[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 3618 Introduced in Senate (IS)]
<DOC>
117th CONGRESS
2d Session
S. 3618
To amend the Federal Cybersecurity Enhancement Act of 2015 to require
Federal agencies to obtain exemptions from certain cybersecurity
requirements in order to avoid compliance with those requirements, and
for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
February 9, 2022
Mr. Wyden introduced the following bill; which was read twice and
referred to the Committee on Homeland Security and Governmental Affairs
_______________________________________________________________________
A BILL
To amend the Federal Cybersecurity Enhancement Act of 2015 to require
Federal agencies to obtain exemptions from certain cybersecurity
requirements in order to avoid compliance with those requirements, and
for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Federal Cybersecurity Oversight Act
of 2022''.
SEC. 2. FEDERAL CYBERSECURITY REQUIREMENTS.
(a) Exemption From Federal Requirements.--Section 225(b)(2) of the
Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1523(b)(2)) is
amended to read as follows:
``(2) Exception.--
``(A) In general.--A particular requirement under
paragraph (1) shall not apply to an agency information
system of an agency if--
``(i) with respect to the agency
information system, the head of the agency
submits to the Director an application for an
exemption from the particular requirement, in
which the head of the agency personally
certifies to the Director with particularity
that--
``(I) operational requirements
articulated in the certification and
related to the agency information
system would make it excessively
burdensome to implement the particular
requirement;
``(II) the particular requirement
is not necessary to secure the agency
information system or agency
information stored on or transiting the
agency information system; and
``(III) the agency has taken all
necessary steps to secure the agency
information system and agency
information stored on or transiting the
agency information system;
``(ii) the head of the agency or the
designee of the head of the agency has
submitted the certification described in clause
(i) to the appropriate congressional committees
and any other congressional committee with
jurisdiction over the agency; and
``(iii) the Director grants the exemption
from the particular requirement.
``(B) Duration of exemption.--
``(i) In general.--An exemption granted
under subparagraph (A) shall expire on the date
that is 1 year after the date on which the
Director granted the exemption.
``(ii) Renewal.--Upon the expiration of an
exemption granted to an agency under
subparagraph (A), the head of the agency may
apply for an additional exemption.''.
(b) Report on Exemptions.--Section 3554(c)(1)(A) of title 44,
United States Code, is amended--
(1) in clause (iii), by striking ``and'' at the end;
(2) by redesignating clause (iv) as clause (v); and
(3) by inserting after clause (iii) the following:
``(iv) with respect to any exemption the
Director of the Office of Management and Budget
has granted the agency under section 225(b)(2)
of the Federal Cybersecurity Enhancement Act of
2015 (6 U.S.C. 1523(b)(2)) that is effective on
the date of submission of the report--
``(I) an identification of each
particular requirement from which any
agency information system (as defined
in section 2210 of the Homeland
Security Act of 2002 (6 U.S.C. 660)) is
exempted; and
``(II) for each requirement
identified under subclause (I)--
``(aa) an identification of
the agency information system
described in subclause (I)
exempted from the requirement;
and
``(bb) an estimate of the
date on which the agency will
to be able to comply with the
requirement; and''.
(c) Effective Date.--This Act and the amendments made by this Act
shall take effect on the date that is 1 year after the date of
enactment of this Act.
<all>