NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017

NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017

(Sec. 2) This bill amends the National Institute of Standards and Technology Act to require the National Institute of Standards and Technology (NIST), in developing standards for information systems, to emphasize the principle that expanding cybersecurity threats require: (1) engineering security from the beginning of a system's life cycle, (2) building more trustworthy and secure components and systems from the start, and (3) applying well-defined security design principles throughout systems.

(Sec. 3) NIST must provide guidance for agencies to incorporate into their information security risk management efforts the Framework for Improving Critical Infrastructure Cybersecurity (Framework). Such guidance shall:

• describe how the Framework aligns or augments existing agency practices;
• identify any areas of conflict or overlap between the Framework and existing cybersecurity requirements;
• include a template for federal agencies on how to use the Framework and recommend procedures for streamlining and harmonizing existing and future cybersecurity-related requirements;
• recommend other procedures for compliance with cybersecurity reporting, oversight, and policy review; and
• be updated to reflect what NIST learns from ongoing research, cybersecurity audits, information compiled by the federal working group, and annual reports.

NIST must chair a federal working group to coordinate the development of metrics and tools to measure the effectiveness of the Framework for federal agencies protecting their information and information systems.

The federal working group must assist the Office of Management and Budget (OMB) and Office of Science and Technology Policy (OSTP) in publishing annual reports on agency adoption rates and the effectiveness of the Framework.

NIST must initiate an individual cybersecurity audit of certain agencies to assess the extent to which each agency meets information security standards. NIST shall prepare a needs-based plan for the audits that includes: (1) a description of staffing plans, (2) workforce capabilities, (3) methods of conducting such audits, (4) coordination with agencies to support such audits, (5) expected timeframe for the completion of the audits, and (6) other relevant information.

NIST must report on the audit of each agency to: (1) OMB, (2) the OSTP, (3) the Government Accountability Office, (4) the agency being audited and its inspector general, and (5) Congress.