundamental Cybersecurity Research.--

(1) Federal cybersecurity research and development strategic plan.--The heads <<NOTE: Deadline.>> of the applicable agencies and departments, working through the National Science and Technology Council and the Networking and Information Technology Research and Development Program, shall develop and update every 4 years a Federal cybersecurity research and development strategic plan (referred to in this subsection as the ``strategic plan'') based on an assessment of cybersecurity risk to guide the overall direction of Federal cybersecurity and information assurance research and development for information technology and networking systems. The heads of the applicable agencies and departments shall build upon existing programs and plans to develop the strategic plan to meet objectives in cybersecurity, such as--

(A) how to design and build complex software-intensive systems that are secure and reliable when first deployed;

(B) how to test and verify that software and hardware, whether developed locally or obtained from a third party, is free of significant known security flaws;

(C) how to test and verify that software and hardware obtained from a third party correctly implements stated functionality, and only that functionality;

(D) how to guarantee the privacy of an individual, including that individual's identity, information, and lawful transactions when stored in distributed systems or transmitted over networks;

(E) how to build new protocols to enable the Internet to have robust security as one of the key capabilities of the Internet;

(F) how to determine the origin of a message transmitted over the Internet;

(G) how to support privacy in conjunction with improved security;

(H) how to address the problem of insider threats;

(I) how improved consumer education and digital literacy initiatives can address human factors that contribute to cybersecurity;

(J) how to protect information processed, transmitted, or stored using cloud computing or transmitted through wireless services; and

(K) any additional objectives the heads of the applicable agencies and departments, in coordination with the head of any relevant Federal agency and with input from stakeholders, including appropriate national laboratories, industry, and academia, determine appropriate.

(2) Requirements.--

(A) Contents of plan.--The strategic plan shall--

(i) specify and prioritize near-term, mid-term, and long-term research objectives, including objectives associated with the research identified in section 4(a)(1) of the Cyber Security Research and Development Act (15 U.S.C. 7403(a)(1));

(ii) specify how the near-term objectives described in clause (i) complement research and development areas in which the private sector is actively engaged;

(iii) describe how the heads of the applicable agencies and departments will focus on innovative, transformational technologies with the potential to enhance the security, reliability, resilience, and trustworthiness of the digital infrastructure, and to protect consumer privacy;

(iv) describe how the heads of the applicable agencies and departments will foster the rapid transfer of research and development results into new cybersecurity technologies and applications for the timely benefit of society and the national interest, including through the dissemination of best practices and other outreach activities;

(v) describe how the heads of the applicable agencies and departments will establish and maintain a national research infrastructure for creating, testing, and evaluating the next generation of secure networking and information technology systems; and

(vi) describe how the heads of the applicable agencies and departments will facilitate access by academic researchers to the infrastructure described in clause (v), as well as to relevant data, including event data.

(B) Private sector efforts.--In developing, implementing, and updating the strategic plan, the heads of the applicable agencies and departments, working through the National Science and Technology Council and Networking and Information Technology Research and Development Program, shall work in close cooperation with industry, academia, and other interested stakeholders to ensure, to the extent possible, that Federal cybersecurity research and development is not duplicative of private sector efforts.

(C) Recommendations.--In developing and updating the strategic plan the heads of the applicable agencies and departments shall solicit recommendations and advice from--

(i) the advisory committee established under section 101(b)(1) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511(b)(1)); and

(ii) a wide range of stakeholders, including industry, academia, including representatives of minority serving institutions and community colleges, National Laboratories, and other relevant organizations and institutions.

(D) <<NOTE: Deadline.>> Implementation roadmap.--The heads of the applicable agencies and departments, working through the National Science and Technology Council and Networking and Information Technology Research and Development Program, shall develop and annually update an implementation roadmap for the strategic plan. The implementation roadmap shall--

(i) specify the role of each Federal agency in carrying out or sponsoring research and development to meet the research objectives of the strategic plan, including a description of how progress toward the research objectives will be evaluated;

SEC. 503. <<NOTE: 15 USC 7463.>> CLOUD COMPUTING STRATEGY. Insecurity


(a) <<NOTE: Coordination. Collaboration. Consultation.>> In General.--The Director, in coordination with the Office of Management and Budget, in collaboration with the Federal Chief Information Officers Council, and in consultation with other relevant Federal agencies and stakeholders from the private sector, shall continue to develop and encourage the implementation of a comprehensive strategy for the use and adoption of cloud computing services by the Federal Government.

(b) Activities.--In carrying out the strategy described under subsection (a), the Director shall give consideration to activities that--

(1) accelerate the development, in collaboration with the private sector, of standards that address interoperability and portability of cloud computing services;

(2) advance the development of conformance testing performed by the private sector in support of cloud computing standardization; and

(3) <<NOTE: Coordination. Consultation.>> support, in coordination with the Office of Management and Budget, and in consultation with the private sector, the development of appropriate security frameworks and reference materials, and the identification of best practices, for use by Federal agencies to address security and privacy requirements to enable the use and adoption of cloud computing services, including activities--

(A) to ensure the physical security of cloud computing data centers and the data stored in such centers;

(B) to ensure secure access to the data stored in cloud computing data centers;

(C) to develop security standards as required under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3); and

(D) to support the development of the automation of continuous monitoring systems.

SEC. 504. <<NOTE: 15 USC 7464.>> IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT. Insecurity


The Director shall continue a program to support the development of voluntary and cost-effective technical standards, metrology, testbeds, and conformance criteria, taking into account appropriate user concerns--

(1) to improve interoperability among identity management technologies;

(2) to strengthen authentication methods of identity management systems;

(3) to improve privacy protection in identity management systems, including health information technology systems, through authentication and security protocols; and

(4) to improve the usability of identity management systems.
