[Congressional Record Volume 168, Number 37 (Tuesday, March 1, 2022)]
[Senate]
[Page S890]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

  SA 4954. Mr. PETERS (for Mr. Wicker) proposed an amendment to the 
bill S. 3600, to improve the cybersecurity of the Federal Government, 
and for other purposes; as follows:

       On page 18, strike line 10 and insert the following:
     ``agency.
       ``(o) Review of Office of Management and Budget Guidance 
     and Policy.--
       ``(1) Review.--
       ``(A) In general.--Not less frequently than once every 3 
     years, the Director, in consultation with the Chief 
     Information Officers Council, the Director of the 
     Cybersecurity and Infrastructure Security Agency, the 
     National Cyber Director, the Comptroller General of the 
     United States, and the Council of the Inspectors General on 
     Integrity and Efficiency, shall--
       ``(i) review the efficacy of the guidance and policy 
     developed by the Director under subsection (a)(1) in reducing 
     cybersecurity risks, including an assessment of the 
     requirements for agencies to report information to the 
     Director; and
       ``(ii) determine whether any changes to the guidance or 
     policy developed under subsection (a)(1) is appropriate.
       ``(B) Considerations.--In conducting the review required 
     under subparagraph (A), the Director shall consider--
       ``(i) the Federal risk assessments performed under 
     subsection (i);
       ``(ii) the cumulative reporting and compliance burden to 
     agencies; and
       ``(iii) the clarity of the requirements and deadlines 
     contained in guidance and policy documents.
       ``(2) Updated guidance.--Not later than 90 days after the 
     date on which a review is completed under paragraph (1), the 
     Director shall issue updated guidance or policy to agencies 
     determined appropriate by the Director, based on the results 
     of the review.
       ``(3) Public report.--Not later than 30 days after the date 
     on which the Director completes a review under paragraph (1), 
     the Director shall make publicly available a report that 
     includes--
       ``(A) an overview of the guidance and policy developed 
     under subsection (a)(1) that is in effect;
       ``(B) the cybersecurity risk mitigation, or other 
     cybersecurity benefit, offered by each guidance or policy 
     described in subparagraph (A);
       ``(C) a summary of the guidance or policy developed under 
     subsection (a)(1) to which changes were determined 
     appropriate during the review; and
       ``(D) the changes that are anticipated to be included in 
     the updated guidance or policy issued under paragraph (2).
       ``(4) Congressional briefing.--Not later than 60 days after 
     the date on which a review is completed under paragraph (1), 
     the Director shall provide to the Committee on Homeland 
     Security and Governmental Affairs of the Senate and the 
     Committee on Oversight and Reform of the House of 
     Representatives a briefing on the review.
       ``(p) Automated Standard Implementation Verification.--When 
     the Director of the National Institute of Standards and 
     Technology issues a proposed standard pursuant to paragraphs 
     (2) or (3) of section 20(a) of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3(a)), the 
     Director of the National Institute of Standards and 
     Technology shall consider developing and, if appropriate and 
     practical, develop, in consultation with the Director of the 
     Cybersecurity and Infrastructure Security Agency, 
     specifications to enable the automated verification of the 
     implementation of the controls within the standard.'';
       On page 26, line 15, strike ``considering--'' and all that 
     follows through ``and'' on line 23 and insert ``considering 
     the agency risk assessment performed under subsection 
     (a)(1)(A); and''.
       On page 74, strike line 10 and all that follows through 
     page 80, line 19.
       On page 99, line 17, strike ``the use of--'' and all that 
     follows through ``additional'' on line 21 and insert ``the 
     use of additional''.
                                 ______