[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 2902 Reported in Senate (RS)]
<DOC>
Calendar No. 673
117th CONGRESS
2d Session
S. 2902
[Report No. 117-274]
To modernize Federal information security management, and for other
purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
September 29, 2021
Mr. Peters (for himself, Mr. Portman, and Mr. Carper) introduced the
following bill; which was read twice and referred to the Committee on
Homeland Security and Governmental Affairs
December 19, 2022
Reported by Mr. Peters, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To modernize Federal information security management, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``Federal Information
Security Modernization Act of 2021''.</DELETED>
<DELETED>SEC. 2. TABLE OF CONTENTS.</DELETED>
<DELETED> The table of contents for this Act is as
follows:</DELETED>
<DELETED>Sec. 1. Short title.
<DELETED>Sec. 2. Table of contents.
<DELETED>Sec. 3. Definitions.
<DELETED>TITLE I--UPDATES TO FISMA
<DELETED>Sec. 101. Title 44 amendments.
<DELETED>Sec. 102. Amendments to subtitle III of title 40.
<DELETED>Sec. 103. Actions to enhance Federal incident response.
<DELETED>Sec. 104. Additional guidance to agencies on FISMA updates.
<DELETED>Sec. 105. Agency requirements to notify entities impacted by
incidents.
<DELETED>TITLE II--IMPROVING FEDERAL CYBERSECURITY
<DELETED>Sec. 201. Evaluation of effectiveness of standards.
<DELETED>Sec. 202. Mobile security standards.
<DELETED>Sec. 203. Quantitative cybersecurity metrics.
<DELETED>Sec. 204. Data and logging retention for incident response.
<DELETED>Sec. 205. CISA agency advisors.
<DELETED>Sec. 206. Federal penetration testing policy.
<DELETED>Sec. 207. Ongoing threat hunting program.
<DELETED>Sec. 208. Codifying vulnerability disclosure programs.
<DELETED>Sec. 209. Implementing presumption of compromise and zero
trust architectures.
<DELETED>Sec. 210. Automation reports.
<DELETED>Sec. 211. Extension of Federal Acquisition Security Council.
<DELETED>TITLE III--PILOT PROGRAMS TO ENHANCE FEDERAL CYBERSECURITY
<DELETED>Sec. 301. Continuous independent FISMA evaluation pilot.
<DELETED>Sec. 302. Active cyber defensive pilot.
<DELETED>Sec. 303. Security operations center as a service pilot.
<DELETED>SEC. 3. DEFINITIONS.</DELETED>
<DELETED> In this Act, unless otherwise specified:</DELETED>
<DELETED> (1) Additional cybersecurity procedure.--The term
``additional cybersecurity procedure'' has the meaning given
the term in section 3552(b) of title 44, United States Code, as
amended by this Act.</DELETED>
<DELETED> (2) Agency.--The term ``agency'' has the meaning
given the term in section 3502 of title 44, United States
Code.</DELETED>
<DELETED> (3) Appropriate congressional committees.--The
term ``appropriate congressional committees'' means--</DELETED>
<DELETED> (A) the Committee on Homeland Security and
Governmental Affairs of the Senate;</DELETED>
<DELETED> (B) the Committee on Oversight and Reform
of the House of Representatives; and</DELETED>
<DELETED> (C) the Committee on Homeland Security of
the House of Representatives.</DELETED>
<DELETED> (4) Director.--The term ``Director'' means the
Director of the Office of Management and Budget.</DELETED>
<DELETED> (5) Incident.--The term ``incident'' has the
meaning given the term in section 3552(b) of title 44, United
States Code.</DELETED>
<DELETED> (6) Penetration test.--The term ``penetration
test'' has the meaning given the term in section 3552(b) of
title 44, United States Code, as amended by this Act.</DELETED>
<DELETED> (7) Threat hunting.--The term ``threat hunting''
means proactively and iteratively searching for threats to
systems that evade detection by automated threat detection
systems.</DELETED>
<DELETED> (8) Verification specification.--The term
``verification specification'' means a specification developed
under section 11331(f) of title 40, United States Code, as
amended by this Act.</DELETED>
<DELETED>TITLE I--UPDATES TO FISMA</DELETED>
<DELETED>SEC. 101. TITLE 44 AMENDMENTS.</DELETED>
<DELETED> (a) Subchapter I Amendments.--Subchapter I of chapter 35
of title 44, United States Code, is amended--</DELETED>
<DELETED> (1) in section 3504--</DELETED>
<DELETED> (A) in subsection (a)(1)(B)(v), by
striking ``confidentiality, security, disclosure, and
sharing of information'' and inserting ``disclosure,
sharing of information, and, in consultation with the
Director of the Cybersecurity and Infrastructure
Security Agency, confidentiality and
security'';</DELETED>
<DELETED> (B) in subsection (b)(2)(B), by inserting
``in coordination with the Director of the
Cybersecurity and Infrastructure Security Agency''
after ``standards for security'';</DELETED>
<DELETED> (C) in subsection (g), by striking
paragraph (1) and inserting the following:</DELETED>
<DELETED> ``(1) with respect to information collected or
maintained by or for agencies--</DELETED>
<DELETED> ``(A) develop and oversee the
implementation of policies, principles, standards, and
guidelines on privacy, disclosure, and sharing of the
information; and</DELETED>
<DELETED> ``(B) in consultation with the Director of
the Cybersecurity and Infrastructure Security Agency,
develop and oversee policies, principles, standards,
and guidelines on confidentiality and security of the
information; and''; and</DELETED>
<DELETED> (D) in subsection (h)(1)--</DELETED>
<DELETED> (i) in the matter preceding
subparagraph (A)--</DELETED>
<DELETED> (I) by inserting ``the
Director of the Cybersecurity and
Infrastructure Security Agency,''
before ``the Director''; and</DELETED>
<DELETED> (II) by inserting a comma
before ``and the Administrator'';
and</DELETED>
<DELETED> (ii) in subparagraph (A), by
inserting ``security and'' after ``information
technology'';</DELETED>
<DELETED> (2) in section 3505--</DELETED>
<DELETED> (A) in paragraph (3) of the first
subsection designated as subsection (c)--</DELETED>
<DELETED> (i) in subparagraph (B)--</DELETED>
<DELETED> (I) by inserting ``and the
Director of the Cybersecurity and
Infrastructure Security Agency'' after
``Comptroller General''; and</DELETED>
<DELETED> (II) by striking ``and''
at the end;</DELETED>
<DELETED> (ii) in subparagraph (C)(v), by
striking the period at the end and inserting
``; and''; and</DELETED>
<DELETED> (iii) by adding at the end the
following:</DELETED>
<DELETED> ``(D) maintained on a continual basis through the
use of automation, machine-readable data, and scanning.'';
and</DELETED>
<DELETED> (B) by striking the second subsection
designated as subsection (c);</DELETED>
<DELETED> (3) in section 3506--</DELETED>
<DELETED> (A) in subsection (b)--</DELETED>
<DELETED> (i) in paragraph (1)(C), by
inserting ``, availability'' after
``integrity''; and</DELETED>
<DELETED> (ii) in paragraph (4), by
inserting ``the Director of the Cybersecurity
and Infrastructure Security Agency,'' after
``General Services,''; and</DELETED>
<DELETED> (B) in subsection (h)(3), by inserting
``security,'' after ``efficiency,'';</DELETED>
<DELETED> (4) in section 3513--</DELETED>
<DELETED> (A) in subsection (a), by inserting ``the
Director of the Cybersecurity and Infrastructure
Security Agency,'' before ``the Administrator of
General Services'';</DELETED>
<DELETED> (B) by redesignating subsection (c) as
subsection (d); and</DELETED>
<DELETED> (C) by inserting after subsection (b) the
following:</DELETED>
<DELETED> ``(c) Each agency providing a written plan under
subsection (b) shall provide any portion of the written plan addressing
information security or cybersecurity to the Director of the
Cybersecurity and Infrastructure Security Agency.''; and</DELETED>
<DELETED> (5) in section 3520A(b)--</DELETED>
<DELETED> (A) in paragraph (1), by striking ``,
protection'';</DELETED>
<DELETED> (B) by redesignating paragraphs (2), (3),
(4), and (5) as paragraphs (3), (4), (5), and (6),
respectively; and</DELETED>
<DELETED> (C) by inserting after paragraph (1) the
following:</DELETED>
<DELETED> ``(2) in consultation with the Director of the
Cybersecurity and Infrastructure Security Agency, establish
Governmentwide best practices for the protection of
data;''.</DELETED>
<DELETED> (b) Subchapter II Definitions.--</DELETED>
<DELETED> (1) In general.--Section 3552(b) of title 44,
United States Code, is amended--</DELETED>
<DELETED> (A) by redesignating paragraphs (1), (2),
(3), (4), (5), (6), and (7) as paragraphs (2), (3),
(4), (5), (6), (9), and (11), respectively;</DELETED>
<DELETED> (B) by inserting before paragraph (2), as
so redesignated, the following:</DELETED>
<DELETED> ``(1) The term `additional cybersecurity
procedure' means a process, procedure, or other activity that
is established in excess of the information security standards
promulgated under section 11331(b) of title 40 to increase the
security and reduce the cybersecurity risk of agency systems,
such as continuous threat hunting, increased network
segmentation, endpoint detection and response, or persistent
penetration testing.'';</DELETED>
<DELETED> (C) by inserting after paragraph (6), as
so redesignated, the following:</DELETED>
<DELETED> ``(7) The term `high value asset' means
information or an information system that the head of an agency
determines so critical to the agency that the loss or
corruption of the information or the loss of access to the
information system would have a serious impact on the ability
of the agency to perform the mission of the agency or conduct
business.</DELETED>
<DELETED> ``(8) The term `major incident' has the meaning
given the term in guidance issued by the Director under section
3598(a).'';</DELETED>
<DELETED> (D) by inserting after paragraph (9), as
so redesignated, the following:</DELETED>
<DELETED> ``(10) The term `penetration test' means a
specialized type of assessment that--</DELETED>
<DELETED> ``(A) is conducted on an information
system or a component of an information system;
and</DELETED>
<DELETED> ``(B) emulates an attack or other
exploitation capability of a potential adversary,
typically under specific constraints, in order to
identify any vulnerabilities of an information system
or a component of an information system that could be
exploited.''; and</DELETED>
<DELETED> (E) by inserting after paragraph (11), as
so redesignated, the following:</DELETED>
<DELETED> ``(12) The term `shared service' means a business
or mission function that is provided for use by multiple
organizations within or between agencies.</DELETED>
<DELETED> ``(13) The term `verification specification' means
a specification developed under section 11331(f) of title
40.''.</DELETED>
<DELETED> (2) Conforming amendments.--</DELETED>
<DELETED> (A) Homeland security act of 2002.--
Section 1001(c)(1)(A) of the Homeland Security Act of
2002 (6 U.S.C. 511(1)(A)) is amended by striking
``section 3552(b)(5)'' and inserting ``section
3552(b)''.</DELETED>
<DELETED> (B) Title 10.--</DELETED>
<DELETED> (i) Section 2222.--Section
2222(i)(8) of title 10, United States Code, is
amended by striking ``section 3552(b)(6)(A)''
and inserting ``section
3552(b)(9)(A)''.</DELETED>
<DELETED> (ii) Section 2223.--Section
2223(c)(3) of title 10, United States Code, is
amended by striking ``section 3552(b)(6)'' and
inserting ``section 3552(b)''.</DELETED>
<DELETED> (iii) Section 2315.--Section 2315
of title 10, United States Code, is amended by
striking ``section 3552(b)(6)'' and inserting
``section 3552(b)''.</DELETED>
<DELETED> (iv) Section 2339a.--Section
2339a(e)(5) of title 10, United States Code, is
amended by striking ``section 3552(b)(6)'' and
inserting ``section 3552(b)''.</DELETED>
<DELETED> (C) High-performance computing act of
1991.--Section 207(a) of the High-Performance Computing
Act of 1991 (15 U.S.C. 5527(a)) is amended by striking
``section 3552(b)(6)(A)(i)'' and inserting ``section
3552(b)(9)(A)(i)''.</DELETED>
<DELETED> (D) Internet of things cybersecurity
improvement act of 2020.--Section 3(5) of the Internet
of Things Cybersecurity Improvement Act of 2020 (15
U.S.C. 278g-3a) is amended by striking ``section
3552(b)(6)'' and inserting ``section
3552(b)''.</DELETED>
<DELETED> (E) National defense authorization act for
fiscal year 2013.--Section 933(e)(1)(B) of the National
Defense Authorization Act for Fiscal Year 2013 (10
U.S.C. 2224 note) is amended by striking ``section
3542(b)(2)'' and inserting ``section
3552(b)''.</DELETED>
<DELETED> (F) Ike skelton national defense
authorization act for fiscal year 2011.--The Ike
Skelton National Defense Authorization Act for Fiscal
Year 2011 (Public Law 111-383) is amended--</DELETED>
<DELETED> (i) in section 806(e)(5) (10
U.S.C. 2304 note), by striking ``section
3542(b)'' and inserting ``section
3552(b)'';</DELETED>
<DELETED> (ii) in section 931(b)(3) (10
U.S.C. 2223 note), by striking ``section
3542(b)(2)'' and inserting ``section 3552(b)'';
and</DELETED>
<DELETED> (iii) in section 932(b)(2) (10
U.S.C. 2224 note), by striking ``section
3542(b)(2)'' and inserting ``section
3552(b)''.</DELETED>
<DELETED> (G) E-government act of 2002.--Section
301(c)(1)(A) of the E-Government Act of 2002 (44 U.S.C.
3501 note) is amended by striking ``section
3542(b)(2)'' and inserting ``section
3552(b)''.</DELETED>
<DELETED> (H) National institute of standards and
technology act.--Section 20 of the National Institute
of Standards and Technology Act (15 U.S.C. 278g-3) is
amended--</DELETED>
<DELETED> (i) in subsection (a)(2), by
striking ``section 3552(b)(5)'' and inserting
``section 3552(b)''; and</DELETED>
<DELETED> (ii) in subsection (f)--</DELETED>
<DELETED> (I) in paragraph (3), by
striking ``section 3532(1)'' and
inserting ``section 3552(b)'';
and</DELETED>
<DELETED> (II) in paragraph (5), by
striking ``section 3532(b)(2)'' and
inserting ``section
3552(b)''.</DELETED>
<DELETED> (c) Subchapter II Amendments.--Subchapter II of chapter 35
of title 44, United States Code, is amended--</DELETED>
<DELETED> (1) in section 3551--</DELETED>
<DELETED> (A) by redesignating paragraphs (3), (4),
(5), and (6) as paragraphs (4), (5), (6), and (7),
respectively;</DELETED>
<DELETED> (B) by inserting after paragraph (2) the
following:</DELETED>
<DELETED> ``(3) recognize the role of the Cybersecurity and
Infrastructure Security Agency as the lead cybersecurity entity
for operational coordination across the Federal
Government;'';</DELETED>
<DELETED> (C) in paragraph (5), as so redesignated,
by striking ``diagnose and improve'' and inserting
``integrate, deliver, diagnose, and
improve'';</DELETED>
<DELETED> (D) in paragraph (6), as so redesignated,
by striking ``and'' at the end; and</DELETED>
<DELETED> (E) by adding at the end the
following:</DELETED>
<DELETED> ``(8) recognize that each agency has specific
mission requirements and, at times, unique cybersecurity
requirements to meet the mission of the agency;</DELETED>
<DELETED> ``(9) recognize that each agency does not have the
same resources to secure agency systems, and an agency should
not be expected to have the capability to secure the systems of
the agency from advanced adversaries alone; and</DELETED>
<DELETED> ``(10) recognize that--</DELETED>
<DELETED> ``(A) a holistic Federal cybersecurity
model is necessary to account for differences between
the missions and capabilities of agencies;
and</DELETED>
<DELETED> ``(B) in accounting for the differences
described in subparagraph (A) and ensuring overall
Federal cybersecurity--</DELETED>
<DELETED> ``(i) the Office of Management and
Budget is the leader for policy development and
oversight of Federal cybersecurity;</DELETED>
<DELETED> ``(ii) the Cybersecurity and
Infrastructure Security Agency is the leader
for implementing operations at agencies;
and</DELETED>
<DELETED> ``(iii) the National Cyber
Director is responsible for developing the
overall cybersecurity strategy of the United
States and advising the President on matters
relating to cybersecurity.'';</DELETED>
<DELETED> (2) in section 3553, as amended by section 1705 of
the William M. (Mac) Thornberry National Defense Authorization
Act for Fiscal Year 2021 (Public Law 116-283)--</DELETED>
<DELETED> (A) in subsection (a)--</DELETED>
<DELETED> (i) in paragraph (1)--</DELETED>
<DELETED> (I) by striking
``developing and'' and inserting ``in
coordination with the Director of the
Cybersecurity and Infrastructure
Security Agency,''; and</DELETED>
<DELETED> (II) by inserting ``and
associated verification
specifications'' before
``promulgated''; and</DELETED>
<DELETED> (ii) in paragraph (5), by
inserting ``, in coordination with the Director
of the Cybersecurity and Infrastructure
Security Agency,'' before ``agency
compliance'';</DELETED>
<DELETED> (B) in subsection (b)--</DELETED>
<DELETED> (i) by striking the subsection
heading and inserting ``Cybersecurity and
Infrastructure Security Agency'';</DELETED>
<DELETED> (ii) in the matter preceding
paragraph (1), by striking ``the Secretary''
and inserting ``the Director of the
Cybersecurity and Infrastructure Security
Agency'';</DELETED>
<DELETED> (iii) in paragraph (2)--</DELETED>
<DELETED> (I) in subparagraph (A),
by inserting ``and reporting
requirements under subchapter IV of
this title'' after ``section 3556'';
and</DELETED>
<DELETED> (II) in subparagraph (D),
by striking ``the Director or
Secretary'' and inserting ``the
Director of the Cybersecurity and
Infrastructure Security
Agency'';</DELETED>
<DELETED> (iv) in paragraph (5), by striking
``coordinating'' and inserting ``leading the
coordination of'';</DELETED>
<DELETED> (v) in paragraph (6)--</DELETED>
<DELETED> (I) in the matter
preceding subparagraph (A), by
inserting ``and verification
specifications'' before ``promulgated
under'';</DELETED>
<DELETED> (II) in subparagraph (C),
by striking ``and'' at the
end;</DELETED>
<DELETED> (III) in subparagraph (D),
by adding ``and'' at the end;
and</DELETED>
<DELETED> (IV) by adding at the end
the following:</DELETED>
<DELETED> ``(E) taking any other action that the
Director of the Cybersecurity and Infrastructure
Security Agency, in consultation with the Director--</DELETED>
<DELETED> ``(i) may determine necessary;
and</DELETED>
<DELETED> ``(ii) is authorized to
perform;'';</DELETED>
<DELETED> (vi) in paragraph (8), by striking
``the Secretary's discretion'' and inserting
``the Director of the Cybersecurity and
Infrastructure Security Agency's discretion'';
and</DELETED>
<DELETED> (vii) in paragraph (9), by
striking ``as the Director or the Secretary, in
consultation with the Director,'' and inserting
``as the Director of the Cybersecurity and
Infrastructure Security Agency'';</DELETED>
<DELETED> (C) in subsection (c)--</DELETED>
<DELETED> (i) in paragraph (4), by striking
``and'' at the end;</DELETED>
<DELETED> (ii) by redesignating paragraph
(5) as paragraph (7); and</DELETED>
<DELETED> (iii) by inserting after paragraph
(4) the following:</DELETED>
<DELETED> ``(5) an assessment of agency use of automated
verification of standards for the standards promulgated under
section 11331 of title 40 using verification
specifications;</DELETED>
<DELETED> ``(6) a summary of each assessment of Federal risk
posture performed under subsection (i); and'';</DELETED>
<DELETED> (D) in subsection (f)(2)(B), by striking
``conflict with'' and inserting ``reduce the security
posture of agencies established under'';</DELETED>
<DELETED> (E) by redesignating subsections (i), (j),
(k), and (l) as subsections (j), (k), (l), and (m)
respectively;</DELETED>
<DELETED> (F) by inserting after subsection (h) the
following:</DELETED>
<DELETED> ``(i) Federal Risk Assessments.--The Director of the
Cybersecurity and Infrastructure Security Agency, in coordination with
the Director, shall perform, on an ongoing and continuous basis,
assessments of Federal risk posture using any available information on
the cybersecurity posture of agencies, including--</DELETED>
<DELETED> ``(1) the status of agency cybersecurity remedial
actions described in section 3554(b)(7);</DELETED>
<DELETED> ``(2) any vulnerability information relating to
the systems of an agency that is known by the agency;</DELETED>
<DELETED> ``(3) analysis of incident information under
section 3597;</DELETED>
<DELETED> ``(4) evaluation of penetration testing performed
under section 3559A;</DELETED>
<DELETED> ``(5) evaluation of vulnerability disclosure
program information under section 3559B;</DELETED>
<DELETED> ``(6) evaluation of agency threat hunting
results;</DELETED>
<DELETED> ``(7) evaluation of Federal and non-Federal threat
intelligence;</DELETED>
<DELETED> ``(8) data on compliance with standards issued
under section 11331 of title 40 that, when appropriate, uses
verification specifications;</DELETED>
<DELETED> ``(9) agency system risk assessments performed
under section 3554(a)(1)(A); and</DELETED>
<DELETED> ``(10) any other information the Secretary
determines relevant.''; and</DELETED>
<DELETED> (G) in subsection (j), as so
redesignated--</DELETED>
<DELETED> (i) by striking ``regarding the
specific'' and inserting ``that includes a
summary of--</DELETED>
<DELETED> ``(1) the specific'';</DELETED>
<DELETED> (ii) in paragraph (1), as so
designated, by striking the period at the end
and inserting ``; and''; and</DELETED>
<DELETED> (iii) by adding at the end the
following:</DELETED>
<DELETED> ``(2) the trends identified in the Federal risk
assessment performed under subsection (i).'';</DELETED>
<DELETED> (3) in section 3554--</DELETED>
<DELETED> (A) in subsection (a)--</DELETED>
<DELETED> (i) in paragraph (1)--</DELETED>
<DELETED> (I) by redesignating
subparagraphs (A), (B), and (C) as
subparagraphs (B), (C), and (D),
respectively;</DELETED>
<DELETED> (II) by inserting before
subparagraph (B), as so redesignated,
the following:</DELETED>
<DELETED> ``(A) performing, not less frequently than
once every 2 years or based on a significant change to
system architecture or security posture, an agency
system risk assessment that--</DELETED>
<DELETED> ``(i) identifies and documents the
high value assets of the agency using guidance
from the Director;</DELETED>
<DELETED> ``(ii) evaluates the data assets
inventoried under section 3511 of title 44 for
sensitivity to compromises in confidentiality,
integrity, and availability;</DELETED>
<DELETED> ``(iii) identifies agency systems
that have access to or hold the data assets
inventoried under section 3511 of title
44;</DELETED>
<DELETED> ``(iv) evaluates the threats
facing agency systems and data, including high
value assets, based on Federal and non-Federal
cyber threat intelligence products, where
available;</DELETED>
<DELETED> ``(v) evaluates the vulnerability
of agency systems and data, including high
value assets, based on--</DELETED>
<DELETED> ``(I) the results of
penetration testing performed by the
Department of Homeland Security under
section 3553(b)(9);</DELETED>
<DELETED> ``(II) the results of
penetration testing performed under
section 3559A;</DELETED>
<DELETED> ``(III) information
provided to the agency through the
vulnerability disclosure program of the
agency under section 3559B;</DELETED>
<DELETED> ``(IV) incidents;
and</DELETED>
<DELETED> ``(V) any other
vulnerability information relating to
agency systems that is known to the
agency;</DELETED>
<DELETED> ``(vi) assesses the impacts of
potential agency incidents to agency systems,
data, and operations based on the evaluations
described in clauses (ii) and (iv) and the
agency systems identified under clause (iii);
and</DELETED>
<DELETED> ``(vii) assesses the consequences
of potential incidents occurring on agency
systems that would impact systems at other
agencies, including due to interconnectivity
between different agency systems or operational
reliance on the operations of the system or
data in the system;'';</DELETED>
<DELETED> (III) in subparagraph (B),
as so redesignated--</DELETED>
<DELETED> (aa) in the matter
preceding clause (i), by
striking ``providing
information'' and inserting
``using information from the
assessment conducted under
subparagraph (A), providing, in
coordination with the Director
of the Cybersecurity and
Infrastructure Security Agency,
information'';</DELETED>
<DELETED> (bb) in clause
(i), by striking ``and'' at the
end;</DELETED>
<DELETED> (cc) in clause
(ii), by adding ``and'' at the
end; and</DELETED>
<DELETED> (dd) by adding at
the end the
following:</DELETED>
<DELETED> ``(iii) in consultation with the
Director and the Director of the Cybersecurity
and Infrastructure Security Agency, information
or information systems used by agencies through
shared services, memoranda of understanding, or
other agreements;'';</DELETED>
<DELETED> (IV) in subparagraph (C),
as so redesignated--</DELETED>
<DELETED> (aa) in clause
(ii) by inserting ``binding''
before ``operational'';
and</DELETED>
<DELETED> (bb) in clause
(vi), by striking ``and'' at
the end; and</DELETED>
<DELETED> (V) by adding at the end
the following:</DELETED>
<DELETED> ``(E) not later than 30 days after the
date on which an agency system risk assessment is
performed under subparagraph (A), providing the
assessment to--</DELETED>
<DELETED> ``(i) the Director;</DELETED>
<DELETED> ``(ii) the Director of the
Cybersecurity and Infrastructure Security
Agency; and</DELETED>
<DELETED> ``(iii) the National Cyber
Director;</DELETED>
<DELETED> ``(F) in consultation with the Director of
the Cybersecurity and Infrastructure Security Agency
and not less frequently than annually, performing an
evaluation of whether additional cybersecurity
procedures are appropriate for securing a system of, or
under the supervision of, the agency, which shall--</DELETED>
<DELETED> ``(i) be completed considering the
agency system risk assessment performed under
subparagraph (A); and</DELETED>
<DELETED> ``(ii) include a specific
evaluation for high value assets; and</DELETED>
<DELETED> ``(G) not later than 30 days after
completing the evaluation performed under subparagraph
(F), providing the evaluation and an implementation
plan for using additional cybersecurity procedures
determined to be appropriate to--</DELETED>
<DELETED> ``(i) the Director of the
Cybersecurity and Infrastructure Security
Agency;</DELETED>
<DELETED> ``(ii) the Director; and</DELETED>
<DELETED> ``(iii) the National Cyber
Director.'';</DELETED>
<DELETED> (ii) in paragraph (2)--</DELETED>
<DELETED> (I) in subparagraph (A),
by inserting ``in accordance with the
agency system risk assessment performed
under paragraph (1)(A)'' after
``information systems'';</DELETED>
<DELETED> (II) in subparagraph (B)--</DELETED>
<DELETED> (aa) by striking
``in accordance with
standards'' and inserting ``in
accordance with--</DELETED>
<DELETED> ``(i) standards''; and</DELETED>
<DELETED> (bb) by adding at
the end the
following:</DELETED>
<DELETED> ``(ii) the evaluation performed
under paragraph (1)(F); and</DELETED>
<DELETED> ``(iii) the implementation plan
described in paragraph (1)(G);''; and</DELETED>
<DELETED> (III) in subparagraph (D),
by inserting ``, through the use of
penetration testing, the vulnerability
disclosure program established under
section 3559B, and other means,'' after
``periodically'';</DELETED>
<DELETED> (iii) in paragraph (3)--</DELETED>
<DELETED> (I) in subparagraph (B),
by inserting ``, in coordination with
the Director of the Cybersecurity and
Infrastructure Security Agency,'' after
``maintaining'';</DELETED>
<DELETED> (II) in subparagraph (D),
by striking ``and'' at the
end;</DELETED>
<DELETED> (III) in subparagraph (E),
by adding ``and'' at the end;
and</DELETED>
<DELETED> (IV) by adding at the end
the following:</DELETED>
<DELETED> ``(F) implementing mechanisms for using
verification specifications, or alternate verification
specifications validated by the Director of the
Cybersecurity and Infrastructure Security Agency, in
consultation with the Director of the National
Institute of Standards and Technology, to automatically
verify the implementation of standards of agency
systems promulgated under section 11331 of title 40 or
any additional cybersecurity procedures, as
applicable;''; and</DELETED>
<DELETED> (iv) in paragraph (5), by
inserting ``and the Director of the
Cybersecurity and Infrastructure Security
Agency'' before ``on the
effectiveness'';</DELETED>
<DELETED> (B) in subsection (b)--</DELETED>
<DELETED> (i) by striking paragraph (1) and
inserting the following:</DELETED>
<DELETED> ``(1) pursuant to subsection (a)(1)(A), performing
an agency system risk assessment, which shall include using
automated tools consistent with standards, verification
specifications, and guidelines promulgated under section 11331
of title 40, as applicable;'';</DELETED>
<DELETED> (ii) in paragraph (2)(D)--</DELETED>
<DELETED> (I) by redesignating
clauses (iii) and (iv) as clauses (iv)
and (v), respectively;</DELETED>
<DELETED> (II) by inserting after
clause (ii) the following:</DELETED>
<DELETED> ``(iii) binding operational
directives and emergency directives promulgated
by the Director of the Cybersecurity and
Infrastructure Security Agency under section
3553 of title 44;''; and</DELETED>
<DELETED> (III) in clause (iv), as
so redesignated, by striking ``as
determined by the agency; and'' and
inserting ``as determined by the
agency--</DELETED>
<DELETED> ``(I) in coordination with
the Director of the Cybersecurity and
Infrastructure Security Agency;
and</DELETED>
<DELETED> ``(II) in consideration
of--</DELETED>
<DELETED> ``(aa) the agency
risk assessment performed under
subsection (a)(1)(A);
and</DELETED>
<DELETED> ``(bb) the
determinations of applying more
stringent standards and
additional cybersecurity
procedures pursuant to section
11331(c)(1) of title 40;
and'';</DELETED>
<DELETED> (iii) in paragraph (5)--</DELETED>
<DELETED> (I) in subparagraph (A),
by inserting ``, including penetration
testing, as appropriate,'' after
``shall include testing'';
and</DELETED>
<DELETED> (II) in subparagraph (C),
by inserting ``, verification
specifications,'' after ``with
standards'';</DELETED>
<DELETED> (iv) in paragraph (6), by striking
``planning, implementing, evaluating, and
documenting'' and inserting ``planning and
implementing and, in consultation with the
Director of the Cybersecurity and
Infrastructure Security Agency, evaluating and
documenting'';</DELETED>
<DELETED> (v) by redesignating paragraphs
(7) and (8) as paragraphs (9) and (10),
respectively;</DELETED>
<DELETED> (vi) by inserting after paragraph
(6) the following:</DELETED>
<DELETED> ``(7) a process for providing the status of every
remedial action and known system vulnerability to the Director
and the Director of the Cybersecurity and Infrastructure
Security Agency, using automation and machine-readable data to
the greatest extent practicable;</DELETED>
<DELETED> ``(8) a process for providing the verification of
the implementation of standards promulgated under section 11331
of title 40 using verification specifications, automation, and
machine-readable data, to the Director and the Director of the
Cybersecurity and Infrastructure Security Agency;'';
and</DELETED>
<DELETED> (vii) in paragraph (9)(C), as so
redesignated--</DELETED>
<DELETED> (I) by striking clause
(ii) and inserting the
following:</DELETED>
<DELETED> ``(ii) notifying and consulting
with the Federal information security incident
center established under section 3556 pursuant
to the requirements of section
3594;'';</DELETED>
<DELETED> (II) by redesignating
clause (iii) as clause (iv);</DELETED>
<DELETED> (III) by inserting after
clause (ii) the following:</DELETED>
<DELETED> ``(iii) performing the
notifications and other activities required
under subchapter IV of this title; and'';
and</DELETED>
<DELETED> (IV) in clause (iv), as so
redesignated--</DELETED>
<DELETED> (aa) in subclause
(I), by striking ``and relevant
Offices of Inspector
General'';</DELETED>
<DELETED> (bb) in subclause
(II), by adding ``and'' at the
end;</DELETED>
<DELETED> (cc) by striking
subclause (III); and</DELETED>
<DELETED> (dd) by
redesignating subclause (IV) as
subclause (III);</DELETED>
<DELETED> (C) in subsection (c)--</DELETED>
<DELETED> (i) in paragraph (1)--</DELETED>
<DELETED> (I) in subparagraph (A)--
</DELETED>
<DELETED> (aa) in the matter
preceding clause (i), by
striking ``on the adequacy and
effectiveness of information
security policies, procedures,
and practices, including'' and
inserting ``that includes'';
and</DELETED>
<DELETED> (bb) in clause
(ii), by inserting ``unless the
Director issues a waiver to the
agency under subparagraph
(B)(iii),'' before ``the total
number''; and</DELETED>
<DELETED> (II) by striking
subparagraph (B) and inserting the
following:</DELETED>
<DELETED> ``(B) Incident reporting waiver.--
</DELETED>
<DELETED> ``(i) Certification of agency
information sharing.--If the Director, in
consultation with the Director of the
Cybersecurity and Infrastructure Security
Agency, determines that an agency shares any
information relating to any incident pursuant
to section 3594(a), the Director shall certify
that the agency is in compliance with that
section.</DELETED>
<DELETED> ``(ii) Certification of issuing
report.--If the Director determines that the
Director of the Cybersecurity and
Infrastructure Security Agency uses the
information described in clause (i) with
respect to a particular agency to submit to
Congress an annex required under section
3597(c)(3) for that agency, the Director shall
certify that the Cybersecurity and
Infrastructure Security Agency is in compliance
with that section with respect to that
agency.</DELETED>
<DELETED> ``(iii) Waiver.--The Director may
waive the reporting requirement with respect to
the information required to be included in the
report under subparagraph (A)(ii) for a
particular agency if--</DELETED>
<DELETED> ``(I) the Director has
issued a certification for the agency
under clause (i); and</DELETED>
<DELETED> ``(II) the Director has
issued a certification with respect to
the annex of the agency under clause
(ii).</DELETED>
<DELETED> ``(iv) Revocation of waiver or
certifications.--</DELETED>
<DELETED> ``(I) Waiver.--If, at any
time, the Director determines that the
Director of the Cybersecurity and
Infrastructure Security Agency cannot
submit to Congress an annex for a
particular agency under section
3597(c)(3)--</DELETED>
<DELETED> ``(aa) any waiver
previously issued under clause
(iii) with respect to that
agency shall be considered
void; and</DELETED>
<DELETED> ``(bb) the
Director shall revoke the
certification for the annex of
that agency under clause
(ii).</DELETED>
<DELETED> ``(II) Certifications.--
If, at any time, the Director
determines that an agency has not
provided to the Director of the
Cybersecurity and Infrastructure
Security Agency the totality of
incident information required under
section 3594(a)--</DELETED>
<DELETED> ``(aa) any waiver
previously issued under clause
(iii) with respect to that
agency shall be considered
void; and</DELETED>
<DELETED> ``(bb) the
Director shall revoke the
certification for that agency
under clause (i).</DELETED>
<DELETED> ``(III) Reissuance.--If
the Director revokes a waiver under
this clause, the Director may issue a
subsequent waiver if the Director
issues new certifications under clauses
(i) and (ii).'';</DELETED>
<DELETED> (ii) by redesignating paragraphs
(2) through (5) as paragraphs (4) through (7),
respectively; and</DELETED>
<DELETED> (iii) by inserting after paragraph
(1) the following:</DELETED>
<DELETED> ``(2) Biannual report.--Not later than 180 days
after the date on which an agency completes an agency system
risk assessment under subsection (a)(1)(A) and not less
frequently than every 2 years, each agency shall submit to the
Director, the Secretary, the Committee on Homeland Security and
Governmental Affairs of the Senate, the Committee on Oversight
and Reform of the House of Representatives, the Committee on
Homeland Security of the House of Representatives, the
appropriate authorization and appropriations committees of
Congress, the National Cyber Director, and the Comptroller
General of the United States a report that--</DELETED>
<DELETED> ``(A) summarizes the agency system risk
assessment performed under subsection
(a)(1)(A);</DELETED>
<DELETED> ``(B) evaluates the adequacy and
effectiveness of information security policies,
procedures, and practices of the agency to address the
risks identified in the system risk assessment
performed under subsection (a)(1)(A); and</DELETED>
<DELETED> ``(C) summarizes the evaluations and
implementation plans described in subparagraphs (F) and
(G) of subsection (a)(1) and whether those evaluations
and implementation plans call for the use of additional
cybersecurity procedures determined to be appropriate
by the agency.</DELETED>
<DELETED> ``(3) Unclassified reports.--Each report submitted
under paragraphs (1) and (2)--</DELETED>
<DELETED> ``(A) shall be, to the greatest extent
practicable, in an unclassified and otherwise
uncontrolled form; and</DELETED>
<DELETED> ``(B) may include a classified annex.'';
and</DELETED>
<DELETED> (D) in subsection (d)(1), in the matter
preceding subparagraph (A), by inserting ``and the
Director of the Cybersecurity and Infrastructure
Security Agency'' after ``the Director'';</DELETED>
<DELETED> (4) in section 3555--</DELETED>
<DELETED> (A) in subsection (a)(2)(A), by inserting
``, including by penetration testing and analyzing the
vulnerability disclosure program of the agency'' after
``information systems'';</DELETED>
<DELETED> (B) by striking subsection (f) and
inserting the following:</DELETED>
<DELETED> ``(f) Protection of Information.--(1) Agencies and
evaluators shall take appropriate steps to ensure the protection of
information which, if disclosed, may adversely affect information
security.</DELETED>
<DELETED> ``(2) The protections required under paragraph (1) shall
be commensurate with the risk and comply with all applicable laws and
regulations.</DELETED>
<DELETED> ``(3) With respect to information that is not related to
national security systems, agencies and evaluators shall make a summary
of the information unclassified and publicly available, including
information that does not identify--</DELETED>
<DELETED> ``(A) specific information system incidents;
or</DELETED>
<DELETED> ``(B) specific information system
vulnerabilities.'';</DELETED>
<DELETED> (C) in subsection (g)(2)--</DELETED>
<DELETED> (i) by striking ``this subsection
shall'' and inserting ``this subsection--
</DELETED>
<DELETED> ``(A) shall'';</DELETED>
<DELETED> (ii) in subparagraph (A), as so
designated, by striking the period at the end
and inserting ``; and''; and</DELETED>
<DELETED> (iii) by adding at the end the
following:</DELETED>
<DELETED> ``(B) identify any entity that performs an
independent audit under subsection (b).''; and</DELETED>
<DELETED> (D) in subsection (j), by striking ``the
Secretary'' and inserting ``the Director of the Cyber
Security and Infrastructure Security Agency'';
and</DELETED>
<DELETED> (5) in section 3556(a)--</DELETED>
<DELETED> (A) in the matter preceding paragraph (1),
by inserting ``within the Cybersecurity and
Infrastructure Security Agency'' after ``incident
center''; and</DELETED>
<DELETED> (B) in paragraph (4), by striking
``3554(b)'' and inserting ``3554(a)(1)(A)''.</DELETED>
<DELETED> (d) Federal System Incident Response.--</DELETED>
<DELETED> (1) In general.--Chapter 35 of title 44, United
States Code, is amended by adding at the end the
following:</DELETED>
<DELETED>``SUBCHAPTER IV--FEDERAL SYSTEM INCIDENT RESPONSE</DELETED>
<DELETED>``Sec. 3591. Definitions</DELETED>
<DELETED> ``(a) In General.--Except as provided in subsection (b),
the definitions under sections 3502 and 3552 shall apply to this
subchapter.</DELETED>
<DELETED> ``(b) Additional Definitions.--As used in this
subchapter:</DELETED>
<DELETED> ``(1) Appropriate notification entities.--The term
`appropriate notification entities' means--</DELETED>
<DELETED> ``(A) the Committee on Homeland Security
and Governmental Affairs of the Senate;</DELETED>
<DELETED> ``(B) the Committee on Oversight and
Reform of the House of Representatives;</DELETED>
<DELETED> ``(C) the Committee on Homeland Security
of the House of Representatives;</DELETED>
<DELETED> ``(D) the appropriate authorization and
appropriations committees of Congress;</DELETED>
<DELETED> ``(E) the Director;</DELETED>
<DELETED> ``(F) the Director of the Cybersecurity
and Infrastructure Security Agency;</DELETED>
<DELETED> ``(G) the National Cyber Director;
and</DELETED>
<DELETED> ``(H) the Comptroller General of the
United States.</DELETED>
<DELETED> ``(2) Contractor.--The term `contractor'--
</DELETED>
<DELETED> ``(A) means any person or business that
collects or maintains information that includes
personally identifiable information or sensitive
personal information on behalf of an agency;
and</DELETED>
<DELETED> ``(B) includes any subcontractor of a
person or business described in subparagraph
(A).</DELETED>
<DELETED> ``(3) Intelligence community.--The term
`intelligence community' has the meaning given the term in
section 3 of the National Security Act of 1947 (50 U.S.C.
3003).</DELETED>
<DELETED> ``(4) Nationwide consumer reporting agency.--The
term `nationwide consumer reporting agency' means a consumer
reporting agency described in section 603(p) of the Fair Credit
Reporting Act (15 U.S.C. 1681a(p)).</DELETED>
<DELETED> ``(5) Vulnerability disclosure.--The term
`vulnerability disclosure' means a vulnerability identified
under section 3559B.</DELETED>
<DELETED>``Sec. 3592. Notification of high risk exposure after major
incident</DELETED>
<DELETED> ``(a) Notification.--As expeditiously as practicable and
without unreasonable delay, and in any case not later than 30 days
after an agency has a reasonable basis to conclude that a major
incident has occurred due to a high risk exposure of personal
identifiable information, as described in section 3598(c)(2), the head
of the agency shall provide notice of the major incident in accordance
with subsection (b) in writing to the last known home mailing address
of each individual whom the major incident may have impacted.</DELETED>
<DELETED> ``(b) Contents of Notice.--Each notice to an individual
required under subsection (a) shall include--</DELETED>
<DELETED> ``(1) a description of the rationale for the
determination that the major incident resulted in a high risk
of exposure of the personal information of the
individual;</DELETED>
<DELETED> ``(2) an assessment of the type of risk the
individual may face as a result of an exposure;</DELETED>
<DELETED> ``(3) contact information for the Federal Bureau
of Investigation or other appropriate entity;</DELETED>
<DELETED> ``(4) the contact information of each nationwide
consumer reporting agency;</DELETED>
<DELETED> ``(5) the contact information for questions to the
agency, including a telephone number, e-mail address, and
website;</DELETED>
<DELETED> ``(6) information on any remedy being offered by
the agency;</DELETED>
<DELETED> ``(7) consolidated Federal Government
recommendations on what to do in the event of a major incident;
and</DELETED>
<DELETED> ``(8) any other appropriate information as
determined by the head of the agency.</DELETED>
<DELETED> ``(c) Delay of Notification.--</DELETED>
<DELETED> ``(1) In general.--The Attorney General, the
Director of National Intelligence, or the Secretary of Homeland
Security may impose a delay of a notification required under
subsection (a) if the notification would disrupt a law
enforcement investigation, endanger national security, or
hamper security remediation actions.</DELETED>
<DELETED> ``(2) Documentation.--</DELETED>
<DELETED> ``(A) In general.--Any delay under
paragraph (1) shall be reported in writing to the head
of the agency, the Director, the Director of the
Cybersecurity and Infrastructure Security Agency, and
the Office of Inspector General of the agency that
experienced the major incident.</DELETED>
<DELETED> ``(B) Contents.--A statement required
under subparagraph (A) shall include a written
statement from the entity that delayed the notification
explaining the need for the delay.</DELETED>
<DELETED> ``(C) Form.--The statement required under
subparagraph (A) shall be unclassified, but may include
a classified annex.</DELETED>
<DELETED> ``(3) Renewal.--A delay under paragraph (1) shall
be for a period of 2 months and may be renewed.</DELETED>
<DELETED> ``(d) Update Notification.--If an agency determines there
is a change in the reasonable basis to conclude that a major incident
occurred, or that there is a change in the details of the information
provided to impacted individuals as described in subsection (b), the
agency shall as expeditiously as practicable and without unreasonable
delay, and in any case not later than 30 days after such a
determination, notify all such individuals who received a notification
pursuant to subsection (a) of those changes.</DELETED>
<DELETED> ``(e) Rule of Construction.--Nothing in this section shall
be construed to limit--</DELETED>
<DELETED> ``(1) the Director from issuing guidance regarding
notifications or the head of an agency from sending
notifications to individuals impacted by incidents not
determined to be major incidents; or</DELETED>
<DELETED> ``(2) the Director from issuing guidance regarding
notifications of major incidents or the head of an agency from
issuing notifications to individuals impacted by major
incidents that contain more information than described in
subsection (b).</DELETED>
<DELETED>``Sec. 3593. Congressional notifications and reports</DELETED>
<DELETED> ``(a) Initial Report.--</DELETED>
<DELETED> ``(1) In general.--Not later than 5 days after the
date on which an agency has a reasonable basis to conclude that
a major incident occurred, the head of the agency shall submit
a written notification and, to the extent practicable, provide
a briefing, to the appropriate notification entities, taking
into account--</DELETED>
<DELETED> ``(A) the information known at the time of
the notification;</DELETED>
<DELETED> ``(B) the sensitivity of the details
associated with the major incident; and</DELETED>
<DELETED> ``(C) the classification level of the
information contained in the notification.</DELETED>
<DELETED> ``(2) Contents.--A notification required under
paragraph (1) shall include--</DELETED>
<DELETED> ``(A) a summary of the information
available about the major incident, including how the
major incident occurred, based on information available
to agency officials as of the date on which the agency
submits the report;</DELETED>
<DELETED> ``(B) if applicable, an estimate of the
number of individuals impacted by the major incident,
including an assessment of the risk level to impacted
individuals based on the guidance promulgated under
section 3598(c)(1) and any information available to
agency officials on the date on which the agency
submits the report;</DELETED>
<DELETED> ``(C) if applicable, a description and any
associated documentation of any circumstances
necessitating a delay in or exemption to notification
granted under subsection (c) or (d) of section 3592;
and</DELETED>
<DELETED> ``(D) if applicable, an assessment of the
impacts to the agency, the Federal Government, or the
security of the United States, based on information
available to agency officials on the date on which the
agency submits the report.</DELETED>
<DELETED> ``(b) Supplemental Report.--Within a reasonable amount of
time, but not later than 45 days after the date on which additional
information relating to a major incident for which an agency submitted
a written notification under subsection (a) is discovered by the
agency, the head of the agency shall submit to the appropriate
notification entities updates to the written notification that include
summaries of--</DELETED>
<DELETED> ``(1) the threats and threat actors,
vulnerabilities, means by which the major incident occurred,
and impacts to the agency relating to the major
incident;</DELETED>
<DELETED> ``(2) any risk assessment and subsequent risk-
based security implementation of the affected information
system before the date on which the major incident
occurred;</DELETED>
<DELETED> ``(3) the status of compliance of the affected
information system with applicable security requirements at the
time of the major incident;</DELETED>
<DELETED> ``(4) an estimate of the number of individuals
affected by the major incident based on information available
to agency officials as of the date on which the agency submits
the update;</DELETED>
<DELETED> ``(5) an update to the assessment of the risk of
harm to impacted individuals affected by the major incident
based on information available to agency officials as of the
date on which the agency submits the update;</DELETED>
<DELETED> ``(6) an update to the assessment of the risk to
agency operations, or to impacts on other agency or non-Federal
entity operations, affected by the major incident based on
information available to agency officials as of the date on
which the agency submits the update; and</DELETED>
<DELETED> ``(7) the detection, response, and remediation
actions of the agency, including any support provided by the
Cybersecurity and Infrastructure Security Agency under section
3594(d) and status updates on the notification process
described in section 3592(a), including any delay or exemption
described in subsection (c) or (d), respectively, of section
3592, if applicable.</DELETED>
<DELETED> ``(c) Update Report.--If the agency determines that there
is any significant change in the understanding of the agency of the
scope, scale, or consequence of a major incident for which an agency
submitted a written notification under subsection (a), the agency shall
provide an updated report to the appropriate notification entities that
includes information relating to the change in understanding.</DELETED>
<DELETED> ``(d) Annual Report.--Each agency shall submit as part of
the annual report required under section 3554(c)(1) of this title a
description of each major incident that occurred during the 1-year
period preceding the date on which the report is submitted.</DELETED>
<DELETED> ``(e) Delay and Exemption Report.--The Director shall
submit to the appropriate notification entities an annual report on all
notification delays and exemptions granted pursuant to subsections (c)
and (d) of section 3592.</DELETED>
<DELETED> ``(f) Report Delivery.--Any written notification or report
required to be submitted under this section may be submitted in a paper
or electronic format.</DELETED>
<DELETED> ``(g) Rule of Construction.--Nothing in this section shall
be construed to limit--</DELETED>
<DELETED> ``(1) the ability of an agency to provide
additional reports or briefings to Congress; or</DELETED>
<DELETED> ``(2) Congress from requesting additional
information from agencies through reports, briefings, or other
means.</DELETED>
<DELETED> ``(h) Binding Operational Directive.--If the Director of
the Cybersecurity and Infrastructure Security Agency issues a binding
operational directive or an emergency directive under section 3553, not
later than 2 days after the date on which the binding operational
directive requires an agency to take an action, each agency shall
provide to the appropriate notification entities the status of the
implementation of the binding operational directive at the
agency.</DELETED>
<DELETED>``Sec. 3594. Government information sharing and incident
response</DELETED>
<DELETED> ``(a) In General.--</DELETED>
<DELETED> ``(1) Incident reporting.--The head of each agency
shall provide any information relating to any incident, whether
the information is obtained by the Federal Government directly
or indirectly, to the Cybersecurity and Infrastructure Security
Agency and the Office of Management and Budget.</DELETED>
<DELETED> ``(2) Contents.--A provision of information
relating to an incident made by the head of an agency under
paragraph (1) shall--</DELETED>
<DELETED> ``(A) include detailed information about
the safeguards that were in place when the incident
occurred;</DELETED>
<DELETED> ``(B) whether the agency implemented the
safeguards described in subparagraph (A) correctly;
and</DELETED>
<DELETED> ``(C) in order to protect against a
similar incident, identify--</DELETED>
<DELETED> ``(i) how the safeguards described
in subparagraph (A) should be implemented
differently; and</DELETED>
<DELETED> ``(ii) additional necessary
safeguards.</DELETED>
<DELETED> ``(b) Compliance.--The information provided under
subsection (a) shall--</DELETED>
<DELETED> ``(1) take into account the level of
classification of the information and any information sharing
limitations relating to law enforcement; and</DELETED>
<DELETED> ``(2) be in compliance with the requirements
limiting the release of information under section 552a of title
5 (commonly known as the `Privacy Act of 1974').</DELETED>
<DELETED> ``(c) Responding to Information Requests From Agencies
Experiencing Incidents.--An agency that receives a request from another
agency or Federal entity for information specifically intended to
assist in the remediation or notification requirements due to an
incident shall provide that information to the greatest extent
possible, in accordance with guidance issued by the Director and taking
into account classification, law enforcement, national security, and
compliance with section 552a of title 5 (commonly known as the `Privacy
Act of 1974').</DELETED>
<DELETED> ``(d) Incident Response.--Each agency that has a
reasonable basis to conclude that a major incident occurred, regardless
of delays from notification granted for a major incident, shall consult
with the Cybersecurity and Infrastructure Security Agency regarding--
</DELETED>
<DELETED> ``(1) incident response and recovery;
and</DELETED>
<DELETED> ``(2) recommendations for mitigating future
incidents.</DELETED>
<DELETED>``Sec. 3595. Responsibilities of contractors and grant
recipients</DELETED>
<DELETED> ``(a) Notification.--</DELETED>
<DELETED> ``(1) In general.--Subject to paragraph (3), any
contractor of an agency or recipient of a grant from an agency
that has a reasonable basis to conclude that an incident
involving Federal information has occurred shall immediately
notify the agency.</DELETED>
<DELETED> ``(2) Procedures.--</DELETED>
<DELETED> ``(A) Major incident.--Following
notification of a major incident by a contractor or
recipient of a grant under paragraph (1), an agency, in
consultation with the contractor or grant recipient, as
applicable, shall carry out the requirements under
sections 3592, 3593, and 3594 with respect to the major
incident.</DELETED>
<DELETED> ``(B) Incident.--Following notification of
an incident by a contractor or recipient of a grant
under paragraph (1), an agency, in consultation with
the contractor or grant recipient, as applicable, shall
carry out the requirements under section 3594 with
respect to the incident.</DELETED>
<DELETED> ``(3) Applicability.--This subsection shall apply
to a contractor of an agency or a recipient of a grant from an
agency that--</DELETED>
<DELETED> ``(A) receives information from the agency
that the contractor or recipient, as applicable, is not
contractually authorized to receive;</DELETED>
<DELETED> ``(B) experiences an incident relating to
Federal information on an information system of the
contractor or recipient, as applicable; or</DELETED>
<DELETED> ``(C) identifies an incident involving a
Federal information system.</DELETED>
<DELETED> ``(b) Incident Response.--Any contractor of an agency or
recipient of a grant from an agency that has a reasonable basis to
conclude that a major incident occurred shall, in coordination with the
agency, consult with the Cybersecurity and Infrastructure Security
Agency regarding--</DELETED>
<DELETED> ``(1) incident response assistance; and</DELETED>
<DELETED> ``(2) recommendations for mitigating future
incidents at the agency.</DELETED>
<DELETED> ``(c) Effective Date.--This section shall apply on and
after the date that is 1 year after the date of enactment of the
Federal Information Security Modernization Act of 2021.</DELETED>
<DELETED>``Sec. 3596. Training</DELETED>
<DELETED> ``(a) In General.--Each agency shall develop training for
individuals at the agency with access to Federal information or
information systems on how to identify and respond to an incident,
including--</DELETED>
<DELETED> ``(1) the internal process at the agency for
reporting an incident; and</DELETED>
<DELETED> ``(2) the obligation of the individual to report
to the agency a confirmed major incident and any suspected
incident, involving information in any medium or form,
including paper, oral, and electronic.</DELETED>
<DELETED> ``(b) Applicability.--The training developed under
subsection (a) shall--</DELETED>
<DELETED> ``(1) be required for an individual before the
individual may access Federal information or information
systems; and</DELETED>
<DELETED> ``(2) apply to individuals with temporary access
to Federal information or information systems, such as
detailees, contractors, subcontractors, grantees, volunteers,
and interns.</DELETED>
<DELETED> ``(c) Inclusion in Annual Training.--The training
developed under subsection (a) may be included as part of an annual
privacy or security awareness training of the agency, as
applicable.</DELETED>
<DELETED>``Sec. 3597. Analysis and report on Federal
incidents</DELETED>
<DELETED> ``(a) Definition of Compromise.--In this section, the term
`compromise' means--</DELETED>
<DELETED> ``(1) an incident;</DELETED>
<DELETED> ``(2) a result of a penetration test in which the
tester successfully gains access to a system within the
standards under section 3559A;</DELETED>
<DELETED> ``(3) a vulnerability disclosure; or</DELETED>
<DELETED> ``(4) any other event that the Director of the
Cybersecurity and Infrastructure Security Agency determines
identifies an exploitable vulnerability in an agency
system.</DELETED>
<DELETED> ``(b) Analysis of Federal Incidents.--</DELETED>
<DELETED> ``(1) In general.--The Director of the
Cybersecurity and Infrastructure Security Agency shall perform
continuous monitoring of compromises of agencies.</DELETED>
<DELETED> ``(2) Quantitative and qualitative analyses.--The
Director of the Cybersecurity and Infrastructure Security
Agency, in consultation with the Director, shall develop and
perform continuous monitoring and quantitative and qualitative
analyses of compromises of agencies, including--</DELETED>
<DELETED> ``(A) the causes of successful
compromises, including--</DELETED>
<DELETED> ``(i) attacker tactics,
techniques, and procedures; and</DELETED>
<DELETED> ``(ii) system vulnerabilities,
including zero days, unpatched systems, and
information system misconfigurations;</DELETED>
<DELETED> ``(B) the scope and scale of compromises
of agencies;</DELETED>
<DELETED> ``(C) cross Federal Government root causes
of compromises of agencies;</DELETED>
<DELETED> ``(D) agency response, recovery, and
remediation actions and effectiveness of incidents, as
applicable; and</DELETED>
<DELETED> ``(E) lessons learned and recommendations
in responding, recovering, remediating, and mitigating
future incidents.</DELETED>
<DELETED> ``(3) Automated analysis.--The analyses developed
under paragraph (2) shall, to the greatest extent practicable,
use machine readable data, automation, and machine learning
processes.</DELETED>
<DELETED> ``(4) Sharing of data and analysis.--</DELETED>
<DELETED> ``(A) In general.--The Director shall
share on an ongoing basis the analyses required under
this subsection with agencies to--</DELETED>
<DELETED> ``(i) improve the understanding of
agencies with respect to risk; and</DELETED>
<DELETED> ``(ii) support the cybersecurity
improvement efforts of agencies.</DELETED>
<DELETED> ``(B) Format.--In carrying out
subparagraph (A), the Director shall share the
analyses--</DELETED>
<DELETED> ``(i) in human-readable written
products; and</DELETED>
<DELETED> ``(ii) to the greatest extent
practicable, in machine-readable formats in
order to enable automated intake and use by
agencies.</DELETED>
<DELETED> ``(c) Annual Report on Federal Compromises.--Not later
than 2 years after the date of enactment of this section, and not less
frequently than annually thereafter, the Director of the Cybersecurity
and Infrastructure Security Agency, in consultation with the Director,
shall submit to the appropriate notification entities a report that
includes--</DELETED>
<DELETED> ``(1) a summary of causes of compromises from
across the Federal Government that categorizes those
compromises by the items described in paragraphs (1) through
(4) of subsection (a);</DELETED>
<DELETED> ``(2) the quantitative and qualitative analyses of
compromises developed under subsection (b)(2) on an agency-by-
agency basis and comprehensively; and</DELETED>
<DELETED> ``(3) an annex for each agency that includes the
total number of compromises of the agency and categorizes those
compromises by the items described in paragraphs (1) through
(4) of subsection (a).</DELETED>
<DELETED> ``(d) Publication.--A version of each report submitted
under subsection (c) shall be made publicly available on the website of
the Cybersecurity and Infrastructure Security Agency during the year in
which the report is submitted.</DELETED>
<DELETED> ``(e) Information Provided by Agencies.--The analysis
required under subsection (b) and each report submitted under
subsection (c) shall utilize information provided by agencies pursuant
to section 3594(d).</DELETED>
<DELETED> ``(f) Requirement To Anonymize Information.--In publishing
the public report required under subsection (d), the Director of the
Cybersecurity and Infrastructure Security Agency shall sufficiently
anonymize and compile information such that no specific incidents of an
agency can be identified, except with the concurrence of the Director
of the Office of Management and Budget and in consultation with the
impacted agency.</DELETED>
<DELETED>``Sec. 3598. Major incident guidance</DELETED>
<DELETED> ``(a) In General.--Not later than 90 days after the date
of enactment of the Federal Information Security Management Act of
2021, the Director, in coordination with the Director of the
Cybersecurity and Infrastructure Security Agency, shall develop and
promulgate guidance on the definition of the term `major incident' for
the purposes of subchapter II and this subchapter.</DELETED>
<DELETED> ``(b) Requirements.--With respect to the guidance issued
under subsection (a), the definition of the term `major incident'
shall--</DELETED>
<DELETED> ``(1) include, with respect to any information
collected or maintained by or on behalf of an agency or an
information system used or operated by an agency or by a
contractor of an agency or another organization on behalf of an
agency--</DELETED>
<DELETED> ``(A) any incident the head of the agency
determines is likely to have an impact on the national
security, homeland security, or economic security of
the United States;</DELETED>
<DELETED> ``(B) any incident the head of the agency
determines is likely to have an impact on the
operations of the agency, a component of the agency, or
the Federal Government, including an impact on the
efficiency or effectiveness of agency information
systems;</DELETED>
<DELETED> ``(C) any incident that the head of an
agency, in consultation with the Chief Privacy Officer
of the agency, determines involves a high risk incident
in accordance with the guidance issued under subsection
(c)(1);</DELETED>
<DELETED> ``(D) any incident that involves the
unauthorized disclosure of personally identifiable
information of not less than 500 individuals,
regardless of the risk level determined under the
guidance issued under subsection (c)(1);</DELETED>
<DELETED> ``(E) any incident the head of the agency
determines involves a high value asset owned or
operated by the agency; and</DELETED>
<DELETED> ``(F) any other type of incident
determined appropriate by the Director;</DELETED>
<DELETED> ``(2) stipulate that every agency shall be
considered to have experienced a major incident if the Director
of the Cybersecurity and Infrastructure Security Agency
determines that an incident that occurs at not less than 2
agencies--</DELETED>
<DELETED> ``(A) is enabled by a common technical
root cause, such as a supply chain compromise, a common
software or hardware vulnerability; or</DELETED>
<DELETED> ``(B) is enabled by the related activities
of a common actor; and</DELETED>
<DELETED> ``(3) stipulate that, in determining whether an
incident constitutes a major incident because that incident--
</DELETED>
<DELETED> ``(A) is any incident described in
paragraph (1), the head of an agency shall consult with
the Director of the Cybersecurity and Infrastructure
Security Agency;</DELETED>
<DELETED> ``(B) is an incident described in
paragraph (1)(A), the head of the agency shall consult
with the National Cyber Director; and</DELETED>
<DELETED> ``(C) is an incident described in
subparagraph (C) or (D) of paragraph (1), the head of
the agency shall consult with--</DELETED>
<DELETED> ``(i) the Privacy and Civil
Liberties Oversight Board; and</DELETED>
<DELETED> ``(ii) the Executive Director of
the Federal Trade Commission.</DELETED>
<DELETED> ``(c) Guidance on Risk to Individuals.--</DELETED>
<DELETED> ``(1) In general.--Not later than 90 days after
the date of enactment of the Federal Information Security
Modernization Act of 2021, the Director, in coordination with
the Director of the Cybersecurity and Infrastructure Security
Agency, the Privacy and Civil Liberties Oversight Board, and
the Executive Director of the Federal Trade Commission, shall
develop and issue guidance to agencies that establishes a risk-
based framework for determining the level of risk that an
incident involving personally identifiable information could
result in substantial harm, physical harm, embarrassment, or
unfairness to an individual.</DELETED>
<DELETED> ``(2) Risk levels and considerations.--The risk-
based framework included in the guidance issued under paragraph
(1) shall--</DELETED>
<DELETED> ``(A) include a range of risk levels,
including a high risk level; and</DELETED>
<DELETED> ``(B) consider--</DELETED>
<DELETED> ``(i) any personally identifiable
information that was exposed as a result of an
incident;</DELETED>
<DELETED> ``(ii) the circumstances under
which the exposure of personally identifiable
information of an individual occurred;
and</DELETED>
<DELETED> ``(iii) whether an independent
evaluation of the information affected by an
incident determines that the information is
unreadable, including, as appropriate,
instances in which the information is--
</DELETED>
<DELETED> ``(I) encrypted;
and</DELETED>
<DELETED> ``(II) determined by the
Director of the Cybersecurity and
Infrastructure Security Agency to be of
sufficiently low risk of
exposure.</DELETED>
<DELETED> ``(3) Approval.--</DELETED>
<DELETED> ``(A) In general.--The guidance issued
under paragraph (1) shall include a process by which
the Director, jointly with the Director of the
Cybersecurity and Infrastructure Security Agency and
the Attorney General, may approve the designation of an
incident that would be considered high risk as lower
risk if information exposed by the incident is
unreadable, as described in paragraph
(2)(B)(iii).</DELETED>
<DELETED> ``(B) Documentation.--The Director shall
report any approval of an incident granted by the
Director under subparagraph (A) to--</DELETED>
<DELETED> ``(i) the head of the agency that
experienced the incident;</DELETED>
<DELETED> ``(ii) the inspector general of
the agency that experienced the incident;
and</DELETED>
<DELETED> ``(iii) the Director of the
Cybersecurity and Infrastructure Security
Agency.</DELETED>
<DELETED> ``(d) Evaluation and Updates.--Not later than 2 years
after the date of enactment of the Federal Information Security
Modernization Act of 2021, and not less frequently than every 2 years
thereafter, the Director shall submit to the Committee on Homeland
Security and Governmental Affairs of the Senate and the Committee on
Oversight and Reform of the House of Representatives an evaluation,
which shall include--</DELETED>
<DELETED> ``(1) an update, if necessary, to the guidance
issued under subsections (a) and (c);</DELETED>
<DELETED> ``(2) the definition of the term `major incident'
included in the guidance issued under subsection (a);</DELETED>
<DELETED> ``(3) an explanation of, and the analysis that led
to, the definition described in paragraph (2); and</DELETED>
<DELETED> ``(4) an assessment of any additional datasets or
risk evaluation criteria that should be included in the risk-
based framework included in the guidance issued under
subsection (c)(1).''.</DELETED>
<DELETED> (2) Clerical amendment.--The table of sections for
chapter 35 of title 44, United States Code, is amended by
adding at the end the following:</DELETED>
<DELETED> ``subchapter iv--federal system incident response
<DELETED>``3591. Definitions.
<DELETED>``3592. Notification of high risk exposure after major
incident.
<DELETED>``3593. Congressional notifications and reports.
<DELETED>``3594. Government information sharing and incident response.
<DELETED>``3595. Responsibilities of contractors and grant recipients.
<DELETED>``3596. Training.
<DELETED>``3597. Analysis and report on Federal incidents.
<DELETED>``3598. Major incident guidance.''.
<DELETED>SEC. 102. AMENDMENTS TO SUBTITLE III OF TITLE 40.</DELETED>
<DELETED> (a) Information Technology Modernization Centers of
Excellence Program Act.--Section 2(c)(4)(A)(ii) of the Information
Technology Modernization Centers of Excellence Program Act (40 U.S.C.
11301 note) is amended by striking the period at the end and inserting
``, which shall be provided in coordination with the Director of the
Cybersecurity and Infrastructure Security Agency.''.</DELETED>
<DELETED> (b) Modernizing Government Technology.--Subtitle G of
title X of Division A of the National Defense Authorization Act for
Fiscal Year 2018 (40 U.S.C. 11301 note) is amended--</DELETED>
<DELETED> (1) in section 1077(b)--</DELETED>
<DELETED> (A) in paragraph (5)(A), by inserting
``improving the cybersecurity of systems and'' before
``cost savings activities''; and</DELETED>
<DELETED> (B) in paragraph (7)--</DELETED>
<DELETED> (i) in the paragraph heading, by
striking ``cio'' and inserting
``CIO'';</DELETED>
<DELETED> (ii) by striking ``In evaluating
projects'' and inserting the
following:</DELETED>
<DELETED> ``(A) Consideration of guidance.--In
evaluating projects'';</DELETED>
<DELETED> (iii) in subparagraph (A), as so
designated, by striking ``under section
1094(b)(1)'' and inserting ``guidance issued by
the Director''; and</DELETED>
<DELETED> (iv) by adding at the end the
following:</DELETED>
<DELETED> ``(B) Consultation.--In using funds under
paragraph (3)(A), the Chief Information Officer of the
covered agency shall consult with the Director of the
Cybersecurity and Infrastructure Security Agency.'';
and</DELETED>
<DELETED> (2) in section 1078--</DELETED>
<DELETED> (A) by striking subsection (a) and
inserting the following:</DELETED>
<DELETED> ``(a) Definitions.--In this section:</DELETED>
<DELETED> ``(1) Agency.--The term `agency' has the meaning
given the term in section 551 of title 5, United States
Code.</DELETED>
<DELETED> ``(2) High value asset.--The term `high value
asset' has the meaning given the term in section 3552 of title
44, United States Code.'';</DELETED>
<DELETED> (B) in subsection (b), by adding at the
end the following:</DELETED>
<DELETED> ``(8) Proposal evaluation.--The Director shall--
</DELETED>
<DELETED> ``(A) give consideration for the use of
amounts in the Fund to improve the security of high
value assets; and</DELETED>
<DELETED> ``(B) require that any proposal for the
use of amounts in the Fund includes a cybersecurity
plan, including a supply chain risk management plan, to be
reviewed by the member of the Technology Modernization
Board described in subsection (c)(5)(C).'';
and</DELETED>
<DELETED> (C) in subsection (c)--</DELETED>
<DELETED> (i) in paragraph (2)(A)(i), by
inserting ``, including a consideration of the
impact on high value assets'' after
``operational risks'';</DELETED>
<DELETED> (ii) in paragraph (5)--</DELETED>
<DELETED> (I) in subparagraph (A),
by striking ``and'' at the
end;</DELETED>
<DELETED> (II) in subparagraph (B),
by striking the period at the end and
inserting ``and''; and</DELETED>
<DELETED> (III) by adding at the end
the following:</DELETED>
<DELETED> ``(C) a senior official from the
Cybersecurity and Infrastructure Security Agency of the
Department of Homeland Security, appointed by the
Director.''; and</DELETED>
<DELETED> (iii) in paragraph (6)(A), by
striking ``shall be--'' and all that follows
through ``4 employees'' and inserting ``shall
be 4 employees''.</DELETED>
<DELETED> (c) Subchapter I.--Subchapter I of subtitle III of title
40, United States Code, is amended--</DELETED>
<DELETED> (1) in section 11302--</DELETED>
<DELETED> (A) in subsection (b), by striking ``use,
security, and disposal of'' and inserting ``use, and
disposal, and, in coordination with the Director of the
Cybersecurity and Infrastructure Security Agency,
promote and improve the security, of'';</DELETED>
<DELETED> (B) in subsection (c)--</DELETED>
<DELETED> (i) in paragraph (2), by inserting
``in consultation with the Director of the
Cybersecurity and Infrastructure Security
Agency'' before ``, and results of'';</DELETED>
<DELETED> (ii) in paragraph (3)--</DELETED>
<DELETED> (I) in subparagraph (A),
by striking ``, and performance'' and
inserting ``security, and
performance''; and</DELETED>
<DELETED> (II) in subparagraph (C)--
</DELETED>
<DELETED> (aa) by striking
``For each major'' and
inserting the
following:</DELETED>
<DELETED> ``(i) In general.--For each
major''; and</DELETED>
<DELETED> (bb) by adding at
the end the
following:</DELETED>
<DELETED> ``(ii) Cybersecurity.--In
categorizing an investment according to risk
under clause (i), the Chief Information Officer
of the covered agency shall consult with the
Director of the Cybersecurity and
Infrastructure Security Agency on the
cybersecurity or supply chain risk.</DELETED>
<DELETED> ``(iii) Security risk guidance.--
The Director, in coordination with the Director
of the Cybersecurity and Infrastructure
Security Agency, shall issue guidance for the
categorization of an investment under clause
(i) according to the cybersecurity or supply
chain risk.''; and</DELETED>
<DELETED> (iii) in paragraph (4)--</DELETED>
<DELETED> (I) in subparagraph (A)--
</DELETED>
<DELETED> (aa) in clause
(ii), by striking ``and'' at
the end;</DELETED>
<DELETED> (bb) in clause
(iii), by striking the period
at the end and inserting ``;
and''; and</DELETED>
<DELETED> (cc) by adding at
the end the
following:</DELETED>
<DELETED> ``(iv) in consultation with the
Director of the Cybersecurity and
Infrastructure Security Agency, the
cybersecurity risks of the investment.'';
and</DELETED>
<DELETED> (II) in subparagraph (B),
in the matter preceding clause (i), by
inserting ``not later than 30 days
after the date on which the review
under subparagraph (A) is completed,''
before ``the Administrator'';</DELETED>
<DELETED> (C) in subsection (f)--</DELETED>
<DELETED> (i) by striking ``heads of
executive agencies to develop'' and inserting
``heads of executive agencies to--</DELETED>
<DELETED> ``(1) develop'';</DELETED>
<DELETED> (ii) in paragraph (1), as so
designated, by striking the period at the end
and inserting ``; and''; and</DELETED>
<DELETED> (iii) by adding at the end the
following:</DELETED>
<DELETED> ``(2) consult with the Director of the
Cybersecurity and Infrastructure Security Agency for the
development and use of supply chain security best practices.'';
and</DELETED>
<DELETED> (D) in subsection (h), by inserting ``,
including cybersecurity performances,'' after ``the
performances''; and</DELETED>
<DELETED> (2) in section 11303(b)(2)(B)--</DELETED>
<DELETED> (A) in clause (i), by striking ``or'' at
the end;</DELETED>
<DELETED> (B) in clause (ii), by adding ``or'' at
the end; and</DELETED>
<DELETED> (C) by adding at the end the
following:</DELETED>
<DELETED> ``(iii) whether the function
should be performed by a shared service offered
by another executive agency;''.</DELETED>
<DELETED> (d) Subchapter II.--Subchapter II of subtitle III of title
40, United States Code, is amended--</DELETED>
<DELETED> (1) in section 11312(a), by inserting ``,
including security risks'' after ``managing the
risks'';</DELETED>
<DELETED> (2) in section 11313(1), by striking ``efficiency
and effectiveness'' and inserting ``efficiency, security, and
effectiveness'';</DELETED>
<DELETED> (3) in section 11317, by inserting ``security,''
before ``or schedule''; and</DELETED>
<DELETED> (4) in section 11319(b)(1), in the paragraph
heading, by striking ``cios'' and inserting ``Chief information
officers''.</DELETED>
<DELETED> (e) Subchapter III.--Section 11331 of title 40, United
States Code, is amended--</DELETED>
<DELETED> (1) in subsection (a), by striking ``section
3532(b)(1)'' and inserting ``section 3552(b)'';</DELETED>
<DELETED> (2) in subsection (b)(1)(A)--</DELETED>
<DELETED> (A) by striking ``in consultation'' and
inserting ``in coordination'';</DELETED>
<DELETED> (B) by striking ``the Secretary of
Homeland Security'' and inserting ``the Director of the
Cybersecurity and Infrastructure Security Agency'';
and</DELETED>
<DELETED> (C) by inserting ``and associated
verification specifications developed under subsection
(g)'' before ``pertaining to Federal'';</DELETED>
<DELETED> (3) by striking subsection (c) and inserting the
following:</DELETED>
<DELETED> ``(c) Application of More Stringent Standards.--</DELETED>
<DELETED> ``(1) In general.--The head of an agency shall--
</DELETED>
<DELETED> ``(A) evaluate the need to employ
standards for cost-effective, risk-based information
security for all systems, operations, and assets within
or under the supervision of the agency that are more
stringent than the standards promulgated by the
Director under this section, if such standards contain,
at a minimum, the provisions of those applicable
standards made compulsory and binding by the Director;
and</DELETED>
<DELETED> ``(B) to the greatest extent practicable
and if the head of the agency determines that the
standards described in subparagraph (A) are necessary,
employ those standards.</DELETED>
<DELETED> ``(2) Evaluation of more stringent standards.--In
evaluating the need to employ more stringent standards under
paragraph (1), the head of an agency shall consider available
risk information, including--</DELETED>
<DELETED> ``(A) the status of cybersecurity remedial
actions of the agency;</DELETED>
<DELETED> ``(B) any vulnerability information
relating to agency systems that is known to the
agency;</DELETED>
<DELETED> ``(C) incident information of the
agency;</DELETED>
<DELETED> ``(D) information from--</DELETED>
<DELETED> ``(i) penetration testing
performed under section 3559A of title 44;
and</DELETED>
<DELETED> ``(ii) the verification disclosure
program established under section 3559B of title 44;</DELETED>
<DELETED> ``(E) agency threat hunting results under
section 207 of the Federal Information Security
Modernization Act of 2021;</DELETED>
<DELETED> ``(F) Federal and non-Federal threat
intelligence;</DELETED>
<DELETED> ``(G) data on compliance with standards
issued under this section, using the verification
specifications developed under subsection (f) when
appropriate;</DELETED>
<DELETED> ``(H) agency system risk assessments of
the agency performed under section 3554(a)(1)(A) of
title 44; and</DELETED>
<DELETED> ``(I) any other information determined
relevant by the head of the agency.'';</DELETED>
<DELETED> (4) in subsection (d)(2)--</DELETED>
<DELETED> (A) by striking the paragraph heading and
inserting ``Consultation, notice, and
comment'';</DELETED>
<DELETED> (B) by inserting ``promulgate,'' before
``significantly modify''; and</DELETED>
<DELETED> (C) by striking ``shall be made after the
public is given an opportunity to comment on the
Director's proposed decision.'' and inserting ``shall
be made--</DELETED>
<DELETED> ``(A) for a decision to significantly
modify or not promulgate such a proposed standard,
after the public is given an opportunity to comment on
the Director's proposed decision;</DELETED>
<DELETED> ``(B) in consultation with the Chief
Information Officers Council, the Director of the
Cybersecurity and Infrastructure Security Agency, the
National Cyber Director, the Comptroller General of the
United States, and the Council of the Inspectors
General on Integrity and Efficiency;</DELETED>
<DELETED> ``(C) considering the Federal risk
assessments performed under section 3553(i) of title
44; and</DELETED>
<DELETED> ``(D) considering the extent to which the
proposed standard reduces risk relative to the cost of
implementation of the standard.''; and</DELETED>
<DELETED> (5) by adding at the end the following:</DELETED>
<DELETED> ``(e) Review of Promulgated Standards.--</DELETED>
<DELETED> ``(1) In general.--Not less frequently than once
every 2 years, the Director of the Office of Management and
Budget, in consultation with the Chief Information Officers
Council, the Director of the Cybersecurity and Infrastructure
Security Agency, the National Cyber Director, the Comptroller
General of the United States, and the Council of the Inspectors
General on Integrity and Efficiency shall review the efficacy
of the standards in effect promulgated under this section in
reducing cybersecurity risks and determine whether any changes
to those standards are appropriate based on--</DELETED>
<DELETED> ``(A) the Federal risk assessment
developed under section 3553(i) of title 44;</DELETED>
<DELETED> ``(B) public comment; and</DELETED>
<DELETED> ``(C) an assessment of the extent to which
the proposed standards reduce risk relative to the cost
of implementation of the standards.</DELETED>
<DELETED> ``(2) Updated guidance.--Not later than 90 days
after the date of the completion of the review under paragraph
(1), the Director of the Office of Management and Budget shall
issue guidance to agencies to make any necessary updates to the
standards in effect promulgated under this section based on the
results of the review.</DELETED>
<DELETED> ``(3) Congressional report.--Not later than 30
days after the date on which a review is completed under
paragraph (1), the Director shall submit to the Committee on
Homeland Security and Governmental Affairs of the Senate and
the Committee on Oversight and Reform of the House of
Representatives a report that includes--</DELETED>
<DELETED> ``(A) the review of the standards in
effect promulgated under this section conducted under
paragraph (1);</DELETED>
<DELETED> ``(B) the risk mitigation offered by each
standard described in subparagraph (A); and</DELETED>
<DELETED> ``(C) a summary of--</DELETED>
<DELETED> ``(i) the standards to which
changes were determined appropriate during the
review; and</DELETED>
<DELETED> ``(ii) anticipated changes to the
standards under this section in guidance issued
under paragraph (2).</DELETED>
<DELETED> ``(f) Verification Specifications.--Not later than 1 year
after the date on which the Director of the National Institute of
Standards and Technology issues a proposed standard pursuant to
paragraphs (2) and (3) of section 20(a) of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3(a)), the Director of the
Cybersecurity and Infrastructure Security Agency, in consultation with
the Director of the National Institute of Standards and Technology, as
practicable, shall develop technical specifications to enable the
automated verification of the implementation of the controls within the
standard.''.</DELETED>
<DELETED>SEC. 103. ACTIONS TO ENHANCE FEDERAL INCIDENT
RESPONSE.</DELETED>
<DELETED> (a) Responsibilities of the Cybersecurity and
Infrastructure Security Agency.--</DELETED>
<DELETED> (1) Recommendations.--Not later than 180 days
after the date of enactment of this Act, the Director of the
Cybersecurity and Infrastructure Security Agency, in
coordination with the Chair of the Federal Trade Commission,
the Chair of the Securities and Exchange Commission, the
Secretary of the Treasury, the Director of the Federal Bureau
of Investigation, the Director of the National Institute of
Standards and Technology, and the head of any other appropriate
Federal or non-Federal entity, shall consolidate, maintain, and
make publicly available recommendations for individuals whose
personal information, as defined in section 3591 of title 44,
United States Code, as added by this Act, is inappropriately
exposed as a result of a high risk incident described in
section 3598(c)(2) of title 44, United States Code.</DELETED>
<DELETED> (2) Plan for analysis of, and report on, federal
incidents.--</DELETED>
<DELETED> (A) In general.--Not later than 180 days
after the date of enactment of this Act, the Director
of the Cybersecurity and Infrastructure Security Agency
shall--</DELETED>
<DELETED> (i) develop a plan for the
development of the analysis required under
section 3597(b) of title 44, United States
Code, as added by this Act, and the report
required under subsection (c) of that section
that includes--</DELETED>
<DELETED> (I) a description of any
challenges the Director anticipates
encountering; and</DELETED>
<DELETED> (II) the use of automation
and machine-readable formats for
collecting, compiling, monitoring, and
analyzing data; and</DELETED>
<DELETED> (ii) provide to the appropriate
congressional committees a briefing on the plan
developed under clause (i).</DELETED>
<DELETED> (B) Briefing.--Not later than 1 year after
the date of enactment of this Act, the Director of the
Cybersecurity and Infrastructure Security Agency shall
provide to the appropriate congressional committees a
briefing on--</DELETED>
<DELETED> (i) the execution of the plan
required under subparagraph (A); and</DELETED>
<DELETED> (ii) the development of the report
required under section 3597(c) of title 44,
United States Code, as added by this
Act.</DELETED>
<DELETED> (b) Responsibilities of the Director of the Office of
Management and Budget.--</DELETED>
<DELETED> (1) FISMA.--Section 2 of the Federal Information
Security Modernization Act of 2014 (44 U.S.C. 3554 note) is
amended--</DELETED>
<DELETED> (A) by striking subsection (b);
and</DELETED>
<DELETED> (B) by redesignating subsections (c)
through (f) as subsections (b) through (e),
respectively.</DELETED>
<DELETED> (2) Incident data sharing.--</DELETED>
<DELETED> (A) In general.--The Director shall
develop guidance, to be updated not less frequently
than once every 2 years, on the content, timeliness,
and format of the information provided by agencies
under section 3594(a) of title 44, United States Code,
as added by this Act.</DELETED>
<DELETED> (B) Requirements.--The guidance developed
under subparagraph (A) shall--</DELETED>
<DELETED> (i) prioritize the availability of
data necessary to understand and analyze--
</DELETED>
<DELETED> (I) the causes of
incidents;</DELETED>
<DELETED> (II) the scope and scale
of incidents within the agency networks
and systems;</DELETED>
<DELETED> (III) cross Federal
Government root causes of
incidents;</DELETED>
<DELETED> (IV) agency response,
recovery, and remediation actions;
and</DELETED>
<DELETED> (V) the effectiveness of
incidents;</DELETED>
<DELETED> (ii) enable the efficient
development of--</DELETED>
<DELETED> (I) lessons learned and
recommendations in responding to,
recovering from, remediating, and
mitigating future incidents;
and</DELETED>
<DELETED> (II) the report on Federal
compromises required under section
3597(c) of title 44, United States
Code, as added by this Act;</DELETED>
<DELETED> (iii) include requirements for the
timeliness of data production; and</DELETED>
<DELETED> (iv) include requirements for
using automation and machine-readable data for
data sharing and availability.</DELETED>
<DELETED> (3) Guidance on responding to information
requests.--Not later than 1 year after the date of enactment of
this Act, the Director shall develop guidance for agencies to
implement the requirement under section 3594(c) of title 44,
United States Code, as added by this Act, to provide
information to other agencies experiencing incidents.</DELETED>
<DELETED> (4) Standard guidance and templates.--Not later
than 1 year after the date of enactment of this Act, the
Director, in coordination with the Director of the
Cybersecurity and Infrastructure Security Agency, shall develop
guidance and templates, to be reviewed and, if necessary,
updated not less frequently than once every 2 years, for use by
Federal agencies in the activities required under sections
3592, 3593, and 3596 of title 44, United States Code, as added
by this Act.</DELETED>
<DELETED> (5) Contractor and grantee guidance.--</DELETED>
<DELETED> (A) In general.--Not later than 1 year
after the date of enactment of this Act, the Director,
in coordination with the Secretary of Homeland
Security, the Secretary of Defense, the Administrator
of General Services, and the heads of other agencies
determined appropriate by the Director, shall issue
guidance to Federal agencies on how to deconflict
existing regulations, policies, and procedures relating
to the responsibilities of contractors and grant
recipients established under section 3595 of title 44,
United States Code, as added by this Act.</DELETED>
<DELETED> (B) Existing processes.--To the greatest
extent practicable, the guidance issued under
subparagraph (A) shall allow contractors and grantees
to use existing processes for notifying Federal
agencies of incidents involving information of the
Federal Government.</DELETED>
<DELETED> (6) Updated briefings.--Not less frequently than
once every 2 years, the Director shall provide to the
appropriate congressional committees an update on the guidance
and templates developed under paragraphs (2) through
(4).</DELETED>
<DELETED> (c) Update to the Privacy Act of 1974.--Section 552a(b) of
title 5, United States Code (commonly known as the ``Privacy Act of
1974'') is amended--</DELETED>
<DELETED> (1) in paragraph (11), by striking ``or'' at the
end;</DELETED>
<DELETED> (2) in paragraph (12), by striking the period at
the end and inserting ``; and''; and</DELETED>
<DELETED> (3) by adding at the end the following:</DELETED>
<DELETED> ``(13) to another agency in furtherance of a
response to an incident (as defined in section 3552 of title
44) and pursuant to the information sharing requirements in
section 3594 of title 44 if the head of the requesting agency
has made a written request to the agency that maintains the
record specifying the particular portion desired and the
activity for which the record is sought.''.</DELETED>
<DELETED>SEC. 104. ADDITIONAL GUIDANCE TO AGENCIES ON FISMA
UPDATES.</DELETED>
<DELETED> Not later than 1 year after the date of enactment of this
Act, the Director, in coordination with the Director of the
Cybersecurity and Infrastructure Security Agency, shall issue guidance
for agencies on--</DELETED>
<DELETED> (1) completing the agency system risk assessment
required under section 3554(a)(1)(A) of title 44, United States
Code, as amended by this Act;</DELETED>
<DELETED> (2) implementing additional cybersecurity
procedures, which shall include resources for shared
services;</DELETED>
<DELETED> (3) establishing a process for providing the
status of each remedial action under section 3554(b)(7) of
title 44, United States Code, as amended by this Act, to the
Director and the Cybersecurity and Infrastructure Security
Agency using automation and machine-readable data, as
practicable, which shall include--</DELETED>
<DELETED> (A) specific standards for the automation
and machine-readable data; and</DELETED>
<DELETED> (B) templates for providing the status of
the remedial action;</DELETED>
<DELETED> (4) interpreting the definition of ``high value
asset'' in section 3552 of title 44, United States Code, as
amended by this Act;</DELETED>
<DELETED> (5) implementing standards in agency authorization
processes to encourage the tailoring of processes to agency and
system risk that are proportionate to the sensitivity of
systems, which shall include--</DELETED>
<DELETED> (A) a clarification of--</DELETED>
<DELETED> (i) the acceptable use and
development of customization of standards
promulgated under section 11331 of title 40,
United States Code; and</DELETED>
<DELETED> (ii) the acceptable use of risk-
based authorization procedures authorized on
the date of enactment of this Act;
and</DELETED>
<DELETED> (B) a requirement to coordinate with
Inspectors General of agencies to ensure consistent
understanding and application of agency policies for
the purpose of Inspector General audits; and</DELETED>
<DELETED> (6) requiring, as practicable and pursuant to
section 203, an evaluation of agency cybersecurity using
metrics that are--</DELETED>
<DELETED> (A) based on outcomes; and</DELETED>
<DELETED> (B) based on time.</DELETED>
<DELETED>SEC. 105. AGENCY REQUIREMENTS TO NOTIFY ENTITIES IMPACTED BY
INCIDENTS.</DELETED>
<DELETED> Not later than 180 days after the date of enactment of
this Act, the Director shall issue guidance that requires agencies to
notify entities that are compelled to share sensitive information with
the agency of an incident that impacts--</DELETED>
<DELETED> (1) sensitive information shared with the agency
by the entity; or</DELETED>
<DELETED> (2) the systems used to transmit sensitive
information described in paragraph (1) to the agency.</DELETED>
<DELETED>TITLE II--IMPROVING FEDERAL CYBERSECURITY</DELETED>
<DELETED>SEC. 201. EVALUATION OF EFFECTIVENESS OF STANDARDS.</DELETED>
<DELETED> (a) In General.--As a component of the evaluation and
report required under section 3555(h) of title 44, United States Code,
and not later than 1 year after the date of enactment of this Act, the
Comptroller General of the United States shall perform a study that--
</DELETED>
<DELETED> (1) assesses the standards promulgated under
section 11331(b) of title 40, United States Code to determine
the degree to which agencies use the authority under section
11331(c)(1) of title 40, United States Code to customize the
standards relative to the risks facing each agency and agency
system;</DELETED>
<DELETED> (2) assesses the effectiveness of the standards
described in paragraph (1), including any standards customized
by agencies under section 11331(c)(1) of title 40, United
States Code, at improving agency cybersecurity;</DELETED>
<DELETED> (3) examines the quantification of cybersecurity
risk in the private sector for any applicability for use by the
Federal Government;</DELETED>
<DELETED> (4) examines cybersecurity metrics existing as of
the date of enactment of this Act used by the Director, the
Director of the Cybersecurity and Infrastructure Security
Agency, and the heads of other agencies to evaluate the
effectiveness of information security policies and practices;
and</DELETED>
<DELETED> (5) with respect to the standards described in
paragraph (1), provides recommendations for--</DELETED>
<DELETED> (A) the addition or removal of standards;
or</DELETED>
<DELETED> (B) the customization of--</DELETED>
<DELETED> (i) the standards by agencies
under section 11331(c)(1) of title 40, United
States Code; or</DELETED>
<DELETED> (ii) specific controls within the
standards.</DELETED>
<DELETED> (b) Incorporation of Study.--The Director shall
incorporate the results of the study performed under subsection (a)
into the review of standards required under section 11331(e) of title
40, United States Code.</DELETED>
<DELETED> (c) Briefing.--Not later than 30 days after the date on
which the study performed under subsection (a) is completed, the
Comptroller General of the United States shall provide to the
appropriate congressional committees a briefing on the study.</DELETED>
<DELETED>SEC. 202. MOBILE SECURITY STANDARDS.</DELETED>
<DELETED> (a) In General.--Not later than 1 year after the date of
enactment of this Act, the Director shall--</DELETED>
<DELETED> (1) evaluate mobile application security standards
promulgated under section 11331(b) of title 44, United States
Code; and</DELETED>
<DELETED> (2) issue guidance to implement mobile security
standards in effect on the date of enactment of this Act
promulgated under section 11331(b) of title 40, United States
Code, including for mobile applications, for every
agency.</DELETED>
<DELETED> (b) Contents.--The guidance issued under subsection (a)(2)
shall include--</DELETED>
<DELETED> (1) a requirement, pursuant to section 3506(b)(4)
of title 44, United States Code, for every agency to maintain a
continuous inventory of every--</DELETED>
<DELETED> (A) mobile device operated by or on behalf
of the agency;</DELETED>
<DELETED> (B) mobile application installed on a
mobile device described in subparagraph (A);
and</DELETED>
<DELETED> (C) vulnerability identified by the agency
associated with a mobile device or mobile application
described in subparagraphs (A) and (B); and</DELETED>
<DELETED> (2) a requirement for every agency to perform
continuous evaluation of the vulnerabilities described in
paragraph (1)(C) and other risks.</DELETED>
<DELETED> (c) Information Sharing.--The Director, in coordination
with the Director of the Cybersecurity and Infrastructure Security
Agency, shall issue guidance to agencies for sharing the inventory of
the agency required under subsection (b)(1) with the Director of the
Cybersecurity and Infrastructure Security Agency, using automation and
machine-readable data to the greatest extent practicable.</DELETED>
<DELETED> (d) Briefing.--Not later than 60 days after the date on
which the Director issues guidance under subsection (a)(2), the
Director, in coordination with the Director of the Cybersecurity and
Infrastructure Security Agency, shall provide to the appropriate
congressional committees a briefing on the guidance.</DELETED>
<DELETED>SEC. 203. QUANTITATIVE CYBERSECURITY METRICS.</DELETED>
<DELETED> (a) Establishing Time-Based Metrics.--</DELETED>
<DELETED> (1) In general.--Not later than 1 year after the
date of enactment of this Act, the Director of the
Cybersecurity and Infrastructure Security Agency shall--
</DELETED>
<DELETED> (A) update the metrics used to measure
security under section 3554 of title 44, United States
Code, including any metrics developed pursuant to
section 224(c) of the Cybersecurity Act of 2015 (6
U.S.C. 1522(c)), to include standardized metrics to
quantitatively evaluate and identify trends in agency
cybersecurity performance, including performance for
incident response; and</DELETED>
<DELETED> (B) evaluate the metrics described in
subparagraph (A).</DELETED>
<DELETED> (2) Qualities.--With respect to the updated
metrics required under paragraph (1)--</DELETED>
<DELETED> (A) not less than 2 of the metrics shall
be time-based; and</DELETED>
<DELETED> (B) the metrics may include other
measurable outcomes.</DELETED>
<DELETED> (3) Evaluation.--The evaluation required under
paragraph (1)(B) shall evaluate--</DELETED>
<DELETED> (A) the amount of time it takes for an
agency to detect an incident; and</DELETED>
<DELETED> (B) the amount of time that passes
between--</DELETED>
<DELETED> (i) the detection and remediation
of an incident; and</DELETED>
<DELETED> (ii) the remediation of an
incident and the recovery from the
incident.</DELETED>
<DELETED> (b) Implementation.--</DELETED>
<DELETED> (1) In general.--The Director, in coordination
with the Director of the Cybersecurity and Infrastructure
Security Agency, shall promulgate guidance that requires the
use of the updated metrics developed under subsection (a)(1)(A)
by every agency over a 4-year period beginning on the date on
which the metrics are developed to track trends in the incident
response capabilities of agencies.</DELETED>
<DELETED> (2) Penetration tests.--On not less than 2
occasions during the 2-year period following the date on which
guidance is promulgated under paragraph (1), not less than 3
agencies shall be subjected to substantially similar
penetration tests in order to validate the utility of the
metrics developed under subsection (a)(1)(A).</DELETED>
<DELETED> (3) Database.--The Director of the Cybersecurity
and Infrastructure Security Agency shall develop and use a
database that--</DELETED>
<DELETED> (A) stores agency metrics information;
and</DELETED>
<DELETED> (B) allows for the performance of cross-
agency comparison of agency incident response
capability trends.</DELETED>
<DELETED> (c) Updated Metrics.--</DELETED>
<DELETED> (1) In general.--The Director may issue guidance
that updates the metrics developed under subsection (a)(1)(A)
if the updated metrics--</DELETED>
<DELETED> (A) have the qualities described in
subsection (a)(2); and</DELETED>
<DELETED> (B) can be evaluated under subsection
(a)(3).</DELETED>
<DELETED> (2) Data sharing.--The guidance issued under
paragraph (1) shall require agencies to share with the Director
of the Cybersecurity and Infrastructure Security Agency data
demonstrating the performance of the agency with the updated
metrics included in that guidance against the metrics developed
under subsection (a)(1)(A).</DELETED>
<DELETED> (d) Congressional Reports.--</DELETED>
<DELETED> (1) Updated metrics.--Not later than 30 days after
the date on which the Director of the Cybersecurity and
Infrastructure Security Agency completes the evaluation required under
subsection (a)(1)(B), the Director of the Cybersecurity and
Infrastructure Security Agency shall submit to the appropriate
congressional committees a report on the updated metrics
developed under subsection (a)(1)(A).</DELETED>
<DELETED> (2) Program.--Not later than 180 days after the
date on which guidance is promulgated under subsection (b)(1),
the Director shall submit to the appropriate congressional
committees a report on the results of the use of the updated
metrics developed under subsection (a)(1)(A) by
agencies.</DELETED>
<DELETED>SEC. 204. DATA AND LOGGING RETENTION FOR INCIDENT
RESPONSE.</DELETED>
<DELETED> (a) Recommendations.--Not later than 60 days after the
date of enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency, in consultation with the Attorney
General and the National Cyber Director, shall submit to the Director
recommendations on requirements for logging events on agency systems
and retaining other relevant data within the systems and networks of an
agency.</DELETED>
<DELETED> (b) Contents.--The recommendations provided under
subsection (a) shall include--</DELETED>
<DELETED> (1) the types of logs to be maintained;</DELETED>
<DELETED> (2) the time periods to retain the logs and other
relevant data;</DELETED>
<DELETED> (3) the time periods for agencies to enable
recommended logging and security requirements;</DELETED>
<DELETED> (4) how to ensure the confidentiality, integrity,
and availability of logs;</DELETED>
<DELETED> (5) requirements to ensure that, upon request,
agencies provide logs to--</DELETED>
<DELETED> (A) the Director of the Cybersecurity and
Infrastructure Security Agency for a cybersecurity
purpose; and</DELETED>
<DELETED> (B) the Federal Bureau of Investigation to
investigate potential criminal activity; and</DELETED>
<DELETED> (6) ensuring the highest level security operations
center of each agency has visibility into all agency
logs.</DELETED>
<DELETED> (c) Guidance.--Not later than 90 days after receiving the
recommendations submitted under subsection (a), the Director, in
consultation with the Director of the Cybersecurity and Infrastructure
Security Agency and the Attorney General, shall promulgate guidance to
agencies to establish requirements for logging, log retention, log
management, and sharing of log data with other appropriate
agencies.</DELETED>
<DELETED> (d) Periodic Review.--Not later than 2 years after the
date on which the Director of the Cybersecurity and Infrastructure
Security Agency submits the recommendations required under subsection
(a), and not less frequently than every 2 years thereafter, the
Director of the Cybersecurity and Infrastructure Security Agency, in
consultation with the Attorney General, shall evaluate the
recommendations and provide an update on the recommendations to the
Director as necessary.</DELETED>
<DELETED>SEC. 205. CISA AGENCY ADVISORS.</DELETED>
<DELETED> (a) In General.--Not later than 120 days after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency shall assign not less than 1
cybersecurity professional employed by the Cybersecurity and
Infrastructure Security Agency to be the Cybersecurity and
Infrastructure Security Agency advisor to the Chief Information Officer
of each agency.</DELETED>
<DELETED> (b) Qualifications.--Each advisor assigned under
subsection (a) shall have knowledge of--</DELETED>
<DELETED> (1) cybersecurity threats facing agencies,
including any specific threats to the assigned
agency;</DELETED>
<DELETED> (2) performing risk assessments of agency systems;
and</DELETED>
<DELETED> (3) other Federal cybersecurity
initiatives.</DELETED>
<DELETED> (c) Duties.--The duties of each advisor assigned under
subsection (a) shall include--</DELETED>
<DELETED> (1) providing ongoing assistance and advice, as
requested, to the agency Chief Information Officer;</DELETED>
<DELETED> (2) serving as an incident response point of
contact between the assigned agency and the Cybersecurity and
Infrastructure Security Agency; and</DELETED>
<DELETED> (3) familiarizing themselves with agency systems,
processes, and procedures to better facilitate support to the
agency in responding to incidents.</DELETED>
<DELETED> (d) Limitation.--An advisor assigned under subsection (a)
shall not be a contractor.</DELETED>
<DELETED> (e) Multiple Assignments.--One individual advisor may be
assigned to multiple agency Chief Information Officers under subsection
(a).</DELETED>
<DELETED>SEC. 206. FEDERAL PENETRATION TESTING POLICY.</DELETED>
<DELETED> (a) In General.--Subchapter II of chapter 35 of title 44,
United States Code, is amended by adding at the end the
following:</DELETED>
<DELETED>``Sec. 3559A. Federal penetration testing</DELETED>
<DELETED> ``(a) Definitions.--In this section:</DELETED>
<DELETED> ``(1) Agency operational plan.--The term `agency
operational plan' means a plan of an agency for the use of
penetration testing.</DELETED>
<DELETED> ``(2) Rules of engagement.--The term `rules of
engagement' means a set of rules established by an agency for
the use of penetration testing.</DELETED>
<DELETED> ``(b) Guidance.--</DELETED>
<DELETED> ``(1) In general.--Not later than 180 days after
the date of enactment of this Act, the Director shall issue
guidance that--</DELETED>
<DELETED> ``(A) requires agencies to use, when and
where appropriate, penetration testing on agency
systems; and</DELETED>
<DELETED> ``(B) requires agencies to develop an
agency operational plan and rules of engagement that
meet the requirements under subsection (c).</DELETED>
<DELETED> ``(2) Penetration testing guidance.--The guidance
issued under this section shall--</DELETED>
<DELETED> ``(A) permit an agency to use, for the
purpose of performing penetration testing--</DELETED>
<DELETED> ``(i) a shared service of the
agency or another agency; or</DELETED>
<DELETED> ``(ii) an external entity, such as
a vendor;</DELETED>
<DELETED> ``(B) include templates and frameworks for
reporting the results of penetration testing, without
regard to the status of the entity that performs the
penetration testing; and</DELETED>
<DELETED> ``(C) require agencies to provide the
rules of engagement and results of penetration testing
to the Director and the Director of the Cybersecurity
and Infrastructure Security Agency, without regard to
the status of the entity that performs the penetration
testing.</DELETED>
<DELETED> ``(c) Agency Plans and Rules of Engagement.--The agency
operational plan and rules of engagement of an agency shall--</DELETED>
<DELETED> ``(1) require the agency to perform penetration
testing on the high value assets of the agency;</DELETED>
<DELETED> ``(2) establish guidelines for avoiding, as a
result of penetration testing--</DELETED>
<DELETED> ``(A) adverse impacts to the operations of
the agency;</DELETED>
<DELETED> ``(B) adverse impacts to operational
networks and systems of the agency; and</DELETED>
<DELETED> ``(C) inappropriate access to
data;</DELETED>
<DELETED> ``(3) require the results of penetration testing
to include feedback to improve the cybersecurity of the agency;
and</DELETED>
<DELETED> ``(4) include mechanisms for providing
consistently formatted, and, if applicable, automated and
machine-readable, data to the Director and the Director of the
Cybersecurity and Infrastructure Security Agency.</DELETED>
<DELETED> ``(d) Responsibilities of CISA.--The Director of the
Cybersecurity and Infrastructure Security Agency shall--</DELETED>
<DELETED> ``(1) establish a certification process for the
performance of penetration testing by both Federal and non-
Federal entities that establishes minimum quality controls for
penetration testing;</DELETED>
<DELETED> ``(2) develop operational guidance for instituting
penetration testing programs at agencies;</DELETED>
<DELETED> ``(3) develop and maintain a centralized
capability to offer penetration testing as a service to Federal
and non-Federal entities; and</DELETED>
<DELETED> ``(4) provide guidance to agencies on the best use
of penetration testing resources.</DELETED>
<DELETED> ``(e) Responsibilities of OMB.--The Director, in
coordination with the Director of the Cybersecurity and Infrastructure
Security Agency, shall--</DELETED>
<DELETED> ``(1) not less frequently than annually, inventory
all Federal penetration testing assets; and</DELETED>
<DELETED> ``(2) develop and maintain a Federal strategy for
the use of penetration testing.</DELETED>
<DELETED> ``(f) Prioritization of Penetration Testing Resources.--
</DELETED>
<DELETED> ``(1) In general.--The Director, in coordination
with the Director of the Cybersecurity and Infrastructure
Security Agency, shall develop a framework for prioritizing
Federal penetration testing resources among agencies.</DELETED>
<DELETED> ``(2) Considerations.--In developing the framework
under this subsection, the Director shall consider--</DELETED>
<DELETED> ``(A) agency system risk assessments
performed under section 3554(a)(1)(A);</DELETED>
<DELETED> ``(B) the Federal risk assessment
performed under section 3553(i);</DELETED>
<DELETED> ``(C) the analysis of Federal incident
data performed under section 3597; and</DELETED>
<DELETED> ``(D) any other information determined
appropriate by the Director or the Director of the
Cybersecurity and Infrastructure Security
Agency.''.</DELETED>
<DELETED> (b) Clerical Amendment.--The table of sections for chapter
35 of title 44, United States Code, is amended by adding after the item
relating to section 3559 the following:</DELETED>
<DELETED>``3559A. Federal penetration testing.''.
<DELETED> (c) Penetration Testing by the Secretary of Homeland
Security.--Section 3553(b) of title 44, United States Code, as amended
by section 1705 of the William M. (Mac) Thornberry National Defense
Authorization Act for Fiscal Year 2021 (Public Law 116-283) and section
101, is further amended--</DELETED>
<DELETED> (1) in paragraph (8)(B), by striking ``and'' at
the end;</DELETED>
<DELETED> (2) by redesignating paragraph (9) as paragraph
(10); and</DELETED>
<DELETED> (3) by inserting after paragraph (8) the
following:</DELETED>
<DELETED> ``(9) performing penetration testing with or
without advance notice to, or authorization from, agencies, to
identify vulnerabilities within Federal information systems;
and''.</DELETED>
<DELETED>SEC. 207. ONGOING THREAT HUNTING PROGRAM.</DELETED>
<DELETED> (a) Threat Hunting Program.--</DELETED>
<DELETED> (1) In general.--Not later than 540 days after the
date of enactment of this Act, the Director of the
Cybersecurity and Infrastructure Security Agency shall
establish a program to provide ongoing, hypothesis-driven
threat-hunting services on the network of each
agency.</DELETED>
<DELETED> (2) Plan.--Not later than 180 days after the date
of enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency shall develop a plan to
establish the program required under paragraph (1) that
describes how the Director of the Cybersecurity and
Infrastructure Security Agency plans to--</DELETED>
<DELETED> (A) determine the method for collecting,
storing, accessing, and analyzing appropriate agency
data;</DELETED>
<DELETED> (B) provide on-premises support to
agencies;</DELETED>
<DELETED> (C) staff threat hunting
services;</DELETED>
<DELETED> (D) allocate available human and financial
resources to implement the plan; and</DELETED>
<DELETED> (E) provide input to the heads of agencies
on the use of--</DELETED>
<DELETED> (i) more stringent standards under
section 11331(c)(1) of title 40, United States
Code; and</DELETED>
<DELETED> (ii) additional cybersecurity
procedures under section 3554 of title 44,
United States Code.</DELETED>
<DELETED> (b) Reports.--The Director of the Cybersecurity and
Infrastructure Security Agency shall submit to the appropriate
congressional committees--</DELETED>
<DELETED> (1) not later than 30 days after the date on which
the Director of the Cybersecurity and Infrastructure Security
Agency completes the plan required under subsection (a)(2), a
report on the plan to provide threat hunting services to
agencies;</DELETED>
<DELETED> (2) not less than 30 days before the date on which
the Director of the Cybersecurity and Infrastructure Security
Agency begins providing threat hunting services under the
program, a report providing any updates to the plan developed
under subsection (a)(2); and</DELETED>
<DELETED> (3) not later than 1 year after the date on which
the Director of the Cybersecurity and Infrastructure Security
Agency begins providing threat hunting services to agencies
other than the Cybersecurity and Infrastructure Security
Agency, a report describing lessons learned from providing
those services.</DELETED>
<DELETED>SEC. 208. CODIFYING VULNERABILITY DISCLOSURE
PROGRAMS.</DELETED>
<DELETED> (a) In General.--Chapter 35 of title 44, United States
Code, is amended by inserting after section 3559A, as added by section
206 of this Act, the following:</DELETED>
<DELETED>``Sec. 3559B. Federal vulnerability disclosure
programs</DELETED>
<DELETED> ``(a) Definitions.--In this section:</DELETED>
<DELETED> ``(1) Report.--The term `report' means a
vulnerability disclosure made to an agency by a
reporter.</DELETED>
<DELETED> ``(2) Reporter.--The term `reporter' means an
individual that submits a vulnerability report pursuant to the
vulnerability disclosure process of an agency.</DELETED>
<DELETED> ``(b) Responsibilities of OMB.--</DELETED>
<DELETED> ``(1) Limitation on legal action.--The Director,
in consultation with the Attorney General, shall issue guidance
to agencies to not recommend or pursue legal action against a
reporter or an individual that conducts a security research
activity that the head of the agency determines--</DELETED>
<DELETED> ``(A) represents a good faith effort to
follow the vulnerability disclosure policy developed
under subsection (d)(2) of the agency; and</DELETED>
<DELETED> ``(B) is authorized under the
vulnerability disclosure policy developed under
subsection (d)(2) of the agency.</DELETED>
<DELETED> ``(2) Sharing information with cisa.--The
Director, in coordination with the Director of the
Cybersecurity and Infrastructure Security Agency, shall issue
guidance to agencies on sharing relevant information in a
consistent, automated, and machine readable manner with the
Cybersecurity and Infrastructure Security Agency, including--
</DELETED>
<DELETED> ``(A) any valid or credible reports of
newly discovered or not publicly known vulnerabilities
(including misconfigurations) on an agency information
system that uses commercial software or
services;</DELETED>
<DELETED> ``(B) information relating to
vulnerability disclosure, coordination, or remediation
activities of an agency, particularly as those
activities relate to outside organizations--</DELETED>
<DELETED> ``(i) with which the head of the
agency believes the Director of the
Cybersecurity and Infrastructure Security
Agency can assist; or</DELETED>
<DELETED> ``(ii) about which the head of the
agency believes the Director of the
Cybersecurity and Infrastructure Security
Agency should know; and</DELETED>
<DELETED> ``(C) any other information with respect
to which the head of the agency determines helpful or
necessary to involve the Cybersecurity and
Infrastructure Security Agency.</DELETED>
<DELETED> ``(3) Agency vulnerability disclosure policies.--
</DELETED>
<DELETED> ``(A) In general.--The Director shall
issue guidance to agencies on the required minimum
scope of agency systems covered by the vulnerability
disclosure policy of an agency required under
subsection (d)(2).</DELETED>
<DELETED> ``(B) Deadline.--Not later than 2 years
after the date of enactment of the Federal Information
Security Modernization Act of 2021, the Director shall
update the guidance issued under subparagraph (A) to
require that every agency system that is connected to
the internet is covered by the vulnerability disclosure
policy of the agency.</DELETED>
<DELETED> ``(c) Responsibilities of CISA.--The Director of the
Cybersecurity and Infrastructure Security Agency shall--</DELETED>
<DELETED> ``(1) provide support to agencies with respect to
the implementation of the requirements of this
section;</DELETED>
<DELETED> ``(2) develop tools, processes, and other
mechanisms determined appropriate to offer agencies
capabilities to implement the requirements of this section;
and</DELETED>
<DELETED> ``(3) upon a request by an agency, assist the
agency in the disclosure to vendors of newly identified
vulnerabilities in vendor products and services.</DELETED>
<DELETED> ``(d) Responsibilities of Agencies.--</DELETED>
<DELETED> ``(1) Public information.--The head of each agency
shall make publicly available, with respect to each internet
domain under the control of the agency that is not a national
security system--</DELETED>
<DELETED> ``(A) an appropriate security contact;
and</DELETED>
<DELETED> ``(B) the component of the agency that is
responsible for the internet accessible services
offered at the domain.</DELETED>
<DELETED> ``(2) Vulnerability disclosure policy.--The head
of each agency shall develop and make publicly available a
vulnerability disclosure policy for the agency, which shall--
</DELETED>
<DELETED> ``(A) describe--</DELETED>
<DELETED> ``(i) the scope of the systems of
the agency included in the vulnerability
disclosure policy;</DELETED>
<DELETED> ``(ii) the type of information
system testing that is authorized by the
agency;</DELETED>
<DELETED> ``(iii) the type of information
system testing that is not authorized by the
agency; and</DELETED>
<DELETED> ``(iv) the disclosure policy of
the agency for sensitive information;</DELETED>
<DELETED> ``(B) include a provision that authorizes
the anonymous submission of a vulnerability by a
reporter;</DELETED>
<DELETED> ``(C) with respect to a report to an
agency, describe--</DELETED>
<DELETED> ``(i) how the reporter should
submit the report; and</DELETED>
<DELETED> ``(ii) if the report is not
anonymous under subparagraph (B), when the
reporter should anticipate an acknowledgment of
receipt of the report by the agency;
and</DELETED>
<DELETED> ``(D) include any other relevant
information.</DELETED>
<DELETED> ``(3) Identified vulnerabilities.--The head of
each agency shall incorporate any vulnerabilities reported
under paragraph (2) into the vulnerability management process
of the agency in order to track and remediate the
vulnerability.</DELETED>
<DELETED> ``(e) Paperwork Reduction Act Exemption.--The requirements
of subchapter I (commonly known as the `Paperwork Reduction Act') shall
not apply to a vulnerability disclosure program established under this
section.</DELETED>
<DELETED> ``(f) Congressional Reporting.--Not later than 90 days
after the date of enactment of the Federal Information Security
Modernization Act of 2021, and annually thereafter for a 3-year period,
the Director shall provide to the Committee on Homeland Security and
Governmental Affairs of the Senate and the Committee on Oversight and
Reform of the House of Representatives a briefing on the status of the
use of vulnerability disclosure policies under this section at
agencies, including, with respect to the guidance issued under
subsection (b)(3), an identification of the agencies that are compliant
and not compliant.''.</DELETED>
<DELETED> (b) Clerical Amendment.--The table of sections for chapter
35 of title 44, United States Code, is amended by adding after the item
relating to section 3559A the following:</DELETED>
<DELETED>``3559B. Federal vulnerability disclosure programs.''.
<DELETED>SEC. 209. IMPLEMENTING PRESUMPTION OF COMPROMISE AND ZERO
TRUST ARCHITECTURES.</DELETED>
<DELETED> (a) Recommendations.--Not later than 60 days after the
date of enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency, in consultation with the Director of
the National Institute of Standards and Technology, shall develop
recommendations to increase the internal defenses of agency systems
to--</DELETED>
<DELETED> (1) limit the ability of entities that cause
incidents to move laterally through or between agency
systems;</DELETED>
<DELETED> (2) identify incidents more quickly;</DELETED>
<DELETED> (3) isolate and remove unauthorized entities from
agency systems more quickly;</DELETED>
<DELETED> (4) implement zero trust architecture;
and</DELETED>
<DELETED> (5) otherwise increase the resource costs for
entities that cause incidents.</DELETED>
<DELETED> (b) OMB Guidance.--Not later than 180 days after the date
on which the recommendations under subsection (a) are completed, the
Director shall issue guidance to agencies that requires the
implementation of the recommendations.</DELETED>
<DELETED> (c) Agency Implementation Plans.--Not later than 60 days
after the date on which the Director issues guidance under subsection
(b), the head of each agency shall submit to the Director a plan to
implement zero trust architecture that includes--</DELETED>
<DELETED> (1) a description of any steps the agency has
completed;</DELETED>
<DELETED> (2) an identification of activities that will have
the most immediate security impact; and</DELETED>
<DELETED> (3) a schedule to implement the plan.</DELETED>
<DELETED> (d) Report and Briefing.--Not later than 90 days after the
date on which the Director issues guidance required under subsection
(b), the Director shall provide a briefing to the appropriate
congressional committees on the guidance and the agency implementation
plans submitted under subsection (c).</DELETED>
<DELETED>SEC. 210. AUTOMATION REPORTS.</DELETED>
<DELETED> (a) OMB Report.--Not later than 180 days after the date of
enactment of this Act, the Director shall submit to the appropriate
congressional committees a report on the use of automation under
paragraphs (1), (5)(C) and (7)(B) of section 3554(b) of title 44,
United States Code.</DELETED>
<DELETED> (b) GAO Report.--Not later than 1 year after the date of
enactment of this Act, the Comptroller General of the United States
shall perform a study on the use of automation and machine readable
data across the Federal Government for cybersecurity purposes,
including the automated updating of cybersecurity tools, sensors, or
processes by agencies.</DELETED>
<DELETED>SEC. 211. EXTENSION OF FEDERAL ACQUISITION SECURITY
COUNCIL.</DELETED>
<DELETED> Section 1328 of title 41, United States Code, is amended
by striking ``the date'' and all that follows and inserting ``December
31, 2026.''.</DELETED>
<DELETED>TITLE III--PILOT PROGRAMS TO ENHANCE FEDERAL
CYBERSECURITY</DELETED>
<DELETED>SEC. 301. CONTINUOUS INDEPENDENT FISMA EVALUATION
PILOT.</DELETED>
<DELETED> (a) In General.--Not later than 2 years after the date of
enactment of this Act, the Director, in coordination with the Director
of the Cybersecurity and Infrastructure Security Agency, shall
establish a pilot program to perform continual agency auditing of the
standards promulgated under section 11331 of title 40, United States
Code.</DELETED>
<DELETED> (b) Purpose.--</DELETED>
<DELETED> (1) In general.--The purpose of the pilot program
established under subsection (a) shall be to develop the
capability to continuously audit agency cybersecurity postures,
rather than performing an annual audit.</DELETED>
<DELETED> (2) Use of information.--It is the sense of
Congress that information relating to agency cybersecurity
postures should be used, on an ongoing basis, to increase
agency understanding of cybersecurity risk and improve agency
cybersecurity.</DELETED>
<DELETED> (c) Participating Agencies.--</DELETED>
<DELETED> (1) In general.--The Director, in coordination
with the Council of the Inspectors General on Integrity and
Efficiency and in consultation with the Director of the
Cybersecurity and Infrastructure Security Agency, shall
identify not less than 1 agency and the Inspector General of
each identified agency to participate in the pilot program
established under subsection (a).</DELETED>
<DELETED> (2) Capabilities of agency.--An agency selected
under paragraph (1) shall have advanced cybersecurity
capabilities, including the capability to implement
verification specifications and other automated and machine-
readable means of sharing information.</DELETED>
<DELETED> (3) Capabilities of inspector general.--The
Inspector General of an agency selected under paragraph (1)
shall have advanced cybersecurity capabilities, including the
ability--</DELETED>
<DELETED> (A) to perform real-time or almost real-
time and continuous analysis of the use of verification
specifications by the agency to assess compliance with
standards promulgated under section 11331 of title 40,
United States Code; and</DELETED>
<DELETED> (B) to assess the impact and deployment of
additional cybersecurity procedures.</DELETED>
<DELETED> (d) Duties.--The Director, in coordination with the
Council of the Inspectors General on Integrity and Efficiency, the
Director of the Cybersecurity and Infrastructure Security Agency, and
the head of each agency participating in the pilot program under
subsection (c), shall develop processes and procedures to perform a
continuous independent evaluation of--</DELETED>
<DELETED> (1) the compliance of the agency with--</DELETED>
<DELETED> (A) the standards promulgated under
section 11331 of title 40, United States Code, using
verification specifications to the greatest extent
practicable; and</DELETED>
<DELETED> (B) any additional cybersecurity
procedures implemented by the agency as a result of the
evaluation performed under section 3554(a)(1)(F) of
title 44, United States Code; and</DELETED>
<DELETED> (2) the overall cybersecurity posture of the
agency, which may include an evaluation of--</DELETED>
<DELETED> (A) the status of cybersecurity remedial
actions of the agency;</DELETED>
<DELETED> (B) any vulnerability information relating
to agency systems that is known to the
agency;</DELETED>
<DELETED> (C) incident information of the
agency;</DELETED>
<DELETED> (D) penetration testing performed by an
external entity under section 3559A of title 44, United
States Code;</DELETED>
<DELETED> (E) information from the vulnerability
disclosure program information established under
section 3559B of title 44, United States
Code;</DELETED>
<DELETED> (F) agency threat hunting results;
and</DELETED>
<DELETED> (G) any other information determined
relevant by the Director.</DELETED>
<DELETED> (e) Independent Evaluation Waiver.--With respect to an
agency that participates in the pilot program under subsection (a)
during any year other than the first year during which the pilot
program is conducted, the Director, with the concurrence of the
Director of the Cybersecurity and Infrastructure Security Agency, may
waive any requirement of the agency with respect to the annual
independent evaluation under section 3555 of title 44, United States
Code.</DELETED>
<DELETED> (f) Duration.--The pilot program established under this
section--</DELETED>
<DELETED> (1) shall be performed over a period of not less
than 2 years at each agency that participates in the pilot
program under subsection (c), unless the Director, in
consultation with the Director of the Cybersecurity and
Infrastructure Security Agency and the Council of the
Inspectors General on Integrity and Efficiency, determines that
continuing the pilot program would reduce the cybersecurity of
the agency; and</DELETED>
<DELETED> (2) may be extended by the Director, in
consultation with the Director of the Cybersecurity and
Infrastructure Security Agency and the Council of the
Inspectors General on Integrity and Efficiency, if the Director
makes the determination described in paragraph (1).</DELETED>
<DELETED> (g) Reports.--</DELETED>
<DELETED> (1) Pilot program plan.--Before identifying any
agencies to participate in the pilot program under subsection
(c), the Director, in coordination with the Director of the
Cybersecurity and Infrastructure Security Agency and the
Council of the Inspectors General on Integrity and Efficiency,
shall submit to the appropriate congressional committees a plan
for the pilot program that outlines selection criteria and
preliminary plans to implement the pilot program.</DELETED>
<DELETED> (2) Briefing.--Before commencing a continuous
independent evaluation of any agency under the pilot program
established under subsection (a), the Director shall provide to
the appropriate congressional committees a briefing on--</DELETED>
<DELETED> (A) the selection of agencies to
participate in the pilot program; and</DELETED>
<DELETED> (B) processes and procedures to perform a
continuous independent evaluation of
agencies.</DELETED>
<DELETED> (3) Pilot results.--Not later than 60 days after
the final day of each year during which an agency participates
in the pilot program established under subsection (a), the
Director, in coordination with the Director of the
Cybersecurity and Infrastructure Security Agency and the
Council of the Inspectors General on Integrity and Efficiency,
shall submit to the appropriate congressional committees a
report on the results of the pilot program for each agency that
participates in the pilot program during that year.</DELETED>
<DELETED>SEC. 302. ACTIVE CYBER DEFENSIVE PILOT.</DELETED>
<DELETED> (a) Definition.--In this section, the term ``active
defense technique''--</DELETED>
<DELETED> (1) means an action taken on the systems of an
entity to increase the security of information on the network
of an agency by misleading an adversary; and</DELETED>
<DELETED> (2) includes a honeypot, deception, or
purposefully feeding false or misleading data to an adversary
when the adversary is on the systems of the entity.</DELETED>
<DELETED> (b) Study.--Not later than 180 days after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency shall perform a study on the use of
active defense techniques to enhance the security of agencies, which
shall include--</DELETED>
<DELETED> (1) a review of legal restrictions on the use of
different active cyber defense techniques on Federal
networks;</DELETED>
<DELETED> (2) an evaluation of--</DELETED>
<DELETED> (A) the efficacy of a selection of active
defense techniques determined by the Director of the
Cybersecurity and Infrastructure Security Agency;
and</DELETED>
<DELETED> (B) factors that impact the efficacy of
the active defense techniques evaluated under
subparagraph (A); and</DELETED>
<DELETED> (3) the development of a framework for the use of
different active defense techniques by agencies.</DELETED>
<DELETED> (c) Pilot Program.--Not later than 180 days after the date
of enactment of this Act, the Director, in coordination with the
Director of the Cybersecurity and Infrastructure Security Agency, shall
establish a pilot program at not less than 2 agencies to implement, and
assess the effectiveness of, not less than 1 active cyber defense
technique.</DELETED>
<DELETED> (d) Purpose.--The purpose of the pilot program established
under subsection (c) shall be to--</DELETED>
<DELETED> (1) identify any statutory or policy limitations
on using active defense techniques;</DELETED>
<DELETED> (2) understand the efficacy of using active
defense techniques; and</DELETED>
<DELETED> (3) implement the use of effective techniques to
improve agency systems.</DELETED>
<DELETED> (e) Plan.--Not later than 360 days after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency, in coordination with the Director,
shall develop a plan to offer any active defense technique determined
to be successful during the pilot program established under subsection
(c) as a shared service to other agencies.</DELETED>
<DELETED> (f) Reports.--Not later than 1 year after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency shall--</DELETED>
<DELETED> (1) provide to the appropriate congressional
committees a briefing on--</DELETED>
<DELETED> (A) the results of the study performed
under subsection (b); and</DELETED>
<DELETED> (B) the agencies selected to participate
in the pilot program established under subsection
(c);</DELETED>
<DELETED> (2) submit to the appropriate congressional
committees a report on the results of the pilot program
established under subsection (c), including any recommendations
developed from the results of the pilot program; and</DELETED>
<DELETED> (3) submit to the appropriate congressional
committees a copy of the plan developed under subsection
(e).</DELETED>
<DELETED> (g) Sunset.--</DELETED>
<DELETED> (1) In general.--The requirements of this section
shall terminate on the date that is 3 years after the date of
enactment of this Act.</DELETED>
<DELETED> (2) Authority to continue use of techniques.--
Notwithstanding paragraph (1), after the date described in
paragraph (1), the Director of the Cybersecurity and
Infrastructure Security Agency may continue to offer any active
defense technique determined to be successful during the pilot
program established under subsection (c) as a shared service to
agencies.</DELETED>
<DELETED>SEC. 303. SECURITY OPERATIONS CENTER AS A SERVICE
PILOT.</DELETED>
<DELETED> (a) Purpose.--The purpose of this section is for the
Cybersecurity and Infrastructure Security Agency to run a security
operation center on behalf of another agency, alleviating the need to
duplicate this function at every agency, and empowering a greater
centralized cybersecurity capability.</DELETED>
<DELETED> (b) Plan.--Not later than 1 year after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency shall develop a plan to establish a
centralized Federal security operations center shared service offering
within the Cybersecurity and Infrastructure Security Agency.</DELETED>
<DELETED> (c) Contents.--The plan required under subsection (b)
shall include considerations for--</DELETED>
<DELETED> (1) collecting, organizing, and analyzing agency
information system data in real time;</DELETED>
<DELETED> (2) staffing and resources; and</DELETED>
<DELETED> (3) appropriate interagency agreements, concepts
of operations, and governance plans.</DELETED>
<DELETED> (d) Pilot Program.--</DELETED>
<DELETED> (1) In general.--Not later than 180 days after the
date on which the plan required under subsection (b) is
developed, the Director of the Cybersecurity and Infrastructure
Security Agency, in consultation with the Director, shall enter
into a 1-year agreement with not less than 2 agencies to offer
a security operations center as a shared service.</DELETED>
<DELETED> (2) Additional agreements.--After the date on
which the briefing required under subsection (e)(1) is
provided, the Director of the Cybersecurity and Infrastructure
Security Agency, in consultation with the Director, may enter
into additional 1-year agreements described in paragraph (1)
with agencies.</DELETED>
<DELETED> (e) Briefing and Report.--</DELETED>
<DELETED> (1) Briefing.--Not later than 260 days after the
date of enactment of this Act, the Director of the
Cybersecurity and Infrastructure Security Agency shall provide
to the Committee on Homeland Security and Governmental Affairs
of the Senate and the Committee on Homeland Security and the
Committee on Oversight and Reform of the House of
Representatives a briefing on the parameters of any 1-year
agreements entered into under subsection (d)(1).</DELETED>
<DELETED> (2) Report.--Not later than 90 days after the date
on which the first 1-year agreement entered into under
subsection (d) expires, the Director of the Cybersecurity and
Infrastructure Security Agency shall submit to the Committee on
Homeland Security and Governmental Affairs of the Senate and
the Committee on Homeland Security and the Committee on
Oversight and Reform of the House of Representatives a report
on--</DELETED>
<DELETED> (A) the agreement; and</DELETED>
<DELETED> (B) any additional agreements entered into
with agencies under subsection (d).</DELETED>
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Federal Information Security
Modernization Act of 2021''.
SEC. 2. TABLE OF CONTENTS.
The table of contents for this Act is as follows:
Sec. 1. Short title.
Sec. 2. Table of contents.
Sec. 3. Definitions.
TITLE I--UPDATES TO FISMA
Sec. 101. Title 44 amendments.
Sec. 102. Amendments to subtitle III of title 40.
Sec. 103. Actions to enhance Federal incident response.
Sec. 104. Additional guidance to agencies on FISMA updates.
Sec. 105. Agency requirements to notify private sector entities
impacted by incidents.
TITLE II--IMPROVING FEDERAL CYBERSECURITY
Sec. 201. Mobile security standards.
Sec. 202. Data and logging retention for incident response.
Sec. 203. CISA agency advisors.
Sec. 204. Federal penetration testing policy.
Sec. 205. Ongoing threat hunting program.
Sec. 206. Codifying vulnerability disclosure programs.
Sec. 207. Implementing presumption of compromise and least privilege
principles.
Sec. 208. Automation reports.
Sec. 209. Extension of Federal acquisition security council.
Sec. 210. Council of the Inspectors General on Integrity and Efficiency
dashboard.
TITLE III--RISK-BASED BUDGET MODEL
Sec. 301. Definitions.
Sec. 302. Establishment of risk-based budget model.
TITLE IV--PILOT PROGRAMS TO ENHANCE FEDERAL CYBERSECURITY
Sec. 401. Active cyber defensive study.
Sec. 402. Security operations center as a service pilot.
SEC. 3. DEFINITIONS.
In this Act, unless otherwise specified:
(1) Additional cybersecurity procedure.--The term
``additional cybersecurity procedure'' has the meaning given
the term in section 3552(b) of title 44, United States Code, as
amended by this Act.
(2) Agency.--The term ``agency'' has the meaning given the
term in section 3502 of title 44, United States Code.
(3) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Committee on Homeland Security and
Governmental Affairs of the Senate;
(B) the Committee on Oversight and Reform of the
House of Representatives; and
(C) the Committee on Homeland Security of the House
of Representatives.
(4) Director.--The term ``Director'' means the Director of
the Office of Management and Budget.
(5) Incident.--The term ``incident'' has the meaning given
the term in section 3552(b) of title 44, United States Code.
(6) National security system.--The term ``national security
system'' has the meaning given the term in section 3552(b) of
title 44, United States Code.
(7) Penetration test.--The term ``penetration test'' has
the meaning given the term in section 3552(b) of title 44,
United States Code, as amended by this Act.
(8) Threat hunting.--The term ``threat hunting'' means
proactively and iteratively searching for threats to systems
that evade detection by automated threat detection systems.
TITLE I--UPDATES TO FISMA
SEC. 101. TITLE 44 AMENDMENTS.
(a) Subchapter I Amendments.--Subchapter I of chapter 35 of title
44, United States Code, is amended--
(1) in section 3504--
(A) in subsection (a)(1)(B)--
(i) by striking clause (v) and inserting
the following:
``(v) confidentiality, disclosure, and sharing of
information;'';
(ii) by redesignating clause (vi) as clause
(vii); and
(iii) by inserting after clause (v) the
following:
``(vi) in consultation with the National Cyber
Director and the Director of the Cybersecurity and
Infrastructure Security Agency, security of
information; and'';
(B) in subsection (g), by striking paragraph (1)
and inserting the following:
``(1) with respect to information collected or maintained
by or for agencies--
``(A) develop and oversee the implementation of
policies, principles, standards, and guidelines on
privacy, confidentiality, disclosure, and sharing of
the information; and
``(B) in consultation with the National Cyber
Director and the Director of the Cybersecurity and
Infrastructure Security Agency, develop and oversee
policies, principles, standards, and guidelines on
security of the information; and''; and
(C) in subsection (h)(1)--
(i) in the matter preceding subparagraph
(A)--
(I) by inserting ``the Director of
the Cybersecurity and Infrastructure
Security Agency and the National Cyber
Director,'' before ``the Director'';
and
(II) by inserting a comma before
``and the Administrator''; and
(ii) in subparagraph (A), by inserting
``security and'' after ``information
technology'';
(2) in section 3505--
(A) in paragraph (3) of the first subsection
designated as subsection (c)--
(i) in subparagraph (B)--
(I) by inserting ``the Director of
the Cybersecurity and Infrastructure
Security Agency, the National Cyber
Director, and'' before ``the
Comptroller General''; and
(II) by striking ``and'' at the
end;
(ii) in subparagraph (C)(v), by striking
the period at the end and inserting ``; and'';
and
(iii) by adding at the end the following:
``(D) maintained on a continual basis through the use of
automation, machine-readable data, and scanning.''; and
(B) by striking the second subsection designated as
subsection (c);
(3) in section 3506--
(A) in subsection (b)(1)(C), by inserting ``,
availability'' after ``integrity''; and
(B) in subsection (h)(3), by inserting
``security,'' after ``efficiency,''; and
(4) in section 3513--
(A) by redesignating subsection (c) as subsection
(d); and
(B) by inserting after subsection (b) the
following:
``(c) Each agency providing a written plan under subsection (b)
shall provide any portion of the written plan addressing information
security or cybersecurity to the Director of the Cybersecurity and
Infrastructure Security Agency.''.
(b) Subchapter II Definitions.--
(1) In general.--Section 3552(b) of title 44, United States
Code, is amended--
(A) by redesignating paragraphs (1), (2), (3), (4),
(5), (6), and (7) as paragraphs (2), (3), (4), (5),
(6), (9), and (11), respectively;
(B) by inserting before paragraph (2), as so
redesignated, the following:
``(1) The term `additional cybersecurity procedure' means a
process, procedure, or other activity that is established in
excess of the information security standards promulgated under
section 11331(b) of title 40 to increase the security and
reduce the cybersecurity risk of agency systems.'';
(C) by inserting after paragraph (6), as so
redesignated, the following:
``(7) The term `high value asset' means information or an
information system that the head of an agency determines so
critical to the agency that the loss or corruption of the
information or the loss of access to the information system
would have a serious impact on the ability of the agency to
perform the mission of the agency or conduct business.
``(8) The term `major incident' has the meaning given the
term in guidance issued by the Director under section
3598(a).'';
(D) by inserting after paragraph (9), as so
redesignated, the following:
``(10) The term `penetration test' means a specialized type
of assessment that--
``(A) is conducted on an information system or a
component of an information system; and
``(B) emulates an attack or other exploitation
capability of a potential adversary, typically under
specific constraints, in order to identify any
vulnerabilities of an information system or a component
of an information system that could be exploited.'';
and
(E) by inserting after paragraph (11), as so
redesignated, the following:
``(12) The term `shared service' means a centralized
business or mission capability that is provided to multiple
organizations within an agency or to multiple agencies.''.
(2) Conforming amendments.--
(A) Homeland security act of 2002.--Section
1001(c)(1)(A) of the Homeland Security Act of 2002 (6
U.S.C. 511(1)(A)) is amended by striking ``section
3552(b)(5)'' and inserting ``section 3552(b)''.
(B) Title 10.--
(i) Section 2222.--Section 2222(i)(8) of
title 10, United States Code, is amended by
striking ``section 3552(b)(6)(A)'' and
inserting ``section 3552(b)(9)(A)''.
(ii) Section 2223.--Section 2223(c)(3) of
title 10, United States Code, is amended by
striking ``section 3552(b)(6)'' and inserting
``section 3552(b)''.
(iii) Section 2315.--Section 2315 of title
10, United States Code, is amended by striking
``section 3552(b)(6)'' and inserting ``section
3552(b)''.
(iv) Section 2339a.--Section 2339a(e)(5) of
title 10, United States Code, is amended by
striking ``section 3552(b)(6)'' and inserting
``section 3552(b)''.
(C) High-performance computing act of 1991.--
Section 207(a) of the High-Performance Computing Act of
1991 (15 U.S.C. 5527(a)) is amended by striking
``section 3552(b)(6)(A)(i)'' and inserting ``section
3552(b)(9)(A)(i)''.
(D) Internet of things cybersecurity improvement
act of 2020.--Section 3(5) of the Internet of Things
Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-
3a) is amended by striking ``section 3552(b)(6)'' and
inserting ``section 3552(b)''.
(E) National defense authorization act for fiscal
year 2013.--Section 933(e)(1)(B) of the National
Defense Authorization Act for Fiscal Year 2013 (10
U.S.C. 2224 note) is amended by striking ``section
3542(b)(2)'' and inserting ``section 3552(b)''.
(F) Ike skelton national defense authorization act
for fiscal year 2011.--The Ike Skelton National Defense
Authorization Act for Fiscal Year 2011 (Public Law 111-
383) is amended--
(i) in section 806(e)(5) (10 U.S.C. 2304
note), by striking ``section 3542(b)'' and
inserting ``section 3552(b)'';
(ii) in section 931(b)(3) (10 U.S.C. 2223
note), by striking ``section 3542(b)(2)'' and
inserting ``section 3552(b)''; and
(iii) in section 932(b)(2) (10 U.S.C. 2224
note), by striking ``section 3542(b)(2)'' and
inserting ``section 3552(b)''.
(G) E-government act of 2002.--Section 301(c)(1)(A)
of the E-Government Act of 2002 (44 U.S.C. 3501 note)
is amended by striking ``section 3542(b)(2)'' and
inserting ``section 3552(b)''.
(H) National institute of standards and technology
act.--Section 20 of the National Institute of Standards
and Technology Act (15 U.S.C. 278g-3) is amended--
(i) in subsection (a)(2), by striking
``section 3552(b)(5)'' and inserting ``section
3552(b)''; and
(ii) in subsection (f)--
(I) in paragraph (3), by striking
``section 3532(1)'' and inserting
``section 3552(b)''; and
(II) in paragraph (5), by striking
``section 3532(b)(2)'' and inserting
``section 3552(b)''.
(c) Subchapter II Amendments.--Subchapter II of chapter 35 of title
44, United States Code, is amended--
(1) in section 3551--
(A) by redesignating paragraphs (3), (4), (5), and
(6) as paragraphs (4), (5), (6), and (7), respectively;
(B) by inserting after paragraph (2) the following:
``(3) recognize the role of the Cybersecurity and
Infrastructure Security Agency as the lead entity for
operational cybersecurity coordination across the Federal
Government;'';
(C) in paragraph (5), as so redesignated, by
striking ``diagnose and improve'' and inserting
``integrate, deliver, diagnose, and improve'';
(D) in paragraph (6), as so redesignated, by
striking ``and'' at the end;
(E) in paragraph (7), as so redesignated, by
striking the period at the end and inserting a
semicolon; and
(F) by adding at the end the following:
``(8) recognize that each agency has specific mission
requirements and, at times, unique cybersecurity requirements
to meet the mission of the agency;
``(9) recognize that each agency does not have the same
resources to secure agency systems, and an agency should not be
expected to have the capability to secure the systems of the
agency from advanced adversaries alone; and
``(10) recognize that--
``(A) a holistic Federal cybersecurity model is
necessary to account for differences between the
missions and capabilities of agencies; and
``(B) in accounting for the differences described
in subparagraph (A) and ensuring overall Federal
cybersecurity--
``(i) the Office of Management and Budget
is the leader for policy development and
oversight of Federal cybersecurity;
``(ii) the Cybersecurity and Infrastructure
Security Agency is the leader for implementing
operations at agencies; and
``(iii) the National Cyber Director is
responsible for developing the overall
cybersecurity strategy of the United States and
advising the President on matters relating to
cybersecurity.'';
(2) in section 3553--
(A) by striking the section heading and inserting
``Authority and functions of the Director and the
Director of the Cybersecurity and Infrastructure
Security Agency'';
(B) in subsection (a)--
(i) in paragraph (1), by inserting ``in
coordination with the Director of the
Cybersecurity and Infrastructure Security
Agency and the National Cyber Director,''
before ``developing and overseeing'';
(ii) in paragraph (5)--
(I) by inserting ``, in
consultation with the Director of the
Cybersecurity and Infrastructure
Security Agency and the National Cyber
Director,'' before ``agency
compliance''; and
(II) by striking ``and'' at the
end; and
(iii) by adding at the end the following:
``(8) promoting, in consultation with the Director of the
Cybersecurity and Infrastructure Security Agency and the
Director of the National Institute of Standards and
Technology--
``(A) the use of automation to improve Federal
cybersecurity and visibility with respect to the
implementation of Federal cybersecurity; and
``(B) the use of presumption of compromise and
least privilege principles to improve resiliency and
timely response actions to incidents on Federal
systems.'';
(C) in subsection (b)--
(i) by striking the subsection heading and
inserting ``Cybersecurity and Infrastructure
Security Agency'';
(ii) in the matter preceding paragraph (1),
by striking ``The Secretary, in consultation
with the Director'' and inserting ``The
Director of the Cybersecurity and
Infrastructure Security Agency, in consultation
with the Director and the National Cyber
Director'';
(iii) in paragraph (2)--
(I) in subparagraph (A), by
inserting ``and reporting requirements
under subchapter IV of this title''
after ``section 3556''; and
(II) in subparagraph (D), by
striking ``the Director or Secretary''
and inserting ``the Director of the
Cybersecurity and Infrastructure
Security Agency'';
(iv) in paragraph (5), by striking
``coordinating'' and inserting ``leading the
coordination of'';
(v) in paragraph (8), by striking ``the
Secretary's discretion'' and inserting ``the
Director of the Cybersecurity and
Infrastructure Security Agency's discretion'';
and
(vi) in paragraph (9), by striking ``as the
Director or the Secretary, in consultation with
the Director,'' and inserting ``as the Director
of the Cybersecurity and Infrastructure
Security Agency'';
(D) in subsection (c)--
(i) in the matter preceding paragraph (1),
by striking ``each year'' and inserting ``each
year during which agencies are required to
submit reports under section 3554(c)'';
(ii) by striking paragraph (1);
(iii) by redesignating paragraphs (2), (3),
and (4) as paragraphs (1), (2), and (3),
respectively;
(iv) in paragraph (3), as so redesignated,
by striking ``and'' at the end;
(v) by inserting after paragraph (3), as so
redesignated, the following:
``(4) a summary of each assessment of Federal risk posture
performed under subsection (i);''; and
(vi) in paragraph (5), by striking the
period at the end and inserting ``; and'';
(E) by redesignating subsections (i), (j), (k), and
(l) as subsections (j), (k), (l), and (m) respectively;
(F) by inserting after subsection (h) the
following:
``(i) Federal Risk Assessments.--On an ongoing and continuous
basis, the Director of the Cybersecurity and Infrastructure Security
Agency shall perform assessments of Federal risk posture using any
available information on the cybersecurity posture of agencies, and
brief the Director and National Cyber Director on the findings of those
assessments including--
``(1) the status of agency cybersecurity remedial actions
described in section 3554(b)(7);
``(2) any vulnerability information relating to the systems
of an agency that is known by the agency;
``(3) analysis of incident information under section 3597;
``(4) evaluation of penetration testing performed under
section 3559A;
``(5) evaluation of vulnerability disclosure program
information under section 3559B;
``(6) evaluation of agency threat hunting results;
``(7) evaluation of Federal and non-Federal threat
intelligence;
``(8) data on agency compliance with standards issued under
section 11331 of title 40;
``(9) agency system risk assessments performed under
section 3554(a)(1)(A); and
``(10) any other information the Director of the
Cybersecurity and Infrastructure Security Agency determines
relevant.''; and
(G) in subsection (j), as so redesignated--
(i) by striking ``regarding the specific''
and inserting ``that includes a summary of--
``(1) the specific'';
(ii) in paragraph (1), as so designated, by
striking the period at the end and inserting
``; and''; and
(iii) by adding at the end the following:
``(2) the trends identified in the Federal risk assessment
performed under subsection (i).''; and
(H) by adding at the end the following:
``(n) Binding Operational Directives.--If the Director of the
Cybersecurity and Infrastructure Security Agency issues a binding
operational directive or an emergency directive under this section, not
later than 2 days after the date on which the binding operational
directive requires an agency to take an action, the Director of the
Cybersecurity and Infrastructure Security Agency shall provide to the
appropriate reporting entities the status of the implementation of the
binding operational directive at the agency.'';
(3) in section 3554--
(A) in subsection (a)--
(i) in paragraph (1)--
(I) by redesignating subparagraphs
(A), (B), and (C) as subparagraphs (B),
(C), and (D), respectively;
(II) by inserting before
subparagraph (B), as so redesignated,
the following:
``(A) on an ongoing and continuous basis,
performing agency system risk assessments that--
``(i) identify and document the high value
assets of the agency using guidance from the
Director;
``(ii) evaluate the data assets inventoried
under section 3511 for sensitivity to
compromises in confidentiality, integrity, and
availability;
``(iii) identify agency systems that have
access to or hold the data assets inventoried
under section 3511;
``(iv) evaluate the threats facing agency
systems and data, including high value assets,
based on Federal and non-Federal cyber threat
intelligence products, where available;
``(v) evaluate the vulnerability of agency
systems and data, including high value assets,
including by analyzing--
``(I) the results of penetration
testing performed by the Department of
Homeland Security under section
3553(b)(9);
``(II) the results of penetration
testing performed under section 3559A;
``(III) information provided to the
agency through the vulnerability
disclosure program of the agency under
section 3559B;
``(IV) incidents; and
``(V) any other vulnerability
information relating to agency systems
that is known to the agency;
``(vi) assess the impacts of potential
agency incidents to agency systems, data, and
operations based on the evaluations described
in clauses (ii) and (iv) and the agency systems
identified under clause (iii); and
``(vii) assess the consequences of
potential incidents occurring on agency systems
that would impact systems at other agencies,
including due to interconnectivity between
different agency systems or operational
reliance on the operations of the system or
data in the system;'';
(III) in subparagraph (B), as so
redesignated, in the matter preceding
clause (i), by striking ``providing
information'' and inserting ``using
information from the assessment
conducted under subparagraph (A),
providing, in coordination with the
Director of the Cybersecurity and
Infrastructure Security Agency,
information'';
(IV) in subparagraph (C), as so
redesignated--
(aa) in clause (ii) by
inserting ``binding'' before
``operational''; and
(bb) in clause (vi), by
striking ``and'' at the end;
and
(V) by adding at the end the
following:
``(E) providing an update on the ongoing and
continuous assessment performed under subparagraph
(A)--
``(i) upon request, to the inspector
general of the agency or the Comptroller
General of the United States; and
``(ii) on a periodic basis, as determined
by guidance issued by the Director but not less
frequently than annually, to--
``(I) the Director;
``(II) the Director of the
Cybersecurity and Infrastructure
Security Agency; and
``(III) the National Cyber
Director;
``(F) in consultation with the Director of the
Cybersecurity and Infrastructure Security Agency and
not less frequently than once every 3 years, performing
an evaluation of whether additional cybersecurity
procedures are appropriate for securing a system of, or
under the supervision of, the agency, which shall--
``(i) be completed considering the agency
system risk assessment performed under
subparagraph (A); and
``(ii) include a specific evaluation for
high value assets;
``(G) not later than 30 days after completing the
evaluation performed under subparagraph (F), providing
the evaluation and an implementation plan, if
applicable, for using additional cybersecurity
procedures determined to be appropriate to--
``(i) the Director of the Cybersecurity and
Infrastructure Security Agency;
``(ii) the Director; and
``(iii) the National Cyber Director; and
``(H) if the head of the agency determines there is
need for additional cybersecurity procedures, ensuring
that those additional cybersecurity procedures are
reflected in the budget request of the agency in
accordance with the risk-based cyber budget model
developed pursuant to section 3553(a)(7);'';
(ii) in paragraph (2)--
(I) in subparagraph (A), by
inserting ``in accordance with the
agency system risk assessment performed
under paragraph (1)(A)'' after
``information systems'';
(II) in subparagraph (B)--
(aa) by striking ``in
accordance with standards'' and
inserting ``in accordance
with--
``(i) standards''; and
(bb) by adding at the end
the following:
``(ii) the evaluation performed under
paragraph (1)(F); and
``(iii) the implementation plan described
in paragraph (1)(G);''; and
(III) in subparagraph (D), by
inserting ``, through the use of
penetration testing, the vulnerability
disclosure program established under
section 3559B, and other means,'' after
``periodically'';
(iii) in paragraph (3)--
(I) in subparagraph (A)--
(aa) in clause (iii), by
striking ``and'' at the end;
(bb) in clause (iv), by
adding ``and'' at the end; and
(cc) by adding at the end
the following:
``(v) ensure that--
``(I) senior agency information
security officers of component agencies
carry out responsibilities under this
subchapter, as directed by the senior
agency information security officer of
the agency or an equivalent official;
and
``(II) senior agency information
security officers of component agencies
report to--
``(aa) the senior
information security officer of
the agency or an equivalent
official; and
``(bb) the Chief
Information Officer of the
component agency or an
equivalent official;''; and
(iv) in paragraph (5), by inserting ``and
the Director of the Cybersecurity and
Infrastructure Security Agency'' before ``on
the effectiveness'';
(B) in subsection (b)--
(i) by striking paragraph (1) and inserting
the following:
``(1) pursuant to subsection (a)(1)(A), performing ongoing
and continuous agency system risk assessments, which may
include using guidelines and automated tools consistent with
standards and guidelines promulgated under section 11331 of
title 40, as applicable;'';
(ii) in paragraph (2)--
(I) by striking subparagraph (B)
and inserting the following:
``(B) comply with the risk-based cyber budget model
developed pursuant to section 3553(a)(7);''; and
(II) in subparagraph (D)--
(aa) by redesignating
clauses (iii) and (iv) as
clauses (iv) and (v),
respectively;
(bb) by inserting after
clause (ii) the following:
``(iii) binding operational directives and
emergency directives promulgated by the
Director of the Cybersecurity and
Infrastructure Security Agency under section
3553;''; and
(cc) in clause (iv), as so
redesignated, by striking ``as
determined by the agency; and''
and inserting ``as determined
by the agency, considering--
``(I) the agency risk assessment
performed under subsection (a)(1)(A);
and
``(II) the determinations of
applying more stringent standards and
additional cybersecurity procedures
pursuant to section 11331(c)(1) of
title 40; and'';
(iii) in paragraph (5)(A), by inserting ``,
including penetration testing, as
appropriate,'' after ``shall include testing'';
(iv) in paragraph (6), by striking
``planning, implementing, evaluating, and
documenting'' and inserting ``planning and
implementing and, in consultation with the
Director of the Cybersecurity and
Infrastructure Security Agency, evaluating and
documenting'';
(v) by redesignating paragraphs (7) and (8)
as paragraphs (8) and (9), respectively;
(vi) by inserting after paragraph (6) the
following:
``(7) a process for providing the status of every remedial
action and known system vulnerability to the Director and the
Director of the Cybersecurity and Infrastructure Security
Agency, using automation and machine-readable data to the
greatest extent practicable;''; and
(vii) in paragraph (8)(C), as so
redesignated--
(I) by striking clause (ii) and
inserting the following:
``(ii) notifying and consulting with the
Federal information security incident center
established under section 3556 pursuant to the
requirements of section 3594;'';
(II) by redesignating clause (iii)
as clause (iv);
(III) by inserting after clause
(ii) the following:
``(iii) performing the notifications and
other activities required under subchapter IV
of this title; and''; and
(IV) in clause (iv), as so
redesignated--
(aa) in subclause (I), by
striking ``and relevant offices
of inspectors general'';
(bb) in subclause (II), by
adding ``and'' at the end;
(cc) by striking subclause
(III); and
(dd) by redesignating
subclause (IV) as subclause
(III);
(C) in subsection (c)--
(i) by redesignating paragraph (2) as
paragraph (5);
(ii) by striking paragraph (1) and
inserting the following:
``(1) Biannual report.--Not later than 2 years after the
date of enactment of the Federal Information Security
Modernization Act of 2021 and not less frequently than once
every 2 years thereafter, using the continuous and ongoing
agency system risk assessment under subsection (a)(1)(A), the
head of each agency shall submit to the Director, the Director
of the Cybersecurity and Infrastructure Security Agency, the
Committee on Homeland Security and Governmental Affairs of the
Senate, the Committee on Oversight and Reform of the House of
Representatives, the Committee on Homeland Security of the
House of Representatives, the appropriate authorization and
appropriations committees of Congress, the National Cyber
Director, and the Comptroller General of the United States a
report that--
``(A) summarizes the agency system risk assessment
performed under subsection (a)(1)(A);
``(B) evaluates the adequacy and effectiveness of
information security policies, procedures, and
practices of the agency to address the risks identified
in the agency system risk assessment performed under
subsection (a)(1)(A);
``(C) summarizes the evaluation and implementation
plans described in subparagraphs (F) and (G) of
subsection (a)(1) and whether those evaluation and
implementation plans call for the use of additional
cybersecurity procedures determined to be appropriate
by the agency; and
``(D) summarizes the status of remedial actions
identified by the inspector general of the agency, the
Comptroller General of the United States, and any other
source determined appropriate by the head of the
agency.
``(2) Unclassified reports.--Each report submitted under
paragraph (1)--
``(A) shall be, to the greatest extent practicable,
in an unclassified and otherwise uncontrolled form; and
``(B) may include a classified annex.
``(3) Access to information.--The head of an agency shall
ensure that, to the greatest extent practicable, information is
included in the unclassified form of the report submitted by
the agency under paragraph (2)(A).
``(4) Briefings.--During each year during which a report is
not required to be submitted under paragraph (1), the Director
shall provide to the congressional committees described in
paragraph (1) a briefing summarizing current agency and Federal
risk postures.''; and
(iii) in paragraph (5), as so redesignated,
by inserting ``including the reporting
procedures established under section 11315(d)
of title 40 and subsection (a)(3)(A)(v) of this
section''; and
(D) in subsection (d)(1), in the matter preceding
subparagraph (A), by inserting ``and the Director of
the Cybersecurity and Infrastructure Security Agency''
after ``the Director''; and
(4) in section 3555--
(A) in the section heading, by striking ``annual
independent'' and inserting ``independent'';
(B) in subsection (a)--
(i) in paragraph (1), by inserting ``during
which a report is required to be submitted
under section 3553(c),'' after ``Each year'';
(ii) in paragraph (2)(A), by inserting ``,
including by penetration testing and analyzing
the vulnerability disclosure program of the
agency'' after ``information systems''; and
(iii) by adding at the end the following:
``(3) An evaluation under this section may include recommendations
for improving the cybersecurity posture of the agency.'';
(C) in subsection (b)(1), by striking ``annual'';
(D) in subsection (e)(1), by inserting ``during
which a report is required to be submitted under
section 3553(c)'' after ``Each year'';
(E) by striking subsection (f) and inserting the
following:
``(f) Protection of Information.--(1) Agencies, evaluators, and
other recipients of information that, if disclosed, may cause grave
harm to the efforts of Federal information security officers, including
the appropriate congressional committees, shall take appropriate steps
to ensure the protection of that information, including safeguarding
the information from public disclosure.
``(2) The protections required under paragraph (1) shall be
commensurate with the risk and comply with all applicable laws and
regulations.
``(3) With respect to information that is not related to national
security systems, agencies and evaluators shall make a summary of the
information unclassified and publicly available, including information
that does not identify--
``(A) specific information system incidents; or
``(B) specific information system vulnerabilities.'';
(F) in subsection (g)(2)--
(i) by striking ``this subsection shall''
and inserting ``this subsection--
``(A) shall'';
(ii) in subparagraph (A), as so designated,
by striking the period at the end and inserting
``; and''; and
(iii) by adding at the end the following:
``(B) identify any entity that performs an independent
evaluation under subsection (b).''; and
(G) by striking subsection (j) and inserting the
following:
``(j) Guidance.--
``(1) In general.--The Director, in consultation with the
Director of the Cybersecurity and Infrastructure Security
Agency, the Chief Information Officers Council, the Council of
the Inspectors General on Integrity and Efficiency, and other
interested parties as appropriate, shall ensure the development
of guidance for evaluating the effectiveness of an information
security program and practices.
``(2) Priorities.--The guidance developed under paragraph
(1) shall prioritize the identification of--
``(A) the most common threat patterns experienced
by each agency;
``(B) the security controls that address the threat
patterns described in subparagraph (A); and
``(C) any other security risks unique to the
networks of each agency.''; and
(5) in section 3556(a)--
(A) in the matter preceding paragraph (1), by
inserting ``within the Cybersecurity and Infrastructure
Security Agency'' after ``incident center''; and
(B) in paragraph (4), by striking ``3554(b)'' and
inserting ``3554(a)(1)(A)''.
(d) Conforming Amendments.--
(1) Table of sections.--The table of sections for chapter
35 of title 44, United States Code, is amended--
(A) by striking the item relating to section 3553
and inserting the following:
``3553. Authority and functions of the Director and the Director of the
Cybersecurity and Infrastructure Security
Agency.''; and
(B) by striking the item relating to section 3555
and inserting the following:
``3555. Independent evaluation.''.
(2) OMB reports.--Section 226(c) of the Cybersecurity Act
of 2015 (6 U.S.C. 1524(c)) is amended--
(A) in paragraph (1)(B), in the matter preceding
clause (i), by striking ``annually thereafter'' and
inserting ``thereafter during the years during which a
report is required to be submitted under section
3553(c) of title 44, United States Code''; and
(B) in paragraph (2)(B), in the matter preceding
clause (i)--
(i) by striking ``annually thereafter'' and
inserting ``thereafter during the years during
which a report is required to be submitted
under section 3553(c) of title 44, United
States Code''; and
(ii) by striking ``the report required
under section 3553(c) of title 44, United
States Code'' and inserting ``that report''.
(3) NIST responsibilities.--Section 20(d)(3)(B) of the
National Institute of Standards and Technology Act (15 U.S.C.
278g-3(d)(3)(B)) is amended by striking ``annual''.
(e) Federal System Incident Response.--
(1) In general.--Chapter 35 of title 44, United States
Code, is amended by adding at the end the following:
``SUBCHAPTER IV--FEDERAL SYSTEM INCIDENT RESPONSE
``Sec. 3591. Definitions
``(a) In General.--Except as provided in subsection (b), the
definitions under sections 3502 and 3552 shall apply to this
subchapter.
``(b) Additional Definitions.--As used in this subchapter:
``(1) Appropriate reporting entities.--The term
`appropriate reporting entities' means--
``(A) the majority and minority leaders of the
Senate;
``(B) the Speaker and minority leader of the House
of Representatives;
``(C) the Committee on Homeland Security and
Governmental Affairs of the Senate;
``(D) the Committee on Oversight and Reform of the
House of Representatives;
``(E) the Committee on Homeland Security of the
House of Representatives;
``(F) the appropriate authorization and
appropriations committees of Congress;
``(G) the Director;
``(H) the Director of the Cybersecurity and
Infrastructure Security Agency;
``(I) the National Cyber Director;
``(J) the Comptroller General of the United States;
and
``(K) the inspector general of any impacted agency.
``(2) Awardee.--The term `awardee'--
``(A) means a person, business, or other entity
that receives a grant from, or is a party to a
cooperative agreement with, an agency; and
``(B) includes any subgrantee of a person,
business, or other entity described in subparagraph
(A).
``(3) Breach.--The term `breach' means--
``(A) a compromise of the security,
confidentiality, or integrity of data in electronic
form that results in unauthorized access to, or an
acquisition of, personal information; or
``(B) a loss of data in electronic form that
results in unauthorized access to, or an acquisition
of, personal information.
``(4) Contractor.--The term `contractor' means--
``(A) a prime contractor of an agency or a
subcontractor of a prime contractor of an agency; and
``(B) any person or business that collects or
maintains information, including personally
identifiable information, on behalf of an agency.
``(5) Federal information.--The term `Federal information'
means information created, collected, processed, maintained,
disseminated, disclosed, or disposed of by or for the Federal
Government in any medium or form.
``(6) Federal information system.--The term `Federal
information system' means an information system used or
operated by an agency, a contractor, or another organization on
behalf of an agency.
``(7) Intelligence community.--The term `intelligence
community' has the meaning given the term in section 3 of the
National Security Act of 1947 (50 U.S.C. 3003).
``(8) Nationwide consumer reporting agency.--The term
`nationwide consumer reporting agency' means a consumer
reporting agency described in section 603(p) of the Fair Credit
Reporting Act (15 U.S.C. 1681a(p)).
``(9) Vulnerability disclosure.--The term `vulnerability
disclosure' means a vulnerability identified under section
3559B.
``Sec. 3592. Notification of breach
``(a) Notification.--As expeditiously as practicable and without
unreasonable delay, and in any case not later than 45 days after an
agency has a reasonable basis to conclude that a breach has occurred,
the head of the agency, in consultation with a senior privacy officer
of the agency, shall--
``(1) determine whether notice to any individual
potentially affected by the breach is appropriate based on an
assessment of the risk of harm to the individual that
considers--
``(A) the nature and sensitivity of the personally
identifiable information affected by the breach;
``(B) the likelihood of access to and use of the
personally identifiable information affected by the
breach;
``(C) the type of breach; and
``(D) any other factors determined by the Director;
and
``(2) as appropriate, provide written notice in accordance
with subsection (b) to each individual potentially affected by
the breach--
``(A) to the last known mailing address of the
individual; or
``(B) through an appropriate alternative method of
notification that the head of the agency or a
designated senior-level individual of the agency
selects based on factors determined by the Director.
``(b) Contents of Notice.--Each notice of a breach provided to an
individual under subsection (a)(2) shall include--
``(1) a brief description of the rationale for the
determination that notice should be provided under subsection
(a);
``(2) if possible, a description of the types of personally
identifiable information affected by the breach;
``(3) contact information of the agency that may be used to
ask questions of the agency, which--
``(A) shall include an e-mail address or another
digital contact mechanism; and
``(B) may include a telephone number or a website;
``(4) information on any remedy being offered by the
agency;
``(5) any applicable educational materials relating to what
individuals can do in response to a breach that potentially
affects their personally identifiable information, including
relevant information to contact Federal law enforcement
agencies and each nationwide consumer reporting agency; and
``(6) any other appropriate information, as determined by
the head of the agency or established in guidance by the
Director.
``(c) Delay of Notification.--
``(1) In general.--The Attorney General, the Director of
National Intelligence, or the Secretary of Homeland Security
may delay a notification required under subsection (a) if the
notification would--
``(A) impede a criminal investigation or a national
security activity;
``(B) reveal sensitive sources and methods;
``(C) cause damage to national security; or
``(D) hamper security remediation actions.
``(2) Documentation.--
``(A) In general.--Any delay under paragraph (1)
shall be reported in writing to the Director, the
Attorney General, the Director of National
Intelligence, the Secretary of Homeland Security, the
Director of the Cybersecurity and Infrastructure
Security Agency, and the head of the agency and the
inspector general of the agency that experienced the
breach.
``(B) Contents.--A report required under
subparagraph (A) shall include a written statement from
the entity that delayed the notification explaining the
need for the delay.
``(C) Form.--The report required under subparagraph
(A) shall be unclassified but may include a classified
annex.
``(3) Renewal.--A delay under paragraph (1) shall be for a
period of 60 days and may be renewed.
``(d) Update Notification.--If an agency determines there is a
significant change in the reasonable basis to conclude that a breach
occurred, a significant change to the determination made under
subsection (a)(1), or that it is necessary to update the details of the
information provided to impacted individuals as described in subsection
(b), the agency shall as expeditiously as practicable and without
unreasonable delay, and in any case not later than 30 days after such a
determination, notify each individual who received a notification
pursuant to subsection (a) of those changes.
``(e) Exemption From Notification.--
``(1) In general.--The head of an agency, in consultation
with the inspector general of the agency, may request an
exemption from the Director from complying with the
notification requirements under subsection (a) if the
information affected by the breach is determined by an
independent evaluation to be unreadable, including, as
appropriate, instances in which the information is--
``(A) encrypted; and
``(B) determined by the Director of the
Cybersecurity and Infrastructure Security Agency to be
of sufficiently low risk of exposure.
``(2) Approval.--The Director shall determine whether to
grant an exemption requested under paragraph (1) in
consultation with--
``(A) the Director of the Cybersecurity and
Infrastructure Security Agency; and
``(B) the Attorney General.
``(3) Documentation.--Any exemption granted by the Director
under paragraph (1) shall be reported in writing to the head of
the agency and the inspector general of the agency that
experienced the breach and the Director of the Cybersecurity
and Infrastructure Security Agency.
``(f) Rule of Construction.--Nothing in this section shall be
construed to limit--
``(1) the Director from issuing guidance relating to
notifications or the head of an agency from notifying
individuals potentially affected by breaches that are not
determined to be major incidents; or
``(2) the Director from issuing guidance relating to
notifications of major incidents or the head of an agency from
providing more information than described in subsection (b)
when notifying individuals potentially affected by breaches.
``Sec. 3593. Congressional and Executive Branch reports
``(a) Initial Report.--
``(1) In general.--Not later than 72 hours after an agency
has a reasonable basis to conclude that a major incident
occurred, the head of the agency impacted by the major incident
shall submit to the appropriate reporting entities a written
report and, to the extent practicable, provide a briefing to
the Committee on Homeland Security and Governmental Affairs of
the Senate, the Committee on Oversight and Reform of the House
of Representatives, the Committee on Homeland Security of the
House of Representatives, and the appropriate authorization and
appropriations committees of Congress, taking into account--
``(A) the information known at the time of the
report;
``(B) the sensitivity of the details associated
with the major incident; and
``(C) the classification level of the information
contained in the report.
``(2) Contents.--A report required under paragraph (1)
shall include, in a manner that excludes or otherwise
reasonably protects personally identifiable information and to
the extent permitted by applicable law, including privacy and
statistical laws--
``(A) a summary of the information available about
the major incident, including how the major incident
occurred, information indicating that the major
incident may be a breach, and information relating to
the major incident as a breach, based on information
available to agency officials as of the date on which
the agency submits the report;
``(B) if applicable, a description and any
associated documentation of any circumstances
necessitating a delay in or exemption to notification
to individuals potentially affected by the major
incident under subsection (c) or (e) of section 3592;
and
``(C) if applicable, an assessment of the impacts
to the agency, the Federal Government, or the security
of the United States, based on information available to
agency officials on the date on which the agency
submits the report.
``(b) Supplemental Report.--Within a reasonable amount of time, but
not later than 30 days after the date on which an agency submits a
written report under subsection (a), the head of the agency shall
provide to the appropriate reporting entities written updates on the
major incident and, to the extent practicable, provide a briefing to
the congressional committees described in subsection (a)(1), including
summaries of--
``(1) vulnerabilities, means by which the major incident
occurred, and impacts to the agency relating to the major
incident;
``(2) any risk assessment and subsequent risk-based
security implementation of the affected information system
before the date on which the major incident occurred;
``(3) the status of compliance of the affected information
system with applicable security requirements at the time of the
major incident;
``(4) an estimate of the number of individuals potentially
affected by the major incident based on information available
to agency officials as of the date on which the agency provides
the update;
``(5) an assessment of the risk of harm to individuals
potentially affected by the major incident based on information
available to agency officials as of the date on which the
agency provides the update;
``(6) an update to the assessment of the risk to agency
operations, or to impacts on other agency or non-Federal entity
operations, affected by the major incident based on information
available to agency officials as of the date on which the
agency provides the update; and
``(7) the detection, response, and remediation actions of
the agency, including any support provided by the Cybersecurity
and Infrastructure Security Agency under section 3594(d) and
status updates on the notification process described in section
3592(a), including any delay or exemption described in
subsection (c) or (e), respectively, of section 3592, if
applicable.
``(c) Update Report.--If the agency determines that there is any
significant change in the understanding of the agency of the scope,
scale, or consequence of a major incident for which an agency submitted
a written report under subsection (a), the agency shall provide an
updated report to the appropriate reporting entities that includes
information relating to the change in understanding.
``(d) Annual Report.--Each agency shall submit as part of the
annual report required under section 3554(c)(1) of this title a
description of each major incident that occurred during the 1-year
period preceding the date on which the report is submitted.
``(e) Delay and Exemption Report.--
``(1) In general.--The Director shall submit to the
appropriate notification entities an annual report on all
notification delays and exemptions granted pursuant to
subsections (c) and (d) of section 3592.
``(2) Component of other report.--The Director may submit
the report required under paragraph (1) as a component of the
annual report submitted under section 3597(b).
``(f) Report Delivery.--Any written report required to be submitted
under this section may be submitted in a paper or electronic format.
``(g) Threat Briefing.--
``(1) In general.--Not later than 7 days after the date on
which an agency has a reasonable basis to conclude that a major
incident occurred, the head of the agency, jointly with the
National Cyber Director and any other Federal entity determined
appropriate by the National Cyber Director, shall provide a
briefing to the congressional committees described in
subsection (a)(1) on the threat causing the major incident.
``(2) Components.--The briefing required under paragraph
(1)--
``(A) shall, to the greatest extent practicable,
include an unclassified component; and
``(B) may include a classified component.
``(h) Rule of Construction.--Nothing in this section shall be
construed to limit--
``(1) the ability of an agency to provide additional
reports or briefings to Congress; or
``(2) Congress from requesting additional information from
agencies through reports, briefings, or other means.
``Sec. 3594. Government information sharing and incident response
``(a) In General.--
``(1) Incident reporting.--The head of each agency shall
provide any information relating to any incident, whether the
information is obtained by the Federal Government directly or
indirectly, to the Cybersecurity and Infrastructure Security
Agency and the Office of Management and Budget.
``(2) Contents.--A provision of information relating to an
incident made by the head of an agency under paragraph (1)
shall--
``(A) include detailed information about the
safeguards that were in place when the incident
occurred;
``(B) whether the agency implemented the safeguards
described in subparagraph (A) correctly;
``(C) in order to protect against a similar
incident, identify--
``(i) how the safeguards described in
subparagraph (A) should be implemented
differently; and
``(ii) additional necessary safeguards; and
``(D) include information to aid in incident
response, such as--
``(i) a description of the affected systems
or networks;
``(ii) the estimated dates of when the
incident occurred; and
``(iii) information that could reasonably
help identify the party that conducted the
incident.
``(3) Information sharing.--To the greatest extent
practicable, the Director of the Cybersecurity and
Infrastructure Security Agency shall share information relating
to an incident with any agencies that may be impacted by the
incident.
``(4) National security systems.--Each agency operating or
exercising control of a national security system shall share
information about incidents with the Director of the
Cybersecurity and Infrastructure Security Agency to the extent
consistent with standards and guidelines for national security
systems issued in accordance with law and as directed by the
President.
``(b) Compliance.--The information provided under subsection (a)
shall take into account the level of classification of the information
and any information sharing limitations and protections, such as
limitations and protections relating to law enforcement, national
security, privacy, statistical confidentiality, or other factors
determined by the Director.
``(c) Incident Response.--Each agency that has a reasonable basis
to conclude that a major incident occurred involving Federal
information in electronic medium or form, as defined by the Director
and not involving a national security system, regardless of delays from
notification granted for a major incident, shall coordinate with the
Cybersecurity and Infrastructure Security Agency regarding--
``(1) incident response and recovery; and
``(2) recommendations for mitigating future incidents.
``Sec. 3595. Responsibilities of contractors and awardees
``(a) Notification.--
``(1) In general.--Unless otherwise specified in a
contract, grant, or cooperative agreement, any contractor or
awardee of an agency shall report to the agency within the same
amount of time such agency is required to report an incident to
the Cybersecurity and Infrastructure Security Agency, if the
contractor or awardee has a reasonable basis to conclude that--
``(A) an incident or breach has occurred with
respect to Federal information collected, used, or
maintained by the contractor or awardee in connection
with the contract, grant, or cooperative agreement of
the contractor or awardee;
``(B) an incident or breach has occurred with
respect to a Federal information system used or
operated by the contractor or awardee in connection
with the contract, grant, or cooperative agreement of
the contractor or awardee; or
``(C) the contractor or awardee has received
information from the agency that the contractor or
awardee is not authorized to receive in connection with
the contract, grant, or cooperative agreement of the
contractor or awardee.
``(2) Procedures.--
``(A) Major incident.--Following a report of a
breach or major incident by a contractor or awardee
under paragraph (1), the agency, in consultation with
the contractor or awardee, shall carry out the
requirements under sections 3592, 3593, and 3594 with
respect to the major incident.
``(B) Incident.--Following a report of an incident
by a contractor or awardee under paragraph (1), an
agency, in consultation with the contractor or awardee,
shall carry out the requirements under section 3594
with respect to the incident.
``(b) Effective Date.--This section shall apply on and after the
date that is 1 year after the date of enactment of the Federal
Information Security Modernization Act of 2021.
``Sec. 3596. Training
``(a) Covered Individual Defined.--In this section, the term
`covered individual' means an individual who obtains access to Federal
information or Federal information systems because of the status of the
individual as an employee, contractor, awardee, volunteer, or intern of
an agency.
``(b) Requirement.--The head of each agency shall develop training
for covered individuals on how to identify and respond to an incident,
including--
``(1) the internal process of the agency for reporting an
incident; and
``(2) the obligation of a covered individual to report to
the agency a confirmed major incident and any suspected
incident involving information in any medium or form, including
paper, oral, and electronic.
``(c) Inclusion in Annual Training.--The training developed under
subsection (b) may be included as part of an annual privacy or security
awareness training of an agency.
``Sec. 3597. Analysis and report on Federal incidents
``(a) Analysis of Federal Incidents.--
``(1) Quantitative and qualitative analyses.--The Director
of the Cybersecurity and Infrastructure Security Agency shall
develop, in consultation with the Director and the National
Cyber Director, and perform continuous monitoring and
quantitative and qualitative analyses of incidents at agencies,
including major incidents, including--
``(A) the causes of incidents, including--
``(i) attacker tactics, techniques, and
procedures; and
``(ii) system vulnerabilities, including
zero days, unpatched systems, and information
system misconfigurations;
``(B) the scope and scale of incidents at agencies;
``(C) cross Federal Government root causes of
incidents at agencies;
``(D) agency incident response, recovery, and
remediation actions and the effectiveness of those
actions, as applicable; and
``(E) lessons learned and recommendations in
responding to, recovering from, remediating, and
mitigating future incidents.
``(2) Automated analysis.--The analyses developed under
paragraph (1) shall, to the greatest extent practicable, use
machine readable data, automation, and machine learning
processes.
``(3) Sharing of data and analysis.--
``(A) In general.--The Director shall share on an
ongoing basis the analyses required under this
subsection with agencies and the National Cyber
Director to--
``(i) improve the understanding of
cybersecurity risk of agencies; and
``(ii) support the cybersecurity
improvement efforts of agencies.
``(B) Format.--In carrying out subparagraph (A),
the Director shall share the analyses--
``(i) in human-readable written products;
and
``(ii) to the greatest extent practicable,
in machine-readable formats in order to enable
automated intake and use by agencies.
``(b) Annual Report on Federal Incidents.--Not later than 2 years
after the date of enactment of this section, and not less frequently
than annually thereafter, the Director of the Cybersecurity and
Infrastructure Security Agency, in consultation with the Director and
other Federal agencies as appropriate, shall submit to the appropriate
notification entities a report that includes--
``(1) a summary of causes of incidents from across the
Federal Government that categorizes those incidents as
incidents or major incidents;
``(2) the quantitative and qualitative analyses of
incidents developed under subsection (a)(1), including specific
analysis of breaches, on an agency-by-agency basis and
comprehensively across the Federal Government; and
``(3) an annex for each agency that includes--
``(A) a description of each major incident; and
``(B) the total number of compromises of the
agency.
``(c) Publication.--A version of each report submitted under
subsection (b) shall be made publicly available on the website of the
Cybersecurity and Infrastructure Security Agency during the year in
which the report is submitted.
``(d) Information Provided by Agencies.--
``(1) In general.--The analysis required under subsection
(a) and each report submitted under subsection (b) shall use
information provided by agencies under section 3594(a).
``(2) Noncompliance reports.--
``(A) In general.--Subject to subparagraph (B),
during any year during which the head of an agency does
not provide data for an incident to the Cybersecurity
and Infrastructure Security Agency in accordance with
section 3594(a), the head of the agency, in
coordination with the Director of the Cybersecurity and
Infrastructure Security Agency and the Director, shall
submit to the appropriate reporting entities a report
that includes--
``(i) data for the incident; and
``(ii) the information described in
subsection (b) with respect to the agency.
``(B) Exception for national security systems.--The
head of an agency that owns or exercises control of a
national security system shall not include data for an
incident that occurs on a national security system in
any report submitted under subparagraph (A).
``(3) National security system reports.--
``(A) In general.--Annually, the head of an agency
that operates or exercises control of a national
security system shall submit a report that includes the
information described in subsection (b) with respect to
the agency to the extent that the submission is
consistent with standards and guidelines for national
security systems issued in accordance with law and as
directed by the President to--
``(i) the majority and minority leaders
of the Senate;
``(ii) the Speaker and minority leader of
the House of Representatives;
``(iii) the Committee on Homeland Security
and Governmental Affairs of the Senate;
``(iv) the Select Committee on Intelligence
of the Senate;
``(v) the Committee on Armed Services of
the Senate;
``(vi) the Committee on Oversight and
Reform of the House of Representatives;
``(vii) the Committee on Homeland Security
of the House of Representatives;
``(viii) the Permanent Select Committee on
Intelligence of the House of Representatives;
and
``(ix) the Committee on Armed Services of
the House of Representatives.
``(B) Classified form.--A report required under
subparagraph (A) may be submitted in a classified form.
``(e) Requirement for Compiling Information.--In publishing the
public report required under subsection (c), the Director of the
Cybersecurity and Infrastructure Security Agency shall sufficiently
compile information such that no specific incident of an agency can be
identified, except with the concurrence of the Director of the Office
of Management and Budget and in consultation with the impacted agency.
``Sec. 3598. Major incident definition
``(a) In General.--Not later than 180 days after the date of
enactment of the Federal Information Security Modernization Act of
2021, the Director, in coordination with the Director of the
Cybersecurity and Infrastructure Security Agency and the National Cyber
Director, shall develop and promulgate guidance on the definition of
the term `major incident' for the purposes of subchapter II and this
subchapter.
``(b) Requirements.--With respect to the guidance issued under
subsection (a), the definition of the term `major incident' shall--
``(1) include, with respect to any information collected or
maintained by or on behalf of an agency or an information
system used or operated by an agency or by a contractor of an
agency or another organization on behalf of an agency--
``(A) any incident the head of the agency
determines is likely to have an impact on--
``(i) the national security, homeland
security, or economic security of the United
States; or
``(ii) the civil liberties or public health
and safety of the people of the United States;
``(B) any incident the head of the agency
determines likely to result in an inability for the
agency, a component of the agency, or the Federal
Government, to provide 1 or more critical services;
``(C) any incident that the head of an agency, in
consultation with a senior privacy officer of the
agency, determines is likely to have a significant
privacy impact on 1 or more individuals;
``(D) any incident that the head of the agency, in
consultation with a senior privacy official of the
agency, determines is likely to have a substantial
privacy impact on a significant number of individuals;
``(E) any incident the head of the agency
determines impacts the operations of a high value asset
owned or operated by the agency;
``(F) any incident involving the exposure of
sensitive agency information to a foreign entity, such
as the communications of the head of the agency, the
head of a component of the agency, or the direct
reports of the head of the agency or the head of a
component of the agency; and
``(G) any other type of incident determined
appropriate by the Director;
``(2) stipulate that the National Cyber Director shall
declare a major incident at each agency impacted by an incident
if the Director of the Cybersecurity and Infrastructure
Security Agency determines that an incident--
``(A) occurs at not less than 2 agencies; and
``(B) is enabled by--
``(i) a common technical root cause, such
as a supply chain compromise or a common software
or hardware vulnerability; or
``(ii) the related activities of a common
threat actor; and
``(3) stipulate that, in determining whether an incident
constitutes a major incident because that incident--
``(A) is any incident described in paragraph (1),
the head of an agency shall consult with the Director
of the Cybersecurity and Infrastructure Security
Agency;
``(B) is an incident described in paragraph (1)(A),
the head of the agency shall consult with the National
Cyber Director; and
``(C) is an incident described in subparagraph (C)
or (D) of paragraph (1), the head of the agency shall
consult with--
``(i) the Privacy and Civil Liberties
Oversight Board; and
``(ii) the Executive Director of the
Federal Trade Commission.
``(c) Significant Number of Individuals.--In determining what
constitutes a significant number of individuals under subsection
(b)(1)(D), the Director--
``(1) may determine a threshold for a minimum number of
individuals that constitutes a significant amount; and
``(2) may not determine a threshold described in paragraph
(1) that exceeds 5,000 individuals.
``(d) Evaluation and Updates.--Not later than 2 years after the
date of enactment of the Federal Information Security Modernization Act
of 2021, and not less frequently than every 2 years thereafter, the
Director shall submit to the Committee on Homeland Security and
Governmental Affairs of the Senate and the Committee on Oversight and
Reform of the House of Representatives an evaluation, which shall
include--
``(1) an update, if necessary, to the guidance issued under
subsection (a);
``(2) the definition of the term `major incident' included
in the guidance issued under subsection (a); and
``(3) an explanation of, and the analysis that led to, the
definition described in paragraph (2).''.
(2) Clerical amendment.--The table of sections for chapter
35 of title 44, United States Code, is amended by adding at the
end the following:
``subchapter iv--federal system incident response
``3591. Definitions.
``3592. Notification of breach.
``3593. Congressional and Executive Branch reports.
``3594. Government information sharing and incident response.
``3595. Responsibilities of contractors and awardees.
``3596. Training.
``3597. Analysis and report on Federal incidents.
``3598. Major incident definition.''.
SEC. 102. AMENDMENTS TO SUBTITLE III OF TITLE 40.
(a) Information Technology Modernization Centers of Excellence
Program Act.--Section 2(c)(4)(A)(ii) of the Information Technology
Modernization Centers of Excellence Program Act (40 U.S.C. 11301 note)
is amended by striking the period at the end and inserting ``, which
shall be provided in coordination with the Director of the
Cybersecurity and Infrastructure Security Agency.''.
(b) Modernizing Government Technology.--Subtitle G of title X of
Division A of the National Defense Authorization Act for Fiscal Year
2018 (40 U.S.C. 11301 note) is amended--
(1) in section 1077(b)--
(A) in paragraph (5)(A), by inserting ``improving
the cybersecurity of systems and'' before ``cost
savings activities''; and
(B) in paragraph (7)--
(i) in the paragraph heading, by striking
``cio'' and inserting ``CIO'';
(ii) by striking ``In evaluating projects''
and inserting the following:
``(A) Consideration of guidance.--In evaluating
projects'';
(iii) in subparagraph (A), as so
designated, by striking ``under section
1094(b)(1)'' and inserting ``by the Director'';
and
(iv) by adding at the end the following:
``(B) Consultation.--In using funds under paragraph
(3)(A), the Chief Information Officer of the covered
agency shall consult with the necessary stakeholders to
ensure the project appropriately addresses
cybersecurity risks, including the Director of the
Cybersecurity and Infrastructure Security Agency, as
appropriate.''; and
(2) in section 1078--
(A) by striking subsection (a) and inserting the
following:
``(a) Definitions.--In this section:
``(1) Agency.--The term `agency' has the meaning given the
term in section 551 of title 5, United States Code.
``(2) High value asset.--The term `high value asset' has
the meaning given the term in section 3552 of title 44, United
States Code.'';
(B) in subsection (b), by adding at the end the
following:
``(8) Proposal evaluation.--The Director shall--
``(A) give consideration for the use of amounts in
the Fund to improve the security of high value assets;
and
``(B) require that any proposal for the use of
amounts in the Fund includes a cybersecurity plan,
including a supply chain risk management plan, to be
reviewed by the member of the Technology Modernization
Board described in subsection (c)(5)(C).''; and
(C) in subsection (c)--
(i) in paragraph (2)(A)(i), by inserting
``, including a consideration of the impact on
high value assets'' after ``operational
risks'';
(ii) in paragraph (5)--
(I) in subparagraph (A), by
striking ``and'' at the end;
(II) in subparagraph (B), by
striking the period at the end and
inserting ``and''; and
(III) by adding at the end the
following:
``(C) a senior official from the Cybersecurity and
Infrastructure Security Agency of the Department of
Homeland Security, appointed by the Director.''; and
(iii) in paragraph (6)(A), by striking
``shall be--'' and all that follows through ``4
employees'' and inserting ``shall be 4
employees''.
(c) Subchapter I.--Subchapter I of subtitle III of title 40, United
States Code, is amended--
(1) in section 11302--
(A) in subsection (b), by striking ``use, security,
and disposal of'' and inserting ``use, and disposal of,
and, in consultation with the Director of the
Cybersecurity and Infrastructure Security Agency and
the National Cyber Director, promote and improve the
security of,'';
(B) in subsection (c)--
(i) in paragraph (3)--
(I) in subparagraph (A)--
(aa) by striking
``including data'' and
inserting ``which shall--
``(i) include data'';
(bb) in clause (i), as so
designated, by striking ``, and
performance'' and inserting
``security, and performance;
and''; and
(cc) by adding at the end
the following:
``(ii) specifically denote cybersecurity
funding under the risk-based cyber budget model
developed pursuant to section 3553(a)(7) of
title 44.''; and
(II) in subparagraph (B), by adding at
the end the following:
``(iii) The Director shall provide to the
National Cyber Director any cybersecurity
funding information described in subparagraph
(A)(ii) that is provided to the Director under
clause (ii) of this subparagraph.''; and
(ii) in paragraph (4)(B), in the matter
preceding clause (i), by inserting ``not later
than 30 days after the date on which the review
under subparagraph (A) is completed,'' before
``the Administrator'';
(C) in subsection (f)--
(i) by striking ``heads of executive
agencies to develop'' and inserting ``heads of
executive agencies to--
``(1) develop'';
(ii) in paragraph (1), as so designated, by
striking the period at the end and inserting
``; and''; and
(iii) by adding at the end the following:
``(2) consult with the Director of the Cybersecurity and
Infrastructure Security Agency for the development and use of
supply chain security best practices.''; and
(D) in subsection (h), by inserting ``, including
cybersecurity performances,'' after ``the
performances''; and
(2) in section 11303(b)--
(A) in paragraph (2)(B)--
(i) in clause (i), by striking ``or'' at
the end;
(ii) in clause (ii), by adding ``or'' at
the end; and
(iii) by adding at the end the following:
``(iii) whether the function should be
performed by a shared service offered by
another executive agency;''; and
(B) in paragraph (5)(B)(i), by inserting ``, while
taking into account the risk-based cyber budget model
developed pursuant to section 3553(a)(7) of title 44''
after ``title 31''.
(d) Subchapter II.--Subchapter II of subtitle III of title 40,
United States Code, is amended--
(1) in section 11312(a), by inserting ``, including
security risks'' after ``managing the risks'';
(2) in section 11313(1), by striking ``efficiency and
effectiveness'' and inserting ``efficiency, security, and
effectiveness'';
(3) in section 11315, by adding at the end the following:
``(d) Component Agency Chief Information Officers.--The Chief
Information Officer or an equivalent official of a component agency
shall report to--
``(1) the Chief Information Officer designated under
section 3506(a)(2) of title 44 or an equivalent official of the
agency of which the component agency is a component; and
``(2) the head of the component agency.'';
(4) in section 11317, by inserting ``security,'' before
``or schedule''; and
(5) in section 11319(b)(1), in the paragraph heading, by
striking ``CIOS'' and inserting ``Chief information officers''.
(e) Subchapter III.--Section 11331 of title 40, United States Code,
is amended--
(1) in subsection (a), by striking ``section 3532(b)(1)''
and inserting ``section 3552(b)'';
(2) in subsection (b)(1)(A)--
(A) by striking ``in consultation'' and inserting
``in coordination''; and
(B) by striking ``the Secretary of Homeland
Security'' and inserting ``the Director of the
Cybersecurity and Infrastructure Security Agency'';
(3) by striking subsection (c) and inserting the following:
``(c) Application of More Stringent Standards.--
``(1) In general.--The head of an agency shall--
``(A) evaluate, in consultation with the senior
agency information security officers, the need to
employ standards for cost-effective, risk-based
information security for all systems, operations, and
assets within or under the supervision of the agency
that are more stringent than the standards promulgated
by the Director under this section, if such standards
contain, at a minimum, the provisions of those
applicable standards made compulsory and binding by the
Director; and
``(B) to the greatest extent practicable and if the
head of the agency determines that the standards
described in subparagraph (A) are necessary, employ
those standards.
``(2) Evaluation of more stringent standards.--In
evaluating the need to employ more stringent standards under
paragraph (1), the head of an agency shall consider available
risk information, such as--
``(A) the status of cybersecurity remedial actions
of the agency;
``(B) any vulnerability information relating to
agency systems that is known to the agency;
``(C) incident information of the agency;
``(D) information from--
``(i) penetration testing performed under
section 3559A of title 44; and
``(ii) information from the vulnerability
disclosure program established under section
3559B of title 44;
``(E) agency threat hunting results under section
205 of the Federal Information Security Modernization
Act of 2021;
``(F) Federal and non-Federal threat intelligence;
``(G) data on compliance with standards issued
under this section;
``(H) agency system risk assessments performed
under section 3554(a)(1)(A) of title 44; and
``(I) any other information determined relevant by
the head of the agency.'';
(4) in subsection (d)(2)--
(A) in the paragraph heading, by striking ``Notice
and comment'' and inserting ``Consultation, notice, and
comment'';
(B) by inserting ``promulgate,'' before
``significantly modify''; and
(C) by striking ``shall be made after the public is
given an opportunity to comment on the Director's
proposed decision.'' and inserting ``shall be made--
``(A) for a decision to significantly modify or not
promulgate such a proposed standard, after the public
is given an opportunity to comment on the Director's
proposed decision;
``(B) in consultation with the Chief Information
Officers Council, the Director of the Cybersecurity and
Infrastructure Security Agency, the National Cyber
Director, the Comptroller General of the United States,
and the Council of the Inspectors General on Integrity
and Efficiency;
``(C) considering the Federal risk assessments
performed under section 3553(i) of title 44; and
``(D) considering the extent to which the proposed
standard reduces risk relative to the cost of
implementation of the standard.''; and
(5) by adding at the end the following:
``(e) Review of Office of Management and Budget Guidance and
Policy.--
``(1) Conduct of review.--
``(A) In general.--Not less frequently than once
every 3 years, the Director of the Office of Management
and Budget, in consultation with the Chief Information
Officers Council, the Director of the Cybersecurity and
Infrastructure Security Agency, the National Cyber
Director, the Comptroller General of the United States,
and the Council of the Inspectors General on Integrity
and Efficiency shall review the efficacy of the
guidance and policy promulgated by the Director in
reducing cybersecurity risks, including an assessment
of the requirements for agencies to report information
to the Director, and determine whether any changes to
that guidance or policy are appropriate.
``(B) Federal risk assessments.--In conducting the
review described in subparagraph (A), the Director
shall consider the Federal risk assessments performed
under section 3553(i) of title 44.
``(2) Updated guidance.--Not later than 90 days after the
date on which a review is completed under paragraph (1), the
Director of the Office of Management and Budget shall issue
updated guidance or policy to agencies determined appropriate
by the Director, based on the results of the review.
``(3) Public report.--Not later than 30 days after the date
on which a review is completed under paragraph (1), the
Director of the Office of Management and Budget shall make
publicly available a report that includes--
``(A) an overview of the guidance and policy
promulgated under this section that is currently in
effect;
``(B) the cybersecurity risk mitigation, or other
cybersecurity benefit, offered by each guidance or
policy document described in subparagraph (A); and
``(C) a summary of the guidance or policy to which
changes were determined appropriate during the review
and what the changes are anticipated to include.
``(4) Congressional briefing.--Not later than 30 days after
the date on which a review is completed under paragraph (1),
the Director shall provide to the Committee on Homeland
Security and Governmental Affairs of the Senate and the
Committee on Oversight and Reform of the House of
Representatives a briefing on the review.
``(f) Automated Standard Implementation Verification.--When the
Director of the National Institute of Standards and Technology issues a
proposed standard pursuant to paragraphs (2) and (3) of section 20(a)
of the National Institute of Standards and Technology Act (15 U.S.C.
278g-3(a)), the Director of the National Institute of Standards and
Technology shall consider developing and, if appropriate and practical,
develop, in consultation with the Director of the Cybersecurity and
Infrastructure Security Agency, specifications to enable the automated
verification of the implementation of the controls within the
standard.''.
SEC. 103. ACTIONS TO ENHANCE FEDERAL INCIDENT RESPONSE.
(a) Responsibilities of the Cybersecurity and Infrastructure
Security Agency.--
(1) In general.--Not later than 180 days after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency shall--
(A) develop a plan for the development of the
analysis required under section 3597(a) of title 44,
United States Code, as added by this Act, and the
report required under subsection (b) of that section
that includes--
(i) a description of any challenges the
Director anticipates encountering; and
(ii) the use of automation and machine-
readable formats for collecting, compiling,
monitoring, and analyzing data; and
(B) provide to the appropriate congressional
committees a briefing on the plan developed under
subparagraph (A).
(2) Briefing.--Not later than 1 year after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency shall provide to the appropriate
congressional committees a briefing on--
(A) the execution of the plan required under
paragraph (1)(A); and
(B) the development of the report required under
section 3597(b) of title 44, United States Code, as
added by this Act.
(b) Responsibilities of the Director of the Office of Management
and Budget.--
(1) FISMA.--Section 2 of the Federal Information Security
Modernization Act of 2014 (44 U.S.C. 3554 note) is amended--
(A) by striking subsection (b); and
(B) by redesignating subsections (c) through (f) as
subsections (b) through (e), respectively.
(2) Incident data sharing.--
(A) In general.--The Director shall develop
guidance, to be updated not less frequently than once
every 2 years, on the content, timeliness, and format
of the information provided by agencies under section
3594(a) of title 44, United States Code, as added by
this Act.
(B) Requirements.--The guidance developed under
subparagraph (A) shall--
(i) prioritize the availability of data
necessary to understand and analyze--
(I) the causes of incidents;
(II) the scope and scale of
incidents within the environments and
systems of an agency;
(III) a root cause analysis of
incidents that--
(aa) are common across the
Federal Government; or
(bb) have a Government-wide
impact;
(IV) agency response, recovery, and
remediation actions and the
effectiveness of those actions; and
(V) the impact of incidents;
(ii) enable the efficient development of--
(I) lessons learned and
recommendations in responding to,
recovering from, remediating, and
mitigating future incidents; and
(II) the report on Federal
incidents required under section
3597(b) of title 44, United States
Code, as added by this Act;
(iii) include requirements for the
timeliness of data production; and
(iv) include requirements for using
automation and machine-readable data for data
sharing and availability.
(3) Guidance on responding to information requests.--Not
later than 1 year after the date of enactment of this Act, the
Director shall develop guidance for agencies to implement the
requirement under section 3594(c) of title 44, United States
Code, as added by this Act, to provide information to other
agencies experiencing incidents.
(4) Standard guidance and templates.--Not later than 1 year
after the date of enactment of this Act, the Director, in
consultation with the Director of the Cybersecurity and
Infrastructure Security Agency, shall develop guidance and
templates, to be reviewed and, if necessary, updated not less
frequently than once every 2 years, for use by Federal agencies
in the activities required under sections 3592, 3593, and 3596
of title 44, United States Code, as added by this Act.
(5) Contractor and awardee guidance.--
(A) In general.--Not later than 1 year after the
date of enactment of this Act, the Director, in
coordination with the Secretary of Homeland Security,
the Secretary of Defense, the Administrator of General
Services, and the heads of other agencies determined
appropriate by the Director, shall issue guidance to
Federal agencies on how to deconflict, to the greatest
extent practicable, existing regulations, policies, and
procedures relating to the responsibilities of
contractors and awardees established under section 3595
of title 44, United States Code, as added by this Act.
(B) Existing processes.--To the greatest extent
practicable, the guidance issued under subparagraph (A)
shall allow contractors and awardees to use existing
processes for notifying Federal agencies of incidents
involving information of the Federal Government.
(6) Updated briefings.--Not less frequently than once every
2 years, the Director shall provide to the appropriate
congressional committees an update on the guidance and
templates developed under paragraphs (2) through (4).
(c) Update to the Privacy Act of 1974.--Section 552a(b) of title 5,
United States Code (commonly known as the ``Privacy Act of 1974'') is
amended--
(1) in paragraph (11), by striking ``or'' at the end;
(2) in paragraph (12), by striking the period at the end
and inserting ``; or''; and
(3) by adding at the end the following:
``(13) to another agency in furtherance of a response to an
incident (as defined in section 3552 of title 44) and pursuant
to the information sharing requirements in section 3594 of
title 44 if the head of the requesting agency has made a
written request to the agency that maintains the record
specifying the particular portion desired and the activity for
which the record is sought.''.
SEC. 104. ADDITIONAL GUIDANCE TO AGENCIES ON FISMA UPDATES.
Not later than 1 year after the date of enactment of this Act, the
Director, in coordination with the Director of the Cybersecurity and
Infrastructure Security Agency, shall issue guidance for agencies on--
(1) performing the ongoing and continuous agency system
risk assessment required under section 3554(a)(1)(A) of title
44, United States Code, as amended by this Act;
(2) implementing additional cybersecurity procedures, which
shall include resources for shared services;
(3) establishing a process for providing the status of each
remedial action under section 3554(b)(7) of title 44, United
States Code, as amended by this Act, to the Director and the
Cybersecurity and Infrastructure Security Agency using
automation and machine-readable data, as practicable, which
shall include--
(A) specific guidance for the use of automation and
machine-readable data; and
(B) templates for providing the status of the
remedial action;
(4) interpreting the definition of ``high value asset''
under section 3552 of title 44, United States Code, as amended
by this Act; and
(5) a requirement to coordinate with inspectors general of
agencies to ensure consistent understanding and application of
agency policies for the purpose of evaluations by inspectors
general.
SEC. 105. AGENCY REQUIREMENTS TO NOTIFY PRIVATE SECTOR ENTITIES
IMPACTED BY INCIDENTS.
(a) Definitions.--In this section:
(1) Reporting entity.--The term ``reporting entity'' means
a private organization or governmental unit that is required by
statute or regulation to submit sensitive information to an
agency.
(2) Sensitive information.--The term ``sensitive
information'' has the meaning given the term by the Director in
guidance issued under subsection (b).
(b) Guidance on Notification of Reporting Entities.--Not later than
180 days after the date of enactment of this Act, the Director shall
issue guidance requiring the head of each agency to notify a reporting
entity of an incident that is likely to substantially affect--
(1) the confidentiality or integrity of sensitive
information submitted by the reporting entity to the agency
pursuant to a statutory or regulatory requirement; or
(2) the agency information system or systems used in the
transmission or storage of the sensitive information described
in paragraph (1).
TITLE II--IMPROVING FEDERAL CYBERSECURITY
SEC. 201. MOBILE SECURITY STANDARDS.
(a) In General.--Not later than 1 year after the date of enactment
of this Act, the Director shall--
(1) evaluate mobile application security guidance
promulgated by the Director; and
(2) issue guidance to secure mobile devices, including for
mobile applications, for every agency.
(b) Contents.--The guidance issued under subsection (a)(2) shall
include--
(1) a requirement, pursuant to section 3506(b)(4) of title
44, United States Code, for every agency to maintain a
continuous inventory of every--
(A) mobile device operated by or on behalf of the
agency; and
(B) vulnerability identified by the agency
associated with a mobile device; and
(2) a requirement for every agency to perform continuous
evaluation of the vulnerabilities described in paragraph (1)(B)
and other risks associated with the use of applications on
mobile devices.
(c) Information Sharing.--The Director, in coordination with the
Director of the Cybersecurity and Infrastructure Security Agency, shall
issue guidance to agencies for sharing the inventory of the agency
required under subsection (b)(1) with the Director of the Cybersecurity
and Infrastructure Security Agency, using automation and machine-
readable data to the greatest extent practicable.
(d) Briefing.--Not later than 60 days after the date on which the
Director issues guidance under subsection (a)(2), the Director, in
coordination with the Director of the Cybersecurity and Infrastructure
Security Agency, shall provide to the appropriate congressional
committees a briefing on the guidance.
SEC. 202. DATA AND LOGGING RETENTION FOR INCIDENT RESPONSE.
(a) Recommendations.--Not later than 2 years after the date of
enactment of this Act, and not less frequently than every 2 years
thereafter, the Director of the Cybersecurity and Infrastructure
Security Agency, in consultation with the Attorney General, shall
submit to the Director recommendations on requirements for logging
events on agency systems and retaining other relevant data within the
systems and networks of an agency.
(b) Contents.--The recommendations provided under subsection (a)
shall include--
(1) the types of logs to be maintained;
(2) the time periods to retain the logs and other relevant
data;
(3) the time periods for agencies to enable recommended
logging and security requirements;
(4) how to ensure the confidentiality, integrity, and
availability of logs;
(5) requirements to ensure that, upon request, in a manner
that excludes or otherwise reasonably protects personally
identifiable information, and to the extent permitted by
applicable law (including privacy and statistical laws),
agencies provide logs to--
(A) the Director of the Cybersecurity and
Infrastructure Security Agency for a cybersecurity
purpose; and
(B) the Federal Bureau of Investigation to
investigate potential criminal activity; and
(6) requirements to ensure that, subject to compliance with
statistical laws and other relevant data protection
requirements, the highest level security operations center of
each agency has visibility into all agency logs.
(c) Guidance.--Not later than 90 days after receiving the
recommendations submitted under subsection (a), the Director, in
consultation with the Director of the Cybersecurity and Infrastructure
Security Agency and the Attorney General, shall, as determined to be
appropriate by the Director, update guidance to agencies regarding
requirements for logging, log retention, log management, sharing of log
data with other appropriate agencies, or any other logging activity
determined to be appropriate by the Director.
SEC. 203. CISA AGENCY ADVISORS.
(a) In General.--Not later than 120 days after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency shall assign not less than 1
cybersecurity professional employed by the Cybersecurity and
Infrastructure Security Agency to be the Cybersecurity and
Infrastructure Security Agency advisor to the senior agency information
security officer of each agency.
(b) Qualifications.--Each advisor assigned under subsection (a)
shall have knowledge of--
(1) cybersecurity threats facing agencies, including any
specific threats to the assigned agency;
(2) performing risk assessments of agency systems; and
(3) other Federal cybersecurity initiatives.
(c) Duties.--The duties of each advisor assigned under subsection
(a) shall include--
(1) providing ongoing assistance and advice, as requested,
to the agency Chief Information Officer;
(2) serving as an incident response point of contact
between the assigned agency and the Cybersecurity and
Infrastructure Security Agency; and
(3) familiarizing themselves with agency systems,
processes, and procedures to better facilitate support to the
agency in responding to incidents.
(d) Limitation.--An advisor assigned under subsection (a) shall not
be a contractor.
(e) Multiple Assignments.--One individual advisor may be assigned
to multiple agency Chief Information Officers under subsection (a).
SEC. 204. FEDERAL PENETRATION TESTING POLICY.
(a) In General.--Subchapter II of chapter 35 of title 44, United
States Code, is amended by adding at the end the following:
``Sec. 3559A. Federal penetration testing
``(a) Definitions.--In this section:
``(1) Agency operational plan.--The term `agency
operational plan' means a plan of an agency for the use of
penetration testing.
``(2) Rules of engagement.--The term `rules of engagement'
means a set of rules established by an agency for the use of
penetration testing.
``(b) Guidance.--
``(1) In general.--The Director shall issue guidance that--
``(A) requires agencies to use, when and where
appropriate, penetration testing on agency systems; and
``(B) requires agencies to develop an agency
operational plan and rules of engagement that meet the
requirements under subsection (c).
``(2) Penetration testing guidance.--The guidance issued
under this section shall--
``(A) permit an agency to use, for the purpose of
performing penetration testing--
``(i) a shared service of the agency or
another agency; or
``(ii) an external entity, such as a
vendor; and
``(B) require agencies to provide the rules of
engagement and results of penetration testing to the
Director and the Director of the Cybersecurity and
Infrastructure Security Agency, without regard to the
status of the entity that performs the penetration
testing.
``(c) Agency Plans and Rules of Engagement.--The agency operational
plan and rules of engagement of an agency shall--
``(1) require the agency to--
``(A) perform penetration testing on the high value
assets of the agency; or
``(B) coordinate with the Director of the
Cybersecurity and Infrastructure Security Agency to
ensure that penetration testing is being performed;
``(2) establish guidelines for avoiding, as a result of
penetration testing--
``(A) adverse impacts to the operations of the
agency;
``(B) adverse impacts to operational environments
and systems of the agency; and
``(C) inappropriate access to data;
``(3) require the results of penetration testing to include
feedback to improve the cybersecurity of the agency; and
``(4) include mechanisms for providing consistently
formatted, and, if applicable, automated and machine-readable,
data to the Director and the Director of the Cybersecurity and
Infrastructure Security Agency.
``(d) Responsibilities of CISA.--The Director of the Cybersecurity
and Infrastructure Security Agency shall--
``(1) establish a process to assess the performance of
penetration testing by both Federal and non-Federal entities
that establishes minimum quality controls for penetration
testing;
``(2) develop operational guidance for instituting
penetration testing programs at agencies;
``(3) develop and maintain a centralized capability to
offer penetration testing as a service to Federal and non-
Federal entities; and
``(4) provide guidance to agencies on the best use of
penetration testing resources.
``(e) Responsibilities of OMB.--The Director, in coordination with
the Director of the Cybersecurity and Infrastructure Security Agency,
shall--
``(1) not less frequently than annually, inventory all
Federal penetration testing assets; and
``(2) develop and maintain a standardized process for the
use of penetration testing.
``(f) Prioritization of Penetration Testing Resources.--
``(1) In general.--The Director, in coordination with the
Director of the Cybersecurity and Infrastructure Security
Agency, shall develop a framework for prioritizing Federal
penetration testing resources among agencies.
``(2) Considerations.--In developing the framework under
this subsection, the Director shall consider--
``(A) agency system risk assessments performed
under section 3554(a)(1)(A);
``(B) the Federal risk assessment performed under
section 3553(i);
``(C) the analysis of Federal incident data
performed under section 3597; and
``(D) any other information determined appropriate
by the Director or the Director of the Cybersecurity
and Infrastructure Security Agency.
``(g) Exception for National Security Systems.--The guidance issued
under subsection (b) shall not apply to national security systems.
``(h) Delegation of Authority for Certain Systems.--The authorities
of the Director described in subsection (b) shall be delegated--
``(1) to the Secretary of Defense in the case of systems
described in section 3553(e)(2); and
``(2) to the Director of National Intelligence in the case
of systems described in 3553(e)(3).''.
(b) Deadline for Guidance.--Not later than 180 days after the date
of enactment of this Act, the Director shall issue the guidance
required under section 3559A(b) of title 44, United States Code, as
added by subsection (a).
(c) Clerical Amendment.--The table of sections for chapter 35 of
title 44, United States Code, is amended by adding after the item
relating to section 3559 the following:
``3559A. Federal penetration testing.''.
(d) Penetration Testing by the Secretary of Homeland Security.--
Section 3553(b) of title 44, United States Code, as amended by section
101, is further amended--
(1) in paragraph (8)(B), by striking ``and'' at the end;
(2) by redesignating paragraph (9) as paragraph (10); and
(3) by inserting after paragraph (8) the following:
``(9) performing penetration testing with or without
advance notice to, or authorization from, agencies, to identify
vulnerabilities within Federal information systems; and''.
SEC. 205. ONGOING THREAT HUNTING PROGRAM.
(a) Threat Hunting Program.--
(1) In general.--Not later than 540 days after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency shall establish a program to
provide ongoing, hypothesis-driven threat-hunting services on
the network of each agency.
(2) Plan.--Not later than 180 days after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency shall develop a plan to
establish the program required under paragraph (1) that
describes how the Director of the Cybersecurity and
Infrastructure Security Agency plans to--
(A) determine the method for collecting, storing,
accessing, and analyzing appropriate agency data;
(B) provide on-premises support to agencies;
(C) staff threat hunting services;
(D) allocate available human and financial
resources to implement the plan; and
(E) provide input to the heads of agencies on the
use of--
(i) more stringent standards under section
11331(c)(1) of title 40, United States Code;
and
(ii) additional cybersecurity procedures
under section 3554 of title 44, United States
Code.
(b) Reports.--The Director of the Cybersecurity and Infrastructure
Security Agency shall submit to the appropriate congressional
committees--
(1) not later than 30 days after the date on which the
Director of the Cybersecurity and Infrastructure Security
Agency completes the plan required under subsection (a)(2), a
report on the plan to provide threat hunting services to
agencies;
(2) not less than 30 days before the date on which the
Director of the Cybersecurity and Infrastructure Security
Agency begins providing threat hunting services under the
program under subsection (a)(1), a report providing any updates
to the plan developed under subsection (a)(2); and
(3) not later than 1 year after the date on which the
Director of the Cybersecurity and Infrastructure Security
Agency begins providing threat hunting services to agencies
other than the Cybersecurity and Infrastructure Security
Agency, a report describing lessons learned from providing
those services.
SEC. 206. CODIFYING VULNERABILITY DISCLOSURE PROGRAMS.
(a) In General.--Chapter 35 of title 44, United States Code, is
amended by inserting after section 3559A, as added by section 204 of
this Act, the following:
``Sec. 3559B. Federal vulnerability disclosure programs
``(a) Definitions.--In this section:
``(1) Report.--The term `report' means a vulnerability
disclosure made to an agency by a reporter.
``(2) Reporter.--The term `reporter' means an individual
that submits a vulnerability report pursuant to the
vulnerability disclosure process of an agency.
``(b) Responsibilities of OMB.--
``(1) Limitation on legal action.--The Director, in
consultation with the Attorney General, shall issue guidance to
agencies to not recommend or pursue legal action against a
reporter or an individual that conducts a security research
activity that the head of the agency determines--
``(A) represents a good faith effort to follow the
vulnerability disclosure policy of the agency developed
under subsection (d)(2); and
``(B) is authorized under the vulnerability
disclosure policy of the agency developed under
subsection (d)(2).
``(2) Sharing information with cisa.--The Director, in
coordination with the Director of the Cybersecurity and
Infrastructure Security Agency and the National Cyber Director,
shall issue guidance to agencies on sharing relevant
information in a consistent, automated, and machine readable
manner with the Cybersecurity and Infrastructure Security
Agency, including--
``(A) any valid or credible reports of newly
discovered or not publicly known vulnerabilities
(including misconfigurations) on Federal information
systems that use commercial software or services;
``(B) information relating to vulnerability
disclosure, coordination, or remediation activities of
an agency, particularly as those activities relate to
outside organizations--
``(i) with which the head of the agency
believes the Director of the Cybersecurity and
Infrastructure Security Agency can assist; or
``(ii) about which the head of the agency
believes the Director of the Cybersecurity and
Infrastructure Security Agency should know; and
``(C) any other information with respect to which
the head of the agency determines helpful or necessary
to involve the Cybersecurity and Infrastructure
Security Agency.
``(3) Agency vulnerability disclosure policies.--The
Director shall issue guidance to agencies on the required
minimum scope of agency systems covered by the vulnerability
disclosure policy of an agency required under subsection
(d)(2).
``(c) Responsibilities of CISA.--The Director of the Cybersecurity
and Infrastructure Security Agency shall--
``(1) provide support to agencies with respect to the
implementation of the requirements of this section;
``(2) develop tools, processes, and other mechanisms
determined appropriate to offer agencies capabilities to
implement the requirements of this section; and
``(3) upon a request by an agency, assist the agency in the
disclosure to vendors of newly identified vulnerabilities in
vendor products and services.
``(d) Responsibilities of Agencies.--
``(1) Public information.--The head of each agency shall
make publicly available, with respect to each internet domain
under the control of the agency that is not a national security
system--
``(A) an appropriate security contact; and
``(B) the component of the agency that is
responsible for the internet accessible services
offered at the domain.
``(2) Vulnerability disclosure policy.--The head of each
agency shall develop and make publicly available a
vulnerability disclosure policy for the agency, which shall--
``(A) describe--
``(i) the scope of the systems of the
agency included in the vulnerability disclosure
policy;
``(ii) the type of information system
testing that is authorized by the agency;
``(iii) the type of information system
testing that is not authorized by the agency;
and
``(iv) the disclosure policy of the agency
for sensitive information;
``(B) with respect to a report to an agency,
describe--
``(i) how the reporter should submit the
report; and
``(ii) if the report is not anonymous, when
the reporter should anticipate an
acknowledgment of receipt of the report by the
agency;
``(C) include any other relevant information; and
``(D) be mature in scope, to cover all Federal
information systems used or operated by that agency or
on behalf of that agency.
``(3) Identified vulnerabilities.--The head of each agency
shall incorporate any vulnerabilities reported under paragraph
(2) into the vulnerability management process of the agency in
order to track and remediate the vulnerability.
``(e) Paperwork Reduction Act Exemption.--The requirements of
subchapter I (commonly known as the `Paperwork Reduction Act') shall
not apply to a vulnerability disclosure program established under this
section.
``(f) Congressional Reporting.--Not later than 90 days after the
date of enactment of the Federal Information Security Modernization Act
of 2021, and annually thereafter for a 3-year period, the Director
shall provide to the Committee on Homeland Security and Governmental
Affairs of the Senate and the Committee on Oversight and Reform of the
House of Representatives a briefing on the status of the use of
vulnerability disclosure policies under this section at agencies,
including, with respect to the guidance issued under subsection (b)(3),
an identification of the agencies that are compliant and not compliant.
``(g) Exemptions.--The authorities and functions of the Director
and Director of the Cybersecurity and Infrastructure Security Agency
under this section shall not apply to national security systems.
``(h) Delegation of Authority for Certain Systems.--The authorities
of the Director and the Director of the Cybersecurity and
Infrastructure Security Agency described in this section shall be
delegated--
``(1) to the Secretary of Defense in the case of systems
described in section 3553(e)(2); and
``(2) to the Director of National Intelligence in the case
of systems described in section 3553(e)(3).''.
(b) Clerical Amendment.--The table of sections for chapter 35 of
title 44, United States Code, is amended by adding after the item
relating to section 3559A, as added by section 204, the following:
``3559B. Federal vulnerability disclosure programs.''.
SEC. 207. IMPLEMENTING PRESUMPTION OF COMPROMISE AND LEAST PRIVILEGE
PRINCIPLES.
(a) Guidance.--Not later than 1 year after the date of enactment of
this Act, the Director shall provide an update to the appropriate
congressional committees on progress in increasing the internal
defenses of agency systems, including--
(1) shifting away from ``trusted networks'' to implement
security controls based on a presumption of compromise;
(2) implementing principles of least privilege in
administering information security programs;
(3) limiting the ability of entities that cause incidents
to move laterally through or between agency systems;
(4) identifying incidents quickly;
(5) isolating and removing unauthorized entities from
agency systems quickly;
(6) otherwise increasing the resource costs for entities
that cause incidents to be successful; and
(7) a summary of the agency progress reports required under
subsection (b).
(b) Agency Progress Reports.--Not later than 1 year after the date
of enactment of this Act, the head of each agency shall submit to the
Director a progress report on implementing an information security
program based on the presumption of compromise and least privilege
principles, which shall include--
(1) a description of any steps the agency has completed,
including progress toward achieving requirements issued by the
Director;
(2) an identification of activities that have not yet been
completed and that would have the most immediate security
impact; and
(3) a schedule to implement any planned activities.
SEC. 208. AUTOMATION REPORTS.
(a) OMB Report.--Not later than 180 days after the date of
enactment of this Act, the Director shall submit to the appropriate
congressional committees a report on the use of automation under
paragraphs (1), (5)(C) and (8)(B) of section 3554(b) of title 44,
United States Code.
(b) GAO Report.--Not later than 1 year after the date of enactment
of this Act, the Comptroller General of the United States shall perform
a study on the use of automation and machine readable data across the
Federal Government for cybersecurity purposes, including the automated
updating of cybersecurity tools, sensors, or processes by agencies.
SEC. 209. EXTENSION OF FEDERAL ACQUISITION SECURITY COUNCIL.
Section 1328 of title 41, United States Code, is amended by
striking ``the date that'' and all that follows and inserting
``December 31, 2026.''.
SEC. 210. COUNCIL OF THE INSPECTORS GENERAL ON INTEGRITY AND EFFICIENCY
DASHBOARD.
(a) Dashboard Required.--Section 11(e)(2) of the Inspector General
Act of 1978 (5 U.S.C. App.) is amended--
(1) in subparagraph (A), by striking ``and'' at the end;
(2) by redesignating subparagraph (B) as subparagraph (C);
and
(3) by inserting after subparagraph (A) the following:
``(B) that shall include a dashboard of open
information security recommendations identified in the
independent evaluations required by section 3555(a) of
title 44, United States Code; and''.
TITLE III--RISK-BASED BUDGET MODEL
SEC. 301. DEFINITIONS.
In this title:
(1) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Committee on Homeland Security and
Governmental Affairs and the Committee on
Appropriations of the Senate; and
(B) the Committee on Homeland Security and the
Committee on Appropriations of the House of
Representatives.
(2) Covered agency.--The term ``covered agency'' has the
meaning given the term ``executive agency'' in section 133 of
title 41, United States Code.
(3) Director.--The term ``Director'' means the Director of
the Office of Management and Budget.
(4) Information technology.--The term ``information
technology''--
(A) has the meaning given the term in section 11101
of title 40, United States Code; and
(B) includes the hardware and software systems of a
Federal agency that monitor and control physical
equipment and processes of the Federal agency.
(5) Risk-based budget.--The term ``risk-based budget''
means a budget--
(A) developed by identifying and prioritizing
cybersecurity risks and vulnerabilities, including
impact on agency operations in the case of a cyber
attack, through analysis of threat intelligence,
incident data, and tactics, techniques, procedures, and
capabilities of cyber threats; and
(B) that allocates resources based on the risks
identified and prioritized under subparagraph (A).
SEC. 302. ESTABLISHMENT OF RISK-BASED BUDGET MODEL.
(a) In General.--
(1) Model.--Not later than 1 year after the first
publication of the budget submitted by the President under
section 1105 of title 31, United States Code, following the
date of enactment of this Act, the Director, in consultation
with the Director of the Cybersecurity and Infrastructure
Security Agency and the National Cyber Director and in
coordination with the Director of the National Institute of
Standards and Technology, shall develop a standard model for
creating a risk-based budget for cybersecurity spending.
(2) Responsibility of director.--Section 3553(a) of title
44, United States Code, as amended by section 101, is further
amended by inserting after paragraph (6) the following:
``(7) developing a standard risk-based budget model to
inform Federal agency cybersecurity budget development; and''.
(3) Contents of model.--The model required to be developed
under paragraph (1) shall--
(A) consider Federal and non-Federal cyber threat
intelligence products, where available, to identify
threats, vulnerabilities, and risks;
(B) consider the impact of agency operations of
compromise of systems, including the interconnectivity
to other agency systems and the operations of other
agencies;
(C) indicate where resources should be allocated to
have the greatest impact on mitigating current and
future threats and current and future cybersecurity
capabilities;
(D) be used to inform acquisition and sustainment
of--
(i) information technology and
cybersecurity tools;
(ii) information technology and
cybersecurity architectures;
(iii) information technology and
cybersecurity personnel; and
(iv) cybersecurity and information
technology concepts of operations; and
(E) be used to evaluate and inform Government-wide
cybersecurity programs of the Department of Homeland
Security.
(4) Required updates.--Not less frequently than once every
3 years, the Director shall review, and update as necessary,
the model required to be developed under this subsection.
(5) Publication.--The Director shall publish the model
required to be developed under this subsection, and any updates
necessary under paragraph (4), on the public website of the
Office of Management and Budget.
(6) Reports.--Not later than 1 year after the date of
enactment of this Act, and annually thereafter for each of the
2 following fiscal years or until the date on which the model
required to be developed under this subsection is completed,
whichever is sooner, the Director shall submit a report to
Congress on the development of the model.
(b) Required Use of Risk-based Budget Model.--
(1) In general.--Not later than 2 years after the date on
which the model developed under subsection (a) is published,
the head of each covered agency shall use the model to develop
the annual cybersecurity and information technology budget
requests of the agency.
(2) Agency performance plans.--Section 3554(d)(2) of title
44, United States Code, is amended by inserting ``and the risk-
based budget model required under section 3553(a)(7)'' after
``paragraph (1)''.
(c) Verification.--
(1) In general.--Section 1105(a)(35)(A)(i) of title 31,
United States Code, is amended--
(A) in the matter preceding subclause (I), by
striking ``by agency, and by initiative area (as
determined by the administration)'' and inserting ``and
by agency'';
(B) in subclause (III), by striking ``and'' at the
end; and
(C) by adding at the end the following:
``(V) a validation that the budgets
submitted were developed using a risk-
based methodology; and
``(VI) a report on the progress of
each agency on closing recommendations
identified under the independent
evaluation required by section
3555(a)(1) of title 44.''.
(2) Effective date.--The amendments made by paragraph (1)
shall take effect on the date that is 2 years after the date on
which the model developed under subsection (a) is published.
(d) Reports.--
(1) Independent evaluation.--Section 3555(a)(2) of title
44, United States Code, is amended--
(A) in subparagraph (B), by striking ``and'' at the
end;
(B) in subparagraph (C), by striking the period at
the end and inserting ``; and''; and
(C) by adding at the end the following:
``(D) an assessment of how the agency implemented
the risk-based budget model required under section
3553(a)(7) and an evaluation of whether the model
mitigates agency cyber vulnerabilities.''.
(2) Assessment.--Section 3553(c) of title 44, United States
Code, as amended by section 101, is further amended by
inserting after paragraph (5) the following:
``(6) an assessment of--
``(A) Federal agency implementation of the model
required under subsection (a)(7);
``(B) how cyber vulnerabilities of Federal agencies
changed from the previous year; and
``(C) whether the model mitigates the cyber
vulnerabilities of the Federal Government.''.
(e) GAO Report.--Not later than 3 years after the date on which the
first budget of the President is submitted to Congress containing the
validation required under section 1105(a)(35)(A)(i)(V) of title 31,
United States Code, as amended by subsection (c), the Comptroller
General of the United States shall submit to the appropriate
congressional committees a report that includes--
(1) an evaluation of the success of covered agencies in
developing risk-based budgets;
(2) an evaluation of the success of covered agencies in
implementing risk-based budgets;
(3) an evaluation of whether the risk-based budgets
developed by covered agencies mitigate cyber vulnerability,
including the extent to which the risk-based budgets inform
Federal Government-wide cybersecurity programs; and
(4) any other information relating to risk-based budgets
the Comptroller General determines appropriate.
TITLE IV--PILOT PROGRAMS TO ENHANCE FEDERAL CYBERSECURITY
SEC. 401. ACTIVE CYBER DEFENSIVE STUDY.
(a) Definition.--In this section, the term ``active defense
technique''--
(1) means an action taken on the systems of an entity to
increase the security of information on the network of an
agency by misleading an adversary; and
(2) includes a honeypot, deception, or purposefully feeding
false or misleading data to an adversary when the adversary is
on the systems of the entity.
(b) Study.--Not later than 180 days after the date of enactment of
this Act, the Director of the Cybersecurity and Infrastructure Security
Agency, in coordination with the Director, shall perform a study on the
use of active defense techniques to enhance the security of agencies,
which shall include--
(1) a review of legal restrictions on the use of different
active cyber defense techniques in Federal environments, in
consultation with the Department of Justice;
(2) an evaluation of--
(A) the efficacy of a selection of active defense
techniques determined by the Director of the
Cybersecurity and Infrastructure Security Agency; and
(B) factors that impact the efficacy of the active
defense techniques evaluated under subparagraph (A);
(3) recommendations on safeguards and procedures that shall
be established to require that active defense techniques are
adequately coordinated to ensure that active defense techniques
do not impede threat response efforts, criminal investigations,
and national security activities, including intelligence
collection; and
(4) the development of a framework for the use of different
active defense techniques by agencies.
SEC. 402. SECURITY OPERATIONS CENTER AS A SERVICE PILOT.
(a) Purpose.--The purpose of this section is for the Cybersecurity
and Infrastructure Security Agency to run a security operation center
on behalf of another agency, alleviating the need to duplicate this
function at every agency, and empowering a greater centralized
cybersecurity capability.
(b) Plan.--Not later than 1 year after the date of enactment of
this Act, the Director of the Cybersecurity and Infrastructure Security
Agency shall develop a plan to establish a centralized Federal security
operations center shared service offering within the Cybersecurity and
Infrastructure Security Agency.
(c) Contents.--The plan required under subsection (b) shall include
considerations for--
(1) collecting, organizing, and analyzing agency
information system data in real time;
(2) staffing and resources; and
(3) appropriate interagency agreements, concepts of
operations, and governance plans.
(d) Pilot Program.--
(1) In general.--Not later than 180 days after the date on
which the plan required under subsection (b) is developed, the
Director of the Cybersecurity and Infrastructure Security
Agency, in consultation with the Director, shall enter into a
1-year agreement with not less than 2 agencies to offer a
security operations center as a shared service.
(2) Additional agreements.--After the date on which the
briefing required under subsection (e)(1) is provided, the
Director of the Cybersecurity and Infrastructure Security
Agency, in consultation with the Director, may enter into
additional 1-year agreements described in paragraph (1) with
agencies.
(e) Briefing and Report.--
(1) Briefing.--Not later than 260 days after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency shall provide to the Committee
on Homeland Security and Governmental Affairs of the Senate and
the Committee on Homeland Security and the Committee on
Oversight and Reform of the House of Representatives a briefing
on the parameters of any 1-year agreements entered into under
subsection (d)(1).
(2) Report.--Not later than 90 days after the date on which
the first 1-year agreement entered into under subsection (d)
expires, the Director of the Cybersecurity and Infrastructure
Security Agency shall submit to the Committee on Homeland
Security and Governmental Affairs of the Senate and the
Committee on Homeland Security and the Committee on Oversight
and Reform of the House of Representatives a report on--
(A) the agreement; and
(B) any additional agreements entered into with
agencies under subsection (d).