[House Report 118-939]
[From the U.S. Government Publishing Office]
118th Congress, 2d Session          HOUSE OF REPRESENTATIVES          Rept. 118-939, Part 1
======================================================================
FEDERAL INFORMATION SECURITY MODERNIZATION ACT
OF 2024
_______
December 19, 2024.--Committed to the Committee of the Whole House on
the State of the Union and ordered to be printed
_______
Mr. Comer, from the Committee on Oversight and Accountability,
submitted the following
R E P O R T
[To accompany H.R. 4552]
[Including cost estimate of the Congressional Budget Office]
The Committee on Oversight and Accountability, to whom was
referred the bill (H.R. 4552) to improve the cybersecurity of
the Federal Government, and for other purposes, having
considered the same, reports favorably thereon with an
amendment and recommends that the bill as amended do pass.
CONTENTS
Summary and Purpose of Legislation
Background and Need for Legislation
Section-by-Section Analysis
Legislative History
Committee Consideration
Roll Call Votes
Explanation of Amendments
List of Related Committee Hearings
Statement of Oversight Findings and Recommendations of the Committee
Statement of General Performance Goals and Objectives
Application of Law to the Legislative Branch
Duplication of Federal Programs
Federal Advisory Committee Act Statement
Unfunded Mandates Reform Act Statement
Earmark Identification
Committee Cost Estimate
New Budget Authority and Congressional Budget Office Cost Estimate
Changes in Existing Law Made by the Bill, as Reported
The amendment is as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Federal Information
Security Modernization Act of 2024''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Amendments to title 44.
Sec. 4. Amendments to subtitle III of title 40.
Sec. 5. Actions to enhance Federal incident transparency.
Sec. 6. Agency requirements to notify private sector entities impacted
by incidents.
Sec. 7. Federal penetration testing policy.
Sec. 8. Vulnerability disclosure policies.
Sec. 9. Implementing zero trust architecture.
Sec. 10. Automation and artificial intelligence.
Sec. 11. Federal cybersecurity requirements.
Sec. 12. Federal Chief Information Security Officer.
Sec. 13. Renaming Office of the Federal Chief Information Officer.
Sec. 14. Rules of construction.
SEC. 2. DEFINITIONS.
In this Act, unless otherwise specified:
(1) Agency.--The term ``agency'' has the meaning given the
term in section 3502 of title 44, United States Code.
(2) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Committee on Homeland Security and
Governmental Affairs of the Senate;
(B) the Committee on Oversight and Accountability of
the House of Representatives; and
(C) the Committee on Homeland Security of the House
of Representatives.
(3) Awardee.--The term ``awardee'' has the meaning given the
term in section 3591 of title 44, United States Code, as added
by this Act.
(4) Contractor.--The term ``contractor'' has the meaning
given the term in section 3591 of title 44, United States Code,
as added by this Act.
(5) Director.--The term ``Director'' means the Director of
the Office of Management and Budget.
(6) Federal information system.--The term ``Federal
information system'' has the meaning given the term in section
3591 of title 44, United States Code, as added by this Act.
(7) Incident.--The term ``incident'' has the meaning given
the term in section 3552(b) of title 44, United States Code.
(8) National security system.--The term ``national security
system'' has the meaning given the term in section 3552(b) of
title 44, United States Code.
(9) Penetration test.--The term ``penetration test'' has the
meaning given the term in section 3552(b) of title 44, United
States Code, as amended by this Act.
(10) Threat hunting.--The term ``threat hunting'' means
proactively and iteratively searching systems for threats and
vulnerabilities, including threats or vulnerabilities that may
evade detection by automated threat detection systems.
(11) Zero trust architecture.--The term ``zero trust
architecture'' has the meaning given the term in Special
Publication 800-207 of the National Institute of Standards and
Technology, or any successor document.
SEC. 3. AMENDMENTS TO TITLE 44.
(a) Subchapter I Amendments.--Subchapter I of chapter 35 of title 44,
United States Code, is amended--
(1) in section 3504--
(A) in subsection (a)(1)(B)--
(i) by striking clause (v) and inserting the
following:
``(v) privacy, confidentiality, disclosure, and
sharing of information;'';
(ii) by redesignating clause (vi) as clause
(vii); and
(iii) by inserting after clause (v) the
following:
``(vi) in consultation with the National Cyber
Director, security of information; and''; and
(B) in subsection (g)--
(i) by redesignating paragraph (2) as
paragraph (3); and
(ii) by striking paragraph (1) and inserting
the following:
``(1) develop and oversee the implementation of policies,
principles, standards, and guidelines on privacy,
confidentiality, disclosure, and sharing of information
collected or maintained by or for agencies;
``(2) in consultation with the National Cyber Director,
oversee the implementation of policies, principles, standards,
and guidelines on security, of information collected or
maintained by or for agencies; and'';
(2) in section 3505--
(A) by striking the first subsection designated as
subsection (c);
(B) in paragraph (2) of the second subsection
designated as subsection (c), by inserting ``an
identification of internet accessible information
systems and'' after ``an inventory under this
subsection shall include'';
(C) in paragraph (3) of the second subsection
designated as subsection (c)--
(i) in subparagraph (B)--
(I) by inserting ``the Director of
the Cybersecurity and Infrastructure
Security Agency, the National Cyber
Director, and'' before ``the
Comptroller General''; and
(II) by striking ``and'' at the end;
(ii) in subparagraph (C)(v), by striking the
period at the end and inserting ``; and''; and
(iii) by adding at the end the following:
``(D) maintained on a continual basis through the use
of automation, machine-readable data, and scanning,
wherever practicable.'';
(3) in section 3506--
(A) in subsection (a)(3), by inserting ``In carrying
out these duties, the Chief Information Officer shall
consult, as appropriate, with the Chief Data Officer in
accordance with the designated functions under section
3520(c).'' after ``reduction of information collection
burdens on the public.'';
(B) in subsection (b)(1)(C), by inserting
``availability,'' after ``integrity,'';
(C) in subsection (h)(3), by inserting ``security,''
after ``efficiency,''; and
(D) by adding at the end the following:
``(j)(1) Notwithstanding paragraphs (2) and (3) of subsection (a),
the head of each agency shall, in accordance with section 522(a) of
division H of the Consolidated Appropriations Act, 2005 (42 U.S.C.
2000ee-2), designate a Chief Privacy Officer with the necessary skills,
knowledge, and expertise, who shall have the authority and
responsibility to--
``(A) lead the privacy program of the agency; and
``(B) carry out the privacy responsibilities of the agency
under this chapter, section 552a of title 5, and guidance
issued by the Director.
``(2) The Chief Privacy Officer of each agency shall--
``(A) serve in a central leadership position within the
agency;
``(B) have visibility into relevant agency operations; and
``(C) be positioned highly enough within the agency to
regularly engage with other agency leaders and officials,
including the head of the agency.
``(3) A privacy officer of an agency established under a statute
enacted before the date of enactment of the Federal Information
Security Modernization Act of 2024 may carry out the responsibilities
under this subsection for the agency.''; and
(4) in section 3513--
(A) by redesignating subsection (c) as subsection
(d); and
(B) by inserting after subsection (b) the following:
``(c) Each agency providing a written plan under subsection (b) shall
provide any portion of the written plan addressing information security
to the Secretary of Homeland Security and the National Cyber
Director.''.
(b) Subchapter II Definitions.--
(1) In general.--Section 3552(b) of title 44, United States
Code, is amended--
(A) by redesignating paragraphs (2), (3), (4), (5),
(6), and (7) as paragraphs (3), (4), (5), (6), (8), and
(10), respectively;
(B) by inserting after paragraph (1) the following:
``(2) The term `high value asset' means information or an
information system that the head of an agency, using policies,
principles, standards, or guidelines issued by the Director
under section 3553(a), determines to be so critical to the
agency that the loss or degradation of the confidentiality,
integrity, or availability of such information or information
system would have a serious impact on the ability of the agency
to perform the mission of the agency or conduct business.'';
(C) by inserting after paragraph (6), as so
redesignated, the following:
``(7) The term `major incident' has the meaning given the
term in guidance issued by the Director under section
3598(a).'';
(D) in paragraph (8)(A), as so redesignated, in the
matter preceding clause (i), by striking ``used'' and
inserting ``owned, managed,'';
(E) by inserting after paragraph (8), as so
redesignated, the following:
``(9) The term `penetration test'--
``(A) means an authorized assessment that emulates
attempts to gain unauthorized access to, or disrupt the
operations of, an information system or component of an
information system; and
``(B) includes any additional meaning given the term
in policies, principles, standards, or guidelines
issued by the Director under section 3553(a).''; and
(F) by inserting after paragraph (10), as so
redesignated, the following:
``(11) The term `shared service' means a centralized mission
capability or consolidated business function that is provided
to multiple organizations within an agency or to multiple
agencies.
``(12) The term `zero trust architecture' has the meaning
given the term in Special Publication 800-207 of the National
Institute of Standards and Technology, or any successor
document.''.
(2) Conforming amendments.--
(A) Homeland security act of 2002.--Section
1001(c)(1)(A) of the Homeland Security Act of 2002 (6
U.S.C. 511(c)(1)(A)) is amended by striking ``section
3552(b)(5)'' and inserting ``section 3552(b)''.
(B) Title 10.--
(i) Section 2222.--Section 2222(i)(8) of
title 10, United States Code, is amended by
striking ``section 3552(b)(6)(A)'' and
inserting ``section 3552(b)(8)(A)''.
(ii) Section 2223.--Section 2223(c)(3) of
title 10, United States Code, is amended by
striking ``section 3552(b)(6)'' and inserting
``section 3552(b)''.
(iii) Section 3068.--Section 3068(b) of title
10, United States Code, is amended by striking
``section 3552(b)(6)'' and inserting ``section
3552(b)''.
(iv) Section 3252.--Section 3252(e)(5) of
title 10, United States Code, is amended by
striking ``section 3552(b)(6)'' and inserting
``section 3552(b)''.
(C) High-performance computing act of 1991.--Section
207(a) of the High-Performance Computing Act of 1991
(15 U.S.C. 5527(a)) is amended by striking ``section
3552(b)(6)(A)(i)'' and inserting ``section
3552(b)(8)(A)(i)''.
(D) Internet of things cybersecurity improvement act
of 2020.--Section 3(5) of the Internet of Things
Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-3a(5))
is amended by striking ``section 3552(b)(6)''
and inserting ``section 3552(b)''.
(E) National defense authorization act for fiscal
year 2013.--Section 933(e)(1)(B) of the National
Defense Authorization Act for Fiscal Year 2013 (10
U.S.C. 2224 note) is amended by striking ``section
3542(b)(2)'' and inserting ``section 3552(b)''.
(F) Ike skelton national defense authorization act
for fiscal year 2011.--The Ike Skelton National Defense
Authorization Act for Fiscal Year 2011 (Public Law 111-383)
is amended--
(i) in section 931(b)(3) (10 U.S.C. 2223
note), by striking ``section 3542(b)(2)'' and
inserting ``section 3552(b)''; and
(ii) in section 932(b)(2) (10 U.S.C. 2224
note), by striking ``section 3542(b)(2)'' and
inserting ``section 3552(b)''.
(G) E-Government act of 2002.--Section 301(c)(1)(A)
of the E-Government Act of 2002 (44 U.S.C. 3501 note)
is amended by striking ``section 3542(b)(2)'' and
inserting ``section 3552(b)''.
(H) National institute of standards and technology
act.--Section 20 of the National Institute of Standards
and Technology Act (15 U.S.C. 278g-3) is amended--
(i) in subsection (a)(2), by striking
``section 3552(b)(6)'' and inserting ``section
3552(b)''; and
(ii) in subsection (f)--
(I) in paragraph (2), by striking
``section 3532(1)'' and inserting
``section 3552(b)''; and
(II) in paragraph (5), by striking
``section 3532(b)(2)'' and inserting
``section 3552(b)''.
(c) Subchapter II Amendments.--Subchapter II of chapter 35 of title
44, United States Code, is amended--
(1) in section 3551--
(A) in paragraph (4), by striking ``diagnose and
improve'' and inserting ``integrate, deliver, diagnose,
and improve'';
(B) in paragraph (5), by striking ``and'' at the end;
(C) in paragraph (6), by striking the period at the
end and inserting a semicolon; and
(D) by adding at the end the following:
``(7) recognize that each agency has specific mission
requirements and, at times, unique cybersecurity requirements
to meet the mission of the agency;
``(8) recognize that each agency does not have the same
resources to secure agency systems, and an agency should not be
expected to have the capability to secure the systems of the
agency from advanced adversaries alone; and
``(9) recognize that a holistic Federal cybersecurity model
is necessary to account for differences between the missions
and capabilities of agencies.'';
(2) in section 3553--
(A) in subsection (a)--
(i) in paragraph (5), by striking ``and'' at
the end;
(ii) in paragraph (6), by striking the period
at the end and inserting ``; and''; and
(iii) by adding at the end the following:
``(7) promoting, in consultation with the Director of the
Cybersecurity and Infrastructure Security Agency, the National
Cyber Director, and the Director of the National Institute of
Standards and Technology--
``(A) the use of automation to improve Federal
cybersecurity and visibility with respect to the
implementation of Federal cybersecurity; and
``(B) the use of presumption of compromise and least
privilege principles, such as zero trust architecture,
to improve resiliency and timely response actions to
incidents on Federal systems.'';
(B) in subsection (b)--
(i) in the matter preceding paragraph (1), by
inserting ``and the National Cyber Director''
after ``Director'';
(ii) in paragraph (2)(A), by inserting ``and
reporting requirements under subchapter IV of
this chapter'' after ``section 3556'';
(iii) by redesignating paragraphs (8) and (9)
as paragraphs (10) and (11), respectively; and
(iv) by inserting after paragraph (7) the
following:
``(8) expeditiously seeking opportunities to reduce costs,
administrative burdens, and other barriers to information
technology security and modernization for agencies, including
through shared services (and appropriate commercial off-the-shelf
options for such shared services) for cybersecurity
capabilities identified as appropriate by the Director, in
coordination with the Director of the Cybersecurity and
Infrastructure Security Agency and other agencies as
appropriate;'';
(C) in subsection (c)--
(i) in the matter preceding paragraph (1)--
(I) by striking ``each year'' and
inserting ``each year during which
agencies are required to submit reports
under section 3554(c)'';
(II) by inserting ``, which shall be
unclassified but may include 1 or more
annexes that contain classified or
other sensitive information, as
appropriate'' after ``a report''; and
(III) by striking ``preceding year''
and inserting ``preceding 2 years'';
(ii) by striking paragraph (1);
(iii) by redesignating paragraphs (2), (3),
and (4) as paragraphs (1), (2), and (3),
respectively;
(iv) in paragraph (3), as so redesignated, by
striking ``and'' at the end; and
(v) by inserting after paragraph (3), as so
redesignated, the following:
``(4) a summary of the risks and trends identified in the
Federal risk assessment required under subsection (i); and'';
(D) in subsection (h)--
(i) in paragraph (2)--
(I) in subparagraph (A), by inserting
``and the National Cyber Director''
after ``in coordination with the
Director'';
(II) in subparagraph (B), by
inserting ``, the scope of the required
action (such as applicable software,
firmware, or hardware versions),''
after ``reasons for the required
action''; and
(III) in subparagraph (D), by
inserting ``, the National Cyber
Director,'' after ``notify the
Director''; and
(ii) in paragraph (3)(A)(iv), by inserting
``, the National Cyber Director'' after ``the
Secretary provides prior notice to the
Director'';
(E) by amending subsection (i) to read as follows:
``(i) Federal Risk Assessment.--On an ongoing and continual basis,
the Director of the Cybersecurity and Infrastructure Security Agency
shall assess the Federal risk posture using any available information
on the cybersecurity posture of agencies, and brief the Director and
National Cyber Director on the findings of such assessment, including--
``(1) the status of agency cybersecurity remedial actions for
high value assets described in section 3554(b)(7);
``(2) any vulnerability information relating to the systems
of an agency that is known by the agency;
``(3) analysis of incident information under section 3597;
``(4) evaluation of penetration testing performed under
section 3559A;
``(5) evaluation of vulnerability disclosure program
information under section 3559B;
``(6) evaluation of agency threat hunting results;
``(7) evaluation of Federal and non-Federal cyber threat
intelligence;
``(8) data on agency compliance with standards issued under
section 11331 of title 40;
``(9) agency system risk assessments required under section
3554(a)(1)(A);
``(10) relevant reports from inspectors general of agencies
and the Government Accountability Office; and
``(11) any other information the Director of the
Cybersecurity and Infrastructure Security Agency determines
relevant.''; and
(F) by adding at the end the following:
``(m) Directives.--
``(1) Emergency directive updates.--If the Secretary issues
an emergency directive under this section, the Director of the
Cybersecurity and Infrastructure Security Agency shall submit
to the Director, the National Cyber Director, the Committee on
Homeland Security and Governmental Affairs of the Senate, and
the Committees on Oversight and Accountability and Homeland
Security of the House of Representatives an update on the
status of the implementation of the emergency directive at
agencies not later than 7 days after the date on which the
emergency directive requires an agency to complete a
requirement specified by the emergency directive, and every 30
days thereafter until--
``(A) the date on which every agency has fully
implemented the emergency directive;
``(B) the Secretary determines that an emergency
directive no longer requires active reporting from
agencies or additional implementation; or
``(C) the date that is 1 year after the issuance of
the directive.
``(2) Binding operational directive updates.--If the
Secretary issues a binding operational directive under this
section, the Director of the Cybersecurity and Infrastructure
Security Agency shall submit to the Director, the National
Cyber Director, the Committee on Homeland Security and
Governmental Affairs of the Senate, and the Committees on
Oversight and Accountability and Homeland Security of the House
of Representatives an update on the status of the
implementation of the binding operational directive at agencies
not later than 30 days after the issuance of the binding
operational directive, and every 90 days thereafter until--
``(A) the date on which every agency has fully
implemented the binding operational directive;
``(B) the Secretary determines that a binding
operational directive no longer requires active
reporting from agencies or additional implementation;
or
``(C) the date that is 1 year after the issuance or
substantive update of the directive.
``(3) Report.--If the Director of the Cybersecurity and
Infrastructure Security Agency ceases submitting updates
required under paragraphs (1) or (2) on the date described in
paragraph (1)(C) or (2)(C), the Director of the Cybersecurity
and Infrastructure Security Agency shall submit to the
Director, the National Cyber Director, the Committee on
Homeland Security and Governmental Affairs of the Senate, and
the Committees on Oversight and Accountability and Homeland
Security of the House of Representatives a list of every agency
that, at the time of the report--
``(A) has not completed a requirement specified by an
emergency directive; or
``(B) has not implemented a binding operational
directive.
``(n) Review of Office of Management and Budget Guidance and
Policy.--
``(1) Conduct of review.--Not less frequently than once every
3 years, the Director of the Office of Management and Budget
shall review the efficacy of the guidance and policy
promulgated by the Director in reducing cybersecurity risks,
including a consideration of reporting and compliance burden on
agencies.
``(2) Congressional notification.--The Director of the Office
of Management and Budget shall notify the Committee on Homeland
Security and Governmental Affairs of the Senate and the
Committee on Oversight and Accountability of the House of
Representatives of the results of the review under paragraph
(1).
``(3) GAO review.--The Government Accountability Office shall
review guidance and policy promulgated by the Director to
assess its efficacy in risk reduction and burden on agencies.
``(o) Automated Standard Implementation Verification.--When the
Director of the National Institute of Standards and Technology issues a
proposed standard or guideline pursuant to paragraphs (2) or (3) of
section 20(a) of the National Institute of Standards and Technology Act
(15 U.S.C. 278g-3(a)), the Director of the National Institute of
Standards and Technology shall consider developing and, if appropriate
and practical, develop specifications to enable the automated
verification of the implementation of the controls.
``(p) Inspectors General Access to Federal Risk Assessments.--The
Director of the Cybersecurity and Infrastructure Security Agency shall,
upon request, make available Federal risk assessment information under
subsection (i) to the Inspector General of the Department of Homeland
Security and the inspector general of any agency that was included in
the Federal risk assessment.'';
(3) in section 3554--
(A) in subsection (a)--
(i) in paragraph (1)--
(I) by redesignating subparagraphs
(A), (B), and (C) as subparagraphs (B),
(C), and (D), respectively;
(II) by inserting before subparagraph
(B), as so redesignated, the following:
``(A) on an ongoing and continual basis, assessing
agency system risk, as applicable, by--
``(i) identifying and documenting the high
value assets of the agency using guidance from
the Director;
``(ii) evaluating the data assets inventoried
under section 3511 for sensitivity to
compromises in confidentiality, integrity, and
availability;
``(iii) identifying whether the agency is
participating in federally offered
cybersecurity shared services programs;
``(iv) identifying agency systems that have
access to or hold the data assets inventoried
under section 3511;
``(v) evaluating the threats facing agency
systems and data, including high value assets,
based on Federal and non-Federal cyber threat
intelligence products, where available;
``(vi) evaluating the vulnerability of agency
systems and data, including high value assets,
including by analyzing--
``(I) the results of penetration
testing performed by the Department of
Homeland Security under section
3553(b)(9);
``(II) the results of penetration
testing performed under section 3559A;
``(III) information provided to the
agency through the vulnerability
disclosure program of the agency under
section 3559B;
``(IV) incidents; and
``(V) any other vulnerability
information relating to agency systems
that is known to the agency;
``(vii) assessing the impacts of potential
agency incidents to agency systems, data, and
operations based on the evaluations described
in clauses (ii) and (v) and the agency systems
identified under clause (iv); and
``(viii) assessing the consequences of
potential incidents occurring on agency systems
that would impact systems at other agencies,
including due to interconnectivity between
different agency systems or operational
reliance on the operations of the system or
data in the system;'';
(III) in subparagraph (B), as so
redesignated, in the matter preceding
clause (i), by striking ``providing
information'' and inserting ``using
information from the assessment
required under subparagraph (A),
providing information'';
(IV) in subparagraph (C), as so
redesignated--
(aa) in clause (ii) by
inserting ``binding'' before
``operational''; and
(bb) in clause (vi), by
striking ``and'' at the end;
(V) in subparagraph (D), as so
redesignated, by inserting ``and''
after the semicolon at the end; and
(VI) by adding at the end the
following:
``(E) providing an update on the ongoing and
continual assessment required under subparagraph (A)--
``(i) upon request, to the inspector general
of the agency or the Comptroller General of the
United States; and
``(ii) at intervals determined by guidance
issued by the Director, and to the extent
appropriate and practicable using automation,
to--
``(I) the Director;
``(II) the Director of the
Cybersecurity and Infrastructure
Security Agency; and
``(III) the National Cyber
Director;'';
(ii) in paragraph (2)--
(I) in subparagraph (A), by inserting
``in accordance with the agency system
risk assessment required under
paragraph (1)(A)'' after ``information
systems''; and
(II) in subparagraph (D), by
inserting ``, through the use of
penetration testing, the vulnerability
disclosure program established under
section 3559B, and other means,'' after
``periodically'';
(iii) in paragraph (3)(A)--
(I) in the matter preceding clause
(i), by striking ``senior agency
information security officer'' and
inserting ``Chief Information Security
Officer'';
(II) in clause (i), by striking
``this section'' and inserting
``subsections (a) through (c)'';
(III) in clause (ii), by striking
``training and'' and inserting
``skills, training, and'';
(IV) by redesignating clauses (iii)
and (iv) as clauses (iv) and (v),
respectively;
(V) by inserting after clause (ii)
the following:
``(iii) manage information security,
cybersecurity budgets, and risk and compliance
activities and explain those concepts to the
head of the agency and the executive team of
the agency;''; and
(VI) in clause (iv), as so
redesignated, by striking ``information
security duties as that official's
primary duty'' and inserting
``information, computer network, and
technology security duties as the Chief
Information Security Officer's primary
duty'';
(iv) in paragraph (5), by striking
``annually'' and inserting ``not less
frequently than quarterly''; and
(v) in paragraph (6), by striking ``official
delegated'' and inserting ``Chief Information
Security Officer delegated'';
(B) in subsection (b)--
(i) by striking paragraph (1) and inserting
the following:
``(1) the ongoing and continual assessment of agency system
risk required under subsection (a)(1)(A), which may include
using guidance and automated tools consistent with standards
and guidelines promulgated under section 11331 of title 40, as
applicable;'';
(ii) in paragraph (2)--
(I) by striking subparagraph (B);
(II) by redesignating subparagraphs
(C) and (D) as subparagraphs (B) and
(C), respectively; and
(III) in subparagraph (C), as so
redesignated--
(aa) by redesignating clauses
(iii) and (iv) as clauses (iv)
and (v), respectively;
(bb) by inserting after
clause (ii) the following:
``(iii) binding operational directives and
emergency directives issued by the Secretary
under section 3553;''; and
(cc) in clause (iv), as so
redesignated, by striking ``as
determined by the agency;'' and
inserting ``as determined by
the agency, considering the
agency risk assessment required
under subsection (a)(1)(A);'';
(iii) in paragraph (5)(A), by inserting ``,
including penetration testing, as
appropriate,'' after ``shall include testing'';
(iv) by redesignating paragraphs (7) and (8)
as paragraphs (8) and (9), respectively;
(v) by inserting after paragraph (6) the
following:
``(7) a process for securely providing the status of remedial
cybersecurity actions and un-remediated identified system
vulnerabilities of high value assets to the Director and the
Director of the Cybersecurity and Infrastructure Security
Agency, using automation and machine-readable data as
appropriate;''; and
(vi) in paragraph (8)(C), as so
redesignated--
(I) by striking clause (ii) and
inserting the following:
``(ii) notifying and consulting with the
Federal information security incident center
established under section 3556 pursuant to the
requirements of section 3594;'';
(II) by redesignating clause (iii) as
clause (iv);
(III) by inserting after clause (ii)
the following:
``(iii) performing the notifications and
other activities required under subchapter IV
of this chapter; and''; and
(IV) in clause (iv), as so
redesignated--
(aa) in subclause (II), by
adding ``and'' at the end;
(bb) by striking subclause
(III); and
(cc) by redesignating
subclause (IV) as subclause
(III); and
(C) in subsection (c)--
(i) by redesignating paragraph (2) as
paragraph (4);
(ii) by striking paragraph (1) and inserting
the following:
``(1) Biennial report.--Not later than 2 years after the date
of enactment of the Federal Information Security Modernization
Act of 2024 and not less frequently than once every 2 years
thereafter, using the ongoing and continual agency system risk
assessment required under subsection (a)(1)(A), the head of
each agency shall submit to the Director, the National Cyber
Director, the Director of the Cybersecurity and Infrastructure
Security Agency, the Comptroller General of the United States,
the majority and minority leaders of the Senate, the Speaker
and minority leader of the House of Representatives, the
Committee on Homeland Security and Governmental Affairs of the
Senate, the Committee on Oversight and Accountability of the
House of Representatives, the Committee on Homeland Security of
the House of Representatives, the Committee on Commerce,
Science, and Transportation of the Senate, the Committee on
Science, Space, and Technology of the House of Representatives,
and the appropriate authorization and appropriations committees
of Congress a report that--
``(A) summarizes the agency system risk assessment
required under subsection (a)(1)(A);
``(B) evaluates the adequacy and effectiveness of
information security policies, procedures, and
practices of the agency to address the risks identified
in the agency system risk assessment required under
subsection (a)(1)(A), including an analysis of the
agency's cybersecurity and incident response
capabilities using the metrics established under
section 224(c) of the Cybersecurity Act of 2015 (6
U.S.C. 1522(c));
``(C) summarizes the status of remedial actions
identified by the inspector general of the agency, the
Comptroller General of the United States, and any other
source determined appropriate by the head of the
agency; and
``(D) includes the cybersecurity shared services
offered by the Cybersecurity and Infrastructure
Security Agency that the agency participates in, if
any, and explanations for any non-participation in such
services.
``(2) Unclassified reports.--Each report submitted under
paragraph (1)--
``(A) shall be, to the greatest extent practicable,
in an unclassified and otherwise uncontrolled form; and
``(B) may include 1 or more annexes that contain
classified or other sensitive information, as
appropriate.
``(3) Briefings.--During each year during which a report is
not required to be submitted under paragraph (1), the Director
shall provide to the congressional committees described in
paragraph (1) a briefing summarizing current agency and Federal
risk postures.''; and
(iii) in paragraph (4), as so redesignated,
by striking the period at the end and inserting
``, including the reporting procedures
established under section 11315(d) of title 40
and subsection (a)(3)(A)(v) of this section.'';
(4) in section 3555--
(A) in the section heading, by striking ``Annual
independent'' and inserting ``Independent'';
(B) in subsection (a)--
(i) in paragraph (1), by inserting ``during
which a report is required to be submitted
under section 3553(c),'' after ``Each year'';
(ii) in paragraph (2)(A), by inserting ``,
including by performing, or reviewing the
results of, agency penetration testing and
analyzing the vulnerability disclosure program
of the agency'' after ``information systems'';
and
(iii) by adding at the end the following:
``(3) An evaluation under this section may include recommendations
for improving the cybersecurity posture of the agency.'';
(C) in subsection (b)(1), by striking ``annual'';
(D) in subsection (e)(1), by inserting ``during which
a report is required to be submitted under section
3553(c)'' after ``Each year'';
(E) in subsection (g)(2)--
(i) by striking ``this subsection shall'' and
inserting ``this subsection--
``(A) shall'';
(ii) in subparagraph (A), as so designated,
by striking the period at the end and inserting
``; and''; and
(iii) by adding at the end the following:
``(B) identify any entity that performs an independent
evaluation under subsection (b).'';
(F) by striking subsection (j) and inserting the
following:
``(j) Guidance.--
``(1) In general.--The Director, in consultation with the
Director of the Cybersecurity and Infrastructure Security
Agency, the Chief Information Officers Council, the Council of
the Inspectors General on Integrity and Efficiency, and other
interested parties as appropriate, shall ensure the development
of risk-based guidance for evaluating the effectiveness of an
information security program and practices.
``(2) Priorities.--The risk-based guidance developed under
paragraph (1) shall include--
``(A) the identification of the most common
successful threat patterns;
``(B) the identification of security controls that
address the threat patterns described in subparagraph
(A);
``(C) any other security risks unique to Federal
systems; and
``(D) any other element the Director determines
appropriate.''; and
(G) by adding at the end the following:
``(k) Coordination.--The head of each agency shall coordinate with
the inspector general of the agency, as applicable, to ensure
consistent understanding of agency cybersecurity or information
security policies for the purpose of evaluations of such policies
conducted by the inspector general.''; and
(5) in section 3556(a)--
(A) in the matter preceding paragraph (1), by
inserting ``within the Cybersecurity and Infrastructure
Security Agency'' after ``incident center''; and
(B) in paragraph (4), by striking ``3554(b)'' and
inserting ``3554(a)(1)(A)''.
(d) Conforming Amendments.--
(1) Table of sections.--The table of sections for chapter 35
of title 44, United States Code, is amended by striking the
item relating to section 3555 and inserting the following:
``3555. Independent evaluation.''.
(2) OMB reports.--Section 226(c) of the Cybersecurity Act of
2015 (6 U.S.C. 1524(c)) is amended--
(A) in paragraph (1)(B), in the matter preceding
clause (i), by striking ``annually thereafter'' and
inserting ``thereafter during the years during which a
report is required to be submitted under section
3553(c) of title 44, United States Code''; and
(B) in paragraph (2)(B), in the matter preceding
clause (i)--
(i) by striking ``annually thereafter'' and
inserting ``thereafter during the years during
which a report is required to be submitted
under section 3553(c) of title 44, United
States Code''; and
(ii) by striking ``the report required under
section 3553(c) of title 44, United States
Code'' and inserting ``that report''.
(3) NIST responsibilities.--Section 20(d)(3)(B) of the
National Institute of Standards and Technology Act (15 U.S.C.
278g-3(d)(3)(B)) is amended by striking ``annual''.
(e) Federal System Incident Response.--
(1) In general.--Chapter 35 of title 44, United States Code,
is amended by adding at the end the following:
``SUBCHAPTER IV--FEDERAL SYSTEM INCIDENT RESPONSE
``Sec. 3591. Definitions
``(a) In General.--Except as provided in subsection (b), the
definitions under sections 3502 and 3552 shall apply to this
subchapter.
``(b) Additional Definitions.--As used in this subchapter:
``(1) Appropriate reporting entities.--The term `appropriate
reporting entities' means--
``(A) the majority and minority leaders of the
Senate;
``(B) the Speaker and minority leader of the House of
Representatives;
``(C) the Committee on Homeland Security and
Governmental Affairs of the Senate;
``(D) the Committee on Commerce, Science, and
Transportation of the Senate;
``(E) the Committee on Oversight and Accountability
of the House of Representatives;
``(F) the Committee on Homeland Security of the House
of Representatives;
``(G) the Committee on Science, Space, and Technology
of the House of Representatives;
``(H) the appropriate authorization and
appropriations committees of Congress;
``(I) the Director;
``(J) the Director of the Cybersecurity and
Infrastructure Security Agency;
``(K) the National Cyber Director;
``(L) the Comptroller General of the United States;
and
``(M) the inspector general of any impacted agency.
``(2) Awardee.--The term `awardee', with respect to an
agency--
``(A) means--
``(i) the recipient of a grant from an
agency;
``(ii) a party to a cooperative agreement
with an agency; and
``(iii) a party to an other transaction
agreement with an agency; and
``(B) includes a subawardee of an entity described in
subparagraph (A).
``(3) Breach.--The term `breach'--
``(A) means the compromise, unauthorized disclosure,
unauthorized acquisition, or loss of control of
personally identifiable information owned, maintained
or otherwise controlled by an agency, or any similar
occurrence; and
``(B) includes any additional meaning given the term
in policies, principles, standards, or guidelines
issued by the Director.
``(4) Contractor.--The term `contractor' means a prime
contractor of an agency or a subcontractor of a prime
contractor of an agency that creates, collects, stores,
processes, maintains, or transmits Federal information on
behalf of an agency.
``(5) Federal information.--The term `Federal information'
means information created, collected, processed, maintained,
disseminated, disclosed, or disposed of by or for the Federal
Government in any medium or form.
``(6) Federal information system.--The term `Federal
information system' means an information system owned, managed,
or operated by an agency, or on behalf of an agency by a
contractor, an awardee, or another organization.
``(7) Intelligence community.--The term `intelligence
community' has the meaning given the term in section 3 of the
National Security Act of 1947 (50 U.S.C. 3003).
``(8) Nationwide consumer reporting agency.--The term
`nationwide consumer reporting agency' means a consumer
reporting agency described in section 603(p) of the Fair Credit
Reporting Act (15 U.S.C. 1681a(p)).
``(9) Vulnerability disclosure.--The term `vulnerability
disclosure' means a vulnerability identified under section
3559B.
``Sec. 3592. Notification of breach
``(a) Definition.--In this section, the term `covered breach' means a
breach--
``(1) involving not less than 50,000 potentially affected
individuals; or
``(2) the result of which the head of an agency determines
that notifying potentially affected individuals is necessary
pursuant to subsection (b)(1), regardless of whether--
``(A) the number of potentially affected individuals
is less than 50,000; or
``(B) the notification is delayed under subsection
(d).
``(b) Notification.--As expeditiously as practicable and without
unreasonable delay, and in any case not later than 45 days after an
agency has a reasonable basis to conclude that a breach has occurred,
the head of the agency, in consultation with the Chief Information
Officer and Chief Privacy Officer of the agency and, as appropriate,
any non-Federal entity supporting the remediation of the breach,
shall--
``(1) determine whether notice to any individual potentially
affected by the breach is appropriate, including by conducting
an assessment of the risk of harm to the individual that
considers--
``(A) the nature and sensitivity of the personally
identifiable information affected by the breach;
``(B) the likelihood of access to and use of the
personally identifiable information affected by the
breach;
``(C) the type of breach; and
``(D) any other factors determined by the Director;
and
``(2) if the head of the agency determines notification is
necessary pursuant to paragraph (1), provide written
notification in accordance with subsection (c) to each
individual potentially affected by the breach--
``(A) to the last known mailing address of the
individual; or
``(B) through an appropriate alternative method of
notification.
``(c) Contents of Notification.--Each notification of a breach
provided to an individual under subsection (b)(2) shall include, to the
maximum extent practicable--
``(1) a brief description of the breach;
``(2) if possible, a description of the types of personally
identifiable information affected by the breach;
``(3) contact information of the agency that may be used to
ask questions of the agency, which--
``(A) shall include an e-mail address or another
digital contact mechanism; and
``(B) may include a telephone number, mailing
address, or a website;
``(4) information on any remedy being offered by the agency;
``(5) any applicable educational materials relating to what
individuals can do in response to a breach that potentially
affects their personally identifiable information, including
relevant contact information for the appropriate Federal law
enforcement agencies and each nationwide consumer reporting
agency; and
``(6) any other appropriate information, as determined by the
head of the agency or established in guidance by the Director.
``(d) Delay of Notification.--
``(1) In general.--The head of an agency, in coordination
with the Director and the National Cyber Director, and as
appropriate, the Attorney General, the Director of National
Intelligence, or the Secretary of Homeland Security, may delay
a notification required under subsection (b) or (e) if the
notification would--
``(A) impede a criminal investigation or a national
security activity;
``(B) cause an adverse result (as described in
section 2705(a)(2) of title 18);
``(C) reveal sensitive sources and methods;
``(D) cause damage to national security; or
``(E) hamper security remediation actions.
``(2) Renewal.--A delay under paragraph (1) shall be for a
period of 60 days and may be renewed.
``(3) National security systems.--The head of an agency
delaying notification under this subsection with respect to a
breach exclusively of a national security system shall
coordinate such delay with the Secretary of Defense.
``(e) Update Notification.--If an agency determines there is a
significant change in the reasonable basis to conclude that a breach
occurred, a significant change to the determination made under
subsection (b)(1), or that it is necessary to update the details of the
information provided to potentially affected individuals as described
in subsection (c), the agency shall as expeditiously as practicable and
without unreasonable delay, and in any case not later than 30 days
after such a determination, notify each individual who received a
notification pursuant to subsection (b) of those changes.
``(f) Delay of Notification Report.--
``(1) In general.--Not later than 1 year after the date of
enactment of the Federal Information Security Modernization Act
of 2024, and annually thereafter, the head of an agency, in
coordination with any official who delays a notification under
subsection (d), shall submit to the appropriate reporting
entities a report on each delay that occurred during the
previous 2 years.
``(2) Component of other report.--The head of an agency may
submit the report required under paragraph (1) as a component
of the report submitted under section 3554(c).
``(g) Congressional Reporting Requirements.--
``(1) Review and update.--On a periodic basis, the Director
of the Office of Management and Budget shall review, and update
as appropriate, breach notification policies and guidelines for
agencies.
``(2) Required notice from agencies.--Subject to paragraph
(4), the Director of the Office of Management and Budget shall
require the head of an agency affected by a covered breach to
expeditiously and not later than 30 days after the date on
which the agency discovers the covered breach give notice of
the breach, which may be provided electronically, to--
``(A) each congressional committee described in
section 3554(c)(1); and
``(B) the Committee on the Judiciary of the Senate
and the Committee on the Judiciary of the House of
Representatives.
``(3) Contents of notice.--Notice of a covered breach
provided by the head of an agency pursuant to paragraph (2)
shall include, to the extent practicable--
``(A) information about the covered breach, including
a summary of any information about how the covered
breach occurred known by the agency as of the date of
the notice;
``(B) an estimate of the number of individuals
affected by the covered breach based on information
known by the agency as of the date of the notice,
including an assessment of the risk of harm to affected
individuals;
``(C) a description of any circumstances
necessitating a delay in providing notice to
individuals affected by the covered breach in
accordance with subsection (d); and
``(D) an estimate of when the agency will provide
notice to individuals affected by the covered breach,
if applicable.
``(4) Exception.--Any agency that is required to provide
notice to Congress pursuant to paragraph (2) due to a covered
breach exclusively on a national security system shall only
provide such notice to--
``(A) the majority and minority leaders of the
Senate;
``(B) the Speaker and minority leader of the House of
Representatives;
``(C) the appropriations committees of Congress;
``(D) the Committee on Homeland Security and
Governmental Affairs of the Senate;
``(E) the Select Committee on Intelligence of the
Senate;
``(F) the Committee on Oversight and Accountability
of the House of Representatives; and
``(G) the Permanent Select Committee on Intelligence
of the House of Representatives.
``(5) Rule of construction.--Nothing in paragraphs (1)
through (3) shall be construed to alter any authority of an
agency.
``(h) Rule of Construction.--Nothing in this section shall be
construed to--
``(1) limit--
``(A) the authority of the Director to issue guidance
relating to notifications of, or the head of an agency
to notify individuals potentially affected by, breaches
that are not determined to be covered breaches or major
incidents;
``(B) the authority of the Director to issue guidance
relating to notifications and reporting of breaches,
covered breaches, or major incidents;
``(C) the authority of the head of an agency to
provide more information than required under subsection
(b) when notifying individuals potentially affected by
a breach;
``(D) the timing of incident reporting or the types
of information included in incident reports provided,
pursuant to this subchapter, to--
``(i) the Director;
``(ii) the National Cyber Director;
``(iii) the Director of the Cybersecurity and
Infrastructure Security Agency; or
``(iv) any other agency;
``(E) the authority of the head of an agency to
provide information to Congress about agency breaches,
including--
``(i) breaches that are not covered breaches;
and
``(ii) additional information beyond the
information described in subsection (g)(3); or
``(F) any congressional reporting requirements of
agencies under any other law; or
``(2) limit or supersede any existing privacy protections in
existing law.
``Sec. 3593. Congressional and executive branch reports on major
incidents
``(a) Appropriate Congressional Entities.--In this section, the term
`appropriate congressional entities' means--
``(1) the majority and minority leaders of the Senate;
``(2) the Speaker and minority leader of the House of
Representatives;
``(3) the Committee on Homeland Security and Governmental
Affairs of the Senate;
``(4) the Committee on Commerce, Science, and Transportation
of the Senate;
``(5) the Committee on Oversight and Accountability of the
House of Representatives;
``(6) the Committee on Homeland Security of the House of
Representatives;
``(7) the Committee on Science, Space, and Technology of the
House of Representatives; and
``(8) the appropriate authorization and appropriations
committees of Congress.
``(b) Initial Notification.--
``(1) In general.--Not later than 72 hours after an agency
has a reasonable basis to conclude that a major incident
occurred, the head of the agency impacted by the major incident
shall submit to the appropriate reporting entities a written
notification, which may be submitted electronically and include
1 or more annexes that contain classified or other sensitive
information, as appropriate.
``(2) Contents.--A notification required under paragraph (1)
with respect to a major incident shall include the following,
based on information available to agency officials as of the
date on which the agency submits the notification:
``(A) A summary of the information available about
the major incident, including how the major incident
occurred and the threat causing the major incident.
``(B) If applicable, information relating to any
breach associated with the major incident, regardless
of whether--
``(i) the breach was the reason the incident
was determined to be a major incident; and
``(ii) the head of the agency determined it was
appropriate to provide notification to
potentially impacted individuals pursuant to
section 3592(b)(1).
``(C) A preliminary assessment of the impacts to--
``(i) the agency;
``(ii) the Federal Government;
``(iii) the national security, foreign
relations, homeland security, and economic
security of the United States; and
``(iv) the civil liberties, public
confidence, privacy, and public health and
safety of the people of the United States.
``(D) If applicable, whether any ransom has been
demanded or paid, or is expected to be paid, by any
entity operating a Federal information system or with
access to Federal information or a Federal information
system, including, as available, the name of the entity
demanding ransom, the date of the demand, and the
amount and type of currency demanded, unless disclosure
of such information will disrupt an active Federal law
enforcement or national security operation.
``(c) Supplemental Update.--Within a reasonable amount of time, but
not later than 30 days after the date on which the head of an agency
submits a written notification under subsection (b), the head of the
agency shall provide to the appropriate congressional entities an
unclassified and written update, which may include 1 or more annexes
that contain classified or other sensitive information, as appropriate,
on the major incident, based on information available to agency
officials as of the date on which the agency provides the update, on--
``(1) system vulnerabilities relating to the major incident,
where applicable, means by which the major incident occurred,
the threat causing the major incident, where applicable, and
impacts of the major incident to--
``(A) the agency;
``(B) other Federal agencies, Congress, or the
judicial branch;
``(C) the national security, foreign relations,
homeland security, or economic security of the United
States; or
``(D) the civil liberties, public confidence,
privacy, or public health and safety of the people of
the United States;
``(2) the status of compliance of the affected Federal
information system with applicable security requirements at the
time of the major incident;
``(3) if the major incident involved a breach, a description
of the affected information, an estimate of the number of
individuals potentially impacted, and any assessment to the
risk of harm to such individuals;
``(4) an update to the assessment of the risk to agency
operations, or to impacts on other agency or non-Federal entity
operations, affected by the major incident;
``(5) the detection, response, and remediation actions of the
agency, including any support provided by the Cybersecurity and
Infrastructure Security Agency under section 3594(d), if
applicable;
``(6) as appropriate and available, actions undertaken by any
non-Federal entities impacted by or supporting remediation of
the major incident; and
``(7) as appropriate and available, recommendations for
mitigating future similar incidents, including recommendations
from any non-Federal entity impacted by or supporting the
remediation of the major incident.
``(d) Additional Update.--If the head of an agency, the Director, or
the National Cyber Director determines that there is any significant
change in the understanding of the scope, scale, or consequence of a
major incident for which the head of the agency submitted a written
notification and update under subsections (b) and (c), the head of the
agency shall submit to the appropriate congressional entities a written
update that includes information relating to the change in
understanding.
``(e) Biennial Report.--Each agency shall submit as part of the
biennial report required under section 3554(c)(1) a description of each
major incident that occurred during the 2-year period preceding the
date on which the biennial report is submitted.
``(f) Report Delivery.--
``(1) In general.--Any written notification or update
required to be submitted under this section--
``(A) shall be submitted in an electronic format; and
``(B) may be submitted in a paper format.
``(2) Classification status.--Any written notification or
update required to be submitted under this section--
``(A) shall be--
``(i) unclassified; and
``(ii) submitted through unclassified
electronic means pursuant to paragraph (1)(A);
and
``(B) may include classified annexes, as appropriate.
``(g) Report Consistency.--To achieve consistent and coherent agency
reporting to Congress, the National Cyber Director, in coordination
with the Director, shall--
``(1) provide recommendations to agencies on formatting and
the contents of information to be included in the reports
required under this section, including recommendations for
consistent formats for presenting any associated metrics; and
``(2) maintain a comprehensive record of each major incident
notification, update, and briefing provided under this section,
which shall--
``(A) include, at a minimum--
``(i) the full contents of the written
notification or update;
``(ii) the identity of the reporting agency;
``(iii) the date of submission; and
``(iv) a list of the recipient congressional
entities; and
``(B) be made available upon request to the majority
and minority leaders of the Senate, the Speaker and
minority leader of the House of Representatives, the
Committee on Homeland Security and Governmental Affairs
of the Senate, and the Committee on Oversight and
Accountability of the House of Representatives.
``(h) National Security Systems Congressional Reporting Exemption.--
With respect to a major incident that occurs exclusively on a national
security system, the head of the affected agency shall submit the
notifications and reports required to be submitted to Congress under
this section only to--
``(1) the majority and minority leaders of the Senate;
``(2) the Speaker and minority leader of the House of
Representatives;
``(3) the appropriations committees of Congress;
``(4) the appropriate authorization committees of Congress;
``(5) the Committee on Homeland Security and Governmental
Affairs of the Senate;
``(6) the Select Committee on Intelligence of the Senate;
``(7) the Committee on Oversight and Accountability of the
House of Representatives; and
``(8) the Permanent Select Committee on Intelligence of the
House of Representatives.
``(i) Major Incidents Including Breaches.--If a major incident
constitutes a covered breach, as defined in section 3592(a),
information on the covered breach required to be submitted to Congress
pursuant to section 3592(g) may--
``(1) be included in the notifications required under
subsection (b) or (c); or
``(2) be reported to Congress under the process established
under section 3592(g).
``(j) Rule of Construction.--Nothing in this section shall be
construed to--
``(1) limit--
``(A) the ability of an agency to provide additional
reports or briefings to Congress;
``(B) Congress from requesting additional information
from agencies through reports, briefings, or other
means; and
``(C) any congressional reporting requirements of
agencies under any other law; or
``(2) limit or supersede any privacy protections under any
other law.
``Sec. 3594. Government information sharing and incident response
``(a) In General.--
``(1) Incident sharing.--Subject to paragraph (4) and
subsection (b), and in accordance with the applicable
requirements pursuant to section 3553(b)(2)(A) for reporting to
the Federal information security incident center established
under section 3556, the head of each agency shall provide to
the Cybersecurity and Infrastructure Security Agency
information relating to any incident affecting the agency,
whether the information is obtained by the Federal Government
directly or indirectly.
``(2) Contents.--A provision of information relating to an
incident made by the head of an agency under paragraph (1)
shall include, at a minimum--
``(A) a full description of the incident, including--
``(i) all indicators of compromise and
tactics, techniques, and procedures;
``(ii) an indicator of how the intruder
gained initial access, accessed agency data or
systems, and undertook additional actions on
the network of the agency;
``(iii) information that would support
enabling defensive measures; and
``(iv) other information that may assist in
identifying other victims;
``(B) information to help prevent similar incidents,
such as information about relevant safeguards in place
when the incident occurred and the effectiveness of
those safeguards; and
``(C) information to aid in incident response, such
as--
``(i) a description of the affected systems
or networks;
``(ii) the estimated dates of when the
incident occurred; and
``(iii) information that could reasonably
help identify any malicious actor that may have
conducted or caused the incident, subject to
appropriate privacy protections.
``(3) Information sharing.--The Director of the Cybersecurity
and Infrastructure Security Agency shall--
``(A) make incident information provided under
paragraph (1) available to the Director and the
National Cyber Director;
``(B) to the greatest extent practicable, share
information relating to an incident with--
``(i) the head of any agency that may be--
``(I) impacted by the incident;
``(II) particularly susceptible to
the incident; or
``(III) similarly targeted by the
incident; and
``(ii) appropriate Federal law enforcement
agencies to facilitate any necessary threat
response activities, as requested;
``(C) coordinate any necessary information sharing
efforts relating to a major incident with the private
sector; and
``(D) notify the National Cyber Director of any
efforts described in subparagraph (C).
``(4) National security systems exemption.--
``(A) In general.--Notwithstanding paragraphs (1) and
(3), each agency operating or exercising control of a
national security system shall share information about
an incident that occurs exclusively on a national
security system with the Secretary of Defense, the
Director, the National Cyber Director, and the Director
of the Cybersecurity and Infrastructure Security Agency
to the extent consistent with standards and guidelines
for national security systems issued in accordance with
law and as directed by the President.
``(B) Protections.--Any information sharing and
handling of information under this paragraph shall be
appropriately protected consistent with procedures
authorized for the protection of sensitive sources and
methods or by procedures established for information
that have been specifically authorized under criteria
established by an Executive order or an Act of Congress
to be kept classified in the interest of national
defense or foreign policy.
``(b) Automation.--In providing information and selecting a method to
provide information under subsection (a), the head of each agency shall
implement subsection (a)(1) in a manner that provides such information
to the Cybersecurity and Infrastructure Security Agency in an automated
and machine-readable format, to the greatest extent practicable.
``(c) Incident Response.--Each agency that has a reasonable basis to
suspect or conclude that a major incident occurred involving Federal
information in electronic medium or form that does not exclusively
involve a national security system shall coordinate with--
``(1) the Cybersecurity and Infrastructure Security Agency to
facilitate asset response activities and provide
recommendations for mitigating future incidents; and
``(2) consistent with relevant policies, appropriate Federal
law enforcement agencies to facilitate threat response
activities.
``Sec. 3595. Responsibilities of contractors and awardees
``(a) Notification.--
``(1) In general.--Any contractor or awardee of an agency
shall provide written notification to the agency if the
contractor or awardee has a reasonable basis to conclude that--
``(A) an incident or breach has occurred with respect
to Federal information the contractor or awardee
collected, used, or maintained on behalf of an agency;
``(B) an incident or breach has occurred with respect
to a Federal information system used, operated,
managed, or maintained on behalf of an agency by the
contractor or awardee;
``(C) a component of any Federal information system
operated, managed, or maintained by a contractor or
awardee contains a security vulnerability, including a
supply chain compromise or an identified software or
hardware vulnerability, for which there is reliable
evidence of a successful exploitation of the
vulnerability by an actor without authorization of the
Federal information system owner; or
``(D) the contractor or awardee has received from the
agency personally identifiable information or personal
health information that is beyond the scope of the
contract or agreement with the agency that the
contractor or awardee is not authorized to receive.
``(2) Third-party notification of vulnerabilities.--Subject
to the guidance issued by the Director pursuant to paragraph
(4), any contractor or awardee of an agency shall provide
written notification to the agency and the Cybersecurity and
Infrastructure Security Agency if the contractor or awardee has
a reasonable basis to conclude that a component of any Federal
information system operated, managed, or maintained on behalf
of an agency by the contractor or awardee contains a security
vulnerability, including a supply
chain compromise or an identified software or hardware
vulnerability, that has been reported to the contractor or
awardee by a third party, including through a vulnerability
disclosure program.
``(3) Procedures.--
``(A) Sharing with cisa.--As soon as practicable
following a notification of an incident or
vulnerability to an agency by a contractor or awardee
under paragraph (1), the head of the agency shall
provide, pursuant to section 3594, information about
the incident or vulnerability to the Director of the
Cybersecurity and Infrastructure Security Agency.
``(B) Timing of notifications.--Unless a different
time for notification is specified in a contract,
grant, cooperative agreement, or other transaction
agreement, a contractor or awardee shall--
``(i) make a notification required under
paragraph (1) not later than 1 day after the
date on which the contractor or awardee has
reasonable basis to suspect or conclude that
the criteria under paragraph (1) have been met;
and
``(ii) make a notification required under
paragraph (2) within a reasonable time, but not
later than 90 days after the date on which the
contractor or awardee has reasonable basis to
suspect or conclude that the criteria under
paragraph (2) have been met.
``(C) Procedures.--Following a notification of a
breach or incident to an agency by a contractor or
awardee under paragraph (1), the head of the agency, in
consultation with the contractor or awardee, shall
carry out the applicable requirements under sections
3592, 3593, and 3594 with respect to the breach or
incident.
``(D) Rule of construction.--Nothing in subparagraph
(B) shall be construed to allow the negation of the
requirements to notify vulnerabilities under paragraph
(1) or (2) through a contract, grant, cooperative
agreement, or other transaction agreement.
``(4) Guidance.--The Director shall issue guidance as soon as
practicable to agencies relating to the scope of
vulnerabilities to be included in required notifications under
paragraph (2), such as the minimum severity or minimum risk
level of a vulnerability included in required notifications,
whether vulnerabilities that are already publicly disclosed
must be reported, or likely cybersecurity impact to Federal
information systems.
``(b) Regulations; Modifications.--
``(1) In general.--Not later than 2 years after the date of
enactment of the Federal Information Security Modernization Act
of 2024--
``(A) the Federal Acquisition Regulatory Council
shall promulgate regulations, as appropriate, relating
to the responsibilities of contractors and recipients
of other transaction agreements and cooperative
agreements to comply with this section; and
``(B) the Office of Federal Financial Management
shall promulgate regulations under title 2, Code of
Federal Regulations, as appropriate, relating to the
responsibilities of grantees to comply with this
section.
``(2) Implementation.--Not later than 1 year after the date
on which the Federal Acquisition Regulatory Council and the
Office of Federal Financial Management promulgates regulations
under paragraph (1), the head of each agency shall implement
policies and procedures, as appropriate, necessary to implement
those regulations.
``(3) Congressional notification.--
``(A) In general.--The head of each agency shall
notify the Director upon implementation of policies and
procedures necessary to implement the regulations
promulgated under paragraph (1).
``(B) OMB notification.--Not later than 30 days
after the date described in paragraph (2), the Director
shall notify the Committee on Homeland Security and
Governmental Affairs of the Senate and the Committees
on Oversight and Accountability and Homeland Security
of the House of Representatives on the status of the
implementation by each agency of the regulations
promulgated under paragraph (1).
``(c) Allowable Use.--Information provided to an agency pursuant to
this section may be disclosed to, retained by, and used by any agency,
component, officer, employee, or agent of the Federal Government solely
for any of the following:
``(1) A cybersecurity purpose (as defined in section 2200 of
the Homeland Security Act of 2002 (6 U.S.C. 650)).
``(2) Identifying--
``(A) a cyber threat (as defined in such section
2200), including the source of the cyber threat; or
``(B) a security vulnerability (as defined in such
section 2200).
``(3) Preventing, investigating, disrupting, or prosecuting
an offense arising out of an incident notified to an agency
pursuant to this section or any of the offenses listed in
section 105(d)(5)(A)(v) of the Cybersecurity Information
Sharing Act of 2015 (6 U.S.C. 1504(d)(5)(A)(v)).
``(d) Harmonization of Other Private-sector Cybersecurity Reporting
Obligations.--Any non-Federal entity required to report an incident
under section 2242 of the Homeland Security Act of 2002 (6 U.S.C. 681b)
may submit as part of the written notification requirements in this
section all information required by such section 2242 to the agency of
which the entity is a contractor or recipient of Federal financial
assistance, or with which the entity holds an other transaction
agreement or cooperative agreement, within the deadline specified in
subsection (a)(3)(B)(i). If such submission is completed, the non-Federal
entity shall not be required to subsequently report the same
incident under the requirements of such section 2242. Any incident
information shared under this subsection shall be shared with the
Director of the Cybersecurity and Infrastructure Security Agency
pursuant to subsection (a)(3)(A).
``(e) National Security Systems Exemption.--Notwithstanding any other
provision of this section, a contractor or awardee of an agency that
would be required to report an incident or vulnerability pursuant to
this section that occurs exclusively on a national security system
shall--
``(1) report the incident or vulnerability to the head of the
agency and the Secretary of Defense; and
``(2) comply with applicable laws and policies relating to
national security systems.
``Sec. 3596. Training
``(a) Covered Individual Defined.--In this section, the term `covered
individual' means an individual who obtains access to a Federal
information system because of the status of the individual as--
``(1) an employee, contractor, awardee, volunteer, or intern
of an agency; or
``(2) an employee of a contractor or awardee of an agency.
``(b) Best Practices and Consistency.--The Director of the
Cybersecurity and Infrastructure Security Agency, in consultation with
the Director, the National Cyber Director, and the Director of the
National Institute of Standards and Technology, shall consolidate best
practices to support consistency across agencies in cybersecurity
incident response training, including--
``(1) information to be collected and shared with the
Cybersecurity and Infrastructure Security Agency pursuant to
section 3594(a) and processes for sharing such information; and
``(2) appropriate training and qualifications for cyber
incident responders.
``(c) Agency Training.--The head of each agency shall develop
training for covered individuals on how to identify and respond to an
incident, including--
``(1) the internal process of the agency for reporting an
incident; and
``(2) the obligation of a covered individual to report to the
agency any suspected or confirmed incident involving Federal
information in any medium or form, including paper, oral, and
electronic.
``(d) Inclusion in Annual Training.--The training developed under
subsection (c) may be included as part of an annual privacy, security
awareness, or other appropriate training of an agency.
``Sec. 3597. Analysis and report on Federal incidents
``(a) Analysis of Federal Incidents.--
``(1) Quantitative and qualitative analyses.--The Director of
the Cybersecurity and Infrastructure Security Agency shall
perform and, in coordination with the Director and the National
Cyber Director, develop, continuous monitoring and quantitative
and qualitative analyses of incidents at agencies, including
major incidents, including--
``(A) the causes of incidents, including--
``(i) attacker tactics, techniques, and
procedures; and
``(ii) system vulnerabilities, including zero
days, unpatched systems, and information system
misconfigurations;
``(B) the scope and scale of incidents at agencies;
``(C) common root causes of incidents across multiple
agencies;
``(D) agency incident response, recovery, and
remediation actions and the effectiveness of those
actions, as applicable;
``(E) lessons learned and recommendations in
responding to, recovering from, remediating, and
mitigating future incidents; and
``(F) trends across multiple agencies to address
intrusion detection and incident response capabilities
using the metrics established under section 224(c) of
the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)).
``(2) Automated analysis.--The analyses developed under
paragraph (1) shall, to the greatest extent practicable, use
machine-readable data, automation, and machine learning
processes.
``(3) Sharing of data and analysis.--
``(A) In general.--The Director of the Cybersecurity
and Infrastructure Security Agency shall share on an
ongoing basis the analyses and underlying data required
under this subsection with agencies, the Director, and
the National Cyber Director to--
``(i) improve the understanding of
cybersecurity risk of agencies; and
``(ii) support the cybersecurity improvement
efforts of agencies.
``(B) Format.--In carrying out subparagraph (A), the
Director of the Cybersecurity and Infrastructure
Security Agency shall share the analyses--
``(i) in human-readable written products; and
``(ii) to the greatest extent practicable, in
machine-readable formats in order to enable
automated intake and use by agencies.
``(C) Exemption.--This subsection shall not apply to
incidents that occur exclusively on national security
systems.
``(b) Annual Report on Federal Incidents.--Not later than 2 years
after the date of enactment of this section, and not less frequently
than annually thereafter, the Director of the Cybersecurity and
Infrastructure Security Agency, in consultation with the Director, the
National Cyber Director and the heads of other agencies, as
appropriate, shall submit to the appropriate reporting entities a
report that includes--
``(1) a summary of causes of incidents from across the
Federal Government that categorizes those incidents as
incidents or major incidents;
``(2) the quantitative and qualitative analyses of incidents
developed under subsection (a)(1) on an agency-by-agency basis
and comprehensively across the Federal Government, including--
``(A) a specific analysis of breaches; and
``(B) an analysis of the Federal Government's
performance against the metrics established under
section 224(c) of the Cybersecurity Act of 2015 (6
U.S.C. 1522(c)); and
``(3) an annex for each agency that includes--
``(A) a description of each major incident;
``(B) the total number of incidents of the agency;
and
``(C) an analysis of the agency's performance against
the metrics established under section 224(c) of the
Cybersecurity Act of 2015 (6 U.S.C. 1522(c)).
``(c) Publication.--
``(1) In general.--The Director of the Cybersecurity and
Infrastructure Security Agency shall make a version of each
report submitted under subsection (b) publicly available on the
website of the Cybersecurity and Infrastructure Security Agency
during the year during which the report is submitted.
``(2) Exemption.--The publication requirement under paragraph
(1) shall not apply to a portion of a report that contains
content that should be protected in the interest of national
security, as determined by the Director, the Director of the
Cybersecurity and Infrastructure Security Agency, or the
National Cyber Director.
``(3) Limitation on exemption.--The exemption under paragraph
(2) shall not apply to any version of a report submitted to the
appropriate reporting entities under subsection (b).
``(4) Requirement for compiling information.--
``(A) Compilation.--Subject to subparagraph (B), in
making a report publicly available under paragraph (1),
the Director of the Cybersecurity and Infrastructure
Security Agency shall sufficiently compile information
so that no specific incident of an agency can be
identified.
``(B) Exception.--The Director of the Cybersecurity
and Infrastructure Security Agency may include
information that enables a specific incident of an
agency to be identified in a publicly available
report--
``(i) with the concurrence of the Director
and the National Cyber Director;
``(ii) in consultation with the impacted
agency, which may, as appropriate, consult with
any non-Federal entity impacted by or
supporting the remediation of such incident;
and
``(iii) in consultation with the inspector
general of the impacted agency.
``(d) Information Provided by Agencies.--
``(1) In general.--The analysis required under subsection (a)
and each report submitted under subsection (b) shall use
information provided by agencies under section 3594(a).
``(2) Noncompliance reports.--During any year during which
the head of an agency does not provide data for an incident to
the Cybersecurity and Infrastructure Security Agency in
accordance with section 3594(a), the head of the agency, in
coordination with the Director of the Cybersecurity and
Infrastructure Security Agency and the Director, shall submit
to the appropriate reporting entities a report that includes
the information described in subsection (b) with respect to the
agency.
``(e) National Security System Reports.--
``(1) In general.--Notwithstanding any other provision of
this section, the Secretary of Defense, in consultation with
the Director, the National Cyber Director, the Director of
National Intelligence, and the Director of the Cybersecurity
and Infrastructure Security Agency shall annually submit a
report that includes the information described in subsection
(b) with respect to national security systems, to the extent
that the submission is consistent with standards and guidelines
for national security systems issued in accordance with law and
as directed by the President, to--
``(A) the majority and minority leaders of the
Senate;
``(B) the Speaker and minority leader of the House of
Representatives;
``(C) the Committee on Homeland Security and
Governmental Affairs of the Senate;
``(D) the Select Committee on Intelligence of the
Senate;
``(E) the Committee on Armed Services of the Senate;
``(F) the Committee on Appropriations of the Senate;
``(G) the Committee on Oversight and Accountability
of the House of Representatives;
``(H) the Committee on Homeland Security of the House
of Representatives;
``(I) the Permanent Select Committee on Intelligence
of the House of Representatives;
``(J) the Committee on Armed Services of the House of
Representatives; and
``(K) the Committee on Appropriations of the House of
Representatives.
``(2) Classified form.--A report required under paragraph (1)
may be submitted in a classified form.
``Sec. 3598. Major incident definition
``(a) In General.--Not later than 1 year after the later of the date
of enactment of the Federal Information Security Modernization Act of
2024 and the most recent publication by the Director of guidance to
agencies regarding major incidents as of the date of enactment of the
Federal Information Security Modernization Act of 2024, the Director
shall develop, in coordination with the National Cyber Director, and
promulgate guidance on the definition of the term `major incident' for
the purposes of subchapter II and this subchapter.
``(b) Requirements.--With respect to the guidance issued under
subsection (a), the definition of the term `major incident' shall--
``(1) include, with respect to any information collected or
maintained by or on behalf of an agency or a Federal
information system--
``(A) any incident the head of the agency determines
is likely to result in demonstrable harm to--
``(i) the national security interests,
foreign relations, homeland security, or
economic security of the United States; or
``(ii) the civil liberties, public
confidence, privacy, or public health and
safety of the people of the United States;
``(B) any incident the head of the agency determines
likely to result in an inability or substantial
disruption for the agency, a component of the agency,
or the Federal Government, to provide 1 or more
critical services;
``(C) any incident the head of the agency determines
substantially disrupts or substantially degrades the
operations of a high value asset owned or operated by
the agency;
``(D) any incident involving the exposure to a
foreign entity of sensitive agency information, such as
the communications of the head of the agency, the head
of a component of the agency, or the direct reports of
the head of the agency or the head of a component of
the agency; and
``(E) any other type of incident determined
appropriate by the Director;
``(2) stipulate that the National Cyber Director, in
consultation with the Director and the Director of the
Cybersecurity and Infrastructure Security Agency, may declare a
major incident at any agency, and such a declaration shall be
considered if it is determined that an incident--
``(A) occurs at not less than 2 agencies; and
``(B) is enabled by--
``(i) a common technical root cause, such as
a supply chain compromise, or a common software
or hardware vulnerability; or
``(ii) the related activities of a common
threat actor;
``(3) stipulate that, in determining whether an incident
constitutes a major incident under the standards described in
paragraph (1), the head of the agency shall consult with the
National Cyber Director; and
``(4) stipulate that the mere report of a vulnerability
discovered or disclosed without a loss of confidentiality,
integrity, or availability shall not on its own constitute a
major incident.
``(c) Evaluation and Updates.--Not later than 60 days after the date
on which the Director first promulgates the guidance required under
subsection (a), and not less frequently than once during the first 90
days of each evenly numbered Congress thereafter, the Director shall
provide to the Committee on Homeland Security and Governmental Affairs
of the Senate and the Committees on Oversight and Accountability and
Homeland Security of the House of Representatives a briefing that
includes--
``(1) an evaluation of any necessary updates to the guidance;
``(2) an evaluation of any necessary updates to the
definition of the term `major incident' included in the
guidance; and
``(3) an explanation of, and the analysis that led to, the
definition described in paragraph (2).''.
(2) Clerical amendment.--The table of sections for chapter 35
of title 44, United States Code, is amended by adding at the
end the following:
``subchapter iv--federal system incident response
``3591. Definitions.
``3592. Notification of breach.
``3593. Congressional and executive branch reports on major incidents.
``3594. Government information sharing and incident response.
``3595. Responsibilities of contractors and awardees.
``3596. Training.
``3597. Analysis and report on Federal incidents.
``3598. Major incident definition.''.
SEC. 4. AMENDMENTS TO SUBTITLE III OF TITLE 40.
(a) Modernizing Government Technology.--Subtitle G of title X of
division A of the National Defense Authorization Act for Fiscal Year
2018 (40 U.S.C. 11301 note) is amended in section 1078--
(1) by striking subsection (a) and inserting the following:
``(a) Definitions.--In this section:
``(1) Agency.--The term `agency' has the meaning given the
term in section 551 of title 5, United States Code.
``(2) High value asset.--The term `high value asset' has the
meaning given the term in section 3552 of title 44, United
States Code.'';
(2) in subsection (b), by adding at the end the following:
``(8) Proposal evaluation.--The Director shall--
``(A) give consideration for the use of amounts in
the Fund to improve the security of high value assets;
and
``(B) require that any proposal for the use of
amounts in the Fund includes, as appropriate, and which
may be incorporated into otherwise required project
proposal documentation--
``(i) cybersecurity risk management
considerations; and
``(ii) a supply chain risk assessment in
accordance with section 1326 of title 41.'';
and
(3) in subsection (c)--
(A) in paragraph (2)(A)(i), by inserting ``,
including a consideration of the impact on high value
assets'' after ``operational risks'';
(B) in paragraph (5)--
(i) in subparagraph (A), by striking ``and''
at the end;
(ii) in subparagraph (B), by striking the
period at the end and inserting ``; and''; and
(iii) by adding at the end the following:
``(C) a senior official from the Cybersecurity and
Infrastructure Security Agency of the Department of
Homeland Security, appointed by the Director.''; and
(C) in paragraph (6)(A), by striking ``shall be--''
and all that follows through ``4 employees'' and
inserting ``shall be 4 employees''.
(b) Subchapter I.--Subchapter I of chapter 113 of subtitle III of
title 40, United States Code, is amended--
(1) in section 11302--
(A) in subsection (b), by striking ``use, security,
and disposal of'' and inserting ``use, and disposal of,
and, in consultation with the Director of the
Cybersecurity and Infrastructure Security Agency and
the National Cyber Director, promote and improve the
security of,''; and
(B) in subsection (h), by inserting ``, including
cybersecurity performances,'' after ``the
performances''; and
(2) in section 11303(b)(2)(B)--
(A) in clause (i), by striking ``or'' at the end;
(B) in clause (ii), by adding ``or'' at the end; and
(C) by adding at the end the following:
``(iii) whether the function should be
performed by a shared service offered by
another executive agency;''.
(c) Subchapter II.--Subchapter II of chapter 113 of subtitle III of
title 40, United States Code, is amended--
(1) in section 11312(a), by inserting ``, including security
risks'' after ``managing the risks'';
(2) in section 11313(1), by striking ``efficiency and
effectiveness'' and inserting ``efficiency, security, and
effectiveness'';
(3) in section 11317, by inserting ``security,'' before ``or
schedule''; and
(4) in section 11319(b)(1), in the paragraph heading, by
striking ``cios'' and inserting ``chief information officers''.
SEC. 5. ACTIONS TO ENHANCE FEDERAL INCIDENT TRANSPARENCY.
(a) Responsibilities of the Cybersecurity and Infrastructure Security
Agency.--
(1) In general.--Not later than 180 days after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency shall--
(A) develop a plan for the development, using systems
in place on the date of enactment of this Act, of the
analysis required under section 3597(a) of title 44,
United States Code, as added by this Act, and the
report required under subsection (b) of that section
that includes--
(i) a description of any challenges the
Director of the Cybersecurity and
Infrastructure Security Agency anticipates
encountering; and
(ii) the use of automation and machine-
readable formats for collecting, compiling,
monitoring, and analyzing data; and
(B) provide to the appropriate congressional
committees a briefing on the plan developed under
subparagraph (A).
(2) Briefing.--Not later than 1 year after the date of
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency shall provide to the appropriate
congressional committees a briefing on--
(A) the execution of the plan required under
paragraph (1)(A); and
(B) the development of the report required under
section 3597(b) of title 44, United States Code, as
added by this Act.
(b) Responsibilities of the Director of the Office of Management and
Budget.--
(1) Updating fisma 2014.--Section 2 of the Federal
Information Security Modernization Act of 2014 (Public Law
113-283; 128 Stat. 3073) is amended--
(A) by striking subsections (b) and (d); and
(B) by redesignating subsections (c), (e), and (f) as
subsections (b), (c), and (d), respectively.
(2) Incident data sharing.--
(A) In general.--The Director, in coordination with
the Director of the Cybersecurity and Infrastructure
Security Agency, shall develop, and as appropriate
update, guidance, on the content, timeliness, and
format of the information provided by agencies under
section 3594(a) of title 44, United States Code, as
added by this Act.
(B) Requirements.--The guidance developed under
subparagraph (A) shall--
(i) enable the efficient development of--
(I) lessons learned and
recommendations in responding to,
recovering from, remediating, and
mitigating future incidents; and
(II) the report on Federal incidents
required under section 3597(b) of title
44, United States Code, as added by
this Act; and
(ii) include requirements for the timeliness
of data production.
(C) Automation.--The Director, in coordination with
the Director of the Cybersecurity and Infrastructure
Security Agency, shall promote, as feasible, the use of
automation and machine-readable data for data sharing
under section 3594(a) of title 44, United States Code,
as added by this Act.
(3) Contractor and awardee guidance.--
(A) In general.--Not later than 1 year after the date
of enactment of this Act, the Director shall issue
guidance to agencies on how to deconflict, to the
greatest extent practicable, existing regulations,
policies, and procedures relating to the
responsibilities of contractors and awardees
established under section 3595 of title 44, United
States Code, as added by this Act.
(B) Existing processes.--To the greatest extent
practicable, the guidance issued under subparagraph (A)
shall allow contractors and awardees to use existing
processes for notifying agencies of incidents involving
information of the Federal Government.
(c) Update to the Privacy Act of 1974.--Section 552a(b) of title 5,
United States Code (commonly known as the ``Privacy Act of 1974'') is
amended--
(1) in paragraph (11), by striking ``or'' at the end;
(2) in paragraph (12), by striking the period at the end and
inserting ``; or''; and
(3) by adding at the end the following:
``(13) to another agency, to the extent necessary, to assist
the recipient agency in responding to an incident (as defined
in section 3552 of title 44) or breach (as defined in section
3591 of title 44) or to fulfill the information sharing
requirements under section 3594 of title 44.''.
SEC. 6. AGENCY REQUIREMENTS TO NOTIFY PRIVATE SECTOR ENTITIES IMPACTED
BY INCIDENTS.
(a) Definitions.--In this section:
(1) Reporting entity.--The term ``reporting entity'' means a
private organization or governmental unit that is required by
statute or regulation to submit sensitive information to an
agency.
(2) Sensitive information.--The term ``sensitive
information'' has the meaning given the term by the Director in
guidance issued under subsection (b).
(b) Guidance on Notification of Reporting Entities.--Not later than 1
year after the date of enactment of this Act, the Director shall
develop, in consultation with the National Cyber Director, and issue
guidance requiring the head of each agency to notify a reporting entity
in an appropriate and timely manner, and take into consideration the
need to coordinate with Sector Risk Management Agencies (as defined in
section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650)), as
appropriate, of an incident at the agency that is likely to
substantially affect--
(1) the confidentiality or integrity of sensitive information
submitted by the reporting entity to the agency pursuant to a
statutory or regulatory requirement; or
(2) any information system (as defined in section 3502 of
title 44, United States Code) used in the transmission or
storage of the sensitive information described in paragraph
(1).
SEC. 7. FEDERAL PENETRATION TESTING POLICY.
(a) In General.--Subchapter II of chapter 35 of title 44, United
States Code, is amended by adding at the end the following:
``Sec. 3559A. Federal penetration testing
``(a) Guidance.--The Director, in consultation with the Director of
the Cybersecurity and Infrastructure Security Agency, shall issue
guidance to agencies that--
``(1) requires agencies to perform penetration testing on
information systems, as appropriate, including on high value
assets;
``(2) provides policies governing the development of--
``(A) rules of engagement for using penetration
testing; and
``(B) procedures to use the results of penetration
testing to improve the cybersecurity and risk
management of the agency;
``(3) ensures that operational support or a shared service is
available; and
``(4) in no manner restricts the authority of the Secretary
of Homeland Security or the Director of the Cybersecurity and
Infrastructure Security Agency to conduct threat hunting pursuant to
section 3553, or penetration testing under this chapter.
``(b) Exception for National Security Systems.--The guidance issued
under subsection (a) shall not apply to national security systems.
``(c) Delegation of Authority for Certain Systems.--The authorities
of the Director described in subsection (a) shall be delegated to--
``(1) the Secretary of Defense in the case of a system
described in section 3553(e)(2); and
``(2) the Director of National Intelligence in the case of a
system described in section 3553(e)(3).''.
(b) Existing Guidance.--
(1) In general.--Compliance with guidance issued by the
Director relating to penetration testing before the date of
enactment of this Act shall be deemed to be compliant with
section 3559A of title 44, United States Code, as added by this
Act.
(2) Immediate new guidance not required.--Nothing in section
3559A of title 44, United States Code, as added by this Act,
shall be construed to require the Director to issue new
guidance to agencies relating to penetration testing before the
date described in paragraph (3).
(3) Guidance updates.--Notwithstanding paragraphs (1) and
(2), not later than 2 years after the date of enactment of this
Act, the Director shall review and, as appropriate, update
existing guidance requiring penetration testing by agencies.
(c) Clerical Amendment.--The table of sections for chapter 35 of
title 44, United States Code, is amended by adding after the item
relating to section 3559 the following:
``3559A. Federal penetration testing.''.
(d) Penetration Testing by the Secretary of Homeland Security.--
Section 3553(b) of title 44, United States Code, as amended by this
Act, is further amended by inserting after paragraph (8) the following:
``(9) performing penetration testing that may leverage manual
expert analysis to identify threats and vulnerabilities within
information systems--
``(A) without consent or authorization from agencies;
and
``(B) with prior consultation with the head of the
agency at least 72 hours in advance of such testing;''.
SEC. 8. VULNERABILITY DISCLOSURE POLICIES.
(a) In General.--Chapter 35 of title 44, United States Code, is
amended by inserting after section 3559A, as added by this Act, the
following:
``Sec. 3559B. Federal vulnerability disclosure policies
``(a) Purpose; Sense of Congress.--
``(1) Purpose.--The purpose of Federal vulnerability
disclosure policies is to create a mechanism to enable the
public to inform agencies of vulnerabilities in Federal
information systems.
``(2) Sense of congress.--It is the sense of Congress that,
in implementing the requirements of this section, the Federal
Government should take appropriate steps to reduce real and
perceived burdens in communications between agencies and
security researchers.
``(b) Definitions.--In this section:
``(1) Contractor.--The term `contractor' has the meaning
given the term in section 3591.
``(2) Internet of things.--The term `internet of things' has
the meaning given the term in Special Publication 800-213 of
the National Institute of Standards and Technology, entitled
`IoT Device Cybersecurity Guidance for the Federal Government:
Establishing IoT Device Cybersecurity Requirements', or any
successor document.
``(3) Security vulnerability.--The term `security
vulnerability' has the meaning given the term in section 102 of
the Cybersecurity Information Sharing Act of 2015 (6 U.S.C.
1501).
``(4) Submitter.--The term `submitter' means an individual
that submits a vulnerability disclosure report pursuant to the
vulnerability disclosure process of an agency.
``(5) Vulnerability disclosure report.--The term
`vulnerability disclosure report' means a disclosure of a
security vulnerability made to an agency by a submitter.
``(c) Guidance.--The Director shall issue guidance to agencies that
includes--
``(1) use of the information system security vulnerabilities
disclosure process guidelines established under section 4(a)(1)
of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C.
278g-3b(a)(1));
``(2) direction to not recommend or pursue legal action
against a submitter or an individual that conducts a security
research activity that--
``(A) represents a good faith effort to identify and
report security vulnerabilities in information systems;
or
``(B) otherwise represents a good faith effort to
follow the vulnerability disclosure policy of the
agency developed under subsection (f)(2);
``(3) direction on sharing relevant information in a
consistent, automated, and machine-readable manner with the
Director of the Cybersecurity and Infrastructure Security
Agency;
``(4) the minimum scope of agency systems required to be
covered by the vulnerability disclosure policy of an agency
required under subsection (f)(2), including exemptions under
subsection (g);
``(5) requirements for providing information to the submitter
of a vulnerability disclosure report on the resolution of the
vulnerability disclosure report;
``(6) a stipulation that the mere identification by a
submitter of a security vulnerability, without a significant
compromise of confidentiality, integrity, or availability, does
not constitute a major incident; and
``(7) the applicability of the guidance to internet of things
devices owned or controlled by an agency.
``(d) Consultation.--In developing the guidance required under
subsection (c)(3), the Director shall consult with the Director of the
Cybersecurity and Infrastructure Security Agency.
``(e) Responsibilities of CISA.--The Director of the Cybersecurity
and Infrastructure Security Agency shall--
``(1) provide support to agencies with respect to the
implementation of the requirements of this section;
``(2) develop tools, processes, and other mechanisms
determined appropriate to offer agencies capabilities to
implement the requirements of this section;
``(3) upon a request by an agency, assist the agency in the
disclosure to vendors of newly identified security
vulnerabilities in vendor products and services; and
``(4) as appropriate, implement the requirements of this
section, in accordance with the authority under section
3553(b)(8), as a shared service available to agencies.
``(f) Responsibilities of Agencies.--
``(1) Public information.--The head of each agency shall make
publicly available, with respect to each internet domain under
the control of the agency that is not a national security
system and to the extent consistent with the security of
information systems but with the presumption of disclosure--
``(A) an appropriate security contact; and
``(B) the component of the agency that is responsible
for the internet accessible services offered at the
domain.
``(2) Vulnerability disclosure policy.--The head of each
agency shall develop and make publicly available a
vulnerability disclosure policy for the agency, which shall--
``(A) describe--
``(i) the scope of the systems of the agency
included in the vulnerability disclosure
policy, including for internet of things
devices owned or controlled by the agency;
``(ii) the type of information system testing
that is authorized by the agency;
``(iii) the type of information system
testing that is not authorized by the agency;
``(iv) the disclosure policy for a
contractor; and
``(v) the disclosure policy of the agency for
sensitive information;
``(B) with respect to a vulnerability disclosure
report to an agency, describe--
``(i) how the submitter should submit the
vulnerability disclosure report; and
``(ii) if the report is not anonymous, when
the reporter should anticipate an
acknowledgment of receipt of the report by the
agency;
``(C) include any other relevant information; and
``(D) be mature in scope and cover every internet
accessible information system used or operated by that
agency or on behalf of that agency.
``(3) Identified security vulnerabilities.--The head of each
agency shall--
``(A) consider security vulnerabilities reported in
accordance with paragraph (2);
``(B) commensurate with the risk posed by the
security vulnerability, address such security
vulnerability using the security vulnerability
management process of the agency; and
``(C) in accordance with subsection (c)(5), provide
information to the submitter of a vulnerability
disclosure report.
``(g) Exemptions.--
``(1) In general.--The Director and the head of each agency
shall carry out this section in a manner consistent with the
protection of national security information.
``(2) Limitation.--The Director and the head of each agency
may not publish under subsection (f)(1) or include in a
vulnerability disclosure policy under subsection (f)(2) host
names, services, information systems, or other information that
the Director or the head of an agency, in coordination with the
Director and other appropriate heads of agencies, determines
would--
``(A) disrupt a law enforcement investigation;
``(B) endanger national security or intelligence
activities; or
``(C) impede national defense activities or military
operations.
``(3) National security systems.--This section shall not
apply to national security systems.
``(h) Delegation of Authority for Certain Systems.--The authorities
of the Director and the Director of the Cybersecurity and
Infrastructure Security Agency described in this section shall be
delegated--
``(1) to the Secretary of Defense in the case of systems
described in section 3553(e)(2); and
``(2) to the Director of National Intelligence in the case of
systems described in section 3553(e)(3).
``(i) Revision of Federal Acquisition Regulation.--The Federal
Acquisition Regulation shall be revised as necessary to implement the
provisions under this section.''.
(b) Existing Guidance and Policies.--
(1) In general.--Compliance with guidance issued by the
Director relating to vulnerability disclosure policies before
the date of enactment of this Act shall be deemed to be
compliance with section 3559B of title 44, United States Code,
as added by this title.
(2) Immediate new guidance not required.--Nothing in section
3559B of title 44, United States Code, as added by this title,
shall be construed to require the Director to issue new
guidance to agencies relating to vulnerability disclosure
policies before the date described in paragraph (4).
(3) Immediate new policies not required.--Nothing in section
3559B of title 44, United States Code, as added by this title,
shall be construed to require the head of any agency to issue
new policies relating to vulnerability disclosure policies
before the issuance of any updated guidance under paragraph
(4).
(4) Guidance update.--Notwithstanding paragraphs (1), (2) and
(3), not later than 4 years after the date of enactment of this
Act, the Director shall review and, as appropriate, update
existing guidance relating to vulnerability disclosure
policies.
(c) Clerical Amendment.--The table of sections for chapter 35 of
title 44, United States Code, is amended by adding after the item
relating to section 3559A, as added by this Act, the following:
``3559B. Federal vulnerability disclosure policies.''.
(d) Conforming Update and Repeal.--
(1) Guidelines on the disclosure process for security
vulnerabilities relating to information systems, including
internet of things devices.--Section 5 of the IoT Cybersecurity
Improvement Act of 2020 (15 U.S.C. 278g-3c) is amended by
striking subsections (d) and (e).
(2) Implementation and contractor compliance.--The IoT
Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-3a et
seq.) is amended--
(A) by striking section 6 (15 U.S.C. 278g-3d); and
(B) by striking section 7 (15 U.S.C. 278g-3e).
SEC. 9. IMPLEMENTING ZERO TRUST ARCHITECTURE.
(a) Briefings.--Not later than 1 year after the date of enactment of
this Act, the Director shall provide to the Committee on Homeland
Security and Governmental Affairs of the Senate and the Committees on
Oversight and Accountability and Homeland Security of the House of
Representatives a briefing on progress in increasing the internal
defenses of agency systems, including--
(1) shifting away from trusted networks to implement security
controls based on a presumption of compromise, including
through the transition to zero trust architecture;
(2) implementing principles of least privilege in
administering information security programs;
(3) limiting the ability of entities that cause incidents to
move laterally through or between agency systems;
(4) identifying incidents quickly;
(5) isolating and removing unauthorized entities from agency
systems as quickly as practicable, accounting for intelligence
or law enforcement purposes; and
(6) otherwise increasing the resource costs for entities that
cause incidents to be successful.
(b) Progress Report.--As a part of each report required to be
submitted under section 3553(c) of title 44, United States Code, during
the period beginning on the date that is 4 years after the date of
enactment of this Act and ending on the date that is 10 years after the
date of enactment of this Act, the Director shall include an update on
agency implementation of zero trust architecture, which shall include--
(1) a description of steps agencies have completed, including
progress toward achieving any requirements issued by the
Director, including the adoption of any models or reference
architecture;
(2) an identification of activities that have not yet been
completed and that would have the most immediate security
impact; and
(3) a schedule to implement any planned activities.
(c) Classified Annex.--Each update required under subsection (b) may
include 1 or more annexes that contain classified or other sensitive
information, as appropriate.
(d) National Security Systems.--
(1) Briefing.--Not later than 1 year after the date of
enactment of this Act, the Secretary of Defense shall provide
to the Committee on Homeland Security and Governmental Affairs
of the Senate, the Committee on Oversight and Accountability of
the House of Representatives, the Committee on Armed Services
of the Senate, the Committee on Armed Services of the House of
Representatives, the Select Committee on Intelligence of the
Senate, and the Permanent Select Committee on Intelligence of
the House of Representatives a briefing on the implementation
of zero trust architecture with respect to national security
systems.
(2) Progress report.--Not later than the date on which each
update is required to be submitted under subsection (b), the
Secretary of Defense shall submit to the congressional
committees described in paragraph (1) a progress report on the
implementation of zero trust architecture with respect to
national security systems.
SEC. 10. AUTOMATION AND ARTIFICIAL INTELLIGENCE.
(a) Definition.--In this section, the term ``information system'' has
the meaning given the term in section 3502 of title 44, United States
Code.
(b) Use of Artificial Intelligence.--
(1) In general.--As appropriate, the Director shall issue
guidance on the use of artificial intelligence by agencies to
improve the cybersecurity of information systems.
(2) Considerations.--The Director and head of each agency
shall consider the use and capabilities of artificial
intelligence systems in furtherance of the cybersecurity of
information systems.
(3) Report.--Not later than 1 year after the date of
enactment of this Act, and annually thereafter until the date
that is 5 years after the date of enactment of this Act, the
Director shall submit to the appropriate congressional
committees a report on the use of artificial intelligence to
further the cybersecurity of information systems.
(c) Comptroller General Reports.--
(1) In general.--Not later than 2 years after the date of
enactment of this Act, the Comptroller General of the United
States shall submit to the appropriate congressional committees
a report on the risks to the privacy of individuals and the
cybersecurity of information systems associated with the use by
Federal agencies of artificial intelligence systems or
capabilities.
(2) Study.--Not later than 2 years after the date of
enactment of this Act, the Comptroller General of the United
States shall perform a study, and submit to the Committees on
Homeland Security and Governmental Affairs and Commerce,
Science, and Transportation of the Senate and the Committees on
Oversight and Accountability, Homeland Security, and Science,
Space, and Technology of the House of Representatives a report,
on the use of automation, artificial intelligence, including
generative artificial intelligence, and machine-readable data
across the Federal Government for cybersecurity purposes,
including--
(A) the automated updating of cybersecurity tools,
sensors, or processes employed by agencies under
paragraphs (1), (5)(C), and (8)(B) of section 3554(b)
of title 44, United States Code, as amended by this
Act; and
(B) to combat social engineering attacks.
SEC. 11. FEDERAL CYBERSECURITY REQUIREMENTS.
(a) Codifying Federal Cybersecurity Requirements in Title 44.--
(1) Amendment to federal cybersecurity enhancement act of
2015.--Section 225 of the Federal Cybersecurity Enhancement Act
of 2015 (6 U.S.C. 1523) is amended by striking subsections (b)
and (c).
(2) Title 44.--Section 3554 of title 44, United States Code,
as amended by this Act, is further amended by adding at the end
the following:
``(f) Specific Cybersecurity Requirements at Agencies.--
``(1) In general.--Consistent with policies, standards,
guidelines, and directives on information security under this
subchapter, and except as provided under paragraph (3), the
head of each agency shall--
``(A) identify sensitive and mission critical data
stored by the agency consistent with the inventory
required under section 3505(c);
``(B) assess access controls to the data described in
subparagraph (A), the need for readily accessible
storage of the data, and the need of individuals to
access the data;
``(C) encrypt or otherwise render indecipherable to
unauthorized users the data described in subparagraph
(A) that is stored on or transiting agency information
systems;
``(D) implement identity and access management
systems to ensure the security of Federal information
systems and protect agency records and data from fraud
resulting from the misrepresentation of identity or
identity theft, including--
``(i) a single sign-on trusted identity
platform for individuals accessing each public
website of the agency that requires, at a
minimum, user authentication and verification
services consistent with applicable law and
guidance issued by the Director of the Office
of Management and Budget who shall consider any
applicable standard or guideline developed by
the National Institute of Standards and
Technology, which may be one developed by the
Administrator of General Services in
consultation with the Director of the Office of
Management and Budget; and
``(ii) multi-factor authentication,
consistent with guidance issued by the Director
of the Office of Management and Budget who
shall consider any applicable standard or
guideline developed by the National Institute
of Standards and Technology, for--
``(I) remote access to an information
system; and
``(II) each user account with
elevated privileges on an information
system.
``(2) Prohibition.--
``(A) Definition.--In this paragraph, the term
`internet of things' has the meaning given the term in
section 3559B.
``(B) Prohibition.--Consistent with policies,
standards, guidelines, and directives on information
security under this subchapter, and except as provided
under paragraph (3), the head of an agency may not
procure, obtain, renew a contract to procure or obtain
in any amount, notwithstanding section 1905 of title
41, or use an internet of things device if the Chief
Information Officer of the agency determines during a
review required under section 11319(b)(1)(C) of title
40 of a contract for an internet of things device that
the use of the device prevents compliance with the
standards and guidelines developed under section 4 of
the IoT Cybersecurity Improvement Act (15 U.S.C. 278g-3b)
with respect to the device.
``(3) Exceptions.--
``(A) In general.--The requirements under
subparagraphs (A), (B), (C), and (D)(ii) of paragraph
(1) shall not apply to an information system for which
the head of the agency, without delegation, has--
``(i) certified to the Director with
particularity that--
``(I) operational requirements
articulated in the certification and
related to the information system would
make it excessively burdensome to
implement the cybersecurity
requirement;
``(II) the cybersecurity requirement
is not necessary to secure the
information system or agency
information stored on or transiting it;
and
``(III) the agency has taken all
necessary steps to secure the
information system and agency
information stored on or transiting it;
and
``(ii) submitted the certification described
in clause (i) to the appropriate congressional
committees and the authorizing committees of
the agency.
``(B) Identity management platform waiver.--The head
of an agency shall be in compliance with the
requirement under paragraph (1)(D)(i) with respect to
implementing a single-sign on trusted identity system
or platform other than one developed by the
Administrator of General Services as described under
paragraph (1)(D)(i) if the head of the agency--
``(i) without delegation--
``(I) has certified to the Director
that the alternative system or
platform, including a procured system
or platform, conforms with applicable
security and privacy requirements of
this subchapter and guidance issued by
the Director, at least 30 days before
use of the system or platform; or
``(II) with regard to a system or
platform in use as of the date of
enactment of this subsection, the head
of the agency provides such
certification to the Director within 60
days after the date of enactment of
this subsection;
``(ii) has received a written waiver from the
Director in response to the request submitted
under clause (i); and
``(iii) has submitted the certification
described in clause (i) and the waiver
described in clause (ii) to the appropriate
congressional committees and the authorizing
committees of the agency.
``(4) Duration of certification.--
``(A) In general.--A certification and corresponding
exemption of an agency under paragraph (3) shall expire
on the date that is 4 years after the date on which the
head of the agency submits the certification under
paragraph (3).
``(B) Renewal.--Upon the expiration of a
certification of an agency under paragraph (3), the
head of the agency may submit an additional
certification in accordance with that paragraph.
``(5) Presumption of adequacy.--A FedRAMP authorization
issued pursuant to chapter 36 of title 44 shall be presumed
adequate to fulfill the requirements under subparagraphs (A)
through (C) of paragraph (1) with respect to an agency
authorization to operate cloud computing products and services
if such presumption of adequacy does not alter or modify--
``(A) the responsibility of any agency to ensure
compliance with this subchapter for any cloud computing
product or service used by the agency; or
``(B) the authority of the head of any agency to make
a determination that there is a demonstrable need to
include additional security controls beyond those
included in a FedRAMP authorization package for a
particular cloud computing product or service.
``(6) Rules of construction.--Nothing in this subsection
shall be construed--
``(A) to alter the authority of the Secretary, the
Director, or the Director of the National Institute of
Standards and Technology in implementing subchapter II
of this title;
``(B) to affect the standards or process of the
National Institute of Standards and Technology;
``(C) to affect the requirement under section
3553(a)(4);
``(D) to discourage continued improvements and
advancements in the technology, standards, policies,
and guidelines used to promote Federal information
security; or
``(E) to affect the requirements under subchapter
III.
``(g) Exception.--
``(1) National security system requirements.--The
requirements under subsection (f)(1) shall not apply to--
``(A) a national security system; or
``(B) an information system described in paragraph
(2) or (3) of section 3553(e)(2).
``(2) Prohibition.--The prohibition under subsection (f)(2)
shall not apply to--
``(A) necessary in the interest of national security;
``(B) national security systems; or
``(C) a procured internet of things device described
in subsection (f)(2)(B) that the Chief Information
Officer of an agency determines is--
``(i) necessary for research purposes;
``(ii) necessary in the interest of national
security; or
``(iii) secured using alternative and
effective methods appropriate to the function
of the internet of things device.''.
(b) Report on Exemptions.--Section 3554(c)(1) of title 44, United
States Code, as amended by this Act, is further amended--
(1) in subparagraph (C), by striking ``and'' at the end;
(2) in subparagraph (D), by striking the period at the end
and inserting ``; and''; and
(3) by adding at the end the following:
``(E) with respect to any exemption from the
requirements of subsection (f)(3) that is effective on
the date of submission of the report, includes the
number of information systems that have received an
exemption from those requirements.''.
(c) Guidance for Identity Management Systems Used by Agencies.--Not
later than 1 year after the date of enactment of this Act, the Director
of the Office of Management and Budget, in consultation with the
Director of the National Institute of Standards and Technology, shall
issue, and routinely update thereafter, guidance for agencies to
implement identity management systems and a single sign-on trusted
identity platform as required under section 3554(f)(1)(D)(i) of title
44, United States Code, as amended by this Act, which shall at a
minimum, include the following:
(1) Requirements for agencies to routinely certify that such
systems are in compliance with this guidance.
(2) Requirements for agencies to routinely verify and certify
that information stored on or transiting through a commercially
available product (as defined in section 103 of title 41,
United States Code) or commercial service (as defined in
section 103a of title 41, United States Code) used to fulfil
such requirements is appropriately secured in conformity with
subchapter II of chapter 35 of title 44, United States Code.
(3) Address national security concerns and requirements to
ensure the protection of sensitive personal records and
biometric data of United States persons from malign foreign
ownership, control, or influence and fraud actors.
(4) Requirements or guidelines to comply with section 3 of
the 21st Century Idea Act (44 U.S.C. 3501 note).
(5) Requirements to prevent discrimination in violation of
title VI of the Civil Rights Act of 1964 (42 U.S.C. 2000d et
seq.).
(6) A description of the information necessary to be
submitted under the exception described in section
3554(f)(3)(B) of title 44, United States Code, as amended by
this Act.
(d) GAO Evaluation of Technical Capability of Identity Management
Systems and Platforms.--Not less frequently than every 3 years for the
next 6 years, the Comptroller General shall submit to the appropriate
congressional committees a report on whether the single sign-on trusted
identity systems and platforms used by agencies or the one developed by
the General Services Administration under section 3554(f)(D)(i) of
title 44, United States Code, as amended by this Act, adhere to the
information security requirements of chapter 35 of title 44, United
States Code, guidance issued under subsection (c), and relevant
identity management technical standards promulgated by the National
Institute of Standards and Technology, as appropriate, including
section 504 of the Cybersecurity Enhancement Act of 2014 (15 U.S.C.
7464).
(e) Duration of Certification Effective Date.--Paragraph (3) of
section 3554(f) of title 44, United States Code, as added by this Act,
shall take effect on the date that is 1 year after the date of
enactment of this Act.
(f) Federal Cybersecurity Enhancement Act of 2015 Update.--Section
222(3)(B) of the Federal Cybersecurity Enhancement Act of 2015 (6
U.S.C. 1521(3)(B)) is amended by inserting ``and the Committee on
Oversight and Accountability'' before ``of the House of
Representatives'''.
SEC. 12. FEDERAL CHIEF INFORMATION SECURITY OFFICER.
(a) Amendment.--Chapter 36 of title 44, United States Code, is
amended by adding at the end the following:
``Sec. 3617. Federal Chief Information Security Officer
``(a) Establishment.--There is established a Federal Chief
Information Security Officer, who shall serve in--
``(1) the Office of the Federal Chief Information Officer of
the Office of Management and Budget; and
``(2) the Office of the National Cyber Director.
``(b) Appointment.--The Federal Chief Information Security Officer
shall be appointed by the President.
``(c) OMB Duties.--The Federal Chief Information Security Officer
shall report to the Federal Chief Information Officer and assist the
Federal Chief Information Officer in carrying out--
``(1) every function under this chapter;
``(2) every function assigned to the Director under title II
of the E-Government Act of 2002 (44 U.S.C. 3501 note; Public
Law 107-347);
``(3) other electronic government initiatives consistent with
other statutes; and
``(4) other Federal cybersecurity initiatives determined by
the Federal Chief Information Officer.
``(d) Additional Duties.--The Federal Chief Information Security
Officer shall--
``(1) support the Federal Chief Information Officer in
overseeing and implementing Federal cybersecurity under the
E-Government Act of 2002 (Public Law 107-347; 116 Stat. 2899) and
other relevant statutes in a manner consistent with law; and
``(2) perform every function assigned to the Director under
sections 1321 through 1328 of title 41, United States Code.
``(e) Coordination With ONCD.--The Federal Chief Information Security
Officer shall support initiatives determined by the Federal Chief
Information Officer necessary to coordinate with the Office of the
National Cyber Director.''.
(b) National Cyber Director Duties.--Section 1752 of the William M.
(Mac) Thornberry National Defense Authorization Act for Fiscal Year
2021 (6 U.S.C. 1500) is amended--
(1) by redesignating subsection (g) as subsection (h); and
(2) by inserting after subsection (f) the following:
``(g) Senior Federal Cybersecurity Officer.--The Federal Chief
Information Security Officer appointed by the President under section
3617 of title 44, United States Code, shall be a senior official within
the Office and carry out duties applicable to the protection of
information technology (as defined in section 11101 of title 40, United
States Code), including initiatives determined by the Director
necessary to coordinate with the Office of the Federal Chief
Information Officer.''.
(c) Treatment of Incumbent.--The individual serving as the Federal
Chief Information Security Officer appointed by the President as of the
date of enactment of this Act may serve as the Federal Chief
Information Security Officer under section 3617 of title 44, United
States Code, as added by this Act, beginning on the date of enactment
of this Act, without need for a further or additional appointment under
such section.
(d) Clerical Amendment.--The table of sections for chapter 36 of
title 44, United States Code, is amended by adding at the end the
following:
``3617. Federal Chief Information Security Officer.''.
SEC. 13. RENAMING OFFICE OF THE FEDERAL CHIEF INFORMATION OFFICER.
(a) Definitions.--
(1) In general.--Section 3601 of title 44, United States
Code, is amended--
(A) by striking paragraph (1); and
(B) by redesignating paragraphs (2) through (8) as
paragraphs (1) through (7), respectively.
(2) Conforming amendments.--
(A) Title 10.--Section 2222(i)(6) of title 10, United
States Code, is amended by striking ``section 3601(4)''
and inserting ``section 3601''.
(B) National security act of 1947.--Section
506D(k)(1) of the National Security Act of 1947 (50
U.S.C. 3100(k)(1)) is amended by striking ``section
3601(4)'' and inserting ``section 3601''.
(b) Office of Electronic Government.--Section 3602 of title 44,
United States Code, is amended--
(1) in the heading, by striking ``Office of Electronic
Government'' and inserting ``Office of the Federal Chief
Information Officer'';
(2) in subsection (a), by striking ``Office of Electronic
Government'' and inserting ``Office of the Federal Chief
Information Officer'';
(3) in subsection (b), by striking ``an Administrator'' and
inserting ``a Federal Chief Information Officer'';
(4) in subsection (c), in the matter preceding paragraph (1),
by striking ``The Administrator'' and inserting ``The Federal
Chief Information Officer'';
(5) in subsection (d), in the matter preceding paragraph (1),
by striking ``The Administrator'' and inserting ``The Federal
Chief Information Officer'';
(6) in subsection (e), in the matter preceding paragraph (1),
by striking ``The Administrator'' and inserting ``The Federal
Chief Information Officer'';
(7) in subsection (f)--
(A) in the matter preceding paragraph (1), by
striking ``the Administrator'' and inserting ``the
Federal Chief Information Officer'';
(B) in paragraph (16), by striking ``the Office of
Electronic Government'' and inserting ``the Office of
the Federal Chief Information Officer''; and
(C) in paragraph (17), by striking ``E-Government''
and inserting ``annual''; and
(8) in subsection (g), by striking ``the Office of Electronic
Government'' and inserting ``the Office of the Federal Chief
Information Officer''.
(c) Chief Information Officers Council.--Section 3603 of title 44,
United States Code, is amended--
(1) in subsection (b)(2), by striking ``The Administrator of
the Office of Electronic Government'' and inserting ``The
Federal Chief Information Officer'';
(2) in subsection (c)(1), by striking ``The Administrator of
the Office of Electronic Government'' and inserting ``The
Federal Chief Information Officer''; and
(3) in subsection (f)--
(A) in paragraph (3), by striking ``the
Administrator'' and inserting ``the Federal Chief
Information Officer''; and
(B) in paragraph (5), by striking ``the
Administrator'' and inserting ``the Federal Chief
Information Officer''.
(d) E-Government Fund.--Section 3604 of title 44, United States Code,
is amended--
(1) in subsection (a)(2), by striking ``the Administrator of
the Office of Electronic Government'' and inserting ``the
Federal Chief Information Officer'';
(2) in subsection (b), by striking ``Administrator'' each
place it appears and inserting ``Federal Chief Information
Officer''; and
(3) in subsection (c), in the matter preceding paragraph (1),
by striking ``the Administrator'' and inserting ``the Federal
Chief Information Officer''.
(e) Program to Encourage Innovative Solutions to Enhance Electronic
Government Services and Processes.--Section 3605 of title 44, United
States Code, is amended--
(1) in subsection (a), by striking ``The Administrator'' and
inserting ``The Federal Chief Information Officer'';
(2) in subsection (b), by striking ``, the Administrator,''
and inserting ``, the Federal Chief Information Officer,''; and
(3) in subsection (c)--
(A) in paragraph (1)--
(i) by striking ``The Administrator'' and
inserting ``The Federal Chief Information
Officer''; and
(ii) by striking ``proposals submitted to the
Administrator'' and inserting ``proposals
submitted to the Federal Chief Information
Officer'';
(B) in paragraph (2)(B), by striking ``the
Administrator'' and inserting ``the Federal Chief
Information Officer''; and
(C) in paragraph (4), by striking ``the
Administrator'' and inserting ``the Federal Chief
Information Officer''.
(f) E Government Report.--Section 3606 of title 44, United States
Code, is amended--
(1) in the section heading by striking ``E Government'' and
inserting ``Annual'';
(2) in subsection (a), by striking ``E Government'' and
inserting ``annual''; and
(3) in subsection (b)(1), by striking ``202(f)'' and
inserting ``202(g)''.
(g) Treatment of Incumbent.--The individual serving as the
Administrator of the Office of Electronic Government under section 3602
of title 44, United States Code, as of the date of enactment of this
Act, may continue to serve as the Federal Chief Information Officer
commencing as of that date, without need for a further or additional
appointment under such section.
(h) Technical and Conforming Amendments.--The table of sections for
chapter 36 of title 44, United States Code, is amended--
(1) by striking the item relating to section 3602 and
inserting the following:
``3602. Office of the Federal Chief Information Officer.'';
and
(2) in the item relating to section 3606, by striking ``E
Government'' and inserting ``Annual''.
(i) References.--
(1) Administrator.--Any reference to the Administrator of the
Office of Electronic Government in any law, regulation, map,
document, record, or other paper of the United States shall be
deemed to be a reference to the Federal Chief Information
Officer.
(2) Office of electronic government.--Any reference to the
Office of Electronic Government in any law, regulation, map,
document, record, or other paper of the United States shall be
deemed to be a reference to the Office of the Federal Chief
Information Officer.
SEC. 14. RULES OF CONSTRUCTION.
(a) Agency Actions.--Nothing in this Act, or an amendment made by
this Act, shall be construed to authorize the head of an agency to take
an action that is not authorized by this Act, an amendment made by this
Act, or existing law.
(b) Protection of Rights.--Nothing in this Act, or an amendment made
by this Act, shall be construed to permit the violation of the rights
of any individual protected by the Constitution of the United States,
including through censorship of speech protected by the Constitution of
the United States or unauthorized surveillance.
(c) Protection of Privacy.--Nothing in this Act, or any amendment
made by this Act, shall be construed to--
(1) impinge on the privacy rights of individuals; or
(2) allow the unauthorized access, sharing, or use of
personal data.
Summary and Purpose of Legislation
H.R. 4552, the Federal Information Security Modernization
Act of 2024 (FISMA 2024), preserves--and modernizes--the
current framework to protect federal agency information
systems. It assigns federal agency cybersecurity policy
development and oversight responsibilities to the Office of
Management and Budget (OMB), based on appropriate cyber
standards developed by the National Institute of Standards and
Technology (NIST). Operational and technical coordination
responsibilities are assigned to the Department of Homeland
Security (DHS) through the Cybersecurity and Infrastructure
Security Agency (CISA), and overall cybersecurity strategy and
Congressional reporting responsibilities to the recently
established National Cyber Director (NCD). The bill also
improves the NCD's reporting of major incidents to Congress and
codifies the OMB Federal Chief Information Security Officer
(CISO) as a `dual-hatted' role in the OMB Office of the Chief
Information Officer (OFCIO) and as a Deputy-NCD.
Overall, the bill advances risk-based cybersecurity
principles focused on equipping agencies to understand and
address vulnerabilities in real-time--as opposed to relying on
backwards looking compliance-based security assessments--by
prioritizing modern cybersecurity techniques like zero trust
architecture, cloud migration, automation, penetration testing,
vulnerability disclosure programs, and improved identity
management. The bill promotes the use of artificial
intelligence (AI) by agencies to improve the cybersecurity of
information systems by requiring OMB to develop relevant
guidance. The bill streamlines agency reporting requirements
and reduces the frequency of FISMA assessments while requiring
continuous monitoring of systems.
The bill does not imbue CISA with authorities other than
those related to federal cybersecurity. In fact, this
legislation clarifies that nothing in this bill may be used to
authorize an agency to take an action not authorized by law,
nor may it be used to violate the constitutionally protected
rights of any individual--including freedom of speech--or
impinge on the privacy rights of individuals.
Background and Need for Legislation
In 2002, Congress passed the Federal Information Security
Management Act (FISMA), which established a framework to
protect federal agency information systems. FISMA 2024 updates
the 2002 FISMA law, as well as the subsequent 2014 revision, by
further clarifying federal cybersecurity roles and
responsibilities.\1\
---------------------------------------------------------------------------
\1\Federal Information Security Management Act, Pub. L. No. 107-
347, 116 Stat. 2899 (2002); Federal Information Security Modernization
Act, Pub. L. No. 113-283, 128 Stat. 3073 (2014).
---------------------------------------------------------------------------
The U.S. government's increasing use of and reliance on
technology to provide information and services to all Americans
makes federal information systems a constant target of hostile
nations, criminal organizations, and other malicious actors
that leverage modern advances in technology. Attacks on federal
information systems are disruptive not just to agency missions
and programs, but also risk exposure of sensitive national
security and the public's private information.
Over the past decade, cyber incidents have become more
sophisticated, often presenting `zero-day' threats with the
potential to cause significant and widespread harm.
Adversaries--including criminal syndicates and nation states--
continue to exploit weaknesses borne from bureaucratic layers,
misaligned roles and responsibilities, and the resulting
confusion in the immediate aftermath of an intrusion.
For instance, in 2015, the Office of Personnel Management
announced the cyber theft of the sensitive information of over
20 million Americans.\2\ Between 2019 and 2020, nine federal
agencies and 100 private sector organizations were compromised
by the SolarWinds software supply-chain attack.\3\ In 2021, the
Colonial Pipeline ransomware attack showed the havoc an attack
on our nation's critical infrastructure could wreak as cars
lined up at gas stations in parts of the U.S. with ``panicked
Americans filling bags with fuel.''\4\ Also in 2021, meat
supplier JBS paid a ransom of $11 million when a cyber-attack
shut down its entire beef processing operation.\5\ And it is
not just cyber-attacks that cause problems, as evidenced by the
recent faulty CrowdStrike software update that led to the
``largest IT outage in history,''\6\ impacting several critical
industries worldwide including multiple federal agencies--a
stark reminder of how dependent many global organizations are
on common software systems.
---------------------------------------------------------------------------
\2\Ellen Nakashima, Hacks of OPM databases compromised 22.1 million
people, federal authorities say, The Washington Post (July 9, 2015).
\3\Jessica Davis, White House: SolarWinds hack impacted 9 Fed
agencies, 100 entities, TechTarget (Feb. 18, 2021).
\4\Blog Post, Cybersecurity and Infrastructure Security Agency, The
attack on Colonial Pipeline: what we've learned and what we've done
over the past two years (May 7, 2023).
\5\Brian Fung, JBS says it paid $11 million ransom after
cyberattack, CNN Business (June 9, 2021).
\6\Ruxandra Iordache et al., Microsoft-CrowdStrike issue causes
`largest IT outage in history,' CNBC (July 19, 2024).
---------------------------------------------------------------------------
To address some of the major gaps in federal cybersecurity
underscored by these examples, a core tenet of this legislation
is to equip the executive branch with the ability to evolve and
mature cyber policies on an ongoing basis, and avoid locking
overly prescriptive technical mandates into law. The bill also
attempts to avoid imposing statutory constraints that increase
compliance burdens or inflexibly mandate solutions which fail
to stand the test of time even as it pushes agencies toward
becoming diligent stewards of the sensitive and valuable
information under their purview.
For the first time, the bill incorporates the recently
established National Cyber Director (NCD) more broadly into the
FISMA framework, granting the office greater visibility into
federal agency budget cyber resourcing, tasking it with
coordinating agency incident reporting, and providing the NCD a
central role in federal agency cyber policy consultation.
Beyond the operational roles agencies must play in
responding to and mitigating intrusions and attacks, timely and
fulsome reporting to Congress is crucial for oversight and
potential legislative response. Therefore, H.R. 4552 assigns
central incident intake and reporting roles to the NCD in order
to improve coordination between Congress and the private
sector.
The Committee also recognizes that the Office of Management
and Budget (OMB) Federal Chief Information Security Officer
(CISO) is a critical official lacking a legal mandate. The bill
therefore codifies the Federal CISO as a `dual-hatted' role
within OMB and as a Deputy NCD to provide a valuable
coordination link between the nationally focused NCD and the
government-wide policy setting functions of OMB.
In addition to the above structural reforms to federal
cybersecurity roles and responsibilities, the bill proposes
modifications to the FISMA structure to ensure federal agencies
are continuously evaluating risks posed to the security of
devices, networks, software, and personnel within their
control. Specifically, the bill:
Requires agencies to designate Chief Privacy
Officers (Sec. 3(a)).
Advances the adoption of automation and zero
trust architectural principles (Sec. 3(c) & Sec. 9).
Requires continuous, ongoing Federal Risk
Assessments performed by CISA of the whole-of-
government cybersecurity risk posture (Sec. 3(c)).
Requires continuous, ongoing agency risk
assessments of high value assets, data, and systems, by
implementing penetration testing and agency
vulnerability disclosure programs (Sec. 3(c), Sec. 7, &
Sec. 8).
Adds a new framework for Federal System
Incident Response that includes notification
requirements for individuals potentially put at risk by
a cyber breach (Sec. 3(e) new Sec. 3592).
Mandates agencies notify Congress, OMB,
CISA, NCD, GAO, and the relevant agency Inspector
General within 72 hours of a major incident and include
a summary of the major incident (how the incident
occurred and the threat origin). Requires a
supplemental update to Congress within 30 days after
the notification (Sec. 3(e) new Sec. 3593).
Directs CISA to perform continuous and
automated monitoring of compromises, to improve
incident response (Sec. 3(e) new Sec. 3594).
Requires contractors or awardees to report
incidents and breaches to the contracting agency within
a day, which will then report to DHS. If a contractor
or awardee receives information about a security
vulnerability or supply chain compromise through a
third party (such as a vulnerability disclosure
program), then the contractor or awardee must notify
the contracting agency and DHS within 90 days (Sec.
3(e) new Sec. 3595).
Requires an agency that experiences a
covered breach to determine whether to send a notice to
potentially impacted individuals within 45 days--with
some exceptions allowing for a delay to 60 days--and
notification to relevant congressional committees
within 30 days (Sec. 3(e) new Sec. 3592).
Establishes a federal penetration testing
policy to understand agency preparedness (Sec. 7) and
codifies agency vulnerability disclosure programs to
address known problems (Sec. 8).
Requires an OMB and GAO report on the ways
AI can help automate and enhance agency cybersecurity
functions and for GAO to report on the privacy risks
associated with federal agency use of AI (Sec. 10).
Improves existing agency identity management
requirements and addresses shortcomings of the GSA-
developed Login.gov single sign-on identity platform
with increased oversight and guidance (Sec. 11).
H.R. 4552 represents a prudent and effective response to
the recent escalation of costly cyber-attacks and intrusions,
updating authorities to strengthen the federal government's
cyber defense as technology evolves and threats become more
sophisticated, persistent, and malicious.
Section-by-Section Analysis
Section 1. Short title
The short title is ``Federal Information Security
Modernization Act of 2024.''
Section 2. Definitions
This section defines the following terms for the
Act: agency, appropriate congressional committees, awardee,
contractor, Director, federal information system, incident,
national security system, penetration test, threat hunting, and
zero trust architecture.
Section 3. Amendments to title 44
Subsection (a) amends several sections in
subchapter I (Federal Information Policy) of chapter 35 of
title 44 related to federal information policy.
(a)(1) amends 44 U.S.C. Sec. 3504
related to the authority and functions of the Director
of the Office of Management and Budget (OMB). It
requires the OMB Director to consult with the National
Cyber Director (NCD) when developing and overseeing the
implementation of policies, principles, standards, and
guidelines on information security.
(a)(2) amends 44 U.S.C. Sec. 3505
related to the assignment of tasks and deadlines. It
requires agency heads to include internet-accessible
information systems and assets in the inventory of
major information systems required by the subsection.
Agency heads are directed to make the inventory
available to the NCD and the Director of the
Cybersecurity and Infrastructure Security
Administration (CISA) in addition to the Comptroller
General, and to maintain it on a continual basis
through the use of automation, machine-readable data,
and scanning wherever practicable. The paragraph also
removes a duplicated subsection (c) from section 3505.
(a)(3) amends 44 U.S.C. Sec. 3506
related to federal agency responsibilities. It requires
each agency Chief Information Officer (CIO) to
coordinate with the agency Chief Data Officer, as
appropriate, in ensuring prompt, efficient, and
effective implementation of, and compliance with,
information policies and resources management
responsibilities. It also requires agencies to improve
the availability of information to all users, both
within and outside the agency.
(a)(4) amends 44 U.S.C. Sec. 3513. It
requires agencies to provide any portion of a written
plan, developed in response to an OMB review under
Sec. 3513(a), addressing information security or
cybersecurity, to the National Cyber Director and
Secretary of Homeland Security.
Subsection (b) amends definitions in U.S.C.
subchapter II (Information Security) of chapter 35 of title 44.
(b)(1) amends 44 U.S.C. Sec. 3552(b) to
add definitions for the following terms: high value
asset, major incident, penetration test, shared
service, and zero trust architecture.
(b)(2) contains conforming amendments to
align various federal statutes with the updated
definitions in section 3552.
Subsection (c) amends U.S.C. sections in
subchapter II of chapter 35 of title 44.
(c)(1) amends 44 U.S.C. Sec. 3551
related to the purposes of the subchapter. It clarifies
that automated tools to continuously diagnose and
improve the security of agency information security
programs should also continuously integrate and deliver
security. It also recognizes that each agency has
specific mission requirements that lead to unique
cybersecurity requirements, with varying levels of
resources, and should not be expected to have the
capability to secure its systems from advanced
adversaries alone. Rather, a holistic federal
cybersecurity model is necessary to account for these
differences.
(c)(2) amends 44 U.S.C. Sec. 3553
related to the authority and functions of OMB and the
Secretary of Homeland Security. The subsection:
• Requires OMB to work with CISA, the NCD,
and the National Institute of Standards and
Technology (NIST) to promote the use of
automation and zero trust architecture to
improve cybersecurity.
• Requires the Secretary of Homeland Security
to consult with the NCD, in addition to OMB, in
implementing agency information security
policies and practices.
• Directs CISA to seek opportunities to
reduce costs, administrative burdens, and other
barriers to information technology security and
modernization faced by agencies, including
through shared services contracts and technical
assistance and expertise on the selection and
successful engagement of government-wide
contract vehicles offered by the GSA.
• Reduces the frequency of OMB's report to
Congress on the state of federal information
security from annually to biennially and
removes the summary of incidents previously
required in the reports.
• Amends the OMB and DHS annual report to
appropriate congressional committees on actions
taken to oversee agency FISMA compliance,
adding a summary of the trends identified in
the federal risk assessments and requiring the
reports to be unclassified (with a classified
annex).
• Includes the NCD in developing the
procedures for issuing emergency directives and
requires that CISA notify the NCD, in addition
to OMB and the head of any affected agency,
immediately upon the issuance of an emergency
directive.
• Requires CISA to provide prior notice to
the NCD, in addition to OMB and the head and
CIO of each affected agency, when authorizing
the use of intrusion detection and prevention
capabilities.
• Creates a new requirement that federal risk
assessments by CISA be performed on an ongoing
and continual basis to determine the
cybersecurity posture of agencies. CISA is
required to brief OMB and the NCD on these
assessments, and OMB is required to include a
summary of each assessment in its annual report
to Congress.
• Requires CISA to report to appropriate
reporting entities, including Congress, on
agency status of implementing Emergency
Directives (first within 7 days with 30-day
updates) and Binding Operational Directives
(first within 30 days with 90-day updates)
issued by the Secretary of DHS.
• Directs OMB and GAO to review the efficacy
of OMB-issued information security guidance and
policies once every 3 years.
• Directs NIST to develop, as appropriate,
specifications to enable agencies to automate
the verification of NIST-required controls.
• Requires CISA to provide federal risk
assessment information to the Inspector General
of the Department of Homeland Security and
other appropriate IGs upon request.
(c)(3) amends 44 U.S.C. Sec. 3554
related to the responsibilities of agencies. The
subsection:
• Requires agency heads to perform an agency
system risk assessment on an ongoing and
continual basis. The assessment must identify
high value assets, evaluate data assets and
associated agency systems, assess threats based
on federal and non-federal cyber threat
intelligence products, analyze vulnerabilities
including through penetration testing and
agency vulnerability disclosure programs, and
assess the impacts and consequences of
potential incidents for both the agency and
other agencies. Agency heads must provide an
update on the assessment to OMB, CISA, and the
NCD at intervals determined by OMB guidance,
and upon request, to the agency inspector
general and the Government Accountability
Office (GAO).
• Aligns existing provisions of the Code with
the updated risk assessment, implementation
plan, and other programs added by the bill.
• Technical correction to remove provisions
requiring reporting of a major incident to
Congressional Committees within seven days of
reasonably knowing that the event occurred. The
bill instead adds a new section 3593
(``Congressional and executive branch
reports.'') to Title 44 that requires more
timely Congressional reporting within 72 hours of
a major incident occurring (see p. 51).
• Changes existing law by requiring each
agency to submit a biennial report, rather than
an annual report, summarizing its annual risk
assessment, evaluating the effectiveness of
cybersecurity policies, and summarizing the
status of remedial actions identified by the
agency Inspector General, GAO, or any other
source to OMB, DHS, Congressional leadership,
relevant Congressional committees, the NCD, and
GAO. The subsection directs that, to the
greatest extent practicable, those reports
should be unclassified, but may include 1 or
more annexes that contain classified or
sensitive information. The subsection also
mandates that OMB provide a briefing to
congressional committees the years a report is
not required. Finally, the subsection requires
each agency to identify a Chief Information
Security Officer (CISO) to manage information
security, cybersecurity budgets, and risk and
compliance activities.
(c)(4) amends 44 U.S.C. Sec. 3555
related to the annual independent evaluation of agency
information security programs. The subsection:
• Changes the independent evaluations of
agency information security programs and
practices from yearly to biennial (in line with
the change to have agencies submit biennial
rather than annual FISMA reports to Congress).
• Instructs OMB to identify any entity
performing this independent audit in OMB's
summary report to Congress of these
evaluations.
• Requires that OMB, in consultation with
CISA, the CIO Council, the Council of the
Inspectors General on Integrity and Efficiency
(CIGIE), and other interested parties, shall
develop risk-based guidance for evaluating the
effectiveness of information security programs
and practices.
• Requires the risk-based guidance to
prioritize the identification of the most
common threat patterns experienced by each
agency and the security controls that address
those patterns, and any other security risks
unique to the networks of each agency.
• Requires agency heads to coordinate with
their IGs to ensure consistent understanding of
agency cybersecurity policies.
(c)(5) amends 44 U.S.C. Sec. 3556(a) to
require that the Federal information security incident
center already referenced there be maintained at CISA. This
subsection also amends 44 U.S.C. Sec. 3556(a) to
require that the intelligence and information on cyber
threats, vulnerabilities, and incidents provided by the
federal information security incident center to
agencies be used in the risk assessments required by
section 3554(a)(1)(A).
Subsection (d) makes conforming amendments to
update the table of sections and update other references to
FISMA reports to be submitted every two years, instead of every
year, as changed in Sec. 3553.
Subsection (e)
Subsection (e)(1) amends U.S.C. by
adding a new subchapter IV, entitled ``Federal System
Incident Response,'' to chapter 35 of title 44. The new
subchapter contains the following sections:
• Section 3591 (``Definitions'') defines the
following terms: appropriate reporting
entities, awardee, breach, contractor, federal
information, federal information system,
intelligence community, nationwide consumer
reporting agency, and vulnerability disclosure.
• Section 3592 (``Notification of breach'')
requires agency heads to expeditiously
determine whether notice to individuals
potentially impacted by a cybersecurity breach
(involving not less than 50,000 people, but
subject to change if agency head makes such a
determination) is appropriate and, if
appropriate, to notify those individuals within
45 days after the agency has concluded that
such an incident occurred. The section:
Specifies the contents of
the notification, which must include a
description of the breach, a
description of the types of personally
identifiable information (PII) affected
by the breach (if possible), the
relevant contact information for the
agency, information on any remedy the
agency is offering, and educational
materials.
Allows the head of an agency
in coordination with OMB and the
National Cyber Director, and as
appropriate, with the Attorney General,
Director of National Intelligence, or
Secretary of Homeland Security to delay
the notification for 60 days, with an
option to renew the delay, if it would
impede a criminal investigation, reveal
sensitive sources and methods, cause
damage to national security, or hamper
security remediation actions.
Requires the agency head to
re-notify individuals within 30 days if
there is a significant change in
information or understanding related to
the breach.
Requires the head of an
agency to submit annual reports to
Congress regarding any delays of
notifications or determinations to not
provide notifications from the prior
two years.
Requires agencies affected
by a covered breach to notify Congress
within 30 days. The notice should
include information about the covered
breach, an estimate of the number of
affected individuals, including an
assessment of the risk of harm,
description of any circumstances
necessitating a delay in providing
notice to individuals affected by the
covered breach, and an estimate of when
the agency will provide notice to
impacted individuals.
Clarifies that this section
does not limit OMB from issuing
guidance related to notifications of
incidents or major incidents, nor does
it limit agency heads from notifying
individuals potentially impacted by
non-major breaches. It also does not
limit agency heads from issuing
notifications that provide more
information than required in this
section.
• Section 3593 (``Congressional and executive
branch reports on major incidents'') requires
agencies, within 72 hours of having reasonable
basis to conclude that a major incident
occurred, to provide written notification to
House and Senate leadership, the Senate
Committee on Homeland Security and Governmental
Affairs, the House Committee on Oversight and
Accountability, the House Committee on Homeland
Security, House Committee on Science, Space,
and Technology, and the appropriate
authorization and appropriations committees.
The section:
Specifies that the written
notification contain a summary of the
available information about the major
incident including how it occurred,
whether it was appropriate to provide
notification to potentially impacted
individuals, an assessment of any
impacts to government operations or
national security, among other things,
and whether any ransom has been
demanded or paid by an entity operating
or with access to a federal information
system.
It also requires a
supplemental written update within 30
days after the initial written
notification, and requires the agency
to provide an additional updated report
if the agency, OMB, or the NCD
determines there is any significant
change in the agency's understanding of
the incident following the supplemental
written update.
Directs agencies to include
a description of every major incident
in the biennial report required under
44 U.S.C. Sec. 3554(c)(1).
Allows any report under this
section to be provided electronically
and unclassified (allowing for
classified annexes).
Directs the NCD, in
coordination with the OMB Director, to
make recommendations to agencies on
formatting and content of Congressional
notifications to improve consistency
and to maintain a comprehensive record
of all major incident notifications to
be provided to Congress, upon request.
Clarifies that the section
does not limit agencies from providing
additional reports or briefings to
Congress or limit Congress from
requesting additional information.
• Section 3594 (``Government information
sharing and incident response'') requires
agency heads to provide information on any
incidents affecting their agency to CISA,
regardless of whether the information was
obtained by the federal government directly or
indirectly, and specifies the contents of that
communication. The section:
Requires CISA to make the
incident information received available
to OMB, NCD, and to the greatest extent
practicable, share the information with
any agency that may be impacted or
could be similarly targeted, as well as
appropriate federal law enforcement
agencies to facilitate any necessary
threat response activities.
Directs CISA to notify NCD
about efforts to coordinate any
information sharing efforts related to
a major incident with the private
sector.
Requires any agency
operating or controlling a national
security system to share information
about incidents with DOD, OMB, NCD, and
CISA, consistent with standards and
guidelines for national security
systems.
Requires agencies that
provide incident information to CISA to
do so in an automated and machine-
readable format, to the greatest extent
practicable.
Requires each agency that
has been the target of a major incident
involving federal information in
electronic medium or form, not
involving a national security system,
to coordinate with CISA and the
appropriate federal law enforcement
agencies regarding response, recovery,
and mitigation.
• Section 3595 (``Responsibilities of
contractors and awardees'') imposes
responsibilities on Federal contractors and
awardees who have a reasonable basis to
conclude that a cyber incident or breach
involving Federal information or Federal
systems has occurred, to provide written
notification to the contracting or grantor
agency. Federal contractors and awardees are
also required to report a security
vulnerability affecting federal information or
federal information systems, including a supply
chain compromise, or if they receive
information from the agency that the contractor
or awardee is not authorized to receive.
Subject to OMB guidance,
requires Federal contractors and
awardees to also provide written
notification of security
vulnerabilities reported to the
contractor or awardee by a third-party,
including through a vulnerability
disclosure program, to the contracting
or grantor agency and to CISA.
Requires Federal contractors
and awardees to report to CISA no later
than 1 day after identification of an
incident or a vulnerability that has
been exploited, and no later than 90
days after identification of a
vulnerability reported to the
contractor or awardee by a third party.
Directs FARC and OFFM to
promulgate regulations to help Federal
contractors and awardees comply with
the requirements in this section.
Requires agencies to put in
place policies and procedures as
appropriate to implement the FARC and
OFFM regulations. Not later than 30
days after agencies' implementation of
these policies and procedures, OMB is
required to report to Congress the
status of each agency's implementation
of these regulations.
Information provided to an
agency under this section may be used
by any agency, component, officer,
employee, or Federal Government agent
solely for a cybersecurity purpose and
identifying a cyber threat or security
vulnerability.
Harmonizes private sector
reporting requirements with other
cybersecurity reporting obligations.
Section 3596 (``Training'') directs
agencies to develop training for individuals at
the agency who have access to Federal
information systems as an employee, contractor,
awardee, volunteer, or intern, to identify and
respond to cyber incidents, and includes
requirements for the contents of those
trainings. Requires CISA, in consultation with
OMB, NCD, and NIST, to provide best practices
to agencies on developing these trainings. Also
allows this training to be included in an
annual agency privacy or security awareness
training.
Section 3597 (``Analysis and report on
Federal incidents'') requires CISA, in
coordination with OMB and NCD, to develop and
perform continuous quantitative and qualitative
analysis of incidents at agencies, including
the causes, scope, and scale of incidents;
common root causes of incidents across multiple
agencies; agency incident response, recovery,
and remediation actions, including their
effectiveness and lessons learned; and trends
across agencies to address intrusion detection
and response capabilities. The section:
Directs this analysis to be
automated to the greatest extent
practicable.
Requires CISA to share this
information with agencies, OMB, and
NCD, on an ongoing basis in human-
readable and, to the greatest extent
practicable, machine-readable formats,
to support and improve their
cybersecurity efforts.
Directs CISA, in
consultation with OMB, NCD, and
agencies, to produce an annual report
on federal incidents. The annual report
would include a summary of causes of
incidents across the federal
government; the quantitative and
qualitative analyses required by this
section, both agency-by-agency and
comprehensively across the federal
government; and an annex for each
agency that describes major incidents
and assessments of the agency's
detection and response times. The
report would be published on CISA's
website consistent with national
security interests, and information
contained in the report would be
anonymized to prevent identification of
specific incidents with specific
agencies unless OMB, the NCD, the
impacted agency and the agency's IG are
consulted.
Directs agencies that do not
provide all incident data to CISA
pursuant to section 3594(a), to develop and
provide to the appropriate notification
entities, in coordination with CISA and
OMB, their own annual report including
data not provided to CISA that meets
the requirements in this section.
For agencies operating
national security systems, directs DOD,
in consultation with OMB, NCD, DNI, and
CISA, to submit an annual report on
incidents to congressional leadership
and House and Senate committees on
homeland security, oversight, armed
services, intelligence, and
appropriations. The report may be
submitted in a classified form.
Section 3598 (``Major
incident definition'') requires OMB, in
coordination with NCD, to issue
guidance on the definition of ``major
incident'' 1 year after the enactment
of this bill or 1 year after
publication of OMB's previous guidance
to agencies regarding major incidents.
Requires the definition of
the term ``major incident'' to include,
with respect to federal information or
federal information systems, any
incident the head of the agency
determines is likely to result in
demonstrable harm to the national
security interests, foreign relations,
or the economy of the United States; to
the public confidence, civil liberties,
or public health and safety of the
people of the United States; or to the
integrity of personally identifiable
information, including the
exfiltration, modification, or deletion
of such information. Stipulates that
the head of an agency shall consult
with NCD when determining if an
incident constitutes a major incident
under these standards.
Further stipulates that NCD,
in consultation with OMB and CISA, may
declare a major incident at an agency
if it is determined that an incident
occurred at two or more agencies and is
enabled by a common technical root
cause and related to the activities of
a common threat actor.
Directs OMB to provide a
briefing to the Senate Committee on
Homeland Security and Governmental
Affairs and the House Committee on
Oversight and Accountability that
includes an evaluation of any necessary
updates to the guidance and to the term
``major incident'' during the first 90
days of each evenly numbered Congress.
Subsection (e)(2) makes a conforming amendment to
the table of sections for chapter 35 of title 44, U.S.C.
Section 4. Amendments to subtitle III of title 40
This section amends several sections within title 40 U.S.C.
Subsection (a) amends 40 U.S.C. Sec. 11301 note,
to add definitions of the terms ``agency'' and ``high value
asset'' to the provision establishing the Technology
Modernization Fund and Board. Requires that the TMF consider
using funds to improve the security of high value assets, and
requires TMF proposals, as appropriate, to include
cybersecurity risk management considerations and supply chain
risk assessment. Adds CISA as a permanent member of the TMF
board.
Subsection (b) amends 40 U.S.C. Sec. 11302,
related to capital planning and investment control, to require
OMB to consult with CISA and the NCD to promote and improve the
security of information technology used by the Federal
Government. Also amends 40 U.S.C. Sec. 11303, related to
performance-based and results-based management, to require
agencies to determine, before making an investment in a new
information system, whether the function should be performed by
a shared service provided by another executive agency.
Subsection (c) amends 40 U.S.C. Secs. 11312, 11313,
11317, and 11319 by adding security considerations into the
acquisition and resource management planning activities of
agencies.
Section 5. Actions to enhance Federal incident transparency
Subsection (a) requires CISA to develop a plan for
the analysis required under 44 U.S.C. 3597(a) that will include
a description of any anticipated challenges, and the use of
automation and machine-readable formats for monitoring and
analyzing data. It also requires CISA to brief appropriate
congressional committees on the plan's execution.
Subsection (b) amends the note to section 3554 of
title 44 U.S.C. to remove the requirement that OMB develop
guidance on what constitutes a major incident, which has been
replaced by section 3598 as added by this Act.
Requires OMB to coordinate with CISA in
developing guidance on the content, timeliness, and
format of agency incident reports required under
section 3594(a) of title 44 U.S.C. as added by this
Act. The guidance will enable efficient development of
lessons learned and recommendations in responding to,
recovering from, remediating, and mitigating future
incidents. Allows OMB, in coordination with CISA, to
promote, as feasible, the use of automation and
machine-readable data for data sharing under 44 U.S.C.
3594(a) as added by this Act.
Directs OMB to issue guidance to
agencies on how to deconflict existing regulations,
policies, and procedures relating to the incident
reporting responsibilities of contractors and awardees
under 44 U.S.C. Sec. 3595 (``Responsibilities of
contractors and awardees.'') as added by this Act. To
the greatest extent practicable, contractors and
awardees would be permitted to use existing processes
for notifying agencies of incidents involving federal
information.
Subsection (c) amends section 552a(b) of title 5
U.S.C., the Privacy Act of 1974, to clarify instances in which
disclosure of information about an individual to another
federal agency is permitted to facilitate a response to a
cybersecurity incident.
Section 6. Agency requirements to notify private sector entities
impacted by incidents
Directs OMB, in consultation with NCD, to issue
guidance, not later than 1 year after the enactment of this
act, pertaining to agencies that receive sensitive information
from private organizations or governmental units. The agencies
would be required to notify the entities of any cybersecurity
incident likely to substantially impact the sensitive
information shared by the entity with the agency, or the agency
information systems used to transmit or store such information.
Section 7. Federal penetration testing policy
Subsection (a) amends subchapter II of chapter 35
of title 44 U.S.C. by adding section 3559A on federal
penetration testing, which contains the following subsections:
Subsection (a) requires OMB, in
consultation with CISA, to issue guidance requiring
agencies to perform penetration testing on agency
systems, as appropriate, including high value assets,
and to develop rules of engagement for using
penetration testing, and procedures for the use of
penetration testing to improve cybersecurity and risk
management of the agency. Ensures that penetration
testing is performed appropriately, including through
operational support or as a shared service.
Does not restrict the authority of the
DHS Secretary or CISA Director to conduct threat
hunting pursuant to section 3553 or penetration testing
under this chapter.
OMB guidance does not apply to national
security systems, but delegates OMB authorities to DOD
for DOD systems and such systems as described in
section 3553(e)(2). Also, delegates OMB authorities to
DNI for systems that are operated by an element of the
intelligence community and such systems as described in
section 3553(e)(3).
Subsection (b) specifies that compliance
with OMB-issued guidance on penetration testing prior
to this Act's enactment shall be considered to be
compliant with 44 U.S.C. 3559A, as added by this Act.
Nothing in 44 U.S.C. 3559A, as added by this Act, shall
be construed as a requirement on OMB to issue immediate
new guidance relating to penetration testing--OMB has
up to two years to review and, as appropriate, update
existing guidance requiring penetration testing by
agencies.
Subsection (c) makes clerical amendments
to the table of sections for Chapter 35 of title 44.
Subsection (d) authorizes the DHS
Secretary, in consultation with OMB and NCD, to perform
penetration testing that may leverage manual expert
analysis to identify threats and vulnerabilities within
information systems without agency consent or
authorization, but with at least 72-hour prior
consultation with the head of the agency in advance of
such penetration testing.
Section 8. Vulnerability disclosure policies
This section amends subchapter II of chapter 35 of
title 44 U.S.C. to add section 3559B on federal vulnerability
disclosure programs. The new section contains the following
subsections:
Subsection (a) of the new section 3559B
identifies the purpose and sense of Congress.
Subsection (b) of the new section 3559B
defines the following terms: contractor; Internet of
things; security vulnerability; submitter; and
vulnerability disclosure report.
Subsection (c) of the new section 3559B
directs OMB to issue guidance to agencies to not
recommend or pursue legal action against an individual
that submits a vulnerability report pursuant to the
vulnerability disclosure process of an agency, or
against an individual that conducts a security research
activity that is authorized by, or represents a good
faith effort to follow, the agency's vulnerability
disclosure policy.
The OMB guidance is also required to
include direction on sharing relevant
information to CISA in a consistent, automated,
and machine-readable manner.
The OMB guidance is also required to
include: the minimum scope of agency systems
required to be covered by the vulnerability
disclosure policy of an agency, requirements
for providing information to the submitter of a
vulnerability disclosure report on the
resolution of the vulnerability disclosure
report, a stipulation that the mere
identification by a submitter of a security
vulnerability, without a significant compromise
of confidentiality, integrity, or availability,
does not constitute a major incident, and, the
applicability of the guidance to Internet of
Things devices owned or controlled by an
agency.
Subsection (d) of the new section 3559B
requires OMB to consult with CISA when developing the
guidance required in subsection (c) of the new section
3559B.
Subsection (e) of the new section 3559B
clarifies responsibilities of CISA, which include:
providing support to agencies with implementing
requirements of this section, developing tools,
processes, and other mechanisms to offer agencies
capabilities to implement requirements of this section,
upon request by an agency, assist the agency in the
disclosure to vendors of newly identified security
vulnerabilities in vendor products and services, and as
appropriate, implement the requirements of this
section, in accordance with the authority under section
3553(b)(8), as a shared service available to agencies.
Subsection (f) of the new section 3559B
clarifies responsibilities for agency heads to make
publicly available, with respect to each internet
domain under the control of the agency that is not a
national security system, an appropriate security
contact, and the component of the agency that is
responsible for the Internet accessible services
offered at the domain.
Agencies are also required to develop and
make publicly available a vulnerability
disclosure policy that describes the scope of
the systems to be included, type of information
testing that is authorized--and not
authorized--by the agency, disclosure policy
for contractors, the agency's disclosure policy
for sensitive information, and relevant
information related to submitting a
vulnerability disclosure report to an agency.
Directs agency heads to consider and address
identified security vulnerabilities.
Subsection (g) of the new section 3559B
clarifies that OMB and agency heads may not publish
information that would disrupt a law-enforcement,
national security, intelligence, or national defense
activity. This section does not apply to National
Security Systems.
Subsection (h) of the new section 3559B
clarifies that the OMB and CISA authorities in this
section shall be delegated to DOD for national security
systems and such systems as described in section
3553(e)(2). Also, delegates OMB and CISA authorities to
DNI for systems that are operated by an element of the
intelligence community and such systems as described in
section 3553(e)(3).
Subsection (b) specifies that compliance with OMB-
issued guidance on vulnerability disclosure policies prior to
this Act's enactment shall be considered to be compliant with
44 U.S.C. 3559B, as added by this title. Nothing in 44 U.S.C.
3559B, as added by this title, shall be construed as a
requirement on OMB to issue immediate new guidance relating to
vulnerability disclosure policies--OMB has up to four years to
review and, as appropriate, update existing guidance requiring
vulnerability disclosure policies by agencies.
Subsection (c) strikes subsections (d) and (e) of
15 U.S.C. 278g-3c. Also strikes 15 U.S.C. 278g-3d and 15 U.S.C.
278g-3e.
Section 9. Implementing zero trust architecture
This section requires OMB to provide a briefing
within 1 year to relevant congressional committees, and a
progress report submitted alongside the report required by
Section 3553(c) of Title 44 during the 4-10 years following the
enactment of this Act, regarding agency progress in increasing
the internal defenses of agency systems and on agency
implementation of zero trust architectures. Additionally, the
Secretary of Defense is directed to provide a briefing and
progress reports under the same timeline to relevant
congressional committees.
Section 10. Automation and artificial intelligence
This section requires OMB to issue guidance on the
use of AI by agencies to improve the cybersecurity of
information systems. OMB and the head of each agency shall
consider the use and capabilities of AI systems in furtherance
of the cybersecurity of information systems.
Requires OMB to report to relevant Congressional
committees about the use of AI to further the cybersecurity of
information systems within 1 year of enactment, and annually
for 5 years thereafter.
Requires GAO, within 2 years of enactment to
submit to the appropriate congressional committees a report on
the risks to the privacy of individuals and the cybersecurity
of information systems associated with the use by Federal
agencies of AI systems or capabilities.
Also requires GAO, within 2 years of enactment,
to conduct a study of the use of automation, AI, and machine-
readable data, across the federal government for cybersecurity
purposes, including the automated updating of tools, sensors,
or processes employed by agencies under section 3554(b) of
title 44 U.S.C.
Section 11. Federal cybersecurity requirements
This section moves existing government-wide
cybersecurity requirements from existing law in the Federal
Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1523) into the
FISMA legal framework under Title 44 in order to harmonize such
requirements with other Federal agency cybersecurity
requirements. It also recodifies certain provisions of the
Internet of Things (IoT) Cybersecurity Improvement Act of 2020
(P.L. 116-207; 15 U.S.C. 278g-3a note) pertaining to an existing
agency prohibition on purchasing certain IoT devices.
Subparagraphs (f)(1)(A), (f)(1)(B), and (f)(1)(C)
specify cybersecurity requirements for agencies with regard to
identifying sensitive and mission critical data stored by the
agency, assessing access controls to such data, and protecting
such data by encrypting it or otherwise rendering it
indecipherable to unauthorized users.
Updates the transferred statute relative to
identity management systems by further clarifying that federal
agencies may choose between a government option or a
commercially available service to implement a single sign-on
trusted identity platform.
Subparagraph (f)(1)(D) requires the head of each
agency to implement identity and access management systems to
ensure the security of Federal information systems, including
for the purposes of protecting agency records and data from
fraud resulting from the misrepresentation of identity or
identity theft.
Clause (f)(1)(D)(i) requires agencies to
maintain a single sign-on trusted identity platform for
individuals accessing agency websites that require user
authentication and verification services consistent
with laws and guidance issued by the OMB Director, who
shall consider any applicable standards or guidelines
developed by NIST, which may be one developed by GSA in
consultation with OMB.
Clause (f)(1)(D)(ii) requires agencies
to implement multi-factor authentication consistent
with OMB-issued guidance that considers applicable NIST
standards or guidelines for remote access to an
information system and for each user account with
elevated privileges.
Paragraph (f)(2) prohibits an agency from using,
procuring, obtaining, or renewing a contract to procure or
obtain an Internet of things device that the agency determines
the use of which does not comply with standards and guidelines
developed under section 4 of 15 U.S.C. 278g-3b.
Paragraph (f)(3) provides exceptions for
information systems for which agency heads certify the
operational requirements are burdensome, the cybersecurity
requirements are not necessary, and the agency has taken all
necessary steps to secure the information system and
information. Requires the number of information systems that
receive an exemption to be identified in the report described
in 44 USC 3554(c)(1).
Paragraph (f)(3) also provides waivers
for identity management platforms that allow an agency
to implement a single sign-on trusted identity system
or platform other than one developed by GSA if the
agency head certifies to OMB that the alternative
system or platform conforms with applicable security
and privacy requirements, including with guidance
issued by the Director in this subchapter, at least 30
days prior to use of the system or platform. For a
system or platform already in use, the head of the
agency shall provide such certification within 60 days
to OMB after the date of enactment of this bill. The
agency head must receive a written waiver from OMB and
submit the certification described above to appropriate
congressional committees.
Paragraph (f)(4) clarifies that a certification
and corresponding exemption will expire every 4 years unless
the agency head submits an additional waiver request.
Paragraph (f)(5) specifies a presumption of
adequacy with regard to FedRAMP authorization with respect to
an agency authorization to operate cloud computing products as
long as the authorization meets compliance and security
controls needs.
Paragraph (f)(6) adds a clarifying rule of
construction that preserves authorities of DHS, OMB, and NIST.
Subsection (g) identifies exceptions and
prohibitions for national security systems and for
Internet of Things devices that are necessary for
national security or research purposes or that are
effectively secured through alternate methods.
Subsection (c) requires OMB, in consultation with
NIST, to issue and routinely update guidance for Federal
agencies to implement identity management systems and a single
sign-on trusted identity platform as required under 44 U.S.C.
3554(f)(1)(D)(i), as amended by this Act.
Subsection (d) requires a GAO evaluation of the
technical capabilities of identity management systems and
platforms via a report to the appropriate congressional
committees every 3 years for 6 years.
Section 12. Federal Chief Information Security Officer
This section establishes the position of a
Presidentially appointed Federal Chief Information Security
Officer within OMB, reporting to the Federal CIO. The CISO
would serve in both the office of the Federal CIO in OMB and in
the Office of the National Cyber Director (ONCD).
The duties for this position are to carry out the
information security functions within FISMA, the E-Government
Act of 2002, and other statutes, as well as Federal
cybersecurity initiatives determined by the CIO and specific
electronic government initiatives currently authorized to the
Director of OMB. The Federal CISO shall also support
initiatives determined by the Federal CIO as necessary to
coordinate with the ONCD.
Additionally, this section permits the individual
serving as the Federal CISO at enactment to continue to serve
in this role without additional appointment.
Section 13. Renaming Office of the Federal Chief Information Officer
This section renames relevant parts of the U.S.
Code in accordance with the changes made by this Act.
Additionally, the individual serving as the Administrator of
the Office of Electronic Government at enactment may continue
to serve as the Federal Chief Information Officer without
additional appointment.
Section 14. Rules of construction
This section clarifies that nothing in this Act
may be used to authorize an agency to take an action not
authorized by law, nor may it be used to violate the
constitutionally protected rights of any individual or impinge
on the privacy rights of individuals.
Legislative History
H.R. 4552, the Federal Information Security Modernization
Act of 2024, was introduced on July 11, 2023, by Representative
Nancy Mace. The following Representatives are cosponsors of the
bill: Jamie Raskin (D-MD), James Comer (R-KY), Gerald E.
Connolly (D-VA), and Donald G. Davis (D-NC). The bill was
referred to the Committee on Oversight and Accountability, the
Committee on Science, Space, and Technology, the Committee on
Homeland Security, and the Committee on Armed Services. The
Committee on Oversight and Accountability held hearings related
to and used for development and consideration of the bill on
March 23, 2023, and May 10, 2023. The Committee considered H.R.
4552 at a business meeting on March 7, 2024, and ordered the
bill as amended favorably reported by a recorded vote.
Committee Consideration
On March 7, 2024, the Committee met in open session and
ordered the bill, H.R. 4552, favorably reported with an
amendment in the nature of a substitute, by a roll call vote of
32-7, a quorum being present.
Roll Call Votes
In compliance with clause 3(b) of rule XIII of the Rules of
the House of Representatives, the following roll call vote
occurred during the Committee's consideration of H.R. 4552:
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Explanation of Amendments
During Committee consideration of the bill, Representative
James Comer (R-KY), Chairman of the Committee, offered an
amendment in the nature of a substitute that removed seven bill
sections from the introduced text and made substantive edits
including to the contractor vulnerability and disclosure
policies and federal cybersecurity requirements. The amendment
in the nature of a substitute passed by voice vote.
List of Related Committee Hearings
In accordance with clause 3(c)(6) of rule XIII of the Rules
of the House of Representatives, the following hearings were
used to develop or consider H.R. 4552:
On March 23, 2023, the Subcommittee on Cybersecurity,
Information Technology, and Government Innovation held a
hearing titled, ``Unpacking the White House National
Cybersecurity Strategy'' with Ms. Kemba Walden, Acting National
Cyber Director, White House Office of the National Cyber Director.
On May 10, 2023, the Subcommittee on Cybersecurity,
Information Technology, and Government Innovation held a
hearing titled, ``Risky Business: Costly Inaction on Federal
Legacy IT'' with Mr. Kevin Walsh, Director, Information
Technology and Cybersecurity, U.S. Government Accountability
Office; Ms. Suzette Kent, Chief Executive Officer, Kent
Advisory Services; and Mr. David Powner, Executive Director,
Center for Data-Driven Policy, The MITRE Corporation.
Statement of Oversight Findings and Recommendations of
the Committee
In compliance with clause 3(c)(1) of rule XIII and clause
2(b)(1) of rule X of the Rules of the House of
Representatives, the Committee's oversight findings and
recommendations are reflected in the Background and Need for
Legislation section above.
Statement of General Performance Goals and Objectives
In accordance with clause 3(c)(4) of rule XIII of the Rules
of the House of Representatives, the Committee's performance
goals or objectives of this bill are to update the Federal
Information Security Management Act of 2002 (FISMA), last
updated in 2014, by clarifying federal cybersecurity roles and
responsibilities.
Application of Law to the Legislative Branch
Section 102(b)(3) of Public Law 104-1 requires a
description of the application of this bill to the legislative
branch where the bill relates to the terms and conditions of
employment or access to public services and accommodations.
This bill does not relate to employment or access to public
services and accommodations in the legislative branch.
Duplication of Federal Programs
In accordance with clause 3(c)(5) of rule XIII of the Rules
of the House of Representatives, no provision of this bill
establishes or reauthorizes a program of the Federal Government
known to be duplicative of another Federal program, a program
that was included in any report from the Government
Accountability Office to Congress pursuant to section 21 of
Public Law 111-139, or a program related to a program
identified in the most recent Catalog of Federal Domestic
Assistance.
Federal Advisory Committee Act Statement
The Committee finds that this legislation does not direct
the establishment of advisory committees within the definition
of Section 5(b) of the appendix to title 5, U.S.C.
Unfunded Mandates Reform Act Statement
Pursuant to section 423 of the Congressional Budget Act of
1974 the Committee has included a letter received from the
Congressional Budget Office below.
Earmark Identification
This bill does not include any congressional earmarks,
limited tax benefits, or limited tariff benefits as defined in
clause 9 of rule XXI of the Rules of the House of
Representatives.
Committee Cost Estimate
Pursuant to clause 3(d) of rule XIII of the Rules of the
House of Representatives, the Committee includes below a cost
estimate of the bill prepared by the Director of the
Congressional Budget Office under section 402 of the
Congressional Budget Act of 1974.
New Budget Authority and Congressional Budget Office
Cost Estimate
Pursuant to clause 3(c)(2) of rule XIII of the Rules of the
House of Representatives and section 308(a) of the
Congressional Budget Act of 1974, and pursuant to clause
3(c)(3) of rule XIII of the Rules of the House of
Representatives, the cost estimate prepared by the Director of
the Congressional Budget Office and submitted pursuant to
section 402 of the Congressional Budget Act of 1974 is as
follows:
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
The bill would:
Update policies, procedures, and programs
for information security at federal agencies
Require all federal agencies to report
significant cyber incidents on their networks
Require agencies to train federal
information technology workers on responding to cyber
incidents
Estimated budgetary effects would mainly stem from:
Contracting with information security
service companies
Hiring information security analysts
Providing cyber incident response training
to federal employees
Reporting and responding to cyber incidents
at federal agencies
Areas of significant uncertainty include:
Anticipating the adoption schedules of new
cybersecurity procedures and programs
Predicting the staffing and contracting
requirements of federal information security offices
Bill summary: The Federal Information Security
Modernization Act (FISMA) provides a framework to protect
government information operations against cybersecurity
threats. H.R. 4552 would update FISMA to require federal
agencies to report all cybersecurity incidents and conduct
standardized cybersecurity procedures on a regular basis.
Estimated Federal cost: The estimated budgetary effects of
H.R. 4552 are shown in Table 1. The costs of the legislation
fall within budget functions 050 (national defense) and 800
(general government).
TABLE 1.--ESTIMATED BUDGETARY EFFECTS OF H.R. 4552
----------------------------------------------------------------------------------------------------------------
By fiscal year, millions of dollars--
----------------------------------------------------------------
2024 2025 2026 2027 2028 2029 2024-2029
----------------------------------------------------------------------------------------------------------------
INCREASES IN SPENDING SUBJECT TO APPROPRIATION
Federal Risk Assessment:
Estimated Authorization...................... * 3 3 3 3 3 15
Estimated Outlays............................ * 3 3 3 3 3 15
Cyber Incident Training:
Estimated Authorization...................... * 2 3 3 3 3 14
Estimated Outlays............................ * 2 3 3 3 3 14
Reporting Requirements:
Estimated Authorization...................... * * 4 2 6 2 14
Estimated Outlays............................ * * 4 2 6 2 14
Total Changes:
Estimated Authorization.................... * 5 10 8 12 8 43
Estimated Outlays.......................... * 5 10 8 12 8 43
----------------------------------------------------------------------------------------------------------------
In addition to the budgetary effects shown above, CBO estimates that enacting H.R. 4552 would have insignificant
effects on direct spending and the deficit over the 2024-2034 period.
*=between zero and $500,000.
Basis of estimate: For this estimate, CBO assumes that H.R.
4552 will be enacted in fiscal year 2024. Outlays are based on
historical spending patterns for existing or similar programs.
Spending subject to appropriation: CBO estimates that
implementing the bill would cost $43 million over the 2024-2029
period. Such spending would be subject to the availability of
appropriated funds.
Federal Risk Assessment: H.R. 4552 would codify and expand
the responsibility of the Cybersecurity and Infrastructure
Security Agency (CISA) to assess and report on cyber
preparedness at federal agencies. Using information from CISA
about risk assessments and reporting efforts similar to those
that the bill would require, CBO anticipates that the agency
would need five full-time employees to track and report on
cyber risks to federal agencies. Compensation and salaries for
those employees would total $5 million over the 2024-2029
period. CBO also expects that federal agencies would modify
existing cybersecurity services contracts to track and transmit
additional data from their information technology systems to
CISA at a cost of $10 million over that same period. In total,
implementing the risk assessments would cost $15 million over
the 2024-2029 period, CBO estimates.
Cyber Incident Training: H.R. 4552 would require federal
agencies to develop training for information technology workers
on how to identify and respond to cyber incidents. Using
information from agencies about government-wide training
efforts, CBO expects that CISA would need five full-time
employees to study best practices and establish standard
qualifications for the training. CBO also anticipates that
agencies will modify existing contracts for training to
incorporate the new content created by CISA. Accounting for the
time needed to develop the training, CBO estimates that
implementing this program would cost $14 million over the 2024-
2029 period for staff and information technology costs.
Reporting Requirements: H.R. 4552 would require federal
agencies to track and report on the effectiveness of their
information security programs. Under the bill, the Office of
Management and Budget (OMB) would compile those reports and
publish information about agency performance on a federal
dashboard. The Administration has issued executive orders and
memoranda concerning many of the reporting requirements
included in H.R. 4552. CBO expects those actions would satisfy
most of the requirements of the bill. H.R. 4552 also would
increase the frequency of some of the existing reporting
requirements and decrease the frequency of others. On the basis
of the costs of similar plans and reports, CBO estimates that
satisfying the reporting requirements of the bill would cost
$14 million over the 2024-2029 period.
Direct spending: Enacting the bill could affect direct
spending by some federal agencies that are allowed to use fees,
receipts from the sale of goods, and other collections to cover
operating costs. CBO estimates that any net changes in direct
spending by those agencies would be negligible because most of
them can adjust amounts collected to reflect changes in
operating costs.
Uncertainty: Areas of uncertainty in this estimate include
predicting the implementation timeline at federal agencies. The
budgetary effects of the bill could be significantly higher or
lower than CBO's estimate if the time needed to adopt new
cybersecurity procedures and technology differs from CBO's
estimate.
The budgetary effects of the bill also would depend on the
number of additional employees that would be needed at CISA,
OMB, and other federal agencies to satisfy the requirements of
the bill. Costs would be moderately larger or smaller than this
estimate if the number of analysts hired differs from CBO's
estimate.
Pay-As-You-Go considerations: The Statutory Pay-As-You-Go
Act of 2010 establishes budget-reporting and enforcement
procedures for legislation affecting direct spending or
revenues. CBO estimates that enacting the bill would increase
direct spending by less than $500,000 over the 2024-2034
period.
Increase in long-term net direct spending and deficits: CBO
estimates that enacting H.R. 4552 would not significantly
increase net direct spending in any of the four consecutive 10-
year periods beginning in 2035.
CBO estimates that enacting H.R. 4552 would not
significantly increase on-budget deficits in any of the four
consecutive 10-year periods beginning in 2035.
Mandates: The bill contains no intergovernmental or
private-sector mandates as defined in the Unfunded Mandates
Reform Act.
Previous CBO estimate: On August 16, 2023, CBO transmitted
a cost estimate for S. 2251, the Cybersecurity Act of 2023, as
ordered reported by the Senate Committee on Homeland Security
and Governmental Affairs on July 26, 2023. The estimated cost
to CISA and federal agencies to implement H.R. 4552 is
substantially less than for S. 2551 because that bill included
requirements for data logging and retention, continuous risk
assessments, and additional personnel that would not be
required under H.R. 4552.
Estimate prepared by: Federal Costs: Aldo Prosperi;
Mandates: Brandon Lever.
Estimate reviewed by: David Newman, Chief, Defense,
International Affairs, and Veterans' Affairs Cost Estimates
Unit; Kathleen FitzGerald, Chief, Public and Private Mandates
Unit; Christina Hawley Anthony, Deputy Director of Budget
Analysis.
Estimate approved by: Phillip L. Swagel, Director,
Congressional Budget Office.
Changes in Existing Law Made by the Bill, as Reported
In compliance with clause 3(e) of rule XIII of the Rules of
the House of Representatives, changes in existing law made by
the bill, as reported, are shown as follows (existing law
proposed to be omitted is enclosed in black brackets, new
matter is printed in italics, and existing law in which no
change is proposed is shown in roman):
TITLE 44, UNITED STATES CODE
* * * * * * *
PART A--GENERAL
* * * * * * *
CHAPTER 35--COORDINATION OF FEDERAL
INFORMATION POLICY
* * * * * * *
SUBCHAPTER II--INFORMATION SECURITY
3551. Purposes.
* * * * * * *
[3555. Annual independent evaluation.]
3555. Independent evaluation.
* * * * * * *
3559A. Federal penetration testing.
3559B. Federal vulnerability disclosure policies.
* * * * * * *
SUBCHAPTER IV--FEDERAL SYSTEM INCIDENT RESPONSE
3591. Definitions.
3592. Notification of breach.
3593. Congressional and executive branch reports on major incidents.
3594. Government information sharing and incident response.
3595. Responsibilities of contractors and awardees.
3596. Training.
3597. Analysis and report on Federal incidents.
3598. Major incident definition.
* * * * * * *
SUBCHAPTER I--FEDERAL INFORMATION POLICY
* * * * * * *
Sec. 3504. Authority and functions of Director
(a)(1) The Director shall oversee the use of information
resources to improve the efficiency and effectiveness of
governmental operations to serve agency missions, including
burden reduction and service delivery to the public. In
performing such oversight, the Director shall--
(A) develop, coordinate and oversee the
implementation of Federal information resources
management policies, principles, standards, and
guidelines; and
(B) provide direction and oversee--
(i) the review and approval of the collection
of information and the reduction of the
information collection burden;
(ii) agency dissemination of and public
access to information;
(iii) statistical activities;
(iv) records management activities;
[(v) privacy, confidentiality, security,
disclosure, and sharing of information; and]
(v) privacy, confidentiality, disclosure, and
sharing of information;
(vi) in consultation with the National Cyber
Director, security of information; and
[(vi)] (vii) the acquisition and use of
information technology, including alternative
information technologies that provide for
electronic submission, maintenance, or
disclosure of information as a substitute for
paper and for the use and acceptance of
electronic signatures.
(2) The authority of the Director under this subchapter shall
be exercised consistent with applicable law.
(b) With respect to general information resources management
policy, the Director shall--
(1) develop and oversee the implementation of uniform
information resources management policies, principles,
standards, and guidelines;
(2) foster greater sharing, dissemination, and access
to public information, including through--
(A) the use of comprehensive data inventories
and the Federal data catalogue under section
3511; and
(B) the development and utilization of common
standards for information collection, storage,
processing and communication, including
standards for security, interconnectivity and
interoperability;
(3) initiate and review proposals for changes in
legislation, regulations, and agency procedures to
improve information resources management practices;
(4) oversee the development and implementation of
best practices in information resources management,
including training;
(5) oversee agency integration of program and
management functions with information resources
management functions; and
(6) issue guidance for agencies to implement section
3506(b)(6) in a manner that takes into account--
(A) risks and restrictions related to the
disclosure of personally identifiable
information, including the risk that an
individual data asset in isolation does not
pose a privacy or confidentiality risk but when
combined with other available information may
pose such a risk;
(B) security considerations, including the
risk that information in an individual data
asset in isolation does not pose a security
risk but when combined with other available
information may pose such a risk;
(C) the cost and benefits to the public of
converting a data asset into a machine-readable
format that is accessible and useful to the
public;
(D) whether the application of the
requirements described in such section to a
data asset could result in legal liability;
(E) a determination of whether a data asset--
(i) is subject to intellectual
property rights, including rights under
titles 17 and 35;
(ii) contains confidential business
information, that could be withheld
under section 552(b)(4) of title 5; or
(iii) is otherwise restricted by
contract or other binding, written
agreement;
(F) the requirement that a data asset be
disclosed, if it would otherwise be made
available under section 552 of title 5
(commonly known as the ``Freedom of Information
Act''); and
(G) any other considerations that the
Director determines to be relevant.
(c) With respect to the collection of information and the
control of paperwork, the Director shall--
(1) review and approve proposed agency collections of
information;
(2) coordinate the review of the collection of
information associated with Federal procurement and
acquisition by the Office of Information and Regulatory
Affairs with the Office of Federal Procurement Policy,
with particular emphasis on applying information
technology to improve the efficiency and effectiveness
of Federal procurement, acquisition and payment, and to
reduce information collection burdens on the public;
(3) minimize the Federal information collection
burden, with particular emphasis on those individuals
and entities most adversely affected;
(4) maximize the practical utility of and public
benefit from information collected by or for the
Federal Government;
(5) establish and oversee standards and guidelines by
which agencies are to estimate the burden to comply
with a proposed collection of information;
(6) publish in the Federal Register and make
available on the Internet (in consultation with the
Small Business Administration) on an annual basis a
list of the compliance assistance resources available
to small businesses, with the first such publication
occurring not later than 1 year after the date of
enactment of the Small Business Paperwork Relief Act of
2002.
(d) With respect to information dissemination, the Director
shall develop and oversee the implementation of policies,
principles, standards, and guidelines to--
(1) apply to Federal agency dissemination of public
information, regardless of the form or format in which
such information is disseminated; and
(2) promote public access to public information and
fulfill the purposes of this subchapter, including
through the effective use of information technology.
(e) With respect to statistical policy and coordination, the
Director shall--
(1) coordinate the activities of the Federal
statistical system to ensure--
(A) the efficiency and effectiveness of the
system; and
(B) the integrity, objectivity, impartiality,
utility, and confidentiality of information
collected for statistical purposes;
(2) ensure that budget proposals of agencies are
consistent with system-wide priorities for maintaining
and improving the quality of Federal statistics and
prepare an annual report on statistical program
funding;
(3) develop and oversee the implementation of
Governmentwide policies, principles, standards, and
guidelines concerning--
(A) statistical collection procedures and
methods;
(B) statistical data classification;
(C) statistical information presentation and
dissemination;
(D) timely release of statistical data; and
(E) such statistical data sources as may be
required for the administration of Federal
programs;
(4) evaluate statistical program performance and
agency compliance with Governmentwide policies,
principles, standards and guidelines;
(5) promote the sharing of information collected for
statistical purposes consistent with privacy rights and
confidentiality pledges;
(6) coordinate the participation of the United States
in international statistical activities, including the
development of comparable statistics;
(7) appoint a chief statistician who is a trained and
experienced professional statistician to carry out the
functions described under this subsection;
(8) establish an Interagency Council on Statistical
Policy to advise and assist the Director in carrying
out the functions under this subsection that shall--
(A) be headed by the chief statistician; and
(B) consist of--
(i) the heads of the major
statistical programs; and
(ii) representatives of other
statistical agencies under rotating
membership;
(9) provide opportunities for training in statistical
policy functions to employees of the Federal Government
under which--
(A) each trainee shall be selected at the
discretion of the Director based on agency
requests and shall serve under the chief
statistician for at least 6 months and not more
than 1 year; and
(B) all costs of the training shall be paid
by the agency requesting training; and
(10) ensure that any change to the standards of core-
based statistical area (as defined in section 4 of the
MAPS Act of 2021) delineations pursuant to this
subsection shall--
(A) be accompanied by a public report that
explains--
(i) the scientific basis, criteria,
and methodology for such change to
existing standards, including clear
quantitative thresholds for determining
any future statistical re-delineations;
and
(ii) the opinions of domestic and
international experts in statistics and
demographics, including government
experts at the Bureau of the Census and
other relevant agencies, who were
consulted regarding such change to
existing standards;
(B) not be influenced by any non-statistical
considerations such as impact on program
administration or service delivery; and
(C) not propagate automatically for any non-
statistical use by any domestic assistance
program (as defined in section 4 of the MAPS
Act of 2021).
(f) With respect to records management, the Director shall--
(1) provide advice and assistance to the Archivist of
the United States and the Administrator of General
Services to promote coordination in the administration
of chapters 29, 31, and 33 of this title with the
information resources management policies, principles,
standards, and guidelines established under this
subchapter;
(2) review compliance by agencies with--
(A) the requirements of chapters 29, 31, and
33 of this title; and
(B) regulations promulgated by the Archivist
of the United States and the Administrator of
General Services; and
(3) oversee the application of records management
policies, principles, standards, and guidelines,
including requirements for archiving information
maintained in electronic format, in the planning and
design of information systems.
(g) With respect to privacy and security, the Director
shall--
[(1) develop and oversee the implementation of
policies, principles, standards, and guidelines on
privacy, confidentiality, security, disclosure and
sharing of information collected or maintained by or
for agencies; and]
(1) develop and oversee the implementation of
policies, principles, standards, and guidelines on
privacy, confidentiality, disclosure, and sharing of
information collected or maintained by or for agencies;
(2) in consultation with the National Cyber Director,
oversee the implementation of policies, principles,
standards, and guidelines on security, of information
collected or maintained by or for agencies; and
[(2)] (3) oversee and coordinate compliance with
sections 552 and 552a of title 5, sections 20 and 21 of
the National Institute of Standards and Technology Act
(15 U.S.C. 278g-3 and 278g-4), section 11331 of title
40 and subchapter II of this chapter, and related
information management laws.
(h) With respect to Federal information technology, the
Director shall--
(1) in consultation with the Director of the National
Institute of Standards and Technology and the
Administrator of General Services--
(A) develop and oversee the implementation of
policies, principles, standards, and guidelines
for information technology functions and
activities of the Federal Government, including
periodic evaluations of major information
systems; and
(B) oversee the development and
implementation of standards under section 11331
of title 40;
(2) monitor the effectiveness of, and compliance
with, directives issued under subtitle III of title 40
and directives issued under section 322 of
title 40;
(3) coordinate the development and review by the
Office of Information and Regulatory Affairs of policy
associated with Federal procurement and acquisition of
information technology with the Office of Federal
Procurement Policy;
(4) ensure, through the review of agency budget
proposals, information resources management plans and
other means--
(A) agency integration of information
resources management plans, program plans and
budgets for acquisition and use of information
technology; and
(B) the efficiency and effectiveness of
inter-agency information technology initiatives
to improve agency performance and the
accomplishment of agency missions; and
(5) promote the use of information technology by the
Federal Government to improve the productivity,
efficiency, and effectiveness of Federal programs,
including through dissemination of public information
and the reduction of information collection burdens on
the public.
Sec. 3505. Assignment of tasks and deadlines
(a) In carrying out the functions under this subchapter, the
Director shall--
(1) in consultation with agency heads, set an annual
Governmentwide goal for the reduction of information
collection burdens by at least 10 percent during each
of fiscal years 1996 and 1997 and 5 percent during each
of fiscal years 1998, 1999, 2000, and 2001, and set
annual agency goals to--
(A) reduce information collection burdens
imposed on the public that--
(i) represent the maximum practicable
opportunity in each agency; and
(ii) are consistent with improving
agency management of the process for
the review of collections of
information established under section
3506(c); and
(B) improve information resources management
in ways that increase the productivity,
efficiency and effectiveness of Federal
programs, including service delivery to the
public;
(2) with selected agencies and non-Federal entities
on a voluntary basis, conduct pilot projects to test
alternative policies, practices, regulations, and
procedures to fulfill the purposes of this subchapter,
particularly with regard to minimizing the Federal
information collection burden; and
(3) in consultation with the Administrator of General
Services, the Director of the National Institute of
Standards and Technology, the Archivist of the United
States, and the Director of the Office of Personnel
Management, develop and maintain a Governmentwide
strategic plan for information resources management,
that shall include--
(A) a description of the objectives and the
means by which the Federal Government shall
apply information resources to improve agency
and program performance;
(B) plans for--
(i) reducing information burdens on
the public, including reducing such
burdens through the elimination of
duplication and meeting shared data
needs with shared resources;
(ii) enhancing public access to and
dissemination of, information, using
electronic and other formats; and
(iii) meeting the information
technology needs of the Federal
Government in accordance with the
purposes of this subchapter; and
(C) a description of progress in applying
information resources management to improve
agency performance and the accomplishment of
missions.
(b) For purposes of any pilot project conducted under
subsection (a)(2), the Director may, after consultation with
the agency head, waive the application of any administrative
directive issued by an agency with which the project is
conducted, including any directive requiring a collection of
information, after giving timely notice to the public and the
Congress regarding the need for such waiver.
[(c) Inventory of Major Information Systems.--(1) The head
of each agency shall develop and maintain an inventory of major
information systems (including major national security systems)
operated by or under the control of such agency.
[(2) The identification of information systems in an
inventory under this subsection shall include an identification
of the interfaces between each such system and all other
systems or networks, including those not operated by or under
the control of the agency.
[(3) Such inventory shall be--
[(A) updated at least annually;
[(B) made available to the Comptroller General; and
[(C) used to support information resources
management, including--
[(i) preparation and maintenance of the
inventory of information resources under
section 3506(b)(4);
[(ii) information technology planning,
budgeting, acquisition, and management under
section 3506(h), subtitle III of title 40, and
related laws and guidance;
[(iii) monitoring, testing, and evaluation of
information security controls under subchapter
II;
[(iv) preparation of the index of major
information systems required under section
552(g) of title 5, United States Code; and
[(v) preparation of information system
inventories required for records management
under chapters 21, 29, 31, and 33.
[(4) The Director shall issue guidance for and oversee the
implementation of the requirements of this subsection.]
(c) Inventory of Information Systems.--(1) The head of
each agency shall develop and maintain an inventory of the
information systems (including national security systems)
operated by or under the control of such agency;
(2) The identification of information systems in an inventory
under this subsection shall include an identification of
internet accessible information systems and an identification
of the interfaces between each such system and all other
systems or networks, including those not operated by or under
the control of the agency;
(3) Such inventory shall be--
(A) updated at least annually;
(B) made available to the Director of the
Cybersecurity and Infrastructure Security Agency, the
National Cyber Director, and the Comptroller General;
[and]
(C) used to support information resources management,
including--
(i) preparation and maintenance of the
inventory of information resources under
section 3506(b)(4);
(ii) information technology planning,
budgeting, acquisition, and management under
section 3506(h), subtitle III of title 40, and
related laws and guidance;
(iii) monitoring, testing, and evaluation of
information security controls under subchapter
II;
(iv) preparation of the index of major
information systems required under section
552(g) of title 5, United States Code; and
(v) preparation of information system
inventories required for records management
under chapters 21, 29, 31, and 33[.]; and
(D) maintained on a continual basis through the use
of automation, machine-readable data, and scanning,
wherever practicable.
(4) The Director shall issue guidance for and oversee the
implementation of the requirements of this subsection.
Sec. 3506. Federal agency responsibilities
(a)(1) The head of each agency shall be responsible for--
(A) carrying out the agency's information resources
management activities to improve agency productivity,
efficiency, and effectiveness; and
(B) complying with the requirements of this
subchapter and related policies established by the
Director.
(2)(A) Except as provided under subparagraph (B), the head of
each agency shall designate a Chief Information Officer who
shall report directly to such agency head to carry out the
responsibilities of the agency under this subchapter.
(B) The Secretary of the Department of Defense and the
Secretary of each military department may each designate Chief
Information Officers who shall report directly to such
Secretary to carry out the responsibilities of the department
under this subchapter. If more than one Chief Information
Officer is designated, the respective duties of the Chief
Information Officers shall be clearly delineated.
(3) The Chief Information Officer designated under paragraph
(2) shall head an office responsible for ensuring agency
compliance with and prompt, efficient, and effective
implementation of the information policies and information
resources management responsibilities established under this
subchapter, including the reduction of information collection
burdens on the public. In carrying out these duties, the Chief
Information Officer shall consult, as appropriate, with the
Chief Data Officer in accordance with the designated functions
under section 3520(c). The Chief Information Officer and
employees of such office shall be selected with special
attention to the professional qualifications required to
administer the functions described under this subchapter.
(4) Each agency program official shall be responsible and
accountable for information resources assigned to and
supporting the programs under such official. In consultation
with the Chief Information Officer designated under paragraph
(2) and the agency Chief Financial Officer (or comparable
official), each agency program official shall define program
information needs and develop strategies, systems, and
capabilities to meet those needs.
(b) With respect to general information resources management,
each agency shall--
(1) manage information resources to--
(A) reduce information collection burdens on
the public;
(B) increase program efficiency and
effectiveness; and
(C) improve the integrity, availability,
quality, and utility of information to all
users within and outside the agency, including
capabilities for ensuring dissemination of
public information, public access to government
information, and protections for privacy and
security;
(2) in accordance with guidance by the Director,
develop and maintain a strategic information resources
management plan that, to the extent practicable--
(A) describes how information resources
management activities help accomplish agency
missions;
(B) includes an open data plan for data that
does not concern monetary policy that--
(i) requires the agency to develop
processes and procedures that--
(I) require data collection
mechanisms created on or after
the date of the enactment of
the OPEN Government Data Act to
be available in an open format;
and
(II) facilitate collaboration
with non-Government entities
(including businesses),
researchers, and the public for
the purpose of understanding
how data users value and use
government data;
(ii) identifies and implements
methods for collecting and analyzing
digital information on data asset usage
by users within and outside of the
agency, including designating a point
of contact within the agency to assist
the public and to respond to quality
issues, usability issues,
recommendations for improvements, and
complaints about adherence to open data
requirements within a reasonable period
of time;
(iii) develops and implements a
process to evaluate and improve the
timeliness, completeness, consistency,
accuracy, usefulness, and availability
of open Government data assets;
(iv) includes requirements for
meeting the goals of the agency open
data plan, including the acquisition of
technology, provision of training for
employees, and the implementation of
procurement standards, in accordance
with existing law, regulation, and
policy, that allow for the acquisition
of innovative solutions from public and
private sectors;
(v) identifies as priority data
assets any data asset for which
disclosure would be in the public
interest and establishes a plan to
evaluate each priority data asset for
disclosure on the Federal Data
Catalogue under section 3511 and for a
determination under
3511(a)(2)(A)(iii)(I)(bb), including an
accounting of which priority data
assets have not yet been evaluated; and
(vi) requires the agency to comply
with requirements under section 3511,
including any standards established by
the Director under such section, when
disclosing a data asset pursuant to
such section; and
(C) is updated annually and made publicly
available on the website of the agency not
later than 5 days after each such update;
(3) develop and maintain an ongoing process to--
(A) ensure that information resources
management operations and decisions are
integrated with organizational planning,
budget, financial management, human resources
management, and program decisions;
(B) in cooperation with the agency Chief
Financial Officer (or comparable official),
develop a full and accurate accounting of
information technology expenditures, related
expenses, and results; and
(C) establish goals for improving information
resources management's contribution to program
productivity, efficiency, and effectiveness,
methods for measuring progress towards those
goals, and clear roles and responsibilities for
achieving those goals;
(4) in consultation with the Director, the
Administrator of General Services, and the Archivist of
the United States, maintain a current and complete
inventory of the agency's information resources,
including directories necessary to fulfill the
requirements of section 3511 of this subchapter;
(5) in consultation with the Director and the
Director of the Office of Personnel Management, conduct
formal training programs to educate agency program and
management officials about information resources
management; and
(6) in accordance with guidance by the Director--
(A) make each data asset of the agency
available in an open format; and
(B) make each public data asset of the agency
available--
(i) as an open Government data asset;
and
(ii) under an open license.
(c) With respect to the collection of information and the
control of paperwork, each agency shall--
(1) establish a process within the office headed by
the Chief Information Officer designated under
subsection (a), that is sufficiently independent of
program responsibility to evaluate fairly whether
proposed collections of information should be approved
under this subchapter, to--
(A) review each collection of information
before submission to the Director for review
under this subchapter, including--
(i) an evaluation of the need for the
collection of information;
(ii) a functional description of the
information to be collected;
(iii) a plan for the collection of
the information;
(iv) a specific, objectively
supported estimate of burden;
(v) a test of the collection of
information through a pilot program, if
appropriate; and
(vi) a plan for the efficient and
effective management and use of the
information to be collected, including
necessary resources;
(B) ensure that each information collection--
(i) is inventoried, displays a
control number and, if appropriate, an
expiration date;
(ii) indicates the collection is in
accordance with the clearance
requirements of section 3507; and
(iii) informs the person receiving
the collection of information of--
(I) the reasons the
information is being collected;
(II) the way such information
is to be used;
(III) an estimate, to the
extent practicable, of the
burden of the collection;
(IV) whether responses to the
collection of information are
voluntary, required to obtain a
benefit, or mandatory; and
(V) the fact that an agency
may not conduct or sponsor, and
a person is not required to
respond to, a collection of
information unless it displays
a valid control number; and
(C) assess the information collection burden
of proposed legislation affecting the agency;
(2)(A) except as provided under subparagraph (B) or
section 3507(j), provide 60-day notice in the Federal
Register, and otherwise consult with members of the
public and affected agencies concerning each proposed
collection of information, to solicit comment to--
(i) evaluate whether the proposed collection
of information is necessary for the proper
performance of the functions of the agency,
including whether the information shall have
practical utility;
(ii) evaluate the accuracy of the agency's
estimate of the burden of the proposed
collection of information;
(iii) enhance the quality, utility, and
clarity of the information to be collected; and
(iv) minimize the burden of the collection of
information on those who are to respond,
including through the use of automated
collection techniques or other forms of
information technology; and
(B) for any proposed collection of information
contained in a proposed rule (to be reviewed by the
Director under section 3507(d)), provide notice and
comment through the notice of proposed rulemaking for
the proposed rule and such notice shall have the same
purposes specified under subparagraph (A)(i) through
(iv);
(3) certify (and provide a record supporting such
certification, including public comments received by
the agency) that each collection of information
submitted to the Director for review under section
3507--
(A) is necessary for the proper performance
of the functions of the agency, including that
the information has practical utility;
(B) is not unnecessarily duplicative of
information otherwise reasonably accessible to
the agency;
(C) reduces to the extent practicable and
appropriate the burden on persons who shall
provide information to or for the agency,
including with respect to small entities, as
defined under section 601(6) of title 5, the
use of such techniques as--
(i) establishing differing compliance
or reporting requirements or timetables
that take into account the resources
available to those who are to respond;
(ii) the clarification,
consolidation, or simplification of
compliance and reporting requirements;
or
(iii) an exemption from coverage of
the collection of information, or any
part thereof;
(D) is written using plain, coherent, and
unambiguous terminology and is understandable
to those who are to respond;
(E) is to be implemented in ways consistent
and compatible, to the maximum extent
practicable, with the existing reporting and
recordkeeping practices of those who are to
respond;
(F) indicates for each recordkeeping
requirement the length of time persons are
required to maintain the records specified;
(G) contains the statement required under
paragraph (1)(B)(iii);
(H) has been developed by an office that has
planned and allocated resources for the
efficient and effective management and use of
the information to be collected, including the
processing of the information in a manner which
shall enhance, where appropriate, the utility
of the information to agencies and the public;
(I) uses effective and efficient statistical
survey methodology appropriate to the purpose
for which the information is to be collected;
and
(J) to the maximum extent practicable, uses
information technology to reduce burden and
improve data quality, agency efficiency and
responsiveness to the public; and
(4) in addition to the requirements of this chapter
regarding the reduction of information collection
burdens for small business concerns (as defined in
section 3 of the Small Business Act (15 U.S.C. 632)),
make efforts to further reduce the information
collection burden for small business concerns with
fewer than 25 employees.
(d) With respect to information dissemination, each agency
shall--
(1) ensure that the public has timely and equitable
access to the agency's public information, including
ensuring such access through--
(A) encouraging a diversity of public and
private sources for information based on
government public information;
(B) in cases in which the agency provides
public information maintained in electronic
format, providing timely and equitable access
to the underlying data (in whole or in part);
and
(C) agency dissemination of public
information in an efficient, effective, and
economical manner;
(2) regularly solicit and consider public input on
the agency's information dissemination activities;
(3) provide adequate notice when initiating,
substantially modifying, or terminating significant
information dissemination products;
(4) not, except where specifically authorized by
statute--
(A) establish an exclusive, restricted, or
other distribution arrangement that interferes
with timely and equitable availability of
public information to the public;
(B) restrict or regulate the use, resale, or
redissemination of public information by the
public;
(C) charge fees or royalties for resale or
redissemination of public information; or
(D) establish user fees for public
information that exceed the cost of
dissemination;
(5) ensure that any public data asset of the agency
is machine-readable; and
(6) engage the public in using public data assets of
the agency and encourage collaboration by--
(A) publishing on the website of the agency,
on a regular basis (not less than annually),
information on the usage of such assets by non-
Government users;
(B) providing the public with the opportunity
to request specific data assets to be
prioritized for disclosure and to provide
suggestions for the development of agency
criteria with respect to prioritizing data
assets for disclosure;
(C) assisting the public in expanding the use
of public data assets; and
(D) hosting challenges, competitions, events,
or other initiatives designed to create
additional value from public data assets of the
agency.
(e) With respect to statistical policy and coordination, each
agency shall--
(1) ensure the relevance, accuracy, timeliness,
integrity, and objectivity of information collected or
created for statistical purposes;
(2) inform respondents fully and accurately about the
sponsors, purposes, and uses of statistical surveys and
studies;
(3) protect respondents' privacy and ensure that
disclosure policies fully honor pledges of
confidentiality;
(4) observe Federal standards and practices for data
collection, analysis, documentation, sharing, and
dissemination of information;
(5) ensure the timely publication of the results of
statistical surveys and studies, including information
about the quality and limitations of the surveys and
studies; and
(6) make data available to statistical agencies and
readily accessible to the public.
(f) With respect to records management, each agency shall
implement and enforce applicable policies and procedures,
including requirements for archiving information maintained in
electronic format, particularly in the planning, design and
operation of information systems.
(g) With respect to privacy and security, each agency shall--
(1) implement and enforce applicable policies,
procedures, standards, and guidelines on privacy,
confidentiality, security, disclosure and sharing of
information collected or maintained by or for the
agency; and
(2) assume responsibility and accountability for
compliance with and coordinated management of sections
552 and 552a of title 5, subchapter II of this chapter,
and related information management laws.
(h) With respect to Federal information technology, each
agency shall--
(1) implement and enforce applicable Governmentwide
and agency information technology management policies,
principles, standards, and guidelines;
(2) assume responsibility and accountability for
information technology investments;
(3) promote the use of information technology by the
agency to improve the productivity, efficiency,
security, and effectiveness of agency programs,
including the reduction of information collection
burdens on the public and improved dissemination of
public information;
(4) propose changes in legislation, regulations, and
agency procedures to improve information technology
practices, including changes that improve the ability
of the agency to use technology to reduce burden; and
(5) assume responsibility for maximizing the value
and assessing and managing the risks of major
information systems initiatives through a process that
is--
(A) integrated with budget, financial, and
program management decisions; and
(B) used to select, control, and evaluate the
results of major information systems
initiatives.
(i)(1) In addition to the requirements described in
subsection (c), each agency shall, with respect to the
collection of information and the control of paperwork,
establish 1 point of contact in the agency to act as a liaison
between the agency and small business concerns (as defined in
section 3 of the Small Business Act (15 U.S.C. 632)).
(2) Each point of contact described under paragraph (1) shall
be established not later than 1 year after the date of
enactment of the Small Business Paperwork Relief Act of 2002.
(j)(1) Notwithstanding paragraphs (2) and (3) of subsection
(a), the head of each agency shall, in accordance with section
522(a) of division H of the Consolidated Appropriations Act,
2005 (42 U.S.C. 2000ee-2), designate a Chief Privacy Officer
with the necessary skills, knowledge, and expertise, who shall
have the authority and responsibility to--
(A) lead the privacy program of the agency; and
(B) carry out the privacy responsibilities of the
agency under this chapter, section 552a of title 5, and
guidance issued by the Director.
(2) The Chief Privacy Officer of each agency shall--
(A) serve in a central leadership position within the
agency;
(B) have visibility into relevant agency operations;
and
(C) be positioned highly enough within the agency to
regularly engage with other agency leaders and
officials, including the head of the agency.
(3) A privacy officer of an agency established under a
statute enacted before the date of enactment of the Federal
Information Security Modernization Act of 2024 may carry out
the responsibilities under this subsection for the agency.
* * * * * * *
Sec. 3513. Director review of agency activities; reporting; agency
response
(a) In consultation with the Administrator of General
Services, the Archivist of the United States, the Director of
the National Institute of Standards and Technology, and the
Director of the Office of Personnel Management, the Director
shall periodically review selected agency information resources
management activities to ascertain the efficiency and
effectiveness of such activities to improve agency performance
and the accomplishment of agency missions.
(b) Each agency having an activity reviewed under subsection
(a) shall, within 60 days after receipt of a report on the
review, provide a written plan to the Director describing steps
(including milestones) to--
(1) be taken to address information resources
management problems identified in the report; and
(2) improve agency performance and the accomplishment
of agency missions.
(c) Each agency providing a written plan under subsection (b)
shall provide any portion of the written plan addressing
information security to the Secretary of Homeland Security and
the National Cyber Director.
[(c)] (d) Comparable Treatment.--Notwithstanding any other
provision of law, the Director shall treat or review a rule or
order prescribed or proposed by the Director of the Bureau of
Consumer Financial Protection on the same terms and conditions
as apply to any rule or order prescribed or proposed by the
Board of Governors of the Federal Reserve System.
* * * * * * *
SUBCHAPTER II--INFORMATION SECURITY
Sec. 3551. Purposes
The purposes of this subchapter are to--
(1) provide a comprehensive framework for ensuring
the effectiveness of information security controls over
information resources that support Federal operations
and assets;
(2) recognize the highly networked nature of the
current Federal computing environment and provide
effective governmentwide management and oversight of
the related information security risks, including
coordination of information security efforts throughout
the civilian, national security, and law enforcement
communities;
(3) provide for development and maintenance of
minimum controls required to protect Federal
information and information systems;
(4) provide a mechanism for improved oversight of
Federal agency information security programs, including
through automated security tools to continuously
[diagnose and improve] integrate, deliver, diagnose,
and improve security;
(5) acknowledge that commercially developed
information security products offer advanced, dynamic,
robust, and effective information security solutions,
reflecting market solutions for the protection of
critical information infrastructures important to the
national defense and economic security of the nation
that are designed, built, and operated by the private
sector; [and]
(6) recognize that the selection of specific
technical hardware and software information security
solutions should be left to individual agencies from
among commercially developed products[.];
(7) recognize that each agency has specific mission
requirements and, at times, unique cybersecurity
requirements to meet the mission of the agency;
(8) recognize that each agency does not have the same
resources to secure agency systems, and an agency
should not be expected to have the capability to secure
the systems of the agency from advanced adversaries
alone; and
(9) recognize that a holistic Federal cybersecurity
model is necessary to account for differences between
the missions and capabilities of agencies.
Sec. 3552. Definitions
(a) In General.--Except as provided under subsection (b), the
definitions under section 3502 shall apply to this subchapter.
(b) Additional Definitions.--As used in this subchapter:
(1) The term ``binding operational directive'' means
a compulsory direction to an agency that--
(A) is for purposes of safeguarding Federal
information and information systems from a
known or reasonably suspected information
security threat, vulnerability, or risk;
(B) shall be in accordance with policies,
principles, standards, and guidelines issued by
the Director; and
(C) may be revised or repealed by the
Director if the direction issued on behalf of
the Director is not in accordance with policies
and principles developed by the Director.
(2) The term ``high value asset'' means information
or an information system that the head of an agency,
using policies, principles, standards, or guidelines
issued by the Director under section 3553(a),
determines to be so critical to the agency that the
loss or degradation of the confidentiality, integrity,
or availability of such information or information
system would have a serious impact on the ability of
the agency to perform the mission of the agency or
conduct business.
[(2)] (3) The term ``incident'' means an occurrence
that--
(A) actually or imminently jeopardizes,
without lawful authority, the integrity,
confidentiality, or availability of information
or an information system; or
(B) constitutes a violation or imminent
threat of violation of law, security policies,
security procedures, or acceptable use
policies.
[(3)] (4) The term ``information security'' means
protecting information and information systems from
unauthorized access, use, disclosure, disruption,
modification, or destruction in order to provide--
(A) integrity, which means guarding against
improper information modification or
destruction, and includes ensuring information
nonrepudiation and authenticity;
(B) confidentiality, which means preserving
authorized restrictions on access and
disclosure, including means for protecting
personal privacy and proprietary information;
and
(C) availability, which means ensuring timely
and reliable access to and use of information.
[(4)] (5) The term ``information technology'' has the
meaning given that term in section 11101 of title 40.
[(5)] (6) The term ``intelligence community'' has the
meaning given that term in section 3(4) of the National
Security Act of 1947 (50 U.S.C. 3003(4)).
(7) The term ``major incident'' has the meaning given
the term in guidance issued by the Director under
section 3598(a).
[(6)] (8)(A) The term ``national security system''
means any information system (including any
telecommunications system) [used] owned, managed, or
operated by an agency or by a contractor of an agency,
or other organization on behalf of an agency--
(i) the function, operation, or use of
which--
(I) involves intelligence activities;
(II) involves cryptologic activities
related to national security;
(III) involves command and control of
military forces;
(IV) involves equipment that is an
integral part of a weapon or weapons
system; or
(V) subject to subparagraph (B), is
critical to the direct fulfillment of
military or intelligence missions; or
(ii) is protected at all times by procedures
established for information that have been
specifically authorized under criteria
established by an Executive order or an Act of
Congress to be kept classified in the interest
of national defense or foreign policy.
(B) Subparagraph (A)(i)(V) does not include a system
that is to be used for routine administrative and
business applications (including payroll, finance,
logistics, and personnel management applications).
(9) The term ``penetration test''--
(A) means an authorized assessment that
emulates attempts to gain unauthorized access
to, or disrupt the operations of, an
information system or component of an
information system; and
(B) includes any additional meaning given the
term in policies, principles, standards, or
guidelines issued by the Director under section
3553(a).
[(7)] (10) The term ``Secretary'' means the Secretary
of Homeland Security.
(11) The term ``shared service'' means a centralized
mission capability or consolidated business function
that is provided to multiple organizations within an
agency or to multiple agencies.
(12) The term ``zero trust architecture'' has the
meaning given the term in Special Publication 800-207
of the National Institute of Standards and Technology,
or any successor document.
Sec. 3553. Authority and functions of the Director and the Secretary
(a) Director.--The Director shall oversee agency information
security policies and practices, including--
(1) developing and overseeing the implementation of
policies, principles, standards, and guidelines on
information security, including through ensuring timely
agency adoption of and compliance with standards
promulgated under section 11331 of title 40;
(2) requiring agencies, consistent with the standards
promulgated under such section 11331 and the
requirements of this subchapter, to identify and
provide information security protections commensurate
with the risk and magnitude of the harm resulting from
the unauthorized access, use, disclosure, disruption,
modification, or destruction of--
(A) information collected or maintained by or
on behalf of an agency; or
(B) information systems used or operated by
an agency or by a contractor of an agency or
other organization on behalf of an agency;
(3) ensuring that the Secretary carries out the
authorities and functions under subsection (b);
(4) coordinating the development of standards and
guidelines under section 20 of the National Institute
of Standards and Technology Act (15 U.S.C. 278g-3) with
agencies and offices operating or exercising control of
national security systems (including the National
Security Agency) to assure, to the maximum extent
feasible, that such standards and guidelines are
complementary with standards and guidelines developed
for national security systems;
(5) overseeing agency compliance with the
requirements of this subchapter and section 1326 of
title 41, including through any authorized action under
section 11303 of title 40, to enforce accountability
for compliance with such requirements; [and]
(6) coordinating information security policies and
procedures with related information resources
management policies and procedures[.]; and
(7) promoting, in consultation with the Director of
the Cybersecurity and Infrastructure Security Agency,
the National Cyber Director, and the Director of the
National Institute of Standards and Technology--
(A) the use of automation to improve Federal
cybersecurity and visibility with respect to
the implementation of Federal cybersecurity;
and
(B) the use of presumption of compromise and
least privilege principles, such as zero trust
architecture, to improve resiliency and timely
response actions to incidents on Federal
systems.
(b) Secretary.--The Secretary, in consultation with the
Director and the National Cyber Director, shall administer the
implementation of agency information security policies and
practices for information systems, except for national security
systems and information systems described in paragraph (2) or
(3) of subsection (e), including--
(1) assisting the Director in carrying out the
authorities and functions under paragraphs (1), (2),
(3), (5), and (6) of subsection (a);
(2) developing and overseeing the implementation of
binding operational directives to agencies to implement
the policies, principles, standards, and guidelines
developed by the Director under subsection (a)(1) and
the requirements of this subchapter, which may be
revised or repealed by the Director if the operational
directives issued on behalf of the Director are not in
accordance with policies, principles, standards, and
guidelines developed by the Director, including--
(A) requirements for reporting security
incidents to the Federal information security
incident center established under section 3556
and reporting requirements under subchapter IV
of this chapter;
(B) requirements for the contents of the
annual reports required to be submitted under
section 3554(c)(1);
(C) requirements for the mitigation of
exigent risks to information systems; and
(D) other operational requirements as the
Director or Secretary, in consultation with the
Director, may determine necessary;
(3) monitoring agency implementation of information
security policies and practices;
(4) convening meetings with senior agency officials
to help ensure effective implementation of information
security policies and practices;
(5) coordinating Government-wide efforts on
information security policies and practices, including
consultation with the Chief Information Officers
Council established under section 3603 and the Director
of the National Institute of Standards and Technology;
(6) providing operational and technical assistance to
agencies in implementing policies, principles,
standards, and guidelines on information security,
including implementation of standards promulgated under
section 11331 of title 40, including by--
(A) operating the Federal information
security incident center established under
section 3556;
(B) upon request by an agency, deploying,
operating, and maintaining technology to assist
the agency to continuously diagnose and
mitigate against cyber threats and
vulnerabilities, with or without reimbursement;
(C) compiling and analyzing data on agency
information security; and
(D) developing and conducting targeted
operational evaluations, including threat and
vulnerability assessments, on the information
systems;
(7) hunting for and identifying, with or without
advance notice to or authorization from agencies,
threats and vulnerabilities within Federal information
systems;
(8) expeditiously seeking opportunities to reduce
costs, administrative burdens, and other barriers to
information technology security and modernization for
agencies, including through shared services (and
appropriate commercial off the shelf options for such
shared services) for cybersecurity capabilities
identified as appropriate by the Director, in
coordination with the Director of the Cybersecurity and
Infrastructure Security Agency and other agencies as
appropriate;
(9) performing penetration testing that may leverage
manual expert analysis to identify threats and
vulnerabilities within information systems--
(A) without consent or authorization from
agencies; and
(B) with prior consultation with the head of
the agency at least 72 hours in advance of such
testing;
[(8)] (10) upon request by an agency, and at the
Secretary's discretion, with or without reimbursement--
(A) providing services, functions, and
capabilities, including operation of the
agency's information security program, to
assist the agency with meeting the requirements
set forth in section 3554(b); and
(B) deploying, operating, and maintaining
secure technology platforms and tools,
including networks and common business
applications, for use by the agency to perform
agency functions, including collecting,
maintaining, storing, processing,
disseminating, and analyzing information; and
[(9)] (11) other actions as the Director or the
Secretary, in consultation with the Director, may
determine necessary to carry out this subsection.
(c) Report.--Not later than March 1 of [each year] each year
during which agencies are required to submit reports under
section 3554(c), the Director, in consultation with the
Secretary, shall submit to Congress a report, which shall be
unclassified but may include 1 or more annexes that contain
classified or other sensitive information, as appropriate on
the effectiveness of information security policies and
practices during the [preceding year] preceding 2 years,
including--
[(1) a summary of the incidents described in the
annual reports required to be submitted under section
3554(c)(1), including a summary of the information
required under section 3554(c)(1)(A)(iii);]
[(2)] (1) a description of the threshold for
reporting major information security incidents;
[(3)] (2) a summary of the results of evaluations
required to be performed under section 3555;
[(4)] (3) an assessment of agency compliance with
standards promulgated under section 11331 of title 40;
[and]
(4) a summary of the risks and trends identified in
the Federal risk assessment required under subsection
(i); and
(5) an assessment of agency compliance with data
breach notification policies and procedures issued by
the Director.
(d) National Security Systems.--Except for the authorities
and functions described in subsection (a)(5) and subsection
(c), the authorities and functions of the Director and the
Secretary under this section shall not apply to national
security systems.
(e) Department of Defense and Intelligence Community
Systems.--(1) The authorities of the Director described in
paragraphs (1) and (2) of subsection (a) shall be delegated to
the Secretary of Defense in the case of systems described in
paragraph (2) and to the Director of National Intelligence in
the case of systems described in paragraph (3).
(2) The systems described in this paragraph are systems that
are operated by the Department of Defense, a contractor of the
Department of Defense, or another entity on behalf of the
Department of Defense that processes any information the
unauthorized access, use, disclosure, disruption, modification,
or destruction of which would have a debilitating impact on the
mission of the Department of Defense.
(3) The systems described in this paragraph are systems that
are operated by an element of the intelligence community, a
contractor of an element of the intelligence community, or
another entity on behalf of an element of the intelligence
community that processes any information the unauthorized
access, use, disclosure, disruption, modification, or
destruction of which would have a debilitating impact on the
mission of an element of the intelligence community.
(f) Consideration.--
(1) In general.--In carrying out the responsibilities
under subsection (b), the Secretary shall consider any
applicable standards or guidelines developed by the
National Institute of Standards and Technology and
issued by the Secretary of Commerce under section 11331
of title 40.
(2) Directives.--The Secretary shall--
(A) consult with the Director of the National
Institute of Standards and Technology regarding
any binding operational directive that
implements standards and guidelines developed
by the National Institute of Standards and
Technology; and
(B) ensure that binding operational
directives issued under subsection (b)(2) do
not conflict with the standards and guidelines
issued under section 11331 of title 40.
(3) Rule of construction.--Nothing in this subchapter
shall be construed as authorizing the Secretary to
direct the Secretary of Commerce in the development and
promulgation of standards and guidelines under section
11331 of title 40.
(g) Exercise of Authority.--To ensure fiscal and policy
consistency, the Secretary shall exercise the authority under
this section subject to direction by the President, in
coordination with the Director.
(h) Direction to Agencies.--
(1) Authority.--
(A) In general.--Subject to subparagraph (B),
in response to a known or reasonably suspected
information security threat, vulnerability, or
incident that represents a substantial threat
to the information security of an agency, the
Secretary may issue an emergency directive to
the head of an agency to take any lawful action
with respect to the operation of the
information system, including such systems used
or operated by another entity on behalf of an
agency, that collects, processes, stores,
transmits, disseminates, or otherwise maintains
agency information, for the purpose of
protecting the information system from, or
mitigating, an information security threat.
(B) Exception.--The authorities of the
Secretary under this subsection shall not apply
to a system described in subsection (d) or to a
system described in paragraph (2) or (3) of
subsection (e).
(2) Procedures for use of authority.--The Secretary
shall--
(A) in coordination with the Director and the
National Cyber Director, and in consultation
with Federal contractors as appropriate,
establish procedures governing the
circumstances under which a directive may be
issued under this subsection, which shall
include--
(i) thresholds and other criteria;
(ii) privacy and civil liberties
protections; and
(iii) providing notice to potentially
affected third parties;
(B) specify the reasons for the required
action, the scope of the required action (such
as applicable software, firmware, or hardware
versions), and the duration of the directive;
(C) minimize the impact of a directive under
this subsection by--
(i) adopting the least intrusive
means possible under the circumstances
to secure the agency information
systems; and
(ii) limiting directives to the
shortest period practicable;
(D) notify the Director, the National Cyber
Director, and the head of any affected agency
immediately upon the issuance of a directive
under this subsection;
(E) consult with the Director of the National
Institute of Standards and Technology regarding
any directive under this subsection that
implements standards and guidelines developed
by the National Institute of Standards and
Technology;
(F) ensure that directives issued under this
subsection do not conflict with the standards
and guidelines issued under section 11331 of
title 40;
(G) consider any applicable standards or
guidelines developed by the National Institute
of Standards and Technology issued by the
Secretary of Commerce under section 11331 of
title 40; and
(H) not later than February 1 of each year,
submit to the appropriate congressional
committees a report regarding the specific
actions the Secretary has taken pursuant to
paragraph (1)(A).
(3) Imminent threats.--
(A) In general.--Notwithstanding section
3554, the Secretary may authorize the use under
this subsection of the intrusion detection and
prevention capabilities established under
section 230(b)(1) of the Homeland Security Act
of 2002 for the purpose of ensuring the
security of agency information systems, if--
(i) the Secretary determines there is
an imminent threat to agency
information systems;
(ii) the Secretary determines a
directive under subsection (b)(2)(C) or
paragraph (1)(A) is not reasonably
likely to result in a timely response
to the threat;
(iii) the Secretary determines the
risk posed by the imminent threat
outweighs any adverse consequences
reasonably expected to result from the
use of the intrusion detection and
prevention capabilities under the
control of the Secretary;
(iv) the Secretary provides prior
notice to the Director, the National
Cyber Director, and the head and chief
information officer (or equivalent
official) of each agency to which
specific actions will be taken pursuant
to this paragraph, and notifies the
appropriate congressional committees
and authorizing committees of each such
agency within 7 days of taking an
action under this paragraph of--
(I) any action taken under
this paragraph; and
(II) the reasons for and
duration and nature of the
action;
(v) the action of the Secretary is
consistent with applicable law; and
(vi) the Secretary authorizes the use
of the intrusion detection and
prevention capabilities in accordance
with the advance procedures established
under subparagraph (C).
(B) Limitation on delegation.--The authority
under this paragraph may not be delegated by
the Secretary.
(C) Advance procedures.--The Secretary shall,
in coordination with the Director, and in
consultation with the heads of Federal
agencies, establish procedures governing the
circumstances under which the Secretary may
authorize the use of the intrusion detection
and prevention capabilities under subparagraph
(A). The Secretary shall submit the procedures
to Congress.
(4) Limitation.--The Secretary may direct or
authorize lawful action or the use of the intrusion
detection and prevention capabilities under this
subsection only to--
(A) protect agency information from
unauthorized access, use, disclosure,
disruption, modification, or destruction; or
(B) require the remediation of or protect
against identified information security risks
with respect to--
(i) information collected or
maintained by or on behalf of an
agency; or
(ii) that portion of an information
system used or operated by an agency or
by a contractor of an agency or other
organization on behalf of an agency.
[(i) Annual Report to Congress.--Not later than February 1 of
each year, the Director and the Secretary shall submit to the
appropriate congressional committees a report regarding the
specific actions the Director and the Secretary have taken
pursuant to subsection (a)(5), including any actions taken
pursuant to section 11303(b)(5) of title 40.]
(i) Federal Risk Assessment.--On an ongoing and continual
basis, the Director of the Cybersecurity and Infrastructure
Security Agency shall assess the Federal risk posture using any
available information on the cybersecurity posture of agencies,
and brief the Director and National Cyber Director on the
findings of such assessment, including--
(1) the status of agency cybersecurity remedial
actions for high value assets described in section
3554(b)(7);
(2) any vulnerability information relating to the
systems of an agency that is known by the agency;
(3) analysis of incident information under section
3597;
(4) evaluation of penetration testing performed under
section 3559A;
(5) evaluation of vulnerability disclosure program
information under section 3559B;
(6) evaluation of agency threat hunting results;
(7) evaluation of Federal and non-Federal cyber
threat intelligence;
(8) data on agency compliance with standards issued
under section 11331 of title 40;
(9) agency system risk assessments required under
section 3554(a)(1)(A);
(10) relevant reports from inspectors general of
agencies and the Government Accountability Office; and
(11) any other information the Director of the
Cybersecurity and Infrastructure Security Agency
determines relevant.
(j) Rule of Construction.--Nothing in this section shall be
construed to require the Secretary to provide notice to any
private entity before the Secretary issues a binding
operational directive under subsection (b)(2).
(k) Appropriate Congressional Committees Defined.--In this
section, the term ``appropriate congressional committees''
means--
(1) the Committee on Appropriations and the Committee
on Homeland Security and Governmental Affairs of the
Senate; and
(2) the Committee on Appropriations, the Committee on
Homeland Security, the Committee on Oversight and
Government Reform, and the Committee on Science, Space,
and Technology of the House of Representatives.
(l) Information Sharing.--
(1) In general.--Notwithstanding any other provision
of law, including any provision of law that would
otherwise restrict or prevent the head of an agency
from disclosing information to the Secretary, the
Secretary in carrying out this section and title XXII
of the Homeland Security Act of 2002 (6 U.S.C. 651 et
seq.) may access, use, retain, and disclose, and the
head of an agency may disclose to the Secretary,
information, for the purpose of protecting information
and information systems from cybersecurity risks.
(2) Exception.--Paragraph (1) shall not apply to
national security systems or to information systems
described in paragraph (2) or (3) of subsection (e).
(m) Directives.--
(1) Emergency directive updates.--If the Secretary
issues an emergency directive under this section, the
Director of the Cybersecurity and Infrastructure
Security Agency shall submit to the Director, the
National Cyber Director, the Committee on Homeland
Security and Governmental Affairs of the Senate, and
the Committees on Oversight and Accountability and
Homeland Security of the House of Representatives an
update on the status of the implementation of the
emergency directive at agencies not later than 7 days
after the date on which the emergency directive
requires an agency to complete a requirement specified
by the emergency directive, and every 30 days
thereafter until--
(A) the date on which every agency has fully
implemented the emergency directive;
(B) the Secretary determines that an
emergency directive no longer requires active
reporting from agencies or additional
implementation; or
(C) the date that is 1 year after the
issuance of the directive.
(2) Binding operational directive updates.--If the
Secretary issues a binding operational directive under
this section, the Director of the Cybersecurity and
Infrastructure Security Agency shall submit to the
Director, the National Cyber Director, the Committee on
Homeland Security and Governmental Affairs of the
Senate, and the Committees on Oversight and
Accountability and Homeland Security of the House of
Representatives an update on the status of the
implementation of the binding operational directive at
agencies not later than 30 days after the issuance of
the binding operational directive, and every 90 days
thereafter until--
(A) the date on which every agency has fully
implemented the binding operational directive;
(B) the Secretary determines that a binding
operational directive no longer requires active
reporting from agencies or additional
implementation; or
(C) the date that is 1 year after the
issuance or substantive update of the
directive.
(3) Report.--If the Director of the Cybersecurity and
Infrastructure Security Agency ceases submitting
updates required under paragraphs (1) or (2) on the
date described in paragraph (1)(C) or (2)(C), the
Director of the Cybersecurity and Infrastructure
Security Agency shall submit to the Director, the
National Cyber Director, the Committee on Homeland
Security and Governmental Affairs of the Senate, and
the Committees on Oversight and Accountability and
Homeland Security of the House of Representatives a
list of every agency that, at the time of the report--
(A) has not completed a requirement specified
by an emergency directive; or
(B) has not implemented a binding operational
directive.
(n) Review of Office of Management and Budget Guidance and
Policy.--
(1) Conduct of review.--Not less frequently than once
every 3 years, the Director of the Office of Management
and Budget shall review the efficacy of the guidance
and policy promulgated by the Director in reducing
cybersecurity risks, including a consideration of
reporting and compliance burden on agencies.
(2) Congressional notification.--The Director of the
Office of Management and Budget shall notify the
Committee on Homeland Security and Governmental Affairs
of the Senate and the Committee on Oversight and
Accountability of the House of Representatives of the
results of the review under paragraph (1).
(3) GAO review.--The Government Accountability Office
shall review guidance and policy promulgated by the
Director to assess its efficacy in risk reduction and
burden on agencies.
(o) Automated Standard Implementation Verification.--When the
Director of the National Institute of Standards and Technology
issues a proposed standard or guideline pursuant to paragraphs
(2) or (3) of section 20(a) of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3(a)), the
Director of the National Institute of Standards and Technology
shall consider developing and, if appropriate and practical,
develop specifications to enable the automated verification of
the implementation of the controls.
(p) Inspectors General Access to Federal Risk Assessments.--
The Director of the Cybersecurity and Infrastructure Security
Agency shall, upon request, make available Federal risk
assessment information under subsection (i) to the Inspector
General of the Department of Homeland Security and the
inspector general of any agency that was included in the
Federal risk assessment.
Sec. 3554. Federal agency responsibilities
(a) In General.--The head of each agency shall--
(1) be responsible for--
(A) on an ongoing and continual basis,
assessing agency system risk, as applicable,
by--
(i) identifying and documenting the
high value assets of the agency using
guidance from the Director;
(ii) evaluating the data assets
inventoried under section 3511 for
sensitivity to compromises in
confidentiality, integrity, and
availability;
(iii) identifying whether the agency
is participating in federally offered
cybersecurity shared services programs;
(iv) identifying agency systems that
have access to or hold the data assets
inventoried under section 3511;
(v) evaluating the threats facing
agency systems and data, including high
value assets, based on Federal and non-
Federal cyber threat intelligence
products, where available;
(vi) evaluating the vulnerability of
agency systems and data, including high
value assets, including by analyzing--
(I) the results of
penetration testing performed
by the Department of Homeland
Security under section
3553(b)(9);
(II) the results of
penetration testing performed
under section 3559A;
(III) information provided to
the agency through the
vulnerability disclosure
program of the agency under
section 3559B;
(IV) incidents; and
(V) any other vulnerability
information relating to agency
systems that is known to the
agency;
(vii) assessing the impacts of
potential agency incidents to agency
systems, data, and operations based on
the evaluations described in clauses
(ii) and (v) and the agency systems
identified under clause (iv); and
(viii) assessing the consequences of
potential incidents occurring on agency
systems that would impact systems at
other agencies, including due to
interconnectivity between different
agency systems or operational reliance
on the operations of the system or data
in the system;
[(A) providing information] (B) using
information from the assessment required under
subparagraph (A), providing information
security protections commensurate with the risk
and magnitude of the harm resulting from
unauthorized access, use, disclosure,
disruption, modification, or destruction of--
(i) information collected or
maintained by or on behalf of the
agency; and
(ii) information systems used or
operated by an agency or by a
contractor of an agency or other
organization on behalf of an agency;
[(B)] (C) complying with the requirements of
this subchapter, subchapter III of chapter 13
of title 41, and related policies, procedures,
standards, and guidelines, including--
(i) information security standards
promulgated under section 11331 of
title 40;
(ii) binding operational directives
developed by the Secretary under
section 3553(b);
(iii) policies and procedures issued
by the Director;
(iv) information security standards
and guidelines for national security
systems issued in accordance with law
and as directed by the President;
(v) emergency directives issued by
the Secretary under section 3553(h);
and
(vi) responsibilities relating to
assessing and avoiding, mitigating,
transferring, or accepting supply chain
risks under section 1326 of title 41,
and complying with exclusion and
removal orders issued under section
1323 of such title; [and]
[(C)] (D) ensuring that information security
management processes are integrated with agency
strategic, operational, and budgetary planning
processes; and
(E) providing an update on the ongoing and
continual assessment required under
subparagraph (A)--
(i) upon request, to the inspector
general of the agency or the
Comptroller General of the United
States; and
(ii) at intervals determined by
guidance issued by the Director, and to
the extent appropriate and practicable
using automation, to--
(I) the Director;
(II) the Director of the
Cybersecurity and
Infrastructure Security Agency;
and
(III) the National Cyber
Director;
(2) ensure that senior agency officials provide
information security for the information and
information systems that support the operations and
assets under their control, including through--
(A) assessing the risk and magnitude of the
harm that could result from the unauthorized
access, use, disclosure, disruption,
modification, or destruction of such
information or information systems in
accordance with the agency system risk
assessment required under paragraph (1)(A);
(B) determining the levels of information
security appropriate to protect such
information and information systems in
accordance with standards promulgated under
section 11331 of title 40, for information
security classifications and related
requirements;
(C) implementing policies and procedures to
cost-effectively reduce risks to an acceptable
level; and
(D) periodically, through the use of
penetration testing, the vulnerability
disclosure program established under section
3559B, and other means, testing and evaluating
information security controls and techniques to
ensure that they are effectively implemented;
(3) delegate to the agency Chief Information Officer
established under section 3506 (or comparable official
in an agency not covered by such section) the authority
to ensure compliance with the requirements imposed on
the agency under this subchapter, including--
(A) designating a [senior agency information
security officer] Chief Information Security
Officer who shall--
(i) carry out the Chief Information
Officer's responsibilities under [this
section] subsections (a) through (c);
(ii) possess professional
qualifications, including [training
and] skills, training, and experience,
required to administer the functions
described under this section;
(iii) manage information security,
cybersecurity budgets, and risk and
compliance activities and explain those
concepts to the head of the agency and
the executive team of the agency;
[(iii)] (iv) have [information
security duties as that official's
primary duty] information, computer
network, and technology security duties
as the Chief Information Security
Officers' primary duty; and
[(iv)] (v) head an office with the
mission and resources to assist in
ensuring agency compliance with this
section;
(B) developing and maintaining an agencywide
information security program as required by
subsection (b);
(C) developing and maintaining information
security policies, procedures, and control
techniques to address all applicable
requirements, including those issued under
section 3553 of this title and section 11331 of
title 40;
(D) training and overseeing personnel with
significant responsibilities for information
security with respect to such responsibilities;
and
(E) assisting senior agency officials
concerning their responsibilities under
paragraph (2);
(4) ensure that the agency has trained personnel
sufficient to assist the agency in complying with the
requirements of this subchapter and related policies,
procedures, standards, and guidelines;
(5) ensure that the agency Chief Information Officer,
in coordination with other senior agency officials,
reports [annually] not less frequently than quarterly
to the agency head on the effectiveness of the agency
information security program, including progress of
remedial actions;
(6) ensure that senior agency officials, including
chief information officers of component agencies or
equivalent officials, carry out responsibilities under
this subchapter as directed by the [official delegated]
Chief Information Security Officer delegated authority
under paragraph (3); and
(7) ensure that all personnel are held accountable
for complying with the agency-wide information security
program implemented under subsection (b).
(b) Agency Program.--Each agency shall develop, document, and
implement an agency-wide information security program to
provide information security for the information and
information systems that support the operations and assets of
the agency, including those provided or managed by another
agency, contractor, or other source, that includes--
[(1) periodic assessments of the risk and magnitude
of the harm that could result from the unauthorized
access, use, disclosure, disruption, modification, or
destruction of information and information systems that
support the operations and assets of the agency, which
may include using automated tools consistent with
standards and guidelines promulgated under section
11331 of title 40;]
(1) the ongoing and continual assessment of agency
system risk required under subsection (a)(1)(A), which
may include using guidance and automated tools
consistent with standards and guidelines promulgated
under section 11331 of title 40, as applicable;
(2) policies and procedures that--
(A) are based on the risk assessments
required by paragraph (1);
[(B) cost-effectively reduce information
security risks to an acceptable level;]
[(C)] (B) ensure that information security is
addressed throughout the life cycle of each
agency information system; and
[(D)] (C) ensure compliance with--
(i) the requirements of this
subchapter;
(ii) policies and procedures as may
be prescribed by the Director, and
information security standards
promulgated under section 11331 of
title 40;
(iii) binding operational directives
and emergency directives issued by the
Secretary under section 3553;
[(iii)] (iv) minimally acceptable
system configuration requirements, [as
determined by the agency;] as
determined by the agency, considering
the agency risk assessment required
under subsection (a)(1)(A); and
[(iv)] (v) any other applicable
requirements, including standards and
guidelines for national security
systems issued in accordance with law
and as directed by the President;
(3) subordinate plans for providing adequate
information security for networks, facilities, and
systems or groups of information systems, as
appropriate;
(4) security awareness training to inform personnel,
including contractors and other users of information
systems that support the operations and assets of the
agency, of--
(A) information security risks associated
with their activities; and
(B) their responsibilities in complying with
agency policies and procedures designed to
reduce these risks;
(5) periodic testing and evaluation of the
effectiveness of information security policies,
procedures, and practices, to be performed with a
frequency depending on risk, but no less than annually,
of which such testing--
(A) shall include testing, including
penetration testing, as appropriate, of
management, operational, and technical controls
of every information system identified in the
inventory required under section 3505(c);
(B) may include testing relied on in an
evaluation under section 3555; and
(C) shall include using automated tools,
consistent with standards and guidelines
promulgated under section 11331 of title 40;
(6) a process for planning, implementing, evaluating,
and documenting remedial action to address any
deficiencies in the information security policies,
procedures, and practices of the agency;
(7) a process for securely providing the status of
remedial cybersecurity actions and un-remediated
identified system vulnerabilities of high value assets
to the Director and the Director of the Cybersecurity
and Infrastructure Security Agency, using automation
and machine-readable data as appropriate;
[(7)] (8) procedures for detecting, reporting, and
responding to security incidents, which--
(A) shall be consistent with the standards
and guidelines described in section 3556(b);
(B) may include using automated tools; and
(C) shall include--
(i) mitigating risks associated with
such incidents before substantial
damage is done;
[(ii) notifying and consulting with
the Federal information security
incident center established in section
3556; and]
(ii) notifying and consulting with
the Federal information security
incident center established under
section 3556 pursuant to the
requirements of section 3594;
(iii) performing the notifications
and other activities required under
subchapter IV of this chapter; and
[(iii)] (iv) notifying and consulting
with, as appropriate--
(I) law enforcement agencies
and relevant Offices of
Inspector General and Offices
of General Counsel;
(II) an office designated by
the President for any incident
involving a national security
system; and
[(III) for a major incident,
the committees of Congress
described in subsection
(c)(1)--
[(aa) not later than
7 days after the date
on which there is a
reasonable basis to
conclude that the major
incident has occurred;
and
[(bb) after the
initial notification
under item (aa), within
a reasonable period of
time after additional
information relating to
the incident is
discovered, including
the summary required
under subsection
(c)(1)(A)(i); and]
[(IV)] (III) any other agency
or office, in accordance with
law or as directed by the
President; and
[(8)] (9) plans and procedures to ensure continuity
of operations for information systems that support the
operations and assets of the agency.
(c) Agency Reporting.--
[(1) Annual report.--
[(A) In general.--Each agency shall submit to
the Director, the Secretary, the Committee on
Government Reform, the Committee on Homeland
Security, and the Committee on Science of the
House of Representatives, the Committee on
Homeland Security and Governmental Affairs and
the Committee on Commerce, Science, and
Transportation of the Senate, the appropriate
authorization and appropriations committees of
Congress, and the Comptroller General a report
on the adequacy and effectiveness of
information security policies, procedures, and
practices, including--
[(i) a description of each major
information security incident or
related sets of incidents, including
summaries of--
[(I) the threats and threat
actors, vulnerabilities, and
impacts relating to the
incident;
[(II) the risk assessments
conducted under section
3554(a)(2)(A) of the affected
information systems before the
date on which the incident
occurred;
[(III) the status of
compliance of the affected
information systems with
applicable security
requirements at the time of the
incident; and
[(IV) the detection,
response, and remediation
actions;
[(ii) the total number of information
security incidents, including a
description of incidents resulting in
significant compromise of information
security, system impact levels, types
of incident, and locations of affected
systems;
[(iii) a description of each major
information security incident that
involved a breach of personally
identifiable information, as defined by
the Director, including--
[(I) the number of
individuals whose information
was affected by the major
information security incident;
and
[(II) a description of the
information that was breached
or exposed; and
[(iv) any other information as the
Director or the Secretary, in
consultation with the Director, may
require.
[(B) Unclassified report.--
[(i) In general.--Each report
submitted under subparagraph (A) shall
be in unclassified form, but may
include a classified annex.
[(ii) Access to information.--The
head of an agency shall ensure that, to
the greatest extent practicable,
information is included in the
unclassified version of the reports
submitted by the agency under
subparagraph (A).]
(1) Biennial report.--Not later than 2 years after
the date of enactment of the Federal Information
Security Modernization Act of 2024 and not less
frequently than once every 2 years thereafter, using
the ongoing and continual agency system risk assessment
required under subsection (a)(1)(A), the head of each
agency shall submit to the Director, the National Cyber
Director, the Director of the Cybersecurity and
Infrastructure Security Agency, the Comptroller General
of the United States, the majority and minority leaders
of the Senate, the Speaker and minority leader of the
House of Representatives, the Committee on Homeland
Security and Governmental Affairs of the Senate, the
Committee on Oversight and Accountability of the House
of Representatives, the Committee on Homeland Security
of the House of Representatives, the Committee on
Commerce, Science, and Transportation of the Senate,
the Committee on Science, Space, and Technology of the
House of Representatives, and the appropriate
authorization and appropriations committees of Congress
a report that--
(A) summarizes the agency system risk
assessment required under subsection (a)(1)(A);
(B) evaluates the adequacy and effectiveness
of information security policies, procedures,
and practices of the agency to address the
risks identified in the agency system risk
assessment required under subsection (a)(1)(A),
including an analysis of the agency's
cybersecurity and incident response
capabilities using the metrics established
under section 224(c) of the Cybersecurity Act
of 2015 (6 U.S.C. 1522(c));
(C) summarizes the status of remedial actions
identified by the inspector general of the agency,
the Comptroller General of the United States,
and any other source determined appropriate by
the head of the agency;
(D) includes the cybersecurity shared
services offered by the Cybersecurity and
Infrastructure Security Agency that the agency
participates in, if any, and explanations for
any non-participation in such services; and
(E) with respect to any exemption from the
requirements of subsection (f)(3) that is
effective on the date of submission of the
report, includes the number of information
systems that have received an exemption from
those requirements.
(2) Unclassified reports.--Each report submitted
under paragraph (1)--
(A) shall be, to the greatest extent
practicable, in an unclassified and otherwise
uncontrolled form; and
(B) may include 1 or more annexes that
contain classified or other sensitive
information, as appropriate.
(3) Briefings.--During each year during which a
report is not required to be submitted under paragraph
(1), the Director shall provide to the congressional
committees described in paragraph (1) a briefing
summarizing current agency and Federal risk postures.
[(2)] (4) Other plans and reports.--Each agency shall
address the adequacy and effectiveness of information
security policies, procedures, and practices in
management plans and reports[.], including the
reporting procedures established under section 11315(d)
of title 40 and subsection (a)(3)(A)(v) of this
section.
(d) Performance Plan.--(1) In addition to the requirements of
subsection (c), each agency, in consultation with the Director,
shall include as part of the performance plan required under
section 1115 of title 31 a description of--
(A) the time periods; and
(B) the resources, including budget, staffing, and
training,
that are necessary to implement the program required under
subsection (b).
(2) The description under paragraph (1) shall be based on the
risk assessments required under subsection (b)(1).
(e) Public Notice and Comment.--Each agency shall provide the
public with timely notice and opportunities for comment on
proposed information security policies and procedures to the
extent that such policies and procedures affect communication
with the public.
(f) Specific Cybersecurity Requirements at Agencies.--
(1) In general.--Consistent with policies, standards,
guidelines, and directives on information security
under this subchapter, and except as provided under
paragraph (3), the head of each agency shall--
(A) identify sensitive and mission critical
data stored by the agency consistent with the
inventory required under section 3505(c);
(B) assess access controls to the data
described in subparagraph (A), the need for
readily accessible storage of the data, and the
need of individuals to access the data;
(C) encrypt or otherwise render
indecipherable to unauthorized users the data
described in subparagraph (A) that is stored on
or transiting agency information systems;
(D) implement identity and access management
systems to ensure the security of Federal
information systems and protect agency records
and data from fraud resulting from the
misrepresentation of identity or identity
theft, including--
(i) a single sign-on trusted identity
platform for individuals accessing each
public website of the agency that
requires, at a minimum, user
authentication and verification
services consistent with applicable law
and guidance issued by the Director of
the Office of Management and Budget who
shall consider any applicable standard
or guideline developed by the National
Institute of Standards and Technology,
which may be one developed by the
Administrator of General Services in
consultation with the Director of the
Office of Management and Budget; and
(ii) multi-factor authentication,
consistent with guidance issued by the
Director of the Office of Management
and Budget who shall consider any
applicable standard or guideline
developed by the National Institute of
Standards and Technology, for--
(I) remote access to an
information system; and
(II) each user account with
elevated privileges on an
information system.
(2) Prohibition.--
(A) Definition.--In this paragraph, the term
``internet of things'' has the meaning given
the term in section 3559B.
(B) Prohibition.--Consistent with policies,
standards, guidelines, and directives on
information security under this subchapter, and
except as provided under paragraph (3), the
head of an agency may not procure, obtain,
renew a contract to procure or obtain in any
amount, notwithstanding section 1905 of title
41, or use an internet of things device if the
Chief Information Officer of the agency
determines during a review required under
section 11319(b)(1)(C) of title 40 of a
contract for an internet of things device that
the use of the device prevents compliance with
the standards and guidelines developed under
section 4 of the IoT Cybersecurity Improvement
Act (15 U.S.C. 278g-3b) with respect to the
device.
(3) Exceptions.--
(A) In general.--The requirements under
subparagraphs (A), (B), (C), and (D)(ii) of
paragraph (1) shall not apply to an information
system for which the head of the agency,
without delegation, has--
(i) certified to the Director with
particularity that--
(I) operational requirements
articulated in the
certification and related to
the information system would
make it excessively burdensome
to implement the cybersecurity
requirement;
(II) the cybersecurity
requirement is not necessary to
secure the information system
or agency information stored on
or transiting it; and
(III) the agency has taken
all necessary steps to secure
the information system and
agency information stored on or
transiting it; and
(ii) submitted the certification
described in clause (i) to the
appropriate congressional committees
and the authorizing committees of the
agency.
(B) Identity management platform waiver.--The
head of an agency shall be in compliance with
the requirement under paragraph (1)(D)(i) with
respect to implementing a single sign-on
trusted identity system or platform other than
one developed by the Administrator of General
Services as described under paragraph (1)(D)(i)
if the head of the agency--
(i) without delegation--
(I) has certified to the
Director that the alternative
system or platform, including a
procured system or platform,
conforms with applicable
security and privacy
requirements of this subchapter
and guidance issued by the
Director, at least 30 days
before use of the system or
platform; or
(II) with regard to a system
or platform in use as of the
date of enactment of this
subsection, the head of the
agency provides such
certification to the Director
within 60 days after the date
of enactment of this
subsection;
(ii) has received a written waiver
from the Director in response to the
request submitted under clause (i); and
(iii) has submitted the certification
described in clause (i) and the waiver
described in clause (ii) to the
appropriate congressional committees
and the authorizing committees of the
agency.
(4) Duration of certification.--
(A) In general.--A certification and
corresponding exemption of an agency under
paragraph (3) shall expire on the date that is
4 years after the date on which the head of the
agency submits the certification under
paragraph (3).
(B) Renewal.--Upon the expiration of a
certification of an agency under paragraph (3),
the head of the agency may submit an additional
certification in accordance with that
paragraph.
(5) Presumption of adequacy.--A FedRAMP authorization
issued pursuant to chapter 36 of title 44 shall be
presumed adequate to fulfill the requirements under
subparagraphs (A) through (C) of paragraph (1) with
respect to an agency authorization to operate cloud
computing products and services if such presumption of
adequacy does not alter or modify--
(A) the responsibility of any agency to
ensure compliance with this subchapter for any
cloud computing product or service used by the
agency; or
(B) the authority of the head of any agency
to make a determination that there is a
demonstrable need to include additional
security controls beyond those included in a
FedRAMP authorization package for a particular
cloud computing product or service.
(6) Rules of construction.--Nothing in this
subsection shall be construed--
(A) to alter the authority of the Secretary,
the Director, or the Director of the National
Institute of Standards and Technology in
implementing subchapter II of this title;
(B) to affect the standards or process of the
National Institute of Standards and Technology;
(C) to affect the requirement under section
3553(a)(4);
(D) to discourage continued improvements and
advancements in the technology, standards,
policies, and guidelines used to promote
Federal information security; or
(E) to affect the requirements under
subchapter III.
(g) Exception.--
(1) National security system requirements.--The
requirements under subsection (f)(1) shall not apply
to--
(A) a national security system; or
(B) an information system described in
paragraph (2) or (3) of section 3553(e)(2).
(2) Prohibition.--The prohibition under subsection
(f)(2) shall not apply to--
(A) necessary in the interest of national
security;
(B) national security systems; or
(C) a procured internet of things device
described in subsection (f)(2)(B) that the
Chief Information Officer of an agency
determines is--
(i) necessary for research purposes;
(ii) necessary in the interest of
national security; or
(iii) secured using alternative and
effective methods appropriate to the
function of the internet of things
device.
Sec. 3555. [Annual independent] Independent evaluation
(a) In General.--(1) Each year during which a report is
required to be submitted under section 3553(c), each agency
shall have performed an independent evaluation of the
information security program and practices of that agency to
determine the effectiveness of such program and practices.
(2) Each evaluation under this section shall include--
(A) testing of the effectiveness of information
security policies, procedures, and practices of a
representative subset of the agency's information
systems, including by performing, or reviewing the
results of, agency penetration testing and analyzing
the vulnerability disclosure program of the agency;
(B) an assessment of the effectiveness of the
information security policies, procedures, and
practices of the agency; and
(C) separate presentations, as appropriate, regarding
information security relating to national security
systems.
(3) An evaluation under this section may include
recommendations for improving the cybersecurity posture of the
agency.
(b) Independent Auditor.--Subject to subsection (c)--
(1) for each agency with an Inspector General
appointed under chapter 4 of title 5, the [annual]
evaluation required by this section shall be performed
by the Inspector General or by an independent external
auditor, as determined by the Inspector General of the
agency; and
(2) for each agency to which paragraph (1) does not
apply, the head of the agency shall engage an
independent external auditor to perform the evaluation.
(c) National Security Systems.--For each agency operating or
exercising control of a national security system, that portion
of the evaluation required by this section directly relating to
a national security system shall be performed--
(1) only by an entity designated by the agency head;
and
(2) in such a manner as to ensure appropriate
protection for information associated with any
information security vulnerability in such system
commensurate with the risk and in accordance with all
applicable laws.
(d) Existing Evaluations.--The evaluation required by this
section may be based in whole or in part on an audit,
evaluation, or report relating to programs or practices of the
applicable agency.
(e) Agency Reporting.--(1) Each year during which a report is
required to be submitted under section 3553(c), not later than
such date established by the Director, the head of each agency
shall submit to the Director the results of the evaluation
required under this section.
(2) To the extent an evaluation required under this section
directly relates to a national security system, the evaluation
results submitted to the Director shall contain only a summary
and assessment of that portion of the evaluation directly
relating to a national security system.
(f) Protection of Information.--Agencies and evaluators shall
take appropriate steps to ensure the protection of information
which, if disclosed, may adversely affect information security.
Such protections shall be commensurate with the risk and comply
with all applicable laws and regulations.
(g) OMB Reports to Congress.--(1) The Director shall
summarize the results of the evaluations conducted under this
section in the report to Congress required under section
3553(c).
(2) The Director's report to Congress under [this subsection
shall] this subsection--
(A) shall summarize information regarding
information security relating to national security
systems in such a manner as to ensure appropriate
protection for information associated with any
information security vulnerability in such system
commensurate with the risk and in accordance with all
applicable laws[.]; and
(B) identify any entity that performs an independent
evaluation under subsection (b).
(3) Evaluations and any other descriptions of information
systems under the authority and control of the Director of
National Intelligence or of National Foreign Intelligence
Programs systems under the authority and control of the
Secretary of Defense shall be made available to Congress only
through the appropriate oversight committees of Congress, in
accordance with applicable laws.
(h) Comptroller General.--The Comptroller General shall
periodically evaluate and report to Congress on--
(1) the adequacy and effectiveness of agency
information security policies and practices; and
(2) implementation of the requirements of this
subchapter.
(i) Assessment Technical Assistance.--The Comptroller General
may provide technical assistance to an Inspector General or the
head of an agency, as applicable, to assist the Inspector
General or head of an agency in carrying out the duties under
this section, including by testing information security
controls and procedures.
[(j) Guidance.--The Director, in consultation with the
Secretary, the Chief Information Officers Council established
under section 3603, the Council of the Inspectors General on
Integrity and Efficiency, and other interested parties as
appropriate, shall ensure the development of guidance for
evaluating the effectiveness of an information security program
and practices.]
(j) Guidance.--
(1) In general.--The Director, in consultation with
the Director of the Cybersecurity and Infrastructure
Security Agency, the Chief Information Officers
Council, the Council of the Inspectors General on
Integrity and Efficiency, and other interested parties
as appropriate, shall ensure the development of risk-
based guidance for evaluating the effectiveness of an
information security program and practices.
(2) Priorities.--The risk-based guidance developed
under paragraph (1) shall include--
(A) the identification of the most common
successful threat patterns;
(B) the identification of security controls
that address the threat patterns described in
subparagraph (A);
(C) any other security risks unique to
Federal systems; and
(D) any other element the Director determines
appropriate.
(k) Coordination.--The head of each agency shall coordinate
with the inspector general of the agency, as applicable, to
ensure consistent understanding of agency cybersecurity or
information security policies for the purpose of evaluations of
such policies conducted by the inspector general.
Sec. 3556. Federal information security incident center
(a) In General.--The Secretary shall ensure the operation of
a central Federal information security incident center within
the Cybersecurity and Infrastructure Security Agency to--
(1) provide timely technical assistance to operators
of agency information systems regarding security
incidents, including guidance on detecting and handling
information security incidents;
(2) compile and analyze information about incidents
that threaten information security;
(3) inform operators of agency information systems
about current and potential information security
threats, and vulnerabilities;
(4) provide, as appropriate, intelligence and other
information about cyber threats, vulnerabilities, and
incidents to agencies to assist in risk assessments
conducted under section [3554(b)] 3554(a)(1)(A); and
(5) consult with the National Institute of Standards
and Technology, agencies or offices operating or
exercising control of national security systems
(including the National Security Agency), and such
other agencies or offices in accordance with law and as
directed by the President regarding information
security incidents and related matters.
(b) National Security Systems.--Each agency operating or
exercising control of a national security system shall share
information about information security incidents, threats, and
vulnerabilities with the Federal information security incident
center to the extent consistent with standards and guidelines
for national security systems, issued in accordance with law
and as directed by the President.
* * * * * * *
Sec. 3559A. Federal penetration testing
(a) Guidance.--The Director, in consultation with the
Director of the Cybersecurity and Infrastructure Security
Agency, shall issue guidance to agencies that--
(1) requires agencies to perform penetration testing
on information systems, as appropriate, including on
high value assets;
(2) provides policies governing the development of--
(A) rules of engagement for using penetration
testing; and
(B) procedures to use the results of
penetration testing to improve the
cybersecurity and risk management of the
agency;
(3) ensures that operational support or a shared
service is available; and
(4) in no manner restricts the authority of the
Secretary of Homeland Security or the Director of the
Cybersecurity and Infrastructure Agency to conduct
threat hunting pursuant to section 3553, or penetration
testing under this chapter.
(b) Exception for National Security Systems.--The guidance
issued under subsection (a) shall not apply to national
security systems.
(c) Delegation of Authority for Certain Systems.--The
authorities of the Director described in subsection (a) shall
be delegated to--
(1) the Secretary of Defense in the case of a system
described in section 3553(e)(2); and
(2) the Director of National Intelligence in the case
of a system described in section 3553(e)(3).
Sec. 3559B. Federal vulnerability disclosure policies
(a) Purpose; Sense of Congress.--
(1) Purpose.--The purpose of Federal vulnerability
disclosure policies is to create a mechanism to enable
the public to inform agencies of vulnerabilities in
Federal information systems.
(2) Sense of congress.--It is the sense of Congress
that, in implementing the requirements of this section,
the Federal Government should take appropriate steps to
reduce real and perceived burdens in communications
between agencies and security researchers.
(b) Definitions.--In this section:
(1) Contractor.--The term ``contractor'' has the
meaning given the term in section 3591.
(2) Internet of things.--The term ``internet of
things'' has the meaning given the term in Special
Publication 800-213 of the National Institute of
Standards and Technology, entitled ``IoT Device
Cybersecurity Guidance for the Federal Government:
Establishing IoT Device Cybersecurity Requirements'',
or any successor document.
(3) Security vulnerability.--The term ``security
vulnerability'' has the meaning given the term in
section 102 of the Cybersecurity Information Sharing
Act of 2015 (6 U.S.C. 1501).
(4) Submitter.--The term ``submitter'' means an
individual that submits a vulnerability disclosure
report pursuant to the vulnerability disclosure process
of an agency.
(5) Vulnerability disclosure report.--The term
``vulnerability disclosure report'' means a disclosure
of a security vulnerability made to an agency by a
submitter.
(c) Guidance.--The Director shall issue guidance to agencies
that includes--
(1) use of the information system security
vulnerabilities disclosure process guidelines
established under section 4(a)(1) of the IoT
Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g-
3b(a)(1));
(2) direction to not recommend or pursue legal action
against a submitter or an individual that conducts a
security research activity that--
(A) represents a good faith effort to
identify and report security vulnerabilities in
information systems; or
(B) otherwise represents a good faith effort
to follow the vulnerability disclosure policy
of the agency developed under subsection
(f)(2);
(3) direction on sharing relevant information in a
consistent, automated, and machine-readable manner with
the Director of the Cybersecurity and Infrastructure
Security Agency;
(4) the minimum scope of agency systems required to
be covered by the vulnerability disclosure policy of an
agency required under subsection (f)(2), including
exemptions under subsection (g);
(5) requirements for providing information to the
submitter of a vulnerability disclosure report on the
resolution of the vulnerability disclosure report;
(6) a stipulation that the mere identification by a
submitter of a security vulnerability, without a
significant compromise of confidentiality, integrity,
or availability, does not constitute a major incident;
and
(7) the applicability of the guidance to internet of
things devices owned or controlled by an agency.
(d) Consultation.--In developing the guidance required under
subsection (c)(3), the Director shall consult with the Director
of the Cybersecurity and Infrastructure Security Agency.
(e) Responsibilities of CISA.--The Director of the
Cybersecurity and Infrastructure Security Agency shall--
(1) provide support to agencies with respect to the
implementation of the requirements of this section;
(2) develop tools, processes, and other mechanisms
determined appropriate to offer agencies capabilities
to implement the requirements of this section;
(3) upon a request by an agency, assist the agency in
the disclosure to vendors of newly identified security
vulnerabilities in vendor products and services; and
(4) as appropriate, implement the requirements of
this section, in accordance with the authority under
section 3553(b)(8), as a shared service available to
agencies.
(f) Responsibilities of Agencies.--
(1) Public information.--The head of each agency
shall make publicly available, with respect to each
internet domain under the control of the agency that is
not a national security system and to the extent
consistent with the security of information systems but
with the presumption of disclosure--
(A) an appropriate security contact; and
(B) the component of the agency that is
responsible for the internet accessible
services offered at the domain.
(2) Vulnerability disclosure policy.--The head of
each agency shall develop and make publicly available a
vulnerability disclosure policy for the agency, which
shall--
(A) describe--
(i) the scope of the systems of the
agency included in the vulnerability
disclosure policy, including for
internet of things devices owned or
controlled by the agency;
(ii) the type of information system
testing that is authorized by the
agency;
(iii) the type of information system
testing that is not authorized by the
agency;
(iv) the disclosure policy for a
contractor; and
(v) the disclosure policy of the
agency for sensitive information;
(B) with respect to a vulnerability
disclosure report to an agency, describe--
(i) how the submitter should submit
the vulnerability disclosure report;
and
(ii) if the report is not anonymous,
when the reporter should anticipate an
acknowledgment of receipt of the report
by the agency;
(C) include any other relevant information;
and
(D) be mature in scope and cover every
internet accessible information system used or
operated by that agency or on behalf of that
agency.
(3) Identified security vulnerabilities.--The head of
each agency shall--
(A) consider security vulnerabilities
reported in accordance with paragraph (2);
(B) commensurate with the risk posed by the
security vulnerability, address such security
vulnerability using the security vulnerability
management process of the agency; and
(C) in accordance with subsection (c)(5),
provide information to the submitter of a
vulnerability disclosure report.
(g) Exemptions.--
(1) In general.--The Director and the head of each
agency shall carry out this section in a manner
consistent with the protection of national security
information.
(2) Limitation.--The Director and the head of each
agency may not publish under subsection (f)(1) or
include in a vulnerability disclosure policy under
subsection (f)(2) host names, services, information
systems, or other information that the Director or the
head of an agency, in coordination with the Director
and other appropriate heads of agencies, determines
would--
(A) disrupt a law enforcement investigation;
(B) endanger national security or
intelligence activities; or
(C) impede national defense activities or
military operations.
(3) National security systems.--This section shall
not apply to national security systems.
(h) Delegation of Authority for Certain Systems.--The
authorities of the Director and the Director of the
Cybersecurity and Infrastructure Security Agency described in
this section shall be delegated--
(1) to the Secretary of Defense in the case of
systems described in section 3553(e)(2); and
(2) to the Director of National Intelligence in the
case of systems described in section 3553(e)(3).
(i) Revision of Federal Acquisition Regulation.--The Federal
Acquisition Regulation shall be revised as necessary to
implement the provisions under this section.
* * * * * * *
SUBCHAPTER IV--FEDERAL SYSTEM INCIDENT RESPONSE
Sec. 3591. Definitions
(a) In General.--Except as provided in subsection (b), the
definitions under sections 3502 and 3552 shall apply to this
subchapter.
(b) Additional Definitions.--As used in this subchapter:
(1) Appropriate reporting entities.--The term
``appropriate reporting entities'' means--
(A) the majority and minority leaders of the
Senate;
(B) the Speaker and minority leader of the
House of Representatives;
(C) the Committee on Homeland Security and
Governmental Affairs of the Senate;
(D) the Committee on Commerce, Science, and
Transportation of the Senate;
(E) the Committee on Oversight and
Accountability of the House of Representatives;
(F) the Committee on Homeland Security of the
House of Representatives;
(G) the Committee on Science, Space, and
Technology of the House of Representatives;
(H) the appropriate authorization and
appropriations committees of Congress;
(I) the Director;
(J) the Director of the Cybersecurity and
Infrastructure Security Agency;
(K) the National Cyber Director;
(L) the Comptroller General of the United
States; and
(M) the inspector general of any impacted
agency.
(2) Awardee.--The term ``awardee'', with respect to
an agency--
(A) means--
(i) the recipient of a grant from an
agency;
(ii) a party to a cooperative
agreement with an agency; and
(iii) a party to an other transaction
agreement with an agency; and
(B) includes a subawardee of an entity
described in subparagraph (A).
(3) Breach.--The term ``breach''--
(A) means the compromise, unauthorized
disclosure, unauthorized acquisition, or loss
of control of personally identifiable
information owned, maintained or otherwise
controlled by an agency, or any similar
occurrence; and
(B) includes any additional meaning given the
term in policies, principles, standards, or
guidelines issued by the Director.
(4) Contractor.--The term ``contractor'' means a
prime contractor of an agency or a subcontractor of a
prime contractor of an agency that creates, collects,
stores, processes, maintains, or transmits Federal
information on behalf of an agency.
(5) Federal information.--The term ``Federal
information'' means information created, collected,
processed, maintained, disseminated, disclosed, or
disposed of by or for the Federal Government in any
medium or form.
(6) Federal information system.--The term ``Federal
information system'' means an information system owned,
managed, or operated by an agency, or on behalf of an
agency by a contractor, an awardee, or another
organization.
(7) Intelligence community.--The term ``intelligence
community'' has the meaning given the term in section 3
of the National Security Act of 1947 (50 U.S.C. 3003).
(8) Nationwide consumer reporting agency.--The term
``nationwide consumer reporting agency'' means a
consumer reporting agency described in section 603(p)
of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)).
(9) Vulnerability disclosure.--The term
``vulnerability disclosure'' means a vulnerability
identified under section 3559B.
Sec. 3592. Notification of breach
(a) Definition.--In this section, the term ``covered breach''
means a breach--
(1) involving not less than 50,000 potentially
affected individuals; or
(2) the result of which the head of an agency
determines that notifying potentially affected
individuals is necessary pursuant to subsection (b)(1),
regardless of whether--
(A) the number of potentially affected
individuals is less than 50,000; or
(B) the notification is delayed under
subsection (d).
(b) Notification.--As expeditiously as practicable and
without unreasonable delay, and in any case not later than 45
days after an agency has a reasonable basis to conclude that a
breach has occurred, the head of the agency, in consultation
with the Chief Information Officer and Chief Privacy Officer of
the agency and, as appropriate, any non-Federal entity
supporting the remediation of the breach, shall--
(1) determine whether notice to any individual
potentially affected by the breach is appropriate,
including by conducting an assessment of the risk of
harm to the individual that considers--
(A) the nature and sensitivity of the
personally identifiable information affected by
the breach;
(B) the likelihood of access to and use of
the personally identifiable information
affected by the breach;
(C) the type of breach; and
(D) any other factors determined by the
Director; and
(2) if the head of the agency determines notification
is necessary pursuant to paragraph (1), provide written
notification in accordance with subsection (c) to each
individual potentially affected by the breach--
(A) to the last known mailing address of the
individual; or
(B) through an appropriate alternative method
of notification.
(c) Contents of Notification.--Each notification of a breach
provided to an individual under subsection (b)(2) shall
include, to the maximum extent practicable--
(1) a brief description of the breach;
(2) if possible, a description of the types of
personally identifiable information affected by the
breach;
(3) contact information of the agency that may be
used to ask questions of the agency, which--
(A) shall include an e-mail address or
another digital contact mechanism; and
(B) may include a telephone number, mailing
address, or a website;
(4) information on any remedy being offered by the
agency;
(5) any applicable educational materials relating to
what individuals can do in response to a breach that
potentially affects their personally identifiable
information, including relevant contact information for
the appropriate Federal law enforcement agencies and
each nationwide consumer reporting agency; and
(6) any other appropriate information, as determined
by the head of the agency or established in guidance by
the Director.
(d) Delay of Notification.--
(1) In general.--The head of an agency, in
coordination with the Director and the National Cyber
Director, and as appropriate, the Attorney General, the
Director of National Intelligence, or the Secretary of
Homeland Security, may delay a notification required
under subsection (b) or (e) if the notification would--
(A) impede a criminal investigation or a
national security activity;
(B) cause an adverse result (as described in
section 2705(a)(2) of title 18);
(C) reveal sensitive sources and methods;
(D) cause damage to national security; or
(E) hamper security remediation actions.
(2) Renewal.--A delay under paragraph (1) shall be
for a period of 60 days and may be renewed.
(3) National security systems.--The head of an agency
delaying notification under this subsection with
respect to a breach exclusively of a national security
system shall coordinate such delay with the Secretary
of Defense.
(e) Update Notification.--If an agency determines there is a
significant change in the reasonable basis to conclude that a
breach occurred, a significant change to the determination made
under subsection (b)(1), or that it is necessary to update the
details of the information provided to potentially affected
individuals as described in subsection (c), the agency shall as
expeditiously as practicable and without unreasonable delay,
and in any case not later than 30 days after such a
determination, notify each individual who received a
notification pursuant to subsection (b) of those changes.
(f) Delay of Notification Report.--
(1) In general.--Not later than 1 year after the date
of enactment of the Federal Information Security
Modernization Act of 2024, and annually thereafter, the
head of an agency, in coordination with any official
who delays a notification under subsection (d), shall
submit to the appropriate reporting entities a report
on each delay that occurred during the previous 2
years.
(2) Component of other report.--The head of an agency
may submit the report required under paragraph (1) as a
component of the report submitted under section
3554(c).
(g) Congressional Reporting Requirements.--
(1) Review and update.--On a periodic basis, the
Director of the Office of Management and Budget shall
review, and update as appropriate, breach notification
policies and guidelines for agencies.
(2) Required notice from agencies.--Subject to
paragraph (4), the Director of the Office of Management
and Budget shall require the head of an agency affected
by a covered breach to expeditiously and not later than
30 days after the date on which the agency discovers
the covered breach give notice of the breach, which may
be provided electronically, to--
(A) each congressional committee described in
section 3554(c)(1); and
(B) the Committee on the Judiciary of the
Senate and the Committee on the Judiciary of
the House of Representatives.
(3) Contents of notice.--Notice of a covered breach
provided by the head of an agency pursuant to paragraph
(2) shall include, to the extent practicable--
(A) information about the covered breach,
including a summary of any information about
how the covered breach occurred known by the
agency as of the date of the notice;
(B) an estimate of the number of individuals
affected by the covered breach based on
information known by the agency as of the date
of the notice, including an assessment of the
risk of harm to affected individuals;
(C) a description of any circumstances
necessitating a delay in providing notice to
individuals affected by the covered breach in
accordance with subsection (d); and
(D) an estimate of when the agency will
provide notice to individuals affected by the
covered breach, if applicable.
(4) Exception.--Any agency that is required to
provide notice to Congress pursuant to paragraph (2)
due to a covered breach exclusively on a national
security system shall only provide such notice to--
(A) the majority and minority leaders of the
Senate;
(B) the Speaker and minority leader of the
House of Representatives;
(C) the appropriations committees of
Congress;
(D) the Committee on Homeland Security and
Governmental Affairs of the Senate;
(E) the Select Committee on Intelligence of
the Senate;
(F) the Committee on Oversight and
Accountability of the House of Representatives;
and
(G) the Permanent Select Committee on
Intelligence of the House of Representatives.
(5) Rule of construction.--Nothing in paragraphs (1)
through (3) shall be construed to alter any authority
of an agency.
(h) Rule of Construction.--Nothing in this section shall be
construed to--
(1) limit--
(A) the authority of the Director to issue
guidance relating to notifications of, or the
head of an agency to notify individuals
potentially affected by, breaches that are not
determined to be covered breaches or major
incidents;
(B) the authority of the Director to issue
guidance relating to notifications and
reporting of breaches, covered breaches, or
major incidents;
(C) the authority of the head of an agency to
provide more information than required under
subsection (b) when notifying individuals
potentially affected by a breach;
(D) the timing of incident reporting or the
types of information included in incident
reports provided, pursuant to this subchapter,
to--
(i) the Director;
(ii) the National Cyber Director;
(iii) the Director of the
Cybersecurity and Infrastructure
Security Agency; or
(iv) any other agency;
(E) the authority of the head of an agency to
provide information to Congress about agency
breaches, including--
(i) breaches that are not covered
breaches; and
(ii) additional information beyond
the information described in subsection
(g)(3); or
(F) any congressional reporting requirements
of agencies under any other law; or
(2) limit or supersede any existing privacy
protections in existing law.
Sec. 3593. Congressional and executive branch reports on major
incidents
(a) Appropriate Congressional Entities.--In this section, the
term ``appropriate congressional entities'' means--
(1) the majority and minority leaders of the Senate;
(2) the Speaker and minority leader of the House of
Representatives;
(3) the Committee on Homeland Security and
Governmental Affairs of the Senate;
(4) the Committee on Commerce, Science, and
Transportation of the Senate;
(5) the Committee on Oversight and Accountability of
the House of Representatives;
(6) the Committee on Homeland Security of the House
of Representatives;
(7) the Committee on Science, Space, and Technology
of the House of Representatives; and
(8) the appropriate authorization and appropriations
committees of Congress.
(b) Initial Notification.--
(1) In general.--Not later than 72 hours after an
agency has a reasonable basis to conclude that a major
incident occurred, the head of the agency impacted by
the major incident shall submit to the appropriate
reporting entities a written notification, which may be
submitted electronically and include 1 or more annexes
that contain classified or other sensitive information,
as appropriate.
(2) Contents.--A notification required under
paragraph (1) with respect to a major incident shall
include the following, based on information available
to agency officials as of the date on which the agency
submits the notification:
(A) A summary of the information available
about the major incident, including how the
major incident occurred and the threat causing
the major incident.
(B) If applicable, information relating to
any breach associated with the major incident,
regardless of whether--
(i) the breach was the reason the
incident was determined to be a major
incident; and
(ii) the head of the agency determined it
was appropriate to provide notification
to potentially impacted individuals
pursuant to section 3592(b)(1).
(C) A preliminary assessment of the impacts
to--
(i) the agency;
(ii) the Federal Government;
(iii) the national security, foreign
relations, homeland security, and
economic security of the United States;
and
(iv) the civil liberties, public
confidence, privacy, and public health
and safety of the people of the United
States.
(D) If applicable, whether any ransom has
been demanded or paid, or is expected to be
paid, by any entity operating a Federal
information system or with access to Federal
information or a Federal information system,
including, as available, the name of the entity
demanding ransom, the date of the demand, and
the amount and type of currency demanded,
unless disclosure of such information will
disrupt an active Federal law enforcement or
national security operation.
(c) Supplemental Update.--Within a reasonable amount of time,
but not later than 30 days after the date on which the head of
an agency submits a written notification under subsection (b),
the head of the agency shall provide to the appropriate
congressional entities an unclassified and written update,
which may include 1 or more annexes that contain classified or
other sensitive information, as appropriate, on the major
incident, based on information available to agency officials as
of the date on which the agency provides the update, on--
(1) system vulnerabilities relating to the major
incident, where applicable, means by which the major
incident occurred, the threat causing the major
incident, where applicable, and impacts of the major
incident to--
(A) the agency;
(B) other Federal agencies, Congress, or the
judicial branch;
(C) the national security, foreign relations,
homeland security, or economic security of the
United States; or
(D) the civil liberties, public confidence,
privacy, or public health and safety of the
people of the United States;
(2) the status of compliance of the affected Federal
information system with applicable security
requirements at the time of the major incident;
(3) if the major incident involved a breach, a
description of the affected information, an estimate of
the number of individuals potentially impacted, and any
assessment of the risk of harm to such individuals;
(4) an update to the assessment of the risk to agency
operations, or to impacts on other agency or non-
Federal entity operations, affected by the major
incident;
(5) the detection, response, and remediation actions
of the agency, including any support provided by the
Cybersecurity and Infrastructure Security Agency under
section 3594(d), if applicable;
(6) as appropriate and available, actions undertaken
by any non-Federal entities impacted by or supporting
remediation of the major incident; and
(7) as appropriate and available, recommendations for
mitigating future similar incidents, including
recommendations from any non-Federal entity impacted by
or supporting the remediation of the major incident.
(d) Additional Update.--If the head of an agency, the
Director, or the National Cyber Director determines that there
is any significant change in the understanding of the scope,
scale, or consequence of a major incident for which the head of
the agency submitted a written notification and update under
subsections (b) and (c), the head of the agency shall submit to
the appropriate congressional entities a written update that
includes information relating to the change in understanding.
(e) Biennial Report.--Each agency shall submit as part of the
biennial report required under section 3554(c)(1) a description
of each major incident that occurred during the 2-year period
preceding the date on which the biennial report is submitted.
(f) Report Delivery.--
(1) In general.--Any written notification or update
required to be submitted under this section--
(A) shall be submitted in an electronic
format; and
(B) may be submitted in a paper format.
(2) Classification status.--Any written notification
or update required to be submitted under this section--
(A) shall be--
(i) unclassified; and
(ii) submitted through unclassified
electronic means pursuant to paragraph
(1)(A); and
(B) may include classified annexes, as
appropriate.
(g) Report Consistency.--To achieve consistent and coherent
agency reporting to Congress, the National Cyber Director, in
coordination with the Director, shall--
(1) provide recommendations to agencies on formatting
and the contents of information to be included in the
reports required under this section, including
recommendations for consistent formats for presenting
any associated metrics; and
(2) maintain a comprehensive record of each major
incident notification, update, and briefing provided
under this section, which shall--
(A) include, at a minimum--
(i) the full contents of the written
notification or update;
(ii) the identity of the reporting
agency; and
(iii) the date of submission;
(iv) a list of the recipient
congressional entities; and
(B) be made available upon request to the
majority and minority leaders of the Senate,
the Speaker and minority leader of the House of
Representatives, the Committee on Homeland
Security and Governmental Affairs of the
Senate, and the Committee on Oversight and
Accountability of the House of Representatives.
(h) National Security Systems Congressional Reporting
Exemption.--With respect to a major incident that occurs
exclusively on a national security system, the head of the
affected agency shall submit the notifications and reports
required to be submitted to Congress under this section only
to--
(1) the majority and minority leaders of the Senate;
(2) the Speaker and minority leader of the House of
Representatives;
(3) the appropriations committees of Congress;
(4) the appropriate authorization committees of
Congress;
(5) the Committee on Homeland Security and
Governmental Affairs of the Senate;
(6) the Select Committee on Intelligence of the
Senate;
(7) the Committee on Oversight and Accountability of
the House of Representatives; and
(8) the Permanent Select Committee on Intelligence of
the House of Representatives.
(i) Major Incidents Including Breaches.--If a major incident
constitutes a covered breach, as defined in section 3592(a),
information on the covered breach required to be submitted to
Congress pursuant to section 3592(g) may--
(1) be included in the notifications required under
subsection (b) or (c); or
(2) be reported to Congress under the process
established under section 3592(g).
(j) Rule of Construction.--Nothing in this section shall be
construed to--
(1) limit--
(A) the ability of an agency to provide
additional reports or briefings to Congress;
(B) Congress from requesting additional
information from agencies through reports,
briefings, or other means; and
(C) any congressional reporting requirements
of agencies under any other law; or
(2) limit or supersede any privacy protections under
any other law.
Sec. 3594. Government information sharing and incident response
(a) In General.--
(1) Incident sharing.--Subject to paragraph (4) and
subsection (b), and in accordance with the applicable
requirements pursuant to section 3553(b)(2)(A) for
reporting to the Federal information security incident
center established under section 3556, the head of each
agency shall provide to the Cybersecurity and
Infrastructure Security Agency information relating to
any incident affecting the agency, whether the
information is obtained by the Federal Government
directly or indirectly.
(2) Contents.--A provision of information relating to
an incident made by the head of an agency under
paragraph (1) shall include, at a minimum--
(A) a full description of the incident,
including--
(i) all indicators of compromise and
tactics, techniques, and procedures;
(ii) an indicator of how the intruder
gained initial access, accessed agency
data or systems, and undertook
additional actions on the network of
the agency;
(iii) information that would support
enabling defensive measures; and
(iv) other information that may
assist in identifying other victims;
(B) information to help prevent similar
incidents, such as information about relevant
safeguards in place when the incident occurred
and the effectiveness of those safeguards; and
(C) information to aid in incident response,
such as--
(i) a description of the affected
systems or networks;
(ii) the estimated dates of when the
incident occurred; and
(iii) information that could
reasonably help identify any malicious
actor that may have conducted or caused
the incident, subject to appropriate
privacy protections.
(3) Information sharing.--The Director of the
Cybersecurity and Infrastructure Security Agency
shall--
(A) make incident information provided under
paragraph (1) available to the Director and the
National Cyber Director;
(B) to the greatest extent practicable, share
information relating to an incident with--
(i) the head of any agency that may
be--
(I) impacted by the incident;
(II) particularly susceptible
to the incident; or
(III) similarly targeted by
the incident; and
(ii) appropriate Federal law
enforcement agencies to facilitate any
necessary threat response activities,
as requested;
(C) coordinate any necessary information
sharing efforts relating to a major incident
with the private sector; and
(D) notify the National Cyber Director of any
efforts described in subparagraph (C).
(4) National security systems exemption.--
(A) In general.--Notwithstanding paragraphs
(1) and (3), each agency operating or
exercising control of a national security
system shall share information about an
incident that occurs exclusively on a national
security system with the Secretary of Defense,
the Director, the National Cyber Director, and
the Director of the Cybersecurity and
Infrastructure Security Agency to the extent
consistent with standards and guidelines for
national security systems issued in accordance
with law and as directed by the President.
(B) Protections.--Any information sharing and
handling of information under this paragraph
shall be appropriately protected consistent
with procedures authorized for the protection
of sensitive sources and methods or by
procedures established for information that
has been specifically authorized under
criteria established by an Executive order or
an Act of Congress to be kept classified in the
interest of national defense or foreign policy.
(b) Automation.--In providing information and selecting a
method to provide information under subsection (a), the head of
each agency shall implement subsection (a)(1) in a manner that
provides such information to the Cybersecurity and
Infrastructure Security Agency in an automated and machine-
readable format, to the greatest extent practicable.
(c) Incident Response.--Each agency that has a reasonable
basis to suspect or conclude that a major incident occurred
involving Federal information in electronic medium or form that
does not exclusively involve a national security system shall
coordinate with--
(1) the Cybersecurity and Infrastructure Security
Agency to facilitate asset response activities and
provide recommendations for mitigating future
incidents; and
(2) consistent with relevant policies, appropriate
Federal law enforcement agencies to facilitate threat
response activities.
Sec. 3595. Responsibilities of contractors and awardees
(a) Notification.--
(1) In general.--Any contractor or awardee of an
agency shall provide written notification to the agency
if the contractor or awardee has a reasonable basis to
conclude that--
(A) an incident or breach has occurred with
respect to Federal information the contractor
or awardee collected, used, or maintained on
behalf of an agency;
(B) an incident or breach has occurred with
respect to a Federal information system used,
operated, managed, or maintained on behalf of
an agency by the contractor or awardee;
(C) a component of any Federal information
system operated, managed, or maintained by a
contractor or awardee contains a security
vulnerability, including a supply chain
compromise or an identified software or
hardware vulnerability, for which there is
reliable evidence of a successful exploitation
of the vulnerability by an actor without
authorization of the Federal information system
owner; or
(D) the contractor or awardee has received
from the agency personally identifiable
information or personal health information that
is beyond the scope of the contract or
agreement with the agency that the contractor
or awardee is not authorized to receive.
(2) Third-party notification of vulnerabilities.--
Subject to the guidance issued by the Director pursuant
to paragraph (4), any contractor or awardee of an
agency shall provide written notification to the agency
and the Cybersecurity and Infrastructure Security
Agency if the contractor or awardee has a reasonable
basis to conclude that a component of any Federal
information system operated, managed, or maintained on
behalf of an agency by the contractor or awardee
contains a security vulnerability,
including a supply chain compromise or an identified
software or hardware vulnerability, that has been
reported to the contractor or awardee by a third party,
including through a vulnerability disclosure program.
(3) Procedures.--
(A) Sharing with cisa.--As soon as
practicable following a notification of an
incident or vulnerability to an agency by a
contractor or awardee under paragraph (1), the
head of the agency shall provide, pursuant to
section 3594, information about the incident or
vulnerability to the Director of the
Cybersecurity and Infrastructure Security
Agency.
(B) Timing of notifications.--Unless a
different time for notification is specified in
a contract, grant, cooperative agreement, or
other transaction agreement, a contractor or
awardee shall--
(i) make a notification required
under paragraph (1) not later than 1
day after the date on which the
contractor or awardee has reasonable
basis to suspect or conclude that the
criteria under paragraph (1) have been
met; and
(ii) make a notification required
under paragraph (2) within a reasonable
time, but not later than 90 days after
the date on which the contractor or
awardee has reasonable basis to suspect
or conclude that the criteria under
paragraph (2) have been met.
(C) Procedures.--Following a notification of
a breach or incident to an agency by a
contractor or awardee under paragraph (1), the
head of the agency, in consultation with the
contractor or awardee, shall carry out the
applicable requirements under sections 3592,
3593, and 3594 with respect to the breach or
incident.
(D) Rule of construction.--Nothing in
subparagraph (B) shall be construed to allow
the negation of the requirements to notify
vulnerabilities under paragraph (1) or (2)
through a contract, grant, cooperative
agreement, or other transaction agreement.
(4) Guidance.--The Director shall issue guidance as
soon as practicable to agencies relating to the scope
of vulnerabilities to be included in required
notifications under paragraph (2), such as the minimum
severity or minimum risk level of a vulnerability
included in required notifications, whether
vulnerabilities that are already publicly disclosed
must be reported, or likely cybersecurity impact to
Federal information systems.
(b) Regulations; Modifications.--
(1) In general.--Not later than 2 years after the
date of enactment of the Federal Information Security
Modernization Act of 2024--
(A) the Federal Acquisition Regulatory
Council shall promulgate regulations, as
appropriate, relating to the responsibilities
of contractors and recipients of other
transaction agreements and cooperative
agreements to comply with this section; and
(B) the Office of Federal Financial
Management shall promulgate regulations under
title 2, Code of Federal Regulations, as
appropriate, relating to the responsibilities
of grantees to comply with this section.
(2) Implementation.--Not later than 1 year after the
date on which the Federal Acquisition Regulatory
Council and the Office of Federal Financial Management
promulgates regulations under paragraph (1), the head
of each agency shall implement policies and procedures,
as appropriate, necessary to implement those
regulations.
(3) Congressional notification.--
(A) In general.--The head of each agency
shall notify the Director upon implementation
of policies and procedures necessary to
implement the regulations promulgated under
paragraph (1).
(B) OMB notification.--Not later than 30
days after the date described in paragraph (2),
the Director shall notify the Committee on
Homeland Security and Governmental Affairs of
the Senate and the Committees on Oversight and
Accountability and Homeland Security of the
House of Representatives on the status of the
implementation by each agency of the
regulations promulgated under paragraph (1).
(c) Allowable Use.--Information provided to an agency
pursuant to this section may be disclosed to, retained by, and
used by any agency, component, officer, employee, or agent of
the Federal Government solely for any of the following:
(1) A cybersecurity purpose (as defined in section
2200 of the Homeland Security Act of 2002 (6 U.S.C.
650)).
(2) Identifying--
(A) a cyber threat (as defined in such
section 2200), including the source of the
cyber threat; or
(B) a security vulnerability (as defined in
such section 2200).
(3) Preventing, investigating, disrupting, or
prosecuting an offense arising out of an incident
notified to an agency pursuant to this section or any
of the offenses listed in section 105(d)(5)(A)(v) of
the Cybersecurity Information Sharing Act of 2015 (6
U.S.C. 1504(d)(5)(A)(v)).
(d) Harmonization of Other Private-sector Cybersecurity
Reporting Obligations.--Any non-Federal entity required to
report an incident under section 2242 of the Homeland Security
Act of 2002 (6 U.S.C. 681b) may submit as part of the written
notification requirements in this section all information
required by such section 2242 to the agency of which the entity
is a contractor or recipient of Federal financial assistance,
or with which the entity holds an other transaction agreement
or cooperative agreement, within the deadline specified in
subsection (a)(3)(B)(1). If such submission is completed, the
non-Federal entity shall not be required to subsequently report
the same incident under the requirements of such section 2242.
Any incident information shared under this subsection shall be
shared with the Director of the Cybersecurity and
Infrastructure Security Agency pursuant to subsection
(a)(3)(A).
(e) National Security Systems Exemption.--Notwithstanding any
other provision of this section, a contractor or awardee of an
agency that would be required to report an incident or
vulnerability pursuant to this section that occurs exclusively
on a national security system shall--
(1) report the incident or vulnerability to the head
of the agency and the Secretary of Defense; and
(2) comply with applicable laws and policies relating
to national security systems.
Sec. 3596. Training
(a) Covered Individual Defined.--In this section, the term
``covered individual'' means an individual who obtains access
to a Federal information system because of the status of the
individual as--
(1) an employee, contractor, awardee, volunteer, or
intern of an agency; or
(2) an employee of a contractor or awardee of an
agency.
(b) Best Practices and Consistency.--The Director of the
Cybersecurity and Infrastructure Security Agency, in
consultation with the Director, the National Cyber Director,
and the Director of the National Institute of Standards and
Technology, shall consolidate best practices to support
consistency across agencies in cybersecurity incident response
training, including--
(1) information to be collected and shared with the
Cybersecurity and Infrastructure Security Agency
pursuant to section 3594(a) and processes for sharing
such information; and
(2) appropriate training and qualifications for cyber
incident responders.
(c) Agency Training.--The head of each agency shall develop
training for covered individuals on how to identify and respond
to an incident, including--
(1) the internal process of the agency for reporting
an incident; and
(2) the obligation of a covered individual to report
to the agency any suspected or confirmed incident
involving Federal information in any medium or form,
including paper, oral, and electronic.
(d) Inclusion in Annual Training.--The training developed
under subsection (c) may be included as part of an annual
privacy, security awareness, or other appropriate training of
an agency.
Sec. 3597. Analysis and report on Federal incidents
(a) Analysis of Federal Incidents.--
(1) Quantitative and qualitative analyses.--The
Director of the Cybersecurity and Infrastructure
Security Agency shall perform and, in coordination with
the Director and the National Cyber Director, develop,
continuous monitoring and quantitative and qualitative
analyses of incidents at agencies, including major
incidents, including--
(A) the causes of incidents, including--
(i) attacker tactics, techniques, and
procedures; and
(ii) system vulnerabilities,
including zero days, unpatched systems,
and information system
misconfigurations;
(B) the scope and scale of incidents at
agencies;
(C) common root causes of incidents across
multiple agencies;
(D) agency incident response, recovery, and
remediation actions and the effectiveness of
those actions, as applicable;
(E) lessons learned and recommendations in
responding to, recovering from, remediating,
and mitigating future incidents; and
(F) trends across multiple agencies to
address intrusion detection and incident
response capabilities using the metrics
established under section 224(c) of the
Cybersecurity Act of 2015 (6 U.S.C. 1522(c)).
(2) Automated analysis.--The analyses developed under
paragraph (1) shall, to the greatest extent
practicable, use machine-readable data, automation, and
machine learning processes.
(3) Sharing of data and analysis.--
(A) In general.--The Director of the
Cybersecurity and Infrastructure Security
Agency shall share on an ongoing basis the
analyses and underlying data required under
this subsection with agencies, the Director,
and the National Cyber Director to--
(i) improve the understanding of
cybersecurity risk of agencies; and
(ii) support the cybersecurity
improvement efforts of agencies.
(B) Format.--In carrying out subparagraph
(A), the Director of the Cybersecurity and
Infrastructure Security Agency shall share the
analyses--
(i) in human-readable written
products; and
(ii) to the greatest extent
practicable, in machine-readable
formats in order to enable automated
intake and use by agencies.
(C) Exemption.--This subsection shall not
apply to incidents that occur exclusively on
national security systems.
(b) Annual Report on Federal Incidents.--Not later than 2
years after the date of enactment of this section, and not less
frequently than annually thereafter, the Director of the
Cybersecurity and Infrastructure Security Agency, in
consultation with the Director, the National Cyber Director and
the heads of other agencies, as appropriate, shall submit to
the appropriate reporting entities a report that includes--
(1) a summary of causes of incidents from across the
Federal Government that categorizes those incidents as
incidents or major incidents;
(2) the quantitative and qualitative analyses of
incidents developed under subsection (a)(1) on an
agency-by-agency basis and comprehensively across the
Federal Government, including--
(A) a specific analysis of breaches; and
(B) an analysis of the Federal Government's
performance against the metrics established
under section 224(c) of the Cybersecurity Act
of 2015 (6 U.S.C. 1522(c)); and
(3) an annex for each agency that includes--
(A) a description of each major incident;
(B) the total number of incidents of the
agency; and
(C) an analysis of the agency's performance
against the metrics established under section
224(c) of the Cybersecurity Act of 2015 (6
U.S.C. 1522(c)).
(c) Publication.--
(1) In general.--The Director of the Cybersecurity
and Infrastructure Security Agency shall make a version
of each report submitted under subsection (b) publicly
available on the website of the Cybersecurity and
Infrastructure Security Agency during the year during
which the report is submitted.
(2) Exemption.--The publication requirement under
paragraph (1) shall not apply to a portion of a report
that contains content that should be protected in the
interest of national security, as determined by the
Director, the Director of the Cybersecurity and
Infrastructure Security Agency, or the National Cyber
Director.
(3) Limitation on exemption.--The exemption under
paragraph (2) shall not apply to any version of a
report submitted to the appropriate reporting entities
under subsection (b).
(4) Requirement for compiling information.--
(A) Compilation.--Subject to subparagraph
(B), in making a report publicly available
under paragraph (1), the Director of the
Cybersecurity and Infrastructure Security
Agency shall sufficiently compile information
so that no specific incident of an agency can
be identified.
(B) Exception.--The Director of the
Cybersecurity and Infrastructure Security
Agency may include information that enables a
specific incident of an agency to be identified
in a publicly available report--
(i) with the concurrence of the
Director and the National Cyber
Director;
(ii) in consultation with the
impacted agency, which may, as
appropriate, consult with any non-
Federal entity impacted by or
supporting the remediation of such
incident; and
(iii) in consultation with the
inspector general of the impacted
agency.
(d) Information Provided by Agencies.--
(1) In general.--The analysis required under
subsection (a) and each report submitted under
subsection (b) shall use information provided by
agencies under section 3594(a).
(2) Noncompliance reports.--During any year during
which the head of an agency does not provide data for
an incident to the Cybersecurity and Infrastructure
Security Agency in accordance with section 3594(a), the
head of the agency, in coordination with the Director
of the Cybersecurity and Infrastructure Security Agency
and the Director, shall submit to the appropriate
reporting entities a report that includes the
information described in subsection (b) with respect to
the agency.
(e) National Security System Reports.--
(1) In general.--Notwithstanding any other provision
of this section, the Secretary of Defense, in
consultation with the Director, the National Cyber
Director, the Director of National Intelligence, and
the Director of the Cybersecurity and Infrastructure
Security Agency shall annually submit a report that
includes the information described in subsection (b)
with respect to national security systems, to the
extent that the submission is consistent with standards
and guidelines for national security systems issued in
accordance with law and as directed by the President,
to--
(A) the majority and minority leaders of the
Senate;
(B) the Speaker and minority leader of the
House of Representatives;
(C) the Committee on Homeland Security and
Governmental Affairs of the Senate;
(D) the Select Committee on Intelligence of
the Senate;
(E) the Committee on Armed Services of the
Senate;
(F) the Committee on Appropriations of the
Senate;
(G) the Committee on Oversight and
Accountability of the House of Representatives;
(H) the Committee on Homeland Security of the
House of Representatives;
(I) the Permanent Select Committee on
Intelligence of the House of Representatives;
(J) the Committee on Armed Services of the
House of Representatives; and
(K) the Committee on Appropriations of the
House of Representatives.
(2) Classified form.--A report required under
paragraph (1) may be submitted in a classified form.
Sec. 3598. Major incident definition
(a) In General.--Not later than 1 year after the later of the
date of enactment of the Federal Information Security
Modernization Act of 2024 and the most recent publication by
the Director of guidance to agencies regarding major incidents
as of the date of enactment of the Federal Information Security
Modernization Act of 2024, the Director shall develop, in
coordination with the National Cyber Director, and promulgate
guidance on the definition of the term ``major incident'' for
the purposes of subchapter II and this subchapter.
(b) Requirements.--With respect to the guidance issued under
subsection (a), the definition of the term ``major incident''
shall--
(1) include, with respect to any information
collected or maintained by or on behalf of an agency or
a Federal information system--
(A) any incident the head of the agency
determines is likely to result in demonstrable
harm to--
(i) the national security interests,
foreign relations, homeland security,
or economic security of the United
States; or
(ii) the civil liberties, public
confidence, privacy, or public health
and safety of the people of the United
States;
(B) any incident the head of the agency
determines likely to result in an inability or
substantial disruption for the agency, a
component of the agency, or the Federal
Government, to provide 1 or more critical
services;
(C) any incident the head of the agency
determines substantially disrupts or
substantially degrades the operations of a high
value asset owned or operated by the agency;
(D) any incident involving the exposure to a
foreign entity of sensitive agency information,
such as the communications of the head of the
agency, the head of a component of the agency,
or the direct reports of the head of the agency
or the head of a component of the agency; and
(E) any other type of incident determined
appropriate by the Director;
(2) stipulate that the National Cyber Director, in
consultation with the Director and the Director of the
Cybersecurity and Infrastructure Security Agency, may
declare a major incident at any agency, and such a
declaration shall be considered if it is determined
that an incident--
(A) occurs at not less than 2 agencies; and
(B) is enabled by--
(i) a common technical root cause,
such as a supply chain compromise, or a
common software or hardware
vulnerability; or
(ii) the related activities of a
common threat actor;
(3) stipulate that, in determining whether an
incident constitutes a major incident under the
standards described in paragraph (1), the head of the
agency shall consult with the National Cyber Director;
and
(4) stipulate that the mere report of a vulnerability
discovered or disclosed without a loss of
confidentiality, integrity, or availability shall not
on its own constitute a major incident.
(c) Evaluation and Updates.--Not later than 60 days after the
date on which the Director first promulgates the guidance
required under subsection (a), and not less frequently than
once during the first 90 days of each evenly numbered Congress
thereafter, the Director shall provide to the Committee on
Homeland Security and Governmental Affairs of the Senate and
the Committees on Oversight and Accountability and Homeland
Security of the House of Representatives a briefing that
includes--
(1) an evaluation of any necessary updates to the
guidance;
(2) an evaluation of any necessary updates to the
definition of the term ``major incident'' included in
the guidance; and
(3) an explanation of, and the analysis that led to,
the definition described in paragraph (2).
* * * * * * *
CHAPTER 36--MANAGEMENT AND PROMOTION OF
ELECTRONIC GOVERNMENT SERVICES
Sec.
3601. Definitions.
[3602. Office of Electronic Government.]
3602. Office of the Federal Chief Information Officer.
* * * * * * *
3606. [E-Government] Annual report.
* * * * * * *
3617. Federal Chief Information Security Officer.
Sec. 3601. Definitions
In this chapter, the definitions under section 3502 shall
apply, and the term--
[(1) ``Administrator'' means the Administrator of the
Office of Electronic Government established under
section 3602;]
[(2)] (1) ``Council'' means the Chief Information
Officers Council established under section 3603;
[(3)] (2) ``electronic Government'' means the use by
the Government of web-based Internet applications and
other information technologies, combined with processes
that implement these technologies, to--
(A) enhance the access to and delivery of
Government information and services to the
public, other agencies, and other Government
entities; or
(B) bring about improvements in Government
operations that may include effectiveness,
efficiency, service quality, or transformation;
[(4)] (3) ``enterprise architecture''--
(A) means--
(i) a strategic information asset
base, which defines the mission;
(ii) the information necessary to
perform the mission;
(iii) the technologies necessary to
perform the mission; and
(iv) the transitional processes for
implementing new technologies in
response to changing mission needs; and
(B) includes--
(i) a baseline architecture;
(ii) a target architecture; and
(iii) a sequencing plan;
[(5)] (4) ``Fund'' means the E-Government Fund
established under section 3604;
[(6)] (5) ``interoperability'' means the ability of
different operating and software systems, applications,
and services to communicate and exchange data in an
accurate, effective, and consistent manner;
[(7)] (6) ``integrated service delivery'' means the
provision of Internet-based Federal Government
information or services integrated according to
function or topic rather than separated according to
the boundaries of agency jurisdiction; and
[(8)] (7) ``tribal government'' means--
(A) the governing body of any Indian tribe,
band, nation, or other organized group or
community located in the continental United
States (excluding the State of Alaska) that is
recognized as eligible for the special programs
and services provided by the United States to
Indians because of their status as Indians, and
(B) any Alaska Native regional or village
corporation established pursuant to the Alaska
Native Claims Settlement Act (43 U.S.C. 1601 et
seq.).
Sec. 3602. [Office of Electronic Government] Office of the Federal
Chief Information Officer
(a) There is established in the Office of Management and
Budget an [Office of Electronic Government] Office of the
Federal Chief Information Officer.
(b) There shall be at the head of the Office [an
Administrator] a Federal Chief Information Officer who shall be
appointed by the President.
(c) [The Administrator] The Federal Chief Information Officer
shall assist the Director in carrying out--
(1) all functions under this chapter;
(2) all of the functions assigned to the Director
under title II of the E-Government Act of 2002; and
(3) other electronic government initiatives,
consistent with other statutes.
(d) [The Administrator] The Federal Chief Information Officer
shall assist the Director and the Deputy Director for
Management and work with the Administrator of the Office of
Information and Regulatory Affairs in setting strategic
direction for implementing electronic Government, under
relevant statutes, including--
(1) chapter 35;
(2) subtitle III of title 40, United States Code;
(3) section 552a of title 5 (commonly referred to as
the ``Privacy Act'');
(4) the Government Paperwork Elimination Act (44
U.S.C. 3504 note); and
(5) the Federal Information Security Management Act
of 2002.
(e) [The Administrator] The Federal Chief Information Officer
shall work with the Administrator of the Office of Information
and Regulatory Affairs and with other offices within the Office
of Management and Budget to oversee implementation of
electronic Government under this chapter, chapter 35, the E-
Government Act of 2002, and other relevant statutes, in a
manner consistent with law, relating to--
(1) capital planning and investment control for
information technology;
(2) the development of enterprise architectures;
(3) information security;
(4) privacy;
(5) access to, dissemination of, and preservation of
Government information;
(6) accessibility of information technology for
persons with disabilities; and
(7) other areas of electronic Government.
(f) Subject to requirements of this chapter, [the
Administrator] the Federal Chief Information Officer shall
assist the Director by performing electronic Government
functions as follows:
(1) Advise the Director on the resources required to
develop and effectively administer electronic
Government initiatives.
(2) Recommend to the Director changes relating to
Governmentwide strategies and priorities for electronic
Government.
(3) Provide overall leadership and direction to the
executive branch on electronic Government.
(4) Promote innovative uses of information technology
by agencies, particularly initiatives involving
multiagency collaboration, through support of pilot
projects, research, experimentation, and the use of
innovative technologies.
(5) Oversee the distribution of funds from, and
ensure appropriate administration and coordination of,
the E-Government Fund established under section 3604.
(6) Coordinate with the Administrator of General
Services regarding programs undertaken by the General
Services Administration to promote electronic
government and the efficient use of information
technologies by agencies.
(7) Lead the activities of the Chief Information
Officers Council established under section 3603 on
behalf of the Deputy Director for Management, who shall
chair the council.
(8) Assist the Director in establishing policies
which shall set the framework for information
technology standards for the Federal Government
developed by the National Institute of Standards and
Technology and promulgated by the Secretary of Commerce
under section 11331 of title 40, taking into account,
if appropriate, recommendations of the Chief
Information Officers Council, experts, and interested
parties from the private and nonprofit sectors and
State, local, and tribal governments, and maximizing
the use of commercial standards as appropriate,
including the following:
(A) Standards and guidelines for
interconnectivity and interoperability as
described under section 3504.
(B) Consistent with the process under section
207(d) of the E-Government Act of 2002,
standards and guidelines for categorizing
Federal Government electronic information to
enable efficient use of technologies, such as
through the use of extensible markup language.
(C) Standards and guidelines for Federal
Government computer system efficiency and
security.
(9) Sponsor ongoing dialogue that--
(A) shall be conducted among Federal, State,
local, and tribal government leaders on
electronic Government in the executive,
legislative, and judicial branches, as well as
leaders in the private and nonprofit sectors,
to encourage collaboration and enhance
understanding of best practices and innovative
approaches in acquiring, using, and managing
information resources;
(B) is intended to improve the performance of
governments in collaborating on the use of
information technology to improve the delivery
of Government information and services; and
(C) may include--
(i) development of innovative
models--
(I) for electronic Government
management and Government
information technology
contracts; and
(II) that may be developed
through focused discussions or
using separately sponsored
research;
(ii) identification of opportunities
for public-private collaboration in
using Internet-based technology to
increase the efficiency of Government-
to-business transactions;
(iii) identification of mechanisms
for providing incentives to program
managers and other Government employees
to develop and implement innovative
uses of information technologies; and
(iv) identification of opportunities
for public, private, and
intergovernmental collaboration in
addressing the disparities in access to
the Internet and information
technology.
(10) Sponsor activities to engage the general public
in the development and implementation of policies and
programs, particularly activities aimed at fulfilling
the goal of using the most effective citizen-centered
strategies and those activities which engage multiple
agencies providing similar or related information and
services.
(11) Oversee the work of the General Services
Administration and other agencies in developing the
integrated Internet-based system under section 204 of
the E-Government Act of 2002.
(12) Coordinate with the Administrator for Federal
Procurement Policy to ensure effective implementation
of electronic procurement initiatives.
(13) Assist Federal agencies, including the General
Services Administration, the Department of Justice, and
the United States Access Board in--
(A) implementing accessibility standards
under section 508 of the Rehabilitation Act of
1973 (29 U.S.C. 794d); and
(B) ensuring compliance with those standards
through the budget review process and other
means.
(14) Oversee the development of enterprise
architectures within and across agencies.
(15) Assist the Director and the Deputy Director for
Management in overseeing agency efforts to ensure that
electronic Government activities incorporate adequate,
risk-based, and cost-effective security compatible with
business processes.
(16) Administer [the Office of Electronic Government]
the Office of the Federal Chief Information Officer
established under this section.
(17) Assist the Director in preparing the [E-
Government] annual report established under section
3606.
(g) The Director shall ensure that the Office of Management
and Budget, including [the Office of Electronic Government] the
Office of the Federal Chief Information Officer, the Office of
Information and Regulatory Affairs, and other relevant offices,
have adequate staff and resources to properly fulfill all
functions under the E-Government Act of 2002.
Sec. 3603. Chief Information Officers Council
(a) There is established in the executive branch a Chief
Information Officers Council.
(b) The members of the Council shall be as follows:
(1) The Deputy Director for Management of the Office
of Management and Budget, who shall act as chairperson
of the Council.
(2) [The Administrator of the Office of Electronic
Government] The Federal Chief Information Officer.
(3) The Administrator of the Office of Information
and Regulatory Affairs.
(4) The chief information officer of each agency
described under section 901(b) of title 31.
(5) The chief information officer of the Central
Intelligence Agency.
(6) The chief information officer of the Department
of the Army, the Department of the Navy, and the
Department of the Air Force, if chief information
officers have been designated for such departments
under section 3506(a)(2)(B).
(7) Any other officer or employee of the United
States designated by the chairperson.
(c)(1) [The Administrator of the Office of Electronic
Government] The Federal Chief Information Officer shall lead
the activities of the Council on behalf of the Deputy Director
for Management.
(2)(A) The Vice Chairman of the Council shall be selected by
the Council from among its members.
(B) The Vice Chairman shall serve a 1-year term, and may
serve multiple terms.
(3) The Administrator of General Services shall provide
administrative and other support for the Council.
(d) The Council is designated the principal interagency forum
for improving agency practices related to the design,
acquisition, development, modernization, use, operation,
sharing, and performance of Federal Government information
resources.
(e) In performing its duties, the Council shall consult
regularly with representatives of State, local, and tribal
governments.
(f) The Council shall perform functions that include the
following:
(1) Develop recommendations for the Director on
Government information resources management policies
and requirements.
(2) Share experiences, ideas, best practices, and
innovative approaches related to information resources
management.
(3) Assist [the Administrator] the Federal Chief
Information Officer in the identification, development,
and coordination of multiagency projects and other
innovative initiatives to improve Government
performance through the use of information technology.
(4) Promote the development and use of common
performance measures for agency information resources
management under this chapter and title II of the E-
Government Act of 2002.
(5) Work as appropriate with the National Institute
of Standards and Technology and [the Administrator] the
Federal Chief Information Officer to develop
recommendations on information technology standards
developed under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3) and
promulgated under section 11331 of title 40, and
maximize the use of commercial standards as
appropriate, including the following:
(A) Standards and guidelines for
interconnectivity and interoperability as
described under section 3504.
(B) Consistent with the process under section
207(d) of the E-Government Act of 2002,
standards and guidelines for categorizing
Federal Government electronic information to
enable efficient use of technologies, such as
through the use of extensible markup language.
(C) Standards and guidelines for Federal
Government computer system efficiency and
security.
(6) Work with the Office of Personnel Management to
assess and address the hiring, training,
classification, and professional development needs of
the Government related to information resources
management.
(7) Work with the Archivist of the United States to
assess how the Federal Records Act can be addressed
effectively by Federal information resources management
activities.
Sec. 3604. E-Government Fund
(a)(1) There is established in the Treasury of the United
States the E-Government Fund.
(2) The Fund shall be administered by the Administrator of
the General Services Administration to support projects
approved by the Director, assisted by [the Administrator of the
Office of Electronic Government] the Federal Chief Information
Officer, that enable the Federal Government to expand its
ability, through the development and implementation of
innovative uses of the Internet or other electronic methods, to
conduct activities electronically.
(3) Projects under this subsection may include efforts to--
(A) make Federal Government information and services
more readily available to members of the public
(including individuals, businesses, grantees, and State
and local governments);
(B) make it easier for the public to apply for
benefits, receive services, pursue business
opportunities, submit information, and otherwise
conduct transactions with the Federal Government; and
(C) enable Federal agencies to take advantage of
information technology in sharing information and
conducting transactions with each other and with State
and local governments.
(b)(1) The [Administrator] Federal Chief Information Officer
shall--
(A) establish procedures for accepting and reviewing
proposals for funding;
(B) consult with interagency councils, including the
Chief Information Officers Council, the Chief Financial
Officers Council, and other interagency management
councils, in establishing procedures and reviewing
proposals; and
(C) assist the Director in coordinating resources
that agencies receive from the Fund with other
resources available to agencies for similar purposes.
(2) When reviewing proposals and managing the Fund, the
[Administrator] Federal Chief Information Officer shall observe
and incorporate the following procedures:
(A) A project requiring substantial involvement or
funding from an agency shall be approved by a senior
official with agencywide authority on behalf of the
head of the agency, who shall report directly to the
head of the agency.
(B) Projects shall adhere to fundamental capital
planning and investment control processes.
(C) Agencies shall identify in their proposals
resource commitments from the agencies involved and how
these resources would be coordinated with support from
the Fund, and include plans for potential continuation
of projects after all funds made available from the
Fund are expended.
(D) After considering the recommendations of the
interagency councils, the Director, assisted by the
[Administrator] Federal Chief Information Officer,
shall have final authority to determine which of the
candidate projects shall be funded from the Fund.
(E) Agencies shall assess the results of funded
projects.
(c) In determining which proposals to recommend for funding,
[the Administrator] the Federal Chief Information Officer--
(1) shall consider criteria that include whether a
proposal--
(A) identifies the group to be served,
including citizens, businesses, the Federal
Government, or other governments;
(B) indicates what service or information the
project will provide that meets needs of groups
identified under subparagraph (A);
(C) ensures proper security and protects
privacy;
(D) is interagency in scope, including
projects implemented by a primary or single
agency that--
(i) could confer benefits on multiple
agencies; and
(ii) have the support of other
agencies; and
(E) has performance objectives that tie to
agency missions and strategic goals, and
interim results that relate to the objectives;
and
(2) may also rank proposals based on criteria that
include whether a proposal--
(A) has Governmentwide application or
implications;
(B) has demonstrated support by the public to
be served;
(C) integrates Federal with State, local, or
tribal approaches to service delivery;
(D) identifies resource commitments from
nongovernmental sectors;
(E) identifies resource commitments from the
agencies involved;
(F) uses web-based technologies to achieve
objectives;
(G) identifies records management and records
access strategies;
(H) supports more effective citizen
participation in and interaction with agency
activities that further progress toward a more
citizen-centered Government;
(I) directly delivers Government information
and services to the public or provides the
infrastructure for delivery;
(J) supports integrated service delivery;
(K) describes how business processes across
agencies will reflect appropriate
transformation simultaneous to technology
implementation; and
(L) is new or innovative and does not
supplant existing funding streams within
agencies.
(d) The Fund may be used to fund the integrated Internet-
based system under section 204 of the E-Government Act of 2002.
(e) None of the funds provided from the Fund may be
transferred to any agency until 15 days after the Administrator
of the General Services Administration has submitted to the
Committees on Appropriations of the Senate and the House of
Representatives, the Committee on Governmental Affairs of the
Senate, the Committee on Government Reform of the House of
Representatives, and the appropriate authorizing committees of
the Senate and the House of Representatives, a notification and
description of how the funds are to be allocated and how the
expenditure will further the purposes of this chapter.
(f)(1) The Director shall report annually to Congress on the
operation of the Fund, through the report established under
section 3606.
(2) The report under paragraph (1) shall describe--
(A) all projects which the Director has approved for
funding from the Fund; and
(B) the results that have been achieved to date for
these funded projects.
(g)(1) There are authorized to be appropriated to the Fund--
(A) $45,000,000 for fiscal year 2003;
(B) $50,000,000 for fiscal year 2004;
(C) $100,000,000 for fiscal year 2005;
(D) $150,000,000 for fiscal year 2006; and
(E) such sums as are necessary for fiscal year 2007.
(2) Funds appropriated under this subsection shall remain
available until expended.
Sec. 3605. Program to encourage innovative solutions to enhance
electronic Government services and processes
(a) Establishment of Program.--[The Administrator] The
Federal Chief Information Officer shall establish and promote a
Governmentwide program to encourage contractor innovation and
excellence in facilitating the development and enhancement of
electronic Government services and processes.
(b) Issuance of Announcements Seeking Innovative Solutions.--
Under the program[, the Administrator,], the Federal Chief
Information Officer, in consultation with the Council and the
Administrator for Federal Procurement Policy, shall issue
announcements seeking unique and innovative solutions to
facilitate the development and enhancement of electronic
Government services and processes.
(c) Multiagency Technical Assistance Team.--(1) [The
Administrator] The Federal Chief Information Officer, in
consultation with the Council and the Administrator for Federal
Procurement Policy, shall convene a multiagency technical
assistance team to assist in screening [proposals submitted to
the Administrator] proposals submitted to the Federal Chief
Information Officer to provide unique and innovative solutions
to facilitate the development and enhancement of electronic
Government services and processes. The team shall be composed
of employees of the agencies represented on the Council who
have expertise in scientific and technical disciplines that
would facilitate the assessment of the feasibility of the
proposals.
(2) The technical assistance team shall--
(A) assess the feasibility, scientific and technical
merits, and estimated cost of each proposal; and
(B) submit each proposal, and the assessment of the
proposal, to [the Administrator] the Federal Chief
Information Officer.
(3) The technical assistance team shall not consider or
evaluate proposals submitted in response to a solicitation for
offers for a pending procurement or for a specific agency
requirement.
(4) After receiving proposals and assessments from the
technical assistance team, [the Administrator] the Federal
Chief Information Officer shall consider recommending
appropriate proposals for funding under the E-Government Fund
established under section 3604 or, if appropriate, forward the
proposal and the assessment of it to the executive agency whose
mission most coincides with the subject matter of the proposal.
Sec. 3606. [E-Government] Annual report
(a) Not later than March 1 of each year, the Director shall
submit an [E-Government] annual status report to the Committee
on Governmental Affairs of the Senate and the Committee on
Government Reform of the House of Representatives.
(b) The report under subsection (a) shall contain--
(1) a summary of the information reported by agencies
under section [202(f)] 202(g) of the E-Government Act
of 2002;
(2) the information required to be reported by
section 3604(f); and
(3) a description of compliance by the Federal
Government with other goals and provisions of the E-
Government Act of 2002.
* * * * * * *
Sec. 3617. Federal Chief Information Security Officer
(a) Establishment.--There is established a Federal Chief
Information Security Officer, who shall serve in--
(1) the Office of the Federal Chief Information
Officer of the Office of Management and Budget; and
(2) the Office of the National Cyber Director.
(b) Appointment.--The Federal Chief Information Security
Officer shall be appointed by the President.
(c) OMB Duties.--The Federal Chief Information Security
Officer shall report to the Federal Chief Information Officer
and assist the Federal Chief Information Officer in carrying
out--
(1) every function under this chapter;
(2) every function assigned to the Director under
title II of the E-Government Act of 2002 (44 U.S.C.
3501 note; Public Law 107-347);
(3) other electronic government initiatives
consistent with other statutes; and
(4) other Federal cybersecurity initiatives
determined by the Federal Chief Information Officer.
(d) Additional Duties.--The Federal Chief Information
Security Officer shall--
(1) support the Federal Chief Information Officer in
overseeing and implementing Federal cybersecurity under
the E-Government Act of 2002 (Public Law 107-347; 116
Stat. 2899) and other relevant statutes in a manner
consistent with law; and
(2) perform every function assigned to the Director
under sections 1321 through 1328 of title 41, United
States Code.
(e) Coordination With ONCD.--The Federal Chief Information
Security Officer shall support initiatives determined by the
Federal Chief Information Officer necessary to coordinate with
the Office of the National Cyber Director.
* * * * * * *
----------
HOMELAND SECURITY ACT OF 2002
* * * * * * *
TITLE X--INFORMATION SECURITY
SEC. 1001. INFORMATION SECURITY.
(a) Short Title.--This title may be cited as the ``Federal
Information Security Management Act of 2002''.
(b) [Omitted-amends another Act]
(c) Information Security Responsibilities of Certain
Agencies.--
(1) National security responsibilities.--(A) Nothing
in this Act (including any amendment made by this Act)
shall supersede any authority of the Secretary of
Defense, the Director of Central Intelligence, or other
agency head, as authorized by law and as directed by
the President, with regard to the operation, control,
or management of national security systems, as defined
by [section 3552(b)(5)] section 3552(b) of title 44,
United States Code.
(B) [Omitted-amends another Act]
(2) Atomic energy act of 1954.--Nothing in this Act
shall supersede any requirement made by or under the
Atomic Energy Act of 1954 (42 U.S.C. 2011 et seq.).
Restricted Data or Formerly Restricted Data shall be
handled, protected, classified, downgraded, and
declassified in conformity with the Atomic Energy Act
of 1954 (42 U.S.C. 2011 et seq.).
* * * * * * *
----------
TITLE 10, UNITED STATES CODE
* * * * * * *
SUBTITLE A--GENERAL MILITARY LAW
* * * * * * *
PART IV--SERVICE, SUPPLY, AND PROPERTY
* * * * * * *
CHAPTER 131--PLANNING AND COORDINATION
* * * * * * *
Sec. 2222. Defense business systems: business process reengineering;
enterprise architecture; management
(a) Defense Business Processes Generally.--The Secretary of
Defense shall ensure that defense business processes are
reviewed, and as appropriate revised, through business process
reengineering to match best commercial practices, to the
maximum extent practicable, so as to minimize customization of
commercial business systems.
(b) Defense Business Systems Generally.--The Secretary of
Defense shall ensure that each covered defense business system
developed, deployed, and operated by the Department of
Defense--
(1) supports efficient business processes that have
been reviewed, and as appropriate revised, through
business process reengineering;
(2) is integrated into a comprehensive defense
business enterprise architecture;
(3) is managed in a manner that provides visibility
into, and traceability of, expenditures for the system;
and
(4) uses an acquisition and sustainment strategy that
prioritizes the use of commercial software and business
practices.
(c) Issuance of Guidance.--
(1) Secretary of defense guidance.--The Secretary
shall issue guidance to provide for the coordination
of, and decision making for, the planning, programming,
and control of investments in covered defense business
systems.
(2) Supporting guidance.--The Secretary shall direct
the Chief Information Officer of the Department of
Defense, the Under Secretary of Defense for Acquisition
and Sustainment, and the Chief Information Officer of
each of the military departments to issue and maintain
supporting guidance, as appropriate and within their
respective areas of responsibility, for the guidance of
the Secretary issued under paragraph (1).
(d) Guidance Elements.--The guidance issued under subsection
(c) shall include the following elements:
(1) Policy to ensure that the business processes of
the Department of Defense are continuously reviewed and
revised--
(A) to implement the most streamlined and
efficient business processes practicable; and
(B) to eliminate or reduce the need to tailor
commercial off-the-shelf systems to meet or
incorporate requirements or interfaces that are
unique to the Department of Defense.
(2) A process to establish requirements for covered
defense business systems.
(3) Mechanisms for the planning and control of
investments in covered defense business systems,
including a process for the collection and review of
programming and budgeting information for covered
defense business systems.
(4) Policy requiring the periodic review of covered
defense business systems that have been fully deployed,
by portfolio, to ensure that investments in such
portfolios are appropriate.
(5) Policy to ensure full consideration of
sustainability and technological refreshment
requirements, and the appropriate use of open
architectures.
(6) Policy to ensure that best acquisition and
systems engineering practices are used in the
procurement and deployment of commercial systems,
modified commercial systems, and defense-unique systems
to meet Department of Defense missions.
(7) Policy to ensure a covered defense business
system is in compliance with the Department's
auditability requirements.
(8) Policy to ensure approvals required for the
development of a covered defense business system.
(e) Defense Business Enterprise Architecture.--
(1) Blueprint.--The Secretary, working through the
Chief Information Officer of the Department of Defense,
shall develop and maintain a blueprint to guide the
development of integrated business processes within the
Department of Defense. Such blueprint shall be known as
the ``defense business enterprise architecture''.
(2) Purpose.--The defense business enterprise
architecture shall be sufficiently defined to
effectively guide implementation of interoperable
defense business system solutions and shall be
consistent with the policies and procedures established
by the Director of the Office of Management and Budget.
(3) Elements.--The defense business enterprise
architecture shall--
(A) include policies, procedures, business
data standards, business performance measures,
and business information requirements that
apply uniformly throughout the Department of
Defense; and
(B) enable the Department of Defense to--
(i) comply with all applicable law,
including Federal accounting, financial
management, and reporting requirements;
(ii) routinely produce verifiable,
timely, accurate, and reliable business
and financial information for
management purposes;
(iii) integrate budget, accounting,
and program information and systems;
and
(iv) identify whether each existing
business system is a part of the
business systems environment outlined
by the defense business enterprise
architecture, will become a part of
that environment with appropriate
modifications, or is not a part of that
environment.
(4) Integration into information technology
architecture.--(A) The defense business enterprise
architecture shall be integrated into the information
technology enterprise architecture required under
subparagraph (B).
(B) The Chief Information Officer of the Department
of Defense shall develop an information technology
enterprise architecture. The architecture shall
describe a plan for improving the information
technology and computing infrastructure of the
Department of Defense, including for each of the major
business processes conducted by the Department of
Defense.
(5) Common enterprise data.--The defense business
enterprise shall include enterprise data that may be
automatically extracted from the relevant systems to
facilitate Department of Defense-wide analysis and
management of its business operations.
(6) Roles and responsibilities.--
(A) The Chief Information Officer of the
Department of Defense, in coordination with the
Chief Data and Artificial Intelligence Officer,
shall have primary decision-making authority
with respect to the development of common
enterprise data. In consultation with the
Defense Business Council, the Chief Information
Officer shall--
(i) develop an associated data
governance process; and
(ii) oversee the preparation,
extraction, and provision of data
across the defense business enterprise.
(B) The Chief Information Officer and the
Under Secretary of Defense (Comptroller)
shall--
(i) in consultation with the Defense
Business Council, document and maintain
any common enterprise data for their
respective areas of authority;
(ii) participate in any related data
governance process;
(iii) extract data from defense
business systems as needed to support
priority activities and analyses;
(iv) when appropriate, ensure the
source data is the same as that used to
produce the financial statements
subject to annual audit;
(v) in consultation with the Defense
Business Council, provide access,
except as otherwise provided by law or
regulation, to such data to the Office
of the Secretary of Defense, the Joint
Staff, the military departments, the
combatant commands, the Defense
Agencies, the Department of Defense
Field Activities, and all other
offices, agencies, activities, and
commands of the Department of Defense;
and
(vi) ensure consistency of the common
enterprise data maintained by their
respective organizations.
(C) The Director of Cost Assessment and
Program Evaluation shall have access to data
for the purpose of executing missions as
designated by the Secretary of Defense.
(D) The Secretary of Defense, the Chairman of
the Joint Chiefs of Staff, the Secretaries of
the military departments, commanders of
combatant commands, the heads of the Defense
Agencies, the heads of the Department of
Defense Field Activities, and the heads of all
other offices, agencies, activities, and
commands of the Department of Defense shall
provide access to the relevant system of such
department, combatant command, Defense Agency,
Defense Field Activity, or office, agency,
activity, and command organization, as
applicable, and data extracted from such
system, for purposes of automatically
populating data sets coded with common
enterprise data.
(f) Defense Business Council.--
(1) Requirement for council.--The Secretary shall
establish a Defense Business Council to provide advice
to the Secretary on developing the defense business
enterprise architecture, reengineering the Department's
business processes, developing and deploying defense
business systems, and developing requirements for
defense business systems. The Council shall be chaired
by the Chief Information Officer of the Department of
Defense.
(2) Membership.--The membership of the Council shall
include the following:
(A) The Chief Information Officers of the
military departments, or their designees.
(B) The Chief Management Officers of the
military departments, or their designees.
(C) The following officials of the Department
of Defense, or their designees:
(i) The Under Secretary of Defense
for Acquisition and Sustainment with
respect to acquisition, logistics, and
installations management processes.
(ii) The Under Secretary of Defense
(Comptroller) with respect to financial
management and planning and budgeting
processes.
(iii) The Under Secretary of Defense
for Personnel and Readiness with
respect to human resources management
processes.
(iv) The Chief Data and Artificial
Intelligence Officer of the Department
of Defense.
(g) Approvals Required for Development.--
(1) Initial approval required.--The Secretary shall
ensure that a covered defense business system program
cannot proceed into development (or, if no development
is required, into production or fielding) unless the
appropriate approval official (as specified in
paragraph (2)) determines that--
(A) the system has been, or is being,
reengineered to be as streamlined and efficient
as practicable, and the implementation of the
system will maximize the elimination of unique
software requirements and unique interfaces;
(B) the system and business system portfolio
are or will be in compliance with the defense
business enterprise architecture developed
pursuant to subsection (e) or will be in
compliance as a result of modifications
planned;
(C) the system has valid, achievable
requirements and a viable plan for implementing
those requirements (including, as appropriate,
market research, business process
reengineering, and prototyping activities);
(D) the system has an acquisition strategy
designed to eliminate or reduce the need to
tailor commercial off-the-shelf systems to meet
unique requirements, incorporate unique
requirements, or incorporate unique interfaces
to the maximum extent practicable; and
(E) the system is in compliance with the
Department's auditability requirements.
(2) Appropriate official.--For purposes of paragraph
(1), the appropriate approval official with respect to
a covered defense business system is the following:
(A) Except as may be provided in subparagraph
(C), in the case of a priority defense business
system, the Chief Information Officer of the
Department of Defense.
(B) Except as may be provided in subparagraph
(C), for any defense business system other than
a priority defense business system--
(i) in the case of a system of a
military department, the Chief
Information Officer of that military
department; and
(ii) in the case of a system of a
Defense Agency or Department of Defense
Field Activity, or a system that will
support the business process of more
than one military department or Defense
Agency or Department of Defense Field
Activity, the Chief Information Officer
of the Department of Defense.
(C) In the case of any defense business
system, such official other than the applicable
official under subparagraph (A) or (B) as the
Secretary designates for such purpose.
(3) Annual certification.--For any fiscal year in
which funds are expended for development or sustainment
pursuant to a covered defense business system program,
the appropriate approval official shall review the
system and certify, certify with conditions, or decline
to certify, as the case may be, that it continues to
satisfy the requirements of paragraph (1). If the
approval official determines that certification cannot
be granted, the approval official shall notify the
milestone decision authority for the program and
provide a recommendation for corrective action.
(4) Obligation of funds in violation of
requirements.--The obligation of Department of Defense
funds for a covered defense business system program
that has not been certified in accordance with
paragraph (3) is a violation of section 1341(a)(1)(A)
of title 31.
(h) Responsibility of Milestone Decision Authority.--The
milestone decision authority for a covered defense business
system program shall be responsible for the acquisition of such
system and shall ensure that acquisition process approvals are
not considered for such system until the relevant
certifications and approvals have been made under this section.
(i) Definitions.--In this section:
(1)(A) Defense business system.--The term ``defense
business system'' means an information system that is
operated by, for, or on behalf of the Department of
Defense, including any of the following:
(i) A financial system.
(ii) A financial data feeder system.
(iii) A contracting system.
(iv) A logistics system.
(v) A planning and budgeting system.
(vi) An installations management system.
(vii) A human resources management system.
(viii) A training and readiness system.
(B) The term does not include--
(i) a national security system; or
(ii) an information system used exclusively
by and within the defense commissary system or
the exchange system or other instrumentality of
the Department of Defense conducted for the
morale, welfare, and recreation of members of
the armed forces using nonappropriated funds.
(2) Covered defense business system.--The term
``covered defense business system'' means a defense
business system that is expected to have a total amount
of budget authority, over the period of the current
future-years defense program submitted to Congress
under section 221 of this title, in excess of
$50,000,000.
(3) Business system portfolio.--The term ``business
system portfolio'' means all business systems
performing functions closely related to the functions
performed or to be performed by a covered defense
business system.
(4) Covered defense business system program.--The
term ``covered defense business system program'' means
a defense acquisition program to develop and field a
covered defense business system or an increment of a
covered defense business system.
(5) Priority defense business system.--The term
``priority defense business system'' means a defense
business system that is--
(A) expected to have a total amount of budget
authority over the period of the current
future-years defense program submitted to
Congress under section 221 of this title in
excess of $250,000,000; or
(B) designated by the Chief Information
Officer of the Department of Defense as a
priority defense business system, based on
specific program analyses of factors including
complexity, scope, and technical risk, and
after notification to Congress of such
designation.
(6) Enterprise architecture.--The term ``enterprise
architecture'' has the meaning given that term in
[section 3601(4)] section 3601 of title 44.
(7) Information system.--The term ``information
system'' has the meaning given that term in section
11101 of title 40, United States Code.
(8) National security system.--The term ``national
security system'' has the meaning given that term in
[section 3552(b)(6)(A)] section 3552(b)(8)(A) of title
44.
(9) Business process mapping.--The term ``business
process mapping'' means a procedure in which the steps
in a business process are clarified and documented in
both written form and in a flow chart.
(10) Common enterprise data.--The term ``common
enterprise data'' means business operations or
management-related data, generally from defense
business systems, in a usable format that is
automatically accessible by authorized personnel and
organizations.
(11) Data governance process.--The term ``data
governance process'' means a system to manage the
timely Department of Defense-wide sharing of data
described under subsection (e)(6)(A).
Sec. 2223. Information technology: additional responsibilities of Chief Information Officers
(a) Additional Responsibilities of Chief Information Officer
of Department of Defense.--In addition to the responsibilities
provided for in chapter 35 of title 44 and in section 11315 of
title 40, the Chief Information Officer of the Department of
Defense shall--
(1) review and provide recommendations to the
Secretary of Defense on Department of Defense budget
requests for information technology and national
security systems;
(2) ensure the interoperability of information
technology and national security systems throughout the
Department of Defense;
(3) ensure that information technology and national
security systems standards that will apply throughout
the Department of Defense are prescribed;
(4) provide for the elimination of duplicate
information technology and national security systems
within and between the military departments and Defense
Agencies; and
(5) maintain a consolidated inventory of Department
of Defense mission critical and mission essential
information systems, identify interfaces between those
systems and other information systems, and develop and
maintain contingency plans for responding to a
disruption in the operation of any of those information
systems.
(b) Additional Responsibilities of Chief Information Officer
of Military Departments.--In addition to the responsibilities
provided for in chapter 35 of title 44 and in section 11315 of
title 40, the Chief Information Officer of a military
department, with respect to the military department concerned,
shall--
(1) review budget requests for all information
technology and national security systems;
(2) ensure that information technology and national
security systems are in compliance with standards of
the Government and the Department of Defense;
(3) ensure that information technology and national
security systems are interoperable with other relevant
information technology and national security systems of
the Government and the Department of Defense; and
(4) coordinate with the Joint Staff with respect to
information technology and national security systems.
(c) Definitions.--In this section:
(1) The term ``Chief Information Officer'' means the
senior official designated by the Secretary of Defense
or a Secretary of a military department pursuant to
section 3506 of title 44.
(2) The term ``information technology'' has the
meaning given that term by section 11101 of title 40.
(3) The term ``national security system'' has the
meaning given that term by [section 3552(b)(6)] section
3552(b) of title 44.
* * * * * * *
PART V--ACQUISITION
* * * * * * *
SUBPART A--GENERAL
* * * * * * *
CHAPTER 203--GENERAL MATTERS
* * * * * * *
Sec. 3068. Inapplicability of certain laws
(a) Laws Inapplicable to Agencies Named in Section 3063.--
Sections 6101 and 6304 of title 41 do not apply to the
procurement or sale of property or services by the agencies
named in section 3063 of this title.
(b) Laws Inapplicable to Procurement of Automatic Data
Processing Equipment and Services for Certain Defense
Purposes.--For purposes of subtitle III of title 40, the term
``national security system'', with respect to a
telecommunications and information system operated by the
Department of Defense, has the meaning given that term by
[section 3552(b)(6)] section 3552(b) of title 44.
* * * * * * *
SUBPART B--ACQUISITION PLANNING
* * * * * * *
CHAPTER 223--OTHER PROVISIONS RELATING TO PLANNING AND SOLICITATION GENERALLY
* * * * * * *
Sec. 3252. Requirements for information relating to supply chain risk
(a) Authority.--Subject to subsection (b), the head of a
covered agency may--
(1) carry out a covered procurement action; and
(2) limit, notwithstanding any other provision of
law, in whole or in part, the disclosure of information
relating to the basis for carrying out a covered
procurement action.
(b) Determination and Notification.--The head of a covered
agency may exercise the authority provided in subsection (a)
only after--
(1) obtaining a joint recommendation by the Under
Secretary of Defense for Acquisition and Sustainment
and the Chief Information Officer of the Department of
Defense, on the basis of a risk assessment by the Under
Secretary of Defense for Intelligence and Security,
that there is a significant supply chain risk to a
covered system;
(2) making a determination in writing, in
unclassified or classified form, with the concurrence
of the Under Secretary of Defense for Acquisition and
Sustainment, that--
(A) use of the authority in subsection (a)(1)
is necessary to protect national security by
reducing supply chain risk;
(B) less intrusive measures are not
reasonably available to reduce such supply
chain risk; and
(C) in a case where the head of the covered
agency plans to limit disclosure of information
under subsection (a)(2), the risk to national
security due to the disclosure of such
information outweighs the risk due to not
disclosing such information; and
(3) providing a classified or unclassified notice of
the determination made under paragraph (2) to the
appropriate congressional committees, which notice
shall include--
(A) the information required by section
3204(e)(2) of this title;
(B) the joint recommendation by the Under
Secretary of Defense for Acquisition and
Sustainment and the Chief Information Officer
of the Department of Defense as specified in
paragraph (1);
(C) a summary of the risk assessment by the
Under Secretary of Defense for Intelligence
that serves as the basis for the joint
recommendation specified in paragraph (1); and
(D) a summary of the basis for the
determination, including a discussion of less
intrusive measures that were considered and why
they were not reasonably available to reduce
supply chain risk.
(c) Delegation.--The head of a covered agency may not
delegate the authority provided in subsection (a) or the
responsibility to make a determination under subsection (b) to
an official below the level of the service acquisition
executive for the agency concerned.
(d) Limitation on Disclosure.--If the head of a covered
agency has exercised the authority provided in subsection
(a)(2) to limit disclosure of information--
(1) no action undertaken by the agency head under
such authority shall be subject to review in a bid
protest before the Government Accountability Office or
in any Federal court; and
(2) the agency head shall--
(A) notify appropriate parties of a covered
procurement action and the basis for such
action only to the extent necessary to
effectuate the covered procurement action;
(B) notify other Department of Defense
components or other Federal agencies
responsible for procurements that may be
subject to the same or similar supply chain
risk, in a manner and to the extent consistent
with the requirements of national security; and
(C) ensure the confidentiality of any such
notifications.
(e) Definitions.--In this section:
(1) Head of a covered agency.--The term ``head of a
covered agency'' means each of the following:
(A) The Secretary of Defense.
(B) The Secretary of the Army.
(C) The Secretary of the Navy.
(D) The Secretary of the Air Force.
(2) Covered procurement action.--The term ``covered
procurement action'' means any of the following
actions, if the action takes place in the course of
conducting a covered procurement:
(A) The exclusion of a source that fails to
meet qualification standards established in
accordance with the requirements of section
3243 of this title for the purpose of reducing
supply chain risk in the acquisition of covered
systems.
(B) The exclusion of a source that fails to
achieve an acceptable rating with regard to an
evaluation factor providing for the
consideration of supply chain risk in the
evaluation of proposals for the award of a
contract or the issuance of a task or delivery
order.
(C) The decision to withhold consent for a
contractor to subcontract with a particular
source or to direct a contractor for a covered
system to exclude a particular source from
consideration for a subcontract under the
contract.
(3) Covered procurement.--The term ``covered
procurement'' means--
(A) a source selection for a covered system
or a covered item of supply involving either a
performance specification, as provided in
section 3206(a)(3)(B) of this title, or an
evaluation factor, as provided in section
3206(b)(1) of this title, relating to supply
chain risk;
(B) the consideration of proposals for and
issuance of a task or delivery order for a
covered system or a covered item of supply, as
provided in section 3406(d)(3) of this title,
where the task or delivery order contract
concerned includes a contract clause
establishing a requirement relating to supply
chain risk; or
(C) any contract action involving a contract
for a covered system or a covered item of
supply where such contract includes a clause
establishing requirements relating to supply
chain risk.
(4) Supply chain risk.--The term ``supply chain
risk'' means the risk that an adversary may sabotage,
maliciously introduce unwanted function, or otherwise
subvert the design, integrity, manufacturing,
production, distribution, installation, operation, or
maintenance of a covered system so as to surveil, deny,
disrupt, or otherwise degrade the function, use, or
operation of such system.
(5) Covered system.--The term ``covered system''
means a national security system, as that term is
defined in [section 3552(b)(6)] section 3552(b) of
title 44.
(6) Covered item of supply.--The term ``covered item
of supply'' means an item of information technology (as
that term is defined in section 11101 of title 40) that
is purchased for inclusion in a covered system, and the
loss of integrity of which could result in a supply
chain risk for a covered system.
(7) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) in the case of a covered system included
in the National Intelligence Program or the
Military Intelligence Program, the Select
Committee on Intelligence of the Senate, the
Permanent Select Committee on Intelligence of
the House of Representatives, and the
congressional defense committees; and
(B) in the case of a covered system not
otherwise included in subparagraph (A), the
congressional defense committees.
----------
HIGH-PERFORMANCE COMPUTING ACT OF 1991
* * * * * * *
TITLE II--AGENCY ACTIVITIES
* * * * * * *
SEC. 207. MISCELLANEOUS PROVISIONS.
(a) Nonapplicability.--Except to the extent the appropriate
Federal agency or department head determines, the provisions of
this Act shall not apply to--
(1) programs or activities regarding computer systems
that process classified information; or
(2) computer systems the function, operation, or use
of which are those delineated in [section
3552(b)(6)(A)(i)] section 3552(b)(8)(A)(i) of title 44,
United States Code.
(b) Acquisition of Prototype and Early Production Models.--In
accordance with Federal contracting law, Federal agencies and
departments participating in the Program may acquire prototype
or early production models of new networking and information
technology systems and subsystems to stimulate hardware and
software development. Items of computing equipment acquired
under this subsection shall be considered research computers
for purposes of applicable acquisition regulations.
----------
INTERNET OF THINGS CYBERSECURITY IMPROVEMENT ACT OF 2020
* * * * * * *
SEC. 3. DEFINITIONS.
In this Act:
(1) Agency.--The term ``agency'' has the meaning
given that term in section 3502 of title 44, United
States Code.
(2) Director of omb.--The term ``Director of OMB''
means the Director of the Office of Management and
Budget.
(3) Director of the institute.--The term ``Director
of the Institute'' means the Director of the National
Institute of Standards and Technology.
(4) Information system.--The term ``information
system'' has the meaning given that term in section
3502 of title 44, United States Code.
(5) National security system.--The term ``national
security system'' has the meaning given that term in
[section 3552(b)(6)] section 3552(b) of title 44,
United States Code.
(6) Operational technology.--The term ``operational
technology'' means hardware and software that detects
or causes a change through the direct monitoring or
control of physical devices, processes, and events in
the enterprise.
(7) Secretary.--The term ``Secretary'' means the
Secretary of Homeland Security.
(8) Security vulnerability.--The term ``security
vulnerability'' has the meaning given that term in
section 2200 of the Homeland Security Act of 2002.
* * * * * * *
----------
NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2013
* * * * * * *
DIVISION A--DEPARTMENT OF DEFENSE AUTHORIZATIONS
* * * * * * *
TITLE IX--DEPARTMENT OF DEFENSE ORGANIZATION AND MANAGEMENT
* * * * * * *
Subtitle D--Cyberspace-Related Matters
* * * * * * *
SEC. 933. IMPROVEMENTS IN ASSURANCE OF COMPUTER SOFTWARE PROCURED BY THE DEPARTMENT OF DEFENSE.
(a) Baseline Software Assurance Policy.--The Under Secretary
of Defense for Acquisition, Technology, and Logistics, in
coordination with the Chief Information Officer of the
Department of Defense, shall develop and implement a baseline
software assurance policy for the entire lifecycle of covered
systems. Such policy shall be included as part of the strategy
for trusted defense systems of the Department of Defense.
(b) Policy Elements.--The baseline software assurance policy
under subsection (a) shall--
(1) require use of appropriate automated
vulnerability analysis tools in computer software code
during the entire lifecycle of a covered system,
including during development, operational testing,
operations and sustainment phases, and retirement;
(2) require covered systems to identify and
prioritize security vulnerabilities and, based on risk,
determine appropriate remediation strategies for such
security vulnerabilities;
(3) ensure such remediation strategies are translated
into contract requirements and evaluated during source
selection;
(4) promote best practices and standards to achieve
software security, assurance, and quality; and
(5) support competition and allow flexibility and
compatibility with current or emerging software
methodologies.
(c) Verification of Effective Implementation.--The Under
Secretary of Defense for Acquisition, Technology, and
Logistics, in coordination with the Chief Information Officer
of the Department of Defense, shall--
(1) collect data on implementation of the policy
developed under subsection (a) and measure the
effectiveness of such policy, including the particular
elements required under subsection (b); and
(2) identify and promote best practices, tools, and
standards for developing and validating assured
software for the Department of Defense.
(d) Briefing on Additional Means of Improving Software
Assurance.--Not later than one year after the date of the
enactment of this Act, the Under Secretary for Acquisition,
Technology, and Logistics shall, in coordination with the Chief
Information Officer of the Department of Defense, provide to
the congressional defense committees a briefing on the
following:
(1) A research and development strategy to advance
capabilities in software assurance and vulnerability
detection.
(2) The state-of-the-art of software assurance
analysis and test.
(3) How the Department might hold contractors liable
for software defects or vulnerabilities.
(e) Definitions.--In this section:
(1) Covered system.--The term ``covered system''
means any Department of Defense critical information,
business, or weapons system that is--
(A) a major system, as that term is defined
in section 2302(5) of title 10, United States
Code;
(B) a national security system, as that term
is defined in [section 3542(b)(2)] section
3552(b) of title 44, United States Code; or
(C) a Department of Defense information
system categorized as Mission Assurance
Category I in Department of Defense Directive
8500.01E that is funded by the Department of
Defense.
(2) Software assurance.--The term ``software
assurance'' means the level of confidence that software
functions as intended and is free of vulnerabilities,
either intentionally or unintentionally designed or
inserted as part of the software, throughout the life
cycle.
* * * * * * *
----------
IKE SKELTON NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2011
* * * * * * *
DIVISION A--DEPARTMENT OF DEFENSE AUTHORIZATIONS
* * * * * * *
TITLE IX--DEPARTMENT OF DEFENSE ORGANIZATION AND MANAGEMENT
* * * * * * *
Subtitle D--Cyber Warfare, Cyber Security, and Related Matters
SEC. 931. CONTINUOUS MONITORING OF DEPARTMENT OF DEFENSE INFORMATION SYSTEMS FOR CYBERSECURITY.
(a) In general.--The Secretary of Defense shall direct the
Chief Information Officer of the Department of Defense to work,
in coordination with the Chief Information Officers of the
military departments and the Defense Agencies and with senior
cybersecurity and information assurance officials within the
Department of Defense and otherwise within the Federal
Government, to achieve, to the extent practicable, the
following:
(1) The continuous prioritization of the policies,
principles, standards, and guidelines developed under
section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) with agencies and
offices operating or exercising control of national
security systems (including the National Security
Agency) based upon the evolving threat of information
security incidents with respect to national security
systems, the vulnerability of such systems to such
incidents, and the consequences of information security
incidents involving such systems.
(2) The automation of continuous monitoring of the
effectiveness of the information security policies,
procedures, and practices within the information
infrastructure of the Department of Defense, and the
compliance of that infrastructure with such policies,
procedures, and practices, including automation of--
(A) management, operational, and technical
controls of every information system identified
in the inventory required under section 3505(c)
of title 44, United States Code; and
(B) management, operational, and technical
controls relied on for evaluations under
section 3545 of title 44, United States Code.
(b) Definitions.--In this section:
(1) The term ``information security incident'' means
an occurrence that--
(A) actually or potentially jeopardizes the
confidentiality, integrity, or availability of
an information system or the information such
system processes, stores, or transmits; or
(B) constitutes a violation or imminent
threat of violation of security policies,
security procedures, or acceptable use policies
with respect to an information system.
(2) The term ``information infrastructure'' means the
underlying framework, equipment, and software that an
information system and related assets rely on to
process, transmit, receive, or store information
electronically.
(3) The term ``national security system'' has the
meaning given that term in [section 3542(b)(2)] section
3552(b) of title 44, United States Code.
SEC. 932. STRATEGY ON COMPUTER SOFTWARE ASSURANCE.
(a) Strategy Required.--The Secretary of Defense shall
develop and implement, by not later than October 1, 2011, a
strategy for assuring the security of software and software-
based applications for all covered systems.
(b) Covered Systems.--For purposes of this section, a covered
system is any critical information system or weapon system of
the Department of Defense, including the following:
(1) A major system, as that term is defined in
section 3041 of title 10, United States Code.
(2) A national security system, as that term is
defined in [section 3542(b)(2)] section 3552(b) of
title 44, United States Code.
(3) Any Department of Defense information system
categorized as Mission Assurance Category I.
(4) Any Department of Defense information system
categorized as Mission Assurance Category II in
accordance with Department of Defense Directive
8500.01E.
(c) Elements.--The strategy required by subsection (a) shall
include the following:
(1) Policy and regulations on the following:
(A) Software assurance generally.
(B) Contract requirements for software
assurance for covered systems in development
and production.
(C) Inclusion of software assurance in
milestone reviews and milestone approvals.
(D) Rigorous test and evaluation of software
assurance in development, acceptance, and
operational tests.
(E) Certification and accreditation
requirements for software assurance for new
systems and for updates for legacy systems,
including mechanisms to monitor and enforce
reciprocity of certification and accreditation
processes among the military departments and
Defense Agencies.
(F) Remediation in legacy systems of critical
software assurance deficiencies that are
defined as critical in accordance with the
Application Security Technical Implementation
Guide of the Defense Information Systems
Agency.
(2) Allocation of adequate facilities and other
resources for test and evaluation and certification and
accreditation of software to meet applicable
requirements for research and development, systems
acquisition, and operations.
(3) Mechanisms for protection against compromise of
information systems through the supply chain or cyber
attack by acquiring and improving automated tools for--
(A) assuring the security of software and
software applications during software
development;
(B) detecting vulnerabilities during testing
of software; and
(C) detecting intrusions during real-time
monitoring of software applications.
(4) Mechanisms providing the Department of Defense
with the capabilities--
(A) to monitor systems and applications in
order to detect and defeat attempts to
penetrate or disable such systems and
applications; and
(B) to ensure that such monitoring
capabilities are integrated into the Department
of Defense system of cyber defense-in-depth
capabilities.
(5) An update to Committee for National Security
Systems Instruction No. 4009, entitled ``National
Information Assurance Glossary'', to include a standard
definition for software security assurance.
(6) Either--
(A) mechanisms to ensure that vulnerable
Mission Assurance Category III information
systems, if penetrated, cannot be used as a
foundation for penetration of protected covered
systems, and means for assessing the
effectiveness of such mechanisms; or
(B) plans to address critical vulnerabilities
in Mission Assurance Category III information
systems to prevent their use for intrusions of
Mission Assurance Category I systems and
Mission Assurance Category II systems.
(7) A funding mechanism for remediation of critical
software assurance vulnerabilities in legacy systems.
(d) Report.--Not later than October 1, 2011, the Secretary of
Defense shall submit to the congressional defense committees a
report on the strategy required by subsection (a). The report
shall include the following:
(1) A description of the current status of the
strategy required by subsection (a) and of the
implementation of the strategy, including a description
of the role of the strategy in the risk management by
the Department regarding the supply chain and in
operational planning for cyber security.
(2) A description of the risks, if any, that the
Department will accept in the strategy due to
limitations on funds or other applicable constraints.
* * * * * * *
----------
SECTION 301 OF THE E-GOVERNMENT ACT OF 2002
SEC. 301. INFORMATION SECURITY.
(a) Short Title.--This title may be cited as the ``Federal
Information Security Management Act of 2002''.
(b) [Omitted--Amends another Act]
(c) Information Security Responsibilities of Certain
Agencies.--
(1) National security responsibilities.--(A) Nothing
in this Act (including any amendment made by this Act)
shall supersede any authority of the Secretary of
Defense, the Director of Central Intelligence, or other
agency head, as authorized by law and as directed by
the President, with regard to the operation, control,
or management of national security systems, as defined
by [section 3542(b)(2)] section 3552(b) of title 44,
United States Code.
(B) Section 2224 of title 10, United States Code, is
amended--
(i) in subsection (b), by striking ``(b)
Objectives and Minimum Requirements.--(1)'' and
inserting ``(b) Objectives of the Program.--'';
(ii) in subsection (b), by striking paragraph
(2); and
(iii) in subsection (c), in the matter
preceding paragraph (1), by inserting ``,
including through compliance with subchapter
III of chapter 35 of title 44'' after
``infrastructure''.
(2) Atomic energy act of 1954.--Nothing in this Act
shall supersede any requirement made by or under the
Atomic Energy Act of 1954 (42 U.S.C. 2011 et seq.).
Restricted data or formerly restricted data shall be
handled, protected, classified, downgraded, and
declassified in conformity with the Atomic Energy Act
of 1954 (42 U.S.C. 2011 et seq.).
----------
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY ACT
* * * * * * *
Sec. 20. (a) The Institute shall--
(1) have the mission of developing standards,
guidelines, and associated methods and techniques for
information systems;
(2) develop standards and guidelines, including
minimum requirements, for information systems used or
operated by an agency or by a contractor of an agency
or other organization on behalf of an agency, other
than national security systems (as defined in [section
3552(b)(6)] section 3552(b) of title 44, United States
Code);
(3) develop standards and guidelines, including
minimum requirements, for providing adequate
information security for all agency operations and
assets, but such standards and guidelines shall not
apply to national security systems;
(4) carry out the responsibilities described in
paragraph (3) through the Computer Security Division;
and
(5) identify and develop standards and guidelines for
improving the cybersecurity workforce for an agency as
part of the National Initiative for Cybersecurity
Education (NICE) Cybersecurity Workforce Framework
(NIST Special Publication 800-181), or successor
framework.
(b) The standards and guidelines required by subsection (a)
shall include, at a minimum--
(1)(A) standards to be used by all agencies to
categorize all information and information systems
collected or maintained by or on behalf of each agency
based on the objectives of providing appropriate levels
of information security according to a range of risk
levels;
(B) guidelines recommending the types of information
and information systems to be included in each such
category; and
(C) minimum information security requirements for
information and information systems in each such
category;
(2) a definition of and guidelines concerning
detection and handling of information security
incidents;
(3) guidelines developed in coordination with the
National Security Agency for identifying an information
system as a national security system consistent with
applicable requirements for national security systems,
issued in accordance with law and as directed by the
President; and
(4) performance standards and guidelines for high
risk biometric identification systems, including facial
recognition systems, accounting for various use cases,
types of biometric identification systems, and relevant
operational conditions.
(c) In developing standards and guidelines required by
subsections (a) and (b), the Institute shall--
(1) consult with other agencies and offices
(including, but not limited to, the Director of the
Office of Management and Budget, the Departments of
Defense and Energy, the National Security Agency, the
General Accounting Office, and the Secretary of
Homeland Security) to assure--
(A) use of appropriate information security
policies, procedures, and techniques, in order
to improve information security and avoid
unnecessary and costly duplication of effort;
and
(B) that such standards and guidelines are
complementary with standards and guidelines
employed for the protection of national
security systems and information contained in
such systems;
(2) provide the public with an opportunity to comment
on proposed standards and guidelines;
(3) submit such standards and guidelines to the
Secretary of Commerce for promulgation under section
11331 of title 40;
(4) issue guidelines as required under subsection
(b)(1)(B), no later than 18 months after the date of
the enactment of this Act;
(5) ensure that such standards and guidelines do not
require specific technological solutions or products,
including any specific hardware or software security
solutions;
(6) ensure that such standards and guidelines provide
for sufficient flexibility to permit alternative
solutions to provide equivalent levels of protection
for identified information security risks; and
(7) use flexible, performance-based standards and
guidelines that, to the greatest extent possible,
permit the use of off-the-shelf commercially developed
information security products.
(d) The Institute shall--
(1) submit standards developed pursuant to subsection
(a), along with recommendations as to the extent to
which these should be made compulsory and binding, to
the Secretary of Commerce for promulgation under
section 11331 of title 40, United States Code;
(2) provide assistance to agencies regarding--
(A) compliance with the standards and
guidelines developed under subsection (a);
(B) detecting and handling information
security incidents; and
(C) information security policies,
procedures, and practices;
(3) conduct research and analysis--
(A) to determine the nature and extent of
information security vulnerabilities and
techniques for providing cost-effective
information security;
(B) to review and determine prevalent
information security challenges and
deficiencies identified by agencies or the
Institute, including any challenges or
deficiencies described in any of the [annual]
reports under section 3553 or 3554 of title 44,
United States Code, and in any of the reports
and the independent evaluations under section
3555 of that title, that may undermine the
effectiveness of agency information security
programs and practices; and
(C) to evaluate the effectiveness and
sufficiency of, and challenges to, Federal
agencies' implementation of standards and
guidelines developed under this section and
policies and standards promulgated under
section 11331 of title 40, United States Code;
(4) develop and periodically revise performance
indicators and measures for agency information security
policies and practices;
(5) evaluate private sector information security
policies and practices and commercially available
information technologies to assess potential
application by agencies to strengthen information
security;
(6) evaluate security policies and practices
developed for national security systems to assess
potential application by agencies to strengthen
information security;
(7) periodically assess the effectiveness of
standards and guidelines developed under this section
and undertake revisions as appropriate;
(8) solicit and consider the recommendations of the
Information Security and Privacy Advisory Board,
established by section 21, regarding standards and
guidelines developed under subsection (a) and submit
such recommendations to the Director of the Office of
Management and Budget with such standards submitted to
the Director; and
(9) prepare an annual public report on activities
undertaken in the previous year, and planned for the
coming year, to carry out responsibilities under this
section.
(e) Intramural Security Research.--As part of the research
activities conducted in accordance with subsection (d)(3), the
Institute shall, to the extent practicable and appropriate--
(1) conduct a research program to develop a unifying
and standardized identity, privilege, and access
control management framework for the execution of a
wide variety of resource protection policies and that
is amenable to implementation within a wide variety of
existing and emerging computing environments;
(2) carry out research associated with improving the
security of information systems and networks;
(3) carry out research associated with improving the
testing, measurement, usability, and assurance of
information systems and networks;
(4) carry out research associated with improving
security of industrial control systems;
(5) carry out research associated with improving the
security and integrity of the information technology
supply chain; and
(6) carry out any additional research the Institute
determines appropriate.
(f) As used in this section--
(1) the term ``agency'' has the same meaning as
provided in section 3502(1) of title 44, United States
Code;
(2) the term ``information security'' has the same
meaning as provided in [section 3532(1)] section
3552(b) of such title;
(3) the term ``information system'' has the same
meaning as provided in section 3502(8) of such title;
(4) the term ``information technology'' has the same
meaning as provided in section 11101 of title 40,
United States Code; and
(5) the term ``national security system'' has the
same meaning as provided in [section 3532(b)(2)]
section 3552(b) of such title.
* * * * * * *
----------
CYBERSECURITY ACT OF 2015
* * * * * * *
DIVISION N--CYBERSECURITY ACT OF 2015
* * * * * * *
TITLE II
NATIONAL CYBERSECURITY ADVANCEMENT
* * * * * * *
Subtitle B--Federal Cybersecurity Enhancement
* * * * * * *
Sec. 221. SHORT TITLE.
This subtitle may be cited as the ``Federal Cybersecurity
Enhancement Act of 2015''.
Sec. 222. DEFINITIONS.
In this subtitle:
(1) Agency.--The term ``agency'' has the meaning
given the term in section 3502 of title 44, United
States Code.
(2) Agency information system.--The term ``agency
information system'' has the meaning given the term in
section 2210 of the Homeland Security Act of 2002.
(3) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Committee on Homeland Security and
Governmental Affairs of the Senate; and
(B) the Committee on Homeland Security and
the Committee on Oversight and Accountability
of the House of Representatives.
(4) Cybersecurity risk; information system.--The
terms ``cybersecurity risk'' and ``information system''
have the meanings given those terms in section 2200 of
the Homeland Security Act of 2002.
(5) Director.--The term ``Director'' means the
Director of the Office of Management and Budget.
(6) Intelligence community.--The term ``intelligence
community'' has the meaning given the term in section
3(4) of the National Security Act of 1947 (50 U.S.C.
3003(4)).
(7) National security system.--The term ``national
security system'' has the meaning given the term in
section 11103 of title 40, United States Code.
(8) Secretary.--The term ``Secretary'' means the
Secretary of Homeland Security.
* * * * * * *
Sec. 226. ASSESSMENT; REPORTS.
(a) Definitions.--In this section:
(1) Agency information.--The term ``agency
information'' has the meaning given the term in section
2213 of the Homeland Security Act of 2002.
(2) Cyber threat indicator; defensive measure.--The
terms ``cyber threat indicator'' and ``defensive
measure'' have the meanings given those terms in
section 2200 of the Homeland Security Act of 2002.
(3) Intrusion assessments.--The term ``intrusion
assessments'' means actions taken under the intrusion
assessment plan to identify and remove intruders in
agency information systems.
(4) Intrusion Assessment Plan.--The term ``intrusion
assessment plan'' means the plan required under section
2210(b)(1) of the Homeland Security Act of 2002.
(5) Intrusion detection and prevention
capabilities.--The term ``intrusion detection and
prevention capabilities'' means the capabilities
required under section 2213(b) of the Homeland Security
Act of 2002.
(b) Third-party Assessment.--Not later than 3 years after the
date of enactment of this Act, the Comptroller General of the
United States shall conduct a study and publish a report on the
effectiveness of the approach and strategy of the Federal
Government to securing agency information systems, including
the intrusion detection and prevention capabilities and the
intrusion assessment plan.
(c) Reports to Congress.--
(1) Intrusion detection and prevention
capabilities.--
(A) Secretary of homeland security report.--
Not later than 6 months after the date of
enactment of this Act, and annually thereafter,
the Secretary shall submit to the appropriate
congressional committees a report on the status
of implementation of the intrusion detection
and prevention capabilities, including--
(i) a description of privacy
controls;
(ii) a description of the
technologies and capabilities utilized
to detect cybersecurity risks in
network traffic, including the extent
to which those technologies and
capabilities include existing
commercial and noncommercial
technologies;
(iii) a description of the
technologies and capabilities utilized
to prevent network traffic associated
with cybersecurity risks from
transiting or traveling to or from
agency information systems, including
the extent to which those technologies
and capabilities include existing
commercial and noncommercial
technologies;
(iv) a list of the types of
indicators or other identifiers or
techniques used to detect cybersecurity
risks in network traffic transiting or
traveling to or from agency information
systems on each iteration of the
intrusion detection and prevention
capabilities and the number of each
such type of indicator, identifier, and
technique;
(v) the number of instances in which
the intrusion detection and prevention
capabilities detected a cybersecurity
risk in network traffic transiting or
traveling to or from agency information
systems and the number of times the
intrusion detection and prevention
capabilities blocked network traffic
associated with cybersecurity risk; and
(vi) a description of the pilot
established under section 2213(c)(5) of
the Homeland Security Act of 2002,
including the number of new
technologies tested and the number of
participating agencies.
(B) OMB report.--Not later than 18 months
after the date of enactment of this Act, and
[annually thereafter] thereafter during the
years during which a report is required to be
submitted under section 3553(c) of title 44,
United States Code, the Director shall submit
to Congress, as part of the report required
under section 3553(c) of title 44, United
States Code, an analysis of agency application
of the intrusion detection and prevention
capabilities, including--
(i) a list of each agency and the
degree to which each agency has applied
the intrusion detection and prevention
capabilities to an agency information
system; and
(ii) a list by agency of--
(I) the number of instances
in which the intrusion
detection and prevention
capabilities detected a
cybersecurity risk in network
traffic transiting or traveling
to or from an agency
information system and the
types of indicators,
identifiers, and techniques
used to detect such
cybersecurity risks; and
(II) the number of instances
in which the intrusion
detection and prevention
capabilities prevented network
traffic associated with a
cybersecurity risk from
transiting or traveling to or
from an agency information
system and the types of
indicators, identifiers, and
techniques used to detect such
agency information systems.
(C) Chief information officer.--Not earlier
than 18 months after the date of enactment of
this Act and not later than 2 years after the
date of enactment of this Act, the Federal
Chief Information Officer shall review and
submit to the appropriate congressional
committees a report assessing the intrusion
detection and intrusion prevention
capabilities, including--
(i) the effectiveness of the system
in detecting, disrupting, and
preventing cyber-threat actors,
including advanced persistent threats,
from accessing agency information and
agency information systems;
(ii) whether the intrusion detection
and prevention capabilities, continuous
diagnostics and mitigation, and other
systems deployed under subtitle D of
title II of the Homeland Security Act
of 2002 (6 U.S.C. 231 et seq.) are
effective in securing Federal
information systems;
(iii) the costs and benefits of the
intrusion detection and prevention
capabilities, including as compared to
commercial technologies and tools and
including the value of classified cyber
threat indicators; and
(iv) the capability of agencies to
protect sensitive cyber threat
indicators and defensive measures if
they were shared through unclassified
mechanisms for use in commercial
technologies and tools.
(2) OMB report on development and implementation of
intrusion assessment plan, advanced internal defenses,
and federal cybersecurity requirements.--The Director
shall--
(A) not later than 6 months after the date of
enactment of this Act, and 30 days after any
update thereto, submit the intrusion assessment
plan to the appropriate congressional
committees;
(B) not later than 1 year after the date of
enactment of this Act, and [annually
thereafter] thereafter during the years during
which a report is required to be submitted
under section 3553(c) of title 44, United
States Code, submit to Congress, as part of
[the report required under section 3553(c) of
title 44, United States Code] that report--
(i) a description of the
implementation of the intrusion
assessment plan;
(ii) the findings of the intrusion
assessments conducted pursuant to the
intrusion assessment plan;
(iii) a description of the advanced
network security tools included in the
efforts to continuously diagnose and
mitigate cybersecurity risks pursuant
to section 224(a)(1); and
(iv) a list by agency of compliance
with the requirements of section
225(b); and
(C) not later than 1 year after the date of
enactment of this Act, submit to the
appropriate congressional committees--
(i) a copy of the plan developed
pursuant to section 224(a)(2); and
(ii) the improved metrics developed
pursuant to section 224(c).
(d) Form.--Each report required under this section shall be
submitted in unclassified form, but may include a classified
annex.
* * * * * * *
----------
NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2018
* * * * * * *
DIVISION A--DEPARTMENT OF DEFENSE AUTHORIZATIONS
* * * * * * *
TITLE X--GENERAL PROVISIONS
* * * * * * *
Subtitle G--Modernizing Government Technology
* * * * * * *
SEC. 1078. ESTABLISHMENT OF TECHNOLOGY MODERNIZATION FUND AND BOARD.
[(a) Definition.--In this section, the term ``agency'' has
the meaning given the term in section 551 of title 5, United
States Code.]
(a) Definitions.--In this section:
(1) Agency.--The term ``agency'' has the meaning
given the term in section 551 of title 5, United States
Code.
(2) High value asset.--The term ``high value asset''
has the meaning given the term in section 3552 of title
44, United States Code.
(b) Technology Modernization Fund.--
(1) Establishment.--There is established in the
Treasury a Technology Modernization Fund for
technology-related activities, to improve information
technology, to enhance cybersecurity across the Federal
Government, and to be administered in accordance with
guidance issued by the Director.
(2) Administration of fund.--The Administrator, in
consultation with the Chief Information Officers
Council and with the approval of the Director, shall
administer the Fund in accordance with this subsection.
(3) Use of funds.--The Administrator shall, in
accordance with recommendations from the Board, use
amounts in the Fund--
(A) to transfer such amounts, to remain
available until expended, to the head of an
agency for the acquisition of products and
services, or the development of such products
and services when more efficient and cost
effective, to improve, retire, or replace
existing Federal information technology systems
to enhance cybersecurity and privacy and
improve long-term efficiency and effectiveness;
(B) to transfer such amounts, to remain
available until expended, to the head of an
agency for the operation and procurement of
information technology products and services,
or the development of such products and
services when more efficient and cost
effective, and acquisition vehicles for use by
agencies to improve Governmentwide efficiency
and cybersecurity in accordance with the
requirements of the agencies;
(C) to provide services or work performed in
support of--
(i) the activities described in
subparagraph (A) or (B); and
(ii) the Board and the Director in
carrying out the responsibilities
described in subsection (c)(2); and
(D) to fund only programs, projects, or
activities or to fund increases for any
programs, projects, or activities that have not
been denied or restricted by Congress.
(4) Authorization of appropriations; credits;
availability of funds.--
(A) Authorization of appropriations.--There
is authorized to be appropriated to the Fund
$250,000,000 for each of fiscal years 2018 and
2019.
(B) Credits.--In addition to any funds
otherwise appropriated, the Fund shall be
credited with all reimbursements, advances, or
refunds or recoveries relating to information
technology or services provided for the
purposes described in paragraph (3).
(C) Availability of funds.--Amounts
deposited, credited, or otherwise made
available to the Fund shall be available until
expended for the purposes described in
paragraph (3).
(5) Reimbursement.--
(A) Reimbursement by agency.--
(i) In general.--The head of an
agency shall reimburse the Fund for any
transfer made under subparagraph (A) or
(B) of paragraph (3), including any
services or work performed in support
of the transfer under paragraph (3)(C),
in accordance with the terms
established in a written agreement
described in paragraph (6).
(ii) Reimbursement from subsequent
appropriations.--Notwithstanding any
other provision of law, an agency may
make a reimbursement required under
clause (i) from any appropriation made
available after the date of enactment
of this Act for information technology
activities, consistent with any
applicable reprogramming law or
guidelines of the Committees on
Appropriations of the Senate and the
House of Representatives.
(iii) Recording of obligation.--
Notwithstanding section 1501 of title
31, United States Code, an obligation
to make a payment under a written
agreement described in paragraph (6) in
a fiscal year after the date of
enactment of this Act shall be recorded
in the fiscal year in which the payment
is due.
(B) Prices fixed by administrator.--
(i) In general.--The Administrator,
in consultation with the Director,
shall establish amounts to be paid by
an agency under this paragraph and the
terms of repayment for activities
funded under paragraph (3), including
any services or work performed in
support of that development under
paragraph (3)(C), at levels sufficient
to ensure the solvency of the Fund,
including operating expenses.
(ii) Review and approval.--Before
making any changes to the established
amounts and terms of repayment, the
Administrator shall conduct a review
and obtain approval from the Director.
(C) Failure to make timely reimbursement.--
The Administrator may obtain reimbursement from
an agency under this paragraph by the issuance
of transfer and counterwarrants, or other
lawful transfer documents, supported by
itemized bills, if payment is not made by the
agency during the 90-day period beginning after
the expiration of a repayment period described
in a written agreement described in paragraph
(6).
(6) Written agreement.--
(A) In general.--Before the transfer of funds
to an agency under subparagraphs (A) and (B) of
paragraph (3), the Administrator, in
consultation with the Director, and the head of
the agency shall enter into a written
agreement--
(i) documenting the purpose for which
the funds will be used and the terms of
repayment, which may not exceed 5 years
unless approved by the Director; and
(ii) which shall be recorded as an
obligation as provided in paragraph
(5)(A).
(B) Requirement for use of incremental
funding, commercial products and services, and
rapid, iterative development practices.--The
Administrator shall ensure--
(i) for any funds transferred to an
agency under paragraph (3)(A), in the
absence of compelling circumstances
documented by the Administrator at the
time of transfer, that such funds shall
be transferred only on an incremental
basis, tied to metric-based development
milestones achieved by the agency
through the use of rapid, iterative,
development processes; and
(ii) that the use of commercial
products and services are incorporated
to the greatest extent practicable in
activities funded under subparagraphs
(A) and (B) of paragraph (3), and that
the written agreement required under
paragraph (6) documents this
preference.
(7) Reporting requirements.--
(A) List of projects.--
(i) In general.--Not later than 6
months after the date of enactment of
this Act, the Director shall maintain a
list of each project funded by the
Fund, to be updated not less than
quarterly, that includes a description
of the project, project status
(including any schedule delay and cost
overruns), financial expenditure data
related to the project, and the extent
to which the project is using
commercial products and services,
including if applicable, a
justification of why commercial
products and services were not used and
the associated development and
integration costs of custom
development.
(ii) Public availability.--The list
required under clause (i) shall be
published on a public website in a
manner that is, to the greatest extent
possible, consistent with applicable
law on the protection of classified
information, sources, and methods.
(B) Comptroller general reports.--Not later
than 2 years after the date of enactment of
this Act, and every 2 years thereafter, the
Comptroller General of the United States shall
submit to Congress and make publically
available a report assessing--
(i) the costs associated with
establishing the Fund and maintaining
the oversight structure associated with
the Fund compared with the cost savings
associated with the projects funded
both annually and over the life of the
acquired products and services by the
Fund;
(ii) the reliability of the cost
savings estimated by agencies
associated with projects funded by the
Fund;
(iii) whether agencies receiving
transfers of funds from the Fund used
full and open competition to acquire
the custom development of information
technology products or services; and
(iv) the number of IT procurement,
development, and modernization
programs, offices, and entities in the
Federal Government, including 18F and
the United States Digital Services, the
roles, responsibilities, and goals of
those programs and entities, and the
extent to which they duplicate work.
(8) Proposal evaluation.--The Director shall--
(A) give consideration for the use of amounts
in the Fund to improve the security of high
value assets; and
(B) require that any proposal for the use of
amounts in the Fund includes, as appropriate,
and which may be incorporated into otherwise
required project proposal documentation--
(i) cybersecurity risk management
considerations; and
(ii) a supply chain risk assessment
in accordance with section 1326 of
title 41.
(c) Technology Modernization Board.--
(1) Establishment.--There is established a Technology
Modernization Board to evaluate proposals submitted by
agencies for funding authorized under the Fund.
(2) Responsibilities.--The responsibilities of the
Board are--
(A) to provide input to the Director for the
development of processes for agencies to submit
modernization proposals to the Board and to
establish the criteria by which those proposals
are evaluated, which shall include--
(i) addressing the greatest security,
privacy, and operational risks,
including a consideration of the impact
on high value assets;
(ii) having the greatest
Governmentwide impact; and
(iii) having a high probability of
success based on factors including a
strong business case, technical design,
consideration of commercial off-the-
shelf products and services,
procurement strategy (including
adequate use of rapid, agile iterative
software development practices), and
program management;
(B) to make recommendations to the
Administrator to assist agencies in the further
development and refinement of select submitted
modernization proposals, based on an initial
evaluation performed with the assistance of the
Administrator;
(C) to review and prioritize, with the
assistance of the Administrator and the
Director, modernization proposals based on
criteria established pursuant to subparagraph
(A);
(D) to identify, with the assistance of the
Administrator, opportunities to improve or
replace multiple information technology systems
with a smaller number of information technology
services common to multiple agencies;
(E) to recommend the funding of modernization
projects, in accordance with the uses described
in subsection (b)(3), to the Administrator;
(F) to monitor, in consultation with the
Administrator, progress and performance in
executing approved projects and, if necessary,
recommend the suspension or termination of
funding for projects based on factors including
the failure to meet the terms of a written
agreement described in subsection (b)(6); and
(G) to monitor the operating costs of the
Fund.
(3) Membership.--The Board shall consist of 7 voting
members.
(4) Chair.--The Chair of the Board shall be the
Administrator of the Office of Electronic Government.
(5) Permanent members.--The permanent members of the
Board shall be--
(A) the Administrator of the Office of
Electronic Government; [and]
(B) a senior official from the General
Services Administration having technical
expertise in information technology
development, appointed by the Administrator,
with the approval of the Director[.] ; and
(C) a senior official from the Cybersecurity
and Infrastructure Security Agency of the
Department of Homeland Security, appointed by
the Director.
(6) Additional members of the board.--
(A) Appointment.--The other members of the
Board [shall be--]
[(i) 1 employee of the National
Protection and Programs Directorate of
the Department of Homeland Security,
appointed by the Secretary of Homeland
Security; and]
[(ii) 4 employees] shall be 4
employees of the Federal Government
primarily having technical expertise in
information technology development,
financial management, cybersecurity and
privacy, and acquisition, appointed by
the Director.
(B) Term.--Each member of the Board described
in paragraph (A) shall serve a term of 1 year,
which shall be renewable not more than 4 times
at the discretion of the appointing Secretary
or Director, as applicable.
(7) Prohibition on compensation.--Members of the
Board may not receive additional pay, allowances, or
benefits by reason of their service on the Board.
(8) Staff.--Upon request of the Chair of the Board,
the Director and the Administrator may detail, on a
reimbursable or nonreimbursable basis, any employee of
the Federal Government to the Board to assist the Board
in carrying out the functions of the Board.
(d) Responsibilities of Administrator.--
(1) In general.--In addition to the responsibilities
described in subsection (b), the Administrator shall
support the activities of the Board and provide
technical support to, and, with the concurrence of the
Director, oversight of, agencies that receive transfers
from the Fund.
(2) Responsibilities.--The responsibilities of the
Administrator are--
(A) to provide direct technical support in
the form of personnel services or otherwise to
agencies transferred amounts under subsection
(b)(3)(A) and for products, services, and
acquisition vehicles funded under subsection
(b)(3)(B);
(B) to assist the Board with the evaluation,
prioritization, and development of agency
modernization proposals.
(C) to perform regular project oversight and
monitoring of approved agency modernization
projects, in consultation with the Board and
the Director, to increase the likelihood of
successful implementation and reduce waste; and
(D) to provide the Director with information
necessary to meet the requirements of
subsection (b)(7).
(e) Effective Date.--This section shall take effect on the
date that is 90 days after the date of enactment of this Act.
(f) Sunset.--
(1) In general.--On and after the date that is 2
years after the date on which the Comptroller General
of the United States issues the third report required
under subsection (b)(7)(B), the Administrator may not
award or transfer funds from the Fund for any project
that is not already in progress as of such date.
(2) Transfer of unobligated amounts.--Not later than
90 days after the date on which all projects that
received an award from the Fund are completed, any
amounts in the Fund shall be transferred to the general
fund of the Treasury and shall be used for deficit
reduction.
(3) Termination of technology modernization board.--
Not later than 90 days after the date on which all
projects that received an award from the Fund are
completed, the Technology Modernization Board and all
the authorities of subsection (c) shall terminate.
* * * * * * *
----------
TITLE 40, UNITED STATES CODE
* * * * * * *
SUBTITLE III--INFORMATION TECHNOLOGY
MANAGEMENT
* * * * * * *
CHAPTER 113--RESPONSIBILITY FOR ACQUISITIONS OF
INFORMATION TECHNOLOGY
* * * * * * *
SUBCHAPTER I--DIRECTOR OF OFFICE OF MANAGEMENT
AND BUDGET
* * * * * * *
Sec. 11302. Capital planning and investment control
(a) Federal Information Technology.--The Director of the
Office of Management and Budget shall perform the
responsibilities set forth in this section in fulfilling the
responsibilities under section 3504(h) of title 44.
(b) Use of Information Technology in Federal Programs.--The
Director shall promote and improve the acquisition, [use,
security, and disposal of] use, and disposal of, and, in
consultation with the Director of the Cybersecurity and
Infrastructure Security Agency and the National Cyber Director,
promote and improve the security of, information technology by
the Federal Government to improve the productivity, efficiency,
and effectiveness of federal programs, including through
dissemination of public information and the reduction of
information collection burdens on the public.
(c) Use of Budget Process.--
(1) Definitions.--In this subsection:
(A) The term ``covered agency'' means an
agency listed in section 901(b)(1) or 901(b)(2)
of title 31.
(B) The term ``major information technology
investment'' means an investment within a
covered agency information technology
investment portfolio that is designated by the
covered agency as major, in accordance with
capital planning guidance issued by the
Director.
(C) The term ``national security system'' has
the meaning provided in section 3542 of title
44.
(2) Analyzing, tracking, and evaluating capital
investments.--As part of the budget process, the
Director shall develop a process for analyzing,
tracking, and evaluating the risks, including
information security risks, and results of all major
capital investments made by an executive agency for
information systems. The process shall cover the life
of each system and shall include explicit criteria for
analyzing the projected and actual costs, benefits, and
risks, including information security risks, associated
with the investments.
(3) Public availability.--
(A) In general.--The Director shall make
available to the public a list of each major
information technology investment, without
regard to whether the investments are for new
information technology acquisitions or for
operations and maintenance of existing
information technology, including data on cost,
schedule, and performance.
(B) Agency information.--
(i) The Director shall issue guidance
to each covered agency for reporting of
data required by subparagraph (A) that
provides a standardized data template
that can be incorporated into existing,
required data reporting formats and
processes. Such guidance shall
integrate the reporting process into
current budget reporting that each
covered agency provides to the Office
of Management and Budget, to minimize
additional workload. Such guidance
shall also clearly specify that the
investment evaluation required under
subparagraph (C) adequately reflect the
investment's cost and schedule
performance and employ incremental
development approaches in appropriate
cases.
(ii) The Chief Information Officer of
each covered agency shall provide the
Director with the information described
in subparagraph (A) on at least a semi-
annual basis for each major information
technology investment, using existing
data systems and processes.
(C) Investment evaluation.--For each major
information technology investment listed under
subparagraph (A), the Chief Information Officer
of the covered agency, in consultation with
other appropriate agency officials, shall
categorize the investment according to risk, in
accordance with guidance issued by the
Director.
(D) Continuous improvement.--If either the
Director or the Chief Information Officer of a
covered agency determines that the information
made available from the agency's existing data
systems and processes as required by
subparagraph (B) is not timely and reliable,
the Chief Information Officer, in consultation
with the Director and the head of the agency,
shall establish a program for the improvement
of such data systems and processes.
(E) Waiver or limitation authority.--The
applicability of subparagraph (A) may be waived
or the extent of the information may be limited
by the Director, if the Director determines
that such a waiver or limitation is in the
national security interests of the United
States.
(F) Additional limitation.--The requirements
of subparagraph (A) shall not apply to national
security systems or to telecommunications or
information technology that is fully funded by
amounts made available--
(i) under the National Intelligence
Program, defined by section 3(6) of the
National Security Act of 1947 (50
U.S.C. 3003(6));
(ii) under the Military Intelligence
Program or any successor program or
programs; or
(iii) jointly under the National
Intelligence Program and the Military
Intelligence Program (or any successor
program or programs).
(4) Risk management.--For each major information
technology investment listed under paragraph (3)(A)
that receives a high risk rating, as described in
paragraph (3)(C), for 4 consecutive quarters--
(A) the Chief Information Officer of the
covered agency and the program manager of the
investment within the covered agency, in
consultation with the Administrator of the
Office of Electronic Government, shall conduct
a review of the investment that shall
identify--
(i) the root causes of the high level
of risk of the investment;
(ii) the extent to which these causes
can be addressed; and
(iii) the probability of future
success;
(B) the Administrator of the Office of
Electronic Government shall communicate the
results of the review under subparagraph (A)
to--
(i) the Committee on Homeland
Security and Governmental Affairs and
the Committee on Appropriations of the
Senate;
(ii) the Committee on Oversight and
Government Reform and the Committee on
Appropriations of the House of
Representatives; and
(iii) the committees of the Senate
and the House of Representatives with
primary jurisdiction over the agency;
(C) in the case of a major information
technology investment of the Department of
Defense, the assessment required by
subparagraph (A) may be accomplished in
accordance with section 2445c of
title 10, provided that the results of the
review are provided to the Administrator of the
Office of Electronic Government upon request
and to the committees identified in subsection
(B); and
(D) for a covered agency other than the
Department of Defense, if on the date that is
one year after the date of completion of the
review required under subsection (A), the
investment is rated as high risk under
paragraph (3)(C), the Director shall deny any
request for additional development,
modernization, or enhancement funding for the
investment until the date on which the Chief
Information Officer of the covered agency
determines that the root causes of the high
level of risk of the investment have been
addressed, and there is sufficient capability
to deliver the remaining planned increments
within the planned cost and schedule.
(5) Report to congress.--At the same time that the
President submits the budget for a fiscal year to
Congress under section 1105(a) of title 31, the
Director shall submit to Congress a report on the net
program performance benefits achieved as a result of
major capital investments made by executive agencies
for information systems and how the benefits relate to
the accomplishment of the goals of the executive
agencies.
(d) Information Technology Standards.--The Director shall
oversee the development and implementation of standards and
guidelines pertaining to federal computer systems by the
Secretary of Commerce through the National Institute of
Standards and Technology under section 11331 of this title and
section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3).
(e) Designation of Executive Agents for Acquisitions.--The
Director shall designate the head of one or more executive
agencies, as the Director considers appropriate, as executive
agent for Government-wide acquisitions of information
technology.
(f) Use of Best Practices in Acquisitions.--The Director
shall encourage the heads of the executive agencies to develop
and use the best practices in the acquisition of information
technology.
(g) Assessment of Other Models for Managing Information
Technology.--On a continuing basis, the Director shall assess
the experiences of executive agencies, state and local
governments, international organizations, and the private
sector in managing information technology.
(h) Comparison of Agency Uses of Information Technology.--The
Director shall compare the performances, including
cybersecurity performances, of the executive agencies in using
information technology and shall disseminate the comparisons to
the heads of the executive agencies.
(i) Monitoring Training.--The Director shall monitor the
development and implementation of training in information
resources management for executive agency personnel.
(j) Informing Congress.--The Director shall keep Congress
fully informed on the extent to which the executive agencies
are improving the performance of agency programs and the
accomplishment of the agency missions through the use of the
best practices in information resources management.
(k) Coordination of Policy Development and Review.--The
Director shall coordinate with the Office of Federal
Procurement Policy the development and review by the
Administrator of the Office of Information and Regulatory
Affairs of policy associated with federal acquisition of
information technology.
Sec. 11303. Performance-based and results-based management
(a) In General.--The Director of the Office of Management and
Budget shall encourage the use of performance-based and
results-based management in fulfilling the responsibilities
assigned under section 3504(h) of title 44.
(b) Evaluation of Agency Programs and Investments.--
(1) Requirement.--The Director shall evaluate the
information resources management practices of the
executive agencies with respect to the performance and
results of the investments made by the executive
agencies in information technology.
(2) Direction for executive agency action.--The
Director shall issue to the head of each executive
agency clear and concise direction that the head of
each agency shall--
(A) establish effective and efficient capital
planning processes for selecting, managing, and
evaluating the results of all of its major
investments in information systems;
(B) determine, before making an investment in
a new information system--
(i) whether the function to be
supported by the system should be
performed by the private sector and, if
so, whether any component of the
executive agency performing that
function should be converted from a
governmental organization to a private
sector organization; [or]
(ii) whether the function should be
performed by the executive agency and,
if so, whether the function should be
performed by a private sector source
under contract or by executive agency
personnel; or
(iii) whether the function should be
performed by a shared service offered
by another executive agency;
(C) analyze the missions of the executive
agency and, based on the analysis, revise the
executive agency's mission-related processes
and administrative processes, as appropriate,
before making significant investments in
information technology to be used in support of
those missions; and
(D) ensure that the information security
policies, procedures, and practices are
adequate.
(3) Guidance for multiagency investments.--The
direction issued under paragraph (2) shall include
guidance for undertaking efficiently and effectively
interagency and Federal Government-wide investments in
information technology to improve the accomplishment of
missions that are common to the executive agencies.
(4) Periodic reviews.--The Director shall implement
through the budget process periodic reviews of selected
information resources management activities of the
executive agencies to ascertain the efficiency and
effectiveness of information technology in improving
the performance of the executive agency and the
accomplishment of the missions of the executive agency.
(5) Enforcement of accountability.--
(A) In general.--The Director may take any
action that the Director considers appropriate,
including an action involving the budgetary
process or appropriations management process,
to enforce accountability of the head of an
executive agency for information resources
management and for the investments made by the
executive agency in information technology.
(B) Specific actions.--Actions taken by the
Director may include--
(i) recommending a reduction or an
increase in the amount for information
resources that the head of the
executive agency proposes for the
budget submitted to Congress under
section 1105(a) of title 31;
(ii) reducing or otherwise adjusting
apportionments and reapportionments of
appropriations for information
resources;
(iii) using other administrative
controls over appropriations to
restrict the availability of amounts
for information resources; and
(iv) designating for the executive
agency an executive agent to contract
with private sector sources for the
performance of information resources
management or the acquisition of
information technology.
SUBCHAPTER II--EXECUTIVE AGENCIES
* * * * * * *
Sec. 11312. Capital planning and investment control
(a) Design of Process.--In fulfilling the responsibilities
assigned under section 3506(h) of title 44, the head of each
executive agency shall design and implement in the executive
agency a process for maximizing the value, and assessing and
managing the risks, including security risks, of the
information technology acquisitions of the executive agency.
(b) Content of Process.--The process of an executive agency
shall--
(1) provide for the selection of investments in
information technology (including information security
needs) to be made by the executive agency, the
management of those investments, and the evaluation of
the results of those investments;
(2) be integrated with the processes for making
budget, financial, and program management decisions in
the executive agency;
(3) include minimum criteria to be applied in
considering whether to undertake a particular
investment in information systems, including criteria
related to the quantitatively expressed projected net,
risk-adjusted return on investment and specific
quantitative and qualitative criteria for comparing and
prioritizing alternative information systems investment
projects;
(4) identify information systems investments that
would result in shared benefits or costs for other
federal agencies or state or local governments;
(5) identify quantifiable measurements for
determining the net benefits and risks of a proposed
investment; and
(6) provide the means for senior management personnel
of the executive agency to obtain timely information
regarding the progress of an investment in an
information system, including a system of milestones
for measuring progress, on an independently verifiable
basis, in terms of cost, capability of the system to
meet specified requirements, timeliness, and quality.
Sec. 11313. Performance and results-based management
In fulfilling the responsibilities under section 3506(h) of
title 44, the head of an executive agency shall--
(1) establish goals for improving the [efficiency and
effectiveness] efficiency, security, and effectiveness
of agency operations and, as appropriate, the delivery
of services to the public through the effective use of
information technology;
(2) prepare an annual report, to be included in the
executive agency's budget submission to Congress, on
the progress in achieving the goals;
(3) ensure that performance measurements--
(A) are prescribed for information technology
used by, or to be acquired for, the executive
agency; and
(B) measure how well the information
technology supports programs of the executive
agency;
(4) where comparable processes and organizations in
the public or private sectors exist, quantitatively
benchmark agency process performance against those
processes in terms of cost, speed, productivity, and
quality of outputs and outcomes;
(5) analyze the missions of the executive agency and,
based on the analysis, revise the executive agency's
mission-related processes and administrative processes
as appropriate before making significant investments in
information technology to be used in support of the
performance of those missions; and
(6) ensure that the information security policies,
procedures, and practices of the executive agency are
adequate.
* * * * * * *
Sec. 11317. Significant deviations
The head of each executive agency shall identify in the
strategic information resources management plan required under
section 3506(b)(2) of title 44 any major information technology
acquisition program, or any phase or increment of that program,
that has significantly deviated from the cost, performance,
security, or schedule goals established for the program.
* * * * * * *
Sec. 11319. Resources, planning, and portfolio management
(a) Definitions.--In this section:
(1) The term ``covered agency'' means each agency
listed in section 901(b)(1) or 901(b)(2) of title 31.
(2) The term ``information technology'' has the
meaning given that term under capital planning guidance
issued by the Office of Management and Budget.
(b) Additional Authorities for Chief Information Officers.--
(1) Planning, programming, budgeting, and execution
authorities for [cios] chief information officers.--
(A) In general.--The head of each covered
agency other than the Department of Defense
shall ensure that the Chief Information Officer
of the agency has a significant role in--
(i) the decision processes for all
annual and multi-year planning,
programming, budgeting, and execution
decisions, related reporting
requirements, and reports related to
information technology; and
(ii) the management, governance, and
oversight processes related to
information technology.
(B) Budget formulation.--The Director of the
Office of Management and Budget shall require
in the annual information technology capital
planning guidance of the Office of Management
and Budget the following:
(i) That the Chief Information
Officer of each covered agency other
than the Department of Defense approve
the information technology budget
request of the covered agency, and that
the Chief Information Officer of the
Department of Defense review and
provide recommendations to the
Secretary of Defense on the information
technology budget request of the
Department.
(ii) That the Chief Information
Officer of each covered agency certify
that information technology investments
are adequately implementing incremental
development, as defined in capital
planning guidance issued by the Office
of Management and Budget.
(C) Review.--
(i) In general.--A covered agency
other than the Department of Defense--
(I) may not enter into a
contract or other agreement for
information technology or
information technology
services, unless the contract
or other agreement has been
reviewed and approved by the
Chief Information Officer of
the agency;
(II) may not request the
reprogramming of any funds made
available for information
technology programs, unless the
request has been reviewed and
approved by the Chief
Information Officer of the
agency; and
(III) may use the governance
processes of the agency to
approve such a contract or
other agreement if the Chief
Information Officer of the
agency is included as a full
participant in the governance
processes.
(ii) Delegation.--
(I) In general.--Except as
provided in subclause (II), the
duties of a Chief Information
Officer under clause (i) are
not delegable.
(II) Non-major information
technology investments.--For a
contract or agreement for a
non-major information
technology investment, as
defined in the annual
information technology capital
planning guidance of the Office
of Management and Budget, the
Chief Information Officer of a
covered agency other than the
Department of Defense may
delegate the approval of the
contract or agreement under
clause (i) to an individual who
reports directly to the Chief
Information Officer.
(2) Personnel-related authority.--Notwithstanding any
other provision of law, for each covered agency other
than the Department of Defense, the Chief Information
Officer of the covered agency shall approve the
appointment of any other employee with the title of
Chief Information Officer, or who functions in the
capacity of a Chief Information Officer, for any
component organization within the covered agency.
(c) Limitation.--None of the authorities provided in this
section shall apply to telecommunications or information
technology that is fully funded by amounts made available--
(1) under the National Intelligence Program, defined
by section 3(6) of the National Security Act of 1947
(50 U.S.C. 3003(6));
(2) under the Military Intelligence Program or any
successor program or programs; or
(3) jointly under the National Intelligence Program
and the Military Intelligence Program (or any successor
program or programs).
(d) Information Technology Portfolio, Program, and Resource
Reviews.--
(1) Process.--The Director of the Office of
Management and Budget, in consultation with the Chief
Information Officers of appropriate agencies, shall
implement a process to assist covered agencies in
reviewing their portfolio of information technology
investments--
(A) to identify or develop ways to increase
the efficiency and effectiveness of the
information technology investments of the
covered agency;
(B) to identify or develop opportunities to
consolidate the acquisition and management of
information technology services, and increase
the use of shared-service delivery models;
(C) to identify potential duplication and
waste;
(D) to identify potential cost savings;
(E) to develop plans for actions to optimize
the information technology portfolio, programs,
and resources of the covered agency;
(F) to develop ways to better align the
information technology portfolio, programs, and
financial resources of the covered agency to
any multi-year funding requirements or
strategic plans required by law;
(G) to develop a multi-year strategy to
identify and reduce duplication and waste
within the information technology portfolio of
the covered agency, including component-level
investments and to identify projected cost
savings resulting from such strategy; and
(H) to carry out any other goals that the
Director may establish.
(2) Metrics and performance indicators.--The Director
of the Office of Management and Budget, in consultation
with the Chief Information Officers of appropriate
agencies, shall develop standardized cost savings and
cost avoidance metrics and performance indicators for
use by agencies for the process implemented under
paragraph (1).
(3) Annual review.--The Chief Information Officer of
each covered agency, in conjunction with the Chief
Operating Officer or Deputy Secretary (or equivalent)
of the covered agency and the Administrator of the
Office of Electronic Government, shall conduct an
annual review of the information technology portfolio
of the covered agency.
(4) Applicability to the department of defense.--In
the case of the Department of Defense, processes
established pursuant to this subsection shall apply
only to the business systems information technology
portfolio of the Department of Defense and not to
national security systems as defined by section
11103(a) of this title. The annual review required by
paragraph (3) shall be carried out by the Chief
Information Officer of the Department of Defense, in
consultation with the Under Secretary of Defense for
Acquisition and Sustainment and other appropriate
Department of Defense officials. The Secretary of
Defense may designate an existing investment or
management review process to fulfill the requirement
for the annual review required by paragraph (3), in
consultation with the Administrator of the Office of
Electronic Government.
(5) Quarterly reports.--
(A) In general.--The Administrator of the
Office of Electronic Government shall submit a
quarterly report on the cost savings and
reductions in duplicative information
technology investments identified through the
review required by paragraph (3) to--
(i) the Committee on Homeland
Security and Governmental Affairs and
the Committee on Appropriations of the
Senate;
(ii) the Committee on Oversight and
Government Reform and the Committee on
Appropriations of the House of
Representatives; and
(iii) upon a request by any committee
of Congress, to that committee.
(B) Inclusion in other reports.--The reports
required under subparagraph (A) may be included
as part of another report submitted to the
committees of Congress described in clauses
(i), (ii), and (iii) of subparagraph (A).
* * * * * * *
----------
FEDERAL INFORMATION SECURITY MODERNIZATION
ACT OF 2014
* * * * * * *
SEC. 2. FISMA REFORM.
(a) In General.--Chapter 35 of title 44, United States Code,
is amended by striking subchapters II and III and inserting the
following:
* * * * * * *
[(b) Major Incident.--The Director of the Office of
Management and Budget shall--
[(1) develop guidance on what constitutes a major
incident for purposes of section 3554(b) of title 44,
United States Code, as added by subsection (a); and
[(2) provide to Congress periodic briefings on the
status of the developing of the guidance until the date
on which the guidance is issued.]
[(c)] (b) Continuous Diagnostics.--During the 2 year period
beginning on the date of enactment of this Act, the Director of
the Office of Management and Budget, with the assistance of the
Secretary of Homeland Security, shall include in each report
submitted under section 3553(c) of title 44, United States
Code, as added by subsection (a), an assessment of the adoption
by agencies of continuous diagnostics technologies, including
through the Continuous Diagnostics and Mitigation program, and
other advanced security tools to provide information security,
including challenges to the adoption of such technologies or
security tools.
[(d) Breaches.--
[(1) Requirements.--The Director of the Office of
Management and Budget shall ensure that data breach
notification policies and guidelines are updated
periodically and require--
[(A) except as provided in paragraph (4),
notice by the affected agency to each committee
of Congress described in section 3554(c)(1) of
title 44, United States Code, as added by
subsection (a), the Committee on the Judiciary
of the Senate, and the Committee on the
Judiciary of the House of Representatives,
which shall--
[(i) be provided expeditiously and
not later than 30 days after the date
on which the agency discovered the
unauthorized acquisition or access; and
[(ii) include--
[(I) information about the
breach, including a summary of
any information that the agency
knows on the date on which
notification is provided about
how the breach occurred;
[(II) an estimate of the
number of individuals affected
by the breach, based on
information that the agency
knows on the date on which
notification is provided,
including an assessment of the
risk of harm to affected
individuals;
[(III) a description of any
circumstances necessitating a
delay in providing notice to
affected individuals; and
[(IV) an estimate of whether
and when the agency will
provide notice to affected
individuals; and
[(B) notice by the affected agency to
affected individuals, pursuant to data breach
notification policies and guidelines, which
shall be provided as expeditiously as
practicable and without unreasonable delay
after the agency discovers the unauthorized
acquisition or access.
[(2) National security; law enforcement;
remediation.--The Attorney General, the head of an
element of the intelligence community (as such term is
defined under section 3(4) of the National Security Act
of 1947 (50 U.S.C. 3003(4)), or the Secretary of
Homeland Security may delay the notice to affected
individuals under paragraph (1)(B) if the notice would
disrupt a law enforcement investigation, endanger
national security, or hamper security remediation
actions.
[(3) Reports.--
[(A) Director of omb.--During the first 2
years beginning after the date of enactment of
this Act, the Director of the Office of
Management and Budget shall, on an annual
basis--
[(i) assess agency implementation of
data breach notification policies and
guidelines in aggregate; and
[(ii) include the assessment
described in clause (i) in the report
required under section 3553(c) of title
44, United States Code.
[(B) Secretary of homeland security.--During
the first 2 years beginning after the date of
enactment of this Act, the Secretary of
Homeland Security shall include an assessment
of the status of agency implementation of data
breach notification policies and guidelines in
the requirements under section 3553(b)(2)(B) of
title 44, United States Code.
[(4) Exception.--Any element of the intelligence
community (as such term is defined under section 3(4)
of the National Security Act of 1947 (50 U.S.C.
3003(4)) that is required to provide notice under
paragraph (1)(A) shall only provide such notice to
appropriate committees of Congress.
[(5) Rule of construction.--Nothing in paragraph (1)
shall be construed to alter any authority of a Federal
agency or department.]
[(e)] (c) Technical and Conforming Amendments.--
(1) Table of sections.--The table of sections for
chapter 35 of title 44, United States Code is amended
by striking the matter relating to subchapters II and
III and inserting the following:
``subchapter ii--information security
3551. Purposes.
3552. Definitions.
3553. Authority and functions of the Director and the Secretary.
3554. Federal agency responsibilities.
3555. Annual independent evaluation.
3556. Federal information security incident center.
3557. National security systems.
3558. Effect on existing law.
(2) Cybersecurity research and development act.--
Section 8(d)(1) of the Cybersecurity Research and
Development Act (15 U.S.C. 7406) is amended by striking
``section 3534'' and inserting ``section 3554''.
(3) Homeland security act of 2002.--The Homeland
Security Act of 2002 (6 U.S.C. 101 et seq.) is
amended--
(A) in section 223 (6 U.S.C. 143)--
(i) in the section heading, by
inserting ``federal and'' before ``non-
federal'';
(ii) in the matter preceding
paragraph (1), by striking ``the Under
Secretary for Intelligence and
Analysis, in cooperation with the
Assistant Secretary for Infrastructure
Protection'' and inserting ``the Under
Secretary appointed under section
103(a)(1)(H)'';
(iii) in paragraph (2), by striking
the period at the end and inserting ``;
and''; and
(iv) by adding at the end the
following:
``(3) fulfill the responsibilities of the Secretary
to protect Federal information systems under subchapter
II of chapter 35 of title 44, United States Code.'';
(B) in section 1001(c)(1)(A) (6 U.S.C.
511(c)(1)(A)), by striking ``section 3532(3)''
and inserting ``section 3552(b)(5)''; and
(C) in the table of contents in section 1(b),
by striking the item relating to section 223
and inserting the following:
``Sec. 223. Enhancement of Federal and non-Federal cybersecurity.''.
(4) National institute of standards and technology
act.--Section 20 of the National Institute of Standards
and Technology Act (15 U.S.C. 278g-3) is amended--
(A) in subsection (a)(2), by striking
``section 3532(b)(2)'' and inserting ``section
3552(b)(5)''; and
(B) in subsection (e)--
(i) in paragraph (2), by striking
``section 3532(1)'' and inserting
``section 3552(b)(2)''; and
(ii) in paragraph (5), by striking
``section 3532(b)(2)'' and inserting
``section 3552(b)(5)''.
(5) Title 10.--Title 10, United States Code, is
amended--
(A) in section 2222(j)(5), by striking
``section 3542(b)(2)'' and inserting ``section
3552(b)(5)'';
(B) in section 2223(c)(3), by striking
``section 3542(b)(2)'' and inserting ``section
3552(b)(5)''; and
(C) in section 2315, by striking ``section
3542(b)(2)'' and inserting ``section
3552(b)(5)''.
[(f)] (d) Other Provisions.--
(1) Circular a-130.--Not later than 1 year after the
date of enactment of this Act, the Director of the
Office of Management and Budget shall amend or revise
Office of Management and Budget Circular A-130 to
eliminate inefficient or wasteful reporting. The
Director of the Office of Management and Budget shall
provide quarterly briefings to Congress on the status
of the amendment or revision required under this
paragraph.
(2) ISPAB.--Section 21(b) of the National Institute
of Standards and Technology Act (15 U.S.C. 278g-4(b))
is amended--
(A) in paragraph (2), by inserting ``, the
Secretary of Homeland Security,'' after ``the
Institute''; and
(B) in paragraph (3), by inserting ``the
Secretary of Homeland Security,'' after ``the
Secretary of Commerce,''.
----------
TITLE 5, UNITED STATES CODE
* * * * * * *
PART I--THE AGENCIES GENERALLY
* * * * * * *
CHAPTER 5--ADMINISTRATIVE PROCEDURE
* * * * * * *
SUBCHAPTER II--ADMINISTRATIVE PROCEDURE
* * * * * * *
Sec. 552a. Records maintained on individuals
(a) Definitions.--For purposes of this section--
(1) the term ``agency'' means agency as defined in
section 552(e) of this title;
(2) the term ``individual'' means a citizen of the
United States or an alien lawfully admitted for
permanent residence;
(3) the term ``maintain'' includes maintain, collect,
use, or disseminate;
(4) the term ``record'' means any item, collection,
or grouping of information about an individual that is
maintained by an agency, including, but not limited to,
his education, financial transactions, medical history,
and criminal or employment history and that contains
his name, or the identifying number, symbol, or other
identifying particular assigned to the individual, such
as a finger or voice print or a photograph;
(5) the term ``system of records'' means a group of
any records under the control of any agency from which
information is retrieved by the name of the individual
or by some identifying number, symbol, or other
identifying particular assigned to the individual;
(6) the term ``statistical record'' means a record in
a system of records maintained for statistical research
or reporting purposes only and not used in whole or in
part in making any determination about an identifiable
individual, except as provided by section 8 of title
13;
(7) the term ``routine use'' means, with respect to
the disclosure of a record, the use of such record for
a purpose which is compatible with the purpose for
which it was collected;
(8) the term ``matching program''--
(A) means any computerized comparison of--
(i) two or more automated systems of
records or a system of records with
non-Federal records for the purpose
of--
(I) establishing or verifying
the eligibility of, or
continuing compliance with
statutory and regulatory
requirements by, applicants
for, recipients or
beneficiaries of, participants
in, or providers of services
with respect to, cash or in-
kind assistance or payments
under Federal benefit programs,
or
(II) recouping payments or
delinquent debts under such
Federal benefit programs, or
(ii) two or more automated Federal
personnel or payroll systems of records
or a system of Federal personnel or
payroll records with non-Federal
records,
(B) but does not include--
(i) matches performed to produce
aggregate statistical data without any
personal identifiers;
(ii) matches performed to support any
research or statistical project, the
specific data of which may not be used
to make decisions concerning the
rights, benefits, or privileges of
specific individuals;
(iii) matches performed, by an agency
(or component thereof) which performs
as its principal function any activity
pertaining to the enforcement of
criminal laws, subsequent to the
initiation of a specific criminal or
civil law enforcement investigation of
a named person or persons for the
purpose of gathering evidence against
such person or persons;
(iv) matches of tax information (I)
pursuant to section 6103(d) of the
Internal Revenue Code of 1986, (II) for
purposes of tax administration as
defined in section 6103(b)(4) of such
Code, (III) for the purpose of
intercepting a tax refund due an
individual under authority granted by
section 404(e), 464, or 1137 of the
Social Security Act; or (IV) for the
purpose of intercepting a tax refund
due an individual under any other tax
refund intercept program authorized by
statute which has been determined by
the Director of the Office of
Management and Budget to contain
verification, notice, and hearing
requirements that are substantially
similar to the procedures in section
1137 of the Social Security Act;
(v) matches--
(I) using records
predominantly relating to
Federal personnel, that are
performed for routine
administrative purposes
(subject to guidance provided
by the Director of the Office
of Management and Budget
pursuant to subsection (v)); or
(II) conducted by an agency
using only records from systems
of records maintained by that
agency;
if the purpose of the match is not to take any
adverse financial, personnel, disciplinary, or
other adverse action against Federal personnel;
(vi) matches performed for foreign
counterintelligence purposes or to
produce background checks for security
clearances of Federal personnel or
Federal contractor personnel;
(vii) matches performed incident to a
levy described in section 6103(k)(8) of
the Internal Revenue Code of 1986;
(viii) matches performed pursuant to
section 202(x)(3) or 1611(e)(1) of the
Social Security Act (42 U.S.C.
402(x)(3), 1382(e)(1));
(ix) matches performed by the
Secretary of Health and Human Services
or the Inspector General of the
Department of Health and Human Services
with respect to potential fraud, waste,
and abuse, including matches of a
system of records with non-Federal
records; or
(x) matches performed pursuant to
section 3(d)(4) of the Achieving a
Better Life Experience Act of 2014;
(9) the term ``recipient agency'' means any agency,
or contractor thereof, receiving records contained in a
system of records from a source agency for use in a
matching program;
(10) the term ``non-Federal agency'' means any State
or local government, or agency thereof, which receives
records contained in a system of records from a source
agency for use in a matching program;
(11) the term ``source agency'' means any agency
which discloses records contained in a system of
records to be used in a matching program, or any State
or local government, or agency thereof, which discloses
records to be used in a matching program;
(12) the term ``Federal benefit program'' means any
program administered or funded by the Federal
Government, or by any agent or State on behalf of the
Federal Government, providing cash or in-kind
assistance in the form of payments, grants, loans, or
loan guarantees to individuals; and
(13) the term ``Federal personnel'' means officers
and employees of the Government of the United States,
members of the uniformed services (including members of
the Reserve Components), individuals entitled to
receive immediate or deferred retirement benefits under
any retirement program of the Government of the United
States (including survivor benefits).
(b) Conditions of Disclosure.--No agency shall disclose any
record which is contained in a system of records by any means
of communication to any person, or to another agency, except
pursuant to a written request by, or with the prior written
consent of, the individual to whom the record pertains, unless
disclosure of the record would be--
(1) to those officers and employees of the agency
which maintains the record who have a need for the
record in the performance of their duties;
(2) required under section 552 of this title;
(3) for a routine use as defined in subsection (a)(7)
of this section and described under subsection
(e)(4)(D) of this section;
(4) to the Bureau of the Census for purposes of
planning or carrying out a census or survey or related
activity pursuant to the provisions of title 13;
(5) to a recipient who has provided the agency with
advance adequate written assurance that the record will
be used solely as a statistical research or reporting
record, and the record is to be transferred in a form
that is not individually identifiable;
(6) to the National Archives and Records
Administration as a record which has sufficient
historical or other value to warrant its continued
preservation by the United States Government, or for
evaluation by the Archivist of the United States or the
designee of the Archivist to determine whether the
record has such value;
(7) to another agency or to an instrumentality of any
governmental jurisdiction within or under the control
of the United States for a civil or criminal law
enforcement activity if the activity is authorized by
law, and if the head of the agency or instrumentality
has made a written request to the agency which
maintains the record specifying the particular portion
desired and the law enforcement activity for which the
record is sought;
(8) to a person pursuant to a showing of compelling
circumstances affecting the health or safety of an
individual if upon such disclosure notification is
transmitted to the last known address of such
individual;
(9) to either House of Congress, or, to the extent of
matter within its jurisdiction, any committee or
subcommittee thereof, any joint committee of Congress
or subcommittee of any such joint committee;
(10) to the Comptroller General, or any of his
authorized representatives, in the course of the
performance of the duties of the Government
Accountability Office;
(11) pursuant to the order of a court of competent
jurisdiction; [or]
(12) to a consumer reporting agency in accordance
with section 3711(e) of title 31[.]; or
(13) to another agency, to the extent necessary, to
assist the recipient agency in responding to an
incident (as defined in section 3552 of title 44) or
breach (as defined in section 3591 of title 44) or to
fulfill the information sharing requirements under
section 3594 of title 44.
(c) Accounting of Certain Disclosures.--Each agency, with
respect to each system of records under its control, shall--
(1) except for disclosures made under subsections
(b)(1) or (b)(2) of this section, keep an accurate
accounting of--
(A) the date, nature, and purpose of each
disclosure of a record to any person or to
another agency made under subsection (b) of
this section; and
(B) the name and address of the person or
agency to whom the disclosure is made;
(2) retain the accounting made under paragraph (1) of
this subsection for at least five years or the life of
the record, whichever is longer, after the disclosure
for which the accounting is made;
(3) except for disclosures made under subsection
(b)(7) of this section, make the accounting made under
paragraph (1) of this subsection available to the
individual named in the record at his request; and
(4) inform any person or other agency about any
correction or notation of dispute made by the agency in
accordance with subsection (d) of this section of any
record that has been disclosed to the person or agency
if an accounting of the disclosure was made.
(d) Access to Records.--Each agency that maintains a system
of records shall--
(1) upon request by any individual to gain access to
his record or to any information pertaining to him
which is contained in the system, permit him and upon
his request, a person of his own choosing to accompany
him, to review the record and have a copy made of all
or any portion thereof in a form comprehensible to him,
except that the agency may require the individual to
furnish a written statement authorizing discussion of
that individual's record in the accompanying person's
presence;
(2) permit the individual to request amendment of a
record pertaining to him and--
(A) not later than 10 days (excluding
Saturdays, Sundays, and legal public holidays)
after the date of receipt of such request,
acknowledge in writing such receipt; and
(B) promptly, either--
(i) make any correction of any
portion thereof which the individual
believes is not accurate, relevant,
timely, or complete; or
(ii) inform the individual of its
refusal to amend the record in
accordance with his request, the reason
for the refusal, the procedures
established by the agency for the
individual to request a review of that
refusal by the head of the agency or an
officer designated by the head of the
agency, and the name and business
address of that official;
(3) permit the individual who disagrees with the
refusal of the agency to amend his record to request a
review of such refusal, and not later than 30 days
(excluding Saturdays, Sundays, and legal public
holidays) from the date on which the individual
requests such review, complete such review and make a
final determination unless, for good cause shown, the
head of the agency extends such 30-day period; and if,
after his review, the reviewing official also refuses
to amend the record in accordance with the request,
permit the individual to file with the agency a concise
statement setting forth the reasons for his
disagreement with the refusal of the agency, and notify
the individual of the provisions for judicial review of
the reviewing official's determination under subsection
(g)(1)(A) of this section;
(4) in any disclosure, containing information about
which the individual has filed a statement of
disagreement, occurring after the filing of the
statement under paragraph (3) of this subsection,
clearly note any portion of the record which is
disputed and provide copies of the statement and, if
the agency deems it appropriate, copies of a concise
statement of the reasons of the agency for not making
the amendments requested, to persons or other agencies
to whom the disputed record has been disclosed; and
(5) nothing in this section shall allow an individual
access to any information compiled in reasonable
anticipation of a civil action or proceeding.
(e) Agency Requirements.--Each agency that maintains a system
of records shall--
(1) maintain in its records only such information
about an individual as is relevant and necessary to
accomplish a purpose of the agency required to be
accomplished by statute or by executive order of the
President;
(2) collect information to the greatest extent
practicable directly from the subject individual when
the information may result in adverse determinations
about an individual's rights, benefits, and privileges
under Federal programs;
(3) inform each individual whom it asks to supply
information, on the form which it uses to collect the
information or on a separate form that can be retained
by the individual--
(A) the authority (whether granted by
statute, or by executive order of the
President) which authorizes the solicitation of
the information and whether disclosure of such
information is mandatory or voluntary;
(B) the principal purpose or purposes for
which the information is intended to be used;
(C) the routine uses which may be made of the
information, as published pursuant to paragraph
(4)(D) of this subsection; and
(D) the effects on him, if any, of not
providing all or any part of the requested
information;
(4) subject to the provisions of paragraph (11) of
this subsection, publish in the Federal Register upon
establishment or revision a notice of the existence and
character of the system of records, which notice shall
include--
(A) the name and location of the system;
(B) the categories of individuals on whom
records are maintained in the system;
(C) the categories of records maintained in
the system;
(D) each routine use of the records contained
in the system, including the categories of
users and the purpose of such use;
(E) the policies and practices of the agency
regarding storage, retrievability, access
controls, retention, and disposal of the
records;
(F) the title and business address of the
agency official who is responsible for the
system of records;
(G) the agency procedures whereby an
individual can be notified at his request if
the system of records contains a record
pertaining to him;
(H) the agency procedures whereby an
individual can be notified at his request how
he can gain access to any record pertaining to
him contained in the system of records, and how
he can contest its content; and
(I) the categories of sources of records in
the system;
(5) maintain all records which are used by the agency
in making any determination about any individual with
such accuracy, relevance, timeliness, and completeness
as is reasonably necessary to assure fairness to the
individual in the determination;
(6) prior to disseminating any record about an
individual to any person other than an agency, unless
the dissemination is made pursuant to subsection (b)(2)
of this section, make reasonable efforts to assure that
such records are accurate, complete, timely, and
relevant for agency purposes;
(7) maintain no record describing how any individual
exercises rights guaranteed by the First Amendment
unless expressly authorized by statute or by the
individual about whom the record is maintained or
unless pertinent to and within the scope of an
authorized law enforcement activity;
(8) make reasonable efforts to serve notice on an
individual when any record on such individual is made
available to any person under compulsory legal process
when such process becomes a matter of public record;
(9) establish rules of conduct for persons involved
in the design, development, operation, or maintenance
of any system of records, or in maintaining any record,
and instruct each such person with respect to such
rules and the requirements of this section, including
any other rules and procedures adopted pursuant to this
section and the penalties for noncompliance;
(10) establish appropriate administrative, technical,
and physical safeguards to insure the security and
confidentiality of records and to protect against any
anticipated threats or hazards to their security or
integrity which could result in substantial harm,
embarrassment, inconvenience, or unfairness to any
individual on whom information is maintained;
(11) at least 30 days prior to publication of
information under paragraph (4)(D) of this subsection,
publish in the Federal Register notice of any new use
or intended use of the information in the system, and
provide an opportunity for interested persons to submit
written data, views, or arguments to the agency; and
(12) if such agency is a recipient agency or a source
agency in a matching program with a non-Federal agency,
with respect to any establishment or revision of a
matching program, at least 30 days prior to conducting
such program, publish in the Federal Register notice of
such establishment or revision.
(f) Agency Rules.--In order to carry out the provisions of
this section, each agency that maintains a system of records
shall promulgate rules, in accordance with the requirements
(including general notice) of section 553 of this title, which
shall--
(1) establish procedures whereby an individual can be
notified in response to his request if any system of
records named by the individual contains a record
pertaining to him;
(2) define reasonable times, places, and requirements
for identifying an individual who requests his record
or information pertaining to him before the agency
shall make the record or information available to the
individual;
(3) establish procedures for the disclosure to an
individual upon his request of his record or
information pertaining to him, including special
procedure, if deemed necessary, for the disclosure to
an individual of medical records, including
psychological records, pertaining to him;
(4) establish procedures for reviewing a request from
an individual concerning the amendment of any record or
information pertaining to the individual, for making a
determination on the request, for an appeal within the
agency of an initial adverse agency determination, and
for whatever additional means may be necessary for each
individual to be able to exercise fully his rights
under this section; and
(5) establish fees to be charged, if any, to any
individual for making copies of his record, excluding
the cost of any search for and review of the record.
The Office of the Federal Register shall biennially compile and
publish the rules promulgated under this subsection and agency
notices published under subsection (e)(4) of this section in a
form available to the public at low cost.
(g)(1) Civil Remedies.--Whenever any agency--
(A) makes a determination under subsection (d)(3) of
this section not to amend an individual's record in
accordance with his request, or fails to make such
review in conformity with that subsection;
(B) refuses to comply with an individual request
under subsection (d)(1) of this section;
(C) fails to maintain any record concerning any
individual with such accuracy, relevance, timeliness,
and completeness as is necessary to assure fairness in
any determination relating to the qualifications,
character, rights, or opportunities of, or benefits to
the individual that may be made on the basis of such
record, and consequently a determination is made which
is adverse to the individual; or
(D) fails to comply with any other provision of this
section, or any rule promulgated thereunder, in such a
way as to have an adverse effect on an individual,
the individual may bring a civil action against the agency, and
the district courts of the United States shall have
jurisdiction in the matters under the provisions of this
subsection.
(2)(A) In any suit brought under the provisions of subsection
(g)(1)(A) of this section, the court may order the agency to
amend the individual's record in accordance with his request or
in such other way as the court may direct. In such a case the
court shall determine the matter de novo.
(B) The court may assess against the United States reasonable
attorney fees and other litigation costs reasonably incurred in
any case under this paragraph in which the complainant has
substantially prevailed.
(3)(A) In any suit brought under the provisions of subsection
(g)(1)(B) of this section, the court may enjoin the agency from
withholding the records and order the production to the
complainant of any agency records improperly withheld from him.
In such a case the court shall determine the matter de novo,
and may examine the contents of any agency records in camera to
determine whether the records or any portion thereof may be
withheld under any of the exemptions set forth in subsection
(k) of this section, and the burden is on the agency to sustain
its action.
(B) The court may assess against the United States reasonable
attorney fees and other litigation costs reasonably incurred in
any case under this paragraph in which the complainant has
substantially prevailed.
(4) In any suit brought under the provisions of subsection
(g)(1)(C) or (D) of this section in which the court determines
that the agency acted in a manner which was intentional or
willful, the United States shall be liable to the individual in
an amount equal to the sum of--
(A) actual damages sustained by the individual as a
result of the refusal or failure, but in no case shall
a person entitled to recovery receive less than the sum
of $1,000; and
(B) the costs of the action together with reasonable
attorney fees as determined by the court.
(5) An action to enforce any liability created under this
section may be brought in the district court of the United
States in the district in which the complainant resides, or has
his principal place of business, or in which the agency records
are situated, or in the District of Columbia, without regard to
the amount in controversy, within two years from the date on
which the cause of action arises, except that where an agency
has materially and willfully misrepresented any information
required under this section to be disclosed to an individual
and the information so misrepresented is material to
establishment of the liability of the agency to the individual
under this section, the action may be brought at any time
within two years after discovery by the individual of the
misrepresentation. Nothing in this section shall be construed
to authorize any civil action by reason of any injury sustained
as the result of a disclosure of a record prior to September
27, 1975.
(h) Rights of Legal Guardians.--For the purposes of this
section, the parent of any minor, or the legal guardian of any
individual who has been declared to be incompetent due to
physical or mental incapacity or age by a court of competent
jurisdiction, may act on behalf of the individual.
(i)(1) Criminal Penalties.--Any officer or employee of an
agency, who by virtue of his employment or official position,
has possession of, or access to, agency records which contain
individually identifiable information the disclosure of which
is prohibited by this section or by rules or regulations
established thereunder, and who knowing that disclosure of the
specific material is so prohibited, willfully discloses the
material in any manner to any person or agency not entitled to
receive it, shall be guilty of a misdemeanor and fined not more
than $5,000.
(2) Any officer or employee of any agency who willfully
maintains a system of records without meeting the notice
requirements of subsection (e)(4) of this section shall be
guilty of a misdemeanor and fined not more than $5,000.
(3) Any person who knowingly and willfully requests or
obtains any record concerning an individual from an agency
under false pretenses shall be guilty of a misdemeanor and
fined not more than $5,000.
(j) General Exemptions.--The head of any agency may
promulgate rules, in accordance with the requirements
(including general notice) of sections 553(b)(1), (2), and (3),
(c), and (e) of this title, to exempt any system of records
within the agency from any part of this section except
subsections (b), (c)(1) and (2), (e)(4)(A) through (F), (e)(6),
(7), (9), (10), and (11), and (i) if the system of records is--
(1) maintained by the Central Intelligence Agency; or
(2) maintained by an agency or component thereof
which performs as its principal function any activity
pertaining to the enforcement of criminal laws,
including police efforts to prevent, control, or reduce
crime or to apprehend criminals, and the activities of
prosecutors, courts, correctional, probation, pardon,
or parole authorities, and which consists of (A)
information compiled for the purpose of identifying
individual criminal offenders and alleged offenders and
consisting only of identifying data and notations of
arrests, the nature and disposition of criminal
charges, sentencing, confinement, release, and parole
and probation status; (B) information compiled for the
purpose of a criminal investigation, including reports
of informants and investigators, and associated with an
identifiable individual; or (C) reports identifiable to
an individual compiled at any stage of the process of
enforcement of the criminal laws from arrest or
indictment through release from supervision.
At the time rules are adopted under this subsection, the agency
shall include in the statement required under section 553(c) of
this title, the reasons why the system of records is to be
exempted from a provision of this section.
(k) Specific Exemptions.--The head of any agency may
promulgate rules, in accordance with the requirements
(including general notice) of sections 553(b)(1), (2), and (3),
(c), and (e) of this title, to exempt any system of records
within the agency from subsections (c)(3), (d), (e)(1),
(e)(4)(G), (H), and (I) and (f) of this section if the system
of records is--
(1) subject to the provisions of section 552(b)(1) of
this title;
(2) investigatory material compiled for law
enforcement purposes, other than material within the
scope of subsection (j)(2) of this section: Provided,
however, That if any individual is denied any right,
privilege, or benefit that he would otherwise be
entitled by Federal law, or for which he would
otherwise be eligible, as a result of the maintenance
of such material, such material shall be provided to
such individual, except to the extent that the
disclosure of such material would reveal the identity
of a source who furnished information to the Government
under an express promise that the identity of the
source would be held in confidence, or, prior to the
effective date of this section, under an implied
promise that the identity of the source would be held
in confidence;
(3) maintained in connection with providing
protective services to the President of the United
States or other individuals pursuant to section 3056 of
title 18;
(4) required by statute to be maintained and used
solely as statistical records;
(5) investigatory material compiled solely for the
purpose of determining suitability, eligibility, or
qualifications for Federal civilian employment,
military service, Federal contracts, or access to
classified information, but only to the extent that the
disclosure of such material would reveal the identity
of a source who furnished information to the Government
under an express promise that the identity of the
source would be held in confidence, or, prior to the
effective date of this section, under an implied
promise that the identity of the source would be held
in confidence;
(6) testing or examination material used solely to
determine individual qualifications for appointment or
promotion in the Federal service the disclosure of
which would compromise the objectivity or fairness of
the testing or examination process; or
(7) evaluation material used to determine potential
for promotion in the armed services, but only to the
extent that the disclosure of such material would
reveal the identity of a source who furnished
information to the Government under an express promise
that the identity of the source would be held in
confidence, or, prior to the effective date of this
section, under an implied promise that the identity of
the source would be held in confidence.
At the time rules are adopted under this subsection, the agency
shall include in the statement required under section 553(c) of
this title, the reasons why the system of records is to be
exempted from a provision of this section.
(l)(1) Archival Records.--Each agency record which is
accepted by the Archivist of the United States for storage,
processing, and servicing in accordance with section 3103 of
title 44 shall, for the purposes of this section, be considered
to be maintained by the agency which deposited the record and
shall be subject to the provisions of this section. The
Archivist of the United States shall not disclose the record
except to the agency which maintains the record, or under rules
established by that agency which are not inconsistent with the
provisions of this section.
(2) Each agency record pertaining to an identifiable
individual which was transferred to the National Archives of
the United States as a record which has sufficient historical
or other value to warrant its continued preservation by the
United States Government, prior to the effective date of this
section, shall, for the purposes of this section, be considered
to be maintained by the National Archives and shall not be
subject to the provisions of this section, except that a
statement generally describing such records (modeled after the
requirements relating to records subject to subsections
(e)(4)(A) through (G) of this section) shall be published in
the Federal Register.
(3) Each agency record pertaining to an identifiable
individual which is transferred to the National Archives of the
United States as a record which has sufficient historical or
other value to warrant its continued preservation by the United
States Government, on or after the effective date of this
section, shall, for the purposes of this section, be considered
to be maintained by the National Archives and shall be exempt
from the requirements of this section except subsections
(e)(4)(A) through (G) and (e)(9) of this section.
(m)(1) Government Contractors.--When an agency provides by a
contract for the operation by or on behalf of the agency of a
system of records to accomplish an agency function, the agency
shall, consistent with its authority, cause the requirements of
this section to be applied to such system. For purposes of
subsection (i) of this section any such contractor and any
employee of such contractor, if such contract is agreed to on
or after the effective date of this section, shall be
considered to be an employee of an agency.
(2) A consumer reporting agency to which a record is
disclosed under section 3711(e) of title 31 shall not be
considered a contractor for the purposes of this section.
(n) Mailing Lists.--An individual's name and address may not
be sold or rented by an agency unless such action is
specifically authorized by law. This provision shall not be
construed to require the withholding of names and addresses
otherwise permitted to be made public.
(o) Matching Agreements.--(1) No record which is contained in
a system of records may be disclosed to a recipient agency or
non-Federal agency for use in a computer matching program
except pursuant to a written agreement between the source
agency and the recipient agency or non-Federal agency
specifying--
(A) the purpose and legal authority for conducting
the program;
(B) the justification for the program and the
anticipated results, including a specific estimate of
any savings;
(C) a description of the records that will be
matched, including each data element that will be used,
the approximate number of records that will be matched,
and the projected starting and completion dates of the
matching program;
(D) procedures for providing individualized notice at
the time of application, and notice periodically
thereafter as directed by the Data Integrity Board of
such agency (subject to guidance provided by the
Director of the Office of Management and Budget
pursuant to subsection (v)), to--
(i) applicants for and recipients of
financial assistance or payments under Federal
benefit programs, and
(ii) applicants for and holders of positions
as Federal personnel,
that any information provided by such applicants, recipients,
holders, and individuals may be subject to verification through
matching programs;
(E) procedures for verifying information produced in
such matching program as required by subsection (p);
(F) procedures for the retention and timely
destruction of identifiable records created by a
recipient agency or non-Federal agency in such matching
program;
(G) procedures for ensuring the administrative,
technical, and physical security of the records matched
and the results of such programs;
(H) prohibitions on duplication and redisclosure of
records provided by the source agency within or outside
the recipient agency or the non-Federal agency, except
where required by law or essential to the conduct of
the matching program;
(I) procedures governing the use by a recipient
agency or non-Federal agency of records provided in a
matching program by a source agency, including
procedures governing return of the records to the
source agency or destruction of records used in such
program;
(J) information on assessments that have been made on
the accuracy of the records that will be used in such
matching program; and
(K) that the Comptroller General may have access to
all records of a recipient agency or a non-Federal
agency that the Comptroller General deems necessary in
order to monitor or verify compliance with the
agreement.
(2)(A) A copy of each agreement entered into pursuant to
paragraph (1) shall--
(i) be transmitted to the Committee on Governmental
Affairs of the Senate and the Committee on Government
Operations of the House of Representatives; and
(ii) be available upon request to the public.
(B) No such agreement shall be effective until 30 days after
the date on which such a copy is transmitted pursuant to
subparagraph (A)(i).
(C) Such an agreement shall remain in effect only for such
period, not to exceed 18 months, as the Data Integrity Board of
the agency determines is appropriate in light of the purposes,
and length of time necessary for the conduct, of the matching
program.
(D) Within 3 months prior to the expiration of such an
agreement pursuant to subparagraph (C), the Data Integrity
Board of the agency may, without additional review, renew the
matching agreement for a current, ongoing matching program for
not more than one additional year if--
(i) such program will be conducted without any
change; and
(ii) each party to the agreement certifies to the
Board in writing that the program has been conducted in
compliance with the agreement.
(p) Verification and Opportunity to Contest Findings.--(1) In
order to protect any individual whose records are used in a
matching program, no recipient agency, non-Federal agency, or
source agency may suspend, terminate, reduce, or make a final
denial of any financial assistance or payment under a Federal
benefit program to such individual, or take other adverse
action against such individual, as a result of information
produced by such matching program, until--
(A)(i) the agency has independently verified the
information; or
(ii) the Data Integrity Board of the agency, or in
the case of a non-Federal agency the Data Integrity
Board of the source agency, determines in accordance
with guidance issued by the Director of the Office of
Management and Budget that--
(I) the information is limited to
identification and amount of benefits paid by
the source agency under a Federal benefit
program; and
(II) there is a high degree of confidence
that the information provided to the recipient
agency is accurate;
(B) the individual receives a notice from the agency
containing a statement of its findings and informing
the individual of the opportunity to contest such
findings; and
(C)(i) the expiration of any time period established
for the program by statute or regulation for the
individual to respond to that notice; or
(ii) in the case of a program for which no such
period is established, the end of the 30-day period
beginning on the date on which notice under
subparagraph (B) is mailed or otherwise provided to the
individual.
(2) Independent verification referred to in paragraph (1)
requires investigation and confirmation of specific information
relating to an individual that is used as a basis for an
adverse action against the individual, including where
applicable investigation and confirmation of--
(A) the amount of any asset or income involved;
(B) whether such individual actually has or had
access to such asset or income for such individual's
own use; and
(C) the period or periods when the individual
actually had such asset or income.
(3) Notwithstanding paragraph (1), an agency may take any
appropriate action otherwise prohibited by such paragraph if
the agency determines that the public health or public safety
may be adversely affected or significantly threatened during
any notice period required by such paragraph.
(q) Sanctions.--(1) Notwithstanding any other provision of
law, no source agency may disclose any record which is
contained in a system of records to a recipient agency or non-
Federal agency for a matching program if such source agency has
reason to believe that the requirements of subsection (p), or
any matching agreement entered into pursuant to subsection (o),
or both, are not being met by such recipient agency.
(2) No source agency may renew a matching agreement unless--
(A) the recipient agency or non-Federal agency has
certified that it has complied with the provisions of
that agreement; and
(B) the source agency has no reason to believe that
the certification is inaccurate.
(r) Report on New Systems and Matching Programs.--Each agency
that proposes to establish or make a significant change in a
system of records or a matching program shall provide adequate
advance notice of any such proposal (in duplicate) to the
Committee on Government Operations of the House of
Representatives, the Committee on Governmental Affairs of the
Senate, and the Office of Management and Budget in order to
permit an evaluation of the probable or potential effect of
such proposal on the privacy or other rights of individuals.
(s) Biennial Report.--The President shall biennially submit
to the Speaker of the House of Representatives and the
President pro tempore of the Senate a report--
(1) describing the actions of the Director of the
Office of Management and Budget pursuant to section 6
of the Privacy Act of 1974 during the preceding 2
years;
(2) describing the exercise of individual rights of
access and amendment under this section during such
years;
(3) identifying changes in or additions to systems of
records;
(4) containing such other information concerning
administration of this section as may be necessary or
useful to the Congress in reviewing the effectiveness
of this section in carrying out the purposes of the
Privacy Act of 1974.
(t)(1) Effect of Other Laws.--No agency shall rely on any
exemption contained in section 552 of this title to withhold
from an individual any record which is otherwise accessible to
such individual under the provisions of this section.
(2) No agency shall rely on any exemption in this section to
withhold from an individual any record which is otherwise
accessible to such individual under the provisions of section
552 of this title.
(u) Data Integrity Boards.--(1) Every agency conducting or
participating in a matching program shall establish a Data
Integrity Board to oversee and coordinate among the various
components of such agency the agency's implementation of this
section.
(2) Each Data Integrity Board shall consist of senior
officials designated by the head of the agency, and shall
include any senior official designated by the head of the
agency as responsible for implementation of this section, and
the inspector general of the agency, if any. The inspector
general shall not serve as chairman of the Data Integrity
Board.
(3) Each Data Integrity Board--
(A) shall review, approve, and maintain all written
agreements for receipt or disclosure of agency records
for matching programs to ensure compliance with
subsection (o), and all relevant statutes, regulations,
and guidelines;
(B) shall review all matching programs in which the
agency has participated during the year, either as a
source agency or recipient agency, determine compliance
with applicable laws, regulations, guidelines, and
agency agreements, and assess the costs and benefits of
such programs;
(C) shall review all recurring matching programs in
which the agency has participated during the year,
either as a source agency or recipient agency, for
continued justification for such disclosures;
(D) shall compile an annual report, which shall be
submitted to the head of the agency and the Office of
Management and Budget and made available to the public
on request, describing the matching activities of the
agency, including--
(i) matching programs in which the agency has
participated as a source agency or recipient
agency;
(ii) matching agreements proposed under
subsection (o) that were disapproved by the
Board;
(iii) any changes in membership or structure
of the Board in the preceding year;
(iv) the reasons for any waiver of the
requirement in paragraph (4) of this section
for completion and submission of a cost-benefit
analysis prior to the approval of a matching
program;
(v) any violations of matching agreements
that have been alleged or identified and any
corrective action taken; and
(vi) any other information required by the
Director of the Office of Management and Budget
to be included in such report;
(E) shall serve as a clearinghouse for receiving and
providing information on the accuracy, completeness,
and reliability of records used in matching programs;
(F) shall provide interpretation and guidance to
agency components and personnel on the requirements of
this section for matching programs;
(G) shall review agency recordkeeping and disposal
policies and practices for matching programs to assure
compliance with this section; and
(H) may review and report on any agency matching
activities that are not matching programs.
(4)(A) Except as provided in subparagraphs (B) and (C), a
Data Integrity Board shall not approve any written agreement
for a matching program unless the agency has completed and
submitted to such Board a cost-benefit analysis of the proposed
program and such analysis demonstrates that the program is
likely to be cost effective.
(B) The Board may waive the requirements of subparagraph (A)
of this paragraph if it determines in writing, in accordance
with guidelines prescribed by the Director of the Office of
Management and Budget, that a cost-benefit analysis is not
required.
(C) A cost-benefit analysis shall not be required under
subparagraph (A) prior to the initial approval of a written
agreement for a matching program that is specifically required
by statute. Any subsequent written agreement for such a program
shall not be approved by the Data Integrity Board unless the
agency has submitted a cost-benefit analysis of the program as
conducted under the preceding approval of such agreement.
(5)(A) If a matching agreement is disapproved by a Data
Integrity Board, any party to such agreement may appeal the
disapproval to the Director of the Office of Management and
Budget. Timely notice of the filing of such an appeal shall be
provided by the Director of the Office of Management and Budget
to the Committee on Governmental Affairs of the Senate and the
Committee on Government Operations of the House of
Representatives.
(B) The Director of the Office of Management and Budget may
approve a matching agreement notwithstanding the disapproval of
a Data Integrity Board if the Director determines that--
(i) the matching program will be consistent with all
applicable legal, regulatory, and policy requirements;
(ii) there is adequate evidence that the matching
agreement will be cost-effective; and
(iii) the matching program is in the public interest.
(C) The decision of the Director to approve a matching
agreement shall not take effect until 30 days after it is
reported to committees described in subparagraph (A).
(D) If the Data Integrity Board and the Director of the
Office of Management and Budget disapprove a matching program
proposed by the inspector general of an agency, the inspector
general may report the disapproval to the head of the agency
and to the Congress.
(6) In the reports required by paragraph (3)(D), agency
matching activities that are not matching programs may be
reported on an aggregate basis, if and to the extent necessary
to protect ongoing law enforcement or counterintelligence
investigations.
(v) Office of Management and Budget Responsibilities.--The
Director of the Office of Management and Budget shall--
(1) develop and, after notice and opportunity for
public comment, prescribe guidelines and regulations
for the use of agencies in implementing the provisions
of this section; and
(2) provide continuing assistance to and oversight of
the implementation of this section by agencies.
(w) Applicability to Bureau of Consumer Financial
Protection.--Except as provided in the Consumer Financial
Protection Act of 2010, this section shall apply with respect
to the Bureau of Consumer Financial Protection.
* * * * * * *
----------
IOT CYBERSECURITY IMPROVEMENT ACT OF 2020
* * * * * * *
SEC. 5. GUIDELINES ON THE DISCLOSURE PROCESS FOR SECURITY
VULNERABILITIES RELATING TO INFORMATION SYSTEMS,
INCLUDING INTERNET OF THINGS DEVICES.
(a) In General.--Not later than 180 days after the date of
the enactment of this Act, the Director of the Institute, in
consultation with such cybersecurity researchers and private
sector industry experts as the Director considers appropriate,
and in consultation with the Secretary, shall develop and
publish under section 20 of the National Institute of Standards
and Technology Act (15 U.S.C. 278g-3) guidelines--
(1) for the reporting, coordinating, publishing, and
receiving of information about--
(A) a security vulnerability relating to
information systems owned or controlled by an
agency (including Internet of Things devices
owned or controlled by an agency); and
(B) the resolution of such security
vulnerability; and
(2) for a contractor providing to an agency an
information system (including an Internet of Things
device) and any subcontractor thereof at any tier
providing such information system to such contractor,
on--
(A) receiving information about a potential
security vulnerability relating to the
information system; and
(B) disseminating information about the
resolution of a security vulnerability relating
to the information system.
(b) Elements.--The guidelines published under subsection (a)
shall--
(1) to the maximum extent practicable, be aligned
with industry best practices and Standards 29147 and
30111 of the International Standards Organization (or
any successor standard) or any other appropriate,
relevant, and widely-used standard;
(2) incorporate guidelines on--
(A) receiving information about a potential
security vulnerability relating to an
information system owned or controlled by an
agency (including an Internet of Things
device); and
(B) disseminating information about the
resolution of a security vulnerability relating
to an information system owned or controlled by
an agency (including an Internet of Things
device); and
(3) be consistent with the policies and procedures
produced under section 2009(m) of the Homeland Security
Act of 2002 (6 U.S.C. 659(m)).
(c) Information Items.--The guidelines published under
subsection (a) shall include example content, on the
information items that should be reported, coordinated,
published, or received pursuant to this section by a
contractor, or any subcontractor thereof at any tier, providing
an information system (including Internet of Things device) to
the Federal Government.
[(d) Oversight.--The Director of OMB shall oversee the
implementation of the guidelines published under subsection
(a).
[(e) Operational and Technical Assistance.--The Secretary, in
consultation with the Director of OMB, shall administer the
implementation of the guidelines published under subsection (a)
and provide operational and technical assistance in
implementing such guidelines.]
[SEC. 6. IMPLEMENTATION OF COORDINATED DISCLOSURE OF SECURITY
VULNERABILITIES RELATING TO AGENCY INFORMATION
SYSTEMS, INCLUDING INTERNET OF THINGS DEVICES.
[(a) Agency Guidelines Required.--Not later than 2 years
after the date of the enactment of this Act, the Director of
OMB, in consultation with the Secretary, shall develop and
oversee the implementation of policies, principles, standards,
or guidelines as may be necessary to address security
vulnerabilities of information systems (including Internet of
Things devices).
[(b) Operational and Technical Assistance.--Consistent with
section 3553(b) of title 44, United States Code, the Secretary,
in consultation with the Director of OMB, shall provide
operational and technical assistance to agencies on reporting,
coordinating, publishing, and receiving information about
security vulnerabilities of information systems (including
Internet of Things devices).
[(c) Consistency With Guidelines From National Institute of
Standards and Technology.--The Secretary shall ensure that the
assistance provided under subsection (b) is consistent with
applicable standards and publications developed by the Director
of the Institute.
[(d) Revision of Federal Acquisition Regulation.--The Federal
Acquisition Regulation shall be revised as necessary to
implement the provisions under this section.
[SEC. 7. CONTRACTOR COMPLIANCE WITH COORDINATED DISCLOSURE OF
SECURITY VULNERABILITIES RELATING TO AGENCY INTERNET
OF THINGS DEVICES.
[(a) Prohibition on Procurement and Use.--
[(1) In general.--The head of an agency is prohibited
from procuring or obtaining, renewing a contract to
procure or obtain, or using an Internet of Things
device, if the Chief Information Officer of that agency
determines during a review required by section
11319(b)(1)(C) of title 40, United States Code, of a
contract for such device that the use of such device
prevents compliance with the standards and guidelines
developed under section 4 or the guidelines published
under section 5 with respect to such device.
[(2) Simplified acquisition threshold.--
Notwithstanding section 1905 of title 41, United States
Code, the requirements under paragraph (1) shall apply
to a contract or subcontract in amounts not greater
than the simplified acquisition threshold.
[(b) Waiver.--
[(1) Authority.--The head of an agency may waive the
prohibition under subsection (a)(1) with respect to an
Internet of Things device if the Chief Information
Officer of that agency determines that--
[(A) the waiver is necessary in the interest
of national security;
[(B) procuring, obtaining, or using such
device is necessary for research purposes; or
[(C) such device is secured using alternative
and effective methods appropriate to the
function of such device.
[(2) Agency process.--The Director of OMB shall
establish a standardized process for the Chief
Information Officer of each agency to follow in
determining whether the waiver under paragraph (1) may
be granted.
[(c) Reports to Congress.--
[(1) Report.--Every 2 years during the 6-year period
beginning on the date of the enactment of this Act, the
Comptroller General of the United States shall submit
to the Committee on Oversight and Reform of the House
of Representatives, the Committee on Homeland Security
of the House of Representatives, and the Committee on
Homeland Security and Governmental Affairs of the
Senate a report--
[(A) on the effectiveness of the process
established under subsection (b)(2);
[(B) that contains recommended best practices
for the procurement of Internet of Things
devices; and
[(C) that lists--
[(i) the number and type of each
Internet of Things device for which a
waiver under subsection (b)(1) was
granted during the 2-year period prior
to the submission of the report; and
[(ii) the legal authority under which
each such waiver was granted, such as
whether the waiver was granted pursuant
to subparagraph (A), (B), or (C) of
such subsection.
[(2) Classification of report.--Each report submitted
under this subsection shall be submitted in
unclassified form, but may include a classified annex
that contains the information described under paragraph
(1)(C).
[(d) Effective Date.--The prohibition under subsection (a)(1)
shall take effect 2 years after the date of the enactment of
this Act.]
* * * * * * *
----------
WILLIAM M. (MAC) THORNBERRY NATIONAL DEFENSE
AUTHORIZATION ACT FOR FISCAL YEAR 2021
* * * * * * *
DIVISION A--DEPARTMENT OF
DEFENSE AUTHORIZATIONS
* * * * * * *
TITLE XVII--CYBERSPACE-RELATED
MATTERS
* * * * * * *
SEC. 1752. NATIONAL CYBER DIRECTOR.
(a) Establishment.--There is established, within the
Executive Office of the President, the Office of the National
Cyber Director (in this section referred to as the ``Office'').
(b) National Cyber Director.--
(1) In general.--The Office shall be headed by the
National Cyber Director (in this section referred to as
the ``Director'') who shall be appointed by the
President, by and with the advice and consent of the
Senate.
(2) Position.--The Director shall hold office at the
pleasure of the President.
(3) Pay and allowances.--The Director shall be
entitled to receive the same pay and allowances as are
provided for level II of the Executive Schedule under
section 5313 of title 5, United States Code.
(c) Duties of the National Cyber Director.--
(1) In general.--Subject to the authority, direction,
and control of the President, the Director shall--
(A) serve as the principal advisor to the
President on cybersecurity policy and strategy
relating to the coordination of--
(i) information security and data
protection;
(ii) programs and policies intended
to improve the cybersecurity posture of
the United States;
(iii) efforts to understand and deter
malicious cyber activity;
(iv) efforts to increase the security
of information and communications
technology and services and to promote
national supply chain risk management
and vendor security;
(v) diplomatic and other efforts to
develop norms and international
consensus around responsible state
behavior in cyberspace;
(vi) awareness and adoption of
emerging technology that may enhance,
augment, or degrade the cybersecurity
posture of the United States; and
(vii) such other cybersecurity
matters as the President considers
appropriate;
(B) offer advice and consultation to the
National Security Council and its staff, the
Homeland Security Council and its staff, and
relevant Federal departments and agencies, for
their consideration, relating to the
development and coordination of national cyber
policy and strategy, including the National
Cyber Strategy;
(C) lead the coordination of implementation
of national cyber policy and strategy,
including the National Cyber Strategy, by--
(i) in coordination with the heads of
relevant Federal departments or
agencies, monitoring and assessing the
effectiveness, including cost-
effectiveness, of the implementation of
such national cyber policy and strategy
by Federal departments and agencies;
(ii) making recommendations, relevant
to changes in the organization,
personnel, and resource allocation and
to policies of Federal departments and
agencies, to the heads of relevant
Federal departments and agencies in
order to implement such national cyber
policy and strategy;
(iii) reviewing the annual budget
proposals for relevant Federal
departments and agencies and advising
the heads of such departments and
agencies whether such proposals are
consistent with such national cyber
policy and strategy;
(iv) continuously assessing and
making relevant recommendations to the
President on the appropriate level of
integration and interoperability across
the Federal cyber centers;
(v) coordinating with the Attorney
General, the Federal Chief Information
Officer, the Director of the Office of
Management and Budget, the Director of
National Intelligence, and the Director
of the Cybersecurity and Infrastructure
Security Agency, on the streamlining of
Federal policies and guidelines,
including with respect to
implementation of subchapter II of
chapter 35 of title 44, United States
Code, and, as appropriate or
applicable, regulations relating to
cybersecurity;
(vi) reporting annually to the
President, the Assistant to the
President for National Security
Affairs, and Congress on the state of
the cybersecurity posture of the United
States, the effectiveness of such
national cyber policy and strategy, and
the status of the implementation of
such national cyber policy and strategy
by Federal departments and agencies;
and
(vii) such other activity as the
President considers appropriate to
further such national cyber policy and
strategy;
(D) lead coordination of the development and
ensuring implementation by the Federal
Government of integrated incident response to
cyberattacks and cyber campaigns of significant
consequence, including--
(i) ensuring and facilitating
coordination among relevant Federal
departments and agencies in the
development of integrated operational
plans, processes, and playbooks,
including for incident response, that
feature--
(I) clear lines of authority
and lines of effort across the
Federal Government;
(II) authorities that have
been delegated to an
appropriate level to facilitate
effective operational responses
across the Federal Government;
and
(III) support for the
integration of defensive cyber
plans and capabilities with
offensive cyber plans and
capabilities in a manner
consistent with improving the
cybersecurity posture of the
United States;
(ii) ensuring the exercising of
defensive operational plans, processes,
and playbooks for incident response;
(iii) ensuring the updating of
defensive operational plans, processes,
and playbooks for incident response as
needed to keep them updated; and
(iv) reviewing and ensuring that
defensive operational plans, processes,
and playbooks improve coordination with
relevant private sector entities, as
appropriate;
(E) preparing the response by the Federal
Government to cyberattacks and cyber campaigns
of significant consequence across Federal
departments and agencies with responsibilities
pertaining to cybersecurity and with the
relevant private sector entities, including--
(i) developing for the approval of
the President, in coordination with the
Assistant to the President for National
Security Affairs and the heads of
relevant Federal departments and
agencies, operational priorities,
requirements, and plans;
(ii) ensuring incident response is
executed consistent with the plans
described in clause (i); and
(iii) ensuring relevant Federal
department and agency consultation with
relevant private sector entities in
incident response;
(F) coordinate and consult with private
sector leaders on cybersecurity and emerging
technology issues in support of, and in
coordination with, the Director of the
Cybersecurity and Infrastructure Security
Agency, the Director of National Intelligence,
and the heads of other Federal departments and
agencies, as appropriate;
(G) annually report to Congress on
cybersecurity threats and issues facing the
United States, including any new or emerging
technologies that may affect national security,
economic prosperity, or enforcing the rule of
law; and
(H) be responsible for such other functions
as the President may direct.
(2) Delegation of authority.--(A) The Director may--
(i) serve as the senior
representative to any organization that
the President may establish for the
purpose of providing the President
advice on cybersecurity;
(ii) subject to subparagraph (B), be
included as a participant in
preparations for and, when appropriate,
the execution of domestic and
international summits and other
international meetings at which
cybersecurity is a major topic;
(iii) delegate any of the Director's
functions, powers, and duties to such
officers and employees of the Office as
the Director considers appropriate; and
(iv) authorize such successive re-
delegations of such functions, powers,
and duties to such officers and
employees of the Office as the Director
considers appropriate.
(B) In acting under subparagraph (A)(ii) in
the case of a summit or a meeting with an
international partner, the Director shall act
in coordination with the Secretary of State.
(d) Attendance and Participation in National Security Council
Meetings.--Section 101(c)(2) of the National Security Act of
1947 (50 U.S.C. 3021(c)(2)) is amended by striking ``and the
Chairman of the Joint Chiefs of Staff'' and inserting ``the
Chairman of the Joint Chiefs of Staff, and the National Cyber
Director''.
(e) Powers of the Director.--
(1) In general.--The Director may, for the purposes
of carrying out the functions of the Director under
this section--
(A) subject to the civil service and
classification laws, select, appoint, employ,
and fix the compensation of such officers and
employees as are necessary and prescribe their
duties, except that not more than 75
individuals may be employed without regard to
any provision of law regulating the employment
or compensation at rates not to exceed the
basic rate of basic pay payable for level IV of
the Executive Schedule under section 5315 of
title 5, United States Code;
(B) employ experts and consultants in
accordance with section 3109 of title 5, United
States Code, and compensate individuals so
employed for each day (including travel time)
at rates not in excess of the maximum rate of
basic pay for grade GS-15 as provided in
section 5332 of such title, and while such
experts and consultants are so serving away
from their homes or regular place of business,
to pay such employees travel expenses and per
diem in lieu of subsistence at rates authorized
by section 5703 of such title 5 for persons in
Federal Government service employed
intermittently;
(C) accept officers or employees of the
United States or members of the Armed Forces on
a detail from an element of the intelligence
community (as such term is defined in section
3(4) of the National Security Act of 1947 (50
U.S.C. 3003(4))) or from another element of the
Federal Government on a nonreimbursable basis,
as jointly agreed to by the heads of the
receiving and detailing elements, for a period
not to exceed three years;
(D) promulgate such rules and regulations as may be
necessary to carry out the functions, powers, and
duties vested in the Director;
(E) utilize, with their consent, the services,
personnel, and facilities of other Federal agencies;
(F) enter into and perform such contracts, leases,
cooperative agreements, or other transactions as may be
necessary in the conduct of the work of the Office and
on such terms as the Director may determine
appropriate, with any Federal agency, or with any
public or private person or entity;
(G) accept voluntary and uncompensated services,
notwithstanding the provisions of section 1342 of title
31, United States Code;
(H) adopt an official seal, which shall be judicially
noticed; and
(I) provide, where authorized by law, copies of
documents to persons at cost, except that any funds so
received shall be credited to, and be available for use
from, the account from which expenditures relating
thereto were made.
(2) Rules of construction regarding details.--Nothing
in paragraph (1)(C) may be construed as imposing any
limitation on any other authority for reimbursable or
nonreimbursable details. A nonreimbursable detail made
pursuant to such paragraph shall not be considered an
augmentation of the appropriations of the receiving
element of the Office of the National Cyber Director.
(f) Rules of Construction.--Nothing in this section may be
construed as--
(1) modifying any authority or responsibility,
including any operational authority or responsibility
of any head of a Federal department or agency;
(2) authorizing the Director or any person acting
under the authority of the Director to interfere with
or to direct a criminal or national security
investigation, arrest, search, seizure, or disruption
operation;
(3) amending a legal restriction that was in effect
on the day before the date of the enactment of this Act
that requires a law enforcement agency to keep
confidential information learned in the course of a
criminal or national security investigation;
(4) authorizing the Director or any person acting
under the authority of the Director to interfere with
or to direct a military operation;
(5) authorizing the Director or any person acting
under the authority of the Director to interfere with
or to direct any diplomatic or consular activity;
(6) authorizing the Director or any person acting
under the authority of the Director to interfere with
or to direct an intelligence activity, resource, or
operation; or
(7) authorizing the Director or any person acting
under the authority of the Director to modify the
classification of intelligence information.
(g) Senior Federal Cybersecurity Officer.--The Federal Chief
Information Security Officer appointed by the President under
section 3617 of title 44, United States Code, shall be a senior
official within the Office and carry out duties applicable to
the protection of information technology (as defined in section
11101 of title 40, United States Code), including initiatives
determined by the Director necessary to coordinate with the
Office of the Federal Chief Information Officer.
[(g)] (h) Definitions.--In this section:
(1) The term ``cybersecurity posture'' means the
ability to identify, to protect against, to detect, to
respond to, and to recover from an intrusion in an
information system the compromise of which could
constitute a cyber attack or cyber campaign of
significant consequence.
(2) The term ``cyber attack and cyber campaign of
significant consequence'' means an incident or series
of incidents that has the purpose or effect of--
(A) causing a significant disruption to the
confidentiality, integrity, or availability of
a Federal information system;
(B) harming, or otherwise significantly
compromising the provision of service by, a
computer or network of computers that support
one or more entities in a critical
infrastructure sector;
(C) significantly compromising the provision
of services by one or more entities in a
critical infrastructure sector;
(D) causing a significant misappropriation of
funds or economic resources, trade secrets,
personal identifiers, or financial information
for commercial or competitive advantage or
private financial gain; or
(E) otherwise constituting a significant
threat to the national security, foreign
policy, or economic health or financial
stability of the United States.
(3) The term ``incident'' has the meaning given such
term in section 3552 of title 44, United States Code.
(4) The term ``incident response'' means a government
or private sector activity that detects, mitigates, or
recovers from a cyber attack or cyber campaign of
significant consequence.
(5) The term ``information security'' has the meaning
given such term in section 3552 of title 44, United
States Code.
(6) The term ``intelligence'' has the meaning given
such term in section 3 of the National Security Act of
1947 (50 U.S.C. 3003).
* * * * * * *
----------
NATIONAL SECURITY ACT OF 1947
* * * * * * *
TITLE V--ACCOUNTABILITY FOR INTELLIGENCE
ACTIVITIES
* * * * * * *
intelligence community business system transformation
Sec. 506D. (a) Limitation on Obligation of Funds.--(1)
Subject to paragraph (3), no funds appropriated to any element
of the intelligence community may be obligated for an
intelligence community business system transformation that will
have a total cost in excess of $3,000,000 unless--
(A) the Director of the Office of Business
Transformation of the Office of the Director of
National Intelligence makes a certification described
in paragraph (2) with respect to such intelligence
community business system transformation; and
(B) such certification is approved by the board
established under subsection (f).
(2) The certification described in this paragraph for an
intelligence community business system transformation is a
certification made by the Director of the Office of Business
Transformation of the Office of the Director of National
Intelligence that the intelligence community business system
transformation--
(A) complies with the enterprise architecture under
subsection (b) and such other policies and standards
that the Director of National Intelligence considers
appropriate; or
(B) is necessary--
(i) to achieve a critical national security
capability or address a critical requirement;
or
(ii) to prevent a significant adverse effect
on a project that is needed to achieve an
essential capability, taking into consideration
any alternative solutions for preventing such
adverse effect.
(3) With respect to a fiscal year after fiscal year 2010, the
amount referred to in paragraph (1) in the matter preceding
subparagraph (A) shall be equal to the sum of--
(A) the amount in effect under such paragraph (1) for
the preceding fiscal year (determined after application
of this paragraph), plus
(B) such amount multiplied by the annual percentage
increase in the consumer price index (all items; U.S.
city average) as of September of the previous fiscal
year.
(b) Enterprise Architecture for Intelligence Community
Business Systems.--(1) The Director of National Intelligence
shall, acting through the board established under subsection
(f), develop and implement an enterprise architecture to cover
all intelligence community business systems, and the functions
and activities supported by such business systems. The
enterprise architecture shall be sufficiently defined to
effectively guide, constrain, and permit implementation of
interoperable intelligence community business system solutions,
consistent with applicable policies and procedures established
by the Director of the Office of Management and Budget.
(2) The enterprise architecture under paragraph (1) shall
include the following:
(A) An information infrastructure that will enable
the intelligence community to--
(i) comply with all Federal accounting,
financial management, and reporting
requirements;
(ii) routinely produce timely, accurate, and
reliable financial information for management
purposes;
(iii) integrate budget, accounting, and
program information and systems; and
(iv) provide for the measurement of
performance, including the ability to produce
timely, relevant, and reliable cost
information.
(B) Policies, procedures, data standards, and system
interface requirements that apply uniformly throughout
the intelligence community.
(c) Responsibilities for Intelligence Community Business
System Transformation.--The Director of National Intelligence
shall be responsible for the entire life cycle of an
intelligence community business system transformation,
including review, approval, and oversight of the planning,
design, acquisition, deployment, operation, and maintenance of
the business system transformation.
(d) Intelligence Community Business System Investment
Review.--(1) The Director of the Office of Business
Transformation of the Office of the Director of National
Intelligence shall establish and implement, not later than 60
days after the enactment of the Intelligence Authorization Act
for Fiscal Year 2010, an investment review process for the
intelligence community business systems for which the Director
of the Office of Business Transformation is responsible.
(2) The investment review process under paragraph (1) shall--
(A) meet the requirements of section 11312 of title
40, United States Code; and
(B) specifically set forth the responsibilities of
the Director of the Office of Business Transformation
under such review process.
(3) The investment review process under paragraph (1) shall
include the following elements:
(A) Review and approval by an investment review board
(consisting of appropriate representatives of the
intelligence community) of each intelligence community
business system as an investment before the obligation
of funds for such system.
(B) Periodic review, but not less often than
annually, of every intelligence community business
system investment.
(C) Thresholds for levels of review to ensure
appropriate review of intelligence community business
system investments depending on the scope, complexity,
and cost of the system involved.
(D) Procedures for making certifications in
accordance with the requirements of subsection (a)(2).
(f) Intelligence Community Business System Transformation
Governance Board.--(1) The Director of National Intelligence
shall establish a board within the intelligence community
business system transformation governance structure (in this
subsection referred to as the ``Board'').
(2) The Board shall--
(A) recommend to the Director policies and procedures
necessary to effectively integrate all business
activities and any transformation, reform,
reorganization, or process improvement initiatives
undertaken within the intelligence community;
(B) review and approve any major update of--
(i) the enterprise architecture developed
under subsection (b); and
(ii) any plans for an intelligence community
business systems modernization;
(C) manage cross-domain integration consistent with
such enterprise architecture;
(D) coordinate initiatives for intelligence community
business system transformation to maximize benefits and
minimize costs for the intelligence community, and
periodically report to the Director on the status of
efforts to carry out an intelligence community business
system transformation;
(E) ensure that funds are obligated for intelligence
community business system transformation in a manner
consistent with subsection (a); and
(F) carry out such other duties as the Director shall
specify.
(g) Relation to Annual Registration Requirements.--Nothing in
this section shall be construed to alter the requirements of
section 8083 of the Department of Defense Appropriations Act,
2005 (Public Law 108-287; 118 Stat. 989), with regard to
information technology systems (as defined in subsection (d) of
such section).
(h) Relationship to Defense Business Enterprise
Architecture.--Nothing in this section shall be construed to
exempt funds authorized to be appropriated to the Department of
Defense from the requirements of section 2222 of title 10,
United States Code, to the extent that such requirements are
otherwise applicable.
(i) Relation to Clinger-Cohen Act.--(1) Executive agency
responsibilities in chapter 113 of title 40, United States
Code, for any intelligence community business system
transformation shall be exercised jointly by--
(A) the Director of National Intelligence and the
Chief Information Officer of the Intelligence
Community; and
(B) the head of the executive agency that contains
the element of the intelligence community involved and
the chief information officer of that executive agency.
(2) The Director of National Intelligence and the head of the
executive agency referred to in paragraph (1)(B) shall enter
into a Memorandum of Understanding to carry out the
requirements of this section in a manner that best meets the
needs of the intelligence community and the executive agency.
(j) Reports.--Not later than March 31 of each of the years
2011 through 2014, the Director of National Intelligence shall
submit to the congressional intelligence committees a report on
the compliance of the intelligence community with the
requirements of this section. Each such report shall--
(1) describe actions taken and proposed for meeting
the requirements of subsection (a), including--
(A) specific milestones and actual
performance against specified performance
measures, and any revision of such milestones
and performance measures; and
(B) specific actions on the intelligence
community business system transformations
submitted for certification under such
subsection;
(2) identify the number of intelligence community
business system transformations that received a
certification described in subsection (a)(2); and
(3) describe specific improvements in business
operations and cost savings resulting from successful
intelligence community business systems transformation
efforts.
(k) Definitions.--In this section:
(1) The term ``enterprise architecture'' has the
meaning given that term in [section 3601(4)] section
3601 of title 44, United States Code.
(2) The terms ``information system'' and
``information technology'' have the meanings given
those terms in section 11101 of title 40, United States
Code.
(3) The term ``intelligence community business
system'' means an information system, including a
national security system, that is operated by, for, or
on behalf of an element of the intelligence community,
including a financial system, mixed system, financial
data feeder system, and the business infrastructure
capabilities shared by the systems of the business
enterprise architecture, including people, process, and
technology, that build upon the core infrastructure
used to support business activities, such as
acquisition, financial management, logistics, strategic
planning and budgeting, installations and environment,
and human resource management.
(4) The term ``intelligence community business system
transformation'' means--
(A) the acquisition or development of a new
intelligence community business system; or
(B) any significant modification or
enhancement of an existing intelligence
community business system (other than necessary
to maintain current services).
(5) The term ``national security system'' has the
meaning given that term in section 3542 of title 44,
United States Code.
(6) The term ``Office of Business Transformation of
the Office of the Director of National Intelligence''
includes any successor office that assumes the
functions of the Office of Business Transformation of
the Office of the Director of National Intelligence as
carried out by the Office of Business Transformation on
the date of the enactment of the Intelligence
Authorization Act for Fiscal Year 2010.
* * * * * * *