[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 2902 Reported in Senate (RS)]

<DOC>

                                                       Calendar No. 673
117th CONGRESS
  2d Session
                                S. 2902

                          [Report No. 117-274]

  To modernize Federal information security management, and for other 
                               purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           September 29, 2021

 Mr. Peters (for himself, Mr. Portman, and Mr. Carper) introduced the 
 following bill; which was read twice and referred to the Committee on 
               Homeland Security and Governmental Affairs

                           December 19, 2022

               Reported by Mr. Peters, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
  To modernize Federal information security management, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Federal Information 
Security Modernization Act of 2021''.</DELETED>

<DELETED>SEC. 2. TABLE OF CONTENTS.</DELETED>

<DELETED>    The table of contents for this Act is as 
follows:</DELETED>

<DELETED>Sec. 1. Short title.
<DELETED>Sec. 2. Table of contents.
<DELETED>Sec. 3. Definitions.
                   <DELETED>TITLE I--UPDATES TO FISMA

<DELETED>Sec. 101. Title 44 amendments.
<DELETED>Sec. 102. Amendments to subtitle III of title 40.
<DELETED>Sec. 103. Actions to enhance Federal incident response.
<DELETED>Sec. 104. Additional guidance to agencies on FISMA updates.
<DELETED>Sec. 105. Agency requirements to notify entities impacted by 
                            incidents.
           <DELETED>TITLE II--IMPROVING FEDERAL CYBERSECURITY

<DELETED>Sec. 201. Evaluation of effectiveness of standards.
<DELETED>Sec. 202. Mobile security standards.
<DELETED>Sec. 203. Quantitative cybersecurity metrics.
<DELETED>Sec. 204. Data and logging retention for incident response.
<DELETED>Sec. 205. CISA agency advisors.
<DELETED>Sec. 206. Federal penetration testing policy.
<DELETED>Sec. 207. Ongoing threat hunting program.
<DELETED>Sec. 208. Codifying vulnerability disclosure programs.
<DELETED>Sec. 209. Implementing presumption of compromise and zero 
                            trust architectures.
<DELETED>Sec. 210. Automation reports.
<DELETED>Sec. 211. Extension of Federal Acquisition Security Council.
  <DELETED>TITLE III--PILOT PROGRAMS TO ENHANCE FEDERAL CYBERSECURITY

<DELETED>Sec. 301. Continuous independent FISMA evaluation pilot.
<DELETED>Sec. 302. Active cyber defensive pilot.
<DELETED>Sec. 303. Security operations center as a service pilot.

<DELETED>SEC. 3. DEFINITIONS.</DELETED>

<DELETED>    In this Act, unless otherwise specified:</DELETED>
        <DELETED>    (1) Additional cybersecurity procedure.--The term 
        ``additional cybersecurity procedure'' has the meaning given 
        the term in section 3552(b) of title 44, United States Code, as 
        amended by this Act.</DELETED>
        <DELETED>    (2) Agency.--The term ``agency'' has the meaning 
        given the term in section 3502 of title 44, United States 
        Code.</DELETED>
        <DELETED>    (3) Appropriate congressional committees.--The 
        term ``appropriate congressional committees'' means--</DELETED>
                <DELETED>    (A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;</DELETED>
                <DELETED>    (B) the Committee on Oversight and Reform 
                of the House of Representatives; and</DELETED>
                <DELETED>    (C) the Committee on Homeland Security of 
                the House of Representatives.</DELETED>
        <DELETED>    (4) Director.--The term ``Director'' means the 
        Director of the Office of Management and Budget.</DELETED>
        <DELETED>    (5) Incident.--The term ``incident'' has the 
        meaning given the term in section 3552(b) of title 44, United 
        States Code.</DELETED>
        <DELETED>    (6) Penetration test.--The term ``penetration 
        test'' has the meaning given the term in section 3552(b) of 
        title 44, United States Code, as amended by this Act.</DELETED>
        <DELETED>    (7) Threat hunting.--The term ``threat hunting'' 
        means proactively and iteratively searching for threats to 
        systems that evade detection by automated threat detection 
        systems.</DELETED>
        <DELETED>    (8) Verification specification.--The term 
        ``verification specification'' means a specification developed 
        under section 11331(f) of title 40, United States Code, as 
        amended by this Act.</DELETED>

              <DELETED>TITLE I--UPDATES TO FISMA</DELETED>

<DELETED>SEC. 101. TITLE 44 AMENDMENTS.</DELETED>

<DELETED>    (a) Subchapter I Amendments.--Subchapter I of chapter 35 
of title 44, United States Code, is amended--</DELETED>
        <DELETED>    (1) in section 3504--</DELETED>
                <DELETED>    (A) in subsection (a)(1)(B)(v), by 
                striking ``confidentiality, security, disclosure, and 
                sharing of information'' and inserting ``disclosure, 
                sharing of information, and, in consultation with the 
                Director of the Cybersecurity and Infrastructure 
                Security Agency, confidentiality and 
                security'';</DELETED>
                <DELETED>    (B) in subsection (b)(2)(B), by inserting 
                ``in coordination with the Director of the 
                Cybersecurity and Infrastructure Security Agency'' 
                after ``standards for security'';</DELETED>
                <DELETED>    (C) in subsection (g), by striking 
                paragraph (1) and inserting the following:</DELETED>
        <DELETED>    ``(1) with respect to information collected or 
        maintained by or for agencies--</DELETED>
                <DELETED>    ``(A) develop and oversee the 
                implementation of policies, principles, standards, and 
                guidelines on privacy, disclosure, and sharing of the 
                information; and</DELETED>
                <DELETED>    ``(B) in consultation with the Director of 
                the Cybersecurity and Infrastructure Security Agency, 
                develop and oversee policies, principles, standards, 
                and guidelines on confidentiality and security of the 
                information; and''; and</DELETED>
                <DELETED>    (D) in subsection (h)(1)--</DELETED>
                        <DELETED>    (i) in the matter preceding 
                        subparagraph (A)--</DELETED>
                                <DELETED>    (I) by inserting ``the 
                                Director of the Cybersecurity and 
                                Infrastructure Security Agency,'' 
                                before ``the Director''; and</DELETED>
                                <DELETED>    (II) by inserting a comma 
                                before ``and the Administrator''; 
                                and</DELETED>
                        <DELETED>    (ii) in subparagraph (A), by 
                        inserting ``security and'' after ``information 
                        technology'';</DELETED>
        <DELETED>    (2) in section 3505--</DELETED>
                <DELETED>    (A) in paragraph (3) of the first 
                subsection designated as subsection (c)--</DELETED>
                        <DELETED>    (i) in subparagraph (B)--</DELETED>
                                <DELETED>    (I) by inserting ``and the 
                                Director of the Cybersecurity and 
                                Infrastructure Security Agency'' after 
                                ``Comptroller General''; and</DELETED>
                                <DELETED>    (II) by striking ``and'' 
                                at the end;</DELETED>
                        <DELETED>    (ii) in subparagraph (C)(v), by 
                        striking the period at the end and inserting 
                        ``; and''; and</DELETED>
                        <DELETED>    (iii) by adding at the end the 
                        following:</DELETED>
        <DELETED>    ``(D) maintained on a continual basis through the 
        use of automation, machine-readable data, and scanning.''; 
        and</DELETED>
                <DELETED>    (B) by striking the second subsection 
                designated as subsection (c);</DELETED>
        <DELETED>    (3) in section 3506--</DELETED>
                <DELETED>    (A) in subsection (b)--</DELETED>
                        <DELETED>    (i) in paragraph (1)(C), by 
                        inserting ``, availability'' after 
                        ``integrity''; and</DELETED>
                        <DELETED>    (ii) in paragraph (4), by 
                        inserting ``the Director of the Cybersecurity 
                        and Infrastructure Security Agency,'' after 
                        ``General Services,''; and</DELETED>
                <DELETED>    (B) in subsection (h)(3), by inserting 
                ``security,'' after ``efficiency,'';</DELETED>
        <DELETED>    (4) in section 3513--</DELETED>
                <DELETED>    (A) in subsection (a), by inserting ``the 
                Director of the Cybersecurity and Infrastructure 
                Security Agency,'' before ``the Administrator of 
                General Services'';</DELETED>
                <DELETED>    (B) by redesignating subsection (c) as 
                subsection (d); and</DELETED>
                <DELETED>    (C) by inserting after subsection (b) the 
                following:</DELETED>
<DELETED>    ``(c) Each agency providing a written plan under 
subsection (b) shall provide any portion of the written plan addressing 
information security or cybersecurity to the Director of the 
Cybersecurity and Infrastructure Security Agency.''; and</DELETED>
        <DELETED>    (5) in section 3520A(b)--</DELETED>
                <DELETED>    (A) in paragraph (1), by striking ``, 
                protection'';</DELETED>
                <DELETED>    (B) by redesignating paragraphs (2), (3), 
                (4), and (5) as paragraphs (3), (4), (5), and (6), 
                respectively; and</DELETED>
                <DELETED>    (C) by inserting after paragraph (1) the 
                following:</DELETED>
        <DELETED>    ``(2) in consultation with the Director of the 
        Cybersecurity and Infrastructure Security Agency, establish 
        Governmentwide best practices for the protection of 
        data;''.</DELETED>
<DELETED>    (b) Subchapter II Definitions.--</DELETED>
        <DELETED>    (1) In general.--Section 3552(b) of title 44, 
        United States Code, is amended--</DELETED>
                <DELETED>    (A) by redesignating paragraphs (1), (2), 
                (3), (4), (5), (6), and (7) as paragraphs (2), (3), 
                (4), (5), (6), (9), and (11), respectively;</DELETED>
                <DELETED>    (B) by inserting before paragraph (2), as 
                so redesignated, the following:</DELETED>
        <DELETED>    ``(1) The term `additional cybersecurity 
        procedure' means a process, procedure, or other activity that 
        is established in excess of the information security standards 
        promulgated under section 11331(b) of title 40 to increase the 
        security and reduce the cybersecurity risk of agency systems, 
        such as continuous threat hunting, increased network 
        segmentation, endpoint detection and response, or persistent 
        penetration testing.'';</DELETED>
                <DELETED>    (C) by inserting after paragraph (6), as 
                so redesignated, the following:</DELETED>
        <DELETED>    ``(7) The term `high value asset' means 
        information or an information system that the head of an agency 
        determines so critical to the agency that the loss or 
        corruption of the information or the loss of access to the 
        information system would have a serious impact on the ability 
        of the agency to perform the mission of the agency or conduct 
        business.</DELETED>
        <DELETED>    ``(8) The term `major incident' has the meaning 
        given the term in guidance issued by the Director under section 
        3598(a).'';</DELETED>
                <DELETED>    (D) by inserting after paragraph (9), as 
                so redesignated, the following:</DELETED>
        <DELETED>    ``(10) The term `penetration test' means a 
        specialized type of assessment that--</DELETED>
                <DELETED>    ``(A) is conducted on an information 
                system or a component of an information system; 
                and</DELETED>
                <DELETED>    ``(B) emulates an attack or other 
                exploitation capability of a potential adversary, 
                typically under specific constraints, in order to 
                identify any vulnerabilities of an information system 
                or a component of an information system that could be 
                exploited.''; and</DELETED>
                <DELETED>    (E) by inserting after paragraph (11), as 
                so redesignated, the following:</DELETED>
        <DELETED>    ``(12) The term `shared service' means a business 
        or mission function that is provided for use by multiple 
        organizations within or between agencies.</DELETED>
        <DELETED>    ``(13) The term `verification specification' means 
        a specification developed under section 11331(f) of title 
        40.''.</DELETED>
        <DELETED>    (2) Conforming amendments.--</DELETED>
                <DELETED>    (A) Homeland security act of 2002.--
                Section 1001(c)(1)(A) of the Homeland Security Act of 
                2002 (6 U.S.C. 511(1)(A)) is amended by striking 
                ``section 3552(b)(5)'' and inserting ``section 
                3552(b)''.</DELETED>
                <DELETED>    (B) Title 10.--</DELETED>
                        <DELETED>    (i) Section 2222.--Section 
                        2222(i)(8) of title 10, United States Code, is 
                        amended by striking ``section 3552(b)(6)(A)'' 
                        and inserting ``section 
                        3552(b)(9)(A)''.</DELETED>
                        <DELETED>    (ii) Section 2223.--Section 
                        2223(c)(3) of title 10, United States Code, is 
                        amended by striking ``section 3552(b)(6)'' and 
                        inserting ``section 3552(b)''.</DELETED>
                        <DELETED>    (iii) Section 2315.--Section 2315 
                        of title 10, United States Code, is amended by 
                        striking ``section 3552(b)(6)'' and inserting 
                        ``section 3552(b)''.</DELETED>
                        <DELETED>    (iv) Section 2339a.--Section 
                        2339a(e)(5) of title 10, United States Code, is 
                        amended by striking ``section 3552(b)(6)'' and 
                        inserting ``section 3552(b)''.</DELETED>
                <DELETED>    (C) High-performance computing act of 
                1991.--Section 207(a) of the High-Performance Computing 
                Act of 1991 (15 U.S.C. 5527(a)) is amended by striking 
                ``section 3552(b)(6)(A)(i)'' and inserting ``section 
                3552(b)(9)(A)(i)''.</DELETED>
                <DELETED>    (D) Internet of things cybersecurity 
                improvement act of 2020.--Section 3(5) of the Internet 
                of Things Cybersecurity Improvement Act of 2020 (15 
                U.S.C. 278g-3a) is amended by striking ``section 
                3552(b)(6)'' and inserting ``section 
                3552(b)''.</DELETED>
                <DELETED>    (E) National defense authorization act for 
                fiscal year 2013.--Section 933(e)(1)(B) of the National 
                Defense Authorization Act for Fiscal Year 2013 (10 
                U.S.C. 2224 note) is amended by striking ``section 
                3542(b)(2)'' and inserting ``section 
                3552(b)''.</DELETED>
                <DELETED>    (F) Ike skelton national defense 
                authorization act for fiscal year 2011.--The Ike 
                Skelton National Defense Authorization Act for Fiscal 
                Year 2011 (Public Law 111-383) is amended--</DELETED>
                        <DELETED>    (i) in section 806(e)(5) (10 
                        U.S.C. 2304 note), by striking ``section 
                        3542(b)'' and inserting ``section 
                        3552(b)'';</DELETED>
                        <DELETED>    (ii) in section 931(b)(3) (10 
                        U.S.C. 2223 note), by striking ``section 
                        3542(b)(2)'' and inserting ``section 3552(b)''; 
                        and</DELETED>
                        <DELETED>    (iii) in section 932(b)(2) (10 
                        U.S.C. 2224 note), by striking ``section 
                        3542(b)(2)'' and inserting ``section 
                        3552(b)''.</DELETED>
                <DELETED>    (G) E-government act of 2002.--Section 
                301(c)(1)(A) of the E-Government Act of 2002 (44 U.S.C. 
                3501 note) is amended by striking ``section 
                3542(b)(2)'' and inserting ``section 
                3552(b)''.</DELETED>
                <DELETED>    (H) National institute of standards and 
                technology act.--Section 20 of the National Institute 
                of Standards and Technology Act (15 U.S.C. 278g-3) is 
                amended--</DELETED>
                        <DELETED>    (i) in subsection (a)(2), by 
                        striking ``section 3552(b)(5)'' and inserting 
                        ``section 3552(b)''; and</DELETED>
                        <DELETED>    (ii) in subsection (f)--</DELETED>
                                <DELETED>    (I) in paragraph (3), by 
                                striking ``section 3532(1)'' and 
                                inserting ``section 3552(b)''; 
                                and</DELETED>
                                <DELETED>    (II) in paragraph (5), by 
                                striking ``section 3532(b)(2)'' and 
                                inserting ``section 
                                3552(b)''.</DELETED>
<DELETED>    (c) Subchapter II Amendments.--Subchapter II of chapter 35 
of title 44, United States Code, is amended--</DELETED>
        <DELETED>    (1) in section 3551--</DELETED>
                <DELETED>    (A) by redesignating paragraphs (3), (4), 
                (5), and (6) as paragraphs (4), (5), (6), and (7), 
                respectively;</DELETED>
                <DELETED>    (B) by inserting after paragraph (2) the 
                following:</DELETED>
        <DELETED>    ``(3) recognize the role of the Cybersecurity and 
        Infrastructure Security Agency as the lead cybersecurity entity 
        for operational coordination across the Federal 
        Government;'';</DELETED>
                <DELETED>    (C) in paragraph (5), as so redesignated, 
                by striking ``diagnose and improve'' and inserting 
                ``integrate, deliver, diagnose, and 
                improve'';</DELETED>
                <DELETED>    (D) in paragraph (6), as so redesignated, 
                by striking ``and'' at the end; and</DELETED>
                <DELETED>    (E) by adding at the end the 
                following:</DELETED>
        <DELETED>    ``(8) recognize that each agency has specific 
        mission requirements and, at times, unique cybersecurity 
        requirements to meet the mission of the agency;</DELETED>
        <DELETED>    ``(9) recognize that each agency does not have the 
        same resources to secure agency systems, and an agency should 
        not be expected to have the capability to secure the systems of 
        the agency from advanced adversaries alone; and</DELETED>
        <DELETED>    ``(10) recognize that--</DELETED>
                <DELETED>    ``(A) a holistic Federal cybersecurity 
                model is necessary to account for differences between 
                the missions and capabilities of agencies; 
                and</DELETED>
                <DELETED>    ``(B) in accounting for the differences 
                described in subparagraph (A) and ensuring overall 
                Federal cybersecurity--</DELETED>
                        <DELETED>    ``(i) the Office of Management and 
                        Budget is the leader for policy development and 
                        oversight of Federal cybersecurity;</DELETED>
                        <DELETED>    ``(ii) the Cybersecurity and 
                        Infrastructure Security Agency is the leader 
                        for implementing operations at agencies; 
                        and</DELETED>
                        <DELETED>    ``(iii) the National Cyber 
                        Director is responsible for developing the 
                        overall cybersecurity strategy of the United 
                        States and advising the President on matters 
                        relating to cybersecurity.'';</DELETED>
        <DELETED>    (2) in section 3553, as amended by section 1705 of 
        the William M. (Mac) Thornberry National Defense Authorization 
        Act for Fiscal Year 2021 (Public Law 116-283)--</DELETED>
                <DELETED>    (A) in subsection (a)--</DELETED>
                        <DELETED>    (i) in paragraph (1)--</DELETED>
                                <DELETED>    (I) by striking 
                                ``developing and'' and inserting ``in 
                                coordination with the Director of the 
                                Cybersecurity and Infrastructure 
                                Security Agency,''; and</DELETED>
                                <DELETED>    (II) by inserting ``and 
                                associated verification 
                                specifications'' before 
                                ``promulgated''; and</DELETED>
                        <DELETED>    (ii) in paragraph (5), by 
                        inserting ``, in coordination with the Director 
                        of the Cybersecurity and Infrastructure 
                        Security Agency,'' before ``agency 
                        compliance'';</DELETED>
                <DELETED>    (B) in subsection (b)--</DELETED>
                        <DELETED>    (i) by striking the subsection 
                        heading and inserting ``Cybersecurity and 
                        Infrastructure Security Agency'';</DELETED>
                        <DELETED>    (ii) in the matter preceding 
                        paragraph (1), by striking ``the Secretary'' 
                        and inserting ``the Director of the 
                        Cybersecurity and Infrastructure Security 
                        Agency'';</DELETED>
                        <DELETED>    (iii) in paragraph (2)--</DELETED>
                                <DELETED>    (I) in subparagraph (A), 
                                by inserting ``and reporting 
                                requirements under subchapter IV of 
                                this title'' after ``section 3556''; 
                                and</DELETED>
                                <DELETED>    (II) in subparagraph (D), 
                                by striking ``the Director or 
                                Secretary'' and inserting ``the 
                                Director of the Cybersecurity and 
                                Infrastructure Security 
                                Agency'';</DELETED>
                        <DELETED>    (iv) in paragraph (5), by striking 
                        ``coordinating'' and inserting ``leading the 
                        coordination of'';</DELETED>
                        <DELETED>    (v) in paragraph (6)--</DELETED>
                                <DELETED>    (I) in the matter 
                                preceding subparagraph (A), by 
                                inserting ``and verifications 
                                specifications'' before ``promulgated 
                                under'';</DELETED>
                                <DELETED>    (II) in subparagraph (C), 
                                by striking ``and'' at the 
                                end;</DELETED>
                                <DELETED>    (III) in subparagraph (D), 
                                by adding ``and'' at the end; 
                                and</DELETED>
                                <DELETED>    (IV) by adding at the end 
                                the following:</DELETED>
                <DELETED>    ``(E) taking any other action that the 
                Director of the Cybersecurity and Infrastructure 
                Security Agency, in consultation with the Director--</DELETED>
                        <DELETED>    ``(i) may determine necessary; 
                        and</DELETED>
                        <DELETED>    ``(ii) is authorized to 
                        perform;'';</DELETED>
                        <DELETED>    (vi) in paragraph (8), by striking 
                        ``the Secretary's discretion'' and inserting 
                        ``the Director of the Cybersecurity and 
                        Infrastructure Security Agency's discretion''; 
                        and</DELETED>
                        <DELETED>    (vii) in paragraph (9), by 
                        striking ``as the Director or the Secretary, in 
                        consultation with the Director,'' and inserting 
                        ``as the Director of the Cybersecurity and 
                        Infrastructure Security Agency'';</DELETED>
                <DELETED>    (C) in subsection (c)--</DELETED>
                        <DELETED>    (i) in paragraph (4), by striking 
                        ``and'' at the end;</DELETED>
                        <DELETED>    (ii) by redesignating paragraph 
                        (5) as paragraph (7); and</DELETED>
                        <DELETED>    (iii) by inserting after paragraph 
                        (4) the following:</DELETED>
        <DELETED>    ``(5) an assessment of agency use of automated 
        verification of standards for the standards promulgated under 
        section 11331 of title 40 using verification 
        specifications;</DELETED>
        <DELETED>    ``(6) a summary of each assessment of Federal risk 
        posture performed under subsection (i); and'';</DELETED>
                <DELETED>    (D) in subsection (f)(2)(B), by striking 
                ``conflict with'' and inserting ``reduce the security 
                posture of agencies established under'';</DELETED>
                <DELETED>    (E) by redesignating subsections (i), (j), 
                (k), and (l) as subsections (j), (k), (l), and (m) 
                respectively;</DELETED>
                <DELETED>    (F) by inserting after subsection (h) the 
                following:</DELETED>
<DELETED>    ``(i) Federal Risk Assessments.--The Director of the 
Cybersecurity and Infrastructure Security Agency, in coordination with 
the Director, shall perform, on an ongoing and continuous basis, 
assessments of Federal risk posture using any available information on 
the cybersecurity posture of agencies, including--</DELETED>
        <DELETED>    ``(1) the status of agency cybersecurity remedial 
        actions described in section 3554(b)(7);</DELETED>
        <DELETED>    ``(2) any vulnerability information relating to 
        the systems of an agency that is known by the agency;</DELETED>
        <DELETED>    ``(3) analysis of incident information under 
        section 3597;</DELETED>
        <DELETED>    ``(4) evaluation of penetration testing performed 
        under section 3559A;</DELETED>
        <DELETED>    ``(5) evaluation of vulnerability disclosure 
        program information under section 3559B;</DELETED>
        <DELETED>    ``(6) evaluation of agency threat hunting 
        results;</DELETED>
        <DELETED>    ``(7) evaluation of Federal and non-Federal threat 
        intelligence;</DELETED>
        <DELETED>    ``(8) data on compliance with standards issued 
        under section 11331 of title 40 that, when appropriate, uses 
        verification specifications;</DELETED>
        <DELETED>    ``(9) agency system risk assessments performed 
        under section 3554(a)(1)(A); and</DELETED>
        <DELETED>    ``(10) any other information the Secretary 
        determines relevant.''; and</DELETED>
                <DELETED>    (G) in subsection (j), as so 
                redesignated--</DELETED>
                        <DELETED>    (i) by striking ``regarding the 
                        specific'' and inserting ``that includes a 
                        summary of--</DELETED>
        <DELETED>    ``(1) the specific'';</DELETED>
                        <DELETED>    (ii) in paragraph (1), as so 
                        designated, by striking the period at the end 
                        and inserting ``; and'' and</DELETED>
                        <DELETED>    (iii) by adding at the end the 
                        following:</DELETED>
        <DELETED>    ``(2) the trends identified in the Federal risk 
        assessment performed under subsection (i).'';</DELETED>
        <DELETED>    (3) in section 3554--</DELETED>
                <DELETED>    (A) in subsection (a)--</DELETED>
                        <DELETED>    (i) in paragraph (1)--</DELETED>
                                <DELETED>    (I) by redesignating 
                                subparagraphs (A), (B), and (C) as 
                                subparagraphs (B), (C), and (D), 
                                respectively;</DELETED>
                                <DELETED>    (II) by inserting before 
                                subparagraph (B), as so redesignated, 
                                the following:</DELETED>
                <DELETED>    ``(A) performing, not less frequently than 
                once every 2 years or based on a significant change to 
                system architecture or security posture, an agency 
                system risk assessment that--</DELETED>
                        <DELETED>    ``(i) identifies and documents the 
                        high value assets of the agency using guidance 
                        from the Director;</DELETED>
                        <DELETED>    ``(ii) evaluates the data assets 
                        inventoried under section 3511 of title 44 for 
                        sensitivity to compromises in confidentiality, 
                        integrity, and availability;</DELETED>
                        <DELETED>    ``(iii) identifies agency systems 
                        that have access to or hold the data assets 
                        inventoried under section 3511 of title 
                        44;</DELETED>
                        <DELETED>    ``(iv) evaluates the threats 
                        facing agency systems and data, including high 
                        value assets, based on Federal and non-Federal 
                        cyber threat intelligence products, where 
                        available;</DELETED>
                        <DELETED>    ``(v) evaluates the vulnerability 
                        of agency systems and data, including high 
                        value assets, based on--</DELETED>
                                <DELETED>    ``(I) the results of 
                                penetration testing performed by the 
                                Department of Homeland Security under 
                                section 3553(b)(9);</DELETED>
                                <DELETED>    ``(II) the results of 
                                penetration testing performed under 
                                section 3559A;</DELETED>
                                <DELETED>    ``(III) information 
                                provided to the agency through the 
                                vulnerability disclosure program of the 
                                agency under section 3559B;</DELETED>
                                <DELETED>    ``(IV) incidents; 
                                and</DELETED>
                                <DELETED>    ``(V) any other 
                                vulnerability information relating to 
                                agency systems that is known to the 
                                agency;</DELETED>
                        <DELETED>    ``(vi) assesses the impacts of 
                        potential agency incidents to agency systems, 
                        data, and operations based on the evaluations 
                        described in clauses (ii) and (iv) and the 
                        agency systems identified under clause (iii); 
                        and</DELETED>
                        <DELETED>    ``(vii) assesses the consequences 
                        of potential incidents occurring on agency 
                        systems that would impact systems at other 
                        agencies, including due to interconnectivity 
                        between different agency systems or operational 
                        reliance on the operations of the system or 
                        data in the system;'';</DELETED>
                                <DELETED>    (III) in subparagraph (B), 
                                as so redesignated--</DELETED>
                                        <DELETED>    (aa) in the matter 
                                        preceding clause (i), by 
                                        striking ``providing 
                                        information'' and inserting 
                                        ``using information from the 
                                        assessment conducted under 
                                        subparagraph (A), providing, in 
                                        coordination with the Director 
                                        of the Cybersecurity and 
                                        Infrastructure Security Agency, 
                                        information'';</DELETED>
                                        <DELETED>    (bb) in clause 
                                        (i), by striking ``and'' at the 
                                        end;</DELETED>
                                        <DELETED>    (cc) in clause 
                                        (ii), by adding ``and'' at the 
                                        end; and</DELETED>
                                        <DELETED>    (dd) by adding at 
                                        the end the 
                                        following:</DELETED>
                        <DELETED>    ``(iii) in consultation with the 
                        Director and the Director of the Cybersecurity 
                        and Infrastructure Security Agency, information 
                        or information systems used by agencies through 
                        shared services, memoranda of understanding, or 
                        other agreements;'';</DELETED>
                                <DELETED>    (IV) in subparagraph (C), 
                                as so redesignated--</DELETED>
                                        <DELETED>    (aa) in clause 
                                        (ii) by inserting ``binding'' 
                                        before ``operational''; 
                                        and</DELETED>
                                        <DELETED>    (bb) in clause 
                                        (vi), by striking ``and'' at 
                                        the end; and</DELETED>
                                <DELETED>    (V) by adding at the end 
                                the following:</DELETED>
                <DELETED>    ``(E) not later than 30 days after the 
                date on which an agency system risk assessment is 
                performed under subparagraph (A), providing the 
                assessment to--</DELETED>
                        <DELETED>    ``(i) the Director;</DELETED>
                        <DELETED>    ``(ii) the Director of the 
                        Cybersecurity and Infrastructure Security 
                        Agency; and</DELETED>
                        <DELETED>    ``(iii) the National Cyber 
                        Director;</DELETED>
                <DELETED>    ``(F) in consultation with the Director of 
                the Cybersecurity and Infrastructure Security Agency 
                and not less frequently than annually, performing an 
                evaluation of whether additional cybersecurity 
                procedures are appropriate for securing a system of, or 
                under the supervision of, the agency, which shall--
                </DELETED>
                        <DELETED>    ``(i) be completed considering the 
                        agency system risk assessment performed under 
                        subparagraph (A); and</DELETED>
                        <DELETED>    ``(ii) include a specific 
                        evaluation for high value assets; and</DELETED>
                <DELETED>    ``(G) not later than 30 days after 
                completing the evaluation performed under subparagraph 
                (F), providing the evaluation and an implementation 
                plan for using additional cybersecurity procedures 
                determined to be appropriate to--</DELETED>
                        <DELETED>    ``(i) the Director of the 
                        Cybersecurity and Infrastructure Security 
                        Agency;</DELETED>
                        <DELETED>    ``(ii) the Director; and</DELETED>
                        <DELETED>    ``(iii) the National Cyber 
                        Director.'';</DELETED>
                        <DELETED>    (ii) in paragraph (2)--</DELETED>
                                <DELETED>    (I) in subparagraph (A), 
                                by inserting ``in accordance with the 
                                agency system risk assessment performed 
                                under paragraph (1)(A)'' after 
                                ``information systems'';</DELETED>
                                <DELETED>    (II) in subparagraph (B)--
                                </DELETED>
                                        <DELETED>    (aa) by striking 
                                        ``in accordance with 
                                        standards'' and inserting ``in 
                                        accordance with--</DELETED>
                        <DELETED>    ``(i) standards''; and</DELETED>
                                        <DELETED>    (bb) by adding at 
                                        the end the 
                                        following:</DELETED>
                        <DELETED>    ``(ii) the evaluation performed 
                        under paragraph (1)(F); and</DELETED>
                        <DELETED>    ``(iii) the implementation plan 
                        described in paragraph (1)(G);''; and</DELETED>
                                <DELETED>    (III) in subparagraph (D), 
                                by inserting ``, through the use of 
                                penetration testing, the vulnerability 
                                disclosure program established under 
                                section 3559B, and other means,'' after 
                                ``periodically'';</DELETED>
                        <DELETED>    (iii) in paragraph (3)--</DELETED>
                                <DELETED>    (I) in subparagraph (B), 
                                by inserting ``, in coordination with 
                                the Director of the Cybersecurity and 
                                Infrastructure Security Agency,'' after 
                                ``maintaining'';</DELETED>
                                <DELETED>    (II) in subparagraph (D), 
                                by striking ``and'' at the 
                                end;</DELETED>
                                <DELETED>    (III) in subparagraph (E), 
                                by adding ``and'' at the end; 
                                and</DELETED>
                                <DELETED>    (IV) by adding at the end 
                                the following:</DELETED>
                <DELETED>    ``(F) implementing mechanisms for using 
                verification specifications, or alternate verification 
                specifications validated by the Director of the 
                Cybersecurity and Infrastructure Security Agency, in 
                consultation with the Director of the National 
                Institute of Standards and Technology, to automatically 
                verify the implementation of standards of agency 
                systems promulgated under section 11331 of title 40 or 
                any additional cybersecurity procedures, as 
                applicable;''; and</DELETED>
                        <DELETED>    (iv) in paragraph (5), by 
                        inserting ``and the Director of the 
                        Cybersecurity and Infrastructure Security 
                        Agency'' before ``on the 
                        effectiveness'';</DELETED>
                <DELETED>    (B) in subsection (b)--</DELETED>
                        <DELETED>    (i) by striking paragraph (1) and 
                        inserting the following:</DELETED>
        <DELETED>    ``(1) pursuant to subsection (a)(1)(A), performing 
        an agency system risk assessment, which shall include using 
        automated tools consistent with standards, verification 
        specifications, and guidelines promulgated under section 11331 
        of title 40, as applicable;'';</DELETED>
                        <DELETED>    (ii) in paragraph (2)(D)--
                        </DELETED>
                                <DELETED>    (I) by redesignating 
                                clauses (iii) and (iv) as clauses (iv) 
                                and (v), respectively;</DELETED>
                                <DELETED>    (II) by inserting after 
                                clause (ii) the following:</DELETED>
                        <DELETED>    ``(iii) binding operational 
                        directives and emergency directives promulgated 
                        by the Director of the Cybersecurity and 
                        Infrastructure Security Agency under section 
                        3553 of title 44;''; and</DELETED>
                                <DELETED>    (III) in clause (iv), as 
                                so redesignated, by striking ``as 
                                determined by the agency; and'' and 
                                inserting ``as determined by the 
                                agency--</DELETED>
                                <DELETED>    ``(I) in coordination with 
                                the Director of the Cybersecurity and 
                                Infrastructure Security Agency; 
                                and</DELETED>
                                <DELETED>    ``(II) in consideration 
                                of--</DELETED>
                                        <DELETED>    ``(aa) the agency 
                                        risk assessment performed under 
                                        subsection (a)(1)(A); 
                                        and</DELETED>
                                        <DELETED>    ``(bb) the 
                                        determinations of applying more 
                                        stringent standards and 
                                        additional cybersecurity 
                                        procedures pursuant to section 
                                        11331(c)(1) of title 40; 
                                        and'';</DELETED>
                        <DELETED>    (iii) in paragraph (5)--</DELETED>
                                <DELETED>    (I) in subparagraph (A), 
                                by inserting ``, including penetration 
                                testing, as appropriate,'' after 
                                ``shall include testing''; 
                                and</DELETED>
                                <DELETED>    (II) in subparagraph (C), 
                                by inserting ``, verification 
                                specifications,'' after ``with 
                                standards'';</DELETED>
                        <DELETED>    (iv) in paragraph (6), by striking 
                        ``planning, implementing, evaluating, and 
                        documenting'' and inserting ``planning and 
                        implementing and, in consultation with the 
                        Director of the Cybersecurity and 
                        Infrastructure Security Agency, evaluating and 
                        documenting'';</DELETED>
                        <DELETED>    (v) by redesignating paragraphs 
                        (7) and (8) as paragraphs (9) and (10), 
                        respectively;</DELETED>
                        <DELETED>    (vi) by inserting after paragraph 
                        (6) the following:</DELETED>
        <DELETED>    ``(7) a process for providing the status of every 
        remedial action and known system vulnerability to the Director 
        and the Director of the Cybersecurity and Infrastructure 
        Security Agency, using automation and machine-readable data to 
        the greatest extent practicable;</DELETED>
        <DELETED>    ``(8) a process for providing the verification of 
        the implementation of standards promulgated under section 11331 
        of title 40 using verification specifications, automation, and 
        machine-readable data, to the Director and the Director of the 
        Cybersecurity and Infrastructure Security Agency;''; 
        and</DELETED>
                        <DELETED>    (vii) in paragraph (9)(C), as so 
                        redesignated--</DELETED>
                                <DELETED>    (I) by striking clause 
                                (ii) and inserting the 
                                following:</DELETED>
                        <DELETED>    ``(ii) notifying and consulting 
                        with the Federal information security incident 
                        center established under section 3556 pursuant 
                        to the requirements of section 
                        3594;'';</DELETED>
                                <DELETED>    (II) by redesignating 
                                clause (iii) as clause (iv);</DELETED>
                                <DELETED>    (III) by inserting after 
                                clause (ii) the following:</DELETED>
                        <DELETED>    ``(iii) performing the 
                        notifications and other activities required 
                        under subchapter IV of this title; and''; 
                        and</DELETED>
                                <DELETED>    (IV) in clause (iv), as so 
                                redesignated--</DELETED>
                                        <DELETED>    (aa) in subclause 
                                        (I), by striking ``and relevant 
                                        Offices of Inspector 
                                        General'';</DELETED>
                                        <DELETED>    (bb) in subclause 
                                        (II), by adding ``and'' at the 
                                        end;</DELETED>
                                        <DELETED>    (cc) by striking 
                                        subclause (III); and</DELETED>
                                        <DELETED>    (dd) by 
                                        redesignating subclause (IV) as 
                                        subclause (III);</DELETED>
                <DELETED>    (C) in subsection (c)--</DELETED>
                        <DELETED>    (i) in paragraph (1)--</DELETED>
                                <DELETED>    (I) in subparagraph (A)--
                                </DELETED>
                                        <DELETED>    (aa) in the matter 
                                        preceding clause (i), by 
                                        striking ``on the adequacy and 
                                        effectiveness of information 
                                        security policies, procedures, 
                                        and practices, including'' and 
                                        inserting ``that includes''; 
                                        and</DELETED>
                                        <DELETED>    (bb) in clause 
                                        (ii), by inserting ``unless the 
                                        Director issues a waiver to the 
                                        agency under subparagraph 
                                        (B)(iii),'' before ``the total 
                                        number''; and</DELETED>
                                <DELETED>    (II) by striking 
                                subparagraph (B) and inserting the 
                                following:</DELETED>
                <DELETED>    ``(B) Incident reporting waiver.--
                </DELETED>
                        <DELETED>    ``(i) Certification of agency 
                        information sharing.--If the Director, in 
                        consultation with the Director of the 
                        Cybersecurity and Infrastructure Security 
                        Agency, determines that an agency shares any 
                        information relating to any incident pursuant 
                        to section 3594(a), the Director shall certify 
                        that the agency is in compliance with that 
                        section.</DELETED>
                        <DELETED>    ``(ii) Certification of issuing 
                        report.--If the Director determines that the 
                        Director of the Cybersecurity and 
                        Infrastructure Security Agency uses the 
                        information described in clause (i) with 
                        respect to a particular agency to submit to 
                        Congress an annex required under section 
                        3597(c)(3) for that agency, the Director shall 
                        certify that the Cybersecurity and 
                        Infrastructure Security Agency is in compliance 
                        with that section with respect to that 
                        agency.</DELETED>
                        <DELETED>    ``(iii) Waiver.--The Director may 
                        waive the reporting requirement with respect to 
                        the information required to be included in the 
                        report under subparagraph (A)(ii) for a 
                        particular agency if--</DELETED>
                                <DELETED>    ``(I) the Director has 
                                issued a certification for the agency 
                                under clause (i); and</DELETED>
                                <DELETED>    ``(II) the Director has 
                                issued a certification with respect to 
                                the annex of the agency under clause 
                                (ii).</DELETED>
                        <DELETED>    ``(iv) Revocation of waiver or 
                        certifications.--</DELETED>
                                <DELETED>    ``(I) Waiver.--If, at any 
                                time, the Director determines that the 
                                Director of the Cybersecurity and 
                                Infrastructure Security Agency cannot 
                                submit to Congress an annex for a 
                                particular agency under section 
                                3597(c)(3)--</DELETED>
                                        <DELETED>    ``(aa) any waiver 
                                        previously issued under clause 
                                        (iii) with respect to that 
                                        agency shall be considered 
                                        void; and</DELETED>
                                        <DELETED>    ``(bb) the 
                                        Director shall revoke the 
                                        certification for the annex of 
                                        that agency under clause 
                                        (ii).</DELETED>
                                <DELETED>    ``(II) Certifications.--
                                If, at any time, the Director 
                                determines that an agency has not 
                                provided to the Director of the 
                                Cybersecurity and Infrastructure 
                                Security Agency the totality of 
                                incident information required under 
                                section 3594(a)--</DELETED>
                                        <DELETED>    ``(aa) any waiver 
                                        previously issued under clause 
                                        (iii) with respect to that 
                                        agency shall be considered 
                                        void; and</DELETED>
                                        <DELETED>    ``(bb) the 
                                        Director shall revoke the 
                                        certification for that agency 
                                        under clause (i).</DELETED>
                                <DELETED>    ``(III) Reissuance.--If 
                                the Director revokes a waiver under 
                                this clause, the Director may issue a 
                                subsequent waiver if the Director 
                                issues new certifications under clauses 
                                (i) and (ii).'';</DELETED>
                        <DELETED>    (ii) by redesignating paragraphs 
                        (2) through (5) as paragraphs (4) through (7), 
                        respectively; and</DELETED>
                        <DELETED>    (iii) by inserting after paragraph 
                        (1) the following:</DELETED>
        <DELETED>    ``(2) Biannual report.--Not later than 180 days 
        after the date on which an agency completes an agency system 
        risk assessment under subsection (a)(1)(A) and not less 
        frequently than every 2 years, each agency shall submit to the 
        Director, the Secretary, the Committee on Homeland Security and 
        Governmental Affairs of the Senate, the Committee on Oversight 
        and Reform of the House of Representatives, the Committee on 
        Homeland Security of the House of Representatives, the 
        appropriate authorization and appropriations committees of 
        Congress, the National Cyber Director, and the Comptroller 
        General of the United States a report that--</DELETED>
                <DELETED>    ``(A) summarizes the agency system risk 
                assessment performed under subsection 
                (a)(1)(A);</DELETED>
                <DELETED>    ``(B) evaluates the adequacy and 
                effectiveness of information security policies, 
                procedures, and practices of the agency to address the 
                risks identified in the system risk assessment 
                performed under subsection (a)(1)(A); and</DELETED>
                <DELETED>    ``(C) summarizes the evaluations and 
                implementation plans described in subparagraphs (F) and 
                (G) of subsection (a)(1) and whether those evaluations 
                and implementation plans call for the use of additional 
                cybersecurity procedures determined to be appropriate 
                by the agency.</DELETED>
        <DELETED>    ``(3) Unclassified reports.--Each report submitted 
        under paragraphs (1) and (2)--</DELETED>
                <DELETED>    ``(A) shall be, to the greatest extent 
                practicable, in an unclassified and otherwise 
                uncontrolled form; and</DELETED>
                <DELETED>    ``(B) may include a classified annex.''; 
                and</DELETED>
                <DELETED>    (D) in subsection (d)(1), in the matter 
                preceding subparagraph (A), by inserting ``and the 
                Director of the Cybersecurity and Infrastructure 
                Security Agency'' after ``the Director'';</DELETED>
        <DELETED>    (4) in section 3555--</DELETED>
                <DELETED>    (A) in subsection (a)(2)(A), by inserting 
                ``, including by penetration testing and analyzing the 
                vulnerability disclosure program of the agency'' after 
                ``information systems'';</DELETED>
                <DELETED>    (B) by striking subsection (f) and 
                inserting the following:</DELETED>
<DELETED>    ``(f) Protection of Information.--(1) Agencies and 
evaluators shall take appropriate steps to ensure the protection of 
information which, if disclosed, may adversely affect information 
security.</DELETED>
<DELETED>    ``(2) The protections required under paragraph (1) shall 
be commensurate with the risk and comply with all applicable laws and 
regulations.</DELETED>
<DELETED>    ``(3) With respect to information that is not related to 
national security systems, agencies and evaluators shall make a summary 
of the information unclassified and publicly available, including 
information that does not identify--</DELETED>
        <DELETED>    ``(A) specific information system incidents; 
        or</DELETED>
        <DELETED>    ``(B) specific information system 
        vulnerabilities.'';</DELETED>
                <DELETED>    (C) in subsection (g)(2)--</DELETED>
                        <DELETED>    (i) by striking ``this subsection 
                        shall'' and inserting ``this subsection--
                        </DELETED>
        <DELETED>    ``(A) shall'';</DELETED>
                        <DELETED>    (ii) in subparagraph (A), as so 
                        designated, by striking the period at the end 
                        and inserting ``; and''; and</DELETED>
                        <DELETED>    (iii) by adding at the end the 
                        following:</DELETED>
        <DELETED>    ``(B) identify any entity that performs an 
        independent audit under subsection (b).''; and</DELETED>
                <DELETED>    (D) in subsection (j), by striking ``the 
                Secretary'' and inserting ``the Director of the 
                Cybersecurity and Infrastructure Security Agency''; 
                and</DELETED>
        <DELETED>    (5) in section 3556(a)--</DELETED>
                <DELETED>    (A) in the matter preceding paragraph (1), 
                by inserting ``within the Cybersecurity and 
                Infrastructure Security Agency'' after ``incident 
                center''; and</DELETED>
                <DELETED>    (B) in paragraph (4), by striking 
                ``3554(b)'' and inserting ``3554(a)(1)(A)''.</DELETED>
<DELETED>    (d) Federal System Incident Response.--</DELETED>
        <DELETED>    (1) In general.--Chapter 35 of title 44, United 
        States Code, is amended by adding at the end the 
        following:</DELETED>

  <DELETED>``SUBCHAPTER IV--FEDERAL SYSTEM INCIDENT RESPONSE</DELETED>

<DELETED>``Sec. 3591. Definitions</DELETED>
<DELETED>    ``(a) In General.--Except as provided in subsection (b), 
the definitions under sections 3502 and 3552 shall apply to this 
subchapter.</DELETED>
<DELETED>    ``(b) Additional Definitions.--As used in this 
subchapter:</DELETED>
        <DELETED>    ``(1) Appropriate notification entities.--The term 
        `appropriate notification entities' means--</DELETED>
                <DELETED>    ``(A) the Committee on Homeland Security 
                and Governmental Affairs of the Senate;</DELETED>
                <DELETED>    ``(B) the Committee on Oversight and 
                Reform of the House of Representatives;</DELETED>
                <DELETED>    ``(C) the Committee on Homeland Security 
                of the House of Representatives;</DELETED>
                <DELETED>    ``(D) the appropriate authorization and 
                appropriations committees of Congress;</DELETED>
                <DELETED>    ``(E) the Director;</DELETED>
                <DELETED>    ``(F) the Director of the Cybersecurity 
                and Infrastructure Security Agency;</DELETED>
                <DELETED>    ``(G) the National Cyber Director; 
                and</DELETED>
                <DELETED>    ``(H) the Comptroller General of the 
                United States.</DELETED>
        <DELETED>    ``(2) Contractor.--The term `contractor'--
        </DELETED>
                <DELETED>    ``(A) means any person or business that 
                collects or maintains information that includes 
                personally identifiable information or sensitive 
                personal information on behalf of an agency; 
                and</DELETED>
                <DELETED>    ``(B) includes any subcontractor of a 
                person or business described in subparagraph 
                (A).</DELETED>
        <DELETED>    ``(3) Intelligence community.--The term 
        `intelligence community' has the meaning given the term in 
        section 3 of the National Security Act of 1947 (50 U.S.C. 
        3003).</DELETED>
        <DELETED>    ``(4) Nationwide consumer reporting agency.--The 
        term `nationwide consumer reporting agency' means a consumer 
        reporting agency described in section 603(p) of the Fair Credit 
        Reporting Act (15 U.S.C. 1681a(p)).</DELETED>
        <DELETED>    ``(5) Vulnerability disclosure.--The term 
        `vulnerability disclosure' means a vulnerability identified 
        under section 3559B.</DELETED>
<DELETED>``Sec. 3592. Notification of high risk exposure after major 
              incident</DELETED>
<DELETED>    ``(a) Notification.--As expeditiously as practicable and 
without unreasonable delay, and in any case not later than 30 days 
after an agency has a reasonable basis to conclude that a major 
incident has occurred due to a high risk exposure of personally 
identifiable information, as described in section 3598(c)(2), the head 
of the agency shall provide notice of the major incident in accordance 
with subsection (b) in writing to the last known home mailing address 
of each individual whom the major incident may have impacted.</DELETED>
<DELETED>    ``(b) Contents of Notice.--Each notice to an individual 
required under subsection (a) shall include--</DELETED>
        <DELETED>    ``(1) a description of the rationale for the 
        determination that the major incident resulted in a high risk 
        of exposure of the personal information of the 
        individual;</DELETED>
        <DELETED>    ``(2) an assessment of the type of risk the 
        individual may face as a result of an exposure;</DELETED>
        <DELETED>    ``(3) contact information for the Federal Bureau 
        of Investigation or other appropriate entity;</DELETED>
        <DELETED>    ``(4) the contact information of each nationwide 
        consumer reporting agency;</DELETED>
        <DELETED>    ``(5) the contact information for questions to the 
        agency, including a telephone number, e-mail address, and 
        website;</DELETED>
        <DELETED>    ``(6) information on any remedy being offered by 
        the agency;</DELETED>
        <DELETED>    ``(7) consolidated Federal Government 
        recommendations on what to do in the event of a major incident; 
        and</DELETED>
        <DELETED>    ``(8) any other appropriate information as 
        determined by the head of the agency.</DELETED>
<DELETED>    ``(c) Delay of Notification.--</DELETED>
        <DELETED>    ``(1) In general.--The Attorney General, the 
        Director of National Intelligence, or the Secretary of Homeland 
        Security may impose a delay of a notification required under 
        subsection (a) if the notification would disrupt a law 
        enforcement investigation, endanger national security, or 
        hamper security remediation actions.</DELETED>
        <DELETED>    ``(2) Documentation.--</DELETED>
                <DELETED>    ``(A) In general.--Any delay under 
                paragraph (1) shall be reported in writing to the head 
                of the agency, the Director, the Director of the 
                Cybersecurity and Infrastructure Security Agency, and 
                the Office of Inspector General of the agency that 
                experienced the major incident.</DELETED>
                <DELETED>    ``(B) Contents.--A statement required 
                under subparagraph (A) shall include a written 
                statement from the entity that delayed the notification 
                explaining the need for the delay.</DELETED>
                <DELETED>    ``(C) Form.--The statement required under 
                subparagraph (A) shall be unclassified, but may include 
                a classified annex.</DELETED>
        <DELETED>    ``(3) Renewal.--A delay under paragraph (1) shall 
        be for a period of 2 months and may be renewed.</DELETED>
<DELETED>    ``(d) Update Notification.--If an agency determines there 
is a change in the reasonable basis to conclude that a major incident 
occurred, or that there is a change in the details of the information 
provided to impacted individuals as described in subsection (b), the 
agency shall as expeditiously as practicable and without unreasonable 
delay, and in any case not later than 30 days after such a 
determination, notify all such individuals who received a notification 
pursuant to subsection (a) of those changes.</DELETED>
<DELETED>    ``(e) Rule of Construction.--Nothing in this section shall 
be construed to limit--</DELETED>
        <DELETED>    ``(1) the Director from issuing guidance regarding 
        notifications or the head of an agency from sending 
        notifications to individuals impacted by incidents not 
        determined to be major incidents; or</DELETED>
        <DELETED>    ``(2) the Director from issuing guidance regarding 
        notifications of major incidents or the head of an agency from 
        issuing notifications to individuals impacted by major 
        incidents that contain more information than described in 
        subsection (b).</DELETED>
<DELETED>``Sec. 3593. Congressional notifications and reports</DELETED>
<DELETED>    ``(a) Initial Report.--</DELETED>
        <DELETED>    ``(1) In general.--Not later than 5 days after the 
        date on which an agency has a reasonable basis to conclude that 
        a major incident occurred, the head of the agency shall submit 
        a written notification and, to the extent practicable, provide 
        a briefing, to the appropriate notification entities, taking 
        into account--</DELETED>
                <DELETED>    ``(A) the information known at the time of 
                the notification;</DELETED>
                <DELETED>    ``(B) the sensitivity of the details 
                associated with the major incident; and</DELETED>
                <DELETED>    ``(C) the classification level of the 
                information contained in the notification.</DELETED>
        <DELETED>    ``(2) Contents.--A notification required under 
        paragraph (1) shall include--</DELETED>
                <DELETED>    ``(A) a summary of the information 
                available about the major incident, including how the 
                major incident occurred, based on information available 
                to agency officials as of the date on which the agency 
                submits the report;</DELETED>
                <DELETED>    ``(B) if applicable, an estimate of the 
                number of individuals impacted by the major incident, 
                including an assessment of the risk level to impacted 
                individuals based on the guidance promulgated under 
                section 3598(c)(1) and any information available to 
                agency officials on the date on which the agency 
                submits the report;</DELETED>
                <DELETED>    ``(C) if applicable, a description and any 
                associated documentation of any circumstances 
                necessitating a delay in or exemption to notification 
                granted under subsection (c) or (d) of section 3592; 
                and</DELETED>
                <DELETED>    ``(D) if applicable, an assessment of the 
                impacts to the agency, the Federal Government, or the 
                security of the United States, based on information 
                available to agency officials on the date on which the 
                agency submits the report.</DELETED>
<DELETED>    ``(b) Supplemental Report.--Within a reasonable amount of 
time, but not later than 45 days after the date on which additional 
information relating to a major incident for which an agency submitted 
a written notification under subsection (a) is discovered by the 
agency, the head of the agency shall submit to the appropriate 
notification entities updates to the written notification that include 
summaries of--</DELETED>
        <DELETED>    ``(1) the threats and threat actors, 
        vulnerabilities, means by which the major incident occurred, 
        and impacts to the agency relating to the major 
        incident;</DELETED>
        <DELETED>    ``(2) any risk assessment and subsequent risk-
        based security implementation of the affected information 
        system before the date on which the major incident 
        occurred;</DELETED>
        <DELETED>    ``(3) the status of compliance of the affected 
        information system with applicable security requirements at the 
        time of the major incident;</DELETED>
        <DELETED>    ``(4) an estimate of the number of individuals 
        affected by the major incident based on information available 
        to agency officials as of the date on which the agency submits 
        the update;</DELETED>
        <DELETED>    ``(5) an update to the assessment of the risk of 
        harm to impacted individuals affected by the major incident 
        based on information available to agency officials as of the 
        date on which the agency submits the update;</DELETED>
        <DELETED>    ``(6) an update to the assessment of the risk to 
        agency operations, or to impacts on other agency or non-Federal 
        entity operations, affected by the major incident based on 
        information available to agency officials as of the date on 
        which the agency submits the update; and</DELETED>
        <DELETED>    ``(7) the detection, response, and remediation 
        actions of the agency, including any support provided by the 
        Cybersecurity and Infrastructure Security Agency under section 
        3594(d) and status updates on the notification process 
        described in section 3592(a), including any delay or exemption 
        described in subsection (c) or (d), respectively, of section 
        3592, if applicable.</DELETED>
<DELETED>    ``(c) Update Report.--If the agency determines that there 
is any significant change in the understanding of the agency of the 
scope, scale, or consequence of a major incident for which an agency 
submitted a written notification under subsection (a), the agency shall 
provide an updated report to the appropriate notification entities that 
includes information relating to the change in understanding.</DELETED>
<DELETED>    ``(d) Annual Report.--Each agency shall submit as part of 
the annual report required under section 3554(c)(1) of this title a 
description of each major incident that occurred during the 1-year 
period preceding the date on which the report is submitted.</DELETED>
<DELETED>    ``(e) Delay and Exemption Report.--The Director shall 
submit to the appropriate notification entities an annual report on all 
notification delays and exemptions granted pursuant to subsections (c) 
and (d) of section 3592.</DELETED>
<DELETED>    ``(f) Report Delivery.--Any written notification or report 
required to be submitted under this section may be submitted in a paper 
or electronic format.</DELETED>
<DELETED>    ``(g) Rule of Construction.--Nothing in this section shall 
be construed to limit--</DELETED>
        <DELETED>    ``(1) the ability of an agency to provide 
        additional reports or briefings to Congress; or</DELETED>
        <DELETED>    ``(2) Congress from requesting additional 
        information from agencies through reports, briefings, or other 
        means.</DELETED>
<DELETED>    ``(h) Binding Operational Directive.--If the Director of 
the Cybersecurity and Infrastructure Security Agency issues a binding 
operational directive or an emergency directive under section 3553, not 
later than 2 days after the date on which the binding operational 
directive requires an agency to take an action, each agency shall 
provide to the appropriate notification entities the status of the 
implementation of the binding operational directive at the 
agency.</DELETED>
<DELETED>``Sec. 3594. Government information sharing and incident 
              response</DELETED>
<DELETED>    ``(a) In General.--</DELETED>
        <DELETED>    ``(1) Incident reporting.--The head of each agency 
        shall provide any information relating to any incident, whether 
        the information is obtained by the Federal Government directly 
        or indirectly, to the Cybersecurity and Infrastructure Security 
        Agency and the Office of Management and Budget.</DELETED>
        <DELETED>    ``(2) Contents.--A provision of information 
        relating to an incident made by the head of an agency under 
        paragraph (1) shall--</DELETED>
                <DELETED>    ``(A) include detailed information about 
                the safeguards that were in place when the incident 
                occurred;</DELETED>
                <DELETED>    ``(B) whether the agency implemented the 
                safeguards described in subparagraph (A) correctly; 
                and</DELETED>
                <DELETED>    ``(C) in order to protect against a 
                similar incident, identify--</DELETED>
                        <DELETED>    ``(i) how the safeguards described 
                        in subparagraph (A) should be implemented 
                        differently; and</DELETED>
                        <DELETED>    ``(ii) additional necessary 
                        safeguards.</DELETED>
<DELETED>    ``(b) Compliance.--The information provided under 
subsection (a) shall--</DELETED>
        <DELETED>    ``(1) take into account the level of 
        classification of the information and any information sharing 
        limitations relating to law enforcement; and</DELETED>
        <DELETED>    ``(2) be in compliance with the requirements 
        limiting the release of information under section 552a of title 
        5 (commonly known as the `Privacy Act of 1974').</DELETED>
<DELETED>    ``(c) Responding to Information Requests From Agencies 
Experiencing Incidents.--An agency that receives a request from another 
agency or Federal entity for information specifically intended to 
assist in the remediation or notification requirements due to an 
incident shall provide that information to the greatest extent 
possible, in accordance with guidance issued by the Director and taking 
into account classification, law enforcement, national security, and 
compliance with section 552a of title 5 (commonly known as the `Privacy 
Act of 1974').</DELETED>
<DELETED>    ``(d) Incident Response.--Each agency that has a 
reasonable basis to conclude that a major incident occurred, regardless 
of delays from notification granted for a major incident, shall consult 
with the Cybersecurity and Infrastructure Security Agency regarding--
</DELETED>
        <DELETED>    ``(1) incident response and recovery; 
        and</DELETED>
        <DELETED>    ``(2) recommendations for mitigating future 
        incidents.</DELETED>
<DELETED>``Sec. 3595. Responsibilities of contractors and grant 
              recipients</DELETED>
<DELETED>    ``(a) Notification.--</DELETED>
        <DELETED>    ``(1) In general.--Subject to paragraph (3), any 
        contractor of an agency or recipient of a grant from an agency 
        that has a reasonable basis to conclude that an incident 
        involving Federal information has occurred shall immediately 
        notify the agency.</DELETED>
        <DELETED>    ``(2) Procedures.--</DELETED>
                <DELETED>    ``(A) Major incident.--Following 
                notification of a major incident by a contractor or 
                recipient of a grant under paragraph (1), an agency, in 
                consultation with the contractor or grant recipient, as 
                applicable, shall carry out the requirements under 
                sections 3592, 3593, and 3594 with respect to the major 
                incident.</DELETED>
                <DELETED>    ``(B) Incident.--Following notification of 
                an incident by a contractor or recipient of a grant 
                under paragraph (1), an agency, in consultation with 
                the contractor or grant recipient, as applicable, shall 
                carry out the requirements under section 3594 with 
                respect to the incident.</DELETED>
        <DELETED>    ``(3) Applicability.--This subsection shall apply 
        to a contractor of an agency or a recipient of a grant from an 
        agency that--</DELETED>
                <DELETED>    ``(A) receives information from the agency 
                that the contractor or recipient, as applicable, is not 
                contractually authorized to receive;</DELETED>
                <DELETED>    ``(B) experiences an incident relating to 
                Federal information on an information system of the 
                contractor or recipient, as applicable; or</DELETED>
                <DELETED>    ``(C) identifies an incident involving a 
                Federal information system.</DELETED>
<DELETED>    ``(b) Incident Response.--Any contractor of an agency or 
recipient of a grant from an agency that has a reasonable basis to 
conclude that a major incident occurred shall, in coordination with the 
agency, consult with the Cybersecurity and Infrastructure Security 
Agency regarding--</DELETED>
        <DELETED>    ``(1) incident response assistance; and</DELETED>
        <DELETED>    ``(2) recommendations for mitigating future 
        incidents at the agency.</DELETED>
<DELETED>    ``(c) Effective Date.--This section shall apply on and 
after the date that is 1 year after the date of enactment of the 
Federal Information Security Modernization Act of 2021.</DELETED>
<DELETED>``Sec. 3596. Training</DELETED>
<DELETED>    ``(a) In General.--Each agency shall develop training for 
individuals at the agency with access to Federal information or 
information systems on how to identify and respond to an incident, 
including--</DELETED>
        <DELETED>    ``(1) the internal process at the agency for 
        reporting an incident; and</DELETED>
        <DELETED>    ``(2) the obligation of the individual to report 
        to the agency a confirmed major incident and any suspected 
        incident, involving information in any medium or form, 
        including paper, oral, and electronic.</DELETED>
<DELETED>    ``(b) Applicability.--The training developed under 
subsection (a) shall--</DELETED>
        <DELETED>    ``(1) be required for an individual before the 
        individual may access Federal information or information 
        systems; and</DELETED>
        <DELETED>    ``(2) apply to individuals with temporary access 
        to Federal information or information systems, such as 
        detailees, contractors, subcontractors, grantees, volunteers, 
        and interns.</DELETED>
<DELETED>    ``(c) Inclusion in Annual Training.--The training 
developed under subsection (a) may be included as part of an annual 
privacy or security awareness training of the agency, as 
applicable.</DELETED>
<DELETED>``Sec. 3597. Analysis and report on Federal 
              incidents</DELETED>
<DELETED>    ``(a) Definition of Compromise.--In this section, the term 
`compromise' means--</DELETED>
        <DELETED>    ``(1) an incident;</DELETED>
        <DELETED>    ``(2) a result of a penetration test in which the 
        tester successfully gains access to a system within the 
        standards under section 3559A;</DELETED>
        <DELETED>    ``(3) a vulnerability disclosure; or</DELETED>
        <DELETED>    ``(4) any other event that the Director of the 
        Cybersecurity and Infrastructure Security Agency determines 
        identifies an exploitable vulnerability in an agency 
        system.</DELETED>
<DELETED>    ``(b) Analysis of Federal Incidents.--</DELETED>
        <DELETED>    ``(1) In general.--The Director of the 
        Cybersecurity and Infrastructure Security Agency shall perform 
        continuous monitoring of compromises of agencies.</DELETED>
        <DELETED>    ``(2) Quantitative and qualitative analyses.--The 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, in consultation with the Director, shall develop and 
        perform continuous monitoring and quantitative and qualitative 
        analyses of compromises of agencies, including--</DELETED>
                <DELETED>    ``(A) the causes of successful 
                compromises, including--</DELETED>
                        <DELETED>    ``(i) attacker tactics, 
                        techniques, and procedures; and</DELETED>
                        <DELETED>    ``(ii) system vulnerabilities, 
                        including zero days, unpatched systems, and 
                        information system misconfigurations;</DELETED>
                <DELETED>    ``(B) the scope and scale of compromises 
                of agencies;</DELETED>
                <DELETED>    ``(C) cross Federal Government root causes 
                of compromises of agencies;</DELETED>
                <DELETED>    ``(D) agency response, recovery, and 
                remediation actions and effectiveness of incidents, as 
                applicable; and</DELETED>
                <DELETED>    ``(E) lessons learned and recommendations 
                in responding, recovering, remediating, and mitigating 
                future incidents.</DELETED>
        <DELETED>    ``(3) Automated analysis.--The analyses developed 
        under paragraph (2) shall, to the greatest extent practicable, 
        use machine readable data, automation, and machine learning 
        processes.</DELETED>
        <DELETED>    ``(4) Sharing of data and analysis.--</DELETED>
                <DELETED>    ``(A) In general.--The Director shall 
                share on an ongoing basis the analyses required under 
                this subsection with agencies to--</DELETED>
                        <DELETED>    ``(i) improve the understanding of 
                        agencies with respect to risk; and</DELETED>
                        <DELETED>    ``(ii) support the cybersecurity 
                        improvement efforts of agencies.</DELETED>
                <DELETED>    ``(B) Format.--In carrying out 
                subparagraph (A), the Director shall share the 
                analyses--</DELETED>
                        <DELETED>    ``(i) in human-readable written 
                        products; and</DELETED>
                        <DELETED>    ``(ii) to the greatest extent 
                        practicable, in machine-readable formats in 
                        order to enable automated intake and use by 
                        agencies.</DELETED>
<DELETED>    ``(c) Annual Report on Federal Compromises.--Not later 
than 2 years after the date of enactment of this section, and not less 
frequently than annually thereafter, the Director of the Cybersecurity 
and Infrastructure Security Agency, in consultation with the Director, 
shall submit to the appropriate notification entities a report that 
includes--</DELETED>
        <DELETED>    ``(1) a summary of causes of compromises from 
        across the Federal Government that categorizes those 
        compromises by the items described in paragraphs (1) through 
        (4) of subsection (a);</DELETED>
        <DELETED>    ``(2) the quantitative and qualitative analyses of 
        compromises developed under subsection (b)(2) on an agency-by-
        agency basis and comprehensively; and</DELETED>
        <DELETED>    ``(3) an annex for each agency that includes the 
        total number of compromises of the agency and categorizes those 
        compromises by the items described in paragraphs (1) through 
        (4) of subsection (a).</DELETED>
<DELETED>    ``(d) Publication.--A version of each report submitted 
under subsection (c) shall be made publicly available on the website of 
the Cybersecurity and Infrastructure Security Agency during the year in 
which the report is submitted.</DELETED>
<DELETED>    ``(e) Information Provided by Agencies.--The analysis 
required under subsection (b) and each report submitted under 
subsection (c) shall utilize information provided by agencies pursuant 
to section 3594(d).</DELETED>
<DELETED>    ``(f) Requirement To Anonymize Information.--In publishing 
the public report required under subsection (d), the Director of the 
Cybersecurity and Infrastructure Security Agency shall sufficiently 
anonymize and compile information such that no specific incidents of an 
agency can be identified, except with the concurrence of the Director 
of the Office of Management and Budget and in consultation with the 
impacted agency.</DELETED>
<DELETED>``Sec. 3598. Major incident guidance</DELETED>
<DELETED>    ``(a) In General.--Not later than 90 days after the date 
of enactment of the Federal Information Security Modernization Act of 
2021, the Director, in coordination with the Director of the 
Cybersecurity and Infrastructure Security Agency, shall develop and 
promulgate guidance on the definition of the term `major incident' for 
the purposes of subchapter II and this subchapter.</DELETED>
<DELETED>    ``(b) Requirements.--With respect to the guidance issued 
under subsection (a), the definition of the term `major incident' 
shall--</DELETED>
        <DELETED>    ``(1) include, with respect to any information 
        collected or maintained by or on behalf of an agency or an 
        information system used or operated by an agency or by a 
        contractor of an agency or another organization on behalf of an 
        agency--</DELETED>
                <DELETED>    ``(A) any incident the head of the agency 
                determines is likely to have an impact on the national 
                security, homeland security, or economic security of 
                the United States;</DELETED>
                <DELETED>    ``(B) any incident the head of the agency 
                determines is likely to have an impact on the 
                operations of the agency, a component of the agency, or 
                the Federal Government, including an impact on the 
                efficiency or effectiveness of agency information 
                systems;</DELETED>
                <DELETED>    ``(C) any incident that the head of an 
                agency, in consultation with the Chief Privacy Officer 
                of the agency, determines involves a high risk incident 
                in accordance with the guidance issued under subsection 
                (c)(1);</DELETED>
                <DELETED>    ``(D) any incident that involves the 
                unauthorized disclosure of personally identifiable 
                information of not less than 500 individuals, 
                regardless of the risk level determined under the 
                guidance issued under subsection (c)(1);</DELETED>
                <DELETED>    ``(E) any incident the head of the agency 
                determines involves a high value asset owned or 
                operated by the agency; and</DELETED>
                <DELETED>    ``(F) any other type of incident 
                determined appropriate by the Director;</DELETED>
        <DELETED>    ``(2) stipulate that every agency shall be 
        considered to have experienced a major incident if the Director 
        of the Cybersecurity and Infrastructure Security Agency 
        determines that an incident that occurs at not less than 2 
        agencies--</DELETED>
                <DELETED>    ``(A) is enabled by a common technical 
                root cause, such as a supply chain compromise, a common 
                software or hardware vulnerability; or</DELETED>
                <DELETED>    ``(B) is enabled by the related activities 
                of a common actor; and</DELETED>
        <DELETED>    ``(3) stipulate that, in determining whether an 
        incident constitutes a major incident because that incident--
        </DELETED>
                <DELETED>    ``(A) is any incident described in 
                paragraph (1), the head of an agency shall consult with 
                the Director of the Cybersecurity and Infrastructure 
                Security Agency;</DELETED>
                <DELETED>    ``(B) is an incident described in 
                paragraph (1)(A), the head of the agency shall consult 
                with the National Cyber Director; and</DELETED>
                <DELETED>    ``(C) is an incident described in 
                subparagraph (C) or (D) of paragraph (1), the head of 
                the agency shall consult with--</DELETED>
                        <DELETED>    ``(i) the Privacy and Civil 
                        Liberties Oversight Board; and</DELETED>
                        <DELETED>    ``(ii) the Executive Director of 
                        the Federal Trade Commission.</DELETED>
<DELETED>    ``(c) Guidance on Risk to Individuals.--</DELETED>
        <DELETED>    ``(1) In general.--Not later than 90 days after 
        the date of enactment of the Federal Information Security 
        Modernization Act of 2021, the Director, in coordination with 
        the Director of the Cybersecurity and Infrastructure Security 
        Agency, the Privacy and Civil Liberties Oversight Board, and 
        the Executive Director of the Federal Trade Commission, shall 
        develop and issue guidance to agencies that establishes a risk-
        based framework for determining the level of risk that an 
        incident involving personally identifiable information could 
        result in substantial harm, physical harm, embarrassment, or 
        unfairness to an individual.</DELETED>
        <DELETED>    ``(2) Risk levels and considerations.--The risk-
        based framework included in the guidance issued under paragraph 
        (1) shall--</DELETED>
                <DELETED>    ``(A) include a range of risk levels, 
                including a high risk level; and</DELETED>
                <DELETED>    ``(B) consider--</DELETED>
                        <DELETED>    ``(i) any personally identifiable 
                        information that was exposed as a result of an 
                        incident;</DELETED>
                        <DELETED>    ``(ii) the circumstances under 
                        which the exposure of personally identifiable 
                        information of an individual occurred; 
                        and</DELETED>
                        <DELETED>    ``(iii) whether an independent 
                        evaluation of the information affected by an 
                        incident determines that the information is 
                        unreadable, including, as appropriate, 
                        instances in which the information is--
                        </DELETED>
                                <DELETED>    ``(I) encrypted; 
                                and</DELETED>
                                <DELETED>    ``(II) determined by the 
                                Director of the Cybersecurity and 
                                Infrastructure Security Agency to be of 
                                sufficiently low risk of 
                                exposure.</DELETED>
        <DELETED>    ``(3) Approval.--</DELETED>
                <DELETED>    ``(A) In general.--The guidance issued 
                under paragraph (1) shall include a process by which 
                the Director, jointly with the Director of the 
                Cybersecurity and Infrastructure Security Agency and 
                the Attorney General, may approve the designation of an 
                incident that would be considered high risk as lower 
                risk if information exposed by the incident is 
                unreadable, as described in paragraph 
                (2)(B)(iii).</DELETED>
                <DELETED>    ``(B) Documentation.--The Director shall 
                report any approval of an incident granted by the 
                Director under subparagraph (A) to--</DELETED>
                        <DELETED>    ``(i) the head of the agency that 
                        experienced the incident;</DELETED>
                        <DELETED>    ``(ii) the inspector general of 
                        the agency that experienced the incident; 
                        and</DELETED>
                        <DELETED>    ``(iii) the Director of the 
                        Cybersecurity and Infrastructure Security 
                        Agency.</DELETED>
<DELETED>    ``(d) Evaluation and Updates.--Not later than 2 years 
after the date of enactment of the Federal Information Security 
Modernization Act of 2021, and not less frequently than every 2 years 
thereafter, the Director shall submit to the Committee on Homeland 
Security and Governmental Affairs of the Senate and the Committee on 
Oversight and Reform of the House of Representatives an evaluation, 
which shall include--</DELETED>
        <DELETED>    ``(1) an update, if necessary, to the guidance 
        issued under subsections (a) and (c);</DELETED>
        <DELETED>    ``(2) the definition of the term `major incident' 
        included in the guidance issued under subsection (a);</DELETED>
        <DELETED>    ``(3) an explanation of, and the analysis that led 
        to, the definition described in paragraph (2); and</DELETED>
        <DELETED>    ``(4) an assessment of any additional datasets or 
        risk evaluation criteria that should be included in the risk-
        based framework included in the guidance issued under 
        subsection (c)(1).''.</DELETED>
        <DELETED>    (2) Clerical amendment.--The table of sections for 
        chapter 35 of title 44, United States Code, is amended by 
        adding at the end the following:</DELETED>

      <DELETED> ``subchapter iv--federal system incident response

<DELETED>``3591. Definitions.
<DELETED>``3592. Notification of high risk exposure after major 
                            incident.
<DELETED>``3593. Congressional notifications and reports.
<DELETED>``3594. Government information sharing and incident response.
<DELETED>``3595. Responsibilities of contractors and grant recipients.
<DELETED>``3596. Training.
<DELETED>``3597. Analysis and report on Federal incidents.
<DELETED>``3598. Major incident guidance.''.

<DELETED>SEC. 102. AMENDMENTS TO SUBTITLE III OF TITLE 40.</DELETED>

<DELETED>    (a) Information Technology Modernization Centers of 
Excellence Program Act.--Section 2(c)(4)(A)(ii) of the Information 
Technology Modernization Centers of Excellence Program Act (40 U.S.C. 
11301 note) is amended by striking the period at the end and inserting 
``, which shall be provided in coordination with the Director of the 
Cybersecurity and Infrastructure Security Agency.''.</DELETED>
<DELETED>    (b) Modernizing Government Technology.--Subtitle G of 
title X of Division A of the National Defense Authorization Act for 
Fiscal Year 2018 (40 U.S.C. 11301 note) is amended--</DELETED>
        <DELETED>    (1) in section 1077(b)--</DELETED>
                <DELETED>    (A) in paragraph (5)(A), by inserting 
                ``improving the cybersecurity of systems and'' before 
                ``cost savings activities''; and</DELETED>
                <DELETED>    (B) in paragraph (7)--</DELETED>
                        <DELETED>    (i) in the paragraph heading, by 
                        striking ``cio'' and inserting 
                        ``CIO'';</DELETED>
                        <DELETED>    (ii) by striking ``In evaluating 
                        projects'' and inserting the 
                        following:</DELETED>
                <DELETED>    ``(A) Consideration of guidance.--In 
                evaluating projects'';</DELETED>
                        <DELETED>    (iii) in subparagraph (A), as so 
                        designated, by striking ``under section 
                        1094(b)(1)'' and inserting ``guidance issued by 
                        the Director''; and</DELETED>
                        <DELETED>    (iv) by adding at the end the 
                        following:</DELETED>
                <DELETED>    ``(B) Consultation.--In using funds under 
                paragraph (3)(A), the Chief Information Officer of the 
                covered agency shall consult with the Director of the 
                Cybersecurity and Infrastructure Security Agency.''; 
                and</DELETED>
        <DELETED>    (2) in section 1078--</DELETED>
                <DELETED>    (A) by striking subsection (a) and 
                inserting the following:</DELETED>
<DELETED>    ``(a) Definitions.--In this section:</DELETED>
        <DELETED>    ``(1) Agency.--The term `agency' has the meaning 
        given the term in section 551 of title 5, United States 
        Code.</DELETED>
        <DELETED>    ``(2) High value asset.--The term `high value 
        asset' has the meaning given the term in section 3552 of title 
        44, United States Code.'';</DELETED>
                <DELETED>    (B) in subsection (b), by adding at the 
                end the following:</DELETED>
        <DELETED>    ``(8) Proposal evaluation.--The Director shall--
        </DELETED>
                <DELETED>    ``(A) give consideration for the use of 
                amounts in the Fund to improve the security of high 
                value assets; and</DELETED>
                <DELETED>    ``(B) require that any proposal for the 
                use of amounts in the Fund includes a cybersecurity 
                plan, including a chain risk management plan, to be 
                reviewed by the member of the Technology Modernization 
                Board described in subsection (c)(5)(C).''; 
                and</DELETED>
                <DELETED>    (C) in subsection (c)--</DELETED>
                        <DELETED>    (i) in paragraph (2)(A)(i), by 
                        inserting ``, including a consideration of the 
                        impact on high value assets'' after 
                        ``operational risks'';</DELETED>
                        <DELETED>    (ii) in paragraph (5)--</DELETED>
                                <DELETED>    (I) in subparagraph (A), 
                                by striking ``and'' at the 
                                end;</DELETED>
                                <DELETED>    (II) in subparagraph (B), 
                                by striking the period at the end and 
                                inserting ``and''; and</DELETED>
                                <DELETED>    (III) by adding at the end 
                                the following:</DELETED>
                <DELETED>    ``(C) a senior official from the 
                Cybersecurity and Infrastructure Security Agency of the 
                Department of Homeland Security, appointed by the 
                Director.''; and</DELETED>
                        <DELETED>    (iii) in paragraph (6)(A), by 
                        striking ``shall be--'' and all that follows 
                        through ``4 employees'' and inserting ``shall 
                        be 4 employees''.</DELETED>
<DELETED>    (c) Subchapter I.--Subchapter I of subtitle III of title 
40, United States Code, is amended--</DELETED>
        <DELETED>    (1) in section 11302--</DELETED>
                <DELETED>    (A) in subsection (b), by striking ``use, 
                security, and disposal of'' and inserting ``use, and 
                disposal, and, in coordination with the Director of the 
                Cybersecurity and Infrastructure Security Agency, 
                promote and improve the security, of'';</DELETED>
                <DELETED>    (B) in subsection (c)--</DELETED>
                        <DELETED>    (i) in paragraph (2), by inserting 
                        ``in consultation with the Director of the 
                        Cybersecurity and Infrastructure Security 
                        Agency'' before ``, and results of'';</DELETED>
                        <DELETED>    (ii) in paragraph (3)--</DELETED>
                                <DELETED>    (I) in subparagraph (A), 
                                by striking ``, and performance'' and 
                                inserting ``security, and 
                                performance''; and</DELETED>
                                <DELETED>    (II) in subparagraph (C)--
                                </DELETED>
                                        <DELETED>    (aa) by striking 
                                        ``For each major'' and 
                                        inserting the 
                                        following:</DELETED>
                        <DELETED>    ``(i) In general.--For each 
                        major''; and</DELETED>
                                        <DELETED>    (bb) by adding at 
                                        the end the 
                                        following:</DELETED>
                        <DELETED>    ``(ii) Cybersecurity.--In 
                        categorizing an investment according to risk 
                        under clause (i), the Chief Information Officer 
                        of the covered agency shall consult with the 
                        Director of the Cybersecurity and 
                        Infrastructure Security Agency on the 
                        cybersecurity or supply chain risk.</DELETED>
                        <DELETED>    ``(iii) Security risk guidance.--
                        The Director, in coordination with the Director 
                        of the Cybersecurity and Infrastructure 
                        Security Agency, shall issue guidance for the 
                        categorization of an investment under clause 
                        (i) according to the cybersecurity or supply 
                        chain risk.''; and</DELETED>
                        <DELETED>    (iii) in paragraph (4)--</DELETED>
                                <DELETED>    (I) in subparagraph (A)--
                                </DELETED>
                                        <DELETED>    (aa) in clause 
                                        (ii), by striking ``and'' at 
                                        the end;</DELETED>
                                        <DELETED>    (bb) in clause 
                                        (iii), by striking the period 
                                        at the end and inserting ``; 
                                        and''; and</DELETED>
                                        <DELETED>    (cc) by adding at 
                                        the end the 
                                        following:</DELETED>
                        <DELETED>    ``(iv) in consultation with the 
                        Director of the Cybersecurity and 
                        Infrastructure Security Agency, the 
                        cybersecurity risks of the investment.''; 
                        and</DELETED>
                                <DELETED>    (II) in subparagraph (B), 
                                in the matter preceding clause (i), by 
                                inserting ``not later than 30 days 
                                after the date on which the review 
                                under subparagraph (A) is completed,'' 
                                before ``the Administrator'';</DELETED>
                <DELETED>    (C) in subsection (f)--</DELETED>
                        <DELETED>    (i) by striking ``heads of 
                        executive agencies to develop'' and inserting 
                        ``heads of executive agencies to--</DELETED>
        <DELETED>    ``(1) develop'';</DELETED>
                        <DELETED>    (ii) in paragraph (1), as so 
                        designated, by striking the period at the end 
                        and inserting ``; and''; and</DELETED>
                        <DELETED>    (iii) by adding at the end the 
                        following:</DELETED>
        <DELETED>    ``(2) consult with the Director of the 
        Cybersecurity and Infrastructure Security Agency for the 
        development and use of supply chain security best practices.''; 
        and</DELETED>
                <DELETED>    (D) in subsection (h), by inserting ``, 
                including cybersecurity performances,'' after ``the 
                performances''; and</DELETED>
        <DELETED>    (2) in section 11303(b)(2)(B)--</DELETED>
                <DELETED>    (A) in clause (i), by striking ``or'' at 
                the end;</DELETED>
                <DELETED>    (B) in clause (ii), by adding ``or'' at 
                the end; and</DELETED>
                <DELETED>    (C) by adding at the end the 
                following:</DELETED>
                        <DELETED>    ``(iii) whether the function 
                        should be performed by a shared service offered 
                        by another executive agency;''.</DELETED>
<DELETED>    (d) Subchapter II.--Subchapter II of subtitle III of title 
40, United States Code, is amended--</DELETED>
        <DELETED>    (1) in section 11312(a), by inserting ``, 
        including security risks'' after ``managing the 
        risks'';</DELETED>
        <DELETED>    (2) in section 11313(1), by striking ``efficiency 
        and effectiveness'' and inserting ``efficiency, security, and 
        effectiveness'';</DELETED>
        <DELETED>    (3) in section 11317, by inserting ``security,'' 
        before ``or schedule''; and</DELETED>
        <DELETED>    (4) in section 11319(b)(1), in the paragraph 
        heading, by striking ``cios'' and inserting ``Chief information 
        officers''.</DELETED>
<DELETED>    (e) Subchapter III.--Section 11331 of title 40, United 
States Code, is amended--</DELETED>
        <DELETED>    (1) in subsection (a), by striking ``section 
        3532(b)(1)'' and inserting ``section 3552(b)'';</DELETED>
        <DELETED>    (2) in subsection (b)(1)(A)--</DELETED>
                <DELETED>    (A) by striking ``in consultation'' and 
                inserting ``in coordination'';</DELETED>
                <DELETED>    (B) by striking ``the Secretary of 
                Homeland Security'' and inserting ``the Director of the 
                Cybersecurity and Infrastructure Security Agency''; 
                and</DELETED>
                <DELETED>    (C) by inserting ``and associated 
                verification specifications developed under subsection 
                (g)'' before ``pertaining to Federal'';</DELETED>
        <DELETED>    (3) by striking subsection (c) and inserting the 
        following:</DELETED>
<DELETED>    ``(c) Application of More Stringent Standards.--</DELETED>
        <DELETED>    ``(1) In general.--The head of an agency shall--
        </DELETED>
                <DELETED>    ``(A) evaluate the need to employ 
                standards for cost-effective, risk-based information 
                security for all systems, operations, and assets within 
                or under the supervision of the agency that are more 
                stringent than the standards promulgated by the 
                Director under this section, if such standards contain, 
                at a minimum, the provisions of those applicable 
                standards made compulsory and binding by the Director; 
                and</DELETED>
                <DELETED>    ``(B) to the greatest extent practicable 
                and if the head of the agency determines that the 
                standards described in subparagraph (A) are necessary, 
                employ those standards.</DELETED>
        <DELETED>    ``(2) Evaluation of more stringent standards.--In 
        evaluating the need to employ more stringent standards under 
        paragraph (1), the head of an agency shall consider available 
        risk information, including--</DELETED>
                <DELETED>    ``(A) the status of cybersecurity remedial 
                actions of the agency;</DELETED>
                <DELETED>    ``(B) any vulnerability information 
                relating to agency systems that is known to the 
                agency;</DELETED>
                <DELETED>    ``(C) incident information of the 
                agency;</DELETED>
                <DELETED>    ``(D) information from--</DELETED>
                        <DELETED>    ``(i) penetration testing 
                        performed under section 3559A of title 44; 
                        and</DELETED>
                        <DELETED>    ``(ii) information from the 
                        verification disclosure program established 
                        under section 3559B of title 44;</DELETED>
                <DELETED>    ``(E) agency threat hunting results under 
                section 207 of the Federal Information Security 
                Modernization Act of 2021;</DELETED>
                <DELETED>    ``(F) Federal and non-Federal threat 
                intelligence;</DELETED>
                <DELETED>    ``(G) data on compliance with standards 
                issued under this section, using the verification 
                specifications developed under subsection (f) when 
                appropriate;</DELETED>
                <DELETED>    ``(H) agency system risk assessments of 
                the agency performed under section 3554(a)(1)(A) of 
                title 44; and</DELETED>
                <DELETED>    ``(I) any other information determined 
                relevant by the head of the agency.'';</DELETED>
        <DELETED>    (4) in subsection (d)(2)--</DELETED>
                <DELETED>    (A) by striking the paragraph heading and 
                inserting ``Consultation, notice, and 
                comment'';</DELETED>
                <DELETED>    (B) by inserting ``promulgate,'' before 
                ``significantly modify''; and</DELETED>
                <DELETED>    (C) by striking ``shall be made after the 
                public is given an opportunity to comment on the 
                Director's proposed decision.'' and inserting ``shall 
                be made--</DELETED>
                <DELETED>    ``(A) for a decision to significantly 
                modify or not promulgate such a proposed standard, 
                after the public is given an opportunity to comment on 
                the Director's proposed decision;</DELETED>
                <DELETED>    ``(B) in consultation with the Chief 
                Information Officers Council, the Director of the 
                Cybersecurity and Infrastructure Security Agency, the 
                National Cyber Director, the Comptroller General of the 
                United States, and the Council of the Inspectors 
                General on Integrity and Efficiency;</DELETED>
                <DELETED>    ``(C) considering the Federal risk 
                assessments performed under section 3553(i) of title 
                44; and</DELETED>
                <DELETED>    ``(D) considering the extent to which the 
                proposed standard reduces risk relative to the cost of 
                implementation of the standard.''; and</DELETED>
        <DELETED>    (5) by adding at the end the following:</DELETED>
<DELETED>    ``(e) Review of Promulgated Standards.--</DELETED>
        <DELETED>    ``(1) In general.--Not less frequently than once 
        every 2 years, the Director of the Office of Management and 
        Budget, in consultation with the Chief Information Officers 
        Council, the Director of the Cybersecurity and Infrastructure 
        Security Agency, the National Cyber Director, the Comptroller 
        General of the United States, and the Council of the Inspectors 
        General on Integrity and Efficiency shall review the efficacy 
        of the standards in effect promulgated under this section in 
        reducing cybersecurity risks and determine whether any changes 
        to those standards are appropriate based on--</DELETED>
                <DELETED>    ``(A) the Federal risk assessment 
                developed under section 3553(i) of title 44;</DELETED>
                <DELETED>    ``(B) public comment; and</DELETED>
                <DELETED>    ``(C) an assessment of the extent to which 
                the proposed standards reduce risk relative to the cost 
                of implementation of the standards.</DELETED>
        <DELETED>    ``(2) Updated guidance.--Not later than 90 days 
        after the date of the completion of the review under paragraph 
        (1), the Director of the Office of Management and Budget shall 
        issue guidance to agencies to make any necessary updates to the 
        standards in effect promulgated under this section based on the 
        results of the review.</DELETED>
        <DELETED>    ``(3) Congressional report.--Not later than 30 
        days after the date on which a review is completed under 
        paragraph (1), the Director shall submit to the Committee on 
        Homeland Security and Governmental Affairs of the Senate and 
        the Committee on Oversight and Reform of the House of 
        Representatives a report that includes--</DELETED>
                <DELETED>    ``(A) the review of the standards in 
                effect promulgated under this section conducted under 
                paragraph (1);</DELETED>
                <DELETED>    ``(B) the risk mitigation offered by each 
                standard described in subparagraph (A); and</DELETED>
                <DELETED>    ``(C) a summary of--</DELETED>
                        <DELETED>    ``(i) the standards to which 
                        changes were determined appropriate during the 
                        review; and</DELETED>
                        <DELETED>    ``(ii) anticipated changes to the 
                        standards under this section in guidance issued 
                        under paragraph (2).</DELETED>
<DELETED>    ``(f) Verification Specifications.--Not later than 1 year 
after the date on which the Director of the National Institute of 
Standards and Technology issues a proposed standard pursuant to 
paragraphs (2) and (3) of section 20(a) of the National Institute of 
Standards and Technology Act (15 U.S.C. 278g-3(a)), the Director of the 
Cybersecurity and Infrastructure Security Agency, in consultation with 
the Director of the National Institute of Standards and Technology, as 
practicable, shall develop technical specifications to enable the 
automated verification of the implementation of the controls within the 
standard.''.</DELETED>

<DELETED>SEC. 103. ACTIONS TO ENHANCE FEDERAL INCIDENT 
              RESPONSE.</DELETED>

<DELETED>    (a) Responsibilities of the Cybersecurity and 
Infrastructure Security Agency.--</DELETED>
        <DELETED>    (1) Recommendations.--Not later than 180 days 
        after the date of enactment of this Act, the Director of the 
        Cybersecurity and Infrastructure Security Agency, in 
        coordination with the Chair of the Federal Trade Commission, 
        the Chair of the Securities and Exchange Commission, the 
        Secretary of the Treasury, the Director of the Federal Bureau 
        of Investigation, the Director of the National Institute of 
        Standards and Technology, and the head of any other appropriate 
        Federal or non-Federal entity, shall consolidate, maintain, and 
        make publicly available recommendations for individuals whose 
        personal information, as defined in section 3591 of title 44, 
        United States Code, as added by this Act, is inappropriately 
        exposed as a result of a high risk incident described in 
        section 3598(c)(2) of title 44, United States Code.</DELETED>
        <DELETED>    (2) Plan for analysis of, and report on, federal 
        incidents.--</DELETED>
                <DELETED>    (A) In general.--Not later than 180 days 
                after the date of enactment of this Act, the Director 
                of the Cybersecurity and Infrastructure Security Agency 
                shall--</DELETED>
                        <DELETED>    (i) develop a plan for the 
                        development of the analysis required under 
                        section 3597(b) of title 44, United States 
                        Code, as added by this Act, and the report 
                        required under subsection (c) of that section 
                        that includes--</DELETED>
                                <DELETED>    (I) a description of any 
                                challenges the Director anticipates 
                                encountering; and</DELETED>
                                <DELETED>    (II) the use of automation 
                                and machine-readable formats for 
                                collecting, compiling, monitoring, and 
                                analyzing data; and</DELETED>
                        <DELETED>    (ii) provide to the appropriate 
                        congressional committees a briefing on the plan 
                        developed under clause (i).</DELETED>
                <DELETED>    (B) Briefing.--Not later than 1 year after 
                the date of enactment of this Act, the Director of the 
                Cybersecurity and Infrastructure Security Agency shall 
                provide to the appropriate congressional committees a 
                briefing on--</DELETED>
                        <DELETED>    (i) the execution of the plan 
                        required under subparagraph (A); and</DELETED>
                        <DELETED>    (ii) the development of the report 
                        required under section 3597(c) of title 44, 
                        United States Code, as added by this 
                        Act.</DELETED>
<DELETED>    (b) Responsibilities of the Director of the Office of 
Management and Budget.--</DELETED>
        <DELETED>    (1) FISMA.--Section 2 of the Federal Information 
        Security Modernization Act of 2014 (44 U.S.C. 3554 note) is 
        amended--</DELETED>
                <DELETED>    (A) by striking subsection (b); 
                and</DELETED>
                <DELETED>    (B) by redesignating subsections (c) 
                through (f) as subsections (b) through (e), 
                respectively.</DELETED>
        <DELETED>    (2) Incident data sharing.--</DELETED>
                <DELETED>    (A) In general.--The Director shall 
                develop guidance, to be updated not less frequently 
                than once every 2 years, on the content, timeliness, 
                and format of the information provided by agencies 
                under section 3594(a) of title 44, United States Code, 
                as added by this Act.</DELETED>
                <DELETED>    (B) Requirements.--The guidance developed 
                under subparagraph (A) shall--</DELETED>
                        <DELETED>    (i) prioritize the availability of 
                        data necessary to understand and analyze--
                        </DELETED>
                                <DELETED>    (I) the causes of 
                                incidents;</DELETED>
                                <DELETED>    (II) the scope and scale 
                                of incidents within the agency networks 
                                and systems;</DELETED>
                                <DELETED>    (III) cross Federal 
                                Government root causes of 
                                incidents;</DELETED>
                                <DELETED>    (IV) agency response, 
                                recovery, and remediation actions; 
                                and</DELETED>
                                <DELETED>    (V) the effectiveness of 
                                incidents;</DELETED>
                        <DELETED>    (ii) enable the efficient 
                        development of--</DELETED>
                                <DELETED>    (I) lessons learned and 
                                recommendations in responding to, 
                                recovering from, remediating, and 
                                mitigating future incidents; 
                                and</DELETED>
                                <DELETED>    (II) the report on Federal 
                                compromises required under section 
                                3597(c) of title 44, United States 
                                Code, as added by this Act;</DELETED>
                        <DELETED>    (iii) include requirements for the 
                        timeliness of data production; and</DELETED>
                        <DELETED>    (iv) include requirements for 
                        using automation and machine-readable data for 
                        data sharing and availability.</DELETED>
        <DELETED>    (3) Guidance on responding to information 
        requests.--Not later than 1 year after the date of enactment of 
        this Act, the Director shall develop guidance for agencies to 
        implement the requirement under section 3594(c) of title 44, 
        United States Code, as added by this Act, to provide 
        information to other agencies experiencing incidents.</DELETED>
        <DELETED>    (4) Standard guidance and templates.--Not later 
        than 1 year after the date of enactment of this Act, the 
        Director, in coordination with the Director of the 
        Cybersecurity and Infrastructure Security Agency, shall develop 
        guidance and templates, to be reviewed and, if necessary, 
        updated not less frequently than once every 2 years, for use by 
        Federal agencies in the activities required under sections 
        3592, 3593, and 3596 of title 44, United States Code, as added 
        by this Act.</DELETED>
        <DELETED>    (5) Contractor and grantee guidance.--</DELETED>
                <DELETED>    (A) In general.--Not later than 1 year 
                after the date of enactment of this Act, the Director, 
                in coordination with the Secretary of Homeland 
                Security, the Secretary of Defense, the Administrator 
                of General Services, and the heads of other agencies 
                determined appropriate by the Director, shall issue 
                guidance to Federal agencies on how to deconflict 
                existing regulations, policies, and procedures relating 
                to the responsibilities of contractors and grant 
                recipients established under section 3595 of title 44, 
                United States Code, as added by this Act.</DELETED>
                <DELETED>    (B) Existing processes.--To the greatest 
                extent practicable, the guidance issued under 
                subparagraph (A) shall allow contractors and grantees 
                to use existing processes for notifying Federal 
                agencies of incidents involving information of the 
                Federal Government.</DELETED>
        <DELETED>    (6) Updated briefings.--Not less frequently than 
        once every 2 years, the Director shall provide to the 
        appropriate congressional committees an update on the guidance 
        and templates developed under paragraphs (2) through 
        (4).</DELETED>
<DELETED>    (c) Update to the Privacy Act of 1974.--Section 552a(b) of 
title 5, United States Code (commonly known as the ``Privacy Act of 
1974'') is amended--</DELETED>
        <DELETED>    (1) in paragraph (11), by striking ``or'' at the 
        end;</DELETED>
        <DELETED>    (2) in paragraph (12), by striking the period at 
        the end and inserting ``; and''; and</DELETED>
        <DELETED>    (3) by adding at the end the following:</DELETED>
        <DELETED>    ``(13) to another agency in furtherance of a 
        response to an incident (as defined in section 3552 of title 
        44) and pursuant to the information sharing requirements in 
        section 3594 of title 44 if the head of the requesting agency 
        has made a written request to the agency that maintains the 
        record specifying the particular portion desired and the 
        activity for which the record is sought.''.</DELETED>

<DELETED>SEC. 104. ADDITIONAL GUIDANCE TO AGENCIES ON FISMA 
              UPDATES.</DELETED>

<DELETED>    Not later than 1 year after the date of enactment of this 
Act, the Director, in coordination with the Director of the 
Cybersecurity and Infrastructure Security Agency, shall issue guidance 
for agencies on--</DELETED>
        <DELETED>    (1) completing the agency system risk assessment 
        required under section 3554(a)(1)(A) of title 44, United States 
        Code, as amended by this Act;</DELETED>
        <DELETED>    (2) implementing additional cybersecurity 
        procedures, which shall include resources for shared 
        services;</DELETED>
        <DELETED>    (3) establishing a process for providing the 
        status of each remedial action under section 3554(b)(7) of 
        title 44, United States Code, as amended by this Act, to the 
        Director and the Cybersecurity and Infrastructure Security 
        Agency using automation and machine-readable data, as 
        practicable, which shall include--</DELETED>
                <DELETED>    (A) specific standards for the automation 
                and machine-readable data; and</DELETED>
                <DELETED>    (B) templates for providing the status of 
                the remedial action;</DELETED>
        <DELETED>    (4) interpreting the definition of ``high value 
        asset'' in section 3552 of title 44, United States Code, as 
        amended by this Act;</DELETED>
        <DELETED>    (5) implementing standards in agency authorization 
        processes to encourage the tailoring of processes to agency and 
        system risk that are proportionate to the sensitivity of 
        systems, which shall include--</DELETED>
                <DELETED>    (A) a clarification of--</DELETED>
                        <DELETED>    (i) the acceptable use and 
                        development of customization of standards 
                        promulgated under section 11331 of title 40, 
                        United States Code; and</DELETED>
                        <DELETED>    (ii) the acceptable use of risk-
                        based authorization procedures authorized on 
                        the date of enactment of this Act; 
                        and</DELETED>
                <DELETED>    (B) a requirement to coordinate with 
                Inspectors General of agencies to ensure consistent 
                understanding and application of agency policies for 
                the purpose of Inspector General audits; and</DELETED>
        <DELETED>    (6) requiring, as practicable and pursuant to 
        section 203, an evaluation of agency cybersecurity using 
        metrics that are--</DELETED>
                <DELETED>    (A) based on outcomes; and</DELETED>
                <DELETED>    (B) based on time.</DELETED>

<DELETED>SEC. 105. AGENCY REQUIREMENTS TO NOTIFY ENTITIES IMPACTED BY 
              INCIDENTS.</DELETED>

<DELETED>    Not later than 180 days after the date of enactment of 
this Act, the Director shall issue guidance that requires agencies to 
notify entities that are compelled to share sensitive information with 
the agency of an incident that impacts--</DELETED>
        <DELETED>    (1) sensitive information shared with the agency 
        by the entity; or</DELETED>
        <DELETED>    (2) the systems used to transmit sensitive 
        information described in paragraph (1) to the agency.</DELETED>

      <DELETED>TITLE II--IMPROVING FEDERAL CYBERSECURITY</DELETED>

<DELETED>SEC. 201. EVALUATION OF EFFECTIVENESS OF STANDARDS.</DELETED>

<DELETED>    (a) In General.--As a component of the evaluation and 
report required under section 3555(h) of title 44, United States Code, 
and not later than 1 year after the date of enactment of this Act, the 
Comptroller General of the United States shall perform a study that--
</DELETED>
        <DELETED>    (1) assesses the standards promulgated under 
        section 11331(b) of title 40, United States Code to determine 
        the degree to which agencies use the authority under section 
        11331(c)(1) of title 40, United States Code to customize the 
        standards relative to the risks facing each agency and agency 
        system;</DELETED>
        <DELETED>    (2) assesses the effectiveness of the standards 
        described in paragraph (1), including any standards customized 
        by agencies under section 11331(c)(1) of title 40, United 
        States Code, at improving agency cybersecurity;</DELETED>
        <DELETED>    (3) examines the quantification of cybersecurity 
        risk in the private sector for any applicability for use by the 
        Federal Government;</DELETED>
        <DELETED>    (4) examines cybersecurity metrics existing as of 
        the date of enactment of this Act used by the Director, the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, and the heads of other agencies to evaluate the 
        effectiveness of information security policies and practices; 
        and</DELETED>
        <DELETED>    (5) with respect to the standards described in 
        paragraph (1), provides recommendations for--</DELETED>
                <DELETED>    (A) the addition or removal of standards; 
                or</DELETED>
                <DELETED>    (B) the customization of--</DELETED>
                        <DELETED>    (i) the standards by agencies 
                        under section 11331(c)(1) of title 40, United 
                        States Code; or</DELETED>
                        <DELETED>    (ii) specific controls within the 
                        standards.</DELETED>
<DELETED>    (b) Incorporation of Study.--The Director shall 
incorporate the results of the study performed under subsection (a) 
into the review of standards required under section 11331(e) of title 
40, United States Code.</DELETED>
<DELETED>    (c) Briefing.--Not later than 30 days after the date on 
which the study performed under subsection (a) is completed, the 
Comptroller General of the United States shall provide to the 
appropriate congressional committees a briefing on the study.</DELETED>

<DELETED>SEC. 202. MOBILE SECURITY STANDARDS.</DELETED>

<DELETED>    (a) In General.--Not later than 1 year after the date of 
enactment of this Act, the Director shall--</DELETED>
        <DELETED>    (1) evaluate mobile application security standards 
        promulgated under section 11331(b) of title 44, United States 
        Code; and</DELETED>
        <DELETED>    (2) issue guidance to implement mobile security 
        standards in effect on the date of enactment of this Act 
        promulgated under section 11331(b) of title 40, United States 
        Code, including for mobile applications, for every 
        agency.</DELETED>
<DELETED>    (b) Contents.--The guidance issued under subsection (a)(2) 
shall include--</DELETED>
        <DELETED>    (1) a requirement, pursuant to section 3506(b)(4) 
        of title 44, United States Code, for every agency to maintain a 
        continuous inventory of every--</DELETED>
                <DELETED>    (A) mobile device operated by or on behalf 
                of the agency;</DELETED>
                <DELETED>    (B) mobile application installed on a 
                mobile device described in subparagraph (A); 
                and</DELETED>
                <DELETED>    (C) vulnerability identified by the agency 
                associated with a mobile device or mobile application 
                described in subparagraphs (A) and (B); and</DELETED>
        <DELETED>    (2) a requirement for every agency to perform 
        continuous evaluation of the vulnerabilities described in 
        paragraph (1)(C) and other risks.</DELETED>
<DELETED>    (c) Information Sharing.--The Director, in coordination 
with the Director of the Cybersecurity and Infrastructure Security 
Agency, shall issue guidance to agencies for sharing the inventory of 
the agency required under subsection (b)(1) with the Director of the 
Cybersecurity and Infrastructure Security Agency, using automation and 
machine-readable data to the greatest extent practicable.</DELETED>
<DELETED>    (d) Briefing.--Not later than 60 days after the date on 
which the Director issues guidance under subsection (a)(2), the 
Director, in coordination with the Director of the Cybersecurity and 
Infrastructure Security Agency, shall provide to the appropriate 
congressional committees a briefing on the guidance.</DELETED>

<DELETED>SEC. 203. QUANTITATIVE CYBERSECURITY METRICS.</DELETED>

<DELETED>    (a) Establishing Time-Based Metrics.--</DELETED>
        <DELETED>    (1) In general.--Not later than 1 year after the 
        date of enactment of this Act, the Director of the 
        Cybersecurity and Infrastructure Security Agency shall--
        </DELETED>
                <DELETED>    (A) update the metrics used to measure 
                security under section 3554 of title 44, United States 
                Code, including any metrics developed pursuant to 
                section 224(c) of the Cybersecurity Act of 2015 (6 
                U.S.C. 1522(c)), to include standardized metrics to 
                quantitatively evaluate and identify trends in agency 
                cybersecurity performance, including performance for 
                incident response; and</DELETED>
                <DELETED>    (B) evaluate the metrics described in 
                subparagraph (A).</DELETED>
        <DELETED>    (2) Qualities.--With respect to the updated 
        metrics required under paragraph (1)--</DELETED>
                <DELETED>    (A) not less than 2 of the metrics shall 
                be time-based; and</DELETED>
                <DELETED>    (B) the metrics may include other 
                measurable outcomes.</DELETED>
        <DELETED>    (3) Evaluation.--The evaluation required under 
        paragraph (1)(B) shall evaluate--</DELETED>
                <DELETED>    (A) the amount of time it takes for an 
                agency to detect an incident; and</DELETED>
                <DELETED>    (B) the amount of time that passes 
                between--</DELETED>
                        <DELETED>    (i) the detection and remediation 
                        of an incident; and</DELETED>
                        <DELETED>    (ii) the remediation of an 
                        incident and the recovery from the 
                        incident.</DELETED>
<DELETED>    (b) Implementation.--</DELETED>
        <DELETED>    (1) In general.--The Director, in coordination 
        with the Director of the Cybersecurity and Infrastructure 
        Security Agency, shall promulgate guidance that requires the 
        use of the updated metrics developed under subsection (a)(1)(A) 
        by every agency over a 4-year period beginning on the date on 
        which the metrics are developed to track trends in the incident 
        response capabilities of agencies.</DELETED>
        <DELETED>    (2) Penetration tests.--On not less than 2 
        occasions during the 2-year period following the date on which 
        guidance is promulgated under paragraph (1), not less than 3 
        agencies shall be subjected to substantially similar 
        penetration tests in order to validate the utility of the 
        metrics developed under subsection (a)(1)(A).</DELETED>
        <DELETED>    (3) Database.--The Director of the Cybersecurity 
        and Infrastructure Security Agency shall develop and use a 
        database that--</DELETED>
                <DELETED>    (A) stores agency metrics information; 
                and</DELETED>
                <DELETED>    (B) allows for the performance of cross-
                agency comparison of agency incident response 
                capability trends.</DELETED>
<DELETED>    (c) Updated Metrics.--</DELETED>
        <DELETED>    (1) In general.--The Director may issue guidance 
        that updates the metrics developed under subsection (a)(1)(A) 
        if the updated metrics--</DELETED>
                <DELETED>    (A) have the qualities described in 
                subsection (a)(2); and</DELETED>
                <DELETED>    (B) can be evaluated under subsection 
                (a)(3).</DELETED>
        <DELETED>    (2) Data sharing.--The guidance issued under 
        paragraph (1) shall require agencies to share with the Director 
        of the Cybersecurity and Infrastructure Security Agency data 
        demonstrating the performance of the agency with the updated 
        metrics included in that guidance against the metrics developed 
        under subsection (a)(1)(A).</DELETED>
<DELETED>    (d) Congressional Reports.--</DELETED>
        <DELETED>    (1) Updated metrics.--Not later than 30 days after 
        the date on which the Director of the Cybersecurity and 
        Infrastructure Security completes the evaluation required under 
        subsection (a)(1)(B), the Director of the Cybersecurity and 
        Infrastructure Security Agency shall submit to the appropriate 
        congressional committees a report on the updated metrics 
        developed under subsection (a)(1)(A).</DELETED>
        <DELETED>    (2) Program.--Not later than 180 days after the 
        date on which guidance is promulgated under subsection (b)(1), 
        the Director shall submit to the appropriate congressional 
        committees a report on the results of the use of the updated 
        metrics developed under subsection (a)(1)(A) by 
        agencies.</DELETED>

<DELETED>SEC. 204. DATA AND LOGGING RETENTION FOR INCIDENT 
              RESPONSE.</DELETED>

<DELETED>    (a) Recommendations.--Not later than 60 days after the 
date of enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency, in consultation with the Attorney 
General and the National Cyber Director, shall submit to the Director 
recommendations on requirements for logging events on agency systems 
and retaining other relevant data within the systems and networks of an 
agency.</DELETED>
<DELETED>    (b) Contents.--The recommendations provided under 
subsection (a) shall include--</DELETED>
        <DELETED>    (1) the types of logs to be maintained;</DELETED>
        <DELETED>    (2) the time periods to retain the logs and other 
        relevant data;</DELETED>
        <DELETED>    (3) the time periods for agencies to enable 
        recommended logging and security requirements;</DELETED>
        <DELETED>    (4) how to ensure the confidentiality, integrity, 
        and availability of logs;</DELETED>
        <DELETED>    (5) requirements to ensure that, upon request, 
        agencies provide logs to--</DELETED>
                <DELETED>    (A) the Director of the Cybersecurity and 
                Infrastructure Security Agency for a cybersecurity 
                purpose; and</DELETED>
                <DELETED>    (B) the Federal Bureau of Investigation to 
                investigate potential criminal activity; and</DELETED>
        <DELETED>    (6) ensuring the highest level security operations 
        center of each agency has visibility into all agency 
        logs.</DELETED>
<DELETED>    (c) Guidance.--Not later than 90 days after receiving the 
recommendations submitted under subsection (a), the Director, in 
consultation with the Director of the Cybersecurity and Infrastructure 
Security Agency and the Attorney General, shall promulgate guidance to 
agencies to establish requirements for logging, log retention, log 
management, and sharing of log data with other appropriate 
agencies.</DELETED>
<DELETED>    (d) Periodic Review.--Not later than 2 years after the 
date on which the Director of the Cybersecurity and Infrastructure 
Security Agency submits the recommendations required under subsection 
(a), and not less frequently than every 2 years thereafter, the 
Director of the Cybersecurity and Infrastructure Security Agency, in 
consultation with the Attorney General, shall evaluate the 
recommendations and provide an update on the recommendations to the 
Director as necessary.</DELETED>

<DELETED>SEC. 205. CISA AGENCY ADVISORS.</DELETED>

<DELETED>    (a) In General.--Not later than 120 days after the date of 
enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency shall assign not less than 1 
cybersecurity professional employed by the Cybersecurity and 
Infrastructure Security Agency to be the Cybersecurity and 
Infrastructure Security Agency advisor to the Chief Information Officer 
of each agency.</DELETED>
<DELETED>    (b) Qualifications.--Each advisor assigned under 
subsection (a) shall have knowledge of--</DELETED>
        <DELETED>    (1) cybersecurity threats facing agencies, 
        including any specific threats to the assigned 
        agency;</DELETED>
        <DELETED>    (2) performing risk assessments of agency systems; 
        and</DELETED>
        <DELETED>    (3) other Federal cybersecurity 
        initiatives.</DELETED>
<DELETED>    (c) Duties.--The duties of each advisor assigned under 
subsection (a) shall include--</DELETED>
        <DELETED>    (1) providing ongoing assistance and advice, as 
        requested, to the agency Chief Information Officer;</DELETED>
        <DELETED>    (2) serving as an incident response point of 
        contact between the assigned agency and the Cybersecurity and 
        Infrastructure Security Agency; and</DELETED>
        <DELETED>    (3) familiarizing themselves with agency systems, 
        processes, and procedures to better facilitate support to the 
        agency in responding to incidents.</DELETED>
<DELETED>    (d) Limitation.--An advisor assigned under subsection (a) 
shall not be a contractor.</DELETED>
<DELETED>    (e) Multiple Assignments.--One individual advisor may be 
assigned to multiple agency Chief Information Officers under subsection 
(a).</DELETED>

<DELETED>SEC. 206. FEDERAL PENETRATION TESTING POLICY.</DELETED>

<DELETED>    (a) In General.--Subchapter II of chapter 35 of title 44, 
United States Code, is amended by adding at the end the 
following:</DELETED>
<DELETED>``Sec. 3559A. Federal penetration testing</DELETED>
<DELETED>    ``(a) Definitions.--In this section:</DELETED>
        <DELETED>    ``(1) Agency operational plan.--The term `agency 
        operational plan' means a plan of an agency for the use of 
        penetration testing.</DELETED>
        <DELETED>    ``(2) Rules of engagement.--The term `rules of 
        engagement' means a set of rules established by an agency for 
        the use of penetration testing.</DELETED>
<DELETED>    ``(b) Guidance.--</DELETED>
        <DELETED>    ``(1) In general.--Not later than 180 days after 
        the date of enactment of this Act, the Director shall issue 
        guidance that--</DELETED>
                <DELETED>    ``(A) requires agencies to use, when and 
                where appropriate, penetration testing on agency 
                systems; and</DELETED>
                <DELETED>    ``(B) requires agencies to develop an 
                agency operational plan and rules of engagement that 
                meet the requirements under subsection (c).</DELETED>
        <DELETED>    ``(2) Penetration testing guidance.--The guidance 
        issued under this section shall--</DELETED>
                <DELETED>    ``(A) permit an agency to use, for the 
                purpose of performing penetration testing--</DELETED>
                        <DELETED>    ``(i) a shared service of the 
                        agency or another agency; or</DELETED>
                        <DELETED>    ``(ii) an external entity, such as 
                        a vendor;</DELETED>
                <DELETED>    ``(B) include templates and frameworks for 
                reporting the results of penetration testing, without 
                regard to the status of the entity that performs the 
                penetration testing; and</DELETED>
                <DELETED>    ``(C) require agencies to provide the 
                rules of engagement and results of penetration testing 
                to the Director and the Director of the Cybersecurity 
                and Infrastructure Security Agency, without regard to 
                the status of the entity that performs the penetration 
                testing.</DELETED>
<DELETED>    ``(c) Agency Plans and Rules of Engagement.--The agency 
operational plan and rules of engagement of an agency shall--</DELETED>
        <DELETED>    ``(1) require the agency to perform penetration 
        testing on the high value assets of the agency;</DELETED>
        <DELETED>    ``(2) establish guidelines for avoiding, as a 
        result of penetration testing--</DELETED>
                <DELETED>    ``(A) adverse impacts to the operations of 
                the agency;</DELETED>
                <DELETED>    ``(B) adverse impacts to operational 
                networks and systems of the agency; and</DELETED>
                <DELETED>    ``(C) inappropriate access to 
                data;</DELETED>
        <DELETED>    ``(3) require the results of penetration testing 
        to include feedback to improve the cybersecurity of the agency; 
        and</DELETED>
        <DELETED>    ``(4) include mechanisms for providing 
        consistently formatted, and, if applicable, automated and 
        machine-readable, data to the Director and the Director of the 
        Cybersecurity and Infrastructure Security Agency.</DELETED>
<DELETED>    ``(d) Responsibilities of CISA.--The Director of the 
Cybersecurity and Infrastructure Security Agency shall--</DELETED>
        <DELETED>    ``(1) establish a certification process for the 
        performance of penetration testing by both Federal and non-
        Federal entities that establishes minimum quality controls for 
        penetration testing;</DELETED>
        <DELETED>    ``(2) develop operational guidance for instituting 
        penetration testing programs at agencies;</DELETED>
        <DELETED>    ``(3) develop and maintain a centralized 
        capability to offer penetration testing as a service to Federal 
        and non-Federal entities; and</DELETED>
        <DELETED>    ``(4) provide guidance to agencies on the best use 
        of penetration testing resources.</DELETED>
<DELETED>    ``(e) Responsibilities of OMB.--The Director, in 
coordination with the Director of the Cybersecurity and Infrastructure 
Security Agency, shall--</DELETED>
        <DELETED>    ``(1) not less frequently than annually, inventory 
        all Federal penetration testing assets; and</DELETED>
        <DELETED>    ``(2) develop and maintain a Federal strategy for 
        the use of penetration testing.</DELETED>
<DELETED>    ``(f) Prioritization of Penetration Testing Resources.--
</DELETED>
        <DELETED>    ``(1) In general.--The Director, in coordination 
        with the Director of the Cybersecurity and Infrastructure 
        Security Agency, shall develop a framework for prioritizing 
        Federal penetration testing resources among agencies.</DELETED>
        <DELETED>    ``(2) Considerations.--In developing the framework 
        under this subsection, the Director shall consider--</DELETED>
                <DELETED>    ``(A) agency system risk assessments 
                performed under section 3554(a)(1)(A);</DELETED>
                <DELETED>    ``(B) the Federal risk assessment 
                performed under section 3553(i);</DELETED>
                <DELETED>    ``(C) the analysis of Federal incident 
                data performed under section 3597; and</DELETED>
                <DELETED>    ``(D) any other information determined 
                appropriate by the Director or the Director of the 
                Cybersecurity and Infrastructure Security 
                Agency.''.</DELETED>
<DELETED>    (b) Clerical Amendment.--The table of sections for chapter 
35 of title 44, United States Code, is amended by adding after the item 
relating to section 3559 the following:</DELETED>

<DELETED>``3559A. Federal penetration testing.''.
<DELETED>    (c) Penetration Testing by the Secretary of Homeland 
Security.--Section 3553(b) of title 44, United States Code, as amended 
by section 1705 of the William M. (Mac) Thornberry National Defense 
Authorization Act for Fiscal Year 2021 (Public Law 116-283) and section 
101, is further amended--</DELETED>
        <DELETED>    (1) in paragraph (8)(B), by striking ``and'' at 
        the end;</DELETED>
        <DELETED>    (2) by redesignating paragraph (9) as paragraph 
        (10); and</DELETED>
        <DELETED>    (3) by inserting after paragraph (8) the 
        following:</DELETED>
        <DELETED>    ``(9) performing penetration testing with or 
        without advance notice to, or authorization from, agencies, to 
        identify vulnerabilities within Federal information systems; 
        and''.</DELETED>

<DELETED>SEC. 207. ONGOING THREAT HUNTING PROGRAM.</DELETED>

<DELETED>    (a) Threat Hunting Program.--</DELETED>
        <DELETED>    (1) In general.--Not later than 540 days after the 
        date of enactment of this Act, the Director of the 
        Cybersecurity and Infrastructure Security Agency shall 
        establish a program to provide ongoing, hypothesis-driven 
        threat-hunting services on the network of each 
        agency.</DELETED>
        <DELETED>    (2) Plan.--Not later than 180 days after the date 
        of enactment of this Act, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall develop a plan to 
        establish the program required under paragraph (1) that 
        describes how the Director of the Cybersecurity and 
        Infrastructure Security Agency plans to--</DELETED>
                <DELETED>    (A) determine the method for collecting, 
                storing, accessing, and analyzing appropriate agency 
                data;</DELETED>
                <DELETED>    (B) provide on-premises support to 
                agencies;</DELETED>
                <DELETED>    (C) staff threat hunting 
                services;</DELETED>
                <DELETED>    (D) allocate available human and financial 
                resources to implement the plan; and</DELETED>
                <DELETED>    (E) provide input to the heads of agencies 
                on the use of--</DELETED>
                        <DELETED>    (i) more stringent standards under 
                        section 11331(c)(1) of title 40, United States 
                        Code; and</DELETED>
                        <DELETED>    (ii) additional cybersecurity 
                        procedures under section 3554 of title 44, 
                        United States Code.</DELETED>
<DELETED>    (b) Reports.--The Director of the Cybersecurity and 
Infrastructure Security Agency shall submit to the appropriate 
congressional committees--</DELETED>
        <DELETED>    (1) not later than 30 days after the date on which 
        the Director of the Cybersecurity and Infrastructure Security 
        Agency completes the plan required under subsection (a)(2), a 
        report on the plan to provide threat hunting services to 
        agencies;</DELETED>
        <DELETED>    (2) not less than 30 days before the date on which 
        the Director of the Cybersecurity and Infrastructure Security 
        Agency begins providing threat hunting services under the 
        program, a report providing any updates to the plan developed 
        under subsection (a)(2); and</DELETED>
        <DELETED>    (3) not later than 1 year after the date on which 
        the Director of the Cybersecurity and Infrastructure Security 
        Agency begins providing threat hunting services to agencies 
        other than the Cybersecurity and Infrastructure Security 
        Agency, a report describing lessons learned from providing 
        those services.</DELETED>

<DELETED>SEC. 208. CODIFYING VULNERABILITY DISCLOSURE 
              PROGRAMS.</DELETED>

<DELETED>    (a) In General.--Chapter 35 of title 44, United States 
Code, is amended by inserting after section 3559A, as added by section 
206 of this Act, the following:</DELETED>
<DELETED>``Sec. 3559B. Federal vulnerability disclosure 
              programs</DELETED>
<DELETED>    ``(a) Definitions.--In this section:</DELETED>
        <DELETED>    ``(1) Report.--The term `report' means a 
        vulnerability disclosure made to an agency by a 
        reporter.</DELETED>
        <DELETED>    ``(2) Reporter.--The term `reporter' means an 
        individual that submits a vulnerability report pursuant to the 
        vulnerability disclosure process of an agency.</DELETED>
<DELETED>    ``(b) Responsibilities of OMB.--</DELETED>
        <DELETED>    ``(1) Limitation on legal action.--The Director, 
        in consultation with the Attorney General, shall issue guidance 
        to agencies to not recommend or pursue legal action against a 
        reporter or an individual that conducts a security research 
        activity that the head of the agency determines--</DELETED>
                <DELETED>    ``(A) represents a good faith effort to 
                follow the vulnerability disclosure policy developed 
                under subsection (d)(2) of the agency; and</DELETED>
                <DELETED>    ``(B) is authorized under the 
                vulnerability disclosure policy developed under 
                subsection (d)(2) of the agency.</DELETED>
        <DELETED>    ``(2) Sharing information with cisa.--The 
        Director, in coordination with the Director of the 
        Cybersecurity and Infrastructure Security Agency, shall issue 
        guidance to agencies on sharing relevant information in a 
        consistent, automated, and machine readable manner with the 
        Cybersecurity and Infrastructure Security Agency, including--
        </DELETED>
                <DELETED>    ``(A) any valid or credible reports of 
                newly discovered or not publicly known vulnerabilities 
                (including misconfigurations) on an agency information 
                system that uses commercial software or 
                services;</DELETED>
                <DELETED>    ``(B) information relating to 
                vulnerability disclosure, coordination, or remediation 
                activities of an agency, particularly as those 
                activities relate to outside organizations--</DELETED>
                        <DELETED>    ``(i) with which the head of the 
                        agency believes the Director of the 
                        Cybersecurity and Infrastructure Security Agency 
                        can assist; or</DELETED>
                        <DELETED>    ``(ii) about which the head of the 
                        agency believes the Director of the 
                        Cybersecurity and Infrastructure Security Agency 
                        should know; and</DELETED>
                <DELETED>    ``(C) any other information with respect 
                to which the head of the agency determines helpful or 
                necessary to involve the Cybersecurity and 
                Infrastructure Security Agency.</DELETED>
        <DELETED>    ``(3) Agency vulnerability disclosure policies.--
        </DELETED>
                <DELETED>    ``(A) In general.--The Director shall 
                issue guidance to agencies on the required minimum 
                scope of agency systems covered by the vulnerability 
                disclosure policy of an agency required under 
                subsection (d)(2).</DELETED>
                <DELETED>    ``(B) Deadline.--Not later than 2 years 
                after the date of enactment of the Federal Information 
                Security Modernization Act of 2021, the Director shall 
                update the guidance issued under subparagraph (A) to 
                require that every agency system that is connected to 
                the internet is covered by the vulnerability disclosure 
                policy of the agency.</DELETED>
<DELETED>    ``(c) Responsibilities of CISA.--The Director of the 
Cybersecurity and Infrastructure Security Agency shall--</DELETED>
        <DELETED>    ``(1) provide support to agencies with respect to 
        the implementation of the requirements of this 
        section;</DELETED>
        <DELETED>    ``(2) develop tools, processes, and other 
        mechanisms determined appropriate to offer agencies 
        capabilities to implement the requirements of this section; 
        and</DELETED>
        <DELETED>    ``(3) upon a request by an agency, assist the 
        agency in the disclosure to vendors of newly identified 
        vulnerabilities in vendor products and services.</DELETED>
<DELETED>    ``(d) Responsibilities of Agencies.--</DELETED>
        <DELETED>    ``(1) Public information.--The head of each agency 
        shall make publicly available, with respect to each internet 
        domain under the control of the agency that is not a national 
        security system--</DELETED>
                <DELETED>    ``(A) an appropriate security contact; 
                and</DELETED>
                <DELETED>    ``(B) the component of the agency that is 
                responsible for the internet accessible services 
                offered at the domain.</DELETED>
        <DELETED>    ``(2) Vulnerability disclosure policy.--The head 
        of each agency shall develop and make publicly available a 
        vulnerability disclosure policy for the agency, which shall--
        </DELETED>
                <DELETED>    ``(A) describe--</DELETED>
                        <DELETED>    ``(i) the scope of the systems of 
                        the agency included in the vulnerability 
                        disclosure policy;</DELETED>
                        <DELETED>    ``(ii) the type of information 
                        system testing that is authorized by the 
                        agency;</DELETED>
                        <DELETED>    ``(iii) the type of information 
                        system testing that is not authorized by the 
                        agency; and</DELETED>
                        <DELETED>    ``(iv) the disclosure policy of 
                        the agency for sensitive information;</DELETED>
                <DELETED>    ``(B) include a provision that authorizes 
                the anonymous submission of a vulnerability by a 
                reporter;</DELETED>
                <DELETED>    ``(C) with respect to a report to an 
                agency, describe--</DELETED>
                        <DELETED>    ``(i) how the reporter should 
                        submit the report; and</DELETED>
                        <DELETED>    ``(ii) if the report is not 
                        anonymous under subparagraph (B), when the 
                        reporter should anticipate an acknowledgment of 
                        receipt of the report by the agency; 
                        and</DELETED>
                <DELETED>    ``(D) include any other relevant 
                information.</DELETED>
        <DELETED>    ``(3) Identified vulnerabilities.--The head of 
        each agency shall incorporate any vulnerabilities reported 
        under paragraph (2) into the vulnerability management process 
        of the agency in order to track and remediate the 
        vulnerability.</DELETED>
<DELETED>    ``(e) Paperwork Reduction Act Exemption.--The requirements 
of subchapter I (commonly known as the `Paperwork Reduction Act') shall 
not apply to a vulnerability disclosure program established under this 
section.</DELETED>
<DELETED>    ``(f) Congressional Reporting.--Not later than 90 days 
after the date of enactment of the Federal Information Security 
Modernization Act of 2021, and annually thereafter for a 3-year period, 
the Director shall provide to the Committee on Homeland Security and 
Governmental Affairs of the Senate and the Committee on Oversight and 
Reform of the House of Representatives a briefing on the status of the 
use of vulnerability disclosure policies under this section at 
agencies, including, with respect to the guidance issued under 
subsection (b)(3), an identification of the agencies that are compliant 
and not compliant.''.</DELETED>
<DELETED>    (b) Clerical Amendment.--The table of sections for chapter 
35 of title 44, United States Code, is amended by adding after the item 
relating to section 3559A the following:</DELETED>

<DELETED>``3559B. Federal vulnerability disclosure programs.''.

<DELETED>SEC. 209. IMPLEMENTING PRESUMPTION OF COMPROMISE AND ZERO 
              TRUST ARCHITECTURES.</DELETED>

<DELETED>    (a) Recommendations.--Not later than 60 days after the 
date of enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency, in consultation with the Director of 
the National Institute of Standards and Technology, shall develop 
recommendations to increase the internal defenses of agency systems 
to--</DELETED>
        <DELETED>    (1) limit the ability of entities that cause 
        incidents to move laterally through or between agency 
        systems;</DELETED>
        <DELETED>    (2) identify incidents more quickly;</DELETED>
        <DELETED>    (3) isolate and remove unauthorized entities from 
        agency systems more quickly;</DELETED>
        <DELETED>    (4) implement zero trust architecture; 
        and</DELETED>
        <DELETED>    (5) otherwise increase the resource costs for 
        entities that cause incidents.</DELETED>
<DELETED>    (b) OMB Guidance.--Not later than 180 days after the date 
on which the recommendations under subsection (a) are completed, the 
Director shall issue guidance to agencies that requires the 
implementation of the recommendations.</DELETED>
<DELETED>    (c) Agency Implementation Plans.--Not later than 60 days 
after the date on which the Director issues guidance under subsection 
(b), the head of each agency shall submit to the Director a plan to 
implement zero trust architecture that includes--</DELETED>
        <DELETED>    (1) a description of any steps the agency has 
        completed;</DELETED>
        <DELETED>    (2) an identification of activities that will have 
        the most immediate security impact; and</DELETED>
        <DELETED>    (3) a schedule to implement the plan.</DELETED>
<DELETED>    (d) Report and Briefing.--Not later than 90 days after the 
date on which the Director issues guidance required under subsection 
(b), the Director shall provide a briefing to the appropriate 
congressional committees on the guidance and the agency implementation 
plans submitted under subsection (c).</DELETED>

<DELETED>SEC. 210. AUTOMATION REPORTS.</DELETED>

<DELETED>    (a) OMB Report.--Not later than 180 days after the date of 
enactment of this Act, the Director shall submit to the appropriate 
congressional committees a report on the use of automation under 
paragraphs (1), (5)(C) and (7)(B) of section 3554(b) of title 44, 
United States Code.</DELETED>
<DELETED>    (b) GAO Report.--Not later than 1 year after the date of 
enactment of this Act, the Comptroller General of the United States 
shall perform a study on the use of automation and machine readable 
data across the Federal Government for cybersecurity purposes, 
including the automated updating of cybersecurity tools, sensors, or 
processes by agencies.</DELETED>

<DELETED>SEC. 211. EXTENSION OF FEDERAL ACQUISITION SECURITY 
              COUNCIL.</DELETED>

<DELETED>    Section 1328 of title 41, United States Code, is amended 
by striking ``the date'' and all that follows and inserting ``December 
31, 2026.''.</DELETED>

         <DELETED>TITLE III--PILOT PROGRAMS TO ENHANCE FEDERAL 
                        CYBERSECURITY</DELETED>

<DELETED>SEC. 301. CONTINUOUS INDEPENDENT FISMA EVALUATION 
              PILOT.</DELETED>

<DELETED>    (a) In General.--Not later than 2 years after the date of 
enactment of this Act, the Director, in coordination with the Director 
of the Cybersecurity and Infrastructure Security Agency, shall 
establish a pilot program to perform continual agency auditing of the 
standards promulgated under section 11331 of title 40, United States 
Code.</DELETED>
<DELETED>    (b) Purpose.--</DELETED>
        <DELETED>    (1) In general.--The purpose of the pilot program 
        established under subsection (a) shall be to develop the 
        capability to continuously audit agency cybersecurity postures, 
        rather than performing an annual audit.</DELETED>
        <DELETED>    (2) Use of information.--It is the sense of 
        Congress that information relating to agency cybersecurity 
        postures should be used, on an ongoing basis, to increase 
        agency understanding of cybersecurity risk and improve agency 
        cybersecurity.</DELETED>
<DELETED>    (c) Participating Agencies.--</DELETED>
        <DELETED>    (1) In general.--The Director, in coordination 
        with the Council of the Inspectors General on Integrity and 
        Efficiency and in consultation with the Director of the 
        Cybersecurity and Infrastructure Security Agency, shall 
        identify not less than 1 agency and the Inspector General of 
        each identified agency to participate in the pilot program 
        established under subsection (a).</DELETED>
        <DELETED>    (2) Capabilities of agency.--An agency selected 
        under paragraph (1) shall have advanced cybersecurity 
        capabilities, including the capability to implement 
        verification specifications and other automated and machine-
        readable means of sharing information.</DELETED>
        <DELETED>    (3) Capabilities of inspector general.--The 
        Inspector General of an agency selected under paragraph (1) 
        shall have advanced cybersecurity capabilities, including the 
        ability--</DELETED>
                <DELETED>    (A) to perform real-time or almost real-
                time and continuous analysis of the use of verification 
                specifications by the agency to assess compliance with 
                standards promulgated under section 11331 of title 40, 
                United States Code; and</DELETED>
                <DELETED>    (B) to assess the impact and deployment of 
                additional cybersecurity procedures.</DELETED>
<DELETED>    (d) Duties.--The Director, in coordination with the 
Council of the Inspectors General on Integrity and Efficiency, the 
Director of the Cybersecurity and Infrastructure Security Agency, and 
the head of each agency participating in the pilot program under 
subsection (c), shall develop processes and procedures to perform a 
continuous independent evaluation of--</DELETED>
        <DELETED>    (1) the compliance of the agency with--</DELETED>
                <DELETED>    (A) the standards promulgated under 
                section 11331 of title 40, United States Code, using 
                verification specifications to the greatest extent 
                practicable; and</DELETED>
                <DELETED>    (B) any additional cybersecurity 
                procedures implemented by the agency as a result of the 
                evaluation performed under section 3554(a)(1)(F) of 
                title 44, United States Code; and</DELETED>
        <DELETED>    (2) the overall cybersecurity posture of the 
        agency, which may include an evaluation of--</DELETED>
                <DELETED>    (A) the status of cybersecurity remedial 
                actions of the agency;</DELETED>
                <DELETED>    (B) any vulnerability information relating 
                to agency systems that is known to the 
                agency;</DELETED>
                <DELETED>    (C) incident information of the 
                agency;</DELETED>
                <DELETED>    (D) penetration testing performed by an 
                external entity under section 3559A of title 44, United 
                States Code;</DELETED>
                <DELETED>    (E) information from the vulnerability 
                disclosure program established under section 3559B of 
                title 44, United States Code;</DELETED>
                <DELETED>    (F) agency threat hunting results; 
                and</DELETED>
                <DELETED>    (G) any other information determined 
                relevant by the Director.</DELETED>
<DELETED>    (e) Independent Evaluation Waiver.--With respect to an 
agency that participates in the pilot program under subsection (a) 
during any year other than the first year during which the pilot 
program is conducted, the Director, with the concurrence of the 
Director of the Cybersecurity and Infrastructure Security Agency, may 
waive any requirement of the agency with respect to the annual 
independent evaluation under section 3555 of title 44, United States 
Code.</DELETED>
<DELETED>    (f) Duration.--The pilot program established under this 
section--</DELETED>
        <DELETED>    (1) shall be performed over a period of not less 
        than 2 years at each agency that participates in the pilot 
        program under subsection (c), unless the Director, in 
        consultation with the Director of the Cybersecurity and 
        Infrastructure Security Agency and the Council of the 
        Inspectors General on Integrity and Efficiency, determines that 
        continuing the pilot program would reduce the cybersecurity of 
        the agency; and</DELETED>
        <DELETED>    (2) may be extended by the Director, in 
        consultation with the Director of the Cybersecurity and 
        Infrastructure Security Agency and the Council of the 
        Inspectors General on Integrity and Efficiency, if the Director 
        makes the determination described in paragraph (1).</DELETED>
<DELETED>    (g) Reports.--</DELETED>
        <DELETED>    (1) Pilot program plan.--Before identifying any 
        agencies to participate in the pilot program under subsection 
        (c), the Director, in coordination with the Director of the 
        Cybersecurity and Infrastructure Security Agency and the 
        Council of the Inspectors General on Integrity and Efficiency, 
        shall submit to the appropriate congressional committees a plan 
        for the pilot program that outlines selection criteria and 
        preliminary plans to implement the pilot program.</DELETED>
        <DELETED>    (2) Briefing.--Before commencing a continuous 
        independent evaluation of any agency under the pilot program 
        established under subsection (a), the Director shall provide to 
        the appropriate congressional committees a briefing on--
        </DELETED>
                <DELETED>    (A) the selection of agencies to 
                participate in the pilot program; and</DELETED>
                <DELETED>    (B) processes and procedures to perform a 
                continuous independent evaluation of 
                agencies.</DELETED>
        <DELETED>    (3) Pilot results.--Not later than 60 days after 
        the final day of each year during which an agency participates 
        in the pilot program established under subsection (a), the 
        Director, in coordination with the Director of the 
        Cybersecurity and Infrastructure Security Agency and the 
        Council of the Inspectors General on Integrity and Efficiency, 
        shall submit to the appropriate congressional committees a 
        report on the results of the pilot program for each agency that 
        participates in the pilot program during that year.</DELETED>

<DELETED>SEC. 302. ACTIVE CYBER DEFENSIVE PILOT.</DELETED>

<DELETED>    (a) Definition.--In this section, the term ``active 
defense technique''--</DELETED>
        <DELETED>    (1) means an action taken on the systems of an 
        entity to increase the security of information on the network 
        of an agency by misleading an adversary; and</DELETED>
        <DELETED>    (2) includes a honeypot, deception, or 
        purposefully feeding false or misleading data to an adversary 
        when the adversary is on the systems of the entity.</DELETED>
<DELETED>    (b) Study.--Not later than 180 days after the date of 
enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency shall perform a study on the use of 
active defense techniques to enhance the security of agencies, which 
shall include--</DELETED>
        <DELETED>    (1) a review of legal restrictions on the use of 
        different active cyber defense techniques on Federal 
        networks;</DELETED>
        <DELETED>    (2) an evaluation of--</DELETED>
                <DELETED>    (A) the efficacy of a selection of active 
                defense techniques determined by the Director of the 
                Cybersecurity and Infrastructure Security Agency; 
                and</DELETED>
                <DELETED>    (B) factors that impact the efficacy of 
                the active defense techniques evaluated under 
                subparagraph (A); and</DELETED>
        <DELETED>    (3) the development of a framework for the use of 
        different active defense techniques by agencies.</DELETED>
<DELETED>    (c) Pilot Program.--Not later than 180 days after the date 
of enactment of this Act, the Director, in coordination with the 
Director of the Cybersecurity and Infrastructure Security Agency, shall 
establish a pilot program at not less than 2 agencies to implement, and 
assess the effectiveness of, not less than 1 active cyber defense 
technique.</DELETED>
<DELETED>    (d) Purpose.--The purpose of the pilot program established 
under subsection (c) shall be to--</DELETED>
        <DELETED>    (1) identify any statutory or policy limitations 
        on using active defense techniques;</DELETED>
        <DELETED>    (2) understand the efficacy of using active 
        defense techniques; and</DELETED>
        <DELETED>    (3) implement the use of effective techniques to 
        improve agency systems.</DELETED>
<DELETED>    (e) Plan.--Not later than 360 days after the date of 
enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency, in coordination with the Director, 
shall develop a plan to offer any active defense technique determined 
to be successful during the pilot program established under subsection 
(c) as a shared service to other agencies.</DELETED>
<DELETED>    (f) Reports.--Not later than 1 year after the date of 
enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency shall--</DELETED>
        <DELETED>    (1) provide to the appropriate congressional 
        committees a briefing on--</DELETED>
                <DELETED>    (A) the results of the study performed 
                under subsection (b); and</DELETED>
                <DELETED>    (B) the agencies selected to participate 
                in the pilot program established under subsection 
                (c);</DELETED>
        <DELETED>    (2) submit to the appropriate congressional 
        committees a report on the results of the pilot program 
        established under subsection (c), including any recommendations 
        developed from the results of the pilot program; and</DELETED>
        <DELETED>    (3) submit to the appropriate congressional 
        committees a copy of the plan developed under subsection 
        (e).</DELETED>
<DELETED>    (g) Sunset.--</DELETED>
        <DELETED>    (1) In general.--The requirements of this section 
        shall terminate on the date that is 3 years after the date of 
        enactment of this Act.</DELETED>
        <DELETED>    (2) Authority to continue use of techniques.--
        Notwithstanding paragraph (1), after the date described in 
        paragraph (1), the Director of the Cybersecurity and 
        Infrastructure Security Agency may continue to offer any active 
        defense technique determined to be successful during the pilot 
        program established under subsection (c) as a shared service to 
        agencies.</DELETED>

<DELETED>SEC. 303. SECURITY OPERATIONS CENTER AS A SERVICE 
              PILOT.</DELETED>

<DELETED>    (a) Purpose.--The purpose of this section is for the 
Cybersecurity and Infrastructure Security Agency to run a security 
operation center on behalf of another agency, alleviating the need to 
duplicate this function at every agency, and empowering a greater 
centralized cybersecurity capability.</DELETED>
<DELETED>    (b) Plan.--Not later than 1 year after the date of 
enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency shall develop a plan to establish a 
centralized Federal security operations center shared service offering 
within the Cybersecurity and Infrastructure Security Agency.</DELETED>
<DELETED>    (c) Contents.--The plan required under subsection (b) 
shall include considerations for--</DELETED>
        <DELETED>    (1) collecting, organizing, and analyzing agency 
        information system data in real time;</DELETED>
        <DELETED>    (2) staffing and resources; and</DELETED>
        <DELETED>    (3) appropriate interagency agreements, concepts 
        of operations, and governance plans.</DELETED>
<DELETED>    (d) Pilot Program.--</DELETED>
        <DELETED>    (1) In general.--Not later than 180 days after the 
        date on which the plan required under subsection (b) is 
        developed, the Director of the Cybersecurity and Infrastructure 
        Security Agency, in consultation with the Director, shall enter 
        into a 1-year agreement with not less than 2 agencies to offer 
        a security operations center as a shared service.</DELETED>
        <DELETED>    (2) Additional agreements.--After the date on 
        which the briefing required under subsection (e)(1) is 
        provided, the Director of the Cybersecurity and Infrastructure 
        Security Agency, in consultation with the Director, may enter 
        into additional 1-year agreements described in paragraph (1) 
        with agencies.</DELETED>
<DELETED>    (e) Briefing and Report.--</DELETED>
        <DELETED>    (1) Briefing.--Not later than 260 days after the 
        date of enactment of this Act, the Director of the 
        Cybersecurity and Infrastructure Security Agency shall provide 
        to the Committee on Homeland Security and Governmental Affairs 
        of the Senate and the Committee on Homeland Security and the 
        Committee on Oversight and Reform of the House of 
        Representatives a briefing on the parameters of any 1-year 
        agreements entered into under subsection (d)(1).</DELETED>
        <DELETED>    (2) Report.--Not later than 90 days after the date 
        on which the first 1-year agreement entered into under 
        subsection (d) expires, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall submit to the Committee on 
        Homeland Security and Governmental Affairs of the Senate and 
        the Committee on Homeland Security and the Committee on 
        Oversight and Reform of the House of Representatives a report 
        on--</DELETED>
                <DELETED>    (A) the agreement; and</DELETED>
                <DELETED>    (B) any additional agreements entered into 
                with agencies under subsection (d).</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Information Security 
Modernization Act of 2021''.

SEC. 2. TABLE OF CONTENTS.

    The table of contents for this Act is as follows:

Sec. 1. Short title.
Sec. 2. Table of contents.
Sec. 3. Definitions.

                       TITLE I--UPDATES TO FISMA

Sec. 101. Title 44 amendments.
Sec. 102. Amendments to subtitle III of title 40.
Sec. 103. Actions to enhance Federal incident response.
Sec. 104. Additional guidance to agencies on FISMA updates.
Sec. 105. Agency requirements to notify private sector entities 
                            impacted by incidents.

               TITLE II--IMPROVING FEDERAL CYBERSECURITY

Sec. 201. Mobile security standards.
Sec. 202. Data and logging retention for incident response.
Sec. 203. CISA agency advisors.
Sec. 204. Federal penetration testing policy.
Sec. 205. Ongoing threat hunting program.
Sec. 206. Codifying vulnerability disclosure programs.
Sec. 207. Implementing presumption of compromise and least privilege 
                            principles.
Sec. 208. Automation reports.
Sec. 209. Extension of Federal acquisition security council.
Sec. 210. Council of the Inspectors General on Integrity and Efficiency 
                            dashboard.

                   TITLE III--RISK-BASED BUDGET MODEL

Sec. 301. Definitions.
Sec. 302. Establishment of risk-based budget model.

       TITLE IV--PILOT PROGRAMS TO ENHANCE FEDERAL CYBERSECURITY

Sec. 401. Active cyber defensive study.
Sec. 402. Security operations center as a service pilot.

SEC. 3. DEFINITIONS.

    In this Act, unless otherwise specified:
            (1) Additional cybersecurity procedure.--The term 
        ``additional cybersecurity procedure'' has the meaning given 
        the term in section 3552(b) of title 44, United States Code, as 
        amended by this Act.
            (2) Agency.--The term ``agency'' has the meaning given the 
        term in section 3502 of title 44, United States Code.
            (3) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    (B) the Committee on Oversight and Reform of the 
                House of Representatives; and
                    (C) the Committee on Homeland Security of the House 
                of Representatives.
            (4) Director.--The term ``Director'' means the Director of 
        the Office of Management and Budget.
            (5) Incident.--The term ``incident'' has the meaning given 
        the term in section 3552(b) of title 44, United States Code.
            (6) National security system.--The term ``national security 
        system'' has the meaning given the term in section 3552(b) of 
        title 44, United States Code.
            (7) Penetration test.--The term ``penetration test'' has 
        the meaning given the term in section 3552(b) of title 44, 
        United States Code, as amended by this Act.
            (8) Threat hunting.--The term ``threat hunting'' means 
        proactively and iteratively searching for threats to systems 
        that evade detection by automated threat detection systems.

                       TITLE I--UPDATES TO FISMA

SEC. 101. TITLE 44 AMENDMENTS.

    (a) Subchapter I Amendments.--Subchapter I of chapter 35 of title 
44, United States Code, is amended--
            (1) in section 3504--
                    (A) in subsection (a)(1)(B)--
                            (i) by striking clause (v) and inserting 
                        the following:
                    ``(v) confidentiality, disclosure, and sharing of 
                information;'';
                            (ii) by redesignating clause (vi) as clause 
                        (vii); and
                            (iii) by inserting after clause (v) the 
                        following:
                    ``(vi) in consultation with the National Cyber 
                Director and the Director of the Cybersecurity and 
                Infrastructure Security Agency, security of 
                information; and'';
                    (B) in subsection (g), by striking paragraph (1) 
                and inserting the following:
            ``(1) with respect to information collected or maintained 
        by or for agencies--
                    ``(A) develop and oversee the implementation of 
                policies, principles, standards, and guidelines on 
                privacy, confidentiality, disclosure, and sharing of 
                the information; and
                    ``(B) in consultation with the National Cyber 
                Director and the Director of the Cybersecurity and 
                Infrastructure Security Agency, develop and oversee 
                policies, principles, standards, and guidelines on 
                security of the information; and''; and
                    (C) in subsection (h)(1)--
                            (i) in the matter preceding subparagraph 
                        (A)--
                                    (I) by inserting ``the Director of 
                                the Cybersecurity and Infrastructure 
                                Security Agency and the National Cyber 
                                Director,'' before ``the Director''; 
                                and
                                    (II) by inserting a comma before 
                                ``and the Administrator''; and
                            (ii) in subparagraph (A), by inserting 
                        ``security and'' after ``information 
                        technology'';
            (2) in section 3505--
                    (A) in paragraph (3) of the first subsection 
                designated as subsection (c)--
                            (i) in subparagraph (B)--
                                    (I) by inserting ``the Director of 
                                the Cybersecurity and Infrastructure 
                                Security Agency, the National Cyber 
                                Director, and'' before ``the 
                                Comptroller General''; and
                                    (II) by striking ``and'' at the 
                                end;
                            (ii) in subparagraph (C)(v), by striking 
                        the period at the end and inserting ``; and''; 
                        and
                            (iii) by adding at the end the following:
            ``(D) maintained on a continual basis through the use of 
        automation, machine-readable data, and scanning.''; and
                    (B) by striking the second subsection designated as 
                subsection (c);
            (3) in section 3506--
                    (A) in subsection (b)(1)(C), by inserting ``, 
                availability'' after ``integrity''; and
                    (B) in subsection (h)(3), by inserting 
                ``security,'' after ``efficiency,''; and
            (4) in section 3513--
                    (A) by redesignating subsection (c) as subsection 
                (d); and
                    (B) by inserting after subsection (b) the 
                following:
    ``(c) Each agency providing a written plan under subsection (b) 
shall provide any portion of the written plan addressing information 
security or cybersecurity to the Director of the Cybersecurity and 
Infrastructure Security Agency.''.
    (b) Subchapter II Definitions.--
            (1) In general.--Section 3552(b) of title 44, United States 
        Code, is amended--
                    (A) by redesignating paragraphs (1), (2), (3), (4), 
                (5), (6), and (7) as paragraphs (2), (3), (4), (5), 
                (6), (9), and (11), respectively;
                    (B) by inserting before paragraph (2), as so 
                redesignated, the following:
            ``(1) The term `additional cybersecurity procedure' means a 
        process, procedure, or other activity that is established in 
        excess of the information security standards promulgated under 
        section 11331(b) of title 40 to increase the security and 
        reduce the cybersecurity risk of agency systems.'';
                    (C) by inserting after paragraph (6), as so 
                redesignated, the following:
            ``(7) The term `high value asset' means information or an 
        information system that the head of an agency determines so 
        critical to the agency that the loss or corruption of the 
        information or the loss of access to the information system 
        would have a serious impact on the ability of the agency to 
        perform the mission of the agency or conduct business.
            ``(8) The term `major incident' has the meaning given the 
        term in guidance issued by the Director under section 
        3598(a).'';
                    (D) by inserting after paragraph (9), as so 
                redesignated, the following:
            ``(10) The term `penetration test' means a specialized type 
        of assessment that--
                    ``(A) is conducted on an information system or a 
                component of an information system; and
                    ``(B) emulates an attack or other exploitation 
                capability of a potential adversary, typically under 
                specific constraints, in order to identify any 
                vulnerabilities of an information system or a component 
                of an information system that could be exploited.''; 
                and
                    (E) by inserting after paragraph (11), as so 
                redesignated, the following:
            ``(12) The term `shared service' means a centralized 
        business or mission capability that is provided to multiple 
        organizations within an agency or to multiple agencies.''.
            (2) Conforming amendments.--
                    (A) Homeland security act of 2002.--Section 
                1001(c)(1)(A) of the Homeland Security Act of 2002 (6 
                U.S.C. 511(1)(A)) is amended by striking ``section 
                3552(b)(5)'' and inserting ``section 3552(b)''.
                    (B) Title 10.--
                            (i) Section 2222.--Section 2222(i)(8) of 
                        title 10, United States Code, is amended by 
                        striking ``section 3552(b)(6)(A)'' and 
                        inserting ``section 3552(b)(9)(A)''.
                            (ii) Section 2223.--Section 2223(c)(3) of 
                        title 10, United States Code, is amended by 
                        striking ``section 3552(b)(6)'' and inserting 
                        ``section 3552(b)''.
                            (iii) Section 2315.--Section 2315 of title 
                        10, United States Code, is amended by striking 
                        ``section 3552(b)(6)'' and inserting ``section 
                        3552(b)''.
                            (iv) Section 2339a.--Section 2339a(e)(5) of 
                        title 10, United States Code, is amended by 
                        striking ``section 3552(b)(6)'' and inserting 
                        ``section 3552(b)''.
                    (C) High-performance computing act of 1991.--
                Section 207(a) of the High-Performance Computing Act of 
                1991 (15 U.S.C. 5527(a)) is amended by striking 
                ``section 3552(b)(6)(A)(i)'' and inserting ``section 
                3552(b)(9)(A)(i)''.
                    (D) Internet of things cybersecurity improvement 
                act of 2020.--Section 3(5) of the Internet of Things 
                Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-
                3a) is amended by striking ``section 3552(b)(6)'' and 
                inserting ``section 3552(b)''.
                    (E) National defense authorization act for fiscal 
                year 2013.--Section 933(e)(1)(B) of the National 
                Defense Authorization Act for Fiscal Year 2013 (10 
                U.S.C. 2224 note) is amended by striking ``section 
                3542(b)(2)'' and inserting ``section 3552(b)''.
                    (F) Ike skelton national defense authorization act 
                for fiscal year 2011.--The Ike Skelton National Defense 
                Authorization Act for Fiscal Year 2011 (Public Law 111-
                383) is amended--
                            (i) in section 806(e)(5) (10 U.S.C. 2304 
                        note), by striking ``section 3542(b)'' and 
                        inserting ``section 3552(b)'';
                            (ii) in section 931(b)(3) (10 U.S.C. 2223 
                        note), by striking ``section 3542(b)(2)'' and 
                        inserting ``section 3552(b)''; and
                            (iii) in section 932(b)(2) (10 U.S.C. 2224 
                        note), by striking ``section 3542(b)(2)'' and 
                        inserting ``section 3552(b)''.
                    (G) E-government act of 2002.--Section 301(c)(1)(A) 
                of the E-Government Act of 2002 (44 U.S.C. 3501 note) 
                is amended by striking ``section 3542(b)(2)'' and 
                inserting ``section 3552(b)''.
                    (H) National institute of standards and technology 
                act.--Section 20 of the National Institute of Standards 
                and Technology Act (15 U.S.C. 278g-3) is amended--
                            (i) in subsection (a)(2), by striking 
                        ``section 3552(b)(5)'' and inserting ``section 
                        3552(b)''; and
                            (ii) in subsection (f)--
                                    (I) in paragraph (3), by striking 
                                ``section 3532(1)'' and inserting 
                                ``section 3552(b)''; and
                                    (II) in paragraph (5), by striking 
                                ``section 3532(b)(2)'' and inserting 
                                ``section 3552(b)''.
    (c) Subchapter II Amendments.--Subchapter II of chapter 35 of title 
44, United States Code, is amended--
            (1) in section 3551--
                    (A) by redesignating paragraphs (3), (4), (5), and 
                (6) as paragraphs (4), (5), (6), and (7), respectively;
                    (B) by inserting after paragraph (2) the following:
            ``(3) recognize the role of the Cybersecurity and 
        Infrastructure Security Agency as the lead entity for 
        operational cybersecurity coordination across the Federal 
        Government;'';
                    (C) in paragraph (5), as so redesignated, by 
                striking ``diagnose and improve'' and inserting 
                ``integrate, deliver, diagnose, and improve'';
                    (D) in paragraph (6), as so redesignated, by 
                striking ``and'' at the end;
                    (E) in paragraph (7), as so redesignated, by 
                 striking the period at the end and inserting a 
                 semicolon; and
                    (F) by adding at the end the following:
            ``(8) recognize that each agency has specific mission 
        requirements and, at times, unique cybersecurity requirements 
        to meet the mission of the agency;
            ``(9) recognize that each agency does not have the same 
        resources to secure agency systems, and an agency should not be 
        expected to have the capability to secure the systems of the 
        agency from advanced adversaries alone; and
            ``(10) recognize that--
                    ``(A) a holistic Federal cybersecurity model is 
                necessary to account for differences between the 
                missions and capabilities of agencies; and
                    ``(B) in accounting for the differences described 
                in subparagraph (A) and ensuring overall Federal 
                cybersecurity--
                            ``(i) the Office of Management and Budget 
                        is the leader for policy development and 
                        oversight of Federal cybersecurity;
                            ``(ii) the Cybersecurity and Infrastructure 
                        Security Agency is the leader for implementing 
                        operations at agencies; and
                            ``(iii) the National Cyber Director is 
                        responsible for developing the overall 
                        cybersecurity strategy of the United States and 
                        advising the President on matters relating to 
                        cybersecurity.'';
            (2) in section 3553--
                    (A) by striking the section heading and inserting 
                ``Authority and functions of the Director and the 
                Director of the Cybersecurity and Infrastructure 
                 Security Agency'';
                    (B) in subsection (a)--
                            (i) in paragraph (1), by inserting ``in 
                        coordination with the Director of the 
                        Cybersecurity and Infrastructure Security 
                        Agency and the National Cyber Director,'' 
                        before ``developing and overseeing'';
                            (ii) in paragraph (5)--
                                    (I) by inserting ``, in 
                                consultation with the Director of the 
                                Cybersecurity and Infrastructure 
                                Security Agency and the National Cyber 
                                Director,'' before ``agency 
                                compliance''; and
                                    (II) by striking ``and'' at the 
                                end; and
                            (iii) by adding at the end the following:
            ``(8) promoting, in consultation with the Director of the 
        Cybersecurity and Infrastructure Security Agency and the 
        Director of the National Institute of Standards and 
        Technology--
                    ``(A) the use of automation to improve Federal 
                cybersecurity and visibility with respect to the 
                implementation of Federal cybersecurity; and
                    ``(B) the use of presumption of compromise and 
                least privilege principles to improve resiliency and 
                timely response actions to incidents on Federal 
                systems.'';
                    (C) in subsection (b)--
                            (i) by striking the subsection heading and 
                        inserting ``Cybersecurity and Infrastructure 
                        Security Agency'';
                            (ii) in the matter preceding paragraph (1), 
                        by striking ``The Secretary, in consultation 
                        with the Director'' and inserting ``The 
                        Director of the Cybersecurity and 
                        Infrastructure Security Agency, in consultation 
                        with the Director and the National Cyber 
                        Director'';
                            (iii) in paragraph (2)--
                                    (I) in subparagraph (A), by 
                                inserting ``and reporting requirements 
                                under subchapter IV of this title'' 
                                after ``section 3556''; and
                                    (II) in subparagraph (D), by 
                                striking ``the Director or Secretary'' 
                                and inserting ``the Director of the 
                                Cybersecurity and Infrastructure 
                                Security Agency'';
                            (iv) in paragraph (5), by striking 
                        ``coordinating'' and inserting ``leading the 
                        coordination of'';
                            (v) in paragraph (8), by striking ``the 
                        Secretary's discretion'' and inserting ``the 
                        Director of the Cybersecurity and 
                        Infrastructure Security Agency's discretion''; 
                        and
                            (vi) in paragraph (9), by striking ``as the 
                        Director or the Secretary, in consultation with 
                        the Director,'' and inserting ``as the Director 
                        of the Cybersecurity and Infrastructure 
                        Security Agency'';
                    (D) in subsection (c)--
                            (i) in the matter preceding paragraph (1), 
                        by striking ``each year'' and inserting ``each 
                        year during which agencies are required to 
                        submit reports under section 3554(c)'';
                            (ii) by striking paragraph (1);
                            (iii) by redesignating paragraphs (2), (3), 
                        and (4) as paragraphs (1), (2), and (3), 
                        respectively;
                            (iv) in paragraph (3), as so redesignated, 
                        by striking ``and'' at the end;
                            (v) by inserting after paragraph (3), as so 
                         redesignated, the following:
            ``(4) a summary of each assessment of Federal risk posture 
        performed under subsection (i);''; and
                            (vi) in paragraph (5), by striking the 
                        period at the end and inserting ``; and'';
                    (E) by redesignating subsections (i), (j), (k), and 
                 (l) as subsections (j), (k), (l), and (m), respectively;
                    (F) by inserting after subsection (h) the 
                following:
    ``(i) Federal Risk Assessments.--On an ongoing and continuous 
basis, the Director of the Cybersecurity and Infrastructure Security 
Agency shall perform assessments of Federal risk posture using any 
available information on the cybersecurity posture of agencies, and 
brief the Director and National Cyber Director on the findings of those 
assessments including--
            ``(1) the status of agency cybersecurity remedial actions 
        described in section 3554(b)(7);
            ``(2) any vulnerability information relating to the systems 
        of an agency that is known by the agency;
            ``(3) analysis of incident information under section 3597;
            ``(4) evaluation of penetration testing performed under 
        section 3559A;
            ``(5) evaluation of vulnerability disclosure program 
        information under section 3559B;
            ``(6) evaluation of agency threat hunting results;
            ``(7) evaluation of Federal and non-Federal threat 
        intelligence;
            ``(8) data on agency compliance with standards issued under 
        section 11331 of title 40;
            ``(9) agency system risk assessments performed under 
        section 3554(a)(1)(A); and
            ``(10) any other information the Director of the 
        Cybersecurity and Infrastructure Security Agency determines 
        relevant.''; and
                    (G) in subsection (j), as so redesignated--
                            (i) by striking ``regarding the specific'' 
                        and inserting ``that includes a summary of--
            ``(1) the specific'';
                            (ii) in paragraph (1), as so designated, by 
                        striking the period at the end and inserting 
                         ``; and''; and
                            (iii) by adding at the end the following:
            ``(2) the trends identified in the Federal risk assessment 
        performed under subsection (i).''; and
                    (H) by adding at the end the following:
    ``(n) Binding Operational Directives.--If the Director of the 
Cybersecurity and Infrastructure Security Agency issues a binding 
operational directive or an emergency directive under this section, not 
later than 2 days after the date on which the binding operational 
directive requires an agency to take an action, the Director of the 
Cybersecurity and Infrastructure Security Agency shall provide to the 
appropriate reporting entities the status of the implementation of the 
binding operational directive at the agency.'';
            (3) in section 3554--
                    (A) in subsection (a)--
                            (i) in paragraph (1)--
                                    (I) by redesignating subparagraphs 
                                (A), (B), and (C) as subparagraphs (B), 
                                (C), and (D), respectively;
                                    (II) by inserting before 
                                subparagraph (B), as so redesignated, 
                                the following:
                    ``(A) on an ongoing and continuous basis, 
                performing agency system risk assessments that--
                            ``(i) identify and document the high value 
                        assets of the agency using guidance from the 
                        Director;
                            ``(ii) evaluate the data assets inventoried 
                        under section 3511 for sensitivity to 
                        compromises in confidentiality, integrity, and 
                        availability;
                            ``(iii) identify agency systems that have 
                        access to or hold the data assets inventoried 
                        under section 3511;
                            ``(iv) evaluate the threats facing agency 
                        systems and data, including high value assets, 
                        based on Federal and non-Federal cyber threat 
                        intelligence products, where available;
                            ``(v) evaluate the vulnerability of agency 
                        systems and data, including high value assets, 
                        including by analyzing--
                                    ``(I) the results of penetration 
                                testing performed by the Department of 
                                Homeland Security under section 
                                3553(b)(9);
                                    ``(II) the results of penetration 
                                testing performed under section 3559A;
                                    ``(III) information provided to the 
                                agency through the vulnerability 
                                disclosure program of the agency under 
                                section 3559B;
                                    ``(IV) incidents; and
                                    ``(V) any other vulnerability 
                                information relating to agency systems 
                                that is known to the agency;
                            ``(vi) assess the impacts of potential 
                        agency incidents to agency systems, data, and 
                        operations based on the evaluations described 
                        in clauses (ii) and (iv) and the agency systems 
                        identified under clause (iii); and
                            ``(vii) assess the consequences of 
                        potential incidents occurring on agency systems 
                        that would impact systems at other agencies, 
                        including due to interconnectivity between 
                        different agency systems or operational 
                        reliance on the operations of the system or 
                        data in the system;'';
                                    (III) in subparagraph (B), as so 
                                redesignated, in the matter preceding 
                                clause (i), by striking ``providing 
                                information'' and inserting ``using 
                                information from the assessment 
                                conducted under subparagraph (A), 
                                providing, in coordination with the 
                                Director of the Cybersecurity and 
                                Infrastructure Security Agency, 
                                information'';
                                    (IV) in subparagraph (C), as so 
                                redesignated--
                                             (aa) in clause (ii), by 
                                        inserting ``binding'' before 
                                        ``operational''; and
                                            (bb) in clause (vi), by 
                                        striking ``and'' at the end; 
                                        and
                                    (V) by adding at the end the 
                                following:
                    ``(E) providing an update on the ongoing and 
                continuous assessment performed under subparagraph 
                (A)--
                            ``(i) upon request, to the inspector 
                        general of the agency or the Comptroller 
                        General of the United States; and
                            ``(ii) on a periodic basis, as determined 
                        by guidance issued by the Director but not less 
                        frequently than annually, to--
                                    ``(I) the Director;
                                    ``(II) the Director of the 
                                Cybersecurity and Infrastructure 
                                Security Agency; and
                                    ``(III) the National Cyber 
                                Director;
                    ``(F) in consultation with the Director of the 
                Cybersecurity and Infrastructure Security Agency and 
                not less frequently than once every 3 years, performing 
                an evaluation of whether additional cybersecurity 
                procedures are appropriate for securing a system of, or 
                under the supervision of, the agency, which shall--
                            ``(i) be completed considering the agency 
                        system risk assessment performed under 
                        subparagraph (A); and
                            ``(ii) include a specific evaluation for 
                        high value assets;
                    ``(G) not later than 30 days after completing the 
                evaluation performed under subparagraph (F), providing 
                the evaluation and an implementation plan, if 
                applicable, for using additional cybersecurity 
                procedures determined to be appropriate to--
                            ``(i) the Director of the Cybersecurity and 
                        Infrastructure Security Agency;
                            ``(ii) the Director; and
                            ``(iii) the National Cyber Director; and
                    ``(H) if the head of the agency determines there is 
                need for additional cybersecurity procedures, ensuring 
                that those additional cybersecurity procedures are 
                reflected in the budget request of the agency in 
                accordance with the risk-based cyber budget model 
                developed pursuant to section 3553(a)(7);'';
                            (ii) in paragraph (2)--
                                    (I) in subparagraph (A), by 
                                inserting ``in accordance with the 
                                agency system risk assessment performed 
                                under paragraph (1)(A)'' after 
                                ``information systems'';
                                    (II) in subparagraph (B)--
                                            (aa) by striking ``in 
                                        accordance with standards'' and 
                                        inserting ``in accordance 
                                        with--
                            ``(i) standards''; and
                                            (bb) by adding at the end 
                                        the following:
                            ``(ii) the evaluation performed under 
                        paragraph (1)(F); and
                            ``(iii) the implementation plan described 
                        in paragraph (1)(G);''; and
                                    (III) in subparagraph (D), by 
                                inserting ``, through the use of 
                                penetration testing, the vulnerability 
                                disclosure program established under 
                                section 3559B, and other means,'' after 
                                ``periodically'';
                            (iii) in paragraph (3)--
                                    (I) in subparagraph (A)--
                                            (aa) in clause (iii), by 
                                        striking ``and'' at the end;
                                            (bb) in clause (iv), by 
                                        adding ``and'' at the end; and
                                            (cc) by adding at the end 
                                        the following:
                            ``(v) ensure that--
                                    ``(I) senior agency information 
                                security officers of component agencies 
                                carry out responsibilities under this 
                                subchapter, as directed by the senior 
                                agency information security officer of 
                                the agency or an equivalent official; 
                                and
                                    ``(II) senior agency information 
                                security officers of component agencies 
                                report to--
                                            ``(aa) the senior 
                                        information security officer of 
                                        the agency or an equivalent 
                                        official; and
                                            ``(bb) the Chief 
                                        Information Officer of the 
                                        component agency or an 
                                        equivalent official;''; and
                            (iv) in paragraph (5), by inserting ``and 
                        the Director of the Cybersecurity and 
                        Infrastructure Security Agency'' before ``on 
                        the effectiveness'';
                    (B) in subsection (b)--
                            (i) by striking paragraph (1) and inserting 
                        the following:
            ``(1) pursuant to subsection (a)(1)(A), performing ongoing 
        and continuous agency system risk assessments, which may 
        include using guidelines and automated tools consistent with 
        standards and guidelines promulgated under section 11331 of 
        title 40, as applicable;'';
                            (ii) in paragraph (2)--
                                    (I) by striking subparagraph (B) 
                                and inserting the following:
                    ``(B) comply with the risk-based cyber budget model 
                developed pursuant to section 3553(a)(7);''; and
                                    (II) in subparagraph (D)--
                                            (aa) by redesignating 
                                        clauses (iii) and (iv) as 
                                        clauses (iv) and (v), 
                                        respectively;
                                            (bb) by inserting after 
                                        clause (ii) the following:
                            ``(iii) binding operational directives and 
                        emergency directives promulgated by the 
                        Director of the Cybersecurity and 
                        Infrastructure Security Agency under section 
                        3553;''; and
                                            (cc) in clause (iv), as so 
                                        redesignated, by striking ``as 
                                        determined by the agency; and'' 
                                        and inserting ``as determined 
                                        by the agency, considering--
                                    ``(I) the agency risk assessment 
                                performed under subsection (a)(1)(A); 
                                and
                                    ``(II) the determinations of 
                                applying more stringent standards and 
                                additional cybersecurity procedures 
                                pursuant to section 11331(c)(1) of 
                                title 40; and'';
                            (iii) in paragraph (5)(A), by inserting ``, 
                        including penetration testing, as 
                        appropriate,'' after ``shall include testing'';
                            (iv) in paragraph (6), by striking 
                        ``planning, implementing, evaluating, and 
                        documenting'' and inserting ``planning and 
                        implementing and, in consultation with the 
                        Director of the Cybersecurity and 
                        Infrastructure Security Agency, evaluating and 
                        documenting'';
                            (v) by redesignating paragraphs (7) and (8) 
                        as paragraphs (8) and (9), respectively;
                            (vi) by inserting after paragraph (6) the 
                        following:
            ``(7) a process for providing the status of every remedial 
        action and known system vulnerability to the Director and the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, using automation and machine-readable data to the 
        greatest extent practicable;''; and
                            (vii) in paragraph (8)(C), as so 
                        redesignated--
                                    (I) by striking clause (ii) and 
                                inserting the following:
                            ``(ii) notifying and consulting with the 
                        Federal information security incident center 
                        established under section 3556 pursuant to the 
                        requirements of section 3594;'';
                                    (II) by redesignating clause (iii) 
                                as clause (iv);
                                    (III) by inserting after clause 
                                (ii) the following:
                            ``(iii) performing the notifications and 
                        other activities required under subchapter IV 
                        of this title; and''; and
                                    (IV) in clause (iv), as so 
                                redesignated--
                                            (aa) in subclause (I), by 
                                        striking ``and relevant offices 
                                        of inspectors general'';
                                            (bb) in subclause (II), by 
                                        adding ``and'' at the end;
                                            (cc) by striking subclause 
                                        (III); and
                                            (dd) by redesignating 
                                        subclause (IV) as subclause 
                                        (III);
                    (C) in subsection (c)--
                            (i) by redesignating paragraph (2) as 
                        paragraph (5);
                            (ii) by striking paragraph (1) and 
                        inserting the following:
            ``(1) Biannual report.--Not later than 2 years after the 
        date of enactment of the Federal Information Security 
        Modernization Act of 2021 and not less frequently than once 
        every 2 years thereafter, using the continuous and ongoing 
        agency system risk assessment under subsection (a)(1)(A), the 
        head of each agency shall submit to the Director, the Director 
        of the Cybersecurity and Infrastructure Security Agency, the 
        Committee on Homeland Security and Governmental Affairs of the 
        Senate, the Committee on Oversight and Reform of the House of 
        Representatives, the Committee on Homeland Security of the 
        House of Representatives, the appropriate authorization and 
        appropriations committees of Congress, the National Cyber 
        Director, and the Comptroller General of the United States a 
        report that--
                    ``(A) summarizes the agency system risk assessment 
                performed under subsection (a)(1)(A);
                    ``(B) evaluates the adequacy and effectiveness of 
                information security policies, procedures, and 
                practices of the agency to address the risks identified 
                in the agency system risk assessment performed under 
                subsection (a)(1)(A);
                    ``(C) summarizes the evaluation and implementation 
                plans described in subparagraphs (F) and (G) of 
                subsection (a)(1) and whether those evaluation and 
                implementation plans call for the use of additional 
                cybersecurity procedures determined to be appropriate 
                by the agency; and
                    ``(D) summarizes the status of remedial actions 
                identified by the inspector general of the agency, the 
                Comptroller General of the United States, and any other 
                source determined appropriate by the head of the 
                agency.
            ``(2) Unclassified reports.--Each report submitted under 
        paragraph (1)--
                    ``(A) shall be, to the greatest extent practicable, 
                in an unclassified and otherwise uncontrolled form; and
                    ``(B) may include a classified annex.
            ``(3) Access to information.--The head of an agency shall 
        ensure that, to the greatest extent practicable, information is 
        included in the unclassified form of the report submitted by 
        the agency under paragraph (2)(A).
            ``(4) Briefings.--During each year during which a report is 
        not required to be submitted under paragraph (1), the Director 
        shall provide to the congressional committees described in 
        paragraph (1) a briefing summarizing current agency and Federal 
        risk postures.''; and
                            (iii) in paragraph (5), as so redesignated, 
                        by inserting ``including the reporting 
                        procedures established under section 11315(d) 
                        of title 40 and subsection (a)(3)(A)(v) of this 
                        section''; and
                    (D) in subsection (d)(1), in the matter preceding 
                subparagraph (A), by inserting ``and the Director of 
                the Cybersecurity and Infrastructure Security Agency'' 
                after ``the Director''; and
            (4) in section 3555--
                    (A) in the section heading, by striking ``annual 
                independent'' and inserting ``independent'';
                    (B) in subsection (a)--
                            (i) in paragraph (1), by inserting ``during 
                        which a report is required to be submitted 
                        under section 3553(c),'' after ``Each year'';
                            (ii) in paragraph (2)(A), by inserting ``, 
                        including by penetration testing and analyzing 
                        the vulnerability disclosure program of the 
                        agency'' after ``information systems''; and
                            (iii) by adding at the end the following:
    ``(3) An evaluation under this section may include recommendations 
for improving the cybersecurity posture of the agency.'';
                    (C) in subsection (b)(1), by striking ``annual'';
                    (D) in subsection (e)(1), by inserting ``during 
                which a report is required to be submitted under 
                section 3553(c)'' after ``Each year'';
                    (E) by striking subsection (f) and inserting the 
                following:
    ``(f) Protection of Information.--(1) Agencies, evaluators, and 
other recipients of information that, if disclosed, may cause grave 
harm to the efforts of Federal information security officers, including 
the appropriate congressional committees, shall take appropriate steps 
to ensure the protection of that information, including safeguarding 
the information from public disclosure.
    ``(2) The protections required under paragraph (1) shall be 
commensurate with the risk and comply with all applicable laws and 
regulations.
    ``(3) With respect to information that is not related to national 
security systems, agencies and evaluators shall make a summary of the 
information unclassified and publicly available, including information 
that does not identify--
            ``(A) specific information system incidents; or
            ``(B) specific information system vulnerabilities.'';
                    (F) in subsection (g)(2)--
                            (i) by striking ``this subsection shall'' 
                        and inserting ``this subsection--
            ``(A) shall'';
                            (ii) in subparagraph (A), as so designated, 
                        by striking the period at the end and inserting 
                        ``; and''; and
                            (iii) by adding at the end the following:
            ``(B) identify any entity that performs an independent 
        evaluation under subsection (b).''; and
                    (G) by striking subsection (j) and inserting the 
                following:
    ``(j) Guidance.--
            ``(1) In general.--The Director, in consultation with the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, the Chief Information Officers Council, the Council of 
        the Inspectors General on Integrity and Efficiency, and other 
        interested parties as appropriate, shall ensure the development 
        of guidance for evaluating the effectiveness of an information 
        security program and practices.
            ``(2) Priorities.--The guidance developed under paragraph 
        (1) shall prioritize the identification of--
                    ``(A) the most common threat patterns experienced 
                by each agency;
                    ``(B) the security controls that address the threat 
                patterns described in subparagraph (A); and
                    ``(C) any other security risks unique to the 
                networks of each agency.''; and
            (5) in section 3556(a)--
                    (A) in the matter preceding paragraph (1), by 
                inserting ``within the Cybersecurity and Infrastructure 
                Security Agency'' after ``incident center''; and
                    (B) in paragraph (4), by striking ``3554(b)'' and 
                inserting ``3554(a)(1)(A)''.
    (d) Conforming Amendments.--
            (1) Table of sections.--The table of sections for chapter 
        35 of title 44, United States Code, is amended--
                    (A) by striking the item relating to section 3553 
                and inserting the following:

``3553. Authority and functions of the Director and the Director of the 
                            Cybersecurity and Infrastructure Security 
                            Agency.''; and
                    (B) by striking the item relating to section 3555 
                and inserting the following:

``3555. Independent evaluation.''.
            (2) OMB reports.--Section 226(c) of the Cybersecurity Act 
        of 2015 (6 U.S.C. 1524(c)) is amended--
                    (A) in paragraph (1)(B), in the matter preceding 
                clause (i), by striking ``annually thereafter'' and 
                inserting ``thereafter during the years during which a 
                report is required to be submitted under section 
                3553(c) of title 44, United States Code''; and
                    (B) in paragraph (2)(B), in the matter preceding 
                clause (i)--
                            (i) by striking ``annually thereafter'' and 
                        inserting ``thereafter during the years during 
                        which a report is required to be submitted 
                        under section 3553(c) of title 44, United 
                        States Code''; and
                            (ii) by striking ``the report required 
                        under section 3553(c) of title 44, United 
                        States Code'' and inserting ``that report''.
            (3) NIST responsibilities.--Section 20(d)(3)(B) of the 
        National Institute of Standards and Technology Act (15 U.S.C. 
        278g-3(d)(3)(B)) is amended by striking ``annual''.
    (e) Federal System Incident Response.--
            (1) In general.--Chapter 35 of title 44, United States 
        Code, is amended by adding at the end the following:

           ``SUBCHAPTER IV--FEDERAL SYSTEM INCIDENT RESPONSE

``Sec. 3591. Definitions
    ``(a) In General.--Except as provided in subsection (b), the 
definitions under sections 3502 and 3552 shall apply to this 
subchapter.
    ``(b) Additional Definitions.--As used in this subchapter:
            ``(1) Appropriate reporting entities.--The term 
        `appropriate reporting entities' means--
                    ``(A) the majority and minority leaders of the 
                Senate;
                    ``(B) the Speaker and minority leader of the House 
                of Representatives;
                    ``(C) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    ``(D) the Committee on Oversight and Reform of the 
                House of Representatives;
                    ``(E) the Committee on Homeland Security of the 
                House of Representatives;
                    ``(F) the appropriate authorization and 
                appropriations committees of Congress;
                    ``(G) the Director;
                    ``(H) the Director of the Cybersecurity and 
                Infrastructure Security Agency;
                    ``(I) the National Cyber Director;
                    ``(J) the Comptroller General of the United States; 
                and
                    ``(K) the inspector general of any impacted agency.
            ``(2) Awardee.--The term `awardee'--
                    ``(A) means a person, business, or other entity 
                that receives a grant from, or is a party to a 
                cooperative agreement with, an agency; and
                    ``(B) includes any subgrantee of a person, 
                business, or other entity described in subparagraph 
                (A).
            ``(3) Breach.--The term `breach' means--
                    ``(A) a compromise of the security, 
                confidentiality, or integrity of data in electronic 
                form that results in unauthorized access to, or an 
                acquisition of, personal information; or
                    ``(B) a loss of data in electronic form that 
                results in unauthorized access to, or an acquisition 
                of, personal information.
            ``(4) Contractor.--The term `contractor' means--
                    ``(A) a prime contractor of an agency or a 
                subcontractor of a prime contractor of an agency; and
                    ``(B) any person or business that collects or 
                maintains information, including personally 
                identifiable information, on behalf of an agency.
            ``(5) Federal information.--The term `Federal information' 
        means information created, collected, processed, maintained, 
        disseminated, disclosed, or disposed of by or for the Federal 
        Government in any medium or form.
            ``(6) Federal information system.--The term `Federal 
        information system' means an information system used or 
        operated by an agency, a contractor, or another organization on 
        behalf of an agency.
            ``(7) Intelligence community.--The term `intelligence 
        community' has the meaning given the term in section 3 of the 
        National Security Act of 1947 (50 U.S.C. 3003).
            ``(8) Nationwide consumer reporting agency.--The term 
        `nationwide consumer reporting agency' means a consumer 
        reporting agency described in section 603(p) of the Fair Credit 
        Reporting Act (15 U.S.C. 1681a(p)).
            ``(9) Vulnerability disclosure.--The term `vulnerability 
        disclosure' means a vulnerability identified under section 
        3559B.
``Sec. 3592. Notification of breach
    ``(a) Notification.--As expeditiously as practicable and without 
unreasonable delay, and in any case not later than 45 days after an 
agency has a reasonable basis to conclude that a breach has occurred, 
the head of the agency, in consultation with a senior privacy officer 
of the agency, shall--
            ``(1) determine whether notice to any individual 
        potentially affected by the breach is appropriate based on an 
        assessment of the risk of harm to the individual that 
        considers--
                    ``(A) the nature and sensitivity of the personally 
                identifiable information affected by the breach;
                    ``(B) the likelihood of access to and use of the 
                personally identifiable information affected by the 
                breach;
                    ``(C) the type of breach; and
                    ``(D) any other factors determined by the Director; 
                and
            ``(2) as appropriate, provide written notice in accordance 
        with subsection (b) to each individual potentially affected by 
        the breach--
                    ``(A) to the last known mailing address of the 
                individual; or
                    ``(B) through an appropriate alternative method of 
                notification that the head of the agency or a 
                designated senior-level individual of the agency 
                selects based on factors determined by the Director.
    ``(b) Contents of Notice.--Each notice of a breach provided to an 
individual under subsection (a)(2) shall include--
            ``(1) a brief description of the rationale for the 
        determination that notice should be provided under subsection 
        (a);
            ``(2) if possible, a description of the types of personally 
        identifiable information affected by the breach;
            ``(3) contact information of the agency that may be used to 
        ask questions of the agency, which--
                    ``(A) shall include an e-mail address or another 
                digital contact mechanism; and
                    ``(B) may include a telephone number or a website;
            ``(4) information on any remedy being offered by the 
        agency;
            ``(5) any applicable educational materials relating to what 
        individuals can do in response to a breach that potentially 
        affects their personally identifiable information, including 
        relevant information to contact Federal law enforcement 
        agencies and each nationwide consumer reporting agency; and
            ``(6) any other appropriate information, as determined by 
        the head of the agency or established in guidance by the 
        Director.
    ``(c) Delay of Notification.--
            ``(1) In general.--The Attorney General, the Director of 
        National Intelligence, or the Secretary of Homeland Security 
        may delay a notification required under subsection (a) if the 
        notification would--
                    ``(A) impede a criminal investigation or a national 
                security activity;
                    ``(B) reveal sensitive sources and methods;
                    ``(C) cause damage to national security; or
                    ``(D) hamper security remediation actions.
            ``(2) Documentation.--
                    ``(A) In general.--Any delay under paragraph (1) 
                shall be reported in writing to the Director, the 
                Attorney General, the Director of National 
                Intelligence, the Secretary of Homeland Security, the 
                Director of the Cybersecurity and Infrastructure 
                Security Agency, and the head of the agency and the 
                inspector general of the agency that experienced the 
                breach.
                    ``(B) Contents.--A report required under 
                subparagraph (A) shall include a written statement from 
                the entity that delayed the notification explaining the 
                need for the delay.
                    ``(C) Form.--The report required under subparagraph 
                (A) shall be unclassified but may include a classified 
                annex.
            ``(3) Renewal.--A delay under paragraph (1) shall be for a 
        period of 60 days and may be renewed.
    ``(d) Update Notification.--If an agency determines there is a 
significant change in the reasonable basis to conclude that a breach 
occurred, a significant change to the determination made under 
subsection (a)(1), or that it is necessary to update the details of the 
information provided to impacted individuals as described in subsection 
(b), the agency shall as expeditiously as practicable and without 
unreasonable delay, and in any case not later than 30 days after such a 
determination, notify each individual who received a notification 
pursuant to subsection (a) of those changes.
    ``(e) Exemption From Notification.--
            ``(1) In general.--The head of an agency, in consultation 
        with the inspector general of the agency, may request an 
        exemption from the Director from complying with the 
        notification requirements under subsection (a) if the 
        information affected by the breach is determined by an 
        independent evaluation to be unreadable, including, as 
        appropriate, instances in which the information is--
                    ``(A) encrypted; and
                    ``(B) determined by the Director of the 
                Cybersecurity and Infrastructure Security Agency to be 
                of sufficiently low risk of exposure.
            ``(2) Approval.--The Director shall determine whether to 
        grant an exemption requested under paragraph (1) in 
        consultation with--
                    ``(A) the Director of the Cybersecurity and 
                Infrastructure Security Agency; and
                    ``(B) the Attorney General.
            ``(3) Documentation.--Any exemption granted by the Director 
        under paragraph (1) shall be reported in writing to the head of 
        the agency and the inspector general of the agency that 
        experienced the breach and the Director of the Cybersecurity 
        and Infrastructure Security Agency.
    ``(f) Rule of Construction.--Nothing in this section shall be 
construed to limit--
            ``(1) the Director from issuing guidance relating to 
        notifications or the head of an agency from notifying 
        individuals potentially affected by breaches that are not 
        determined to be major incidents; or
            ``(2) the Director from issuing guidance relating to 
        notifications of major incidents or the head of an agency from 
        providing more information than described in subsection (b) 
        when notifying individuals potentially affected by breaches.
``Sec. 3593. Congressional and Executive Branch reports
    ``(a) Initial Report.--
            ``(1) In general.--Not later than 72 hours after an agency 
        has a reasonable basis to conclude that a major incident 
        occurred, the head of the agency impacted by the major incident 
        shall submit to the appropriate reporting entities a written 
        report and, to the extent practicable, provide a briefing to 
        the Committee on Homeland Security and Governmental Affairs of 
        the Senate, the Committee on Oversight and Reform of the House 
        of Representatives, the Committee on Homeland Security of the 
        House of Representatives, and the appropriate authorization and 
        appropriations committees of Congress, taking into account--
                    ``(A) the information known at the time of the 
                report;
                    ``(B) the sensitivity of the details associated 
                with the major incident; and
                    ``(C) the classification level of the information 
                contained in the report.
            ``(2) Contents.--A report required under paragraph (1) 
        shall include, in a manner that excludes or otherwise 
        reasonably protects personally identifiable information and to 
        the extent permitted by applicable law, including privacy and 
        statistical laws--
                    ``(A) a summary of the information available about 
                the major incident, including how the major incident 
                occurred, information indicating that the major 
                incident may be a breach, and information relating to 
                the major incident as a breach, based on information 
                available to agency officials as of the date on which 
                the agency submits the report;
                    ``(B) if applicable, a description and any 
                associated documentation of any circumstances 
                necessitating a delay in or exemption to notification 
                to individuals potentially affected by the major 
                incident under subsection (c) or (e) of section 3592; 
                and
                    ``(C) if applicable, an assessment of the impacts 
                to the agency, the Federal Government, or the security 
                of the United States, based on information available to 
                agency officials on the date on which the agency 
                submits the report.
    ``(b) Supplemental Report.--Within a reasonable amount of time, but 
not later than 30 days after the date on which an agency submits a 
written report under subsection (a), the head of the agency shall 
provide to the appropriate reporting entities written updates on the 
major incident and, to the extent practicable, provide a briefing to 
the congressional committees described in subsection (a)(1), including 
summaries of--
            ``(1) vulnerabilities, means by which the major incident 
        occurred, and impacts to the agency relating to the major 
        incident;
            ``(2) any risk assessment and subsequent risk-based 
        security implementation of the affected information system 
        before the date on which the major incident occurred;
            ``(3) the status of compliance of the affected information 
        system with applicable security requirements at the time of the 
        major incident;
            ``(4) an estimate of the number of individuals potentially 
        affected by the major incident based on information available 
        to agency officials as of the date on which the agency provides 
        the update;
            ``(5) an assessment of the risk of harm to individuals 
        potentially affected by the major incident based on information 
        available to agency officials as of the date on which the 
        agency provides the update;
            ``(6) an update to the assessment of the risk to agency 
        operations, or to impacts on other agency or non-Federal entity 
        operations, affected by the major incident based on information 
        available to agency officials as of the date on which the 
        agency provides the update; and
            ``(7) the detection, response, and remediation actions of 
        the agency, including any support provided by the Cybersecurity 
        and Infrastructure Security Agency under section 3594(d) and 
        status updates on the notification process described in section 
        3592(a), including any delay or exemption described in 
        subsection (c) or (e), respectively, of section 3592, if 
        applicable.
    ``(c) Update Report.--If the agency determines that there is any 
significant change in the understanding of the agency of the scope, 
scale, or consequence of a major incident for which an agency submitted 
a written report under subsection (a), the agency shall provide an 
updated report to the appropriate reporting entities that includes 
information relating to the change in understanding.
    ``(d) Annual Report.--Each agency shall submit as part of the 
annual report required under section 3554(c)(1) of this title a 
description of each major incident that occurred during the 1-year 
period preceding the date on which the report is submitted.
    ``(e) Delay and Exemption Report.--
            ``(1) In general.--The Director shall submit to the 
        appropriate notification entities an annual report on all 
        notification delays and exemptions granted pursuant to 
        subsections (c) and (d) of section 3592.
            ``(2) Component of other report.--The Director may submit 
        the report required under paragraph (1) as a component of the 
        annual report submitted under section 3597(b).
    ``(f) Report Delivery.--Any written report required to be submitted 
under this section may be submitted in a paper or electronic format.
    ``(g) Threat Briefing.--
            ``(1) In general.--Not later than 7 days after the date on 
        which an agency has a reasonable basis to conclude that a major 
        incident occurred, the head of the agency, jointly with the 
        National Cyber Director and any other Federal entity determined 
        appropriate by the National Cyber Director, shall provide a 
        briefing to the congressional committees described in 
        subsection (a)(1) on the threat causing the major incident.
            ``(2) Components.--The briefing required under paragraph 
        (1)--
                    ``(A) shall, to the greatest extent practicable, 
                include an unclassified component; and
                    ``(B) may include a classified component.
    ``(h) Rule of Construction.--Nothing in this section shall be 
construed to limit--
            ``(1) the ability of an agency to provide additional 
        reports or briefings to Congress; or
            ``(2) Congress from requesting additional information from 
        agencies through reports, briefings, or other means.
``Sec. 3594. Government information sharing and incident response
    ``(a) In General.--
            ``(1) Incident reporting.--The head of each agency shall 
        provide any information relating to any incident, whether the 
        information is obtained by the Federal Government directly or 
        indirectly, to the Cybersecurity and Infrastructure Security 
        Agency and the Office of Management and Budget.
            ``(2) Contents.--A provision of information relating to an 
        incident made by the head of an agency under paragraph (1) 
        shall--
                    ``(A) include detailed information about the 
                safeguards that were in place when the incident 
                occurred;
                    ``(B) whether the agency implemented the safeguards 
                described in subparagraph (A) correctly;
                    ``(C) in order to protect against a similar 
                incident, identify--
                            ``(i) how the safeguards described in 
                        subparagraph (A) should be implemented 
                        differently; and
                            ``(ii) additional necessary safeguards; and
                    ``(D) include information to aid in incident 
                response, such as--
                            ``(i) a description of the affected systems 
                        or networks;
                            ``(ii) the estimated dates of when the 
                        incident occurred; and
                            ``(iii) information that could reasonably 
                        help identify the party that conducted the 
                        incident.
            ``(3) Information sharing.--To the greatest extent 
        practicable, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall share information relating 
        to an incident with any agencies that may be impacted by the 
        incident.
            ``(4) National security systems.--Each agency operating or 
        exercising control of a national security system shall share 
        information about incidents with the Director of the 
        Cybersecurity and Infrastructure Security Agency to the extent 
        consistent with standards and guidelines for national security 
        systems issued in accordance with law and as directed by the 
        President.
    ``(b) Compliance.--The information provided under subsection (a) 
shall take into account the level of classification of the information 
and any information sharing limitations and protections, such as 
limitations and protections relating to law enforcement, national 
security, privacy, statistical confidentiality, or other factors 
determined by the Director.
    ``(c) Incident Response.--Each agency that has a reasonable basis 
to conclude that a major incident occurred involving Federal 
information in electronic medium or form, as defined by the Director 
and not involving a national security system, regardless of delays from 
notification granted for a major incident, shall coordinate with the 
Cybersecurity and Infrastructure Security Agency regarding--
            ``(1) incident response and recovery; and
            ``(2) recommendations for mitigating future incidents.
``Sec. 3595. Responsibilities of contractors and awardees
    ``(a) Notification.--
            ``(1) In general.--Unless otherwise specified in a 
        contract, grant, or cooperative agreement, any contractor or 
        awardee of an agency shall report to the agency within the same 
        amount of time such agency is required to report an incident to 
        the Cybersecurity and Infrastructure Security Agency, if the 
        contractor or awardee has a reasonable basis to conclude that--
                    ``(A) an incident or breach has occurred with 
                respect to Federal information collected, used, or 
                maintained by the contractor or awardee in connection 
                with the contract, grant, or cooperative agreement of 
                the contractor or awardee;
                    ``(B) an incident or breach has occurred with 
                respect to a Federal information system used or 
                operated by the contractor or awardee in connection 
                with the contract, grant, or cooperative agreement of 
                the contractor or awardee; or
                    ``(C) the contractor or awardee has received 
                information from the agency that the contractor or 
                awardee is not authorized to receive in connection with 
                the contract, grant, or cooperative agreement of the 
                contractor or awardee.
            ``(2) Procedures.--
                    ``(A) Major incident.--Following a report of a 
                breach or major incident by a contractor or awardee 
                under paragraph (1), the agency, in consultation with 
                the contractor or awardee, shall carry out the 
                requirements under sections 3592, 3593, and 3594 with 
                respect to the major incident.
                    ``(B) Incident.--Following a report of an incident 
                by a contractor or awardee under paragraph (1), an 
                agency, in consultation with the contractor or awardee, 
                shall carry out the requirements under section 3594 
                with respect to the incident.
    ``(b) Effective Date.--This section shall apply on and after the 
date that is 1 year after the date of enactment of the Federal 
Information Security Modernization Act of 2021.
``Sec. 3596. Training
    ``(a) Covered Individual Defined.--In this section, the term 
`covered individual' means an individual who obtains access to Federal 
information or Federal information systems because of the status of the 
individual as an employee, contractor, awardee, volunteer, or intern of 
an agency.
    ``(b) Requirement.--The head of each agency shall develop training 
for covered individuals on how to identify and respond to an incident, 
including--
            ``(1) the internal process of the agency for reporting an 
        incident; and
            ``(2) the obligation of a covered individual to report to 
        the agency a confirmed major incident and any suspected 
        incident involving information in any medium or form, including 
        paper, oral, and electronic.
    ``(c) Inclusion in Annual Training.--The training developed under 
subsection (b) may be included as part of an annual privacy or security 
awareness training of an agency.
``Sec. 3597. Analysis and report on Federal incidents
    ``(a) Analysis of Federal Incidents.--
            ``(1) Quantitative and qualitative analyses.--The Director 
        of the Cybersecurity and Infrastructure Security Agency shall 
        develop, in consultation with the Director and the National 
        Cyber Director, and perform continuous monitoring and 
        quantitative and qualitative analyses of incidents at agencies, 
        including major incidents, including--
                    ``(A) the causes of incidents, including--
                            ``(i) attacker tactics, techniques, and 
                        procedures; and
                            ``(ii) system vulnerabilities, including 
                        zero days, unpatched systems, and information 
                        system misconfigurations;
                    ``(B) the scope and scale of incidents at agencies;
                    ``(C) cross Federal Government root causes of 
                incidents at agencies;
                    ``(D) agency incident response, recovery, and 
                remediation actions and the effectiveness of those 
                actions, as applicable; and
                    ``(E) lessons learned and recommendations in 
                responding to, recovering from, remediating, and 
                mitigating future incidents.
            ``(2) Automated analysis.--The analyses developed under 
        paragraph (1) shall, to the greatest extent practicable, use 
        machine readable data, automation, and machine learning 
        processes.
            ``(3) Sharing of data and analysis.--
                    ``(A) In general.--The Director shall share on an 
                ongoing basis the analyses required under this 
                subsection with agencies and the National Cyber 
                Director to--
                            ``(i) improve the understanding of 
                        cybersecurity risk of agencies; and
                            ``(ii) support the cybersecurity 
                        improvement efforts of agencies.
                    ``(B) Format.--In carrying out subparagraph (A), 
                the Director shall share the analyses--
                            ``(i) in human-readable written products; 
                        and
                            ``(ii) to the greatest extent practicable, 
                        in machine-readable formats in order to enable 
                        automated intake and use by agencies.
    ``(b) Annual Report on Federal Incidents.--Not later than 2 years 
after the date of enactment of this section, and not less frequently 
than annually thereafter, the Director of the Cybersecurity and 
Infrastructure Security Agency, in consultation with the Director and 
other Federal agencies as appropriate, shall submit to the appropriate 
notification entities a report that includes--
            ``(1) a summary of causes of incidents from across the 
        Federal Government that categorizes those incidents as 
        incidents or major incidents;
            ``(2) the quantitative and qualitative analyses of 
        incidents developed under subsection (a)(1), including specific 
        analysis of breaches, on an agency-by-agency basis and 
        comprehensively across the Federal Government; and
            ``(3) an annex for each agency that includes--
                    ``(A) a description of each major incident; and
                    ``(B) the total number of compromises of the 
                agency.
    ``(c) Publication.--A version of each report submitted under 
subsection (b) shall be made publicly available on the website of the 
Cybersecurity and Infrastructure Security Agency during the year in 
which the report is submitted.
    ``(d) Information Provided by Agencies.--
            ``(1) In general.--The analysis required under subsection 
        (a) and each report submitted under subsection (b) shall use 
        information provided by agencies under section 3594(a).
            ``(2) Noncompliance reports.--
                    ``(A) In general.--Subject to subparagraph (B), 
                during any year during which the head of an agency does 
                not provide data for an incident to the Cybersecurity 
                and Infrastructure Security Agency in accordance with 
                section 3594(a), the head of the agency, in 
                coordination with the Director of the Cybersecurity and 
                Infrastructure Security Agency and the Director, shall 
                submit to the appropriate reporting entities a report 
                that includes--
                            ``(i) data for the incident; and
                            ``(ii) the information described in 
                        subsection (b) with respect to the agency.
                    ``(B) Exception for national security systems.--The 
                head of an agency that owns or exercises control of a 
                national security system shall not include data for an 
                incident that occurs on a national security system in 
                any report submitted under subparagraph (A).
            ``(3) National security system reports.--
                    ``(A) In general.--Annually, the head of an agency 
                that operates or exercises control of a national 
                security system shall submit a report that includes the 
                information described in subsection (b) with respect to 
                the agency to the extent that the submission is 
                consistent with standards and guidelines for national 
                security systems issued in accordance with law and as 
                directed by the President to--
                            ``(i) the majority and minority leaders of 
                        the Senate;
                            ``(ii) the Speaker and minority leader of 
                        the House of Representatives;
                            ``(iii) the Committee on Homeland Security 
                        and Governmental Affairs of the Senate;
                            ``(iv) the Select Committee on Intelligence 
                        of the Senate;
                            ``(v) the Committee on Armed Services of 
                        the Senate;
                            ``(vi) the Committee on Oversight and 
                        Reform of the House of Representatives;
                            ``(vii) the Committee on Homeland Security 
                        of the House of Representatives;
                            ``(viii) the Permanent Select Committee on 
                        Intelligence of the House of Representatives; 
                        and
                            ``(ix) the Committee on Armed Services of 
                        the House of Representatives.
                    ``(B) Classified form.--A report required under 
                subparagraph (A) may be submitted in a classified form.
    ``(e) Requirement for Compiling Information.--In publishing the 
public report required under subsection (c), the Director of the 
Cybersecurity and Infrastructure Security Agency shall sufficiently 
compile information such that no specific incident of an agency can be 
identified, except with the concurrence of the Director of the Office 
of Management and Budget and in consultation with the impacted agency.
``Sec. 3598. Major incident definition
    ``(a) In General.--Not later than 180 days after the date of 
enactment of the Federal Information Security Modernization Act of 
2021, the Director, in coordination with the Director of the 
Cybersecurity and Infrastructure Security Agency and the National Cyber 
Director, shall develop and promulgate guidance on the definition of 
the term `major incident' for the purposes of subchapter II and this 
subchapter.
    ``(b) Requirements.--With respect to the guidance issued under 
subsection (a), the definition of the term `major incident' shall--
            ``(1) include, with respect to any information collected or 
        maintained by or on behalf of an agency or an information 
        system used or operated by an agency or by a contractor of an 
        agency or another organization on behalf of an agency--
                    ``(A) any incident the head of the agency 
                determines is likely to have an impact on--
                            ``(i) the national security, homeland 
                        security, or economic security of the United 
                        States; or
                            ``(ii) the civil liberties or public health 
                        and safety of the people of the United States;
                    ``(B) any incident the head of the agency 
                determines is likely to result in an inability for the 
                agency, a component of the agency, or the Federal 
                Government, to provide 1 or more critical services;
                    ``(C) any incident that the head of an agency, in 
                consultation with a senior privacy officer of the 
                agency, determines is likely to have a significant 
                privacy impact on 1 or more individuals;
                    ``(D) any incident that the head of the agency, in 
                consultation with a senior privacy official of the 
                agency, determines is likely to have a substantial 
                privacy impact on a significant number of individuals;
                    ``(E) any incident the head of the agency 
                determines impacts the operations of a high value asset 
                owned or operated by the agency;
                    ``(F) any incident involving the exposure of 
                sensitive agency information to a foreign entity, such 
                as the communications of the head of the agency, the 
                head of a component of the agency, or the direct 
                reports of the head of the agency or the head of a 
                component of the agency; and
                    ``(G) any other type of incident determined 
                appropriate by the Director;
            ``(2) stipulate that the National Cyber Director shall 
        declare a major incident at each agency impacted by an incident 
        if the Director of the Cybersecurity and Infrastructure 
        Security Agency determines that an incident--
                    ``(A) occurs at not less than 2 agencies; and
                    ``(B) is enabled by--
                            ``(i) a common technical root cause, such 
                        as a supply chain compromise, a common software 
                        or hardware vulnerability; or
                            ``(ii) the related activities of a common 
                        threat actor; and
            ``(3) stipulate that, in determining whether an incident 
        constitutes a major incident because that incident--
                    ``(A) is any incident described in paragraph (1), 
                the head of an agency shall consult with the Director 
                of the Cybersecurity and Infrastructure Security 
                Agency;
                    ``(B) is an incident described in paragraph (1)(A), 
                the head of the agency shall consult with the National 
                Cyber Director; and
                    ``(C) is an incident described in subparagraph (C) 
                or (D) of paragraph (1), the head of the agency shall 
                consult with--
                            ``(i) the Privacy and Civil Liberties 
                        Oversight Board; and
                            ``(ii) the Executive Director of the 
                        Federal Trade Commission.
    ``(c) Significant Number of Individuals.--In determining what 
constitutes a significant number of individuals under subsection 
(b)(1)(D), the Director--
            ``(1) may determine a threshold for a minimum number of 
        individuals that constitutes a significant amount; and
            ``(2) may not determine a threshold described in paragraph 
        (1) that exceeds 5,000 individuals.
    ``(d) Evaluation and Updates.--Not later than 2 years after the 
date of enactment of the Federal Information Security Modernization Act 
of 2021, and not less frequently than every 2 years thereafter, the 
Director shall submit to the Committee on Homeland Security and 
Governmental Affairs of the Senate and the Committee on Oversight and 
Reform of the House of Representatives an evaluation, which shall 
include--
            ``(1) an update, if necessary, to the guidance issued under 
        subsection (a);
            ``(2) the definition of the term `major incident' included 
        in the guidance issued under subsection (a); and
            ``(3) an explanation of, and the analysis that led to, the 
        definition described in paragraph (2).''.
            (2) Clerical amendment.--The table of sections for chapter 
        35 of title 44, United States Code, is amended by adding at the 
        end the following:

           ``subchapter iv--federal system incident response

``3591. Definitions.
``3592. Notification of breach.
``3593. Congressional and Executive Branch reports.
``3594. Government information sharing and incident response.
``3595. Responsibilities of contractors and awardees.
``3596. Training.
``3597. Analysis and report on Federal incidents.
``3598. Major incident definition.''.

SEC. 102. AMENDMENTS TO SUBTITLE III OF TITLE 40.

    (a) Information Technology Modernization Centers of Excellence 
Program Act.--Section 2(c)(4)(A)(ii) of the Information Technology 
Modernization Centers of Excellence Program Act (40 U.S.C. 11301 note) 
is amended by striking the period at the end and inserting ``, which 
shall be provided in coordination with the Director of the 
Cybersecurity and Infrastructure Security Agency.''.
    (b) Modernizing Government Technology.--Subtitle G of title X of 
Division A of the National Defense Authorization Act for Fiscal Year 
2018 (40 U.S.C. 11301 note) is amended--
            (1) in section 1077(b)--
                    (A) in paragraph (5)(A), by inserting ``improving 
                the cybersecurity of systems and'' before ``cost 
                savings activities''; and
                    (B) in paragraph (7)--
                            (i) in the paragraph heading, by striking 
                        ``cio'' and inserting ``CIO'';
                            (ii) by striking ``In evaluating projects'' 
                        and inserting the following:
                    ``(A) Consideration of guidance.--In evaluating 
                projects'';
                            (iii) in subparagraph (A), as so 
                        designated, by striking ``under section 
                        1094(b)(1)'' and inserting ``by the Director''; 
                        and
                            (iv) by adding at the end the following:
                    ``(B) Consultation.--In using funds under paragraph 
                (3)(A), the Chief Information Officer of the covered 
                agency shall consult with the necessary stakeholders to 
                ensure the project appropriately addresses 
                cybersecurity risks, including the Director of the 
                Cybersecurity and Infrastructure Security Agency, as 
                appropriate.''; and
            (2) in section 1078--
                    (A) by striking subsection (a) and inserting the 
                following:
    ``(a) Definitions.--In this section:
            ``(1) Agency.--The term `agency' has the meaning given the 
        term in section 551 of title 5, United States Code.
            ``(2) High value asset.--The term `high value asset' has 
        the meaning given the term in section 3552 of title 44, United 
        States Code.'';
                    (B) in subsection (b), by adding at the end the 
                following:
            ``(8) Proposal evaluation.--The Director shall--
                    ``(A) give consideration for the use of amounts in 
                the Fund to improve the security of high value assets; 
                and
                    ``(B) require that any proposal for the use of 
                amounts in the Fund includes a cybersecurity plan, 
                including a supply chain risk management plan, to be 
                reviewed by the member of the Technology Modernization 
                Board described in subsection (c)(5)(C).''; and
                    (C) in subsection (c)--
                            (i) in paragraph (2)(A)(i), by inserting 
                        ``, including a consideration of the impact on 
                        high value assets'' after ``operational 
                        risks'';
                            (ii) in paragraph (5)--
                                    (I) in subparagraph (A), by 
                                striking ``and'' at the end;
                                    (II) in subparagraph (B), by 
                                striking the period at the end and 
                                inserting ``and''; and
                                    (III) by adding at the end the 
                                following:
                    ``(C) a senior official from the Cybersecurity and 
                Infrastructure Security Agency of the Department of 
                Homeland Security, appointed by the Director.''; and
                            (iii) in paragraph (6)(A), by striking 
                        ``shall be--'' and all that follows through ``4 
                        employees'' and inserting ``shall be 4 
                        employees''.
    (c) Subchapter I.--Subchapter I of subtitle III of title 40, United 
States Code, is amended--
            (1) in section 11302--
                    (A) in subsection (b), by striking ``use, security, 
                and disposal of'' and inserting ``use, and disposal of, 
                and, in consultation with the Director of the 
                Cybersecurity and Infrastructure Security Agency and 
                the National Cyber Director, promote and improve the 
                security of,'';
                    (B) in subsection (c)--
                            (i) in paragraph (3)--
                                    (I) in subparagraph (A)--
                                            (aa) by striking 
                                        ``including data'' and 
                                        inserting ``which shall--
                            ``(i) include data'';
                                            (bb) in clause (i), as so 
                                        designated, by striking ``, and 
                                        performance'' and inserting 
                                        ``security, and performance; 
                                        and''; and
                                            (cc) by adding at the end 
                                        the following:
                            ``(ii) specifically denote cybersecurity 
                        funding under the risk-based cyber budget model 
                        developed pursuant to section 3553(a)(7) of 
                        title 44.''; and
                                    (II) in subparagraph (B), adding at 
                                the end the following:
                            ``(iii) The Director shall provide to the 
                        National Cyber Director any cybersecurity 
                        funding information described in subparagraph 
                        (A)(ii) that is provided to the Director under 
                        clause (ii) of this subparagraph.''; and
                            (ii) in paragraph (4)(B), in the matter 
                        preceding clause (i), by inserting ``not later 
                        than 30 days after the date on which the review 
                        under subparagraph (A) is completed,'' before 
                        ``the Administrator'';
                    (C) in subsection (f)--
                            (i) by striking ``heads of executive 
                        agencies to develop'' and inserting ``heads of 
                        executive agencies to--
            ``(1) develop'';
                            (ii) in paragraph (1), as so designated, by 
                        striking the period at the end and inserting 
                        ``; and''; and
                            (iii) by adding at the end the following:
            ``(2) consult with the Director of the Cybersecurity and 
        Infrastructure Security Agency for the development and use of 
        supply chain security best practices.''; and
                    (D) in subsection (h), by inserting ``, including 
                cybersecurity performances,'' after ``the 
                performances''; and
            (2) in section 11303(b)--
                    (A) in paragraph (2)(B)--
                            (i) in clause (i), by striking ``or'' at 
                        the end;
                            (ii) in clause (ii), by adding ``or'' at 
                        the end; and
                            (iii) by adding at the end the following:
                            ``(iii) whether the function should be 
                        performed by a shared service offered by 
                        another executive agency;''; and
                    (B) in paragraph (5)(B)(i), by inserting ``, while 
                taking into account the risk-based cyber budget model 
                developed pursuant to section 3553(a)(7) of title 44'' 
                after ``title 31''.
    (d) Subchapter II.--Subchapter II of subtitle III of title 40, 
United States Code, is amended--
            (1) in section 11312(a), by inserting ``, including 
        security risks'' after ``managing the risks'';
            (2) in section 11313(1), by striking ``efficiency and 
        effectiveness'' and inserting ``efficiency, security, and 
        effectiveness'';
            (3) in section 11315, by adding at the end the following:
    ``(d) Component Agency Chief Information Officers.--The Chief 
Information Officer or an equivalent official of a component agency 
shall report to--
            ``(1) the Chief Information Officer designated under 
        section 3506(a)(2) of title 44 or an equivalent official of the 
        agency of which the component agency is a component; and
            ``(2) the head of the component agency.'';
            (4) in section 11317, by inserting ``security,'' before 
        ``or schedule''; and
            (5) in section 11319(b)(1), in the paragraph heading, by 
        striking ``CIOS'' and inserting ``Chief information officers''.
    (e) Subchapter III.--Section 11331 of title 40, United States Code, 
is amended--
            (1) in subsection (a), by striking ``section 3532(b)(1)'' 
        and inserting ``section 3552(b)'';
            (2) in subsection (b)(1)(A)--
                    (A) by striking ``in consultation'' and inserting 
                ``in coordination''; and
                    (B) by striking ``the Secretary of Homeland 
                Security'' and inserting ``the Director of the 
                Cybersecurity and Infrastructure Security Agency'';
            (3) by striking subsection (c) and inserting the following:
    ``(c) Application of More Stringent Standards.--
            ``(1) In general.--The head of an agency shall--
                    ``(A) evaluate, in consultation with the senior 
                agency information security officers, the need to 
                employ standards for cost-effective, risk-based 
                information security for all systems, operations, and 
                assets within or under the supervision of the agency 
                that are more stringent than the standards promulgated 
                by the Director under this section, if such standards 
                contain, at a minimum, the provisions of those 
                applicable standards made compulsory and binding by the 
                Director; and
                    ``(B) to the greatest extent practicable and if the 
                head of the agency determines that the standards 
                described in subparagraph (A) are necessary, employ 
                those standards.
            ``(2) Evaluation of more stringent standards.--In 
        evaluating the need to employ more stringent standards under 
        paragraph (1), the head of an agency shall consider available 
        risk information, such as--
                    ``(A) the status of cybersecurity remedial actions 
                of the agency;
                    ``(B) any vulnerability information relating to 
                agency systems that is known to the agency;
                    ``(C) incident information of the agency;
                    ``(D) information from--
                            ``(i) penetration testing performed under 
                        section 3559A of title 44; and
                            ``(ii) information from the vulnerability 
                        disclosure program established under section 
                        3559B of title 44;
                    ``(E) agency threat hunting results under section 
                205 of the Federal Information Security Modernization 
                Act of 2021;
                    ``(F) Federal and non-Federal threat intelligence;
                    ``(G) data on compliance with standards issued 
                under this section;
                    ``(H) agency system risk assessments performed 
                under section 3554(a)(1)(A) of title 44; and
                    ``(I) any other information determined relevant by 
                the head of the agency.'';
            (4) in subsection (d)(2)--
                    (A) in the paragraph heading, by striking ``Notice 
                and comment'' and inserting ``Consultation, notice, and 
                comment'';
                    (B) by inserting ``promulgate,'' before 
                ``significantly modify''; and
                    (C) by striking ``shall be made after the public is 
                given an opportunity to comment on the Director's 
                proposed decision.'' and inserting ``shall be made--
                    ``(A) for a decision to significantly modify or not 
                promulgate such a proposed standard, after the public 
                is given an opportunity to comment on the Director's 
                proposed decision;
                    ``(B) in consultation with the Chief Information 
                Officers Council, the Director of the Cybersecurity and 
                Infrastructure Security Agency, the National Cyber 
                Director, the Comptroller General of the United States, 
                and the Council of the Inspectors General on Integrity 
                and Efficiency;
                    ``(C) considering the Federal risk assessments 
                performed under section 3553(i) of title 44; and
                    ``(D) considering the extent to which the proposed 
                standard reduces risk relative to the cost of 
                implementation of the standard.''; and
            (5) by adding at the end the following:
    ``(e) Review of Office of Management and Budget Guidance and 
Policy.--
            ``(1) Conduct of review.--
                    ``(A) In general.--Not less frequently than once 
                every 3 years, the Director of the Office of Management 
                and Budget, in consultation with the Chief Information 
                Officers Council, the Director of the Cybersecurity and 
                Infrastructure Security Agency, the National Cyber 
                Director, the Comptroller General of the United States, 
                and the Council of the Inspectors General on Integrity 
                and Efficiency shall review the efficacy of the 
                guidance and policy promulgated by the Director in 
                reducing cybersecurity risks, including an assessment 
                of the requirements for agencies to report information 
                to the Director, and determine whether any changes to 
                that guidance or policy are appropriate.
                    ``(B) Federal risk assessments.--In conducting the 
                review described in subparagraph (A), the Director 
                shall consider the Federal risk assessments performed 
                under section 3553(i) of title 44.
            ``(2) Updated guidance.--Not later than 90 days after the 
        date on which a review is completed under paragraph (1), the 
        Director of the Office of Management and Budget shall issue 
        updated guidance or policy to agencies determined appropriate 
        by the Director, based on the results of the review.
            ``(3) Public report.--Not later than 30 days after the date 
        on which a review is completed under paragraph (1), the 
        Director of the Office of Management and Budget shall make 
        publicly available a report that includes--
                    ``(A) an overview of the guidance and policy 
                promulgated under this section that is currently in 
                effect;
                    ``(B) the cybersecurity risk mitigation, or other 
                cybersecurity benefit, offered by each guidance or 
                policy document described in subparagraph (A); and
                    ``(C) a summary of the guidance or policy to which 
                changes were determined appropriate during the review 
                and what the changes are anticipated to include.
            ``(4) Congressional briefing.--Not later than 30 days after 
        the date on which a review is completed under paragraph (1), 
        the Director shall provide to the Committee on Homeland 
        Security and Governmental Affairs of the Senate and the 
        Committee on Oversight and Reform of the House of 
        Representatives a briefing on the review.
    ``(f) Automated Standard Implementation Verification.--When the 
Director of the National Institute of Standards and Technology issues a 
proposed standard pursuant to paragraphs (2) and (3) of section 20(a) 
of the National Institute of Standards and Technology Act (15 U.S.C. 
278g-3(a)), the Director of the National Institute of Standards and 
Technology shall consider developing and, if appropriate and practical, 
develop, in consultation with the Director of the Cybersecurity and 
Infrastructure Security Agency, specifications to enable the automated 
verification of the implementation of the controls within the 
standard.''.

SEC. 103. ACTIONS TO ENHANCE FEDERAL INCIDENT RESPONSE.

    (a) Responsibilities of the Cybersecurity and Infrastructure 
Security Agency.--
            (1) In general.--Not later than 180 days after the date of 
        enactment of this Act, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall--
                    (A) develop a plan for the development of the 
                analysis required under section 3597(a) of title 44, 
                United States Code, as added by this Act, and the 
                report required under subsection (b) of that section 
                that includes--
                            (i) a description of any challenges the 
                        Director anticipates encountering; and
                            (ii) the use of automation and machine-
                        readable formats for collecting, compiling, 
                        monitoring, and analyzing data; and
                    (B) provide to the appropriate congressional 
                committees a briefing on the plan developed under 
                subparagraph (A).
            (2) Briefing.--Not later than 1 year after the date of 
        enactment of this Act, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall provide to the appropriate 
        congressional committees a briefing on--
                    (A) the execution of the plan required under 
                paragraph (1)(A); and
                    (B) the development of the report required under 
                section 3597(b) of title 44, United States Code, as 
                added by this Act.
    (b) Responsibilities of the Director of the Office of Management 
and Budget.--
            (1) FISMA.--Section 2 of the Federal Information Security 
        Modernization Act of 2014 (44 U.S.C. 3554 note) is amended--
                    (A) by striking subsection (b); and
                    (B) by redesignating subsections (c) through (f) as 
                subsections (b) through (e), respectively.
            (2) Incident data sharing.--
                    (A) In general.--The Director shall develop 
                guidance, to be updated not less frequently than once 
                every 2 years, on the content, timeliness, and format 
                of the information provided by agencies under section 
                3594(a) of title 44, United States Code, as added by 
                this Act.
                    (B) Requirements.--The guidance developed under 
                subparagraph (A) shall--
                            (i) prioritize the availability of data 
                        necessary to understand and analyze--
                                    (I) the causes of incidents;
                                    (II) the scope and scale of 
                                incidents within the environments and 
                                systems of an agency;
                                    (III) a root cause analysis of 
                                incidents that--
                                            (aa) are common across the 
                                        Federal Government; or
                                            (bb) have a Government-wide 
                                        impact;
                                    (IV) agency response, recovery, and 
                                remediation actions and the 
                                effectiveness of those actions; and
                                    (V) the impact of incidents;
                            (ii) enable the efficient development of--
                                    (I) lessons learned and 
                                recommendations in responding to, 
                                recovering from, remediating, and 
                                mitigating future incidents; and
                                    (II) the report on Federal 
                                incidents required under section 
                                3597(b) of title 44, United States 
                                Code, as added by this Act;
                            (iii) include requirements for the 
                        timeliness of data production; and
                            (iv) include requirements for using 
                        automation and machine-readable data for data 
                        sharing and availability.
            (3) Guidance on responding to information requests.--Not 
        later than 1 year after the date of enactment of this Act, the 
        Director shall develop guidance for agencies to implement the 
        requirement under section 3594(c) of title 44, United States 
        Code, as added by this Act, to provide information to other 
        agencies experiencing incidents.
            (4) Standard guidance and templates.--Not later than 1 year 
        after the date of enactment of this Act, the Director, in 
        consultation with the Director of the Cybersecurity and 
        Infrastructure Security Agency, shall develop guidance and 
        templates, to be reviewed and, if necessary, updated not less 
        frequently than once every 2 years, for use by Federal agencies 
        in the activities required under sections 3592, 3593, and 3596 
        of title 44, United States Code, as added by this Act.
            (5) Contractor and awardee guidance.--
                    (A) In general.--Not later than 1 year after the 
                date of enactment of this Act, the Director, in 
                coordination with the Secretary of Homeland Security, 
                the Secretary of Defense, the Administrator of General 
                Services, and the heads of other agencies determined 
                appropriate by the Director, shall issue guidance to 
                Federal agencies on how to deconflict, to the greatest 
                extent practicable, existing regulations, policies, and 
                procedures relating to the responsibilities of 
                contractors and awardees established under section 3595 
                of title 44, United States Code, as added by this Act.
                    (B) Existing processes.--To the greatest extent 
                practicable, the guidance issued under subparagraph (A) 
                shall allow contractors and awardees to use existing 
                processes for notifying Federal agencies of incidents 
                involving information of the Federal Government.
            (6) Updated briefings.--Not less frequently than once every 
        2 years, the Director shall provide to the appropriate 
        congressional committees an update on the guidance and 
        templates developed under paragraphs (2) through (4).
    (c) Update to the Privacy Act of 1974.--Section 552a(b) of title 5, 
United States Code (commonly known as the ``Privacy Act of 1974'') is 
amended--
            (1) in paragraph (11), by striking ``or'' at the end;
            (2) in paragraph (12), by striking the period at the end 
        and inserting ``; or''; and
            (3) by adding at the end the following:
            ``(13) to another agency in furtherance of a response to an 
        incident (as defined in section 3552 of title 44) and pursuant 
        to the information sharing requirements in section 3594 of 
        title 44 if the head of the requesting agency has made a 
        written request to the agency that maintains the record 
        specifying the particular portion desired and the activity for 
        which the record is sought.''.

SEC. 104. ADDITIONAL GUIDANCE TO AGENCIES ON FISMA UPDATES.

    Not later than 1 year after the date of enactment of this Act, the 
Director, in coordination with the Director of the Cybersecurity and 
Infrastructure Security Agency, shall issue guidance for agencies on--
            (1) performing the ongoing and continuous agency system 
        risk assessment required under section 3554(a)(1)(A) of title 
        44, United States Code, as amended by this Act;
            (2) implementing additional cybersecurity procedures, which 
        shall include resources for shared services;
            (3) establishing a process for providing the status of each 
        remedial action under section 3554(b)(7) of title 44, United 
        States Code, as amended by this Act, to the Director and the 
        Cybersecurity and Infrastructure Security Agency using 
        automation and machine-readable data, as practicable, which 
        shall include--
                    (A) specific guidance for the use of automation and 
                machine-readable data; and
                    (B) templates for providing the status of the 
                remedial action;
            (4) interpreting the definition of ``high value asset'' 
        under section 3552 of title 44, United States Code, as amended 
        by this Act; and
            (5) a requirement to coordinate with inspectors general of 
        agencies to ensure consistent understanding and application of 
        agency policies for the purpose of evaluations by inspectors 
        general.

SEC. 105. AGENCY REQUIREMENTS TO NOTIFY PRIVATE SECTOR ENTITIES 
              IMPACTED BY INCIDENTS.

    (a) Definitions.--In this section:
            (1) Reporting entity.--The term ``reporting entity'' means 
        a private organization or governmental unit that is required by 
        statute or regulation to submit sensitive information to an 
        agency.
            (2) Sensitive information.--The term ``sensitive 
        information'' has the meaning given the term by the Director in 
        guidance issued under subsection (b).
    (b) Guidance on Notification of Reporting Entities.--Not later than 
180 days after the date of enactment of this Act, the Director shall 
issue guidance requiring the head of each agency to notify a reporting 
entity of an incident that is likely to substantially affect--
            (1) the confidentiality or integrity of sensitive 
        information submitted by the reporting entity to the agency 
        pursuant to a statutory or regulatory requirement; or
            (2) the agency information system or systems used in the 
        transmission or storage of the sensitive information described 
        in paragraph (1).

               TITLE II--IMPROVING FEDERAL CYBERSECURITY

SEC. 201. MOBILE SECURITY STANDARDS.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, the Director shall--
            (1) evaluate mobile application security guidance 
        promulgated by the Director; and
            (2) issue guidance to secure mobile devices, including for 
        mobile applications, for every agency.
    (b) Contents.--The guidance issued under subsection (a)(2) shall 
include--
            (1) a requirement, pursuant to section 3506(b)(4) of title 
        44, United States Code, for every agency to maintain a 
        continuous inventory of every--
                    (A) mobile device operated by or on behalf of the 
                agency; and
                    (B) vulnerability identified by the agency 
                associated with a mobile device; and
            (2) a requirement for every agency to perform continuous 
        evaluation of the vulnerabilities described in paragraph (1)(B) 
        and other risks associated with the use of applications on 
        mobile devices.
    (c) Information Sharing.--The Director, in coordination with the 
Director of the Cybersecurity and Infrastructure Security Agency, shall 
issue guidance to agencies for sharing the inventory of the agency 
required under subsection (b)(1) with the Director of the Cybersecurity 
and Infrastructure Security Agency, using automation and machine-
readable data to the greatest extent practicable.
    (d) Briefing.--Not later than 60 days after the date on which the 
Director issues guidance under subsection (a)(2), the Director, in 
coordination with the Director of the Cybersecurity and Infrastructure 
Security Agency, shall provide to the appropriate congressional 
committees a briefing on the guidance.

SEC. 202. DATA AND LOGGING RETENTION FOR INCIDENT RESPONSE.

    (a) Recommendations.--Not later than 2 years after the date of 
enactment of this Act, and not less frequently than every 2 years 
thereafter, the Director of the Cybersecurity and Infrastructure 
Security Agency, in consultation with the Attorney General, shall 
submit to the Director recommendations on requirements for logging 
events on agency systems and retaining other relevant data within the 
systems and networks of an agency.
    (b) Contents.--The recommendations provided under subsection (a) 
shall include--
            (1) the types of logs to be maintained;
            (2) the time periods to retain the logs and other relevant 
        data;
            (3) the time periods for agencies to enable recommended 
        logging and security requirements;
            (4) how to ensure the confidentiality, integrity, and 
        availability of logs;
            (5) requirements to ensure that, upon request, in a manner 
        that excludes or otherwise reasonably protects personally 
        identifiable information, and to the extent permitted by 
        applicable law (including privacy and statistical laws), 
        agencies provide logs to--
                    (A) the Director of the Cybersecurity and 
                Infrastructure Security Agency for a cybersecurity 
                purpose; and
                    (B) the Federal Bureau of Investigation to 
                investigate potential criminal activity; and
            (6) requirements to ensure that, subject to compliance with 
        statistical laws and other relevant data protection 
        requirements, the highest level security operations center of 
        each agency has visibility into all agency logs.
    (c) Guidance.--Not later than 90 days after receiving the 
recommendations submitted under subsection (a), the Director, in 
consultation with the Director of the Cybersecurity and Infrastructure 
Security Agency and the Attorney General, shall, as determined to be 
appropriate by the Director, update guidance to agencies regarding 
requirements for logging, log retention, log management, sharing of log 
data with other appropriate agencies, or any other logging activity 
determined to be appropriate by the Director.

SEC. 203. CISA AGENCY ADVISORS.

    (a) In General.--Not later than 120 days after the date of 
enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency shall assign not less than 1 
cybersecurity professional employed by the Cybersecurity and 
Infrastructure Security Agency to be the Cybersecurity and 
Infrastructure Security Agency advisor to the senior agency information 
security officer of each agency.
    (b) Qualifications.--Each advisor assigned under subsection (a) 
shall have knowledge of--
            (1) cybersecurity threats facing agencies, including any 
        specific threats to the assigned agency;
            (2) performing risk assessments of agency systems; and
            (3) other Federal cybersecurity initiatives.
    (c) Duties.--The duties of each advisor assigned under subsection 
(a) shall include--
            (1) providing ongoing assistance and advice, as requested, 
        to the agency Chief Information Officer;
            (2) serving as an incident response point of contact 
        between the assigned agency and the Cybersecurity and 
        Infrastructure Security Agency; and
            (3) familiarizing themselves with agency systems, 
        processes, and procedures to better facilitate support to the 
        agency in responding to incidents.
    (d) Limitation.--An advisor assigned under subsection (a) shall not 
be a contractor.
    (e) Multiple Assignments.--One individual advisor may be assigned 
to multiple agency Chief Information Officers under subsection (a).

SEC. 204. FEDERAL PENETRATION TESTING POLICY.

    (a) In General.--Subchapter II of chapter 35 of title 44, United 
States Code, is amended by adding at the end the following:
``Sec. 3559A. Federal penetration testing
    ``(a) Definitions.--In this section:
            ``(1) Agency operational plan.--The term `agency 
        operational plan' means a plan of an agency for the use of 
        penetration testing.
            ``(2) Rules of engagement.--The term `rules of engagement' 
        means a set of rules established by an agency for the use of 
        penetration testing.
    ``(b) Guidance.--
            ``(1) In general.--The Director shall issue guidance that--
                    ``(A) requires agencies to use, when and where 
                appropriate, penetration testing on agency systems; and
                    ``(B) requires agencies to develop an agency 
                operational plan and rules of engagement that meet the 
                requirements under subsection (c).
            ``(2) Penetration testing guidance.--The guidance issued 
        under this section shall--
                    ``(A) permit an agency to use, for the purpose of 
                performing penetration testing--
                            ``(i) a shared service of the agency or 
                        another agency; or
                            ``(ii) an external entity, such as a 
                        vendor; and
                    ``(B) require agencies to provide the rules of 
                engagement and results of penetration testing to the 
                Director and the Director of the Cybersecurity and 
                Infrastructure Security Agency, without regard to the 
                status of the entity that performs the penetration 
                testing.
    ``(c) Agency Plans and Rules of Engagement.--The agency operational 
plan and rules of engagement of an agency shall--
            ``(1) require the agency to--
                    ``(A) perform penetration testing on the high value 
                assets of the agency; or
                    ``(B) coordinate with the Director of the 
                Cybersecurity and Infrastructure Security Agency to 
                ensure that penetration testing is being performed;
            ``(2) establish guidelines for avoiding, as a result of 
        penetration testing--
                    ``(A) adverse impacts to the operations of the 
                agency;
                    ``(B) adverse impacts to operational environments 
                and systems of the agency; and
                    ``(C) inappropriate access to data;
            ``(3) require the results of penetration testing to include 
        feedback to improve the cybersecurity of the agency; and
            ``(4) include mechanisms for providing consistently 
        formatted, and, if applicable, automated and machine-readable, 
        data to the Director and the Director of the Cybersecurity and 
        Infrastructure Security Agency.
    ``(d) Responsibilities of CISA.--The Director of the Cybersecurity 
and Infrastructure Security Agency shall--
            ``(1) establish a process to assess the performance of 
        penetration testing by both Federal and non-Federal entities 
        that establishes minimum quality controls for penetration 
        testing;
            ``(2) develop operational guidance for instituting 
        penetration testing programs at agencies;
            ``(3) develop and maintain a centralized capability to 
        offer penetration testing as a service to Federal and non-
        Federal entities; and
            ``(4) provide guidance to agencies on the best use of 
        penetration testing resources.
    ``(e) Responsibilities of OMB.--The Director, in coordination with 
the Director of the Cybersecurity and Infrastructure Security Agency, 
shall--
            ``(1) not less frequently than annually, inventory all 
        Federal penetration testing assets; and
            ``(2) develop and maintain a standardized process for the 
        use of penetration testing.
    ``(f) Prioritization of Penetration Testing Resources.--
            ``(1) In general.--The Director, in coordination with the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, shall develop a framework for prioritizing Federal 
        penetration testing resources among agencies.
            ``(2) Considerations.--In developing the framework under 
        this subsection, the Director shall consider--
                    ``(A) agency system risk assessments performed 
                under section 3554(a)(1)(A);
                    ``(B) the Federal risk assessment performed under 
                section 3553(i);
                    ``(C) the analysis of Federal incident data 
                performed under section 3597; and
                    ``(D) any other information determined appropriate 
                by the Director or the Director of the Cybersecurity 
                and Infrastructure Security Agency.
    ``(g) Exception for National Security Systems.--The guidance issued 
under subsection (b) shall not apply to national security systems.
    ``(h) Delegation of Authority for Certain Systems.--The authorities 
of the Director described in subsection (b) shall be delegated--
            ``(1) to the Secretary of Defense in the case of systems 
        described in section 3553(e)(2); and
            ``(2) to the Director of National Intelligence in the case 
        of systems described in section 3553(e)(3).''.
    (b) Deadline for Guidance.--Not later than 180 days after the date 
of enactment of this Act, the Director shall issue the guidance 
required under section 3559A(b) of title 44, United States Code, as 
added by subsection (a).
    (c) Clerical Amendment.--The table of sections for chapter 35 of 
title 44, United States Code, is amended by adding after the item 
relating to section 3559 the following:

``3559A. Federal penetration testing.''.
    (d) Penetration Testing by the Secretary of Homeland Security.--
Section 3553(b) of title 44, United States Code, as amended by section 
101, is further amended--
            (1) in paragraph (8)(B), by striking ``and'' at the end;
            (2) by redesignating paragraph (9) as paragraph (10); and
            (3) by inserting after paragraph (8) the following:
            ``(9) performing penetration testing with or without 
        advance notice to, or authorization from, agencies, to identify 
        vulnerabilities within Federal information systems; and''.

SEC. 205. ONGOING THREAT HUNTING PROGRAM.

    (a) Threat Hunting Program.--
            (1) In general.--Not later than 540 days after the date of 
        enactment of this Act, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall establish a program to 
        provide ongoing, hypothesis-driven threat-hunting services on 
        the network of each agency.
            (2) Plan.--Not later than 180 days after the date of 
        enactment of this Act, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall develop a plan to 
        establish the program required under paragraph (1) that 
        describes how the Director of the Cybersecurity and 
        Infrastructure Security Agency plans to--
                    (A) determine the method for collecting, storing, 
                accessing, and analyzing appropriate agency data;
                    (B) provide on-premises support to agencies;
                    (C) staff threat hunting services;
                    (D) allocate available human and financial 
                resources to implement the plan; and
                    (E) provide input to the heads of agencies on the 
                use of--
                            (i) more stringent standards under section 
                        11331(c)(1) of title 40, United States Code; 
                        and
                            (ii) additional cybersecurity procedures 
                        under section 3554 of title 44, United States 
                        Code.
    (b) Reports.--The Director of the Cybersecurity and Infrastructure 
Security Agency shall submit to the appropriate congressional 
committees--
            (1) not later than 30 days after the date on which the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency completes the plan required under subsection (a)(2), a 
        report on the plan to provide threat hunting services to 
        agencies;
            (2) not less than 30 days before the date on which the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency begins providing threat hunting services under the 
        program under subsection (a)(1), a report providing any updates 
        to the plan developed under subsection (a)(2); and
            (3) not later than 1 year after the date on which the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency begins providing threat hunting services to agencies 
        other than the Cybersecurity and Infrastructure Security 
        Agency, a report describing lessons learned from providing 
        those services.

SEC. 206. CODIFYING VULNERABILITY DISCLOSURE PROGRAMS.

    (a) In General.--Chapter 35 of title 44, United States Code, is 
amended by inserting after section 3559A, as added by section 204 of 
this Act, the following:
``Sec. 3559B. Federal vulnerability disclosure programs
    ``(a) Definitions.--In this section:
            ``(1) Report.--The term `report' means a vulnerability 
        disclosure made to an agency by a reporter.
            ``(2) Reporter.--The term `reporter' means an individual 
        that submits a vulnerability report pursuant to the 
        vulnerability disclosure process of an agency.
    ``(b) Responsibilities of OMB.--
            ``(1) Limitation on legal action.--The Director, in 
        consultation with the Attorney General, shall issue guidance to 
        agencies to not recommend or pursue legal action against a 
        reporter or an individual that conducts a security research 
        activity that the head of the agency determines--
                    ``(A) represents a good faith effort to follow the 
                vulnerability disclosure policy of the agency developed 
                under subsection (d)(2); and
                    ``(B) is authorized under the vulnerability 
                disclosure policy of the agency developed under 
                subsection (d)(2).
            ``(2) Sharing information with cisa.--The Director, in 
        coordination with the Director of the Cybersecurity and 
        Infrastructure Security Agency and the National Cyber Director, 
        shall issue guidance to agencies on sharing relevant 
        information in a consistent, automated, and machine-readable 
        manner with the Cybersecurity and Infrastructure Security 
        Agency, including--
                    ``(A) any valid or credible reports of newly 
                discovered or not publicly known vulnerabilities 
                (including misconfigurations) on Federal information 
                systems that use commercial software or services;
                    ``(B) information relating to vulnerability 
                disclosure, coordination, or remediation activities of 
                an agency, particularly as those activities relate to 
                outside organizations--
                            ``(i) with which the head of the agency 
                        believes the Director of the Cybersecurity and 
                        Infrastructure Security Agency can assist; or
                            ``(ii) about which the head of the agency 
                        believes the Director of the Cybersecurity and 
                        Infrastructure Security Agency should know; and
                    ``(C) any other information with respect to which 
                the head of the agency determines helpful or necessary 
                to involve the Cybersecurity and Infrastructure 
                Security Agency.
            ``(3) Agency vulnerability disclosure policies.--The 
        Director shall issue guidance to agencies on the required 
        minimum scope of agency systems covered by the vulnerability 
        disclosure policy of an agency required under subsection 
        (d)(2).
    ``(c) Responsibilities of CISA.--The Director of the Cybersecurity 
and Infrastructure Security Agency shall--
            ``(1) provide support to agencies with respect to the 
        implementation of the requirements of this section;
            ``(2) develop tools, processes, and other mechanisms 
        determined appropriate to offer agencies capabilities to 
        implement the requirements of this section; and
            ``(3) upon a request by an agency, assist the agency in the 
        disclosure to vendors of newly identified vulnerabilities in 
        vendor products and services.
    ``(d) Responsibilities of Agencies.--
            ``(1) Public information.--The head of each agency shall 
        make publicly available, with respect to each internet domain 
        under the control of the agency that is not a national security 
        system--
                    ``(A) an appropriate security contact; and
                    ``(B) the component of the agency that is 
                responsible for the internet accessible services 
                offered at the domain.
            ``(2) Vulnerability disclosure policy.--The head of each 
        agency shall develop and make publicly available a 
        vulnerability disclosure policy for the agency, which shall--
                    ``(A) describe--
                            ``(i) the scope of the systems of the 
                        agency included in the vulnerability disclosure 
                        policy;
                            ``(ii) the type of information system 
                        testing that is authorized by the agency;
                            ``(iii) the type of information system 
                        testing that is not authorized by the agency; 
                        and
                            ``(iv) the disclosure policy of the agency 
                        for sensitive information;
                    ``(B) with respect to a report to an agency, 
                describe--
                            ``(i) how the reporter should submit the 
                        report; and
                            ``(ii) if the report is not anonymous, when 
                        the reporter should anticipate an 
                        acknowledgment of receipt of the report by the 
                        agency;
                    ``(C) include any other relevant information; and
                    ``(D) be mature in scope, to cover all Federal 
                information systems used or operated by that agency or 
                on behalf of that agency.
            ``(3) Identified vulnerabilities.--The head of each agency 
        shall incorporate any vulnerabilities reported under paragraph 
        (2) into the vulnerability management process of the agency in 
        order to track and remediate the vulnerability.
    ``(e) Paperwork Reduction Act Exemption.--The requirements of 
subchapter I (commonly known as the `Paperwork Reduction Act') shall 
not apply to a vulnerability disclosure program established under this 
section.
    ``(f) Congressional Reporting.--Not later than 90 days after the 
date of enactment of the Federal Information Security Modernization Act 
of 2021, and annually thereafter for a 3-year period, the Director 
shall provide to the Committee on Homeland Security and Governmental 
Affairs of the Senate and the Committee on Oversight and Reform of the 
House of Representatives a briefing on the status of the use of 
vulnerability disclosure policies under this section at agencies, 
including, with respect to the guidance issued under subsection (b)(3), 
an identification of the agencies that are compliant and not compliant.
    ``(g) Exemptions.--The authorities and functions of the Director 
and Director of the Cybersecurity and Infrastructure Security Agency 
under this section shall not apply to national security systems.
    ``(h) Delegation of Authority for Certain Systems.--The authorities 
of the Director and the Director of the Cybersecurity and 
Infrastructure Security Agency described in this section shall be 
delegated--
            ``(1) to the Secretary of Defense in the case of systems 
        described in section 3553(e)(2); and
            ``(2) to the Director of National Intelligence in the case 
        of systems described in section 3553(e)(3).''.
    (b) Clerical Amendment.--The table of sections for chapter 35 of 
title 44, United States Code, is amended by adding after the item 
relating to section 3559A, as added by section 204, the following:

``3559B. Federal vulnerability disclosure programs.''.

SEC. 207. IMPLEMENTING PRESUMPTION OF COMPROMISE AND LEAST PRIVILEGE 
              PRINCIPLES.

    (a) Guidance.--Not later than 1 year after the date of enactment of 
this Act, the Director shall provide an update to the appropriate 
congressional committees on progress in increasing the internal 
defenses of agency systems, including--
            (1) shifting away from ``trusted networks'' to implement 
        security controls based on a presumption of compromise;
            (2) implementing principles of least privilege in 
        administering information security programs;
            (3) limiting the ability of entities that cause incidents 
        to move laterally through or between agency systems;
            (4) identifying incidents quickly;
            (5) isolating and removing unauthorized entities from 
        agency systems quickly;
            (6) otherwise increasing the resource costs for entities 
        that cause incidents to be successful; and
            (7) a summary of the agency progress reports required under 
        subsection (b).
    (b) Agency Progress Reports.--Not later than 1 year after the date 
of enactment of this Act, the head of each agency shall submit to the 
Director a progress report on implementing an information security 
program based on the presumption of compromise and least privilege 
principles, which shall include--
            (1) a description of any steps the agency has completed, 
        including progress toward achieving requirements issued by the 
        Director;
            (2) an identification of activities that have not yet been 
        completed and that would have the most immediate security 
        impact; and
            (3) a schedule to implement any planned activities.

SEC. 208. AUTOMATION REPORTS.

    (a) OMB Report.--Not later than 180 days after the date of 
enactment of this Act, the Director shall submit to the appropriate 
congressional committees a report on the use of automation under 
paragraphs (1), (5)(C) and (8)(B) of section 3554(b) of title 44, 
United States Code.
    (b) GAO Report.--Not later than 1 year after the date of enactment 
of this Act, the Comptroller General of the United States shall perform 
a study on the use of automation and machine readable data across the 
Federal Government for cybersecurity purposes, including the automated 
updating of cybersecurity tools, sensors, or processes by agencies.

SEC. 209. EXTENSION OF FEDERAL ACQUISITION SECURITY COUNCIL.

    Section 1328 of title 41, United States Code, is amended by 
striking ``the date that'' and all that follows and inserting 
``December 31, 2026.''.

SEC. 210. COUNCIL OF THE INSPECTORS GENERAL ON INTEGRITY AND EFFICIENCY 
              DASHBOARD.

    (a) Dashboard Required.--Section 11(e)(2) of the Inspector General 
Act of 1978 (5 U.S.C. App.) is amended--
            (1) in subparagraph (A), by striking ``and'' at the end;
            (2) by redesignating subparagraph (B) as subparagraph (C); 
        and
            (3) by inserting after subparagraph (A) the following:
                    ``(B) that shall include a dashboard of open 
                information security recommendations identified in the 
                independent evaluations required by section 3555(a) of 
                title 44, United States Code; and''.

                   TITLE III--RISK-BASED BUDGET MODEL

SEC. 301. DEFINITIONS.

    In this title:
            (1) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Homeland Security and 
                Governmental Affairs and the Committee on 
                Appropriations of the Senate; and
                    (B) the Committee on Homeland Security and the 
                Committee on Appropriations of the House of 
                Representatives.
            (2) Covered agency.--The term ``covered agency'' has the 
        meaning given the term ``executive agency'' in section 133 of 
        title 41, United States Code.
            (3) Director.--The term ``Director'' means the Director of 
        the Office of Management and Budget.
            (4) Information technology.--The term ``information 
        technology''--
                    (A) has the meaning given the term in section 11101 
                of title 40, United States Code; and
                    (B) includes the hardware and software systems of a 
                Federal agency that monitor and control physical 
                equipment and processes of the Federal agency.
            (5) Risk-based budget.--The term ``risk-based budget'' 
        means a budget--
                    (A) developed by identifying and prioritizing 
                cybersecurity risks and vulnerabilities, including 
                impact on agency operations in the case of a cyber 
                attack, through analysis of threat intelligence, 
                incident data, and tactics, techniques, procedures, and 
                capabilities of cyber threats; and
                    (B) that allocates resources based on the risks 
                identified and prioritized under subparagraph (A).

SEC. 302. ESTABLISHMENT OF RISK-BASED BUDGET MODEL.

    (a) In General.--
            (1) Model.--Not later than 1 year after the first 
        publication of the budget submitted by the President under 
        section 1105 of title 31, United States Code, following the 
        date of enactment of this Act, the Director, in consultation 
        with the Director of the Cybersecurity and Infrastructure 
        Security Agency and the National Cyber Director and in 
        coordination with the Director of the National Institute of 
        Standards and Technology, shall develop a standard model for 
        creating a risk-based budget for cybersecurity spending.
            (2) Responsibility of director.--Section 3553(a) of title 
        44, United States Code, as amended by section 101, is further 
        amended by inserting after paragraph (6) the following:
            ``(7) developing a standard risk-based budget model to 
        inform Federal agency cybersecurity budget development; and''.
            (3) Contents of model.--The model required to be developed 
        under paragraph (1) shall--
                    (A) consider Federal and non-Federal cyber threat 
                intelligence products, where available, to identify 
                threats, vulnerabilities, and risks;
                    (B) consider the impact of agency operations of 
                compromise of systems, including the interconnectivity 
                to other agency systems and the operations of other 
                agencies;
                    (C) indicate where resources should be allocated to 
                have the greatest impact on mitigating current and 
                future threats and current and future cybersecurity 
                capabilities;
                    (D) be used to inform acquisition and sustainment 
                of--
                            (i) information technology and 
                        cybersecurity tools;
                            (ii) information technology and 
                        cybersecurity architectures;
                            (iii) information technology and 
                        cybersecurity personnel; and
                            (iv) cybersecurity and information 
                        technology concepts of operations; and
                    (E) be used to evaluate and inform Government-wide 
                cybersecurity programs of the Department of Homeland 
                Security.
            (4) Required updates.--Not less frequently than once every 
        3 years, the Director shall review, and update as necessary, 
        the model required to be developed under this subsection.
            (5) Publication.--The Director shall publish the model 
        required to be developed under this subsection, and any updates 
        necessary under paragraph (4), on the public website of the 
        Office of Management and Budget.
            (6) Reports.--Not later than 1 year after the date of 
        enactment of this Act, and annually thereafter for each of the 
        2 following fiscal years or until the date on which the model 
        required to be developed under this subsection is completed, 
        whichever is sooner, the Director shall submit a report to 
        Congress on the development of the model.
    (b) Required Use of Risk-based Budget Model.--
            (1) In general.--Not later than 2 years after the date on 
        which the model developed under subsection (a) is published, 
        the head of each covered agency shall use the model to develop 
        the annual cybersecurity and information technology budget 
        requests of the agency.
            (2) Agency performance plans.--Section 3554(d)(2) of title 
        44, United States Code, is amended by inserting ``and the risk-
        based budget model required under section 3553(a)(7)'' after 
        ``paragraph (1)''.
    (c) Verification.--
            (1) In general.--Section 1105(a)(35)(A)(i) of title 31, 
        United States Code, is amended--
                    (A) in the matter preceding subclause (I), by 
                striking ``by agency, and by initiative area (as 
                determined by the administration)'' and inserting ``and 
                by agency'';
                    (B) in subclause (III), by striking ``and'' at the 
                end; and
                    (C) by adding at the end the following:
                                    ``(V) a validation that the budgets 
                                submitted were developed using a risk-
                                based methodology; and
                                    ``(VI) a report on the progress of 
                                each agency on closing recommendations 
                                identified under the independent 
                                evaluation required by section 
                                3555(a)(1) of title 44.''.
            (2) Effective date.--The amendments made by paragraph (1) 
        shall take effect on the date that is 2 years after the date on 
        which the model developed under subsection (a) is published.
    (d) Reports.--
            (1) Independent evaluation.--Section 3555(a)(2) of title 
        44, United States Code, is amended--
                    (A) in subparagraph (B), by striking ``and'' at the 
                end;
                    (B) in subparagraph (C), by striking the period at 
                the end and inserting ``; and''; and
                    (C) by adding at the end the following:
                    ``(D) an assessment of how the agency implemented 
                the risk-based budget model required under section 
                3553(a)(7) and an evaluation of whether the model 
                mitigates agency cyber vulnerabilities.''.
            (2) Assessment.--Section 3553(c) of title 44, United States 
        Code, as amended by section 101, is further amended by 
        inserting after paragraph (5) the following:
            ``(6) an assessment of--
                    ``(A) Federal agency implementation of the model 
                required under subsection (a)(7);
                    ``(B) how cyber vulnerabilities of Federal agencies 
                changed from the previous year; and
                    ``(C) whether the model mitigates the cyber 
                vulnerabilities of the Federal Government.''.
    (e) GAO Report.--Not later than 3 years after the date on which the 
first budget of the President is submitted to Congress containing the 
validation required under section 1105(a)(35)(A)(i)(V) of title 31, 
United States Code, as amended by subsection (c), the Comptroller 
General of the United States shall submit to the appropriate 
congressional committees a report that includes--
            (1) an evaluation of the success of covered agencies in 
        developing risk-based budgets;
            (2) an evaluation of the success of covered agencies in 
        implementing risk-based budgets;
            (3) an evaluation of whether the risk-based budgets 
        developed by covered agencies mitigate cyber vulnerability, 
        including the extent to which the risk-based budgets inform 
        Federal Government-wide cybersecurity programs; and
            (4) any other information relating to risk-based budgets 
        the Comptroller General determines appropriate.

       TITLE IV--PILOT PROGRAMS TO ENHANCE FEDERAL CYBERSECURITY

SEC. 401. ACTIVE CYBER DEFENSIVE STUDY.

    (a) Definition.--In this section, the term ``active defense 
technique''--
            (1) means an action taken on the systems of an entity to 
        increase the security of information on the network of an 
        agency by misleading an adversary; and
            (2) includes a honeypot, deception, or purposefully feeding 
        false or misleading data to an adversary when the adversary is 
        on the systems of the entity.
    (b) Study.--Not later than 180 days after the date of enactment of 
this Act, the Director of the Cybersecurity and Infrastructure Security 
Agency, in coordination with the Director, shall perform a study on the 
use of active defense techniques to enhance the security of agencies, 
which shall include--
            (1) a review of legal restrictions on the use of different 
        active cyber defense techniques in Federal environments, in 
        consultation with the Department of Justice;
            (2) an evaluation of--
                    (A) the efficacy of a selection of active defense 
                techniques determined by the Director of the 
                Cybersecurity and Infrastructure Security Agency; and
                    (B) factors that impact the efficacy of the active 
                defense techniques evaluated under subparagraph (A);
            (3) recommendations on safeguards and procedures that shall 
        be established to require that active defense techniques are 
        adequately coordinated to ensure that active defense techniques 
        do not impede threat response efforts, criminal investigations, 
        and national security activities, including intelligence 
        collection; and
            (4) the development of a framework for the use of different 
        active defense techniques by agencies.

SEC. 402. SECURITY OPERATIONS CENTER AS A SERVICE PILOT.

    (a) Purpose.--The purpose of this section is for the Cybersecurity 
and Infrastructure Security Agency to run a security operation center 
on behalf of another agency, alleviating the need to duplicate this 
function at every agency, and empowering a greater centralized 
cybersecurity capability.
    (b) Plan.--Not later than 1 year after the date of enactment of 
this Act, the Director of the Cybersecurity and Infrastructure Security 
Agency shall develop a plan to establish a centralized Federal security 
operations center shared service offering within the Cybersecurity and 
Infrastructure Security Agency.
    (c) Contents.--The plan required under subsection (b) shall include 
considerations for--
            (1) collecting, organizing, and analyzing agency 
        information system data in real time;
            (2) staffing and resources; and
            (3) appropriate interagency agreements, concepts of 
        operations, and governance plans.
    (d) Pilot Program.--
            (1) In general.--Not later than 180 days after the date on 
        which the plan required under subsection (b) is developed, the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, in consultation with the Director, shall enter into a 
        1-year agreement with not less than 2 agencies to offer a 
        security operations center as a shared service.
            (2) Additional agreements.--After the date on which the 
        briefing required under subsection (e)(1) is provided, the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, in consultation with the Director, may enter into 
        additional 1-year agreements described in paragraph (1) with 
        agencies.
    (e) Briefing and Report.--
            (1) Briefing.--Not later than 260 days after the date of 
        enactment of this Act, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall provide to the Committee 
        on Homeland Security and Governmental Affairs of the Senate and 
        the Committee on Homeland Security and the Committee on 
        Oversight and Reform of the House of Representatives a briefing 
        on the parameters of any 1-year agreements entered into under 
        subsection (d)(1).
            (2) Report.--Not later than 90 days after the date on which 
        the first 1-year agreement entered into under subsection (d) 
        expires, the Director of the Cybersecurity and Infrastructure 
        Security Agency shall submit to the Committee on Homeland 
        Security and Governmental Affairs of the Senate and the 
        Committee on Homeland Security and the Committee on Oversight 
        and Reform of the House of Representatives a report on--
                    (A) the agreement; and
                    (B) any additional agreements entered into with 
                agencies under subsection (d).