(a) Establishment of program
(1) In general
There is established in the Agency the National Cyber Exercise Program (referred to in this section as the “Exercise Program”) to evaluate the National Cyber Incident Response Plan, and other related plans and strategies.
(2) Requirements
(A) In general
The Exercise Program shall be—
(i) based on current risk assessments, including credible threats, vulnerabilities, and consequences;
(ii) designed, to the extent practicable, to simulate the partial or complete incapacitation of a government or critical infrastructure network resulting from a cyber incident;
(iii) designed to provide for the systematic evaluation of cyber readiness and enhance operational understanding of the cyber incident response system and relevant information sharing agreements; and
(iv) designed to promptly develop after-action reports and plans that can quickly incorporate lessons learned into future operations.
(B) Model exercise selection
The Exercise Program shall—
(i) include a selection of model exercises that government and private entities can readily adapt for use; and
(ii) aid such governments and private entities with the design, implementation, and evaluation of exercises that—
(I) conform to the requirements described in subparagraph (A);
(II) are consistent with any applicable national, State, local, or Tribal strategy or plan; and
(III) provide for systematic evaluation of readiness.
(3) Consultation
In carrying out the Exercise Program, the Director may consult with appropriate representatives from Sector Risk Management Agencies, the Office of the National Cyber Director, cybersecurity research stakeholders, and Sector Coordinating Councils.
(b) Definitions
In this section:
(1) State
The term “State” means any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the Northern Mariana Islands, the United States Virgin Islands, Guam, American Samoa, and any other territory or possession of the United States.
(2) Private entity
The term “private entity” has the meaning given such term in section 1501 of this title.
(c) Rule of construction
Nothing in this section shall be construed to affect the authorities or responsibilities of the Administrator of the Federal Emergency Management Agency pursuant to section 748 of this title.
Structure US Code
CHAPTER 1— HOMELAND SECURITY ORGANIZATION
SUBCHAPTER XVIII— CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
Part A— Cybersecurity and Infrastructure Security
§ 665h. National Cyber Exercise Program