[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 3600 Engrossed in Senate (ES)]

<DOC>
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
117th CONGRESS
  2d Session
                                S. 3600

_______________________________________________________________________

                                 AN ACT


 
 To improve the cybersecurity of the Federal Government, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Strengthening American Cybersecurity 
Act of 2022''.

SEC. 2. TABLE OF CONTENTS.

    The table of contents for this Act is as follows:

Sec. 1. Short title.
Sec. 2. Table of contents.
    TITLE I--FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2022

Sec. 101. Short title.
Sec. 102. Definitions.
Sec. 103. Title 44 amendments.
Sec. 104. Amendments to subtitle III of title 40.
Sec. 105. Actions to enhance Federal incident transparency.
Sec. 106. Additional guidance to agencies on FISMA updates.
Sec. 107. Agency requirements to notify private sector entities 
                            impacted by incidents.
Sec. 108. Mobile security standards.
Sec. 109. Data and logging retention for incident response.
Sec. 110. CISA agency advisors.
Sec. 111. Federal penetration testing policy.
Sec. 112. Ongoing threat hunting program.
Sec. 113. Codifying vulnerability disclosure programs.
Sec. 114. Implementing zero trust architecture.
Sec. 115. Automation reports.
Sec. 116. Extension of Federal acquisition security council and 
                            software inventory.
Sec. 117. Council of the Inspectors General on Integrity and Efficiency 
                            dashboard.
Sec. 118. Quantitative cybersecurity metrics.
Sec. 119. Establishment of risk-based budget model.
Sec. 120. Active cyber defensive study.
Sec. 121. Security operations center as a service pilot.
Sec. 122. Extension of Chief Data Officer Council.
Sec. 123. Federal Cybersecurity Requirements.
 TITLE II--CYBER INCIDENT REPORTING FOR CRITICAL INFRASTRUCTURE ACT OF 
                                  2022

Sec. 201. Short title.
Sec. 202. Definitions.
Sec. 203. Cyber incident reporting.
Sec. 204. Federal sharing of incident reports.
Sec. 205. Ransomware vulnerability warning pilot program.
Sec. 206. Ransomware threat mitigation activities.
Sec. 207. Congressional reporting.
    TITLE III--FEDERAL SECURE CLOUD IMPROVEMENT AND JOBS ACT OF 2022

Sec. 301. Short title.
Sec. 302. Findings.
Sec. 303. Title 44 amendments.

    TITLE I--FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2022

SEC. 101. SHORT TITLE.

    This title may be cited as the ``Federal Information Security 
Modernization Act of 2022''.

SEC. 102. DEFINITIONS.

    In this title, unless otherwise specified:
            (1) Additional cybersecurity procedure.--The term 
        ``additional cybersecurity procedure'' has the meaning given 
        the term in section 3552(b) of title 44, United States Code, as 
        amended by this title.
            (2) Agency.--The term ``agency'' has the meaning given the 
        term in section 3502 of title 44, United States Code.
            (3) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    (B) the Committee on Oversight and Reform of the 
                House of Representatives; and
                    (C) the Committee on Homeland Security of the House 
                of Representatives.
            (4) Director.--The term ``Director'' means the Director of 
        the Office of Management and Budget.
            (5) Incident.--The term ``incident'' has the meaning given 
        the term in section 3552(b) of title 44, United States Code.
            (6) National security system.--The term ``national security 
        system'' has the meaning given the term in section 3552(b) of 
        title 44, United States Code.
            (7) Penetration test.--The term ``penetration test'' has 
        the meaning given the term in section 3552(b) of title 44, 
        United States Code, as amended by this title.
            (8) Threat hunting.--The term ``threat hunting'' means 
        proactively and iteratively searching systems for threats that 
        evade detection by automated threat detection systems.

SEC. 103. TITLE 44 AMENDMENTS.

    (a) Subchapter I Amendments.--Subchapter I of chapter 35 of title 
44, United States Code, is amended--
            (1) in section 3504--
                    (A) in subsection (a)(1)(B)--
                            (i) by striking clause (v) and inserting 
                        the following:
                    ``(v) confidentiality, privacy, disclosure, and 
                sharing of information;'';
                            (ii) by redesignating clause (vi) as clause 
                        (vii); and
                            (iii) by inserting after clause (v) the 
                        following:
                    ``(vi) in consultation with the National Cyber 
                Director, security of information; and''; and
                    (B) in subsection (g), by striking paragraph (1) 
                and inserting the following:
            ``(1) develop and oversee the implementation of policies, 
        principles, standards, and guidelines on privacy, 
        confidentiality, disclosure, and sharing, and in consultation 
        with the National Cyber Director, oversee the implementation of 
        policies, principles, standards, and guidelines on security, of 
        information collected or maintained by or for agencies; and'';
            (2) in section 3505--
                    (A) by striking the first subsection designated as 
                subsection (c);
                    (B) in paragraph (2) of the second subsection 
                designated as subsection (c), by inserting ``an 
                identification of internet accessible information 
                systems and'' after ``an inventory under this 
                subsection shall include'';
                    (C) in paragraph (3) of the second subsection 
                designated as subsection (c)--
                            (i) in subparagraph (B)--
                                    (I) by inserting ``the Director of 
                                the Cybersecurity and Infrastructure 
                                Security Agency, the National Cyber 
                                Director, and'' before ``the 
                                Comptroller General''; and
                                    (II) by striking ``and'' at the 
                                end;
                            (ii) in subparagraph (C)(v), by striking 
                        the period at the end and inserting ``; and''; 
                        and
                            (iii) by adding at the end the following:
            ``(D) maintained on a continual basis through the use of 
        automation, machine-readable data, and scanning, wherever 
        practicable.'';
            (3) in section 3506--
                    (A) in subsection (a)(3), by inserting ``In 
                carrying out these duties, the Chief Information 
                Officer shall coordinate, as appropriate, with the 
                Chief Data Officer in accordance with the designated 
                functions under section 3520(c).'' after ``reduction of 
                information collection burdens on the public.'';
                    (B) in subsection (b)(1)(C), by inserting ``, 
                availability'' after ``integrity''; and
                    (C) in subsection (h)(3), by inserting 
                ``security,'' after ``efficiency,''; and
            (4) in section 3513--
                    (A) by redesignating subsection (c) as subsection 
                (d); and
                    (B) by inserting after subsection (b) the 
                following:
    ``(c) Each agency providing a written plan under subsection (b) 
shall provide any portion of the written plan addressing information 
security to the Secretary of the Department of Homeland Security and 
the National Cyber Director.''.
    (b) Subchapter II Definitions.--
            (1) In general.--Section 3552(b) of title 44, United States 
        Code, is amended--
                    (A) by redesignating paragraphs (1), (2), (3), (4), 
                (5), (6), and (7) as paragraphs (2), (4), (5), (6), 
                (7), (9), and (11), respectively;
                    (B) by inserting before paragraph (2), as so 
                redesignated, the following:
            ``(1) The term `additional cybersecurity procedure' means a 
        process, procedure, or other activity that is established in 
        excess of the information security standards promulgated under 
        section 11331(b) of title 40 to increase the security and 
        reduce the cybersecurity risk of agency systems.'';
                    (C) by inserting after paragraph (2), as so 
                redesignated, the following:
            ``(3) The term `high value asset' means information or an 
        information system that the head of an agency, using policies, 
        principles, standards, or guidelines issued by the Director 
        under section 3553(a), determines to be so critical to the 
        agency that the loss or corruption of the information or the 
        loss of access to the information system would have a serious 
        impact on the ability of the agency to perform the mission of 
        the agency or conduct business.'';
                    (D) by inserting after paragraph (7), as so 
                redesignated, the following:
            ``(8) The term `major incident' has the meaning given the 
        term in guidance issued by the Director under section 
        3598(a).'';
                    (E) by inserting after paragraph (9), as so 
                redesignated, the following:
            ``(10) The term `penetration test'--
                    ``(A) means an authorized assessment that emulates 
                attempts to gain unauthorized access to, or disrupt the 
                operations of, an information system or component of an 
                information system; and
                    ``(B) includes any additional meaning given the 
                term in policies, principles, standards, or guidelines 
                issued by the Director under section 3553(a).''; and
                    (F) by inserting after paragraph (11), as so 
                redesignated, the following:
            ``(12) The term `shared service' means a centralized 
        business or mission capability that is provided to multiple 
        organizations within an agency or to multiple agencies.''.
            (2) Conforming amendments.--
                    (A) Homeland security act of 2002.--Section 
                1001(c)(1)(A) of the Homeland Security Act of 2002 (6 
                U.S.C. 511(1)(A)) is amended by striking ``section 
                3552(b)(5)'' and inserting ``section 3552(b)''.
                    (B) Title 10.--
                            (i) Section 2222.--Section 2222(i)(8) of 
                        title 10, United States Code, is amended by 
                        striking ``section 3552(b)(6)(A)'' and 
                        inserting ``section 3552(b)(9)(A)''.
                            (ii) Section 2223.--Section 2223(c)(3) of 
                        title 10, United States Code, is amended by 
                        striking ``section 3552(b)(6)'' and inserting 
                        ``section 3552(b)''.
                            (iii) Section 2315.--Section 2315 of title 
                        10, United States Code, is amended by striking 
                        ``section 3552(b)(6)'' and inserting ``section 
                        3552(b)''.
                            (iv) Section 2339a.--Section 2339a(e)(5) of 
                        title 10, United States Code, is amended by 
                        striking ``section 3552(b)(6)'' and inserting 
                        ``section 3552(b)''.
                    (C) High-performance computing act of 1991.--
                Section 207(a) of the High-Performance Computing Act of 
                1991 (15 U.S.C. 5527(a)) is amended by striking 
                ``section 3552(b)(6)(A)(i)'' and inserting ``section 
                3552(b)(9)(A)(i)''.
                    (D) Internet of things cybersecurity improvement 
                act of 2020.--Section 3(5) of the Internet of Things 
                Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-
                3a) is amended by striking ``section 3552(b)(6)'' and 
                inserting ``section 3552(b)''.
                    (E) National defense authorization act for fiscal 
                year 2013.--Section 933(e)(1)(B) of the National 
                Defense Authorization Act for Fiscal Year 2013 (10 
                U.S.C. 2224 note) is amended by striking ``section 
                3542(b)(2)'' and inserting ``section 3552(b)''.
                    (F) Ike skelton national defense authorization act 
                for fiscal year 2011.--The Ike Skelton National Defense 
                Authorization Act for Fiscal Year 2011 (Public Law 111-
                383) is amended--
                            (i) in section 806(e)(5) (10 U.S.C. 2304 
                        note), by striking ``section 3542(b)'' and 
                        inserting ``section 3552(b)'';
                            (ii) in section 931(b)(3) (10 U.S.C. 2223 
                        note), by striking ``section 3542(b)(2)'' and 
                        inserting ``section 3552(b)''; and
                            (iii) in section 932(b)(2) (10 U.S.C. 2224 
                        note), by striking ``section 3542(b)(2)'' and 
                        inserting ``section 3552(b)''.
                    (G) E-government act of 2002.--Section 301(c)(1)(A) 
                of the E-Government Act of 2002 (44 U.S.C. 3501 note) 
                is amended by striking ``section 3542(b)(2)'' and 
                inserting ``section 3552(b)''.
                    (H) National institute of standards and technology 
                act.--Section 20 of the National Institute of Standards 
                and Technology Act (15 U.S.C. 278g-3) is amended--
                            (i) in subsection (a)(2), by striking 
                        ``section 3552(b)(5)'' and inserting ``section 
                        3552(b)''; and
                            (ii) in subsection (f)--
                                    (I) in paragraph (3), by striking 
                                ``section 3532(1)'' and inserting 
                                ``section 3552(b)''; and
                                    (II) in paragraph (5), by striking 
                                ``section 3532(b)(2)'' and inserting 
                                ``section 3552(b)''.
    (c) Subchapter II Amendments.--Subchapter II of chapter 35 of title 
44, United States Code, is amended--
            (1) in section 3551--
                    (A) in paragraph (4), by striking ``diagnose and 
                improve'' and inserting ``integrate, deliver, diagnose, 
                and improve'';
                    (B) in paragraph (5), by striking ``and'' at the 
                end;
                    (C) in paragraph (6), by striking the period at the 
                end and inserting a semi colon; and
                    (D) by adding at the end the following:
            ``(7) recognize that each agency has specific mission 
        requirements and, at times, unique cybersecurity requirements 
        to meet the mission of the agency;
            ``(8) recognize that each agency does not have the same 
        resources to secure agency systems, and an agency should not be 
        expected to have the capability to secure the systems of the 
        agency from advanced adversaries alone; and
            ``(9) recognize that a holistic Federal cybersecurity model 
        is necessary to account for differences between the missions 
        and capabilities of agencies.'';
            (2) in section 3553--
                    (A) in subsection (a)--
                            (i) in paragraph (1), by inserting ``, in 
                        consultation with the Secretary and the 
                        National Cyber Director,'' before 
                        ``overseeing'';
                            (ii) in paragraph (5), by striking ``and'' 
                        at the end; and
                            (iii) by adding at the end the following:
            ``(8) promoting, in consultation with the Director of the 
        Cybersecurity and Infrastructure Security Agency, the National 
        Cyber Director, and the Director of the National Institute of 
        Standards and Technology--
                    ``(A) the use of automation to improve Federal 
                cybersecurity and visibility with respect to the 
                implementation of Federal cybersecurity; and
                    ``(B) the use of presumption of compromise and 
                least privilege principles to improve resiliency and 
                timely response actions to incidents on Federal 
                systems.'';
                    (B) in subsection (b)--
                            (i) in the matter preceding paragraph (1), 
                        by inserting ``and the National Cyber 
                        Director'' after ``Director''; and
                            (ii) in paragraph (2)(A), by inserting 
                        ``and reporting requirements under subchapter 
                        IV of this chapter'' after ``section 3556''; 
                        and
                    (C) in subsection (c)--
                            (i) in the matter preceding paragraph (1)--
                                    (I) by striking ``each year'' and 
                                inserting ``each year during which 
                                agencies are required to submit reports 
                                under section 3554(c)''; and
                                    (II) by striking ``preceding year'' 
                                and inserting ``preceding 2 years'';
                            (ii) by striking paragraph (1);
                            (iii) by redesignating paragraphs (2), (3), 
                        and (4) as paragraphs (1), (2), and (3), 
                        respectively;
                            (iv) in paragraph (3), as so redesignated, 
                        by striking ``and'' at the end;
                            (v) by inserting after paragraph (3), as so 
                        redesignated the following:
            ``(4) a summary of each assessment of Federal risk posture 
        performed under subsection (i);''; and
                            (vi) in paragraph (5), by striking the 
                        period at the end and inserting ``; and'';
                    (D) by redesignating subsections (i), (j), (k), and 
                (l) as subsections (j), (k), (l), and (m) respectively;
                    (E) by inserting after subsection (h) the 
                following:
    ``(i) Federal Risk Assessments.--On an ongoing and continuous 
basis, the Director of the Cybersecurity and Infrastructure Security 
Agency shall perform assessments of Federal risk posture using any 
available information on the cybersecurity posture of agencies, and 
brief the Director and National Cyber Director on the findings of those 
assessments including--
            ``(1) the status of agency cybersecurity remedial actions 
        described in section 3554(b)(7);
            ``(2) any vulnerability information relating to the systems 
        of an agency that is known by the agency;
            ``(3) analysis of incident information under section 3597;
            ``(4) evaluation of penetration testing performed under 
        section 3559A;
            ``(5) evaluation of vulnerability disclosure program 
        information under section 3559B;
            ``(6) evaluation of agency threat hunting results;
            ``(7) evaluation of Federal and non-Federal cyber threat 
        intelligence;
            ``(8) data on agency compliance with standards issued under 
        section 11331 of title 40;
            ``(9) agency system risk assessments performed under 
        section 3554(a)(1)(A); and
            ``(10) any other information the Director of the 
        Cybersecurity and Infrastructure Security Agency determines 
        relevant.'';
                    (F) in subsection (j), as so redesignated--
                            (i) by striking ``regarding the specific'' 
                        and inserting ``that includes a summary of--
            ``(1) the specific'';
                            (ii) in paragraph (1), as so designated, by 
                        striking the period at the end and inserting 
                        ``; and'' and
                            (iii) by adding at the end the following:
            ``(2) the trends identified in the Federal risk assessment 
        performed under subsection (i).''; and
                    (G) by adding at the end the following:
    ``(n) Binding Operational Directives.--If the Director of the 
Cybersecurity and Infrastructure Security Agency issues a binding 
operational directive or an emergency directive under this section, not 
later than 4 days after the date on which the binding operational 
directive requires an agency to take an action, the Director of the 
Cybersecurity and Infrastructure Security Agency shall provide to the 
Director, National Cyber Director, the Committee on Homeland Security 
and Governmental Affairs of the Senate and the Committee on Oversight 
and Reform of the House of Representatives the status of the 
implementation of the binding operational directive at the agency.
    ``(o) Review of Office of Management and Budget Guidance and 
Policy.--
            ``(1) Review.--
                    ``(A) In general.--Not less frequently than once 
                every 3 years, the Director, in consultation with the 
                Chief Information Officers Council, the Director of the 
                Cybersecurity and Infrastructure Security Agency, the 
                National Cyber Director, the Comptroller General of the 
                United States, and the Council of the Inspectors 
                General on Integrity and Efficiency, shall--
                            ``(i) review the efficacy of the guidance 
                        and policy developed by the Director under 
                        subsection (a)(1) in reducing cybersecurity 
                        risks, including an assessment of the 
                        requirements for agencies to report information 
                        to the Director; and
                            ``(ii) determine whether any changes to the 
                        guidance or policy developed under subsection 
                        (a)(1) is appropriate.
                    ``(B) Considerations.--In conducting the review 
                required under subparagraph (A), the Director shall 
                consider--
                            ``(i) the Federal risk assessments 
                        performed under subsection (i);
                            ``(ii) the cumulative reporting and 
                        compliance burden to agencies; and
                            ``(iii) the clarity of the requirements and 
                        deadlines contained in guidance and policy 
                        documents.
            ``(2) Updated guidance.--Not later than 90 days after the 
        date on which a review is completed under paragraph (1), the 
        Director shall issue updated guidance or policy to agencies 
        determined appropriate by the Director, based on the results of 
        the review.
            ``(3) Public report.--Not later than 30 days after the date 
        on which the Director completes a review under paragraph (1), 
        the Director shall make publicly available a report that 
        includes--
                    ``(A) an overview of the guidance and policy 
                developed under subsection (a)(1) that is in effect;
                    ``(B) the cybersecurity risk mitigation, or other 
                cybersecurity benefit, offered by each guidance or 
                policy described in subparagraph (A);
                    ``(C) a summary of the guidance or policy developed 
                under subsection (a)(1) to which changes were 
                determined appropriate during the review; and
                    ``(D) the changes that are anticipated to be 
                included in the updated guidance or policy issued under 
                paragraph (2).
            ``(4) Congressional briefing.--Not later than 60 days after 
        the date on which a review is completed under paragraph (1), 
        the Director shall provide to the Committee on Homeland 
        Security and Governmental Affairs of the Senate and the 
        Committee on Oversight and Reform of the House of 
        Representatives a briefing on the review.
    ``(p) Automated Standard Implementation Verification.--When the 
Director of the National Institute of Standards and Technology issues a 
proposed standard pursuant to paragraphs (2) or (3) of section 20(a) of 
the National Institute of Standards and Technology Act (15 U.S.C. 278g-
3(a)), the Director of the National Institute of Standards and 
Technology shall consider developing and, if appropriate and practical, 
develop, in consultation with the Director of the Cybersecurity and 
Infrastructure Security Agency, specifications to enable the automated 
verification of the implementation of the controls within the 
standard.'';
            (3) in section 3554--
                    (A) in subsection (a)--
                            (i) in paragraph (1)--
                                    (I) by redesignating subparagraphs 
                                (A), (B), and (C) as subparagraphs (B), 
                                (C), and (D), respectively;
                                    (II) by inserting before 
                                subparagraph (B), as so redesignated, 
                                the following:
                    ``(A) on an ongoing and continuous basis, 
                performing agency system risk assessments that--
                            ``(i) identify and document the high value 
                        assets of the agency using guidance from the 
                        Director;
                            ``(ii) evaluate the data assets inventoried 
                        under section 3511 for sensitivity to 
                        compromises in confidentiality, integrity, and 
                        availability;
                            ``(iii) identify agency systems that have 
                        access to or hold the data assets inventoried 
                        under section 3511;
                            ``(iv) evaluate the threats facing agency 
                        systems and data, including high value assets, 
                        based on Federal and non-Federal cyber threat 
                        intelligence products, where available;
                            ``(v) evaluate the vulnerability of agency 
                        systems and data, including high value assets, 
                        including by analyzing--
                                    ``(I) the results of penetration 
                                testing performed by the Department of 
                                Homeland Security under section 
                                3553(b)(9);
                                    ``(II) the results of penetration 
                                testing performed under section 3559A;
                                    ``(III) information provided to the 
                                agency through the vulnerability 
                                disclosure program of the agency under 
                                section 3559B;
                                    ``(IV) incidents; and
                                    ``(V) any other vulnerability 
                                information relating to agency systems 
                                that is known to the agency;
                            ``(vi) assess the impacts of potential 
                        agency incidents to agency systems, data, and 
                        operations based on the evaluations described 
                        in clauses (ii) and (iv) and the agency systems 
                        identified under clause (iii); and
                            ``(vii) assess the consequences of 
                        potential incidents occurring on agency systems 
                        that would impact systems at other agencies, 
                        including due to interconnectivity between 
                        different agency systems or operational 
                        reliance on the operations of the system or 
                        data in the system;'';
                                    (III) in subparagraph (B), as so 
                                redesignated, in the matter preceding 
                                clause (i), by striking ``providing 
                                information'' and inserting ``using 
                                information from the assessment 
                                conducted under subparagraph (A), 
                                providing information'';
                                    (IV) in subparagraph (C), as so 
                                redesignated--
                                            (aa) in clause (ii) by 
                                        inserting ``binding'' before 
                                        ``operational''; and
                                            (bb) in clause (vi), by 
                                        striking ``and'' at the end; 
                                        and
                                    (V) by adding at the end the 
                                following:
                    ``(E) providing an update on the ongoing and 
                continuous assessment performed under subparagraph 
                (A)--
                            ``(i) upon request, to the inspector 
                        general of the agency or the Comptroller 
                        General of the United States; and
                            ``(ii) on a periodic basis, as determined 
                        by guidance issued by the Director but not less 
                        frequently than annually, to--
                                    ``(I) the Director;
                                    ``(II) the Director of the 
                                Cybersecurity and Infrastructure 
                                Security Agency; and
                                    ``(III) the National Cyber 
                                Director;
                    ``(F) in consultation with the Director of the 
                Cybersecurity and Infrastructure Security Agency and 
                not less frequently than once every 3 years, performing 
                an evaluation of whether additional cybersecurity 
                procedures are appropriate for securing a system of, or 
                under the supervision of, the agency, which shall--
                            ``(i) be completed considering the agency 
                        system risk assessment performed under 
                        subparagraph (A); and
                            ``(ii) include a specific evaluation for 
                        high value assets;
                    ``(G) not later than 30 days after completing the 
                evaluation performed under subparagraph (F), providing 
                the evaluation and an implementation plan, if 
                applicable, for using additional cybersecurity 
                procedures determined to be appropriate to--
                            ``(i) the Director of the Cybersecurity and 
                        Infrastructure Security Agency;
                            ``(ii) the Director; and
                            ``(iii) the National Cyber Director; and
                    ``(H) if the head of the agency determines there is 
                need for additional cybersecurity procedures, ensuring 
                that those additional cybersecurity procedures are 
                reflected in the budget request of the agency;'';
                            (ii) in paragraph (2)--
                                    (I) in subparagraph (A), by 
                                inserting ``in accordance with the 
                                agency system risk assessment performed 
                                under paragraph (1)(A)'' after 
                                ``information systems'';
                                    (II) in subparagraph (B)--
                                            (aa) by striking ``in 
                                        accordance with standards'' and 
                                        inserting ``in accordance 
                                        with--
                            ``(i) standards''; and
                                            (bb) by adding at the end 
                                        the following:
                            ``(ii) the evaluation performed under 
                        paragraph (1)(F); and
                            ``(iii) the implementation plan described 
                        in paragraph (1)(G);''; and
                                    (III) in subparagraph (D), by 
                                inserting ``, through the use of 
                                penetration testing, the vulnerability 
                                disclosure program established under 
                                section 3559B, and other means,'' after 
                                ``periodically'';
                            (iii) in paragraph (3)--
                                    (I) in subparagraph (A)--
                                            (aa) in clause (iii), by 
                                        striking ``and'' at the end;
                                            (bb) in clause (iv), by 
                                        adding ``and'' at the end; and
                                            (cc) by adding at the end 
                                        the following:
                            ``(v) ensure that--
                                    ``(I) senior agency information 
                                security officers of component agencies 
                                carry out responsibilities under this 
                                subchapter, as directed by the senior 
                                agency information security officer of 
                                the agency or an equivalent official; 
                                and
                                    ``(II) senior agency information 
                                security officers of component agencies 
                                report to--
                                            ``(aa) the senior 
                                        information security officer of 
                                        the agency or an equivalent 
                                        official; and
                                            ``(bb) the Chief 
                                        Information Officer of the 
                                        component agency or an 
                                        equivalent official;''; and
                            (iv) in paragraph (5), by inserting ``and 
                        the Director of the Cybersecurity and 
                        Infrastructure Security Agency'' before ``on 
                        the effectiveness'';
                    (B) in subsection (b)--
                            (i) by striking paragraph (1) and inserting 
                        the following:
            ``(1) pursuant to subsection (a)(1)(A), performing ongoing 
        and continuous agency system risk assessments, which may 
        include using guidelines and automated tools consistent with 
        standards and guidelines promulgated under section 11331 of 
        title 40, as applicable;'';
                            (ii) in paragraph (2)--
                                    (I) by striking subparagraph (B) 
                                and inserting the following:
                    ``(B) comply with the risk-based cyber budget model 
                developed pursuant to section 3553(a)(7);''; and
                                    (II) in subparagraph (D)--
                                            (aa) by redesignating 
                                        clauses (iii) and (iv) as 
                                        clauses (iv) and (v), 
                                        respectively;
                                            (bb) by inserting after 
                                        clause (ii) the following:
                            ``(iii) binding operational directives and 
                        emergency directives promulgated by the 
                        Director of the Cybersecurity and 
                        Infrastructure Security Agency under section 
                        3553;''; and
                                            (cc) in clause (iv), as so 
                                        redesignated, by striking ``as 
                                        determined by the agency; and'' 
                                        and inserting ``as determined 
                                        by the agency, considering the 
                                        agency risk assessment 
                                        performed under subsection 
                                        (a)(1)(A); and
                            (iii) in paragraph (5)(A), by inserting ``, 
                        including penetration testing, as 
                        appropriate,'' after ``shall include testing'';
                            (iv) in paragraph (6), by striking 
                        ``planning, implementing, evaluating, and 
                        documenting'' and inserting ``planning and 
                        implementing and, in consultation with the 
                        Director of the Cybersecurity and 
                        Infrastructure Security Agency, evaluating and 
                        documenting'';
                            (v) by redesignating paragraphs (7) and (8) 
                        as paragraphs (8) and (9), respectively;
                            (vi) by inserting after paragraph (6) the 
                        following:
            ``(7) a process for providing the status of every remedial 
        action and unremediated identified system vulnerability to the 
        Director and the Director of the Cybersecurity and 
        Infrastructure Security Agency, using automation and machine-
        readable data to the greatest extent practicable;''; and
                            (vii) in paragraph (8)(C), as so 
                        redesignated--
                                    (I) by striking clause (ii) and 
                                inserting the following:
                            ``(ii) notifying and consulting with the 
                        Federal information security incident center 
                        established under section 3556 pursuant to the 
                        requirements of section 3594;'';
                                    (II) by redesignating clause (iii) 
                                as clause (iv);
                                    (III) by inserting after clause 
                                (ii) the following:
                            ``(iii) performing the notifications and 
                        other activities required under subchapter IV 
                        of this chapter; and''; and
                                    (IV) in clause (iv), as so 
                                redesignated--
                                            (aa) in subclause (I), by 
                                        striking ``and relevant offices 
                                        of inspectors general'';
                                            (bb) in subclause (II), by 
                                        adding ``and'' at the end;
                                            (cc) by striking subclause 
                                        (III); and
                                            (dd) by redesignating 
                                        subclause (IV) as subclause 
                                        (III);
                    (C) in subsection (c)--
                            (i) by redesignating paragraph (2) as 
                        paragraph (5);
                            (ii) by striking paragraph (1) and 
                        inserting the following:
            ``(1) Biannual report.--Not later than 2 years after the 
        date of enactment of the Federal Information Security 
        Modernization Act of 2022 and not less frequently than once 
        every 2 years thereafter, using the continuous and ongoing 
        agency system risk assessment under subsection (a)(1)(A), the 
        head of each agency shall submit to the Director, the Director 
        of the Cybersecurity and Infrastructure Security Agency, the 
        majority and minority leaders of the Senate, the Speaker and 
        minority leader of the House of Representatives, the Committee 
        on Homeland Security and Governmental Affairs of the Senate, 
        the Committee on Oversight and Reform of the House of 
        Representatives, the Committee on Homeland Security of the 
        House of Representatives, the Committee on Commerce, Science, 
        and Transportation of the Senate, the Committee on Science, 
        Space, and Technology of the House of Representatives, the 
        appropriate authorization and appropriations committees of 
        Congress, the National Cyber Director, and the Comptroller 
        General of the United States a report that--
                    ``(A) summarizes the agency system risk assessment 
                performed under subsection (a)(1)(A);
                    ``(B) evaluates the adequacy and effectiveness of 
                information security policies, procedures, and 
                practices of the agency to address the risks identified 
                in the agency system risk assessment performed under 
                subsection (a)(1)(A), including an analysis of the 
                agency's cybersecurity and incident response 
                capabilities using the metrics established under 
                section 224(c) of the Cybersecurity Act of 2015 (6 
                U.S.C. 1522(c));
                    ``(C) summarizes the evaluation and implementation 
                plans described in subparagraphs (F) and (G) of 
                subsection (a)(1) and whether those evaluation and 
                implementation plans call for the use of additional 
                cybersecurity procedures determined to be appropriate 
                by the agency; and
                    ``(D) summarizes the status of remedial actions 
                identified by inspector general of the agency, the 
                Comptroller General of the United States, and any other 
                source determined appropriate by the head of the 
                agency.
            ``(2) Unclassified reports.--Each report submitted under 
        paragraph (1)--
                    ``(A) shall be, to the greatest extent practicable, 
                in an unclassified and otherwise uncontrolled form; and
                    ``(B) may include a classified annex.
            ``(3) Access to information.--The head of an agency shall 
        ensure that, to the greatest extent practicable, information is 
        included in the unclassified form of the report submitted by 
        the agency under paragraph (2)(A).
            ``(4) Briefings.--During each year during which a report is 
        not required to be submitted under paragraph (1), the Director 
        shall provide to the congressional committees described in 
        paragraph (1) a briefing summarizing current agency and Federal 
        risk postures.''; and
                            (iii) in paragraph (5), as so redesignated, 
                        by striking the period at the end and inserting 
                        ``, including the reporting procedures 
                        established under section 11315(d) of title 40 
                        and subsection (a)(3)(A)(v) of this section''; 
                        and
                    (D) in subsection (d)(1), in the matter preceding 
                subparagraph (A), by inserting ``and the National Cyber 
                Director'' after ``the Director''; and
                    (E) by adding at the end the following:
    ``(f) Reporting Structure Exemption.--
            ``(1) In general.--On an annual basis, the Director may 
        exempt an agency from the reporting structure requirement under 
        subsection (a)(3)(A)(v)(II).
            ``(2) Report.--On an annual basis, the Director shall 
        submit a report to the Committee on Homeland Security and 
        Governmental Affairs of the Senate and the Committee on 
        Oversight and Reform of the House of Representatives that 
        includes a list of each exemption granted under paragraph (1) 
        and the associated rationale for each exemption.
            ``(3) Component of other report.--The report required under 
        paragraph (2) may be incorporated into any other annual report 
        required under this chapter.'';
            (4) in section 3555--
                    (A) in the section heading, by striking ``annual 
                independent'' and inserting ``independent'';
                    (B) in subsection (a)--
                            (i) in paragraph (1), by inserting ``during 
                        which a report is required to be submitted 
                        under section 3553(c),'' after ``Each year'';
                            (ii) in paragraph (2)(A), by inserting ``, 
                        including by penetration testing and analyzing 
                        the vulnerability disclosure program of the 
                        agency'' after ``information systems''; and
                            (iii) by adding at the end the following:
    ``(3) An evaluation under this section may include recommendations 
for improving the cybersecurity posture of the agency.'';
                    (C) in subsection (b)(1), by striking ``annual'';
                    (D) in subsection (e)(1), by inserting ``during 
                which a report is required to be submitted under 
                section 3553(c)'' after ``Each year'';
                    (E) by striking subsection (f) and inserting the 
                following:
    ``(f) Protection of Information.--(1) Agencies, evaluators, and 
other recipients of information that, if disclosed, may cause grave 
harm to the efforts of Federal information security officers, shall 
take appropriate steps to ensure the protection of that information, 
including safeguarding the information from public disclosure.
    ``(2) The protections required under paragraph (1) shall be 
commensurate with the risk and comply with all applicable laws and 
regulations.
    ``(3) With respect to information that is not related to national 
security systems, agencies and evaluators shall make a summary of the 
information unclassified and publicly available, including information 
that does not identify--
            ``(A) specific information system incidents; or
            ``(B) specific information system vulnerabilities.'';
                    (F) in subsection (g)(2)--
                            (i) by striking ``this subsection shall'' 
                        and inserting ``this subsection--
            ``(A) shall'';
                            (ii) in subparagraph (A), as so designated, 
                        by striking the period at the end and inserting 
                        ``; and''; and
                            (iii) by adding at the end the following:
            ``(B) identify any entity that performs an independent 
        evaluation under subsection (b).''; and
                    (G) by striking subsection (j) and inserting the 
                following:
    ``(j) Guidance.--
            ``(1) In general.--The Director, in consultation with the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, the Chief Information Officers Council, the Council of 
        the Inspectors General on Integrity and Efficiency, and other 
        interested parties as appropriate, shall ensure the development 
        of risk-based guidance for evaluating the effectiveness of an 
        information security program and practices
            ``(2) Priorities.--The risk-based guidance developed under 
        paragraph (1) shall include--
                    ``(A) the identification of the most common 
                successful threat patterns experienced by each agency;
                    ``(B) the identification of security controls that 
                address the threat patterns described in subparagraph 
                (A);
                    ``(C) any other security risks unique to the 
                networks of each agency; and
                    ``(D) any other element the Director, in 
                consultation with the Director of the Cybersecurity and 
                Infrastructure Security Agency and the Council of the 
                Inspectors General on Integrity and Efficiency, 
                determines appropriate.''; and
            (5) in section 3556(a)--
                    (A) in the matter preceding paragraph (1), by 
                inserting ``within the Cybersecurity and Infrastructure 
                Security Agency'' after ``incident center''; and
                    (B) in paragraph (4), by striking ``3554(b)'' and 
                inserting ``3554(a)(1)(A)''.
    (d) Conforming Amendments.--
            (1) Table of sections.--The table of sections for chapter 
        35 of title 44, United States Code, is amended by striking the 
        item relating to section 3555 and inserting the following:

``3555. Independent evaluation''.
            (2) OMB reports.--Section 226(c) of the Cybersecurity Act 
        of 2015 (6 U.S.C. 1524(c)) is amended--
                    (A) in paragraph (1)(B), in the matter preceding 
                clause (i), by striking ``annually thereafter'' and 
                inserting ``thereafter during the years during which a 
                report is required to be submitted under section 
                3553(c) of title 44, United States Code''; and
                    (B) in paragraph (2)(B), in the matter preceding 
                clause (i)--
                            (i) by striking ``annually thereafter'' and 
                        inserting ``thereafter during the years during 
                        which a report is required to be submitted 
                        under section 3553(c) of title 44, United 
                        States Code''; and
                            (ii) by striking ``the report required 
                        under section 3553(c) of title 44, United 
                        States Code'' and inserting ``that report''.
            (3) NIST responsibilities.--Section 20(d)(3)(B) of the 
        National Institute of Standards and Technology Act (15 U.S.C. 
        278g-3(d)(3)(B)) is amended by striking ``annual''.
    (e) Federal System Incident Response.--
            (1) In general.--Chapter 35 of title 44, United States 
        Code, is amended by adding at the end the following:

           ``SUBCHAPTER IV--FEDERAL SYSTEM INCIDENT RESPONSE

``Sec. 3591. Definitions
    ``(a) In General.--Except as provided in subsection (b), the 
definitions under sections 3502 and 3552 shall apply to this 
subchapter.
    ``(b) Additional Definitions.--As used in this subchapter:
            ``(1) Appropriate reporting entities.--The term 
        `appropriate reporting entities' means--
                    ``(A) the majority and minority leaders of the 
                Senate;
                    ``(B) the Speaker and minority leader of the House 
                of Representatives;
                    ``(C) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    ``(D) the Committee on Oversight and Reform of the 
                House of Representatives;
                    ``(E) the Committee on Homeland Security of the 
                House of Representatives;
                    ``(F) the appropriate authorization and 
                appropriations committees of Congress;
                    ``(G) the Director;
                    ``(H) the Director of the Cybersecurity and 
                Infrastructure Security Agency;
                    ``(I) the National Cyber Director;
                    ``(J) the Comptroller General of the United States; 
                and
                    ``(K) the inspector general of any impacted agency.
            ``(2) Awardee.--The term `awardee'--
                    ``(A) means a person, business, or other entity 
                that receives a grant from, or is a party to a 
                cooperative agreement or an other transaction agreement 
                with, an agency; and
                    ``(B) includes any subgrantee of a person, 
                business, or other entity described in subparagraph 
                (A).
            ``(3) Breach.--The term `breach'--
                    ``(A) means the loss, control, compromise, 
                unauthorized disclosure, or unauthorized acquisition of 
                personally identifiable information or any similar 
                occurrence; and
                    ``(B) includes any additional meaning given the 
                term in policies, principles, standards, or guidelines 
                issued by the Director under section 3553(a).
            ``(4) Contractor.--The term `contractor' means a prime 
        contractor of an agency or a subcontractor of a prime 
        contractor of an agency.
            ``(5) Federal information.--The term `Federal information' 
        means information created, collected, processed, maintained, 
        disseminated, disclosed, or disposed of by or for the Federal 
        Government in any medium or form.
            ``(6) Federal information system.--The term `Federal 
        information system' means an information system used or 
        operated by an agency, a contractor, an awardee, or another 
        organization on behalf of an agency.
            ``(7) Intelligence community.--The term `intelligence 
        community' has the meaning given the term in section 3 of the 
        National Security Act of 1947 (50 U.S.C. 3003).
            ``(8) Nationwide consumer reporting agency.--The term 
        `nationwide consumer reporting agency' means a consumer 
        reporting agency described in section 603(p) of the Fair Credit 
        Reporting Act (15 U.S.C. 1681a(p)).
            ``(9) Vulnerability disclosure.--The term `vulnerability 
        disclosure' means a vulnerability identified under section 
        3559B.
``Sec. 3592. Notification of breach
    ``(a) Notification.--As expeditiously as practicable and without 
unreasonable delay, and in any case not later than 45 days after an 
agency has a reasonable basis to conclude that a breach has occurred, 
the head of the agency, in consultation with a senior privacy officer 
of the agency, shall--
            ``(1) determine whether notice to any individual 
        potentially affected by the breach is appropriate based on an 
        assessment of the risk of harm to the individual that 
        considers--
                    ``(A) the nature and sensitivity of the personally 
                identifiable information affected by the breach;
                    ``(B) the likelihood of access to and use of the 
                personally identifiable information affected by the 
                breach;
                    ``(C) the type of breach; and
                    ``(D) any other factors determined by the Director; 
                and
            ``(2) as appropriate, provide written notice in accordance 
        with subsection (b) to each individual potentially affected by 
        the breach--
                    ``(A) to the last known mailing address of the 
                individual; or
                    ``(B) through an appropriate alternative method of 
                notification that the head of the agency or a 
                designated senior-level individual of the agency 
                selects based on factors determined by the Director.
    ``(b) Contents of Notice.--Each notice of a breach provided to an 
individual under subsection (a)(2) shall include--
            ``(1) a brief description of the breach;
            ``(2) if possible, a description of the types of personally 
        identifiable information affected by the breach;
            ``(3) contact information of the agency that may be used to 
        ask questions of the agency, which--
                    ``(A) shall include an e-mail address or another 
                digital contact mechanism; and
                    ``(B) may include a telephone number, mailing 
                address, or a website;
            ``(4) information on any remedy being offered by the 
        agency;
            ``(5) any applicable educational materials relating to what 
        individuals can do in response to a breach that potentially 
        affects their personally identifiable information, including 
        relevant contact information for Federal law enforcement 
        agencies and each nationwide consumer reporting agency; and
            ``(6) any other appropriate information, as determined by 
        the head of the agency or established in guidance by the 
        Director.
    ``(c) Delay of Notification.--
            ``(1) In general.--The Attorney General, the Director of 
        National Intelligence, or the Secretary of Homeland Security 
        may delay a notification required under subsection (a) or (d) 
        if the notification would--
                    ``(A) impede a criminal investigation or a national 
                security activity;
                    ``(B) reveal sensitive sources and methods;
                    ``(C) cause damage to national security; or
                    ``(D) hamper security remediation actions.
            ``(2) Documentation.--
                    ``(A) In general.--Any delay under paragraph (1) 
                shall be reported in writing to the Director, the 
                Attorney General, the Director of National 
                Intelligence, the Secretary of Homeland Security, the 
                National Cyber Director, the Director of the 
                Cybersecurity and Infrastructure Security Agency, and 
                the head of the agency and the inspector general of the 
                agency that experienced the breach.
                    ``(B) Contents.--A report required under 
                subparagraph (A) shall include a written statement from 
                the entity that delayed the notification explaining the 
                need for the delay.
                    ``(C) Form.--The report required under subparagraph 
                (A) shall be unclassified but may include a classified 
                annex.
            ``(3) Renewal.--A delay under paragraph (1) shall be for a 
        period of 60 days and may be renewed.
    ``(d) Update Notification.--If an agency determines there is a 
significant change in the reasonable basis to conclude that a breach 
occurred, a significant change to the determination made under 
subsection (a)(1), or that it is necessary to update the details of the 
information provided to potentially affected individuals as described 
in subsection (b), the agency shall as expeditiously as practicable and 
without unreasonable delay, and in any case not later than 30 days 
after such a determination, notify each individual who received a 
notification pursuant to subsection (a) of those changes.
    ``(e) Rule of Construction.--Nothing in this section shall be 
construed to limit--
            ``(1) the Director from issuing guidance relating to 
        notifications or the head of an agency from notifying 
        individuals potentially affected by breaches that are not 
        determined to be major incidents; or
            ``(2) the Director from issuing guidance relating to 
        notifications of major incidents or the head of an agency from 
        providing more information than described in subsection (b) 
        when notifying individuals potentially affected by breaches.
``Sec. 3593. Congressional and Executive Branch reports
    ``(a) Initial Report.--
            ``(1) In general.--Not later than 72 hours after an agency 
        has a reasonable basis to conclude that a major incident 
        occurred, the head of the agency impacted by the major incident 
        shall submit to the appropriate reporting entities a written 
        report and, to the extent practicable, provide a briefing to 
        the Committee on Homeland Security and Governmental Affairs of 
        the Senate, the Committee on Oversight and Reform of the House 
        of Representatives, the Committee on Homeland Security of the 
        House of Representatives, and the appropriate authorization and 
        appropriations committees of Congress, taking into account--
                    ``(A) the information known at the time of the 
                report;
                    ``(B) the sensitivity of the details associated 
                with the major incident; and
                    ``(C) the classification level of the information 
                contained in the report.
            ``(2) Contents.--A report required under paragraph (1) 
        shall include, in a manner that excludes or otherwise 
        reasonably protects personally identifiable information and to 
        the extent permitted by applicable law, including privacy and 
        statistical laws--
                    ``(A) a summary of the information available about 
                the major incident, including how the major incident 
                occurred, information indicating that the major 
                incident may be a breach, and information relating to 
                the major incident as a breach, based on information 
                available to agency officials as of the date on which 
                the agency submits the report;
                    ``(B) if applicable, a description and any 
                associated documentation of any circumstances 
                necessitating a delay in a notification to individuals 
                potentially affected by the major incident under 
                section 3592(c);
                    ``(C) if applicable, an assessment of the impacts 
                to the agency, the Federal Government, or the security 
                of the United States, based on information available to 
                agency officials on the date on which the agency 
                submits the report; and
                    ``(D) if applicable, whether any ransom has been 
                demanded or paid, or plans to be paid, by any entity 
                operating a Federal information system or with access 
                to a Federal information system, unless disclosure of 
                such information may disrupt an active Federal law 
                enforcement or national security operation.
    ``(b) Supplemental Report.--Within a reasonable amount of time, but 
not later than 30 days after the date on which an agency submits a 
written report under subsection (a), the head of the agency shall 
provide to the appropriate reporting entities written updates, which 
may include classified annexes, on the major incident and, to the 
extent practicable, provide a briefing, which may include a classified 
component, to the congressional committees described in subsection 
(a)(1), including summaries of--
            ``(1) vulnerabilities, means by which the major incident 
        occurred, and impacts to the agency relating to the major 
        incident;
            ``(2) any risk assessment and subsequent risk-based 
        security implementation of the affected information system 
        before the date on which the major incident occurred;
            ``(3) the status of compliance of the affected information 
        system with applicable security requirements that are directly 
        related to the cause of the incident, at the time of the major 
        incident;
            ``(4) an estimate of the number of individuals potentially 
        affected by the major incident based on information available 
        to agency officials as of the date on which the agency provides 
        the update;
            ``(5) an assessment of the risk of harm to individuals 
        potentially affected by the major incident based on information 
        available to agency officials as of the date on which the 
        agency provides the update;
            ``(6) an update to the assessment of the risk to agency 
        operations, or to impacts on other agency or non-Federal entity 
        operations, affected by the major incident based on information 
        available to agency officials as of the date on which the 
        agency provides the update;
            ``(7) the detection, response, and remediation actions of 
        the agency, including any support provided by the Cybersecurity 
        and Infrastructure Security Agency under section 3594(d) and 
        status updates on the notification process described in section 
        3592(a), including any delay described in section 3592(c), if 
        applicable; and
            ``(8) if applicable, a description of any circumstances or 
        data leading the head of the agency to determine, pursuant to 
        section 3592(a)(1), not to notify individuals potentially 
        impacted by a breach.
    ``(c) Update Report.--If the agency determines that there is any 
significant change in the understanding of the agency of the scope, 
scale, or consequence of a major incident for which an agency submitted 
a written report under subsection (a), the agency shall provide an 
updated report to the appropriate reporting entities that includes 
information relating to the change in understanding.
    ``(d) Biannual Report.--Each agency shall submit as part of the 
biannual report required under section 3554(c)(1) of this title a 
description of each major incident that occurred during the 2-year 
period preceding the date on which the biannual report is submitted.
    ``(e) Delay and Lack of Notification Report.--
            ``(1) In general.--The Director shall submit to the 
        appropriate reporting entities an annual report on all 
        notification delays granted pursuant to section 3592(c).
            ``(2) Lack of breach notification.--The Director shall 
        submit to the appropriate reporting entities an annual report 
        on each breach with respect to which the head of an agency 
        determined, pursuant to section 3592(a)(1), not to notify 
        individuals potentially impacted by the breach.
            ``(3) Component of other report.--The Director may submit 
        the report required under paragraph (1) as a component of the 
        annual report submitted under section 3597(b).
    ``(f) Report Delivery.--Any written report required to be submitted 
under this section may be submitted in a paper or electronic format.
    ``(g) Threat Briefing.--
            ``(1) In general.--Not later than 7 days after the date on 
        which an agency has a reasonable basis to conclude that a major 
        incident occurred, the head of the agency, jointly with the 
        Director, the National Cyber Director and any other Federal 
        entity determined appropriate by the National Cyber Director, 
        shall provide a briefing to the congressional committees 
        described in subsection (a)(1) on the threat causing the major 
        incident.
            ``(2) Components.--The briefing required under paragraph 
        (1)--
                    ``(A) shall, to the greatest extent practicable, 
                include an unclassified component; and
                    ``(B) may include a classified component.
    ``(h) Rule of Construction.--Nothing in this section shall be 
construed to limit--
            ``(1) the ability of an agency to provide additional 
        reports or briefings to Congress; or
            ``(2) Congress from requesting additional information from 
        agencies through reports, briefings, or other means.
``Sec. 3594. Government information sharing and incident response
    ``(a) In General.--
            ``(1) Incident reporting.--Subject to the limitations 
        described in subsection (b), the head of each agency shall 
        provide any information relating to any incident affecting the 
        agency, whether the information is obtained by the Federal 
        Government directly or indirectly, to the Cybersecurity and 
        Infrastructure Security Agency.
            ``(2) Contents.--A provision of information relating to an 
        incident made by the head of an agency under paragraph (1) 
        shall--
                    ``(A) include detailed information about the 
                safeguards that were in place when the incident 
                occurred;
                    ``(B) whether the agency implemented the safeguards 
                described in subparagraph (A) correctly;
                    ``(C) in order to protect against a similar 
                incident, identify--
                            ``(i) how the safeguards described in 
                        subparagraph (A) should be implemented 
                        differently; and
                            ``(ii) additional necessary safeguards; and
                    ``(D) include information to aid in incident 
                response, such as--
                            ``(i) a description of the affected systems 
                        or networks;
                            ``(ii) the estimated dates of when the 
                        incident occurred; and
                            ``(iii) information that could reasonably 
                        help identify the party that conducted the 
                        incident or the cause of the incident, subject 
                        to appropriate privacy protections.
            ``(3) Information sharing.--The Director of the 
        Cybersecurity and Infrastructure Security Agency shall--
                    ``(A) make incident information provided under 
                paragraph (1) available to the Director and the 
                National Cyber Director;
                    ``(B) to the greatest extent practicable, share 
                information relating to an incident with the head of 
                any agency that may be--
                            ``(i) impacted by the incident;
                            ``(ii) similarly susceptible to the 
                        incident; or
                            ``(iii) similarly targeted by the incident; 
                        and
                    ``(C) coordinate any necessary information sharing 
                efforts relating to a major incident with the private 
                sector.
            ``(4) National security systems.--Each agency operating or 
        exercising control of a national security system shall share 
        information about incidents that occur on national security 
        systems with the Director of the Cybersecurity and 
        Infrastructure Security Agency to the extent consistent with 
        standards and guidelines for national security systems issued 
        in accordance with law and as directed by the President.
    ``(b) Compliance.--In providing information and selecting a method 
to provide information under subsection (a), the head of each agency 
shall take into account the level of classification of the information 
and any information sharing limitations and protections, such as 
limitations and protections relating to law enforcement, national 
security, privacy, statistical confidentiality, or other factors 
determined by the Director in order to implement subsection (a)(1) in a 
manner that enables automated and consistent reporting to the greatest 
extent practicable.
    ``(c) Incident Response.--Each agency that has a reasonable basis 
to conclude that a major incident occurred involving Federal 
information in electronic medium or form that does not exclusively 
involve a national security system, regardless of delays from 
notification granted for a major incident that is also a breach, shall 
coordinate with the Cybersecurity and Infrastructure Security Agency to 
facilitate asset response activities and provide recommendations for 
mitigating future incidents.
``Sec. 3595. Responsibilities of contractors and awardees
    ``(a) Reporting.--
            ``(1) In general.--Unless otherwise specified in a 
        contract, grant, cooperative agreement, or an other transaction 
        agreement, any contractor or awardee of an agency shall report 
        to the agency within the same amount of time such agency is 
        required to report an incident to the Cybersecurity and 
        Infrastructure Security Agency, if the contractor or awardee 
        has a reasonable basis to suspect or conclude that--
                    ``(A) an incident or breach has occurred with 
                respect to Federal information collected, used, or 
                maintained by the contractor or awardee in connection 
                with the contract, grant, cooperative agreement, or 
                other transaction agreement of the contractor or 
                awardee;
                    ``(B) an incident or breach has occurred with 
                respect to a Federal information system used or 
                operated by the contractor or awardee in connection 
                with the contract, grant, cooperative agreement, or 
                other transaction agreement of the contractor or 
                awardee; or
                    ``(C) the contractor or awardee has received 
                information from the agency that the contractor or 
                awardee is not authorized to receive in connection with 
                the contract, grant, cooperative agreement, or other 
                transaction agreement of the contractor or awardee.
            ``(2) Procedures.--
                    ``(A) Major incident.--Following a report of a 
                breach or major incident by a contractor or awardee 
                under paragraph (1), the agency, in consultation with 
                the contractor or awardee, shall carry out the 
                requirements under sections 3592, 3593, and 3594 with 
                respect to the major incident.
                    ``(B) Incident.--Following a report of an incident 
                by a contractor or awardee under paragraph (1), an 
                agency, in consultation with the contractor or awardee, 
                shall carry out the requirements under section 3594 
                with respect to the incident.
    ``(b) Effective Date.--This section shall apply--
            ``(1) on and after the date that is 1 year after the date 
        of enactment of the Federal Information Security Modernization 
        Act of 2022; and
            ``(2) with respect to any contract entered into on or after 
        the date described in paragraph (1).
``Sec. 3596. Training
    ``(a) Covered Individual Defined.--In this section, the term 
`covered individual' means an individual who obtains access to Federal 
information or Federal information systems because of the status of the 
individual as an employee, contractor, awardee, volunteer, or intern of 
an agency.
    ``(b) Requirement.--The head of each agency shall develop training 
for covered individuals on how to identify and respond to an incident, 
including--
            ``(1) the internal process of the agency for reporting an 
        incident; and
            ``(2) the obligation of a covered individual to report to 
        the agency a confirmed major incident and any suspected 
        incident involving information in any medium or form, including 
        paper, oral, and electronic.
    ``(c) Inclusion in Annual Training.--The training developed under 
subsection (b) may be included as part of an annual privacy or security 
awareness training of an agency.
``Sec. 3597. Analysis and report on Federal incidents
    ``(a) Analysis of Federal Incidents.--
            ``(1) Quantitative and qualitative analyses.--The Director 
        of the Cybersecurity and Infrastructure Security Agency shall 
        develop, in consultation with the Director and the National 
        Cyber Director, and perform continuous monitoring and 
        quantitative and qualitative analyses of incidents at agencies, 
        including major incidents, including--
                    ``(A) the causes of incidents, including--
                            ``(i) attacker tactics, techniques, and 
                        procedures; and
                            ``(ii) system vulnerabilities, including 
                        zero days, unpatched systems, and information 
                        system misconfigurations;
                    ``(B) the scope and scale of incidents at agencies;
                    ``(C) common root causes of incidents across 
                multiple Federal agencies;
                    ``(D) agency incident response, recovery, and 
                remediation actions and the effectiveness of those 
                actions, as applicable;
                    ``(E) lessons learned and recommendations in 
                responding to, recovering from, remediating, and 
                mitigating future incidents; and
                    ``(F) trends across multiple Federal agencies to 
                address intrusion detection and incident response 
                capabilities using the metrics established under 
                section 224(c) of the Cybersecurity Act of 2015 (6 
                U.S.C. 1522(c)).
            ``(2) Automated analysis.--The analyses developed under 
        paragraph (1) shall, to the greatest extent practicable, use 
        machine readable data, automation, and machine learning 
        processes.
            ``(3) Sharing of data and analysis.--
                    ``(A) In general.--The Director shall share on an 
                ongoing basis the analyses required under this 
                subsection with agencies and the National Cyber 
                Director to--
                            ``(i) improve the understanding of 
                        cybersecurity risk of agencies; and
                            ``(ii) support the cybersecurity 
                        improvement efforts of agencies.
                    ``(B) Format.--In carrying out subparagraph (A), 
                the Director shall share the analyses--
                            ``(i) in human-readable written products; 
                        and
                            ``(ii) to the greatest extent practicable, 
                        in machine-readable formats in order to enable 
                        automated intake and use by agencies.
    ``(b) Annual Report on Federal Incidents.--Not later than 2 years 
after the date of enactment of this section, and not less frequently 
than annually thereafter, the Director of the Cybersecurity and 
Infrastructure Security Agency, in consultation with the Director, the 
National Cyber Director and the heads of other Federal agencies, as 
appropriate, shall submit to the appropriate reporting entities a 
report that includes--
            ``(1) a summary of causes of incidents from across the 
        Federal Government that categorizes those incidents as 
        incidents or major incidents;
            ``(2) the quantitative and qualitative analyses of 
        incidents developed under subsection (a)(1) on an agency-by-
        agency basis and comprehensively across the Federal Government, 
        including--
                    ``(A) a specific analysis of breaches; and
                    ``(B) an analysis of the Federal Government's 
                performance against the metrics established under 
                section 224(c) of the Cybersecurity Act of 2015 (6 
                U.S.C. 1522(c)); and
            ``(3) an annex for each agency that includes--
                    ``(A) a description of each major incident;
                    ``(B) the total number of incidents of the agency; 
                and
                    ``(C) an analysis of the agency's performance 
                against the metrics established under section 224(c) of 
                the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)).
    ``(c) Publication.--
            ``(1) In general.--A version of each report submitted under 
        subsection (b) shall be made publicly available on the website 
        of the Cybersecurity and Infrastructure Security Agency during 
        the year in which the report is submitted.
            ``(2) Exemption.--The Director of the Cybersecurity and 
        Infrastructure Security Agency may exempt all or a portion of a 
        report described in paragraph (1) from public publication if 
        the Director of the Cybersecurity and Infrastructure Security 
        Agency determines the exemption is in the interest of national 
        security.
            ``(3) Limitation on exemption.--An exemption granted under 
        paragraph (2) shall not apply to any version of a report 
        submitted to the appropriate reporting entities under 
        subsection (b).
    ``(d) Information Provided by Agencies.--
            ``(1) In general.--The analysis required under subsection 
        (a) and each report submitted under subsection (b) shall use 
        information provided by agencies under section 3594(a).
            ``(2) Noncompliance reports.--
                    ``(A) In general.--Subject to subparagraph (B), 
                during any year during which the head of an agency does 
                not provide data for an incident to the Cybersecurity 
                and Infrastructure Security Agency in accordance with 
                section 3594(a), the head of the agency, in 
                coordination with the Director of the Cybersecurity and 
                Infrastructure Security Agency and the Director, shall 
                submit to the appropriate reporting entities a report 
                that includes the information described in subsection 
                (b) with respect to the agency.
                    ``(B) Exception for national security systems.--The 
                head of an agency that owns or exercises control of a 
                national security system shall not include data for an 
                incident that occurs on a national security system in 
                any report submitted under subparagraph (A).
            ``(3) National security system reports.--
                    ``(A) In general.--Annually, the head of an agency 
                that operates or exercises control of a national 
                security system shall submit a report that includes the 
                information described in subsection (b) with respect to 
                the national security system to the extent that the 
                submission is consistent with standards and guidelines 
                for national security systems issued in accordance with 
                law and as directed by the President to--
                            ``(i) the majority and minority leaders of 
                        the Senate,
                            ``(ii) the Speaker and minority leader of 
                        the House of Representatives;
                            ``(iii) the Committee on Homeland Security 
                        and Governmental Affairs of the Senate;
                            ``(iv) the Select Committee on Intelligence 
                        of the Senate;
                            ``(v) the Committee on Armed Services of 
                        the Senate;
                            ``(vi) the Committee on Appropriations of 
                        the Senate;
                            ``(vii) the Committee on Oversight and 
                        Reform of the House of Representatives;
                            ``(viii) the Committee on Homeland Security 
                        of the House of Representatives;
                            ``(ix) the Permanent Select Committee on 
                        Intelligence of the House of Representatives;
                            ``(x) the Committee on Armed Services of 
                        the House of Representatives; and
                            ``(xi) the Committee on Appropriations of 
                        the House of Representatives.
                    ``(B) Classified form.--A report required under 
                subparagraph (A) may be submitted in a classified form.
    ``(e) Requirement for Compiling Information.--In publishing the 
public report required under subsection (c), the Director of the 
Cybersecurity and Infrastructure Security Agency shall sufficiently 
compile information such that no specific incident of an agency can be 
identified, except with the concurrence of the Director of the Office 
of Management and Budget and in consultation with the impacted agency.
``Sec. 3598. Major incident definition
    ``(a) In General.--Not later than 180 days after the date of 
enactment of the Federal Information Security Modernization Act of 
2022, the Director, in coordination with the Director of the 
Cybersecurity and Infrastructure Security Agency and the National Cyber 
Director, shall develop and promulgate guidance on the definition of 
the term `major incident' for the purposes of subchapter II and this 
subchapter.
    ``(b) Requirements.--With respect to the guidance issued under 
subsection (a), the definition of the term `major incident' shall--
            ``(1) include, with respect to any information collected or 
        maintained by or on behalf of an agency or an information 
        system used or operated by an agency or by a contractor of an 
        agency or another organization on behalf of an agency--
                    ``(A) any incident the head of the agency 
                determines is likely to have an impact on--
                            ``(i) the national security, homeland 
                        security, or economic security of the United 
                        States; or
                            ``(ii) the civil liberties or public health 
                        and safety of the people of the United States;
                    ``(B) any incident the head of the agency 
                determines likely to result in an inability for the 
                agency, a component of the agency, or the Federal 
                Government, to provide 1 or more critical services;
                    ``(C) any incident that the head of an agency, in 
                consultation with a senior privacy officer of the 
                agency, determines is likely to have a significant 
                privacy impact on 1 or more individual;
                    ``(D) any incident that the head of the agency, in 
                consultation with a senior privacy official of the 
                agency, determines is likely to have a substantial 
                privacy impact on a significant number of individuals;
                    ``(E) any incident the head of the agency 
                determines substantially disrupts the operations of a 
                high value asset owned or operated by the agency;
                    ``(F) any incident involving the exposure of 
                sensitive agency information to a foreign entity, such 
                as the communications of the head of the agency, the 
                head of a component of the agency, or the direct 
                reports of the head of the agency or the head of a 
                component of the agency; and
                    ``(G) any other type of incident determined 
                appropriate by the Director;
            ``(2) stipulate that the National Cyber Director, in 
        consultation with the Director, shall declare a major incident 
        at each agency impacted by an incident if it is determined that 
        an incident--
                    ``(A) occurs at not less than 2 agencies; and
                    ``(B) is enabled by--
                            ``(i) a common technical root cause, such 
                        as a supply chain compromise, a common software 
                        or hardware vulnerability; or
                            ``(ii) the related activities of a common 
                        threat actor; and
            ``(3) stipulate that, in determining whether an incident 
        constitutes a major incident because that incident is any 
        incident described in paragraph (1), the head of the agency 
        shall consult with the National Cyber Director and may consult 
        with the Director of the Cybersecurity and Infrastructure 
        Security Agency.
    ``(c) Significant Number of Individuals.--In determining what 
constitutes a significant number of individuals under subsection 
(b)(1)(D), the Director--
            ``(1) may determine a threshold for a minimum number of 
        individuals that constitutes a significant amount; and
            ``(2) may not determine a threshold described in paragraph 
        (1) that exceeds 5,000 individuals.
    ``(d) Evaluation and Updates.--Not later than 2 years after the 
date of enactment of the Federal Information Security Modernization Act 
of 2022, and not less frequently than every 2 years thereafter, the 
Director shall provide a briefing to the Committee on Homeland Security 
and Governmental Affairs of the Senate and the Committee on Oversight 
and Reform of the House of Representatives, which shall include--
            ``(1) an evaluation of any necessary updates to the 
        guidance issued under subsection (a);
            ``(2) an evaluation of any necessary updates to the 
        definition of the term `major incident' included in the 
        guidance issued under subsection (a); and
            ``(3) an explanation of, and the analysis that led to, the 
        definition described in paragraph (2).''.
            (2) Clerical amendment.--The table of sections for chapter 
        35 of title 44, United States Code, is amended by adding at the 
        end the following:

           ``subchapter iv--federal system incident response

``3591. Definitions
``3592. Notification of breach
``3593. Congressional and Executive Branch reports
``3594. Government information sharing and incident response
``3595. Responsibilities of contractors and awardees
``3596. Training
``3597. Analysis and report on Federal incidents
``3598. Major incident definition''.

SEC. 104. AMENDMENTS TO SUBTITLE III OF TITLE 40.

    (a) Modernizing Government Technology.--Subtitle G of title X of 
Division A of the National Defense Authorization Act for Fiscal Year 
2018 (40 U.S.C. 11301 note) is amended in section 1078--
            (1) by striking subsection (a) and inserting the following:
    ``(a) Definitions.--In this section:
            ``(1) Agency.--The term `agency' has the meaning given the 
        term in section 551 of title 5, United States Code.
            ``(2) High value asset.--The term `high value asset' has 
        the meaning given the term in section 3552 of title 44, United 
        States Code.'';
            (2) in subsection (b), by adding at the end the following:
            ``(8) Proposal evaluation.--The Director shall--
                    ``(A) give consideration for the use of amounts in 
                the Fund to improve the security of high value assets; 
                and
                    ``(B) require that any proposal for the use of 
                amounts in the Fund includes a cybersecurity plan, 
                including a supply chain risk management plan, to be 
                reviewed by the member of the Technology Modernization 
                Board described in subsection (c)(5)(C).''; and
            (3) in subsection (c)--
                    (A) in paragraph (2)(A)(i), by inserting ``, 
                including a consideration of the impact on high value 
                assets'' after ``operational risks'';
                    (B) in paragraph (5)--
                            (i) in subparagraph (A), by striking 
                        ``and'' at the end;
                            (ii) in subparagraph (B), by striking the 
                        period at the end and inserting ``and''; and
                            (iii) by adding at the end the following:
                    ``(C) a senior official from the Cybersecurity and 
                Infrastructure Security Agency of the Department of 
                Homeland Security, appointed by the Director.''; and
                    (C) in paragraph (6)(A), by striking ``shall be--'' 
                and all that follows through ``4 employees'' and 
                inserting ``shall be 4 employees''.
    (b) Subchapter I.--Subchapter I of chapter 113 of subtitle III of 
title 40, United States Code, is amended--
            (1) in section 11302--
                    (A) in subsection (b), by striking ``use, security, 
                and disposal of'' and inserting ``use, and disposal of, 
                and, in consultation with the Director of the 
                Cybersecurity and Infrastructure Security Agency and 
                the National Cyber Director, promote and improve the 
                security of,'';
                    (B) in subsection (c)--
                            (i) in paragraph (3)--
                                    (I) in subparagraph (A)--
                                            (aa) by striking 
                                        ``including data'' and 
                                        inserting ``which shall--
                            ``(i) include data''; and
                                            (bb) by adding at the end 
                                        the following:
                            ``(ii) specifically denote cybersecurity 
                        funding under the risk-based cyber budget model 
                        developed pursuant to section 3553(a)(7) of 
                        title 44.''; and
                                    (II) in subparagraph (B), by adding 
                                at the end the following:
                            ``(iii) The Director shall provide to the 
                        National Cyber Director any cybersecurity 
                        funding information described in subparagraph 
                        (A)(ii) that is provided to the Director under 
                        clause (ii) of this subparagraph.'';
                    (C) in subsection (f)--
                            (i) by striking ``heads of executive 
                        agencies to develop'' and inserting ``heads of 
                        executive agencies to--
            ``(1) develop'';
                            (ii) in paragraph (1), as so designated, by 
                        striking the period at the end and inserting 
                        ``; and''; and
                            (iii) by adding at the end the following:
            ``(2) consult with the Director of the Cybersecurity and 
        Infrastructure Security Agency for the development and use of 
        supply chain security best practices.''; and
                    (D) in subsection (h), by inserting ``, including 
                cybersecurity performances,'' after ``the 
                performances''; and
            (2) in section 11303(b)--
                    (A) in paragraph (2)(B)--
                            (i) in clause (i), by striking ``or'' at 
                        the end;
                            (ii) in clause (ii), by adding ``or'' at 
                        the end; and
                            (iii) by adding at the end the following:
                            ``(iii) whether the function should be 
                        performed by a shared service offered by 
                        another executive agency;''; and
                    (B) in paragraph (5)(B)(i), by inserting ``, while 
                taking into account the risk-based cyber budget model 
                developed pursuant to section 3553(a)(7) of title 44'' 
                after ``title 31''.
    (c) Subchapter II.--Subchapter II of chapter 113 of subtitle III of 
title 40, United States Code, is amended--
            (1) in section 11312(a), by inserting ``, including 
        security risks'' after ``managing the risks'';
            (2) in section 11313(1), by striking ``efficiency and 
        effectiveness'' and inserting ``efficiency, security, and 
        effectiveness'';
            (3) in section 11315, by adding at the end the following:
    ``(d) Component Agency Chief Information Officers.--The Chief 
Information Officer or an equivalent official of a component agency 
shall report to--
            ``(1) the Chief Information Officer designated under 
        section 3506(a)(2) of title 44 or an equivalent official of the 
        agency of which the component agency is a component; and
            ``(2) the head of the component agency.
    ``(e) Reporting Structure Exemption.--
            ``(1) In general.--On annual basis, the Director may exempt 
        any agency from the reporting structure requirements under 
        subsection (d).
            ``(2) Report.--On an annual basis, the Director shall 
        submit to the Committee on Homeland Security and Governmental 
        Affairs of the Senate and the Committee on Oversight and Reform 
        of the House of Representatives a report that includes a list 
        of each exemption granted under paragraph (1) and the 
        associated rationale for each exemption.
            ``(3) Component of other report.--The report required under 
        paragraph (2) may be incorporated into any other annual report 
        required under chapter 35 of title 44, United States Code.'';
            (4) in section 11317, by inserting ``security,'' before 
        ``or schedule''; and
            (5) in section 11319(b)(1), in the paragraph heading, by 
        striking ``CIOS'' and inserting ``Chief information officers''.

SEC. 105. ACTIONS TO ENHANCE FEDERAL INCIDENT TRANSPARENCY.

    (a) Responsibilities of the Cybersecurity and Infrastructure 
Security Agency.--
            (1) In general.--Not later than 180 days after the date of 
        enactment of this Act, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall--
                    (A) develop a plan for the development of the 
                analysis required under section 3597(a) of title 44, 
                United States Code, as added by this title, and the 
                report required under subsection (b) of that section 
                that includes--
                            (i) a description of any challenges the 
                        Director of the Cybersecurity and 
                        Infrastructure Security Agency anticipates 
                        encountering; and
                            (ii) the use of automation and machine-
                        readable formats for collecting, compiling, 
                        monitoring, and analyzing data; and
                    (B) provide to the appropriate congressional 
                committees a briefing on the plan developed under 
                subparagraph (A).
            (2) Briefing.--Not later than 1 year after the date of 
        enactment of this Act, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall provide to the appropriate 
        congressional committees a briefing on--
                    (A) the execution of the plan required under 
                paragraph (1)(A); and
                    (B) the development of the report required under 
                section 3597(b) of title 44, United States Code, as 
                added by this title.
    (b) Responsibilities of the Director of the Office of Management 
and Budget.--
            (1) FISMA.--Section 2 of the Federal Information Security 
        Modernization Act of 2014 (44 U.S.C. 3554 note) is amended--
                    (A) by striking subsection (b); and
                    (B) by redesignating subsections (c) through (f) as 
                subsections (b) through (e), respectively.
            (2) Incident data sharing.--
                    (A) In general.--The Director shall develop 
                guidance, to be updated not less frequently than once 
                every 2 years, on the content, timeliness, and format 
                of the information provided by agencies under section 
                3594(a) of title 44, United States Code, as added by 
                this title.
                    (B) Requirements.--The guidance developed under 
                subparagraph (A) shall--
                            (i) prioritize the availability of data 
                        necessary to understand and analyze--
                                    (I) the causes of incidents;
                                    (II) the scope and scale of 
                                incidents within the environments and 
                                systems of an agency;
                                    (III) a root cause analysis of 
                                incidents that--
                                            (aa) are common across the 
                                        Federal Government; or
                                            (bb) have a Government-wide 
                                        impact;
                                    (IV) agency response, recovery, and 
                                remediation actions and the 
                                effectiveness of those actions; and
                                    (V) the impact of incidents;
                            (ii) enable the efficient development of--
                                    (I) lessons learned and 
                                recommendations in responding to, 
                                recovering from, remediating, and 
                                mitigating future incidents; and
                                    (II) the report on Federal 
                                incidents required under section 
                                3597(b) of title 44, United States 
                                Code, as added by this title;
                            (iii) include requirements for the 
                        timeliness of data production; and
                            (iv) include requirements for using 
                        automation and machine-readable data for data 
                        sharing and availability.
            (3) Guidance on responding to information requests.--Not 
        later than 1 year after the date of enactment of this Act, the 
        Director shall develop guidance for agencies to implement the 
        requirement under section 3594(c) of title 44, United States 
        Code, as added by this title, to provide information to other 
        agencies experiencing incidents.
            (4) Standard guidance and templates.--Not later than 1 year 
        after the date of enactment of this Act, the Director, in 
        consultation with the Director of the Cybersecurity and 
        Infrastructure Security Agency, shall develop guidance and 
        templates, to be reviewed and, if necessary, updated not less 
        frequently than once every 2 years, for use by Federal agencies 
        in the activities required under sections 3592, 3593, and 3596 
        of title 44, United States Code, as added by this title.
            (5) Contractor and awardee guidance.--
                    (A) In general.--Not later than 1 year after the 
                date of enactment of this Act, the Director, in 
                coordination with the Secretary of Homeland Security, 
                the Secretary of Defense, the Administrator of General 
                Services, and the heads of other agencies determined 
                appropriate by the Director, shall issue guidance to 
                Federal agencies on how to deconflict, to the greatest 
                extent practicable, existing regulations, policies, and 
                procedures relating to the responsibilities of 
                contractors and awardees established under section 3595 
                of title 44, United States Code, as added by this 
                title.
                    (B) Existing processes.--To the greatest extent 
                practicable, the guidance issued under subparagraph (A) 
                shall allow contractors and awardees to use existing 
                processes for notifying Federal agencies of incidents 
                involving information of the Federal Government.
            (6) Updated briefings.--Not less frequently than once every 
        2 years, the Director shall provide to the appropriate 
        congressional committees an update on the guidance and 
        templates developed under paragraphs (2) through (4).
    (c) Update to the Privacy Act of 1974.--Section 552a(b) of title 5, 
United States Code (commonly known as the ``Privacy Act of 1974'') is 
amended--
            (1) in paragraph (11), by striking ``or'' at the end;
            (2) in paragraph (12), by striking the period at the end 
        and inserting ``; or''; and
            (3) by adding at the end the following:
            ``(13) to another agency in furtherance of a response to an 
        incident (as defined in section 3552 of title 44) and pursuant 
        to the information sharing requirements in section 3594 of 
        title 44 if the head of the requesting agency has made a 
        written request to the agency that maintains the record 
        specifying the particular portion desired and the activity for 
        which the record is sought.''.

SEC. 106. ADDITIONAL GUIDANCE TO AGENCIES ON FISMA UPDATES.

    Not later than 1 year after the date of enactment of this Act, the 
Director, in consultation with the Director of the Cybersecurity and 
Infrastructure Security Agency, shall issue guidance for agencies on--
            (1) performing the ongoing and continuous agency system 
        risk assessment required under section 3554(a)(1)(A) of title 
        44, United States Code, as amended by this title;
            (2) implementing additional cybersecurity procedures, which 
        shall include resources for shared services;
            (3) establishing a process for providing the status of each 
        remedial action under section 3554(b)(7) of title 44, United 
        States Code, as amended by this title, to the Director and the 
        Cybersecurity and Infrastructure Security Agency using 
        automation and machine-readable data, as practicable, which 
        shall include--
                    (A) specific guidance for the use of automation and 
                machine-readable data; and
                    (B) templates for providing the status of the 
                remedial action; and
            (4) a requirement to coordinate with inspectors general of 
        agencies to ensure consistent understanding and application of 
        agency policies for the purpose of evaluations by inspectors 
        general.

SEC. 107. AGENCY REQUIREMENTS TO NOTIFY PRIVATE SECTOR ENTITIES 
              IMPACTED BY INCIDENTS.

    (a) Definitions.--In this section:
            (1) Reporting entity.--The term ``reporting entity'' means 
        private organization or governmental unit that is required by 
        statute or regulation to submit sensitive information to an 
        agency.
            (2) Sensitive information.--The term ``sensitive 
        information'' has the meaning given the term by the Director in 
        guidance issued under subsection (b).
    (b) Guidance on Notification of Reporting Entities.--Not later than 
180 days after the date of enactment of this Act, the Director shall 
issue guidance requiring the head of each agency to notify a reporting 
entity of an incident that is likely to substantially affect--
            (1) the confidentiality or integrity of sensitive 
        information submitted by the reporting entity to the agency 
        pursuant to a statutory or regulatory requirement; or
            (2) the agency information system or systems used in the 
        transmission or storage of the sensitive information described 
        in paragraph (1).

SEC. 108. MOBILE SECURITY STANDARDS.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, the Director shall--
            (1) evaluate mobile application security guidance 
        promulgated by the Director; and
            (2) issue guidance to secure mobile devices, including for 
        mobile applications, for every agency.
    (b) Contents.--The guidance issued under subsection (a)(2) shall 
include--
            (1) a requirement, pursuant to section 3506(b)(4) of title 
        44, United States Code, for every agency to maintain a 
        continuous inventory of every--
                    (A) mobile device operated by or on behalf of the 
                agency; and
                    (B) vulnerability identified by the agency 
                associated with a mobile device; and
            (2) a requirement for every agency to perform continuous 
        evaluation of the vulnerabilities described in paragraph (1)(B) 
        and other risks associated with the use of applications on 
        mobile devices.
    (c) Information Sharing.--The Director, in coordination with the 
Director of the Cybersecurity and Infrastructure Security Agency, shall 
issue guidance to agencies for sharing the inventory of the agency 
required under subsection (b)(1) with the Director of the Cybersecurity 
and Infrastructure Security Agency, using automation and machine-
readable data to the greatest extent practicable.
    (d) Briefing.--Not later than 60 days after the date on which the 
Director issues guidance under subsection (a)(2), the Director, in 
coordination with the Director of the Cybersecurity and Infrastructure 
Security Agency, shall provide to the appropriate congressional 
committees a briefing on the guidance.

SEC. 109. DATA AND LOGGING RETENTION FOR INCIDENT RESPONSE.

    (a) Recommendations.--Not later than 2 years after the date of 
enactment of this Act, and not less frequently than every 2 years 
thereafter, the Director of the Cybersecurity and Infrastructure 
Security Agency, in consultation with the Attorney General, shall 
submit to the Director recommendations on requirements for logging 
events on agency systems and retaining other relevant data within the 
systems and networks of an agency.
    (b) Contents.--The recommendations provided under subsection (a) 
shall include--
            (1) the types of logs to be maintained;
            (2) the duration that logs and other relevant data should 
        be retained;
            (3) the time periods for agency implementation of 
        recommended logging and security requirements;
            (4) how to ensure the confidentiality, integrity, and 
        availability of logs;
            (5) requirements to ensure that, upon request, in a manner 
        that excludes or otherwise reasonably protects personally 
        identifiable information, and to the extent permitted by 
        applicable law (including privacy and statistical laws), 
        agencies provide logs to--
                    (A) the Director of the Cybersecurity and 
                Infrastructure Security Agency for a cybersecurity 
                purpose; and
                    (B) the Director of the Federal Bureau of 
                Investigation, or the appropriate Federal law 
                enforcement agency, to investigate potential criminal 
                activity; and
            (6) requirements to ensure that, subject to compliance with 
        statistical laws and other relevant data protection 
        requirements, the highest level security operations center of 
        each agency has visibility into all agency logs.
    (c) Guidance.--Not later than 90 days after receiving the 
recommendations submitted under subsection (a), the Director, in 
consultation with the Director of the Cybersecurity and Infrastructure 
Security Agency and the Attorney General, shall, as determined to be 
appropriate by the Director, update guidance to agencies regarding 
requirements for logging, log retention, log management, sharing of log 
data with other appropriate agencies, or any other logging activity 
determined to be appropriate by the Director.
    (d) Sunset.--This section shall cease to have force or effect on 
the date that is 10 years after the date of the enactment of this Act.

SEC. 110. CISA AGENCY ADVISORS.

    (a) In General.--Not later than 120 days after the date of 
enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency shall assign not less than 1 
cybersecurity professional employed by the Cybersecurity and 
Infrastructure Security Agency to be the Cybersecurity and 
Infrastructure Security Agency advisor to the senior agency information 
security officer of each agency.
    (b) Qualifications.--Each advisor assigned under subsection (a) 
shall have knowledge of--
            (1) cybersecurity threats facing agencies, including any 
        specific threats to the assigned agency;
            (2) performing risk assessments of agency systems; and
            (3) other Federal cybersecurity initiatives.
    (c) Duties.--The duties of each advisor assigned under subsection 
(a) shall include--
            (1) providing ongoing assistance and advice, as requested, 
        to the agency Chief Information Officer;
            (2) serving as an incident response point of contact 
        between the assigned agency and the Cybersecurity and 
        Infrastructure Security Agency; and
            (3) familiarizing themselves with agency systems, 
        processes, and procedures to better facilitate support to the 
        agency in responding to incidents.
    (d) Limitation.--An advisor assigned under subsection (a) shall not 
be a contractor.
    (e) Multiple Assignments.--One individual advisor may be assigned 
to multiple agency Chief Information Officers under subsection (a).

SEC. 111. FEDERAL PENETRATION TESTING POLICY.

    (a) In General.--Subchapter II of chapter 35 of title 44, United 
States Code, is amended by adding at the end the following:
``Sec. 3559A. Federal penetration testing
    ``(a) Definitions.--In this section:
            ``(1) Agency operational plan.--The term `agency 
        operational plan' means a plan of an agency for the use of 
        penetration testing.
            ``(2) Rules of engagement.--The term `rules of engagement' 
        means a set of rules established by an agency for the use of 
        penetration testing.
    ``(b) Guidance.--
            ``(1) In general.--The Director, in consultation with the 
        Secretary, acting through the Director of the Cybersecurity and 
        Infrastructure Security Agency, shall issue guidance to 
        agencies that--
                    ``(A) requires agencies to use, when and where 
                appropriate, penetration testing on agency systems by 
                both Federal and non-Federal entities; and
                    ``(B) requires agencies to develop an agency 
                operational plan and rules of engagement that meet the 
                requirements under subsection (c).
            ``(2) Penetration testing guidance.--The guidance issued 
        under this section shall--
                    ``(A) permit an agency to use, for the purpose of 
                performing penetration testing--
                            ``(i) a shared service of the agency or 
                        another agency; or
                            ``(ii) an external entity, such as a 
                        vendor; and
                    ``(B) require agencies to provide the rules of 
                engagement and results of penetration testing to the 
                Director and the Director of the Cybersecurity and 
                Infrastructure Security Agency, without regard to the 
                status of the entity that performs the penetration 
                testing.
    ``(c) Agency Plans and Rules of Engagement.--The agency operational 
plan and rules of engagement of an agency shall--
            ``(1) require the agency to--
                    ``(A) perform penetration testing, including on the 
                high value assets of the agency; or
                    ``(B) coordinate with the Director of the 
                Cybersecurity and Infrastructure Security Agency to 
                ensure that penetration testing is being performed;
            ``(2) establish guidelines for avoiding, as a result of 
        penetration testing--
                    ``(A) adverse impacts to the operations of the 
                agency;
                    ``(B) adverse impacts to operational environments 
                and systems of the agency; and
                    ``(C) inappropriate access to data;
            ``(3) require the results of penetration testing to include 
        feedback to improve the cybersecurity of the agency; and
            ``(4) include mechanisms for providing consistently 
        formatted, and, if applicable, automated and machine-readable, 
        data to the Director and the Director of the Cybersecurity and 
        Infrastructure Security Agency.
    ``(d) Responsibilities of CISA.--The Director of the Cybersecurity 
and Infrastructure Security Agency shall--
            ``(1) establish a process to assess the performance of 
        penetration testing by both Federal and non-Federal entities 
        that establishes minimum quality controls for penetration 
        testing;
            ``(2) develop operational guidance for instituting 
        penetration testing programs at agencies;
            ``(3) develop and maintain a centralized capability to 
        offer penetration testing as a service to Federal and non-
        Federal entities; and
            ``(4) provide guidance to agencies on the best use of 
        penetration testing resources.
    ``(e) Responsibilities of OMB.--The Director, in coordination with 
the Director of the Cybersecurity and Infrastructure Security Agency, 
shall--
            ``(1) not less frequently than annually, inventory all 
        Federal penetration testing assets; and
            ``(2) develop and maintain a standardized process for the 
        use of penetration testing.
    ``(f) Prioritization of Penetration Testing Resources.--
            ``(1) In general.--The Director, in coordination with the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, shall develop a framework for prioritizing Federal 
        penetration testing resources among agencies.
            ``(2) Considerations.--In developing the framework under 
        this subsection, the Director shall consider--
                    ``(A) agency system risk assessments performed 
                under section 3554(a)(1)(A);
                    ``(B) the Federal risk assessment performed under 
                section 3553(i);
                    ``(C) the analysis of Federal incident data 
                performed under section 3597; and
                    ``(D) any other information determined appropriate 
                by the Director or the Director of the Cybersecurity 
                and Infrastructure Security Agency.
    ``(g) Exception for National Security Systems.--The guidance issued 
under subsection (b) shall not apply to national security systems.
    ``(h) Delegation of Authority for Certain Systems.--The authorities 
of the Director described in subsection (b) shall be delegated--
            ``(1) to the Secretary of Defense in the case of systems 
        described in section 3553(e)(2); and
            ``(2) to the Director of National Intelligence in the case 
        of systems described in 3553(e)(3).''.
    (b) Deadline for Guidance.--Not later than 180 days after the date 
of enactment of this Act, the Director shall issue the guidance 
required under section 3559A(b) of title 44, United States Code, as 
added by subsection (a).
    (c) Clerical Amendment.--The table of sections for chapter 35 of 
title 44, United States Code, is amended by adding after the item 
relating to section 3559 the following:

``3559A. Federal penetration testing.''.
    (d) Sunset.--
            (1) In general.--Effective on the date that is 10 years 
        after the date of enactment of this Act, subchapter II of 
        chapter 35 of title 44, United States Code, is amended by 
        striking section 3559A.
            (2) Clerical amendment.--Effective on the date that is 10 
        years after the date of enactment of this Act, the table of 
        sections for chapter 35 of title 44, United States Code, is 
        amended by striking the item relating to section 3559A.

SEC. 112. ONGOING THREAT HUNTING PROGRAM.

    (a) Threat Hunting Program.--
            (1) In general.--Not later than 540 days after the date of 
        enactment of this Act, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall establish a program to 
        provide ongoing, hypothesis-driven threat-hunting services on 
        the network of each agency.
            (2) Plan.--Not later than 180 days after the date of 
        enactment of this Act, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall develop a plan to 
        establish the program required under paragraph (1) that 
        describes how the Director of the Cybersecurity and 
        Infrastructure Security Agency plans to--
                    (A) determine the method for collecting, storing, 
                accessing, analyzing, and safeguarding appropriate 
                agency data;
                    (B) provide on-premises support to agencies;
                    (C) staff threat hunting services;
                    (D) allocate available human and financial 
                resources to implement the plan; and
                    (E) provide input to the heads of agencies on the 
                use of additional cybersecurity procedures under 
                section 3554 of title 44, United States Code.
    (b) Reports.--The Director of the Cybersecurity and Infrastructure 
Security Agency shall submit to the appropriate congressional 
committees--
            (1) not later than 30 days after the date on which the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency completes the plan required under subsection (a)(2), a 
        report on the plan to provide threat hunting services to 
        agencies;
            (2) not less than 30 days before the date on which the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency begins providing threat hunting services under the 
        program under subsection (a)(1), a report providing any updates 
        to the plan developed under subsection (a)(2); and
            (3) not later than 1 year after the date on which the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency begins providing threat hunting services to agencies 
        other than the Cybersecurity and Infrastructure Security 
        Agency, a report describing lessons learned from providing 
        those services.

SEC. 113. CODIFYING VULNERABILITY DISCLOSURE PROGRAMS.

    (a) In General.--Chapter 35 of title 44, United States Code, is 
amended by inserting after section 3559A, as added by section 111 of 
this title, the following:
``Sec. 3559B. Federal vulnerability disclosure programs
    ``(a) Purpose; Sense of Congress.--
            ``(1) Purpose.--The purpose of Federal vulnerability 
        disclosure programs is to create a mechanism to use the 
        expertise of the public to provide a service to Federal 
        agencies by identifying information system vulnerabilities.
            ``(2) Sense of congress.--It is the sense of Congress that, 
        in implementing the requirements of this section, the Federal 
        Government should take appropriate steps to reduce real and 
        perceived burdens in communications between agencies and 
        security researchers.
    ``(b) Definitions.--In this section:
            ``(1) Report.--The term `report' means a vulnerability 
        disclosure made to an agency by a reporter.
            ``(2) Reporter.--The term `reporter' means an individual 
        that submits a vulnerability report pursuant to the 
        vulnerability disclosure process of an agency.
    ``(c) Responsibilities of OMB.--
            ``(1) Limitation on legal action.--The Director, in 
        consultation with the Attorney General, shall issue guidance to 
        agencies to not recommend or pursue legal action against a 
        reporter or an individual that conducts a security research 
        activity that the head of the agency determines--
                    ``(A) represents a good faith effort to follow the 
                vulnerability disclosure policy of the agency developed 
                under subsection (e)(2); and
                    ``(B) is authorized under the vulnerability 
                disclosure policy of the agency developed under 
                subsection (e)(2).
            ``(2) Sharing information with cisa.--The Director, in 
        coordination with the Director of the Cybersecurity and 
        Infrastructure Security Agency and in consultation with the 
        National Cyber Director, shall issue guidance to agencies on 
        sharing relevant information in a consistent, automated, and 
        machine readable manner with the Director of the Cybersecurity 
        and Infrastructure Security Agency, including--
                    ``(A) any valid or credible reports of newly 
                discovered or not publicly known vulnerabilities 
                (including misconfigurations) on Federal information 
                systems that use commercial software or services;
                    ``(B) information relating to vulnerability 
                disclosure, coordination, or remediation activities of 
                an agency, particularly as those activities relate to 
                outside organizations--
                            ``(i) with which the head of the agency 
                        believes the Director of the Cybersecurity and 
                        Infrastructure Security Agency can assist; or
                            ``(ii) about which the head of the agency 
                        believes the Director of the Cybersecurity and 
                        Infrastructure Security Agency should know; and
                    ``(C) any other information with respect to which 
                the head of the agency determines helpful or necessary 
                to involve the Director of the Cybersecurity and 
                Infrastructure Security Agency.
            ``(3) Agency vulnerability disclosure policies.--The 
        Director shall issue guidance to agencies on the required 
        minimum scope of agency systems covered by the vulnerability 
        disclosure policy of an agency required under subsection 
        (e)(2).
    ``(d) Responsibilities of CISA.--The Director of the Cybersecurity 
and Infrastructure Security Agency shall--
            ``(1) provide support to agencies with respect to the 
        implementation of the requirements of this section;
            ``(2) develop tools, processes, and other mechanisms 
        determined appropriate to offer agencies capabilities to 
        implement the requirements of this section; and
            ``(3) upon a request by an agency, assist the agency in the 
        disclosure to vendors of newly identified vulnerabilities in 
        vendor products and services.
    ``(e) Responsibilities of Agencies.--
            ``(1) Public information.--The head of each agency shall 
        make publicly available, with respect to each internet domain 
        under the control of the agency that is not a national security 
        system--
                    ``(A) an appropriate security contact; and
                    ``(B) the component of the agency that is 
                responsible for the internet accessible services 
                offered at the domain.
            ``(2) Vulnerability disclosure policy.--The head of each 
        agency shall develop and make publicly available a 
        vulnerability disclosure policy for the agency, which shall--
                    ``(A) describe--
                            ``(i) the scope of the systems of the 
                        agency included in the vulnerability disclosure 
                        policy;
                            ``(ii) the type of information system 
                        testing that is authorized by the agency;
                            ``(iii) the type of information system 
                        testing that is not authorized by the agency; 
                        and
                            ``(iv) the disclosure policy of the agency 
                        for sensitive information;
                    ``(B) with respect to a report to an agency, 
                describe--
                            ``(i) how the reporter should submit the 
                        report; and
                            ``(ii) if the report is not anonymous, when 
                        the reporter should anticipate an 
                        acknowledgment of receipt of the report by the 
                        agency;
                    ``(C) include any other relevant information; and
                    ``(D) be mature in scope and cover every internet 
                accessible Federal information system used or operated 
                by that agency or on behalf of that agency.
            ``(3) Identified vulnerabilities.--The head of each agency 
        shall incorporate any vulnerabilities reported under paragraph 
        (2) into the vulnerability management process of the agency in 
        order to track and remediate the vulnerability.
    ``(f) Congressional Reporting.--Not later than 90 days after the 
date of enactment of the Federal Information Security Modernization Act 
of 2022, and annually thereafter for a 3-year period, the Director of 
the Cybersecurity and Infrastructure Security Agency, in consultation 
with the Director, shall provide to the Committee on Homeland Security 
and Governmental Affairs of the Senate and the Committee on Oversight 
and Reform of the House of Representatives a briefing on the status of 
the use of vulnerability disclosure policies under this section at 
agencies, including, with respect to the guidance issued under 
subsection (c)(3), an identification of the agencies that are compliant 
and not compliant.
    ``(g) Exemptions.--The authorities and functions of the Director 
and Director of the Cybersecurity and Infrastructure Security Agency 
under this section shall not apply to national security systems.
    ``(h) Delegation of Authority for Certain Systems.--The authorities 
of the Director and the Director of the Cybersecurity and 
Infrastructure Security Agency described in this section shall be 
delegated--
            ``(1) to the Secretary of Defense in the case of systems 
        described in section 3553(e)(2); and
            ``(2) to the Director of National Intelligence in the case 
        of systems described in section 3553(e)(3).''.
    (b) Clerical Amendment.--The table of sections for chapter 35 of 
title 44, United States Code, is amended by adding after the item 
relating to section 3559A, as added by section 111, the following:

``3559B. Federal vulnerability disclosure programs.''.
    (c) Sunset.--
            (1) In general.--Effective on the date that is 10 years 
        after the date of enactment of this Act, subchapter II of 
        chapter 35 of title 44, United States Code, is amended by 
        striking section 3559B.
            (2) Clerical amendment.--Effective on the date that is 10 
        years after the date of enactment of this Act, the table of 
        sections for chapter 35 of title 44, United States Code, is 
        amended by striking the item relating to section 3559B.

SEC. 114. IMPLEMENTING ZERO TRUST ARCHITECTURE.

    (a) Guidance.--Not later than 18 months after the date of enactment 
of this Act, the Director shall provide an update to the appropriate 
congressional committees on progress in increasing the internal 
defenses of agency systems, including--
            (1) shifting away from ``trusted networks'' to implement 
        security controls based on a presumption of compromise;
            (2) implementing principles of least privilege in 
        administering information security programs;
            (3) limiting the ability of entities that cause incidents 
        to move laterally through or between agency systems;
            (4) identifying incidents quickly;
            (5) isolating and removing unauthorized entities from 
        agency systems as quickly as practicable, accounting for 
        intelligence or law enforcement purposes;
            (6) otherwise increasing the resource costs for entities 
        that cause incidents to be successful; and
            (7) a summary of the agency progress reports required under 
        subsection (b).
    (b) Agency Progress Reports.--Not later than 270 days after the 
date of enactment of this Act, the head of each agency shall submit to 
the Director a progress report on implementing an information security 
program based on the presumption of compromise and least privilege 
principles, which shall include--
            (1) a description of any steps the agency has completed, 
        including progress toward achieving requirements issued by the 
        Director, including the adoption of any models or reference 
        architecture;
            (2) an identification of activities that have not yet been 
        completed and that would have the most immediate security 
        impact; and
            (3) a schedule to implement any planned activities.

SEC. 115. AUTOMATION REPORTS.

    (a) OMB Report.--Not later than 180 days after the date of 
enactment of this Act, the Director shall provide to the appropriate 
congressional committees an update on the use of automation under 
paragraphs (1), (5)(C), and (8)(B) of section 3554(b) of title 44, 
United States Code.
    (b) GAO Report.--Not later than 1 year after the date of enactment 
of this Act, the Comptroller General of the United States shall perform 
a study on the use of automation and machine readable data across the 
Federal Government for cybersecurity purposes, including the automated 
updating of cybersecurity tools, sensors, or processes by agencies.

SEC. 116. EXTENSION OF FEDERAL ACQUISITION SECURITY COUNCIL AND 
              SOFTWARE INVENTORY.

    (a) Extension.--Section 1328 of title 41, United States Code, is 
amended by striking ``the date that'' and all that follows and 
inserting ``December 31, 2026.''.
    (b) Requirement.--Subsection 1326(b) of title 41, United States 
Code, is amended--
            (1) in paragraph (5), by striking ``and'' at the end;
            (2) by redesignating paragraph (6) as paragraph (7); and
            (3) by inserting after paragraph (5) the following:
            ``(6) maintaining an up-to-date and accurate inventory of 
        software in use by the agency and, if available and applicable, 
        the components of such software, that can be communicated at 
        the request of the Federal Acquisition Security Council, the 
        National Cyber Director, or the Secretary of Homeland Security, 
        acting through the Director of Cybersecurity and Infrastructure 
        Security Agency; and''.

SEC. 117. COUNCIL OF THE INSPECTORS GENERAL ON INTEGRITY AND EFFICIENCY 
              DASHBOARD.

    (a) Dashboard Required.--Section 11(e)(2) of the Inspector General 
Act of 1978 (5 U.S.C. App.) is amended--
            (1) in subparagraph (A), by striking ``and'' at the end;
            (2) by redesignating subparagraph (B) as subparagraph (C); 
        and
            (3) by inserting after subparagraph (A) the following:
                    ``(B) that shall include a dashboard of open 
                information security recommendations identified in the 
                independent evaluations required by section 3555(a) of 
                title 44, United States Code; and''.

SEC. 118. QUANTITATIVE CYBERSECURITY METRICS.

    (a) Definition of Covered Metrics.--In this section, the term 
``covered metrics'' means the metrics established, reviewed, and 
updated under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 
1522(c)).
    (b) Updating and Establishing Metrics.--Not later than 1 year after 
the date of enactment of this Act, and as appropriate thereafter, the 
Director of the Cybersecurity and Infrastructure Security Agency, in 
coordination with the Director, shall--
            (1) evaluate any covered metrics established as of the date 
        of enactment of this Act; and
            (2) as appropriate and pursuant to section 224(c) of the 
        Cybersecurity Act of 2015 (6 U.S.C. 1522(c)) update or 
        establish new covered metrics.
    (c) Implementation.--
            (1) In general.--Not later than 540 days after the date of 
        enactment of this Act, the Director, in coordination with the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, shall promulgate guidance that requires each agency to 
        use covered metrics to track trends in the cybersecurity and 
        incident response capabilities of the agency.
            (2) Performance demonstration.--The guidance issued under 
        paragraph (1) and any subsequent guidance shall require 
        agencies to share with the Director of the Cybersecurity and 
        Infrastructure Security Agency data demonstrating the 
        performance of the agency using the covered metrics included in 
        the guidance.
            (3) Penetration tests.--On not less than 2 occasions during 
        the 2-year period following the date on which guidance is 
        promulgated under paragraph (1), the Director shall ensure that 
        not less than 3 agencies are subjected to substantially similar 
        penetration tests, as determined by the Director, in 
        coordination with the Director of the Cybersecurity and 
        Infrastructure Security Agency, in order to validate the 
        utility of the covered metrics.
            (4) Analysis capacity.--The Director of the Cybersecurity 
        and Infrastructure Security Agency shall develop a capability 
        that allows for the analysis of the covered metrics, including 
        cross-agency performance of agency cybersecurity and incident 
        response capability trends.
            (5) Time-based metric.--With respect the first update or 
        establishment of covered metrics required under subsection 
        (b)(2), the Director of the Cybersecurity and Infrastructure 
        Security Agency shall establish covered metrics that include 
        not less than 1 metric addressing the time it takes for 
        agencies to identify and respond to incidents.
    (d) Congressional Reports.--Not later than 1 year after the date of 
enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency, in coordination with the Director, 
shall submit to the appropriate congressional committees a report on 
the utility and use of the covered metrics.

SEC. 119. ESTABLISHMENT OF RISK-BASED BUDGET MODEL.

    (a) Definitions.--In this section:
            (1) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Homeland Security and 
                Governmental Affairs and the Committee on 
                Appropriations of the Senate; and
                    (B) the Committee on Oversight and Reform, the 
                Committee on Homeland Security, and the Committee on 
                Appropriations of the House of Representatives.
            (2) Covered agency.--The term ``covered agency'' has the 
        meaning given the term ``executive agency'' in section 133 of 
        title 41, United States Code.
            (3) Director.--The term ``Director'' means the Director of 
        the Office of Management and Budget.
            (4) Information technology.--The term ``information 
        technology''--
                    (A) has the meaning given the term in section 11101 
                of title 40, United States Code; and
                    (B) includes the hardware and software systems of a 
                Federal agency that monitor and control physical 
                equipment and processes of the Federal agency.
            (5) Risk-based budget.--The term ``risk-based budget'' 
        means a budget--
                    (A) developed by identifying and prioritizing 
                cybersecurity risks and vulnerabilities, including 
                impact on agency operations in the case of a cyber 
                attack, through analysis of cyber threat intelligence, 
                incident data, and tactics, techniques, procedures, and 
                capabilities of cyber threats; and
                    (B) that allocates resources based on the risks 
                identified and prioritized under subparagraph (A).
    (b) Establishment of Risk-based Budget Model.--
            (1) In general.--
                    (A) Model.--Not later than 1 year after the first 
                publication of the budget submitted by the President 
                under section 1105 of title 31, United States Code, 
                following the date of enactment of this Act, the 
                Director, in consultation with the Director of the 
                Cybersecurity and Infrastructure Security Agency and 
                the National Cyber Director and in coordination with 
                the Director of the National Institute of Standards and 
                Technology, shall develop a standard model for 
                informing a risk-based budget for cybersecurity 
                spending.
                    (B) Responsibility of director.--Section 3553(a) of 
                title 44, United States Code, as amended by section 103 
                of this title, is further amended by inserting after 
                paragraph (6) the following:
            ``(7) developing a standard risk-based budget model to 
        inform Federal agency cybersecurity budget development; and''.
                    (C) Contents of model.--The model required to be 
                developed under subparagraph (A) shall utilize 
                appropriate information to evaluate risk, including, as 
                determined appropriate by the Director--
                            (i) Federal and non-Federal cyber threat 
                        intelligence products, where available, to 
                        identify threats, vulnerabilities, and risks;
                            (ii) analysis of the impact of agency 
                        operations of compromise of systems, including 
                        the interconnectivity to other agency systems 
                        and the operations of other agencies; and
                            (iii) to the greatest extent practicable, 
                        analysis of where resources should be allocated 
                        to have the greatest impact on mitigating 
                        current and future threats and current and 
                        future cybersecurity capabilities.
                    (D) Use of model.--The model required to be 
                developed under subparagraph (A) shall be used to--
                            (i) inform acquisition and sustainment of--
                                    (I) information technology and 
                                cybersecurity tools;
                                    (II) information technology and 
                                cybersecurity architectures;
                                    (III) information technology and 
                                cybersecurity personnel; and
                                    (IV) cybersecurity and information 
                                technology concepts of operations; and
                            (ii) evaluate and inform Government-wide 
                        cybersecurity programs.
                    (E) Model variation.--The Director may develop 
                multiple models under subparagraph (A) based on 
                different agency characteristics, such as size or 
                cybersecurity maturity.
                    (F) Required updates.--Not less frequently than 
                once every 3 years, the Director shall review, and 
                update as necessary, the model required to be developed 
                under subparagraph (A).
                    (G) Publication.--Not earlier than 5 years after 
                the date on which the model developed under 
                subparagraph (A) is completed, the Director shall, 
                taking into account any classified or sensitive 
                information, publish the model, and any updates 
                necessary under subparagraph (F), on the public website 
                of the Office of Management and Budget.
                    (H) Reports.--Not later than 2 years after the 
                first publication of the budget submitted by the 
                President under section 1105 of title 31, United States 
                Code, following the date of enactment of this Act, and 
                annually thereafter for each of the 2 following fiscal 
                years or until the date on which the model required to 
                be developed under subparagraph (A) is completed, 
                whichever is sooner, the Director shall submit to the 
                appropriate congressional committees a report on the 
                development of the model.
            (2) Phased implementation of risk-based budget model.--
                    (A) Initial phase.--
                            (i) In general.--Not later than 2 years 
                        after the date on which the model developed 
                        under paragraph (1) is completed, the Director 
                        shall require not less than 5 covered agencies 
                        to use the model to inform the development of 
                        the annual cybersecurity and information 
                        technology budget requests of those covered 
                        agencies.
                            (ii) Briefing.--Not later than 1 year after 
                        the date on which the covered agencies selected 
                        under clause (i) begin using the model 
                        developed under paragraph (1), the Director 
                        shall provide to the appropriate congressional 
                        committees a briefing on implementation of 
                        risk-based budgeting for cybersecurity 
                        spending, an assessment of agency 
                        implementation, and an evaluation of whether 
                        the risk-based budget helps to mitigate 
                        cybersecurity vulnerabilities.
                    (B) Full deployment.--Not later than 5 years after 
                the date on which the model developed under paragraph 
                (1) is completed, the head of each covered agency shall 
                use the model, or any updated model pursuant to 
                paragraph (1)(F), to the greatest extent practicable, 
                to inform the development of the annual cybersecurity 
                and information technology budget requests of the 
                covered agency.
                    (C) Agency performance plans.--
                            (i) Amendment.--Section 3554(d)(2) of title 
                        44, United States Code, is amended by inserting 
                        ``and the risk-based budget model required 
                        under section 3553(a)(7)'' after ``paragraph 
                        (1)''.
                            (ii) Effective date.--The amendment made by 
                        clause (i) shall take effect on the date that 
                        is 5 years after the date on which the model 
                        developed under paragraph (1) is completed.
            (3) Verification.--
                    (A) In general.--Section 1105(a)(35)(A)(i) of title 
                31, United States Code, is amended--
                            (i) in the matter preceding subclause (I), 
                        by striking ``by agency, and by initiative area 
                        (as determined by the administration)'' and 
                        inserting ``and by agency'';
                            (ii) in subclause (III), by striking 
                        ``and'' at the end; and
                            (iii) by adding at the end the following:
                                    ``(V) a validation that the budgets 
                                submitted were informed by using a 
                                risk-based methodology; and
                                    ``(VI) a report on the progress of 
                                each agency on closing recommendations 
                                identified under the independent 
                                evaluation required by section 
                                3555(a)(1) of title 44.''.
                    (B) Effective date.--The amendments made by 
                subparagraph (A) shall take effect on the date that is 
                5 years after the date on which the model developed 
                under paragraph (1) is completed.
            (4) Reports.--
                    (A) Independent evaluation.--Section 3555(a)(2) of 
                title 44, United States Code, is amended--
                            (i) in subparagraph (B), by striking 
                        ``and'' at the end;
                            (ii) in subparagraph (C), by striking the 
                        period at the end and inserting ``; and''; and
                            (iii) by adding at the end the following:
                    ``(D) an assessment of how the agency was informed 
                by the risk-based budget model required under section 
                3553(a)(7) and an evaluation of whether the model 
                mitigates agency cyber vulnerabilities.''.
                    (B) Assessment.--
                            (i) Amendment.--Section 3553(c) of title 
                        44, United States Code, as amended by section 
                        103 of this title, is further amended by 
                        inserting after paragraph (5) the following:
            ``(6) an assessment of--
                    ``(A) Federal agency utilization of the model 
                required under subsection (a)(7); and
                    ``(B) whether the model mitigates the cyber 
                vulnerabilities of the Federal Government.''.
                            (ii) Effective date.--The amendment made by 
                        clause (i) shall take effect on the date that 
                        is 5 years after the date on which the model 
                        developed under paragraph (1) is completed.
            (5) GAO report.--Not later than 3 years after the date on 
        which the first budget of the President is submitted to 
        Congress containing the validation required under section 
        1105(a)(35)(A)(i)(V) of title 31, United States Code, as 
        amended by paragraph (3), the Comptroller General of the United 
        States shall submit to the appropriate congressional committees 
        a report that includes--
                    (A) an evaluation of the success of covered 
                agencies in utilizing the risk-based budget model;
                    (B) an evaluation of the success of covered 
                agencies in implementing risk-based budgets;
                    (C) an evaluation of whether the risk-based budgets 
                developed by covered agencies are effective at 
                informing Federal Government-wide cybersecurity 
                programs; and
                    (D) any other information relating to risk-based 
                budgets the Comptroller General determines appropriate.

SEC. 120. ACTIVE CYBER DEFENSIVE STUDY.

    (a) Definition.--In this section, the term ``active defense 
technique''--
            (1) means an action taken on the systems of an entity to 
        increase the security of information on the network of an 
        agency by misleading an adversary; and
            (2) includes a honeypot, deception, or purposefully feeding 
        false or misleading data to an adversary when the adversary is 
        on the systems of the entity.
    (b) Study.--Not later than 180 days after the date of enactment of 
this Act, the Director of the Cybersecurity and Infrastructure Security 
Agency, in coordination with the Director and the National Cyber 
Director, shall perform a study on the use of active defense techniques 
to enhance the security of agencies, which shall include--
            (1) a review of legal restrictions on the use of different 
        active cyber defense techniques in Federal environments, in 
        consultation with the Department of Justice;
            (2) an evaluation of--
                    (A) the efficacy of a selection of active defense 
                techniques determined by the Director of the 
                Cybersecurity and Infrastructure Security Agency; and
                    (B) factors that impact the efficacy of the active 
                defense techniques evaluated under subparagraph (A);
            (3) recommendations on safeguards and procedures that shall 
        be established to require that active defense techniques are 
        adequately coordinated to ensure that active defense techniques 
        do not impede agency operations and mission delivery, threat 
        response efforts, criminal investigations, and national 
        security activities, including intelligence collection; and
            (4) the development of a framework for the use of different 
        active defense techniques by agencies.

SEC. 121. SECURITY OPERATIONS CENTER AS A SERVICE PILOT.

    (a) Purpose.--The purpose of this section is for the Cybersecurity 
and Infrastructure Security Agency to run a security operation center 
on behalf of another agency, alleviating the need to duplicate this 
function at every agency, and empowering a greater centralized 
cybersecurity capability.
    (b) Plan.--Not later than 1 year after the date of enactment of 
this Act, the Director of the Cybersecurity and Infrastructure Security 
Agency shall develop a plan to establish a centralized Federal security 
operations center shared service offering within the Cybersecurity and 
Infrastructure Security Agency.
    (c) Contents.--The plan required under subsection (b) shall include 
considerations for--
            (1) collecting, organizing, and analyzing agency 
        information system data in real time;
            (2) staffing and resources; and
            (3) appropriate interagency agreements, concepts of 
        operations, and governance plans.
    (d) Pilot Program.--
            (1) In general.--Not later than 180 days after the date on 
        which the plan required under subsection (b) is developed, the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, in consultation with the Director, shall enter into a 
        1-year agreement with not less than 2 agencies to offer a 
        security operations center as a shared service.
            (2) Additional agreements.--After the date on which the 
        briefing required under subsection (e)(1) is provided, the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, in consultation with the Director, may enter into 
        additional 1-year agreements described in paragraph (1) with 
        agencies.
    (e) Briefing and Report.--
            (1) Briefing.--Not later than 270 days after the date of 
        enactment of this Act, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall provide to the Committee 
        on Homeland Security and Governmental Affairs of the Senate and 
        the Committee on Homeland Security and the Committee on 
        Oversight and Reform of the House of Representatives a briefing 
        on the parameters of any 1-year agreements entered into under 
        subsection (d)(1).
            (2) Report.--Not later than 90 days after the date on which 
        the first 1-year agreement entered into under subsection (d) 
        expires, the Director of the Cybersecurity and Infrastructure 
        Security Agency shall submit to the Committee on Homeland 
        Security and Governmental Affairs of the Senate and the 
        Committee on Homeland Security and the Committee on Oversight 
        and Reform of the House of Representatives a report on--
                    (A) the agreement; and
                    (B) any additional agreements entered into with 
                agencies under subsection (d).

SEC. 122. EXTENSION OF CHIEF DATA OFFICER COUNCIL.

    Section 3520A(e)(2) of title 44, United States Code, is amended by 
striking ``upon the expiration of the 2-year period that begins on the 
date the Comptroller General submits the report under paragraph (1) to 
Congress'' and inserting ``January 31, 2030''.

SEC. 123. FEDERAL CYBERSECURITY REQUIREMENTS.

    (a) Exemption From Federal Requirements.--Section 225(b)(2) of the 
Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1523(b)(2)) is 
amended to read as follows:
            ``(2) Exception.--
                    ``(A) In general.--A particular requirement under 
                paragraph (1) shall not apply to an agency information 
                system of an agency if--
                            ``(i) with respect to the agency 
                        information system, the head of the agency 
                        submits to the Director an application for an 
                        exemption from the particular requirement, in 
                        which the head of the agency personally 
                        certifies to the Director with particularity 
                        that--
                                    ``(I) operational requirements 
                                articulated in the certification and 
                                related to the agency information 
                                system would make it excessively 
                                burdensome to implement the particular 
                                requirement;
                                    ``(II) the particular requirement 
                                is not necessary to secure the agency 
                                information system or agency 
                                information stored on or transiting the 
                                agency information system; and
                                    ``(III) the agency has taken all 
                                necessary steps to secure the agency 
                                information system and agency 
                                information stored on or transiting the 
                                agency information system;
                            ``(ii) the head of the agency or the 
                        designee of the head of the agency has 
                        submitted the certification described in clause 
                        (i) to the appropriate congressional committees 
                        and any other congressional committee with 
                        jurisdiction over the agency; and
                            ``(iii) the Director grants the exemption 
                        from the particular requirement.
                    ``(B) Duration of exemption.--
                            ``(i) In general.--An exemption granted 
                        under subparagraph (A) shall expire on the date 
                        that is 1 year after the date on which the 
                        Director granted the exemption.
                            ``(ii) Renewal.--Upon the expiration of an 
                        exemption granted to an agency under 
                        subparagraph (A), the head of the agency may 
                        apply for an additional exemption.''.
    (b) Report on Exemptions.--Section 3554(c)(1) of title 44, United 
States Code, as amended by section 103(c) of this title, is amended--
            (1) in subparagraph (C), by striking ``and'' at the end;
            (2) in subparagraph (D), by striking the period at the end 
        and inserting ``; and''; and
            (3) by adding at the end the following:
                    ``(E) with respect to any exemption the Director of 
                the Office of Management and Budget has granted the 
                agency under section 225(b)(2) of the Federal 
                Cybersecurity Enhancement Act of 2015 (6 U.S.C. 
                1523(b)(2)) that is effective on the date of submission 
                of the report--
                            ``(i) an identification of each particular 
                        requirement from which any agency information 
                        system (as defined in section 2210 of the 
                        Homeland Security Act of 2002 (6 U.S.C. 660)) 
                        is exempted; and
                            ``(ii) for each requirement identified 
                        under clause (i)--
                                    ``(I) an identification of the 
                                agency information system described in 
                                clause (i) exempted from the 
                                requirement; and
                                    ``(II) an estimate of the date on 
                                which the agency will to be able to 
                                comply with the requirement.''.
    (c) Effective Date.--The amendments made by this section shall take 
effect on the date that is 1 year after the date of enactment of this 
Act.

 TITLE II--CYBER INCIDENT REPORTING FOR CRITICAL INFRASTRUCTURE ACT OF 
                                  2022

SEC. 201. SHORT TITLE.

    This title may be cited as the ``Cyber Incident Reporting for 
Critical Infrastructure Act of 2022''.

SEC. 202. DEFINITIONS.

    In this title:
            (1) Covered cyber incident; covered entity; cyber incident; 
        information system; ransom payment; ransomware attack; security 
        vulnerability.--The terms ``covered cyber incident'', ``covered 
        entity'', ``cyber incident'', ``information system'', ``ransom 
        payment'', ``ransomware attack'', and ``security 
        vulnerability'' have the meanings given those terms in section 
        2240 of the Homeland Security Act of 2002, as added by section 
        203 of this title.
            (2) Director.--The term ``Director'' means the Director of 
        the Cybersecurity and Infrastructure Security Agency.

SEC. 203. CYBER INCIDENT REPORTING.

    (a) Cyber Incident Reporting.--Title XXII of the Homeland Security 
Act of 2002 (6 U.S.C. 651 et seq.) is amended--
            (1) in section 2209(c) (6 U.S.C. 659(c))--
                    (A) in paragraph (11), by striking ``; and'' and 
                inserting a semicolon;
                    (B) in paragraph (12), by striking the period at 
                the end and inserting ``; and''; and
                    (C) by adding at the end the following:
            ``(13) receiving, aggregating, and analyzing reports 
        related to covered cyber incidents (as defined in section 2240) 
        submitted by covered entities (as defined in section 2240) and 
        reports related to ransom payments (as defined in section 2240) 
        submitted by covered entities (as defined in section 2240) in 
        furtherance of the activities specified in sections 2202(e), 
        2203, and 2241, this subsection, and any other authorized 
        activity of the Director, to enhance the situational awareness 
        of cybersecurity threats across critical infrastructure 
        sectors.''; and
            (2) by adding at the end the following:

                 ``Subtitle D--Cyber Incident Reporting

``SEC. 2240. DEFINITIONS.

    ``In this subtitle:
            ``(1) Center.--The term `Center' means the center 
        established under section 2209.
            ``(2) Cloud service provider.--The term `cloud service 
        provider' means an entity offering products or services related 
        to cloud computing, as defined by the National Institute of 
        Standards and Technology in NIST Special Publication 800-145 
        and any amendatory or superseding document relating thereto.
            ``(3) Council.--The term `Council' means the Cyber Incident 
        Reporting Council described in section 2246.
            ``(4) Covered cyber incident.--The term `covered cyber 
        incident' means a substantial cyber incident experienced by a 
        covered entity that satisfies the definition and criteria 
        established by the Director in the final rule issued pursuant 
        to section 2242(b).
            ``(5) Covered entity.--The term `covered entity' means an 
        entity in a critical infrastructure sector, as defined in 
        Presidential Policy Directive 21, that satisfies the definition 
        established by the Director in the final rule issued pursuant 
        to section 2242(b).
            ``(6) Cyber incident.--The term `cyber incident'--
                    ``(A) has the meaning given the term `incident' in 
                section 2209; and
                    ``(B) does not include an occurrence that 
                imminently, but not actually, jeopardizes--
                            ``(i) information on information systems; 
                        or
                            ``(ii) information systems.
            ``(7) Cyber threat.--The term `cyber threat' has the 
        meaning given the term `cybersecurity threat' in section 2201.
            ``(8) Cyber threat indicator; cybersecurity purpose; 
        defensive measure; federal entity; security vulnerability.--The 
        terms `cyber threat indicator', `cybersecurity purpose', 
        `defensive measure', `Federal entity', and `security 
        vulnerability' have the meanings given those terms in section 
        102 of the Cybersecurity Act of 2015 (6 U.S.C. 1501).
            ``(9) Incident; sharing.--The terms `incident' and 
        `sharing' have the meanings given those terms in section 2209.
            ``(10) Information sharing and analysis organization.--The 
        term `Information Sharing and Analysis Organization' has the 
        meaning given the term in section 2222.
            ``(11) Information system.--The term `information system'--
                    ``(A) has the meaning given the term in section 
                3502 of title 44, United States Code; and
                    ``(B) includes industrial control systems, such as 
                supervisory control and data acquisition systems, 
                distributed control systems, and programmable logic 
                controllers.
            ``(12) Managed service provider.--The term `managed service 
        provider' means an entity that delivers services, such as 
        network, application, infrastructure, or security services, via 
        ongoing and regular support and active administration on the 
        premises of a customer, in the data center of the entity (such 
        as hosting), or in a third party data center.
            ``(13) Ransom payment.--The term `ransom payment' means the 
        transmission of any money or other property or asset, including 
        virtual currency, or any portion thereof, which has at any time 
        been delivered as ransom in connection with a ransomware 
        attack.
            ``(14) Ransomware attack.--The term `ransomware attack'--
                    ``(A) means an incident that includes the use or 
                threat of use of unauthorized or malicious code on an 
                information system, or the use or threat of use of 
                another digital mechanism such as a denial of service 
                attack, to interrupt or disrupt the operations of an 
                information system or compromise the confidentiality, 
                availability, or integrity of electronic data stored 
                on, processed by, or transiting an information system 
                to extort a demand for a ransom payment; and
                    ``(B) does not include any such event where the 
                demand for payment is--
                            ``(i) not genuine; or
                            ``(ii) made in good faith by an entity in 
                        response to a specific request by the owner or 
                        operator of the information system.
            ``(15) Sector risk management agency.--The term `Sector 
        Risk Management Agency' has the meaning given the term in 
        section 2201.
            ``(16) Significant cyber incident.--The term `significant 
        cyber incident' means a cyber incident, or a group of related 
        cyber incidents, that the Secretary determines is likely to 
        result in demonstrable harm to the national security interests, 
        foreign relations, or economy of the United States or to the 
        public confidence, civil liberties, or public health and safety 
        of the people of the United States.
            ``(17) Supply chain compromise.--The term `supply chain 
        compromise' means an incident within the supply chain of an 
        information system that an adversary can leverage or does 
        leverage to jeopardize the confidentiality, integrity, or 
        availability of the information system or the information the 
        system processes, stores, or transmits, and can occur at any 
        point during the life cycle.
            ``(18) Virtual currency.--The term `virtual currency' means 
        the digital representation of value that functions as a medium 
        of exchange, a unit of account, or a store of value.
            ``(19) Virtual currency address.--The term `virtual 
        currency address' means a unique public cryptographic key 
        identifying the location to which a virtual currency payment 
        can be made.

``SEC. 2241. CYBER INCIDENT REVIEW.

    ``(a) Activities.--The Center shall--
            ``(1) receive, aggregate, analyze, and secure, using 
        processes consistent with the processes developed pursuant to 
        the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 
        1501 et seq.) reports from covered entities related to a 
        covered cyber incident to assess the effectiveness of security 
        controls, identify tactics, techniques, and procedures 
        adversaries use to overcome those controls and other 
        cybersecurity purposes, including to assess potential impact of 
        cyber incidents on public health and safety and to enhance 
        situational awareness of cyber threats across critical 
        infrastructure sectors;
            ``(2) coordinate and share information with appropriate 
        Federal departments and agencies to identify and track ransom 
        payments, including those utilizing virtual currencies;
            ``(3) leverage information gathered about cyber incidents 
        to--
                    ``(A) enhance the quality and effectiveness of 
                information sharing and coordination efforts with 
                appropriate entities, including agencies, sector 
                coordinating councils, Information Sharing and Analysis 
                Organizations, State, local, Tribal, and territorial 
                governments, technology providers, critical 
                infrastructure owners and operators, cybersecurity and 
                cyber incident response firms, and security 
                researchers; and
                    ``(B) provide appropriate entities, including 
                sector coordinating councils, Information Sharing and 
                Analysis Organizations, State, local, Tribal, and 
                territorial governments, technology providers, 
                cybersecurity and cyber incident response firms, and 
                security researchers, with timely, actionable, and 
                anonymized reports of cyber incident campaigns and 
                trends, including, to the maximum extent practicable, 
                related contextual information, cyber threat 
                indicators, and defensive measures, pursuant to section 
                2245;
            ``(4) establish mechanisms to receive feedback from 
        stakeholders on how the Agency can most effectively receive 
        covered cyber incident reports, ransom payment reports, and 
        other voluntarily provided information, and how the Agency can 
        most effectively support private sector cybersecurity;
            ``(5) facilitate the timely sharing, on a voluntary basis, 
        between relevant critical infrastructure owners and operators 
        of information relating to covered cyber incidents and ransom 
        payments, particularly with respect to ongoing cyber threats or 
        security vulnerabilities and identify and disseminate ways to 
        prevent or mitigate similar cyber incidents in the future;
            ``(6) for a covered cyber incident, including a ransomware 
        attack, that also satisfies the definition of a significant 
        cyber incident, or is part of a group of related cyber 
        incidents that together satisfy such definition, conduct a 
        review of the details surrounding the covered cyber incident or 
        group of those incidents and identify and disseminate ways to 
        prevent or mitigate similar incidents in the future;
            ``(7) with respect to covered cyber incident reports under 
        section 2242(a) and 2243 involving an ongoing cyber threat or 
        security vulnerability, immediately review those reports for 
        cyber threat indicators that can be anonymized and 
        disseminated, with defensive measures, to appropriate 
        stakeholders, in coordination with other divisions within the 
        Agency, as appropriate;
            ``(8) publish quarterly unclassified, public reports that 
        describe aggregated, anonymized observations, findings, and 
        recommendations based on covered cyber incident reports, which 
        may be based on the unclassified information contained in the 
        briefings required under subsection (c);
            ``(9) proactively identify opportunities, consistent with 
        the protections in section 2245, to leverage and utilize data 
        on cyber incidents in a manner that enables and strengthens 
        cybersecurity research carried out by academic institutions and 
        other private sector organizations, to the greatest extent 
        practicable; and
            ``(10) in accordance with section 2245 and subsection (b) 
        of this section, as soon as possible but not later than 24 
        hours after receiving a covered cyber incident report, ransom 
        payment report, voluntarily submitted information pursuant to 
        section 2243, or information received pursuant to a request for 
        information or subpoena under section 2244, make available the 
        information to appropriate Sector Risk Management Agencies and 
        other appropriate Federal agencies.
    ``(b) Interagency Sharing.--The President or a designee of the 
President--
            ``(1) may establish a specific time requirement for sharing 
        information under subsection (a)(11); and
            ``(2) shall determine the appropriate Federal agencies 
        under subsection (a)(11).
    ``(c) Periodic Briefing.--Not later than 60 days after the 
effective date of the final rule required under section 2242(b), and on 
the first day of each month thereafter, the Director, in consultation 
with the National Cyber Director, the Attorney General, and the 
Director of National Intelligence, shall provide to the majority leader 
of the Senate, the minority leader of the Senate, the Speaker of the 
House of Representatives, the minority leader of the House of 
Representatives, the Committee on Homeland Security and Governmental 
Affairs of the Senate, and the Committee on Homeland Security of the 
House of Representatives a briefing that characterizes the national 
cyber threat landscape, including the threat facing Federal agencies 
and covered entities, and applicable intelligence and law enforcement 
information, covered cyber incidents, and ransomware attacks, as of the 
date of the briefing, which shall--
            ``(1) include the total number of reports submitted under 
        sections 2242 and 2243 during the preceding month, including a 
        breakdown of required and voluntary reports;
            ``(2) include any identified trends in covered cyber 
        incidents and ransomware attacks over the course of the 
        preceding month and as compared to previous reports, including 
        any trends related to the information collected in the reports 
        submitted under sections 2242 and 2243, including--
                    ``(A) the infrastructure, tactics, and techniques 
                malicious cyber actors commonly use; and
                    ``(B) intelligence gaps that have impeded, or 
                currently are impeding, the ability to counter covered 
                cyber incidents and ransomware threats;
            ``(3) include a summary of the known uses of the 
        information in reports submitted under sections 2242 and 2243; 
        and
            ``(4) include an unclassified portion, but may include a 
        classified component.

``SEC. 2242. REQUIRED REPORTING OF CERTAIN CYBER INCIDENTS.

    ``(a) In General.--
            ``(1) Covered cyber incident reports.--
                    ``(A) In general.--A covered entity that 
                experiences a covered cyber incident shall report the 
                covered cyber incident to the Agency not later than 72 
                hours after the covered entity reasonably believes that 
                the covered cyber incident has occurred.
                    ``(B) Limitation.--The Director may not require 
                reporting under subparagraph (A) any earlier than 72 
                hours after the covered entity reasonably believes that 
                a covered cyber incident has occurred.
            ``(2) Ransom payment reports.--
                    ``(A) In general.--A covered entity that makes a 
                ransom payment as the result of a ransomware attack 
                against the covered entity shall report the payment to 
                the Agency not later than 24 hours after the ransom 
                payment has been made.
                    ``(B) Application.--The requirements under 
                subparagraph (A) shall apply even if the ransomware 
                attack is not a covered cyber incident subject to the 
                reporting requirements under paragraph (1).
            ``(3) Supplemental reports.--A covered entity shall 
        promptly submit to the Agency an update or supplement to a 
        previously submitted covered cyber incident report if 
        substantial new or different information becomes available or 
        if the covered entity makes a ransom payment after submitting a 
        covered cyber incident report required under paragraph (1), 
        until such date that such covered entity notifies the Agency 
        that the covered cyber incident at issue has concluded and has 
        been fully mitigated and resolved.
            ``(4) Preservation of information.--Any covered entity 
        subject to requirements of paragraph (1), (2), or (3) shall 
        preserve data relevant to the covered cyber incident or ransom 
        payment in accordance with procedures established in the final 
        rule issued pursuant to subsection (b).
            ``(5) Exceptions.--
                    ``(A) Reporting of covered cyber incident with 
                ransom payment.--If a covered entity is the victim of a 
                covered cyber incident and makes a ransom payment prior 
                to the 72 hour requirement under paragraph (1), such 
                that the reporting requirements under paragraphs (1) 
                and (2) both apply, the covered entity may submit a 
                single report to satisfy the requirements of both 
                paragraphs in accordance with procedures established in 
                the final rule issued pursuant to subsection (b).
                    ``(B) Substantially similar reported information.--
                            ``(i) In general.--Subject to the 
                        limitation described in clause (ii), where the 
                        Agency has an agreement in place that satisfies 
                        the requirements of section 4(a) of the Cyber 
                        Incident Reporting for Critical Infrastructure 
                        Act of 2022, the requirements under paragraphs 
                        (1), (2), and (3) shall not apply to a covered 
                        entity required by law, regulation, or contract 
                        to report substantially similar information to 
                        another Federal agency within a substantially 
                        similar timeframe.
                            ``(ii) Limitation.--The exemption in clause 
                        (i) shall take effect with respect to a covered 
                        entity once an agency agreement and sharing 
                        mechanism is in place between the Agency and 
                        the respective Federal agency, pursuant to 
                        section 4(a) of the Cyber Incident Reporting 
                        for Critical Infrastructure Act of 2022.
                            ``(iii) Rules of construction.--Nothing in 
                        this paragraph shall be construed to--
                                    ``(I) exempt a covered entity from 
                                the reporting requirements under 
                                paragraph (3) unless the supplemental 
                                report also meets the requirements of 
                                clauses (i) and (ii) of this paragraph;
                                    ``(II) prevent the Agency from 
                                contacting an entity submitting 
                                information to another Federal agency 
                                that is provided to the Agency pursuant 
                                to section 4 of the Cyber Incident 
                                Reporting for Critical Infrastructure 
                                Act of 2022; or
                                    ``(III) prevent an entity from 
                                communicating with the Agency.
                    ``(C) Domain name system.--The requirements under 
                paragraphs (1), (2) and (3) shall not apply to a 
                covered entity or the functions of a covered entity 
                that the Director determines constitute critical 
                infrastructure owned, operated, or governed by multi-
                stakeholder organizations that develop, implement, and 
                enforce policies concerning the Domain Name System, 
                such as the Internet Corporation for Assigned Names and 
                Numbers or the Internet Assigned Numbers Authority.
            ``(6) Manner, timing, and form of reports.--Reports made 
        under paragraphs (1), (2), and (3) shall be made in the manner 
        and form, and within the time period in the case of reports 
        made under paragraph (3), prescribed in the final rule issued 
        pursuant to subsection (b).
            ``(7) Effective date.--Paragraphs (1) through (4) shall 
        take effect on the dates prescribed in the final rule issued 
        pursuant to subsection (b).
    ``(b) Rulemaking.--
            ``(1) Notice of proposed rulemaking.--Not later than 24 
        months after the date of enactment of this section, the 
        Director, in consultation with Sector Risk Management Agencies, 
        the Department of Justice, and other Federal agencies, shall 
        publish in the Federal Register a notice of proposed rulemaking 
        to implement subsection (a).
            ``(2) Final rule.--Not later than 18 months after 
        publication of the notice of proposed rulemaking under 
        paragraph (1), the Director shall issue a final rule to 
        implement subsection (a).
            ``(3) Subsequent rulemakings.--
                    ``(A) In general.--The Director is authorized to 
                issue regulations to amend or revise the final rule 
                issued pursuant to paragraph (2).
                    ``(B) Procedures.--Any subsequent rules issued 
                under subparagraph (A) shall comply with the 
                requirements under chapter 5 of title 5, United States 
                Code, including the issuance of a notice of proposed 
                rulemaking under section 553 of such title.
    ``(c) Elements.--The final rule issued pursuant to subsection (b) 
shall be composed of the following elements:
            ``(1) A clear description of the types of entities that 
        constitute covered entities, based on--
                    ``(A) the consequences that disruption to or 
                compromise of such an entity could cause to national 
                security, economic security, or public health and 
                safety;
                    ``(B) the likelihood that such an entity may be 
                targeted by a malicious cyber actor, including a 
                foreign country; and
                    ``(C) the extent to which damage, disruption, or 
                unauthorized access to such an entity, including the 
                accessing of sensitive cybersecurity vulnerability 
                information or penetration testing tools or techniques, 
                will likely enable the disruption of the reliable 
                operation of critical infrastructure.
            ``(2) A clear description of the types of substantial cyber 
        incidents that constitute covered cyber incidents, which 
        shall--
                    ``(A) at a minimum, require the occurrence of--
                            ``(i) a cyber incident that leads to 
                        substantial loss of confidentiality, integrity, 
                        or availability of such information system or 
                        network, or a serious impact on the safety and 
                        resiliency of operational systems and 
                        processes;
                            ``(ii) a disruption of business or 
                        industrial operations, including due to a 
                        denial of service attack, ransomware attack, or 
                        exploitation of a zero day vulnerability, 
                        against
                                    ``(I) an information system or 
                                network; or
                                    ``(II) an operational technology 
                                system or process; or
                            ``(iii) unauthorized access or disruption 
                        of business or industrial operations due to 
                        loss of service facilitated through, or caused 
                        by, a compromise of a cloud service provider, 
                        managed service provider, or other third-party 
                        data hosting provider or by a supply chain 
                        compromise;
                    ``(B) consider--
                            ``(i) the sophistication or novelty of the 
                        tactics used to perpetrate such a cyber 
                        incident, as well as the type, volume, and 
                        sensitivity of the data at issue;
                            ``(ii) the number of individuals directly 
                        or indirectly affected or potentially affected 
                        by such a cyber incident; and
                            ``(iii) potential impacts on industrial 
                        control systems, such as supervisory control 
                        and data acquisition systems, distributed 
                        control systems, and programmable logic 
                        controllers; and
                    ``(C) exclude--
                            ``(i) any event where the cyber incident is 
                        perpetrated in good faith by an entity in 
                        response to a specific request by the owner or 
                        operator of the information system; and
                            ``(ii) the threat of disruption as 
                        extortion, as described in section 2240(14)(A).
            ``(3) A requirement that, if a covered cyber incident or a 
        ransom payment occurs following an exempted threat described in 
        paragraph (2)(C)(ii), the covered entity shall comply with the 
        requirements in this subtitle in reporting the covered cyber 
        incident or ransom payment.
            ``(4) A clear description of the specific required contents 
        of a report pursuant to subsection (a)(1), which shall include 
        the following information, to the extent applicable and 
        available, with respect to a covered cyber incident:
                    ``(A) A description of the covered cyber incident, 
                including--
                            ``(i) identification and a description of 
                        the function of the affected information 
                        systems, networks, or devices that were, or are 
                        reasonably believed to have been, affected by 
                        such cyber incident;
                            ``(ii) a description of the unauthorized 
                        access with substantial loss of 
                        confidentiality, integrity, or availability of 
                        the affected information system or network or 
                        disruption of business or industrial 
                        operations;
                            ``(iii) the estimated date range of such 
                        incident; and
                            ``(iv) the impact to the operations of the 
                        covered entity.
                    ``(B) Where applicable, a description of the 
                vulnerabilities exploited and the security defenses 
                that were in place, as well as the tactics, techniques, 
                and procedures used to perpetrate the covered cyber 
                incident.
                    ``(C) Where applicable, any identifying or contact 
                information related to each actor reasonably believed 
                to be responsible for such cyber incident.
                    ``(D) Where applicable, identification of the 
                category or categories of information that were, or are 
                reasonably believed to have been, accessed or acquired 
                by an unauthorized person.
                    ``(E) The name and other information that clearly 
                identifies the covered entity impacted by the covered 
                cyber incident, including, as applicable, the State of 
                incorporation or formation of the covered entity, trade 
                names, legal names, or other identifiers.
                    ``(F) Contact information, such as telephone number 
                or electronic mail address, that the Agency may use to 
                contact the covered entity or an authorized agent of 
                such covered entity, or, where applicable, the service 
                provider of such covered entity acting with the express 
                permission of, and at the direction of, the covered 
                entity to assist with compliance with the requirements 
                of this subtitle.
            ``(5) A clear description of the specific required contents 
        of a report pursuant to subsection (a)(2), which shall be the 
        following information, to the extent applicable and available, 
        with respect to a ransom payment:
                    ``(A) A description of the ransomware attack, 
                including the estimated date range of the attack.
                    ``(B) Where applicable, a description of the 
                vulnerabilities, tactics, techniques, and procedures 
                used to perpetrate the ransomware attack.
                    ``(C) Where applicable, any identifying or contact 
                information related to the actor or actors reasonably 
                believed to be responsible for the ransomware attack.
                    ``(D) The name and other information that clearly 
                identifies the covered entity that made the ransom 
                payment or on whose behalf the payment was made.
                    ``(E) Contact information, such as telephone number 
                or electronic mail address, that the Agency may use to 
                contact the covered entity that made the ransom payment 
                or an authorized agent of such covered entity, or, 
                where applicable, the service provider of such covered 
                entity acting with the express permission of, and at 
                the direction of, that covered entity to assist with 
                compliance with the requirements of this subtitle.
                    ``(F) The date of the ransom payment.
                    ``(G) The ransom payment demand, including the type 
                of virtual currency or other commodity requested, if 
                applicable.
                    ``(H) The ransom payment instructions, including 
                information regarding where to send the payment, such 
                as the virtual currency address or physical address the 
                funds were requested to be sent to, if applicable.
                    ``(I) The amount of the ransom payment.
            ``(6) A clear description of the types of data required to 
        be preserved pursuant to subsection (a)(4), the period of time 
        for which the data is required to be preserved, and allowable 
        uses, processes, and procedures.
            ``(7) Deadlines and criteria for submitting supplemental 
        reports to the Agency required under subsection (a)(3), which 
        shall--
                    ``(A) be established by the Director in 
                consultation with the Council;
                    ``(B) consider any existing regulatory reporting 
                requirements similar in scope, purpose, and timing to 
                the reporting requirements to which such a covered 
                entity may also be subject, and make efforts to 
                harmonize the timing and contents of any such reports 
                to the maximum extent practicable;
                    ``(C) balance the need for situational awareness 
                with the ability of the covered entity to conduct cyber 
                incident response and investigations; and
                    ``(D) provide a clear description of what 
                constitutes substantial new or different information.
            ``(8) Procedures for--
                    ``(A) entities, including third parties pursuant to 
                subsection (d)(1), to submit reports required by 
                paragraphs (1), (2), and (3) of subsection (a), 
                including the manner and form thereof, which shall 
                include, at a minimum, a concise, user-friendly web-
                based form;
                    ``(B) the Agency to carry out--
                            ``(i) the enforcement provisions of section 
                        2244, including with respect to the issuance, 
                        service, withdrawal, referral process, and 
                        enforcement of subpoenas, appeals and due 
                        process procedures;
                            ``(ii) other available enforcement 
                        mechanisms including acquisition, suspension 
                        and debarment procedures; and
                            ``(iii) other aspects of noncompliance;
                    ``(C) implementing the exceptions provided in 
                subsection (a)(5); and
                    ``(D) protecting privacy and civil liberties 
                consistent with processes adopted pursuant to section 
                105(b) of the Cybersecurity Act of 2015 (6 U.S.C. 
                1504(b)) and anonymizing and safeguarding, or no longer 
                retaining, information received and disclosed through 
                covered cyber incident reports and ransom payment 
                reports that is known to be personal information of a 
                specific individual or information that identifies a 
                specific individual that is not directly related to a 
                cybersecurity threat.
            ``(9) Other procedural measures directly necessary to 
        implement subsection (a).
    ``(d) Third Party Report Submission and Ransom Payment.--
            ``(1) Report submission.--A covered entity that is required 
        to submit a covered cyber incident report or a ransom payment 
        report may use a third party, such as an incident response 
        company, insurance provider, service provider, Information 
        Sharing and Analysis Organization, or law firm, to submit the 
        required report under subsection (a).
            ``(2) Ransom payment.--If a covered entity impacted by a 
        ransomware attack uses a third party to make a ransom payment, 
        the third party shall not be required to submit a ransom 
        payment report for itself under subsection (a)(2).
            ``(3) Duty to report.--Third-party reporting under this 
        subparagraph does not relieve a covered entity from the duty to 
        comply with the requirements for covered cyber incident report 
        or ransom payment report submission.
            ``(4) Responsibility to advise.--Any third party used by a 
        covered entity that knowingly makes a ransom payment on behalf 
        of a covered entity impacted by a ransomware attack shall 
        advise the impacted covered entity of the responsibilities of 
        the impacted covered entity regarding reporting ransom payments 
        under this section.
    ``(e) Outreach to Covered Entities.--
            ``(1) In general.--The Agency shall conduct an outreach and 
        education campaign to inform likely covered entities, entities 
        that offer or advertise as a service to customers to make or 
        facilitate ransom payments on behalf of covered entities 
        impacted by ransomware attacks and other appropriate entities 
        of the requirements of paragraphs (1), (2), and (3) of 
        subsection (a).
            ``(2) Elements.--The outreach and education campaign under 
        paragraph (1) shall include the following:
                    ``(A) An overview of the final rule issued pursuant 
                to subsection (b).
                    ``(B) An overview of mechanisms to submit to the 
                Agency covered cyber incident reports, ransom payment 
                reports, and information relating to the disclosure, 
                retention, and use of covered cyber incident reports 
                and ransom payment reports under this section.
                    ``(C) An overview of the protections afforded to 
                covered entities for complying with the requirements 
                under paragraphs (1), (2), and (3) of subsection (a).
                    ``(D) An overview of the steps taken under section 
                2244 when a covered entity is not in compliance with 
                the reporting requirements under subsection (a).
                    ``(E) Specific outreach to cybersecurity vendors, 
                cyber incident response providers, cybersecurity 
                insurance entities, and other entities that may support 
                covered entities.
                    ``(F) An overview of the privacy and civil 
                liberties requirements in this subtitle.
            ``(3) Coordination.--In conducting the outreach and 
        education campaign required under paragraph (1), the Agency may 
        coordinate with--
                    ``(A) the Critical Infrastructure Partnership 
                Advisory Council established under section 871;
                    ``(B) Information Sharing and Analysis 
                Organizations;
                    ``(C) trade associations;
                    ``(D) information sharing and analysis centers;
                    ``(E) sector coordinating councils; and
                    ``(F) any other entity as determined appropriate by 
                the Director.
    ``(f) Exemption.--Sections 3506(c), 3507, 3508, and 3509 of title 
44, United States Code, shall not apply to any action to carry out this 
section.
    ``(g) Rule of Construction.--Nothing in this section shall affect 
the authorities of the Federal Government to implement the requirements 
of Executive Order 14028 (86 Fed. Reg. 26633; relating to improving the 
nation's cybersecurity), including changes to the Federal Acquisition 
Regulations and remedies to include suspension and debarment.
    ``(h) Savings Provision.--Nothing in this section shall be 
construed to supersede or to abrogate, modify, or otherwise limit the 
authority that is vested in any officer or any agency of the United 
States Government to regulate or take action with respect to the 
cybersecurity of an entity.

``SEC. 2243. VOLUNTARY REPORTING OF OTHER CYBER INCIDENTS.

    ``(a) In General.--Entities may voluntarily report cyber incidents 
or ransom payments to the Agency that are not required under paragraph 
(1), (2), or (3) of section 2242(a), but may enhance the situational 
awareness of cyber threats.
    ``(b) Voluntary Provision of Additional Information in Required 
Reports.--Covered entities may voluntarily include in reports required 
under paragraph (1), (2), or (3) of section 2242(a) information that is 
not required to be included, but may enhance the situational awareness 
of cyber threats.
    ``(c) Application of Protections.--The protections under section 
2245 applicable to reports made under section 2242 shall apply in the 
same manner and to the same extent to reports and information submitted 
under subsections (a) and (b).

``SEC. 2244. NONCOMPLIANCE WITH REQUIRED REPORTING.

    ``(a) Purpose.--In the event that a covered entity that is required 
to submit a report under section 2242(a) fails to comply with the 
requirement to report, the Director may obtain information about the 
cyber incident or ransom payment by engaging the covered entity 
directly to request information about the cyber incident or ransom 
payment, and if the Director is unable to obtain information through 
such engagement, by issuing a subpoena to the covered entity, pursuant 
to subsection (c), to gather information sufficient to determine 
whether a covered cyber incident or ransom payment has occurred.
    ``(b) Initial Request for Information.--
            ``(1) In general.--If the Director has reason to believe, 
        whether through public reporting or other information in the 
        possession of the Federal Government, including through 
        analysis performed pursuant to paragraph (1) or (2) of section 
        2241(a), that a covered entity has experienced a covered cyber 
        incident or made a ransom payment but failed to report such 
        cyber incident or payment to the Agency in accordance with 
        section 2242(a), the Director may request additional 
        information from the covered entity to confirm whether or not a 
        covered cyber incident or ransom payment has occurred.
            ``(2) Treatment.--Information provided to the Agency in 
        response to a request under paragraph (1) shall be treated as 
        if it was submitted through the reporting procedures 
        established in section 2242.
    ``(c) Enforcement.--
            ``(1) In general.--If, after the date that is 72 hours from 
        the date on which the Director made the request for information 
        in subsection (b), the Director has received no response from 
        the covered entity from which such information was requested, 
        or received an inadequate response, the Director may issue to 
        such covered entity a subpoena to compel disclosure of 
        information the Director deems necessary to determine whether a 
        covered cyber incident or ransom payment has occurred and 
        obtain the information required to be reported pursuant to 
        section 2242 and any implementing regulations, and assess 
        potential impacts to national security, economic security, or 
        public health and safety.
            ``(2) Civil action.--
                    ``(A) In general.--If a covered entity fails to 
                comply with a subpoena, the Director may refer the 
                matter to the Attorney General to bring a civil action 
                in a district court of the United States to enforce 
                such subpoena.
                    ``(B) Venue.--An action under this paragraph may be 
                brought in the judicial district in which the covered 
                entity against which the action is brought resides, is 
                found, or does business.
                    ``(C) Contempt of court.--A court may punish a 
                failure to comply with a subpoena issued under this 
                subsection as contempt of court.
            ``(3) Non-delegation.--The authority of the Director to 
        issue a subpoena under this subsection may not be delegated.
            ``(4) Authentication.--
                    ``(A) In general.--Any subpoena issued 
                electronically pursuant to this subsection shall be 
                authenticated with a cryptographic digital signature of 
                an authorized representative of the Agency, or other 
                comparable successor technology, that allows the Agency 
                to demonstrate that such subpoena was issued by the 
                Agency and has not been altered or modified since such 
                issuance.
                    ``(B) Invalid if not authenticated.--Any subpoena 
                issued electronically pursuant to this subsection that 
                is not authenticated in accordance with subparagraph 
                (A) shall not be considered to be valid by the 
                recipient of such subpoena.
    ``(d) Provision of Certain Information to Attorney General.--
            ``(1) In general.--Notwithstanding section 2245(a)(5) and 
        paragraph (b)(2) of this section, if the Director determines, 
        based on the information provided in response to a subpoena 
        issued pursuant to subsection (c), that the facts relating to 
        the cyber incident or ransom payment at issue may constitute 
        grounds for a regulatory enforcement action or criminal 
        prosecution, the Director may provide such information to the 
        Attorney General or the head of the appropriate Federal 
        regulatory agency, who may use such information for a 
        regulatory enforcement action or criminal prosecution.
            ``(2) Consultation.--The Director may consult with the 
        Attorney General or the head of the appropriate Federal 
        regulatory agency when making the determination under paragraph 
        (1).
    ``(e) Considerations.--When determining whether to exercise the 
authorities provided under this section, the Director shall take into 
consideration--
            ``(1) the complexity in determining if a covered cyber 
        incident has occurred; and
            ``(2) prior interaction with the Agency or awareness of the 
        covered entity of the policies and procedures of the Agency for 
        reporting covered cyber incidents and ransom payments.
    ``(f) Exclusions.--This section shall not apply to a State, local, 
Tribal, or territorial government entity.
    ``(g) Report to Congress.--The Director shall submit to Congress an 
annual report on the number of times the Director--
            ``(1) issued an initial request for information pursuant to 
        subsection (b);
            ``(2) issued a subpoena pursuant to subsection (c); or
            ``(3) referred a matter to the Attorney General for a civil 
        action pursuant to subsection (c)(2).
    ``(h) Publication of the Annual Report.--The Director shall publish 
a version of the annual report required under subsection (g) on the 
website of the Agency, which shall include, at a minimum, the number of 
times the Director--
            ``(1) issued an initial request for information pursuant to 
        subsection (b); or
            ``(2) issued a subpoena pursuant to subsection (c).
    ``(i) Anonymization of Reports.--The Director shall ensure any 
victim information contained in a report required to be published under 
subsection (h) be anonymized before the report is published.

``SEC. 2245. INFORMATION SHARED WITH OR PROVIDED TO THE FEDERAL 
              GOVERNMENT.

    ``(a) Disclosure, Retention, and Use.--
            ``(1) Authorized activities.--Information provided to the 
        Agency pursuant to section 2242 or 2243 may be disclosed to, 
        retained by, and used by, consistent with otherwise applicable 
        provisions of Federal law, any Federal agency or department, 
        component, officer, employee, or agent of the Federal 
        Government solely for--
                    ``(A) a cybersecurity purpose;
                    ``(B) the purpose of identifying--
                            ``(i) a cyber threat, including the source 
                        of the cyber threat; or
                            ``(ii) a security vulnerability;
                    ``(C) the purpose of responding to, or otherwise 
                preventing or mitigating, a specific threat of death, a 
                specific threat of serious bodily harm, or a specific 
                threat of serious economic harm, including a terrorist 
                act or use of a weapon of mass destruction;
                    ``(D) the purpose of responding to, investigating, 
                prosecuting, or otherwise preventing or mitigating, a 
                serious threat to a minor, including sexual 
                exploitation and threats to physical safety; or
                    ``(E) the purpose of preventing, investigating, 
                disrupting, or prosecuting an offense arising out of a 
                cyber incident reported pursuant to section 2242 or 
                2243 or any of the offenses listed in section 
                105(d)(5)(A)(v) of the Cybersecurity Act of 2015 (6 
                U.S.C. 1504(d)(5)(A)(v)).
            ``(2) Agency actions after receipt.--
                    ``(A) Rapid, confidential sharing of cyber threat 
                indicators.--Upon receiving a covered cyber incident or 
                ransom payment report submitted pursuant to this 
                section, the Agency shall immediately review the report 
                to determine whether the cyber incident that is the 
                subject of the report is connected to an ongoing cyber 
                threat or security vulnerability and where applicable, 
                use such report to identify, develop, and rapidly 
                disseminate to appropriate stakeholders actionable, 
                anonymized cyber threat indicators and defensive 
                measures.
                    ``(B) Principles for sharing security 
                vulnerabilities.--With respect to information in a 
                covered cyber incident or ransom payment report 
                regarding a security vulnerability referred to in 
                paragraph (1)(B)(ii), the Director shall develop 
                principles that govern the timing and manner in which 
                information relating to security vulnerabilities may be 
                shared, consistent with common industry best practices 
                and United States and international standards.
            ``(3) Privacy and civil liberties.--Information contained 
        in covered cyber incident and ransom payment reports submitted 
        to the Agency pursuant to section 2242 shall be retained, used, 
        and disseminated, where permissible and appropriate, by the 
        Federal Government in accordance with processes to be developed 
        for the protection of personal information consistent with 
        processes adopted pursuant to section 105 of the Cybersecurity 
        Act of 2015 (6 U.S.C. 1504) and in a manner that protects from 
        unauthorized use or disclosure any information that may 
        contain--
                    ``(A) personal information of a specific individual 
                that is not directly related to a cybersecurity threat; 
                or
                    ``(B) information that identifies a specific 
                individual that is not directly related to a 
                cybersecurity threat.
            ``(4) Digital security.--The Agency shall ensure that 
        reports submitted to the Agency pursuant to section 2242, and 
        any information contained in those reports, are collected, 
        stored, and protected at a minimum in accordance with the 
        requirements for moderate impact Federal information systems, 
        as described in Federal Information Processing Standards 
        Publication 199, or any successor document.
            ``(5) Prohibition on use of information in regulatory 
        actions.--
                    ``(A) In general.--A Federal, State, local, or 
                Tribal government shall not use information about a 
                covered cyber incident or ransom payment obtained 
                solely through reporting directly to the Agency in 
                accordance with this subtitle to regulate, including 
                through an enforcement action, the activities of the 
                covered entity or entity that made a ransom payment, 
                unless the government entity expressly allows entities 
                to submit reports to the Agency to meet regulatory 
                reporting obligations of the entity.
                    ``(B) Clarification.--A report submitted to the 
                Agency pursuant to section 2242 or 2243 may, consistent 
                with Federal or State regulatory authority specifically 
                relating to the prevention and mitigation of 
                cybersecurity threats to information systems, inform 
                the development or implementation of regulations 
                relating to such systems.
    ``(b) Protections for Reporting Entities and Information.--Reports 
describing covered cyber incidents or ransom payments submitted to the 
Agency by entities in accordance with section 2242, as well as 
voluntarily-submitted cyber incident reports submitted to the Agency 
pursuant to section 2243, shall--
            ``(1) be considered the commercial, financial, and 
        proprietary information of the covered entity when so 
        designated by the covered entity;
            ``(2) be exempt from disclosure under section 552(b)(3) of 
        title 5, United States Code (commonly known as the `Freedom of 
        Information Act'), as well as any provision of State, Tribal, 
        or local freedom of information law, open government law, open 
        meetings law, open records law, sunshine law, or similar law 
        requiring disclosure of information or records;
            ``(3) be considered not to constitute a waiver of any 
        applicable privilege or protection provided by law, including 
        trade secret protection; and
            ``(4) not be subject to a rule of any Federal agency or 
        department or any judicial doctrine regarding ex parte 
        communications with a decision-making official.
    ``(c) Liability Protections.--
            ``(1) In general.--No cause of action shall lie or be 
        maintained in any court by any person or entity and any such 
        action shall be promptly dismissed for the submission of a 
        report pursuant to section 2242(a) that is submitted in 
        conformance with this subtitle and the rule promulgated under 
        section 2242(b), except that this subsection shall not apply 
        with regard to an action by the Federal Government pursuant to 
        section 2244(c)(2).
            ``(2) Scope.--The liability protections provided in this 
        subsection shall only apply to or affect litigation that is 
        solely based on the submission of a covered cyber incident 
        report or ransom payment report to the Agency.
            ``(3) Restrictions.--Notwithstanding paragraph (2), no 
        report submitted to the Agency pursuant to this subtitle or any 
        communication, document, material, or other record, created for 
        the sole purpose of preparing, drafting, or submitting such 
        report, may be received in evidence, subject to discovery, or 
        otherwise used in any trial, hearing, or other proceeding in or 
        before any court, regulatory body, or other authority of the 
        United States, a State, or a political subdivision thereof, 
        provided that nothing in this subtitle shall create a defense 
        to discovery or otherwise affect the discovery of any 
        communication, document, material, or other record not created 
        for the sole purpose of preparing, drafting, or submitting such 
        report.
    ``(d) Sharing With Non-Federal Entities.--The Agency shall 
anonymize the victim who reported the information when making 
information provided in reports received under section 2242 available 
to critical infrastructure owners and operators and the general public.
    ``(e) Stored Communications Act.--Nothing in this subtitle shall be 
construed to permit or require disclosure by a provider of a remote 
computing service or a provider of an electronic communication service 
to the public of information not otherwise permitted or required to be 
disclosed under chapter 121 of title 18, United States Code (commonly 
known as the `Stored Communications Act').

``SEC. 2246. CYBER INCIDENT REPORTING COUNCIL.

    ``(a) Responsibility of the Secretary.--The Secretary shall lead an 
intergovernmental Cyber Incident Reporting Council, in consultation 
with the Director of the Office of Management and Budget, the Attorney 
General, the National Director Cyber Director, Sector Risk Management 
Agencies, and other appropriate Federal agencies, to coordinate, 
deconflict, and harmonize Federal incident reporting requirements, 
including those issued through regulations.
    ``(b) Rule of Construction.--Nothing in subsection (a) shall be 
construed to provide any additional regulatory authority to any Federal 
entity.''.
    (b) Technical and Conforming Amendment.--The table of contents in 
section 1(b) of the Homeland Security Act of 2002 (Public Law 107-296; 
116 Stat. 2135) is amended by inserting after the items relating to 
subtitle C of title XXII the following:

                 ``Subtitle D--Cyber Incident Reporting

``Sec. 2240. Definitions.
``Sec. 2241. Cyber Incident Review.
``Sec. 2242. Required reporting of certain cyber incidents.
``Sec. 2243. Voluntary reporting of other cyber incidents.
``Sec. 2244. Noncompliance with required reporting.
``Sec. 2245. Information shared with or provided to the Federal 
                            Government.
``Sec. 2246. Cyber Incident Reporting Council.''.

SEC. 204. FEDERAL SHARING OF INCIDENT REPORTS.

    (a) Cyber Incident Reporting Sharing.--
            (1) In general.--Notwithstanding any other provision of law 
        or regulation, any Federal agency, including any independent 
        establishment (as defined in section 104 of title 5, United 
        States Code), that receives a report from an entity of a cyber 
        incident, including a ransomware attack, shall provide the 
        report to the Agency as soon as possible, but not later than 24 
        hours after receiving the report, unless a shorter period is 
        required by an agreement made between the Department of 
        Homeland Security (including the Cybersecurity and 
        Infrastructure Security Agency) and the recipient Federal 
        agency. The Director shall share and coordinate each report 
        pursuant to section 2241(b) of the Homeland Security Act of 
        2002, as added by section 203 of this title.
            (2) Rule of construction.--The requirements described in 
        paragraph (1) and section 2245(d) of the Homeland Security Act 
        of 2002, as added by section 203 of this title, may not be 
        construed to be a violation of any provision of law or policy 
        that would otherwise prohibit disclosure or provision of 
        information within the executive branch.
            (3) Protection of information.--The Director shall comply 
        with any obligations of the recipient Federal agency described 
        in paragraph (1) to protect information, including with respect 
        to privacy, confidentiality, or information security, if those 
        obligations would impose greater protection requirements than 
        this Act or the amendments made by this Act.
            (4) Effective date.--This subsection shall take effect on 
        the effective date of the final rule issued pursuant to section 
        2242(b) of the Homeland Security Act of 2002, as added by 
        section 203 of this title.
            (5) Agency agreements.--
                    (A) In general.--The Agency and any Federal agency, 
                including any independent establishment (as defined in 
                section 104 of title 5, United States Code) that 
                receives incident reports from entities, including due 
                to ransomware attacks, shall, as appropriate, enter 
                into a documented agreement to establish policies, 
                processes, procedures, and mechanisms to ensure reports 
                are shared with the Agency pursuant to paragraph (1).
                    (B) Availability.--To the maximum extent 
                practicable, each documented agreement required under 
                subparagraph (A) shall be made publicly available.
                    (C) Requirement.--The documented agreements 
                required by subparagraph (A) shall require reports be 
                shared from Federal agencies with the Agency in such 
                time as to meet the overall timeline for covered entity 
                reporting of covered cyber incidents and ransom 
                payments established in section 2242 of the Homeland 
                Security Act of 2002, as added by section 203 of this 
                title.
    (b) Harmonizing Reporting Requirements.--The Secretary of Homeland 
Security, acting through the Director, shall, in consultation with the 
Cyber Incident Reporting Council described in section 2246 of the 
Homeland Security Act of 2002, as added by section 203 of this title, 
to the maximum extent practicable--
            (1) periodically review existing regulatory requirements, 
        including the information required in such reports, to report 
        incidents and ensure that any such reporting requirements and 
        procedures avoid conflicting, duplicative, or burdensome 
        requirements; and
            (2) coordinate with appropriate Federal partners and 
        regulatory authorities that receive reports relating to 
        incidents to identify opportunities to streamline reporting 
        processes, and where feasible, facilitate interagency 
        agreements between such authorities to permit the sharing of 
        such reports, consistent with applicable law and policy, 
        without impacting the ability of the Agency to gain timely 
        situational awareness of a covered cyber incident or ransom 
        payment.

SEC. 205. RANSOMWARE VULNERABILITY WARNING PILOT PROGRAM.

    (a) Program.--Not later than 1 year after the date of enactment of 
this Act, the Director shall establish a ransomware vulnerability 
warning pilot program to leverage existing authorities and technology 
to specifically develop processes and procedures for, and to dedicate 
resources to, identifying information systems that contain security 
vulnerabilities associated with common ransomware attacks, and to 
notify the owners of those vulnerable systems of their security 
vulnerability.
    (b) Identification of Vulnerable Systems.--The pilot program 
established under subsection (a) shall--
            (1) identify the most common security vulnerabilities 
        utilized in ransomware attacks and mitigation techniques; and
            (2) utilize existing authorities to identify information 
        systems that contain the security vulnerabilities identified in 
        paragraph (1).
    (c) Entity Notification.--
            (1) Identification.--If the Director is able to identify 
        the entity at risk that owns or operates a vulnerable 
        information system identified in subsection (b), the Director 
        may notify the owner of the information system.
            (2) No identification.--If the Director is not able to 
        identify the entity at risk that owns or operates a vulnerable 
        information system identified in subsection (b), the Director 
        may utilize the subpoena authority pursuant to section 2209 of 
        the Homeland Security Act of 2002 (6 U.S.C. 659) to identify 
        and notify the entity at risk pursuant to the procedures under 
        that section.
            (3) Required information.--A notification made under 
        paragraph (1) shall include information on the identified 
        security vulnerability and mitigation techniques.
    (d) Prioritization of Notifications.--To the extent practicable, 
the Director shall prioritize covered entities for identification and 
notification activities under the pilot program established under this 
section.
    (e) Limitation on Procedures.--No procedure, notification, or other 
authorities utilized in the execution of the pilot program established 
under subsection (a) shall require an owner or operator of a vulnerable 
information system to take any action as a result of a notice of a 
security vulnerability made pursuant to subsection (c).
    (f) Rule of Construction.--Nothing in this section shall be 
construed to provide additional authorities to the Director to identify 
vulnerabilities or vulnerable systems.
    (g) Termination.--The pilot program established under subsection 
(a) shall terminate on the date that is 4 years after the date of 
enactment of this Act.

SEC. 206. RANSOMWARE THREAT MITIGATION ACTIVITIES.

    (a) Joint Ransomware Task Force.--
            (1) In general.--Not later than 180 days after the date of 
        enactment of this Act, the Director, in consultation with the 
        National Cyber Director, the Attorney General, and the Director 
        of the Federal Bureau of Investigation, shall establish and 
        chair the Joint Ransomware Task Force to coordinate an ongoing 
        nationwide campaign against ransomware attacks, and identify 
        and pursue opportunities for international cooperation.
            (2) Composition.--The Joint Ransomware Task Force shall 
        consist of participants from Federal agencies, as determined 
        appropriate by the National Cyber Director in consultation with 
        the Secretary of Homeland Security.
            (3) Responsibilities.--The Joint Ransomware Task Force, 
        utilizing only existing authorities of each participating 
        Federal agency, shall coordinate across the Federal Government 
        the following activities:
                    (A) Prioritization of intelligence-driven 
                operations to disrupt specific ransomware actors.
                    (B) Consult with relevant private sector, State, 
                local, Tribal, and territorial governments and 
                international stakeholders to identify needs and 
                establish mechanisms for providing input into the Joint 
                Ransomware Task Force.
                    (C) Identifying, in consultation with relevant 
                entities, a list of highest threat ransomware entities 
                updated on an ongoing basis, in order to facilitate--
                            (i) prioritization for Federal action by 
                        appropriate Federal agencies; and
                            (ii) identify metrics for success of said 
                        actions.
                    (D) Disrupting ransomware criminal actors, 
                associated infrastructure, and their finances.
                    (E) Facilitating coordination and collaboration 
                between Federal entities and relevant entities, 
                including the private sector, to improve Federal 
                actions against ransomware threats.
                    (F) Collection, sharing, and analysis of ransomware 
                trends to inform Federal actions.
                    (G) Creation of after-action reports and other 
                lessons learned from Federal actions that identify 
                successes and failures to improve subsequent actions.
                    (H) Any other activities determined appropriate by 
                the Joint Ransomware Task Force to mitigate the threat 
                of ransomware attacks.
    (b) Rule of Construction.--Nothing in this section shall be 
construed to provide any additional authority to any Federal agency.

SEC. 207. CONGRESSIONAL REPORTING.

    (a) Report on Stakeholder Engagement.--Not later than 30 days after 
the date on which the Director issues the final rule under section 
2242(b) of the Homeland Security Act of 2002, as added by section 
203(b) of this title, the Director shall submit to the Committee on 
Homeland Security and Governmental Affairs of the Senate and the 
Committee on Homeland Security of the House of Representatives a report 
that describes how the Director engaged stakeholders in the development 
of the final rule.
    (b) Report on Opportunities to Strengthen Security Research.--Not 
later than 1 year after the date of enactment of this Act, the Director 
shall submit to the Committee on Homeland Security and Governmental 
Affairs of the Senate and the Committee on Homeland Security of the 
House of Representatives a report describing how the National 
Cybersecurity and Communications Integration Center established under 
section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 659) has 
carried out activities under section 2241(a)(9) of the Homeland 
Security Act of 2002, as added by section 203(a) of this title, by 
proactively identifying opportunities to use cyber incident data to 
inform and enable cybersecurity research within the academic and 
private sector.
    (c) Report on Ransomware Vulnerability Warning Pilot Program.--Not 
later than 1 year after the date of enactment of this Act, and annually 
thereafter for the duration of the pilot program established under 
section 205, the Director shall submit to the Committee on Homeland 
Security and Governmental Affairs of the Senate and the Committee on 
Homeland Security of the House of Representatives a report, which may 
include a classified annex, on the effectiveness of the pilot program, 
which shall include a discussion of the following:
            (1) The effectiveness of the notifications under section 
        205(c) in mitigating security vulnerabilities and the threat of 
        ransomware.
            (2) Identification of the most common vulnerabilities 
        utilized in ransomware.
            (3) The number of notifications issued during the preceding 
        year.
            (4) To the extent practicable, the number of vulnerable 
        devices or systems mitigated under the pilot program by the 
        Agency during the preceding year.
    (d) Report on Harmonization of Reporting Regulations.--
            (1) In general.--Not later than 180 days after the date on 
        which the Secretary of Homeland Security convenes the Cyber 
        Incident Reporting Council described in section 2246 of the 
        Homeland Security Act of 2002, as added by section 203 of this 
        title, the Secretary of Homeland Security shall submit to the 
        appropriate congressional committees a report that includes--
                    (A) a list of duplicative Federal cyber incident 
                reporting requirements on covered entities;
                    (B) a description of any challenges in harmonizing 
                the duplicative reporting requirements;
                    (C) any actions the Director intends to take to 
                facilitate harmonizing the duplicative reporting 
                requirements; and
                    (D) any proposed legislative changes necessary to 
                address the duplicative reporting.
            (2) Rule of construction.--Nothing in paragraph (1) shall 
        be construed to provide any additional regulatory authority to 
        any Federal agency.
    (e) GAO Reports.--
            (1) Implementation of this act.--Not later than 2 years 
        after the date of enactment of this Act, the Comptroller 
        General of the United States shall submit to the Committee on 
        Homeland Security and Governmental Affairs of the Senate and 
        the Committee on Homeland Security of the House of 
        Representatives a report on the implementation of this Act and 
        the amendments made by this Act.
            (2) Exemptions to reporting.--Not later than 1 year after 
        the date on which the Director issues the final rule required 
        under section 2242(b) of the Homeland Security Act of 2002, as 
        added by section 203 of this title, the Comptroller General of 
        the United States shall submit to the Committee on Homeland 
        Security and Governmental Affairs of the Senate and the 
        Committee on Homeland Security of the House of Representatives 
        a report on the exemptions to reporting under paragraphs (2) 
        and (5) of section 2242(a) of the Homeland Security Act of 
        2002, as added by section 203 of this title, which shall 
        include--
                    (A) to the extent practicable, an evaluation of the 
                quantity of cyber incidents not reported to the Federal 
                Government;
                    (B) an evaluation of the impact on impacted 
                entities, homeland security, and the national economy 
                due to cyber incidents, ransomware attacks, and ransom 
                payments, including a discussion on the scope of impact 
                of cyber incidents that were not reported to the 
                Federal Government;
                    (C) an evaluation of the burden, financial and 
                otherwise, on entities required to report cyber 
                incidents under this Act, including an analysis of 
                entities that meet the definition of a small business 
                concern under section 3 of the Small Business Act (15 
                U.S.C. 632); and
                    (D) a description of the consequences and effects 
                of limiting covered cyber incident and ransom payment 
                reporting to only covered entities.
    (f) Report on Effectiveness of Enforcement Mechanisms.--Not later 
than 1 year after the date on which the Director issues the final rule 
required under section 2242(b) of the Homeland Security Act of 2002, as 
added by section 203 of this title, the Director shall submit to the 
Committee on Homeland Security and Governmental Affairs of the Senate 
and the Committee on Homeland Security of the House of Representatives 
a report on the effectiveness of the enforcement mechanisms within 
section 2244 of the Homeland Security Act of 2002, as added by section 
203 of this title.

    TITLE III--FEDERAL SECURE CLOUD IMPROVEMENT AND JOBS ACT OF 2022

SEC. 301. SHORT TITLE.

    This title may be cited as the ``Federal Secure Cloud Improvement 
and Jobs Act of 2022''.

SEC. 302. FINDINGS.

    Congress finds the following:
            (1) Ensuring that the Federal Government can securely 
        leverage cloud computing products and services is key to 
        expediting the modernization of legacy information technology 
        systems, increasing cybersecurity within and across departments 
        and agencies, and supporting the continued leadership of the 
        United States in technology innovation and job creation.
            (2) According to independent analysis, as of calendar year 
        2019, the size of the cloud computing market had tripled since 
        2004, enabling more than 2,000,000 jobs and adding more than 
        $200,000,000,000 to the gross domestic product of the United 
        States.
            (3) The Federal Government, across multiple presidential 
        administrations and Congresses, has continued to support the 
        ability of agencies to move to the cloud, including through--
                    (A) President Barack Obama's ``Cloud First 
                Strategy'';
                    (B) President Donald Trump's ``Cloud Smart 
                Strategy'';
                    (C) the prioritization of cloud security in 
                Executive Order 14028 (86 Fed. Reg. 26633; relating to 
                improving the nation's cybersecurity), which was issued 
                by President Joe Biden; and
                    (D) more than a decade of appropriations and 
                authorization legislation that provides agencies with 
                relevant authorities and appropriations to modernize 
                on-premises information technology systems and more 
                readily adopt cloud computing products and services.
            (4) Since it was created in 2011, the Federal Risk and 
        Authorization Management Program (referred to in this section 
        as ``FedRAMP'') at the General Services Administration has made 
        steady and sustained improvements in supporting the secure 
        authorization and reuse of cloud computing products and 
        services within the Federal Government, including by reducing 
        the costs and burdens on both agencies and cloud companies to 
        quickly and securely enter the Federal market.
            (5) According to data from the General Services 
        Administration, as of the end of fiscal year 2021, there were 
        239 cloud providers with FedRAMP authorizations, and those 
        authorizations had been reused more than 2,700 times across 
        various agencies.
            (6) Providing a legislative framework for FedRAMP and new 
        authorities to the General Services Administration, the Office 
        of Management and Budget, and Federal agencies will--
                    (A) improve the speed at which new cloud computing 
                products and services can be securely authorized;
                    (B) enhance the ability of agencies to effectively 
                evaluate FedRAMP authorized providers for reuse;
                    (C) reduce the costs and burdens to cloud providers 
                seeking a FedRAMP authorization; and
                    (D) provide for more robust transparency and 
                dialogue between industry and the Federal Government to 
                drive stronger adoption of secure cloud capabilities, 
                create jobs, and reduce wasteful legacy information 
                technology.

SEC. 303. TITLE 44 AMENDMENTS.

    (a) Amendment.--Chapter 36 of title 44, United States Code, is 
amended by adding at the end the following:
``Sec. 3607. Definitions
    ``(a) In General.--Except as provided under subsection (b), the 
definitions under sections 3502 and 3552 apply to this section through 
section 3616.
    ``(b) Additional Definitions.--In this section through section 
3616:
            ``(1) Administrator.--The term `Administrator' means the 
        Administrator of General Services.
            ``(2) Appropriate congressional committees.--The term 
        `appropriate congressional committees' means the Committee on 
        Homeland Security and Governmental Affairs of the Senate and 
        the Committee on Oversight and Reform of the House of 
        Representatives.
            ``(3) Authorization to operate; federal information.--The 
        terms `authorization to operate' and `Federal information' have 
        the meaning given those term in Circular A-130 of the Office of 
        Management and Budget entitled `Managing Information as a 
        Strategic Resource', or any successor document.
            ``(4) Cloud computing.--The term `cloud computing' has the 
        meaning given the term in Special Publication 800-145 of the 
        National Institute of Standards and Technology, or any 
        successor document.
            ``(5) Cloud service provider.--The term `cloud service 
        provider' means an entity offering cloud computing products or 
        services to agencies.
            ``(6) FedRAMP.--The term `FedRAMP' means the Federal Risk 
        and Authorization Management Program established under section 
        3608.
            ``(7) FedRAMP authorization.--The term `FedRAMP 
        authorization' means a certification that a cloud computing 
        product or service has--
                    ``(A) completed a FedRAMP authorization process, as 
                determined by the Administrator; or
                    ``(B) received a FedRAMP provisional authorization 
                to operate, as determined by the FedRAMP Board.
            ``(8) Fedramp authorization package.--The term `FedRAMP 
        authorization package' means the essential information that can 
        be used by an agency to determine whether to authorize the 
        operation of an information system or the use of a designated 
        set of common controls for all cloud computing products and 
        services authorized by FedRAMP.
            ``(9) FedRAMP board.--The term `FedRAMP Board' means the 
        board established under section 3610.
            ``(10) Independent assessment service.--The term 
        `independent assessment service' means a third-party 
        organization accredited by the Administrator to undertake 
        conformity assessments of cloud service providers and the 
        products or services of cloud service providers.
            ``(11) Secretary.--The term `Secretary' means the Secretary 
        of Homeland Security.
``Sec. 3608. Federal Risk and Authorization Management Program
    ``There is established within the General Services Administration 
the Federal Risk and Authorization Management Program. The 
Administrator, subject to section 3614, shall establish a Government-
wide program that provides a standardized, reusable approach to 
security assessment and authorization for cloud computing products and 
services that process unclassified information used by agencies.
``Sec. 3609. Roles and responsibilities of the General Services 
              Administration
    ``(a) Roles and Responsibilities.--The Administrator shall--
            ``(1) in consultation with the Secretary, develop, 
        coordinate, and implement a process to support agency review, 
        reuse, and standardization, where appropriate, of security 
        assessments of cloud computing products and services, 
        including, as appropriate, oversight of continuous monitoring 
        of cloud computing products and services, pursuant to guidance 
        issued by the Director pursuant to section 3614;
            ``(2) establish processes and identify criteria consistent 
        with guidance issued by the Director under section 3614 to make 
        a cloud computing product or service eligible for a FedRAMP 
        authorization and validate whether a cloud computing product or 
        service has a FedRAMP authorization;
            ``(3) develop and publish templates, best practices, 
        technical assistance, and other materials to support the 
        authorization of cloud computing products and services and 
        increase the speed, effectiveness, and transparency of the 
        authorization process, consistent with standards and guidelines 
        established by the Director of the National Institute of 
        Standards and Technology and relevant statutes;
            ``(4) establish and update guidance on the boundaries of 
        FedRAMP authorization packages to enhance the security and 
        protection of Federal information and promote transparency for 
        agencies and users as to which services are included in the 
        scope of a FedRAMP authorization;
            ``(5) grant FedRAMP authorizations to cloud computing 
        products and services consistent with the guidance and 
        direction of the FedRAMP Board;
            ``(6) establish and maintain a public comment process for 
        proposed guidance and other FedRAMP directives that may have a 
        direct impact on cloud service providers and agencies before 
        the issuance of such guidance or other FedRAMP directives;
            ``(7) coordinate with the FedRAMP Board, the Director of 
        the Cybersecurity and Infrastructure Security Agency, and other 
        entities identified by the Administrator, with the concurrence 
        of the Director and the Secretary, to establish and regularly 
        update a framework for continuous monitoring under section 
        3553;
            ``(8) provide a secure mechanism for storing and sharing 
        necessary data, including FedRAMP authorization packages, to 
        enable better reuse of such packages across agencies, including 
        making available any information and data necessary for 
        agencies to fulfill the requirements of section 3613;
            ``(9) provide regular updates to applicant cloud service 
        providers on the status of any cloud computing product or 
        service during an assessment process;
            ``(10) regularly review, in consultation with the FedRAMP 
        Board--
                    ``(A) the costs associated with the independent 
                assessment services described in section 3611; and
                    ``(B) the information relating to foreign interests 
                submitted pursuant to section 3612;
            ``(11) in coordination with the Director of the National 
        Institute of Standards and Technology, the Director, the 
        Secretary, and other stakeholders, as appropriate, determine 
        the sufficiency of underlying standards and requirements to 
        identify and assess the provenance of the software in cloud 
        services and products;
            ``(12) support the Federal Secure Cloud Advisory Committee 
        established pursuant to section 3616; and
            ``(13) take such other actions as the Administrator may 
        determine necessary to carry out FedRAMP.
    ``(b) Website.--
            ``(1) In general.--The Administrator shall maintain a 
        public website to serve as the authoritative repository for 
        FedRAMP, including the timely publication and updates for all 
        relevant information, guidance, determinations, and other 
        materials required under subsection (a).
            ``(2) Criteria and process for fedramp authorization 
        priorities.--The Administrator shall develop and make publicly 
        available on the website described in paragraph (1) the 
        criteria and process for prioritizing and selecting cloud 
        computing products and services that will receive a FedRAMP 
        authorization, in consultation with the FedRAMP Board and the 
        Chief Information Officers Council.
    ``(c) Evaluation of Automation Procedures.--
            ``(1) In general.--The Administrator, in coordination with 
        the Secretary, shall assess and evaluate available automation 
        capabilities and procedures to improve the efficiency and 
        effectiveness of the issuance of FedRAMP authorizations, 
        including continuous monitoring of cloud computing products and 
        services.
            ``(2) Means for automation.--Not later than 1 year after 
        the date of enactment of this section, and updated regularly 
        thereafter, the Administrator shall establish a means for the 
        automation of security assessments and reviews.
    ``(d) Metrics for Authorization.--The Administrator shall establish 
annual metrics regarding the time and quality of the assessments 
necessary for completion of a FedRAMP authorization process in a manner 
that can be consistently tracked over time in conjunction with the 
periodic testing and evaluation process pursuant to section 3554 in a 
manner that minimizes the agency reporting burden.
``Sec. 3610. FedRAMP Board
    ``(a) Establishment.--There is established a FedRAMP Board to 
provide input and recommendations to the Administrator regarding the 
requirements and guidelines for, and the prioritization of, security 
assessments of cloud computing products and services.
    ``(b) Membership.--The FedRAMP Board shall consist of not more than 
7 senior officials or experts from agencies appointed by the Director, 
in consultation with the Administrator, from each of the following:
            ``(1) The Department of Defense.
            ``(2) The Department of Homeland Security.
            ``(3) The General Services Administration.
            ``(4) Such other agencies as determined by the Director, in 
        consultation with the Administrator.
    ``(c) Qualifications.--Members of the FedRAMP Board appointed under 
subsection (b) shall have technical expertise in domains relevant to 
FedRAMP, such as--
            ``(1) cloud computing;
            ``(2) cybersecurity;
            ``(3) privacy;
            ``(4) risk management; and
            ``(5) other competencies identified by the Director to 
        support the secure authorization of cloud services and 
        products.
    ``(d) Duties.--The FedRAMP Board shall--
            ``(1) in consultation with the Administrator, serve as a 
        resource for best practices to accelerate the process for 
        obtaining a FedRAMP authorization;
            ``(2) establish and regularly update requirements and 
        guidelines for security authorizations of cloud computing 
        products and services, consistent with standards and guidelines 
        established by the Director of the National Institute of 
        Standards and Technology, to be used in the determination of 
        FedRAMP authorizations;
            ``(3) monitor and oversee, to the greatest extent 
        practicable, the processes and procedures by which agencies 
        determine and validate requirements for a FedRAMP 
        authorization, including periodic review of the agency 
        determinations described in section 3613(b);
            ``(4) ensure consistency and transparency between agencies 
        and cloud service providers in a manner that minimizes 
        confusion and engenders trust; and
            ``(5) perform such other roles and responsibilities as the 
        Director may assign, with concurrence from the Administrator.
    ``(e) Determinations of Demand for Cloud Computing Products and 
Services.--The FedRAMP Board may consult with the Chief Information 
Officers Council to establish a process, which may be made available on 
the website maintained under section 3609(b), for prioritizing and 
accepting the cloud computing products and services to be granted a 
FedRAMP authorization.
``Sec. 3611. Independent assessment
    ``The Administrator may determine whether FedRAMP may use an 
independent assessment service to analyze, validate, and attest to the 
quality and compliance of security assessment materials provided by 
cloud service providers during the course of a determination of whether 
to use a cloud computing product or service.
``Sec. 3612. Declaration of foreign interests
    ``(a) In General.--An independent assessment service that performs 
services described in section 3611 shall annually submit to the 
Administrator information relating to any foreign interest, foreign 
influence, or foreign control of the independent assessment service.
    ``(b) Updates.--Not later than 48 hours after there is a change in 
foreign ownership or control of an independent assessment service that 
performs services described in section 3611, the independent assessment 
service shall submit to the Administrator an update to the information 
submitted under subsection (a).
    ``(c) Certification.--The Administrator may require a 
representative of an independent assessment service to certify the 
accuracy and completeness of any information submitted under this 
section.
``Sec. 3613. Roles and responsibilities of agencies
    ``(a) In General.--In implementing the requirements of FedRAMP, the 
head of each agency shall, consistent with guidance issued by the 
Director pursuant to section 3614--
            ``(1) promote the use of cloud computing products and 
        services that meet FedRAMP security requirements and other 
        risk-based performance requirements as determined by the 
        Director, in consultation with the Secretary;
            ``(2) confirm whether there is a FedRAMP authorization in 
        the secure mechanism provided under section 3609(a)(8) before 
        beginning the process of granting a FedRAMP authorization for a 
        cloud computing product or service;
            ``(3) to the extent practicable, for any cloud computing 
        product or service the agency seeks to authorize that has 
        received a FedRAMP authorization, use the existing assessments 
        of security controls and materials within any FedRAMP 
        authorization package for that cloud computing product or 
        service; and
            ``(4) provide to the Director data and information required 
        by the Director pursuant to section 3614 to determine how 
        agencies are meeting metrics established by the Administrator.
    ``(b) Attestation.--Upon completing an assessment or authorization 
activity with respect to a particular cloud computing product or 
service, if an agency determines that the information and data the 
agency has reviewed under paragraph (2) or (3) of subsection (a) is 
wholly or substantially deficient for the purposes of performing an 
authorization of the cloud computing product or service, the head of 
the agency shall document as part of the resulting FedRAMP 
authorization package the reasons for this determination.
    ``(c) Submission of Authorizations to Operate Required.--Upon 
issuance of an agency authorization to operate based on a FedRAMP 
authorization, the head of the agency shall provide a copy of its 
authorization to operate letter and any supplementary information 
required pursuant to section 3609(a) to the Administrator.
    ``(d) Submission of Policies Required.--Not later than 180 days 
after the date on which the Director issues guidance in accordance with 
section 3614(1), the head of each agency, acting through the chief 
information officer of the agency, shall submit to the Director all 
agency policies relating to the authorization of cloud computing 
products and services.
    ``(e) Presumption of Adequacy.--
            ``(1) In general.--The assessment of security controls and 
        materials within the authorization package for a FedRAMP 
        authorization shall be presumed adequate for use in an agency 
        authorization to operate cloud computing products and services.
            ``(2) Information security requirements.--The presumption 
        under paragraph (1) does not modify or alter--
                    ``(A) the responsibility of any agency to ensure 
                compliance with subchapter II of chapter 35 for any 
                cloud computing product or service used by the agency; 
                or
                    ``(B) the authority of the head of any agency to 
                make a determination that there is a demonstrable need 
                for additional security requirements beyond the 
                security requirements included in a FedRAMP 
                authorization for a particular control implementation.
``Sec. 3614. Roles and responsibilities of the Office of Management and 
              Budget
    ``The Director shall--
            ``(1) in consultation with the Administrator and the 
        Secretary, issue guidance that--
                    ``(A) specifies the categories or characteristics 
                of cloud computing products and services that are 
                within the scope of FedRAMP;
                    ``(B) includes requirements for agencies to obtain 
                a FedRAMP authorization when operating a cloud 
                computing product or service described in subparagraph 
                (A) as a Federal information system; and
                    ``(C) encompasses, to the greatest extent 
                practicable, all necessary and appropriate cloud 
                computing products and services;
            ``(2) issue guidance describing additional responsibilities 
        of FedRAMP and the FedRAMP Board to accelerate the adoption of 
        secure cloud computing products and services by the Federal 
        Government;
            ``(3) in consultation with the Administrator, establish a 
        process to periodically review FedRAMP authorization packages 
        to support the secure authorization and reuse of secure cloud 
        products and services;
            ``(4) oversee the effectiveness of FedRAMP and the FedRAMP 
        Board, including the compliance by the FedRAMP Board with the 
        duties described in section 3610(d); and
            ``(5) to the greatest extent practicable, encourage and 
        promote consistency of the assessment, authorization, adoption, 
        and use of secure cloud computing products and services within 
        and across agencies.
``Sec. 3615. Reports to Congress; GAO report
    ``(a) Reports to Congress.--Not later than 1 year after the date of 
enactment of this section, and annually thereafter, the Director shall 
submit to the appropriate congressional committees a report that 
includes the following:
            ``(1) During the preceding year, the status, efficiency, 
        and effectiveness of the General Services Administration under 
        section 3609 and agencies under section 3613 and in supporting 
        the speed, effectiveness, sharing, reuse, and security of 
        authorizations to operate for secure cloud computing products 
        and services.
            ``(2) Progress towards meeting the metrics required under 
        section 3609(d).
            ``(3) Data on FedRAMP authorizations.
            ``(4) The average length of time to issue FedRAMP 
        authorizations.
            ``(5) The number of FedRAMP authorizations submitted, 
        issued, and denied for the preceding year.
            ``(6) A review of progress made during the preceding year 
        in advancing automation techniques to securely automate FedRAMP 
        processes and to accelerate reporting under this section.
            ``(7) The number and characteristics of authorized cloud 
        computing products and services in use at each agency 
        consistent with guidance provided by the Director under section 
        3614.
            ``(8) A review of FedRAMP measures to ensure the security 
        of data stored or processed by cloud service providers, which 
        may include--
                    ``(A) geolocation restrictions for provided 
                products or services;
                    ``(B) disclosures of foreign elements of supply 
                chains of acquired products or services;
                    ``(C) continued disclosures of ownership of cloud 
                service providers by foreign entities; and
                    ``(D) encryption for data processed, stored, or 
                transmitted by cloud service providers.
    ``(b) GAO Report.--Not later than 180 days after the date of 
enactment of this section, the Comptroller General of the United States 
shall report to the appropriate congressional committees an assessment 
of the following:
            ``(1) The costs incurred by agencies and cloud service 
        providers relating to the issuance of FedRAMP authorizations.
            ``(2) The extent to which agencies have processes in place 
        to continuously monitor the implementation of cloud computing 
        products and services operating as Federal information systems.
            ``(3) How often and for which categories of products and 
        services agencies use FedRAMP authorizations.
            ``(4) The unique costs and potential burdens incurred by 
        cloud computing companies that are small business concerns (as 
        defined in section 3(a) of the Small Business Act (15 U.S.C. 
        632(a)) as a part of the FedRAMP authorization process.
``Sec. 3616. Federal Secure Cloud Advisory Committee
    ``(a) Establishment, Purposes, and Duties.--
            ``(1) Establishment.--There is established a Federal Secure 
        Cloud Advisory Committee (referred to in this section as the 
        `Committee') to ensure effective and ongoing coordination of 
        agency adoption, use, authorization, monitoring, acquisition, 
        and security of cloud computing products and services to enable 
        agency mission and administrative priorities.
            ``(2) Purposes.--The purposes of the Committee are the 
        following:
                    ``(A) To examine the operations of FedRAMP and 
                determine ways that authorization processes can 
                continuously be improved, including the following:
                            ``(i) Measures to increase agency reuse of 
                        FedRAMP authorizations.
                            ``(ii) Proposed actions that can be adopted 
                        to reduce the burden, confusion, and cost 
                        associated with FedRAMP authorizations for 
                        cloud service providers.
                            ``(iii) Measures to increase the number of 
                        FedRAMP authorizations for cloud computing 
                        products and services offered by small 
                        businesses concerns (as defined by section 3(a) 
                        of the Small Business Act (15 U.S.C. 632(a)).
                            ``(iv) Proposed actions that can be adopted 
                        to reduce the burden and cost of FedRAMP 
                        authorizations for agencies.
                    ``(B) Collect information and feedback on agency 
                compliance with and implementation of FedRAMP 
                requirements.
                    ``(C) Serve as a forum that facilitates 
                communication and collaboration among the FedRAMP 
                stakeholder community.
            ``(3) Duties.--The duties of the Committee include 
        providing advice and recommendations to the Administrator, the 
        FedRAMP Board, and agencies on technical, financial, 
        programmatic, and operational matters regarding secure adoption 
        of cloud computing products and services.
    ``(b) Members.--
            ``(1) Composition.--The Committee shall be comprised of not 
        more than 15 members who are qualified representatives from the 
        public and private sectors, appointed by the Administrator, in 
        consultation with the Director, as follows:
                    ``(A) The Administrator or the Administrator's 
                designee, who shall be the Chair of the Committee.
                    ``(B) At least 1 representative each from the 
                Cybersecurity and Infrastructure Security Agency and 
                the National Institute of Standards and Technology.
                    ``(C) At least 2 officials who serve as the Chief 
                Information Security Officer within an agency, who 
                shall be required to maintain such a position 
                throughout the duration of their service on the 
                Committee.
                    ``(D) At least 1 official serving as Chief 
                Procurement Officer (or equivalent) in an agency, who 
                shall be required to maintain such a position 
                throughout the duration of their service on the 
                Committee.
                    ``(E) At least 1 individual representing an 
                independent assessment service.
                    ``(F) At least 5 representatives from unique 
                businesses that primarily provide cloud computing 
                services or products, including at least 2 
                representatives from a small business concern (as 
                defined by section 3(a) of the Small Business Act (15 
                U.S.C. 632(a))).
                    ``(G) At least 2 other representatives of the 
                Federal Government as the Administrator determines 
                necessary to provide sufficient balance, insights, or 
                expertise to the Committee.
            ``(2) Deadline for appointment.--Each member of the 
        Committee shall be appointed not later than 90 days after the 
        date of enactment of this section.
            ``(3) Period of appointment; vacancies.--
                    ``(A) In general.--Each non-Federal member of the 
                Committee shall be appointed for a term of 3 years, 
                except that the initial terms for members may be 
                staggered 1-, 2-, or 3-year terms to establish a 
                rotation in which one-third of the members are selected 
                each year. Any such member may be appointed for not 
                more than 2 consecutive terms.
                    ``(B) Vacancies.--Any vacancy in the Committee 
                shall not affect its powers, but shall be filled in the 
                same manner in which the original appointment was made. 
                Any member appointed to fill a vacancy occurring before 
                the expiration of the term for which the member's 
                predecessor was appointed shall be appointed only for 
                the remainder of that term. A member may serve after 
                the expiration of that member's term until a successor 
                has taken office.
    ``(c) Meetings and Rules of Procedures.--
            ``(1) Meetings.--The Committee shall hold not fewer than 3 
        meetings in a calendar year, at such time and place as 
        determined by the Chair.
            ``(2) Initial meeting.--Not later than 120 days after the 
        date of enactment of this section, the Committee shall meet and 
        begin the operations of the Committee.
            ``(3) Rules of procedure.--The Committee may establish 
        rules for the conduct of the business of the Committee if such 
        rules are not inconsistent with this section or other 
        applicable law.
    ``(d) Employee Status.--
            ``(1) In general.--A member of the Committee (other than a 
        member who is appointed to the Committee in connection with 
        another Federal appointment) shall not be considered an 
        employee of the Federal Government by reason of any service as 
        such a member, except for the purposes of section 5703 of title 
        5, relating to travel expenses.
            ``(2) Pay not permitted.--A member of the Committee covered 
        by paragraph (1) may not receive pay by reason of service on 
        the Committee.
    ``(e) Applicability to the Federal Advisory Committee Act.--Section 
14 of the Federal Advisory Committee Act (5 U.S.C. App.) shall not 
apply to the Committee.
    ``(f) Detail of Employees.--Any Federal Government employee may be 
detailed to the Committee without reimbursement from the Committee, and 
such detailee shall retain the rights, status, and privileges of his or 
her regular employment without interruption.
    ``(g) Postal Services.--The Committee may use the United States 
mails in the same manner and under the same conditions as agencies.
    ``(h) Reports.--
            ``(1) Interim reports.--The Committee may submit to the 
        Administrator and Congress interim reports containing such 
        findings, conclusions, and recommendations as have been agreed 
        to by the Committee.
            ``(2) Annual reports.--Not later than 540 days after the 
        date of enactment of this section, and annually thereafter, the 
        Committee shall submit to the Administrator and Congress a 
        report containing such findings, conclusions, and 
        recommendations as have been agreed to by the Committee.''.
    (b) Technical and Conforming Amendment.--The table of sections for 
chapter 36 of title 44, United States Code, is amended by adding at the 
end the following new items:

``3607. Definitions.
``3608. Federal Risk and Authorization Management Program.
``3609. Roles and responsibilities of the General Services 
                            Administration.
``3610. FedRAMP Board.
``3611. Independent assessment.
``3612. Declaration of foreign interests.
``3613. Roles and responsibilities of agencies.
``3614. Roles and responsibilities of the Office of Management and 
                            Budget.
``3615. Reports to Congress; GAO report.
``3616. Federal Secure Cloud Advisory Committee.''.
    (c) Sunset.--
            (1) In general.--Effective on the date that is 5 years 
        after the date of enactment of this Act, chapter 36 of title 
        44, United States Code, is amended by striking sections 3607 
        through 3616.
            (2) Conforming amendment.--Effective on the date that is 5 
        years after the date of enactment of this Act, the table of 
        sections for chapter 36 of title 44, United States Code, is 
        amended by striking the items relating to sections 3607 through 
        3616.
    (d) Rule of Construction.--Nothing in this section or any amendment 
made by this section shall be construed as altering or impairing the 
authorities of the Director of the Office of Management and Budget or 
the Secretary of Homeland Security under subchapter II of chapter 35 of 
title 44, United States Code.

            Passed the Senate March 1, 2022.

            Attest:

                                                             Secretary.
117th CONGRESS

  2d Session

                                S. 3600

_______________________________________________________________________

                                 AN ACT

 To improve the cybersecurity of the Federal Government, and for other 
                               purposes.