Title 6 — Domestic SecurityRelease 119-73

§665h National Cyber Exercise Program

Title 6 › Chapter CHAPTER 1— - HOMELAND SECURITY ORGANIZATION › Subchapter SUBCHAPTER XVIII— - CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY › Part Part A— - Cybersecurity and Infrastructure Security › § 665h

Last updated Apr 6, 2026|Official source

Summary

Creates a National Cyber Exercise Program inside the Agency to test the National Cyber Incident Response Plan and related strategies. The program must use current risk information (threats, vulnerabilities, and likely harms). It should, when possible, mimic partial or total loss of government or critical infrastructure networks from a cyber incident. The program must check cyber readiness, improve how responders share information, quickly make after-action reports and follow-up plans, and provide model exercises and help public and private groups design, run, and evaluate exercises that match national, State, local, or Tribal plans. The Director may consult Sector Risk Management Agencies, the Office of the National Cyber Director, cyber research stakeholders, and Sector Coordinating Councils. Definitions: "State" — includes the 50 states, the District of Columbia, Puerto Rico, the Northern Mariana Islands, the U.S. Virgin Islands, Guam, American Samoa, and other U.S. territories. "Private entity" — defined in section 1501. The program does not change the FEMA Administrator’s authorities under section 748.

Full Legal Text

Title 6, §665h

Domestic Security — Source: USLM XML via OLRC

(a)(1)There is established in the Agency the National Cyber Exercise Program (referred to in this section as the “Exercise Program”) to evaluate the National Cyber Incident Response Plan, and other related plans and strategies.

(2)(A)The Exercise Program shall be—

(i)based on current risk assessments, including credible threats, vulnerabilities, and consequences;

(ii)designed, to the extent practicable, to simulate the partial or complete incapacitation of a government or critical infrastructure network resulting from a cyber incident;

(iii)designed to provide for the systematic evaluation of cyber readiness and enhance operational understanding of the cyber incident response system and relevant information sharing agreements; and

(iv)designed to promptly develop after-action reports and plans that can quickly incorporate lessons learned into future operations.

(B)The Exercise Program shall—

(i)include a selection of model exercises that government and private entities can readily adapt for use; and

(ii)aid such governments and private entities with the design, implementation, and evaluation of exercises that—

(I)conform to the requirements described in subparagraph (A);

(II)are consistent with any applicable national, State, local, or Tribal strategy or plan; and

(III)provide for systematic evaluation of readiness.

(3)In carrying out the Exercise Program, the Director may consult with appropriate representatives from Sector Risk Management Agencies, the Office of the National Cyber Director, cybersecurity research stakeholders, and Sector Coordinating Councils.

(b)In this section:

(1)The term “State” means any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the Northern Mariana Islands, the United States Virgin Islands, Guam, American Samoa, and any other territory or possession of the United States.

(2)The term “private entity” has the meaning given such term in section 1501 of this title.

(c)Nothing in this section shall be construed to affect the authorities or responsibilities of the Administrator of the Federal Emergency Management Agency pursuant to section 748 of this title.

Reference

Citations & Metadata

Citation

6 U.S.C. § 665h

Title 6 — Domestic Security

Last Updated

Apr 6, 2026

Release point: 119-73