Sec. 102. Amendments to subtitle III of title 40
/bill/117/hr/6497/ih/section-102

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Subtitle G of title X of Division A of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115–91; 40 U.S.C. 11301 note) is amended in section 1078— by striking subsection (a) and inserting the following: In this section: The term agency has the meaning given the term in section 551 of title 5, United States Code. The term high value asset has the meaning given the term in section 3552 of title 44, United States Code. ; and in subsection (c)— in paragraph (2)(A)(i), by inserting , including a consideration of the impact on high value assets after operational risks ; in paragraph (5)— in subparagraph (A), by striking and at the end; in subparagraph (B), by striking the period at the end and inserting and ; and by adding at the end the following: a senior official from the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, appointed by the Director. ; and in paragraph (6)(A), by striking shall be— and all that follows through 4 employees and inserting shall be 4 employees .

Subchapter I of chapter 113 of subtitle III of title 40, United States Code, is amended— in section 11302— in subsection (b), by striking use, security, and disposal of and inserting use, and disposal of, and, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director, promote and improve the security of, ; in subsection (c)(3)(B), by adding at the end the following: The Director may make available, upon request, to the National Cyber Director any cybersecurity funding information provided to the Director under clause (ii) of this subparagraph. ; in subsection (f), by striking The Director shall and inserting The Director shall— encourage the heads of the executive agencies to develop and use the best practices in the acquisition of information technology, including supply chain risk management standards, guidelines, and practices developed by the National Institute of Standards and Technology; and consult with the Federal Chief Information Security Officer appointed by the President under section 3607 of title 44, for the development and use of risk management standards, guidelines, and practices developed by the National Institute of Standards and Technology. ; and in subsection (h), by inserting , including cybersecurity performances, after the performances ; and in section 11303(b), in paragraph (2)(B)— in clause (i), by striking or at the end; in clause (ii), by adding or at the end; and by adding at the end the following: whether the function should be performed by a shared service offered by another executive agency. .

Subchapter II of chapter 113 of subtitle III of title 40, United States Code, is amended— in section 11312(a), by inserting , including security risks after managing the risks ; in section 11313(1), by striking efficiency and effectiveness and inserting efficiency, security, and effectiveness ; in section 11315, by adding at the end the following: The Chief Information Officer or an equivalent official of a component agency shall report to— the Chief Information Officer designated under section 3506(a)(2) of title 44 or an equivalent official of the agency of which the component agency is a component; and the head of the component agency. ; in section 11317, by inserting security, before or schedule ; and in section 11319(b)(1), in the paragraph heading, by striking and inserting CIOS . Chief Information Officers

Section 11331 of title 40, United States Code, is amended— in subsection (a), by striking section 3532(b)(1) and inserting section 3552(b) ; in subsection (b)(1)(A), by striking the Secretary of Homeland Security and inserting the Director of the Cybersecurity and Infrastructure Security Agency ; and by adding at the end the following: Not less frequently than once every 3 years, the Director of the Office of Management and Budget, in consultation with, as available, the Chief Information Officers Council, the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Comptroller General of the United States, and the Council of the Inspectors General on Integrity and Efficiency, shall review the efficacy of the guidance and policy promulgated by the Director in reducing cybersecurity risks, including an assessment of the requirements for agencies to report information to the Director, and determine whether any changes to that guidance or policy is appropriate. In conducting the review described in subparagraph (A), the Director shall consider the Federal risk assessments performed under section 3553(i) of title 44. In conducting the review described in subparagraph (A), the Director shall consider the cumulative reporting and compliance burden to agencies as well as the clarity of the requirements and deadlines contained in guidance and policy documents. Not later than 90 days after the date on which a review is completed under paragraph (1), the Director of the Office of Management and Budget shall issue updated guidance or policy to agencies determined appropriate by the Director, based on the results of the review. Not later than 60 days after the date on which a review is completed under paragraph (1), the Director is expected to provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives a briefing on the review and any newly issued guidance or policy, which shall include— an overview of the guidance and policy promulgated under this section that is currently in effect; the cybersecurity risk mitigation, or other cybersecurity benefit, offered by each guidance or policy document described in subparagraph (A); and a summary of the guidance or policy to which changes were determined appropriate during the review and what the changes include. When the Director of the National Institute of Standards and Technology issues a proposed standard pursuant to paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(a)), the Director of the National Institute of Standards and Technology shall consider developing and, if appropriate and practical, develop, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, specifications to enable the automated verification of the implementation of controls. .