§1524 — Title 6 Domestic Security | U.S. Code

Summary

Requires several federal officials to study and report on how the government finds and stops intruders in agency computer systems. It defines some key terms in one line each: agency information (the data agencies hold); cyber threat indicator and defensive measure (types of cyber threat data and defensive actions); intrusion assessments (actions to find and remove intruders); intrusion assessment plan (the required plan for those actions); and intrusion detection and prevention capabilities (the tools and systems to spot and stop intrusions). The Comptroller General must do a study and report on effectiveness not later than 3 years after December 18, 2015. The Secretary must report to the congressional committees not later than 6 months after December 18, 2015 and every year after that on how the detection and prevention tools are being implemented, including privacy controls; the detection and prevention technologies used (commercial or not); the kinds and counts of indicators or techniques used; how many times risks were detected and how many times traffic was blocked; and details of the pilot testing new technologies and participating agencies. The Director must, starting not later than 18 months after December 18, 2015 and annually, report to Congress on how each agency uses these tools and the numbers and types of detections and preventions. The Federal Chief Information Officer must review and report between 18 months and 2 years after December 18, 2015 on how well the tools work (including against advanced persistent threats), whether they and related systems secure federal systems, costs and benefits versus commercial tools, and agencies’ ability to protect sensitive indicators if shared unclassified. The Director must also send the intrusion assessment plan to Congress within 6 months after December 18, 2015 (and within 30 days of updates), and must provide other plan copies, implementation findings, tool descriptions, compliance lists, and improved metrics within 1 year and annually as required. All reports should be unclassified but may include a classified annex.

Title 6, §1524

Domestic Security — Source: USLM XML via OLRC

(a)In this section:

(1)The term “agency information” has the meaning given the term in section 2213 of the Homeland Security Act of 2002 [6 U.S.C. 663].

(2)The terms “cyber threat indicator” and “defensive measure” have the meanings given those terms in section 650 of this title.

(3)The term “intrusion assessments” means actions taken under the intrusion assessment plan to identify and remove intruders in agency information systems.

(4)The term “intrusion assessment plan” means the plan required under section 2210(b)(1) of the Homeland Security Act of 2002 [6 U.S.C. 660(b)(1)].

(5)The term “intrusion detection and prevention capabilities” means the capabilities required under section 2213(b) of the Homeland Security Act of 2002 [6 U.S.C. 663(b)].

(b)Not later than 3 years after December 18, 2015, the Comptroller General of the United States shall conduct a study and publish a report on the effectiveness of the approach and strategy of the Federal Government to securing agency information systems, including the intrusion detection and prevention capabilities and the intrusion assessment plan.

(c)(1)(A)Not later than 6 months after December 18, 2015, and annually thereafter, the Secretary shall submit to the appropriate congressional committees a report on the status of implementation of the intrusion detection and prevention capabilities, including—

(i)a description of privacy controls;

(ii)a description of the technologies and capabilities utilized to detect cybersecurity risks in network traffic, including the extent to which those technologies and capabilities include existing commercial and noncommercial technologies;

(iii)a description of the technologies and capabilities utilized to prevent network traffic associated with cybersecurity risks from transiting or traveling to or from agency information systems, including the extent to which those technologies and capabilities include existing commercial and noncommercial technologies;

(iv)a list of the types of indicators or other identifiers or techniques used to detect cybersecurity risks in network traffic transiting or traveling to or from agency information systems on each iteration of the intrusion detection and prevention capabilities and the number of each such type of indicator, identifier, and technique;

(v)the number of instances in which the intrusion detection and prevention capabilities detected a cybersecurity risk in network traffic transiting or traveling to or from agency information systems and the number of times the intrusion detection and prevention capabilities blocked network traffic associated with cybersecurity risk; and

(vi)a description of the pilot established under section 2213(c)(5) of the Homeland Security Act of 2002 [6 U.S.C. 663(c)(5)], including the number of new technologies tested and the number of participating agencies.

(B)Not later than 18 months after December 18, 2015, and annually thereafter, the Director shall submit to Congress, as part of the report required under section 3553(c) of title 44, an analysis of agency application of the intrusion detection and prevention capabilities, including—

(i)a list of each agency and the degree to which each agency has applied the intrusion detection and prevention capabilities to an agency information system; and

(ii)a list by agency of—

(I)the number of instances in which the intrusion detection and prevention capabilities detected a cybersecurity risk in network traffic transiting or traveling to or from an agency information system and the types of indicators, identifiers, and techniques used to detect such cybersecurity risks; and

(II)the number of instances in which the intrusion detection and prevention capabilities prevented network traffic associated with a cybersecurity risk from transiting or traveling to or from an agency information system and the types of indicators, identifiers, and techniques used to detect such agency information systems.

(C)Not earlier than 18 months after December 18, 2015, and not later than 2 years after December 18, 2015, the Federal Chief Information Officer shall review and submit to the appropriate congressional committees a report assessing the intrusion detection and intrusion prevention capabilities, including—

(i)the effectiveness of the system in detecting, disrupting, and preventing cyber-threat actors, including advanced persistent threats, from accessing agency information and agency information systems;

(ii)whether the intrusion detection and prevention capabilities, continuous diagnostics and mitigation, and other systems deployed under subtitle D 11 See References in Text note below. of title II of the Homeland Security Act of 2002 (6 U.S.C. 231 et seq.) are effective in securing Federal information systems;

(iii)the costs and benefits of the intrusion detection and prevention capabilities, including as compared to commercial technologies and tools and including the value of classified cyber threat indicators; and

(iv)the capability of agencies to protect sensitive cyber threat indicators and defensive measures if they were shared through unclassified mechanisms for use in commercial technologies and tools.

(2)The Director shall—

(A)not later than 6 months after December 18, 2015, and 30 days after any update thereto, submit the intrusion assessment plan to the appropriate congressional committees;

(B)not later than 1 year after December 18, 2015, and annually thereafter, submit to Congress, as part of the report required under section 3553(c) of title 44—

(i)a description of the implementation of the intrusion assessment plan;

(ii)the findings of the intrusion assessments conducted pursuant to the intrusion assessment plan;

(iii)a description of the advanced network security tools included in the efforts to continuously diagnose and mitigate cybersecurity risks pursuant to section 1522(a)(1) of this title; and

(iv)a list by agency of compliance with the requirements of section 1523(b) of this title; and

(C)not later than 1 year after December 18, 2015, submit to the appropriate congressional committees—

(i)a copy of the plan developed pursuant to section 1522(a)(2) of this title; and

(ii)the improved metrics developed pursuant to section 1522(c) of this title.

(d)Each report required under this section shall be submitted in unclassified form, but may include a classified annex.

Notes & Related Subsidiaries

Editorial Notes

References in Text

Subtitle D of title II of the Homeland Security Act of 2002, referred to in subsec. (c)(1)(C)(ii), is subtitle D (§§ 231–237) of title II of Pub. L. 107–296, Nov. 25, 2002, 116 Stat. 2159, which enacted part D (§ 161 et seq.) of subchapter II of chapter 1 of this title and amended section 10102 and 10122 of Title 34, Crime Control and Law

Enforcement

. Subtitle D was redesignated subtitle C of title II of the Homeland Security Act of 2002 by Pub. L. 115–278, § 2(g)(2)(K), Nov. 16, 2018, 132 Stat. 4178, and is classified principally to part C (§ 161 et seq.) of subchapter II of chapter 1 of this title. For complete classification of subtitle C to the Code, see Tables.

Amendments

2022—Subsec. (a)(2). Pub. L. 117–263 substituted “section 650 of this title” for “section 1501 of this title”. 2018—Subsec. (a)(1). Pub. L. 115–278, § 2(h)(1)(F)(i)(I), substituted “section 2213” for “section 230” and struck out before period at end “, as added by section 223(a)(6) of this division”. Subsec. (a)(4). Pub. L. 115–278, § 2(h)(1)(F)(i)(II), substituted “section 2210(b)(1)” for “section 228(b)(1)” and struck out before period at end “, as added by section 223(a)(4) of this division”. Subsec. (a)(5). Pub. L. 115–278, § 2(h)(1)(F)(i)(III), substituted “section 2213(b)” for “section 230(b)” and struck out before period at end “, as added by section 223(a)(6) of this division”. Subsec. (c)(1)(A)(vi). Pub. L. 115–278, § 2(h)(1)(F)(ii), substituted “section 2213(c)(5)” for “section 230(c)(5)” and struck out “, as added by section 223(a)(6) of this division” after “Homeland Security Act of 2002”.

§1524 Assessment; Reports