Advancing Cybersecurity Diagnostics and Mitigation Act
This bill requires the Department of Homeland Security (DHS) to establish a program to assist agencies with continuously diagnosing and mitigating cyber threats and vulnerabilities.
Pursuant to this program, DHS shall (1) develop the capability to collect, analyze, and visualize information relating to security data and cybersecurity risks at agencies; (2) make program capabilities available for use by civilian agencies, states, and local governments; (3) assist such entities in setting information security priorities and assessing and managing cybersecurity risks; and (4) develop policies and procedures for reporting systemic risks and potential incidents. DHS must also regularly deploy new technologies to improve the program.
In addition, the Government Accountability Office must report on the potential impacts and benefits of replacing existing reporting requirements under the federal information policy with periodical real-time data provided by the program.
[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4237 Introduced in House (IH)]
116th CONGRESS
1st Session
H. R. 4237
To amend the Homeland Security Act of 2002 to authorize the Secretary
of Homeland Security to establish a continuous diagnostics and
mitigation program in the Cybersecurity and Infrastructure Security
Agency of the Department of Homeland Security, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
September 6, 2019
Mr. Ratcliffe (for himself and Mr. Khanna) introduced the following
bill; which was referred to the Committee on Oversight and Reform, and
in addition to the Committee on Homeland Security, for a period to be
subsequently determined by the Speaker, in each case for consideration
of such provisions as fall within the jurisdiction of the committee
concerned
_______________________________________________________________________
A BILL
To amend the Homeland Security Act of 2002 to authorize the Secretary
of Homeland Security to establish a continuous diagnostics and
mitigation program in the Cybersecurity and Infrastructure Security
Agency of the Department of Homeland Security, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Advancing Cybersecurity Diagnostics
and Mitigation Act''.
SEC. 2. ESTABLISHMENT OF CONTINUOUS DIAGNOSTICS AND MITIGATION PROGRAM
IN THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY.
(a) In General.--Section 2213 of the Homeland Security Act of 2002
(6 U.S.C. 663) is amended by adding at the end the following:
``(g) Continuous Diagnostics and Mitigation.--
``(1) Program.--
``(A) In general.--The Secretary, acting through
the Director of Cybersecurity and Infrastructure
Security, shall deploy, operate, and maintain a
continuous diagnostics and mitigation program for
agencies. Under such program, the Secretary shall--
``(i) assist agencies to continuously
diagnose and mitigate cyber threats and
vulnerabilities;
``(ii) develop and provide the capability
to collect, analyze, and visualize information
relating to security data and cybersecurity
risks at agencies;
``(iii) make program capabilities available
for use, with or without reimbursement, to
civilian agencies and State, local, Tribal, and
territorial governments;
``(iv) employ shared services, collective
purchasing, blanket purchase agreements, and
any other economic or procurement models the
Secretary determines appropriate to maximize
the cost savings associated with implementing
an information system;
``(v) assist entities in setting
information security priorities and assessing
and managing cybersecurity risks; and
``(vi) develop policies and procedures for
reporting systemic cybersecurity risks and
potential incidents based upon data collected
under such program.
``(B) Regular improvement.--The Secretary shall
regularly deploy new technologies and modify existing
technologies to the continuous diagnostics and
mitigation program required under subparagraph (A), as
appropriate, to improve the program.
``(2) Agency responsibilities.--Notwithstanding any other
provision of law, each agency that uses the continuous
diagnostics and mitigation program under paragraph (1) shall,
continuously and in real time, provide to the Secretary all
information, assessments, analyses, and raw data collected by
the program, in a manner specified by the Secretary.
``(3) Responsibilities of the secretary.--In carrying out
the continuous diagnostics and mitigation program under
paragraph (1), the Secretary shall, as appropriate--
``(A) share with agencies relevant analysis and
products developed under such program;
``(B) provide regular reports on cybersecurity
risks to agencies; and
``(C) provide comparative assessments of
cybersecurity risks for agencies.''.
(b) Continuous Diagnostics and Mitigation Strategy.--
(1) In general.--Not later than 180 days after the date of
the enactment of this Act, the Secretary of Homeland Security
shall develop a comprehensive continuous diagnostics and
mitigation strategy to carry out the continuous diagnostics and
mitigation program required under subsection (g) of section
2213 of the Homeland Security Act of 2002 (6 U.S.C. 663), as
added by subsection (a).
(2) Scope.--The strategy required under paragraph (1) shall
include the following:
(A) A description of the continuous diagnostics and
mitigation program, including efforts by the Secretary
of Homeland Security to assist with the deployment of
program tools, capabilities, and services, from the
inception of the program referred to in paragraph (1)
to the date of enactment of this Act.
(B) A description of the coordination and funding
required to deploy, install, and maintain the tools,
capabilities, and services that the Secretary of
Homeland Security determines to be necessary to satisfy
the requirements of such program.
(C) A description of any obstacles facing the
deployment, installation, and maintenance of tools,
capabilities, and services under such program.
(D) Recommendations and guidelines to help maintain
and continuously upgrade tools, capabilities, and
services provided under such program.
(E) Recommendations for using the data collected by
such program for creating a common framework for data
analytics, visualization of enterprise-wide risks, and
real-time reporting, and comparative assessments for
cybersecurity risks.
(F) Recommendations for future efforts and
activities, including for the rollout of new and
emerging tools, capabilities and services, proposed
timelines for delivery, and whether to continue the use
of phased rollout plans, related to securing networks,
devices, data, and information and operational
technology assets through the use of such program.
(3) Form.--The strategy required under paragraph (1) shall
be submitted in an unclassified form, but may contain a
classified annex.
(c) Report.--Not later than 180 days after the development of the
strategy required under subsection (b), the Secretary of Homeland
Security shall submit to the Committee on Homeland Security and
Governmental Affairs of the Senate and the Committee on Homeland
Security of the House of Representatives a report on cybersecurity risk
posture based on the data collected through the continuous diagnostics
and mitigation program under subsection (g) of section 2213 of the
Homeland Security Act of 2002 (6 U.S.C. 663), as added by subsection
(a).
(d) GAO Report.--Not later than 1 year after the date of enactment
of this Act, the Comptroller General of the United States shall submit
a report to Congress on the potential impacts and benefits of replacing
the reporting requirements under chapter 35 of title 44, United States
Code, with periodical real-time data provided by the continuous
diagnostics and mitigation program under subsection (g) of section 2213
of the Homeland Security Act of 2002 (6 U.S.C. 663), as added by
subsection (a).
Introduced in House
Referred to the Committee on Oversight and Reform, and in addition to the Committee on Homeland Security, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
Referred to the Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation.
Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation Discharged.
Committee Consideration and Mark-up Session Held.
Ordered to be Reported (Amended).