[Congressional Record Volume 168, Number 37 (Tuesday, March 1, 2022)]
[Senate]
[Pages S896-S919]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




            STRENGTHENING AMERICAN CYBERSECURITY ACT OF 2022

  Mr. SCHUMER. Mr. President, now, on something that is very important 
to this country, Senator Peters, in a minute, will move to pass the 
Strengthening American Cybersecurity Act.
  As we all know, protecting America--our government, our businesses, 
our utilities, and so many of our entities--from cyber attack has been 
very, very important over the last decade. It becomes even more 
important now. As the war in Ukraine goes on and as Putin mounts his 
illegal, immoral, and unprovoked attack, he is escalating cyber attacks 
on democracies around the world. So, as the need to protect this 
country from cyber attack is always very, very, very important, it has 
assumed even greater importance now with Putin's fighting in Ukraine 
and threatening cyber attacks throughout the world.
  Today, the Senate is taking an urgently needed step to protect the 
American people, American critical infrastructure, and American 
Government institutions from the dangerous threat of cyber attacks. The 
most important part of this provision will require our companies--our 
individual businesses--to report cyber attacks when they occur.
  There has been a reluctance on the part of many in the business 
community to want to do this because it may expose them to other kinds 
of harm, and maybe the public will not want to be involved in these 
businesses, but the importance of the reporting is vital. When our 
authorities in the government know of the attacks, they can prepare 
against future attacks. They will know who is attacking, where they are 
attacking, and how they are attacking. That will allow them to 
strengthen our defenses against future cyber attacks. So this knowledge 
of cyber attacks, caused by foreign entities or domestic entities, is 
vital as America seeks to protect itself.
  This legislation has been around for a while. For too long, certain 
business interests opposed it, but now they have come to see the light, 
and, in fact, we have a bipartisan agreement--unanimous in this 
Chamber--that this bill move forward. That is very important for 
America's security. It is more important than it ever has been. Cyber 
warfare is truly one of the dark arts--specialized by Putin and his 
authoritarian regime--and this bill will help to protect us from 
Putin's attempted cyber attacks against our country.
  Last year, I asked Chairman Peters and other relevant committee 
chairs to draft legislation to counter the increased threat, and 
Senator Peters has done an outstanding job. I want to commend him and 
Senator Portman and so many others--Senator Warner among them--for 
being heavily involved in this issue.
  Tonight, we will pass legislation by unanimous consent. When this 
legislation passes and is signed into law, America will be a safer 
place from one of the greatest scourges we worry about--cyber attack. I 
am glad we are doing this, and I am glad both sides have agreed.
  I yield to Senator Peters, who, as I said, as chair of the HSGAC 
Committee, has done a terrific job in shepherding this legislation 
through the Senate.
  The PRESIDING OFFICER. The Senator from Michigan.
  Mr. PETERS. Mr. President, I ask unanimous consent that the Senate 
proceed to the immediate consideration of Calendar No. 265, S. 3600.
  The PRESIDING OFFICER. The clerk will report the bill by title.
  The senior assistant legislative clerk read as follows:

       A bill (S. 3600) to improve the cybersecurity of the 
     Federal Government, and for other purposes.

  There being no objection, the Senate proceeded to consider the bill.
  Mr. PETERS. Mr. President, I ask unanimous consent that the Wicker 
and Peters amendments, which are at the desk, be considered and agreed 
to; that the bill, as amended, be considered read a third time and 
passed; and that the motion to reconsider be considered made and laid 
upon the table.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  The amendment (No. 4954) was agreed to, as follows:

                     (Purpose: To improve the bill)

       On page 18, strike line 10 and insert the following:
     ``agency.
       ``(o) Review of Office of Management and Budget Guidance 
     and Policy.--
       ``(1) Review.--
       ``(A) In general.--Not less frequently than once every 3 
     years, the Director, in consultation with the Chief 
     Information Officers Council, the Director of the 
     Cybersecurity and Infrastructure Security Agency, the 
     National Cyber Director, the Comptroller General of the 
     United States, and the Council of the Inspectors General on 
     Integrity and Efficiency, shall--
       ``(i) review the efficacy of the guidance and policy 
     developed by the Director under subsection (a)(1) in reducing 
     cybersecurity risks, including an assessment of the 
     requirements for agencies to report information to the 
     Director; and
       ``(ii) determine whether any changes to the guidance or 
     policy developed under subsection (a)(1) are appropriate.
       ``(B) Considerations.--In conducting the review required 
     under subparagraph (A), the Director shall consider--
       ``(i) the Federal risk assessments performed under 
     subsection (i);
       ``(ii) the cumulative reporting and compliance burden to 
     agencies; and
       ``(iii) the clarity of the requirements and deadlines 
     contained in guidance and policy documents.
       ``(2) Updated guidance.--Not later than 90 days after the 
     date on which a review is completed under paragraph (1), the 
     Director shall issue updated guidance or policy to agencies 
     determined appropriate by the Director, based on the results 
     of the review.
       ``(3) Public report.--Not later than 30 days after the date 
     on which the Director completes a review under paragraph (1), 
     the Director shall make publicly available a report that 
     includes--
       ``(A) an overview of the guidance and policy developed 
     under subsection (a)(1) that is in effect;
       ``(B) the cybersecurity risk mitigation, or other 
     cybersecurity benefit, offered by each guidance or policy 
     described in subparagraph (A);
       ``(C) a summary of the guidance or policy developed under 
     subsection (a)(1) to which changes were determined 
     appropriate during the review; and
       ``(D) the changes that are anticipated to be included in 
     the updated guidance or policy issued under paragraph (2).
       ``(4) Congressional briefing.--Not later than 60 days after 
     the date on which a review is completed under paragraph (1), 
     the Director shall provide to the Committee on Homeland 
     Security and Governmental Affairs of the Senate and the 
     Committee on Oversight and Reform of the House of 
     Representatives a briefing on the review.
       ``(p) Automated Standard Implementation Verification.--When 
     the Director of the National Institute of Standards and 
     Technology issues a proposed standard pursuant to paragraphs 
     (2) or (3) of section 20(a) of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3(a)), the 
     Director of the National Institute of Standards and 
     Technology shall consider developing and, if appropriate and 
     practical, develop, in consultation with the Director of the 
     Cybersecurity and Infrastructure Security Agency, 
     specifications to enable the automated verification of the 
     implementation of the controls within the standard.'';
       On page 26, line 15, strike ``considering--'' and all that 
     follows through ``and'' on line 23 and insert ``considering 
     the agency risk assessment performed under subsection 
     (a)(1)(A); and''.
       On page 74, strike line 10 and all that follows through 
     page 80, line 19.
       On page 99, line 17, strike ``the use of--'' and all that 
     follows through ``additional'' on line 21 and insert ``the 
     use of additional''.

  The amendment (No. 4953) was agreed to, as follows:

(Purpose: To amend the Federal Cybersecurity Enhancement Act of 2015 to 
      require Federal agencies to obtain exemptions from certain 
  cybersecurity requirements in order to avoid compliance with those 
                             requirements)

       At the end of title I, add the following:

     SEC. 123. FEDERAL CYBERSECURITY REQUIREMENTS.

       (a) Exemption From Federal Requirements.--Section 225(b)(2) 
     of the Federal Cybersecurity Enhancement Act of 2015 (6 
     U.S.C. 1523(b)(2)) is amended to read as follows:
       ``(2) Exception.--
       ``(A) In general.--A particular requirement under paragraph 
     (1) shall not apply to an agency information system of an 
     agency if--
       ``(i) with respect to the agency information system, the 
     head of the agency submits to the Director an application for 
     an exemption from the particular requirement, in which the 
     head of the agency personally certifies to the Director with 
     particularity that--

       ``(I) operational requirements articulated in the 
     certification and related to the agency information system 
     would make it excessively burdensome to implement the 
     particular requirement;
       ``(II) the particular requirement is not necessary to 
     secure the agency information system or agency information 
     stored on or transiting the agency information system; and
       ``(III) the agency has taken all necessary steps to secure 
     the agency information system and agency information stored 
     on or transiting the agency information system;

       ``(ii) the head of the agency or the designee of the head 
     of the agency has submitted the certification described in 
     clause (i) to the appropriate congressional committees and 
     any other congressional committee with jurisdiction over the 
     agency; and
       ``(iii) the Director grants the exemption from the 
     particular requirement.
       ``(B) Duration of exemption.--
       ``(i) In general.--An exemption granted under subparagraph 
     (A) shall expire on the date that is 1 year after the date on 
     which the Director granted the exemption.
       ``(ii) Renewal.--Upon the expiration of an exemption 
     granted to an agency under subparagraph (A), the head of the 
     agency may apply for an additional exemption.''.
       (b) Report on Exemptions.--Section 3554(c)(1) of title 44, 
     United States Code, as amended by section 103(c) of this 
     title, is amended--
       (1) in subparagraph (C), by striking ``and'' at the end;
       (2) in subparagraph (D), by striking the period at the end 
     and inserting ``; and''; and
       (3) by adding at the end the following:
       ``(E) with respect to any exemption the Director of the 
     Office of Management and Budget has granted the agency under 
     section 225(b)(2) of the Federal Cybersecurity Enhancement 
     Act of 2015 (6 U.S.C. 1523(b)(2)) that is effective on the 
     date of submission of the report--
       ``(i) an identification of each particular requirement from 
     which any agency information system (as defined in section 
     2210 of the Homeland Security Act of 2002 (6 U.S.C. 660)) is 
     exempted; and
       ``(ii) for each requirement identified under clause (i)--

       ``(I) an identification of the agency information system 
     described in clause (i) exempted from the requirement; and
       ``(II) an estimate of the date on which the agency will 
     be able to comply with the requirement.''.

       (c) Effective Date.--The amendments made by this section 
     shall take effect on the date that is 1 year after the date 
     of enactment of this Act.

  The bill (S. 3600), as amended, was ordered to be engrossed for a 
third reading, was read the third time, and passed as follows:

                                S. 3600

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Strengthening American 
     Cybersecurity Act of 2022''.

     SEC. 2. TABLE OF CONTENTS.

       The table of contents for this Act is as follows:

Sec. 1. Short title.
Sec. 2. Table of contents.

    TITLE I--FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2022

Sec. 101. Short title.
Sec. 102. Definitions.
Sec. 103. Title 44 amendments.
Sec. 104. Amendments to subtitle III of title 40.
Sec. 105. Actions to enhance Federal incident transparency.
Sec. 106. Additional guidance to agencies on FISMA updates.
Sec. 107. Agency requirements to notify private sector entities 
              impacted by incidents.
Sec. 108. Mobile security standards.
Sec. 109. Data and logging retention for incident response.
Sec. 110. CISA agency advisors.
Sec. 111. Federal penetration testing policy.
Sec. 112. Ongoing threat hunting program.
Sec. 113. Codifying vulnerability disclosure programs.
Sec. 114. Implementing zero trust architecture.
Sec. 115. Automation reports.
Sec. 116. Extension of Federal acquisition security council and 
              software inventory.
Sec. 117. Council of the Inspectors General on Integrity and Efficiency 
              dashboard.
Sec. 118. Quantitative cybersecurity metrics.
Sec. 119. Establishment of risk-based budget model.
Sec. 120. Active cyber defensive study.
Sec. 121. Security operations center as a service pilot.
Sec. 122. Extension of Chief Data Officer Council.
Sec. 123. Federal cybersecurity requirements.

 TITLE II--CYBER INCIDENT REPORTING FOR CRITICAL INFRASTRUCTURE ACT OF 
                                  2022

Sec. 201. Short title.
Sec. 202. Definitions.
Sec. 203. Cyber incident reporting.
Sec. 204. Federal sharing of incident reports.
Sec. 205. Ransomware vulnerability warning pilot program.
Sec. 206. Ransomware threat mitigation activities.
Sec. 207. Congressional reporting.

    TITLE III--FEDERAL SECURE CLOUD IMPROVEMENT AND JOBS ACT OF 2022

Sec. 301. Short title.
Sec. 302. Findings.
Sec. 303. Title 44 amendments.

    TITLE I--FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2022

     SEC. 101. SHORT TITLE.

       This title may be cited as the ``Federal Information 
     Security Modernization Act of 2022''.

     SEC. 102. DEFINITIONS.

       In this title, unless otherwise specified:
       (1) Additional cybersecurity procedure.--The term 
     ``additional cybersecurity procedure'' has the meaning given 
     the term in section 3552(b) of title 44, United States Code, 
     as amended by this title.
       (2) Agency.--The term ``agency'' has the meaning given the 
     term in section 3502 of title 44, United States Code.
       (3) Appropriate congressional committees.--The term 
     ``appropriate congressional committees'' means--
       (A) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       (B) the Committee on Oversight and Reform of the House of 
     Representatives; and
       (C) the Committee on Homeland Security of the House of 
     Representatives.
       (4) Director.--The term ``Director'' means the Director of 
     the Office of Management and Budget.
       (5) Incident.--The term ``incident'' has the meaning given 
     the term in section 3552(b) of title 44, United States Code.
       (6) National security system.--The term ``national security 
     system'' has the meaning given the term in section 3552(b) of 
     title 44, United States Code.
       (7) Penetration test.--The term ``penetration test'' has 
     the meaning given the term in section 3552(b) of title 44, 
     United States Code, as amended by this title.
       (8) Threat hunting.--The term ``threat hunting'' means 
     proactively and iteratively searching systems for threats 
     that evade detection by automated threat detection systems.

     SEC. 103. TITLE 44 AMENDMENTS.

       (a) Subchapter I Amendments.--Subchapter I of chapter 35 of 
     title 44, United States Code, is amended--
       (1) in section 3504--
       (A) in subsection (a)(1)(B)--
       (i) by striking clause (v) and inserting the following:
       ``(v) confidentiality, privacy, disclosure, and sharing of 
     information;'';
       (ii) by redesignating clause (vi) as clause (vii); and
       (iii) by inserting after clause (v) the following:
       ``(vi) in consultation with the National Cyber Director, 
     security of information; and''; and
       (B) in subsection (g), by striking paragraph (1) and 
     inserting the following:
       ``(1) develop and oversee the implementation of policies, 
     principles, standards, and guidelines on privacy, 
     confidentiality, disclosure, and sharing, and in consultation 
     with the National Cyber Director, oversee the implementation 
     of policies, principles, standards, and guidelines on 
     security, of information collected or maintained by or for 
     agencies; and'';
       (2) in section 3505--
       (A) by striking the first subsection designated as 
     subsection (c);
       (B) in paragraph (2) of the second subsection designated as 
     subsection (c), by inserting ``an identification of internet 
     accessible information systems and'' after ``an inventory 
     under this subsection shall include'';
       (C) in paragraph (3) of the second subsection designated as 
     subsection (c)--
       (i) in subparagraph (B)--

       (I) by inserting ``the Director of the Cybersecurity and 
     Infrastructure Security Agency, the National Cyber Director, 
     and'' before ``the Comptroller General''; and
       (II) by striking ``and'' at the end;

       (ii) in subparagraph (C)(v), by striking the period at the 
     end and inserting ``; and''; and
       (iii) by adding at the end the following:
       ``(D) maintained on a continual basis through the use of 
     automation, machine-readable data, and scanning, wherever 
     practicable.'';
       (3) in section 3506--
       (A) in subsection (a)(3), by inserting ``In carrying out 
     these duties, the Chief Information Officer shall coordinate, 
     as appropriate, with the Chief Data Officer in accordance 
     with the designated functions under section 3520(c).'' after 
     ``reduction of information collection burdens on the 
     public.'';
       (B) in subsection (b)(1)(C), by inserting ``, 
     availability'' after ``integrity''; and
       (C) in subsection (h)(3), by inserting ``security,'' after 
     ``efficiency,''; and
       (4) in section 3513--
       (A) by redesignating subsection (c) as subsection (d); and
       (B) by inserting after subsection (b) the following:
       ``(c) Each agency providing a written plan under subsection 
     (b) shall provide any portion of the written plan addressing 
     information security to the Secretary of the Department of 
     Homeland Security and the National Cyber Director.''.
       (b) Subchapter II Definitions.--
       (1) In general.--Section 3552(b) of title 44, United States 
     Code, is amended--
       (A) by redesignating paragraphs (1), (2), (3), (4), (5), 
     (6), and (7) as paragraphs (2), (4), (5), (6), (7), (9), and 
     (11), respectively;
       (B) by inserting before paragraph (2), as so redesignated, 
     the following:
       ``(1) The term `additional cybersecurity procedure' means a 
     process, procedure, or other activity that is established in 
     excess of the information security standards promulgated 
     under section 11331(b) of title 40 to increase the security 
     and reduce the cybersecurity risk of agency systems.'';
       (C) by inserting after paragraph (2), as so redesignated, 
     the following:
       ``(3) The term `high value asset' means information or an 
     information system that the head of an agency, using 
     policies, principles, standards, or guidelines issued by the 
     Director under section 3553(a), determines to be so critical 
     to the agency that the loss or corruption of the information 
     or the loss of access to the information system would have a 
     serious impact on the ability of the agency to perform the 
     mission of the agency or conduct business.'';
       (D) by inserting after paragraph (7), as so redesignated, 
     the following:
       ``(8) The term `major incident' has the meaning given the 
     term in guidance issued by the Director under section 
     3598(a).'';
       (E) by inserting after paragraph (9), as so redesignated, 
     the following:
       ``(10) The term `penetration test'--
       ``(A) means an authorized assessment that emulates attempts 
     to gain unauthorized access to, or disrupt the operations of, 
     an information system or component of an information system; 
     and
       ``(B) includes any additional meaning given the term in 
     policies, principles, standards, or guidelines issued by the 
     Director under section 3553(a).''; and
       (F) by inserting after paragraph (11), as so redesignated, 
     the following:
       ``(12) The term `shared service' means a centralized 
     business or mission capability that is provided to multiple 
     organizations within an agency or to multiple agencies.''.
       (2) Conforming amendments.--
       (A) Homeland security act of 2002.--Section 1001(c)(1)(A) 
     of the Homeland Security Act of 2002 (6 U.S.C. 511(1)(A)) is 
     amended by striking ``section 3552(b)(5)'' and inserting 
     ``section 3552(b)''.
       (B) Title 10.--
       (i) Section 2222.--Section 2222(i)(8) of title 10, United 
     States Code, is amended by striking ``section 3552(b)(6)(A)'' 
     and inserting ``section 3552(b)(9)(A)''.
       (ii) Section 2223.--Section 2223(c)(3) of title 10, United 
     States Code, is amended by striking ``section 3552(b)(6)'' 
     and inserting ``section 3552(b)''.
       (iii) Section 2315.--Section 2315 of title 10, United 
     States Code, is amended by striking ``section 3552(b)(6)'' 
     and inserting ``section 3552(b)''.
       (iv) Section 2339a.--Section 2339a(e)(5) of title 10, 
     United States Code, is amended by striking ``section 
     3552(b)(6)'' and inserting ``section 3552(b)''.
       (C) High-performance computing act of 1991.--Section 207(a) 
     of the High-Performance Computing Act of 1991 (15 U.S.C. 
     5527(a)) is amended by striking ``section 3552(b)(6)(A)(i)'' 
     and inserting ``section 3552(b)(9)(A)(i)''.
       (D) Internet of things cybersecurity improvement act of 
     2020.--Section 3(5) of the Internet of Things Cybersecurity 
     Improvement Act of 2020 (15 U.S.C. 278g-3a) is amended by 
     striking ``section 3552(b)(6)'' and inserting ``section 
     3552(b)''.
       (E) National defense authorization act for fiscal year 
     2013.--Section 933(e)(1)(B) of the National Defense 
     Authorization Act for Fiscal Year 2013 (10 U.S.C. 2224 note) 
     is amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552(b)''.
       (F) Ike skelton national defense authorization act for 
     fiscal year 2011.--The Ike Skelton National Defense 
     Authorization Act for Fiscal Year 2011 (Public Law 111-383) 
     is amended--
       (i) in section 806(e)(5) (10 U.S.C. 2304 note), by striking 
     ``section 3542(b)'' and inserting ``section 3552(b)'';
       (ii) in section 931(b)(3) (10 U.S.C. 2223 note), by 
     striking ``section 3542(b)(2)'' and inserting ``section 
     3552(b)''; and
       (iii) in section 932(b)(2) (10 U.S.C. 2224 note), by 
     striking ``section 3542(b)(2)'' and inserting ``section 
     3552(b)''.
       (G) E-government act of 2002.--Section 301(c)(1)(A) of the 
     E-Government Act of 2002 (44 U.S.C. 3501 note) is amended by 
     striking ``section 3542(b)(2)'' and inserting ``section 
     3552(b)''.
       (H) National institute of standards and technology act.--
     Section 20 of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-3) is amended--
       (i) in subsection (a)(2), by striking ``section 
     3552(b)(5)'' and inserting ``section 3552(b)''; and
       (ii) in subsection (f)--

       (I) in paragraph (3), by striking ``section 3532(1)'' and 
     inserting ``section 3552(b)''; and
       (II) in paragraph (5), by striking ``section 3532(b)(2)'' 
     and inserting ``section 3552(b)''.

       (c) Subchapter II Amendments.--Subchapter II of chapter 35 
     of title 44, United States Code, is amended--
       (1) in section 3551--
       (A) in paragraph (4), by striking ``diagnose and improve'' 
     and inserting ``integrate, deliver, diagnose, and improve'';
       (B) in paragraph (5), by striking ``and'' at the end;
       (C) in paragraph (6), by striking the period at the end and 
     inserting a semicolon; and
       (D) by adding at the end the following:
       ``(7) recognize that each agency has specific mission 
     requirements and, at times, unique cybersecurity requirements 
     to meet the mission of the agency;
       ``(8) recognize that each agency does not have the same 
     resources to secure agency systems, and an agency should not 
     be expected to have the capability to secure the systems of 
     the agency from advanced adversaries alone; and
       ``(9) recognize that a holistic Federal cybersecurity model 
     is necessary to account for differences between the missions 
     and capabilities of agencies.'';
       (2) in section 3553--
       (A) in subsection (a)--
       (i) in paragraph (1), by inserting ``, in consultation with 
     the Secretary and the National Cyber Director,'' before 
     ``overseeing'';
       (ii) in paragraph (5), by striking ``and'' at the end; and
       (iii) by adding at the end the following:
       ``(8) promoting, in consultation with the Director of the 
     Cybersecurity and Infrastructure Security Agency, the 
     National Cyber Director, and the Director of the National 
     Institute of Standards and Technology--
       ``(A) the use of automation to improve Federal 
     cybersecurity and visibility with respect to the 
     implementation of Federal cybersecurity; and
       ``(B) the use of presumption of compromise and least 
     privilege principles to improve resiliency and timely 
     response actions to incidents on Federal systems.'';
       (B) in subsection (b)--
       (i) in the matter preceding paragraph (1), by inserting 
     ``and the National Cyber Director'' after ``Director''; and
       (ii) in paragraph (2)(A), by inserting ``and reporting 
     requirements under subchapter IV of this chapter'' after 
     ``section 3556''; and
       (C) in subsection (c)--
       (i) in the matter preceding paragraph (1)--

       (I) by striking ``each year'' and inserting ``each year 
     during which agencies are required to submit reports under 
     section 3554(c)''; and
       (II) by striking ``preceding year'' and inserting 
     ``preceding 2 years'';

       (ii) by striking paragraph (1);
       (iii) by redesignating paragraphs (2), (3), and (4) as 
     paragraphs (1), (2), and (3), respectively;
       (iv) in paragraph (3), as so redesignated, by striking 
     ``and'' at the end;
       (v) by inserting after paragraph (3), as so redesignated, 
     the following:
       ``(4) a summary of each assessment of Federal risk posture 
     performed under subsection (i);''; and
       (vi) in paragraph (5), by striking the period at the end 
     and inserting ``; and'';
       (D) by redesignating subsections (i), (j), (k), and (l) as 
     subsections (j), (k), (l), and (m) respectively;
       (E) by inserting after subsection (h) the following:
       ``(i) Federal Risk Assessments.--On an ongoing and 
     continuous basis, the Director of the Cybersecurity and 
     Infrastructure Security Agency shall perform assessments of 
     Federal risk posture using any available information on the 
     cybersecurity posture of agencies, and brief the Director and 
     National Cyber Director on the findings of those assessments 
     including--
       ``(1) the status of agency cybersecurity remedial actions 
     described in section 3554(b)(7);
       ``(2) any vulnerability information relating to the systems 
     of an agency that is known by the agency;
       ``(3) analysis of incident information under section 3597;
       ``(4) evaluation of penetration testing performed under 
     section 3559A;
       ``(5) evaluation of vulnerability disclosure program 
     information under section 3559B;
       ``(6) evaluation of agency threat hunting results;
       ``(7) evaluation of Federal and non-Federal cyber threat 
     intelligence;
       ``(8) data on agency compliance with standards issued under 
     section 11331 of title 40;
       ``(9) agency system risk assessments performed under 
     section 3554(a)(1)(A); and
       ``(10) any other information the Director of the 
     Cybersecurity and Infrastructure Security Agency determines 
     relevant.'';
       (F) in subsection (j), as so redesignated--
       (i) by striking ``regarding the specific'' and inserting 
     ``that includes a summary of--
       ``(1) the specific'';
       (ii) in paragraph (1), as so designated, by striking the 
     period at the end and inserting ``; and''; and
       (iii) by adding at the end the following:
       ``(2) the trends identified in the Federal risk assessment 
     performed under subsection (i).''; and
       (G) by adding at the end the following:
       ``(n) Binding Operational Directives.--If the Director of 
     the Cybersecurity and Infrastructure Security Agency issues a 
     binding operational directive or an emergency directive under 
     this section, not later than 4 days after the date on which 
     the binding operational directive requires an agency to take 
     an action, the Director of the Cybersecurity and 
     Infrastructure Security Agency shall provide to the Director, 
     National Cyber Director, the Committee on Homeland Security 
     and Governmental Affairs of the Senate and the Committee on 
     Oversight and Reform of the House of Representatives the 
     status of the implementation of the binding operational 
     directive at the agency.
       ``(o) Review of Office of Management and Budget Guidance 
     and Policy.--
       ``(1) Review.--
       ``(A) In general.--Not less frequently than once every 3 
     years, the Director, in consultation with the Chief 
     Information Officers Council, the Director of the 
     Cybersecurity and Infrastructure Security Agency, the 
     National Cyber Director, the Comptroller General of the 
     United States, and the Council of the Inspectors General on 
     Integrity and Efficiency, shall--
       ``(i) review the efficacy of the guidance and policy 
     developed by the Director under subsection (a)(1) in reducing 
     cybersecurity risks, including an assessment of the 
     requirements for agencies to report information to the 
     Director; and
       ``(ii) determine whether any changes to the guidance or 
     policy developed under subsection (a)(1) are appropriate.
       ``(B) Considerations.--In conducting the review required 
     under subparagraph (A), the Director shall consider--
       ``(i) the Federal risk assessments performed under 
     subsection (i);
       ``(ii) the cumulative reporting and compliance burden to 
     agencies; and
       ``(iii) the clarity of the requirements and deadlines 
     contained in guidance and policy documents.
       ``(2) Updated guidance.--Not later than 90 days after the 
     date on which a review is completed under paragraph (1), the 
     Director shall issue updated guidance or policy to agencies 
     determined appropriate by the Director, based on the results 
     of the review.
       ``(3) Public report.--Not later than 30 days after the date 
     on which the Director completes a review under paragraph (1), 
     the Director shall make publicly available a report that 
     includes--
       ``(A) an overview of the guidance and policy developed 
     under subsection (a)(1) that is in effect;
       ``(B) the cybersecurity risk mitigation, or other 
     cybersecurity benefit, offered by each guidance or policy 
     described in subparagraph (A);
       ``(C) a summary of the guidance or policy developed under 
     subsection (a)(1) to which changes were determined 
     appropriate during the review; and
       ``(D) the changes that are anticipated to be included in 
     the updated guidance or policy issued under paragraph (2).
       ``(4) Congressional briefing.--Not later than 60 days after 
     the date on which a review is completed under paragraph (1), 
     the Director shall provide to the Committee on Homeland 
     Security and Governmental Affairs of the Senate and the 
     Committee on Oversight and Reform of the House of 
     Representatives a briefing on the review.
       ``(p) Automated Standard Implementation Verification.--When 
     the Director of the National Institute of Standards and 
     Technology issues a proposed standard pursuant to paragraphs 
     (2) or (3) of section 20(a) of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3(a)), the 
     Director of the National Institute of Standards and 
     Technology shall consider developing and, if appropriate and 
     practical, develop, in consultation with the Director of the 
     Cybersecurity and Infrastructure Security Agency, 
     specifications to enable the automated verification of the 
     implementation of the controls within the standard.'';
       (3) in section 3554--
       (A) in subsection (a)--
       (i) in paragraph (1)--

       (I) by redesignating subparagraphs (A), (B), and (C) as 
     subparagraphs (B), (C), and (D), respectively;
       (II) by inserting before subparagraph (B), as so 
     redesignated, the following:

       ``(A) on an ongoing and continuous basis, performing agency 
     system risk assessments that--
       ``(i) identify and document the high value assets of the 
     agency using guidance from the Director;
       ``(ii) evaluate the data assets inventoried under section 
     3511 for sensitivity to compromises in confidentiality, 
     integrity, and availability;
       ``(iii) identify agency systems that have access to or hold 
     the data assets inventoried under section 3511;
       ``(iv) evaluate the threats facing agency systems and data, 
     including high value assets, based on Federal and non-Federal 
     cyber threat intelligence products, where available;
       ``(v) evaluate the vulnerability of agency systems and 
     data, including high value assets, including by analyzing--

       ``(I) the results of penetration testing performed by the 
     Department of Homeland Security under section 3553(b)(9);
       ``(II) the results of penetration testing performed under 
     section 3559A;
       ``(III) information provided to the agency through the 
     vulnerability disclosure program of the agency under section 
     3559B;
       ``(IV) incidents; and
       ``(V) any other vulnerability information relating to 
     agency systems that is known to the agency;

       ``(vi) assess the impacts of potential agency incidents to 
     agency systems, data, and operations based on the evaluations 
     described
     in clauses (ii) and (iv) and the agency systems identified 
     under clause (iii); and
       ``(vii) assess the consequences of potential incidents 
     occurring on agency systems that would impact systems at 
     other agencies, including due to interconnectivity between 
     different agency systems or operational reliance on the 
     operations of the system or data in the system;'';

       (III) in subparagraph (B), as so redesignated, in the 
     matter preceding clause (i), by striking ``providing 
     information'' and inserting ``using information from the 
     assessment conducted under subparagraph (A), providing 
     information'';
       (IV) in subparagraph (C), as so redesignated--

       (aa) in clause (ii) by inserting ``binding'' before 
     ``operational''; and
       (bb) in clause (vi), by striking ``and'' at the end; and

       (V) by adding at the end the following:

       ``(E) providing an update on the ongoing and continuous 
     assessment performed under subparagraph (A)--
       ``(i) upon request, to the inspector general of the agency 
     or the Comptroller General of the United States; and
       ``(ii) on a periodic basis, as determined by guidance 
     issued by the Director but not less frequently than annually, 
     to--

       ``(I) the Director;
       ``(II) the Director of the Cybersecurity and Infrastructure 
     Security Agency; and
       ``(III) the National Cyber Director;

       ``(F) in consultation with the Director of the 
     Cybersecurity and Infrastructure Security Agency and not less 
     frequently than once every 3 years, performing an evaluation 
     of whether additional cybersecurity procedures are 
     appropriate for securing a system of, or under the 
     supervision of, the agency, which shall--
       ``(i) be completed considering the agency system risk 
     assessment performed under subparagraph (A); and
       ``(ii) include a specific evaluation for high value assets;
       ``(G) not later than 30 days after completing the 
     evaluation performed under subparagraph (F), providing the 
     evaluation and an implementation plan, if applicable, for 
     using additional cybersecurity procedures determined to be 
     appropriate to--
       ``(i) the Director of the Cybersecurity and Infrastructure 
     Security Agency;
       ``(ii) the Director; and
       ``(iii) the National Cyber Director; and
       ``(H) if the head of the agency determines there is need 
     for additional cybersecurity procedures, ensuring that those 
     additional cybersecurity procedures are reflected in the 
     budget request of the agency;'';
       (ii) in paragraph (2)--

       (I) in subparagraph (A), by inserting ``in accordance with 
     the agency system risk assessment performed under paragraph 
     (1)(A)'' after ``information systems'';
       (II) in subparagraph (B)--

       (aa) by striking ``in accordance with standards'' and 
     inserting ``in accordance with--
       ``(i) standards''; and
       (bb) by adding at the end the following:
       ``(ii) the evaluation performed under paragraph (1)(F); and
       ``(iii) the implementation plan described in paragraph 
     (1)(G);''; and

       (III) in subparagraph (D), by inserting ``, through the use 
     of penetration testing, the vulnerability disclosure program 
     established under section 3559B, and other means,'' after 
     ``periodically'';

       (iii) in paragraph (3)--

       (I) in subparagraph (A)--

       (aa) in clause (iii), by striking ``and'' at the end;
       (bb) in clause (iv), by adding ``and'' at the end; and
       (cc) by adding at the end the following:
       ``(v) ensure that--

       ``(I) senior agency information security officers of 
     component agencies carry out responsibilities under this 
     subchapter, as directed by the senior agency information 
     security officer of the agency or an equivalent official; and
       ``(II) senior agency information security officers of 
     component agencies report to--

       ``(aa) the senior information security officer of the 
     agency or an equivalent official; and
       ``(bb) the Chief Information Officer of the component 
     agency or an equivalent official;''; and
       (iv) in paragraph (5), by inserting ``and the Director of 
     the Cybersecurity and Infrastructure Security Agency'' before 
     ``on the effectiveness'';
       (B) in subsection (b)--
       (i) by striking paragraph (1) and inserting the following:
       ``(1) pursuant to subsection (a)(1)(A), performing ongoing 
     and continuous agency system risk assessments, which may 
     include using guidelines and automated tools consistent with 
     standards and guidelines promulgated under section 11331 of 
     title 40, as applicable;'';
       (ii) in paragraph (2)--

       (I) by striking subparagraph (B) and inserting the 
     following:

       ``(B) comply with the risk-based cyber budget model 
     developed pursuant to section 3553(a)(7);''; and

       (II) in subparagraph (D)--

       (aa) by redesignating clauses (iii) and (iv) as clauses 
     (iv) and (v), respectively;
       (bb) by inserting after clause (ii) the following:
       ``(iii) binding operational directives and emergency 
     directives promulgated by the Director of the Cybersecurity 
     and Infrastructure Security Agency under section 3553;''; and
       (cc) in clause (iv), as so redesignated, by striking ``as 
     determined by the agency; and'' and inserting ``as determined 
     by the agency, considering the agency risk assessment 
      performed under subsection (a)(1)(A); and'';
       (iii) in paragraph (5)(A), by inserting ``, including 
     penetration testing, as appropriate,'' after ``shall include 
     testing'';
       (iv) in paragraph (6), by striking ``planning, 
     implementing, evaluating, and documenting'' and inserting 
     ``planning and implementing and, in consultation with the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, evaluating and documenting'';
       (v) by redesignating paragraphs (7) and (8) as paragraphs 
     (8) and (9), respectively;
       (vi) by inserting after paragraph (6) the following:
       ``(7) a process for providing the status of every remedial 
     action and unremediated identified system vulnerability to 
     the Director and the Director of the Cybersecurity and 
     Infrastructure Security Agency, using automation and machine-
     readable data to the greatest extent practicable;''; and
       (vii) in paragraph (8)(C), as so redesignated--

       (I) by striking clause (ii) and inserting the following:

       ``(ii) notifying and consulting with the Federal 
     information security incident center established under 
     section 3556 pursuant to the requirements of section 3594;'';

       (II) by redesignating clause (iii) as clause (iv);
       (III) by inserting after clause (ii) the following:

       ``(iii) performing the notifications and other activities 
     required under subchapter IV of this chapter; and''; and

       (IV) in clause (iv), as so redesignated--

       (aa) in subclause (I), by striking ``and relevant offices 
     of inspectors general'';
       (bb) in subclause (II), by adding ``and'' at the end;
       (cc) by striking subclause (III); and
       (dd) by redesignating subclause (IV) as subclause (III);
       (C) in subsection (c)--
       (i) by redesignating paragraph (2) as paragraph (5);
       (ii) by striking paragraph (1) and inserting the following:
       ``(1) Biannual report.--Not later than 2 years after the 
     date of enactment of the Federal Information Security 
     Modernization Act of 2022 and not less frequently than once 
     every 2 years thereafter, using the continuous and ongoing 
     agency system risk assessment under subsection (a)(1)(A), the 
     head of each agency shall submit to the Director, the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, the majority and minority leaders of the Senate, the 
     Speaker and minority leader of the House of Representatives, 
     the Committee on Homeland Security and Governmental Affairs 
     of the Senate, the Committee on Oversight and Reform of the 
     House of Representatives, the Committee on Homeland Security 
     of the House of Representatives, the Committee on Commerce, 
     Science, and Transportation of the Senate, the Committee on 
     Science, Space, and Technology of the House of 
     Representatives, the appropriate authorization and 
     appropriations committees of Congress, the National Cyber 
     Director, and the Comptroller General of the United States a 
     report that--
       ``(A) summarizes the agency system risk assessment 
     performed under subsection (a)(1)(A);
       ``(B) evaluates the adequacy and effectiveness of 
     information security policies, procedures, and practices of 
     the agency to address the risks identified in the agency 
     system risk assessment performed under subsection (a)(1)(A), 
     including an analysis of the agency's cybersecurity and 
     incident response capabilities using the metrics established 
     under section 224(c) of the Cybersecurity Act of 2015 (6 
     U.S.C. 1522(c));
       ``(C) summarizes the evaluation and implementation plans 
     described in subparagraphs (F) and (G) of subsection (a)(1) 
     and whether those evaluation and implementation plans call 
     for the use of additional cybersecurity procedures determined 
     to be appropriate by the agency; and
       ``(D) summarizes the status of remedial actions identified 
      by the inspector general of the agency, the Comptroller General 
     of the United States, and any other source determined 
     appropriate by the head of the agency.
       ``(2) Unclassified reports.--Each report submitted under 
     paragraph (1)--
       ``(A) shall be, to the greatest extent practicable, in an 
     unclassified and otherwise uncontrolled form; and
       ``(B) may include a classified annex.
       ``(3) Access to information.--The head of an agency shall 
     ensure that, to the greatest extent practicable, information 
     is included in the unclassified form of the report submitted 
     by the agency under paragraph (2)(A).
       ``(4) Briefings.--During each year during which a report is 
     not required to be submitted under paragraph (1), the 
     Director shall provide to the congressional committees 
     described in paragraph (1) a briefing summarizing current 
     agency and Federal risk postures.''; and
       (iii) in paragraph (5), as so redesignated, by striking the 
     period at the end and inserting ``, including the reporting 
     procedures established under section 11315(d) of title 40 and 
     subsection (a)(3)(A)(v) of this section''; and
       (D) in subsection (d)(1), in the matter preceding 
     subparagraph (A), by inserting ``and
     the National Cyber Director'' after ``the Director''; and
       (E) by adding at the end the following:
       ``(f) Reporting Structure Exemption.--
       ``(1) In general.--On an annual basis, the Director may 
     exempt an agency from the reporting structure requirement 
     under subsection (a)(3)(A)(v)(II).
       ``(2) Report.--On an annual basis, the Director shall 
     submit a report to the Committee on Homeland Security and 
     Governmental Affairs of the Senate and the Committee on 
     Oversight and Reform of the House of Representatives that 
     includes a list of each exemption granted under paragraph (1) 
     and the associated rationale for each exemption.
       ``(3) Component of other report.--The report required under 
     paragraph (2) may be incorporated into any other annual 
     report required under this chapter.'';
       (4) in section 3555--
       (A) in the section heading, by striking ``annual 
     independent'' and inserting ``independent'';
       (B) in subsection (a)--
       (i) in paragraph (1), by inserting ``during which a report 
     is required to be submitted under section 3553(c),'' after 
     ``Each year'';
       (ii) in paragraph (2)(A), by inserting ``, including by 
     penetration testing and analyzing the vulnerability 
     disclosure program of the agency'' after ``information 
     systems''; and
       (iii) by adding at the end the following:
       ``(3) An evaluation under this section may include 
     recommendations for improving the cybersecurity posture of 
     the agency.'';
       (C) in subsection (b)(1), by striking ``annual'';
       (D) in subsection (e)(1), by inserting ``during which a 
     report is required to be submitted under section 3553(c)'' 
     after ``Each year'';
       (E) by striking subsection (f) and inserting the following:
       ``(f) Protection of Information.--(1) Agencies, evaluators, 
     and other recipients of information that, if disclosed, may 
     cause grave harm to the efforts of Federal information 
     security officers, shall take appropriate steps to ensure the 
     protection of that information, including safeguarding the 
     information from public disclosure.
       ``(2) The protections required under paragraph (1) shall be 
     commensurate with the risk and comply with all applicable 
     laws and regulations.
       ``(3) With respect to information that is not related to 
     national security systems, agencies and evaluators shall make 
     a summary of the information unclassified and publicly 
     available, including information that does not identify--
       ``(A) specific information system incidents; or
       ``(B) specific information system vulnerabilities.'';
       (F) in subsection (g)(2)--
       (i) by striking ``this subsection shall'' and inserting 
     ``this subsection--
       ``(A) shall'';
       (ii) in subparagraph (A), as so designated, by striking the 
     period at the end and inserting ``; and''; and
       (iii) by adding at the end the following:
       ``(B) identify any entity that performs an independent 
     evaluation under subsection (b).''; and
       (G) by striking subsection (j) and inserting the following:
       ``(j) Guidance.--
       ``(1) In general.--The Director, in consultation with the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, the Chief Information Officers Council, the Council 
     of the Inspectors General on Integrity and Efficiency, and 
     other interested parties as appropriate, shall ensure the 
     development of risk-based guidance for evaluating the 
     effectiveness of an information security program and 
      practices.
       ``(2) Priorities.--The risk-based guidance developed under 
     paragraph (1) shall include--
       ``(A) the identification of the most common successful 
     threat patterns experienced by each agency;
       ``(B) the identification of security controls that address 
     the threat patterns described in subparagraph (A);
       ``(C) any other security risks unique to the networks of 
     each agency; and
       ``(D) any other element the Director, in consultation with 
     the Director of the Cybersecurity and Infrastructure Security 
     Agency and the Council of the Inspectors General on Integrity 
     and Efficiency, determines appropriate.''; and
       (5) in section 3556(a)--
       (A) in the matter preceding paragraph (1), by inserting 
     ``within the Cybersecurity and Infrastructure Security 
     Agency'' after ``incident center''; and
       (B) in paragraph (4), by striking ``3554(b)'' and inserting 
     ``3554(a)(1)(A)''.
       (d) Conforming Amendments.--
       (1) Table of sections.--The table of sections for chapter 
     35 of title 44, United States Code, is amended by striking 
     the item relating to section 3555 and inserting the 
     following:

``3555. Independent evaluation''.
       (2) OMB reports.--Section 226(c) of the Cybersecurity Act 
     of 2015 (6 U.S.C. 1524(c)) is amended--
       (A) in paragraph (1)(B), in the matter preceding clause 
     (i), by striking ``annually thereafter'' and inserting 
     ``thereafter during the years during which a report is 
     required to be submitted under section 3553(c) of title 44, 
     United States Code''; and
       (B) in paragraph (2)(B), in the matter preceding clause 
     (i)--
       (i) by striking ``annually thereafter'' and inserting 
     ``thereafter during the years during which a report is 
     required to be submitted under section 3553(c) of title 44, 
     United States Code''; and
       (ii) by striking ``the report required under section 
     3553(c) of title 44, United States Code'' and inserting 
     ``that report''.
       (3) NIST responsibilities.--Section 20(d)(3)(B) of the 
     National Institute of Standards and Technology Act (15 U.S.C. 
     278g-3(d)(3)(B)) is amended by striking ``annual''.
       (e) Federal System Incident Response.--
       (1) In general.--Chapter 35 of title 44, United States 
     Code, is amended by adding at the end the following:

           ``SUBCHAPTER IV--FEDERAL SYSTEM INCIDENT RESPONSE

     ``Sec. 3591. Definitions

       ``(a) In General.--Except as provided in subsection (b), 
     the definitions under sections 3502 and 3552 shall apply to 
     this subchapter.
       ``(b) Additional Definitions.--As used in this subchapter:
       ``(1) Appropriate reporting entities.--The term 
     `appropriate reporting entities' means--
       ``(A) the majority and minority leaders of the Senate;
       ``(B) the Speaker and minority leader of the House of 
     Representatives;
       ``(C) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       ``(D) the Committee on Oversight and Reform of the House of 
     Representatives;
       ``(E) the Committee on Homeland Security of the House of 
     Representatives;
       ``(F) the appropriate authorization and appropriations 
     committees of Congress;
       ``(G) the Director;
       ``(H) the Director of the Cybersecurity and Infrastructure 
     Security Agency;
       ``(I) the National Cyber Director;
       ``(J) the Comptroller General of the United States; and
       ``(K) the inspector general of any impacted agency.
       ``(2) Awardee.--The term `awardee'--
       ``(A) means a person, business, or other entity that 
     receives a grant from, or is a party to a cooperative 
     agreement or an other transaction agreement with, an agency; 
     and
       ``(B) includes any subgrantee of a person, business, or 
     other entity described in subparagraph (A).
       ``(3) Breach.--The term `breach'--
       ``(A) means the loss, control, compromise, unauthorized 
     disclosure, or unauthorized acquisition of personally 
     identifiable information or any similar occurrence; and
       ``(B) includes any additional meaning given the term in 
     policies, principles, standards, or guidelines issued by the 
     Director under section 3553(a).
       ``(4) Contractor.--The term `contractor' means a prime 
     contractor of an agency or a subcontractor of a prime 
     contractor of an agency.
       ``(5) Federal information.--The term `Federal information' 
     means information created, collected, processed, maintained, 
     disseminated, disclosed, or disposed of by or for the Federal 
     Government in any medium or form.
       ``(6) Federal information system.--The term `Federal 
     information system' means an information system used or 
     operated by an agency, a contractor, an awardee, or another 
     organization on behalf of an agency.
       ``(7) Intelligence community.--The term `intelligence 
     community' has the meaning given the term in section 3 of the 
     National Security Act of 1947 (50 U.S.C. 3003).
       ``(8) Nationwide consumer reporting agency.--The term 
     `nationwide consumer reporting agency' means a consumer 
     reporting agency described in section 603(p) of the Fair 
     Credit Reporting Act (15 U.S.C. 1681a(p)).
       ``(9) Vulnerability disclosure.--The term `vulnerability 
     disclosure' means a vulnerability identified under section 
     3559B.

     ``Sec. 3592. Notification of breach

       ``(a) Notification.--As expeditiously as practicable and 
     without unreasonable delay, and in any case not later than 45 
     days after an agency has a reasonable basis to conclude that 
     a breach has occurred, the head of the agency, in 
     consultation with a senior privacy officer of the agency, 
     shall--
       ``(1) determine whether notice to any individual 
     potentially affected by the breach is appropriate based on an 
     assessment of the risk of harm to the individual that 
     considers--
       ``(A) the nature and sensitivity of the personally 
     identifiable information affected by the breach;
       ``(B) the likelihood of access to and use of the personally 
     identifiable information affected by the breach;
       ``(C) the type of breach; and
       ``(D) any other factors determined by the Director; and
       ``(2) as appropriate, provide written notice in accordance 
     with subsection (b) to each individual potentially affected 
     by the breach--
       ``(A) to the last known mailing address of the individual; 
     or
       ``(B) through an appropriate alternative method of 
     notification that the head of the agency or a designated 
     senior-level individual of the agency selects based on 
     factors determined by the Director.
       ``(b) Contents of Notice.--Each notice of a breach provided 
     to an individual under subsection (a)(2) shall include--
       ``(1) a brief description of the breach;
       ``(2) if possible, a description of the types of personally 
     identifiable information affected by the breach;
       ``(3) contact information of the agency that may be used to 
     ask questions of the agency, which--
       ``(A) shall include an e-mail address or another digital 
     contact mechanism; and
       ``(B) may include a telephone number, mailing address, or a 
     website;
       ``(4) information on any remedy being offered by the 
     agency;
       ``(5) any applicable educational materials relating to what 
     individuals can do in response to a breach that potentially 
     affects their personally identifiable information, including 
     relevant contact information for Federal law enforcement 
     agencies and each nationwide consumer reporting agency; and
       ``(6) any other appropriate information, as determined by 
     the head of the agency or established in guidance by the 
     Director.
       ``(c) Delay of Notification.--
       ``(1) In general.--The Attorney General, the Director of 
     National Intelligence, or the Secretary of Homeland Security 
     may delay a notification required under subsection (a) or (d) 
     if the notification would--
       ``(A) impede a criminal investigation or a national 
     security activity;
       ``(B) reveal sensitive sources and methods;
       ``(C) cause damage to national security; or
       ``(D) hamper security remediation actions.
       ``(2) Documentation.--
       ``(A) In general.--Any delay under paragraph (1) shall be 
     reported in writing to the Director, the Attorney General, 
     the Director of National Intelligence, the Secretary of 
     Homeland Security, the National Cyber Director, the Director 
     of the Cybersecurity and Infrastructure Security Agency, and 
     the head of the agency and the inspector general of the 
     agency that experienced the breach.
       ``(B) Contents.--A report required under subparagraph (A) 
     shall include a written statement from the entity that 
     delayed the notification explaining the need for the delay.
       ``(C) Form.--The report required under subparagraph (A) 
     shall be unclassified but may include a classified annex.
       ``(3) Renewal.--A delay under paragraph (1) shall be for a 
     period of 60 days and may be renewed.
       ``(d) Update Notification.--If an agency determines there 
     is a significant change in the reasonable basis to conclude 
     that a breach occurred, a significant change to the 
     determination made under subsection (a)(1), or that it is 
     necessary to update the details of the information provided 
     to potentially affected individuals as described in 
     subsection (b), the agency shall as expeditiously as 
     practicable and without unreasonable delay, and in any case 
     not later than 30 days after such a determination, notify 
     each individual who received a notification pursuant to 
     subsection (a) of those changes.
       ``(e) Rule of Construction.--Nothing in this section shall 
     be construed to limit--
       ``(1) the Director from issuing guidance relating to 
     notifications or the head of an agency from notifying 
     individuals potentially affected by breaches that are not 
     determined to be major incidents; or
       ``(2) the Director from issuing guidance relating to 
     notifications of major incidents or the head of an agency 
     from providing more information than described in subsection 
     (b) when notifying individuals potentially affected by 
     breaches.

     ``Sec. 3593. Congressional and Executive Branch reports

       ``(a) Initial Report.--
       ``(1) In general.--Not later than 72 hours after an agency 
     has a reasonable basis to conclude that a major incident 
     occurred, the head of the agency impacted by the major 
     incident shall submit to the appropriate reporting entities a 
     written report and, to the extent practicable, provide a 
     briefing to the Committee on Homeland Security and 
     Governmental Affairs of the Senate, the Committee on 
     Oversight and Reform of the House of Representatives, the 
     Committee on Homeland Security of the House of 
     Representatives, and the appropriate authorization and 
     appropriations committees of Congress, taking into account--
       ``(A) the information known at the time of the report;
       ``(B) the sensitivity of the details associated with the 
     major incident; and
       ``(C) the classification level of the information contained 
     in the report.
       ``(2) Contents.--A report required under paragraph (1) 
     shall include, in a manner that excludes or otherwise 
     reasonably protects personally identifiable information and 
     to the extent permitted by applicable law, including privacy 
     and statistical laws--
       ``(A) a summary of the information available about the 
     major incident, including how the major incident occurred, 
     information indicating that the major incident may be a 
     breach, and information relating to the major incident as a 
     breach, based on information available to agency officials as 
     of the date on which the agency submits the report;
       ``(B) if applicable, a description and any associated 
     documentation of any circumstances necessitating a delay in a 
     notification to individuals potentially affected by the major 
     incident under section 3592(c);
       ``(C) if applicable, an assessment of the impacts to the 
     agency, the Federal Government, or the security of the United 
     States, based on information available to agency officials on 
     the date on which the agency submits the report; and
       ``(D) if applicable, whether any ransom has been demanded 
     or paid, or plans to be paid, by any entity operating a 
     Federal information system or with access to a Federal 
     information system, unless disclosure of such information may 
     disrupt an active Federal law enforcement or national 
     security operation.
       ``(b) Supplemental Report.--Within a reasonable amount of 
     time, but not later than 30 days after the date on which an 
     agency submits a written report under subsection (a), the 
     head of the agency shall provide to the appropriate reporting 
     entities written updates, which may include classified 
     annexes, on the major incident and, to the extent 
     practicable, provide a briefing, which may include a 
     classified component, to the congressional committees 
     described in subsection (a)(1), including summaries of--
       ``(1) vulnerabilities, means by which the major incident 
     occurred, and impacts to the agency relating to the major 
     incident;
       ``(2) any risk assessment and subsequent risk-based 
     security implementation of the affected information system 
     before the date on which the major incident occurred;
       ``(3) the status of compliance of the affected information 
     system with applicable security requirements that are 
     directly related to the cause of the incident, at the time of 
     the major incident;
       ``(4) an estimate of the number of individuals potentially 
     affected by the major incident based on information available 
     to agency officials as of the date on which the agency 
     provides the update;
       ``(5) an assessment of the risk of harm to individuals 
     potentially affected by the major incident based on 
     information available to agency officials as of the date on 
     which the agency provides the update;
       ``(6) an update to the assessment of the risk to agency 
     operations, or to impacts on other agency or non-Federal 
     entity operations, affected by the major incident based on 
     information available to agency officials as of the date on 
     which the agency provides the update;
       ``(7) the detection, response, and remediation actions of 
     the agency, including any support provided by the 
     Cybersecurity and Infrastructure Security Agency under 
     section 3594(d) and status updates on the notification 
     process described in section 3592(a), including any delay 
     described in section 3592(c), if applicable; and
       ``(8) if applicable, a description of any circumstances or 
     data leading the head of the agency to determine, pursuant to 
     section 3592(a)(1), not to notify individuals potentially 
     impacted by a breach.
       ``(c) Update Report.--If the agency determines that there 
     is any significant change in the understanding of the agency 
     of the scope, scale, or consequence of a major incident for 
     which an agency submitted a written report under subsection 
     (a), the agency shall provide an updated report to the 
     appropriate reporting entities that includes information 
     relating to the change in understanding.
       ``(d) Biannual Report.--Each agency shall submit as part of 
     the biannual report required under section 3554(c)(1) of this 
     title a description of each major incident that occurred 
     during the 2-year period preceding the date on which the 
     biannual report is submitted.
       ``(e) Delay and Lack of Notification Report.--
       ``(1) In general.--The Director shall submit to the 
     appropriate reporting entities an annual report on all 
     notification delays granted pursuant to section 3592(c).
       ``(2) Lack of breach notification.--The Director shall 
     submit to the appropriate reporting entities an annual report 
     on each breach with respect to which the head of an agency 
     determined, pursuant to section 3592(a)(1), not to notify 
     individuals potentially impacted by the breach.
       ``(3) Component of other report.--The Director may submit 
     the report required under paragraph (1) as a component of the 
     annual report submitted under section 3597(b).
       ``(f) Report Delivery.--Any written report required to be 
     submitted under this section may be submitted in a paper or 
     electronic format.
       ``(g) Threat Briefing.--
       ``(1) In general.--Not later than 7 days after the date on 
     which an agency has a reasonable basis to conclude that a 
     major incident occurred, the head of the agency, jointly with 
     the Director, the National Cyber Director and any other 
     Federal entity determined appropriate by the National Cyber 
     Director, shall provide a briefing to the congressional 
     committees described in subsection (a)(1) on the threat 
     causing the major incident.
       ``(2) Components.--The briefing required under paragraph 
     (1)--
       ``(A) shall, to the greatest extent practicable, include an 
     unclassified component; and
       ``(B) may include a classified component.
       ``(h) Rule of Construction.--Nothing in this section shall 
     be construed to limit--
       ``(1) the ability of an agency to provide additional 
     reports or briefings to Congress; or
       ``(2) Congress from requesting additional information from 
     agencies through reports, briefings, or other means.

     ``Sec. 3594. Government information sharing and incident 
       response

       ``(a) In General.--
       ``(1) Incident reporting.--Subject to the limitations 
     described in subsection (b), the head of each agency shall 
     provide any information relating to any incident affecting 
     the agency, whether the information is obtained by the 
     Federal Government directly or indirectly, to the 
     Cybersecurity and Infrastructure Security Agency.

[[Page S903]]

       ``(2) Contents.--A provision of information relating to an 
     incident made by the head of an agency under paragraph (1) 
     shall--
       ``(A) include detailed information about the safeguards 
     that were in place when the incident occurred;
       ``(B) whether the agency implemented the safeguards 
     described in subparagraph (A) correctly;
       ``(C) in order to protect against a similar incident, 
     identify--
       ``(i) how the safeguards described in subparagraph (A) 
     should be implemented differently; and
       ``(ii) additional necessary safeguards; and
       ``(D) include information to aid in incident response, such 
     as--
       ``(i) a description of the affected systems or networks;
       ``(ii) the estimated dates of when the incident occurred; 
     and
       ``(iii) information that could reasonably help identify the 
     party that conducted the incident or the cause of the 
     incident, subject to appropriate privacy protections.
       ``(3) Information sharing.--The Director of the 
     Cybersecurity and Infrastructure Security Agency shall--
       ``(A) make incident information provided under paragraph 
     (1) available to the Director and the National Cyber 
     Director;
       ``(B) to the greatest extent practicable, share information 
     relating to an incident with the head of any agency that may 
     be--
       ``(i) impacted by the incident;
       ``(ii) similarly susceptible to the incident; or
       ``(iii) similarly targeted by the incident; and
       ``(C) coordinate any necessary information sharing efforts 
     relating to a major incident with the private sector.
       ``(4) National security systems.--Each agency operating or 
     exercising control of a national security system shall share 
     information about incidents that occur on national security 
     systems with the Director of the Cybersecurity and 
     Infrastructure Security Agency to the extent consistent with 
     standards and guidelines for national security systems issued 
     in accordance with law and as directed by the President.
       ``(b) Compliance.--In providing information and selecting a 
     method to provide information under subsection (a), the head 
     of each agency shall take into account the level of 
     classification of the information and any information sharing 
     limitations and protections, such as limitations and 
     protections relating to law enforcement, national security, 
     privacy, statistical confidentiality, or other factors 
     determined by the Director in order to implement subsection 
     (a)(1) in a manner that enables automated and consistent 
     reporting to the greatest extent practicable.
       ``(c) Incident Response.--Each agency that has a reasonable 
     basis to conclude that a major incident occurred involving 
     Federal information in electronic medium or form that does 
     not exclusively involve a national security system, 
     regardless of delays from notification granted for a major 
     incident that is also a breach, shall coordinate with the 
     Cybersecurity and Infrastructure Security Agency to 
     facilitate asset response activities and provide 
     recommendations for mitigating future incidents.

     ``Sec. 3595. Responsibilities of contractors and awardees

       ``(a) Reporting.--
       ``(1) In general.--Unless otherwise specified in a 
     contract, grant, cooperative agreement, or an other 
     transaction agreement, any contractor or awardee of an agency 
     shall report to the agency within the same amount of time 
     such agency is required to report an incident to the 
     Cybersecurity and Infrastructure Security Agency, if the 
     contractor or awardee has a reasonable basis to suspect or 
     conclude that--
       ``(A) an incident or breach has occurred with respect to 
     Federal information collected, used, or maintained by the 
     contractor or awardee in connection with the contract, grant, 
     cooperative agreement, or other transaction agreement of the 
     contractor or awardee;
       ``(B) an incident or breach has occurred with respect to a 
     Federal information system used or operated by the contractor 
     or awardee in connection with the contract, grant, 
     cooperative agreement, or other transaction agreement of the 
     contractor or awardee; or
       ``(C) the contractor or awardee has received information 
     from the agency that the contractor or awardee is not 
     authorized to receive in connection with the contract, grant, 
     cooperative agreement, or other transaction agreement of the 
     contractor or awardee.
       ``(2) Procedures.--
       ``(A) Major incident.--Following a report of a breach or 
     major incident by a contractor or awardee under paragraph 
     (1), the agency, in consultation with the contractor or 
     awardee, shall carry out the requirements under sections 
     3592, 3593, and 3594 with respect to the major incident.
       ``(B) Incident.--Following a report of an incident by a 
     contractor or awardee under paragraph (1), an agency, in 
     consultation with the contractor or awardee, shall carry out 
     the requirements under section 3594 with respect to the 
     incident.
       ``(b) Effective Date.--This section shall apply--
       ``(1) on and after the date that is 1 year after the date 
     of enactment of the Federal Information Security 
     Modernization Act of 2022; and
       ``(2) with respect to any contract entered into on or after 
     the date described in paragraph (1).

     ``Sec. 3596. Training

       ``(a) Covered Individual Defined.--In this section, the 
     term `covered individual' means an individual who obtains 
     access to Federal information or Federal information systems 
     because of the status of the individual as an employee, 
     contractor, awardee, volunteer, or intern of an agency.
       ``(b) Requirement.--The head of each agency shall develop 
     training for covered individuals on how to identify and 
     respond to an incident, including--
       ``(1) the internal process of the agency for reporting an 
     incident; and
       ``(2) the obligation of a covered individual to report to 
     the agency a confirmed major incident and any suspected 
     incident involving information in any medium or form, 
     including paper, oral, and electronic.
       ``(c) Inclusion in Annual Training.--The training developed 
     under subsection (b) may be included as part of an annual 
     privacy or security awareness training of an agency.

     ``Sec. 3597. Analysis and report on Federal incidents

       ``(a) Analysis of Federal Incidents.--
       ``(1) Quantitative and qualitative analyses.--The Director 
     of the Cybersecurity and Infrastructure Security Agency shall 
     develop, in consultation with the Director and the National 
     Cyber Director, and perform continuous monitoring and 
     quantitative and qualitative analyses of incidents at 
     agencies, including major incidents, including--
       ``(A) the causes of incidents, including--
       ``(i) attacker tactics, techniques, and procedures; and
       ``(ii) system vulnerabilities, including zero days, 
     unpatched systems, and information system misconfigurations;
       ``(B) the scope and scale of incidents at agencies;
       ``(C) common root causes of incidents across multiple 
     Federal agencies;
       ``(D) agency incident response, recovery, and remediation 
     actions and the effectiveness of those actions, as 
     applicable;
       ``(E) lessons learned and recommendations in responding to, 
     recovering from, remediating, and mitigating future 
     incidents; and
       ``(F) trends across multiple Federal agencies to address 
     intrusion detection and incident response capabilities using 
     the metrics established under section 224(c) of the 
     Cybersecurity Act of 2015 (6 U.S.C. 1522(c)).
       ``(2) Automated analysis.--The analyses developed under 
     paragraph (1) shall, to the greatest extent practicable, use 
     machine readable data, automation, and machine learning 
     processes.
       ``(3) Sharing of data and analysis.--
       ``(A) In general.--The Director shall share on an ongoing 
     basis the analyses required under this subsection with 
     agencies and the National Cyber Director to--
       ``(i) improve the understanding of cybersecurity risk of 
     agencies; and
       ``(ii) support the cybersecurity improvement efforts of 
     agencies.
       ``(B) Format.--In carrying out subparagraph (A), the 
     Director shall share the analyses--
       ``(i) in human-readable written products; and
       ``(ii) to the greatest extent practicable, in machine-
     readable formats in order to enable automated intake and use 
     by agencies.
       ``(b) Annual Report on Federal Incidents.--Not later than 2 
     years after the date of enactment of this section, and not 
     less frequently than annually thereafter, the Director of the 
     Cybersecurity and Infrastructure Security Agency, in 
     consultation with the Director, the National Cyber Director 
     and the heads of other Federal agencies, as appropriate, 
     shall submit to the appropriate reporting entities a report 
     that includes--
       ``(1) a summary of causes of incidents from across the 
     Federal Government that categorizes those incidents as 
     incidents or major incidents;
       ``(2) the quantitative and qualitative analyses of 
     incidents developed under subsection (a)(1) on an agency-by-
     agency basis and comprehensively across the Federal 
     Government, including--
       ``(A) a specific analysis of breaches; and
       ``(B) an analysis of the Federal Government's performance 
     against the metrics established under section 224(c) of the 
     Cybersecurity Act of 2015 (6 U.S.C. 1522(c)); and
       ``(3) an annex for each agency that includes--
       ``(A) a description of each major incident;
       ``(B) the total number of incidents of the agency; and
       ``(C) an analysis of the agency's performance against the 
     metrics established under section 224(c) of the Cybersecurity 
     Act of 2015 (6 U.S.C. 1522(c)).
       ``(c) Publication.--
       ``(1) In general.--A version of each report submitted under 
     subsection (b) shall be made publicly available on the 
     website of the Cybersecurity and Infrastructure Security 
     Agency during the year in which the report is submitted.
       ``(2) Exemption.--The Director of the Cybersecurity and 
     Infrastructure Security Agency may exempt all or a portion of 
     a report described in paragraph (1) from public publication 
     if the Director of the Cybersecurity and Infrastructure 
     Security Agency determines the exemption is in the interest 
     of national security.
       ``(3) Limitation on exemption.--An exemption granted under 
     paragraph (2) shall not apply to any version of a report 
     submitted to

[[Page S904]]

     the appropriate reporting entities under subsection (b).
       ``(d) Information Provided by Agencies.--
       ``(1) In general.--The analysis required under subsection 
     (a) and each report submitted under subsection (b) shall use 
     information provided by agencies under section 3594(a).
       ``(2) Noncompliance reports.--
       ``(A) In general.--Subject to subparagraph (B), during any 
     year during which the head of an agency does not provide data 
     for an incident to the Cybersecurity and Infrastructure 
     Security Agency in accordance with section 3594(a), the head 
     of the agency, in coordination with the Director of the 
     Cybersecurity and Infrastructure Security Agency and the 
     Director, shall submit to the appropriate reporting entities 
     a report that includes the information described in 
     subsection (b) with respect to the agency.
       ``(B) Exception for national security systems.--The head of 
     an agency that owns or exercises control of a national 
     security system shall not include data for an incident that 
     occurs on a national security system in any report submitted 
     under subparagraph (A).
       ``(3) National security system reports.--
       ``(A) In general.--Annually, the head of an agency that 
     operates or exercises control of a national security system 
     shall submit a report that includes the information described 
     in subsection (b) with respect to the national security 
     system to the extent that the submission is consistent with 
     standards and guidelines for national security systems issued 
     in accordance with law and as directed by the President to--
       ``(i) the majority and minority leaders of the Senate,
       ``(ii) the Speaker and minority leader of the House of 
     Representatives;
       ``(iii) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       ``(iv) the Select Committee on Intelligence of the Senate;
       ``(v) the Committee on Armed Services of the Senate;
       ``(vi) the Committee on Appropriations of the Senate;
       ``(vii) the Committee on Oversight and Reform of the House 
     of Representatives;
       ``(viii) the Committee on Homeland Security of the House of 
     Representatives;
       ``(ix) the Permanent Select Committee on Intelligence of 
     the House of Representatives;
       ``(x) the Committee on Armed Services of the House of 
     Representatives; and
       ``(xi) the Committee on Appropriations of the House of 
     Representatives.
       ``(B) Classified form.--A report required under 
     subparagraph (A) may be submitted in a classified form.
       ``(e) Requirement for Compiling Information.--In publishing 
     the public report required under subsection (c), the Director 
     of the Cybersecurity and Infrastructure Security Agency shall 
     sufficiently compile information such that no specific 
     incident of an agency can be identified, except with the 
     concurrence of the Director of the Office of Management and 
     Budget and in consultation with the impacted agency.

     ``Sec. 3598. Major incident definition

       ``(a) In General.--Not later than 180 days after the date 
     of enactment of the Federal Information Security 
     Modernization Act of 2022, the Director, in coordination with 
     the Director of the Cybersecurity and Infrastructure Security 
     Agency and the National Cyber Director, shall develop and 
     promulgate guidance on the definition of the term `major 
     incident' for the purposes of subchapter II and this 
     subchapter.
       ``(b) Requirements.--With respect to the guidance issued 
     under subsection (a), the definition of the term `major 
     incident' shall--
       ``(1) include, with respect to any information collected or 
     maintained by or on behalf of an agency or an information 
     system used or operated by an agency or by a contractor of an 
     agency or another organization on behalf of an agency--
       ``(A) any incident the head of the agency determines is 
     likely to have an impact on--
       ``(i) the national security, homeland security, or economic 
     security of the United States; or
       ``(ii) the civil liberties or public health and safety of 
     the people of the United States;
       ``(B) any incident the head of the agency determines likely 
     to result in an inability for the agency, a component of the 
     agency, or the Federal Government, to provide 1 or more 
     critical services;
       ``(C) any incident that the head of an agency, in 
     consultation with a senior privacy officer of the agency, 
      determines is likely to have a significant privacy impact on 
      1 or more individuals;
       ``(D) any incident that the head of the agency, in 
     consultation with a senior privacy official of the agency, 
     determines is likely to have a substantial privacy impact on 
     a significant number of individuals;
       ``(E) any incident the head of the agency determines 
     substantially disrupts the operations of a high value asset 
     owned or operated by the agency;
       ``(F) any incident involving the exposure of sensitive 
     agency information to a foreign entity, such as the 
     communications of the head of the agency, the head of a 
     component of the agency, or the direct reports of the head of 
     the agency or the head of a component of the agency; and
       ``(G) any other type of incident determined appropriate by 
     the Director;
       ``(2) stipulate that the National Cyber Director, in 
     consultation with the Director, shall declare a major 
     incident at each agency impacted by an incident if it is 
     determined that an incident--
       ``(A) occurs at not less than 2 agencies; and
       ``(B) is enabled by--
       ``(i) a common technical root cause, such as a supply chain 
     compromise, a common software or hardware vulnerability; or
       ``(ii) the related activities of a common threat actor; and
       ``(3) stipulate that, in determining whether an incident 
     constitutes a major incident because that incident is any 
     incident described in paragraph (1), the head of the agency 
     shall consult with the National Cyber Director and may 
     consult with the Director of the Cybersecurity and 
     Infrastructure Security Agency.
       ``(c) Significant Number of Individuals.--In determining 
     what constitutes a significant number of individuals under 
     subsection (b)(1)(D), the Director--
       ``(1) may determine a threshold for a minimum number of 
     individuals that constitutes a significant amount; and
       ``(2) may not determine a threshold described in paragraph 
     (1) that exceeds 5,000 individuals.
       ``(d) Evaluation and Updates.--Not later than 2 years after 
     the date of enactment of the Federal Information Security 
     Modernization Act of 2022, and not less frequently than every 
     2 years thereafter, the Director shall provide a briefing to 
     the Committee on Homeland Security and Governmental Affairs 
     of the Senate and the Committee on Oversight and Reform of 
     the House of Representatives, which shall include--
       ``(1) an evaluation of any necessary updates to the 
     guidance issued under subsection (a);
       ``(2) an evaluation of any necessary updates to the 
     definition of the term `major incident' included in the 
     guidance issued under subsection (a); and
       ``(3) an explanation of, and the analysis that led to, the 
     definition described in paragraph (2).''.
       (2) Clerical amendment.--The table of sections for chapter 
     35 of title 44, United States Code, is amended by adding at 
     the end the following:

           ``subchapter iv--federal system incident response

``3591. Definitions
``3592. Notification of breach
``3593. Congressional and Executive Branch reports
``3594. Government information sharing and incident response
``3595. Responsibilities of contractors and awardees
``3596. Training
``3597. Analysis and report on Federal incidents
``3598. Major incident definition''.

     SEC. 104. AMENDMENTS TO SUBTITLE III OF TITLE 40.

       (a) Modernizing Government Technology.--Subtitle G of title 
     X of Division A of the National Defense Authorization Act for 
     Fiscal Year 2018 (40 U.S.C. 11301 note) is amended in section 
     1078--
       (1) by striking subsection (a) and inserting the following:
       ``(a) Definitions.--In this section:
       ``(1) Agency.--The term `agency' has the meaning given the 
     term in section 551 of title 5, United States Code.
       ``(2) High value asset.--The term `high value asset' has 
     the meaning given the term in section 3552 of title 44, 
     United States Code.'';
       (2) in subsection (b), by adding at the end the following:
       ``(8) Proposal evaluation.--The Director shall--
       ``(A) give consideration for the use of amounts in the Fund 
     to improve the security of high value assets; and
       ``(B) require that any proposal for the use of amounts in 
     the Fund includes a cybersecurity plan, including a supply 
     chain risk management plan, to be reviewed by the member of 
     the Technology Modernization Board described in subsection 
     (c)(5)(C).''; and
       (3) in subsection (c)--
       (A) in paragraph (2)(A)(i), by inserting ``, including a 
     consideration of the impact on high value assets'' after 
     ``operational risks'';
       (B) in paragraph (5)--
       (i) in subparagraph (A), by striking ``and'' at the end;
       (ii) in subparagraph (B), by striking the period at the end 
     and inserting ``and''; and
       (iii) by adding at the end the following:
       ``(C) a senior official from the Cybersecurity and 
     Infrastructure Security Agency of the Department of Homeland 
     Security, appointed by the Director.''; and
       (C) in paragraph (6)(A), by striking ``shall be--'' and all 
     that follows through ``4 employees'' and inserting ``shall be 
     4 employees''.
       (b) Subchapter I.--Subchapter I of chapter 113 of subtitle 
     III of title 40, United States Code, is amended--
       (1) in section 11302--
       (A) in subsection (b), by striking ``use, security, and 
     disposal of'' and inserting ``use, and disposal of, and, in 
     consultation with the Director of the Cybersecurity and 
     Infrastructure Security Agency and the National Cyber 
     Director, promote and improve the security of,'';
       (B) in subsection (c)--
       (i) in paragraph (3)--

       (I) in subparagraph (A)--

       (aa) by striking ``including data'' and inserting ``which 
     shall--
       ``(i) include data''; and
       (bb) by adding at the end the following:

[[Page S905]]

       ``(ii) specifically denote cybersecurity funding under the 
     risk-based cyber budget model developed pursuant to section 
     3553(a)(7) of title 44.''; and

       (II) in subparagraph (B), by adding at the end the 
     following:

       ``(iii) The Director shall provide to the National Cyber 
     Director any cybersecurity funding information described in 
     subparagraph (A)(ii) that is provided to the Director under 
     clause (ii) of this subparagraph.'';
       (C) in subsection (f)--
       (i) by striking ``heads of executive agencies to develop'' 
     and inserting ``heads of executive agencies to--
       ``(1) develop'';
       (ii) in paragraph (1), as so designated, by striking the 
     period at the end and inserting ``; and''; and
       (iii) by adding at the end the following:
       ``(2) consult with the Director of the Cybersecurity and 
     Infrastructure Security Agency for the development and use of 
     supply chain security best practices.''; and
       (D) in subsection (h), by inserting ``, including 
     cybersecurity performances,'' after ``the performances''; and
       (2) in section 11303(b)--
       (A) in paragraph (2)(B)--
       (i) in clause (i), by striking ``or'' at the end;
       (ii) in clause (ii), by adding ``or'' at the end; and
       (iii) by adding at the end the following:
       ``(iii) whether the function should be performed by a 
     shared service offered by another executive agency;''; and
       (B) in paragraph (5)(B)(i), by inserting ``, while taking 
     into account the risk-based cyber budget model developed 
     pursuant to section 3553(a)(7) of title 44'' after ``title 
     31''.
       (c) Subchapter II.--Subchapter II of chapter 113 of 
     subtitle III of title 40, United States Code, is amended--
       (1) in section 11312(a), by inserting ``, including 
     security risks'' after ``managing the risks'';
       (2) in section 11313(1), by striking ``efficiency and 
     effectiveness'' and inserting ``efficiency, security, and 
     effectiveness'';
       (3) in section 11315, by adding at the end the following:
       ``(d) Component Agency Chief Information Officers.--The 
     Chief Information Officer or an equivalent official of a 
     component agency shall report to--
       ``(1) the Chief Information Officer designated under 
     section 3506(a)(2) of title 44 or an equivalent official of 
     the agency of which the component agency is a component; and
       ``(2) the head of the component agency.
       ``(e) Reporting Structure Exemption.--
        ``(1) In general.--On an annual basis, the Director may exempt 
     any agency from the reporting structure requirements under 
     subsection (d).
       ``(2) Report.--On an annual basis, the Director shall 
     submit to the Committee on Homeland Security and Governmental 
     Affairs of the Senate and the Committee on Oversight and 
     Reform of the House of Representatives a report that includes 
     a list of each exemption granted under paragraph (1) and the 
     associated rationale for each exemption.
       ``(3) Component of other report.--The report required under 
     paragraph (2) may be incorporated into any other annual 
     report required under chapter 35 of title 44, United States 
     Code.'';
       (4) in section 11317, by inserting ``security,'' before 
     ``or schedule''; and
       (5) in section 11319(b)(1), in the paragraph heading, by 
     striking ``CIOS'' and inserting ``Chief information 
     officers''.

     SEC. 105. ACTIONS TO ENHANCE FEDERAL INCIDENT TRANSPARENCY.

       (a) Responsibilities of the Cybersecurity and 
     Infrastructure Security Agency.--
       (1) In general.--Not later than 180 days after the date of 
     enactment of this Act, the Director of the Cybersecurity and 
     Infrastructure Security Agency shall--
       (A) develop a plan for the development of the analysis 
     required under section 3597(a) of title 44, United States 
     Code, as added by this title, and the report required under 
     subsection (b) of that section that includes--
       (i) a description of any challenges the Director of the 
     Cybersecurity and Infrastructure Security Agency anticipates 
     encountering; and
       (ii) the use of automation and machine-readable formats for 
     collecting, compiling, monitoring, and analyzing data; and
       (B) provide to the appropriate congressional committees a 
     briefing on the plan developed under subparagraph (A).
       (2) Briefing.--Not later than 1 year after the date of 
     enactment of this Act, the Director of the Cybersecurity and 
     Infrastructure Security Agency shall provide to the 
     appropriate congressional committees a briefing on--
       (A) the execution of the plan required under paragraph 
     (1)(A); and
       (B) the development of the report required under section 
     3597(b) of title 44, United States Code, as added by this 
     title.
       (b) Responsibilities of the Director of the Office of 
     Management and Budget.--
       (1) FISMA.--Section 2 of the Federal Information Security 
     Modernization Act of 2014 (44 U.S.C. 3554 note) is amended--
       (A) by striking subsection (b); and
       (B) by redesignating subsections (c) through (f) as 
     subsections (b) through (e), respectively.
       (2) Incident data sharing.--
       (A) In general.--The Director shall develop guidance, to be 
     updated not less frequently than once every 2 years, on the 
     content, timeliness, and format of the information provided 
     by agencies under section 3594(a) of title 44, United States 
     Code, as added by this title.
       (B) Requirements.--The guidance developed under 
     subparagraph (A) shall--
       (i) prioritize the availability of data necessary to 
     understand and analyze--

       (I) the causes of incidents;
       (II) the scope and scale of incidents within the 
     environments and systems of an agency;
       (III) a root cause analysis of incidents that--

       (aa) are common across the Federal Government; or
       (bb) have a Government-wide impact;

       (IV) agency response, recovery, and remediation actions and 
     the effectiveness of those actions; and
       (V) the impact of incidents;

       (ii) enable the efficient development of--

       (I) lessons learned and recommendations in responding to, 
     recovering from, remediating, and mitigating future 
     incidents; and
       (II) the report on Federal incidents required under section 
     3597(b) of title 44, United States Code, as added by this 
     title;

       (iii) include requirements for the timeliness of data 
     production; and
       (iv) include requirements for using automation and machine-
     readable data for data sharing and availability.
       (3) Guidance on responding to information requests.--Not 
     later than 1 year after the date of enactment of this Act, 
     the Director shall develop guidance for agencies to implement 
     the requirement under section 3594(c) of title 44, United 
     States Code, as added by this title, to provide information 
     to other agencies experiencing incidents.
       (4) Standard guidance and templates.--Not later than 1 year 
     after the date of enactment of this Act, the Director, in 
     consultation with the Director of the Cybersecurity and 
     Infrastructure Security Agency, shall develop guidance and 
     templates, to be reviewed and, if necessary, updated not less 
     frequently than once every 2 years, for use by Federal 
     agencies in the activities required under sections 3592, 
     3593, and 3596 of title 44, United States Code, as added by 
     this title.
       (5) Contractor and awardee guidance.--
       (A) In general.--Not later than 1 year after the date of 
     enactment of this Act, the Director, in coordination with the 
     Secretary of Homeland Security, the Secretary of Defense, the 
     Administrator of General Services, and the heads of other 
     agencies determined appropriate by the Director, shall issue 
     guidance to Federal agencies on how to deconflict, to the 
     greatest extent practicable, existing regulations, policies, 
     and procedures relating to the responsibilities of 
     contractors and awardees established under section 3595 of 
     title 44, United States Code, as added by this title.
       (B) Existing processes.--To the greatest extent 
     practicable, the guidance issued under subparagraph (A) shall 
     allow contractors and awardees to use existing processes for 
     notifying Federal agencies of incidents involving information 
     of the Federal Government.
       (6) Updated briefings.--Not less frequently than once every 
     2 years, the Director shall provide to the appropriate 
     congressional committees an update on the guidance and 
     templates developed under paragraphs (2) through (4).
       (c) Update to the Privacy Act of 1974.--Section 552a(b) of 
     title 5, United States Code (commonly known as the ``Privacy 
     Act of 1974'') is amended--
       (1) in paragraph (11), by striking ``or'' at the end;
       (2) in paragraph (12), by striking the period at the end 
     and inserting ``; or''; and
       (3) by adding at the end the following:
       ``(13) to another agency in furtherance of a response to an 
     incident (as defined in section 3552 of title 44) and 
     pursuant to the information sharing requirements in section 
     3594 of title 44 if the head of the requesting agency has 
     made a written request to the agency that maintains the 
     record specifying the particular portion desired and the 
     activity for which the record is sought.''.

     SEC. 106. ADDITIONAL GUIDANCE TO AGENCIES ON FISMA UPDATES.

       Not later than 1 year after the date of enactment of this 
     Act, the Director, in consultation with the Director of the 
     Cybersecurity and Infrastructure Security Agency, shall issue 
     guidance for agencies on--
       (1) performing the ongoing and continuous agency system 
     risk assessment required under section 3554(a)(1)(A) of title 
     44, United States Code, as amended by this title;
       (2) implementing additional cybersecurity procedures, which 
     shall include resources for shared services;
       (3) establishing a process for providing the status of each 
     remedial action under section 3554(b)(7) of title 44, United 
     States Code, as amended by this title, to the Director and 
     the Cybersecurity and Infrastructure Security Agency using 
     automation and machine-readable data, as practicable, which 
     shall include--
       (A) specific guidance for the use of automation and 
     machine-readable data; and
       (B) templates for providing the status of the remedial 
     action; and
       (4) a requirement to coordinate with inspectors general of 
     agencies to ensure consistent understanding and application 
     of agency policies for the purpose of evaluations by 
     inspectors general.

[[Page S906]]

     SEC. 107. AGENCY REQUIREMENTS TO NOTIFY PRIVATE SECTOR 
                   ENTITIES IMPACTED BY INCIDENTS.

       (a) Definitions.--In this section:
       (1) Reporting entity.--The term ``reporting entity'' means 
     a private organization or governmental unit that is required 
     by statute or regulation to submit sensitive information to 
     an agency.
       (2) Sensitive information.--The term ``sensitive 
     information'' has the meaning given the term by the Director 
     in guidance issued under subsection (b).
       (b) Guidance on Notification of Reporting Entities.--Not 
     later than 180 days after the date of enactment of this Act, 
     the Director shall issue guidance requiring the head of each 
     agency to notify a reporting entity of an incident that is 
     likely to substantially affect--
       (1) the confidentiality or integrity of sensitive 
     information submitted by the reporting entity to the agency 
     pursuant to a statutory or regulatory requirement; or
       (2) the agency information system or systems used in the 
     transmission or storage of the sensitive information 
     described in paragraph (1).

     SEC. 108. MOBILE SECURITY STANDARDS.

       (a) In General.--Not later than 1 year after the date of 
     enactment of this Act, the Director shall--
       (1) evaluate mobile application security guidance 
     promulgated by the Director; and
       (2) issue guidance to secure mobile devices, including for 
     mobile applications, for every agency.
       (b) Contents.--The guidance issued under subsection (a)(2) 
     shall include--
       (1) a requirement, pursuant to section 3506(b)(4) of title 
     44, United States Code, for every agency to maintain a 
     continuous inventory of every--
       (A) mobile device operated by or on behalf of the agency; 
     and
       (B) vulnerability identified by the agency associated with 
     a mobile device; and
       (2) a requirement for every agency to perform continuous 
     evaluation of the vulnerabilities described in paragraph 
     (1)(B) and other risks associated with the use of 
     applications on mobile devices.
       (c) Information Sharing.--The Director, in coordination 
     with the Director of the Cybersecurity and Infrastructure 
     Security Agency, shall issue guidance to agencies for sharing 
     the inventory of the agency required under subsection (b)(1) 
     with the Director of the Cybersecurity and Infrastructure 
     Security Agency, using automation and machine-readable data 
     to the greatest extent practicable.
       (d) Briefing.--Not later than 60 days after the date on 
     which the Director issues guidance under subsection (a)(2), 
     the Director, in coordination with the Director of the 
     Cybersecurity and Infrastructure Security Agency, shall 
     provide to the appropriate congressional committees a 
     briefing on the guidance.

     SEC. 109. DATA AND LOGGING RETENTION FOR INCIDENT RESPONSE.

       (a) Recommendations.--Not later than 2 years after the date 
     of enactment of this Act, and not less frequently than every 
     2 years thereafter, the Director of the Cybersecurity and 
     Infrastructure Security Agency, in consultation with the 
     Attorney General, shall submit to the Director 
     recommendations on requirements for logging events on agency 
     systems and retaining other relevant data within the systems 
     and networks of an agency.
       (b) Contents.--The recommendations provided under 
     subsection (a) shall include--
       (1) the types of logs to be maintained;
       (2) the duration that logs and other relevant data should 
     be retained;
       (3) the time periods for agency implementation of 
     recommended logging and security requirements;
       (4) how to ensure the confidentiality, integrity, and 
     availability of logs;
       (5) requirements to ensure that, upon request, in a manner 
     that excludes or otherwise reasonably protects personally 
     identifiable information, and to the extent permitted by 
     applicable law (including privacy and statistical laws), 
     agencies provide logs to--
       (A) the Director of the Cybersecurity and Infrastructure 
     Security Agency for a cybersecurity purpose; and
       (B) the Director of the Federal Bureau of Investigation, or 
     the appropriate Federal law enforcement agency, to 
     investigate potential criminal activity; and
       (6) requirements to ensure that, subject to compliance with 
     statistical laws and other relevant data protection 
     requirements, the highest level security operations center of 
     each agency has visibility into all agency logs.
       (c) Guidance.--Not later than 90 days after receiving the 
     recommendations submitted under subsection (a), the Director, 
     in consultation with the Director of the Cybersecurity and 
     Infrastructure Security Agency and the Attorney General, 
     shall, as determined to be appropriate by the Director, 
     update guidance to agencies regarding requirements for 
     logging, log retention, log management, sharing of log data 
     with other appropriate agencies, or any other logging 
     activity determined to be appropriate by the Director.
       (d) Sunset.--This section shall cease to have force or 
     effect on the date that is 10 years after the date of the 
     enactment of this Act.

     SEC. 110. CISA AGENCY ADVISORS.

       (a) In General.--Not later than 120 days after the date of 
     enactment of this Act, the Director of the Cybersecurity and 
     Infrastructure Security Agency shall assign not less than 1 
     cybersecurity professional employed by the Cybersecurity and 
     Infrastructure Security Agency to be the Cybersecurity and 
     Infrastructure Security Agency advisor to the senior agency 
     information security officer of each agency.
       (b) Qualifications.--Each advisor assigned under subsection 
     (a) shall have knowledge of--
       (1) cybersecurity threats facing agencies, including any 
     specific threats to the assigned agency;
       (2) performing risk assessments of agency systems; and
       (3) other Federal cybersecurity initiatives.
       (c) Duties.--The duties of each advisor assigned under 
     subsection (a) shall include--
       (1) providing ongoing assistance and advice, as requested, 
     to the agency Chief Information Officer;
       (2) serving as an incident response point of contact 
     between the assigned agency and the Cybersecurity and 
     Infrastructure Security Agency; and
       (3) familiarizing themselves with agency systems, 
     processes, and procedures to better facilitate support to the 
     agency in responding to incidents.
       (d) Limitation.--An advisor assigned under subsection (a) 
     shall not be a contractor.
       (e) Multiple Assignments.--One individual advisor may be 
     assigned to multiple agency Chief Information Officers under 
     subsection (a).

     SEC. 111. FEDERAL PENETRATION TESTING POLICY.

       (a) In General.--Subchapter II of chapter 35 of title 44, 
     United States Code, is amended by adding at the end the 
     following:

     ``Sec. 3559A. Federal penetration testing

       ``(a) Definitions.--In this section:
       ``(1) Agency operational plan.--The term `agency 
     operational plan' means a plan of an agency for the use of 
     penetration testing.
       ``(2) Rules of engagement.--The term `rules of engagement' 
     means a set of rules established by an agency for the use of 
     penetration testing.
       ``(b) Guidance.--
       ``(1) In general.--The Director, in consultation with the 
     Secretary, acting through the Director of the Cybersecurity 
     and Infrastructure Security Agency, shall issue guidance to 
     agencies that--
       ``(A) requires agencies to use, when and where appropriate, 
     penetration testing on agency systems by both Federal and 
     non-Federal entities; and
       ``(B) requires agencies to develop an agency operational 
     plan and rules of engagement that meet the requirements under 
     subsection (c).
       ``(2) Penetration testing guidance.--The guidance issued 
     under this section shall--
       ``(A) permit an agency to use, for the purpose of 
     performing penetration testing--
       ``(i) a shared service of the agency or another agency; or
       ``(ii) an external entity, such as a vendor; and
       ``(B) require agencies to provide the rules of engagement 
     and results of penetration testing to the Director and the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, without regard to the status of the entity that 
     performs the penetration testing.
       ``(c) Agency Plans and Rules of Engagement.--The agency 
     operational plan and rules of engagement of an agency shall--
       ``(1) require the agency to--
       ``(A) perform penetration testing, including on the high 
     value assets of the agency; or
       ``(B) coordinate with the Director of the Cybersecurity and 
     Infrastructure Security Agency to ensure that penetration 
     testing is being performed;
       ``(2) establish guidelines for avoiding, as a result of 
     penetration testing--
       ``(A) adverse impacts to the operations of the agency;
       ``(B) adverse impacts to operational environments and 
     systems of the agency; and
       ``(C) inappropriate access to data;
       ``(3) require the results of penetration testing to include 
     feedback to improve the cybersecurity of the agency; and
       ``(4) include mechanisms for providing consistently 
     formatted, and, if applicable, automated and machine-
     readable, data to the Director and the Director of the 
     Cybersecurity and Infrastructure Security Agency.
       ``(d) Responsibilities of CISA.--The Director of the 
     Cybersecurity and Infrastructure Security Agency shall--
       ``(1) establish a process to assess the performance of 
     penetration testing by both Federal and non-Federal entities 
     that establishes minimum quality controls for penetration 
     testing;
       ``(2) develop operational guidance for instituting 
     penetration testing programs at agencies;
       ``(3) develop and maintain a centralized capability to 
     offer penetration testing as a service to Federal and non-
     Federal entities; and
       ``(4) provide guidance to agencies on the best use of 
     penetration testing resources.
       ``(e) Responsibilities of OMB.--The Director, in 
     coordination with the Director of the Cybersecurity and 
     Infrastructure Security Agency, shall--
       ``(1) not less frequently than annually, inventory all 
     Federal penetration testing assets; and
       ``(2) develop and maintain a standardized process for the 
     use of penetration testing.

[[Page S907]]

       ``(f) Prioritization of Penetration Testing Resources.--
       ``(1) In general.--The Director, in coordination with the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, shall develop a framework for prioritizing Federal 
     penetration testing resources among agencies.
       ``(2) Considerations.--In developing the framework under 
     this subsection, the Director shall consider--
       ``(A) agency system risk assessments performed under 
     section 3554(a)(1)(A);
       ``(B) the Federal risk assessment performed under section 
     3553(i);
       ``(C) the analysis of Federal incident data performed under 
     section 3597; and
       ``(D) any other information determined appropriate by the 
     Director or the Director of the Cybersecurity and 
     Infrastructure Security Agency.
       ``(g) Exception for National Security Systems.--The 
     guidance issued under subsection (b) shall not apply to 
     national security systems.
       ``(h) Delegation of Authority for Certain Systems.--The 
     authorities of the Director described in subsection (b) shall 
     be delegated--
       ``(1) to the Secretary of Defense in the case of systems 
     described in section 3553(e)(2); and
       ``(2) to the Director of National Intelligence in the case 
     of systems described in 3553(e)(3).''.
       (b) Deadline for Guidance.--Not later than 180 days after 
     the date of enactment of this Act, the Director shall issue 
     the guidance required under section 3559A(b) of title 44, 
     United States Code, as added by subsection (a).
       (c) Clerical Amendment.--The table of sections for chapter 
     35 of title 44, United States Code, is amended by adding 
     after the item relating to section 3559 the following:

``3559A. Federal penetration testing.''.
       (d) Sunset.--
       (1) In general.--Effective on the date that is 10 years 
     after the date of enactment of this Act, subchapter II of 
     chapter 35 of title 44, United States Code, is amended by 
     striking section 3559A.
       (2) Clerical amendment.--Effective on the date that is 10 
     years after the date of enactment of this Act, the table of 
     sections for chapter 35 of title 44, United States Code, is 
     amended by striking the item relating to section 3559A.

     SEC. 112. ONGOING THREAT HUNTING PROGRAM.

       (a) Threat Hunting Program.--
       (1) In general.--Not later than 540 days after the date of 
     enactment of this Act, the Director of the Cybersecurity and 
     Infrastructure Security Agency shall establish a program to 
     provide ongoing, hypothesis-driven threat-hunting services on 
     the network of each agency.
       (2) Plan.--Not later than 180 days after the date of 
     enactment of this Act, the Director of the Cybersecurity and 
     Infrastructure Security Agency shall develop a plan to 
     establish the program required under paragraph (1) that 
     describes how the Director of the Cybersecurity and 
     Infrastructure Security Agency plans to--
       (A) determine the method for collecting, storing, 
     accessing, analyzing, and safeguarding appropriate agency 
     data;
       (B) provide on-premises support to agencies;
       (C) staff threat hunting services;
       (D) allocate available human and financial resources to 
     implement the plan; and
       (E) provide input to the heads of agencies on the use of 
     additional cybersecurity procedures under section 3554 of 
     title 44, United States Code.
       (b) Reports.--The Director of the Cybersecurity and 
     Infrastructure Security Agency shall submit to the 
     appropriate congressional committees--
       (1) not later than 30 days after the date on which the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency completes the plan required under subsection (a)(2), a 
     report on the plan to provide threat hunting services to 
     agencies;
       (2) not less than 30 days before the date on which the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency begins providing threat hunting services under the 
     program under subsection (a)(1), a report providing any 
     updates to the plan developed under subsection (a)(2); and
       (3) not later than 1 year after the date on which the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency begins providing threat hunting services to agencies 
     other than the Cybersecurity and Infrastructure Security 
     Agency, a report describing lessons learned from providing 
     those services.

     SEC. 113. CODIFYING VULNERABILITY DISCLOSURE PROGRAMS.

       (a) In General.--Chapter 35 of title 44, United States 
     Code, is amended by inserting after section 3559A, as added 
     by section 111 of this title, the following:

     ``Sec. 3559B. Federal vulnerability disclosure programs

       ``(a) Purpose; Sense of Congress.--
       ``(1) Purpose.--The purpose of Federal vulnerability 
     disclosure programs is to create a mechanism to use the 
     expertise of the public to provide a service to Federal 
     agencies by identifying information system vulnerabilities.
       ``(2) Sense of congress.--It is the sense of Congress that, 
     in implementing the requirements of this section, the Federal 
     Government should take appropriate steps to reduce real and 
     perceived burdens in communications between agencies and 
     security researchers.
       ``(b) Definitions.--In this section:
       ``(1) Report.--The term `report' means a vulnerability 
     disclosure made to an agency by a reporter.
       ``(2) Reporter.--The term `reporter' means an individual 
     that submits a vulnerability report pursuant to the 
     vulnerability disclosure process of an agency.
       ``(c) Responsibilities of OMB.--
       ``(1) Limitation on legal action.--The Director, in 
     consultation with the Attorney General, shall issue guidance 
     to agencies to not recommend or pursue legal action against a 
     reporter or an individual that conducts a security research 
     activity that the head of the agency determines--
       ``(A) represents a good faith effort to follow the 
     vulnerability disclosure policy of the agency developed under 
     subsection (e)(2); and
       ``(B) is authorized under the vulnerability disclosure 
     policy of the agency developed under subsection (e)(2).
       ``(2) Sharing information with cisa.--The Director, in 
     coordination with the Director of the Cybersecurity and 
     Infrastructure Security Agency and in consultation with the 
     National Cyber Director, shall issue guidance to agencies on 
     sharing relevant information in a consistent, automated, and 
     machine readable manner with the Director of the 
     Cybersecurity and Infrastructure Security Agency, including--
       ``(A) any valid or credible reports of newly discovered or 
     not publicly known vulnerabilities (including 
     misconfigurations) on Federal information systems that use 
     commercial software or services;
       ``(B) information relating to vulnerability disclosure, 
     coordination, or remediation activities of an agency, 
     particularly as those activities relate to outside 
     organizations--
       ``(i) with which the head of the agency believes the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency can assist; or
       ``(ii) about which the head of the agency believes the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency should know; and
       ``(C) any other information with respect to which the head 
     of the agency determines helpful or necessary to involve the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency.
       ``(3) Agency vulnerability disclosure policies.--The 
     Director shall issue guidance to agencies on the required 
     minimum scope of agency systems covered by the vulnerability 
     disclosure policy of an agency required under subsection 
     (e)(2).
       ``(d) Responsibilities of CISA.--The Director of the 
     Cybersecurity and Infrastructure Security Agency shall--
       ``(1) provide support to agencies with respect to the 
     implementation of the requirements of this section;
       ``(2) develop tools, processes, and other mechanisms 
     determined appropriate to offer agencies capabilities to 
     implement the requirements of this section; and
       ``(3) upon a request by an agency, assist the agency in the 
     disclosure to vendors of newly identified vulnerabilities in 
     vendor products and services.
       ``(e) Responsibilities of Agencies.--
       ``(1) Public information.--The head of each agency shall 
     make publicly available, with respect to each internet domain 
     under the control of the agency that is not a national 
     security system--
       ``(A) an appropriate security contact; and
       ``(B) the component of the agency that is responsible for 
     the internet accessible services offered at the domain.
       ``(2) Vulnerability disclosure policy.--The head of each 
     agency shall develop and make publicly available a 
     vulnerability disclosure policy for the agency, which shall--
       ``(A) describe--
       ``(i) the scope of the systems of the agency included in 
     the vulnerability disclosure policy;
       ``(ii) the type of information system testing that is 
     authorized by the agency;
       ``(iii) the type of information system testing that is not 
     authorized by the agency; and
       ``(iv) the disclosure policy of the agency for sensitive 
     information;
       ``(B) with respect to a report to an agency, describe--
       ``(i) how the reporter should submit the report; and
       ``(ii) if the report is not anonymous, when the reporter 
     should anticipate an acknowledgment of receipt of the report 
     by the agency;
       ``(C) include any other relevant information; and
       ``(D) be mature in scope and cover every internet 
     accessible Federal information system used or operated by 
     that agency or on behalf of that agency.
       ``(3) Identified vulnerabilities.--The head of each agency 
     shall incorporate any vulnerabilities reported under 
     paragraph (2) into the vulnerability management process of 
     the agency in order to track and remediate the vulnerability.
       ``(f) Congressional Reporting.--Not later than 90 days 
     after the date of enactment of the Federal Information 
     Security Modernization Act of 2022, and annually thereafter 
     for a 3-year period, the Director of the Cybersecurity and 
     Infrastructure Security Agency, in consultation with the 
     Director, shall provide to the Committee on Homeland Security 
     and Governmental Affairs of the Senate and the Committee on 
     Oversight and Reform of the House of Representatives a 
     briefing on the status of the use of vulnerability disclosure 
     policies under this section at agencies,

[[Page S908]]

     including, with respect to the guidance issued under 
     subsection (c)(3), an identification of the agencies that are 
     compliant and not compliant.
       ``(g) Exemptions.--The authorities and functions of the 
     Director and Director of the Cybersecurity and Infrastructure 
     Security Agency under this section shall not apply to 
     national security systems.
       ``(h) Delegation of Authority for Certain Systems.--The 
     authorities of the Director and the Director of the 
     Cybersecurity and Infrastructure Security Agency described in 
     this section shall be delegated--
       ``(1) to the Secretary of Defense in the case of systems 
     described in section 3553(e)(2); and
       ``(2) to the Director of National Intelligence in the case 
     of systems described in section 3553(e)(3).''.
       (b) Clerical Amendment.--The table of sections for chapter 
     35 of title 44, United States Code, is amended by adding 
     after the item relating to section 3559A, as added by section 
     111, the following:

``3559B. Federal vulnerability disclosure programs.''.
       (c) Sunset.--
       (1) In general.--Effective on the date that is 10 years 
     after the date of enactment of this Act, subchapter II of 
     chapter 35 of title 44, United States Code, is amended by 
     striking section 3559B.
       (2) Clerical amendment.--Effective on the date that is 10 
     years after the date of enactment of this Act, the table of 
     sections for chapter 35 of title 44, United States Code, is 
     amended by striking the item relating to section 3559B.

     SEC. 114. IMPLEMENTING ZERO TRUST ARCHITECTURE.

       (a) Guidance.--Not later than 18 months after the date of 
     enactment of this Act, the Director shall provide an update 
     to the appropriate congressional committees on progress in 
     increasing the internal defenses of agency systems, 
     including--
       (1) shifting away from ``trusted networks'' to implement 
     security controls based on a presumption of compromise;
       (2) implementing principles of least privilege in 
     administering information security programs;
       (3) limiting the ability of entities that cause incidents 
     to move laterally through or between agency systems;
       (4) identifying incidents quickly;
       (5) isolating and removing unauthorized entities from 
     agency systems as quickly as practicable, accounting for 
     intelligence or law enforcement purposes;
       (6) otherwise increasing the resource costs for entities 
     that cause incidents to be successful; and
       (7) a summary of the agency progress reports required under 
     subsection (b).
       (b) Agency Progress Reports.--Not later than 270 days after 
     the date of enactment of this Act, the head of each agency 
     shall submit to the Director a progress report on 
     implementing an information security program based on the 
     presumption of compromise and least privilege principles, 
     which shall include--
       (1) a description of any steps the agency has completed, 
     including progress toward achieving requirements issued by 
     the Director, including the adoption of any models or 
     reference architecture;
       (2) an identification of activities that have not yet been 
     completed and that would have the most immediate security 
     impact; and
       (3) a schedule to implement any planned activities.

     SEC. 115. AUTOMATION REPORTS.

       (a) OMB Report.--Not later than 180 days after the date of 
     enactment of this Act, the Director shall provide to the 
     appropriate congressional committees an update on the use of 
     automation under paragraphs (1), (5)(C), and (8)(B) of 
     section 3554(b) of title 44, United States Code.
       (b) GAO Report.--Not later than 1 year after the date of 
     enactment of this Act, the Comptroller General of the United 
     States shall perform a study on the use of automation and 
     machine readable data across the Federal Government for 
     cybersecurity purposes, including the automated updating of 
     cybersecurity tools, sensors, or processes by agencies.

     SEC. 116. EXTENSION OF FEDERAL ACQUISITION SECURITY COUNCIL 
                   AND SOFTWARE INVENTORY.

       (a) Extension.--Section 1328 of title 41, United States 
     Code, is amended by striking ``the date that'' and all that 
     follows and inserting ``December 31, 2026.''.
       (b) Requirement.--Subsection 1326(b) of title 41, United 
     States Code, is amended--
       (1) in paragraph (5), by striking ``and'' at the end;
       (2) by redesignating paragraph (6) as paragraph (7); and
       (3) by inserting after paragraph (5) the following:
       ``(6) maintaining an up-to-date and accurate inventory of 
     software in use by the agency and, if available and 
     applicable, the components of such software, that can be 
     communicated at the request of the Federal Acquisition 
     Security Council, the National Cyber Director, or the 
     Secretary of Homeland Security, acting through the Director 
     of Cybersecurity and Infrastructure Security Agency; and''.

     SEC. 117. COUNCIL OF THE INSPECTORS GENERAL ON INTEGRITY AND 
                   EFFICIENCY DASHBOARD.

       (a) Dashboard Required.--Section 11(e)(2) of the Inspector 
     General Act of 1978 (5 U.S.C. App.) is amended--
       (1) in subparagraph (A), by striking ``and'' at the end;
       (2) by redesignating subparagraph (B) as subparagraph (C); 
     and
       (3) by inserting after subparagraph (A) the following:
       ``(B) that shall include a dashboard of open information 
     security recommendations identified in the independent 
     evaluations required by section 3555(a) of title 44, United 
     States Code; and''.

     SEC. 118. QUANTITATIVE CYBERSECURITY METRICS.

       (a) Definition of Covered Metrics.--In this section, the 
     term ``covered metrics'' means the metrics established, 
     reviewed, and updated under section 224(c) of the 
     Cybersecurity Act of 2015 (6 U.S.C. 1522(c)).
       (b) Updating and Establishing Metrics.--Not later than 1 
     year after the date of enactment of this Act, and as 
     appropriate thereafter, the Director of the Cybersecurity and 
     Infrastructure Security Agency, in coordination with the 
     Director, shall--
       (1) evaluate any covered metrics established as of the date 
     of enactment of this Act; and
       (2) as appropriate and pursuant to section 224(c) of the 
     Cybersecurity Act of 2015 (6 U.S.C. 1522(c)) update or 
     establish new covered metrics.
       (c) Implementation.--
       (1) In general.--Not later than 540 days after the date of 
     enactment of this Act, the Director, in coordination with the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, shall promulgate guidance that requires each agency 
     to use covered metrics to track trends in the cybersecurity 
     and incident response capabilities of the agency.
       (2) Performance demonstration.--The guidance issued under 
     paragraph (1) and any subsequent guidance shall require 
     agencies to share with the Director of the Cybersecurity and 
     Infrastructure Security Agency data demonstrating the 
     performance of the agency using the covered metrics included 
     in the guidance.
       (3) Penetration tests.--On not less than 2 occasions during 
     the 2-year period following the date on which guidance is 
     promulgated under paragraph (1), the Director shall ensure 
     that not less than 3 agencies are subjected to substantially 
     similar penetration tests, as determined by the Director, in 
     coordination with the Director of the Cybersecurity and 
     Infrastructure Security Agency, in order to validate the 
     utility of the covered metrics.
       (4) Analysis capacity.--The Director of the Cybersecurity 
     and Infrastructure Security Agency shall develop a capability 
     that allows for the analysis of the covered metrics, 
     including cross-agency performance of agency cybersecurity 
     and incident response capability trends.
       (5) Time-based metric.--With respect to the first update 
     or establishment of covered metrics required under subsection 
     (b)(2), the Director of the Cybersecurity and Infrastructure 
     Security Agency shall establish covered metrics that include 
     not less than 1 metric addressing the time it takes for 
     agencies to identify and respond to incidents.
       (d) Congressional Reports.--Not later than 1 year after the 
     date of enactment of this Act, the Director of the 
     Cybersecurity and Infrastructure Security Agency, in 
     coordination with the Director, shall submit to the 
     appropriate congressional committees a report on the utility 
     and use of the covered metrics.

     SEC. 119. ESTABLISHMENT OF RISK-BASED BUDGET MODEL.

       (a) Definitions.--In this section:
       (1) Appropriate congressional committees.--The term 
     ``appropriate congressional committees'' means--
       (A) the Committee on Homeland Security and Governmental 
     Affairs and the Committee on Appropriations of the Senate; 
     and
       (B) the Committee on Oversight and Reform, the Committee on 
     Homeland Security, and the Committee on Appropriations of the 
     House of Representatives.
       (2) Covered agency.--The term ``covered agency'' has the 
     meaning given the term ``executive agency'' in section 133 of 
     title 41, United States Code.
       (3) Director.--The term ``Director'' means the Director of 
     the Office of Management and Budget.
       (4) Information technology.--The term ``information 
     technology''--
       (A) has the meaning given the term in section 11101 of 
     title 40, United States Code; and
       (B) includes the hardware and software systems of a Federal 
     agency that monitor and control physical equipment and 
     processes of the Federal agency.
       (5) Risk-based budget.--The term ``risk-based budget'' 
     means a budget--
       (A) developed by identifying and prioritizing cybersecurity 
     risks and vulnerabilities, including impact on agency 
     operations in the case of a cyber attack, through analysis of 
     cyber threat intelligence, incident data, and tactics, 
     techniques, procedures, and capabilities of cyber threats; 
     and
       (B) that allocates resources based on the risks identified 
     and prioritized under subparagraph (A).
       (b) Establishment of Risk-based Budget Model.--
       (1) In general.--
       (A) Model.--Not later than 1 year after the first 
     publication of the budget submitted by the President under 
     section 1105 of title 31,
     United States Code, following the date of enactment of this 
     Act, the Director, in consultation with the Director of the 
     Cybersecurity and Infrastructure Security Agency and the 
     National Cyber Director and in coordination with the Director 
     of the National Institute of Standards and Technology, shall 
     develop a standard model for informing a risk-based budget 
     for cybersecurity spending.
       (B) Responsibility of director.--Section 3553(a) of title 
     44, United States Code, as amended by section 103 of this 
     title, is further amended by inserting after paragraph (6) 
     the following:
       ``(7) developing a standard risk-based budget model to 
     inform Federal agency cybersecurity budget development; 
     and''.
       (C) Contents of model.--The model required to be developed 
     under subparagraph (A) shall utilize appropriate information 
     to evaluate risk, including, as determined appropriate by the 
     Director--
       (i) Federal and non-Federal cyber threat intelligence 
     products, where available, to identify threats, 
     vulnerabilities, and risks;
       (ii) analysis of the impact on agency operations of 
     compromise of systems, including the interconnectivity to 
     other agency systems and the operations of other agencies; 
     and
       (iii) to the greatest extent practicable, analysis of where 
     resources should be allocated to have the greatest impact on 
     mitigating current and future threats and current and future 
     cybersecurity capabilities.
       (D) Use of model.--The model required to be developed under 
     subparagraph (A) shall be used to--
       (i) inform acquisition and sustainment of--

       (I) information technology and cybersecurity tools;
       (II) information technology and cybersecurity 
     architectures;
       (III) information technology and cybersecurity personnel; 
     and
       (IV) cybersecurity and information technology concepts of 
     operations; and

       (ii) evaluate and inform Government-wide cybersecurity 
     programs.
       (E) Model variation.--The Director may develop multiple 
     models under subparagraph (A) based on different agency 
     characteristics, such as size or cybersecurity maturity.
       (F) Required updates.--Not less frequently than once every 
     3 years, the Director shall review, and update as necessary, 
     the model required to be developed under subparagraph (A).
       (G) Publication.--Not earlier than 5 years after the date 
     on which the model developed under subparagraph (A) is 
     completed, the Director shall, taking into account any 
     classified or sensitive information, publish the model, and 
     any updates necessary under subparagraph (F), on the public 
     website of the Office of Management and Budget.
       (H) Reports.--Not later than 2 years after the first 
     publication of the budget submitted by the President under 
     section 1105 of title 31, United States Code, following the 
     date of enactment of this Act, and annually thereafter for 
     each of the 2 following fiscal years or until the date on 
     which the model required to be developed under subparagraph 
     (A) is completed, whichever is sooner, the Director shall 
     submit to the appropriate congressional committees a report 
     on the development of the model.
       (2) Phased implementation of risk-based budget model.--
       (A) Initial phase.--
       (i) In general.--Not later than 2 years after the date on 
     which the model developed under paragraph (1) is completed, 
     the Director shall require not less than 5 covered agencies 
     to use the model to inform the development of the annual 
     cybersecurity and information technology budget requests of 
     those covered agencies.
       (ii) Briefing.--Not later than 1 year after the date on 
     which the covered agencies selected under clause (i) begin 
     using the model developed under paragraph (1), the Director 
     shall provide to the appropriate congressional committees a 
     briefing on implementation of risk-based budgeting for 
     cybersecurity spending, an assessment of agency 
     implementation, and an evaluation of whether the risk-based 
     budget helps to mitigate cybersecurity vulnerabilities.
       (B) Full deployment.--Not later than 5 years after the date 
     on which the model developed under paragraph (1) is 
     completed, the head of each covered agency shall use the 
     model, or any updated model pursuant to paragraph (1)(F), to 
     the greatest extent practicable, to inform the development of 
     the annual cybersecurity and information technology budget 
     requests of the covered agency.
       (C) Agency performance plans.--
       (i) Amendment.--Section 3554(d)(2) of title 44, United 
     States Code, is amended by inserting ``and the risk-based 
     budget model required under section 3553(a)(7)'' after 
     ``paragraph (1)''.
       (ii) Effective date.--The amendment made by clause (i) 
     shall take effect on the date that is 5 years after the date 
     on which the model developed under paragraph (1) is 
     completed.
       (3) Verification.--
       (A) In general.--Section 1105(a)(35)(A)(i) of title 31, 
     United States Code, is amended--
       (i) in the matter preceding subclause (I), by striking ``by 
     agency, and by initiative area (as determined by the 
     administration)'' and inserting ``and by agency'';
       (ii) in subclause (III), by striking ``and'' at the end; 
     and
       (iii) by adding at the end the following:

       ``(V) a validation that the budgets submitted were informed 
     by using a risk-based methodology; and
       ``(VI) a report on the progress of each agency on closing 
     recommendations identified under the independent evaluation 
     required by section 3555(a)(1) of title 44.''.

       (B) Effective date.--The amendments made by subparagraph 
     (A) shall take effect on the date that is 5 years after the 
     date on which the model developed under paragraph (1) is 
     completed.
       (4) Reports.--
       (A) Independent evaluation.--Section 3555(a)(2) of title 
     44, United States Code, is amended--
       (i) in subparagraph (B), by striking ``and'' at the end;
       (ii) in subparagraph (C), by striking the period at the end 
     and inserting ``; and''; and
       (iii) by adding at the end the following:
       ``(D) an assessment of how the agency was informed by the 
     risk-based budget model required under section 3553(a)(7) and 
     an evaluation of whether the model mitigates agency cyber 
     vulnerabilities.''.
       (B) Assessment.--
       (i) Amendment.--Section 3553(c) of title 44, United States 
     Code, as amended by section 103 of this title, is further 
     amended by inserting after paragraph (5) the following:
       ``(6) an assessment of--
       ``(A) Federal agency utilization of the model required 
     under subsection (a)(7); and
       ``(B) whether the model mitigates the cyber vulnerabilities 
     of the Federal Government.''.
       (ii) Effective date.--The amendment made by clause (i) 
     shall take effect on the date that is 5 years after the date 
     on which the model developed under paragraph (1) is 
     completed.
       (5) GAO report.--Not later than 3 years after the date on 
     which the first budget of the President is submitted to 
     Congress containing the validation required under section 
     1105(a)(35)(A)(i)(V) of title 31, United States Code, as 
     amended by paragraph (3), the Comptroller General of the 
     United States shall submit to the appropriate congressional 
     committees a report that includes--
       (A) an evaluation of the success of covered agencies in 
     utilizing the risk-based budget model;
       (B) an evaluation of the success of covered agencies in 
     implementing risk-based budgets;
       (C) an evaluation of whether the risk-based budgets 
     developed by covered agencies are effective at informing 
     Federal Government-wide cybersecurity programs; and
       (D) any other information relating to risk-based budgets 
     the Comptroller General determines appropriate.

     SEC. 120. ACTIVE CYBER DEFENSIVE STUDY.

       (a) Definition.--In this section, the term ``active defense 
     technique''--
       (1) means an action taken on the systems of an entity to 
     increase the security of information on the network of an 
     agency by misleading an adversary; and
       (2) includes a honeypot, deception, or purposefully feeding 
     false or misleading data to an adversary when the adversary 
     is on the systems of the entity.
       (b) Study.--Not later than 180 days after the date of 
     enactment of this Act, the Director of the Cybersecurity and 
     Infrastructure Security Agency, in coordination with the 
     Director and the National Cyber Director, shall perform a 
     study on the use of active defense techniques to enhance the 
     security of agencies, which shall include--
       (1) a review of legal restrictions on the use of different 
     active cyber defense techniques in Federal environments, in 
     consultation with the Department of Justice;
       (2) an evaluation of--
       (A) the efficacy of a selection of active defense 
     techniques determined by the Director of the Cybersecurity 
     and Infrastructure Security Agency; and
       (B) factors that impact the efficacy of the active defense 
     techniques evaluated under subparagraph (A);
       (3) recommendations on safeguards and procedures that shall 
     be established to require that active defense techniques are 
     adequately coordinated to ensure that active defense 
     techniques do not impede agency operations and mission 
     delivery, threat response efforts, criminal investigations, 
     and national security activities, including intelligence 
     collection; and
       (4) the development of a framework for the use of different 
     active defense techniques by agencies.

     SEC. 121. SECURITY OPERATIONS CENTER AS A SERVICE PILOT.

       (a) Purpose.--The purpose of this section is for the 
     Cybersecurity and Infrastructure Security Agency to run a 
     security operations center on behalf of another agency, 
     alleviating the need to duplicate this function at every 
     agency, and empowering a greater centralized cybersecurity 
     capability.
       (b) Plan.--Not later than 1 year after the date of 
     enactment of this Act, the Director of the Cybersecurity and 
     Infrastructure Security Agency shall develop a plan to 
     establish a centralized Federal security operations center 
     shared service offering within the Cybersecurity and 
     Infrastructure Security Agency.
       (c) Contents.--The plan required under subsection (b) shall 
     include considerations for--
       (1) collecting, organizing, and analyzing agency 
     information system data in real time;
       (2) staffing and resources; and
       (3) appropriate interagency agreements, concepts of 
     operations, and governance plans.
       (d) Pilot Program.--
       (1) In general.--Not later than 180 days after the date on 
     which the plan required under subsection (b) is developed, 
     the Director of the Cybersecurity and Infrastructure Security 
     Agency, in consultation with the Director, shall enter into a 
     1-year agreement with not less than 2 agencies to offer a 
     security operations center as a shared service.
       (2) Additional agreements.--After the date on which the 
     briefing required under subsection (e)(1) is provided, the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, in consultation with the Director, may enter into 
     additional 1-year agreements described in paragraph (1) with 
     agencies.
       (e) Briefing and Report.--
       (1) Briefing.--Not later than 270 days after the date of 
     enactment of this Act, the Director of the Cybersecurity and 
     Infrastructure Security Agency shall provide to the Committee 
     on Homeland Security and Governmental Affairs of the Senate 
     and the Committee on Homeland Security and the Committee on 
     Oversight and Reform of the House of Representatives a 
     briefing on the parameters of any 1-year agreements entered 
     into under subsection (d)(1).
       (2) Report.--Not later than 90 days after the date on which 
     the first 1-year agreement entered into under subsection (d) 
     expires, the Director of the Cybersecurity and Infrastructure 
     Security Agency shall submit to the Committee on Homeland 
     Security and Governmental Affairs of the Senate and the 
     Committee on Homeland Security and the Committee on Oversight 
     and Reform of the House of Representatives a report on--
       (A) the agreement; and
       (B) any additional agreements entered into with agencies 
     under subsection (d).

     SEC. 122. EXTENSION OF CHIEF DATA OFFICER COUNCIL.

       Section 3520A(e)(2) of title 44, United States Code, is 
     amended by striking ``upon the expiration of the 2-year 
     period that begins on the date the Comptroller General 
     submits the report under paragraph (1) to Congress'' and 
     inserting ``January 31, 2030''.

     SEC. 123. FEDERAL CYBERSECURITY REQUIREMENTS.

       (a) Exemption From Federal Requirements.--Section 225(b)(2) 
     of the Federal Cybersecurity Enhancement Act of 2015 (6 
     U.S.C. 1523(b)(2)) is amended to read as follows:
       ``(2) Exception.--
       ``(A) In general.--A particular requirement under paragraph 
     (1) shall not apply to an agency information system of an 
     agency if--
       ``(i) with respect to the agency information system, the 
     head of the agency submits to the Director an application for 
     an exemption from the particular requirement, in which the 
     head of the agency personally certifies to the Director with 
     particularity that--

       ``(I) operational requirements articulated in the 
     certification and related to the agency information system 
     would make it excessively burdensome to implement the 
     particular requirement;
       ``(II) the particular requirement is not necessary to 
     secure the agency information system or agency information 
     stored on or transiting the agency information system; and
       ``(III) the agency has taken all necessary steps to secure 
     the agency information system and agency information stored 
     on or transiting the agency information system;

       ``(ii) the head of the agency or the designee of the head 
     of the agency has submitted the certification described in 
     clause (i) to the appropriate congressional committees and 
     any other congressional committee with jurisdiction over the 
     agency; and
       ``(iii) the Director grants the exemption from the 
     particular requirement.
       ``(B) Duration of exemption.--
       ``(i) In general.--An exemption granted under subparagraph 
     (A) shall expire on the date that is 1 year after the date on 
     which the Director granted the exemption.
       ``(ii) Renewal.--Upon the expiration of an exemption 
     granted to an agency under subparagraph (A), the head of the 
     agency may apply for an additional exemption.''.
       (b) Report on Exemptions.--Section 3554(c)(1) of title 44, 
     United States Code, as amended by section 103(c) of this 
     title, is amended--
       (1) in subparagraph (C), by striking ``and'' at the end;
       (2) in subparagraph (D), by striking the period at the end 
     and inserting ``; and''; and
       (3) by adding at the end the following:
       ``(E) with respect to any exemption the Director of the 
     Office of Management and Budget has granted the agency under 
     section 225(b)(2) of the Federal Cybersecurity Enhancement 
     Act of 2015 (6 U.S.C. 1523(b)(2)) that is effective on the 
     date of submission of the report--
       ``(i) an identification of each particular requirement from 
     which any agency information system (as defined in section 
     2210 of the Homeland Security Act of 2002 (6 U.S.C. 660)) is 
     exempted; and
       ``(ii) for each requirement identified under clause (i)--

       ``(I) an identification of the agency information system 
     described in clause (i) exempted from the requirement; and
       ``(II) an estimate of the date on which the agency will be 
     able to comply with the requirement.''.

       (c) Effective Date.--The amendments made by this section 
     shall take effect on the date that is 1 year after the date 
     of enactment of this Act.

 TITLE II--CYBER INCIDENT REPORTING FOR CRITICAL INFRASTRUCTURE ACT OF 
                                  2022

     SEC. 201. SHORT TITLE.

       This title may be cited as the ``Cyber Incident Reporting 
     for Critical Infrastructure Act of 2022''.

     SEC. 202. DEFINITIONS.

       In this title:
       (1) Covered cyber incident; covered entity; cyber incident; 
     information system; ransom payment; ransomware attack; 
     security vulnerability.--The terms ``covered cyber 
     incident'', ``covered entity'', ``cyber incident'', 
     ``information system'', ``ransom payment'', ``ransomware 
     attack'', and ``security vulnerability'' have the meanings 
     given those terms in section 2240 of the Homeland Security 
     Act of 2002, as added by section 203 of this title.
       (2) Director.--The term ``Director'' means the Director of 
     the Cybersecurity and Infrastructure Security Agency.

     SEC. 203. CYBER INCIDENT REPORTING.

       (a) Cyber Incident Reporting.--Title XXII of the Homeland 
     Security Act of 2002 (6 U.S.C. 651 et seq.) is amended--
       (1) in section 2209(c) (6 U.S.C. 659(c))--
       (A) in paragraph (11), by striking ``; and'' and inserting 
     a semicolon;
       (B) in paragraph (12), by striking the period at the end 
     and inserting ``; and''; and
       (C) by adding at the end the following:
       ``(13) receiving, aggregating, and analyzing reports 
     related to covered cyber incidents (as defined in section 
     2240) submitted by covered entities (as defined in section 
     2240) and reports related to ransom payments (as defined in 
     section 2240) submitted by covered entities (as defined in 
     section 2240) in furtherance of the activities specified in 
     sections 2202(e), 2203, and 2241, this subsection, and any 
     other authorized activity of the Director, to enhance the 
     situational awareness of cybersecurity threats across 
     critical infrastructure sectors.''; and
       (2) by adding at the end the following:

                 ``Subtitle D--Cyber Incident Reporting

     ``SEC. 2240. DEFINITIONS.

       ``In this subtitle:
       ``(1) Center.--The term `Center' means the center 
     established under section 2209.
       ``(2) Cloud service provider.--The term `cloud service 
     provider' means an entity offering products or services 
     related to cloud computing, as defined by the National 
     Institute of Standards and Technology in NIST Special 
     Publication 800-145 and any amendatory or superseding 
     document relating thereto.
       ``(3) Council.--The term `Council' means the Cyber Incident 
     Reporting Council described in section 2246.
       ``(4) Covered cyber incident.--The term `covered cyber 
     incident' means a substantial cyber incident experienced by a 
     covered entity that satisfies the definition and criteria 
     established by the Director in the final rule issued pursuant 
     to section 2242(b).
       ``(5) Covered entity.--The term `covered entity' means an 
     entity in a critical infrastructure sector, as defined in 
     Presidential Policy Directive 21, that satisfies the 
     definition established by the Director in the final rule 
     issued pursuant to section 2242(b).
       ``(6) Cyber incident.--The term `cyber incident'--
       ``(A) has the meaning given the term `incident' in section 
     2209; and
       ``(B) does not include an occurrence that imminently, but 
     not actually, jeopardizes--
       ``(i) information on information systems; or
       ``(ii) information systems.
       ``(7) Cyber threat.--The term `cyber threat' has the 
     meaning given the term `cybersecurity threat' in section 
     2201.
       ``(8) Cyber threat indicator; cybersecurity purpose; 
     defensive measure; federal entity; security vulnerability.--
     The terms `cyber threat indicator', `cybersecurity purpose', 
     `defensive measure', `Federal entity', and `security 
     vulnerability' have the meanings given those terms in section 
     102 of the Cybersecurity Act of 2015 (6 U.S.C. 1501).
       ``(9) Incident; sharing.--The terms `incident' and 
     `sharing' have the meanings given those terms in section 
     2209.
       ``(10) Information sharing and analysis organization.--The 
     term `Information Sharing and Analysis Organization' has the 
     meaning given the term in section 2222.
       ``(11) Information system.--The term `information system'--
       ``(A) has the meaning given the term in section 3502 of 
     title 44, United States Code; and
       ``(B) includes industrial control systems, such as 
     supervisory control and data acquisition systems, distributed 
     control systems, and programmable logic controllers.
       ``(12) Managed service provider.--The term `managed service 
     provider' means an entity that delivers services, such as 
     network, application, infrastructure, or security services, 
     via ongoing and regular support and active administration on 
     the premises of a customer, in the data center of the entity 
     (such as hosting), or in a third party data center.
       ``(13) Ransom payment.--The term `ransom payment' means the 
     transmission of any money or other property or asset, 
     including virtual currency, or any portion thereof,
     which has at any time been delivered as ransom in connection 
     with a ransomware attack.
       ``(14) Ransomware attack.--The term `ransomware attack'--
       ``(A) means an incident that includes the use or threat of 
     use of unauthorized or malicious code on an information 
     system, or the use or threat of use of another digital 
     mechanism such as a denial of service attack, to interrupt or 
     disrupt the operations of an information system or compromise 
     the confidentiality, availability, or integrity of electronic 
     data stored on, processed by, or transiting an information 
     system to extort a demand for a ransom payment; and
       ``(B) does not include any such event where the demand for 
     payment is--
       ``(i) not genuine; or
       ``(ii) made in good faith by an entity in response to a 
     specific request by the owner or operator of the information 
     system.
       ``(15) Sector risk management agency.--The term `Sector 
     Risk Management Agency' has the meaning given the term in 
     section 2201.
       ``(16) Significant cyber incident.--The term `significant 
     cyber incident' means a cyber incident, or a group of related 
     cyber incidents, that the Secretary determines is likely to 
     result in demonstrable harm to the national security 
     interests, foreign relations, or economy of the United States 
     or to the public confidence, civil liberties, or public 
     health and safety of the people of the United States.
       ``(17) Supply chain compromise.--The term `supply chain 
     compromise' means an incident within the supply chain of an 
     information system that an adversary can leverage or does 
     leverage to jeopardize the confidentiality, integrity, or 
     availability of the information system or the information the 
     system processes, stores, or transmits, and can occur at any 
     point during the life cycle.
       ``(18) Virtual currency.--The term `virtual currency' means 
     the digital representation of value that functions as a 
     medium of exchange, a unit of account, or a store of value.
       ``(19) Virtual currency address.--The term `virtual 
     currency address' means a unique public cryptographic key 
     identifying the location to which a virtual currency payment 
     can be made.

     ``SEC. 2241. CYBER INCIDENT REVIEW.

       ``(a) Activities.--The Center shall--
       ``(1) receive, aggregate, analyze, and secure, using 
     processes consistent with the processes developed pursuant to 
     the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 
     1501 et seq.) reports from covered entities related to a 
     covered cyber incident to assess the effectiveness of 
     security controls, identify tactics, techniques, and 
     procedures adversaries use to overcome those controls and 
     other cybersecurity purposes, including to assess potential 
     impact of cyber incidents on public health and safety and to 
     enhance situational awareness of cyber threats across 
     critical infrastructure sectors;
       ``(2) coordinate and share information with appropriate 
     Federal departments and agencies to identify and track ransom 
     payments, including those utilizing virtual currencies;
       ``(3) leverage information gathered about cyber incidents 
     to--
       ``(A) enhance the quality and effectiveness of information 
     sharing and coordination efforts with appropriate entities, 
     including agencies, sector coordinating councils, Information 
     Sharing and Analysis Organizations, State, local, Tribal, and 
     territorial governments, technology providers, critical 
     infrastructure owners and operators, cybersecurity and cyber 
     incident response firms, and security researchers; and
       ``(B) provide appropriate entities, including sector 
     coordinating councils, Information Sharing and Analysis 
     Organizations, State, local, Tribal, and territorial 
     governments, technology providers, cybersecurity and cyber 
     incident response firms, and security researchers, with 
     timely, actionable, and anonymized reports of cyber incident 
     campaigns and trends, including, to the maximum extent 
     practicable, related contextual information, cyber threat 
     indicators, and defensive measures, pursuant to section 2245;
       ``(4) establish mechanisms to receive feedback from 
     stakeholders on how the Agency can most effectively receive 
     covered cyber incident reports, ransom payment reports, and 
     other voluntarily provided information, and how the Agency 
     can most effectively support private sector cybersecurity;
       ``(5) facilitate the timely sharing, on a voluntary basis, 
     between relevant critical infrastructure owners and operators 
     of information relating to covered cyber incidents and ransom 
     payments, particularly with respect to ongoing cyber threats 
     or security vulnerabilities and identify and disseminate ways 
     to prevent or mitigate similar cyber incidents in the future;
       ``(6) for a covered cyber incident, including a ransomware 
     attack, that also satisfies the definition of a significant 
     cyber incident, or is part of a group of related cyber 
     incidents that together satisfy such definition, conduct a 
     review of the details surrounding the covered cyber incident 
     or group of those incidents and identify and disseminate ways 
     to prevent or mitigate similar incidents in the future;
       ``(7) with respect to covered cyber incident reports under 
     section 2242(a) and 2243 involving an ongoing cyber threat or 
     security vulnerability, immediately review those reports for 
     cyber threat indicators that can be anonymized and 
     disseminated, with defensive measures, to appropriate 
     stakeholders, in coordination with other divisions within the 
     Agency, as appropriate;
       ``(8) publish quarterly unclassified, public reports that 
     describe aggregated, anonymized observations, findings, and 
     recommendations based on covered cyber incident reports, 
     which may be based on the unclassified information contained 
     in the briefings required under subsection (c);
       ``(9) proactively identify opportunities, consistent with 
     the protections in section 2245, to leverage and utilize data 
     on cyber incidents in a manner that enables and strengthens 
     cybersecurity research carried out by academic institutions 
     and other private sector organizations, to the greatest 
     extent practicable; and
       ``(10) in accordance with section 2245 and subsection (b) 
     of this section, as soon as possible but not later than 24 
     hours after receiving a covered cyber incident report, ransom 
     payment report, voluntarily submitted information pursuant to 
     section 2243, or information received pursuant to a request 
     for information or subpoena under section 2244, make 
     available the information to appropriate Sector Risk 
     Management Agencies and other appropriate Federal agencies.
       ``(b) Interagency Sharing.--The President or a designee of 
     the President--
       ``(1) may establish a specific time requirement for sharing 
     information under subsection (a)(11); and
       ``(2) shall determine the appropriate Federal agencies 
     under subsection (a)(11).
       ``(c) Periodic Briefing.--Not later than 60 days after the 
     effective date of the final rule required under section 
     2242(b), and on the first day of each month thereafter, the 
     Director, in consultation with the National Cyber Director, 
     the Attorney General, and the Director of National 
     Intelligence, shall provide to the majority leader of the 
     Senate, the minority leader of the Senate, the Speaker of the 
     House of Representatives, the minority leader of the House of 
     Representatives, the Committee on Homeland Security and 
     Governmental Affairs of the Senate, and the Committee on 
     Homeland Security of the House of Representatives a briefing 
     that characterizes the national cyber threat landscape, 
     including the threat facing Federal agencies and covered 
     entities, and applicable intelligence and law enforcement 
     information, covered cyber incidents, and ransomware attacks, 
     as of the date of the briefing, which shall--
       ``(1) include the total number of reports submitted under 
     sections 2242 and 2243 during the preceding month, including 
     a breakdown of required and voluntary reports;
       ``(2) include any identified trends in covered cyber 
     incidents and ransomware attacks over the course of the 
     preceding month and as compared to previous reports, 
     including any trends related to the information collected in 
     the reports submitted under sections 2242 and 2243, 
     including--
       ``(A) the infrastructure, tactics, and techniques malicious 
     cyber actors commonly use; and
       ``(B) intelligence gaps that have impeded, or currently are 
     impeding, the ability to counter covered cyber incidents and 
     ransomware threats;
       ``(3) include a summary of the known uses of the 
     information in reports submitted under sections 2242 and 
     2243; and
       ``(4) include an unclassified portion, but may include a 
     classified component.

     ``SEC. 2242. REQUIRED REPORTING OF CERTAIN CYBER INCIDENTS.

       ``(a) In General.--
       ``(1) Covered cyber incident reports.--
       ``(A) In general.--A covered entity that experiences a 
     covered cyber incident shall report the covered cyber 
     incident to the Agency not later than 72 hours after the 
     covered entity reasonably believes that the covered cyber 
     incident has occurred.
       ``(B) Limitation.--The Director may not require reporting 
     under subparagraph (A) any earlier than 72 hours after the 
     covered entity reasonably believes that a covered cyber 
     incident has occurred.
       ``(2) Ransom payment reports.--
       ``(A) In general.--A covered entity that makes a ransom 
     payment as the result of a ransomware attack against the 
     covered entity shall report the payment to the Agency not 
     later than 24 hours after the ransom payment has been made.
       ``(B) Application.--The requirements under subparagraph (A) 
     shall apply even if the ransomware attack is not a covered 
     cyber incident subject to the reporting requirements under 
     paragraph (1).
       ``(3) Supplemental reports.--A covered entity shall 
     promptly submit to the Agency an update or supplement to a 
     previously submitted covered cyber incident report if 
     substantial new or different information becomes available or 
     if the covered entity makes a ransom payment after submitting 
     a covered cyber incident report required under paragraph (1), 
     until such date that such covered entity notifies the Agency 
     that the covered cyber incident at issue has concluded and 
     has been fully mitigated and resolved.
       ``(4) Preservation of information.--Any covered entity 
     subject to requirements of paragraph (1), (2), or (3) shall 
     preserve data relevant to the covered cyber incident or 
     ransom payment in accordance with procedures established in 
     the final rule issued pursuant to subsection (b).
       ``(5) Exceptions.--
       ``(A) Reporting of covered cyber incident with ransom 
     payment.--If a covered entity is the victim of a covered 
     cyber incident and makes a ransom payment prior to

[[Page S912]]

     the 72 hour requirement under paragraph (1), such that the 
     reporting requirements under paragraphs (1) and (2) both 
     apply, the covered entity may submit a single report to 
     satisfy the requirements of both paragraphs in accordance 
     with procedures established in the final rule issued pursuant 
     to subsection (b).
       ``(B) Substantially similar reported information.--
       ``(i) In general.--Subject to the limitation described in 
     clause (ii), where the Agency has an agreement in place that 
     satisfies the requirements of section 4(a) of the Cyber 
     Incident Reporting for Critical Infrastructure Act of 2022, 
     the requirements under paragraphs (1), (2), and (3) shall not 
     apply to a covered entity required by law, regulation, or 
     contract to report substantially similar information to 
     another Federal agency within a substantially similar 
     timeframe.
       ``(ii) Limitation.--The exemption in clause (i) shall take 
     effect with respect to a covered entity once an agency 
     agreement and sharing mechanism is in place between the 
     Agency and the respective Federal agency, pursuant to section 
     4(a) of the Cyber Incident Reporting for Critical 
     Infrastructure Act of 2022.
       ``(iii) Rules of construction.--Nothing in this paragraph 
     shall be construed to--

       ``(I) exempt a covered entity from the reporting 
     requirements under paragraph (3) unless the supplemental 
     report also meets the requirements of clauses (i) and (ii) of 
     this paragraph;
       ``(II) prevent the Agency from contacting an entity 
     submitting information to another Federal agency that is 
     provided to the Agency pursuant to section 4 of the Cyber 
     Incident Reporting for Critical Infrastructure Act of 2022; 
     or
       ``(III) prevent an entity from communicating with the 
     Agency.

       ``(C) Domain name system.--The requirements under 
     paragraphs (1), (2) and (3) shall not apply to a covered 
     entity or the functions of a covered entity that the Director 
     determines constitute critical infrastructure owned, 
     operated, or governed by multi-stakeholder organizations that 
     develop, implement, and enforce policies concerning the 
     Domain Name System, such as the Internet Corporation for 
     Assigned Names and Numbers or the Internet Assigned Numbers 
     Authority.
       ``(6) Manner, timing, and form of reports.--Reports made 
     under paragraphs (1), (2), and (3) shall be made in the 
     manner and form, and within the time period in the case of 
     reports made under paragraph (3), prescribed in the final 
     rule issued pursuant to subsection (b).
       ``(7) Effective date.--Paragraphs (1) through (4) shall 
     take effect on the dates prescribed in the final rule issued 
     pursuant to subsection (b).
       ``(b) Rulemaking.--
       ``(1) Notice of proposed rulemaking.--Not later than 24 
     months after the date of enactment of this section, the 
     Director, in consultation with Sector Risk Management 
     Agencies, the Department of Justice, and other Federal 
     agencies, shall publish in the Federal Register a notice of 
     proposed rulemaking to implement subsection (a).
       ``(2) Final rule.--Not later than 18 months after 
     publication of the notice of proposed rulemaking under 
     paragraph (1), the Director shall issue a final rule to 
     implement subsection (a).
       ``(3) Subsequent rulemakings.--
       ``(A) In general.--The Director is authorized to issue 
     regulations to amend or revise the final rule issued pursuant 
     to paragraph (2).
       ``(B) Procedures.--Any subsequent rules issued under 
     subparagraph (A) shall comply with the requirements under 
     chapter 5 of title 5, United States Code, including the 
     issuance of a notice of proposed rulemaking under section 553 
     of such title.
       ``(c) Elements.--The final rule issued pursuant to 
     subsection (b) shall be composed of the following elements:
       ``(1) A clear description of the types of entities that 
     constitute covered entities, based on--
       ``(A) the consequences that disruption to or compromise of 
     such an entity could cause to national security, economic 
     security, or public health and safety;
       ``(B) the likelihood that such an entity may be targeted by 
     a malicious cyber actor, including a foreign country; and
       ``(C) the extent to which damage, disruption, or 
     unauthorized access to such an entity, including the 
     accessing of sensitive cybersecurity vulnerability 
     information or penetration testing tools or techniques, will 
     likely enable the disruption of the reliable operation of 
     critical infrastructure.
       ``(2) A clear description of the types of substantial cyber 
     incidents that constitute covered cyber incidents, which 
     shall--
       ``(A) at a minimum, require the occurrence of--
       ``(i) a cyber incident that leads to substantial loss of 
     confidentiality, integrity, or availability of such 
     information system or network, or a serious impact on the 
     safety and resiliency of operational systems and processes;
       ``(ii) a disruption of business or industrial operations, 
     including due to a denial of service attack, ransomware 
     attack, or exploitation of a zero day vulnerability, against

       ``(I) an information system or network; or
       ``(II) an operational technology system or process; or

       ``(iii) unauthorized access or disruption of business or 
     industrial operations due to loss of service facilitated 
     through, or caused by, a compromise of a cloud service 
     provider, managed service provider, or other third-party data 
     hosting provider or by a supply chain compromise;
       ``(B) consider--
       ``(i) the sophistication or novelty of the tactics used to 
     perpetrate such a cyber incident, as well as the type, 
     volume, and sensitivity of the data at issue;
       ``(ii) the number of individuals directly or indirectly 
     affected or potentially affected by such a cyber incident; 
     and
       ``(iii) potential impacts on industrial control systems, 
     such as supervisory control and data acquisition systems, 
     distributed control systems, and programmable logic 
     controllers; and
       ``(C) exclude--
       ``(i) any event where the cyber incident is perpetrated in 
     good faith by an entity in response to a specific request by 
     the owner or operator of the information system; and
       ``(ii) the threat of disruption as extortion, as described 
     in section 2240(14)(A).
       ``(3) A requirement that, if a covered cyber incident or a 
     ransom payment occurs following an exempted threat described 
     in paragraph (2)(C)(ii), the covered entity shall comply with 
     the requirements in this subtitle in reporting the covered 
     cyber incident or ransom payment.
       ``(4) A clear description of the specific required contents 
     of a report pursuant to subsection (a)(1), which shall 
     include the following information, to the extent applicable 
     and available, with respect to a covered cyber incident:
       ``(A) A description of the covered cyber incident, 
     including--
       ``(i) identification and a description of the function of 
     the affected information systems, networks, or devices that 
     were, or are reasonably believed to have been, affected by 
     such cyber incident;
       ``(ii) a description of the unauthorized access with 
     substantial loss of confidentiality, integrity, or 
     availability of the affected information system or network or 
     disruption of business or industrial operations;
       ``(iii) the estimated date range of such incident; and
       ``(iv) the impact to the operations of the covered entity.
       ``(B) Where applicable, a description of the 
     vulnerabilities exploited and the security defenses that were 
     in place, as well as the tactics, techniques, and procedures 
     used to perpetrate the covered cyber incident.
       ``(C) Where applicable, any identifying or contact 
     information related to each actor reasonably believed to be 
     responsible for such cyber incident.
       ``(D) Where applicable, identification of the category or 
     categories of information that were, or are reasonably 
     believed to have been, accessed or acquired by an 
     unauthorized person.
       ``(E) The name and other information that clearly 
     identifies the covered entity impacted by the covered cyber 
     incident, including, as applicable, the State of 
     incorporation or formation of the covered entity, trade 
     names, legal names, or other identifiers.
       ``(F) Contact information, such as telephone number or 
     electronic mail address, that the Agency may use to contact 
     the covered entity or an authorized agent of such covered 
     entity, or, where applicable, the service provider of such 
     covered entity acting with the express permission of, and at 
     the direction of, the covered entity to assist with 
     compliance with the requirements of this subtitle.
       ``(5) A clear description of the specific required contents 
     of a report pursuant to subsection (a)(2), which shall be the 
     following information, to the extent applicable and 
     available, with respect to a ransom payment:
       ``(A) A description of the ransomware attack, including the 
     estimated date range of the attack.
       ``(B) Where applicable, a description of the 
     vulnerabilities, tactics, techniques, and procedures used to 
     perpetrate the ransomware attack.
       ``(C) Where applicable, any identifying or contact 
     information related to the actor or actors reasonably 
     believed to be responsible for the ransomware attack.
       ``(D) The name and other information that clearly 
     identifies the covered entity that made the ransom payment or 
     on whose behalf the payment was made.
       ``(E) Contact information, such as telephone number or 
     electronic mail address, that the Agency may use to contact 
     the covered entity that made the ransom payment or an 
     authorized agent of such covered entity, or, where 
     applicable, the service provider of such covered entity 
     acting with the express permission of, and at the direction 
     of, that covered entity to assist with compliance with the 
     requirements of this subtitle.
       ``(F) The date of the ransom payment.
       ``(G) The ransom payment demand, including the type of 
     virtual currency or other commodity requested, if applicable.
       ``(H) The ransom payment instructions, including 
     information regarding where to send the payment, such as the 
     virtual currency address or physical address the funds were 
     requested to be sent to, if applicable.
       ``(I) The amount of the ransom payment.
       ``(6) A clear description of the types of data required to 
     be preserved pursuant to subsection (a)(4), the period of 
     time for which the data is required to be preserved, and 
     allowable uses, processes, and procedures.

[[Page S913]]

       ``(7) Deadlines and criteria for submitting supplemental 
     reports to the Agency required under subsection (a)(3), which 
     shall--
       ``(A) be established by the Director in consultation with 
     the Council;
       ``(B) consider any existing regulatory reporting 
     requirements similar in scope, purpose, and timing to the 
     reporting requirements to which such a covered entity may 
     also be subject, and make efforts to harmonize the timing and 
     contents of any such reports to the maximum extent 
     practicable;
       ``(C) balance the need for situational awareness with the 
     ability of the covered entity to conduct cyber incident 
     response and investigations; and
       ``(D) provide a clear description of what constitutes 
     substantial new or different information.
       ``(8) Procedures for--
       ``(A) entities, including third parties pursuant to 
     subsection (d)(1), to submit reports required by paragraphs 
     (1), (2), and (3) of subsection (a), including the manner and 
     form thereof, which shall include, at a minimum, a concise, 
     user-friendly web-based form;
       ``(B) the Agency to carry out--
       ``(i) the enforcement provisions of section 2244, including 
     with respect to the issuance, service, withdrawal, referral 
     process, and enforcement of subpoenas, appeals and due 
     process procedures;
       ``(ii) other available enforcement mechanisms including 
     acquisition, suspension and debarment procedures; and
       ``(iii) other aspects of noncompliance;
       ``(C) implementing the exceptions provided in subsection 
     (a)(5); and
       ``(D) protecting privacy and civil liberties consistent 
     with processes adopted pursuant to section 105(b) of the 
     Cybersecurity Act of 2015 (6 U.S.C. 1504(b)) and anonymizing 
     and safeguarding, or no longer retaining, information 
     received and disclosed through covered cyber incident reports 
     and ransom payment reports that is known to be personal 
     information of a specific individual or information that 
     identifies a specific individual that is not directly related 
     to a cybersecurity threat.
       ``(9) Other procedural measures directly necessary to 
     implement subsection (a).
       ``(d) Third Party Report Submission and Ransom Payment.--
       ``(1) Report submission.--A covered entity that is required 
     to submit a covered cyber incident report or a ransom payment 
     report may use a third party, such as an incident response 
     company, insurance provider, service provider, Information 
     Sharing and Analysis Organization, or law firm, to submit the 
     required report under subsection (a).
       ``(2) Ransom payment.--If a covered entity impacted by a 
     ransomware attack uses a third party to make a ransom 
     payment, the third party shall not be required to submit a 
     ransom payment report for itself under subsection (a)(2).
       ``(3) Duty to report.--Third-party reporting under this 
     subparagraph does not relieve a covered entity from the duty 
     to comply with the requirements for covered cyber incident 
     report or ransom payment report submission.
       ``(4) Responsibility to advise.--Any third party used by a 
     covered entity that knowingly makes a ransom payment on 
     behalf of a covered entity impacted by a ransomware attack 
     shall advise the impacted covered entity of the 
     responsibilities of the impacted covered entity regarding 
     reporting ransom payments under this section.
       ``(e) Outreach to Covered Entities.--
       ``(1) In general.--The Agency shall conduct an outreach and 
     education campaign to inform likely covered entities, 
     entities that offer or advertise as a service to customers to 
     make or facilitate ransom payments on behalf of covered 
     entities impacted by ransomware attacks and other appropriate 
     entities of the requirements of paragraphs (1), (2), and (3) 
     of subsection (a).
       ``(2) Elements.--The outreach and education campaign under 
     paragraph (1) shall include the following:
       ``(A) An overview of the final rule issued pursuant to 
     subsection (b).
       ``(B) An overview of mechanisms to submit to the Agency 
     covered cyber incident reports, ransom payment reports, and 
     information relating to the disclosure, retention, and use of 
     covered cyber incident reports and ransom payment reports 
     under this section.
       ``(C) An overview of the protections afforded to covered 
     entities for complying with the requirements under paragraphs 
     (1), (2), and (3) of subsection (a).
       ``(D) An overview of the steps taken under section 2244 
     when a covered entity is not in compliance with the reporting 
     requirements under subsection (a).
       ``(E) Specific outreach to cybersecurity vendors, cyber 
     incident response providers, cybersecurity insurance 
     entities, and other entities that may support covered 
     entities.
       ``(F) An overview of the privacy and civil liberties 
     requirements in this subtitle.
       ``(3) Coordination.--In conducting the outreach and 
     education campaign required under paragraph (1), the Agency 
     may coordinate with--
       ``(A) the Critical Infrastructure Partnership Advisory 
     Council established under section 871;
       ``(B) Information Sharing and Analysis Organizations;
       ``(C) trade associations;
       ``(D) information sharing and analysis centers;
       ``(E) sector coordinating councils; and
       ``(F) any other entity as determined appropriate by the 
     Director.
       ``(f) Exemption.--Sections 3506(c), 3507, 3508, and 3509 of 
     title 44, United States Code, shall not apply to any action 
     to carry out this section.
       ``(g) Rule of Construction.--Nothing in this section shall 
     affect the authorities of the Federal Government to implement 
     the requirements of Executive Order 14028 (86 Fed. Reg. 
     26633; relating to improving the nation's cybersecurity), 
     including changes to the Federal Acquisition Regulations and 
     remedies to include suspension and debarment.
       ``(h) Savings Provision.--Nothing in this section shall be 
     construed to supersede or to abrogate, modify, or otherwise 
     limit the authority that is vested in any officer or any 
     agency of the United States Government to regulate or take 
     action with respect to the cybersecurity of an entity.

     ``SEC. 2243. VOLUNTARY REPORTING OF OTHER CYBER INCIDENTS.

       ``(a) In General.--Entities may voluntarily report cyber 
     incidents or ransom payments to the Agency that are not 
     required under paragraph (1), (2), or (3) of section 2242(a), 
     but may enhance the situational awareness of cyber threats.
       ``(b) Voluntary Provision of Additional Information in 
     Required Reports.--Covered entities may voluntarily include 
     in reports required under paragraph (1), (2), or (3) of 
     section 2242(a) information that is not required to be 
     included, but may enhance the situational awareness of cyber 
     threats.
       ``(c) Application of Protections.--The protections under 
     section 2245 applicable to reports made under section 2242 
     shall apply in the same manner and to the same extent to 
     reports and information submitted under subsections (a) and 
     (b).

     ``SEC. 2244. NONCOMPLIANCE WITH REQUIRED REPORTING.

       ``(a) Purpose.--In the event that a covered entity that is 
     required to submit a report under section 2242(a) fails to 
     comply with the requirement to report, the Director may 
     obtain information about the cyber incident or ransom payment 
     by engaging the covered entity directly to request 
     information about the cyber incident or ransom payment, and 
     if the Director is unable to obtain information through such 
     engagement, by issuing a subpoena to the covered entity, 
     pursuant to subsection (c), to gather information sufficient 
     to determine whether a covered cyber incident or ransom 
     payment has occurred.
       ``(b) Initial Request for Information.--
       ``(1) In general.--If the Director has reason to believe, 
     whether through public reporting or other information in the 
     possession of the Federal Government, including through 
     analysis performed pursuant to paragraph (1) or (2) of 
     section 2241(a), that a covered entity has experienced a 
     covered cyber incident or made a ransom payment but failed to 
     report such cyber incident or payment to the Agency in 
     accordance with section 2242(a), the Director may request 
     additional information from the covered entity to confirm 
     whether or not a covered cyber incident or ransom payment has 
     occurred.
       ``(2) Treatment.--Information provided to the Agency in 
     response to a request under paragraph (1) shall be treated as 
     if it was submitted through the reporting procedures 
     established in section 2242.
       ``(c) Enforcement.--
       ``(1) In general.--If, after the date that is 72 hours from 
     the date on which the Director made the request for 
     information in subsection (b), the Director has received no 
     response from the covered entity from which such information 
     was requested, or received an inadequate response, the 
     Director may issue to such covered entity a subpoena to 
     compel disclosure of information the Director deems necessary 
     to determine whether a covered cyber incident or ransom 
     payment has occurred and obtain the information required to 
     be reported pursuant to section 2242 and any implementing 
     regulations, and assess potential impacts to national 
     security, economic security, or public health and safety.
       ``(2) Civil action.--
       ``(A) In general.--If a covered entity fails to comply with 
     a subpoena, the Director may refer the matter to the Attorney 
     General to bring a civil action in a district court of the 
     United States to enforce such subpoena.
       ``(B) Venue.--An action under this paragraph may be brought 
     in the judicial district in which the covered entity against 
     which the action is brought resides, is found, or does 
     business.
       ``(C) Contempt of court.--A court may punish a failure to 
     comply with a subpoena issued under this subsection as 
     contempt of court.
       ``(3) Non-delegation.--The authority of the Director to 
     issue a subpoena under this subsection may not be delegated.
       ``(4) Authentication.--
       ``(A) In general.--Any subpoena issued electronically 
     pursuant to this subsection shall be authenticated with a 
     cryptographic digital signature of an authorized 
     representative of the Agency, or other comparable successor 
     technology, that allows the Agency to demonstrate that such 
     subpoena was issued by the Agency and has not been altered or 
     modified since such issuance.
       ``(B) Invalid if not authenticated.--Any subpoena issued 
     electronically pursuant to this subsection that is not 
     authenticated in accordance with subparagraph (A) shall not 
     be considered to be valid by the recipient of such subpoena.
       ``(d) Provision of Certain Information to Attorney 
     General.--
       ``(1) In general.--Notwithstanding section 2245(a)(5) and 
     paragraph (b)(2) of this section,
     if the Director determines, based on the information provided 
     in response to a subpoena issued pursuant to subsection (c), 
     that the facts relating to the cyber incident or ransom 
     payment at issue may constitute grounds for a regulatory 
     enforcement action or criminal prosecution, the Director may 
     provide such information to the Attorney General or the head 
     of the appropriate Federal regulatory agency, who may use 
     such information for a regulatory enforcement action or 
     criminal prosecution.
       ``(2) Consultation.--The Director may consult with the 
     Attorney General or the head of the appropriate Federal 
     regulatory agency when making the determination under 
     paragraph (1).
       ``(e) Considerations.--When determining whether to exercise 
     the authorities provided under this section, the Director 
     shall take into consideration--
       ``(1) the complexity in determining if a covered cyber 
     incident has occurred; and
       ``(2) prior interaction with the Agency or awareness of the 
     covered entity of the policies and procedures of the Agency 
     for reporting covered cyber incidents and ransom payments.
       ``(f) Exclusions.--This section shall not apply to a State, 
     local, Tribal, or territorial government entity.
       ``(g) Report to Congress.--The Director shall submit to 
     Congress an annual report on the number of times the 
     Director--
       ``(1) issued an initial request for information pursuant to 
     subsection (b);
       ``(2) issued a subpoena pursuant to subsection (c); or
       ``(3) referred a matter to the Attorney General for a civil 
     action pursuant to subsection (c)(2).
       ``(h) Publication of the Annual Report.--The Director shall 
     publish a version of the annual report required under 
     subsection (g) on the website of the Agency, which shall 
     include, at a minimum, the number of times the Director--
       ``(1) issued an initial request for information pursuant to 
     subsection (b); or
       ``(2) issued a subpoena pursuant to subsection (c).
       ``(i) Anonymization of Reports.--The Director shall ensure 
     any victim information contained in a report required to be 
     published under subsection (h) be anonymized before the 
     report is published.

     ``SEC. 2245. INFORMATION SHARED WITH OR PROVIDED TO THE 
                   FEDERAL GOVERNMENT.

       ``(a) Disclosure, Retention, and Use.--
       ``(1) Authorized activities.--Information provided to the 
     Agency pursuant to section 2242 or 2243 may be disclosed to, 
     retained by, and used by, consistent with otherwise 
     applicable provisions of Federal law, any Federal agency or 
     department, component, officer, employee, or agent of the 
     Federal Government solely for--
       ``(A) a cybersecurity purpose;
       ``(B) the purpose of identifying--
       ``(i) a cyber threat, including the source of the cyber 
     threat; or
       ``(ii) a security vulnerability;
       ``(C) the purpose of responding to, or otherwise preventing 
     or mitigating, a specific threat of death, a specific threat 
     of serious bodily harm, or a specific threat of serious 
     economic harm, including a terrorist act or use of a weapon 
     of mass destruction;
       ``(D) the purpose of responding to, investigating, 
     prosecuting, or otherwise preventing or mitigating, a serious 
     threat to a minor, including sexual exploitation and threats 
     to physical safety; or
       ``(E) the purpose of preventing, investigating, disrupting, 
     or prosecuting an offense arising out of a cyber incident 
     reported pursuant to section 2242 or 2243 or any of the 
     offenses listed in section 105(d)(5)(A)(v) of the 
     Cybersecurity Act of 2015 (6 U.S.C. 1504(d)(5)(A)(v)).
       ``(2) Agency actions after receipt.--
       ``(A) Rapid, confidential sharing of cyber threat 
     indicators.--Upon receiving a covered cyber incident or 
     ransom payment report submitted pursuant to this section, the 
     Agency shall immediately review the report to determine 
     whether the cyber incident that is the subject of the report 
     is connected to an ongoing cyber threat or security 
     vulnerability and where applicable, use such report to 
     identify, develop, and rapidly disseminate to appropriate 
     stakeholders actionable, anonymized cyber threat indicators 
     and defensive measures.
       ``(B) Principles for sharing security vulnerabilities.--
     With respect to information in a covered cyber incident or 
     ransom payment report regarding a security vulnerability 
     referred to in paragraph (1)(B)(ii), the Director shall 
     develop principles that govern the timing and manner in which 
     information relating to security vulnerabilities may be 
     shared, consistent with common industry best practices and 
     United States and international standards.
       ``(3) Privacy and civil liberties.--Information contained 
     in covered cyber incident and ransom payment reports 
     submitted to the Agency pursuant to section 2242 shall be 
     retained, used, and disseminated, where permissible and 
     appropriate, by the Federal Government in accordance with 
     processes to be developed for the protection of personal 
     information consistent with processes adopted pursuant to 
     section 105 of the Cybersecurity Act of 2015 (6 U.S.C. 1504) 
     and in a manner that protects from unauthorized use or 
     disclosure any information that may contain--
       ``(A) personal information of a specific individual that is 
     not directly related to a cybersecurity threat; or
       ``(B) information that identifies a specific individual 
     that is not directly related to a cybersecurity threat.
       ``(4) Digital security.--The Agency shall ensure that 
     reports submitted to the Agency pursuant to section 2242, and 
     any information contained in those reports, are collected, 
     stored, and protected at a minimum in accordance with the 
     requirements for moderate impact Federal information systems, 
     as described in Federal Information Processing Standards 
     Publication 199, or any successor document.
       ``(5) Prohibition on use of information in regulatory 
     actions.--
       ``(A) In general.--A Federal, State, local, or Tribal 
     government shall not use information about a covered cyber 
     incident or ransom payment obtained solely through reporting 
     directly to the Agency in accordance with this subtitle to 
     regulate, including through an enforcement action, the 
     activities of the covered entity or entity that made a ransom 
     payment, unless the government entity expressly allows 
     entities to submit reports to the Agency to meet regulatory 
     reporting obligations of the entity.
       ``(B) Clarification.--A report submitted to the Agency 
     pursuant to section 2242 or 2243 may, consistent with Federal 
     or State regulatory authority specifically relating to the 
     prevention and mitigation of cybersecurity threats to 
     information systems, inform the development or implementation 
     of regulations relating to such systems.
       ``(b) Protections for Reporting Entities and Information.--
     Reports describing covered cyber incidents or ransom payments 
     submitted to the Agency by entities in accordance with 
     section 2242, as well as voluntarily-submitted cyber incident 
     reports submitted to the Agency pursuant to section 2243, 
     shall--
       ``(1) be considered the commercial, financial, and 
     proprietary information of the covered entity when so 
     designated by the covered entity;
       ``(2) be exempt from disclosure under section 552(b)(3) of 
     title 5, United States Code (commonly known as the `Freedom 
     of Information Act'), as well as any provision of State, 
     Tribal, or local freedom of information law, open government 
     law, open meetings law, open records law, sunshine law, or 
     similar law requiring disclosure of information or records;
       ``(3) be considered not to constitute a waiver of any 
     applicable privilege or protection provided by law, including 
     trade secret protection; and
       ``(4) not be subject to a rule of any Federal agency or 
     department or any judicial doctrine regarding ex parte 
     communications with a decision-making official.
       ``(c) Liability Protections.--
       ``(1) In general.--No cause of action shall lie or be 
     maintained in any court by any person or entity and any such 
     action shall be promptly dismissed for the submission of a 
     report pursuant to section 2242(a) that is submitted in 
     conformance with this subtitle and the rule promulgated under 
     section 2242(b), except that this subsection shall not apply 
     with regard to an action by the Federal Government pursuant 
     to section 2244(c)(2).
       ``(2) Scope.--The liability protections provided in this 
     subsection shall only apply to or affect litigation that is 
     solely based on the submission of a covered cyber incident 
     report or ransom payment report to the Agency.
       ``(3) Restrictions.--Notwithstanding paragraph (2), no 
     report submitted to the Agency pursuant to this subtitle or 
     any communication, document, material, or other record, 
     created for the sole purpose of preparing, drafting, or 
     submitting such report, may be received in evidence, subject 
     to discovery, or otherwise used in any trial, hearing, or 
     other proceeding in or before any court, regulatory body, or 
     other authority of the United States, a State, or a political 
     subdivision thereof, provided that nothing in this subtitle 
     shall create a defense to discovery or otherwise affect the 
     discovery of any communication, document, material, or other 
     record not created for the sole purpose of preparing, 
     drafting, or submitting such report.
       ``(d) Sharing With Non-Federal Entities.--The Agency shall 
     anonymize the victim who reported the information when making 
     information provided in reports received under section 2242 
     available to critical infrastructure owners and operators and 
     the general public.
       ``(e) Stored Communications Act.--Nothing in this subtitle 
     shall be construed to permit or require disclosure by a 
     provider of a remote computing service or a provider of an 
     electronic communication service to the public of information 
     not otherwise permitted or required to be disclosed under 
     chapter 121 of title 18, United States Code (commonly known 
     as the `Stored Communications Act').

     ``SEC. 2246. CYBER INCIDENT REPORTING COUNCIL.

       ``(a) Responsibility of the Secretary.--The Secretary shall 
     lead an intergovernmental Cyber Incident Reporting Council, 
     in consultation with the Director of the Office of Management 
     and Budget, the Attorney General, the National Cyber 
     Director, Sector Risk Management Agencies, and other 
     appropriate Federal agencies, to coordinate, deconflict, and 
     harmonize Federal incident reporting requirements, including 
     those issued through regulations.
       ``(b) Rule of Construction.--Nothing in subsection (a) 
     shall be construed to provide
     any additional regulatory authority to any Federal entity.''.
       (b) Technical and Conforming Amendment.--The table of 
     contents in section 1(b) of the Homeland Security Act of 2002 
     (Public Law 107-296; 116 Stat. 2135) is amended by inserting 
     after the items relating to subtitle C of title XXII the 
     following:

                 ``Subtitle D--Cyber Incident Reporting

``Sec. 2240. Definitions.
``Sec. 2241. Cyber Incident Review.
``Sec. 2242. Required reporting of certain cyber incidents.
``Sec. 2243. Voluntary reporting of other cyber incidents.
``Sec. 2244. Noncompliance with required reporting.
``Sec. 2245. Information shared with or provided to the Federal 
              Government.
``Sec. 2246. Cyber Incident Reporting Council.''.

     SEC. 204. FEDERAL SHARING OF INCIDENT REPORTS.

       (a) Cyber Incident Reporting Sharing.--
       (1) In general.--Notwithstanding any other provision of law 
     or regulation, any Federal agency, including any independent 
     establishment (as defined in section 104 of title 5, United 
     States Code), that receives a report from an entity of a 
     cyber incident, including a ransomware attack, shall provide 
     the report to the Agency as soon as possible, but not later 
     than 24 hours after receiving the report, unless a shorter 
     period is required by an agreement made between the 
     Department of Homeland Security (including the Cybersecurity 
     and Infrastructure Security Agency) and the recipient Federal 
     agency. The Director shall share and coordinate each report 
     pursuant to section 2241(b) of the Homeland Security Act of 
     2002, as added by section 203 of this title.
       (2) Rule of construction.--The requirements described in 
     paragraph (1) and section 2245(d) of the Homeland Security 
     Act of 2002, as added by section 203 of this title, may not 
     be construed to be a violation of any provision of law or 
     policy that would otherwise prohibit disclosure or provision 
     of information within the executive branch.
       (3) Protection of information.--The Director shall comply 
     with any obligations of the recipient Federal agency 
     described in paragraph (1) to protect information, including 
     with respect to privacy, confidentiality, or information 
     security, if those obligations would impose greater 
     protection requirements than this Act or the amendments made 
     by this Act.
       (4) Effective date.--This subsection shall take effect on 
     the effective date of the final rule issued pursuant to 
     section 2242(b) of the Homeland Security Act of 2002, as 
     added by section 203 of this title.
       (5) Agency agreements.--
       (A) In general.--The Agency and any Federal agency, 
     including any independent establishment (as defined in 
     section 104 of title 5, United States Code) that receives 
     incident reports from entities, including due to ransomware 
     attacks, shall, as appropriate, enter into a documented 
     agreement to establish policies, processes, procedures, and 
     mechanisms to ensure reports are shared with the Agency 
     pursuant to paragraph (1).
       (B) Availability.--To the maximum extent practicable, each 
     documented agreement required under subparagraph (A) shall be 
     made publicly available.
       (C) Requirement.--The documented agreements required by 
     subparagraph (A) shall require reports be shared from Federal 
     agencies with the Agency in such time as to meet the overall 
     timeline for covered entity reporting of covered cyber 
     incidents and ransom payments established in section 2242 of 
     the Homeland Security Act of 2002, as added by section 203 of 
     this title.
       (b) Harmonizing Reporting Requirements.--The Secretary of 
     Homeland Security, acting through the Director, shall, in 
     consultation with the Cyber Incident Reporting Council 
     described in section 2246 of the Homeland Security Act of 
     2002, as added by section 203 of this title, to the maximum 
     extent practicable--
       (1) periodically review existing regulatory requirements, 
     including the information required in such reports, to report 
     incidents and ensure that any such reporting requirements and 
     procedures avoid conflicting, duplicative, or burdensome 
     requirements; and
       (2) coordinate with appropriate Federal partners and 
     regulatory authorities that receive reports relating to 
     incidents to identify opportunities to streamline reporting 
     processes, and where feasible, facilitate interagency 
     agreements between such authorities to permit the sharing of 
     such reports, consistent with applicable law and policy, 
     without impacting the ability of the Agency to gain timely 
     situational awareness of a covered cyber incident or ransom 
     payment.

     SEC. 205. RANSOMWARE VULNERABILITY WARNING PILOT PROGRAM.

       (a) Program.--Not later than 1 year after the date of 
     enactment of this Act, the Director shall establish a 
     ransomware vulnerability warning pilot program to leverage 
     existing authorities and technology to specifically develop 
     processes and procedures for, and to dedicate resources to, 
     identifying information systems that contain security 
     vulnerabilities associated with common ransomware attacks, 
     and to notify the owners of those vulnerable systems of their 
     security vulnerability.
       (b) Identification of Vulnerable Systems.--The pilot 
     program established under subsection (a) shall--
       (1) identify the most common security vulnerabilities 
     utilized in ransomware attacks and mitigation techniques; and
       (2) utilize existing authorities to identify information 
     systems that contain the security vulnerabilities identified 
     in paragraph (1).
       (c) Entity Notification.--
       (1) Identification.--If the Director is able to identify 
     the entity at risk that owns or operates a vulnerable 
     information system identified in subsection (b), the Director 
     may notify the owner of the information system.
       (2) No identification.--If the Director is not able to 
     identify the entity at risk that owns or operates a 
     vulnerable information system identified in subsection (b), 
     the Director may utilize the subpoena authority pursuant to 
     section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 
     659) to identify and notify the entity at risk pursuant to 
     the procedures under that section.
       (3) Required information.--A notification made under 
     paragraph (1) shall include information on the identified 
     security vulnerability and mitigation techniques.
       (d) Prioritization of Notifications.--To the extent 
     practicable, the Director shall prioritize covered entities 
     for identification and notification activities under the 
     pilot program established under this section.
       (e) Limitation on Procedures.--No procedure, notification, 
     or other authorities utilized in the execution of the pilot 
     program established under subsection (a) shall require an 
     owner or operator of a vulnerable information system to take 
     any action as a result of a notice of a security 
     vulnerability made pursuant to subsection (c).
       (f) Rule of Construction.--Nothing in this section shall be 
     construed to provide additional authorities to the Director 
     to identify vulnerabilities or vulnerable systems.
       (g) Termination.--The pilot program established under 
     subsection (a) shall terminate on the date that is 4 years 
     after the date of enactment of this Act.

     SEC. 206. RANSOMWARE THREAT MITIGATION ACTIVITIES.

       (a) Joint Ransomware Task Force.--
       (1) In general.--Not later than 180 days after the date of 
     enactment of this Act, the Director, in consultation with the 
     National Cyber Director, the Attorney General, and the 
     Director of the Federal Bureau of Investigation, shall 
     establish and chair the Joint Ransomware Task Force to 
     coordinate an ongoing nationwide campaign against ransomware 
     attacks, and identify and pursue opportunities for 
     international cooperation.
       (2) Composition.--The Joint Ransomware Task Force shall 
     consist of participants from Federal agencies, as determined 
     appropriate by the National Cyber Director in consultation 
     with the Secretary of Homeland Security.
       (3) Responsibilities.--The Joint Ransomware Task Force, 
     utilizing only existing authorities of each participating 
     Federal agency, shall coordinate across the Federal 
     Government the following activities:
       (A) Prioritization of intelligence-driven operations to 
     disrupt specific ransomware actors.
       (B) Consult with relevant private sector, State, local, 
     Tribal, and territorial governments and international 
     stakeholders to identify needs and establish mechanisms for 
     providing input into the Joint Ransomware Task Force.
       (C) Identifying, in consultation with relevant entities, a 
     list of highest threat ransomware entities updated on an 
     ongoing basis, in order to facilitate--
       (i) prioritization for Federal action by appropriate 
     Federal agencies; and
       (ii) identify metrics for success of said actions.
       (D) Disrupting ransomware criminal actors, associated 
     infrastructure, and their finances.
       (E) Facilitating coordination and collaboration between 
     Federal entities and relevant entities, including the private 
     sector, to improve Federal actions against ransomware 
     threats.
       (F) Collection, sharing, and analysis of ransomware trends 
     to inform Federal actions.
       (G) Creation of after-action reports and other lessons 
     learned from Federal actions that identify successes and 
     failures to improve subsequent actions.
       (H) Any other activities determined appropriate by the 
     Joint Ransomware Task Force to mitigate the threat of 
     ransomware attacks.
       (b) Rule of Construction.--Nothing in this section shall be 
     construed to provide any additional authority to any Federal 
     agency.

     SEC. 207. CONGRESSIONAL REPORTING.

       (a) Report on Stakeholder Engagement.--Not later than 30 
     days after the date on which the Director issues the final 
     rule under section 2242(b) of the Homeland Security Act of 
     2002, as added by section 203(b) of this title, the Director 
     shall submit to the Committee on Homeland Security and 
     Governmental Affairs of the Senate and the Committee on 
     Homeland Security of the House of Representatives a report 
     that describes how the Director engaged stakeholders in the 
     development of the final rule.
       (b) Report on Opportunities to Strengthen Security 
     Research.--Not later than 1 year after the date of enactment 
     of this Act, the Director shall submit to the Committee on 
     Homeland Security and Governmental Affairs of the Senate and 
     the
     Committee on Homeland Security of the House of 
     Representatives a report describing how the National 
     Cybersecurity and Communications Integration Center 
     established under section 2209 of the Homeland Security Act 
     of 2002 (6 U.S.C. 659) has carried out activities under 
     section 2241(a)(9) of the Homeland Security Act of 2002, as 
     added by section 203(a) of this title, by proactively 
     identifying opportunities to use cyber incident data to 
     inform and enable cybersecurity research within the academic 
     and private sector.
       (c) Report on Ransomware Vulnerability Warning Pilot 
     Program.--Not later than 1 year after the date of enactment 
     of this Act, and annually thereafter for the duration of the 
     pilot program established under section 205, the Director 
     shall submit to the Committee on Homeland Security and 
     Governmental Affairs of the Senate and the Committee on 
     Homeland Security of the House of Representatives a report, 
     which may include a classified annex, on the effectiveness of 
     the pilot program, which shall include a discussion of the 
     following:
       (1) The effectiveness of the notifications under section 
     205(c) in mitigating security vulnerabilities and the threat 
     of ransomware.
       (2) Identification of the most common vulnerabilities 
     utilized in ransomware.
       (3) The number of notifications issued during the preceding 
     year.
       (4) To the extent practicable, the number of vulnerable 
     devices or systems mitigated under the pilot program by the 
     Agency during the preceding year.
       (d) Report on Harmonization of Reporting Regulations.--
       (1) In general.--Not later than 180 days after the date on 
     which the Secretary of Homeland Security convenes the Cyber 
     Incident Reporting Council described in section 2246 of the 
     Homeland Security Act of 2002, as added by section 203 of 
     this title, the Secretary of Homeland Security shall submit 
     to the appropriate congressional committees a report that 
     includes--
       (A) a list of duplicative Federal cyber incident reporting 
     requirements on covered entities;
       (B) a description of any challenges in harmonizing the 
     duplicative reporting requirements;
       (C) any actions the Director intends to take to facilitate 
     harmonizing the duplicative reporting requirements; and
       (D) any proposed legislative changes necessary to address 
     the duplicative reporting.
       (2) Rule of construction.--Nothing in paragraph (1) shall 
     be construed to provide any additional regulatory authority 
     to any Federal agency.
       (e) GAO Reports.--
       (1) Implementation of this act.--Not later than 2 years 
     after the date of enactment of this Act, the Comptroller 
     General of the United States shall submit to the Committee on 
     Homeland Security and Governmental Affairs of the Senate and 
     the Committee on Homeland Security of the House of 
     Representatives a report on the implementation of this Act 
     and the amendments made by this Act.
       (2) Exemptions to reporting.--Not later than 1 year after 
     the date on which the Director issues the final rule required 
     under section 2242(b) of the Homeland Security Act of 2002, 
     as added by section 203 of this title, the Comptroller 
     General of the United States shall submit to the Committee on 
     Homeland Security and Governmental Affairs of the Senate and 
     the Committee on Homeland Security of the House of 
     Representatives a report on the exemptions to reporting under 
     paragraphs (2) and (5) of section 2242(a) of the Homeland 
     Security Act of 2002, as added by section 203 of this title, 
     which shall include--
       (A) to the extent practicable, an evaluation of the 
     quantity of cyber incidents not reported to the Federal 
     Government;
       (B) an evaluation of the impact on impacted entities, 
     homeland security, and the national economy due to cyber 
     incidents, ransomware attacks, and ransom payments, including 
     a discussion on the scope of impact of cyber incidents that 
     were not reported to the Federal Government;
       (C) an evaluation of the burden, financial and otherwise, 
     on entities required to report cyber incidents under this 
     Act, including an analysis of entities that meet the 
     definition of a small business concern under section 3 of the 
     Small Business Act (15 U.S.C. 632); and
       (D) a description of the consequences and effects of 
     limiting covered cyber incident and ransom payment reporting 
     to only covered entities.
       (f) Report on Effectiveness of Enforcement Mechanisms.--Not 
     later than 1 year after the date on which the Director issues 
     the final rule required under section 2242(b) of the Homeland 
     Security Act of 2002, as added by section 203 of this title, 
     the Director shall submit to the Committee on Homeland 
     Security and Governmental Affairs of the Senate and the 
     Committee on Homeland Security of the House of 
     Representatives a report on the effectiveness of the 
     enforcement mechanisms within section 2244 of the Homeland 
     Security Act of 2002, as added by section 203 of this title.

    TITLE III--FEDERAL SECURE CLOUD IMPROVEMENT AND JOBS ACT OF 2022

     SEC. 301. SHORT TITLE.

       This title may be cited as the ``Federal Secure Cloud 
     Improvement and Jobs Act of 2022''.

     SEC. 302. FINDINGS.

       Congress finds the following:
       (1) Ensuring that the Federal Government can securely 
     leverage cloud computing products and services is key to 
     expediting the modernization of legacy information technology 
     systems, increasing cybersecurity within and across 
     departments and agencies, and supporting the continued 
     leadership of the United States in technology innovation and 
     job creation.
       (2) According to independent analysis, as of calendar year 
     2019, the size of the cloud computing market had tripled 
     since 2004, enabling more than 2,000,000 jobs and adding more 
     than $200,000,000,000 to the gross domestic product of the 
     United States.
       (3) The Federal Government, across multiple presidential 
     administrations and Congresses, has continued to support the 
     ability of agencies to move to the cloud, including through--
       (A) President Barack Obama's ``Cloud First Strategy'';
       (B) President Donald Trump's ``Cloud Smart Strategy'';
       (C) the prioritization of cloud security in Executive Order 
     14028 (86 Fed. Reg. 26633; relating to improving the nation's 
     cybersecurity), which was issued by President Joe Biden; and
       (D) more than a decade of appropriations and authorization 
     legislation that provides agencies with relevant authorities 
     and appropriations to modernize on-premises information 
     technology systems and more readily adopt cloud computing 
     products and services.
       (4) Since it was created in 2011, the Federal Risk and 
     Authorization Management Program (referred to in this section 
     as ``FedRAMP'') at the General Services Administration has 
     made steady and sustained improvements in supporting the 
     secure authorization and reuse of cloud computing products 
     and services within the Federal Government, including by 
     reducing the costs and burdens on both agencies and cloud 
     companies to quickly and securely enter the Federal market.
       (5) According to data from the General Services 
     Administration, as of the end of fiscal year 2021, there were 
     239 cloud providers with FedRAMP authorizations, and those 
     authorizations had been reused more than 2,700 times across 
     various agencies.
       (6) Providing a legislative framework for FedRAMP and new 
     authorities to the General Services Administration, the 
     Office of Management and Budget, and Federal agencies will--
       (A) improve the speed at which new cloud computing products 
     and services can be securely authorized;
       (B) enhance the ability of agencies to effectively evaluate 
     FedRAMP authorized providers for reuse;
       (C) reduce the costs and burdens to cloud providers seeking 
     a FedRAMP authorization; and
       (D) provide for more robust transparency and dialogue 
     between industry and the Federal Government to drive stronger 
     adoption of secure cloud capabilities, create jobs, and 
     reduce wasteful legacy information technology.

     SEC. 303. TITLE 44 AMENDMENTS.

       (a) Amendment.--Chapter 36 of title 44, United States Code, 
     is amended by adding at the end the following:

     ``Sec. 3607. Definitions

       ``(a) In General.--Except as provided under subsection (b), 
     the definitions under sections 3502 and 3552 apply to this 
     section through section 3616.
       ``(b) Additional Definitions.--In this section through 
     section 3616:
       ``(1) Administrator.--The term `Administrator' means the 
     Administrator of General Services.
       ``(2) Appropriate congressional committees.--The term 
     `appropriate congressional committees' means the Committee on 
     Homeland Security and Governmental Affairs of the Senate and 
     the Committee on Oversight and Reform of the House of 
     Representatives.
       ``(3) Authorization to operate; federal information.--The 
     terms `authorization to operate' and `Federal information' 
      have the meaning given those terms in Circular A-130 of the 
     Office of Management and Budget entitled `Managing 
     Information as a Strategic Resource', or any successor 
     document.
       ``(4) Cloud computing.--The term `cloud computing' has the 
     meaning given the term in Special Publication 800-145 of the 
     National Institute of Standards and Technology, or any 
     successor document.
       ``(5) Cloud service provider.--The term `cloud service 
     provider' means an entity offering cloud computing products 
     or services to agencies.
       ``(6) FedRAMP.--The term `FedRAMP' means the Federal Risk 
     and Authorization Management Program established under 
     section 3608.
       ``(7) FedRAMP authorization.--The term `FedRAMP 
     authorization' means a certification that a cloud computing 
     product or service has--
       ``(A) completed a FedRAMP authorization process, as 
     determined by the Administrator; or
       ``(B) received a FedRAMP provisional authorization to 
     operate, as determined by the FedRAMP Board.
       ``(8) Fedramp authorization package.--The term `FedRAMP 
     authorization package' means the essential information that 
     can be used by an agency to determine whether to authorize 
     the operation of an information system or the use of a 
     designated set of common controls for all cloud computing 
     products and services authorized by FedRAMP.

[[Page S917]]

       ``(9) FedRAMP board.--The term `FedRAMP Board' means the 
     board established under section 3610.
       ``(10) Independent assessment service.--The term 
     `independent assessment service' means a third-party 
     organization accredited by the Administrator to undertake 
     conformity assessments of cloud service providers and the 
     products or services of cloud service providers.
       ``(11) Secretary.--The term `Secretary' means the Secretary 
     of Homeland Security.

     ``Sec. 3608. Federal Risk and Authorization Management 
       Program

       ``There is established within the General Services 
     Administration the Federal Risk and Authorization Management 
     Program. The Administrator, subject to section 3614, shall 
     establish a Government-wide program that provides a 
     standardized, reusable approach to security assessment and 
     authorization for cloud computing products and services that 
     process unclassified information used by agencies.

     ``Sec. 3609. Roles and responsibilities of the General 
       Services Administration

       ``(a) Roles and Responsibilities.--The Administrator 
     shall--
       ``(1) in consultation with the Secretary, develop, 
     coordinate, and implement a process to support agency review, 
     reuse, and standardization, where appropriate, of security 
     assessments of cloud computing products and services, 
     including, as appropriate, oversight of continuous monitoring 
     of cloud computing products and services, pursuant to 
     guidance issued by the Director pursuant to section 3614;
       ``(2) establish processes and identify criteria consistent 
     with guidance issued by the Director under section 3614 to 
     make a cloud computing product or service eligible for a 
     FedRAMP authorization and validate whether a cloud computing 
     product or service has a FedRAMP authorization;
       ``(3) develop and publish templates, best practices, 
     technical assistance, and other materials to support the 
     authorization of cloud computing products and services and 
     increase the speed, effectiveness, and transparency of the 
     authorization process, consistent with standards and 
     guidelines established by the Director of the National 
     Institute of Standards and Technology and relevant statutes;
       ``(4) establish and update guidance on the boundaries of 
     FedRAMP authorization packages to enhance the security and 
     protection of Federal information and promote transparency 
     for agencies and users as to which services are included in 
     the scope of a FedRAMP authorization;
       ``(5) grant FedRAMP authorizations to cloud computing 
     products and services consistent with the guidance and 
     direction of the FedRAMP Board;
       ``(6) establish and maintain a public comment process for 
     proposed guidance and other FedRAMP directives that may have 
     a direct impact on cloud service providers and agencies 
     before the issuance of such guidance or other FedRAMP 
     directives;
       ``(7) coordinate with the FedRAMP Board, the Director of 
     the Cybersecurity and Infrastructure Security Agency, and 
     other entities identified by the Administrator, with the 
     concurrence of the Director and the Secretary, to establish 
     and regularly update a framework for continuous monitoring 
     under section 3553;
       ``(8) provide a secure mechanism for storing and sharing 
     necessary data, including FedRAMP authorization packages, to 
     enable better reuse of such packages across agencies, 
     including making available any information and data necessary 
     for agencies to fulfill the requirements of section 3613;
       ``(9) provide regular updates to applicant cloud service 
     providers on the status of any cloud computing product or 
     service during an assessment process;
       ``(10) regularly review, in consultation with the FedRAMP 
     Board--
       ``(A) the costs associated with the independent assessment 
     services described in section 3611; and
       ``(B) the information relating to foreign interests 
     submitted pursuant to section 3612;
       ``(11) in coordination with the Director of the National 
     Institute of Standards and Technology, the Director, the 
     Secretary, and other stakeholders, as appropriate, determine 
     the sufficiency of underlying standards and requirements to 
     identify and assess the provenance of the software in cloud 
     services and products;
       ``(12) support the Federal Secure Cloud Advisory Committee 
     established pursuant to section 3616; and
       ``(13) take such other actions as the Administrator may 
     determine necessary to carry out FedRAMP.
       ``(b) Website.--
       ``(1) In general.--The Administrator shall maintain a 
     public website to serve as the authoritative repository for 
     FedRAMP, including the timely publication and updates for all 
     relevant information, guidance, determinations, and other 
     materials required under subsection (a).
       ``(2) Criteria and process for fedramp authorization 
     priorities.--The Administrator shall develop and make 
     publicly available on the website described in paragraph (1) 
     the criteria and process for prioritizing and selecting cloud 
     computing products and services that will receive a FedRAMP 
     authorization, in consultation with the FedRAMP Board and the 
     Chief Information Officers Council.
       ``(c) Evaluation of Automation Procedures.--
       ``(1) In general.--The Administrator, in coordination with 
     the Secretary, shall assess and evaluate available automation 
     capabilities and procedures to improve the efficiency and 
     effectiveness of the issuance of FedRAMP authorizations, 
     including continuous monitoring of cloud computing products 
     and services.
       ``(2) Means for automation.--Not later than 1 year after 
     the date of enactment of this section, and updated regularly 
     thereafter, the Administrator shall establish a means for the 
     automation of security assessments and reviews.
       ``(d) Metrics for Authorization.--The Administrator shall 
     establish annual metrics regarding the time and quality of 
     the assessments necessary for completion of a FedRAMP 
     authorization process in a manner that can be consistently 
     tracked over time in conjunction with the periodic testing 
     and evaluation process pursuant to section 3554 in a manner 
     that minimizes the agency reporting burden.

     ``Sec. 3610. FedRAMP Board

       ``(a) Establishment.--There is established a FedRAMP Board 
     to provide input and recommendations to the Administrator 
     regarding the requirements and guidelines for, and the 
     prioritization of, security assessments of cloud computing 
     products and services.
       ``(b) Membership.--The FedRAMP Board shall consist of not 
     more than 7 senior officials or experts from agencies 
     appointed by the Director, in consultation with the 
     Administrator, from each of the following:
       ``(1) The Department of Defense.
       ``(2) The Department of Homeland Security.
       ``(3) The General Services Administration.
       ``(4) Such other agencies as determined by the Director, in 
     consultation with the Administrator.
       ``(c) Qualifications.--Members of the FedRAMP Board 
     appointed under subsection (b) shall have technical expertise 
     in domains relevant to FedRAMP, such as--
       ``(1) cloud computing;
       ``(2) cybersecurity;
       ``(3) privacy;
       ``(4) risk management; and
       ``(5) other competencies identified by the Director to 
     support the secure authorization of cloud services and 
     products.
       ``(d) Duties.--The FedRAMP Board shall--
       ``(1) in consultation with the Administrator, serve as a 
     resource for best practices to accelerate the process for 
     obtaining a FedRAMP authorization;
       ``(2) establish and regularly update requirements and 
     guidelines for security authorizations of cloud computing 
     products and services, consistent with standards and 
     guidelines established by the Director of the National 
     Institute of Standards and Technology, to be used in the 
     determination of FedRAMP authorizations;
       ``(3) monitor and oversee, to the greatest extent 
     practicable, the processes and procedures by which agencies 
     determine and validate requirements for a FedRAMP 
     authorization, including periodic review of the agency 
     determinations described in section 3613(b);
       ``(4) ensure consistency and transparency between agencies 
     and cloud service providers in a manner that minimizes 
     confusion and engenders trust; and
       ``(5) perform such other roles and responsibilities as the 
     Director may assign, with concurrence from the Administrator.
       ``(e) Determinations of Demand for Cloud Computing Products 
     and Services.--The FedRAMP Board may consult with the Chief 
     Information Officers Council to establish a process, which 
     may be made available on the website maintained under section 
     3609(b), for prioritizing and accepting the cloud computing 
     products and services to be granted a FedRAMP authorization.

     ``Sec. 3611. Independent assessment

       ``The Administrator may determine whether FedRAMP may use 
     an independent assessment service to analyze, validate, and 
     attest to the quality and compliance of security assessment 
     materials provided by cloud service providers during the 
     course of a determination of whether to use a cloud computing 
     product or service.

     ``Sec. 3612. Declaration of foreign interests

       ``(a) In General.--An independent assessment service that 
     performs services described in section 3611 shall annually 
     submit to the Administrator information relating to any 
     foreign interest, foreign influence, or foreign control of 
     the independent assessment service.
       ``(b) Updates.--Not later than 48 hours after there is a 
     change in foreign ownership or control of an independent 
     assessment service that performs services described in 
     section 3611, the independent assessment service shall submit 
     to the Administrator an update to the information submitted 
     under subsection (a).
       ``(c) Certification.--The Administrator may require a 
     representative of an independent assessment service to 
     certify the accuracy and completeness of any information 
     submitted under this section.

     ``Sec. 3613. Roles and responsibilities of agencies

       ``(a) In General.--In implementing the requirements of 
     FedRAMP, the head of each agency shall, consistent with 
     guidance issued by the Director pursuant to section 3614--
       ``(1) promote the use of cloud computing products and 
     services that meet FedRAMP security requirements and other 
     risk-based performance requirements as determined by

[[Page S918]]

     the Director, in consultation with the Secretary;
       ``(2) confirm whether there is a FedRAMP authorization in 
     the secure mechanism provided under section 3609(a)(8) before 
     beginning the process of granting a FedRAMP authorization for 
     a cloud computing product or service;
       ``(3) to the extent practicable, for any cloud computing 
     product or service the agency seeks to authorize that has 
     received a FedRAMP authorization, use the existing 
     assessments of security controls and materials within any 
     FedRAMP authorization package for that cloud computing 
     product or service; and
       ``(4) provide to the Director data and information required 
     by the Director pursuant to section 3614 to determine how 
     agencies are meeting metrics established by the 
     Administrator.
       ``(b) Attestation.--Upon completing an assessment or 
     authorization activity with respect to a particular cloud 
     computing product or service, if an agency determines that 
     the information and data the agency has reviewed under 
     paragraph (2) or (3) of subsection (a) is wholly or 
     substantially deficient for the purposes of performing an 
     authorization of the cloud computing product or service, the 
     head of the agency shall document as part of the resulting 
     FedRAMP authorization package the reasons for this 
     determination.
       ``(c) Submission of Authorizations to Operate Required.--
     Upon issuance of an agency authorization to operate based on 
     a FedRAMP authorization, the head of the agency shall provide 
     a copy of its authorization to operate letter and any 
     supplementary information required pursuant to section 
     3609(a) to the Administrator.
       ``(d) Submission of Policies Required.--Not later than 180 
     days after the date on which the Director issues guidance in 
     accordance with section 3614(1), the head of each agency, 
     acting through the chief information officer of the agency, 
     shall submit to the Director all agency policies relating to 
     the authorization of cloud computing products and services.
       ``(e) Presumption of Adequacy.--
       ``(1) In general.--The assessment of security controls and 
     materials within the authorization package for a FedRAMP 
     authorization shall be presumed adequate for use in an agency 
     authorization to operate cloud computing products and 
     services.
       ``(2) Information security requirements.--The presumption 
     under paragraph (1) does not modify or alter--
       ``(A) the responsibility of any agency to ensure compliance 
     with subchapter II of chapter 35 for any cloud computing 
     product or service used by the agency; or
       ``(B) the authority of the head of any agency to make a 
     determination that there is a demonstrable need for 
     additional security requirements beyond the security 
     requirements included in a FedRAMP authorization for a 
     particular control implementation.

     ``Sec. 3614. Roles and responsibilities of the Office of 
       Management and Budget

       ``The Director shall--
       ``(1) in consultation with the Administrator and the 
     Secretary, issue guidance that--
       ``(A) specifies the categories or characteristics of cloud 
     computing products and services that are within the scope of 
     FedRAMP;
       ``(B) includes requirements for agencies to obtain a 
     FedRAMP authorization when operating a cloud computing 
     product or service described in subparagraph (A) as a Federal 
     information system; and
       ``(C) encompasses, to the greatest extent practicable, all 
     necessary and appropriate cloud computing products and 
     services;
       ``(2) issue guidance describing additional responsibilities 
     of FedRAMP and the FedRAMP Board to accelerate the adoption 
     of secure cloud computing products and services by the 
     Federal Government;
       ``(3) in consultation with the Administrator, establish a 
     process to periodically review FedRAMP authorization packages 
     to support the secure authorization and reuse of secure cloud 
     products and services;
       ``(4) oversee the effectiveness of FedRAMP and the FedRAMP 
     Board, including the compliance by the FedRAMP Board with the 
     duties described in section 3610(d); and
       ``(5) to the greatest extent practicable, encourage and 
     promote consistency of the assessment, authorization, 
     adoption, and use of secure cloud computing products and 
     services within and across agencies.

     ``Sec. 3615. Reports to Congress; GAO report

       ``(a) Reports to Congress.--Not later than 1 year after the 
     date of enactment of this section, and annually thereafter, 
     the Director shall submit to the appropriate congressional 
     committees a report that includes the following:
       ``(1) During the preceding year, the status, efficiency, 
     and effectiveness of the General Services Administration 
     under section 3609 and agencies under section 3613 and in 
     supporting the speed, effectiveness, sharing, reuse, and 
     security of authorizations to operate for secure cloud 
     computing products and services.
       ``(2) Progress towards meeting the metrics required under 
     section 3609(d).
       ``(3) Data on FedRAMP authorizations.
       ``(4) The average length of time to issue FedRAMP 
     authorizations.
       ``(5) The number of FedRAMP authorizations submitted, 
     issued, and denied for the preceding year.
       ``(6) A review of progress made during the preceding year 
     in advancing automation techniques to securely automate 
     FedRAMP processes and to accelerate reporting under this 
     section.
       ``(7) The number and characteristics of authorized cloud 
     computing products and services in use at each agency 
     consistent with guidance provided by the Director under 
     section 3614.
       ``(8) A review of FedRAMP measures to ensure the security 
     of data stored or processed by cloud service providers, which 
     may include--
       ``(A) geolocation restrictions for provided products or 
     services;
       ``(B) disclosures of foreign elements of supply chains of 
     acquired products or services;
       ``(C) continued disclosures of ownership of cloud service 
     providers by foreign entities; and
       ``(D) encryption for data processed, stored, or transmitted 
     by cloud service providers.
       ``(b) GAO Report.--Not later than 180 days after the date 
     of enactment of this section, the Comptroller General of the 
     United States shall report to the appropriate congressional 
     committees an assessment of the following:
       ``(1) The costs incurred by agencies and cloud service 
     providers relating to the issuance of FedRAMP authorizations.
       ``(2) The extent to which agencies have processes in place 
     to continuously monitor the implementation of cloud computing 
     products and services operating as Federal information 
     systems.
       ``(3) How often and for which categories of products and 
     services agencies use FedRAMP authorizations.
       ``(4) The unique costs and potential burdens incurred by 
     cloud computing companies that are small business concerns 
     (as defined in section 3(a) of the Small Business Act (15 
     U.S.C. 632(a)) as a part of the FedRAMP authorization 
     process.

     ``Sec. 3616. Federal Secure Cloud Advisory Committee

       ``(a) Establishment, Purposes, and Duties.--
       ``(1) Establishment.--There is established a Federal Secure 
     Cloud Advisory Committee (referred to in this section as the 
     `Committee') to ensure effective and ongoing coordination of 
     agency adoption, use, authorization, monitoring, acquisition, 
     and security of cloud computing products and services to 
     enable agency mission and administrative priorities.
       ``(2) Purposes.--The purposes of the Committee are the 
     following:
       ``(A) To examine the operations of FedRAMP and determine 
     ways that authorization processes can continuously be 
     improved, including the following:
       ``(i) Measures to increase agency reuse of FedRAMP 
     authorizations.
       ``(ii) Proposed actions that can be adopted to reduce the 
     burden, confusion, and cost associated with FedRAMP 
     authorizations for cloud service providers.
       ``(iii) Measures to increase the number of FedRAMP 
     authorizations for cloud computing products and services 
      offered by small business concerns (as defined by section 
     3(a) of the Small Business Act (15 U.S.C. 632(a)).
       ``(iv) Proposed actions that can be adopted to reduce the 
     burden and cost of FedRAMP authorizations for agencies.
       ``(B) Collect information and feedback on agency compliance 
     with and implementation of FedRAMP requirements.
       ``(C) Serve as a forum that facilitates communication and 
     collaboration among the FedRAMP stakeholder community.
       ``(3) Duties.--The duties of the Committee include 
     providing advice and recommendations to the Administrator, 
     the FedRAMP Board, and agencies on technical, financial, 
     programmatic, and operational matters regarding secure 
     adoption of cloud computing products and services.
       ``(b) Members.--
       ``(1) Composition.--The Committee shall be comprised of not 
     more than 15 members who are qualified representatives from 
     the public and private sectors, appointed by the 
     Administrator, in consultation with the Director, as follows:
       ``(A) The Administrator or the Administrator's designee, 
     who shall be the Chair of the Committee.
       ``(B) At least 1 representative each from the Cybersecurity 
     and Infrastructure Security Agency and the National Institute 
     of Standards and Technology.
       ``(C) At least 2 officials who serve as the Chief 
     Information Security Officer within an agency, who shall be 
     required to maintain such a position throughout the duration 
     of their service on the Committee.
       ``(D) At least 1 official serving as Chief Procurement 
     Officer (or equivalent) in an agency, who shall be required 
     to maintain such a position throughout the duration of their 
     service on the Committee.
       ``(E) At least 1 individual representing an independent 
     assessment service.
       ``(F) At least 5 representatives from unique businesses 
     that primarily provide cloud computing services or products, 
     including at least 2 representatives from a small business 
     concern (as defined by section 3(a) of the Small Business Act 
      (15 U.S.C. 632(a))).
       ``(G) At least 2 other representatives of the Federal 
     Government as the Administrator determines necessary to 
     provide sufficient balance, insights, or expertise to the 
     Committee.
       ``(2) Deadline for appointment.--Each member of the 
     Committee shall be appointed not later than 90 days after the 
     date of enactment of this section.

[[Page S919]]

       ``(3) Period of appointment; vacancies.--
       ``(A) In general.--Each non-Federal member of the Committee 
     shall be appointed for a term of 3 years, except that the 
     initial terms for members may be staggered 1-, 2-, or 3-year 
     terms to establish a rotation in which one-third of the 
     members are selected each year. Any such member may be 
     appointed for not more than 2 consecutive terms.
       ``(B) Vacancies.--Any vacancy in the Committee shall not 
     affect its powers, but shall be filled in the same manner in 
     which the original appointment was made. Any member appointed 
     to fill a vacancy occurring before the expiration of the term 
     for which the member's predecessor was appointed shall be 
     appointed only for the remainder of that term. A member may 
     serve after the expiration of that member's term until a 
     successor has taken office.
       ``(c) Meetings and Rules of Procedures.--
       ``(1) Meetings.--The Committee shall hold not fewer than 3 
     meetings in a calendar year, at such time and place as 
     determined by the Chair.
       ``(2) Initial meeting.--Not later than 120 days after the 
     date of enactment of this section, the Committee shall meet 
     and begin the operations of the Committee.
       ``(3) Rules of procedure.--The Committee may establish 
     rules for the conduct of the business of the Committee if 
     such rules are not inconsistent with this section or other 
     applicable law.
       ``(d) Employee Status.--
       ``(1) In general.--A member of the Committee (other than a 
     member who is appointed to the Committee in connection with 
     another Federal appointment) shall not be considered an 
     employee of the Federal Government by reason of any service 
     as such a member, except for the purposes of section 5703 of 
     title 5, relating to travel expenses.
       ``(2) Pay not permitted.--A member of the Committee covered 
     by paragraph (1) may not receive pay by reason of service on 
     the Committee.
       ``(e) Applicability to the Federal Advisory Committee 
     Act.--Section 14 of the Federal Advisory Committee Act (5 
     U.S.C. App.) shall not apply to the Committee.
       ``(f) Detail of Employees.--Any Federal Government employee 
     may be detailed to the Committee without reimbursement from 
     the Committee, and such detailee shall retain the rights, 
     status, and privileges of his or her regular employment 
     without interruption.
       ``(g) Postal Services.--The Committee may use the United 
     States mails in the same manner and under the same conditions 
     as agencies.
       ``(h) Reports.--
       ``(1) Interim reports.--The Committee may submit to the 
     Administrator and Congress interim reports containing such 
     findings, conclusions, and recommendations as have been 
     agreed to by the Committee.
       ``(2) Annual reports.--Not later than 540 days after the 
     date of enactment of this section, and annually thereafter, 
     the Committee shall submit to the Administrator and Congress 
     a report containing such findings, conclusions, and 
     recommendations as have been agreed to by the Committee.''.
       (b) Technical and Conforming Amendment.--The table of 
     sections for chapter 36 of title 44, United States Code, is 
     amended by adding at the end the following new items:

``3607. Definitions.
``3608. Federal Risk and Authorization Management Program.
``3609. Roles and responsibilities of the General Services 
              Administration.
``3610. FedRAMP Board.
``3611. Independent assessment.
``3612. Declaration of foreign interests.
``3613. Roles and responsibilities of agencies.
``3614. Roles and responsibilities of the Office of Management and 
              Budget.
``3615. Reports to Congress; GAO report.
``3616. Federal Secure Cloud Advisory Committee.''.
       (c) Sunset.--
       (1) In general.--Effective on the date that is 5 years 
     after the date of enactment of this Act, chapter 36 of title 
     44, United States Code, is amended by striking sections 3607 
     through 3616.
       (2) Conforming amendment.--Effective on the date that is 5 
     years after the date of enactment of this Act, the table of 
     sections for chapter 36 of title 44, United States Code, is 
     amended by striking the items relating to sections 3607 
     through 3616.
       (d) Rule of Construction.--Nothing in this section or any 
     amendment made by this section shall be construed as altering 
     or impairing the authorities of the Director of the Office of 
     Management and Budget or the Secretary of Homeland Security 
     under subchapter II of chapter 35 of title 44, United States 
     Code.

  Mr. PETERS. Mr. President, S. 3600 is commonsense, bipartisan 
legislation that will help protect critical infrastructure from the 
absolute relentless cyber attacks that we see that threaten both our 
economy as well as our national security.
  I appreciate Senator Portman working with me to get this legislation 
across the finish line. And I think this is especially important right 
now as we face increased risk of cyber attacks from Russia and the 
cyber criminals that they harbor in retaliation for our support for 
Ukraine.
  I appreciate the Senate for coming together here tonight to get this 
important landmark bill done.
  I yield the floor.
  The PRESIDING OFFICER. The majority leader.
  Mr. SCHUMER. Mr. President, just one more point.
  As we have always said, we in the Democratic majority want to work 
with our Republican colleagues on bipartisan legislation whenever we 
can, and this is an example of that.
  Obviously, there are times when we can't, and we will move forward. 
But the more we can get done and accomplished in a bipartisan way on 
important legislation like this, the better.
  So, once again, let me salute the bipartisan coalition led by Gary 
Peters and Rob Portman and so many others on both sides of the aisle 
who contributed to this very important legislation.

                          ____________________