[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 6497 Introduced in House (IH)]

<DOC>

117th CONGRESS
  2d Session
                                H. R. 6497

   To modernize Federal information security management and improve 
 Federal cybersecurity to combat persisting and emerging threats, and 
                          for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            January 25, 2022

   Mrs. Carolyn B. Maloney of New York (for herself, Mr. Comer, Mr. 
Connolly, Mr. Sessions, Ms. Norton, Mr. Keller, Ms. Wasserman Schultz, 
Mr. Hice of Georgia, Mr. Cooper, Mr. C. Scott Franklin of Florida, Ms. 
  Brown of Ohio, Mr. Gibbs, Mr. Lynch, and Mr. Raskin) introduced the 
 following bill; which was referred to the Committee on Oversight and 
    Reform, and in addition to the Committee on Science, Space, and 
Technology, for a period to be subsequently determined by the Speaker, 
 in each case for consideration of such provisions as fall within the 
                jurisdiction of the committee concerned

_______________________________________________________________________

                                 A BILL


 
   To modernize Federal information security management and improve 
 Federal cybersecurity to combat persisting and emerging threats, and 
                          for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Information Security 
Modernization Act of 2022''.

SEC. 2. TABLE OF CONTENTS.

    The table of contents for this Act is as follows:

Sec. 1. Short title.
Sec. 2. Table of contents.
Sec. 3. Definitions.
                       TITLE I--UPDATES TO FISMA

Sec. 101. Title 44 amendments.
Sec. 102. Amendments to subtitle III of title 40.
Sec. 103. Actions to enhance Federal incident response.
Sec. 104. Additional guidance to agencies on FISMA updates.
Sec. 105. Agency requirements to notify private sector entities 
                            impacted by incidents.
               TITLE II--IMPROVING FEDERAL CYBERSECURITY

Sec. 201. Mobile security standards.
Sec. 202. Data and logging retention for incident response.
Sec. 203. Federal penetration testing policy.
Sec. 204. Ongoing threat hunting program.
Sec. 205. Codifying vulnerability disclosure programs.
Sec. 206. Implementing zero trust architecture.
Sec. 207. GAO automation report.
Sec. 208. Extension of Federal Acquisition Security Council.
Sec. 209. Federal chief information security officer.
Sec. 210. Extension of Chief Data Officer Council.
Sec. 211. Council of the inspectors general on integrity and efficiency 
                            dashboard.
Sec. 212. Quantitative cybersecurity metrics.
       TITLE III--PILOT PROGRAMS TO ENHANCE FEDERAL CYBERSECURITY

Sec. 301. Risk-based budget pilot.
Sec. 302. Active cyber defensive study.
Sec. 303. Security operations center as a service pilot.
Sec. 304. Endpoint detection and response as a service pilot.

SEC. 3. DEFINITIONS.

    In this Act, unless otherwise specified:
            (1) Additional cybersecurity procedure.--The term 
        ``additional cybersecurity procedure'' has the meaning given 
        the term in section 3552(b) of title 44, United States Code, as 
        amended by this Act.
            (2) Agency.--The term ``agency'' has the meaning given the 
        term in section 3502 of title 44, United States Code.
            (3) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    (B) the Committee on Oversight and Reform of the 
                House of Representatives; and
                    (C) the Committee on Homeland Security of the House 
                of Representatives.
            (4) Director.--The term ``Director'' means the Director of 
        the Office of Management and Budget.
            (5) Incident.--The term ``incident'' has the meaning given 
        the term in section 3552(b) of title 44, United States Code.
            (6) National security system.--The term ``national security 
        system'' has the meaning given the term in section 3552(b) of 
        title 44, United States Code.
            (7) Penetration test.--The term ``penetration test'' has 
        the meaning given the term in section 3552(b) of title 44, 
        United States Code, as amended by this Act.
            (8) Threat hunting.--The term ``threat hunting'' means 
        iteratively searching systems for threats that evade detection 
        by automated threat detection systems.
            (9) Zero trust architecture.--The term ``zero trust 
        architecture'' means a security model, a set of system design 
        principles, and a coordinated cybersecurity and system 
        management strategy that employs continuous monitoring, risk-
        based access controls, or system security automation techniques 
        to address the cybersecurity principle that threats exist both 
        inside and outside traditional network boundaries with an 
        assumption that a breach is inevitable or has likely already 
        occurred, and therefore employs least-privileged access for 
        network or system users while monitoring for anomalous or 
        malicious activity.

                       TITLE I--UPDATES TO FISMA

SEC. 101. TITLE 44 AMENDMENTS.

    (a) Subchapter I Amendments.--Subchapter I of chapter 35 of title 
44, United States Code, is amended--
            (1) in subsection (a)(1)(B) of section 3504--
                    (A) by striking clause (v) and inserting the 
                following:
                            ``(v) confidentiality, privacy, disclosure, 
                        and sharing of information;'';
                    (B) by redesignating clause (vi) as clause (vii); 
                and
                    (C) by inserting after clause (v) the following:
                            ``(vi) in consultation with the National 
                        Cyber Director, confidentiality and security of 
                        information; and'';
            (2) in section 3505--
                    (A) in paragraph (2) of the first subsection 
                designated as subsection (c) by adding ``discovery of 
                internet-accessible information systems and assets, as 
                well as'' after ``an inventory under this subsection 
                shall include'';
                    (B) in paragraph (3) of the first subsection 
                designated as subsection (c)--
                            (i) in subparagraph (B)--
                                    (I) by inserting ``the Secretary of 
                                Homeland Security acting through the 
                                Director of the Cybersecurity and 
                                Infrastructure Security Agency, the 
                                National Cyber Director, and'' before 
                                ``the Comptroller General''; and
                                    (II) by striking ``and'' at the 
                                end;
                            (ii) in subparagraph (C)(v), by striking 
                        the period at the end and inserting ``; and''; 
                        and
                            (iii) by adding at the end the following:
                    ``(D) maintained on a continual basis through the 
                use of automation, machine-readable data, and scanning 
                wherever practicable.''; and
                    (C) by striking the second subsection designated as 
                subsection (c);
            (3) in section 3506--
                    (A) in subsection (a)(3), by inserting ``In 
                carrying out these duties, the Chief Information 
                Officer shall coordinate, as appropriate, with the 
                Chief Data Officer in accordance with the designated 
                functions under section 3520(c).'' after ``reduction of 
                information collection burdens on the public.''; and
                    (B) in subsection (b)(1)(C), by inserting ``, 
                availability'' after ``integrity''; and
            (4) in section 3513--
                    (A) by redesignating subsection (c) as subsection 
                (d); and
                    (B) by inserting after subsection (b) the 
                following:
    ``(c) Each agency providing a written plan under subsection (b) 
shall provide any portion of the written plan addressing information 
security to the National Cyber Director.''.
    (b) Subchapter II Definitions.--
            (1) In general.--Section 3552(b) of title 44, United States 
        Code, is amended--
                    (A) by redesignating paragraphs (1), (2), (3), (4), 
                (5), (6), and (7) as paragraphs (2), (4), (5), (6), 
                (7), (9), and (11), respectively;
                    (B) by inserting before paragraph (2), as so 
                redesignated, the following:
            ``(1) The term `additional cybersecurity procedure' means a 
        process, procedure, or other activity that is established in 
        excess of the information security standards promulgated under 
        section 11331(b) of title 40 to increase the security and 
        reduce the cybersecurity risk of agency systems.'';
                    (C) by inserting after paragraph (2), as so 
                redesignated, the following:
            ``(3) The term `high value asset' means information or an 
        information system that the head of an agency determines, using 
        policies, principles, standards, or guidelines issued by the 
        Director under section 3553(a), to be so critical to the agency 
        that the loss or corruption of the information or the loss of 
        access to the information system would have a serious impact on 
        the ability of the agency to perform the mission of the agency 
        or conduct business.'';
                    (D) by inserting after paragraph (7), as so 
                redesignated, the following:
            ``(8) The term `major incident' has the meaning given the 
        term in guidance issued by the Director under section 
        3598(a).'';
                    (E) by inserting after paragraph (9), as so 
                redesignated, the following:
            ``(10) The term `penetration test' has the meaning given 
        the term in guidance issued by the Director.''; and
                    (F) by inserting after paragraph (11), as so 
                redesignated, the following:
            ``(12) The term `shared service' means a centralized 
        business or mission capability that is provided to multiple 
        organizations within an agency or to multiple agencies.''.
            (2) Conforming amendments.--
                    (A) Homeland security act of 2002.--Section 
                1001(c)(1)(A) of the Homeland Security Act of 2002 (6 
                U.S.C. 511(1)(A)) is amended by striking ``section 
                3552(b)(5)'' and inserting ``section 3552(b)''.
                    (B) Title 10.--
                            (i) Section 2222.--Section 2222(i)(8) of 
                        title 10, United States Code, is amended by 
                        striking ``section 3552(b)(6)(A)'' and 
                        inserting ``section 3552(b)(9)(A)''.
                            (ii) Section 2223.--Section 2223(c)(3) of 
                        title 10, United States Code, is amended by 
                        striking ``section 3552(b)(6)'' and inserting 
                        ``section 3552(b)''.
                            (iii) Section 2315.--Section 2315 of title 
                        10, United States Code, is amended by striking 
                        ``section 3552(b)(6)'' and inserting ``section 
                        3552(b)''.
                            (iv) Section 2339a.--Section 2339a(e)(5) of 
                        title 10, United States Code, is amended by 
                        striking ``section 3552(b)(6)'' and inserting 
                        ``section 3552(b)''.
                    (C) High-performance computing act of 1991.--
                Section 207(a) of the High-Performance Computing Act of 
                1991 (15 U.S.C. 5527(a)) is amended by striking 
                ``section 3552(b)(6)(A)(i)'' and inserting ``section 
                3552(b)(9)(A)(i)''.
                    (D) Internet of things cybersecurity improvement 
                act of 2020.--Section 3(5) of the Internet of Things 
                Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-
                3a) is amended by striking ``section 3552(b)(6)'' and 
                inserting ``section 3552(b)''.
                    (E) National defense authorization act for fiscal 
                year 2013.--Section 933(e)(1)(B) of the National 
                Defense Authorization Act for Fiscal Year 2013 (10 
                U.S.C. 2224 note) is amended by striking ``section 
                3542(b)(2)'' and inserting ``section 3552(b)''.
                    (F) Ike skelton national defense authorization act 
                for fiscal year 2011.--The Ike Skelton National Defense 
                Authorization Act for Fiscal Year 2011 (Public Law 111-
                383) is amended--
                            (i) in section 806(e)(5) (10 U.S.C. 2304 
                        note), by striking ``section 3542(b)'' and 
                        inserting ``section 3552(b)'';
                            (ii) in section 931(b)(3) (10 U.S.C. 2223 
                        note), by striking ``section 3542(b)(2)'' and 
                        inserting ``section 3552(b)''; and
                            (iii) in section 932(b)(2) (10 U.S.C. 2224 
                        note), by striking ``section 3542(b)(2)'' and 
                        inserting ``section 3552(b)''.
                    (G) E-government act of 2002.--Section 301(c)(1)(A) 
                of the E-Government Act of 2002 (44 U.S.C. 3501 note) 
                is amended by striking ``section 3542(b)(2)'' and 
                inserting ``section 3552(b)''.
                    (H) National institute of standards and technology 
                act.--Section 20 of the National Institute of Standards 
                and Technology Act (15 U.S.C. 278g-3) is amended--
                            (i) in subsection (a)(2), by striking 
                        ``section 3552(b)(5)'' and inserting ``section 
                        3552(b)''; and
                            (ii) in subsection (f)--
                                    (I) in paragraph (3), by striking 
                                ``section 3532(1)'' and inserting 
                                ``section 3552(b)''; and
                                    (II) in paragraph (5), by striking 
                                ``section 3532(b)(2)'' and inserting 
                                ``section 3552(b)''.
    (c) Subchapter II Amendments.--Subchapter II of chapter 35 of title 
44, United States Code, is amended--
            (1) in section 3551--
                    (A) in paragraph (4), by striking ``diagnose and 
                improve'' and inserting ``integrate, deliver, diagnose, 
                and improve'';
                    (B) in paragraph (5), by striking ``and'' at the 
                end;
                    (C) in paragraph (6), by striking the period at the 
                end and inserting a semicolon; and
                    (D) by adding at the end the following:
            ``(7) recognize that each agency has specific mission 
        requirements and, at times, unique cybersecurity requirements 
        to meet the mission of the agency;
            ``(8) recognize that each agency does not have the same 
        resources to secure agency systems, and an agency should not be 
        expected to have the capability to secure the systems of the 
        agency from advanced adversaries alone; and
            ``(9) recognize that a holistic Federal cybersecurity model 
        is necessary to account for differences between the missions 
        and capabilities of agencies.'';
            (2) in section 3553--
                    (A) in subsection (a)--
                            (i) in paragraph (5), by striking ``and'' 
                        at the end;
                            (ii) in paragraph (6), by striking the 
                        period at the end and inserting ``; and''; and
                            (iii) by adding at the end the following:
            ``(7) promoting, in consultation with the Director of the 
        Cybersecurity and Infrastructure Security Agency, the National 
        Cyber Director, and the Director of the National Institute of 
        Standards and Technology--
                    ``(A) the use of automation to improve Federal 
                cybersecurity and visibility with respect to the 
                implementation of Federal cybersecurity; and
                    ``(B) the use of zero trust architecture to improve 
                resiliency and timely response actions to incidents on 
                Federal systems.'';
                    (B) in subsection (b)--
                            (i) in the matter preceding paragraph (1), 
                        by striking ``The Secretary, in consultation 
                        with the Director'' and inserting ``The 
                        Secretary of Homeland Security, acting through 
                        the Director of the Cybersecurity and 
                        Infrastructure Security Agency and in 
                        consultation with the Director and the National 
                        Cyber Director'';
                            (ii) in paragraph (2)(A), by inserting 
                        ``and reporting requirements under subchapter 
                        IV of this chapter'' after ``section 3556'';
                            (iii) by redesignating paragraphs (8) and 
                        (9) as paragraphs (9) and (10), respectively; 
                        and
                            (iv) by inserting after paragraph (7) the 
                        following:
            ``(8) expeditiously seek opportunities to reduce costs, 
        administrative burdens, and other barriers to information 
        technology security and modernization for Federal agencies, 
        including through--
                    ``(A) central shared services contracts for 
                cybersecurity capabilities identified as optimal by the 
                Director, in coordination with the Secretary acting 
                through the Director of the Cybersecurity and 
                Infrastructure Security Agency and other agencies as 
                appropriate; and
                    ``(B) offering technical assistance and expertise 
                to agencies on the selection and successful engagement 
                of highly adaptive cybersecurity service contracts and 
                other relevant contracts provided by the U.S. General 
                Services Administration.'';
                    (C) in subsection (c)--
                            (i) in the matter preceding paragraph (1), 
                        by striking ``each year'' and inserting ``each 
                        year during which agencies are required to 
                        submit reports under section 3554(c)'' and by 
                        striking ``preceding year'' and inserting 
                        ``preceding two years'';
                            (ii) by striking paragraph (1);
                            (iii) by redesignating paragraphs (2), (3), 
                        and (4) as paragraphs (1), (2), and (3), 
                        respectively;
                            (iv) in paragraph (3), as so redesignated, 
                        by striking ``and'' at the end; and
                            (v) by inserting after paragraph (3), as so 
                        redesignated, the following:
            ``(4) a summary of each assessment of Federal risk posture 
        performed under subsection (i); and'';
                    (D) by redesignating subsections (i), (j), (k), and 
                (l) as subsections (j), (k), (l), and (m) respectively;
                    (E) in subsection (h)--
                            (i) in paragraph (2)(A), by inserting ``and 
                        the National Cyber Director'' after ``in 
                        coordination with the Director'';
                            (ii) in paragraph (2)(D), by inserting ``, 
                        the National Cyber Director,'' after ``notify 
                        the Director''; and
                            (iii) in paragraph (3)(A)(iv), by inserting 
                        ``, the National Cyber Director,'' after ``the 
                        Secretary provides prior notice to the 
                        Director'';
                    (F) by inserting after subsection (h) the 
                following:
    ``(i) Federal Risk Assessments.--On an ongoing and continuous 
basis, the Director of the Cybersecurity and Infrastructure Security 
Agency shall perform assessments using any available information on the 
cybersecurity posture of agencies, and brief the Director and National 
Cyber Director on the findings of those assessments including--
            ``(1) the status of agency cybersecurity remedial actions 
        described in section 3554(b)(7);
            ``(2) any vulnerability information relating to the systems 
        of an agency that is known by the agency;
            ``(3) analysis of incident information under section 3597;
            ``(4) evaluation of penetration testing performed under 
        section 3559A;
            ``(5) evaluation of vulnerability disclosure program 
        information under section 3559B;
            ``(6) evaluation of agency threat hunting results;
            ``(7) evaluation of Federal and non-Federal cyber threat 
        intelligence;
            ``(8) data on agency compliance with standards issued under 
        section 11331 of title 40;
            ``(9) agency system risk assessments performed under 
        section 3554(a)(1)(A); and
            ``(10) any other information the Director of the 
        Cybersecurity and Infrastructure Security Agency determines 
        relevant.'';
                    (G) in subsection (j), as so redesignated--
                            (i) by striking ``Not later than'' and 
                        inserting:
            ``(1) In general.--Not later than'';
                            (ii) by striking ``regarding the specific'' 
                        and inserting ``that includes a summary of--
                    ``(A) the specific'';
                            (iii) in paragraph (1), as so designated, 
                        by striking the period at the end and inserting 
                        ``; and''; and
                            (iv) by adding at the end the following:
                    ``(B) the trends identified in the Federal risk 
                assessments performed under subsection (i).
            ``(2) Form.--The report required under paragraph (1) shall 
        be unclassified but may include a classified annex.''; and
                    (H) by adding at the end the following:
    ``(n) Binding Operational Directives.--If the Director of the 
Cybersecurity and Infrastructure Security Agency issues a binding 
operational directive or an emergency directive under this section, not 
later than 7 days after the date on which the binding operational 
directive requires an agency to take an action, the Director of the 
Cybersecurity and Infrastructure Security Agency shall provide to the 
Director and National Cyber Director the status of the implementation 
of the binding operational directive at the agency.'';
            (3) in section 3554--
                    (A) in subsection (a)--
                            (i) in paragraph (1)--
                                    (I) by redesignating subparagraphs 
                                (A), (B), and (C) as subparagraphs (B), 
                                (C), and (D), respectively;
                                    (II) by inserting before 
                                subparagraph (B), as so redesignated, 
                                the following:
                    ``(A) on an ongoing and continuous basis, 
                performing an agency system risk assessment that--
                            ``(i) identifies and documents the high 
                        value assets of the agency using guidance from 
                        the Director;
                            ``(ii) evaluates the data assets 
                        inventoried under section 3511 for sensitivity 
                        to compromises in confidentiality, integrity, 
                        and availability;
                            ``(iii) identifies agency systems that have 
                        access to or hold the data assets inventoried 
                        under section 3511;
                            ``(iv) evaluates the threats facing agency 
                        systems and data, including high value assets, 
                        based on Federal and non-Federal cyber threat 
                        intelligence products, where available;
                            ``(v) evaluates the vulnerability of agency 
                        systems and data, including high value assets, 
                        including by analyzing--
                                    ``(I) the results of penetration 
                                testing performed by the Department of 
                                Homeland Security under section 
                                3553(b)(9);
                                    ``(II) the results of penetration 
                                testing performed under section 3559A;
                                    ``(III) information provided to the 
                                agency through the vulnerability 
                                disclosure program of the agency under 
                                section 3559B;
                                    ``(IV) incidents; and
                                    ``(V) any other vulnerability 
                                information relating to agency systems 
                                that is known to the agency;
                            ``(vi) assesses the impacts of potential 
                        agency incidents to agency systems, data, and 
                        operations based on the evaluations described 
                        in clauses (ii) and (iv) and the agency systems 
                        identified under clause (iii); and
                            ``(vii) assesses the consequences of 
                        potential incidents occurring on agency systems 
                        that would impact systems at other agencies, 
                        including due to interconnectivity between 
                        different agency systems or operational 
                        reliance on the operations of the system or 
                        data in the system;'';
                                    (III) in subparagraph (B), as so 
                                redesignated, in the matter preceding 
                                clause (i), by striking ``providing 
                                information'' and inserting ``using 
                                information from the assessment 
                                conducted under subparagraph (A), 
                                providing information'';
                                    (IV) in subparagraph (C), as so 
                                redesignated--
                                            (aa) in clause (ii) by 
                                        inserting ``binding'' before 
                                        ``operational''; and
                                            (bb) in clause (vi), by 
                                        striking ``and'' at the end; 
                                        and
                                    (V) by adding at the end the 
                                following:
                    ``(E) providing an update on the ongoing and 
                continuous assessment performed under subparagraph 
                (A)--
                            ``(i) upon request, to the inspector 
                        general of the agency or the Comptroller 
                        General of the United States; and
                            ``(ii) on a periodic basis, as determined 
                        by guidance issued by the Director but not less 
                        frequently than every 2 years, to--
                                    ``(I) the Director;
                                    ``(II) the Director of the 
                                Cybersecurity and Infrastructure 
                                Security Agency; and
                                    ``(III) the National Cyber 
                                Director;
                    ``(F) in consultation with the Director of the 
                Cybersecurity and Infrastructure Security Agency and 
                not less frequently than once every 3 years, performing 
                an evaluation of whether additional cybersecurity 
                procedures are appropriate for securing a system of, or 
                under the supervision of, the agency, which shall--
                            ``(i) be completed considering the agency 
                        system risk assessment performed under 
                        subparagraph (A); and
                            ``(ii) include a specific evaluation for 
                        high value assets;
                    ``(G) not later than 30 days after completing the 
                evaluation performed under subparagraph (F), providing 
                the evaluation and an implementation plan, if 
                applicable, for using additional cybersecurity 
                procedures determined to be appropriate to--
                            ``(i) the Director of the Cybersecurity and 
                        Infrastructure Security Agency;
                            ``(ii) the Director; and
                            ``(iii) the National Cyber Director; and
                    ``(H) if the head of the agency determines there is 
                need for additional cybersecurity procedures, ensuring 
                that those additional cybersecurity procedures are 
                reflected in the budget request of the agency;''; and
                            (ii) in paragraph (2)--
                                    (I) in subparagraph (A), by 
                                inserting ``in accordance with the 
                                agency system risk assessment performed 
                                under paragraph (1)(A)'' after 
                                ``information systems'';
                                    (II) in subparagraph (B)--
                                            (aa) by striking ``in 
                                        accordance with standards'' and 
                                        inserting ``in accordance 
                                        with--
                            ``(i) standards''; and
                                            (bb) by adding at the end 
                                        the following:
                            ``(ii) the evaluation performed under 
                        paragraph (1)(F); and
                            ``(iii) the implementation plan described 
                        in paragraph (1)(G);''; and
                                    (III) in subparagraph (D), by 
                                inserting ``, through the use of 
                                penetration testing, the vulnerability 
                                disclosure program established under 
                                section 3559B, and other means,'' after 
                                ``periodically'';
                    (B) in subsection (b)--
                            (i) by striking paragraph (1) and inserting 
                        the following:
            ``(1) pursuant to subsection (a)(1)(A), performing ongoing 
        and continuous agency system risk assessment, which may include 
        using automated tools consistent with standards and guidelines 
        promulgated under section 11331 of title 40, as applicable;'';
                            (ii) in paragraph (2)(D)--
                                    (I) by redesignating clauses (iii) 
                                and (iv) as clauses (iv) and (v), 
                                respectively;
                                    (II) by inserting after clause (ii) 
                                the following:
                            ``(iii) binding operational directives and 
                        emergency directives promulgated by the 
                        Director of the Cybersecurity and 
                        Infrastructure Security Agency under section 
                        3553;''; and
                                    (III) in clause (iv), as so 
                                redesignated, by striking ``as 
                                determined by the agency; and'' and 
                                inserting ``as determined by the 
                                agency, considering the agency risk 
                                assessment performed under subsection 
                                (a)(1)(A).'';
                            (iii) in paragraph (5)(A), by inserting ``, 
                        including penetration testing, as 
                        appropriate,'' after ``shall include testing'';
                            (iv) by redesignating paragraphs (7) and 
                        (8) as paragraphs (8) and (9), respectively;
                            (v) by inserting after paragraph (6) the 
                        following:
            ``(7) a process for providing the status of every remedial 
        action, as well as unremediated identified system 
        vulnerabilities, to the Director and the Director of the 
        Cybersecurity and Infrastructure Security Agency, using 
        automation and machine-readable data to the greatest extent 
        practicable;''; and
                            (vi) in paragraph (8)(C), as so 
                        redesignated--
                                    (I) by striking clause (ii) and 
                                inserting the following:
                            ``(ii) notifying and consulting with the 
                        Federal information security incident center 
                        established under section 3556 pursuant to the 
                        requirements of section 3594;'';
                                    (II) by redesignating clause (iii) 
                                as clause (iv);
                                    (III) by inserting after clause 
                                (ii) the following:
                            ``(iii) performing the notifications and 
                        other activities required under subchapter IV 
                        of this chapter; and''; and
                                    (IV) in clause (iv), as so 
                                redesignated--
                                            (aa) in subclause (II), by 
                                        adding ``and'' at the end;
                                            (bb) by striking subclause 
                                        (III); and
                                            (cc) by redesignating 
                                        subclause (IV) as subclause 
                                        (III); and
                    (C) in subsection (c)--
                            (i) by redesignating paragraph (2) as 
                        paragraph (5);
                            (ii) by striking paragraph (1) and 
                        inserting the following:
            ``(1) Biannual report.--Not later than 2 years after the 
        date of the enactment of the Federal Information Security 
        Modernization Act of 2022 and not less frequently than once 
        every 2 years thereafter, using the continuous and ongoing 
        agency system risk assessment under subsection (a)(1)(A), the 
        head of each agency shall submit to the Director, the Director 
        of the Cybersecurity and Infrastructure Security Agency, the 
        majority and minority leaders of the Senate, the Speaker and 
        minority leader of the House of Representatives, the Committee 
        on Homeland Security and Governmental Affairs of the Senate, 
        the Committee on Oversight and Reform of the House of 
        Representatives, the Committee on Homeland Security of the 
        House of Representatives, the Committee on Commerce, Science, 
        and Transportation of the Senate, the Committee on Science, 
        Space, and Technology of the House of Representatives, the 
        appropriate authorization and appropriations committees of 
        Congress, the National Cyber Director, and the Comptroller 
        General of the United States a report that--
                    ``(A) summarizes the agency system risk assessment 
                performed under subsection (a)(1)(A);
                    ``(B) evaluates the adequacy and effectiveness of 
                information security policies, procedures, and 
                practices of the agency to address the risks identified 
                in the agency system risk assessment performed under 
                subsection (a)(1)(A), including an analysis of the 
                agency's cybersecurity and incident response 
                capabilities using the metrics established under 
                section 224(c) of the Cybersecurity Act of 2015 (6 
                U.S.C. 1522(c));
                    ``(C) summarizes the evaluation and implementation 
                plans described in subparagraphs (F) and (G) of 
                subsection (a)(1) and whether those evaluation and 
                implementation plans call for the use of additional 
                cybersecurity procedures determined to be appropriate 
                by the agency; and
                    ``(D) summarizes the status of remedial actions 
                identified by the inspector general of the agency, the 
                Comptroller General of the United States, and any other 
                source determined appropriate by the head of the 
                agency.
            ``(2) Unclassified reports.--Each report submitted under 
        paragraph (1)--
                    ``(A) shall be, to the greatest extent practicable, 
                in an unclassified and otherwise uncontrolled form; and
                    ``(B) may include a classified annex.
            ``(3) Access to information.--The head of an agency shall 
        ensure that, to the greatest extent practicable, information is 
        included in the unclassified form of the report submitted by 
        the agency under paragraph (2)(A).
            ``(4) Briefings.--During each year during which a report is 
        not required to be submitted under paragraph (1), the Director 
        shall provide to the congressional committees described in 
        paragraph (1) a briefing summarizing current cybersecurity 
        posture of agencies.''; and
                            (iii) in paragraph (5), as so redesignated, 
                        by inserting ``, including the reporting 
                        procedures established under section 11315(d) 
                        of title 40 and subsection (a)(3)(A)(v) of this 
                        section,'' after ``policies, procedures, and 
                        practices''; and
            (4) in section 3555--
                    (A) in the section heading, by striking ``annual 
                independent'' and inserting ``independent'';
                    (B) in subsection (a)--
                            (i) in paragraph (1), by inserting ``during 
                        which a report is required to be submitted 
                        under section 3553(c),'' after ``Each year'';
                            (ii) in paragraph (2)(A), by inserting ``, 
                        including by penetration testing and analyzing 
                        the vulnerability disclosure program of the 
                        agency'' after ``information systems''; and
                            (iii) by adding at the end the following:
            ``(3) An evaluation under this section may include 
        recommendations for improving the cybersecurity posture of the 
        agency.'';
                    (C) in subsection (b)(1), by striking ``annual'';
                    (D) in subsection (e)(1), by inserting ``during 
                which a report is required to be submitted under 
                section 3553(c)'' after ``Each year'';
                    (E) by striking subsection (f) and inserting the 
                following:
    ``(f) Protection of Information.--(1) Agencies, evaluators, and 
other recipients of information that, if disclosed, may cause grave 
harm to the efforts of Federal information security officers, shall 
take appropriate steps to ensure the protection of that information, 
including safeguarding the information from public disclosure.
    ``(2) The protections required under paragraph (1) shall be 
commensurate with the risk and comply with all applicable laws and 
regulations.
    ``(3) With respect to information that is not related to national 
security systems, agencies and evaluators shall make a summary of the 
information unclassified and publicly available, including information 
that does not identify--
            ``(A) specific information system incidents; or
            ``(B) specific information system vulnerabilities.'';
                    (F) in subsection (g)(2)--
                            (i) by striking ``this subsection shall'' 
                        and inserting ``this subsection--
                    ``(A) shall'';
                            (ii) in subparagraph (A), as so designated, 
                        by striking the period at the end and inserting 
                        ``; and''; and
                            (iii) by adding at the end the following:
                    ``(B) identify any entity that performs an 
                independent evaluation under subsection (b).''; and
                    (G) striking subsection (j); and
            (5) in section 3556(a)(4) by striking ``3554(b)'' and 
        inserting ``3554(a)(1)(A)''.
    (d) Conforming Amendments.--
            (1) Table of sections.--The table of sections for chapter 
        35 of title 44, United States Code, is amended--
                    (A) by striking the item relating to section 3553 
                and inserting the following:

``3553. Authority and functions of the Director and the Director of the 
                            Cybersecurity and Infrastructure Security 
                            Agency.'';
                and
                    (B) by striking the item relating to section 3555 
                and inserting the following:

``3555. Independent evaluation.''.
            (2) OMB reports.--Section 226(c) of the Cybersecurity Act 
        of 2015 (6 U.S.C. 1524(c)) is amended--
                    (A) in paragraph (1)(B), in the matter preceding 
                clause (i), by striking ``annually thereafter'' and 
                inserting ``thereafter during the years during which a 
                report is required to be submitted under section 
                3553(c) of title 44, United States Code''; and
                    (B) in paragraph (2)(B), in the matter preceding 
                clause (i)--
                            (i) by striking ``annually thereafter'' and 
                        inserting ``thereafter during the years during 
                        which a report is required to be submitted 
                        under section 3553(c) of title 44, United 
                        States Code''; and
                            (ii) by striking ``the report required 
                        under section 3553(c) of title 44, United 
                        States Code'' and inserting ``that report''.
            (3) NIST responsibilities.--Section 20(d)(3)(B) of the 
        National Institute of Standards and Technology Act (15 U.S.C. 
        278g-3(d)(3)(B)) is amended by striking ``annual''.
    (e) Federal System Incident Response.--
            (1) In general.--Chapter 35 of title 44, United States 
        Code, is amended by adding at the end the following:

           ``SUBCHAPTER IV--FEDERAL SYSTEM INCIDENT RESPONSE

``Sec. 3591. Definitions
    ``(a) In General.--Except as provided in subsection (b), the 
definitions under sections 3502 and 3552 shall apply to this 
subchapter.
    ``(b) Additional Definitions.--As used in this subchapter:
            ``(1) Appropriate reporting entities.--The term 
        `appropriate reporting entities' means--
                    ``(A) the majority and minority leaders of the 
                Senate;
                    ``(B) the Speaker and minority leader of the House 
                of Representatives;
                    ``(C) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    ``(D) the Committee on Oversight and Reform of the 
                House of Representatives;
                    ``(E) the Committee on Homeland Security of the 
                House of Representatives;
                    ``(F) the appropriate authorization and 
                appropriations committees of Congress;
                    ``(G) the Director;
                    ``(H) the Director of the Cybersecurity and 
                Infrastructure Security Agency;
                    ``(I) the National Cyber Director;
                    ``(J) the Comptroller General of the United States; 
                and
                    ``(K) the inspector general of any impacted agency.
            ``(2) Awardee.--The term `awardee'--
                    ``(A) means a person, business, or other entity 
                that receives a grant from, or is a party to a 
                cooperative agreement or an other transaction agreement 
                with, an agency; and
                    ``(B) includes any subgrantee of a person, 
                business, or other entity described in subparagraph 
                (A).
            ``(3) Breach.--The term `breach' shall be defined by the 
        Director.
            ``(4) Contractor.--The term `contractor' means a prime 
        contractor of an agency or a subcontractor of a prime 
        contractor of an agency.
            ``(5) Federal information.--The term `Federal information' 
        means information created, collected, processed, maintained, 
        disseminated, disclosed, or disposed of by or for the Federal 
        Government in any medium or form.
            ``(6) Federal information system.--The term `Federal 
        information system' means an information system used or 
        operated by an agency, a contractor, or another organization on 
        behalf of an agency.
            ``(7) Intelligence community.--The term `intelligence 
        community' has the meaning given the term in section 3 of the 
        National Security Act of 1947 (50 U.S.C. 3003).
            ``(8) Nationwide consumer reporting agency.--The term 
        `nationwide consumer reporting agency' means a consumer 
        reporting agency described in section 603(p) of the Fair Credit 
        Reporting Act (15 U.S.C. 1681a(p)).
            ``(9) Vulnerability disclosure.--The term `vulnerability 
        disclosure' means a vulnerability identified under section 
        3559B.
``Sec. 3592. Notification of breach
    ``(a) Notification.--As expeditiously as practicable and without 
unreasonable delay, and in any case not later than 45 days after an 
agency has a reasonable basis to conclude that a breach has occurred, 
the head of the agency, in consultation with the chief privacy officer 
of the agency, shall--
            ``(1) determine whether notice to any individual 
        potentially affected by the breach is appropriate based on an 
        assessment of the risk of harm to the individual that 
        considers--
                    ``(A) the nature and sensitivity of the personally 
                identifiable information affected by the breach;
                    ``(B) the likelihood of access to and use of the 
                personally identifiable information affected by the 
                breach;
                    ``(C) the type of breach; and
                    ``(D) any other factors determined by the Director; 
                and
            ``(2) as appropriate, provide written notice in accordance 
        with subsection (b) to each individual potentially affected by 
        the breach--
                    ``(A) to the last known mailing address of the 
                individual; or
                    ``(B) through an appropriate alternative method of 
                notification that the head of the agency or a 
                designated senior-level individual of the agency 
                selects based on factors determined by the Director.
    ``(b) Contents of Notice.--Each notice of a breach provided to an 
individual under subsection (a)(2) shall include--
            ``(1) a brief description of the breach;
            ``(2) if possible, a description of the types of personally 
        identifiable information affected by the breach;
            ``(3) contact information of the agency that may be used to 
        ask questions of the agency, which--
                    ``(A) shall include an e-mail address or another 
                digital contact mechanism; and
                    ``(B) may include a telephone number, mailing 
                address, or a website;
            ``(4) information on any remedy being offered by the 
        agency;
            ``(5) any applicable educational materials relating to what 
        individuals can do in response to a breach that potentially 
        affects their personally identifiable information, including 
        relevant contact information for Federal law enforcement 
        agencies and each nationwide consumer reporting agency; and
            ``(6) any other appropriate information, as determined by 
        the head of the agency or established in guidance by the 
        Director.
    ``(c) Delay of Notification.--
            ``(1) In general.--The Attorney General, the Director of 
        National Intelligence, or the Secretary of Homeland Security 
        may delay a notification required under subsection (a) if the 
        notification would--
                    ``(A) impede a criminal investigation or a national 
                security activity;
                    ``(B) reveal sensitive sources and methods;
                    ``(C) cause damage to national security; or
                    ``(D) hamper security remediation actions.
            ``(2) Documentation.--
                    ``(A) In general.--Any delay under paragraph (1) 
                shall be reported in writing to the Director, the 
                Attorney General, the Director of National 
                Intelligence, the Secretary of Homeland Security, the 
                National Cyber Director, the Director of the 
                Cybersecurity and Infrastructure Security Agency, and 
                the head of the agency and the inspector general of the 
                agency that experienced the breach.
                    ``(B) Contents.--A report required under 
                subparagraph (A) shall include a written statement from 
                the entity that delayed the notification explaining the 
                need for the delay.
                    ``(C) Form.--The report required under subparagraph 
                (A) shall be unclassified but may include a classified 
                annex.
            ``(3) Renewal.--A delay under paragraph (1) shall be for a 
        period of 60 days and may be renewed.
    ``(d) Update Notification.--If an agency determines there is a 
significant change in the reasonable basis to conclude that a breach 
occurred, a significant change to the determination made under 
subsection (a)(1), or that it is necessary to update the details of the 
information provided to potentially affected individuals as described 
in subsection (b), the agency shall as expeditiously as practicable and 
without unreasonable delay, and in any case not later than 30 days 
after such a determination, notify each individual who received a 
notification pursuant to subsection (a) of those changes.
    ``(e) Rule of Construction.--Nothing in this section shall be 
construed to limit--
            ``(1) the Director from issuing guidance relating to 
        notifications or the head of an agency from notifying 
        individuals potentially affected by breaches that are not 
        determined to be major incidents; or
            ``(2) the Director from issuing guidance relating to 
        notifications of major incidents or the head of an agency from 
        providing more information than described in subsection (b) 
        when notifying individuals potentially affected by breaches.
``Sec. 3593. Congressional and executive branch reports
    ``(a) Initial Report.--
            ``(1) In general.--Not later than 72 hours after an agency 
        has a reasonable basis to conclude that a major incident 
        occurred, the head of the agency impacted by the major incident 
        shall submit to the appropriate reporting entities a written 
        report. Within 7 days of a major incident determination, the 
        head of the agency impacted shall coordinate with the National 
        Cyber Director, or their designee, to provide a briefing, along 
        with any other Federal entity determined appropriate by the 
        National Cyber Director, to the Committee on Homeland Security 
        and Governmental Affairs of the Senate, the Committee on 
        Oversight and Reform of the House of Representatives, the 
        Committee on Homeland Security of the House of Representatives, 
        and the appropriate authorization and appropriations committees 
        of Congress, in the manner requested by the Congressional 
        entities, taking into account--
                    ``(A) the information known at the time of the 
                report, including the threat having likely caused the 
                major incident;
                    ``(B) the sensitivity of the details associated 
                with the major incident; and
                    ``(C) the classification level of the information 
                contained in the report.
            ``(2) Contents.--A report required under paragraph (1) 
        shall include, in a manner that excludes or otherwise 
        reasonably protects personally identifiable information and to 
        the extent permitted by applicable law, including privacy and 
        statistical laws--
                    ``(A) a summary of the information available about 
                the major incident, including how the major incident 
                occurred and, if applicable, information relating to 
                the major incident as a breach, based on information 
                available to agency officials as of the date on which 
                the agency submits the report;
                    ``(B) if applicable, whether any ransom has been 
                demanded or paid, or plans to be paid, by any entity 
                operating a Federal information system or with access 
                to a Federal information system, unless disclosure of 
                such information may disrupt an active Federal law 
                enforcement or national security operation;
                    ``(C) if applicable, a description and any 
                associated documentation of any circumstances 
                necessitating a delay in notification to individuals 
                potentially affected by the major incident under 
                subsection (c) of section 3592; and
                    ``(D) if applicable, an assessment of the impacts 
                to the agency, the Federal Government, or the security 
                of the United States, based on information available to 
                agency officials on the date on which the agency 
                submits the report.
            ``(3) Components of briefing.--The 7 day briefing required 
        under paragraph (1)--
                    ``(A) shall, to the greatest extent practicable, 
                include an unclassified component; and
                    ``(B) may include a classified component.
    ``(b) Supplemental Report.--Within a reasonable amount of time, but 
not later than 30 days after the date on which an agency submits a 
written report under subsection (a), the head of the agency shall 
provide to the appropriate reporting entities written updates on the 
major incident and, to the extent practicable, provide a briefing to 
the congressional committees described in subsection (a)(1), including 
summaries of--
            ``(1) vulnerabilities, means by which the major incident 
        occurred, and impacts to the agency relating to the major 
        incident;
            ``(2) any risk assessment and subsequent risk-based 
        security implementation of the affected information system 
        before the date on which the major incident occurred;
            ``(3) an estimate of the number of individuals potentially 
        affected by the major incident based on information available 
        to agency officials as of the date on which the agency provides 
        the update;
            ``(4) an assessment of the risk of harm to individuals 
        potentially affected by the major incident based on information 
        available to agency officials as of the date on which the 
        agency provides the update;
            ``(5) an update to the assessment of the risk to agency 
        operations, or to impacts on other agency or non-Federal entity 
        operations, affected by the major incident based on information 
        available to agency officials as of the date on which the 
        agency provides the update; and
            ``(6) the detection, response, and remediation actions of 
        the agency, including any support provided by the Cybersecurity 
        and Infrastructure Security Agency under section 3594(d) and 
        status updates on the notification process described in section 
        3592(a), including any delay described in subsection (c) of 
        section 3592, if applicable.
    ``(c) Update Report.--If the agency, or the National Cyber 
Director, determines that there is any significant change in the 
understanding of the agency of the scope, scale, or consequence of a 
major incident for which an agency submitted a written report under 
subsection (a), the agency shall provide an updated report to the 
appropriate reporting entities that includes information relating to 
the change in understanding.
    ``(d) Biannual Report.--Each agency shall submit as part of the 
biannual report required under section 3554(c)(1) of this title a 
description of each major incident that occurred during the 2-year 
period preceding the date on which the biannual report is submitted.
    ``(e) Delay Report.--
            ``(1) In general.--The Director shall submit to the 
        appropriate reporting entities an annual report on all 
        notification delays granted pursuant to subsection (c) of 
        section 3592.
            ``(2) Component of other report.--The Director may submit 
        the report required under paragraph (1) as a component of the 
        annual report submitted under section 3597(b).
    ``(f) Report and Briefing Consistency.--In carrying out the duties 
under this section, and to achieve consistent and understandable agency 
reporting to Congress, the National Cyber Director shall--
            ``(1) provide to agencies formatting guidelines and 
        recommended contents of information to be included in the 
        reports and briefings required under this section, including 
        recommendations for the use of plain language terminology and 
        consistent formats for presenting any associated metrics; and
            ``(2) maintain a historical archive and major incident log 
        of all reports and briefings provided under the requirements of 
        this section, which shall include at a minimum an archive of 
        the full contents of any written report and associated 
        documentation, the reporting agency, the date of submission, 
        and a list of the recipient Congressional entities, which shall 
        be made available upon request to the Congressional entities 
        listed under subsection (a)(1) and may, to the extent 
        practicable, utilize an internet accessible portal for 
        appropriate Congressional staff to directly access the log and 
        archived materials required to be maintained under this 
        paragraph.
    ``(g) Report Delivery.--Any written report required to be submitted 
under this section may be submitted in a paper or electronic format.
    ``(h) Rule of Construction.--Nothing in this section shall be 
construed to limit--
            ``(1) the ability of an agency to provide additional 
        reports or briefings to Congress; or
            ``(2) Congress from requesting additional information from 
        agencies through reports, briefings, or other means.
``Sec. 3594. Government information sharing and incident response
    ``(a) In General.--
            ``(1) Incident reporting.--Subject to limitations in 
        subsection (b), the head of each agency shall provide the 
        information described in paragraph (2) relating to an incident 
        affecting the agency, whether the information is obtained by 
        the Federal Government directly or indirectly, to the 
        Cybersecurity and Infrastructure Security Agency, the Office of 
        Management and Budget, and the Office of the National Cyber 
        Director in a manner specified by the Director under subsection 
        (b).
            ``(2) Contents.--A provision of information relating to an 
        incident made by the head of an agency under paragraph (1) 
        shall--
                    ``(A) include detailed information about the 
                safeguards that were in place when the incident 
                occurred;
                    ``(B) whether the agency implemented the safeguards 
                described in subparagraph (A) correctly;
                    ``(C) in order to protect against a similar 
                incident, identify--
                            ``(i) how the safeguards described in 
                        subparagraph (A) should be implemented 
                        differently; and
                            ``(ii) additional necessary safeguards; and
                    ``(D) include information to aid in incident 
                response, such as--
                            ``(i) a description of the affected systems 
                        or networks;
                            ``(ii) the estimated dates of when the 
                        incident occurred; and
                            ``(iii) information that could reasonably 
                        help identify the party that conducted the 
                        incident, as appropriate.
            ``(3) Information sharing.--To the greatest extent 
        practicable, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall--
                    ``(A) share information relating to an incident 
                with any agencies that may be impacted by the incident, 
                or are potentially susceptible or similarly targeted, 
                as well as with appropriate Federal law enforcement 
                agencies to facilitate any necessary threat response 
                activities as requested; and
                    ``(B) coordinate, in consultation with the National 
                Cyber Director, any necessary information sharing 
                efforts related to a major incident with the private 
                sector.
            ``(4) National security systems.--Each agency operating or 
        exercising control of a national security system shall share 
        information about incidents that occur on national security 
        systems with the Director of the Cybersecurity and 
        Infrastructure Security Agency to the extent consistent with 
        standards and guidelines for national security systems issued 
        in accordance with law and as directed by the President.
    ``(b) Compliance.--The information provided and method of reporting 
under subsection (a) shall take into account the level of 
classification of the information and any information sharing 
limitations and protections, such as limitations and protections 
relating to law enforcement, national security, privacy, statistical 
confidentiality, or other factors determined by the Director in order 
to implement subsection (a)(1) in a manner that enables automated and 
consistent reporting.
    ``(c) Incident Response.--Each agency that has a reasonable basis 
to conclude that a major incident occurred involving Federal 
information in electronic medium or form, as defined by the Director 
and not involving a national security system, regardless of delays from 
notification granted for a major incident, shall coordinate with the 
Cybersecurity and Infrastructure Security Agency to facilitate asset 
response activities and recommendations for mitigating future 
incidents, and with appropriate Federal law enforcement agencies to 
facilitate threat response activities, consistent with relevant 
policies, principles, standards, and guidelines on information 
security.
``Sec. 3595. Responsibilities of contractors and awardees
    ``(a) Reporting.--
            ``(1) In general.--Unless otherwise specified in a 
        contract, grant, cooperative agreement, or any other 
        transaction agreement, any contractor or awardee of an agency 
        shall report to the agency within the same amount of time such 
        agency is required to report an incident to the Cybersecurity 
        and Infrastructure Security Agency, if the contractor or 
        awardee has a reasonable basis to suspect or conclude that--
                    ``(A) an incident or breach has occurred with 
                respect to Federal information collected, used, or 
                maintained by the contractor or awardee in connection 
                with the contract, grant, cooperative agreement, or 
                other transaction agreement of the contractor or 
                awardee;
                    ``(B) an incident or breach has occurred with 
                respect to a Federal information system used or 
                operated by the contractor or awardee in connection 
                with the contract, grant, cooperative agreement, or 
                other transaction agreement of the contractor or 
                awardee;
                    ``(C) a component of any Federal information 
                system, or a system able to access, store, or process 
                Federal information, contains a security vulnerability, 
                including a supply chain compromise or an identified 
                software or hardware vulnerability; or
                    ``(D) the contractor or awardee has received 
                information from the agency that the contractor or 
                awardee is not authorized to receive in connection with 
                the contract, grant, cooperative agreement, or other 
                transaction agreement of the contractor or awardee.
            ``(2) Procedures.--
                    ``(A) Major incident.--Following a report of a 
                breach or major incident by a contractor or awardee 
                under paragraph (1), the agency, in consultation with 
                the contractor or awardee, shall carry out the 
                requirements under sections 3592, 3593, and 3594 with 
                respect to the major incident.
                    ``(B) Incident.--Following a report of an incident 
                by a contractor or awardee under paragraph (1), an 
                agency, in consultation with the contractor or awardee, 
                shall carry out the requirements under section 3594 
                with respect to the incident.
    ``(b) Effective Date.--This section shall apply on and after the 
date that is 1 year after the date of the enactment of the Federal 
Information Security Modernization Act of 2022 and shall apply with 
respect to any contract entered into on or after such effective date.
``Sec. 3596. Training
    ``(a) Covered Individual Defined.--In this section, the term 
`covered individual' means an individual who obtains access to Federal 
information or Federal information systems because of the status of the 
individual as an employee, contractor, awardee, volunteer, or intern of 
an agency.
    ``(b) Requirement.--The head of each agency shall develop training 
for covered individuals on how to identify and respond to an incident, 
including--
            ``(1) the internal process of the agency for reporting an 
        incident; and
            ``(2) the obligation of a covered individual to report to 
        the agency a confirmed major incident and any suspected 
        incident involving information in any medium or form, including 
        paper, oral, and electronic.
    ``(c) Inclusion in Annual Training.--The training developed under 
subsection (b) may be included as part of an annual privacy or security 
awareness training of an agency.
``Sec. 3597. Analysis and report on Federal incidents
    ``(a) Analysis of Federal Incidents.--
            ``(1) Quantitative and qualitative analyses.--The Director 
        of the Cybersecurity and Infrastructure Security Agency shall 
        develop, in consultation with the Director and the National 
        Cyber Director, and perform continuous monitoring and 
        quantitative and qualitative analyses of incidents at agencies, 
        including major incidents, including--
                    ``(A) the causes of incidents, including--
                            ``(i) attacker tactics, techniques, and 
                        procedures; and
                            ``(ii) system vulnerabilities, including 
                        previously unknown zero day exploitations, 
                        unpatched systems, and information system 
                        misconfigurations;
                    ``(B) the scope and scale of incidents at agencies;
                    ``(C) common root causes of incidents across 
                multiple agencies;
                    ``(D) agency incident response, recovery, and 
                remediation actions and the effectiveness of those 
                actions, as applicable;
                    ``(E) lessons learned and recommendations in 
                responding to, recovering from, remediating, and 
                mitigating future incidents; and
                    ``(F) trends across multiple Federal agencies to 
                address intrusion detection and incident response 
                capabilities using the metrics established under 
                section 224(c) of the Cybersecurity Act of 2015 (6 
                U.S.C. 1522(c)).
            ``(2) Automated analysis.--The analyses developed under 
        paragraph (1) shall, to the greatest extent practicable, use 
        machine readable data, automation, and machine learning 
        processes.
            ``(3) Sharing of data and analysis.--
                    ``(A) In general.--The Director shall share on an 
                ongoing basis the analyses required under this 
                subsection with agencies and the National Cyber 
                Director to--
                            ``(i) improve the understanding of 
                        cybersecurity risk of agencies; and
                            ``(ii) support the cybersecurity 
                        improvement efforts of agencies.
                    ``(B) Format.--In carrying out subparagraph (A), 
                the Director shall share the analyses--
                            ``(i) in human-readable written products; 
                        and
                            ``(ii) to the greatest extent practicable, 
                        in machine-readable formats in order to enable 
                        automated intake and use by agencies.
    ``(b) Annual Report on Federal Incidents.--Not later than 2 years 
after the date of the enactment of this section, and not less 
frequently than annually thereafter, the Director of the Cybersecurity 
and Infrastructure Security Agency, in consultation with the Director, 
the National Cyber Director, and the heads of other agencies as 
appropriate, shall submit to the appropriate reporting entities a 
report that includes--
            ``(1) a summary of causes of incidents from across the 
        Federal Government that categorizes those incidents as 
        incidents or major incidents;
            ``(2) the quantitative and qualitative analyses of 
        incidents developed under subsection (a)(1) on an agency-by-
        agency basis and comprehensively across the Federal Government, 
        including--
                    ``(A) a specific analysis of breaches; and
                    ``(B) an analysis of the Federal Government's 
                performance against the metrics established under 
                section 224(c) of the Cybersecurity Act of 2015 (6 
                U.S.C. 1522(c)); and
            ``(3) an annex for each agency that includes--
                    ``(A) a description of each major incident; and
                    ``(B) an analysis of the agency's performance 
                against the metrics established under section 224(c) of 
                the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)).
    ``(c) Publication.--To the extent that publication is consistent 
with national security interests, a version of each report submitted 
under subsection (b) shall be made publicly available on the website of 
the Cybersecurity and Infrastructure Security Agency during the year in 
which the report is submitted.
    ``(d) Information Provided by Agencies.--
            ``(1) In general.--The analysis required under subsection 
        (a) and each report submitted under subsection (b) shall use 
        information provided by agencies under section 3594(a).
            ``(2) National security system reports.--
                    ``(A) In general.--Annually, the head of an agency 
                that operates or exercises control of a national 
                security system shall submit a report that includes the 
                information described in subsection (b) with respect to 
                the agency to the extent that the submission is 
                consistent with standards and guidelines for national 
                security systems issued in accordance with law and as 
                directed by the President to--
                            ``(i) the majority and minority leaders of 
                        the Senate;
                            ``(ii) the Speaker and minority leader of 
                        the House of Representatives;
                            ``(iii) the Committee on Homeland Security 
                        and Governmental Affairs of the Senate;
                            ``(iv) the Select Committee on Intelligence 
                        of the Senate;
                            ``(v) the Committee on Armed Services of 
                        the Senate;
                            ``(vi) the Committee on Appropriations of 
                        the Senate;
                            ``(vii) the Committee on Oversight and 
                        Reform of the House of Representatives;
                            ``(viii) the Committee on Homeland Security 
                        of the House of Representatives;
                            ``(ix) the Permanent Select Committee on 
                        Intelligence of the House of Representatives;
                            ``(x) the Committee on Armed Services of 
                        the House of Representatives; and
                            ``(xi) the Committee on Appropriations of 
                        the House of Representatives.
                    ``(B) Classified form.--A report required under 
                subparagraph (A) may be submitted in a classified form.
    ``(e) Requirement for Compiling Information.--In publishing the 
public report required under subsection (c), the Director of the 
Cybersecurity and Infrastructure Security Agency shall sufficiently 
compile information such that no specific incident of an agency can be 
identified, except with the concurrence of the Director of the Office 
of Management and Budget, the National Cyber Director, and in 
consultation with the impacted agency.
``Sec. 3598. Major incident definition
    ``(a) In General.--Not later than 180 days after the date of the 
enactment of the Federal Information Security Modernization Act of 
2022, the Director, in coordination with the Director of the 
Cybersecurity and Infrastructure Security Agency and the National Cyber 
Director, shall develop and promulgate guidance on the definition of 
the term `major incident' for the purposes of subchapter II and this 
subchapter.
    ``(b) Requirements.--With respect to the guidance issued under 
subsection (a), the definition of the term `major incident' shall--
            ``(1) include, with respect to any information collected or 
        maintained by or on behalf of an agency or an information 
        system used or operated by an agency or by a contractor of an 
        agency or another organization on behalf of an agency, any 
        incident the head of the agency determines is likely to result 
        in demonstrable harm to--
                    ``(A) the national security interests, foreign 
                relations, or the economy of the United States;
                    ``(B) the public confidence, civil liberties, or 
                public health and safety of the people of the United 
                States;
                    ``(C) the integrity of personally identifiable 
                information, including the exfiltration, modification, 
                or deletion of such information; or
                    ``(D) any other type of incident determined 
                appropriate by the Director; and
            ``(2) stipulate that the Director, in coordination with the 
        National Cyber Director, shall declare a major incident at each 
        agency impacted by an incident if it is determined that an 
        incident--
                    ``(A) occurs at not less than 2 agencies;
                    ``(B) is enabled by--
                            ``(i) a common technical root cause, such 
                        as a supply chain compromise or a common 
                        software or hardware vulnerability; or
                            ``(ii) the related activities of a common 
                        threat actor; or
                    ``(C) has a significant impact on the 
                confidentiality, integrity, or availability of a high 
                value asset.
    ``(c) Evaluation and Updates.--Not later than 2 years after the 
date of the enactment of the Federal Information Security Modernization 
Act of 2022, and not less frequently than every 2 years thereafter, the 
Director shall submit to the Committee on Homeland Security and 
Governmental Affairs of the Senate and the Committee on Oversight and 
Reform of the House of Representatives an evaluation, which shall 
include--
            ``(1) an update, if necessary, to the guidance issued under 
        subsection (a);
            ``(2) the definition of the term `major incident' included 
        in the guidance issued under subsection (a); and
            ``(3) an explanation of, and the analysis that led to, the 
        definition described in paragraph (2).''.
            (2) Clerical amendment.--The table of sections for chapter 
        35 of title 44, United States Code, is amended by adding at the 
        end the following:

            ``subchapter iv--federal system incident response

``3591. Definitions.
``3592. Notification of breach.
``3593. Congressional and executive branch reports.
``3594. Government information sharing and incident response.
``3595. Responsibilities of contractors and awardees.
``3596. Training.
``3597. Analysis and report on Federal incidents.
``3598. Major incident definition.''.

SEC. 102. AMENDMENTS TO SUBTITLE III OF TITLE 40.

    (a) Modernizing Government Technology.--Subtitle G of title X of 
Division A of the National Defense Authorization Act for Fiscal Year 
2018 (Public Law 115-91; 40 U.S.C. 11301 note) is amended in section 
1078--
            (1) by striking subsection (a) and inserting the following:
    ``(a) Definitions.--In this section:
            ``(1) Agency.--The term `agency' has the meaning given the 
        term in section 551 of title 5, United States Code.
            ``(2) High value asset.--The term `high value asset' has 
        the meaning given the term in section 3552 of title 44, United 
        States Code.''; and
            (2) in subsection (c)--
                    (A) in paragraph (2)(A)(i), by inserting ``, 
                including a consideration of the impact on high value 
                assets'' after ``operational risks'';
                    (B) in paragraph (5)--
                            (i) in subparagraph (A), by striking 
                        ``and'' at the end;
                            (ii) in subparagraph (B), by striking the 
                        period at the end and inserting ``and''; and
                            (iii) by adding at the end the following:
                    ``(C) a senior official from the Cybersecurity and 
                Infrastructure Security Agency of the Department of 
                Homeland Security, appointed by the Director.''; and
                    (C) in paragraph (6)(A), by striking ``shall be--'' 
                and all that follows through ``4 employees'' and 
                inserting ``shall be 4 employees''.
    (b) Subchapter I.--Subchapter I of chapter 113 of subtitle III of 
title 40, United States Code, is amended--
            (1) in section 11302--
                    (A) in subsection (b), by striking ``use, security, 
                and disposal of'' and inserting ``use, and disposal of, 
                and, in consultation with the Director of the 
                Cybersecurity and Infrastructure Security Agency and 
                the National Cyber Director, promote and improve the 
                security of,'';
                    (B) in subsection (c)(3)(B), by adding at the end 
                the following:
                            ``(iii) The Director may make available, 
                        upon request, to the National Cyber Director 
                        any cybersecurity funding information provided 
                        to the Director under clause (ii) of this 
                        subparagraph.'';
                    (C) in subsection (f), by striking ``The Director 
                shall'' and inserting ``The Director shall--
            ``(1) encourage the heads of the executive agencies to 
        develop and use the best practices in the acquisition of 
        information technology, including supply chain risk management 
        standards, guidelines, and practices developed by the National 
        Institute of Standards and Technology; and
            ``(2) consult with the Federal Chief Information Security 
        Officer appointed by the President under section 3607 of title 
        44, for the development and use of risk management standards, 
        guidelines, and practices developed by the National Institute 
        of Standards and Technology.''; and
                    (D) in subsection (h), by inserting ``, including 
                cybersecurity performances,'' after ``the 
                performances''; and
            (2) in section 11303(b), in paragraph (2)(B)--
                    (A) in clause (i), by striking ``or'' at the end;
                    (B) in clause (ii), by adding ``or'' at the end; 
                and
                    (C) by adding at the end the following:
                            ``(iii) whether the function should be 
                        performed by a shared service offered by 
                        another executive agency.''.
    (c) Subchapter II.--Subchapter II of chapter 113 of subtitle III of 
title 40, United States Code, is amended--
            (1) in section 11312(a), by inserting ``, including 
        security risks'' after ``managing the risks'';
            (2) in section 11313(1), by striking ``efficiency and 
        effectiveness'' and inserting ``efficiency, security, and 
        effectiveness'';
            (3) in section 11315, by adding at the end the following:
    ``(d) Component Agency Chief Information Officers.--The Chief 
Information Officer or an equivalent official of a component agency 
shall report to--
            ``(1) the Chief Information Officer designated under 
        section 3506(a)(2) of title 44 or an equivalent official of the 
        agency of which the component agency is a component; and
            ``(2) the head of the component agency.'';
            (4) in section 11317, by inserting ``security,'' before 
        ``or schedule''; and
            (5) in section 11319(b)(1), in the paragraph heading, by 
        striking ``CIOS'' and inserting ``Chief information officers''.
    (d) Subchapter III.--Section 11331 of title 40, United States Code, 
is amended--
            (1) in subsection (a), by striking ``section 3532(b)(1)'' 
        and inserting ``section 3552(b)'';
            (2) in subsection (b)(1)(A), by striking ``the Secretary of 
        Homeland Security'' and inserting ``the Director of the 
        Cybersecurity and Infrastructure Security Agency''; and
            (3) by adding at the end the following:
    ``(e) Review of Office of Management and Budget Guidance and 
Policy.--
            ``(1) Conduct of review.--
                    ``(A) In general.--Not less frequently than once 
                every 3 years, the Director of the Office of Management 
                and Budget, in consultation with, as available, the 
                Chief Information Officers Council, the Director of the 
                Cybersecurity and Infrastructure Security Agency, the 
                National Cyber Director, the Comptroller General of the 
                United States, and the Council of the Inspectors 
                General on Integrity and Efficiency, shall review the 
                efficacy of the guidance and policy promulgated by the 
                Director in reducing cybersecurity risks, including an 
                assessment of the requirements for agencies to report 
                information to the Director, and determine whether any 
                changes to that guidance or policy is appropriate.
                    ``(B) Federal risk assessments.--In conducting the 
                review described in subparagraph (A), the Director 
                shall consider the Federal risk assessments performed 
                under section 3553(i) of title 44.
                    ``(C) Requirements burden reduction and clarity.--
                In conducting the review described in subparagraph (A), 
                the Director shall consider the cumulative reporting 
                and compliance burden to agencies as well as the 
                clarity of the requirements and deadlines contained in 
                guidance and policy documents.
            ``(2) Updated guidance.--Not later than 90 days after the 
        date on which a review is completed under paragraph (1), the 
        Director of the Office of Management and Budget shall issue 
        updated guidance or policy to agencies determined appropriate 
        by the Director, based on the results of the review.
            ``(3) Congressional briefing.--Not later than 60 days after 
        the date on which a review is completed under paragraph (1), 
        the Director is expected to provide to the Committee on 
        Homeland Security and Governmental Affairs of the Senate and 
        the Committee on Oversight and Reform of the House of 
        Representatives a briefing on the review and any newly issued 
        guidance or policy, which shall include--
                    ``(A) an overview of the guidance and policy 
                promulgated under this section that is currently in 
                effect;
                    ``(B) the cybersecurity risk mitigation, or other 
                cybersecurity benefit, offered by each guidance or 
                policy document described in subparagraph (A); and
                    ``(C) a summary of the guidance or policy to which 
                changes were determined appropriate during the review 
                and what the changes include.
    ``(f) Automated Standard Implementation Verification.--When the 
Director of the National Institute of Standards and Technology issues a 
proposed standard pursuant to paragraphs (2) and (3) of section 20(a) 
of the National Institute of Standards and Technology Act (15 U.S.C. 
278g-3(a)), the Director of the National Institute of Standards and 
Technology shall consider developing and, if appropriate and practical, 
develop, in consultation with the Director of the Cybersecurity and 
Infrastructure Security Agency, specifications to enable the automated 
verification of the implementation of controls.''.

SEC. 103. ACTIONS TO ENHANCE FEDERAL INCIDENT RESPONSE.

    (a) Responsibilities of the Cybersecurity and Infrastructure 
Security Agency.--
            (1) In general.--Not later than 180 days after the date of 
        the enactment of this Act, the Director of the Cybersecurity 
        and Infrastructure Security Agency shall--
                    (A) develop a plan for the development of the 
                analysis required under section 3597(a) of title 44, 
                United States Code, as added by this Act, and the 
                report required under subsection (b) of that section 
                that includes--
                            (i) a description of any challenges the 
                        Director anticipates encountering; and
                            (ii) the use of automation and machine-
                        readable formats for collecting, compiling, 
                        monitoring, and analyzing data; and
                    (B) provide to the appropriate congressional 
                committees a briefing on the plan developed under 
                subparagraph (A).
            (2) Briefing.--Not later than 1 year after the date of the 
        enactment of this Act, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall provide to the appropriate 
        congressional committees a briefing on--
                    (A) the execution of the plan required under 
                paragraph (1)(A); and
                    (B) the development of the report required under 
                section 3597(b) of title 44, United States Code, as 
                added by this Act.
    (b) Responsibilities of the Director of the Office of Management 
and Budget.--
            (1) FISMA.--Section 2 of the Federal Information Security 
        Modernization Act of 2014 (Public Law 113-283; 44 U.S.C. 3554 
        note) is amended--
                    (A) by striking subsection (b); and
                    (B) by redesignating subsections (c) through (f) as 
                subsections (b) through (e), respectively.
            (2) In general.--The Director shall develop guidance, to be 
        updated not less frequently than once every 2 years, on the 
        content, timeliness, and format of the information provided by 
        agencies under section 3594(a) of title 44, United States Code, 
        as added by this Act.
            (3) Guidance on responding to information requests.--Not 
        later than 1 year after the date of the enactment of this Act, 
        the Director shall develop guidance for agencies to implement 
        the requirement under section 3594(c) of title 44, United 
        States Code, as added by this Act, to provide information to 
        other agencies experiencing incidents.
            (4) Standard guidance and templates.--Not later than 1 year 
        after the date of the enactment of this Act, the Director, in 
        consultation with the Director of the Cybersecurity and 
        Infrastructure Security Agency, shall develop guidance and 
        templates, to be reviewed and, if necessary, updated not less 
        frequently than once every 2 years, for use by Federal agencies 
        in the activities required under sections 3592, 3593, and 3596 
        of title 44, United States Code, as added by this Act.
            (5) Contractor and awardee guidance.--
                    (A) In general.--Not later than 1 year after the 
                date of the enactment of this Act, the Director, in 
                coordination with the Secretary of Homeland Security, 
                the Secretary of Defense, the Administrator of General 
                Services, and the heads of other agencies determined 
                appropriate by the Director, shall issue guidance to 
                Federal agencies on how to deconflict, to the greatest 
                extent practicable, existing regulations, policies, and 
                procedures relating to the responsibilities of 
                contractors and awardees established under section 3595 
                of title 44, United States Code, as added by this Act.
                    (B) Existing processes.--To the greatest extent 
                practicable, the guidance issued under subparagraph (A) 
                shall allow contractors and awardees to use existing 
                processes for notifying Federal agencies of incidents 
                involving information of the Federal Government.
            (6) Updated briefings.--Not less frequently than once every 
        2 years, the Director shall provide to the appropriate 
        congressional committees an update on the guidance and 
        templates developed under paragraphs (2) through (4).
    (c) Update to the Privacy Act of 1974.--Section 552a(b) of title 5, 
United States Code (commonly known as the ``Privacy Act of 1974'') is 
amended--
            (1) in paragraph (11), by striking ``or'' at the end;
            (2) in paragraph (12), by striking the period at the end 
        and inserting ``; or''; and
            (3) by adding at the end the following:
            ``(13) to another agency in furtherance of a response to an 
        incident (as defined in section 3552 of title 44) and pursuant 
        to the information sharing requirements in section 3594 of 
        title 44, if the head of the requesting agency has made a 
        written request to the agency that maintains the record 
        specifying the particular portion desired and the activity for 
        which the record is sought.''.

SEC. 104. ADDITIONAL GUIDANCE TO AGENCIES ON FISMA UPDATES.

    Not later than 1 year after the date of the enactment of this Act, 
the Director shall issue guidance for agencies on--
            (1) performing the ongoing and continuous agency system 
        risk assessment required under section 3554(a)(1)(A) of title 
        44, United States Code, as amended by this Act;
            (2) implementing additional cybersecurity procedures, which 
        shall include resources for shared services;
            (3) establishing a process for providing the status of each 
        remedial action under section 3554(b)(7) of title 44, United 
        States Code, as amended by this Act, to the Director and the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency using automation and machine-readable data, as 
        practicable, which shall include--
                    (A) specific guidance for the use of automation and 
                machine-readable data; and
                    (B) templates for providing the status of the 
                remedial action;
            (4) interpreting the definition of ``high value asset'' 
        under section 3552 of title 44, United States Code, as amended 
        by this Act; and
            (5) a requirement to coordinate with inspectors general of 
        agencies to ensure consistent understanding and application of 
        agency policies for the purpose of evaluations by inspectors 
        general.

SEC. 105. AGENCY REQUIREMENTS TO NOTIFY PRIVATE SECTOR ENTITIES 
              IMPACTED BY INCIDENTS.

    (a) Definitions.--In this section:
            (1) Reporting entity.--The term ``reporting entity'' means a 
        private organization or governmental unit that is required by 
        statute or regulation to submit sensitive information to an 
        agency.
            (2) Sensitive information.--The term ``sensitive 
        information'' has the meaning given the term by the Director in 
        guidance issued under subsection (b).
    (b) Guidance on Notification of Reporting Entities.--Not later than 
180 days after the date of the enactment of this Act, the Director 
shall issue guidance requiring the head of each agency to notify a 
reporting entity of an incident that is likely to substantially 
affect--
            (1) the confidentiality or integrity of sensitive 
        information submitted by the reporting entity to the agency 
        pursuant to a statutory or regulatory requirement; or
            (2) the agency information system or systems used in the 
        transmission or storage of the sensitive information described 
        in paragraph (1).

               TITLE II--IMPROVING FEDERAL CYBERSECURITY

SEC. 201. MOBILE SECURITY STANDARDS.

    (a) In General.--Not later than 1 year after the date of the 
enactment of this Act, the Director shall--
            (1) evaluate mobile application security guidance 
        promulgated by the Director; and
            (2) issue guidance to secure mobile devices, including for 
        mobile applications, for every agency.
    (b) Contents.--The guidance issued under subsection (a)(2) shall 
include--
            (1) a requirement, pursuant to section 3506(b)(4) of title 
        44, United States Code, for every agency to maintain a 
        continuous inventory of every--
                    (A) mobile device operated by or on behalf of the 
                agency; and
                    (B) vulnerability identified by the agency 
                associated with a mobile device; and
            (2) a requirement for every agency to perform continuous 
        evaluation of the vulnerabilities described in paragraph (1)(B) 
        and other risks associated with the use of applications on 
        mobile devices.
    (c) Information Sharing.--The Director, in coordination with the 
Director of the Cybersecurity and Infrastructure Security Agency, shall 
issue guidance to agencies for sharing the inventory of the agency 
required under subsection (b)(1) with the Director of the Cybersecurity 
and Infrastructure Security Agency, using automation and machine-
readable data to the greatest extent practicable.
    (d) Briefing.--Not later than 60 days after the date on which the 
Director issues guidance under subsection (a)(2), the Director, in 
coordination with the Director of the Cybersecurity and Infrastructure 
Security Agency, shall provide to the appropriate congressional 
committees a briefing on the guidance.

SEC. 202. DATA AND LOGGING RETENTION FOR INCIDENT RESPONSE.

    (a) Recommendations.--Not later than 2 years after the date of the 
enactment of this Act, and not less frequently than every 2 years 
thereafter, the Director of the Cybersecurity and Infrastructure 
Security Agency, in consultation with the Attorney General, shall 
submit to the Director recommendations on requirements for logging 
events on agency systems and retaining other relevant data within the 
systems and networks of an agency.
    (b) Contents.--The recommendations provided under subsection (a) 
shall include--
            (1) the types of logs to be maintained;
            (2) the duration that logs and other relevant data should 
        be retained;
            (3) the time periods for agency implementation of 
        recommended logging and security requirements;
            (4) how to ensure the confidentiality, integrity, and 
        availability of logs;
            (5) requirements to ensure that, upon request, in a manner 
        that excludes or otherwise reasonably protects personally 
        identifiable information, and to the extent permitted by 
        applicable law (including privacy and statistical laws), 
        agencies provide logs to--
                    (A) the Director of the Cybersecurity and 
                Infrastructure Security Agency for a cybersecurity 
                purpose; and
                    (B) the Director of the Federal Bureau of 
                Investigation, or the appropriate Federal law 
                enforcement agency, to investigate potential criminal 
                activity; and
            (6) requirements to ensure that, subject to compliance with 
        statistical laws and other relevant data protection 
        requirements, the highest level security operations center of 
        each agency has visibility into all agency logs.
    (c) Guidance.--Not later than 90 days after receiving the 
recommendations submitted under subsection (a), the Director, in 
consultation with the Director of the Cybersecurity and Infrastructure 
Security Agency and the Attorney General, shall, as determined to be 
appropriate by the Director, update guidance to agencies regarding 
requirements for logging, log retention, log management, sharing of log 
data with other appropriate agencies, or any other logging activity 
determined to be appropriate by the Director.
    (d) Sunset.--This section will cease to be in effect on the date 
that is 10 years after the date of the enactment of this Act.

SEC. 203. FEDERAL PENETRATION TESTING POLICY.

    (a) In General.--Subchapter II of chapter 35 of title 44, United 
States Code, is amended by adding at the end the following:
``Sec. 3559A. Federal penetration testing
    ``(a) Guidance.--
            ``(1) In general.--The Director shall, in consultation with 
        the Secretary of the Department of Homeland Security acting 
        through the Director of the Cybersecurity and Infrastructure 
        Security Agency, issue guidance to agencies that--
                    ``(A) requires agencies to use, when and where 
                appropriate, penetration testing on agency systems by 
                both Federal and non-Federal entities, with a focus on 
                high value assets;
                    ``(B) provides policies governing agency 
                development of an operational plan, rules of engagement 
                for utilizing penetration testing, and procedures to 
                utilize the results of penetration testing to improve 
                the cybersecurity and risk management of the agency; 
                and
                    ``(C) establishes a program under the Cybersecurity 
                and Infrastructure Security Agency to ensure that 
                penetration testing is being performed appropriately by 
                agencies and to provide operational support or a shared 
                service.
    ``(b) Responsibilities of OMB.--The Director, in coordination with 
the Director of the Cybersecurity and Infrastructure Security Agency, 
shall--
            ``(1) not less frequently than annually, inventory all 
        Federal penetration testing assets; and
            ``(2) develop and maintain a standardized process for the 
        use of penetration testing.
    ``(c) Exception for National Security Systems.--The guidance issued 
under subsection (a) shall not apply to national security systems.
    ``(d) Delegation of Authority for Certain Systems.--The authorities 
of the Director described in subsection (a) shall be delegated--
            ``(1) to the Secretary of Defense in the case of systems 
        described in section 3553(e)(2); and
            ``(2) to the Director of National Intelligence in the case 
        of systems described in section 3553(e)(3).''.
    (b) Deadline for Guidance.--Not later than 180 days after the date 
of the enactment of this Act, the Director shall issue the guidance 
required under section 3559A(a) of title 44, United States Code, as 
added by subsection (a).
    (c) Sunset.--This section shall sunset on the date that is 10 years 
after the date of the enactment of this Act.
    (d) Clerical Amendment.--The table of sections for chapter 35 of 
title 44, United States Code, is amended by adding after the item 
relating to section 3559 the following:

``3559A. Federal penetration testing.''.
    (e) Penetration Testing by the Secretary of Homeland Security.--
Section 3553(b) of title 44, United States Code, as amended by section 
5121, is further amended--
            (1) in paragraph (8)(B), by striking ``and'' at the end;
            (2) by redesignating paragraph (9) as paragraph (10); and
            (3) by inserting after paragraph (8) the following:
            ``(9) performing penetration testing to identify 
        vulnerabilities within Federal information systems; and''.

SEC. 204. ONGOING THREAT HUNTING PROGRAM.

    (a) Threat Hunting Program.--
            (1) In general.--Not later than 540 days after the date of 
        the enactment of this Act, the Director of the Cybersecurity 
        and Infrastructure Security Agency shall, in accordance with 
        the authorities granted the Secretary under sections 
        3553(b)(7)-(8) and 3553(m) of title 44, United States Code (as 
        redesignated by this Act), establish a program to provide 
        ongoing, hypothesis-driven threat-hunting services on the 
        network of each agency.
            (2) Plan.--Not later than 180 days after the date of the 
        enactment of this Act, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall develop a plan to 
        establish the program required under paragraph (1) that 
        describes how the Director of the Cybersecurity and 
        Infrastructure Security Agency plans to--
                    (A) determine the method for collecting, storing, 
                accessing, analyzing, and safeguarding appropriate 
                agency data;
                    (B) provide on-premises support to agencies;
                    (C) staff threat hunting services;
                    (D) allocate available human and financial 
                resources to implement the plan; and
                    (E) provide input to the heads of agencies on the 
                use of--
                            (i) more stringent standards under section 
                        11331(c)(1) of title 40, United States Code; 
                        and
                            (ii) additional cybersecurity procedures 
                        under section 3554 of title 44, United States 
                        Code.
    (b) Reports.--The Director of the Cybersecurity and Infrastructure 
Security Agency, in consultation with the Director, shall submit to the 
appropriate congressional committees--
            (1) not later than 30 days after the date on which the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency completes the plan required under subsection (a)(2), a 
        report on the plan to provide threat hunting services to 
        agencies;
            (2) not less than 30 days before the date on which the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency begins providing threat hunting services under the 
        program under subsection (a)(1), a report providing any updates 
        to the plan developed under subsection (a)(2); and
            (3) not later than 1 year after the date on which the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency begins providing threat hunting services to agencies 
        other than the Cybersecurity and Infrastructure Security 
        Agency, a report describing lessons learned from providing 
        those services.

SEC. 205. CODIFYING VULNERABILITY DISCLOSURE PROGRAMS.

    (a) In General.--Subchapter II of chapter 35 of title 44, United 
States Code, is amended by inserting after section 3559A, as added by 
section 203, the following:
``Sec. 3559B. Federal vulnerability disclosure programs
    ``(a) Definitions.--In this section:
            ``(1) Report.--The term `report' means a vulnerability 
        disclosure made to an agency by a reporter.
            ``(2) Reporter.--The term `reporter' means an individual 
        that submits a vulnerability report pursuant to the 
        vulnerability disclosure process of an agency.
    ``(b) Responsibilities of OMB.--
            ``(1) Limitation on legal action.--The Director of the 
        Office of Management and Budget, in consultation with the 
        Attorney General, shall issue guidance to agencies to not 
        recommend or pursue legal action against a reporter or an 
        individual that conducts a security research activity that the 
        head of the agency determines--
                    ``(A) represents a good faith effort to follow the 
                vulnerability disclosure policy of the agency developed 
                under subsection (d)(2); and
                    ``(B) is authorized under the vulnerability 
                disclosure policy of the agency developed under 
                subsection (d)(2).
            ``(2) Sharing information with cisa.--The Director of the 
        Office of Management and Budget, in coordination with the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency and in consultation with the National Cyber Director, 
        shall issue guidance to agencies on sharing relevant 
        information in a consistent, automated, and machine readable 
        manner with the Director of the Cybersecurity and 
        Infrastructure Security Agency, including--
                    ``(A) any valid or credible reports of newly 
                discovered or not publicly known vulnerabilities 
                (including misconfigurations) on Federal information 
                systems that use commercial software or services;
                    ``(B) information relating to vulnerability 
                disclosure, coordination, or remediation activities of 
                an agency, particularly as those activities relate to 
                outside organizations--
                            ``(i) with which the head of the agency 
                        believes the Director of the Cybersecurity and 
                        Infrastructure Security Agency can assist; or
                            ``(ii) about which the head of the agency 
                        believes the Director of the Cybersecurity and 
                        Infrastructure Security Agency should know; and
                    ``(C) any other information with respect to which 
                the head of the agency determines helpful or necessary 
                to involve the Director of the Cybersecurity and 
                Infrastructure Security Agency.
            ``(3) Agency vulnerability disclosure policies.--The 
        Director shall issue guidance to agencies on the required 
        minimum scope of agency systems covered by the vulnerability 
        disclosure policy of an agency required under subsection 
        (d)(2).
    ``(c) Responsibilities of CISA.--The Director of the Cybersecurity 
and Infrastructure Security Agency shall--
            ``(1) provide support to agencies with respect to the 
        implementation of the requirements of this section;
            ``(2) develop tools, processes, and other mechanisms 
        determined appropriate to offer agencies capabilities to 
        implement the requirements of this section; and
            ``(3) upon a request by an agency, assist the agency in the 
        disclosure to vendors of newly identified vulnerabilities in 
        vendor products and services.
    ``(d) Responsibilities of Agencies.--
            ``(1) Public information.--The head of each agency shall 
        make publicly available, with respect to each internet domain 
        under the control of the agency that is not a national security 
        system--
                    ``(A) an appropriate security contact; and
                    ``(B) the component of the agency that is 
                responsible for the internet accessible services 
                offered at the domain.
            ``(2) Vulnerability disclosure policy.--The head of each 
        agency shall develop and make publicly available a 
        vulnerability disclosure policy for the agency, which shall--
                    ``(A) describe--
                            ``(i) the scope of the systems of the 
                        agency included in the vulnerability disclosure 
                        policy;
                            ``(ii) the type of information system 
                        testing that is authorized by the agency;
                            ``(iii) the type of information system 
                        testing that is not authorized by the agency; 
                        and
                            ``(iv) the disclosure policy of the agency 
                        for sensitive information;
                    ``(B) with respect to a report to an agency, 
                describe--
                            ``(i) how the reporter should submit the 
                        report; and
                            ``(ii) if the report is not anonymous, when 
                        the reporter should anticipate an 
                        acknowledgment of receipt of the report by the 
                        agency;
                    ``(C) include any other relevant information; and
                    ``(D) be mature in scope, covering all internet 
                accessible Federal information systems used or operated 
                by that agency or on behalf of that agency.
            ``(3) Identified vulnerabilities.--The head of each agency 
        shall incorporate any vulnerabilities reported under paragraph 
        (2) into the vulnerability management process of the agency in 
        order to track and remediate the vulnerability.
    ``(e) Congressional Reporting.--Not later than 90 days after the 
date of the enactment of the Federal Information Security Modernization 
Act of 2022, and annually thereafter for a 3-year period, the Director 
of the Cybersecurity and Infrastructure Security Agency, in 
consultation with the Director, shall provide to the Committee on 
Homeland Security and Governmental Affairs of the Senate and the 
Committee on Oversight and Reform of the House of Representatives a 
briefing on the status of the use of vulnerability disclosure policies 
under this section at agencies, including, with respect to the guidance 
issued under subsection (b)(3), an identification of the agencies that 
are compliant and not compliant.
    ``(f) Exemptions.--The authorities and functions of the Director 
and Director of the Cybersecurity and Infrastructure Security Agency 
under this section shall not apply to national security systems.
    ``(g) Delegation of Authority for Certain Systems.--The authorities 
of the Director and the Director of the Cybersecurity and 
Infrastructure Security Agency described in this section shall be 
delegated--
            ``(1) to the Secretary of Defense in the case of systems 
        described in section 3553(e)(2); and
            ``(2) to the Director of National Intelligence in the case 
        of systems described in section 3553(e)(3).''.
    (b) Sunset.--This section shall sunset on the date that is 10 years 
after the date of the enactment of this Act.
    (c) Clerical Amendment.--The table of sections for chapter 35 of 
title 44, United States Code, is amended by adding after the item 
relating to section 3559A, as added by this Act, the following:

``3559B. Federal vulnerability disclosure programs.''.

SEC. 206. IMPLEMENTING ZERO TRUST ARCHITECTURE.

    (a) Guidance.--The Director shall maintain guidance on the adoption 
of zero trust architecture and not later than 2 years after the date of 
the enactment of this Act, provide an update to the appropriate 
congressional committees on progress in increasing the internal 
defenses of agency systems through such adoption across the government, 
including--
            (1) shifting away from ``trusted networks'' to implement 
        security controls based on a presumption of compromise;
            (2) implementing principles of least privilege in 
        administering information security programs;
            (3) limiting the ability of entities that cause incidents 
        to move laterally through or between agency systems;
            (4) identifying incidents quickly;
            (5) isolating and removing unauthorized entities from 
        agency systems as quickly as practicable, accounting for 
        intelligence or law enforcement purposes;
            (6) otherwise increasing the resource costs for entities 
        that cause incidents to be successful; and
            (7) a summary of the agency progress reports required under 
        subsection (b).
    (b) Agency Progress Reports.--Not later than 270 days after the 
date of the enactment of this Act, the head of each agency shall submit 
to the Director a progress report on implementing an information 
security program based on a zero trust architecture, which shall 
include--
            (1) a description of any steps the agency has completed, 
        including progress toward achieving any requirements issued by 
        the Director, including the adoption of any models or reference 
        architecture;
            (2) an identification of activities that have not yet been 
        completed and that would have the most immediate security 
        impact; and
            (3) a schedule to implement any planned activities.

SEC. 207. GAO AUTOMATION REPORT.

    Not later than 2 years after the date of the enactment of this Act, 
the Comptroller General of the United States shall perform a study on 
the use of automation and machine-readable data across the Federal 
Government for cybersecurity purposes, including the automated updating 
of cybersecurity tools, sensors, or processes employed by agencies 
under paragraphs (1), (5)(C), and (8)(B) of section 3554(b) of title 
44, United States Code.

SEC. 208. EXTENSION OF FEDERAL ACQUISITION SECURITY COUNCIL.

    (a) Extension.--Section 1328 of title 41, United States Code, is 
amended by striking ``the date that'' and all that follows and 
inserting ``December 31, 2026''.
    (b) Designation.--Section 1322(c)(1) of title 41, United States 
Code, is amended by striking ``Not later than'' and all that follows 
through the end of the paragraph and inserting the following: ``The 
Director of OMB shall designate the Federal Chief Information Security 
Officer appointed by the President under section 3607 of title 44, or 
an equivalent senior-level official from the Office of Management and 
Budget if the position is vacant, to serve as the Chairperson of the 
Council.''.
    (c) Requirement.--Section 1326(b) of title 41, United States 
Code, is amended--
            (1) in paragraph (5), by striking ``; and'' and inserting a 
        semicolon;
            (2) by redesignating paragraph (6) as paragraph (7); and
            (3) by inserting after paragraph (5) the following new 
        paragraph:
            ``(6) maintaining an up-to-date and accurate inventory of 
        software in use by the agency and, when available, the 
        components of such software, including any available Software 
        Bills of Materials, as applicable, that can be communicated 
        when requested to the Federal Acquisition Security Council, the 
        National Cyber Director, or the Secretary of Homeland 
        Security acting through the Director of the Cybersecurity and 
        Infrastructure Security Agency.''.

SEC. 209. FEDERAL CHIEF INFORMATION SECURITY OFFICER.

    (a) Amendment.--Chapter 36 of title 44, United States Code, is 
amended by inserting at the end:
``Sec. 3607. Federal chief information security officer
    ``(a) Establishment.--There is established in the Office of the 
Federal Chief Information Officer of the Office of Management and 
Budget a Federal Chief Information Security Officer, who shall be 
appointed by the President.
    ``(b) Duties.--The Federal Chief Information Security Officer shall 
report to the Federal Chief Information Officer, and assist the Chief 
Information Officer in carrying out--
            ``(1) all functions under this chapter;
            ``(2) all functions assigned to the Director under title II 
        of the E-Government Act of 2002;
            ``(3) other electronic government initiatives, consistent 
        with other statutes;
            ``(4) assisting the Director with carrying out budget 
        formation duties under subtitle II of title 31 as it pertains 
        to the information technology, operations, and workforce 
        resources of Federal agencies to fulfill cybersecurity 
        responsibilities under section 3554, and the duties of the 
        Department of Homeland Security designated under section 
        3553; and
            ``(5) other initiatives determined by the Chief Information 
        Officer.
    ``(c) Additional Duties.--The Federal Chief Information Security 
Officer shall work with the Chief Information Officer to oversee 
implementation of electronic Government under the E-Government Act of 
2002, and other relevant statutes, in a manner consistent with law, 
relating to--
            ``(1) cybersecurity strategy, policy, and operations, 
        including the performance of the duties of the Director under 
        subchapter II of chapter 35;
            ``(2) the development of enterprise architectures;
            ``(3) information security;
            ``(4) privacy;
            ``(5) access to, dissemination of, and preservation of 
        Government information; and
            ``(6) other areas of electronic Government as determined by 
        the Administrator.
    ``(d) Assistance.--The Federal Chief Information Security Officer 
shall assist the Administrator in the performance of electronic 
Government functions as described in section 3602(f).''.
    (b) Deputy National Cyber Director.--Section 1752 of the William M. 
(Mac) Thornberry National Defense Authorization Act for Fiscal Year 
2021 (6 U.S.C. 1500; 134 Stat. 4144) is amended by adding at the end 
the following new subsection:
    ``(d) Deputy Director.--There shall be a Deputy National Cyber 
Director for Agency Strategy, Capabilities, and Budget, who shall be 
the Federal Chief Information Security Officer appointed by the 
President under section 3607 of title 44, United States Code, and shall 
report to the Director and assist the office in carrying out the 
following duties as it applies to the protection of Federal information 
systems by the agencies--
            ``(1) the preparation and oversight over the implementation 
        of national cyber policy and strategy under subsection 
        (c)(1)(C)(i);
            ``(2) the formation and issuance of recommendations to 
        agencies on resource allocations and policies under subsection 
        (c)(1)(C)(ii);
            ``(3) reviewing annual budget proposals and making related 
        recommendations under subsection (c)(1)(C)(iii);
            ``(4) the functions, as determined necessary, of the 
        National Cyber Director under subchapter II of chapter 35 of 
        title 44, United States Code; and
            ``(5) other initiatives determined by the Director, or to 
        be necessary to coordinate with the Office by the Federal Chief 
        Information Officer.''.
    (c) Clerical Amendment.--The table of sections for chapter 36 of 
title 44, United States Code, is amended by adding after the item 
relating to section 3606 the following:

``3607. Federal chief information security officer.''.

SEC. 210. EXTENSION OF CHIEF DATA OFFICER COUNCIL.

    Section 2520A(e)(2) of title 44, United States Code, is amended by 
striking ``upon the expiration of the 2-year period that begins on the 
date the Comptroller General submits the report under paragraph (1) to 
Congress'' and inserting ``January 31, 2030''.

SEC. 211. COUNCIL OF THE INSPECTORS GENERAL ON INTEGRITY AND EFFICIENCY 
              DASHBOARD.

    Section 11(e)(2) of the Inspector General Act of 1978 (5 U.S.C. 
App.) is amended--
            (1) in subparagraph (A), by striking ``and'' at the end;
            (2) by redesignating subparagraph (B) as subparagraph (C); 
        and
            (3) by inserting after subparagraph (A) the following:
                    ``(B) that shall include a dashboard of open 
                information security recommendations identified in the 
                independent evaluations required by section 3555(a) of 
                title 44, United States Code; and''.

SEC. 212. QUANTITATIVE CYBERSECURITY METRICS.

    (a) Definition of Covered Metrics.--In this section, the term 
``covered metrics'' means the metrics established, reviewed, and 
updated under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 
1522(c)).
    (b) Updating and Establishing Metrics.--Not later than 1 year after 
the date of the enactment of this Act, the Director of the 
Cybersecurity and Infrastructure Security Agency, in coordination with 
the Director and consulting with the Director of the National Institute 
of Standards and Technology, shall--
            (1) evaluate any covered metrics established as of the date 
        of the enactment of this Act; and
            (2) as appropriate and pursuant to section 224(c) of the 
        Cybersecurity Act of 2015 (6 U.S.C. 1522(c))--
                    (A) update the covered metrics; and
                    (B) establish new covered metrics.
    (c) Implementation.--
            (1) In general.--Not later than 540 days after the date of 
        the enactment of this Act, the Director, in coordination with 
        the Director of the Cybersecurity and Infrastructure Security 
        Agency, shall promulgate guidance that requires each agency to 
        use covered metrics to track trends in the cybersecurity and 
        incident response capabilities of the agency.
            (2) Performance demonstration.--The guidance issued under 
        paragraph (1) and any subsequent guidance shall require 
        agencies to share with the Director of the Cybersecurity and 
        Infrastructure Security Agency data demonstrating the 
        performance of the agency using the covered metrics included in 
        the guidance.
            (3) Penetration tests.--On not less than 2 occasions during 
        the 2-year period following the date on which guidance is 
        promulgated under paragraph (1), the Director shall ensure that 
        not less than 3 agencies are subjected to substantially similar 
        penetration tests, as determined by the Director, in 
        coordination with the Director of the Cybersecurity and 
        Infrastructure Security Agency, in order to validate the 
        utility of the covered metrics.
            (4) Analysis capacity.--The Director of the Cybersecurity 
        and Infrastructure Security Agency shall develop a capability 
        that allows for the analysis of the covered metrics, including 
        cross-agency performance of agency cybersecurity and incident 
        response capability trends.
    (d) Congressional Reports.--
            (1) Utility of metrics.--Not later than 1 year after the 
        date of the enactment of this Act, the Director of the 
        Cybersecurity and Infrastructure Security Agency, in 
        coordination with the Director, shall submit to the appropriate 
        congressional committees a report on the utility of the covered 
        metrics.
            (2) Use of metrics.--Not later than 180 days after the date 
        on which the Director promulgates guidance under subsection 
        (c)(1), the Director shall submit to the appropriate 
        congressional committees a report on the results of the use of 
        the covered metrics by agencies.
    (e) Federal Cybersecurity Enhancement Act of 2015 Updates.--The 
Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1521 et seq.) 
is amended--
            (1) in section 222(3)(B), by inserting ``and the Committee 
        on Oversight and Reform'' before ``of the House of 
        Representatives''; and
            (2) in section 224--
                    (A) by amending subsection (c) to read as follows:
    ``(c) Improved Metrics.--The Director of the Cybersecurity and 
Infrastructure Security Agency, in coordination with the Director, 
shall establish, review, and update metrics to measure the 
cybersecurity and incident response capabilities of agencies in 
accordance with the responsibilities of agencies under section 3554 of 
title 44, United States Code.'';
                    (B) by striking subsection (e); and
                    (C) by redesignating subsection (f) as subsection 
                (e).

       TITLE III--PILOT PROGRAMS TO ENHANCE FEDERAL CYBERSECURITY

SEC. 301. RISK-BASED BUDGET PILOT.

    (a) Definitions.--In this section:
            (1) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Homeland Security and 
                Governmental Affairs and the Committee on 
                Appropriations of the Senate; and
                    (B) the Committee on Homeland Security, the 
                Committee on Oversight and Reform, and the Committee on 
                Appropriations of the House of Representatives.
            (2) Information technology.--The term ``information 
        technology''--
                    (A) has the meaning given the term in section 11101 
                of title 40, United States Code; and
                    (B) includes the hardware and software systems of a 
                Federal agency that monitor and control physical 
                equipment and processes of the Federal agency.
            (3) Risk-based budget.--The term ``risk-based budget'' 
        means a budget--
                    (A) developed by identifying and prioritizing 
                cybersecurity risks and vulnerabilities, including 
                impact on agency operations in the case of a cyber 
                attack, through analysis of cyber threat intelligence, 
                incident data, and tactics, techniques, procedures, and 
                capabilities of cyber threats; and
                    (B) that allocates resources based on the risks 
                identified and prioritized under subparagraph (A).
    (b) Establishment of Risk-Based Budget Pilot.--
            (1) In general.--
                    (A) Model.--Not later than 1 year after the first 
                publication of the budget submitted by the President 
                under section 1105 of title 31, United States Code, 
                following the date of the enactment of this Act, the 
                Director, in consultation with the Director of the 
                Cybersecurity and Infrastructure Security Agency and 
                the National Cyber Director and in coordination with 
                the Director of the National Institute of Standards and 
                Technology, shall conduct a pilot for creating a risk-
                based budget for cybersecurity spending.
                    (B) Contents of pilot.--The pilot required to be 
                developed under this paragraph shall--
                            (i) consider Federal and non-Federal cyber 
                        threat intelligence products, where available, 
                        to identify threats, vulnerabilities, and 
                        risks;
                            (ii) consider the impact on agency 
                        operations of incidents, including the 
                        interconnectivity to other agency systems and 
                        the operations of other agencies;
                            (iii) indicate where resources should be 
                        allocated to have the greatest impact on 
                        mitigating current and future threats and 
                        current and future cybersecurity capabilities;
                            (iv) be used to inform acquisition and 
                        sustainment of--
                                    (I) information technology and 
                                cybersecurity tools;
                                    (II) information technology and 
                                cybersecurity architectures;
                                    (III) information technology and 
                                cybersecurity personnel; and
                                    (IV) cybersecurity and information 
                                technology concepts of operations; and
                            (v) be used to evaluate and inform 
                        government-wide cybersecurity programs of the 
                        Department of Homeland Security.
            (2) Reports.--Not later than 2 years after the first 
        publication of the budget submitted by the President under 
        section 1105 of title 31, United States Code, following the 
        date of the enactment of this Act, the Director shall submit a 
        report to Congress on the implementation of the pilot for risk-
        based budgeting for cybersecurity spending, an assessment of 
        agency implementation, and an evaluation of whether the risk-
        based budget helps to mitigate cybersecurity vulnerabilities.
            (3) GAO report.--Not later than 3 years after the date on 
        which the first budget of the President is submitted to 
        Congress containing the validation required under section 
        1105(a)(35)(A)(i)(V) of title 31, United States Code, as 
        amended by subsection (c), the Comptroller General of the 
        United States shall submit to the appropriate congressional 
        committees a report that includes--
                    (A) an evaluation of the success of pilot agencies 
                in implementing risk-based budgets;
                    (B) an evaluation of whether the risk-based budgets 
                developed by pilot agencies are effective at informing 
                Federal Government-wide cybersecurity programs; and
                    (C) any other information relating to risk-based 
                budgets the Comptroller General determines appropriate.

SEC. 302. ACTIVE CYBER DEFENSIVE STUDY.

    (a) Definition.--In this section, the term ``active defense 
technique'' has the meaning given in guidance issued by the Director, 
in coordination with the Attorney General.
    (b) Study.--Not later than 180 days after the date of the enactment 
of this Act, the Director of the Cybersecurity and Infrastructure 
Security Agency, in coordination with the Director and the National 
Cyber Director, shall perform a study on the use of active defense 
techniques to enhance the security of agencies, which shall include--
            (1) a review of legal restrictions on the use of different 
        active cyber defense techniques in Federal environments, in 
        consultation with the Attorney General;
            (2) an evaluation of--
                    (A) the efficacy of a selection of active defense 
                techniques determined by the Director of the 
                Cybersecurity and Infrastructure Security Agency; and
                    (B) factors that impact the efficacy of the active 
                defense techniques evaluated under subparagraph (A);
            (3) recommendations on safeguards and procedures that shall 
        be established to require that active defense techniques are 
        adequately coordinated to ensure that active defense techniques 
        do not impede agency operations and mission delivery, threat 
        response efforts, criminal investigations, and national 
        security activities, including intelligence collection; and
            (4) the development of a framework for the use of different 
        active defense techniques by agencies.

SEC. 303. SECURITY OPERATIONS CENTER AS A SERVICE PILOT.

    (a) Purpose.--The purpose of this section is for the Director of 
the Cybersecurity and Infrastructure Security Agency to run a security 
operation center on behalf of the head of another agency, alleviating 
the need to duplicate this function at every agency, and empowering a 
greater centralized cybersecurity capability.
    (b) Plan.--Not later than 1 year after the date of the enactment of 
this Act, the Director of the Cybersecurity and Infrastructure Security 
Agency shall develop a plan to establish a centralized Federal security 
operations center shared service offering within the Cybersecurity and 
Infrastructure Security Agency.
    (c) Contents.--The plan required under subsection (b) shall include 
considerations for--
            (1) collecting, organizing, and analyzing agency 
        information system data in real time;
            (2) staffing and resources; and
            (3) appropriate interagency agreements, concepts of 
        operations, and governance plans.
    (d) Pilot Program.--
            (1) In general.--Not later than 180 days after the date on 
        which the plan required under subsection (b) is developed, the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, in consultation with the Director of the Office of 
        Management and Budget, shall enter into a 1-year agreement with 
        not less than 2 agencies to offer a security operations center 
        as a shared service.
            (2) Additional agreements.--After the date on which the 
        briefing required under subsection (e)(1) is provided, the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, in consultation with the Director of the Office of 
        Management and Budget, may enter into additional 1-year 
        agreements described in paragraph (1) with agencies.
    (e) Briefing and Report.--
            (1) Briefing.--Not later than 270 days after the date of 
        the enactment of this Act, the Director of the Cybersecurity 
        and Infrastructure Security Agency shall provide to appropriate 
        congressional committees a briefing on the parameters of any 1-
        year agreements entered into under subsection (d)(1).
            (2) Report.--Not later than 90 days after the date on which 
        the first 1-year agreement entered into under subsection (d) 
        expires, the Director of the Cybersecurity and Infrastructure 
        Security Agency shall submit to appropriate congressional 
        committees a report on--
                    (A) the agreement; and
                    (B) any additional agreements entered into with 
                agencies under subsection (d).

SEC. 304. ENDPOINT DETECTION AND RESPONSE AS A SERVICE PILOT.

    (a) Purpose.--The Cybersecurity and Infrastructure Security Agency 
is directed to establish and conduct a pilot to determine the 
feasibility, value, and efficacy of providing endpoint detection and 
response capabilities as a shared service to Federal agencies to reduce 
costs, enhance interoperability, and continuously detect and mitigate 
threat activity on Federal networks.
    (b) Plan.--Not later than 90 days after the date of the enactment 
of this Act, the Director of the Cybersecurity and Infrastructure 
Security Agency shall develop a plan to establish a centralized 
endpoint detection and response shared service offering within the 
Cybersecurity and Infrastructure Security Agency.
    (c) Contents.--The plan required under subsection (b) shall include 
considerations for--
            (1) understanding and assessing the full extent of 
        endpoints across the Federal civilian environment;
            (2) maximizing the value of existing agency investments in 
        endpoint detection and response tools and services;
            (3) aggregating the available contract vehicles and options 
        that provide agencies with appropriate capability for their 
        environment and architecture;
            (4) equipping all endpoints and services of pilot agencies 
        with endpoint detection and response programs;
            (5) aggregating network, cloud, and endpoint data from both 
        within the agency and across agencies to provide enterprise-
        wide monitoring of the network to detect abnormal network 
        behavior and automate defensive capabilities; and
            (6) appropriate interagency agreements, concepts of 
        operations, and governance plans.
    (d) Pilot Program.--
            (1) In general.--Not later than 180 days after the date on 
        which the plan required under subsection (b) is developed, the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, in consultation with the Director, shall enter into a 
        1-year agreement with not less than 2 agencies to offer 
        endpoint detection and response as a shared service.
            (2) Additional agreements.--After the date on which the 
        briefing required under subsection (e)(1) is provided, the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, in consultation with the Director, may enter into 
        additional 1-year agreements described in paragraph (1) with 
        agencies.
    (e) Briefing and Report.--
            (1) Briefing.--Not later than 270 days after the date of 
        the enactment of this Act, the Director of the Cybersecurity 
        and Infrastructure Security Agency shall provide to the 
        Committee on Homeland Security and Governmental Affairs of the 
        Senate and the Committee on Homeland Security and the Committee 
        on Oversight and Reform of the House of Representatives a 
        briefing on the parameters of any 1-year agreements entered 
        into under subsection (d)(1).
            (2) Report.--Not later than 90 days after the date on which 
        the first 1-year agreement entered into under subsection (d) 
        expires, the Director of the Cybersecurity and Infrastructure 
        Security Agency shall submit to the Committee on Homeland 
        Security and Governmental Affairs of the Senate and the 
        Committee on Homeland Security and the Committee on Oversight 
        and Reform of the House of Representatives a report on--
                    (A) the agreement; and
                    (B) any additional agreements entered into with 
                agencies under subsection (d).