Code · BILL · 114th Congress · H.R. 6066 (Introduced in House) — To enforce Federal cybersecurity responsibility and accountability. · Sec. 5

Sec. 5. Federal agency head responsibilities


Section 3554 of title 44, United States Code, is amended—

(1) in subsection (a)(3)(A)—

    (A) by striking "designating a senior agency information security officer" and inserting "collaborating with the agency head to designate a Chief Information Security Officer";

    (B) by redesignating clauses (i) through (iv) as clauses (ii) through (v), respectively;

    (C) by inserting before clause (ii), as so redesignated, the following new clause:

        "(i) have the job description and responsibilities that shall be provided in guidance issued by the Director, developed in consultation with the Director of the National Institute of Standards and Technology and the Secretary, within 6 months after the date of enactment of the Cybersecurity Responsibility and Accountability Act of 2016;";

    (D) in clause (iv), as so redesignated, by striking "and" at the end;

    (E) in clause (v), as so redesignated, by inserting "and" after the semicolon at the end; and

    (F) by adding at the end the following new clause:

        "(vi) be designated without increasing the number of full-time equivalent employee positions at the agency;";

(2) in subsection (b)—

    (A) by redesignating paragraphs (5) through (8) as paragraphs (6) through (9), respectively; and

    (B) by inserting after paragraph (4) the following new paragraph:

        "(5) mandatory annual information security training and certification designed specifically for the agency head, developed and updated as necessary by the National Institute of Standards and Technology, the purpose of which shall be to ensure that the agency head has an understanding of Federal cybersecurity policy, including an understanding of—

            "(A) the information and information systems that support the operations and assets of the agency, using nontechnical terms as much as possible;

            "(B) the potential impact of common types of cyber-attacks and data breaches on the agency's operations and assets;

            "(C) how cyber-attacks and data breaches occur;

            "(D) steps the agency head and agency employees should take to protect their information and information systems, including not using private messaging system software or private e-mail servers for official communications; and

            "(E) the annual reporting requirements required of the agency head under subsection (c), including the certifications required under subsection (c)(1)(A)(iv);";

(3) in subsection (c)—

    (A) in paragraph (1)(A)—

        (i) by striking "Each agency" and inserting "The head of each agency";

        (ii) by inserting "the Director of the National Institute of Standards and Technology," after "the Director, the Secretary,";

        (iii) by inserting ", Space, and Technology" after "the Committee on Science";

        (iv) by striking "and" at the end of clause (iii)(II);

        (v) by redesignating clause (iv) as clause (v); and

        (vi) by inserting after clause (iii) the following new clause:

            "(iv) specific written certification by the agency head that—

                "(I) certifies that information security standards developed under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) are being met by the agency;

                "(II) identifies the security controls in place at the agency and how they each meet the relevant information security standard;

                "(III) may be based on or informed by the assessment described in section 3553(d)(4); and

                "(IV) for any information security standard that the agency does not meet, provides the reasons therefor and includes documentation of the Director's certification of the agency not meeting the standard; and"; and

    (B) in paragraph (2), by striking "Each agency" and inserting "The head of each agency";

(4) in subsection (d), by striking "each agency" and inserting "the head of each agency";

(5) by redesignating subsection (e) as subsection (f);

(6) by inserting after subsection (d) the following new subsection:

    "(e)(1)(A) In addition to the requirements of subsections (c) and (d), each agency head shall, not later than 6 months after the date of enactment of the Cybersecurity Responsibility and Accountability Act of 2016, develop a plan, in consultation with the Comptroller General, to implement all of the Comptroller General's recommendations regarding information security controls relevant to that agency.

        "(B) The plan required under subparagraph (A)—

            "(i) shall be submitted to the agencies and committees described in subsection (c)(1)(A);

            "(ii) shall include a schedule for implementation of the Comptroller General's recommendations, including a completion deadline;

            "(iii) shall be updated annually, and such annual updates shall be included in the annual report described in subsection (c)(1)(A); and

            "(iv) may, as appropriate, be based on or informed by recommendations included in the evaluation and report described in section 3555(h).

        "(C) If the Comptroller General does not have any relevant recommendations for an agency head to implement relative to information security controls, then the agency head shall accordingly notify the agencies and committees described in subsection (c)(1)(A).

        "(D) If there are any Comptroller General recommendations that an agency head does not implement, the agency head shall provide the reasons for that failure to the Director for the Director's approval. For each unimplemented recommendation, the plan shall include either the Director's approval or a certification by the Director of the agency head's failure to implement such recommendation.

    "(2)(A) In addition to the requirements of subsections (c) and (d), each agency head shall, not later than 6 months after the date of enactment of the Cybersecurity Responsibility and Accountability Act of 2016, develop a plan, in consultation with its Inspector General, to implement all of the Inspector General's recommendations regarding the agency's information security program.

        "(B) The plan required under subparagraph (A)—

            "(i) shall be submitted to the agencies and committees described in subsection (c)(1)(A);

            "(ii) shall include a schedule for implementation of the Inspector General's recommendations, including a completion deadline;

            "(iii) shall be updated annually, and such annual updates shall be included in the annual report described in subsection (c)(1)(A); and

            "(iv) may, as appropriate, be based on or informed by recommendations included in—

                "(I) the evaluation described in section 3555(b)(1); or

                "(II) if the agency does not have an Inspector General, the evaluation described in section 3555(b)(2).

        "(C) If the Inspector General does not have any relevant information security control recommendations for the agency head to implement, then the agency head shall accordingly notify the agencies and committees described in subsection (c)(1)(A).

        "(D) If there are any Inspector General recommendations that the agency head does not implement, the agency head shall provide the reasons for that failure to the Director for the Director's approval. For each unimplemented recommendation, the plan shall include either the Director's approval or a certification by the Director of the agency head's failure to implement such recommendation."; and

(7) in subsection (f), as so redesignated, by striking "Each agency" and inserting "The head of each agency".