<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="billres.xsl"?>
<!DOCTYPE bill PUBLIC "-//US Congress//DTDs/bill.dtd//EN" "bill.dtd">
<bill bill-stage="Introduced-in-House" dms-id="H0A7932E46630401D91C9A86B39D942A8" public-private="public" key="H" bill-type="olc"><metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
<dublinCore>
<dc:title>117 HR 6497 IH: Federal Information Security Modernization Act of 2022</dc:title>
<dc:publisher>U.S. House of Representatives</dc:publisher>
<dc:date>2022-01-25</dc:date>
<dc:format>text/xml</dc:format>
<dc:language>EN</dc:language>
<dc:rights>Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.</dc:rights>
</dublinCore>
</metadata>
<form>
<distribution-code display="yes">I</distribution-code><congress display="yes">117th CONGRESS</congress><session display="yes">2d Session</session><legis-num display="yes">H. R. 6497</legis-num><current-chamber>IN THE HOUSE OF REPRESENTATIVES</current-chamber><action display="yes"><action-date date="20220125">January 25, 2022</action-date><action-desc><sponsor name-id="M000087">Mrs. Carolyn B. Maloney of New York</sponsor> (for herself, <cosponsor name-id="C001108">Mr. Comer</cosponsor>, <cosponsor name-id="C001078">Mr. Connolly</cosponsor>, <cosponsor name-id="S000250">Mr. Sessions</cosponsor>, <cosponsor name-id="N000147">Ms. Norton</cosponsor>, <cosponsor name-id="K000395">Mr. Keller</cosponsor>, <cosponsor name-id="W000797">Ms. Wasserman Schultz</cosponsor>, <cosponsor name-id="H001071">Mr. Hice of Georgia</cosponsor>, <cosponsor name-id="C000754">Mr. Cooper</cosponsor>, <cosponsor name-id="F000472">Mr. C. Scott Franklin of Florida</cosponsor>, <cosponsor name-id="B001313">Ms. Brown of Ohio</cosponsor>, <cosponsor name-id="G000563">Mr. Gibbs</cosponsor>, <cosponsor name-id="L000562">Mr. Lynch</cosponsor>, and <cosponsor name-id="R000606">Mr. 
Raskin</cosponsor>) introduced the following bill; which was referred to the <committee-name committee-id="HGO00">Committee on Oversight and Reform</committee-name>, and in addition to the Committee on <committee-name committee-id="HSY00">Science, Space, and Technology</committee-name>, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned</action-desc></action><legis-type>A BILL</legis-type><official-title display="yes">To modernize Federal information security management and improve Federal cybersecurity to combat persisting and emerging threats, and for other purposes.</official-title></form><legis-body id="HE7DDAF0C59D84C01ABEBD7646CC397FA" style="OLC"><section id="H6A49F58CA8474C8E943F43C7F39BE4F6" section-type="section-one"><enum>1.</enum><header>Short title</header><text display-inline="no-display-inline">This Act may be cited as the <quote><short-title>Federal Information Security Modernization Act of 2022</short-title></quote>.</text></section><section id="H8649269AC7054F28BF603476E7A00FB8"><enum>2.</enum><header>Table of contents</header><text display-inline="no-display-inline">The table of contents for this Act is as follows:</text><toc container-level="legis-body-container" quoted-block="no-quoted-block" lowest-level="section" regeneration="yes-regeneration" lowest-bolded-level="division-lowest-bolded"><toc-entry idref="H6A49F58CA8474C8E943F43C7F39BE4F6" level="section">Sec. 1. Short title.</toc-entry><toc-entry idref="H8649269AC7054F28BF603476E7A00FB8" level="section">Sec. 2. Table of contents.</toc-entry><toc-entry idref="HAAE79B124AE74239A269B9DBA604EC18" level="section">Sec. 3. Definitions.</toc-entry><toc-entry idref="H9964469CD60847FBBC2CB5D69DCA1687" level="title">Title I—UPDATES TO FISMA</toc-entry><toc-entry idref="H5F9C49EE3BED4F5085DE84BBFBAB0C06" level="section">Sec. 101. 
Title 44 amendments.</toc-entry><toc-entry idref="H7020D9633F68409CB585DB09B61C6A27" level="section">Sec. 102. Amendments to subtitle III of title 40.</toc-entry><toc-entry idref="HD3CCD9076BF44E298F1D05D3B4DA5493" level="section">Sec. 103. Actions to enhance Federal incident response.</toc-entry><toc-entry idref="H78BEA894978549E4A1F77095DF5E85B0" level="section">Sec. 104. Additional guidance to agencies on FISMA updates.</toc-entry><toc-entry idref="H5EB6C4058EA04EAFB5F3DA6EBC688003" level="section">Sec. 105. Agency requirements to notify private sector entities impacted by incidents.</toc-entry><toc-entry idref="H2700C9C58070450B850A4CF552AE7661" level="title">Title II—IMPROVING FEDERAL CYBERSECURITY</toc-entry><toc-entry idref="HF032500C82B64E9B83F8578E14B2FD77" level="section">Sec. 201. Mobile security standards.</toc-entry><toc-entry idref="HF67A05FF8B11493F83A55660D0AE7503" level="section">Sec. 202. Data and logging retention for incident response.</toc-entry><toc-entry idref="H51F7A645A8754CCDA842117F80E5290B" level="section">Sec. 203. Federal penetration testing policy.</toc-entry><toc-entry idref="H04A374CA03464CC0A355C1E7A3E1D8A1" level="section">Sec. 204. Ongoing threat hunting program.</toc-entry><toc-entry idref="H141F0E55B68E4D35BC50F5E865194D48" level="section">Sec. 205. Codifying vulnerability disclosure programs.</toc-entry><toc-entry idref="HA2BC7C2ED6E247D087B3C1F10A1FBC58" level="section">Sec. 206. Implementing zero trust architecture.</toc-entry><toc-entry idref="HEFCA3610BC3B4100AA0A8BAA2F0893DF" level="section">Sec. 207. GAO automation report.</toc-entry><toc-entry idref="H47677DEB2DC4497E9857DC0FD9E4C72C" level="section">Sec. 208. Extension of Federal Acquisition Security Council.</toc-entry><toc-entry idref="HCCFE8C672525482989D8F7D0C736FBE7" level="section">Sec. 209. Federal chief information security officer.</toc-entry><toc-entry idref="H4ACC2B7BA7FE4B629F7A7750AA2EE2B4" level="section">Sec. 210. 
Extension of Chief Data Officer Council.</toc-entry><toc-entry idref="H606BF863370E47FB92F04899DF87FF15" level="section">Sec. 211. Council of the inspectors general on integrity and efficiency dashboard.</toc-entry><toc-entry idref="H0E0311EA3F234A86A9448C2D8B1A164C" level="section">Sec. 212. Quantitative cybersecurity metrics.</toc-entry><toc-entry idref="H08C8E60A24D94A2FB077C9BA7089E6C1" level="title">Title III—PILOT PROGRAMS TO ENHANCE FEDERAL CYBERSECURITY</toc-entry><toc-entry idref="HF68426EB71404A13B547738812A92BFD" level="section">Sec. 301. Risk-based budget pilot.</toc-entry><toc-entry idref="H09E29A81D876498092795F2409618812" level="section">Sec. 302. Active cyber defensive study.</toc-entry><toc-entry idref="H1146AAA9774F41D8BEA6B17799D21F86" level="section">Sec. 303. Security operations center as a service pilot.</toc-entry><toc-entry idref="H9CB93E1EA9AF4BACAD88D4242AD9EFF7" level="section">Sec. 304. Endpoint detection and response as a service pilot.</toc-entry></toc></section><section id="HAAE79B124AE74239A269B9DBA604EC18"><enum>3.</enum><header>Definitions</header><text display-inline="no-display-inline">In this Act, unless otherwise specified:</text><paragraph id="H07C89CA27A4C4AD28AB3A4F7AA467A14"><enum>(1)</enum><header>Additional cybersecurity procedure</header><text>The term <term>additional cybersecurity procedure</term> has the meaning given the term in section 3552(b) of title 44, United States Code, as amended by this Act.</text></paragraph><paragraph id="H29369BE860ED40F0B61E97FFCC82CF90"><enum>(2)</enum><header>Agency</header><text>The term <term>agency</term> has the meaning given the term in section 3502 of title 44, United States Code.</text></paragraph><paragraph id="HE7E1033030264BDD8F89933FADFFD8BA"><enum>(3)</enum><header>Appropriate congressional committees</header><text>The term <term>appropriate congressional committees</term> means—</text><subparagraph id="H0F2EDF96D5B04AE7B1E2E96A504F65AB"><enum>(A)</enum><text>the Committee 
on Homeland Security and Governmental Affairs of the Senate;</text></subparagraph><subparagraph id="H48E1C0546FF74DD0875ECBE0078E2292"><enum>(B)</enum><text>the Committee on Oversight and Reform of the House of Representatives; and</text></subparagraph><subparagraph id="H152BF350FA1E407D8B29F785651B21E3"><enum>(C)</enum><text>the Committee on Homeland Security of the House of Representatives.</text></subparagraph></paragraph><paragraph id="H825775DAB09D492E95E57A8161A09A0C"><enum>(4)</enum><header>Director</header><text>The term <term>Director</term> means the Director of the Office of Management and Budget.</text></paragraph><paragraph id="HB72208E412184D469872FDD68AA0DF60"><enum>(5)</enum><header>Incident</header><text>The term <term>incident</term> has the meaning given the term in section 3552(b) of title 44, United States Code.</text></paragraph><paragraph id="H4FB465D79F5E4912A731B46FE0B7FDD3"><enum>(6)</enum><header>National security system</header><text>The term <term>national security system</term> has the meaning given the term in section 3552(b) of title 44, United States Code.</text></paragraph><paragraph id="HC4C3851564BF4FAA9D1F2FA59E472F85"><enum>(7)</enum><header>Penetration test</header><text>The term <term>penetration test</term> has the meaning given the term in section 3552(b) of title 44, United States Code, as amended by this Act.</text></paragraph><paragraph id="H4928DDAA0A444969BFD4F1AE093D5FA7"><enum>(8)</enum><header>Threat hunting</header><text>The term <term>threat hunting</term> means iteratively searching systems for threats that evade detection by automated threat detection systems.</text></paragraph><paragraph id="H22228D08152546419A4CBC20899225F4"><enum>(9)</enum><header>Zero trust architecture</header><text>The term <term>zero trust architecture</term> means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy that employs continuous monitoring, risk-based access 
controls, or system security automation techniques to address the cybersecurity principle that threats exist both inside and outside traditional network boundaries with an assumption that a breach is inevitable or has likely already occurred, and therefore employs least-privileged access for network or system users while monitoring for anomalous or malicious activity.</text></paragraph></section><title id="H9964469CD60847FBBC2CB5D69DCA1687"><enum>I</enum><header>UPDATES TO FISMA</header><section id="H5F9C49EE3BED4F5085DE84BBFBAB0C06"><enum>101.</enum><header>Title 44 amendments</header><subsection id="H8EAA06AA14D24B6CA77166B3665ACA94"><enum>(a)</enum><header>Subchapter I amendments</header><text>Subchapter I of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code, is amended—</text><paragraph id="H439C1490A5EE45D6991B6C089A970709"><enum>(1)</enum><text>in subsection (a)(1)(B) of section 3504—</text><subparagraph id="H8A427723252E47A3B40EDFC9D98CF418"><enum>(A)</enum><text>by striking clause (v) and inserting the following:</text><quoted-block id="H1D6A92619CC2496594E6D5C20D71B393" style="OLC"><clause id="H758F0ACF02FB4C85AFB895E28A8F1F66"><enum>(v)</enum><text>confidentiality, privacy, disclosure, and sharing of information;</text></clause><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph><subparagraph id="H9C9A54375B4F4DBC9FB1CA10A9F7B3EE"><enum>(B)</enum><text>by redesignating clause (vi) as clause (vii); and</text></subparagraph><subparagraph id="H3B4A415310664C748C33F1164BF7245D"><enum>(C)</enum><text>by inserting after clause (v) the following:</text><quoted-block id="HB8394CB556C34FE8B7E559750DAC1FF1" style="OLC"><clause id="HD34C143622C84708B4C1CC597A6342B8"><enum>(vi)</enum><text display-inline="yes-display-inline">in consultation with the National Cyber Director, confidentiality and security of information; 
and</text></clause><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph></paragraph><paragraph id="HC6B20C8B903741A39935472848856EBA"><enum>(2)</enum><text>in section 3505—</text><subparagraph id="HE91FE1F2BD8D4D59AA58327CC845993D"><enum>(A)</enum><text>in paragraph (2) of the first subsection designated as subsection (c) by adding <quote>discovery of internet-accessible information systems and assets, as well as</quote> after <quote>an inventory under this subsection shall include</quote>;</text></subparagraph><subparagraph id="HCDD608F5DC55444FBE0B255851A4DFD1"><enum>(B)</enum><text>in paragraph (3) of the first subsection designated as subsection (c)—</text><clause id="H1D930E1904FC4BEEA174F2BB7CE51511"><enum>(i)</enum><text>in subparagraph (B)—</text><subclause id="HD531DE768488493FBEAA3DE70FA6C4EB"><enum>(I)</enum><text>by inserting <quote>the Secretary of Homeland Security acting through the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, and</quote> before <quote>the Comptroller General</quote>; and</text></subclause><subclause id="HCC55B53BADBF4D1F861DBEC01D6BC4FB"><enum>(II)</enum><text>by striking <quote>and</quote> at the end;</text></subclause></clause><clause id="H25CCCDCC58C947B9945337CB12502F59"><enum>(ii)</enum><text>in subparagraph (C)(v), by striking the period at the end and inserting <quote>; and</quote>; and</text></clause><clause id="H1208E29FCCFC4CEAB95C3A9DAC50B7D5"><enum>(iii)</enum><text>by adding at the end the following:</text><quoted-block id="H60FCDE40500741608C5DC9399F7D92F4" style="OLC"><subparagraph id="H0DB1AA8B93E24C33962F2F80A0F23DCE"><enum>(D)</enum><text>maintained on a continual basis through the use of automation, machine-readable data, and scanning wherever practicable.</text></subparagraph><after-quoted-block>; and</after-quoted-block></quoted-block></clause></subparagraph><subparagraph id="H4125579545C44370B515D855E8DD678D"><enum>(C)</enum><text>by striking 
the second subsection designated as subsection (c);</text></subparagraph></paragraph><paragraph id="HFDF027B4731A44F88320A479D3150B4C"><enum>(3)</enum><text>in section 3506—</text><subparagraph id="HD14EE722D4B1471D9BF9F296057C920C"><enum>(A)</enum><text>in subsection (a)(3), by inserting <quote>In carrying out these duties, the Chief Information Officer shall coordinate, as appropriate, with the Chief Data Officer in accordance with the designated functions under section 3520(c).</quote> after <quote>reduction of information collection burdens on the public.</quote>; and</text></subparagraph><subparagraph id="H06F3DDA816894377B3B708D18240365E"><enum>(B)</enum><text>in subsection (b)(1)(C), by inserting <quote>, availability</quote> after <quote>integrity</quote>; and</text></subparagraph></paragraph><paragraph id="H226EAFE1DD8F464FBAECEFC30082BB04"><enum>(4)</enum><text>in section 3513—</text><subparagraph id="H7A572A3F14B34AC1B185F2EBCC12A832"><enum>(A)</enum><text>by redesignating subsection (c) as subsection (d); and</text></subparagraph><subparagraph id="H5404BEC8BB0C4022A8BBB3ABF49D9F03"><enum>(B)</enum><text>by inserting after subsection (b) the following:</text><quoted-block id="H727F25346DB14BAA926A2AA548B13C01" style="OLC"><subsection id="H8271991EE32E4A0BBF142A9C7A061D40"><enum>(c)</enum><text>Each agency providing a written plan under subsection (b) shall provide any portion of the written plan addressing information security to the National Cyber Director.</text></subsection><after-quoted-block>.</after-quoted-block></quoted-block></subparagraph></paragraph></subsection><subsection id="H88FD40DE0B9B4E0B94E2FA98D873BC11"><enum>(b)</enum><header>Subchapter II definitions</header><paragraph id="HE5790F942A8E4D27934D445A74BC5408"><enum>(1)</enum><header>In general</header><text>Section 3552(b) of title 44, United States Code, is amended—</text><subparagraph id="HCDB2740D37B54B0BAB595F372649569A"><enum>(A)</enum><text>by redesignating paragraphs (1), (2), 
(3), (4), (5), (6), and (7) as paragraphs (2), (4), (5), (6), (7), (9), and (11), respectively;</text></subparagraph><subparagraph id="H2ED0C8A619774BA38C126CD79E20A329"><enum>(B)</enum><text>by inserting before paragraph (2), as so redesignated, the following:</text><quoted-block id="H872216B108B84183A439657B862DC562" style="OLC"><paragraph id="H818A2781C25A4CFFBC5513A4052E8D95"><enum>(1)</enum><text>The term <term>additional cybersecurity procedure</term> means a process, procedure, or other activity that is established in excess of the information security standards promulgated under section 11331(b) of title 40 to increase the security and reduce the cybersecurity risk of agency systems.</text></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph><subparagraph id="H30D02A2991F64793AC41E7EF50C7EEAF"><enum>(C)</enum><text>by inserting after paragraph (2), as so redesignated, the following:</text><quoted-block id="HF82F3DA5D9E84DB3975E64499533B41E" style="OLC"><paragraph id="H41A3AF1BD80C44A7AE3632ADC6F5F07D"><enum>(3)</enum><text>The term <term>high value asset</term> means information or an information system that the head of an agency determines, using policies, principles, standards, or guidelines issued by the Director under section 3553(a), to be so critical to the agency that the loss or corruption of the information or the loss of access to the information system would have a serious impact on the ability of the agency to perform the mission of the agency or conduct business.</text></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph><subparagraph id="H516F6B6AD2064D259C5E23ECC4806C08"><enum>(D)</enum><text>by inserting after paragraph (7), as so redesignated, the following:</text><quoted-block style="USC" id="HE2FCE72409D54DF6999D1EAEB8CDE3E6" display-inline="no-display-inline"><paragraph id="H67B46C62972945D193ADDBC9025ED85A"><enum>(8)</enum><text display-inline="yes-display-inline">The term 
<term>major incident</term> has the meaning given the term in guidance issued by the Director under section 3598(a).</text></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph><subparagraph id="H7A463954EDA14308A617E0C205AC32EC"><enum>(E)</enum><text>by inserting after paragraph (9), as so redesignated, the following:</text><quoted-block id="HB98A6BEFC917489098B8A4B14E2F1947" style="OLC"><paragraph id="H971E2CE4E7424897AEA0FCE7A960B59D"><enum>(10)</enum><text>The term <term>penetration test</term> has the meaning given the term in guidance issued by the Director.</text></paragraph><after-quoted-block>; and</after-quoted-block></quoted-block></subparagraph><subparagraph id="HAA75CB26FFBF4A8D9AA57D49DC9C40BC"><enum>(F)</enum><text>by inserting after paragraph (11), as so redesignated, the following:</text><quoted-block id="H82A4CB5C6406495CB30C3F957ED7E6CF" style="OLC"><paragraph id="H78BEA0C7171C4665A10F9E04E0FCDDAF"><enum>(12)</enum><text>The term <term>shared service</term> means a centralized business or mission capability that is provided to multiple organizations within an agency or to multiple agencies.</text></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></subparagraph></paragraph><paragraph id="H6003A82F636B404BA4834A0956859EFB"><enum>(2)</enum><header>Conforming amendments</header><subparagraph id="H61081F39A121459E8F1DB5B87596D0AA"><enum>(A)</enum><header>Homeland security act of 2002</header><text>Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (<external-xref legal-doc="usc" parsable-cite="usc/6/511">6 U.S.C. 
511(1)(A)</external-xref>) is amended by striking <quote>section 3552(b)(5)</quote> and inserting <quote>section 3552(b)</quote>.</text></subparagraph><subparagraph id="H957C4933534A40F98508553ACE6F0214"><enum>(B)</enum><header>Title 10</header><clause id="H5D0649F64DAD42D992832A7D89398E85"><enum>(i)</enum><header>Section 2222</header><text>Section 2222(i)(8) of title 10, United States Code, is amended by striking <quote>section 3552(b)(6)(A)</quote> and inserting <quote>section 3552(b)(9)(A)</quote>.</text></clause><clause id="H5F48FE474D0144C281FD4DB1FD3B7171"><enum>(ii)</enum><header>Section 2223</header><text>Section 2223(c)(3) of title 10, United States Code, is amended by striking <quote>section 3552(b)(6)</quote> and inserting <quote>section 3552(b)</quote>.</text></clause><clause id="H8EA2CB91CA9546D5B99CAA96773F1567"><enum>(iii)</enum><header>Section 2315</header><text>Section 2315 of title 10, United States Code, is amended by striking <quote>section 3552(b)(6)</quote> and inserting <quote>section 3552(b)</quote>.</text></clause><clause id="H664EEB4D773E42CA8161121EC824E141"><enum>(iv)</enum><header>Section 2339a</header><text>Section 2339a(e)(5) of title 10, United States Code, is amended by striking <quote>section 3552(b)(6)</quote> and inserting <quote>section 3552(b)</quote>.</text></clause></subparagraph><subparagraph id="H5F35D64DDAA747749B671E7F93B906D5"><enum>(C)</enum><header>High-performance computing act of 1991</header><text>Section 207(a) of the High-Performance Computing Act of 1991 (<external-xref legal-doc="usc" parsable-cite="usc/15/5527">15 U.S.C. 
5527(a)</external-xref>) is amended by striking <quote>section 3552(b)(6)(A)(i)</quote> and inserting <quote>section 3552(b)(9)(A)(i)</quote>.</text></subparagraph><subparagraph id="H8CA7B49CD883489BA6B44D0D5AA83815"><enum>(D)</enum><header>Internet of things cybersecurity improvement act of 2020</header><text>Section 3(5) of the Internet of Things Cybersecurity Improvement Act of 2020 (<external-xref legal-doc="usc" parsable-cite="usc/15/278g-3a">15 U.S.C. 278g–3a</external-xref>) is amended by striking <quote>section 3552(b)(6)</quote> and inserting <quote>section 3552(b)</quote>.</text></subparagraph><subparagraph id="H07BF26A1341046D59FBDF03EA7555DAE"><enum>(E)</enum><header>National defense authorization act for fiscal year 2013</header><text>Section 933(e)(1)(B) of the National Defense Authorization Act for Fiscal Year 2013 (<external-xref legal-doc="usc" parsable-cite="usc/10/2224">10 U.S.C. 2224</external-xref> note) is amended by striking <quote>section 3542(b)(2)</quote> and inserting <quote>section 3552(b)</quote>.</text></subparagraph><subparagraph id="HE2CD3EBB1CBE4E9EBFCAFFA3BA3E0A45"><enum>(F)</enum><header>Ike skelton national defense authorization act for fiscal year 2011</header><text>The Ike Skelton National Defense Authorization Act for Fiscal Year 2011 (<external-xref legal-doc="public-law" parsable-cite="pl/111/383">Public Law 111–383</external-xref>) is amended—</text><clause id="H3EF6B4D545954BA294B2D264639BD7D0"><enum>(i)</enum><text>in section 806(e)(5) (<external-xref legal-doc="usc" parsable-cite="usc/10/2304">10 U.S.C. 2304</external-xref> note), by striking <quote>section 3542(b)</quote> and inserting <quote>section 3552(b)</quote>;</text></clause><clause id="H28E329D74BF94E6E831A1EB772F97CE9"><enum>(ii)</enum><text>in section 931(b)(3) (<external-xref legal-doc="usc" parsable-cite="usc/10/2223">10 U.S.C. 
2223</external-xref> note), by striking <quote>section 3542(b)(2)</quote> and inserting <quote>section 3552(b)</quote>; and</text></clause><clause id="H9F3F9FE4F8614ABCB4D7DA2584FCE881"><enum>(iii)</enum><text>in section 932(b)(2) (<external-xref legal-doc="usc" parsable-cite="usc/10/2224">10 U.S.C. 2224</external-xref> note), by striking <quote>section 3542(b)(2)</quote> and inserting <quote>section 3552(b)</quote>.</text></clause></subparagraph><subparagraph id="H55216F1B64DD45A6B82444BA92C0E156"><enum>(G)</enum><header>E-government act of 2002</header><text>Section 301(c)(1)(A) of the E–Government Act of 2002 (<external-xref legal-doc="usc" parsable-cite="usc/44/3501">44 U.S.C. 3501</external-xref> note) is amended by striking <quote>section 3542(b)(2)</quote> and inserting <quote>section 3552(b)</quote>.</text></subparagraph><subparagraph id="H315228E0BD0E486D853E2871392AED5B"><enum>(H)</enum><header>National institute of standards and technology act</header><text>Section 20 of the National Institute of Standards and Technology Act (<external-xref legal-doc="usc" parsable-cite="usc/15/278g-3">15 U.S.C. 
278g–3</external-xref>) is amended—</text><clause id="H118BDC3A40214B79B7DCAE6652991DA3"><enum>(i)</enum><text>in subsection (a)(2), by striking <quote>section 3552(b)(5)</quote> and inserting <quote>section 3552(b)</quote>; and</text></clause><clause id="HFD239091FB3248919B13AC17B1044441"><enum>(ii)</enum><text>in subsection (f)—</text><subclause id="H7A79C74B1FD8453BB1ABFC281356FE1B"><enum>(I)</enum><text>in paragraph (3), by striking <quote>section 3532(1)</quote> and inserting <quote>section 3552(b)</quote>; and</text></subclause><subclause id="H5AD806B3435245F4B4355EB97646A813"><enum>(II)</enum><text>in paragraph (5), by striking <quote>section 3532(b)(2)</quote> and inserting <quote>section 3552(b)</quote>.</text></subclause></clause></subparagraph></paragraph></subsection><subsection id="H7C81BCE7636146AEBCD9F08B84E408E2"><enum>(c)</enum><header>Subchapter II amendments</header><text>Subchapter II of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code, is amended—</text><paragraph id="HFCD86131C96F489E86FCA302961A7CDE"><enum>(1)</enum><text>in section 3551—</text><subparagraph id="H51AF8612E5004CB1A2D91B33678ABC16"><enum>(A)</enum><text>in paragraph (4), by striking <quote>diagnose and improve</quote> and inserting <quote>integrate, deliver, diagnose, and improve</quote>;</text></subparagraph><subparagraph id="H45076A7DC52A42E8B66972DC712F9A96"><enum>(B)</enum><text>in paragraph (5), by striking <quote>and</quote> at the end;</text></subparagraph><subparagraph id="HD2215AAF1BF24C2495C8946647437B86"><enum>(C)</enum><text>in paragraph (6), by striking the period at the end and inserting a semicolon; and</text></subparagraph><subparagraph id="H6AF82DF3284842DA90BF5BB727754F7A"><enum>(D)</enum><text>by adding at the end the following:</text><quoted-block id="H3A4DDAD2698A400EBBE067D7D65B0F4E" style="OLC"><paragraph 
id="H55F8484257084643A21141E3CE07704E"><enum>(7)</enum><text>recognize that each agency has specific mission requirements and, at times, unique cybersecurity requirements to meet the mission of the agency;</text></paragraph><paragraph id="H73007950402E47CEB266F71B32303E1F"><enum>(8)</enum><text>recognize that each agency does not have the same resources to secure agency systems, and an agency should not be expected to have the capability to secure the systems of the agency from advanced adversaries alone; and</text></paragraph><paragraph id="HC9DE15CAFACF4A019A2EF555AAB6805E"><enum>(9)</enum><text>recognize that a holistic Federal cybersecurity model is necessary to account for differences between the missions and capabilities of agencies.</text></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph></paragraph><paragraph id="H87DC7E0D5B674350954439BA36EC470A" commented="no"><enum>(2)</enum><text>in section 3553—</text><subparagraph id="H113C71903A0E463D8CF539D25539C3AF" commented="no"><enum>(A)</enum><text>in subsection (a)—</text><clause id="H14869C0177784B61AC63920749CBE539" commented="no"><enum>(i)</enum><text>in paragraph (5), by striking <quote>and</quote> at the end;</text></clause><clause id="HA269215235994DC08612D852FABC4359" commented="no"><enum>(ii)</enum><text>in paragraph (6), by striking the period at the end and inserting <quote>; and</quote>; and</text></clause><clause id="H81A5605D04094265B4DDBC53526299D6" commented="no"><enum>(iii)</enum><text>by adding at the end the following:</text><quoted-block id="HF949509AA93540659776D685D74E89BE" style="OLC"><paragraph id="H6D71D14ED17A475C9AF92430F843C350" commented="no"><enum>(7)</enum><text>promoting, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, and the Director of the National Institute of Standards and Technology—</text><subparagraph id="H2675D394F1A849198BBDCBA5B0536586" 
commented="no"><enum>(A)</enum><text>the use of automation to improve Federal cybersecurity and visibility with respect to the implementation of Federal cybersecurity; and</text></subparagraph><subparagraph id="H7B7A22F73E74473A9D523F5AA7720BC4" commented="no"><enum>(B)</enum><text display-inline="yes-display-inline">the use of zero trust architecture to improve resiliency and timely response actions to incidents on Federal systems.</text></subparagraph></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></clause></subparagraph><subparagraph id="H30D73DD5801F422F8573623902049588" commented="no"><enum>(B)</enum><text>in subsection (b)—</text><clause id="HEA49F17AC43645EC94AF3B091C3109A5" commented="no"><enum>(i)</enum><text>in the matter preceding paragraph (1), by striking <quote>The Secretary, in consultation with the Director</quote> and inserting <quote>The Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency and in consultation with the Director and the National Cyber Director</quote>;</text></clause><clause id="H49D70B0DF0EF4884BA036EF68580CC83" commented="no"><enum>(ii)</enum><text>in paragraph (2)(A), by inserting <quote>and reporting requirements under subchapter IV of this chapter</quote> after <quote>section 3556</quote>;</text></clause><clause id="HE93AC7AA905943628159018F276538DB"><enum>(iii)</enum><text>by redesignating paragraphs (8) and (9) as paragraphs (9) and (10), respectively; and</text></clause><clause id="H0E163FDD5AAD474FA3A6A184CCB8E357"><enum>(iv)</enum><text>by inserting after paragraph (7) the following:</text><quoted-block id="HE520355D532F442A8306D5B6090069D2" style="OLC"><paragraph id="H99F2DC2F06564B3EBA8FF78EDA1DAA40"><enum>(8)</enum><text>expeditiously seek opportunities to reduce costs, administrative burdens, and other barriers to information technology security and modernization for Federal agencies, including through—</text><subparagraph 
id="HA4DEF83590DC4F25ACC99BB8C9E44994"><enum>(A)</enum><text>central shared services contracts for cybersecurity capabilities identified as optimal by the Director, in coordination with the Secretary acting through the Director of the Cybersecurity and Infrastructure Security Agency and other agencies as appropriate; and</text></subparagraph><subparagraph id="H54F4C0EA03E74202BB24AC591C5ADFDD"><enum>(B)</enum><text>offering technical assistance and expertise to agencies on the selection and successful engagement of highly adaptive cybersecurity service contracts and other relevant contracts provided by the U.S. General Services Administration.</text></subparagraph></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></clause></subparagraph><subparagraph id="H1D01EB70764844E8A0C9E38691FE87B9" commented="no"><enum>(C)</enum><text>in subsection (c)—</text><clause id="H021116185E55404B8D70E2DDC53380CE" commented="no"><enum>(i)</enum><text>in the matter preceding paragraph (1), by striking <quote>each year</quote> and inserting <quote>each year during which agencies are required to submit reports under section 3554(c)</quote> and by striking <quote>preceding year</quote> and inserting <quote>preceding two years</quote>;</text></clause><clause id="H76A50C0F0E6C461892460D447EFDFAA5" commented="no"><enum>(ii)</enum><text>by striking paragraph (1);</text></clause><clause id="H50ABAC865E2647878AC4A815E9B9BFA6" commented="no"><enum>(iii)</enum><text>by redesignating paragraphs (2), (3), and (4) as paragraphs (1), (2), and (3), respectively;</text></clause><clause id="H147B6494D16940DBB48315B6F4D1FF72" commented="no"><enum>(iv)</enum><text>in paragraph (3), as so redesignated, by striking <quote>and</quote> at the end; and</text></clause><clause id="HFD114C50056B4A77A036A481F3C559EF" commented="no"><enum>(v)</enum><text>by inserting after paragraph (3), as so redesignated, the following:</text><quoted-block id="H67E18ED46C5F401BB97A5B1187D06A97" 
style="OLC"><paragraph id="H4E4A96A4543F4397B54B734757B55D9A" commented="no"><enum>(4)</enum><text>a summary of each assessment of Federal risk posture performed under subsection (i); and</text></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></clause></subparagraph><subparagraph id="HE8306E88B436463DAF29AB92630B618D" commented="no"><enum>(D)</enum><text>by redesignating subsections (i), (j), (k), and (l) as subsections (j), (k), (l), and (m), respectively;</text></subparagraph><subparagraph id="H5D4FF2019A7244758872E29DF7B90A80"><enum>(E)</enum><text>in subsection (h)—</text><clause id="H024ECFBD3B064580B9D2590F61A2A1F2"><enum>(i)</enum><text>in paragraph (2)(A), by inserting <quote>and the National Cyber Director</quote> after <quote>in coordination with the Director</quote>;</text></clause><clause id="H78A2FD4D28CF4A4EA5DEF1A10F4FA3AE"><enum>(ii)</enum><text>in paragraph (2)(D), by inserting <quote>, the National Cyber Director,</quote> after <quote>notify the Director</quote>; and</text></clause><clause id="H78069F75E6D4477CABC45795175D752B"><enum>(iii)</enum><text>in paragraph (3)(A)(iv), by inserting <quote>, the National Cyber Director,</quote> after <quote>the Secretary provides prior notice to the Director</quote>;</text></clause></subparagraph><subparagraph id="H1A72A316B15844789159AD7B05B43858" commented="no"><enum>(F)</enum><text>by inserting after subsection (h) the following:</text><quoted-block id="H6DBA81E034AC4233B36783F079E4F737" style="OLC"><subsection id="HB399C9E8BDBF41AAB6C38BE39CCF3AAF" commented="no"><enum>(i)</enum><header>Federal risk assessments</header><text>On an ongoing and continuous basis, the Director of the Cybersecurity and Infrastructure Security Agency shall perform assessments using any available information on the cybersecurity posture of agencies, and brief the Director and the National Cyber Director on the findings of those assessments, including—</text><paragraph 
id="H5106FE445E85418FB78C79E92A096CE1" commented="no"><enum>(1)</enum><text>the status of agency cybersecurity remedial actions described in section 3554(b)(7);</text></paragraph><paragraph id="H505DFBC7141E4DFB8F5D7807AE1DBDFE" commented="no"><enum>(2)</enum><text>any vulnerability information relating to the systems of an agency that is known by the agency;</text></paragraph><paragraph id="H1447A5ED892942BFBD0E48E788334121" commented="no"><enum>(3)</enum><text>analysis of incident information under section 3597;</text></paragraph><paragraph id="H545CB11979A14AA5988E7688924B3458" commented="no"><enum>(4)</enum><text>evaluation of penetration testing performed under section 3559A;</text></paragraph><paragraph id="HA83AB911B7504B25B063C42A1B256A20" commented="no"><enum>(5)</enum><text>evaluation of vulnerability disclosure program information under section 3559B;</text></paragraph><paragraph id="H40F29BC25E3B40809DE248FACEBF8A07" commented="no"><enum>(6)</enum><text>evaluation of agency threat hunting results;</text></paragraph><paragraph id="H6E76D4E43AB54147ABEF54BE5F5B0E18" commented="no"><enum>(7)</enum><text>evaluation of Federal and non-Federal cyber threat intelligence;</text></paragraph><paragraph id="H323C7FB1A4AD42D8A6ACAC3F8FA9CA28" commented="no"><enum>(8)</enum><text>data on agency compliance with standards issued under section 11331 of title 40;</text></paragraph><paragraph id="HD9C126CDDADE4A5B86278699D5820409" commented="no"><enum>(9)</enum><text>agency system risk assessments performed under section 3554(a)(1)(A); and</text></paragraph><paragraph id="HC4838D42A44749F29D668A704E496BC4" commented="no"><enum>(10)</enum><text>any other information the Director of the Cybersecurity and Infrastructure Security Agency determines relevant.</text></paragraph></subsection><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph><subparagraph id="H6545307DEB574AE5B53B443C8F614816" commented="no"><enum>(G)</enum><text>in subsection (j), as so 
redesignated—</text><clause id="H5C20C6583E66499EBC701A4B0ACA4440"><enum>(i)</enum><text display-inline="yes-display-inline">by striking <quote>Not later than</quote> and inserting:</text><quoted-block style="OLC" id="H6A6CF6048E324838B4ECEDB7C8568A21" display-inline="no-display-inline"><paragraph id="H4127EC08080742348ABBAB7E4007EED3"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">Not later than</text></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></clause><clause id="HE6773FDAC47C4C7F99ECE487F2A0CF6F" commented="no"><enum>(ii)</enum><text>by striking <quote>regarding the specific</quote> and inserting </text><quoted-block id="H3623279EE0944E43A3EAE8DB4AB951BC" style="OLC" display-inline="yes-display-inline"><text>that includes a summary of—</text><subparagraph id="H64962F92274A4210B004ADDD1B8C79FE" commented="no"><enum>(A)</enum><text>the specific</text></subparagraph><after-quoted-block>;</after-quoted-block></quoted-block></clause><clause id="H640E05C477D7419CB847157F98C4EA00" commented="no"><enum>(iii)</enum><text>in paragraph (1), as so designated, by striking the period at the end and inserting <quote>; and</quote>; and </text></clause><clause id="HDCA85E838F7E440CB3FC1B7C188DA3D1" commented="no"><enum>(iv)</enum><text>by adding at the end the following:</text><quoted-block id="H62C2F8F5A29245D0958C03CB21436C95" style="OLC"><subparagraph id="HC0E7F691F8254666A0939ADCA8C0186E" commented="no"><enum>(B)</enum><text>the trends identified in the Federal risk assessments performed under subsection (i).</text></subparagraph><paragraph id="H2988DFD3C8604AEDBF26A1D5F1997D56"><enum>(2)</enum><header>Form</header><text display-inline="yes-display-inline">The report required under paragraph (1) shall be unclassified but may include a classified annex.</text></paragraph><after-quoted-block>; and</after-quoted-block></quoted-block></clause></subparagraph><subparagraph id="H1102391A3DE24535BBC8A8664967493A" 
commented="no"><enum>(H)</enum><text>by adding at the end the following:</text><quoted-block id="HF2A1675BB21D4706B52E7314D3E198CE" style="OLC"><subsection id="H14DCFCA3BD38418EB0970D745313C626" commented="no"><enum>(n)</enum><header>Binding operational directives</header><text>If the Director of the Cybersecurity and Infrastructure Security Agency issues a binding operational directive or an emergency directive under this section, not later than 7 days after the date on which the binding operational directive requires an agency to take an action, the Director of the Cybersecurity and Infrastructure Security Agency shall provide to the Director and National Cyber Director the status of the implementation of the binding operational directive at the agency.</text></subsection><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph></paragraph><paragraph id="H6C01C679DF6D4E65A3362474AD7E6610"><enum>(3)</enum><text>in section 3554—</text><subparagraph id="HA6BE13CF48E64B7D9DBE9D45143DF4EE"><enum>(A)</enum><text>in subsection (a)—</text><clause id="H0ABDBB08AB0E49F1B89944229AEBC07E"><enum>(i)</enum><text>in paragraph (1)—</text><subclause id="H909732020D824A65B24D1DECE798D842"><enum>(I)</enum><text>by redesignating subparagraphs (A), (B), and (C) as subparagraphs (B), (C), and (D), respectively;</text></subclause><subclause id="H6B0F5C7C6C79422FB1583472A48E9F94"><enum>(II)</enum><text>by inserting before subparagraph (B), as so redesignated, the following:</text><quoted-block id="H421513DCF556439C871F38AF662A9B82" style="OLC"><subparagraph id="HD220D4208EA7490692D959A57FC0AD29"><enum>(A)</enum><text>on an ongoing and continuous basis, performing an agency system risk assessment that—</text><clause id="H643B3FF6825C42CABB1418539791E4E1"><enum>(i)</enum><text>identifies and documents the high value assets of the agency using guidance from the Director;</text></clause><clause id="H67AD5F4DD0CC4DFA8A33C3554C5F906B"><enum>(ii)</enum><text>evaluates the data 
assets inventoried under section 3511 for sensitivity to compromises in confidentiality, integrity, and availability;</text></clause><clause id="H55FE81D857B040B0B3C1D32AEEA102FF"><enum>(iii)</enum><text>identifies agency systems that have access to or hold the data assets inventoried under section 3511;</text></clause><clause id="H9E813F783C4246AD87AF47C184A5A6FD"><enum>(iv)</enum><text>evaluates the threats facing agency systems and data, including high value assets, based on Federal and non-Federal cyber threat intelligence products, where available;</text></clause><clause id="H94909EB4F5FB418C9013F768EBE8BD20"><enum>(v)</enum><text>evaluates the vulnerability of agency systems and data, including high value assets, including by analyzing—</text><subclause id="HE3DFF783ACEE4ABA8C350A52AFA31236"><enum>(I)</enum><text>the results of penetration testing performed by the Department of Homeland Security under section 3553(b)(9);</text></subclause><subclause id="HE3AFB95F91064B3AB269809675EFB490"><enum>(II)</enum><text>the results of penetration testing performed under section 3559A;</text></subclause><subclause id="H47B3CAFB9F884D53BD577B1A0F3F6351"><enum>(III)</enum><text>information provided to the agency through the vulnerability disclosure program of the agency under section 3559B;</text></subclause><subclause id="H2E1F78CC3A3644DBA4CD3A8917097813"><enum>(IV)</enum><text>incidents; and</text></subclause><subclause id="HFEBF0A6A584E425986EF0CC3D09DA8E7"><enum>(V)</enum><text>any other vulnerability information relating to agency systems that is known to the agency;</text></subclause></clause><clause id="HC170CB0390AB4867963479EB682307C5"><enum>(vi)</enum><text>assesses the impacts of potential agency incidents to agency systems, data, and operations based on the evaluations described in clauses (ii) and (iv) and the agency systems identified under clause (iii); and</text></clause><clause id="H34DAE76C9F304404B71B1E011AA4AAFE"><enum>(vii)</enum><text>assesses the 
consequences of potential incidents occurring on agency systems that would impact systems at other agencies, including due to interconnectivity between different agency systems or operational reliance on the operations of the system or data in the system;</text></clause></subparagraph><after-quoted-block>;</after-quoted-block></quoted-block></subclause><subclause id="HDF49A76C0A764074A09EA7179DBE192A"><enum>(III)</enum><text>in subparagraph (B), as so redesignated, in the matter preceding clause (i), by striking <quote>providing information</quote> and inserting <quote>using information from the assessment conducted under subparagraph (A), providing information</quote>;</text></subclause><subclause id="HFD22DF401C324583B831C3C9633D3816"><enum>(IV)</enum><text>in subparagraph (C), as so redesignated—</text><item id="H36DD470B2F414B5D958C1394F9169A2E"><enum>(aa)</enum><text>in clause (ii) by inserting <quote>binding</quote> before <quote>operational</quote>; and</text></item><item id="HA2A57CC30FC649FB812473770B611B4B"><enum>(bb)</enum><text>in clause (vi), by striking <quote>and</quote> at the end; and</text></item></subclause><subclause id="HBBA56794431247EDB9681B41BC822B72"><enum>(V)</enum><text>by adding at the end the following:</text><quoted-block id="H404AC40DBFD747FA8A78DA6C0211AD78" style="OLC"><subparagraph id="HD8AFA34A52EE4BF28B53B6FC62AD67D1"><enum>(E)</enum><text>providing an update on the ongoing and continuous assessment performed under subparagraph (A)—</text><clause id="HB49822C454B04B47862EE50D4B4C0167"><enum>(i)</enum><text>upon request, to the inspector general of the agency or the Comptroller General of the United States; and</text></clause><clause id="H13008571246E41E3A788B0461189A0EE"><enum>(ii)</enum><text>on a periodic basis, as determined by guidance issued by the Director but not less frequently than every 2 years, to—</text><subclause id="HA3FB2A3AB19A49B38AC6978335DF665E"><enum>(I)</enum><text>the Director;</text></subclause><subclause 
id="H236AE36A9ED74E4CBE5AE0CD0F010D55"><enum>(II)</enum><text>the Director of the Cybersecurity and Infrastructure Security Agency; and</text></subclause><subclause id="HC6581374DD374861810B0D38A3A60496"><enum>(III)</enum><text>the National Cyber Director;</text></subclause></clause></subparagraph><subparagraph id="H2920E2577FCE4FEE91A98022061E88F1"><enum>(F)</enum><text>in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and not less frequently than once every 3 years, performing an evaluation of whether additional cybersecurity procedures are appropriate for securing a system of, or under the supervision of, the agency, which shall—</text><clause id="H8A9BCF027B094E6A98D98B20DEAE1A40"><enum>(i)</enum><text>be completed considering the agency system risk assessment performed under subparagraph (A); and</text></clause><clause id="H6FD61F987A5B4B06A023C9289E828397"><enum>(ii)</enum><text>include a specific evaluation for high value assets;</text></clause></subparagraph><subparagraph id="H03C1B8886DF74B839C46B85C5B57C2B1"><enum>(G)</enum><text>not later than 30 days after completing the evaluation performed under subparagraph (F), providing the evaluation and an implementation plan, if applicable, for using additional cybersecurity procedures determined to be appropriate to—</text><clause id="H83490B6C08294FBABBE2FFF1A2E080B2"><enum>(i)</enum><text>the Director of the Cybersecurity and Infrastructure Security Agency;</text></clause><clause id="HBCB95B03E947449FAECB81FDBAC80553"><enum>(ii)</enum><text>the Director; and</text></clause><clause id="HAAF223FDAD5045A69511B61E27C2A242"><enum>(iii)</enum><text>the National Cyber Director; and</text></clause></subparagraph><subparagraph id="H81464E66081944E28B3D3C9791447302"><enum>(H)</enum><text>if the head of the agency determines there is need for additional cybersecurity procedures, ensuring that those additional cybersecurity procedures are reflected in the budget request of the 
agency;</text></subparagraph><after-quoted-block>; and</after-quoted-block></quoted-block></subclause></clause><clause id="HCA9916BA893041E8B5BE007469792FCE"><enum>(ii)</enum><text>in paragraph (2)—</text><subclause id="H3E8FF73CCDE14438A60BAD116959C91E"><enum>(I)</enum><text>in subparagraph (A), by inserting <quote>in accordance with the agency system risk assessment performed under paragraph (1)(A)</quote> after <quote>information systems</quote>;</text></subclause><subclause id="HE7BB92CA5A7446168F4B3F4FFAC25165"><enum>(II)</enum><text>in subparagraph (B)—</text><item id="HF42BA54927B74942947E78FFBC9E17E2"><enum>(aa)</enum><text>by striking <quote>in accordance with standards</quote> and inserting </text><quoted-block id="H42044CE035654739875780EF692486BF" style="OLC" display-inline="yes-display-inline"><text>in accordance with—</text><clause id="H8E5E3643863642A1B77DC9DDCE860670"><enum>(i)</enum><text>standards</text></clause><after-quoted-block>; and</after-quoted-block></quoted-block></item><item id="HE387F198F57C498CBADB82AC0D71837C"><enum>(bb)</enum><text>by adding at the end the following:</text><quoted-block id="H5A49954BA21847C88AA07E156AFA4E50" style="OLC"><clause id="H8BC012A3A48A42E29C873618689F7F79"><enum>(ii)</enum><text>the evaluation performed under paragraph (1)(F); and</text></clause><clause id="H40744C2CFFF54BCA9FD9A1A34D52EE65"><enum>(iii)</enum><text>the implementation plan described in paragraph (1)(G);</text></clause><after-quoted-block>; and</after-quoted-block></quoted-block></item></subclause><subclause id="H04F9482258C6484E8E1E88A2B14EBC43"><enum>(III)</enum><text>in subparagraph (D), by inserting <quote>, through the use of penetration testing, the vulnerability disclosure program established under section 3559B, and other means,</quote> after <quote>periodically</quote>;</text></subclause></clause></subparagraph><subparagraph id="HBAE11F8D0C9F447DAEF4E23D70E1E256"><enum>(B)</enum><text>in subsection (b)—</text><clause 
id="HB3A7EF7D4F0146E790A2F4FC5E50ADC4"><enum>(i)</enum><text>by striking paragraph (1) and inserting the following:</text><quoted-block id="H401B1783431449AFBD647D34F24CD45A" style="OLC"><paragraph id="HA4BC094CEB81462692E0C616E104AB68"><enum>(1)</enum><text>pursuant to subsection (a)(1)(A), performing ongoing and continuous agency system risk assessment, which may include using automated tools consistent with standards and guidelines promulgated under section 11331 of title 40, as applicable;</text></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></clause><clause id="H84040AA9A0C848899232280C87849AB9"><enum>(ii)</enum><text>in paragraph (2)(D)—</text><subclause id="H1F97F345A11E4CE4AFAEF1E1C2C3ADE4"><enum>(I)</enum><text>by redesignating clauses (iii) and (iv) as clauses (iv) and (v), respectively;</text></subclause><subclause id="HD9F68800E3E1497191D1E183D2A8BA5B"><enum>(II)</enum><text>by inserting after clause (ii) the following:</text><quoted-block id="HB8AA1108FC6A42A79EB5F076E81C437C" style="OLC"><clause id="H98B22081D72D4C60A1394A5815E82033"><enum>(iii)</enum><text>binding operational directives and emergency directives promulgated by the Director of the Cybersecurity and Infrastructure Security Agency under section 3553;</text></clause><after-quoted-block>; and</after-quoted-block></quoted-block></subclause><subclause id="H6C55C6C3AF5748F4BAA312F4FD8B5D43"><enum>(III)</enum><text>in clause (iv), as so redesignated, by striking <quote>as determined by the agency; and</quote> and inserting <quote>as determined by the agency, considering the agency risk assessment performed under subsection (a)(1)(A).</quote>;</text></subclause></clause><clause id="H9D634BC493474EACACBD17EFA4480E38"><enum>(iii)</enum><text>in paragraph (5)(A), by inserting <quote>, including penetration testing, as appropriate,</quote> after <quote>shall include testing</quote>;</text></clause><clause id="H570D5057DD864789BED1392A8AF4D469"><enum>(iv)</enum><text>by 
redesignating paragraphs (7) and (8) as paragraphs (8) and (9), respectively;</text></clause><clause id="HE0BE87330C544DEC91E337C9C3D22FAA"><enum>(v)</enum><text>by inserting after paragraph (6) the following:</text><quoted-block id="H69D156A4A7B24A85942B6AAE3F22C2C5" style="OLC"><paragraph id="H46B6259414304AA7A43D12F79A02E325"><enum>(7)</enum><text>a process for providing the status of every remedial action, as well as unremediated identified system vulnerabilities, to the Director and the Director of the Cybersecurity and Infrastructure Security Agency, using automation and machine-readable data to the greatest extent practicable;</text></paragraph><after-quoted-block>; and</after-quoted-block></quoted-block></clause><clause id="HB46A6156710041F7A0ABE4B1EDEA9728"><enum>(vi)</enum><text>in paragraph (8)(C), as so redesignated—</text><subclause id="HD3BFB683E09E4C54A3298DB51D43BBA5"><enum>(I)</enum><text>by striking clause (ii) and inserting the following:</text><quoted-block id="HAD09617ADB3F4FC081412A4E2B8AE88A" style="OLC"><clause id="H7F066679E1974634B6A1E9566193454C"><enum>(ii)</enum><text>notifying and consulting with the Federal information security incident center established under section 3556 pursuant to the requirements of section 3594;</text></clause><after-quoted-block>;</after-quoted-block></quoted-block></subclause><subclause id="HC90B5A5771E04DF8B01F47A3114C4B2C"><enum>(II)</enum><text>by redesignating clause (iii) as clause (iv);</text></subclause><subclause id="HA9DC5B30DE0B486687F99A6F4A50CA0A"><enum>(III)</enum><text>by inserting after clause (ii) the following:</text><quoted-block id="H8C9352887A7448679FE3861C37BF450D" style="OLC"><clause id="H852D87B1A76F48609122637E7FBD9776"><enum>(iii)</enum><text>performing the notifications and other activities required under subchapter IV of this chapter; and</text></clause><after-quoted-block>; and</after-quoted-block></quoted-block></subclause><subclause 
id="H7CD2E925E6684861943425E6E27D4F46"><enum>(IV)</enum><text>in clause (iv), as so redesignated—</text><item id="H31632C1E2C6844BEB2CDD5203C79C563"><enum>(aa)</enum><text>in subclause (II), by adding <quote>and</quote> at the end;</text></item><item id="HD654B0CAAD014672AF56865FFFCF77DF"><enum>(bb)</enum><text>by striking subclause (III); and</text></item><item id="H46E3D324B3DA4DE39FDBC46C5BF1A539"><enum>(cc)</enum><text>by redesignating subclause (IV) as subclause (III); and</text></item></subclause></clause></subparagraph><subparagraph id="HBFF60209150B4EB5A7959E3FACAA422F"><enum>(C)</enum><text>in subsection (c)—</text><clause id="H19F4C310384F467DB92C51487F322FEF"><enum>(i)</enum><text>by redesignating paragraph (2) as paragraph (5);</text></clause><clause id="H58474789C20046DFB4411AC632E324BB"><enum>(ii)</enum><text>by striking paragraph (1) and inserting the following:</text><quoted-block id="HA9B5F488B61440F78BA0A36BA43A537E" style="OLC"><paragraph id="HC84FCB9F0FEA4CBB8E80A3793E8F6E11"><enum>(1)</enum><header>Biannual report</header><text>Not later than 2 years after the date of the enactment of the Federal Information Security Modernization Act of 2022 and not less frequently than once every 2 years thereafter, using the continuous and ongoing agency system risk assessment under subsection (a)(1)(A), the head of each agency shall submit to the Director, the Director of the Cybersecurity and Infrastructure Security Agency, the majority and minority leaders of the Senate, the Speaker and minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Oversight and Reform of the House of Representatives, the Committee on Homeland Security of the House of Representatives, the Committee on Commerce, Science, and Transportation of the Senate, the Committee on Science, Space, and Technology of the House of Representatives, the appropriate authorization and appropriations committees of 
Congress, the National Cyber Director, and the Comptroller General of the United States a report that—</text><subparagraph id="H50156393F88B4589A703A597F4378EC8"><enum>(A)</enum><text>summarizes the agency system risk assessment performed under subsection (a)(1)(A);</text></subparagraph><subparagraph id="HA89175BFEAEB493C9A3F3CD1E542689A"><enum>(B)</enum><text>evaluates the adequacy and effectiveness of information security policies, procedures, and practices of the agency to address the risks identified in the agency system risk assessment performed under subsection (a)(1)(A), including an analysis of the agency’s cybersecurity and incident response capabilities using the metrics established under section 224(c) of the Cybersecurity Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1522">6 U.S.C. 1522(c)</external-xref>);</text></subparagraph><subparagraph id="HAE858A29ACFC4F4E806E53C47D269738"><enum>(C)</enum><text>summarizes the evaluation and implementation plans described in subparagraphs (F) and (G) of subsection (a)(1) and whether those evaluation and implementation plans call for the use of additional cybersecurity procedures determined to be appropriate by the agency; and</text></subparagraph><subparagraph id="H90A0C812CB3E40C6A9A9688E6F4E595F"><enum>(D)</enum><text>summarizes the status of remedial actions identified by inspector general of the agency, the Comptroller General of the United States, and any other source determined appropriate by the head of the agency.</text></subparagraph></paragraph><paragraph id="H44753527E50945CD81BD2E01A27ABB66"><enum>(2)</enum><header>Unclassified reports</header><text>Each report submitted under paragraph (1)—</text><subparagraph id="HF92143EB2F3B4D57814067BCF74038B5"><enum>(A)</enum><text>shall be, to the greatest extent practicable, in an unclassified and otherwise uncontrolled form; and</text></subparagraph><subparagraph id="H807E9DE368BB41398E0F31A6ABCDBE1E"><enum>(B)</enum><text>may include a 
classified annex.</text></subparagraph></paragraph><paragraph id="HBA012FC3BD3A44F99A617F6484BF1946"><enum>(3)</enum><header>Access to information</header><text>The head of an agency shall ensure that, to the greatest extent practicable, information is included in the unclassified form of the report submitted by the agency under paragraph (2)(A).</text></paragraph><paragraph id="H42966A9EB5ED4AD080C3FFA47E9934F9"><enum>(4)</enum><header>Briefings</header><text display-inline="yes-display-inline">During each year during which a report is not required to be submitted under paragraph (1), the Director shall provide to the congressional committees described in paragraph (1) a briefing summarizing current cybersecurity posture of agencies.</text></paragraph><after-quoted-block>; and</after-quoted-block></quoted-block></clause><clause id="H401DB56CAAAD4411BA29CDAE475022E2"><enum>(iii)</enum><text>in paragraph (5), as so redesignated, by inserting <quote>, including the reporting procedures established under section 11315(d) of title 40 and subsection (a)(3)(A)(v) of this section,</quote> after <quote>policies, procedures, and practices</quote>; and</text></clause></subparagraph></paragraph><paragraph id="HE50FDF82DCE94C159B58A9001211F731"><enum>(4)</enum><text>in section 3555—</text><subparagraph id="H9063ACC763564967864D259226E2377C"><enum>(A)</enum><text>in the section heading, by striking <quote><header-in-text level="section" style="OLC">Annual independent</header-in-text></quote> and inserting <quote><header-in-text level="section" style="OLC">Independent</header-in-text></quote>;</text></subparagraph><subparagraph id="HEB8463CF2AD1472D94E90D6C6D133E7A"><enum>(B)</enum><text>in subsection (a)—</text><clause id="H2DF40A12A884470D96C45F647EC673AD"><enum>(i)</enum><text>in paragraph (1), by inserting <quote>during which a report is required to be submitted under section 3553(c),</quote> after <quote>Each year</quote>;</text></clause><clause 
id="HB96C5529068E472A899A800F69246596"><enum>(ii)</enum><text>in paragraph (2)(A), by inserting <quote>, including by penetration testing and analyzing the vulnerability disclosure program of the agency</quote> after <quote>information systems</quote>; and</text></clause><clause id="H6B2610BC6857498DB3077050A66165BA"><enum>(iii)</enum><text>by adding at the end the following:</text><quoted-block id="HCD6A48D190A34331BEDC172E8D6B757D" style="OLC"><paragraph id="H2A6F77A354F54EE4B72B664CFCA2D88F"><enum>(3)</enum><text>An evaluation under this section may include recommendations for improving the cybersecurity posture of the agency.</text></paragraph><after-quoted-block>;</after-quoted-block></quoted-block></clause></subparagraph><subparagraph id="HE23F97413B3E43058CCBFA13FB1C537B"><enum>(C)</enum><text>in subsection (b)(1), by striking <quote>annual</quote>;</text></subparagraph><subparagraph id="H43D6DF771EA24264BC65BDE3BF78A95C"><enum>(D)</enum><text>in subsection (e)(1), by inserting <quote>during which a report is required to be submitted under section 3553(c)</quote> after <quote>Each year</quote>;</text></subparagraph><subparagraph id="H3C8CAC4F78224E399D0EB1A7F75B2390"><enum>(E)</enum><text>by striking subsection (f) and inserting the following:</text><quoted-block id="H151B2725590042898D75FB09C37AE42A" style="OLC"><subsection id="HC2634DAFA29D481283DEDDA43D484E4A"><enum>(f)</enum><header>Protection of information</header><paragraph commented="no" display-inline="yes-display-inline" id="H99BEFC8B641A49E4BC94DC895688271D"><enum>(1)</enum><text>Agencies, evaluators, and other recipients of information that, if disclosed, may cause grave harm to the efforts of Federal information security officers, shall take appropriate steps to ensure the protection of that information, including safeguarding the information from public disclosure.</text></paragraph><paragraph id="H833F079D0CF94F0099E4CA5CD08ACD4A" indent="up1"><enum>(2)</enum><text>The protections required 
under paragraph (1) shall be commensurate with the risk and comply with all applicable laws and regulations.</text></paragraph><paragraph id="H4F61D9834D5F4D52B3BCF09E33E7F2EE" indent="up1"><enum>(3)</enum><text>With respect to information that is not related to national security systems, agencies and evaluators shall make a summary of the information unclassified and publicly available, including information that does not identify—</text><subparagraph id="H44248262F4CE4242A1480477F323A35A"><enum>(A)</enum><text>specific information system incidents; or</text></subparagraph><subparagraph id="H2889ED62D6394478AC769E424788FF0E"><enum>(B)</enum><text>specific information system vulnerabilities.</text></subparagraph></paragraph></subsection><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph><subparagraph id="HC7D154C1A5F94A2EBDE7A85B4EE3569E"><enum>(F)</enum><text>in subsection (g)(2)—</text><clause id="H7BAD8243D9CF4262A91AD303F77007F9"><enum>(i)</enum><text>by striking <quote>this subsection shall</quote> and inserting </text><quoted-block id="H563D8F8657834727A16154BA74594E97" style="OLC" display-inline="yes-display-inline"><text>this subsection—</text><subparagraph id="H0002C8A3436F45A9AB077644A735EC2B"><enum>(A)</enum><text>shall</text></subparagraph><after-quoted-block>;</after-quoted-block></quoted-block></clause><clause id="H0E0DD7DE454244F89E213C53A7C9050C"><enum>(ii)</enum><text>in subparagraph (A), as so designated, by striking the period at the end and inserting <quote>; and</quote>; and</text></clause><clause id="HA8780147FF4B47ABB9DC7C5E26A33DB3"><enum>(iii)</enum><text>by adding at the end the following:</text><quoted-block id="HADFEB2436C24454F8A29709B6B1412EB" style="OLC"><subparagraph id="HB2D9970665A949AD84707846273E3149"><enum>(B)</enum><text>identify any entity that performs an independent evaluation under subsection (b).</text></subparagraph><after-quoted-block>; 
and</after-quoted-block></quoted-block></clause></subparagraph><subparagraph id="HF0F0597A11F94F2ABA3ADDA37B26163F"><enum>(G)</enum><text>striking subsection (j); and</text></subparagraph></paragraph><paragraph id="H98402C629A704DC581EBAD089F06A7F5"><enum>(5)</enum><text display-inline="yes-display-inline">in section 3556(a)(4) by striking <quote>3554(b)</quote> and inserting <quote>3554(a)(1)(A)</quote>.</text></paragraph></subsection><subsection id="H77DD9ABA1B1D4169921CE86B33152824"><enum>(d)</enum><header>Conforming amendments</header><paragraph id="HA4DAAFEFA9834084830BFA4231AABD84"><enum>(1)</enum><header>Table of sections</header><text>The table of sections for <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code, is amended—</text><subparagraph id="H61A3377BC7724859B3D90E62FFE40D1E"><enum>(A)</enum><text>by striking the item relating to section 3553 and inserting the following:</text><quoted-block id="H856044011576403E8366E58D9224AD9D" style="USC"><toc regeneration="no-regeneration"><toc-entry level="section">3553. Authority and functions of the Director and the Director of the Cybersecurity and Infrastructure Security Agency.</toc-entry></toc><after-quoted-block>;</after-quoted-block></quoted-block><continuation-text continuation-text-level="subparagraph">and</continuation-text></subparagraph><subparagraph id="H7A7AC846C8C94A8CB5B9336FDB271A88"><enum>(B)</enum><text>by striking the item relating to section 3555 and inserting the following:</text><quoted-block id="HFE899F11087F4C6BA9B91642CAECA7EA" style="USC"><toc regeneration="no-regeneration"><toc-entry level="section">3555. 
Independent evaluation.</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block></subparagraph></paragraph><paragraph id="H33B7BF3B759F4B56B826A95C9B2E8C77"><enum>(2)</enum><header>OMB reports</header><text>Section 226(c) of the Cybersecurity Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1524">6 U.S.C. 1524(c)</external-xref>) is amended—</text><subparagraph id="H843223C7179540CD8255445A7BFF3175"><enum>(A)</enum><text>in paragraph (1)(B), in the matter preceding clause (i), by striking <quote>annually thereafter</quote> and inserting <quote>thereafter during the years during which a report is required to be submitted under section 3553(c) of title 44, United States Code</quote>; and</text></subparagraph><subparagraph id="H71A745AEC2D14DBBB21AFF11CE45D62A"><enum>(B)</enum><text>in paragraph (2)(B), in the matter preceding clause (i)—</text><clause id="H349EA30102404D6B8DBA1300D5F616A4"><enum>(i)</enum><text>by striking <quote>annually thereafter</quote> and inserting <quote>thereafter during the years during which a report is required to be submitted under section 3553(c) of title 44, United States Code</quote>; and</text></clause><clause id="H94F71D245C1C45968B4B123AB3562F33"><enum>(ii)</enum><text>by striking <quote>the report required under section 3553(c) of title 44, United States Code</quote> and inserting <quote>that report</quote>.</text></clause></subparagraph></paragraph><paragraph id="HD5C35DFA3DD24ED79B9BA092D9F842A4"><enum>(3)</enum><header>NIST responsibilities</header><text>Section 20(d)(3)(B) of the National Institute of Standards and Technology Act (<external-xref legal-doc="usc" parsable-cite="usc/15/278g-3">15 U.S.C. 
278g–3(d)(3)(B)</external-xref>) is amended by striking <quote>annual</quote>.</text></paragraph></subsection><subsection id="HD1CAC715AA0B44E59E2296FAD8EC1BC9"><enum>(e)</enum><header>Federal system incident response</header><paragraph id="H8AF3FAD1644445E1AF5716F065C15F01"><enum>(1)</enum><header>In general</header><text><external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">Chapter 35</external-xref> of title 44, United States Code, is amended by adding at the end the following:</text><quoted-block style="USC" id="H5FCC8672E0264B2B81E70C66DE3F985B" display-inline="no-display-inline"><subchapter id="H6083655060A9487C9AF4FC216CB6CC14"><enum>IV</enum><header>Federal System Incident Response</header><section id="HBDA0E1F69F92442883F6EBC71CB86989"><enum>3591.</enum><header>Definitions</header><subsection id="H89C155628D6540E394C3B6153B2809C9"><enum>(a)</enum><header>In general</header><text>Except as provided in subsection (b), the definitions under sections 3502 and 3552 shall apply to this subchapter.</text></subsection><subsection id="H9CF7F4E3612349EEAC279199BA7D50FF"><enum>(b)</enum><header>Additional definitions</header><text>As used in this subchapter:</text><paragraph id="HA0DB9C0373D94DF8BCC034D084904CE0"><enum>(1)</enum><header>Appropriate reporting entities</header><text>The term <term>appropriate reporting entities</term> means—</text><subparagraph id="H3F29E09EEC9D4D80889877FDD470336D"><enum>(A)</enum><text>the majority and minority leaders of the Senate;</text></subparagraph><subparagraph id="HC8A6AD72CEE545E0A16CD4A53CF3D8AE"><enum>(B)</enum><text>the Speaker and minority leader of the House of Representatives;</text></subparagraph><subparagraph id="HD28C6EC743494D1BB3EAFDD6999F8576"><enum>(C)</enum><text>the Committee on Homeland Security and Governmental Affairs of the Senate;</text></subparagraph><subparagraph id="HC12E4771EC534DD29285ECCE3B6DCF25"><enum>(D)</enum><text>the Committee on Oversight and Reform of the House of 
Representatives;</text></subparagraph><subparagraph id="H792129D3ABDF4FE7BBC83C28FC637997"><enum>(E)</enum><text>the Committee on Homeland Security of the House of Representatives;</text></subparagraph><subparagraph id="H7BC9D84CA3A1421CBC054F17D8DA31D2"><enum>(F)</enum><text>the appropriate authorization and appropriations committees of Congress;</text></subparagraph><subparagraph id="H7FE44BB855464D84B3FDDE34B0410937"><enum>(G)</enum><text>the Director;</text></subparagraph><subparagraph id="H25A3578247EC449090F527FC8545A9EE"><enum>(H)</enum><text>the Director of the Cybersecurity and Infrastructure Security Agency;</text></subparagraph><subparagraph id="H51D6BB3DD6584F5096DA1224C7B7D4F1"><enum>(I)</enum><text>the National Cyber Director;</text></subparagraph><subparagraph id="H0DA12216B8F24B89BAFA006B7137EDD2"><enum>(J)</enum><text>the Comptroller General of the United States; and</text></subparagraph><subparagraph id="H86B9C9540A5B4E8E9067B71DEF4A0339"><enum>(K)</enum><text display-inline="yes-display-inline">the inspector general of any impacted agency.</text></subparagraph></paragraph><paragraph id="HB9F23DB0DB654C42B353F8E6DFEE92A5"><enum>(2)</enum><header>Awardee</header><text>The term <term>awardee</term>—</text><subparagraph id="H507673BBAC15489AADB8963998A8988A"><enum>(A)</enum><text>means a person, business, or other entity that receives a grant from, or is a party to a cooperative agreement or an other transaction agreement with, an agency; and</text></subparagraph><subparagraph id="H7E18CA2136A44C0792A7A1CDFCCC86EC"><enum>(B)</enum><text>includes any subgrantee of a person, business, or other entity described in subparagraph (A).</text></subparagraph></paragraph><paragraph id="H3007D62AB08F4105AD2C6A142BD3B0F6"><enum>(3)</enum><header>Breach</header><text>The term <term>breach</term> shall be defined by the Director.</text></paragraph><paragraph id="H46D39366962F41AD9E8B33E6D87485F9"><enum>(4)</enum><header>Contractor</header><text>The term 
<term>contractor</term> means a prime contractor of an agency or a subcontractor of a prime contractor of an agency.</text></paragraph><paragraph id="H09B5F195D8384740BE6D611B8C50FA6B"><enum>(5)</enum><header>Federal information</header><text>The term <term>Federal information</term> means information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the Federal Government in any medium or form.</text></paragraph><paragraph id="H1326285C91284B76BB71F84A9E8525FD"><enum>(6)</enum><header>Federal information system</header><text>The term <term>Federal information system</term> means an information system used or operated by an agency, a contractor, or another organization on behalf of an agency.</text></paragraph><paragraph id="H51E2AD486C774C9CB3F7AB11D2CA2B23"><enum>(7)</enum><header>Intelligence community</header><text>The term <term>intelligence community</term> has the meaning given the term in section 3 of the National Security Act of 1947 (<external-xref legal-doc="usc" parsable-cite="usc/50/3003">50 U.S.C. 3003</external-xref>).</text></paragraph><paragraph id="H68D63D101DC4499FA29B49767F6CEC0C"><enum>(8)</enum><header>Nationwide consumer reporting agency</header><text>The term <term>nationwide consumer reporting agency</term> means a consumer reporting agency described in section 603(p) of the Fair Credit Reporting Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1681a">15 U.S.C. 
1681a(p)</external-xref>).</text></paragraph><paragraph id="HBFEB411C2519428294ABF5551D0E7C80"><enum>(9)</enum><header>Vulnerability disclosure</header><text>The term <term>vulnerability disclosure</term> means a vulnerability identified under section 3559B.</text></paragraph></subsection></section><section id="HFB69D435E63140FB87C31D1220E09E6B"><enum>3592.</enum><header>Notification of breach</header><subsection id="H7459D7A1813A484AA957083AF462F7E3"><enum>(a)</enum><header>Notification</header><text>As expeditiously as practicable and without unreasonable delay, and in any case not later than 45 days after an agency has a reasonable basis to conclude that a breach has occurred, the head of the agency, in consultation with the chief privacy officer of the agency, shall—</text><paragraph id="H7536F42C72904654A29B0A5A4FF3A80F"><enum>(1)</enum><text>determine whether notice to any individual potentially affected by the breach is appropriate based on an assessment of the risk of harm to the individual that considers—</text><subparagraph id="H03254E8EEC9042D2BDEBEB290105EAFE"><enum>(A)</enum><text>the nature and sensitivity of the personally identifiable information affected by the breach;</text></subparagraph><subparagraph id="HC2D21D15FE3A46B9ABDA703F2A29CEDD"><enum>(B)</enum><text>the likelihood of access to and use of the personally identifiable information affected by the breach;</text></subparagraph><subparagraph id="H88C2137F27A245A999BAA966E0C96E2A"><enum>(C)</enum><text>the type of breach; and</text></subparagraph><subparagraph id="HDF9F96CC867B4A22866FB65CCC58CFF2"><enum>(D)</enum><text>any other factors determined by the Director; and</text></subparagraph></paragraph><paragraph id="HB40C37C382C044DE8B20A71A5F885371"><enum>(2)</enum><text>as appropriate, provide written notice in accordance with subsection (b) to each individual potentially affected by the breach—</text><subparagraph id="H92AE86892E98464DA44EC83C3FC4E90D"><enum>(A)</enum><text>to the last 
known mailing address of the individual; or</text></subparagraph><subparagraph id="H7DFC67F87B414F7FB9B9721B8AAEC390"><enum>(B)</enum><text>through an appropriate alternative method of notification that the head of the agency or a designated senior-level individual of the agency selects based on factors determined by the Director.</text></subparagraph></paragraph></subsection><subsection id="H80B0982D7A1642F6A48EDA72C4339158"><enum>(b)</enum><header>Contents of notice</header><text>Each notice of a breach provided to an individual under subsection (a)(2) shall include—</text><paragraph id="HB0832E8C125D4505AAFD7C40E8A57763"><enum>(1)</enum><text>a brief description of the breach;</text></paragraph><paragraph id="H9B26EF6C696C411E8C8F8AAFDB042549"><enum>(2)</enum><text>if possible, a description of the types of personally identifiable information affected by the breach;</text></paragraph><paragraph id="HF71D0F87E9574520B02AF2CDDD622E8A"><enum>(3)</enum><text>contact information of the agency that may be used to ask questions of the agency, which—</text><subparagraph id="HDFA7C4FBCAF14E9ABF6C1CF700EC1029"><enum>(A)</enum><text>shall include an e-mail address or another digital contact mechanism; and</text></subparagraph><subparagraph id="HADF3D268739B4E89B6109A00012B7B14"><enum>(B)</enum><text>may include a telephone number, mailing address, or a website;</text></subparagraph></paragraph><paragraph id="HE2357CF06DCE4C728210E7101DC33AFE"><enum>(4)</enum><text>information on any remedy being offered by the agency;</text></paragraph><paragraph id="H0F946DA4C8824969B4B32915A80F6480"><enum>(5)</enum><text>any applicable educational materials relating to what individuals can do in response to a breach that potentially affects their personally identifiable information, including relevant contact information for Federal law enforcement agencies and each nationwide consumer reporting agency; and</text></paragraph><paragraph 
id="H068E0AE0E7034171AD7B9CC9E0142D42"><enum>(6)</enum><text>any other appropriate information, as determined by the head of the agency or established in guidance by the Director.</text></paragraph></subsection><subsection id="H6DE5F015BF0145C8ACA5C262A3B38522"><enum>(c)</enum><header>Delay of notification</header><paragraph id="H271024DBD13644C7A9F089D096F5A3E8"><enum>(1)</enum><header>In general</header><text>The Attorney General, the Director of National Intelligence, or the Secretary of Homeland Security may delay a notification required under subsection (a) if the notification would—</text><subparagraph id="HDDECD1EB424449288B9DF1C0C82E36AE"><enum>(A)</enum><text>impede a criminal investigation or a national security activity;</text></subparagraph><subparagraph id="H6B419BBD2BD246D2A81FBA2DA230D63F"><enum>(B)</enum><text>reveal sensitive sources and methods;</text></subparagraph><subparagraph id="HC7B2E3A0F7544042970876809090B9DD"><enum>(C)</enum><text>cause damage to national security; or</text></subparagraph><subparagraph id="HC4AA6512AC0945BA9FA0C77F597A7471"><enum>(D)</enum><text>hamper security remediation actions.</text></subparagraph></paragraph><paragraph id="HAA371CFFA60A4432988870C0A2D782DC"><enum>(2)</enum><header>Documentation</header><subparagraph id="H69209742DAEB45EEA7545A7E114DB9F5"><enum>(A)</enum><header>In general</header><text>Any delay under paragraph (1) shall be reported in writing to the Director, the Attorney General, the Director of National Intelligence, the Secretary of Homeland Security, the National Cyber Director, the Director of the Cybersecurity and Infrastructure Security Agency, and the head of the agency and the inspector general of the agency that experienced the breach.</text></subparagraph><subparagraph id="HB32D893617E04AB29E9C46BC4472A16C"><enum>(B)</enum><header>Contents</header><text>A report required under subparagraph (A) shall include a written statement from the entity that delayed the notification explaining the 
need for the delay.</text></subparagraph><subparagraph id="HDD90E468FCA147CFBDD9CCA1A43A757A"><enum>(C)</enum><header>Form</header><text>The report required under subparagraph (A) shall be unclassified but may include a classified annex.</text></subparagraph></paragraph><paragraph id="HDFB7DE222E6848A19F23B1D615C60629"><enum>(3)</enum><header>Renewal</header><text>A delay under paragraph (1) shall be for a period of 60 days and may be renewed.</text></paragraph></subsection><subsection id="H105B022010ED415FB5AC6058A3F2465F"><enum>(d)</enum><header>Update notification</header><text>If an agency determines there is a significant change in the reasonable basis to conclude that a breach occurred, a significant change to the determination made under subsection (a)(1), or that it is necessary to update the details of the information provided to potentially affected individuals as described in subsection (b), the agency shall as expeditiously as practicable and without unreasonable delay, and in any case not later than 30 days after such a determination, notify each individual who received a notification pursuant to subsection (a) of those changes.</text></subsection><subsection id="H563207DB6F494004859BDA334684E148"><enum>(e)</enum><header>Rule of construction</header><text>Nothing in this section shall be construed to limit—</text><paragraph id="H15EFB9C5180B492F884593740F735F9E"><enum>(1)</enum><text>the Director from issuing guidance relating to notifications or the head of an agency from notifying individuals potentially affected by breaches that are not determined to be major incidents; or</text></paragraph><paragraph id="H28923408EF8846CCA723FDCF1AB2699E"><enum>(2)</enum><text>the Director from issuing guidance relating to notifications of major incidents or the head of an agency from providing more information than described in subsection (b) when notifying individuals potentially affected by breaches.</text></paragraph></subsection></section><section 
id="HC967D79A176848DDB2631C86E828AEFD"><enum>3593.</enum><header>Congressional and executive branch reports</header><subsection id="HA39807FD40F249A28D5F92418490DC58"><enum>(a)</enum><header>Initial report</header><paragraph id="HD5CFD566D98D4044A9423106CF34D94A"><enum>(1)</enum><header>In general</header><text>Not later than 72 hours after an agency has a reasonable basis to conclude that a major incident occurred, the head of the agency impacted by the major incident shall submit to the appropriate reporting entities a written report. Within 7 days of a major incident determination, the head of the agency impacted shall coordinate with the National Cyber Director, or their designee, to provide a briefing, along with any other Federal entity determined appropriate by the National Cyber Director, to the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Oversight and Reform of the House of Representatives, the Committee on Homeland Security of the House of Representatives, and the appropriate authorization and appropriations committees of Congress, in the manner requested by the Congressional entities, taking into account—</text><subparagraph id="H8BE8FBDDFF62443E92D013B19BA88E18"><enum>(A)</enum><text>the information known at the time of the report, including the threat having likely caused the major incident;</text></subparagraph><subparagraph id="HE20E7583FF1140299158DCA76B2870B3"><enum>(B)</enum><text>the sensitivity of the details associated with the major incident; and</text></subparagraph><subparagraph id="H08CB1C9766D54325899C62B2616BA7F9"><enum>(C)</enum><text>the classification level of the information contained in the report.</text></subparagraph></paragraph><paragraph id="H55F37388D794441E9996BA7C9FB06DC2"><enum>(2)</enum><header>Contents</header><text>A report required under paragraph (1) shall include, in a manner that excludes or otherwise reasonably protects personally identifiable information and to the extent 
permitted by applicable law, including privacy and statistical laws—</text><subparagraph id="HABEE8BFC85DA4A91BAA711945C00D26A"><enum>(A)</enum><text>a summary of the information available about the major incident, including how the major incident occurred and, if applicable, information relating to the major incident as a breach, based on information available to agency officials as of the date on which the agency submits the report;</text></subparagraph><subparagraph id="H731A5DF47C4B432DBAB07EFB49227E52"><enum>(B)</enum><text>if applicable, whether any ransom has been demanded or paid, or plans to be paid, by any entity operating a Federal information system or with access to a Federal information system, unless disclosure of such information may disrupt an active Federal law enforcement or national security operation;</text></subparagraph><subparagraph id="HD28EEA2D5909499FBF6DEA1E90A46F1D"><enum>(C)</enum><text>if applicable, a description and any associated documentation of any circumstances necessitating a delay in notification to individuals potentially affected by the major incident under subsection (c) of section 3592; and</text></subparagraph><subparagraph id="HC076CF166AF348AB8F246607874B612C"><enum>(D)</enum><text>if applicable, an assessment of the impacts to the agency, the Federal Government, or the security of the United States, based on information available to agency officials on the date on which the agency submits the report.</text></subparagraph></paragraph><paragraph id="HB8664AE5AB9B4C0B8A6E2B8A57E0252D"><enum>(3)</enum><header>Components of briefing</header><text>The 7 day briefing required under paragraph (1)—</text><subparagraph id="HA34C0A33225E4E588A3A1AACB52A95DE"><enum>(A)</enum><text>shall, to the greatest extent practicable, include an unclassified component; and</text></subparagraph><subparagraph id="HD2CB7910318D41EDA03ACFF61A1882C0"><enum>(B)</enum><text>may include a classified 
component.</text></subparagraph></paragraph></subsection><subsection id="HDB7227CF98314B5C9D846070D41F5727"><enum>(b)</enum><header>Supplemental report</header><text>Within a reasonable amount of time, but not later than 30 days after the date on which an agency submits a written report under subsection (a), the head of the agency shall provide to the appropriate reporting entities written updates on the major incident and, to the extent practicable, provide a briefing to the congressional committees described in subsection (a)(1), including summaries of—</text><paragraph id="H3290B07A1160421095FC445FC280A8CD"><enum>(1)</enum><text>vulnerabilities, means by which the major incident occurred, and impacts to the agency relating to the major incident;</text></paragraph><paragraph id="H11015AAA809248FF8DFDEA7A88F40C38"><enum>(2)</enum><text>any risk assessment and subsequent risk-based security implementation of the affected information system before the date on which the major incident occurred;</text></paragraph><paragraph id="H0BE9ADFB167045F7A8DA8AD3FBFCE68C"><enum>(3)</enum><text>an estimate of the number of individuals potentially affected by the major incident based on information available to agency officials as of the date on which the agency provides the update;</text></paragraph><paragraph id="H34451C0B4C804B558F314EACEAA5B40E"><enum>(4)</enum><text>an assessment of the risk of harm to individuals potentially affected by the major incident based on information available to agency officials as of the date on which the agency provides the update;</text></paragraph><paragraph id="HC92C0FB579EC4A9EBD48BE8EE7625D91"><enum>(5)</enum><text>an update to the assessment of the risk to agency operations, or to impacts on other agency or non-Federal entity operations, affected by the major incident based on information available to agency officials as of the date on which the agency provides the update; and</text></paragraph><paragraph 
id="H18A3B6DA41B947BA85857C1B50C89344"><enum>(6)</enum><text>the detection, response, and remediation actions of the agency, including any support provided by the Cybersecurity and Infrastructure Security Agency under section 3594(d) and status updates on the notification process described in section 3592(a), including any delay described in subsection (c) of section 3592, if applicable.</text></paragraph></subsection><subsection id="H37F791EDA01D4EA9BAD7964381E5B1D2"><enum>(c)</enum><header>Update report</header><text display-inline="yes-display-inline">If the agency, or the National Cyber Director, determines that there is any significant change in the understanding of the agency of the scope, scale, or consequence of a major incident for which an agency submitted a written report under subsection (a), the agency shall provide an updated report to the appropriate reporting entities that includes information relating to the change in understanding.</text></subsection><subsection id="H30B7D72793B2417EBD969C552CCAE31A"><enum>(d)</enum><header>Biannual report</header><text>Each agency shall submit as part of the biannual report required under section 3554(c)(1) of this title a description of each major incident that occurred during the 2-year period preceding the date on which the biannual report is submitted.</text></subsection><subsection id="H8281E0DCEFB14E95A79A90DFA2C39CDD"><enum>(e)</enum><header>Delay report</header><paragraph id="HA7E8DF5051C64191AC3FB99961890797"><enum>(1)</enum><header>In general</header><text>The Director shall submit to the appropriate reporting entities an annual report on all notification delays granted pursuant to subsection (c) of section 3592.</text></paragraph><paragraph id="H850F9A9BD65D4831A1E3ACD3F61E2279"><enum>(2)</enum><header>Component of other report</header><text>The Director may submit the report required under paragraph (1) as a component of the annual report submitted under section 
3597(b).</text></paragraph></subsection><subsection id="H87B0D1B9CFC74391BA866BB90A42E54F"><enum>(f)</enum><header>Report and briefing consistency</header><text>In carrying out the duties under this section, and to achieve consistent and understandable agency reporting to Congress, the National Cyber Director shall—</text><paragraph id="H3EC8189B5DA84064BA69EF1742397416"><enum>(1)</enum><text>provide to agencies formatting guidelines and recommended contents of information to be included in the reports and briefings required under this section, including recommendations for the use of plain language terminology and consistent formats for presenting any associated metrics; and</text></paragraph><paragraph id="HA42C98F5B5F24AEAACE7A15437BEAF76"><enum>(2)</enum><text>maintain a historical archive and major incident log of all reports and briefings provided under the requirements of this section, which shall include at a minimum an archive of the full contents of any written report and associated documentation, the reporting agency, the date of submission, and a list of the recipient Congressional entities, which shall be made available upon request to the Congressional entities listed under subsection (a)(1) and may, to the extent practicable, utilize an internet accessible portal for appropriate Congressional staff to directly access the log and archived materials required to be maintained under this paragraph.</text></paragraph></subsection><subsection id="H2ABA4C2A18D04AB0935B182D4DEAA12F"><enum>(g)</enum><header>Report delivery</header><text>Any written report required to be submitted under this section may be submitted in a paper or electronic format.</text></subsection><subsection id="H906C85AA83C241519A39F2B31B30409C"><enum>(h)</enum><header>Rule of construction</header><text>Nothing in this section shall be construed to limit—</text><paragraph id="H9CC6A7BBFBF14F26A2AD4CF57F4FFD63"><enum>(1)</enum><text>the ability of an agency to provide additional reports or 
briefings to Congress; or</text></paragraph><paragraph id="HAA5A0A7B876C4AE9B152C5D2FE55ECD5"><enum>(2)</enum><text>Congress from requesting additional information from agencies through reports, briefings, or other means.</text></paragraph></subsection></section><section id="H50A6D21112C148FFAEDF5471949D4A86"><enum>3594.</enum><header>Government information sharing and incident response</header><subsection id="H19748E7A6997436C9554535DC97198B2"><enum>(a)</enum><header>In general</header><paragraph id="H9A637A437ADF48BC950331B1FCA3A303"><enum>(1)</enum><header>Incident reporting</header><text display-inline="yes-display-inline">Subject to limitations in subsection (b), the head of each agency shall provide the information described in paragraph (2) relating to an incident affecting the agency, whether the information is obtained by the Federal Government directly or indirectly, to the Cybersecurity and Infrastructure Security Agency, the Office of Management and Budget, and the Office of the National Cyber Director in a manner specified by the Director under subsection (b).</text></paragraph><paragraph id="HCE9150A668CA4679815C2179BEC6D0FF"><enum>(2)</enum><header>Contents</header><text>A provision of information relating to an incident made by the head of an agency under paragraph (1) shall—</text><subparagraph id="H4B41E048548E4BD78E40964B63CBC190"><enum>(A)</enum><text>include detailed information about the safeguards that were in place when the incident occurred;</text></subparagraph><subparagraph id="HA67B9087603D4994AEFE949AB0E95620"><enum>(B)</enum><text>whether the agency implemented the safeguards described in subparagraph (A) correctly;</text></subparagraph><subparagraph id="H024066171E884F06BC0C4AE826BF7C4B"><enum>(C)</enum><text>in order to protect against a similar incident, identify—</text><clause id="H9948E679CF654B2287E0B2E38F2FE728"><enum>(i)</enum><text>how the safeguards described in subparagraph (A) should be implemented differently; 
and</text></clause><clause id="HBF81BA5F750841F3A7AED6F55BEC6B39"><enum>(ii)</enum><text>additional necessary safeguards; and</text></clause></subparagraph><subparagraph id="HF0A753C5FD4243B8BF743FECE36556CF"><enum>(D)</enum><text>include information to aid in incident response, such as—</text><clause id="HFD5359D5B1E943BAB9FC70A3FDF22271"><enum>(i)</enum><text>a description of the affected systems or networks;</text></clause><clause id="H5597B43A07094E7CADCF2A50CE1DCFA7"><enum>(ii)</enum><text>the estimated dates of when the incident occurred; and</text></clause><clause id="HF47CDEBFBE02459BB777DA8D4B2F9130"><enum>(iii)</enum><text>information that could reasonably help identify the party that conducted the incident, as appropriate.</text></clause></subparagraph></paragraph><paragraph id="H268A3EA441174B2FA13F8BB45AB94DE0"><enum>(3)</enum><header>Information sharing</header><text>To the greatest extent practicable, the Director of the Cybersecurity and Infrastructure Security Agency shall—</text><subparagraph id="HA790F1BA8D7D42868C31705294185624"><enum>(A)</enum><text>share information relating to an incident with any agencies that may be impacted by the incident, or are potentially susceptible or similarly targeted, as well as with appropriate Federal law enforcement agencies to facilitate any necessary threat response activities as requested; and</text></subparagraph><subparagraph id="H9CF7FF099CF642D6BC08CCE9F0F7237F"><enum>(B)</enum><text>coordinate, in consultation with the National Cyber Director, any necessary information sharing efforts related to a major incident with the private sector.</text></subparagraph></paragraph><paragraph id="H3DACE3D50E16452F87D720F3E9A79077"><enum>(4)</enum><header>National security systems</header><text>Each agency operating or exercising control of a national security system shall share information about incidents that occur on national security systems with the Director of the Cybersecurity and Infrastructure Security 
Agency to the extent consistent with standards and guidelines for national security systems issued in accordance with law and as directed by the President.</text></paragraph></subsection><subsection id="HDFC8EC9D9CDC4E44961F005ACB4351C1"><enum>(b)</enum><header>Compliance</header><text>The information provided and method of reporting under subsection (a) shall take into account the level of classification of the information and any information sharing limitations and protections, such as limitations and protections relating to law enforcement, national security, privacy, statistical confidentiality, or other factors determined by the Director in order to implement subsection (a)(1) in a manner that enables automated and consistent reporting.</text></subsection><subsection id="H2C2B70BB71CB4376A107C1CF635C3ECE"><enum>(c)</enum><header>Incident response</header><text display-inline="yes-display-inline">Each agency that has a reasonable basis to conclude that a major incident occurred involving Federal information in electronic medium or form, as defined by the Director and not involving a national security system, regardless of delays from notification granted for a major incident, shall coordinate with the Cybersecurity and Infrastructure Security Agency to facilitate asset response activities and recommendations for mitigating future incidents, and with appropriate Federal law enforcement agencies to facilitate threat response activities, consistent with relevant policies, principles, standards, and guidelines on information security.</text></subsection></section><section id="HB31B1D0F24084A11A54FFF9763DF46B5"><enum>3595.</enum><header>Responsibilities of contractors and awardees</header><subsection id="H8577C4B5D194455581272FD76500E9F7"><enum>(a)</enum><header>Reporting</header><paragraph id="H7C17E8F23CF44D7CB4BC3BB3C052FE94"><enum>(1)</enum><header>In general</header><text>Unless otherwise specified in a contract, grant, cooperative agreement, or any other 
transaction agreement, any contractor or awardee of an agency shall report to the agency within the same amount of time such agency is required to report an incident to the Cybersecurity and Infrastructure Security Agency, if the contractor or awardee has a reasonable basis to suspect or conclude that—</text><subparagraph id="H4C60F3E8D4FB41A0B0D99E46667A0810"><enum>(A)</enum><text>an incident or breach has occurred with respect to Federal information collected, used, or maintained by the contractor or awardee in connection with the contract, grant, cooperative agreement, or other transaction agreement of the contractor or awardee;</text></subparagraph><subparagraph id="HBAE86F40D41B4934B6DAD674E725DE81"><enum>(B)</enum><text>an incident or breach has occurred with respect to a Federal information system used or operated by the contractor or awardee in connection with the contract, grant, cooperative agreement, or other transaction agreement of the contractor or awardee;</text></subparagraph><subparagraph id="H0B426B9AA6984565B4D4024AD50CACA5"><enum>(C)</enum><text>a component of any Federal information system, or a system able to access, store, or process Federal information, contains a security vulnerability, including a supply chain compromise or an identified software or hardware vulnerability; or</text></subparagraph><subparagraph id="HED23AA3635254598B07E592AD89306B1"><enum>(D)</enum><text>the contractor or awardee has received information from the agency that the contractor or awardee is not authorized to receive in connection with the contract, grant, cooperative agreement, or other transaction agreement of the contractor or awardee.</text></subparagraph></paragraph><paragraph id="H5D5F298A80DC45898806FFC2FB3B7B10"><enum>(2)</enum><header>Procedures</header><subparagraph id="HD2749C855DC14ACAA0F472EEE6E1830F"><enum>(A)</enum><header>Major incident</header><text>Following a report of a breach or major incident by a contractor or awardee under paragraph (1), 
the agency, in consultation with the contractor or awardee, shall carry out the requirements under sections 3592, 3593, and 3594 with respect to the major incident.</text></subparagraph><subparagraph id="HF8D8EDC8BFCB455CBF2A3FC7E41C4A07"><enum>(B)</enum><header>Incident</header><text>Following a report of an incident by a contractor or awardee under paragraph (1), an agency, in consultation with the contractor or awardee, shall carry out the requirements under section 3594 with respect to the incident.</text></subparagraph></paragraph></subsection><subsection id="HED54AD24B3B84761A668E5D49DDBC977"><enum>(b)</enum><header>Effective date</header><text>This section shall apply on and after the date that is 1 year after the date of the enactment of the Federal Information Security Modernization Act of 2022 and shall apply with respect to any contract entered into on or after such effective date.</text></subsection></section><section id="H1587692030CB45F0A8054796CA12EF29"><enum>3596.</enum><header>Training</header><subsection id="HC4DDB63ABAEB4F82802F99BB04FCD5BD"><enum>(a)</enum><header>Covered individual defined</header><text>In this section, the term <term>covered individual</term> means an individual who obtains access to Federal information or Federal information systems because of the status of the individual as an employee, contractor, awardee, volunteer, or intern of an agency.</text></subsection><subsection id="HEB4F5556DCCC4A8FA0D5C39CE6750722"><enum>(b)</enum><header>Requirement</header><text>The head of each agency shall develop training for covered individuals on how to identify and respond to an incident, including—</text><paragraph id="H8693ADBC0B2A41BDB73B1F41083CD6FD"><enum>(1)</enum><text>the internal process of the agency for reporting an incident; and</text></paragraph><paragraph id="H0292BF969AAC40A18EBA04800916DF77"><enum>(2)</enum><text>the obligation of a covered individual to report to the agency a confirmed major incident and any suspected 
incident involving information in any medium or form, including paper, oral, and electronic.</text></paragraph></subsection><subsection id="H3A52D12355B647218FD7699380C5E2F5"><enum>(c)</enum><header>Inclusion in annual training</header><text>The training developed under subsection (b) may be included as part of an annual privacy or security awareness training of an agency.</text></subsection></section><section id="H9D058B860E9D4D1B926EF393E7FA5121"><enum>3597.</enum><header>Analysis and report on Federal incidents</header><subsection id="H8425B98B9D6F4864B7B48B7D57CAE7F9"><enum>(a)</enum><header>Analysis of Federal incidents</header><paragraph id="H79ACE80C535E46F4AA34DFFD91D98458"><enum>(1)</enum><header>Quantitative and qualitative analyses</header><text>The Director of the Cybersecurity and Infrastructure Security Agency shall develop, in consultation with the Director and the National Cyber Director, and perform continuous monitoring and quantitative and qualitative analyses of incidents at agencies, including major incidents, including—</text><subparagraph id="HE6AF40ADA9D647649617B6804E9563F5"><enum>(A)</enum><text>the causes of incidents, including—</text><clause id="H4F3E1B5391EF4A6285D64B37C66133BE"><enum>(i)</enum><text>attacker tactics, techniques, and procedures; and</text></clause><clause id="HA35D29ABE6AC4743BCBAFEFE1020A22D"><enum>(ii)</enum><text display-inline="yes-display-inline">system vulnerabilities, including previously unknown zero day exploitations, unpatched systems, and information system misconfigurations;</text></clause></subparagraph><subparagraph id="HC14253895C5548A9B85EA7614FC93AC4"><enum>(B)</enum><text>the scope and scale of incidents at agencies;</text></subparagraph><subparagraph id="HDADAC8B5B9D044F98E14CA8DA7FDB1B7" commented="no"><enum>(C)</enum><text display-inline="yes-display-inline">common root causes of incidents across multiple agencies;</text></subparagraph><subparagraph 
id="HB8754F44CE774BE0963699FC84F644D4"><enum>(D)</enum><text>agency incident response, recovery, and remediation actions and the effectiveness of those actions, as applicable;</text></subparagraph><subparagraph id="H6C1EBC393B1F4ACC9360DDF0764D1054"><enum>(E)</enum><text>lessons learned and recommendations in responding to, recovering from, remediating, and mitigating future incidents; and</text></subparagraph><subparagraph id="H246F868FAFCB4DC497CFE024725DA154"><enum>(F)</enum><text display-inline="yes-display-inline">trends across multiple Federal agencies to address intrusion detection and incident response capabilities using the metrics established under section 224(c) of the Cybersecurity Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1522">6 U.S.C. 1522(c)</external-xref>).</text></subparagraph></paragraph><paragraph id="H4E0EFCA10E784AEA8BFF483F680A6AAE"><enum>(2)</enum><header>Automated analysis</header><text>The analyses developed under paragraph (1) shall, to the greatest extent practicable, use machine readable data, automation, and machine learning processes.</text></paragraph><paragraph id="HB2AFF0E0D9064355B511A7F35FE1A617"><enum>(3)</enum><header>Sharing of data and analysis</header><subparagraph id="H10E787CA8A4A4089939502C0CDDDFAD1"><enum>(A)</enum><header>In general</header><text>The Director shall share on an ongoing basis the analyses required under this subsection with agencies and the National Cyber Director to—</text><clause id="HD4FEDB9343434D1B9C03B95D7071E754"><enum>(i)</enum><text>improve the understanding of cybersecurity risk of agencies; and</text></clause><clause id="HF773E4B76A5D4C869F542D10470AE415"><enum>(ii)</enum><text>support the cybersecurity improvement efforts of agencies.</text></clause></subparagraph><subparagraph id="HB08FB84D2C64423FA1FB46478029AEAF"><enum>(B)</enum><header>Format</header><text>In carrying out subparagraph (A), the Director shall share the analyses—</text><clause 
id="HEDD930A952E0486B8C38794DFC5647F2"><enum>(i)</enum><text>in human-readable written products; and</text></clause><clause id="HB6D04FDE5739452C8534DB6FE3B04916"><enum>(ii)</enum><text>to the greatest extent practicable, in machine-readable formats in order to enable automated intake and use by agencies.</text></clause></subparagraph></paragraph></subsection><subsection id="H1C1DB933402A449EA9300392B79E5DF4"><enum>(b)</enum><header>Annual report on Federal incidents</header><text display-inline="yes-display-inline">Not later than 2 years after the date of the enactment of this section, and not less frequently than annually thereafter, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, the National Cyber Director, and the heads of other agencies as appropriate, shall submit to the appropriate reporting entities a report that includes—</text><paragraph id="HD055F523202E4582ABE3AD3E9D94BC58"><enum>(1)</enum><text>a summary of causes of incidents from across the Federal Government that categorizes those incidents as incidents or major incidents;</text></paragraph><paragraph id="HB14A5E24AA3547309CC9FC765800781B"><enum>(2)</enum><text>the quantitative and qualitative analyses of incidents developed under subsection (a)(1) on an agency-by-agency basis and comprehensively across the Federal Government, including—</text><subparagraph id="H218C91ACE68D4D868C6AAC942F0C4BB1"><enum>(A)</enum><text>a specific analysis of breaches; and</text></subparagraph><subparagraph id="H80E0AC4F2EBC4C2FAD0387B897C2E839"><enum>(B)</enum><text>an analysis of the Federal Government’s performance against the metrics established under section 224(c) of the Cybersecurity Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1522">6 U.S.C. 
1522(c)</external-xref>); and</text></subparagraph></paragraph><paragraph id="H95B5E9B8FD3D437090DB72A6817B3983"><enum>(3)</enum><text>an annex for each agency that includes—</text><subparagraph id="H7026900E3D4649ED8698D2F9595A3689"><enum>(A)</enum><text>a description of each major incident; and</text></subparagraph><subparagraph id="H7DA536EA61104B3FACF2506B81CCE28C"><enum>(B)</enum><text>an analysis of the agency’s performance against the metrics established under section 224(c) of the Cybersecurity Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1522">6 U.S.C. 1522(c)</external-xref>).</text></subparagraph></paragraph></subsection><subsection id="H589E2A7E48734335AD49050B6A00888A"><enum>(c)</enum><header>Publication</header><text>To the extent that publication is consistent with national security interests, a version of each report submitted under subsection (b) shall be made publicly available on the website of the Cybersecurity and Infrastructure Security Agency during the year in which the report is submitted.</text></subsection><subsection id="HBE8C6F85726542E0B6A3F1DC55425B89"><enum>(d)</enum><header>Information provided by agencies</header><paragraph id="H213039414E7A471EBFB247C7453A5659"><enum>(1)</enum><header>In general</header><text>The analysis required under subsection (a) and each report submitted under subsection (b) shall use information provided by agencies under section 3594(a).</text></paragraph><paragraph id="HB1B05CE21ED748B8AC38613BAD7531FE"><enum>(2)</enum><header>National security system reports</header><subparagraph id="HC3F3B511C1414C9E890413F1C324DCF6"><enum>(A)</enum><header>In general</header><text>Annually, the head of an agency that operates or exercises control of a national security system shall submit a report that includes the information described in subsection (b) with respect to the agency to the extent that the submission is consistent with standards and guidelines for national security systems issued in 
accordance with law and as directed by the President to—</text><clause id="H5209513C2E944C4F96EF98F41CD72418"><enum>(i)</enum><text>the majority and minority leaders of the Senate;</text></clause><clause id="H130A9D4EA8E84F1BA3B6914F614649B0"><enum>(ii)</enum><text>the Speaker and minority leader of the House of Representatives;</text></clause><clause id="H40DD79BAA6FC4B73B9AC4E724591A064"><enum>(iii)</enum><text>the Committee on Homeland Security and Governmental Affairs of the Senate;</text></clause><clause id="HB94716064063477F8B62F04AF831D333"><enum>(iv)</enum><text>the Select Committee on Intelligence of the Senate;</text></clause><clause id="HF2D48CC7B63C4697B474A48AA06BCAA8"><enum>(v)</enum><text>the Committee on Armed Services of the Senate;</text></clause><clause id="HC8BF02DA577F48139BBDAA47A17177A0"><enum>(vi)</enum><text>the Committee on Appropriations of the Senate;</text></clause><clause id="H53945F1E5B794A189F592C2B4AEFF948"><enum>(vii)</enum><text>the Committee on Oversight and Reform of the House of Representatives;</text></clause><clause id="H2A25ADBBD71140009D98F43AD526C8A4"><enum>(viii)</enum><text>the Committee on Homeland Security of the House of Representatives;</text></clause><clause id="H348BEAB6E2874680BE8775FD1CCB5D08"><enum>(ix)</enum><text>the Permanent Select Committee on Intelligence of the House of Representatives;</text></clause><clause id="HF8CE1E6BC0334239A19E747B3CC15128"><enum>(x)</enum><text>the Committee on Armed Services of the House of Representatives; and</text></clause><clause id="H53769B8EC42146238BF0D54D8C3518C5"><enum>(xi)</enum><text>the Committee on Appropriations of the House of Representatives.</text></clause></subparagraph><subparagraph id="H074397268462407EAB456E0996D42042"><enum>(B)</enum><header>Classified form</header><text>A report required under subparagraph (A) may be submitted in a classified form.</text></subparagraph></paragraph></subsection><subsection 
id="HEEA0172695B54E05A8B47675C2B4881D"><enum>(e)</enum><header>Requirement for compiling information</header><text display-inline="yes-display-inline">In publishing the public report required under subsection (c), the Director of the Cybersecurity and Infrastructure Security Agency shall sufficiently compile information such that no specific incident of an agency can be identified, except with the concurrence of the Director of the Office of Management and Budget, the National Cyber Director, and in consultation with the impacted agency.</text></subsection></section><section id="H8F8E0EE59ACD4A928E3C64B55B40F329"><enum>3598.</enum><header>Major incident definition</header><subsection id="H994579B5D98C41EF88095E79A2744428"><enum>(a)</enum><header>In general</header><text>Not later than 180 days after the date of the enactment of the Federal Information Security Modernization Act of 2022, the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director, shall develop and promulgate guidance on the definition of the term <term>major incident</term> for the purposes of subchapter II and this subchapter.</text></subsection><subsection id="HD1E25AA7E4D245D8AC8FDE536C5A5D84"><enum>(b)</enum><header>Requirements</header><text>With respect to the guidance issued under subsection (a), the definition of the term <term>major incident</term> shall—</text><paragraph id="H6115FA099F514EDCB99547D4CDB4EDB2"><enum>(1)</enum><text display-inline="yes-display-inline">include, with respect to any information collected or maintained by or on behalf of an agency or an information system used or operated by an agency or by a contractor of an agency or another organization on behalf of an agency, any incident the head of the agency determines is likely to result in demonstrable harm to—</text><subparagraph id="H3822685A318E49C29A27C6F23EB1A488"><enum>(A)</enum><text>the national security interests, foreign relations, or 
the economy of the United States;</text></subparagraph><subparagraph id="HB36C7111C0B249CB85AA9A9AF0A44F24"><enum>(B)</enum><text>the public confidence, civil liberties, or public health and safety of the people of the United States;</text></subparagraph><subparagraph id="HA4EBBA01A0DC4DC3B3DAAA8733039060"><enum>(C)</enum><text>the integrity of personally identifiable information, including the exfiltration, modification, or deletion of such information; or</text></subparagraph><subparagraph id="HA3CFD2DF537342CFAD7D05086728FF94"><enum>(D)</enum><text>any other type of incident determined appropriate by the Director; and</text></subparagraph></paragraph><paragraph id="H66BBB6EA6E354A07BEAD6CED67C07B26"><enum>(2)</enum><text>stipulate that the Director, in coordination with the National Cyber Director, shall declare a major incident at each agency impacted by an incident if it is determined that an incident—</text><subparagraph id="H550C7C0AE6BF4C4BAC690AE7E9F84FB0"><enum>(A)</enum><text>occurs at not less than 2 agencies;</text></subparagraph><subparagraph id="HD455A28939D446739F82C1FD5DB79F2D"><enum>(B)</enum><text>is enabled by—</text><clause id="H0FF26208157649C08541887D3DD3A158"><enum>(i)</enum><text>a common technical root cause, such as a supply chain compromise or a common software or hardware vulnerability; or</text></clause><clause id="H4A19B2D447F348029A1619E0AF55282E"><enum>(ii)</enum><text>the related activities of a common threat actor; or</text></clause></subparagraph><subparagraph id="H270F9C508FDD43AC91E9B663372CE0E9"><enum>(C)</enum><text>has a significant impact on the confidentiality, integrity, or availability of a high value asset.</text></subparagraph></paragraph></subsection><subsection id="HA969B876BA284AFE8E71830FCE7ECDAB"><enum>(c)</enum><header>Evaluation and updates</header><text>Not later than 2 years after the date of the enactment of the Federal Information Security Modernization Act of 2022, and not less frequently than every 2 years 
thereafter, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives an evaluation, which shall include—</text><paragraph id="H5B8A64B1E6634B39AD1C4A6CCFB55C98"><enum>(1)</enum><text>an update, if necessary, to the guidance issued under subsection (a);</text></paragraph><paragraph id="HA81093CFE678410B8A58372E2D329E54"><enum>(2)</enum><text>the definition of the term <term>major incident</term> included in the guidance issued under subsection (a); and</text></paragraph><paragraph id="HD5607471657F4124AF772BA7A58AFB25"><enum>(3)</enum><text>an explanation of, and the analysis that led to, the definition described in paragraph (2).</text></paragraph></subsection></section></subchapter><after-quoted-block>.</after-quoted-block></quoted-block></paragraph><paragraph id="H03DA9F09B491468A8E52384EF3C28AF1"><enum>(2)</enum><header>Clerical amendment</header><text>The table of sections for <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code, is amended by adding at the end the following:</text><quoted-block style="USC" id="HF46572E5C61E4447B05E793518344E01" display-inline="no-display-inline"><toc regeneration="no-regeneration"><toc-entry idref="H6083655060A9487C9AF4FC216CB6CC14" level="subchapter">Subchapter IV—FEDERAL SYSTEM INCIDENT RESPONSE </toc-entry><toc-entry idref="HBDA0E1F69F92442883F6EBC71CB86989" level="section">3591. Definitions. </toc-entry><toc-entry idref="HFB69D435E63140FB87C31D1220E09E6B" level="section">3592. Notification of breach. </toc-entry><toc-entry idref="HC967D79A176848DDB2631C86E828AEFD" level="section">3593. Congressional and executive branch reports. </toc-entry><toc-entry idref="H50A6D21112C148FFAEDF5471949D4A86" level="section">3594. Government information sharing and incident response. 
</toc-entry><toc-entry idref="HB31B1D0F24084A11A54FFF9763DF46B5" level="section">3595. Responsibilities of contractors and awardees. </toc-entry><toc-entry idref="H1587692030CB45F0A8054796CA12EF29" level="section">3596. Training. </toc-entry><toc-entry idref="H9D058B860E9D4D1B926EF393E7FA5121" level="section">3597. Analysis and report on Federal incidents. </toc-entry><toc-entry idref="H8F8E0EE59ACD4A928E3C64B55B40F329" level="section">3598. Major incident definition.</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection></section><section id="H7020D9633F68409CB585DB09B61C6A27"><enum>102.</enum><header>Amendments to subtitle III of title 40</header><subsection id="HB85AFADB71BF400F9336217A25C738F1"><enum>(a)</enum><header>Modernizing government technology</header><text>Subtitle G of title X of Division A of the National Defense Authorization Act for Fiscal Year 2018 (<external-xref legal-doc="public-law" parsable-cite="pl/115/91">Public Law 115–91</external-xref>; <external-xref legal-doc="usc" parsable-cite="usc/40/11301">40 U.S.C. 
11301</external-xref> note) is amended in section 1078—</text><paragraph id="HD30F02A4CCC04912876D751350A020A3"><enum>(1)</enum><text>by striking subsection (a) and inserting the following:</text><quoted-block id="H609E05BBE9CE4A73A8C6075C68CD00F3" style="OLC"><subsection id="HD7E5C4E8A2ED43F8A2AA8D229254DB8F"><enum>(a)</enum><header>Definitions</header><text>In this section:</text><paragraph id="HDFDCBF28491E46D1BD4842C5E0E30641"><enum>(1)</enum><header>Agency</header><text>The term <term>agency</term> has the meaning given the term in section 551 of title 5, United States Code.</text></paragraph><paragraph id="HEB40933CD16F497BA2C4C2AE3B7286E1"><enum>(2)</enum><header>High value asset</header><text>The term <term>high value asset</term> has the meaning given the term in section 3552 of title 44, United States Code.</text></paragraph></subsection><after-quoted-block>; and</after-quoted-block></quoted-block></paragraph><paragraph id="H3F683F853EE645FFBA1EA5A7DE26DE99"><enum>(2)</enum><text>in subsection (c)—</text><subparagraph id="H12BBBE09149A498CB54062144129AAA0"><enum>(A)</enum><text>in paragraph (2)(A)(i), by inserting <quote>, including a consideration of the impact on high value assets</quote> after <quote>operational risks</quote>;</text></subparagraph><subparagraph id="H67FEC3658AB34A1988D786E94251F0EE"><enum>(B)</enum><text>in paragraph (5)—</text><clause id="H081E43EB279E49D49EE99193DAD83491"><enum>(i)</enum><text>in subparagraph (A), by striking <quote>and</quote> at the end;</text></clause><clause id="H8A35ED7F7F454E6C97799E4118A496BA"><enum>(ii)</enum><text>in subparagraph (B), by striking the period at the end and inserting <quote>and</quote>; and</text></clause><clause id="HF6D4871A02B24556AEC6155F0193FB3C"><enum>(iii)</enum><text>by adding at the end the following:</text><quoted-block id="H5FCDC0C1FBF54F59A62048560D95642A" style="OLC"><subparagraph id="H4062D16FD02D4441B425BC4B66D43840"><enum>(C)</enum><text>a senior official from the Cybersecurity 
and Infrastructure Security Agency of the Department of Homeland Security, appointed by the Director.</text></subparagraph><after-quoted-block>; and</after-quoted-block></quoted-block></clause></subparagraph><subparagraph id="H9C7CA01E81FF425EA1FD305A86BC13AB"><enum>(C)</enum><text>in paragraph (6)(A), by striking <quote>shall be—</quote> and all that follows through <quote>4 employees</quote> and inserting <quote>shall be 4 employees</quote>.</text></subparagraph></paragraph></subsection><subsection id="HFFCC9E67C6864E81A76E40BBF4F98EF8"><enum>(b)</enum><header>Subchapter I</header><text>Subchapter I of chapter 113 of subtitle III of title 40, United States Code, is amended—</text><paragraph id="HC4C1BF222B484B398A0BE96DDD686864"><enum>(1)</enum><text>in section 11302—</text><subparagraph id="H4E624970788449E09E7B99B64D61660D"><enum>(A)</enum><text>in subsection (b), by striking <quote>use, security, and disposal of</quote> and inserting <quote>use, and disposal of, and, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director, promote and improve the security of,</quote>;</text></subparagraph><subparagraph id="H843A2D668AE5429687176E1844011440"><enum>(B)</enum><text display-inline="yes-display-inline">in subsection (c)(3)(B), by adding at the end the following:</text><quoted-block id="H59E993F77E0744A080AB8B6B2EB5E6FD" style="OLC"><clause id="HE8E6BFFDD3CD4A2980D6E263236E0D34"><enum>(iii)</enum><text display-inline="yes-display-inline">The Director may make available, upon request, to the National Cyber Director any cybersecurity funding information provided to the Director under clause (ii) of this subparagraph.</text></clause><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph><subparagraph id="HD1BBE704F94846A7BCF9320E539B561A"><enum>(C)</enum><text display-inline="yes-display-inline">in subsection (f), by striking <quote>The Director shall</quote> and inserting 
</text><quoted-block id="H38C86ED3CEA04CF2956AD3F8ADF7E647" style="OLC" display-inline="yes-display-inline"><text>The Director shall—</text><paragraph id="H7E42A918EC0A416EA0F714C2C9C0B5CF"><enum>(1)</enum><text display-inline="yes-display-inline">encourage the heads of the executive agencies to develop and use the best practices in the acquisition of information technology, including supply chain risk management standards, guidelines, and practices developed by the National Institute of Standards and Technology; and</text></paragraph><paragraph id="H45E2BC22AD01494DA84E725E81FB6155"><enum>(2)</enum><text display-inline="yes-display-inline">consult with the Federal Chief Information Security Officer appointed by the President under section 3607 of title 44, for the development and use of risk management standards, guidelines, and practices developed by the National Institute of Standards and Technology.</text></paragraph><after-quoted-block>; and</after-quoted-block></quoted-block></subparagraph><subparagraph id="HDACDAEC5860F40048CC3A0CBA3AE9A45"><enum>(D)</enum><text>in subsection (h), by inserting <quote>, including cybersecurity performances,</quote> after <quote>the performances</quote>; and</text></subparagraph></paragraph><paragraph id="H37F402EA1DEF4BE8B6BAE30BA0791999"><enum>(2)</enum><text>in section 11303(b), in paragraph (2)(B)—</text><subparagraph id="HAB23A2E3DB204544A9D6BA18576CC48F"><enum>(A)</enum><text>in clause (i), by striking <quote>or</quote> at the end;</text></subparagraph><subparagraph id="HA4BC2D5B079B46B399E8481774E5B8D0"><enum>(B)</enum><text>in clause (ii), by adding <quote>or</quote> at the end; and</text></subparagraph><subparagraph id="H44DDF3EA335940359BF9D81DDFFA56AB"><enum>(C)</enum><text>by adding at the end the following:</text><quoted-block id="H65B4CD82EE704947A73D8BADD43F6270" style="OLC"><clause id="H5334851DC7B14F34A162825B16A61DDF"><enum>(iii)</enum><text>whether the function should be performed by a shared service offered 
by another executive agency.</text></clause><after-quoted-block>.</after-quoted-block></quoted-block></subparagraph></paragraph></subsection><subsection id="H6EA1FC1B283D43AB8909CA75361D4059"><enum>(c)</enum><header>Subchapter II</header><text>Subchapter II of chapter 113 of subtitle III of title 40, United States Code, is amended—</text><paragraph id="HFC1B3004EEC1405D8B811B6F5942AEA0"><enum>(1)</enum><text>in section 11312(a), by inserting <quote>, including security risks</quote> after <quote>managing the risks</quote>;</text></paragraph><paragraph id="HF2438A43105F4798A5D088207BEA83D9"><enum>(2)</enum><text>in section 11313(1), by striking <quote>efficiency and effectiveness</quote> and inserting <quote>efficiency, security, and effectiveness</quote>;</text></paragraph><paragraph id="H3DE5B21B8DD34957975944A22C9A4CC1"><enum>(3)</enum><text>in section 11315, by adding at the end the following:</text><quoted-block id="H5B31E8BE465D435084A03C190C505F2B" style="OLC"><subsection id="HF781882B43E042BC82AB2BDBACFDAEAE"><enum>(d)</enum><header>Component agency chief information officers</header><text>The Chief Information Officer or an equivalent official of a component agency shall report to—</text><paragraph id="HF36B698D3875467AAE19CC1E7B33B434"><enum>(1)</enum><text>the Chief Information Officer designated under section 3506(a)(2) of title 44 or an equivalent official of the agency of which the component agency is a component; and</text></paragraph><paragraph id="H1ABBF243471D4535B421541385F59FB8"><enum>(2)</enum><text>the head of the component agency.</text></paragraph></subsection><after-quoted-block>;</after-quoted-block></quoted-block></paragraph><paragraph id="HAB0372C0BBEB4641ABA628BA988CE452"><enum>(4)</enum><text>in section 11317, by inserting <quote>security,</quote> before <quote>or schedule</quote>; and</text></paragraph><paragraph id="H8D04345A002F40B483728B1AE02C49A1"><enum>(5)</enum><text>in section 11319(b)(1), in the paragraph heading, by striking 
<quote><header-in-text level="paragraph" style="OLC">CIOS</header-in-text></quote> and inserting <quote><header-in-text level="paragraph" style="OLC">Chief Information Officers</header-in-text></quote>.</text></paragraph></subsection><subsection id="HEAAFA74E21444ECBA5B6AE04F348DDA4"><enum>(d)</enum><header>Subchapter III</header><text>Section 11331 of title 40, United States Code, is amended—</text><paragraph id="HDF5D40EFE2AA4CF9BD964F604892B15C"><enum>(1)</enum><text>in subsection (a), by striking <quote>section 3532(b)(1)</quote> and inserting <quote>section 3552(b)</quote>;</text></paragraph><paragraph id="H9F9D9CE8335C43F8BC43F56616B94198"><enum>(2)</enum><text>in subsection (b)(1)(A), by striking <quote>the Secretary of Homeland Security</quote> and inserting <quote>the Director of the Cybersecurity and Infrastructure Security Agency</quote>; and</text></paragraph><paragraph id="H2FB66CCAF6CF4604B9F96E9B68188B52"><enum>(3)</enum><text>by adding at the end the following:</text><quoted-block id="H4BAD526F2A2549BD8AC355B91D05BDC6" style="OLC"><subsection id="H2AA6C24E82CA42D0B8A9789145BA9776"><enum>(e)</enum><header>Review of office of management and budget guidance and policy</header><paragraph id="H41611FCD8DF3497286C1148DC8E3B287"><enum>(1)</enum><header>Conduct of review</header><subparagraph id="HE34A228C03DC40A281C11FE5056276C5"><enum>(A)</enum><header>In general</header><text>Not less frequently than once every 3 years, the Director of the Office of Management and Budget, in consultation with, as available, the Chief Information Officers Council, the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Comptroller General of the United States, and the Council of the Inspectors General on Integrity and Efficiency, shall review the efficacy of the guidance and policy promulgated by the Director in reducing cybersecurity risks, including an assessment of the requirements for agencies to report information to the 
Director, and determine whether any changes to that guidance or policy are appropriate.</text></subparagraph><subparagraph id="H3E11588FDFA948FDBA7EA51198B5855F"><enum>(B)</enum><header>Federal risk assessments</header><text>In conducting the review described in subparagraph (A), the Director shall consider the Federal risk assessments performed under section 3553(i) of title 44.</text></subparagraph><subparagraph id="HF11B93CE8D4D415385BD97F8E205311A"><enum>(C)</enum><header>Requirements burden reduction and clarity</header><text>In conducting the review described in subparagraph (A), the Director shall consider the cumulative reporting and compliance burden to agencies as well as the clarity of the requirements and deadlines contained in guidance and policy documents.</text></subparagraph></paragraph><paragraph id="H67B033360DEA4F168641FC24986F410F"><enum>(2)</enum><header>Updated guidance</header><text>Not later than 90 days after the date on which a review is completed under paragraph (1), the Director of the Office of Management and Budget shall issue updated guidance or policy to agencies determined appropriate by the Director, based on the results of the review.</text></paragraph><paragraph id="H855511F925E1448896C7619518851788"><enum>(3)</enum><header>Congressional briefing</header><text>Not later than 60 days after the date on which a review is completed under paragraph (1), the Director is expected to provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives a briefing on the review and any newly issued guidance or policy, which shall include—</text><subparagraph id="H130B545694BA4B059CDB17B2C4DEE79F"><enum>(A)</enum><text>an overview of the guidance and policy promulgated under this section that is currently in effect;</text></subparagraph><subparagraph id="H82A8D91E425A483E9C112E88105347C5"><enum>(B)</enum><text>the cybersecurity risk mitigation, or other 
cybersecurity benefit, offered by each guidance or policy document described in subparagraph (A); and</text></subparagraph><subparagraph id="H34C58A27109448C0913859712C3496C9"><enum>(C)</enum><text>a summary of the guidance or policy to which changes were determined appropriate during the review and what the changes include.</text></subparagraph></paragraph></subsection><subsection id="H709C6BCCED15404DBF723C8387B6338A"><enum>(f)</enum><header>Automated standard implementation verification</header><text>When the Director of the National Institute of Standards and Technology issues a proposed standard pursuant to paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (<external-xref legal-doc="usc" parsable-cite="usc/15/278g-3">15 U.S.C. 278g–3(a)</external-xref>), the Director of the National Institute of Standards and Technology shall consider developing and, if appropriate and practical, develop, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, specifications to enable the automated verification of the implementation of controls.</text></subsection><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection></section><section id="HD3CCD9076BF44E298F1D05D3B4DA5493"><enum>103.</enum><header>Actions to enhance Federal incident response</header><subsection id="H43FB5F200A0C47EAA10903D83A7F1BC4"><enum>(a)</enum><header>Responsibilities of the cybersecurity and infrastructure security agency</header><paragraph id="H72AE03A562C54FC08A9F326372FBF188"><enum>(1)</enum><header>In general</header><text>Not later than 180 days after the date of the enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall—</text><subparagraph id="H7F33CFE2C983476DBAAEFA29E658EF56"><enum>(A)</enum><text>develop a plan for the development of the analysis required under section 3597(a) of title 44, United States Code, as added by this Act, and the 
report required under subsection (b) of that section that includes—</text><clause id="HE64BDA8ADF854142B806103105A17430"><enum>(i)</enum><text>a description of any challenges the Director anticipates encountering; and</text></clause><clause id="HD32A171C51E24CE983F28C800797BFC1"><enum>(ii)</enum><text>the use of automation and machine-readable formats for collecting, compiling, monitoring, and analyzing data; and</text></clause></subparagraph><subparagraph id="H6FC3CCFBF271490FA66910E5DE2F629A"><enum>(B)</enum><text>provide to the appropriate congressional committees a briefing on the plan developed under subparagraph (A).</text></subparagraph></paragraph><paragraph id="H4E4FCE4B47B442FA902DC0F7D7D7E5AC"><enum>(2)</enum><header>Briefing</header><text>Not later than 1 year after the date of the enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall provide to the appropriate congressional committees a briefing on—</text><subparagraph id="HC79578DD7B29471C94339E842A53E160"><enum>(A)</enum><text>the execution of the plan required under paragraph (1)(A); and</text></subparagraph><subparagraph id="H113D6007A03044D3BE6045219A60BAE8"><enum>(B)</enum><text>the development of the report required under section 3597(b) of title 44, United States Code, as added by this Act.</text></subparagraph></paragraph></subsection><subsection id="HB9DB394F1C8647FB9758100CCCF08C33"><enum>(b)</enum><header>Responsibilities of the director of the office of management and budget</header><paragraph id="HE89A902BDE4949139744C322F9B0A1C6"><enum>(1)</enum><header>FISMA</header><text>Section 2 of the Federal Information Security Modernization Act of 2014 (<external-xref legal-doc="public-law" parsable-cite="pl/113/283">Public Law 113–283</external-xref>; <external-xref legal-doc="usc" parsable-cite="usc/44/3554">44 U.S.C. 
3554</external-xref> note) is amended—</text><subparagraph id="H01A0276430C845DFA4ED3157D3A4C6F4"><enum>(A)</enum><text>by striking subsection (b); and</text></subparagraph><subparagraph id="HBEBCDDABAAC24576A8B5F171B2446006"><enum>(B)</enum><text>by redesignating subsections (c) through (f) as subsections (b) through (e), respectively.</text></subparagraph></paragraph><paragraph id="HFEE806C87F0D44378C37548806A050FD"><enum>(2)</enum><header>In general</header><text>The Director shall develop guidance, to be updated not less frequently than once every 2 years, on the content, timeliness, and format of the information provided by agencies under section 3594(a) of title 44, United States Code, as added by this Act.</text></paragraph><paragraph id="HFF68AB21131E49CC802860093BE8E3E1"><enum>(3)</enum><header>Guidance on responding to information requests</header><text>Not later than 1 year after the date of the enactment of this Act, the Director shall develop guidance for agencies to implement the requirement under section 3594(c) of title 44, United States Code, as added by this Act, to provide information to other agencies experiencing incidents.</text></paragraph><paragraph id="HDB8B7FF6F10A484AAD826F18266A1842"><enum>(4)</enum><header>Standard guidance and templates</header><text>Not later than 1 year after the date of the enactment of this Act, the Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall develop guidance and templates, to be reviewed and, if necessary, updated not less frequently than once every 2 years, for use by Federal agencies in the activities required under sections 3592, 3593, and 3596 of title 44, United States Code, as added by this Act.</text></paragraph><paragraph id="HC9687390839A4411A5E5715DE2C04C75"><enum>(5)</enum><header>Contractor and awardee guidance</header><subparagraph id="HD087DA0CB9C149F6859513B85EBDDBF0"><enum>(A)</enum><header>In general</header><text>Not later than 1 year 
after the date of the enactment of this Act, the Director, in coordination with the Secretary of Homeland Security, the Secretary of Defense, the Administrator of General Services, and the heads of other agencies determined appropriate by the Director, shall issue guidance to Federal agencies on how to deconflict, to the greatest extent practicable, existing regulations, policies, and procedures relating to the responsibilities of contractors and awardees established under section 3595 of title 44, United States Code, as added by this Act.</text></subparagraph><subparagraph id="HF47166D0D02544AF90AAA4748D1EC1FB"><enum>(B)</enum><header>Existing processes</header><text>To the greatest extent practicable, the guidance issued under subparagraph (A) shall allow contractors and awardees to use existing processes for notifying Federal agencies of incidents involving information of the Federal Government.</text></subparagraph></paragraph><paragraph id="HD3CF31592D404389BCD28B4800BD4FEE"><enum>(6)</enum><header>Updated briefings</header><text>Not less frequently than once every 2 years, the Director shall provide to the appropriate congressional committees an update on the guidance and templates developed under paragraphs (2) through (4).</text></paragraph></subsection><subsection id="H49E77A318CDF44129F856AB814CDB421"><enum>(c)</enum><header>Update to the privacy act of 1974</header><text>Section 552a(b) of title 5, United States Code (commonly known as the <quote>Privacy Act of 1974</quote>) is amended—</text><paragraph id="H60A8ABFFC9B04047A96D34C83EBAC146"><enum>(1)</enum><text>in paragraph (11), by striking <quote>or</quote> at the end;</text></paragraph><paragraph id="HEFEE90A053F24A76BBF88BEB65C5DDFE"><enum>(2)</enum><text>in paragraph (12), by striking the period at the end and inserting <quote>; or</quote>; and</text></paragraph><paragraph id="H3816415300C9461CA8C0A681F1C0F1D5"><enum>(3)</enum><text>by adding at the end the following:</text><quoted-block 
id="HAB2F449F9BBF4D52BC8A03DD09AEF85D" style="OLC"><paragraph id="H6522F24B6F22469D9658A9B0D08735CF"><enum>(13)</enum><text>to another agency in furtherance of a response to an incident (as defined in section 3552 of title 44) and pursuant to the information sharing requirements in section 3594 of title 44, if the head of the requesting agency has made a written request to the agency that maintains the record specifying the particular portion desired and the activity for which the record is sought.</text></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection></section><section id="H78BEA894978549E4A1F77095DF5E85B0"><enum>104.</enum><header>Additional guidance to agencies on FISMA updates</header><text display-inline="no-display-inline">Not later than 1 year after the date of the enactment of this Act, the Director shall issue guidance for agencies on—</text><paragraph id="H55D184035AD04033964E9DDE1CA8A6E9"><enum>(1)</enum><text>performing the ongoing and continuous agency system risk assessment required under section 3554(a)(1)(A) of title 44, United States Code, as amended by this Act;</text></paragraph><paragraph id="HBD678FAC6BAE4E7EB32C23FC6CBAD72B"><enum>(2)</enum><text>implementing additional cybersecurity procedures, which shall include resources for shared services;</text></paragraph><paragraph id="H9A2C6C2BE0F8474491E859179127BA1E"><enum>(3)</enum><text>establishing a process for providing the status of each remedial action under section 3554(b)(7) of title 44, United States Code, as amended by this Act, to the Director and the Director of the Cybersecurity and Infrastructure Security Agency using automation and machine-readable data, as practicable, which shall include—</text><subparagraph id="HD4096B7F18E54278998EDCC54A5FBBF3"><enum>(A)</enum><text>specific guidance for the use of automation and machine-readable data; and</text></subparagraph><subparagraph 
id="H95DEDDA7472D4C67AACD28363EE47FCB"><enum>(B)</enum><text>templates for providing the status of the remedial action;</text></subparagraph></paragraph><paragraph id="H4E29FC3B4E944E24BB703E832AC10ED7"><enum>(4)</enum><text>interpreting the definition of <quote>high value asset</quote> under section 3552 of title 44, United States Code, as amended by this Act; and</text></paragraph><paragraph id="H50A5B711757D4F66AECCA452F99BD017"><enum>(5)</enum><text>a requirement to coordinate with inspectors general of agencies to ensure consistent understanding and application of agency policies for the purpose of evaluations by inspectors general.</text></paragraph></section><section id="H5EB6C4058EA04EAFB5F3DA6EBC688003"><enum>105.</enum><header>Agency requirements to notify private sector entities impacted by incidents</header><subsection id="H4D96DBE9148243C1809C050C2FEDBB6C"><enum>(a)</enum><header>Definitions</header><text>In this section:</text><paragraph id="H550709418D7B4BD59995DBA288040504"><enum>(1)</enum><header>Reporting entity</header><text>The term <term>reporting entity</term> means a private organization or governmental unit that is required by statute or regulation to submit sensitive information to an agency.</text></paragraph><paragraph id="H40AF7ABE6EBD48A0AF480FC41A89004C"><enum>(2)</enum><header>Sensitive information</header><text>The term <term>sensitive information</term> has the meaning given the term by the Director in guidance issued under subsection (b).</text></paragraph></subsection><subsection id="H8D54D11C48C7478FBA5E784F445EB8D4"><enum>(b)</enum><header>Guidance on notification of reporting entities</header><text>Not later than 180 days after the date of the enactment of this Act, the Director shall issue guidance requiring the head of each agency to notify a reporting entity of an incident that is likely to substantially affect—</text><paragraph id="H7BCECDF819B34B2790309AFBE3A13887"><enum>(1)</enum><text>the confidentiality or integrity of 
sensitive information submitted by the reporting entity to the agency pursuant to a statutory or regulatory requirement; or</text></paragraph><paragraph id="HC85AD7F60C834567B21B960723592B3A"><enum>(2)</enum><text>the agency information system or systems used in the transmission or storage of the sensitive information described in paragraph (1).</text></paragraph></subsection></section></title><title id="H2700C9C58070450B850A4CF552AE7661"><enum>II</enum><header>IMPROVING FEDERAL CYBERSECURITY</header><section id="HF032500C82B64E9B83F8578E14B2FD77"><enum>201.</enum><header>Mobile security standards</header><subsection id="HF82CE8A14FED4317B59CB85A1F6C8A17"><enum>(a)</enum><header>In general</header><text>Not later than 1 year after the date of the enactment of this Act, the Director shall—</text><paragraph id="H53352CC47EF747598F5EBCE716F2E2F5"><enum>(1)</enum><text>evaluate mobile application security guidance promulgated by the Director; and</text></paragraph><paragraph id="H5BF565429ECF4A168A6FC3F88FF1D35A"><enum>(2)</enum><text>issue guidance to secure mobile devices, including for mobile applications, for every agency.</text></paragraph></subsection><subsection id="H5F4CF37E9BF84EE68FC281583AB17578"><enum>(b)</enum><header>Contents</header><text>The guidance issued under subsection (a)(2) shall include—</text><paragraph id="H896DAF2B8F6545B1A2DCBCC7795DF3B5"><enum>(1)</enum><text>a requirement, pursuant to section 3506(b)(4) of title 44, United States Code, for every agency to maintain a continuous inventory of every—</text><subparagraph id="H2AC633743526488CBA187B683C26B0FF"><enum>(A)</enum><text>mobile device operated by or on behalf of the agency; and</text></subparagraph><subparagraph id="H234F0C5E6A2D4696A4C31F68E6738F22"><enum>(B)</enum><text>vulnerability identified by the agency associated with a mobile device; and</text></subparagraph></paragraph><paragraph id="HB2F4D18900B24F18B4205DC9CE92FA2B"><enum>(2)</enum><text>a requirement for every agency to 
perform continuous evaluation of the vulnerabilities described in paragraph (1)(B) and other risks associated with the use of applications on mobile devices.</text></paragraph></subsection><subsection id="H4AFC22526CA144A2A50623FA01C914ED"><enum>(c)</enum><header>Information sharing</header><text>The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall issue guidance to agencies for sharing the inventory of the agency required under subsection (b)(1) with the Director of the Cybersecurity and Infrastructure Security Agency, using automation and machine-readable data to the greatest extent practicable.</text></subsection><subsection id="H00B51E86AC6A4A15A1A58B39A88943F4"><enum>(d)</enum><header>Briefing</header><text>Not later than 60 days after the date on which the Director issues guidance under subsection (a)(2), the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall provide to the appropriate congressional committees a briefing on the guidance.</text></subsection></section><section id="HF67A05FF8B11493F83A55660D0AE7503"><enum>202.</enum><header>Data and logging retention for incident response</header><subsection id="HF960AB3383F3426AA2F2F736E4D5311A"><enum>(a)</enum><header>Recommendations</header><text>Not later than 2 years after the date of the enactment of this Act, and not less frequently than every 2 years thereafter, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Attorney General, shall submit to the Director recommendations on requirements for logging events on agency systems and retaining other relevant data within the systems and networks of an agency.</text></subsection><subsection id="H3F6CBBE85D2E4080A4EB9E3340E36723"><enum>(b)</enum><header>Contents</header><text>The recommendations provided under subsection (a) shall include—</text><paragraph 
id="H5205853CFC574DAA843BBC2C97DB1A21"><enum>(1)</enum><text>the types of logs to be maintained;</text></paragraph><paragraph id="H1A2142E4095B47C4992B3963C645EF67"><enum>(2)</enum><text>the duration that logs and other relevant data should be retained;</text></paragraph><paragraph id="H4F9F6E9862D14B8C803885103CD007E6"><enum>(3)</enum><text>the time periods for agency implementation of recommended logging and security requirements;</text></paragraph><paragraph id="H6A8D3B68BEAE4416AC76FF669A6893AD"><enum>(4)</enum><text>how to ensure the confidentiality, integrity, and availability of logs;</text></paragraph><paragraph id="H06F9059515684579994F1A03AD9C3A10"><enum>(5)</enum><text>requirements to ensure that, upon request, in a manner that excludes or otherwise reasonably protects personally identifiable information, and to the extent permitted by applicable law (including privacy and statistical laws), agencies provide logs to—</text><subparagraph id="H3F907119F32744279D4AA50AC94B938D"><enum>(A)</enum><text>the Director of the Cybersecurity and Infrastructure Security Agency for a cybersecurity purpose; and</text></subparagraph><subparagraph id="H760C0743E39047BEAB85B8749426081C"><enum>(B)</enum><text display-inline="yes-display-inline">the Director of the Federal Bureau of Investigation, or the appropriate Federal law enforcement agency, to investigate potential criminal activity; and</text></subparagraph></paragraph><paragraph id="H4026FC5F6471409594BBE4B425B3E029"><enum>(6)</enum><text>requirements to ensure that, subject to compliance with statistical laws and other relevant data protection requirements, the highest level security operations center of each agency has visibility into all agency logs.</text></paragraph></subsection><subsection id="HEAA5D4338C6840A0B671A0BA6751C8CB"><enum>(c)</enum><header>Guidance</header><text>Not later than 90 days after receiving the recommendations submitted under subsection (a), the Director, in consultation with the 
Director of the Cybersecurity and Infrastructure Security Agency and the Attorney General, shall, as determined to be appropriate by the Director, update guidance to agencies regarding requirements for logging, log retention, log management, sharing of log data with other appropriate agencies, or any other logging activity determined to be appropriate by the Director.</text></subsection><subsection id="HAD845FA93003411CBB7E9F69338C69EF"><enum>(d)</enum><header>Sunset</header><text>This section will cease to be in effect on the date that is 10 years after the date of the enactment of this Act.</text></subsection></section><section id="H51F7A645A8754CCDA842117F80E5290B"><enum>203.</enum><header>Federal penetration testing policy</header><subsection id="HBE63295976C7407290FC351CFF2A630A"><enum>(a)</enum><header>In general</header><text>Subchapter II of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code, is amended by adding at the end the following:</text><quoted-block id="HEB01505653644D82A7975ABB869790C1" style="USC"><section id="HA67C8CBB5E29413081F544F6B7E569C6"><enum>3559A.</enum><header>Federal penetration testing</header><subsection id="H1AB64E2BAB6A4A90AE3821E95DD0C1FB"><enum>(a)</enum><header>Guidance</header><paragraph id="H664950EF806B43F29819932AC35B222F"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">The Director shall, in consultation with the Secretary of the Department of Homeland Security acting through the Director of the Cybersecurity and Infrastructure Security Agency, issue guidance to agencies that—</text><subparagraph id="HCBEF542CE0EA44A6A6AEB8B95F11ED0C"><enum>(A)</enum><text>requires agencies to use, when and where appropriate, penetration testing on agency systems by both Federal and non-Federal entities, with a focus on high value assets;</text></subparagraph><subparagraph 
id="H67CBF53FBDF14C4582D8372505925B41"><enum>(B)</enum><text>provides policies governing agency development of an operational plan, rules of engagement for utilizing penetration testing, and procedures to utilize the results of penetration testing to improve the cybersecurity and risk management of the agency; and</text></subparagraph><subparagraph id="H803567BC6DA144B7AF7B8939342969F4"><enum>(C)</enum><text>establishes a program under the Cybersecurity and Infrastructure Security Agency to ensure that penetration testing is being performed appropriately by agencies and to provide operational support or a shared service.</text></subparagraph></paragraph></subsection><subsection id="H354006DADF0B48D2BE60FD8E8ACBA32B"><enum>(b)</enum><header>Responsibilities of OMB</header><text>The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall—</text><paragraph id="H08133118D02E4A96B7612BFDD0F6F0F0"><enum>(1)</enum><text>not less frequently than annually, inventory all Federal penetration testing assets; and</text></paragraph><paragraph id="H54616AD76CF84943B14077D939C0841C"><enum>(2)</enum><text>develop and maintain a standardized process for the use of penetration testing.</text></paragraph></subsection><subsection id="HA555C3C68D224DB380B14CDD0FD3F539"><enum>(c)</enum><header>Exception for national security systems</header><text>The guidance issued under subsection (a) shall not apply to national security systems.</text></subsection><subsection id="H00DE86FBCA26499DA9D4194AB3EB6550"><enum>(d)</enum><header>Delegation of authority for certain systems</header><text>The authorities of the Director described in subsection (a) shall be delegated—</text><paragraph id="HBB0223DC6B9C4CBEB3FF6E5279409B7A"><enum>(1)</enum><text>to the Secretary of Defense in the case of systems described in section 3553(e)(2); and</text></paragraph><paragraph id="H7BC4562B015B465BAAFBBE2F70605C4E"><enum>(2)</enum><text>to the Director of National 
Intelligence in the case of systems described in section 3553(e)(3).</text></paragraph></subsection></section><after-quoted-block>.</after-quoted-block></quoted-block></subsection><subsection id="H838C0545DF3C4B61995F6B86BDB05121"><enum>(b)</enum><header>Deadline for guidance</header><text>Not later than 180 days after the date of the enactment of this Act, the Director shall issue the guidance required under section 3559A(a) of title 44, United States Code, as added by subsection (a).</text></subsection><subsection id="HBB83BDF8B2984EAB852C1EB3329D67B1"><enum>(c)</enum><header>Sunset</header><text>This section shall sunset on the date that is 10 years after the date of the enactment of this Act.</text></subsection><subsection id="H1EA555E566A643F7A7296E0E59D15441"><enum>(d)</enum><header>Clerical amendment</header><text>The table of sections for <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code, is amended by adding after the item relating to section 3559 the following:</text><quoted-block id="HD3AB87A0B1E4437085F14CE8685D25FB" style="USC"><toc regeneration="no-regeneration"><toc-entry level="section">3559A. 
Federal penetration testing.</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block></subsection><subsection id="H75E916DF592E47FF9CD0CB553910D02A"><enum>(e)</enum><header>Penetration testing by the secretary of homeland security</header><text>Section 3553(b) of title 44, United States Code, as amended by section 5121, is further amended—</text><paragraph id="H2F925CFADD844726B9770E83538A14EC"><enum>(1)</enum><text>in paragraph (8)(B), by striking <quote>and</quote> at the end;</text></paragraph><paragraph id="H8CCDFC53655C4D308BC93847905B388F"><enum>(2)</enum><text>by redesignating paragraph (9) as paragraph (10); and</text></paragraph><paragraph id="HBF5932888E124C53BF73112EA7E621CD"><enum>(3)</enum><text>by inserting after paragraph (8) the following:</text><quoted-block id="H7D8944201C9E45F0BA2736CDE12B234E" style="OLC"><paragraph id="H8162C14311B643699118C888954FE97B"><enum>(9)</enum><text>performing penetration testing to identify vulnerabilities within Federal information systems; and</text></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection></section><section id="H04A374CA03464CC0A355C1E7A3E1D8A1"><enum>204.</enum><header>Ongoing threat hunting program</header><subsection id="H24208E1BD439412AB358736248E802EA"><enum>(a)</enum><header>Threat hunting program</header><paragraph id="HDF36D8F3F4AD4A34A333CC19B4FC8142"><enum>(1)</enum><header>In general</header><text>Not later than 540 days after the date of the enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall, in accordance with the authorities granted the Secretary under sections 3553(b)(7)–(8) and 3553(m) of title 44, United States Code (as redesignated by this Act), establish a program to provide ongoing, hypothesis-driven threat-hunting services on the network of each agency.</text></paragraph><paragraph id="H3AFFC3F8276145FE82CC28651013A97C"><enum>(2)</enum><header>Plan</header><text>Not later than 
180 days after the date of the enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall develop a plan to establish the program required under paragraph (1) that describes how the Director of the Cybersecurity and Infrastructure Security Agency plans to—</text><subparagraph id="HECE24E376A0A4C5097822D68A658B44E"><enum>(A)</enum><text>determine the method for collecting, storing, accessing, analyzing, and safeguarding appropriate agency data;</text></subparagraph><subparagraph id="HAE71218497AD493DB11773D3D37AB2BB"><enum>(B)</enum><text>provide on-premises support to agencies;</text></subparagraph><subparagraph id="HBD7009122997410885B404EA092F648F"><enum>(C)</enum><text>staff threat hunting services;</text></subparagraph><subparagraph id="H04798C64689845878A7CF1133802039C"><enum>(D)</enum><text>allocate available human and financial resources to implement the plan; and</text></subparagraph><subparagraph id="HF2D16F7DA543422093044792C89644CC"><enum>(E)</enum><text>provide input to the heads of agencies on the use of—</text><clause id="H0B4516F5BC144B1BB1CEB6B31CAB9E98"><enum>(i)</enum><text>more stringent standards under section 11331(c)(1) of title 40, United States Code; and</text></clause><clause id="H6895CEFC78C843499E661864E450D110"><enum>(ii)</enum><text>additional cybersecurity procedures under section 3554 of title 44, United States Code.</text></clause></subparagraph></paragraph></subsection><subsection id="H4E5F1C1839334081ACAD17DC382AECBA"><enum>(b)</enum><header>Reports</header><text>The Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, shall submit to the appropriate congressional committees—</text><paragraph id="H28BDE13E9DA240D5BCCABBDAA9492B23"><enum>(1)</enum><text>not later than 30 days after the date on which the Director of the Cybersecurity and Infrastructure Security Agency completes the plan required under subsection (a)(2), a report on the plan to 
provide threat hunting services to agencies;</text></paragraph><paragraph id="H1D454BDED6E24ACAB76155A7FE418323"><enum>(2)</enum><text>not less than 30 days before the date on which the Director of the Cybersecurity and Infrastructure Security Agency begins providing threat hunting services under the program under subsection (a)(1), a report providing any updates to the plan developed under subsection (a)(2); and</text></paragraph><paragraph id="H5DABBEE1BEDB4C9BABE40B8F4F9622B7"><enum>(3)</enum><text>not later than 1 year after the date on which the Director of the Cybersecurity and Infrastructure Security Agency begins providing threat hunting services to agencies other than the Cybersecurity and Infrastructure Security Agency, a report describing lessons learned from providing those services.</text></paragraph></subsection></section><section id="H141F0E55B68E4D35BC50F5E865194D48"><enum>205.</enum><header>Codifying vulnerability disclosure programs</header><subsection id="HF5501A29740A47368FB2CD8B70F0D1D8"><enum>(a)</enum><header>In general</header><text>Subchapter II of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">Chapter 35</external-xref> of title 44, United States Code, is amended by inserting after section 3559A, as added by section 203, the following:</text><quoted-block id="H2C00BAC88D0C44C8B2F00441954B5684" style="USC"><section id="HC3B312083AF047B69C8D27B0446B5FE5"><enum>3559B.</enum><header>Federal vulnerability disclosure programs</header><subsection id="H95AD21FD65794C2C86610C17F6146C32"><enum>(a)</enum><header>Definitions</header><text>In this section:</text><paragraph id="HC159408DD235471D8BDB59BB732FE314"><enum>(1)</enum><header>Report</header><text>The term <term>report</term> means a vulnerability disclosure made to an agency by a reporter.</text></paragraph><paragraph id="H72E39A0E5F2844418E3EF72818641E77"><enum>(2)</enum><header>Reporter</header><text>The term <term>reporter</term> means an individual that submits a 
vulnerability report pursuant to the vulnerability disclosure process of an agency.</text></paragraph></subsection><subsection id="HD4C35CA48B694E39B6EF1987BB4280B2"><enum>(b)</enum><header>Responsibilities of OMB</header><paragraph id="HB58B86DD91784A67A8B4F31F292284F6"><enum>(1)</enum><header>Limitation on legal action</header><text>The Director of the Office of Management and Budget, in consultation with the Attorney General, shall issue guidance to agencies to not recommend or pursue legal action against a reporter or an individual that conducts a security research activity that the head of the agency determines—</text><subparagraph id="H34271B8B63C64331B0645E13099418BC"><enum>(A)</enum><text>represents a good faith effort to follow the vulnerability disclosure policy of the agency developed under subsection (d)(2); and</text></subparagraph><subparagraph id="H834FCD022CBD4FF99CCF818AC6D4B8E0"><enum>(B)</enum><text>is authorized under the vulnerability disclosure policy of the agency developed under subsection (d)(2).</text></subparagraph></paragraph><paragraph id="H8FEC1854ED07433CA282AFE8B6570111"><enum>(2)</enum><header>Sharing information with CISA</header><text display-inline="yes-display-inline">The Director of the Office of Management and Budget, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and in consultation with the National Cyber Director, shall issue guidance to agencies on sharing relevant information in a consistent, automated, and machine readable manner with the Director of the Cybersecurity and Infrastructure Security Agency, including—</text><subparagraph id="HAEA5B7FFE9A64CF6A904C388478ED9F4"><enum>(A)</enum><text>any valid or credible reports of newly discovered or not publicly known vulnerabilities (including misconfigurations) on Federal information systems that use commercial software or services;</text></subparagraph><subparagraph 
id="H81482793D1A143BEB891E3A33963EBCE"><enum>(B)</enum><text>information relating to vulnerability disclosure, coordination, or remediation activities of an agency, particularly as those activities relate to outside organizations—</text><clause id="HE108CE99AC43489BBE5DB32C888EE809"><enum>(i)</enum><text>with which the head of the agency believes the Director of the Cybersecurity and Infrastructure Security Agency can assist; or</text></clause><clause id="HA25809C4FB2E4132B3F903BD6065AD04"><enum>(ii)</enum><text>about which the head of the agency believes the Director of the Cybersecurity and Infrastructure Security Agency should know; and</text></clause></subparagraph><subparagraph id="H6FECF449BBAE4559A3A225D61AE7AB47"><enum>(C)</enum><text>any other information with respect to which the head of the agency determines helpful or necessary to involve the Director of the Cybersecurity and Infrastructure Security Agency.</text></subparagraph></paragraph><paragraph id="HAB6C3EA30A60421F83E11ED2FF2E9F31"><enum>(3)</enum><header>Agency vulnerability disclosure policies</header><text>The Director shall issue guidance to agencies on the required minimum scope of agency systems covered by the vulnerability disclosure policy of an agency required under subsection (d)(2).</text></paragraph></subsection><subsection id="H75B971AB029446879C014992262C6297"><enum>(c)</enum><header>Responsibilities of CISA</header><text>The Director of the Cybersecurity and Infrastructure Security Agency shall—</text><paragraph id="H3989D057B53B471CB83BDDCD8244BDB2"><enum>(1)</enum><text>provide support to agencies with respect to the implementation of the requirements of this section;</text></paragraph><paragraph id="H02F40588010C45FA8657AE2378C2AF64"><enum>(2)</enum><text>develop tools, processes, and other mechanisms determined appropriate to offer agencies capabilities to implement the requirements of this section; and</text></paragraph><paragraph 
id="H85F90143459244D39243047AB009C9C3"><enum>(3)</enum><text>upon a request by an agency, assist the agency in the disclosure to vendors of newly identified vulnerabilities in vendor products and services.</text></paragraph></subsection><subsection id="HFA28BA764A6B4CD796EA5750D8CE39AA"><enum>(d)</enum><header>Responsibilities of agencies</header><paragraph id="H59732E62FFFD46CF8B350D0BFC59CCAF"><enum>(1)</enum><header>Public information</header><text>The head of each agency shall make publicly available, with respect to each internet domain under the control of the agency that is not a national security system—</text><subparagraph id="HFAFED7D8028F4938A2BB6E9FDE289CFA"><enum>(A)</enum><text>an appropriate security contact; and</text></subparagraph><subparagraph id="H8838E1213E294CEAAF069CF3FC5F66E5"><enum>(B)</enum><text>the component of the agency that is responsible for the internet accessible services offered at the domain.</text></subparagraph></paragraph><paragraph id="HCF1F36FEE4CB4F9AA43C095865E2400A"><enum>(2)</enum><header>Vulnerability disclosure policy</header><text>The head of each agency shall develop and make publicly available a vulnerability disclosure policy for the agency, which shall—</text><subparagraph id="H91FBDA4CAEC94C62A482E60FE07A8F0D"><enum>(A)</enum><text>describe—</text><clause id="HDD70EDEAC2534130BA46AFD6DFAD0262"><enum>(i)</enum><text>the scope of the systems of the agency included in the vulnerability disclosure policy;</text></clause><clause id="H385E680490A941BA89FC56DCC2F4ADAC"><enum>(ii)</enum><text>the type of information system testing that is authorized by the agency;</text></clause><clause id="HD76A1B78D6E9407C8D54D01092694D7C"><enum>(iii)</enum><text>the type of information system testing that is not authorized by the agency; and</text></clause><clause id="H8301BB66CC7C436EAC4265BECBC14186"><enum>(iv)</enum><text>the disclosure policy of the agency for sensitive information;</text></clause></subparagraph><subparagraph 
id="H3ABFE5DDA3464F94B9339AABE73FB539"><enum>(B)</enum><text>with respect to a report to an agency, describe—</text><clause id="HD4E6287B82F04BB19C96549511587CD7"><enum>(i)</enum><text>how the reporter should submit the report; and</text></clause><clause id="H7AB7C55B096E4FEA8130B79C98338761"><enum>(ii)</enum><text>if the report is not anonymous, when the reporter should anticipate an acknowledgment of receipt of the report by the agency;</text></clause></subparagraph><subparagraph id="H19A2DEA29F144840A5A610B945807267"><enum>(C)</enum><text>include any other relevant information; and</text></subparagraph><subparagraph id="H2D90E16512F246369BE7DD2D596B7D81"><enum>(D)</enum><text>be mature in scope, covering all internet accessible Federal information systems used or operated by that agency or on behalf of that agency.</text></subparagraph></paragraph><paragraph id="HF728391D3738410294CFE3AEFECA5688"><enum>(3)</enum><header>Identified vulnerabilities</header><text>The head of each agency shall incorporate any vulnerabilities reported under paragraph (2) into the vulnerability management process of the agency in order to track and remediate the vulnerability.</text></paragraph></subsection><subsection id="H986C212B739A4B30B9F1919C3EC02C40"><enum>(e)</enum><header>Congressional reporting</header><text>Not later than 90 days after the date of the enactment of the Federal Information Security Modernization Act of 2022, and annually thereafter for a 3-year period, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives a briefing on the status of the use of vulnerability disclosure policies under this section at agencies, including, with respect to the guidance issued under subsection (b)(3), an identification of the agencies that are compliant and not 
compliant.</text></subsection><subsection id="H46D8009B655141D683E435D8F90BDB0B"><enum>(f)</enum><header>Exemptions</header><text>The authorities and functions of the Director and Director of the Cybersecurity and Infrastructure Security Agency under this section shall not apply to national security systems.</text></subsection><subsection id="HB417AEF656574515BB05FEBB39C57CC1"><enum>(g)</enum><header>Delegation of authority for certain systems</header><text>The authorities of the Director and the Director of the Cybersecurity and Infrastructure Security Agency described in this section shall be delegated—</text><paragraph id="H7FB5228067AF4DE9B4D35412E8B3DC4B"><enum>(1)</enum><text>to the Secretary of Defense in the case of systems described in section 3553(e)(2); and</text></paragraph><paragraph id="H43E896531CD24EA2B38DBAB4AD4307E3"><enum>(2)</enum><text>to the Director of National Intelligence in the case of systems described in section 3553(e)(3).</text></paragraph></subsection></section><after-quoted-block>.</after-quoted-block></quoted-block></subsection><subsection id="H56C9CFA392884FFFAADB325831CC2836"><enum>(b)</enum><header>Sunset</header><text>This section shall sunset on the date that is 10 years after the date of the enactment of this Act.</text></subsection><subsection id="H2CFE36E415704411BEF3A0F53BCBCEE5"><enum>(c)</enum><header>Clerical amendment</header><text>The table of sections for <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 35</external-xref> of title 44, United States Code, is amended by adding after the item relating to section 3559A, as added by this Act, the following:</text><quoted-block id="H3125006689E7400FA3BDCCD650DF3D4A" style="USC"><toc regeneration="no-regeneration"><toc-entry level="section">3559B. 
Federal vulnerability disclosure programs.</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block></subsection></section><section id="HA2BC7C2ED6E247D087B3C1F10A1FBC58"><enum>206.</enum><header>Implementing zero trust architecture</header><subsection id="H89C2C27330764C638034DC219EA3CC3E"><enum>(a)</enum><header>Guidance</header><text display-inline="yes-display-inline">The Director shall maintain guidance on the adoption of zero trust architecture and not later than 2 years after the date of the enactment of this Act, provide an update to the appropriate congressional committees on progress in increasing the internal defenses of agency systems through such adoption across the government, including—</text><paragraph id="H5581AC46440D44C2A06460E07F9EAB44"><enum>(1)</enum><text>shifting away from <quote>trusted networks</quote> to implement security controls based on a presumption of compromise;</text></paragraph><paragraph id="H16299C96C57244DD9989CAAD05544414"><enum>(2)</enum><text>implementing principles of least privilege in administering information security programs;</text></paragraph><paragraph id="HD5D9B05A8E254E0C9632D5F5996ACB1B"><enum>(3)</enum><text>limiting the ability of entities that cause incidents to move laterally through or between agency systems;</text></paragraph><paragraph id="H9B1A4114C343407190AB5DFAD6D59EA0"><enum>(4)</enum><text>identifying incidents quickly;</text></paragraph><paragraph id="H8FF57C9C282649678E643ED23E3C9A2F"><enum>(5)</enum><text display-inline="yes-display-inline">isolating and removing unauthorized entities from agency systems as quickly as practicable, accounting for intelligence or law enforcement purposes;</text></paragraph><paragraph id="H324272DA14E64B1A926F182296287E4D"><enum>(6)</enum><text>otherwise increasing the resource costs for entities that cause incidents to be successful; and</text></paragraph><paragraph id="HC5A06C9186794B44B1FF2B4A6D8874FF"><enum>(7)</enum><text>a summary of the agency 
progress reports required under subsection (b).</text></paragraph></subsection><subsection id="HB8ED474BEC5840DE80F191AD3578D91D"><enum>(b)</enum><header>Agency progress reports</header><text>Not later than 270 days after the date of the enactment of this Act, the head of each agency shall submit to the Director a progress report on implementing an information security program based on a zero trust architecture, which shall include—</text><paragraph id="H9C32D372866746588F795959ED217911"><enum>(1)</enum><text>a description of any steps the agency has completed, including progress toward achieving any requirements issued by the Director, including the adoption of any models or reference architecture;</text></paragraph><paragraph id="H12B4B6B46EB34D6FA578B23328D08B9C"><enum>(2)</enum><text>an identification of activities that have not yet been completed and that would have the most immediate security impact; and</text></paragraph><paragraph id="HD3AA3F83F36E45E4927DB99611F32D10"><enum>(3)</enum><text>a schedule to implement any planned activities.</text></paragraph></subsection></section><section id="HEFCA3610BC3B4100AA0A8BAA2F0893DF"><enum>207.</enum><header>GAO automation report</header><text display-inline="no-display-inline">Not later than 2 years after the date of the enactment of this Act, the Comptroller General of the United States shall perform a study on the use of automation and machine-readable data across the Federal Government for cybersecurity purposes, including the automated updating of cybersecurity tools, sensors, or processes employed by agencies under paragraphs (1), (5)(C), and (8)(B) of section 3554(b) of title 44, United States Code.</text></section><section id="H47677DEB2DC4497E9857DC0FD9E4C72C"><enum>208.</enum><header>Extension of Federal Acquisition Security Council</header><subsection id="H198F051BD07C4400B08D2BB9CD06F4BC"><enum>(a)</enum><header>Extension</header><text>Section 1328 of title 41, United States Code, is amended by striking 
<quote>the date that</quote> and all that follows and inserting <quote>December 31, 2026</quote>.</text></subsection><subsection id="H9DA52F54487C40BFB8D711F6F96C0AFC"><enum>(b)</enum><header>Designation</header><text>Section 1322(c)(1) of title 41, United States Code, is amended by striking <quote>Not later than</quote> and all that follows through the end of the paragraph and inserting the following: <quote>The Director of OMB shall designate the Federal Chief Information Security Officer appointed by the President under section 3607 of title 44, or an equivalent senior-level official from the Office of Management and Budget if the position is vacant, to serve as the Chairperson of the Council.</quote>.</text></subsection><subsection id="HD1A647F658E04716B4FD2C3F58CE06F9"><enum>(c)</enum><header>Requirement</header><text>Subsection 1326(b) of title 41, United States Code, is amended—</text><paragraph id="H8273976A1D32404EA1C0CC81B725DD1C"><enum>(1)</enum><text>in paragraph (5), by striking <quote>; and</quote> and inserting a semicolon;</text></paragraph><paragraph id="H7586811569A44FEBA16EAC264092BF63"><enum>(2)</enum><text>by redesignating paragraph (6) as paragraph (7); and</text></paragraph><paragraph id="H6E05E66632E649BD9322D5F66DF6F2DE"><enum>(3)</enum><text>by inserting after paragraph (5) the following new paragraph:</text><quoted-block id="H07683157FD3C4684BBA22F8644BD4AF2" style="OLC"><paragraph id="H124283A59ED746EB8D50F2EF966C00DE"><enum>(6)</enum><text>maintaining an up-to-date and accurate inventory of software in use by the agency and, when available, the components of such software, including any available Software Bills of Materials, as applicable, that can be communicated when requested to the Federal Acquisition Security Council, the National Cybersecurity Director, or the Secretary of Homeland Security acting through the Director of Cybersecurity and Infrastructure Security 
Agency.</text></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection></section><section id="HCCFE8C672525482989D8F7D0C736FBE7"><enum>209.</enum><header>Federal chief information security officer</header><subsection id="H340D2653477E484A9B49A4483089480F"><enum>(a)</enum><header>Amendment</header><text><external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/36">Chapter 36</external-xref> of title 44, United States Code, is amended by inserting at the end:</text><quoted-block id="H0885A7FD5FB74BB4BDF441AD2FA2D2E5" style="USC"><section id="H2FE1EAC1A7C147ACAC385E91E09B5211"><enum>3607.</enum><header>Federal chief information security officer</header><subsection id="H565095E8E789403E8AB378D176F5D434"><enum>(a)</enum><header>Establishment</header><text>There is established in the Office of the Federal Chief Information Officer of the Office of Management and Budget a Federal Chief Information Security Officer, who shall be appointed by the President.</text></subsection><subsection id="H057524831E7D4B18B74B460DA90542C3"><enum>(b)</enum><header>Duties</header><text>The Federal Chief Information Security Officer shall report to the Federal Chief Information Officer, and assist the Chief Information Officer in carrying out—</text><paragraph id="H441431155C0C4001B6679FEBFD83820B"><enum>(1)</enum><text>all functions under this chapter;</text></paragraph><paragraph id="H3316D7F42CCD473287D490CBD422FB12"><enum>(2)</enum><text>all functions assigned to the Director under title II of the E–Government Act of 2002;</text></paragraph><paragraph id="H9039A1C032BF46F4A3600F59D908C197"><enum>(3)</enum><text>other electronic government initiatives, consistent with other statutes;</text></paragraph><paragraph id="HAB3EDBE0A62A49A0AECA4B0FBE0F463A"><enum>(4)</enum><text>assisting the Director with carrying out budget formation duties under subtitle II of title 31 as it pertains to the information technology, operations, and workforce 
resources of Federal agencies to fulfill cybersecurity responsibilities under section 3554, and the duties of the Department of Homeland Security designated under section 3553; and</text></paragraph><paragraph id="H014C3F54996B41968D2DFF9316CE5CF9"><enum>(5)</enum><text>other initiatives determined by the Chief Information Officer.</text></paragraph></subsection><subsection id="H97215D91D0244ACBAC533AC86DAA6490"><enum>(c)</enum><header>Additional Duties</header><text>The Federal Chief Information Security Officer shall work with the Chief Information Officer to oversee implementation of electronic Government under the E–Government Act of 2002, and other relevant statutes, in a manner consistent with law, relating to—</text><paragraph id="HA3A4985889254F68BAC8501D19430DC5"><enum>(1)</enum><text display-inline="yes-display-inline">cybersecurity strategy, policy, and operations, including the performance of the duties of the Director under subchapter II of chapter 35;</text></paragraph><paragraph id="H9DAB4633BF8B4A35AF28CC90A726C120"><enum>(2)</enum><text>the development of enterprise architectures;</text></paragraph><paragraph id="HEB9FD3CFCD4D43E9AB1AC0AD88013CD0"><enum>(3)</enum><text>information security;</text></paragraph><paragraph id="HAC402672CDC940EAB6D482E2593E60D6"><enum>(4)</enum><text>privacy;</text></paragraph><paragraph id="HF9B7840D0A314D57BF242DC28478743E"><enum>(5)</enum><text>access to, dissemination of, and preservation of Government information; and</text></paragraph><paragraph id="HB934107C065B49CC85279D5B2B3E2FC0"><enum>(6)</enum><text>other areas of electronic Government as determined by the Administrator.</text></paragraph></subsection><subsection id="HD40ADAC6224D44E4B6DE63433B294E34"><enum>(d)</enum><header>Assistance</header><text>The Federal Chief Information Security Officer shall assist the Administrator in the performance of electronic Government functions as described in section 
3602(f).</text></subsection></section><after-quoted-block>.</after-quoted-block></quoted-block></subsection><subsection id="H43FFAF0EA8C34D1F84B04CCEADFA4296"><enum>(b)</enum><header>Deputy National Cyber Director</header><text display-inline="yes-display-inline">Section 1752 of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (<external-xref legal-doc="usc" parsable-cite="usc/6/1500">6 U.S.C. 1500</external-xref>; 134 Stat. 4144) is amended by adding at the end the following new subsection:</text><quoted-block id="H55820B81BA904D48A72639E7775BA75C" style="OLC"><subsection id="H9C7B5F740EF8461D93649B907A573EF6"><enum>(d)</enum><header>Deputy Director</header><text>There shall be a Deputy National Cyber Director for Agency Strategy, Capabilities, and Budget, who shall be the Federal Chief Information Security Officer appointed by the President under section 3607 of title 44, United States Code, and shall report to the Director and assist the office in carrying out the following duties as it applies to the protection of Federal information systems by the agencies—</text><paragraph id="HBCED3881E61A4ABBBF69E75A3B5E81C5"><enum>(1)</enum><text>the preparation and oversight over the implementation of national cyber policy and strategy under subsection (c)(1)(C)(i);</text></paragraph><paragraph id="HD5BBD3387D7B48B8B1CFD9A788527805"><enum>(2)</enum><text>the formation and issuance of recommendations to agencies on resource allocations and policies under subsection (c)(1)(C)(ii);</text></paragraph><paragraph id="H6667D12B07FB480A94AF5A5B3A875EA5"><enum>(3)</enum><text>reviewing annual budget proposals and making related recommendations under subsection (c)(1)(C)(iii);</text></paragraph><paragraph id="H88FE767C15D7433E96884DC9D2EC3578"><enum>(4)</enum><text>the functions, as determined necessary, of the National Cyber Director under subchapter II of <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/35">chapter 
35</external-xref> of title 44, United States Code; and</text></paragraph><paragraph id="HDEEEFB23F790426C9B26DDB7EAB93550"><enum>(5)</enum><text>other initiatives determined by the Director, or to be necessary to coordinate with the Office by the Federal Chief Information Officer.</text></paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block></subsection><subsection id="HA6AEDF92C3A14D71AF312B005687A6A2"><enum>(c)</enum><header>Clerical amendment</header><text>The table of sections for <external-xref legal-doc="usc-chapter" parsable-cite="usc-chapter/44/36">chapter 36</external-xref> of title 44, United States Code, is amended by adding after the item relating to section 3606 the following:</text><quoted-block style="USC" id="H3855AC0E581B4DC9AFBAE00420FF0C36"><toc regeneration="no-regeneration"><toc-entry level="section">3607. Federal chief information security officer.</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block></subsection></section><section id="H4ACC2B7BA7FE4B629F7A7750AA2EE2B4"><enum>210.</enum><header>Extension of Chief Data Officer Council</header><text display-inline="no-display-inline">Section 2520A(e)(2) of title 44, United States Code, is amended by striking <quote>upon the expiration of the 2-year period that begins on the date the Comptroller General submits the report under paragraph (1) to Congress</quote> and inserting <quote>January 31, 2030</quote>. </text></section><section id="H606BF863370E47FB92F04899DF87FF15"><enum>211.</enum><header>Council of the inspectors general on integrity and efficiency dashboard</header><text display-inline="no-display-inline">Section 11(e)(2) of the Inspector General Act of 1978 (5 U.S.C. App.) 
is amended—</text><paragraph id="H44006F5C2367464A87EABE04F1926BA8"><enum>(1)</enum><text>in subparagraph (A), by striking <quote>and</quote> at the end;</text></paragraph><paragraph id="HAFB1E0989DB543F2B626F4C9DC201AA3"><enum>(2)</enum><text>by redesignating subparagraph (B) as subparagraph (C); and</text></paragraph><paragraph id="H96E51C95BD6643A19B1942FDDB72F1E9"><enum>(3)</enum><text>by inserting after subparagraph (A) the following:</text><quoted-block id="H365F8ECEA8EF4226BC00E969BA2CFDA2" style="OLC"><subparagraph id="H69DD53877A7D4583AF7C7FBE3382ADE5"><enum>(B)</enum><text>that shall include a dashboard of open information security recommendations identified in the independent evaluations required by section 3555(a) of title 44, United States Code; and</text></subparagraph><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></section><section id="H0E0311EA3F234A86A9448C2D8B1A164C"><enum>212.</enum><header>Quantitative cybersecurity metrics</header><subsection id="H5E147683E96C46A7864CD624DAE15503"><enum>(a)</enum><header>Definition of covered metrics</header><text>In this section, the term <term>covered metrics</term> means the metrics established, reviewed, and updated under section 224(c) of the Cybersecurity Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1522">6 U.S.C. 
1522(c)</external-xref>).</text></subsection><subsection id="H8ED5735414154CA58E7705DF0E8E3202"><enum>(b)</enum><header>Updating and establishing metrics</header><text display-inline="yes-display-inline">Not later than 1 year after the date of the enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director and consulting with the Director of the National Institute of Standards and Technology, shall—</text><paragraph id="H69AD1A08682644B5BED13E472D84742B"><enum>(1)</enum><text>evaluate any covered metrics established as of the date of the enactment of this Act; and</text></paragraph><paragraph id="H3FA819D8222243ADAC1B8C02EBD1D3BC"><enum>(2)</enum><text>as appropriate and pursuant to section 224(c) of the Cybersecurity Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1522">6 U.S.C. 1522(c)</external-xref>)—</text><subparagraph id="H18A3C3B3F9CD470EA5DD45ACCD5AC02D"><enum>(A)</enum><text>update the covered metrics; and</text></subparagraph><subparagraph id="H2C81A27646E446919ABDB2A6AB5DB77B"><enum>(B)</enum><text>establish new covered metrics.</text></subparagraph></paragraph></subsection><subsection id="H596CC6F2FB3043FC9F51161AAA1F6BCF"><enum>(c)</enum><header>Implementation</header><paragraph id="H59805F9C223643DF8CD9CA483889F7C0"><enum>(1)</enum><header>In general</header><text>Not later than 540 days after the date of the enactment of this Act, the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall promulgate guidance that requires each agency to use covered metrics to track trends in the cybersecurity and incident response capabilities of the agency.</text></paragraph><paragraph id="HEA3C81D775EA4F2498689C679881727C"><enum>(2)</enum><header>Performance demonstration</header><text>The guidance issued under paragraph (1) and any subsequent guidance shall require agencies to share with the Director of the Cybersecurity and 
Infrastructure Security Agency data demonstrating the performance of the agency using the covered metrics included in the guidance.</text></paragraph><paragraph id="H71482B66820942C3A0F10259C3A4BFBE"><enum>(3)</enum><header>Penetration tests</header><text>On not less than 2 occasions during the 2-year period following the date on which guidance is promulgated under paragraph (1), the Director shall ensure that not less than 3 agencies are subjected to substantially similar penetration tests, as determined by the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, in order to validate the utility of the covered metrics.</text></paragraph><paragraph id="H7B28AEFEA2234AD1A2FF3DF921912515"><enum>(4)</enum><header>Analysis capacity</header><text>The Director of the Cybersecurity and Infrastructure Security Agency shall develop a capability that allows for the analysis of the covered metrics, including cross-agency performance of agency cybersecurity and incident response capability trends.</text></paragraph></subsection><subsection id="HF4C6BA24298B4F22BF5C8D93983DAE91"><enum>(d)</enum><header>Congressional reports</header><paragraph id="H82F6E889F8C648E98EB9A47E22E9DE83"><enum>(1)</enum><header>Utility of metrics</header><text>Not later than 1 year after the date of the enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director, shall submit to the appropriate congressional committees a report on the utility of the covered metrics.</text></paragraph><paragraph id="H854017E6BCDC468B88E7B45287369EBB"><enum>(2)</enum><header>Use of metrics</header><text>Not later than 180 days after the date on which the Director promulgates guidance under subsection (c)(1), the Director shall submit to the appropriate congressional committees a report on the results of the use of the covered metrics by agencies.</text></paragraph></subsection><subsection 
id="H2C5CD9AEF6884D84AD6CA17B59669427"><enum>(e)</enum><header>Federal Cybersecurity Enhancement Act of <enum-in-header>2015</enum-in-header> updates</header><text display-inline="yes-display-inline">The Federal Cybersecurity Enhancement Act of 2015 (<external-xref legal-doc="usc" parsable-cite="usc/6/1521">6 U.S.C. 1521 et seq.</external-xref>) is amended—</text><paragraph id="H98C02461BFE24068B61F0C3A53F29BC8"><enum>(1)</enum><text>in section 222(3)(B), by inserting <quote>and the Committee on Oversight and Reform</quote> before <quote>of the House of Representatives</quote>; and</text></paragraph><paragraph id="H4793B02531C049629B89049EB172E8B9"><enum>(2)</enum><text>in section 224—</text><subparagraph id="H64AE285C06B540B483457FCA206CF167"><enum>(A)</enum><text>by amending subsection (c) to read as follows:</text><quoted-block id="H7B815EB7205D488E96045A74721ACA77" style="OLC"><subsection id="H6A951A0B5E7A4FA29626523513EFCB5C"><enum>(c)</enum><header>Improved metrics</header><text>The Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director, shall establish, review, and update metrics to measure the cybersecurity and incident response capabilities of agencies in accordance with the responsibilities of agencies under section 3554 of title 44, United States Code.</text></subsection><after-quoted-block>;</after-quoted-block></quoted-block></subparagraph><subparagraph id="H6A9DD1CDFA4849878527154EEE0C6A68"><enum>(B)</enum><text>by striking subsection (e); and</text></subparagraph><subparagraph id="H3CD65F0E8C4E4258958ECC5B6C518A05"><enum>(C)</enum><text>by redesignating subsection (f) as subsection (e).</text></subparagraph></paragraph></subsection></section></title><title id="H08C8E60A24D94A2FB077C9BA7089E6C1"><enum>III</enum><header>PILOT PROGRAMS TO ENHANCE FEDERAL CYBERSECURITY</header><section id="HF68426EB71404A13B547738812A92BFD"><enum>301.</enum><header>Risk-based budget pilot</header><subsection 
id="H7FC693BAB000434C930CB766958BCD15"><enum>(a)</enum><header>Definitions</header><text>In this section:</text><paragraph id="HBA1A8BAFF26A4FC68A25E779DF12BE5C"><enum>(1)</enum><header>Appropriate congressional committees</header><text>The term <term>appropriate congressional committees</term> means—</text><subparagraph id="HA0587C4107074B75B83E75B1E86F1A09"><enum>(A)</enum><text>the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate; and</text></subparagraph><subparagraph id="H695CD59DD1FC4ACE854F20A5B0BA3761"><enum>(B)</enum><text>the Committee on Homeland Security, the Committee on Oversight and Reform, and the Committee on Appropriations of the House of Representatives.</text></subparagraph></paragraph><paragraph id="H3C4CD12747104843B0E06FBE2A915808"><enum>(2)</enum><header>Information technology</header><text>The term <term>information technology</term>—</text><subparagraph id="H2780F7F222884E479A51CEA327A636BC"><enum>(A)</enum><text>has the meaning given the term in section 11101 of title 40, United States Code; and</text></subparagraph><subparagraph id="HDF4E29EBF3CC4EF88B72416D811161A0"><enum>(B)</enum><text>includes the hardware and software systems of a Federal agency that monitor and control physical equipment and processes of the Federal agency.</text></subparagraph></paragraph><paragraph id="H882D851B6346492692ED2405044FF415"><enum>(3)</enum><header>Risk-based budget</header><text>The term <term>risk-based budget</term> means a budget—</text><subparagraph id="H8788D03527254E52B3DC84346A3853C9"><enum>(A)</enum><text>developed by identifying and prioritizing cybersecurity risks and vulnerabilities, including impact on agency operations in the case of a cyber attack, through analysis of cyber threat intelligence, incident data, and tactics, techniques, procedures, and capabilities of cyber threats; and</text></subparagraph><subparagraph 
id="H432369BB6FA94D94B382759EB320F3D4"><enum>(B)</enum><text>that allocates resources based on the risks identified and prioritized under subparagraph (A).</text></subparagraph></paragraph></subsection><subsection id="HB11DEF05777442E7B42AD49AC2E9CAA3"><enum>(b)</enum><header>Establishment of risk-Based budget pilot</header><paragraph id="H91FEDF5742354AAF929C8B7208CEEB85"><enum>(1)</enum><header>In general</header><subparagraph id="H84FB3F4A7BD44D71968AAF7ED2E01F66"><enum>(A)</enum><header>Model</header><text>Not later than 1 year after the first publication of the budget submitted by the President under section 1105 of title 31, United States Code, following the date of the enactment of this Act, the Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director and in coordination with the Director of the National Institute of Standards and Technology, shall conduct a pilot for creating a risk-based budget for cybersecurity spending.</text></subparagraph><subparagraph id="H2431594DF3754CE39211020175473329"><enum>(B)</enum><header>Contents of pilot</header><text>The pilot required to be developed under this paragraph shall—</text><clause id="H65E52F4A5DB8443C84F60596EB1ECFC8"><enum>(i)</enum><text>consider Federal and non-Federal cyber threat intelligence products, where available, to identify threats, vulnerabilities, and risks;</text></clause><clause id="H205B7535660D416AAA3640715EAA8811"><enum>(ii)</enum><text display-inline="yes-display-inline">consider the impact on agency operations of incidents, including the interconnectivity to other agency systems and the operations of other agencies;</text></clause><clause id="HE9DED6AC63E144AA971AD847939D02B4"><enum>(iii)</enum><text>indicate where resources should be allocated to have the greatest impact on mitigating current and future threats and current and future cybersecurity capabilities;</text></clause><clause 
id="H0E60FD800214489E86475594E5EFD100"><enum>(iv)</enum><text>be used to inform acquisition and sustainment of—</text><subclause id="HDC20081248F04975900F24B08C96D340"><enum>(I)</enum><text>information technology and cybersecurity tools;</text></subclause><subclause id="H47BF86B53DD74E4E99FC60E99D3EEF69"><enum>(II)</enum><text>information technology and cybersecurity architectures;</text></subclause><subclause id="H1D9853C0D8274999A30D7B5E57743A85"><enum>(III)</enum><text>information technology and cybersecurity personnel; and</text></subclause><subclause id="HB1B4BD3EA72B4DE08EDEBFC4B2A3AFCE"><enum>(IV)</enum><text>cybersecurity and information technology concepts of operations; and</text></subclause></clause><clause id="H7E644D72A8404240A85591FEA35A210B"><enum>(v)</enum><text>be used to evaluate and inform government-wide cybersecurity programs of the Department of Homeland Security.</text></clause></subparagraph></paragraph><paragraph id="H6BA9A67BE96A4010BDF8D04610F8195A"><enum>(2)</enum><header>Reports</header><text>Not later than 2 years after the first publication of the budget submitted by the President under section 1105 of title 31, United States Code, following the date of the enactment of this Act, the Director shall submit a report to Congress on the implementation of the pilot for risk-based budgeting for cybersecurity spending, an assessment of agency implementation, and an evaluation of whether the risk-based budget helps to mitigate cybersecurity vulnerabilities.</text></paragraph><paragraph id="H88C2FF1933CB4B05AE8E68517F92B6BF"><enum>(3)</enum><header>GAO report</header><text>Not later than 3 years after the date on which the first budget of the President is submitted to Congress containing the validation required under section 1105(a)(35)(A)(i)(V) of title 31, United States Code, as amended by subsection (c), the Comptroller General of the United States shall submit to the appropriate congressional committees a report that 
includes—</text><subparagraph id="H8DFEBA920E4C4BAEB314C56EB299CF57"><enum>(A)</enum><text>an evaluation of the success of pilot agencies in implementing risk-based budgets;</text></subparagraph><subparagraph id="H10339DE0A2624ABAA558BEA673FFD0BD"><enum>(B)</enum><text>an evaluation of whether the risk-based budgets developed by pilot agencies are effective at informing Federal Government-wide cybersecurity programs; and</text></subparagraph><subparagraph id="H2C313A7353D441E7BC97C83F8F266B19"><enum>(C)</enum><text>any other information relating to risk-based budgets the Comptroller General determines appropriate.</text></subparagraph></paragraph></subsection></section><section id="H09E29A81D876498092795F2409618812"><enum>302.</enum><header>Active cyber defensive study</header><subsection id="HC83E97CA0F884092B86BDF3DBF5A0D08"><enum>(a)</enum><header>Definition</header><text>In this section, the term <term>active defense technique</term> has the meaning given in guidance issued by the Director, in coordination with the Attorney General.</text></subsection><subsection id="H1418500BED704E49B790D94B18F7A89C"><enum>(b)</enum><header>Study</header><text>Not later than 180 days after the date of the enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director and the National Cyber Director, shall perform a study on the use of active defense techniques to enhance the security of agencies, which shall include—</text><paragraph id="HE4E6C6AACD204EDCA574FD19E715C3E6"><enum>(1)</enum><text>a review of legal restrictions on the use of different active cyber defense techniques in Federal environments, in consultation with the Attorney General;</text></paragraph><paragraph id="H4512CDCAED43408C91C87C5402278C3D"><enum>(2)</enum><text>an evaluation of—</text><subparagraph id="H8557F1420115451AA644CD853F546F8B"><enum>(A)</enum><text>the efficacy of a selection of active defense techniques determined by the Director 
of the Cybersecurity and Infrastructure Security Agency; and</text></subparagraph><subparagraph id="HF05B68C5CA584E1EB793D96D4C564B11"><enum>(B)</enum><text>factors that impact the efficacy of the active defense techniques evaluated under subparagraph (A);</text></subparagraph></paragraph><paragraph id="H587BDF87F684417382EA7B1BBDC828B2"><enum>(3)</enum><text>recommendations on safeguards and procedures that shall be established to require that active defense techniques are adequately coordinated to ensure that active defense techniques do not impede agency operations and mission delivery, threat response efforts, criminal investigations, and national security activities, including intelligence collection; and</text></paragraph><paragraph id="H28CE28645B024186B22B5D430537D461"><enum>(4)</enum><text>the development of a framework for the use of different active defense techniques by agencies.</text></paragraph></subsection></section><section id="H1146AAA9774F41D8BEA6B17799D21F86"><enum>303.</enum><header>Security operations center as a service pilot</header><subsection id="H7008B0090A394FCDA4E646FC9207E378"><enum>(a)</enum><header>Purpose</header><text>The purpose of this section is for the Director of the Cybersecurity and Infrastructure Security Agency to run a security operation center on behalf of the head of another agency, alleviating the need to duplicate this function at every agency, and empowering a greater centralized cybersecurity capability.</text></subsection><subsection id="H6EBBB40CCA4C4CFBBFD94ADC0B51598A"><enum>(b)</enum><header>Plan</header><text>Not later than 1 year after the date of the enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall develop a plan to establish a centralized Federal security operations center shared service offering within the Cybersecurity and Infrastructure Security Agency.</text></subsection><subsection 
id="H8F5FF0D8FCA04C0A9486DF4D3E2FF035"><enum>(c)</enum><header>Contents</header><text>The plan required under subsection (b) shall include considerations for—</text><paragraph id="H58780DA2E5A0456ABA01088CFF634B76"><enum>(1)</enum><text>collecting, organizing, and analyzing agency information system data in real time;</text></paragraph><paragraph id="HD61883A599244C5286A2DCD53C6DA952"><enum>(2)</enum><text>staffing and resources; and</text></paragraph><paragraph id="H13459B2C42A2463180D1BDD2F00284B1"><enum>(3)</enum><text>appropriate interagency agreements, concepts of operations, and governance plans.</text></paragraph></subsection><subsection id="HDC5112F48ED6487A9267185A59B5A32D"><enum>(d)</enum><header>Pilot program</header><paragraph id="HE2CEF2E729D945CCBC14A5384C30C3C9"><enum>(1)</enum><header>In general</header><text>Not later than 180 days after the date on which the plan required under subsection (b) is developed, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director of the Office of Management and Budget, shall enter into a 1-year agreement with not less than 2 agencies to offer a security operations center as a shared service.</text></paragraph><paragraph id="HF3EE5627BD4B4AD9AA3D67658CBB4B8E"><enum>(2)</enum><header>Additional agreements</header><text display-inline="yes-display-inline">After the date on which the briefing required under subsection (e)(1) is provided, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director of the Office of Management and Budget, may enter into additional 1-year agreements described in paragraph (1) with agencies.</text></paragraph></subsection><subsection id="H7579F4EFA52945A297C559C2914A1F32"><enum>(e)</enum><header>Briefing and report</header><paragraph id="HCFBFB9BC1AC54116B008410DC5882453"><enum>(1)</enum><header>Briefing</header><text>Not later than 270 days after the date of the enactment of this Act, the Director of 
the Cybersecurity and Infrastructure Security Agency shall provide to appropriate congressional committees a briefing on the parameters of any 1-year agreements entered into under subsection (d)(1).</text></paragraph><paragraph id="HB8FB026A56F84F22B0BF7C682210EA4C"><enum>(2)</enum><header>Report</header><text>Not later than 90 days after the date on which the first 1-year agreement entered into under subsection (d) expires, the Director of the Cybersecurity and Infrastructure Security Agency shall submit to appropriate congressional committees a report on—</text><subparagraph id="HBE1D8AD308704D9095B30FA45E1CB376"><enum>(A)</enum><text>the agreement; and</text></subparagraph><subparagraph id="H4AF4AC21B6374B82BFC0B051066ADBFA"><enum>(B)</enum><text>any additional agreements entered into with agencies under subsection (d).</text></subparagraph></paragraph></subsection></section><section id="H9CB93E1EA9AF4BACAD88D4242AD9EFF7"><enum>304.</enum><header>Endpoint detection and response as a service pilot</header><subsection id="H6FCEE4487AB4474DA73C647EA3EEDB3F"><enum>(a)</enum><header>Purpose</header><text>The Cybersecurity and Infrastructure Security Agency is directed to establish and conduct a pilot to determine the feasibility, value, and efficacy of providing endpoint detection and response capabilities as a shared service to Federal agencies to reduce costs, enhance interoperability, and continuously detect and mitigate threat activity on Federal networks.</text></subsection><subsection id="H5B27CE16268F4190B385964BE6F6BCDD"><enum>(b)</enum><header>Plan</header><text>Not later than 90 days after the date of the enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall develop a plan to establish a centralized endpoint detection and response shared service offering within the Cybersecurity and Infrastructure Security Agency.</text></subsection><subsection 
id="H383127F88CFB4E4A890759EFECB0121F"><enum>(c)</enum><header>Contents</header><text>The plan required under subsection (b) shall include considerations for—</text><paragraph id="H60FDE45F5D9C43A680560310F6E5E161"><enum>(1)</enum><text>understanding and assessing the full extent of endpoints across the Federal civilian environment;</text></paragraph><paragraph id="HD6C652746F3541E48F55F960ABA05306"><enum>(2)</enum><text>maximizing the value of existing agency investments in endpoint detection and response tools and services;</text></paragraph><paragraph id="H0A85E9F4A8A5436F90D6C56EF7EFAC99"><enum>(3)</enum><text>aggregating the available contract vehicles and options that provide agencies with appropriate capability for their environment and architecture;</text></paragraph><paragraph id="H4C1FF13CBC5B4BFEAE725BFA51055FA3"><enum>(4)</enum><text>equipping all endpoints and services of pilot agencies with endpoint detection and response programs;</text></paragraph><paragraph id="H8D83FCB62EFB473EB192E3FCA32789C4"><enum>(5)</enum><text display-inline="yes-display-inline">aggregating network, cloud, and endpoint data from both within the agency and across agencies to provide enterprise-wide monitoring of the network to detect abnormal network behavior and automate defensive capabilities; and</text></paragraph><paragraph id="HD874E19F0D5C405F86358BC25A1C6A84"><enum>(6)</enum><text>appropriate interagency agreements, concepts of operations, and governance plans.</text></paragraph></subsection><subsection id="H26C5B6D6F4474D61BDCE79870152EFE7"><enum>(d)</enum><header>Pilot program</header><paragraph id="H8BABB06DCF19490CAF4F892363B2E860"><enum>(1)</enum><header>In general</header><text>Not later than 180 days after the date on which the plan required under subsection (b) is developed, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, shall enter into a 1-year agreement with not less than 2 agencies to offer endpoint 
detection and response as a shared service.</text></paragraph><paragraph id="H62C445B14692402F95D538C00F33ED03"><enum>(2)</enum><header>Additional agreements</header><text>After the date on which the briefing required under subsection (e)(1) is provided, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, may enter into additional 1-year agreements described in paragraph (1) with agencies.</text></paragraph></subsection><subsection id="H0CA737A9D4574850850640A15C27E039"><enum>(e)</enum><header>Briefing and report</header><paragraph id="H56FAF78AC51E433584C5E8B398023253"><enum>(1)</enum><header>Briefing</header><text>Not later than 270 days after the date of the enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security and the Committee on Oversight and Reform of the House of Representatives a briefing on the parameters of any 1-year agreements entered into under subsection (d)(1).</text></paragraph><paragraph id="HDF5F54A1FF5145A1BC0A4D3724D9F979"><enum>(2)</enum><header>Report</header><text>Not later than 90 days after the date on which the first 1-year agreement entered into under subsection (d) expires, the Director of the Cybersecurity and Infrastructure Security Agency shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security and the Committee on Oversight and Reform of the House of Representatives a report on—</text><subparagraph id="H6FA60D0E942D4A49A26F969D0E747E4A"><enum>(A)</enum><text>the agreement; and</text></subparagraph><subparagraph id="H57EF7F3F9A704D93A94D33E00BEF283B"><enum>(B)</enum><text>any additional agreements entered into with agencies under subsection (d).</text></subparagraph></paragraph></subsection></section></title></legis-body></bill> 

