[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[S. 2521 Enrolled Bill (ENR)]

        S.2521

                     One Hundred Thirteenth Congress

                                 of the

                        United States of America


                          AT THE SECOND SESSION

           Begun and held at the City of Washington on Friday,
           the third day of January, two thousand and fourteen


                                 An Act


 
  To amend chapter 35 of title 44, United States Code, to provide for 
                 reform to Federal information security.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
    This Act may be cited as the ``Federal Information Security 
Modernization Act of 2014''.
SEC. 2. FISMA REFORM.
    (a) In General.--Chapter 35 of title 44, United States Code, is 
amended by striking subchapters II and III and inserting the following:

                 ``SUBCHAPTER II--INFORMATION SECURITY

``Sec. 3551. Purposes
    ``The purposes of this subchapter are to--
        ``(1) provide a comprehensive framework for ensuring the 
    effectiveness of information security controls over information 
    resources that support Federal operations and assets;
        ``(2) recognize the highly networked nature of the current 
    Federal computing environment and provide effective governmentwide 
    management and oversight of the related information security risks, 
    including coordination of information security efforts throughout 
    the civilian, national security, and law enforcement communities;
        ``(3) provide for development and maintenance of minimum 
    controls required to protect Federal information and information 
    systems;
        ``(4) provide a mechanism for improved oversight of Federal 
    agency information security programs, including through automated 
    security tools to continuously diagnose and improve security;
        ``(5) acknowledge that commercially developed information 
    security products offer advanced, dynamic, robust, and effective 
    information security solutions, reflecting market solutions for the 
    protection of critical information infrastructures important to the 
    national defense and economic security of the nation that are 
    designed, built, and operated by the private sector; and
        ``(6) recognize that the selection of specific technical 
    hardware and software information security solutions should be left 
    to individual agencies from among commercially developed products.
``Sec. 3552. Definitions
    ``(a) In General.--Except as provided under subsection (b), the 
definitions under section 3502 shall apply to this subchapter.
    ``(b) Additional Definitions.--As used in this subchapter:
        ``(1) The term `binding operational directive' means a 
    compulsory direction to an agency that--
            ``(A) is for purposes of safeguarding Federal information 
        and information systems from a known or reasonably suspected 
        information security threat, vulnerability, or risk;
            ``(B) shall be in accordance with policies, principles, 
        standards, and guidelines issued by the Director; and
            ``(C) may be revised or repealed by the Director if the 
        direction issued on behalf of the Director is not in accordance 
        with policies and principles developed by the Director.
        ``(2) The term `incident' means an occurrence that--
            ``(A) actually or imminently jeopardizes, without lawful 
        authority, the integrity, confidentiality, or availability of 
        information or an information system; or
            ``(B) constitutes a violation or imminent threat of 
        violation of law, security policies, security procedures, or 
        acceptable use policies.
        ``(3) The term `information security' means protecting 
    information and information systems from unauthorized access, use, 
    disclosure, disruption, modification, or destruction in order to 
    provide--
            ``(A) integrity, which means guarding against improper 
        information modification or destruction, and includes ensuring 
        information nonrepudiation and authenticity;
            ``(B) confidentiality, which means preserving authorized 
        restrictions on access and disclosure, including means for 
        protecting personal privacy and proprietary information; and
            ``(C) availability, which means ensuring timely and 
        reliable access to and use of information.
        ``(4) The term `information technology' has the meaning given 
    that term in section 11101 of title 40.
        ``(5) The term `intelligence community' has the meaning given 
    that term in section 3(4) of the National Security Act of 1947 (50 
    U.S.C. 3003(4)).
        ``(6)(A) The term `national security system' means any 
    information system (including any telecommunications system) used 
    or operated by an agency or by a contractor of an agency, or other 
    organization on behalf of an agency--
            ``(i) the function, operation, or use of which--
                ``(I) involves intelligence activities;
                ``(II) involves cryptologic activities related to 
            national security;
                ``(III) involves command and control of military 
            forces;
                ``(IV) involves equipment that is an integral part of a 
            weapon or weapons system; or
                ``(V) subject to subparagraph (B), is critical to the 
            direct fulfillment of military or intelligence missions; or
            ``(ii) is protected at all times by procedures established 
        for information that have been specifically authorized under 
        criteria established by an Executive order or an Act of 
        Congress to be kept classified in the interest of national 
        defense or foreign policy.
        ``(B) Subparagraph (A)(i)(V) does not include a system that is 
    to be used for routine administrative and business applications 
    (including payroll, finance, logistics, and personnel management 
    applications).
        ``(7) The term `Secretary' means the Secretary of Homeland 
    Security.
``Sec. 3553. Authority and functions of the Director and the Secretary
    ``(a) Director.--The Director shall oversee agency information 
security policies and practices, including--
        ``(1) developing and overseeing the implementation of policies, 
    principles, standards, and guidelines on information security, 
    including through ensuring timely agency adoption of and compliance 
    with standards promulgated under section 11331 of title 40;
        ``(2) requiring agencies, consistent with the standards 
    promulgated under such section 11331 and the requirements of this 
    subchapter, to identify and provide information security 
    protections commensurate with the risk and magnitude of the harm 
    resulting from the unauthorized access, use, disclosure, 
    disruption, modification, or destruction of--
            ``(A) information collected or maintained by or on behalf 
        of an agency; or
            ``(B) information systems used or operated by an agency or 
        by a contractor of an agency or other organization on behalf of 
        an agency;
        ``(3) ensuring that the Secretary carries out the authorities 
    and functions under subsection (b);
        ``(4) coordinating the development of standards and guidelines 
    under section 20 of the National Institute of Standards and 
    Technology Act (15 U.S.C. 278g-3) with agencies and offices 
    operating or exercising control of national security systems 
    (including the National Security Agency) to assure, to the maximum 
    extent feasible, that such standards and guidelines are 
    complementary with standards and guidelines developed for national 
    security systems;
        ``(5) overseeing agency compliance with the requirements of 
    this subchapter, including through any authorized action under 
    section 11303 of title 40, to enforce accountability for compliance 
    with such requirements; and
        ``(6) coordinating information security policies and procedures 
    with related information resources management policies and 
    procedures.
    ``(b) Secretary.--The Secretary, in consultation with the Director, 
shall administer the implementation of agency information security 
policies and practices for information systems, except for national 
security systems and information systems described in paragraph (2) or 
(3) of subsection (e), including--
        ``(1) assisting the Director in carrying out the authorities 
    and functions under paragraphs (1), (2), (3), (5), and (6) of 
    subsection (a);
        ``(2) developing and overseeing the implementation of binding 
    operational directives to agencies to implement the policies, 
    principles, standards, and guidelines developed by the Director 
    under subsection (a)(1) and the requirements of this subchapter, 
    which may be revised or repealed by the Director if the operational 
    directives issued on behalf of the Director are not in accordance 
    with policies, principles, standards, and guidelines developed by 
    the Director, including--
            ``(A) requirements for reporting security incidents to the 
        Federal information security incident center established under 
        section 3556;
            ``(B) requirements for the contents of the annual reports 
        required to be submitted under section 3554(c)(1);
            ``(C) requirements for the mitigation of exigent risks to 
        information systems; and
            ``(D) other operational requirements as the Director or 
        Secretary, in consultation with the Director, may determine 
        necessary;
        ``(3) monitoring agency implementation of information security 
    policies and practices;
        ``(4) convening meetings with senior agency officials to help 
    ensure effective implementation of information security policies 
    and practices;
        ``(5) coordinating Government-wide efforts on information 
    security policies and practices, including consultation with the 
    Chief Information Officers Council established under section 3603 
    and the Director of the National Institute of Standards and 
    Technology;
        ``(6) providing operational and technical assistance to 
    agencies in implementing policies, principles, standards, and 
    guidelines on information security, including implementation of 
    standards promulgated under section 11331 of title 40, including 
    by--
            ``(A) operating the Federal information security incident 
        center established under section 3556;
            ``(B) upon request by an agency, deploying technology to 
        assist the agency to continuously diagnose and mitigate against 
        cyber threats and vulnerabilities, with or without 
        reimbursement;
            ``(C) compiling and analyzing data on agency information 
        security; and
            ``(D) developing and conducting targeted operational 
        evaluations, including threat and vulnerability assessments, on 
        the information systems; and
        ``(7) other actions as the Director or the Secretary, in 
    consultation with the Director, may determine necessary to carry 
    out this subsection.
    ``(c) Report.--Not later than March 1 of each year, the Director, 
in consultation with the Secretary, shall submit to Congress a report 
on the effectiveness of information security policies and practices 
during the preceding year, including--
        ``(1) a summary of the incidents described in the annual 
    reports required to be submitted under section 3554(c)(1), 
    including a summary of the information required under section 
    3554(c)(1)(A)(iii);
        ``(2) a description of the threshold for reporting major 
    information security incidents;
        ``(3) a summary of the results of evaluations required to be 
    performed under section 3555;
        ``(4) an assessment of agency compliance with standards 
    promulgated under section 11331 of title 40; and
        ``(5) an assessment of agency compliance with data breach 
    notification policies and procedures issued by the Director.
    ``(d) National Security Systems.--Except for the authorities and 
functions described in subsection (a)(5) and subsection (c), the 
authorities and functions of the Director and the Secretary under this 
section shall not apply to national security systems.
    ``(e) Department of Defense and Intelligence Community Systems.--
(1) The authorities of the Director described in paragraphs (1) and (2) 
of subsection (a) shall be delegated to the Secretary of Defense in the 
case of systems described in paragraph (2) and to the Director of 
National Intelligence in the case of systems described in paragraph 
(3).
    ``(2) The systems described in this paragraph are systems that are 
operated by the Department of Defense, a contractor of the Department 
of Defense, or another entity on behalf of the Department of Defense 
that processes any information the unauthorized access, use, 
disclosure, disruption, modification, or destruction of which would 
have a debilitating impact on the mission of the Department of Defense.
    ``(3) The systems described in this paragraph are systems that are 
operated by an element of the intelligence community, a contractor of 
an element of the intelligence community, or another entity on behalf 
of an element of the intelligence community that processes any 
information the unauthorized access, use, disclosure, disruption, 
modification, or destruction of which would have a debilitating impact 
on the mission of an element of the intelligence community.
    ``(f) Consideration.--
        ``(1) In general.--In carrying out the responsibilities under 
    subsection (b), the Secretary shall consider any applicable 
    standards or guidelines developed by the National Institute of 
    Standards and Technology and issued by the Secretary of Commerce 
    under section 11331 of title 40.
        ``(2) Directives.--The Secretary shall--
            ``(A) consult with the Director of the National Institute 
        of Standards and Technology regarding any binding operational 
        directive that implements standards and guidelines developed by 
        the National Institute of Standards and Technology; and
            ``(B) ensure that binding operational directives issued 
        under subsection (b)(2) do not conflict with the standards and 
        guidelines issued under section 11331 of title 40.
        ``(3) Rule of construction.--Nothing in this subchapter shall 
    be construed as authorizing the Secretary to direct the Secretary 
    of Commerce in the development and promulgation of standards and 
    guidelines under section 11331 of title 40.
    ``(g) Exercise of Authority.--To ensure fiscal and policy 
consistency, the Secretary shall exercise the authority under this 
section subject to direction by the President, in coordination with the 
Director.
``Sec. 3554. Federal agency responsibilities
    ``(a) In General.--The head of each agency shall--
        ``(1) be responsible for--
            ``(A) providing information security protections 
        commensurate with the risk and magnitude of the harm resulting 
        from unauthorized access, use, disclosure, disruption, 
        modification, or destruction of--
                ``(i) information collected or maintained by or on 
            behalf of the agency; and
                ``(ii) information systems used or operated by an 
            agency or by a contractor of an agency or other 
            organization on behalf of an agency;
            ``(B) complying with the requirements of this subchapter 
        and related policies, procedures, standards, and guidelines, 
        including--
                ``(i) information security standards promulgated under 
            section 11331 of title 40;
                ``(ii) operational directives developed by the 
            Secretary under section 3553(b);
                ``(iii) policies and procedures issued by the Director; 
            and
                ``(iv) information security standards and guidelines 
            for national security systems issued in accordance with law 
            and as directed by the President; and
            ``(C) ensuring that information security management 
        processes are integrated with agency strategic, operational, 
        and budgetary planning processes;
        ``(2) ensure that senior agency officials provide information 
    security for the information and information systems that support 
    the operations and assets under their control, including through--
            ``(A) assessing the risk and magnitude of the harm that 
        could result from the unauthorized access, use, disclosure, 
        disruption, modification, or destruction of such information or 
        information systems;
            ``(B) determining the levels of information security 
        appropriate to protect such information and information systems 
        in accordance with standards promulgated under section 11331 of 
        title 40, for information security classifications and related 
        requirements;
            ``(C) implementing policies and procedures to cost-
        effectively reduce risks to an acceptable level; and
            ``(D) periodically testing and evaluating information 
        security controls and techniques to ensure that they are 
        effectively implemented;
        ``(3) delegate to the agency Chief Information Officer 
    established under section 3506 (or comparable official in an agency 
    not covered by such section) the authority to ensure compliance 
    with the requirements imposed on the agency under this subchapter, 
    including--
            ``(A) designating a senior agency information security 
        officer who shall--
                ``(i) carry out the Chief Information Officer's 
            responsibilities under this section;
                ``(ii) possess professional qualifications, including 
            training and experience, required to administer the 
            functions described under this section;
                ``(iii) have information security duties as that 
            official's primary duty; and
                ``(iv) head an office with the mission and resources to 
            assist in ensuring agency compliance with this section;
            ``(B) developing and maintaining an agencywide information 
        security program as required by subsection (b);
            ``(C) developing and maintaining information security 
        policies, procedures, and control techniques to address all 
        applicable requirements, including those issued under section 
        3553 of this title and section 11331 of title 40;
            ``(D) training and overseeing personnel with significant 
        responsibilities for information security with respect to such 
        responsibilities; and
            ``(E) assisting senior agency officials concerning their 
        responsibilities under paragraph (2);
        ``(4) ensure that the agency has trained personnel sufficient 
    to assist the agency in complying with the requirements of this 
    subchapter and related policies, procedures, standards, and 
    guidelines;
        ``(5) ensure that the agency Chief Information Officer, in 
    coordination with other senior agency officials, reports annually 
    to the agency head on the effectiveness of the agency information 
    security program, including progress of remedial actions;
        ``(6) ensure that senior agency officials, including chief 
    information officers of component agencies or equivalent officials, 
    carry out responsibilities under this subchapter as directed by the 
    official delegated authority under paragraph (3); and
        ``(7) ensure that all personnel are held accountable for 
    complying with the agency-wide information security program 
    implemented under subsection (b).
    ``(b) Agency Program.--Each agency shall develop, document, and 
implement an agency-wide information security program to provide 
information security for the information and information systems that 
support the operations and assets of the agency, including those 
provided or managed by another agency, contractor, or other source, 
that includes--
        ``(1) periodic assessments of the risk and magnitude of the 
    harm that could result from the unauthorized access, use, 
    disclosure, disruption, modification, or destruction of information 
    and information systems that support the operations and assets of 
    the agency, which may include using automated tools consistent with 
    standards and guidelines promulgated under section 11331 of title 
    40;
        ``(2) policies and procedures that--
            ``(A) are based on the risk assessments required by 
        paragraph (1);
            ``(B) cost-effectively reduce information security risks to 
        an acceptable level;
            ``(C) ensure that information security is addressed 
        throughout the life cycle of each agency information system; 
        and
            ``(D) ensure compliance with--
                ``(i) the requirements of this subchapter;
                ``(ii) policies and procedures as may be prescribed by 
            the Director, and information security standards 
            promulgated under section 11331 of title 40;
                ``(iii) minimally acceptable system configuration 
            requirements, as determined by the agency; and
                ``(iv) any other applicable requirements, including 
            standards and guidelines for national security systems 
            issued in accordance with law and as directed by the 
            President;
        ``(3) subordinate plans for providing adequate information 
    security for networks, facilities, and systems or groups of 
    information systems, as appropriate;
        ``(4) security awareness training to inform personnel, 
    including contractors and other users of information systems that 
    support the operations and assets of the agency, of--
            ``(A) information security risks associated with their 
        activities; and
            ``(B) their responsibilities in complying with agency 
        policies and procedures designed to reduce these risks;
        ``(5) periodic testing and evaluation of the effectiveness of 
    information security policies, procedures, and practices, to be 
    performed with a frequency depending on risk, but no less than 
    annually, of which such testing--
            ``(A) shall include testing of management, operational, and 
        technical controls of every information system identified in 
        the inventory required under section 3505(c);
            ``(B) may include testing relied on in an evaluation under 
        section 3555; and
            ``(C) shall include using automated tools, consistent with 
        standards and guidelines promulgated under section 11331 of 
        title 40;
        ``(6) a process for planning, implementing, evaluating, and 
    documenting remedial action to address any deficiencies in the 
    information security policies, procedures, and practices of the 
    agency;
        ``(7) procedures for detecting, reporting, and responding to 
    security incidents, which--
            ``(A) shall be consistent with the standards and guidelines 
        described in section 3556(b);
            ``(B) may include using automated tools; and
            ``(C) shall include--
                ``(i) mitigating risks associated with such incidents 
            before substantial damage is done;
                ``(ii) notifying and consulting with the Federal 
            information security incident center established in section 
            3556; and
                ``(iii) notifying and consulting with, as appropriate--

                    ``(I) law enforcement agencies and relevant Offices 
                of Inspector General and Offices of General Counsel;
                    ``(II) an office designated by the President for 
                any incident involving a national security system;
                    ``(III) for a major incident, the committees of 
                Congress described in subsection (c)(1)--

                        ``(aa) not later than 7 days after the date on 
                    which there is a reasonable basis to conclude that 
                    the major incident has occurred; and
                        ``(bb) after the initial notification under 
                    item (aa), within a reasonable period of time after 
                    additional information relating to the incident is 
                    discovered, including the summary required under 
                    subsection (c)(1)(A)(i); and

                    ``(IV) any other agency or office, in accordance 
                with law or as directed by the President; and

        ``(8) plans and procedures to ensure continuity of operations 
    for information systems that support the operations and assets of 
    the agency.
    ``(c) Agency Reporting.--
        ``(1) Annual report.--
            ``(A) In general.--Each agency shall submit to the 
        Director, the Secretary, the Committee on Government Reform, 
        the Committee on Homeland Security, and the Committee on 
        Science of the House of Representatives, the Committee on 
        Homeland Security and Governmental Affairs and the Committee on 
        Commerce, Science, and Transportation of the Senate, the 
        appropriate authorization and appropriations committees of 
        Congress, and the Comptroller General a report on the adequacy 
        and effectiveness of information security policies, procedures, 
        and practices, including--
                ``(i) a description of each major information security 
            incident or related sets of incidents, including summaries 
            of--

                    ``(I) the threats and threat actors, 
                vulnerabilities, and impacts relating to the incident;
                    ``(II) the risk assessments conducted under section 
                3554(a)(2)(A) of the affected information systems 
                before the date on which the incident occurred;
                    ``(III) the status of compliance of the affected 
                information systems with applicable security 
                requirements at the time of the incident; and
                    ``(IV) the detection, response, and remediation 
                actions;

                ``(ii) the total number of information security 
            incidents, including a description of incidents resulting 
            in significant compromise of information security, system 
            impact levels, types of incident, and locations of affected 
            systems;
                ``(iii) a description of each major information 
            security incident that involved a breach of personally 
            identifiable information, as defined by the Director, 
            including--

                    ``(I) the number of individuals whose information 
                was affected by the major information security 
                incident; and
                    ``(II) a description of the information that was 
                breached or exposed; and

                ``(iv) any other information as the Director or the 
            Secretary, in consultation with the Director, may require.
            ``(B) Unclassified report.--
                ``(i) In general.--Each report submitted under 
            subparagraph (A) shall be in unclassified form, but may 
            include a classified annex.
                ``(ii) Access to information.--The head of an agency 
            shall ensure that, to the greatest extent practicable, 
            information is included in the unclassified version of the 
            reports submitted by the agency under subparagraph (A).
        ``(2) Other plans and reports.--Each agency shall address the 
    adequacy and effectiveness of information security policies, 
    procedures, and practices in management plans and reports.
    ``(d) Performance Plan.--(1) In addition to the requirements of 
subsection (c), each agency, in consultation with the Director, shall 
include as part of the performance plan required under section 1115 of 
title 31 a description of--
        ``(A) the time periods; and
        ``(B) the resources, including budget, staffing, and training,
that are necessary to implement the program required under subsection 
(b).
    ``(2) The description under paragraph (1) shall be based on the 
risk assessments required under subsection (b)(1).
    ``(e) Public Notice and Comment.--Each agency shall provide the 
public with timely notice and opportunities for comment on proposed 
information security policies and procedures to the extent that such 
policies and procedures affect communication with the public.
``Sec. 3555. Annual independent evaluation
    ``(a) In General.--(1) Each year each agency shall have performed 
an independent evaluation of the information security program and 
practices of that agency to determine the effectiveness of such program 
and practices.
    ``(2) Each evaluation under this section shall include--
        ``(A) testing of the effectiveness of information security 
    policies, procedures, and practices of a representative subset of 
    the agency's information systems;
        ``(B) an assessment of the effectiveness of the information 
    security policies, procedures, and practices of the agency; and
        ``(C) separate presentations, as appropriate, regarding 
    information security relating to national security systems.
    ``(b) Independent Auditor.--Subject to subsection (c)--
        ``(1) for each agency with an Inspector General appointed under 
    the Inspector General Act of 1978, the annual evaluation required 
    by this section shall be performed by the Inspector General or by 
    an independent external auditor, as determined by the Inspector 
    General of the agency; and
        ``(2) for each agency to which paragraph (1) does not apply, 
    the head of the agency shall engage an independent external auditor 
    to perform the evaluation.
    ``(c) National Security Systems.--For each agency operating or 
exercising control of a national security system, that portion of the 
evaluation required by this section directly relating to a national 
security system shall be performed--
        ``(1) only by an entity designated by the agency head; and
        ``(2) in such a manner as to ensure appropriate protection for 
    information associated with any information security vulnerability 
    in such system commensurate with the risk and in accordance with 
    all applicable laws.
    ``(d) Existing Evaluations.--The evaluation required by this 
section may be based in whole or in part on an audit, evaluation, or 
report relating to programs or practices of the applicable agency.
    ``(e) Agency Reporting.--(1) Each year, not later than such date 
established by the Director, the head of each agency shall submit to 
the Director the results of the evaluation required under this section.
    ``(2) To the extent an evaluation required under this section 
directly relates to a national security system, the evaluation results 
submitted to the Director shall contain only a summary and assessment 
of that portion of the evaluation directly relating to a national 
security system.
    ``(f) Protection of Information.--Agencies and evaluators shall 
take appropriate steps to ensure the protection of information which, 
if disclosed, may adversely affect information security. Such 
protections shall be commensurate with the risk and comply with all 
applicable laws and regulations.
    ``(g) OMB Reports to Congress.--(1) The Director shall summarize 
the results of the evaluations conducted under this section in the 
report to Congress required under section 3553(c).
    ``(2) The Director's report to Congress under this subsection shall 
summarize information regarding information security relating to 
national security systems in such a manner as to ensure appropriate 
protection for information associated with any information security 
vulnerability in such system commensurate with the risk and in 
accordance with all applicable laws.
    ``(3) Evaluations and any other descriptions of information systems 
under the authority and control of the Director of National 
Intelligence or of National Foreign Intelligence Programs systems under 
the authority and control of the Secretary of Defense shall be made 
available to Congress only through the appropriate oversight committees 
of Congress, in accordance with applicable laws.
    ``(h) Comptroller General.--The Comptroller General shall 
periodically evaluate and report to Congress on--
        ``(1) the adequacy and effectiveness of agency information 
    security policies and practices; and
        ``(2) implementation of the requirements of this subchapter.
    ``(i) Assessment Technical Assistance.--The Comptroller General may 
provide technical assistance to an Inspector General or the head of an 
agency, as applicable, to assist the Inspector General or head of an 
agency in carrying out the duties under this section, including by 
testing information security controls and procedures.
    ``(j) Guidance.--The Director, in consultation with the Secretary, 
the Chief Information Officers Council established under section 3603, 
the Council of the Inspectors General on Integrity and Efficiency, and 
other interested parties as appropriate, shall ensure the development 
of guidance for evaluating the effectiveness of an information security 
program and practices.
``Sec. 3556. Federal information security incident center
    ``(a) In General.--The Secretary shall ensure the operation of a 
central Federal information security incident center to--
        ``(1) provide timely technical assistance to operators of 
    agency information systems regarding security incidents, including 
    guidance on detecting and handling information security incidents;
        ``(2) compile and analyze information about incidents that 
    threaten information security;
        ``(3) inform operators of agency information systems about 
    current and potential information security threats, and 
    vulnerabilities;
        ``(4) provide, as appropriate, intelligence and other 
    information about cyber threats, vulnerabilities, and incidents to 
    agencies to assist in risk assessments conducted under section 
    3554(b); and
        ``(5) consult with the National Institute of Standards and 
    Technology, agencies or offices operating or exercising control of 
    national security systems (including the National Security Agency), 
    and such other agencies or offices in accordance with law and as 
    directed by the President regarding information security incidents 
    and related matters.
    ``(b) National Security Systems.--Each agency operating or 
exercising control of a national security system shall share 
information about information security incidents, threats, and 
vulnerabilities with the Federal information security incident center 
to the extent consistent with standards and guidelines for national 
security systems, issued in accordance with law and as directed by the 
President.
``Sec. 3557. National security systems
    ``The head of each agency operating or exercising control of a 
national security system shall be responsible for ensuring that the 
agency--
        ``(1) provides information security protections commensurate 
    with the risk and magnitude of the harm resulting from the 
    unauthorized access, use, disclosure, disruption, modification, or 
    destruction of the information contained in such system;
        ``(2) implements information security policies and practices as 
    required by standards and guidelines for national security systems, 
    issued in accordance with law and as directed by the President; and
        ``(3) complies with the requirements of this subchapter.
``Sec. 3558. Effect on existing law
    ``Nothing in this subchapter, section 11331 of title 40, or section 
20 of the National Standards and Technology Act (15 U.S.C. 278g-3) may 
be construed as affecting the authority of the President, the Office of 
Management and Budget or the Director thereof, the National Institute 
of Standards and Technology, or the head of any agency, with respect to 
the authorized use or disclosure of information, including with regard 
to the protection of personal privacy under section 552a of title 5, 
the disclosure of information under section 552 of title 5, the 
management and disposition of records under chapters 29, 31, or 33 of 
title 44, the management of information resources under subchapter I of 
chapter 35 of this title, or the disclosure of information to the 
Congress or the Comptroller General of the United States.''.
    (b) Major Incident.--The Director of the Office of Management and 
Budget shall--
        (1) develop guidance on what constitutes a major incident for 
    purposes of section 3554(b) of title 44, United States Code, as 
    added by subsection (a); and
        (2) provide to Congress periodic briefings on the status of the 
    developing of the guidance until the date on which the guidance is 
    issued.
    (c) Continuous Diagnostics.--During the 2 year period beginning on 
the date of enactment of this Act, the Director of the Office of 
Management and Budget, with the assistance of the Secretary of Homeland 
Security, shall include in each report submitted under section 3553(c) 
of title 44, United States Code, as added by subsection (a), an 
assessment of the adoption by agencies of continuous diagnostics 
technologies, including through the Continuous Diagnostics and 
Mitigation program, and other advanced security tools to provide 
information security, including challenges to the adoption of such 
technologies or security tools.
    (d) Breaches.--
        (1) Requirements.--The Director of the Office of Management and 
    Budget shall ensure that data breach notification policies and 
    guidelines are updated periodically and require--
            (A) except as provided in paragraph (4), notice by the 
        affected agency to each committee of Congress described in 
        section 3554(c)(1) of title 44, United States Code, as added by 
        subsection (a), the Committee on the Judiciary of the Senate, 
        and the Committee on the Judiciary of the House of 
        Representatives, which shall--
                (i) be provided expeditiously and not later than 30 
            days after the date on which the agency discovered the 
            unauthorized acquisition or access; and
                (ii) include--

                    (I) information about the breach, including a 
                summary of any information that the agency knows on the 
                date on which notification is provided about how the 
                breach occurred;
                    (II) an estimate of the number of individuals 
                affected by the breach, based on information that the 
                agency knows on the date on which notification is 
                provided, including an assessment of the risk of harm 
                to affected individuals;
                    (III) a description of any circumstances 
                necessitating a delay in providing notice to affected 
                individuals; and
                    (IV) an estimate of whether and when the agency 
                will provide notice to affected individuals; and

            (B) notice by the affected agency to affected individuals, 
        pursuant to data breach notification policies and guidelines, 
        which shall be provided as expeditiously as practicable and 
        without unreasonable delay after the agency discovers the 
        unauthorized acquisition or access.
        (2) National security; law enforcement; remediation.--The 
    Attorney General, the head of an element of the intelligence 
    community (as such term is defined under section 3(4) of the 
    National Security Act of 1947 (50 U.S.C. 3003(4)), or the Secretary 
    of Homeland Security may delay the notice to affected individuals 
    under paragraph (1)(B) if the notice would disrupt a law 
    enforcement investigation, endanger national security, or hamper 
    security remediation actions.
        (3) Reports.--
            (A) Director of omb.--During the first 2 years beginning 
        after the date of enactment of this Act, the Director of the 
        Office of Management and Budget shall, on an annual basis--
                (i) assess agency implementation of data breach 
            notification policies and guidelines in aggregate; and
                (ii) include the assessment described in clause (i) in 
            the report required under section 3553(c) of title 44, 
            United States Code.
            (B) Secretary of homeland security.--During the first 2 
        years beginning after the date of enactment of this Act, the 
        Secretary of Homeland Security shall include an assessment of 
        the status of agency implementation of data breach notification 
        policies and guidelines in the requirements under section 
        3553(b)(2)(B) of title 44, United States Code.
        (4) Exception.--Any element of the intelligence community (as 
    such term is defined under section 3(4) of the National Security 
    Act of 1947 (50 U.S.C. 3003(4)) that is required to provide notice 
    under paragraph (1)(A) shall only provide such notice to 
    appropriate committees of Congress.
        (5) Rule of construction.--Nothing in paragraph (1) shall be 
    construed to alter any authority of a Federal agency or department.
    (e) Technical and Conforming Amendments.--
        (1) Table of sections.--The table of sections for chapter 35 of 
    title 44, United States Code is amended by striking the matter 
    relating to subchapters II and III and inserting the following:

                  ``subchapter ii--information security

``3551. Purposes.
``3552. Definitions.
``3553. Authority and functions of the Director and the Secretary.
``3554. Federal agency responsibilities.
``3555. Annual independent evaluation.
``3556. Federal information security incident center.
``3557. National security systems.
``3558. Effect on existing law.''.

        (2) Cybersecurity research and development act.--Section 
    8(d)(1) of the Cybersecurity Research and Development Act (15 
    U.S.C. 7406) is amended by striking ``section 3534'' and inserting 
    ``section 3554''.
        (3) Homeland security act of 2002.--The Homeland Security Act 
    of 2002 (6 U.S.C. 101 et seq.) is amended--
            (A) in section 223 (6 U.S.C. 143)
                (i) in the section heading, by inserting ``federal 
            and'' before ``non-federal'';
                (ii) in the matter preceding paragraph (1), by striking 
            ``the Under Secretary for Intelligence and Analysis, in 
            cooperation with the Assistant Secretary for Infrastructure 
            Protection'' and inserting ``the Under Secretary appointed 
            under section 103(a)(1)(H)'';
                (iii) in paragraph (2), by striking the period at the 
            end and inserting ``; and''; and
                (iv) by adding at the end the following:
        ``(3) fulfill the responsibilities of the Secretary to protect 
    Federal information systems under subchapter II of chapter 35 of 
    title 44, United States Code.'';
            (B) in section 1001(c)(1)(A) (6 U.S.C. 511(c)(1)(A)), by 
        striking ``section 3532(3)'' and inserting ``section 
        3552(b)(5)''; and
            (C) in the table of contents in section 1(b), by striking 
        the item relating to section 223 and inserting the following:

``Sec. 223. Enhancement of Federal and non-Federal cybersecurity.''.

        (4) National institute of standards and technology act.--
    Section 20 of the National Institute of Standards and Technology 
    Act (15 U.S.C. 278g-3) is amended--
            (A) in subsection (a)(2), by striking ``section 
        3532(b)(2)'' and inserting ``section 3552(b)(5)''; and
            (B) in subsection (e)--
                (i) in paragraph (2), by striking ``section 3532(1)'' 
            and inserting ``section 3552(b)(2)''; and
                (ii) in paragraph (5), by striking ``section 
            3532(b)(2)'' and inserting ``section 3552(b)(5)''.
        (5) Title 10.--Title 10, United States Code, is amended--
            (A) in section 2222(j)(5), by striking ``section 
        3542(b)(2)'' and inserting ``section 3552(b)(5)'';
            (B) in section 2223(c)(3), by striking ``section 
        3542(b)(2)'' and inserting ``section 3552(b)(5)''; and
            (C) in section 2315, by striking ``section 3542(b)(2)'' and 
        inserting ``section 3552(b)(5)''.
    (f) Other Provisions.--
        (1) Circular a-130.--Not later than 1 year after the date of 
    enactment of this Act, the Director of the Office of Management and 
    Budget shall amend or revise Office of Management and Budget 
    Circular A-130 to eliminate inefficient or wasteful reporting. The 
    Director of the Office of Management and Budget shall provide 
    quarterly briefings to Congress on the status of the amendment or 
    revision required under this paragraph.
        (2) ISPAB.--Section 21(b) of the National Institute of 
    Standards and Technology Act (15 U.S.C. 278g-4(b)) is amended--
            (A) in paragraph (2), by inserting ``, the Secretary of 
        Homeland Security,'' after ``the Institute''; and
            (B) in paragraph (3), by inserting ``the Secretary of 
        Homeland Security,'' after ``the Secretary of Commerce,''.

                               Speaker of the House of Representatives.

                            Vice President of the United States and    
                                               President of the Senate.