[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 2251 Reported in Senate (RS)]

<DOC>





                                                       Calendar No. 674
118th CONGRESS
  2d Session
                                S. 2251

                          [Report No. 118-271]

 To improve the cybersecurity of the Federal Government, and for other 
                               purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             July 11, 2023

Mr. Peters (for himself and Mr. Hawley) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

                            December 9, 2024

               Reported by Mr. Peters, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
 To improve the cybersecurity of the Federal Government, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE; TABLE OF CONTENTS.</DELETED>

<DELETED>    (a) Short Title.--This Act may be cited as the ``Federal 
Information Security Modernization Act of 2023''.</DELETED>
<DELETED>    (b) Table of Contents.--The table of contents for this Act 
is as follows:</DELETED>

<DELETED>Sec. 1. Short title; table of contents.
<DELETED>Sec. 2. Definitions.
<DELETED>Sec. 3. Amendments to title 44.
<DELETED>Sec. 4. Amendments to subtitle III of title 40.
<DELETED>Sec. 5. Actions to enhance Federal incident transparency.
<DELETED>Sec. 6. Additional guidance to agencies on FISMA updates.
<DELETED>Sec. 7. Agency requirements to notify private sector entities 
                            impacted by incidents.
<DELETED>Sec. 8. Mobile security briefings.
<DELETED>Sec. 9. Data and logging retention for incident response.
<DELETED>Sec. 10. CISA agency liaisons.
<DELETED>Sec. 11. Federal penetration testing policy.
<DELETED>Sec. 12. Vulnerability disclosure policies.
<DELETED>Sec. 13. Implementing zero trust architecture.
<DELETED>Sec. 14. Automation and artificial intelligence.
<DELETED>Sec. 15. Extension of chief data officer council.
<DELETED>Sec. 16. Council of the inspectors general on integrity and 
                            efficiency dashboard.
<DELETED>Sec. 17. Security operations center shared service.
<DELETED>Sec. 18. Federal cybersecurity requirements.
<DELETED>Sec. 19. Federal chief information security officer.
<DELETED>Sec. 20. Renaming office of the Federal Chief Information 
                            Officer.
<DELETED>Sec. 21. Rules of construction.

<DELETED>SEC. 2. DEFINITIONS.</DELETED>

<DELETED>    In this Act, unless otherwise specified:</DELETED>
        <DELETED>    (1) Agency.--The term ``agency'' has the meaning 
        given the term in section 3502 of title 44, United States 
        Code.</DELETED>
        <DELETED>    (2) Appropriate congressional committees.--The 
        term ``appropriate congressional committees'' means--</DELETED>
                <DELETED>    (A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;</DELETED>
                <DELETED>    (B) the Committee on Oversight and 
                Accountability of the House of Representatives; 
                and</DELETED>
                <DELETED>    (C) the Committee on Homeland Security of 
                the House of Representatives.</DELETED>
        <DELETED>    (3) Awardee.--The term ``awardee'' has the meaning 
        given the term in section 3591 of title 44, United States Code, 
        as added by this Act.</DELETED>
        <DELETED>    (4) Contractor.--The term ``contractor'' has the 
        meaning given the term in section 3591 of title 44, United 
        States Code, as added by this Act.</DELETED>
        <DELETED>    (5) Director.--The term ``Director'' means the 
        Director of the Office of Management and Budget.</DELETED>
        <DELETED>    (6) Federal information system.--The term 
        ``Federal information system'' has the meaning given the term in 
        section 3591 of title 44, United States Code, as added by this 
        Act.</DELETED>
        <DELETED>    (7) Incident.--The term ``incident'' has the 
        meaning given the term in section 3552(b) of title 44, United 
        States Code.</DELETED>
        <DELETED>    (8) National security system.--The term ``national 
        security system'' has the meaning given the term in section 
        3552(b) of title 44, United States Code.</DELETED>
        <DELETED>    (9) Penetration test.--The term ``penetration 
        test'' has the meaning given the term in section 3552(b) of 
        title 44, United States Code, as amended by this Act.</DELETED>
        <DELETED>    (10) Threat hunting.--The term ``threat hunting'' 
        means proactively and iteratively searching systems for threats 
        and vulnerabilities, including threats or vulnerabilities that 
        may evade detection by automated threat detection 
        systems.</DELETED>
        <DELETED>    (11) Zero trust architecture.--The term ``zero 
        trust architecture'' has the meaning given the term in Special 
        Publication 800-207 of the National Institute of Standards and 
        Technology, or any successor document.</DELETED>

<DELETED>SEC. 3. AMENDMENTS TO TITLE 44.</DELETED>

<DELETED>    (a) Subchapter I Amendments.--Subchapter I of chapter 35 
of title 44, United States Code, is amended--</DELETED>
        <DELETED>    (1) in section 3504--</DELETED>
                <DELETED>    (A) in subsection (a)(1)(B)--</DELETED>
                        <DELETED>    (i) by striking clause (v) and 
                        inserting the following:</DELETED>
                        <DELETED>    ``(v) privacy, confidentiality, 
                        disclosure, and sharing of 
                        information;'';</DELETED>
                        <DELETED>    (ii) by redesignating clause (vi) 
                        as clause (vii); and</DELETED>
                        <DELETED>    (iii) by inserting after clause 
                        (v) the following:</DELETED>
                        <DELETED>    ``(vi) in consultation with the 
                        National Cyber Director, security of 
                        information; and''; and</DELETED>
                <DELETED>    (B) in subsection (g)--</DELETED>
                        <DELETED>    (i) by redesignating paragraph (2) 
                        as paragraph (3); and</DELETED>
                        <DELETED>    (ii) by striking paragraph (1) and 
                        inserting the following:</DELETED>
        <DELETED>    ``(1) develop and oversee the implementation of 
        policies, principles, standards, and guidelines on privacy, 
        confidentiality, disclosure, and sharing of information 
        collected or maintained by or for agencies;</DELETED>
        <DELETED>    ``(2) in consultation with the National Cyber 
        Director, oversee the implementation of policies, principles, 
        standards, and guidelines on security of information collected 
        or maintained by or for agencies; and'';</DELETED>
        <DELETED>    (2) in section 3505--</DELETED>
                <DELETED>    (A) by striking the first subsection 
                designated as subsection (c);</DELETED>
                <DELETED>    (B) in paragraph (2) of the second 
                subsection designated as subsection (c), by inserting 
                ``an identification of internet accessible information 
                systems and'' after ``an inventory under this 
                subsection shall include'';</DELETED>
                <DELETED>    (C) in paragraph (3) of the second 
                subsection designated as subsection (c)--</DELETED>
                        <DELETED>    (i) in subparagraph (B)--</DELETED>
                                <DELETED>    (I) by inserting ``the 
                                Director of the Cybersecurity and 
                                Infrastructure Security Agency, the 
                                National Cyber Director, and'' before 
                                ``the Comptroller General''; 
                                and</DELETED>
                                <DELETED>    (II) by striking ``and'' 
                                at the end;</DELETED>
                        <DELETED>    (ii) in subparagraph (C)(v), by 
                        striking the period at the end and inserting 
                        ``; and''; and</DELETED>
                        <DELETED>    (iii) by adding at the end the 
                        following:</DELETED>
                <DELETED>    ``(D) maintained on a continual basis 
                through the use of automation, machine-readable data, 
                and scanning, wherever practicable.'';</DELETED>
        <DELETED>    (3) in section 3506--</DELETED>
                <DELETED>    (A) in subsection (a)(3), by inserting 
                ``In carrying out these duties, the Chief Information 
                Officer shall consult, as appropriate, with the Chief 
                Data Officer in accordance with the designated 
                functions under section 3520(c).'' after ``reduction of 
                information collection burdens on the 
                public.'';</DELETED>
                <DELETED>    (B) in subsection (b)(1)(C), by inserting 
                ``availability,'' after ``integrity,'';</DELETED>
                <DELETED>    (C) in subsection (h)(3), by inserting 
                ``security,'' after ``efficiency,''; and</DELETED>
                <DELETED>    (D) by adding at the end the 
                following:</DELETED>
<DELETED>    ``(j)(1) Notwithstanding paragraphs (2) and (3) of 
subsection (a), the head of each agency shall designate a Chief Privacy 
Officer with the necessary skills, knowledge, and expertise, who shall 
have the authority and responsibility to--</DELETED>
        <DELETED>    ``(A) lead the privacy program of the agency; 
        and</DELETED>
        <DELETED>    ``(B) carry out the privacy responsibilities of 
        the agency under this chapter, section 552a of title 5, and 
        guidance issued by the Director.</DELETED>
<DELETED>    ``(2) The Chief Privacy Officer of each agency shall--</DELETED>
        <DELETED>    ``(A) serve in a central leadership position 
        within the agency;</DELETED>
        <DELETED>    ``(B) have visibility into relevant agency 
        operations; and</DELETED>
        <DELETED>    ``(C) be positioned highly enough within the 
        agency to regularly engage with other agency leaders and 
        officials, including the head of the agency.</DELETED>
<DELETED>    ``(3) A privacy officer of an agency established under a 
statute enacted before the date of enactment of the Federal Information 
Security Modernization Act of 2023 may carry out the responsibilities 
under this subsection for the agency.''; and</DELETED>
        <DELETED>    (4) in section 3513--</DELETED>
                <DELETED>    (A) by redesignating subsection (c) as 
                subsection (d); and</DELETED>
                <DELETED>    (B) by inserting after subsection (b) the 
                following:</DELETED>
<DELETED>    ``(c) Each agency providing a written plan under 
subsection (b) shall provide any portion of the written plan addressing 
information security to the Secretary of Homeland Security and the 
National Cyber Director.''.</DELETED>
<DELETED>    (b) Subchapter II Definitions.--</DELETED>
        <DELETED>    (1) In general.--Section 3552(b) of title 44, 
        United States Code, is amended--</DELETED>
                <DELETED>    (A) by redesignating paragraphs (2), (3), 
                (4), (5), (6), and (7) as paragraphs (3), (4), (5), 
                (6), (8), and (10), respectively;</DELETED>
                <DELETED>    (B) by inserting after paragraph (1) the 
                following:</DELETED>
        <DELETED>    ``(2) The term `high value asset' means 
        information or an information system that the head of an 
        agency, using policies, principles, standards, or guidelines 
        issued by the Director under section 3553(a), determines to be 
        so critical to the agency that the loss or degradation of the 
        confidentiality, integrity, or availability of such information 
        or information system would have a serious impact on the 
        ability of the agency to perform the mission of the agency or 
        conduct business.'';</DELETED>
                <DELETED>    (C) by inserting after paragraph (6), as 
                so redesignated, the following:</DELETED>
        <DELETED>    ``(7) The term `major incident' has the meaning 
        given the term in guidance issued by the Director under section 
        3598(a).'';</DELETED>
                <DELETED>    (D) in paragraph (8)(A), as so 
                redesignated, by striking ``used'' and inserting 
                ``owned, managed,'';</DELETED>
                <DELETED>    (E) by inserting after paragraph (8), as 
                so redesignated, the following:</DELETED>
        <DELETED>    ``(9) The term `penetration test'--</DELETED>
                <DELETED>    ``(A) means an authorized assessment that 
                emulates attempts to gain unauthorized access to, or 
                disrupt the operations of, an information system or 
                component of an information system; and</DELETED>
                <DELETED>    ``(B) includes any additional meaning 
                given the term in policies, principles, standards, or 
                guidelines issued by the Director under section 
                3553(a).''; and</DELETED>
                <DELETED>    (F) by inserting after paragraph (10), as 
                so redesignated, the following:</DELETED>
        <DELETED>    ``(11) The term `shared service' means a 
        centralized mission capability or consolidated business 
        function that is provided to multiple organizations within an 
        agency or to multiple agencies.</DELETED>
        <DELETED>    ``(12) The term `zero trust architecture' has the 
        meaning given the term in Special Publication 800-207 of the 
        National Institute of Standards and Technology, or any 
        successor document.''.</DELETED>
        <DELETED>    (2) Conforming amendments.--</DELETED>
                <DELETED>    (A) Homeland security act of 2002.--
                Section 1001(c)(1)(A) of the Homeland Security Act of 
                2002 (6 U.S.C. 511(c)(1)(A)) is amended by striking 
                ``section 3552(b)(5)'' and inserting ``section 
                3552(b)''.</DELETED>
                <DELETED>    (B) Title 10.--</DELETED>
                        <DELETED>    (i) Section 2222.--Section 
                        2222(i)(8) of title 10, United States Code, is 
                        amended by striking ``section 3552(b)(6)(A)'' 
                        and inserting ``section 
                        3552(b)(8)(A)''.</DELETED>
                        <DELETED>    (ii) Section 2223.--Section 
                        2223(c)(3) of title 10, United States Code, is 
                        amended by striking ``section 3552(b)(6)'' and 
                        inserting ``section 3552(b)''.</DELETED>
                        <DELETED>    (iii) Section 2315.--Section 2315 
                        of title 10, United States Code, is amended by 
                        striking ``section 3552(b)(6)'' and inserting 
                        ``section 3552(b)''.</DELETED>
                        <DELETED>    (iv) Section 2339a.--Section 
                        2339a(e)(5) of title 10, United States Code, is 
                        amended by striking ``section 3552(b)(6)'' and 
                        inserting ``section 3552(b)''.</DELETED>
                <DELETED>    (C) High-performance computing act of 
                1991.--Section 207(a) of the High-Performance Computing 
                Act of 1991 (15 U.S.C. 5527(a)) is amended by striking 
                ``section 3552(b)(6)(A)(i)'' and inserting ``section 
                3552(b)(8)(A)(i)''.</DELETED>
                <DELETED>    (D) Internet of things cybersecurity 
                improvement act of 2020.--Section 3(5) of the Internet 
                of Things Cybersecurity Improvement Act of 2020 (15 
                U.S.C. 278g-3a(5)) is amended by striking ``section 
                3552(b)(6)'' and inserting ``section 
                3552(b)''.</DELETED>
                <DELETED>    (E) National defense authorization act for 
                fiscal year 2013.--Section 933(e)(1)(B) of the National 
                Defense Authorization Act for Fiscal Year 2013 (10 
                U.S.C. 2224 note) is amended by striking ``section 
                3542(b)(2)'' and inserting ``section 
                3552(b)''.</DELETED>
                <DELETED>    (F) Ike skelton national defense 
                authorization act for fiscal year 2011.--The Ike 
                Skelton National Defense Authorization Act for Fiscal 
                Year 2011 (Public Law 111-383) is amended--</DELETED>
                        <DELETED>    (i) in section 806(e)(5) (10 
                        U.S.C. 2304 note), by striking ``section 
                        3542(b)'' and inserting ``section 
                        3552(b)'';</DELETED>
                        <DELETED>    (ii) in section 931(b)(3) (10 
                        U.S.C. 2223 note), by striking ``section 
                        3542(b)(2)'' and inserting ``section 3552(b)''; 
                        and</DELETED>
                        <DELETED>    (iii) in section 932(b)(2) (10 
                        U.S.C. 2224 note), by striking ``section 
                        3542(b)(2)'' and inserting ``section 
                        3552(b)''.</DELETED>
                <DELETED>    (G) E-government act of 2002.--Section 
                301(c)(1)(A) of the E-Government Act of 2002 (44 U.S.C. 
                3501 note) is amended by striking ``section 
                3542(b)(2)'' and inserting ``section 
                3552(b)''.</DELETED>
                <DELETED>    (H) National institute of standards and 
                technology act.--Section 20 of the National Institute 
                of Standards and Technology Act (15 U.S.C. 278g-3) is 
                amended--</DELETED>
                        <DELETED>    (i) in subsection (a)(2), by 
                        striking ``section 3552(b)(5)'' and inserting 
                        ``section 3552(b)''; and</DELETED>
                        <DELETED>    (ii) in subsection (f)--</DELETED>
                                <DELETED>    (I) in paragraph (3), by 
                                striking ``section 3532(1)'' and 
                                inserting ``section 3552(b)''; 
                                and</DELETED>
                                <DELETED>    (II) in paragraph (5), by 
                                striking ``section 3532(b)(2)'' and 
                                inserting ``section 
                                3552(b)''.</DELETED>
<DELETED>    (c) Subchapter II Amendments.--Subchapter II of chapter 35 
of title 44, United States Code, is amended--</DELETED>
        <DELETED>    (1) in section 3551--</DELETED>
                <DELETED>    (A) in paragraph (4), by striking 
                ``diagnose and improve'' and inserting ``integrate, 
                deliver, diagnose, and improve'';</DELETED>
                <DELETED>    (B) in paragraph (5), by striking ``and'' 
                at the end;</DELETED>
                <DELETED>    (C) in paragraph (6), by striking the 
                period at the end and inserting a semicolon; 
                and</DELETED>
                <DELETED>    (D) by adding at the end the 
                following:</DELETED>
        <DELETED>    ``(7) recognize that each agency has specific 
        mission requirements and, at times, unique cybersecurity 
        requirements to meet the mission of the agency;</DELETED>
        <DELETED>    ``(8) recognize that each agency does not have the 
        same resources to secure agency systems, and an agency should 
        not be expected to have the capability to secure the systems of 
        the agency from advanced adversaries alone; and</DELETED>
        <DELETED>    ``(9) recognize that a holistic Federal 
        cybersecurity model is necessary to account for differences 
        between the missions and capabilities of agencies.'';</DELETED>
        <DELETED>    (2) in section 3553--</DELETED>
                <DELETED>    (A) in subsection (a)--</DELETED>
                        <DELETED>    (i) in paragraph (5), by striking 
                        ``and'' at the end;</DELETED>
                        <DELETED>    (ii) in paragraph (6), by striking 
                        the period at the end and inserting ``; and''; 
                        and</DELETED>
                        <DELETED>    (iii) by adding at the end the 
                        following:</DELETED>
        <DELETED>    ``(7) promoting, in consultation with the Director 
        of the Cybersecurity and Infrastructure Security Agency, the 
        National Cyber Director, and the Director of the National 
        Institute of Standards and Technology--</DELETED>
                <DELETED>    ``(A) the use of automation to improve 
                Federal cybersecurity and visibility with respect to 
                the implementation of Federal cybersecurity; 
                and</DELETED>
                <DELETED>    ``(B) the use of presumption of compromise 
                and least privilege principles, such as zero trust 
                architecture, to improve resiliency and timely response 
                actions to incidents on Federal systems.'';</DELETED>
                <DELETED>    (B) in subsection (b)--</DELETED>
                        <DELETED>    (i) in the matter preceding 
                        paragraph (1), by inserting ``and the National 
                        Cyber Director'' after ``Director'';</DELETED>
                        <DELETED>    (ii) in paragraph (2)(A), by 
                        inserting ``and reporting requirements under 
                        subchapter IV of this chapter'' after ``section 
                        3556'';</DELETED>
                        <DELETED>    (iii) by redesignating paragraphs 
                        (8) and (9) as paragraphs (10) and (11), 
                        respectively; and</DELETED>
                        <DELETED>    (iv) by inserting after paragraph 
                        (7) the following:</DELETED>
        <DELETED>    ``(8) expeditiously seeking opportunities to 
        reduce costs, administrative burdens, and other barriers to 
        information technology security and modernization for agencies, 
        including through shared services for cybersecurity 
        capabilities identified as appropriate by the Director, in 
        coordination with the Director of the Cybersecurity and 
        Infrastructure Security Agency and other agencies as 
        appropriate;'';</DELETED>
                <DELETED>    (C) in subsection (c)--</DELETED>
                        <DELETED>    (i) in the matter preceding 
                        paragraph (1)--</DELETED>
                                <DELETED>    (I) by striking ``each 
                                year'' and inserting ``each year during 
                                which agencies are required to submit 
                                reports under section 
                                3554(c)'';</DELETED>
                                <DELETED>    (II) by inserting ``, 
                                which shall be unclassified but may 
                                include 1 or more annexes that contain 
                                classified or other sensitive 
                                information, as appropriate'' after ``a 
                                report''; and</DELETED>
                                <DELETED>    (III) by striking 
                                ``preceding year'' and inserting 
                                ``preceding 2 years'';</DELETED>
                        <DELETED>    (ii) by striking paragraph 
                        (1);</DELETED>
                        <DELETED>    (iii) by redesignating paragraphs 
                        (2), (3), and (4) as paragraphs (1), (2), and 
                        (3), respectively;</DELETED>
                        <DELETED>    (iv) in paragraph (3), as so 
                        redesignated, by striking ``and'' at the end; 
                        and</DELETED>
                        <DELETED>    (v) by inserting after paragraph 
                        (3), as so redesignated, the 
                        following:</DELETED>
        <DELETED>    ``(4) a summary of the risks and trends identified 
        in the Federal risk assessment required under subsection (i); 
        and'';</DELETED>
                <DELETED>    (D) in subsection (h)--</DELETED>
                        <DELETED>    (i) in paragraph (2)--</DELETED>
                                <DELETED>    (I) in subparagraph (A), 
                                by inserting ``and the National Cyber 
                                Director'' after ``in coordination with 
                                the Director''; and</DELETED>
                                <DELETED>    (II) in subparagraph (D), 
                                by inserting ``, the National Cyber 
                                Director,'' after ``notify the 
                                Director''; and</DELETED>
                        <DELETED>    (ii) in paragraph (3)(A)(iv), by 
                        inserting ``, the National Cyber Director,'' 
                        after ``the Secretary provides prior notice to 
                        the Director'';</DELETED>
                <DELETED>    (E) by amending subsection (i) to read as 
                follows:</DELETED>
<DELETED>    ``(i) Federal Risk Assessment.--On an ongoing and 
continuous basis, the Director of the Cybersecurity and Infrastructure 
Security Agency shall assess the Federal risk posture using any 
available information on the cybersecurity posture of agencies, and 
brief the Director and National Cyber Director on the findings of such 
assessment, including--</DELETED>
        <DELETED>    ``(1) the status of agency cybersecurity remedial 
        actions for high value assets described in section 
        3554(b)(7);</DELETED>
        <DELETED>    ``(2) any vulnerability information relating to 
        the systems of an agency that is known by the agency;</DELETED>
        <DELETED>    ``(3) analysis of incident information under 
        section 3597;</DELETED>
        <DELETED>    ``(4) evaluation of penetration testing performed 
        under section 3559A;</DELETED>
        <DELETED>    ``(5) evaluation of vulnerability disclosure 
        program information under section 3559B;</DELETED>
        <DELETED>    ``(6) evaluation of agency threat hunting 
        results;</DELETED>
        <DELETED>    ``(7) evaluation of Federal and non-Federal cyber 
        threat intelligence;</DELETED>
        <DELETED>    ``(8) data on agency compliance with standards 
        issued under section 11331 of title 40;</DELETED>
        <DELETED>    ``(9) agency system risk assessments required 
        under section 3554(a)(1)(A);</DELETED>
        <DELETED>    ``(10) relevant reports from inspectors general of 
        agencies and the Government Accountability Office; 
        and</DELETED>
        <DELETED>    ``(11) any other information the Director of the 
        Cybersecurity and Infrastructure Security Agency determines 
        relevant.''; and</DELETED>
                <DELETED>    (F) by adding at the end the 
                following:</DELETED>
<DELETED>    ``(m) Directives.--</DELETED>
        <DELETED>    ``(1) Emergency directive updates.--If the 
        Secretary issues an emergency directive under this section, the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency shall submit to the Director, the National Cyber 
        Director, the Committee on Homeland Security and Governmental 
        Affairs of the Senate, and the Committees on Oversight and 
        Accountability and Homeland Security of the House of 
        Representatives an update on the status of the implementation 
        of the emergency directive at agencies not later than 7 days 
        after the date on which the emergency directive requires an 
        agency to complete a requirement specified by the emergency 
        directive, and every 30 days thereafter until--</DELETED>
                <DELETED>    ``(A) the date on which every agency has 
                fully implemented the emergency directive;</DELETED>
                <DELETED>    ``(B) the Secretary determines that an 
                emergency directive no longer requires active reporting 
                from agencies or additional implementation; 
                or</DELETED>
                <DELETED>    ``(C) the date that is 1 year after the 
                issuance of the directive.</DELETED>
        <DELETED>    ``(2) Binding operational directive updates.--If 
        the Secretary issues a binding operational directive under this 
        section, the Director of the Cybersecurity and Infrastructure 
        Security Agency shall submit to the Director, the National 
        Cyber Director, the Committee on Homeland Security and 
        Governmental Affairs of the Senate, and the Committees on 
        Oversight and Accountability and Homeland Security of the House 
        of Representatives an update on the status of the 
        implementation of the binding operational directive at agencies 
        not later than 30 days after the issuance of the binding 
        operational directive, and every 90 days thereafter until--</DELETED>
                <DELETED>    ``(A) the date on which every agency has 
                fully implemented the binding operational 
                directive;</DELETED>
                <DELETED>    ``(B) the Secretary determines that a 
                binding operational directive no longer requires active 
                reporting from agencies or additional implementation; 
                or</DELETED>
                <DELETED>    ``(C) the date that is 1 year after the 
                issuance or substantive update of the 
                directive.</DELETED>
        <DELETED>    ``(3) Report.--If the Director of the 
        Cybersecurity and Infrastructure Security Agency ceases 
        submitting updates required under paragraphs (1) or (2) on the 
        date described in paragraph (1)(C) or (2)(C), the Director of 
        the Cybersecurity and Infrastructure Security Agency shall 
        submit to the Director, the National Cyber Director, the 
        Committee on Homeland Security and Governmental Affairs of the 
        Senate, and the Committees on Oversight and Accountability and 
        Homeland Security of the House of Representatives a list of 
        every agency that, at the time of the report--</DELETED>
                <DELETED>    ``(A) has not completed a requirement 
                specified by an emergency directive; or</DELETED>
                <DELETED>    ``(B) has not implemented a binding 
                operational directive.</DELETED>
<DELETED>    ``(n) Review of Office of Management and Budget Guidance 
and Policy.--</DELETED>
        <DELETED>    ``(1) Conduct of review.--Not less frequently than 
        once every 3 years, the Director of the Office of Management 
        and Budget shall review the efficacy of the guidance and policy 
        promulgated by the Director in reducing cybersecurity risks, 
        including a consideration of reporting and compliance burden on 
        agencies.</DELETED>
        <DELETED>    ``(2) Congressional notification.--The Director of 
        the Office of Management and Budget shall notify the Committee 
        on Homeland Security and Governmental Affairs of the Senate and 
        the Committee on Oversight and Accountability of the House of 
        Representatives of changes to guidance or policy resulting from 
        the review under paragraph (1).</DELETED>
        <DELETED>    ``(3) GAO review.--The Government Accountability 
        Office shall review guidance and policy promulgated by the 
        Director to assess its efficacy in risk reduction and burden on 
        agencies.</DELETED>
<DELETED>    ``(o) Automated Standard Implementation Verification.--
When the Director of the National Institute of Standards and Technology 
issues a proposed standard or guideline pursuant to paragraphs (2) or 
(3) of section 20(a) of the National Institute of Standards and 
Technology Act (15 U.S.C. 278g-3(a)), the Director of the National 
Institute of Standards and Technology shall consider developing and, if 
appropriate and practical, develop specifications to enable the 
automated verification of the implementation of the controls.</DELETED>
<DELETED>    ``(p) Inspectors General Access to Federal Risk 
Assessments.--The Director of the Cybersecurity and Infrastructure 
Security Agency shall, upon request, make available Federal risk 
assessment information under subsection (i) to the Inspector General of 
the Department of Homeland Security and the inspector general of any 
agency that was included in the Federal risk assessment.'';</DELETED>
        <DELETED>    (3) in section 3554--</DELETED>
                <DELETED>    (A) in subsection (a)--</DELETED>
                        <DELETED>    (i) in paragraph (1)--</DELETED>
                                <DELETED>    (I) by redesignating 
                                subparagraphs (A), (B), and (C) as 
                                subparagraphs (B), (C), and (D), 
                                respectively;</DELETED>
                                <DELETED>    (II) by inserting before 
                                subparagraph (B), as so redesignated, 
                                the following:</DELETED>
                <DELETED>    ``(A) on an ongoing and continuous basis, 
                assessing agency system risk, as applicable, by--
                </DELETED>
                        <DELETED>    ``(i) identifying and documenting 
                        the high value assets of the agency using 
                        guidance from the Director;</DELETED>
                        <DELETED>    ``(ii) evaluating the data assets 
                        inventoried under section 3511 for sensitivity 
                        to compromises in confidentiality, integrity, 
                        and availability;</DELETED>
                        <DELETED>    ``(iii) identifying whether the 
                        agency is participating in federally offered 
                        cybersecurity shared services 
                        programs;</DELETED>
                        <DELETED>    ``(iv) identifying agency systems 
                        that have access to or hold the data assets 
                        inventoried under section 3511;</DELETED>
                        <DELETED>    ``(v) evaluating the threats 
                        facing agency systems and data, including high 
                        value assets, based on Federal and non-Federal 
                        cyber threat intelligence products, where 
                        available;</DELETED>
                        <DELETED>    ``(vi) evaluating the 
                        vulnerability of agency systems and data, 
                        including high value assets, including by 
                        analyzing--</DELETED>
                                <DELETED>    ``(I) the results of 
                                penetration testing performed by the 
                                Department of Homeland Security under 
                                section 3553(b)(9);</DELETED>
                                <DELETED>    ``(II) the results of 
                                penetration testing performed under 
                                section 3559A;</DELETED>
                                <DELETED>    ``(III) information 
                                provided to the agency through the 
                                vulnerability disclosure program of the 
                                agency under section 3559B;</DELETED>
                                <DELETED>    ``(IV) incidents; 
                                and</DELETED>
                                <DELETED>    ``(V) any other 
                                vulnerability information relating to 
                                agency systems that is known to the 
                                agency;</DELETED>
                        <DELETED>    ``(vii) assessing the impacts of 
                        potential agency incidents to agency systems, 
                        data, and operations based on the evaluations 
                        described in clauses (ii) and (v) and the 
                        agency systems identified under clause (iv); 
                        and</DELETED>
                        <DELETED>    ``(viii) assessing the 
                        consequences of potential incidents occurring 
                        on agency systems that would impact systems at 
                        other agencies, including due to 
                        interconnectivity between different agency 
                        systems or operational reliance on the 
                        operations of the system or data in the 
                        system;'';</DELETED>
                                <DELETED>    (III) in subparagraph (B), 
                                as so redesignated, in the matter 
                                preceding clause (i), by striking 
                                ``providing information'' and inserting 
                                ``using information from the assessment 
                                required under subparagraph (A), 
                                providing information'';</DELETED>
                                <DELETED>    (IV) in subparagraph (C), 
                                as so redesignated--</DELETED>
                                        <DELETED>    (aa) in clause 
                                        (ii) by inserting ``binding'' 
                                        before ``operational''; 
                                        and</DELETED>
                                        <DELETED>    (bb) in clause 
                                        (vi), by striking ``and'' at 
                                        the end; and</DELETED>
                                <DELETED>    (V) by adding at the end 
                                the following:</DELETED>
                <DELETED>    ``(E) providing an update on the ongoing 
                and continuous assessment required under subparagraph 
                (A)--</DELETED>
                        <DELETED>    ``(i) upon request, to the 
                        inspector general of the agency or the 
                        Comptroller General of the United States; 
                        and</DELETED>
                        <DELETED>    ``(ii) at intervals determined by 
                        guidance issued by the Director, and to the 
                        extent appropriate and practicable using 
                        automation, to--</DELETED>
                                <DELETED>    ``(I) the 
                                Director;</DELETED>
                                <DELETED>    ``(II) the Director of the 
                                Cybersecurity and Infrastructure 
                                Security Agency; and</DELETED>
                                <DELETED>    ``(III) the National Cyber 
                                Director;'';</DELETED>
                        <DELETED>    (ii) in paragraph (2)--</DELETED>
                                <DELETED>    (I) in subparagraph (A), 
                                by inserting ``in accordance with the 
                                agency system risk assessment required 
                                under paragraph (1)(A)'' after 
                                ``information systems'';</DELETED>
                                <DELETED>    (II) in subparagraph (D), 
                                by inserting ``, through the use of 
                                penetration testing, the vulnerability 
                                disclosure program established under 
                                section 3559B, and other means,'' after 
                                ``periodically'';</DELETED>
                        <DELETED>    (iii) in paragraph (3)(A)--
                        </DELETED>
                                <DELETED>    (I) in the matter 
                                preceding clause (i), by striking 
                                ``senior agency information security 
                                officer'' and inserting ``Chief 
                                Information Security 
                                Officer'';</DELETED>
                                <DELETED>    (II) in clause (i), by 
                                striking ``this section'' and inserting 
                                ``subsections (a) through 
                                (c)'';</DELETED>
                                <DELETED>    (III) in clause (ii), by 
                                striking ``training and'' and inserting 
                                ``skills, training, and'';</DELETED>
                                <DELETED>    (IV) by redesignating 
                                clauses (iii) and (iv) as (iv) and (v), 
                                respectively;</DELETED>
                                <DELETED>    (V) by inserting after 
                                clause (ii) the following:</DELETED>
                        <DELETED>    ``(iii) manage information 
                        security, cybersecurity budgets, and risk and 
                        compliance activities and explain those 
                        concepts to the head of the agency and the 
                        executive team of the agency;''; and</DELETED>
                                <DELETED>    (VI) in clause (iv), as so 
                                redesignated, by striking ``information 
                                security duties as that official's 
                                primary duty'' and inserting 
                                ``information, computer network, and 
                                technology security duties as the Chief 
                                Information Security Officers' primary 
                                duty'';</DELETED>
                        <DELETED>    (iv) in paragraph (5), by striking 
                        ``annually'' and inserting ``not less 
                        frequently than quarterly''; and</DELETED>
                        <DELETED>    (v) in paragraph (6), by striking 
                        ``official delegated'' and inserting ``Chief 
                        Information Security Officer delegated''; 
                        and</DELETED>
                <DELETED>    (B) in subsection (b)--</DELETED>
                        <DELETED>    (i) by striking paragraph (1) and 
                        inserting the following:</DELETED>
        <DELETED>    ``(1) the ongoing and continuous assessment of 
        agency system risk required under subsection (a)(1)(A), which 
        may include using guidance and automated tools consistent with 
        standards and guidelines promulgated under section 11331 of 
        title 40, as applicable;'';</DELETED>
                        <DELETED>    (ii) in paragraph (2)--</DELETED>
                                <DELETED>    (I) by striking 
                                subparagraph (B);</DELETED>
                                <DELETED>    (II) by redesignating 
                                subparagraphs (C) and (D) as 
                                subparagraphs (B) and (C), 
                                respectively;</DELETED>
                                <DELETED>    (III) in subparagraph (B), 
                                as so redesignated, by striking ``and'' 
                                at the end; and</DELETED>
                                <DELETED>    (IV) in subparagraph (C), 
                                as so redesignated--</DELETED>
                                        <DELETED>    (aa) by 
                                        redesignating clauses (iii) and 
                                        (iv) as clauses (iv) and (v), 
                                        respectively;</DELETED>
                                        <DELETED>    (bb) by inserting 
                                        after clause (ii) the 
                                        following:</DELETED>
                        <DELETED>    ``(iii) binding operational 
                        directives and emergency directives issued by 
                        the Secretary under section 3553;''; 
                        and</DELETED>
                                        <DELETED>    (cc) in clause 
                                        (iv), as so redesignated, by 
                                        striking ``as determined by the 
                                        agency; and'' and inserting 
                                        ``as determined by the agency, 
                                        considering the agency risk 
                                        assessment required under 
                                        subsection (a)(1)(A);</DELETED>
                        <DELETED>    (iii) in paragraph (5)(A), by 
                        inserting ``, including penetration testing, as 
                        appropriate,'' after ``shall include 
                        testing'';</DELETED>
                        <DELETED>    (iv) by redesignating paragraphs 
                        (7) and (8) as paragraphs (8) and (9), 
                        respectively;</DELETED>
                        <DELETED>    (v) by inserting after paragraph 
                        (6) the following:</DELETED>
        <DELETED>    ``(7) a secure process for providing the status of 
        every remedial action and unremediated identified system 
        vulnerability of a high value asset to the Director and the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, using automation and machine-readable data to the 
        greatest extent practicable;''; and</DELETED>
                        <DELETED>    (vi) in paragraph (8)(C), as so 
                        redesignated--</DELETED>
                                <DELETED>    (I) by striking clause 
                                (ii) and inserting the 
                                following:</DELETED>
                        <DELETED>    ``(ii) notifying and consulting 
                        with the Federal information security incident 
                        center established under section 3556 pursuant 
                        to the requirements of section 
                        3594;'';</DELETED>
                                <DELETED>    (II) by redesignating 
                                clause (iii) as clause (iv);</DELETED>
                                <DELETED>    (III) by inserting after 
                                clause (ii) the following:</DELETED>
                        <DELETED>    ``(iii) performing the 
                        notifications and other activities required 
                        under subchapter IV of this chapter; and''; 
                        and</DELETED>
                                <DELETED>    (IV) in clause (iv), as so 
                                redesignated--</DELETED>
                                        <DELETED>    (aa) in subclause 
                                        (II), by adding ``and'' at the 
                                        end;</DELETED>
                                        <DELETED>    (bb) by striking 
                                        subclause (III); and</DELETED>
                                        <DELETED>    (cc) by 
                                        redesignating subclause (IV) as 
                                        subclause (III); and</DELETED>
                <DELETED>    (C) in subsection (c)--</DELETED>
                        <DELETED>    (i) by redesignating paragraph (2) 
                        as paragraph (5);</DELETED>
                        <DELETED>    (ii) by striking paragraph (1) and 
                        inserting the following:</DELETED>
        <DELETED>    ``(1) Biennial report.--Not later than 2 years 
        after the date of enactment of the Federal Information Security 
        Modernization Act of 2023 and not less frequently than once 
        every 2 years thereafter, using the continuous and ongoing 
        agency system risk assessment required under subsection 
        (a)(1)(A), the head of each agency shall submit to the 
        Director, the National Cyber Director, the Director of the 
        Cybersecurity and Infrastructure Security Agency, the 
        Comptroller General of the United States, the majority and 
        minority leaders of the Senate, the Speaker and minority leader 
        of the House of Representatives, the Committee on Homeland 
        Security and Governmental Affairs of the Senate, the Committee 
        on Oversight and Accountability of the House of 
        Representatives, the Committee on Homeland Security of the 
        House of Representatives, the Committee on Commerce, Science, 
        and Transportation of the Senate, the Committee on Science, 
        Space, and Technology of the House of Representatives, and the 
        appropriate authorization and appropriations committees of 
        Congress a report that--</DELETED>
                <DELETED>    ``(A) summarizes the agency system risk 
                assessment required under subsection 
                (a)(1)(A);</DELETED>
                <DELETED>    ``(B) evaluates the adequacy and 
                effectiveness of information security policies, 
                procedures, and practices of the agency to address the 
                risks identified in the agency system risk assessment 
                required under subsection (a)(1)(A), including an 
                analysis of the agency's cybersecurity and incident 
                response capabilities using the metrics established 
                under section 224(c) of the Cybersecurity Act of 2015 
                (6 U.S.C. 1522(c)); and</DELETED>
                <DELETED>    ``(C) summarizes the status of remedial 
                actions identified by inspector general of the agency, 
                the Comptroller General of the United States, and any 
                other source determined appropriate by the head of the 
                agency.</DELETED>
        <DELETED>    ``(2) Unclassified reports.--Each report submitted 
        under paragraph (1)--</DELETED>
                <DELETED>    ``(A) shall be, to the greatest extent 
                practicable, in an unclassified and otherwise 
                uncontrolled form; and</DELETED>
                <DELETED>    ``(B) may include 1 or more annexes that 
                contain classified or other sensitive information, as 
                appropriate.</DELETED>
        <DELETED>    ``(3) Briefings.--During each year during which a 
        report is not required to be submitted under paragraph (1), the 
        Director shall provide to the congressional committees 
        described in paragraph (1) a briefing summarizing current 
        agency and Federal risk postures.''; and</DELETED>
                        <DELETED>    (iii) in paragraph (5), as so 
                        redesignated, by striking the period at the end 
                        and inserting ``, including the reporting 
                        procedures established under section 11315(d) 
                        of title 40 and subsection (a)(3)(A)(v) of this 
                        section'';</DELETED>
        <DELETED>    (4) in section 3555--</DELETED>
                <DELETED>    (A) in the section heading, by striking 
                ``annual independent'' and inserting 
                ``independent'';</DELETED>
                <DELETED>    (B) in subsection (a)--</DELETED>
                        <DELETED>    (i) in paragraph (1), by inserting 
                        ``during which a report is required to be 
                        submitted under section 3553(c),'' after ``Each 
                        year'';</DELETED>
                        <DELETED>    (ii) in paragraph (2)(A), by 
                        inserting ``, including by performing, or 
                        reviewing the results of, agency penetration 
                        testing and analyzing the vulnerability 
                        disclosure program of the agency'' after 
                        ``information systems''; and</DELETED>
                        <DELETED>    (iii) by adding at the end the 
                        following:</DELETED>
        <DELETED>    ``(3) An evaluation under this section may include 
        recommendations for improving the cybersecurity posture of the 
        agency.'';</DELETED>
                <DELETED>    (C) in subsection (b)(1), by striking 
                ``annual'';</DELETED>
                <DELETED>    (D) in subsection (e)(1), by inserting 
                ``during which a report is required to be submitted 
                under section 3553(c)'' after ``Each year'';</DELETED>
                <DELETED>    (E) in subsection (g)(2)--</DELETED>
                        <DELETED>    (i) by striking ``this subsection 
                        shall'' and inserting ``this subsection--
                        </DELETED>
                <DELETED>    ``(A) shall'';</DELETED>
                        <DELETED>    (ii) in subparagraph (A), as so 
                        designated, by striking the period at the end 
                        and inserting ``; and''; and</DELETED>
                        <DELETED>    (iii) by adding at the end the 
                        following:</DELETED>
                <DELETED>    ``(B) identify any entity that performs an 
                independent evaluation under subsection (b).''; 
                and</DELETED>
                <DELETED>    (F) by striking subsection (j) and 
                inserting the following:</DELETED>
<DELETED>    ``(j) Guidance.--</DELETED>
        <DELETED>    ``(1) In general.--The Director, in consultation 
        with the Director of the Cybersecurity and Infrastructure 
        Security Agency, the Chief Information Officers Council, the 
        Council of the Inspectors General on Integrity and Efficiency, 
        and other interested parties as appropriate, shall ensure the 
        development of risk-based guidance for evaluating the 
        effectiveness of an information security program and 
        practices.</DELETED>
        <DELETED>    ``(2) Priorities.--The risk-based guidance 
        developed under paragraph (1) shall include--</DELETED>
                <DELETED>    ``(A) the identification of the most 
                common successful threat patterns;</DELETED>
                <DELETED>    ``(B) the identification of security 
                controls that address the threat patterns described in 
                subparagraph (A);</DELETED>
                <DELETED>    ``(C) any other security risks unique to 
                Federal systems; and</DELETED>
                <DELETED>    ``(D) any other element the Director 
                determines appropriate.''; and</DELETED>
        <DELETED>    (5) in section 3556(a)--</DELETED>
                <DELETED>    (A) in the matter preceding paragraph (1), 
                by inserting ``within the Cybersecurity and 
                Infrastructure Security Agency'' after ``incident 
                center''; and</DELETED>
                <DELETED>    (B) in paragraph (4), by striking 
                ``3554(b)'' and inserting ``3554(a)(1)(A)''.</DELETED>
<DELETED>    (d) Conforming Amendments.--</DELETED>
        <DELETED>    (1) Table of sections.--The table of sections for 
        chapter 35 of title 44, United States Code, is amended by 
        striking the item relating to section 3555 and inserting the 
        following:</DELETED>

<DELETED>``3555. Independent evaluation.''.
        <DELETED>    (2) OMB reports.--Section 226(c) of the 
        Cybersecurity Act of 2015 (6 U.S.C. 1524(c)) is amended--
        </DELETED>
                <DELETED>    (A) in paragraph (1)(B), in the matter 
                preceding clause (i), by striking ``annually 
                thereafter'' and inserting ``thereafter during the 
                years during which a report is required to be submitted 
                under section 3553(c) of title 44, United States 
                Code''; and</DELETED>
                <DELETED>    (B) in paragraph (2)(B), in the matter 
                preceding clause (i)--</DELETED>
                        <DELETED>    (i) by striking ``annually 
                        thereafter'' and inserting ``thereafter during 
                        the years during which a report is required to 
                        be submitted under section 3553(c) of title 44, 
                        United States Code''; and</DELETED>
                        <DELETED>    (ii) by striking ``the report 
                        required under section 3553(c) of title 44, 
                        United States Code'' and inserting ``that 
                        report''.</DELETED>
        <DELETED>    (3) NIST responsibilities.--Section 20(d)(3)(B) of 
        the National Institute of Standards and Technology Act (15 
        U.S.C. 278g-3(d)(3)(B)) is amended by striking 
        ``annual''.</DELETED>
<DELETED>    (e) Federal System Incident Response.--</DELETED>
        <DELETED>    (1) In general.--Chapter 35 of title 44, United 
        States Code, is amended by adding at the end the 
        following:</DELETED>

  <DELETED>``SUBCHAPTER IV--FEDERAL SYSTEM INCIDENT RESPONSE</DELETED>

<DELETED>``Sec. 3591. Definitions</DELETED>
<DELETED>    ``(a) In General.--Except as provided in subsection (b), 
the definitions under sections 3502 and 3552 shall apply to this 
subchapter.</DELETED>
<DELETED>    ``(b) Additional Definitions.--As used in this 
subchapter:</DELETED>
        <DELETED>    ``(1) Appropriate reporting entities.--The term 
        `appropriate reporting entities' means--</DELETED>
                <DELETED>    ``(A) the majority and minority leaders of 
                the Senate;</DELETED>
                <DELETED>    ``(B) the Speaker and minority leader of 
                the House of Representatives;</DELETED>
                <DELETED>    ``(C) the Committee on Homeland Security 
                and Governmental Affairs of the Senate;</DELETED>
                <DELETED>    ``(D) the Committee on Commerce, Science, 
                and Transportation of the Senate;</DELETED>
                <DELETED>    ``(E) the Committee on Oversight and 
                Accountability of the House of 
                Representatives;</DELETED>
                <DELETED>    ``(F) the Committee on Homeland Security 
                of the House of Representatives;</DELETED>
                <DELETED>    ``(G) the Committee on Science, Space, and 
                Technology of the House of Representatives;</DELETED>
                <DELETED>    ``(H) the appropriate authorization and 
                appropriations committees of Congress;</DELETED>
                <DELETED>    ``(I) the Director;</DELETED>
                <DELETED>    ``(J) the Director of the Cybersecurity 
                and Infrastructure Security Agency;</DELETED>
                <DELETED>    ``(K) the National Cyber 
                Director;</DELETED>
                <DELETED>    ``(L) the Comptroller General of the 
                United States; and</DELETED>
                <DELETED>    ``(M) the inspector general of any 
                impacted agency.</DELETED>
        <DELETED>    ``(2) Awardee.--The term `awardee', with respect 
        to an agency--</DELETED>
                <DELETED>    ``(A) means--</DELETED>
                        <DELETED>    ``(i) the recipient of a grant 
                        from an agency;</DELETED>
                        <DELETED>    ``(ii) a party to a cooperative 
                        agreement with an agency; and</DELETED>
                        <DELETED>    ``(iii) a party to an other 
                        transaction agreement with an agency; 
                        and</DELETED>
                <DELETED>    ``(B) includes a subawardee of an entity 
                described in subparagraph (A).</DELETED>
        <DELETED>    ``(3) Breach.--The term `breach'--</DELETED>
                <DELETED>    ``(A) means the compromise, unauthorized 
                disclosure, unauthorized acquisition, or loss of 
                control of personally identifiable information or any 
                similar occurrence; and</DELETED>
                <DELETED>    ``(B) includes any additional meaning 
                given the term in policies, principles, standards, or 
                guidelines issued by the Director.</DELETED>
        <DELETED>    ``(4) Contractor.--The term `contractor' means a 
        prime contractor of an agency or a subcontractor of a prime 
        contractor of an agency that creates, collects, stores, 
        processes, maintains, or transmits Federal information on 
        behalf of an agency.</DELETED>
        <DELETED>    ``(5) Federal information.--The term `Federal 
        information' means information created, collected, processed, 
        maintained, disseminated, disclosed, or disposed of by or for 
        the Federal Government in any medium or form.</DELETED>
        <DELETED>    ``(6) Federal information system.--The term 
        `Federal information system' means an information system owned, 
        managed, or operated by an agency, or on behalf of an agency by 
        a contractor, an awardee, or another organization.</DELETED>
        <DELETED>    ``(7) Intelligence community.--The term 
        `intelligence community' has the meaning given the term in 
        section 3 of the National Security Act of 1947 (50 U.S.C. 
        3003).</DELETED>
        <DELETED>    ``(8) Nationwide consumer reporting agency.--The 
        term `nationwide consumer reporting agency' means a consumer 
        reporting agency described in section 603(p) of the Fair Credit 
        Reporting Act (15 U.S.C. 1681a(p)).</DELETED>
        <DELETED>    ``(9) Vulnerability disclosure.--The term 
        `vulnerability disclosure' means a vulnerability identified 
        under section 3559B.</DELETED>
<DELETED>``Sec. 3592. Notification of breach</DELETED>
<DELETED>    ``(a) Definition.--In this section, the term `covered 
breach' means a breach--</DELETED>
        <DELETED>    ``(1) involving not less than 50,000 potentially 
        affected individuals; or</DELETED>
        <DELETED>    ``(2) the result of which the head of an agency 
        determines that notifying potentially affected individuals is 
        necessary pursuant to subsection (b)(1), regardless of 
        whether--</DELETED>
                <DELETED>    ``(A) the number of potentially affected 
                individuals is less than 50,000; or</DELETED>
                <DELETED>    ``(B) the notification is delayed under 
                subsection (d).</DELETED>
<DELETED>    ``(b) Notification.--As expeditiously as practicable and 
without unreasonable delay, and in any case not later than 45 days 
after an agency has a reasonable basis to conclude that a breach has 
occurred, the head of the agency, in consultation with the Chief 
Information Officer and Chief Privacy Officer of the agency, shall--
</DELETED>
        <DELETED>    ``(1) determine whether notice to any individual 
        potentially affected by the breach is appropriate, including by 
        conducting an assessment of the risk of harm to the individual 
        that considers--</DELETED>
                <DELETED>    ``(A) the nature and sensitivity of the 
                personally identifiable information affected by the 
                breach;</DELETED>
                <DELETED>    ``(B) the likelihood of access to and use 
                of the personally identifiable information affected by 
                the breach;</DELETED>
                <DELETED>    ``(C) the type of breach; and</DELETED>
                <DELETED>    ``(D) any other factors determined by the 
                Director; and</DELETED>
        <DELETED>    ``(2) if the head of the agency determines 
        notification is necessary pursuant to paragraph (1), provide 
        written notification in accordance with subsection (c) to each 
        individual potentially affected by the breach--</DELETED>
                <DELETED>    ``(A) to the last known mailing address of 
                the individual; or</DELETED>
                <DELETED>    ``(B) through an appropriate alternative 
                method of notification.</DELETED>
<DELETED>    ``(c) Contents of Notification.--Each notification of a 
breach provided to an individual under subsection (b)(2) shall include, 
to the maximum extent practicable--</DELETED>
        <DELETED>    ``(1) a brief description of the breach;</DELETED>
        <DELETED>    ``(2) if possible, a description of the types of 
        personally identifiable information affected by the 
        breach;</DELETED>
        <DELETED>    ``(3) contact information of the agency that may 
        be used to ask questions of the agency, which--</DELETED>
                <DELETED>    ``(A) shall include an e-mail address or 
                another digital contact mechanism; and</DELETED>
                <DELETED>    ``(B) may include a telephone number, 
                mailing address, or a website;</DELETED>
        <DELETED>    ``(4) information on any remedy being offered by 
        the agency;</DELETED>
        <DELETED>    ``(5) any applicable educational materials 
        relating to what individuals can do in response to a breach 
        that potentially affects their personally identifiable 
        information, including relevant contact information for the 
        appropriate Federal law enforcement agencies and each 
        nationwide consumer reporting agency; and</DELETED>
        <DELETED>    ``(6) any other appropriate information, as 
        determined by the head of the agency or established in guidance 
        by the Director.</DELETED>
<DELETED>    ``(d) Delay of Notification.--</DELETED>
        <DELETED>    ``(1) In general.--The head of an agency, in 
        coordination with the Director and the National Cyber Director, 
        and as appropriate, the Attorney General, the Director of 
        National Intelligence, or the Secretary of Homeland Security, 
        may delay a notification required under subsection (b) or (e) 
        if the notification would--</DELETED>
                <DELETED>    ``(A) impede a criminal investigation or a 
                national security activity;</DELETED>
                <DELETED>    ``(B) cause an adverse result (as 
                described in section 2705(a)(2) of title 18);</DELETED>
                <DELETED>    ``(C) reveal sensitive sources and 
                methods;</DELETED>
                <DELETED>    ``(D) cause damage to national security; 
                or</DELETED>
                <DELETED>    ``(E) hamper security remediation 
                actions.</DELETED>
        <DELETED>    ``(2) Renewal.--A delay under paragraph (1) shall 
        be for a period of 60 days and may be renewed.</DELETED>
        <DELETED>    ``(3) National security systems.--The head of an 
        agency delaying notification under this subsection with respect 
        to a breach exclusively of a national security system shall 
        coordinate such delay with the Secretary of Defense.</DELETED>
<DELETED>    ``(e) Update Notification.--If an agency determines there 
is a significant change in the reasonable basis to conclude that a 
breach occurred, a significant change to the determination made under 
subsection (b)(1), or that it is necessary to update the details of the 
information provided to potentially affected individuals as described 
in subsection (c), the agency shall as expeditiously as practicable and 
without unreasonable delay, and in any case not later than 30 days 
after such a determination, notify each individual who received a 
notification pursuant to subsection (b) of those changes.</DELETED>
<DELETED>    ``(f) Delay of Notification Report.--</DELETED>
        <DELETED>    ``(1) In general.--Not later than 1 year after the 
        date of enactment of the Federal Information Security 
        Modernization Act of 2023, and annually thereafter, the head of 
        an agency, in coordination with any official who delays a 
        notification under subsection (d), shall submit to the 
        appropriate reporting entities a report on each delay that 
        occurred during the previous 2 years.</DELETED>
        <DELETED>    ``(2) Component of other report.--The head of an 
        agency may submit the report required under paragraph (1) as a 
        component of the report submitted under section 
        3554(c).</DELETED>
<DELETED>    ``(g) Congressional Reporting Requirements.--</DELETED>
        <DELETED>    ``(1) Review and update.--On a periodic basis, the 
        Director of the Office of Management and Budget shall review, 
        and update as appropriate, breach notification policies and 
        guidelines for agencies.</DELETED>
        <DELETED>    ``(2) Required notice from agencies.--Subject to 
        paragraph (4), the Director of the Office of Management and 
        Budget shall require the head of an agency affected by a 
        covered breach to expeditiously and not later than 30 days 
        after the date on which the agency discovers the covered breach 
        give notice of the breach, which may be provided 
        electronically, to--</DELETED>
                <DELETED>    ``(A) each congressional committee 
                described in section 3554(c)(1); and</DELETED>
                <DELETED>    ``(B) the Committee on the Judiciary of 
                the Senate and the Committee on the Judiciary of the 
                House of Representatives.</DELETED>
        <DELETED>    ``(3) Contents of notice.--Notice of a covered 
        breach provided by the head of an agency pursuant to paragraph 
        (2) shall include, to the extent practicable--</DELETED>
                <DELETED>    ``(A) information about the covered 
                breach, including a summary of any information about 
                how the covered breach occurred known by the agency as 
                of the date of the notice;</DELETED>
                <DELETED>    ``(B) an estimate of the number of 
                individuals affected by the covered breach based on 
                information known by the agency as of the date of the 
                notice, including an assessment of the risk of harm to 
                affected individuals;</DELETED>
                <DELETED>    ``(C) a description of any circumstances 
                necessitating a delay in providing notice to 
                individuals affected by the covered breach in 
                accordance with subsection (d); and</DELETED>
                <DELETED>    ``(D) an estimate of when the agency will 
                provide notice to individuals affected by the covered 
                breach, if applicable.</DELETED>
        <DELETED>    ``(4) Exception.--Any agency that is required to 
        provide notice to Congress pursuant to paragraph (2) due to a 
        covered breach exclusively on a national security system shall 
        only provide such notice to--</DELETED>
                <DELETED>    ``(A) the majority and minority leaders of 
                the Senate;</DELETED>
                <DELETED>    ``(B) the Speaker and minority leader of 
                the House of Representatives;</DELETED>
                <DELETED>    ``(C) the appropriations committees of 
                Congress;</DELETED>
                <DELETED>    ``(D) the Committee on Homeland Security 
                and Governmental Affairs of the Senate;</DELETED>
                <DELETED>    ``(E) the Select Committee on Intelligence 
                of the Senate;</DELETED>
                <DELETED>    ``(F) the Committee on Oversight and 
                Accountability of the House of Representatives; 
                and</DELETED>
                <DELETED>    ``(G) the Permanent Select Committee on 
                Intelligence of the House of Representatives.</DELETED>
        <DELETED>    ``(5) Rule of construction.--Nothing in paragraphs 
        (1) through (3) shall be construed to alter any authority of an 
        agency.</DELETED>
<DELETED>    ``(h) Rule of Construction.--Nothing in this section shall 
be construed to--</DELETED>
        <DELETED>    ``(1) limit--</DELETED>
                <DELETED>    ``(A) the authority of the Director to 
                issue guidance relating to notifications of, or the 
                head of an agency to notify individuals potentially 
                affected by, breaches that are not determined to be 
                covered breaches or major incidents;</DELETED>
                <DELETED>    ``(B) the authority of the Director to 
                issue guidance relating to notifications and reporting 
                of breaches, covered breaches, or major 
                incidents;</DELETED>
                <DELETED>    ``(C) the authority of the head of an 
                agency to provide more information than required under 
                subsection (b) when notifying individuals potentially 
                affected by a breach;</DELETED>
                <DELETED>    ``(D) the timing of incident reporting or 
                the types of information included in incident reports 
                provided, pursuant to this subchapter, to--</DELETED>
                        <DELETED>    ``(i) the Director;</DELETED>
                        <DELETED>    ``(ii) the National Cyber 
                        Director;</DELETED>
                        <DELETED>    ``(iii) the Director of the 
                        Cybersecurity and Infrastructure Security 
                        Agency; or</DELETED>
                        <DELETED>    ``(iv) any other agency;</DELETED>
                <DELETED>    ``(E) the authority of the head of an 
                agency to provide information to Congress about agency 
                breaches, including--</DELETED>
                        <DELETED>    ``(i) breaches that are not 
                        covered breaches; and</DELETED>
                        <DELETED>    ``(ii) additional information 
                        beyond the information described in subsection 
                        (g)(3); or</DELETED>
                <DELETED>    ``(F) any Congressional reporting 
                requirements of agencies under any other law; 
                or</DELETED>
        <DELETED>    ``(2) limit or supersede any existing privacy 
        protections in existing law.</DELETED>
<DELETED>``Sec. 3593. Congressional and Executive Branch reports on 
              major incidents</DELETED>
<DELETED>    ``(a) Appropriate Congressional Entities.--In this 
section, the term `appropriate congressional entities' means--
</DELETED>
        <DELETED>    ``(1) the majority and minority leaders of the 
        Senate;</DELETED>
        <DELETED>    ``(2) the Speaker and minority leader of the House 
        of Representatives;</DELETED>
        <DELETED>    ``(3) the Committee on Homeland Security and 
        Governmental Affairs of the Senate;</DELETED>
        <DELETED>    ``(4) the Committee on Commerce, Science, and 
        Transportation of the Senate;</DELETED>
        <DELETED>    ``(5) the Committee on Oversight and 
        Accountability of the House of Representatives;</DELETED>
        <DELETED>    ``(6) the Committee on Homeland Security of the 
        House of Representatives;</DELETED>
        <DELETED>    ``(7) the Committee on Science, Space, and 
        Technology of the House of Representatives; and</DELETED>
        <DELETED>    ``(8) the appropriate authorization and 
        appropriations committees of Congress.</DELETED>
<DELETED>    ``(b) Initial Notification.--</DELETED>
        <DELETED>    ``(1) In general.--Not later than 72 hours after 
        an agency has a reasonable basis to conclude that a major 
        incident occurred, the head of the agency impacted by the major 
        incident shall submit to the appropriate reporting entities a 
        written notification, which may be submitted electronically and 
        include 1 or more annexes that contain classified or other 
        sensitive information, as appropriate.</DELETED>
        <DELETED>    ``(2) Contents.--A notification required under 
        paragraph (1) with respect to a major incident shall include 
        the following, based on information available to agency 
        officials as of the date on which the agency submits the 
        notification:</DELETED>
                <DELETED>    ``(A) A summary of the information 
                available about the major incident, including how the 
                major incident occurred and the threat causing the 
                major incident.</DELETED>
                <DELETED>    ``(B) If applicable, information relating 
                to any breach associated with the major incident, 
                regardless of whether--</DELETED>
                        <DELETED>    ``(i) the breach was the reason 
                        the incident was determined to be a major 
                        incident; and</DELETED>
                        <DELETED>    ``(ii) the head of the agency 
                        determined it was appropriate to provide 
                        notification to potentially impacted 
                        individuals pursuant to section 
                        3592(b)(1).</DELETED>
                <DELETED>    ``(C) A preliminary assessment of the 
                impacts to--</DELETED>
                        <DELETED>    ``(i) the agency;</DELETED>
                        <DELETED>    ``(ii) the Federal 
                        Government;</DELETED>
                        <DELETED>    ``(iii) the national security, 
                        foreign relations, homeland security, and 
                        economic security of the United States; 
                        and</DELETED>
                        <DELETED>    ``(iv) the civil liberties, public 
                        confidence, privacy, and public health and 
                        safety of the people of the United 
                        States.</DELETED>
                <DELETED>    ``(D) If applicable, whether any ransom 
                has been demanded or paid, or is expected to be paid, 
                by any entity operating a Federal information system or 
                with access to Federal information or a Federal 
                information system, including, as available, the name 
                of the entity demanding ransom, the date of the demand, 
                and the amount and type of currency demanded, unless 
                disclosure of such information will disrupt an active 
                Federal law enforcement or national security 
                operation.</DELETED>
<DELETED>    ``(c) Supplemental Update.--Within a reasonable amount of 
time, but not later than 30 days after the date on which the head of an 
agency submits a written notification under subsection (a), the head of 
the agency shall provide to the appropriate congressional entities an 
unclassified and written update, which may include 1 or more annexes 
that contain classified or other sensitive information, as appropriate, 
on the major incident, based on information available to agency 
officials as of the date on which the agency provides the update, on--
</DELETED>
        <DELETED>    ``(1) system vulnerabilities relating to the major 
        incident, where applicable, means by which the major incident 
        occurred, the threat causing the major incident, where 
        applicable, and impacts of the major incident to--</DELETED>
                <DELETED>    ``(A) the agency;</DELETED>
                <DELETED>    ``(B) other Federal agencies, Congress, or 
                the judicial branch;</DELETED>
                <DELETED>    ``(C) the national security, foreign 
                relations, homeland security, or economic security of 
                the United States; or</DELETED>
                <DELETED>    ``(D) the civil liberties, public 
                confidence, privacy, or public health and safety of the 
                people of the United States;</DELETED>
        <DELETED>    ``(2) the status of compliance of the affected 
        Federal information system with applicable security 
        requirements at the time of the major incident;</DELETED>
        <DELETED>    ``(3) if the major incident involved a breach, a 
        description of the affected information, an estimate of the 
        number of individuals potentially impacted, and any assessment 
        of the risk of harm to such individuals;</DELETED>
        <DELETED>    ``(4) an update to the assessment of the risk to 
        agency operations, or to impacts on other agency or non-Federal 
        entity operations, affected by the major incident; 
        and</DELETED>
        <DELETED>    ``(5) the detection, response, and remediation 
        actions of the agency, including any support provided by the 
        Cybersecurity and Infrastructure Security Agency under section 
        3594(d), if applicable.</DELETED>
<DELETED>    ``(d) Additional Update.--If the head of an agency, the 
Director, or the National Cyber Director determines that there is any 
significant change in the understanding of the scope, scale, or 
consequence of a major incident for which the head of the agency 
submitted a written notification and update under subsections (b) and 
(c), the head of the agency shall submit to the appropriate 
congressional entities a written update that includes information 
relating to the change in understanding.</DELETED>
<DELETED>    ``(e) Biennial Report.--Each agency shall submit as part 
of the biennial report required under section 3554(c)(1) a description 
of each major incident that occurred during the 2-year period preceding 
the date on which the biennial report is submitted.</DELETED>
<DELETED>    ``(f) Report Delivery.--</DELETED>
        <DELETED>    ``(1) In general.--Any written notification or 
        update required to be submitted under this section--</DELETED>
                <DELETED>    ``(A) shall be submitted in an electronic 
                format; and</DELETED>
                <DELETED>    ``(B) may be submitted in a paper 
                format.</DELETED>
        <DELETED>    ``(2) Classification status.--Any written 
        notification or update required to be submitted under this 
        section--</DELETED>
                <DELETED>    ``(A) shall be--</DELETED>
                        <DELETED>    ``(i) unclassified; and</DELETED>
                        <DELETED>    ``(ii) submitted through 
                        unclassified electronic means pursuant to 
                        paragraph (1)(A); and</DELETED>
                <DELETED>    ``(B) may include classified annexes, as 
                appropriate.</DELETED>
<DELETED>    ``(g) Report Consistency.--To achieve consistent and 
coherent agency reporting to Congress, the National Cyber Director, in 
coordination with the Director, shall--</DELETED>
        <DELETED>    ``(1) provide recommendations to agencies on 
        formatting and the contents of information to be included in 
        the reports required under this section, including 
        recommendations for consistent formats for presenting any 
        associated metrics; and</DELETED>
        <DELETED>    ``(2) maintain a comprehensive record of each 
        major incident notification, update, and briefing provided 
        under this section, which shall--</DELETED>
                <DELETED>    ``(A) include, at a minimum--</DELETED>
                        <DELETED>    ``(i) the full contents of the 
                        written notification or update;</DELETED>
                        <DELETED>    ``(ii) the identity of the 
                        reporting agency;</DELETED>
                        <DELETED>    ``(iii) the date of submission; 
                        and</DELETED>
                        <DELETED>    ``(iv) a list of the recipient 
                        congressional entities; and</DELETED>
                <DELETED>    ``(B) be made available upon request to 
                the majority and minority leaders of the Senate, the 
                Speaker and minority leader of the House of 
                Representatives, the Committee on Homeland Security and 
                Governmental Affairs of the Senate, and the Committee 
                on Oversight and Accountability of the House of 
                Representatives.</DELETED>
<DELETED>    ``(h) National Security Systems Congressional Reporting 
Exemption.--With respect to a major incident that occurs exclusively on 
a national security system, the head of the affected agency shall 
submit the notifications and reports required to be submitted to 
Congress under this section only to--</DELETED>
        <DELETED>    ``(1) the majority and minority leaders of the 
        Senate;</DELETED>
        <DELETED>    ``(2) the Speaker and minority leader of the House 
        of Representatives;</DELETED>
        <DELETED>    ``(3) the appropriations committees of 
        Congress;</DELETED>
        <DELETED>    ``(4) the appropriate authorization committees of 
        Congress;</DELETED>
        <DELETED>    ``(5) the Committee on Homeland Security and 
        Governmental Affairs of the Senate;</DELETED>
        <DELETED>    ``(6) the Select Committee on Intelligence of the 
        Senate;</DELETED>
        <DELETED>    ``(7) the Committee on Oversight and 
        Accountability of the House of Representatives; and</DELETED>
        <DELETED>    ``(8) the Permanent Select Committee on 
        Intelligence of the House of Representatives.</DELETED>
<DELETED>    ``(i) Major Incidents Including Breaches.--If a major 
incident constitutes a covered breach, as defined in section 3592(a), 
information on the covered breach required to be submitted to Congress 
pursuant to section 3592(g) may--</DELETED>
        <DELETED>    ``(1) be included in the notifications required 
        under subsection (b) or (c); or</DELETED>
        <DELETED>    ``(2) be reported to Congress under the process 
        established under section 3592(g).</DELETED>
<DELETED>    ``(j) Rule of Construction.--Nothing in this section shall 
be construed to--</DELETED>
        <DELETED>    ``(1) limit--</DELETED>
                <DELETED>    ``(A) the ability of an agency to provide 
                additional reports or briefings to Congress;</DELETED>
                <DELETED>    ``(B) Congress from requesting additional 
                information from agencies through reports, briefings, 
                or other means;</DELETED>
                <DELETED>    ``(C) any congressional reporting 
                requirements of agencies under any other law; 
                or</DELETED>
        <DELETED>    ``(2) limit or supersede any privacy protections 
        under any other law.</DELETED>
<DELETED>``Sec. 3594. Government information sharing and incident 
              response</DELETED>
<DELETED>    ``(a) In General.--</DELETED>
        <DELETED>    ``(1) Incident sharing.--Subject to paragraph (4) 
        and subsection (b), and in accordance with the applicable 
        requirements pursuant to section 3553(b)(2)(A) for reporting to 
        the Federal information security incident center established 
        under section 3556, the head of each agency shall provide to 
        the Cybersecurity and Infrastructure Security Agency 
        information relating to any incident affecting the agency, 
        whether the information is obtained by the Federal Government 
        directly or indirectly.</DELETED>
        <DELETED>    ``(2) Contents.--A provision of information 
        relating to an incident made by the head of an agency under 
        paragraph (1) shall include, at a minimum--</DELETED>
                <DELETED>    ``(A) a full description of the incident, 
                including--</DELETED>
                        <DELETED>    ``(i) all indicators of compromise 
                        and tactics, techniques, and 
                        procedures;</DELETED>
                        <DELETED>    ``(ii) an indicator of how the 
                        intruder gained initial access, accessed agency 
                        data or systems, and undertook additional 
                        actions on the network of the agency;</DELETED>
                        <DELETED>    ``(iii) information that would 
                        support enabling defensive measures; 
                        and</DELETED>
                        <DELETED>    ``(iv) other information that may 
                        assist in identifying other victims;</DELETED>
                <DELETED>    ``(B) information to help prevent similar 
                incidents, such as information about relevant 
                safeguards in place when the incident occurred and the 
                effectiveness of those safeguards; and</DELETED>
                <DELETED>    ``(C) information to aid in incident 
                response, such as--</DELETED>
                        <DELETED>    ``(i) a description of the 
                        affected systems or networks;</DELETED>
                        <DELETED>    ``(ii) the estimated dates of when 
                        the incident occurred; and</DELETED>
                        <DELETED>    ``(iii) information that could 
                        reasonably help identify any malicious actor 
                        that may have conducted or caused the incident, 
                        subject to appropriate privacy 
                        protections.</DELETED>
        <DELETED>    ``(3) Information sharing.--The Director of the 
        Cybersecurity and Infrastructure Security Agency shall--
        </DELETED>
                <DELETED>    ``(A) make incident information provided 
                under paragraph (1) available to the Director and the 
                National Cyber Director;</DELETED>
                <DELETED>    ``(B) to the greatest extent practicable, 
                share information relating to an incident with--
                </DELETED>
                        <DELETED>    ``(i) the head of any agency that 
                        may be--</DELETED>
                                <DELETED>    ``(I) impacted by the 
                                incident;</DELETED>
                                <DELETED>    ``(II) particularly 
                                susceptible to the incident; 
                                or</DELETED>
                                <DELETED>    ``(III) similarly targeted 
                                by the incident; and</DELETED>
                        <DELETED>    ``(ii) appropriate Federal law 
                        enforcement agencies to facilitate any 
                        necessary threat response activities, as 
                        requested;</DELETED>
                <DELETED>    ``(C) coordinate any necessary information 
                sharing efforts relating to a major incident with the 
                private sector; and</DELETED>
                <DELETED>    ``(D) notify the National Cyber Director 
                of any efforts described in subparagraph (C).</DELETED>
        <DELETED>    ``(4) National security systems exemption.--
        </DELETED>
                <DELETED>    ``(A) In general.--Notwithstanding 
                paragraphs (1) and (3), each agency operating or 
                exercising control of a national security system shall 
                share information about an incident that occurs 
                exclusively on a national security system with the 
                Secretary of Defense, the Director, the National Cyber 
                Director, and the Director of the Cybersecurity and 
                Infrastructure Security Agency to the extent consistent 
                with standards and guidelines for national security 
                systems issued in accordance with law and as directed 
                by the President.</DELETED>
                <DELETED>    ``(B) Protections.--Any information 
                sharing and handling of information under this 
                paragraph shall be appropriately protected consistent 
                with procedures authorized for the protection of 
                sensitive sources and methods or by procedures 
                established for information that have been specifically 
                authorized under criteria established by an Executive 
                order or an Act of Congress to be kept classified in 
                the interest of national defense or foreign 
                policy.</DELETED>
<DELETED>    ``(b) Automation.--In providing information and selecting 
a method to provide information under subsection (a), the head of each 
agency shall implement subsection (a)(1) in a manner that provides such 
information to the Cybersecurity and Infrastructure Security Agency in 
an automated and machine-readable format, to the greatest extent 
practicable.</DELETED>
<DELETED>    ``(c) Incident Response.--Each agency that has a 
reasonable basis to suspect or conclude that a major incident occurred 
involving Federal information in electronic medium or form that does 
not exclusively involve a national security system shall coordinate 
with--</DELETED>
        <DELETED>    ``(1) the Cybersecurity and Infrastructure 
        Security Agency to facilitate asset response activities and 
        provide recommendations for mitigating future incidents; 
        and</DELETED>
        <DELETED>    ``(2) consistent with relevant policies, 
        appropriate Federal law enforcement agencies to facilitate 
        threat response activities.</DELETED>
<DELETED>``Sec. 3595. Responsibilities of contractors and 
              awardees</DELETED>
<DELETED>    ``(a) Reporting.--</DELETED>
        <DELETED>    ``(1) In general.--Any contractor or awardee of an 
        agency shall report to the agency if the contractor or awardee 
        has a reasonable basis to conclude that--</DELETED>
                <DELETED>    ``(A) an incident or breach has occurred 
                with respect to Federal information the contractor or 
                awardee collected, used, or maintained on behalf of an 
                agency;</DELETED>
                <DELETED>    ``(B) an incident or breach has occurred 
                with respect to a Federal information system used, 
                operated, managed, or maintained on behalf of an agency 
                by the contractor or awardee;</DELETED>
                <DELETED>    ``(C) a component of any Federal 
                information system operated, managed, or maintained by 
                a contractor or awardee contains a security 
                vulnerability, including a supply chain compromise or 
                an identified software or hardware vulnerability, for 
                which there is reliable evidence of attempted or 
                successful exploitation of the vulnerability by an 
                actor without authorization of the Federal information 
                system owner; or</DELETED>
                <DELETED>    ``(D) the contractor or awardee has 
                received personally identifiable information, personal 
                health information, or other clearly sensitive 
                information that is beyond the scope of the contract or 
                agreement with the agency from the agency that the 
                contractor or awardee is not authorized to 
                receive.</DELETED>
        <DELETED>    ``(2) Third-party reports of vulnerabilities.--
        Subject to the guidance issued by the Director pursuant to 
        paragraph (4), any contractor or awardee of an agency shall 
        report to the agency and the Cybersecurity and Infrastructure 
        Security Agency if the contractor or awardee has a reasonable 
        basis to suspect or conclude that a component of any Federal 
        information system operated, managed, or maintained on behalf 
        of an agency by the contractor or awardee on behalf of the 
        agency contains a security vulnerability, including a supply 
        chain compromise or an identified software or hardware 
        vulnerability, that has been reported to the contractor or 
        awardee by a third party, including through a vulnerability 
        disclosure program.</DELETED>
        <DELETED>    ``(3) Procedures.--</DELETED>
                <DELETED>    ``(A) Sharing with cisa.--As soon as 
                practicable following a report of an incident to an 
                agency by a contractor or awardee under paragraph (1), 
                the head of the agency shall provide, pursuant to 
                section 3594, information about the incident to the 
                Director of the Cybersecurity and Infrastructure 
                Security Agency.</DELETED>
                <DELETED>    ``(B) Time for reporting.--Unless a 
                different time for reporting is specified in a 
                contract, grant, cooperative agreement, or other 
                transaction agreement, a contractor or awardee shall--
                </DELETED>
                        <DELETED>    ``(i) make a report required under 
                        paragraph (1) not later than 1 day after the 
                        date on which the contractor or awardee has 
                        reasonable basis to suspect or conclude that 
                        the criteria under paragraph (1) have been met; 
                        and</DELETED>
                        <DELETED>    ``(ii) make a report required 
                        under paragraph (2) within a reasonable time, 
                        but not later than 90 days after the date on 
                        which the contractor or awardee has reasonable 
                        basis to suspect or conclude that the criteria 
                        under paragraph (2) have been met.</DELETED>
                <DELETED>    ``(C) Procedures.--Following a report of a 
                breach or incident to an agency by a contractor or 
                awardee under paragraph (1), the head of the agency, in 
                consultation with the contractor or awardee, shall 
                carry out the applicable requirements under sections 
                3592, 3593, and 3594 with respect to the breach or 
                incident.</DELETED>
                <DELETED>    ``(D) Rule of construction.--Nothing in 
                subparagraph (B) shall be construed to allow the 
                negation of the requirements to report vulnerabilities 
                under paragraph (1) or (2) through a contract, grant, 
                cooperative agreement, or other transaction 
                agreement.</DELETED>
        <DELETED>    ``(4) Guidance.--The Director shall issue guidance 
        to agencies relating to the scope of vulnerabilities to be 
        reported under paragraph (2), such as the minimum severity of a 
        vulnerability required to be reported or whether 
        vulnerabilities that are already publicly disclosed must be 
        reported.</DELETED>
<DELETED>    ``(b) Regulations; Modifications.--</DELETED>
        <DELETED>    ``(1) In general.--Not later than 1 year after the 
        date of enactment of the Federal Information Security 
        Modernization Act of 2023--</DELETED>
                <DELETED>    ``(A) the Federal Acquisition Regulatory 
                Council shall promulgate regulations, as appropriate, 
                relating to the responsibilities of contractors and 
                recipients of other transaction agreements and 
                cooperative agreements to comply with this section; 
                and</DELETED>
                <DELETED>    ``(B) the Office of Federal Financial 
                Management shall promulgate regulations under title 2, 
                Code of Federal Regulations, as appropriate, relating to 
                the responsibilities of grantees to comply with this 
                section.</DELETED>
        <DELETED>    ``(2) Implementation.--Not later than 1 year after 
        the date on which the Federal Acquisition Regulatory Council 
        and the Office of Federal Financial Management promulgate 
        regulations under paragraph (1), the head of each agency shall 
        implement policies and procedures, as appropriate, necessary to 
        implement those regulations.</DELETED>
        <DELETED>    ``(3) Congressional notification.--</DELETED>
                <DELETED>    ``(A) In general.--The head of each agency 
                shall notify the Director upon implementation of 
                policies and procedures necessary to implement the 
                regulations promulgated under paragraph (1).</DELETED>
                <DELETED>    ``(B) OMB notification.--Not later than 
                30 days after the date described in paragraph (2), the 
                Director shall notify the Committee on Homeland 
                Security and Governmental Affairs of the Senate and the 
                Committees on Oversight and Accountability and Homeland 
                Security of the House of Representatives on the status 
                of the implementation by each agency of the regulations 
                promulgated under paragraph (1).</DELETED>
<DELETED>    ``(c) National Security Systems Exemption.--
Notwithstanding any other provision of this section, a contractor or 
awardee of an agency that would be required to report an incident or 
vulnerability pursuant to this section that occurs exclusively on a 
national security system shall--</DELETED>
        <DELETED>    ``(1) report the incident or vulnerability to the 
        head of the agency and the Secretary of Defense; and</DELETED>
        <DELETED>    ``(2) comply with applicable laws and policies 
        relating to national security systems.</DELETED>
<DELETED>``Sec. 3596. Training</DELETED>
<DELETED>    ``(a) Covered Individual Defined.--In this section, the 
term `covered individual' means an individual who obtains access to a 
Federal information system because of the status of the individual as--
</DELETED>
        <DELETED>    ``(1) an employee, contractor, awardee, volunteer, 
        or intern of an agency; or</DELETED>
        <DELETED>    ``(2) an employee of a contractor or awardee of an 
        agency.</DELETED>
<DELETED>    ``(b) Best Practices and Consistency.--The Director of the 
Cybersecurity and Infrastructure Security Agency, in consultation with 
the Director, the National Cyber Director, and the Director of the 
National Institute of Standards and Technology, shall develop best 
practices to support consistency across agencies in cybersecurity 
incident response training, including--</DELETED>
        <DELETED>    ``(1) information to be collected and shared with 
        the Cybersecurity and Infrastructure Security Agency pursuant 
        to section 3594(a) and processes for sharing such information; 
        and</DELETED>
        <DELETED>    ``(2) appropriate training and qualifications for 
        cyber incident responders.</DELETED>
<DELETED>    ``(c) Agency Training.--The head of each agency shall 
develop training for covered individuals on how to identify and respond 
to an incident, including--</DELETED>
        <DELETED>    ``(1) the internal process of the agency for 
        reporting an incident; and</DELETED>
        <DELETED>    ``(2) the obligation of a covered individual to 
        report to the agency any suspected or confirmed incident 
        involving Federal information in any medium or form, including 
        paper, oral, and electronic.</DELETED>
<DELETED>    ``(d) Inclusion in Annual Training.--The training 
developed under subsection (c) may be included as part of an annual 
privacy, security awareness, or other appropriate training of an 
agency.</DELETED>
<DELETED>``Sec. 3597. Analysis and report on Federal 
              incidents</DELETED>
<DELETED>    ``(a) Analysis of Federal Incidents.--</DELETED>
        <DELETED>    ``(1) Quantitative and qualitative analyses.--The 
        Director of the Cybersecurity and Infrastructure Security 
        Agency shall perform and, in coordination with the Director and 
        the National Cyber Director, develop, continuous monitoring and 
        quantitative and qualitative analyses of incidents at agencies, 
        including major incidents, including--</DELETED>
                <DELETED>    ``(A) the causes of incidents, including--
                </DELETED>
                        <DELETED>    ``(i) attacker tactics, 
                        techniques, and procedures; and</DELETED>
                        <DELETED>    ``(ii) system vulnerabilities, 
                        including zero days, unpatched systems, and 
                        information system misconfigurations;</DELETED>
                <DELETED>    ``(B) the scope and scale of incidents at 
                agencies;</DELETED>
                <DELETED>    ``(C) common root causes of incidents 
                across multiple agencies;</DELETED>
                <DELETED>    ``(D) agency incident response, recovery, 
                and remediation actions and the effectiveness of those 
                actions, as applicable;</DELETED>
                <DELETED>    ``(E) lessons learned and recommendations 
                in responding to, recovering from, remediating, and 
                mitigating future incidents; and</DELETED>
                <DELETED>    ``(F) trends across multiple agencies to 
                address intrusion detection and incident response 
                capabilities using the metrics established under 
                section 224(c) of the Cybersecurity Act of 2015 (6 
                U.S.C. 1522(c)).</DELETED>
        <DELETED>    ``(2) Automated analysis.--The analyses developed 
        under paragraph (1) shall, to the greatest extent practicable, 
        use machine readable data, automation, and machine learning 
        processes.</DELETED>
        <DELETED>    ``(3) Sharing of data and analysis.--</DELETED>
                <DELETED>    ``(A) In general.--The Director of the 
                Cybersecurity and Infrastructure Security Agency shall 
                share on an ongoing basis the analyses and underlying 
                data required under this subsection with agencies, the 
                Director, and the National Cyber Director to--
                </DELETED>
                        <DELETED>    ``(i) improve the understanding of 
                        cybersecurity risk of agencies; and</DELETED>
                        <DELETED>    ``(ii) support the cybersecurity 
                        improvement efforts of agencies.</DELETED>
                <DELETED>    ``(B) Format.--In carrying out 
                subparagraph (A), the Director of the Cybersecurity and 
                Infrastructure Security Agency shall share the 
                analyses--</DELETED>
                        <DELETED>    ``(i) in human-readable written 
                        products; and</DELETED>
                        <DELETED>    ``(ii) to the greatest extent 
                        practicable, in machine-readable formats in 
                        order to enable automated intake and use by 
                        agencies.</DELETED>
                <DELETED>    ``(C) Exemption.--This subsection shall 
                not apply to incidents that occur exclusively on 
                national security systems.</DELETED>
<DELETED>    ``(b) Annual Report on Federal Incidents.--Not later than 
2 years after the date of enactment of this section, and not less 
frequently than annually thereafter, the Director of the Cybersecurity 
and Infrastructure Security Agency, in consultation with the Director, 
the National Cyber Director and the heads of other agencies, as 
appropriate, shall submit to the appropriate reporting entities a 
report that includes--</DELETED>
        <DELETED>    ``(1) a summary of causes of incidents from across 
        the Federal Government that categorizes those incidents as 
        incidents or major incidents;</DELETED>
        <DELETED>    ``(2) the quantitative and qualitative analyses of 
        incidents developed under subsection (a)(1) on an agency-by-
        agency basis and comprehensively across the Federal Government, 
        including--</DELETED>
                <DELETED>    ``(A) a specific analysis of breaches; 
                and</DELETED>
                <DELETED>    ``(B) an analysis of the Federal 
                Government's performance against the metrics 
                established under section 224(c) of the Cybersecurity 
                Act of 2015 (6 U.S.C. 1522(c)); and</DELETED>
        <DELETED>    ``(3) an annex for each agency that includes--
        </DELETED>
                <DELETED>    ``(A) a description of each major 
                incident;</DELETED>
                <DELETED>    ``(B) the total number of incidents of the 
                agency; and</DELETED>
                <DELETED>    ``(C) an analysis of the agency's 
                performance against the metrics established under 
                section 224(c) of the Cybersecurity Act of 2015 (6 
                U.S.C. 1522(c)).</DELETED>
<DELETED>    ``(c) Publication.--</DELETED>
        <DELETED>    ``(1) In general.--The Director of the 
        Cybersecurity and Infrastructure Security Agency shall make a 
        version of each report submitted under subsection (b) publicly 
        available on the website of the Cybersecurity and 
        Infrastructure Security Agency during the year during which the 
        report is submitted.</DELETED>
        <DELETED>    ``(2) Exemption.--The publication requirement 
        under paragraph (1) shall not apply to a portion of a report 
        that contains content that should be protected in the interest 
        of national security, as determined by the Director, the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, or the National Cyber Director.</DELETED>
        <DELETED>    ``(3) Limitation on exemption.--The exemption 
        under paragraph (2) shall not apply to any version of a report 
        submitted to the appropriate reporting entities under 
        subsection (b).</DELETED>
        <DELETED>    ``(4) Requirement for compiling information.--
        </DELETED>
                <DELETED>    ``(A) Compilation.--Subject to 
                subparagraph (B), in making a report publicly available 
                under paragraph (1), the Director of the Cybersecurity 
                and Infrastructure Security Agency shall sufficiently 
                compile information so that no specific incident of an 
                agency can be identified.</DELETED>
                <DELETED>    ``(B) Exception.--The Director of the 
                Cybersecurity and Infrastructure Security Agency may 
                include information that enables a specific incident of 
                an agency to be identified in a publicly available 
                report--</DELETED>
                        <DELETED>    ``(i) with the concurrence of the 
                        Director and the National Cyber 
                        Director;</DELETED>
                        <DELETED>    ``(ii) in consultation with the 
                        impacted agency; and</DELETED>
                        <DELETED>    ``(iii) in consultation with the 
                        inspector general of the impacted 
                        agency.</DELETED>
<DELETED>    ``(d) Information Provided by Agencies.--</DELETED>
        <DELETED>    ``(1) In general.--The analysis required under 
        subsection (a) and each report submitted under subsection (b) 
        shall use information provided by agencies under section 
        3594(a).</DELETED>
        <DELETED>    ``(2) Noncompliance reports.--During any year 
        during which the head of an agency does not provide data for an 
        incident to the Cybersecurity and Infrastructure Security 
        Agency in accordance with section 3594(a), the head of the 
        agency, in coordination with the Director of the Cybersecurity 
        and Infrastructure Security Agency and the Director, shall 
        submit to the appropriate reporting entities a report that 
        includes the information described in subsection (b) with 
        respect to the agency.</DELETED>
<DELETED>    ``(e) National Security System Reports.--</DELETED>
        <DELETED>    ``(1) In general.--Notwithstanding any other 
        provision of this section, the Secretary of Defense, in 
        consultation with the Director, the National Cyber Director, 
        the Director of National Intelligence, and the Director of 
        Cybersecurity and Infrastructure Security shall annually submit 
        a report that includes the information described in subsection 
        (b) with respect to national security systems, to the extent 
        that the submission is consistent with standards and guidelines 
        for national security systems issued in accordance with law and 
        as directed by the President, to--</DELETED>
                <DELETED>    ``(A) the majority and minority leaders of 
                the Senate;</DELETED>
                <DELETED>    ``(B) the Speaker and minority leader of 
                the House of Representatives;</DELETED>
                <DELETED>    ``(C) the Committee on Homeland Security 
                and Governmental Affairs of the Senate;</DELETED>
                <DELETED>    ``(D) the Select Committee on Intelligence 
                of the Senate;</DELETED>
                <DELETED>    ``(E) the Committee on Armed Services of 
                the Senate;</DELETED>
                <DELETED>    ``(F) the Committee on Appropriations of 
                the Senate;</DELETED>
                <DELETED>    ``(G) the Committee on Oversight and 
                Accountability of the House of 
                Representatives;</DELETED>
                <DELETED>    ``(H) the Committee on Homeland Security 
                of the House of Representatives;</DELETED>
                <DELETED>    ``(I) the Permanent Select Committee on 
                Intelligence of the House of Representatives;</DELETED>
                <DELETED>    ``(J) the Committee on Armed Services of 
                the House of Representatives; and</DELETED>
                <DELETED>    ``(K) the Committee on Appropriations of 
                the House of Representatives.</DELETED>
        <DELETED>    ``(2) Classified form.--A report required under 
        paragraph (1) may be submitted in a classified form.</DELETED>
<DELETED>``Sec. 3598. Major incident definition</DELETED>
<DELETED>    ``(a) In General.--Not later than 1 year after the later 
of the date of enactment of the Federal Information Security 
Modernization Act of 2023 and the most recent publication by the 
Director of guidance to agencies regarding major incidents as of the 
date of enactment of the Federal Information Security Modernization Act 
of 2023, the Director shall develop, in coordination with the National 
Cyber Director, and promulgate guidance on the definition of the term 
`major incident' for the purposes of subchapter II and this 
subchapter.</DELETED>
<DELETED>    ``(b) Requirements.--With respect to the guidance issued 
under subsection (a), the definition of the term `major incident' 
shall--</DELETED>
        <DELETED>    ``(1) include, with respect to any information 
        collected or maintained by or on behalf of an agency or a 
        Federal information system--</DELETED>
                <DELETED>    ``(A) any incident the head of the agency 
                determines is likely to result in demonstrable harm 
                to--</DELETED>
                        <DELETED>    ``(i) the national security 
                        interests, foreign relations, homeland 
                        security, or economic security of the United 
                        States; or</DELETED>
                        <DELETED>    ``(ii) the civil liberties, public 
                        confidence, privacy, or public health and 
                        safety of the people of the United 
                        States;</DELETED>
                <DELETED>    ``(B) any incident the head of the agency 
                determines likely to result in an inability or 
                substantial disruption for the agency, a component of 
                the agency, or the Federal Government, to provide 1 or 
                more critical services;</DELETED>
                <DELETED>    ``(C) any incident the head of the agency 
                determines substantially disrupts or substantially 
                degrades the operations of a high value asset owned or 
                operated by the agency;</DELETED>
                <DELETED>    ``(D) any incident involving the exposure 
                to a foreign entity of sensitive agency information, 
                such as the communications of the head of the agency, 
                the head of a component of the agency, or the direct 
                reports of the head of the agency or the head of a 
                component of the agency; and</DELETED>
                <DELETED>    ``(E) any other type of incident 
                determined appropriate by the Director;</DELETED>
        <DELETED>    ``(2) stipulate that the National Cyber Director, 
        in consultation with the Director and the Director of the 
        Cybersecurity and Infrastructure Security Agency, may declare a 
        major incident at any agency, and such a declaration shall be 
        considered if it is determined that an incident--</DELETED>
                <DELETED>    ``(A) occurs at not less than 2 agencies; 
                and</DELETED>
                <DELETED>    ``(B) is enabled by--</DELETED>
                        <DELETED>    ``(i) a common technical root 
                        cause, such as a supply chain compromise, or a 
                        common software or hardware vulnerability; 
                        or</DELETED>
                        <DELETED>    ``(ii) the related activities of a 
                        common threat actor;</DELETED>
        <DELETED>    ``(3) stipulate that, in determining whether an 
        incident constitutes a major incident under the standards 
        described in paragraph (1), the head of the agency shall 
        consult with the National Cyber Director; and</DELETED>
        <DELETED>    ``(4) stipulate that the mere report of a 
        vulnerability discovered or disclosed without a loss of 
        confidentiality, integrity, or availability shall not on its 
        own constitute a major incident.</DELETED>
<DELETED>    ``(c) Evaluation and Updates.--Not later than 60 days 
after the date on which the Director first promulgates the guidance 
required under subsection (a), and not less frequently than once during 
the first 90 days of each evenly numbered Congress thereafter, the 
Director shall provide to the Committee on Homeland Security and 
Governmental Affairs of the Senate and the Committees on Oversight and 
Accountability and Homeland Security of the House of Representatives a 
briefing that includes--</DELETED>
        <DELETED>    ``(1) an evaluation of any necessary updates to 
        the guidance;</DELETED>
        <DELETED>    ``(2) an evaluation of any necessary updates to 
        the definition of the term `major incident' included in the 
        guidance; and</DELETED>
        <DELETED>    ``(3) an explanation of, and the analysis that led 
        to, the definition described in paragraph (2).''.</DELETED>
        <DELETED>    (2) Clerical amendment.--The table of sections for 
        chapter 35 of title 44, United States Code, is amended by 
        adding at the end the following:</DELETED>

      <DELETED> ``subchapter iv--federal system incident response

<DELETED>``3591. Definitions.
<DELETED>``3592. Notification of breach.
<DELETED>``3593. Congressional and Executive Branch reports.
<DELETED>``3594. Government information sharing and incident response.
<DELETED>``3595. Responsibilities of contractors and awardees.
<DELETED>``3596. Training.
<DELETED>``3597. Analysis and report on Federal incidents.
<DELETED>``3598. Major incident definition.''.

<DELETED>SEC. 4. AMENDMENTS TO SUBTITLE III OF TITLE 40.</DELETED>

<DELETED>    (a) Modernizing Government Technology.--Subtitle G of 
title X of division A of the National Defense Authorization Act for 
Fiscal Year 2018 (40 U.S.C. 11301 note) is amended in section 1078--
</DELETED>
        <DELETED>    (1) by striking subsection (a) and inserting the 
        following:</DELETED>
<DELETED>    ``(a) Definitions.--In this section:</DELETED>
        <DELETED>    ``(1) Agency.--The term `agency' has the meaning 
        given the term in section 551 of title 5, United States 
        Code.</DELETED>
        <DELETED>    ``(2) High value asset.--The term `high value 
        asset' has the meaning given the term in section 3552 of title 
        44, United States Code.'';</DELETED>
        <DELETED>    (2) in subsection (b), by adding at the end the 
        following:</DELETED>
        <DELETED>    ``(8) Proposal evaluation.--The Director shall--
        </DELETED>
                <DELETED>    ``(A) give consideration for the use of 
                amounts in the Fund to improve the security of high 
                value assets; and</DELETED>
                <DELETED>    ``(B) require that any proposal for the 
                use of amounts in the Fund includes, as appropriate--
                </DELETED>
                        <DELETED>    ``(i) a cybersecurity risk 
                        management plan; and</DELETED>
                        <DELETED>    ``(ii) a supply chain risk 
                        assessment in accordance with section 1326 of 
                        title 41.''; and</DELETED>
        <DELETED>    (3) in subsection (c)--</DELETED>
                <DELETED>    (A) in paragraph (2)(A)(i), by inserting 
                ``, including a consideration of the impact on high 
                value assets'' after ``operational risks'';</DELETED>
                <DELETED>    (B) in paragraph (5)--</DELETED>
                        <DELETED>    (i) in subparagraph (A), by 
                        striking ``and'' at the end;</DELETED>
                        <DELETED>    (ii) in subparagraph (B), by 
                        striking the period at the end and inserting 
                        ``and''; and</DELETED>
                        <DELETED>    (iii) by adding at the end the 
                        following:</DELETED>
                <DELETED>    ``(C) a senior official from the 
                Cybersecurity and Infrastructure Security Agency of the 
                Department of Homeland Security, appointed by the 
                Director.''; and</DELETED>
                <DELETED>    (C) in paragraph (6)(A), by striking 
                ``shall be--'' and all that follows through ``4 
                employees'' and inserting ``shall be 4 
                employees''.</DELETED>
<DELETED>    (b) Subchapter I.--Subchapter I of chapter 113 of subtitle 
III of title 40, United States Code, is amended--</DELETED>
        <DELETED>    (1) in section 11302--</DELETED>
                <DELETED>    (A) in subsection (b), by striking ``use, 
                security, and disposal of'' and inserting ``use, and 
                disposal of, and, in consultation with the Director of 
                the Cybersecurity and Infrastructure Security Agency 
                and the National Cyber Director, promote and improve 
                the security of,''; and</DELETED>
                <DELETED>    (B) in subsection (h), by inserting ``, 
                including cybersecurity performances,'' after ``the 
                performances''; and</DELETED>
        <DELETED>    (2) in section 11303(b)(2)(B)--</DELETED>
                <DELETED>    (A) in clause (i), by striking ``or'' at 
                the end;</DELETED>
                <DELETED>    (B) in clause (ii), by adding ``or'' at 
                the end; and</DELETED>
                <DELETED>    (C) by adding at the end the 
                following:</DELETED>
                        <DELETED>    ``(iii) whether the function 
                        should be performed by a shared service offered 
                        by another executive agency;''.</DELETED>
<DELETED>    (c) Subchapter II.--Subchapter II of chapter 113 of 
subtitle III of title 40, United States Code, is amended--</DELETED>
        <DELETED>    (1) in section 11312(a), by inserting ``, 
        including security risks'' after ``managing the 
        risks'';</DELETED>
        <DELETED>    (2) in section 11313(1), by striking ``efficiency 
        and effectiveness'' and inserting ``efficiency, security, and 
        effectiveness'';</DELETED>
        <DELETED>    (3) in section 11317, by inserting ``security,'' 
        before ``or schedule''; and</DELETED>
        <DELETED>    (4) in section 11319(b)(1), in the paragraph 
        heading, by striking ``CIOS'' and inserting ``Chief information 
        officers''.</DELETED>

<DELETED>SEC. 5. ACTIONS TO ENHANCE FEDERAL INCIDENT 
              TRANSPARENCY.</DELETED>

<DELETED>    (a) Responsibilities of the Cybersecurity and 
Infrastructure Security Agency.--</DELETED>
        <DELETED>    (1) In general.--Not later than 180 days after the 
        date of enactment of this Act, the Director of the 
        Cybersecurity and Infrastructure Security Agency shall--</DELETED>
                <DELETED>    (A) develop a plan for the development of 
                the analysis required under section 3597(a) of title 
                44, United States Code, as added by this Act, and the 
                report required under subsection (b) of that section 
                that includes--</DELETED>
                        <DELETED>    (i) a description of any 
                        challenges the Director of the Cybersecurity 
                        and Infrastructure Security Agency anticipates 
                        encountering; and</DELETED>
                        <DELETED>    (ii) the use of automation and 
                        machine-readable formats for collecting, 
                        compiling, monitoring, and analyzing data; 
                        and</DELETED>
                <DELETED>    (B) provide to the appropriate 
                congressional committees a briefing on the plan 
                developed under subparagraph (A).</DELETED>
        <DELETED>    (2) Briefing.--Not later than 1 year after the 
        date of enactment of this Act, the Director of the 
        Cybersecurity and Infrastructure Security Agency shall provide 
        to the appropriate congressional committees a briefing on--</DELETED>
                <DELETED>    (A) the execution of the plan required 
                under paragraph (1)(A); and</DELETED>
                <DELETED>    (B) the development of the report required 
                under section 3597(b) of title 44, United States Code, 
                as added by this Act.</DELETED>
<DELETED>    (b) Responsibilities of the Director of the Office of 
Management and Budget.--</DELETED>
        <DELETED>    (1) Updating fisma 2014.--Section 2 of the Federal 
        Information Security Modernization Act of 2014 (Public Law 113-
        283; 128 Stat. 3073) is amended--</DELETED>
                <DELETED>    (A) by striking subsections (b) and (d); 
                and</DELETED>
                <DELETED>    (B) by redesignating subsections (c), (e), 
                and (f) as subsections (b), (c), and (d), 
                respectively.</DELETED>
        <DELETED>    (2) Incident data sharing.--</DELETED>
                <DELETED>    (A) In general.--The Director, in 
                coordination with the Director of the Cybersecurity and 
                Infrastructure Security Agency, shall develop, and as 
                appropriate update, guidance, on the content, 
                timeliness, and format of the information provided by 
                agencies under section 3594(a) of title 44, United 
                States Code, as added by this Act.</DELETED>
                <DELETED>    (B) Requirements.--The guidance developed 
                under subparagraph (A) shall--</DELETED>
                        <DELETED>    (i) enable the efficient 
                        development of--</DELETED>
                                <DELETED>    (I) lessons learned and 
                                recommendations in responding to, 
                                recovering from, remediating, and 
                                mitigating future incidents; 
                                and</DELETED>
                                <DELETED>    (II) the report on Federal 
                                incidents required under section 
                                3597(b) of title 44, United States 
                                Code, as added by this Act; 
                                and</DELETED>
                        <DELETED>    (ii) include requirements for the 
                        timeliness of data production.</DELETED>
                <DELETED>    (C) Automation.--The Director, in 
                coordination with the Director of the Cybersecurity and 
                Infrastructure Security Agency, shall promote, as 
                feasible, the use of automation and machine-readable 
                data for data sharing under section 3594(a) of title 
                44, United States Code, as added by this Act.</DELETED>
        <DELETED>    (3) Contractor and awardee guidance.--</DELETED>
                <DELETED>    (A) In general.--Not later than 1 year 
                after the date of enactment of this Act, the Director 
                shall issue guidance to agencies on how to deconflict, 
                to the greatest extent practicable, existing 
                regulations, policies, and procedures relating to the 
                responsibilities of contractors and awardees 
                established under section 3595 of title 44, United 
                States Code, as added by this Act.</DELETED>
                <DELETED>    (B) Existing processes.--To the greatest 
                extent practicable, the guidance issued under 
                subparagraph (A) shall allow contractors and awardees 
                to use existing processes for notifying agencies of 
                incidents involving information of the Federal 
                Government.</DELETED>
<DELETED>    (c) Update to the Privacy Act of 1974.--Section 552a(b) of 
title 5, United States Code (commonly known as the ``Privacy Act of 
1974'') is amended--</DELETED>
        <DELETED>    (1) in paragraph (11), by striking ``or'' at the 
        end;</DELETED>
        <DELETED>    (2) in paragraph (12), by striking the period at 
        the end and inserting ``; or''; and</DELETED>
        <DELETED>    (3) by adding at the end the following:</DELETED>
        <DELETED>    ``(13) to another agency, to the extent necessary, 
        to assist the recipient agency in responding to an incident (as 
        defined in section 3552 of title 44) or breach (as defined in 
        section 3591 of title 44) or to fulfill the information sharing 
        requirements under section 3594 of title 44.''.</DELETED>

<DELETED>SEC. 6. ADDITIONAL GUIDANCE TO AGENCIES ON FISMA 
              UPDATES.</DELETED>

<DELETED>    (a) In General.--Not later than 1 year after the date of 
enactment of this Act, the Director shall issue guidance for agencies 
on--</DELETED>
        <DELETED>    (1) performing the ongoing and continuous agency 
        system risk assessment required under section 3554(a)(1)(A) of 
        title 44, United States Code, as amended by this Act; 
        and</DELETED>
        <DELETED>    (2) establishing a process for securely providing 
        the status of each remedial action for high value assets under 
        section 3554(b)(7) of title 44, United States Code, as amended 
        by this Act, to the Director and the Director of the 
        Cybersecurity and Infrastructure Security Agency using 
        automation and machine-readable data, as practicable, which 
        shall include--</DELETED>
                <DELETED>    (A) specific guidance for the use of 
                automation and machine-readable data; and</DELETED>
                <DELETED>    (B) templates for providing the status of 
                the remedial action.</DELETED>
<DELETED>    (b) Coordination.--The head of each agency shall 
coordinate with the inspector general of the agency, as applicable, to 
ensure consistent understanding of agency policies for the purpose of 
evaluations conducted by the inspector general.</DELETED>

<DELETED>SEC. 7. AGENCY REQUIREMENTS TO NOTIFY PRIVATE SECTOR ENTITIES 
              IMPACTED BY INCIDENTS.</DELETED>

<DELETED>    (a) Definitions.--In this section:</DELETED>
        <DELETED>    (1) Reporting entity.--The term ``reporting 
        entity'' means a private organization or governmental unit that 
        is required by statute or regulation to submit sensitive 
        information to an agency.</DELETED>
        <DELETED>    (2) Sensitive information.--The term ``sensitive 
        information'' has the meaning given the term by the Director in 
        guidance issued under subsection (b).</DELETED>
<DELETED>    (b) Guidance on Notification of Reporting Entities.--Not 
later than 1 year after the date of enactment of this Act, the Director 
shall develop, in consultation with the National Cyber Director, and 
issue guidance requiring the head of each agency to notify a reporting 
entity, and take into consideration the need to coordinate with Sector 
Risk Management Agencies (as defined in section 2200 of the Homeland 
Security Act of 2002 (6 U.S.C. 650)), as appropriate, of an incident at 
the agency that is likely to substantially affect--</DELETED>
        <DELETED>    (1) the confidentiality or integrity of sensitive 
        information submitted by the reporting entity to the agency 
        pursuant to a statutory or regulatory requirement; or</DELETED>
        <DELETED>    (2) any information system (as defined in section 
        3502 of title 44, United States Code) used in the transmission 
        or storage of the sensitive information described in paragraph 
        (1).</DELETED>

<DELETED>SEC. 8. MOBILE SECURITY BRIEFINGS.</DELETED>

<DELETED>    (a) In General.--Not later than 180 days after the date of 
enactment of this Act, the Director shall provide to the appropriate 
congressional committees--</DELETED>
        <DELETED>    (1) a briefing on the compliance of agencies with 
        the No TikTok on Government Devices Act (44 U.S.C. 3553 note; 
        Public Law 117-328); and</DELETED>
        <DELETED>    (2) as a component of the briefing required under 
        paragraph (1), a list of each exception of an agency from the 
        No TikTok on Government Devices Act (44 U.S.C. 3553 note; 
        Public Law 117-328), which may include a classified 
        annex.</DELETED>
<DELETED>    (b) Additional Briefing.--Not later than 1 year after the 
date of the briefing required under subsection (a)(1), the Director 
shall provide to the appropriate congressional committees--</DELETED>
        <DELETED>    (1) a briefing on the compliance of any agency 
        that was not compliant with the No TikTok on Government Devices 
        Act (44 U.S.C. 3553 note; Public Law 117-328) at the time of 
        the briefing required under subsection (a)(1); and</DELETED>
        <DELETED>    (2) as a component of the briefing required under 
        paragraph (1), an update to the list required under subsection 
        (a)(2).</DELETED>

<DELETED>SEC. 9. DATA AND LOGGING RETENTION FOR INCIDENT 
              RESPONSE.</DELETED>

<DELETED>    (a) Guidance.--Not later than 2 years after the date of 
enactment of this Act the Director, in consultation with the National 
Cyber Director and the Director of the Cybersecurity and Infrastructure 
Security Agency, shall update guidance to agencies regarding 
requirements for logging, log retention, log management, sharing of log 
data with other appropriate agencies, or any other logging activity 
determined to be appropriate by the Director.</DELETED>
<DELETED>    (b) National Security Systems.--The Secretary of Defense 
shall issue guidance that meets or exceeds the standards required in 
guidance issued under subsection (a) for National Security 
Systems.</DELETED>

<DELETED>SEC. 10. CISA AGENCY LIAISONS.</DELETED>

<DELETED>    (a) In General.--Not later than 120 days after the date of 
enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency shall assign not less than 1 
cybersecurity professional employed by the Cybersecurity and 
Infrastructure Security Agency to be the Cybersecurity and 
Infrastructure Security Agency liaison to the Chief Information 
Security Officer of each agency.</DELETED>
<DELETED>    (b) Qualifications.--Each liaison assigned under 
subsection (a) shall have knowledge of--</DELETED>
        <DELETED>    (1) cybersecurity threats facing agencies, 
        including any specific threats to the assigned 
        agency;</DELETED>
        <DELETED>    (2) risk assessments of agency systems; 
        and</DELETED>
        <DELETED>    (3) other Federal cybersecurity 
        initiatives.</DELETED>
<DELETED>    (c) Duties.--The duties of each liaison assigned under 
subsection (a) shall include--</DELETED>
        <DELETED>    (1) providing, as requested, assistance and advice 
        to the agency Chief Information Security Officer;</DELETED>
        <DELETED>    (2) supporting, as requested, incident response 
        coordination between the assigned agency and the Cybersecurity 
        and Infrastructure Security Agency;</DELETED>
        <DELETED>    (3) becoming familiar with assigned agency 
        systems, processes, and procedures to better facilitate support 
        to the agency; and</DELETED>
        <DELETED>    (4) other liaison duties to the assigned agency 
        solely in furtherance of Federal cybersecurity or support to 
        the assigned agency as a Sector Risk Management Agency, as 
        assigned by the Director of the Cybersecurity and 
        Infrastructure Security Agency in consultation with the head of 
        the assigned agency.</DELETED>
<DELETED>    (d) Limitation.--A liaison assigned under subsection (a) 
shall not be a contractor.</DELETED>
<DELETED>    (e) Multiple Assignments.--One individual liaison may be 
assigned to multiple agency Chief Information Security Officers under 
subsection (a).</DELETED>
<DELETED>    (f) Coordination of Activities.--The Director of the 
Cybersecurity and Infrastructure Security Agency shall consult with the 
Director on the execution of the duties of the Cybersecurity and 
Infrastructure Security Agency liaisons to ensure that there is no 
inappropriate duplication of activities among--</DELETED>
        <DELETED>    (1) Federal cybersecurity support to agencies of 
        the Office of Management and Budget; and</DELETED>
        <DELETED>    (2) the Cybersecurity and Infrastructure Security 
        Agency liaison.</DELETED>
<DELETED>    (g) Rule of Construction.--Nothing in this section shall 
be construed to impact the ability of the Director to support agency 
implementation of Federal cybersecurity requirements pursuant to 
subchapter II of chapter 35 of title 44, United States Code, as amended 
by this Act.</DELETED>

<DELETED>SEC. 11. FEDERAL PENETRATION TESTING POLICY.</DELETED>

<DELETED>    (a) In General.--Subchapter II of chapter 35 of title 44, 
United States Code, is amended by adding at the end the 
following:</DELETED>
<DELETED>``Sec. 3559A. Federal penetration testing</DELETED>
<DELETED>    ``(a) Guidance.--The Director, in consultation with the 
Director of the Cybersecurity and Infrastructure Security Agency, shall 
issue guidance to agencies that--</DELETED>
        <DELETED>    ``(1) requires agencies to perform penetration 
        testing on information systems, as appropriate, including on 
        high value assets;</DELETED>
        <DELETED>    ``(2) provides policies governing the development 
        of--</DELETED>
                <DELETED>    ``(A) rules of engagement for using 
                penetration testing; and</DELETED>
                <DELETED>    ``(B) procedures to use the results of 
                penetration testing to improve the cybersecurity and 
                risk management of the agency;</DELETED>
        <DELETED>    ``(3) ensures that operational support or a shared 
        service is available; and</DELETED>
        <DELETED>    ``(4) in no manner restricts the authority of the 
        Secretary of Homeland Security or the Director of the 
        Cybersecurity and Infrastructure Security Agency to conduct 
        threat hunting pursuant to section 3553 of title 44, United 
        States Code, or penetration testing under this chapter.</DELETED>
<DELETED>    ``(b) Exception for National Security Systems.--The 
guidance issued under subsection (a) shall not apply to national 
security systems.</DELETED>
<DELETED>    ``(c) Delegation of Authority for Certain Systems.--The 
authorities of the Director described in subsection (a) shall be 
delegated to--</DELETED>
        <DELETED>    ``(1) the Secretary of Defense in the case of a 
        system described in section 3553(e)(2); and</DELETED>
        <DELETED>    ``(2) the Director of National Intelligence in the 
        case of a system described in section 3553(e)(3).''.</DELETED>
<DELETED>    (b) Existing Guidance.--</DELETED>
        <DELETED>    (1) In general.--Compliance with guidance issued 
        by the Director relating to penetration testing before the date 
        of enactment of this Act shall be deemed to be compliance with 
        section 3559A of title 44, United States Code, as added by this 
        Act.</DELETED>
        <DELETED>    (2) Immediate new guidance not required.--Nothing 
        in section 3559A of title 44, United States Code, as added by 
        this Act, shall be construed to require the Director to issue 
        new guidance to agencies relating to penetration testing before 
        the date described in paragraph (3).</DELETED>
        <DELETED>    (3) Guidance updates.--Notwithstanding paragraphs 
        (1) and (2), not later than 2 years after the date of enactment 
        of this Act, the Director shall review and, as appropriate, 
        update existing guidance requiring penetration testing by 
        agencies.</DELETED>
<DELETED>    (c) Clerical Amendment.--The table of sections for chapter 
35 of title 44, United States Code, is amended by adding after the item 
relating to section 3559 the following:</DELETED>

<DELETED>``3559A. Federal penetration testing.''.
<DELETED>    (d) Penetration Testing by the Secretary of Homeland 
Security.--Section 3553(b) of title 44, United States Code, as amended 
by this Act, is further amended by inserting after paragraph (8) the 
following:</DELETED>
        <DELETED>    ``(9) performing penetration testing that may 
        leverage manual expert analysis to identify threats and 
        vulnerabilities within information systems--</DELETED>
                <DELETED>    ``(A) without consent or authorization 
                from agencies; and</DELETED>
                <DELETED>    ``(B) with prior notification to the head 
                of the agency;''.</DELETED>

<DELETED>SEC. 12. VULNERABILITY DISCLOSURE POLICIES.</DELETED>

<DELETED>    (a) In General.--Chapter 35 of title 44, United States 
Code, is amended by inserting after section 3559A, as added by this 
Act, the following:</DELETED>
<DELETED>``Sec. 3559B. Federal vulnerability disclosure 
              policies</DELETED>
<DELETED>    ``(a) Purpose; Sense of Congress.--</DELETED>
        <DELETED>    ``(1) Purpose.--The purpose of Federal 
        vulnerability disclosure policies is to create a mechanism to 
        enable the public to inform agencies of vulnerabilities in 
        Federal information systems.</DELETED>
        <DELETED>    ``(2) Sense of congress.--It is the sense of 
        Congress that, in implementing the requirements of this 
        section, the Federal Government should take appropriate steps 
        to reduce real and perceived burdens in communications between 
        agencies and security researchers.</DELETED>
<DELETED>    ``(b) Definitions.--In this section:</DELETED>
        <DELETED>    ``(1) Contractor.--The term `contractor' has the 
        meaning given the term in section 3591.</DELETED>
        <DELETED>    ``(2) Internet of things.--The term `internet of 
        things' has the meaning given the term in Special Publication 
        800-213 of the National Institute of Standards and Technology, 
        entitled `IoT Device Cybersecurity Guidance for the Federal 
        Government: Establishing IoT Device Cybersecurity 
        Requirements', or any successor document.</DELETED>
        <DELETED>    ``(3) Security vulnerability.--The term `security 
        vulnerability' has the meaning given the term in section 102 of 
        the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 
        1501).</DELETED>
        <DELETED>    ``(4) Submitter.--The term `submitter' means an 
        individual that submits a vulnerability disclosure report 
        pursuant to the vulnerability disclosure process of an 
        agency.</DELETED>
        <DELETED>    ``(5) Vulnerability disclosure report.--The term 
        `vulnerability disclosure report' means a disclosure of a 
        security vulnerability made to an agency by a 
        submitter.</DELETED>
<DELETED>    ``(c) Guidance.--The Director shall issue guidance to 
agencies that includes--</DELETED>
        <DELETED>    ``(1) use of the information system security 
        vulnerabilities disclosure process guidelines established under 
        section 4(a)(1) of the IoT Cybersecurity Improvement Act of 
        2020 (15 U.S.C. 278g-3b(a)(1));</DELETED>
        <DELETED>    ``(2) direction to not recommend or pursue legal 
        action against a submitter or an individual that conducts a 
        security research activity that--</DELETED>
                <DELETED>    ``(A) represents a good faith effort to 
                identify and report security vulnerabilities in 
                information systems; or</DELETED>
                <DELETED>    ``(B) otherwise represents a good faith 
                effort to follow the vulnerability disclosure policy of 
                the agency developed under subsection (f)(2);</DELETED>
        <DELETED>    ``(3) direction on sharing relevant information in 
        a consistent, automated, and machine readable manner with the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency;</DELETED>
        <DELETED>    ``(4) the minimum scope of agency systems required 
        to be covered by the vulnerability disclosure policy of an 
        agency required under subsection (f)(2), including exemptions 
        under subsection (g);</DELETED>
        <DELETED>    ``(5) requirements for providing information to 
        the submitter of a vulnerability disclosure report on the 
        resolution of the vulnerability disclosure report;</DELETED>
        <DELETED>    ``(6) a stipulation that the mere identification 
        by a submitter of a security vulnerability, without a 
        significant compromise of confidentiality, integrity, or 
        availability, does not constitute a major incident; 
        and</DELETED>
        <DELETED>    ``(7) the applicability of the guidance to 
        Internet of things devices owned or controlled by an 
        agency.</DELETED>
<DELETED>    ``(d) Consultation.--In developing the guidance required 
under subsection (c)(3), the Director shall consult with the Director 
of the Cybersecurity and Infrastructure Security Agency.</DELETED>
<DELETED>    ``(e) Responsibilities of CISA.--The Director of the 
Cybersecurity and Infrastructure Security Agency shall--</DELETED>
        <DELETED>    ``(1) provide support to agencies with respect to 
        the implementation of the requirements of this 
        section;</DELETED>
        <DELETED>    ``(2) develop tools, processes, and other 
        mechanisms determined appropriate to offer agencies 
        capabilities to implement the requirements of this 
        section;</DELETED>
        <DELETED>    ``(3) upon a request by an agency, assist the 
        agency in the disclosure to vendors of newly identified 
        security vulnerabilities in vendor products and services; 
        and</DELETED>
        <DELETED>    ``(4) as appropriate, implement the requirements 
        of this section, in accordance with the authority under section 
        3553(b)(8), as a shared service available to 
        agencies.</DELETED>
<DELETED>    ``(f) Responsibilities of Agencies.--</DELETED>
        <DELETED>    ``(1) Public information.--The head of each agency 
        shall make publicly available, with respect to each internet 
        domain under the control of the agency that is not a national 
        security system and to the extent consistent with the security 
        of information systems but with the presumption of disclosure--</DELETED>
                <DELETED>    ``(A) an appropriate security contact; 
                and</DELETED>
                <DELETED>    ``(B) the component of the agency that is 
                responsible for the internet accessible services 
                offered at the domain.</DELETED>
        <DELETED>    ``(2) Vulnerability disclosure policy.--The head 
        of each agency shall develop and make publicly available a 
        vulnerability disclosure policy for the agency, which shall--</DELETED>
                <DELETED>    ``(A) describe--</DELETED>
                        <DELETED>    ``(i) the scope of the systems of 
                        the agency included in the vulnerability 
                        disclosure policy, including for Internet of 
                        things devices owned or controlled by the 
                        agency;</DELETED>
                        <DELETED>    ``(ii) the type of information 
                        system testing that is authorized by the 
                        agency;</DELETED>
                        <DELETED>    ``(iii) the type of information 
                        system testing that is not authorized by the 
                        agency;</DELETED>
                        <DELETED>    ``(iv) the disclosure policy for a 
                        contractor; and</DELETED>
                        <DELETED>    ``(v) the disclosure policy of the 
                        agency for sensitive information;</DELETED>
                <DELETED>    ``(B) with respect to a vulnerability 
                disclosure report to an agency, describe--</DELETED>
                        <DELETED>    ``(i) how the submitter should 
                        submit the vulnerability disclosure report; 
                        and</DELETED>
                        <DELETED>    ``(ii) if the report is not 
                        anonymous, when the reporter should anticipate 
                        an acknowledgment of receipt of the report by 
                        the agency;</DELETED>
                <DELETED>    ``(C) include any other relevant 
                information; and</DELETED>
                <DELETED>    ``(D) be mature in scope and cover every 
                internet accessible information system used or operated 
                by that agency or on behalf of that agency.</DELETED>
        <DELETED>    ``(3) Identified security vulnerabilities.--The 
        head of each agency shall--</DELETED>
                <DELETED>    ``(A) consider security vulnerabilities 
                reported in accordance with paragraph (2);</DELETED>
                <DELETED>    ``(B) commensurate with the risk posed by 
                the security vulnerability, address such security 
                vulnerability using the security vulnerability 
                management process of the agency; and</DELETED>
                <DELETED>    ``(C) in accordance with subsection 
                (c)(5), provide information to the submitter of a 
                vulnerability disclosure report.</DELETED>
<DELETED>    ``(g) Exemptions.--</DELETED>
        <DELETED>    ``(1) In general.--The Director and the head of 
        each agency shall carry out this section in a manner consistent 
        with the protection of national security information.</DELETED>
        <DELETED>    ``(2) Limitation.--The Director and the head of 
        each agency may not publish under subsection (f)(1) or include 
        in a vulnerability disclosure policy under subsection (f)(2) 
        host names, services, information systems, or other information 
        that the Director or the head of an agency, in coordination 
        with the Director and other appropriate heads of agencies, 
        determines would--</DELETED>
                <DELETED>    ``(A) disrupt a law enforcement 
                investigation;</DELETED>
                <DELETED>    ``(B) endanger national security or 
                intelligence activities; or</DELETED>
                <DELETED>    ``(C) impede national defense activities 
                or military operations.</DELETED>
        <DELETED>    ``(3) National security systems.--This section 
        shall not apply to national security systems.</DELETED>
<DELETED>    ``(h) Delegation of Authority for Certain Systems.--The 
authorities of the Director and the Director of the Cybersecurity and 
Infrastructure Security Agency described in this section shall be 
delegated--</DELETED>
        <DELETED>    ``(1) to the Secretary of Defense in the case of 
        systems described in section 3553(e)(2); and</DELETED>
        <DELETED>    ``(2) to the Director of National Intelligence in 
        the case of systems described in section 3553(e)(3).</DELETED>
<DELETED>    ``(i) Revision of Federal Acquisition Regulation.--The 
Federal Acquisition Regulation shall be revised as necessary to 
implement the provisions under this section.''.</DELETED>
<DELETED>    (b) Clerical Amendment.--The table of sections for chapter 
35 of title 44, United States Code, is amended by adding after the item 
relating to section 3559A, as added by this Act, the 
following:</DELETED>

<DELETED>``3559B. Federal vulnerability disclosure policies.''.
<DELETED>    (c) Conforming Update and Repeal.--</DELETED>
        <DELETED>    (1) Guidelines on the disclosure process for 
        security vulnerabilities relating to information systems, 
        including internet of things devices.--Section 5 of the IoT 
        Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-3c) is 
        amended by striking subsections (d) and (e).</DELETED>
        <DELETED>    (2) Implementation and contractor compliance.--The 
        IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-3a et 
        seq.) is amended--</DELETED>
                <DELETED>    (A) by striking section 6 (15 U.S.C. 278g-
                3d); and</DELETED>
                <DELETED>    (B) by striking section 7 (15 U.S.C. 278g-
                3e).</DELETED>

<DELETED>SEC. 13. IMPLEMENTING ZERO TRUST ARCHITECTURE.</DELETED>

<DELETED>    (a) Briefings.--Not later than 1 year after the date of 
enactment of this Act, the Director shall provide to the Committee on 
Homeland Security and Governmental Affairs of the Senate and the 
Committees on Oversight and Accountability and Homeland Security of the 
House of Representatives a briefing on progress in increasing the 
internal defenses of agency systems, including--</DELETED>
        <DELETED>    (1) shifting away from trusted networks to 
        implement security controls based on a presumption of 
        compromise, including through the transition to zero trust 
        architecture;</DELETED>
        <DELETED>    (2) implementing principles of least privilege in 
        administering information security programs;</DELETED>
        <DELETED>    (3) limiting the ability of entities that cause 
        incidents to move laterally through or between agency 
        systems;</DELETED>
        <DELETED>    (4) identifying incidents quickly;</DELETED>
        <DELETED>    (5) isolating and removing unauthorized entities 
        from agency systems as quickly as practicable, accounting for 
        intelligence or law enforcement purposes; and</DELETED>
        <DELETED>    (6) otherwise increasing the resource costs for 
        entities that cause incidents to be successful.</DELETED>
<DELETED>    (b) Progress Report.--As a part of each report required to 
be submitted under section 3553(c) of title 44, United States Code, 
during the period beginning on the date that is 4 years after the date 
of enactment of this Act and ending on the date that is 10 years after 
the date of enactment of this Act, the Director shall include an update 
on agency implementation of zero trust architecture, which shall 
include--</DELETED>
        <DELETED>    (1) a description of steps agencies have 
        completed, including progress toward achieving any requirements 
        issued by the Director, including the adoption of any models or 
        reference architecture;</DELETED>
        <DELETED>    (2) an identification of activities that have not 
        yet been completed and that would have the most immediate 
        security impact; and</DELETED>
        <DELETED>    (3) a schedule to implement any planned 
        activities.</DELETED>
<DELETED>    (c) Classified Annex.--Each update required under 
subsection (b) may include 1 or more annexes that contain classified or 
other sensitive information, as appropriate.</DELETED>
<DELETED>    (d) National Security Systems.--</DELETED>
        <DELETED>    (1) Briefing.--Not later than 1 year after the 
        date of enactment of this Act, the Secretary of Defense shall 
        provide to the Committee on Homeland Security and Governmental 
        Affairs of the Senate, the Committee on Oversight and 
        Accountability of the House of Representatives, the Committee 
        on Armed Services of the Senate, the Committee on Armed 
        Services of the House of Representatives, the Select Committee 
        on Intelligence of the Senate, and the Permanent Select 
        Committee on Intelligence of the House of Representatives a 
        briefing on the implementation of zero trust architecture with 
        respect to national security systems.</DELETED>
        <DELETED>    (2) Progress report.--Not later than the date on 
        which each update is required to be submitted under subsection 
        (b), the Secretary of Defense shall submit to the congressional 
        committees described in paragraph (1) a progress report on the 
        implementation of zero trust architecture with respect to 
        national security systems.</DELETED>

<DELETED>SEC. 14. AUTOMATION AND ARTIFICIAL INTELLIGENCE.</DELETED>

<DELETED>    (a) Definition.--In this section, the term ``information 
system'' has the meaning given the term in section 3502 of title 44, 
United States Code.</DELETED>
<DELETED>    (b) Use of Artificial Intelligence.--</DELETED>
        <DELETED>    (1) In general.--As appropriate, the Director 
        shall issue guidance on the use of artificial intelligence by 
        agencies to improve the cybersecurity of information 
        systems.</DELETED>
        <DELETED>    (2) Considerations.--The Director and head of each 
        agency shall consider the use and capabilities of artificial 
        intelligence systems wherever automation is used in furtherance 
        of the cybersecurity of information systems.</DELETED>
        <DELETED>    (3) Report.--Not later than 1 year after the date 
        of enactment of this Act, and annually thereafter until the 
        date that is 5 years after the date of enactment of this Act, 
        the Director shall submit to the appropriate congressional 
        committees a report on the use of artificial intelligence to 
        further the cybersecurity of information systems.</DELETED>
<DELETED>    (c) Comptroller General Reports.--</DELETED>
        <DELETED>    (1) In general.--Not later than 2 years after the 
        date of enactment of this Act, the Comptroller General of the 
        United States shall submit to the appropriate congressional 
        committees a report on the risks to the privacy of individuals 
        and the cybersecurity of information systems associated with 
        the use by Federal agencies of artificial intelligence systems 
        or capabilities.</DELETED>
        <DELETED>    (2) Study.--Not later than 2 years after the date 
        of enactment of this Act, the Comptroller General of the United 
        States shall perform a study, and submit to the Committees on 
        Homeland Security and Governmental Affairs and Commerce, 
        Science, and Transportation of the Senate and the Committees on 
        Oversight and Accountability, Homeland Security, and Science, 
        Space, and Technology of the House of Representatives a report, 
        on the use of automation, including artificial intelligence, 
        and machine-readable data across the Federal Government for 
        cybersecurity purposes, including the automated updating of 
        cybersecurity tools, sensors, or processes employed by agencies 
        under paragraphs (1), (5)(C), and (8)(B) of section 3554(b) of 
        title 44, United States Code, as amended by this Act.</DELETED>

<DELETED>SEC. 15. EXTENSION OF CHIEF DATA OFFICER COUNCIL.</DELETED>

<DELETED>    Section 3520A(e)(2) of title 44, United States Code, is 
amended by striking ``upon the expiration of the 2-year period that 
begins on the date the Comptroller General submits the report under 
paragraph (1) to Congress'' and inserting ``December 31, 
2031''.</DELETED>

<DELETED>SEC. 16. COUNCIL OF THE INSPECTORS GENERAL ON INTEGRITY AND 
              EFFICIENCY DASHBOARD.</DELETED>

<DELETED>    (a) Dashboard Required.--Section 424(e) of title 5, United 
States Code, is amended--</DELETED>
        <DELETED>    (1) in paragraph (2)--</DELETED>
                <DELETED>    (A) in subparagraph (A), by striking 
                ``and'' at the end;</DELETED>
                <DELETED>    (B) by redesignating subparagraph (B) as 
                subparagraph (C);</DELETED>
                <DELETED>    (C) by inserting after subparagraph (A) 
                the following:</DELETED>
                <DELETED>    ``(B) that shall include a dashboard of 
                open information security recommendations identified in 
                the independent evaluations required by section 3555(a) 
                of title 44; and''; and</DELETED>
        <DELETED>    (2) by adding at the end the following:</DELETED>
        <DELETED>    ``(5) Rule of construction.--Nothing in this 
        subsection shall be construed to require the publication of 
        information that is exempted from disclosure under section 552 
        of this title.''.</DELETED>

<DELETED>SEC. 17. SECURITY OPERATIONS CENTER SHARED SERVICE.</DELETED>

<DELETED>    (a) Briefing.--Not later than 180 days after the date of 
enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency shall provide to the Committee on 
Homeland Security and Governmental Affairs of the Senate and the 
Committee on Homeland Security and the Committee on Oversight and 
Accountability of the House of Representatives a briefing on--
</DELETED>
        <DELETED>    (1) existing security operations center shared 
        services;</DELETED>
        <DELETED>    (2) the capability for such shared service to 
        offer centralized and simultaneous support to multiple 
        agencies;</DELETED>
        <DELETED>    (3) the capability for such shared service to 
        integrate with or support agency threat hunting activities 
        authorized under section 3553 of title 44, United States Code, 
        as amended by this Act;</DELETED>
        <DELETED>    (4) the capability for such shared service to 
        integrate with or support Federal vulnerability management 
        activities; and</DELETED>
        <DELETED>    (5) future plans for expansion and maturation of 
        such shared service.</DELETED>
<DELETED>    (b) GAO Report.--Not less than 540 days after the date of 
enactment of this Act, the Comptroller General of the United States 
shall submit to the appropriate congressional committees a report on 
Federal cybersecurity security operations centers that--</DELETED>
        <DELETED>    (1) identifies Federal agency best practices for 
        efficiency and effectiveness;</DELETED>
        <DELETED>    (2) identifies non-Federal best practices used by 
        large entity operations centers and entities providing 
        operation centers as a service; and</DELETED>
        <DELETED>    (3) includes recommendations for the Cybersecurity 
        and Infrastructure Security Agency and any other relevant 
        agency to improve the efficiency and effectiveness of security 
        operations centers shared service offerings.</DELETED>

<DELETED>SEC. 18. FEDERAL CYBERSECURITY REQUIREMENTS.</DELETED>

<DELETED>    (a) Codifying Federal Cybersecurity Requirements in Title 
44.--</DELETED>
        <DELETED>    (1) Amendment to federal cybersecurity enhancement 
        act of 2015.--Section 225 of the Federal Cybersecurity 
        Enhancement Act of 2015 (6 U.S.C. 1523) is amended by striking 
        subsections (b) and (c).</DELETED>
        <DELETED>    (2) Title 44.--Section 3554 of title 44, United 
        States Code, as amended by this Act, is further amended by 
        adding at the end the following:</DELETED>
<DELETED>    ``(f) Specific Cybersecurity Requirements at Agencies.--
</DELETED>
        <DELETED>    ``(1) In general.--Consistent with policies, 
        standards, guidelines, and directives on information security 
        under this subchapter, and except as provided under paragraph 
        (3), the head of each agency shall--</DELETED>
                <DELETED>    ``(A) identify sensitive and mission 
                critical data stored by the agency consistent with the 
                inventory required under section 3505(c);</DELETED>
                <DELETED>    ``(B) assess access controls to the data 
                described in subparagraph (A), the need for readily 
                accessible storage of the data, and the need of 
                individuals to access the data;</DELETED>
                <DELETED>    ``(C) encrypt or otherwise render 
                indecipherable to unauthorized users the data described 
                in subparagraph (A) that is stored on or transiting 
                agency information systems;</DELETED>
                <DELETED>    ``(D) implement a single sign-on trusted 
                identity platform for individuals accessing each public 
                website of the agency that requires user 
                authentication, as developed by the Administrator of 
                General Services in collaboration with the Secretary; 
                and</DELETED>
                <DELETED>    ``(E) implement identity management 
                consistent with section 504 of the Cybersecurity 
                Enhancement Act of 2014 (15 U.S.C. 7464), including 
                multi-factor authentication, for--</DELETED>
                        <DELETED>    ``(i) remote access to an 
                        information system; and</DELETED>
                        <DELETED>    ``(ii) each user account with 
                        elevated privileges on an information 
                        system.</DELETED>
        <DELETED>    ``(2) Prohibition.--</DELETED>
                <DELETED>    ``(A) Definition.--In this paragraph, the 
                term `Internet of things' has the meaning given the 
                term in section 3559B.</DELETED>
                <DELETED>    ``(B) Prohibition.--Consistent with 
                policies, standards, guidelines, and directives on 
                information security under this subchapter, and except 
                as provided under paragraph (3), the head of an agency 
                may not procure, obtain, renew a contract to procure or 
                obtain in any amount, notwithstanding section 1905 of 
                title 41, United States Code, or use an Internet of 
                things device if the Chief Information Officer of the 
                agency determines during a review required under 
                section 11319(b)(1)(C) of title 40 of a contract for an 
                Internet of things device that the use of the device 
                prevents compliance with the standards and guidelines 
                developed under section 4 of the IoT Cybersecurity 
                Improvement Act (15 U.S.C. 278g-3b) with respect to the 
                device.</DELETED>
        <DELETED>    ``(3) Exception.--The requirements under paragraph 
        (1) shall not apply to an information system for which--</DELETED>
                <DELETED>    ``(A) the head of the agency, without 
                delegation, has certified to the Director with 
                particularity that--</DELETED>
                        <DELETED>    ``(i) operational requirements 
                        articulated in the certification and related to 
                        the information system would make it 
                        excessively burdensome to implement the 
                        cybersecurity requirement;</DELETED>
                        <DELETED>    ``(ii) the cybersecurity 
                        requirement is not necessary to secure the 
                        information system or agency information stored 
                        on or transiting it; and</DELETED>
                        <DELETED>    ``(iii) the agency has taken all 
                        necessary steps to secure the information 
                        system and agency information stored on or 
                        transiting it; and</DELETED>
                <DELETED>    ``(B) the head of the agency has submitted 
                the certification described in subparagraph (A) to the 
                appropriate congressional committees and the 
                authorizing committees of the agency.</DELETED>
        <DELETED>    ``(4) Duration of certification.--</DELETED>
                <DELETED>    ``(A) In general.--A certification and 
                corresponding exemption of an agency under paragraph 
                (3) shall expire on the date that is 4 years after the 
                date on which the head of the agency submits the 
                certification under paragraph (3)(A).</DELETED>
                <DELETED>    ``(B) Renewal.--Upon the expiration of a 
                certification of an agency under paragraph (3), the 
                head of the agency may submit an additional 
                certification in accordance with that 
                paragraph.</DELETED>
        <DELETED>    ``(5) Rules of construction.--Nothing in this 
        subsection shall be construed--</DELETED>
                <DELETED>    ``(A) to alter the authority of the 
                Secretary, the Director, or the Director of the 
                National Institute of Standards and Technology in 
                implementing subchapter II of this title;</DELETED>
                <DELETED>    ``(B) to affect the standards or process 
                of the National Institute of Standards and 
                Technology;</DELETED>
                <DELETED>    ``(C) to affect the requirement under 
                section 3553(a)(4); or</DELETED>
                <DELETED>    ``(D) to discourage continued improvements 
                and advancements in the technology, standards, 
                policies, and guidelines used to promote Federal 
                information security.</DELETED>
<DELETED>    ``(g) Exception.--</DELETED>
        <DELETED>    ``(1) Requirements.--The requirements under 
        subsection (f)(1) shall not apply to--</DELETED>
                <DELETED>    ``(A) the Department of Defense;</DELETED>
                <DELETED>    ``(B) a national security system; 
                or</DELETED>
                <DELETED>    ``(C) an element of the intelligence 
                community.</DELETED>
        <DELETED>    ``(2) Prohibition.--The prohibition under 
        subsection (f)(2) shall not apply to--</DELETED>
                <DELETED>    ``(A) Internet of things devices that are 
                or comprise a national security system;</DELETED>
                <DELETED>    ``(B) national security systems; 
                or</DELETED>
                <DELETED>    ``(C) a procured Internet of things device 
                described in subsection (f)(2)(B) that the Chief 
                Information Officer of an agency determines is--
                </DELETED>
                        <DELETED>    ``(i) necessary for research 
                        purposes; or</DELETED>
                        <DELETED>    ``(ii) secured using alternative 
                        and effective methods appropriate to the 
                        function of the Internet of things 
                        device.''.</DELETED>
<DELETED>    (b) Report on Exemptions.--Section 3554(c)(1) of title 44, 
United States Code, as amended by this Act, is further amended--
</DELETED>
        <DELETED>    (1) in subparagraph (C), by striking ``and'' at 
        the end;</DELETED>
        <DELETED>    (2) in subparagraph (D), by striking the period at 
        the end and inserting ``; and''; and</DELETED>
        <DELETED>    (3) by adding at the end the following:</DELETED>
                <DELETED>    ``(E) with respect to any exemption from 
                the requirements of subsection (f)(3) that is effective 
                on the date of submission of the report, the number of 
                information systems that have received an exemption 
                from those requirements.''.</DELETED>
<DELETED>    (c) Duration of Certification Effective Date.--Paragraph 
(3) of section 3554(f) of title 44, United States Code, as added by 
this Act, shall take effect on the date that is 1 year after the date 
of enactment of this Act.</DELETED>
<DELETED>    (d) Federal Cybersecurity Enhancement Act of 2015 
Update.--Section 222(3)(B) of the Federal Cybersecurity Enhancement Act 
of 2015 (6 U.S.C. 1521(3)(B)) is amended by inserting ``and the 
Committee on Oversight and Accountability'' before ``of the House of 
Representatives.''</DELETED>

<DELETED>SEC. 19. FEDERAL CHIEF INFORMATION SECURITY OFFICER.</DELETED>

<DELETED>    (a) Amendment.--Chapter 36 of title 44, United States 
Code, is amended by adding at the end the following:</DELETED>
<DELETED>``Sec. 3617. Federal chief information security 
              officer</DELETED>
<DELETED>    ``(a) Establishment.--There is established a Federal Chief 
Information Security Officer, who shall serve in--</DELETED>
        <DELETED>    ``(1) the Office of the Federal Chief Information 
        Officer of the Office of Management and Budget; and</DELETED>
        <DELETED>    ``(2) the Office of the National Cyber 
        Director.</DELETED>
<DELETED>    ``(b) Appointment.--The Federal Chief Information Security 
Officer shall be appointed by the President.</DELETED>
<DELETED>    ``(c) OMB Duties.--The Federal Chief Information Security 
Officer shall report to the Federal Chief Information Officer and 
assist the Federal Chief Information Officer in carrying out--
</DELETED>
        <DELETED>    ``(1) every function under this chapter;</DELETED>
        <DELETED>    ``(2) every function assigned to the Director 
        under title II of the E-Government Act of 2002 (44 U.S.C. 3501 
        note; Public Law 107-347);</DELETED>
        <DELETED>    ``(3) other electronic government initiatives 
        consistent with other statutes; and</DELETED>
        <DELETED>    ``(4) other Federal cybersecurity initiatives 
        determined by the Federal Chief Information Officer.</DELETED>
<DELETED>    ``(d) Additional Duties.--The Federal Chief Information 
Security Officer shall--</DELETED>
        <DELETED>    ``(1) support the Federal Chief Information 
        Officer in overseeing and implementing Federal cybersecurity 
        under the E-Government Act of 2002 (Public Law 107-347; 116 
        Stat. 2899) and other relevant statutes in a manner consistent 
        with law; and</DELETED>
        <DELETED>    ``(2) perform every function assigned to the 
        Director under sections 1321 through 1328 of title 41, United 
        States Code.</DELETED>
<DELETED>    ``(e) Coordination With ONCD.--The Federal Chief 
Information Security Officer shall support initiatives determined by 
the Federal Chief Information Officer necessary to coordinate with the 
Office of the National Cyber Director.''.</DELETED>
<DELETED>    (b) National Cyber Director Duties.--Section 1752 of the 
William M. (Mac) Thornberry National Defense Authorization Act for 
Fiscal Year 2021 (6 U.S.C. 1500) is amended--</DELETED>
        <DELETED>    (1) by redesignating subsection (g) as subsection 
        (h); and</DELETED>
        <DELETED>    (2) by inserting after subsection (f) the 
        following:</DELETED>
<DELETED>    ``(g) Senior Federal Cybersecurity Officer.--The Federal 
Chief Information Security Officer appointed by the President under 
section 3617 of title 44, United States Code, shall be a senior 
official within the Office and carry out duties applicable to the 
protection of information technology (as defined in section 11101 of 
title 40, United States Code), including initiatives determined by the 
Director necessary to coordinate with the Office of the Federal Chief 
Information Officer.''.</DELETED>
<DELETED>    (c) Treatment of Incumbent.--The individual serving as the 
Federal Chief Information Security Officer appointed by the President 
as of the date of the enactment of this Act may serve as the Federal 
Chief Information Security Officer under section 3617 of title 44, 
United States Code, as added by this Act, beginning on the date of 
enactment of this Act, without need for a further or additional 
appointment under such section.</DELETED>
<DELETED>    (d) Clerical Amendment.--The table of sections for chapter 
36 of title 44, United States Code, is amended by adding at the end the 
following:</DELETED>

<DELETED>``Sec. 3617. Federal chief information security officer''.

<DELETED>SEC. 20. RENAMING OFFICE OF THE FEDERAL CHIEF INFORMATION 
              OFFICER.</DELETED>

<DELETED>    (a) Definitions.--</DELETED>
        <DELETED>    (1) In general.--Section 3601 of title 44, United 
        States Code, is amended--</DELETED>
                <DELETED>    (A) by striking paragraph (1); 
                and</DELETED>
                <DELETED>    (B) by redesignating paragraphs (2) 
                through (8) as paragraphs (1) through (7), 
                respectively.</DELETED>
        <DELETED>    (2) Conforming amendments.--</DELETED>
                <DELETED>    (A) Title 10.--Section 2222(i)(6) of title 
                10, United States Code, is amended by striking 
                ``section 3601(4)'' and inserting ``section 
                3601''.</DELETED>
                <DELETED>    (B) National security act of 1947.--
                Section 506D(k)(1) of the National Security Act of 1947 
                (50 U.S.C. 3100(k)(1)) is amended by striking ``section 
                3601(4)'' and inserting ``section 3601''.</DELETED>
<DELETED>    (b) Office of Electronic Government.--Section 3602 of 
title 44, United States Code, is amended--</DELETED>
        <DELETED>    (1) in the heading, by striking ``office of 
        electronic government'' and inserting ``office of the federal 
        chief information officer'';</DELETED>
        <DELETED>    (2) in subsection (a), by striking ``Office of 
        Electronic Government'' and inserting ``Office of the Federal 
        Chief Information Officer'';</DELETED>
        <DELETED>    (3) in subsection (b), by striking ``an 
        Administrator'' and inserting ``a Federal Chief Information 
        Officer'';</DELETED>
        <DELETED>    (4) in subsection (c), in the matter preceding 
        paragraph (1), by striking ``The Administrator'' and inserting 
        ``The Federal Chief Information Officer'';</DELETED>
        <DELETED>    (5) in subsection (d), in the matter preceding 
        paragraph (1), by striking ``The Administrator'' and inserting 
        ``The Federal Chief Information Officer'';</DELETED>
        <DELETED>    (6) in subsection (e), in the matter preceding 
        paragraph (1), by striking ``The Administrator'' and inserting 
        ``The Federal Chief Information Officer'';</DELETED>
        <DELETED>    (7) in subsection (f)--</DELETED>
                <DELETED>    (A) in the matter preceding paragraph (1), 
                by striking ``the Administrator'' and inserting ``the 
                Federal Chief Information Officer'';</DELETED>
                <DELETED>    (B) in paragraph (16), by striking ``the 
                Office of Electronic Government'' and inserting ``the 
                Office of the Federal Chief Information Officer''; 
                and</DELETED>
        <DELETED>    (8) in subsection (g), by striking ``the Office of 
        Electronic Government'' and inserting ``the Office of the 
        Federal Chief Information Officer''.</DELETED>
<DELETED>    (c) Chief Information Officers Council.--Section 3603 of 
title 44, United States Code, is amended--</DELETED>
        <DELETED>    (1) in subsection (b)(2), by striking ``The 
        Administrator of the Office of Electronic Government'' and 
        inserting ``The Federal Chief Information Officer'';</DELETED>
        <DELETED>    (2) in subsection (c)(1), by striking ``The 
        Administrator of the Office of Electronic Government'' and 
        inserting ``The Federal Chief Information Officer''; 
        and</DELETED>
        <DELETED>    (3) in subsection (f)--</DELETED>
                <DELETED>    (A) in paragraph (3), by striking ``the 
                Administrator'' and inserting ``the Federal Chief 
                Information Officer''; and</DELETED>
                <DELETED>    (B) in paragraph (5), by striking ``the 
                Administrator'' and inserting ``the Federal Chief 
                Information Officer''.</DELETED>
<DELETED>    (d) E-Government Fund.--Section 3604 of title 44, United 
States Code, is amended--</DELETED>
        <DELETED>    (1) in subsection (a)(2), by striking ``the 
        Administrator of the Office of Electronic Government'' and 
        inserting ``the Federal Chief Information Officer'';</DELETED>
        <DELETED>    (2) in subsection (b), by striking 
        ``Administrator'' each place it appears and inserting ``Federal 
        Chief Information Officer''; and</DELETED>
        <DELETED>    (3) in subsection (c), in the matter preceding 
        paragraph (1), by striking ``the Administrator'' and inserting 
        ``the Federal Chief Information Officer''.</DELETED>
<DELETED>    (e) Program To Encourage Innovative Solutions To Enhance 
Electronic Government Services and Processes.--Section 3605 of title 
44, United States Code, is amended--</DELETED>
        <DELETED>    (1) in subsection (a), by striking ``The 
        Administrator'' and inserting ``The Federal Chief Information 
        Officer'';</DELETED>
        <DELETED>    (2) in subsection (b), by striking ``, the 
        Administrator,'' and inserting ``, the Federal Chief 
        Information Officer,''; and</DELETED>
        <DELETED>    (3) in subsection (c)--</DELETED>
                <DELETED>    (A) in paragraph (1)--</DELETED>
                        <DELETED>    (i) by striking ``The 
                        Administrator'' and inserting ``The Federal 
                        Chief Information Officer''; and</DELETED>
                        <DELETED>    (ii) by striking ``proposals 
                        submitted to the Administrator'' and inserting 
                        ``proposals submitted to the Federal Chief 
                        Information Officer'';</DELETED>
                <DELETED>    (B) in paragraph (2)(B), by striking ``the 
                Administrator'' and inserting ``the Federal Chief 
                Information Officer''; and</DELETED>
                <DELETED>    (C) in paragraph (4), by striking ``the 
                Administrator'' and inserting ``the Federal Chief 
                Information Officer''.</DELETED>
<DELETED>    (f) E-Government Report.--Section 3606 of title 44, United 
States Code, is amended in the section heading by striking ``E-
Government'' and inserting ``Annual''.</DELETED>
<DELETED>    (g) Treatment of Incumbent.--The individual serving as the 
Administrator of the Office of Electronic Government under section 3602 
of title 44, United States Code, as of the date of the enactment of 
this Act, may continue to serve as the Federal Chief Information 
Officer commencing as of that date, without need for a further or 
additional appointment under such section.</DELETED>
<DELETED>    (h) Technical and Conforming Amendments.--The table of 
sections for chapter 36 of title 44, United States Code, is amended--
</DELETED>
        <DELETED>    (1) by striking the item relating to section 3602 
        and inserting the following:</DELETED>

<DELETED>``3602. Office of the Federal Chief Information Officer.''; 
                            and
        <DELETED>    (2) in the item relating to section 3606, by 
        striking ``E-Government'' and inserting ``Annual''.</DELETED>
<DELETED>    (i) References.--</DELETED>
        <DELETED>    (1) Administrator.--Any reference to the 
        Administrator of the Office of Electronic Government in any 
        law, regulation, map, document, record, or other paper of the 
        United States shall be deemed to be a reference to the Federal 
        Chief Information Officer.</DELETED>
        <DELETED>    (2) Office of electronic government.--Any 
        reference to the Office of Electronic Government in any law, 
        regulation, map, document, record, or other paper of the United 
        States shall be deemed to be a reference to the Office of the 
        Federal Chief Information Officer.</DELETED>

<DELETED>SEC. 21. RULES OF CONSTRUCTION.</DELETED>

<DELETED>    (a) Agency Actions.--Nothing in this Act, or an amendment 
made by this Act, shall be construed to authorize the head of an agency 
to take an action that is not authorized by this Act, an amendment made 
by this Act, or existing law.</DELETED>
<DELETED>    (b) Protection of Rights.--Nothing in this Act, or an 
amendment made by this Act, shall be construed to permit the violation 
of the rights of any individual protected by the Constitution of the 
United States, including through censorship of speech protected by the 
Constitution of the United States or unauthorized 
surveillance.</DELETED>

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Cybersecurity Act 
of 2023''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.

    TITLE I--FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2023

Sec. 101. Short title.
Sec. 102. Definitions.
Sec. 103. Amendments to title 44.
Sec. 104. Amendments to subtitle III of title 40.
Sec. 105. Actions to enhance Federal incident transparency.
Sec. 106. Additional guidance to agencies on FISMA updates.
Sec. 107. Agency requirements to notify private sector entities 
                            impacted by incidents.
Sec. 108. Mobile security briefings.
Sec. 109. Data and logging retention for incident response.
Sec. 110. CISA agency liaisons.
Sec. 111. Federal penetration testing policy.
Sec. 112. Vulnerability disclosure policies.
Sec. 113. Implementing zero trust architecture.
Sec. 114. Automation and artificial intelligence.
Sec. 115. Extension of chief data officer council.
Sec. 116. Council of the inspectors general on integrity and efficiency 
                            dashboard.
Sec. 117. Security operations center shared service.
Sec. 118. Federal cybersecurity requirements.
Sec. 119. Federal chief information security officer.
Sec. 120. Renaming office of the Federal Chief Information Officer.
Sec. 121. Rules of construction.

         TITLE II--RURAL HOSPITAL CYBERSECURITY ENHANCEMENT ACT

Sec. 201. Short title.
Sec. 202. Definitions.
Sec. 203. Rural hospital cybersecurity workforce development strategy.
Sec. 204. Instructional materials for rural hospitals.
Sec. 205. No additional funds.

    TITLE I--FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2023

SEC. 101. SHORT TITLE.

    This title may be cited as the ``Federal Information Security 
Modernization Act of 2023''.

SEC. 102. DEFINITIONS.

    In this title, unless otherwise specified:
            (1) Agency.--The term ``agency'' has the meaning given the 
        term in section 3502 of title 44, United States Code.
            (2) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    (B) the Committee on Oversight and Accountability 
                of the House of Representatives; and
                    (C) the Committee on Homeland Security of the House 
                of Representatives.
            (3) Awardee.--The term ``awardee'' has the meaning given 
        the term in section 3591 of title 44, United States Code, as 
        added by this title.
            (4) Contractor.--The term ``contractor'' has the meaning 
        given the term in section 3591 of title 44, United States Code, 
        as added by this title.
            (5) Director.--The term ``Director'' means the Director of 
        the Office of Management and Budget.
            (6) Federal information system.--The term ``Federal 
        information system'' has the meaning given the term in section 
        3591 of title 44, United States Code, as added by this title.
            (7) Incident.--The term ``incident'' has the meaning given 
        the term in section 3552(b) of title 44, United States Code.
            (8) National security system.--The term ``national security 
        system'' has the meaning given the term in section 3552(b) of 
        title 44, United States Code.
            (9) Penetration test.--The term ``penetration test'' has 
        the meaning given the term in section 3552(b) of title 44, 
        United States Code, as amended by this title.
            (10) Threat hunting.--The term ``threat hunting'' means 
        proactively and iteratively searching systems for threats and 
        vulnerabilities, including threats or vulnerabilities that may 
        evade detection by automated threat detection systems.
            (11) Zero trust architecture.--The term ``zero trust 
        architecture'' has the meaning given the term in Special 
        Publication 800-207 of the National Institute of Standards and 
        Technology, or any successor document.

SEC. 103. AMENDMENTS TO TITLE 44.

    (a) Subchapter I Amendments.--Subchapter I of chapter 35 of title 
44, United States Code, is amended--
            (1) in section 3504--
                    (A) in subsection (a)(1)(B)--
                            (i) by striking clause (v) and inserting 
                        the following:
                            ``(v) privacy, confidentiality, disclosure, 
                        and sharing of information;'';
                            (ii) by redesignating clause (vi) as clause 
                        (vii); and
                            (iii) by inserting after clause (v) the 
                        following:
                            ``(vi) in consultation with the National 
                        Cyber Director, security of information; and''; 
                        and
                    (B) in subsection (g)--
                            (i) by redesignating paragraph (2) as 
                        paragraph (3); and
                            (ii) by striking paragraph (1) and 
                        inserting the following:
            ``(1) develop and oversee the implementation of policies, 
        principles, standards, and guidelines on privacy, 
        confidentiality, disclosure, and sharing of information 
        collected or maintained by or for agencies;
            ``(2) in consultation with the National Cyber Director, 
        oversee the implementation of policies, principles, standards, 
        and guidelines on security, of information collected or 
        maintained by or for agencies; and'';
            (2) in section 3505--
                    (A) by striking the first subsection designated as 
                subsection (c);
                    (B) in paragraph (2) of the second subsection 
                designated as subsection (c), by inserting ``an 
                identification of internet accessible information 
                systems and'' after ``an inventory under this 
                subsection shall include'';
                    (C) in paragraph (3) of the second subsection 
                designated as subsection (c)--
                            (i) in subparagraph (B)--
                                    (I) by inserting ``the Director of 
                                the Cybersecurity and Infrastructure 
                                Security Agency, the National Cyber 
                                Director, and'' before ``the 
                                Comptroller General''; and
                                    (II) by striking ``and'' at the 
                                end;
                            (ii) in subparagraph (C)(v), by striking 
                        the period at the end and inserting ``; and''; 
                        and
                            (iii) by adding at the end the following:
                    ``(D) maintained on a continual basis through the 
                use of automation, machine-readable data, and scanning, 
                wherever practicable.'';
            (3) in section 3506--
                    (A) in subsection (a)(3), by inserting ``In 
                carrying out these duties, the Chief Information 
                Officer shall consult, as appropriate, with the Chief 
                Data Officer in accordance with the designated 
                functions under section 3520(c).'' after ``reduction of 
                information collection burdens on the public.'';
                    (B) in subsection (b)(1)(C), by inserting 
                ``availability,'' after ``integrity,'';
                    (C) in subsection (h)(3), by inserting 
                ``security,'' after ``efficiency,''; and
                    (D) by adding at the end the following:
    ``(j)(1) Notwithstanding paragraphs (2) and (3) of subsection (a), 
the head of each agency shall, in accordance with section 522(a) of 
division H of the Consolidated Appropriations Act, 2005 (42 U.S.C. 
2000ee-2), designate a Chief Privacy Officer with the necessary skills, 
knowledge, and expertise, who shall have the authority and 
responsibility to--
            ``(A) lead the privacy program of the agency; and
            ``(B) carry out the privacy responsibilities of the agency 
        under this chapter, section 552a of title 5, and guidance 
        issued by the Director.
    ``(2) The Chief Privacy Officer of each agency shall--
            ``(A) serve in a central leadership position within the 
        agency;
            ``(B) have visibility into relevant agency operations; and
            ``(C) be positioned highly enough within the agency to 
        regularly engage with other agency leaders and officials, 
        including the head of the agency.
    ``(3) A privacy officer of an agency established under a statute 
enacted before the date of enactment of the Federal Information 
Security Modernization Act of 2023 may carry out the responsibilities 
under this subsection for the agency.''; and
            (4) in section 3513--
                    (A) by redesignating subsection (c) as subsection 
                (d); and
                    (B) by inserting after subsection (b) the 
                following:
    ``(c) Each agency providing a written plan under subsection (b) 
shall provide any portion of the written plan addressing information 
security to the Secretary of Homeland Security and the National Cyber 
Director.''.
    (b) Subchapter II Definitions.--
            (1) In general.--Section 3552(b) of title 44, United States 
        Code, is amended--
                    (A) by redesignating paragraphs (2), (3), (4), (5), 
                (6), and (7) as paragraphs (3), (4), (5), (6), (8), and 
                (10), respectively;
                    (B) by inserting after paragraph (1) the following:
            ``(2) The term `high value asset' means information or an 
        information system that the head of an agency, using policies, 
        principles, standards, or guidelines issued by the Director 
        under section 3553(a), determines to be so critical to the 
        agency that the loss or degradation of the confidentiality, 
        integrity, or availability of such information or information 
        system would have a serious impact on the ability of the agency 
        to perform the mission of the agency or conduct business.'';
                    (C) by inserting after paragraph (6), as so 
                redesignated, the following:
            ``(7) The term `major incident' has the meaning given the 
        term in guidance issued by the Director under section 
        3598(a).'';
                    (D) in paragraph (8)(A), as so redesignated, in the 
                matter preceding clause (i), by striking ``used'' and 
                inserting ``owned, managed,'';
                    (E) by inserting after paragraph (8), as so 
                redesignated, the following:
            ``(9) The term `penetration test'--
                    ``(A) means an authorized assessment that emulates 
                attempts to gain unauthorized access to, or disrupt the 
                operations of, an information system or component of an 
                information system; and
                    ``(B) includes any additional meaning given the 
                term in policies, principles, standards, or guidelines 
                issued by the Director under section 3553(a).''; and
                    (F) by inserting after paragraph (10), as so 
                redesignated, the following:
            ``(11) The term `shared service' means a centralized 
        mission capability or consolidated business function that is 
        provided to multiple organizations within an agency or to 
        multiple agencies.
            ``(12) The term `zero trust architecture' has the meaning 
        given the term in Special Publication 800-207 of the National 
        Institute of Standards and Technology, or any successor 
        document.''.
            (2) Conforming amendments.--
                    (A) Homeland security act of 2002.--Section 
                1001(c)(1)(A) of the Homeland Security Act of 2002 (6 
                U.S.C. 511(c)(1)(A)) is amended by striking ``section 
                3552(b)(5)'' and inserting ``section 3552(b)''.
                    (B) Title 10.--
                            (i) Section 2222.--Section 2222(i)(8) of 
                        title 10, United States Code, is amended by 
                        striking ``section 3552(b)(6)(A)'' and 
                        inserting ``section 3552(b)(8)(A)''.
                            (ii) Section 2223.--Section 2223(c)(3) of 
                        title 10, United States Code, is amended by 
                        striking ``section 3552(b)(6)'' and inserting 
                        ``section 3552(b)''.
                            (iii) Section 3068.--Section 3068(b) of 
                        title 10, United States Code, is amended by 
                        striking ``section 3552(b)(6)'' and inserting 
                        ``section 3552(b)''.
                            (iv) Section 3252.--Section 3252(e)(5) of 
                        title 10, United States Code, is amended by 
                        striking ``section 3552(b)(6)'' and inserting 
                        ``section 3552(b)''.
                    (C) High-performance computing act of 1991.--
                Section 207(a) of the High-Performance Computing Act of 
                1991 (15 U.S.C. 5527(a)) is amended by striking 
                ``section 3552(b)(6)(A)(i)'' and inserting ``section 
                3552(b)(8)(A)(i)''.
                    (D) Internet of things cybersecurity improvement 
                act of 2020.--Section 3(5) of the Internet of Things 
                Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-
                3a(5)) is amended by striking ``section 3552(b)(6)'' 
                and inserting ``section 3552(b)''.
                    (E) National defense authorization act for fiscal 
                year 2013.--Section 933(e)(1)(B) of the National 
                Defense Authorization Act for Fiscal Year 2013 (10 
                U.S.C. 2224 note) is amended by striking ``section 
                3542(b)(2)'' and inserting ``section 3552(b)''.
                    (F) Ike skelton national defense authorization act 
                for fiscal year 2011.--The Ike Skelton National Defense 
                Authorization Act for Fiscal Year 2011 (Public Law 111-
                383) is amended--
                            (i) in section 806(e)(5) (10 U.S.C. 2304 
                        note), by striking ``section 3542(b)'' and 
                        inserting ``section 3552(b)'';
                            (ii) in section 931(b)(3) (10 U.S.C. 2223 
                        note), by striking ``section 3542(b)(2)'' and 
                        inserting ``section 3552(b)''; and
                            (iii) in section 932(b)(2) (10 U.S.C. 2224 
                        note), by striking ``section 3542(b)(2)'' and 
                        inserting ``section 3552(b)''.
                    (G) E-government act of 2002.--Section 301(c)(1)(A) 
                of the E-Government Act of 2002 (44 U.S.C. 3501 note) 
                is amended by striking ``section 3542(b)(2)'' and 
                inserting ``section 3552(b)''.
                    (H) National institute of standards and technology 
                act.--Section 20 of the National Institute of Standards 
                and Technology Act (15 U.S.C. 278g-3) is amended--
                            (i) in subsection (a)(2), by striking 
                        ``section 3552(b)(6)'' and inserting ``section 
                        3552(b)''; and
                            (ii) in subsection (f)--
                                    (I) in paragraph (2), by striking 
                                ``section 3552(b)(2)'' and inserting 
                                ``section 3552(b)''; and
                                    (II) in paragraph (5), by striking 
                                ``section 3532(b)(5)'' and inserting 
                                ``section 3552(b)''.
    (c) Subchapter II Amendments.--Subchapter II of chapter 35 of title 
44, United States Code, is amended--
            (1) in section 3551--
                    (A) in paragraph (4), by striking ``diagnose and 
                improve'' and inserting ``integrate, deliver, diagnose, 
                and improve'';
                    (B) in paragraph (5), by striking ``and'' at the 
                end;
                    (C) in paragraph (6), by striking the period at the 
                end and inserting a semicolon; and
                    (D) by adding at the end the following:
            ``(7) recognize that each agency has specific mission 
        requirements and, at times, unique cybersecurity requirements 
        to meet the mission of the agency;
            ``(8) recognize that each agency does not have the same 
        resources to secure agency systems, and an agency should not be 
        expected to have the capability to secure the systems of the 
        agency from advanced adversaries alone; and
            ``(9) recognize that a holistic Federal cybersecurity model 
        is necessary to account for differences between the missions 
        and capabilities of agencies.'';
            (2) in section 3553--
                    (A) in subsection (a)--
                            (i) in paragraph (5), by striking ``and'' 
                        at the end;
                            (ii) in paragraph (6), by striking the 
                        period at the end and inserting ``; and''; and
                            (iii) by adding at the end the following:
            ``(7) promoting, in consultation with the Director of the 
        Cybersecurity and Infrastructure Security Agency, the National 
        Cyber Director, and the Director of the National Institute of 
        Standards and Technology--
                    ``(A) the use of automation to improve Federal 
                cybersecurity and visibility with respect to the 
                implementation of Federal cybersecurity; and
                    ``(B) the use of presumption of compromise and 
                least privilege principles, such as zero trust 
                architecture, to improve resiliency and timely response 
                actions to incidents on Federal systems.'';
                    (B) in subsection (b)--
                            (i) in the matter preceding paragraph (1), 
                        by inserting ``and the National Cyber 
                        Director'' after ``Director'';
                            (ii) in paragraph (2)(A), by inserting 
                        ``and reporting requirements under subchapter 
                        IV of this chapter'' after ``section 3556'';
                            (iii) by redesignating paragraphs (8) and 
                        (9) as paragraphs (10) and (11), respectively; 
                        and
                            (iv) by inserting after paragraph (7) the 
                        following:
            ``(8) expeditiously seeking opportunities to reduce costs, 
        administrative burdens, and other barriers to information 
        technology security and modernization for agencies, including 
        through shared services for cybersecurity capabilities 
        identified as appropriate by the Director, in coordination with 
        the Director of the Cybersecurity and Infrastructure Security 
        Agency and other agencies as appropriate;'';
                    (C) in subsection (c)--
                            (i) in the matter preceding paragraph (1)--
                                    (I) by striking ``each year'' and 
                                inserting ``each year during which 
                                agencies are required to submit reports 
                                under section 3554(c)'';
                                    (II) by inserting ``, which shall 
                                be unclassified but may include 1 or 
                                more annexes that contain classified or 
                                other sensitive information, as 
                                appropriate'' after ``a report''; and
                                    (III) by striking ``preceding 
                                year'' and inserting ``preceding 2 
                                years'';
                            (ii) by striking paragraph (1);
                            (iii) by redesignating paragraphs (2), (3), 
                        and (4) as paragraphs (1), (2), and (3), 
                        respectively;
                            (iv) in paragraph (3), as so redesignated, 
                        by striking ``and'' at the end; and
                            (v) by inserting after paragraph (3), as so 
                        redesignated, the following:
            ``(4) a summary of the risks and trends identified in the 
        Federal risk assessment required under subsection (i); and'';
                    (D) in subsection (h)--
                            (i) in paragraph (2)--
                                    (I) in subparagraph (A), by 
                                inserting ``and the National Cyber 
                                Director'' after ``in coordination with 
                                the Director''; and
                                    (II) in subparagraph (D), by 
                                inserting ``, the National Cyber 
                                Director,'' after ``notify the 
                                Director''; and
                            (ii) in paragraph (3)(A)(iv), by inserting 
                        ``, the National Cyber Director,'' after ``the 
                        Secretary provides prior notice to the 
                        Director'';
                    (E) by amending subsection (i) to read as follows:
    ``(i) Federal Risk Assessment.--On an ongoing and continuous basis, 
the Director of the Cybersecurity and Infrastructure Security Agency 
shall assess the Federal risk posture using any available information 
on the cybersecurity posture of agencies, and brief the Director and 
National Cyber Director on the findings of such assessment, including--
            ``(1) the status of agency cybersecurity remedial actions 
        for high value assets described in section 3554(b)(7);
            ``(2) any vulnerability information relating to the systems 
        of an agency that is known by the agency;
            ``(3) analysis of incident information under section 3597;
            ``(4) evaluation of penetration testing performed under 
        section 3559A;
            ``(5) evaluation of vulnerability disclosure program 
        information under section 3559B;
            ``(6) evaluation of agency threat hunting results;
            ``(7) evaluation of Federal and non-Federal cyber threat 
        intelligence;
            ``(8) data on agency compliance with standards issued under 
        section 11331 of title 40;
            ``(9) agency system risk assessments required under section 
        3554(a)(1)(A);
            ``(10) relevant reports from inspectors general of agencies 
        and the Government Accountability Office; and
            ``(11) any other information the Director of the 
        Cybersecurity and Infrastructure Security Agency determines 
        relevant.''; and
                    (F) by adding at the end the following:
    ``(m) Directives.--
            ``(1) Emergency directive updates.--If the Secretary issues 
        an emergency directive under this section, the Director of the 
        Cybersecurity and Infrastructure Security Agency shall submit 
        to the Director, the National Cyber Director, the Committee on 
        Homeland Security and Governmental Affairs of the Senate, and 
        the Committees on Oversight and Accountability and Homeland 
        Security of the House of Representatives an update on the 
        status of the implementation of the emergency directive at 
        agencies not later than 7 days after the date on which the 
        emergency directive requires an agency to complete a 
        requirement specified by the emergency directive, and every 30 
        days thereafter until--
                    ``(A) the date on which every agency has fully 
                implemented the emergency directive;
                    ``(B) the Secretary determines that an emergency 
                directive no longer requires active reporting from 
                agencies or additional implementation; or
                    ``(C) the date that is 1 year after the issuance of 
                the directive.
            ``(2) Binding operational directive updates.--If the 
        Secretary issues a binding operational directive under this 
        section, the Director of the Cybersecurity and Infrastructure 
        Security Agency shall submit to the Director, the National 
        Cyber Director, the Committee on Homeland Security and 
        Governmental Affairs of the Senate, and the Committees on 
        Oversight and Accountability and Homeland Security of the House 
        of Representatives an update on the status of the 
        implementation of the binding operational directive at agencies 
        not later than 30 days after the issuance of the binding 
        operational directive, and every 90 days thereafter until--
                    ``(A) the date on which every agency has fully 
                implemented the binding operational directive;
                    ``(B) the Secretary determines that a binding 
                operational directive no longer requires active 
                reporting from agencies or additional implementation; 
                or
                    ``(C) the date that is 1 year after the issuance or 
                substantive update of the directive.
            ``(3) Report.--If the Director of the Cybersecurity and 
        Infrastructure Security Agency ceases submitting updates 
        required under paragraphs (1) or (2) on the date described in 
        paragraph (1)(C) or (2)(C), the Director of the Cybersecurity 
        and Infrastructure Security Agency shall submit to the 
        Director, the National Cyber Director, the Committee on 
        Homeland Security and Governmental Affairs of the Senate, and 
        the Committees on Oversight and Accountability and Homeland 
        Security of the House of Representatives a list of every agency 
        that, at the time of the report--
                    ``(A) has not completed a requirement specified by 
                an emergency directive; or
                    ``(B) has not implemented a binding operational 
                directive.
    ``(n) Review of Office of Management and Budget Guidance and 
Policy.--
            ``(1) Conduct of review.--Not less frequently than once 
        every 3 years, the Director of the Office of Management and 
        Budget shall review the efficacy of the guidance and policy 
        promulgated by the Director in reducing cybersecurity risks, 
        including a consideration of reporting and compliance burden on 
        agencies.
            ``(2) Congressional notification.--The Director of the 
        Office of Management and Budget shall notify the Committee on 
        Homeland Security and Governmental Affairs of the Senate and 
        the Committee on Oversight and Accountability of the House of 
        Representatives of changes to guidance or policy resulting from 
        the review under paragraph (1).
            ``(3) GAO review.--The Government Accountability Office 
        shall review guidance and policy promulgated by the Director to 
        assess its efficacy in risk reduction and burden on agencies.
    ``(o) Automated Standard Implementation Verification.--When the 
Director of the National Institute of Standards and Technology issues a 
proposed standard or guideline pursuant to paragraphs (2) or (3) of 
section 20(a) of the National Institute of Standards and Technology Act 
(15 U.S.C. 278g-3(a)), the Director of the National Institute of 
Standards and Technology shall consider developing and, if appropriate 
and practical, develop specifications to enable the automated 
verification of the implementation of the controls.
    ``(p) Inspectors General Access to Federal Risk Assessments.--The 
Director of the Cybersecurity and Infrastructure Security Agency shall, 
upon request, make available Federal risk assessment information under 
subsection (i) to the Inspector General of the Department of Homeland 
Security and the inspector general of any agency that was included in 
the Federal risk assessment.'';
            (3) in section 3554--
                    (A) in subsection (a)--
                            (i) in paragraph (1)--
                                    (I) by redesignating subparagraphs 
                                (A), (B), and (C) as subparagraphs (B), 
                                (C), and (D), respectively;
                                    (II) by inserting before 
                                subparagraph (B), as so redesignated, 
                                the following:
                    ``(A) on an ongoing and continuous basis, assessing 
                agency system risk, as applicable, by--
                            ``(i) identifying and documenting the high 
                        value assets of the agency using guidance from 
                        the Director;
                            ``(ii) evaluating the data assets 
                        inventoried under section 3511 for sensitivity 
                        to compromises in confidentiality, integrity, 
                        and availability;
                            ``(iii) identifying whether the agency is 
                        participating in federally offered 
                        cybersecurity shared services programs;
                            ``(iv) identifying agency systems that have 
                        access to or hold the data assets inventoried 
                        under section 3511;
                            ``(v) evaluating the threats facing agency 
                        systems and data, including high value assets, 
                        based on Federal and non-Federal cyber threat 
                        intelligence products, where available;
                            ``(vi) evaluating the vulnerability of 
                        agency systems and data, including high value 
                        assets, including by analyzing--
                                    ``(I) the results of penetration 
                                testing performed by the Department of 
                                Homeland Security under section 
                                3553(b)(9);
                                    ``(II) the results of penetration 
                                testing performed under section 3559A;
                                    ``(III) information provided to the 
                                agency through the vulnerability 
                                disclosure program of the agency under 
                                section 3559B;
                                    ``(IV) incidents; and
                                    ``(V) any other vulnerability 
                                information relating to agency systems 
                                that is known to the agency;
                            ``(vii) assessing the impacts of potential 
                        agency incidents to agency systems, data, and 
                        operations based on the evaluations described 
                        in clauses (ii) and (v) and the agency systems 
                        identified under clause (iv); and
                            ``(viii) assessing the consequences of 
                        potential incidents occurring on agency systems 
                        that would impact systems at other agencies, 
                        including due to interconnectivity between 
                        different agency systems or operational 
                        reliance on the operations of the system or 
                        data in the system;'';
                                    (III) in subparagraph (B), as so 
                                redesignated, in the matter preceding 
                                clause (i), by striking ``providing 
                                information'' and inserting ``using 
                                information from the assessment 
                                required under subparagraph (A), 
                                providing information'';
                                    (IV) in subparagraph (C), as so 
                                redesignated--
                                            (aa) in clause (ii) by 
                                        inserting ``binding'' before 
                                        ``operational''; and
                                            (bb) in clause (vi), by 
                                        striking ``and'' at the end; 
                                        and
                                    (V) by adding at the end the 
                                following:
                    ``(E) providing an update on the ongoing and 
                continuous assessment required under subparagraph (A)--
                            ``(i) upon request, to the inspector 
                        general of the agency or the Comptroller 
                        General of the United States; and
                            ``(ii) at intervals determined by guidance 
                        issued by the Director, and to the extent 
                        appropriate and practicable using automation, 
                        to--
                                    ``(I) the Director;
                                    ``(II) the Director of the 
                                Cybersecurity and Infrastructure 
                                Security Agency; and
                                    ``(III) the National Cyber 
                                Director;'';
                            (ii) in paragraph (2)--
                                    (I) in subparagraph (A), by 
                                inserting ``in accordance with the 
                                agency system risk assessment required 
                                under paragraph (1)(A)'' after 
                                ``information systems'';
                                    (II) in subparagraph (D), by 
                                inserting ``, through the use of 
                                penetration testing, the vulnerability 
                                disclosure program established under 
                                section 3559B, and other means,'' after 
                                ``periodically'';
                            (iii) in paragraph (3)(A)--
                                    (I) in the matter preceding clause 
                                (i), by striking ``senior agency 
                                information security officer'' and 
                                inserting ``Chief Information Security 
                                Officer'';
                                    (II) in clause (i), by striking 
                                ``this section'' and inserting 
                                ``subsections (a) through (c)'';
                                    (III) in clause (ii), by striking 
                                ``training and'' and inserting 
                                ``skills, training, and'';
                                    (IV) by redesignating clauses (iii) 
                                and (iv) as (iv) and (v), respectively;
                                    (V) by inserting after clause (ii) 
                                the following:
                            ``(iii) manage information security, 
                        cybersecurity budgets, and risk and compliance 
                        activities and explain those concepts to the 
                        head of the agency and the executive team of 
                        the agency;''; and
                                    (VI) in clause (iv), as so 
                                redesignated, by striking ``information 
                                security duties as that official's 
                                primary duty'' and inserting 
                                ``information, computer network, and 
                                technology security duties as the Chief 
                                Information Security Officers' primary 
                                duty'';
                            (iv) in paragraph (5), by striking 
                        ``annually'' and inserting ``not less 
                        frequently than quarterly''; and
                            (v) in paragraph (6), by striking 
                        ``official delegated'' and inserting ``Chief 
                        Information Security Officer delegated''; and
                    (B) in subsection (b)--
                            (i) by striking paragraph (1) and inserting 
                        the following:
            ``(1) the ongoing and continuous assessment of agency 
        system risk required under subsection (a)(1)(A), which may 
        include using guidance and automated tools consistent with 
        standards and guidelines promulgated under section 11331 of 
        title 40, as applicable;'';
                            (ii) in paragraph (2)--
                                    (I) by striking subparagraph (B);
                                    (II) by redesignating subparagraphs 
                                (C) and (D) as subparagraphs (B) and 
                                (C), respectively;
                                    (III) in subparagraph (B), as so 
                                redesignated, by striking ``and'' at 
                                the end; and
                                    (IV) in subparagraph (C), as so 
                                redesignated--
                                            (aa) by redesignating 
                                        clauses (iii) and (iv) as 
                                        clauses (iv) and (v), 
                                        respectively;
                                            (bb) by inserting after 
                                        clause (ii) the following:
                            ``(iii) binding operational directives and 
                        emergency directives issued by the Secretary 
                        under section 3553;''; and
                                            (cc) in clause (iv), as so 
                                        redesignated, by striking ``as 
                                        determined by the agency; and'' 
                                        and inserting ``as determined 
                                        by the agency, considering the 
                                        agency risk assessment required 
                                        under subsection (a)(1)(A);'';
                            (iii) in paragraph (5)(A), by inserting ``, 
                        including penetration testing, as 
                        appropriate,'' after ``shall include testing'';
                            (iv) by redesignating paragraphs (7) and 
                        (8) as paragraphs (8) and (9), respectively;
                            (v) by inserting after paragraph (6) the 
                        following:
            ``(7) a secure process for providing the status of every 
        remedial action and unremediated identified system 
        vulnerability of a high value asset to the Director and the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, using automation and machine-readable data to the 
        greatest extent practicable;''; and
                            (vi) in paragraph (8)(C), as so 
                        redesignated--
                                    (I) by striking clause (ii) and 
                                inserting the following:
                            ``(ii) notifying and consulting with the 
                        Federal information security incident center 
                        established under section 3556 pursuant to the 
                        requirements of section 3594;'';
                                    (II) by redesignating clause (iii) 
                                as clause (iv);
                                    (III) by inserting after clause 
                                (ii) the following:
                            ``(iii) performing the notifications and 
                        other activities required under subchapter IV 
                        of this chapter; and''; and
                                    (IV) in clause (iv), as so 
                                redesignated--
                                            (aa) in subclause (II), by 
                                        adding ``and'' at the end;
                                            (bb) by striking subclause 
                                        (III); and
                                            (cc) by redesignating 
                                        subclause (IV) as subclause 
                                        (III); and
                    (C) in subsection (c)--
                            (i) by redesignating paragraph (2) as 
                        paragraph (4);
                            (ii) by striking paragraph (1) and 
                        inserting the following:
            ``(1) Biennial report.--Not later than 2 years after the 
        date of enactment of the Federal Information Security 
        Modernization Act of 2023 and not less frequently than once 
        every 2 years thereafter, using the continuous and ongoing 
        agency system risk assessment required under subsection 
        (a)(1)(A), the head of each agency shall submit to the 
        Director, the National Cyber Director, the Director of the 
        Cybersecurity and Infrastructure Security Agency, the 
        Comptroller General of the United States, the majority and 
        minority leaders of the Senate, the Speaker and minority leader 
        of the House of Representatives, the Committee on Homeland 
        Security and Governmental Affairs of the Senate, the Committee 
        on Oversight and Accountability of the House of 
        Representatives, the Committee on Homeland Security of the 
        House of Representatives, the Committee on Commerce, Science, 
        and Transportation of the Senate, the Committee on Science, 
        Space, and Technology of the House of Representatives, and the 
        appropriate authorization and appropriations committees of 
        Congress a report that--
                    ``(A) summarizes the agency system risk assessment 
                required under subsection (a)(1)(A);
                    ``(B) evaluates the adequacy and effectiveness of 
                information security policies, procedures, and 
                practices of the agency to address the risks identified 
                in the agency system risk assessment required under 
                subsection (a)(1)(A), including an analysis of the 
                agency's cybersecurity and incident response 
                capabilities using the metrics established under 
                section 224(c) of the Cybersecurity Act of 2015 (6 
                U.S.C. 1522(c)); and
                    ``(C) summarizes the status of remedial actions 
                identified by the inspector general of the agency, the 
                Comptroller General of the United States, and any other 
                source determined appropriate by the head of the 
                agency.
            ``(2) Unclassified reports.--Each report submitted under 
        paragraph (1)--
                    ``(A) shall be, to the greatest extent practicable, 
                in an unclassified and otherwise uncontrolled form; and
                    ``(B) may include 1 or more annexes that contain 
                classified or other sensitive information, as 
                appropriate.
            ``(3) Briefings.--During each year during which a report is 
        not required to be submitted under paragraph (1), the Director 
        shall provide to the congressional committees described in 
        paragraph (1) a briefing summarizing current agency and Federal 
        risk postures.''; and
                            (iii) in paragraph (4), as so redesignated, 
                        by striking the period at the end and inserting 
                        ``, including the reporting procedures 
                        established under section 11315(d) of title 40 
                        and subsection (a)(3)(A)(v) of this section.'';
            (4) in section 3555--
                    (A) in the section heading, by striking ``annual 
                independent'' and inserting ``independent'';
                    (B) in subsection (a)--
                            (i) in paragraph (1), by inserting ``during 
                        which a report is required to be submitted 
                        under section 3553(c),'' after ``Each year'';
                            (ii) in paragraph (2)(A), by inserting ``, 
                        including by performing, or reviewing the 
                        results of, agency penetration testing and 
                        analyzing the vulnerability disclosure program 
                        of the agency'' after ``information systems''; 
                        and
                            (iii) by adding at the end the following:
            ``(3) An evaluation under this section may include 
        recommendations for improving the cybersecurity posture of the 
        agency.'';
                    (C) in subsection (b)(1), by striking ``annual'';
                    (D) in subsection (e)(1), by inserting ``during 
                which a report is required to be submitted under 
                section 3553(c)'' after ``Each year'';
                    (E) in subsection (g)(2)--
                            (i) by striking ``this subsection shall'' 
                        and inserting ``this subsection--
                    ``(A) shall'';
                            (ii) in subparagraph (A), as so designated, 
                        by striking the period at the end and inserting 
                        ``; and''; and
                            (iii) by adding at the end the following:
                    ``(B) identify any entity that performs an 
                independent evaluation under subsection (b).''; and
                    (F) by striking subsection (j) and inserting the 
                following:
    ``(j) Guidance.--
            ``(1) In general.--The Director, in consultation with the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency, the Chief Information Officers Council, the Council of 
        the Inspectors General on Integrity and Efficiency, and other 
        interested parties as appropriate, shall ensure the development 
        of risk-based guidance for evaluating the effectiveness of an 
        information security program and practices.
            ``(2) Priorities.--The risk-based guidance developed under 
        paragraph (1) shall include--
                    ``(A) the identification of the most common 
                successful threat patterns;
                    ``(B) the identification of security controls that 
                address the threat patterns described in subparagraph 
                (A);
                    ``(C) any other security risks unique to Federal 
                systems; and
                    ``(D) any other element the Director determines 
                appropriate.''; and
            (5) in section 3556(a)--
                    (A) in the matter preceding paragraph (1), by 
                inserting ``within the Cybersecurity and Infrastructure 
                Security Agency'' after ``incident center''; and
                    (B) in paragraph (4), by striking ``3554(b)'' and 
                inserting ``3554(a)(1)(A)''.
    (d) Conforming Amendments.--
            (1) Table of sections.--The table of sections for chapter 
        35 of title 44, United States Code, is amended by striking the 
        item relating to section 3555 and inserting the following:

``3555. Independent evaluation.''.
            (2) OMB reports.--Section 226(c) of the Cybersecurity Act 
        of 2015 (6 U.S.C. 1524(c)) is amended--
                    (A) in paragraph (1)(B), in the matter preceding 
                clause (i), by striking ``annually thereafter'' and 
                inserting ``thereafter during the years during which a 
                report is required to be submitted under section 
                3553(c) of title 44, United States Code''; and
                    (B) in paragraph (2)(B), in the matter preceding 
                clause (i)--
                            (i) by striking ``annually thereafter'' and 
                        inserting ``thereafter during the years during 
                        which a report is required to be submitted 
                        under section 3553(c) of title 44, United 
                        States Code''; and
                            (ii) by striking ``the report required 
                        under section 3553(c) of title 44, United 
                        States Code'' and inserting ``that report''.
            (3) NIST responsibilities.--Section 20(d)(3)(B) of the 
        National Institute of Standards and Technology Act (15 U.S.C. 
        278g-3(d)(3)(B)) is amended by striking ``annual''.
    (e) Federal System Incident Response.--
            (1) In general.--Chapter 35 of title 44, United States 
        Code, is amended by adding at the end the following:

           ``SUBCHAPTER IV--FEDERAL SYSTEM INCIDENT RESPONSE

``Sec. 3591. Definitions
    ``(a) In General.--Except as provided in subsection (b), the 
definitions under sections 3502 and 3552 shall apply to this 
subchapter.
    ``(b) Additional Definitions.--As used in this subchapter:
            ``(1) Appropriate reporting entities.--The term 
        `appropriate reporting entities' means--
                    ``(A) the majority and minority leaders of the 
                Senate;
                    ``(B) the Speaker and minority leader of the House 
                of Representatives;
                    ``(C) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    ``(D) the Committee on Commerce, Science, and 
                Transportation of the Senate;
                    ``(E) the Committee on Oversight and Accountability 
                of the House of Representatives;
                    ``(F) the Committee on Homeland Security of the 
                House of Representatives;
                    ``(G) the Committee on Science, Space, and 
                Technology of the House of Representatives;
                    ``(H) the appropriate authorization and 
                appropriations committees of Congress;
                    ``(I) the Director;
                    ``(J) the Director of the Cybersecurity and 
                Infrastructure Security Agency;
                    ``(K) the National Cyber Director;
                    ``(L) the Comptroller General of the United States; 
                and
                    ``(M) the inspector general of any impacted agency.
            ``(2) Awardee.--The term `awardee', with respect to an 
        agency--
                    ``(A) means--
                            ``(i) the recipient of a grant from an 
                        agency;
                            ``(ii) a party to a cooperative agreement 
                        with an agency; and
                            ``(iii) a party to an other transaction 
                        agreement with an agency; and
                    ``(B) includes a subawardee of an entity described 
                in subparagraph (A).
            ``(3) Breach.--The term `breach'--
                    ``(A) means the compromise, unauthorized 
                disclosure, unauthorized acquisition, or loss of 
                control of personally identifiable information or any 
                similar occurrence; and
                    ``(B) includes any additional meaning given the 
                term in policies, principles, standards, or guidelines 
                issued by the Director.
            ``(4) Contractor.--The term `contractor' means a prime 
        contractor of an agency or a subcontractor of a prime 
        contractor of an agency that creates, collects, stores, 
        processes, maintains, or transmits Federal information on 
        behalf of an agency.
            ``(5) Federal information.--The term `Federal information' 
        means information created, collected, processed, maintained, 
        disseminated, disclosed, or disposed of by or for the Federal 
        Government in any medium or form.
            ``(6) Federal information system.--The term `Federal 
        information system' means an information system owned, managed, 
        or operated by an agency, or on behalf of an agency by a 
        contractor, an awardee, or another organization.
            ``(7) Intelligence community.--The term `intelligence 
        community' has the meaning given the term in section 3 of the 
        National Security Act of 1947 (50 U.S.C. 3003).
            ``(8) Nationwide consumer reporting agency.--The term 
        `nationwide consumer reporting agency' means a consumer 
        reporting agency described in section 603(p) of the Fair Credit 
        Reporting Act (15 U.S.C. 1681a(p)).
            ``(9) Vulnerability disclosure.--The term `vulnerability 
        disclosure' means a vulnerability identified under section 
        3559B.
``Sec. 3592. Notification of breach
    ``(a) Definition.--In this section, the term `covered breach' means 
a breach--
            ``(1) involving not less than 50,000 potentially affected 
        individuals; or
            ``(2) the result of which the head of an agency determines 
        that notifying potentially affected individuals is necessary 
        pursuant to subsection (b)(1), regardless of whether--
                    ``(A) the number of potentially affected 
                individuals is less than 50,000; or
                    ``(B) the notification is delayed under subsection 
                (d).
    ``(b) Notification.--As expeditiously as practicable and without 
unreasonable delay, and in any case not later than 45 days after an 
agency has a reasonable basis to conclude that a breach has occurred, 
the head of the agency, in consultation with the Chief Information 
Officer and Chief Privacy Officer of the agency, shall--
            ``(1) determine whether notice to any individual 
        potentially affected by the breach is appropriate, including by 
        conducting an assessment of the risk of harm to the individual 
        that considers--
                    ``(A) the nature and sensitivity of the personally 
                identifiable information affected by the breach;
                    ``(B) the likelihood of access to and use of the 
                personally identifiable information affected by the 
                breach;
                    ``(C) the type of breach; and
                    ``(D) any other factors determined by the Director; 
                and
            ``(2) if the head of the agency determines notification is 
        necessary pursuant to paragraph (1), provide written 
        notification in accordance with subsection (c) to each 
        individual potentially affected by the breach--
                    ``(A) to the last known mailing address of the 
                individual; or
                    ``(B) through an appropriate alternative method of 
                notification.
    ``(c) Contents of Notification.--Each notification of a breach 
provided to an individual under subsection (b)(2) shall include, to the 
maximum extent practicable--
            ``(1) a brief description of the breach;
            ``(2) if possible, a description of the types of personally 
        identifiable information affected by the breach;
            ``(3) contact information of the agency that may be used to 
        ask questions of the agency, which--
                    ``(A) shall include an e-mail address or another 
                digital contact mechanism; and
                    ``(B) may include a telephone number, mailing 
                address, or a website;
            ``(4) information on any remedy being offered by the 
        agency;
            ``(5) any applicable educational materials relating to what 
        individuals can do in response to a breach that potentially 
        affects their personally identifiable information, including 
        relevant contact information for the appropriate Federal law 
        enforcement agencies and each nationwide consumer reporting 
        agency; and
            ``(6) any other appropriate information, as determined by 
        the head of the agency or established in guidance by the 
        Director.
    ``(d) Delay of Notification.--
            ``(1) In general.--The head of an agency, in coordination 
        with the Director and the National Cyber Director, and as 
        appropriate, the Attorney General, the Director of National 
        Intelligence, or the Secretary of Homeland Security, may delay 
        a notification required under subsection (b) or (e) if the 
        notification would--
                    ``(A) impede a criminal investigation or a national 
                security activity;
                    ``(B) cause an adverse result (as described in 
                section 2705(a)(2) of title 18);
                    ``(C) reveal sensitive sources and methods;
                    ``(D) cause damage to national security; or
                    ``(E) hamper security remediation actions.
            ``(2) Renewal.--A delay under paragraph (1) shall be for a 
        period of 60 days and may be renewed.
            ``(3) National security systems.--The head of an agency 
        delaying notification under this subsection with respect to a 
        breach exclusively of a national security system shall 
        coordinate such delay with the Secretary of Defense.
    ``(e) Update Notification.--If an agency determines there is a 
significant change in the reasonable basis to conclude that a breach 
occurred, a significant change to the determination made under 
subsection (b)(1), or that it is necessary to update the details of the 
information provided to potentially affected individuals as described 
in subsection (c), the agency shall as expeditiously as practicable and 
without unreasonable delay, and in any case not later than 30 days 
after such a determination, notify each individual who received a 
notification pursuant to subsection (b) of those changes.
    ``(f) Delay of Notification Report.--
            ``(1) In general.--Not later than 1 year after the date of 
        enactment of the Federal Information Security Modernization Act 
        of 2023, and annually thereafter, the head of an agency, in 
        coordination with any official who delays a notification under 
        subsection (d), shall submit to the appropriate reporting 
        entities a report on each delay that occurred during the 
        previous 2 years.
            ``(2) Component of other report.--The head of an agency may 
        submit the report required under paragraph (1) as a component 
        of the report submitted under section 3554(c).
    ``(g) Congressional Reporting Requirements.--
            ``(1) Review and update.--On a periodic basis, the Director 
        of the Office of Management and Budget shall review, and update 
        as appropriate, breach notification policies and guidelines for 
        agencies.
            ``(2) Required notice from agencies.--Subject to paragraph 
        (4), the Director of the Office of Management and Budget shall 
        require the head of an agency affected by a covered breach to 
        expeditiously and not later than 30 days after the date on 
        which the agency discovers the covered breach give notice of 
        the breach, which may be provided electronically, to--
                    ``(A) each congressional committee described in 
                section 3554(c)(1); and
                    ``(B) the Committee on the Judiciary of the Senate 
                and the Committee on the Judiciary of the House of 
                Representatives.
            ``(3) Contents of notice.--Notice of a covered breach 
        provided by the head of an agency pursuant to paragraph (2) 
        shall include, to the extent practicable--
                    ``(A) information about the covered breach, 
                including a summary of any information about how the 
                covered breach occurred known by the agency as of the 
                date of the notice;
                    ``(B) an estimate of the number of individuals 
                affected by the covered breach based on information 
                known by the agency as of the date of the notice, 
                including an assessment of the risk of harm to affected 
                individuals;
                    ``(C) a description of any circumstances 
                necessitating a delay in providing notice to 
                individuals affected by the covered breach in 
                accordance with subsection (d); and
                    ``(D) an estimate of when the agency will provide 
                notice to individuals affected by the covered breach, 
                if applicable.
            ``(4) Exception.--Any agency that is required to provide 
        notice to Congress pursuant to paragraph (2) due to a covered 
        breach exclusively on a national security system shall only 
        provide such notice to--
                    ``(A) the majority and minority leaders of the 
                Senate;
                    ``(B) the Speaker and minority leader of the House 
                of Representatives;
                    ``(C) the appropriations committees of Congress;
                    ``(D) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    ``(E) the Select Committee on Intelligence of the 
                Senate;
                    ``(F) the Committee on Oversight and Accountability 
                of the House of Representatives; and
                    ``(G) the Permanent Select Committee on 
                Intelligence of the House of Representatives.
            ``(5) Rule of construction.--Nothing in paragraphs (1) 
        through (3) shall be construed to alter any authority of an 
        agency.
    ``(h) Rule of Construction.--Nothing in this section shall be 
construed to--
            ``(1) limit--
                    ``(A) the authority of the Director to issue 
                guidance relating to notifications of, or the head of 
                an agency to notify individuals potentially affected 
                by, breaches that are not determined to be covered 
                breaches or major incidents;
                    ``(B) the authority of the Director to issue 
                guidance relating to notifications and reporting of 
                breaches, covered breaches, or major incidents;
                    ``(C) the authority of the head of an agency to 
                provide more information than required under subsection 
                (b) when notifying individuals potentially affected by 
                a breach;
                    ``(D) the timing of incident reporting or the types 
                of information included in incident reports provided, 
                pursuant to this subchapter, to--
                            ``(i) the Director;
                            ``(ii) the National Cyber Director;
                            ``(iii) the Director of the Cybersecurity 
                        and Infrastructure Security Agency; or
                            ``(iv) any other agency;
                    ``(E) the authority of the head of an agency to 
                provide information to Congress about agency breaches, 
                including--
                            ``(i) breaches that are not covered 
                        breaches; and
                            ``(ii) additional information beyond the 
                        information described in subsection (g)(3); or
                    ``(F) any Congressional reporting requirements of 
                agencies under any other law; or
            ``(2) limit or supersede any existing privacy protections 
        in existing law.
``Sec. 3593. Congressional and Executive Branch reports on major 
              incidents
    ``(a) Appropriate Congressional Entities.--In this section, the 
term `appropriate congressional entities' means--
            ``(1) the majority and minority leaders of the Senate;
            ``(2) the Speaker and minority leader of the House of 
        Representatives;
            ``(3) the Committee on Homeland Security and Governmental 
        Affairs of the Senate;
            ``(4) the Committee on Commerce, Science, and 
        Transportation of the Senate;
            ``(5) the Committee on Oversight and Accountability of the 
        House of Representatives;
            ``(6) the Committee on Homeland Security of the House of 
        Representatives;
            ``(7) the Committee on Science, Space, and Technology of 
        the House of Representatives; and
            ``(8) the appropriate authorization and appropriations 
        committees of Congress.
    ``(b) Initial Notification.--
            ``(1) In general.--Not later than 72 hours after an agency 
        has a reasonable basis to conclude that a major incident 
        occurred, the head of the agency impacted by the major incident 
        shall submit to the appropriate reporting entities a written 
        notification, which may be submitted electronically and include 
        1 or more annexes that contain classified or other sensitive 
        information, as appropriate.
            ``(2) Contents.--A notification required under paragraph 
        (1) with respect to a major incident shall include the 
        following, based on information available to agency officials 
        as of the date on which the agency submits the notification:
                    ``(A) A summary of the information available about 
                the major incident, including how the major incident 
                occurred and the threat causing the major incident.
                    ``(B) If applicable, information relating to any 
                breach associated with the major incident, regardless 
                of whether--
                            ``(i) the breach was the reason the 
                        incident was determined to be a major incident; 
                        and
                            ``(ii) the head of the agency determined it 
                        was appropriate to provide notification to 
                        potentially impacted individuals pursuant to 
                        section 3592(b)(1).
                    ``(C) A preliminary assessment of the impacts to--
                            ``(i) the agency;
                            ``(ii) the Federal Government;
                            ``(iii) the national security, foreign 
                        relations, homeland security, and economic 
                        security of the United States; and
                            ``(iv) the civil liberties, public 
                        confidence, privacy, and public health and 
                        safety of the people of the United States.
                    ``(D) If applicable, whether any ransom has been 
                demanded or paid, or is expected to be paid, by any 
                entity operating a Federal information system or with 
                access to Federal information or a Federal information 
                system, including, as available, the name of the entity 
                demanding ransom, the date of the demand, and the 
                amount and type of currency demanded, unless disclosure 
                of such information will disrupt an active Federal law 
                enforcement or national security operation.
    ``(c) Supplemental Update.--Within a reasonable amount of time, but 
not later than 30 days after the date on which the head of an agency 
submits a written notification under subsection (a), the head of the 
agency shall provide to the appropriate congressional entities an 
unclassified and written update, which may include 1 or more annexes 
that contain classified or other sensitive information, as appropriate, 
on the major incident, based on information available to agency 
officials as of the date on which the agency provides the update, on--
            ``(1) system vulnerabilities relating to the major 
        incident, where applicable, means by which the major incident 
        occurred, the threat causing the major incident, where 
        applicable, and impacts of the major incident to--
                    ``(A) the agency;
                    ``(B) other Federal agencies, Congress, or the 
                judicial branch;
                    ``(C) the national security, foreign relations, 
                homeland security, or economic security of the United 
                States; or
                    ``(D) the civil liberties, public confidence, 
                privacy, or public health and safety of the people of 
                the United States;
            ``(2) the status of compliance of the affected Federal 
        information system with applicable security requirements at the 
        time of the major incident;
            ``(3) if the major incident involved a breach, a 
        description of the affected information, an estimate of the 
        number of individuals potentially impacted, and any assessment 
        of the risk of harm to such individuals;
            ``(4) an update to the assessment of the risk to agency 
        operations, or to impacts on other agency or non-Federal entity 
        operations, affected by the major incident; and
            ``(5) the detection, response, and remediation actions of 
        the agency, including any support provided by the Cybersecurity 
        and Infrastructure Security Agency under section 3594(d), if 
        applicable.
    ``(d) Additional Update.--If the head of an agency, the Director, 
or the National Cyber Director determines that there is any significant 
change in the understanding of the scope, scale, or consequence of a 
major incident for which the head of the agency submitted a written 
notification and update under subsections (b) and (c), the head of the 
agency shall submit to the appropriate congressional entities a written 
update that includes information relating to the change in 
understanding.
    ``(e) Biennial Report.--Each agency shall submit as part of the 
biennial report required under section 3554(c)(1) a description of each 
major incident that occurred during the 2-year period preceding the 
date on which the biennial report is submitted.
    ``(f) Report Delivery.--
            ``(1) In general.--Any written notification or update 
        required to be submitted under this section--
                    ``(A) shall be submitted in an electronic format; 
                and
                    ``(B) may be submitted in a paper format.
            ``(2) Classification status.--Any written notification or 
        update required to be submitted under this section--
                    ``(A) shall be--
                            ``(i) unclassified; and
                            ``(ii) submitted through unclassified 
                        electronic means pursuant to paragraph (1)(A); 
                        and
                    ``(B) may include classified annexes, as 
                appropriate.
    ``(g) Report Consistency.--To achieve consistent and coherent 
agency reporting to Congress, the National Cyber Director, in 
coordination with the Director, shall--
            ``(1) provide recommendations to agencies on formatting and 
        the contents of information to be included in the reports 
        required under this section, including recommendations for 
        consistent formats for presenting any associated metrics; and
            ``(2) maintain a comprehensive record of each major 
        incident notification, update, and briefing provided under this 
        section, which shall--
                    ``(A) include, at a minimum--
                            ``(i) the full contents of the written 
                        notification or update;
                            ``(ii) the identity of the reporting 
                        agency;
                            ``(iii) the date of submission; and
                            ``(iv) a list of the recipient 
                        congressional entities; and
                    ``(B) be made available upon request to the 
                majority and minority leaders of the Senate, the 
                Speaker and minority leader of the House of 
                Representatives, the Committee on Homeland Security and 
                Governmental Affairs of the Senate, and the Committee 
                on Oversight and Accountability of the House of 
                Representatives.
    ``(h) National Security Systems Congressional Reporting 
Exemption.--With respect to a major incident that occurs exclusively on 
a national security system, the head of the affected agency shall 
submit the notifications and reports required to be submitted to 
Congress under this section only to--
            ``(1) the majority and minority leaders of the Senate;
            ``(2) the Speaker and minority leader of the House of 
        Representatives;
            ``(3) the appropriations committees of Congress;
            ``(4) the appropriate authorization committees of Congress;
            ``(5) the Committee on Homeland Security and Governmental 
        Affairs of the Senate;
            ``(6) the Select Committee on Intelligence of the Senate;
            ``(7) the Committee on Oversight and Accountability of the 
        House of Representatives; and
            ``(8) the Permanent Select Committee on Intelligence of the 
        House of Representatives.
    ``(i) Major Incidents Including Breaches.--If a major incident 
constitutes a covered breach, as defined in section 3592(a), 
information on the covered breach required to be submitted to Congress 
pursuant to section 3592(g) may--
            ``(1) be included in the notifications required under 
        subsection (b) or (c); or
            ``(2) be reported to Congress under the process established 
        under section 3592(g).
    ``(j) Rule of Construction.--Nothing in this section shall be 
construed to--
            ``(1) limit--
                    ``(A) the ability of an agency to provide 
                additional reports or briefings to Congress;
                    ``(B) Congress from requesting additional 
                information from agencies through reports, briefings, 
                or other means;
                    ``(C) any congressional reporting requirements of 
                agencies under any other law; or
            ``(2) limit or supersede any privacy protections under any 
        other law.
``Sec. 3594. Government information sharing and incident response
    ``(a) In General.--
            ``(1) Incident sharing.--Subject to paragraph (4) and 
        subsection (b), and in accordance with the applicable 
        requirements pursuant to section 3553(b)(2)(A) for reporting to 
        the Federal information security incident center established 
        under section 3556, the head of each agency shall provide to 
        the Cybersecurity and Infrastructure Security Agency 
        information relating to any incident affecting the agency, 
        whether the information is obtained by the Federal Government 
        directly or indirectly.
            ``(2) Contents.--A provision of information relating to an 
        incident made by the head of an agency under paragraph (1) 
        shall include, at a minimum--
                    ``(A) a full description of the incident, 
                including--
                            ``(i) all indicators of compromise and 
                        tactics, techniques, and procedures;
                            ``(ii) an indicator of how the intruder 
                        gained initial access, accessed agency data or 
                        systems, and undertook additional actions on 
                        the network of the agency; and
                            ``(iii) information that would support 
                        enabling defensive measures;
                            ``(iv) other information that may assist in 
                        identifying other victims;
                    ``(B) information to help prevent similar 
                incidents, such as information about relevant 
                safeguards in place when the incident occurred and the 
                effectiveness of those safeguards; and
                    ``(C) information to aid in incident response, such 
                as--
                            ``(i) a description of the affected systems 
                        or networks;
                            ``(ii) the estimated dates of when the 
                        incident occurred; and
                            ``(iii) information that could reasonably 
                        help identify any malicious actor that may have 
                        conducted or caused the incident, subject to 
                        appropriate privacy protections.
            ``(3) Information sharing.--The Director of the 
        Cybersecurity and Infrastructure Security Agency shall--
                    ``(A) make incident information provided under 
                paragraph (1) available to the Director and the 
                National Cyber Director;
                    ``(B) to the greatest extent practicable, share 
                information relating to an incident with--
                            ``(i) the head of any agency that may be--
                                    ``(I) impacted by the incident;
                                    ``(II) particularly susceptible to 
                                the incident; or
                                    ``(III) similarly targeted by the 
                                incident; and
                            ``(ii) appropriate Federal law enforcement 
                        agencies to facilitate any necessary threat 
                        response activities, as requested;
                    ``(C) coordinate any necessary information sharing 
                efforts relating to a major incident with the private 
                sector; and
                    ``(D) notify the National Cyber Director of any 
                efforts described in subparagraph (C).
            ``(4) National security systems exemption.--
                    ``(A) In general.--Notwithstanding paragraphs (1) 
                and (3), each agency operating or exercising control of 
                a national security system shall share information 
                about an incident that occurs exclusively on a national 
                security system with the Secretary of Defense, the 
                Director, the National Cyber Director, and the Director 
                of the Cybersecurity and Infrastructure Security Agency 
                to the extent consistent with standards and guidelines 
                for national security systems issued in accordance with 
                law and as directed by the President.
                    ``(B) Protections.--Any information sharing and 
                handling of information under this paragraph shall be 
                appropriately protected consistent with procedures 
                authorized for the protection of sensitive sources and 
                methods or by procedures established for information 
                that have been specifically authorized under criteria 
                established by an Executive order or an Act of Congress 
                to be kept classified in the interest of national 
                defense or foreign policy.
    ``(b) Automation.--In providing information and selecting a method 
to provide information under subsection (a), the head of each agency 
shall implement subsection (a)(1) in a manner that provides such 
information to the Cybersecurity and Infrastructure Security Agency in 
an automated and machine-readable format, to the greatest extent 
practicable.
    ``(c) Incident Response.--Each agency that has a reasonable basis 
to suspect or conclude that a major incident occurred involving Federal 
information in electronic medium or form that does not exclusively 
involve a national security system shall coordinate with--
            ``(1) the Cybersecurity and Infrastructure Security Agency 
        to facilitate asset response activities and provide 
        recommendations for mitigating future incidents; and
            ``(2) consistent with relevant policies, appropriate 
        Federal law enforcement agencies to facilitate threat response 
        activities.
``Sec. 3595. Responsibilities of contractors and awardees
    ``(a) Reporting.--
            ``(1) In general.--Any contractor or awardee of an agency 
        shall report to the agency if the contractor or awardee has a 
        reasonable basis to conclude that--
                    ``(A) an incident or breach has occurred with 
                respect to Federal information the contractor or 
                awardee collected, used, or maintained on behalf of an 
                agency;
                    ``(B) an incident or breach has occurred with 
                respect to a Federal information system used, operated, 
                managed, or maintained on behalf of an agency by the 
                contractor or awardee;
                    ``(C) a component of any Federal information system 
                operated, managed, or maintained by a contractor or 
                awardee contains a security vulnerability, including a 
                supply chain compromise or an identified software or 
                hardware vulnerability, for which there is reliable 
                evidence of attempted or successful exploitation of the 
                vulnerability by an actor without authorization of the 
                Federal information system owner; or
                    ``(D) the contractor or awardee has received 
                personally identifiable information, personal health 
                information, or other clearly sensitive information 
                that is beyond the scope of the contract or agreement 
                with the agency from the agency that the contractor or 
                awardee is not authorized to receive.
            ``(2) Third-party reports of vulnerabilities.--Subject to 
        the guidance issued by the Director pursuant to paragraph (4), 
        any contractor or awardee of an agency shall report to the 
        agency and the Cybersecurity and Infrastructure Security Agency 
        if the contractor or awardee has a reasonable basis to suspect 
        or conclude that a component of any Federal information system 
        operated, managed, or maintained on behalf of an agency by the 
        contractor or awardee on behalf of the agency contains a 
        security vulnerability, including a supply chain compromise or 
        an identified software or hardware vulnerability, that has been 
        reported to the contractor or awardee by a third party, 
        including through a vulnerability disclosure program.
            ``(3) Procedures.--
                    ``(A) Sharing with cisa.--As soon as practicable 
                following a report of an incident to an agency by a 
                contractor or awardee under paragraph (1), the head of 
                the agency shall provide, pursuant to section 3594, 
                information about the incident to the Director of the 
                Cybersecurity and Infrastructure Security Agency.
                    ``(B) Time for reporting.--Unless a different time 
                for reporting is specified in a contract, grant, 
                cooperative agreement, or other transaction agreement, 
                a contractor or awardee shall--
                            ``(i) make a report required under 
                        paragraph (1) not later than 1 day after the 
                        date on which the contractor or awardee has 
                        reasonable basis to suspect or conclude that 
                        the criteria under paragraph (1) have been met; 
                        and
                            ``(ii) make a report required under 
                        paragraph (2) within a reasonable time, but not 
                        later than 90 days after the date on which the 
                        contractor or awardee has reasonable basis to 
                        suspect or conclude that the criteria under 
                        paragraph (2) have been met.
                    ``(C) Procedures.--Following a report of a breach 
                or incident to an agency by a contractor or awardee 
                under paragraph (1), the head of the agency, in 
                consultation with the contractor or awardee, shall 
                carry out the applicable requirements under sections 
                3592, 3593, and 3594 with respect to the breach or 
                incident.
                    ``(D) Rule of construction.--Nothing in 
                subparagraph (B) shall be construed to allow the 
                negation of the requirements to report vulnerabilities 
                under paragraph (1) or (2) through a contract, grant, 
                cooperative agreement, or other transaction agreement.
            ``(4) Guidance.--The Director shall issue guidance to 
        agencies relating to the scope of vulnerabilities to be 
        reported under paragraph (2), such as the minimum severity of a 
        vulnerability required to be reported or whether 
        vulnerabilities that are already publicly disclosed must be 
        reported.
    ``(b) Regulations; Modifications.--
            ``(1) In general.--Not later than 1 year after the date of 
        enactment of the Federal Information Security Modernization Act 
        of 2023--
                    ``(A) the Federal Acquisition Regulatory Council 
                shall promulgate regulations, as appropriate, relating 
                to the responsibilities of contractors and recipients 
                of other transaction agreements and cooperative 
                agreements to comply with this section; and
                    ``(B) the Office of Federal Financial Management 
                shall promulgate regulations under title 2, Code of 
                Federal Regulations, as appropriate, relating to the 
                responsibilities of grantees to comply with this 
                section.
            ``(2) Implementation.--Not later than 1 year after the date 
        on which the Federal Acquisition Regulatory Council and the 
        Office of Federal Financial Management promulgate regulations 
        under paragraph (1), the head of each agency shall implement 
        policies and procedures, as appropriate, necessary to implement 
        those regulations.
            ``(3) Congressional notification.--
                    ``(A) In general.--The head of each agency 
                shall notify the Director upon implementation of 
                policies and procedures necessary to implement the 
                regulations promulgated under paragraph (1).
                    ``(B) OMB notification.--Not later than 30 days 
                after the date described in paragraph (2), the Director 
                shall notify the Committee on Homeland Security and 
                Governmental Affairs of the Senate and the Committees 
                on Oversight and Accountability and Homeland Security 
                of the House of Representatives on the status of the 
                implementation by each agency of the regulations 
                promulgated under paragraph (1).
    ``(c) National Security Systems Exemption.--Notwithstanding any 
other provision of this section, a contractor or awardee of an agency 
that would be required to report an incident or vulnerability pursuant 
to this section that occurs exclusively on a national security system 
shall--
            ``(1) report the incident or vulnerability to the head of 
        the agency and the Secretary of Defense; and
            ``(2) comply with applicable laws and policies relating to 
        national security systems.
``Sec. 3596. Training
    ``(a) Covered Individual Defined.--In this section, the term 
`covered individual' means an individual who obtains access to a 
Federal information system because of the status of the individual as--
            ``(1) an employee, contractor, awardee, volunteer, or 
        intern of an agency; or
            ``(2) an employee of a contractor or awardee of an agency.
    ``(b) Best Practices and Consistency.--The Director of the 
Cybersecurity and Infrastructure Security Agency, in consultation with 
the Director, the National Cyber Director, and the Director of the 
National Institute of Standards and Technology, shall develop best 
practices to support consistency across agencies in cybersecurity 
incident response training, including--
            ``(1) information to be collected and shared with the 
        Cybersecurity and Infrastructure Security Agency pursuant to 
        section 3594(a) and processes for sharing such information; and
            ``(2) appropriate training and qualifications for cyber 
        incident responders.
    ``(c) Agency Training.--The head of each agency shall develop 
training for covered individuals on how to identify and respond to an 
incident, including--
            ``(1) the internal process of the agency for reporting an 
        incident; and
            ``(2) the obligation of a covered individual to report to 
        the agency any suspected or confirmed incident involving 
        Federal information in any medium or form, including paper, 
        oral, and electronic.
    ``(d) Inclusion in Annual Training.--The training developed under 
subsection (c) may be included as part of an annual privacy, security 
awareness, or other appropriate training of an agency.
``Sec. 3597. Analysis and report on Federal incidents
    ``(a) Analysis of Federal Incidents.--
            ``(1) Quantitative and qualitative analyses.--The Director 
        of the Cybersecurity and Infrastructure Security Agency shall 
        perform and, in coordination with the Director and the National 
        Cyber Director, develop, continuous monitoring and quantitative 
        and qualitative analyses of incidents at agencies, including 
        major incidents, including--
                    ``(A) the causes of incidents, including--
                            ``(i) attacker tactics, techniques, and 
                        procedures; and
                            ``(ii) system vulnerabilities, including 
                        zero days, unpatched systems, and information 
                        system misconfigurations;
                    ``(B) the scope and scale of incidents at agencies;
                    ``(C) common root causes of incidents across 
                multiple agencies;
                    ``(D) agency incident response, recovery, and 
                remediation actions and the effectiveness of those 
                actions, as applicable;
                    ``(E) lessons learned and recommendations in 
                responding to, recovering from, remediating, and 
                mitigating future incidents; and
                    ``(F) trends across multiple agencies to address 
                intrusion detection and incident response capabilities 
                using the metrics established under section 224(c) of 
                the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)).
            ``(2) Automated analysis.--The analyses developed under 
        paragraph (1) shall, to the greatest extent practicable, use 
        machine-readable data, automation, and machine learning 
        processes.
            ``(3) Sharing of data and analysis.--
                    ``(A) In general.--The Director of the 
                Cybersecurity and Infrastructure Security Agency shall 
                share on an ongoing basis the analyses and underlying 
                data required under this subsection with agencies, the 
                Director, and the National Cyber Director to--
                            ``(i) improve the understanding of 
                        cybersecurity risk of agencies; and
                            ``(ii) support the cybersecurity 
                        improvement efforts of agencies.
                    ``(B) Format.--In carrying out subparagraph (A), 
                the Director of the Cybersecurity and Infrastructure 
                Security Agency shall share the analyses--
                            ``(i) in human-readable written products; 
                        and
                            ``(ii) to the greatest extent practicable, 
                        in machine-readable formats in order to enable 
                        automated intake and use by agencies.
                    ``(C) Exemption.--This subsection shall not apply 
                to incidents that occur exclusively on national 
                security systems.
    ``(b) Annual Report on Federal Incidents.--Not later than 2 years 
after the date of enactment of this section, and not less frequently 
than annually thereafter, the Director of the Cybersecurity and 
Infrastructure Security Agency, in consultation with the Director, the 
National Cyber Director and the heads of other agencies, as 
appropriate, shall submit to the appropriate reporting entities a 
report that includes--
            ``(1) a summary of causes of incidents from across the 
        Federal Government that categorizes those incidents as 
        incidents or major incidents;
            ``(2) the quantitative and qualitative analyses of 
        incidents developed under subsection (a)(1) on an agency-by-
        agency basis and comprehensively across the Federal Government, 
        including--
                    ``(A) a specific analysis of breaches; and
                    ``(B) an analysis of the Federal Government's 
                performance against the metrics established under 
                section 224(c) of the Cybersecurity Act of 2015 (6 
                U.S.C. 1522(c)); and
            ``(3) an annex for each agency that includes--
                    ``(A) a description of each major incident;
                    ``(B) the total number of incidents of the agency; 
                and
                    ``(C) an analysis of the agency's performance 
                against the metrics established under section 224(c) of 
                the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)).
    ``(c) Publication.--
            ``(1) In general.--The Director of the Cybersecurity and 
        Infrastructure Security Agency shall make a version of each 
        report submitted under subsection (b) publicly available on the 
        website of the Cybersecurity and Infrastructure Security Agency 
        during the year during which the report is submitted.
            ``(2) Exemption.--The publication requirement under 
        paragraph (1) shall not apply to a portion of a report that 
        contains content that should be protected in the interest of 
        national security, as determined by the Director, the Director 
        of the Cybersecurity and Infrastructure Security Agency, or the 
        National Cyber Director.
            ``(3) Limitation on exemption.--The exemption under 
        paragraph (2) shall not apply to any version of a report 
        submitted to the appropriate reporting entities under 
        subsection (b).
            ``(4) Requirement for compiling information.--
                    ``(A) Compilation.--Subject to subparagraph (B), in 
                making a report publicly available under paragraph (1), 
                the Director of the Cybersecurity and Infrastructure 
                Security Agency shall sufficiently compile information 
                so that no specific incident of an agency can be 
                identified.
                    ``(B) Exception.--The Director of the Cybersecurity 
                and Infrastructure Security Agency may include 
                information that enables a specific incident of an 
                agency to be identified in a publicly available 
                report--
                            ``(i) with the concurrence of the Director 
                        and the National Cyber Director;
                            ``(ii) in consultation with the impacted 
                        agency; and
                            ``(iii) in consultation with the inspector 
                        general of the impacted agency.
    ``(d) Information Provided by Agencies.--
            ``(1) In general.--The analysis required under subsection 
        (a) and each report submitted under subsection (b) shall use 
        information provided by agencies under section 3594(a).
            ``(2) Noncompliance reports.--During any year during which 
        the head of an agency does not provide data for an incident to 
        the Cybersecurity and Infrastructure Security Agency in 
        accordance with section 3594(a), the head of the agency, in 
        coordination with the Director of the Cybersecurity and 
        Infrastructure Security Agency and the Director, shall submit 
        to the appropriate reporting entities a report that includes 
        the information described in subsection (b) with respect to the 
        agency.
    ``(e) National Security System Reports.--
            ``(1) In general.--Notwithstanding any other provision of 
        this section, the Secretary of Defense, in consultation with 
        the Director, the National Cyber Director, the Director of 
        National Intelligence, and the Director of Cybersecurity and 
        Infrastructure Security shall annually submit a report that 
        includes the information described in subsection (b) with 
        respect to national security systems, to the extent that the 
        submission is consistent with standards and guidelines for 
        national security systems issued in accordance with law and as 
        directed by the President, to--
                    ``(A) the majority and minority leaders of the 
                Senate;
                    ``(B) the Speaker and minority leader of the House 
                of Representatives;
                    ``(C) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    ``(D) the Select Committee on Intelligence of the 
                Senate;
                    ``(E) the Committee on Armed Services of the 
                Senate;
                    ``(F) the Committee on Appropriations of the 
                Senate;
                    ``(G) the Committee on Oversight and Accountability 
                of the House of Representatives;
                    ``(H) the Committee on Homeland Security of the 
                House of Representatives;
                    ``(I) the Permanent Select Committee on 
                Intelligence of the House of Representatives;
                    ``(J) the Committee on Armed Services of the House 
                of Representatives; and
                    ``(K) the Committee on Appropriations of the House 
                of Representatives.
            ``(2) Classified form.--A report required under paragraph 
        (1) may be submitted in a classified form.
``Sec. 3598. Major incident definition
    ``(a) In General.--Not later than 1 year after the later of the 
date of enactment of the Federal Information Security Modernization Act 
of 2023 and the most recent publication by the Director of guidance to 
agencies regarding major incidents as of the date of enactment of the 
Federal Information Security Modernization Act of 2023, the Director 
shall develop, in coordination with the National Cyber Director, and 
promulgate guidance on the definition of the term `major incident' for 
the purposes of subchapter II and this subchapter.
    ``(b) Requirements.--With respect to the guidance issued under 
subsection (a), the definition of the term `major incident' shall--
            ``(1) include, with respect to any information collected or 
        maintained by or on behalf of an agency or a Federal 
        information system--
                    ``(A) any incident the head of the agency 
                determines is likely to result in demonstrable harm 
                to--
                            ``(i) the national security interests, 
                        foreign relations, homeland security, or 
                        economic security of the United States; or
                            ``(ii) the civil liberties, public 
                        confidence, privacy, or public health and 
                        safety of the people of the United States;
                    ``(B) any incident the head of the agency 
                determines likely to result in an inability or 
                substantial disruption for the agency, a component of 
                the agency, or the Federal Government, to provide 1 or 
                more critical services;
                    ``(C) any incident the head of the agency 
                determines substantially disrupts or substantially 
                degrades the operations of a high value asset owned or 
                operated by the agency;
                    ``(D) any incident involving the exposure to a 
                foreign entity of sensitive agency information, such as 
                the communications of the head of the agency, the head 
                of a component of the agency, or the direct reports of 
                the head of the agency or the head of a component of 
                the agency; and
                    ``(E) any other type of incident determined 
                appropriate by the Director;
            ``(2) stipulate that the National Cyber Director, in 
        consultation with the Director and the Director of the 
        Cybersecurity and Infrastructure Security Agency, may declare a 
        major incident at any agency, and such a declaration shall be 
        considered if it is determined that an incident--
                    ``(A) occurs at not less than 2 agencies; and
                    ``(B) is enabled by--
                            ``(i) a common technical root cause, such 
                        as a supply chain compromise, or a common 
                        software or hardware vulnerability; or
                            ``(ii) the related activities of a common 
                        threat actor;
            ``(3) stipulate that, in determining whether an incident 
        constitutes a major incident under the standards described in 
        paragraph (1), the head of the agency shall consult with the 
        National Cyber Director; and
            ``(4) stipulate that the mere report of a vulnerability 
        discovered or disclosed without a loss of confidentiality, 
        integrity, or availability shall not on its own constitute a 
        major incident.
    ``(c) Evaluation and Updates.--Not later than 60 days after the 
date on which the Director first promulgates the guidance required 
under subsection (a), and not less frequently than once during the 
first 90 days of each evenly numbered Congress thereafter, the Director 
shall provide to the Committee on Homeland Security and Governmental 
Affairs of the Senate and the Committees on Oversight and 
Accountability and Homeland Security of the House of Representatives a 
briefing that includes--
            ``(1) an evaluation of any necessary updates to the 
        guidance;
            ``(2) an evaluation of any necessary updates to the 
        definition of the term `major incident' included in the 
        guidance; and
            ``(3) an explanation of, and the analysis that led to, the 
        definition described in paragraph (2).''.
            (2) Clerical amendment.--The table of sections for chapter 
        35 of title 44, United States Code, is amended by adding at the 
        end the following:

            ``subchapter iv--federal system incident response

``3591. Definitions.
``3592. Notification of breach.
``3593. Congressional and Executive Branch reports.
``3594. Government information sharing and incident response.
``3595. Responsibilities of contractors and awardees.
``3596. Training.
``3597. Analysis and report on Federal incidents.
``3598. Major incident definition.''.

SEC. 104. AMENDMENTS TO SUBTITLE III OF TITLE 40.

    (a) Modernizing Government Technology.--Subtitle G of title X of 
division A of the National Defense Authorization Act for Fiscal Year 
2018 (40 U.S.C. 11301 note) is amended in section 1078--
            (1) by striking subsection (a) and inserting the following:
    ``(a) Definitions.--In this section:
            ``(1) Agency.--The term `agency' has the meaning given the 
        term in section 551 of title 5, United States Code.
            ``(2) High value asset.--The term `high value asset' has 
        the meaning given the term in section 3552 of title 44, United 
        States Code.'';
            (2) in subsection (b), by adding at the end the following:
            ``(8) Proposal evaluation.--The Director shall--
                    ``(A) give consideration for the use of amounts in 
                the Fund to improve the security of high value assets; 
                and
                    ``(B) require that any proposal for the use of 
                amounts in the Fund includes, as appropriate--
                            ``(i) a cybersecurity risk management plan; 
                        and
                            ``(ii) a supply chain risk assessment in 
                        accordance with section 1326 of title 41.''; 
                        and
            (3) in subsection (c)--
                    (A) in paragraph (2)(A)(i), by inserting ``, 
                including a consideration of the impact on high value 
                assets'' after ``operational risks'';
                    (B) in paragraph (5)--
                            (i) in subparagraph (A), by striking 
                        ``and'' at the end;
                            (ii) in subparagraph (B), by striking the 
                        period at the end and inserting ``and''; and
                            (iii) by adding at the end the following:
                    ``(C) a senior official from the Cybersecurity and 
                Infrastructure Security Agency of the Department of 
                Homeland Security, appointed by the Director.''; and
                    (C) in paragraph (6)(A), by striking ``shall be--'' 
                and all that follows through ``4 employees'' and 
                inserting ``shall be 4 employees''.
    (b) Subchapter I.--Subchapter I of chapter 113 of subtitle III of 
title 40, United States Code, is amended--
            (1) in section 11302--
                    (A) in subsection (b), by striking ``use, security, 
                and disposal of'' and inserting ``use, and disposal of, 
                and, in consultation with the Director of the 
                Cybersecurity and Infrastructure Security Agency and 
                the National Cyber Director, promote and improve the 
                security of,''; and
                    (B) in subsection (h), by inserting ``, including 
                cybersecurity performances,'' after ``the 
                performances''; and
            (2) in section 11303(b)(2)(B)--
                    (A) in clause (i), by striking ``or'' at the end;
                    (B) in clause (ii), by adding ``or'' at the end; 
                and
                    (C) by adding at the end the following:
                            ``(iii) whether the function should be 
                        performed by a shared service offered by 
                        another executive agency;''.
    (c) Subchapter II.--Subchapter II of chapter 113 of subtitle III of 
title 40, United States Code, is amended--
            (1) in section 11312(a), by inserting ``, including 
        security risks'' after ``managing the risks'';
            (2) in section 11313(1), by striking ``efficiency and 
        effectiveness'' and inserting ``efficiency, security, and 
        effectiveness'';
            (3) in section 11317, by inserting ``security,'' before 
        ``or schedule''; and
            (4) in section 11319(b)(1), in the paragraph heading, by 
        striking ``CIOS'' and inserting ``Chief information officers''.

SEC. 105. ACTIONS TO ENHANCE FEDERAL INCIDENT TRANSPARENCY.

    (a) Responsibilities of the Cybersecurity and Infrastructure 
Security Agency.--
            (1) In general.--Not later than 180 days after the date of 
        enactment of this Act, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall--
                    (A) develop a plan for the development of the 
                analysis required under section 3597(a) of title 44, 
                United States Code, as added by this title, and the 
                report required under subsection (b) of that section 
                that includes--
                            (i) a description of any challenges the 
                        Director of the Cybersecurity and 
                        Infrastructure Security Agency anticipates 
                        encountering; and
                            (ii) the use of automation and machine-
                        readable formats for collecting, compiling, 
                        monitoring, and analyzing data; and
                    (B) provide to the appropriate congressional 
                committees a briefing on the plan developed under 
                subparagraph (A).
            (2) Briefing.--Not later than 1 year after the date of 
        enactment of this Act, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall provide to the appropriate 
        congressional committees a briefing on--
                    (A) the execution of the plan required under 
                paragraph (1)(A); and
                    (B) the development of the report required under 
                section 3597(b) of title 44, United States Code, as 
                added by this title.
    (b) Responsibilities of the Director of the Office of Management 
and Budget.--
            (1) Updating fisma 2014.--Section 2 of the Federal 
        Information Security Modernization Act of 2014 (Public Law 113-
        283; 128 Stat. 3073) is amended--
                    (A) by striking subsections (b) and (d); and
                    (B) by redesignating subsections (c), (e), and (f) 
                as subsections (b), (c), and (d), respectively.
            (2) Incident data sharing.--
                    (A) In general.--The Director, in coordination with 
                the Director of the Cybersecurity and Infrastructure 
                Security Agency, shall develop, and as appropriate 
                update, guidance on the content, timeliness, and 
                format of the information provided by agencies under 
                section 3594(a) of title 44, United States Code, as 
                added by this title.
                    (B) Requirements.--The guidance developed under 
                subparagraph (A) shall--
                            (i) enable the efficient development of--
                                    (I) lessons learned and 
                                recommendations in responding to, 
                                recovering from, remediating, and 
                                mitigating future incidents; and
                                    (II) the report on Federal 
                                incidents required under section 
                                3597(b) of title 44, United States 
                                Code, as added by this title; and
                            (ii) include requirements for the 
                        timeliness of data production.
                    (C) Automation.--The Director, in coordination with 
                the Director of the Cybersecurity and Infrastructure 
                Security Agency, shall promote, as feasible, the use of 
                automation and machine-readable data for data sharing 
                under section 3594(a) of title 44, United States Code, 
                as added by this title.
            (3) Contractor and awardee guidance.--
                    (A) In general.--Not later than 1 year after the 
                date of enactment of this Act, the Director shall issue 
                guidance to agencies on how to deconflict, to the 
                greatest extent practicable, existing regulations, 
                policies, and procedures relating to the 
                responsibilities of contractors and awardees 
                established under section 3595 of title 44, United 
                States Code, as added by this title.
                    (B) Existing processes.--To the greatest extent 
                practicable, the guidance issued under subparagraph (A) 
                shall allow contractors and awardees to use existing 
                processes for notifying agencies of incidents involving 
                information of the Federal Government.
    (c) Update to the Privacy Act of 1974.--Section 552a(b) of title 5, 
United States Code (commonly known as the ``Privacy Act of 1974'') is 
amended--
            (1) in paragraph (11), by striking ``or'' at the end;
            (2) in paragraph (12), by striking the period at the end 
        and inserting ``; or''; and
            (3) by adding at the end the following:
            ``(13) to another agency, to the extent necessary, to 
        assist the recipient agency in responding to an incident (as 
        defined in section 3552 of title 44) or breach (as defined in 
        section 3591 of title 44) or to fulfill the information sharing 
        requirements under section 3594 of title 44.''.

SEC. 106. ADDITIONAL GUIDANCE TO AGENCIES ON FISMA UPDATES.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, the Director shall issue guidance for agencies on--
            (1) performing the ongoing and continuous agency system 
        risk assessment required under section 3554(a)(1)(A) of title 
        44, United States Code, as amended by this title; and
            (2) establishing a process for securely providing the 
        status of each remedial action for high value assets under 
        section 3554(b)(7) of title 44, United States Code, as amended 
        by this title, to the Director and the Director of the 
        Cybersecurity and Infrastructure Security Agency using 
        automation and machine-readable data, as practicable, which 
        shall include--
                    (A) specific guidance for the use of automation and 
                machine-readable data; and
                    (B) templates for providing the status of the 
                remedial action.
    (b) Coordination.--The head of each agency shall coordinate with 
the inspector general of the agency, as applicable, to ensure 
consistent understanding of agency policies for the purpose of 
evaluations conducted by the inspector general.

SEC. 107. AGENCY REQUIREMENTS TO NOTIFY PRIVATE SECTOR ENTITIES 
              IMPACTED BY INCIDENTS.

    (a) Definitions.--In this section:
            (1) Reporting entity.--The term ``reporting entity'' means 
        a private organization or governmental unit that is required by 
        statute or regulation to submit sensitive information to an 
        agency.
            (2) Sensitive information.--The term ``sensitive 
        information'' has the meaning given the term by the Director in 
        guidance issued under subsection (b).
    (b) Guidance on Notification of Reporting Entities.--Not later than 
1 year after the date of enactment of this Act, the Director shall 
develop, in consultation with the National Cyber Director, and issue 
guidance requiring the head of each agency to notify a reporting 
entity, and take into consideration the need to coordinate with Sector 
Risk Management Agencies (as defined in section 2200 of the Homeland 
Security Act of 2002 (6 U.S.C. 650)), as appropriate, of an incident at 
the agency that is likely to substantially affect--
            (1) the confidentiality or integrity of sensitive 
        information submitted by the reporting entity to the agency 
        pursuant to a statutory or regulatory requirement; or
            (2) any information system (as defined in section 3502 of 
        title 44, United States Code) used in the transmission or 
        storage of the sensitive information described in paragraph 
        (1).

SEC. 108. MOBILE SECURITY BRIEFINGS.

    (a) In General.--Not later than 180 days after the date of 
enactment of this Act, the Director shall provide to the appropriate 
congressional committees--
            (1) a briefing on the compliance of agencies with the No 
        TikTok on Government Devices Act (44 U.S.C. 3553 note; Public 
        Law 117-328); and
            (2) as a component of the briefing required under paragraph 
        (1), a list of each exception of an agency from the No TikTok 
        on Government Devices Act (44 U.S.C. 3553 note; Public Law 117-
        328), which may include a classified annex.
    (b) Additional Briefing.--Not later than 1 year after the date of 
the briefing required under subsection (a)(1), the Director shall 
provide to the appropriate congressional committees--
            (1) a briefing on the compliance of any agency that was not 
        compliant with the No TikTok on Government Devices Act (44 
        U.S.C. 3553 note; Public Law 117-328) at the time of the 
        briefing required under subsection (a)(1); and
            (2) as a component of the briefing required under paragraph 
        (1), an update to the list required under subsection (a)(2).

SEC. 109. DATA AND LOGGING RETENTION FOR INCIDENT RESPONSE.

    (a) Guidance.--Not later than 2 years after the date of enactment 
of this Act, the Director, in consultation with the National Cyber 
Director and the Director of the Cybersecurity and Infrastructure 
Security Agency, shall update guidance to agencies regarding 
requirements for logging, log retention, log management, sharing of log 
data with other appropriate agencies, or any other logging activity 
determined to be appropriate by the Director.
    (b) National Security Systems.--The Secretary of Defense shall 
issue guidance that meets or exceeds the standards required in guidance 
issued under subsection (a) for National Security Systems.

SEC. 110. CISA AGENCY LIAISONS.

    (a) In General.--Not later than 120 days after the date of 
enactment of this Act, the Director of the Cybersecurity and 
Infrastructure Security Agency shall assign not less than 1 
cybersecurity professional employed by the Cybersecurity and 
Infrastructure Security Agency to be the Cybersecurity and 
Infrastructure Security Agency liaison to the Chief Information 
Security Officer of each agency.
    (b) Qualifications.--Each liaison assigned under subsection (a) 
shall have knowledge of--
            (1) cybersecurity threats facing agencies, including any 
        specific threats to the assigned agency;
            (2) risk assessments of agency systems; and
            (3) other Federal cybersecurity initiatives.
    (c) Duties.--The duties of each liaison assigned under subsection 
(a) shall include--
            (1) providing, as requested, assistance and advice to the 
        agency Chief Information Security Officer;
            (2) supporting, as requested, incident response 
        coordination between the assigned agency and the Cybersecurity 
        and Infrastructure Security Agency;
            (3) becoming familiar with assigned agency systems, 
        processes, and procedures to better facilitate support to the 
        agency; and
            (4) other liaison duties to the assigned agency solely in 
        furtherance of Federal cybersecurity or support to the assigned 
        agency as a Sector Risk Management Agency, as assigned by the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency in consultation with the head of the assigned agency.
    (d) Limitation.--A liaison assigned under subsection (a) shall not 
be a contractor.
    (e) Multiple Assignments.--One individual liaison may be assigned 
to multiple agency Chief Information Security Officers under subsection 
(a).
    (f) Coordination of Activities.--The Director of the Cybersecurity 
and Infrastructure Security Agency shall consult with the Director on 
the execution of the duties of the Cybersecurity and Infrastructure 
Security Agency liaisons to ensure that there is no inappropriate 
duplication of activities among--
            (1) Federal cybersecurity support to agencies of the Office 
        of Management and Budget; and
            (2) the Cybersecurity and Infrastructure Security Agency 
        liaison.
    (g) Rule of Construction.--Nothing in this section shall be 
construed to impact the ability of the Director to support agency 
implementation of Federal cybersecurity requirements pursuant to 
subchapter II of chapter 35 of title 44, United States Code, as amended 
by this title.

SEC. 111. FEDERAL PENETRATION TESTING POLICY.

    (a) In General.--Subchapter II of chapter 35 of title 44, United 
States Code, is amended by adding at the end the following:
``Sec. 3559A. Federal penetration testing
    ``(a) Guidance.--The Director, in consultation with the Director of 
the Cybersecurity and Infrastructure Security Agency, shall issue 
guidance to agencies that--
            ``(1) requires agencies to perform penetration testing on 
        information systems, as appropriate, including on high value 
        assets;
            ``(2) provides policies governing the development of--
                    ``(A) rules of engagement for using penetration 
                testing; and
                    ``(B) procedures to use the results of penetration 
                testing to improve the cybersecurity and risk 
                management of the agency;
            ``(3) ensures that operational support or a shared service 
        is available; and
            ``(4) in no manner restricts the authority of the Secretary 
        of Homeland Security or the Director of the Cybersecurity and 
        Infrastructure Security Agency to conduct threat hunting 
        pursuant to section 3553 or penetration testing under this 
        chapter.
    ``(b) Exception for National Security Systems.--The guidance issued 
under subsection (a) shall not apply to national security systems.
    ``(c) Delegation of Authority for Certain Systems.--The authorities 
of the Director described in subsection (a) shall be delegated to--
            ``(1) the Secretary of Defense in the case of a system 
        described in section 3553(e)(2); and
            ``(2) the Director of National Intelligence in the case of 
        a system described in section 3553(e)(3).''.
    (b) Existing Guidance.--
            (1) In general.--Compliance with guidance issued by the 
        Director relating to penetration testing before the date of 
        enactment of this Act shall be deemed to be compliance with 
        section 3559A of title 44, United States Code, as added by this 
        title.
            (2) Immediate new guidance not required.--Nothing in 
        section 3559A of title 44, United States Code, as added by this 
        title, shall be construed to require the Director to issue new 
        guidance to agencies relating to penetration testing before the 
        date described in paragraph (3).
            (3) Guidance updates.--Notwithstanding paragraphs (1) and 
        (2), not later than 2 years after the date of enactment of this 
        Act, the Director shall review and, as appropriate, update 
        existing guidance requiring penetration testing by agencies.
    (c) Clerical Amendment.--The table of sections for chapter 35 of 
title 44, United States Code, is amended by adding after the item 
relating to section 3559 the following:

``3559A. Federal penetration testing.''.
    (d) Penetration Testing by the Secretary of Homeland Security.--
Section 3553(b) of title 44, United States Code, as amended by this 
title, is further amended by inserting after paragraph (8) the 
following:
            ``(9) performing penetration testing that may leverage 
        manual expert analysis to identify threats and vulnerabilities 
        within information systems--
                    ``(A) without consent or authorization from 
                agencies; and
                    ``(B) with prior notification to the head of the 
                agency;''.

SEC. 112. VULNERABILITY DISCLOSURE POLICIES.

    (a) In General.--Chapter 35 of title 44, United States Code, is 
amended by inserting after section 3559A, as added by this title, the 
following:
``Sec. 3559B. Federal vulnerability disclosure policies
    ``(a) Purpose; Sense of Congress.--
            ``(1) Purpose.--The purpose of Federal vulnerability 
        disclosure policies is to create a mechanism to enable the 
        public to inform agencies of vulnerabilities in Federal 
        information systems.
            ``(2) Sense of congress.--It is the sense of Congress that, 
        in implementing the requirements of this section, the Federal 
        Government should take appropriate steps to reduce real and 
        perceived burdens in communications between agencies and 
        security researchers.
    ``(b) Definitions.--In this section:
            ``(1) Contractor.--The term `contractor' has the meaning 
        given the term in section 3591.
            ``(2) Internet of things.--The term `internet of things' 
        has the meaning given the term in Special Publication 800-213 
        of the National Institute of Standards and Technology, entitled 
        `IoT Device Cybersecurity Guidance for the Federal Government: 
        Establishing IoT Device Cybersecurity Requirements', or any 
        successor document.
            ``(3) Security vulnerability.--The term `security 
        vulnerability' has the meaning given the term in section 102 of 
        the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 
        1501).
            ``(4) Submitter.--The term `submitter' means an individual 
        that submits a vulnerability disclosure report pursuant to the 
        vulnerability disclosure process of an agency.
            ``(5) Vulnerability disclosure report.--The term 
        `vulnerability disclosure report' means a disclosure of a 
        security vulnerability made to an agency by a submitter.
    ``(c) Guidance.--The Director shall issue guidance to agencies that 
includes--
            ``(1) use of the information system security 
        vulnerabilities disclosure process guidelines established under 
        section 4(a)(1) of the IoT Cybersecurity Improvement Act of 
        2020 (15 U.S.C. 278g-3b(a)(1));
            ``(2) direction to not recommend or pursue legal action 
        against a submitter or an individual that conducts a security 
        research activity that--
                    ``(A) represents a good faith effort to identify 
                and report security vulnerabilities in information 
                systems; or
                    ``(B) otherwise represents a good faith effort to 
                follow the vulnerability disclosure policy of the 
                agency developed under subsection (f)(2);
            ``(3) direction on sharing relevant information in a 
        consistent, automated, and machine readable manner with the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency;
            ``(4) the minimum scope of agency systems required to be 
        covered by the vulnerability disclosure policy of an agency 
        required under subsection (f)(2), including exemptions under 
        subsection (g);
            ``(5) requirements for providing information to the 
        submitter of a vulnerability disclosure report on the 
        resolution of the vulnerability disclosure report;
            ``(6) a stipulation that the mere identification by a 
        submitter of a security vulnerability, without a significant 
        compromise of confidentiality, integrity, or availability, does 
        not constitute a major incident; and
            ``(7) the applicability of the guidance to Internet of 
        things devices owned or controlled by an agency.
    ``(d) Consultation.--In developing the guidance required under 
subsection (c)(3), the Director shall consult with the Director of the 
Cybersecurity and Infrastructure Security Agency.
    ``(e) Responsibilities of CISA.--The Director of the Cybersecurity 
and Infrastructure Security Agency shall--
            ``(1) provide support to agencies with respect to the 
        implementation of the requirements of this section;
            ``(2) develop tools, processes, and other mechanisms 
        determined appropriate to offer agencies capabilities to 
        implement the requirements of this section;
            ``(3) upon a request by an agency, assist the agency in the 
        disclosure to vendors of newly identified security 
        vulnerabilities in vendor products and services; and
            ``(4) as appropriate, implement the requirements of this 
        section, in accordance with the authority under section 
        3553(b)(8), as a shared service available to agencies.
    ``(f) Responsibilities of Agencies.--
            ``(1) Public information.--The head of each agency shall 
        make publicly available, with respect to each internet domain 
        under the control of the agency that is not a national security 
        system and to the extent consistent with the security of 
        information systems but with the presumption of disclosure--
                    ``(A) an appropriate security contact; and
                    ``(B) the component of the agency that is 
                responsible for the internet accessible services 
                offered at the domain.
            ``(2) Vulnerability disclosure policy.--The head of each 
        agency shall develop and make publicly available a 
        vulnerability disclosure policy for the agency, which shall--
                    ``(A) describe--
                            ``(i) the scope of the systems of the 
                        agency included in the vulnerability disclosure 
                        policy, including for Internet of things 
                        devices owned or controlled by the agency;
                            ``(ii) the type of information system 
                        testing that is authorized by the agency;
                            ``(iii) the type of information system 
                        testing that is not authorized by the agency;
                            ``(iv) the disclosure policy for a 
                        contractor; and
                            ``(v) the disclosure policy of the agency 
                        for sensitive information;
                    ``(B) with respect to a vulnerability disclosure 
                report to an agency, describe--
                            ``(i) how the submitter should submit the 
                        vulnerability disclosure report; and
                            ``(ii) if the report is not anonymous, when 
                        the reporter should anticipate an 
                        acknowledgment of receipt of the report by the 
                        agency;
                    ``(C) include any other relevant information; and
                    ``(D) be mature in scope and cover every internet 
                accessible information system used or operated by that 
                agency or on behalf of that agency.
            ``(3) Identified security vulnerabilities.--The head of 
        each agency shall--
                    ``(A) consider security vulnerabilities reported in 
                accordance with paragraph (2);
                    ``(B) commensurate with the risk posed by the 
                security vulnerability, address such security 
                vulnerability using the security vulnerability 
                management process of the agency; and
                    ``(C) in accordance with subsection (c)(5), provide 
                information to the submitter of a vulnerability 
                disclosure report.
    ``(g) Exemptions.--
            ``(1) In general.--The Director and the head of each agency 
        shall carry out this section in a manner consistent with the 
        protection of national security information.
            ``(2) Limitation.--The Director and the head of each agency 
        may not publish under subsection (f)(1) or include in a 
        vulnerability disclosure policy under subsection (f)(2) host 
        names, services, information systems, or other information that 
        the Director or the head of an agency, in coordination with the 
        Director and other appropriate heads of agencies, determines 
        would--
                    ``(A) disrupt a law enforcement investigation;
                    ``(B) endanger national security or intelligence 
                activities; or
                    ``(C) impede national defense activities or 
                military operations.
            ``(3) National security systems.--This section shall not 
        apply to national security systems.
    ``(h) Delegation of Authority for Certain Systems.--The authorities 
of the Director and the Director of the Cybersecurity and 
Infrastructure Security Agency described in this section shall be 
delegated--
            ``(1) to the Secretary of Defense in the case of systems 
        described in section 3553(e)(2); and
            ``(2) to the Director of National Intelligence in the case 
        of systems described in section 3553(e)(3).
    ``(i) Revision of Federal Acquisition Regulation.--The Federal 
Acquisition Regulation shall be revised as necessary to implement the 
provisions under this section.''.
    (b) Clerical Amendment.--The table of sections for chapter 35 of 
title 44, United States Code, is amended by adding after the item 
relating to section 3559A, as added by this title, the following:

``3559B. Federal vulnerability disclosure policies.''.
    (c) Conforming Update and Repeal.--
            (1) Guidelines on the disclosure process for security 
        vulnerabilities relating to information systems, including 
        internet of things devices.--Section 5 of the IoT Cybersecurity 
        Improvement Act of 2020 (15 U.S.C. 278g-3c) is amended by 
        striking subsections (d) and (e).
            (2) Implementation and contractor compliance.--The IoT 
        Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-3a et 
        seq.) is amended--
                    (A) by striking section 6 (15 U.S.C. 278g-3d); and
                    (B) by striking section 7 (15 U.S.C. 278g-3e).

SEC. 113. IMPLEMENTING ZERO TRUST ARCHITECTURE.

    (a) Briefings.--Not later than 1 year after the date of enactment 
of this Act, the Director shall provide to the Committee on Homeland 
Security and Governmental Affairs of the Senate and the Committees on 
Oversight and Accountability and Homeland Security of the House of 
Representatives a briefing on progress in increasing the internal 
defenses of agency systems, including--
            (1) shifting away from trusted networks to implement 
        security controls based on a presumption of compromise, 
        including through the transition to zero trust architecture;
            (2) implementing principles of least privilege in 
        administering information security programs;
            (3) limiting the ability of entities that cause incidents 
        to move laterally through or between agency systems;
            (4) identifying incidents quickly;
            (5) isolating and removing unauthorized entities from 
        agency systems as quickly as practicable, accounting for 
        intelligence or law enforcement purposes; and
            (6) otherwise increasing the resource costs for entities 
        that cause incidents to be successful.
    (b) Progress Report.--As a part of each report required to be 
submitted under section 3553(c) of title 44, United States Code, during 
the period beginning on the date that is 4 years after the date of 
enactment of this Act and ending on the date that is 10 years after the 
date of enactment of this Act, the Director shall include an update on 
agency implementation of zero trust architecture, which shall include--
            (1) a description of steps agencies have completed, 
        including progress toward achieving any requirements issued by 
        the Director, including the adoption of any models or reference 
        architecture;
            (2) an identification of activities that have not yet been 
        completed and that would have the most immediate security 
        impact; and
            (3) a schedule to implement any planned activities.
    (c) Classified Annex.--Each update required under subsection (b) 
may include 1 or more annexes that contain classified or other 
sensitive information, as appropriate.
    (d) National Security Systems.--
            (1) Briefing.--Not later than 1 year after the date of 
        enactment of this Act, the Secretary of Defense shall provide 
        to the Committee on Homeland Security and Governmental Affairs 
        of the Senate, the Committee on Oversight and Accountability of 
        the House of Representatives, the Committee on Armed Services 
        of the Senate, the Committee on Armed Services of the House of 
        Representatives, the Select Committee on Intelligence of the 
        Senate, and the Permanent Select Committee on Intelligence of 
        the House of Representatives a briefing on the implementation 
        of zero trust architecture with respect to national security 
        systems.
            (2) Progress report.--Not later than the date on which each 
        update is required to be submitted under subsection (b), the 
        Secretary of Defense shall submit to the congressional 
        committees described in paragraph (1) a progress report on the 
        implementation of zero trust architecture with respect to 
        national security systems.

SEC. 114. AUTOMATION AND ARTIFICIAL INTELLIGENCE.

    (a) Definition.--In this section, the term ``information system'' 
has the meaning given the term in section 3502 of title 44, United 
States Code.
    (b) Use of Artificial Intelligence.--
            (1) In general.--As appropriate, the Director shall issue 
        guidance on the use of artificial intelligence by agencies to 
        improve the cybersecurity of information systems.
            (2) Considerations.--The Director and head of each agency 
        shall consider the use and capabilities of artificial 
        intelligence systems wherever automation is used in furtherance 
        of the cybersecurity of information systems.
            (3) Report.--Not later than 1 year after the date of 
        enactment of this Act, and annually thereafter until the date 
        that is 5 years after the date of enactment of this Act, the 
        Director shall submit to the appropriate congressional 
        committees a report on the use of artificial intelligence to 
        further the cybersecurity of information systems.
    (c) Comptroller General Reports.--
            (1) In general.--Not later than 2 years after the date of 
        enactment of this Act, the Comptroller General of the United 
        States shall submit to the appropriate congressional committees 
        a report on the risks to the privacy of individuals and the 
        cybersecurity of information systems associated with the use by 
        Federal agencies of artificial intelligence systems or 
        capabilities.
            (2) Study.--Not later than 2 years after the date of 
        enactment of this Act, the Comptroller General of the United 
        States shall perform a study, and submit to the Committees on 
        Homeland Security and Governmental Affairs and Commerce, 
        Science, and Transportation of the Senate and the Committees on 
        Oversight and Accountability, Homeland Security, and Science, 
        Space, and Technology of the House of Representatives a report, 
        on the use of automation, including artificial intelligence, 
        and machine-readable data across the Federal Government for 
        cybersecurity purposes, including the automated updating of 
        cybersecurity tools, sensors, or processes employed by agencies 
        under paragraphs (1), (5)(C), and (8)(B) of section 3554(b) of 
        title 44, United States Code, as amended by this title.

SEC. 115. EXTENSION OF CHIEF DATA OFFICER COUNCIL.

    Section 3520A(e)(2) of title 44, United States Code, is amended by 
striking ``upon the expiration of the 2-year period that begins on the 
date the Comptroller General submits the report under paragraph (1) to 
Congress'' and inserting ``December 31, 2031''.

SEC. 116. COUNCIL OF THE INSPECTORS GENERAL ON INTEGRITY AND EFFICIENCY 
              DASHBOARD.

    (a) Dashboard Required.--Section 424(e) of title 5, United States 
Code, is amended--
            (1) in paragraph (2)--
                    (A) in subparagraph (A), by striking ``and'' at the 
                end;
                    (B) by redesignating subparagraph (B) as 
                subparagraph (C);
                    (C) by inserting after subparagraph (A) the 
                following:
                    ``(B) that shall include a dashboard of open 
                information security recommendations identified in the 
                independent evaluations required by section 3555(a) of 
                title 44; and''; and
            (2) by adding at the end the following:
            ``(5) Rule of construction.--Nothing in this subsection 
        shall be construed to require the publication of information 
        that is exempted from disclosure under section 552 of this 
        title.''.

SEC. 117. SECURITY OPERATIONS CENTER SHARED SERVICE.

    (a) Briefing.--Not later than 180 days after the date of enactment 
of this Act, the Director of the Cybersecurity and Infrastructure 
Security Agency shall provide to the Committee on Homeland Security and 
Governmental Affairs of the Senate and the Committee on Homeland 
Security and the Committee on Oversight and Accountability of the House 
of Representatives a briefing on--
            (1) existing security operations center shared services;
            (2) the capability for such shared service to offer 
        centralized and simultaneous support to multiple agencies;
            (3) the capability for such shared service to integrate 
        with or support agency threat hunting activities authorized 
        under section 3553 of title 44, United States Code, as amended 
        by this title;
            (4) the capability for such shared service to integrate 
        with or support Federal vulnerability management activities; 
        and
            (5) future plans for expansion and maturation of such 
        shared service.
    (b) GAO Report.--Not less than 540 days after the date of enactment 
of this Act, the Comptroller General of the United States shall submit 
to the appropriate congressional committees a report on Federal 
cybersecurity security operations centers that--
            (1) identifies Federal agency best practices for efficiency 
        and effectiveness;
            (2) identifies non-Federal best practices used by large 
        entity operations centers and entities providing operation 
        centers as a service; and
            (3) includes recommendations for the Cybersecurity and 
        Infrastructure Security Agency and any other relevant agency to 
        improve the efficiency and effectiveness of security operations 
        centers shared service offerings.

SEC. 118. FEDERAL CYBERSECURITY REQUIREMENTS.

    (a) Codifying Federal Cybersecurity Requirements in Title 44.--
            (1) Amendment to federal cybersecurity enhancement act of 
        2015.--Section 225 of the Federal Cybersecurity Enhancement Act 
        of 2015 (6 U.S.C. 1523) is amended by striking subsections (b) 
        and (c).
            (2) Title 44.--Section 3554 of title 44, United States 
        Code, as amended by this title, is further amended by adding at 
        the end the following:
    ``(f) Specific Cybersecurity Requirements at Agencies.--
            ``(1) In general.--Consistent with policies, standards, 
        guidelines, and directives on information security under this 
        subchapter, and except as provided under paragraph (3), the 
        head of each agency shall--
                    ``(A) identify sensitive and mission critical data 
                stored by the agency consistent with the inventory 
                required under section 3505(c);
                    ``(B) assess access controls to the data described 
                in subparagraph (A), the need for readily accessible 
                storage of the data, and the need of individuals to 
                access the data;
                    ``(C) encrypt or otherwise render indecipherable to 
                unauthorized users the data described in subparagraph 
                (A) that is stored on or transiting agency information 
                systems;
                    ``(D) implement a single sign-on trusted identity 
                platform for individuals accessing each public website 
                of the agency that requires user authentication, as 
                developed by the Administrator of General Services in 
                collaboration with the Secretary; and
                    ``(E) implement identity management consistent with 
                section 504 of the Cybersecurity Enhancement Act of 
                2014 (15 U.S.C. 7464), including multi-factor 
                authentication, for--
                            ``(i) remote access to an information 
                        system; and
                            ``(ii) each user account with elevated 
                        privileges on an information system.
            ``(2) Prohibition.--
                    ``(A) Definition.--In this paragraph, the term 
                `Internet of things' has the meaning given the term in 
                section 3559B.
                    ``(B) Prohibition.--Consistent with policies, 
                standards, guidelines, and directives on information 
                security under this subchapter, and except as provided 
                under paragraph (3), the head of an agency may not 
                procure, obtain, renew a contract to procure or obtain 
                in any amount, notwithstanding section 1905 of title 41 
                or use an Internet of things device if the Chief 
                Information Officer of the agency determines during a 
                review required under section 11319(b)(1)(C) of title 
                40 of a contract for an Internet of things device that 
                the use of the device prevents compliance with the 
                standards and guidelines developed under section 4 of 
                the IoT Cybersecurity Improvement Act (15 U.S.C. 278g-
                3b) with respect to the device.
            ``(3) Exception.--The requirements under paragraph (1) 
        shall not apply to an information system for which--
                    ``(A) the head of the agency, without delegation, 
                has certified to the Director with particularity that--
                            ``(i) operational requirements articulated 
                        in the certification and related to the 
                        information system would make it excessively 
                        burdensome to implement the cybersecurity 
                        requirement;
                            ``(ii) the cybersecurity requirement is not 
                        necessary to secure the information system or 
                        agency information stored on or transiting it; 
                        and
                            ``(iii) the agency has taken all necessary 
                        steps to secure the information system and 
                        agency information stored on or transiting it; 
                        and
                    ``(B) the head of the agency has submitted the 
                certification described in subparagraph (A) to the 
                appropriate congressional committees and the 
                authorizing committees of the agency.
            ``(4) Duration of certification.--
                    ``(A) In general.--A certification and 
                corresponding exemption of an agency under paragraph 
                (3) shall expire on the date that is 4 years after the 
                date on which the head of the agency submits the 
                certification under paragraph (3)(A).
                    ``(B) Renewal.--Upon the expiration of a 
                certification of an agency under paragraph (3), the 
                head of the agency may submit an additional 
                certification in accordance with that paragraph.
            ``(5) Rules of construction.--Nothing in this subsection 
        shall be construed--
                    ``(A) to alter the authority of the Secretary, the 
                Director, or the Director of the National Institute of 
                Standards and Technology in implementing subchapter II 
                of this title;
                    ``(B) to affect the standards or process of the 
                National Institute of Standards and Technology;
                    ``(C) to affect the requirement under section 
                3553(a)(4); or
                    ``(D) to discourage continued improvements and 
                advancements in the technology, standards, policies, 
                and guidelines used to promote Federal information 
                security.
    ``(g) Exception.--
            ``(1) Requirements.--The requirements under subsection 
        (f)(1) shall not apply to--
                    ``(A) the Department of Defense;
                    ``(B) a national security system; or
                    ``(C) an element of the intelligence community.
            ``(2) Prohibition.--The prohibition under subsection (f)(2) 
        shall not apply to--
                    ``(A) Internet of things devices that are or 
                comprise a national security system;
                    ``(B) national security systems; or
                    ``(C) a procured Internet of things device 
                described in subsection (f)(2)(B) that the Chief 
                Information Officer of an agency determines is--
                            ``(i) necessary for research purposes; or
                            ``(ii) secured using alternative and 
                        effective methods appropriate to the function 
                        of the Internet of things device.''.
    (b) Report on Exemptions.--Section 3554(c)(1) of title 44, United 
States Code, as amended by this title, is further amended--
            (1) in subparagraph (B), by striking ``and'' at the end;
            (2) in subparagraph (C), by striking the period at the end 
        and inserting ``; and''; and
            (3) by adding at the end the following:
                    ``(D) with respect to any exemption from the 
                requirements of subsection (f)(3) that is effective on 
                the date of submission of the report, includes the 
                number of information systems that have received an 
                exemption from those requirements.''.
    (c) Duration of Certification Effective Date.--Paragraph (3) of 
section 3554(f) of title 44, United States Code, as added by this 
title, shall take effect on the date that is 1 year after the date of 
enactment of this Act.
    (d) Federal Cybersecurity Enhancement Act of 2015 Update.--Section 
222(3)(B) of the Federal Cybersecurity Enhancement Act of 2015 (6 
U.S.C. 1521(3)(B)) is amended by inserting ``and the Committee on 
Oversight and Accountability'' before ``of the House of 
Representatives.''

SEC. 119. FEDERAL CHIEF INFORMATION SECURITY OFFICER.

    (a) Amendment.--Chapter 36 of title 44, United States Code, is 
amended by adding at the end the following:
``Sec. 3617. Federal chief information security officer
    ``(a) Establishment.--There is established a Federal Chief 
Information Security Officer, who shall serve in--
            ``(1) the Office of the Federal Chief Information Officer 
        of the Office of Management and Budget; and
            ``(2) the Office of the National Cyber Director.
    ``(b) Appointment.--The Federal Chief Information Security Officer 
shall be appointed by the President.
    ``(c) OMB Duties.--The Federal Chief Information Security Officer 
shall report to the Federal Chief Information Officer and assist the 
Federal Chief Information Officer in carrying out--
            ``(1) every function under this chapter;
            ``(2) every function assigned to the Director under title 
        II of the E-Government Act of 2002 (44 U.S.C. 3501 note; Public 
        Law 107-347);
            ``(3) other electronic government initiatives consistent 
        with other statutes; and
            ``(4) other Federal cybersecurity initiatives determined by 
        the Federal Chief Information Officer.
    ``(d) Additional Duties.--The Federal Chief Information Security 
Officer shall--
            ``(1) support the Federal Chief Information Officer in 
        overseeing and implementing Federal cybersecurity under the E-
        Government Act of 2002 (Public Law 107-347; 116 Stat. 2899) and 
        other relevant statutes in a manner consistent with law; and
            ``(2) perform every function assigned to the Director under 
        sections 1321 through 1328 of title 41, United States Code.
    ``(e) Coordination With ONCD.--The Federal Chief Information 
Security Officer shall support initiatives determined by the Federal 
Chief Information Officer necessary to coordinate with the Office of 
the National Cyber Director.''.
    (b) National Cyber Director Duties.--Section 1752 of the William M. 
(Mac) Thornberry National Defense Authorization Act for Fiscal Year 
2021 (6 U.S.C. 1500) is amended--
            (1) by redesignating subsection (g) as subsection (h); and
            (2) by inserting after subsection (f) the following:
    ``(g) Senior Federal Cybersecurity Officer.--The Federal Chief 
Information Security Officer appointed by the President under section 
3617 of title 44, United States Code, shall be a senior official within 
the Office and carry out duties applicable to the protection of 
information technology (as defined in section 11101 of title 40, United 
States Code), including initiatives determined by the Director 
necessary to coordinate with the Office of the Federal Chief 
Information Officer.''.
    (c) Treatment of Incumbent.--The individual serving as the Federal 
Chief Information Security Officer appointed by the President as of the 
date of the enactment of this Act may serve as the Federal Chief 
Information Security Officer under section 3617 of title 44, United 
States Code, as added by this title, beginning on the date of enactment 
of this Act, without need for a further or additional appointment under 
such section.
    (d) Clerical Amendment.--The table of sections for chapter 36 of 
title 44, United States Code, is amended by adding at the end the 
following:

``Sec. 3617. Federal chief information security officer''.

SEC. 120. RENAMING OFFICE OF THE FEDERAL CHIEF INFORMATION OFFICER.

    (a) Definitions.--
            (1) In general.--Section 3601 of title 44, United States 
        Code, is amended--
                    (A) by striking paragraph (1); and
                    (B) by redesignating paragraphs (2) through (8) as 
                paragraphs (1) through (7), respectively.
            (2) Conforming amendments.--
                    (A) Title 10.--Section 2222(i)(6) of title 10, 
                United States Code, is amended by striking ``section 
                3601(4)'' and inserting ``section 3601''.
                    (B) National security act of 1947.--Section 
                506D(k)(1) of the National Security Act of 1947 (50 
                U.S.C. 3100(k)(1)) is amended by striking ``section 
                3601(4)'' and inserting ``section 3601''.
    (b) Office of Electronic Government.--Section 3602 of title 44, 
United States Code, is amended--
            (1) in the heading, by striking ``office of electronic 
        government'' and inserting ``office of the federal chief 
        information officer'';
            (2) in subsection (a), by striking ``Office of Electronic 
        Government'' and inserting ``Office of the Federal Chief 
        Information Officer'';
            (3) in subsection (b), by striking ``an Administrator'' and 
        inserting ``a Federal Chief Information Officer'';
            (4) in subsection (c), in the matter preceding paragraph 
        (1), by striking ``The Administrator'' and inserting ``The 
        Federal Chief Information Officer'';
            (5) in subsection (d), in the matter preceding paragraph 
        (1), by striking ``The Administrator'' and inserting ``The 
        Federal Chief Information Officer'';
            (6) in subsection (e), in the matter preceding paragraph 
        (1), by striking ``The Administrator'' and inserting ``The 
        Federal Chief Information Officer'';
            (7) in subsection (f)--
                    (A) in the matter preceding paragraph (1), by 
                striking ``the Administrator'' and inserting ``the 
                Federal Chief Information Officer'';
                    (B) in paragraph (16), by striking ``the Office of 
                Electronic Government'' and inserting ``the Office of 
                the Federal Chief Information Officer''; and
                    (C) in paragraph (17), by striking ``E-Government'' 
                and inserting ``annual''; and
            (8) in subsection (g), by striking ``the Office of 
        Electronic Government'' and inserting ``the Office of the 
        Federal Chief Information Officer''.
    (c) Chief Information Officers Council.--Section 3603 of title 44, 
United States Code, is amended--
            (1) in subsection (b)(2), by striking ``The Administrator 
        of the Office of Electronic Government'' and inserting ``The 
        Federal Chief Information Officer'';
            (2) in subsection (c)(1), by striking ``The Administrator 
        of the Office of Electronic Government'' and inserting ``The 
        Federal Chief Information Officer''; and
            (3) in subsection (f)--
                    (A) in paragraph (3), by striking ``the 
                Administrator'' and inserting ``the Federal Chief 
                Information Officer''; and
                    (B) in paragraph (5), by striking ``the 
                Administrator'' and inserting ``the Federal Chief 
                Information Officer''.
    (d) E-Government Fund.--Section 3604 of title 44, United States 
Code, is amended--
            (1) in subsection (a)(2), by striking ``the Administrator 
        of the Office of Electronic Government'' and inserting ``the 
        Federal Chief Information Officer'';
            (2) in subsection (b), by striking ``Administrator'' each 
        place it appears and inserting ``Federal Chief Information 
        Officer''; and
            (3) in subsection (c), in the matter preceding paragraph 
        (1), by striking ``the Administrator'' and inserting ``the 
        Federal Chief Information Officer''.
    (e) Program to Encourage Innovative Solutions to Enhance Electronic 
Government Services and Processes.--Section 3605 of title 44, United 
States Code, is amended--
            (1) in subsection (a), by striking ``The Administrator'' 
        and inserting ``The Federal Chief Information Officer'';
            (2) in subsection (b), by striking ``, the Administrator,'' 
        and inserting ``, the Federal Chief Information Officer,''; and
            (3) in subsection (c)--
                    (A) in paragraph (1)--
                            (i) by striking ``The Administrator'' and 
                        inserting ``The Federal Chief Information 
                        Officer''; and
                            (ii) by striking ``proposals submitted to 
                        the Administrator'' and inserting ``proposals 
                        submitted to the Federal Chief Information 
                        Officer'';
                    (B) in paragraph (2)(B), by striking ``the 
                Administrator'' and inserting ``the Federal Chief 
                Information Officer''; and
                    (C) in paragraph (4), by striking ``the 
                Administrator'' and inserting ``the Federal Chief 
                Information Officer''.
    (f) E-Government Report.--Section 3606 of title 44, United States 
Code, is amended--
            (1) in the section heading by striking ``E-Government'' and 
        inserting ``Annual'';
            (2) in subsection (a), by striking ``E-Government'' and 
        inserting ``annual''; and
            (3) in subsection (b)(1), by striking ``202(f)'' and 
        inserting ``202(g)''.
    (g) Treatment of Incumbent.--The individual serving as the 
Administrator of the Office of Electronic Government under section 3602 
of title 44, United States Code, as of the date of the enactment of 
this Act, may continue to serve as the Federal Chief Information 
Officer commencing as of that date, without need for a further or 
additional appointment under such section.
    (h) Technical and Conforming Amendments.--The table of sections for 
chapter 36 of title 44, United States Code, is amended--
            (1) by striking the item relating to section 3602 and 
        inserting the following:

``3602. Office of the Federal Chief Information Officer.''; and
            (2) in the item relating to section 3606, by striking ``E-
        Government'' and inserting ``Annual''.
    (i) References.--
            (1) Administrator.--Any reference to the Administrator of 
        the Office of Electronic Government in any law, regulation, 
        map, document, record, or other paper of the United States 
        shall be deemed to be a reference to the Federal Chief 
        Information Officer.
            (2) Office of electronic government.--Any reference to the 
        Office of Electronic Government in any law, regulation, map, 
        document, record, or other paper of the United States shall be 
        deemed to be a reference to the Office of the Federal Chief 
        Information Officer.

SEC. 121. RULES OF CONSTRUCTION.

    (a) Agency Actions.--Nothing in this title, or an amendment made by 
this title, shall be construed to authorize the head of an agency to 
take an action that is not authorized by this title, an amendment made 
by this title, or existing law.
    (b) Protection of Rights.--Nothing in this title, or an amendment 
made by this title, shall be construed to permit the violation of the 
rights of any individual protected by the Constitution of the United 
States, including through censorship of speech protected by the 
Constitution of the United States or unauthorized surveillance.
    (c) Protection of Privacy.--Nothing in this title, or an amendment 
made by this title, shall be construed to--
            (1) impinge on the privacy rights of individuals; or
            (2) allow the unauthorized access, sharing, or use of 
        personal data.

         TITLE II--RURAL HOSPITAL CYBERSECURITY ENHANCEMENT ACT

SEC. 201. SHORT TITLE.

    This title may be cited as the ``Rural Hospital Cybersecurity 
Enhancement Act''.

SEC. 202. DEFINITIONS.

    In this title:
            (1) Agency.--The term ``agency'' has the meaning given the 
        term in section 551 of title 5, United States Code.
            (2) Appropriate committees of congress.--The term 
        ``appropriate committees of Congress'' means--
                    (A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate; and
                    (B) the Committee on Homeland Security of the House 
                of Representatives.
            (3) Director.--The term ``Director'' means the Director of 
        the Cybersecurity and Infrastructure Security Agency.
            (4) Geographic division.--The term ``geographic division'' 
        means a geographic division that is among the 9 geographic 
        divisions determined by the Bureau of the Census.
            (5) Rural hospital.--The term ``rural hospital'' means a 
        healthcare facility that--
                    (A) is located in a non-urbanized area, as 
                determined by the Bureau of the Census; and
                    (B) provides inpatient and outpatient healthcare 
                services, including primary care, emergency care, and 
                diagnostic services.
            (6) Secretary.--The term ``Secretary'' means the Secretary 
        of Homeland Security.

SEC. 203. RURAL HOSPITAL CYBERSECURITY WORKFORCE DEVELOPMENT STRATEGY.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, the Secretary, acting through the Director, shall develop 
and transmit to the appropriate committees of Congress a comprehensive 
rural hospital cybersecurity workforce development strategy to address 
the growing need for skilled cybersecurity professionals in rural 
hospitals.
    (b) Consultation.--
            (1) Agencies.--In carrying out subsection (a), the 
        Secretary and Director may consult with the Secretary of Health 
        and Human Services, the Secretary of Education, the Secretary 
        of Labor, and any other appropriate head of an agency.
            (2) Providers.--In carrying out subsection (a), the 
        Secretary shall consult with not less than 2 representatives of 
        rural healthcare providers from each geographic division in the 
        United States.
    (c) Considerations.--The rural hospital cybersecurity workforce 
development strategy developed under subsection (a) shall, at a 
minimum, consider the following components:
            (1) Partnerships between rural hospitals, non-rural 
        healthcare systems, educational institutions, private sector 
        entities, and nonprofit organizations to develop, promote, and 
        expand the rural hospital cybersecurity workforce, including 
        through education and training programs tailored to the needs 
        of rural hospitals.
            (2) The development of a cybersecurity curriculum and 
        teaching resources that focus on teaching technical skills and 
        abilities related to cybersecurity in rural hospitals for use 
        in community colleges, vocational schools, and other 
        educational institutions located in rural areas.
            (3) Identification of--
                    (A) cybersecurity workforce challenges that are 
                specific to rural hospitals, as well as challenges that 
                are relative to hospitals generally; and
                    (B) common practices to mitigate both sets of 
                challenges described in subparagraph (A).
            (4) Recommendations for legislation, rulemaking, or 
        guidance to implement the components of the rural hospital 
        cybersecurity workforce development strategy.
    (d) Annual Briefing.--Not later than 60 days after the date on 
which the first full fiscal year ends following the date on which the 
Secretary transmits the rural hospital cybersecurity workforce 
development strategy developed under subsection (a), and not later than 
60 days after the date on which each fiscal year thereafter ends, the 
Secretary shall provide a briefing to the appropriate committees of 
Congress that includes, at a minimum, information relating to--
            (1) updates to the rural hospital cybersecurity workforce 
        development strategy, as appropriate;
            (2) any programs or initiatives established pursuant to the 
        rural hospital cybersecurity workforce development strategy, as 
        well as the number of individuals trained or educated through 
        such programs or initiatives;
            (3) additional recommendations for legislation, rulemaking, 
        or guidance to implement the components of the rural hospital 
        cybersecurity workforce development strategy; and
            (4) the effectiveness of the rural hospital cybersecurity 
        workforce development strategy in addressing the need for 
        skilled cybersecurity professionals in rural hospitals.

SEC. 204. INSTRUCTIONAL MATERIALS FOR RURAL HOSPITALS.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, the Director shall make available instructional materials 
for rural hospitals that can be used to train staff on fundamental 
cybersecurity efforts.
    (b) Duties.--In carrying out subsection (a), the Director shall--
            (1) consult with appropriate heads of agencies, experts in 
        cybersecurity education, and rural healthcare experts;
            (2) identify existing cybersecurity instructional materials 
        that can be adapted for use in rural hospitals and create new 
        materials as needed; and
            (3) conduct an awareness campaign to promote the materials 
        available to rural hospitals developed under subsection (a).

SEC. 205. NO ADDITIONAL FUNDS.

    No additional funds are authorized to be appropriated for the 
purpose of carrying out this title.