{"identifier":"/us/usc/t50/s2412","title":50,"num":"\u00a7\u202f2412.","heading":"Cybersecurity Risk Inventory, Assessment, and Mitigation Working Group","text":"\u00a7\u202f2412.\nCybersecurity Risk Inventory, Assessment, and Mitigation Working Group\n(a)\nEstablishment\nThere is in the Administration a working group, to be known as the \u201cCybersecurity Risk Inventory, Assessment, and Mitigation Working Group\u201d (referred to in this section as the \u201cworking group\u201d).\n(b)\nMembership\nMembers of the working group shall include\u2014\n(1) the Deputy Administrator for Defense Programs;\n(2) the Associate Administrator for Information Management and Chief Information Officer; and\n(3) such other personnel of the Administration as are determined appropriate for inclusion in the working group by the Chairperson.\n(c)\nChairperson\nThe Deputy Administrator for Defense Programs shall serve as the Chairperson of the working group, except that the Administrator may designate another member of the working group to serve as Chairperson in lieu of the Deputy Administrator if the Administrator determines it is appropriate to do so.\n(d)\nComprehensive strategy\nThe working group shall prepare a comprehensive strategy for inventorying the range of systems of the Administration that are potentially at risk in the operational technology and nuclear weapons information technology environments, assessing the systems at risk based on mission impact, and implementing risk mitigation actions. Such strategy shall incorporate key elements of effective cybersecurity risk management strategies, as identified by the Government Accountability Office, including the specification of\u2014\n(1) goals, objectives, activities, and performance measures;\n(2) organizational roles, responsibilities, and coordination;\n(3) resources needed to implement the strategy through 2034; and\n(4) detailed milestones and schedules for completion of tasks.\n(e)\nSubmission to Congress\n(1)\nInterim briefing\nNot later than 120 days after\nDecember 22, 2023\n(2)\nCompleted strategy\nNot later than\nApril 1, 2025\n(f)\nTermination\nThe working group shall terminate on a date determined by the Administrator that is not earlier than the date that is five years after\nDecember 22, 2023","url":"https://projectusc.org/usc/t50/s2412.html","content":[{"t":"sec","id":"/us/usc/t50/s2412","children":[{"t":"num","text":"\u00a7\u202f2412."},{"t":"heading","text":"Cybersecurity Risk Inventory, Assessment, and Mitigation Working Group"},{"t":"subsec","id":"/us/usc/t50/s2412/a","children":[{"t":"num","text":"(a)"},{"t":"heading","text":"Establishment"},{"t":"content","children":[{"t":"p","text":"There is in the Administration a working group, to be known as the \u201cCybersecurity Risk Inventory, Assessment, and Mitigation Working Group\u201d (referred to in this section as the \u201cworking group\u201d).","tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"subsec","id":"/us/usc/t50/s2412/b","children":[{"t":"num","text":"(b)"},{"t":"heading","text":"Membership"},{"t":"chapeau","text":"Members of the working group shall include\u2014"},{"t":"para","id":"/us/usc/t50/s2412/b/1","children":[{"t":"num","text":"(1)"},{"t":"content","text":" the Deputy Administrator for Defense Programs;","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t50/s2412/b/2","children":[{"t":"num","text":"(2)"},{"t":"content","text":" the Associate Administrator for Information Management and Chief Information Officer; and","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t50/s2412/b/3","children":[{"t":"num","text":"(3)"},{"t":"content","text":" such other personnel of the Administration as are determined appropriate for inclusion in the working group by the Chairperson.","tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"subsec","id":"/us/usc/t50/s2412/c","children":[{"t":"num","text":"(c)"},{"t":"heading","text":"Chairperson"},{"t":"content","children":[{"t":"p","text":"The Deputy Administrator for Defense Programs shall serve as the Chairperson of the working group, except that the Administrator may designate another member of the working group to serve as Chairperson in lieu of the Deputy Administrator if the Administrator determines it is appropriate to do so.","tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"subsec","id":"/us/usc/t50/s2412/d","children":[{"t":"num","text":"(d)"},{"t":"heading","text":"Comprehensive strategy"},{"t":"chapeau","text":"The working group shall prepare a comprehensive strategy for inventorying the range of systems of the Administration that are potentially at risk in the operational technology and nuclear weapons information technology environments, assessing the systems at risk based on mission impact, and implementing risk mitigation actions. Such strategy shall incorporate key elements of effective cybersecurity risk management strategies, as identified by the Government Accountability Office, including the specification of\u2014"},{"t":"para","id":"/us/usc/t50/s2412/d/1","children":[{"t":"num","text":"(1)"},{"t":"content","text":" goals, objectives, activities, and performance measures;","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t50/s2412/d/2","children":[{"t":"num","text":"(2)"},{"t":"content","text":" organizational roles, responsibilities, and coordination;","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t50/s2412/d/3","children":[{"t":"num","text":"(3)"},{"t":"content","text":" resources needed to implement the strategy through 2034; and","tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t50/s2412/d/4","children":[{"t":"num","text":"(4)"},{"t":"content","text":" detailed milestones and schedules for completion of tasks.","tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"subsec","id":"/us/usc/t50/s2412/e","children":[{"t":"num","text":"(e)"},{"t":"heading","text":"Submission to Congress"},{"t":"para","id":"/us/usc/t50/s2412/e/1","children":[{"t":"num","text":"(1)"},{"t":"heading","text":"Interim briefing"},{"t":"content","children":[{"t":"p","text":"Not later than 120 days after ","children":[{"t":"text","text":"December 22, 2023","tail":", the working group shall provide to the congressional defense committees a briefing on the plan of the working group to develop the strategy required under subsection (d)."}],"tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"para","id":"/us/usc/t50/s2412/e/2","children":[{"t":"num","text":"(2)"},{"t":"heading","text":"Completed strategy"},{"t":"content","children":[{"t":"p","text":"Not later than ","children":[{"t":"text","text":"April 1, 2025","tail":", the working group shall submit the congressional defense committees a copy of the completed strategy."}],"tail":"\n"}],"tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"subsec","id":"/us/usc/t50/s2412/f","children":[{"t":"num","text":"(f)"},{"t":"heading","text":"Termination"},{"t":"content","children":[{"t":"p","text":"The working group shall terminate on a date determined by the Administrator that is not earlier than the date that is five years after ","children":[{"t":"text","text":"December 22, 2023","tail":"."}],"tail":"\n"}],"tail":"\n"}],"tail":"\n"},{"t":"text","text":"\n"}]}]}