[Congressional Record Volume 168, Number 37 (Tuesday, March 1, 2022)]
[Senate]
[Pages S896-S919]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
STRENGTHENING AMERICAN CYBERSECURITY ACT OF 2022
Mr. SCHUMER. Mr. President, now, on something that is very important
to this country, Senator Peters, in a minute, will move to pass the
Strengthening American Cybersecurity Act.
As we all know, protecting America--our government, our businesses,
our utilities, and so many of our entities--from cyber attack has been
very, very important over the last decade. It becomes even more
important now. As the war in Ukraine goes on and as Putin mounts his
illegal, immoral, and unprovoked attack, he is escalating cyber attacks
on democracies around the world. So, as the need to protect this
country from cyber attack is always very, very, very important, it has
assumed even greater importance now with Putin's fighting in Ukraine
and threatening cyber attacks throughout the world.
Today, the Senate is taking an urgently needed step to protect the
American people, American critical infrastructure, and American
Government institutions from the dangerous threat of cyber attacks. The
most important part of this provision will require our companies--our
individual businesses--to report cyber attacks when they occur.
There has been a reluctance on the part of many in the business
community to want to do this because it may expose them to other kinds
of harm, and maybe the public will not want to be involved in these
businesses, but the importance of the reporting is vital. When our
authorities in the government know of the attacks, they can prepare
against future attacks. They will know who is attacking, where they are
attacking, and how they are attacking. That will allow them to
strengthen our defenses against future cyber attacks. So this knowledge
of cyber attacks, caused by foreign entities or domestic entities, is
vital as America seeks to protect itself.
This legislation has been around for a while. For too long, certain
business interests opposed it, but now they have come to see the light,
and, in fact, we have a bipartisan agreement--unanimous in this
Chamber--that this bill move forward. That is very important for
America's security. It is more important than it ever has been. Cyber
warfare is truly one of the dark arts--specialized by Putin and his
authoritarian regime--and this bill will help to protect us from
Putin's attempted cyber attacks against our country.
Last year, I asked Chairman Peters and other relevant committee
chairs to draft legislation to counter the increased threat, and
Senator Peters has done an outstanding job. I want to commend him and
Senator Portman and so many others--Senator Warner among them--for
being heavily involved in this issue.
Tonight, we will pass legislation by unanimous consent. When this
legislation passes and is signed into law, America will be a safer
place from one of the greatest scourges we worry about--cyber attack. I
am glad we are doing this, and I am glad both sides have agreed.
I yield to Senator Peters, who, as I said, as chair of the HSGAC
Committee, has done a terrific job in shepherding this legislation
through the Senate.
The PRESIDING OFFICER. The Senator from Michigan.
Mr. PETERS. Mr. President, I ask unanimous consent that the Senate
[[Page S897]]
proceed to the immediate consideration of Calendar No. 265, S. 3600.
The PRESIDING OFFICER. The clerk will report the bill by title.
The senior assistant legislative clerk read as follows:
A bill (S. 3600) to improve the cybersecurity of the
Federal Government, and for other purposes.
There being no objection, the Senate proceeded to consider the bill.
Mr. PETERS. Mr. President, I ask unanimous consent that the Wicker
and Peters amendments, which are at the desk, be considered and agreed
to; that the bill, as amended, be considered read a third time and
passed; and that the motion to reconsider be considered made and laid
upon the table.
The PRESIDING OFFICER. Without objection, it is so ordered.
The amendment (No. 4954) was agreed to, as follows:
(Purpose: To improve the bill)
On page 18, strike line 10 and insert the following:
``agency.
``(o) Review of Office of Management and Budget Guidance
and Policy.--
``(1) Review.--
``(A) In general.--Not less frequently than once every 3
years, the Director, in consultation with the Chief
Information Officers Council, the Director of the
Cybersecurity and Infrastructure Security Agency, the
National Cyber Director, the Comptroller General of the
United States, and the Council of the Inspectors General on
Integrity and Efficiency, shall--
``(i) review the efficacy of the guidance and policy
developed by the Director under subsection (a)(1) in reducing
cybersecurity risks, including an assessment of the
requirements for agencies to report information to the
Director; and
``(ii) determine whether any changes to the guidance or
policy developed under subsection (a)(1) is appropriate.
``(B) Considerations.--In conducting the review required
under subparagraph (A), the Director shall consider--
``(i) the Federal risk assessments performed under
subsection (i);
``(ii) the cumulative reporting and compliance burden to
agencies; and
``(iii) the clarity of the requirements and deadlines
contained in guidance and policy documents.
``(2) Updated guidance.--Not later than 90 days after the
date on which a review is completed under paragraph (1), the
Director shall issue updated guidance or policy to agencies
determined appropriate by the Director, based on the results
of the review.
``(3) Public report.--Not later than 30 days after the date
on which the Director completes a review under paragraph (1),
the Director shall make publicly available a report that
includes--
``(A) an overview of the guidance and policy developed
under subsection (a)(1) that is in effect;
``(B) the cybersecurity risk mitigation, or other
cybersecurity benefit, offered by each guidance or policy
described in subparagraph (A);
``(C) a summary of the guidance or policy developed under
subsection (a)(1) to which changes were determined
appropriate during the review; and
``(D) the changes that are anticipated to be included in
the updated guidance or policy issued under paragraph (2).
``(4) Congressional briefing.--Not later than 60 days after
the date on which a review is completed under paragraph (1),
the Director shall provide to the Committee on Homeland
Security and Governmental Affairs of the Senate and the
Committee on Oversight and Reform of the House of
Representatives a briefing on the review.
``(p) Automated Standard Implementation Verification.--When
the Director of the National Institute of Standards and
Technology issues a proposed standard pursuant to paragraphs
(2) or (3) of section 20(a) of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3(a)), the
Director of the National Institute of Standards and
Technology shall consider developing and, if appropriate and
practical, develop, in consultation with the Director of the
Cybersecurity and Infrastructure Security Agency,
specifications to enable the automated verification of the
implementation of the controls within the standard.'';
On page 26, line 15, strike ``considering--'' and all that
follows through ``and'' on line 23 and insert ``considering
the agency risk assessment performed under subsection
(a)(1)(A); and''.
On page 74, strike line 10 and all that follows through
page 80, line 19.
On page 99, line 17, strike ``the use of--'' and all that
follows through ``additional'' on line 21 and insert ``the
use of additional''.
The amendment (No. 4953) was agreed to, as follows:
(Purpose: To amend the Federal Cybersecurity Enhancement Act of 2015 to
require Federal agencies to obtain exemptions from certain
cybersecurity requirements in order to avoid compliance with those
requirements)
At the end of title I, add the following:
SEC. 123. FEDERAL CYBERSECURITY REQUIREMENTS.
(a) Exemption From Federal Requirements.--Section 225(b)(2)
of the Federal Cybersecurity Enhancement Act of 2015 (6
U.S.C. 1523(b)(2)) is amended to read as follows:
``(2) Exception.--
``(A) In general.--A particular requirement under paragraph
(1) shall not apply to an agency information system of an
agency if--
``(i) with respect to the agency information system, the
head of the agency submits to the Director an application for
an exemption from the particular requirement, in which the
head of the agency personally certifies to the Director with
particularity that--
``(I) operational requirements articulated in the
certification and related to the agency information system
would make it excessively burdensome to implement the
particular requirement;
``(II) the particular requirement is not necessary to
secure the agency information system or agency information
stored on or transiting the agency information system; and
``(III) the agency has taken all necessary steps to secure
the agency information system and agency information stored
on or transiting the agency information system;
``(ii) the head of the agency or the designee of the head
of the agency has submitted the certification described in
clause (i) to the appropriate congressional committees and
any other congressional committee with jurisdiction over the
agency; and
``(iii) the Director grants the exemption from the
particular requirement.
``(B) Duration of exemption.--
``(i) In general.--An exemption granted under subparagraph
(A) shall expire on the date that is 1 year after the date on
which the Director granted the exemption.
``(ii) Renewal.--Upon the expiration of an exemption
granted to an agency under subparagraph (A), the head of the
agency may apply for an additional exemption.''.
(b) Report on Exemptions.--Section 3554(c)(1) of title 44,
United States Code, as amended by section 103(c) of this
title, is amended--
(1) in subparagraph (C), by striking ``and'' at the end;
(2) in subparagraph (D), by striking the period at the end
and inserting ``; and''; and
(3) by adding at the end the following:
``(E) with respect to any exemption the Director of the
Office of Management and Budget has granted the agency under
section 225(b)(2) of the Federal Cybersecurity Enhancement
Act of 2015 (6 U.S.C. 1523(b)(2)) that is effective on the
date of submission of the report--
``(i) an identification of each particular requirement from
which any agency information system (as defined in section
2210 of the Homeland Security Act of 2002 (6 U.S.C. 660)) is
exempted; and
``(ii) for each requirement identified under clause (i)--
``(I) an identification of the agency information system
described in clause (i) exempted from the requirement; and
``(II) an estimate of the date on which the agency will to
be able to comply with the requirement.''.
(c) Effective Date.--The amendments made by this section
shall take effect on the date that is 1 year after the date
of enactment of this Act.
The bill (S. 3600), as amended, was ordered to be engrossed for a
third reading, was read the third time, and passed as follows:
S. 3600
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Strengthening American
Cybersecurity Act of 2022''.
SEC. 2. TABLE OF CONTENTS.
The table of contents for this Act is as follows:
Sec. 1. Short title.
Sec. 2. Table of contents.
TITLE I--FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2022
Sec. 101. Short title.
Sec. 102. Definitions.
Sec. 103. Title 44 amendments.
Sec. 104. Amendments to subtitle III of title 40.
Sec. 105. Actions to enhance Federal incident transparency.
Sec. 106. Additional guidance to agencies on FISMA updates.
Sec. 107. Agency requirements to notify private sector entities
impacted by incidents.
Sec. 108. Mobile security standards.
Sec. 109. Data and logging retention for incident response.
Sec. 110. CISA agency advisors.
Sec. 111. Federal penetration testing policy.
Sec. 112. Ongoing threat hunting program.
Sec. 113. Codifying vulnerability disclosure programs.
Sec. 114. Implementing zero trust architecture.
Sec. 115. Automation reports.
Sec. 116. Extension of Federal acquisition security council and
software inventory.
Sec. 117. Council of the Inspectors General on Integrity and Efficiency
dashboard.
Sec. 118. Quantitative cybersecurity metrics.
Sec. 119. Establishment of risk-based budget model.
[[Page S898]]
Sec. 120. Active cyber defensive study.
Sec. 121. Security operations center as a service pilot.
Sec. 122. Extension of Chief Data Officer Council.
Sec. 123. Federal Cybersecurity Requirements.
TITLE II--CYBER INCIDENT REPORTING FOR CRITICAL INFRASTRUCTURE ACT OF
2022
Sec. 201. Short title.
Sec. 202. Definitions.
Sec. 203. Cyber incident reporting.
Sec. 204. Federal sharing of incident reports.
Sec. 205. Ransomware vulnerability warning pilot program.
Sec. 206. Ransomware threat mitigation activities.
Sec. 207. Congressional reporting.
TITLE III--FEDERAL SECURE CLOUD IMPROVEMENT AND JOBS ACT OF 2022
Sec. 301. Short title.
Sec. 302. Findings.
Sec. 303. Title 44 amendments.
TITLE I--FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2022
SEC. 101. SHORT TITLE.
This title may be cited as the ``Federal Information
Security Modernization Act of 2022''.
SEC. 102. DEFINITIONS.
In this title, unless otherwise specified:
(1) Additional cybersecurity procedure.--The term
``additional cybersecurity procedure'' has the meaning given
the term in section 3552(b) of title 44, United States Code,
as amended by this title.
(2) Agency.--The term ``agency'' has the meaning given the
term in section 3502 of title 44, United States Code.
(3) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Committee on Homeland Security and Governmental
Affairs of the Senate;
(B) the Committee on Oversight and Reform of the House of
Representatives; and
(C) the Committee on Homeland Security of the House of
Representatives.
(4) Director.--The term ``Director'' means the Director of
the Office of Management and Budget.
(5) Incident.--The term ``incident'' has the meaning given
the term in section 3552(b) of title 44, United States Code.
(6) National security system.--The term ``national security
system'' has the meaning given the term in section 3552(b) of
title 44, United States Code.
(7) Penetration test.--The term ``penetration test'' has
the meaning given the term in section 3552(b) of title 44,
United States Code, as amended by this title.
(8) Threat hunting.--The term ``threat hunting'' means
proactively and iteratively searching systems for threats
that evade detection by automated threat detection systems.
SEC. 103. TITLE 44 AMENDMENTS.
(a) Subchapter I Amendments.--Subchapter I of chapter 35 of
title 44, United States Code, is amended--
(1) in section 3504--
(A) in subsection (a)(1)(B)--
(i) by striking clause (v) and inserting the following:
``(v) confidentiality, privacy, disclosure, and sharing of
information;'';
(ii) by redesignating clause (vi) as clause (vii); and
(iii) by inserting after clause (v) the following:
``(vi) in consultation with the National Cyber Director,
security of information; and''; and
(B) in subsection (g), by striking paragraph (1) and
inserting the following:
``(1) develop and oversee the implementation of policies,
principles, standards, and guidelines on privacy,
confidentiality, disclosure, and sharing, and in consultation
with the National Cyber Director, oversee the implementation
of policies, principles, standards, and guidelines on
security, of information collected or maintained by or for
agencies; and'';
(2) in section 3505--
(A) by striking the first subsection designated as
subsection (c);
(B) in paragraph (2) of the second subsection designated as
subsection (c), by inserting ``an identification of internet
accessible information systems and'' after ``an inventory
under this subsection shall include'';
(C) in paragraph (3) of the second subsection designated as
subsection (c)--
(i) in subparagraph (B)--
(I) by inserting ``the Director of the Cybersecurity and
Infrastructure Security Agency, the National Cyber Director,
and'' before ``the Comptroller General''; and
(II) by striking ``and'' at the end;
(ii) in subparagraph (C)(v), by striking the period at the
end and inserting ``; and''; and
(iii) by adding at the end the following:
``(D) maintained on a continual basis through the use of
automation, machine-readable data, and scanning, wherever
practicable.'';
(3) in section 3506--
(A) in subsection (a)(3), by inserting ``In carrying out
these duties, the Chief Information Officer shall coordinate,
as appropriate, with the Chief Data Officer in accordance
with the designated functions under section 3520(c).'' after
``reduction of information collection burdens on the
public.'';
(B) in subsection (b)(1)(C), by inserting ``,
availability'' after ``integrity''; and
(C) in subsection (h)(3), by inserting ``security,'' after
``efficiency,''; and
(4) in section 3513--
(A) by redesignating subsection (c) as subsection (d); and
(B) by inserting after subsection (b) the following:
``(c) Each agency providing a written plan under subsection
(b) shall provide any portion of the written plan addressing
information security to the Secretary of the Department of
Homeland Security and the National Cyber Director.''.
(b) Subchapter II Definitions.--
(1) In general.--Section 3552(b) of title 44, United States
Code, is amended--
(A) by redesignating paragraphs (1), (2), (3), (4), (5),
(6), and (7) as paragraphs (2), (4), (5), (6), (7), (9), and
(11), respectively;
(B) by inserting before paragraph (2), as so redesignated,
the following:
``(1) The term `additional cybersecurity procedure' means a
process, procedure, or other activity that is established in
excess of the information security standards promulgated
under section 11331(b) of title 40 to increase the security
and reduce the cybersecurity risk of agency systems.'';
(C) by inserting after paragraph (2), as so redesignated,
the following:
``(3) The term `high value asset' means information or an
information system that the head of an agency, using
policies, principles, standards, or guidelines issued by the
Director under section 3553(a), determines to be so critical
to the agency that the loss or corruption of the information
or the loss of access to the information system would have a
serious impact on the ability of the agency to perform the
mission of the agency or conduct business.'';
(D) by inserting after paragraph (7), as so redesignated,
the following:
``(8) The term `major incident' has the meaning given the
term in guidance issued by the Director under section
3598(a).'';
(E) by inserting after paragraph (9), as so redesignated,
the following:
``(10) The term `penetration test'--
``(A) means an authorized assessment that emulates attempts
to gain unauthorized access to, or disrupt the operations of,
an information system or component of an information system;
and
``(B) includes any additional meaning given the term in
policies, principles, standards, or guidelines issued by the
Director under section 3553(a).''; and
(F) by inserting after paragraph (11), as so redesignated,
the following:
``(12) The term `shared service' means a centralized
business or mission capability that is provided to multiple
organizations within an agency or to multiple agencies.''.
(2) Conforming amendments.--
(A) Homeland security act of 2002.--Section 1001(c)(1)(A)
of the Homeland Security Act of 2002 (6 U.S.C. 511(1)(A)) is
amended by striking ``section 3552(b)(5)'' and inserting
``section 3552(b)''.
(B) Title 10.--
(i) Section 2222.--Section 2222(i)(8) of title 10, United
States Code, is amended by striking ``section 3552(b)(6)(A)''
and inserting ``section 3552(b)(9)(A)''.
(ii) Section 2223.--Section 2223(c)(3) of title 10, United
States Code, is amended by striking ``section 3552(b)(6)''
and inserting ``section 3552(b)''.
(iii) Section 2315.--Section 2315 of title 10, United
States Code, is amended by striking ``section 3552(b)(6)''
and inserting ``section 3552(b)''.
(iv) Section 2339a.--Section 2339a(e)(5) of title 10,
United States Code, is amended by striking ``section
3552(b)(6)'' and inserting ``section 3552(b)''.
(C) High-performance computing act of 1991.--Section 207(a)
of the High-Performance Computing Act of 1991 (15 U.S.C.
5527(a)) is amended by striking ``section 3552(b)(6)(A)(i)''
and inserting ``section 3552(b)(9)(A)(i)''.
(D) Internet of things cybersecurity improvement act of
2020.--Section 3(5) of the Internet of Things Cybersecurity
Improvement Act of 2020 (15 U.S.C. 278g-3a) is amended by
striking ``section 3552(b)(6)'' and inserting ``section
3552(b)''.
(E) National defense authorization act for fiscal year
2013.--Section 933(e)(1)(B) of the National Defense
Authorization Act for Fiscal Year 2013 (10 U.S.C. 2224 note)
is amended by striking ``section 3542(b)(2)'' and inserting
``section 3552(b)''.
(F) Ike skelton national defense authorization act for
fiscal year 2011.--The Ike Skelton National Defense
Authorization Act for Fiscal Year 2011 (Public Law 111-383)
is amended--
(i) in section 806(e)(5) (10 U.S.C. 2304 note), by striking
``section 3542(b)'' and inserting ``section 3552(b)'';
(ii) in section 931(b)(3) (10 U.S.C. 2223 note), by
striking ``section 3542(b)(2)'' and inserting ``section
3552(b)''; and
(iii) in section 932(b)(2) (10 U.S.C. 2224 note), by
striking ``section 3542(b)(2)'' and inserting ``section
3552(b)''.
(G) E-government act of 2002.--Section 301(c)(1)(A) of the
E-Government Act of 2002 (44 U.S.C. 3501 note) is amended by
striking ``section 3542(b)(2)'' and inserting ``section
3552(b)''.
(H) National institute of standards and technology act.--
Section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) is amended--
(i) in subsection (a)(2), by striking ``section
3552(b)(5)'' and inserting ``section 3552(b)''; and
(ii) in subsection (f)--
(I) in paragraph (3), by striking ``section 3532(1)'' and
inserting ``section 3552(b)''; and
[[Page S899]]
(II) in paragraph (5), by striking ``section 3532(b)(2)''
and inserting ``section 3552(b)''.
(c) Subchapter II Amendments.--Subchapter II of chapter 35
of title 44, United States Code, is amended--
(1) in section 3551--
(A) in paragraph (4), by striking ``diagnose and improve''
and inserting ``integrate, deliver, diagnose, and improve'';
(B) in paragraph (5), by striking ``and'' at the end;
(C) in paragraph (6), by striking the period at the end and
inserting a semi colon; and
(D) by adding at the end the following:
``(7) recognize that each agency has specific mission
requirements and, at times, unique cybersecurity requirements
to meet the mission of the agency;
``(8) recognize that each agency does not have the same
resources to secure agency systems, and an agency should not
be expected to have the capability to secure the systems of
the agency from advanced adversaries alone; and
``(9) recognize that a holistic Federal cybersecurity model
is necessary to account for differences between the missions
and capabilities of agencies.'';
(2) in section 3553--
(A) in subsection (a)--
(i) in paragraph (1), by inserting ``, in consultation with
the Secretary and the National Cyber Director,'' before
``overseeing'';
(ii) in paragraph (5), by striking ``and'' at the end; and
(iii) by adding at the end the following:
``(8) promoting, in consultation with the Director of the
Cybersecurity and Infrastructure Security Agency, the
National Cyber Director, and the Director of the National
Institute of Standards and Technology--
``(A) the use of automation to improve Federal
cybersecurity and visibility with respect to the
implementation of Federal cybersecurity; and
``(B) the use of presumption of compromise and least
privilege principles to improve resiliency and timely
response actions to incidents on Federal systems.'';
(B) in subsection (b)--
(i) in the matter preceding paragraph (1), by inserting
``and the National Cyber Director'' after ``Director''; and
(ii) in paragraph (2)(A), by inserting ``and reporting
requirements under subchapter IV of this chapter'' after
``section 3556''; and
(C) in subsection (c)--
(i) in the matter preceding paragraph (1)--
(I) by striking ``each year'' and inserting ``each year
during which agencies are required to submit reports under
section 3554(c)''; and
(II) by striking ``preceding year'' and inserting
``preceding 2 years'';
(ii) by striking paragraph (1);
(iii) by redesignating paragraphs (2), (3), and (4) as
paragraphs (1), (2), and (3), respectively;
(iv) in paragraph (3), as so redesignated, by striking
``and'' at the end;
(v) by inserting after paragraph (3), as so redesignated
the following:
``(4) a summary of each assessment of Federal risk posture
performed under subsection (i);''; and
(vi) in paragraph (5), by striking the period at the end
and inserting ``; and'';
(D) by redesignating subsections (i), (j), (k), and (l) as
subsections (j), (k), (l), and (m) respectively;
(E) by inserting after subsection (h) the following:
``(i) Federal Risk Assessments.--On an ongoing and
continuous basis, the Director of the Cybersecurity and
Infrastructure Security Agency shall perform assessments of
Federal risk posture using any available information on the
cybersecurity posture of agencies, and brief the Director and
National Cyber Director on the findings of those assessments
including--
``(1) the status of agency cybersecurity remedial actions
described in section 3554(b)(7);
``(2) any vulnerability information relating to the systems
of an agency that is known by the agency;
``(3) analysis of incident information under section 3597;
``(4) evaluation of penetration testing performed under
section 3559A;
``(5) evaluation of vulnerability disclosure program
information under section 3559B;
``(6) evaluation of agency threat hunting results;
``(7) evaluation of Federal and non-Federal cyber threat
intelligence;
``(8) data on agency compliance with standards issued under
section 11331 of title 40;
``(9) agency system risk assessments performed under
section 3554(a)(1)(A); and
``(10) any other information the Director of the
Cybersecurity and Infrastructure Security Agency determines
relevant.'';
(F) in subsection (j), as so redesignated--
(i) by striking ``regarding the specific'' and inserting
``that includes a summary of--
``(1) the specific'';
(ii) in paragraph (1), as so designated, by striking the
period at the end and inserting ``; and'' and
(iii) by adding at the end the following:
``(2) the trends identified in the Federal risk assessment
performed under subsection (i).''; and
(G) by adding at the end the following:
``(n) Binding Operational Directives.--If the Director of
the Cybersecurity and Infrastructure Security Agency issues a
binding operational directive or an emergency directive under
this section, not later than 4 days after the date on which
the binding operational directive requires an agency to take
an action, the Director of the Cybersecurity and
Infrastructure Security Agency shall provide to the Director,
National Cyber Director, the Committee on Homeland Security
and Governmental Affairs of the Senate and the Committee on
Oversight and Reform of the House of Representatives the
status of the implementation of the binding operational
directive at the agency.
``(o) Review of Office of Management and Budget Guidance
and Policy.--
``(1) Review.--
``(A) In general.--Not less frequently than once every 3
years, the Director, in consultation with the Chief
Information Officers Council, the Director of the
Cybersecurity and Infrastructure Security Agency, the
National Cyber Director, the Comptroller General of the
United States, and the Council of the Inspectors General on
Integrity and Efficiency, shall--
``(i) review the efficacy of the guidance and policy
developed by the Director under subsection (a)(1) in reducing
cybersecurity risks, including an assessment of the
requirements for agencies to report information to the
Director; and
``(ii) determine whether any changes to the guidance or
policy developed under subsection (a)(1) is appropriate.
``(B) Considerations.--In conducting the review required
under subparagraph (A), the Director shall consider--
``(i) the Federal risk assessments performed under
subsection (i);
``(ii) the cumulative reporting and compliance burden to
agencies; and
``(iii) the clarity of the requirements and deadlines
contained in guidance and policy documents.
``(2) Updated guidance.--Not later than 90 days after the
date on which a review is completed under paragraph (1), the
Director shall issue updated guidance or policy to agencies
determined appropriate by the Director, based on the results
of the review.
``(3) Public report.--Not later than 30 days after the date
on which the Director completes a review under paragraph (1),
the Director shall make publicly available a report that
includes--
``(A) an overview of the guidance and policy developed
under subsection (a)(1) that is in effect;
``(B) the cybersecurity risk mitigation, or other
cybersecurity benefit, offered by each guidance or policy
described in subparagraph (A);
``(C) a summary of the guidance or policy developed under
subsection (a)(1) to which changes were determined
appropriate during the review; and
``(D) the changes that are anticipated to be included in
the updated guidance or policy issued under paragraph (2).
``(4) Congressional briefing.--Not later than 60 days after
the date on which a review is completed under paragraph (1),
the Director shall provide to the Committee on Homeland
Security and Governmental Affairs of the Senate and the
Committee on Oversight and Reform of the House of
Representatives a briefing on the review.
``(p) Automated Standard Implementation Verification.--When
the Director of the National Institute of Standards and
Technology issues a proposed standard pursuant to paragraphs
(2) or (3) of section 20(a) of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3(a)), the
Director of the National Institute of Standards and
Technology shall consider developing and, if appropriate and
practical, develop, in consultation with the Director of the
Cybersecurity and Infrastructure Security Agency,
specifications to enable the automated verification of the
implementation of the controls within the standard.'';
(3) in section 3554--
(A) in subsection (a)--
(i) in paragraph (1)--
(I) by redesignating subparagraphs (A), (B), and (C) as
subparagraphs (B), (C), and (D), respectively;
(II) by inserting before subparagraph (B), as so
redesignated, the following:
``(A) on an ongoing and continuous basis, performing agency
system risk assessments that--
``(i) identify and document the high value assets of the
agency using guidance from the Director;
``(ii) evaluate the data assets inventoried under section
3511 for sensitivity to compromises in confidentiality,
integrity, and availability;
``(iii) identify agency systems that have access to or hold
the data assets inventoried under section 3511;
``(iv) evaluate the threats facing agency systems and data,
including high value assets, based on Federal and non-Federal
cyber threat intelligence products, where available;
``(v) evaluate the vulnerability of agency systems and
data, including high value assets, including by analyzing--
``(I) the results of penetration testing performed by the
Department of Homeland Security under section 3553(b)(9);
``(II) the results of penetration testing performed under
section 3559A;
``(III) information provided to the agency through the
vulnerability disclosure program of the agency under section
3559B;
``(IV) incidents; and
``(V) any other vulnerability information relating to
agency systems that is known to the agency;
``(vi) assess the impacts of potential agency incidents to
agency systems, data, and operations based on the evaluations
described
[[Page S900]]
in clauses (ii) and (iv) and the agency systems identified
under clause (iii); and
``(vii) assess the consequences of potential incidents
occurring on agency systems that would impact systems at
other agencies, including due to interconnectivity between
different agency systems or operational reliance on the
operations of the system or data in the system;'';
(III) in subparagraph (B), as so redesignated, in the
matter preceding clause (i), by striking ``providing
information'' and inserting ``using information from the
assessment conducted under subparagraph (A), providing
information'';
(IV) in subparagraph (C), as so redesignated--
(aa) in clause (ii) by inserting ``binding'' before
``operational''; and
(bb) in clause (vi), by striking ``and'' at the end; and
(V) by adding at the end the following:
``(E) providing an update on the ongoing and continuous
assessment performed under subparagraph (A)--
``(i) upon request, to the inspector general of the agency
or the Comptroller General of the United States; and
``(ii) on a periodic basis, as determined by guidance
issued by the Director but not less frequently than annually,
to--
``(I) the Director;
``(II) the Director of the Cybersecurity and Infrastructure
Security Agency; and
``(III) the National Cyber Director;
``(F) in consultation with the Director of the
Cybersecurity and Infrastructure Security Agency and not less
frequently than once every 3 years, performing an evaluation
of whether additional cybersecurity procedures are
appropriate for securing a system of, or under the
supervision of, the agency, which shall--
``(i) be completed considering the agency system risk
assessment performed under subparagraph (A); and
``(ii) include a specific evaluation for high value assets;
``(G) not later than 30 days after completing the
evaluation performed under subparagraph (F), providing the
evaluation and an implementation plan, if applicable, for
using additional cybersecurity procedures determined to be
appropriate to--
``(i) the Director of the Cybersecurity and Infrastructure
Security Agency;
``(ii) the Director; and
``(iii) the National Cyber Director; and
``(H) if the head of the agency determines there is need
for additional cybersecurity procedures, ensuring that those
additional cybersecurity procedures are reflected in the
budget request of the agency;'';
(ii) in paragraph (2)--
(I) in subparagraph (A), by inserting ``in accordance with
the agency system risk assessment performed under paragraph
(1)(A)'' after ``information systems'';
(II) in subparagraph (B)--
(aa) by striking ``in accordance with standards'' and
inserting ``in accordance with--
``(i) standards''; and
(bb) by adding at the end the following:
``(ii) the evaluation performed under paragraph (1)(F); and
``(iii) the implementation plan described in paragraph
(1)(G);''; and
(III) in subparagraph (D), by inserting ``, through the use
of penetration testing, the vulnerability disclosure program
established under section 3559B, and other means,'' after
``periodically'';
(iii) in paragraph (3)--
(I) in subparagraph (A)--
(aa) in clause (iii), by striking ``and'' at the end;
(bb) in clause (iv), by adding ``and'' at the end; and
(cc) by adding at the end the following:
``(v) ensure that--
``(I) senior agency information security officers of
component agencies carry out responsibilities under this
subchapter, as directed by the senior agency information
security officer of the agency or an equivalent official; and
``(II) senior agency information security officers of
component agencies report to--
``(aa) the senior information security officer of the
agency or an equivalent official; and
``(bb) the Chief Information Officer of the component
agency or an equivalent official;''; and
(iv) in paragraph (5), by inserting ``and the Director of
the Cybersecurity and Infrastructure Security Agency'' before
``on the effectiveness'';
(B) in subsection (b)--
(i) by striking paragraph (1) and inserting the following:
``(1) pursuant to subsection (a)(1)(A), performing ongoing
and continuous agency system risk assessments, which may
include using guidelines and automated tools consistent with
standards and guidelines promulgated under section 11331 of
title 40, as applicable;'';
(ii) in paragraph (2)--
(I) by striking subparagraph (B) and inserting the
following:
``(B) comply with the risk-based cyber budget model
developed pursuant to section 3553(a)(7);''; and
(II) in subparagraph (D)--
(aa) by redesignating clauses (iii) and (iv) as clauses
(iv) and (v), respectively;
(bb) by inserting after clause (ii) the following:
``(iii) binding operational directives and emergency
directives promulgated by the Director of the Cybersecurity
and Infrastructure Security Agency under section 3553;''; and
(cc) in clause (iv), as so redesignated, by striking ``as
determined by the agency; and'' and inserting ``as determined
by the agency, considering the agency risk assessment
performed under subsection (a)(1)(A); and
(iii) in paragraph (5)(A), by inserting ``, including
penetration testing, as appropriate,'' after ``shall include
testing'';
(iv) in paragraph (6), by striking ``planning,
implementing, evaluating, and documenting'' and inserting
``planning and implementing and, in consultation with the
Director of the Cybersecurity and Infrastructure Security
Agency, evaluating and documenting'';
(v) by redesignating paragraphs (7) and (8) as paragraphs
(8) and (9), respectively;
(vi) by inserting after paragraph (6) the following:
``(7) a process for providing the status of every remedial
action and unremediated identified system vulnerability to
the Director and the Director of the Cybersecurity and
Infrastructure Security Agency, using automation and machine-
readable data to the greatest extent practicable;''; and
(vii) in paragraph (8)(C), as so redesignated--
(I) by striking clause (ii) and inserting the following:
``(ii) notifying and consulting with the Federal
information security incident center established under
section 3556 pursuant to the requirements of section 3594;'';
(II) by redesignating clause (iii) as clause (iv);
(III) by inserting after clause (ii) the following:
``(iii) performing the notifications and other activities
required under subchapter IV of this chapter; and''; and
(IV) in clause (iv), as so redesignated--
(aa) in subclause (I), by striking ``and relevant offices
of inspectors general'';
(bb) in subclause (II), by adding ``and'' at the end;
(cc) by striking subclause (III); and
(dd) by redesignating subclause (IV) as subclause (III);
(C) in subsection (c)--
(i) by redesignating paragraph (2) as paragraph (5);
(ii) by striking paragraph (1) and inserting the following:
``(1) Biannual report.--Not later than 2 years after the
date of enactment of the Federal Information Security
Modernization Act of 2022 and not less frequently than once
every 2 years thereafter, using the continuous and ongoing
agency system risk assessment under subsection (a)(1)(A), the
head of each agency shall submit to the Director, the
Director of the Cybersecurity and Infrastructure Security
Agency, the majority and minority leaders of the Senate, the
Speaker and minority leader of the House of Representatives,
the Committee on Homeland Security and Governmental Affairs
of the Senate, the Committee on Oversight and Reform of the
House of Representatives, the Committee on Homeland Security
of the House of Representatives, the Committee on Commerce,
Science, and Transportation of the Senate, the Committee on
Science, Space, and Technology of the House of
Representatives, the appropriate authorization and
appropriations committees of Congress, the National Cyber
Director, and the Comptroller General of the United States a
report that--
``(A) summarizes the agency system risk assessment
performed under subsection (a)(1)(A);
``(B) evaluates the adequacy and effectiveness of
information security policies, procedures, and practices of
the agency to address the risks identified in the agency
system risk assessment performed under subsection (a)(1)(A),
including an analysis of the agency's cybersecurity and
incident response capabilities using the metrics established
under section 224(c) of the Cybersecurity Act of 2015 (6
U.S.C. 1522(c));
``(C) summarizes the evaluation and implementation plans
described in subparagraphs (F) and (G) of subsection (a)(1)
and whether those evaluation and implementation plans call
for the use of additional cybersecurity procedures determined
to be appropriate by the agency; and
``(D) summarizes the status of remedial actions identified
by inspector general of the agency, the Comptroller General
of the United States, and any other source determined
appropriate by the head of the agency.
``(2) Unclassified reports.--Each report submitted under
paragraph (1)--
``(A) shall be, to the greatest extent practicable, in an
unclassified and otherwise uncontrolled form; and
``(B) may include a classified annex.
``(3) Access to information.--The head of an agency shall
ensure that, to the greatest extent practicable, information
is included in the unclassified form of the report submitted
by the agency under paragraph (2)(A).
``(4) Briefings.--During each year during which a report is
not required to be submitted under paragraph (1), the
Director shall provide to the congressional committees
described in paragraph (1) a briefing summarizing current
agency and Federal risk postures.''; and
(iii) in paragraph (5), as so redesignated, by striking the
period at the end and inserting ``, including the reporting
procedures established under section 11315(d) of title 40 and
subsection (a)(3)(A)(v) of this section''; and
(D) in subsection (d)(1), in the matter preceding
subparagraph (A), by inserting ``and
[[Page S901]]
the National Cyber Director'' after ``the Director''; and
(E) by adding at the end the following:
``(f) Reporting Structure Exemption.--
``(1) In general.--On an annual basis, the Director may
exempt an agency from the reporting structure requirement
under subsection (a)(3)(A)(v)(II).
``(2) Report.--On an annual basis, the Director shall
submit a report to the Committee on Homeland Security and
Governmental Affairs of the Senate and the Committee on
Oversight and Reform of the House of Representatives that
includes a list of each exemption granted under paragraph (1)
and the associated rationale for each exemption.
``(3) Component of other report.--The report required under
paragraph (2) may be incorporated into any other annual
report required under this chapter.'';
(4) in section 3555--
(A) in the section heading, by striking ``annual
independent'' and inserting ``independent'';
(B) in subsection (a)--
(i) in paragraph (1), by inserting ``during which a report
is required to be submitted under section 3553(c),'' after
``Each year'';
(ii) in paragraph (2)(A), by inserting ``, including by
penetration testing and analyzing the vulnerability
disclosure program of the agency'' after ``information
systems''; and
(iii) by adding at the end the following:
``(3) An evaluation under this section may include
recommendations for improving the cybersecurity posture of
the agency.'';
(C) in subsection (b)(1), by striking ``annual'';
(D) in subsection (e)(1), by inserting ``during which a
report is required to be submitted under section 3553(c)''
after ``Each year'';
(E) by striking subsection (f) and inserting the following:
``(f) Protection of Information.--(1) Agencies, evaluators,
and other recipients of information that, if disclosed, may
cause grave harm to the efforts of Federal information
security officers, shall take appropriate steps to ensure the
protection of that information, including safeguarding the
information from public disclosure.
``(2) The protections required under paragraph (1) shall be
commensurate with the risk and comply with all applicable
laws and regulations.
``(3) With respect to information that is not related to
national security systems, agencies and evaluators shall make
a summary of the information unclassified and publicly
available, including information that does not identify--
``(A) specific information system incidents; or
``(B) specific information system vulnerabilities.'';
(F) in subsection (g)(2)--
(i) by striking ``this subsection shall'' and inserting
``this subsection--
``(A) shall'';
(ii) in subparagraph (A), as so designated, by striking the
period at the end and inserting ``; and''; and
(iii) by adding at the end the following:
``(B) identify any entity that performs an independent
evaluation under subsection (b).''; and
(G) by striking subsection (j) and inserting the following:
``(j) Guidance.--
``(1) In general.--The Director, in consultation with the
Director of the Cybersecurity and Infrastructure Security
Agency, the Chief Information Officers Council, the Council
of the Inspectors General on Integrity and Efficiency, and
other interested parties as appropriate, shall ensure the
development of risk-based guidance for evaluating the
effectiveness of an information security program and
practices
``(2) Priorities.--The risk-based guidance developed under
paragraph (1) shall include--
``(A) the identification of the most common successful
threat patterns experienced by each agency;
``(B) the identification of security controls that address
the threat patterns described in subparagraph (A);
``(C) any other security risks unique to the networks of
each agency; and
``(D) any other element the Director, in consultation with
the Director of the Cybersecurity and Infrastructure Security
Agency and the Council of the Inspectors General on Integrity
and Efficiency, determines appropriate.''; and
(5) in section 3556(a)--
(A) in the matter preceding paragraph (1), by inserting
``within the Cybersecurity and Infrastructure Security
Agency'' after ``incident center''; and
(B) in paragraph (4), by striking ``3554(b)'' and inserting
``3554(a)(1)(A)''.
(d) Conforming Amendments.--
(1) Table of sections.--The table of sections for chapter
35 of title 44, United States Code, is amended by striking
the item relating to section 3555 and inserting the
following:
``3555. Independent evaluation''.
(2) OMB reports.--Section 226(c) of the Cybersecurity Act
of 2015 (6 U.S.C. 1524(c)) is amended--
(A) in paragraph (1)(B), in the matter preceding clause
(i), by striking ``annually thereafter'' and inserting
``thereafter during the years during which a report is
required to be submitted under section 3553(c) of title 44,
United States Code''; and
(B) in paragraph (2)(B), in the matter preceding clause
(i)--
(i) by striking ``annually thereafter'' and inserting
``thereafter during the years during which a report is
required to be submitted under section 3553(c) of title 44,
United States Code''; and
(ii) by striking ``the report required under section
3553(c) of title 44, United States Code'' and inserting
``that report''.
(3) NIST responsibilities.--Section 20(d)(3)(B) of the
National Institute of Standards and Technology Act (15 U.S.C.
278g-3(d)(3)(B)) is amended by striking ``annual''.
(e) Federal System Incident Response.--
(1) In general.--Chapter 35 of title 44, United States
Code, is amended by adding at the end the following:
``SUBCHAPTER IV--FEDERAL SYSTEM INCIDENT RESPONSE
``Sec. 3591. Definitions
``(a) In General.--Except as provided in subsection (b),
the definitions under sections 3502 and 3552 shall apply to
this subchapter.
``(b) Additional Definitions.--As used in this subchapter:
``(1) Appropriate reporting entities.--The term
`appropriate reporting entities' means--
``(A) the majority and minority leaders of the Senate;
``(B) the Speaker and minority leader of the House of
Representatives;
``(C) the Committee on Homeland Security and Governmental
Affairs of the Senate;
``(D) the Committee on Oversight and Reform of the House of
Representatives;
``(E) the Committee on Homeland Security of the House of
Representatives;
``(F) the appropriate authorization and appropriations
committees of Congress;
``(G) the Director;
``(H) the Director of the Cybersecurity and Infrastructure
Security Agency;
``(I) the National Cyber Director;
``(J) the Comptroller General of the United States; and
``(K) the inspector general of any impacted agency.
``(2) Awardee.--The term `awardee'--
``(A) means a person, business, or other entity that
receives a grant from, or is a party to a cooperative
agreement or an other transaction agreement with, an agency;
and
``(B) includes any subgrantee of a person, business, or
other entity described in subparagraph (A).
``(3) Breach.--The term `breach'--
``(A) means the loss, control, compromise, unauthorized
disclosure, or unauthorized acquisition of personally
identifiable information or any similar occurrence; and
``(B) includes any additional meaning given the term in
policies, principles, standards, or guidelines issued by the
Director under section 3553(a).
``(4) Contractor.--The term `contractor' means a prime
contractor of an agency or a subcontractor of a prime
contractor of an agency.
``(5) Federal information.--The term `Federal information'
means information created, collected, processed, maintained,
disseminated, disclosed, or disposed of by or for the Federal
Government in any medium or form.
``(6) Federal information system.--The term `Federal
information system' means an information system used or
operated by an agency, a contractor, an awardee, or another
organization on behalf of an agency.
``(7) Intelligence community.--The term `intelligence
community' has the meaning given the term in section 3 of the
National Security Act of 1947 (50 U.S.C. 3003).
``(8) Nationwide consumer reporting agency.--The term
`nationwide consumer reporting agency' means a consumer
reporting agency described in section 603(p) of the Fair
Credit Reporting Act (15 U.S.C. 1681a(p)).
``(9) Vulnerability disclosure.--The term `vulnerability
disclosure' means a vulnerability identified under section
3559B.
``Sec. 3592. Notification of breach
``(a) Notification.--As expeditiously as practicable and
without unreasonable delay, and in any case not later than 45
days after an agency has a reasonable basis to conclude that
a breach has occurred, the head of the agency, in
consultation with a senior privacy officer of the agency,
shall--
``(1) determine whether notice to any individual
potentially affected by the breach is appropriate based on an
assessment of the risk of harm to the individual that
considers--
``(A) the nature and sensitivity of the personally
identifiable information affected by the breach;
``(B) the likelihood of access to and use of the personally
identifiable information affected by the breach;
``(C) the type of breach; and
``(D) any other factors determined by the Director; and
``(2) as appropriate, provide written notice in accordance
with subsection (b) to each individual potentially affected
by the breach--
``(A) to the last known mailing address of the individual;
or
``(B) through an appropriate alternative method of
notification that the head of the agency or a designated
senior-level individual of the agency selects based on
factors determined by the Director.
``(b) Contents of Notice.--Each notice of a breach provided
to an individual under subsection (a)(2) shall include--
``(1) a brief description of the breach;
``(2) if possible, a description of the types of personally
identifiable information affected by the breach;
[[Page S902]]
``(3) contact information of the agency that may be used to
ask questions of the agency, which--
``(A) shall include an e-mail address or another digital
contact mechanism; and
``(B) may include a telephone number, mailing address, or a
website;
``(4) information on any remedy being offered by the
agency;
``(5) any applicable educational materials relating to what
individuals can do in response to a breach that potentially
affects their personally identifiable information, including
relevant contact information for Federal law enforcement
agencies and each nationwide consumer reporting agency; and
``(6) any other appropriate information, as determined by
the head of the agency or established in guidance by the
Director.
``(c) Delay of Notification.--
``(1) In general.--The Attorney General, the Director of
National Intelligence, or the Secretary of Homeland Security
may delay a notification required under subsection (a) or (d)
if the notification would--
``(A) impede a criminal investigation or a national
security activity;
``(B) reveal sensitive sources and methods;
``(C) cause damage to national security; or
``(D) hamper security remediation actions.
``(2) Documentation.--
``(A) In general.--Any delay under paragraph (1) shall be
reported in writing to the Director, the Attorney General,
the Director of National Intelligence, the Secretary of
Homeland Security, the National Cyber Director, the Director
of the Cybersecurity and Infrastructure Security Agency, and
the head of the agency and the inspector general of the
agency that experienced the breach.
``(B) Contents.--A report required under subparagraph (A)
shall include a written statement from the entity that
delayed the notification explaining the need for the delay.
``(C) Form.--The report required under subparagraph (A)
shall be unclassified but may include a classified annex.
``(3) Renewal.--A delay under paragraph (1) shall be for a
period of 60 days and may be renewed.
``(d) Update Notification.--If an agency determines there
is a significant change in the reasonable basis to conclude
that a breach occurred, a significant change to the
determination made under subsection (a)(1), or that it is
necessary to update the details of the information provided
to potentially affected individuals as described in
subsection (b), the agency shall as expeditiously as
practicable and without unreasonable delay, and in any case
not later than 30 days after such a determination, notify
each individual who received a notification pursuant to
subsection (a) of those changes.
``(e) Rule of Construction.--Nothing in this section shall
be construed to limit--
``(1) the Director from issuing guidance relating to
notifications or the head of an agency from notifying
individuals potentially affected by breaches that are not
determined to be major incidents; or
``(2) the Director from issuing guidance relating to
notifications of major incidents or the head of an agency
from providing more information than described in subsection
(b) when notifying individuals potentially affected by
breaches.
``Sec. 3593. Congressional and Executive Branch reports
``(a) Initial Report.--
``(1) In general.--Not later than 72 hours after an agency
has a reasonable basis to conclude that a major incident
occurred, the head of the agency impacted by the major
incident shall submit to the appropriate reporting entities a
written report and, to the extent practicable, provide a
briefing to the Committee on Homeland Security and
Governmental Affairs of the Senate, the Committee on
Oversight and Reform of the House of Representatives, the
Committee on Homeland Security of the House of
Representatives, and the appropriate authorization and
appropriations committees of Congress, taking into account--
``(A) the information known at the time of the report;
``(B) the sensitivity of the details associated with the
major incident; and
``(C) the classification level of the information contained
in the report.
``(2) Contents.--A report required under paragraph (1)
shall include, in a manner that excludes or otherwise
reasonably protects personally identifiable information and
to the extent permitted by applicable law, including privacy
and statistical laws--
``(A) a summary of the information available about the
major incident, including how the major incident occurred,
information indicating that the major incident may be a
breach, and information relating to the major incident as a
breach, based on information available to agency officials as
of the date on which the agency submits the report;
``(B) if applicable, a description and any associated
documentation of any circumstances necessitating a delay in a
notification to individuals potentially affected by the major
incident under section 3592(c);
``(C) if applicable, an assessment of the impacts to the
agency, the Federal Government, or the security of the United
States, based on information available to agency officials on
the date on which the agency submits the report; and
``(D) if applicable, whether any ransom has been demanded
or paid, or plans to be paid, by any entity operating a
Federal information system or with access to a Federal
information system, unless disclosure of such information may
disrupt an active Federal law enforcement or national
security operation.
``(b) Supplemental Report.--Within a reasonable amount of
time, but not later than 30 days after the date on which an
agency submits a written report under subsection (a), the
head of the agency shall provide to the appropriate reporting
entities written updates, which may include classified
annexes, on the major incident and, to the extent
practicable, provide a briefing, which may include a
classified component, to the congressional committees
described in subsection (a)(1), including summaries of--
``(1) vulnerabilities, means by which the major incident
occurred, and impacts to the agency relating to the major
incident;
``(2) any risk assessment and subsequent risk-based
security implementation of the affected information system
before the date on which the major incident occurred;
``(3) the status of compliance of the affected information
system with applicable security requirements that are
directly related to the cause of the incident, at the time of
the major incident;
``(4) an estimate of the number of individuals potentially
affected by the major incident based on information available
to agency officials as of the date on which the agency
provides the update;
``(5) an assessment of the risk of harm to individuals
potentially affected by the major incident based on
information available to agency officials as of the date on
which the agency provides the update;
``(6) an update to the assessment of the risk to agency
operations, or to impacts on other agency or non-Federal
entity operations, affected by the major incident based on
information available to agency officials as of the date on
which the agency provides the update;
``(7) the detection, response, and remediation actions of
the agency, including any support provided by the
Cybersecurity and Infrastructure Security Agency under
section 3594(d) and status updates on the notification
process described in section 3592(a), including any delay
described in section 3592(c), if applicable; and
``(8) if applicable, a description of any circumstances or
data leading the head of the agency to determine, pursuant to
section 3592(a)(1), not to notify individuals potentially
impacted by a breach.
``(c) Update Report.--If the agency determines that there
is any significant change in the understanding of the agency
of the scope, scale, or consequence of a major incident for
which an agency submitted a written report under subsection
(a), the agency shall provide an updated report to the
appropriate reporting entities that includes information
relating to the change in understanding.
``(d) Biannual Report.--Each agency shall submit as part of
the biannual report required under section 3554(c)(1) of this
title a description of each major incident that occurred
during the 2-year period preceding the date on which the
biannual report is submitted.
``(e) Delay and Lack of Notification Report.--
``(1) In general.--The Director shall submit to the
appropriate reporting entities an annual report on all
notification delays granted pursuant to section 3592(c).
``(2) Lack of breach notification.--The Director shall
submit to the appropriate reporting entities an annual report
on each breach with respect to which the head of an agency
determined, pursuant to section 3592(a)(1), not to notify
individuals potentially impacted by the breach.
``(3) Component of other report.--The Director may submit
the report required under paragraph (1) as a component of the
annual report submitted under section 3597(b).
``(f) Report Delivery.--Any written report required to be
submitted under this section may be submitted in a paper or
electronic format.
``(g) Threat Briefing.--
``(1) In general.--Not later than 7 days after the date on
which an agency has a reasonable basis to conclude that a
major incident occurred, the head of the agency, jointly with
the Director, the National Cyber Director and any other
Federal entity determined appropriate by the National Cyber
Director, shall provide a briefing to the congressional
committees described in subsection (a)(1) on the threat
causing the major incident.
``(2) Components.--The briefing required under paragraph
(1)--
``(A) shall, to the greatest extent practicable, include an
unclassified component; and
``(B) may include a classified component.
``(h) Rule of Construction.--Nothing in this section shall
be construed to limit--
``(1) the ability of an agency to provide additional
reports or briefings to Congress; or
``(2) Congress from requesting additional information from
agencies through reports, briefings, or other means.
``Sec. 3594. Government information sharing and incident
response
``(a) In General.--
``(1) Incident reporting.--Subject to the limitations
described in subsection (b), the head of each agency shall
provide any information relating to any incident affecting
the agency, whether the information is obtained by the
Federal Government directly or indirectly, to the
Cybersecurity and Infrastructure Security Agency.
[[Page S903]]
``(2) Contents.--A provision of information relating to an
incident made by the head of an agency under paragraph (1)
shall--
``(A) include detailed information about the safeguards
that were in place when the incident occurred;
``(B) whether the agency implemented the safeguards
described in subparagraph (A) correctly;
``(C) in order to protect against a similar incident,
identify--
``(i) how the safeguards described in subparagraph (A)
should be implemented differently; and
``(ii) additional necessary safeguards; and
``(D) include information to aid in incident response, such
as--
``(i) a description of the affected systems or networks;
``(ii) the estimated dates of when the incident occurred;
and
``(iii) information that could reasonably help identify the
party that conducted the incident or the cause of the
incident, subject to appropriate privacy protections.
``(3) Information sharing.--The Director of the
Cybersecurity and Infrastructure Security Agency shall--
``(A) make incident information provided under paragraph
(1) available to the Director and the National Cyber
Director;
``(B) to the greatest extent practicable, share information
relating to an incident with the head of any agency that may
be--
``(i) impacted by the incident;
``(ii) similarly susceptible to the incident; or
``(iii) similarly targeted by the incident; and
``(C) coordinate any necessary information sharing efforts
relating to a major incident with the private sector.
``(4) National security systems.--Each agency operating or
exercising control of a national security system shall share
information about incidents that occur on national security
systems with the Director of the Cybersecurity and
Infrastructure Security Agency to the extent consistent with
standards and guidelines for national security systems issued
in accordance with law and as directed by the President.
``(b) Compliance.--In providing information and selecting a
method to provide information under subsection (a), the head
of each agency shall take into account the level of
classification of the information and any information sharing
limitations and protections, such as limitations and
protections relating to law enforcement, national security,
privacy, statistical confidentiality, or other factors
determined by the Director in order to implement subsection
(a)(1) in a manner that enables automated and consistent
reporting to the greatest extent practicable.
``(c) Incident Response.--Each agency that has a reasonable
basis to conclude that a major incident occurred involving
Federal information in electronic medium or form that does
not exclusively involve a national security system,
regardless of delays from notification granted for a major
incident that is also a breach, shall coordinate with the
Cybersecurity and Infrastructure Security Agency to
facilitate asset response activities and provide
recommendations for mitigating future incidents.
``Sec. 3595. Responsibilities of contractors and awardees
``(a) Reporting.--
``(1) In general.--Unless otherwise specified in a
contract, grant, cooperative agreement, or an other
transaction agreement, any contractor or awardee of an agency
shall report to the agency within the same amount of time
such agency is required to report an incident to the
Cybersecurity and Infrastructure Security Agency, if the
contractor or awardee has a reasonable basis to suspect or
conclude that--
``(A) an incident or breach has occurred with respect to
Federal information collected, used, or maintained by the
contractor or awardee in connection with the contract, grant,
cooperative agreement, or other transaction agreement of the
contractor or awardee;
``(B) an incident or breach has occurred with respect to a
Federal information system used or operated by the contractor
or awardee in connection with the contract, grant,
cooperative agreement, or other transaction agreement of the
contractor or awardee; or
``(C) the contractor or awardee has received information
from the agency that the contractor or awardee is not
authorized to receive in connection with the contract, grant,
cooperative agreement, or other transaction agreement of the
contractor or awardee.
``(2) Procedures.--
``(A) Major incident.--Following a report of a breach or
major incident by a contractor or awardee under paragraph
(1), the agency, in consultation with the contractor or
awardee, shall carry out the requirements under sections
3592, 3593, and 3594 with respect to the major incident.
``(B) Incident.--Following a report of an incident by a
contractor or awardee under paragraph (1), an agency, in
consultation with the contractor or awardee, shall carry out
the requirements under section 3594 with respect to the
incident.
``(b) Effective Date.--This section shall apply--
``(1) on and after the date that is 1 year after the date
of enactment of the Federal Information Security
Modernization Act of 2022; and
``(2) with respect to any contract entered into on or after
the date described in paragraph (1).
``Sec. 3596. Training
``(a) Covered Individual Defined.--In this section, the
term `covered individual' means an individual who obtains
access to Federal information or Federal information systems
because of the status of the individual as an employee,
contractor, awardee, volunteer, or intern of an agency.
``(b) Requirement.--The head of each agency shall develop
training for covered individuals on how to identify and
respond to an incident, including--
``(1) the internal process of the agency for reporting an
incident; and
``(2) the obligation of a covered individual to report to
the agency a confirmed major incident and any suspected
incident involving information in any medium or form,
including paper, oral, and electronic.
``(c) Inclusion in Annual Training.--The training developed
under subsection (b) may be included as part of an annual
privacy or security awareness training of an agency.
``Sec. 3597. Analysis and report on Federal incidents
``(a) Analysis of Federal Incidents.--
``(1) Quantitative and qualitative analyses.--The Director
of the Cybersecurity and Infrastructure Security Agency shall
develop, in consultation with the Director and the National
Cyber Director, and perform continuous monitoring and
quantitative and qualitative analyses of incidents at
agencies, including major incidents, including--
``(A) the causes of incidents, including--
``(i) attacker tactics, techniques, and procedures; and
``(ii) system vulnerabilities, including zero days,
unpatched systems, and information system misconfigurations;
``(B) the scope and scale of incidents at agencies;
``(C) common root causes of incidents across multiple
Federal agencies;
``(D) agency incident response, recovery, and remediation
actions and the effectiveness of those actions, as
applicable;
``(E) lessons learned and recommendations in responding to,
recovering from, remediating, and mitigating future
incidents; and
``(F) trends across multiple Federal agencies to address
intrusion detection and incident response capabilities using
the metrics established under section 224(c) of the
Cybersecurity Act of 2015 (6 U.S.C. 1522(c)).
``(2) Automated analysis.--The analyses developed under
paragraph (1) shall, to the greatest extent practicable, use
machine readable data, automation, and machine learning
processes.
``(3) Sharing of data and analysis.--
``(A) In general.--The Director shall share on an ongoing
basis the analyses required under this subsection with
agencies and the National Cyber Director to--
``(i) improve the understanding of cybersecurity risk of
agencies; and
``(ii) support the cybersecurity improvement efforts of
agencies.
``(B) Format.--In carrying out subparagraph (A), the
Director shall share the analyses--
``(i) in human-readable written products; and
``(ii) to the greatest extent practicable, in machine-
readable formats in order to enable automated intake and use
by agencies.
``(b) Annual Report on Federal Incidents.--Not later than 2
years after the date of enactment of this section, and not
less frequently than annually thereafter, the Director of the
Cybersecurity and Infrastructure Security Agency, in
consultation with the Director, the National Cyber Director
and the heads of other Federal agencies, as appropriate,
shall submit to the appropriate reporting entities a report
that includes--
``(1) a summary of causes of incidents from across the
Federal Government that categorizes those incidents as
incidents or major incidents;
``(2) the quantitative and qualitative analyses of
incidents developed under subsection (a)(1) on an agency-by-
agency basis and comprehensively across the Federal
Government, including--
``(A) a specific analysis of breaches; and
``(B) an analysis of the Federal Government's performance
against the metrics established under section 224(c) of the
Cybersecurity Act of 2015 (6 U.S.C. 1522(c)); and
``(3) an annex for each agency that includes--
``(A) a description of each major incident;
``(B) the total number of incidents of the agency; and
``(C) an analysis of the agency's performance against the
metrics established under section 224(c) of the Cybersecurity
Act of 2015 (6 U.S.C. 1522(c)).
``(c) Publication.--
``(1) In general.--A version of each report submitted under
subsection (b) shall be made publicly available on the
website of the Cybersecurity and Infrastructure Security
Agency during the year in which the report is submitted.
``(2) Exemption.--The Director of the Cybersecurity and
Infrastructure Security Agency may exempt all or a portion of
a report described in paragraph (1) from public publication
if the Director of the Cybersecurity and Infrastructure
Security Agency determines the exemption is in the interest
of national security.
``(3) Limitation on exemption.--An exemption granted under
paragraph (2) shall not apply to any version of a report
submitted to
[[Page S904]]
the appropriate reporting entities under subsection (b).
``(d) Information Provided by Agencies.--
``(1) In general.--The analysis required under subsection
(a) and each report submitted under subsection (b) shall use
information provided by agencies under section 3594(a).
``(2) Noncompliance reports.--
``(A) In general.--Subject to subparagraph (B), during any
year during which the head of an agency does not provide data
for an incident to the Cybersecurity and Infrastructure
Security Agency in accordance with section 3594(a), the head
of the agency, in coordination with the Director of the
Cybersecurity and Infrastructure Security Agency and the
Director, shall submit to the appropriate reporting entities
a report that includes the information described in
subsection (b) with respect to the agency.
``(B) Exception for national security systems.--The head of
an agency that owns or exercises control of a national
security system shall not include data for an incident that
occurs on a national security system in any report submitted
under subparagraph (A).
``(3) National security system reports.--
``(A) In general.--Annually, the head of an agency that
operates or exercises control of a national security system
shall submit a report that includes the information described
in subsection (b) with respect to the national security
system to the extent that the submission is consistent with
standards and guidelines for national security systems issued
in accordance with law and as directed by the President to--
``(i) the majority and minority leaders of the Senate,
``(ii) the Speaker and minority leader of the House of
Representatives;
``(iii) the Committee on Homeland Security and Governmental
Affairs of the Senate;
``(iv) the Select Committee on Intelligence of the Senate;
``(v) the Committee on Armed Services of the Senate;
``(vi) the Committee on Appropriations of the Senate;
``(vii) the Committee on Oversight and Reform of the House
of Representatives;
``(viii) the Committee on Homeland Security of the House of
Representatives;
``(ix) the Permanent Select Committee on Intelligence of
the House of Representatives;
``(x) the Committee on Armed Services of the House of
Representatives; and
``(xi) the Committee on Appropriations of the House of
Representatives.
``(B) Classified form.--A report required under
subparagraph (A) may be submitted in a classified form.
``(e) Requirement for Compiling Information.--In publishing
the public report required under subsection (c), the Director
of the Cybersecurity and Infrastructure Security Agency shall
sufficiently compile information such that no specific
incident of an agency can be identified, except with the
concurrence of the Director of the Office of Management and
Budget and in consultation with the impacted agency.
``Sec. 3598. Major incident definition
``(a) In General.--Not later than 180 days after the date
of enactment of the Federal Information Security
Modernization Act of 2022, the Director, in coordination with
the Director of the Cybersecurity and Infrastructure Security
Agency and the National Cyber Director, shall develop and
promulgate guidance on the definition of the term `major
incident' for the purposes of subchapter II and this
subchapter.
``(b) Requirements.--With respect to the guidance issued
under subsection (a), the definition of the term `major
incident' shall--
``(1) include, with respect to any information collected or
maintained by or on behalf of an agency or an information
system used or operated by an agency or by a contractor of an
agency or another organization on behalf of an agency--
``(A) any incident the head of the agency determines is
likely to have an impact on--
``(i) the national security, homeland security, or economic
security of the United States; or
``(ii) the civil liberties or public health and safety of
the people of the United States;
``(B) any incident the head of the agency determines likely
to result in an inability for the agency, a component of the
agency, or the Federal Government, to provide 1 or more
critical services;
``(C) any incident that the head of an agency, in
consultation with a senior privacy officer of the agency,
determines is likely to have a significant privacy impact on
1 or more individual;
``(D) any incident that the head of the agency, in
consultation with a senior privacy official of the agency,
determines is likely to have a substantial privacy impact on
a significant number of individuals;
``(E) any incident the head of the agency determines
substantially disrupts the operations of a high value asset
owned or operated by the agency;
``(F) any incident involving the exposure of sensitive
agency information to a foreign entity, such as the
communications of the head of the agency, the head of a
component of the agency, or the direct reports of the head of
the agency or the head of a component of the agency; and
``(G) any other type of incident determined appropriate by
the Director;
``(2) stipulate that the National Cyber Director, in
consultation with the Director, shall declare a major
incident at each agency impacted by an incident if it is
determined that an incident--
``(A) occurs at not less than 2 agencies; and
``(B) is enabled by--
``(i) a common technical root cause, such as a supply chain
compromise, a common software or hardware vulnerability; or
``(ii) the related activities of a common threat actor; and
``(3) stipulate that, in determining whether an incident
constitutes a major incident because that incident is any
incident described in paragraph (1), the head of the agency
shall consult with the National Cyber Director and may
consult with the Director of the Cybersecurity and
Infrastructure Security Agency.
``(c) Significant Number of Individuals.--In determining
what constitutes a significant number of individuals under
subsection (b)(1)(D), the Director--
``(1) may determine a threshold for a minimum number of
individuals that constitutes a significant amount; and
``(2) may not determine a threshold described in paragraph
(1) that exceeds 5,000 individuals.
``(d) Evaluation and Updates.--Not later than 2 years after
the date of enactment of the Federal Information Security
Modernization Act of 2022, and not less frequently than every
2 years thereafter, the Director shall provide a briefing to
the Committee on Homeland Security and Governmental Affairs
of the Senate and the Committee on Oversight and Reform of
the House of Representatives, which shall include--
``(1) an evaluation of any necessary updates to the
guidance issued under subsection (a);
``(2) an evaluation of any necessary updates to the
definition of the term `major incident' included in the
guidance issued under subsection (a); and
``(3) an explanation of, and the analysis that led to, the
definition described in paragraph (2).''.
(2) Clerical amendment.--The table of sections for chapter
35 of title 44, United States Code, is amended by adding at
the end the following:
``subchapter iv--federal system incident response
``3591. Definitions
``3592. Notification of breach
``3593. Congressional and Executive Branch reports
``3594. Government information sharing and incident response
``3595. Responsibilities of contractors and awardees
``3596. Training
``3597. Analysis and report on Federal incidents
``3598. Major incident definition''.
SEC. 104. AMENDMENTS TO SUBTITLE III OF TITLE 40.
(a) Modernizing Government Technology.--Subtitle G of title
X of Division A of the National Defense Authorization Act for
Fiscal Year 2018 (40 U.S.C. 11301 note) is amended in section
1078--
(1) by striking subsection (a) and inserting the following:
``(a) Definitions.--In this section:
``(1) Agency.--The term `agency' has the meaning given the
term in section 551 of title 5, United States Code.
``(2) High value asset.--The term `high value asset' has
the meaning given the term in section 3552 of title 44,
United States Code.'';
(2) in subsection (b), by adding at the end the following:
``(8) Proposal evaluation.--The Director shall--
``(A) give consideration for the use of amounts in the Fund
to improve the security of high value assets; and
``(B) require that any proposal for the use of amounts in
the Fund includes a cybersecurity plan, including a supply
chain risk management plan, to be reviewed by the member of
the Technology Modernization Board described in subsection
(c)(5)(C).''; and
(3) in subsection (c)--
(A) in paragraph (2)(A)(i), by inserting ``, including a
consideration of the impact on high value assets'' after
``operational risks'';
(B) in paragraph (5)--
(i) in subparagraph (A), by striking ``and'' at the end;
(ii) in subparagraph (B), by striking the period at the end
and inserting ``and''; and
(iii) by adding at the end the following:
``(C) a senior official from the Cybersecurity and
Infrastructure Security Agency of the Department of Homeland
Security, appointed by the Director.''; and
(C) in paragraph (6)(A), by striking ``shall be--'' and all
that follows through ``4 employees'' and inserting ``shall be
4 employees''.
(b) Subchapter I.--Subchapter I of chapter 113 of subtitle
III of title 40, United States Code, is amended--
(1) in section 11302--
(A) in subsection (b), by striking ``use, security, and
disposal of'' and inserting ``use, and disposal of, and, in
consultation with the Director of the Cybersecurity and
Infrastructure Security Agency and the National Cyber
Director, promote and improve the security of,'';
(B) in subsection (c)--
(i) in paragraph (3)--
(I) in subparagraph (A)--
(aa) by striking ``including data'' and inserting ``which
shall--
``(i) include data''; and
(bb) by adding at the end the following:
[[Page S905]]
``(ii) specifically denote cybersecurity funding under the
risk-based cyber budget model developed pursuant to section
3553(a)(7) of title 44.''; and
(II) in subparagraph (B), by adding at the end the
following:
``(iii) The Director shall provide to the National Cyber
Director any cybersecurity funding information described in
subparagraph (A)(ii) that is provided to the Director under
clause (ii) of this subparagraph.'';
(C) in subsection (f)--
(i) by striking ``heads of executive agencies to develop''
and inserting ``heads of executive agencies to--
``(1) develop'';
(ii) in paragraph (1), as so designated, by striking the
period at the end and inserting ``; and''; and
(iii) by adding at the end the following:
``(2) consult with the Director of the Cybersecurity and
Infrastructure Security Agency for the development and use of
supply chain security best practices.''; and
(D) in subsection (h), by inserting ``, including
cybersecurity performances,'' after ``the performances''; and
(2) in section 11303(b)--
(A) in paragraph (2)(B)--
(i) in clause (i), by striking ``or'' at the end;
(ii) in clause (ii), by adding ``or'' at the end; and
(iii) by adding at the end the following:
``(iii) whether the function should be performed by a
shared service offered by another executive agency;''; and
(B) in paragraph (5)(B)(i), by inserting ``, while taking
into account the risk-based cyber budget model developed
pursuant to section 3553(a)(7) of title 44'' after ``title
31''.
(c) Subchapter II.--Subchapter II of chapter 113 of
subtitle III of title 40, United States Code, is amended--
(1) in section 11312(a), by inserting ``, including
security risks'' after ``managing the risks'';
(2) in section 11313(1), by striking ``efficiency and
effectiveness'' and inserting ``efficiency, security, and
effectiveness'';
(3) in section 11315, by adding at the end the following:
``(d) Component Agency Chief Information Officers.--The
Chief Information Officer or an equivalent official of a
component agency shall report to--
``(1) the Chief Information Officer designated under
section 3506(a)(2) of title 44 or an equivalent official of
the agency of which the component agency is a component; and
``(2) the head of the component agency.
``(e) Reporting Structure Exemption.--
``(1) In general.--On annual basis, the Director may exempt
any agency from the reporting structure requirements under
subsection (d).
``(2) Report.--On an annual basis, the Director shall
submit to the Committee on Homeland Security and Governmental
Affairs of the Senate and the Committee on Oversight and
Reform of the House of Representatives a report that includes
a list of each exemption granted under paragraph (1) and the
associated rationale for each exemption.
``(3) Component of other report.--The report required under
paragraph (2) may be incorporated into any other annual
report required under chapter 35 of title 44, United States
Code.'';
(4) in section 11317, by inserting ``security,'' before
``or schedule''; and
(5) in section 11319(b)(1), in the paragraph heading, by
striking ``CIOS'' and inserting ``Chief information
officers''.
SEC. 105. ACTIONS TO ENHANCE FEDERAL INCIDENT TRANSPARENCY.
(a) Responsibilities of the Cybersecurity and
Infrastructure Security Agency.--
(1) In general.--Not later than 180 days after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency shall--
(A) develop a plan for the development of the analysis
required under section 3597(a) of title 44, United States
Code, as added by this title, and the report required under
subsection (b) of that section that includes--
(i) a description of any challenges the Director of the
Cybersecurity and Infrastructure Security Agency anticipates
encountering; and
(ii) the use of automation and machine-readable formats for
collecting, compiling, monitoring, and analyzing data; and
(B) provide to the appropriate congressional committees a
briefing on the plan developed under subparagraph (A).
(2) Briefing.--Not later than 1 year after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency shall provide to the
appropriate congressional committees a briefing on--
(A) the execution of the plan required under paragraph
(1)(A); and
(B) the development of the report required under section
3597(b) of title 44, United States Code, as added by this
title.
(b) Responsibilities of the Director of the Office of
Management and Budget.--
(1) FISMA.--Section 2 of the Federal Information Security
Modernization Act of 2014 (44 U.S.C. 3554 note) is amended--
(A) by striking subsection (b); and
(B) by redesignating subsections (c) through (f) as
subsections (b) through (e), respectively.
(2) Incident data sharing.--
(A) In general.--The Director shall develop guidance, to be
updated not less frequently than once every 2 years, on the
content, timeliness, and format of the information provided
by agencies under section 3594(a) of title 44, United States
Code, as added by this title.
(B) Requirements.--The guidance developed under
subparagraph (A) shall--
(i) prioritize the availability of data necessary to
understand and analyze--
(I) the causes of incidents;
(II) the scope and scale of incidents within the
environments and systems of an agency;
(III) a root cause analysis of incidents that--
(aa) are common across the Federal Government; or
(bb) have a Government-wide impact;
(IV) agency response, recovery, and remediation actions and
the effectiveness of those actions; and
(V) the impact of incidents;
(ii) enable the efficient development of--
(I) lessons learned and recommendations in responding to,
recovering from, remediating, and mitigating future
incidents; and
(II) the report on Federal incidents required under section
3597(b) of title 44, United States Code, as added by this
title;
(iii) include requirements for the timeliness of data
production; and
(iv) include requirements for using automation and machine-
readable data for data sharing and availability.
(3) Guidance on responding to information requests.--Not
later than 1 year after the date of enactment of this Act,
the Director shall develop guidance for agencies to implement
the requirement under section 3594(c) of title 44, United
States Code, as added by this title, to provide information
to other agencies experiencing incidents.
(4) Standard guidance and templates.--Not later than 1 year
after the date of enactment of this Act, the Director, in
consultation with the Director of the Cybersecurity and
Infrastructure Security Agency, shall develop guidance and
templates, to be reviewed and, if necessary, updated not less
frequently than once every 2 years, for use by Federal
agencies in the activities required under sections 3592,
3593, and 3596 of title 44, United States Code, as added by
this title.
(5) Contractor and awardee guidance.--
(A) In general.--Not later than 1 year after the date of
enactment of this Act, the Director, in coordination with the
Secretary of Homeland Security, the Secretary of Defense, the
Administrator of General Services, and the heads of other
agencies determined appropriate by the Director, shall issue
guidance to Federal agencies on how to deconflict, to the
greatest extent practicable, existing regulations, policies,
and procedures relating to the responsibilities of
contractors and awardees established under section 3595 of
title 44, United States Code, as added by this title.
(B) Existing processes.--To the greatest extent
practicable, the guidance issued under subparagraph (A) shall
allow contractors and awardees to use existing processes for
notifying Federal agencies of incidents involving information
of the Federal Government.
(6) Updated briefings.--Not less frequently than once every
2 years, the Director shall provide to the appropriate
congressional committees an update on the guidance and
templates developed under paragraphs (2) through (4).
(c) Update to the Privacy Act of 1974.--Section 552a(b) of
title 5, United States Code (commonly known as the ``Privacy
Act of 1974'') is amended--
(1) in paragraph (11), by striking ``or'' at the end;
(2) in paragraph (12), by striking the period at the end
and inserting ``; or''; and
(3) by adding at the end the following:
``(13) to another agency in furtherance of a response to an
incident (as defined in section 3552 of title 44) and
pursuant to the information sharing requirements in section
3594 of title 44 if the head of the requesting agency has
made a written request to the agency that maintains the
record specifying the particular portion desired and the
activity for which the record is sought.''.
SEC. 106. ADDITIONAL GUIDANCE TO AGENCIES ON FISMA UPDATES.
Not later than 1 year after the date of enactment of this
Act, the Director, in consultation with the Director of the
Cybersecurity and Infrastructure Security Agency, shall issue
guidance for agencies on--
(1) performing the ongoing and continuous agency system
risk assessment required under section 3554(a)(1)(A) of title
44, United States Code, as amended by this title;
(2) implementing additional cybersecurity procedures, which
shall include resources for shared services;
(3) establishing a process for providing the status of each
remedial action under section 3554(b)(7) of title 44, United
States Code, as amended by this title, to the Director and
the Cybersecurity and Infrastructure Security Agency using
automation and machine-readable data, as practicable, which
shall include--
(A) specific guidance for the use of automation and
machine-readable data; and
(B) templates for providing the status of the remedial
action; and
(4) a requirement to coordinate with inspectors general of
agencies to ensure consistent understanding and application
of agency policies for the purpose of evaluations by
inspectors general.
[[Page S906]]
SEC. 107. AGENCY REQUIREMENTS TO NOTIFY PRIVATE SECTOR
ENTITIES IMPACTED BY INCIDENTS.
(a) Definitions.--In this section:
(1) Reporting entity.--The term ``reporting entity'' means
private organization or governmental unit that is required by
statute or regulation to submit sensitive information to an
agency.
(2) Sensitive information.--The term ``sensitive
information'' has the meaning given the term by the Director
in guidance issued under subsection (b).
(b) Guidance on Notification of Reporting Entities.--Not
later than 180 days after the date of enactment of this Act,
the Director shall issue guidance requiring the head of each
agency to notify a reporting entity of an incident that is
likely to substantially affect--
(1) the confidentiality or integrity of sensitive
information submitted by the reporting entity to the agency
pursuant to a statutory or regulatory requirement; or
(2) the agency information system or systems used in the
transmission or storage of the sensitive information
described in paragraph (1).
SEC. 108. MOBILE SECURITY STANDARDS.
(a) In General.--Not later than 1 year after the date of
enactment of this Act, the Director shall--
(1) evaluate mobile application security guidance
promulgated by the Director; and
(2) issue guidance to secure mobile devices, including for
mobile applications, for every agency.
(b) Contents.--The guidance issued under subsection (a)(2)
shall include--
(1) a requirement, pursuant to section 3506(b)(4) of title
44, United States Code, for every agency to maintain a
continuous inventory of every--
(A) mobile device operated by or on behalf of the agency;
and
(B) vulnerability identified by the agency associated with
a mobile device; and
(2) a requirement for every agency to perform continuous
evaluation of the vulnerabilities described in paragraph
(1)(B) and other risks associated with the use of
applications on mobile devices.
(c) Information Sharing.--The Director, in coordination
with the Director of the Cybersecurity and Infrastructure
Security Agency, shall issue guidance to agencies for sharing
the inventory of the agency required under subsection (b)(1)
with the Director of the Cybersecurity and Infrastructure
Security Agency, using automation and machine-readable data
to the greatest extent practicable.
(d) Briefing.--Not later than 60 days after the date on
which the Director issues guidance under subsection (a)(2),
the Director, in coordination with the Director of the
Cybersecurity and Infrastructure Security Agency, shall
provide to the appropriate congressional committees a
briefing on the guidance.
SEC. 109. DATA AND LOGGING RETENTION FOR INCIDENT RESPONSE.
(a) Recommendations.--Not later than 2 years after the date
of enactment of this Act, and not less frequently than every
2 years thereafter, the Director of the Cybersecurity and
Infrastructure Security Agency, in consultation with the
Attorney General, shall submit to the Director
recommendations on requirements for logging events on agency
systems and retaining other relevant data within the systems
and networks of an agency.
(b) Contents.--The recommendations provided under
subsection (a) shall include--
(1) the types of logs to be maintained;
(2) the duration that logs and other relevant data should
be retained;
(3) the time periods for agency implementation of
recommended logging and security requirements;
(4) how to ensure the confidentiality, integrity, and
availability of logs;
(5) requirements to ensure that, upon request, in a manner
that excludes or otherwise reasonably protects personally
identifiable information, and to the extent permitted by
applicable law (including privacy and statistical laws),
agencies provide logs to--
(A) the Director of the Cybersecurity and Infrastructure
Security Agency for a cybersecurity purpose; and
(B) the Director of the Federal Bureau of Investigation, or
the appropriate Federal law enforcement agency, to
investigate potential criminal activity; and
(6) requirements to ensure that, subject to compliance with
statistical laws and other relevant data protection
requirements, the highest level security operations center of
each agency has visibility into all agency logs.
(c) Guidance.--Not later than 90 days after receiving the
recommendations submitted under subsection (a), the Director,
in consultation with the Director of the Cybersecurity and
Infrastructure Security Agency and the Attorney General,
shall, as determined to be appropriate by the Director,
update guidance to agencies regarding requirements for
logging, log retention, log management, sharing of log data
with other appropriate agencies, or any other logging
activity determined to be appropriate by the Director.
(d) Sunset.--This section shall cease to have force or
effect on the date that is 10 years after the date of the
enactment of this Act.
SEC. 110. CISA AGENCY ADVISORS.
(a) In General.--Not later than 120 days after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency shall assign not less than 1
cybersecurity professional employed by the Cybersecurity and
Infrastructure Security Agency to be the Cybersecurity and
Infrastructure Security Agency advisor to the senior agency
information security officer of each agency.
(b) Qualifications.--Each advisor assigned under subsection
(a) shall have knowledge of--
(1) cybersecurity threats facing agencies, including any
specific threats to the assigned agency;
(2) performing risk assessments of agency systems; and
(3) other Federal cybersecurity initiatives.
(c) Duties.--The duties of each advisor assigned under
subsection (a) shall include--
(1) providing ongoing assistance and advice, as requested,
to the agency Chief Information Officer;
(2) serving as an incident response point of contact
between the assigned agency and the Cybersecurity and
Infrastructure Security Agency; and
(3) familiarizing themselves with agency systems,
processes, and procedures to better facilitate support to the
agency in responding to incidents.
(d) Limitation.--An advisor assigned under subsection (a)
shall not be a contractor.
(e) Multiple Assignments.--One individual advisor may be
assigned to multiple agency Chief Information Officers under
subsection (a).
SEC. 111. FEDERAL PENETRATION TESTING POLICY.
(a) In General.--Subchapter II of chapter 35 of title 44,
United States Code, is amended by adding at the end the
following:
``Sec. 3559A. Federal penetration testing
``(a) Definitions.--In this section:
``(1) Agency operational plan.--The term `agency
operational plan' means a plan of an agency for the use of
penetration testing.
``(2) Rules of engagement.--The term `rules of engagement'
means a set of rules established by an agency for the use of
penetration testing.
``(b) Guidance.--
``(1) In general.--The Director, in consultation with the
Secretary, acting through the Director of the Cybersecurity
and Infrastructure Security Agency, shall issue guidance to
agencies that--
``(A) requires agencies to use, when and where appropriate,
penetration testing on agency systems by both Federal and
non-Federal entities; and
``(B) requires agencies to develop an agency operational
plan and rules of engagement that meet the requirements under
subsection (c).
``(2) Penetration testing guidance.--The guidance issued
under this section shall--
``(A) permit an agency to use, for the purpose of
performing penetration testing--
``(i) a shared service of the agency or another agency; or
``(ii) an external entity, such as a vendor; and
``(B) require agencies to provide the rules of engagement
and results of penetration testing to the Director and the
Director of the Cybersecurity and Infrastructure Security
Agency, without regard to the status of the entity that
performs the penetration testing.
``(c) Agency Plans and Rules of Engagement.--The agency
operational plan and rules of engagement of an agency shall--
``(1) require the agency to--
``(A) perform penetration testing, including on the high
value assets of the agency; or
``(B) coordinate with the Director of the Cybersecurity and
Infrastructure Security Agency to ensure that penetration
testing is being performed;
``(2) establish guidelines for avoiding, as a result of
penetration testing--
``(A) adverse impacts to the operations of the agency;
``(B) adverse impacts to operational environments and
systems of the agency; and
``(C) inappropriate access to data;
``(3) require the results of penetration testing to include
feedback to improve the cybersecurity of the agency; and
``(4) include mechanisms for providing consistently
formatted, and, if applicable, automated and machine-
readable, data to the Director and the Director of the
Cybersecurity and Infrastructure Security Agency.
``(d) Responsibilities of CISA.--The Director of the
Cybersecurity and Infrastructure Security Agency shall--
``(1) establish a process to assess the performance of
penetration testing by both Federal and non-Federal entities
that establishes minimum quality controls for penetration
testing;
``(2) develop operational guidance for instituting
penetration testing programs at agencies;
``(3) develop and maintain a centralized capability to
offer penetration testing as a service to Federal and non-
Federal entities; and
``(4) provide guidance to agencies on the best use of
penetration testing resources.
``(e) Responsibilities of OMB.--The Director, in
coordination with the Director of the Cybersecurity and
Infrastructure Security Agency, shall--
``(1) not less frequently than annually, inventory all
Federal penetration testing assets; and
``(2) develop and maintain a standardized process for the
use of penetration testing.
[[Page S907]]
``(f) Prioritization of Penetration Testing Resources.--
``(1) In general.--The Director, in coordination with the
Director of the Cybersecurity and Infrastructure Security
Agency, shall develop a framework for prioritizing Federal
penetration testing resources among agencies.
``(2) Considerations.--In developing the framework under
this subsection, the Director shall consider--
``(A) agency system risk assessments performed under
section 3554(a)(1)(A);
``(B) the Federal risk assessment performed under section
3553(i);
``(C) the analysis of Federal incident data performed under
section 3597; and
``(D) any other information determined appropriate by the
Director or the Director of the Cybersecurity and
Infrastructure Security Agency.
``(g) Exception for National Security Systems.--The
guidance issued under subsection (b) shall not apply to
national security systems.
``(h) Delegation of Authority for Certain Systems.--The
authorities of the Director described in subsection (b) shall
be delegated--
``(1) to the Secretary of Defense in the case of systems
described in section 3553(e)(2); and
``(2) to the Director of National Intelligence in the case
of systems described in 3553(e)(3).''.
(b) Deadline for Guidance.--Not later than 180 days after
the date of enactment of this Act, the Director shall issue
the guidance required under section 3559A(b) of title 44,
United States Code, as added by subsection (a).
(c) Clerical Amendment.--The table of sections for chapter
35 of title 44, United States Code, is amended by adding
after the item relating to section 3559 the following:
``3559A. Federal penetration testing.''.
(d) Sunset.--
(1) In general.--Effective on the date that is 10 years
after the date of enactment of this Act, subchapter II of
chapter 35 of title 44, United States Code, is amended by
striking section 3559A.
(2) Clerical amendment.--Effective on the date that is 10
years after the date of enactment of this Act, the table of
sections for chapter 35 of title 44, United States Code, is
amended by striking the item relating to section 3559A.
SEC. 112. ONGOING THREAT HUNTING PROGRAM.
(a) Threat Hunting Program.--
(1) In general.--Not later than 540 days after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency shall establish a program to
provide ongoing, hypothesis-driven threat-hunting services on
the network of each agency.
(2) Plan.--Not later than 180 days after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency shall develop a plan to
establish the program required under paragraph (1) that
describes how the Director of the Cybersecurity and
Infrastructure Security Agency plans to--
(A) determine the method for collecting, storing,
accessing, analyzing, and safeguarding appropriate agency
data;
(B) provide on-premises support to agencies;
(C) staff threat hunting services;
(D) allocate available human and financial resources to
implement the plan; and
(E) provide input to the heads of agencies on the use of
additional cybersecurity procedures under section 3554 of
title 44, United States Code.
(b) Reports.--The Director of the Cybersecurity and
Infrastructure Security Agency shall submit to the
appropriate congressional committees--
(1) not later than 30 days after the date on which the
Director of the Cybersecurity and Infrastructure Security
Agency completes the plan required under subsection (a)(2), a
report on the plan to provide threat hunting services to
agencies;
(2) not less than 30 days before the date on which the
Director of the Cybersecurity and Infrastructure Security
Agency begins providing threat hunting services under the
program under subsection (a)(1), a report providing any
updates to the plan developed under subsection (a)(2); and
(3) not later than 1 year after the date on which the
Director of the Cybersecurity and Infrastructure Security
Agency begins providing threat hunting services to agencies
other than the Cybersecurity and Infrastructure Security
Agency, a report describing lessons learned from providing
those services.
SEC. 113. CODIFYING VULNERABILITY DISCLOSURE PROGRAMS.
(a) In General.--Chapter 35 of title 44, United States
Code, is amended by inserting after section 3559A, as added
by section 111 of this title, the following:
``Sec. 3559B. Federal vulnerability disclosure programs
``(a) Purpose; Sense of Congress.--
``(1) Purpose.--The purpose of Federal vulnerability
disclosure programs is to create a mechanism to use the
expertise of the public to provide a service to Federal
agencies by identifying information system vulnerabilities.
``(2) Sense of congress.--It is the sense of Congress that,
in implementing the requirements of this section, the Federal
Government should take appropriate steps to reduce real and
perceived burdens in communications between agencies and
security researchers.
``(b) Definitions.--In this section:
``(1) Report.--The term `report' means a vulnerability
disclosure made to an agency by a reporter.
``(2) Reporter.--The term `reporter' means an individual
that submits a vulnerability report pursuant to the
vulnerability disclosure process of an agency.
``(c) Responsibilities of OMB.--
``(1) Limitation on legal action.--The Director, in
consultation with the Attorney General, shall issue guidance
to agencies to not recommend or pursue legal action against a
reporter or an individual that conducts a security research
activity that the head of the agency determines--
``(A) represents a good faith effort to follow the
vulnerability disclosure policy of the agency developed under
subsection (e)(2); and
``(B) is authorized under the vulnerability disclosure
policy of the agency developed under subsection (e)(2).
``(2) Sharing information with cisa.--The Director, in
coordination with the Director of the Cybersecurity and
Infrastructure Security Agency and in consultation with the
National Cyber Director, shall issue guidance to agencies on
sharing relevant information in a consistent, automated, and
machine readable manner with the Director of the
Cybersecurity and Infrastructure Security Agency, including--
``(A) any valid or credible reports of newly discovered or
not publicly known vulnerabilities (including
misconfigurations) on Federal information systems that use
commercial software or services;
``(B) information relating to vulnerability disclosure,
coordination, or remediation activities of an agency,
particularly as those activities relate to outside
organizations--
``(i) with which the head of the agency believes the
Director of the Cybersecurity and Infrastructure Security
Agency can assist; or
``(ii) about which the head of the agency believes the
Director of the Cybersecurity and Infrastructure Security
Agency should know; and
``(C) any other information with respect to which the head
of the agency determines helpful or necessary to involve the
Director of the Cybersecurity and Infrastructure Security
Agency.
``(3) Agency vulnerability disclosure policies.--The
Director shall issue guidance to agencies on the required
minimum scope of agency systems covered by the vulnerability
disclosure policy of an agency required under subsection
(e)(2).
``(d) Responsibilities of CISA.--The Director of the
Cybersecurity and Infrastructure Security Agency shall--
``(1) provide support to agencies with respect to the
implementation of the requirements of this section;
``(2) develop tools, processes, and other mechanisms
determined appropriate to offer agencies capabilities to
implement the requirements of this section; and
``(3) upon a request by an agency, assist the agency in the
disclosure to vendors of newly identified vulnerabilities in
vendor products and services.
``(e) Responsibilities of Agencies.--
``(1) Public information.--The head of each agency shall
make publicly available, with respect to each internet domain
under the control of the agency that is not a national
security system--
``(A) an appropriate security contact; and
``(B) the component of the agency that is responsible for
the internet accessible services offered at the domain.
``(2) Vulnerability disclosure policy.--The head of each
agency shall develop and make publicly available a
vulnerability disclosure policy for the agency, which shall--
``(A) describe--
``(i) the scope of the systems of the agency included in
the vulnerability disclosure policy;
``(ii) the type of information system testing that is
authorized by the agency;
``(iii) the type of information system testing that is not
authorized by the agency; and
``(iv) the disclosure policy of the agency for sensitive
information;
``(B) with respect to a report to an agency, describe--
``(i) how the reporter should submit the report; and
``(ii) if the report is not anonymous, when the reporter
should anticipate an acknowledgment of receipt of the report
by the agency;
``(C) include any other relevant information; and
``(D) be mature in scope and cover every internet
accessible Federal information system used or operated by
that agency or on behalf of that agency.
``(3) Identified vulnerabilities.--The head of each agency
shall incorporate any vulnerabilities reported under
paragraph (2) into the vulnerability management process of
the agency in order to track and remediate the vulnerability.
``(f) Congressional Reporting.--Not later than 90 days
after the date of enactment of the Federal Information
Security Modernization Act of 2022, and annually thereafter
for a 3-year period, the Director of the Cybersecurity and
Infrastructure Security Agency, in consultation with the
Director, shall provide to the Committee on Homeland Security
and Governmental Affairs of the Senate and the Committee on
Oversight and Reform of the House of Representatives a
briefing on the status of the use of vulnerability disclosure
policies under this section at agencies,
[[Page S908]]
including, with respect to the guidance issued under
subsection (c)(3), an identification of the agencies that are
compliant and not compliant.
``(g) Exemptions.--The authorities and functions of the
Director and Director of the Cybersecurity and Infrastructure
Security Agency under this section shall not apply to
national security systems.
``(h) Delegation of Authority for Certain Systems.--The
authorities of the Director and the Director of the
Cybersecurity and Infrastructure Security Agency described in
this section shall be delegated--
``(1) to the Secretary of Defense in the case of systems
described in section 3553(e)(2); and
``(2) to the Director of National Intelligence in the case
of systems described in section 3553(e)(3).''.
(b) Clerical Amendment.--The table of sections for chapter
35 of title 44, United States Code, is amended by adding
after the item relating to section 3559A, as added by section
111, the following:
``3559B. Federal vulnerability disclosure programs.''.
(c) Sunset.--
(1) In general.--Effective on the date that is 10 years
after the date of enactment of this Act, subchapter II of
chapter 35 of title 44, United States Code, is amended by
striking section 3559B.
(2) Clerical amendment.--Effective on the date that is 10
years after the date of enactment of this Act, the table of
sections for chapter 35 of title 44, United States Code, is
amended by striking the item relating to section 3559B.
SEC. 114. IMPLEMENTING ZERO TRUST ARCHITECTURE.
(a) Guidance.--Not later than 18 months after the date of
enactment of this Act, the Director shall provide an update
to the appropriate congressional committees on progress in
increasing the internal defenses of agency systems,
including--
(1) shifting away from ``trusted networks'' to implement
security controls based on a presumption of compromise;
(2) implementing principles of least privilege in
administering information security programs;
(3) limiting the ability of entities that cause incidents
to move laterally through or between agency systems;
(4) identifying incidents quickly;
(5) isolating and removing unauthorized entities from
agency systems as quickly as practicable, accounting for
intelligence or law enforcement purposes;
(6) otherwise increasing the resource costs for entities
that cause incidents to be successful; and
(7) a summary of the agency progress reports required under
subsection (b).
(b) Agency Progress Reports.--Not later than 270 days after
the date of enactment of this Act, the head of each agency
shall submit to the Director a progress report on
implementing an information security program based on the
presumption of compromise and least privilege principles,
which shall include--
(1) a description of any steps the agency has completed,
including progress toward achieving requirements issued by
the Director, including the adoption of any models or
reference architecture;
(2) an identification of activities that have not yet been
completed and that would have the most immediate security
impact; and
(3) a schedule to implement any planned activities.
SEC. 115. AUTOMATION REPORTS.
(a) OMB Report.--Not later than 180 days after the date of
enactment of this Act, the Director shall provide to the
appropriate congressional committees an update on the use of
automation under paragraphs (1), (5)(C), and (8)(B) of
section 3554(b) of title 44, United States Code.
(b) GAO Report.--Not later than 1 year after the date of
enactment of this Act, the Comptroller General of the United
States shall perform a study on the use of automation and
machine readable data across the Federal Government for
cybersecurity purposes, including the automated updating of
cybersecurity tools, sensors, or processes by agencies.
SEC. 116. EXTENSION OF FEDERAL ACQUISITION SECURITY COUNCIL
AND SOFTWARE INVENTORY.
(a) Extension.--Section 1328 of title 41, United States
Code, is amended by striking ``the date that'' and all that
follows and inserting ``December 31, 2026.''.
(b) Requirement.--Subsection 1326(b) of title 41, United
States Code, is amended--
(1) in paragraph (5), by striking ``and'' at the end;
(2) by redesignating paragraph (6) as paragraph (7); and
(3) by inserting after paragraph (5) the following:
``(6) maintaining an up-to-date and accurate inventory of
software in use by the agency and, if available and
applicable, the components of such software, that can be
communicated at the request of the Federal Acquisition
Security Council, the National Cyber Director, or the
Secretary of Homeland Security, acting through the Director
of Cybersecurity and Infrastructure Security Agency; and''.
SEC. 117. COUNCIL OF THE INSPECTORS GENERAL ON INTEGRITY AND
EFFICIENCY DASHBOARD.
(a) Dashboard Required.--Section 11(e)(2) of the Inspector
General Act of 1978 (5 U.S.C. App.) is amended--
(1) in subparagraph (A), by striking ``and'' at the end;
(2) by redesignating subparagraph (B) as subparagraph (C);
and
(3) by inserting after subparagraph (A) the following:
``(B) that shall include a dashboard of open information
security recommendations identified in the independent
evaluations required by section 3555(a) of title 44, United
States Code; and''.
SEC. 118. QUANTITATIVE CYBERSECURITY METRICS.
(a) Definition of Covered Metrics.--In this section, the
term ``covered metrics'' means the metrics established,
reviewed, and updated under section 224(c) of the
Cybersecurity Act of 2015 (6 U.S.C. 1522(c)).
(b) Updating and Establishing Metrics.--Not later than 1
year after the date of enactment of this Act, and as
appropriate thereafter, the Director of the Cybersecurity and
Infrastructure Security Agency, in coordination with the
Director, shall--
(1) evaluate any covered metrics established as of the date
of enactment of this Act; and
(2) as appropriate and pursuant to section 224(c) of the
Cybersecurity Act of 2015 (6 U.S.C. 1522(c)) update or
establish new covered metrics.
(c) Implementation.--
(1) In general.--Not later than 540 days after the date of
enactment of this Act, the Director, in coordination with the
Director of the Cybersecurity and Infrastructure Security
Agency, shall promulgate guidance that requires each agency
to use covered metrics to track trends in the cybersecurity
and incident response capabilities of the agency.
(2) Performance demonstration.--The guidance issued under
paragraph (1) and any subsequent guidance shall require
agencies to share with the Director of the Cybersecurity and
Infrastructure Security Agency data demonstrating the
performance of the agency using the covered metrics included
in the guidance.
(3) Penetration tests.--On not less than 2 occasions during
the 2-year period following the date on which guidance is
promulgated under paragraph (1), the Director shall ensure
that not less than 3 agencies are subjected to substantially
similar penetration tests, as determined by the Director, in
coordination with the Director of the Cybersecurity and
Infrastructure Security Agency, in order to validate the
utility of the covered metrics.
(4) Analysis capacity.--The Director of the Cybersecurity
and Infrastructure Security Agency shall develop a capability
that allows for the analysis of the covered metrics,
including cross-agency performance of agency cybersecurity
and incident response capability trends.
(5) Time-based metric.--With respect the first update or
establishment of covered metrics required under subsection
(b)(2), the Director of the Cybersecurity and Infrastructure
Security Agency shall establish covered metrics that include
not less than 1 metric addressing the time it takes for
agencies to identify and respond to incidents.
(d) Congressional Reports.--Not later than 1 year after the
date of enactment of this Act, the Director of the
Cybersecurity and Infrastructure Security Agency, in
coordination with the Director, shall submit to the
appropriate congressional committees a report on the utility
and use of the covered metrics.
SEC. 119. ESTABLISHMENT OF RISK-BASED BUDGET MODEL.
(a) Definitions.--In this section:
(1) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Committee on Homeland Security and Governmental
Affairs and the Committee on Appropriations of the Senate;
and
(B) the Committee on Oversight and Reform, the Committee on
Homeland Security, and the Committee on Appropriations of the
House of Representatives.
(2) Covered agency.--The term ``covered agency'' has the
meaning given the term ``executive agency'' in section 133 of
title 41, United States Code.
(3) Director.--The term ``Director'' means the Director of
the Office of Management and Budget.
(4) Information technology.--The term ``information
technology''--
(A) has the meaning given the term in section 11101 of
title 40, United States Code; and
(B) includes the hardware and software systems of a Federal
agency that monitor and control physical equipment and
processes of the Federal agency.
(5) Risk-based budget.--The term ``risk-based budget''
means a budget--
(A) developed by identifying and prioritizing cybersecurity
risks and vulnerabilities, including impact on agency
operations in the case of a cyber attack, through analysis of
cyber threat intelligence, incident data, and tactics,
techniques, procedures, and capabilities of cyber threats;
and
(B) that allocates resources based on the risks identified
and prioritized under subparagraph (A).
(b) Establishment of Risk-based Budget Model.--
(1) In general.--
(A) Model.--Not later than 1 year after the first
publication of the budget submitted by the President under
section 1105 of title 31,
[[Page S909]]
United States Code, following the date of enactment of this
Act, the Director, in consultation with the Director of the
Cybersecurity and Infrastructure Security Agency and the
National Cyber Director and in coordination with the Director
of the National Institute of Standards and Technology, shall
develop a standard model for informing a risk-based budget
for cybersecurity spending.
(B) Responsibility of director.--Section 3553(a) of title
44, United States Code, as amended by section 103 of this
title, is further amended by inserting after paragraph (6)
the following:
``(7) developing a standard risk-based budget model to
inform Federal agency cybersecurity budget development;
and''.
(C) Contents of model.--The model required to be developed
under subparagraph (A) shall utilize appropriate information
to evaluate risk, including, as determined appropriate by the
Director--
(i) Federal and non-Federal cyber threat intelligence
products, where available, to identify threats,
vulnerabilities, and risks;
(ii) analysis of the impact of agency operations of
compromise of systems, including the interconnectivity to
other agency systems and the operations of other agencies;
and
(iii) to the greatest extent practicable, analysis of where
resources should be allocated to have the greatest impact on
mitigating current and future threats and current and future
cybersecurity capabilities.
(D) Use of model.--The model required to be developed under
subparagraph (A) shall be used to--
(i) inform acquisition and sustainment of--
(I) information technology and cybersecurity tools;
(II) information technology and cybersecurity
architectures;
(III) information technology and cybersecurity personnel;
and
(IV) cybersecurity and information technology concepts of
operations; and
(ii) evaluate and inform Government-wide cybersecurity
programs.
(E) Model variation.--The Director may develop multiple
models under subparagraph (A) based on different agency
characteristics, such as size or cybersecurity maturity.
(F) Required updates.--Not less frequently than once every
3 years, the Director shall review, and update as necessary,
the model required to be developed under subparagraph (A).
(G) Publication.--Not earlier than 5 years after the date
on which the model developed under subparagraph (A) is
completed, the Director shall, taking into account any
classified or sensitive information, publish the model, and
any updates necessary under subparagraph (F), on the public
website of the Office of Management and Budget.
(H) Reports.--Not later than 2 years after the first
publication of the budget submitted by the President under
section 1105 of title 31, United States Code, following the
date of enactment of this Act, and annually thereafter for
each of the 2 following fiscal years or until the date on
which the model required to be developed under subparagraph
(A) is completed, whichever is sooner, the Director shall
submit to the appropriate congressional committees a report
on the development of the model.
(2) Phased implementation of risk-based budget model.--
(A) Initial phase.--
(i) In general.--Not later than 2 years after the date on
which the model developed under paragraph (1) is completed,
the Director shall require not less than 5 covered agencies
to use the model to inform the development of the annual
cybersecurity and information technology budget requests of
those covered agencies.
(ii) Briefing.--Not later than 1 year after the date on
which the covered agencies selected under clause (i) begin
using the model developed under paragraph (1), the Director
shall provide to the appropriate congressional committees a
briefing on implementation of risk-based budgeting for
cybersecurity spending, an assessment of agency
implementation, and an evaluation of whether the risk-based
budget helps to mitigate cybersecurity vulnerabilities.
(B) Full deployment.--Not later than 5 years after the date
on which the model developed under paragraph (1) is
completed, the head of each covered agency shall use the
model, or any updated model pursuant to paragraph (1)(F), to
the greatest extent practicable, to inform the development of
the annual cybersecurity and information technology budget
requests of the covered agency.
(C) Agency performance plans.--
(i) Amendment.--Section 3554(d)(2) of title 44, United
States Code, is amended by inserting ``and the risk-based
budget model required under section 3553(a)(7)'' after
``paragraph (1)''.
(ii) Effective date.--The amendment made by clause (i)
shall take effect on the date that is 5 years after the date
on which the model developed under paragraph (1) is
completed.
(3) Verification.--
(A) In general.--Section 1105(a)(35)(A)(i) of title 31,
United States Code, is amended--
(i) in the matter preceding subclause (I), by striking ``by
agency, and by initiative area (as determined by the
administration)'' and inserting ``and by agency'';
(ii) in subclause (III), by striking ``and'' at the end;
and
(iii) by adding at the end the following:
``(V) a validation that the budgets submitted were informed
by using a risk-based methodology; and
``(VI) a report on the progress of each agency on closing
recommendations identified under the independent evaluation
required by section 3555(a)(1) of title 44.''.
(B) Effective date.--The amendments made by subparagraph
(A) shall take effect on the date that is 5 years after the
date on which the model developed under paragraph (1) is
completed.
(4) Reports.--
(A) Independent evaluation.--Section 3555(a)(2) of title
44, United States Code, is amended--
(i) in subparagraph (B), by striking ``and'' at the end;
(ii) in subparagraph (C), by striking the period at the end
and inserting ``; and''; and
(iii) by adding at the end the following:
``(D) an assessment of how the agency was informed by the
risk-based budget model required under section 3553(a)(7) and
an evaluation of whether the model mitigates agency cyber
vulnerabilities.''.
(B) Assessment.--
(i) Amendment.--Section 3553(c) of title 44, United States
Code, as amended by section 103 of this title, is further
amended by inserting after paragraph (5) the following:
``(6) an assessment of--
``(A) Federal agency utilization of the model required
under subsection (a)(7); and
``(B) whether the model mitigates the cyber vulnerabilities
of the Federal Government.''.
(ii) Effective date.--The amendment made by clause (i)
shall take effect on the date that is 5 years after the date
on which the model developed under paragraph (1) is
completed.
(5) GAO report.--Not later than 3 years after the date on
which the first budget of the President is submitted to
Congress containing the validation required under section
1105(a)(35)(A)(i)(V) of title 31, United States Code, as
amended by paragraph (3), the Comptroller General of the
United States shall submit to the appropriate congressional
committees a report that includes--
(A) an evaluation of the success of covered agencies in
utilizing the risk-based budget model;
(B) an evaluation of the success of covered agencies in
implementing risk-based budgets;
(C) an evaluation of whether the risk-based budgets
developed by covered agencies are effective at informing
Federal Government-wide cybersecurity programs; and
(D) any other information relating to risk-based budgets
the Comptroller General determines appropriate.
SEC. 120. ACTIVE CYBER DEFENSIVE STUDY.
(a) Definition.--In this section, the term ``active defense
technique''--
(1) means an action taken on the systems of an entity to
increase the security of information on the network of an
agency by misleading an adversary; and
(2) includes a honeypot, deception, or purposefully feeding
false or misleading data to an adversary when the adversary
is on the systems of the entity.
(b) Study.--Not later than 180 days after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency, in coordination with the
Director and the National Cyber Director, shall perform a
study on the use of active defense techniques to enhance the
security of agencies, which shall include--
(1) a review of legal restrictions on the use of different
active cyber defense techniques in Federal environments, in
consultation with the Department of Justice;
(2) an evaluation of--
(A) the efficacy of a selection of active defense
techniques determined by the Director of the Cybersecurity
and Infrastructure Security Agency; and
(B) factors that impact the efficacy of the active defense
techniques evaluated under subparagraph (A);
(3) recommendations on safeguards and procedures that shall
be established to require that active defense techniques are
adequately coordinated to ensure that active defense
techniques do not impede agency operations and mission
delivery, threat response efforts, criminal investigations,
and national security activities, including intelligence
collection; and
(4) the development of a framework for the use of different
active defense techniques by agencies.
SEC. 121. SECURITY OPERATIONS CENTER AS A SERVICE PILOT.
(a) Purpose.--The purpose of this section is for the
Cybersecurity and Infrastructure Security Agency to run a
security operation center on behalf of another agency,
alleviating the need to duplicate this function at every
agency, and empowering a greater centralized cybersecurity
capability.
(b) Plan.--Not later than 1 year after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency shall develop a plan to
establish a centralized Federal security operations center
shared service offering within the Cybersecurity and
Infrastructure Security Agency.
(c) Contents.--The plan required under subsection (b) shall
include considerations for--
(1) collecting, organizing, and analyzing agency
information system data in real time;
(2) staffing and resources; and
[[Page S910]]
(3) appropriate interagency agreements, concepts of
operations, and governance plans.
(d) Pilot Program.--
(1) In general.--Not later than 180 days after the date on
which the plan required under subsection (b) is developed,
the Director of the Cybersecurity and Infrastructure Security
Agency, in consultation with the Director, shall enter into a
1-year agreement with not less than 2 agencies to offer a
security operations center as a shared service.
(2) Additional agreements.--After the date on which the
briefing required under subsection (e)(1) is provided, the
Director of the Cybersecurity and Infrastructure Security
Agency, in consultation with the Director, may enter into
additional 1-year agreements described in paragraph (1) with
agencies.
(e) Briefing and Report.--
(1) Briefing.--Not later than 270 days after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency shall provide to the Committee
on Homeland Security and Governmental Affairs of the Senate
and the Committee on Homeland Security and the Committee on
Oversight and Reform of the House of Representatives a
briefing on the parameters of any 1-year agreements entered
into under subsection (d)(1).
(2) Report.--Not later than 90 days after the date on which
the first 1-year agreement entered into under subsection (d)
expires, the Director of the Cybersecurity and Infrastructure
Security Agency shall submit to the Committee on Homeland
Security and Governmental Affairs of the Senate and the
Committee on Homeland Security and the Committee on Oversight
and Reform of the House of Representatives a report on--
(A) the agreement; and
(B) any additional agreements entered into with agencies
under subsection (d).
SEC. 122. EXTENSION OF CHIEF DATA OFFICER COUNCIL.
Section 3520A(e)(2) of title 44, United States Code, is
amended by striking ``upon the expiration of the 2-year
period that begins on the date the Comptroller General
submits the report under paragraph (1) to Congress'' and
inserting ``January 31, 2030''.
SEC. 123. FEDERAL CYBERSECURITY REQUIREMENTS.
(a) Exemption From Federal Requirements.--Section 225(b)(2)
of the Federal Cybersecurity Enhancement Act of 2015 (6
U.S.C. 1523(b)(2)) is amended to read as follows:
``(2) Exception.--
``(A) In general.--A particular requirement under paragraph
(1) shall not apply to an agency information system of an
agency if--
``(i) with respect to the agency information system, the
head of the agency submits to the Director an application for
an exemption from the particular requirement, in which the
head of the agency personally certifies to the Director with
particularity that--
``(I) operational requirements articulated in the
certification and related to the agency information system
would make it excessively burdensome to implement the
particular requirement;
``(II) the particular requirement is not necessary to
secure the agency information system or agency information
stored on or transiting the agency information system; and
``(III) the agency has taken all necessary steps to secure
the agency information system and agency information stored
on or transiting the agency information system;
``(ii) the head of the agency or the designee of the head
of the agency has submitted the certification described in
clause (i) to the appropriate congressional committees and
any other congressional committee with jurisdiction over the
agency; and
``(iii) the Director grants the exemption from the
particular requirement.
``(B) Duration of exemption.--
``(i) In general.--An exemption granted under subparagraph
(A) shall expire on the date that is 1 year after the date on
which the Director granted the exemption.
``(ii) Renewal.--Upon the expiration of an exemption
granted to an agency under subparagraph (A), the head of the
agency may apply for an additional exemption.''.
(b) Report on Exemptions.--Section 3554(c)(1) of title 44,
United States Code, as amended by section 103(c) of this
title, is amended--
(1) in subparagraph (C), by striking ``and'' at the end;
(2) in subparagraph (D), by striking the period at the end
and inserting ``; and''; and
(3) by adding at the end the following:
``(E) with respect to any exemption the Director of the
Office of Management and Budget has granted the agency under
section 225(b)(2) of the Federal Cybersecurity Enhancement
Act of 2015 (6 U.S.C. 1523(b)(2)) that is effective on the
date of submission of the report--
``(i) an identification of each particular requirement from
which any agency information system (as defined in section
2210 of the Homeland Security Act of 2002 (6 U.S.C. 660)) is
exempted; and
``(ii) for each requirement identified under clause (i)--
``(I) an identification of the agency information system
described in clause (i) exempted from the requirement; and
``(II) an estimate of the date on which the agency will to
be able to comply with the requirement.''.
(c) Effective Date.--The amendments made by this section
shall take effect on the date that is 1 year after the date
of enactment of this Act.
TITLE II--CYBER INCIDENT REPORTING FOR CRITICAL INFRASTRUCTURE ACT OF
2022
SEC. 201. SHORT TITLE.
This title may be cited as the ``Cyber Incident Reporting
for Critical Infrastructure Act of 2022''.
SEC. 202. DEFINITIONS.
In this title:
(1) Covered cyber incident; covered entity; cyber incident;
information system; ransom payment; ransomware attack;
security vulnerability.--The terms ``covered cyber
incident'', ``covered entity'', ``cyber incident'',
``information system'', ``ransom payment'', ``ransomware
attack'', and ``security vulnerability'' have the meanings
given those terms in section 2240 of the Homeland Security
Act of 2002, as added by section 203 of this title.
(2) Director.--The term ``Director'' means the Director of
the Cybersecurity and Infrastructure Security Agency.
SEC. 203. CYBER INCIDENT REPORTING.
(a) Cyber Incident Reporting.--Title XXII of the Homeland
Security Act of 2002 (6 U.S.C. 651 et seq.) is amended--
(1) in section 2209(c) (6 U.S.C. 659(c))--
(A) in paragraph (11), by striking ``; and'' and inserting
a semicolon;
(B) in paragraph (12), by striking the period at the end
and inserting ``; and''; and
(C) by adding at the end the following:
``(13) receiving, aggregating, and analyzing reports
related to covered cyber incidents (as defined in section
2240) submitted by covered entities (as defined in section
2240) and reports related to ransom payments (as defined in
section 2240) submitted by covered entities (as defined in
section 2240) in furtherance of the activities specified in
sections 2202(e), 2203, and 2241, this subsection, and any
other authorized activity of the Director, to enhance the
situational awareness of cybersecurity threats across
critical infrastructure sectors.''; and
(2) by adding at the end the following:
``Subtitle D--Cyber Incident Reporting
``SEC. 2240. DEFINITIONS.
``In this subtitle:
``(1) Center.--The term `Center' means the center
established under section 2209.
``(2) Cloud service provider.--The term `cloud service
provider' means an entity offering products or services
related to cloud computing, as defined by the National
Institute of Standards and Technology in NIST Special
Publication 800-145 and any amendatory or superseding
document relating thereto.
``(3) Council.--The term `Council' means the Cyber Incident
Reporting Council described in section 2246.
``(4) Covered cyber incident.--The term `covered cyber
incident' means a substantial cyber incident experienced by a
covered entity that satisfies the definition and criteria
established by the Director in the final rule issued pursuant
to section 2242(b).
``(5) Covered entity.--The term `covered entity' means an
entity in a critical infrastructure sector, as defined in
Presidential Policy Directive 21, that satisfies the
definition established by the Director in the final rule
issued pursuant to section 2242(b).
``(6) Cyber incident.--The term `cyber incident'--
``(A) has the meaning given the term `incident' in section
2209; and
``(B) does not include an occurrence that imminently, but
not actually, jeopardizes--
``(i) information on information systems; or
``(ii) information systems.
``(7) Cyber threat.--The term `cyber threat' has the
meaning given the term `cybersecurity threat' in section
2201.
``(8) Cyber threat indicator; cybersecurity purpose;
defensive measure; federal entity; security vulnerability.--
The terms `cyber threat indicator', `cybersecurity purpose',
`defensive measure', `Federal entity', and `security
vulnerability' have the meanings given those terms in section
102 of the Cybersecurity Act of 2015 (6 U.S.C. 1501).
``(9) Incident; sharing.--The terms `incident' and
`sharing' have the meanings given those terms in section
2209.
``(10) Information sharing and analysis organization.--The
term `Information Sharing and Analysis Organization' has the
meaning given the term in section 2222.
``(11) Information system.--The term `information system'--
``(A) has the meaning given the term in section 3502 of
title 44, United States Code; and
``(B) includes industrial control systems, such as
supervisory control and data acquisition systems, distributed
control systems, and programmable logic controllers.
``(12) Managed service provider.--The term `managed service
provider' means an entity that delivers services, such as
network, application, infrastructure, or security services,
via ongoing and regular support and active administration on
the premises of a customer, in the data center of the entity
(such as hosting), or in a third party data center.
``(13) Ransom payment.--The term `ransom payment' means the
transmission of any money or other property or asset,
including virtual currency, or any portion thereof,
[[Page S911]]
which has at any time been delivered as ransom in connection
with a ransomware attack.
``(14) Ransomware attack.--The term `ransomware attack'--
``(A) means an incident that includes the use or threat of
use of unauthorized or malicious code on an information
system, or the use or threat of use of another digital
mechanism such as a denial of service attack, to interrupt or
disrupt the operations of an information system or compromise
the confidentiality, availability, or integrity of electronic
data stored on, processed by, or transiting an information
system to extort a demand for a ransom payment; and
``(B) does not include any such event where the demand for
payment is--
``(i) not genuine; or
``(ii) made in good faith by an entity in response to a
specific request by the owner or operator of the information
system.
``(15) Sector risk management agency.--The term `Sector
Risk Management Agency' has the meaning given the term in
section 2201.
``(16) Significant cyber incident.--The term `significant
cyber incident' means a cyber incident, or a group of related
cyber incidents, that the Secretary determines is likely to
result in demonstrable harm to the national security
interests, foreign relations, or economy of the United States
or to the public confidence, civil liberties, or public
health and safety of the people of the United States.
``(17) Supply chain compromise.--The term `supply chain
compromise' means an incident within the supply chain of an
information system that an adversary can leverage or does
leverage to jeopardize the confidentiality, integrity, or
availability of the information system or the information the
system processes, stores, or transmits, and can occur at any
point during the life cycle.
``(18) Virtual currency.--The term `virtual currency' means
the digital representation of value that functions as a
medium of exchange, a unit of account, or a store of value.
``(19) Virtual currency address.--The term `virtual
currency address' means a unique public cryptographic key
identifying the location to which a virtual currency payment
can be made.
``SEC. 2241. CYBER INCIDENT REVIEW.
``(a) Activities.--The Center shall--
``(1) receive, aggregate, analyze, and secure, using
processes consistent with the processes developed pursuant to
the Cybersecurity Information Sharing Act of 2015 (6 U.S.C.
1501 et seq.) reports from covered entities related to a
covered cyber incident to assess the effectiveness of
security controls, identify tactics, techniques, and
procedures adversaries use to overcome those controls and
other cybersecurity purposes, including to assess potential
impact of cyber incidents on public health and safety and to
enhance situational awareness of cyber threats across
critical infrastructure sectors;
``(2) coordinate and share information with appropriate
Federal departments and agencies to identify and track ransom
payments, including those utilizing virtual currencies;
``(3) leverage information gathered about cyber incidents
to--
``(A) enhance the quality and effectiveness of information
sharing and coordination efforts with appropriate entities,
including agencies, sector coordinating councils, Information
Sharing and Analysis Organizations, State, local, Tribal, and
territorial governments, technology providers, critical
infrastructure owners and operators, cybersecurity and cyber
incident response firms, and security researchers; and
``(B) provide appropriate entities, including sector
coordinating councils, Information Sharing and Analysis
Organizations, State, local, Tribal, and territorial
governments, technology providers, cybersecurity and cyber
incident response firms, and security researchers, with
timely, actionable, and anonymized reports of cyber incident
campaigns and trends, including, to the maximum extent
practicable, related contextual information, cyber threat
indicators, and defensive measures, pursuant to section 2245;
``(4) establish mechanisms to receive feedback from
stakeholders on how the Agency can most effectively receive
covered cyber incident reports, ransom payment reports, and
other voluntarily provided information, and how the Agency
can most effectively support private sector cybersecurity;
``(5) facilitate the timely sharing, on a voluntary basis,
between relevant critical infrastructure owners and operators
of information relating to covered cyber incidents and ransom
payments, particularly with respect to ongoing cyber threats
or security vulnerabilities and identify and disseminate ways
to prevent or mitigate similar cyber incidents in the future;
``(6) for a covered cyber incident, including a ransomware
attack, that also satisfies the definition of a significant
cyber incident, or is part of a group of related cyber
incidents that together satisfy such definition, conduct a
review of the details surrounding the covered cyber incident
or group of those incidents and identify and disseminate ways
to prevent or mitigate similar incidents in the future;
``(7) with respect to covered cyber incident reports under
section 2242(a) and 2243 involving an ongoing cyber threat or
security vulnerability, immediately review those reports for
cyber threat indicators that can be anonymized and
disseminated, with defensive measures, to appropriate
stakeholders, in coordination with other divisions within the
Agency, as appropriate;
``(8) publish quarterly unclassified, public reports that
describe aggregated, anonymized observations, findings, and
recommendations based on covered cyber incident reports,
which may be based on the unclassified information contained
in the briefings required under subsection (c);
``(9) proactively identify opportunities, consistent with
the protections in section 2245, to leverage and utilize data
on cyber incidents in a manner that enables and strengthens
cybersecurity research carried out by academic institutions
and other private sector organizations, to the greatest
extent practicable; and
``(10) in accordance with section 2245 and subsection (b)
of this section, as soon as possible but not later than 24
hours after receiving a covered cyber incident report, ransom
payment report, voluntarily submitted information pursuant to
section 2243, or information received pursuant to a request
for information or subpoena under section 2244, make
available the information to appropriate Sector Risk
Management Agencies and other appropriate Federal agencies.
``(b) Interagency Sharing.--The President or a designee of
the President--
``(1) may establish a specific time requirement for sharing
information under subsection (a)(11); and
``(2) shall determine the appropriate Federal agencies
under subsection (a)(11).
``(c) Periodic Briefing.--Not later than 60 days after the
effective date of the final rule required under section
2242(b), and on the first day of each month thereafter, the
Director, in consultation with the National Cyber Director,
the Attorney General, and the Director of National
Intelligence, shall provide to the majority leader of the
Senate, the minority leader of the Senate, the Speaker of the
House of Representatives, the minority leader of the House of
Representatives, the Committee on Homeland Security and
Governmental Affairs of the Senate, and the Committee on
Homeland Security of the House of Representatives a briefing
that characterizes the national cyber threat landscape,
including the threat facing Federal agencies and covered
entities, and applicable intelligence and law enforcement
information, covered cyber incidents, and ransomware attacks,
as of the date of the briefing, which shall--
``(1) include the total number of reports submitted under
sections 2242 and 2243 during the preceding month, including
a breakdown of required and voluntary reports;
``(2) include any identified trends in covered cyber
incidents and ransomware attacks over the course of the
preceding month and as compared to previous reports,
including any trends related to the information collected in
the reports submitted under sections 2242 and 2243,
including--
``(A) the infrastructure, tactics, and techniques malicious
cyber actors commonly use; and
``(B) intelligence gaps that have impeded, or currently are
impeding, the ability to counter covered cyber incidents and
ransomware threats;
``(3) include a summary of the known uses of the
information in reports submitted under sections 2242 and
2243; and
``(4) include an unclassified portion, but may include a
classified component.
``SEC. 2242. REQUIRED REPORTING OF CERTAIN CYBER INCIDENTS.
``(a) In General.--
``(1) Covered cyber incident reports.--
``(A) In general.--A covered entity that experiences a
covered cyber incident shall report the covered cyber
incident to the Agency not later than 72 hours after the
covered entity reasonably believes that the covered cyber
incident has occurred.
``(B) Limitation.--The Director may not require reporting
under subparagraph (A) any earlier than 72 hours after the
covered entity reasonably believes that a covered cyber
incident has occurred.
``(2) Ransom payment reports.--
``(A) In general.--A covered entity that makes a ransom
payment as the result of a ransomware attack against the
covered entity shall report the payment to the Agency not
later than 24 hours after the ransom payment has been made.
``(B) Application.--The requirements under subparagraph (A)
shall apply even if the ransomware attack is not a covered
cyber incident subject to the reporting requirements under
paragraph (1).
``(3) Supplemental reports.--A covered entity shall
promptly submit to the Agency an update or supplement to a
previously submitted covered cyber incident report if
substantial new or different information becomes available or
if the covered entity makes a ransom payment after submitting
a covered cyber incident report required under paragraph (1),
until such date that such covered entity notifies the Agency
that the covered cyber incident at issue has concluded and
has been fully mitigated and resolved.
``(4) Preservation of information.--Any covered entity
subject to requirements of paragraph (1), (2), or (3) shall
preserve data relevant to the covered cyber incident or
ransom payment in accordance with procedures established in
the final rule issued pursuant to subsection (b).
``(5) Exceptions.--
``(A) Reporting of covered cyber incident with ransom
payment.--If a covered entity is the victim of a covered
cyber incident and makes a ransom payment prior to
[[Page S912]]
the 72 hour requirement under paragraph (1), such that the
reporting requirements under paragraphs (1) and (2) both
apply, the covered entity may submit a single report to
satisfy the requirements of both paragraphs in accordance
with procedures established in the final rule issued pursuant
to subsection (b).
``(B) Substantially similar reported information.--
``(i) In general.--Subject to the limitation described in
clause (ii), where the Agency has an agreement in place that
satisfies the requirements of section 4(a) of the Cyber
Incident Reporting for Critical Infrastructure Act of 2022,
the requirements under paragraphs (1), (2), and (3) shall not
apply to a covered entity required by law, regulation, or
contract to report substantially similar information to
another Federal agency within a substantially similar
timeframe.
``(ii) Limitation.--The exemption in clause (i) shall take
effect with respect to a covered entity once an agency
agreement and sharing mechanism is in place between the
Agency and the respective Federal agency, pursuant to section
4(a) of the Cyber Incident Reporting for Critical
Infrastructure Act of 2022.
``(iii) Rules of construction.--Nothing in this paragraph
shall be construed to--
``(I) exempt a covered entity from the reporting
requirements under paragraph (3) unless the supplemental
report also meets the requirements of clauses (i) and (ii) of
this paragraph;
``(II) prevent the Agency from contacting an entity
submitting information to another Federal agency that is
provided to the Agency pursuant to section 4 of the Cyber
Incident Reporting for Critical Infrastructure Act of 2022;
or
``(III) prevent an entity from communicating with the
Agency.
``(C) Domain name system.--The requirements under
paragraphs (1), (2) and (3) shall not apply to a covered
entity or the functions of a covered entity that the Director
determines constitute critical infrastructure owned,
operated, or governed by multi-stakeholder organizations that
develop, implement, and enforce policies concerning the
Domain Name System, such as the Internet Corporation for
Assigned Names and Numbers or the Internet Assigned Numbers
Authority.
``(6) Manner, timing, and form of reports.--Reports made
under paragraphs (1), (2), and (3) shall be made in the
manner and form, and within the time period in the case of
reports made under paragraph (3), prescribed in the final
rule issued pursuant to subsection (b).
``(7) Effective date.--Paragraphs (1) through (4) shall
take effect on the dates prescribed in the final rule issued
pursuant to subsection (b).
``(b) Rulemaking.--
``(1) Notice of proposed rulemaking.--Not later than 24
months after the date of enactment of this section, the
Director, in consultation with Sector Risk Management
Agencies, the Department of Justice, and other Federal
agencies, shall publish in the Federal Register a notice of
proposed rulemaking to implement subsection (a).
``(2) Final rule.--Not later than 18 months after
publication of the notice of proposed rulemaking under
paragraph (1), the Director shall issue a final rule to
implement subsection (a).
``(3) Subsequent rulemakings.--
``(A) In general.--The Director is authorized to issue
regulations to amend or revise the final rule issued pursuant
to paragraph (2).
``(B) Procedures.--Any subsequent rules issued under
subparagraph (A) shall comply with the requirements under
chapter 5 of title 5, United States Code, including the
issuance of a notice of proposed rulemaking under section 553
of such title.
``(c) Elements.--The final rule issued pursuant to
subsection (b) shall be composed of the following elements:
``(1) A clear description of the types of entities that
constitute covered entities, based on--
``(A) the consequences that disruption to or compromise of
such an entity could cause to national security, economic
security, or public health and safety;
``(B) the likelihood that such an entity may be targeted by
a malicious cyber actor, including a foreign country; and
``(C) the extent to which damage, disruption, or
unauthorized access to such an entity, including the
accessing of sensitive cybersecurity vulnerability
information or penetration testing tools or techniques, will
likely enable the disruption of the reliable operation of
critical infrastructure.
``(2) A clear description of the types of substantial cyber
incidents that constitute covered cyber incidents, which
shall--
``(A) at a minimum, require the occurrence of--
``(i) a cyber incident that leads to substantial loss of
confidentiality, integrity, or availability of such
information system or network, or a serious impact on the
safety and resiliency of operational systems and processes;
``(ii) a disruption of business or industrial operations,
including due to a denial of service attack, ransomware
attack, or exploitation of a zero day vulnerability, against
``(I) an information system or network; or
``(II) an operational technology system or process; or
``(iii) unauthorized access or disruption of business or
industrial operations due to loss of service facilitated
through, or caused by, a compromise of a cloud service
provider, managed service provider, or other third-party data
hosting provider or by a supply chain compromise;
``(B) consider--
``(i) the sophistication or novelty of the tactics used to
perpetrate such a cyber incident, as well as the type,
volume, and sensitivity of the data at issue;
``(ii) the number of individuals directly or indirectly
affected or potentially affected by such a cyber incident;
and
``(iii) potential impacts on industrial control systems,
such as supervisory control and data acquisition systems,
distributed control systems, and programmable logic
controllers; and
``(C) exclude--
``(i) any event where the cyber incident is perpetrated in
good faith by an entity in response to a specific request by
the owner or operator of the information system; and
``(ii) the threat of disruption as extortion, as described
in section 2240(14)(A).
``(3) A requirement that, if a covered cyber incident or a
ransom payment occurs following an exempted threat described
in paragraph (2)(C)(ii), the covered entity shall comply with
the requirements in this subtitle in reporting the covered
cyber incident or ransom payment.
``(4) A clear description of the specific required contents
of a report pursuant to subsection (a)(1), which shall
include the following information, to the extent applicable
and available, with respect to a covered cyber incident:
``(A) A description of the covered cyber incident,
including--
``(i) identification and a description of the function of
the affected information systems, networks, or devices that
were, or are reasonably believed to have been, affected by
such cyber incident;
``(ii) a description of the unauthorized access with
substantial loss of confidentiality, integrity, or
availability of the affected information system or network or
disruption of business or industrial operations;
``(iii) the estimated date range of such incident; and
``(iv) the impact to the operations of the covered entity.
``(B) Where applicable, a description of the
vulnerabilities exploited and the security defenses that were
in place, as well as the tactics, techniques, and procedures
used to perpetrate the covered cyber incident.
``(C) Where applicable, any identifying or contact
information related to each actor reasonably believed to be
responsible for such cyber incident.
``(D) Where applicable, identification of the category or
categories of information that were, or are reasonably
believed to have been, accessed or acquired by an
unauthorized person.
``(E) The name and other information that clearly
identifies the covered entity impacted by the covered cyber
incident, including, as applicable, the State of
incorporation or formation of the covered entity, trade
names, legal names, or other identifiers.
``(F) Contact information, such as telephone number or
electronic mail address, that the Agency may use to contact
the covered entity or an authorized agent of such covered
entity, or, where applicable, the service provider of such
covered entity acting with the express permission of, and at
the direction of, the covered entity to assist with
compliance with the requirements of this subtitle.
``(5) A clear description of the specific required contents
of a report pursuant to subsection (a)(2), which shall be the
following information, to the extent applicable and
available, with respect to a ransom payment:
``(A) A description of the ransomware attack, including the
estimated date range of the attack.
``(B) Where applicable, a description of the
vulnerabilities, tactics, techniques, and procedures used to
perpetrate the ransomware attack.
``(C) Where applicable, any identifying or contact
information related to the actor or actors reasonably
believed to be responsible for the ransomware attack.
``(D) The name and other information that clearly
identifies the covered entity that made the ransom payment or
on whose behalf the payment was made.
``(E) Contact information, such as telephone number or
electronic mail address, that the Agency may use to contact
the covered entity that made the ransom payment or an
authorized agent of such covered entity, or, where
applicable, the service provider of such covered entity
acting with the express permission of, and at the direction
of, that covered entity to assist with compliance with the
requirements of this subtitle.
``(F) The date of the ransom payment.
``(G) The ransom payment demand, including the type of
virtual currency or other commodity requested, if applicable.
``(H) The ransom payment instructions, including
information regarding where to send the payment, such as the
virtual currency address or physical address the funds were
requested to be sent to, if applicable.
``(I) The amount of the ransom payment.
``(6) A clear description of the types of data required to
be preserved pursuant to subsection (a)(4), the period of
time for which the data is required to be preserved, and
allowable uses, processes, and procedures.
[[Page S913]]
``(7) Deadlines and criteria for submitting supplemental
reports to the Agency required under subsection (a)(3), which
shall--
``(A) be established by the Director in consultation with
the Council;
``(B) consider any existing regulatory reporting
requirements similar in scope, purpose, and timing to the
reporting requirements to which such a covered entity may
also be subject, and make efforts to harmonize the timing and
contents of any such reports to the maximum extent
practicable;
``(C) balance the need for situational awareness with the
ability of the covered entity to conduct cyber incident
response and investigations; and
``(D) provide a clear description of what constitutes
substantial new or different information.
``(8) Procedures for--
``(A) entities, including third parties pursuant to
subsection (d)(1), to submit reports required by paragraphs
(1), (2), and (3) of subsection (a), including the manner and
form thereof, which shall include, at a minimum, a concise,
user-friendly web-based form;
``(B) the Agency to carry out--
``(i) the enforcement provisions of section 2244, including
with respect to the issuance, service, withdrawal, referral
process, and enforcement of subpoenas, appeals and due
process procedures;
``(ii) other available enforcement mechanisms including
acquisition, suspension and debarment procedures; and
``(iii) other aspects of noncompliance;
``(C) implementing the exceptions provided in subsection
(a)(5); and
``(D) protecting privacy and civil liberties consistent
with processes adopted pursuant to section 105(b) of the
Cybersecurity Act of 2015 (6 U.S.C. 1504(b)) and anonymizing
and safeguarding, or no longer retaining, information
received and disclosed through covered cyber incident reports
and ransom payment reports that is known to be personal
information of a specific individual or information that
identifies a specific individual that is not directly related
to a cybersecurity threat.
``(9) Other procedural measures directly necessary to
implement subsection (a).
``(d) Third Party Report Submission and Ransom Payment.--
``(1) Report submission.--A covered entity that is required
to submit a covered cyber incident report or a ransom payment
report may use a third party, such as an incident response
company, insurance provider, service provider, Information
Sharing and Analysis Organization, or law firm, to submit the
required report under subsection (a).
``(2) Ransom payment.--If a covered entity impacted by a
ransomware attack uses a third party to make a ransom
payment, the third party shall not be required to submit a
ransom payment report for itself under subsection (a)(2).
``(3) Duty to report.--Third-party reporting under this
subparagraph does not relieve a covered entity from the duty
to comply with the requirements for covered cyber incident
report or ransom payment report submission.
``(4) Responsibility to advise.--Any third party used by a
covered entity that knowingly makes a ransom payment on
behalf of a covered entity impacted by a ransomware attack
shall advise the impacted covered entity of the
responsibilities of the impacted covered entity regarding
reporting ransom payments under this section.
``(e) Outreach to Covered Entities.--
``(1) In general.--The Agency shall conduct an outreach and
education campaign to inform likely covered entities,
entities that offer or advertise as a service to customers to
make or facilitate ransom payments on behalf of covered
entities impacted by ransomware attacks and other appropriate
entities of the requirements of paragraphs (1), (2), and (3)
of subsection (a).
``(2) Elements.--The outreach and education campaign under
paragraph (1) shall include the following:
``(A) An overview of the final rule issued pursuant to
subsection (b).
``(B) An overview of mechanisms to submit to the Agency
covered cyber incident reports, ransom payment reports, and
information relating to the disclosure, retention, and use of
covered cyber incident reports and ransom payment reports
under this section.
``(C) An overview of the protections afforded to covered
entities for complying with the requirements under paragraphs
(1), (2), and (3) of subsection (a).
``(D) An overview of the steps taken under section 2244
when a covered entity is not in compliance with the reporting
requirements under subsection (a).
``(E) Specific outreach to cybersecurity vendors, cyber
incident response providers, cybersecurity insurance
entities, and other entities that may support covered
entities.
``(F) An overview of the privacy and civil liberties
requirements in this subtitle.
``(3) Coordination.--In conducting the outreach and
education campaign required under paragraph (1), the Agency
may coordinate with--
``(A) the Critical Infrastructure Partnership Advisory
Council established under section 871;
``(B) Information Sharing and Analysis Organizations;
``(C) trade associations;
``(D) information sharing and analysis centers;
``(E) sector coordinating councils; and
``(F) any other entity as determined appropriate by the
Director.
``(f) Exemption.--Sections 3506(c), 3507, 3508, and 3509 of
title 44, United States Code, shall not apply to any action
to carry out this section.
``(g) Rule of Construction.--Nothing in this section shall
affect the authorities of the Federal Government to implement
the requirements of Executive Order 14028 (86 Fed. Reg.
26633; relating to improving the nation's cybersecurity),
including changes to the Federal Acquisition Regulations and
remedies to include suspension and debarment.
``(h) Savings Provision.--Nothing in this section shall be
construed to supersede or to abrogate, modify, or otherwise
limit the authority that is vested in any officer or any
agency of the United States Government to regulate or take
action with respect to the cybersecurity of an entity.
``SEC. 2243. VOLUNTARY REPORTING OF OTHER CYBER INCIDENTS.
``(a) In General.--Entities may voluntarily report cyber
incidents or ransom payments to the Agency that are not
required under paragraph (1), (2), or (3) of section 2242(a),
but may enhance the situational awareness of cyber threats.
``(b) Voluntary Provision of Additional Information in
Required Reports.--Covered entities may voluntarily include
in reports required under paragraph (1), (2), or (3) of
section 2242(a) information that is not required to be
included, but may enhance the situational awareness of cyber
threats.
``(c) Application of Protections.--The protections under
section 2245 applicable to reports made under section 2242
shall apply in the same manner and to the same extent to
reports and information submitted under subsections (a) and
(b).
``SEC. 2244. NONCOMPLIANCE WITH REQUIRED REPORTING.
``(a) Purpose.--In the event that a covered entity that is
required to submit a report under section 2242(a) fails to
comply with the requirement to report, the Director may
obtain information about the cyber incident or ransom payment
by engaging the covered entity directly to request
information about the cyber incident or ransom payment, and
if the Director is unable to obtain information through such
engagement, by issuing a subpoena to the covered entity,
pursuant to subsection (c), to gather information sufficient
to determine whether a covered cyber incident or ransom
payment has occurred.
``(b) Initial Request for Information.--
``(1) In general.--If the Director has reason to believe,
whether through public reporting or other information in the
possession of the Federal Government, including through
analysis performed pursuant to paragraph (1) or (2) of
section 2241(a), that a covered entity has experienced a
covered cyber incident or made a ransom payment but failed to
report such cyber incident or payment to the Agency in
accordance with section 2242(a), the Director may request
additional information from the covered entity to confirm
whether or not a covered cyber incident or ransom payment has
occurred.
``(2) Treatment.--Information provided to the Agency in
response to a request under paragraph (1) shall be treated as
if it was submitted through the reporting procedures
established in section 2242.
``(c) Enforcement.--
``(1) In general.--If, after the date that is 72 hours from
the date on which the Director made the request for
information in subsection (b), the Director has received no
response from the covered entity from which such information
was requested, or received an inadequate response, the
Director may issue to such covered entity a subpoena to
compel disclosure of information the Director deems necessary
to determine whether a covered cyber incident or ransom
payment has occurred and obtain the information required to
be reported pursuant to section 2242 and any implementing
regulations, and assess potential impacts to national
security, economic security, or public health and safety.
``(2) Civil action.--
``(A) In general.--If a covered entity fails to comply with
a subpoena, the Director may refer the matter to the Attorney
General to bring a civil action in a district court of the
United States to enforce such subpoena.
``(B) Venue.--An action under this paragraph may be brought
in the judicial district in which the covered entity against
which the action is brought resides, is found, or does
business.
``(C) Contempt of court.--A court may punish a failure to
comply with a subpoena issued under this subsection as
contempt of court.
``(3) Non-delegation.--The authority of the Director to
issue a subpoena under this subsection may not be delegated.
``(4) Authentication.--
``(A) In general.--Any subpoena issued electronically
pursuant to this subsection shall be authenticated with a
cryptographic digital signature of an authorized
representative of the Agency, or other comparable successor
technology, that allows the Agency to demonstrate that such
subpoena was issued by the Agency and has not been altered or
modified since such issuance.
``(B) Invalid if not authenticated.--Any subpoena issued
electronically pursuant to this subsection that is not
authenticated in accordance with subparagraph (A) shall not
be considered to be valid by the recipient of such subpoena.
``(d) Provision of Certain Information to Attorney
General.--
``(1) In general.--Notwithstanding section 2245(a)(5) and
paragraph (b)(2) of this section,
[[Page S914]]
if the Director determines, based on the information provided
in response to a subpoena issued pursuant to subsection (c),
that the facts relating to the cyber incident or ransom
payment at issue may constitute grounds for a regulatory
enforcement action or criminal prosecution, the Director may
provide such information to the Attorney General or the head
of the appropriate Federal regulatory agency, who may use
such information for a regulatory enforcement action or
criminal prosecution.
``(2) Consultation.--The Director may consult with the
Attorney General or the head of the appropriate Federal
regulatory agency when making the determination under
paragraph (1).
``(e) Considerations.--When determining whether to exercise
the authorities provided under this section, the Director
shall take into consideration--
``(1) the complexity in determining if a covered cyber
incident has occurred; and
``(2) prior interaction with the Agency or awareness of the
covered entity of the policies and procedures of the Agency
for reporting covered cyber incidents and ransom payments.
``(f) Exclusions.--This section shall not apply to a State,
local, Tribal, or territorial government entity.
``(g) Report to Congress.--The Director shall submit to
Congress an annual report on the number of times the
Director--
``(1) issued an initial request for information pursuant to
subsection (b);
``(2) issued a subpoena pursuant to subsection (c); or
``(3) referred a matter to the Attorney General for a civil
action pursuant to subsection (c)(2).
``(h) Publication of the Annual Report.--The Director shall
publish a version of the annual report required under
subsection (g) on the website of the Agency, which shall
include, at a minimum, the number of times the Director--
``(1) issued an initial request for information pursuant to
subsection (b); or
``(2) issued a subpoena pursuant to subsection (c).
``(i) Anonymization of Reports.--The Director shall ensure
any victim information contained in a report required to be
published under subsection (h) be anonymized before the
report is published.
``SEC. 2245. INFORMATION SHARED WITH OR PROVIDED TO THE
FEDERAL GOVERNMENT.
``(a) Disclosure, Retention, and Use.--
``(1) Authorized activities.--Information provided to the
Agency pursuant to section 2242 or 2243 may be disclosed to,
retained by, and used by, consistent with otherwise
applicable provisions of Federal law, any Federal agency or
department, component, officer, employee, or agent of the
Federal Government solely for--
``(A) a cybersecurity purpose;
``(B) the purpose of identifying--
``(i) a cyber threat, including the source of the cyber
threat; or
``(ii) a security vulnerability;
``(C) the purpose of responding to, or otherwise preventing
or mitigating, a specific threat of death, a specific threat
of serious bodily harm, or a specific threat of serious
economic harm, including a terrorist act or use of a weapon
of mass destruction;
``(D) the purpose of responding to, investigating,
prosecuting, or otherwise preventing or mitigating, a serious
threat to a minor, including sexual exploitation and threats
to physical safety; or
``(E) the purpose of preventing, investigating, disrupting,
or prosecuting an offense arising out of a cyber incident
reported pursuant to section 2242 or 2243 or any of the
offenses listed in section 105(d)(5)(A)(v) of the
Cybersecurity Act of 2015 (6 U.S.C. 1504(d)(5)(A)(v)).
``(2) Agency actions after receipt.--
``(A) Rapid, confidential sharing of cyber threat
indicators.--Upon receiving a covered cyber incident or
ransom payment report submitted pursuant to this section, the
Agency shall immediately review the report to determine
whether the cyber incident that is the subject of the report
is connected to an ongoing cyber threat or security
vulnerability and where applicable, use such report to
identify, develop, and rapidly disseminate to appropriate
stakeholders actionable, anonymized cyber threat indicators
and defensive measures.
``(B) Principles for sharing security vulnerabilities.--
With respect to information in a covered cyber incident or
ransom payment report regarding a security vulnerability
referred to in paragraph (1)(B)(ii), the Director shall
develop principles that govern the timing and manner in which
information relating to security vulnerabilities may be
shared, consistent with common industry best practices and
United States and international standards.
``(3) Privacy and civil liberties.--Information contained
in covered cyber incident and ransom payment reports
submitted to the Agency pursuant to section 2242 shall be
retained, used, and disseminated, where permissible and
appropriate, by the Federal Government in accordance with
processes to be developed for the protection of personal
information consistent with processes adopted pursuant to
section 105 of the Cybersecurity Act of 2015 (6 U.S.C. 1504)
and in a manner that protects from unauthorized use or
disclosure any information that may contain--
``(A) personal information of a specific individual that is
not directly related to a cybersecurity threat; or
``(B) information that identifies a specific individual
that is not directly related to a cybersecurity threat.
``(4) Digital security.--The Agency shall ensure that
reports submitted to the Agency pursuant to section 2242, and
any information contained in those reports, are collected,
stored, and protected at a minimum in accordance with the
requirements for moderate impact Federal information systems,
as described in Federal Information Processing Standards
Publication 199, or any successor document.
``(5) Prohibition on use of information in regulatory
actions.--
``(A) In general.--A Federal, State, local, or Tribal
government shall not use information about a covered cyber
incident or ransom payment obtained solely through reporting
directly to the Agency in accordance with this subtitle to
regulate, including through an enforcement action, the
activities of the covered entity or entity that made a ransom
payment, unless the government entity expressly allows
entities to submit reports to the Agency to meet regulatory
reporting obligations of the entity.
``(B) Clarification.--A report submitted to the Agency
pursuant to section 2242 or 2243 may, consistent with Federal
or State regulatory authority specifically relating to the
prevention and mitigation of cybersecurity threats to
information systems, inform the development or implementation
of regulations relating to such systems.
``(b) Protections for Reporting Entities and Information.--
Reports describing covered cyber incidents or ransom payments
submitted to the Agency by entities in accordance with
section 2242, as well as voluntarily-submitted cyber incident
reports submitted to the Agency pursuant to section 2243,
shall--
``(1) be considered the commercial, financial, and
proprietary information of the covered entity when so
designated by the covered entity;
``(2) be exempt from disclosure under section 552(b)(3) of
title 5, United States Code (commonly known as the `Freedom
of Information Act'), as well as any provision of State,
Tribal, or local freedom of information law, open government
law, open meetings law, open records law, sunshine law, or
similar law requiring disclosure of information or records;
``(3) be considered not to constitute a waiver of any
applicable privilege or protection provided by law, including
trade secret protection; and
``(4) not be subject to a rule of any Federal agency or
department or any judicial doctrine regarding ex parte
communications with a decision-making official.
``(c) Liability Protections.--
``(1) In general.--No cause of action shall lie or be
maintained in any court by any person or entity and any such
action shall be promptly dismissed for the submission of a
report pursuant to section 2242(a) that is submitted in
conformance with this subtitle and the rule promulgated under
section 2242(b), except that this subsection shall not apply
with regard to an action by the Federal Government pursuant
to section 2244(c)(2).
``(2) Scope.--The liability protections provided in this
subsection shall only apply to or affect litigation that is
solely based on the submission of a covered cyber incident
report or ransom payment report to the Agency.
``(3) Restrictions.--Notwithstanding paragraph (2), no
report submitted to the Agency pursuant to this subtitle or
any communication, document, material, or other record,
created for the sole purpose of preparing, drafting, or
submitting such report, may be received in evidence, subject
to discovery, or otherwise used in any trial, hearing, or
other proceeding in or before any court, regulatory body, or
other authority of the United States, a State, or a political
subdivision thereof, provided that nothing in this subtitle
shall create a defense to discovery or otherwise affect the
discovery of any communication, document, material, or other
record not created for the sole purpose of preparing,
drafting, or submitting such report.
``(d) Sharing With Non-Federal Entities.--The Agency shall
anonymize the victim who reported the information when making
information provided in reports received under section 2242
available to critical infrastructure owners and operators and
the general public.
``(e) Stored Communications Act.--Nothing in this subtitle
shall be construed to permit or require disclosure by a
provider of a remote computing service or a provider of an
electronic communication service to the public of information
not otherwise permitted or required to be disclosed under
chapter 121 of title 18, United States Code (commonly known
as the `Stored Communications Act').
``SEC. 2246. CYBER INCIDENT REPORTING COUNCIL.
``(a) Responsibility of the Secretary.--The Secretary shall
lead an intergovernmental Cyber Incident Reporting Council,
in consultation with the Director of the Office of Management
and Budget, the Attorney General, the National Director Cyber
Director, Sector Risk Management Agencies, and other
appropriate Federal agencies, to coordinate, deconflict, and
harmonize Federal incident reporting requirements, including
those issued through regulations.
``(b) Rule of Construction.--Nothing in subsection (a)
shall be construed to provide
[[Page S915]]
any additional regulatory authority to any Federal entity.''.
(b) Technical and Conforming Amendment.--The table of
contents in section 1(b) of the Homeland Security Act of 2002
(Public Law 107-296; 116 Stat. 2135) is amended by inserting
after the items relating to subtitle C of title XXII the
following:
``Subtitle D--Cyber Incident Reporting
``Sec. 2240. Definitions.
``Sec. 2241. Cyber Incident Review.
``Sec. 2242. Required reporting of certain cyber incidents.
``Sec. 2243. Voluntary reporting of other cyber incidents.
``Sec. 2244. Noncompliance with required reporting.
``Sec. 2245. Information shared with or provided to the Federal
Government.
``Sec. 2246. Cyber Incident Reporting Council.''.
SEC. 204. FEDERAL SHARING OF INCIDENT REPORTS.
(a) Cyber Incident Reporting Sharing.--
(1) In general.--Notwithstanding any other provision of law
or regulation, any Federal agency, including any independent
establishment (as defined in section 104 of title 5, United
States Code), that receives a report from an entity of a
cyber incident, including a ransomware attack, shall provide
the report to the Agency as soon as possible, but not later
than 24 hours after receiving the report, unless a shorter
period is required by an agreement made between the
Department of Homeland Security (including the Cybersecurity
and Infrastructure Security Agency) and the recipient Federal
agency. The Director shall share and coordinate each report
pursuant to section 2241(b) of the Homeland Security Act of
2002, as added by section 203 of this title.
(2) Rule of construction.--The requirements described in
paragraph (1) and section 2245(d) of the Homeland Security
Act of 2002, as added by section 203 of this title, may not
be construed to be a violation of any provision of law or
policy that would otherwise prohibit disclosure or provision
of information within the executive branch.
(3) Protection of information.--The Director shall comply
with any obligations of the recipient Federal agency
described in paragraph (1) to protect information, including
with respect to privacy, confidentiality, or information
security, if those obligations would impose greater
protection requirements than this Act or the amendments made
by this Act.
(4) Effective date.--This subsection shall take effect on
the effective date of the final rule issued pursuant to
section 2242(b) of the Homeland Security Act of 2002, as
added by section 203 of this title.
(5) Agency agreements.--
(A) In general.--The Agency and any Federal agency,
including any independent establishment (as defined in
section 104 of title 5, United States Code) that receives
incident reports from entities, including due to ransomware
attacks, shall, as appropriate, enter into a documented
agreement to establish policies, processes, procedures, and
mechanisms to ensure reports are shared with the Agency
pursuant to paragraph (1).
(B) Availability.--To the maximum extent practicable, each
documented agreement required under subparagraph (A) shall be
made publicly available.
(C) Requirement.--The documented agreements required by
subparagraph (A) shall require reports be shared from Federal
agencies with the Agency in such time as to meet the overall
timeline for covered entity reporting of covered cyber
incidents and ransom payments established in section 2242 of
the Homeland Security Act of 2002, as added by section 203 of
this title.
(b) Harmonizing Reporting Requirements.--The Secretary of
Homeland Security, acting through the Director, shall, in
consultation with the Cyber Incident Reporting Council
described in section 2246 of the Homeland Security Act of
2002, as added by section 203 of this title, to the maximum
extent practicable--
(1) periodically review existing regulatory requirements,
including the information required in such reports, to report
incidents and ensure that any such reporting requirements and
procedures avoid conflicting, duplicative, or burdensome
requirements; and
(2) coordinate with appropriate Federal partners and
regulatory authorities that receive reports relating to
incidents to identify opportunities to streamline reporting
processes, and where feasible, facilitate interagency
agreements between such authorities to permit the sharing of
such reports, consistent with applicable law and policy,
without impacting the ability of the Agency to gain timely
situational awareness of a covered cyber incident or ransom
payment.
SEC. 205. RANSOMWARE VULNERABILITY WARNING PILOT PROGRAM.
(a) Program.--Not later than 1 year after the date of
enactment of this Act, the Director shall establish a
ransomware vulnerability warning pilot program to leverage
existing authorities and technology to specifically develop
processes and procedures for, and to dedicate resources to,
identifying information systems that contain security
vulnerabilities associated with common ransomware attacks,
and to notify the owners of those vulnerable systems of their
security vulnerability.
(b) Identification of Vulnerable Systems.--The pilot
program established under subsection (a) shall--
(1) identify the most common security vulnerabilities
utilized in ransomware attacks and mitigation techniques; and
(2) utilize existing authorities to identify information
systems that contain the security vulnerabilities identified
in paragraph (1).
(c) Entity Notification.--
(1) Identification.--If the Director is able to identify
the entity at risk that owns or operates a vulnerable
information system identified in subsection (b), the Director
may notify the owner of the information system.
(2) No identification.--If the Director is not able to
identify the entity at risk that owns or operates a
vulnerable information system identified in subsection (b),
the Director may utilize the subpoena authority pursuant to
section 2209 of the Homeland Security Act of 2002 (6 U.S.C.
659) to identify and notify the entity at risk pursuant to
the procedures under that section.
(3) Required information.--A notification made under
paragraph (1) shall include information on the identified
security vulnerability and mitigation techniques.
(d) Prioritization of Notifications.--To the extent
practicable, the Director shall prioritize covered entities
for identification and notification activities under the
pilot program established under this section.
(e) Limitation on Procedures.--No procedure, notification,
or other authorities utilized in the execution of the pilot
program established under subsection (a) shall require an
owner or operator of a vulnerable information system to take
any action as a result of a notice of a security
vulnerability made pursuant to subsection (c).
(f) Rule of Construction.--Nothing in this section shall be
construed to provide additional authorities to the Director
to identify vulnerabilities or vulnerable systems.
(g) Termination.--The pilot program established under
subsection (a) shall terminate on the date that is 4 years
after the date of enactment of this Act.
SEC. 206. RANSOMWARE THREAT MITIGATION ACTIVITIES.
(a) Joint Ransomware Task Force.--
(1) In general.--Not later than 180 days after the date of
enactment of this Act, the Director, in consultation with the
National Cyber Director, the Attorney General, and the
Director of the Federal Bureau of Investigation, shall
establish and chair the Joint Ransomware Task Force to
coordinate an ongoing nationwide campaign against ransomware
attacks, and identify and pursue opportunities for
international cooperation.
(2) Composition.--The Joint Ransomware Task Force shall
consist of participants from Federal agencies, as determined
appropriate by the National Cyber Director in consultation
with the Secretary of Homeland Security.
(3) Responsibilities.--The Joint Ransomware Task Force,
utilizing only existing authorities of each participating
Federal agency, shall coordinate across the Federal
Government the following activities:
(A) Prioritization of intelligence-driven operations to
disrupt specific ransomware actors.
(B) Consult with relevant private sector, State, local,
Tribal, and territorial governments and international
stakeholders to identify needs and establish mechanisms for
providing input into the Joint Ransomware Task Force.
(C) Identifying, in consultation with relevant entities, a
list of highest threat ransomware entities updated on an
ongoing basis, in order to facilitate--
(i) prioritization for Federal action by appropriate
Federal agencies; and
(ii) identify metrics for success of said actions.
(D) Disrupting ransomware criminal actors, associated
infrastructure, and their finances.
(E) Facilitating coordination and collaboration between
Federal entities and relevant entities, including the private
sector, to improve Federal actions against ransomware
threats.
(F) Collection, sharing, and analysis of ransomware trends
to inform Federal actions.
(G) Creation of after-action reports and other lessons
learned from Federal actions that identify successes and
failures to improve subsequent actions.
(H) Any other activities determined appropriate by the
Joint Ransomware Task Force to mitigate the threat of
ransomware attacks.
(b) Rule of Construction.--Nothing in this section shall be
construed to provide any additional authority to any Federal
agency.
SEC. 207. CONGRESSIONAL REPORTING.
(a) Report on Stakeholder Engagement.--Not later than 30
days after the date on which the Director issues the final
rule under section 2242(b) of the Homeland Security Act of
2002, as added by section 203(b) of this title, the Director
shall submit to the Committee on Homeland Security and
Governmental Affairs of the Senate and the Committee on
Homeland Security of the House of Representatives a report
that describes how the Director engaged stakeholders in the
development of the final rule.
(b) Report on Opportunities to Strengthen Security
Research.--Not later than 1 year after the date of enactment
of this Act, the Director shall submit to the Committee on
Homeland Security and Governmental Affairs of the Senate and
the
[[Page S916]]
Committee on Homeland Security of the House of
Representatives a report describing how the National
Cybersecurity and Communications Integration Center
established under section 2209 of the Homeland Security Act
of 2002 (6 U.S.C. 659) has carried out activities under
section 2241(a)(9) of the Homeland Security Act of 2002, as
added by section 203(a) of this title, by proactively
identifying opportunities to use cyber incident data to
inform and enable cybersecurity research within the academic
and private sector.
(c) Report on Ransomware Vulnerability Warning Pilot
Program.--Not later than 1 year after the date of enactment
of this Act, and annually thereafter for the duration of the
pilot program established under section 205, the Director
shall submit to the Committee on Homeland Security and
Governmental Affairs of the Senate and the Committee on
Homeland Security of the House of Representatives a report,
which may include a classified annex, on the effectiveness of
the pilot program, which shall include a discussion of the
following:
(1) The effectiveness of the notifications under section
205(c) in mitigating security vulnerabilities and the threat
of ransomware.
(2) Identification of the most common vulnerabilities
utilized in ransomware.
(3) The number of notifications issued during the preceding
year.
(4) To the extent practicable, the number of vulnerable
devices or systems mitigated under the pilot program by the
Agency during the preceding year.
(d) Report on Harmonization of Reporting Regulations.--
(1) In general.--Not later than 180 days after the date on
which the Secretary of Homeland Security convenes the Cyber
Incident Reporting Council described in section 2246 of the
Homeland Security Act of 2002, as added by section 203 of
this title, the Secretary of Homeland Security shall submit
to the appropriate congressional committees a report that
includes--
(A) a list of duplicative Federal cyber incident reporting
requirements on covered entities;
(B) a description of any challenges in harmonizing the
duplicative reporting requirements;
(C) any actions the Director intends to take to facilitate
harmonizing the duplicative reporting requirements; and
(D) any proposed legislative changes necessary to address
the duplicative reporting.
(2) Rule of construction.--Nothing in paragraph (1) shall
be construed to provide any additional regulatory authority
to any Federal agency.
(e) GAO Reports.--
(1) Implementation of this act.--Not later than 2 years
after the date of enactment of this Act, the Comptroller
General of the United States shall submit to the Committee on
Homeland Security and Governmental Affairs of the Senate and
the Committee on Homeland Security of the House of
Representatives a report on the implementation of this Act
and the amendments made by this Act.
(2) Exemptions to reporting.--Not later than 1 year after
the date on which the Director issues the final rule required
under section 2242(b) of the Homeland Security Act of 2002,
as added by section 203 of this title, the Comptroller
General of the United States shall submit to the Committee on
Homeland Security and Governmental Affairs of the Senate and
the Committee on Homeland Security of the House of
Representatives a report on the exemptions to reporting under
paragraphs (2) and (5) of section 2242(a) of the Homeland
Security Act of 2002, as added by section 203 of this title,
which shall include--
(A) to the extent practicable, an evaluation of the
quantity of cyber incidents not reported to the Federal
Government;
(B) an evaluation of the impact on impacted entities,
homeland security, and the national economy due to cyber
incidents, ransomware attacks, and ransom payments, including
a discussion on the scope of impact of cyber incidents that
were not reported to the Federal Government;
(C) an evaluation of the burden, financial and otherwise,
on entities required to report cyber incidents under this
Act, including an analysis of entities that meet the
definition of a small business concern under section 3 of the
Small Business Act (15 U.S.C. 632); and
(D) a description of the consequences and effects of
limiting covered cyber incident and ransom payment reporting
to only covered entities.
(f) Report on Effectiveness of Enforcement Mechanisms.--Not
later than 1 year after the date on which the Director issues
the final rule required under section 2242(b) of the Homeland
Security Act of 2002, as added by section 203 of this title,
the Director shall submit to the Committee on Homeland
Security and Governmental Affairs of the Senate and the
Committee on Homeland Security of the House of
Representatives a report on the effectiveness of the
enforcement mechanisms within section 2244 of the Homeland
Security Act of 2002, as added by section 203 of this title.
TITLE III--FEDERAL SECURE CLOUD IMPROVEMENT AND JOBS ACT OF 2022
SEC. 301. SHORT TITLE.
This title may be cited as the ``Federal Secure Cloud
Improvement and Jobs Act of 2022''.
SEC. 302. FINDINGS.
Congress finds the following:
(1) Ensuring that the Federal Government can securely
leverage cloud computing products and services is key to
expediting the modernization of legacy information technology
systems, increasing cybersecurity within and across
departments and agencies, and supporting the continued
leadership of the United States in technology innovation and
job creation.
(2) According to independent analysis, as of calendar year
2019, the size of the cloud computing market had tripled
since 2004, enabling more than 2,000,000 jobs and adding more
than $200,000,000,000 to the gross domestic product of the
United States.
(3) The Federal Government, across multiple presidential
administrations and Congresses, has continued to support the
ability of agencies to move to the cloud, including through--
(A) President Barack Obama's ``Cloud First Strategy'';
(B) President Donald Trump's ``Cloud Smart Strategy'';
(C) the prioritization of cloud security in Executive Order
14028 (86 Fed. Reg. 26633; relating to improving the nation's
cybersecurity), which was issued by President Joe Biden; and
(D) more than a decade of appropriations and authorization
legislation that provides agencies with relevant authorities
and appropriations to modernize on-premises information
technology systems and more readily adopt cloud computing
products and services.
(4) Since it was created in 2011, the Federal Risk and
Authorization Management Program (referred to in this section
as ``FedRAMP'') at the General Services Administration has
made steady and sustained improvements in supporting the
secure authorization and reuse of cloud computing products
and services within the Federal Government, including by
reducing the costs and burdens on both agencies and cloud
companies to quickly and securely enter the Federal market.
(5) According to data from the General Services
Administration, as of the end of fiscal year 2021, there were
239 cloud providers with FedRAMP authorizations, and those
authorizations had been reused more than 2,700 times across
various agencies.
(6) Providing a legislative framework for FedRAMP and new
authorities to the General Services Administration, the
Office of Management and Budget, and Federal agencies will--
(A) improve the speed at which new cloud computing products
and services can be securely authorized;
(B) enhance the ability of agencies to effectively evaluate
FedRAMP authorized providers for reuse;
(C) reduce the costs and burdens to cloud providers seeking
a FedRAMP authorization; and
(D) provide for more robust transparency and dialogue
between industry and the Federal Government to drive stronger
adoption of secure cloud capabilities, create jobs, and
reduce wasteful legacy information technology.
SEC. 303. TITLE 44 AMENDMENTS.
(a) Amendment.--Chapter 36 of title 44, United States Code,
is amended by adding at the end the following:
``Sec. 3607. Definitions
``(a) In General.--Except as provided under subsection (b),
the definitions under sections 3502 and 3552 apply to this
section through section 3616.
``(b) Additional Definitions.--In this section through
section 3616:
``(1) Administrator.--The term `Administrator' means the
Administrator of General Services.
``(2) Appropriate congressional committees.--The term
`appropriate congressional committees' means the Committee on
Homeland Security and Governmental Affairs of the Senate and
the Committee on Oversight and Reform of the House of
Representatives.
``(3) Authorization to operate; federal information.--The
terms `authorization to operate' and `Federal information'
have the meaning given those term in Circular A-130 of the
Office of Management and Budget entitled `Managing
Information as a Strategic Resource', or any successor
document.
``(4) Cloud computing.--The term `cloud computing' has the
meaning given the term in Special Publication 800-145 of the
National Institute of Standards and Technology, or any
successor document.
``(5) Cloud service provider.--The term `cloud service
provider' means an entity offering cloud computing products
or services to agencies.
``(6) FedRAMP.--The term `FedRAMP' means the Federal Risk
and Authorization Management Program established under
section 3608.
``(7) FedRAMP authorization.--The term `FedRAMP
authorization' means a certification that a cloud computing
product or service has--
``(A) completed a FedRAMP authorization process, as
determined by the Administrator; or
``(B) received a FedRAMP provisional authorization to
operate, as determined by the FedRAMP Board.
``(8) Fedramp authorization package.--The term `FedRAMP
authorization package' means the essential information that
can be used by an agency to determine whether to authorize
the operation of an information system or the use of a
designated set of common controls for all cloud computing
products and services authorized by FedRAMP.
[[Page S917]]
``(9) FedRAMP board.--The term `FedRAMP Board' means the
board established under section 3610.
``(10) Independent assessment service.--The term
`independent assessment service' means a third-party
organization accredited by the Administrator to undertake
conformity assessments of cloud service providers and the
products or services of cloud service providers.
``(11) Secretary.--The term `Secretary' means the Secretary
of Homeland Security.
``Sec. 3608. Federal Risk and Authorization Management
Program
``There is established within the General Services
Administration the Federal Risk and Authorization Management
Program. The Administrator, subject to section 3614, shall
establish a Government-wide program that provides a
standardized, reusable approach to security assessment and
authorization for cloud computing products and services that
process unclassified information used by agencies.
``Sec. 3609. Roles and responsibilities of the General
Services Administration
``(a) Roles and Responsibilities.--The Administrator
shall--
``(1) in consultation with the Secretary, develop,
coordinate, and implement a process to support agency review,
reuse, and standardization, where appropriate, of security
assessments of cloud computing products and services,
including, as appropriate, oversight of continuous monitoring
of cloud computing products and services, pursuant to
guidance issued by the Director pursuant to section 3614;
``(2) establish processes and identify criteria consistent
with guidance issued by the Director under section 3614 to
make a cloud computing product or service eligible for a
FedRAMP authorization and validate whether a cloud computing
product or service has a FedRAMP authorization;
``(3) develop and publish templates, best practices,
technical assistance, and other materials to support the
authorization of cloud computing products and services and
increase the speed, effectiveness, and transparency of the
authorization process, consistent with standards and
guidelines established by the Director of the National
Institute of Standards and Technology and relevant statutes;
``(4) establish and update guidance on the boundaries of
FedRAMP authorization packages to enhance the security and
protection of Federal information and promote transparency
for agencies and users as to which services are included in
the scope of a FedRAMP authorization;
``(5) grant FedRAMP authorizations to cloud computing
products and services consistent with the guidance and
direction of the FedRAMP Board;
``(6) establish and maintain a public comment process for
proposed guidance and other FedRAMP directives that may have
a direct impact on cloud service providers and agencies
before the issuance of such guidance or other FedRAMP
directives;
``(7) coordinate with the FedRAMP Board, the Director of
the Cybersecurity and Infrastructure Security Agency, and
other entities identified by the Administrator, with the
concurrence of the Director and the Secretary, to establish
and regularly update a framework for continuous monitoring
under section 3553;
``(8) provide a secure mechanism for storing and sharing
necessary data, including FedRAMP authorization packages, to
enable better reuse of such packages across agencies,
including making available any information and data necessary
for agencies to fulfill the requirements of section 3613;
``(9) provide regular updates to applicant cloud service
providers on the status of any cloud computing product or
service during an assessment process;
``(10) regularly review, in consultation with the FedRAMP
Board--
``(A) the costs associated with the independent assessment
services described in section 3611; and
``(B) the information relating to foreign interests
submitted pursuant to section 3612;
``(11) in coordination with the Director of the National
Institute of Standards and Technology, the Director, the
Secretary, and other stakeholders, as appropriate, determine
the sufficiency of underlying standards and requirements to
identify and assess the provenance of the software in cloud
services and products;
``(12) support the Federal Secure Cloud Advisory Committee
established pursuant to section 3616; and
``(13) take such other actions as the Administrator may
determine necessary to carry out FedRAMP.
``(b) Website.--
``(1) In general.--The Administrator shall maintain a
public website to serve as the authoritative repository for
FedRAMP, including the timely publication and updates for all
relevant information, guidance, determinations, and other
materials required under subsection (a).
``(2) Criteria and process for fedramp authorization
priorities.--The Administrator shall develop and make
publicly available on the website described in paragraph (1)
the criteria and process for prioritizing and selecting cloud
computing products and services that will receive a FedRAMP
authorization, in consultation with the FedRAMP Board and the
Chief Information Officers Council.
``(c) Evaluation of Automation Procedures.--
``(1) In general.--The Administrator, in coordination with
the Secretary, shall assess and evaluate available automation
capabilities and procedures to improve the efficiency and
effectiveness of the issuance of FedRAMP authorizations,
including continuous monitoring of cloud computing products
and services.
``(2) Means for automation.--Not later than 1 year after
the date of enactment of this section, and updated regularly
thereafter, the Administrator shall establish a means for the
automation of security assessments and reviews.
``(d) Metrics for Authorization.--The Administrator shall
establish annual metrics regarding the time and quality of
the assessments necessary for completion of a FedRAMP
authorization process in a manner that can be consistently
tracked over time in conjunction with the periodic testing
and evaluation process pursuant to section 3554 in a manner
that minimizes the agency reporting burden.
``Sec. 3610. FedRAMP Board
``(a) Establishment.--There is established a FedRAMP Board
to provide input and recommendations to the Administrator
regarding the requirements and guidelines for, and the
prioritization of, security assessments of cloud computing
products and services.
``(b) Membership.--The FedRAMP Board shall consist of not
more than 7 senior officials or experts from agencies
appointed by the Director, in consultation with the
Administrator, from each of the following:
``(1) The Department of Defense.
``(2) The Department of Homeland Security.
``(3) The General Services Administration.
``(4) Such other agencies as determined by the Director, in
consultation with the Administrator.
``(c) Qualifications.--Members of the FedRAMP Board
appointed under subsection (b) shall have technical expertise
in domains relevant to FedRAMP, such as--
``(1) cloud computing;
``(2) cybersecurity;
``(3) privacy;
``(4) risk management; and
``(5) other competencies identified by the Director to
support the secure authorization of cloud services and
products.
``(d) Duties.--The FedRAMP Board shall--
``(1) in consultation with the Administrator, serve as a
resource for best practices to accelerate the process for
obtaining a FedRAMP authorization;
``(2) establish and regularly update requirements and
guidelines for security authorizations of cloud computing
products and services, consistent with standards and
guidelines established by the Director of the National
Institute of Standards and Technology, to be used in the
determination of FedRAMP authorizations;
``(3) monitor and oversee, to the greatest extent
practicable, the processes and procedures by which agencies
determine and validate requirements for a FedRAMP
authorization, including periodic review of the agency
determinations described in section 3613(b);
``(4) ensure consistency and transparency between agencies
and cloud service providers in a manner that minimizes
confusion and engenders trust; and
``(5) perform such other roles and responsibilities as the
Director may assign, with concurrence from the Administrator.
``(e) Determinations of Demand for Cloud Computing Products
and Services.--The FedRAMP Board may consult with the Chief
Information Officers Council to establish a process, which
may be made available on the website maintained under section
3609(b), for prioritizing and accepting the cloud computing
products and services to be granted a FedRAMP authorization.
``Sec. 3611. Independent assessment
``The Administrator may determine whether FedRAMP may use
an independent assessment service to analyze, validate, and
attest to the quality and compliance of security assessment
materials provided by cloud service providers during the
course of a determination of whether to use a cloud computing
product or service.
``Sec. 3612. Declaration of foreign interests
``(a) In General.--An independent assessment service that
performs services described in section 3611 shall annually
submit to the Administrator information relating to any
foreign interest, foreign influence, or foreign control of
the independent assessment service.
``(b) Updates.--Not later than 48 hours after there is a
change in foreign ownership or control of an independent
assessment service that performs services described in
section 3611, the independent assessment service shall submit
to the Administrator an update to the information submitted
under subsection (a).
``(c) Certification.--The Administrator may require a
representative of an independent assessment service to
certify the accuracy and completeness of any information
submitted under this section.
``Sec. 3613. Roles and responsibilities of agencies
``(a) In General.--In implementing the requirements of
FedRAMP, the head of each agency shall, consistent with
guidance issued by the Director pursuant to section 3614--
``(1) promote the use of cloud computing products and
services that meet FedRAMP security requirements and other
risk-based performance requirements as determined by
[[Page S918]]
the Director, in consultation with the Secretary;
``(2) confirm whether there is a FedRAMP authorization in
the secure mechanism provided under section 3609(a)(8) before
beginning the process of granting a FedRAMP authorization for
a cloud computing product or service;
``(3) to the extent practicable, for any cloud computing
product or service the agency seeks to authorize that has
received a FedRAMP authorization, use the existing
assessments of security controls and materials within any
FedRAMP authorization package for that cloud computing
product or service; and
``(4) provide to the Director data and information required
by the Director pursuant to section 3614 to determine how
agencies are meeting metrics established by the
Administrator.
``(b) Attestation.--Upon completing an assessment or
authorization activity with respect to a particular cloud
computing product or service, if an agency determines that
the information and data the agency has reviewed under
paragraph (2) or (3) of subsection (a) is wholly or
substantially deficient for the purposes of performing an
authorization of the cloud computing product or service, the
head of the agency shall document as part of the resulting
FedRAMP authorization package the reasons for this
determination.
``(c) Submission of Authorizations to Operate Required.--
Upon issuance of an agency authorization to operate based on
a FedRAMP authorization, the head of the agency shall provide
a copy of its authorization to operate letter and any
supplementary information required pursuant to section
3609(a) to the Administrator.
``(d) Submission of Policies Required.--Not later than 180
days after the date on which the Director issues guidance in
accordance with section 3614(1), the head of each agency,
acting through the chief information officer of the agency,
shall submit to the Director all agency policies relating to
the authorization of cloud computing products and services.
``(e) Presumption of Adequacy.--
``(1) In general.--The assessment of security controls and
materials within the authorization package for a FedRAMP
authorization shall be presumed adequate for use in an agency
authorization to operate cloud computing products and
services.
``(2) Information security requirements.--The presumption
under paragraph (1) does not modify or alter--
``(A) the responsibility of any agency to ensure compliance
with subchapter II of chapter 35 for any cloud computing
product or service used by the agency; or
``(B) the authority of the head of any agency to make a
determination that there is a demonstrable need for
additional security requirements beyond the security
requirements included in a FedRAMP authorization for a
particular control implementation.
``Sec. 3614. Roles and responsibilities of the Office of
Management and Budget
``The Director shall--
``(1) in consultation with the Administrator and the
Secretary, issue guidance that--
``(A) specifies the categories or characteristics of cloud
computing products and services that are within the scope of
FedRAMP;
``(B) includes requirements for agencies to obtain a
FedRAMP authorization when operating a cloud computing
product or service described in subparagraph (A) as a Federal
information system; and
``(C) encompasses, to the greatest extent practicable, all
necessary and appropriate cloud computing products and
services;
``(2) issue guidance describing additional responsibilities
of FedRAMP and the FedRAMP Board to accelerate the adoption
of secure cloud computing products and services by the
Federal Government;
``(3) in consultation with the Administrator, establish a
process to periodically review FedRAMP authorization packages
to support the secure authorization and reuse of secure cloud
products and services;
``(4) oversee the effectiveness of FedRAMP and the FedRAMP
Board, including the compliance by the FedRAMP Board with the
duties described in section 3610(d); and
``(5) to the greatest extent practicable, encourage and
promote consistency of the assessment, authorization,
adoption, and use of secure cloud computing products and
services within and across agencies.
``Sec. 3615. Reports to Congress; GAO report
``(a) Reports to Congress.--Not later than 1 year after the
date of enactment of this section, and annually thereafter,
the Director shall submit to the appropriate congressional
committees a report that includes the following:
``(1) During the preceding year, the status, efficiency,
and effectiveness of the General Services Administration
under section 3609 and agencies under section 3613 and in
supporting the speed, effectiveness, sharing, reuse, and
security of authorizations to operate for secure cloud
computing products and services.
``(2) Progress towards meeting the metrics required under
section 3609(d).
``(3) Data on FedRAMP authorizations.
``(4) The average length of time to issue FedRAMP
authorizations.
``(5) The number of FedRAMP authorizations submitted,
issued, and denied for the preceding year.
``(6) A review of progress made during the preceding year
in advancing automation techniques to securely automate
FedRAMP processes and to accelerate reporting under this
section.
``(7) The number and characteristics of authorized cloud
computing products and services in use at each agency
consistent with guidance provided by the Director under
section 3614.
``(8) A review of FedRAMP measures to ensure the security
of data stored or processed by cloud service providers, which
may include--
``(A) geolocation restrictions for provided products or
services;
``(B) disclosures of foreign elements of supply chains of
acquired products or services;
``(C) continued disclosures of ownership of cloud service
providers by foreign entities; and
``(D) encryption for data processed, stored, or transmitted
by cloud service providers.
``(b) GAO Report.--Not later than 180 days after the date
of enactment of this section, the Comptroller General of the
United States shall report to the appropriate congressional
committees an assessment of the following:
``(1) The costs incurred by agencies and cloud service
providers relating to the issuance of FedRAMP authorizations.
``(2) The extent to which agencies have processes in place
to continuously monitor the implementation of cloud computing
products and services operating as Federal information
systems.
``(3) How often and for which categories of products and
services agencies use FedRAMP authorizations.
``(4) The unique costs and potential burdens incurred by
cloud computing companies that are small business concerns
(as defined in section 3(a) of the Small Business Act (15
U.S.C. 632(a)) as a part of the FedRAMP authorization
process.
``Sec. 3616. Federal Secure Cloud Advisory Committee
``(a) Establishment, Purposes, and Duties.--
``(1) Establishment.--There is established a Federal Secure
Cloud Advisory Committee (referred to in this section as the
`Committee') to ensure effective and ongoing coordination of
agency adoption, use, authorization, monitoring, acquisition,
and security of cloud computing products and services to
enable agency mission and administrative priorities.
``(2) Purposes.--The purposes of the Committee are the
following:
``(A) To examine the operations of FedRAMP and determine
ways that authorization processes can continuously be
improved, including the following:
``(i) Measures to increase agency reuse of FedRAMP
authorizations.
``(ii) Proposed actions that can be adopted to reduce the
burden, confusion, and cost associated with FedRAMP
authorizations for cloud service providers.
``(iii) Measures to increase the number of FedRAMP
authorizations for cloud computing products and services
offered by small businesses concerns (as defined by section
3(a) of the Small Business Act (15 U.S.C. 632(a)).
``(iv) Proposed actions that can be adopted to reduce the
burden and cost of FedRAMP authorizations for agencies.
``(B) Collect information and feedback on agency compliance
with and implementation of FedRAMP requirements.
``(C) Serve as a forum that facilitates communication and
collaboration among the FedRAMP stakeholder community.
``(3) Duties.--The duties of the Committee include
providing advice and recommendations to the Administrator,
the FedRAMP Board, and agencies on technical, financial,
programmatic, and operational matters regarding secure
adoption of cloud computing products and services.
``(b) Members.--
``(1) Composition.--The Committee shall be comprised of not
more than 15 members who are qualified representatives from
the public and private sectors, appointed by the
Administrator, in consultation with the Director, as follows:
``(A) The Administrator or the Administrator's designee,
who shall be the Chair of the Committee.
``(B) At least 1 representative each from the Cybersecurity
and Infrastructure Security Agency and the National Institute
of Standards and Technology.
``(C) At least 2 officials who serve as the Chief
Information Security Officer within an agency, who shall be
required to maintain such a position throughout the duration
of their service on the Committee.
``(D) At least 1 official serving as Chief Procurement
Officer (or equivalent) in an agency, who shall be required
to maintain such a position throughout the duration of their
service on the Committee.
``(E) At least 1 individual representing an independent
assessment service.
``(F) At least 5 representatives from unique businesses
that primarily provide cloud computing services or products,
including at least 2 representatives from a small business
concern (as defined by section 3(a) of the Small Business Act
(15 U.S.C. 632(a))).
``(G) At least 2 other representatives of the Federal
Government as the Administrator determines necessary to
provide sufficient balance, insights, or expertise to the
Committee.
``(2) Deadline for appointment.--Each member of the
Committee shall be appointed not later than 90 days after the
date of enactment of this section.
[[Page S919]]
``(3) Period of appointment; vacancies.--
``(A) In general.--Each non-Federal member of the Committee
shall be appointed for a term of 3 years, except that the
initial terms for members may be staggered 1-, 2-, or 3-year
terms to establish a rotation in which one-third of the
members are selected each year. Any such member may be
appointed for not more than 2 consecutive terms.
``(B) Vacancies.--Any vacancy in the Committee shall not
affect its powers, but shall be filled in the same manner in
which the original appointment was made. Any member appointed
to fill a vacancy occurring before the expiration of the term
for which the member's predecessor was appointed shall be
appointed only for the remainder of that term. A member may
serve after the expiration of that member's term until a
successor has taken office.
``(c) Meetings and Rules of Procedures.--
``(1) Meetings.--The Committee shall hold not fewer than 3
meetings in a calendar year, at such time and place as
determined by the Chair.
``(2) Initial meeting.--Not later than 120 days after the
date of enactment of this section, the Committee shall meet
and begin the operations of the Committee.
``(3) Rules of procedure.--The Committee may establish
rules for the conduct of the business of the Committee if
such rules are not inconsistent with this section or other
applicable law.
``(d) Employee Status.--
``(1) In general.--A member of the Committee (other than a
member who is appointed to the Committee in connection with
another Federal appointment) shall not be considered an
employee of the Federal Government by reason of any service
as such a member, except for the purposes of section 5703 of
title 5, relating to travel expenses.
``(2) Pay not permitted.--A member of the Committee covered
by paragraph (1) may not receive pay by reason of service on
the Committee.
``(e) Applicability to the Federal Advisory Committee
Act.--Section 14 of the Federal Advisory Committee Act (5
U.S.C. App.) shall not apply to the Committee.
``(f) Detail of Employees.--Any Federal Government employee
may be detailed to the Committee without reimbursement from
the Committee, and such detailee shall retain the rights,
status, and privileges of his or her regular employment
without interruption.
``(g) Postal Services.--The Committee may use the United
States mails in the same manner and under the same conditions
as agencies.
``(h) Reports.--
``(1) Interim reports.--The Committee may submit to the
Administrator and Congress interim reports containing such
findings, conclusions, and recommendations as have been
agreed to by the Committee.
``(2) Annual reports.--Not later than 540 days after the
date of enactment of this section, and annually thereafter,
the Committee shall submit to the Administrator and Congress
a report containing such findings, conclusions, and
recommendations as have been agreed to by the Committee.''.
(b) Technical and Conforming Amendment.--The table of
sections for chapter 36 of title 44, United States Code, is
amended by adding at the end the following new items:
``3607. Definitions.
``3608. Federal Risk and Authorization Management Program.
``3609. Roles and responsibilities of the General Services
Administration.
``3610. FedRAMP Board.
``3611. Independent assessment.
``3612. Declaration of foreign interests.
``3613. Roles and responsibilities of agencies.
``3614. Roles and responsibilities of the Office of Management and
Budget.
``3615. Reports to Congress; GAO report.
``3616. Federal Secure Cloud Advisory Committee.''.
(c) Sunset.--
(1) In general.--Effective on the date that is 5 years
after the date of enactment of this Act, chapter 36 of title
44, United States Code, is amended by striking sections 3607
through 3616.
(2) Conforming amendment.--Effective on the date that is 5
years after the date of enactment of this Act, the table of
sections for chapter 36 of title 44, United States Code, is
amended by striking the items relating to sections 3607
through 3616.
(d) Rule of Construction.--Nothing in this section or any
amendment made by this section shall be construed as altering
or impairing the authorities of the Director of the Office of
Management and Budget or the Secretary of Homeland Security
under subchapter II of chapter 35 of title 44, United States
Code.
Mr. PETERS. Mr. President, S. 3600 is commonsense, bipartisan
legislation that will help protect critical infrastructure from the
absolute relentless cyber attacks that we see that threaten both our
economy as well as our national security.
I appreciate Senator Portman working with me to get this legislation
across the finish line. And I think this is especially important right
now as we face increased risk of cyber attacks from Russia and the
cyber criminals that they harbor in retaliation for our support for
Ukraine.
I appreciate the Senate for coming together here tonight to get this
important landmark bill done.
I yield the floor.
The PRESIDING OFFICER. The majority leader.
Mr. SCHUMER. Mr. President, just one more point.
As we have always said, we in the Democratic majority want to work
with our Republican colleagues on bipartisan legislation whenever we
can, and this is an example of that.
Obviously, there are times when we can't, and we will move forward.
But the more we can get done and accomplished in a bipartisan way on
important legislation like this, the better.
So, once again, let me salute the bipartisan coalition led by Gary
Peters and Rob Portman and so many others on both sides of the aisle
who contributed to this very important legislation.
____________________