[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 2902 Introduced in Senate (IS)]

<DOC>






117th CONGRESS
  1st Session
                                S. 2902

  To modernize Federal information security management, and for other 
                               purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           September 29, 2021

Mr. Peters (for himself and Mr. Portman) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
  To modernize Federal information security management, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Information Security 
Modernization Act of 2021''.

SEC. 2. TABLE OF CONTENTS.

    The table of contents for this Act is as follows:

Sec. 1. Short title.
Sec. 2. Table of contents.
Sec. 3. Definitions.
                       TITLE I--UPDATES TO FISMA

Sec. 101. Title 44 amendments.
Sec. 102. Amendments to subtitle III of title 40.
Sec. 103. Actions to enhance Federal incident response.
Sec. 104. Additional guidance to agencies on FISMA updates.
Sec. 105. Agency requirements to notify entities impacted by incidents.
               TITLE II--IMPROVING FEDERAL CYBERSECURITY

Sec. 201. Evaluation of effectiveness of standards.
Sec. 202. Mobile security standards.
Sec. 203. Quantitative cybersecurity metrics.
Sec. 204. Data and logging retention for incident response.
Sec. 205. CISA agency advisors.
Sec. 206. Federal penetration testing policy.
Sec. 207. Ongoing threat hunting program.
Sec. 208. Codifying vulnerability disclosure programs.
Sec. 209. Implementing presumption of compromise and zero trust 
                            architectures.
Sec. 210. Automation reports.
Sec. 211. Extension of Federal Acquisition Security Council.
       TITLE III--PILOT PROGRAMS TO ENHANCE FEDERAL CYBERSECURITY

Sec. 301. Continuous independent FISMA evaluation pilot.
Sec. 302. Active cyber defensive pilot.
Sec. 303. Security operations center as a service pilot.

SEC. 3. DEFINITIONS.

    In this Act, unless otherwise specified:
            (1) Additional cybersecurity procedure.--The term 
        ``additional cybersecurity procedure'' has the meaning given 
        the term in section 3552(b) of title 44, United States Code, as 
        amended by this Act.
            (2) Agency.--The term ``agency'' has the meaning given the 
        term in section 3502 of title 44, United States Code.
            (3) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    (B) the Committee on Oversight and Reform of the 
                House of Representatives; and
                    (C) the Committee on Homeland Security of the House 
                of Representatives.
            (4) Director.--The term ``Director'' means the Director of 
        the Office of Management and Budget.
            (5) Incident.--The term ``incident'' has the meaning given 
        the term in section 3552(b) of title 44, United States Code.
            (6) Penetration test.--The term ``penetration test'' has 
        the meaning given the term in section 3552(b) of title 44, 
        United States Code, as amended by this Act.
            (7) Threat hunting.--The term ``threat hunting'' means 
        proactively and iteratively searching for threats to systems 
        that evade detection by automated threat detection systems.
            (8) Verification specification.--The term ``verification 
        specification'' means a specification developed under section 
        11331(f) of title 40, United States Code, as amended by this 
        Act.

                       TITLE I--UPDATES TO FISMA

SEC. 101. TITLE 44 AMENDMENTS.

    (a) Subchapter I Amendments.--Subchapter I of chapter 35 of title 
44, United States Code, is amended--
            (1) in section 3504--
                    (A) in subsection (a)(1)(B)(v), by striking 
                ``confidentiality, security, disclosure, and sharing of 
                information'' and inserting ``disclosure, sharing of 
                information, and, in consultation with the Director of 
                the Cybersecurity and Infrastructure Security Agency, 
                confidentiality and security'';
                    (B) in subsection (b)(2)(B), by inserting ``in 
                coordination with the Director of the Cybersecurity and 
                Infrastructure Security Agency'' after ``standards for 
                security'';
                    (C) in subsection (g), by striking paragraph (1) 
                and inserting the following:
            ``(1) with respect to information collected or maintained 
        by or for agencies--
                    ``(A) develop and oversee the implementation of 
                policies, principles, standards, and guidelines on 
                privacy, disclosure, and sharing of the information; 
                and
                    ``(B) in consultation with the Director of the 
                Cybersecurity and Infrastructure Security Agency, 
                develop and oversee policies, principles, standards, 
                and guidelines on confidentiality and security of the 
                information; and''; and
                    (D) in subsection (h)(1)--
                            (i) in the matter preceding subparagraph 
                        (A)--
                                    (I) by inserting ``the Director of 
                                the Cybersecurity and Infrastructure 
                                Security Agency,'' before ``the 
                                Director''; and
                                    (II) by inserting a comma before 
                                ``and the Administrator''; and
                            (ii) in subparagraph (A), by inserting 
                        ``security and'' after ``information 
                        technology'';
            (2) in section 3505--
                    (A) in paragraph (3) of the first subsection 
                designated as subsection (c)--
                            (i) in subparagraph (B)--
                                    (I) by inserting ``and the Director 
                                of the Cybersecurity and Infrastructure 
                                Security Agency'' after ``Comptroller 
                                General''; and
                                    (II) by striking ``and'' at the 
                                end;
                            (ii) in subparagraph (C)(v), by striking 
                        the period at the end and inserting ``; and''; 
                        and
                            (iii) by adding at the end the following:
            ``(D) maintained on a continual basis through the use of 
        automation, machine-readable data, and scanning.''; and
                    (B) by striking the second subsection designated as 
                subsection (c);
            (3) in section 3506--
                    (A) in subsection (b)--
                            (i) in paragraph (1)(C), by inserting ``, 
                        availability'' after ``integrity''; and
                            (ii) in paragraph (4), by inserting ``the 
                        Director of the Cybersecurity and 
                        Infrastructure Security Agency,'' after 
                        ``General Services,''; and
                    (B) in subsection (h)(3), by inserting 
                ``security,'' after ``efficiency,'';
            (4) in section 3513--
                    (A) in subsection (a), by inserting ``the Director 
                of the Cybersecurity and Infrastructure Security 
                Agency,'' before ``the Administrator of General 
                Services'';
                    (B) by redesignating subsection (c) as subsection 
                (d); and
                    (C) by inserting after subsection (b) the 
                following:
    ``(c) Each agency providing a written plan under subsection (b) 
shall provide any portion of the written plan addressing information 
security or cybersecurity to the Director of the Cybersecurity and 
Infrastructure Security Agency.''; and
            (5) in section 3520A(b)--
                    (A) in paragraph (1), by striking ``, protection'';
                    (B) by redesignating paragraphs (2), (3), (4), and 
                (5) as paragraphs (3), (4), (5), and (6), respectively; 
                and
                    (C) by inserting after paragraph (1) the following:
            ``(2) in consultation with the Director of the 
        Cybersecurity and Infrastructure Security Agency, establish 
        Governmentwide best practices for the protection of data;''.
    (b) Subchapter II Definitions.--
            (1) In general.--Section 3552(b) of title 44, United States 
        Code, is amended--
                    (A) by redesignating paragraphs (1), (2), (3), (4), 
                (5), (6), and (7) as paragraphs (2), (3), (4), (5), 
                (6), (9), and (11), respectively;
                    (B) by inserting before paragraph (2), as so 
                redesignated, the following:
            ``(1) The term `additional cybersecurity procedure' means a 
        process, procedure, or other activity that is established in 
        excess of the information security standards promulgated under 
        section 11331(b) of title 40 to increase the security and 
        reduce the cybersecurity risk of agency systems, such as 
        continuous threat hunting, increased network segmentation, 
        endpoint detection and response, or persistent penetration 
        testing.'';
                    (C) by inserting after paragraph (6), as so 
                redesignated, the following:
            ``(7) The term `high value asset' means information or an 
        information system that the head of an agency determines so 
        critical to the agency that the loss or corruption of the 
        information or the loss of access to the information system 
        would have a serious impact on the ability of the agency to 
        perform the mission of the agency or conduct business.
            ``(8) The term `major incident' has the meaning given the 
        term in guidance issued by the Director under section 
        3598(a).'';
                    (D) by inserting after paragraph (9), as so 
                redesignated, the following:
            ``(10) The term `penetration test' means a specialized type 
        of assessment that--
                    ``(A) is conducted on an information system or a 
                component of an information system; and
                    ``(B) emulates an attack or other exploitation 
                capability of a potential adversary, typically under 
                specific constraints, in order to identify any 
                vulnerabilities of an information system or a component 
                of an information system that could be exploited.''; 
                and
                    (E) by inserting after paragraph (11), as so 
                redesignated, the following:
            ``(12) The term `shared service' means a business or 
        mission function that is provided for use by multiple 
        organizations within or between agencies.
            ``(13) The term `verification specification' means a 
        specification developed under section 11331(f) of title 40.''.
            (2) Conforming amendments.--
                    (A) Homeland security act of 2002.--Section 
                1001(c)(1)(A) of the Homeland Security Act of 2002 (6 
                U.S.C. 511(1)(A)) is amended by striking ``section 
                3552(b)(5)'' and inserting ``section 3552(b)''.
                    (B) Title 10.--
                            (i) Section 2222.--Section 2222(i)(8) of 
                        title 10, United States Code, is amended by 
                        striking ``section 3552(b)(6)(A)'' and 
                        inserting ``section 3552(b)(9)(A)''.
                            (ii) Section 2223.--Section 2223(c)(3) of 
                        title 10, United States Code, is amended by 
                        striking ``section 3552(b)(6)'' and inserting 
                        ``section 3552(b)''.
                            (iii) Section 2315.--Section 2315 of title 
                        10, United States Code, is amended by striking 
                        ``section 3552(b)(6)'' and inserting ``section 
                        3552(b)''.
                            (iv) Section 2339a.--Section 2339a(e)(5) of 
                        title 10, United States Code, is amended by 
                        striking ``section 3552(b)(6)'' and inserting 
                        ``section 3552(b)''.
                    (C) High-performance computing act of 1991.--
                Section 207(a) of the High-Performance Computing Act of 
                1991 (15 U.S.C. 5527(a)) is amended by striking 
                ``section 3552(b)(6)(A)(i)'' and inserting ``section 
                3552(b)(9)(A)(i)''.
                    (D) Internet of things cybersecurity improvement 
                act of 2020.--Section 3(5) of the Internet of Things 
                Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-
                3a) is amended by striking ``section 3552(b)(6)'' and 
                inserting ``section 3552(b)''.
                    (E) National defense authorization act for fiscal 
                year 2013.--Section 933(e)(1)(B) of the National 
                Defense Authorization Act for Fiscal Year 2013 (10 
                U.S.C. 2224 note) is amended by striking ``section 
                3542(b)(2)'' and inserting ``section 3552(b)''.
                    (F) Ike skelton national defense authorization act 
                for fiscal year 2011.--The Ike Skelton National Defense 
                Authorization Act for Fiscal Year 2011 (Public Law 111-
                383) is amended--
                            (i) in section 806(e)(5) (10 U.S.C. 2304 
                        note), by striking ``section 3542(b)'' and 
                        inserting ``section 3552(b)'';
                            (ii) in section 931(b)(3) (10 U.S.C. 2223 
                        note), by striking ``section 3542(b)(2)'' and 
                        inserting ``section 3552(b)''; and
                            (iii) in section 932(b)(2) (10 U.S.C. 2224 
                        note), by striking ``section 3542(b)(2)'' and 
                        inserting ``section 3552(b)''.
                    (G) E-government act of 2002.--Section 301(c)(1)(A) 
                of the E-Government Act of 2002 (44 U.S.C. 3501 note) 
                is amended by striking ``section 3542(b)(2)'' and 
                inserting ``section 3552(b)''.
                    (H) National institute of standards and technology 
                act.--Section 20 of the National Institute of Standards 
                and Technology Act (15 U.S.C. 278g-3) is amended--
                            (i) in subsection (a)(2), by striking 
                        ``section 3552(b)(5)'' and inserting ``section 
                        3552(b)''; and
                            (ii) in subsection (f)--
                                    (I) in paragraph (3), by striking 
                                ``section 3532(1)'' and inserting 
                                ``section 3552(b)''; and
                                    (II) in paragraph (5), by striking 
                                ``section 3532(b)(2)'' and inserting 
                                ``section 3552(b)''.
    (c) Subchapter II Amendments.--Subchapter II of chapter 35 of title 
44, United States Code, is amended--
            (1) in section 3551--
                    (A) by redesignating paragraphs (3), (4), (5), and 
                (6) as paragraphs (4), (5), (6), and (7), respectively;
                    (B) by inserting after paragraph (2) the following:
            ``(3) recognize the role of the Cybersecurity and 
        Infrastructure Security Agency as the lead cybersecurity entity 
        for operational coordination across the Federal Government;'';
                    (C) in paragraph (5), as so redesignated, by 
                striking ``diagnose and improve'' and inserting 
                ``integrate, deliver, diagnose, and improve'';
                    (D) in paragraph (6), as so redesignated, by 
                striking ``and'' at the end; and
                    (E) by adding at the end the following:
            ``(8) recognize that each agency has specific mission 
        requirements and, at times, unique cybersecurity requirements 
        to meet the mission of the agency;
            ``(9) recognize that each agency does not have the same 
        resources to secure agency systems, and an agency should not be 
        expected to have the capability to secure the systems of the 
        agency from advanced adversaries alone; and
            ``(10) recognize that--
                    ``(A) a holistic Federal cybersecurity model is 
                necessary to account for differences between the 
                missions and capabilities of agencies; and
                    ``(B) in accounting for the differences described 
                in subparagraph (A) and ensuring overall Federal 
                cybersecurity--
                            ``(i) the Office of Management and Budget 
                        is the leader for policy development and 
                        oversight of Federal cybersecurity;
                            ``(ii) the Cybersecurity and Infrastructure 
                        Security Agency is the leader for implementing 
                        operations at agencies; and
                            ``(iii) the National Cyber Director is 
                        responsible for developing the overall 
                        cybersecurity strategy of the United States and 
                        advising the President on matters relating to 
                        cybersecurity.'';
            (2) in section 3553, as amended by section 1705 of the 
        William M. (Mac) Thornberry National Defense Authorization Act 
        for Fiscal Year 2021 (Public Law 116-283)--
                    (A) in subsection (a)--
                            (i) in paragraph (1)--
                                    (I) by striking ``developing and'' 
                                and inserting ``in coordination with 
                                the Director of the Cybersecurity and 
                                Infrastructure Security Agency,''; and
                                    (II) by inserting ``and associated 
                                verification specifications'' before 
                                ``promulgated''; and
                            (ii) in paragraph (5), by inserting ``, in 
                        coordination with the Director of the 
                        Cybersecurity and Infrastructure Security 
                        Agency,'' before ``agency compliance'';
                    (B) in subsection (b)--
                            (i) by striking the subsection heading and 
                        inserting ``Cybersecurity and Infrastructure 
                        Security Agency'';
                            (ii) in the matter preceding paragraph (1), 
                        by striking ``the Secretary'' and inserting 
                        ``the Director of the Cybersecurity and 
                        Infrastructure Security Agency'';
                            (iii) in paragraph (2)--
                                    (I) in subparagraph (A), by 
                                inserting ``and reporting requirements 
                                under subchapter IV of this title'' 
                                after ``section 3556''; and
                                    (II) in subparagraph (D), by 
                                striking ``the Director or Secretary'' 
                                and inserting ``the Director of the 
                                Cybersecurity and Infrastructure 
                                Security Agency'';
                            (iv) in paragraph (5), by striking 
                        ``coordinating'' and inserting ``leading the 
                        coordination of'';
                            (v) in paragraph (6)--
                                    (I) in the matter preceding 
                                subparagraph (A), by inserting ``and 
                                verification specifications'' before 
                                ``promulgated under'';
                                    (II) in subparagraph (C), by 
                                striking ``and'' at the end;
                                    (III) in subparagraph (D), by 
                                adding ``and'' at the end; and
                                    (IV) by adding at the end the 
                                following:
                    ``(E) taking any other action that the Director of 
                the Cybersecurity and Infrastructure Security Agency, 
                in consultation with the Director--
                            ``(i) may determine necessary; and
                            ``(ii) is authorized to perform;'';
                            (vi) in paragraph (8), by striking ``the 
                        Secretary's discretion'' and inserting ``the 
                        Director of the Cybersecurity and 
                        Infrastructure Security Agency's discretion''; 
                        and
                            (vii) in paragraph (9), by striking ``as 
                        the Director or the Secretary, in consultation 
                        with the Director,'' and inserting ``as the 
                        Director of the Cybersecurity and 
                        Infrastructure Security Agency'';
                    (C) in subsection (c)--
                            (i) in paragraph (4), by striking ``and'' 
                        at the end;
                            (ii) by redesignating paragraph (5) as 
                        paragraph (7); and
                            (iii) by inserting after paragraph (4) the 
                        following:
            ``(5) an assessment of agency use of automated verification 
        of standards for the standards promulgated under section 11331 
        of title 40 using verification specifications;
            ``(6) a summary of each assessment of Federal risk posture 
        performed under subsection (i); and'';
                    (D) in subsection (f)(2)(B), by striking ``conflict 
                with'' and inserting ``reduce the security posture of 
                agencies established under'';
                    (E) by redesignating subsections (i), (j), (k), and 
                (l) as subsections (j), (k), (l), and (m) respectively;
                    (F) by inserting after subsection (h) the 
                following:
    ``(i) Federal Risk Assessments.--The Director of the Cybersecurity 
and Infrastructure Security Agency, in coordination with the Director, 
shall perform, on an ongoing and continuous basis, assessments of 
Federal risk posture using any available information on the 
cybersecurity posture of agencies, including--
            ``(1) the status of agency cybersecurity remedial actions 
        described in section 3554(b)(7);
            ``(2) any vulnerability information relating to the systems 
        of an agency that is known by the agency;
            ``(3) analysis of incident information under section 3597;
            ``(4) evaluation of penetration testing performed under 
        section 3559A;
            ``(5) evaluation of vulnerability disclosure program 
        information under section 3559B;
            ``(6) evaluation of agency threat hunting results;
            ``(7) evaluation of Federal and non-Federal threat 
        intelligence;
            ``(8) data on compliance with standards issued under 
        section 11331 of title 40 that, when appropriate, uses 
        verification specifications;
            ``(9) agency system risk assessments performed under 
        section 3554(a)(1)(A); and
            ``(10) any other information the Secretary determines 
        relevant.''; and
                    (G) in subsection (j), as so redesignated--
                            (i) by striking ``regarding the specific'' 
                        and inserting ``that includes a summary of--
            ``(1) the specific'';
                            (ii) in paragraph (1), as so designated, by 
                        striking the period at the end and inserting 
                        ``; and''; and
                            (iii) by adding at the end the following:
            ``(2) the trends identified in the Federal risk assessment 
        performed under subsection (i).'';
            (3) in section 3554--
                    (A) in subsection (a)--
                            (i) in paragraph (1)--
                                    (I) by redesignating subparagraphs 
                                (A), (B), and (C) as subparagraphs (B), 
                                (C), and (D), respectively;
                                    (II) by inserting before 
                                subparagraph (B), as so redesignated, 
                                the following:
                    ``(A) performing, not less frequently than once 
                every 2 years or based on a significant change to 
                system architecture or security posture, an agency 
                system risk assessment that--
                            ``(i) identifies and documents the high 
                        value assets of the agency using guidance from 
                        the Director;
                            ``(ii) evaluates the data assets 
                        inventoried under section 3511 of title 44 for 
                        sensitivity to compromises in confidentiality, 
                        integrity, and availability;
                            ``(iii) identifies agency systems that have 
                        access to or hold the data assets inventoried 
                        under section 3511 of title 44;
                            ``(iv) evaluates the threats facing agency 
                        systems and data, including high value assets, 
                        based on Federal and non-Federal cyber threat 
                        intelligence products, where available;
                            ``(v) evaluates the vulnerability of agency 
                        systems and data, including high value assets, 
                        based on--
                                    ``(I) the results of penetration 
                                testing performed by the Department of 
                                Homeland Security under section 
                                3553(b)(9);
                                    ``(II) the results of penetration 
                                testing performed under section 3559A;
                                    ``(III) information provided to the 
                                agency through the vulnerability 
                                disclosure program of the agency under 
                                section 3559B;
                                    ``(IV) incidents; and
                                    ``(V) any other vulnerability 
                                information relating to agency systems 
                                that is known to the agency;
                            ``(vi) assesses the impacts of potential 
                        agency incidents to agency systems, data, and 
                        operations based on the evaluations described 
                        in clauses (ii) and (iv) and the agency systems 
                        identified under clause (iii); and
                            ``(vii) assesses the consequences of 
                        potential incidents occurring on agency systems 
                        that would impact systems at other agencies, 
                        including due to interconnectivity between 
                        different agency systems or operational 
                        reliance on the operations of the system or 
                        data in the system;'';
                                    (III) in subparagraph (B), as so 
                                redesignated--
                                            (aa) in the matter 
                                        preceding clause (i), by 
                                        striking ``providing 
                                        information'' and inserting 
                                        ``using information from the 
                                        assessment conducted under 
                                        subparagraph (A), providing, in 
                                        coordination with the Director 
                                        of the Cybersecurity and 
                                        Infrastructure Security Agency, 
                                        information'';
                                            (bb) in clause (i), by 
                                        striking ``and'' at the end;
                                            (cc) in clause (ii), by 
                                        adding ``and'' at the end; and
                                            (dd) by adding at the end 
                                        the following:
                            ``(iii) in consultation with the Director 
                        and the Director of the Cybersecurity and 
                        Infrastructure Security Agency, information or 
                        information systems used by agencies through 
                        shared services, memoranda of understanding, or 
                        other agreements;'';
                                    (IV) in subparagraph (C), as so 
                                redesignated--
                                            (aa) in clause (ii) by 
                                        inserting ``binding'' before 
                                        ``operational''; and
                                            (bb) in clause (vi), by 
                                        striking ``and'' at the end; 
                                        and
                                    (V) by adding at the end the 
                                following:
                    ``(E) not later than 30 days after the date on 
                which an agency system risk assessment is performed 
                under subparagraph (A), providing the assessment to--
                            ``(i) the Director;
                            ``(ii) the Director of the Cybersecurity 
                        and Infrastructure Security Agency; and
                            ``(iii) the National Cyber Director;
                    ``(F) in consultation with the Director of the 
                Cybersecurity and Infrastructure Security Agency and 
                not less frequently than annually, performing an 
                evaluation of whether additional cybersecurity 
                procedures are appropriate for securing a system of, or 
                under the supervision of, the agency, which shall--
                            ``(i) be completed considering the agency 
                        system risk assessment performed under 
                        subparagraph (A); and
                            ``(ii) include a specific evaluation for 
                        high value assets; and
                    ``(G) not later than 30 days after completing the 
                evaluation performed under subparagraph (F), providing 
                the evaluation and an implementation plan for using 
                additional cybersecurity procedures determined to be 
                appropriate to--
                            ``(i) the Director of the Cybersecurity and 
                        Infrastructure Security Agency;
                            ``(ii) the Director; and
                            ``(iii) the National Cyber Director.'';
                            (ii) in paragraph (2)--
                                    (I) in subparagraph (A), by 
                                inserting ``in accordance with the 
                                agency system risk assessment performed 
                                under paragraph (1)(A)'' after 
                                ``information systems'';
                                    (II) in subparagraph (B)--
                                            (aa) by striking ``in 
                                        accordance with standards'' and 
                                        inserting ``in accordance 
                                        with--
                            ``(i) standards''; and
                                            (bb) by adding at the end 
                                        the following:
                            ``(ii) the evaluation performed under 
                        paragraph (1)(F); and
                            ``(iii) the implementation plan described 
                        in paragraph (1)(G);''; and
                                    (III) in subparagraph (D), by 
                                inserting ``, through the use of 
                                penetration testing, the vulnerability 
                                disclosure program established under 
                                section 3559B, and other means,'' after 
                                ``periodically'';
                            (iii) in paragraph (3)--
                                    (I) in subparagraph (B), by 
                                inserting ``, in coordination with the 
                                Director of the Cybersecurity and 
                                Infrastructure Security Agency,'' after 
                                ``maintaining'';
                                    (II) in subparagraph (D), by 
                                striking ``and'' at the end;
                                    (III) in subparagraph (E), by 
                                adding ``and'' at the end; and
                                    (IV) by adding at the end the 
                                following:
                    ``(F) implementing mechanisms for using 
                verification specifications, or alternate verification 
                specifications validated by the Director of the 
                Cybersecurity and Infrastructure Security Agency, in 
                consultation with the Director of the National 
                Institute of Standards and Technology, to automatically 
                verify the implementation of standards of agency 
                systems promulgated under section 11331 of title 40 or 
                any additional cybersecurity procedures, as 
                applicable;''; and
                            (iv) in paragraph (5), by inserting ``and 
                        the Director of the Cybersecurity and 
                        Infrastructure Security Agency'' before ``on 
                        the effectiveness'';
                    (B) in subsection (b)--
                            (i) by striking paragraph (1) and inserting 
                        the following:
            ``(1) pursuant to subsection (a)(1)(A), performing an 
        agency system risk assessment, which shall include using 
        automated tools consistent with standards, verification 
        specifications, and guidelines promulgated under section 11331 
        of title 40, as applicable;'';
                            (ii) in paragraph (2)(D)--
                                    (I) by redesignating clauses (iii) 
                                and (iv) as clauses (iv) and (v), 
                                respectively;
                                    (II) by inserting after clause (ii) 
                                the following:
                            ``(iii) binding operational directives and 
                        emergency directives promulgated by the 
                        Director of the Cybersecurity and 
                        Infrastructure Security Agency under section 
                        3553 of title 44;''; and
                                    (III) in clause (iv), as so 
                                redesignated, by striking ``as 
                                determined by the agency; and'' and 
                                inserting ``as determined by the 
                                agency--
                                    ``(I) in coordination with the 
                                Director of the Cybersecurity and 
                                Infrastructure Security Agency; and
                                    ``(II) in consideration of--
                                            ``(aa) the agency risk 
                                        assessment performed under 
                                        subsection (a)(1)(A); and
                                            ``(bb) the determinations 
                                        of applying more stringent 
                                        standards and additional 
                                        cybersecurity procedures 
                                        pursuant to section 11331(c)(1) 
                                        of title 40; and'';
                            (iii) in paragraph (5)--
                                    (I) in subparagraph (A), by 
                                inserting ``, including penetration 
                                testing, as appropriate,'' after 
                                ``shall include testing''; and
                                    (II) in subparagraph (C), by 
                                inserting ``, verification 
                                specifications,'' after ``with 
                                standards'';
                            (iv) in paragraph (6), by striking 
                        ``planning, implementing, evaluating, and 
                        documenting'' and inserting ``planning and 
                        implementing and, in consultation with the 
                        Director of the Cybersecurity and 
                        Infrastructure Security Agency, evaluating and 
                        documenting'';
                            (v) by redesignating paragraphs (7) and (8) 
                        as paragraphs (9) and (10), respectively;
                            (vi) by inserting after paragraph (6) the 
                        following:
            ``(7) a process for providing the status of every remedial 
        action and known system vulnerability to the Director and the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, using automation and machine-readable data to the 
        greatest extent practicable;
            ``(8) a process for providing the verification of the 
        implementation of standards promulgated under section 11331 of 
        title 40 using verification specifications, automation, and 
        machine-readable data, to the Director and the Director of the 
        Cybersecurity and Infrastructure Security Agency;''; and
                            (vii) in paragraph (9)(C), as so 
                        redesignated--
                                    (I) by striking clause (ii) and 
                                inserting the following:
                            ``(ii) notifying and consulting with the 
                        Federal information security incident center 
                        established under section 3556 pursuant to the 
                        requirements of section 3594;'';
                                    (II) by redesignating clause (iii) 
                                as clause (iv);
                                    (III) by inserting after clause 
                                (ii) the following:
                            ``(iii) performing the notifications and 
                        other activities required under subchapter IV 
                        of this title; and''; and
                                    (IV) in clause (iv), as so 
                                redesignated--
                                            (aa) in subclause (I), by 
                                        striking ``and relevant Offices 
                                        of Inspector General'';
                                            (bb) in subclause (II), by 
                                        adding ``and'' at the end;
                                            (cc) by striking subclause 
                                        (III); and
                                            (dd) by redesignating 
                                        subclause (IV) as subclause 
                                        (III);
                    (C) in subsection (c)--
                            (i) in paragraph (1)--
                                    (I) in subparagraph (A)--
                                            (aa) in the matter 
                                        preceding clause (i), by 
                                        striking ``on the adequacy and 
                                        effectiveness of information 
                                        security policies, procedures, 
                                        and practices, including'' and 
                                        inserting ``that includes''; 
                                        and
                                            (bb) in clause (ii), by 
                                        inserting ``unless the Director 
                                        issues a waiver to the agency 
                                        under subparagraph (B)(iii),'' 
                                        before ``the total number''; 
                                        and
                                    (II) by striking subparagraph (B) 
                                and inserting the following:
                    ``(B) Incident reporting waiver.--
                            ``(i) Certification of agency information 
                        sharing.--If the Director, in consultation with 
                        the Director of the Cybersecurity and 
                        Infrastructure Security Agency, determines that 
                        an agency shares any information relating to 
                        any incident pursuant to section 3594(a), the 
                        Director shall certify that the agency is in 
                        compliance with that section.
                            ``(ii) Certification of issuing report.--If 
                        the Director determines that the Director of 
                        the Cybersecurity and Infrastructure Security 
                        Agency uses the information described in clause 
                        (i) with respect to a particular agency to 
                        submit to Congress an annex required under 
                        section 3597(c)(3) for that agency, the 
                        Director shall certify that the Cybersecurity 
                        and Infrastructure Security Agency is in 
                        compliance with that section with respect to 
                        that agency.
                            ``(iii) Waiver.--The Director may waive the 
                        reporting requirement with respect to the 
                        information required to be included in the 
                        report under subparagraph (A)(ii) for a 
                        particular agency if--
                                    ``(I) the Director has issued a 
                                certification for the agency under 
                                clause (i); and
                                    ``(II) the Director has issued a 
                                certification with respect to the annex 
                                of the agency under clause (ii).
                            ``(iv) Revocation of waiver or 
                        certifications.--
                                    ``(I) Waiver.--If, at any time, the 
                                Director determines that the Director 
                                of the Cybersecurity and Infrastructure 
                                Security Agency cannot submit to 
                                Congress an annex for a particular 
                                agency under section 3597(c)(3)--
                                            ``(aa) any waiver 
                                        previously issued under clause 
                                        (iii) with respect to that 
                                        agency shall be considered 
                                        void; and
                                            ``(bb) the Director shall 
                                        revoke the certification for 
                                        the annex of that agency under 
                                        clause (ii).
                                    ``(II) Certifications.--If, at any 
                                time, the Director determines that an 
                                agency has not provided to the Director 
                                of the Cybersecurity and Infrastructure 
                                Security Agency the totality of 
                                incident information required under 
                                section 3594(a)--
                                            ``(aa) any waiver 
                                        previously issued under clause 
                                        (iii) with respect to that 
                                        agency shall be considered 
                                        void; and
                                            ``(bb) the Director shall 
                                        revoke the certification for 
                                        that agency under clause (i).
                                    ``(III) Reissuance.--If the 
                                Director revokes a waiver under this 
                                clause, the Director may issue a 
                                subsequent waiver if the Director 
                                issues new certifications under clauses 
                                (i) and (ii).'';
                            (ii) by redesignating paragraphs (2) 
                        through (5) as paragraphs (4) through (7), 
                        respectively; and
                            (iii) by inserting after paragraph (1) the 
                        following:
            ``(2) Biannual report.--Not later than 180 days after the 
        date on which an agency completes an agency system risk 
        assessment under subsection (a)(1)(A) and not less frequently 
        than every 2 years, each agency shall submit to the Director, 
        the Secretary, the Committee on Homeland Security and 
        Governmental Affairs of the Senate, the Committee on Oversight 
        and Reform of the House of Representatives, the Committee on 
        Homeland Security of the House of Representatives, the 
        appropriate authorization and appropriations committees of 
        Congress, the National Cyber Director, and the Comptroller 
        General of the United States a report that--
                    ``(A) summarizes the agency system risk assessment 
                performed under subsection (a)(1)(A);
                    ``(B) evaluates the adequacy and effectiveness of 
                information security policies, procedures, and 
                practices of the agency to address the risks identified 
                in the system risk assessment performed under 
                subsection (a)(1)(A); and
                    ``(C) summarizes the evaluations and implementation 
                plans described in subparagraphs (F) and (G) of 
                subsection (a)(1) and whether those evaluations and 
                implementation plans call for the use of additional 
                cybersecurity procedures determined to be appropriate 
                by the agency.
            ``(3) Unclassified reports.--Each report submitted under 
        paragraphs (1) and (2)--
                    ``(A) shall be, to the greatest extent practicable, 
                in an unclassified and otherwise uncontrolled form; and
                    ``(B) may include a classified annex.''; and
                    (D) in subsection (d)(1), in the matter preceding 
                subparagraph (A), by inserting ``and the Director of 
                the Cybersecurity and Infrastructure Security Agency'' 
                after ``the Director'';
            (4) in section 3555--
                    (A) in subsection (a)(2)(A), by inserting ``, 
                including by penetration testing and analyzing the 
                vulnerability disclosure program of the agency'' after 
                ``information systems'';
                    (B) by striking subsection (f) and inserting the 
                following:
    ``(f) Protection of Information.--(1) Agencies and evaluators shall 
take appropriate steps to ensure the protection of information which, 
if disclosed, may adversely affect information security.
    ``(2) The protections required under paragraph (1) shall be 
commensurate with the risk and comply with all applicable laws and 
regulations.
    ``(3) With respect to information that is not related to national 
security systems, agencies and evaluators shall make a summary of the 
information unclassified and publicly available, including information 
that does not identify--
            ``(A) specific information system incidents; or
            ``(B) specific information system vulnerabilities.'';
                    (C) in subsection (g)(2)--
                            (i) by striking ``this subsection shall'' 
                        and inserting ``this subsection--
            ``(A) shall'';
                            (ii) in subparagraph (A), as so designated, 
                        by striking the period at the end and inserting 
                        ``; and''; and
                            (iii) by adding at the end the following:
            ``(B) identify any entity that performs an independent 
        audit under subsection (b).''; and
                    (D) in subsection (j), by striking ``the 
                Secretary'' and inserting ``the Director of the Cyber 
                Security and Infrastructure Security Agency''; and
            (5) in section 3556(a)--
                    (A) in the matter preceding paragraph (1), by 
                inserting ``within the Cybersecurity and Infrastructure 
                Security Agency'' after ``incident center''; and
                    (B) in paragraph (4), by striking ``3554(b)'' and 
                inserting ``3554(a)(1)(A)''.
    (d) Federal System Incident Response.--
            (1) In general.--Chapter 35 of title 44, United States 
        Code, is amended by adding at the end the following:

           ``SUBCHAPTER IV--FEDERAL SYSTEM INCIDENT RESPONSE

``Sec. 3591. Definitions
    ``(a) In General.--Except as provided in subsection (b), the 
definitions under sections 3502 and 3552 shall apply to this 
subchapter.
    ``(b) Additional Definitions.--As used in this subchapter:
            ``(1) Appropriate notification entities.--The term 
        `appropriate notification entities' means--
                    ``(A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    ``(B) the Committee on Oversight and Reform of the 
                House of Representatives;
                    ``(C) the Committee on Homeland Security of the 
                House of Representatives;
                    ``(D) the appropriate authorization and 
                appropriations committees of Congress;
                    ``(E) the Director;
                    ``(F) the Director of the Cybersecurity and 
                Infrastructure Security Agency;
                    ``(G) the National Cyber Director; and
                    ``(H) the Comptroller General of the United States.
            ``(2) Contractor.--The term `contractor'--
                    ``(A) means any person or business that collects or 
                maintains information that includes personally 
                identifiable information or sensitive personal 
                information on behalf of an agency; and
                    ``(B) includes any subcontractor of a person or 
                business described in subparagraph (A).
            ``(3) Intelligence community.--The term `intelligence 
        community' has the meaning given the term in section 3 of the 
        National Security Act of 1947 (50 U.S.C. 3003).
            ``(4) Nationwide consumer reporting agency.--The term 
        `nationwide consumer reporting agency' means a consumer 
        reporting agency described in section 603(p) of the Fair Credit 
        Reporting Act (15 U.S.C. 1681a(p)).
            ``(5) Vulnerability disclosure.--The term `vulnerability 
        disclosure' means a vulnerability identified under section 
        3559B.
``Sec. 3592. Notification of high risk exposure after major incident
    ``(a) Notification.--As expeditiously as practicable and without 
unreasonable delay, and in any case not later than 30 days after an 
agency has a reasonable basis to conclude that a major incident has 
occurred due to a high risk exposure of personal identifiable 
information, as described in section 3598(c)(2), the head of the agency 
shall provide notice of the major incident in accordance with 
subsection (b) in writing to the last known home mailing address of 
each individual whom the major incident may have impacted.
    ``(b) Contents of Notice.--Each notice to an individual required 
under subsection (a) shall include--
            ``(1) a description of the rationale for the determination 
        that the major incident resulted in a high risk of exposure of 
        the personal information of the individual;
            ``(2) an assessment of the type of risk the individual may 
        face as a result of an exposure;
            ``(3) contact information for the Federal Bureau of 
        Investigation or other appropriate entity;
            ``(4) the contact information of each nationwide consumer 
        reporting agency;
            ``(5) the contact information for questions to the agency, 
        including a telephone number, e-mail address, and website;
            ``(6) information on any remedy being offered by the 
        agency;
            ``(7) consolidated Federal Government recommendations on 
        what to do in the event of a major incident; and
            ``(8) any other appropriate information as determined by 
        the head of the agency.
    ``(c) Delay of Notification.--
            ``(1) In general.--The Attorney General, the Director of 
        National Intelligence, or the Secretary of Homeland Security 
        may impose a delay of a notification required under subsection 
        (a) if the notification would disrupt a law enforcement 
        investigation, endanger national security, or hamper security 
        remediation actions.
            ``(2) Documentation.--
                    ``(A) In general.--Any delay under paragraph (1) 
                shall be reported in writing to the head of the agency, 
                the Director, the Director of the Cybersecurity and 
                Infrastructure Security Agency, and the Office of 
                Inspector General of the agency that experienced the 
                major incident.
                    ``(B) Contents.--A statement required under 
                subparagraph (A) shall include a written statement from 
                the entity that delayed the notification explaining the 
                need for the delay.
                    ``(C) Form.--The statement required under 
                subparagraph (A) shall be unclassified, but may include 
                a classified annex.
            ``(3) Renewal.--A delay under paragraph (1) shall be for a 
        period of 2 months and may be renewed.
    ``(d) Update Notification.--If an agency determines there is a 
change in the reasonable basis to conclude that a major incident 
occurred, or that there is a change in the details of the information 
provided to impacted individuals as described in subsection (b), the 
agency shall as expeditiously as practicable and without unreasonable 
delay, and in any case not later than 30 days after such a 
determination, notify all such individuals who received a notification 
pursuant to subsection (a) of those changes.
    ``(e) Rule of Construction.--Nothing in this section shall be 
construed to limit--
            ``(1) the Director from issuing guidance regarding 
        notifications or the head of an agency from sending 
        notifications to individuals impacted by incidents not 
        determined to be major incidents; or
            ``(2) the Director from issuing guidance regarding 
        notifications of major incidents or the head of an agency from 
        issuing notifications to individuals impacted by major 
        incidents that contain more information than described in 
        subsection (b).
``Sec. 3593. Congressional notifications and reports
    ``(a) Initial Report.--
            ``(1) In general.--Not later than 5 days after the date on 
        which an agency has a reasonable basis to conclude that a major 
        incident occurred, the head of the agency shall submit a 
        written notification and, to the extent practicable, provide a 
        briefing, to the appropriate notification entities, taking into 
        account--
                    ``(A) the information known at the time of the 
                notification;
                    ``(B) the sensitivity of the details associated 
                with the major incident; and
                    ``(C) the classification level of the information 
                contained in the notification.
            ``(2) Contents.--A notification required under paragraph 
        (1) shall include--
                    ``(A) a summary of the information available about 
                the major incident, including how the major incident 
                occurred, based on information available to agency 
                officials as of the date on which the agency submits 
                the report;
                    ``(B) if applicable, an estimate of the number of 
                individuals impacted by the major incident, including 
                an assessment of the risk level to impacted individuals 
                based on the guidance promulgated under section 
                3598(c)(1) and any information available to agency 
                officials on the date on which the agency submits the 
                report;
                    ``(C) if applicable, a description and any 
                associated documentation of any circumstances 
                necessitating a delay in or exemption to notification 
                granted under subsection (c) or (d) of section 3592; 
                and
                    ``(D) if applicable, an assessment of the impacts 
                to the agency, the Federal Government, or the security 
                of the United States, based on information available to 
                agency officials on the date on which the agency 
                submits the report.
    ``(b) Supplemental Report.--Within a reasonable amount of time, but 
not later than 45 days after the date on which additional information 
relating to a major incident for which an agency submitted a written 
notification under subsection (a) is discovered by the agency, the head 
of the agency shall submit to the appropriate notification entities 
updates to the written notification that include summaries of--
            ``(1) the threats and threat actors, vulnerabilities, means 
        by which the major incident occurred, and impacts to the agency 
        relating to the major incident;
            ``(2) any risk assessment and subsequent risk-based 
        security implementation of the affected information system 
        before the date on which the major incident occurred;
            ``(3) the status of compliance of the affected information 
        system with applicable security requirements at the time of the 
        major incident;
            ``(4) an estimate of the number of individuals affected by 
        the major incident based on information available to agency 
        officials as of the date on which the agency submits the 
        update;
            ``(5) an update to the assessment of the risk of harm to 
        impacted individuals affected by the major incident based on 
        information available to agency officials as of the date on 
        which the agency submits the update;
            ``(6) an update to the assessment of the risk to agency 
        operations, or to impacts on other agency or non-Federal entity 
        operations, affected by the major incident based on information 
        available to agency officials as of the date on which the 
        agency submits the update; and
            ``(7) the detection, response, and remediation actions of 
        the agency, including any support provided by the Cybersecurity 
        and Infrastructure Security Agency under section 3594(d) and 
        status updates on the notification process described in section 
        3592(a), including any delay or exemption described in 
        subsection (c) or (d), respectively, of section 3592, if 
        applicable.
    ``(c) Update Report.--If the agency determines that there is any 
significant change in the understanding of the agency of the scope, 
scale, or consequence of a major incident for which an agency submitted 
a written notification under subsection (a), the agency shall provide 
an updated report to the appropriate notification entities that 
includes information relating to the change in understanding.
    ``(d) Annual Report.--Each agency shall submit as part of the 
annual report required under section 3554(c)(1) of this title a 
description of each major incident that occurred during the 1-year 
period preceding the date on which the report is submitted.
    ``(e) Delay and Exemption Report.--The Director shall submit to the 
appropriate notification entities an annual report on all notification 
delays and exemptions granted pursuant to subsections (c) and (d) of 
section 3592.
    ``(f) Report Delivery.--Any written notification or report required 
to be submitted under this section may be submitted in a paper or 
electronic format.
    ``(g) Rule of Construction.--Nothing in this section shall be 
construed to limit--
            ``(1) the ability of an agency to provide additional 
        reports or briefings to Congress; or
            ``(2) Congress from requesting additional information from 
        agencies through reports, briefings, or other means.
    ``(h) Binding Operational Directive.--If the Director of the 
Cybersecurity and Infrastructure Security Agency issues a binding 
operational directive or an emergency directive under section 3553, not 
later than 2 days after the date on which the binding operational 
directive requires an agency to take an action, each agency shall 
provide to the appropriate notification entities the status of the 
implementation of the binding operational directive at the agency.
``Sec. 3594. Government information sharing and incident response
    ``(a) In General.--
            ``(1) Incident reporting.--The head of each agency shall 
        provide any information relating to any incident, whether the 
        information is obtained by the Federal Government directly or 
        indirectly, to the Cybersecurity and Infrastructure Security 
        Agency and the Office of Management and Budget.
            ``(2) Contents.--A provision of information relating to an 
        incident made by the head of an agency under paragraph (1) 
        shall--
                    ``(A) include detailed information about the 
                safeguards that were in place when the incident 
                occurred;
                    ``(B) whether the agency implemented the safeguards 
                described in subparagraph (A) correctly; and
                    ``(C) in order to protect against a similar 
                incident, identify--
                            ``(i) how the safeguards described in 
                        subparagraph (A) should be implemented 
                        differently; and
                            ``(ii) additional necessary safeguards.
    ``(b) Compliance.--The information provided under subsection (a) 
shall--
            ``(1) take into account the level of classification of the 
        information and any information sharing limitations relating to 
        law enforcement; and
            ``(2) be in compliance with the requirements limiting the 
        release of information under section 552a of title 5 (commonly 
        known as the `Privacy Act of 1974').
    ``(c) Responding to Information Requests From Agencies Experiencing 
Incidents.--An agency that receives a request from another agency or 
Federal entity for information specifically intended to assist in the 
remediation or notification requirements due to an incident shall 
provide that information to the greatest extent possible, in accordance 
with guidance issued by the Director and taking into account 
classification, law enforcement, national security, and compliance with 
section 552a of title 5 (commonly known as the `Privacy Act of 1974').
    ``(d) Incident Response.--Each agency that has a reasonable basis 
to conclude that a major incident occurred, regardless of delays from 
notification granted for a major incident, shall consult with the 
Cybersecurity and Infrastructure Security Agency regarding--
            ``(1) incident response and recovery; and
            ``(2) recommendations for mitigating future incidents.
``Sec. 3595. Responsibilities of contractors and grant recipients
    ``(a) Notification.--
            ``(1) In general.--Subject to paragraph (3), any contractor 
        of an agency or recipient of a grant from an agency that has a 
        reasonable basis to conclude that an incident involving Federal 
        information has occurred shall immediately notify the agency.
            ``(2) Procedures.--
                    ``(A) Major incident.--Following notification of a 
                major incident by a contractor or recipient of a grant 
                under paragraph (1), an agency, in consultation with 
                the contractor or grant recipient, as applicable, shall 
                carry out the requirements under sections 3592, 3593, 
                and 3594 with respect to the major incident.
                    ``(B) Incident.--Following notification of an 
                incident by a contractor or recipient of a grant under 
                paragraph (1), an agency, in consultation with the 
                contractor or grant recipient, as applicable, shall 
                carry out the requirements under section 3594 with 
                respect to the incident.
            ``(3) Applicability.--This subsection shall apply to a 
        contractor of an agency or a recipient of a grant from an 
        agency that--
                    ``(A) receives information from the agency that the 
                contractor or recipient, as applicable, is not 
                contractually authorized to receive;
                    ``(B) experiences an incident relating to Federal 
                information on an information system of the contractor 
                or recipient, as applicable; or
                    ``(C) identifies an incident involving a Federal 
                information system.
    ``(b) Incident Response.--Any contractor of an agency or recipient 
of a grant from an agency that has a reasonable basis to conclude that 
a major incident occurred shall, in coordination with the agency, 
consult with the Cybersecurity and Infrastructure Security Agency 
regarding--
            ``(1) incident response assistance; and
            ``(2) recommendations for mitigating future incidents at 
        the agency.
    ``(c) Effective Date.--This section shall apply on and after the 
date that is 1 year after the date of enactment of the Federal 
Information Security Modernization Act of 2021.
``Sec. 3596. Training
    ``(a) In General.--Each agency shall develop training for 
individuals at the agency with access to Federal information or 
information systems on how to identify and respond to an incident, 
including--
            ``(1) the internal process at the agency for reporting an 
        incident; and
            ``(2) the obligation of the individual to report to the 
        agency a confirmed major incident and any suspected incident, 
        involving information in any medium or form, including paper, 
        oral, and electronic.
    ``(b) Applicability.--The training developed under subsection (a) 
shall--
            ``(1) be required for an individual before the individual 
        may access Federal information or information systems; and
            ``(2) apply to individuals with temporary access to Federal 
        information or information systems, such as detailees, 
        contractors, subcontractors, grantees, volunteers, and interns.
    ``(c) Inclusion in Annual Training.--The training developed under 
subsection (a) may be included as part of an annual privacy or security 
awareness training of the agency, as applicable.
``Sec. 3597. Analysis and report on Federal incidents
    ``(a) Definition of Compromise.--In this section, the term 
`compromise' means--
            ``(1) an incident;
            ``(2) a result of a penetration test in which the tester 
        successfully gains access to a system within the standards 
        under section 3559A;
            ``(3) a vulnerability disclosure; or
            ``(4) any other event that the Director of the 
        Cybersecurity and Infrastructure Security Agency determines 
        identifies an exploitable vulnerability in an agency system.
    ``(b) Analysis of Federal Incidents.--
            ``(1) In general.--The Director of the Cybersecurity and 
        Infrastructure Security Agency shall perform continuous 
        monitoring of compromises of agencies.
            ``(2) Quantitative and qualitative analyses.--The Director 
        of the Cybersecurity and Infrastructure Security Agency, in 
        consultation with the Director, shall develop and perform 
        continuous monitoring and quantitative and qualitative analyses 
        of compromises of agencies, including--
                    ``(A) the causes of successful compromises, 
                including--
                            ``(i) attacker tactics, techniques, and 
                        procedures; and
                            ``(ii) system vulnerabilities, including 
                        zero days, unpatched systems, and information 
                        system misconfigurations;
                    ``(B) the scope and scale of compromises of 
                agencies;
                    ``(C) cross Federal Government root causes of 
                compromises of agencies;
                    ``(D) agency response, recovery, and remediation 
                actions and effectiveness of incidents, as applicable; 
                and
                    ``(E) lessons learned and recommendations in 
                responding, recovering, remediating, and mitigating 
                future incidents.
            ``(3) Automated analysis.--The analyses developed under 
        paragraph (2) shall, to the greatest extent practicable, use 
        machine readable data, automation, and machine learning 
        processes.
            ``(4) Sharing of data and analysis.--
                    ``(A) In general.--The Director shall share on an 
                ongoing basis the analyses required under this 
                subsection with agencies to--
                            ``(i) improve the understanding of agencies 
                        with respect to risk; and
                            ``(ii) support the cybersecurity 
                        improvement efforts of agencies.
                    ``(B) Format.--In carrying out subparagraph (A), 
                the Director shall share the analyses--
                            ``(i) in human-readable written products; 
                        and
                            ``(ii) to the greatest extent practicable, 
                        in machine-readable formats in order to enable 
                        automated intake and use by agencies.
    ``(c) Annual Report on Federal Compromises.--Not later than 2 years 
after the date of enactment of this section, and not less frequently 
than annually thereafter, the Director of the Cybersecurity and 
Infrastructure Security Agency, in consultation with the Director, 
shall submit to the appropriate notification entities a report that 
includes--
            ``(1) a summary of causes of compromises from across the 
        Federal Government that categorizes those compromises by the 
        items described in paragraphs (1) through (4) of subsection 
        (a);
            ``(2) the quantitative and qualitative analyses of 
        compromises developed under subsection (b)(2) on an agency-by-
        agency basis and comprehensively; and
            ``(3) an annex for each agency that includes the total 
        number of compromises of the agency and categorizes those 
        compromises by the items described in paragraphs (1) through 
        (4) of subsection (a).
    ``(d) Publication.--A version of each report submitted under 
subsection (c) shall be made publicly available on the website of the 
Cybersecurity and Infrastructure Security Agency during the year in 
which the report is submitted.
    ``(e) Information Provided by Agencies.--The analysis required 
under subsection (b) and each report submitted under subsection (c) 
shall utilize information provided by agencies pursuant to section 
3594(d).
    ``(f) Requirement To Anonymize Information.--In publishing the 
public report required under subsection (d), the Director of the 
Cybersecurity and Infrastructure Security Agency shall sufficiently 
anonymize and compile information such that no specific incidents of an 
agency can be identified, except with the concurrence of the Director 
of the Office of Management and Budget and in consultation with the 
impacted agency.
``Sec. 3598. Major incident guidance
    ``(a) In General.--Not later than 90 days after the date of 
enactment of the Federal Information Security Management Act of 2021, 
the Director, in coordination with the Director of the Cybersecurity 
and Infrastructure Security Agency, shall develop and promulgate 
guidance on the definition of the term `major incident' for the 
purposes of subchapter II and this subchapter.
    ``(b) Requirements.--With respect to the guidance issued under 
subsection (a), the definition of the term `major incident' shall--
            ``(1) include, with respect to any information collected or 
        maintained by or on behalf of an agency or an information 
        system used or operated by an agency or by a contractor of an 
        agency or another organization on behalf of an agency--
                    ``(A) any incident the head of the agency 
                determines is likely to have an impact on the national 
                security, homeland security, or economic security of 
                the United States;
                    ``(B) any incident the head of the agency 
                determines is likely to have an impact on the 
                operations of the agency, a component of the agency, or 
                the Federal Government, including an impact on the 
                efficiency or effectiveness of agency information 
                systems;
                    ``(C) any incident that the head of an agency, in 
                consultation with the Chief Privacy Officer of the 
                agency, determines involves a high risk incident in 
                accordance with the guidance issued under subsection 
                (c)(1);
                    ``(D) any incident that involves the unauthorized 
                disclosure of personally identifiable information of 
                not less than 500 individuals, regardless of the risk 
                level determined under the guidance issued under 
                subsection (c)(1);
                    ``(E) any incident the head of the agency 
                determines involves a high value asset owned or 
                operated by the agency; and
                    ``(F) any other type of incident determined 
                appropriate by the Director;
            ``(2) stipulate that every agency shall be considered to 
        have experienced a major incident if the Director of the 
        Cybersecurity and Infrastructure Security Agency determines 
        that an incident that occurs at not less than 2 agencies--
                    ``(A) is enabled by a common technical root cause, 
                such as a supply chain compromise, a common software or 
                hardware vulnerability; or
                    ``(B) is enabled by the related activities of a 
                common actor; and
            ``(3) stipulate that, in determining whether an incident 
        constitutes a major incident because that incident--
                    ``(A) is any incident described in paragraph (1), 
                the head of an agency shall consult with the Director 
                of the Cybersecurity and Infrastructure Security 
                Agency;
                    ``(B) is an incident described in paragraph (1)(A), 
                the head of the agency shall consult with the National 
                Cyber Director; and
                    ``(C) is an incident described in subparagraph (C) 
                or (D) of paragraph (1), the head of the agency shall 
                consult with--
                            ``(i) the Privacy and Civil Liberties 
                        Oversight Board; and
                            ``(ii) the Executive Director of the 
                        Federal Trade Commission.
    ``(c) Guidance on Risk to Individuals.--
            ``(1) In general.--Not later than 90 days after the date of 
        enactment of the Federal Information Security Modernization Act 
        of 2021, the Director, in coordination with the Director of the 
        Cybersecurity and Infrastructure Security Agency, the Privacy 
        and Civil Liberties Oversight Board, and the Executive Director 
        of the Federal Trade Commission, shall develop and issue 
        guidance to agencies that establishes a risk-based framework 
        for determining the level of risk that an incident involving 
        personally identifiable information could result in substantial 
        harm, physical harm, embarrassment, or unfairness to an 
        individual.
            ``(2) Risk levels and considerations.--The risk-based 
        framework included in the guidance issued under paragraph (1) 
        shall--
                    ``(A) include a range of risk levels, including a 
                high risk level; and
                    ``(B) consider--
                            ``(i) any personally identifiable 
                        information that was exposed as a result of an 
                        incident;
                            ``(ii) the circumstances under which the 
                        exposure of personally identifiable information 
                        of an individual occurred; and
                            ``(iii) whether an independent evaluation 
                        of the information affected by an incident 
                        determines that the information is unreadable, 
                        including, as appropriate, instances in which 
                        the information is--
                                    ``(I) encrypted; and
                                    ``(II) determined by the Director 
                                of the Cybersecurity and Infrastructure 
                                Security Agency to be of sufficiently 
                                low risk of exposure.
            ``(3) Approval.--
                    ``(A) In general.--The guidance issued under 
                paragraph (1) shall include a process by which the 
                Director, jointly with the Director of the 
                Cybersecurity and Infrastructure Security Agency and 
                the Attorney General, may approve the designation of an 
                incident that would be considered high risk as lower 
                risk if information exposed by the incident is 
                unreadable, as described in paragraph (2)(B)(iii).
                    ``(B) Documentation.--The Director shall report any 
                approval of an incident granted by the Director under 
                subparagraph (A) to--
                            ``(i) the head of the agency that 
                        experienced the incident;
                            ``(ii) the inspector general of the agency 
                        that experienced the incident; and
                            ``(iii) the Director of the Cybersecurity 
                        and Infrastructure Security Agency.
    ``(d) Evaluation and Updates.--Not later than 2 years after the 
date of enactment of the Federal Information Security Modernization Act 
of 2021, and not less frequently than every 2 years thereafter, the 
Director shall submit to the Committee on Homeland Security and 
Governmental Affairs of the Senate and the Committee on Oversight and 
Reform of the House of Representatives an evaluation, which shall 
include--
            ``(1) an update, if necessary, to the guidance issued under 
        subsections (a) and (c);
            ``(2) the definition of the term `major incident' included 
        in the guidance issued under subsection (a);
            ``(3) an explanation of, and the analysis that led to, the 
        definition described in paragraph (2); and
            ``(4) an assessment of any additional datasets or risk 
        evaluation criteria that should be included in the risk-based 
        framework included in the guidance issued under subsection 
        (c)(1).''.
            (2) Clerical amendment.--The table of sections for chapter 
        35 of title 44, United States Code, is amended by adding at the 
        end the following:

            ``subchapter iv--federal system incident response

``3591. Definitions.
``3592. Notification of high risk exposure after major incident.
``3593. Congressional notifications and reports.
``3594. Government information sharing and incident response.
``3595. Responsibilities of contractors and grant recipients.
``3596. Training.
``3597. Analysis and report on Federal incidents.
``3598. Major incident guidance.''.

SEC. 102. AMENDMENTS TO SUBTITLE III OF TITLE 40.

    (a) Information Technology Modernization Centers of Excellence 
Program Act.--Section 2(c)(4)(A)(ii) of the Information Technology 
Modernization Centers of Excellence Program Act (40 U.S.C. 11301 note) 
is amended by striking the period at the end and inserting ``, which 
shall be provided in coordination with the Director of the 
Cybersecurity and Infrastructure Security Agency.''.
    (b) Modernizing Government Technology.--Subtitle G of title X of 
Division A of the National Defense Authorization Act for Fiscal Year 
2018 (40 U.S.C. 11301 note) is amended--
            (1) in section 1077(b)--
                    (A) in paragraph (5)(A), by inserting ``improving 
                the cybersecurity of systems and'' before ``cost 
                savings activities''; and
                    (B) in paragraph (7)--
                            (i) in the paragraph heading, by striking 
                        ``cio'' and inserting ``CIO'';
                            (ii) by striking ``In evaluating projects'' 
                        and inserting the following:
                    ``(A) Consideration of guidance.--In evaluating 
                projects'';
                            (iii) in subparagraph (A), as so 
                        designated, by striking ``under section 
                        1094(b)(1)'' and inserting ``guidance issued by 
                        the Director''; and
                            (iv) by adding at the end the following:
                    ``(B) Consultation.--In using funds under paragraph 
                (3)(A), the Chief Information Officer of the covered 
                agency shall consult with the Director of the 
                Cybersecurity and Infrastructure Security Agency.''; 
                and
            (2) in section 1078--
                    (A) by striking subsection (a) and inserting the 
                following:
    ``(a) Definitions.--In this section:
            ``(1) Agency.--The term `agency' has the meaning given the 
        term in section 551 of title 5, United States Code.
            ``(2) High value asset.--The term `high value asset' has 
        the meaning given the term in section 3552 of title 44, United 
        States Code.'';
                    (B) in subsection (b), by adding at the end the 
                following:
            ``(8) Proposal evaluation.--The Director shall--
                    ``(A) give consideration for the use of amounts in 
                the Fund to improve the security of high value assets; 
                and
                    ``(B) require that any proposal for the use of 
                amounts in the Fund includes a cybersecurity plan, 
                including a chain risk management plan, to be reviewed 
                by the member of the Technology Modernization Board 
                described in subsection (c)(5)(C).''; and
                    (C) in subsection (c)--
                            (i) in paragraph (2)(A)(i), by inserting 
                        ``, including a consideration of the impact on 
                        high value assets'' after ``operational 
                        risks'';
                            (ii) in paragraph (5)--
                                    (I) in subparagraph (A), by 
                                striking ``and'' at the end;
                                    (II) in subparagraph (B), by 
                                striking the period at the end and 
                                inserting ``and''; and
                                    (III) by adding at the end the 
                                following:
                    ``(C) a senior official from the Cybersecurity and 
                Infrastructure Security Agency of the Department of 
                Homeland Security, appointed by the Director.''; and
                            (iii) in paragraph (6)(A), by striking 
                        ``shall be--'' and all that follows through ``4 
                        employees'' and inserting ``shall be 4 
                        employees''.
    (c) Subchapter I.--Subchapter I of subtitle III of title 40, United 
States Code, is amended--
            (1) in section 11302--
                    (A) in subsection (b), by striking ``use, security, 
                and disposal of'' and inserting ``use, and disposal, 
                and, in coordination with the Director of the 
                Cybersecurity and Infrastructure Security Agency, 
                promote and improve the security, of'';
                    (B) in subsection (c)--
                            (i) in paragraph (2), by inserting ``in 
                        consultation with the Director of the 
                        Cybersecurity and Infrastructure Security 
                        Agency'' before ``, and results of'';
                            (ii) in paragraph (3)--
                                    (I) in subparagraph (A), by 
                                striking ``, and performance'' and 
                                inserting ``security, and 
                                performance''; and
                                    (II) in subparagraph (C)--
                                            (aa) by striking ``For each 
                                        major'' and inserting the 
                                        following:
                            ``(i) In general.--For each major''; and
                                            (bb) by adding at the end 
                                        the following:
                            ``(ii) Cybersecurity.--In categorizing an 
                        investment according to risk under clause (i), 
                        the Chief Information Officer of the covered 
                        agency shall consult with the Director of the 
                        Cybersecurity and Infrastructure Security 
                        Agency on the cybersecurity or supply chain 
                        risk.
                            ``(iii) Security risk guidance.--The 
                        Director, in coordination with the Director of 
                        the Cybersecurity and Infrastructure Security 
                        Agency, shall issue guidance for the 
                        categorization of an investment under clause 
                        (i) according to the cybersecurity or supply 
                        chain risk.''; and
                            (iii) in paragraph (4)--
                                    (I) in subparagraph (A)--
                                            (aa) in clause (ii), by 
                                        striking ``and'' at the end;
                                            (bb) in clause (iii), by 
                                        striking the period at the end 
                                        and inserting ``; and''; and
                                            (cc) by adding at the end 
                                        the following:
                            ``(iv) in consultation with the Director of 
                        the Cybersecurity and Infrastructure Security 
                        Agency, the cybersecurity risks of the 
                        investment.''; and
                                    (II) in subparagraph (B), in the 
                                matter preceding clause (i), by 
                                inserting ``not later than 30 days 
                                after the date on which the review 
                                under subparagraph (A) is completed,'' 
                                before ``the Administrator'';
                    (C) in subsection (f)--
                            (i) by striking ``heads of executive 
                        agencies to develop'' and inserting ``heads of 
                        executive agencies to--
            ``(1) develop'';
                            (ii) in paragraph (1), as so designated, by 
                        striking the period at the end and inserting 
                        ``; and''; and
                            (iii) by adding at the end the following:
            ``(2) consult with the Director of the Cybersecurity and 
        Infrastructure Security Agency for the development and use of 
        supply chain security best practices.''; and
                    (D) in subsection (h), by inserting ``, including 
                cybersecurity performances,'' after ``the 
                performances''; and
            (2) in section 11303(b)(2)(B)--
                    (A) in clause (i), by striking ``or'' at the end;
                    (B) in clause (ii), by adding ``or'' at the end; 
                and
                    (C) by adding at the end the following:
                            ``(iii) whether the function should be 
                        performed by a shared service offered by 
                        another executive agency;''.
    (d) Subchapter II.--Subchapter II of subtitle III of title 40, 
United States Code, is amended--
            (1) in section 11312(a), by inserting ``, including 
        security risks'' after ``managing the risks'';
            (2) in section 11313(1), by striking ``efficiency and 
        effectiveness'' and inserting ``efficiency, security, and 
        effectiveness'';
            (3) in section 11317, by inserting ``security,'' before 
        ``or schedule''; and
            (4) in section 11319(b)(1), in the paragraph heading, by 
        striking ``cios'' and inserting ``Chief information officers''.
    (e) Subchapter III.--Section 11331 of title 40, United States Code, 
is amended--
            (1) in subsection (a), by striking ``section 3532(b)(1)'' 
        and inserting ``section 3552(b)'';
            (2) in subsection (b)(1)(A)--
                    (A) by striking ``in consultation'' and inserting 
                ``in coordination'';
                    (B) by striking ``the Secretary of Homeland 
                Security'' and inserting ``the Director of the 
                Cybersecurity and Infrastructure Security Agency''; and
                    (C) by inserting ``and associated verification 
                specifications developed under subsection (g)'' before 
                ``pertaining to Federal'';
            (3) by striking subsection (c) and inserting the following:
    ``(c) Application of More Stringent Standards.--
            ``(1) In general.--The head of an agency shall--
                    ``(A) evaluate the need to employ standards for 
                cost-effective, risk-based information security for all 
                systems, operations, and assets within or under the 
                supervision of the agency that are more stringent than 
                the standards promulgated by the Director under this 
                section, if such standards contain, at a minimum, the 
                provisions of those applicable standards made 
                compulsory and binding by the Director; and
                    ``(B) to the greatest extent practicable and if the 
                head of the agency determines that the standards 
                described in subparagraph (A) are necessary, employ 
                those standards.
            ``(2) Evaluation of more stringent standards.--In 
        evaluating the need to employ more stringent standards under 
        paragraph (1), the head of an agency shall consider available 
        risk information, including--
                    ``(A) the status of cybersecurity remedial actions 
                of the agency;
                    ``(B) any vulnerability information relating to 
                agency systems that is known to the agency;
                    ``(C) incident information of the agency;
                    ``(D) information from--
                            ``(i) penetration testing performed under 
                        section 3559A of title 44; and
                            ``(ii) information from the verification 
                        disclosure program established under section 
                        3559B of title 44;
                    ``(E) agency threat hunting results under section 
                207 of the Federal Information Security Modernization 
                Act of 2021;
                    ``(F) Federal and non-Federal threat intelligence;
                    ``(G) data on compliance with standards issued 
                under this section, using the verification 
                specifications developed under subsection (f) when 
                appropriate;
                    ``(H) agency system risk assessments of the agency 
                performed under section 3554(a)(1)(A) of title 44; and
                    ``(I) any other information determined relevant by 
                the head of the agency.'';
            (4) in subsection (d)(2)--
                    (A) by striking the paragraph heading and inserting 
                ``Consultation, notice, and comment'';
                    (B) by inserting ``promulgate,'' before 
                ``significantly modify''; and
                    (C) by striking ``shall be made after the public is 
                given an opportunity to comment on the Director's 
                proposed decision.'' and inserting ``shall be made--
                    ``(A) for a decision to significantly modify or not 
                promulgate such a proposed standard, after the public 
                is given an opportunity to comment on the Director's 
                proposed decision;
                    ``(B) in consultation with the Chief Information 
                Officers Council, the Director of the Cybersecurity and 
                Infrastructure Security Agency, the National Cyber 
                Director, the Comptroller General of the United States, 
                and the Council of the Inspectors General on Integrity 
                and Efficiency;
                    ``(C) considering the Federal risk assessments 
                performed under section 3553(i) of title 44; and
                    ``(D) considering the extent to which the proposed 
                standard reduces risk relative to the cost of 
                implementation of the standard.''; and
            (5) by adding at the end the following:
    ``(e) Review of Promulgated Standards.--
            ``(1) In general.--Not less frequently than once every 2 
        years, the Director of the Office of Management and Budget, in 
        consultation with the Chief Information Officers Council, the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, the National Cyber Director, the Comptroller General of 
        the United States, and the Council of the Inspectors General on 
        Integrity and Efficiency shall review the efficacy of the 
        standards in effect promulgated under this section in reducing 
        cybersecurity risks and determine whether any changes to those 
        standards are appropriate based on--
                    ``(A) the Federal risk assessment developed under 
                section 3553(i) of title 44;
                    ``(B) public comment; and
                    ``(C) an assessment of the extent to which the 
                proposed standards reduce risk relative to the cost of 
                implementation of the standards.
            ``(2) Updated guidance.--Not later than 90 days after the 
        date of the completion of the review under paragraph (1), the 
        Director of the Office of Management and Budget shall issue 
        guidance to agencies to make any necessary updates to the 
        standards in effect promulgated under this section based on the 
        results of the review.
            ``(3) Congressional report.--Not later than 30 days after 
        the date on which a review is completed under paragraph (1), 
        the Director shall submit to the Committee on Homeland Security 
        and Governmental Affairs of the Senate and the Committee on 
        Oversight and Reform of the House of Representatives a report 
        that includes--
                    ``(A) the review of the standards in effect 
                promulgated under this section conducted under 
                paragraph (1);
                    ``(B) the risk mitigation offered by each standard 
                described in subparagraph (A); and
                    ``(C) a summary of--
                            ``(i) the standards to which changes were 
                        determined appropriate during the review; and
                            ``(ii) anticipated changes to the standards 
                        under this section in guidance issued under 
                        paragraph (2).
    ``(f) Verification Specifications.--Not later than 1 year after the 
date on which the Director of the National Institute of Standards and 
Technology issues a proposed standard pursuant to paragraphs (2) and 
(3) of section 20(a) of the National Institute of Standards and 
Technology Act (15 U.S.C. 278g-3(a)), the Director of the Cybersecurity 
and Infrastructure Security Agency, in consultation with the Director 
of the National Institute of Standards and Technology, as practicable, 
shall develop technical specifications to enable the automated 
verification of the implementation of the controls within the 
standard.''.

SEC. 103. ACTIONS TO ENHANCE FEDERAL INCIDENT RESPONSE.

    (a) Responsibilities of the Cybersecurity and Infrastructure 
Security Agency.--
            (1) Recommendations.--Not later than 180 days after the 
        date of enactment of this Act, the Director of the 
        Cybersecurity and Infrastructure Security Agency, in 
        coordination with the Chair of the Federal Trade Commission, 
        the Chair of the Securities and Exchange Commission, the 
        Secretary of the Treasury, the Director of the Federal Bureau 
        of Investigation, the Director of the National Institute of 
        Standards and Technology, and the head of any other appropriate 
        Federal or non-Federal entity, shall consolidate, maintain, and 
        make publicly available recommendations for individuals whose 
        personal information, as defined in section 3591 of title 44, 
        United States Code, as added by this Act, is inappropriately 
        exposed as a result of a high risk incident described in 
        section 3598(c)(2) of title 44, United States Code.
            (2) Plan for analysis of, and report on, federal 
        incidents.--
                    (A) In general.--Not later than 180 days after the 
                date of enactment of this Act, the Director of the 
                Cybersecurity and Infrastructure Security Agency 
                shall--
                            (i) develop a plan for the development of 
                        the analysis required under section 3597(b) of 
                        title 44, United States Code, as added by this 
                        Act, and the report required under subsection 
                        (c) of that section that includes--
                                    (I) a description of any challenges 
                                the Director anticipates encountering; 
                                and
                                    (II) the use of automation and 
                                machine-readable formats for 
                                collecting, compiling, monitoring, and 
                                analyzing data; and
                            (ii) provide to the appropriate 
                        congressional committees a briefing on the plan 
                        developed under clause (i).
                    (B) Briefing.--Not later than 1 year after the date 
                of enactment of this Act, the Director of the 
                Cybersecurity and Infrastructure Security Agency shall 
                provide to the appropriate congressional committees a 
                briefing on--
                            (i) the execution of the plan required 
                        under subparagraph (A); and
                            (ii) the development of the report required 
                        under section 3597(c) of title 44, United 
                        States Code, as added by this Act.
    (b) Responsibilities of the Director of the Office of Management 
and Budget.--
            (1) FISMA.--Section 2 of the Federal Information Security 
        Modernization Act of 2014 (44 U.S.C. 3554 note) is amended--
                    (A) by striking subsection (b); and
                    (B) by redesignating subsections (c) through (f) as 
                subsections (b) through (e), respectively.
            (2) Incident data sharing.--
                    (A) In general.--The Director shall develop 
                guidance, to be updated not less frequently than once 
                every 2 years, on the content, timeliness, and format 
                of the information provided by agencies under section 
                3594(a) of title 44, United States Code, as added by 
                this Act.
                    (B) Requirements.--The guidance developed under 
                subparagraph (A) shall--
                            (i) prioritize the availability of data 
                        necessary to understand and analyze--
                                    (I) the causes of incidents;
                                    (II) the scope and scale of 
                                incidents within the agency networks 
                                and systems;
                                    (III) cross Federal Government root 
                                causes of incidents;
                                    (IV) agency response, recovery, and 
                                remediation actions; and
                                    (V) the effectiveness of incidents;
                            (ii) enable the efficient development of--
                                    (I) lessons learned and 
                                recommendations in responding to, 
                                recovering from, remediating, and 
                                mitigating future incidents; and
                                    (II) the report on Federal 
                                compromises required under section 
                                3597(c) of title 44, United States 
                                Code, as added by this Act;
                            (iii) include requirements for the 
                        timeliness of data production; and
                            (iv) include requirements for using 
                        automation and machine-readable data for data 
                        sharing and availability.
            (3) Guidance on responding to information requests.--Not 
        later than 1 year after the date of enactment of this Act, the 
        Director shall develop guidance for agencies to implement the 
        requirement under section 3594(c) of title 44, United States 
        Code, as added by this Act, to provide information to other 
        agencies experiencing incidents.
            (4) Standard guidance and templates.--Not later than 1 year 
        after the date of enactment of this Act, the Director, in 
        coordination with the Director of the Cybersecurity and 
        Infrastructure Security Agency, shall develop guidance and 
        templates, to be reviewed and, if necessary, updated not less 
        frequently than once every 2 years, for use by Federal agencies 
        in the activities required under sections 3592, 3593, and 3596 
        of title 44, United States Code, as added by this Act.
            (5) Contractor and grantee guidance.--
                    (A) In general.--Not later than 1 year after the 
                date of enactment of this Act, the Director, in 
                coordination with the Secretary of Homeland Security, 
                the Secretary of Defense, the Administrator of General 
                Services, and the heads of other agencies determined 
                appropriate by the Director, shall issue guidance to 
                Federal agencies on how to deconflict existing 
                regulations, policies, and procedures relating to the 
                responsibilities of contractors and grant recipients 
                established under section 3595 of title 44, United 
                States Code, as added by this Act.
                    (B) Existing processes.--To the greatest extent 
                practicable, the guidance issued under subparagraph (A) 
                shall allow contractors and grantees to use existing 
                processes for notifying Federal agencies of incidents 
                involving information of the Federal Government.
            (6) Updated briefings.--Not less frequently than once every 
        2 years, the Director shall provide to the appropriate 
        congressional committees an update on the guidance and 
        templates developed under paragraphs (2) through (4).
    (c) Update to the Privacy Act of 1974.--Section 552a(b) of title 5, 
United States Code (commonly known as the ``Privacy Act of 1974'') is 
amended--
            (1) in paragraph (11), by striking ``or'' at the end;
            (2) in paragraph (12), by striking the period at the end 
        and inserting ``; and''; and
            (3) by adding at the end the following:
            ``(13) to another agency in furtherance of a response to an 
        incident (as defined in section 3552 of title 44) and pursuant 
        to the information sharing requirements in section 3594 of 
        title 44 if the head of the requesting agency has made a 
        written request to the agency that maintains the record 
        specifying the particular portion desired and the activity for 
        which the record is sought.''.

SEC. 104. ADDITIONAL GUIDANCE TO AGENCIES ON FISMA UPDATES.

    Not later than 1 year after the date of enactment of this Act, the 
Director, in coordination with the Director of the Cybersecurity and 
Infrastructure Security Agency, shall issue guidance for agencies on--
            (1) completing the agency system risk assessment required 
        under section 3554(a)(1)(A) of title 44, United States Code, as 
        amended by this Act;
            (2) implementing additional cybersecurity procedures, which 
        shall include resources for shared services;
            (3) establishing a process for providing the status of each 
        remedial action under section 3554(b)(7) of title 44, United 
        States Code, as amended by this Act, to the Director and the 
        Cybersecurity and Infrastructure Security Agency using 
        automation and machine-readable data, as practicable, which 
        shall include--
                    (A) specific standards for the automation and 
                machine-readable data; and
                    (B) templates for providing the status of the 
                remedial action;
            (4) interpreting the definition of ``high value asset'' in 
        section 3552 of title 44, United States Code, as amended by 
        this Act;
            (5) implementing standards in agency authorization 
        processes to encourage the tailoring of processes to agency and 
        system risk that are proportionate to the sensitivity of 
        systems, which shall include--
                    (A) a clarification of--
                            (i) the acceptable use and development of 
                        customization of standards promulgated under 
                        section 11331 of title 40, United States Code; 
                        and
                            (ii) the acceptable use of risk-based 
                        authorization procedures authorized on the date 
                        of enactment of this Act; and
                    (B) a requirement to coordinate with Inspectors 
                General of agencies to ensure consistent understanding 
                and application of agency policies for the purpose of 
                Inspector General audits; and
            (6) requiring, as practicable and pursuant to section 203, 
        an evaluation of agency cybersecurity using metrics that are--
                    (A) based on outcomes; and
                    (B) based on time.

SEC. 105. AGENCY REQUIREMENTS TO NOTIFY ENTITIES IMPACTED BY INCIDENTS.

    Not later than 180 days after the date of enactment of this Act, 
the Director shall issue guidance that requires agencies to notify 
entities that are compelled to share sensitive information with the 
agency of an incident that impacts--
            (1) sensitive information shared with the agency by the 
        entity; or
            (2) the systems used to transmit sensitive information 
        described in paragraph (1) to the agency.

               TITLE II--IMPROVING FEDERAL CYBERSECURITY

SEC. 201. EVALUATION OF EFFECTIVENESS OF STANDARDS.

    (a) In General.--As a component of the evaluation and report 
required under section 3555(h) of title 44, United States Code, and not 
later than 1 year after the date of enactment of this Act, the 
Comptroller General of the United States shall perform a study that--
            (1) assesses the standards promulgated under section 
        11331(b) of title 40, United States Code to determine the 
        degree to which agencies use the authority under section 
        11331(c)(1) of title 40, United States Code to customize the 
        standards relative to the risks facing each agency and agency 
        system;
            (2) assesses the effectiveness of the standards described 
        in paragraph (1), including any standards customized by 
        agencies under section 11331(c)(1) of title 40, United States 
        Code, at improving agency cybersecurity;
            (3) examines the quantification of cybersecurity risk in 
        the private sector for any applicability for use by the Federal 
        Government;
            (4) examines cybersecurity metrics existing as of the date 
        of enactment of this Act used by the Director, the Director of 
        the Cybersecurity and Infrastructure Security Agency, and the 
        heads of other agencies to evaluate the effectiveness of 
        information security policies and practices; and
            (5) with respect to the standards described in paragraph 
        (1), provides recommendations for--
                    (A) the addition or removal of standards; or
                    (B) the customization of--
                            (i) the standards by agencies under section 
                        11331(c)(1) of title 40, United States Code; or
                            (ii) specific controls within the 
                        standards.
    (b) Incorporation of Study.--The Director shall incorporate the 
results of the study performed under subsection (a) into the review of 
standards required under section 11331(e) of title 40, United States 
Code.
    (c) Briefing.--Not later than 30 days after the date on which the 
study performed under subsection (a) is completed, the Comptroller 
General of the United States shall provide to the appropriate 
congressional committees a briefing on the study.

SEC. 202. MOBILE SECURITY STANDARDS.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, the Director shall--
            (1) evaluate mobile application security standards 
        promulgated under section 11331(b) of title 44, United States 
        Code; and
            (2) issue guidance to implement mobile security standards 
        in effect on the date of enactment of this Act promulgated 
        under section 11331(b) of title 40, United States Code, 
        including for mobile applications, for every agency.
    (b) Contents.--The guidance issued under subsection (a)(2) shall 
include--
            (1) a requirement, pursuant to section 3506(b)(4) of title 
        44, United States Code, for every agency to maintain a 
        continuous inventory of every--
                    (A) mobile device operated by or on behalf of the 
                agency;
                    (B) mobile application installed on a mobile device 
                described in subparagraph (A); and
                    (C) vulnerability identified by the agency 
                associated with a mobile device or mobile application 
                described in subparagraphs (A) and (B); and
            (2) a requirement for every agency to perform continuous 
        evaluation of the vulnerabilities described in paragraph (1)(C) 
        and other risks.
    (c) Information Sharing.--The Director, in coordination with the 
Director of the Cybersecurity and Infrastructure Security Agency, shall 
issue guidance to agencies for sharing the inventory of the agency 
required under subsection (b)(1) with the Director of the Cybersecurity 
and Infrastructure Security Agency, using automation and machine-
readable data to the greatest extent practicable.
    (d) Briefing.--Not later than 60 days after the date on which the 
Director issues guidance under subsection (a)(2), the Director, in 
coordination with the Director of the Cybersecurity and Infrastructure 
Security Agency, shall provide to the appropriate congressional 
committees a briefing on the guidance.

SEC. 203. QUANTITATIVE CYBERSECURITY METRICS.

    (a) Establishing Time-Based Metrics.--
            (1) In general.--Not later than 1 year after the date of 
        enactment of this Act, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall--
                    (A) update the metrics used to measure security 
                under section 3554 of title 44, United States Code, 
                including any metrics developed pursuant to section 
                224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 
                1522(c)), to include standardized metrics to 
                quantitatively evaluate and identify trends in agency 
                cybersecurity performance, including performance for 
                incident response; and
                    (B) evaluate the metrics described in subparagraph 
                (A).
            (2) Qualities.--With respect to the updated metrics 
        required under paragraph (1)--
                    (A) not less than 2 of the metrics shall be time-
                based; and
                    (B) the metrics may include other measurable 
                outcomes.
            (3) Evaluation.--The evaluation required under paragraph 
        (1)(B) shall evaluate--
                    (A) the amount of time it takes for an agency to 
                detect an incident; and
                    (B) the amount of time that passes between--
                            (i) the detection and remediation of an 
                        incident; and
                            (ii) the remediation of an incident and the 
                        recovery from the incident.
    (b) Implementation.--
            (1) In general.--The Director, in coordination with the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, shall promulgate guidance that requires the use of the 
        updated metrics developed under subsection (a)(1)(A) by every 
        agency over a 4-year period beginning on the date on which the 
        metrics are developed to track trends in the incident response 
        capabilities of agencies.
            (2) Penetration tests.--On not less than 2 occasions during 
        the 2-year period following the date on which guidance is 
        promulgated under paragraph (1), not less than 3 agencies shall 
        be subjected to substantially similar penetration tests in 
        order to validate the utility of the metrics developed under 
        subsection (a)(1)(A).
            (3) Database.--The Director of the Cybersecurity and 
        Infrastructure Security Agency shall develop and use a database 
        that--
                    (A) stores agency metrics information; and
                    (B) allows for the performance of cross-agency 
                comparison of agency incident response capability 
                trends.
    (c) Updated Metrics.--
            (1) In general.--The Director may issue guidance that 
        updates the metrics developed under subsection (a)(1)(A) if the 
        updated metrics--
                    (A) have the qualities described in subsection 
                (a)(2); and
                    (B) can be evaluated under subsection (a)(3).
            (2) Data sharing.--The guidance issued under paragraph (1) 
        shall require agencies to share with the Director of the 
        Cybersecurity and Infrastructure Security Agency data 
        demonstrating the performance of the agency with the updated 
        metrics included in that guidance against the metrics developed 
        under subsection (a)(1)(A).
    (d) Congressional Reports.--
            (1) Updated metrics.--Not later than 30 days after the date 
        on which the Director of the Cybersecurity and Infrastructure 
        Security Agency completes the evaluation required under 
        subsection (a)(1)(B), the Director of the Cybersecurity and Infrastructure 
        Security Agency shall submit to the appropriate congressional 
        committees a report on the updated metrics developed under 
        subsection (a)(1)(A).
            (2) Program.--Not later than 180 days after the date on 
        which guidance is promulgated under subsection (b)(1), the 
        Director shall submit to the appropriate congressional 
        committees a report on the results of the use of the updated 
        metrics developed under subsection (a)(1)(A) by agencies.

SEC. 204. DATA AND LOGGING RETENTION FOR INCIDENT RESPONSE.

    (a) Recommendations.--Not later than 60 days after the date of 
enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency, in consultation with the Attorney 
General and the National Cyber Director, shall submit to the Director 
recommendations on requirements for logging events on agency systems 
and retaining other relevant data within the systems and networks of an 
agency.
    (b) Contents.--The recommendations provided under subsection (a) 
shall include--
            (1) the types of logs to be maintained;
            (2) the time periods to retain the logs and other relevant 
        data;
            (3) the time periods for agencies to enable recommended 
        logging and security requirements;
            (4) how to ensure the confidentiality, integrity, and 
        availability of logs;
            (5) requirements to ensure that, upon request, agencies 
        provide logs to--
                    (A) the Director of the Cybersecurity and 
                Infrastructure Security Agency for a cybersecurity 
                purpose; and
                    (B) the Federal Bureau of Investigation to 
                investigate potential criminal activity; and
            (6) ensuring the highest level security operations center 
        of each agency has visibility into all agency logs.
    (c) Guidance.--Not later than 90 days after receiving the 
recommendations submitted under subsection (a), the Director, in 
consultation with the Director of the Cybersecurity and Infrastructure 
Security Agency and the Attorney General, shall promulgate guidance to 
agencies to establish requirements for logging, log retention, log 
management, and sharing of log data with other appropriate agencies.
    (d) Periodic Review.--Not later than 2 years after the date on 
which the Director of the Cybersecurity and Infrastructure Security 
Agency submits the recommendations required under subsection (a), and 
not less frequently than every 2 years thereafter, the Director of the 
Cybersecurity and Infrastructure Security Agency, in consultation with 
the Attorney General, shall evaluate the recommendations and provide an 
update on the recommendations to the Director as necessary.

SEC. 205. CISA AGENCY ADVISORS.

    (a) In General.--Not later than 120 days after the date of 
enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency shall assign not less than 1 
cybersecurity professional employed by the Cybersecurity and 
Infrastructure Security Agency to be the Cybersecurity and 
Infrastructure Security Agency advisor to the Chief Information Officer 
of each agency.
    (b) Qualifications.--Each advisor assigned under subsection (a) 
shall have knowledge of--
            (1) cybersecurity threats facing agencies, including any 
        specific threats to the assigned agency;
            (2) performing risk assessments of agency systems; and
            (3) other Federal cybersecurity initiatives.
    (c) Duties.--The duties of each advisor assigned under subsection 
(a) shall include--
            (1) providing ongoing assistance and advice, as requested, 
        to the agency Chief Information Officer;
            (2) serving as an incident response point of contact 
        between the assigned agency and the Cybersecurity and 
        Infrastructure Security Agency; and
            (3) familiarizing themselves with agency systems, 
        processes, and procedures to better facilitate support to the 
        agency in responding to incidents.
    (d) Limitation.--An advisor assigned under subsection (a) shall not 
be a contractor.
    (e) Multiple Assignments.--One individual advisor may be assigned 
to multiple agency Chief Information Officers under subsection (a).

SEC. 206. FEDERAL PENETRATION TESTING POLICY.

    (a) In General.--Subchapter II of chapter 35 of title 44, United 
States Code, is amended by adding at the end the following:
``Sec. 3559A. Federal penetration testing
    ``(a) Definitions.--In this section:
            ``(1) Agency operational plan.--The term `agency 
        operational plan' means a plan of an agency for the use of 
        penetration testing.
            ``(2) Rules of engagement.--The term `rules of engagement' 
        means a set of rules established by an agency for the use of 
        penetration testing.
    ``(b) Guidance.--
            ``(1) In general.--Not later than 180 days after the date 
        of enactment of this Act, the Director shall issue guidance 
        that--
                    ``(A) requires agencies to use, when and where 
                appropriate, penetration testing on agency systems; and
                    ``(B) requires agencies to develop an agency 
                operational plan and rules of engagement that meet the 
                requirements under subsection (c).
            ``(2) Penetration testing guidance.--The guidance issued 
        under this section shall--
                    ``(A) permit an agency to use, for the purpose of 
                performing penetration testing--
                            ``(i) a shared service of the agency or 
                        another agency; or
                            ``(ii) an external entity, such as a 
                        vendor;
                    ``(B) include templates and frameworks for 
                reporting the results of penetration testing, without 
                regard to the status of the entity that performs the 
                penetration testing; and
                    ``(C) require agencies to provide the rules of 
                engagement and results of penetration testing to the 
                Director and the Director of the Cybersecurity and 
                Infrastructure Security Agency, without regard to the 
                status of the entity that performs the penetration 
                testing.
    ``(c) Agency Plans and Rules of Engagement.--The agency operational 
plan and rules of engagement of an agency shall--
            ``(1) require the agency to perform penetration testing on 
        the high value assets of the agency;
            ``(2) establish guidelines for avoiding, as a result of 
        penetration testing--
                    ``(A) adverse impacts to the operations of the 
                agency;
                    ``(B) adverse impacts to operational networks and 
                systems of the agency; and
                    ``(C) inappropriate access to data;
            ``(3) require the results of penetration testing to include 
        feedback to improve the cybersecurity of the agency; and
            ``(4) include mechanisms for providing consistently 
        formatted, and, if applicable, automated and machine-readable, 
        data to the Director and the Director of the Cybersecurity and 
        Infrastructure Security Agency.
    ``(d) Responsibilities of CISA.--The Director of the Cybersecurity 
and Infrastructure Security Agency shall--
            ``(1) establish a certification process for the performance 
        of penetration testing by both Federal and non-Federal entities 
        that establishes minimum quality controls for penetration 
        testing;
            ``(2) develop operational guidance for instituting 
        penetration testing programs at agencies;
            ``(3) develop and maintain a centralized capability to 
        offer penetration testing as a service to Federal and non-
        Federal entities; and
            ``(4) provide guidance to agencies on the best use of 
        penetration testing resources.
    ``(e) Responsibilities of OMB.--The Director, in coordination with 
the Director of the Cybersecurity and Infrastructure Security Agency, 
shall--
            ``(1) not less frequently than annually, inventory all 
        Federal penetration testing assets; and
            ``(2) develop and maintain a Federal strategy for the use 
        of penetration testing.
    ``(f) Prioritization of Penetration Testing Resources.--
            ``(1) In general.--The Director, in coordination with the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, shall develop a framework for prioritizing Federal 
        penetration testing resources among agencies.
            ``(2) Considerations.--In developing the framework under 
        this subsection, the Director shall consider--
                    ``(A) agency system risk assessments performed 
                under section 3554(a)(1)(A);
                    ``(B) the Federal risk assessment performed under 
                section 3553(i);
                    ``(C) the analysis of Federal incident data 
                performed under section 3597; and
                    ``(D) any other information determined appropriate 
                by the Director or the Director of the Cybersecurity 
                and Infrastructure Security Agency.''.
    (b) Clerical Amendment.--The table of sections for chapter 35 of 
title 44, United States Code, is amended by adding after the item 
relating to section 3559 the following:

``3559A. Federal penetration testing.''.
    (c) Penetration Testing by the Secretary of Homeland Security.--
Section 3553(b) of title 44, United States Code, as amended by section 
1705 of the William M. (Mac) Thornberry National Defense Authorization 
Act for Fiscal Year 2021 (Public Law 116-283) and section 101, is 
further amended--
            (1) in paragraph (8)(B), by striking ``and'' at the end;
            (2) by redesignating paragraph (9) as paragraph (10); and
            (3) by inserting after paragraph (8) the following:
            ``(9) performing penetration testing with or without 
        advance notice to, or authorization from, agencies, to identify 
        vulnerabilities within Federal information systems; and''.

SEC. 207. ONGOING THREAT HUNTING PROGRAM.

    (a) Threat Hunting Program.--
            (1) In general.--Not later than 540 days after the date of 
        enactment of this Act, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall establish a program to 
        provide ongoing, hypothesis-driven threat-hunting services on 
        the network of each agency.
            (2) Plan.--Not later than 180 days after the date of 
        enactment of this Act, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall develop a plan to 
        establish the program required under paragraph (1) that 
        describes how the Director of the Cybersecurity and 
        Infrastructure Security Agency plans to--
                    (A) determine the method for collecting, storing, 
                accessing, and analyzing appropriate agency data;
                    (B) provide on-premises support to agencies;
                    (C) staff threat hunting services;
                    (D) allocate available human and financial 
                resources to implement the plan; and
                    (E) provide input to the heads of agencies on the 
                use of--
                            (i) more stringent standards under section 
                        11331(c)(1) of title 40, United States Code; 
                        and
                            (ii) additional cybersecurity procedures 
                        under section 3554 of title 44, United States 
                        Code.
    (b) Reports.--The Director of the Cybersecurity and Infrastructure 
Security Agency shall submit to the appropriate congressional 
committees--
            (1) not later than 30 days after the date on which the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency completes the plan required under subsection (a)(2), a 
        report on the plan to provide threat hunting services to 
        agencies;
            (2) not less than 30 days before the date on which the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency begins providing threat hunting services under the 
        program, a report providing any updates to the plan developed 
        under subsection (a)(2); and
            (3) not later than 1 year after the date on which the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency begins providing threat hunting services to agencies 
        other than the Cybersecurity and Infrastructure Security 
        Agency, a report describing lessons learned from providing 
        those services.

SEC. 208. CODIFYING VULNERABILITY DISCLOSURE PROGRAMS.

    (a) In General.--Chapter 35 of title 44, United States Code, is 
amended by inserting after section 3559A, as added by section 206 of 
this Act, the following:
``Sec. 3559B. Federal vulnerability disclosure programs
    ``(a) Definitions.--In this section:
            ``(1) Report.--The term `report' means a vulnerability 
        disclosure made to an agency by a reporter.
            ``(2) Reporter.--The term `reporter' means an individual 
        that submits a vulnerability report pursuant to the 
        vulnerability disclosure process of an agency.
    ``(b) Responsibilities of OMB.--
            ``(1) Limitation on legal action.--The Director, in 
        consultation with the Attorney General, shall issue guidance to 
        agencies to not recommend or pursue legal action against a 
        reporter or an individual that conducts a security research 
        activity that the head of the agency determines--
                    ``(A) represents a good faith effort to follow the 
                vulnerability disclosure policy developed under 
                subsection (d)(2) of the agency; and
                    ``(B) is authorized under the vulnerability 
                disclosure policy developed under subsection (d)(2) of 
                the agency.
            ``(2) Sharing information with cisa.--The Director, in 
        coordination with the Director of the Cybersecurity and 
        Infrastructure Security Agency, shall issue guidance to 
        agencies on sharing relevant information in a consistent, 
        automated, and machine readable manner with the Cybersecurity 
        and Infrastructure Security Agency, including--
                    ``(A) any valid or credible reports of newly 
                discovered or not publicly known vulnerabilities 
                (including misconfigurations) on an agency information 
                system that uses commercial software or services;
                    ``(B) information relating to vulnerability 
                disclosure, coordination, or remediation activities of 
                an agency, particularly as those activities relate to 
                outside organizations--
                            ``(i) with which the head of the agency 
                        believes the Director of the Cybersecurity and 
                        Infrastructure Security Agency can assist; or
                            ``(ii) about which the head of the agency 
                        believes the Director of the Cybersecurity and 
                        Infrastructure Security Agency should know; and
                    ``(C) any other information with respect to which 
                the head of the agency determines helpful or necessary 
                to involve the Cybersecurity and Infrastructure 
                Security Agency.
            ``(3) Agency vulnerability disclosure policies.--
                    ``(A) In general.--The Director shall issue 
                guidance to agencies on the required minimum scope of 
                agency systems covered by the vulnerability disclosure 
                policy of an agency required under subsection (d)(2).
                    ``(B) Deadline.--Not later than 2 years after the 
                date of enactment of the Federal Information Security 
                Modernization Act of 2021, the Director shall update 
                the guidance issued under subparagraph (A) to require 
                that every agency system that is connected to the 
                internet is covered by the vulnerability disclosure 
                policy of the agency.
    ``(c) Responsibilities of CISA.--The Director of the Cybersecurity 
and Infrastructure Security Agency shall--
            ``(1) provide support to agencies with respect to the 
        implementation of the requirements of this section;
            ``(2) develop tools, processes, and other mechanisms 
        determined appropriate to offer agencies capabilities to 
        implement the requirements of this section; and
            ``(3) upon a request by an agency, assist the agency in the 
        disclosure to vendors of newly identified vulnerabilities in 
        vendor products and services.
    ``(d) Responsibilities of Agencies.--
            ``(1) Public information.--The head of each agency shall 
        make publicly available, with respect to each internet domain 
        under the control of the agency that is not a national security 
        system--
                    ``(A) an appropriate security contact; and
                    ``(B) the component of the agency that is 
                responsible for the internet accessible services 
                offered at the domain.
            ``(2) Vulnerability disclosure policy.--The head of each 
        agency shall develop and make publicly available a 
        vulnerability disclosure policy for the agency, which shall--
                    ``(A) describe--
                            ``(i) the scope of the systems of the 
                        agency included in the vulnerability disclosure 
                        policy;
                            ``(ii) the type of information system 
                        testing that is authorized by the agency;
                            ``(iii) the type of information system 
                        testing that is not authorized by the agency; 
                        and
                            ``(iv) the disclosure policy of the agency 
                        for sensitive information;
                    ``(B) include a provision that authorizes the 
                anonymous submission of a vulnerability by a reporter;
                    ``(C) with respect to a report to an agency, 
                describe--
                            ``(i) how the reporter should submit the 
                        report; and
                            ``(ii) if the report is not anonymous under 
                        subparagraph (B), when the reporter should 
                        anticipate an acknowledgment of receipt of the 
                        report by the agency; and
                    ``(D) include any other relevant information.
            ``(3) Identified vulnerabilities.--The head of each agency 
        shall incorporate any vulnerabilities reported under paragraph 
        (2) into the vulnerability management process of the agency in 
        order to track and remediate the vulnerability.
    ``(e) Paperwork Reduction Act Exemption.--The requirements of 
subchapter I (commonly known as the `Paperwork Reduction Act') shall 
not apply to a vulnerability disclosure program established under this 
section.
    ``(f) Congressional Reporting.--Not later than 90 days after the 
date of enactment of the Federal Information Security Modernization Act 
of 2021, and annually thereafter for a 3-year period, the Director 
shall provide to the Committee on Homeland Security and Governmental 
Affairs of the Senate and the Committee on Oversight and Reform of the 
House of Representatives a briefing on the status of the use of 
vulnerability disclosure policies under this section at agencies, 
including, with respect to the guidance issued under subsection (b)(3), 
an identification of the agencies that are compliant and not 
compliant.''.
    (b) Clerical Amendment.--The table of sections for chapter 35 of 
title 44, United States Code, is amended by adding after the item 
relating to section 3559A the following:

``3559B. Federal vulnerability disclosure programs.''.

SEC. 209. IMPLEMENTING PRESUMPTION OF COMPROMISE AND ZERO TRUST 
              ARCHITECTURES.

    (a) Recommendations.--Not later than 60 days after the date of 
enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency, in consultation with the Director of 
the National Institute of Standards and Technology, shall develop 
recommendations to increase the internal defenses of agency systems 
to--
            (1) limit the ability of entities that cause incidents to 
        move laterally through or between agency systems;
            (2) identify incidents more quickly;
            (3) isolate and remove unauthorized entities from agency 
        systems more quickly;
            (4) implement zero trust architecture; and
            (5) otherwise increase the resource costs for entities that 
        cause incidents.
    (b) OMB Guidance.--Not later than 180 days after the date on which 
the recommendations under subsection (a) are completed, the Director 
shall issue guidance to agencies that requires the implementation of 
the recommendations.
    (c) Agency Implementation Plans.--Not later than 60 days after the 
date on which the Director issues guidance under subsection (b), the 
head of each agency shall submit to the Director a plan to implement 
zero trust architecture that includes--
            (1) a description of any steps the agency has completed;
            (2) an identification of activities that will have the most 
        immediate security impact; and
            (3) a schedule to implement the plan.
    (d) Report and Briefing.--Not later than 90 days after the date on 
which the Director issues guidance required under subsection (b), the 
Director shall provide a briefing to the appropriate congressional 
committees on the guidance and the agency implementation plans 
submitted under subsection (c).

SEC. 210. AUTOMATION REPORTS.

    (a) OMB Report.--Not later than 180 days after the date of 
enactment of this Act, the Director shall submit to the appropriate 
congressional committees a report on the use of automation under 
paragraphs (1), (5)(C) and (7)(B) of section 3554(b) of title 44, 
United States Code.
    (b) GAO Report.--Not later than 1 year after the date of enactment 
of this Act, the Comptroller General of the United States shall perform 
a study on the use of automation and machine readable data across the 
Federal Government for cybersecurity purposes, including the automated 
updating of cybersecurity tools, sensors, or processes by agencies.

SEC. 211. EXTENSION OF FEDERAL ACQUISITION SECURITY COUNCIL.

    Section 1328 of title 41, United States Code, is amended by 
striking ``the date'' and all that follows and inserting ``December 31, 
2026.''.

       TITLE III--PILOT PROGRAMS TO ENHANCE FEDERAL CYBERSECURITY

SEC. 301. CONTINUOUS INDEPENDENT FISMA EVALUATION PILOT.

    (a) In General.--Not later than 2 years after the date of enactment 
of this Act, the Director, in coordination with the Director of the 
Cybersecurity and Infrastructure Security Agency, shall establish a 
pilot program to perform continual agency auditing of the standards 
promulgated under section 11331 of title 40, United States Code.
    (b) Purpose.--
            (1) In general.--The purpose of the pilot program 
        established under subsection (a) shall be to develop the 
        capability to continuously audit agency cybersecurity postures, 
        rather than performing an annual audit.
            (2) Use of information.--It is the sense of Congress that 
        information relating to agency cybersecurity postures should be 
        used, on an ongoing basis, to increase agency understanding of 
        cybersecurity risk and improve agency cybersecurity.
    (c) Participating Agencies.--
            (1) In general.--The Director, in coordination with the 
        Council of the Inspectors General on Integrity and Efficiency 
        and in consultation with the Director of the Cybersecurity and 
        Infrastructure Security Agency, shall identify not less than 1 
        agency and the Inspector General of each identified agency to 
        participate in the pilot program established under subsection 
        (a).
            (2) Capabilities of agency.--An agency selected under 
        paragraph (1) shall have advanced cybersecurity capabilities, 
        including the capability to implement verification 
        specifications and other automated and machine-readable means 
        of sharing information.
            (3) Capabilities of inspector general.--The Inspector 
        General of an agency selected under paragraph (1) shall have 
        advanced cybersecurity capabilities, including the ability--
                    (A) to perform real-time or almost real-time and 
                continuous analysis of the use of verification 
                specifications by the agency to assess compliance with 
                standards promulgated under section 11331 of title 40, 
                United States Code; and
                    (B) to assess the impact and deployment of 
                additional cybersecurity procedures.
    (d) Duties.--The Director, in coordination with the Council of the 
Inspectors General on Integrity and Efficiency, the Director of the 
Cybersecurity and Infrastructure Security Agency, and the head of each 
agency participating in the pilot program under subsection (c), shall 
develop processes and procedures to perform a continuous independent 
evaluation of--
            (1) the compliance of the agency with--
                    (A) the standards promulgated under section 11331 
                of title 40, United States Code, using verification 
                specifications to the greatest extent practicable; and
                    (B) any additional cybersecurity procedures 
                implemented by the agency as a result of the evaluation 
                performed under section 3554(a)(1)(F) of title 44, 
                United States Code; and
            (2) the overall cybersecurity posture of the agency, which 
        may include an evaluation of--
                    (A) the status of cybersecurity remedial actions of 
                the agency;
                    (B) any vulnerability information relating to 
                agency systems that is known to the agency;
                    (C) incident information of the agency;
                    (D) penetration testing performed by an external 
                entity under section 3559A of title 44, United States 
                Code;
                    (E) information from the vulnerability disclosure 
                program established under section 3559B of title 44, 
                United States Code;
                    (F) agency threat hunting results; and
                    (G) any other information determined relevant by 
                the Director.
    (e) Independent Evaluation Waiver.--With respect to an agency that 
participates in the pilot program under subsection (a) during any year 
other than the first year during which the pilot program is conducted, 
the Director, with the concurrence of the Director of the Cybersecurity 
and Infrastructure Security Agency, may waive any requirement of the 
agency with respect to the annual independent evaluation under section 
3555 of title 44, United States Code.
    (f) Duration.--The pilot program established under this section--
            (1) shall be performed over a period of not less than 2 
        years at each agency that participates in the pilot program 
        under subsection (c), unless the Director, in consultation with 
        the Director of the Cybersecurity and Infrastructure Security 
        Agency and the Council of the Inspectors General on Integrity 
        and Efficiency, determines that continuing the pilot program 
        would reduce the cybersecurity of the agency; and
            (2) may be extended by the Director, in consultation with 
        the Director of the Cybersecurity and Infrastructure Security 
        Agency and the Council of the Inspectors General on Integrity 
        and Efficiency, if the Director makes the determination 
        described in paragraph (1).
    (g) Reports.--
            (1) Pilot program plan.--Before identifying any agencies to 
        participate in the pilot program under subsection (c), the 
        Director, in coordination with the Director of the 
        Cybersecurity and Infrastructure Security Agency and the 
        Council of the Inspectors General on Integrity and Efficiency, 
        shall submit to the appropriate congressional committees a plan 
        for the pilot program that outlines selection criteria and 
        preliminary plans to implement the pilot program.
            (2) Briefing.--Before commencing a continuous independent 
        evaluation of any agency under the pilot program established 
        under subsection (a), the Director shall provide to the 
        appropriate congressional committees a briefing on--
                    (A) the selection of agencies to participate in the 
                pilot program; and
                    (B) processes and procedures to perform a 
                continuous independent evaluation of agencies.
            (3) Pilot results.--Not later than 60 days after the final 
        day of each year during which an agency participates in the 
        pilot program established under subsection (a), the Director, 
        in coordination with the Director of the Cybersecurity and 
        Infrastructure Security Agency and the Council of the 
        Inspectors General on Integrity and Efficiency, shall submit to 
        the appropriate congressional committees a report on the 
        results of the pilot program for each agency that participates 
        in the pilot program during that year.

SEC. 302. ACTIVE CYBER DEFENSIVE PILOT.

    (a) Definition.--In this section, the term ``active defense 
technique''--
            (1) means an action taken on the systems of an entity to 
        increase the security of information on the network of an 
        agency by misleading an adversary; and
            (2) includes a honeypot, deception, or purposefully feeding 
        false or misleading data to an adversary when the adversary is 
        on the systems of the entity.
    (b) Study.--Not later than 180 days after the date of enactment of 
this Act, the Director of the Cybersecurity and Infrastructure Security 
Agency shall perform a study on the use of active defense techniques to 
enhance the security of agencies, which shall include--
            (1) a review of legal restrictions on the use of different 
        active cyber defense techniques on Federal networks;
            (2) an evaluation of--
                    (A) the efficacy of a selection of active defense 
                techniques determined by the Director of the 
                Cybersecurity and Infrastructure Security Agency; and
                    (B) factors that impact the efficacy of the active 
                defense techniques evaluated under subparagraph (A); 
                and
            (3) the development of a framework for the use of different 
        active defense techniques by agencies.
    (c) Pilot Program.--Not later than 180 days after the date of 
enactment of this Act, the Director, in coordination with the Director 
of the Cybersecurity and Infrastructure Security Agency, shall 
establish a pilot program at not less than 2 agencies to implement, and 
assess the effectiveness of, not less than 1 active cyber defense 
technique.
    (d) Purpose.--The purpose of the pilot program established under 
subsection (c) shall be to--
            (1) identify any statutory or policy limitations on using 
        active defense techniques;
            (2) understand the efficacy of using active defense 
        techniques; and
            (3) implement the use of effective techniques to improve 
        agency systems.
    (e) Plan.--Not later than 360 days after the date of enactment of 
this Act, the Director of the Cybersecurity and Infrastructure Security 
Agency, in coordination with the Director, shall develop a plan to 
offer any active defense technique determined to be successful during 
the pilot program established under subsection (c) as a shared service 
to other agencies.
    (f) Reports.--Not later than 1 year after the date of enactment of 
this Act, the Director of the Cybersecurity and Infrastructure Security 
Agency shall--
            (1) provide to the appropriate congressional committees a 
        briefing on--
                    (A) the results of the study performed under 
                subsection (b); and
                    (B) the agencies selected to participate in the 
                pilot program established under subsection (c);
            (2) submit to the appropriate congressional committees a 
        report on the results of the pilot program established under 
        subsection (c), including any recommendations developed from 
        the results of the pilot program; and
            (3) submit to the appropriate congressional committees a 
        copy of the plan developed under subsection (e).
    (g) Sunset.--
            (1) In general.--The requirements of this section shall 
        terminate on the date that is 3 years after the date of 
        enactment of this Act.
            (2) Authority to continue use of techniques.--
        Notwithstanding paragraph (1), after the date described in 
        paragraph (1), the Director of the Cybersecurity and 
        Infrastructure Security Agency may continue to offer any active 
        defense technique determined to be successful during the pilot 
        program established under subsection (c) as a shared service to 
        agencies.

SEC. 303. SECURITY OPERATIONS CENTER AS A SERVICE PILOT.

    (a) Purpose.--The purpose of this section is for the Cybersecurity 
and Infrastructure Security Agency to run a security operations center 
on behalf of another agency, alleviating the need to duplicate this 
function at every agency, and empowering a greater centralized 
cybersecurity capability.
    (b) Plan.--Not later than 1 year after the date of enactment of 
this Act, the Director of the Cybersecurity and Infrastructure Security 
Agency shall develop a plan to establish a centralized Federal security 
operations center shared service offering within the Cybersecurity and 
Infrastructure Security Agency.
    (c) Contents.--The plan required under subsection (b) shall include 
considerations for--
            (1) collecting, organizing, and analyzing agency 
        information system data in real time;
            (2) staffing and resources; and
            (3) appropriate interagency agreements, concepts of 
        operations, and governance plans.
    (d) Pilot Program.--
            (1) In general.--Not later than 180 days after the date on 
        which the plan required under subsection (b) is developed, the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, in consultation with the Director, shall enter into a 
        1-year agreement with not less than 2 agencies to offer a 
        security operations center as a shared service.
            (2) Additional agreements.--After the date on which the 
        briefing required under subsection (e)(1) is provided, the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, in consultation with the Director, may enter into 
        additional 1-year agreements described in paragraph (1) with 
        agencies.
    (e) Briefing and Report.--
            (1) Briefing.--Not later than 260 days after the date of 
        enactment of this Act, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall provide to the Committee 
        on Homeland Security and Governmental Affairs of the Senate and 
        the Committee on Homeland Security and the Committee on 
        Oversight and Reform of the House of Representatives a briefing 
        on the parameters of any 1-year agreements entered into under 
        subsection (d)(1).
            (2) Report.--Not later than 90 days after the date on which 
        the first 1-year agreement entered into under subsection (d) 
        expires, the Director of the Cybersecurity and Infrastructure 
        Security Agency shall submit to the Committee on Homeland 
        Security and Governmental Affairs of the Senate and the 
        Committee on Homeland Security and the Committee on Oversight 
        and Reform of the House of Representatives a report on--
                    (A) the agreement; and
                    (B) any additional agreements entered into with 
                agencies under subsection (d).