[Congressional Record Volume 170, Number 114 (Wednesday, July 10, 2024)]
[Senate]
[Pages S4356-S4370]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

  SA 2121. Mr. PETERS (for himself and Mr. Hawley) submitted an 
amendment intended to be proposed by him to the bill S. 4638, to 
authorize appropriations for fiscal year 2025 for military activities 
of the Department of Defense, for military construction, and for 
defense activities of the Department of Energy, to prescribe military 
personnel strengths for such fiscal year, and for other purposes; which 
was ordered to lie on the table; as follows:

       At the end of subtitle H of title X, add the following:

     SEC. 1095. FEDERAL INFORMATION SECURITY MODERNIZATION.

       (a) Amendments to Title 44.--
       (1) Subchapter i amendments.--Subchapter I of chapter 35 of 
     title 44, United States Code, is amended--
       (A) in section 3504--
       (i) in subsection (a)(1)(B)--

       (I) by striking clause (v) and inserting the following:

       ``(v) privacy, confidentiality, disclosure, and sharing of 
     information;'';

       (II) by redesignating clause (vi) as clause (vii); and
       (III) by inserting after clause (v) the following:

       ``(vi) in consultation with the National Cyber Director, 
     security of information; and''; and
       (ii) in subsection (g)--

       (I) by redesignating paragraph (2) as paragraph (3); and
       (II) by striking paragraph (1) and inserting the following:

       ``(1) develop and oversee the implementation of policies, 
     principles, standards, and guidelines on privacy, 
     confidentiality, disclosure, and sharing of information 
     collected or maintained by or for agencies;
       ``(2) in consultation with the National Cyber Director, 
     oversee the implementation of policies, principles, 
     standards, and guidelines on security of information 
     collected or maintained by or for agencies; and'';
       (B) in section 3505--
       (i) by striking the first subsection designated as 
     subsection (c);
       (ii) in paragraph (2) of the second subsection designated 
     as subsection (c), by inserting ``an identification of 
     internet accessible information systems and'' after ``an 
     inventory under this subsection shall include'';
       (iii) in paragraph (3) of the second subsection designated 
     as subsection (c)--

       (I) in subparagraph (B)--

       (aa) by inserting ``the Director of the Cybersecurity and 
     Infrastructure Security Agency, the National Cyber Director, 
     and'' before ``the Comptroller General''; and
       (bb) by striking ``and'' at the end;

       (II) in subparagraph (C)(v), by striking the period at the 
     end and inserting ``; and''; and
       (III) by adding at the end the following:

       ``(D) maintained on a continual basis through the use of 
     automation, machine-readable data, and scanning, wherever 
     practicable.'';
       (C) in section 3506--
       (i) in subsection (a)(3), by inserting ``In carrying out 
     these duties, the Chief Information Officer shall consult, as 
     appropriate, with the Chief Data Officer in accordance
     with the designated functions under section 3520(c).'' after 
     ``reduction of information collection burdens on the 
     public.'';
       (ii) in subsection (b)(1)(C), by inserting 
     ``availability,'' after ``integrity,'';
       (iii) in subsection (h)(3), by inserting ``security,'' 
     after ``efficiency,''; and
       (iv) by adding at the end the following:
       ``(j)(1) Notwithstanding paragraphs (2) and (3) of 
     subsection (a), the head of each agency shall, in accordance 
     with section 522(a) of division H of the Consolidated 
     Appropriations Act, 2005 (42 U.S.C. 2000ee-2), designate a 
     Chief Privacy Officer with the necessary skills, knowledge, 
     and expertise, who shall have the authority and 
     responsibility to--
       ``(A) lead the privacy program of the agency; and
       ``(B) carry out the privacy responsibilities of the agency 
     under this chapter, section 552a of title 5, and guidance 
     issued by the Director.
       ``(2) The Chief Privacy Officer of each agency shall--
       ``(A) serve in a central leadership position within the 
     agency;
       ``(B) have visibility into relevant agency operations; and
       ``(C) be positioned highly enough within the agency to 
     regularly engage with other agency leaders and officials, 
     including the head of the agency.
       ``(3) A privacy officer of an agency established under a 
     statute enacted before the date of enactment of the Federal 
     Information Security Modernization Act of 2024 may carry out 
     the responsibilities under this subsection for the agency.''; 
     and
       (D) in section 3513--
       (i) by redesignating subsection (c) as subsection (d); and
       (ii) by inserting after subsection (b) the following:
       ``(c) Each agency providing a written plan under subsection 
     (b) shall provide any portion of the written plan addressing 
     information security to the Secretary of Homeland Security 
     and the National Cyber Director.''.
       (2) Subchapter ii definitions.--
       (A) In general.--Section 3552(b) of title 44, United States 
     Code, is amended--
       (i) by redesignating paragraphs (2), (3), (4), (5), (6), 
     and (7) as paragraphs (3), (4), (5), (6), (8), and (10), 
     respectively;
       (ii) by inserting after paragraph (1) the following:
       ``(2) The term `high value asset' means information or an 
     information system that the head of an agency, using 
     policies, principles, standards, or guidelines issued by the 
     Director under section 3553(a), determines to be so critical 
     to the agency that the loss or degradation of the 
     confidentiality, integrity, or availability of such 
     information or information system would have a serious impact 
     on the ability of the agency to perform the mission of the 
     agency or conduct business.'';
       (iii) by inserting after paragraph (6), as so redesignated, 
     the following:
       ``(7) The term `major incident' has the meaning given the 
     term in guidance issued by the Director under section 
     3598(a).'';
       (iv) in paragraph (8)(A), as so redesignated, in the matter 
     preceding clause (i), by striking ``used'' and inserting 
     ``owned, managed,'';
       (v) by inserting after paragraph (8), as so redesignated, 
     the following:
       ``(9) The term `penetration test'--
       ``(A) means an authorized assessment that emulates attempts 
     to gain unauthorized access to, or disrupt the operations of, 
     an information system or component of an information system; 
     and
       ``(B) includes any additional meaning given the term in 
     policies, principles, standards, or guidelines issued by the 
     Director under section 3553(a).''; and
       (vi) by inserting after paragraph (10), as so redesignated, 
     the following:
       ``(11) The term `shared service' means a centralized 
     mission capability or consolidated business function that is 
     provided to multiple organizations within an agency or to 
     multiple agencies.
       ``(12) The term `zero trust architecture' has the meaning 
     given the term in Special Publication 800-207 of the National 
     Institute of Standards and Technology, or any successor 
     document.''.
       (B) Conforming amendments.--
       (i) Homeland security act of 2002.--Section 1001(c)(1)(A) 
     of the Homeland Security Act of 2002 (6 U.S.C. 511(c)(1)(A)) 
     is amended by striking ``section 3552(b)(5)'' and inserting 
     ``section 3552(b)''.
       (ii) Title 10.--

       (I) Section 2222.--Section 2222(i)(8) of title 10, United 
     States Code, is amended by striking ``section 3552(b)(6)(A)'' 
     and inserting ``section 3552(b)(8)(A)''.
       (II) Section 2223.--Section 2223(c)(3) of title 10, United 
     States Code, is amended by striking ``section 3552(b)(6)'' 
     and inserting ``section 3552(b)''.
       (III) Section 3068.--Section 3068(b) of title 10, United 
     States Code, is amended by striking ``section 3552(b)(6)'' 
     and inserting ``section 3552(b)''.
       (IV) Section 3252.--Section 3252(e)(5) of title 10, United 
     States Code, is amended by striking ``section 3552(b)(6)'' 
     and inserting ``section 3552(b)''.

       (iii) High-performance computing act of 1991.--Section 
     207(a) of the High-Performance Computing Act of 1991 (15 
     U.S.C. 5527(a)) is amended by striking ``section 
     3552(b)(6)(A)(i)'' and inserting ``section 
     3552(b)(8)(A)(i)''.
       (iv) Internet of things cybersecurity improvement act of 
     2020.--Section 3(5) of the Internet of Things Cybersecurity 
     Improvement Act of 2020 (15 U.S.C. 278g-3a(5)) is amended by 
     striking ``section 3552(b)(6)'' and inserting ``section 
     3552(b)''.
       (v) National defense authorization act for fiscal year 
     2013.--Section 933(e)(1)(B) of the National Defense 
     Authorization Act for Fiscal Year 2013 (10 U.S.C. 2224 note) 
     is amended by striking ``section 3542(b)(2)'' and inserting 
     ``section 3552(b)''.
       (vi) Ike skelton national defense authorization act for 
     fiscal year 2011.--The Ike Skelton National Defense 
     Authorization Act for Fiscal Year 2011 (Public Law 111-383) 
     is amended--

       (I) in section 931(b)(3) (10 U.S.C. 2223 note), by striking 
     ``section 3542(b)(2)'' and inserting ``section 3552(b)''; and
       (II) in section 932(b)(2) (10 U.S.C. 2224 note), by 
     striking ``section 3542(b)(2)'' and inserting ``section 
     3552(b)''.

       (vii) E-Government act of 2002.--Section 301(c)(1)(A) of 
     the E-Government Act of 2002 (44 U.S.C. 3501 note) is amended 
     by striking ``section 3542(b)(2)'' and inserting ``section 
     3552(b)''.
       (viii) National institute of standards and technology 
     act.--Section 20 of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-3) is amended--

       (I) in subsection (a)(2), by striking ``section 
     3552(b)(6)'' and inserting ``section 3552(b)''; and
       (II) in subsection (f)--

       (aa) in paragraph (2), by striking ``section 3532(1)'' and 
     inserting ``section 3552(b)''; and
       (bb) in paragraph (5), by striking ``section 3532(b)(2)'' 
     and inserting ``section 3552(b)''.
       (3) Subchapter ii amendments.--Subchapter II of chapter 35 
     of title 44, United States Code, is amended--
       (A) in section 3551--
       (i) in paragraph (4), by striking ``diagnose and improve'' 
     and inserting ``integrate, deliver, diagnose, and improve'';
       (ii) in paragraph (5), by striking ``and'' at the end;
       (iii) in paragraph (6), by striking the period at the end 
     and inserting a semicolon; and
       (iv) by adding at the end the following:
       ``(7) recognize that each agency has specific mission 
     requirements and, at times, unique cybersecurity requirements 
     to meet the mission of the agency;
       ``(8) recognize that each agency does not have the same 
     resources to secure agency systems, and an agency should not 
     be expected to have the capability to secure the systems of 
     the agency from advanced adversaries alone; and
       ``(9) recognize that a holistic Federal cybersecurity model 
     is necessary to account for differences between the missions 
     and capabilities of agencies.'';
       (B) in section 3553--
       (i) in subsection (a)--

       (I) in paragraph (5), by striking ``and'' at the end;
       (II) in paragraph (6), by striking the period at the end 
     and inserting ``; and''; and
       (III) by adding at the end the following:

       ``(7) promoting, in consultation with the Director of the 
     Cybersecurity and Infrastructure Security Agency, the 
     National Cyber Director, and the Director of the National 
     Institute of Standards and Technology--
       ``(A) the use of automation to improve Federal 
     cybersecurity and visibility with respect to the 
     implementation of Federal cybersecurity; and
       ``(B) the use of presumption of compromise and least 
     privilege principles, such as zero trust architecture, to 
     improve resiliency and timely response actions to incidents 
     on Federal systems.'';
       (ii) in subsection (b)--

       (I) in the matter preceding paragraph (1), by inserting 
     ``and the National Cyber Director'' after ``Director'';
       (II) in paragraph (2)(A), by inserting ``and reporting 
     requirements under subchapter IV of this chapter'' after 
     ``section 3556'';
       (III) by redesignating paragraphs (8) and (9) as paragraphs 
     (10) and (11), respectively; and
       (IV) by inserting after paragraph (7) the following:

       ``(8) expeditiously seeking opportunities to reduce costs, 
     administrative burdens, and other barriers to information 
     technology security and modernization for agencies, including 
     through shared services (and appropriate commercial off the 
     shelf options for such shared services) for cybersecurity 
     capabilities identified as appropriate by the Director, in 
     coordination with the Director of the Cybersecurity and 
     Infrastructure Security Agency and other agencies as 
     appropriate;'';
       (iii) in subsection (c)--

       (I) in the matter preceding paragraph (1)--

       (aa) by striking ``each year'' and inserting ``each year 
     during which agencies are required to submit reports under 
     section 3554(c)'';
       (bb) by inserting ``, which shall be unclassified but may 
     include 1 or more annexes that contain classified or other 
     sensitive information, as appropriate'' after ``a report''; 
     and
       (cc) by striking ``preceding year'' and inserting 
     ``preceding 2 years'';

       (II) by striking paragraph (1);
       (III) by redesignating paragraphs (2), (3), and (4) as 
     paragraphs (1), (2), and (3), respectively;
       (IV) in paragraph (3), as so redesignated, by striking 
     ``and'' at the end; and
       (V) by inserting after paragraph (3), as so redesignated, 
     the following:

       ``(4) a summary of the risks and trends identified in the 
     Federal risk assessment required under subsection (i); and'';
       (iv) in subsection (h)--

       (I) in paragraph (2)--

       (aa) in subparagraph (A), by inserting ``and the National 
     Cyber Director'' after ``in coordination with the Director'';
       (bb) in subparagraph (B), by inserting ``, the scope of the 
     required action (such as applicable software, firmware, or 
     hardware versions),'' after ``reasons for the required 
     action''; and
       (cc) in subparagraph (D), by inserting ``, the National 
     Cyber Director,'' after ``notify the Director''; and

       (II) in paragraph (3)(A)(iv), by inserting ``, the National 
     Cyber Director'' after ``the Secretary provides prior notice 
     to the Director'';

       (v) by amending subsection (i) to read as follows:
       ``(i) Federal Risk Assessment.--On an ongoing and continual 
     basis, the Director of the Cybersecurity and Infrastructure 
     Security Agency shall assess the Federal risk posture using 
     any available information on the cybersecurity posture of 
     agencies, and brief the Director and National Cyber Director 
     on the findings of such assessment, including--
       ``(1) the status of agency cybersecurity remedial actions 
     for high value assets described in section 3554(b)(7);
       ``(2) any vulnerability information relating to the systems 
     of an agency that is known by the agency;
       ``(3) analysis of incident information under section 3597;
       ``(4) evaluation of penetration testing performed under 
     section 3559A;
       ``(5) evaluation of vulnerability disclosure program 
     information under section 3559B;
       ``(6) evaluation of agency threat hunting results;
       ``(7) evaluation of Federal and non-Federal cyber threat 
     intelligence;
       ``(8) data on agency compliance with standards issued under 
     section 11331 of title 40;
       ``(9) agency system risk assessments required under section 
     3554(a)(1)(A);
       ``(10) relevant reports from inspectors general of agencies 
     and the Government Accountability Office; and
       ``(11) any other information the Director of the 
     Cybersecurity and Infrastructure Security Agency determines 
     relevant.''; and
       (vi) by adding at the end the following:
       ``(m) Directives.--
       ``(1) Emergency directive updates.--If the Secretary issues 
     an emergency directive under this section, the Director of 
     the Cybersecurity and Infrastructure Security Agency shall 
     submit to the Director, the National Cyber Director, the 
     Committee on Homeland Security and Governmental Affairs of 
     the Senate, and the Committees on Oversight and 
     Accountability and Homeland Security of the House of 
     Representatives an update on the status of the implementation 
     of the emergency directive at agencies not later than 7 days 
     after the date on which the emergency directive requires an 
     agency to complete a requirement specified by the emergency 
     directive, and every 30 days thereafter until--
       ``(A) the date on which every agency has fully implemented 
     the emergency directive;
       ``(B) the Secretary determines that an emergency directive 
     no longer requires active reporting from agencies or 
     additional implementation; or
       ``(C) the date that is 1 year after the issuance of the 
     directive.
       ``(2) Binding operational directive updates.--If the 
     Secretary issues a binding operational directive under this 
     section, the Director of the Cybersecurity and Infrastructure 
     Security Agency shall submit to the Director, the National 
     Cyber Director, the Committee on Homeland Security and 
     Governmental Affairs of the Senate, and the Committees on 
     Oversight and Accountability and Homeland Security of the 
     House of Representatives an update on the status of the 
     implementation of the binding operational directive at 
     agencies not later than 30 days after the issuance of the 
     binding operational directive, and every 90 days thereafter 
     until--
       ``(A) the date on which every agency has fully implemented 
     the binding operational directive;
       ``(B) the Secretary determines that a binding operational 
     directive no longer requires active reporting from agencies 
     or additional implementation; or
       ``(C) the date that is 1 year after the issuance or 
     substantive update of the directive.
       ``(3) Report.--If the Director of the Cybersecurity and 
     Infrastructure Security Agency ceases submitting updates 
     required under paragraphs (1) or (2) on the date described in 
     paragraph (1)(C) or (2)(C), the Director of the Cybersecurity 
     and Infrastructure Security Agency shall submit to the 
     Director, the National Cyber Director, the Committee on 
     Homeland Security and Governmental Affairs of the Senate, and 
     the Committees on Oversight and Accountability and Homeland 
     Security of the House of Representatives a list of every 
     agency that, at the time of the report--
       ``(A) has not completed a requirement specified by an 
     emergency directive; or
       ``(B) has not implemented a binding operational directive.
       ``(n) Review of Office of Management and Budget Guidance 
     and Policy.--
       ``(1) Conduct of review.--Not less frequently than once 
     every 3 years, the Director of the Office of Management and 
     Budget shall review the efficacy of the guidance and policy 
     promulgated by the Director in reducing cybersecurity risks, 
     including a consideration of reporting and compliance burden 
     on agencies.
       ``(2) Congressional notification.--The Director of the 
     Office of Management and Budget shall notify the Committee on 
     Homeland Security and Governmental Affairs of the Senate and 
     the Committee on Oversight and Accountability of the House of 
     Representatives of the results of the review under paragraph 
     (1).
       ``(3) GAO review.--The Government Accountability Office 
     shall review guidance and policy promulgated by the Director 
     to assess its efficacy in risk reduction and burden on 
     agencies.
       ``(o) Automated Standard Implementation Verification.--When 
     the Director of the National Institute of Standards and 
     Technology issues a proposed standard or guideline pursuant 
     to paragraphs (2) or (3) of section 20(a) of the National 
     Institute of Standards and Technology Act (15 U.S.C. 278g-
     3(a)), the Director of the National Institute of Standards 
     and Technology shall consider developing and, if appropriate 
     and practical, develop specifications to enable the automated 
     verification of the implementation of the controls.
       ``(p) Inspectors General Access to Federal Risk 
     Assessments.--The Director of the Cybersecurity and 
     Infrastructure Security Agency shall, upon request, make 
     available Federal risk assessment information under 
     subsection (i) to the Inspector General of the Department of 
     Homeland Security and the inspector general of any agency 
     that was included in the Federal risk assessment.'';
       (C) in section 3554--
       (i) in subsection (a)--

       (I) in paragraph (1)--

       (aa) by redesignating subparagraphs (A), (B), and (C) as 
     subparagraphs (B), (C), and (D), respectively;
       (bb) by inserting before subparagraph (B), as so 
     redesignated, the following:
       ``(A) on an ongoing and continual basis, assessing agency 
     system risk, as applicable, by--
       ``(i) identifying and documenting the high value assets of 
     the agency using guidance from the Director;
       ``(ii) evaluating the data assets inventoried under section 
     3511 for sensitivity to compromises in confidentiality, 
     integrity, and availability;
       ``(iii) identifying whether the agency is participating in 
     federally offered cybersecurity shared services programs;
       ``(iv) identifying agency systems that have access to or 
     hold the data assets inventoried under section 3511;
       ``(v) evaluating the threats facing agency systems and 
     data, including high value assets, based on Federal and non-
     Federal cyber threat intelligence products, where available;
       ``(vi) evaluating the vulnerability of agency systems and 
     data, including high value assets, including by analyzing--

       ``(I) the results of penetration testing performed by the 
     Department of Homeland Security under section 3553(b)(9);
       ``(II) the results of penetration testing performed under 
     section 3559A;
       ``(III) information provided to the agency through the 
     vulnerability disclosure program of the agency under section 
     3559B;
       ``(IV) incidents; and
       ``(V) any other vulnerability information relating to 
     agency systems that is known to the agency;

       ``(vii) assessing the impacts of potential agency incidents 
     to agency systems, data, and operations based on the 
     evaluations described in clauses (ii) and (v) and the agency 
     systems identified under clause (iv); and
       ``(viii) assessing the consequences of potential incidents 
     occurring on agency systems that would impact systems at 
     other agencies, including due to interconnectivity between 
     different agency systems or operational reliance on the 
     operations of the system or data in the system;'';
       (cc) in subparagraph (B), as so redesignated, in the matter 
     preceding clause (i), by striking ``providing information'' 
     and inserting ``using information from the assessment 
     required under subparagraph (A), providing information'';
       (dd) in subparagraph (C), as so redesignated--
       (AA) in clause (ii) by inserting ``binding'' before 
     ``operational''; and
       (BB) in clause (vi), by striking ``and'' at the end;
       (ee) in subparagraph (D), as so redesignated, by inserting 
     ``and'' after the semicolon at the end; and
       (ff) by adding at the end the following:
       ``(E) providing an update on the ongoing and continual 
     assessment required under subparagraph (A)--
       ``(i) upon request, to the inspector general of the agency 
     or the Comptroller General of the United States; and
       ``(ii) at intervals determined by guidance issued by the 
     Director, and to the extent appropriate and practicable using 
     automation, to--

       ``(I) the Director;
       ``(II) the Director of the Cybersecurity and Infrastructure 
     Security Agency; and
       ``(III) the National Cyber Director;'';
       (II) in paragraph (2)--

       (aa) in subparagraph (A), by inserting ``in accordance with 
     the agency system risk assessment required under paragraph 
     (1)(A)'' after ``information systems''; and
       (bb) in subparagraph (D), by inserting ``, through the use 
     of penetration testing, the vulnerability disclosure program 
     established under section 3559B, and other means,'' after 
     ``periodically'';

       (III) in paragraph (3)(A)--

       (aa) in the matter preceding clause (i), by striking 
     ``senior agency information security officer'' and inserting 
     ``Chief Information Security Officer'';
       (bb) in clause (i), by striking ``this section'' and 
     inserting ``subsections (a) through (c)'';
       (cc) in clause (ii), by striking ``training and'' and 
     inserting ``skills, training, and'';
       (dd) by redesignating clauses (iii) and (iv) as clauses 
     (iv) and (v), respectively;
       (ee) by inserting after clause (ii) the following:
       ``(iii) manage information security, cybersecurity budgets, 
     and risk and compliance activities and explain those concepts 
     to the head of the agency and the executive team of the 
     agency;''; and
       (ff) in clause (iv), as so redesignated, by striking 
     ``information security duties as that official's primary 
     duty'' and inserting ``information, computer network, and 
     technology security duties as the Chief Information Security 
     Officers' primary duty'';

       (IV) in paragraph (5), by striking ``annually'' and 
     inserting ``not less frequently than quarterly''; and
       (V) in paragraph (6), by striking ``official delegated'' 
     and inserting ``Chief Information Security Officer 
     delegated'';

       (ii) in subsection (b)--

       (I) by striking paragraph (1) and inserting the following:

       ``(1) the ongoing and continual assessment of agency system 
     risk required under subsection (a)(1)(A), which may include 
     using guidance and automated tools consistent with standards 
     and guidelines promulgated under section 11331 of title 40, 
     as applicable;'';

       (II) in paragraph (2)--

       (aa) by striking subparagraph (B);
       (bb) by redesignating subparagraphs (C) and (D) as 
     subparagraphs (B) and (C), respectively; and
       (cc) in subparagraph (C), as so redesignated--
       (AA) by redesignating clauses (iii) and (iv) as clauses 
     (iv) and (v), respectively;
       (BB) by inserting after clause (ii) the following:
       ``(iii) binding operational directives and emergency 
     directives issued by the Secretary under section 3553;''; and
       (CC) in clause (iv), as so redesignated, by striking ``as 
     determined by the agency;'' and inserting ``as determined by 
     the agency, considering the agency risk assessment required 
     under subsection (a)(1)(A);'';

       (III) in paragraph (5)(A), by inserting ``, including 
     penetration testing, as appropriate,'' after ``shall include 
     testing'';
       (IV) by redesignating paragraphs (7) and (8) as paragraphs 
     (8) and (9), respectively;
       (V) by inserting after paragraph (6) the following:

       ``(7) a process for securely providing the status of 
     remedial cybersecurity actions and un-remediated identified 
     system vulnerabilities of high value assets to the Director 
     and the Director of the Cybersecurity and Infrastructure 
     Security Agency, using automation and machine-readable data 
     as appropriate;''; and

       (VI) in paragraph (8)(C), as so redesignated--

       (aa) by striking clause (ii) and inserting the following:
       ``(ii) notifying and consulting with the Federal 
     information security incident center established under 
     section 3556 pursuant to the requirements of section 3594;'';
       (bb) by redesignating clause (iii) as clause (iv);
       (cc) by inserting after clause (ii) the following:
       ``(iii) performing the notifications and other activities 
     required under subchapter IV of this chapter; and''; and
       (dd) in clause (iv), as so redesignated--
       (AA) in subclause (II), by adding ``and'' at the end;
       (BB) by striking subclause (III); and
       (CC) by redesignating subclause (IV) as subclause (III); 
     and
       (iii) in subsection (c)--

       (I) by redesignating paragraph (2) as paragraph (4);
       (II) by striking paragraph (1) and inserting the following:

       ``(1) Biennial report.--Not later than 2 years after the 
     date of enactment of the Federal Information Security 
     Modernization Act of 2024 and not less frequently than once 
     every 2 years thereafter, using the ongoing and continual 
     agency system risk assessment required under subsection 
     (a)(1)(A), the head of each agency shall submit to the 
     Director, the National Cyber Director, the Director of the 
     Cybersecurity and Infrastructure Security Agency, the 
     Comptroller General of the United States, the majority and 
     minority leaders of the Senate, the Speaker and minority 
     leader of the House of Representatives, the Committee on 
     Homeland Security and Governmental Affairs of the Senate, the 
     Committee on Oversight and Accountability of the House of 
     Representatives, the Committee on Homeland Security of the 
     House of Representatives, the Committee on Commerce, Science, 
     and Transportation of the Senate, the Committee on Science, 
     Space, and Technology of the House of Representatives, and 
     the appropriate authorization and appropriations committees 
     of Congress a report that--
       ``(A) summarizes the agency system risk assessment required 
     under subsection (a)(1)(A);
       ``(B) evaluates the adequacy and effectiveness of 
     information security policies, procedures, and practices of 
     the agency to address the risks identified in the agency 
     system risk assessment required under subsection (a)(1)(A), 
     including an analysis of the agency's cybersecurity and 
     incident response capabilities using the metrics established 
     under section 224(c) of the Cybersecurity Act of 2015 (6 
     U.S.C. 1522(c));
       ``(C) summarizes the status of remedial actions identified 
     by the inspector general of the agency, the Comptroller 
     General of the United States, and any other source determined 
     appropriate by the head of the agency; and
       ``(D) includes the cybersecurity shared services offered by 
     the Cybersecurity and Infrastructure Security Agency that the 
     agency participates in, if any, and explanations for any non-
     participation in such services.
       ``(2) Unclassified reports.--Each report submitted under 
     paragraph (1)--
       ``(A) shall be, to the greatest extent practicable, in an 
     unclassified and otherwise uncontrolled form; and
       ``(B) may include 1 or more annexes that contain classified 
     or other sensitive information, as appropriate.
       ``(3) Briefings.--During each year during which a report is 
     not required to be submitted under paragraph (1), the 
     Director shall provide to the congressional committees 
     described in paragraph (1) a briefing summarizing current 
     agency and Federal risk postures.''; and

       (III) in paragraph (4), as so redesignated, by striking the 
     period at the end and inserting ``, including the reporting 
     procedures established under section 11315(d) of title 40 and 
     subsection (a)(3)(A)(v) of this section.'';

       (D) in section 3555--
       (i) in the section heading, by striking ``Annual 
     independent'' and inserting ``Independent'';
       (ii) in subsection (a)--

       (I) in paragraph (1), by inserting ``during which a report 
     is required to be submitted under section 3553(c),'' after 
     ``Each year'';
       (II) in paragraph (2)(A), by inserting ``, including by 
     performing, or reviewing the results of, agency penetration 
     testing and analyzing the vulnerability disclosure program of 
     the agency'' after ``information systems''; and
       (III) by adding at the end the following:

       ``(3) An evaluation under this section may include 
     recommendations for improving the cybersecurity posture of 
     the agency.'';
       (iii) in subsection (b)(1), by striking ``annual'';
       (iv) in subsection (e)(1), by inserting ``during which a 
     report is required to be submitted under section 3553(c)'' 
     after ``Each year'';
       (v) in subsection (g)(2)--

       (I) by striking ``this subsection shall'' and inserting 
     ``this subsection--

       ``(A) shall'';

       (II) in subparagraph (A), as so designated, by striking the 
     period at the end and inserting ``; and''; and
       (III) by adding at the end the following:

       ``(B) identify any entity that performs an independent 
     evaluation under subsection (b).'';
       (vi) by striking subsection (j) and inserting the 
     following:
       ``(j) Guidance.--
       ``(1) In general.--The Director, in consultation with the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, the Chief Information Officers Council, the Council 
     of the Inspectors General on Integrity and Efficiency, and 
     other interested parties as appropriate, shall ensure the 
     development of risk-based guidance for evaluating the 
     effectiveness of an information security program and 
     practices.
       ``(2) Priorities.--The risk-based guidance developed under 
     paragraph (1) shall include--
       ``(A) the identification of the most common successful 
     threat patterns;
       ``(B) the identification of security controls that address 
     the threat patterns described in subparagraph (A);
       ``(C) any other security risks unique to Federal systems; 
     and
       ``(D) any other element the Director determines 
     appropriate.''; and
       (vii) by adding at the end the following:
       ``(k) Coordination.--The head of each agency shall 
     coordinate with the inspector general of the agency, as 
     applicable, to ensure consistent understanding of agency 
     cybersecurity or information security policies for the 
     purpose of evaluations of such policies conducted by the 
     inspector general.''; and
       (E) in section 3556(a)--
       (i) in the matter preceding paragraph (1), by inserting 
     ``within the Cybersecurity and Infrastructure Security 
     Agency'' after ``incident center''; and
       (ii) in paragraph (4), by striking ``3554(b)'' and 
     inserting ``3554(a)(1)(A)''.
       (4) Conforming amendments.--
       (A) Table of sections.--The table of sections for chapter 
     35 of title 44, United States Code, is amended by striking 
     the item relating to section 3555 and inserting the 
     following:

``3555. Independent evaluation.''.
       (B) OMB reports.--Section 226(c) of the Cybersecurity Act 
     of 2015 (6 U.S.C. 1524(c)) is amended--
       (i) in paragraph (1)(B), in the matter preceding clause 
     (i), by striking ``annually thereafter'' and inserting 
     ``thereafter during the years during which a report is 
     required to be submitted under section 3553(c) of title 44, 
     United States Code''; and

       (ii) in paragraph (2)(B), in the matter preceding clause 
     (i)--

       (I) by striking ``annually thereafter'' and inserting 
     ``thereafter during the years during which a report is 
     required to be submitted under section 3553(c) of title 44, 
     United States Code''; and
       (II) by striking ``the report required under section 
     3553(c) of title 44, United States Code'' and inserting 
     ``that report''.

       (C) NIST responsibilities.--Section 20(d)(3)(B) of the 
     National Institute of Standards and Technology Act (15 U.S.C. 
     278g-3(d)(3)(B)) is amended by striking ``annual''.
       (5) Federal system incident response.--
       (A) In general.--Chapter 35 of title 44, United States 
     Code, is amended by adding at the end the following:

           ``SUBCHAPTER IV--FEDERAL SYSTEM INCIDENT RESPONSE

     ``Sec. 3591. Definitions

       ``(a) In General.--Except as provided in subsection (b), 
     the definitions under sections 3502 and 3552 shall apply to 
     this subchapter.
       ``(b) Additional Definitions.--As used in this subchapter:
       ``(1) Appropriate reporting entities.--The term 
     `appropriate reporting entities' means--
       ``(A) the majority and minority leaders of the Senate;
       ``(B) the Speaker and minority leader of the House of 
     Representatives;
       ``(C) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       ``(D) the Committee on Commerce, Science, and 
     Transportation of the Senate;
       ``(E) the Committee on Oversight and Accountability of the 
     House of Representatives;
       ``(F) the Committee on Homeland Security of the House of 
     Representatives;
       ``(G) the Committee on Science, Space, and Technology of 
     the House of Representatives;
       ``(H) the appropriate authorization and appropriations 
     committees of Congress;
       ``(I) the Director;
       ``(J) the Director of the Cybersecurity and Infrastructure 
     Security Agency;
       ``(K) the National Cyber Director;
       ``(L) the Comptroller General of the United States; and
       ``(M) the inspector general of any impacted agency.
       ``(2) Awardee.--The term `awardee', with respect to an 
     agency--
       ``(A) means--
       ``(i) the recipient of a grant from an agency;
       ``(ii) a party to a cooperative agreement with an agency; 
     and
       ``(iii) a party to an other transaction agreement with an 
     agency; and
       ``(B) includes a subawardee of an entity described in 
     subparagraph (A).
       ``(3) Breach.--The term `breach'--
       ``(A) means the compromise, unauthorized disclosure, 
     unauthorized acquisition, or loss of control of personally 
     identifiable information owned, maintained, or otherwise 
     controlled by an agency, or any similar occurrence; and
       ``(B) includes any additional meaning given the term in 
     policies, principles, standards, or guidelines issued by the 
     Director.
       ``(4) Contractor.--The term `contractor' means a prime 
     contractor of an agency or a subcontractor of a prime 
     contractor of an agency that creates, collects, stores, 
     processes, maintains, or transmits Federal information on 
     behalf of an agency.
       ``(5) Federal information.--The term `Federal information' 
     means information created, collected, processed, maintained, 
     disseminated, disclosed, or disposed of by or for the Federal 
     Government in any medium or form.
       ``(6) Federal information system.--The term `Federal 
     information system' means an information system owned, 
     managed, or operated by an agency, or on behalf of an agency 
     by a contractor, an awardee, or another organization.
       ``(7) Intelligence community.--The term `intelligence 
     community' has the meaning given the term in section 3 of the 
     National Security Act of 1947 (50 U.S.C. 3003).
       ``(8) Nationwide consumer reporting agency.--The term 
     `nationwide consumer reporting agency' means a consumer 
     reporting agency described in section 603(p) of the Fair 
     Credit Reporting Act (15 U.S.C. 1681a(p)).
       ``(9) Vulnerability disclosure.--The term `vulnerability 
     disclosure' means a vulnerability identified under section 
     3559B.

     ``Sec. 3592. Notification of breach

       ``(a) Definition.--In this section, the term `covered 
     breach' means a breach--
       ``(1) involving not less than 50,000 potentially affected 
     individuals; or
       ``(2) the result of which the head of an agency determines 
     that notifying potentially affected individuals is necessary 
     pursuant to subsection (b)(1), regardless of whether--
       ``(A) the number of potentially affected individuals is 
     less than 50,000; or
       ``(B) the notification is delayed under subsection (d).
       ``(b) Notification.--As expeditiously as practicable and 
     without unreasonable delay, and in any case not later than 45 
     days after an agency has a reasonable basis to conclude that 
     a breach has occurred, the head of the agency, in 
     consultation with the Chief Information Officer and Chief 
     Privacy Officer of the agency and, as appropriate, any non-
     Federal entity supporting the remediation of the breach, 
     shall--
       ``(1) determine whether notice to any individual 
     potentially affected by the breach is appropriate, including 
     by conducting an assessment of the risk of harm to the 
     individual that considers--
       ``(A) the nature and sensitivity of the personally 
     identifiable information affected by the breach;
       ``(B) the likelihood of access to and use of the personally 
     identifiable information affected by the breach;
       ``(C) the type of breach; and
       ``(D) any other factors determined by the Director; and
       ``(2) if the head of the agency determines notification is 
     necessary pursuant to paragraph (1), provide written 
     notification in accordance with subsection (c) to each 
     individual potentially affected by the breach--
       ``(A) to the last known mailing address of the individual; 
     or
       ``(B) through an appropriate alternative method of 
     notification.
       ``(c) Contents of Notification.--Each notification of a 
     breach provided to an individual under subsection (b)(2) 
     shall include, to the maximum extent practicable--
       ``(1) a brief description of the breach;
       ``(2) if possible, a description of the types of personally 
     identifiable information affected by the breach;
       ``(3) contact information of the agency that may be used to 
     ask questions of the agency, which--
       ``(A) shall include an e-mail address or another digital 
     contact mechanism; and
       ``(B) may include a telephone number, mailing address, or a 
     website;
       ``(4) information on any remedy being offered by the 
     agency;
       ``(5) any applicable educational materials relating to what 
     individuals can do in response to a breach that potentially 
     affects their personally identifiable information, including 
     relevant contact information for the appropriate Federal law 
     enforcement agencies and each nationwide consumer reporting 
     agency; and
       ``(6) any other appropriate information, as determined by 
     the head of the agency or established in guidance by the 
     Director.
       ``(d) Delay of Notification.--
       ``(1) In general.--The head of an agency, in coordination 
     with the Director and the National Cyber Director, and as 
     appropriate, the Attorney General, the Director of National 
     Intelligence, or the Secretary of Homeland Security, may 
     delay a notification required under subsection (b) or (e) if 
     the notification would--
       ``(A) impede a criminal investigation or a national 
     security activity;
       ``(B) cause an adverse result (as described in section 
     2705(a)(2) of title 18);
       ``(C) reveal sensitive sources and methods;
       ``(D) cause damage to national security; or
       ``(E) hamper security remediation actions.
       ``(2) Renewal.--A delay under paragraph (1) shall be for a 
     period of 60 days and may be renewed.
       ``(3) National security systems.--The head of an agency 
     delaying notification under this subsection with respect to a 
     breach exclusively of a national security system shall 
     coordinate such delay with the Secretary of Defense.
       ``(e) Update Notification.--If an agency determines there 
     is a significant change in the reasonable basis to conclude 
     that a breach occurred, a significant change to the 
     determination made under subsection (b)(1), or that it is 
     necessary to update the details of the information provided 
     to potentially affected individuals as described in 
     subsection (c), the agency shall as expeditiously as 
     practicable and without unreasonable delay, and in any case 
     not later than 30 days after such a determination, notify 
     each individual who received a notification pursuant to 
     subsection (b) of those changes.
       ``(f) Delay of Notification Report.--
       ``(1) In general.--Not later than 1 year after the date of 
     enactment of the Federal Information Security Modernization 
     Act of 2024, and annually thereafter, the head of an agency, 
     in coordination with any official who delays a notification 
     under subsection (d), shall submit to the appropriate 
     reporting entities a report on each delay that occurred 
     during the previous 2 years.
       ``(2) Component of other report.--The head of an agency may 
     submit the report required under paragraph (1) as a component 
     of the report submitted under section 3554(c).
       ``(g) Congressional Reporting Requirements.--
       ``(1) Review and update.--On a periodic basis, the Director 
     of the Office of Management and Budget shall review, and 
     update as appropriate, breach notification policies and 
     guidelines for agencies.
       ``(2) Required notice from agencies.--Subject to paragraph 
     (4), the Director of the Office of Management and Budget 
     shall require the head of an agency affected by a covered 
     breach to expeditiously and not later than 30 days after the 
     date on which the agency discovers the covered breach give 
     notice of the breach, which may be provided electronically, 
     to--
       ``(A) each congressional committee described in section 
     3554(c)(1); and
       ``(B) the Committee on the Judiciary of the Senate and the 
     Committee on the Judiciary of the House of Representatives.
       ``(3) Contents of notice.--Notice of a covered breach 
     provided by the head of an agency pursuant to paragraph (2) 
     shall include, to the extent practicable--
       ``(A) information about the covered breach, including a 
     summary of any information about how the covered breach 
     occurred known by the agency as of the date of the notice;
       ``(B) an estimate of the number of individuals affected by 
     the covered breach based on information known by the agency 
     as of the date of the notice, including an assessment of the 
     risk of harm to affected individuals;
       ``(C) a description of any circumstances necessitating a 
     delay in providing notice to individuals affected by the 
     covered breach in accordance with subsection (d); and
       ``(D) an estimate of when the agency will provide notice to 
     individuals affected by the covered breach, if applicable.
       ``(4) Exception.--Any agency that is required to provide 
     notice to Congress pursuant to paragraph (2) due to a covered 
     breach exclusively on a national security system shall only 
     provide such notice to--
       ``(A) the majority and minority leaders of the Senate;
       ``(B) the Speaker and minority leader of the House of 
     Representatives;
       ``(C) the appropriations committees of Congress;
       ``(D) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       ``(E) the Select Committee on Intelligence of the Senate;
       ``(F) the Committee on Oversight and Accountability of the 
     House of Representatives; and
       ``(G) the Permanent Select Committee on Intelligence of the 
     House of Representatives.
       ``(5) Rule of construction.--Nothing in paragraphs (1) 
     through (3) shall be construed to alter any authority of an 
     agency.
       ``(h) Rule of Construction.--Nothing in this section shall 
     be construed to--
       ``(1) limit--
       ``(A) the authority of the Director to issue guidance 
     relating to notifications of, or the head of an agency to 
     notify individuals potentially affected by, breaches that are 
     not determined to be covered breaches or major incidents;
       ``(B) the authority of the Director to issue guidance 
     relating to notifications and reporting of breaches, covered 
     breaches, or major incidents;
       ``(C) the authority of the head of an agency to provide 
     more information than required under subsection (b) when 
     notifying individuals potentially affected by a breach;
       ``(D) the timing of incident reporting or the types of 
     information included in incident reports provided, pursuant 
     to this subchapter, to--
       ``(i) the Director;
       ``(ii) the National Cyber Director;
       ``(iii) the Director of the Cybersecurity and 
     Infrastructure Security Agency; or
       ``(iv) any other agency;
       ``(E) the authority of the head of an agency to provide 
     information to Congress about agency breaches, including--
       ``(i) breaches that are not covered breaches; and
       ``(ii) additional information beyond the information 
     described in subsection (g)(3); or
       ``(F) any congressional reporting requirements of agencies 
     under any other law; or
       ``(2) limit or supersede any existing privacy protections 
     in existing law.

     ``Sec. 3593. Congressional and executive branch reports on 
       major incidents

       ``(a) Appropriate Congressional Entities.--In this section, 
     the term `appropriate congressional entities' means--
       ``(1) the majority and minority leaders of the Senate;
       ``(2) the Speaker and minority leader of the House of 
     Representatives;
       ``(3) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       ``(4) the Committee on Commerce, Science, and 
     Transportation of the Senate;
       ``(5) the Committee on Oversight and Accountability of the 
     House of Representatives;
       ``(6) the Committee on Homeland Security of the House of 
     Representatives;
       ``(7) the Committee on Science, Space, and Technology of 
     the House of Representatives; and
       ``(8) the appropriate authorization and appropriations 
     committees of Congress.
       ``(b) Initial Notification.--
       ``(1) In general.--Not later than 72 hours after an agency 
     has a reasonable basis to conclude that a major incident 
     occurred, the head of the agency impacted by the major 
     incident shall submit to the appropriate reporting entities a 
     written notification, which may be submitted electronically 
     and include 1 or more annexes that contain classified or 
     other sensitive information, as appropriate.
       ``(2) Contents.--A notification required under paragraph 
     (1) with respect to a major incident shall include the 
     following, based on information available to agency officials 
     as of the date on which the agency submits the notification:
       ``(A) A summary of the information available about the 
     major incident, including how the major incident occurred and 
     the threat causing the major incident.
       ``(B) If applicable, information relating to any breach 
     associated with the major incident, regardless of whether--
       ``(i) the breach was the reason the incident was determined 
     to be a major incident; and
       ``(ii) the head of the agency determined it was appropriate to 
     provide notification to potentially impacted individuals 
     pursuant to section 3592(b)(1).
       ``(C) A preliminary assessment of the impacts to--
       ``(i) the agency;
       ``(ii) the Federal Government;
       ``(iii) the national security, foreign relations, homeland 
     security, and economic security of the United States; and
       ``(iv) the civil liberties, public confidence, privacy, and 
     public health and safety of the people of the United States.
       ``(D) If applicable, whether any ransom has been demanded 
     or paid, or is expected to be paid, by any entity operating a 
     Federal information system or with access to Federal 
     information or a Federal information system, including, as 
     available, the name of the entity demanding ransom, the date 
     of the demand, and the amount and type of currency demanded, 
     unless disclosure of such information will disrupt an active 
     Federal law enforcement or national security operation.
       ``(c) Supplemental Update.--Within a reasonable amount of 
     time, but not later than 30 days after the date on which the 
     head of an agency submits a written notification under 
     subsection (b), the head of the agency shall provide to the 
     appropriate congressional entities an unclassified and 
     written update, which may include 1 or more annexes that 
     contain classified or other sensitive information, as 
     appropriate, on the major incident, based on information 
     available to agency officials as of the date on which the 
     agency provides the update, on--
       ``(1) system vulnerabilities relating to the major 
     incident, where applicable, means by which the major incident 
     occurred, the threat causing the major incident, where 
     applicable, and impacts of the major incident to--
       ``(A) the agency;
       ``(B) other Federal agencies, Congress, or the judicial 
     branch;
       ``(C) the national security, foreign relations, homeland 
     security, or economic security of the United States; or
       ``(D) the civil liberties, public confidence, privacy, or 
     public health and safety of the people of the United States;
       ``(2) the status of compliance of the affected Federal 
     information system with applicable security requirements at 
     the time of the major incident;
       ``(3) if the major incident involved a breach, a 
     description of the affected information, an estimate of the 
     number of individuals potentially impacted, and any 
     assessment of the risk of harm to such individuals;
       ``(4) an update to the assessment of the risk to agency 
     operations, or to impacts on other agency or non-Federal 
     entity operations, affected by the major incident;
       ``(5) the detection, response, and remediation actions of 
     the agency, including any support provided by the 
     Cybersecurity and Infrastructure Security Agency under 
     section 3594(d), if applicable;
       ``(6) as appropriate and available, actions undertaken by 
     any non-Federal entities impacted by or supporting 
     remediation of the major incident; and
       ``(7) as appropriate and available, recommendations for 
     mitigating future similar incidents, including 
     recommendations from any non-Federal entity impacted by or 
     supporting the remediation of the major incident.
       ``(d) Additional Update.--If the head of an agency, the 
     Director, or the National Cyber Director determines that 
     there is any significant change in the understanding of the 
     scope, scale, or consequence of a major incident for which 
     the head of the agency submitted a written notification and 
     update under subsections (b) and (c), the head of the agency 
     shall submit to the appropriate congressional entities a 
     written update that includes information relating to the 
     change in understanding.
       ``(e) Biennial Report.--Each agency shall submit as part of 
     the biennial report required under section 3554(c)(1) a 
     description of each major incident that occurred during the 
     2-year period preceding the date on which the biennial report 
     is submitted.
       ``(f) Report Delivery.--
       ``(1) In general.--Any written notification or update 
     required to be submitted under this section--
       ``(A) shall be submitted in an electronic format; and
       ``(B) may be submitted in a paper format.
       ``(2) Classification status.--Any written notification or 
     update required to be submitted under this section--
       ``(A) shall be--
       ``(i) unclassified; and
       ``(ii) submitted through unclassified electronic means 
     pursuant to paragraph (1)(A); and
       ``(B) may include classified annexes, as appropriate.
       ``(g) Report Consistency.--To achieve consistent and 
     coherent agency reporting to Congress, the National Cyber 
     Director, in coordination with the Director, shall--
       ``(1) provide recommendations to agencies on formatting and 
     the contents of information to be included in the reports 
     required under this section, including recommendations for 
     consistent formats for presenting any associated metrics; and
       ``(2) maintain a comprehensive record of each major 
     incident notification, update, and briefing provided under 
     this section, which shall--
       ``(A) include, at a minimum--
       ``(i) the full contents of the written notification or 
     update;
       ``(ii) the identity of the reporting agency;
       ``(iii) the date of submission; and
       ``(iv) a list of the recipient congressional entities; and
       ``(B) be made available upon request to the majority and 
     minority leaders of the Senate, the Speaker and minority 
     leader of the House of Representatives, the Committee on Homeland Security 
     and Governmental Affairs of the Senate, and the Committee on 
     Oversight and Accountability of the House of Representatives.
       ``(h) National Security Systems Congressional Reporting 
     Exemption.--With respect to a major incident that occurs 
     exclusively on a national security system, the head of the 
     affected agency shall submit the notifications and reports 
     required to be submitted to Congress under this section only 
     to--
       ``(1) the majority and minority leaders of the Senate;
       ``(2) the Speaker and minority leader of the House of 
     Representatives;
       ``(3) the appropriations committees of Congress;
       ``(4) the appropriate authorization committees of Congress;
       ``(5) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       ``(6) the Select Committee on Intelligence of the Senate;
       ``(7) the Committee on Oversight and Accountability of the 
     House of Representatives; and
       ``(8) the Permanent Select Committee on Intelligence of the 
     House of Representatives.
       ``(i) Major Incidents Including Breaches.--If a major 
     incident constitutes a covered breach, as defined in section 
     3592(a), information on the covered breach required to be 
     submitted to Congress pursuant to section 3592(g) may--
       ``(1) be included in the notifications required under 
     subsection (b) or (c); or
       ``(2) be reported to Congress under the process established 
     under section 3592(g).
       ``(j) Rule of Construction.--Nothing in this section shall 
     be construed to--
       ``(1) limit--
       ``(A) the ability of an agency to provide additional 
     reports or briefings to Congress;
       ``(B) Congress from requesting additional information from 
     agencies through reports, briefings, or other means; and
       ``(C) any congressional reporting requirements of agencies 
     under any other law; or
       ``(2) limit or supersede any privacy protections under any 
     other law.

     ``Sec. 3594. Government information sharing and incident 
       response

       ``(a) In General.--
       ``(1) Incident sharing.--Subject to paragraph (4) and 
     subsection (b), and in accordance with the applicable 
     requirements pursuant to section 3553(b)(2)(A) for reporting 
     to the Federal information security incident center 
     established under section 3556, the head of each agency shall 
     provide to the Cybersecurity and Infrastructure Security 
     Agency information relating to any incident affecting the 
     agency, whether the information is obtained by the Federal 
     Government directly or indirectly.
       ``(2) Contents.--A provision of information relating to an 
     incident made by the head of an agency under paragraph (1) 
     shall include, at a minimum--
       ``(A) a full description of the incident, including--
       ``(i) all indicators of compromise and tactics, techniques, 
     and procedures;
       ``(ii) an indicator of how the intruder gained initial 
     access, accessed agency data or systems, and undertook 
     additional actions on the network of the agency;
       ``(iii) information that would support enabling defensive 
     measures; and
       ``(iv) other information that may assist in identifying 
     other victims;
       ``(B) information to help prevent similar incidents, such 
     as information about relevant safeguards in place when the 
     incident occurred and the effectiveness of those safeguards; 
     and
       ``(C) information to aid in incident response, such as--
       ``(i) a description of the affected systems or networks;
       ``(ii) the estimated dates of when the incident occurred; 
     and
       ``(iii) information that could reasonably help identify any 
     malicious actor that may have conducted or caused the 
     incident, subject to appropriate privacy protections.
       ``(3) Information sharing.--The Director of the 
     Cybersecurity and Infrastructure Security Agency shall--
       ``(A) make incident information provided under paragraph 
     (1) available to the Director and the National Cyber 
     Director;
       ``(B) to the greatest extent practicable, share information 
     relating to an incident with--
       ``(i) the head of any agency that may be--

       ``(I) impacted by the incident;
       ``(II) particularly susceptible to the incident; or
       ``(III) similarly targeted by the incident; and

       ``(ii) appropriate Federal law enforcement agencies to 
     facilitate any necessary threat response activities, as 
     requested;
       ``(C) coordinate any necessary information sharing efforts 
     relating to a major incident with the private sector; and
       ``(D) notify the National Cyber Director of any efforts 
     described in subparagraph (C).
       ``(4) National security systems exemption.--
       ``(A) In general.--Notwithstanding paragraphs (1) and (3), 
     each agency operating or exercising control of a national 
     security system shall share information about an incident 
     that occurs exclusively on a national security system with 
     the Secretary of Defense, the Director, the National Cyber 
     Director, and the Director of the Cybersecurity and 
     Infrastructure Security Agency to the extent consistent with 
     standards and guidelines for national security systems issued 
     in accordance with law and as directed by the President.
       ``(B) Protections.--Any information sharing and handling of 
     information under this paragraph shall be appropriately 
     protected consistent with procedures authorized for the 
     protection of sensitive sources and methods or by procedures 
     established for information that have been specifically 
     authorized under criteria established by an Executive order 
     or an Act of Congress to be kept classified in the interest 
     of national defense or foreign policy.
       ``(b) Automation.--In providing information and selecting a 
     method to provide information under subsection (a), the head 
     of each agency shall implement subsection (a)(1) in a manner 
     that provides such information to the Cybersecurity and 
     Infrastructure Security Agency in an automated and machine-
     readable format, to the greatest extent practicable.
       ``(c) Incident Response.--Each agency that has a reasonable 
     basis to suspect or conclude that a major incident occurred 
     involving Federal information in electronic medium or form 
     that does not exclusively involve a national security system 
     shall coordinate with--
       ``(1) the Cybersecurity and Infrastructure Security Agency 
     to facilitate asset response activities and provide 
     recommendations for mitigating future incidents; and
       ``(2) consistent with relevant policies, appropriate 
     Federal law enforcement agencies to facilitate threat 
     response activities.

     ``Sec. 3595. Responsibilities of contractors and awardees

       ``(a) Notification.--
       ``(1) In general.--Any contractor or awardee of an agency 
     shall provide written notification to the agency if the 
     contractor or awardee has a reasonable basis to conclude 
     that--
       ``(A) an incident or breach has occurred with respect to 
     Federal information the contractor or awardee collected, 
     used, or maintained on behalf of an agency;
       ``(B) an incident or breach has occurred with respect to a 
     Federal information system used, operated, managed, or 
     maintained on behalf of an agency by the contractor or 
     awardee;
       ``(C) a component of any Federal information system 
     operated, managed, or maintained by a contractor or awardee 
     contains a security vulnerability, including a supply chain 
     compromise or an identified software or hardware 
     vulnerability, for which there is reliable evidence of a 
     successful exploitation of the vulnerability by an actor 
     without authorization of the Federal information system 
     owner; or
       ``(D) the contractor or awardee has received from the 
     agency personally identifiable information or personal health 
     information that is beyond the scope of the contract or 
     agreement with the agency that the contractor or awardee is 
     not authorized to receive.
       ``(2) Third-party notification of vulnerabilities.--Subject 
     to the guidance issued by the Director pursuant to paragraph 
     (4), any contractor or awardee of an agency shall provide 
     written notification to the agency and the Cybersecurity and 
     Infrastructure Security Agency if the contractor or awardee 
     has a reasonable basis to conclude that a component of any 
     Federal information system operated, managed, or maintained 
     on behalf of an agency by the contractor or awardee contains 
     a security vulnerability, including a 
     supply chain compromise or an identified software or hardware 
     vulnerability, that has been reported to the contractor or 
     awardee by a third party, including through a vulnerability 
     disclosure program.
       ``(3) Procedures.--
       ``(A) Sharing with cisa.--As soon as practicable following 
     a notification of an incident or vulnerability to an agency 
     by a contractor or awardee under paragraph (1), the head of 
     the agency shall provide, pursuant to section 3594, 
     information about the incident or vulnerability to the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency.
       ``(B) Timing of notifications.--Unless a different time for 
     notification is specified in a contract, grant, cooperative 
     agreement, or other transaction agreement, a contractor or 
     awardee shall--
       ``(i) make a notification required under paragraph (1) not 
     later than 1 day after the date on which the contractor or 
     awardee has reasonable basis to suspect or conclude that the 
     criteria under paragraph (1) have been met; and
       ``(ii) make a notification required under paragraph (2) 
     within a reasonable time, but not later than 90 days after 
     the date on which the contractor or awardee has reasonable 
     basis to suspect or conclude that the criteria under 
     paragraph (2) have been met.
       ``(C) Procedures.--Following a notification of a breach or 
     incident to an agency by a contractor or awardee under 
     paragraph (1), the head of the agency, in consultation with 
     the contractor or awardee, shall carry out the applicable 
     requirements under sections 3592, 3593, and 3594 with respect 
     to the breach or incident.
       ``(D) Rule of construction.--Nothing in subparagraph (B) 
     shall be construed to allow the negation of the requirements 
     to notify vulnerabilities under paragraph (1) or (2) through 
     a contract, grant, cooperative agreement, or other 
     transaction agreement.

[[Page S4363]]

       ``(4) Guidance.--The Director shall issue guidance as soon 
     as practicable to agencies relating to the scope of 
     vulnerabilities to be included in required notifications 
     under paragraph (2), such as the minimum severity or minimum 
     risk level of a vulnerability included in required 
     notifications, whether vulnerabilities that are already 
     publicly disclosed must be reported, or likely cybersecurity 
     impact to Federal information systems.
       ``(b) Regulations; Modifications.--
       ``(1) In general.--Not later than 2 years after the date of 
     enactment of the Federal Information Security Modernization 
     Act of 2024--
       ``(A) the Federal Acquisition Regulatory Council shall 
     promulgate regulations, as appropriate, relating to the 
     responsibilities of contractors and recipients of other 
     transaction agreements and cooperative agreements to comply 
     with this section; and
       ``(B) the Office of Federal Financial Management shall 
     promulgate regulations under title 2, Code of Federal 
     Regulations, as appropriate, relating to the responsibilities 
     of grantees to comply with this section.
       ``(2) Implementation.--Not later than 1 year after the date 
     on which the Federal Acquisition Regulatory Council and the 
     Office of Federal Financial Management promulgate 
     regulations under paragraph (1), the head of each agency 
     shall implement policies and procedures, as appropriate, 
     necessary to implement those regulations.
       ``(3) Congressional notification.--
       ``(A) In general.--The head of each agency shall 
     notify the Director upon implementation of policies and 
     procedures necessary to implement the regulations promulgated 
     under paragraph (1).
       ``(B) OMB notification.--Not later than 30 days after the 
     date described in paragraph (2), the Director shall notify 
     the Committee on Homeland Security and Governmental Affairs 
     of the Senate and the Committees on Oversight and 
     Accountability and Homeland Security of the House of 
     Representatives on the status of the implementation by each 
     agency of the regulations promulgated under paragraph (1).
       ``(c) Allowable Use.--Information provided to an agency 
     pursuant to this section may be disclosed to, retained by, 
     and used by any agency, component, officer, employee, or 
     agent of the Federal Government solely for any of the 
     following:
       ``(1) A cybersecurity purpose (as defined in section 2200 
     of the Homeland Security Act of 2002 (6 U.S.C. 650)).
       ``(2) Identifying--
       ``(A) a cyber threat (as defined in such section 2200), 
     including the source of the cyber threat; or
       ``(B) a security vulnerability (as defined in such section 
     2200).
       ``(3) Preventing, investigating, disrupting, or prosecuting 
     an offense arising out of an incident notified to an agency 
     pursuant to this section or any of the offenses listed in 
     section 105(d)(5)(A)(v) of the Cybersecurity Information 
     Sharing Act of 2015 (6 U.S.C. 1504(d)(5)(A)(v)).
       ``(d) Harmonization of Other Private-sector Cybersecurity 
     Reporting Obligations.--Any non-Federal entity required to 
     report an incident under section 2242 of the Homeland 
     Security Act of 2002 (6 U.S.C. 681b) may submit as part of 
     the written notification requirements in this section all 
     information required by such section 2242 to the agency of 
     which the entity is a contractor or recipient of Federal 
     financial assistance, or with which the entity holds an other 
     transaction agreement or cooperative agreement, within the 
     deadline specified in subsection (a)(3)(B)(1). If such 
     submission is completed, the non-Federal entity shall not be 
     required to subsequently report the same incident under the 
     requirements of such section 2242. Any incident information 
     shared under this subsection shall be shared with the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency pursuant to subsection (a)(3)(A).
       ``(e) National Security Systems Exemption.--Notwithstanding 
     any other provision of this section, a contractor or awardee 
     of an agency that would be required to report an incident or 
     vulnerability pursuant to this section that occurs 
     exclusively on a national security system shall--
       ``(1) report the incident or vulnerability to the head of 
     the agency and the Secretary of Defense; and
       ``(2) comply with applicable laws and policies relating to 
     national security systems.

     ``Sec. 3596. Training

       ``(a) Covered Individual Defined.--In this section, the 
     term `covered individual' means an individual who obtains 
     access to a Federal information system because of the status 
     of the individual as--
       ``(1) an employee, contractor, awardee, volunteer, or 
     intern of an agency; or
       ``(2) an employee of a contractor or awardee of an agency.
       ``(b) Best Practices and Consistency.--The Director of the 
     Cybersecurity and Infrastructure Security Agency, in 
     consultation with the Director, the National Cyber Director, 
     and the Director of the National Institute of Standards and 
     Technology, shall consolidate best practices to support 
     consistency across agencies in cybersecurity incident 
     response training, including--
       ``(1) information to be collected and shared with the 
     Cybersecurity and Infrastructure Security Agency pursuant to 
     section 3594(a) and processes for sharing such information; 
     and
       ``(2) appropriate training and qualifications for cyber 
     incident responders.
       ``(c) Agency Training.--The head of each agency shall 
     develop training for covered individuals on how to identify 
     and respond to an incident, including--
       ``(1) the internal process of the agency for reporting an 
     incident; and
       ``(2) the obligation of a covered individual to report to 
     the agency any suspected or confirmed incident involving 
     Federal information in any medium or form, including paper, 
     oral, and electronic.
       ``(d) Inclusion in Annual Training.--The training developed 
     under subsection (c) may be included as part of an annual 
     privacy, security awareness, or other appropriate training of 
     an agency.

     ``Sec. 3597. Analysis and report on Federal incidents

       ``(a) Analysis of Federal Incidents.--
       ``(1) Quantitative and qualitative analyses.--The Director 
     of the Cybersecurity and Infrastructure Security Agency shall 
     perform and, in coordination with the Director and the 
     National Cyber Director, develop, continuous monitoring and 
     quantitative and qualitative analyses of incidents at 
     agencies, including major incidents, including--
       ``(A) the causes of incidents, including--
       ``(i) attacker tactics, techniques, and procedures; and
       ``(ii) system vulnerabilities, including zero days, 
     unpatched systems, and information system misconfigurations;
       ``(B) the scope and scale of incidents at agencies;
       ``(C) common root causes of incidents across multiple 
     agencies;
       ``(D) agency incident response, recovery, and remediation 
     actions and the effectiveness of those actions, as 
     applicable;
       ``(E) lessons learned and recommendations in responding to, 
     recovering from, remediating, and mitigating future 
     incidents; and
       ``(F) trends across multiple agencies to address intrusion 
     detection and incident response capabilities using the 
     metrics established under section 224(c) of the Cybersecurity 
     Act of 2015 (6 U.S.C. 1522(c)).
       ``(2) Automated analysis.--The analyses developed under 
     paragraph (1) shall, to the greatest extent practicable, use 
     machine-readable data, automation, and machine learning 
     processes.
       ``(3) Sharing of data and analysis.--
       ``(A) In general.--The Director of the Cybersecurity and 
     Infrastructure Security Agency shall share on an ongoing 
     basis the analyses and underlying data required under this 
     subsection with agencies, the Director, and the National 
     Cyber Director to--
       ``(i) improve the understanding of cybersecurity risk of 
     agencies; and
       ``(ii) support the cybersecurity improvement efforts of 
     agencies.
       ``(B) Format.--In carrying out subparagraph (A), the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency shall share the analyses--
       ``(i) in human-readable written products; and
       ``(ii) to the greatest extent practicable, in machine-
     readable formats in order to enable automated intake and use 
     by agencies.
       ``(C) Exemption.--This subsection shall not apply to 
     incidents that occur exclusively on national security 
     systems.
       ``(b) Annual Report on Federal Incidents.--Not later than 2 
     years after the date of enactment of this section, and not 
     less frequently than annually thereafter, the Director of the 
     Cybersecurity and Infrastructure Security Agency, in 
     consultation with the Director, the National Cyber Director 
     and the heads of other agencies, as appropriate, shall submit 
     to the appropriate reporting entities a report that 
     includes--
       ``(1) a summary of causes of incidents from across the 
     Federal Government that categorizes those incidents as 
     incidents or major incidents;
       ``(2) the quantitative and qualitative analyses of 
     incidents developed under subsection (a)(1) on an agency-by-
     agency basis and comprehensively across the Federal 
     Government, including--
       ``(A) a specific analysis of breaches; and
       ``(B) an analysis of the Federal Government's performance 
     against the metrics established under section 224(c) of the 
     Cybersecurity Act of 2015 (6 U.S.C. 1522(c)); and
       ``(3) an annex for each agency that includes--
       ``(A) a description of each major incident;
       ``(B) the total number of incidents of the agency; and
       ``(C) an analysis of the agency's performance against the 
     metrics established under section 224(c) of the Cybersecurity 
     Act of 2015 (6 U.S.C. 1522(c)).
       ``(c) Publication.--
       ``(1) In general.--The Director of the Cybersecurity and 
     Infrastructure Security Agency shall make a version of each 
     report submitted under subsection (b) publicly available on 
     the website of the Cybersecurity and Infrastructure Security 
     Agency during the year during which the report is submitted.
       ``(2) Exemption.--The publication requirement under 
     paragraph (1) shall not apply to a portion of a report that 
     contains content that should be protected in the interest of 
     national security, as determined by the Director, the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, or the National Cyber Director.
       ``(3) Limitation on exemption.--The exemption under 
     paragraph (2) shall not apply to any version of a report 
     submitted to the appropriate reporting entities under 
     subsection (b).

[[Page S4364]]

       ``(4) Requirement for compiling information.--
       ``(A) Compilation.--Subject to subparagraph (B), in making 
     a report publicly available under paragraph (1), the Director 
     of the Cybersecurity and Infrastructure Security Agency shall 
     sufficiently compile information so that no specific incident 
     of an agency can be identified.
       ``(B) Exception.--The Director of the Cybersecurity and 
     Infrastructure Security Agency may include information that 
     enables a specific incident of an agency to be identified in 
     a publicly available report--
       ``(i) with the concurrence of the Director and the National 
     Cyber Director;
       ``(ii) in consultation with the impacted agency, which may, 
     as appropriate, consult with any non-Federal entity impacted 
     by or supporting the remediation of such incident; and
       ``(iii) in consultation with the inspector general of the 
     impacted agency.
       ``(d) Information Provided by Agencies.--
       ``(1) In general.--The analysis required under subsection 
     (a) and each report submitted under subsection (b) shall use 
     information provided by agencies under section 3594(a).
       ``(2) Noncompliance reports.--During any year during which 
     the head of an agency does not provide data for an incident 
     to the Cybersecurity and Infrastructure Security Agency in 
     accordance with section 3594(a), the head of the agency, in 
     coordination with the Director of the Cybersecurity and 
     Infrastructure Security Agency and the Director, shall submit 
     to the appropriate reporting entities a report that includes 
     the information described in subsection (b) with respect to 
     the agency.
       ``(e) National Security System Reports.--
       ``(1) In general.--Notwithstanding any other provision of 
     this section, the Secretary of Defense, in consultation with 
     the Director, the National Cyber Director, the Director of 
     National Intelligence, and the Director of the Cybersecurity 
     and Infrastructure Security Agency shall annually submit a 
     report that includes the information described in subsection 
     (b) with respect to national security systems, to the extent 
     that the submission is consistent with standards and 
     guidelines for national security systems issued in accordance 
     with law and as directed by the President, to--
       ``(A) the majority and minority leaders of the Senate;
       ``(B) the Speaker and minority leader of the House of 
     Representatives;
       ``(C) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       ``(D) the Select Committee on Intelligence of the Senate;
       ``(E) the Committee on Armed Services of the Senate;
       ``(F) the Committee on Appropriations of the Senate;
       ``(G) the Committee on Oversight and Accountability of the 
     House of Representatives;
       ``(H) the Committee on Homeland Security of the House of 
     Representatives;
       ``(I) the Permanent Select Committee on Intelligence of the 
     House of Representatives;
       ``(J) the Committee on Armed Services of the House of 
     Representatives; and
       ``(K) the Committee on Appropriations of the House of 
     Representatives.
       ``(2) Classified form.--A report required under paragraph 
     (1) may be submitted in a classified form.

     ``Sec. 3598. Major incident definition

       ``(a) In General.--Not later than 1 year after the later of 
     the date of enactment of the Federal Information Security 
     Modernization Act of 2024 and the most recent publication by 
     the Director of guidance to agencies regarding major 
     incidents as of the date of enactment of the Federal 
     Information Security Modernization Act of 2024, the Director 
     shall develop, in coordination with the National Cyber 
     Director, and promulgate guidance on the definition of the 
     term `major incident' for the purposes of subchapter II and 
     this subchapter.
       ``(b) Requirements.--With respect to the guidance issued 
     under subsection (a), the definition of the term `major 
     incident' shall--
       ``(1) include, with respect to any information collected or 
     maintained by or on behalf of an agency or a Federal 
     information system--
       ``(A) any incident the head of the agency determines is 
     likely to result in demonstrable harm to--
       ``(i) the national security interests, foreign relations, 
     homeland security, or economic security of the United States; 
     or
       ``(ii) the civil liberties, public confidence, privacy, or 
     public health and safety of the people of the United States;
       ``(B) any incident the head of the agency determines likely 
     to result in an inability or substantial disruption for the 
     agency, a component of the agency, or the Federal Government, 
     to provide 1 or more critical services;
       ``(C) any incident the head of the agency determines 
     substantially disrupts or substantially degrades the 
     operations of a high value asset owned or operated by the 
     agency;
       ``(D) any incident involving the exposure to a foreign 
     entity of sensitive agency information, such as the 
     communications of the head of the agency, the head of a 
     component of the agency, or the direct reports of the head of 
     the agency or the head of a component of the agency; and
       ``(E) any other type of incident determined appropriate by 
     the Director;
       ``(2) stipulate that the National Cyber Director, in 
     consultation with the Director and the Director of the 
     Cybersecurity and Infrastructure Security Agency, may declare 
     a major incident at any agency, and such a declaration shall 
     be considered if it is determined that an incident--
       ``(A) occurs at not less than 2 agencies; and
       ``(B) is enabled by--
       ``(i) a common technical root cause, such as a supply chain 
     compromise, or a common software or hardware vulnerability; 
     or
       ``(ii) the related activities of a common threat actor;
       ``(3) stipulate that, in determining whether an incident 
     constitutes a major incident under the standards described in 
     paragraph (1), the head of the agency shall consult with the 
     National Cyber Director; and
       ``(4) stipulate that the mere report of a vulnerability 
     discovered or disclosed without a loss of confidentiality, 
     integrity, or availability shall not on its own constitute a 
     major incident.
       ``(c) Evaluation and Updates.--Not later than 60 days after 
     the date on which the Director first promulgates the guidance 
     required under subsection (a), and not less frequently than 
     once during the first 90 days of each evenly numbered 
     Congress thereafter, the Director shall provide to the 
     Committee on Homeland Security and Governmental Affairs of 
     the Senate and the Committees on Oversight and Accountability 
     and Homeland Security of the House of Representatives a 
     briefing that includes--
       ``(1) an evaluation of any necessary updates to the 
     guidance;
       ``(2) an evaluation of any necessary updates to the 
     definition of the term `major incident' included in the 
     guidance; and
       ``(3) an explanation of, and the analysis that led to, the 
     definition described in paragraph (2).''.
       (B) Clerical amendment.--The table of sections for chapter 
     35 of title 44, United States Code, is amended by adding at 
     the end the following:

            ``subchapter iv--federal system incident response

``3591. Definitions.
``3592. Notification of breach.
``3593. Congressional and executive branch reports on major incidents.
``3594. Government information sharing and incident response.
``3595. Responsibilities of contractors and awardees.
``3596. Training.
``3597. Analysis and report on Federal incidents.
``3598. Major incident definition.''.
       (b) Amendments to Subtitle III of Title 40.--
       (1) Modernizing government technology.--Subtitle G of title 
     X of division A of the National Defense Authorization Act for 
     Fiscal Year 2018 (40 U.S.C. 11301 note) is amended in section 
     1078--
       (A) by striking subsection (a) and inserting the following:
       ``(a) Definitions.--In this section:
       ``(1) Agency.--The term `agency' has the meaning given the 
     term in section 551 of title 5, United States Code.
       ``(2) High value asset.--The term `high value asset' has 
     the meaning given the term in section 3552 of title 44, 
     United States Code.'';
       (B) in subsection (b), by adding at the end the following:
       ``(8) Proposal evaluation.--The Director shall--
       ``(A) give consideration for the use of amounts in the Fund 
     to improve the security of high value assets; and
       ``(B) require that any proposal for the use of amounts in 
     the Fund includes, as appropriate, and which may be 
     incorporated into otherwise required project proposal 
     documentation--
       ``(i) cybersecurity risk management considerations; and
       ``(ii) a supply chain risk assessment in accordance with 
     section 1326 of title 41.''; and
       (C) in subsection (c)--
       (i) in paragraph (2)(A)(i), by inserting ``, including a 
     consideration of the impact on high value assets'' after 
     ``operational risks'';
       (ii) in paragraph (5)--

       (I) in subparagraph (A), by striking ``and'' at the end;
       (II) in subparagraph (B), by striking the period at the end 
     and inserting ``; and''; and
       (III) by adding at the end the following:

       ``(C) a senior official from the Cybersecurity and 
     Infrastructure Security Agency of the Department of Homeland 
     Security, appointed by the Director.''; and
       (iii) in paragraph (6)(A), by striking ``shall be--'' and 
     all that follows through ``4 employees'' and inserting 
     ``shall be 4 employees''.
       (2) Subchapter i.--Subchapter I of chapter 113 of subtitle 
     III of title 40, United States Code, is amended--
       (A) in section 11302--
       (i) in subsection (b), by striking ``use, security, and 
     disposal of'' and inserting ``use, and disposal of, and, in 
     consultation with the Director of the Cybersecurity and 
     Infrastructure Security Agency and the National Cyber 
     Director, promote and improve the security of,''; and
       (ii) in subsection (h), by inserting ``, including 
     cybersecurity performances,'' after ``the performances''; and
       (B) in section 11303(b)(2)(B)--
       (i) in clause (i), by striking ``or'' at the end;
       (ii) in clause (ii), by adding ``or'' at the end; and

[[Page S4365]]

       (iii) by adding at the end the following:
       ``(iii) whether the function should be performed by a 
     shared service offered by another executive agency;''.
       (3) Subchapter ii.--Subchapter II of chapter 113 of 
     subtitle III of title 40, United States Code, is amended--
       (A) in section 11312(a), by inserting ``, including 
     security risks'' after ``managing the risks'';
       (B) in section 11313(1), by striking ``efficiency and 
     effectiveness'' and inserting ``efficiency, security, and 
     effectiveness'';
       (C) in section 11317, by inserting ``security,'' before 
     ``or schedule''; and
       (D) in section 11319(b)(1), in the paragraph heading, by 
     striking ``cios'' and inserting ``chief information 
     officers''.
       (c) Actions to Enhance Federal Incident Transparency.--
       (1) Responsibilities of the cybersecurity and 
     infrastructure security agency.--
       (A) In general.--Not later than 180 days after the date of 
     enactment of this section, the Director of the Cybersecurity 
     and Infrastructure Security Agency shall--
       (i) develop a plan for the development, using systems in 
     place on the date of enactment of this section, of the 
     analysis required under section 3597(a) of title 44, United 
     States Code, as added by this section, and the report 
     required under subsection (b) of that section that includes--

       (I) a description of any challenges the Director of the 
     Cybersecurity and Infrastructure Security Agency anticipates 
     encountering; and
       (II) the use of automation and machine-readable formats for 
     collecting, compiling, monitoring, and analyzing data; and

       (ii) provide to the appropriate congressional committees a 
     briefing on the plan developed under clause (i).
       (B) Briefing.--Not later than 1 year after the date of 
     enactment of this section, the Director of the Cybersecurity 
     and Infrastructure Security Agency shall provide to the 
     appropriate congressional committees a briefing on--
       (i) the execution of the plan required under subparagraph 
     (A)(i); and
       (ii) the development of the report required under section 
     3597(b) of title 44, United States Code, as added by this 
     section.
       (2) Responsibilities of the director of the office of 
     management and budget.--
       (A) Updating fisma 2014.--Section 2 of the Federal 
     Information Security Modernization Act of 2014 (Public Law 
     113-283; 128 Stat. 3073) is amended--
       (i) by striking subsections (b) and (d); and
       (ii) by redesignating subsections (c), (e), and (f) as 
     subsections (b), (c), and (d), respectively.
       (B) Incident data sharing.--
       (i) In general.--The Director, in coordination with the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, shall develop, and as appropriate update, guidance, 
     on the content, timeliness, and format of the information 
     provided by agencies under section 3594(a) of title 44, 
     United States Code, as added by this section.
       (ii) Requirements.--The guidance developed under clause (i) 
     shall--

       (I) enable the efficient development of--

       (aa) lessons learned and recommendations in responding to, 
     recovering from, remediating, and mitigating future 
     incidents; and
       (bb) the report on Federal incidents required under section 
     3597(b) of title 44, United States Code, as added by this 
     section; and

       (II) include requirements for the timeliness of data 
     production.

       (iii) Automation.--The Director, in coordination with the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, shall promote, as feasible, the use of automation and 
     machine-readable data for data sharing under section 3594(a) 
     of title 44, United States Code, as added by this section.
       (C) Contractor and awardee guidance.--
       (i) In general.--Not later than 1 year after the date of 
     enactment of this section, the Director shall issue guidance 
     to agencies on how to deconflict, to the greatest extent 
     practicable, existing regulations, policies, and procedures 
     relating to the responsibilities of contractors and awardees 
     established under section 3595 of title 44, United States 
     Code, as added by this section.
       (ii) Existing processes.--To the greatest extent 
     practicable, the guidance issued under clause (i) shall allow 
     contractors and awardees to use existing processes for 
     notifying agencies of incidents involving information of the 
     Federal Government.
       (3) Update to the privacy act of 1974.--Section 552a(b) of 
     title 5, United States Code (commonly known as the ``Privacy 
     Act of 1974'') is amended--
       (A) in paragraph (11), by striking ``or'' at the end;
       (B) in paragraph (12), by striking the period at the end 
     and inserting ``; or''; and
       (C) by adding at the end the following:
       ``(13) to another agency, to the extent necessary, to 
     assist the recipient agency in responding to an incident (as 
     defined in section 3552 of title 44) or breach (as defined in 
     section 3591 of title 44) or to fulfill the information 
     sharing requirements under section 3594 of title 44.''.
       (d) Agency Requirements to Notify Private Sector Entities 
     Impacted by Incidents.--
       (1) Guidance on notification of reporting entities.--Not 
     later than 1 year after the date of enactment of this 
     section, the Director shall develop, in consultation with the 
     National Cyber Director, and issue guidance requiring the 
     head of each agency to notify a reporting entity in an 
     appropriate and timely manner, and take into consideration 
     the need to coordinate with Sector Risk Management Agencies 
     (as defined in section 2200 of the Homeland Security Act of 
     2002 (6 U.S.C. 650)), as appropriate, of an incident at the 
     agency that is likely to substantially affect--
       (A) the confidentiality or integrity of sensitive 
     information submitted by the reporting entity to the agency 
     pursuant to a statutory or regulatory requirement; or
       (B) any information system (as defined in section 3502 of 
     title 44, United States Code) used in the transmission or 
     storage of the sensitive information described in 
     subparagraph (A).
       (2) Definitions.--In this subsection:
       (A) Reporting entity.--The term ``reporting entity'' means 
     a private organization or governmental unit that is required 
     by statute or regulation to submit sensitive information to 
     an agency.
       (B) Sensitive information.--The term ``sensitive 
     information'' has the meaning given the term by the Director 
     in guidance issued under paragraph (1).
       (e) Federal Penetration Testing Policy.--
       (1) In general.--Subchapter II of chapter 35 of title 44, 
     United States Code, is amended by adding at the end the 
     following:

     ``Sec. 3559A. Federal penetration testing

       ``(a) Guidance.--The Director, in consultation with the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency, shall issue guidance to agencies that--
       ``(1) requires agencies to perform penetration testing on 
     information systems, as appropriate, including on high value 
     assets;
       ``(2) provides policies governing the development of--
       ``(A) rules of engagement for using penetration testing; 
     and
       ``(B) procedures to use the results of penetration testing 
     to improve the cybersecurity and risk management of the 
     agency;
       ``(3) ensures that operational support or a shared service 
     is available; and
       ``(4) in no manner restricts the authority of the Secretary 
     of Homeland Security or the Director of the Cybersecurity and 
     Infrastructure Security Agency to conduct threat hunting 
     pursuant to section 3553, or penetration testing under this 
     chapter.
       ``(b) Exception for National Security Systems.--The 
     guidance issued under subsection (a) shall not apply to 
     national security systems.
       ``(c) Delegation of Authority for Certain Systems.--The 
     authorities of the Director described in subsection (a) shall 
     be delegated to--
       ``(1) the Secretary of Defense in the case of a system 
     described in section 3553(e)(2); and
       ``(2) the Director of National Intelligence in the case of 
     a system described in section 3553(e)(3).''.
       (2) Existing guidance.--
       (A) In general.--Compliance with guidance issued by the 
     Director relating to penetration testing before the date of 
     enactment of this section shall be deemed to be compliant 
     with section 3559A of title 44, United States Code, as added 
     by this section.
       (B) Immediate new guidance not required.--Nothing in 
     section 3559A of title 44, United States Code, as added by 
     this section, shall be construed to require the Director to 
     issue new guidance to agencies relating to penetration 
     testing before the date described in clause (iii).
       (C) Guidance updates.--Notwithstanding clauses (i) and 
     (ii), not later than 2 years after the date of enactment of 
     this section, the Director shall review and, as appropriate, 
     update existing guidance requiring penetration testing by 
     agencies.
       (3) Clerical amendment.--The table of sections for chapter 
     35 of title 44, United States Code, is amended by adding 
     after the item relating to section 3559 the following:

``3559A. Federal penetration testing.''.
       (4) Penetration testing by the secretary of homeland 
     security.--Section 3553(b) of title 44, United States Code, 
     as amended by this section, is further amended by inserting 
     after paragraph (8) the following:
       ``(9) performing penetration testing that may leverage 
     manual expert analysis to identify threats and 
     vulnerabilities within information systems--
       ``(A) without consent or authorization from agencies; and
       ``(B) with prior consultation with the head of the agency 
     at least 72 hours in advance of such testing;''.
       (f) Vulnerability Disclosure Policies.--
       (1) In general.--Chapter 35 of title 44, United States 
     Code, is amended by inserting after section 3559A, as added 
     by this section, the following:

     ``Sec. 3559B. Federal vulnerability disclosure policies

       ``(a) Purpose; Sense of Congress.--
       ``(1) Purpose.--The purpose of Federal vulnerability 
     disclosure policies is to create a mechanism to enable the 
     public to inform agencies of vulnerabilities in Federal 
     information systems.
       ``(2) Sense of congress.--It is the sense of Congress that, 
     in implementing the requirements of this section, the Federal 
     Government should take appropriate steps to reduce real and 
     perceived burdens in communications between agencies and 
     security researchers.
       ``(b) Definitions.--In this section:

[[Page S4366]]

       ``(1) Contractor.--The term `contractor' has the meaning 
     given the term in section 3591.
       ``(2) Internet of things.--The term `internet of things' 
     has the meaning given the term in Special Publication 800-213 
     of the National Institute of Standards and Technology, 
     entitled `IoT Device Cybersecurity Guidance for the Federal 
     Government: Establishing IoT Device Cybersecurity 
     Requirements', or any successor document.
       ``(3) Security vulnerability.--The term `security 
     vulnerability' has the meaning given the term in section 102 
     of the Cybersecurity Information Sharing Act of 2015 (6 
     U.S.C. 1501).
       ``(4) Submitter.--The term `submitter' means an individual 
     that submits a vulnerability disclosure report pursuant to 
     the vulnerability disclosure process of an agency.
       ``(5) Vulnerability disclosure report.--The term 
     `vulnerability disclosure report' means a disclosure of a 
     security vulnerability made to an agency by a submitter.
       ``(c) Guidance.--The Director shall issue guidance to 
     agencies that includes--
       ``(1) use of the information system security 
     vulnerabilities disclosure process guidelines established 
     under section 4(a)(1) of the IoT Cybersecurity Improvement 
     Act of 2020 (15 U.S.C. 278g-3b(a)(1));
       ``(2) direction to not recommend or pursue legal action 
     against a submitter or an individual that conducts a security 
     research activity that--
       ``(A) represents a good faith effort to identify and report 
     security vulnerabilities in information systems; or
       ``(B) otherwise represents a good faith effort to follow 
     the vulnerability disclosure policy of the agency developed 
     under subsection (f)(2);
       ``(3) direction on sharing relevant information in a 
     consistent, automated, and machine-readable manner with the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency;
       ``(4) the minimum scope of agency systems required to be 
     covered by the vulnerability disclosure policy of an agency 
     required under subsection (f)(2), including exemptions under 
     subsection (g);
       ``(5) requirements for providing information to the 
     submitter of a vulnerability disclosure report on the 
     resolution of the vulnerability disclosure report;
       ``(6) a stipulation that the mere identification by a 
     submitter of a security vulnerability, without a significant 
     compromise of confidentiality, integrity, or availability, 
     does not constitute a major incident; and
       ``(7) the applicability of the guidance to internet of 
     things devices owned or controlled by an agency.
       ``(d) Consultation.--In developing the guidance required 
     under subsection (c)(3), the Director shall consult with the 
     Director of the Cybersecurity and Infrastructure Security 
     Agency.
       ``(e) Responsibilities of CISA.--The Director of the 
     Cybersecurity and Infrastructure Security Agency shall--
       ``(1) provide support to agencies with respect to the 
     implementation of the requirements of this section;
       ``(2) develop tools, processes, and other mechanisms 
     determined appropriate to offer agencies capabilities to 
     implement the requirements of this section;
       ``(3) upon a request by an agency, assist the agency in the 
     disclosure to vendors of newly identified security 
     vulnerabilities in vendor products and services; and
       ``(4) as appropriate, implement the requirements of this 
     section, in accordance with the authority under section 
     3553(b)(8), as a shared service available to agencies.
       ``(f) Responsibilities of Agencies.--
       ``(1) Public information.--The head of each agency shall 
     make publicly available, with respect to each internet domain 
     under the control of the agency that is not a national 
     security system and to the extent consistent with the 
     security of information systems but with the presumption of 
     disclosure--
       ``(A) an appropriate security contact; and
       ``(B) the component of the agency that is responsible for 
     the internet accessible services offered at the domain.
       ``(2) Vulnerability disclosure policy.--The head of each 
     agency shall develop and make publicly available a 
     vulnerability disclosure policy for the agency, which shall--
       ``(A) describe--
       ``(i) the scope of the systems of the agency included in 
     the vulnerability disclosure policy, including for internet 
     of things devices owned or controlled by the agency;
       ``(ii) the type of information system testing that is 
     authorized by the agency;
       ``(iii) the type of information system testing that is not 
     authorized by the agency;
       ``(iv) the disclosure policy for a contractor; and
       ``(v) the disclosure policy of the agency for sensitive 
     information;
       ``(B) with respect to a vulnerability disclosure report to 
     an agency, describe--
       ``(i) how the submitter should submit the vulnerability 
     disclosure report; and
       ``(ii) if the report is not anonymous, when the reporter 
     should anticipate an acknowledgment of receipt of the report 
     by the agency;
       ``(C) include any other relevant information; and
       ``(D) be mature in scope and cover every internet 
     accessible information system used or operated by that agency 
     or on behalf of that agency.
       ``(3) Identified security vulnerabilities.--The head of 
     each agency shall--
       ``(A) consider security vulnerabilities reported in 
     accordance with paragraph (2);
       ``(B) commensurate with the risk posed by the security 
     vulnerability, address such security vulnerability using the 
     security vulnerability management process of the agency; and
       ``(C) in accordance with subsection (c)(5), provide 
     information to the submitter of a vulnerability disclosure 
     report.
       ``(g) Exemptions.--
       ``(1) In general.--The Director and the head of each agency 
     shall carry out this section in a manner consistent with the 
     protection of national security information.
       ``(2) Limitation.--The Director and the head of each agency 
     may not publish under subsection (f)(1) or include in a 
     vulnerability disclosure policy under subsection (f)(2) host 
     names, services, information systems, or other information 
     that the Director or the head of an agency, in coordination 
     with the Director and other appropriate heads of agencies, 
     determines would--
       ``(A) disrupt a law enforcement investigation;
       ``(B) endanger national security or intelligence 
     activities; or
       ``(C) impede national defense activities or military 
     operations.
       ``(3) National security systems.--This section shall not 
     apply to national security systems.
       ``(h) Delegation of Authority for Certain Systems.--The 
     authorities of the Director and the Director of the 
     Cybersecurity and Infrastructure Security Agency described in 
     this section shall be delegated--
       ``(1) to the Secretary of Defense in the case of systems 
     described in section 3553(e)(2); and
       ``(2) to the Director of National Intelligence in the case 
     of systems described in section 3553(e)(3).
       ``(i) Revision of Federal Acquisition Regulation.--The 
     Federal Acquisition Regulation shall be revised as necessary 
     to implement the provisions under this section.''.
       (2) Existing guidance and policies.--
       (A) In general.--Compliance with guidance issued by the 
     Director relating to vulnerability disclosure policies before 
     the date of enactment of this section shall be deemed to be 
     compliance with section 3559B of title 44, United States 
     Code, as added by this section.
       (B) Immediate new guidance not required.--Nothing in 
     section 3559B of title 44, United States Code, as added by 
     this title, shall be construed to require the Director to 
     issue new guidance to agencies relating to vulnerability 
     disclosure policies before the date described in paragraph 
     (4).
       (C) Immediate new policies not required.--Nothing in 
     section 3559B of title 44, United States Code, as added by 
     this title, shall be construed to require the head of any 
     agency to issue new policies relating to vulnerability 
     disclosure policies before the issuance of any updated 
     guidance under paragraph (4).
       (D) Guidance update.--Notwithstanding paragraphs (1), (2), 
     and (3), not later than 4 years after the date of enactment 
     of this section, the Director shall review and, as 
     appropriate, update existing guidance relating to 
     vulnerability disclosure policies.
       (3) Clerical amendment.--The table of sections for chapter 
     35 of title 44, United States Code, is amended by adding 
     after the item relating to section 3559A, as added by this 
     section, the following:

``3559B. Federal vulnerability disclosure policies.''.
       (4) Conforming update and repeal.--
       (A) Guidelines on the disclosure process for security 
     vulnerabilities relating to information systems, including 
     internet of things devices.--Section 5 of the IoT 
     Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-3c) is 
     amended by striking subsections (d) and (e).
       (B) Implementation and contractor compliance.--The IoT 
     Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-3a et 
     seq.) is amended--
       (i) by striking section 6 (15 U.S.C. 278g-3d); and
       (ii) by striking section 7 (15 U.S.C. 278g-3e).
       (g) Implementing Zero Trust Architecture.--
       (1) Briefings.--Not later than 1 year after the date of 
     enactment of this section, the Director shall provide to the 
     Committee on Homeland Security and Governmental Affairs of 
     the Senate and the Committees on Oversight and Accountability 
     and Homeland Security of the House of Representatives a 
     briefing on progress in increasing the internal defenses of 
     agency systems, including--
       (A) shifting away from trusted networks to implement 
     security controls based on a presumption of compromise, 
     including through the transition to zero trust architecture;
       (B) implementing principles of least privilege in 
     administering information security programs;
       (C) limiting the ability of entities that cause incidents 
     to move laterally through or between agency systems;
       (D) identifying incidents quickly;
       (E) isolating and removing unauthorized entities from 
     agency systems as quickly as practicable, accounting for 
     intelligence or law enforcement purposes; and
       (F) otherwise increasing the resource costs for entities 
     that cause incidents to be successful.

[[Page S4367]]

       (2) Progress report.--As a part of each report required to 
     be submitted under section 3553(c) of title 44, United States 
     Code, during the period beginning on the date that is 4 years 
     after the date of enactment of this section and ending on the 
     date that is 10 years after the date of enactment of this 
     section, the Director shall include an update on agency 
     implementation of zero trust architecture, which shall 
     include--
       (A) a description of steps agencies have completed, 
     including progress toward achieving any requirements issued 
     by the Director, including the adoption of any models or 
     reference architecture;
       (B) an identification of activities that have not yet been 
     completed and that would have the most immediate security 
     impact; and
       (C) a schedule to implement any planned activities.
       (3) Classified annex.--Each update required under paragraph 
     (2) may include 1 or more annexes that contain classified or 
     other sensitive information, as appropriate.
       (4) National security systems.--
       (A) Briefing.--Not later than 1 year after the date of 
     enactment of this section, the Secretary of Defense shall 
     provide to the Committee on Homeland Security and 
     Governmental Affairs of the Senate, the Committee on 
     Oversight and Accountability of the House of Representatives, 
     the Committee on Armed Services of the Senate, the Committee 
     on Armed Services of the House of Representatives, the Select 
     Committee on Intelligence of the Senate, and the Permanent 
     Select Committee on Intelligence of the House of 
     Representatives a briefing on the implementation of zero 
     trust architecture with respect to national security systems.
       (B) Progress report.--Not later than the date on which each 
     update is required to be submitted under paragraph (2), the 
     Secretary of Defense shall submit to the congressional 
     committees described in subparagraph (A) a progress report on 
     the implementation of zero trust architecture with respect to 
     national security systems.
       (h) Automation and Artificial Intelligence.--
       (1) Use of artificial intelligence.--
       (A) In general.--As appropriate, the Director shall issue 
     guidance on the use of artificial intelligence by agencies to 
     improve the cybersecurity of information systems.
       (B) Considerations.--The Director and head of each agency 
     shall consider the use and capabilities of artificial 
     intelligence systems in furtherance of the cybersecurity of 
     information systems.
       (C) Report.--Not later than 1 year after the date of 
     enactment of this section, and annually thereafter until the 
     date that is 5 years after the date of enactment of this 
     section, the Director shall submit to the appropriate 
     congressional committees a report on the use of artificial 
     intelligence to further the cybersecurity of information 
     systems.
       (2) Comptroller general reports.--
       (A) In general.--Not later than 2 years after the date of 
     enactment of this section, the Comptroller General of the 
     United States shall submit to the appropriate congressional 
     committees a report on the risks to the privacy of 
     individuals and the cybersecurity of information systems 
     associated with the use by Federal agencies of artificial 
     intelligence systems or capabilities.
       (B) Study.--Not later than 2 years after the date of 
     enactment of this section, the Comptroller General of the 
     United States shall perform a study, and submit to the 
     Committees on Homeland Security and Governmental Affairs and 
     Commerce, Science, and Transportation of the Senate and the 
     Committees on Oversight and Accountability, Homeland 
     Security, and Science, Space, and Technology of the House of 
     Representatives a report, on the use of automation, 
     artificial intelligence, including generative artificial 
     intelligence, and machine-readable data across the Federal 
     Government for cybersecurity purposes, including--
       (i) the automated updating of cybersecurity tools, sensors, 
     or processes employed by agencies under paragraphs (1), 
     (5)(C), and (8)(B) of section 3554(b) of title 44, United 
     States Code, as amended by this section; and
       (ii) to combat social engineering attacks.
       (3) Information system defined.--In this subsection, the 
     term ``information system'' has the meaning given the term in 
     section 3502 of title 44, United States Code.
       (i) Federal Cybersecurity Requirements.--
       (1) Codifying federal cybersecurity requirements in title 
     44.--
       (A) Amendment to federal cybersecurity enhancement act of 
     2015.--Section 225 of the Federal Cybersecurity Enhancement 
     Act of 2015 (6 U.S.C. 1523) is amended by striking 
     subsections (b) and (c).
       (B) Title 44.--Section 3554 of title 44, United States 
     Code, as amended by this section, is further amended by 
     adding at the end the following:
       ``(f) Specific Cybersecurity Requirements at Agencies.--
       ``(1) In general.--Consistent with policies, standards, 
     guidelines, and directives on information security under this 
     subchapter, and except as provided under paragraph (3), the 
     head of each agency shall--
       ``(A) identify sensitive and mission critical data stored 
     by the agency consistent with the inventory required under 
     section 3505(c);
       ``(B) assess access controls to the data described in 
     subparagraph (A), the need for readily accessible storage of 
     the data, and the need of individuals to access the data;
       ``(C) encrypt or otherwise render indecipherable to 
     unauthorized users the data described in subparagraph (A) 
     that is stored on or transiting agency information systems;
       ``(D) implement identity and access management systems to 
     ensure the security of Federal information systems and 
     protect agency records and data from fraud resulting from the 
     misrepresentation of identity or identity theft, including--
       ``(i) a single sign-on trusted identity platform for 
     individuals accessing each public website of the agency that 
     requires, at a minimum, user authentication and verification 
     services consistent with applicable law and guidance issued 
     by the Director of the Office of Management and Budget who 
     shall consider any applicable standard or guideline developed 
     by the National Institute of Standards and Technology, which 
     may be one developed by the Administrator of General Services 
     in consultation with the Director of the Office of Management 
     and Budget; and
       ``(ii) multi-factor authentication, consistent with 
     guidance issued by the Director of the Office of Management 
     and Budget who shall consider any applicable standard or 
     guideline developed by the National Institute of Standards 
     and Technology, for--

       ``(I) remote access to an information system; and
       ``(II) each user account with elevated privileges on an 
     information system.

       ``(2) Prohibition.--
       ``(A) Definition.--In this paragraph, the term `internet of 
     things' has the meaning given the term in section 3559B.
       ``(B) Prohibition.--Consistent with policies, standards, 
     guidelines, and directives on information security under this 
     subchapter, and except as provided under paragraph (3), the 
     head of an agency may not procure, obtain, renew a contract 
     to procure or obtain in any amount, notwithstanding section 
     1905 of title 41, or use an internet of things device if the 
     Chief Information Officer of the agency determines during a 
     review required under section 11319(b)(1)(C) of title 40 of a 
     contract for an internet of things device that the use of the 
     device prevents compliance with the standards and guidelines 
     developed under section 4 of the IoT Cybersecurity 
     Improvement Act (15 U.S.C. 278g-3b) with respect to the 
     device.
       ``(3) Exceptions.--
       ``(A) In general.--The requirements under subparagraphs 
     (A), (B), (C), and (D)(ii) of paragraph (1) shall not apply 
     to an information system for which the head of the agency, 
     without delegation, has--
       ``(i) certified to the Director with particularity that--

       ``(I) operational requirements articulated in the 
     certification and related to the information system would 
     make it excessively burdensome to implement the cybersecurity 
     requirement;
       ``(II) the cybersecurity requirement is not necessary to 
     secure the information system or agency information stored on 
     or transiting it; and
       ``(III) the agency has taken all necessary steps to secure 
     the information system and agency information stored on or 
     transiting it; and

       ``(ii) submitted the certification described in clause (i) 
     to the appropriate congressional committees and the 
     authorizing committees of the agency.
       ``(B) Identity management platform waiver.--The head of an 
     agency shall be in compliance with the requirement under 
     paragraph (1)(D)(i) with respect to implementing a single 
     sign-on trusted identity system or platform other than one 
     developed by the Administrator of General Services as 
     described under paragraph (1)(D)(i) if the head of the 
     agency--
       ``(i) without delegation--

       ``(I) has certified to the Director that the alternative 
     system or platform, including a procured system or platform, 
     conforms with applicable security and privacy requirements of 
     this subchapter and guidance issued by the Director, at least 
     30 days before use of the system or platform; or
       ``(II) with regard to a system or platform in use as of the 
     date of enactment of this subsection, the head of the agency 
     provides such certification to the Director within 60 days 
     after the date of enactment of this subsection;

       ``(ii) has received a written waiver from the Director in 
     response to the request submitted under clause (i); and
       ``(iii) has submitted the certification described in clause 
     (i) and the waiver described in clause (ii) to the 
     appropriate congressional committees and the authorizing 
     committees of the agency.
       ``(4) Duration of certification.--
       ``(A) In general.--A certification and corresponding 
     exemption of an agency under paragraph (3) shall expire on 
     the date that is 4 years after the date on which the head of 
     the agency submits the certification under paragraph (3).
       ``(B) Renewal.--Upon the expiration of a certification of 
     an agency under paragraph (3), the head of the agency may 
     submit an additional certification in accordance with that 
     paragraph.
       ``(5) Presumption of adequacy.--A FedRAMP authorization 
     issued pursuant to chapter 36 of title 44 shall be presumed 
     adequate to fulfill the requirements under subparagraphs (A) 
     through (C) of paragraph (1) with respect to an agency 
     authorization to operate cloud computing products and 
     services if such presumption of adequacy does not alter or 
     modify--
       ``(A) the responsibility of any agency to ensure compliance 
     with this subchapter for

[[Page S4368]]

     any cloud computing product or service used by the agency; or
       ``(B) the authority of the head of any agency to make a 
     determination that there is a demonstrable need to include 
     additional security controls beyond those included in a 
     FedRAMP authorization package for a particular cloud 
     computing product or service.
       ``(6) Rules of construction.--Nothing in this subsection 
     shall be construed--
       ``(A) to alter the authority of the Secretary, the 
     Director, or the Director of the National Institute of 
     Standards and Technology in implementing subchapter II of 
     this title;
       ``(B) to affect the standards or process of the National 
     Institute of Standards and Technology;
       ``(C) to affect the requirement under section 3553(a)(4);
       ``(D) to discourage continued improvements and advancements 
     in the technology, standards, policies, and guidelines used 
     to promote Federal information security; or
       ``(E) to affect the requirements under subchapter III.
       ``(g) Exception.--
       ``(1) National security system requirements.--The 
     requirements under subsection (f)(1) shall not apply to--
       ``(A) a national security system; or
       ``(B) an information system described in paragraph (2) or 
     (3) of section 3553(e)(2).
       ``(2) Prohibition.--The prohibition under subsection (f)(2) 
     shall not apply to--
       ``(A) necessary in the interest of national security;
       ``(B) national security systems; or
       ``(C) a procured internet of things device described in 
     subsection (f)(2)(B) that the Chief Information Officer of an 
     agency determines is--
       ``(i) necessary for research purposes;
       ``(ii) necessary in the interest of national security; or
       ``(iii) secured using alternative and effective methods 
     appropriate to the function of the internet of things 
     device.''.
       (2) Report on exemptions.--Section 3554(c)(1) of title 44, 
     United States Code, as amended by this section, is further 
     amended--
       (A) in subparagraph (C), by striking ``and'' at the end;
       (B) in subparagraph (D), by striking the period at the end 
     and inserting ``; and''; and
       (C) by adding at the end the following:
       ``(E) with respect to any exemption from the requirements 
     of subsection (f)(3) that is effective on the date of 
     submission of the report, includes the number of information 
     systems that have received an exemption from those 
     requirements.''.
       (3) Guidance for identity management systems used by 
     agencies.--Not later than 1 year after the date of enactment 
     of this section, the Director of the Office of Management and 
     Budget, in consultation with the Director of the National 
     Institute of Standards and Technology, shall issue, and 
     routinely update thereafter, guidance for agencies to 
     implement identity management systems and a single sign-on 
     trusted identity platform as required under section 
     3554(f)(1)(D)(i) of title 44, United States Code, as amended 
     by this section, which shall at a minimum, include the 
     following:
       (A) Requirements for agencies to routinely certify that 
     such systems are in compliance with this guidance.
       (B) Requirements for agencies to routinely verify and 
     certify that information stored on or transiting through a 
     commercially available product (as defined in section 103 of 
     title 41, United States Code) or commercial service (as 
     defined in section 103a of title 41, United States Code) used 
     to fulfil such requirements is appropriately secured in 
     conformity with subchapter II of chapter 35 of title 44, 
     United States Code.
       (C) Address national security concerns and requirements to 
     ensure the protection of sensitive personal records and 
     biometric data of United States persons from malign foreign 
     ownership, control, or influence and fraud actors.
       (D) Requirements or guidelines to comply with section 3 of 
     the 21st Century Idea Act (44 U.S.C. 3501 note).
       (E) Requirements to prevent discrimination in violation of 
     title VI of the Civil Rights Act of 1964 (42 U.S.C. 2000d et 
     seq.).
       (F) A description of the information necessary to be 
     submitted under the exception described in section 
     3554(f)(3)(B) of title 44, United States Code, as amended by 
     this section.
       (4) GAO evaluation of technical capability of identity 
     management systems and platforms.--Not less frequently than 
     every 3 years for the next 6 years after the date of the 
     enactment of this section, the Comptroller General shall 
     submit to the appropriate congressional committees a report 
     on whether the single sign-on trusted identity systems and 
     platforms used by agencies or the one developed by the 
     General Services Administration under section 3554(f)(D)(i) 
     of title 44, United States Code, as amended by this section, 
     adhere to the information security requirements of chapter 35 
     of title 44, United States Code, guidance issued under 
     subparagraph (C), and relevant identity management technical 
     standards promulgated by the National Institute of Standards 
     and Technology, as appropriate, including section 504 of the 
     Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7464).
       (5) Duration of certification effective date.--Paragraph 
     (3) of section 3554(f) of title 44, United States Code, as 
     added by this section, shall take effect on the date that is 
     1 year after the date of enactment of this section.
       (6) Federal cybersecurity enhancement act of 2015 update.--
     Section 222(3)(B) of the Federal Cybersecurity Enhancement 
     Act of 2015 (6 U.S.C. 1521(3)(B)) is amended by inserting 
     ``and the Committee on Oversight and Accountability'' before 
     ``of the House of Representatives''.
       (j) Federal Chief Information Security Officer.--
       (1) Amendment.--Chapter 36 of title 44, United States Code, 
     is amended by adding at the end the following:

     ``Sec. 3617. Federal Chief Information Security Officer

       ``(a) Establishment.--There is established a Federal Chief 
     Information Security Officer, who shall serve in--
       ``(1) the Office of the Federal Chief Information Officer 
     of the Office of Management and Budget; and
       ``(2) the Office of the National Cyber Director.
       ``(b) Appointment.--The Federal Chief Information Security 
     Officer shall be appointed by the President.
       ``(c) OMB Duties.--The Federal Chief Information Security 
     Officer shall report to the Federal Chief Information Officer 
     and assist the Federal Chief Information Officer in carrying 
     out--
       ``(1) every function under this chapter;
       ``(2) every function assigned to the Director under title 
     II of the E-Government Act of 2002 (44 U.S.C. 3501 note; 
     Public Law 107-347);
       ``(3) other electronic government initiatives consistent 
     with other statutes; and
       ``(4) other Federal cybersecurity initiatives determined by 
     the Federal Chief Information Officer.
       ``(d) Additional Duties.--The Federal Chief Information 
     Security Officer shall--
       ``(1) support the Federal Chief Information Officer in 
     overseeing and implementing Federal cybersecurity under the 
     E-Government Act of 2002 (Public Law 107-347; 116 Stat. 2899) 
     and other relevant statutes in a manner consistent with law; 
     and
       ``(2) perform every function assigned to the Director under 
     sections 1321 through 1328 of title 41, United States Code.
       ``(e) Coordination With ONCD.--The Federal Chief 
     Information Security Officer shall support initiatives 
     determined by the Federal Chief Information Officer necessary 
     to coordinate with the Office of the National Cyber 
     Director.''.
       (2) National cyber director duties.--Section 1752 of the 
     William M. (Mac) Thornberry National Defense Authorization 
     Act for Fiscal Year 2021 (6 U.S.C. 1500) is amended--
       (A) by redesignating subsection (g) as subsection (h); and
       (B) by inserting after subsection (f) the following:
       ``(g) Senior Federal Cybersecurity Officer.--The Federal 
     Chief Information Security Officer appointed by the President 
     under section 3617 of title 44, United States Code, shall be 
     a senior official within the Office and carry out duties 
     applicable to the protection of information technology (as 
     defined in section 11101 of title 40, United States Code), 
     including initiatives determined by the Director necessary to 
     coordinate with the Office of the Federal Chief Information 
     Officer.''.
       (3) Treatment of incumbent.--The individual serving as the 
     Federal Chief Information Security Officer appointed by the 
     President as of the date of enactment of this Act may serve 
     as the Federal Chief Information Security Officer under 
     section 3617 of title 44, United States Code, as added by 
     this section, beginning on the date of enactment of this 
     section, without need for a further or additional appointment 
     under such section.
       (4) Clerical amendment.--The table of sections for chapter 
     36 of title 44, United States Code, is amended by adding at 
     the end the following:

``3617. Federal Chief Information Security Officer.''.
       (k) Renaming Office of the Federal Chief Information 
     Officer.--
       (1) Definitions.--
       (A) In general.--Section 3601 of title 44, United States 
     Code, is amended--
       (i) by striking paragraph (1); and
       (ii) by redesignating paragraphs (2) through (8) as 
     paragraphs (1) through (7), respectively.
       (B) Conforming amendments.--
       (i) Title 10.--Section 2222(i)(6) of title 10, United 
     States Code, is amended by striking ``section 3601(4)'' and 
     inserting ``section 3601''.
       (ii) National security act of 1947.--Section 506D(k)(1) of 
     the National Security Act of 1947 (50 U.S.C. 3100(k)(1)) is 
     amended by striking ``section 3601(4)'' and inserting 
     ``section 3601''.
       (2) Office of electronic government.--Section 3602 of title 
     44, United States Code, is amended--
       (A) in the heading, by striking ``Office of Electronic 
     Government'' and inserting ``Office of the Federal Chief 
     Information Officer'';
       (B) in subsection (a), by striking ``Office of Electronic 
     Government'' and inserting ``Office of the Federal Chief 
     Information Officer'';
       (C) in subsection (b), by striking ``an Administrator'' and 
     inserting ``a Federal Chief Information Officer'';
       (D) in subsection (c), in the matter preceding paragraph 
     (1), by striking ``The Administrator'' and inserting ``The 
     Federal Chief Information Officer'';
       (E) in subsection (d), in the matter preceding paragraph 
     (1), by striking ``The Administrator'' and inserting ``The 
     Federal Chief Information Officer'';
       (F) in subsection (e), in the matter preceding paragraph 
     (1), by striking ``The Administrator'' and inserting ``The 
     Federal Chief Information Officer'';
       (G) in subsection (f)--
       (i) in the matter preceding paragraph (1), by striking 
     ``the Administrator'' and inserting ``the Federal Chief 
     Information Officer'';
       (ii) in paragraph (16), by striking ``the Office of 
     Electronic Government'' and inserting ``the Office of the 
     Federal Chief Information Officer''; and
       (iii) in paragraph (17), by striking ``E-Government'' and 
     inserting ``annual''; and
       (H) in subsection (g), by striking ``the Office of 
     Electronic Government'' and inserting ``the Office of the 
     Federal Chief Information Officer''.
       (3) Chief information officers council.--Section 3603 of 
     title 44, United States Code, is amended--
       (A) in subsection (b)(2), by striking ``The Administrator 
     of the Office of Electronic Government'' and inserting ``The 
     Federal Chief Information Officer'';
       (B) in subsection (c)(1), by striking ``The Administrator 
     of the Office of Electronic Government'' and inserting ``The 
     Federal Chief Information Officer''; and
       (C) in subsection (f)--
       (i) in paragraph (3), by striking ``the Administrator'' and 
     inserting ``the Federal Chief Information Officer''; and
       (ii) in paragraph (5), by striking ``the Administrator'' 
     and inserting ``the Federal Chief Information Officer''.
       (4) E-Government fund.--Section 3604 of title 44, United 
     States Code, is amended--
       (A) in subsection (a)(2), by striking ``the Administrator 
     of the Office of Electronic Government'' and inserting ``the 
     Federal Chief Information Officer'';
       (B) in subsection (b), by striking ``Administrator'' each 
     place it appears and inserting ``Federal Chief Information 
     Officer''; and
       (C) in subsection (c), in the matter preceding paragraph 
     (1), by striking ``the Administrator'' and inserting ``the 
     Federal Chief Information Officer''.
       (5) Program to encourage innovative solutions to enhance 
     electronic government services and processes.--Section 3605 
     of title 44, United States Code, is amended--
       (A) in subsection (a), by striking ``The Administrator'' 
     and inserting ``The Federal Chief Information Officer'';
       (B) in subsection (b), by striking ``, the Administrator,'' 
     and inserting ``, the Federal Chief Information Officer,''; 
     and
       (C) in subsection (c)(1)--
       (i) by striking ``The Administrator'' and inserting ``The 
     Federal Chief Information Officer''; and
       (ii) by striking ``proposals submitted to the 
     Administrator'' and inserting ``proposals submitted to the 
     Federal Chief Information Officer'';
       (D) in subsection (c)(2)(B), by striking ``the 
     Administrator'' and inserting ``the Federal Chief Information 
     Officer''; and
       (E) in subsection (c)(4), by striking ``the Administrator'' 
     and inserting ``the Federal Chief Information Officer''.
       (6) E-Government report.--Section 3606 of title 44, United 
     States Code, is amended--
       (A) in the section heading by striking ``E-Government'' and 
     inserting ``Annual'';
       (B) in subsection (a), by striking ``E-Government'' and 
     inserting ``annual''; and
       (C) in subsection (b)(1), by striking ``202(f)'' and 
     inserting ``202(g)''.
       (7) Treatment of incumbent.--The individual serving as the 
     Administrator of the Office of Electronic Government under 
     section 3602 of title 44, United States Code, as of the date 
     of enactment of this Act, may continue to serve as the 
     Federal Chief Information Officer commencing as of that date, 
     without need for a further or additional appointment under 
     such section.
       (8) Technical and conforming amendments.--The table of 
     sections for chapter 36 of title 44, United States Code, is 
     amended--
       (A) by striking the item relating to section 3602 and 
     inserting the following:

``3602. Office of the Federal Chief Information Officer.'';
     and
       (B) in the item relating to section 3606, by striking ``E-
     Government'' and inserting ``Annual''.
       (9) References.--
       (A) Administrator.--Any reference to the Administrator of 
     the Office of Electronic Government in any law, regulation, 
     map, document, record, or other paper of the United States 
     shall be deemed to be a reference to the Federal Chief 
     Information Officer.
       (B) Office of electronic government.--Any reference to the 
     Office of Electronic Government in any law, regulation, map, 
     document, record, or other paper of the United States shall 
     be deemed to be a reference to the Office of the Federal 
     Chief Information Officer.
       (l) Rules of Construction.--
       (1) Agency actions.--Nothing in this section, or an 
     amendment made by this section, shall be construed to 
     authorize the head of an agency to take an action that is not 
     authorized by this section, an amendment made by this 
     section, or existing law.
       (2) Protection of rights.--Nothing in this section, or an 
     amendment made by this section, shall be construed to permit 
     the violation of the rights of any individual protected by 
     the Constitution of the United States, including through 
     censorship of speech protected by the Constitution of the 
     United States or unauthorized surveillance.
       (3) Protection of privacy.--Nothing in this section, or an 
     amendment made by this section, shall be construed to--
       (A) impinge on the privacy rights of individuals; or
       (B) allow the unauthorized access, sharing, or use of 
     personal data.
       (m) Definitions.--In this section, unless otherwise 
     specified:
       (1) The term ``agency'' has the meaning given the term in 
     section 3502 of title 44, United States Code.
       (2) The term ``appropriate congressional committees'' 
     means--
       (A) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       (B) the Committee on Oversight and Accountability of the 
     House of Representatives; and
       (C) the Committee on Homeland Security of the House of 
     Representatives.
       (3) The term ``awardee'' has the meaning given the term in 
     section 3591 of title 44, United States Code, as added by 
     this section.
       (4) The term ``contractor'' has the meaning given the term 
     in section 3591 of title 44, United States Code, as added by 
     this section.
       (5) The term ``Director'' means the Director of the Office 
     of Management and Budget.
       (6) The term ``Federal information system'' has the meaning 
     given the term in section 3591 of title 44, United States 
     Code, as added by this section.
       (7) The term ``incident'' has the meaning given the term in 
     section 3552(b) of title 44, United States Code.
       (8) The term ``national security system'' has the meaning 
     given the term in section 3552(b) of title 44, United States 
     Code.
       (9) The term ``penetration test'' has the meaning given the 
     term in section 3552(b) of title 44, United States Code, as 
     amended by this section.
       (10) The term ``threat hunting'' means proactively and 
     iteratively searching systems for threats and 
     vulnerabilities, including threats or vulnerabilities that 
     may evade detection by automated threat detection systems.
       (11) The term ``zero trust architecture'' has the meaning 
     given the term in Special Publication 800-207 of the National 
     Institute of Standards and Technology, or any successor 
     document.

     SEC. 1096. RURAL HOSPITAL CYBERSECURITY.

       (a) Definitions.--In this section:
       (1) Agency.--The term ``agency'' has the meaning given the 
     term in section 551 of title 5, United States Code.
       (2) Appropriate committees of congress.--The term 
     ``appropriate committees of Congress'' means--
       (A) the Committee on Homeland Security and Governmental 
     Affairs of the Senate; and
       (B) the Committee on Homeland Security of the House of 
     Representatives.
       (3) Director.--The term ``Director'' means the Director of 
     the Cybersecurity and Infrastructure Security Agency.
       (4) Geographic division.--The term ``geographic division'' 
     means a geographic division that is among the 9 geographic 
     divisions determined by the Bureau of the Census.
       (5) Rural hospital.--The term ``rural hospital'' means a 
     healthcare facility that--
       (A) is located in a non-urbanized area, as determined by 
     the Bureau of the Census; and
       (B) provides inpatient and outpatient healthcare services, 
     including primary care, emergency care, and diagnostic 
     services.
       (6) Secretary.--The term ``Secretary'' means the Secretary 
     of Homeland Security.
       (b) Rural Hospital Cybersecurity Workforce Development 
     Strategy.--
       (1) In general.--Not later than 1 year after the date of 
     enactment of this Act, the Secretary, acting through the 
     Director, shall develop and transmit to the appropriate 
     committees of Congress a comprehensive rural hospital 
     cybersecurity workforce development strategy to address the 
     growing need for skilled cybersecurity professionals in rural 
     hospitals.
       (2) Consultation.--
       (A) Agencies.--In carrying out paragraph (1), the Secretary 
     and Director may consult with the Secretary of Health and 
     Human Services, the Secretary of Education, the Secretary of 
     Labor, and any other appropriate head of an agency.
       (B) Providers.--In carrying out paragraph (1), the 
     Secretary shall consult with not less than 2 representatives 
     of rural healthcare providers from each geographic division 
     in the United States.
       (3) Considerations.--The rural hospital cybersecurity 
     workforce development strategy developed under paragraph (1) 
     shall, at a minimum, consider the following components:
       (A) Partnerships between rural hospitals, non-rural 
     healthcare systems, educational institutions, private sector 
     entities, and nonprofit organizations to develop, promote, 
     and expand the rural hospital cybersecurity workforce, 
     including through education and training programs tailored to 
     the needs of rural hospitals.
       (B) The development of a cybersecurity curriculum and 
     teaching resources that focus on teaching technical skills 
     and abilities related to cybersecurity in rural hospitals for 
     use in community colleges, vocational schools, and other 
     educational institutions located in rural areas.
       (C) Identification of--
       (i) cybersecurity workforce challenges that are specific to 
     rural hospitals, as well as challenges that are relative to hospitals generally; and
       (ii) common practices to mitigate both sets of challenges 
     described in clause (i).
       (D) Recommendations for legislation, rulemaking, or 
     guidance to implement the components of the rural hospital 
     cybersecurity workforce development strategy.
       (4) Annual briefing.--Not later than 60 days after the date 
     on which the first full fiscal year ends following the date 
     on which the Secretary transmits the rural hospital 
     cybersecurity workforce development strategy developed under 
     paragraph (1), and not later than 60 days after the date on 
     which each fiscal year thereafter ends, the Secretary shall 
     provide a briefing to the appropriate committees of Congress 
     that includes, at a minimum, information relating to--
       (A) updates to the rural hospital cybersecurity workforce 
     development strategy, as appropriate;
       (B) any programs or initiatives established pursuant to the 
     rural hospital cybersecurity workforce development strategy, 
     as well as the number of individuals trained or educated 
     through such programs or initiatives;
       (C) additional recommendations for legislation, rulemaking, 
     or guidance to implement the components of the rural hospital 
     cybersecurity workforce development strategy; and
       (D) the effectiveness of the rural hospital cybersecurity 
     workforce development strategy in addressing the need for 
     skilled cybersecurity professionals in rural hospitals.
       (c) Instructional Materials for Rural Hospitals.--
       (1) In general.--Not later than 1 year after the date of 
     enactment of this Act, the Director shall make available 
     instructional materials for rural hospitals that can be used 
     to train staff on fundamental cybersecurity efforts.
       (2) Duties.--In carrying out paragraph (1), the Director 
     shall--
       (A) consult with appropriate heads of agencies, experts in 
     cybersecurity education, and rural healthcare experts;
       (B) identify existing cybersecurity instructional materials 
     that can be adapted for use in rural hospitals and create new 
     materials as needed; and
       (C) conduct an awareness campaign to promote the materials 
     available to rural hospitals developed under paragraph (1).
       (d) No Additional Funds.--No additional funds are 
     authorized to be appropriated for the purpose of carrying out 
     this section.