Title 6 — Domestic SecurityRelease 119-73not60

§665h National Cyber Exercise Program

Title 6 › Chapter 1— HOMELAND SECURITY ORGANIZATION › Subchapter XVIII— CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY › Part A— Cybersecurity and Infrastructure Security › § 665h

Last updated Apr 3, 2026|Official source

Summary

Creates a National Cyber Exercise Program in the Agency to test the National Cyber Incident Response Plan and related plans. The program must use up-to-date risk info (threats, weaknesses, and likely harms). It must try to imitate partial or total failures of government or critical infrastructure networks caused by cyberattacks. The program must check how ready people and systems are, improve how response and information sharing work, and quickly make reports after exercises and plans to put lessons into practice. The program must offer model exercises that governments and private entities can adapt and must help them design, run, and evaluate exercises that meet these rules, align with national, State, local, or Tribal plans, and measure readiness. The Director can consult sector risk management agencies, the Office of the National Cyber Director, cyber research groups, and Sector Coordinating Councils. "State" covers the listed territories, and "private entity" is defined in section 1501. This does not change the FEMA Administrator’s authorities under section 748.

Full Legal Text

Title 6, §665h

Domestic Security — Source: USLM XML via OLRC

(a)(1)There is established in the Agency the National Cyber Exercise Program (referred to in this section as the “Exercise Program”) to evaluate the National Cyber Incident Response Plan, and other related plans and strategies.

(2)(A)The Exercise Program shall be—

(i)based on current risk assessments, including credible threats, vulnerabilities, and consequences;

(ii)designed, to the extent practicable, to simulate the partial or complete incapacitation of a government or critical infrastructure network resulting from a cyber incident;

(iii)designed to provide for the systematic evaluation of cyber readiness and enhance operational understanding of the cyber incident response system and relevant information sharing agreements; and

(iv)designed to promptly develop after-action reports and plans that can quickly incorporate lessons learned into future operations.

(B)The Exercise Program shall—

(i)include a selection of model exercises that government and private entities can readily adapt for use; and

(ii)aid such governments and private entities with the design, implementation, and evaluation of exercises that—

(I)conform to the requirements described in subparagraph (A);

(II)are consistent with any applicable national, State, local, or Tribal strategy or plan; and

(III)provide for systematic evaluation of readiness.

(3)In carrying out the Exercise Program, the Director may consult with appropriate representatives from Sector Risk Management Agencies, the Office of the National Cyber Director, cybersecurity research stakeholders, and Sector Coordinating Councils.

(b)In this section:

(1)The term “State” means any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the Northern Mariana Islands, the United States Virgin Islands, Guam, American Samoa, and any other territory or possession of the United States.

(2)The term “private entity” has the meaning given such term in section 1501 of this title.

(c)Nothing in this section shall be construed to affect the authorities or responsibilities of the Administrator of the Federal Emergency Management Agency pursuant to section 748 of this title.

Reference

Citations & Metadata

Citation

6 U.S.C. § 665h

Title 6 — Domestic Security

Last Updated

Apr 3, 2026

Release point: 119-73not60