[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 9228 Introduced in House (IH)]

117th CONGRESS
  2d Session
                                H. R. 9228

To amend the Public Health Service Act with respect to the information 
 security policies and practices of the National Institutes of Health, 
                        and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            October 25, 2022

 Mr. Griffith introduced the following bill; which was referred to the 
                    Committee on Energy and Commerce

_______________________________________________________________________

                                 A BILL


 
To amend the Public Health Service Act with respect to the information 
 security policies and practices of the National Institutes of Health, 
                        and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Ensuring Cybersecurity at the NIH 
Act of 2022''.

SEC. 2. NIH INFORMATION SECURITY POLICIES AND PRACTICES.

    Section 402(b) of the Public Health Service Act (42 U.S.C. 282(b)) 
is amended--
            (1) in paragraph (24), by striking ``and'' at the end;
            (2) in paragraph (25), by striking the period at the end 
        and inserting ``; and''; and
            (3) by adding at the end the following:
            ``(26) shall, in consultation with the Office of the Chief 
        Information Officer, oversee information security policies and 
        practices of the National Institutes of Health, including--
                    ``(A) developing and overseeing the implementation 
                of policies, principles, standards, and guidelines on 
                information security, including through ensuring timely 
                adoption of and compliance with standards promulgated 
                under section 11331 of title 40, United States Code, 
                including--
                            ``(i) developing and reporting a complete 
                        inventory of all major information systems;
                            ``(ii) fully developing a risk management 
                        strategy and assessing risks for reviewed 
                        systems;
                            ``(iii) fully developing and documenting 
                        system security plans; and
                            ``(iv) consistently authorizing systems 
                        based on defined system boundaries; and
                    ``(B) identifying and providing information 
                security protections commensurate with the risk and 
                magnitude of the harm that could result from the 
                unauthorized access, use, disclosure, disruptions, 
                modification, or destruction of--
                            ``(i) information collected or maintained 
                        by or on behalf of the National Institutes of 
                        Health;
                            ``(ii) information systems used or operated 
                        by the National Institutes of Health or by a 
                        contractor of the agency or other organization 
                        on behalf of the agency; and
                            ``(iii) coordinating information security 
                        policies and procedures with related 
                        information resources management policies and 
                        procedures.''.