[Senate Report 117-274] [From the U.S. Government Publishing Office] Calendar No. 673 117th Congress } { Report SENATE 2d Session } { 117-274 _______________________________________________________________________ FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2021 __________ R E P O R T of the COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS UNITED STATES SENATE to accompany S. 2902 TO MODERNIZE FEDERAL INFORMATION SECURITY MANAGEMENT, AND FOR OTHER PURPOSES [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] December 19, 2022.--Ordered to be printed _________ U.S. GOVERNMENT PUBLISHING OFFICE 39-010 WASHINGTON : 2023 COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS GARY C. PETERS, Michigan, Chairman THOMAS R. CARPER, Delaware ROB PORTMAN, Ohio MAGGIE HASSAN, New Hampshire RON JOHNSON, Wisconsin KYRSTEN SINEMA, Arizona RAND PAUL, Kentucky JACKY ROSEN, Nevada JAMES LANKFORD, Oklahoma ALEX PADILLA, California MITT ROMNEY, Utah JON OSSOFF, Georgia RICK SCOTT, Florida JOSH HAWLEY, Missouri David M. Weinberg, Staff Director Zachary I. Schram, Chief Counsel Christopher J. Mulkins, Director of Homeland Security Jeffrey D. Rothblum, Senior Professional Staff Member Pamela Thiessen, Minority Staff Director Sam J. Mulopulos, Minority Deputy Staff Director William H.W. McKenna, Minority Chief Counsel Cara G. Mumford, Minority Director of Governmental Affairs Laura W. Kilbride, Chief Clerk Calendar No. 673 117th Congress } { Report SENATE 2d Session } { 117-274 ====================================================================== FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2021 _______ December 19, 2022.--Ordered to be printed _______ Mr. Peters, from the Committee on Homeland Security and Governmental Affairs, submitted the following R E P O R T [To accompany S. 2902] [Including cost estimate of the Congressional Budget Office] The Committee on Homeland Security and Governmental Affairs, to which was referred the bill (S. 2902), to modernize Federal information security management, and for other purposes, having considered the same, reports favorably thereon with an amendment, in the nature of a substitute, and recommends that the bill, as amended, do pass. CONTENTS Page I. Purpose and Summary.............................................. 1 II. Background and Need for the Legislation.......................... 2 III. Legislative History.............................................. 4 IV. Section-by-Section Analysis of the Bill, as Reported............. 5 V. Evaluation of Regulatory Impact................................. 14 VI. Congressional Budget Office Cost Estimate....................... 15 VII. Changes in Existing Law Made by the Bill, as Reported........... 17 I. Purpose and Summary S. 2902, the Federal Information Security Modernization Act of 2021 (FISMA 2021), revises and updates the Federal Information Security Modernization Act of 2014 (FISMA 2014) to support a more effective Federal cybersecurity regime and improve cybersecurity coordination between the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Agency (CISA), the Office of the National Cyber Director (NCD), and other Federal agencies and contractors. The bill reforms how Federal agencies report and respond to cyber attacks, codifies and expands security priorities such as zero trust architecture, and enhances logging and detection capabilities. FISMA 2021 also provides new operational authorities to bolster CISA's lead role in supporting agency information security programs, ensuring that CISA is the central point for reporting and help to remediate incidents and breaches on Federal networks. II. Background and Need for the Legislation The United States' Federal cybersecurity posture has left America's data at risk.\1\ Despite reforms to Federal cybersecurity codified in FISMA 2014, Federal agencies continue to receive poor marks for cybersecurity.\2\ Recent attacks, such as the SolarWinds breach, led to compromises of Federal government agencies and have shown the vulnerability of Federal information systems to hackers, underscoring the urgent need for Federal cybersecurity reforms.\3\ --------------------------------------------------------------------------- \1\Senate Committee on Homeland Security and Governmental Affairs, Federal Cybersecurity: America's Data Still At Risk (Aug. 2021) (S. Rept. 117-XX). \2\Id. \3\SolarWinds recap: All of the federal agencies caught up in the Orion breach, FEDSCOOP (Dec. 22, 2020) (https://www.fedscoop.com/ solarwinds-recap-federal-agencies-caught-orion- breach/) --------------------------------------------------------------------------- The Senate Homeland Security and Governmental Affairs Committee thoroughly examined the issues surrounding Federal cybersecurity, hosted multiple hearings and published a report during the 117th Congress.\4\ These hearings and report illuminated several themes that FISMA 2021 works to address, including: --------------------------------------------------------------------------- \4\Senate Committee on Homeland Security and Governmental Affairs, Hearing on GAO's 2021 High Risk List: Addressing Waste, Fraud, and Abuse, 117th Cong. (Mar. 2, 2021 ) (S. Hrg. 117-XX); Senate Committee on Homeland Security and Governmental Affairs, Hearing on Understanding and Responding to the SolarWinds Supply Chain Attack: The Federal Perspective (Mar. 18, 2021) (S. Hrg. 117-XX); Senate Committee on Homeland Security and Governmental Affairs, Hearing on Prevention, Response, and Recovery: Improving Federal Cybersecurity Post-SolarWinds (May 11, 2021) (S. Hrg. 117-XX); Senate Committee on Homeland Security and Governmental Affairs, Hearing on National Cybersecurity Strategy: Protection of Federal and Critical Infrastructure Systems (Sep. 23, 2021) (S. Hrg. 117-XX); Senate Committee on Homeland Security and Governmental Affairs, Federal Cybersecurity: America's Data Still At Risk (Aug. 2021) (S. Rept. 117-XX). ---------------------------------------------------------------------------The need for improved Congressional oversight over agency cybersecurity incidents; The benefits of integrating Federal cybersecurity by breaking down silos between agencies; The importance of the National Cyber Director (NCD) and Cybersecurity and Infrastructure Security Agency (CISA), and the need to codify their Federal cybersecurity roles; and The benefits of taking a risk-based approach to cybersecurity, and to allocate resources away from burdensome reporting requirements. FISMA 2021 addresses these issues by building on and updating FISMA 2014. The bill updates the law to recognize and clearly define the roles of two Federal entities that did not exist when FISMA 2014 was passed: CISA as the lead agency for operational Federal cybersecurity support and the NCD serving as the lead cybersecurity advisor to the President for strategy and budgeting priorities. These two new offices, along with OMB, are tasked with breaking down the silos between agencies by being required to consult on various agency cybersecurity plans and investments. They are also tasked with centralizing analysis of incident data, to reduce the burden on each agency and enable Federal-wide analysis of cyber attacks. Under FISMA 2014, Congress is required to be notified when an agency experiences a ``major incident''--a subset of all cybersecurity incidents that reach an OMB defined threshold of significance.\5\ Congress received zero major incident reports in Fiscal Year (FY) 2018, out of a total of 31,107 cybersecurity incidents at agencies. In FY 2019, only 3 major incidents were reported, and in FY 2020 only 6 major incidents were reported, with about 30,000 total agency incidents occurring in each of those two years.\6\ One of the recommendations from the Committee's report on FISMA was the need to define ``major incidents'' such that Congress is notified in a consistent and timely manner, rather than continue to rely on OMB's current definition which has led to inconsistent notifications.\7\ FISMA 2021 attempts to address this issue by explicitly defining the thresholds for ``major incidents'' that need to be reported to Congress. --------------------------------------------------------------------------- \5\Under FISMA 2014, the definition of a cybersecurity incident is ``an occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. FISMA 2014 also gives OMB the authority to set the definition of a ``major incident'' without any additional specifications on what the threshold should include. 44 U.S.C. Sec. 3552; Pub. L. 113-283, Sec. 2(b). \6\Executive Office of the President, Federal Information Security Modernization Act of 2014 Annual Report to Congress Fiscal Year 2018 (Sep. 2019); Executive Office of the President, Federal Information Security Modernization Act of 2014 Annual Report to Congress Fiscal Year 2019 (May 2020); Executive Office of the President, Federal Information Security Modernization Act of 2014 Annual Report to Congress Fiscal Year 2020 (May 2021) \7\Senate Committee on Homeland Security and Governmental Affairs, Federal Cybersecurity: America's Data Still At Risk (Aug. 2021) (S. Rept. 117-XX) --------------------------------------------------------------------------- The major incident definition in FISMA 2021 builds on the existing definition established by the OMB. The existing definition focuses on national security and national health, safety and privacy of the public, while the FISMA 2021 language also includes cyber incidents that impact an agency's ability to deliver a critical service, that impact high value assets agencies, and require notification when sensitive agency information is exposed to a foreign entity. The major incident definition also changes the thresholds for reporting to Congress when personally identifiable information is breached, and requires the NCD to declare a major incident at each impacted agency if a common root cause leads to incidents at multiple agencies, as occurred during the SolarWinds incident.\8\ The existing major incident definition, and the definition at the time of the SolarWinds incident, as established by OMB pursuant to FISMA 2014, do not include any requirements for reporting incidents impacting multiple agencies.\9\ During the SolarWinds compromise, some agencies declared major incidents to Congress, while others who were publicly reported to have been impacted, did not. Preliminary inconsistencies in applying the major incident standard also led agencies to at times delay notification to Congress. These issues led to then-Ranking Member Peters sending letters to 26 agencies requesting information about their status with respect to the vulnerability and if they had experienced any resulting cybersecurity incidents, for lack of any other mechanism to determine the full impact to the Federal government.\10\ --------------------------------------------------------------------------- \8\SolarWinds recap: All of the federal agencies caught up in the Orion breach, FEDSCOOP (Dec. 22, 2020) (https://www.fedscoop.com/ solarwinds-recap-federal-agencies-caught-orion- breach/) \9\Office of Management and Budget, Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements (M- 20-04) (Nov. 2019); Office of Management and Budget, Fiscal Year 2020- 2021 Guidance on Federal Information Security and Privacy Management Requirements (M-21-02) (Nov. 2020) \10\Letters from Ranking Member Gary C. Peters to the heads of the following agencies: Department of Health and Human Services, Environmental Protection Agency, Department of Housing and Urban Development, Department of Homeland Security, Federal Emergency Management Agency, Department of Defense, Department of Energy, Department of the Interior, Department of Transportation, General Services Administration, Department of Labor, Department of Justice, National Aeronautics and Space Administration, United States Agency for International Development, Small Business Administration, U.S. Nuclear Regulatory Commission, Department of State, Office of Personnel Management, Department of Education, Department of Veterans Affairs, Office of Management and Budget, Office of the Director of National Intelligence, National Science Foundation, Department of Agriculture, Department of Treasury, and Department of Commerce (Feb. 21, 2019) --------------------------------------------------------------------------- FISMA 2021 also moves agencies towards a risk-based approach, while reducing resources dedicated to reporting metrics. Each agency is required to perform an ongoing and continuous agency risk assessment, and CISA is required to consolidate this work to perform Federal-wide risk assessments. These assessments will be required to be incorporated into agency resource allocations for cybersecurity investments. The bill also shifts existing agency annual FISMA reports to be every two years, and requires agencies move to automation for information sharing throughout the legislation. Additionally, the Committee performed oversight over the Biden Administration's Executive Order 14028 on cybersecurity, including requirements for agencies to move to Zero Trust Architectures.\11\ Several provisions of FISMA 2021 are based on that directive and other recent Executive branch mandates to require agencies to move towards modern cybersecurity practices, including increased use of automation, moving network security to Zero Trust Architectures using principles of least privilege, increased use of penetration testing, and establishing vulnerability disclosure programs at all agencies.\12\ --------------------------------------------------------------------------- \11\Exec. Order No. 14028, 86 Fed. Reg. 26633 (May 12, 2021). \12\E.g. Cybersecurity and Infrastructure Security Agency, Binding Operational Directive 20-01--Develop and Publish a Vulnerability Disclosure Policy (BOD-20-01) (Sep. 2020) and Exec. Order No. 14028, 86 Fed. Reg. 26633 (May 12, 2021). --------------------------------------------------------------------------- III. Legislative History Chairman Peters (D-MI) and Ranking Member Portman (R-OH) introduced S. 2902, the Federal Information Security Modernization Act of 2021, on September 29, 2021. The bill was referred to the Senate Committee on Homeland Security and Governmental Affairs. The Committee considered S. 2902 at a business meeting on October 6, 2021. During the business meeting, a substitute amendment, as modified, was offered by Chairman Peters and Ranking Member Portman which made technical corrections, adjusted a number of activity deadlines throughout the text, updated the definition of ``breach,'' updated the threshold for reporting breaches to Congress, updated the section on Zero Trust Architecture and least privilege principles, and removed several sections from the bill. The Peters-Portman substitute amendment, as modified, was adopted by unanimous consent, with Senators Peters, Carper, Hassan, Rosen, Padilla, Ossoff, Portman, Lankford, Romney, Scott, and Hawley present. The Committee ordered the bill, as amended, reported favorably by voice vote with Senators Peters, Carper, Hassan, Rosen, Padilla, Ossoff, Portman, Lankford, Romney, Scott, and Hawley present. IV. Section-by-Section Analysis of the Bill, as Reported Section 1. Short title This section designates the short title of the bill as the ``Federal Information Security Modernization Act of 2021.'' Section 2. Table of contents This section contains the table of contents. Section 3. Definitions This section defines ``additional cybersecurity procedure,'' ``agency,'' ``appropriate congressional committees,'' Director,'' ``incident,'' ``national security system,'' ``penetration test,'' and ``threat hunting.'' TITLE I. UPDATES TO FISMA Section 101. Title 44 amendments This section amends several sections within title 44, U.S. Code. Subsection (a) amends U.S. Code sections in subchapter I of chapter 35 of title 44. (a)(1) amends 44 U.S.C. Sec. 3504. It requires the Director of the Office of Management and Budget (OMB) to consult with the National Cyber Director (NCD) and the Director of the Cybersecurity and Infrastructure Security Agency (CISA) to develop policies, principles, standards, and guidelines on information confidentiality and security. (a)(2) amends 44 U.S.C. Sec. 3505. It includes the NCD and the Director of CISA on the list of individuals who receive a copy of the inventory of agency IT systems conducted by OMB and requires the inventory be maintained on a continual basis, through the use of automation. (a)(3) amends 44 U.S.C. Sec. 3506. It requires agencies to improve the availability of information resources and also requires agencies to promote security with respect to Federal information technology. (a)(4) amends 44 U.S.C. Sec. 3513. It requires agencies to provide any portion of a written plan, developed in response to an OMB review under Sec. 3513(a), addressing information security or cybersecurity to the Director of CISA. Subsection (b) amends definitions in U.S. Code subchapter II of chapter 35 of title 44. (b)(1) amends 44 U.S.C. Sec. 3552(b). It adds several definitions, including ``additional cybersecurity procedure,'' ``high value asset,'' ``major incident,'' ``penetration test,'' and ``shared service.'' (b)(2) contains a number of conforming amendments to align scattered Federal statutes with the updated definitions in Sec. 3552. Subsection (c) amends U.S. Code sections in subchapter II of chapter 35 of title 44. (c)(1) amends 44 U.S.C. Sec. 3551. It recognizes CISA as the lead cybersecurity entity for operational coordination and operational implementation across the Federal government, recognizes OMB as the leader for Federal cybersecurity policy development and oversight, and recognizes the NCD as responsible for developing the U.S. Cybersecurity Strategy and advising the President on cybersecurity. (c)(2) amends 44 U.S.C. Sec. 3553. This subsection requires agencies to submit FISMA reports every two years, instead of every year. It also requires OMB to work with CISA and the NCD to oversee agency information security policies and practices, including overseeing agency compliance. It also requires OMB to work with CISA and NIST to promote the use of automation and least privilege principles to improve cybersecurity. It also specifies that CISA, in consultation with the NCD and OMB, will administer the implementation of agency information security policies and practices, monitor implementation, lead coordination, perform penetration testing, and provide technical and operational assistance to agencies. (c)(2) also requires CISA to perform ongoing and continuous assessments of Federal cybersecurity risk posture, using a variety of information sources, and to brief OMB and NCD on those assessments. It also directs the Director of OMB to submit a report to Congress that includes the trends identified in the Federal risk assessment. This subsection also requires CISA to report to appropriate reporting entities, including Congress, within two days on the implementation by an agency of any binding operational or emergency directive issued by CISA to that agency. (c)(3) amends 44 U.S.C. Sec. 3554. This subsection requires agency heads to perform an ongoing and continuous agency risk assessment, specifies what must be included in that assessment, and requires that an update on that assessment to be provided to OMB, CISA, and the NCD. It requires agency heads to consult with OMB and CISA to evaluate whether additional cybersecurity procedures are required for individual information systems, provide those evaluations and implementation plans for any additional cybersecurity procedures to OMB, CISA, and the NCD, and ensure that those additional procedures are reflected in the risk-based cyber budget model. (c)(3) also aligns later sections of Sec. 3554 with the updated risk assessment, implementation plan, and other programs added by the bill, including ensuring compliance with operational directives, creating acceptable system configuration requirements, and creating a process for providing the status of remedial actions and known system vulnerabilities to CISA. This subsection requires information security officers of component agencies to carry out various information security responsibilities and report to their designated senior information security officer and the Chief Information Officer of the component agency. (c)(3) also requires each agency to submit a biannual report summarizing its annual risk assessment, evaluating the effectiveness of cybersecurity policies, summarizing evaluations and implementation plans, and summarizing the status of remedial actions identified by the agency Inspector General, GAO, or any other source to OMB, DHS, relevant Congressional committees, the NCD, and GAO. Finally, the subsection directs that, to the greatest extent practicable, those reports should be unclassified. (c)(4) amends 44 U.S.C. Sec. 3555. This subsection changes the independent evaluations of agency information security programs and practices from yearly to biannual and instructs agencies, evaluators, Congressional committees, and any other recipients of the information from those audits to take steps to protect information that, if disclosed, could adversely affect information security. It also instructs OMB to identify any entity performing this independent audit in OMB's summary report to Congress of these evaluations. (c)(4) further requires that the guidance developed by the OMB Director to evaluate the effectiveness of an information security program and practices will prioritize the identification of the most common threat patterns experienced by each agency and the security controls that address those patterns, and any other security risks unique to the networks of each agency. (c)(5) amends 44 U.S.C. Sec. 3556(a) to require the Federal information security incident center be maintained at CISA. Subsection (d) makes conforming amendments to update the table of sections and update other references to FISMA reports to be submitted every two years, instead of every year, as changed in Sec. 3553. Subsection (e)(1) amends U.S. Code by adding a new subchapter IV, Federal System Incident Response, to chapter 35 of title 44. This new subchapter contains new sections, discussed below: Sec. 3591 defines ``appropriate reporting entities,'' ``awardee,'' ``contractor,'' ``federal information,'' ``federal information system,'' ``intelligence community,'' ``nationwide consumer reporting agency,'' ``vulnerability disclosure,'' and ``breach.'' It also imports definitions from sections Sec. 3502 and Sec. 3552. Sec. 3592 requires agency heads to expeditiously determine whether notice to individuals potentially impacted by a cybersecurity breach is appropriate and, if appropriate, notify those individuals within 45 days after the agency has concluded that such an incident occurred. The section specifies the contents of the notification and allows the Attorney General, Director of National Intelligence, or Secretary of Homeland Security to delay the notification if it would impede a criminal investigation, reveal sensitive sources and methods, cause damage to national security, or hamper security remediation actions. It also imposes documentary requirements on such a delay. If there is a significant change in the details of the information that must be provided to impacted individuals, the agency must notify those individuals within 30 days. Sec. 3593 requires agencies to provide written notification to the appropriate reporting entities, and if practicable a briefing to Congress, within 72 hours after the agency has reasonable basis to conclude that a major incident occurred. It specifies the content of the report, and of a supplemental report required within 30 days after the written notification provided to the appropriate reporting entities is submitted, and requires the agency to provide an updated report if there is any significant change in the agency's understanding of the incident. The section also requires the agency, the NCD, and any other Federal entity deemed appropriate by the NCD to provide a briefing to Congress on the threat that caused the incident within seven days after the incident. Sec. 3594 requires agency heads to provide any information on any incident to CISA and OMB, and specifies the contents of that communication. It also requires each agency that has been the target of a major incident involving federal information in electronic medium or form, not involving a national security system, to consult with CISA regarding response, recovery, and mitigation. Sec. 3595 imposes responsibilities on Federal contractors and awardees who have been targets of cyber incidents or breaches to immediately report to the contracting or grantor agency immediate with respect to: Federal information collected, used, or maintained in connection with the contract, grant, or cooperative agreement; a Federal information system used or operated by the contractor or awardee in connection with the contract, grant, or cooperative agreement, or; it has received information from the agency it was not authorized to receive. In a major incident, the agency must consult with the contractor or awardee to comply with the requirements of Sec. Sec. 3592, 3593, and 3594. If it is not a major incident, the agency, in consultation with the contractor or awardee, must comply with Sec. 3594. This section becomes effective one year after enactment. Sec. 3596 directs agencies to develop training for individuals at the agency who obtain access to Federal information as an employee, contractor, awardee, volunteer, or intern to identify and respond to cyber incidents, and includes requirements for the contents of those trainings. It also directs that this training may be included in an annual agency privacy or security awareness training. Sec. 3597 requires CISA to perform continuous quantitative and qualitative analysis of incidents at federal agencies. It directs that this analysis should be automated to the greatest extent practicable. It directs OMB to share this information with agencies and the NCD to support and improve their cybersecurity efforts, specifies a format for that analysis, and directs CISA and OMB to produce an annual report on federal incidents beginning not later than two years after enactment. The section directs agencies that do not provide all incident data to CISA pursuant to 3594(a) to develop and provide to the appropriate notification entities, in coordination with CISA and OMB, an annual report including data not provided to CISA that meets the requirements in this section. Finally, the section requires that information contained in the report must be anonymized to prevent identification of specific incidents with specific agencies unless OMB and the impacted agency are consulted. Sec. 3598 requires the Director of OMB, in coordination with the Director of CISA and the NCD, to issue guidance on the definition of ``major incident'' 180 days after the enactment of this bill. It also provides requirements for elements that, at a minimum, should be included in the guidance and scenarios where a major incident determination should be made by the head of an agency or the NCD. This section also includes a requirement for OMB, CISA, the Privacy and Civil Liberties Oversight Board (PCLOB), and the Federal Trade Commission (FTC) to establish within 90 days of enactment of this legislation a risk-based framework to help agencies determine if an incident involving personally identifiable information could result in substantial harm, embarrassment or unfairness to an individual. Subsection (e)(2) amends U.S. Code by amending the table of sections for chapter 35 of title 44. Section 102. Amendments to Subtitle III of Title 40 This section amends several sections within title 40 U.S. Code. Subsection (a) amends 40 U.S.C. Sec. 2(c)(4)(A)(ii). It directs the Director of CISA to coordinate with existing cybersecurity and governance frameworks, risk management best practices and prioritizing risk, impact, and consequences. Subsection (b) amends 40 U.S.C. Sec. 11301. It prioritizes the funds in an agency's IT working capital fund to include improving cybersecurity and systems along with cost savings activities. Subsection (b)(1)(B) requires agency CIOs to consult with necessary stakeholders, including the Director of CISA, when using funds affiliated with the IT working capital fund. Subsection (b) also adds definitions of ``Agency'' and ``High Value Asset''. This amendment also requires the Director of OMB to advise agencies on the best utilization of the fund. Subsection (b) also adds a senior official from CISA to the Technology Modernization Board. Subsection (c) amends 40 U.S.C. 11302. It requires that the Director of CISA and the NCD be consulted about promoting and improving the security of information technology used by the Federal Government. Subsection (c) also adds data on costs, schedules, security and performance, for public availability. This subsection requires the OMB to provide the NCD agency cybersecurity funding information as appropriate. Subsection (d) amends several sections of title 40, including 40 U.S.C. Sec. 11315, by requiring the Chief Information Officers of component agency to report to their parent agency Chief Information Officer and the head of the component agency. Subsection (e) amends 40 U.S.C. Sec. 11331. The head of every agency, in consultation with senior agency information security officers, must evaluate the need to employ (and, if needed, actually employ) standards that are more stringent than those promulgated by OMB. Increased reporting requirements, stored data information, risk assessments, vulnerabilities, and threat hunting results are required to be maintained and coordinated with the Director of CISA. It also requires the Director of OMB to await public comment and consult with the Director of CISA, the Chief Information Officers Council, the Comptroller General of the United States, and the Council of Inspector Generals on Integrity and Efficiency (CIGIE), before promulgating or significantly modifying a proposed standard issued by the Director of NIST. It requires the Director of OMB to review the efficacy of the guidance and policy promulgated by OMB to reduce cybersecurity risks, including an assessment of the requirements on agencies to report to the Director and shall provide updated guidance based on that review every three years. OMB will also issue a public report within 30 days after the completion of that review specifying the guidance and policy currently in effect, the risk mitigation or other benefit offered by that guidance or policy, and a summary of any changes made by the review. It also requires OMB to report to the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Oversight and Reform on that review. It also requires the Director of NIST to develop and issue federal information system standards. The Director of NIST shall consider developing, in consultation with the Director of CISA and if appropriate and practical, specifications to enable an automated verification of the implementation of the controls described within the standards. Section 103. Actions to enhance federal incident response Subsection (a) requires that CISA develop a plan for the analysis required under 44 U.S.C. 3597(b) that will include a description of any anticipated challenges, and the use of automation and machine readable formats for monitoring and analyzing data. It also requires CISA to brief appropriate congressional committees on the plan. Subsection (b) requires the Director of OMB to develop guidelines and templates for agencies' implementation of the U.S. Code sections amended by this act, including Sec. 3594(a), Sec. 3594(c), Sec. 3595, and Sec. 3596. Subsection (c) amends 5 U.S.C. Sec. 552a(b), the ``Privacy Act of 1974'' to clarify when disclosure of information to another federal agency is warranted to facilitate a response to a cybersecurity incident, a federal agency may provide it after the head of the requesting agency has provided a written request to the agency specifying the particular portion of information necessary and for what purpose. Section 104. Additional guidance to agencies on FISMA updates This section requires the Director of OMB, in coordination with the Director of CISA, to issue guidance on: Performing the ongoing and continuous agency risk assessment required under law being amended by this Act; Implementing additional cybersecurity procedures; Establishing a process for providing a status of remediation to OMB and CISA. Interpretation of the definition of ``high value asset''; Coordination with agency OIGs to ensure understanding and application of agency policies for the purpose of agency OIG evaluations; and Section 105. Agency requirements to notify private sector entities impacted by incidents This section directs the Director of OMB to issue guidance that requires agencies to notify private sector entities of cybersecurity incidents impacting the sensitive information shared by that private sector entity with the agency or the systems used to transmit described information. TITLE II. IMPROVING FEDERAL CYBERSECURITY Section 201. Mobile security standards This section requires an evaluation of mobile security standards. Subsection (a) requires OMB, within one year of enactment, to evaluate the mobile application security guidance promulgated by OMB and to issue guidance to secure mobile devices for every agency. Subsection (b) specifies the contents of that guidance, including conducting an inventory of mobile devices and vulnerabilities, for every federal agency, and requires that every agency continuously evaluate those vulnerabilities. Subsection (c) requires OMB, in coordination with CISA to issue guidance on how to share the inventory in subsection (b) with CISA. Subsection (d) requires OMB in coordination with CISA to provide briefings to Congress on the guidance in subsection (b). Section 203. Data and logging retention for incident response This section requires certain data and log retention elements for Federal agencies. Subsection (a) requires the Director of CISA, in consultation with the Attorney General, to submit recommendations not later than two years after enactment to OMB on how to log events on agency systems and how to retain other relevant network and systems data. Subsection (b) specifies the contents of those recommendations. Subsection (c) requires OMB, as determined appropriate by the Director of OMB and in consultation with the Director of CISA and the Attorney General, to update guidance for agencies regarding requirement for logging, log retention, log management, sharing of log data, and any other appropriate logging activity, within 90 days after receiving the recommendations. Section 203. CISA agency advisors This section creates a liaison between CISA and each agency. Within 120 days after enactment of FISMA 2021, CISA will assign each agency one CISA employee to be the liaison of that agency and CISA. This will clarify CISA's role, responsibility or services for that agency. This will also help CISA understand agency nuances to provide more custom cybersecurity guidance. This section specifies the qualification and duties of an advisor, and stipulates that the advisor shall not be a contractor but may be assigned to multiple senior agency information security officers. Section 204. Federal penetration testing policy Subsection (a) amends 44 U.S.C. chapter 35 by adding section 3559A, which allows CISA to enter into rules of engagement contracts with agencies for penetration testing. Requires OMB within 180 days to issue guidance requiring agencies to use penetration testing on agency systems when and where appropriate. Plans and guidelines on how to operate the penetration test will be developed within the agencies. Agencies are also expected to conduct their own penetration test on high value assets or coordinate with CISA to ensure that such testing is being performed. CISA will also establish processes to assess the performance of the penetration testing by both Federal and non-Federal entities; develop operational guidance for instituting penetration programs; develop and maintain capability to offer penetration testing as a service for Federal and non-Federal entities; and provide guidance to agencies on the best use of penetration testing resources. Section 205. Ongoing threat hunting program This section establishes a Threat Hunting Program under CISA within 540 days adding to the additional cybersecurity procedures under section 3554 of title 44, United States Code. The section also requires a plan from the Director of CISA within 180 days that details how CISA will collect and analyze appropriate agency data, resources required to support the program, and consultation with agency heads on how the program will complement or improve cybersecurity efforts at individual agencies. Section 206. Codifying vulnerability disclosure programs This section requires that agencies create and follow a vulnerability disclosure program. Agencies will also disclose to CISA any discovered or not publicly known vulnerabilities in agency information systems or commercially used systems. OMB shall also submit a report 90 days after the date of enactment, and every three years thereafter on the status of the use of vulnerability disclosure policies. Section 207. Implementing presumption of compromise and least privilege principles This section requires OMB, in consultation with CISA and NIST and not later than 1 year after enactment, to provide an update to Congress on progress in increasing the internal defenses of agency systems. This section also requires agencies to submit to OMB a progress report on the implementation of information security programs based on the presumption of compromise and lease privilege principles. Section 208. Automation Reports This section requires an OMB Report of the use of automation in 44 U.S.C. 3554(b) to Congress within 180 days after the date of enactment, and also requires a GAO Report detailing the use of automation and machine readable data cross the Government for cybersecurity purposes within one year of enactment. Section 209. Extension of Federal Acquisition Security Council This section extends the sunset on the Federal Acquisition Security Council to December 31, 2026. Section 210. Council of the Inspectors General on integrity and efficiency dashboard This section requires the Council of Inspectors General to create a dashboard, located on Oversight.gov, containing open information security recommendations identified in the evaluations required by 44 U.S.C. 3555(a). TITLE III. RISK-BASED BUDGET MODEL Section 301. Definitions This section defines certain terms, including ``appropriate congressional committees,'' ``covered agency,'' ``director,'' ``information technology,'' and ``risk-based budget.'' Section 302. Establishment of risk-based model This section requires OMB, in consultation with CISA, the NCD, and in coordination with NIST, to develop a standard model for creating a risk-based budget for cybersecurity spending within one year after the first publication of the President's budget following enactment of this act. It specifies the content of this model, requires triennial updates to the model by OMB, and mandates publication of the model on the OMB website. It also requires OMB to report annually on the development of the model from passage of this act until completion of the model. This section also requires that every agency, within two years after publication of the model, use the model to develop their annual cybersecurity and information technology budget request. It also includes an assessment of agency implementation of risk-based budget models in the independent evaluation under 44 U.S.C. 3555, and requires a GAO report submitted to appropriate congressional committees evaluating the development, implementation, and success of the risk-based budgets developed by agencies. TITLE IV. PILOT PROGRAMS TO ENHANCE FEDERAL CYBERSECURITY Section 401. Active cyber defense study This section defines ``active defense technique'' and authorizes an active cyber defense pilot program. Subsection (a) defines the term ``active defense technique.'' Subsection (b) requires the Director of CISA, in coordination with OMB, to perform a study on the use of active defense techniques to enhance the security of agencies. The study shall include a legal review on the use of active defense techniques; efficacy of selection of active defense techniques and efficacy factors; and development of a framework to use different techniques by agencies. Section 402. Security operations center as a service pilot This section creates a pilot program allowing CISA to create and operate a security operation center on behalf of other federal agencies. Subsection (a) establishes that the purpose of this section is for CISA to run a security operation center on behalf of another agency, alleviating the need to duplicate this function at every agency, and empowering a greater centralized cybersecurity capability. Subsection (b) requires the Director of CISA to develop a plan within 1 year to establish a centralized Federal security operation center. Subsection (c) requires certain elements of the plan, including consideration for collecting, organizing, and analyzing agency information system data in real time; staff and resource the center, and enter into agreements and governance plans with agencies. Subsection (d) directs the Director of CISA, in consultation with the Director of OMB, to initiate this pilot program with not less than two federal agencies for a one-year agreement to offer a security operations center as a shared service. Subsection (e) requires CISA to report to appropriate Congressional Committees not later than 260 days after the enactment of this act, to report the parameters and conditions of any one-year agreements signed to date. V. Evaluation of Regulatory Impact Pursuant to the requirements of paragraph 11(b) of rule XXVI of the Standing Rules of the Senate, the Committee has considered the regulatory impact of this bill and determined that the bill will have no regulatory impact within the meaning of the rules. The Committee agrees with the Congressional Budget Office's statement that the bill contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act (UMRA) and would impose no costs on state, local, or tribal governments. VI. Congressional Budget Office Cost Estimate U.S. Congress, Congressional Budget Office, Washington, DC, November 9, 2022. Hon. Gary C. Peters, Chairman, Committee on Homeland Security and Governmental Affairs, U.S. Senate, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed table summarizing estimated budgetary effects and mandates information for some of the legislation that has been ordered reported by the Senate Committee on Homeland Security and Governmental Affairs during the 117th Congress. If you wish further details, we will be pleased to provide them. The CBO staff contact for each estimate is listed on the enclosed table. Sincerely, Phillip L. Swagel, Director. Enclosure. SUMMARY ESTIMATES OF LEGISLATION ORDERED REPORTED The Congressional Budget Act of 1974 requires the Congressional Budget Office, to the extent practicable, to prepare estimates of the budgetary effects of legislation ordered reported by Congressional authorizing committees. In order to provide the Congress with as much information as possible, the attached table summarizes information about the estimated direct spending and revenue effects of some of the legislation that has been ordered reported by the Senate Committee on Homeland Security and Governmental Affairs during the 117th Congress. The legislation listed in this table generally would have small effects, if any, on direct spending or revenues, CBO estimates. Where possible, the table also provides information about the legislation's estimated effects on spending subject to appropriation and on intergovernmental and private-sector mandates as defined in the Unfunded Mandates Reform Act. ESTIMATED BUDGETARY EFFECTS AND MANDATES INFORMATION ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Increases On- Spending Subject Pay-As-You-Go Budget Bill Title Status Last Action Budget Function Direct Spending, Revenues, 2023- to Appropriation, Procedures Deficits Mandates Contact Number 2023-2032 2032 2023-2027 Apply? Beginning in 2033? ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ S. 2902 Federal Ordered 10/06/21 800 Between zero and 0 Not estimated Yes No No Matthew Information reported $500,000 Pickford Security Modernization Act of 2021 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ S. 2902 would amend federal information security policies and authorize pilot programs to enhance federal cybersecurity. CBO estimates that enacting S. 2902 would have an insignificant effect on direct spending and no effect on revenues over the 2023-2032 period. CBO has not estimated the discretionary costs of implementing the bill. The bill contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act. VII. Changes in Existing Law Made by the Bill, as Reported In compliance with paragraph 12 of rule XXVI of the Standing Rules of the Senate, changes in existing law made by the bill, as reported, are shown as follows: (existing law proposed to be omitted is enclosed in brackets, new matter is printed in italic, and existing law in which no change is proposed is shown in roman): UNITED STATES CODE * * * * * * * TITLE 5--GOVERNMENT ORGANIZATION AND EMPLOYEES * * * * * * * PART 1--THE AGENCIES GENERALLY * * * * * * * CHAPTER 5--ADMINISTRATIVE PROCEDURE * * * * * * * Subchapter II--Administrative Procedure * * * * * * * SEC. 552A. RECORDS MAINTAINED ON INDIVIDUALS (a) * * * (b) * * * (1) * * * * * * * * * * (11) pursuant to the order of a court of competent jurisdiction; [or] (12) to a consumer reporting agency in accordance with section 3711(e) of title 31[.]; and (13) to another agency in furtherance of a response to an incident (as defined in section 3552 of title 44) and pursuant to the information sharing requirements in section 3594 of title 44 if the head of the requesting agency has made a written request to the agency that maintains the record specifying the particular portion desired and the activity for which the record is sought. * * * * * * * TITLE 5--APPENDIX * * * * * * * INSPECTOR GENERAL ACT OF 1978 * * * * * * * SEC. 11. ESTABLISHMENT OF THE COUNCIL OF THE INSPECTORS GENERAL ON INTEGRITY AND EFFICIENCY (a) * * * * * * * * * * (e) * * * (1) * * * (2) * * * (A) to consolidate all public reports from each Office of Inspector General to improve the access of the public to any audit report, inspection report, or evaluation report (or portion of any such report) made by an Office of Inspector General; [and] (B) that shall include a dashboard of open information security recommendations identified in the independent evaluations required by section 3555(a) of title 44, United States Code; and [(B)] (C) that shall include any additional resources, information, and enhancements as the Council determines are necessary or desirable. * * * * * * * TITLE 10--ARMED FORCES * * * * * * * Subtitle A--General Military Law * * * * * * * PART IV--SERVICE, SUPPLY, AND PROCUREMENT * * * * * * * CHAPTER 131--PLANNING AND COORDINATION * * * * * * * SEC. 2222. DEFENSE BUSINESS SYSTEMS: ARCHITECTURE, ACCOUNTABILITY, AND MODERNIZATION * * * * * * * (i) * * * (1) * * * * * * * * * * (8) National security system.--The term ``national security system'' has the meaning given that term in [section 3552(b)(6)(A)] section 3552(b)(9)(A) of title 44. * * * * * * * SEC. 2223. INFORMATION TECHNOLOGY: ADDITIONAL RESPONSIBILITIES OF CHIEF INFORMATION OFFICERS * * * * * * * (c) * * * (1) * * * (2) * * * (3) The term ``national security system'' has the meaning given that term by [section 3552(b)(6)] section 3552(b) of title 44. * * * * * * * CONTINUOUS MONITORING OF DEPARTMENT OF DEFENSE INFORMATION SYSTEMS FOR CYBERSECURITY (a) * * * (b) * * * (1) * * * (2) * * * (3) The term `national security system' has the meaning given that term in [section 3542(b)(2)] section 3552(b) of title 44, United States Code. * * * * * * * SEC. 2224. DEFENSE INFORMATION ASSURANCE PROGRAM * * * * * * * STRATEGY ON COMPUTER SOFTWARE ASSURANCE (a) * * * (b) * * * (1) * * * (2) A national security system, as that term is defined in [section 3542(b)(2)] section 3552(b) of title 44, United States Code. * * * * * * * CHAPTER 137--PROCUREMENT GENERALLY * * * * * * * SEC. 2315. LAW INAPPICABLE TO THE PROCUREMENT OF AUTOMATIC DATA PROCESSING EQUIPMENT AND SERVICES FOR CERTAIN DEFENSE PURPOSES For purposes of subtitle III of title 40, the term ``national security system,'' with respect to a telecommunications and information system operated by the Department of Defense, has the meaning given that term by [section 3542(b)(2)] section 3552(b) of title 44. * * * * * * * SEC. 2339A. REQUIREMENTS FOR INFORMATION RELATING TO SUPPLY CHAIN RISK * * * * * * * (e) * * * * * * * * * * (5) Covered system.--The term ``covered system'' means a national security system, as that term is defined in [section 3552(b)(6)] section 3552(b) of title 44. * * * * * * * TITLE 15--COMMERCE AND TRADE * * * * * * * CHAPTER 7--NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY * * * * * * * SEC. 278G-3. COMPUTER STANDARDS PROGRAM (a) * * * (1) * * * (2) develop standards and guidelines, including minimum requirements, for information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency, other than national security systems (as defined in [section 3552(b)(5)] section 3552(b) of title 44); * * * * * * * (d) * * * (1) * * * (2) * * * (3) conduct research and analysis-- (A) to determine the nature and extent of information security vulnerabilities and techniques for providing cost-effective information security; (B) to review and determine prevalent information security challenges and deficiencies identified by agencies or the Institute, including any challenges or deficiencies described in any of the [annual] reports under section 3553 or 3554 of title 44, and in any of the reports and the independent evaluations under section 3555 of that title, that may undermine the effectiveness of agency information security programs and practices; and * * * * * * * (f) * * * (1) * * * (2) * * * (3) the term ``information technology'' has the same meaning as provided in [section 3502(8)] section 3552(b) of such title; (4) * * * (5) the term national security systemo has the same meaning as provided in [section 3552(b)(5)] section 3552(b) of such title. SEC. 278G-3A. DEFINITIONS * * * * * * * (5) National security system The term national security system: has the meaning given that term in [section 3552(b)(6)] 3552(b) of title 44. * * * * * * * CHAPTER 81--HIGH-PERFORMANCE COMPUTING * * * * * * * Subchapter II--Agency Activities * * * * * * * SEC. 5527. MISCELLANEOUS PROVISIONS (a) * * * (1) * * * (2) computer systems the function, operation, or use of which are those delineated in [section 3552(b)(6)(A)(i)] section 3552(b)(9)(A)(i) of title 44. * * * * * * * TITLE 31--MONEY AND FINANCE * * * * * * * Subtitle II--The Budget Process * * * * * * * CHAPTER 11--THE BUDGET AND FISCAL, BUDGET, AND PROGRAM INFORMATION * * * * * * * SEC. 1105. BUDGET CONTENTS AND SUBMISSION TO CONGRESS. (a) * * * * * * * * * * (35)(A)(i) a detailed, separate analysis, by budget function, [by agency, and by initiative area (as determined by the administration)] and by agency for the prior fiscal year, the current fiscal year, the fiscal years for which the budget is submitted, and the ensuing fiscal year identifying the amounts of gross and net appropriations or obligational authority and outlays that contribute to cybersecurity, with separate displays for mandatory and discretionary amounts, including (I) * * * (II) * * * (III) the most recent risk assessment and summary of cybersecurity needs in each initiative area (as determined by the administration); [and] (IV) * * * (V) a validation that the budgets submitted were developed using a risk-based methodology; and (VI) a report on the progress of each agency on closing recommendations identified under the independent evaluation required by section 3555(a)(1) of title 44. * * * * * * * TITLE 40--PUBLIC BUILDINGS, PROPERTY, AND WORKS * * * * * * * Subtitle III--Information Technology Management * * * * * * * CHAPTER 113--RESPONSIBILITY FOR ACQUISITIONS OF INFORMATION TECHNOLOGY * * * * * * * Subchapter I--Director of Office of Management and Budget * * * * * * * SEC. 11301. RESPONSIBILITY OF DIRECTOR * * * * * * * STATUTORY NOTES AND RELATED SUBSIDIARIES * * * * * * * GSA MODERNIZATION CENTERS OF EXCELLENCE PROGRAM Pub. L. 116-194, 2, Dec. 3, 2020, 134 Stat. 981, provided that: (a) * * * (b) * * * (c) Responsibilities.--The Program shall have the following responsibilities: (1) * * * (2) * * * (3) * * * (4) * * * (A) * * * (i) * * * (ii) a cybersecurity and governance framework the promotes industry and government risk management best practice approaches, prioritizing efforts based on risk, impact, and consequences[.], which shall be provided in coordination with the director of the Cybersecurity and Infrastructure Security Agency. * * * * * * * MODERNIZING GOVERNMENT TECHNOLOGY Pub. L. 115--91, div. A, title X, subtitle G, Dec. 12, 2017, 131 Stat. 1586, provided that: * * * * * * * SEC. 1077. ESTABLISHMENT OF AGENCY INFORMATION TECHNOLOGY SYSTEMS MODERNIZATION AND WORKING CAPITAL FUNDS. (a) * * * (b) * * * (1) * * * * * * * * * * (5) Prioritization of funds.--The head of each covered agency-- (A) shall prioritize funds within the IT working capital fund of the covered agency to be used initially for improving the cybersecurity of systems and cost savings activities approved by the Chief Information Officer of the covered agency; and (B) * * * (6) * * * (7) Agency [cio] CIO responsibilities.-- (A) Consideration of guidance.--In evaluating projects to be funded by the IT working capital fund of a covered agency, the Chief Information Officer of the covered agency shall consider, to the extent applicable, guidance issued [under section 1094(b)(1)] by the Director to evaluate applications for funding from the Fund that include factors including a strong business case, technical design, consideration of commercial off-the-shelf products and services, procurement strategy (including adequate use of rapid, iterative software development practices) and program management. (B) Consultation.--In using funds under paragraph (3)(A), the Chief Information Officer of the covered agency shall consult with the necessary stakeholders to ensure the project appropriately addresses cybersecurity risks, including the Director of the Cybersecurity and Infrastructure Security Agency as appropriate. * * * * * * * SEC. 1078. ESTABLISHMENT OF TECHNOLOGY MODERNIZATION FUND AND BOARD. [(a) Definition.--In this section, the term agency has the meaning given the term in section 551 of title 5, United States Code.] (a) Definitions.--In this section: (1) Agency.--The term `agency' has the meaning given the term in section 551 of title 5, United States Code (2) High value asset.--The term high value asset has the meaning given the term in section 3552 of title 44, United States Code. (b) * * * (1) * * * * * * * * * * (7) * * * (8) Proposal evaluation.--The Director shall-- (A) give consideration for the use of amounts in the Fund to improve the security of high value assets; and (B) require that any proposal for the use of amounts in the Fund includes a cybersecurity plan, including a supply chain risk management plan, to be reviewed by the members of the Technology Modernization Board described in subsection (c)(5)(C). (c) * * * (1) * * * (2) Responsibilities.--The responsibilities of the Board are-- (A) to provide input to the Director for the development of processes for agencies to submit modernization proposals to the Board and to establish the criteria by which those proposals are evaluated, which shall include-- (i) addressing the greatest security, privacy, and operational risks, including a consideration of the impact of high value assets; (ii) * * * * * * * * * * (5) Permanent members.--The permanent members of the Board shall be-- (A) the Administrator of the Office of Electronic Government; [and] (B) a senior official from the General Services Administration having technical expertise in information technology development, appointed by the Administrator, with the approval of the Director[.]; and (C) a senior official from the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, appointed by the Director. (6) Additional members of the board.-- (A) Appointment.--The other members of the Board [shall be-- (i) 1 employee of the National Protection and Programs Directorate [now Cybersecurity and Infrastructure Security Agency] of the Department of Homeland Security, appointed by the Secretary of Homeland Security; and (ii) 4 employees] shall be 4 employees of the Federal Government primarily having technical expertise in information technology development, financial management, cybersecurity and privacy, and acquisition, appointed by the Director. * * * * * * * SEC. 11302. CAPITAL PLANNING AND INVESTMENT CONTROL (a) * * * (b) Use of Information Technology in Federal Programs.--The Director shall promote and improve the acquisition, [use, security, and disposal of] use, and disposal of, and, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director, promote and improve the security of, information technology by the Federal government to improve the productivity, efficiency, and effectiveness of federal programs, including through dissemination of public information and the reduction of information collection burdens on the public. (c) Use of Budget Process.-- (1) * * * (2) * * * (3) Public availability.-- (A) In general.--The Director shall make available to the public a list of each major information technology investment, without regard to whether the investments are for new information technology acquisitions or for operations and maintenance of existing information technology, [including data] which shall-- (i) include data on cost, schedule[, and performance] security, and performance; and (ii) specifically denote cybersecurity funding under the risk- based cyber budget model developed pursuant to section 3553(a)(7) of title 44. (B) * * * (i) * * * (ii) * * * (iii) The Director shall provide to the National Cyber Director any cybersecurity funding information described in subparagraph (A)(ii) that is provided to the Director under clause (ii) of this subparagraph. (4) * * * (A) * * * (B) not later than 30 days after the date on which the review under subparagraph (A) is completed, the Administrator of the Office of Electronic Government shall communicate the results of the review under subparagraph (A) to-- * * * * * * * (f) Use of Best Practices in Acquisitions.--The Director shall encourage the [heads of the executive agencies to develop] heads of executive agencies to-- (1) develop and use the best practices in the acquisition of information technology[.]; and (2) consult with the Director of the Cybersecurity and Infrastructure Security Agency for the development and use of supply chain security best practices. (g) * * * (h) Comparison of Agency Uses of Information Technology.-- The Director shall compare the performances, including cybersecurity performances, of the executive agencies in using information technology and shall disseminate the comparisons to the heads of the executive agencies. * * * * * * * SEC. 11303. PERFORMANCE-BASED AND RESULTS-BASED MANAGEMENT (a) * * * (b) * * * (1) * * * (2) * * * (A) * * * (B) * * * (i) whether the function to be supported by the system should be performed by the private sector and, if so, whether any component of the executive agency performing that function should be converted from a governmental organization to a private sector organization; [or] (ii) whether the function should be performed by the executive agency and, if so, whether the function should be performed by a private sector source under contract or by executive agency personnel; or (iii) whether the function should be performed by a shared service offered by another executive agency; * * * * * * * (5) * * * (A) * * * (B) * * * (i) recommending a reduction or an increase in the amount for information resources that the head of the executive agency proposes for the budget submitted to Congress under section 1105(a) of title 31, while taking into account the risk-based cyber budget model developed pursuant to section 3553(a)(7) of title 44; * * * * * * * Subchapter II--Executive Agencies * * * * * * * SEC. 11312. CAPITAL PLANNING AND INVESTMENT CONTROL (a) Design of Process.--In fulfilling the responsibilities assigned under section 3506(h) of title 44, the head of each executive agency shall design and implement in the executive agency a process for maximizing the value, and assessing and managing the risks, including security risks, of the information technology acquisitions of the executive agency. * * * * * * * SEC. 11313. PERFORMANCE AND RESULTS-BASED MANAGEMENT In fulfilling the responsibilities under section 3506(h) of title 44, the head of an executive agency shall (1) establish goals for improving the [efficiency and effectiveness] efficiency, security, and effectiveness of agency operations and, as appropriate, the delivery of services to the public through the effective use of information technology; * * * * * * * SEC. 11315. AGENCY CHIEF INFORMATION OFFICER (a) * * * (b) * * * (c) * * * (d) Component Agency Chief Information Officers.--The Chief Information Officer or an equivalent official of a component agency shall report to-- (1) the Chief Information Officer designated under section 3506(a)(2) of title 44 or an equivalent official of the agency of which the component agency is a component; and (2) the head of the component agency. * * * * * * * SEC. 11317. SIGNIFICANT DEVIATIONS The head of each executive agency shall identify in the strategic information resources management plan required under section 3506(b)(2) of title 44 any major information technology acquisition program, or any phase or increment of that program, that has significantly deviated from the cost, performance, security, or schedule goals established for the program. * * * * * * * SEC. 11319. RESOURCES, PLANNING, AND PORTFOLIO MANAGEMENT (a) * * * (b) * * * (1) Planning, programming, budgeting, and execution authorities for [cios] chief information officers.-- * * * * * * * Subchapter III--Other Responsibilities * * * * * * * SEC. 11331. RESPONSIBILITIES FOR FEDERAL INFORMATION SYSTEMS STANDARDS (a) Definition.--In this section, the term ``information security'' has the meaning given that term in section [3532(b)(1)] section 3552(b) of title 44. (b) * * * (1) * * * (A) Requirement.--Except as provided under paragraph (2), the Director of the Office of Management and Budget shall, on the basis of proposed standards developed by the National Institute of Standards and Technology pursuant to paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(a)) and [in consultation] in coordination with [the Secretary of Homeland Security] the Director of the Cybersecurity and Infrastructure Security Agency, promulgate information security standards pertaining to Federal information systems. * * * * * * * [(c) Application of More Stringent Standards.--The head of an agency may employ standards for the cost-effective information security for all operations and assets within or under the supervision of that agency that are more stringent than the standards promulgated by the Director under this section, if such standards-- (1) contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Director; and (2) are otherwise consistent with policies and guidelines issued under section 3533 1 of title 44.] (c) Application of More Stringent Standards.-- (1) In general.--The head of an agency shall-- (A) evaluate, in consultation with the senior agency information security officers, the need to employ standards for cost-effective, risk- based information security for all systems, operations, and assets within or under the supervision of the agency that are more stringent than the standards promulgated by the Director under this section, if such standards contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Director; and (B) to the greatest extent practicable and if the head of the agency determines that the standards described in subparagraph (A) are necessary, employ those standards. (2) Evaluation of more stringent standards.--In evaluating the need to employ more stringent standards under paragraph (1), the head of an agency shall consider available risk information, such as-- (A) the status of cybersecurity remedial actions of the agency; (B) any vulnerability information relating to agency systems that is known to the agency; (C) incident information of the agency; (D) information from (i) penetration testing performed under section 3559A of title 44; and (ii) information from the vulnerability disclosure program established under section 3559B of title 44; (E) agency threat hunting results under section 205 of the Federal Information Security Modernization Act of 2021; (F) Federal and non-Federal threat intelligence; (G) data on compliance ith standards issued under this section; (H) agency system risk assessments performed under section 3554(a)(1)(A) of title 44; and (I) any other information determined relevant by the head of the agency. (d) * * * (1) * * * (2) [Notice and Comment] Consultation, notice, and comment.--A decision by the Director to promulgate significantly modify, or not promulgate, a proposed standard submitted to the Director by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3), [shall be made after the public is given an opportunity to comment on the Director's proposed decision.] shall be made-- (A) for a decision to significantly modify or not promulgate such a proposed standard, after the public is given an opportunity to comment on the Director's proposed decision; (B) in consultation with the Chief Information Officers Council, the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Comptroller General of the United States, and the Council of the Inspectors General on Integrity and Efficiency; (C) considering the Federal risk assessments performed under section 3553(i) of title 44; and (D) considering the extent to which the proposed standard reduces risk relative to the cost of implementation of the standard. (e) Review of Office of Management and Budget Guidance and Policy.-- (1) Conduct of review.-- (A) In general.--Not less frequently than once every 3 years, the Director of the Office of Management and Budget, in consultation with the Chief Information Officers Council, the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Comptroller General of the United States, and the Council of the Inspectors General on Integrity and Efficiency shall review the efficacy of the guidance and policy promulgated by the Director in reducing cybersecurity risks, including an assessment of the requirements for agencies to report information to the Director, and determine whether any changes to that guidance or policy is appropriate. (B) Federal risk assessments.--In conducting the review described in subparagraph (A), the Director shall consider the Federal risk assessments performed under section 3553(i) of title 44. (2) Updated guidance.--Not later than 90 days after the date on which a review is completed under paragraph (1), the Director of the Office of Management and Budget shall issue updated guidance or policy to agencies determined appropriate by the Director, based on the results of the review. (3) Public report.--Not later than 30 days after the date on which a review is completed under paragraph (1), the Director of the Office of Management and Budget shall make publicly available a report that includes-- (A) an overview of the guidance and policy promulgated under this section that is currently in effect; (B) the cybersecurity risk mitigation, or other cybersecurity benefit, offered by each guidance or policy document described in subparagraph (A); and (C) a summary of the guidance or policy to which changes were determined appropriate during the review and what the changes are anticipated to include. (4) Congressional briefing.--Not later than 30 days after the date on which a review is completed under paragraph (1), the Director shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives a briefing on the review. (f) Automated Standard Implementation Verification.--When the Director of the National Institute of Standards and Technology issues a proposed standard pursuant to paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(a)), the Director of the National Institute of Standards and Technology shall consider developing and, if appropriate and practical, develop, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, specifications to enable the automated verification of the implementation of the controls within the standard * * * * * * * TITLE 41--PUBLIC CONTRACTS * * * * * * * Subtitle I--Federal Procurement Policy * * * * * * * Division B--Office of Federal Procurement Policy * * * * * * * CHAPTER 13--ACQUISITION COUNCILS * * * * * * * Subchapter III--Federal Acquisition Supply Chain Security * * * * * * * SEC. 1328. TERMINATION This subchapter shall terminate on [the date that is 5 years after the date of the enactment of the Federal Acquisition Supply Chain Security Act of 2018] December 31, 2026. * * * * * * * TITLE 44--PUBLIC BUILDINGS, PROPERTY, AND WORKS * * * * * * * CHAPTER 35--COORDINATION OF FEDERAL INFORMATION POLICY Sec. 3501. Purposes * * * * * * * Subchapter II--Federal Information Policy 3552. Definitions [3553. Authority and functions of the Director and the Secretary] 3553. Authority and functions of the Director and the Director of the Cybersecurity and Infrastructure Security Agency. 3554. Federal agency responsibilities. [3555. Annual independent evaluation.] 3555. Independent evaluation. * * * * * * * 3559A. Federal penetration testing. 3559B. Federal vulnerability disclosure programs. * * * * * * * Subchapter IV--Federal System Incident Response 3591. Definitions. 3592. Notification of breach. 3593. Congressional and Executive Branch reports. 3594. Government information sharing and incident response. 3595. Responsibilities of contractors and awardees. 3596. Training. 3597. Analysis and report on Federal incidents. 3598. Major incident definition. * * * * * * * Subchapter I--Federal Information Policy SEC. 3501. PURPOSES * * * * * * * INFORMATION SECURITY RESPONSIBILITIES OF CERTAIN AGENCIES Pub. L. 107-347, title III, 301(c)(1)(A), Dec. 17, 2002, 116 Stat. 2955, provided that: ``Nothing in this Act [see Tables for classification] (including any amendment made by this Act) shall supersede any authority of the Secretary of Defense, the Director of Central Intelligence, or other agency head, as authorized by law and as directed by the President, with regard to the operation, control, or management of national security systems, as defined by [section 3542(b)(2)] section 3552(b) of title 44, United States Code.'' * * * * * * * SEC. 3504. AUTHORITY AND FUNCTIONS OF DIRECTOR (a)(1) * * * (A) * * * (B) provide direction and oversee-- (i) * * * * * * * * * * [(v) privacy, confidentiality, security, disclosure, and sharing of information; and] (v) confidentiality, disclosure, and sharing of information; (vi) in consultation with the National Cyber Director and the Director of the Cybersecurity and Infrastructure Security Agency, security of information; and [(vi)](vii) * * * * * * * * * * (g) * * * [(1) develop and oversee the implementation of policies, principles, standards, and guidelines on privacy, confidentiality, security, disclosure and sharing of information collected or maintained by or for agencies; and] (1) with respect to information collected or maintained by or for agencies-- (A) develop and oversee the implementation of policies, principles, standards, and guidelines on privacy, confidentiality, disclosure, and sharing of the information; and (B) in consultation with the National Cyber Director and the Director of the Cybersecurity and Infrastructure Security Agency, develop and oversee policies, principles, standards, and guidelines on security of the information; and (h) * * * (1) in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director, the Director of the National Institute of Standards and Technology, and the Administrator of General Services-- (A) develop and oversee the implementation of policies, principles, standards, and guidelines for information technology security and functions and activities of the Federal Government, including periodic evaluations of major information systems; and * * * * * * * SEC. 3505. ASSIGNMENT OF TASKS AND DEADLINES (a) * * * * * * * * * * (c) * * * (1) * * * (2) * * * (3) Such inventory shall be-- (A) * * * (B) made available to the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, and the Comptroller General; [and] (C) * * * (i) * * * * * * * * * * (v) preparation of information system inventories required for records management under chapters 21, 29, 31, and 33[.]; and (D) maintained on a continual basis through the use of automation, machine-readable data, and scanning. * * * * * * * [(c) Inventory of Information Systems.--(1) The head of each agency shall develop and maintain an inventory of the information systems (including national security systems) operated by or under the control of such agency; (2) The identification of information systems in an inventory under this subsection shall include an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency; (3) Such inventory shall be-- (A) updated at least annually; (B) made available to the Comptroller General; and (C) used to support information resources management, including (i) preparation and maintenance of the inventory of information resources under section 3506(b)(4); (ii) information technology planning, budgeting, acquisition, and management under section 3506(h), subtitle III of title 40, and related laws and guidance; (iii) monitoring, testing, and evaluation of information security controls under subchapter II; (iv) preparation of the index of major information systems required under section 552(g) of title 5, United States Code; and (v) preparation of information system inventories required for records management under chapters 21, 29, 31, and 33.] * * * * * * * SEC. 3506. FEDERAL AGENCY RESPONSIBILITIES (a) * * * (b) * * * (1) * * * (A) * * * (B) * * * (C) Improve the integrity, availability, quality, and utility of information to all users within and outside the agency, including capabilities for ensuring dissemination of public information, public access to government information, and protections for privacy and security; * * * * * * * (h) * * * (1) * * * (2) * * * (3) promote the use of information technology by the agency to improve the productivity, efficiency, security, and effectiveness of agency programs, including the reduction of information collection burdens on the public and improved dissemination of public information; * * * * * * * SEC. 3513. DIRECTOR REVIEW OF AGENCY ACTIVITIES; REPORTING; AGENCY RESPONSE (a) * * * (b) * * * (c) Each agency providing a written plan under subsection (b) shall provide any portion of the written plan addressing information security or cybersecurity to the Director of the Cybersecurity and Infrastructure Security Agency. [(c)] (d) Comparable Treatment.--Notwithstanding any other provision of law, the Director shall treat or review a rule or order prescribed or proposed by the Director of the Bureau of Consumer Financial Protection on the same terms and conditions as apply to any rule or order prescribed or proposed by the Board of Governors of the Federal Reserve System. * * * * * * * Subchapter II--Information Security SEC. 3551. PURPOSES The purposes of this subchapter are to-- (1) * * * (2) * * * (3) recognize the role of the Cybersecurity and Infrastructure Security Agency as the lead entity for operational cybersecurity coordination across the Federal Government; [(3)] (4) * * * [(4)] (5) provide a mechanism for improved oversight of Federal agency information security programs, including through automated security tools to continuously [diagnose and improve] integrate, deliver, diagnose, and improve security; [(5)] (6) acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions, reflecting market solutions for the protection of critical information infrastructures important to the national defense and economic security of the nation that are designed, built, and operated by the private sector; [and] [(6)] (7) recognize that the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products[.]; (8) recognize that each agency has specific mission requirements and, at times, unique cybersecurity requirements to meet the mission of the agency; (9) recognize that each agency does not have the same resources to secure agency systems, and an agency should not be expected to have the capability to secure the systems of the agency from advanced adversaries alone; and (10) recognize that-- (A) a holistic Federal cybersecurity model is necessary to account for differences between the missions and capabilities of agencies; and (B) in accounting for the differences described in subparagraph (A) and ensuring overall Federal cybersecurity-- (i) the Office of Management and Budget is the leader for policy development and oversight of Federal cybersecurity; (ii) the Cybersecurity and Infrastructure Security Agency is the leader for implementing operations at agencies; and (iii) the National Cyber Director is responsible for developing the overall cybersecurity strategy of the United States and advising the President on matters relating to cybersecurity. * * * * * * * SEC. 3552. DEFINITIONS (a) * * * (b) Additional Definitions.--As used in this subchapter: (1) The term `additional cybersecurity procedure' means a process, procedure, or other activity that is established in excess of the information security standards promulgated under section 11331(b) of title 40 to increase the security and reduce the cybersecurity risk of agency systems. [(1)] (2) * * * [(2)] (3) * * * [(3)] (4) * * * [(4)] (5) * * * [(5)] (6) * * * (7) The term `high value asset' means information or an information system that the head of an agency determines so critical to the agency that the loss or corruption of the information or the loss of access to the information system would have a serious impact on the ability of the agency to perform the mission of the agency or conduct business. (8) The term `major incident' has the meaning given the term in guidance issued by the Director under section 3598(a). [(6)] (9) * * * (10) The term `penetration test' means a specialized type of assessment that-- (A) is conducted on an information system or a component of an information system; and (B) emulates an attack or other exploitation capability of a potential adversary, typically under specific constraints, in order to identify any vulnerabilities of an information system or a component of an information system that could be exploited. [(7)] (11) * * * (12) The term `shared service' means a centralized business or mission capability that is provided to multiple organizations within an agency or to multiple agencies. * * * * * * * SEC. 3553. [AUTHORITY AND FUNCTIONS OF THE DIRECTOR AND THE SECRETARY] AUTHORITY AND FUNCTIONS OF THE DIRECTOR AND THE DIRECTOR OF THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY (a) * * * (1) in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director, developing and overseeing the implementation of policies, principles, standards, and guidelines on information security, including through ensuring timely agency adoption of and compliance with standards promulgated under section 11331 of title 40; * * * * * * * (5) overseeing, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director, agency compliance with the requirements of this subchapter and section 1326 of title 41, including through any authorized action under section 11303 of title 40, to enforce accountability for compliance with such requirements; [and] (6) * * * (7) developing a standard risk-based budget model to inform Federal agency cybersecurity budget development; and (8) promoting, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the Director of the National Institute of Standards and Technology-- (A) the use of automation to improve Federal cybersecurity and visibility with respect to the implementation of Federal cybersecurity; and (B) the use of presumption of compromise and least privilege principles to improve resiliency and timely response actions to incidents on Federal systems. (b) [Secretary] Cybersecurity and Infrastructure Security Agency.--[The Secretary, in consultation with the Director] The Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director and the National Cyber Director, shall administer the implementation of agency information security policies and practices for information systems, except for national security systems and information systems described in paragraph (2) or (3) of subsection (e), including-- (1) * * * (2) * * * (A) requirements for reporting security incidents to the Federal information security incident center established under section 3556 and reporting requirements under subchapter IV of this title; (B) * * * (C) * * * (D) other operational requirements as [the Director or Secretary] the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, may determine necessary; (3) * * * (4) * * * (5) [coordinating] leading the coordination of Government-wide efforts on information security policies and practices, including consultation with the Chief Information Officers Council established under section 3603 and the Director of the National Institute of Standards and Technology; (6) * * * (7) * * * (8) upon request by an agency, and at [the Secretary's discretion] the Director of the Cybersecurity and Infrastructure Security Agency's discretion, with or without reimbursement (A) * * * (B) deploying, operating, and maintaining secure technology platforms and tools, including networks and common business applications, for use by the agency to perform agency functions, including collecting, maintaining, storing, processing, disseminating, and analyzing information; [and] (9) performing penetration testing with or without advance notice to, or authorization from, agencies, to identify vulnerabilities within Federal information systems; and [(9)] (10) other actions [as the Director or the Secretary, in consultation with the Director,] as the Director of the Cybersecurity and Infrastructure Security Agency may determine necessary to carry out this subsection. (c) Report.--Not later than March 1 of [each year] each year during which agencies are required to submit reports under section 3554(c), the Director, in consultation with the Secretary, shall submit to Congress a report on the effectiveness of information security policies and practices during the preceding year, including-- [(1) a summary of the incidents described in the annual reports required to be submitted under section 3554(c)(1), including a summary of the information required under section 3554(c)(1)(A)(iii);] [(2)] (1) * * * [(3)] (2) * * * [(4)] (3) an assessment of agency compliance with standards promulgated under section 11331 of title 40; [and] (4) a summary of each assessment of Federal risk posture performed under subsection (i); (5) an assessment of agency compliance with data breach notification policies and procedures issued by the Director[.]; and (6) an assessment of-- (A) Federal agency implementation of the model required under subsection (a)(7); (B) how cyber vulnerabilities of Federal agencies changed from the previous year; and (C) whether the model mitigates the cyber vulnerabilities of the Federal Government; * * * * * * * (h) * * * (i) Federal Risk Assessments.--On an ongoing and continuous basis, the Director of the Cybersecurity and Infrastructure Security Agency shall perform assessments of Federal risk posture using any available information on the cybersecurity posture of agencies, and brief the Director and National Cyber Director on the findings of those assessments including-- (1) the status of agency cybersecurity remedial actions described in section 3554(b)(7); (2) any vulnerability information relating to the systems of an agency that is known by the agency; (3) analysis of incident information under section 3597; (4) evaluation of penetration testing performed under section 3559A; (5) evaluation of vulnerability disclosure program information under section 3559B; (6) evaluation of agency threat hunting results; (7) evaluation of Federal and non-Federal threat intelligence; (8) data on agency compliance with standards issued under section 11331 of title 40; (9) agency system risk assessments performed under section 3554(a)(1)(A); and (10) any other information the Director of the Cybersecurity and Infrastructure Security Agency determines relevant. [(i)] (j) Annual Report to Congress.--Not later than February 1 of each year, the Director and the Secretary shall submit to the appropriate congressional committees a report [regarding the specific] that includes a summary of (1) the specific actions the Director and the Secretary have taken pursuant to subsection (a)(5), including any actions taken pursuant to section 11303(b)(5) of title 40[.]; and (2) the trends identified in the Federal risk assessment performed under subsection (i). [(j)] (k) * * * [(k)] (l) * * * [(l)] (m) * * * (n) Binding Operational Directives.--If the Director of the Cybersecurity and Infrastructure Security Agency issues a binding operational directive or an emergency directive under this section, not later than 2 days after the date on which the binding operational directive requires an agency to take an action, the Director of the Cybersecurity and Infrastructure Security Agency shall provide to the appropriate reporting entities the status of the implementation of the binding operational directive at the agency. * * * * * * * SEC. 3554. FEDERAL AGENCY RESPONSIBILITIES (a) * * * (1) be responsible for-- (A) on an ongoing and continuous basis, performing agency system risk assessments that-- (i) identify and document the high value assets of the agency using guidance from the Director; (ii) evaluate the data assets inventoried under section 3511 of title 44 for sensitivity to compromises in confidentiality, integrity, and availability; (iii) identify agency systems that have access to or hold the data assets inventoried under section 3511 of title 44; (iv) evaluate the threats facing agency systems and data, including high value assets, based on Federal and non- Federal cyber threat intelligence products, where available; (v) evaluate the vulnerability of agency systems and data, including high value assets, including by analyzing (I) the results of penetration testing performed by the Department of Homeland Security under section 3553(b)(9); (II) the results of penetration testing performed under section 3559A; (III) information provided to the agency through the vulnerability disclosure program of the agency under section 3559B; (IV) incidents; and (V) any other vulnerability information relating to agency systems that is known to the agency; (vi) assess the impacts of potential agency incidents to agency systems, data, and operations based on the evaluations described in clauses (ii) and (iv) and the agency systems identified under clause (iii); and (vii) assess the consequences of potential incidents occurring on agency systems that would impact systems at other agencies, including due to interconnectivity between different agency systems or operational reliance on the operations of the system or data in the system; [(A)] (B) [providing information] using information from the assessment conducted under subparagraph (A), providing, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of-- [(B)] (C) complying with the requirements of this subchapter, subchapter III of chapter 13 of title 41, and related policies, procedures, standards, and guidelines, including-- (i) information security standards promulgated under section 11331 of title 40; (ii) binding operational directives developed by the Secretary under section 3553(b); (iii) policies and procedures issued by the Director; (iv) information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; (v) emergency directives issued by the Secretary under section 3553(h); and (vi) responsibilities relating to assessing and avoiding, mitigating, transferring, or accepting supply chain risks under section 1326 of title 41, and complying with exclusion and removal orders issued under section 1323 of such title; [and] [(C)] (D) * * * (E) providing an update on the ongoing and continuous assessment performed under subparagraph (A)-- (i) upon request, to the inspector general of the agency or the Comptroller General of the United States; and (ii) on a periodic basis, as determined by guidance issued by the Director but not less frequently than annually, to-- (I) the Director; (II) the Director of the Cybersecurity and Infrastructure Security Agency; and (III) the National Cyber Director; (F) in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and not less frequently than once every 3 years, performing an evaluation of whether additional cybersecurity procedures are appropriate for securing a system of, or under the supervision of, the agency, which shall-- (i) be completed considering the agency system risk assessment performed under subparagraph (A); and (ii) include a specific evaluation for high value assets; (G) not later than 30 days after completing the evaluation performed under subparagraph (F), providing the evaluation and an implementation plan, if applicable, for using additional cybersecurity procedures determined to be appropriate to-- (i) the Director of the Cybersecurity and Infrastructure Security Agency; (ii) the Director; and (iii) the National Cyber Director; and (H) if the head of the agency determines there is need for additional cybersecurity procedures, ensuring that those additional cybersecurity procedures are reflected in the budget request of the agency in accordance with the risk-based cyber budget model developed pursuant to section 3553(a)(7); (2) * * * (A) assessing the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems in accordance with the agency system risk assessment performed under paragraph (1)(A); (B) determining the levels of information security appropriate to protect such information and information systems [in accordance with standards] in accordance with-- (i) standards promulgated under section 11331 of title 40, for information security classifications and related requirements; (ii) the evaluation performed under paragraph (1)(F); and (iii) the implementation plan described in paragraph (1)(G); (C) * * * (D) periodically, through the use of penetration testing, the vulnerability disclosure program established under section 3559B, and other means, testing and evaluating information security controls and techniques to ensure that they are effectively implemented; (3) * * * (A) * * * (i) * * * (ii) * * * (iii) have information security duties as that official's primary duty; [and] (iv) head an office with the mission and resources to assist in ensuring agency compliance with this section; and (v) ensure that-- (I) senior agency information security officers of component agencies carry out responsibilities under this subchapter, as directed by the senior agency information security officer of the agency or an equivalent official; and (II) senior agency information security officers of component agencies report to-- (aa) the senior information security officer of the agency or an equivalent official; and (bb) the Chief Information Officer of the component agency or an equivalent official; * * * * * * * (5) ensure that the agency Chief Information Officer, in coordination with other senior agency officials, reports annually to the agency head and the Director of the Cybersecurity and Infrastructure Security Agency on the effectiveness of the agency information security program, including progress of remedial actions; (6) * * * (7) * * * (b) * * * [(1) periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency, which may include using automated tools consistent with standards and guidelines promulgated under section 11331 of title 40;] (1) pursuant to subsection (a)(1)(A), performing ongoing and continuous agency system risk assessments, which may include using guidelines and automated tools consistent with standards and guidelines promulgated under section 11331 of title 40, as applicable; (2) * * * (A) * * * [(B) cost-effectively reduce information security risks to an acceptable level;] (B) comply with the risk-based cyber budget model developed pursuant to section 3553(a)(7); (C) * * * (D) * * * (i) * * * (ii) * * * (iii) binding operational directives and emergency directives promulgated by the Director of the Cybersecurity and Infrastructure Security Agency under section 3553; [(iii)] (iv) minimally acceptable system configuration requirements, [as determined by the agency; and] as determined by the agency, considering-- (I) the agency risk assessment performed under subsection (a)(1)(A); and (II) the determinations of applying more stringent standards and additional cybersecurity procedures pursuant to section 11331(c)(1) of title 40; and [(iv)] (v) * * * (3) * * * (4) * * * (5) * * * (A) shall include testing, including penetration testing, as appropriate, of management, operational, and technical controls of every information system identified in the inventory required under section 3505(c); (B) * * * (C) * * * (6) a process for [planning, implementing, evaluating, and documenting] planning and implementing and, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, evaluating and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency; (7) a process for providing the status of every remedial action and known system vulnerability to the Director and the Director of the Cybersecurity and Infrastructure Security Agency, using automation and machine-readable data to the greatest extent practicable; [(7)] (8) * * * (A) * * * (B) * * * (C) shall include-- (i) * * * [(ii) notifying and consulting with the Federal information security incident center established in section 3556; and] (ii) notifying and consulting with the Federal information security incident center established under section 3556 pursuant to the requirements of section 3594; (iii) performing the notifications and other activities required under subchapter IV of this title; and [(iii)] (iv) notifying and consulting with, as appropriate (I) law enforcement agencies [and relevant offices of inspectors general] and Offices of General Counsel; (II) an office designated by the President for any incident involving a national security system; and [(III) for a major incident, the committees of Congress described in subsection (c)(1)]-- (aa) not later than 7 days after the date on which there is a reasonable basis to conclude that the major incident has occurred; and (bb) after the initial notification under item (aa), within a reasonable period of time after additional information relating to the incident is discovered, including the summary required under subsection (c)(1)(A)(i); and] [(IV)] (III) any other agency or office, in accordance with law or as directed by the President; and [(8)] (9) * * * (c) * * * [(1) Annual report.-- (A) In general.--Each agency shall submit to the Director, the Secretary, the Committee on Government Reform, the Committee on Homeland Security, and the Committee on Science of the House of Representatives, the Committee on Homeland Security and Governmental Affairs and the Committee on Commerce, Science, and Transportation of the Senate, the appropriate authorization and appropriations committees of Congress, and the Comptroller General a report on the adequacy and effectiveness of information security policies, procedures, and practices, including-- (i) a description of each major information security incident or related sets of incidents, including summaries of-- (I) the threats and threat actors, vulnerabilities, and impacts relating to the incident; (II) the risk assessments conducted under section 3554(a)(2)(A) of the affected information systems before the date on which the incident occurred; (III) the status of compliance of the affected information systems with applicable security requirements at the time of the incident; and (IV) the detection, response, and remediation actions; (ii) the total number of information security incidents, including a description of incidents resulting in significant compromise of information security, system impact levels, types of incident, and locations of affected systems; (iii) a description of each major information security incident that involved a breach of personally identifiable information, as defined by the Director, including-- (I) the number of individuals whose information was affected by the major information security incident; and (II) a description of the information that was breached or exposed; and (iv) any other information as the Director or the Secretary, in consultation with the Director, may require. (B) Unclassified report--. (i) In general.--Each report submitted under subparagraph (A) shall be in unclassified form, but may include a classified annex. (ii) Access to information.--The head of an agency shall ensure that, to the greatest extent practicable, information is included in the unclassified version of the reports submitted by the agency under subparagraph (A).] (1) Biannual report.--Not later than 2 years after the date of enactment of the Federal Information Security Modernization Act of 2021 and not less frequently than once every 2 years thereafter, using the continuous and ongoing agency system risk assessment under subsection (a)(1)(A), the head of each agency shall submit to the Director, the Director of the Cybersecurity and Infrastructure Security Agency, the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Oversight and Reform of the House of Representatives, the Committee on Homeland Security of the House of Representatives, the appropriate authorization and appropriations committees of Congress, the National Cyber Director, and the Comptroller General of the United States a report that-- (A) summarizes the agency system risk assessment performed under subsection (a)(1)(A); (B) evaluates the adequacy and effectiveness of information security policies, procedures, and practices of the agency to address the risks identified in the agency system risk assessment performed under subsection (a)(1)(A); (C) summarizes the evaluation and implementation plans described in subparagraphs (F) and (G) of subsection (a)(1) and whether those evaluation and implementation plans call for the use of additional cybersecurity procedures determined to be appropriate by the agency; and (D) summarizes the status of remedial actions identified by inspector general of the agency, the Comptroller General of the United States, and any other source determined appropriate by the head of the agency. (2) Unclassified reports. Each report submitted under paragraph (1)-- (A) shall be, to the greatest extent practicable, in an unclassified and otherwise uncontrolled form; and (B) may include a classified annex. (3) Access to information.--The head of an agency shall ensure that, to the greatest extent practicable, information is included in the unclassified form of the report submitted by the agency under paragraph (2)(A). (4) Briefings.--During each year during which a report is not required to be submitted under paragraph (1), the Director shall provide to the congressional committees described in paragraph (1) a briefing summarizing current agency and Federal risk postures. [(2)] (5) Other plans and reports.--Each agency shall address the adequacy and effectiveness of information security policies, procedures, and practices in management plans and reports, including the reporting procedures established under section 11315(d) of title 40 and subsection (a)(3)(A)(v) of this section. (d) Performance Plan.-- (1) In addition to the requirements of subsection (c), each agency, in consultation with the Director and the Director of the Cybersecurity and Infrastructure Security Agency, shall include as part of the performance plan required under section 1115 of title 31 a description of-- (A) * * * (B) * * * (2) The description under paragraph (1) and the risk- based budget model required under section 3553(a)(7) shall be based on the risk assessments required under subsection (b)(1). SEC. 3555. [ANNUAL INDEPENDENT] INDEPENDENT EVALUATION. (a) In General.-- (1) Each year during which a report is required to be submitted under section 3553(c), each agency shall have performed an independent evaluation of the information security program and practices of that agency to determine the effectiveness of such program and practices. (2) Each evaluation under this section shall include-- (A) testing of the effectiveness of information security policies, procedures, and practices of a representative subset of the agency's information systems, including by penetration testing and analyzing the vulnerability disclosure program of the agency; (B) an assessment of the effectiveness of the information security policies, procedures, and practices of the agency; [and] (C) separate presentations, as appropriate, regarding information security relating to national security systems[.]; and (D) an assessment of how the agency implemented the risk-based budget model required under section 3553(a)(7) and an evaluation of whether the model mitigates agency cyber vulnerabilities. (3) An evaluation under this section may include recommendations for improving the cybersecurity posture of the agency. (b) * * * (1) for each agency with an Inspector General appointed under the Inspector General Act of 1978, the [annual] evaluation required by this section shall be performed by the Inspector General or by an independent external auditor, as determined by the Inspector General of the agency; and * * * * * * * (e) Agency Reporting.-- (1) Each year during which a report is required to be submitted under section 3553(c), not later than such date established by the Director, the head of each agency shall submit to the Director the results of the evaluation required under this section. (2) * * * [(f) Protection of Information.--Agencies and evaluators shall take appropriate steps to ensure the protection of information which, if disclosed, may adversely affect information security. Such protections shall be commensurate with the risk and comply with all applicable laws and regulations.] (f) Protection of Information.-- (1) Agencies, evaluators, and other recipients of information that, if disclosed, may cause grave harm to the efforts of Federal information security officers, including the appropriate congressional committees, shall take appropriate steps to ensure the protection of that information, including safeguarding the information from public disclosure. (2) The protections required under paragraph (1) shall be commensurate with the risk and comply with all applicable laws and regulations. (3) With respect to information that is not related to national security systems, agencies and evaluators shall make a summary of the information unclassified and publicly available, including information that does not identify-- (A) specific information system incidents; or (B) specific information system vulnerabilities. (g) * * * (1) * * * (2) The Director's report to Congress under [this subsection shall] this subsection-- (A) shall summarize information regarding information security relating to national security systems in such a manner as to ensure appropriate protection for information associated with any information security vulnerability in such system commensurate with the risk and in accordance with all applicable laws[.]; (B) identify any entity that performs an independent evaluation under subsection (b). * * * * * * * (i) * * * [(j) Guidance.--The Director, in consultation with the Secretary, the Chief Information Officers Council established under section 3603, the Council of the Inspectors General on Integrity and Efficiency, and other interested parties as appropriate, shall ensure the development of guidance for evaluating the effectiveness of an information security program and practices.] (j) Guidance.-- (1) In general.--The Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the Chief Information Officers Council, the Council of the Inspectors General on Integrity and Efficiency, and other interested parties as appropriate, shall ensure the development of guidance for evaluating the effectiveness of an information security program and practices (2) Priorities.--The guidance developed under paragraph (1) shall prioritize the identification of-- (A) the most common threat patterns experienced by each agency; (B) the security controls that address the threat patterns described in subparagraph (A); and (C) any other security risks unique to the networks of each agency. * * * * * * * SEC. 3556. FEDERAL INFORMATION SECURITY INCIDENT CENTER (a) In General.--The Secretary shall ensure the operation of a central Federal information security incident center within the Cybersecurity and Infrastructure Security Agency to-- (1) * * * (2) * * * (3) * * * (4) provide, as appropriate, intelligence and other information about cyber threats, vulnerabilities, and incidents to agencies to assist in risk assessments conducted under section [3554(b)] 3554(a)(1)(A); and * * * * * * * SEC. 3559A. FEDERAL PENETRATION TESTING (a) Definitions.--In this section: (1) Agency operational plan.--The term `agency operational plan' means a plan of an agency for the use of penetration testing. (2) Rules of engagement.--The term `rules of engagement' means a set of rules established by an agency for the use of penetration testing. (b) Guidance.-- (1) In general.--The Director shall issue guidance that-- (A) requires agencies to use, when and where appropriate, penetration testing on agency systems; and (B) requires agencies to develop an agency operational plan and rules of engagement that meet the requirements under subsection (c). (2) Penetration testing guidance.--The guidance issued under this section shall-- (A) permit an agency to use, for the purpose of performing penetration testing-- (i) a shared service of the agency or another agency; or (ii) an external entity, such as a vendor; and (B) require agencies to provide the rules of engagement and results of penetration testing to the Director and the Director of the Cybersecurity and Infrastructure Security Agency, without regard to the status of the entity that performs the penetration testing. (c) Agency Plans and Rules of Engagement.--The agency operational plan and rules of engagement of an agency shall-- (1) require the agency to-- (A) perform penetration testing on the high value assets of the agency; or (B) coordinate with the Director of the Cybersecurity and Infrastructure Security Agency to ensure that penetration testing is being performed; (2) establish guidelines for avoiding, as a result of penetration testing-- (A) adverse impacts to the operations of the agency; (B) adverse impacts to operational environments and systems of the agency; and (C) inappropriate access to data; (3) require the results of penetration testing to include feedback to improve the cybersecurity of the agency; and (4) include mechanisms for providing consistently formatted, and, if applicable, automated and machine- readable, data to the Director and the Director of the Cybersecurity and Infrastructure Security Agency. (d) Responsibilities of CISA.--The Director of the Cybersecurity and Infrastructure Security Agency shall-- (1) establish a process to assess the performance of penetration testing by both Federal and non-Federal entities that establishes minimum quality controls for penetration testing; (2) develop operational guidance for instituting penetration testing programs at agencies; (3) develop and maintain a centralized capability to offer penetration testing as a service to Federal and non-Federal entities; and (4) provide guidance to agencies on the best use of penetration testing resources. (e) Responsibilities of OMB.--The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall-- (1) not less frequently than annually, inventory all Federal penetration testing assets; and (2) develop and maintain a standardized process for the use of penetration testing. (f) Prioritization of Penetration Testing Resources.-- (1) In general.--The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall develop a framework for prioritizing Federal penetration testing resources among agencies. (2) Considerations.--In developing the framework under this subsection, the Director shall consider-- (A) agency system risk assessments performed under section 3554(a)(1)(A); (B) the Federal risk assessment performed under section 3553(i); (C) the analysis of Federal incident data performed under section 3597; and (D) any other information determined appropriate by the Director or the Director of the Cybersecurity and Infrastructure Security Agency. (g) Exception for National Security Systems.--The guidance issued under subsection (b) shall not apply to national security systems. (h) Delegation of Authority for Certain Systems.--The authorities of the Director described in subsection (b) shall be delegated-- (1) to the Secretary of Defense in the case of systems described in section 3553(e)(2); and (2) to the Director of National Intelligence in the case of systems described in 3553(e)(3). SEC. 3559B. FEDERAL VULNERABILITY DISCLOSURE PROGRAMS (a) Definitions.--In this section: (1) Report.--The term `report' means a vulnerability disclosure made to an agency by a reporter. (2) Reporter.--The term `reporter' means an individual that submits a vulnerability report pursuant to the vulnerability disclosure process of an agency. (b) Responsibilities of OMB.-- (1) Limitation on legal action.--The Director, in consultation with the Attorney General, shall issue guidance to agencies to not recommend or pursue legal action against a reporter or an individual that conducts a security research activity that the head of the agency determines-- (A) represents a good faith effort to follow the vulnerability disclosure policy of the agency developed under subsection (d)(2); and (B) is authorized under the vulnerability disclosure policy of the agency developed under subsection (d)(2). (2) Sharing information with CISA.--The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director, shall issue guidance to agencies on sharing relevant information in a consistent, automated, and machine readable manner with the Cybersecurity and Infrastructure Security Agency, including-- (A) any valid or credible reports of newly discovered or not publicly known vulnerabilities (including misconfigurations) on Federal information systems that use commercial software or services; (B) information relating to vulnerability disclosure, coordination, or remediation activities of an agency, particularly as those activities relate to outside organizations-- (i) with which the head of the agency believes the Director of the Cybersecurity and Infrastructure Security Agency can assist; or (ii) about which the head of the agency believes the Director of the Cybersecurity and Infrastructure Security Agency should know; and (C) any other information with respect to which the head of the agency determines helpful or necessary to involve the Cybersecurity and Infrastructure Security Agency. (3) Agency vulnerability disclosure policies.--The Director shall issue guidance to agencies on the required minimum scope of agency systems covered by the vulnerability disclosure policy of an agency required under subsection (d)(2). (c) Responsibilities of CISA.--The Director of the Cybersecurity and Infrastructure Security Agency shall-- (1) provide support to agencies with respect to the implementation of the requirements of this section; (2) develop tools, processes, and other mechanisms determined appropriate to offer agencies capabilities to implement the requirements of this section; and (3) upon a request by an agency, assist the agency in the disclosure to vendors of newly identified vulnerabilities in vendor products and services. (d) Responsibilities of Agencies.-- (1) Public information.--The head of each agency shall make publicly available, with respect to each internet domain under the control of the agency that is not a national security system-- (A) an appropriate security contact; and (B) the component of the agency that is responsible for the internet accessible services offered at the domain. (2) Vulnerability disclosure policy.--The head of each agency shall develop and make publicly available a vulnerability disclosure policy for the agency, which shall-- (A) describe-- (i) the scope of the systems of the agency included in the vulnerability disclosure policy; (ii) the type of information system testing that is authorized by the agency; (iii) the type of information system testing that is not authorized by the agency; and (iv) the disclosure policy of the agency for sensitive information; (B) with respect to a report to an agency, describe-- (i) how the reporter should submit the report; and (ii) if the report is not anonymous, when the reporter should anticipate an acknowledgment of receipt of the report by the agency; (C) include any other relevant information; and (D) be mature in scope, to cover all Federal information systems used or operated by that agency or on behalf of that agency. (3) Identified vulnerabilities.--The head of each agency shall incorporate any vulnerabilities reported under paragraph (2) into the vulnerability management process of the agency in order to track and remediate the vulnerability. (e) Paperwork Reduction Act Exemption.--The requirements of subchapter I (commonly known as the `Paperwork Reduction Act') shall not apply to a vulnerability disclosure program established under this section. (f) Congressional Reporting.--Not later than 90 days after the date of enactment of the Federal Information Security Modernization Act of 2021, and annually thereafter for a 3-year period, the Director shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives a briefing on the status of the use of vulnerability disclosure policies under this section at agencies, including, with respect to the guidance issued under subsection (b)(3), an identification of the agencies that are compliant and not compliant. (g) Exemptions.--The authorities and functions of the Director and Director of the Cybersecurity and Infrastructure Security Agency under this section shall not apply to national security systems. (h) Delegation of Authority for Certain Systems.--The authorities of the Director and the Director of the Cybersecurity and Infrastructure Security Agency described in this section shall be delegated-- (1) to the Secretary of Defense in the case of systems described in section 3553(e)(2); and (2) to the Director of National Intelligence in the case of systems described in section 3553(e)(3). * * * * * * * Subchapter IV--Federal System Incident Response * * * * * * * SEC. 3591. DEFINITIONS (a) In General.--Except as provided in subsection (b), the definitions under sections 3502 and 3552 shall apply to this subchapter. (b) Additional Definitions.--As used in this subchapter: (1) Appropriate reporting entities.--The term `appropriate reporting entities' means-- (A) the majority and minority leaders of the Senate; (B) the Speaker and minority leader of the House of Representatives; (C) the Committee on Homeland Security and Governmental Affairs of the Senate; (D) the Committee on Oversight and Reform of the House of Representatives; (E) the Committee on Homeland Security of the House of Representatives; (F) the appropriate authorization and appropriations committees of Congress; (G) the Director; (H) the Director of the Cybersecurity and Infrastructure Security Agency; (I) the National Cyber Director; (J) the Comptroller General of the United States; and (K) the inspector general of any impacted agency. (2) Awardee.--The term `awardee'-- (A) means a person, business, or other entity that receives a grant from, or is a party to a cooperative agreement with, an agency; and (B) includes any subgrantee of a person, business, or other entity described in subparagraph (A). (3) Breach.--The term `breach` means-- (A) a compromise of the security, confidentiality, or integrity of data in electronic form that results in unauthorized access to, or an acquisition of, personal information; or (B) a loss of data in electronic form that results in unauthorized access to, or an acquisition of, personal information. (4) Contractor.--The term `contractor' means-- (A) a prime contractor of an agency or a subcontractor of a prime contractor of an agency; and (B) any person or business that collects or maintains information, including personally identifiable information, on behalf of an agency. (5) Federal information.--The term `Federal information' means information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the Federal Government in any medium or form. (6) Federal information system.--The term `Federal information system' means an information system used or operated by an agency, a contractor, or another organization on behalf of an agency. (7) Intelligence community.--The term `intelligence community' has the meaning given the term in section 3 of the National Security Act of 1947 (50 U.S.C. 3003). (8) Nationwide consumer reporting agency.--The term `nationwide consumer reporting agency' means a consumer reporting agency described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)). (9) Vulnerability disclosure.--The term `vulnerability disclosure' means a vulnerability identified under section 3559B. SEC. 3592. NOTIFICATION OF BREACH (a) Notification.--As expeditiously as practicable and without unreasonable delay, and in any case not later than 45 days after an agency has a reasonable basis to conclude that a breach has occurred, the head of the agency, in consultation with a senior privacy officer of the agency, shall-- (1) determine whether notice to any individual potentially affected by the breach is appropriate based on an assessment of the risk of harm to the individual that considers-- (A) the nature and sensitivity of the personally identifiable information affected by the breach; (B) the likelihood of access to and use of the personally identifiable information affected by the breach; (C) the type of breach; and (D) any other factors determined by the Director; and (2) as appropriate, provide written notice in accordance with subsection (b) to each individual potentially affected by the breach-- (A) to the last known mailing address of the individual; or (B) through an appropriate alternative method of notification that the head of the agency or a designated senior-level individual of the agency selects based on factors determined by the Director. (b) Contents of Notice.--Each notice of a breach provided to an individual under subsection (a)(2) shall include-- (1) a brief description of the rationale for the determination that notice should be provided under subsection (a); (2) if possible, a description of the types of personally identifiable information affected by the breach; (3) contact information of the agency that may be used to ask questions of the agency, which-- (A) shall include an e-mail address or another digital contact mechanism; and (B) may include a telephone number or a website; (4) information on any remedy being offered by the agency; (5) any applicable educational materials relating to what individuals can do in response to a breach that potentially affects their personally identifiable information, including relevant information to contact Federal law enforcement agencies and each nationwide consumer reporting agency; and (6) any other appropriate information, as determined by the head of the agency or established in guidance by the Director. (c) Delay of Notification.-- (1) In general.--The Attorney General, the Director of National Intelligence, or the Secretary of Homeland Security may delay a notification required under subsection (a) if the notification would-- (A) impede a criminal investigation or a national security activity; (B) reveal sensitive sources and methods; (C) cause damage to national security; or (D) hamper security remediation actions. (2) Documentation.-- (A) In general.--Any delay under paragraph (1) shall be reported in writing to the Director, the Attorney General, the Director of National Intelligence, the Secretary of Homeland Security, the Director of the Cybersecurity and Infrastructure Security Agency, and the head of the agency and the inspector general of the agency that experienced the breach. (B) Contents.--A report required under subparagraph (A) shall include a written statement from the entity that delayed the notification explaining the need for the delay. (C) Form.--The report required under subparagraph (A) shall be unclassified but may include a classified annex. (3) Renewal.--A delay under paragraph (1) shall be for a period of 60 days and may be renewed. (d) Update Notification.--If an agency determines there is a significant change in the reasonable basis to conclude that a breach occurred, a significant change to the determination made under subsection (a)(1), or that it is necessary to update the details of the information provided to impacted individuals as described in subsection (b), the agency shall as expeditiously as practicable and without unreasonable delay, and in any case not later than 30 days after such a determination, notify each individual who received a notification pursuant to subsection (a) of those changes. (e) Exemption From Notification.-- (1) In general.--The head of an agency, in consultation with the inspector general of the agency, may request an exemption from the Director from complying with the notification requirements under subsection (a) if the information affected by the breach is determined by an independent evaluation to be unreadable, including, as appropriate, instances in which the information is-- (A) encrypted; and (B) determined by the Director of the Cybersecurity and Infrastructure Security Agency to be of sufficiently low risk of exposure. (2) Approval.--The Director shall determine whether to grant an exemption requested under paragraph (1) in consultation with-- (A) the Director of the Cybersecurity and Infrastructure Security Agency; and (B) the Attorney General. (3) Documentation.--Any exemption granted by the Director under paragraph (1) shall be reported in writing to the head of the agency and the inspector general of the agency that experienced the breach and the Director of the Cybersecurity and Infrastructure Security Agency. (f) Rule of Construction.--Nothing in this section shall be construed to limit-- (1) the Director from issuing guidance relating to notifications or the head of an agency from notifying individuals potentially affected by breaches that are not determined to be major incidents; or (2) the Director from issuing guidance relating to notifications of major incidents or the head of an agency from providing more information than described in subsection (b) when notifying individuals potentially affected by breaches. SEC. 3593. CONGRESSIONAL AND EXECUTIVE BRANCH REPORTS (a) Initial Report.-- (1) In general.--Not later than 72 hours after an agency has a reasonable basis to conclude that a major incident occurred, the head of the agency impacted by the major incident shall submit to the appropriate reporting entities a written report and, to the extent practicable, provide a briefing to the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Oversight and Reform of the House of Representatives, the Committee on Homeland Security of the House of Representatives, and the appropriate authorization and appropriations committees of Congress, taking into account-- (A) the information known at the time of the report; (B) the sensitivity of the details associated with the major incident; and (C) the classification level of the information contained in the report. (2) Contents.--A report required under paragraph (1) shall include, in a manner that excludes or otherwise reasonably protects personally identifiable information and to the extent permitted by applicable law, including privacy and statistical laws-- (A) a summary of the information available about the major incident, including how the major incident occurred, information indicating that the major incident may be a breach, and information relating to the major incident as a breach, based on information available to agency officials as of the date on which the agency submits the report; (B) if applicable, a description and any associated documentation of any circumstances necessitating a delay in or exemption to notification to individuals potentially affected by the major incident under subsection (c) or (e) of section 3592; and (C) if applicable, an assessment of the impacts to the agency, the Federal Government, or the security of the United States, based on information available to agency officials on the date on which the agency submits the report. (b) Supplemental Report.--Within a reasonable amount of time, but not later than 30 days after the date on which an agency submits a written report under subsection (a), the head of the agency shall provide to the appropriate reporting entities written updates on the major incident and, to the extent practicable, provide a briefing to the congressional committees described in subsection (a)(1), including summaries of-- (1) vulnerabilities, means by which the major incident occurred, and impacts to the agency relating to the major incident; (2) any risk assessment and subsequent risk-based security implementation of the affected information system before the date on which the major incident occurred; (3) the status of compliance of the affected information system with applicable security requirements at the time of the major incident; (4) an estimate of the number of individuals potentially affected by the major incident based on information available to agency officials as of the date on which the agency provides the update; (5) an assessment of the risk of harm to individuals potentially affected by the major incident based on information available to agency officials as of the date on which the agency provides the update; (6) an update to the assessment of the risk to agency operations, or to impacts on other agency or non- Federal entity operations, affected by the major incident based on information available to agency officials as of the date on which the agency provides the update; and (7) the detection, response, and remediation actions of the agency, including any support provided by the Cybersecurity and Infrastructure Security Agency under section 3594(d) and status updates on the notification process described in section 3592(a), including any delay or exemption described in subsection (c) or (e), respectively, of section 3592, if applicable. (c) Update Report.--If the agency determines that there is any significant change in the understanding of the agency of the scope, scale, or consequence of a major incident for which an agency submitted a written report under subsection (a), the agency shall provide an updated report to the appropriate reporting entities that includes information relating to the change in understanding. (d) Annual Report.--Each agency shall submit as part of the annual report required under section 3554(c)(1) of this title a description of each major incident that occurred during the 1- year period preceding the date on which the report is submitted. (e) Delay and Exemption Report.-- (1) In general.--The Director shall submit to the appropriate notification entities an annual report on all notification delays and exemptions granted pursuant to subsections (c) and (d) of section 3592. (2) Component of other report.--The Director may submit the report required under paragraph (1) as a component of the annual report submitted under section 3597(b). (f) Report Delivery.--Any written report required to be submitted under this section may be submitted in a paper or electronic format. (g) Threat Briefing.-- (1) In general.--Not later than 7 days after the date on which an agency has a reasonable basis to conclude that a major incident occurred, the head of the agency, jointly with the National Cyber Director and any other Federal entity determined appropriate by the National Cyber Director, shall provide a briefing to the congressional committees described in subsection (a)(1) on the threat causing the major incident. (2) Components.--The briefing required under paragraph (1)-- (A) shall, to the greatest extent practicable, include an unclassified component; and (B) may include a classified component. (h) Rule of Construction.--Nothing in this section shall be construed to limit-- (1) the ability of an agency to provide additional reports or briefings to Congress; or (2) Congress from requesting additional information from agencies through reports, briefings, or other means. SEC. 3594. GOVERNMENT INFORMATION SHARING AND INCIDENT RESPONSE (a) In General.-- (1) Incident reporting.--The head of each agency shall provide any information relating to any incident, whether the information is obtained by the Federal Government directly or indirectly, to the Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget. (2) Contents.--A provision of information relating to an incident made by the head of an agency under paragraph (1) shall-- (A) include detailed information about the safeguards that were in place when the incident occurred; (B) whether the agency implemented the safeguards described in subparagraph (A) correctly; (C) in order to protect against a similar incident, identify-- (i) how the safeguards described in subparagraph (A) should be implemented differently; and (ii) additional necessary safeguards; and (D) include information to aid in incident response, such as-- (i) a description of the affected systems or networks; (ii) the estimated dates of when the incident occurred; and (iii) information that could reasonably help identify the party that conducted the incident. (3) Information sharing.--To the greatest extent practicable, the Director of the Cybersecurity and Infrastructure Security Agency shall share information relating to an incident with any agencies that may be impacted by the incident. (4) National security systems.--Each agency operating or exercising control of a national security system shall share information about incidents with the Director of the Cybersecurity and Infrastructure Security Agency to the extent consistent with standards and guidelines for national security systems issued in accordance with law and as directed by the President. (b) Compliance.--The information provided under subsection (a) shall take into account the level of classification of the information and any information sharing limitations and protections, such as limitations and protections relating to law enforcement, national security, privacy, statistical confidentiality, or other factors determined by the Director (c) Incident Response.--Each agency that has a reasonable basis to conclude that a major incident occurred involving Federal information in electronic medium or form, as defined by the Director and not involving a national security system, regardless of delays from notification granted for a major incident, shall coordinate with the Cybersecurity and Infrastructure Security Agency regarding-- (1) incident response and recovery; and (2) recommendations for mitigating future incidents. SEC. 3595. RESPONSIBILITIES OF CONTRACTORS AND AWARDEES.``3595. RESPONSIBILITIES OF CONTRACTORS AND AWARDEES (a) Notification.-- (1) In general.--Unless otherwise specified in a contract, grant, or cooperative agreement, any contractor or awardee of an agency shall report to the agency within the same amount of time such agency is required to report an incident to the Cybersecurity and Infrastructure Security Agency, if the contractor or awardee has a reasonable basis to conclude that-- (A) an incident or breach has occurred with respect to Federal information collected, used, or maintained by the contractor or awardee in connection with the contract, grant, or cooperative agreement of the contractor or awardee; (B) an incident or breach has occurred with respect to a Federal information system used or operated by the contractor or awardee in connection with the contract, grant, or cooperative agreement of the contractor or awardee; or (C) the contractor or awardee has received information from the agency that the contractor or awardee is not authorized to receive in connection with the contract, grant, or cooperative agreement of the contractor or awardee. (2) Procedures.-- (A) Major incident.--Following a report of a breach or major incident by a contractor or awardee under paragraph (1), the agency, in consultation with the contractor or awardee, shall carry out the requirements under sections 3592, 3593, and 3594 with respect to the major incident. (B) Incident.--Following a report of an incident by a contractor or awardee under paragraph (1), an agency, in consultation with the contractor or awardee, shall carry out the requirements under section 3594 with respect to the incident. (b) Effective Date.--This section shall apply on and after the date that is 1 year after the date of enactment of the Federal Information Security Modernization Act of 2021. SEC. 3596. TRAINING (a) Covered Individual Defined.--In this section, the term `covered individual' means an individual who obtains access to Federal information or Federal information systems because of the status of the individual as an employee, contractor, awardee, volunteer, or intern of an agency. (b) Requirement.--The head of each agency shall develop training for covered individuals on how to identify and respond to an incident, including-- (1) the internal process of the agency for reporting an incident; and (2) the obligation of a covered individual to report to the agency a confirmed major incident and any suspected incident involving information in any medium or form, including paper, oral, and electronic. (c) Inclusion in Annual Training.--The training developed under subsection (b) may be included as part of an annual privacy or security awareness training of an agency. SEC. 3597. ANALYSIS AND REPORT ON FEDERAL INCIDENTS (a) Analysis of Federal Incidents.-- (1) Quantitative and qualitative analyses.--The Director of the Cybersecurity and Infrastructure Security Agency shall develop, in consultation with the Director and the National Cyber Director, and perform continuous monitoring and quantitative and qualitative analyses of incidents at agencies, including major incidents, including-- (A) the causes of incidents, including-- (i) attacker tactics, techniques, and procedures; and (ii) system vulnerabilities, including zero days, unpatched systems, and information system misconfigurations; (B) the scope and scale of incidents at agencies; (C) cross Federal Government root causes of incidents at agencies; (D) agency incident response, recovery, and remediation actions and the effectiveness of those actions, as applicable; and (E) lessons learned and recommendations in responding to, recovering from, remediating, and mitigating future incidents. (2) Automated analysis.--The analyses developed under paragraph (1) shall, to the greatest extent practicable, use machine readable data, automation, and machine learning processes. (3) Sharing of data and analysis.-- (A) In general.--The Director shall share on an ongoing basis the analyses required under this subsection with agencies and the National Cyber Director to-- (i) improve the understanding of cybersecurity risk of agencies; and (ii) support the cybersecurity improvement efforts of agencies. (B) Format.--In carrying out subparagraph (A), the Director shall share the analyses-- (i) in human-readable written products; and (ii) to the greatest extent practicable, in machine-readable formats in order to enable automated intake and use by agencies. (b) Annual Report on Federal Incidents.--Not later than 2 years after the date of enactment of this section, and not less frequently than annually thereafter, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director and other Federal agencies as appropriate, shall submit to the appropriate notification entities a report that includes-- (1) a summary of causes of incidents from across the Federal Government that categorizes those incidents as incidents or major incidents; (2) the quantitative and qualitative analyses of incidents developed under subsection (a)(1), including specific analysis of breaches, on an agency-by-agency basis and comprehensively across the Federal Government; and (3) an annex for each agency that includes-- (A) a description of each major incident; and (B) the total number of compromises of the agency. (c) Publication.--A version of each report submitted under subsection (b) shall be made publicly available on the website of the Cybersecurity and Infrastructure Security Agency during the year in which the report is submitted. (d) Information Provided by Agencies.-- (1) In general.--The analysis required under subsection (a) and each report submitted under subsection (b) shall use information provided by agencies under section 3594(a). (2) Noncompliance reports.-- (A) In general.--Subject to subparagraph (B), during any year during which the head of an agency does not provide data for an incident to the Cybersecurity and Infrastructure Security Agency in accordance with section 3594(a), the head of the agency, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and the Director, shall submit to the appropriate reporting entities a report that includes-- (i) data for the incident; and (ii) the information described in subsection (b) with respect to the agency. (B) Exception for national security systems.--The head of an agency that owns or exercises control of a national security system shall not include data for an incident that occurs on a national security system in any report submitted under subparagraph (A). (3) National security system reports.-- (A) In general.--Annually, the head of an agency that operates or exercises control of a national security system shall submit a report that includes the information described in subsection (b) with respect to the agency to the extent that the submission is consistent with standards and guidelines for national security systems issued in accordance with law and as directed by the President to-- (i) the the majority and minority leaders of the Senate, (ii) the Speaker and minority leader of the House of Representatives; (iii) the Committee on Homeland Security and Governmental Affairs of the Senate; (iv) the Select Committee on Intelligence of the Senate; (v) the Committee on Armed Services of the Senate; (vi) the Committee on Oversight and Reform of the House of Representatives; (vii) the Committee on Homeland Security of the House of Representatives; (viii) the Permanent Select Committee on Intelligence of the House of Representatives; and (ix) the Committee on Armed Services of the House of Representatives. (B) Classified form.--A report required under subparagraph (A) may be submitted in a classified form. (e) Requirement for Compiling Information.--In publishing the public report required under subsection (c), the Director of the Cybersecurity and Infrastructure Security Agency shall sufficiently compile information such that no specific incident of an agency can be identified, except with the concurrence of the Director of the Office of Management and Budget and in consultation with the impacted agency. SEC. 3598. MAJOR INCIDENT DEFINITION (a) In General.--Not later than 180 days after the date of enactment of the Federal Information Security Modernization Act of 2021, the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director, shall develop and promulgate guidance on the definition of the term `major incident' for the purposes of subchapter II and this subchapter. (b) Requirements.--With respect to the guidance issued under subsection (a), the definition of the term `major incident' shall-- (1) include, with respect to any information collected or maintained by or on behalf of an agency or an information system used or operated by an agency or by a contractor of an agency or another organization on behalf of an agency-- (A) any incident the head of the agency determines is likely to have an impact on-- (i) the national security, homeland security, or economic security of the United States; or (ii) the civil liberties or public health and safety of the people of the United States; (B) any incident the head of the agency determines likely to result in an inability for the agency, a component of the agency, or the Federal Government, to provide 1 or more critical services; (C) any incident that the head of an agency, in consultation with a senior privacy officer of the agency, determines is likely to have a significant privacy impact on 1 or more individual; (D) any incident that the head of the agency, in consultation with a senior privacy official of the agency, determines is likely to have a substantial privacy impact on a significant number of individuals; (E) any incident the head of the agency determines impacts the operations of a high value asset owned or operated by the agency; (F) any incident involving the exposure of sensitive agency information to a foreign entity, such as the communications of the head of the agency, the head of a component of the agency, or the direct reports of the head of the agency or the head of a component of the agency; and (G) any other type of incident determined appropriate by the Director; (2) stipulate that the National Cyber Director shall declare a major incident at each agency impacted by an incident if the Director of the Cybersecurity and Infrastructure Security Agency determines that an incident-- (A) occurs at not less than 2 agencies; and (B) is enabled by (i) a common technical root cause, such as a supply chain compromise, a common software or hardware vulnerability; or (ii) the related activities of a common threat actor; and (3) stipulate that, in determining whether an incident constitutes a major incident because that incident-- (A) is any incident described in paragraph (1), the head of an agency shall consult with the Director of the Cybersecurity and Infrastructure Security Agency; (B) is an incident described in paragraph (1)(A), the head of the agency shall consult with the National Cyber Director; and (C) is an incident described in subparagraph (C) or (D) of paragraph (1), the head of the agency shall consult with-- (i) the Privacy and Civil Liberties Oversight Board; and (ii) the Executive Director of the Federal Trade Commission. (c) Significant Number of Individuals.--In determining what constitutes a significant number of individuals under subsection (b)(1)(D), the Director-- (1) may determine a threshold for a minimum number of individuals that constitutes a significant amount; and (2) may not determine a threshold described in paragraph (1) that exceeds 5,000 individuals. (d) Evaluation and Updates.--Not later than 2 years after the date of enactment of the Federal Information Security Modernization Act of 2021, and not less frequently than every 2 years thereafter, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives an evaluation, which shall include-- (1) an update, if necessary, to the guidance issued under subsection (a); (2) the definition of the term `major incident' included in the guidance issued under subsection (a); and (3) an explanation of, and the analysis that led to, the definition described in paragraph (2). * * * * * * * HOMELAND SECURITY ACT OF 2002 * * * * * * * SEC. 1001. INFORMATION SECURITY. (a) * * * (b) * * * (c) Information Security Responsibilities of Certain Agencies.-- (1) National security responsibilities.--(A) Nothing in this Act (including any amendment made by this Act) shall supersede any authority of the Secretary of Defense, the Director of Central Intelligence, or other agency head, as authorized by law and as directed by the President, with regard to the operation, control, or management of national security systems, as defined by [section 3552(b)(5)] section 3552(b) of title 44, United States Code. * * * * * * * CYBERSECURITY ACT OF 2015 * * * * * * * TITLE II--NATIONAL CYBERSECURITY ADVANCEMENT * * * * * * * Subtitle B--Federal Cybersecurity Enhancement * * * * * * * SEC. 226. ASSESSMENT; REPORTS. (a) * * * (b) * * * (c) Reports to Congress (1) * * * (A) * * * (B) OMB report.--Not later than 18 months after December 18, 2015, and [annually thereafter] thereafter during the years during which a report is required to be submitted under section 3553(c) of title 44, United States Code, the Director shall submit to Congress, as part of the report required under section 3553(c) of title 44, an analysis of agency application of the intrusion detection and prevention capabilities, including-- * * * * * * * (2) * * * (A) * * * (B) not later than 1 year after December 18, 2015, and [annually thereafter] thereafter during the years during which a report is required to be submitted under section 3553(c) of title 44, United States Code, submit to Congress, as part of [the report required under section 3553(c) of title 44] that report. * * * * * * * [all]