<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="billres.xsl"?>
<!DOCTYPE bill PUBLIC "-//US Congress//DTDs/bill.dtd//EN" "bill.dtd">
<bill bill-stage="Placed-on-Calendar-Senate" dms-id="A1" public-private="public" slc-id="S1-DUN22124-8WH-0S-3H0"><metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
<dublinCore>
<dc:title>107 S3600 PCS: Strengthening American Cybersecurity Act of 2022</dc:title>
<dc:publisher>U.S. Senate</dc:publisher>
<dc:date>2022-02-08</dc:date>
<dc:format>text/xml</dc:format>
<dc:language>EN</dc:language>
<dc:rights>Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.</dc:rights>
</dublinCore>
</metadata>
<form>
<distribution-code display="yes">II</distribution-code><calendar>Calendar No. 265</calendar><congress>117th CONGRESS</congress><session>2d Session</session><legis-num>S. 3600</legis-num><current-chamber>IN THE SENATE OF THE UNITED STATES</current-chamber><action><action-date date="20220208" legis-day="20220203">February 8 (legislative day, February 3), 2022</action-date><action-desc><sponsor name-id="S380">Mr. Peters</sponsor> (for himself and <cosponsor name-id="S349">Mr. Portman</cosponsor>) introduced the following bill; which was read the first time</action-desc></action><action><action-date>February 9, 2022</action-date><action-desc>Read the second time and placed on the calendar</action-desc></action><legis-type>A BILL</legis-type><official-title>To improve the cybersecurity of the Federal Government, and for other purposes.</official-title></form><legis-body><section id="S1" section-type="section-one"><enum>1.</enum><header>Short title</header><text display-inline="no-display-inline">This Act may be cited as the <quote><short-title>Strengthening American Cybersecurity Act of 2022</short-title></quote>.</text></section><section id="id91EF2E20732A4B2BB913229484F1C8EB"><enum>2.</enum><header>Table of contents</header><text display-inline="no-display-inline">The table of contents for this Act is as follows:</text><toc><toc-entry level="section" idref="S1">Sec. 1. Short title.</toc-entry><toc-entry level="section" idref="id91EF2E20732A4B2BB913229484F1C8EB">Sec. 2. Table of contents.</toc-entry><toc-entry level="title" idref="idA96940575CD54AAF89BC74A13E109FA0">TITLE I—Federal Information Security Modernization Act of 2022</toc-entry><toc-entry level="section" idref="id17069F937C7A4690A9DDC60BAD07F9AF">Sec. 101. Short title.</toc-entry><toc-entry level="section" idref="id710e9d81-8ef9-4d46-91ee-b774ebc67fd9">Sec. 102. Definitions.</toc-entry><toc-entry level="section" idref="ideff19cb6-49ee-47f2-bdd8-88c90da12203">Sec. 103. 
Title 44 amendments.</toc-entry><toc-entry level="section" idref="id776995ad-0aee-4a02-a889-dc45a0ca9f00">Sec. 104. Amendments to subtitle III of title 40.</toc-entry><toc-entry level="section" idref="id8ccc627da4bd46e0bdd48489ba7c6485">Sec. 105. Actions to enhance Federal incident transparency.</toc-entry><toc-entry level="section" idref="id25f160a4-98e9-4e5e-b26f-20f2dd97cd4e">Sec. 106. Additional guidance to agencies on FISMA updates.</toc-entry><toc-entry level="section" idref="id87c2d95a-b307-45ec-81dd-09e23e4addc4">Sec. 107. Agency requirements to notify private sector entities impacted by incidents.</toc-entry><toc-entry level="section" idref="idcb1f5c81-6041-46c1-ac5e-f9028ab69e49">Sec. 108. Mobile security standards.</toc-entry><toc-entry level="section" idref="idd5aff240-4ee2-4011-938d-981543512249">Sec. 109. Data and logging retention for incident response.</toc-entry><toc-entry level="section" idref="id57f53189-fc83-42bb-aa2d-60a0dd4a8764">Sec. 110. CISA agency advisors.</toc-entry><toc-entry level="section" idref="idcb1d5c8b-d16c-44b2-b56b-ebdf3af17e8f">Sec. 111. Federal penetration testing policy.</toc-entry><toc-entry level="section" idref="id8ac0efe9-c6c6-4290-b836-3e48c6b22cc4">Sec. 112. Ongoing threat hunting program.</toc-entry><toc-entry level="section" idref="idb10abbdc-108c-4af0-bc7c-43b1df5a7e70">Sec. 113. Codifying vulnerability disclosure programs.</toc-entry><toc-entry level="section" idref="ide5684d3fad7e4f56b75dba6cd0e97ffb">Sec. 114. Implementing zero trust architecture.</toc-entry><toc-entry level="section" idref="id8b0e41d840ae4395902d3df5effa3f05">Sec. 115. Automation reports.</toc-entry><toc-entry level="section" idref="id2f40a37b9a9146bf8ee9dac10c3b5fd9">Sec. 116. Extension of Federal acquisition security council and software inventory.</toc-entry><toc-entry level="section" idref="ida81471996a584d75940dabe4f8de9e29">Sec. 117. 
Council of the Inspectors General on Integrity and Efficiency dashboard.</toc-entry><toc-entry level="section" idref="id7868B49EA31349B9A1F18F5AB6EF05B9">Sec. 118. Quantitative cybersecurity metrics.</toc-entry><toc-entry level="section" idref="id61d6ec96e759421ca9949058bbc78dd6">Sec. 119. Establishment of risk-based budget model.</toc-entry><toc-entry level="section" idref="idb880f204-10e6-4aff-8b89-7b9643bdf14d">Sec. 120. Active cyber defensive study.</toc-entry><toc-entry level="section" idref="ide28bd9bd-b880-470a-9369-73f95be82806">Sec. 121. Security operations center as a service pilot.</toc-entry><toc-entry level="section" idref="id0ac9925077314a6e85a9af2e78b982a4">Sec. 122. Extension of Chief Data Officer Council.</toc-entry><toc-entry level="title" idref="id1E3C7124ACBA4C4986D04F51AD1E8045">TITLE II—Cyber Incident Reporting for Critical Infrastructure Act of 2022</toc-entry><toc-entry level="section" idref="id14F9385D6BF546C683E9DF40CBE105C2">Sec. 201. Short title.</toc-entry><toc-entry level="section" idref="H188C04E490024D02B64747F90DFBB4B1">Sec. 202. Definitions.</toc-entry><toc-entry level="section" idref="H726F16E30F05452193600342786445B4">Sec. 203. Cyber incident reporting.</toc-entry><toc-entry level="section" idref="HBBE60C855F0540D68B4714F8A4E501A2">Sec. 204. Federal sharing of incident reports.</toc-entry><toc-entry level="section" idref="HA027BFA5A1B44BBEBAFC8AD700734BEA">Sec. 205. Ransomware vulnerability warning pilot program.</toc-entry><toc-entry level="section" idref="H0C4BABA4C23F42F2813ECFEF960D1EFC">Sec. 206. Ransomware threat mitigation activities.</toc-entry><toc-entry level="section" idref="H2C1034222BC149D0AE32FF1112F5ED85">Sec. 207. Congressional reporting.</toc-entry><toc-entry level="title" idref="idD8CDA4B3F01E4048A6BD556C00DBB0CC">TITLE III—Federal Secure Cloud Improvement and Jobs Act of 2022</toc-entry><toc-entry level="section" idref="id02F56E63AE60415E833D85A290E9CF52">Sec. 301. 
Short title.</toc-entry><toc-entry level="section" idref="idb01b5b3c-cd94-40a7-92fb-3e6f8ae04bed">Sec. 302. Findings.</toc-entry><toc-entry level="section" idref="idb2493f5d-eef4-497f-a4c4-fa9b2b708326">Sec. 303. Title 44 amendments.</toc-entry></toc></section><title id="idA96940575CD54AAF89BC74A13E109FA0" style="OLC"><enum>I</enum><header>Federal Information Security Modernization Act of 2022</header><section id="id17069F937C7A4690A9DDC60BAD07F9AF" changed="not-changed" commented="no" display-inline="no-display-inline" section-type="subsequent-section"><enum>101.</enum><header display-inline="yes-display-inline">Short title</header><text display-inline="no-display-inline">This title may be cited as the <quote><short-title>Federal Information Security Modernization Act of 2022</short-title></quote>. </text></section><section id="id710e9d81-8ef9-4d46-91ee-b774ebc67fd9" changed="not-changed"><enum>102.</enum><header>Definitions</header><text display-inline="no-display-inline">In this title, unless otherwise specified:</text><paragraph id="id16ba3ca9-3f0e-4455-b1c6-e234f0d1175b" changed="not-changed"><enum>(1)</enum><header>Additional cybersecurity procedure</header><text>The term <term>additional cybersecurity procedure</term> has the meaning given the term in section 3552(b) of title 44, United States Code, as amended by this title.</text></paragraph><paragraph id="id87eef4b8-666e-47cc-b991-2d16eab04f66" changed="not-changed"><enum>(2)</enum><header>Agency</header><text>The term <term>agency</term> has the meaning given the term in section 3502 of title 44, United States Code.</text></paragraph><paragraph id="id38d4421a-5ec3-4a44-9ee5-6dcafa2da734" changed="not-changed"><enum>(3)</enum><header>Appropriate congressional committees</header><text display-inline="yes-display-inline">The term <term>appropriate congressional committees</term> means—</text><subparagraph id="idcb3a498c-96aa-42b5-970e-329457782fad" changed="not-changed"><enum>(A)</enum><text 
display-inline="yes-display-inline">the <committee-name committee-id="SSGA00">Committee on Homeland Security and Governmental Affairs of the Senate</committee-name>;</text></subparagraph><subparagraph id="id0deb68d6-0c21-405f-a4c9-13034b08a056" changed="not-changed"><enum>(B)</enum><text>the <committee-name committee-id="">Committee on Oversight and Reform of the House of Representatives</committee-name>; and</text></subparagraph><subparagraph id="id5b351855-9115-45cf-b174-b454d2f526b3" changed="not-changed"><enum>(C)</enum><text>the <committee-name committee-id="">Committee on Homeland Security of the House of Representatives.</committee-name></text></subparagraph></paragraph><paragraph id="id9531ddcd-cca7-44cb-8bc6-67b6544a5a9b" changed="not-changed"><enum>(4)</enum><header>Director</header><text>The term <term>Director</term> means the Director of the Office of Management and Budget.</text></paragraph><paragraph id="id1900abcc-46d7-45ab-a640-410c1ff8f904" changed="not-changed"><enum>(5)</enum><header>Incident</header><text>The term <term>incident</term> has the meaning given the term in section 3552(b) of title 44, United States Code.</text></paragraph><paragraph id="idc851705fbcd14888a5eb251eeba306dd" changed="not-changed"><enum>(6)</enum><header>National security system</header><text>The term <term>national security system</term> has the meaning given the term in section 3552(b) of title 44, United States Code. 
</text></paragraph><paragraph id="idf5e438d8-9640-420b-b87e-f7cdf9384357" changed="not-changed"><enum>(7)</enum><header>Penetration test</header><text>The term <term>penetration test</term> has the meaning given the term in section 3552(b) of title 44, United States Code, as amended by this title.</text></paragraph><paragraph id="ideacda231-60ac-4bb2-b9eb-9963a104ecbf" changed="not-changed"><enum>(8)</enum><header>Threat hunting</header><text>The term <term>threat hunting</term> means proactively and iteratively searching systems for threats that evade detection by automated threat detection systems.</text></paragraph></section><section id="ideff19cb6-49ee-47f2-bdd8-88c90da12203" changed="not-changed"><enum>103.</enum><header>Title 44 amendments</header><subsection id="idee08cc1a-2405-4186-877c-8b623dd159a6" changed="not-changed"><enum>(a)</enum><header>Subchapter I amendments</header><text display-inline="yes-display-inline">Subchapter I of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code, is amended—</text><paragraph id="idbb942b39-bea9-46ed-a7a0-1c05e661f198" changed="not-changed"><enum>(1)</enum><text>in section 3504—</text><subparagraph id="id941144cf01d5490b9acde529b9afede3" changed="not-changed"><enum>(A)</enum><text>in subsection (a)(1)(B)—</text><clause id="id96E0F96D76274242AA2A033F48DCBBFA" changed="not-changed"><enum>(i)</enum><text>by striking clause (v) and inserting the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id5F132B7059DE458EB5FE4094E9C2C3C1" changed="not-changed"><clause id="id0441E298BC9F4550B88415A8FD86B295" indent="up1" changed="not-changed"><enum>(v)</enum><text>confidentiality, privacy, disclosure, and sharing of information;</text></clause><after-quoted-block>;</after-quoted-block></quoted-block></clause><clause id="id29fd9906057b4060a69be12e3c7c63f4" changed="not-changed"><enum>(ii)</enum><text>by redesignating clause 
(vi) as clause (vii); and</text></clause><clause id="id1a8de0b428d148a693d24fb51614047f" changed="not-changed"><enum>(iii)</enum><text>by inserting after clause (v) the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id3d62f96123894b8ca568f46757d4c7da" changed="not-changed"><clause id="ide85a255fea4744dcb7b9ace2971827fd" indent="up1" changed="not-changed"><enum>(vi)</enum><text>in consultation with the National Cyber Director, security of information; and</text></clause><after-quoted-block>; and</after-quoted-block></quoted-block></clause></subparagraph><subparagraph id="ide0a87a96096c462d90e7ea21b47e9315" changed="not-changed"><enum>(B)</enum><text>in subsection (g), by striking paragraph (1) and inserting the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id98c72362c5f04c1fae22861b229fee2a" changed="not-changed"><paragraph id="id39b364faa5524a57acca5a23c3294b18"><enum>(1)</enum><text>develop and oversee the implementation of policies, principles, standards, and guidelines on privacy, confidentiality, disclosure, and sharing, and in consultation with the National Cyber Director, oversee the implementation of policies, principles, standards, and guidelines on security, of information collected or maintained by or for agencies; and</text></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph></paragraph><paragraph id="id71552599-d869-482b-aa6c-877be713add8" changed="not-changed"><enum>(2)</enum><text>in section 3505—</text><subparagraph changed="not-changed" id="idD2EECDEEA66047978ACB76BBA5BD4A4A"><enum>(A)</enum><text>by striking the first subsection designated as subsection (c);</text></subparagraph><subparagraph id="id331c6c12bbbf478bac439c25db86a0e6"><enum>(B)</enum><text>in paragraph (2) of the second subsection designated as subsection (c), by inserting <quote>an identification of internet accessible information systems and</quote> after <quote>an inventory under 
this subsection shall include</quote>; </text></subparagraph><subparagraph id="ide540a6ed-33ee-43e9-8a3f-dfcb83138887" changed="not-changed"><enum>(C)</enum><text>in paragraph (3) of the second subsection designated as subsection (c)—</text><clause id="id172b67f3-a57e-4331-a877-58fb9188fdcf" changed="not-changed"><enum>(i)</enum><text>in subparagraph (B)—</text><subclause id="id0b26b92e69f64566af6605a938ee7b3b" changed="not-changed"><enum>(I)</enum><text>by inserting <quote>the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, and</quote> before <quote>the Comptroller General</quote>; and </text></subclause><subclause id="id354a7bb4-b475-4a49-9238-cb95303ce4f8" changed="not-changed"><enum>(II)</enum><text>by striking <quote>and</quote> at the end;</text></subclause></clause><clause id="idf16942ea-0a9f-4e4f-b761-d8f1d0786c7e" changed="not-changed"><enum>(ii)</enum><text>in subparagraph (C)(v), by striking the period at the end and inserting <quote>; and</quote>; and</text></clause><clause id="id1114d1d0-db24-4f35-ab1f-51effaa0a12d" changed="not-changed"><enum>(iii)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="ide91d8496-77f1-4651-b17b-4f6543c1462c" changed="not-changed"><subparagraph id="idd942a3ed-5f66-4081-b89f-bc35e0bf7d14" indent="up1" changed="not-changed"><enum>(D)</enum><text>maintained on a continual basis through the use of automation, machine-readable data, and scanning, wherever practicable.</text></subparagraph><after-quoted-block>;</after-quoted-block></quoted-block></clause></subparagraph></paragraph><paragraph id="idda4cae17-cd14-4b97-892f-a99d4a415d9b" changed="not-changed"><enum>(3)</enum><text>in section 3506—</text><subparagraph id="id2d8f506cb4214095862e16fab5746f15"><enum>(A)</enum><text>in subsection (a)(3), by inserting <quote>In carrying out these duties, the Chief Information Officer shall coordinate, as appropriate, with 
the Chief Data Officer in accordance with the designated functions under section 3520(c).</quote> after <quote>reduction of information collection burdens on the public.</quote>;</text></subparagraph><subparagraph id="iddbe1a031-2fc0-4d66-b8e0-7537b8d4dfc6" changed="not-changed"><enum>(B)</enum><text>in subsection (b)(1)(C), by inserting <quote>, availability</quote> after <quote>integrity</quote>; and</text></subparagraph><subparagraph id="id08f3285b-c16c-451f-bba5-e31f02dd8422" changed="not-changed"><enum>(C)</enum><text>in subsection (h)(3), by inserting <quote>security,</quote> after <quote>efficiency,</quote>; and</text></subparagraph></paragraph><paragraph id="id4aeb4b7f-eea6-4b5e-a927-10321bc47543" changed="not-changed"><enum>(4)</enum><text>in section 3513—</text><subparagraph id="id6e943a1a-9f45-433d-a4ba-dd9345e7210a" changed="not-changed"><enum>(A)</enum><text>by redesignating subsection (c) as subsection (d); and</text></subparagraph><subparagraph id="id96f0099c-c1c4-4551-8492-b6defe18de13" changed="not-changed"><enum>(B)</enum><text>by inserting after subsection (b) the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id1680453f-c589-4863-9579-d013e52f61b4" changed="not-changed"><subsection id="id40f43d26-59cb-4dc2-8590-6901ceff6175" changed="not-changed"><enum>(c)</enum><text>Each agency providing a written plan under subsection (b) shall provide any portion of the written plan addressing information security to the Secretary of the Department of Homeland Security and the National Cyber Director. 
</text></subsection><after-quoted-block>.</after-quoted-block></quoted-block></subparagraph></paragraph></subsection><subsection id="idcc0c5a52-133a-4152-9dac-55824f5a6a3c" changed="not-changed"><enum>(b)</enum><header>Subchapter II definitions</header><paragraph id="ida93e3aa5-70cc-44fb-b82b-692e1955e1be" changed="not-changed"><enum>(1)</enum><header>In general</header><text>Section 3552(b) of title 44, United States Code, is amended—</text><subparagraph id="id6c852c9f-0dac-4d28-8597-4bc946daa6ef" changed="not-changed"><enum>(A)</enum><text>by redesignating paragraphs (1), (2), (3), (4), (5), (6), and (7) as paragraphs (2), (4), (5), (6), (7), (9), and (11), respectively;</text></subparagraph><subparagraph id="id5452da3b-0707-46dc-bebc-81c5b92cc0be" changed="not-changed"><enum>(B)</enum><text>by inserting before paragraph (2), as so redesignated, the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id6f352304-e767-4e62-be84-abfc717c4f26" changed="not-changed"><paragraph id="ide03103f8-176c-4c60-a4d1-d1e4095e374b" changed="not-changed"><enum>(1)</enum><text>The term <term>additional cybersecurity procedure</term> means a process, procedure, or other activity that is established in excess of the information security standards promulgated under section 11331(b) of title 40 to increase the security and reduce the cybersecurity risk of agency systems.</text></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph><subparagraph id="idb1b98feb-8444-4b7b-a67a-1eef42c31753" changed="not-changed"><enum>(C)</enum><text>by inserting after paragraph (2), as so redesignated, the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id18A5FBA698024746AB79B47FB18B74F0"><paragraph id="id5bc8f2821a974df6b746d39d40edd7e3"><enum>(3)</enum><text>The term <term>high value asset</term> means information or an information system that the head of an agency, using policies, principles, standards, or 
guidelines issued by the Director under section 3553(a), determines to be so critical to the agency that the loss or corruption of the information or the loss of access to the information system would have a serious impact on the ability of the agency to perform the mission of the agency or conduct business.</text></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph><subparagraph changed="not-changed" id="id03F9E7160705463980C7421E5C247336"><enum>(D)</enum><text>by inserting after paragraph (7), as so redesignated, the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id9C6C634FA949471182E3EAAE11E90D65"><paragraph id="id3c6aa09e-40c4-4a6a-9cb1-777ec27f1474" changed="not-changed"><enum>(8)</enum><text>The term <term>major incident</term> has the meaning given the term in guidance issued by the Director under section 3598(a).</text></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph><subparagraph id="id2e6d3e2a-fc05-470d-ae6a-cb5eb9a9bce9" changed="not-changed"><enum>(E)</enum><text>by inserting after paragraph (9), as so redesignated, the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id5804DF2499CF4B99B0D68EE792D8A56D"><paragraph id="ide07f521ee0d54833984891711093aa3a" commented="no"><enum>(10)</enum><text>The term <term>penetration test</term>—</text><subparagraph commented="no" id="id3C479526F10D4081A5BAC54854C98479"><enum>(A)</enum><text>means an authorized assessment that emulates attempts to gain unauthorized access to, or disrupt the operations of, an information system or component of an information system; and</text></subparagraph><subparagraph commented="no" id="id0BBB4EDBA57B42C39BDA2EB8EEB3C49F"><enum>(B)</enum><text>includes any additional meaning given the term in policies, principles, standards, or guidelines issued by the Director under section 3553(a).</text></subparagraph></paragraph><after-quoted-block>; 
and</after-quoted-block></quoted-block></subparagraph><subparagraph id="idca776728-9330-45c8-9dad-0ce8dce633b8" changed="not-changed"><enum>(F)</enum><text>by inserting after paragraph (11), as so redesignated, the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="idb34113c98c3e47eb805186e9ebd42d42" changed="not-changed"><paragraph id="id30ff5b7c7d6f49f0944b7db792859dc7" changed="not-changed"><enum>(12)</enum><text>The term <term>shared service</term> means a centralized business or mission capability that is provided to multiple organizations within an agency or to multiple agencies.</text></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></subparagraph></paragraph><paragraph id="id76bea976-3311-4812-af38-98ef1eb415fa" changed="not-changed"><enum>(2)</enum><header>Conforming amendments</header><subparagraph id="ide1bf5d4e-e74f-4a5c-8cc2-340f9a9d55b0" changed="not-changed"><enum>(A)</enum><header>Homeland Security Act of 2002</header><text>Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (<external-xref legal-doc="usc" parsable-cite="usc/6/511">6 U.S.C. 
511(1)(A)</external-xref>) is amended by striking <quote>section 3552(b)(5)</quote> and inserting <quote>section 3552(b)</quote>.</text></subparagraph><subparagraph id="id4f6f4f84-8ed8-4a9d-859e-1e812f054975" changed="not-changed"><enum>(B)</enum><header>Title 10</header><clause id="id6eefa65a-a9c1-4bf4-9676-8b4bc37e6883" changed="not-changed"><enum>(i)</enum><header>Section 2222</header><text>Section 2222(i)(8) of title 10, United States Code, is amended by striking <quote>section 3552(b)(6)(A)</quote> and inserting <quote>section 3552(b)(9)(A)</quote>.</text></clause><clause id="id2672ec8d-81df-4838-98cf-15080e6a7287" changed="not-changed"><enum>(ii)</enum><header>Section 2223</header><text>Section 2223(c)(3) of title 10, United States Code, is amended by striking <quote>section 3552(b)(6)</quote> and inserting <quote>section 3552(b)</quote>.</text></clause><clause id="id9203ab71-e8c5-4135-ad25-4e046f4bf6c7" changed="not-changed"><enum>(iii)</enum><header>Section 2315</header><text>Section 2315 of title 10, United States Code, is amended by striking <quote>section 3552(b)(6)</quote> and inserting <quote>section 3552(b)</quote>.</text></clause><clause id="id65ba8e2f-ede6-4968-9dee-a019f3db42cc" changed="not-changed"><enum>(iv)</enum><header>Section 2339a</header><text>Section 2339a(e)(5) of title 10, United States Code, is amended by striking <quote>section 3552(b)(6)</quote> and inserting <quote>section 3552(b)</quote>.</text></clause></subparagraph><subparagraph id="id4bc95475-9a9d-4d9a-8117-ee19a43c48e7" changed="not-changed"><enum>(C)</enum><header>High-Performance Computing Act of 1991</header><text>Section 207(a) of the High-Performance Computing Act of 1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5527">15 U.S.C. 
5527(a)</external-xref>) is amended by striking <quote>section 3552(b)(6)(A)(i)</quote> and inserting <quote>section 3552(b)(9)(A)(i)</quote>.</text></subparagraph><subparagraph commented="no" id="idc38e1b7b-d88c-49bd-a9e0-3c43298b7fbf" changed="not-changed"><enum>(D)</enum><header>Internet of Things Cybersecurity Improvement Act of 2020</header><text>Section 3(5) of the Internet of Things Cybersecurity Improvement Act of 2020 (<external-xref legal-doc="usc" parsable-cite="usc/15/278g-3a">15 U.S.C. 278g–3a</external-xref>) is amended by striking <quote>section 3552(b)(6)</quote> and inserting <quote>section 3552(b)</quote>.</text></subparagraph><subparagraph id="id3e336811-86fc-4632-ad24-19b37e7ba0e7" changed="not-changed"><enum>(E)</enum><header>National Defense Authorization Act for Fiscal Year 2013</header><text>Section 933(e)(1)(B) of the National Defense Authorization Act for Fiscal Year 2013 (<external-xref legal-doc="usc" parsable-cite="usc/10/2224">10 U.S.C. 2224</external-xref> note) is amended by striking <quote>section 3542(b)(2)</quote> and inserting <quote>section 3552(b)</quote>.</text></subparagraph><subparagraph id="idc569f1c5-f5ea-43b2-89ef-80f27185c517" changed="not-changed"><enum>(F)</enum><header>Ike Skelton National Defense Authorization Act for Fiscal Year 2011</header><text>The Ike Skelton National Defense Authorization Act for Fiscal Year 2011 (<external-xref legal-doc="public-law" parsable-cite="pl/111/383">Public Law 111–383</external-xref>) is amended—</text><clause id="id87397e95-7f71-4bce-8ce5-e82e3cfe3368" changed="not-changed"><enum>(i)</enum><text>in section 806(e)(5) (<external-xref legal-doc="usc" parsable-cite="usc/10/2304">10 U.S.C. 
2304</external-xref> note), by striking <quote>section 3542(b)</quote> and inserting <quote>section 3552(b)</quote>;</text></clause><clause id="id22cfe253-b2fa-4345-a460-3b0b51654b25" changed="not-changed"><enum>(ii)</enum><text>in section 931(b)(3) (<external-xref legal-doc="usc" parsable-cite="usc/10/2223">10 U.S.C. 2223</external-xref> note), by striking <quote>section 3542(b)(2)</quote> and inserting <quote>section 3552(b)</quote>; and</text></clause><clause id="idb59ebc61-2935-4361-be8c-6fbb5a8ffb09" changed="not-changed"><enum>(iii)</enum><text>in section 932(b)(2) (<external-xref legal-doc="usc" parsable-cite="usc/10/2224">10 U.S.C. 2224</external-xref> note), by striking <quote>section 3542(b)(2)</quote> and inserting <quote>section 3552(b)</quote>.</text></clause></subparagraph><subparagraph id="id494cbcf7-7a54-4247-a8fa-17058b79cfbe" changed="not-changed"><enum>(G)</enum><header>E-Government Act of 2002</header><text>Section 301(c)(1)(A) of the E-Government Act of 2002 (<external-xref legal-doc="usc" parsable-cite="usc/44/3501">44 U.S.C. 3501</external-xref> note) is amended by striking <quote>section 3542(b)(2)</quote> and inserting <quote>section 3552(b)</quote>.</text></subparagraph><subparagraph id="id7113da92-ab99-4b80-a365-cb1a2e41b76f" changed="not-changed"><enum>(H)</enum><header>National Institute of Standards and Technology Act</header><text>Section 20 of the National Institute of Standards and Technology Act (<external-xref legal-doc="usc" parsable-cite="usc/15/278g-3">15 U.S.C. 
278g–3</external-xref>) is amended—</text><clause id="id26c3535d-75cb-4981-8a66-16c8bb47861a" changed="not-changed"><enum>(i)</enum><text>in subsection (a)(2), by striking <quote>section 3552(b)(5)</quote> and inserting <quote>section 3552(b)</quote>; and</text></clause><clause id="id35a3b031-44f1-4d2e-b54c-f28ac9f70854" changed="not-changed"><enum>(ii)</enum><text>in subsection (f)—</text><subclause id="idc1190c9f-0687-4ce2-9752-17b9a3fb0e2b" changed="not-changed"><enum>(I)</enum><text>in paragraph (3), by striking <quote>section 3532(1)</quote> and inserting <quote>section 3552(b)</quote>; and</text></subclause><subclause id="idd9e83c3a-ffb0-4a78-8744-5d55795e2494" changed="not-changed"><enum>(II)</enum><text>in paragraph (5), by striking <quote>section 3532(b)(2)</quote> and inserting <quote>section 3552(b)</quote>.</text></subclause></clause></subparagraph></paragraph></subsection><subsection id="ida1f55391-2117-48a5-9feb-673644f94cdb" changed="not-changed"><enum>(c)</enum><header>Subchapter II amendments</header><text>Subchapter II of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code, is amended—</text><paragraph id="idb95e91cc-9471-484c-a2fd-888ba4a5d09f" changed="not-changed"><enum>(1)</enum><text>in section 3551—</text><subparagraph id="id2807803a-3406-4077-b5e8-c76205406ade" changed="not-changed"><enum>(A)</enum><text>in paragraph (4), by striking <quote>diagnose and improve</quote> and inserting <quote>integrate, deliver, diagnose, and improve</quote>;</text></subparagraph><subparagraph id="id6b8b4258-c00e-46ef-9621-93bbda47acd8" changed="not-changed"><enum>(B)</enum><text>in paragraph (5), by striking <quote>and</quote> at the end;</text></subparagraph><subparagraph id="id0A32AD3962D0410B90167826410C6B85" changed="not-changed"><enum>(C)</enum><text>in paragraph (6), by striking the period at the end and inserting a semi colon; and</text></subparagraph><subparagraph 
id="idbea02759-98b9-4725-9534-d0a53a73571b" changed="not-changed"><enum>(D)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="idd7da17df-c8cb-41e5-aa14-cc2a6486c221" changed="not-changed"><paragraph commented="no" id="id162b7a95-c611-4d33-b83d-25152be1e1ee" changed="not-changed"><enum>(7)</enum><text>recognize that each agency has specific mission requirements and, at times, unique cybersecurity requirements to meet the mission of the agency;</text></paragraph><paragraph commented="no" id="id3ec21a36-b935-4033-a621-98c1d4f403e7" changed="not-changed"><enum>(8)</enum><text>recognize that each agency does not have the same resources to secure agency systems, and an agency should not be expected to have the capability to secure the systems of the agency from advanced adversaries alone; and</text></paragraph><paragraph commented="no" id="id81e3806d-605b-4705-b042-dd9684040ef7" changed="not-changed"><enum>(9)</enum><text>recognize that a holistic Federal cybersecurity model is necessary to account for differences between the missions and capabilities of agencies.</text></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph></paragraph><paragraph id="id65d1df73-4417-4ecb-a401-3ff411c46447" changed="not-changed"><enum>(2)</enum><text>in section 3553—</text><subparagraph id="id8531bfa2-6486-47be-9dd7-7dc5beb058fb" changed="not-changed"><enum>(A)</enum><text>in subsection (a)—</text><clause id="idc92d9838-1ae6-4c44-9765-33e505b8695e" changed="not-changed"><enum>(i)</enum><text>in paragraph (1), by inserting <quote>, in consultation with the Secretary and the National Cyber Director,</quote> before <quote>overseeing</quote>; </text></clause><clause id="id27bfd4b82fd3426c84241babd63146b0" changed="not-changed"><enum>(ii)</enum><text>in paragraph (5), by striking <quote>and</quote> at the end; and</text></clause><clause id="idacfdafc601c54c9c830f0ebcaa73e4ab" 
changed="not-changed"><enum>(iii)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id0d7ba3260d0946dbbee8d9fd5e1dd598" changed="not-changed"><paragraph id="id75f9123661f140528e4f0161d3b54136" changed="not-changed"><enum>(8)</enum><text>promoting, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, and the Director of the National Institute of Standards and Technology—</text><subparagraph id="ide544e23da7d64d31bd8ff9ef0d5561dc" changed="not-changed"><enum>(A)</enum><text>the use of automation to improve Federal cybersecurity and visibility with respect to the implementation of Federal cybersecurity; and</text></subparagraph><subparagraph id="id3befeba84be94a50b12156ed5be551f1" changed="not-changed"><enum>(B)</enum><text>the use of presumption of compromise and least privilege principles to improve resiliency and timely response actions to incidents on Federal systems.</text></subparagraph></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></clause></subparagraph><subparagraph id="id15416f7ee0ff45fd808cd2ce6182bd18"><enum>(B)</enum><text>in subsection (b)—</text><clause id="id3DE21DD013904261830CF36C10C9BA8E"><enum>(i)</enum><text>in the matter preceding paragraph (1), by inserting <quote>and the National Cyber Director</quote> after <quote>Director</quote>; and</text></clause><clause id="id1be2b8d737944255a9a06e015901098f"><enum>(ii)</enum><text>in paragraph (2)(A), by inserting <quote>and reporting requirements under subchapter IV of this chapter</quote> after <quote>section 3556</quote>; and</text></clause></subparagraph><subparagraph id="id4b5a506f-1e95-4518-83e5-ac54d77c02ba" changed="not-changed"><enum>(C)</enum><text>in subsection (c)—</text><clause id="idE3A1C868617343A08089ABF20B6DAE89" changed="not-changed"><enum>(i)</enum><text>in the matter preceding paragraph (1)—</text><subclause 
changed="not-changed" id="id4DE71316E70A44EB84D191F00E3E4FEF"><enum>(I)</enum><text>by striking <quote>each year</quote> and inserting <quote>each year during which agencies are required to submit reports under section 3554(c)</quote>; and</text></subclause><subclause changed="not-changed" id="idDD9CFAAC5D4D4F9AA7037CD3C3E5B8CD"><enum>(II)</enum><text>by striking <quote>preceding year</quote> and inserting <quote>preceding 2 years</quote>;</text></subclause></clause><clause id="idD8363FEECB2B4ADBBA26CCA7B14D4E54" changed="not-changed"><enum>(ii)</enum><text>by striking paragraph (1);</text></clause><clause id="idBB591BEE379443EB92F4080A72B4FC56" changed="not-changed"><enum>(iii)</enum><text>by redesignating paragraphs (2), (3), and (4) as paragraphs (1), (2), and (3), respectively;</text></clause><clause id="id372a5810-ac36-4b88-8899-e6954c77769d" changed="not-changed"><enum>(iv)</enum><text>in paragraph (3), as so redesignated, by striking <quote>and</quote> at the end;</text></clause><clause id="idd6c42bf9-5e30-4e9a-bd44-0dd443e870bf" changed="not-changed"><enum>(v)</enum><text>by inserting after paragraph (3), as so redesignated the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="idc6cc8b7d-23a2-44ac-9383-55d7f65c27a5" changed="not-changed"><paragraph id="id6a66f70a-23f3-4bb7-88c2-31385d3575fa" changed="not-changed"><enum>(4)</enum><text>a summary of each assessment of Federal risk posture performed under subsection (i);</text></paragraph><after-quoted-block>; and</after-quoted-block></quoted-block></clause><clause id="id55ABD27C1C3E4B6AAFD1A6934482294D" changed="not-changed"><enum>(vi)</enum><text>in paragraph (5), by striking the period at the end and inserting <quote>; and</quote>;</text></clause></subparagraph><subparagraph id="id38824b64-2ab1-45b4-b918-f63b87f48e09" changed="not-changed"><enum>(D)</enum><text>by redesignating subsections (i), (j), (k), and (l) as subsections (j), (k), (l), and (m) 
respectively;</text></subparagraph><subparagraph id="id5bdc1105-5873-4202-8157-b2e5f339a7e3" changed="not-changed"><enum>(E)</enum><text>by inserting after subsection (h) the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="ida58e72196e724bbc8c8aa7b61fe85258" changed="not-changed"><subsection id="idfa586004c3da43ba92c1b2fbe588c2bb" changed="not-changed"><enum>(i)</enum><header>Federal risk assessments</header><text>On an ongoing and continuous basis, the Director of the Cybersecurity and Infrastructure Security Agency shall perform assessments of Federal risk posture using any available information on the cybersecurity posture of agencies, and brief the Director and National Cyber Director on the findings of those assessments including—</text><paragraph id="id7e51a7e6-21a2-48e6-af2e-8fa6f65b74f3" changed="not-changed"><enum>(1)</enum><text>the status of agency cybersecurity remedial actions described in section 3554(b)(7);</text></paragraph><paragraph id="id03d559f6-f01e-4b36-b477-605f3490131c" changed="not-changed"><enum>(2)</enum><text>any vulnerability information relating to the systems of an agency that is known by the agency;</text></paragraph><paragraph id="id078ec97c-47e4-4468-83b0-1c9c106dd397" changed="not-changed"><enum>(3)</enum><text>analysis of incident information under section 3597;</text></paragraph><paragraph id="id3efeb14a-1181-42d6-9bd8-c6b633685baa" changed="not-changed"><enum>(4)</enum><text>evaluation of penetration testing performed under section 3559A;</text></paragraph><paragraph id="idefcdcac4-22c3-44da-a36d-179ba33626fd" changed="not-changed"><enum>(5)</enum><text>evaluation of vulnerability disclosure program information under section 3559B;</text></paragraph><paragraph id="id5ca36d39-8ecb-4a9f-b61c-a8628285f456" changed="not-changed"><enum>(6)</enum><text>evaluation of agency threat hunting results;</text></paragraph><paragraph id="id7fba1e5e-fe74-43e3-9faa-7ff85d94f125" 
changed="not-changed"><enum>(7)</enum><text>evaluation of Federal and non-Federal cyber threat intelligence;</text></paragraph><paragraph id="id83129655-55be-4639-bd6d-a9d57e8ed9e8" changed="not-changed"><enum>(8)</enum><text>data on agency compliance with standards issued under section 11331 of title 40;</text></paragraph><paragraph id="iddae11a7a-0dfb-43d9-81d9-29a61ea0b9b5" changed="not-changed"><enum>(9)</enum><text>agency system risk assessments performed under section 3554(a)(1)(A); and</text></paragraph><paragraph id="id758967d5-f486-413b-bcbc-fcbb9b1db74c" changed="not-changed"><enum>(10)</enum><text>any other information the Director of the Cybersecurity and Infrastructure Security Agency determines relevant.</text></paragraph></subsection><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph><subparagraph id="ideb2823e8-44e6-4021-abe2-fef558c58b04" changed="not-changed"><enum>(F)</enum><text>in subsection (j), as so redesignated—</text><clause id="id5b7f6801-ffeb-482b-876c-bfc7a7e33cea" changed="not-changed"><enum>(i)</enum><text>by striking <quote>regarding the specific</quote> and inserting “that includes a summary of—</text><quoted-block style="OLC" display-inline="no-display-inline" id="idc6d7b47a-fe0e-4a70-9c03-4066c4c48f49" changed="not-changed"><paragraph id="idecee93c3-69f0-48b7-923c-92e127e6429b" changed="not-changed"><enum>(1)</enum><text>the specific</text></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></clause><clause id="id4205bd69-a5b7-4402-a7a0-d3d99975e9a0" changed="not-changed"><enum>(ii)</enum><text>in paragraph (1), as so designated, by striking the period at the end and inserting <quote>; and</quote> and</text></clause><clause id="id896a4774-b830-4f75-8be8-6f72c5c89423" changed="not-changed"><enum>(iii)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id67673916-51d4-410b-acd3-7d81ff3f2ad6" changed="not-changed"><paragraph 
id="id527fead8-4750-4aed-a1c9-211aeff4e130" changed="not-changed"><enum>(2)</enum><text>the trends identified in the Federal risk assessment performed under subsection (i).</text></paragraph><after-quoted-block>; and</after-quoted-block></quoted-block></clause></subparagraph><subparagraph id="id24F0AC5ADB1C46D4B502F73B6F3FB939" changed="not-changed"><enum>(G)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id6FC599D2AC274B81B7A1913AA3CC76CF" changed="not-changed"><subsection id="idA310B651540F440F9D7A78CC37B89017" changed="not-changed"><enum>(n)</enum><header>Binding operational directives</header><text>If the Director of the Cybersecurity and Infrastructure Security Agency issues a binding operational directive or an emergency directive under this section, not later than 4 days after the date on which the binding operational directive requires an agency to take an action, the Director of the Cybersecurity and Infrastructure Security Agency shall provide to the Director, National Cyber Director, the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives the status of the implementation of the binding operational directive at the agency. 
</text></subsection><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph></paragraph><paragraph id="idf20f9353-d865-4160-bc68-a508b4c01935" changed="not-changed"><enum>(3)</enum><text>in section 3554—</text><subparagraph id="id35f60afd-1932-44db-93e1-87af8ac9b831" changed="not-changed"><enum>(A)</enum><text>in subsection (a)—</text><clause id="idcf59325c-ab58-4a48-bcf6-7dca6bab0b25" changed="not-changed"><enum>(i)</enum><text>in paragraph (1)—</text><subclause id="id3cc40410-ce3a-45a2-8c2a-aaf170a1b2b1" changed="not-changed"><enum>(I)</enum><text>by redesignating subparagraphs (A), (B), and (C) as subparagraphs (B), (C), and (D), respectively;</text></subclause><subclause id="ide06f9232-3a7a-4276-951b-f617b0f0211c" changed="not-changed"><enum>(II)</enum><text>by inserting before subparagraph (B), as so redesignated, the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="idf1bd5b20-5e1c-4892-ba73-1df38e6f99a9" changed="not-changed"><subparagraph id="id3906d602-1e11-4eef-9b89-2c7d10f8cc4f" changed="not-changed"><enum>(A)</enum><text>on an ongoing and continuous basis, performing agency system risk assessments that— </text><clause id="id4efedf08-2e43-44a4-8021-09abd6fdcd67" changed="not-changed"><enum>(i)</enum><text>identify and document the high value assets of the agency using guidance from the Director;</text></clause><clause id="id94b7944b-12ac-444e-a283-b07ebc17b4cf" changed="not-changed"><enum>(ii)</enum><text>evaluate the data assets inventoried under section 3511 for sensitivity to compromises in confidentiality, integrity, and availability;</text></clause><clause id="id67ddc101-2f82-4719-84f6-7a7843a64843" changed="not-changed"><enum>(iii)</enum><text>identify agency systems that have access to or hold the data assets inventoried under section 3511;</text></clause><clause id="id893d58d6-d521-4ba6-9083-423397c2f832" changed="not-changed"><enum>(iv)</enum><text>evaluate the threats facing agency systems and 
data, including high value assets, based on Federal and non-Federal cyber threat intelligence products, where available;</text></clause><clause id="ide416c4d8-0a18-432a-8d51-566c7435af2e" changed="not-changed"><enum>(v)</enum><text>evaluate the vulnerability of agency systems and data, including high value assets, including by analyzing—</text><subclause id="ide5a8ed25-1c35-4394-a545-956224a6b253" changed="not-changed"><enum>(I)</enum><text>the results of penetration testing performed by the Department of Homeland Security under section 3553(b)(9);</text></subclause><subclause id="id4a032f79-fe2c-4c33-893b-28730a12be4d" changed="not-changed"><enum>(II)</enum><text>the results of penetration testing performed under section 3559A;</text></subclause><subclause id="id7d84009c-5ea2-4a90-93bb-df7d617424d8" changed="not-changed"><enum>(III)</enum><text>information provided to the agency through the vulnerability disclosure program of the agency under section 3559B;</text></subclause><subclause id="id802761d7-7118-454c-8c3a-3f2e77073540" changed="not-changed"><enum>(IV)</enum><text>incidents; and</text></subclause><subclause id="ideaa5b873-be64-4105-af3b-966266d26a2a" changed="not-changed"><enum>(V)</enum><text>any other vulnerability information relating to agency systems that is known to the agency;</text></subclause></clause><clause id="idd8039431-edce-4081-8af6-c8b8b70e8f87" changed="not-changed"><enum>(vi)</enum><text>assess the impacts of potential agency incidents to agency systems, data, and operations based on the evaluations described in clauses (ii) and (iv) and the agency systems identified under clause (iii); and</text></clause><clause id="idc862abfe-77de-4622-8b11-d29f4229a99c" changed="not-changed"><enum>(vii)</enum><text>assess the consequences of potential incidents occurring on agency systems that would impact systems at other agencies, including due to interconnectivity between different agency systems or operational reliance on the operations of the 
system or data in the system;</text></clause></subparagraph><after-quoted-block>;</after-quoted-block></quoted-block></subclause><subclause id="id5bdbf62e-31a8-4b1b-a05c-e03b248d70a7" changed="not-changed"><enum>(III)</enum><text>in subparagraph (B), as so redesignated, in the matter preceding clause (i), by striking <quote>providing information</quote> and inserting <quote>using information from the assessment conducted under subparagraph (A), providing information</quote>;</text></subclause><subclause id="idfe0193e1-b5b8-4f06-9fff-227e2f98e058" changed="not-changed"><enum>(IV)</enum><text>in subparagraph (C), as so redesignated—</text><item id="idde96240a-9fab-46ba-9add-0249fbba823a" changed="not-changed"><enum>(aa)</enum><text>in clause (ii) by inserting <quote>binding</quote> before <quote>operational</quote>; and</text></item><item id="id61587b95-db60-41a6-bf64-389664fb4467" changed="not-changed"><enum>(bb)</enum><text>in clause (vi), by striking <quote>and</quote> at the end; and</text></item></subclause><subclause id="id8eaa47ea-92b0-4a30-b040-d6062a34fcd6" changed="not-changed"><enum>(V)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id3815f8f02c304f34851bb6a2f12dae2f" changed="not-changed"><subparagraph id="id4c29888043dc4298ac37bede14249f46" changed="not-changed"><enum>(E)</enum><text>providing an update on the ongoing and continuous assessment performed under subparagraph (A)—</text><clause id="id281121F3A0504B33BF8BEBDF7B0A1F28" changed="not-changed"><enum>(i)</enum><text>upon request, to the inspector general of the agency or the Comptroller General of the United States; and</text></clause><clause id="id33F81DCBB9384121B2F98CA1B42D7377" changed="not-changed"><enum>(ii)</enum><text>on a periodic basis, as determined by guidance issued by the Director but not less frequently than annually, to—</text><subclause id="id22543c64-ef03-4103-9a0e-2aa5e74d8456" 
changed="not-changed"><enum>(I)</enum><text>the Director;</text></subclause><subclause id="id12da0c93-9842-406d-ab15-ddcda3fde0e9" changed="not-changed"><enum>(II)</enum><text>the Director of the Cybersecurity and Infrastructure Security Agency; and</text></subclause><subclause id="id325ff018-6542-493d-a802-2abfd3ae2128" changed="not-changed"><enum>(III)</enum><text>the National Cyber Director;</text></subclause></clause></subparagraph><subparagraph id="idef929648-6330-4c3e-b1e9-7703315d3a98" changed="not-changed"><enum>(F)</enum><text>in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and not less frequently than once every 3 years, performing an evaluation of whether additional cybersecurity procedures are appropriate for securing a system of, or under the supervision of, the agency, which shall—</text><clause id="idcd5572ce-ebaa-4209-965e-46e2ccf853df" changed="not-changed"><enum>(i)</enum><text>be completed considering the agency system risk assessment performed under subparagraph (A); and</text></clause><clause id="id8a0307df-6b63-4d45-a170-d3ce8dce3e40" changed="not-changed"><enum>(ii)</enum><text>include a specific evaluation for high value assets;</text></clause></subparagraph><subparagraph id="id49caf3cf-5f38-4128-9865-b85af923829d" changed="not-changed"><enum>(G)</enum><text>not later than 30 days after completing the evaluation performed under subparagraph (F), providing the evaluation and an implementation plan, if applicable, for using additional cybersecurity procedures determined to be appropriate to—</text><clause commented="no" display-inline="no-display-inline" id="idea7059de-11b2-4261-81e3-84d6661c19c4" changed="not-changed"><enum>(i)</enum><text>the Director of the Cybersecurity and Infrastructure Security Agency;</text></clause><clause commented="no" display-inline="no-display-inline" id="idbf6fe6d7-eac0-410c-8637-b43828713b88" changed="not-changed"><enum>(ii)</enum><text>the Director; 
and</text></clause><clause commented="no" display-inline="no-display-inline" id="id12c129af-dacb-418b-a7ef-519049c51e5f" changed="not-changed"><enum>(iii)</enum><text>the National Cyber Director; and</text></clause></subparagraph><subparagraph id="idf31ce8a3bd4242a8be61bcee73b45097" changed="not-changed"><enum>(H)</enum><text>if the head of the agency determines there is need for additional cybersecurity procedures, ensuring that those additional cybersecurity procedures are reflected in the budget request of the agency;</text></subparagraph><after-quoted-block>;</after-quoted-block></quoted-block></subclause></clause><clause id="id79f03079-53b4-4a9b-915c-0b4bdbd8a827" changed="not-changed"><enum>(ii)</enum><text>in paragraph (2)—</text><subclause id="id16f1028a-14eb-4f51-a95a-88615a8d70de" changed="not-changed"><enum>(I)</enum><text>in subparagraph (A), by inserting <quote>in accordance with the agency system risk assessment performed under paragraph (1)(A)</quote> after <quote>information systems</quote>;</text></subclause><subclause id="idd9504a29-3df1-4805-9c36-3dcae8c9dc53" changed="not-changed"><enum>(II)</enum><text>in subparagraph (B)—</text><item id="idef4f0a43-d366-4b58-8501-6e5e6a60d032" changed="not-changed"><enum>(aa)</enum><text>by striking <quote>in accordance with standards</quote> and inserting “in accordance with—</text><quoted-block style="OLC" display-inline="no-display-inline" id="id9759dafb-92e7-46eb-ae28-666a6a80311e" changed="not-changed"><clause id="ide0a6c65b-9fd2-4c8d-81e4-0abc8a0662c0" changed="not-changed"><enum>(i)</enum><text>standards</text></clause><after-quoted-block>; and</after-quoted-block></quoted-block></item><item id="iddcd4751d-9e00-44c6-9bc5-1e9d6e454fa0" changed="not-changed"><enum>(bb)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id8ec73c0e-73cf-4c96-9fec-4f7b4537e06a" changed="not-changed"><clause id="id77fc05cd-db7f-416d-9862-801aee112a5c" 
changed="not-changed"><enum>(ii)</enum><text>the evaluation performed under paragraph (1)(F); and</text></clause><clause id="idd85b50c6-638c-48f1-b447-9849e5a0d879" changed="not-changed"><enum>(iii)</enum><text>the implementation plan described in paragraph (1)(G);</text></clause><after-quoted-block>; and</after-quoted-block></quoted-block></item></subclause><subclause id="iddf92c922-5591-40dc-a56c-782a7d985e2a" changed="not-changed"><enum>(III)</enum><text>in subparagraph (D), by inserting <quote>, through the use of penetration testing, the vulnerability disclosure program established under section 3559B, and other means,</quote> after <quote>periodically</quote>;</text></subclause></clause><clause id="ida55f7dc6-0b28-4773-b9e8-e412d34ca674" changed="not-changed"><enum>(iii)</enum><text>in paragraph (3)—</text><subclause id="idc0196970537b490b84deed37a44579b2" changed="not-changed"><enum>(I)</enum><text>in subparagraph (A)—</text><item id="ide2e0faa78c05487eb700b7c3fdf9b7e0" changed="not-changed"><enum>(aa)</enum><text>in clause (iii), by striking <quote>and</quote> at the end;</text></item><item id="id06c9f051df214e59803f9a93b1607387" changed="not-changed"><enum>(bb)</enum><text>in clause (iv), by adding <quote>and</quote> at the end; and</text></item><item id="id0152a8af9e9c49fab996915e3216397d" changed="not-changed"><enum>(cc)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id3fc1de22dfc840ff9125e6f30f649a61" changed="not-changed"><clause id="id297117ad78f24c93a0bd5afcef2e430d" changed="not-changed"><enum>(v)</enum><text>ensure that—</text><subclause id="id11E3956E43D54E7C99AB6E9150C141A2" changed="not-changed"><enum>(I)</enum><text>senior agency information security officers of component agencies carry out responsibilities under this subchapter, as directed by the senior agency information security officer of the agency or an equivalent official; and</text></subclause><subclause 
id="id03C11335A2AD4EC6AA41036315E64F1B" changed="not-changed"><enum>(II)</enum><text>senior agency information security officers of component agencies report to—</text><item id="id526c0df8f8cd45ed8219fdd978d3a7b2" changed="not-changed"><enum>(aa)</enum><text>the senior information security officer of the agency or an equivalent official; and</text></item><item id="id42dbf9793f8f4945b2f84e64d281237f" changed="not-changed"><enum>(bb)</enum><text>the Chief Information Officer of the component agency or an equivalent official;</text></item></subclause></clause><after-quoted-block>; and</after-quoted-block></quoted-block></item></subclause></clause><clause id="id8c06a4f4-54f6-43b3-a5af-578e068ef577" changed="not-changed"><enum>(iv)</enum><text>in paragraph (5), by inserting <quote>and the Director of the Cybersecurity and Infrastructure Security Agency</quote> before <quote>on the effectiveness</quote>;</text></clause></subparagraph><subparagraph id="id25a6c67c-013b-4876-9389-8362d82a8de5" changed="not-changed"><enum>(B)</enum><text>in subsection (b)—</text><clause id="id9df329c5-5120-48c9-89c1-36dcb14519b5" changed="not-changed"><enum>(i)</enum><text>by striking paragraph (1) and inserting the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="idf63a3352910845ffb5f4bafb6545adaa" changed="not-changed"><paragraph id="id45be30b1eda7446fb0dab50d5f2a28df" changed="not-changed"><enum>(1)</enum><text>pursuant to subsection (a)(1)(A), performing ongoing and continuous agency system risk assessments, which may include using guidelines and automated tools consistent with standards and guidelines promulgated under section 11331 of title 40, as applicable;</text></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></clause><clause id="id5a87f116-6a9d-4ad4-b9e4-2c8caa279654" changed="not-changed"><enum>(ii)</enum><text>in paragraph (2)—</text><subclause id="id454C2A0EB77E4A5CA5888885B64B8EC4" 
changed="not-changed"><enum>(I)</enum><text>by striking subparagraph (B) and inserting the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id5783A4614E2D44EEB6F5BDFBF08F4AD6" changed="not-changed"><subparagraph id="id0586DBE9D0134991A067CC47EAB7D821" changed="not-changed"><enum>(B)</enum><text>comply with the risk-based cyber budget model developed pursuant to section 3553(a)(7);</text></subparagraph><after-quoted-block>; and</after-quoted-block></quoted-block></subclause><subclause id="id27866425D5514CEC86C72F0EC73437C6" changed="not-changed"><enum>(II)</enum><text>in subparagraph (D)—</text><item id="id22780ef0-fa82-4f91-8c07-de6a1ec67ec6" changed="not-changed"><enum>(aa)</enum><text>by redesignating clauses (iii) and (iv) as clauses (iv) and (v), respectively;</text></item><item id="id898d1395-4567-4393-ba8a-421bf4872539" changed="not-changed"><enum>(bb)</enum><text>by inserting after clause (ii) the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="idb6ca0ef5-65f9-442b-afad-d001b0d75b8b" changed="not-changed"><clause id="id8c60ab86-f4c2-45bc-9ed0-66adfce6c468" changed="not-changed"><enum>(iii)</enum><text>binding operational directives and emergency directives promulgated by the Director of the Cybersecurity and Infrastructure Security Agency under section 3553;</text></clause><after-quoted-block>; and</after-quoted-block></quoted-block></item><item id="id259895e7-1bd0-4707-aee0-ed5edb1a4bac" changed="not-changed"><enum>(cc)</enum><text>in clause (iv), as so redesignated, by striking <quote>as determined by the agency; and</quote> and inserting “as determined by the agency, considering—</text><quoted-block style="OLC" display-inline="no-display-inline" id="idA28B586174374DEA9704857FB9A67CD9" changed="not-changed"><subclause id="id5162e7e7d755413db7deabf6207b1d06" changed="not-changed"><enum>(I)</enum><text>the agency risk assessment performed under subsection (a)(1)(A); 
and</text></subclause><subclause id="id55ca4a80a56f47c5b1ca45bc33ac0874" changed="not-changed"><enum>(II)</enum><text>the determinations of applying more stringent standards and additional cybersecurity procedures pursuant to section 11331(c)(1) of title 40; and</text></subclause><after-quoted-block>;</after-quoted-block></quoted-block></item></subclause></clause><clause id="id74975cc0-3aaf-4e66-ae26-cd30cd1178be" changed="not-changed"><enum>(iii)</enum><text>in paragraph (5)(A), by inserting <quote>, including penetration testing, as appropriate,</quote> after <quote>shall include testing</quote>; </text></clause><clause id="idf5444132-99e6-46d4-b70f-909758a79e6e" changed="not-changed"><enum>(iv)</enum><text>in paragraph (6), by striking <quote>planning, implementing, evaluating, and documenting</quote> and inserting <quote>planning and implementing and, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, evaluating and documenting</quote>;</text></clause><clause id="ida4a59689-bbdd-46d9-b1b1-a9c506c27831" changed="not-changed"><enum>(v)</enum><text>by redesignating paragraphs (7) and (8) as paragraphs (8) and (9), respectively;</text></clause><clause id="id0fcb94bc-2361-4fcc-b9c3-365559018595" changed="not-changed"><enum>(vi)</enum><text>by inserting after paragraph (6) the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="ide1e32f6c-b043-42c5-b2a3-ea4ca61cefaa" changed="not-changed"><paragraph id="id2838bbb2-37c3-4119-a3d6-e46c93df341b" changed="not-changed"><enum>(7)</enum><text>a process for providing the status of every remedial action and unremediated identified system vulnerability to the Director and the Director of the Cybersecurity and Infrastructure Security Agency, using automation and machine-readable data to the greatest extent practicable;</text></paragraph><after-quoted-block>; and</after-quoted-block></quoted-block></clause><clause id="idb675e527-96f4-4bb5-b22b-7aaf0c3d6215" 
changed="not-changed"><enum>(vii)</enum><text>in paragraph (8)(C), as so redesignated—</text><subclause id="id96cbe9bb-d9be-4b7d-b24d-55ed893cdd09" changed="not-changed"><enum>(I)</enum><text>by striking clause (ii) and inserting the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id3a9e7204-50aa-4da0-8e0a-568e00bb1879" changed="not-changed"><clause id="id6dcc7c01-20a0-45b0-8fbb-712d0732c9b8" changed="not-changed"><enum>(ii)</enum><text>notifying and consulting with the Federal information security incident center established under section 3556 pursuant to the requirements of section 3594;</text></clause><after-quoted-block>;</after-quoted-block></quoted-block></subclause><subclause id="ida7601345-a855-4412-a790-b78217813eba" changed="not-changed"><enum>(II)</enum><text>by redesignating clause (iii) as clause (iv);</text></subclause><subclause id="idae3c1ffa-7bb6-40c8-a6ff-1807e4c9e923" changed="not-changed"><enum>(III)</enum><text>by inserting after clause (ii) the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="idd03e7e75-0b1e-4035-a3f9-d4210b28e348" changed="not-changed"><clause id="id66a5e43b-60fc-4de1-97c0-9e62508b7310" changed="not-changed"><enum>(iii)</enum><text>performing the notifications and other activities required under subchapter IV of this chapter; and</text></clause><after-quoted-block>; and</after-quoted-block></quoted-block></subclause><subclause id="id6d8c4a4c-351d-437f-9b3a-4dff1146962f" changed="not-changed"><enum>(IV)</enum><text>in clause (iv), as so redesignated—</text><item id="id2613d157-3fd4-4459-9083-730c10ec1d51" changed="not-changed"><enum>(aa)</enum><text>in subclause (I), by striking <quote>and relevant offices of inspectors general</quote>;</text></item><item id="id984235ee-035f-41a6-b5e5-003e60bfe2af" changed="not-changed"><enum>(bb)</enum><text>in subclause (II), by adding <quote>and</quote> at the end;</text></item><item 
id="id61063357-c0a3-4be5-a9a4-4c2e12a1c037" changed="not-changed"><enum>(cc)</enum><text>by striking subclause (III); and</text></item><item id="idd2528671-9469-4cf1-83f0-3cd15f8a4b7e" changed="not-changed"><enum>(dd)</enum><text>by redesignating subclause (IV) as subclause (III);</text></item></subclause></clause></subparagraph><subparagraph id="id55fcc33c-fd71-4ef3-8e6f-7efa61562674" changed="not-changed"><enum>(C)</enum><text>in subsection (c)—</text><clause id="id59A91330BAA84826BA29304D03763CFB" changed="not-changed"><enum>(i)</enum><text>by redesignating paragraph (2) as paragraph (5);</text></clause><clause id="idFA7ED4D1F88445B0B794BA79CD442187" changed="not-changed"><enum>(ii)</enum><text>by striking paragraph (1) and inserting the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="idb5d642e2-53d3-4565-a290-963e3d9b1d27" changed="not-changed"><paragraph commented="no" id="id5326e4b2-66c2-4fbf-b2f1-95c8d64e05d0" changed="not-changed"><enum>(1)</enum><header>Biannual report</header><text>Not later than 2 years after the date of enactment of the <short-title>Federal Information Security Modernization Act of 2022</short-title> and not less frequently than once every 2 years thereafter, using the continuous and ongoing agency system risk assessment under subsection (a)(1)(A), the head of each agency shall submit to the Director, the Director of the Cybersecurity and Infrastructure Security Agency, the majority and minority leaders of the Senate, the Speaker and minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Oversight and Reform of the House of Representatives, the Committee on Homeland Security of the House of Representatives, the Committee on Commerce, Science, and Transportation of the Senate, the Committee on Science, Space, and Technology of the House of Representatives, the appropriate authorization and appropriations committees of 
Congress, the National Cyber Director, and the Comptroller General of the United States a report that—</text><subparagraph id="id24ce5534-b474-469d-87af-2a3639eedfe8" changed="not-changed"><enum>(A)</enum><text>summarizes the agency system risk assessment performed under subsection (a)(1)(A);</text></subparagraph><subparagraph id="id49e008e42fcb4e20a10391504c960f28"><enum>(B)</enum><text>evaluates the adequacy and effectiveness of information security policies, procedures, and practices of the agency to address the risks identified in the agency system risk assessment performed under subsection (a)(1)(A), including an analysis of the agency’s cybersecurity and incident response capabilities using the metrics established under section 224(c) of the Cybersecurity Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1522">6 U.S.C. 1522(c)</external-xref>); </text></subparagraph><subparagraph id="ide2c46e13-1b7e-4a72-95b8-b4f7298539bf" changed="not-changed"><enum>(C)</enum><text>summarizes the evaluation and implementation plans described in subparagraphs (F) and (G) of subsection (a)(1) and whether those evaluation and implementation plans call for the use of additional cybersecurity procedures determined to be appropriate by the agency; and</text></subparagraph><subparagraph id="idceb8c80b48314687abfe11c76cd10590" changed="not-changed"><enum>(D)</enum><text>summarizes the status of remedial actions identified by inspector general of the agency, the Comptroller General of the United States, and any other source determined appropriate by the head of the agency. 
</text></subparagraph></paragraph><paragraph id="idbb5d8931-6b07-4429-95b9-b77ec01ca8e0" changed="not-changed"><enum>(2)</enum><header>Unclassified reports</header><text>Each report submitted under paragraph (1)—</text><subparagraph id="idc34ddd60-93c9-4f83-84bc-16f6a994242b" changed="not-changed"><enum>(A)</enum><text>shall be, to the greatest extent practicable, in an unclassified and otherwise uncontrolled form; and </text></subparagraph><subparagraph id="id0dd91f91-c522-4a87-bdf6-29ba10095dea" changed="not-changed"><enum>(B)</enum><text>may include a classified annex.</text></subparagraph></paragraph><paragraph commented="no" id="id1e5f5b06094d458ea7194a7195c14f8e" changed="not-changed"><enum>(3)</enum><header>Access to information</header><text>The head of an agency shall ensure that, to the greatest extent practicable, information is included in the unclassified form of the report submitted by the agency under paragraph (2)(A).</text></paragraph><paragraph commented="no" id="idE6F814E7CA374A649F4B5A5E3F9F4A38" changed="not-changed"><enum>(4)</enum><header>Briefings</header><text>During each year during which a report is not required to be submitted under paragraph (1), the Director shall provide to the congressional committees described in paragraph (1) a briefing summarizing current agency and Federal risk postures.</text></paragraph><after-quoted-block>; and</after-quoted-block></quoted-block></clause><clause id="id493CEB7C2AD94AAF909DE36148B3BDBE" changed="not-changed"><enum>(iii)</enum><text>in paragraph (5), as so redesignated, by striking the period at the end and inserting <quote>, including the reporting procedures established under section 11315(d) of title 40 and subsection (a)(3)(A)(v) of this section</quote>; and</text></clause></subparagraph><subparagraph id="id79acba6907be457797387749dd14daa8"><enum>(D)</enum><text>in subsection (d)(1), in the matter preceding subparagraph (A), by inserting <quote>and the National Cyber Director</quote> after 
<quote>the Director</quote>; and</text></subparagraph><subparagraph id="idB7AB1DE9AB8F4B0B8300DB8FC648EEE5"><enum>(E)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id1731cf9dc7964eff89a3ac93ed932342"><subsection id="id04cdb22bfea2453485350faee7d4eb65"><enum>(f)</enum><header>Reporting structure exemption</header><paragraph id="idE81770E114C34AE69B66F46122E92C1B"><enum>(1)</enum><header>In general</header><text>On an annual basis, the Director may exempt an agency from the reporting structure requirement under subsection (a)(3)(A)(v)(II).</text></paragraph><paragraph id="id542398b721234c299484aebc556e2ade"><enum>(2)</enum><header>Report</header><text>On an annual basis, the Director shall submit a report to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives that includes a list of each exemption granted under paragraph (1) and the associated rationale for each exemption.</text></paragraph><paragraph id="id110b4f60fc3f4b488c863104ea6214e1"><enum>(3)</enum><header>Component of other report</header><text>The report required under paragraph (2) may be incorporated into any other annual report required under this chapter.</text></paragraph></subsection><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph></paragraph><paragraph id="idef46a912-fbbc-471b-a6f3-4213567dfc16" changed="not-changed"><enum>(4)</enum><text>in section 3555—</text><subparagraph commented="no" id="idd234560ea3744296a3efcabbb105a11e" changed="not-changed"><enum>(A)</enum><text>in the section heading, by striking <quote><header-in-text level="section" style="OLC">Annual independent</header-in-text></quote> and inserting <quote><header-in-text level="section" style="OLC">Independent</header-in-text></quote>;</text></subparagraph><subparagraph commented="no" id="id7eb15845fc524f3ebeb95823dd2fe9ec" 
changed="not-changed"><enum>(B)</enum><text>in subsection (a)—</text><clause commented="no" id="id4A9C20B133224905A939B4420A8D9792" changed="not-changed"><enum>(i)</enum><text>in paragraph (1), by inserting <quote>during which a report is required to be submitted under section 3553(c),</quote> after <quote>Each year</quote>;</text></clause><clause commented="no" id="id3efc4913471241b7af05edbd07e655d3" changed="not-changed"><enum>(ii)</enum><text>in paragraph (2)(A), by inserting <quote>, including by penetration testing and analyzing the vulnerability disclosure program of the agency</quote> after <quote>information systems</quote>; and</text></clause><clause commented="no" id="id8840d65a8bc749fc9dc3c4ae771dd3d0" changed="not-changed"><enum>(iii)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="idDF141EA242764F0DB13ACC95354CAB2A" changed="not-changed"><paragraph commented="no" id="id09DD03BC81414DB8B415E7DE9AC3AE12" indent="up1" changed="not-changed"><enum>(3)</enum><text>An evaluation under this section may include recommendations for improving the cybersecurity posture of the agency.</text></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></clause></subparagraph><subparagraph commented="no" id="idccafc46e440f494b867027c4cdab935e" changed="not-changed"><enum>(C)</enum><text>in subsection (b)(1), by striking <quote>annual</quote>;</text></subparagraph><subparagraph commented="no" id="id0989f3ee2d1c49b5bc0c8454ca3d0a36" changed="not-changed"><enum>(D)</enum><text>in subsection (e)(1), by inserting <quote>during which a report is required to be submitted under section 3553(c)</quote> after <quote>Each year</quote>;</text></subparagraph><subparagraph id="idfb639fba-1ef7-4a1f-9ed9-34a938cb5aec" changed="not-changed"><enum>(E)</enum><text>by striking subsection (f) and inserting the following:</text><quoted-block style="OLC" display-inline="no-display-inline" 
id="id3a356b88-7a52-4065-9b35-ea78d287782a" changed="not-changed"><subsection id="id2cbdb1f1-55e4-468f-93ce-3d77b023811c" changed="not-changed"><enum>(f)</enum><header>Protection of information</header><paragraph commented="no" display-inline="yes-display-inline" id="id8f7dc3d6-9bf7-4260-ad00-d653de74ef04" changed="not-changed"><enum>(1)</enum><text>Agencies, evaluators, and other recipients of information that, if disclosed, may cause grave harm to the efforts of Federal information security officers, shall take appropriate steps to ensure the protection of that information, including safeguarding the information from public disclosure.</text></paragraph><paragraph id="id38899180-506f-4f64-87c4-cc78c1f7f31c" indent="up1" changed="not-changed"><enum>(2)</enum><text>The protections required under paragraph (1) shall be commensurate with the risk and comply with all applicable laws and regulations.</text></paragraph><paragraph id="idf7002156-561a-4be1-8d51-3e2dbc520e2f" indent="up1" changed="not-changed"><enum>(3)</enum><text>With respect to information that is not related to national security systems, agencies and evaluators shall make a summary of the information unclassified and publicly available, including information that does not identify—</text><subparagraph id="id7ee218d7-d850-4102-ac86-99d0cc8be73e" changed="not-changed"><enum>(A)</enum><text>specific information system incidents; or</text></subparagraph><subparagraph id="id5e855ee4-82cb-4020-8a51-29a4ceccd192" changed="not-changed"><enum>(B)</enum><text>specific information system vulnerabilities.</text></subparagraph></paragraph></subsection><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph><subparagraph id="idfa235ea8-e59f-4530-b125-7f99769f37bc" changed="not-changed"><enum>(F)</enum><text>in subsection (g)(2)—</text><clause id="id3ed3dac2-ba96-4406-9b55-ad7d76999f78" changed="not-changed"><enum>(i)</enum><text>by striking <quote>this subsection shall</quote> and inserting “this 
subsection—</text><quoted-block style="OLC" display-inline="no-display-inline" id="idc864acb3-11bb-41de-8b2e-27580da4ed13" changed="not-changed"><subparagraph id="id8324f4ea-fbb3-449b-aaf1-c15afb28e5d6" indent="up1" changed="not-changed"><enum>(A)</enum><text>shall</text></subparagraph><after-quoted-block>;</after-quoted-block></quoted-block></clause><clause id="id74b8193e-f820-4156-b7ff-141165c916f2" changed="not-changed"><enum>(ii)</enum><text>in subparagraph (A), as so designated, by striking the period at the end and inserting <quote>; and</quote>; and</text></clause><clause id="id70cdf08d-3215-4237-b3f5-f2b52f18d5a4" changed="not-changed"><enum>(iii)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="idc775e85e-a373-4ec8-80c5-47c5c1a1b6f3" changed="not-changed"><subparagraph id="id3a84130b-5e95-413e-9f39-fd67efe5e65d" indent="up1" changed="not-changed"><enum>(B)</enum><text>identify any entity that performs an independent evaluation under subsection (b).</text></subparagraph><after-quoted-block>; and</after-quoted-block></quoted-block></clause></subparagraph><subparagraph id="iddde49148-fde4-47f2-a967-07dc4b201e93" changed="not-changed"><enum>(G)</enum><text>by striking subsection (j) and inserting the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="idF3E2734B05024879938CC3F765386803" changed="not-changed"><subsection id="idDC79D013C3ED47F4A221FAF938CE8BA2" changed="not-changed"><enum>(j)</enum><header>Guidance</header><paragraph id="id04542E9832FC4078A071CE1969A857AB" changed="not-changed"><enum>(1)</enum><header>In general</header><text>The Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the Chief Information Officers Council, the Council of the Inspectors General on Integrity and Efficiency, and other interested parties as appropriate, shall ensure the development of risk-based guidance for evaluating the 
effectiveness of an information security program and practices</text></paragraph><paragraph id="idc826f97d45aa4ed9bb8656f2fcd91946"><enum>(2)</enum><header>Priorities</header><text>The risk-based guidance developed under paragraph (1) shall include—</text><subparagraph id="id6da70848abd1413cb4b47d1d89ac75cd"><enum>(A)</enum><text>the identification of the most common successful threat patterns experienced by each agency;</text></subparagraph><subparagraph id="id3e4f43836d0445adbbb141e4c5bd2452"><enum>(B)</enum><text>the identification of security controls that address the threat patterns described in subparagraph (A);</text></subparagraph><subparagraph id="iddb0d8f9139eb46c482bd06a2fa5ee98f"><enum>(C)</enum><text>any other security risks unique to the networks of each agency; and</text></subparagraph><subparagraph id="id98b8e7b66a5a42b58e2b90950a12f341"><enum>(D)</enum><text>any other element the Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the Council of the Inspectors General on Integrity and Efficiency, determines appropriate.</text></subparagraph></paragraph></subsection><after-quoted-block>; and</after-quoted-block></quoted-block></subparagraph></paragraph><paragraph id="id27b6c25d-0bf0-47d8-a972-e160f7285860" changed="not-changed"><enum>(5)</enum><text>in section 3556(a)—</text><subparagraph id="idea3ea18a-e85b-4d9e-9431-1691a309725f" changed="not-changed"><enum>(A)</enum><text>in the matter preceding paragraph (1), by inserting <quote>within the Cybersecurity and Infrastructure Security Agency</quote> after <quote>incident center</quote>; and</text></subparagraph><subparagraph id="id801a6e5a-f99e-406e-bbf4-e4e6dea4979f" changed="not-changed"><enum>(B)</enum><text>in paragraph (4), by striking <quote>3554(b)</quote> and inserting <quote>3554(a)(1)(A)</quote>.</text></subparagraph></paragraph></subsection><subsection id="idFA391932B6E743A483AE23A0A770AA60" 
changed="not-changed"><enum>(d)</enum><header>Conforming amendments</header><paragraph id="idED9F539E7BA8492DBBB4AA9EB659C122" changed="not-changed"><enum>(1)</enum><header>Table of sections</header><text>The table of sections for <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code, is amended by striking the item relating to section 3555 and inserting the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id4E7285E00E804DE8A2C9C81E9D79BB22" changed="not-changed"><toc changed="not-changed"><toc-entry bold="off" level="section" changed="not-changed">3555. Independent evaluation</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block></paragraph><paragraph commented="no" id="id5ca46e89337140418b10252b01083a6f" changed="not-changed"><enum>(2)</enum><header>OMB reports</header><text>Section 226(c) of the Cybersecurity Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1524">6 U.S.C. 
1524(c)</external-xref>) is amended—</text><subparagraph commented="no" id="id899f75f426ca4572a9be5d857a274f05" changed="not-changed"><enum>(A)</enum><text>in paragraph (1)(B), in the matter preceding clause (i), by striking <quote>annually thereafter</quote> and inserting <quote>thereafter during the years during which a report is required to be submitted under section 3553(c) of title 44, United States Code</quote>; and</text></subparagraph><subparagraph commented="no" id="ide0f0f37fc0e74436b3bff404a1de2a3b" changed="not-changed"><enum>(B)</enum><text>in paragraph (2)(B), in the matter preceding clause (i)—</text><clause commented="no" id="idA1FE2F09A93D4A8BAB4B8D178F086B38" changed="not-changed"><enum>(i)</enum><text>by striking <quote>annually thereafter</quote> and inserting <quote>thereafter during the years during which a report is required to be submitted under section 3553(c) of title 44, United States Code</quote>; and</text></clause><clause commented="no" id="id3019F932DFC849DCBB4A20680143EE84" changed="not-changed"><enum>(ii)</enum><text>by striking <quote>the report required under section 3553(c) of title 44, United States Code</quote> and inserting <quote>that report</quote>.</text></clause></subparagraph></paragraph><paragraph commented="no" id="id67677fa2c4584ec6aa44620e78bb3864" changed="not-changed"><enum>(3)</enum><header>NIST responsibilities</header><text>Section 20(d)(3)(B) of the National Institute of Standards and Technology Act (<external-xref legal-doc="usc" parsable-cite="usc/15/278g-3">15 U.S.C. 
278g–3(d)(3)(B)</external-xref>) is amended by striking <quote>annual</quote>.</text></paragraph></subsection><subsection id="idcd68f592-b908-4f0e-b39a-81c9faaf0b9b" changed="not-changed"><enum>(e)</enum><header>Federal system incident response</header><paragraph id="id5c5cfa48-51cd-45bd-9023-4bbefe17bbbe" changed="not-changed"><enum>(1)</enum><header>In general</header><text><external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">Chapter 35</external-xref> of title 44, United States Code, is amended by adding at the end the following:</text><quoted-block style="USC" display-inline="no-display-inline" id="idB784F698CC5A4419ACEAAA41B5B13444" changed="not-changed"><subchapter id="ide9047b04-f590-4f75-81de-d22a442e594d" style="USC" changed="not-changed"><enum>IV</enum><header>Federal System Incident Response</header><section section-type="subsequent-section" id="iddfc86ecf-ec25-4d4f-8a86-4d3a758593ca" changed="not-changed"><enum>3591.</enum><header>Definitions</header><subsection id="id3350d500-8ddf-4ead-9637-4de40c9fb52d" changed="not-changed"><enum>(a)</enum><header>In general</header><text>Except as provided in subsection (b), the definitions under sections 3502 and 3552 shall apply to this subchapter.</text></subsection><subsection id="id9c972761-7f37-4607-88b7-1f1aa5c5aa1a" changed="not-changed"><enum>(b)</enum><header>Additional definitions</header><text>As used in this subchapter:</text><paragraph id="id02de21b847474b94aba288314ca580c0" changed="not-changed"><enum>(1)</enum><header>Appropriate reporting entities</header><text>The term <term>appropriate reporting entities</term> means—</text><subparagraph id="idae4f968079b149f6b25cfb99e3484d2b" changed="not-changed"><enum>(A)</enum><text>the majority and minority leaders of the Senate;</text></subparagraph><subparagraph id="idca2bc10496ab4c8f85a8a3542db905df" changed="not-changed"><enum>(B)</enum><text>the Speaker and minority leader of the House of 
Representatives;</text></subparagraph><subparagraph id="idc91f73b7924241e29e763d6b4de638d0" changed="not-changed"><enum>(C)</enum><text>the Committee on Homeland Security and Governmental Affairs of the Senate;</text></subparagraph><subparagraph id="ida8c809fd6dd74840ab7eafcde5735442" changed="not-changed"><enum>(D)</enum><text>the Committee on Oversight and Reform of the House of Representatives;</text></subparagraph><subparagraph id="ida56e23bca90949eaa6e77887cac291e0" changed="not-changed"><enum>(E)</enum><text>the Committee on Homeland Security of the House of Representatives;</text></subparagraph><subparagraph id="id963aad492f9a4458ae8fc059d6014353" changed="not-changed"><enum>(F)</enum><text>the appropriate authorization and appropriations committees of Congress;</text></subparagraph><subparagraph id="id7e3a619bdeec44c6a87de3893cce0f36" changed="not-changed"><enum>(G)</enum><text>the Director;</text></subparagraph><subparagraph id="ida92d2ffbc5684b5aaa62227c2103930f" changed="not-changed"><enum>(H)</enum><text>the Director of the Cybersecurity and Infrastructure Security Agency;</text></subparagraph><subparagraph id="id5fcaf6048ccf46ac87c1b09cb3a845ae" changed="not-changed"><enum>(I)</enum><text>the National Cyber Director; </text></subparagraph><subparagraph id="id932ae72bbd90485ea8ab4c3f711fe694" changed="not-changed"><enum>(J)</enum><text>the Comptroller General of the United States; and</text></subparagraph><subparagraph id="idc26476d5700945bcab39349e94b9187b" changed="not-changed"><enum>(K)</enum><text>the inspector general of any impacted agency.</text></subparagraph></paragraph><paragraph id="id207dedbb415a499595d51fbb2d5272cb" changed="not-changed"><enum>(2)</enum><header>Awardee</header><text>The term <term>awardee</term>—</text><subparagraph id="idbb19a69b5eb4481e94b41324e845fa1b" changed="not-changed"><enum>(A)</enum><text>means a person, business, or other entity that receives a grant from, or is a party to a cooperative agreement or an other 
transaction agreement with, an agency; and</text></subparagraph><subparagraph id="id02629771bd8b4b06b10e2133f26fe389" changed="not-changed"><enum>(B)</enum><text>includes any subgrantee of a person, business, or other entity described in subparagraph (A).</text></subparagraph></paragraph><paragraph id="id417fba79d92546f2a5d0ce86923e2514"><enum>(3)</enum><header>Breach</header><text>The term <term>breach</term>—</text><subparagraph id="idae943f7bd2554ec5b48d4ea256512a67"><enum>(A)</enum><text>means the loss, control, compromise, unauthorized disclosure, or unauthorized acquisition of personally identifiable information or any similar occurrence; and</text></subparagraph><subparagraph id="id22878ee4eefb4af29d130b845e8a10df"><enum>(B)</enum><text>includes any additional meaning given the term in policies, principles, standards, or guidelines issued by the Director under section 3553(a).</text></subparagraph></paragraph><paragraph id="id0eb7fad5d0ba4b47a96f5ff62ac83cdc" changed="not-changed"><enum>(4)</enum><header>Contractor</header><text>The term <term>contractor</term> means a prime contractor of an agency or a subcontractor of a prime contractor of an agency.</text></paragraph><paragraph id="id541a003927824ae5a54dba85189bbd5b" changed="not-changed"><enum>(5)</enum><header>Federal information</header><text>The term <term>Federal information</term> means information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the Federal Government in any medium or form.</text></paragraph><paragraph id="ideb037eaa192a438eafdcbeeb8f1cf61e" changed="not-changed"><enum>(6)</enum><header>Federal information system</header><text>The term <term>Federal information system</term> means an information system used or operated by an agency, a contractor, an awardee, or another organization on behalf of an agency.</text></paragraph><paragraph id="id7535664073d34b4a8beda713b3742adb" changed="not-changed"><enum>(7)</enum><header>Intelligence 
community</header><text>The term <term>intelligence community</term> has the meaning given the term in section 3 of the National Security Act of 1947 (<external-xref legal-doc="usc" parsable-cite="usc/50/3003">50 U.S.C. 3003</external-xref>).</text></paragraph><paragraph id="idf6ca35563b544ea787852d0a033b618e" changed="not-changed"><enum>(8)</enum><header>Nationwide consumer reporting agency</header><text>The term <term>nationwide consumer reporting agency</term> means a consumer reporting agency described in section 603(p) of the Fair Credit Reporting Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1681a">15 U.S.C. 1681a(p)</external-xref>).</text></paragraph><paragraph id="id8e8838d0c2f745ef99e7295283a16b39" changed="not-changed"><enum>(9)</enum><header>Vulnerability disclosure</header><text>The term <term>vulnerability disclosure</term> means a vulnerability identified under section 3559B.</text></paragraph></subsection></section><section id="ide036192914414a49856c042bf1f0d5d8" changed="not-changed"><enum>3592.</enum><header>Notification of breach</header><subsection id="id874153581e85498fa74928bf1def8aa4" changed="not-changed"><enum>(a)</enum><header>Notification</header><text>As expeditiously as practicable and without unreasonable delay, and in any case not later than 45 days after an agency has a reasonable basis to conclude that a breach has occurred, the head of the agency, in consultation with a senior privacy officer of the agency, shall—</text><paragraph id="idd7528fb6ec8e4c96924f679665317b91" changed="not-changed"><enum>(1)</enum><text>determine whether notice to any individual potentially affected by the breach is appropriate based on an assessment of the risk of harm to the individual that considers—</text><subparagraph id="idE6E8C59AFA954BB19D9FB6F496124B9B" changed="not-changed"><enum>(A)</enum><text>the nature and sensitivity of the personally identifiable information affected by the breach;</text></subparagraph><subparagraph 
id="idB19D6ED342144D9FB08F51F7CB522C9A" changed="not-changed"><enum>(B)</enum><text>the likelihood of access to and use of the personally identifiable information affected by the breach;</text></subparagraph><subparagraph id="id8B2A170985E34EFFAEF0DBA26754482A" changed="not-changed"><enum>(C)</enum><text>the type of breach; and</text></subparagraph><subparagraph id="idC5151242ABAB4A47A1497AAE882CEC7B" changed="not-changed"><enum>(D)</enum><text>any other factors determined by the Director; and</text></subparagraph></paragraph><paragraph id="idfaa91a785a4b4c7496bd07c2ffe4cf51" changed="not-changed"><enum>(2)</enum><text>as appropriate, provide written notice in accordance with subsection (b) to each individual potentially affected by the breach—</text><subparagraph id="id92025263482341308DD32288A1379AC9" changed="not-changed"><enum>(A)</enum><text>to the last known mailing address of the individual; or</text></subparagraph><subparagraph id="id7D163CA010F749ED96D2022E6BF562EE" changed="not-changed"><enum>(B)</enum><text>through an appropriate alternative method of notification that the head of the agency or a designated senior-level individual of the agency selects based on factors determined by the Director.</text></subparagraph></paragraph></subsection><subsection id="id5970a0ce24d8460ab1c016b7d969df7e" changed="not-changed"><enum>(b)</enum><header>Contents of notice</header><text>Each notice of a breach provided to an individual under subsection (a)(2) shall include—</text><paragraph id="id3242da8c2f6f493b82923fed010e970f"><enum>(1)</enum><text>a brief description of the breach;</text></paragraph><paragraph id="ide94b3cd11bf841658b1dcd80caf2004e" changed="not-changed"><enum>(2)</enum><text>if possible, a description of the types of personally identifiable information affected by the breach;</text></paragraph><paragraph id="id54c2a8c712d5430b8e150bfa0248ffd2" changed="not-changed"><enum>(3)</enum><text>contact information of the agency that may be used to ask 
questions of the agency, which—</text><subparagraph id="id60489491185245A091AC2A7A4B653241" changed="not-changed"><enum>(A)</enum><text>shall include an e-mail address or another digital contact mechanism; and</text></subparagraph><subparagraph id="id130FB3D9E5034116AEF1E6DC2D2CFA89" changed="not-changed"><enum>(B)</enum><text>may include a telephone number, mailing address, or a website;</text></subparagraph></paragraph><paragraph id="id2c10694349d84be1b7e2b5b9f47c1f65" changed="not-changed"><enum>(4)</enum><text>information on any remedy being offered by the agency;</text></paragraph><paragraph id="iddb90f068e4e94e8492155f8486541018" changed="not-changed"><enum>(5)</enum><text>any applicable educational materials relating to what individuals can do in response to a breach that potentially affects their personally identifiable information, including relevant contact information for Federal law enforcement agencies and each nationwide consumer reporting agency; and</text></paragraph><paragraph id="iddfe49665fdd64af7bf387d5078f11ddd" changed="not-changed"><enum>(6)</enum><text>any other appropriate information, as determined by the head of the agency or established in guidance by the Director.</text></paragraph></subsection><subsection id="idb6dafb448e68452cba61e32320e37a1d" changed="not-changed"><enum>(c)</enum><header>Delay of notification</header><paragraph id="id9e711879398d41ebb30b301aa42979a1" changed="not-changed"><enum>(1)</enum><header>In general</header><text>The Attorney General, the Director of National Intelligence, or the Secretary of Homeland Security may delay a notification required under subsection (a) or (d) if the notification would—</text><subparagraph id="idA66092C269AB406E8B28472A8E2FEA0B" changed="not-changed"><enum>(A)</enum><text>impede a criminal investigation or a national security activity;</text></subparagraph><subparagraph id="id333EC8C0144148A3B380952EA2CBBE4B" changed="not-changed"><enum>(B)</enum><text>reveal sensitive sources and 
methods;</text></subparagraph><subparagraph id="id7CC50D347A6D4BD69F024C669E8F7EC1" changed="not-changed"><enum>(C)</enum><text>cause damage to national security; or</text></subparagraph><subparagraph id="id1367C1155D9C4B8D92C595814D060589" changed="not-changed"><enum>(D)</enum><text>hamper security remediation actions.</text></subparagraph></paragraph><paragraph id="id5944f5b8a1d84b4b96851263c88072bd" changed="not-changed"><enum>(2)</enum><header>Documentation</header><subparagraph id="id211e8cd24764451494f388b26b0fe264" changed="not-changed"><enum>(A)</enum><header>In general</header><text>Any delay under paragraph (1) shall be reported in writing to the Director, the Attorney General, the Director of National Intelligence, the Secretary of Homeland Security, the National Cyber Director, the Director of the Cybersecurity and Infrastructure Security Agency, and the head of the agency and the inspector general of the agency that experienced the breach.</text></subparagraph><subparagraph id="id263e5e04215a46abaf3563cfb328373d" changed="not-changed"><enum>(B)</enum><header>Contents</header><text>A report required under subparagraph (A) shall include a written statement from the entity that delayed the notification explaining the need for the delay.</text></subparagraph><subparagraph id="id0f6511b934614ba48e3d61f85a768f62" changed="not-changed"><enum>(C)</enum><header>Form</header><text>The report required under subparagraph (A) shall be unclassified but may include a classified annex.</text></subparagraph></paragraph><paragraph id="id82cbbc0d568e4690859442cd3c99386e" changed="not-changed"><enum>(3)</enum><header>Renewal</header><text>A delay under paragraph (1) shall be for a period of 60 days and may be renewed.</text></paragraph></subsection><subsection id="id120b2d4c77214098894ef379490aca7e" changed="not-changed"><enum>(d)</enum><header>Update notification</header><text>If an agency determines there is a significant change in the reasonable basis to conclude that 
a breach occurred, a significant change to the determination made under subsection (a)(1), or that it is necessary to update the details of the information provided to potentially affected individuals as described in subsection (b), the agency shall as expeditiously as practicable and without unreasonable delay, and in any case not later than 30 days after such a determination, notify each individual who received a notification pursuant to subsection (a) of those changes.</text></subsection><subsection id="id5e6c2c70499848f3bb6e91efda1488bc" changed="not-changed"><enum>(e)</enum><header>Rule of construction</header><text>Nothing in this section shall be construed to limit—</text><paragraph id="id4c01a626fc5a4278be9b9db1aa0704c8" changed="not-changed"><enum>(1)</enum><text>the Director from issuing guidance relating to notifications or the head of an agency from notifying individuals potentially affected by breaches that are not determined to be major incidents; or</text></paragraph><paragraph id="ida0ced500611d49e89b59e0c368e17f45" changed="not-changed"><enum>(2)</enum><text>the Director from issuing guidance relating to notifications of major incidents or the head of an agency from providing more information than described in subsection (b) when notifying individuals potentially affected by breaches.</text></paragraph></subsection></section><section id="id617d4d3a6b0c4530bbd71c35face436d" changed="not-changed"><enum>3593.</enum><header>Congressional and Executive Branch reports</header><subsection id="idd6154cf0bea94044b09546bdf06b2141" changed="not-changed"><enum>(a)</enum><header>Initial report</header><paragraph id="idc5add40818104be198ff273d5923161a" changed="not-changed"><enum>(1)</enum><header>In general</header><text>Not later than 72 hours after an agency has a reasonable basis to conclude that a major incident occurred, the head of the agency impacted by the major incident shall submit to the appropriate reporting entities a written report and, to the 
extent practicable, provide a briefing to the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Oversight and Reform of the House of Representatives, the Committee on Homeland Security of the House of Representatives, and the appropriate authorization and appropriations committees of Congress, taking into account—</text><subparagraph id="idb83b1a2448934499ae6535bba42c0c77" changed="not-changed"><enum>(A)</enum><text>the information known at the time of the report;</text></subparagraph><subparagraph id="ida3b579ab52144ba085af62d47978e203" changed="not-changed"><enum>(B)</enum><text>the sensitivity of the details associated with the major incident; and</text></subparagraph><subparagraph id="id4e22d6ce8d2c42c38d5e879a3b7da87b" changed="not-changed"><enum>(C)</enum><text>the classification level of the information contained in the report.</text></subparagraph></paragraph><paragraph commented="no" id="id69af3eedda424c2baa2dd8b7a74dd283" changed="not-changed"><enum>(2)</enum><header>Contents</header><text>A report required under paragraph (1) shall include, in a manner that excludes or otherwise reasonably protects personally identifiable information and to the extent permitted by applicable law, including privacy and statistical laws—</text><subparagraph id="idd1fa610f970842c19e3fe78257c95ca7" changed="not-changed"><enum>(A)</enum><text>a summary of the information available about the major incident, including how the major incident occurred, information indicating that the major incident may be a breach, and information relating to the major incident as a breach, based on information available to agency officials as of the date on which the agency submits the report;</text></subparagraph><subparagraph id="id8a62dd1e07d9414b81988b1e67ca5772" changed="not-changed"><enum>(B)</enum><text>if applicable, a description and any associated documentation of any circumstances necessitating a delay in a notification to individuals potentially 
affected by the major incident under section 3592(c);</text></subparagraph><subparagraph id="id2f17999cd13b480e810567adc0ddca44" changed="not-changed"><enum>(C)</enum><text>if applicable, an assessment of the impacts to the agency, the Federal Government, or the security of the United States, based on information available to agency officials on the date on which the agency submits the report; and</text></subparagraph><subparagraph id="id5164f38b5c7a4de7bd91c0010dd74de1"><enum>(D)</enum><text>if applicable, whether any ransom has been demanded or paid, or plans to be paid, by any entity operating a Federal information system or with access to a Federal information system, unless disclosure of such information may disrupt an active Federal law enforcement or national security operation. </text></subparagraph></paragraph></subsection><subsection id="idfe73756438e14ff2b7930acaf9435954" changed="not-changed"><enum>(b)</enum><header>Supplemental report</header><text>Within a reasonable amount of time, but not later than 30 days after the date on which an agency submits a written report under subsection (a), the head of the agency shall provide to the appropriate reporting entities written updates, which may include classified annexes, on the major incident and, to the extent practicable, provide a briefing, which may include a classified component, to the congressional committees described in subsection (a)(1), including summaries of—</text><paragraph id="id42b741b57246468baba314dd3ef6b87a" changed="not-changed"><enum>(1)</enum><text>vulnerabilities, means by which the major incident occurred, and impacts to the agency relating to the major incident;</text></paragraph><paragraph id="id8979400312f74567bfa7a64daa62efd0" changed="not-changed"><enum>(2)</enum><text>any risk assessment and subsequent risk-based security implementation of the affected information system before the date on which the major incident occurred;</text></paragraph><paragraph 
id="id60db386fd7e845a8bac61e06d2b30aac"><enum>(3)</enum><text>the status of compliance of the affected information system with applicable security requirements that are directly related to the cause of the incident, at the time of the major incident;</text></paragraph><paragraph id="id43cdaa04d2704ef2839bfeb60184c835" changed="not-changed"><enum>(4)</enum><text>an estimate of the number of individuals potentially affected by the major incident based on information available to agency officials as of the date on which the agency provides the update;</text></paragraph><paragraph id="idb5a4d2f4f1a54776a0055aab6c3dfa95" changed="not-changed"><enum>(5)</enum><text>an assessment of the risk of harm to individuals potentially affected by the major incident based on information available to agency officials as of the date on which the agency provides the update;</text></paragraph><paragraph id="iddb8b8287f165401eb6037abeab331bf4" changed="not-changed"><enum>(6)</enum><text>an update to the assessment of the risk to agency operations, or to impacts on other agency or non-Federal entity operations, affected by the major incident based on information available to agency officials as of the date on which the agency provides the update;</text></paragraph><paragraph id="id5235f44c75084410aa83b02b675fdc06"><enum>(7)</enum><text>the detection, response, and remediation actions of the agency, including any support provided by the Cybersecurity and Infrastructure Security Agency under section 3594(d) and status updates on the notification process described in section 3592(a), including any delay described in section 3592(c), if applicable; and</text></paragraph><paragraph id="id1d20c78b2be94dcaa9041a08c7275483"><enum>(8)</enum><text>if applicable, a description of any circumstances or data leading the head of the agency to determine, pursuant to section 3592(a)(1), not to notify individuals potentially impacted by a breach.</text></paragraph></subsection><subsection 
id="idead7fbaf1acd4d3cba3752636c6a4a0f" changed="not-changed"><enum>(c)</enum><header>Update report</header><text>If the agency determines that there is any significant change in the understanding of the agency of the scope, scale, or consequence of a major incident for which an agency submitted a written report under subsection (a), the agency shall provide an updated report to the appropriate reporting entities that includes information relating to the change in understanding.</text></subsection><subsection id="idd5a7f8b372d94df18a10105857fe23c0" changed="not-changed"><enum>(d)</enum><header>Biannual report</header><text>Each agency shall submit as part of the biannual report required under section 3554(c)(1) of this title a description of each major incident that occurred during the 2-year period preceding the date on which the biannual report is submitted.</text></subsection><subsection id="idf97e48a9fa9d455f9b784a0bbed35c62" changed="not-changed"><enum>(e)</enum><header>Delay and lack of notification report</header><paragraph id="idebdfea29cb6e4857aada75f602dfd4f1"><enum>(1)</enum><header>In general</header><text>The Director shall submit to the appropriate reporting entities an annual report on all notification delays granted pursuant to section 3592(c).</text></paragraph><paragraph id="idccb44e61ccf24adfb1de4984e0961be9"><enum>(2)</enum><header>Lack of breach notification</header><text>The Director shall submit to the appropriate reporting entities an annual report on each breach with respect to which the head of an agency determined, pursuant to section 3592(a)(1), not to notify individuals potentially impacted by the breach.</text></paragraph><paragraph id="id4E4086FE22844DAE8FBDDF08A6FD7138" changed="not-changed"><enum>(3)</enum><header>Component of other report</header><text>The Director may submit the report required under paragraph (1) as a component of the annual report submitted under section 3597(b).</text></paragraph></subsection><subsection 
id="idb2ded82cbf754d058e7f193c8342b231" changed="not-changed"><enum>(f)</enum><header>Report delivery</header><text>Any written report required to be submitted under this section may be submitted in a paper or electronic format.</text></subsection><subsection id="id232fe9f71689458ab48cdac32b9c3a37" changed="not-changed"><enum>(g)</enum><header>Threat briefing</header><paragraph id="id435EE040EC5146668E1987AC105E0438" changed="not-changed"><enum>(1)</enum><header>In general</header><text>Not later than 7 days after the date on which an agency has a reasonable basis to conclude that a major incident occurred, the head of the agency, jointly with the Director, the National Cyber Director and any other Federal entity determined appropriate by the National Cyber Director, shall provide a briefing to the congressional committees described in subsection (a)(1) on the threat causing the major incident.</text></paragraph><paragraph id="idA440D5544DD444E385844B9239F52AE2" changed="not-changed"><enum>(2)</enum><header>Components</header><text>The briefing required under paragraph (1)—</text><subparagraph id="id9F049270F9BB4AEAB93DE805FAB998DB" changed="not-changed"><enum>(A)</enum><text>shall, to the greatest extent practicable, include an unclassified component; and</text></subparagraph><subparagraph id="id3BB10BFDDDD440D2B1361458D21B9520" changed="not-changed"><enum>(B)</enum><text>may include a classified component.</text></subparagraph></paragraph></subsection><subsection id="id2775f553635c4bb2bb3b62b2bda6dcaa" changed="not-changed"><enum>(h)</enum><header>Rule of construction</header><text>Nothing in this section shall be construed to limit—</text><paragraph id="id6f91fe8d75434d0aa252698c864064e6" changed="not-changed"><enum>(1)</enum><text>the ability of an agency to provide additional reports or briefings to Congress; or</text></paragraph><paragraph id="id6df78e53cfdc4e05b177530d7abe2d0a" changed="not-changed"><enum>(2)</enum><text>Congress from requesting additional 
information from agencies through reports, briefings, or other means.</text></paragraph></subsection></section><section id="ida429bf7d0f0f4d1b959d4adecc44a970" changed="not-changed"><enum>3594.</enum><header>Government information sharing and incident response</header><subsection id="idbaca5b2604e34f06810f7984b95dfa75" changed="not-changed"><enum>(a)</enum><header>In general</header><paragraph id="id0625d8bc8c2d4c3c9b1512e548d01b9b" changed="not-changed"><enum>(1)</enum><header>Incident reporting</header><text>Subject to the limitations described in subsection (b), the head of each agency shall provide any information relating to any incident affecting the agency, whether the information is obtained by the Federal Government directly or indirectly, to the Cybersecurity and Infrastructure Security Agency. </text></paragraph><paragraph id="id0954a79d3307403593484c4722e1d465" changed="not-changed"><enum>(2)</enum><header>Contents</header><text>A provision of information relating to an incident made by the head of an agency under paragraph (1) shall—</text><subparagraph id="id53bfb18eb4df439b8f46e8eb8df3e240" changed="not-changed"><enum>(A)</enum><text>include detailed information about the safeguards that were in place when the incident occurred;</text></subparagraph><subparagraph id="id4e9ee241bea04fc380e12e6dcbae9144" changed="not-changed"><enum>(B)</enum><text>whether the agency implemented the safeguards described in subparagraph (A) correctly;</text></subparagraph><subparagraph id="id4829a2519df041b1baf66b36fd896598" changed="not-changed"><enum>(C)</enum><text>in order to protect against a similar incident, identify—</text><clause id="id0c4414d8fd684303ace633eed0143c60" changed="not-changed"><enum>(i)</enum><text>how the safeguards described in subparagraph (A) should be implemented differently; and</text></clause><clause id="id9534ac4d73da45d08f874b74361370e3" changed="not-changed"><enum>(ii)</enum><text>additional necessary safeguards; 
and</text></clause></subparagraph><subparagraph id="idD9AC796120874F4BAC57A405D5E5A4B1" changed="not-changed"><enum>(D)</enum><text>include information to aid in incident response, such as—</text><clause id="idBBB1616D09784DBEB4A63B4EC28FAFD5" changed="not-changed"><enum>(i)</enum><text>a description of the affected systems or networks;</text></clause><clause id="id7643CAAEF79242848E09EC68FEC53769" changed="not-changed"><enum>(ii)</enum><text>the estimated dates of when the incident occurred; and</text></clause><clause id="idb01e9c35355243bea55b1836e9f7ec52"><enum>(iii)</enum><text>information that could reasonably help identify the party that conducted the incident or the cause of the incident, subject to appropriate privacy protections.</text></clause></subparagraph></paragraph><paragraph id="id8de1e166ce754a0d8493a529f4a698db"><enum>(3)</enum><header>Information sharing</header><text>The Director of the Cybersecurity and Infrastructure Security Agency shall—</text><subparagraph id="id1e109923bcb3458baf078057443ed825"><enum>(A)</enum><text>make incident information provided under paragraph (1) available to the Director and the National Cyber Director;</text></subparagraph><subparagraph id="id1cc0a73745c342cc81ef8024f0a06cac"><enum>(B)</enum><text>to the greatest extent practicable, share information relating to an incident with the head of any agency that may be—</text><clause id="idBC7C1036A18241A2A9F0C58B2ADD05DB"><enum>(i)</enum><text>impacted by the incident;</text></clause><clause id="id7E2C5816190D47BE9D36C85E079617C3"><enum>(ii)</enum><text>similarly susceptible to the incident; or</text></clause><clause id="id3313FBE1E579431C99552B643B269960"><enum>(iii)</enum><text>similarly targeted by the incident; and</text></clause></subparagraph><subparagraph id="ida99c9dd24823463e9b149eae4eebafda"><enum>(C)</enum><text>coordinate any necessary information sharing efforts relating to a major incident with the private sector. 
</text></subparagraph></paragraph><paragraph id="id85eeb3adf98b4287935c15d8e0895c49" changed="not-changed"><enum>(4)</enum><header>National security systems</header><text>Each agency operating or exercising control of a national security system shall share information about incidents that occur on national security systems with the Director of the Cybersecurity and Infrastructure Security Agency to the extent consistent with standards and guidelines for national security systems issued in accordance with law and as directed by the President. </text></paragraph></subsection><subsection id="idba4d0606718c419c981dda507adb5623" changed="not-changed"><enum>(b)</enum><header>Compliance</header><text>In providing information and selecting a method to provide information under subsection (a), the head of each agency shall take into account the level of classification of the information and any information sharing limitations and protections, such as limitations and protections relating to law enforcement, national security, privacy, statistical confidentiality, or other factors determined by the Director in order to implement subsection (a)(1) in a manner that enables automated and consistent reporting to the greatest extent practicable.</text></subsection><subsection id="id4e0949f3bb104793ae8513610edffa20" changed="not-changed"><enum>(c)</enum><header>Incident response</header><text>Each agency that has a reasonable basis to conclude that a major incident occurred involving Federal information in electronic medium or form that does not exclusively involve a national security system, regardless of delays from notification granted for a major incident that is also a breach, shall coordinate with the Cybersecurity and Infrastructure Security Agency to facilitate asset response activities and provide recommendations for mitigating future incidents.</text></subsection></section><section id="idb57d5aaf7bb7478fbfff861515e0a2f6" 
changed="not-changed"><enum>3595.</enum><header>Responsibilities of contractors and awardees</header><subsection id="id980b69f7c2694933a3c9d1251d177cd4" changed="not-changed"><enum>(a)</enum><header>Reporting</header><paragraph id="id8773e3f182e64d4e809b2a88d60820cb" changed="not-changed"><enum>(1)</enum><header>In general</header><text>Unless otherwise specified in a contract, grant, cooperative agreement, or an other transaction agreement, any contractor or awardee of an agency shall report to the agency within the same amount of time such agency is required to report an incident to the Cybersecurity and Infrastructure Security Agency, if the contractor or awardee has a reasonable basis to suspect or conclude that—</text><subparagraph id="id79865a13978a49c9b78d6a044b235fa6" changed="not-changed"><enum>(A)</enum><text>an incident or breach has occurred with respect to Federal information collected, used, or maintained by the contractor or awardee in connection with the contract, grant, cooperative agreement, or other transaction agreement of the contractor or awardee;</text></subparagraph><subparagraph id="idb57d673a5a5549119b81cc5e2a2d8de9"><enum>(B)</enum><text>an incident or breach has occurred with respect to a Federal information system used or operated by the contractor or awardee in connection with the contract, grant, cooperative agreement, or other transaction agreement of the contractor or awardee; or</text></subparagraph><subparagraph id="id4ef592ffa73b4729b40f2f47b850ce58"><enum>(C)</enum><text>the contractor or awardee has received information from the agency that the contractor or awardee is not authorized to receive in connection with the contract, grant, cooperative agreement, or other transaction agreement of the contractor or awardee. 
</text></subparagraph></paragraph><paragraph id="ida0c1192c038545b78e7a4f5c7b98fcfc" changed="not-changed"><enum>(2)</enum><header>Procedures</header><subparagraph id="id214d719619514b959ad0bc9e01dca96d" changed="not-changed"><enum>(A)</enum><header>Major incident</header><text>Following a report of a breach or major incident by a contractor or awardee under paragraph (1), the agency, in consultation with the contractor or awardee, shall carry out the requirements under sections 3592, 3593, and 3594 with respect to the major incident.</text></subparagraph><subparagraph id="id71811b76f5b8479290df8a7ac48db0a2" changed="not-changed"><enum>(B)</enum><header>Incident</header><text>Following a report of an incident by a contractor or awardee under paragraph (1), an agency, in consultation with the contractor or awardee, shall carry out the requirements under section 3594 with respect to the incident.</text></subparagraph></paragraph></subsection><subsection id="idf2efe0399fda4b1c8d5dcc7034c5aadf" changed="not-changed"><enum>(b)</enum><header>Effective date</header><text>This section shall apply—</text><paragraph changed="not-changed" id="idF50AB1A7901E438FB856951F34DA84B5"><enum>(1)</enum><text>on and after the date that is 1 year after the date of enactment of the <short-title>Federal Information Security Modernization Act of 2022</short-title>; and</text></paragraph><paragraph changed="not-changed" id="id091FFBC21CAC4359BF10A59CC99E5BEC"><enum>(2)</enum><text>with respect to any contract entered into on or after the date described in paragraph (1).</text></paragraph></subsection></section><section id="id66b3cc885f234dddb4442d794bf046f8" changed="not-changed"><enum>3596.</enum><header>Training</header><subsection id="idE18743C0922D4286A1C3A60473F7FF7F" changed="not-changed"><enum>(a)</enum><header>Covered individual defined</header><text>In this section, the term <quote>covered individual</quote> means an individual who obtains access to Federal information or Federal 
information systems because of the status of the individual as an employee, contractor, awardee, volunteer, or intern of an agency.</text></subsection><subsection id="id342254d78dd94ebfbbe25e44f59ecb31" changed="not-changed"><enum>(b)</enum><header>Requirement</header><text>The head of each agency shall develop training for covered individuals on how to identify and respond to an incident, including—</text><paragraph id="idffa489213a744897966b4605d031ff2c" changed="not-changed"><enum>(1)</enum><text>the internal process of the agency for reporting an incident; and</text></paragraph><paragraph id="idd72a1b0ef6bf47e48fe6262f9403fa40" changed="not-changed"><enum>(2)</enum><text>the obligation of a covered individual to report to the agency a confirmed major incident and any suspected incident involving information in any medium or form, including paper, oral, and electronic.</text></paragraph></subsection><subsection id="id0a12c95ff351473db1a35239426f02dc" changed="not-changed"><enum>(c)</enum><header>Inclusion in annual training</header><text>The training developed under subsection (b) may be included as part of an annual privacy or security awareness training of an agency.</text></subsection></section><section id="id57ca4b1fec454926b6e0ed4bfcbddcc4" changed="not-changed"><enum>3597.</enum><header>Analysis and report on Federal incidents</header><subsection id="ideb4846cb7b5f47338c3562314c1fee0d" changed="not-changed"><enum>(a)</enum><header>Analysis of federal incidents</header><paragraph id="id655630bd67ef4392a01e8b293ba70e6e" changed="not-changed"><enum>(1)</enum><header>Quantitative and qualitative analyses</header><text>The Director of the Cybersecurity and Infrastructure Security Agency shall develop, in consultation with the Director and the National Cyber Director, and perform continuous monitoring and quantitative and qualitative analyses of incidents at agencies, including major incidents, including—</text><subparagraph 
id="idc530b6a3e9af4ba0b04106812c3dbf59" changed="not-changed"><enum>(A)</enum><text>the causes of incidents, including—</text><clause id="id79bec0c246364ba1a9f36179bedb0b9e" changed="not-changed"><enum>(i)</enum><text>attacker tactics, techniques, and procedures; and</text></clause><clause id="idc56bfb4659f748408792bf1f15848a6b" changed="not-changed"><enum>(ii)</enum><text>system vulnerabilities, including zero days, unpatched systems, and information system misconfigurations;</text></clause></subparagraph><subparagraph id="idb7342f4fd7c041ed87e8b7ae5cc662e2" changed="not-changed"><enum>(B)</enum><text>the scope and scale of incidents at agencies;</text></subparagraph><subparagraph id="idba25daf34109483eaa7bc155eb6c6bbb"><enum>(C)</enum><text>common root causes of incidents across multiple Federal agencies;</text></subparagraph><subparagraph id="idecb2f35323d04532968e4faca11420a4"><enum>(D)</enum><text>agency incident response, recovery, and remediation actions and the effectiveness of those actions, as applicable;</text></subparagraph><subparagraph id="id173a5580693e4cf0aa4157bc85f87df1"><enum>(E)</enum><text>lessons learned and recommendations in responding to, recovering from, remediating, and mitigating future incidents; and</text></subparagraph><subparagraph id="id7877546be8cc41dd8d59062b2388c191"><enum>(F)</enum><text>trends across multiple Federal agencies to address intrusion detection and incident response capabilities using the metrics established under section 224(c) of the Cybersecurity Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1522">6 U.S.C. 
1522(c)</external-xref>).</text></subparagraph></paragraph><paragraph id="id0e711ca18d6f4481a5bb547e55703df5" changed="not-changed"><enum>(2)</enum><header>Automated analysis</header><text>The analyses developed under paragraph (1) shall, to the greatest extent practicable, use machine readable data, automation, and machine learning processes.</text></paragraph><paragraph id="id1faf2a6319264f5f848b6479d064880e" changed="not-changed"><enum>(3)</enum><header>Sharing of data and analysis</header><subparagraph id="idc8d49429e9ea455a8e3c8fcb9a56a45d" changed="not-changed"><enum>(A)</enum><header>In general</header><text>The Director shall share on an ongoing basis the analyses required under this subsection with agencies and the National Cyber Director to—</text><clause id="id3e5553ecf56f4bdfb179be080cf2a2aa" changed="not-changed"><enum>(i)</enum><text>improve the understanding of cybersecurity risk of agencies; and</text></clause><clause id="id7b69961208d04facbf1aa489338ea2de" changed="not-changed"><enum>(ii)</enum><text>support the cybersecurity improvement efforts of agencies.</text></clause></subparagraph><subparagraph id="idc32f8258b5824b1686d3715b4a4f1171" changed="not-changed"><enum>(B)</enum><header>Format</header><text>In carrying out subparagraph (A), the Director shall share the analyses—</text><clause id="id29838664a42b4f4198898f928bb1f8bd" changed="not-changed"><enum>(i)</enum><text>in human-readable written products; and</text></clause><clause id="ide118aad71c10499aa3fe9c6a73284978" changed="not-changed"><enum>(ii)</enum><text>to the greatest extent practicable, in machine-readable formats in order to enable automated intake and use by agencies.</text></clause></subparagraph></paragraph></subsection><subsection id="id473ab22b690e41feb946901f7bb19017" changed="not-changed"><enum>(b)</enum><header>Annual report on Federal incidents</header><text>Not later than 2 years after the date of enactment of this section, and not less frequently than annually 
thereafter, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, the National Cyber Director and the heads of other Federal agencies, as appropriate, shall submit to the appropriate reporting entities a report that includes—</text><paragraph id="id418cc77785c74b2c87966b0623115856" changed="not-changed"><enum>(1)</enum><text>a summary of causes of incidents from across the Federal Government that categorizes those incidents as incidents or major incidents;</text></paragraph><paragraph id="idc5cae18e7206412eb20477f79bb62610"><enum>(2)</enum><text>the quantitative and qualitative analyses of incidents developed under subsection (a)(1) on an agency-by-agency basis and comprehensively across the Federal Government, including—</text><subparagraph id="id0c6fea65afb944b78a89c92b3055acce"><enum>(A)</enum><text>a specific analysis of breaches; and</text></subparagraph><subparagraph id="idc6ae01d80bca496089be2af9eeaddf1f"><enum>(B)</enum><text>an analysis of the Federal Government’s performance against the metrics established under section 224(c) of the Cybersecurity Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1522">6 U.S.C. 
1522(c)</external-xref>); and</text></subparagraph></paragraph><paragraph id="id84c49027c6114c38b011923c2da8b3dc" changed="not-changed"><enum>(3)</enum><text>an annex for each agency that includes—</text><subparagraph id="id48CD5EBE5071466D88539EAE8A83DFF4" changed="not-changed"><enum>(A)</enum><text>a description of each major incident; </text></subparagraph><subparagraph id="idD08142C8CFB2489C837E6FF360A172C1" changed="not-changed"><enum>(B)</enum><text>the total number of incidents of the agency; and</text></subparagraph><subparagraph id="id8a684943efef4dda9c1b7baeff607734"><enum>(C)</enum><text>an analysis of the agency’s performance against the metrics established under section 224(c) of the Cybersecurity Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1522">6 U.S.C. 1522(c)</external-xref>). </text></subparagraph></paragraph></subsection><subsection id="id90bd9d14dadc4a88aee855aded864adf" changed="not-changed"><enum>(c)</enum><header>Publication</header><paragraph changed="not-changed" id="id55BA0D20C9FB4F028C3E9120731DA29B"><enum>(1)</enum><header>In general</header><text>A version of each report submitted under subsection (b) shall be made publicly available on the website of the Cybersecurity and Infrastructure Security Agency during the year in which the report is submitted.</text></paragraph><paragraph id="id61f2f926a5fe4e56bb2d34a1e29404e9"><enum>(2)</enum><header>Exemption</header><text>The Director of the Cybersecurity and Infrastructure Security Agency may exempt all or a portion of a report described in paragraph (1) from public publication if the Director of the Cybersecurity and Infrastructure Security Agency determines the exemption is in the interest of national security.</text></paragraph><paragraph id="id44f8bae154f14cf2816d4b11d7a56721"><enum>(3)</enum><header>Limitation on exemption</header><text>An exemption granted under paragraph (2) shall not apply to any version of a report submitted to the appropriate reporting 
entities under subsection (b). </text></paragraph></subsection><subsection id="id8a0981a11de64326a7bcdab9c15e2d67" changed="not-changed"><enum>(d)</enum><header>Information provided by agencies</header><paragraph id="iddcc3f362be514708ac01fc091645e38b" changed="not-changed"><enum>(1)</enum><header>In general</header><text>The analysis required under subsection (a) and each report submitted under subsection (b) shall use information provided by agencies under section 3594(a).</text></paragraph><paragraph id="id5670251766f943b8b1035351693aa725" changed="not-changed"><enum>(2)</enum><header>Noncompliance reports</header><subparagraph id="id68A06D7336FC4BB1A939092DF9B60BD3" changed="not-changed"><enum>(A)</enum><header>In general</header><text>Subject to subparagraph (B), during any year during which the head of an agency does not provide data for an incident to the Cybersecurity and Infrastructure Security Agency in accordance with section 3594(a), the head of the agency, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and the Director, shall submit to the appropriate reporting entities a report that includes the information described in subsection (b) with respect to the agency.</text></subparagraph><subparagraph id="id95611D110BAF4D67945250B7F8F1E29E" changed="not-changed"><enum>(B)</enum><header>Exception for national security systems</header><text>The head of an agency that owns or exercises control of a national security system shall not include data for an incident that occurs on a national security system in any report submitted under subparagraph (A).</text></subparagraph></paragraph><paragraph id="id24cd53c4aa2e4920a521ee6191103ff6" changed="not-changed"><enum>(3)</enum><header>National security system reports</header><subparagraph id="id86DE1AD313744777B5511EDB2F593172" changed="not-changed"><enum>(A)</enum><header>In general</header><text>Annually, the head of an agency that operates or exercises control of a 
national security system shall submit a report that includes the information described in subsection (b) with respect to the national security system to the extent that the submission is consistent with standards and guidelines for national security systems issued in accordance with law and as directed by the President to—</text><clause id="id03919751DB664947AF54EEBBCBC1054F" changed="not-changed"><enum>(i)</enum><text>the majority and minority leaders of the Senate;</text></clause><clause id="idcf611ec355a34c919dc2dfb5eb64758b" changed="not-changed"><enum>(ii)</enum><text>the Speaker and minority leader of the House of Representatives;</text></clause><clause id="id12d84612728843f984dd133ce2042d33" changed="not-changed"><enum>(iii)</enum><text>the Committee on Homeland Security and Governmental Affairs of the Senate;</text></clause><clause id="idE18F04D52EB34C3E9E29636DD47D4A85" changed="not-changed"><enum>(iv)</enum><text>the Select Committee on Intelligence of the Senate;</text></clause><clause id="idB50B8D8845E942B3BED3B70F1B031CC3" changed="not-changed"><enum>(v)</enum><text>the Committee on Armed Services of the Senate;</text></clause><clause changed="not-changed" id="idCC13F232ECFD42B4B7C84BE10E5B1C5B"><enum>(vi)</enum><text>the Committee on Appropriations of the Senate;</text></clause><clause id="id5a474ddbb3f74bcd968e1624624bc7f6" changed="not-changed"><enum>(vii)</enum><text>the Committee on Oversight and Reform of the House of Representatives;</text></clause><clause id="id7ca750f0f0e54cedab96a301a8f82ce0" changed="not-changed"><enum>(viii)</enum><text>the Committee on Homeland Security of the House of Representatives;</text></clause><clause id="id9A3547639E73429EBCBCCFDF858AEA34" changed="not-changed"><enum>(ix)</enum><text>the Permanent Select Committee on Intelligence of the House of Representatives;</text></clause><clause id="idC4092A28C1B5421FA4F402604711A34E" changed="not-changed"><enum>(x)</enum><text>the Committee on Armed Services of the House of 
Representatives; and</text></clause><clause changed="not-changed" id="id5CCDE32EB85D4491AF529C1C087F2C08"><enum>(xi)</enum><text>the Committee on Appropriations of the House of Representatives.</text></clause></subparagraph><subparagraph id="id1B7EF26AAE704C8BBC719D3F88885537" changed="not-changed"><enum>(B)</enum><header>Classified form</header><text>A report required under subparagraph (A) may be submitted in a classified form.</text></subparagraph></paragraph></subsection><subsection id="id696AF34D3ACC41069ACF86087C1DD61B" changed="not-changed"><enum>(e)</enum><header>Requirement for compiling information</header><text>In publishing the public report required under subsection (c), the Director of the Cybersecurity and Infrastructure Security Agency shall sufficiently compile information such that no specific incident of an agency can be identified, except with the concurrence of the Director of the Office of Management and Budget and in consultation with the impacted agency.</text></subsection></section><section id="id87b0b898-6995-4478-9399-d017dd5e4ee9" changed="not-changed"><enum>3598.</enum><header>Major incident definition</header><subsection id="id7fba1c42-0647-4900-9818-5dd8e88b6c49" changed="not-changed"><enum>(a)</enum><header>In general</header><text>Not later than 180 days after the date of enactment of the <short-title>Federal Information Security Modernization Act of 2022</short-title>, the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director, shall develop and promulgate guidance on the definition of the term <quote>major incident</quote> for the purposes of subchapter II and this subchapter.</text></subsection><subsection id="id1adc7a15-eb80-4083-868b-e04fd2906228" changed="not-changed"><enum>(b)</enum><header>Requirements</header><text>With respect to the guidance issued under subsection (a), the definition of the term <term>major incident</term> 
shall—</text><paragraph id="id875ee793d1b546c08f139c7ac6fdd7d6" changed="not-changed"><enum>(1)</enum><text>include, with respect to any information collected or maintained by or on behalf of an agency or an information system used or operated by an agency or by a contractor of an agency or another organization on behalf of an agency—</text><subparagraph id="id3f8aeb78f18c42fc8a40c8dea5d1d4c8" changed="not-changed"><enum>(A)</enum><text>any incident the head of the agency determines is likely to have an impact on—</text><clause id="id086948B1865F4B039D31FFD07CFB7B2A" changed="not-changed"><enum>(i)</enum><text>the national security, homeland security, or economic security of the United States; or</text></clause><clause id="id5AD601D242A747E59E1400DA9BC73987" changed="not-changed"><enum>(ii)</enum><text>the civil liberties or public health and safety of the people of the United States;</text></clause></subparagraph><subparagraph id="id3110f6c5017742afa794b607eeffefe3" changed="not-changed"><enum>(B)</enum><text>any incident the head of the agency determines likely to result in an inability for the agency, a component of the agency, or the Federal Government, to provide 1 or more critical services;</text></subparagraph><subparagraph id="idb21668313c1b4a7b8d0d85f45326ca7c" changed="not-changed"><enum>(C)</enum><text>any incident that the head of an agency, in consultation with a senior privacy officer of the agency, determines is likely to have a significant privacy impact on 1 or more individuals;</text></subparagraph><subparagraph id="idc7f535882c704b0a8c075e9c08ddf759" changed="not-changed"><enum>(D)</enum><text>any incident that the head of the agency, in consultation with a senior privacy official of the agency, determines is likely to have a substantial privacy impact on a significant number of individuals;</text></subparagraph><subparagraph id="ide96d55aa60c141dcafd5a2ec26faf299"><enum>(E)</enum><text>any incident the head of the agency determines substantially 
disrupts the operations of a high value asset owned or operated by the agency;</text></subparagraph><subparagraph id="idd1f115af02614fb88169c52cd1e9c189" changed="not-changed"><enum>(F)</enum><text>any incident involving the exposure of sensitive agency information to a foreign entity, such as the communications of the head of the agency, the head of a component of the agency, or the direct reports of the head of the agency or the head of a component of the agency; and</text></subparagraph><subparagraph id="id82537aa185af4ddab802edd64405f5be" changed="not-changed"><enum>(G)</enum><text>any other type of incident determined appropriate by the Director;</text></subparagraph></paragraph><paragraph id="idbc70e0eaa92d43a6afb78d89bb236891" changed="not-changed"><enum>(2)</enum><text>stipulate that the National Cyber Director, in consultation with the Director, shall declare a major incident at each agency impacted by an incident if it is determined that an incident—</text><subparagraph id="id342ae7a276114fedb5fcd7af2edf41d2" changed="not-changed"><enum>(A)</enum><text>occurs at not less than 2 agencies; and</text></subparagraph><subparagraph id="id871449290a8940c4ae4eb81a123fe1a7" changed="not-changed"><enum>(B)</enum><text>is enabled by—</text><clause id="idCA8053C2025649F1B5710DE24CA67DDA" changed="not-changed"><enum>(i)</enum><text>a common technical root cause, such as a supply chain compromise, a common software or hardware vulnerability; or</text></clause><clause id="idE0A9262A47DC4D53AB29A0BFF768D985" changed="not-changed"><enum>(ii)</enum><text>the related activities of a common threat actor; and</text></clause></subparagraph></paragraph><paragraph id="idece4f9a51ac644538aca086edbd62202"><enum>(3)</enum><text>stipulate that, in determining whether an incident constitutes a major incident because that incident is any incident described in paragraph (1), the head of the agency shall consult with the National Cyber Director and may consult with the Director of the 
Cybersecurity and Infrastructure Security Agency.</text></paragraph></subsection><subsection id="id975dc5b8-a5f8-4b6e-987f-3e651456c538" changed="not-changed"><enum>(c)</enum><header>Significant number of individuals</header><text>In determining what constitutes a significant number of individuals under subsection (b)(1)(D), the Director—</text><paragraph id="id3B577563E9204F75BD6F05E344C18D56" changed="not-changed"><enum>(1)</enum><text>may determine a threshold for a minimum number of individuals that constitutes a significant amount; and</text></paragraph><paragraph id="idB63DF28583AE4D33B930A4B41564EE04" changed="not-changed"><enum>(2)</enum><text>may not determine a threshold described in paragraph (1) that exceeds 5,000 individuals.</text></paragraph></subsection><subsection id="id796dba47-10fe-4d9c-b421-c79027385e4c" changed="not-changed"><enum>(d)</enum><header>Evaluation and updates</header><text>Not later than 2 years after the date of enactment of the <short-title>Federal Information Security Modernization Act of 2022</short-title>, and not less frequently than every 2 years thereafter, the Director shall provide a briefing to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives, which shall include—</text><paragraph id="id81e38e57dd974d6c837a249a4bb7e7ab"><enum>(1)</enum><text>an evaluation of any necessary updates to the guidance issued under subsection (a);</text></paragraph><paragraph id="idd1b18c30d70048ee81ba279401661bbb"><enum>(2)</enum><text>an evaluation of any necessary updates to the definition of the term <term>major incident</term> included in the guidance issued under subsection (a); and</text></paragraph><paragraph id="idd254c48c-767a-42c2-a4cd-9845872bcf5e" changed="not-changed"><enum>(3)</enum><text>an explanation of, and the analysis that led to, the definition described in paragraph 
(2).</text></paragraph></subsection></section></subchapter><after-quoted-block>.</after-quoted-block></quoted-block></paragraph><paragraph id="id1026a007-920c-448f-aeca-0fee1adf5cb7" changed="not-changed"><enum>(2)</enum><header>Clerical amendment</header><text>The table of sections for <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code, is amended by adding at the end the following:</text><quoted-block style="OLC" id="idf92947d1-faff-41c1-be94-2c40f557e8b3" changed="not-changed"><toc changed="not-changed"><toc-entry level="subchapter" changed="not-changed">SUBCHAPTER IV—Federal System Incident Response </toc-entry><toc-entry level="section" changed="not-changed">3591. Definitions</toc-entry><toc-entry level="section" idref="ide036192914414a49856c042bf1f0d5d8" changed="not-changed">3592. Notification of breach</toc-entry><toc-entry level="section" idref="id617d4d3a6b0c4530bbd71c35face436d" changed="not-changed">3593. Congressional and Executive Branch reports</toc-entry><toc-entry level="section" idref="ida429bf7d0f0f4d1b959d4adecc44a970" changed="not-changed">3594. Government information sharing and incident response</toc-entry><toc-entry level="section" idref="idb57d5aaf7bb7478fbfff861515e0a2f6" changed="not-changed">3595. Responsibilities of contractors and awardees</toc-entry><toc-entry level="section" idref="id66b3cc885f234dddb4442d794bf046f8" changed="not-changed">3596. Training</toc-entry><toc-entry level="section" idref="id57ca4b1fec454926b6e0ed4bfcbddcc4" changed="not-changed">3597. Analysis and report on Federal incidents</toc-entry><toc-entry level="section" changed="not-changed">3598. 
Major incident definition</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection></section><section id="id776995ad-0aee-4a02-a889-dc45a0ca9f00" changed="not-changed"><enum>104.</enum><header>Amendments to subtitle III of title 40</header><subsection id="id7f8ddd40-95a7-4835-bccf-2398d512d3ec" changed="not-changed"><enum>(a)</enum><header>Modernizing Government Technology</header><text>Subtitle G of title X of Division A of the National Defense Authorization Act for Fiscal Year 2018 (<external-xref legal-doc="usc" parsable-cite="usc/40/11301">40 U.S.C. 11301</external-xref> note) is amended in section 1078—</text><paragraph id="id7e94145a-9675-448d-8566-e4757d614aea" changed="not-changed"><enum>(1)</enum><text>by striking subsection (a) and inserting the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id9a48d8a9-a6c1-4f3c-8a8a-c2b18679ebe5" changed="not-changed"><subsection id="id3984aa7d-2a43-4c17-8b0d-eff95f910c97" changed="not-changed"><enum>(a)</enum><header>Definitions</header><text>In this section:</text><paragraph id="id8bf73629-f726-4e00-990b-7b405f54a2df" changed="not-changed"><enum>(1)</enum><header>Agency</header><text>The term <term>agency</term> has the meaning given the term in section 551 of title 5, United States Code.</text></paragraph><paragraph id="idb20c18eb-036b-43be-9846-a3b74485f782" changed="not-changed"><enum>(2)</enum><header>High value asset</header><text>The term <term>high value asset</term> has the meaning given the term in section 3552 of title 44, United States Code.</text></paragraph></subsection><after-quoted-block>;</after-quoted-block></quoted-block></paragraph><paragraph id="id612aeed0-6b66-4873-9409-1385a52140f5" changed="not-changed"><enum>(2)</enum><text>in subsection (b), by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id3a1c4f60-0c09-4ddf-ae63-ea7b3d78c6fb" changed="not-changed"><paragraph 
id="id38e14282-f7cc-4ee2-9c77-8e3abc3ff188" changed="not-changed"><enum>(8)</enum><header>Proposal evaluation</header><text>The Director shall—</text><subparagraph id="idef7c65c8-14ad-4c2f-9cfb-1eacaa6ab937" changed="not-changed"><enum>(A)</enum><text>give consideration for the use of amounts in the Fund to improve the security of high value assets; and</text></subparagraph><subparagraph id="id700af71e-a2ab-46c5-95d8-71c514ba4be2" changed="not-changed"><enum>(B)</enum><text>require that any proposal for the use of amounts in the Fund includes a cybersecurity plan, including a supply chain risk management plan, to be reviewed by the member of the Technology Modernization Board described in subsection (c)(5)(C).</text></subparagraph></paragraph><after-quoted-block>; and</after-quoted-block></quoted-block></paragraph><paragraph id="id34fd2f9a-6618-40e9-a5f1-13d2edbc3eaa" changed="not-changed"><enum>(3)</enum><text>in subsection (c)—</text><subparagraph id="id754c3b6b-692e-4248-b089-3fd5b4356c43" changed="not-changed"><enum>(A)</enum><text>in paragraph (2)(A)(i), by inserting <quote>, including a consideration of the impact on high value assets</quote> after <quote>operational risks</quote>;</text></subparagraph><subparagraph id="idb5d95007-95ca-4f21-8c46-5b62a08f53f0" changed="not-changed"><enum>(B)</enum><text>in paragraph (5)—</text><clause id="ida7840cfa-d7a7-4a29-b1f8-690523ef4022" changed="not-changed"><enum>(i)</enum><text>in subparagraph (A), by striking <quote>and</quote> at the end;</text></clause><clause id="idf134a737-1501-444c-b907-5ca2777d2aea" changed="not-changed"><enum>(ii)</enum><text>in subparagraph (B), by striking the period at the end and inserting <quote>and</quote>; and</text></clause><clause id="id38caeda0-c0ab-41e8-91ab-63601aa9b190" changed="not-changed"><enum>(iii)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="ida7e885d5-e6ab-4df6-8d04-7ac72d618816" 
changed="not-changed"><subparagraph id="id84e46c49-1df4-4b6c-903b-d8976b05f8a4" changed="not-changed"><enum>(C)</enum><text>a senior official from the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, appointed by the Director.</text></subparagraph><after-quoted-block>; and</after-quoted-block></quoted-block></clause></subparagraph><subparagraph id="id0662353c-024b-477a-a9cd-32d46487129d" changed="not-changed"><enum>(C)</enum><text>in paragraph (6)(A), by striking <quote>shall be—</quote> and all that follows through <quote>4 employees</quote> and inserting <quote>shall be 4 employees</quote>.</text></subparagraph></paragraph></subsection><subsection id="idd4c4417b-7672-4124-98a4-8f12b76ca75b" changed="not-changed"><enum>(b)</enum><header>Subchapter I</header><text>Subchapter I of chapter 113 of subtitle III of title 40, United States Code, is amended—</text><paragraph id="idc4293443-38f7-4688-8295-a318b78e69f8" changed="not-changed"><enum>(1)</enum><text>in section 11302—</text><subparagraph id="id3692ce39a4d94bfbbb2492dc67ecd87e" changed="not-changed"><enum>(A)</enum><text>in subsection (b), by striking <quote>use, security, and disposal of</quote> and inserting <quote>use, and disposal of, and, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director, promote and improve the security of,</quote>; </text></subparagraph><subparagraph id="id82e44b372d974a59a469de9f50841a74" changed="not-changed"><enum>(B)</enum><text>in subsection (c)—</text><clause id="id146a99850b4a4d30aea134a152024e50" changed="not-changed"><enum>(i)</enum><text>in paragraph (3)—</text><subclause id="id668957ef4f8044ac82efd160e90e68d2" changed="not-changed"><enum>(I)</enum><text>in subparagraph (A)—</text><item id="idbb8867c7a22e432d8f31fa0888e90042" changed="not-changed"><enum>(aa)</enum><text>by striking <quote>including data</quote> and inserting</text><quoted-block style="OLC" 
display-inline="yes-display-inline" id="ideb172d6793c54cb1a752a4bd06441a00" changed="not-changed"><text>which shall—</text><clause id="id2540b85036b942fabc613d2e772f8216" changed="not-changed"><enum>(i)</enum><text>include data</text></clause><after-quoted-block>; and</after-quoted-block></quoted-block></item><item id="id38ac39822ece4cff81eda25b94f4ece6" changed="not-changed"><enum>(bb)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id270972c113634d39b978bfb229a91d56" changed="not-changed"><clause id="idcf9f95b290b54b5da62978514c31d762" changed="not-changed"><enum>(ii)</enum><text>specifically denote cybersecurity funding under the risk-based cyber budget model developed pursuant to section 3553(a)(7) of title 44.</text></clause><after-quoted-block>; and</after-quoted-block></quoted-block></item></subclause><subclause id="id84cf270749cc41b29fbaf1208815729b" changed="not-changed"><enum>(II)</enum><text>in subparagraph (B), by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id574d97ae9ebc4e0896c6abcbffcb07c2" changed="not-changed"><clause id="id2b963639336b40e489deb3979987330c" changed="not-changed"><enum>(iii)</enum><text>The Director shall provide to the National Cyber Director any cybersecurity funding information described in subparagraph (A)(ii) that is provided to the Director under clause (ii) of this subparagraph.</text></clause><after-quoted-block>;</after-quoted-block></quoted-block></subclause></clause></subparagraph><subparagraph id="id08db223a30a040f89d55ca78772e720b" changed="not-changed"><enum>(C)</enum><text>in subsection (f)—</text><clause id="id9559297e3e8043c5bf96783274fb146c" changed="not-changed"><enum>(i)</enum><text>by striking <quote>heads of executive agencies to develop</quote> and inserting “heads of executive agencies to—</text><quoted-block style="OLC" display-inline="no-display-inline" 
id="id14d4b08ff8bc4f95beef62cf7a15903b" changed="not-changed"><paragraph id="id17d92884c9924e2185024b549ea00765" changed="not-changed"><enum>(1)</enum><text>develop</text></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></clause><clause id="id705f4e738cae4c9d8c0676c2cc706280" changed="not-changed"><enum>(ii)</enum><text>in paragraph (1), as so designated, by striking the period at the end and inserting <quote>; and</quote>; and</text></clause><clause id="idf48bb39675c54f1581232750d1f0b5d6" changed="not-changed"><enum>(iii)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="idf7086450744e4b46957fbfc6c2a3ea4a" changed="not-changed"><paragraph id="idd188fb063d8744ce8bca5ec3e4e9d8ba" changed="not-changed"><enum>(2)</enum><text>consult with the Director of the Cybersecurity and Infrastructure Security Agency for the development and use of supply chain security best practices.</text></paragraph><after-quoted-block>; and</after-quoted-block></quoted-block></clause></subparagraph><subparagraph id="id87362d51079940d6a8e220f3aec68c21" changed="not-changed"><enum>(D)</enum><text>in subsection (h), by inserting <quote>, including cybersecurity performances,</quote> after <quote>the performances</quote>; and</text></subparagraph></paragraph><paragraph id="id717fee8743964832ba67b9a5d244c1e7" changed="not-changed"><enum>(2)</enum><text>in section 11303(b)—</text><subparagraph id="id0af485239c6340f986ca0abbea196a09" changed="not-changed"><enum>(A)</enum><text>in paragraph (2)(B)—</text><clause id="idcd839e54b32f4b118797fa01c2aafa02" changed="not-changed"><enum>(i)</enum><text>in clause (i), by striking <quote>or</quote> at the end;</text></clause><clause id="idec12addefb554d07b3c82de701d66739" changed="not-changed"><enum>(ii)</enum><text>in clause (ii), by adding <quote>or</quote> at the end; and</text></clause><clause id="id32f5c3ee166a4534a0816a20309d1eed" 
changed="not-changed"><enum>(iii)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id9d865657954b4a5fad382e8893b7565d" changed="not-changed"><clause id="id59fbd48b2cbe46c382f2fc21019e3403" changed="not-changed"><enum>(iii)</enum><text>whether the function should be performed by a shared service offered by another executive agency;</text></clause><after-quoted-block>; and</after-quoted-block></quoted-block></clause></subparagraph><subparagraph id="id7fcadd5fa33b42d1bbb14bce161927a7" changed="not-changed"><enum>(B)</enum><text>in paragraph (5)(B)(i), by inserting <quote>, while taking into account the risk-based cyber budget model developed pursuant to section 3553(a)(7) of title 44</quote> after <quote>title 31</quote>.</text></subparagraph></paragraph></subsection><subsection id="ide6f81aa481724f5ab0c6e5683f6d703f" changed="not-changed"><enum>(c)</enum><header>Subchapter II</header><text>Subchapter II of chapter 113 of subtitle III of title 40, United States Code, is amended—</text><paragraph id="idc1139c9824ea4d609d6a9a61856c291a" changed="not-changed"><enum>(1)</enum><text>in section 11312(a), by inserting <quote>, including security risks</quote> after <quote>managing the risks</quote>;</text></paragraph><paragraph id="idc410ea58249c4d8c87037586b5d01037" changed="not-changed"><enum>(2)</enum><text>in section 11313(1), by striking <quote>efficiency and effectiveness</quote> and inserting <quote>efficiency, security, and effectiveness</quote>;</text></paragraph><paragraph id="id3441867b22bb4573859895ec1770caec" changed="not-changed"><enum>(3)</enum><text>in section 11315, by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="idaa969ac062974d028e48cba279e93402" changed="not-changed"><subsection id="id907d96559bf844a5a2dbcaf5908fd37c" changed="not-changed"><enum>(d)</enum><header>Component agency chief information officers</header><text>The 
Chief Information Officer or an equivalent official of a component agency shall report to—</text><paragraph id="id8ba5f76c31f44b508ea0fc8786f69777" changed="not-changed"><enum>(1)</enum><text>the Chief Information Officer designated under section 3506(a)(2) of title 44 or an equivalent official of the agency of which the component agency is a component; and</text></paragraph><paragraph id="id18a248d104764c9691469a7680ec963a" changed="not-changed"><enum>(2)</enum><text>the head of the component agency.</text></paragraph></subsection><subsection id="id4eca7e37f0c2441f8eeec2c215dda60e"><enum>(e)</enum><header>Reporting structure exemption</header><paragraph id="id6BB16637682A4635B0A53933A98E33EC"><enum>(1)</enum><header>In general</header><text>On an annual basis, the Director may exempt any agency from the reporting structure requirements under subsection (d).</text></paragraph><paragraph id="id28407ee4355e487ba12807d937d4733f"><enum>(2)</enum><header>Report</header><text>On an annual basis, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives a report that includes a list of each exemption granted under paragraph (1) and the associated rationale for each exemption.</text></paragraph><paragraph id="iddcdb036a91bc4297bf628b49f8540a09"><enum>(3)</enum><header>Component of other report</header><text>The report required under paragraph (2) may be incorporated into any other annual report required under <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code.</text></paragraph></subsection><after-quoted-block>;</after-quoted-block></quoted-block></paragraph><paragraph id="id01B2D7A31D8A41D094A09CAB6D0F3ADD" changed="not-changed"><enum>(4)</enum><text>in section 11317, by inserting <quote>security,</quote> before <quote>or schedule</quote>; and</text></paragraph><paragraph 
id="id8042992f4476486eb725154d700fec03" changed="not-changed"><enum>(5)</enum><text>in section 11319(b)(1), in the paragraph heading, by striking <quote><header-in-text level="paragraph" style="USC">CIOS</header-in-text></quote> and inserting <quote><header-in-text level="paragraph" style="USC">Chief Information Officers</header-in-text></quote>.</text></paragraph></subsection><subsection id="idaba2682c44b34b18aa3217c4b7308976" changed="not-changed"><enum>(d)</enum><header>Subchapter III</header><text>Section 11331 of title 40, United States Code, is amended—</text><paragraph id="idc5c54935e23c4fb5b883e487fbb44333" changed="not-changed"><enum>(1)</enum><text>in subsection (a), by striking <quote>section 3532(b)(1)</quote> and inserting <quote>section 3552(b)</quote>;</text></paragraph><paragraph id="id4644a2ceee8a40d597b792138e82efe8" changed="not-changed"><enum>(2)</enum><text>in subsection (b)(1)(A), by striking <quote>the Secretary of Homeland Security</quote> and inserting <quote>the Director of the Cybersecurity and Infrastructure Security Agency</quote>; </text></paragraph><paragraph id="idffbaad5cfc134278918a55dbd86cc405" changed="not-changed"><enum>(3)</enum><text>by striking subsection (c) and inserting the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id161298ec02944db7aa3cda0d0e81ce2b" changed="not-changed"><subsection id="idca52cfc0101740a9a2eb4eba26357bf0" changed="not-changed"><enum>(c)</enum><header>Application of more stringent standards</header><paragraph id="idc710cfaf483c4748a0e3f9eef19211b7" changed="not-changed"><enum>(1)</enum><header>In general</header><text>The head of an agency shall—</text><subparagraph id="ida4ce8fc82f9b44458f40128e9b5c28f0" changed="not-changed"><enum>(A)</enum><text>evaluate, in consultation with the senior agency information security officers, the need to employ standards for cost-effective, risk-based information security for all systems, operations, and assets within or under the 
supervision of the agency that are more stringent than the standards promulgated by the Director under this section, if such standards contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Director; and</text></subparagraph><subparagraph id="id29dee9070b424981bb9f72e36865c717" changed="not-changed"><enum>(B)</enum><text>to the greatest extent practicable and if the head of the agency determines that the standards described in subparagraph (A) are necessary, employ those standards.</text></subparagraph></paragraph><paragraph id="idac10ce5d2fc543f8b79e082634405457" changed="not-changed"><enum>(2)</enum><header>Evaluation of more stringent standards</header><text>In evaluating the need to employ more stringent standards under paragraph (1), the head of an agency shall consider available risk information, such as—</text><subparagraph id="id4215915e8f1240e6a52a393b9ce8bb97" changed="not-changed"><enum>(A)</enum><text>the status of cybersecurity remedial actions of the agency;</text></subparagraph><subparagraph id="id6f39cb3c137c459085a0a78547af0191" changed="not-changed"><enum>(B)</enum><text>any vulnerability information relating to agency systems that is known to the agency;</text></subparagraph><subparagraph id="id7979b9720bb040b7af36845a0bd55921" changed="not-changed"><enum>(C)</enum><text>incident information of the agency;</text></subparagraph><subparagraph id="id185055fd5b3248c99fad0fd950742e4a" changed="not-changed"><enum>(D)</enum><text>information from—</text><clause id="idfd601d6b50be42d7bb6a1ac3c638b6ce" changed="not-changed"><enum>(i)</enum><text>penetration testing performed under section 3559A of title 44; and</text></clause><clause id="id9e721d41bab84567a92e0f91bf54227d" changed="not-changed"><enum>(ii)</enum><text>information from the vulnerability disclosure program established under section 3559B of title 44;</text></clause></subparagraph><subparagraph id="id39668b39d27040c593a85b581b8d1a6b" 
changed="not-changed"><enum>(E)</enum><text>agency threat hunting results under section 112 of the <short-title>Federal Information Security Modernization Act of 2022</short-title>;</text></subparagraph><subparagraph id="id35dd90a3fb204bd6bf1968c69eccb2b7" changed="not-changed"><enum>(F)</enum><text>Federal and non-Federal cyber threat intelligence;</text></subparagraph><subparagraph id="id6f0431966e6f434a922696d0ed6cd6b6" changed="not-changed"><enum>(G)</enum><text>data on compliance with standards issued under this section;</text></subparagraph><subparagraph id="idfefec75814b14016ba24fa08d8444451" changed="not-changed"><enum>(H)</enum><text>agency system risk assessments performed under section 3554(a)(1)(A) of title 44; and</text></subparagraph><subparagraph id="idbbab1f01f3654868a779e97be17bff9a" changed="not-changed"><enum>(I)</enum><text>any other information determined relevant by the head of the agency.</text></subparagraph></paragraph></subsection><after-quoted-block>;</after-quoted-block></quoted-block></paragraph><paragraph id="idcb1ca1cca3824450b6bb8c9ead30b20d" changed="not-changed"><enum>(4)</enum><text>in subsection (d)(2)—</text><subparagraph id="ide46a134bcd7045b290f6cf626d600dcf" changed="not-changed"><enum>(A)</enum><text>in the paragraph heading, by striking <quote><header-in-text level="paragraph" style="USC">Notice and comment</header-in-text></quote> and inserting <quote><header-in-text level="paragraph" style="USC">Consultation, notice, and comment</header-in-text></quote>;</text></subparagraph><subparagraph id="id8e1deb86d6714714bb31fc13672624bd" changed="not-changed"><enum>(B)</enum><text>by inserting <quote>promulgate,</quote> before <quote>significantly modify</quote>; and</text></subparagraph><subparagraph id="id41c3a24ac8a94c6fbea38360c01a29e5" changed="not-changed"><enum>(C)</enum><text>by striking <quote>shall be made after the public is given an opportunity to comment on the Director’s proposed decision.</quote> and inserting “shall 
be made—</text><quoted-block style="OLC" display-inline="no-display-inline" id="id50d9fa7be9804646a8e1eacf8b9e17f2" changed="not-changed"><subparagraph id="id1917339a699f401081c6c593d680e650" changed="not-changed"><enum>(A)</enum><text>for a decision to significantly modify or not promulgate such a proposed standard, after the public is given an opportunity to comment on the Director’s proposed decision;</text></subparagraph><subparagraph id="idb7afcbad37344d5cad785b5e35d70091" changed="not-changed"><enum>(B)</enum><text>in consultation with the Chief Information Officers Council, the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Comptroller General of the United States, and the Council of the Inspectors General on Integrity and Efficiency;</text></subparagraph><subparagraph id="id88eeba71b0684b5c9563965756f267ba" changed="not-changed"><enum>(C)</enum><text>considering the Federal risk assessments performed under section 3553(i) of title 44; and</text></subparagraph><subparagraph id="id751ac4c8646f4dce86d1f2ed65baa090" changed="not-changed"><enum>(D)</enum><text>considering the extent to which the proposed standard reduces risk relative to the cost of implementation of the standard.</text></subparagraph><after-quoted-block>; and</after-quoted-block></quoted-block></subparagraph></paragraph><paragraph id="iddc16271d45bd42778a81079dcc606cf3" changed="not-changed"><enum>(5)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id78ffdaa33f7049b1a0e33cb2da2e2349" changed="not-changed"><subsection id="id15bc5ff2d6644c22add9cf52767336cb" changed="not-changed"><enum>(e)</enum><header>Review of office of management and budget guidance and policy</header><paragraph id="id92c4aad4650741f0a10a32ddce2eee43" changed="not-changed"><enum>(1)</enum><header>Conduct of review</header><subparagraph id="idA7E9150EBEB94255A4451D4048FB9033" 
changed="not-changed"><enum>(A)</enum><header>In general</header><text>Not less frequently than once every 3 years, the Director of the Office of Management and Budget, in consultation with the Chief Information Officers Council, the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Comptroller General of the United States, and the Council of the Inspectors General on Integrity and Efficiency, shall review the efficacy of the guidance and policy promulgated by the Director in reducing cybersecurity risks, including an assessment of the requirements for agencies to report information to the Director, and determine whether any changes to that guidance or policy are appropriate.</text></subparagraph><subparagraph id="idef100b33ded544898cd1c76eca58875e" changed="not-changed"><enum>(B)</enum><header>Federal risk assessments</header><text>In conducting the review described in subparagraph (A), the Director shall consider the Federal risk assessments performed under section 3553(i) of title 44.</text></subparagraph><subparagraph id="id6d1b16a5ce3d433a8b9bb5fb431ae243"><enum>(C)</enum><header>Requirements burden reduction and clarity</header><text>In conducting the review described in subparagraph (A), the Director shall consider—</text><clause id="idA0505DD602674B5FA55E4A6DC9E27A22"><enum>(i)</enum><text>the cumulative reporting and compliance burden to agencies; and</text></clause><clause id="id035E69918C284C88B995307F8A305F52"><enum>(ii)</enum><text>the clarity of the requirements and deadlines contained in guidance and policy documents.</text></clause></subparagraph></paragraph><paragraph id="id2fd9d139f3444d42835ecb332455a44a" changed="not-changed"><enum>(2)</enum><header>Updated guidance</header><text>Not later than 90 days after the date on which a review is completed under paragraph (1), the Director of the Office of Management and Budget shall issue updated guidance or policy to agencies determined appropriate by the 
Director, based on the results of the review.</text></paragraph><paragraph id="id0398b896d2ab48758353ab433ae07200" changed="not-changed"><enum>(3)</enum><header>Public report</header><text>Not later than 30 days after the date on which a review is completed under paragraph (1), the Director of the Office of Management and Budget shall make publicly available a report that includes—</text><subparagraph id="id74edb63719574b8a9f560e579508aa4a" changed="not-changed"><enum>(A)</enum><text>an overview of the guidance and policy promulgated under this section that is currently in effect;</text></subparagraph><subparagraph id="idc1e98226365849c7856e7205515c0af5" changed="not-changed"><enum>(B)</enum><text>the cybersecurity risk mitigation, or other cybersecurity benefit, offered by each guidance or policy document described in subparagraph (A); and</text></subparagraph><subparagraph id="idbc1bf4736ac8496c85b53d7eaef1e9cb" changed="not-changed"><enum>(C)</enum><text>a summary of the guidance or policy to which changes were determined appropriate during the review and what the changes are anticipated to include.</text></subparagraph></paragraph><paragraph id="idf3254e40a6944b458f79a887cb930b64" changed="not-changed"><enum>(4)</enum><header>Congressional briefing</header><text>Not later than 60 days after the date on which a review is completed under paragraph (1), the Director shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives a briefing on the review.</text></paragraph></subsection><subsection id="id5d4ac59cd2b249f889b9509997a74ef3" changed="not-changed"><enum>(f)</enum><header>Automated standard implementation verification</header><text>When the Director of the National Institute of Standards and Technology issues a proposed standard pursuant to paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (<external-xref 
legal-doc="usc" parsable-cite="usc/15/278g-3">15 U.S.C. 278g–3(a)</external-xref>), the Director of the National Institute of Standards and Technology shall consider developing and, if appropriate and practical, develop, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, specifications to enable the automated verification of the implementation of the controls within the standard.</text></subsection><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection></section><section id="id8ccc627da4bd46e0bdd48489ba7c6485" changed="not-changed"><enum>105.</enum><header>Actions to enhance Federal incident transparency</header><subsection id="id2cad402e61cc443d9c0ba8abf204cac4" changed="not-changed"><enum>(a)</enum><header>Responsibilities of the cybersecurity and infrastructure security agency</header><paragraph id="idbcb8b349ff6a48ff841d16c7e39455f3" changed="not-changed"><enum>(1)</enum><header>In general</header><text>Not later than 180 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall—</text><subparagraph id="id400dc1440f794dab957a98c1b3ff0a9a" changed="not-changed"><enum>(A)</enum><text>develop a plan for the development of the analysis required under section 3597(a) of title 44, United States Code, as added by this title, and the report required under subsection (b) of that section that includes—</text><clause id="idc4766ad0104e45d3bd873ff6d884637c" changed="not-changed"><enum>(i)</enum><text>a description of any challenges the Director of the Cybersecurity and Infrastructure Security Agency anticipates encountering; and</text></clause><clause id="id1f4e24ebd6e24d07b6649f412041f285" changed="not-changed"><enum>(ii)</enum><text>the use of automation and machine-readable formats for collecting, compiling, monitoring, and analyzing data; and</text></clause></subparagraph><subparagraph id="idb9e3deb51aae4e0991d0de3c1aff4be6" 
changed="not-changed"><enum>(B)</enum><text>provide to the appropriate congressional committees a briefing on the plan developed under subparagraph (A).</text></subparagraph></paragraph><paragraph id="ida35c481b2ad24c56bfafd76650112440" changed="not-changed"><enum>(2)</enum><header>Briefing</header><text>Not later than 1 year after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall provide to the appropriate congressional committees a briefing on—</text><subparagraph id="id4bea7f7775c7458aba6d6bc10d3177dc" changed="not-changed"><enum>(A)</enum><text>the execution of the plan required under paragraph (1)(A); and</text></subparagraph><subparagraph id="idbb84da2400694a87a520c7aacef98441" changed="not-changed"><enum>(B)</enum><text>the development of the report required under section 3597(b) of title 44, United States Code, as added by this title.</text></subparagraph></paragraph></subsection><subsection id="id6be5fc8e3d754bcb9014243f21943f82" changed="not-changed"><enum>(b)</enum><header>Responsibilities of the director of the office of management and budget</header><paragraph id="id0cc1d4b32d9b4e72a827f37437ea723a" changed="not-changed"><enum>(1)</enum><header>FISMA</header><text>Section 2 of the Federal Information Security Modernization Act of 2014 (<external-xref legal-doc="usc" parsable-cite="usc/44/3554">44 U.S.C. 
3554</external-xref> note) is amended—</text><subparagraph id="id8726caca7e1247ae8738bcb52504f52d" changed="not-changed"><enum>(A)</enum><text>by striking subsection (b); and</text></subparagraph><subparagraph id="idd5135c327a774589a7aeb6cf178f30d2" changed="not-changed"><enum>(B)</enum><text>by redesignating subsections (c) through (f) as subsections (b) through (e), respectively.</text></subparagraph></paragraph><paragraph id="idbff167a7250f4fe58e27bf78a92a294c" changed="not-changed"><enum>(2)</enum><header>Incident data sharing</header><subparagraph id="id188bf89d7f8d4c318259a3b2ab84783e" changed="not-changed"><enum>(A)</enum><header>In general</header><text>The Director shall develop guidance, to be updated not less frequently than once every 2 years, on the content, timeliness, and format of the information provided by agencies under section 3594(a) of title 44, United States Code, as added by this title.</text></subparagraph><subparagraph id="id107da5e3258c41a690b9525df1fcc04c" changed="not-changed"><enum>(B)</enum><header>Requirements</header><text>The guidance developed under subparagraph (A) shall—</text><clause id="id5db858df54184b3895e06be5bff8de25" changed="not-changed"><enum>(i)</enum><text>prioritize the availability of data necessary to understand and analyze—</text><subclause id="idc7ddd1326cf3444abcaf88e4f1ab0b13" changed="not-changed"><enum>(I)</enum><text>the causes of incidents;</text></subclause><subclause id="iddaf887a0212d4e03b0a3c0d8f7063966" changed="not-changed"><enum>(II)</enum><text>the scope and scale of incidents within the environments and systems of an agency;</text></subclause><subclause id="idb691d2e254ea475daa6edea4f52365b6" changed="not-changed"><enum>(III)</enum><text>a root cause analysis of incidents that—</text><item id="id1DD6A7FE044340A991B216E73003E48A" changed="not-changed"><enum>(aa)</enum><text>are common across the Federal Government; or</text></item><item id="id3D7C0DF8841E424FA73EA399F62554C5" 
changed="not-changed"><enum>(bb)</enum><text>have a Government-wide impact;</text></item></subclause><subclause id="id626e4daec9ff4110ba9986712ca8537d" changed="not-changed"><enum>(IV)</enum><text>agency response, recovery, and remediation actions and the effectiveness of those actions; and</text></subclause><subclause id="id07eaf91e535344f58e2ae6c9f1199e61" changed="not-changed"><enum>(V)</enum><text>the impact of incidents;</text></subclause></clause><clause id="id1b095495e84248129a3630a96e094bc2" changed="not-changed"><enum>(ii)</enum><text>enable the efficient development of—</text><subclause id="id201d191fb9474aaa96fa0f8186af9d3d" changed="not-changed"><enum>(I)</enum><text>lessons learned and recommendations in responding to, recovering from, remediating, and mitigating future incidents; and</text></subclause><subclause id="id84b86e07a13a4126ae4f4e7c1f4ec0af" changed="not-changed"><enum>(II)</enum><text>the report on Federal incidents required under section 3597(b) of title 44, United States Code, as added by this title;</text></subclause></clause><clause id="id67a953b6a8a24b1283649777621334fc" changed="not-changed"><enum>(iii)</enum><text>include requirements for the timeliness of data production; and</text></clause><clause id="id9d0280a1aad54dcfae5fe25fcbef5871" changed="not-changed"><enum>(iv)</enum><text>include requirements for using automation and machine-readable data for data sharing and availability.</text></clause></subparagraph></paragraph><paragraph id="id52aa0853a640489382a338df4d747ed2" changed="not-changed"><enum>(3)</enum><header>Guidance on responding to information requests</header><text>Not later than 1 year after the date of enactment of this Act, the Director shall develop guidance for agencies to implement the requirement under section 3594(c) of title 44, United States Code, as added by this title, to provide information to other agencies experiencing incidents.</text></paragraph><paragraph id="id2d56b345e2d9404ca3778089b23e2ba1" 
changed="not-changed"><enum>(4)</enum><header>Standard guidance and templates</header><text>Not later than 1 year after the date of enactment of this Act, the Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall develop guidance and templates, to be reviewed and, if necessary, updated not less frequently than once every 2 years, for use by Federal agencies in the activities required under sections 3592, 3593, and 3596 of title 44, United States Code, as added by this title.</text></paragraph><paragraph id="ida4a3a40bd9754296b0b24ca9f4579a34" changed="not-changed"><enum>(5)</enum><header>Contractor and awardee guidance</header><subparagraph id="id4623e6fa0db549a8b213c3b7dd534348" changed="not-changed"><enum>(A)</enum><header>In general</header><text>Not later than 1 year after the date of enactment of this Act, the Director, in coordination with the Secretary of Homeland Security, the Secretary of Defense, the Administrator of General Services, and the heads of other agencies determined appropriate by the Director, shall issue guidance to Federal agencies on how to deconflict, to the greatest extent practicable, existing regulations, policies, and procedures relating to the responsibilities of contractors and awardees established under section 3595 of title 44, United States Code, as added by this title.</text></subparagraph><subparagraph id="idbb5aee79fe554bd88b24c4e68fcaefd2" changed="not-changed"><enum>(B)</enum><header>Existing processes</header><text>To the greatest extent practicable, the guidance issued under subparagraph (A) shall allow contractors and awardees to use existing processes for notifying Federal agencies of incidents involving information of the Federal Government.</text></subparagraph></paragraph><paragraph id="id710e2756548c45669682ccb909875911" changed="not-changed"><enum>(6)</enum><header>Updated briefings</header><text>Not less frequently than once every 2 years, the Director shall 
provide to the appropriate congressional committees an update on the guidance and templates developed under paragraphs (2) through (4).</text></paragraph></subsection><subsection id="id581b104c1a444b10935b3cb6a58c86af" changed="not-changed"><enum>(c)</enum><header>Update to the privacy act of 1974</header><text>Section 552a(b) of title 5, United States Code (commonly known as the <quote>Privacy Act of 1974</quote>) is amended—</text><paragraph id="idb32795a1d744419da6f429083575e8c3" changed="not-changed"><enum>(1)</enum><text>in paragraph (11), by striking <quote>or</quote> at the end;</text></paragraph><paragraph id="id06d168e1157e431fbea60983a8e2bdb0" changed="not-changed"><enum>(2)</enum><text>in paragraph (12), by striking the period at the end and inserting <quote>; or</quote>; and</text></paragraph><paragraph id="idb162553d2270422b9084a88f0e016e90" changed="not-changed"><enum>(3)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id592010804a4f4decb31bbdb74b610d77" changed="not-changed"><paragraph id="id27bc8e895ae74a0991492fcc12b8d252" changed="not-changed"><enum>(13)</enum><text>to another agency in furtherance of a response to an incident (as defined in section 3552 of title 44) and pursuant to the information sharing requirements in section 3594 of title 44 if the head of the requesting agency has made a written request to the agency that maintains the record specifying the particular portion desired and the activity for which the record is sought.</text></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection></section><section id="id25f160a4-98e9-4e5e-b26f-20f2dd97cd4e" changed="not-changed"><enum>106.</enum><header>Additional guidance to agencies on FISMA updates</header><text display-inline="no-display-inline">Not later than 1 year after the date of enactment of this Act, the Director, in consultation with the Director of the Cybersecurity and 
Infrastructure Security Agency, shall issue guidance for agencies on—</text><paragraph id="id50632071f2f241f5a9dff2b4d318e020" changed="not-changed"><enum>(1)</enum><text>performing the ongoing and continuous agency system risk assessment required under section 3554(a)(1)(A) of title 44, United States Code, as amended by this title;</text></paragraph><paragraph id="id116536c27df64318832b06ded351eb70" changed="not-changed"><enum>(2)</enum><text>implementing additional cybersecurity procedures, which shall include resources for shared services;</text></paragraph><paragraph id="id7e63537e634148e3885c5e0aa0165c90" changed="not-changed"><enum>(3)</enum><text>establishing a process for providing the status of each remedial action under section 3554(b)(7) of title 44, United States Code, as amended by this title, to the Director and the Cybersecurity and Infrastructure Security Agency using automation and machine-readable data, as practicable, which shall include—</text><subparagraph id="idf6941056e96f4aef9a1d7c1437ccc18e" changed="not-changed"><enum>(A)</enum><text>specific guidance for the use of automation and machine-readable data; and</text></subparagraph><subparagraph id="id08fa028466a04d22be3dada921f3530d" changed="not-changed"><enum>(B)</enum><text>templates for providing the status of the remedial action; and</text></subparagraph></paragraph><paragraph id="idcc8a9721ac8a4be9876e8e9c8621a8ec" changed="not-changed"><enum>(4)</enum><text>a requirement to coordinate with inspectors general of agencies to ensure consistent understanding and application of agency policies for the purpose of evaluations by inspectors general.</text></paragraph></section><section id="id87c2d95a-b307-45ec-81dd-09e23e4addc4" changed="not-changed"><enum>107.</enum><header>Agency requirements to notify private sector entities impacted by incidents</header><subsection id="idD56C3840E37D46DC9B6BBB5F438F03B0" changed="not-changed"><enum>(a)</enum><header>Definitions</header><text>In this 
section:</text><paragraph id="idEC58058F1C51421194D97C5A734A4ACA" changed="not-changed"><enum>(1)</enum><header>Reporting entity</header><text>The term <term>reporting entity</term> means a private organization or governmental unit that is required by statute or regulation to submit sensitive information to an agency.</text></paragraph><paragraph id="idBFD97365FA184CD8BDD643869931A7EB" changed="not-changed"><enum>(2)</enum><header>Sensitive information</header><text>The term <term>sensitive information</term> has the meaning given the term by the Director in guidance issued under subsection (b).</text></paragraph></subsection><subsection id="id69E6784665C64660B208972511F67BB7" changed="not-changed"><enum>(b)</enum><header>Guidance on notification of reporting entities</header><text>Not later than 180 days after the date of enactment of this Act, the Director shall issue guidance requiring the head of each agency to notify a reporting entity of an incident that is likely to substantially affect—</text><paragraph id="id94C3B8A55E524AA19EC3230429A3C71F" changed="not-changed"><enum>(1)</enum><text>the confidentiality or integrity of sensitive information submitted by the reporting entity to the agency pursuant to a statutory or regulatory requirement; or</text></paragraph><paragraph id="id95A0524DF8974477BDA26B6782B09E47" changed="not-changed"><enum>(2)</enum><text>the agency information system or systems used in the transmission or storage of the sensitive information described in paragraph (1).</text></paragraph></subsection></section><section section-type="subsequent-section" id="idcb1f5c81-6041-46c1-ac5e-f9028ab69e49" changed="not-changed"><enum>108.</enum><header>Mobile security standards</header><subsection id="id6b9cc043-9a39-4b4f-8a58-db9e0dc405a3" changed="not-changed"><enum>(a)</enum><header>In general</header><text>Not later than 1 year after the date of enactment of this Act, the Director shall—</text><paragraph id="id4a261559eea146d0bcb2f03f243c2bf1" 
changed="not-changed"><enum>(1)</enum><text>evaluate mobile application security guidance promulgated by the Director; and</text></paragraph><paragraph id="id171f832f086441329e148747983e924f" changed="not-changed"><enum>(2)</enum><text>issue guidance to secure mobile devices, including for mobile applications, for every agency.</text></paragraph></subsection><subsection id="idf9166b6c7e604e81881b3ab6f4bd23a6" changed="not-changed"><enum>(b)</enum><header>Contents</header><text>The guidance issued under subsection (a)(2) shall include—</text><paragraph id="id3183ba7add114a4faf9d63edaf293801" changed="not-changed"><enum>(1)</enum><text>a requirement, pursuant to section 3506(b)(4) of title 44, United States Code, for every agency to maintain a continuous inventory of every—</text><subparagraph id="id799cbc31ebe44babae83b91b2026b37f" changed="not-changed"><enum>(A)</enum><text>mobile device operated by or on behalf of the agency; and</text></subparagraph><subparagraph id="id01ab6958f9ba41d5a72620485820e35b" changed="not-changed"><enum>(B)</enum><text>vulnerability identified by the agency associated with a mobile device; and</text></subparagraph></paragraph><paragraph id="id79d077ab97004c3283bd9bdfe7be334c" changed="not-changed"><enum>(2)</enum><text>a requirement for every agency to perform continuous evaluation of the vulnerabilities described in paragraph (1)(B) and other risks associated with the use of applications on mobile devices.</text></paragraph></subsection><subsection id="id1632b6e8-27da-492c-93b6-225fe327bed8" changed="not-changed"><enum>(c)</enum><header>Information sharing</header><text>The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall issue guidance to agencies for sharing the inventory of the agency required under subsection (b)(1) with the Director of the Cybersecurity and Infrastructure Security Agency, using automation and machine-readable data to the greatest extent 
practicable.</text></subsection><subsection id="id568e7020-91e1-457d-8d2c-c5673fdce709" changed="not-changed"><enum>(d)</enum><header>Briefing</header><text>Not later than 60 days after the date on which the Director issues guidance under subsection (a)(2), the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall provide to the appropriate congressional committees a briefing on the guidance.</text></subsection></section><section id="idd5aff240-4ee2-4011-938d-981543512249" changed="not-changed"><enum>109.</enum><header>Data and logging retention for incident response</header><subsection id="id0f9d2b85fa674b4d93733cd27b1428ea" changed="not-changed"><enum>(a)</enum><header>Recommendations</header><text>Not later than 2 years after the date of enactment of this Act, and not less frequently than every 2 years thereafter, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Attorney General, shall submit to the Director recommendations on requirements for logging events on agency systems and retaining other relevant data within the systems and networks of an agency.</text></subsection><subsection id="idfd1f66e78f95498abf6701e2ba2aa98f" changed="not-changed"><enum>(b)</enum><header>Contents</header><text>The recommendations provided under subsection (a) shall include—</text><paragraph id="idf220b262e44447e799224a4506b6582e" changed="not-changed"><enum>(1)</enum><text>the types of logs to be maintained;</text></paragraph><paragraph id="id18e38880b50942678b736fc06dc4a56a"><enum>(2)</enum><text>the duration that logs and other relevant data should be retained;</text></paragraph><paragraph id="id0504458c15c841139cd0ada9411d8d05"><enum>(3)</enum><text>the time periods for agency implementation of recommended logging and security requirements;</text></paragraph><paragraph id="id0d554c0ec4884c37b66fbedb4f7e9e18" changed="not-changed"><enum>(4)</enum><text>how to ensure the 
confidentiality, integrity, and availability of logs; </text></paragraph><paragraph id="idc79013b2e43a41a9b312c4c3c7717d9d" changed="not-changed"><enum>(5)</enum><text>requirements to ensure that, upon request, in a manner that excludes or otherwise reasonably protects personally identifiable information, and to the extent permitted by applicable law (including privacy and statistical laws), agencies provide logs to—</text><subparagraph id="id36c6729273ed4a139ba2f914a8ebd4b7" changed="not-changed"><enum>(A)</enum><text>the Director of the Cybersecurity and Infrastructure Security Agency for a cybersecurity purpose; and</text></subparagraph><subparagraph id="idb8469bb7c06748a985766855326b8eba" changed="not-changed"><enum>(B)</enum><text>the Director of the Federal Bureau of Investigation, or the appropriate Federal law enforcement agency, to investigate potential criminal activity; and</text></subparagraph></paragraph><paragraph id="ide899e05802e64392ba641a3a57bb9a7c" changed="not-changed"><enum>(6)</enum><text>requirements to ensure that, subject to compliance with statistical laws and other relevant data protection requirements, the highest level security operations center of each agency has visibility into all agency logs.</text></paragraph></subsection><subsection id="id991d8f542e2a49809e1322c59fef7bff" changed="not-changed"><enum>(c)</enum><header>Guidance</header><text>Not later than 90 days after receiving the recommendations submitted under subsection (a), the Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the Attorney General, shall, as determined to be appropriate by the Director, update guidance to agencies regarding requirements for logging, log retention, log management, sharing of log data with other appropriate agencies, or any other logging activity determined to be appropriate by the Director.</text></subsection><subsection 
id="id8457efaa32c94bb983e604e62a387d41"><enum>(d)</enum><header>Sunset</header><text>This section shall cease to have force or effect on the date that is 10 years after the date of the enactment of this Act.</text></subsection></section><section id="id57f53189-fc83-42bb-aa2d-60a0dd4a8764" changed="not-changed"><enum>110.</enum><header>CISA agency advisors</header><subsection id="idc938a3d9-c12a-436a-9c9e-2ae05ca8ac57" changed="not-changed"><enum>(a)</enum><header>In general</header><text>Not later than 120 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall assign not less than 1 cybersecurity professional employed by the Cybersecurity and Infrastructure Security Agency to be the Cybersecurity and Infrastructure Security Agency advisor to the senior agency information security officer of each agency.</text></subsection><subsection id="id843b1b50-c72c-4f6e-aa2f-2775fe756208" changed="not-changed"><enum>(b)</enum><header>Qualifications</header><text>Each advisor assigned under subsection (a) shall have knowledge of—</text><paragraph id="id051b691c-e57a-49dd-9bab-398057a9df62" changed="not-changed"><enum>(1)</enum><text>cybersecurity threats facing agencies, including any specific threats to the assigned agency; </text></paragraph><paragraph id="id84fbb966-d079-46b8-ac0c-e32454bb30a6" changed="not-changed"><enum>(2)</enum><text>performing risk assessments of agency systems; and</text></paragraph><paragraph id="idfbfa1ece-cd0c-4be2-937c-7cfa23723ecc" changed="not-changed"><enum>(3)</enum><text>other Federal cybersecurity initiatives.</text></paragraph></subsection><subsection id="idf613a64a-5910-4d97-9d19-e140f97c5172" changed="not-changed"><enum>(c)</enum><header>Duties</header><text>The duties of each advisor assigned under subsection (a) shall include—</text><paragraph id="id6a8086c7-4129-4d2d-8e8a-0a153aeeb296" changed="not-changed"><enum>(1)</enum><text>providing ongoing assistance and advice, as 
requested, to the agency Chief Information Officer;</text></paragraph><paragraph id="id86cf563d-d4a0-4ffa-b1c7-f8111ecfcd41" changed="not-changed"><enum>(2)</enum><text>serving as an incident response point of contact between the assigned agency and the Cybersecurity and Infrastructure Security Agency; and</text></paragraph><paragraph id="id7077a924-2ba3-4e9c-8a59-4d01bb381adb" changed="not-changed"><enum>(3)</enum><text>familiarizing themselves with agency systems, processes, and procedures to better facilitate support to the agency in responding to incidents.</text></paragraph></subsection><subsection id="id99295e81-3071-4caa-9f22-e492b6a7c03a" changed="not-changed"><enum>(d)</enum><header>Limitation</header><text>An advisor assigned under subsection (a) shall not be a contractor.</text></subsection><subsection commented="no" display-inline="no-display-inline" id="idda922626-602e-4442-a6d3-8b7cc02b3f75" changed="not-changed"><enum>(e)</enum><header>Multiple assignments</header><text>One individual advisor may be assigned to multiple agency Chief Information Officers under subsection (a).</text></subsection></section><section id="idcb1d5c8b-d16c-44b2-b56b-ebdf3af17e8f" changed="not-changed"><enum>111.</enum><header>Federal penetration testing policy</header><subsection id="id34159670-044a-42b2-ae90-c659dd521168" changed="not-changed"><enum>(a)</enum><header>In general</header><text>Subchapter II of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code, is amended by adding at the end the following:</text><quoted-block style="USC" display-inline="no-display-inline" id="id5706aa5c-cfd7-4db4-9d7e-0e9c09cb660f" changed="not-changed"><section id="id12fed049-238b-4e92-b078-df89b5a8350b" changed="not-changed"><enum>3559A.</enum><header>Federal penetration testing</header><subsection id="id6148e2e4-2738-4b44-96a4-00df707b3ca4" 
changed="not-changed"><enum>(a)</enum><header>Definitions</header><text>In this section:</text><paragraph id="idfb44ada9-9a38-4ae9-ab6c-81e3485cc3ba" changed="not-changed"><enum>(1)</enum><header>Agency operational plan</header><text>The term <term>agency operational plan</term> means a plan of an agency for the use of penetration testing.</text></paragraph><paragraph id="id0a5e81a0-806a-4178-9b27-1a3312c59e9b" changed="not-changed"><enum>(2)</enum><header>Rules of engagement</header><text>The term <term>rules of engagement</term> means a set of rules established by an agency for the use of penetration testing.</text></paragraph></subsection><subsection id="id52ae314b-d013-4a0e-af65-3e15016e563a" changed="not-changed"><enum>(b)</enum><header>Guidance</header><paragraph id="id4328390bcabe46eb94af60f055c5db66"><enum>(1)</enum><header>In general</header><text>The Director, in consultation with the Secretary, acting through the Director of the Cybersecurity and Infrastructure Security Agency, shall issue guidance to agencies that—</text><subparagraph id="id4d7422eec4a74568be7aef067e008012"><enum>(A)</enum><text>requires agencies to use, when and where appropriate, penetration testing on agency systems by both Federal and non-Federal entities; and</text></subparagraph><subparagraph id="idc41c7688-8356-480f-b4dc-fe90f082a31d" changed="not-changed"><enum>(B)</enum><text>requires agencies to develop an agency operational plan and rules of engagement that meet the requirements under subsection (c).</text></subparagraph></paragraph><paragraph id="id526daa5c-4ed4-4d59-8b3c-eaf7bac73c5f" changed="not-changed"><enum>(2)</enum><header>Penetration testing guidance</header><text>The guidance issued under this section shall—</text><subparagraph id="id09f40cb9-a8ba-48ee-8c8f-5ce32d33c91a" changed="not-changed"><enum>(A)</enum><text>permit an agency to use, for the purpose of performing penetration testing—</text><clause id="id9ebc1884-2dd0-4c42-8a9c-1f872966e8e8" 
changed="not-changed"><enum>(i)</enum><text>a shared service of the agency or another agency; or</text></clause><clause id="id7728dd32-98a6-444a-bf90-502c6368dd95" changed="not-changed"><enum>(ii)</enum><text>an external entity, such as a vendor; and</text></clause></subparagraph><subparagraph id="idaa700d44-7be5-44ae-af02-ec9f1e6f9e75" changed="not-changed"><enum>(B)</enum><text>require agencies to provide the rules of engagement and results of penetration testing to the Director and the Director of the Cybersecurity and Infrastructure Security Agency, without regard to the status of the entity that performs the penetration testing.</text></subparagraph></paragraph></subsection><subsection id="id015bf86c-8303-4e58-bd6a-6b0c2b4f2bc2" changed="not-changed"><enum>(c)</enum><header>Agency plans and rules of engagement</header><text>The agency operational plan and rules of engagement of an agency shall—</text><paragraph id="id566a092257454978870b8a79192a0510" changed="not-changed"><enum>(1)</enum><text>require the agency to— </text><subparagraph id="id94F6384BCEB1412193AE7BBB3FF4F9DF" changed="not-changed"><enum>(A)</enum><text>perform penetration testing, including on the high value assets of the agency; or </text></subparagraph><subparagraph id="id698EE165450A4689AB83AC21FC5785FB" changed="not-changed"><enum>(B)</enum><text>coordinate with the Director of the Cybersecurity and Infrastructure Security Agency to ensure that penetration testing is being performed;</text></subparagraph></paragraph><paragraph id="id4ac6e3c517254fb8b9f75dd3fb1defb8" changed="not-changed"><enum>(2)</enum><text>establish guidelines for avoiding, as a result of penetration testing—</text><subparagraph id="id6e04f9f2788a4cc9b0009318b29a15ca" changed="not-changed"><enum>(A)</enum><text>adverse impacts to the operations of the agency;</text></subparagraph><subparagraph id="id4b3782ab364c4958a712d98b8fd21398" changed="not-changed"><enum>(B)</enum><text>adverse impacts to operational environments 
and systems of the agency; and</text></subparagraph><subparagraph id="idaa7736b2-f3ae-4d09-9399-420e2c353288" changed="not-changed"><enum>(C)</enum><text>inappropriate access to data;</text></subparagraph></paragraph><paragraph id="id005b6177-0f96-45b2-9bca-1c95b10bb9dd" changed="not-changed"><enum>(3)</enum><text>require the results of penetration testing to include feedback to improve the cybersecurity of the agency; and</text></paragraph><paragraph id="idb9fa3557-f6c0-4f0a-b272-8377b05774c8" changed="not-changed"><enum>(4)</enum><text>include mechanisms for providing consistently formatted, and, if applicable, automated and machine-readable, data to the Director and the Director of the Cybersecurity and Infrastructure Security Agency.</text></paragraph></subsection><subsection id="id76840f3c-3cbc-4ff0-8ccd-9e68fb9c0064" changed="not-changed"><enum>(d)</enum><header>Responsibilities of CISA</header><text>The Director of the Cybersecurity and Infrastructure Security Agency shall—</text><paragraph id="idb482889a-0ab5-4298-abe6-d2e2c9cf7ec7" changed="not-changed"><enum>(1)</enum><text>establish a process to assess the performance of penetration testing by both Federal and non-Federal entities that establishes minimum quality controls for penetration testing; </text></paragraph><paragraph id="id357391d9-1451-4d6c-80b2-c0592df3d42d" changed="not-changed"><enum>(2)</enum><text>develop operational guidance for instituting penetration testing programs at agencies;</text></paragraph><paragraph id="id4ae7387d-d828-426c-bdca-2ee233aa2961" changed="not-changed"><enum>(3)</enum><text>develop and maintain a centralized capability to offer penetration testing as a service to Federal and non-Federal entities; and</text></paragraph><paragraph id="id81c5ad65-d50a-430b-a1ca-b18ec002c6e2" changed="not-changed"><enum>(4)</enum><text>provide guidance to agencies on the best use of penetration testing resources.</text></paragraph></subsection><subsection 
id="id1874bbe6-87a1-4a06-a14d-29afeb6150b5" changed="not-changed"><enum>(e)</enum><header>Responsibilities of OMB</header><text>The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall—</text><paragraph id="id98618c68-f662-4482-8d3d-9601ca0aeae0" changed="not-changed"><enum>(1)</enum><text>not less frequently than annually, inventory all Federal penetration testing assets; and</text></paragraph><paragraph id="id3a5f06d1-17be-4a02-944b-e09fc34798de" changed="not-changed"><enum>(2)</enum><text>develop and maintain a standardized process for the use of penetration testing.</text></paragraph></subsection><subsection id="idaa59b285-3409-4757-b519-a4421450a85d" changed="not-changed"><enum>(f)</enum><header>Prioritization of penetration testing resources</header><paragraph id="idf2a4b00b-dd61-45ef-bde7-c62cfdbdc449" changed="not-changed"><enum>(1)</enum><header>In general</header><text>The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall develop a framework for prioritizing Federal penetration testing resources among agencies.</text></paragraph><paragraph id="idc3faf56e-e883-4482-82ef-2a37322f0986" changed="not-changed"><enum>(2)</enum><header>Considerations</header><text>In developing the framework under this subsection, the Director shall consider—</text><subparagraph id="id2e5c86b7-763d-4a19-a780-f63a0117c4d1" changed="not-changed"><enum>(A)</enum><text>agency system risk assessments performed under section 3554(a)(1)(A);</text></subparagraph><subparagraph id="idc0997a72-5bef-4d62-adab-d90c9214c967" changed="not-changed"><enum>(B)</enum><text>the Federal risk assessment performed under section 3553(i);</text></subparagraph><subparagraph id="ide7828c3d-eefd-42bb-803c-a30c02e4058b" changed="not-changed"><enum>(C)</enum><text>the analysis of Federal incident data performed under section 3597; and</text></subparagraph><subparagraph 
id="id8a6a7a2e-2abd-45ff-af21-55a37cfc71da" changed="not-changed"><enum>(D)</enum><text>any other information determined appropriate by the Director or the Director of the Cybersecurity and Infrastructure Security Agency.</text></subparagraph></paragraph></subsection><subsection id="id1d979f939fa949b08bfef382883982ca" changed="not-changed"><enum>(g)</enum><header>Exception for national security systems</header><text>The guidance issued under subsection (b) shall not apply to national security systems.</text></subsection><subsection id="id5cc6409955d24b5a810e3493265601ed" changed="not-changed"><enum>(h)</enum><header>Delegation of authority for certain systems</header><text>The authorities of the Director described in subsection (b) shall be delegated— </text><paragraph id="id8E1E57C26DB24C3ABDBE1057BD8F1AEC" changed="not-changed"><enum>(1)</enum><text>to the Secretary of Defense in the case of systems described in section 3553(e)(2); and </text></paragraph><paragraph id="id56CF417D008D4B08A86FED819418F216" changed="not-changed"><enum>(2)</enum><text>to the Director of National Intelligence in the case of systems described in section 3553(e)(3).</text></paragraph></subsection></section><after-quoted-block>.</after-quoted-block></quoted-block></subsection><subsection id="id95e2c232fe394bce96d288f45b1605c5" changed="not-changed"><enum>(b)</enum><header>Deadline for guidance</header><text>Not later than 180 days after the date of enactment of this Act, the Director shall issue the guidance required under section 3559A(b) of title 44, United States Code, as added by subsection (a). 
</text></subsection><subsection id="idd33995b8-b3e7-4941-8c34-c5f09b88a7e6" changed="not-changed"><enum>(c)</enum><header>Clerical amendment</header><text>The table of sections for <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code, is amended by adding after the item relating to section 3559 the following:</text><quoted-block style="USC" id="ida08a9f5b-a4cb-4b88-910d-9c26375e8351" changed="not-changed"><toc changed="not-changed"><toc-entry level="section" changed="not-changed">3559A. Federal penetration testing.</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block></subsection><subsection id="id3f924234c8704ff8abc681abf90e3031"><enum>(d)</enum><header>Sunset</header><paragraph id="id4A533222B5744F9BA64F8AF86DB5E0EC"><enum>(1)</enum><header>In general</header><text>Effective on the date that is 10 years after the date of enactment of this Act, subchapter II of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code, is amended by striking section 3559A.</text></paragraph><paragraph id="id86F3D5F9FB074ADF93DB66D3B36C2F0A"><enum>(2)</enum><header>Clerical amendment</header><text>Effective on the date that is 10 years after the date of enactment of this Act, the table of sections for <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code, is amended by striking the item relating to section 3559A.</text></paragraph></subsection></section><section id="id8ac0efe9-c6c6-4290-b836-3e48c6b22cc4" changed="not-changed"><enum>112.</enum><header>Ongoing threat hunting program</header><subsection id="id6a0cb734-18f5-4b34-a908-2cd70aeb0e90" changed="not-changed"><enum>(a)</enum><header>Threat hunting program</header><paragraph id="idd27d01dd-4f45-48ee-854c-d3bee7f24c74" changed="not-changed"><enum>(1)</enum><header>In 
general</header><text>Not later than 540 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall establish a program to provide ongoing, hypothesis-driven threat-hunting services on the network of each agency.</text></paragraph><paragraph id="idaed14bce-1f2e-407c-b5d1-724988e6aabf" changed="not-changed"><enum>(2)</enum><header>Plan</header><text>Not later than 180 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall develop a plan to establish the program required under paragraph (1) that describes how the Director of the Cybersecurity and Infrastructure Security Agency plans to—</text><subparagraph id="idd8aa213d-62be-407c-9807-c5382e1b0dac" changed="not-changed"><enum>(A)</enum><text>determine the method for collecting, storing, accessing, analyzing, and safeguarding appropriate agency data;</text></subparagraph><subparagraph id="id72766359-9544-4e45-9b11-3100060753a2" changed="not-changed"><enum>(B)</enum><text>provide on-premises support to agencies;</text></subparagraph><subparagraph id="idcfa22088-7357-4ae3-b4a5-8eee33d9ca14" changed="not-changed"><enum>(C)</enum><text>staff threat hunting services;</text></subparagraph><subparagraph id="idbdb416d6-882f-417b-869b-2afb71372517" changed="not-changed"><enum>(D)</enum><text>allocate available human and financial resources to implement the plan; and</text></subparagraph><subparagraph id="id79084f13-b1ce-4cee-80f7-ebde945c9106" changed="not-changed"><enum>(E)</enum><text>provide input to the heads of agencies on the use of—</text><clause id="ide0f87131-6c04-4e69-9bf0-583dbfcf0067" changed="not-changed"><enum>(i)</enum><text>more stringent standards under section 11331(c)(1) of title 40, United States Code; and</text></clause><clause id="id88988633-827d-4a81-a4ea-7d3cab3f9754" changed="not-changed"><enum>(ii)</enum><text>additional cybersecurity procedures under section 3554 of title 
44, United States Code.</text></clause></subparagraph></paragraph></subsection><subsection commented="no" id="idd35a2fb4-085f-405e-bbe4-b46bfd5b26f0" changed="not-changed"><enum>(b)</enum><header>Reports</header><text>The Director of the Cybersecurity and Infrastructure Security Agency shall submit to the appropriate congressional committees—</text><paragraph commented="no" id="ide51f7826-8a5c-4b72-b522-3ecefd72bbf1" changed="not-changed"><enum>(1)</enum><text>not later than 30 days after the date on which the Director of the Cybersecurity and Infrastructure Security Agency completes the plan required under subsection (a)(2), a report on the plan to provide threat hunting services to agencies;</text></paragraph><paragraph id="ide9e2cbae-e92f-4fae-b84f-8e2988e49315" changed="not-changed"><enum>(2)</enum><text>not less than 30 days before the date on which the Director of the Cybersecurity and Infrastructure Security Agency begins providing threat hunting services under the program under subsection (a)(1), a report providing any updates to the plan developed under subsection (a)(2); and</text></paragraph><paragraph id="id35b455b0-69bb-4977-8357-0f3b4a0b587c" changed="not-changed"><enum>(3)</enum><text>not later than 1 year after the date on which the Director of the Cybersecurity and Infrastructure Security Agency begins providing threat hunting services to agencies other than the Cybersecurity and Infrastructure Security Agency, a report describing lessons learned from providing those services.</text></paragraph></subsection></section><section id="idb10abbdc-108c-4af0-bc7c-43b1df5a7e70" changed="not-changed"><enum>113.</enum><header>Codifying vulnerability disclosure programs</header><subsection id="id81b60b6f-fbc1-49c5-b91c-4aaef24d468b" changed="not-changed"><enum>(a)</enum><header>In general</header><text><external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">Chapter 35</external-xref> of title 44, United States Code, is amended by inserting 
after <external-xref legal-doc="usc" parsable-cite="usc/44/3559A">section 3559A,</external-xref> as added by section 111 of this title, the following:</text><quoted-block style="USC" display-inline="no-display-inline" id="idd2c7a600-04e7-46cf-a5fa-cf4e7e095f61" changed="not-changed"><section id="idbfd45c00-c084-4656-af18-aabb596f38b4" changed="not-changed"><enum>3559B.</enum><header>Federal vulnerability disclosure programs</header><subsection changed="not-changed" id="id4A5E634EF0604A2491E0DA32360917A9"><enum>(a)</enum><header>Purpose; sense of Congress</header><paragraph changed="not-changed" id="idF5A63D40473D479786E5E65AF144AF81"><enum>(1)</enum><header>Purpose</header><text>The purpose of Federal vulnerability disclosure programs is to create a mechanism to use the expertise of the public to provide a service to Federal agencies by identifying information system vulnerabilities.</text></paragraph><paragraph changed="not-changed" id="idB273198BBC024031BB55955E003BAA4F"><enum>(2)</enum><header>Sense of Congress</header><text>It is the sense of Congress that, in implementing the requirements of this section, the Federal Government should take appropriate steps to reduce real and perceived burdens in communications between agencies and security researchers.</text></paragraph></subsection><subsection id="id1cd29b24-ca8b-4321-b0fb-7943c0b7ec7a" changed="not-changed"><enum>(b)</enum><header>Definitions</header><text>In this section:</text><paragraph id="id0d7a0a01-b25f-4480-8782-3c1404803db6" changed="not-changed"><enum>(1)</enum><header>Report</header><text>The term <term>report</term> means a vulnerability disclosure made to an agency by a reporter.</text></paragraph><paragraph id="id50c7002a-ecdd-42f5-991d-d87d944b3ff5" changed="not-changed"><enum>(2)</enum><header>Reporter</header><text>The term <term>reporter</term> means an individual that submits a vulnerability report pursuant to the vulnerability disclosure process of an 
agency.</text></paragraph></subsection><subsection id="id9d837eeb-fdad-450a-b973-20e31e8fe3f2" changed="not-changed"><enum>(c)</enum><header>Responsibilities of OMB</header><paragraph id="id9b1dd61d-8ebe-4ce5-bd98-4b939d75fbf9" changed="not-changed"><enum>(1)</enum><header>Limitation on legal action</header><text>The Director, in consultation with the Attorney General, shall issue guidance to agencies to not recommend or pursue legal action against a reporter or an individual that conducts a security research activity that the head of the agency determines—</text><subparagraph id="id253f6631-d0f8-4242-85b2-5152b84c49c5" changed="not-changed"><enum>(A)</enum><text>represents a good faith effort to follow the vulnerability disclosure policy of the agency developed under subsection (e)(2); and</text></subparagraph><subparagraph id="id888c648c-fd7a-4889-8d4f-9a736d43cc9d" changed="not-changed"><enum>(B)</enum><text>is authorized under the vulnerability disclosure policy of the agency developed under subsection (e)(2).</text></subparagraph></paragraph><paragraph id="ida2e68a41-1f0a-4ab7-8a58-688e823962ca" changed="not-changed"><enum>(2)</enum><header>Sharing information with CISA</header><text>The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and in consultation with the National Cyber Director, shall issue guidance to agencies on sharing relevant information in a consistent, automated, and machine readable manner with the Director of the Cybersecurity and Infrastructure Security Agency, including—</text><subparagraph id="id6068cb6f-f33b-458b-b7ad-cdb5e72e1144" changed="not-changed"><enum>(A)</enum><text>any valid or credible reports of newly discovered or not publicly known vulnerabilities (including misconfigurations) on Federal information systems that use commercial software or services;</text></subparagraph><subparagraph id="ida586a068-9112-4a36-a03a-88021c15b802" 
changed="not-changed"><enum>(B)</enum><text>information relating to vulnerability disclosure, coordination, or remediation activities of an agency, particularly as those activities relate to outside organizations—</text><clause id="ida792d656-d241-4beb-8172-bb9991091d94" changed="not-changed"><enum>(i)</enum><text>with which the head of the agency believes the Director of the Cybersecurity and Infrastructure Security Agency can assist; or</text></clause><clause id="id8cf110e3-bf13-44ff-bea1-3f99a0f2d028" changed="not-changed"><enum>(ii)</enum><text>about which the head of the agency believes the Director of the Cybersecurity and Infrastructure Security Agency should know; and</text></clause></subparagraph><subparagraph id="id1901478a-aeef-4996-bf6a-c1a5834fc00c" changed="not-changed"><enum>(C)</enum><text>any other information with respect to which the head of the agency determines helpful or necessary to involve the Director of the Cybersecurity and Infrastructure Security Agency.</text></subparagraph></paragraph><paragraph commented="no" id="id7ac1af0c-4ec8-4c3d-93c6-d2ffb15c7716" changed="not-changed"><enum>(3)</enum><header>Agency vulnerability disclosure policies</header><text>The Director shall issue guidance to agencies on the required minimum scope of agency systems covered by the vulnerability disclosure policy of an agency required under subsection (e)(2).</text></paragraph></subsection><subsection id="id55f5a204-298f-4e67-bd1f-b94ab0e2326c" changed="not-changed"><enum>(d)</enum><header>Responsibilities of CISA</header><text>The Director of the Cybersecurity and Infrastructure Security Agency shall—</text><paragraph id="id1dcac4cc-7348-4db9-a115-3663280647da" changed="not-changed"><enum>(1)</enum><text>provide support to agencies with respect to the implementation of the requirements of this section;</text></paragraph><paragraph id="idc07761d7-765f-4fa8-834e-26faff0448f5" changed="not-changed"><enum>(2)</enum><text>develop tools, processes, and other 
mechanisms determined appropriate to offer agencies capabilities to implement the requirements of this section; and</text></paragraph><paragraph id="id91f7956e-d559-4261-9935-0f05abcbb975" changed="not-changed"><enum>(3)</enum><text>upon a request by an agency, assist the agency in the disclosure to vendors of newly identified vulnerabilities in vendor products and services.</text></paragraph></subsection><subsection id="id90ab267d-767d-421e-a1f6-a8c37fc41374" changed="not-changed"><enum>(e)</enum><header>Responsibilities of agencies</header><paragraph id="id0c26245b-3579-4cc4-98d7-919565e32acf" changed="not-changed"><enum>(1)</enum><header>Public information</header><text>The head of each agency shall make publicly available, with respect to each internet domain under the control of the agency that is not a national security system—</text><subparagraph id="iddfb4555d-3f6d-4941-9bcb-ef6956712856" changed="not-changed"><enum>(A)</enum><text>an appropriate security contact; and</text></subparagraph><subparagraph id="id013b4dbb-ab40-4dc4-9184-1d883cc6ca10" changed="not-changed"><enum>(B)</enum><text>the component of the agency that is responsible for the internet accessible services offered at the domain.</text></subparagraph></paragraph><paragraph id="id2c8a66c6-af87-46ff-bc57-ad1e927cd3eb" changed="not-changed"><enum>(2)</enum><header>Vulnerability disclosure policy</header><text>The head of each agency shall develop and make publicly available a vulnerability disclosure policy for the agency, which shall—</text><subparagraph id="id7ed96a6c-2e86-4c07-b51d-d81840c61d28" changed="not-changed"><enum>(A)</enum><text>describe—</text><clause id="idff681c3b-2b21-4bf8-9f2b-053cda2646d7" changed="not-changed"><enum>(i)</enum><text>the scope of the systems of the agency included in the vulnerability disclosure policy;</text></clause><clause id="id4ac266be-b414-4398-9ce9-dcc7c18745d9" changed="not-changed"><enum>(ii)</enum><text>the type of information system testing that is 
authorized by the agency;</text></clause><clause id="id00e39778-0939-4d12-8a46-7d21c1790068" changed="not-changed"><enum>(iii)</enum><text>the type of information system testing that is not authorized by the agency; and</text></clause><clause id="idd545f69c-24ec-4fe9-8728-61bfe25416d0" changed="not-changed"><enum>(iv)</enum><text>the disclosure policy of the agency for sensitive information;</text></clause></subparagraph><subparagraph id="id98a3c7499ef24840b4eb29d238e28bf5" changed="not-changed"><enum>(B)</enum><text>with respect to a report to an agency, describe—</text><clause id="id55edbf0ec2cc435f853d9fa304031b56" changed="not-changed"><enum>(i)</enum><text>how the reporter should submit the report; and</text></clause><clause id="id01b0d61bf4e745f282a0133e6f20c49b" changed="not-changed"><enum>(ii)</enum><text>if the report is not anonymous, when the reporter should anticipate an acknowledgment of receipt of the report by the agency; </text></clause></subparagraph><subparagraph id="idaf99963069e740ba8531834c1513a624" changed="not-changed"><enum>(C)</enum><text>include any other relevant information; and</text></subparagraph><subparagraph id="idfeb7f786632b4455981e70919d924555" changed="not-changed"><enum>(D)</enum><text>be mature in scope and cover every internet accessible Federal information system used or operated by that agency or on behalf of that agency.</text></subparagraph></paragraph><paragraph id="idaa3cceb3-d355-4b76-8e22-53d0c31f5e45" changed="not-changed"><enum>(3)</enum><header>Identified vulnerabilities</header><text>The head of each agency shall incorporate any vulnerabilities reported under paragraph (2) into the vulnerability management process of the agency in order to track and remediate the vulnerability.</text></paragraph></subsection><subsection id="ida1510e95-469e-430a-9967-a99b04bd4adb" changed="not-changed"><enum>(f)</enum><header>Congressional reporting</header><text>Not later than 90 days after the date of enactment of the 
<short-title>Federal Information Security Modernization Act of 2022</short-title>, and annually thereafter for a 3-year period, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, shall provide to the <committee-name committee-id="SSGA00">Committee on Homeland Security and Governmental Affairs of the Senate</committee-name> and the <committee-name committee-id="">Committee on Oversight and Reform of the House of Representatives</committee-name> a briefing on the status of the use of vulnerability disclosure policies under this section at agencies, including, with respect to the guidance issued under subsection (c)(3), an identification of the agencies that are compliant and not compliant. </text></subsection><subsection id="id1826b922e7e14000957626b50dbfcf02" changed="not-changed"><enum>(g)</enum><header>Exemptions</header><text>The authorities and functions of the Director and Director of the Cybersecurity and Infrastructure Security Agency under this section shall not apply to national security systems.</text></subsection><subsection id="idC2F6C750DB024FC19A34C74BD2C60FAC" changed="not-changed"><enum>(h)</enum><header>Delegation of authority for certain systems</header><text>The authorities of the Director and the Director of the Cybersecurity and Infrastructure Security Agency described in this section shall be delegated— </text><paragraph id="idE69564DA113E40A29BB8266B51E7C65F" changed="not-changed"><enum>(1)</enum><text>to the Secretary of Defense in the case of systems described in section 3553(e)(2); and </text></paragraph><paragraph id="idB5C5EAE3B43D4BD79C4CD46F9057F4B6" changed="not-changed"><enum>(2)</enum><text>to the Director of National Intelligence in the case of systems described in section 3553(e)(3).</text></paragraph></subsection></section><after-quoted-block>.</after-quoted-block></quoted-block></subsection><subsection id="idfca3fac3-836e-466a-8157-47a9f672f1e2" 
changed="not-changed"><enum>(b)</enum><header>Clerical amendment</header><text>The table of sections for <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code, is amended by adding after the item relating to section 3559A, as added by section 111, the following:</text><quoted-block style="USC" id="id75b825b6-898f-4500-8557-11e73f887f9d" changed="not-changed"><toc changed="not-changed"><toc-entry level="section" changed="not-changed">3559B. Federal vulnerability disclosure programs.</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block></subsection><subsection id="idBE6FF417F15545A18F0B574155CD7D75"><enum>(c)</enum><header>Sunset</header><paragraph id="idC114819A3CC342AD80895D72876DFCFA"><enum>(1)</enum><header>In general</header><text>Effective on the date that is 10 years after the date of enactment of this Act, subchapter II of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code, is amended by striking section 3559B.</text></paragraph><paragraph id="idD333DF7467024F5AB70FBBA6690D50BF" commented="no" display-inline="no-display-inline"><enum>(2)</enum><header>Clerical amendment</header><text>Effective on the date that is 10 years after the date of enactment of this Act, the table of sections for <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code, is amended by striking the item relating to section 3559B.</text></paragraph></subsection></section><section id="ide5684d3fad7e4f56b75dba6cd0e97ffb" changed="not-changed"><enum>114.</enum><header>Implementing zero trust architecture</header><subsection id="id4bdc8be904034692811818fee0a6d279" changed="not-changed"><enum>(a)</enum><header>Guidance</header><text>Not later than 18 months after the date of enactment of this Act, the Director shall provide an update to the 
appropriate congressional committees on progress in increasing the internal defenses of agency systems, including—</text><paragraph id="id81aebb397800497cb59a74789ec7f7bb" changed="not-changed"><enum>(1)</enum><text>shifting away from <quote>trusted networks</quote> to implement security controls based on a presumption of compromise;</text></paragraph><paragraph id="id22e40b388ca9420bb87b72753d386791" changed="not-changed"><enum>(2)</enum><text>implementing principles of least privilege in administering information security programs;</text></paragraph><paragraph id="idde0bae0f38bf44ec9ecaa6667938975a" changed="not-changed"><enum>(3)</enum><text>limiting the ability of entities that cause incidents to move laterally through or between agency systems;</text></paragraph><paragraph id="idf1d3fdeb5f12468dbc7a3c864e48a0dd" changed="not-changed"><enum>(4)</enum><text>identifying incidents quickly;</text></paragraph><paragraph id="id89acd576afc34221b8e00ee67c76333c" changed="not-changed"><enum>(5)</enum><text>isolating and removing unauthorized entities from agency systems as quickly as practicable, accounting for intelligence or law enforcement purposes;</text></paragraph><paragraph id="idef712e9810704f949a0e879eac011222" changed="not-changed"><enum>(6)</enum><text>otherwise increasing the resource costs for entities that cause incidents to be successful; and</text></paragraph><paragraph id="idc3251015893945bb91cf5be3a87c7ab9" changed="not-changed"><enum>(7)</enum><text>a summary of the agency progress reports required under subsection (b).</text></paragraph></subsection><subsection id="ide0e80aa450a94ec191062f6a2fd9a46b"><enum>(b)</enum><header>Agency progress reports</header><text>Not later than 270 days after the date of enactment of this Act, the head of each agency shall submit to the Director a progress report on implementing an information security program based on the presumption of compromise and least privilege principles, which shall include—</text><paragraph 
id="idb193872d0eac45fbba23a529ebe22a27"><enum>(1)</enum><text>a description of any steps the agency has completed, including progress toward achieving requirements issued by the Director, including the adoption of any models or reference architecture;</text></paragraph><paragraph id="id1de93e9242c24c7597589a293b4706bf"><enum>(2)</enum><text>an identification of activities that have not yet been completed and that would have the most immediate security impact; and</text></paragraph><paragraph id="id19df6622b5284321b15ce511d93f772e"><enum>(3)</enum><text>a schedule to implement any planned activities.</text></paragraph></subsection></section><section id="id8b0e41d840ae4395902d3df5effa3f05" changed="not-changed"><enum>115.</enum><header>Automation reports</header><subsection id="idd763fa23c6994651a96be8e3aa0ab982" changed="not-changed"><enum>(a)</enum><header>OMB report</header><text>Not later than 180 days after the date of enactment of this Act, the Director shall provide to the appropriate congressional committees an update on the use of automation under paragraphs (1), (5)(C), and (8)(B) of section 3554(b) of title 44, United States Code.</text></subsection><subsection id="id638258cae80d4f5586f224980af092d6" changed="not-changed"><enum>(b)</enum><header>GAO report</header><text>Not later than 1 year after the date of enactment of this Act, the Comptroller General of the United States shall perform a study on the use of automation and machine readable data across the Federal Government for cybersecurity purposes, including the automated updating of cybersecurity tools, sensors, or processes by agencies.</text></subsection></section><section id="id2f40a37b9a9146bf8ee9dac10c3b5fd9" commented="no"><enum>116.</enum><header>Extension of Federal acquisition security council and software inventory</header><subsection id="id12b5f697fd4949f3b8503d4519880246"><enum>(a)</enum><header>Extension</header><text>Section 1328 of title 41, United States Code, is amended by striking 
<quote>the date that</quote> and all that follows and inserting <quote>December 31, 2026.</quote>.</text></subsection><subsection id="idc7c377d98d19419d8b74b3032534c470"><enum>(b)</enum><header>Requirement</header><text>Subsection 1326(b) of title 41, United States Code, is amended—</text><paragraph id="ida78af7f133174c61b195e1362fc0ae49"><enum>(1)</enum><text>in paragraph (5), by striking <quote>and</quote> at the end;</text></paragraph><paragraph id="idc5b23976e8494628b8099f32dfe4c14b"><enum>(2)</enum><text>by redesignating paragraph (6) as paragraph (7); and</text></paragraph><paragraph id="id85e23c2d62e34815bc5bfcb18faee261"><enum>(3)</enum><text>by inserting after paragraph (5) the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id878d300da6534a99932a8bc02408992b"><paragraph id="idb6cd7234c3ba456daf11c5a828803fc0"><enum>(6)</enum><text>maintaining an up-to-date and accurate inventory of software in use by the agency and, if available and applicable, the components of such software, that can be communicated at the request of the Federal Acquisition Security Council, the National Cyber Director, or the Secretary of Homeland Security, acting through the Director of Cybersecurity and Infrastructure Security Agency; and</text></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection></section><section id="ida81471996a584d75940dabe4f8de9e29" changed="not-changed"><enum>117.</enum><header>Council of the Inspectors General on Integrity and Efficiency dashboard</header><subsection id="idac07d37cba7e47de8f8d92443e4d6ac9" changed="not-changed"><enum>(a)</enum><header>Dashboard required</header><text>Section 11(e)(2) of the Inspector General Act of 1978 (5 U.S.C. App.) 
is amended—</text><paragraph id="id29e239309cef4fe485d49882114e6626" changed="not-changed"><enum>(1)</enum><text>in subparagraph (A), by striking <quote>and</quote> at the end;</text></paragraph><paragraph id="id8418a520c05045318dffd446f13a6aa5" changed="not-changed"><enum>(2)</enum><text>by redesignating subparagraph (B) as subparagraph (C); and</text></paragraph><paragraph id="idc69774f40e9b458eb783bcc8720f2590" changed="not-changed"><enum>(3)</enum><text>by inserting after subparagraph (A) the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id4448fc6f4416476ea065542478bc755c" changed="not-changed"><subparagraph id="ide56981bc076844bea2d1e09eda7b08ec" changed="not-changed"><enum>(B)</enum><text>that shall include a dashboard of open information security recommendations identified in the independent evaluations required by section 3555(a) of title 44, United States Code; and</text></subparagraph><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection></section><section id="id7868B49EA31349B9A1F18F5AB6EF05B9"><enum>118.</enum><header>Quantitative cybersecurity metrics</header><subsection id="idEEA6D63338924B1DB3ED200D7BD06AEF"><enum>(a)</enum><header>Definition of covered metrics</header><text>In this section, the term <term>covered metrics</term> means the metrics established, reviewed, and updated under section 224(c) of the Cybersecurity Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1522">6 U.S.C. 
1522(c)</external-xref>).</text></subsection><subsection id="id716d0a7ce1f244cd8eb6de8ceb05bec8"><enum>(b)</enum><header>Updating and establishing metrics</header><text>Not later than 1 year after the date of enactment of this Act, and as appropriate thereafter, the Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director, shall—</text><paragraph id="id2d32a6beb32748ed847e2fdfed27bfdb"><enum>(1)</enum><text>evaluate any covered metrics established as of the date of enactment of this Act; and</text></paragraph><paragraph id="id13cb58b566bb4bf09b8e184a57fef1b6"><enum>(2)</enum><text>as appropriate and pursuant to section 224(c) of the Cybersecurity Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1522">6 U.S.C. 1522(c)</external-xref>) update or establish new covered metrics.</text></paragraph></subsection><subsection commented="no" id="id5B2EE7BFF09C44298C690CE64D2F5EA8"><enum>(c)</enum><header>Implementation</header><paragraph commented="no" id="idD1E3841B49374BF3ADA99B4EC76190E5"><enum>(1)</enum><header>In general</header><text>Not later than 540 days after the date of enactment of this Act, the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall promulgate guidance that requires each agency to use covered metrics to track trends in the cybersecurity and incident response capabilities of the agency.</text></paragraph><paragraph commented="no" id="id90E1F745341E49808EA306AC2AA11B15"><enum>(2)</enum><header>Performance demonstration</header><text>The guidance issued under paragraph (1) and any subsequent guidance shall require agencies to share with the Director of the Cybersecurity and Infrastructure Security Agency data demonstrating the performance of the agency using the covered metrics included in the guidance.</text></paragraph><paragraph commented="no" id="idFFFD62C8A67E49EB8742502CB7ABFA36"><enum>(3)</enum><header>Penetration 
tests</header><text>On not less than 2 occasions during the 2-year period following the date on which guidance is promulgated under paragraph (1), the Director shall ensure that not less than 3 agencies are subjected to substantially similar penetration tests, as determined by the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, in order to validate the utility of the covered metrics.</text></paragraph><paragraph commented="no" id="id519BEC290F32495AB3A3CFD3C41B1429"><enum>(4)</enum><header>Analysis capacity</header><text>The Director of the Cybersecurity and Infrastructure Security Agency shall develop a capability that allows for the analysis of the covered metrics, including cross-agency performance of agency cybersecurity and incident response capability trends.</text></paragraph><paragraph id="id84010e4b5afc4a8a8fc648b5b703f33b"><enum>(5)</enum><header>Time-based metric</header><text>With respect to the first update or establishment of covered metrics required under subsection (b)(2), the Director of the Cybersecurity and Infrastructure Security Agency shall establish covered metrics that include not less than 1 metric addressing the time it takes for agencies to identify and respond to incidents.</text></paragraph></subsection><subsection commented="no" id="id0E2891E3183E4821B128DA3FB620AC4E"><enum>(d)</enum><header>Congressional reports</header><text>Not later than 1 year after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director, shall submit to the appropriate congressional committees a report on the utility and use of the covered metrics.</text></subsection></section><section id="id61d6ec96e759421ca9949058bbc78dd6" changed="not-changed"><enum>119.</enum><header>Establishment of risk-based budget model</header><subsection changed="not-changed" 
id="idA6D646DAEE6B4B47A86A73218A68627B"><enum>(a)</enum><header>Definitions</header><text display-inline="yes-display-inline">In this section:</text><paragraph id="idb9abc574126144f887ebac979deeefd3" changed="not-changed"><enum>(1)</enum><header>Appropriate congressional committees</header><text>The term <term>appropriate congressional committees</term> means—</text><subparagraph id="ida1f9d9946c4e4721a27127ab912a8cbb" changed="not-changed"><enum>(A)</enum><text>the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate; and</text></subparagraph><subparagraph id="idebc31616daee4995836cd605ef5df6a1" changed="not-changed"><enum>(B)</enum><text>the Committee on Oversight and Reform, the Committee on Homeland Security, and the Committee on Appropriations of the House of Representatives.</text></subparagraph></paragraph><paragraph id="id08d40eb4b6f24271b5c6671c61355e4b" changed="not-changed"><enum>(2)</enum><header>Covered agency</header><text>The term <term>covered agency</term> has the meaning given the term <term>executive agency</term> in section 133 of title 41, United States Code.</text></paragraph><paragraph id="idc0779233548642bca684e4f84409925a" changed="not-changed"><enum>(3)</enum><header>Director</header><text>The term <term>Director</term> means the Director of the Office of Management and Budget.</text></paragraph><paragraph id="idb62ac6aef9e24153a5166b5881a14b90" changed="not-changed"><enum>(4)</enum><header>Information technology</header><text>The term <term>information technology</term>—</text><subparagraph id="id8988a1772d7240efb349621f64718f86" changed="not-changed"><enum>(A)</enum><text>has the meaning given the term in section 11101 of title 40, United States Code; and</text></subparagraph><subparagraph id="id5ce7cce11c87401790c2837371c956df" changed="not-changed"><enum>(B)</enum><text>includes the hardware and software systems of a Federal agency that monitor and control physical equipment and 
processes of the Federal agency.</text></subparagraph></paragraph><paragraph id="id72a2f2e2ccd14415b4e2192b8341fc95" changed="not-changed"><enum>(5)</enum><header>Risk-based budget</header><text>The term <term>risk-based budget</term> means a budget—</text><subparagraph id="id6e90ed1cd5a34eeaa3efb19ed2183f1d" changed="not-changed"><enum>(A)</enum><text>developed by identifying and prioritizing cybersecurity risks and vulnerabilities, including impact on agency operations in the case of a cyber attack, through analysis of cyber threat intelligence, incident data, and tactics, techniques, procedures, and capabilities of cyber threats; and</text></subparagraph><subparagraph id="ide009e326328946a0a8967519696951c8" changed="not-changed"><enum>(B)</enum><text>that allocates resources based on the risks identified and prioritized under subparagraph (A).</text></subparagraph></paragraph></subsection><subsection id="id8425fbd074984e3196cb527331f4167c" changed="not-changed"><enum>(b)</enum><header>Establishment of risk-based budget model</header><paragraph id="idae13440539584556ab47e663cee611b4" changed="not-changed"><enum>(1)</enum><header>In general</header><subparagraph id="id9a6cfcb949da4aaab905f235db89ce2d" changed="not-changed"><enum>(A)</enum><header>Model</header><text>Not later than 1 year after the first publication of the budget submitted by the President under section 1105 of title 31, United States Code, following the date of enactment of this Act, the Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director and in coordination with the Director of the National Institute of Standards and Technology, shall develop a standard model for informing a risk-based budget for cybersecurity spending.</text></subparagraph><subparagraph id="id69ecfdb9df1c4a929a5830460d801ad9" changed="not-changed"><enum>(B)</enum><header>Responsibility of director</header><text>Section 3553(a) of title 44, United 
States Code, as amended by section 103 of this title, is further amended by inserting after paragraph (6) the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id6df3f96db0004ac4bfc3be24eed0cdc9" changed="not-changed"><paragraph id="id9bdbf288009a4b478ef00d94e17a909c" changed="not-changed"><enum>(7)</enum><text>developing a standard risk-based budget model to inform Federal agency cybersecurity budget development; and</text></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></subparagraph><subparagraph id="ideba7f555019943688711ef3518cfb002" changed="not-changed"><enum>(C)</enum><header>Contents of model</header><text>The model required to be developed under subparagraph (A) shall utilize appropriate information to evaluate risk, including, as determined appropriate by the Director—</text><clause id="id81afec9eb866425489d8e99f00365899" changed="not-changed"><enum>(i)</enum><text>Federal and non-Federal cyber threat intelligence products, where available, to identify threats, vulnerabilities, and risks;</text></clause><clause id="ida5096baf8dbf40379394193241aeb4cb" changed="not-changed"><enum>(ii)</enum><text>analysis of the impact of agency operations of compromise of systems, including the interconnectivity to other agency systems and the operations of other agencies; and</text></clause><clause id="idc68420fa28fb4a408aae5b2c87925640" changed="not-changed"><enum>(iii)</enum><text>to the greatest extent practicable, analysis of where resources should be allocated to have the greatest impact on mitigating current and future threats and current and future cybersecurity capabilities.</text></clause></subparagraph><subparagraph changed="not-changed" id="idEAAB43DCE127406E9C1852357B0B3C8C"><enum>(D)</enum><header>Use of model</header><text>The model required to be developed under subparagraph (A) shall be used to—</text><clause id="id2e148fe05ddc4d459afb91e7ec7c2c90" changed="not-changed"><enum>(i)</enum><text>inform 
acquisition and sustainment of—</text><subclause id="id104bb4bf6fb04427b01354337e6610be" changed="not-changed"><enum>(I)</enum><text>information technology and cybersecurity tools;</text></subclause><subclause id="id8909559045b34f998818a93e751d707a" changed="not-changed"><enum>(II)</enum><text>information technology and cybersecurity architectures;</text></subclause><subclause id="ida7f79dd83e364825bcfd4e71b90be37a" changed="not-changed"><enum>(III)</enum><text>information technology and cybersecurity personnel; and</text></subclause><subclause id="id11ee14b91f03409a9db45867c34d612d" changed="not-changed"><enum>(IV)</enum><text>cybersecurity and information technology concepts of operations; and</text></subclause></clause><clause id="id94a1e352563d4488a2fdb60f26e5f23b" changed="not-changed"><enum>(ii)</enum><text>evaluate and inform Government-wide cybersecurity programs.</text></clause></subparagraph><subparagraph id="id63310af7e8a547138146f36d19d551d9"><enum>(E)</enum><header>Model variation</header><text>The Director may develop multiple models under subparagraph (A) based on different agency characteristics, such as size or cybersecurity maturity. 
</text></subparagraph><subparagraph id="idb70be624cbd74684866b064d053f7eca" changed="not-changed"><enum>(F)</enum><header>Required updates</header><text>Not less frequently than once every 3 years, the Director shall review, and update as necessary, the model required to be developed under subparagraph (A).</text></subparagraph><subparagraph id="id130ef2b078ac448995511e1e589a02c8" changed="not-changed"><enum>(G)</enum><header>Publication</header><text>Not earlier than 5 years after the date on which the model developed under subparagraph (A) is completed, the Director shall, taking into account any classified or sensitive information, publish the model, and any updates necessary under subparagraph (F), on the public website of the Office of Management and Budget.</text></subparagraph><subparagraph id="id80164e65eae74a60afb60620f20118b3" changed="not-changed"><enum>(H)</enum><header>Reports</header><text>Not later than 2 years after the first publication of the budget submitted by the President under section 1105 of title 31, United States Code, following the date of enactment of this Act, and annually thereafter for each of the 2 following fiscal years or until the date on which the model required to be developed under subparagraph (A) is completed, whichever is sooner, the Director shall submit to the appropriate congressional committees a report on the development of the model.</text></subparagraph></paragraph><paragraph id="id6447a9f9d4a8439583a87a9e57bcaac7" changed="not-changed"><enum>(2)</enum><header>Phased implementation of risk-based budget model</header><subparagraph id="ideca2ca02c21b4de0b81dfa0cd882bd99" changed="not-changed"><enum>(A)</enum><header>Initial phase</header><clause changed="not-changed" id="id37737638963249DABC22137896B08FDD"><enum>(i)</enum><header>In general</header><text>Not later than 2 years after the date on which the model developed under paragraph (1) is completed, the Director shall require not less than 5 covered agencies to use 
the model to inform the development of the annual cybersecurity and information technology budget requests of those covered agencies.</text></clause><clause id="idaea66d781b104b3ca2a6b14232f7141e"><enum>(ii)</enum><header>Briefing</header><text>Not later than 1 year after the date on which the covered agencies selected under clause (i) begin using the model developed under paragraph (1), the Director shall provide to the appropriate congressional committees a briefing on implementation of risk-based budgeting for cybersecurity spending, an assessment of agency implementation, and an evaluation of whether the risk-based budget helps to mitigate cybersecurity vulnerabilities. </text></clause></subparagraph><subparagraph id="id9b61d5e280e842418e1ad8889cbcff5b"><enum>(B)</enum><header>Full deployment</header><text>Not later than 5 years after the date on which the model developed under paragraph (1) is completed, the head of each covered agency shall use the model, or any updated model pursuant to paragraph (1)(F), to the greatest extent practicable, to inform the development of the annual cybersecurity and information technology budget requests of the covered agency. 
</text></subparagraph><subparagraph id="id8a0392638deb434db176d704ccccdef0" changed="not-changed"><enum>(C)</enum><header>Agency performance plans</header><clause changed="not-changed" id="id2B93E37771EC42D994ACDB786A030A90"><enum>(i)</enum><header>Amendment</header><text>Section 3554(d)(2) of title 44, United States Code, is amended by inserting <quote>and the risk-based budget model required under section 3553(a)(7)</quote> after <quote>paragraph (1)</quote>.</text></clause><clause changed="not-changed" id="id498740EB168948D8B14EF2FA793113A0"><enum>(ii)</enum><header>Effective date</header><text>The amendment made by clause (i) shall take effect on the date that is 5 years after the date on which the model developed under paragraph (1) is completed.</text></clause></subparagraph></paragraph><paragraph id="id6e7cafa7c6ff4d0db3d7e8a1e2f7866b" changed="not-changed"><enum>(3)</enum><header>Verification</header><subparagraph id="idfbe6d312438144b6b236c274622e15d5" changed="not-changed"><enum>(A)</enum><header>In general</header><text>Section 1105(a)(35)(A)(i) of title 31, United States Code, is amended—</text><clause id="idf862e9dc40ef4c15a31255ab7b40687b" changed="not-changed"><enum>(i)</enum><text>in the matter preceding subclause (I), by striking <quote>by agency, and by initiative area (as determined by the administration)</quote> and inserting <quote>and by agency</quote>;</text></clause><clause id="ida8d32d9c7023497bab1fb422ffb79dd1" changed="not-changed"><enum>(ii)</enum><text>in subclause (III), by striking <quote>and</quote> at the end; and</text></clause><clause id="idf0ebd809e59f4b9e8dbd45a5ed307c12" changed="not-changed"><enum>(iii)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="ide1455b595c3b448d907443d68cef0f4b" changed="not-changed"><subclause id="id8a692bbd21184c8da03cd463a8d8e394" changed="not-changed"><enum>(V)</enum><text>a validation that the budgets submitted were informed by 
using a risk-based methodology; and</text></subclause><subclause id="id6b6f6bbe5d704b1783ef7f348d2f6461" changed="not-changed"><enum>(VI)</enum><text>a report on the progress of each agency on closing recommendations identified under the independent evaluation required by section 3555(a)(1) of title 44.</text></subclause><after-quoted-block>.</after-quoted-block></quoted-block></clause></subparagraph><subparagraph id="ida0931978cc5a4a9bba86b3dcd3ae2392" changed="not-changed"><enum>(B)</enum><header>Effective date</header><text>The amendments made by subparagraph (A) shall take effect on the date that is 5 years after the date on which the model developed under paragraph (1) is completed.</text></subparagraph></paragraph><paragraph id="idb35deefffa414735b7748d73c82f7f18" changed="not-changed"><enum>(4)</enum><header>Reports</header><subparagraph id="idfd3d62a99cbe4800bcca07f466c1256d" changed="not-changed"><enum>(A)</enum><header>Independent evaluation</header><text>Section 3555(a)(2) of title 44, United States Code, is amended—</text><clause id="id4728e6e0b48e416f81385986d439f261" changed="not-changed"><enum>(i)</enum><text>in subparagraph (B), by striking <quote>and</quote> at the end;</text></clause><clause id="id7a62fb87cd084487a1450f8e1bbdf4e2" changed="not-changed"><enum>(ii)</enum><text>in subparagraph (C), by striking the period at the end and inserting <quote>; and</quote>; and</text></clause><clause id="id59a4763ec6bf4c688da372abeccc5f7d" changed="not-changed"><enum>(iii)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id73967006b9f44c55b5d45e09fb8578cc" changed="not-changed"><subparagraph id="idc115e50d09274d7b896017a0e0c7865d" changed="not-changed"><enum>(D)</enum><text>an assessment of how the agency was informed by the risk-based budget model required under section 3553(a)(7) and an evaluation of whether the model mitigates agency cyber 
vulnerabilities.</text></subparagraph><after-quoted-block>.</after-quoted-block></quoted-block></clause></subparagraph><subparagraph id="id832e92b9995649b59d63d05cdbaa4423" changed="not-changed"><enum>(B)</enum><header>Assessment</header><clause changed="not-changed" id="id20B9ECCC2A7C4488AF935A62F49E05A8"><enum>(i)</enum><header>Amendment</header><text>Section 3553(c) of title 44, United States Code, as amended by section 103 of this title, is further amended by inserting after paragraph (5) the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="id33f7d1fa278d46249bf1db904bfc8954" changed="not-changed"><paragraph id="id8f51d986dd5e4a7ba58bcd72e7fe4c3f" changed="not-changed"><enum>(6)</enum><text>an assessment of—</text><subparagraph id="idf7bd88a0434e43acbe91f4c78c4a6720" changed="not-changed"><enum>(A)</enum><text>Federal agency utilization of the model required under subsection (a)(7); and</text></subparagraph><subparagraph id="idf8c276c6fe6d41c895ab93c4fee7855d" changed="not-changed"><enum>(B)</enum><text>whether the model mitigates the cyber vulnerabilities of the Federal Government.</text></subparagraph></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></clause><clause id="idA866EA60600F4C55AE0445129EF8462E" changed="not-changed"><enum>(ii)</enum><header>Effective date</header><text>The amendment made by clause (i) shall take effect on the date that is 5 years after the date on which the model developed under paragraph (1) is completed.</text></clause></subparagraph></paragraph><paragraph id="ide1279245c0cc43ab8599766b4dddfde6" changed="not-changed"><enum>(5)</enum><header>GAO report</header><text>Not later than 3 years after the date on which the first budget of the President is submitted to Congress containing the validation required under section 1105(a)(35)(A)(i)(V) of title 31, United States Code, as amended by paragraph (3), the Comptroller General of the United States shall submit to the appropriate 
congressional committees a report that includes—</text><subparagraph id="idb0c7dda822e54d558014e00b057a44f5" changed="not-changed"><enum>(A)</enum><text>an evaluation of the success of covered agencies in utilizing the risk-based budget model;</text></subparagraph><subparagraph id="idf0ce13e2719a4724a71173c9af83189d" changed="not-changed"><enum>(B)</enum><text>an evaluation of the success of covered agencies in implementing risk-based budgets;</text></subparagraph><subparagraph id="idbf82564ba93d4f9791edbeefab2f4a87" changed="not-changed"><enum>(C)</enum><text>an evaluation of whether the risk-based budgets developed by covered agencies are effective at informing Federal Government-wide cybersecurity programs; and</text></subparagraph><subparagraph id="idf8d17040945d42bc85f11fefe93e4ccd" commented="no" display-inline="no-display-inline" changed="not-changed"><enum>(D)</enum><text>any other information relating to risk-based budgets the Comptroller General determines appropriate.</text></subparagraph></paragraph></subsection></section><section id="idb880f204-10e6-4aff-8b89-7b9643bdf14d" changed="not-changed"><enum>120.</enum><header>Active cyber defensive study</header><subsection id="id950c6394-2f83-4e9b-bf51-78cca0c53f09" changed="not-changed"><enum>(a)</enum><header>Definition</header><text>In this section, the term <term>active defense technique</term>—</text><paragraph id="id50e222df-7893-4db5-8e65-c63256672333" changed="not-changed"><enum>(1)</enum><text>means an action taken on the systems of an entity to increase the security of information on the network of an agency by misleading an adversary; and</text></paragraph><paragraph id="id41163473-3e32-45be-93e8-33460e986a64" changed="not-changed"><enum>(2)</enum><text>includes a honeypot, deception, or purposefully feeding false or misleading data to an adversary when the adversary is on the systems of the entity.</text></paragraph></subsection><subsection id="idb5da2754f1c54de2a4e1511631e75256" 
changed="not-changed"><enum>(b)</enum><header>Study</header><text>Not later than 180 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director and the National Cyber Director, shall perform a study on the use of active defense techniques to enhance the security of agencies, which shall include—</text><paragraph id="id366852ecb4774f53908d0d509c05048e" changed="not-changed"><enum>(1)</enum><text>a review of legal restrictions on the use of different active cyber defense techniques in Federal environments, in consultation with the Department of Justice;</text></paragraph><paragraph id="idf381ed1484724299b94a6ffa0914d5b7" changed="not-changed"><enum>(2)</enum><text>an evaluation of—</text><subparagraph id="ida944d9bfe98a43ae9056c5b94d132037" changed="not-changed"><enum>(A)</enum><text>the efficacy of a selection of active defense techniques determined by the Director of the Cybersecurity and Infrastructure Security Agency; and</text></subparagraph><subparagraph id="id5e1af42e4dab401fa0d291a30002f0aa" changed="not-changed"><enum>(B)</enum><text>factors that impact the efficacy of the active defense techniques evaluated under subparagraph (A);</text></subparagraph></paragraph><paragraph id="id6acea7d9c8e24ba3915449dab885955d" changed="not-changed"><enum>(3)</enum><text>recommendations on safeguards and procedures that shall be established to require that active defense techniques are adequately coordinated to ensure that active defense techniques do not impede agency operations and mission delivery, threat response efforts, criminal investigations, and national security activities, including intelligence collection; and</text></paragraph><paragraph id="idda0e32b2c81748c3ac25ab332019e4d6" changed="not-changed"><enum>(4)</enum><text>the development of a framework for the use of different active defense techniques by agencies.</text></paragraph></subsection></section><section 
id="ide28bd9bd-b880-470a-9369-73f95be82806" changed="not-changed"><enum>121.</enum><header>Security operations center as a service pilot</header><subsection id="id2ea889f5-5eca-4380-8859-4b9dfb94f9da" changed="not-changed"><enum>(a)</enum><header>Purpose</header><text>The purpose of this section is for the Cybersecurity and Infrastructure Security Agency to run a security operation center on behalf of another agency, alleviating the need to duplicate this function at every agency, and empowering a greater centralized cybersecurity capability. </text></subsection><subsection id="id59072d4e-2da1-4e39-bc59-0f1728e11ed5" changed="not-changed"><enum>(b)</enum><header>Plan</header><text>Not later than 1 year after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall develop a plan to establish a centralized Federal security operations center shared service offering within the Cybersecurity and Infrastructure Security Agency.</text></subsection><subsection id="id9bbfd027-8896-4c35-a0c0-2a4b9a7e8e02" changed="not-changed"><enum>(c)</enum><header>Contents</header><text>The plan required under subsection (b) shall include considerations for—</text><paragraph id="id3426c98e-c593-4cce-bf6a-b54e379da2ac" changed="not-changed"><enum>(1)</enum><text>collecting, organizing, and analyzing agency information system data in real time;</text></paragraph><paragraph id="id0ccabc11-bcd0-4ede-b2cb-ed47e93671b8" changed="not-changed"><enum>(2)</enum><text>staffing and resources; and</text></paragraph><paragraph id="id7ba59422-6d86-4b08-a09b-a1a84dd256b1" changed="not-changed"><enum>(3)</enum><text>appropriate interagency agreements, concepts of operations, and governance plans.</text></paragraph></subsection><subsection id="id722e4ba8-c1f1-4134-a74f-9bd3d2d70679" changed="not-changed"><enum>(d)</enum><header>Pilot program</header><paragraph id="id14667c90-3ec6-4429-8ce8-05649813d093" changed="not-changed"><enum>(1)</enum><header>In 
general</header><text>Not later than 180 days after the date on which the plan required under subsection (b) is developed, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, shall enter into a 1-year agreement with not less than 2 agencies to offer a security operations center as a shared service.</text></paragraph><paragraph id="ide4e1084c-beb5-4fab-9e12-97e04161a701" changed="not-changed"><enum>(2)</enum><header>Additional agreements</header><text>After the date on which the briefing required under subsection (e)(1) is provided, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, may enter into additional 1-year agreements described in paragraph (1) with agencies.</text></paragraph></subsection><subsection id="id2c347965-f6e1-4142-b756-b4dea95bf4d8" changed="not-changed"><enum>(e)</enum><header>Briefing and report</header><paragraph id="id4adf98a7-6592-4fd3-af47-98960156f598" changed="not-changed"><enum>(1)</enum><header>Briefing</header><text>Not later than 270 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security and the Committee on Oversight and Reform of the House of Representatives a briefing on the parameters of any 1-year agreements entered into under subsection (d)(1).</text></paragraph><paragraph id="ided460a16-db30-45c7-b938-5b737c40b516" changed="not-changed"><enum>(2)</enum><header>Report</header><text>Not later than 90 days after the date on which the first 1-year agreement entered into under subsection (d) expires, the Director of the Cybersecurity and Infrastructure Security Agency shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security and the Committee on Oversight and Reform of 
the House of Representatives a report on—</text><subparagraph id="id06a737ad-6b58-44d1-963a-eac1e6d4f5d9" changed="not-changed"><enum>(A)</enum><text>the agreement; and</text></subparagraph><subparagraph id="id3d1bacf1-1f07-4b81-acf0-3bf7a2e3a2cb" changed="not-changed" commented="no" display-inline="no-display-inline"><enum>(B)</enum><text>any additional agreements entered into with agencies under subsection (d).</text></subparagraph></paragraph></subsection></section><section id="id0ac9925077314a6e85a9af2e78b982a4"><enum>122.</enum><header>Extension of Chief Data Officer Council</header><text display-inline="no-display-inline">Section 3520A(e)(2) of title 44, United States Code, is amended by striking <quote>upon the expiration of the 2-year period that begins on the date the Comptroller General submits the report under paragraph (1) to Congress</quote> and inserting <quote>January 31, 2030</quote>.</text></section></title><title id="id1E3C7124ACBA4C4986D04F51AD1E8045" style="OLC"><enum>II</enum><header>Cyber Incident Reporting for Critical Infrastructure Act of 2022</header><section section-type="subsequent-section" id="id14F9385D6BF546C683E9DF40CBE105C2"><enum>201.</enum><header>Short title</header><text display-inline="no-display-inline">This title may be cited as the <quote><short-title>Cyber Incident Reporting for Critical Infrastructure Act of 2022</short-title></quote>.</text></section><section id="H188C04E490024D02B64747F90DFBB4B1"><enum>202.</enum><header>Definitions</header><text display-inline="no-display-inline">In this title:</text><paragraph id="HD9245F90FDDD46BDB0351DBD2C3CECCA"><enum>(1)</enum><header>Covered cyber incident; covered entity; cyber incident; information system; ransom payment; ransomware attack; security vulnerability</header><text>The terms <term>covered cyber incident</term>, <term>covered entity</term>, <term>cyber incident</term>, <term>information system</term>, <term>ransom payment</term>, <term>ransomware attack</term>, and 
<term>security vulnerability</term> have the meanings given those terms in section 2240 of the Homeland Security Act of 2002, as added by section 203 of this title. </text></paragraph><paragraph id="HD0BCD3FD6F804C94A82CB98781CC2E96"><enum>(2)</enum><header>Director</header><text>The term <term>Director</term> means the Director of the Cybersecurity and Infrastructure Security Agency.</text></paragraph></section><section id="H726F16E30F05452193600342786445B4"><enum>203.</enum><header>Cyber incident reporting</header><subsection id="H5F8F699C710D4AB2A1CDFB559BAF2117"><enum>(a)</enum><header>Cyber incident reporting</header><text>Title XXII of the Homeland Security Act of 2002 (<external-xref legal-doc="usc" parsable-cite="usc/6/651">6 U.S.C. 651 et seq.</external-xref>) is amended—</text><paragraph id="H6CD89221DFE3478FB89AF020EFE59057"><enum>(1)</enum><text>in section 2209(c) (<external-xref legal-doc="usc" parsable-cite="usc/6/659">6 U.S.C. 659(c)</external-xref>)—</text><subparagraph id="H1018FE0C1D144158BDB9DC6FE26A6A52"><enum>(A)</enum><text>in paragraph (11), by striking <quote>; and</quote> and inserting a semicolon;</text></subparagraph><subparagraph id="H2F961379EDE7434BB1F525B9324C618E"><enum>(B)</enum><text>in paragraph (12), by striking the period at the end and inserting <quote>; and</quote>; and</text></subparagraph><subparagraph id="HE1C5D62865F747EB8DD36DC7B60633C2"><enum>(C)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" id="H2F4E104C704C40DBAAC240E908549913"><paragraph id="H43EC7314CED54E398E0513F69C5F2089"><enum>(13)</enum><text>receiving, aggregating, and analyzing reports related to covered cyber incidents (as defined in section 2240) submitted by covered entities (as defined in section 2240) and reports related to ransom payments (as defined in section 2240) submitted by covered entities (as defined in section 2240) in furtherance of the activities specified in sections 2202(e), 2203, and 2241, this subsection, 
and any other authorized activity of the Director, to enhance the situational awareness of cybersecurity threats across critical infrastructure sectors.</text></paragraph><after-quoted-block>; and</after-quoted-block></quoted-block></subparagraph></paragraph><paragraph id="H78A0C751B9B64650A36404EB9691FF7E"><enum>(2)</enum><text>by adding at the end the following:</text><quoted-block style="OLC" display-inline="no-display-inline" id="H6CAEDD6AB64546A68F89322C9007CC4B"><subtitle id="H048D274292E3492485981A43E98851DA"><enum>D</enum><header>Cyber Incident Reporting</header><section id="H6BBE4902B9114E968484BABE77A98194"><enum>2240.</enum><header>Definitions</header><text display-inline="no-display-inline">In this subtitle:</text><paragraph id="HEEAB7093C65B4896AFF894A61D8F58D2"><enum>(1)</enum><header>Center</header><text>The term <term>Center</term> means the center established under section 2209.</text></paragraph><paragraph id="id9fbce8e1a03e4cad80e5b5906d9a238e"><enum>(2)</enum><header>Cloud service provider</header><text>The term <term>cloud service provider</term> means an entity offering products or services related to cloud computing, as defined by the National Institute of Standards and Technology in NIST Special Publication 800–145 and any amendatory or superseding document relating thereto. 
</text></paragraph><paragraph id="HE14B6BEF6F8641068DCE55D2FC3872F9"><enum>(3)</enum><header>Council</header><text>The term <term>Council</term> means the Cyber Incident Reporting Council described in section 2246.</text></paragraph><paragraph id="H62727CA8172048169D17F8BBB831D315"><enum>(4)</enum><header>Covered cyber incident</header><text>The term <term>covered cyber incident</term> means a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director in the final rule issued pursuant to section 2242(b).</text></paragraph><paragraph id="HA809244382B644DFB40376061FCA8802"><enum>(5)</enum><header>Covered entity</header><text>The term <term>covered entity</term> means an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21, that satisfies the definition established by the Director in the final rule issued pursuant to section 2242(b).</text></paragraph><paragraph id="HCD8DD96F221F45BD8FD1D1C394CD13AF"><enum>(6)</enum><header>Cyber incident</header><text>The term <term>cyber incident</term>—</text><subparagraph id="id41F25C00B6F140B091E4A97A0EC0595A"><enum>(A)</enum><text>has the meaning given the term <term>incident</term> in section 2209; and</text></subparagraph><subparagraph id="idD9D77B096AEF41FCBE25E4270CD9DB59"><enum>(B)</enum><text>does not include an occurrence that imminently, but not actually, jeopardizes—</text><clause id="HE0BDF8D63C9A453E84AD7490E34CF7E9"><enum>(i)</enum><text>information on information systems; or</text></clause><clause id="H15B8D08B4940424696AF76CAF8D3811D"><enum>(ii)</enum><text>information systems.</text></clause></subparagraph></paragraph><paragraph id="HE70026A4F2B047EE99B04376E8DDC0FA"><enum>(7)</enum><header>Cyber threat</header><text>The term <term>cyber threat</term> has the meaning given the term <term>cybersecurity threat</term> in section 2201.</text></paragraph><paragraph 
id="id13ABB383E6F64E198CF9E9B8781BC7E1"><enum>(8)</enum><header>Cyber threat indicator; cybersecurity purpose; defensive measure; Federal entity; security vulnerability</header><text>The terms <term>cyber threat indicator</term>, <term>cybersecurity purpose</term>, <term>defensive measure</term>, <term>Federal entity</term>, and <term>security vulnerability</term> have the meanings given those terms in section 102 of the Cybersecurity Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1501">6 U.S.C. 1501</external-xref>).</text></paragraph><paragraph id="id5BE98E23625745C08E4DC1F144F4CBC1"><enum>(9)</enum><header>Incident; sharing</header><text>The terms <term>incident</term> and <term>sharing</term> have the meanings given those terms in section 2209.</text></paragraph><paragraph id="id4DCCC2597ECE4127A89D5AA5238937A3"><enum>(10)</enum><header>Information Sharing and Analysis Organization</header><text>The term <term>Information Sharing and Analysis Organization</term> has the meaning given the term in section 2222.</text></paragraph><paragraph id="id81bd404696f14f27b5540a7a87252c9a"><enum>(11)</enum><header>Information system</header><text>The term <term>information system</term>—</text><subparagraph id="ida4731dff997e47a1a70ab52e697306d0"><enum>(A)</enum><text>has the meaning given the term in section 3502 of title 44, United States Code; and</text></subparagraph><subparagraph id="id8BC697F850884581A50C43C696F39AF4"><enum>(B)</enum><text>includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.</text></subparagraph></paragraph><paragraph id="id16b2706042794ffd9b7f1f85b9ed188b"><enum>(12)</enum><header>Managed service provider</header><text>The term <term>managed service provider</term> means an entity that delivers services, such as network, application, infrastructure, or security services, via ongoing and regular support and active administration 
on the premises of a customer, in the data center of the entity (such as hosting), or in a third party data center. </text></paragraph><paragraph id="id1e77f8e161274f99ac3cf3d4f913ffea"><enum>(13)</enum><header>Ransom payment</header><text>The term <term>ransom payment</term> means the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack.</text></paragraph><paragraph id="id5694c1b64398453c9abbcea047fc22b1"><enum>(14)</enum><header>Ransomware attack</header><text>The term <term>ransomware attack</term>—</text><subparagraph id="id575aa941a4bc42afafaec34f7dfe7d32"><enum>(A)</enum><text>means an incident that includes the use or threat of use of unauthorized or malicious code on an information system, or the use or threat of use of another digital mechanism such as a denial of service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system to extort a demand for a ransom payment; and</text></subparagraph><subparagraph id="idbb76db7a7f244a4298a58b6705f34d05"><enum>(B)</enum><text>does not include any such event where the demand for payment is—</text><clause id="ida177920db1f34cf2994a8081a0f0f119"><enum>(i)</enum><text>not genuine; or</text></clause><clause id="ida1de2cd792cc45b484807b1b5692de7b"><enum>(ii)</enum><text>made in good faith by an entity in response to a specific request by the owner or operator of the information system.</text></clause></subparagraph></paragraph><paragraph id="idC90186E6F78C4C2187C98324A9352775"><enum>(15)</enum><header>Sector Risk Management Agency</header><text>The term <term>Sector Risk Management Agency</term> has the meaning given the term in section 2201.</text></paragraph><paragraph 
id="H0E332CE0EB744CE99DB5FB8314BB3444"><enum>(16)</enum><header>Significant cyber incident</header><text>The term <term>significant cyber incident</term> means a cyber incident, or a group of related cyber incidents, that the Secretary determines is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the people of the United States.</text></paragraph><paragraph id="ide9804a7599c34cd4bdbe8ff6b2454622"><enum>(17)</enum><header>Supply chain compromise</header><text>The term <term>supply chain compromise</term> means an incident within the supply chain of an information system that an adversary can leverage or does leverage to jeopardize the confidentiality, integrity, or availability of the information system or the information the system processes, stores, or transmits, and can occur at any point during the life cycle.</text></paragraph><paragraph id="idbef91c379cde4129a04af5d3bde8da35"><enum>(18)</enum><header>Virtual currency</header><text>The term <term>virtual currency</term> means the digital representation of value that functions as a medium of exchange, a unit of account, or a store of value.</text></paragraph><paragraph id="iddee3177c606948c1afb9d550d790c6a4"><enum>(19)</enum><header>Virtual currency address</header><text>The term <term>virtual currency address</term> means a unique public cryptographic key identifying the location to which a virtual currency payment can be made. 
</text></paragraph></section><section id="H4C710FF24FE2419DA047B784EA43A7E2"><enum>2241.</enum><header>Cyber incident review</header><subsection id="HE2D1EF8041DA49D29E97C9192324CA9C"><enum>(a)</enum><header>Activities</header><text>The Center shall—</text><paragraph id="HA48D4A93DD6343A487F2C5BEA255926F"><enum>(1)</enum><text>receive, aggregate, analyze, and secure, using processes consistent with the processes developed pursuant to the Cybersecurity Information Sharing Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1501">6 U.S.C. 1501 et seq.</external-xref>) reports from covered entities related to a covered cyber incident to assess the effectiveness of security controls, identify tactics, techniques, and procedures adversaries use to overcome those controls and other cybersecurity purposes, including to assess potential impact of cyber incidents on public health and safety and to enhance situational awareness of cyber threats across critical infrastructure sectors;</text></paragraph><paragraph id="HC59E4C9B94A04190AB89666783BCF723"><enum>(2)</enum><text>coordinate and share information with appropriate Federal departments and agencies to identify and track ransom payments, including those utilizing virtual currencies;</text></paragraph><paragraph id="H1DA33156A91C475B94E9704D948E352F"><enum>(3)</enum><text>leverage information gathered about cyber incidents to—</text><subparagraph id="H1ECD411F6C144DBAA6050D6D2035A78B"><enum>(A)</enum><text>enhance the quality and effectiveness of information sharing and coordination efforts with appropriate entities, including agencies, sector coordinating councils, Information Sharing and Analysis Organizations, State, local, Tribal, and territorial governments, technology providers, critical infrastructure owners and operators, cybersecurity and cyber incident response firms, and security researchers; and</text></subparagraph><subparagraph id="H5D1608A1D0E5461F82B519A06C0D659D"><enum>(B)</enum><text>provide 
appropriate entities, including sector coordinating councils, Information Sharing and Analysis Organizations, State, local, Tribal, and territorial governments, technology providers, cybersecurity and cyber incident response firms, and security researchers, with timely, actionable, and anonymized reports of cyber incident campaigns and trends, including, to the maximum extent practicable, related contextual information, cyber threat indicators, and defensive measures, pursuant to section 2245;</text></subparagraph></paragraph><paragraph id="H705E26958E774449AA6781775CE7917F"><enum>(4)</enum><text>establish mechanisms to receive feedback from stakeholders on how the Agency can most effectively receive covered cyber incident reports, ransom payment reports, and other voluntarily provided information, and how the Agency can most effectively support private sector cybersecurity;</text></paragraph><paragraph id="H4E2B1C17081F4243B26F41E6100700B4"><enum>(5)</enum><text>facilitate the timely sharing, on a voluntary basis, between relevant critical infrastructure owners and operators of information relating to covered cyber incidents and ransom payments, particularly with respect to ongoing cyber threats or security vulnerabilities and identify and disseminate ways to prevent or mitigate similar cyber incidents in the future;</text></paragraph><paragraph id="H7A0356E7F1CA4C72A674E1096FE041AE"><enum>(6)</enum><text>for a covered cyber incident, including a ransomware attack, that also satisfies the definition of a significant cyber incident, or is part of a group of related cyber incidents that together satisfy such definition, conduct a review of the details surrounding the covered cyber incident or group of those incidents and identify and disseminate ways to prevent or mitigate similar incidents in the future;</text></paragraph><paragraph id="HFA05E5FC1A194354BFE48FBE41FD9060"><enum>(7)</enum><text>with respect to covered cyber incident reports under section 2242(a) and 
2243 involving an ongoing cyber threat or security vulnerability, immediately review those reports for cyber threat indicators that can be anonymized and disseminated, with defensive measures, to appropriate stakeholders, in coordination with other divisions within the Agency, as appropriate;</text></paragraph><paragraph id="H712ACC8B684748A89BB1944EB0DCC4CF"><enum>(8)</enum><text>publish quarterly unclassified, public reports that describe aggregated, anonymized observations, findings, and recommendations based on covered cyber incident reports, which may be based on the unclassified information contained in the briefings required under subsection (c);</text></paragraph><paragraph id="HFA11B65DED3B4DD6945E90826C17F027"><enum>(9)</enum><text>proactively identify opportunities, consistent with the protections in section 2245, to leverage and utilize data on cyber incidents in a manner that enables and strengthens cybersecurity research carried out by academic institutions and other private sector organizations, to the greatest extent practicable; and</text></paragraph><paragraph id="H84148FEDAB634EF2A292C581C55643DE"><enum>(10)</enum><text>in accordance with section 2245 and subsection (b) of this section, as soon as possible but not later than 24 hours after receiving a covered cyber incident report, ransom payment report, voluntarily submitted information pursuant to section 2243, or information received pursuant to a request for information or subpoena under section 2244, make available the information to appropriate Sector Risk Management Agencies and other appropriate Federal agencies.</text></paragraph></subsection><subsection id="H07104555FC78482C928B21FF4380DFCC"><enum>(b)</enum><header>Interagency sharing</header><text>The President or a designee of the President—</text><paragraph id="HB97718085ABB4E08932E3BEEAE82D868"><enum>(1)</enum><text>may establish a specific time requirement for sharing information under subsection (a)(11); 
and</text></paragraph><paragraph id="HC0E1F577FCD342A690BC9725A0C23149"><enum>(2)</enum><text>shall determine the appropriate Federal agencies under subsection (a)(11).</text></paragraph></subsection><subsection id="HCCE2F1D408F4439EBC9A7075F61FAFDC"><enum>(c)</enum><header>Periodic briefing</header><text>Not later than 60 days after the effective date of the final rule required under section 2242(b), and on the first day of each month thereafter, the Director, in consultation with the National Cyber Director, the Attorney General, and the Director of National Intelligence, shall provide to the majority leader of the Senate, the minority leader of the Senate, the Speaker of the House of Representatives, the minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Homeland Security of the House of Representatives a briefing that characterizes the national cyber threat landscape, including the threat facing Federal agencies and covered entities, and applicable intelligence and law enforcement information, covered cyber incidents, and ransomware attacks, as of the date of the briefing, which shall—</text><paragraph id="HF3CA6ECAC05C4DBD821D0310EBE4EA0E"><enum>(1)</enum><text>include the total number of reports submitted under sections 2242 and 2243 during the preceding month, including a breakdown of required and voluntary reports;</text></paragraph><paragraph id="H8489A72A16F64876834DCF7CDABA6EA1"><enum>(2)</enum><text>include any identified trends in covered cyber incidents and ransomware attacks over the course of the preceding month and as compared to previous reports, including any trends related to the information collected in the reports submitted under sections 2242 and 2243, including—</text><subparagraph id="HFCF1612B31BA46D4AD96E4F7E4648C83"><enum>(A)</enum><text>the infrastructure, tactics, and techniques malicious cyber actors commonly use; 
and</text></subparagraph><subparagraph id="HD7ED2FE2C9A043ABA466766F6B8C3B10"><enum>(B)</enum><text>intelligence gaps that have impeded, or currently are impeding, the ability to counter covered cyber incidents and ransomware threats;</text></subparagraph></paragraph><paragraph id="HDFD0E4B1EC0E48AE931E9DC6D9EC78C4"><enum>(3)</enum><text>include a summary of the known uses of the information in reports submitted under sections 2242 and 2243; and</text></paragraph><paragraph id="H80E94D9153AE4C15A87B2CF67BB6A125"><enum>(4)</enum><text>include an unclassified portion, but may include a classified component.</text></paragraph></subsection></section><section id="H44BDC27E698A4CB8B610861FD2F27AD4"><enum>2242.</enum><header>Required reporting of certain cyber incidents</header><subsection id="H6FEE7179F3E341B6A883610A0AAF2B9C"><enum>(a)</enum><header>In general</header><paragraph id="H44905777BA89419A9D434AB952B41D1B"><enum>(1)</enum><header>Covered cyber incident reports</header><subparagraph id="id3A1449EF740146F9888078EBA3656B50"><enum>(A)</enum><header>In general</header><text>A covered entity that experiences a covered cyber incident shall report the covered cyber incident to the Agency not later than 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred.</text></subparagraph><subparagraph id="id9DF13E59AF7C422ABF3584278B60CB11"><enum>(B)</enum><header>Limitation</header><text>The Director may not require reporting under subparagraph (A) any earlier than 72 hours after the covered entity reasonably believes that a covered cyber incident has occurred.</text></subparagraph></paragraph><paragraph id="H94C6EE47EDED488D9681A17BE7B1F5A8"><enum>(2)</enum><header>Ransom payment reports</header><subparagraph id="idAD82DA378D4743FC922F35D5DBB637B1"><enum>(A)</enum><header>In general</header><text>A covered entity that makes a ransom payment as the result of a ransomware attack against the covered entity shall report the payment to 
the Agency not later than 24 hours after the ransom payment has been made.</text></subparagraph><subparagraph id="id9bbf020e53904c61b319ae0afc563b4e"><enum>(B)</enum><header>Application</header><text>The requirements under subparagraph (A) shall apply even if the ransomware attack is not a covered cyber incident subject to the reporting requirements under paragraph (1). </text></subparagraph></paragraph><paragraph id="H3A125A187C9D46E0961192969A1E2B43"><enum>(3)</enum><header>Supplemental reports</header><text>A covered entity shall promptly submit to the Agency an update or supplement to a previously submitted covered cyber incident report if substantial new or different information becomes available or if the covered entity makes a ransom payment after submitting a covered cyber incident report required under paragraph (1), until such date that such covered entity notifies the Agency that the covered cyber incident at issue has concluded and has been fully mitigated and resolved.</text></paragraph><paragraph id="H6DAB686AD03140AC8C814FEF411556F3"><enum>(4)</enum><header>Preservation of information</header><text>Any covered entity subject to requirements of paragraph (1), (2), or (3) shall preserve data relevant to the covered cyber incident or ransom payment in accordance with procedures established in the final rule issued pursuant to subsection (b).</text></paragraph><paragraph id="HECF2360E6DFD442081F5CCB705A6AC9F"><enum>(5)</enum><header>Exceptions</header><subparagraph id="H284302F0A95D4C19A24610C995C6DCBF"><enum>(A)</enum><header>Reporting of covered cyber incident with ransom payment</header><text>If a covered entity is the victim of a covered cyber incident and makes a ransom payment prior to the 72 hour requirement under paragraph (1), such that the reporting requirements under paragraphs (1) and (2) both apply, the covered entity may submit a single report to satisfy the requirements of both paragraphs in accordance with procedures established in the 
final rule issued pursuant to subsection (b).</text></subparagraph><subparagraph id="HB59DE3422B2343DEB3CC0C91C11643E1"><enum>(B)</enum><header>Substantially similar reported information</header><clause id="H94BC123CAFA744C9ADC8706624602722"><enum>(i)</enum><header>In general</header><text>Subject to the limitation described in clause (ii), where the Agency has an agreement in place that satisfies the requirements of section 4(a) of the <short-title>Cyber Incident Reporting for Critical Infrastructure Act of 2022</short-title>, the requirements under paragraphs (1), (2), and (3) shall not apply to a covered entity required by law, regulation, or contract to report substantially similar information to another Federal agency within a substantially similar timeframe.</text></clause><clause id="HA376B4681C6448938CE09DFEECD79DCA"><enum>(ii)</enum><header>Limitation</header><text>The exemption in clause (i) shall take effect with respect to a covered entity once an agency agreement and sharing mechanism is in place between the Agency and the respective Federal agency, pursuant to section 4(a) of the <short-title>Cyber Incident Reporting for Critical Infrastructure Act of 2022</short-title>.</text></clause><clause id="HDEBB9231996A422FB5026A536BC8D597"><enum>(iii)</enum><header>Rules of construction</header><text>Nothing in this paragraph shall be construed to—</text><subclause id="H5F9B4F6909B041BD97BD75BE6576ECFF"><enum>(I)</enum><text>exempt a covered entity from the reporting requirements under paragraph (3) unless the supplemental report also meets the requirements of clauses (i) and (ii) of this paragraph;</text></subclause><subclause id="H54D06853E6E6488BBE651CB0DF43E2E1"><enum>(II)</enum><text>prevent the Agency from contacting an entity submitting information to another Federal agency that is provided to the Agency pursuant to section 4 of the <short-title>Cyber Incident Reporting for Critical Infrastructure Act of 2022</short-title>; 
or</text></subclause><subclause id="HB82256A76A4145FF813BE0BEB13FB6A5"><enum>(III)</enum><text>prevent an entity from communicating with the Agency.</text></subclause></clause></subparagraph><subparagraph id="H97198943C48D47469FAA3AEC43A073B1"><enum>(C)</enum><header>Domain name system</header><text>The requirements under paragraphs (1), (2) and (3) shall not apply to a covered entity or the functions of a covered entity that the Director determines constitute critical infrastructure owned, operated, or governed by multi-stakeholder organizations that develop, implement, and enforce policies concerning the Domain Name System, such as the Internet Corporation for Assigned Names and Numbers or the Internet Assigned Numbers Authority.</text></subparagraph></paragraph><paragraph id="H79A122B84BEB407AB60DA679721BB3AD"><enum>(6)</enum><header>Manner, timing, and form of reports</header><text>Reports made under paragraphs (1), (2), and (3) shall be made in the manner and form, and within the time period in the case of reports made under paragraph (3), prescribed in the final rule issued pursuant to subsection (b).</text></paragraph><paragraph id="H21611C8F930D4C5A9159514F08FBAC47"><enum>(7)</enum><header>Effective date</header><text>Paragraphs (1) through (4) shall take effect on the dates prescribed in the final rule issued pursuant to subsection (b).</text></paragraph></subsection><subsection id="HC7DE412C76B842D59002DD1CD2153309"><enum>(b)</enum><header>Rulemaking</header><paragraph id="H62BD4498D172485C98E3680CC4356536"><enum>(1)</enum><header>Notice of proposed rulemaking</header><text>Not later than 24 months after the date of enactment of this section, the Director, in consultation with Sector Risk Management Agencies, the Department of Justice, and other Federal agencies, shall publish in the Federal Register a notice of proposed rulemaking to implement subsection (a).</text></paragraph><paragraph 
id="H5AFE5B6184F24D28A4A27727A56DEC5F"><enum>(2)</enum><header>Final rule</header><text>Not later than 18 months after publication of the notice of proposed rulemaking under paragraph (1), the Director shall issue a final rule to implement subsection (a). </text></paragraph><paragraph id="HAC14B812941042D2A452801BF52823B4"><enum>(3)</enum><header>Subsequent rulemakings</header><subparagraph id="H6E647878A40945BC86A397443666EA7F"><enum>(A)</enum><header>In general</header><text>The Director is authorized to issue regulations to amend or revise the final rule issued pursuant to paragraph (2).</text></subparagraph><subparagraph id="H29FA0EC85F194BF396FA9613E46BC660"><enum>(B)</enum><header>Procedures</header><text>Any subsequent rules issued under subparagraph (A) shall comply with the requirements under <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/5/5">chapter 5</external-xref> of title 5, United States Code, including the issuance of a notice of proposed rulemaking under section 553 of such title.</text></subparagraph></paragraph></subsection><subsection id="H5C3CD95774D64747BF98F67D50D5A65F"><enum>(c)</enum><header>Elements</header><text>The final rule issued pursuant to subsection (b) shall be composed of the following elements:</text><paragraph id="H8579993067FB454D91179D63A5994F9A"><enum>(1)</enum><text>A clear description of the types of entities that constitute covered entities, based on—</text><subparagraph id="H0C8747A58EEC4F809B4F80DD4131272A"><enum>(A)</enum><text>the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety;</text></subparagraph><subparagraph id="HC5D3D58B911640BFB86BF2F1F418A2E3"><enum>(B)</enum><text>the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country; and</text></subparagraph><subparagraph id="H73B8A0239FC3462ABF7C66BB6D5FDCB4"><enum>(C)</enum><text>the extent to which 
damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.</text></subparagraph></paragraph><paragraph id="HCA4092D69BA64A729FDB76A3EC07A878"><enum>(2)</enum><text>A clear description of the types of substantial cyber incidents that constitute covered cyber incidents, which shall—</text><subparagraph id="H79F4F519D03F45B1936FAAA8EFEC6705"><enum>(A)</enum><text>at a minimum, require the occurrence of—</text><clause id="H919B307CCC3E4CC796B86067770F233A"><enum>(i)</enum><text>a cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes;</text></clause><clause id="H56319BC98D2F4FA8A1C8E51622AD1A74"><enum>(ii)</enum><text>a disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability, against</text><subclause id="H16C323D154284385AD4A2E2DE222CA04"><enum>(I)</enum><text>an information system or network; or</text></subclause><subclause id="H5733BC66D58542FB8C8E0B7D5697901A"><enum>(II)</enum><text>an operational technology system or process; or</text></subclause></clause><clause id="HF1E84C6FDE904E4DBA1E64AC37227E91"><enum>(iii)</enum><text>unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise;</text></clause></subparagraph><subparagraph id="H7A950C74C4304F0EBBB0E9E3E23B376F"><enum>(B)</enum><text>consider—</text><clause id="H2961B8406CB340348A451690A5FEBE34"><enum>(i)</enum><text>the sophistication 
or novelty of the tactics used to perpetrate such a cyber incident, as well as the type, volume, and sensitivity of the data at issue;</text></clause><clause id="H0211C3032DCB4C1ABFCC6B43915B525C"><enum>(ii)</enum><text>the number of individuals directly or indirectly affected or potentially affected by such a cyber incident; and</text></clause><clause id="H7C72C424F3A443C3A25354AE80D5487F"><enum>(iii)</enum><text>potential impacts on industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers; and</text></clause></subparagraph><subparagraph id="HD381FC3B57824B9A8954AECAA3DAD97F"><enum>(C)</enum><text>exclude—</text><clause id="HE62612A6556C4A02A5CA83EE9AA26B83"><enum>(i)</enum><text>any event where the cyber incident is perpetrated in good faith by an entity in response to a specific request by the owner or operator of the information system; and</text></clause><clause id="H115FB63299404987BD31C8F1955C7282"><enum>(ii)</enum><text>the threat of disruption as extortion, as described in section 2240(14)(A).</text></clause></subparagraph></paragraph><paragraph id="H410C7887CA4D4CCE931C7D652410E592"><enum>(3)</enum><text>A requirement that, if a covered cyber incident or a ransom payment occurs following an exempted threat described in paragraph (2)(C)(ii), the covered entity shall comply with the requirements in this subtitle in reporting the covered cyber incident or ransom payment.</text></paragraph><paragraph id="H43908516B9DC409081AF1BBEB4524DA6"><enum>(4)</enum><text>A clear description of the specific required contents of a report pursuant to subsection (a)(1), which shall include the following information, to the extent applicable and available, with respect to a covered cyber incident:</text><subparagraph id="HA6FBAFDF4F3041B4BAD644DF05DEE1B1"><enum>(A)</enum><text>A description of the covered cyber incident, including—</text><clause 
id="HFD2CA194E10B45B1894F2C82BC66707E"><enum>(i)</enum><text>identification and a description of the function of the affected information systems, networks, or devices that were, or are reasonably believed to have been, affected by such cyber incident;</text></clause><clause id="H7AA86E3FF7B8463E94887D0006EF87C0"><enum>(ii)</enum><text>a description of the unauthorized access with substantial loss of confidentiality, integrity, or availability of the affected information system or network or disruption of business or industrial operations;</text></clause><clause id="HD9DD4925A3EE407DBCB32BF2D49C86FF"><enum>(iii)</enum><text>the estimated date range of such incident; and</text></clause><clause id="H7C8AE4DAE7334423B4917EBF1571FEE6"><enum>(iv)</enum><text>the impact to the operations of the covered entity.</text></clause></subparagraph><subparagraph id="HD1B3C065C2C4401684C4D2B872F790FA"><enum>(B)</enum><text>Where applicable, a description of the vulnerabilities exploited and the security defenses that were in place, as well as the tactics, techniques, and procedures used to perpetrate the covered cyber incident.</text></subparagraph><subparagraph id="HF0E5DFDAEA2A416CAD71F9A0A4A8BAE6"><enum>(C)</enum><text>Where applicable, any identifying or contact information related to each actor reasonably believed to be responsible for such cyber incident.</text></subparagraph><subparagraph id="HE69A0D52C96B4A138CC49DC7F8CBDEE3"><enum>(D)</enum><text>Where applicable, identification of the category or categories of information that were, or are reasonably believed to have been, accessed or acquired by an unauthorized person.</text></subparagraph><subparagraph id="H1D7AC7A4C76D43E1AE4B1D6F6E08D364"><enum>(E)</enum><text>The name and other information that clearly identifies the covered entity impacted by the covered cyber incident, including, as applicable, the State of incorporation or formation of the covered entity, trade names, legal names, or other 
identifiers.</text></subparagraph><subparagraph id="H0F5E98EA4E21412AB7572DE0777B9974"><enum>(F)</enum><text>Contact information, such as telephone number or electronic mail address, that the Agency may use to contact the covered entity or an authorized agent of such covered entity, or, where applicable, the service provider of such covered entity acting with the express permission of, and at the direction of, the covered entity to assist with compliance with the requirements of this subtitle.</text></subparagraph></paragraph><paragraph id="HDE6F5C2BA5A24EFABD502581FF03EDE8"><enum>(5)</enum><text>A clear description of the specific required contents of a report pursuant to subsection (a)(2), which shall be the following information, to the extent applicable and available, with respect to a ransom payment:</text><subparagraph id="HF17337AABFE24397816F065FFD6CDAD3"><enum>(A)</enum><text>A description of the ransomware attack, including the estimated date range of the attack.</text></subparagraph><subparagraph id="HE6412352B744452683F63E68FC10922C"><enum>(B)</enum><text>Where applicable, a description of the vulnerabilities, tactics, techniques, and procedures used to perpetrate the ransomware attack.</text></subparagraph><subparagraph id="HD581B50EA6C643ADAFC2E893A2A024C5"><enum>(C)</enum><text>Where applicable, any identifying or contact information related to the actor or actors reasonably believed to be responsible for the ransomware attack.</text></subparagraph><subparagraph id="H8388F7989B974DB09555F10F084E0138"><enum>(D)</enum><text>The name and other information that clearly identifies the covered entity that made the ransom payment or on whose behalf the payment was made.</text></subparagraph><subparagraph id="HB5FB0BDDEC8A4E3D805454EFEA7EB0BF"><enum>(E)</enum><text>Contact information, such as telephone number or electronic mail address, that the Agency may use to contact the covered entity that made the ransom payment or an authorized agent of such covered 
entity, or, where applicable, the service provider of such covered entity acting with the express permission of, and at the direction of, that covered entity to assist with compliance with the requirements of this subtitle.</text></subparagraph><subparagraph id="H895EB44FB34B4E6B9F3F256B7434834E"><enum>(F)</enum><text>The date of the ransom payment.</text></subparagraph><subparagraph id="HC93E892C19914C77ABC335DB550CF85F"><enum>(G)</enum><text>The ransom payment demand, including the type of virtual currency or other commodity requested, if applicable.</text></subparagraph><subparagraph id="H7A4AB0049B7C4CB790A9E06DE2BA817C"><enum>(H)</enum><text>The ransom payment instructions, including information regarding where to send the payment, such as the virtual currency address or physical address the funds were requested to be sent to, if applicable.</text></subparagraph><subparagraph id="H4FE22C41DA3846208725539515BD29EE"><enum>(I)</enum><text>The amount of the ransom payment.</text></subparagraph></paragraph><paragraph id="H6EC7E47B6BD842AC8A0D1EBAEFBDE2CC"><enum>(6)</enum><text>A clear description of the types of data required to be preserved pursuant to subsection (a)(4), the period of time for which the data is required to be preserved, and allowable uses, processes, and procedures.</text></paragraph><paragraph id="H967A1CB0FCDA4E78871401D6EEA02F05"><enum>(7)</enum><text>Deadlines and criteria for submitting supplemental reports to the Agency required under subsection (a)(3), which shall—</text><subparagraph id="HE1AC41A059D54660BB06460542AD6252"><enum>(A)</enum><text>be established by the Director in consultation with the Council;</text></subparagraph><subparagraph id="H1572B57CAA85432DADB8A45EC02A794E"><enum>(B)</enum><text>consider any existing regulatory reporting requirements similar in scope, purpose, and timing to the reporting requirements to which such a covered entity may also be subject, and make efforts to harmonize the timing and contents of any such 
reports to the maximum extent practicable;</text></subparagraph><subparagraph id="HA21EFEE9214B4B94AAA4437F69769656"><enum>(C)</enum><text>balance the need for situational awareness with the ability of the covered entity to conduct cyber incident response and investigations; and</text></subparagraph><subparagraph id="H57CF6F7D111B4E62A13C64399DFA9385"><enum>(D)</enum><text>provide a clear description of what constitutes substantial new or different information.</text></subparagraph></paragraph><paragraph id="H83E30FEE337E474582F6D7D8B736AC42"><enum>(8)</enum><text>Procedures for—</text><subparagraph id="H93399C2E5AC2467DA8910780EAD8323C"><enum>(A)</enum><text>entities, including third parties pursuant to subsection (d)(1), to submit reports required by paragraphs (1), (2), and (3) of subsection (a), including the manner and form thereof, which shall include, at a minimum, a concise, user-friendly web-based form;</text></subparagraph><subparagraph id="HA07D9FC9D16C4A47A918A6F10F9BE6D8"><enum>(B)</enum><text>the Agency to carry out—</text><clause id="H52484F5C765C4F828E80C7685B2D41BF"><enum>(i)</enum><text>the enforcement provisions of section 2244, including with respect to the issuance, service, withdrawal, referral process, and enforcement of subpoenas, appeals and due process procedures; </text></clause><clause id="H6D822AA87AA949BEBDC462BF2B970E50"><enum>(ii)</enum><text>other available enforcement mechanisms including acquisition, suspension and debarment procedures; and</text></clause><clause id="H2AB5E645EB0D4696B055EB4D6CA2CBAB"><enum>(iii)</enum><text>other aspects of noncompliance;</text></clause></subparagraph><subparagraph id="HA5F351842A204A9EB98E92C4D6F757E5"><enum>(C)</enum><text>implementing the exceptions provided in subsection (a)(5); and</text></subparagraph><subparagraph id="H946497BD73FC4A3399B5E3A12E72A8B9"><enum>(D)</enum><text>protecting privacy and civil liberties consistent with processes adopted pursuant to section 105(b) of the 
Cybersecurity Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1504">6 U.S.C. 1504(b)</external-xref>) and anonymizing and safeguarding, or no longer retaining, information received and disclosed through covered cyber incident reports and ransom payment reports that is known to be personal information of a specific individual or information that identifies a specific individual that is not directly related to a cybersecurity threat.</text></subparagraph></paragraph><paragraph id="HB66E13C696784824A7F0F36CCF4D812F"><enum>(9)</enum><text>Other procedural measures directly necessary to implement subsection (a).</text></paragraph></subsection><subsection id="H8EB23CE2BC1C4537A53A7444D1FB9B1D"><enum>(d)</enum><header>Third party report submission and ransom payment</header><paragraph id="H796B390CB08540FDBF5B4C4726D20FC5"><enum>(1)</enum><header>Report submission</header><text>A covered entity that is required to submit a covered cyber incident report or a ransom payment report may use a third party, such as an incident response company, insurance provider, service provider, Information Sharing and Analysis Organization, or law firm, to submit the required report under subsection (a).</text></paragraph><paragraph id="HC2138AEFC65645FDB5087CE0213D87B4"><enum>(2)</enum><header>Ransom payment</header><text>If a covered entity impacted by a ransomware attack uses a third party to make a ransom payment, the third party shall not be required to submit a ransom payment report for itself under subsection (a)(2).</text></paragraph><paragraph id="H4CC845701F164851BF1F96A840956101"><enum>(3)</enum><header>Duty to report</header><text>Third-party reporting under this subparagraph does not relieve a covered entity from the duty to comply with the requirements for covered cyber incident report or ransom payment report submission.</text></paragraph><paragraph id="H143F129F4FFD44F89229949205B703B3"><enum>(4)</enum><header>Responsibility to advise</header><text>Any third 
party used by a covered entity that knowingly makes a ransom payment on behalf of a covered entity impacted by a ransomware attack shall advise the impacted covered entity of the responsibilities of the impacted covered entity regarding reporting ransom payments under this section.</text></paragraph></subsection><subsection id="HBBCC37881E6E42D1A55366EBE22A65B2"><enum>(e)</enum><header>Outreach to covered entities</header><paragraph id="H5AB898CB12F34C7CB0FA9CC332850710"><enum>(1)</enum><header>In general</header><text>The Agency shall conduct an outreach and education campaign to inform likely covered entities, entities that offer or advertise as a service to customers to make or facilitate ransom payments on behalf of covered entities impacted by ransomware attacks and other appropriate entities of the requirements of paragraphs (1), (2), and (3) of subsection (a).</text></paragraph><paragraph id="H2E1E1FF430934A1CA4025BF5D5AD7644"><enum>(2)</enum><header>Elements</header><text>The outreach and education campaign under paragraph (1) shall include the following:</text><subparagraph id="H791DE4D3308A4603A6EA566CAB55D523"><enum>(A)</enum><text>An overview of the final rule issued pursuant to subsection (b).</text></subparagraph><subparagraph id="H55F73FB53A1A416FB1904A71C368C2E0"><enum>(B)</enum><text>An overview of mechanisms to submit to the Agency covered cyber incident reports, ransom payment reports, and information relating to the disclosure, retention, and use of covered cyber incident reports and ransom payment reports under this section.</text></subparagraph><subparagraph id="H20C28DDD545C43D5A4C2FCC91596E980"><enum>(C)</enum><text>An overview of the protections afforded to covered entities for complying with the requirements under paragraphs (1), (2), and (3) of subsection (a).</text></subparagraph><subparagraph id="HE7F5D4040DE9454EBA4E8E947D8EAEB6"><enum>(D)</enum><text>An overview of the steps taken under section 2244 when a covered entity is not in 
compliance with the reporting requirements under subsection (a).</text></subparagraph><subparagraph id="H41B0216E592D4FBDA11A858F5F30AEA1"><enum>(E)</enum><text>Specific outreach to cybersecurity vendors, cyber incident response providers, cybersecurity insurance entities, and other entities that may support covered entities.</text></subparagraph><subparagraph id="HD2860C721E83418DAC62E95B8146BE65"><enum>(F)</enum><text>An overview of the privacy and civil liberties requirements in this subtitle.</text></subparagraph></paragraph><paragraph id="H0824D96762E44A47AD1C28A076D1DC2C"><enum>(3)</enum><header>Coordination</header><text>In conducting the outreach and education campaign required under paragraph (1), the Agency may coordinate with—</text><subparagraph id="H06CA1EA0DCCB4C878220816FEF35DD9A"><enum>(A)</enum><text>the Critical Infrastructure Partnership Advisory Council established under section 871;</text></subparagraph><subparagraph id="H07B912F679DA4505B66C6B85E5A8A031"><enum>(B)</enum><text>Information Sharing and Analysis Organizations;</text></subparagraph><subparagraph id="H1AC13FE49FFA4A53BF5F4103E679616B"><enum>(C)</enum><text>trade associations;</text></subparagraph><subparagraph id="H8523001C833C4275ADB34DA1BC9CA45B"><enum>(D)</enum><text>information sharing and analysis centers;</text></subparagraph><subparagraph id="HDC7D6581007D471C96D593468BB94D05"><enum>(E)</enum><text>sector coordinating councils; and</text></subparagraph><subparagraph id="HF18103A7DE3F444FA461E8636BCF3D55"><enum>(F)</enum><text>any other entity as determined appropriate by the Director.</text></subparagraph></paragraph></subsection><subsection id="HE695BFAADCD149F4B24C0EC5302E560E"><enum>(f)</enum><header>Exemption</header><text>Sections 3506(c), 3507, 3508, and 3509 of title 44, United States Code, shall not apply to any action to carry out this section.</text></subsection><subsection id="HF06188D7CFFA4DB9A8CB9F8ABDAC19B4"><enum>(g)</enum><header>Rule of 
construction</header><text>Nothing in this section shall affect the authorities of the Federal Government to implement the requirements of Executive Order 14028 (86 Fed. Reg. 26633; relating to improving the nation’s cybersecurity), including changes to the Federal Acquisition Regulations and remedies to include suspension and debarment. </text></subsection><subsection id="H823B9C58171B448F931238E7E891D9F3"><enum>(h)</enum><header>Savings provision</header><text>Nothing in this section shall be construed to supersede or to abrogate, modify, or otherwise limit the authority that is vested in any officer or any agency of the United States Government to regulate or take action with respect to the cybersecurity of an entity.</text></subsection></section><section id="HB9D060D56DCA4FC5AA39C5AB00D00BCD"><enum>2243.</enum><header>Voluntary reporting of other cyber incidents</header><subsection id="HEE9D34A280F941E3873CBF3BCC527ED7"><enum>(a)</enum><header>In general</header><text>Entities may voluntarily report cyber incidents or ransom payments to the Agency that are not required under paragraph (1), (2), or (3) of section 2242(a), but may enhance the situational awareness of cyber threats.</text></subsection><subsection id="HC76474590BE74078892409EE25218BC1"><enum>(b)</enum><header>Voluntary provision of additional information in required reports</header><text>Covered entities may voluntarily include in reports required under paragraph (1), (2), or (3) of section 2242(a) information that is not required to be included, but may enhance the situational awareness of cyber threats.</text></subsection><subsection id="H6CB8DA09BB064928BFBC51268CC80925"><enum>(c)</enum><header>Application of protections</header><text>The protections under section 2245 applicable to reports made under section 2242 shall apply in the same manner and to the same extent to reports and information submitted under subsections (a) and (b).</text></subsection></section><section 
id="HACA97DFD3EE641738E62602383AE1378"><enum>2244.</enum><header>Noncompliance with required reporting</header><subsection id="H8A9A590A12954F1E893DB6EC02913CAE"><enum>(a)</enum><header>Purpose</header><text>In the event that a covered entity that is required to submit a report under section 2242(a) fails to comply with the requirement to report, the Director may obtain information about the cyber incident or ransom payment by engaging the covered entity directly to request information about the cyber incident or ransom payment, and if the Director is unable to obtain information through such engagement, by issuing a subpoena to the covered entity, pursuant to subsection (c), to gather information sufficient to determine whether a covered cyber incident or ransom payment has occurred.</text></subsection><subsection id="HDA4E927B6609413E8019FE4053AC6A4C"><enum>(b)</enum><header>Initial request for information</header><paragraph id="H8CC214C5BAB546BD973E6C3268214FFA"><enum>(1)</enum><header>In general</header><text>If the Director has reason to believe, whether through public reporting or other information in the possession of the Federal Government, including through analysis performed pursuant to paragraph (1) or (2) of section 2241(a), that a covered entity has experienced a covered cyber incident or made a ransom payment but failed to report such cyber incident or payment to the Agency in accordance with section 2242(a), the Director may request additional information from the covered entity to confirm whether or not a covered cyber incident or ransom payment has occurred.</text></paragraph><paragraph id="H866DB331870E4179B50BD0CC9A2BF80E"><enum>(2)</enum><header>Treatment</header><text>Information provided to the Agency in response to a request under paragraph (1) shall be treated as if it was submitted through the reporting procedures established in section 2242.</text></paragraph></subsection><subsection 
id="HEED63A9687E74BC7BB2F6A5494BA9A1F"><enum>(c)</enum><header>Enforcement</header><paragraph id="HE2B2E60727EA4936811B956DC826420C"><enum>(1)</enum><header>In general</header><text>If, after the date that is 72 hours from the date on which the Director made the request for information in subsection (b), the Director has received no response from the covered entity from which such information was requested, or received an inadequate response, the Director may issue to such covered entity a subpoena to compel disclosure of information the Director deems necessary to determine whether a covered cyber incident or ransom payment has occurred and obtain the information required to be reported pursuant to section 2242 and any implementing regulations, and assess potential impacts to national security, economic security, or public health and safety.</text></paragraph><paragraph id="HAD1AFAB026F04C2FB0D28D11A12A0A52"><enum>(2)</enum><header>Civil action</header><subparagraph id="H7CAC125DDC874E4389D3FA1469D04595"><enum>(A)</enum><header>In general</header><text>If a covered entity fails to comply with a subpoena, the Director may refer the matter to the Attorney General to bring a civil action in a district court of the United States to enforce such subpoena.</text></subparagraph><subparagraph id="H2FD7F36AE6CC471AA9412F9DA88734D8"><enum>(B)</enum><header>Venue</header><text>An action under this paragraph may be brought in the judicial district in which the covered entity against which the action is brought resides, is found, or does business.</text></subparagraph><subparagraph id="H81F5E069786142A3BF77D57346832B84"><enum>(C)</enum><header>Contempt of court</header><text>A court may punish a failure to comply with a subpoena issued under this subsection as contempt of court.</text></subparagraph></paragraph><paragraph id="HE2C0DAF2B246414E864D8D40800C10FE"><enum>(3)</enum><header>Non-delegation</header><text>The authority of the Director to issue a subpoena under this 
subsection may not be delegated.</text></paragraph><paragraph id="HCEABB160F0E04006B5775718EF309DA1"><enum>(4)</enum><header>Authentication</header><subparagraph id="HDF39117B5623438FBEA27A3BFA55F5F6"><enum>(A)</enum><header>In general</header><text>Any subpoena issued electronically pursuant to this subsection shall be authenticated with a cryptographic digital signature of an authorized representative of the Agency, or other comparable successor technology, that allows the Agency to demonstrate that such subpoena was issued by the Agency and has not been altered or modified since such issuance.</text></subparagraph><subparagraph id="H8B16C0BA027F40B4B12930B907922C78"><enum>(B)</enum><header>Invalid if not authenticated</header><text>Any subpoena issued electronically pursuant to this subsection that is not authenticated in accordance with subparagraph (A) shall not be considered to be valid by the recipient of such subpoena.</text></subparagraph></paragraph></subsection><subsection id="H70ACE03A9574429A8B5D4B291D6E3469"><enum>(d)</enum><header>Provision of certain information to Attorney General</header><paragraph id="id7596504F59984CB7B9ACD1498FFB9DE2"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">Notwithstanding section 2245(a)(5) and paragraph (b)(2) of this section, if the Director determines, based on the information provided in response to a subpoena issued pursuant to subsection (c), that the facts relating to the cyber incident or ransom payment at issue may constitute grounds for a regulatory enforcement action or criminal prosecution, the Director may provide such information to the Attorney General or the head of the appropriate Federal regulatory agency, who may use such information for a regulatory enforcement action or criminal prosecution. 
</text></paragraph><paragraph id="idf53f78db8fd946c5862746db8b612daf"><enum>(2)</enum><header>Consultation</header><text>The Director may consult with the Attorney General or the head of the appropriate Federal regulatory agency when making the determination under paragraph (1). </text></paragraph></subsection><subsection id="HBDF5B974A47B447E9580AF46C5019CF9"><enum>(e)</enum><header>Considerations</header><text>When determining whether to exercise the authorities provided under this section, the Director shall take into consideration—</text><paragraph id="H843CB126AC3D4AB4B8D5283A183B2953"><enum>(1)</enum><text>the complexity in determining if a covered cyber incident has occurred; and</text></paragraph><paragraph id="H5DE4691BD4254187B3232D4E2B2C41A4"><enum>(2)</enum><text>prior interaction with the Agency or awareness of the covered entity of the policies and procedures of the Agency for reporting covered cyber incidents and ransom payments.</text></paragraph></subsection><subsection id="H6C12513B97F34AF48E52F079130E6CBE"><enum>(f)</enum><header>Exclusions</header><text>This section shall not apply to a State, local, Tribal, or territorial government entity.</text></subsection><subsection id="HF9197E555A6849A2844CB31510A50688"><enum>(g)</enum><header>Report to Congress</header><text>The Director shall submit to Congress an annual report on the number of times the Director—</text><paragraph id="H3730B60FAB89445E88C28D8B9BEE39D4"><enum>(1)</enum><text>issued an initial request for information pursuant to subsection (b);</text></paragraph><paragraph id="HDAE186DF641F490DB3EB2930D8DE3F0E"><enum>(2)</enum><text>issued a subpoena pursuant to subsection (c); or</text></paragraph><paragraph id="HB468286C6BB247D7A6D690BE24342633"><enum>(3)</enum><text>referred a matter to the Attorney General for a civil action pursuant to subsection (c)(2).</text></paragraph></subsection><subsection id="HE9C92893AC4944588C655B3D75CCF7B9"><enum>(h)</enum><header>Publication of the annual 
report</header><text>The Director shall publish a version of the annual report required under subsection (g) on the website of the Agency, which shall include, at a minimum, the number of times the Director—</text><paragraph id="H3B15591F82B0452DB76A8B5D7AD0AF51"><enum>(1)</enum><text>issued an initial request for information pursuant to subsection (b); or</text></paragraph><paragraph id="HC6B5FD6AE90F4E9C8E15B7C8D5BECB9C"><enum>(2)</enum><text>issued a subpoena pursuant to subsection (c).</text></paragraph></subsection><subsection id="H44582F7AC6B443F1AB98F6D94B14E65B"><enum>(i)</enum><header>Anonymization of reports</header><text>The Director shall ensure any victim information contained in a report required to be published under subsection (h) be anonymized before the report is published.</text></subsection></section><section id="H3769388E6A0C407F924B112ECFBB1520"><enum>2245.</enum><header>Information shared with or provided to the Federal Government</header><subsection id="H547AA1B68A084BC98F12FEBC947B02FD"><enum>(a)</enum><header>Disclosure, retention, and use</header><paragraph id="HE0E07CD314BA4B7F94F72B2F4E86909D"><enum>(1)</enum><header>Authorized activities</header><text>Information provided to the Agency pursuant to section 2242 or 2243 may be disclosed to, retained by, and used by, consistent with otherwise applicable provisions of Federal law, any Federal agency or department, component, officer, employee, or agent of the Federal Government solely for—</text><subparagraph id="HD8468B490C5A4C479AAA5A557EE0D438"><enum>(A)</enum><text>a cybersecurity purpose;</text></subparagraph><subparagraph id="H1C0B91CC61474EA3A69D8F9E1EC4F7B4"><enum>(B)</enum><text>the purpose of identifying—</text><clause id="H641CBA3B83A44DEE82D8F0E73D7836E9"><enum>(i)</enum><text>a cyber threat, including the source of the cyber threat; or</text></clause><clause id="H706B6D49AF43435994216CE5B8BA303B"><enum>(ii)</enum><text>a security 
vulnerability;</text></clause></subparagraph><subparagraph id="H47642D7A243648618A7E843424AD7896"><enum>(C)</enum><text>the purpose of responding to, or otherwise preventing or mitigating, a specific threat of death, a specific threat of serious bodily harm, or a specific threat of serious economic harm, including a terrorist act or use of a weapon of mass destruction;</text></subparagraph><subparagraph id="HD1E9C761FB4B4257A00219DDD2E86C95"><enum>(D)</enum><text>the purpose of responding to, investigating, prosecuting, or otherwise preventing or mitigating, a serious threat to a minor, including sexual exploitation and threats to physical safety; or</text></subparagraph><subparagraph id="H9702427075B84340AA706869AA4BCAF8"><enum>(E)</enum><text>the purpose of preventing, investigating, disrupting, or prosecuting an offense arising out of a cyber incident reported pursuant to section 2242 or 2243 or any of the offenses listed in section 105(d)(5)(A)(v) of the Cybersecurity Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1504">6 U.S.C. 
1504(d)(5)(A)(v)</external-xref>).</text></subparagraph></paragraph><paragraph id="HE19A72BB2FF848FD9B546DE5DF41FEA2"><enum>(2)</enum><header>Agency actions after receipt</header><subparagraph id="H09DA2E3D0A594172A18871D2B39BFE40"><enum>(A)</enum><header>Rapid, confidential sharing of cyber threat indicators</header><text>Upon receiving a covered cyber incident or ransom payment report submitted pursuant to this section, the Agency shall immediately review the report to determine whether the cyber incident that is the subject of the report is connected to an ongoing cyber threat or security vulnerability and where applicable, use such report to identify, develop, and rapidly disseminate to appropriate stakeholders actionable, anonymized cyber threat indicators and defensive measures.</text></subparagraph><subparagraph id="H828C9468F8C64C07874468C7EC426073"><enum>(B)</enum><header>Principles for sharing security vulnerabilities</header><text>With respect to information in a covered cyber incident or ransom payment report regarding a security vulnerability referred to in paragraph (1)(B)(ii), the Director shall develop principles that govern the timing and manner in which information relating to security vulnerabilities may be shared, consistent with common industry best practices and United States and international standards.</text></subparagraph></paragraph><paragraph id="HB0E02D6432EC41EBBD279D9E5DA8F331"><enum>(3)</enum><header>Privacy and civil liberties</header><text>Information contained in covered cyber incident and ransom payment reports submitted to the Agency pursuant to section 2242 shall be retained, used, and disseminated, where permissible and appropriate, by the Federal Government in accordance with processes to be developed for the protection of personal information consistent with processes adopted pursuant to section 105 of the Cybersecurity Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1504">6 U.S.C. 
1504</external-xref>) and in a manner that protects from unauthorized use or disclosure any information that may contain—</text><subparagraph id="HB77A5DE4A4EC4776A3059F210BCB2903"><enum>(A)</enum><text>personal information of a specific individual that is not directly related to a cybersecurity threat; or </text></subparagraph><subparagraph id="H54A1742B8189463BB630EF77D5EBAA9A"><enum>(B)</enum><text>information that identifies a specific individual that is not directly related to a cybersecurity threat.</text></subparagraph></paragraph><paragraph id="HB789434A404F49BBA92010272301D072"><enum>(4)</enum><header>Digital security</header><text>The Agency shall ensure that reports submitted to the Agency pursuant to section 2242, and any information contained in those reports, are collected, stored, and protected at a minimum in accordance with the requirements for moderate impact Federal information systems, as described in Federal Information Processing Standards Publication 199, or any successor document.</text></paragraph><paragraph id="H6E9D467C59B0496098C274D71391536B"><enum>(5)</enum><header>Prohibition on use of information in regulatory actions</header><subparagraph id="idB619C456162F476C977BCDE55E9C340E"><enum>(A)</enum><header>In general</header><text>A Federal, State, local, or Tribal government shall not use information about a covered cyber incident or ransom payment obtained solely through reporting directly to the Agency in accordance with this subtitle to regulate, including through an enforcement action, the activities of the covered entity or entity that made a ransom payment, unless the government entity expressly allows entities to submit reports to the Agency to meet regulatory reporting obligations of the entity.</text></subparagraph><subparagraph id="id3FEC849CF03941D1BAA1B1367DC5A9DC"><enum>(B)</enum><header>Clarification</header><text>A report submitted to the Agency pursuant to section 2242 or 2243 may, consistent with Federal or State 
regulatory authority specifically relating to the prevention and mitigation of cybersecurity threats to information systems, inform the development or implementation of regulations relating to such systems.</text></subparagraph></paragraph></subsection><subsection display-inline="no-display-inline" id="HEFE31B05F3D749A19287D9A2295D2323"><enum>(b)</enum><header>Protections for reporting entities and information</header><text display-inline="yes-display-inline">Reports describing covered cyber incidents or ransom payments submitted to the Agency by entities in accordance with section 2242, as well as voluntarily-submitted cyber incident reports submitted to the Agency pursuant to section 2243, shall—</text><paragraph id="HCC05522570EC4639952C9AE0EB08FD3C"><enum>(1)</enum><text>be considered the commercial, financial, and proprietary information of the covered entity when so designated by the covered entity;</text></paragraph><paragraph id="HE919053549694913AD32EE8640CDCAA0"><enum>(2)</enum><text>be exempt from disclosure under section 552(b)(3) of title 5, United States Code (commonly known as the <quote>Freedom of Information Act</quote>), as well as any provision of State, Tribal, or local freedom of information law, open government law, open meetings law, open records law, sunshine law, or similar law requiring disclosure of information or records;</text></paragraph><paragraph id="H8E140E53F2854CA4AAD6C4AFB6B1490B"><enum>(3)</enum><text>be considered not to constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection; and</text></paragraph><paragraph id="H3A2BDCC99BC64D38850FA09EBB19E3F5"><enum>(4)</enum><text>not be subject to a rule of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decision-making official.</text></paragraph></subsection><subsection commented="no" id="H0B1325A127554769AB58CC88757A7AF1"><enum>(c)</enum><header>Liability 
protections</header><paragraph commented="no" id="H55C61D0852FC4734930C1BBDEC3A9E8D"><enum>(1)</enum><header>In general</header><text>No cause of action shall lie or be maintained in any court by any person or entity and any such action shall be promptly dismissed for the submission of a report pursuant to section 2242(a) that is submitted in conformance with this subtitle and the rule promulgated under section 2242(b), except that this subsection shall not apply with regard to an action by the Federal Government pursuant to section 2244(c)(2).</text></paragraph><paragraph commented="no" id="H6681DF1CCBA14F7FAF9F7C65A8153EB6"><enum>(2)</enum><header>Scope</header><text>The liability protections provided in this subsection shall only apply to or affect litigation that is solely based on the submission of a covered cyber incident report or ransom payment report to the Agency.</text></paragraph><paragraph commented="no" id="H3EECA2950AD6495698445EA5BDC9596C"><enum>(3)</enum><header>Restrictions</header><text>Notwithstanding paragraph (2), no report submitted to the Agency pursuant to this subtitle or any communication, document, material, or other record, created for the sole purpose of preparing, drafting, or submitting such report, may be received in evidence, subject to discovery, or otherwise used in any trial, hearing, or other proceeding in or before any court, regulatory body, or other authority of the United States, a State, or a political subdivision thereof, provided that nothing in this subtitle shall create a defense to discovery or otherwise affect the discovery of any communication, document, material, or other record not created for the sole purpose of preparing, drafting, or submitting such report.</text></paragraph></subsection><subsection id="H77A5272B680B42E79ED2E5D084317C74"><enum>(d)</enum><header>Sharing with non-Federal entities</header><text>The Agency shall anonymize the victim who reported the information when making information provided in 
reports received under section 2242 available to critical infrastructure owners and operators and the general public.</text></subsection><subsection id="H99982FEA9E5B4CBF82A70C2F5FACAC2E"><enum>(e)</enum><header>Stored Communications Act</header><text>Nothing in this subtitle shall be construed to permit or require disclosure by a provider of a remote computing service or a provider of an electronic communication service to the public of information not otherwise permitted or required to be disclosed under <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/18/121">chapter 121</external-xref> of title 18, United States Code (commonly known as the <quote>Stored Communications Act</quote>).</text></subsection></section><section id="HF9CFCC2FED784581BFB632C1C5598D3B"><enum>2246.</enum><header>Cyber Incident Reporting Council</header><subsection id="H38828152AC664F7DADEBC36BC68E0E7A"><enum>(a)</enum><header>Responsibility of the secretary</header><text>The Secretary shall lead an intergovernmental Cyber Incident Reporting Council, in consultation with the Director of the Office of Management and Budget, the Attorney General, the National Cyber Director, Sector Risk Management Agencies, and other appropriate Federal agencies, to coordinate, deconflict, and harmonize Federal incident reporting requirements, including those issued through regulations.</text></subsection><subsection id="HED04C50D1B184641AE7D1DB1383706B4"><enum>(b)</enum><header>Rule of construction</header><text>Nothing in subsection (a) shall be construed to provide any additional regulatory authority to any Federal entity.</text></subsection></section></subtitle><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection><subsection id="H114BCEC656F84D02A65A8DBFA9B5E1E3"><enum>(b)</enum><header>Technical and conforming amendment</header><text>The table of contents in section 1(b) of the Homeland Security Act of 2002 (<external-xref legal-doc="public-law" 
parsable-cite="pl/107/296">Public Law 107–296</external-xref>; 116 Stat. 2135) is amended by inserting after the items relating to subtitle C of title XXII the following:</text><quoted-block style="OLC" id="H5575A86514AE4D6A87ABAE8B5E5C719A"><toc regeneration="no-regeneration"><toc-entry level="subtitle">Subtitle D—Cyber Incident Reporting</toc-entry><toc-entry level="section">Sec. 2240. Definitions.</toc-entry><toc-entry level="section">Sec. 2241. Cyber Incident Review.</toc-entry><toc-entry level="section">Sec. 2242. Required reporting of certain cyber incidents.</toc-entry><toc-entry level="section">Sec. 2243. Voluntary reporting of other cyber incidents.</toc-entry><toc-entry level="section">Sec. 2244. Noncompliance with required reporting.</toc-entry><toc-entry level="section">Sec. 2245. Information shared with or provided to the Federal Government.</toc-entry><toc-entry level="section">Sec. 2246. Cyber Incident Reporting Council.</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block></subsection></section><section id="HBBE60C855F0540D68B4714F8A4E501A2"><enum>204.</enum><header>Federal sharing of incident reports</header><subsection id="H3C4B7E039CAA467EA135A9C6607C6DE2"><enum>(a)</enum><header>Cyber incident reporting sharing</header><paragraph id="H1F9930E0E62A48A4BE058A3BC967323F"><enum>(1)</enum><header>In general</header><text>Notwithstanding any other provision of law or regulation, any Federal agency, including any independent establishment (as defined in section 104 of title 5, United States Code), that receives a report from an entity of a cyber incident, including a ransomware attack, shall provide the report to the Agency as soon as possible, but not later than 24 hours after receiving the report, unless a shorter period is required by an agreement made between the Department of Homeland Security (including the Cybersecurity and Infrastructure Security Agency) and the recipient Federal agency. 
The Director shall share and coordinate each report pursuant to section 2241(b) of the Homeland Security Act of 2002, as added by section 203 of this title.</text></paragraph><paragraph commented="no" id="H158442921469458ABD1A74D8E85B5304"><enum>(2)</enum><header>Rule of construction</header><text display-inline="yes-display-inline">The requirements described in paragraph (1) and section 2245(d) of the Homeland Security Act of 2002, as added by section 203 of this title, may not be construed to be a violation of any provision of law or policy that would otherwise prohibit disclosure or provision of information within the executive branch.</text></paragraph><paragraph id="H536ED37E8B2F46048823ECA36DB94F1F"><enum>(3)</enum><header>Protection of information</header><text>The Director shall comply with any obligations of the recipient Federal agency described in paragraph (1) to protect information, including with respect to privacy, confidentiality, or information security, if those obligations would impose greater protection requirements than this Act or the amendments made by this Act.</text></paragraph><paragraph id="HF7291470C5334BCC84C8BCFEC321F78E"><enum>(4)</enum><header>Effective date</header><text>This subsection shall take effect on the effective date of the final rule issued pursuant to section 2242(b) of the Homeland Security Act of 2002, as added by section 203 of this title.</text></paragraph><paragraph id="H30B2E8B9F5B24D04AED67CD122A30955"><enum>(5)</enum><header>Agency agreements</header><subparagraph id="HEFFEFDAFB0E7422184D5BC14F766B756"><enum>(A)</enum><header>In general</header><text>The Agency and any Federal agency, including any independent establishment (as defined in section 104 of title 5, United States Code) that receives incident reports from entities, including due to ransomware attacks, shall, as appropriate, enter into a documented agreement to establish policies, processes, procedures, and mechanisms to ensure reports are shared with 
the Agency pursuant to paragraph (1).</text></subparagraph><subparagraph id="HF4EDFAD42BC14130827BB5077349EE26"><enum>(B)</enum><header>Availability</header><text>To the maximum extent practicable, each documented agreement required under subparagraph (A) shall be made publicly available.</text></subparagraph><subparagraph id="H4BF59CEB8475442DA03A7B4423ABEDA7"><enum>(C)</enum><header>Requirement</header><text>The documented agreements required by subparagraph (A) shall require reports be shared from Federal agencies with the Agency in such time as to meet the overall timeline for covered entity reporting of covered cyber incidents and ransom payments established in section 2242 of the Homeland Security Act of 2002, as added by section 203 of this title.</text></subparagraph></paragraph></subsection><subsection id="H32BE64660BD844B889B95195680662AF"><enum>(b)</enum><header>Harmonizing reporting requirements</header><text>The Secretary of Homeland Security, acting through the Director, shall, in consultation with the Cyber Incident Reporting Council described in section 2246 of the Homeland Security Act of 2002, as added by section 203 of this title, to the maximum extent practicable—</text><paragraph id="H4438EAB77EDF49D09C26F22CA83FD484"><enum>(1)</enum><text>periodically review existing regulatory requirements, including the information required in such reports, to report incidents and ensure that any such reporting requirements and procedures avoid conflicting, duplicative, or burdensome requirements; and</text></paragraph><paragraph id="H3403487572E04902919E1331262BF342"><enum>(2)</enum><text>coordinate with appropriate Federal partners and regulatory authorities that receive reports relating to incidents to identify opportunities to streamline reporting processes, and where feasible, facilitate interagency agreements between such authorities to permit the sharing of such reports, consistent with applicable law and policy, without impacting the ability of the 
Agency to gain timely situational awareness of a covered cyber incident or ransom payment.</text></paragraph></subsection></section><section id="HA027BFA5A1B44BBEBAFC8AD700734BEA"><enum>205.</enum><header>Ransomware vulnerability warning pilot program</header><subsection id="HA5FF52C09F394663A22969023832B5D4"><enum>(a)</enum><header>Program</header><text>Not later than 1 year after the date of enactment of this Act, the Director shall establish a ransomware vulnerability warning pilot program to leverage existing authorities and technology to specifically develop processes and procedures for, and to dedicate resources to, identifying information systems that contain security vulnerabilities associated with common ransomware attacks, and to notify the owners of those vulnerable systems of their security vulnerability.</text></subsection><subsection id="H1D6CF0297C1846179721B242DD253B64"><enum>(b)</enum><header>Identification of vulnerable systems</header><text>The pilot program established under subsection (a) shall—</text><paragraph id="H6DEF127DD9FC4AE79728755A424CA8B3"><enum>(1)</enum><text>identify the most common security vulnerabilities utilized in ransomware attacks and mitigation techniques; and</text></paragraph><paragraph id="H6AB16538AD524F4BAABE9DF8197524C8"><enum>(2)</enum><text>utilize existing authorities to identify information systems that contain the security vulnerabilities identified in paragraph (1).</text></paragraph></subsection><subsection id="H3E6D730AA27D4B8695652FFCCD0D3F04"><enum>(c)</enum><header>Entity notification</header><paragraph id="H900035639B704EAEB1B2BFD29083FCF9"><enum>(1)</enum><header>Identification</header><text>If the Director is able to identify the entity at risk that owns or operates a vulnerable information system identified in subsection (b), the Director may notify the owner of the information system.</text></paragraph><paragraph id="HC557800DCE4148519B2ACC251E865AE5"><enum>(2)</enum><header>No 
identification</header><text>If the Director is not able to identify the entity at risk that owns or operates a vulnerable information system identified in subsection (b), the Director may utilize the subpoena authority pursuant to section 2209 of the Homeland Security Act of 2002 (<external-xref legal-doc="usc" parsable-cite="usc/6/659">6 U.S.C. 659</external-xref>) to identify and notify the entity at risk pursuant to the procedures under that section.</text></paragraph><paragraph id="H2EBE5FD2608E4A01904B82398DBE1C27"><enum>(3)</enum><header>Required information</header><text>A notification made under paragraph (1) shall include information on the identified security vulnerability and mitigation techniques.</text></paragraph></subsection><subsection id="H2C71223E0660404B9C2950B25B55EF20"><enum>(d)</enum><header>Prioritization of notifications</header><text>To the extent practicable, the Director shall prioritize covered entities for identification and notification activities under the pilot program established under this section.</text></subsection><subsection id="HC14BF72AF170407DBAAEF7394FDF57DB"><enum>(e)</enum><header>Limitation on procedures</header><text>No procedure, notification, or other authorities utilized in the execution of the pilot program established under subsection (a) shall require an owner or operator of a vulnerable information system to take any action as a result of a notice of a security vulnerability made pursuant to subsection (c).</text></subsection><subsection id="H362934DAF5D543B2ACB656DEF09C5070"><enum>(f)</enum><header>Rule of construction</header><text>Nothing in this section shall be construed to provide additional authorities to the Director to identify vulnerabilities or vulnerable systems.</text></subsection><subsection id="HB6FA66D61AFC4BF6858906AADD319611"><enum>(g)</enum><header>Termination</header><text>The pilot program established under subsection (a) shall terminate on the date that is 4 years after the date of 
enactment of this Act.</text></subsection></section><section id="H0C4BABA4C23F42F2813ECFEF960D1EFC"><enum>206.</enum><header>Ransomware threat mitigation activities</header><subsection id="H1064A03F7AE045C58DEB54A7BCA7C751"><enum>(a)</enum><header>Joint ransomware task force</header><paragraph id="H25FB0AB4BEA64CDAACCFEAE77CD7CCFC"><enum>(1)</enum><header>In general</header><text>Not later than 180 days after the date of enactment of this Act, the Director, in consultation with the National Cyber Director, the Attorney General, and the Director of the Federal Bureau of Investigation, shall establish and chair the Joint Ransomware Task Force to coordinate an ongoing nationwide campaign against ransomware attacks, and identify and pursue opportunities for international cooperation.</text></paragraph><paragraph id="HB7A92F4ACDE6426C888280D4A6D8A479"><enum>(2)</enum><header>Composition</header><text>The Joint Ransomware Task Force shall consist of participants from Federal agencies, as determined appropriate by the National Cyber Director in consultation with the Secretary of Homeland Security.</text></paragraph><paragraph id="HEDE2614A1048455584B89768A3E4B09B"><enum>(3)</enum><header>Responsibilities</header><text>The Joint Ransomware Task Force, utilizing only existing authorities of each participating Federal agency, shall coordinate across the Federal Government the following activities:</text><subparagraph id="H7E70FFCB2D774BCE9581D49315804BB9"><enum>(A)</enum><text>Prioritization of intelligence-driven operations to disrupt specific ransomware actors.</text></subparagraph><subparagraph id="H081E17154A124F7B822BB724458B603B"><enum>(B)</enum><text>Consult with relevant private sector, State, local, Tribal, and territorial governments and international stakeholders to identify needs and establish mechanisms for providing input into the Joint Ransomware Task Force.</text></subparagraph><subparagraph 
id="H238B220E2AF3448AB4E11791500DD0B5"><enum>(C)</enum><text>Identifying, in consultation with relevant entities, a list of highest threat ransomware entities updated on an ongoing basis, in order to facilitate—</text><clause id="HF9643046DDA841E599B6DE4B553F1EDD"><enum>(i)</enum><text>prioritization for Federal action by appropriate Federal agencies; and</text></clause><clause id="HA4DC1C3E5BD848E3AB55054871DFB171"><enum>(ii)</enum><text>identify metrics for success of said actions.</text></clause></subparagraph><subparagraph id="HEF7DF0D9B6C045B1AFA7DE125DDCB135"><enum>(D)</enum><text>Disrupting ransomware criminal actors, associated infrastructure, and their finances.</text></subparagraph><subparagraph id="HA7BDB3A4785E4052826EF14D968312BC"><enum>(E)</enum><text>Facilitating coordination and collaboration between Federal entities and relevant entities, including the private sector, to improve Federal actions against ransomware threats.</text></subparagraph><subparagraph id="H223F6B0913A94049AE9D7307ED5296F4"><enum>(F)</enum><text>Collection, sharing, and analysis of ransomware trends to inform Federal actions.</text></subparagraph><subparagraph id="H079B2E3A29CA4532ABE350BE2973CC50"><enum>(G)</enum><text>Creation of after-action reports and other lessons learned from Federal actions that identify successes and failures to improve subsequent actions.</text></subparagraph><subparagraph id="HAF5DC56050334B9FBF62FB98A9988041"><enum>(H)</enum><text>Any other activities determined appropriate by the Joint Ransomware Task Force to mitigate the threat of ransomware attacks.</text></subparagraph></paragraph></subsection><subsection id="H42153DFF14B7452098DADA42816573FB"><enum>(b)</enum><header>Rule of construction</header><text>Nothing in this section shall be construed to provide any additional authority to any Federal agency.</text></subsection></section><section id="H2C1034222BC149D0AE32FF1112F5ED85"><enum>207.</enum><header>Congressional reporting</header><subsection 
id="H9314315570264878963350161D4E5DEE"><enum>(a)</enum><header>Report on stakeholder engagement</header><text>Not later than 30 days after the date on which the Director issues the final rule under section 2242(b) of the Homeland Security Act of 2002, as added by section 203(b) of this title, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report that describes how the Director engaged stakeholders in the development of the final rule.</text></subsection><subsection id="H01B77B695B9645CE80A9D5EC338E7BBA"><enum>(b)</enum><header>Report on opportunities to strengthen security research</header><text>Not later than 1 year after the date of enactment of this Act, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report describing how the National Cybersecurity and Communications Integration Center established under section 2209 of the Homeland Security Act of 2002 (<external-xref legal-doc="usc" parsable-cite="usc/6/659">6 U.S.C. 
659</external-xref>) has carried out activities under section 2241(a)(9) of the Homeland Security Act of 2002, as added by section 203(a) of this title, by proactively identifying opportunities to use cyber incident data to inform and enable cybersecurity research within the academic and private sector.</text></subsection><subsection id="H4FECF896FD124E1FBEFDBE857FCAA374"><enum>(c)</enum><header>Report on ransomware vulnerability warning pilot program</header><text>Not later than 1 year after the date of enactment of this Act, and annually thereafter for the duration of the pilot program established under section 205, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report, which may include a classified annex, on the effectiveness of the pilot program, which shall include a discussion of the following:</text><paragraph id="HD483CEF94F6A463FA81E754A51DD6A46"><enum>(1)</enum><text>The effectiveness of the notifications under section 205(c) in mitigating security vulnerabilities and the threat of ransomware.</text></paragraph><paragraph id="H8845F4478F1049B6B9E694C2180B1418"><enum>(2)</enum><text>Identification of the most common vulnerabilities utilized in ransomware.</text></paragraph><paragraph id="HBD66D1F7A00B4D89A4462FD7254C4179"><enum>(3)</enum><text>The number of notifications issued during the preceding year.</text></paragraph><paragraph id="HEC4C2D0BD97E4760B528103D28DD0F10"><enum>(4)</enum><text>To the extent practicable, the number of vulnerable devices or systems mitigated under the pilot program by the Agency during the preceding year.</text></paragraph></subsection><subsection id="HE7F192E16F4C41D892E23BDCD24DC74D"><enum>(d)</enum><header>Report on harmonization of reporting regulations</header><paragraph id="H8F32A8D4B5BE439190CDEA7E29E1EADB"><enum>(1)</enum><header>In general</header><text>Not later than 180 days after the 
date on which the Secretary of Homeland Security convenes the Cyber Incident Reporting Council described in section 2246 of the Homeland Security Act of 2002, as added by section 203 of this title, the Secretary of Homeland Security shall submit to the appropriate congressional committees a report that includes—</text><subparagraph id="H27E97E571B3F4C129D98449B6A8D2B5F"><enum>(A)</enum><text>a list of duplicative Federal cyber incident reporting requirements on covered entities;</text></subparagraph><subparagraph id="HB3829EEA16E14242B38828D4A9ACB006"><enum>(B)</enum><text>a description of any challenges in harmonizing the duplicative reporting requirements;</text></subparagraph><subparagraph id="H5A2EA34C799B4DCC9D67026D686A1802"><enum>(C)</enum><text>any actions the Director intends to take to facilitate harmonizing the duplicative reporting requirements; and</text></subparagraph><subparagraph id="H294F52B0C9084022ACCBA86D66546513"><enum>(D)</enum><text>any proposed legislative changes necessary to address the duplicative reporting.</text></subparagraph></paragraph><paragraph id="H66B545741D4141E6B79100EA4CF2146C"><enum>(2)</enum><header>Rule of construction</header><text>Nothing in paragraph (1) shall be construed to provide any additional regulatory authority to any Federal agency.</text></paragraph></subsection><subsection id="H9833D1BB762C42359FB6EA2A0B3F417C"><enum>(e)</enum><header>GAO reports</header><paragraph id="HB9AA212C7EB14C5FA12202F22492396D"><enum>(1)</enum><header>Implementation of this Act</header><text>Not later than 2 years after the date of enactment of this Act, the Comptroller General of the United States shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the implementation of this Act and the amendments made by this Act.</text></paragraph><paragraph 
id="H01047DA9AE5C42BEA4C105CA6BF547CD"><enum>(2)</enum><header>Exemptions to reporting</header><text>Not later than 1 year after the date on which the Director issues the final rule required under section 2242(b) of the Homeland Security Act of 2002, as added by section 203 of this title, the Comptroller General of the United States shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the exemptions to reporting under paragraphs (2) and (5) of section 2242(a) of the Homeland Security Act of 2002, as added by section 203 of this title, which shall include—</text><subparagraph id="HDFEB544892CA4EF391F44F36DFA49F28"><enum>(A)</enum><text>to the extent practicable, an evaluation of the quantity of cyber incidents not reported to the Federal Government;</text></subparagraph><subparagraph id="H805E71C1D11447DFB35FEAFE76EC4F8A"><enum>(B)</enum><text>an evaluation of the impact on impacted entities, homeland security, and the national economy due to cyber incidents, ransomware attacks, and ransom payments, including a discussion on the scope of impact of cyber incidents that were not reported to the Federal Government;</text></subparagraph><subparagraph id="H374148D14E604C0BBA36F5D84F2B315B"><enum>(C)</enum><text>an evaluation of the burden, financial and otherwise, on entities required to report cyber incidents under this Act, including an analysis of entities that meet the definition of a small business concern under section 3 of the Small Business Act (<external-xref legal-doc="usc" parsable-cite="usc/15/632">15 U.S.C. 
632</external-xref>); and</text></subparagraph><subparagraph id="HA9349AE8D4AE4B8DAFC6CE65C0BF84A6"><enum>(D)</enum><text>a description of the consequences and effects of limiting covered cyber incident and ransom payment reporting to only covered entities.</text></subparagraph></paragraph></subsection><subsection id="H6B650915668D4CC4BA2B1B01DEE6F5BE"><enum>(f)</enum><header>Report on effectiveness of enforcement mechanisms</header><text>Not later than 1 year after the date on which the Director issues the final rule required under section 2242(b) of the Homeland Security Act of 2002, as added by section 203 of this title, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the effectiveness of the enforcement mechanisms within section 2244 of the Homeland Security Act of 2002, as added by section 203 of this title.</text></subsection></section></title><title style="OLC" id="idD8CDA4B3F01E4048A6BD556C00DBB0CC"><enum>III</enum><header>Federal Secure Cloud Improvement and Jobs Act of 2022</header><section id="id02F56E63AE60415E833D85A290E9CF52"><enum>301.</enum><header>Short title</header><text display-inline="no-display-inline">This title may be cited as the <quote><short-title>Federal Secure Cloud Improvement and Jobs Act of 2022</short-title></quote>.</text></section><section display-inline="no-display-inline" commented="no" id="idb01b5b3c-cd94-40a7-92fb-3e6f8ae04bed" changed="not-changed"><enum>302.</enum><header>Findings</header><text display-inline="no-display-inline">Congress finds the following:</text><paragraph id="idc0d3c611-9583-4bd3-a4d5-0ab10ab0b0d3" changed="not-changed"><enum>(1)</enum><text>Ensuring that the Federal Government can securely leverage cloud computing products and services is key to expediting the modernization of legacy information technology systems, increasing cybersecurity within and across departments 
and agencies, and supporting the continued leadership of the United States in technology innovation and job creation.</text></paragraph><paragraph id="idb3c6d231-d19d-4802-a28d-5c2676b0409d" changed="not-changed"><enum>(2)</enum><text>According to independent analysis, as of calendar year 2019, the size of the cloud computing market had tripled since 2004, enabling more than 2,000,000 jobs and adding more than $200,000,000,000 to the gross domestic product of the United States.</text></paragraph><paragraph id="id1a6de4fe-b3f9-4a51-bad0-6545e764b478" changed="not-changed"><enum>(3)</enum><text>The Federal Government, across multiple presidential administrations and Congresses, has continued to support the ability of agencies to move to the cloud, including through—</text><subparagraph id="id32476a35-38ee-4b17-ab44-4aeaf034f012" changed="not-changed"><enum>(A)</enum><text>President Barack Obama’s <quote>Cloud First Strategy</quote>;</text></subparagraph><subparagraph id="id2845d6a8-8eb2-4a0f-90f7-bb1c6be9157a" changed="not-changed"><enum>(B)</enum><text>President Donald Trump’s <quote>Cloud Smart Strategy</quote>;</text></subparagraph><subparagraph id="id3f0bd73b-a27c-4168-b25c-fdb9394eb39c" changed="not-changed"><enum>(C)</enum><text>the prioritization of cloud security in Executive Order 14028 (86 Fed. Reg. 
26633; relating to improving the nation’s cybersecurity), which was issued by President Joe Biden; and</text></subparagraph><subparagraph id="id76d77934-de4c-465d-a2d7-5d29a3edf2be" changed="not-changed"><enum>(D)</enum><text>more than a decade of appropriations and authorization legislation that provides agencies with relevant authorities and appropriations to modernize on-premises information technology systems and more readily adopt cloud computing products and services.</text></subparagraph></paragraph><paragraph id="id55d4512b-c407-4911-bb99-c0209bebdc84" changed="not-changed"><enum>(4)</enum><text>Since it was created in 2011, the Federal Risk and Authorization Management Program (referred to in this section as <quote>FedRAMP</quote>) at the General Services Administration has made steady and sustained improvements in supporting the secure authorization and reuse of cloud computing products and services within the Federal Government, including by reducing the costs and burdens on both agencies and cloud companies to quickly and securely enter the Federal market.</text></paragraph><paragraph id="id790e91a3-603e-41e6-ac0e-92b46bed955b" changed="not-changed"><enum>(5)</enum><text>According to data from the General Services Administration, as of the end of fiscal year 2021, there were 239 cloud providers with FedRAMP authorizations, and those authorizations had been reused more than 2,700 times across various agencies.</text></paragraph><paragraph id="ide2a77deb-7a88-4412-a3af-39f8428f76bb" changed="not-changed"><enum>(6)</enum><text>Providing a legislative framework for FedRAMP and new authorities to the General Services Administration, the Office of Management and Budget, and Federal agencies will—</text><subparagraph id="idb946e81a-a765-42e2-9f0c-00ff9539dcb8" changed="not-changed"><enum>(A)</enum><text>improve the speed at which new cloud computing products and services can be securely authorized;</text></subparagraph><subparagraph 
id="id782d86de-4ccf-448a-9593-65372312f47e" changed="not-changed"><enum>(B)</enum><text>enhance the ability of agencies to effectively evaluate FedRAMP authorized providers for reuse;</text></subparagraph><subparagraph id="id44dc550b-9c1e-4bc9-9a65-b596df038f2e" changed="not-changed"><enum>(C)</enum><text>reduce the costs and burdens to cloud providers seeking a FedRAMP authorization; and</text></subparagraph><subparagraph id="id2fbf9d8f-6b0e-4ba2-beec-da427807a74b" changed="not-changed"><enum>(D)</enum><text>provide for more robust transparency and dialogue between industry and the Federal Government to drive stronger adoption of secure cloud capabilities, create jobs, and reduce wasteful legacy information technology.</text></subparagraph></paragraph></section><section display-inline="no-display-inline" commented="no" id="idb2493f5d-eef4-497f-a4c4-fa9b2b708326" changed="not-changed"><enum>303.</enum><header>Title 44 amendments</header><subsection id="idaec74142-a788-4d12-8230-61a93c5c4121" commented="no" display-inline="no-display-inline" changed="not-changed"><enum>(a)</enum><header>Amendment</header><text><external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/36">Chapter 36</external-xref> of title 44, United States Code, is amended by adding at the end the following:</text><quoted-block id="id7e0c5d4e-80e1-44c3-a34b-46988a9846ba" style="USC" changed="not-changed"><section id="id8d707228-c2e5-4df7-b9c1-bb4511d45836" changed="not-changed"><enum>3607.</enum><header>Definitions</header><subsection id="id9a1a846e-cf53-4353-b403-342a9f0b20f2" changed="not-changed"><enum>(a)</enum><header>In general</header><text>Except as provided under subsection (b), the definitions under sections 3502 and 3552 apply to this section through section 3616.</text></subsection><subsection id="idd51715e4-da94-49b4-9a0d-dcd4b2e52b7d" changed="not-changed"><enum>(b)</enum><header>Additional definitions</header><text>In this section through section 3616:</text><paragraph 
id="idFE757D6AF67A43A6BD4CCF64D55173F1" changed="not-changed"><enum>(1)</enum><header>Administrator</header><text>The term <term>Administrator</term> means the Administrator of General Services.</text></paragraph><paragraph id="id9E058D312A7648C681182D1B192A718A" changed="not-changed"><enum>(2)</enum><header>Appropriate congressional committees</header><text>The term <term>appropriate congressional committees</term> means the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives.</text></paragraph><paragraph id="id782F50634DD2418FBFF5B4B9F369C195" changed="not-changed"><enum>(3)</enum><header>Authorization to operate; Federal information</header><text>The terms <term>authorization to operate</term> and <term>Federal information</term> have the meaning given those terms in Circular A–130 of the Office of Management and Budget entitled <quote>Managing Information as a Strategic Resource</quote>, or any successor document.</text></paragraph><paragraph id="id7bbaec8a-7f83-4ad1-b8ab-4a922174ac79" changed="not-changed"><enum>(4)</enum><header>Cloud computing</header><text>The term <term>cloud computing</term> has the meaning given the term in Special Publication 800–145 of the National Institute of Standards and Technology, or any successor document.</text></paragraph><paragraph id="id29994b87-6596-4960-8d6c-7d9656665efd" changed="not-changed"><enum>(5)</enum><header>Cloud service provider</header><text>The term <term>cloud service provider</term> means an entity offering cloud computing products or services to agencies.</text></paragraph><paragraph id="id9cfa2ba8-0900-4d97-911e-83a2cd79b735" changed="not-changed"><enum>(6)</enum><header>FedRAMP</header><text>The term <term>FedRAMP</term> means the Federal Risk and Authorization Management Program established under section 3608.</text></paragraph><paragraph id="id1734c19e-8a0b-4e60-967c-976b89fd94de" 
changed="not-changed"><enum>(7)</enum><header>FedRAMP authorization</header><text display-inline="yes-display-inline">The term <term>FedRAMP authorization</term> means a certification that a cloud computing product or service has—</text><subparagraph id="idd6d7b58b-3792-4d80-857f-30be32c5f845" changed="not-changed"><enum>(A)</enum><text display-inline="yes-display-inline">completed a FedRAMP authorization process, as determined by the Administrator; or</text></subparagraph><subparagraph id="idc2d13140-a0a2-4f57-93ff-a2aef7a573a1" changed="not-changed"><enum>(B)</enum><text display-inline="yes-display-inline">received a FedRAMP provisional authorization to operate, as determined by the FedRAMP Board.</text></subparagraph></paragraph><paragraph id="id4bee30d2-75c6-4aa9-9047-ab742aece7b3" changed="not-changed"><enum>(8)</enum><header>FedRAMP authorization package</header><text>The term <term>FedRAMP authorization package</term> means the essential information that can be used by an agency to determine whether to authorize the operation of an information system or the use of a designated set of common controls for all cloud computing products and services authorized by FedRAMP.</text></paragraph><paragraph id="id32eaa32c-891d-4f18-90eb-463b6ce70dc5" commented="no" display-inline="no-display-inline" changed="not-changed"><enum>(9)</enum><header display-inline="yes-display-inline">FedRAMP Board</header><text display-inline="yes-display-inline">The term <term>FedRAMP Board</term> means the board established under section 3610.</text></paragraph><paragraph commented="no" display-inline="no-display-inline" id="idC72BED5130374DE389358B6D86C9FE70" changed="not-changed"><enum>(10)</enum><header>Independent assessment service</header><text display-inline="yes-display-inline">The term <term>independent assessment service</term> means a third-party organization accredited by the Administrator to undertake conformity assessments of cloud service providers and the products or 
services of cloud service providers. </text></paragraph><paragraph id="ide440806a-d60e-41b3-ad84-b434f573fa2b" commented="no" display-inline="no-display-inline" changed="not-changed"><enum>(11)</enum><header display-inline="yes-display-inline">Secretary</header><text display-inline="yes-display-inline">The term <term>Secretary</term> means the Secretary of Homeland Security. </text></paragraph></subsection></section><section id="idb5027c84-beb5-4be4-b904-3ecd74e6417c" changed="not-changed"><enum>3608.</enum><header>Federal Risk and Authorization Management Program</header><text display-inline="no-display-inline">There is established within the General Services Administration the Federal Risk and Authorization Management Program. The Administrator, subject to section 3614, shall establish a Government-wide program that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies.</text></section><section id="idfbffe3d4-f4d0-48b9-9f1f-b3fbfbd66d91" changed="not-changed"><enum>3609.</enum><header>Roles and responsibilities of the General Services Administration</header><subsection id="id6d1e9e42-4a9b-4fa5-b42a-0f264a66c0a3" changed="not-changed"><enum>(a)</enum><header>Roles and responsibilities</header><text>The Administrator shall—</text><paragraph id="idaaff9a6e-0b9d-4277-9912-747a3fb4a71f" changed="not-changed"><enum>(1)</enum><text>in consultation with the Secretary, develop, coordinate, and implement a process to support agency review, reuse, and standardization, where appropriate, of security assessments of cloud computing products and services, including, as appropriate, oversight of continuous monitoring of cloud computing products and services, pursuant to guidance issued by the Director pursuant to section 3614;</text></paragraph><paragraph id="idf9bf3412-410b-4ef7-8223-b7a0383332ef" changed="not-changed"><enum>(2)</enum><text 
display-inline="yes-display-inline">establish processes and identify criteria consistent with guidance issued by the Director under section 3614 to make a cloud computing product or service eligible for a FedRAMP authorization and validate whether a cloud computing product or service has a FedRAMP authorization;</text></paragraph><paragraph id="ide4285a5e-4c25-4b41-a06b-f0e015a6e83b" changed="not-changed"><enum>(3)</enum><text>develop and publish templates, best practices, technical assistance, and other materials to support the authorization of cloud computing products and services and increase the speed, effectiveness, and transparency of the authorization process, consistent with standards and guidelines established by the Director of the National Institute of Standards and Technology and relevant statutes;</text></paragraph><paragraph id="id973E43BD44314A03800A329AF3D3FE19" changed="not-changed"><enum>(4)</enum><text>establish and update guidance on the boundaries of FedRAMP authorization packages to enhance the security and protection of Federal information and promote transparency for agencies and users as to which services are included in the scope of a FedRAMP authorization;</text></paragraph><paragraph id="id42a1b912-1aeb-4e05-abc4-0f3e484a5faf" changed="not-changed"><enum>(5)</enum><text>grant FedRAMP authorizations to cloud computing products and services consistent with the guidance and direction of the FedRAMP Board;</text></paragraph><paragraph id="id7e2ee8f3-1e34-4c31-92aa-6be7198813ae" changed="not-changed"><enum>(6)</enum><text display-inline="yes-display-inline">establish and maintain a public comment process for proposed guidance and other FedRAMP directives that may have a direct impact on cloud service providers and agencies before the issuance of such guidance or other FedRAMP directives;</text></paragraph><paragraph id="id0a17b600-5459-4475-9531-2b48a8c51996" changed="not-changed"><enum>(7)</enum><text 
display-inline="yes-display-inline">coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the Director and the Secretary, to establish and regularly update a framework for continuous monitoring under section 3553;</text></paragraph><paragraph id="id8ed99fec-7a72-40c4-9886-9c9a184bd1c2" changed="not-changed"><enum>(8)</enum><text>provide a secure mechanism for storing and sharing necessary data, including FedRAMP authorization packages, to enable better reuse of such packages across agencies, including making available any information and data necessary for agencies to fulfill the requirements of section 3613;</text></paragraph><paragraph id="id6dee426c-481c-4835-b0f8-62c8b08b0e9d" changed="not-changed"><enum>(9)</enum><text display-inline="yes-display-inline">provide regular updates to applicant cloud service providers on the status of any cloud computing product or service during an assessment process;</text></paragraph><paragraph id="id824328a1-9285-4b25-9ea0-ed6785a63e5d" changed="not-changed"><enum>(10)</enum><text display-inline="yes-display-inline">regularly review, in consultation with the FedRAMP Board—</text><subparagraph id="id629924C9FA344345B293250CC703D4E0" changed="not-changed"><enum>(A)</enum><text display-inline="yes-display-inline">the costs associated with the independent assessment services described in section 3611; and</text></subparagraph><subparagraph id="id9C90FA3988E54067AE1A423670C4F942" changed="not-changed"><enum>(B)</enum><text>the information relating to foreign interests submitted pursuant to section 3612;</text></subparagraph></paragraph><paragraph id="id65F11B2CDCE245138E2A7F0F1DBE6E0C" changed="not-changed"><enum>(11)</enum><text>in coordination with the Director of the National Institute of Standards and Technology, the Director, the Secretary, and other stakeholders, as appropriate, determine the 
sufficiency of underlying standards and requirements to identify and assess the provenance of the software in cloud services and products;</text></paragraph><paragraph id="id67f0e9b8-0e9c-4b76-860c-9a5cf48d6a36" changed="not-changed"><enum>(12)</enum><text>support the Federal Secure Cloud Advisory Committee established pursuant to section 3616; and</text></paragraph><paragraph id="idf5bc85b0-3c72-4919-bd14-bca9f0fcdbb9" changed="not-changed"><enum>(13)</enum><text>take such other actions as the Administrator may determine necessary to carry out FedRAMP.</text></paragraph></subsection><subsection id="id09e04028-be0d-427a-b139-bec1992cbfb0" changed="not-changed"><enum>(b)</enum><header>Website</header><paragraph id="id7b2969e7-5180-4a8c-bb77-bbebcd99fd19" changed="not-changed"><enum>(1)</enum><header>In general</header><text>The Administrator shall maintain a public website to serve as the authoritative repository for FedRAMP, including the timely publication and updates for all relevant information, guidance, determinations, and other materials required under subsection (a).</text></paragraph><paragraph id="iddeb32ca7-bd70-4c4d-9390-3690da887284" changed="not-changed"><enum>(2)</enum><header>Criteria and process for FedRAMP authorization priorities</header><text display-inline="yes-display-inline">The Administrator shall develop and make publicly available on the website described in paragraph (1) the criteria and process for prioritizing and selecting cloud computing products and services that will receive a FedRAMP authorization, in consultation with the FedRAMP Board and the Chief Information Officers Council. 
</text></paragraph></subsection><subsection id="ida7b7e8f6-aa6c-44a6-ba9c-6ebffa81da9b" changed="not-changed"><enum>(c)</enum><header>Evaluation of automation procedures</header><paragraph id="id3d355e0e-e3f3-465a-b7cf-c7126407f313" changed="not-changed"><enum>(1)</enum><header>In general</header><text>The Administrator, in coordination with the Secretary, shall assess and evaluate available automation capabilities and procedures to improve the efficiency and effectiveness of the issuance of FedRAMP authorizations, including continuous monitoring of cloud computing products and services.</text></paragraph><paragraph id="id0fdadbe4-d54d-44a0-9dbb-f189a4fa33b4" changed="not-changed"><enum>(2)</enum><header>Means for automation</header><text>Not later than 1 year after the date of enactment of this section, and updated regularly thereafter, the Administrator shall establish a means for the automation of security assessments and reviews.</text></paragraph></subsection><subsection id="id688c215b-1961-4c8a-8e3a-5f2af807083b" changed="not-changed"><enum>(d)</enum><header>Metrics for authorization</header><text>The Administrator shall establish annual metrics regarding the time and quality of the assessments necessary for completion of a FedRAMP authorization process in a manner that can be consistently tracked over time in conjunction with the periodic testing and evaluation process pursuant to section 3554 in a manner that minimizes the agency reporting burden.</text></subsection></section><section id="idd7a8df42-0b45-4eee-941f-1e60c09eee90" changed="not-changed"><enum>3610.</enum><header>FedRAMP Board</header><subsection id="id32b9f93e-23a0-418a-9780-592bc6bcd5f3" changed="not-changed"><enum>(a)</enum><header>Establishment</header><text>There is established a FedRAMP Board to provide input and recommendations to the Administrator regarding the requirements and guidelines for, and the prioritization of, security assessments of cloud computing products and 
services.</text></subsection><subsection id="idedd94392-e480-4f4b-a608-408f0890315a" changed="not-changed"><enum>(b)</enum><header>Membership</header><text>The FedRAMP Board shall consist of not more than 7 senior officials or experts from agencies appointed by the Director, in consultation with the Administrator, from each of the following:</text><paragraph id="id54ba4c73-c1e2-4e68-9f3d-e9eed0e2b89e" changed="not-changed"><enum>(1)</enum><text>The Department of Defense.</text></paragraph><paragraph id="idac20f281-e466-41a3-8775-66fa9764fb50" changed="not-changed"><enum>(2)</enum><text>The Department of Homeland Security.</text></paragraph><paragraph id="ide539c3bb-987c-4e9e-8746-a9b30b6b1500" changed="not-changed"><enum>(3)</enum><text>The General Services Administration.</text></paragraph><paragraph id="id40deb2df-420b-4558-b691-68049b7e86ba" changed="not-changed"><enum>(4)</enum><text>Such other agencies as determined by the Director, in consultation with the Administrator.</text></paragraph></subsection><subsection id="idd985d0c7-875c-4551-9108-2abd0927a02c" changed="not-changed"><enum>(c)</enum><header>Qualifications</header><text>Members of the FedRAMP Board appointed under subsection (b) shall have technical expertise in domains relevant to FedRAMP, such as—</text><paragraph id="ida2729a9b-d6ae-480e-b6c7-5f01c32221c4" changed="not-changed"><enum>(1)</enum><text>cloud computing;</text></paragraph><paragraph id="id7bd3fe7b-caee-4146-b1e3-42160c1ebd4d" changed="not-changed"><enum>(2)</enum><text>cybersecurity;</text></paragraph><paragraph id="id64180c21-a01f-4a4a-90c2-c9a77cc991fc" changed="not-changed"><enum>(3)</enum><text>privacy;</text></paragraph><paragraph id="id4184f753-b6cf-4745-8886-63972968b2ef" changed="not-changed"><enum>(4)</enum><text>risk management; and</text></paragraph><paragraph id="id6cbdb0bf-36f6-411b-b3b5-aa348f19d8d2" changed="not-changed"><enum>(5)</enum><text>other competencies identified by the Director to support the secure 
authorization of cloud services and products.</text></paragraph></subsection><subsection id="idc496336f-d5a7-485b-b66d-8d1faa4e49cb" changed="not-changed"><enum>(d)</enum><header>Duties</header><text>The FedRAMP Board shall—</text><paragraph id="ide8eb76b4-b1af-451e-9f38-e7a369c6b284" changed="not-changed"><enum>(1)</enum><text>in consultation with the Administrator, serve as a resource for best practices to accelerate the process for obtaining a FedRAMP authorization;</text></paragraph><paragraph id="idd170352f-7717-4620-b27a-ee717da39043" changed="not-changed"><enum>(2)</enum><text display-inline="yes-display-inline">establish and regularly update requirements and guidelines for security authorizations of cloud computing products and services, consistent with standards and guidelines established by the Director of the National Institute of Standards and Technology, to be used in the determination of FedRAMP authorizations;</text></paragraph><paragraph id="idba753515-2e09-4a7e-b4a1-3b47ee2f2fac" changed="not-changed"><enum>(3)</enum><text display-inline="yes-display-inline">monitor and oversee, to the greatest extent practicable, the processes and procedures by which agencies determine and validate requirements for a FedRAMP authorization, including periodic review of the agency determinations described in section 3613(b);</text></paragraph><paragraph id="id6293e1f8-59cc-41b1-9b57-d02c1e6fab40" changed="not-changed"><enum>(4)</enum><text display-inline="yes-display-inline">ensure consistency and transparency between agencies and cloud service providers in a manner that minimizes confusion and engenders trust; and</text></paragraph><paragraph id="id4d91cd26-d1af-4468-896f-bb40c070af58" changed="not-changed"><enum>(5)</enum><text>perform such other roles and responsibilities as the Director may assign, with concurrence from the Administrator.</text></paragraph></subsection><subsection id="id476edd1b-7040-4c2d-be17-e78d888f3035" 
changed="not-changed"><enum>(e)</enum><header>Determinations of demand for cloud computing products and services</header><text>The FedRAMP Board may consult with the Chief Information Officers Council to establish a process, which may be made available on the website maintained under section 3609(b), for prioritizing and accepting the cloud computing products and services to be granted a FedRAMP authorization.</text></subsection></section><section id="id5475816B478042B6B53A396DB6E83D51" changed="not-changed"><enum>3611.</enum><header>Independent assessment</header><text display-inline="no-display-inline">The Administrator may determine whether FedRAMP may use an independent assessment service to analyze, validate, and attest to the quality and compliance of security assessment materials provided by cloud service providers during the course of a determination of whether to use a cloud computing product or service.</text></section><section id="id59088761-29ab-44ef-bf1d-7bda8f35c14c" changed="not-changed"><enum>3612.</enum><header>Declaration of foreign interests</header><subsection id="id9129CE15CEFC4A0381D3EBD7505D4E67" changed="not-changed"><enum>(a)</enum><header>In general</header><text display-inline="yes-display-inline">An independent assessment service that performs services described in section 3611 shall annually submit to the Administrator information relating to any foreign interest, foreign influence, or foreign control of the independent assessment service.</text></subsection><subsection id="id1065A9D21C3B470092EDDD3456ABD753" changed="not-changed"><enum>(b)</enum><header>Updates</header><text>Not later than 48 hours after there is a change in foreign ownership or control of an independent assessment service that performs services described in section 3611, the independent assessment service shall submit to the Administrator an update to the information submitted under subsection (a).</text></subsection><subsection id="id83F6262E0B734E7483BCB364EF3BFC86" 
changed="not-changed"><enum>(c)</enum><header>Certification</header><text display-inline="yes-display-inline">The Administrator may require a representative of an independent assessment service to certify the accuracy and completeness of any information submitted under this section.</text></subsection></section><section id="id7250b794-e393-411f-ad6d-ead9c4dce9af" changed="not-changed"><enum>3613.</enum><header>Roles and responsibilities of agencies</header><subsection id="iddb7ce26a-13de-476f-a23e-ec0a77dc21e1" changed="not-changed"><enum>(a)</enum><header>In general</header><text>In implementing the requirements of FedRAMP, the head of each agency shall, consistent with guidance issued by the Director pursuant to section 3614—</text><paragraph id="idba895628-fcb2-4308-a58e-196c9cadcdbf" changed="not-changed"><enum>(1)</enum><text>promote the use of cloud computing products and services that meet FedRAMP security requirements and other risk-based performance requirements as determined by the Director, in consultation with the Secretary;</text></paragraph><paragraph id="id9fa17315-4e8c-45be-8c1f-ca21f61a0844" changed="not-changed"><enum>(2)</enum><text>confirm whether there is a FedRAMP authorization in the secure mechanism provided under section 3609(a)(8) before beginning the process of granting a FedRAMP authorization for a cloud computing product or service;</text></paragraph><paragraph id="idbf6196a7-47b9-4337-8197-7ff2ed77aebd" changed="not-changed"><enum>(3)</enum><text>to the extent practicable, for any cloud computing product or service the agency seeks to authorize that has received a FedRAMP authorization, use the existing assessments of security controls and materials within any FedRAMP authorization package for that cloud computing product or service; and</text></paragraph><paragraph id="id7786178a-7a44-4b6e-84f6-14ab4985172b" changed="not-changed"><enum>(4)</enum><text>provide to the Director data and information required by the Director pursuant to 
section 3614 to determine how agencies are meeting metrics established by the Administrator.</text></paragraph></subsection><subsection id="id82f9ca3f-88d0-416e-a611-11fa098c8974" changed="not-changed"><enum>(b)</enum><header>Attestation</header><text display-inline="yes-display-inline">Upon completing an assessment or authorization activity with respect to a particular cloud computing product or service, if an agency determines that the information and data the agency has reviewed under paragraph (2) or (3) of subsection (a) is wholly or substantially deficient for the purposes of performing an authorization of the cloud computing product or service, the head of the agency shall document as part of the resulting FedRAMP authorization package the reasons for this determination.</text></subsection><subsection id="id3e7e0a6f-36b9-49aa-aa8b-f864bd9dd9dd" changed="not-changed"><enum>(c)</enum><header>Submission of authorizations to operate required</header><text>Upon issuance of an agency authorization to operate based on a FedRAMP authorization, the head of the agency shall provide a copy of its authorization to operate letter and any supplementary information required pursuant to section 3609(a) to the Administrator.</text></subsection><subsection id="id866108c8-9c20-40f1-b0b0-b69b969c3930" changed="not-changed"><enum>(d)</enum><header>Submission of policies required</header><text display-inline="yes-display-inline">Not later than 180 days after the date on which the Director issues guidance in accordance with section 3614(1), the head of each agency, acting through the chief information officer of the agency, shall submit to the Director all agency policies relating to the authorization of cloud computing products and services.</text></subsection><subsection id="id5f6ee4b5-5ca0-42ca-a9e3-8656b1b5373d" changed="not-changed"><enum>(e)</enum><header>Presumption of adequacy</header><paragraph id="idd1e0e08c-805e-46e6-9be2-c7521cebc967" 
changed="not-changed"><enum>(1)</enum><header>In general</header><text>The assessment of security controls and materials within the authorization package for a FedRAMP authorization shall be presumed adequate for use in an agency authorization to operate cloud computing products and services.</text></paragraph><paragraph id="ida6497325-4568-4885-9edf-861b710a7d14" changed="not-changed"><enum>(2)</enum><header>Information security requirements</header><text>The presumption under paragraph (1) does not modify or alter—</text><subparagraph id="idcb1dc1cd-1ffd-49fa-94d5-a85580a0aa5e" changed="not-changed"><enum>(A)</enum><text>the responsibility of any agency to ensure compliance with subchapter II of chapter 35 for any cloud computing product or service used by the agency; or</text></subparagraph><subparagraph id="id1ea70638-5e86-4bd7-9286-faf09d59810d" changed="not-changed"><enum>(B)</enum><text>the authority of the head of any agency to make a determination that there is a demonstrable need for additional security requirements beyond the security requirements included in a FedRAMP authorization for a particular control implementation.</text></subparagraph></paragraph></subsection></section><section id="id01e673ff-33e4-4344-b603-f792976693ef" changed="not-changed"><enum>3614.</enum><header>Roles and responsibilities of the Office of Management and Budget</header><text display-inline="no-display-inline">The Director shall—</text><paragraph id="idbe1a3952-5d35-4a84-82a5-3edd298d96e6" changed="not-changed"><enum>(1)</enum><text display-inline="yes-display-inline">in consultation with the Administrator and the Secretary, issue guidance that—</text><subparagraph id="id4cf7d0e2-54a1-44a5-a80e-5eb2f8d596ac" changed="not-changed"><enum>(A)</enum><text display-inline="yes-display-inline">specifies the categories or characteristics of cloud computing products and services that are within the scope of FedRAMP;</text></subparagraph><subparagraph 
id="ide756e4c0-f334-4f95-a4f4-1eddf0cb06e0" changed="not-changed"><enum>(B)</enum><text display-inline="yes-display-inline"> includes requirements for agencies to obtain a FedRAMP authorization when operating a cloud computing product or service described in subparagraph (A) as a Federal information system; and</text></subparagraph><subparagraph id="id03620dd8-742c-4339-91ec-222cb83c0ae4" changed="not-changed"><enum>(C)</enum><text display-inline="yes-display-inline">encompasses, to the greatest extent practicable, all necessary and appropriate cloud computing products and services;</text></subparagraph></paragraph><paragraph id="id5efbb209-5509-48af-ba79-fbb10dc8e067" changed="not-changed"><enum>(2)</enum><text>issue guidance describing additional responsibilities of FedRAMP and the FedRAMP Board to accelerate the adoption of secure cloud computing products and services by the Federal Government;</text></paragraph><paragraph id="id027A638C45E442CC819553D6B207777D" changed="not-changed"><enum>(3)</enum><text>in consultation with the Administrator, establish a process to periodically review FedRAMP authorization packages to support the secure authorization and reuse of secure cloud products and services;</text></paragraph><paragraph id="id2fccb57e-d79c-431b-afd6-c9f6f6e12a14" changed="not-changed"><enum>(4)</enum><text>oversee the effectiveness of FedRAMP and the FedRAMP Board, including the compliance by the FedRAMP Board with the duties described in section 3610(d); and</text></paragraph><paragraph id="id06da1bb6-e46a-49d8-b65e-a0b871a25104" changed="not-changed"><enum>(5)</enum><text>to the greatest extent practicable, encourage and promote consistency of the assessment, authorization, adoption, and use of secure cloud computing products and services within and across agencies.</text></paragraph></section><section id="idf1aaf16d-0759-47db-acf6-0929e5fb2220" changed="not-changed"><enum>3615.</enum><header>Reports to Congress; GAO report</header><subsection 
id="id9fa50d5e-2249-45db-a9fc-ecd944024b6c" changed="not-changed"><enum>(a)</enum><header>Reports to congress</header><text>Not later than 1 year after the date of enactment of this section, and annually thereafter, the Director shall submit to the appropriate congressional committees a report that includes the following:</text><paragraph id="idbe45c301-0ae0-48a4-83f4-3137b1426e63" changed="not-changed"><enum>(1)</enum><text>During the preceding year, the status, efficiency, and effectiveness of the General Services Administration under section 3609 and agencies under section 3613 and in supporting the speed, effectiveness, sharing, reuse, and security of authorizations to operate for secure cloud computing products and services.</text></paragraph><paragraph id="idda48d0bc-5442-480a-865e-9f9e0c398379" changed="not-changed"><enum>(2)</enum><text>Progress towards meeting the metrics required under section 3609(d).</text></paragraph><paragraph id="id144dc2e5-6292-42ac-aa59-2a982681add7" changed="not-changed"><enum>(3)</enum><text>Data on FedRAMP authorizations.</text></paragraph><paragraph id="id1ee20514-f674-407a-b5d6-7e28f79db0bb" changed="not-changed"><enum>(4)</enum><text>The average length of time to issue FedRAMP authorizations.</text></paragraph><paragraph id="id42ea1c2f-5562-4443-82fa-aeff9e83dcbd" changed="not-changed"><enum>(5)</enum><text>The number of FedRAMP authorizations submitted, issued, and denied for the preceding year.</text></paragraph><paragraph id="id0be13f29-a7d3-42e8-8f14-75500808ae75" changed="not-changed"><enum>(6)</enum><text>A review of progress made during the preceding year in advancing automation techniques to securely automate FedRAMP processes and to accelerate reporting under this section.</text></paragraph><paragraph id="id8f8cfea3-bcc1-48fc-af01-3aa92941caf3" changed="not-changed"><enum>(7)</enum><text>The number and characteristics of authorized cloud computing products and services in use at each agency consistent with guidance 
provided by the Director under section 3614.</text></paragraph><paragraph id="idFDFC5DA7D4654BAC8C349CA0B17CC099" changed="not-changed"><enum>(8)</enum><text>A review of FedRAMP measures to ensure the security of data stored or processed by cloud service providers, which may include—</text><subparagraph id="id075501715B9E492CAC2726695F1C992A" changed="not-changed"><enum>(A)</enum><text>geolocation restrictions for provided products or services;</text></subparagraph><subparagraph id="idAE71822785A9425EB687E4F3056E9193" changed="not-changed"><enum>(B)</enum><text>disclosures of foreign elements of supply chains of acquired products or services;</text></subparagraph><subparagraph id="id1336609BC34549358409A5A27DBD292C" changed="not-changed"><enum>(C)</enum><text>continued disclosures of ownership of cloud service providers by foreign entities; and</text></subparagraph><subparagraph id="idB98435CCC8A34DDD9325DAB97D971ABA" changed="not-changed"><enum>(D)</enum><text>encryption for data processed, stored, or transmitted by cloud service providers.</text></subparagraph></paragraph></subsection><subsection id="id28e57daf-82ad-412a-80b4-95d29ee76bc4" changed="not-changed"><enum>(b)</enum><header>GAO report</header><text>Not later than 180 days after the date of enactment of this section, the Comptroller General of the United States shall report to the appropriate congressional committees an assessment of the following:</text><paragraph id="id40c36318-c49e-4e0a-9160-61f7e74c1f39" changed="not-changed"><enum>(1)</enum><text>The costs incurred by agencies and cloud service providers relating to the issuance of FedRAMP authorizations.</text></paragraph><paragraph id="id10e5b74a-7d41-464b-b9fd-f84297e22042" changed="not-changed"><enum>(2)</enum><text>The extent to which agencies have processes in place to continuously monitor the implementation of cloud computing products and services operating as Federal information systems.</text></paragraph><paragraph 
id="ideaf5ef5c-b7a9-4680-8c22-76dcc1144582" changed="not-changed"><enum>(3)</enum><text>How often and for which categories of products and services agencies use FedRAMP authorizations.</text></paragraph><paragraph id="id1e853aaa-8fc5-45c0-bb86-f1a905709f1b" changed="not-changed"><enum>(4)</enum><text>The unique costs and potential burdens incurred by cloud computing companies that are small business concerns (as defined in section 3(a) of the Small Business Act (<external-xref legal-doc="usc" parsable-cite="usc/15/632">15 U.S.C. 632(a)</external-xref>) as a part of the FedRAMP authorization process.</text></paragraph></subsection></section><section id="id90dc5d8a-eeea-4cd2-9b09-15d9bbc028a6" changed="not-changed"><enum>3616.</enum><header>Federal Secure Cloud Advisory Committee</header><subsection id="idf1544ebb-d264-4a71-be75-354a2342ec71" changed="not-changed"><enum>(a)</enum><header>Establishment, purposes, and duties</header><paragraph id="id655066c5-7d8e-4e97-8a72-f1f5f8169c0d" changed="not-changed"><enum>(1)</enum><header>Establishment</header><text>There is established a Federal Secure Cloud Advisory Committee (referred to in this section as the <quote>Committee</quote>) to ensure effective and ongoing coordination of agency adoption, use, authorization, monitoring, acquisition, and security of cloud computing products and services to enable agency mission and administrative priorities.</text></paragraph><paragraph id="id41d24fe0-0428-4a3e-a61e-f78df7a8af36" changed="not-changed"><enum>(2)</enum><header>Purposes</header><text>The purposes of the Committee are the following:</text><subparagraph id="idd482c4b6-65d8-4879-930d-e7af5fce93a4" changed="not-changed"><enum>(A)</enum><text>To examine the operations of FedRAMP and determine ways that authorization processes can continuously be improved, including the following:</text><clause id="id8f127f19-e9b1-467f-8753-52cf53f5bac5" changed="not-changed"><enum>(i)</enum><text>Measures to increase agency reuse of 
FedRAMP authorizations.</text></clause><clause id="id07bbc998-fb1d-41c3-b7dc-06cf0d29ac97" changed="not-changed"><enum>(ii)</enum><text display-inline="yes-display-inline">Proposed actions that can be adopted to reduce the burden, confusion, and cost associated with FedRAMP authorizations for cloud service providers.</text></clause><clause id="id0b172e4f-09a0-41ce-a777-30fdb92dbe6d" changed="not-changed"><enum>(iii)</enum><text>Measures to increase the number of FedRAMP authorizations for cloud computing products and services offered by small businesses concerns (as defined by section 3(a) of the Small Business Act (<external-xref legal-doc="usc" parsable-cite="usc/15/632">15 U.S.C. 632(a)</external-xref>).</text></clause><clause id="id3c582c35-3905-462a-9fc7-55e1df80d5b4" changed="not-changed"><enum>(iv)</enum><text display-inline="yes-display-inline">Proposed actions that can be adopted to reduce the burden and cost of FedRAMP authorizations for agencies.</text></clause></subparagraph><subparagraph id="id48590dc8-960c-4696-8b4c-fe7b01f0a58e" changed="not-changed"><enum>(B)</enum><text>Collect information and feedback on agency compliance with and implementation of FedRAMP requirements.</text></subparagraph><subparagraph id="id41c0d7f6-d9ee-4320-b879-64d1f7bf4c3d" changed="not-changed"><enum>(C)</enum><text>Serve as a forum that facilitates communication and collaboration among the FedRAMP stakeholder community.</text></subparagraph></paragraph><paragraph id="id8535a84b-1cd2-4471-a2c9-39682957edd9" changed="not-changed"><enum>(3)</enum><header>Duties</header><text>The duties of the Committee include providing advice and recommendations to the Administrator, the FedRAMP Board, and agencies on technical, financial, programmatic, and operational matters regarding secure adoption of cloud computing products and services.</text></paragraph></subsection><subsection id="id7e50ab43-2603-45a9-b69b-8ae62db44f0d" 
changed="not-changed"><enum>(b)</enum><header>Members</header><paragraph id="ida5d01c54-af60-40a2-9741-7f5a9576245b" changed="not-changed"><enum>(1)</enum><header>Composition</header><text>The Committee shall be comprised of not more than 15 members who are qualified representatives from the public and private sectors, appointed by the Administrator, in consultation with the Director, as follows:</text><subparagraph id="idc211f393-ae45-4ce6-9467-0a7d238d175c" changed="not-changed"><enum>(A)</enum><text>The Administrator or the Administrator’s designee, who shall be the Chair of the Committee.</text></subparagraph><subparagraph id="idfeff7848-aa45-4f9b-b6bf-60d06506d0ef" changed="not-changed"><enum>(B)</enum><text>At least 1 representative each from the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology.</text></subparagraph><subparagraph id="iddade6e42-7af4-4524-a19f-769da7637b58" changed="not-changed"><enum>(C)</enum><text>At least 2 officials who serve as the Chief Information Security Officer within an agency, who shall be required to maintain such a position throughout the duration of their service on the Committee.</text></subparagraph><subparagraph id="idf0f14cb4-9386-4ed8-8a29-f4225edafbf8" changed="not-changed"><enum>(D)</enum><text>At least 1 official serving as Chief Procurement Officer (or equivalent) in an agency, who shall be required to maintain such a position throughout the duration of their service on the Committee.</text></subparagraph><subparagraph id="id40a940b4-9bff-489e-9ef4-dec9f6b3e210" changed="not-changed"><enum>(E)</enum><text>At least 1 individual representing an independent assessment service.</text></subparagraph><subparagraph id="idcbf1a2ae-1b08-4b83-b56d-07285720a3c4" changed="not-changed"><enum>(F)</enum><text>At least 5 representatives from unique businesses that primarily provide cloud computing services or products, including at least 2 representatives from a small business 
concern (as defined by section 3(a) of the Small Business Act (<external-xref legal-doc="usc" parsable-cite="usc/15/632">15 U.S.C. 632(a)</external-xref>)).</text></subparagraph><subparagraph id="id11f81343-1d47-403b-b31e-5a3b82c3d6dc" changed="not-changed"><enum>(G)</enum><text>At least 2 other representatives of the Federal Government as the Administrator determines necessary to provide sufficient balance, insights, or expertise to the Committee.</text></subparagraph></paragraph><paragraph id="id35ae1acc-297d-4fa5-9335-e8c1992cd494" changed="not-changed"><enum>(2)</enum><header>Deadline for appointment</header><text>Each member of the Committee shall be appointed not later than 90 days after the date of enactment of this section.</text></paragraph><paragraph id="id402d5c15-359c-470e-b83f-4475919ca0ba" changed="not-changed"><enum>(3)</enum><header>Period of appointment; vacancies</header><subparagraph id="idbda8b955-bb9c-4a1b-a635-5fbdd8dad012" changed="not-changed"><enum>(A)</enum><header>In general</header><text>Each non-Federal member of the Committee shall be appointed for a term of 3 years, except that the initial terms for members may be staggered 1-, 2-, or 3-year terms to establish a rotation in which one-third of the members are selected each year. Any such member may be appointed for not more than 2 consecutive terms.</text></subparagraph><subparagraph id="id3d23b48e-b4d6-468a-8d14-2702c997b1ad" changed="not-changed"><enum>(B)</enum><header>Vacancies</header><text>Any vacancy in the Committee shall not affect its powers, but shall be filled in the same manner in which the original appointment was made. Any member appointed to fill a vacancy occurring before the expiration of the term for which the member’s predecessor was appointed shall be appointed only for the remainder of that term. 
A member may serve after the expiration of that member’s term until a successor has taken office.</text></subparagraph></paragraph></subsection><subsection id="id878cd17f-9f11-4e3f-bf4b-06eae5350360" changed="not-changed"><enum>(c)</enum><header>Meetings and rules of procedures</header><paragraph id="id26dbc8d7-55e4-4178-a39c-b415a3f02d54" changed="not-changed"><enum>(1)</enum><header>Meetings</header><text>The Committee shall hold not fewer than 3 meetings in a calendar year, at such time and place as determined by the Chair.</text></paragraph><paragraph id="id4e611964-1d2f-41c5-99e7-21d32a252e0b" changed="not-changed"><enum>(2)</enum><header>Initial meeting</header><text>Not later than 120 days after the date of enactment of this section, the Committee shall meet and begin the operations of the Committee.</text></paragraph><paragraph id="ida5eb30db-c0ff-4f5d-a13b-dab90fb7cfae" changed="not-changed"><enum>(3)</enum><header>Rules of procedure</header><text>The Committee may establish rules for the conduct of the business of the Committee if such rules are not inconsistent with this section or other applicable law.</text></paragraph></subsection><subsection id="id0c76aaac-2e9c-4945-80c9-99ff4e6ebb87" changed="not-changed"><enum>(d)</enum><header>Employee status</header><paragraph id="id2cbd2375-1b63-4beb-8c65-005f8a1429e5" changed="not-changed"><enum>(1)</enum><header>In general</header><text>A member of the Committee (other than a member who is appointed to the Committee in connection with another Federal appointment) shall not be considered an employee of the Federal Government by reason of any service as such a member, except for the purposes of section 5703 of title 5, relating to travel expenses.</text></paragraph><paragraph id="id7f92022c-41f8-4d41-8ded-34eb5a176be9" changed="not-changed"><enum>(2)</enum><header>Pay not permitted</header><text>A member of the Committee covered by paragraph (1) may not receive pay by reason of service on the 
Committee.</text></paragraph></subsection><subsection id="id3652bb47-2f6e-4291-8bef-c518430ff2ff" changed="not-changed"><enum>(e)</enum><header>Applicability to the federal advisory committee act</header><text>Section 14 of the Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to the Committee.</text></subsection><subsection id="id19f9de2a-c45a-4048-bd4d-5242e2b8df0a" changed="not-changed"><enum>(f)</enum><header>Detail of employees</header><text>Any Federal Government employee may be detailed to the Committee without reimbursement from the Committee, and such detailee shall retain the rights, status, and privileges of his or her regular employment without interruption.</text></subsection><subsection id="id498aefbc-1168-433c-88b5-3349126fb107" changed="not-changed"><enum>(g)</enum><header>Postal services</header><text>The Committee may use the United States mails in the same manner and under the same conditions as agencies.</text></subsection><subsection id="id8897a880-02ce-48ac-83a9-cb3b754f53c3" changed="not-changed"><enum>(h)</enum><header>Reports</header><paragraph id="idec560c98-e330-4982-9b13-aa67fe2480fe" changed="not-changed"><enum>(1)</enum><header>Interim reports</header><text>The Committee may submit to the Administrator and Congress interim reports containing such findings, conclusions, and recommendations as have been agreed to by the Committee.</text></paragraph><paragraph id="ida967136d-2b7b-48d4-a6ca-ad34f9932bed" changed="not-changed"><enum>(2)</enum><header>Annual reports</header><text>Not later than 540 days after the date of enactment of this section, and annually thereafter, the Committee shall submit to the Administrator and Congress a report containing such findings, conclusions, and recommendations as have been agreed to by the Committee.</text></paragraph></subsection></section><after-quoted-block>.</after-quoted-block></quoted-block></subsection><subsection id="id1bdd60c9-33e1-45c2-9fdd-75292a55e6ee" 
changed="not-changed"><enum>(b)</enum><header>Technical and conforming amendment</header><text>The table of sections for <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/36">chapter 36</external-xref> of title 44, United States Code, is amended by adding at the end the following new items:</text><quoted-block style="USC" id="id2e1f4858-af80-478c-8e5e-25d97d0c7fa6" changed="not-changed"><toc changed="not-changed"><toc-entry level="section" changed="not-changed">3607. Definitions. </toc-entry><toc-entry level="section" changed="not-changed">3608. Federal Risk and Authorization Management Program. </toc-entry><toc-entry level="section" changed="not-changed">3609. Roles and responsibilities of the General Services Administration. </toc-entry><toc-entry level="section" changed="not-changed">3610. FedRAMP Board. </toc-entry><toc-entry level="section" idref="id5475816B478042B6B53A396DB6E83D51" changed="not-changed">3611. Independent assessment. </toc-entry><toc-entry level="section" changed="not-changed">3612. Declaration of foreign interests. </toc-entry><toc-entry level="section" changed="not-changed">3613. Roles and responsibilities of agencies. </toc-entry><toc-entry level="section" changed="not-changed">3614. Roles and responsibilities of the Office of Management and Budget. </toc-entry><toc-entry level="section" changed="not-changed">3615. Reports to Congress; GAO report. </toc-entry><toc-entry level="section" changed="not-changed">3616. 
Federal Secure Cloud Advisory Committee.</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block></subsection><subsection id="id4A6D4A35B3BD4C4D92D0BAAF00598CEA" changed="not-changed"><enum>(c)</enum><header>Sunset</header><paragraph id="id5B3BBD86A4C54738BDF6C5925AF4903E" changed="not-changed"><enum>(1)</enum><header>In general</header><text>Effective on the date that is 5 years after the date of enactment of this Act, <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/36">chapter 36</external-xref> of title 44, United States Code, is amended by striking sections 3607 through 3616.</text></paragraph><paragraph id="idf7939d5d-ba95-4f85-ab97-cf078eccb335" commented="no" display-inline="no-display-inline" changed="not-changed"><enum>(2)</enum><header>Conforming amendment</header><text>Effective on the date that is 5 years after the date of enactment of this Act, the table of sections for <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/36">chapter 36</external-xref> of title 44, United States Code, is amended by striking the items relating to sections 3607 through 3616.</text></paragraph></subsection><subsection id="id42827d14-1406-4d0a-ab75-2122b2e310d7" changed="not-changed" commented="no" display-inline="no-display-inline"><enum>(d)</enum><header>Rule of construction</header><text>Nothing in this section or any amendment made by this section shall be construed as altering or impairing the authorities of the Director of the Office of Management and Budget or the Secretary of Homeland Security under subchapter II of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code.</text></subsection></section></title></legis-body><endorsement><action-date>February 9, 2022</action-date><action-desc>Read the second time and placed on the calendar</action-desc></endorsement></bill> 