[113th Congress Public Law 283]
[From the U.S. Government Publishing Office]



[[Page 128 STAT. 3073]]

Public Law 113-283
113th Congress

                                 An Act


 
  To amend chapter 35 of title 44, United States Code, to provide for 
  reform to Federal information security. <<NOTE: Dec. 18, 2014 -  [S. 
                                2521]>> 

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled, <<NOTE: Federal 
Information Security Modernization Act of 2014. 44 USC 101 note.>> 
SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Information Security 
Modernization Act of 2014''.
SEC. 2. FISMA REFORM.

    (a) In General.--Chapter 35 of title 44, United States Code, is 
amended by striking subchapters II and III <<NOTE: 44 USC prec. 
3531, 3531-3538, 3541 prec., 3541-3549.>>  and inserting the following:

``SUBCHAPTER <<NOTE: 44 USC prec. 3551.>>  II--INFORMATION SECURITY
``Sec. 3551. <<NOTE: 44 USC 3551.>>  Purposes

    ``The purposes of this subchapter are to--
            ``(1) provide a comprehensive framework for ensuring the 
        effectiveness of information security controls over information 
        resources that support Federal operations and assets;
            ``(2) recognize the highly networked nature of the current 
        Federal computing environment and provide effective 
        governmentwide management and oversight of the related 
        information security risks, including coordination of 
        information security efforts throughout the civilian, national 
        security, and law enforcement communities;
            ``(3) provide for development and maintenance of minimum 
        controls required to protect Federal information and information 
        systems;
            ``(4) provide a mechanism for improved oversight of Federal 
        agency information security programs, including through 
        automated security tools to continuously diagnose and improve 
        security;
            ``(5) acknowledge that commercially developed information 
        security products offer advanced, dynamic, robust, and effective 
        information security solutions, reflecting market solutions for 
        the protection of critical information infrastructures important 
        to the national defense and economic security of the nation that 
        are designed, built, and operated by the private sector; and
            ``(6) recognize that the selection of specific technical 
        hardware and software information security solutions should be

[[Page 128 STAT. 3074]]

        left to individual agencies from among commercially developed 
        products.
``Sec. 3552. <<NOTE: 44 USC 3552.>>  Definitions

    ``(a) <<NOTE: Applicability.>>  In General.--Except as provided 
under subsection (b), the definitions under section 3502 shall apply to 
this subchapter.

    ``(b) Additional Definitions.--As used in this subchapter:
            ``(1) The term `binding operational directive' means a 
        compulsory direction to an agency that--
                    ``(A) is for purposes of safeguarding Federal 
                information and information systems from a known or 
                reasonably suspected information security threat, 
                vulnerability, or risk;
                    ``(B) shall be in accordance with policies, 
                principles, standards, and guidelines issued by the 
                Director; and
                    ``(C) may be revised or repealed by the Director if 
                the direction issued on behalf of the Director is not in 
                accordance with policies and principles developed by the 
                Director.
            ``(2) The term `incident' means an occurrence that--
                    ``(A) actually or imminently jeopardizes, without 
                lawful authority, the integrity, confidentiality, or 
                availability of information or an information system; or
                    ``(B) constitutes a violation or imminent threat of 
                violation of law, security policies, security 
                procedures, or acceptable use policies.
            ``(3) The term `information security' means protecting 
        information and information systems from unauthorized access, 
        use, disclosure, disruption, modification, or destruction in 
        order to provide--
                    ``(A) integrity, which means guarding against 
                improper information modification or destruction, and 
                includes ensuring information nonrepudiation and 
                authenticity;
                    ``(B) confidentiality, which means preserving 
                authorized restrictions on access and disclosure, 
                including means for protecting personal privacy and 
                proprietary information; and
                    ``(C) availability, which means ensuring timely and 
                reliable access to and use of information.
            ``(4) The term `information technology' has the meaning 
        given that term in section 11101 of title 40.
            ``(5) The term `intelligence community' has the meaning 
        given that term in section 3(4) of the National Security Act of 
        1947 (50 U.S.C. 3003(4)).
            ``(6)(A) The term `national security system' means any 
        information system (including any telecommunications system) 
        used or operated by an agency or by a contractor of an agency, 
        or other organization on behalf of an agency--
                    ``(i) the function, operation, or use of which--
                          ``(I) involves intelligence activities;
                          ``(II) involves cryptologic activities related 
                      to national security;
                          ``(III) involves command and control of 
                      military forces;
                          ``(IV) involves equipment that is an integral 
                      part of a weapon or weapons system; or

[[Page 128 STAT. 3075]]

                          ``(V) subject to subparagraph (B), is critical 
                      to the direct fulfillment of military or 
                      intelligence missions; or
                    ``(ii) is protected at all times by procedures 
                established for information that have been specifically 
                authorized under criteria established by an Executive 
                order or an Act of Congress to be kept classified in the 
                interest of national defense or foreign policy.
            ``(B) Subparagraph (A)(i)(V) does not include a system that 
        is to be used for routine administrative and business 
        applications (including payroll, finance, logistics, and 
        personnel management applications).
            ``(7) The term `Secretary' means the Secretary of Homeland 
        Security.
``Sec. 3553. <<NOTE: 44 USC 3553.>>  Authority and functions of 
                  the Director and the Secretary

    ``(a) Director.--The Director shall oversee agency information 
security policies and practices, including--
            ``(1) developing and overseeing the implementation of 
        policies, principles, standards, and guidelines on information 
        security, including through ensuring timely agency adoption of 
        and compliance with standards promulgated under section 11331 of 
        title 40;
            ``(2) requiring agencies, consistent with the standards 
        promulgated under such section 11331 and the requirements of 
        this subchapter, to identify and provide information security 
        protections commensurate with the risk and magnitude of the harm 
        resulting from the unauthorized access, use, disclosure, 
        disruption, modification, or destruction of--
                    ``(A) information collected or maintained by or on 
                behalf of an agency; or
                    ``(B) information systems used or operated by an 
                agency or by a contractor of an agency or other 
                organization on behalf of an agency;
            ``(3) ensuring that the Secretary carries out the 
        authorities and functions under subsection (b);
            ``(4) coordinating the development of standards and 
        guidelines under section 20 of the National Institute of 
        Standards and Technology Act (15 U.S.C. 278g-3) with agencies 
        and offices operating or exercising control of national security 
        systems (including the National Security Agency) to assure, to 
        the maximum extent feasible, that such standards and guidelines 
        are complementary with standards and guidelines developed for 
        national security systems;
            ``(5) overseeing agency compliance with the requirements of 
        this subchapter, including through any authorized action under 
        section 11303 of title 40, to enforce accountability for 
        compliance with such requirements; and
            ``(6) coordinating information security policies and 
        procedures with related information resources management 
        policies and procedures.

    ``(b) <<NOTE: Consultation.>>  Secretary.--The Secretary, in 
consultation with the Director, shall administer the implementation of 
agency information security policies and practices for information 
systems, except for national security systems and information systems 
described in paragraph (2) or (3) of subsection (e), including--

[[Page 128 STAT. 3076]]

            ``(1) assisting the Director in carrying out the authorities 
        and functions under paragraphs (1), (2), (3), (5), and (6) of 
        subsection (a);
            ``(2) developing and overseeing the implementation of 
        binding operational directives to agencies to implement the 
        policies, principles, standards, and guidelines developed by the 
        Director under subsection (a)(1) and the requirements of this 
        subchapter, which may be revised or repealed by the Director if 
        the operational directives issued on behalf of the Director are 
        not in accordance with policies, principles, standards, and 
        guidelines developed by the Director, including--
                    ``(A) requirements for reporting security incidents 
                to the Federal information security incident center 
                established under section 3556;
                    ``(B) requirements for the contents of the annual 
                reports required to be submitted under section 
                3554(c)(1);
                    ``(C) requirements for the mitigation of exigent 
                risks to information systems; and
                    ``(D) <<NOTE: Consultation.>>  other operational 
                requirements as the Director or Secretary, in 
                consultation with the Director, may determine necessary;
            ``(3) monitoring agency implementation of information 
        security policies and practices;
            ``(4) convening meetings with senior agency officials to 
        help ensure effective implementation of information security 
        policies and practices;
            ``(5) coordinating Government-wide efforts on information 
        security policies and practices, including consultation with the 
        Chief Information Officers Council established under section 
        3603 and the Director of the National Institute of Standards and 
        Technology;
            ``(6) providing operational and technical assistance to 
        agencies in implementing policies, principles, standards, and 
        guidelines on information security, including implementation of 
        standards promulgated under section 11331 of title 40, including 
        by--
                    ``(A) operating the Federal information security 
                incident center established under section 3556;
                    ``(B) upon request by an agency, deploying 
                technology to assist the agency to continuously diagnose 
                and mitigate against cyber threats and vulnerabilities, 
                with or without reimbursement;
                    ``(C) compiling and analyzing data on agency 
                information security; and
                    ``(D) developing and conducting targeted operational 
                evaluations, including threat and vulnerability 
                assessments, on the information systems; and
            ``(7) <<NOTE: Consultation.>>  other actions as the Director 
        or the Secretary, in consultation with the Director, may 
        determine necessary to carry out this subsection.

    ``(c) <<NOTE: Consultation.>>  Report.--Not later than March 1 of 
each year, the Director, in consultation with the Secretary, shall 
submit to Congress a report on the effectiveness of information security 
policies and practices during the preceding year, including--
            ``(1) a summary of the incidents described in the annual 
        reports required to be submitted under section 3554(c)(1),

[[Page 128 STAT. 3077]]

        including a summary of the information required under section 
        3554(c)(1)(A)(iii);
            ``(2) a description of the threshold for reporting major 
        information security incidents;
            ``(3) a summary of the results of evaluations required to be 
        performed under section 3555;
            ``(4) <<NOTE: Assessment.>>  an assessment of agency 
        compliance with standards promulgated under section 11331 of 
        title 40; and
            ``(5) <<NOTE: Assessment.>>  an assessment of agency 
        compliance with data breach notification policies and procedures 
        issued by the Director.

    ``(d) National Security Systems.--Except for the authorities and 
functions described in subsection (a)(5) and subsection (c), the 
authorities and functions of the Director and the Secretary under this 
section shall not apply to national security systems.
    ``(e) Department of Defense and Intelligence Community Systems.--(1) 
The authorities <<NOTE: Delegated authority.>>  of the Director 
described in paragraphs (1) and (2) of subsection (a) shall be delegated 
to the Secretary of Defense in the case of systems described in 
paragraph (2) and to the Director of National Intelligence in the case 
of systems described in paragraph (3).

    ``(2) The systems described in this paragraph are systems that are 
operated by the Department of Defense, a contractor of the Department of 
Defense, or another entity on behalf of the Department of Defense that 
processes any information the unauthorized access, use, disclosure, 
disruption, modification, or destruction of which would have a 
debilitating impact on the mission of the Department of Defense.
    ``(3) The systems described in this paragraph are systems that are 
operated by an element of the intelligence community, a contractor of an 
element of the intelligence community, or another entity on behalf of an 
element of the intelligence community that processes any information the 
unauthorized access, use, disclosure, disruption, modification, or 
destruction of which would have a debilitating impact on the mission of 
an element of the intelligence community.
    ``(f) Consideration.--
            ``(1) In general.--In carrying out the responsibilities 
        under subsection (b), the Secretary shall consider any 
        applicable standards or guidelines developed by the National 
        Institute of Standards and Technology and issued by the 
        Secretary of Commerce under section 11331 of title 40.
            ``(2) Directives.--The Secretary shall--
                    ``(A) <<NOTE: Consultation.>>  consult with the 
                Director of the National Institute of Standards and 
                Technology regarding any binding operational directive 
                that implements standards and guidelines developed by 
                the National Institute of Standards and Technology; and
                    ``(B) ensure that binding operational directives 
                issued under subsection (b)(2) do not conflict with the 
                standards and guidelines issued under section 11331 of 
                title 40.
            ``(3) Rule of construction.--Nothing in this subchapter 
        shall be construed as authorizing the Secretary to direct the 
        Secretary of Commerce in the development and promulgation of 
        standards and guidelines under section 11331 of title 40.

    ``(g) <<NOTE: President. Coordination.>>  Exercise of Authority.--To 
ensure fiscal and policy consistency, the Secretary shall exercise the 
authority under this

[[Page 128 STAT. 3078]]

section subject to direction by the President, in coordination with the 
Director.
``Sec. 3554. <<NOTE: 44 USC 3554.>>  Federal agency 
                  responsibilities

    ``(a) In General.--The head of each agency shall--
            ``(1) be responsible for--
                    ``(A) providing information security protections 
                commensurate with the risk and magnitude of the harm 
                resulting from unauthorized access, use, disclosure, 
                disruption, modification, or destruction of--
                          ``(i) information collected or maintained by 
                      or on behalf of the agency; and
                          ``(ii) information systems used or operated by 
                      an agency or by a contractor of an agency or other 
                      organization on behalf of an agency;
                    ``(B) complying with the requirements of this 
                subchapter and related policies, procedures, standards, 
                and guidelines, including--
                          ``(i) information security standards 
                      promulgated under section 11331 of title 40;
                          ``(ii) operational directives developed by the 
                      Secretary under section 3553(b);
                          ``(iii) policies and procedures issued by the 
                      Director; and
                          ``(iv) <<NOTE: President.>>  information 
                      security standards and guidelines for national 
                      security systems issued in accordance with law and 
                      as directed by the President; and
                    ``(C) ensuring that information security management 
                processes are integrated with agency strategic, 
                operational, and budgetary planning processes;
            ``(2) ensure that senior agency officials provide 
        information security for the information and information systems 
        that support the operations and assets under their control, 
        including through--
                    ``(A) assessing the risk and magnitude of the harm 
                that could result from the unauthorized access, use, 
                disclosure, disruption, modification, or destruction of 
                such information or information systems;
                    ``(B) determining the levels of information security 
                appropriate to protect such information and information 
                systems in accordance with standards promulgated under 
                section 11331 of title 40, for information security 
                classifications and related requirements;
                    ``(C) implementing policies and procedures to cost-
                effectively reduce risks to an acceptable level; and
                    ``(D) periodically testing and evaluating 
                information security controls and techniques to ensure 
                that they are effectively implemented;
            ``(3) <<NOTE: Delegated authority.>>  delegate to the agency 
        Chief Information Officer established under section 3506 (or 
        comparable official in an agency not covered by such section) 
        the authority to ensure compliance with the requirements imposed 
        on the agency under this subchapter, including--
                    ``(A) designating a senior agency information 
                security officer who shall--
                          ``(i) carry out the Chief Information 
                      Officer's responsibilities under this section;

[[Page 128 STAT. 3079]]

                          ``(ii) possess professional qualifications, 
                      including training and experience, required to 
                      administer the functions described under this 
                      section;
                          ``(iii) have information security duties as 
                      that official's primary duty; and
                          ``(iv) head an office with the mission and 
                      resources to assist in ensuring agency compliance 
                      with this section;
                    ``(B) developing and maintaining an agencywide 
                information security program as required by subsection 
                (b);
                    ``(C) developing and maintaining information 
                security policies, procedures, and control techniques to 
                address all applicable requirements, including those 
                issued under section 3553 of this title and section 
                11331 of title 40;
                    ``(D) training and overseeing personnel with 
                significant responsibilities for information security 
                with respect to such responsibilities; and
                    ``(E) assisting senior agency officials concerning 
                their responsibilities under paragraph (2);
            ``(4) ensure that the agency has trained personnel 
        sufficient to assist the agency in complying with the 
        requirements of this subchapter and related policies, 
        procedures, standards, and guidelines;
            ``(5) <<NOTE: Coordination. Reports. Deadline.>>  ensure 
        that the agency Chief Information Officer, in coordination with 
        other senior agency officials, reports annually to the agency 
        head on the effectiveness of the agency information security 
        program, including progress of remedial actions;
            ``(6) ensure that senior agency officials, including chief 
        information officers of component agencies or equivalent 
        officials, carry out responsibilities under this subchapter as 
        directed by the official delegated authority under paragraph 
        (3); and
            ``(7) ensure that all personnel are held accountable for 
        complying with the agency-wide information security program 
        implemented under subsection (b).

    ``(b) Agency Program.--Each agency shall develop, document, and 
implement an agency-wide information security program to provide 
information security for the information and information systems that 
support the operations and assets of the agency, including those 
provided or managed by another agency, contractor, or other source, that 
includes--
            ``(1) <<NOTE: Risk assessments.>>  periodic assessments of 
        the risk and magnitude of the harm that could result from the 
        unauthorized access, use, disclosure, disruption, modification, 
        or destruction of information and information systems that 
        support the operations and assets of the agency, which may 
        include using automated tools consistent with standards and 
        guidelines promulgated under section 11331 of title 40;
            ``(2) <<NOTE: Procedures.>>  policies and procedures that--
                    ``(A) are based on the risk assessments required by 
                paragraph (1);
                    ``(B) cost-effectively reduce information security 
                risks to an acceptable level;
                    ``(C) ensure that information security is addressed 
                throughout the life cycle of each agency information 
                system; and

[[Page 128 STAT. 3080]]

                    ``(D) ensure compliance with--
                          ``(i) the requirements of this subchapter;
                          ``(ii) policies and procedures as may be 
                      prescribed by the Director, and information 
                      security standards promulgated under section 11331 
                      of title 40;
                          ``(iii) minimally acceptable system 
                      configuration requirements, as determined by the 
                      agency; and
                          ``(iv) <<NOTE: President.>>  any other 
                      applicable requirements, including standards and 
                      guidelines for national security systems issued in 
                      accordance with law and as directed by the 
                      President;
            ``(3) subordinate plans for providing adequate information 
        security for networks, facilities, and systems or groups of 
        information systems, as appropriate;
            ``(4) security awareness training to inform personnel, 
        including contractors and other users of information systems 
        that support the operations and assets of the agency, of--
                    ``(A) information security risks associated with 
                their activities; and
                    ``(B) their responsibilities in complying with 
                agency policies and procedures designed to reduce these 
                risks;
            ``(5) <<NOTE: Evaluation.>>  periodic testing and evaluation 
        of the effectiveness of information security policies, 
        procedures, and practices, to be performed with a frequency 
        depending on risk, but no less than annually, of which such 
        testing--
                    ``(A) shall include testing of management, 
                operational, and technical controls of every information 
                system identified in the inventory required under 
                section 3505(c);
                    ``(B) may include testing relied on in an evaluation 
                under section 3555; and
                    ``(C) shall include using automated tools, 
                consistent with standards and guidelines promulgated 
                under section 11331 of title 40;
            ``(6) a process for planning, implementing, evaluating, and 
        documenting remedial action to address any deficiencies in the 
        information security policies, procedures, and practices of the 
        agency;
            ``(7) <<NOTE: Procedures.>>  procedures for detecting, 
        reporting, and responding to security incidents, which--
                    ``(A) shall be consistent with the standards and 
                guidelines described in section 3556(b);
                    ``(B) may include using automated tools; and
                    ``(C) <<NOTE: Notification. Consultation.>>  shall 
                include--
                          ``(i) mitigating risks associated with such 
                      incidents before substantial damage is done;
                          ``(ii) notifying and consulting with the 
                      Federal information security incident center 
                      established in section 3556; and
                          ``(iii) notifying and consulting with, as 
                      appropriate--
                                    ``(I) law enforcement agencies and 
                                relevant Offices of Inspector General 
                                and Offices of General Counsel;
                                    ``(II) <<NOTE: President.>>  an 
                                office designated by the President for 
                                any incident involving a national 
                                security system;
                                    ``(III) for a major incident, the 
                                committees of Congress described in 
                                subsection (c)(1)--

[[Page 128 STAT. 3081]]

                                            ``(aa) <<NOTE: Deadline.>>  
                                        not later than 7 days after the 
                                        date on which there is a 
                                        reasonable basis to conclude 
                                        that the major incident has 
                                        occurred; and
                                            ``(bb) after the initial 
                                        notification under item (aa), 
                                        within a reasonable period of 
                                        time after additional 
                                        information relating to the 
                                        incident is discovered, 
                                        including the summary required 
                                        under subsection (c)(1)(A)(i); 
                                        and
                                    ``(IV) <<NOTE: President.>>  any 
                                other agency or office, in accordance 
                                with law or as directed by the 
                                President; and
            ``(8) <<NOTE: Plans. Procedures.>>  plans and procedures to 
        ensure continuity of operations for information systems that 
        support the operations and assets of the agency.

    ``(c) Agency Reporting.--
            ``(1) Annual report.--
                    ``(A) In general.--Each agency shall submit to the 
                Director, the Secretary, the Committee on Government 
                Reform, the Committee on Homeland Security, and the 
                Committee on Science of the House of Representatives, 
                the Committee on Homeland Security and Governmental 
                Affairs and the Committee on Commerce, Science, and 
                Transportation of the Senate, the appropriate 
                authorization and appropriations committees of Congress, 
                and the Comptroller General a report on the adequacy and 
                effectiveness of information security policies, 
                procedures, and practices, including--
                          ``(i) a description of each major information 
                      security incident or related sets of incidents, 
                      including summaries of--
                                    ``(I) the threats and threat actors, 
                                vulnerabilities, and impacts relating to 
                                the incident;
                                    ``(II) <<NOTE: Risk 
                                assessments. Deadline.>>  the risk 
                                assessments conducted under section 
                                3554(a)(2)(A) of the affected 
                                information systems before the date on 
                                which the incident occurred;
                                    ``(III) the status of compliance of 
                                the affected information systems with 
                                applicable security requirements at the 
                                time of the incident; and
                                    ``(IV) the detection, response, and 
                                remediation actions;
                          ``(ii) the total number of information 
                      security incidents, including a description of 
                      incidents resulting in significant compromise of 
                      information security, system impact levels, types 
                      of incident, and locations of affected systems;
                          ``(iii) a description of each major 
                      information security incident that involved a 
                      breach of personally identifiable information, as 
                      defined by the Director, including--
                                    ``(I) the number of individuals 
                                whose information was affected by the 
                                major information security incident; and
                                    ``(II) a description of the 
                                information that was breached or 
                                exposed; and

[[Page 128 STAT. 3082]]

                          ``(iv) <<NOTE: Consultation.>>  any other 
                      information as the Director or the Secretary, in 
                      consultation with the Director, may require.
                    ``(B) Unclassified report.--
                          ``(i) In general.--Each report submitted under 
                      subparagraph (A) shall be in unclassified form, 
                      but may include a classified annex.
                          ``(ii) Access to information.--The head of an 
                      agency shall ensure that, to the greatest extent 
                      practicable, information is included in the 
                      unclassified version of the reports submitted by 
                      the agency under subparagraph (A).
            ``(2) Other plans and reports.--Each agency shall address 
        the adequacy and effectiveness of information security policies, 
        procedures, and practices in management plans and reports.

    ``(d) <<NOTE: Consultation.>>  Performance Plan.--(1) In addition to 
the requirements of subsection (c), each agency, in consultation with 
the Director, shall include as part of the performance plan required 
under section 1115 of title 31 a description of--
            ``(A) the time periods; and
            ``(B) the resources, including budget, staffing, and 
        training,

that are necessary to implement the program required under subsection 
(b).
    ``(2) The description under paragraph (1) shall be based on the risk 
assessments required under subsection (b)(1).
    ``(e) Public Notice and Comment.--Each agency shall provide the 
public with timely notice and opportunities for comment on proposed 
information security policies and procedures to the extent that such 
policies and procedures affect communication with the public.
``Sec. 3555. <<NOTE: 42 USC 3555.>>  Annual independent evaluation

    ``(a) In General.--(1) Each year each agency shall have performed an 
independent evaluation of the information security program and practices 
of that agency to determine the effectiveness of such program and 
practices.
    ``(2) Each evaluation under this section shall include--
            ``(A) <<NOTE: Testing.>>  testing of the effectiveness of 
        information security policies, procedures, and practices of a 
        representative subset of the agency's information systems;
            ``(B) <<NOTE: Assessment.>>  an assessment of the 
        effectiveness of the information security policies, procedures, 
        and practices of the agency; and
            ``(C) separate presentations, as appropriate, regarding 
        information security relating to national security systems.

    ``(b) Independent Auditor.--Subject to subsection (c)--
            ``(1) for each agency with an Inspector General appointed 
        under the Inspector General Act of 1978, the annual evaluation 
        required by this section shall be performed by the Inspector 
        General or by an independent external auditor, as determined by 
        the Inspector General of the agency; and
            ``(2) for each agency to which paragraph (1) does not apply, 
        the head of the agency shall engage an independent external 
        auditor to perform the evaluation.

    ``(c) National Security Systems.--For each agency operating or 
exercising control of a national security system, that portion

[[Page 128 STAT. 3083]]

of the evaluation required by this section directly relating to a 
national security system shall be performed--
            ``(1) only by an entity designated by the agency head; and
            ``(2) in such a manner as to ensure appropriate protection 
        for information associated with any information security 
        vulnerability in such system commensurate with the risk and in 
        accordance with all applicable laws.

    ``(d) Existing Evaluations.--The evaluation required by this section 
may be based in whole or in part on an audit, evaluation, or report 
relating to programs or practices of the applicable agency.
    ``(e) Agency Reporting.--(1) Each year, not later than such date 
established by the Director, the head of each agency shall submit to the 
Director the results of the evaluation required under this section.
    ``(2) <<NOTE: Assessment.>>  To the extent an evaluation required 
under this section directly relates to a national security system, the 
evaluation results submitted to the Director shall contain only a 
summary and assessment of that portion of the evaluation directly 
relating to a national security system.

    ``(f) Protection of Information.--Agencies and evaluators shall take 
appropriate steps to ensure the protection of information which, if 
disclosed, may adversely affect information security. Such protections 
shall be commensurate with the risk and comply with all applicable laws 
and regulations.
    ``(g) OMB Reports to Congress.--(1) The Director shall summarize the 
results of the evaluations conducted under this section in the report to 
Congress required under section 3553(c).
    ``(2) The Director's report to Congress under this subsection shall 
summarize information regarding information security relating to 
national security systems in such a manner as to ensure appropriate 
protection for information associated with any information security 
vulnerability in such system commensurate with the risk and in 
accordance with all applicable laws.
    ``(3) <<NOTE: Evaluations.>>  Evaluations and any other descriptions 
of information systems under the authority and control of the Director 
of National Intelligence or of National Foreign Intelligence Programs 
systems under the authority and control of the Secretary of Defense 
shall be made available to Congress only through the appropriate 
oversight committees of Congress, in accordance with applicable laws.

    ``(h) <<NOTE: Evaluation. Reports.>>  Comptroller General.--The 
Comptroller General shall periodically evaluate and report to Congress 
on--
            ``(1) the adequacy and effectiveness of agency information 
        security policies and practices; and
            ``(2) implementation of the requirements of this subchapter.

    ``(i) <<NOTE: Testing.>>  Assessment Technical Assistance.--The 
Comptroller General may provide technical assistance to an Inspector 
General or the head of an agency, as applicable, to assist the Inspector 
General or head of an agency in carrying out the duties under this 
section, including by testing information security controls and 
procedures.

    ``(j) <<NOTE: Consultation.>>  Guidance.--The Director, in 
consultation with the Secretary, the Chief Information Officers Council 
established under section 3603, the Council of the Inspectors General on 
Integrity and Efficiency, and other interested parties as appropriate, 
shall ensure the development of guidance for evaluating the 
effectiveness of an information security program and practices.

[[Page 128 STAT. 3084]]

``Sec. 3556. <<NOTE: 44 USC 3556.>>  Federal information security 
                  incident center

    ``(a) In General.--The Secretary shall ensure the operation of a 
central Federal information security incident center to--
            ``(1) provide timely technical assistance to operators of 
        agency information systems regarding security incidents, 
        including guidance on detecting and handling information 
        security incidents;
            ``(2) <<NOTE: Analysis.>>  compile and analyze information 
        about incidents that threaten information security;
            ``(3) inform operators of agency information systems about 
        current and potential information security threats, and 
        vulnerabilities;
            ``(4) provide, as appropriate, intelligence and other 
        information about cyber threats, vulnerabilities, and incidents 
        to agencies to assist in risk assessments conducted under 
        section 3554(b); and
            ``(5) <<NOTE: Consultation. President.>>  consult with the 
        National Institute of Standards and Technology, agencies or 
        offices operating or exercising control of national security 
        systems (including the National Security Agency), and such other 
        agencies or offices in accordance with law and as directed by 
        the President regarding information security incidents and 
        related matters.

    ``(b) National Security Systems.--Each agency operating or 
exercising control of a national security system shall share information 
about information security incidents, threats, and vulnerabilities with 
the Federal information security incident center to the extent 
consistent with standards and guidelines for national security systems, 
issued in accordance with law and as directed by the President.
``Sec. 3557. <<NOTE: 44 USC 3557.>>  National security systems

    ``The head of each agency operating or exercising control of a 
national security system shall be responsible for ensuring that the 
agency--
            ``(1) provides information security protections commensurate 
        with the risk and magnitude of the harm resulting from the 
        unauthorized access, use, disclosure, disruption, modification, 
        or destruction of the information contained in such system;
            ``(2) <<NOTE: President.>>  implements information security 
        policies and practices as required by standards and guidelines 
        for national security systems, issued in accordance with law and 
        as directed by the President; and
            ``(3) <<NOTE: Compliance.>>  complies with the requirements 
        of this subchapter.
``Sec. 3558. <<NOTE: 44 USC 3558.>>  Effect on existing law

    ``Nothing in this subchapter, section 11331 of title 40, or section 
20 of the National Standards and Technology Act (15 U.S.C. 278g-3) may 
be construed as affecting the authority of the President, the Office of 
Management and Budget or the Director thereof, the National Institute of 
Standards and Technology, or the head of any agency, with respect to the 
authorized use or disclosure of information, including with regard to 
the protection of personal privacy under section 552a of title 5, the 
disclosure of information under section 552 of title 5, the management 
and disposition of records under chapters 29, 31, or 33 of title 44, the 
management of information resources under subchapter I of chapter 35 of 
this

[[Page 128 STAT. 3085]]

title, or the disclosure of information to the Congress or the 
Comptroller General of the United States.''.
    (b) <<NOTE: 44 USC 3554 note.>>  Major Incident.--The Director of 
the Office of Management and Budget shall--
            (1) <<NOTE: Guidance.>>  develop guidance on what 
        constitutes a major incident for purposes of section 3554(b) of 
        title 44, United States Code, as added by subsection (a); and
            (2) <<NOTE: Briefings. Deadline.>>  provide to Congress 
        periodic briefings on the status of the developing of the 
        guidance until the date on which the guidance is issued.

    (c) <<NOTE: Time period. Assessment.>>  Continuous Diagnostics.--
During the 2 year period beginning on the date of enactment of this Act, 
the Director of the Office of Management and Budget, with the assistance 
of the Secretary of Homeland Security, shall include in each report 
submitted under section 3553(c) of title 44, United States Code, as 
added by subsection (a), an assessment of the adoption by agencies of 
continuous diagnostics technologies, including through the Continuous 
Diagnostics and Mitigation program, and other advanced security tools to 
provide information security, including challenges to the adoption of 
such technologies or security tools.

    (d) <<NOTE: 44 USC 3553 note. Notification.>>  Breaches.--
            (1) Requirements.--The Director of the Office of Management 
        and Budget shall ensure that data breach notification policies 
        and guidelines are updated periodically and require--
                    (A) except as provided in paragraph (4), notice by 
                the affected agency to each committee of Congress 
                described in section 3554(c)(1) of title 44, United 
                States Code, as added by subsection (a), the Committee 
                on the Judiciary of the Senate, and the Committee on the 
                Judiciary of the House of Representatives, which shall--
                          (i) <<NOTE: Deadline.>>  be provided 
                      expeditiously and not later than 30 days after the 
                      date on which the agency discovered the 
                      unauthorized acquisition or access; and
                          (ii) include--
                                    (I) information about the breach, 
                                including a summary of any information 
                                that the agency knows on the date on 
                                which notification is provided about how 
                                the breach occurred;
                                    (II) <<NOTE: Estimate. Risk 
                                assessment.>>  an estimate of the number 
                                of individuals affected by the breach, 
                                based on information that the agency 
                                knows on the date on which notification 
                                is provided, including an assessment of 
                                the risk of harm to affected 
                                individuals;
                                    (III) a description of any 
                                circumstances necessitating a delay in 
                                providing notice to affected 
                                individuals; and
                                    (IV) <<NOTE: Estimate.>>  an 
                                estimate of whether and when the agency 
                                will provide notice to affected 
                                individuals; and
                    (B) notice by the affected agency to affected 
                individuals, pursuant to data breach notification 
                policies and guidelines, which shall be provided as 
                expeditiously as practicable and without unreasonable 
                delay after the agency discovers the unauthorized 
                acquisition or access.
            (2) National security; law enforcement; remediation.--The 
        Attorney General, the head of an element of the intelligence 
        community (as such term is defined under section

[[Page 128 STAT. 3086]]

        3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)), 
        or the Secretary of Homeland Security may delay the notice to 
        affected individuals under paragraph (1)(B) if the notice would 
        disrupt a law enforcement investigation, endanger national 
        security, or hamper security remediation actions.
            (3) <<NOTE: Time period. Effective date.>>  Reports.--
                    (A) Director of omb.--During the first 2 years 
                beginning after the date of enactment of this Act, the 
                Director of the Office of Management and Budget shall, 
                on an annual basis--
                          (i) <<NOTE: Assessment.>>  assess agency 
                      implementation of data breach notification 
                      policies and guidelines in aggregate; and
                          (ii) include the assessment described in 
                      clause (i) in the report required under section 
                      3553(c) of title 44, United States Code.
                    (B) Secretary of homeland security.--During the 
                first 2 years beginning after the date of enactment of 
                this Act, the Secretary of Homeland Security shall 
                include an assessment of the status of agency 
                implementation of data breach notification policies and 
                guidelines in the requirements under section 
                3553(b)(2)(B) of title 44, United States Code.
            (4) <<NOTE: Notification.>>  Exception.--Any element of the 
        intelligence community (as such term is defined under section 
        3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)) 
        that is required to provide notice under paragraph (1)(A) shall 
        only provide such notice to appropriate committees of Congress.
            (5) Rule of construction.--Nothing in paragraph (1) shall be 
        construed to alter any authority of a Federal agency or 
        department.

    (e) Technical and Conforming Amendments.--
            (1) Table of sections.--The table of sections for chapter 35 
        of title 44, United States Code is amended by striking the 
        matter relating to subchapters II and III <<NOTE: 44 USC prec. 
        3501.>>  and inserting the following:

                  ``subchapter ii--information security

``3551. Purposes.
``3552. Definitions.
``3553. Authority and functions of the Director and the Secretary.
``3554. Federal agency responsibilities.
``3555. Annual independent evaluation.
``3556. Federal information security incident center.
``3557. National security systems.
``3558. Effect on existing law.''.

            (2) Cybersecurity research and development act.--Section 
        8(d)(1) of the Cybersecurity Research and Development Act (15 
        U.S.C. 7406) is amended by striking ``section 3534'' and 
        inserting ``section 3554''.
            (3) Homeland security act of 2002.--The Homeland Security 
        Act of 2002 (6 U.S.C. 101 et seq.) is amended--
                    (A) in section 223 (6 U.S.C. 143)
                          (i) in the section heading, by inserting 
                      ``federal and'' before ``non-federal'';
                          (ii) in the matter preceding paragraph (1), by 
                      striking ``the Under Secretary for Intelligence 
                      and Analysis, in cooperation with the Assistant 
                      Secretary for Infrastructure Protection'' and 
                      inserting ``the Under Secretary appointed under 
                      section 103(a)(1)(H)'';

[[Page 128 STAT. 3087]]

                          (iii) in paragraph (2), by striking the period 
                      at the end and inserting ``; and''; and
                          (iv) by adding at the end the following:
            ``(3) fulfill the responsibilities of the Secretary to 
        protect Federal information systems under subchapter II of 
        chapter 35 of title 44, United States Code.'';
                    (B) in section 1001(c)(1)(A) (6 U.S.C. 
                511(c)(1)(A)), by striking ``section 3532(3)'' and 
                inserting ``section 3552(b)(5)''; and
                    (C) in the table of contents in section 1(b), by 
                striking the item relating to section 223 and inserting 
                the following:

``Sec. 223. Enhancement of Federal and non-Federal cybersecurity.''.

            (4) National institute of standards and technology act.--
        Section 20 of the National Institute of Standards and Technology 
        Act (15 U.S.C. 278g-3) is amended--
                    (A) in subsection (a)(2), by striking ``section 
                3532(b)(2)'' and inserting ``section 3552(b)(5)''; and
                    (B) in subsection (e)--
                          (i) in paragraph (2), by striking ``section 
                      3532(1)'' and inserting ``section 3552(b)(2)''; 
                      and
                          (ii) in paragraph (5), by striking ``section 
                      3532(b)(2)'' and inserting ``section 3552(b)(5)''.
            (5) Title 10.--Title 10, United States Code, is amended--
                    (A) <<NOTE: 10 USC 2222.>>  in section 2222(j)(5), 
                by striking ``section 3542(b)(2)'' and inserting 
                ``section 3552(b)(5)'';
                    (B) in section 2223(c)(3), by striking ``section 
                3542(b)(2)'' and inserting ``section 3552(b)(5)''; and
                    (C) in section 2315, by striking ``section 
                3542(b)(2)'' and inserting ``section 3552(b)(5)''.

    (f) Other Provisions.--
            (1) <<NOTE: Reports. Deadline.>>  Circular a-130.--Not later 
        than 1 year after the date of enactment of this Act, the 
        Director of the Office of Management and Budget shall amend or 
        revise Office of Management and Budget Circular A-130 to 
        eliminate inefficient or wasteful reporting. 
        The <<NOTE: Deadline. Briefings.>>  Director of the Office of 
        Management and Budget shall provide quarterly briefings to 
        Congress on the status of the amendment or revision required 
        under this paragraph.
            (2) ISPAB.--Section 21(b) of the National Institute of 
        Standards and Technology Act (15 U.S.C. 278g-4(b)) is amended--
                    (A) in paragraph (2), by inserting ``, the Secretary 
                of Homeland Security,'' after ``the Institute''; and

[[Page 128 STAT. 3088]]

                    (B) in paragraph (3), by inserting ``the Secretary 
                of Homeland Security,'' after ``the Secretary of 
                Commerce,''.

    Approved December 18, 2014.

LEGISLATIVE HISTORY--S. 2521:
---------------------------------------------------------------------------

SENATE REPORTS: No. 113-256 (Comm. on Homeland Security and Governmental 
Affairs).
CONGRESSIONAL RECORD, Vol. 160 (2014):
            Dec. 8, considered and passed Senate.
            Dec. 10, considered and passed House.

                                  <all>