[Senate Report 117-274]
[From the U.S. Government Publishing Office]


                                                      Calendar No. 673
117th Congress     }                                    {       Report
                                 SENATE
 2d Session        }                                    {      117-274
_______________________________________________________________________

                                     


         FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2021

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                S. 2902

               TO MODERNIZE FEDERAL INFORMATION SECURITY
                   MANAGEMENT, AND FOR OTHER PURPOSES

               December 19, 2022.--Ordered to be printed   
                             _________
                              
                 U.S. GOVERNMENT PUBLISHING OFFICE
                 
39-010                   WASHINGTON : 2023
               
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky
JACKY ROSEN, Nevada                  JAMES LANKFORD, Oklahoma
ALEX PADILLA, California             MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
                                     JOSH HAWLEY, Missouri

                   David M. Weinberg, Staff Director
                    Zachary I. Schram, Chief Counsel
         Christopher J. Mulkins, Director of Homeland Security
         Jeffrey D. Rothblum, Senior Professional Staff Member
                Pamela Thiessen, Minority Staff Director
            Sam J. Mulopulos, Minority Deputy Staff Director
              William H.W. McKenna, Minority Chief Counsel
       Cara G. Mumford, Minority Director of Governmental Affairs
                     Laura W. Kilbride, Chief Clerk   
                     
 
         FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2021

                                _______
                                

               December 19, 2022.--Ordered to be printed

                                _______
                                

 Mr. Peters, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 2902]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 2902), to modernize 
Federal information security management, and for other 
purposes, having considered the same, reports favorably thereon 
with an amendment, in the nature of a substitute, and 
recommends that the bill, as amended, do pass.

                                CONTENTS

                                                                     Page
  I. Purpose and Summary..............................................  1
 II. Background and Need for the Legislation..........................  2
III. Legislative History..............................................  4
 IV. Section-by-Section Analysis of the Bill, as Reported.............  5
  V. Evaluation of Regulatory Impact.................................  14
 VI. Congressional Budget Office Cost Estimate.......................  15
VII. Changes in Existing Law Made by the Bill, as Reported...........  17

                         I. Purpose and Summary

    S. 2902, the Federal Information Security Modernization Act 
of 2021 (FISMA 2021), revises and updates the Federal 
Information Security Modernization Act of 2014 (FISMA 2014) to 
support a more effective Federal cybersecurity regime and 
improve cybersecurity coordination between the Office of 
Management and Budget (OMB), the Cybersecurity and 
Infrastructure Security Agency (CISA), the Office of the 
National Cyber Director (NCD), and other Federal agencies and 
contractors. The bill reforms how Federal agencies report and 
respond to cyber attacks, codifies and expands security 
priorities such as zero trust architecture, and enhances 
logging and detection capabilities. FISMA 2021 also provides 
new operational authorities to bolster CISA's lead role in 
supporting agency information security programs, ensuring that 
CISA is the central point for reporting incidents and breaches 
on Federal networks and for helping agencies remediate them.

              II. Background and Need for the Legislation

    The United States' Federal cybersecurity posture has left 
America's data at risk.\1\ Despite reforms to Federal 
cybersecurity codified in FISMA 2014, Federal agencies continue 
to receive poor marks for cybersecurity.\2\ Recent attacks, 
such as the SolarWinds breach, led to compromises of Federal 
government agencies and have shown the vulnerability of Federal 
information systems to hackers, underscoring the urgent need 
for Federal cybersecurity reforms.\3\
---------------------------------------------------------------------------
    \1\Senate Committee on Homeland Security and Governmental Affairs, 
Federal Cybersecurity: America's Data Still At Risk (Aug. 2021) (S. 
Rept. 117-XX).
    \2\Id.
    \3\SolarWinds recap: All of the federal agencies caught up in the 
Orion breach, FEDSCOOP (Dec. 22, 2020) 
(https://www.fedscoop.com/solarwinds-recap-federal-agencies-caught-orion-breach/)
---------------------------------------------------------------------------
    The Senate Homeland Security and Governmental Affairs 
Committee thoroughly examined the issues surrounding Federal 
cybersecurity, hosted multiple hearings and published a report 
during the 117th Congress.\4\ These hearings and report 
illuminated several themes that FISMA 2021 works to address, 
including:
---------------------------------------------------------------------------
    \4\Senate Committee on Homeland Security and Governmental Affairs, 
Hearing on GAO's 2021 High Risk List: Addressing Waste, Fraud, and 
Abuse, 117th Cong. (Mar. 2, 2021 ) (S. Hrg. 117-XX); Senate Committee 
on Homeland Security and Governmental Affairs, Hearing on Understanding 
and Responding to the SolarWinds Supply Chain Attack: The Federal 
Perspective (Mar. 18, 2021) (S. Hrg. 117-XX); Senate Committee on 
Homeland Security and Governmental Affairs, Hearing on Prevention, 
Response, and Recovery: Improving Federal Cybersecurity Post-SolarWinds 
(May 11, 2021) (S. Hrg. 117-XX); Senate Committee on Homeland Security 
and Governmental Affairs, Hearing on National Cybersecurity Strategy: 
Protection of Federal and Critical Infrastructure Systems (Sep. 23, 
2021) (S. Hrg. 117-XX); Senate Committee on Homeland Security and 
Governmental Affairs, Federal Cybersecurity: America's Data Still At 
Risk (Aug. 2021) (S. Rept. 117-XX).
---------------------------------------------------------------------------
           The need for improved Congressional oversight 
        over agency cybersecurity incidents;
           The benefits of integrating Federal 
        cybersecurity by breaking down silos between agencies;
           The importance of the National Cyber Director 
        (NCD) and Cybersecurity and Infrastructure Security 
        Agency (CISA), and the need to codify their Federal 
        cybersecurity roles; and
           The benefits of taking a risk-based approach 
        to cybersecurity, and of allocating resources away from 
        burdensome reporting requirements.
    FISMA 2021 addresses these issues by building on and 
updating FISMA 2014. The bill updates the law to recognize and 
clearly define the roles of two Federal entities that did not 
exist when FISMA 2014 was passed: CISA as the lead agency for 
operational Federal cybersecurity support and the NCD serving 
as the lead cybersecurity advisor to the President for strategy 
and budgeting priorities. These two new offices, along with 
OMB, are tasked with breaking down the silos between agencies 
by being required to consult on various agency cybersecurity 
plans and investments. They are also tasked with centralizing 
analysis of incident data, to reduce the burden on each agency 
and enable Federal-wide analysis of cyber attacks.
    Under FISMA 2014, Congress is required to be notified when 
an agency experiences a ``major incident''--a subset of all 
cybersecurity incidents that reach an OMB defined threshold of 
significance.\5\ Congress received zero major incident reports 
in Fiscal Year (FY) 2018, out of a total of 31,107 
cybersecurity incidents at agencies. In FY 2019, only 3 major 
incidents were reported, and in FY 2020 only 6 major incidents 
were reported, with about 30,000 total agency incidents 
occurring in each of those two years.\6\ One of the 
recommendations from the Committee's report on FISMA was the 
need to define ``major incidents'' such that Congress is 
notified in a consistent and timely manner, rather than 
continue to rely on OMB's current definition which has led to 
inconsistent notifications.\7\ FISMA 2021 attempts to address 
this issue by explicitly defining the thresholds for ``major 
incidents'' that need to be reported to Congress.
---------------------------------------------------------------------------
    \5\Under FISMA 2014, the definition of a cybersecurity incident is 
``an occurrence that (A) actually or imminently jeopardizes, without 
lawful authority, the integrity, confidentiality, or availability of 
information or an information system; or (B) constitutes a violation or 
imminent threat of violation of law, security policies, security 
procedures, or acceptable use policies.'' FISMA 2014 also gives OMB the 
authority to set the definition of a ``major incident'' without any 
additional specifications on what the threshold should include. 44 
U.S.C. Sec. 3552; Pub. L. 113-283, Sec. 2(b).
    \6\Executive Office of the President, Federal Information Security 
Modernization Act of 2014 Annual Report to Congress Fiscal Year 2018 
(Sep. 2019); Executive Office of the President, Federal Information 
Security Modernization Act of 2014 Annual Report to Congress Fiscal 
Year 2019 (May 2020); Executive Office of the President, Federal 
Information Security Modernization Act of 2014 Annual Report to 
Congress Fiscal Year 2020 (May 2021)
    \7\Senate Committee on Homeland Security and Governmental Affairs, 
Federal Cybersecurity: America's Data Still At Risk (Aug. 2021) (S. 
Rept. 117-XX)
---------------------------------------------------------------------------
    The major incident definition in FISMA 2021 builds on the 
existing definition established by OMB. The existing 
definition focuses on national security and the national 
health, safety, and privacy of the public, while the FISMA 
2021 language also includes cyber incidents that impact an 
agency's ability to deliver a critical service or that impact 
agency high value assets, and requires notification when 
sensitive agency information is exposed to a foreign entity. 
definition also changes the thresholds for reporting to 
Congress when personally identifiable information is breached, 
and requires the NCD to declare a major incident at each 
impacted agency if a common root cause leads to incidents at 
multiple agencies, as occurred during the SolarWinds 
incident.\8\ The existing major incident definition, and the 
definition at the time of the SolarWinds incident, as 
established by OMB pursuant to FISMA 2014, do not include any 
requirements for reporting incidents impacting multiple 
agencies.\9\ During the SolarWinds compromise, some agencies 
declared major incidents to Congress, while others that were 
publicly reported to have been impacted did not. Preliminary 
inconsistencies in applying the major incident standard also 
led agencies to at times delay notification to Congress. These 
issues led to then-Ranking Member Peters sending letters to 26 
agencies requesting information about their status with respect 
to the vulnerability and if they had experienced any resulting 
cybersecurity incidents, for lack of any other mechanism to 
determine the full impact to the Federal government.\10\
---------------------------------------------------------------------------
    \8\SolarWinds recap: All of the federal agencies caught up in the 
Orion breach, FEDSCOOP (Dec. 22, 2020) 
(https://www.fedscoop.com/solarwinds-recap-federal-agencies-caught-orion-breach/)
    \9\Office of Management and Budget, Fiscal Year 2019-2020 Guidance 
on Federal Information Security and Privacy Management Requirements (M-
20-04) (Nov. 2019); Office of Management and Budget, Fiscal Year 2020-
2021 Guidance on Federal Information Security and Privacy Management 
Requirements (M-21-02) (Nov. 2020)
    \10\Letters from Ranking Member Gary C. Peters to the heads of the 
following agencies: Department of Health and Human Services, 
Environmental Protection Agency, Department of Housing and Urban 
Development, Department of Homeland Security, Federal Emergency 
Management Agency, Department of Defense, Department of Energy, 
Department of the Interior, Department of Transportation, General 
Services Administration, Department of Labor, Department of Justice, 
National Aeronautics and Space Administration, United States Agency for 
International Development, Small Business Administration, U.S. Nuclear 
Regulatory Commission, Department of State, Office of Personnel 
Management, Department of Education, Department of Veterans Affairs, 
Office of Management and Budget, Office of the Director of National 
Intelligence, National Science Foundation, Department of Agriculture, 
Department of Treasury, and Department of Commerce (Feb. 21, 2019)
---------------------------------------------------------------------------
    FISMA 2021 also moves agencies towards a risk-based 
approach, while reducing resources dedicated to reporting 
metrics. Each agency is required to perform an ongoing and 
continuous agency risk assessment, and CISA is required to 
consolidate this work to perform Federal-wide risk assessments. 
These assessments will be required to be incorporated into 
agency resource allocations for cybersecurity investments. The 
bill also shifts existing annual agency FISMA reports to every 
two years, and requires agencies to move to automation for 
information sharing throughout the legislation.
    Additionally, the Committee performed oversight over the 
Biden Administration's Executive Order 14028 on cybersecurity, 
including requirements for agencies to move to Zero Trust 
Architectures.\11\ Several provisions of FISMA 2021 are based 
on that directive and other recent Executive branch mandates to 
require agencies to move towards modern cybersecurity 
practices, including increased use of automation, moving 
network security to Zero Trust Architectures using principles 
of least privilege, increased use of penetration testing, and 
establishing vulnerability disclosure programs at all 
agencies.\12\
---------------------------------------------------------------------------
    \11\Exec. Order No. 14028, 86 Fed. Reg. 26633 (May 12, 2021).
    \12\E.g. Cybersecurity and Infrastructure Security Agency, Binding 
Operational Directive 20-01--Develop and Publish a Vulnerability 
Disclosure Policy (BOD-20-01) (Sep. 2020) and Exec. Order No. 14028, 86 
Fed. Reg. 26633 (May 12, 2021).
---------------------------------------------------------------------------

                        III. Legislative History

    Chairman Peters (D-MI) and Ranking Member Portman (R-OH) 
introduced S. 2902, the Federal Information Security 
Modernization Act of 2021, on September 29, 2021. The bill was 
referred to the Senate Committee on Homeland Security and 
Governmental Affairs. The Committee considered S. 2902 at a 
business meeting on October 6, 2021.
    During the business meeting, a substitute amendment, as 
modified, was offered by Chairman Peters and Ranking Member 
Portman which made technical corrections, adjusted a number of 
activity deadlines throughout the text, updated the definition 
of ``breach,'' updated the threshold for reporting breaches to 
Congress, updated the section on Zero Trust Architecture and 
least privilege principles, and removed several sections from 
the bill. The Peters-Portman substitute amendment, as modified, 
was adopted by unanimous consent, with Senators Peters, Carper, 
Hassan, Rosen, Padilla, Ossoff, Portman, Lankford, Romney, 
Scott, and Hawley present.
    The Committee ordered the bill, as amended, reported 
favorably by voice vote with Senators Peters, Carper, Hassan, 
Rosen, Padilla, Ossoff, Portman, Lankford, Romney, Scott, and 
Hawley present.

        IV. Section-by-Section Analysis of the Bill, as Reported


Section 1. Short title

    This section designates the short title of the bill as the 
``Federal Information Security Modernization Act of 2021.''

Section 2. Table of contents

    This section contains the table of contents.

Section 3. Definitions

    This section defines ``additional cybersecurity 
procedure,'' ``agency,'' ``appropriate congressional 
committees,'' ``Director,'' ``incident,'' ``national security 
system,'' ``penetration test,'' and ``threat hunting.''

                       TITLE I. UPDATES TO FISMA

Section 101. Title 44 amendments

    This section amends several sections within title 44, U.S. 
Code.
           Subsection (a) amends U.S. Code sections in 
        subchapter I of chapter 35 of title 44.
                   (a)(1) amends 44 U.S.C. 
                Sec. 3504. It requires the Director of the 
                Office of Management and Budget (OMB) to 
                consult with the National Cyber Director (NCD) 
                and the Director of the Cybersecurity and 
                Infrastructure Security Agency (CISA) to 
                develop policies, principles, standards, and 
                guidelines on information confidentiality and 
                security.
                   (a)(2) amends 44 U.S.C. 
                Sec. 3505. It includes the NCD and the Director 
                of CISA on the list of individuals who receive 
                a copy of the inventory of agency IT systems 
                conducted by OMB and requires the inventory be 
                maintained on a continual basis, through the 
                use of automation.
                   (a)(3) amends 44 U.S.C. 
                Sec. 3506. It requires agencies to improve the 
                availability of information resources and also 
                requires agencies to promote security with 
                respect to Federal information technology.
                   (a)(4) amends 44 U.S.C. 
                Sec. 3513. It requires agencies to provide any 
                portion of a written plan, developed in 
                response to an OMB review under Sec. 3513(a), 
                addressing information security or 
                cybersecurity to the Director of CISA.
           Subsection (b) amends definitions in U.S. 
        Code subchapter II of chapter 35 of title 44.
                   (b)(1) amends 44 U.S.C. 
                Sec. 3552(b). It adds several definitions, 
                including ``additional cybersecurity 
                procedure,'' ``high value asset,'' ``major 
                incident,'' ``penetration test,'' and ``shared 
                service.''
                   (b)(2) contains a number of 
                conforming amendments to align scattered 
                Federal statutes with the updated definitions 
                in Sec. 3552.
           Subsection (c) amends U.S. Code sections in 
        subchapter II of chapter 35 of title 44.
                   (c)(1) amends 44 U.S.C. 
                Sec. 3551. It recognizes CISA as the lead 
                cybersecurity entity for operational 
                coordination and operational implementation 
                across the Federal government, recognizes OMB 
                as the leader for Federal cybersecurity policy 
                development and oversight, and recognizes the 
                NCD as responsible for developing the U.S. 
                Cybersecurity Strategy and advising the 
                President on cybersecurity.
                   (c)(2) amends 44 U.S.C. 
                Sec. 3553. This subsection requires agencies to 
                submit FISMA reports every two years, instead 
                of every year. It also requires OMB to work 
                with CISA and the NCD to oversee agency 
                information security policies and practices, 
                including overseeing agency compliance. It also 
                requires OMB to work with CISA and NIST to 
                promote the use of automation and least 
                privilege principles to improve cybersecurity. 
                It also specifies that CISA, in consultation 
                with the NCD and OMB, will administer the 
                implementation of agency information security 
                policies and practices, monitor implementation, 
                lead coordination, perform penetration testing, 
                and provide technical and operational 
                assistance to agencies. (c)(2) also requires 
                CISA to perform ongoing and continuous 
                assessments of Federal cybersecurity risk 
                posture, using a variety of information 
                sources, and to brief OMB and NCD on those 
                assessments. It also directs the Director of 
                OMB to submit a report to Congress that 
                includes the trends identified in the Federal 
                risk assessment. This subsection also requires 
                CISA to report to appropriate reporting 
                entities, including Congress, within two days 
                on the implementation by an agency of any 
                binding operational or emergency directive 
                issued by CISA to that agency.
                   (c)(3) amends 44 U.S.C. 
                Sec. 3554. This subsection requires agency 
                heads to perform an ongoing and continuous 
                agency risk assessment, specifies what must be 
                included in that assessment, and requires that 
                an update on that assessment be provided to 
                OMB, CISA, and the NCD. It requires agency 
                heads to consult with OMB and CISA to evaluate 
                whether additional cybersecurity procedures are 
                required for individual information systems, 
                provide those evaluations and implementation 
                plans for any additional cybersecurity 
                procedures to OMB, CISA, and the NCD, and 
                ensure that those additional procedures are 
                reflected in the risk-based cyber budget model. 
                (c)(3) also aligns later sections of Sec. 3554 
                with the updated risk assessment, 
                implementation plan, and other programs added 
                by the bill, including ensuring compliance with 
                operational directives, creating acceptable 
                system configuration requirements, and creating 
                a process for providing the status of remedial 
                actions and known system vulnerabilities to 
                CISA. This subsection requires information 
                security officers of component agencies to 
                carry out various information security 
                responsibilities and report to their designated 
                senior information security officer and the 
                Chief Information Officer of the component 
                agency. (c)(3) also requires each agency to 
                submit a biannual report summarizing its annual 
                risk assessment, evaluating the effectiveness 
                of cybersecurity policies, summarizing 
                evaluations and implementation plans, and 
                summarizing the status of remedial actions 
                identified by the agency Inspector General, 
                GAO, or any other source to OMB, DHS, relevant 
                Congressional committees, the NCD, and GAO. 
                Finally, the subsection directs that, to the 
                greatest extent practicable, those reports 
                should be unclassified.
                   (c)(4) amends 44 U.S.C. 
                Sec. 3555. This subsection changes the 
                independent evaluations of agency information 
                security programs and practices from yearly to 
                biannual and instructs agencies, evaluators, 
                Congressional committees, and any other 
                recipients of the information from those audits 
                to take steps to protect information that, if 
                disclosed, could adversely affect information 
                security. It also instructs OMB to identify any 
                entity performing this independent audit in 
                OMB's summary report to Congress of these 
                evaluations. (c)(4) further requires that the 
                guidance developed by the OMB Director to 
                evaluate the effectiveness of an information 
                security program and practices will prioritize 
                the identification of the most common threat 
                patterns experienced by each agency and the 
                security controls that address those patterns, 
                and any other security risks unique to the 
                networks of each agency.
                   (c)(5) amends 44 U.S.C. 
                Sec. 3556(a) to require the Federal information 
                security incident center be maintained at CISA.
           Subsection (d) makes conforming amendments 
        to update the table of sections and update other 
        references to FISMA reports to be submitted every two 
        years, instead of every year, as changed in Sec. 3553.
           Subsection (e)(1) amends U.S. Code by adding 
        a new subchapter IV, Federal System Incident Response, 
        to chapter 35 of title 44. This new subchapter contains 
        new sections, discussed below:
                   Sec. 3591 defines ``appropriate 
                reporting entities,'' ``awardee,'' 
                ``contractor,'' ``federal information,'' 
                ``federal information system,'' ``intelligence 
                community,'' ``nationwide consumer reporting 
                agency,'' ``vulnerability disclosure,'' and 
                ``breach.'' It also imports definitions from 
                sections Sec. 3502 and Sec. 3552.
                   Sec. 3592 requires agency heads 
                to expeditiously determine whether notice to 
                individuals potentially impacted by a 
                cybersecurity breach is appropriate and, if 
                appropriate, notify those individuals within 45 
                days after the agency has concluded that such 
                an incident occurred. The section specifies the 
                contents of the notification and allows the 
                Attorney General, Director of National 
                Intelligence, or Secretary of Homeland Security 
                to delay the notification if it would impede a 
                criminal investigation, reveal sensitive 
                sources and methods, cause damage to national 
                security, or hamper security remediation 
                actions. It also imposes documentary 
                requirements on such a delay. If there is a 
                significant change in the details of the 
                information that must be provided to impacted 
                individuals, the agency must notify those 
                individuals within 30 days.
                   Sec. 3593 requires agencies to 
                provide written notification to the appropriate 
                reporting entities, and if practicable a 
                briefing to Congress, within 72 hours after the 
                agency has reasonable basis to conclude that a 
                major incident occurred. It specifies the 
                content of the report, and of a supplemental 
                report required within 30 days after the 
                written notification provided to the 
                appropriate reporting entities is submitted, 
                and requires the agency to provide an updated 
                report if there is any significant change in 
                the agency's understanding of the incident. The 
                section also requires the agency, the NCD, and 
                any other Federal entity deemed appropriate by 
                the NCD to provide a briefing to Congress on 
                the threat that caused the incident within 
                seven days after the incident.
                   Sec. 3594 requires agency heads 
                to provide any information on any incident to 
                CISA and OMB, and specifies the contents of 
                that communication. It also requires each 
                agency that has been the target of a major 
                incident involving federal information in 
                electronic medium or form, not involving a 
                national security system, to consult with CISA 
                regarding response, recovery, and mitigation.
                   Sec. 3595 imposes 
                responsibilities on Federal contractors and 
                awardees who have been targets of cyber 
                incidents or breaches to immediately report to 
                the contracting or grantor agency with respect 
                to: Federal information collected, used, or 
                maintained in connection with the contract, 
                grant, or cooperative agreement; a Federal 
                information system used or operated by the 
                contractor or awardee in connection with the 
                contract, grant, or cooperative agreement; or 
                information received from the agency that the 
                contractor or awardee was not authorized to 
                receive. In a major 
                incident, the agency must consult with the 
                contractor or awardee to comply with the 
                requirements of Sec. Sec. 3592, 3593, and 3594. 
                If it is not a major incident, the agency, in 
                consultation with the contractor or awardee, 
                must comply with Sec. 3594. This section 
                becomes effective one year after enactment.
                   Sec. 3596 directs agencies to 
                develop training for individuals at the agency 
                who obtain access to Federal information as an 
                employee, contractor, awardee, volunteer, or 
                intern to identify and respond to cyber 
                incidents, and includes requirements for the 
                contents of those trainings. It also directs 
                that this training may be included in an annual 
                agency privacy or security awareness training.
                   Sec. 3597 requires CISA to 
                perform continuous quantitative and qualitative 
                analysis of incidents at federal agencies. It 
                directs that this analysis should be automated 
                to the greatest extent practicable. It directs 
                OMB to share this information with agencies and 
                the NCD to support and improve their 
                cybersecurity efforts, specifies a format for 
                that analysis, and directs CISA and OMB to 
                produce an annual report on federal incidents 
                beginning not later than two years after 
                enactment. The section directs agencies that do 
                not provide all incident data to CISA pursuant 
                to 3594(a) to develop and provide to the 
                appropriate notification entities, in 
                coordination with CISA and OMB, an annual 
                report including data not provided to CISA that 
                meets the requirements in this section. 
                Finally, the section requires that information 
                contained in the report must be anonymized to 
                prevent identification of specific incidents 
                with specific agencies unless OMB and the 
                impacted agency are consulted.
                   Sec. 3598 requires the Director 
                of OMB, in coordination with the Director of 
                CISA and the NCD, to issue guidance on the 
                definition of ``major incident'' 180 days after 
                the enactment of this bill. It also provides 
                requirements for elements that, at a minimum, 
                should be included in the guidance and 
                scenarios where a major incident determination 
                should be made by the head of an agency or the 
                NCD. This section also includes a requirement 
                for OMB, CISA, the Privacy and Civil Liberties 
                Oversight Board (PCLOB), and the Federal Trade 
                Commission (FTC) to establish within 90 days of 
                enactment of this legislation a risk-based 
                framework to help agencies determine if an 
                incident involving personally identifiable 
                information could result in substantial harm, 
                embarrassment or unfairness to an individual.
           Subsection (e)(2) amends U.S. Code by 
        amending the table of sections for chapter 35 of title 
        44.

Section 102. Amendments to Subtitle III of Title 40

    This section amends several sections within title 40 of the 
U.S. Code.
           Subsection (a) amends 40 U.S.C. 
        Sec. 2(c)(4)(A)(ii). It directs the Director of CISA to 
        coordinate with existing cybersecurity and governance 
        frameworks and risk management best practices, and to 
        prioritize risk, impact, and consequences.
           Subsection (b) amends 40 U.S.C. Sec. 11301. 
        It adds improving cybersecurity and systems, alongside 
        cost-savings activities, to the priorities for the 
        funds in an agency's IT working capital fund.
                   Subsection (b)(1)(B) requires 
                agency CIOs to consult with necessary 
                stakeholders, including the Director of CISA, 
                when using funds affiliated with the IT working 
                capital fund.
                   Subsection (b) also adds 
                definitions of ``Agency'' and ``High Value 
                Asset''. This amendment also requires the 
                Director of OMB to advise agencies on the best 
                utilization of the fund.
                   Subsection (b) also adds a 
                senior official from CISA to the Technology 
                Modernization Board.
           Subsection (c) amends 40 U.S.C. 11302. It 
        requires that the Director of CISA and the NCD be 
        consulted about promoting and improving the security of 
        information technology used by the Federal Government.
                   Subsection (c) also adds data on 
                costs, schedules, security, and performance to 
                the information made publicly available.
                   This subsection requires OMB to 
                provide the NCD with agency cybersecurity 
                funding information, as appropriate.
           Subsection (d) amends several sections of 
        title 40, including 40 U.S.C. Sec. 11315, by requiring 
        the Chief Information Officers of component agencies to 
        report to their parent agency Chief Information Officer 
        and the head of the component agency.
           Subsection (e) amends 40 U.S.C. Sec. 11331. 
        The head of every agency, in consultation with senior 
        agency information security officers, must evaluate the 
        need to employ (and, if needed, actually employ) 
        standards that are more stringent than those 
        promulgated by OMB. Increased reporting requirements, 
        stored data information, risk assessments, 
        vulnerabilities, and threat hunting results are 
        required to be maintained and coordinated with the 
        Director of CISA.
                   It also requires the Director of 
                OMB to await public comment and consult with 
                the Director of CISA, the Chief Information 
                Officers Council, the Comptroller General of 
                the United States, and the Council of the 
                Inspectors General on Integrity and Efficiency 
                (CIGIE), before promulgating or significantly 
                modifying a proposed standard issued by the 
                Director of NIST.
                   It requires the Director of OMB 
                to review the efficacy of the guidance and 
                policy promulgated by OMB to reduce 
                cybersecurity risks, including an assessment of 
                the requirements on agencies to report to the 
                Director, and to provide updated guidance 
                based on that review every three years.
                   OMB will also issue a public 
                report within 30 days after the completion of 
                that review specifying the guidance and policy 
                currently in effect, the risk mitigation or 
                other benefit offered by that guidance or 
                policy, and a summary of any changes made by 
                the review.
                   It also requires OMB to report 
                to the Senate Committee on Homeland Security 
                and Governmental Affairs and the House 
                Committee on Oversight and Reform on that 
                review.
           It also requires the Director of NIST to 
        develop and issue federal information system standards. 
        The Director of NIST shall consider developing, in 
        consultation with the Director of CISA and if 
        appropriate and practical, specifications to enable an 
        automated verification of the implementation of the 
        controls described within the standards.

Section 103. Actions to enhance federal incident response

           Subsection (a) requires that CISA develop a 
        plan for the analysis required under 44 U.S.C. 3597(b) 
        that will include a description of any anticipated 
        challenges, and the use of automation and machine 
        readable formats for monitoring and analyzing data. It 
        also requires CISA to brief appropriate congressional 
        committees on the plan.
           Subsection (b) requires the Director of OMB 
        to develop guidelines and templates for agencies' 
        implementation of the U.S. Code sections amended by 
        this act, including Sec. 3594(a), Sec. 3594(c), 
        Sec. 3595, and Sec. 3596.
           Subsection (c) amends 5 U.S.C. Sec. 552a(b), 
        the ``Privacy Act of 1974,'' to clarify when disclosure 
        of information to another federal agency is warranted: 
        to facilitate a response to a cybersecurity incident, a 
        federal agency may provide the information after the 
        head of the requesting agency has provided a written 
        request to the agency specifying the particular portion 
        of information necessary and for what purpose.

Section 104. Additional guidance to agencies on FISMA updates

    This section requires the Director of OMB, in coordination 
with the Director of CISA, to issue guidance on:
                   Performing the ongoing and 
                continuous agency risk assessment required 
                under law being amended by this Act;
                   Implementing additional 
                cybersecurity procedures;
                   Establishing a process for 
                providing a status of remediation to OMB and 
                CISA;
                   Interpretation of the definition 
                of ``high value asset''; and
                   Coordination with agency OIGs to 
                ensure understanding and application of agency 
                policies for the purpose of agency OIG 
                evaluations.

Section 105. Agency requirements to notify private sector entities 
        impacted by incidents

    This section directs the Director of OMB to issue guidance 
that requires agencies to notify private sector entities of 
cybersecurity incidents impacting the sensitive information 
shared by that private sector entity with the agency or the 
systems used to transmit that information.

               TITLE II. IMPROVING FEDERAL CYBERSECURITY

Section 201. Mobile security standards

    This section requires an evaluation of mobile security 
standards.
           Subsection (a) requires OMB, within one year 
        of enactment, to evaluate the mobile application 
        security guidance promulgated by OMB and to issue 
        guidance to secure mobile devices for every agency.
           Subsection (b) specifies the contents of 
        that guidance, including conducting an inventory of 
        mobile devices and vulnerabilities, for every federal 
        agency, and requires that every agency continuously 
        evaluate those vulnerabilities.
           Subsection (c) requires OMB, in coordination 
        with CISA, to issue guidance on how to share the 
        inventory in subsection (b) with CISA.
           Subsection (d) requires OMB in coordination 
        with CISA to provide briefings to Congress on the 
        guidance in subsection (b).

Section 203. Data and logging retention for incident response

    This section requires certain data and log retention 
elements for Federal agencies.
           Subsection (a) requires the Director of 
        CISA, in consultation with the Attorney General, to 
        submit recommendations not later than two years after 
        enactment to OMB on how to log events on agency systems 
        and how to retain other relevant network and systems 
        data.
           Subsection (b) specifies the contents of 
        those recommendations.
           Subsection (c) requires OMB, as determined 
        appropriate by the Director of OMB and in consultation 
        with the Director of CISA and the Attorney General, to 
        update guidance for agencies regarding requirements for 
        logging, log retention, log management, sharing of log 
        data, and any other appropriate logging activity, 
        within 90 days after receiving the recommendations.

Section 203. CISA agency advisors

    This section creates a liaison between CISA and each 
agency. Within 120 days after enactment of FISMA 2021, CISA 
will assign each agency one CISA employee to be the liaison 
between that agency and CISA. This will clarify CISA's roles, 
responsibilities, and services for that agency. It will also 
help CISA understand agency nuances so that it can provide more 
tailored cybersecurity guidance. This section specifies the 
qualifications and duties of an advisor, and stipulates that 
the advisor shall not be a contractor but may be assigned to 
multiple senior agency information security officers.

Section 204. Federal penetration testing policy

    Subsection (a) amends 44 U.S.C. chapter 35 by adding 
section 3559A, which allows CISA to enter into rules-of-
engagement contracts with agencies for penetration testing. 
The section also requires OMB, within 180 days, to issue 
guidance requiring agencies to use penetration testing on 
agency systems when and where appropriate. Plans and guidelines 
on how to conduct the penetration tests will be developed 
within the agencies. Agencies are also expected to conduct 
their own penetration tests on high value assets or coordinate 
with CISA to ensure that such testing is being performed. CISA 
will also establish processes to assess the performance of 
penetration testing by both Federal and non-Federal entities; 
develop operational guidance for instituting penetration 
testing programs; develop and maintain the capability to offer 
penetration testing as a service for Federal and non-Federal 
entities; and provide guidance to agencies on the best use of 
penetration testing resources.

Section 205. Ongoing threat hunting program

    This section establishes a Threat Hunting Program under 
CISA within 540 days, as an addition to the additional 
cybersecurity procedures under section 3554 of title 44, 
United States Code. The section also requires a plan from the 
Director of CISA within 180 days that details how CISA will 
collect and analyze appropriate agency data, the resources 
required to support the program, and consultation with agency 
heads on how the program will complement or improve 
cybersecurity efforts at individual agencies.

Section 206. Codifying vulnerability disclosure programs

    This section requires that agencies create and follow a 
vulnerability disclosure program. Agencies will also disclose 
to CISA any discovered or not publicly known vulnerabilities in 
agency information systems or commercially used systems. OMB 
shall also submit a report 90 days after the date of enactment, 
and every three years thereafter, on the status of the use of 
vulnerability disclosure policies.

Section 207. Implementing presumption of compromise and least privilege 
        principles

    This section requires OMB, in consultation with CISA and 
NIST and not later than 1 year after enactment, to provide an 
update to Congress on progress in increasing the internal 
defenses of agency systems. This section also requires agencies 
to submit to OMB a progress report on the implementation of 
information security programs based on the presumption of 
compromise and least privilege principles.

Section 208. Automation Reports

    This section requires an OMB report on the use of 
automation under 44 U.S.C. 3554(b) to Congress within 180 days 
after the date of enactment, and also requires a GAO report 
detailing the use of automation and machine readable data 
across the Government for cybersecurity purposes within one 
year of enactment.

Section 209. Extension of Federal Acquisition Security Council

    This section extends the sunset on the Federal Acquisition 
Security Council to December 31, 2026.

Section 210. Council of the Inspectors General on integrity and 
        efficiency dashboard

    This section requires the Council of Inspectors General to 
create a dashboard, located on Oversight.gov, containing open 
information security recommendations identified in the 
evaluations required by 44 U.S.C. 3555(a).

                   TITLE III. RISK-BASED BUDGET MODEL

Section 301. Definitions

    This section defines certain terms, including ``appropriate 
congressional committees,'' ``covered agency,'' ``director,'' 
``information technology,'' and ``risk-based budget.''

Section 302. Establishment of risk-based model

    This section requires OMB, in consultation with CISA, the 
NCD, and in coordination with NIST, to develop a standard model 
for creating a risk-based budget for cybersecurity spending 
within one year after the first publication of the President's 
budget following enactment of this act.
           It specifies the content of this model, 
        requires triennial updates to the model by OMB, and 
        mandates publication of the model on the OMB website.
           It also requires OMB to report annually on 
        the development of the model from passage of this act 
        until completion of the model.
           This section also requires that every 
        agency, within two years after publication of the 
        model, use the model to develop its annual 
        cybersecurity and information technology budget 
        request.
           It also includes an assessment of agency 
        implementation of risk-based budget models in the 
        independent evaluation under 44 U.S.C. 3555, and 
        requires a GAO report submitted to appropriate 
        congressional committees evaluating the development, 
        implementation, and success of the risk-based budgets 
        developed by agencies.

       TITLE IV. PILOT PROGRAMS TO ENHANCE FEDERAL CYBERSECURITY

Section 401. Active cyber defense study

    This section defines ``active defense technique'' and 
authorizes an active cyber defense pilot program.
           Subsection (a) defines the term ``active 
        defense technique.''
           Subsection (b) requires the Director of 
        CISA, in coordination with OMB, to perform a study on 
        the use of active defense techniques to enhance the 
        security of agencies. The study shall include a legal 
        review on the use of active defense techniques; 
        efficacy of selection of active defense techniques and 
        efficacy factors; and development of a framework to use 
        different techniques by agencies.

Section 402. Security operations center as a service pilot

    This section creates a pilot program allowing CISA to 
create and operate a security operation center on behalf of 
other federal agencies.
           Subsection (a) establishes that the purpose 
        of this section is for CISA to run a security operation 
        center on behalf of another agency, alleviating the 
        need to duplicate this function at every agency, and 
        empowering a greater centralized cybersecurity 
        capability.
           Subsection (b) requires the Director of CISA 
        to develop a plan within 1 year to establish a 
        centralized Federal security operation center.
           Subsection (c) requires certain elements of 
        the plan, including consideration for collecting, 
        organizing, and analyzing agency information system 
        data in real time; staffing and resourcing the center; 
        and entering into agreements and governance plans with 
        agencies.
           Subsection (d) directs the Director of CISA, 
        in consultation with the Director of OMB, to initiate 
        this pilot program with not less than two federal 
        agencies for a one-year agreement to offer a security 
        operations center as a shared service.
           Subsection (e) requires CISA to report to 
        appropriate Congressional Committees not later than 260 
        days after the enactment of this act on the parameters 
        and conditions of any one-year agreements signed to 
        date.

                   V. Evaluation of Regulatory Impact

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. Congressional Budget Office Cost Estimate

                                     U.S. Congress,
                               Congressional Budget Office,
                                  Washington, DC, November 9, 2022.
Hon. Gary C. Peters,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S. 
        Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed table summarizing estimated budgetary 
effects and mandates information for some of the legislation 
that has been ordered reported by the Senate Committee on 
Homeland Security and Governmental Affairs during the 117th 
Congress.
    If you wish further details, we will be pleased to provide 
them. The CBO staff contact for each estimate is listed on the 
enclosed table.
            Sincerely,
                                         Phillip L. Swagel,
                                                          Director.
    Enclosure.

           SUMMARY ESTIMATES OF LEGISLATION ORDERED REPORTED

    The Congressional Budget Act of 1974 requires the 
Congressional Budget Office, to the extent practicable, to 
prepare estimates of the budgetary effects of legislation 
ordered reported by Congressional authorizing committees. In 
order to provide the Congress with as much information as 
possible, the attached table summarizes information about the 
estimated direct spending and revenue effects of some of the 
legislation that has been ordered reported by the Senate 
Committee on Homeland Security and Governmental Affairs during 
the 117th Congress. The legislation listed in this table 
generally would have small effects, if any, on direct spending 
or revenues, CBO estimates. Where possible, the table also 
provides information about the legislation's estimated effects 
on spending subject to appropriation and on intergovernmental 
and private-sector mandates as defined in the Unfunded Mandates 
Reform Act.

                                                                      ESTIMATED BUDGETARY EFFECTS AND MANDATES INFORMATION
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                                                                           Increases On-
                                                                                                                          Spending Subject  Pay-As-You-Go     Budget
   Bill          Title         Status        Last Action       Budget Function    Direct Spending,    Revenues,  2023-   to Appropriation,    Procedures     Deficits      Mandates     Contact
  Number                                                                              2023-2032             2032             2023-2027          Apply?     Beginning in
                                                                                                                                                               2033?
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
S. 2902     Federal         Ordered               10/06/21                 800    Between zero and                   0   Not estimated      Yes            No            No           Matthew
             Information     reported                                                     $500,000                                                                                     Pickford
             Security
             Modernization
             Act of 2021
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
S. 2902 would amend federal information security policies and authorize pilot programs to enhance federal cybersecurity. CBO estimates that enacting S. 2902 would have an insignificant effect
  on direct spending and no effect on revenues over the 2023-2032 period. CBO has not estimated the discretionary costs of implementing the bill. The bill contains no intergovernmental or
  private-sector mandates as defined in the Unfunded Mandates Reform Act.

       VII. Changes in Existing Law Made by the Bill, as Reported

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, changes in existing law made by 
the bill, as reported, are shown as follows: (existing law 
proposed to be omitted is enclosed in brackets, new matter is 
printed in italic, and existing law in which no change is 
proposed is shown in roman):

UNITED STATES CODE

           *       *       *       *       *       *       *


TITLE 5--GOVERNMENT ORGANIZATION AND EMPLOYEES

           *       *       *       *       *       *       *


PART 1--THE AGENCIES GENERALLY

           *       *       *       *       *       *       *



CHAPTER 5--ADMINISTRATIVE PROCEDURE

           *       *       *       *       *       *       *



Subchapter II--Administrative Procedure

           *       *       *       *       *       *       *



SEC. 552A. RECORDS MAINTAINED ON INDIVIDUALS

    (a) * * *
    (b) * * *
          (1) * * *

           *       *       *       *       *       *       *

          (11) pursuant to the order of a court of competent 
        jurisdiction; [or]
          (12) to a consumer reporting agency in accordance 
        with section 3711(e) of title 31[.]; and
          (13) to another agency in furtherance of a response 
        to an incident (as defined in section 3552 of title 44) 
        and pursuant to the information sharing requirements in 
        section 3594 of title 44 if the head of the requesting 
        agency has made a written request to the agency that 
        maintains the record specifying the particular portion 
        desired and the activity for which the record is 
        sought.

           *       *       *       *       *       *       *


TITLE 5--APPENDIX

           *       *       *       *       *       *       *


INSPECTOR GENERAL ACT OF 1978

           *       *       *       *       *       *       *



SEC. 11. ESTABLISHMENT OF THE COUNCIL OF THE INSPECTORS GENERAL ON 
                    INTEGRITY AND EFFICIENCY

    (a) * * *

           *       *       *       *       *       *       *

    (e) * * *
          (1) * * *
          (2) * * *
                  (A) to consolidate all public reports from 
                each Office of Inspector General to improve the 
                access of the public to any audit report, 
                inspection report, or evaluation report (or 
                portion of any such report) made by an Office 
                of Inspector General; [and]
                  (B) that shall include a dashboard of open 
                information security recommendations identified 
                in the independent evaluations required by 
                section 3555(a) of title 44, United States 
                Code; and
                  [(B)] (C) that shall include any additional 
                resources, information, and enhancements as the 
                Council determines are necessary or desirable.

           *       *       *       *       *       *       *


TITLE 10--ARMED FORCES

           *       *       *       *       *       *       *


Subtitle A--General Military Law

           *       *       *       *       *       *       *


PART IV--SERVICE, SUPPLY, AND PROCUREMENT

           *       *       *       *       *       *       *



CHAPTER 131--PLANNING AND COORDINATION

           *       *       *       *       *       *       *



SEC. 2222. DEFENSE BUSINESS SYSTEMS: ARCHITECTURE, ACCOUNTABILITY, AND 
                    MODERNIZATION

           *       *       *       *       *       *       *


    (i) * * *
          (1) * * *

           *       *       *       *       *       *       *

          (8) National security system.--The term ``national 
        security system'' has the meaning given that term in 
        [section 3552(b)(6)(A)] section 3552(b)(9)(A) of title 
        44.

           *       *       *       *       *       *       *


SEC. 2223. INFORMATION TECHNOLOGY: ADDITIONAL RESPONSIBILITIES OF CHIEF 
                    INFORMATION OFFICERS

           *       *       *       *       *       *       *


    (c) * * *
          (1) * * *
          (2) * * *
          (3) The term ``national security system'' has the 
        meaning given that term by [section 3552(b)(6)] section 
        3552(b) of title 44.

           *       *       *       *       *       *       *


CONTINUOUS MONITORING OF DEPARTMENT OF DEFENSE INFORMATION SYSTEMS FOR 
                             CYBERSECURITY

    (a) * * *
    (b) * * *
          (1) * * *
          (2) * * *
          (3) The term `national security system' has the 
        meaning given that term in [section 3542(b)(2)] section 
        3552(b) of title 44, United States Code.

           *       *       *       *       *       *       *


SEC. 2224. DEFENSE INFORMATION ASSURANCE PROGRAM

           *       *       *       *       *       *       *


                STRATEGY ON COMPUTER SOFTWARE ASSURANCE

    (a) * * *
    (b) * * *
      (1) * * *
      (2) A national security system, as that term is defined 
in [section 3542(b)(2)] section 3552(b) of title 44, United 
States Code.

           *       *       *       *       *       *       *


CHAPTER 137--PROCUREMENT GENERALLY

           *       *       *       *       *       *       *



SEC. 2315. LAW INAPPLICABLE TO THE PROCUREMENT OF AUTOMATIC DATA 
                    PROCESSING EQUIPMENT AND SERVICES FOR CERTAIN 
                    DEFENSE PURPOSES

    For purposes of subtitle III of title 40, the term 
``national security system,'' with respect to a 
telecommunications and information system operated by the 
Department of Defense, has the meaning given that term by 
[section 3542(b)(2)] section 3552(b) of title 44.

           *       *       *       *       *       *       *


SEC. 2339A. REQUIREMENTS FOR INFORMATION RELATING TO SUPPLY CHAIN RISK

           *       *       *       *       *       *       *


    (e) * * *

           *       *       *       *       *       *       *

          (5) Covered system.--The term ``covered system'' 
        means a national security system, as that term is 
        defined in [section 3552(b)(6)] section 3552(b) of 
        title 44.

           *       *       *       *       *       *       *


TITLE 15--COMMERCE AND TRADE

           *       *       *       *       *       *       *


             CHAPTER 7--NATIONAL INSTITUTE OF STANDARDS AND
TECHNOLOGY

           *       *       *       *       *       *       *



SEC. 278G-3. COMPUTER STANDARDS PROGRAM

    (a) * * *
          (1) * * *
          (2) develop standards and guidelines, including 
        minimum requirements, for information systems used or 
        operated by an agency or by a contractor of an agency 
        or other organization on behalf of an agency, other 
        than national security systems (as defined in [section 
        3552(b)(5)] section 3552(b) of title 44);

           *       *       *       *       *       *       *

    (d) * * *
          (1) * * *
          (2) * * *
          (3) conduct research and analysis--
                  (A) to determine the nature and extent of 
                information security vulnerabilities and 
                techniques for providing cost-effective 
                information security;
                  (B) to review and determine prevalent 
                information security challenges and 
                deficiencies identified by agencies or the 
                Institute, including any challenges or 
                deficiencies described in any of the [annual] 
                reports under section 3553 or 3554 of title 44, 
                and in any of the reports and the independent 
                evaluations under section 3555 of that title, 
                that may undermine the effectiveness of agency 
                information security programs and practices; 
                and

           *       *       *       *       *       *       *

    (f) * * *
          (1) * * *
          (2) * * *
          (3) the term ``information technology'' has the same 
        meaning as provided in [section 3502(8)] section 
        3552(b) of such title;
          (4) * * *
          (5) the term ``national security system'' has the same 
        meaning as provided in [section 3552(b)(5)] section 
        3552(b) of such title.

SEC. 278G-3A. DEFINITIONS

           *       *       *       *       *       *       *


          (5) National security system
                  The term ``national security system'' has the 
                meaning given that term in [section 3552(b)(6)] 
                3552(b) of title 44.

           *       *       *       *       *       *       *


CHAPTER 81--HIGH-PERFORMANCE COMPUTING

           *       *       *       *       *       *       *



Subchapter II--Agency Activities

           *       *       *       *       *       *       *



SEC. 5527. MISCELLANEOUS PROVISIONS

    (a) * * *
          (1) * * *
          (2) computer systems the function, operation, or use 
        of which are those delineated in [section 
        3552(b)(6)(A)(i)] section 3552(b)(9)(A)(i) of title 44.

           *       *       *       *       *       *       *


TITLE 31--MONEY AND FINANCE

           *       *       *       *       *       *       *


Subtitle II--The Budget Process

           *       *       *       *       *       *       *


CHAPTER 11--THE BUDGET AND FISCAL, BUDGET, AND PROGRAM INFORMATION

           *       *       *       *       *       *       *



SEC. 1105. BUDGET CONTENTS AND SUBMISSION TO CONGRESS.

    (a) * * *

           *       *       *       *       *       *       *

          (35)(A)(i) a detailed, separate analysis, by budget 
        function, [by agency, and by initiative area (as 
        determined by the administration)] and by agency for 
        the prior fiscal year, the current fiscal year, the 
        fiscal years for which the budget is submitted, and the 
        ensuing fiscal year identifying the amounts of gross 
        and net appropriations or obligational authority and 
        outlays that contribute to cybersecurity, with separate 
        displays for mandatory and discretionary amounts, 
        including--
                  (I) * * *
                  (II) * * *
                  (III) the most recent risk assessment and 
                summary of cybersecurity needs in each 
                initiative area (as determined by the 
                administration); [and]
                  (IV) * * *
                  (V) a validation that the budgets submitted 
                were developed using a risk-based methodology; 
                and
                  (VI) a report on the progress of each agency 
                on closing recommendations identified under the 
                independent evaluation required by section 
                3555(a)(1) of title 44.

           *       *       *       *       *       *       *


TITLE 40--PUBLIC BUILDINGS, PROPERTY, AND WORKS

           *       *       *       *       *       *       *


Subtitle III--Information Technology Management

           *       *       *       *       *       *       *


CHAPTER 113--RESPONSIBILITY FOR ACQUISITIONS OF INFORMATION TECHNOLOGY

           *       *       *       *       *       *       *



Subchapter I--Director of Office of Management and Budget

           *       *       *       *       *       *       *



SEC. 11301. RESPONSIBILITY OF DIRECTOR

           *       *       *       *       *       *       *


STATUTORY NOTES AND RELATED SUBSIDIARIES

           *       *       *       *       *       *       *


            GSA MODERNIZATION CENTERS OF EXCELLENCE PROGRAM

    Pub. L. 116-194, 2, Dec. 3, 2020, 134 Stat. 981, provided 
that:
    (a) * * *
    (b) * * *
    (c) Responsibilities.--The Program shall have the following 
responsibilities:
          (1) * * *
          (2) * * *
          (3) * * *
          (4) * * *
                  (A) * * *
                          (i) * * *
                          (ii) a cybersecurity and governance 
                        framework that promotes industry and 
                        government risk management best 
                        practice approaches, prioritizing 
                        efforts based on risk, impact, and 
                        consequences[.], which shall be 
                        provided in coordination with the 
                        director of the Cybersecurity and 
                        Infrastructure Security Agency.

           *       *       *       *       *       *       *


                   MODERNIZING GOVERNMENT TECHNOLOGY

    Pub. L. 115-91, div. A, title X, subtitle G, Dec. 12, 
2017, 131 Stat. 1586, provided that:

           *       *       *       *       *       *       *


SEC. 1077. ESTABLISHMENT OF AGENCY INFORMATION TECHNOLOGY SYSTEMS 
                    MODERNIZATION AND WORKING CAPITAL FUNDS.

    (a) * * *
    (b) * * *
          (1) * * *

           *       *       *       *       *       *       *

          (5) Prioritization of funds.--The head of each 
        covered agency--
                  (A) shall prioritize funds within the IT 
                working capital fund of the covered agency to 
                be used initially for improving the 
                cybersecurity of systems and cost savings 
                activities approved by the Chief Information 
                Officer of the covered agency; and
                  (B) * * *
          (6) * * *
          (7) Agency [cio] CIO responsibilities.--
                  (A) Consideration of guidance.--In evaluating 
                projects to be funded by the IT working capital 
                fund of a covered agency, the Chief Information 
                Officer of the covered agency shall consider, 
                to the extent applicable, guidance issued 
                [under section 1094(b)(1)] by the Director to 
                evaluate applications for funding from the Fund 
                that include factors including a strong 
                business case, technical design, consideration 
                of commercial off-the-shelf products and 
                services, procurement strategy (including 
                adequate use of rapid, iterative software 
                development practices) and program management.
                  (B) Consultation.--In using funds under 
                paragraph (3)(A), the Chief Information Officer 
                of the covered agency shall consult with the 
                necessary stakeholders to ensure the project 
                appropriately addresses cybersecurity risks, 
                including the Director of the Cybersecurity and 
                Infrastructure Security Agency as appropriate.

           *       *       *       *       *       *       *


SEC. 1078. ESTABLISHMENT OF TECHNOLOGY MODERNIZATION FUND AND BOARD.

    [(a) Definition.--In this section, the term agency has the 
meaning given the term in section 551 of title 5, United States 
Code.]
    (a) Definitions.--In this section:
                  (1) Agency.--The term ``agency'' has the 
                meaning given the term in section 551 of title 
                5, United States Code.
                  (2) High value asset.--The term ``high value 
                asset'' has the meaning given the term in section 
                3552 of title 44, United States Code.
    (b) * * *
          (1) * * *

           *       *       *       *       *       *       *

          (7) * * *
          (8) Proposal evaluation.--The Director shall--
                  (A) give consideration for the use of amounts 
                in the Fund to improve the security of high 
                value assets; and
                  (B) require that any proposal for the use of 
                amounts in the Fund includes a cybersecurity 
                plan, including a supply chain risk management 
                plan, to be reviewed by the members of the 
                Technology Modernization Board described in 
                subsection (c)(5)(C).
    (c) * * *
          (1) * * *
          (2) Responsibilities.--The responsibilities of the 
        Board are--
                  (A) to provide input to the Director for the 
                development of processes for agencies to submit 
                modernization proposals to the Board and to 
                establish the criteria by which those proposals 
                are evaluated, which shall include--
                          (i) addressing the greatest security, 
                        privacy, and operational risks, 
                        including a consideration of the impact 
                        of high value assets;
                          (ii) * * *

           *       *       *       *       *       *       *

          (5) Permanent members.--The permanent members of the 
        Board shall be--
                  (A) the Administrator of the Office of 
                Electronic Government; [and]
                  (B) a senior official from the General 
                Services Administration having technical 
                expertise in information technology 
                development, appointed by the Administrator, 
                with the approval of the Director[.]; and
                  (C) a senior official from the Cybersecurity 
                and Infrastructure Security Agency of the 
                Department of Homeland Security, appointed by 
                the Director. 
          (6) Additional members of the board.--
                  (A) Appointment.--The other members of the 
                Board [shall be--
                          (i) 1 employee of the National 
                        Protection and Programs Directorate 
                        [now Cybersecurity and Infrastructure 
                        Security Agency] of the Department of 
                        Homeland Security, appointed by the 
                        Secretary of Homeland Security; and
                          (ii) 4 employees] shall be 4 
                        employees of the Federal Government 
                        primarily having technical expertise in 
                        information technology development, 
                        financial management, cybersecurity and 
                        privacy, and acquisition, appointed by 
                        the Director.

           *       *       *       *       *       *       *


SEC. 11302. CAPITAL PLANNING AND INVESTMENT CONTROL

    (a) * * *
    (b) Use of Information Technology in Federal Programs.--The 
Director shall promote and improve the acquisition, [use, 
security, and disposal of] use, and disposal of, and, in 
consultation with the Director of the Cybersecurity and 
Infrastructure Security Agency and the National Cyber Director, 
promote and improve the security of, information technology by 
the Federal government to improve the productivity, efficiency, 
and effectiveness of federal programs, including through 
dissemination of public information and the reduction of 
information collection burdens on the public.
    (c) Use of Budget Process.--
          (1) * * *
          (2) * * *
          (3) Public availability.--
                  (A) In general.--The Director shall make 
                available to the public a list of each major 
                information technology investment, without 
                regard to whether the investments are for new 
                information technology acquisitions or for 
                operations and maintenance of existing 
                information technology, [including data] which 
                shall--
                          (i) include data on cost, schedule[, 
                        and performance] security, and 
                        performance; and
                          (ii) specifically denote 
                        cybersecurity funding under the risk-
                        based cyber budget model developed 
                        pursuant to section 3553(a)(7) of title 
                        44. 
                  (B) * * *
                          (i) * * *
                          (ii) * * *
                          (iii) The Director shall provide to 
                        the National Cyber Director any 
                        cybersecurity funding information 
                        described in subparagraph (A)(ii) that 
                        is provided to the Director under 
                        clause (ii) of this subparagraph.
          (4) * * *
                  (A) * * *
                  (B) not later than 30 days after the date on 
                which the review under subparagraph (A) is 
                completed, the Administrator of the Office of 
                Electronic Government shall communicate the 
                results of the review under subparagraph (A) 
                to--

           *       *       *       *       *       *       *

    (f) Use of Best Practices in Acquisitions.--The Director 
shall encourage the [heads of the executive agencies to 
develop] heads of executive agencies to--
          (1) develop and use the best practices in the 
        acquisition of information technology[.]; and
          (2) consult with the Director of the Cybersecurity 
        and Infrastructure Security Agency for the development 
        and use of supply chain security best practices.
    (g) * * *
    (h) Comparison of Agency Uses of Information Technology.--
The Director shall compare the performances, including 
cybersecurity performances, of the executive agencies in using 
information technology and shall disseminate the comparisons to 
the heads of the executive agencies.

           *       *       *       *       *       *       *


SEC. 11303. PERFORMANCE-BASED AND RESULTS-BASED MANAGEMENT

    (a) * * *
    (b) * * *
          (1) * * *
          (2) * * *
                  (A) * * *
                  (B) * * *
                          (i) whether the function to be 
                        supported by the system should be 
                        performed by the private sector and, if 
                        so, whether any component of the 
                        executive agency performing that 
                        function should be converted from a 
                        governmental organization to a private 
                        sector organization; [or]
                          (ii) whether the function should be 
                        performed by the executive agency and, 
                        if so, whether the function should be 
                        performed by a private sector source 
                        under contract or by executive agency 
                        personnel; or
                          (iii) whether the function should be 
                        performed by a shared service offered 
                        by another executive agency;

           *       *       *       *       *       *       *

          (5) * * *
                  (A) * * *
                  (B) * * *
                          (i) recommending a reduction or an 
                        increase in the amount for information 
                        resources that the head of the 
                        executive agency proposes for the 
                        budget submitted to Congress under 
                        section 1105(a) of title 31, while 
                        taking into account the risk-based 
                        cyber budget model developed pursuant 
                        to section 3553(a)(7) of title 44;

           *       *       *       *       *       *       *


Subchapter II--Executive Agencies

           *       *       *       *       *       *       *



SEC. 11312. CAPITAL PLANNING AND INVESTMENT CONTROL

    (a) Design of Process.--In fulfilling the responsibilities 
assigned under section 3506(h) of title 44, the head of each 
executive agency shall design and implement in the executive 
agency a process for maximizing the value, and assessing and 
managing the risks, including security risks, of the 
information technology acquisitions of the executive agency.

           *       *       *       *       *       *       *


SEC. 11313. PERFORMANCE AND RESULTS-BASED MANAGEMENT

    In fulfilling the responsibilities under section 3506(h) of 
title 44, the head of an executive agency shall--
    (1) establish goals for improving the [efficiency and 
effectiveness] efficiency, security, and effectiveness of 
agency operations and, as appropriate, the delivery of services 
to the public through the effective use of information 
technology;

           *       *       *       *       *       *       *


SEC. 11315. AGENCY CHIEF INFORMATION OFFICER

    (a) * * *
    (b) * * *
    (c) * * *
    (d) Component Agency Chief Information Officers.--The Chief 
Information Officer or an equivalent official of a component 
agency shall report to--
          (1) the Chief Information Officer designated under 
        section 3506(a)(2) of title 44 or an equivalent 
        official of the agency of which the component agency is 
        a component; and
          (2) the head of the component agency.

           *       *       *       *       *       *       *


SEC. 11317. SIGNIFICANT DEVIATIONS

    The head of each executive agency shall identify in the 
strategic information resources management plan required under 
section 3506(b)(2) of title 44 any major information technology 
acquisition program, or any phase or increment of that program, 
that has significantly deviated from the cost, performance, 
security, or schedule goals established for the program.

           *       *       *       *       *       *       *


SEC. 11319. RESOURCES, PLANNING, AND PORTFOLIO MANAGEMENT

    (a) * * *
    (b) * * *
          (1) Planning, programming, budgeting, and execution 
        authorities for [cios] chief information officers.--

           *       *       *       *       *       *       *


Subchapter III--Other Responsibilities

           *       *       *       *       *       *       *



SEC. 11331. RESPONSIBILITIES FOR FEDERAL INFORMATION SYSTEMS STANDARDS

    (a) Definition.--In this section, the term ``information 
security'' has the meaning given that term in section 
[3532(b)(1)] section 3552(b) of title 44.
    (b) * * *
          (1) * * *
                  (A) Requirement.--Except as provided under 
                paragraph (2), the Director of the Office of 
                Management and Budget shall, on the basis of 
                proposed standards developed by the National 
                Institute of Standards and Technology pursuant 
                to paragraphs (2) and (3) of section 20(a) of 
                the National Institute of Standards and 
                Technology Act (15 U.S.C. 278g-3(a)) and [in 
                consultation] in coordination with [the 
                Secretary of Homeland Security] the Director of 
                the Cybersecurity and Infrastructure Security 
                Agency, promulgate information security 
                standards pertaining to Federal information 
                systems.

           *       *       *       *       *       *       *

     [(c) Application of More Stringent Standards.--The head of 
an agency may employ standards for the cost-effective 
information security for all operations and assets within or 
under the supervision of that agency that are more stringent 
than the standards promulgated by the Director under this 
section, if such standards--
          (1) contain, at a minimum, the provisions of those 
        applicable standards made compulsory and binding by the 
        Director; and
          (2) are otherwise consistent with policies and 
        guidelines issued under section 3533 1 of title 44.]
    (c) Application of More Stringent Standards.--
          (1) In general.--The head of an agency shall--
                  (A) evaluate, in consultation with the senior 
                agency information security officers, the need 
                to employ standards for cost-effective, risk-
                based information security for all systems, 
                operations, and assets within or under the 
                supervision of the agency that are more 
                stringent than the standards promulgated by the 
                Director under this section, if such standards 
                contain, at a minimum, the provisions of those 
                applicable standards made compulsory and 
                binding by the Director; and
                  (B) to the greatest extent practicable and if 
                the head of the agency determines that the 
                standards described in subparagraph (A) are 
                necessary, employ those standards.
          (2) Evaluation of more stringent standards.--In 
        evaluating the need to employ more stringent standards 
        under paragraph (1), the head of an agency shall 
        consider available risk information, such as--
                  (A) the status of cybersecurity remedial 
                actions of the agency;
                  (B) any vulnerability information relating to 
                agency systems that is known to the agency;
                  (C) incident information of the agency;
                  (D) information from--
                          (i) penetration testing performed 
                        under section 3559A of title 44; and
                          (ii) information from the 
                        vulnerability disclosure program 
                        established under section 3559B of 
                        title 44;
                  (E) agency threat hunting results under 
                section 205 of the Federal Information Security 
                Modernization Act of 2021;
                  (F) Federal and non-Federal threat 
                intelligence;
                  (G) data on compliance with standards issued 
                under this section;
                  (H) agency system risk assessments performed 
                under section 3554(a)(1)(A) of title 44; and
                  (I) any other information determined relevant 
                by the head of the agency.
    (d) * * *
          (1) * * *
          (2) [Notice and Comment] Consultation, notice, and 
        comment.--A decision by the Director to promulgate, 
        significantly modify, or not promulgate, a proposed 
        standard submitted to the Director by the National 
        Institute of Standards and Technology, as provided 
        under section 20 of the National Institute of Standards 
        and Technology Act (15 U.S.C. 278g-3), [shall be made 
        after the public is given an opportunity to comment on 
        the Director's proposed decision.] shall be made--
                  (A) for a decision to significantly modify or 
                not promulgate such a proposed standard, after 
                the public is given an opportunity to comment 
                on the Director's proposed decision;
                  (B) in consultation with the Chief 
                Information Officers Council, the Director of 
                the Cybersecurity and Infrastructure Security 
                Agency, the National Cyber Director, the 
                Comptroller General of the United States, and 
                the Council of the Inspectors General on 
                Integrity and Efficiency;
                  (C) considering the Federal risk assessments 
                performed under section 3553(i) of title 44; 
                and
                  (D) considering the extent to which the 
                proposed standard reduces risk relative to the 
                cost of implementation of the standard.
    (e) Review of Office of Management and Budget Guidance and 
Policy.--
          (1) Conduct of review.--
                  (A) In general.--Not less frequently than 
                once every 3 years, the Director of the Office 
                of Management and Budget, in consultation with 
                the Chief Information Officers Council, the 
                Director of the Cybersecurity and 
                Infrastructure Security Agency, the National 
                Cyber Director, the Comptroller General of the 
                United States, and the Council of the 
                Inspectors General on Integrity and Efficiency 
                shall review the efficacy of the guidance and 
                policy promulgated by the Director in reducing 
                cybersecurity risks, including an assessment of 
                the requirements for agencies to report 
                information to the Director, and determine 
                whether any changes to that guidance or policy 
                is appropriate.
                  (B) Federal risk assessments.--In conducting 
                the review described in subparagraph (A), the 
                Director shall consider the Federal risk 
                assessments performed under section 3553(i) of 
                title 44.
          (2) Updated guidance.--Not later than 90 days after 
        the date on which a review is completed under paragraph 
        (1), the Director of the Office of Management and 
        Budget shall issue updated guidance or policy to 
        agencies determined appropriate by the Director, based 
        on the results of the review.
          (3) Public report.--Not later than 30 days after the 
        date on which a review is completed under paragraph 
        (1), the Director of the Office of Management and 
        Budget shall make publicly available a report that 
        includes--
                  (A) an overview of the guidance and policy 
                promulgated under this section that is 
                currently in effect;
                  (B) the cybersecurity risk mitigation, or 
                other cybersecurity benefit, offered by each 
                guidance or policy document described in 
                subparagraph (A); and
                  (C) a summary of the guidance or policy to 
                which changes were determined appropriate 
                during the review and what the changes are 
                anticipated to include.
          (4) Congressional briefing.--Not later than 30 days 
        after the date on which a review is completed under 
        paragraph (1), the Director shall provide to the 
        Committee on Homeland Security and Governmental Affairs 
        of the Senate and the Committee on Oversight and Reform 
        of the House of Representatives a briefing on the 
        review.
    (f) Automated Standard Implementation Verification.--When 
the Director of the National Institute of Standards and 
Technology issues a proposed standard pursuant to paragraphs 
(2) and (3) of section 20(a) of the National Institute of 
Standards and Technology Act (15 U.S.C. 278g-3(a)), the 
Director of the National Institute of Standards and Technology 
shall consider developing and, if appropriate and practical, 
develop, in consultation with the Director of the Cybersecurity 
and Infrastructure Security Agency, specifications to enable 
the automated verification of the implementation of the 
controls within the standard.

           *       *       *       *       *       *       *


TITLE 41--PUBLIC CONTRACTS

           *       *       *       *       *       *       *


Subtitle I--Federal Procurement Policy

           *       *       *       *       *       *       *


Division B--Office of Federal Procurement Policy

           *       *       *       *       *       *       *



CHAPTER 13--ACQUISITION COUNCILS

           *       *       *       *       *       *       *



Subchapter III--Federal Acquisition Supply Chain Security

           *       *       *       *       *       *       *



SEC. 1328. TERMINATION

    This subchapter shall terminate on [the date that is 5 
years after the date of the enactment of the Federal 
Acquisition Supply Chain Security Act of 2018] December 31, 
2026.

           *       *       *       *       *       *       *


TITLE 44--PUBLIC BUILDINGS, PROPERTY, AND WORKS

           *       *       *       *       *       *       *


         CHAPTER 35--COORDINATION OF FEDERAL INFORMATION POLICY

Sec.
3501. Purposes
     * * * * * * *

                Subchapter II--Federal Information Policy

3552. Definitions
[3553. Authority and functions of the Director and the Secretary]
3553. Authority and functions of the Director and the Director of the 
          Cybersecurity and Infrastructure Security Agency.
3554. Federal agency responsibilities.
[3555. Annual independent evaluation.]
3555. Independent evaluation.
     * * * * * * *
3559A. Federal penetration testing.
3559B. Federal vulnerability disclosure programs.
     * * * * * * *

             Subchapter IV--Federal System Incident Response

3591. Definitions.
3592. Notification of breach.
3593. Congressional and Executive Branch reports.
3594. Government information sharing and incident response.
3595. Responsibilities of contractors and awardees.
3596. Training.
3597. Analysis and report on Federal incidents.
3598. Major incident definition.
     * * * * * * *

                Subchapter I--Federal Information Policy


SEC. 3501. PURPOSES

           *       *       *       *       *       *       *


                INFORMATION SECURITY RESPONSIBILITIES OF
                            CERTAIN AGENCIES

    Pub. L. 107-347, title III, 301(c)(1)(A), Dec. 17, 2002, 
116 Stat. 2955, provided that: ``Nothing in this Act [see 
Tables for classification] (including any amendment made by 
this Act) shall supersede any authority of the Secretary of 
Defense, the Director of Central Intelligence, or other agency 
head, as authorized by law and as directed by the President, 
with regard to the operation, control, or management of 
national security systems, as defined by [section 3542(b)(2)] 
section 3552(b) of title 44, United States Code.''

           *       *       *       *       *       *       *


SEC. 3504. AUTHORITY AND FUNCTIONS OF DIRECTOR

    (a)(1) * * *
          (A) * * *
          (B) provide direction and oversee--
                  (i) * * *

           *       *       *       *       *       *       *

                  [(v) privacy, confidentiality, security, 
                disclosure, and sharing of information; and]
                  (v) confidentiality, disclosure, and sharing 
                of information;
                  (vi) in consultation with the National Cyber 
                Director and the Director of the Cybersecurity 
                and Infrastructure Security Agency, security of 
                information; and
                  [(vi)](vii) * * *

           *       *       *       *       *       *       *

    (g) * * *
          [(1) develop and oversee the implementation of 
        policies, principles, standards, and guidelines on 
        privacy, confidentiality, security, disclosure and 
        sharing of information collected or maintained by or 
        for agencies; and]
          (1) with respect to information collected or 
        maintained by or for agencies--
                  (A) develop and oversee the implementation of 
                policies, principles, standards, and guidelines 
                on privacy, confidentiality, disclosure, and 
                sharing of the information; and
                  (B) in consultation with the National Cyber 
                Director and the Director of the Cybersecurity 
                and Infrastructure Security Agency, develop and 
                oversee policies, principles, standards, and 
                guidelines on security of the information; and
    (h) * * *
          (1) in consultation with the Director of the 
        Cybersecurity and Infrastructure Security Agency and 
        the National Cyber Director, the Director of the 
        National Institute of Standards and Technology, and the 
        Administrator of General Services--
                  (A) develop and oversee the implementation of 
                policies, principles, standards, and guidelines 
                for information technology security and 
                functions and activities of the Federal 
                Government, including periodic evaluations of 
                major information systems; and

           *       *       *       *       *       *       *


SEC. 3505. ASSIGNMENT OF TASKS AND DEADLINES

    (a) * * *

           *       *       *       *       *       *       *

    (c) * * *
          (1) * * *
          (2) * * *
          (3) Such inventory shall be--
                  (A) * * *
                  (B) made available to the Director of the 
                Cybersecurity and Infrastructure Security 
                Agency, the National Cyber Director, and the 
                Comptroller General; [and]
                  (C) * * *
                          (i) * * *

           *       *       *       *       *       *       *

                          (v) preparation of information system 
                        inventories required for records 
                        management under chapters 21, 29, 31, 
                        and 33[.]; and
                  (D) maintained on a continual basis through 
                the use of automation, machine-readable data, 
                and scanning.

           *       *       *       *       *       *       *

    [(c) Inventory of Information Systems.--(1) The head of 
each agency shall develop and maintain an inventory of the 
information systems (including national security systems) 
operated by or under the control of such agency;
          (2) The identification of information systems in an 
        inventory under this subsection shall include an 
        identification of the interfaces between each such 
        system and all other systems or networks, including 
        those not operated by or under the control of the 
        agency;
          (3) Such inventory shall be--
                  (A) updated at least annually;
                  (B) made available to the Comptroller 
                General; and
                  (C) used to support information resources 
                management, including--
                          (i) preparation and maintenance of 
                        the inventory of information resources 
                        under section 3506(b)(4);
                          (ii) information technology planning, 
                        budgeting, acquisition, and management 
                        under section 3506(h), subtitle III of 
                        title 40, and related laws and 
                        guidance;
                          (iii) monitoring, testing, and 
                        evaluation of information security 
                        controls under subchapter II;
                          (iv) preparation of the index of 
                        major information systems required 
                        under section 552(g) of title 5, United 
                        States Code; and
                          (v) preparation of information system 
                        inventories required for records 
                        management under chapters 21, 29, 31, 
                        and 33.]

           *       *       *       *       *       *       *


SEC. 3506. FEDERAL AGENCY RESPONSIBILITIES

    (a) * * *
    (b) * * *
          (1) * * *
                  (A) * * *
                  (B) * * *
                  (C) Improve the integrity, availability, 
                quality, and utility of information to all 
                users within and outside the agency, including 
                capabilities for ensuring dissemination of 
                public information, public access to government 
                information, and protections for privacy and 
                security;

           *       *       *       *       *       *       *

    (h) * * *
          (1) * * *
          (2) * * *
          (3) promote the use of information technology by the 
        agency to improve the productivity, efficiency, 
        security, and effectiveness of agency programs, 
        including the reduction of information collection 
        burdens on the public and improved dissemination of 
        public information;

           *       *       *       *       *       *       *


SEC. 3513. DIRECTOR REVIEW OF AGENCY ACTIVITIES; REPORTING; AGENCY 
                    RESPONSE

    (a) * * *
    (b) * * *
    (c) Each agency providing a written plan under subsection 
(b) shall provide any portion of the written plan addressing 
information security or cybersecurity to the Director of the 
Cybersecurity and Infrastructure Security Agency.
    [(c)] (d) Comparable Treatment.--Notwithstanding any other 
provision of law, the Director shall treat or review a rule or 
order prescribed or proposed by the Director of the Bureau of 
Consumer Financial Protection on the same terms and conditions 
as apply to any rule or order prescribed or proposed by the 
Board of Governors of the Federal Reserve System.

           *       *       *       *       *       *       *


                  Subchapter II--Information Security


SEC. 3551. PURPOSES

    The purposes of this subchapter are to--
          (1) * * *
          (2) * * *
          (3) recognize the role of the Cybersecurity and 
        Infrastructure Security Agency as the lead entity for 
        operational cybersecurity coordination across the 
        Federal Government;
          [(3)] (4) * * *
          [(4)] (5) provide a mechanism for improved oversight 
        of Federal agency information security programs, 
        including through automated security tools to 
        continuously [diagnose and improve] integrate, deliver, 
        diagnose, and improve security;
          [(5)] (6) acknowledge that commercially developed 
        information security products offer advanced, dynamic, 
        robust, and effective information security solutions, 
        reflecting market solutions for the protection of 
        critical information infrastructures important to the 
        national defense and economic security of the nation 
        that are designed, built, and operated by the private 
        sector; [and]
          [(6)] (7) recognize that the selection of specific 
        technical hardware and software information security 
        solutions should be left to individual agencies from 
        among commercially developed products[.];
          (8) recognize that each agency has specific mission 
        requirements and, at times, unique cybersecurity 
        requirements to meet the mission of the agency;
          (9) recognize that each agency does not have the same 
        resources to secure agency systems, and an agency 
        should not be expected to have the capability to secure 
        the systems of the agency from advanced adversaries 
        alone; and
          (10) recognize that--
                  (A) a holistic Federal cybersecurity model is 
                necessary to account for differences between 
                the missions and capabilities of agencies; and
                  (B) in accounting for the differences 
                described in subparagraph (A) and ensuring 
                overall Federal cybersecurity--
                          (i) the Office of Management and 
                        Budget is the leader for policy 
                        development and oversight of Federal 
                        cybersecurity;
                          (ii) the Cybersecurity and 
                        Infrastructure Security Agency is the 
                        leader for implementing operations at 
                        agencies; and
                          (iii) the National Cyber Director is 
                        responsible for developing the overall 
                        cybersecurity strategy of the United 
                        States and advising the President on 
                        matters relating to cybersecurity.

           *       *       *       *       *       *       *


SEC. 3552. DEFINITIONS

    (a) * * *
    (b) Additional Definitions.--As used in this subchapter:
          (1) The term `additional cybersecurity procedure' 
        means a process, procedure, or other activity that is 
        established in excess of the information security 
        standards promulgated under section 11331(b) of title 
        40 to increase the security and reduce the 
        cybersecurity risk of agency systems.
          [(1)] (2) * * *
          [(2)] (3) * * *
          [(3)] (4) * * *
          [(4)] (5) * * *
          [(5)] (6) * * *
          (7) The term `high value asset' means information or 
        an information system that the head of an agency 
        determines so critical to the agency that the loss or 
        corruption of the information or the loss of access to 
        the information system would have a serious impact on 
        the ability of the agency to perform the mission of the 
        agency or conduct business.
          (8) The term `major incident' has the meaning given 
        the term in guidance issued by the Director under 
        section 3598(a).
          [(6)] (9) * * *
          (10) The term `penetration test' means a specialized 
        type of assessment that--
                  (A) is conducted on an information system or 
                a component of an information system; and
                  (B) emulates an attack or other exploitation 
                capability of a potential adversary, typically 
                under specific constraints, in order to 
                identify any vulnerabilities of an information 
                system or a component of an information system 
                that could be exploited.
          [(7)] (11) * * *
          (12) The term `shared service' means a centralized 
        business or mission capability that is provided to 
        multiple organizations within an agency or to multiple 
        agencies.

           *       *       *       *       *       *       *


SEC. 3553. [AUTHORITY AND FUNCTIONS OF THE DIRECTOR AND THE SECRETARY] 
                    AUTHORITY AND FUNCTIONS OF THE DIRECTOR AND THE 
                    DIRECTOR OF THE CYBERSECURITY AND INFRASTRUCTURE 
                    SECURITY AGENCY

    (a) * * *
          (1) in coordination with the Director of the 
        Cybersecurity and Infrastructure Security Agency and 
        the National Cyber Director, developing and overseeing 
        the implementation of policies, principles, standards, 
        and guidelines on information security, including 
        through ensuring timely agency adoption of and 
        compliance with standards promulgated under section 
        11331 of title 40;

           *       *       *       *       *       *       *

          (5) overseeing, in consultation with the Director of 
        the Cybersecurity and Infrastructure Security Agency 
        and the National Cyber Director, agency compliance with 
        the requirements of this subchapter and section 1326 of 
        title 41, including through any authorized action under 
        section 11303 of title 40, to enforce accountability 
        for compliance with such requirements; [and]
          (6) * * *
          (7) developing a standard risk-based budget model to 
        inform Federal agency cybersecurity budget development; 
        and
          (8) promoting, in consultation with the Director of 
        the Cybersecurity and Infrastructure Security Agency 
        and the Director of the National Institute of Standards 
        and Technology--
                  (A) the use of automation to improve Federal 
                cybersecurity and visibility with respect to 
                the implementation of Federal cybersecurity; 
                and
                  (B) the use of presumption of compromise and 
                least privilege principles to improve 
                resiliency and timely response actions to 
                incidents on Federal systems.
    (b) [Secretary] Cybersecurity and Infrastructure Security 
Agency.--[The Secretary, in consultation with the Director] The 
Director of the Cybersecurity and Infrastructure Security 
Agency, in consultation with the Director and the National 
Cyber Director, shall administer the implementation of agency 
information security policies and practices for information 
systems, except for national security systems and information 
systems described in paragraph (2) or (3) of subsection (e), 
including--
          (1) * * *
          (2) * * *
                  (A) requirements for reporting security 
                incidents to the Federal information security 
                incident center established under section 3556 
                and reporting requirements under subchapter IV 
                of this title;
                  (B) * * *
                  (C) * * *
                  (D) other operational requirements as [the 
                Director or Secretary] the Director of the 
                Cybersecurity and Infrastructure Security 
                Agency, in consultation with the Director, may 
                determine necessary;
          (3) * * *
          (4) * * *
          (5) [coordinating] leading the coordination of 
        Government-wide efforts on information security 
        policies and practices, including consultation with the 
        Chief Information Officers Council established under 
        section 3603 and the Director of the National Institute 
        of Standards and Technology;
          (6) * * *
          (7) * * *
          (8) upon request by an agency, and at [the 
        Secretary's discretion] the Director of the 
        Cybersecurity and Infrastructure Security Agency's 
        discretion, with or without reimbursement--
                  (A) * * *
                  (B) deploying, operating, and maintaining 
                secure technology platforms and tools, 
                including networks and common business 
                applications, for use by the agency to perform 
                agency functions, including collecting, 
                maintaining, storing, processing, 
                disseminating, and analyzing information; [and]
          (9) performing penetration testing with or without 
        advance notice to, or authorization from, agencies, to 
        identify vulnerabilities within Federal information 
        systems; and
          [(9)] (10) other actions [as the Director or the 
        Secretary, in consultation with the Director,] as the 
        Director of the Cybersecurity and Infrastructure 
        Security Agency may determine necessary to carry out 
        this subsection.
    (c) Report.--Not later than March 1 of [each year] each 
year during which agencies are required to submit reports under 
section 3554(c), the Director, in consultation with the 
Secretary, shall submit to Congress a report on the 
effectiveness of information security policies and practices 
during the preceding year, including--
          [(1) a summary of the incidents described in the 
        annual reports required to be submitted under section 
        3554(c)(1), including a summary of the information 
        required under section 3554(c)(1)(A)(iii);]
          [(2)] (1) * * *
          [(3)] (2) * * *
          [(4)] (3) an assessment of agency compliance with 
        standards promulgated under section 11331 of title 40; 
        [and]
          (4) a summary of each assessment of Federal risk 
        posture performed under subsection (i);
          (5) an assessment of agency compliance with data 
        breach notification policies and procedures issued by 
        the Director[.]; and
          (6) an assessment of--
                  (A) Federal agency implementation of the 
                model required under subsection (a)(7);
                  (B) how cyber vulnerabilities of Federal 
                agencies changed from the previous year; and
                  (C) whether the model mitigates the cyber 
                vulnerabilities of the Federal Government;

           *       *       *       *       *       *       *

    (h) * * *
    (i) Federal Risk Assessments.--On an ongoing and continuous 
basis, the Director of the Cybersecurity and Infrastructure 
Security Agency shall perform assessments of Federal risk 
posture using any available information on the cybersecurity 
posture of agencies, and brief the Director and National Cyber 
Director on the findings of those assessments including--
          (1) the status of agency cybersecurity remedial 
        actions described in section 3554(b)(7);
          (2) any vulnerability information relating to the 
        systems of an agency that is known by the agency;
          (3) analysis of incident information under section 
        3597;
          (4) evaluation of penetration testing performed under 
        section 3559A;
          (5) evaluation of vulnerability disclosure program 
        information under section 3559B;
          (6) evaluation of agency threat hunting results;
          (7) evaluation of Federal and non-Federal threat 
        intelligence;
          (8) data on agency compliance with standards issued 
        under section 11331 of title 40;
          (9) agency system risk assessments performed under 
        section 3554(a)(1)(A); and
          (10) any other information the Director of the 
        Cybersecurity and Infrastructure Security Agency 
        determines relevant.
    [(i)] (j) Annual Report to Congress.--Not later than 
February 1 of each year, the Director and the Secretary shall 
submit to the appropriate congressional committees a report 
[regarding the specific] that includes a summary of--
          (1) the specific actions the Director and the 
        Secretary have taken pursuant to subsection (a)(5), 
        including any actions taken pursuant to section 
        11303(b)(5) of title 40[.]; and
          (2) the trends identified in the Federal risk 
        assessment performed under subsection (i).
    [(j)] (k) * * *
    [(k)] (l) * * *
    [(l)] (m) * * *
    (n) Binding Operational Directives.--If the Director of the 
Cybersecurity and Infrastructure Security Agency issues a 
binding operational directive or an emergency directive under 
this section, not later than 2 days after the date on which the 
binding operational directive requires an agency to take an 
action, the Director of the Cybersecurity and Infrastructure 
Security Agency shall provide to the appropriate reporting 
entities the status of the implementation of the binding 
operational directive at the agency.

           *       *       *       *       *       *       *


SEC. 3554. FEDERAL AGENCY RESPONSIBILITIES

    (a) * * *
          (1) be responsible for--
                  (A) on an ongoing and continuous basis, 
                performing agency system risk assessments 
                that--
                          (i) identify and document the high 
                        value assets of the agency using 
                        guidance from the Director;
                          (ii) evaluate the data assets 
                        inventoried under section 3511 of title 
                        44 for sensitivity to compromises in 
                        confidentiality, integrity, and 
                        availability;
                          (iii) identify agency systems that 
                        have access to or hold the data assets 
                        inventoried under section 3511 of title 
                        44;
                          (iv) evaluate the threats facing 
                        agency systems and data, including high 
                        value assets, based on Federal and non-
                        Federal cyber threat intelligence 
                        products, where available;
                          (v) evaluate the vulnerability of 
                        agency systems and data, including high 
                        value assets, including by analyzing--
                                  (I) the results of 
                                penetration testing performed 
                                by the Department of Homeland 
                                Security under section 
                                3553(b)(9);
                                  (II) the results of 
                                penetration testing performed 
                                under section 3559A;
                                  (III) information provided to 
                                the agency through the 
                                vulnerability disclosure 
                                program of the agency under 
                                section 3559B;
                                  (IV) incidents; and
                                  (V) any other vulnerability 
                                information relating to agency 
                                systems that is known to the 
                                agency;
                          (vi) assess the impacts of potential 
                        agency incidents to agency systems, 
                        data, and operations based on the 
                        evaluations described in clauses (ii) 
                        and (iv) and the agency systems 
                        identified under clause (iii); and
                          (vii) assess the consequences of 
                        potential incidents occurring on agency 
                        systems that would impact systems at 
                        other agencies, including due to 
                        interconnectivity between different 
                        agency systems or operational reliance 
                        on the operations of the system or data 
                        in the system;
                  [(A)] (B) [providing information] using 
                information from the assessment conducted under 
                subparagraph (A), providing, in coordination 
                with the Director of the Cybersecurity and 
                Infrastructure Security Agency, information 
                security protections commensurate with the risk 
                and magnitude of the harm resulting from 
                unauthorized access, use, disclosure, 
                disruption, modification, or destruction of--
                  [(B)] (C) complying with the requirements of 
                this subchapter, subchapter III of chapter 13 
                of title 41, and related policies, procedures, 
                standards, and guidelines, including--
                          (i) information security standards 
                        promulgated under section 11331 of 
                        title 40;
                          (ii) binding operational directives 
                        developed by the Secretary under 
                        section 3553(b);
                          (iii) policies and procedures issued 
                        by the Director;
                          (iv) information security standards 
                        and guidelines for national security 
                        systems issued in accordance with law 
                        and as directed by the President;
                          (v) emergency directives issued by 
                        the Secretary under section 3553(h); 
                        and
                          (vi) responsibilities relating to 
                        assessing and avoiding, mitigating, 
                        transferring, or accepting supply chain 
                        risks under section 1326 of title 41, 
                        and complying with exclusion and 
                        removal orders issued under section 
                        1323 of such title; [and]
                  [(C)] (D) * * *
                  (E) providing an update on the ongoing and 
                continuous assessment performed under 
                subparagraph (A)--
                          (i) upon request, to the inspector 
                        general of the agency or the 
                        Comptroller General of the United 
                        States; and
                          (ii) on a periodic basis, as 
                        determined by guidance issued by the 
                        Director but not less frequently than 
                        annually, to--
                                  (I) the Director;
                                  (II) the Director of the 
                                Cybersecurity and 
                                Infrastructure Security Agency; 
                                and
                                  (III) the National Cyber 
                                Director;
                  (F) in consultation with the Director of the 
                Cybersecurity and Infrastructure Security 
                Agency and not less frequently than once every 
                3 years, performing an evaluation of whether 
                additional cybersecurity procedures are 
                appropriate for securing a system of, or under 
                the supervision of, the agency, which shall--
                          (i) be completed considering the 
                        agency system risk assessment performed 
                        under subparagraph (A); and
                          (ii) include a specific evaluation 
                        for high value assets;
                  (G) not later than 30 days after completing 
                the evaluation performed under subparagraph 
                (F), providing the evaluation and an 
                implementation plan, if applicable, for using 
                additional cybersecurity procedures determined 
                to be appropriate to--
                          (i) the Director of the Cybersecurity 
                        and Infrastructure Security Agency;
                          (ii) the Director; and
                          (iii) the National Cyber Director; 
                        and
                  (H) if the head of the agency determines 
                there is need for additional cybersecurity 
                procedures, ensuring that those additional 
                cybersecurity procedures are reflected in the 
                budget request of the agency in accordance with 
                the risk-based cyber budget model developed 
                pursuant to section 3553(a)(7);
          (2) * * *
                  (A) assessing the risk and magnitude of the 
                harm that could result from the unauthorized 
                access, use, disclosure, disruption, 
                modification, or destruction of such 
                information or information systems in 
                accordance with the agency system risk 
                assessment performed under paragraph (1)(A);
                  (B) determining the levels of information 
                security appropriate to protect such 
                information and information systems [in 
                accordance with standards] in accordance with--
                          (i) standards promulgated under 
                        section 11331 of title 40, for 
                        information security classifications 
                        and related requirements;
                          (ii) the evaluation performed under 
                        paragraph (1)(F); and
                          (iii) the implementation plan 
                        described in paragraph (1)(G);
                  (C) * * *
                  (D) periodically, through the use of 
                penetration testing, the vulnerability 
                disclosure program established under section 
                3559B, and other means, testing and evaluating 
                information security controls and techniques to 
                ensure that they are effectively implemented;
          (3) * * *
                  (A) * * *
                          (i) * * *
                          (ii) * * *
                          (iii) have information security 
                        duties as that official's primary duty; 
                        [and]
                          (iv) head an office with the mission 
                        and resources to assist in ensuring 
                        agency compliance with this section; 
                        and
                          (v) ensure that--
                                  (I) senior agency information 
                                security officers of component 
                                agencies carry out 
                                responsibilities under this 
                                subchapter, as directed by the 
                                senior agency information 
                                security officer of the agency 
                                or an equivalent official; and
                                  (II) senior agency 
                                information security officers 
                                of component agencies report 
                                to--
                                          (aa) the senior 
                                        information security 
                                        officer of the agency 
                                        or an equivalent 
                                        official; and
                                          (bb) the Chief 
                                        Information Officer of 
                                        the component agency or 
                                        an equivalent official;

           *       *       *       *       *       *       *

          (5) ensure that the agency Chief Information Officer, 
        in coordination with other senior agency officials, 
        reports annually to the agency head and the Director of 
        the Cybersecurity and Infrastructure Security Agency on 
        the effectiveness of the agency information security 
        program, including progress of remedial actions;
          (6) * * *
          (7) * * *
    (b) * * *
          [(1) periodic assessments of the risk and magnitude 
        of the harm that could result from the unauthorized 
        access, use, disclosure, disruption, modification, or 
        destruction of information and information systems that 
        support the operations and assets of the agency, which 
        may include using automated tools consistent with 
        standards and guidelines promulgated under section 
        11331 of title 40;]
          (1) pursuant to subsection (a)(1)(A), performing 
        ongoing and continuous agency system risk assessments, 
        which may include using guidelines and automated tools 
        consistent with standards and guidelines promulgated 
        under section 11331 of title 40, as applicable;
          (2) * * *
                  (A) * * *
                  [(B) cost-effectively reduce information 
                security risks to an acceptable level;]
                  (B) comply with the risk-based cyber budget 
                model developed pursuant to section 3553(a)(7);
                  (C) * * *
                  (D) * * *
                          (i) * * *
                          (ii) * * *
                          (iii) binding operational directives 
                        and emergency directives promulgated by 
                        the Director of the Cybersecurity and 
                        Infrastructure Security Agency under 
                        section 3553;
                          [(iii)] (iv) minimally acceptable 
                        system configuration requirements, [as 
                        determined by the agency; and] as 
                        determined by the agency, considering--
                                  (I) the agency risk 
                                assessment performed under 
                                subsection (a)(1)(A); and
                                  (II) the determinations of 
                                applying more stringent 
                                standards and additional 
                                cybersecurity procedures 
                                pursuant to section 11331(c)(1) 
                                of title 40; and
                          [(iv)] (v) * * *
          (3) * * *
          (4) * * *
          (5) * * *
                  (A) shall include testing, including 
                penetration testing, as appropriate, of 
                management, operational, and technical controls 
                of every information system identified in the 
                inventory required under section 3505(c);
                  (B) * * *
                  (C) * * *
          (6) a process for [planning, implementing, 
        evaluating, and documenting] planning and implementing 
        and, in consultation with the Director of the 
        Cybersecurity and Infrastructure Security Agency, 
        evaluating and documenting remedial action to address 
        any deficiencies in the information security policies, 
        procedures, and practices of the agency;
          (7) a process for providing the status of every 
        remedial action and known system vulnerability to the 
        Director and the Director of the Cybersecurity and 
        Infrastructure Security Agency, using automation and 
        machine-readable data to the greatest extent 
        practicable;
          [(7)] (8) * * *
                  (A) * * *
                  (B) * * *
                  (C) shall include--
                          (i) * * *
                          [(ii) notifying and consulting with 
                        the Federal information security 
                        incident center established in section 
                        3556; and]
                          (ii) notifying and consulting with 
                        the Federal information security 
                        incident center established under 
                        section 3556 pursuant to the 
                        requirements of section 3594;
                          (iii) performing the notifications 
                        and other activities required under 
                        subchapter IV of this title; and
                          [(iii)] (iv) notifying and consulting 
                        with, as appropriate--
                                  (I) law enforcement agencies 
                                [and relevant offices of 
                                inspectors general] and Offices 
                                of General Counsel;
                                  (II) an office designated by 
                                the President for any incident 
                                involving a national security 
                                system; and
                                  [(III) for a major incident, 
                                the committees of Congress 
                                described in subsection 
                                (c)(1)]--
                                          (aa) not later than 7 
                                        days after the date on 
                                        which there is a 
                                        reasonable basis to 
                                        conclude that the major 
                                        incident has occurred; 
                                        and
                                          (bb) after the 
                                        initial notification 
                                        under item (aa), within 
                                        a reasonable period of 
                                        time after additional 
                                        information relating to 
                                        the incident is 
                                        discovered, including 
                                        the summary required 
                                        under subsection 
                                        (c)(1)(A)(i); and]
                                  [(IV)] (III) any other agency 
                                or office, in accordance with 
                                law or as directed by the 
                                President; and
          [(8)] (9) * * *
    (c) * * *
          [(1) Annual report.--
                  (A) In general.--Each agency shall submit to 
                the Director, the Secretary, the Committee on 
                Government Reform, the Committee on Homeland 
                Security, and the Committee on Science of the 
                House of Representatives, the Committee on 
                Homeland Security and Governmental Affairs and 
                the Committee on Commerce, Science, and 
                Transportation of the Senate, the appropriate 
                authorization and appropriations committees of 
                Congress, and the Comptroller General a report 
                on the adequacy and effectiveness of 
                information security policies, procedures, and 
                practices, including--
                          (i) a description of each major 
                        information security incident or 
                        related sets of incidents, including 
                        summaries of--
                                  (I) the threats and threat 
                                actors, vulnerabilities, and 
                                impacts relating to the 
                                incident;
                                  (II) the risk assessments 
                                conducted under section 
                                3554(a)(2)(A) of the affected 
                                information systems before the 
                                date on which the incident 
                                occurred;
                                  (III) the status of 
                                compliance of the affected 
                                information systems with 
                                applicable security 
                                requirements at the time of the 
                                incident; and
                                  (IV) the detection, response, 
                                and remediation actions;
                          (ii) the total number of information 
                        security incidents, including a 
                        description of incidents resulting in 
                        significant compromise of information 
                        security, system impact levels, types 
                        of incident, and locations of affected 
                        systems;
                          (iii) a description of each major 
                        information security incident that 
                        involved a breach of personally 
                        identifiable information, as defined by 
                        the Director, including--
                                  (I) the number of individuals 
                                whose information was affected 
                                by the major information 
                                security incident; and
                                  (II) a description of the 
                                information that was breached 
                                or exposed; and
                          (iv) any other information as the 
                        Director or the Secretary, in 
                        consultation with the Director, may 
                        require.
                  (B) Unclassified report.--
                          (i) In general.--Each report 
                        submitted under subparagraph (A) shall 
                        be in unclassified form, but may 
                        include a classified annex.
                          (ii) Access to information.--The head 
                        of an agency shall ensure that, to the 
                        greatest extent practicable, 
                        information is included in the 
                        unclassified version of the reports 
                        submitted by the agency under 
                        subparagraph (A).]
          (1) Biannual report.--Not later than 2 years after 
        the date of enactment of the Federal Information 
        Security Modernization Act of 2021 and not less 
        frequently than once every 2 years thereafter, using 
        the continuous and ongoing agency system risk 
        assessment under subsection (a)(1)(A), the head of each 
        agency shall submit to the Director, the Director of 
        the Cybersecurity and Infrastructure Security Agency, 
        the Committee on Homeland Security and Governmental 
        Affairs of the Senate, the Committee on Oversight and 
        Reform of the House of Representatives, the Committee 
        on Homeland Security of the House of Representatives, 
        the appropriate authorization and appropriations 
        committees of Congress, the National Cyber Director, 
        and the Comptroller General of the United States a 
        report that--
                  (A) summarizes the agency system risk 
                assessment performed under subsection 
                (a)(1)(A);
                  (B) evaluates the adequacy and effectiveness 
                of information security policies, procedures, 
                and practices of the agency to address the 
                risks identified in the agency system risk 
                assessment performed under subsection 
                (a)(1)(A);
                  (C) summarizes the evaluation and 
                implementation plans described in subparagraphs 
                (F) and (G) of subsection (a)(1) and whether 
                those evaluation and implementation plans call 
                for the use of additional cybersecurity 
                procedures determined to be appropriate by the 
                agency; and
                  (D) summarizes the status of remedial actions 
                identified by inspector general of the agency, 
                the Comptroller General of the United States, 
                and any other source determined appropriate by 
                the head of the agency.
          (2) Unclassified reports.--Each report submitted under 
        paragraph (1)--
                  (A) shall be, to the greatest extent 
                practicable, in an unclassified and otherwise 
                uncontrolled form; and
                  (B) may include a classified annex.
          (3) Access to information.--The head of an agency 
        shall ensure that, to the greatest extent practicable, 
        information is included in the unclassified form of the 
        report submitted by the agency under paragraph (2)(A).
          (4) Briefings.--During each year during which a 
        report is not required to be submitted under paragraph 
        (1), the Director shall provide to the congressional 
        committees described in paragraph (1) a briefing 
        summarizing current agency and Federal risk postures.
          [(2)] (5) Other plans and reports.--Each agency shall 
        address the adequacy and effectiveness of information 
        security policies, procedures, and practices in 
        management plans and reports, including the reporting 
        procedures established under section 11315(d) of title 
        40 and subsection (a)(3)(A)(v) of this section. 
    (d) Performance Plan.--
          (1) In addition to the requirements of subsection 
        (c), each agency, in consultation with the Director and 
        the Director of the Cybersecurity and Infrastructure 
        Security Agency, shall include as part of the 
        performance plan required under section 1115 of title 
        31 a description of--
                  (A) * * *
                  (B) * * *
          (2) The description under paragraph (1) and the risk-
        based budget model required under section 3553(a)(7) 
        shall be based on the risk assessments required under 
        subsection (b)(1).

SEC. 3555. [ANNUAL INDEPENDENT] INDEPENDENT EVALUATION.

    (a) In General.--
          (1) Each year during which a report is required to be 
        submitted under section 3553(c), each agency shall have 
        performed an independent evaluation of the information 
        security program and practices of that agency to 
        determine the effectiveness of such program and 
        practices.
          (2) Each evaluation under this section shall 
        include--
                  (A) testing of the effectiveness of 
                information security policies, procedures, and 
                practices of a representative subset of the 
                agency's information systems, including by 
                penetration testing and analyzing the 
                vulnerability disclosure program of the agency;
                  (B) an assessment of the effectiveness of the 
                information security policies, procedures, and 
                practices of the agency; [and]
                  (C) separate presentations, as appropriate, 
                regarding information security relating to 
                national security systems[.]; and
                  (D) an assessment of how the agency 
                implemented the risk-based budget model 
                required under section 3553(a)(7) and an 
                evaluation of whether the model mitigates 
                agency cyber vulnerabilities.
          (3) An evaluation under this section may include 
        recommendations for improving the cybersecurity posture 
        of the agency.
    (b) * * *
          (1) for each agency with an Inspector General 
        appointed under the Inspector General Act of 1978, the 
        [annual] evaluation required by this section shall be 
        performed by the Inspector General or by an independent 
        external auditor, as determined by the Inspector 
        General of the agency; and

           *       *       *       *       *       *       *

    (e) Agency Reporting.--
          (1) Each year during which a report is required to be 
        submitted under section 3553(c), not later than such 
        date established by the Director, the head of each 
        agency shall submit to the Director the results of the 
        evaluation required under this section.
          (2) * * *
    [(f) Protection of Information.--Agencies and evaluators 
shall take appropriate steps to ensure the protection of 
information which, if disclosed, may adversely affect 
information security. Such protections shall be commensurate 
with the risk and comply with all applicable laws and 
regulations.]
    (f) Protection of Information.--
          (1) Agencies, evaluators, and other recipients of 
        information that, if disclosed, may cause grave harm to 
        the efforts of Federal information security officers, 
        including the appropriate congressional committees, 
        shall take appropriate steps to ensure the protection 
        of that information, including safeguarding the 
        information from public disclosure.
          (2) The protections required under paragraph (1) 
        shall be commensurate with the risk and comply with all 
        applicable laws and regulations.
          (3) With respect to information that is not related 
        to national security systems, agencies and evaluators 
        shall make a summary of the information unclassified 
        and publicly available, including information that does 
        not identify--
                  (A) specific information system incidents; or
                  (B) specific information system 
                vulnerabilities. 
    (g) * * *
          (1) * * *
          (2) The Director's report to Congress under [this 
        subsection shall] this subsection--
                  (A) shall summarize information regarding 
                information security relating to national 
                security systems in such a manner as to ensure 
                appropriate protection for information 
                associated with any information security 
                vulnerability in such system commensurate with 
                the risk and in accordance with all applicable 
                laws[.];
                  (B) identify any entity that performs an 
                independent evaluation under subsection (b).

           *       *       *       *       *       *       *

    (i) * * *
    [(j) Guidance.--The Director, in consultation with the 
Secretary, the Chief Information Officers Council established 
under section 3603, the Council of the Inspectors General on 
Integrity and Efficiency, and other interested parties as 
appropriate, shall ensure the development of guidance for 
evaluating the effectiveness of an information security program 
and practices.]
    (j) Guidance.--
          (1) In general.--The Director, in consultation with 
        the Director of the Cybersecurity and Infrastructure 
        Security Agency, the Chief Information Officers 
        Council, the Council of the Inspectors General on 
        Integrity and Efficiency, and other interested parties 
        as appropriate, shall ensure the development of 
        guidance for evaluating the effectiveness of an 
                        information security program and practices.
          (2) Priorities.--The guidance developed under 
        paragraph (1) shall prioritize the identification of--
                  (A) the most common threat patterns 
                experienced by each agency;
                  (B) the security controls that address the 
                threat patterns described in subparagraph (A); 
                and
                  (C) any other security risks unique to the 
                networks of each agency.

           *       *       *       *       *       *       *


SEC. 3556. FEDERAL INFORMATION SECURITY INCIDENT CENTER.

    (a) In General.--The Secretary shall ensure the operation 
of a central Federal information security incident center 
within the Cybersecurity and Infrastructure Security Agency 
to--
          (1) * * *
          (2) * * *
          (3) * * *
          (4) provide, as appropriate, intelligence and other 
        information about cyber threats, vulnerabilities, and 
        incidents to agencies to assist in risk assessments 
        conducted under section [3554(b)] 3554(a)(1)(A); and

           *       *       *       *       *       *       *


SEC. 3559A. FEDERAL PENETRATION TESTING.

    (a) Definitions.--In this section:
          (1) Agency operational plan.--The term `agency 
        operational plan' means a plan of an agency for the use 
        of penetration testing.
          (2) Rules of engagement.--The term `rules of 
        engagement' means a set of rules established by an 
        agency for the use of penetration testing.
    (b) Guidance.--
          (1) In general.--The Director shall issue guidance 
        that--
                  (A) requires agencies to use, when and where 
                appropriate, penetration testing on agency 
                systems; and 
                  (B) requires agencies to develop an agency 
                operational plan and rules of engagement that 
                meet the requirements under subsection (c).
          (2) Penetration testing guidance.--The guidance 
        issued under this section shall--
                  (A) permit an agency to use, for the purpose 
                of performing penetration testing--
                          (i) a shared service of the agency or 
                        another agency; or
                          (ii) an external entity, such as a 
                        vendor; and
                  (B) require agencies to provide the rules of 
                engagement and results of penetration testing 
                to the Director and the Director of the 
                Cybersecurity and Infrastructure Security 
                Agency, without regard to the status of the 
                entity that performs the penetration testing.
    (c) Agency Plans and Rules of Engagement.--The agency 
operational plan and rules of engagement of an agency shall--
          (1) require the agency to--
                  (A) perform penetration testing on the high 
                value assets of the agency; or
                  (B) coordinate with the Director of the 
                Cybersecurity and Infrastructure Security 
                Agency to ensure that penetration testing is 
                being performed;
          (2) establish guidelines for avoiding, as a result of 
        penetration testing--
                  (A) adverse impacts to the operations of the 
                agency;
                  (B) adverse impacts to operational 
                environments and systems of the agency; and
                  (C) inappropriate access to data;
          (3) require the results of penetration testing to 
        include feedback to improve the cybersecurity of the 
        agency; and
          (4) include mechanisms for providing consistently 
        formatted, and, if applicable, automated and machine-
        readable, data to the Director and the Director of the 
        Cybersecurity and Infrastructure Security Agency.
    (d) Responsibilities of CISA.--The Director of the 
Cybersecurity and Infrastructure Security Agency shall--
          (1) establish a process to assess the performance of 
        penetration testing by both Federal and non-Federal 
        entities that establishes minimum quality controls for 
        penetration testing;
          (2) develop operational guidance for instituting 
        penetration testing programs at agencies;
          (3) develop and maintain a centralized capability to 
        offer penetration testing as a service to Federal and 
        non-Federal entities; and
          (4) provide guidance to agencies on the best use of 
        penetration testing resources.
    (e) Responsibilities of OMB.--The Director, in coordination 
with the Director of the Cybersecurity and Infrastructure 
Security Agency, shall--
          (1) not less frequently than annually, inventory all 
        Federal penetration testing assets; and
          (2) develop and maintain a standardized process for 
        the use of penetration testing.
    (f) Prioritization of Penetration Testing Resources.--
          (1) In general.--The Director, in coordination with 
        the Director of the Cybersecurity and Infrastructure 
        Security Agency, shall develop a framework for 
        prioritizing Federal penetration testing resources 
        among agencies.
          (2) Considerations.--In developing the framework 
        under this subsection, the Director shall consider--
                  (A) agency system risk assessments performed 
                under section 3554(a)(1)(A);
                  (B) the Federal risk assessment performed 
                under section 3553(i);
                  (C) the analysis of Federal incident data 
                performed under section 3597; and
                  (D) any other information determined 
                appropriate by the Director or the Director of 
                the Cybersecurity and Infrastructure Security 
                Agency.
    (g) Exception for National Security Systems.--The guidance 
issued under subsection (b) shall not apply to national 
security systems.
    (h) Delegation of Authority for Certain Systems.--The 
authorities of the Director described in subsection (b) shall 
be delegated--
          (1) to the Secretary of Defense in the case of 
        systems described in section 3553(e)(2); and
          (2) to the Director of National Intelligence in the 
        case of systems described in 3553(e)(3).

SEC. 3559B. FEDERAL VULNERABILITY DISCLOSURE PROGRAMS.

    (a) Definitions.--In this section:
          (1) Report.--The term `report' means a vulnerability 
        disclosure made to an agency by a reporter.
          (2) Reporter.--The term `reporter' means an 
        individual that submits a vulnerability report pursuant 
        to the vulnerability disclosure process of an agency.
    (b) Responsibilities of OMB.--
          (1) Limitation on legal action.--The Director, in 
        consultation with the Attorney General, shall issue 
        guidance to agencies to not recommend or pursue legal 
        action against a reporter or an individual that 
        conducts a security research activity that the head of 
        the agency determines--
                  (A) represents a good faith effort to follow 
                the vulnerability disclosure policy of the 
                agency developed under subsection (d)(2); and
                  (B) is authorized under the vulnerability 
                disclosure policy of the agency developed under 
                subsection (d)(2).
          (2) Sharing information with CISA.--The Director, in 
        coordination with the Director of the Cybersecurity and 
        Infrastructure Security Agency and the National Cyber 
        Director, shall issue guidance to agencies on sharing 
        relevant information in a consistent, automated, and 
        machine readable manner with the Cybersecurity and 
        Infrastructure Security Agency, including--
                  (A) any valid or credible reports of newly 
                discovered or not publicly known 
                vulnerabilities (including misconfigurations) 
                on Federal information systems that use 
                commercial software or services;
                  (B) information relating to vulnerability 
                disclosure, coordination, or remediation 
                activities of an agency, particularly as those 
                activities relate to outside organizations--
                          (i) with which the head of the agency 
                        believes the Director of the 
                        Cybersecurity and Infrastructure 
                        Security Agency can assist; or
                          (ii) about which the head of the 
                        agency believes the Director of the 
                        Cybersecurity and Infrastructure 
                        Security Agency should know; and
                  (C) any other information with respect to 
                which the head of the agency determines helpful 
                or necessary to involve the Cybersecurity and 
                Infrastructure Security Agency.
          (3) Agency vulnerability disclosure policies.--The 
        Director shall issue guidance to agencies on the 
        required minimum scope of agency systems covered by the 
        vulnerability disclosure policy of an agency required 
        under subsection (d)(2).
    (c) Responsibilities of CISA.--The Director of the 
Cybersecurity and Infrastructure Security Agency shall--
          (1) provide support to agencies with respect to the 
        implementation of the requirements of this section;
          (2) develop tools, processes, and other mechanisms 
        determined appropriate to offer agencies capabilities 
        to implement the requirements of this section; and
          (3) upon a request by an agency, assist the agency in 
        the disclosure to vendors of newly identified 
        vulnerabilities in vendor products and services.
    (d) Responsibilities of Agencies.--
          (1) Public information.--The head of each agency 
        shall make publicly available, with respect to each 
        internet domain under the control of the agency that is 
        not a national security system--
                  (A) an appropriate security contact; and
                  (B) the component of the agency that is 
                responsible for the internet accessible 
                services offered at the domain.
          (2) Vulnerability disclosure policy.--The head of 
        each agency shall develop and make publicly available a 
        vulnerability disclosure policy for the agency, which 
        shall--
                  (A) describe--
                          (i) the scope of the systems of the 
                        agency included in the vulnerability 
                        disclosure policy;
                          (ii) the type of information system 
                        testing that is authorized by the 
                        agency;
                          (iii) the type of information system 
                        testing that is not authorized by the 
                        agency; and
                          (iv) the disclosure policy of the 
                        agency for sensitive information;
                  (B) with respect to a report to an agency, 
                describe--
                          (i) how the reporter should submit 
                        the report; and
                          (ii) if the report is not anonymous, 
                        when the reporter should anticipate an 
                        acknowledgment of receipt of the report 
                        by the agency;
                  (C) include any other relevant information; 
                and
                  (D) be mature in scope, to cover all Federal 
                information systems used or operated by that 
                agency or on behalf of that agency.
          (3) Identified vulnerabilities.--The head of each 
        agency shall incorporate any vulnerabilities reported 
        under paragraph (2) into the vulnerability management 
        process of the agency in order to track and remediate 
        the vulnerability.
    (e) Paperwork Reduction Act Exemption.--The requirements of 
subchapter I (commonly known as the `Paperwork Reduction Act') 
shall not apply to a vulnerability disclosure program 
established under this section.
    (f) Congressional Reporting.--Not later than 90 days after 
the date of enactment of the Federal Information Security 
Modernization Act of 2021, and annually thereafter for a 3-year 
period, the Director shall provide to the Committee on Homeland 
Security and Governmental Affairs of the Senate and the 
Committee on Oversight and Reform of the House of 
Representatives a briefing on the status of the use of 
vulnerability disclosure policies under this section at 
agencies, including, with respect to the guidance issued under 
subsection (b)(3), an identification of the agencies that are 
compliant and not compliant.
    (g) Exemptions.--The authorities and functions of the 
Director and Director of the Cybersecurity and Infrastructure 
Security Agency under this section shall not apply to national 
security systems.
    (h) Delegation of Authority for Certain Systems.--The 
authorities of the Director and the Director of the 
Cybersecurity and Infrastructure Security Agency described in 
this section shall be delegated--
          (1) to the Secretary of Defense in the case of 
        systems described in section 3553(e)(2); and
          (2) to the Director of National Intelligence in the 
        case of systems described in section 3553(e)(3).

           *       *       *       *       *       *       *


Subchapter IV--Federal System Incident Response

           *       *       *       *       *       *       *


SEC. 3591. DEFINITIONS

    (a) In General.--Except as provided in subsection (b), the 
definitions under sections 3502 and 3552 shall apply to this 
subchapter.
    (b) Additional Definitions.--As used in this subchapter:
          (1) Appropriate reporting entities.--The term 
        `appropriate reporting entities' means--
                  (A) the majority and minority leaders of the 
                Senate;
                  (B) the Speaker and minority leader of the 
                House of Representatives;
                  (C) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                  (D) the Committee on Oversight and Reform of 
                the House of Representatives;
                  (E) the Committee on Homeland Security of the 
                House of Representatives;
                  (F) the appropriate authorization and 
                appropriations committees of Congress;
                  (G) the Director;
                  (H) the Director of the Cybersecurity and 
                Infrastructure Security Agency;
                  (I) the National Cyber Director;
                  (J) the Comptroller General of the United 
                States; and
                  (K) the inspector general of any impacted 
                agency.
          (2) Awardee.--The term `awardee'--
                  (A) means a person, business, or other entity 
                that receives a grant from, or is a party to a 
                cooperative agreement with, an agency; and
                  (B) includes any subgrantee of a person, 
                business, or other entity described in 
                subparagraph (A).
          (3) Breach.--The term `breach' means--
                  (A) a compromise of the security, 
                confidentiality, or integrity of data in 
                electronic form that results in unauthorized 
                access to, or an acquisition of, personal 
                information; or
                  (B) a loss of data in electronic form that 
                results in unauthorized access to, or an 
                acquisition of, personal information.
          (4) Contractor.--The term `contractor' means--
                  (A) a prime contractor of an agency or a 
                subcontractor of a prime contractor of an 
                agency; and
                  (B) any person or business that collects or 
                maintains information, including personally 
                identifiable information, on behalf of an 
                agency.
          (5) Federal information.--The term `Federal 
        information' means information created, collected, 
        processed, maintained, disseminated, disclosed, or 
        disposed of by or for the Federal Government in any 
        medium or form.
          (6) Federal information system.--The term `Federal 
        information system' means an information system used or 
        operated by an agency, a contractor, or another 
        organization on behalf of an agency.
          (7) Intelligence community.--The term `intelligence 
        community' has the meaning given the term in section 3 
        of the National Security Act of 1947 (50 U.S.C. 3003).
          (8) Nationwide consumer reporting agency.--The term 
        `nationwide consumer reporting agency' means a consumer 
        reporting agency described in section 603(p) of the 
        Fair Credit Reporting Act (15 U.S.C. 1681a(p)).
          (9) Vulnerability disclosure.--The term 
        `vulnerability disclosure' means a vulnerability 
        identified under section 3559B.

SEC. 3592. NOTIFICATION OF BREACH

    (a) Notification.--As expeditiously as practicable and 
without unreasonable delay, and in any case not later than 45 
days after an agency has a reasonable basis to conclude that a 
breach has occurred, the head of the agency, in consultation 
with a senior privacy officer of the agency, shall--
          (1) determine whether notice to any individual 
        potentially affected by the breach is appropriate based 
        on an assessment of the risk of harm to the individual 
        that considers--
                  (A) the nature and sensitivity of the 
                personally identifiable information affected by 
                the breach;
                  (B) the likelihood of access to and use of 
                the personally identifiable information 
                affected by the breach;
                  (C) the type of breach; and
                  (D) any other factors determined by the 
                Director; and
          (2) as appropriate, provide written notice in 
        accordance with subsection (b) to each individual 
        potentially affected by the breach--
                  (A) to the last known mailing address of the 
                individual; or
                  (B) through an appropriate alternative method 
                of notification that the head of the agency or 
                a designated senior-level individual of the 
                agency selects based on factors determined by 
                the Director.
    (b) Contents of Notice.--Each notice of a breach provided 
to an individual under subsection (a)(2) shall include--
          (1) a brief description of the rationale for the 
        determination that notice should be provided under 
        subsection (a);
          (2) if possible, a description of the types of 
        personally identifiable information affected by the 
        breach;
          (3) contact information of the agency that may be 
        used to ask questions of the agency, which--
                  (A) shall include an e-mail address or 
                another digital contact mechanism; and
                  (B) may include a telephone number or a 
                website;
          (4) information on any remedy being offered by the 
        agency;
          (5) any applicable educational materials relating to 
        what individuals can do in response to a breach that 
        potentially affects their personally identifiable 
        information, including relevant information to contact 
        Federal law enforcement agencies and each nationwide 
        consumer reporting agency; and
          (6) any other appropriate information, as determined 
        by the head of the agency or established in guidance by 
        the Director.
    (c) Delay of Notification.--
          (1) In general.--The Attorney General, the Director 
        of National Intelligence, or the Secretary of Homeland 
        Security may delay a notification required under 
        subsection (a) if the notification would--
                  (A) impede a criminal investigation or a 
                national security activity;
                  (B) reveal sensitive sources and methods;
                  (C) cause damage to national security; or
                  (D) hamper security remediation actions.
          (2) Documentation.--
                  (A) In general.--Any delay under paragraph 
                (1) shall be reported in writing to the 
                Director, the Attorney General, the Director of 
                National Intelligence, the Secretary of 
                Homeland Security, the Director of the 
                Cybersecurity and Infrastructure Security 
                Agency, and the head of the agency and the 
                inspector general of the agency that 
                experienced the breach.
                  (B) Contents.--A report required under 
                subparagraph (A) shall include a written 
                statement from the entity that delayed the 
                notification explaining the need for the delay.
                  (C) Form.--The report required under 
                subparagraph (A) shall be unclassified but may 
                include a classified annex.
          (3) Renewal.--A delay under paragraph (1) shall be 
        for a period of 60 days and may be renewed.
    (d) Update Notification.--If an agency determines there is 
a significant change in the reasonable basis to conclude that a 
breach occurred, a significant change to the determination made 
under subsection (a)(1), or that it is necessary to update the 
details of the information provided to impacted individuals as 
described in subsection (b), the agency shall as expeditiously 
as practicable and without unreasonable delay, and in any case 
not later than 30 days after such a determination, notify each 
individual who received a notification pursuant to subsection 
(a) of those changes.
    (e) Exemption From Notification.--
          (1) In general.--The head of an agency, in 
        consultation with the inspector general of the agency, 
        may request an exemption from the Director from 
        complying with the notification requirements under 
        subsection (a) if the information affected by the 
        breach is determined by an independent evaluation to be 
        unreadable, including, as appropriate, instances in 
        which the information is--
                  (A) encrypted; and
                  (B) determined by the Director of the 
                Cybersecurity and Infrastructure Security 
                Agency to be of sufficiently low risk of 
                exposure.
          (2) Approval.--The Director shall determine whether 
        to grant an exemption requested under paragraph (1) in 
        consultation with--
                  (A) the Director of the Cybersecurity and 
                Infrastructure Security Agency; and
                  (B) the Attorney General.
          (3) Documentation.--Any exemption granted by the 
        Director under paragraph (1) shall be reported in 
        writing to the head of the agency and the inspector 
        general of the agency that experienced the breach and 
        the Director of the Cybersecurity and Infrastructure 
        Security Agency.
    (f) Rule of Construction.--Nothing in this section shall be 
construed to limit--
          (1) the Director from issuing guidance relating to 
        notifications or the head of an agency from notifying 
        individuals potentially affected by breaches that are 
        not determined to be major incidents; or
          (2) the Director from issuing guidance relating to 
        notifications of major incidents or the head of an 
        agency from providing more information than described 
        in subsection (b) when notifying individuals 
        potentially affected by breaches.

SEC. 3593. CONGRESSIONAL AND EXECUTIVE BRANCH REPORTS

    (a) Initial Report.--
          (1) In general.--Not later than 72 hours after an 
        agency has a reasonable basis to conclude that a major 
        incident occurred, the head of the agency impacted by 
        the major incident shall submit to the appropriate 
        reporting entities a written report and, to the extent 
        practicable, provide a briefing to the Committee on 
        Homeland Security and Governmental Affairs of the 
        Senate, the Committee on Oversight and Reform of the 
        House of Representatives, the Committee on Homeland 
        Security of the House of Representatives, and the 
        appropriate authorization and appropriations committees 
        of Congress, taking into account--
                  (A) the information known at the time of the 
                report;
                  (B) the sensitivity of the details associated 
                with the major incident; and
                  (C) the classification level of the 
                information contained in the report.
          (2) Contents.--A report required under paragraph (1) 
        shall include, in a manner that excludes or otherwise 
        reasonably protects personally identifiable information 
        and to the extent permitted by applicable law, 
        including privacy and statistical laws--
                  (A) a summary of the information available 
                about the major incident, including how the 
                major incident occurred, information indicating 
                that the major incident may be a breach, and 
                information relating to the major incident as a 
                breach, based on information available to 
                agency officials as of the date on which the 
                agency submits the report;
                  (B) if applicable, a description and any 
                associated documentation of any circumstances 
                necessitating a delay in or exemption to 
                notification to individuals potentially 
                affected by the major incident under subsection 
                (c) or (e) of section 3592; and
                  (C) if applicable, an assessment of the 
                impacts to the agency, the Federal Government, 
                or the security of the United States, based on 
                information available to agency officials on 
                the date on which the agency submits the 
                report.
    (b) Supplemental Report.--Within a reasonable amount of 
time, but not later than 30 days after the date on which an 
agency submits a written report under subsection (a), the head 
of the agency shall provide to the appropriate reporting 
entities written updates on the major incident and, to the 
extent practicable, provide a briefing to the congressional 
committees described in subsection (a)(1), including summaries 
of--
          (1) vulnerabilities, means by which the major 
        incident occurred, and impacts to the agency relating 
        to the major incident;
          (2) any risk assessment and subsequent risk-based 
        security implementation of the affected information 
        system before the date on which the major incident 
        occurred;
          (3) the status of compliance of the affected 
        information system with applicable security 
        requirements at the time of the major incident;
          (4) an estimate of the number of individuals 
        potentially affected by the major incident based on 
        information available to agency officials as of the 
        date on which the agency provides the update;
          (5) an assessment of the risk of harm to individuals 
        potentially affected by the major incident based on 
        information available to agency officials as of the 
        date on which the agency provides the update;
          (6) an update to the assessment of the risk to agency 
        operations, or to impacts on other agency or non-
        Federal entity operations, affected by the major 
        incident based on information available to agency 
        officials as of the date on which the agency provides 
        the update; and
          (7) the detection, response, and remediation actions 
        of the agency, including any support provided by the 
        Cybersecurity and Infrastructure Security Agency under 
        section 3594(d) and status updates on the notification 
        process described in section 3592(a), including any 
        delay or exemption described in subsection (c) or (e), 
        respectively, of section 3592, if applicable.
    (c) Update Report.--If the agency determines that there is 
any significant change in the understanding of the agency of 
the scope, scale, or consequence of a major incident for which 
an agency submitted a written report under subsection (a), the 
agency shall provide an updated report to the appropriate 
reporting entities that includes information relating to the 
change in understanding.
    (d) Annual Report.--Each agency shall submit as part of the 
annual report required under section 3554(c)(1) of this title a 
description of each major incident that occurred during the 1-
year period preceding the date on which the report is 
submitted.
    (e) Delay and Exemption Report.--
          (1) In general.--The Director shall submit to the 
        appropriate notification entities an annual report on 
        all notification delays and exemptions granted pursuant 
        to subsections (c) and (d) of section 3592.
          (2) Component of other report.--The Director may 
        submit the report required under paragraph (1) as a 
        component of the annual report submitted under section 
        3597(b).
    (f) Report Delivery.--Any written report required to be 
submitted under this section may be submitted in a paper or 
electronic format.
    (g) Threat Briefing.--
          (1) In general.--Not later than 7 days after the date 
        on which an agency has a reasonable basis to conclude 
        that a major incident occurred, the head of the agency, 
        jointly with the National Cyber Director and any other 
        Federal entity determined appropriate by the National 
        Cyber Director, shall provide a briefing to the 
        congressional committees described in subsection (a)(1) 
        on the threat causing the major incident.
          (2) Components.--The briefing required under 
        paragraph (1)--
                  (A) shall, to the greatest extent 
                practicable, include an unclassified component; 
                and
                  (B) may include a classified component.
    (h) Rule of Construction.--Nothing in this section shall be 
construed to limit--
          (1) the ability of an agency to provide additional 
        reports or briefings to Congress; or
          (2) Congress from requesting additional information 
        from agencies through reports, briefings, or other 
        means.

SEC. 3594. GOVERNMENT INFORMATION SHARING AND INCIDENT RESPONSE

    (a) In General.--
          (1) Incident reporting.--The head of each agency 
        shall provide any information relating to any incident, 
        whether the information is obtained by the Federal 
        Government directly or indirectly, to the Cybersecurity 
        and Infrastructure Security Agency and the Office of 
        Management and Budget.
          (2) Contents.--A provision of information relating to 
        an incident made by the head of an agency under 
        paragraph (1) shall--
                  (A) include detailed information about the 
                safeguards that were in place when the incident 
                occurred;
                  (B) whether the agency implemented the 
                safeguards described in subparagraph (A) 
                correctly;
                  (C) in order to protect against a similar 
                incident, identify--
                          (i) how the safeguards described in 
                        subparagraph (A) should be implemented 
                        differently; and
                          (ii) additional necessary safeguards; 
                        and
                  (D) include information to aid in incident 
                response, such as--
                          (i) a description of the affected 
                        systems or networks;
                          (ii) the estimated dates of when the 
                        incident occurred; and
                          (iii) information that could 
                        reasonably help identify the party that 
                        conducted the incident.
          (3) Information sharing.--To the greatest extent 
        practicable, the Director of the Cybersecurity and 
        Infrastructure Security Agency shall share information 
        relating to an incident with any agencies that may be 
        impacted by the incident.
          (4) National security systems.--Each agency operating 
        or exercising control of a national security system 
        shall share information about incidents with the 
        Director of the Cybersecurity and Infrastructure 
        Security Agency to the extent consistent with standards 
        and guidelines for national security systems issued in 
        accordance with law and as directed by the President.
    (b) Compliance.--The information provided under subsection 
(a) shall take into account the level of classification of the 
information and any information sharing limitations and 
protections, such as limitations and protections relating to 
law enforcement, national security, privacy, statistical 
confidentiality, or other factors determined by the Director.
    (c) Incident Response.--Each agency that has a reasonable 
basis to conclude that a major incident occurred involving 
Federal information in electronic medium or form, as defined by 
the Director and not involving a national security system, 
regardless of delays from notification granted for a major 
incident, shall coordinate with the Cybersecurity and 
Infrastructure Security Agency regarding--
          (1) incident response and recovery; and
          (2) recommendations for mitigating future incidents.

SEC. 3595. RESPONSIBILITIES OF CONTRACTORS AND AWARDEES

    (a) Notification.--
          (1) In general.--Unless otherwise specified in a 
        contract, grant, or cooperative agreement, any 
        contractor or awardee of an agency shall report to the 
        agency within the same amount of time such agency is 
        required to report an incident to the Cybersecurity and 
        Infrastructure Security Agency, if the contractor or 
        awardee has a reasonable basis to conclude that--
                  (A) an incident or breach has occurred with 
                respect to Federal information collected, used, 
                or maintained by the contractor or awardee in 
                connection with the contract, grant, or 
                cooperative agreement of the contractor or 
                awardee;
                  (B) an incident or breach has occurred with 
                respect to a Federal information system used or 
                operated by the contractor or awardee in 
                connection with the contract, grant, or 
                cooperative agreement of the contractor or 
                awardee; or
                  (C) the contractor or awardee has received 
                information from the agency that the contractor 
                or awardee is not authorized to receive in 
                connection with the contract, grant, or 
                cooperative agreement of the contractor or 
                awardee.
          (2) Procedures.--
                  (A) Major incident.--Following a report of a 
                breach or major incident by a contractor or 
                awardee under paragraph (1), the agency, in 
                consultation with the contractor or awardee, 
                shall carry out the requirements under sections 
                3592, 3593, and 3594 with respect to the major 
                incident.
                  (B) Incident.--Following a report of an 
                incident by a contractor or awardee under 
                paragraph (1), an agency, in consultation with 
                the contractor or awardee, shall carry out the 
                requirements under section 3594 with respect to 
                the incident.
    (b) Effective Date.--This section shall apply on and after 
the date that is 1 year after the date of enactment of the 
Federal Information Security Modernization Act of 2021.

SEC. 3596. TRAINING

    (a) Covered Individual Defined.--In this section, the term 
`covered individual' means an individual who obtains access to 
Federal information or Federal information systems because of 
the status of the individual as an employee, contractor, 
awardee, volunteer, or intern of an agency.
    (b) Requirement.--The head of each agency shall develop 
training for covered individuals on how to identify and respond 
to an incident, including--
          (1) the internal process of the agency for reporting 
        an incident; and
          (2) the obligation of a covered individual to report 
        to the agency a confirmed major incident and any 
        suspected incident involving information in any medium 
        or form, including paper, oral, and electronic.
    (c) Inclusion in Annual Training.--The training developed 
under subsection (b) may be included as part of an annual 
privacy or security awareness training of an agency.

SEC. 3597. ANALYSIS AND REPORT ON FEDERAL INCIDENTS

    (a) Analysis of Federal Incidents.--
          (1) Quantitative and qualitative analyses.--The 
        Director of the Cybersecurity and Infrastructure 
        Security Agency shall develop, in consultation with the 
        Director and the National Cyber Director, and perform 
        continuous monitoring and quantitative and qualitative 
        analyses of incidents at agencies, including major 
        incidents, including--
                  (A) the causes of incidents, including--
                          (i) attacker tactics, techniques, and 
                        procedures; and
                          (ii) system vulnerabilities, 
                        including zero days, unpatched systems, 
                        and information system 
                        misconfigurations;
                  (B) the scope and scale of incidents at 
                agencies;
                  (C) cross Federal Government root causes of 
                incidents at agencies;
                  (D) agency incident response, recovery, and 
                remediation actions and the effectiveness of 
                those actions, as applicable; and
                  (E) lessons learned and recommendations in 
                responding to, recovering from, remediating, 
                and mitigating future incidents.
          (2) Automated analysis.--The analyses developed under 
        paragraph (1) shall, to the greatest extent 
        practicable, use machine readable data, automation, and 
        machine learning processes.
          (3) Sharing of data and analysis.--
                  (A) In general.--The Director shall share on 
                an ongoing basis the analyses required under 
                this subsection with agencies and the National 
                Cyber Director to--
                          (i) improve the understanding of 
                        cybersecurity risk of agencies; and
                          (ii) support the cybersecurity 
                        improvement efforts of agencies.
                  (B) Format.--In carrying out subparagraph 
                (A), the Director shall share the analyses--
                          (i) in human-readable written 
                        products; and
                          (ii) to the greatest extent 
                        practicable, in machine-readable 
                        formats in order to enable automated 
                        intake and use by agencies.
    (b) Annual Report on Federal Incidents.--Not later than 2 
years after the date of enactment of this section, and not less 
frequently than annually thereafter, the Director of the 
Cybersecurity and Infrastructure Security Agency, in 
consultation with the Director and other Federal agencies as 
appropriate, shall submit to the appropriate notification 
entities a report that includes--
          (1) a summary of causes of incidents from across the 
        Federal Government that categorizes those incidents as 
        incidents or major incidents;
          (2) the quantitative and qualitative analyses of 
        incidents developed under subsection (a)(1), including 
        specific analysis of breaches, on an agency-by-agency 
        basis and comprehensively across the Federal 
        Government; and
          (3) an annex for each agency that includes--
                  (A) a description of each major incident; and
                  (B) the total number of compromises of the 
                agency.
    (c) Publication.--A version of each report submitted under 
subsection (b) shall be made publicly available on the website 
of the Cybersecurity and Infrastructure Security Agency during 
the year in which the report is submitted.
    (d) Information Provided by Agencies.--
          (1) In general.--The analysis required under 
        subsection (a) and each report submitted under 
        subsection (b) shall use information provided by 
        agencies under section 3594(a).
          (2) Noncompliance reports.--
                  (A) In general.--Subject to subparagraph (B), 
                during any year during which the head of an 
                agency does not provide data for an incident to 
                the Cybersecurity and Infrastructure Security 
                Agency in accordance with section 3594(a), the 
                head of the agency, in coordination with the 
                Director of the Cybersecurity and 
                Infrastructure Security Agency and the 
                Director, shall submit to the appropriate 
                reporting entities a report that includes--
                          (i) data for the incident; and
                          (ii) the information described in 
                        subsection (b) with respect to the 
                        agency.
                  (B) Exception for national security 
                systems.--The head of an agency that owns or 
                exercises control of a national security system 
                shall not include data for an incident that 
                occurs on a national security system in any 
                report submitted under subparagraph (A).
          (3) National security system reports.--
                  (A) In general.--Annually, the head of an 
                agency that operates or exercises control of a 
                national security system shall submit a report 
                that includes the information described in 
                subsection (b) with respect to the agency to 
                the extent that the submission is consistent 
                with standards and guidelines for national 
                security systems issued in accordance with law 
                and as directed by the President to--
                          (i) the majority and minority leaders 
                        of the Senate;
                          (ii) the Speaker and minority leader 
                        of the House of Representatives;
                          (iii) the Committee on Homeland 
                        Security and Governmental Affairs of 
                        the Senate;
                          (iv) the Select Committee on 
                        Intelligence of the Senate;
                          (v) the Committee on Armed Services 
                        of the Senate;
                          (vi) the Committee on Oversight and 
                        Reform of the House of Representatives;
                          (vii) the Committee on Homeland 
                        Security of the House of 
                        Representatives;
                          (viii) the Permanent Select Committee 
                        on Intelligence of the House of 
                        Representatives; and
                          (ix) the Committee on Armed Services 
                        of the House of Representatives.
                  (B) Classified form.--A report required under 
                subparagraph (A) may be submitted in a 
                classified form.
    (e) Requirement for Compiling Information.--In publishing 
the public report required under subsection (c), the Director 
of the Cybersecurity and Infrastructure Security Agency shall 
sufficiently compile information such that no specific incident 
of an agency can be identified, except with the concurrence of 
the Director of the Office of Management and Budget and in 
consultation with the impacted agency.

SEC. 3598. MAJOR INCIDENT DEFINITION.

    (a) In General.--Not later than 180 days after the date of 
enactment of the Federal Information Security Modernization Act 
of 2021, the Director, in coordination with the Director of the 
Cybersecurity and Infrastructure Security Agency and the 
National Cyber Director, shall develop and promulgate guidance 
on the definition of the term `major incident' for the purposes 
of subchapter II and this subchapter.
    (b) Requirements.--With respect to the guidance issued 
under subsection (a), the definition of the term `major 
incident' shall--
          (1) include, with respect to any information 
        collected or maintained by or on behalf of an agency or 
        an information system used or operated by an agency or 
        by a contractor of an agency or another organization on 
        behalf of an agency--
                  (A) any incident the head of the agency 
                determines is likely to have an impact on--
                          (i) the national security, homeland 
                        security, or economic security of the 
                        United States; or
                          (ii) the civil liberties or public 
                        health and safety of the people of the 
                        United States;
                  (B) any incident the head of the agency 
                determines likely to result in an inability for 
                the agency, a component of the agency, or the 
                Federal Government, to provide 1 or more 
                critical services;
                  (C) any incident that the head of an agency, 
                in consultation with a senior privacy officer 
                of the agency, determines is likely to have a 
                significant privacy impact on 1 or more 
                individuals;
                  (D) any incident that the head of the agency, 
                in consultation with a senior privacy official 
                of the agency, determines is likely to have a 
                substantial privacy impact on a significant 
                number of individuals;
                  (E) any incident the head of the agency 
                determines impacts the operations of a high 
                value asset owned or operated by the agency;
                  (F) any incident involving the exposure of 
                sensitive agency information to a foreign 
                entity, such as the communications of the head 
                of the agency, the head of a component of the 
                agency, or the direct reports of the head of 
                the agency or the head of a component of the 
                agency; and
                  (G) any other type of incident determined 
                appropriate by the Director;
          (2) stipulate that the National Cyber Director shall 
        declare a major incident at each agency impacted by an 
        incident if the Director of the Cybersecurity and 
        Infrastructure Security Agency determines that an 
        incident--
                  (A) occurs at not less than 2 agencies; and
                  (B) is enabled by--
                          (i) a common technical root cause, 
                        such as a supply chain compromise, a 
                        common software or hardware 
                        vulnerability; or
                          (ii) the related activities of a 
                        common threat actor; and
          (3) stipulate that, in determining whether an 
        incident constitutes a major incident because that 
        incident--
                  (A) is any incident described in paragraph 
                (1), the head of an agency shall consult with 
                the Director of the Cybersecurity and 
                Infrastructure Security Agency;
                  (B) is an incident described in paragraph 
                (1)(A), the head of the agency shall consult 
                with the National Cyber Director; and
                  (C) is an incident described in subparagraph 
                (C) or (D) of paragraph (1), the head of the 
                agency shall consult with--
                          (i) the Privacy and Civil Liberties 
                        Oversight Board; and
                          (ii) the Executive Director of the 
                        Federal Trade Commission.
    (c) Significant Number of Individuals.--In determining what 
constitutes a significant number of individuals under 
subsection (b)(1)(D), the Director--
          (1) may determine a threshold for a minimum number of 
        individuals that constitutes a significant amount; and
          (2) may not determine a threshold described in 
        paragraph (1) that exceeds 5,000 individuals.
    (d) Evaluation and Updates.--Not later than 2 years after 
the date of enactment of the Federal Information Security 
Modernization Act of 2021, and not less frequently than every 2 
years thereafter, the Director shall submit to the Committee on 
Homeland Security and Governmental Affairs of the Senate and 
the Committee on Oversight and Reform of the House of 
Representatives an evaluation, which shall include--
          (1) an update, if necessary, to the guidance issued 
        under subsection (a);
          (2) the definition of the term `major incident' 
        included in the guidance issued under subsection (a); 
        and
          (3) an explanation of, and the analysis that led to, 
        the definition described in paragraph (2).

           *       *       *       *       *       *       *


HOMELAND SECURITY ACT OF 2002

           *       *       *       *       *       *       *


SEC. 1001. INFORMATION SECURITY.

    (a) * * *
    (b) * * *
    (c) Information Security Responsibilities of Certain 
Agencies.--
          (1) National security responsibilities.--(A) Nothing 
        in this Act (including any amendment made by this Act) 
        shall supersede any authority of the Secretary of 
        Defense, the Director of Central Intelligence, or other 
        agency head, as authorized by law and as directed by 
        the President, with regard to the operation, control, 
        or management of national security systems, as defined 
        by [section 3552(b)(5)] section 3552(b) of title 44, 
        United States Code.

           *       *       *       *       *       *       *


CYBERSECURITY ACT OF 2015

           *       *       *       *       *       *       *


TITLE II--NATIONAL CYBERSECURITY ADVANCEMENT

           *       *       *       *       *       *       *


Subtitle B--Federal Cybersecurity Enhancement

           *       *       *       *       *       *       *


SEC. 226. ASSESSMENT; REPORTS.

    (a) * * *
    (b) * * *
    (c) Reports to Congress.--
          (1) * * *
                  (A) * * *
                  (B) OMB report.--Not later than 18 months 
                after December 18, 2015, and [annually 
                thereafter] thereafter during the years during 
                which a report is required to be submitted 
                under section 3553(c) of title 44, United 
                States Code, the Director shall submit to 
                Congress, as part of the report required under 
                section 3553(c) of title 44, an analysis of 
                agency application of the intrusion detection 
                and prevention capabilities, including--

           *       *       *       *       *       *       *

          (2) * * *
                  (A) * * *
                  (B) not later than 1 year after December 18, 
                2015, and [annually thereafter] thereafter 
                during the years during which a report is 
                required to be submitted under section 3553(c) 
                of title 44, United States Code, submit to 
                Congress, as part of [the report required under 
                section 3553(c) of title 44] that report.

           *       *       *       *       *       *       *


                                  [all]