[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 4912 Introduced in Senate (IS)]

<DOC>






116th CONGRESS
  2d Session
                                S. 4912

 To amend the Federal Cybersecurity Enhancement Act of 2015 to require 
   Federal agencies to obtain exemptions from certain cybersecurity 
requirements in order to avoid compliance with those requirements, and 
                          for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           November 18, 2020

   Mr. Wyden introduced the following bill; which was read twice and 
referred to the Committee on Homeland Security and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
 To amend the Federal Cybersecurity Enhancement Act of 2015 to require 
   Federal agencies to obtain exemptions from certain cybersecurity 
requirements in order to avoid compliance with those requirements, and 
                          for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Cybersecurity Oversight Act 
of 2020''.

SEC. 2. FEDERAL CYBERSECURITY REQUIREMENTS.

    (a) Exemption From Federal Requirements.--Section 225(b)(2) of the 
Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1523(b)(2)) is 
amended to read as follows:
            ``(2) Exception.--
                    ``(A) In general.--A particular requirement under 
                paragraph (1) shall not apply to an agency information 
                system of an agency if--
                            ``(i) with respect to the agency 
                        information system, the head of the agency 
                        submits to the Director an application for an 
                        exemption from the particular requirement, in 
                        which the head of the agency personally 
                        certifies to the Director with particularity 
                        that--
                                    ``(I) operational requirements 
                                articulated in the certification and 
                                related to the agency information 
                                system would make it excessively 
                                burdensome to implement the particular 
                                requirement;
                                    ``(II) the particular requirement 
                                is not necessary to secure the agency 
                                information system or agency 
                                information stored on or transiting the 
                                agency information system; and
                                    ``(III) the agency has taken all 
                                necessary steps to secure the agency 
                                information system and agency 
                                information stored on or transiting the 
                                agency information system;
                            ``(ii) the head of the agency or the 
                        designee of the head of the agency has 
                        submitted the certification described in clause 
                        (i) to the appropriate congressional committees 
                        and any other congressional committee with 
                        jurisdiction over the agency; and
                            ``(iii) the Director grants the exemption 
                        from the particular requirement.
                    ``(B) Duration of exemption.--
                            ``(i) In general.--An exemption granted 
                        under subparagraph (A) shall expire on the date 
                        that is 1 year after the date on which the 
                        Director grants the exemption.
                            ``(ii) Renewal.--Upon the expiration of an 
                        exemption granted to an agency under 
                        subparagraph (A), the head of the agency may 
                        apply for an additional exemption.''.
    (b) Report on Exemptions.--Section 3554(c)(1)(A) of title 44, 
United States Code, is amended--
            (1) in clause (iii), by striking ``and'' at the end;
            (2) by redesignating clause (iv) as clause (v); and
            (3) by inserting after clause (iii) the following:
                            ``(iv) with respect to any exemptions the 
                        agency is granted by the Director of the Office 
                        of Management and Budget under section 
                        225(b)(2) of the Federal Cybersecurity 
                        Enhancement Act of 2015 (6 U.S.C. 1523(b)(2)) 
                        that is effective on the date of submission of 
                        the report--
                                    ``(I) an identification of the 
                                particular requirements from which any 
                                agency information system (as defined 
                                in section 2210 of the Homeland 
                                Security Act of 2002 (6 U.S.C. 660)) is 
                                exempted; and
                                    ``(II) for each requirement 
                                identified under subclause (I)--
                                            ``(aa) an identification of 
                                        the agency information system 
                                        described in subclause (I) 
                                        exempted from the requirement; 
                                        and
                                            ``(bb) an estimate of the 
                                        date on which the agency will 
                                        to be able to comply with the 
                                        requirement; and''.
    (c) Effective Date.--This Act and the amendments made by this Act 
shall take effect on the date that is 1 year after the date of 
enactment of this Act.
                                 <all>