[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 5008 Introduced in Senate (IS)]

116th CONGRESS
  2d Session
                                S. 5008

 To require notification of incidents at agencies involving sensitive 
             personal information, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           December 10, 2020

Mr. Peters (for himself and Mr. Portman) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
 To require notification of incidents at agencies involving sensitive 
             personal information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal System Incident Response Act 
of 2020''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    (B) the Committee on Oversight and Reform of the 
                House of Representatives; and
                    (C) the Committee on Homeland Security of the House 
                of Representatives.
            (2) Director.--The term ``Director'' means the Director of 
        the Office of Management and Budget.

SEC. 3. FEDERAL INFORMATION SYSTEM INCIDENT RESPONSE.

    (a) In General.--Chapter 35 of title 44, United States Code, is 
amended by adding at the end the following:

     ``Subchapter IV--Federal Information System Incident Response

``Sec. 3591. Definitions
    ``(a) In General.--Except as provided under subsection (b), the 
definitions under section 3502 shall apply to this subchapter.
    ``(b) Additional Definitions.--As used in this subchapter:
            ``(1) Appropriate notification entities.--The term 
        `appropriate notification entities' means--
                    ``(A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    ``(B) the Committee on Commerce, Science, and 
                Transportation of the Senate;
                    ``(C) the Committee on Oversight and Reform of the 
                House of Representatives;
                    ``(D) the Committee on Homeland Security of the 
                House of Representatives;
                    ``(E) the Committee on Science, Space, and 
                Technology of the House of Representatives;
                    ``(F) the appropriate authorization and 
                appropriations committees of Congress;
                    ``(G) the Director;
                    ``(H) the Secretary of Homeland Security; and
                    ``(I) the Comptroller General of the United States.
            ``(2) Incident.--The term `incident' has the meaning given 
        the term in section 3552 of this title.
            ``(3) Contractor.--The term `contractor'--
                    ``(A) means any person or business that collects or 
                maintains information that includes personally 
                identifiable information or sensitive personal 
                information on behalf of an agency; and
                    ``(B) includes any subcontractor of a person or 
                business described in subparagraph (A).
            ``(4) Covered incident.--The term `covered incident' means, 
        with respect to any information collected or maintained by or 
        on behalf of an agency or information system used or operated 
        by an agency or by a contractor of an agency or other 
        organization on behalf of an agency--
                    ``(A) a major incident, as defined by the Director 
                pursuant to section 2(b) of the Federal Information 
                Security Modernization Act of 2014 (44 U.S.C. 3554 
                note);
                    ``(B) any incident determined likely to have a 
                significant impact on national security, homeland 
                security, or economic security of the United States;
                    ``(C) any incident determined likely to have a 
                significant impact on the operations of the agency or 
                the Federal Government; or
                    ``(D) any incident that is determined to have 
                involved any sensitive personal information, regardless 
                of the number of impacted individuals.
            ``(5) Intelligence community.--The term `intelligence 
        community' has the meaning given the term in section 3 of the 
        National Security Act of 1947 (50 U.S.C. 3003).
            ``(6) Nationwide consumer reporting agency.--The term 
        `nationwide consumer reporting agency' means a consumer 
        reporting agency described in section 603(p) of the Fair Credit 
        Reporting Act (15 U.S.C. 1681a(p)).
            ``(7) Sensitive personal information.--The term `sensitive 
        personal information' means, with respect to an individual--
                    ``(A) any combination of data or information that, 
                if exposed, could result in substantial harm, physical 
                harm, embarrassment, or unfairness to the individual, 
                including biometric, genetic, or other data; and
                    ``(B) any other information as determined by the 
                Director.
            ``(8) Substantial harm.--The term `substantial harm', with 
        respect to an individual, means identity theft, financial 
        fraud, or other financial harm to the individual.
``Sec. 3592. Notification to impacted individuals involving sensitive 
              personal information
    ``(a) Notification.--As expeditiously as practicable and without 
unreasonable delay, and in any case not later than 30 days after an 
agency has a reasonable basis to conclude that a covered incident 
described in section 3591(b)(4)(D) has occurred, the head of the agency 
shall provide notice of the incident in accordance with subsection (b) 
in writing to the last known home mailing address of each impacted 
individual.
    ``(b) Contents of Notice.--Each notice required under subsection 
(a) shall include--
            ``(1) a description of the categories of sensitive personal 
        information that were, or are reasonably believed to have been, 
        involved in the covered incident, including a list of all data 
        elements;
            ``(2) a description of the substantial harm, embarrassment, 
        inconvenience, or unfairness to the individual that an 
        individual may reasonably expect to experience based on the 
        information or combination of information involved in the 
        covered incident;
            ``(3) contact information for the Federal Bureau of 
        Investigation or other appropriate entity;
            ``(4) the contact information of each nationwide consumer 
        reporting agency;
            ``(5) the contact information for questions to the agency, 
        including a telephone number, e-mail address, and website;
            ``(6) information on any remedy being offered by the 
        agency;
            ``(7) consolidated Federal Government recommendations on 
        what to do in the event of a covered incident; and
            ``(8) any other appropriate information as determined by 
        the head of the agency.
    ``(c) Delay of Notification.--
            ``(1) In general.--The Inspector General of the agency that 
        experienced the covered incident, the Attorney General, the 
        Director of National Intelligence, or the Secretary of Homeland 
        Security may impose a delay of a notification required under 
        subsection (a) if the notification would disrupt a law 
        enforcement investigation, endanger national security, or 
        hamper security remediation actions.
            ``(2) Documentation.--
                    ``(A) In general.--Any delay under paragraph (1) 
                shall be reported in writing to the head of the agency, 
                the Director, the Director of the Cybersecurity and 
                Infrastructure Security Agency, and the Office of 
                Inspector General of the agency that experienced the 
                covered incident.
                    ``(B) Contents.--A statement required under 
                subparagraph (A) shall include a written statement from 
                the entity that delayed the notification explaining the 
                need for the delay.
                    ``(C) Form.--The statement required under 
                subparagraph (A) shall be unclassified, but may include 
                a classified annex.
            ``(3) Renewal.--A delay under paragraph (1) shall be for a 
        period of 2 months and may be renewed.
    ``(d) Exemption for Notification.--
            ``(1) In general.--The head of an agency, in consultation 
        with the Inspector General of the agency, may request an 
        exemption from the Director from complying with the 
        notification requirements under subsection (a) if--
                    ``(A) the information affected by the covered 
                incident is determined by an independent evaluation to 
                be unreadable, including instances when the information 
                is encrypted or when the encryption key has not been 
                acquired; or
                    ``(B) the covered incident has otherwise been 
                determined by an independent evaluation to be of de 
                minimis threat to those individuals whose sensitive 
                personal information was involved in the incident.
            ``(2) Approval.--The Director shall make a determination 
        for granting an exemption in consultation with--
                    ``(A) the Director of the Cybersecurity and 
                Infrastructure Security Agency; and
                    ``(B) the Attorney General.
            ``(3) Documentation.--Any exemption granted by the Director 
        under subparagraph (A) or (B) of paragraph (1) shall be 
        reported in writing to the head of the agency that experienced 
        the covered incident, the Office of Inspector General of the 
        agency that experienced the covered incident, and the Director 
        of the Cybersecurity and Infrastructure Security Agency.
    ``(e) Update Notification.--If an agency determines there is a 
change in the reasonable basis to conclude that a covered incident 
occurred, or that there is a change in the details of the information 
provided to impacted individuals as described in subsection (b), the 
agency shall as expeditiously as practicable and without unreasonable 
delay, and in any case not later than 30 days after such a 
determination, notify all such individuals who received a notification 
pursuant to subsection (a) of those changes.
    ``(f) Rule of Construction.--Nothing in this section shall be 
construed to limit--
            ``(1) the Director from issuing guidance regarding 
        notifications or the head of an agency from sending 
        notifications to individuals impacted by incidents not 
        determined to be covered incidents, as described in section 
        3591(b)(4)(D); or
            ``(2) the Director from issuing guidance regarding 
        notifications for covered incidents meeting the criteria in 
        section 3591(b)(4)(D) or the head of an agency from issuing 
        notifications to individuals impacted by covered incidents 
        meeting the criteria in section 3591(b)(4)(D) that contain more 
        information than described in subsection (b).
``Sec. 3593. Congressional notifications and reports
    ``(a) Initial Report.--
            ``(1) In general.--Not later than 7 days after the date on 
        which an agency has a reasonable basis to conclude that a 
        covered incident occurred, the head of the agency shall submit 
        a written notification and, to the extent practicable, provide 
        a briefing, to the appropriate notification entities, taking 
        into account the information known at the time of the 
        notification, the sensitivity of the details associated with 
        the covered incident, and the classification level of the 
        information contained in the notification.
            ``(2) Contents.--A notification required under paragraph 
        (1) shall include--
                    ``(A) a summary of the information available about 
                the covered incident, including how the covered 
                incident occurred, based on information available to 
                agency officials as of the date which the agency 
                submits the report;
                    ``(B) if applicable, an estimate of the number of 
                individuals impacted by the covered incident, including 
                an assessment of the risk of harm to impacted 
                individuals based on information available to agency 
                officials on the date on which the agency submits the 
                report;
                    ``(C) if applicable, a description and any 
                associated documentation of any circumstances 
                necessitating a delay in or exemption to notification 
                granted under subsection (c) or (d) of section 3592; 
                and
                    ``(D) if applicable, an assessment of the impacts 
                to the agency, the Federal Government, or the security 
                of the United States as identified in section 
                3591(b)(4), based on information available to agency 
                officials on the date on which the agency submits the 
                report.
    ``(b) Supplemental Report.--Within a reasonable amount of time, but 
not later than 45 days after the date on which additional information 
relating to a covered incident for which an agency submitted a written 
notification under subsection (a) is discovered by the agency, the head 
of the agency shall submit to the appropriate congressional committees 
updates to the written notification that include summaries of--
            ``(1) the threats and threat actors, vulnerabilities, means 
        by which the covered incident occurred, and impacts to the 
        agency relating to the covered incident;
            ``(2) any risk assessment and subsequent risk-based 
        security implementation of the affected information system 
        before the date on which the covered incident occurred;
            ``(3) the status of compliance of the affected information 
        system with applicable security requirements at the time of the 
        covered incident;
            ``(4) an estimate of the number of individuals affected by 
        the covered incident based on information available to agency 
        officials as of the date on which the agency submits the 
        update;
            ``(5) an update to the assessment of the risk of harm to 
        impacted individuals affected by the covered incident based on 
        information available to agency officials as of the date on 
        which the agency submits the update;
            ``(6) an update to the assessment of the risk to agency 
        operations, or to impacts on other agency or non-Federal entity 
        operations, affected by the covered incident based on 
        information available to agency officials as of the date on 
        which the agency submits the update; and
            ``(7) the detection, response, and remediation actions of 
        the agency, including any support provided by the Cybersecurity 
        and Infrastructure Security Agency under section 3594(d) and 
        status updates on the notification process described in section 
        3592(a), including any delay or exemption described in 
        subsection (c) or (d), respectively, of section 3592, if 
        applicable.
    ``(c) Update Report.--If the agency determines that there is any 
significant change in the scope, scale, or consequence of the covered 
incident, or a change in the inclusion of the criteria described in 
section 3591(b)(4), the agency shall provide an updated report to the 
appropriate congressional committees that includes those changes.
    ``(d) Annual Report.--Each agency shall submit as part of the 
annual report required under section 3554(c)(1) of this title a 
description of each covered incident that occurred during the 1-year 
period preceding the date on which the report is submitted.
    ``(e) Delay and Exemption Report.--The Director shall submit to the 
appropriate notification entities an annual report on all notification 
delays and exemptions granted pursuant to subsections (c) and (d) of 
section 3592.
    ``(f) Report Delivery.--Any written notification or report required 
to be submitted under this section may be submitted in a paper or 
electronic format.
    ``(g) Rule of Construction.--Nothing in this section shall be 
construed to limit--
            ``(1) the ability of an agency to provide additional 
        reports or briefings to Congress; or
            ``(2) Congress from requesting additional information from 
        agencies through reports, briefings, or other means.
``Sec. 3594. Government information sharing and incident response
    ``(a) In General.--The head of each agency shall make available any 
information relating to an incident, whether obtained by the Federal 
Government or a private entity contracted by the Federal Government, to 
the Cybersecurity and Infrastructure Security Agency, the Department of 
Defense, and the Office of Management and Budget to help mitigate 
future incidents.
    ``(b) Compliance.--The information made available under subsection 
(a) shall--
            ``(1) take into account the level of classification of the 
        information and any information sharing limitations relating to 
        law enforcement; and
            ``(2) be in compliance with the requirements limiting the 
        release of information under section 552a of title 5 (commonly 
        known as the `Privacy Act of 1974').
    ``(c) Responding to Information Requests From Agencies Experiencing 
Incidents.--An agency that receives a request from another agency or 
Federal entity for information specifically intended to assist in the 
remediation or notification requirements due to an incident shall 
provide that information to the greatest extent possible, in accordance 
with guidance issued by the Director and taking into account 
classification, law enforcement, national security, and compliance with 
section 552a of title 5 (commonly known as the `Privacy Act of 1974').
    ``(d) Incident Response.--Each agency that has a reasonable basis 
to conclude that a covered incident occurred, regardless of delays or 
exemptions from notification granted for a covered incident, shall 
consult with the Cybersecurity and Infrastructure Security Agency 
regarding--
            ``(1) incident response and recovery; and
            ``(2) recommendations for mitigating future incidents.
``Sec. 3595. Responsibilities of contractors and grant recipients
    ``(a) Notification.--
            ``(1) In general.--Subject to paragraph (3), any contractor 
        of an agency or recipient of a grant from an agency that has a 
        reasonable basis to conclude that an incident involving Federal 
        information has occurred shall immediately notify the agency.
            ``(2) Procedures.--
                    ``(A) Covered incident.--Following notification of 
                a covered incident by a contractor or recipient of a 
                grant under paragraph (1), an agency, in consultation 
                with the contractor or grant recipient, as applicable, 
                shall carry out the requirements under sections 3592, 
                3593, and 3594 with respect to the covered incident.
                    ``(B) Incident.--Following notification of an 
                incident by a contractor or recipient of a grant under 
                paragraph (1), an agency, in consultation with the 
                contractor or grant recipient, as applicable, shall 
                carry out the requirements under section 3594 with 
                respect to the incident.
            ``(3) Applicability.--This subsection shall apply to a 
        contractor of an agency or a recipient of a grant from an 
        agency that--
                    ``(A) receives information from the agency that the 
                contractor or recipient, as applicable, is not 
                contractually authorized to receive;
                    ``(B) experiences an incident relating to Federal 
                information on an information system of the contractor 
                or recipient, as applicable; or
                    ``(C) identifies an incident involving a Federal 
                information system.
    ``(b) Incident Response.--Any contractor of an agency or recipient 
of a grant from an agency that has a reasonable basis to conclude that 
a covered incident occurred shall, in coordination with the agency, 
consult with the Cybersecurity and Infrastructure Security Agency 
regarding--
            ``(1) incident response assistance; and
            ``(2) recommendations for mitigating future incidents at 
        the agency.
    ``(c) Effective Date.--This section shall apply on and after the 
date that is 1 year after the date of enactment of the Federal System 
Incident Response Act of 2020.
``Sec. 3596. Training
    ``(a) In General.--Each agency shall develop training for 
individuals at the agency with access to Federal information or 
information systems on how to identify and respond to an incident, 
including--
            ``(1) the internal process at the agency for reporting an 
        incident; and
            ``(2) the obligation of the individual to report to the 
        agency not only a confirmed covered incident, but also a 
        suspected incident, involving information in any medium or 
        form, including paper, oral, and electronic.
    ``(b) Applicability.--The training developed under subsection (a) 
shall--
            ``(1) be required for an individual before the individual 
        may access Federal information or information systems; and
            ``(2) apply to individuals with temporary access to Federal 
        information or information systems, such as detailees, 
        contractors, subcontractors, grantees, volunteers, and interns.
    ``(c) Inclusion in Annual Training.--The training developed under 
subsection (a) may be included as part of an annual privacy or security 
awareness training of the agency, as applicable.
``Sec. 3597. Analysis and report on Federal incidents
    ``(a) Analysis of Federal Incidents.--
            ``(1) In general.--The Director of the Cybersecurity and 
        Infrastructure Security Agency shall perform continuous 
        monitoring of incidents of Federal information systems.
            ``(2) Quantitative and qualitative analyses.--The Director 
        of the Cybersecurity and Infrastructure Security Agency, in 
        consultation with the Director, shall develop and perform 
        quantitative and qualitative analyses of incidents of Federal 
        information systems, including--
                    ``(A) the causes of incidents, including--
                            ``(i) attacker tactics, techniques, and 
                        procedures; and
                            ``(ii) system vulnerabilities, including 
                        zero days, unpatched systems, and information 
                        system misconfigurations;
                    ``(B) the scope and scale of incidents within the 
                agency networks and systems;
                    ``(C) cross Federal Government root causes of 
                incidents;
                    ``(D) agency response, recovery, and remediation 
                actions and effectiveness of incidents; and
                    ``(E) lessons learned and recommendations in 
                responding, recovering, remediating, and mitigating 
                future incidents.
            ``(3) Sharing of analysis.--The Director shall share on an 
        ongoing basis the analyses required under this subsection with 
        Federal agencies.
    ``(b) Report on Federal Incidents.--Not later than 2 years after 
the date of enactment of this section, and not less frequently than 
every year thereafter, the Director of the Cybersecurity and 
Infrastructure Security Agency, in consultation with the Director and 
the Director of the Federal Bureau of Investigation, shall submit to 
the appropriate congressional committees a report that includes--
            ``(1) a summary of causes of incidents from across the 
        Federal Government; and
            ``(2) the quantitative and qualitative analyses of 
        incidents developed under subsection (a)(2).
    ``(c) Publication.--A version of each report submitted under 
subsection (b) shall be made publicly available on the website of the 
Cybersecurity and Infrastructure Security Agency during the year in 
which the report is submitted.
    ``(d) Information Provided by Agencies.--The analysis required 
under subsection (a) and each report submitted under subsection (b) 
shall utilize information provided by agencies pursuant to section 
3594(d).
    ``(e) Requirement To Anonymize Information.--In sharing the 
analysis required under subsection (a) and preparing each report under 
subsection (b), the Director of the Cybersecurity and Infrastructure 
Security Agency shall sufficiently anonymize and compile information 
such that no specific incidents of an agency can be identified, except 
with the concurrence of the Director of the Office of Management and 
Budget.''.
    (b) Responsibilities of the Cybersecurity and Infrastructure 
Security Agency.--
            (1) Recommendations.--Not later than 180 days after the 
        date of enactment of this Act, the Director of the 
        Cybersecurity and Infrastructure Security Agency, in 
        coordination with the Director of the Federal Trade Commission, 
        the Director of the Securities and Exchange Commission, the 
        Secretary of the Treasury, the Director of the Federal Bureau 
        of Investigation, the Director of the National Institute of 
        Standards and Technology, and the head of any other appropriate 
        Federal or non-Federal entity, shall consolidate, maintain, and 
        make publicly available recommendations for individuals whose 
        sensitive personal information, as defined in section 3591 of 
        title 44, United States Code, as added by this Act, is 
        inappropriately exposed.
            (2) Plan for analysis of, and report on, federal 
        incidents.--
                    (A) In general.--Not later than 180 days after the 
                date of enactment of this Act, the Director of the 
                Cybersecurity and Infrastructure Security Agency 
                shall--
                            (i) develop a plan for the development of 
                        the analysis required under section 3597(a) of 
                        title 44, United States Code, as added by 
                        subsection (a), and the report required under 
                        subsection (b) of that section that includes--
                                    (I) a description of any challenges 
                                the Director anticipates encountering; 
                                and
                                    (II) the use of automation for 
                                collecting, compiling, monitoring, and 
                                analyzing data; and
                            (ii) provide to the appropriate 
                        congressional committees a briefing on the plan 
                        developed under clause (i).
                    (B) Briefing.--Not later than 1 year after the date 
                of enactment of this Act, the Director of the 
                Cybersecurity and Infrastructure Security Agency shall 
                provide to the appropriate congressional committees a 
                briefing on--
                            (i) the execution of the plan required 
                        under subparagraph (A); and
                            (ii) the development of the report required 
                        under section 3597(b) of title 44, United 
                        States Code, as added by this Act.
    (c) Responsibilities of the Director of the Office of Management 
and Budget.--
            (1) FISMA.--Section 2(b) of the Federal Information 
        Security Modernization Act of 2014 (44 U.S.C. 3554 note) is 
        amended to read as follows:
    ``(b) Major Incident.--
            ``(1) In general.--The Director of the Office of Management 
        and Budget shall develop guidance on what constitutes a major 
        incident for purposes of section 3554(b) of title 44, United 
        States Code, as added by subsection (a).
            ``(2) Evaluation and updates.--Not later than 2 years after 
        the date of enactment of the Federal System Incident Response 
        Act of 2020, and not less frequently than every 2 years 
        thereafter, the Director of the Office of Management and Budget 
        shall submit to the Committee on Homeland Security and 
        Governmental Affairs of the Senate and the Committee on 
        Oversight and Reform of the House of Representatives an 
        evaluation, which shall include--
                    ``(A) an update, if necessary, to the definition of 
                a major incident, as defined by the Director pursuant 
                to section 3554(b) of this title;
                    ``(B) the criteria of an incident that designates 
                such an incident as a major incident;
                    ``(C) an explanation for the analysis leading to 
                the criteria in subparagraph (B); and
                    ``(D) an assessment of any additional datasets that 
                may be considered sensitive personal information, as 
                defined in section 3591 of this title.''.
            (2) Incident data sharing.--
                    (A) In general.--The Director shall develop 
                guidance, to be updated not less frequently than every 
                2 years, on the content and format of the data to be 
                made available by agencies pursuant to section 3594(a) 
                of title 44, United States Code, as added by this Act.
                    (B) Requirements.--The guidance developed under 
                subparagraph (A) shall--
                            (i) prioritize data availability necessary 
                        to understand and analyze--
                                    (I) the causes of incidents, as 
                                defined in section 3591 of title 44, 
                                United States Code, as added by this 
                                Act;
                                    (II) the scope and scale of 
                                incidents within the agency networks 
                                and systems;
                                    (III) cross Federal Government root 
                                causes of incidents; and
                                    (IV) agency response, recovery, and 
                                remediation actions and effectiveness 
                                of incidents;
                            (ii) enable the efficient development of--
                                    (I) lessons learned and 
                                recommendations in responding, 
                                recovering, remediating, and mitigating 
                                future incidents; and
                                    (II) the report of Federal 
                                incidents pursuant to section 3597 of 
                                title 44, United States Code, as added 
                                by this Act;
                            (iii) include requirements for the 
                        timeliness of data availability; and
                            (iv) include requirements for using 
                        automation for data sharing and availability.
            (3) Definition guidance.--Not later than 1 year after the 
        date of enactment of this Act, the Director, in coordination 
        with the Director of the Cybersecurity and Infrastructure 
        Security Agency and in consultation with the Privacy and Civil 
        Liberties Oversight Board, shall develop guidance, to be 
        reviewed and, if necessary, updated not less frequently than 
        once every 2 years, on the interpretation of the terms 
        ``substantial harm'', ``physical harm'', ``embarrassment'', or 
        ``unfairness to an individual'', as used in the definition of 
        the term ``sensitive personal information'' in section 3591 of 
        title 44, United States Code, as added by this Act.
            (4) Standard guidance and templates.--Not later than 1 year 
        after the date of enactment of this Act, the Director, in 
        coordination with the Director of the Cybersecurity and 
        Infrastructure Security Agency, shall develop guidance and 
        templates, to be reviewed and, if necessary, updated not less 
        frequently than once every 2 years, for use by Federal agencies 
        in the activities required under sections 3592, 3593, and 3596 
        of title 44, United States Code, as added by this Act.
            (5) Contractor and grantee guidance.--
                    (A) In general.--Not later than 1 year after the 
                date of enactment of this Act, the Director, in 
                coordination with the Secretary of Homeland Security, 
                the Secretary of Defense, the Administrator of General 
                Services, and the heads of other agencies determined 
                appropriate by the Director, shall issue guidance to 
                Federal agencies on how to deconflict existing 
                regulations, policies, and procedures relating to the 
                responsibilities of contractors and grant recipients 
                established under section 3595 of title 44, United 
                States Code, as added by this Act.
                    (B) Existing processes.--To the greatest extent 
                practicable, the guidance issued under subparagraph (A) 
                shall allow contractors and grantees to utilize 
                existing processes for notifying Federal agencies of 
                incidents involving information of the Federal 
                Government.
            (6) Updated briefings.--Not less frequently than once every 
        2 years, the Director shall provide to the appropriate 
        congressional committees an update on the guidance and 
        templates developed under paragraphs (2), (3), and (4).
    (d) Update to the Privacy Act of 1974.--Section 552a(b) of title 5, 
United States Code (commonly known as the ``Privacy Act of 1974'') is 
amended--
            (1) in paragraph (11), by striking ``or'' at the end;
            (2) in paragraph (12), by striking the period at the end 
        and inserting ``; and''; and
            (3) by adding at the end the following:
            ``(13) to another agency in furtherance of a response to an 
        incident (as defined in section 3552 of title 44) and pursuant 
        to the information sharing requirements in section 3594 of 
        title 44 if the head of the requesting agency has made a 
        written request to the agency that maintains the record 
        specifying the particular portion desired and the activity for 
        which the record is sought.''.
    (e) Technical and Conforming Amendment.--The table of sections for 
chapter 35 of title 44, United States Code, is amended by adding at the 
end the following:

     ``Subchapter IV--Federal Information System Incident Response

``3591. Definitions.
``3592. Notification to impacted individuals involving sensitive 
                            personal information.
``3593. Congressional notifications and reports.
``3594. Government information sharing and incident response.
``3595. Responsibilities of contractors and grant recipients.
``3596. Training.
``3597. Analysis and report on Federal incidents.''.