[Congressional Record Volume 168, Number 37 (Tuesday, March 1, 2022)]
[Senate]
[Page S890]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

  SA 4953. Mr. PETERS (for himself and Mr. Portman) proposed an 
amendment to the bill S. 3600, to improve the cybersecurity of the 
Federal Government, and for other purposes; as follows:

       At the end of title I, add the following:

     SEC. 123. FEDERAL CYBERSECURITY REQUIREMENTS.

       (a) Exemption From Federal Requirements.--Section 225(b)(2) 
     of the Federal Cybersecurity Enhancement Act of 2015 (6 
     U.S.C. 1523(b)(2)) is amended to read as follows:
       ``(2) Exception.--
       ``(A) In general.--A particular requirement under paragraph 
     (1) shall not apply to an agency information system of an 
     agency if--
       ``(i) with respect to the agency information system, the 
     head of the agency submits to the Director an application for 
     an exemption from the particular requirement, in which the 
     head of the agency personally certifies to the Director with 
     particularity that--

       ``(I) operational requirements articulated in the 
     certification and related to the agency information system 
     would make it excessively burdensome to implement the 
     particular requirement;
       ``(II) the particular requirement is not necessary to 
     secure the agency information system or agency information 
     stored on or transiting the agency information system; and
       ``(III) the agency has taken all necessary steps to secure 
     the agency information system and agency information stored 
     on or transiting the agency information system;

       ``(ii) the head of the agency or the designee of the head 
     of the agency has submitted the certification described in 
     clause (i) to the appropriate congressional committees and 
     any other congressional committee with jurisdiction over the 
     agency; and
       ``(iii) the Director grants the exemption from the 
     particular requirement.
       ``(B) Duration of exemption.--
       ``(i) In general.--An exemption granted under subparagraph 
     (A) shall expire on the date that is 1 year after the date on 
     which the Director granted the exemption.
       ``(ii) Renewal.--Upon the expiration of an exemption 
     granted to an agency under subparagraph (A), the head of the 
     agency may apply for an additional exemption.''.
       (b) Report on Exemptions.--Section 3554(c)(1) of title 44, 
     United States Code, as amended by section 103(c) of this 
     title, is amended--
       (1) in subparagraph (C), by striking ``and'' at the end;
       (2) in subparagraph (D), by striking the period at the end 
     and inserting ``; and''; and
       (3) by adding at the end the following:
       ``(E) with respect to any exemption the Director of the 
     Office of Management and Budget has granted the agency under 
     section 225(b)(2) of the Federal Cybersecurity Enhancement 
     Act of 2015 (6 U.S.C. 1523(b)(2)) that is effective on the 
     date of submission of the report--
       ``(i) an identification of each particular requirement from 
     which any agency information system (as defined in section 
     2210 of the Homeland Security Act of 2002 (6 U.S.C. 660)) is 
     exempted; and
       ``(ii) for each requirement identified under clause (i)--

       ``(I) an identification of the agency information system 
     described in clause (i) exempted from the requirement; and
       ``(II) an estimate of the date on which the agency will to 
     be able to comply with the requirement.''.

       (c) Effective Date.--The amendments made by this section 
     shall take effect on the date that is 1 year after the date 
     of enactment of this Act.
                                 ______