Sec. 101. Title 44 amendments
S. 2902, 117th Congress (introduced in Senate), section 101.
Subchapter I of chapter 35 of title 44, United States Code, is amended—

in section 3504—
in subsection (a)(1)(B)(v), by striking “confidentiality, security, disclosure, and sharing of information” and inserting “disclosure, sharing of information, and, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, confidentiality and security”;
in subsection (b)(2)(B), by inserting “in coordination with the Director of the Cybersecurity and Infrastructure Security Agency” after “standards for security”;
in subsection (g), by striking paragraph (1) and inserting the following: “with respect to information collected or maintained by or for agencies— develop and oversee the implementation of policies, principles, standards, and guidelines on privacy, disclosure, and sharing of the information; and in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, develop and oversee policies, principles, standards, and guidelines on confidentiality and security of the information; and”; and
in subsection (h)(1)— in the matter preceding subparagraph (A)— by inserting “the Director of the Cybersecurity and Infrastructure Security Agency,” before “the Director”; and by inserting a comma before “and the Administrator”; and in subparagraph (A), by inserting “security and” after “information technology”;

in section 3505—
in paragraph (3) of the first subsection designated as subsection (c)— in subparagraph (B)— by inserting “and the Director of the Cybersecurity and Infrastructure Security Agency” after “Comptroller General”; and by striking “and” at the end; in subparagraph (C)(v), by striking the period at the end and inserting “; and”; and by adding at the end the following: “maintained on a continual basis through the use of automation, machine-readable data, and scanning.”; and
by striking the second subsection designated as subsection (c);

in section 3506—
in subsection (b)— in paragraph (1)(C), by inserting “, availability” after “integrity”; and in paragraph (4), by inserting “the Director of the Cybersecurity and Infrastructure Security Agency,” after “General Services,”; and
in subsection (h)(3), by inserting “security,” after “efficiency,”;

in section 3513—
in subsection (a), by inserting “the Director of the Cybersecurity and Infrastructure Security Agency,” before “the Administrator of General Services”;
by redesignating subsection (c) as subsection (d); and
by inserting after subsection (b) the following: “Each agency providing a written plan under subsection (b) shall provide any portion of the written plan addressing information security or cybersecurity to the Director of the Cybersecurity and Infrastructure Security Agency.”; and

in section 3520A(b)—
in paragraph (1), by striking “, protection”;
by redesignating paragraphs (2), (3), (4), and (5) as paragraphs (3), (4), (5), and (6), respectively; and
by inserting after paragraph (1) the following: “in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, establish Governmentwide best practices for the protection of data;”.

Section 3552(b) of title 44, United States Code, is amended—
by redesignating paragraphs (1), (2), (3), (4), (5), (6), and (7) as paragraphs (2), (3), (4), (5), (6), (9), and (11), respectively;
by inserting before paragraph (2), as so redesignated, the following: “The term ‘additional cybersecurity procedure’ means a process, procedure, or other activity that is established in excess of the information security standards promulgated under section 11331(b) of title 40 to increase the security and reduce the cybersecurity risk of agency systems, such as continuous threat hunting, increased network segmentation, endpoint detection and response, or persistent penetration testing.”;
by inserting after paragraph (6), as so redesignated, the following: “The term ‘high value asset’ means information or an information system that the head of an agency determines so critical to the agency that the loss or corruption of the information or the loss of access to the information system would have a serious impact on the ability of the agency to perform the mission of the agency or conduct business. The term ‘major incident’ has the meaning given the term in guidance issued by the Director under section 3598(a).”;
by inserting after paragraph (9), as so redesignated, the following: “The term ‘penetration test’ means a specialized type of assessment that— is conducted on an information system or a component of an information system; and emulates an attack or other exploitation capability of a potential adversary, typically under specific constraints, in order to identify any vulnerabilities of an information system or a component of an information system that could be exploited.”; and
by inserting after paragraph (11), as so redesignated, the following: “The term ‘shared service’ means a business or mission function that is provided for use by multiple organizations within or between agencies. The term ‘verification specification’ means a specification developed under section 11331(f) of title 40.”.

Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(1)(A)) is amended by striking “section 3552(b)(5)” and inserting “section 3552(b)”.
Section 2222(i)(8) of title 10, United States Code, is amended by striking “section 3552(b)(6)(A)” and inserting “section 3552(b)(9)(A)”.
Section 2223(c)(3) of title 10, United States Code, is amended by striking “section 3552(b)(6)” and inserting “section 3552(b)”.
Section 2315 of title 10, United States Code, is amended by striking “section 3552(b)(6)” and inserting “section 3552(b)”.
Section 2339a(e)(5) of title 10, United States Code, is amended by striking “section 3552(b)(6)” and inserting “section 3552(b)”.
Section 207(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5527(a)) is amended by striking “section 3552(b)(6)(A)(i)” and inserting “section 3552(b)(9)(A)(i)”.
Section 3(5) of the Internet of Things Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3a) is amended by striking “section 3552(b)(6)” and inserting “section 3552(b)”.
Section 933(e)(1)(B) of the National Defense Authorization Act for Fiscal Year 2013 (10 U.S.C. 2224 note) is amended by striking “section 3542(b)(2)” and inserting “section 3552(b)”.
The Ike Skelton National Defense Authorization Act for Fiscal Year 2011 (Public Law 111–383) is amended— in section 806(e)(5) (10 U.S.C. 2304 note), by striking “section 3542(b)” and inserting “section 3552(b)”; in section 931(b)(3) (10 U.S.C. 2223 note), by striking “section 3542(b)(2)” and inserting “section 3552(b)”; and in section 932(b)(2) (10 U.S.C. 2224 note), by striking “section 3542(b)(2)” and inserting “section 3552(b)”.
Section 301(c)(1)(A) of the E-Government Act of 2002 (44 U.S.C. 3501 note) is amended by striking “section 3542(b)(2)” and inserting “section 3552(b)”.
Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) is amended— in subsection (a)(2), by striking “section 3552(b)(5)” and inserting “section 3552(b)”; and in subsection (f)— in paragraph (3), by striking “section 3532(1)” and inserting “section 3552(b)”; and in paragraph (5), by striking “section 3532(b)(2)” and inserting “section 3552(b)”.

Subchapter II of chapter 35 of title 44, United States Code, is amended—

in section 3551—
by redesignating paragraphs (3), (4), (5), and
(6) as paragraphs (4), (5), (6), and (7), respectively;
by inserting after paragraph (2) the following: “recognize the role of the Cybersecurity and Infrastructure Security Agency as the lead cybersecurity entity for operational coordination across the Federal Government;”;
in paragraph (5), as so redesignated, by striking “diagnose and improve” and inserting “integrate, deliver, diagnose, and improve”;
in paragraph (6), as so redesignated, by striking “and” at the end; and
by adding at the end the following: “recognize that each agency has specific mission requirements and, at times, unique cybersecurity requirements to meet the mission of the agency; recognize that each agency does not have the same resources to secure agency systems, and an agency should not be expected to have the capability to secure the systems of the agency from advanced adversaries alone; and recognize that— a holistic Federal cybersecurity model is necessary to account for differences between the missions and capabilities of agencies; and in accounting for the differences described in subparagraph (A) and ensuring overall Federal cybersecurity— the Office of Management and Budget is the leader for policy development and oversight of Federal cybersecurity; the Cybersecurity and Infrastructure Security Agency is the leader for implementing operations at agencies; and the National Cyber Director is responsible for developing the overall cybersecurity strategy of the United States and advising the President on matters relating to cybersecurity.”;

in section 3553, as amended by section 1705 of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (Public Law 116–283)—
in subsection (a)— in paragraph (1)— by striking “developing and” and inserting “in coordination with the Director of the Cybersecurity and Infrastructure Security Agency,”; and by inserting “and associated verification specifications” before “promulgated”; and in paragraph (5), by inserting “, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency,” before “agency compliance”;
in subsection (b)— by striking the subsection heading and inserting “Cybersecurity and Infrastructure Security Agency”; in the matter preceding paragraph (1), by striking “the Secretary” and inserting “the Director of the Cybersecurity and Infrastructure Security Agency”; in paragraph (2)— in subparagraph (A), by inserting “and reporting requirements under subchapter IV of this title” after “section 3556”; and in subparagraph (D), by striking “the Director or Secretary” and inserting “the Director of the Cybersecurity and Infrastructure Security Agency”; in paragraph (5), by striking “coordinating” and inserting “leading the coordination of”; in paragraph (6)— in the matter preceding subparagraph (A), by inserting “and verifications specifications” before “promulgated under”; in subparagraph (C), by striking “and” at the end; in subparagraph (D), by adding “and” at the end; and by adding at the end the following: “taking any other action that the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director— may determine necessary; and is authorized to perform;”; in paragraph (8), by striking “the Secretary's discretion” and inserting “the Director of the Cybersecurity and Infrastructure Security Agency's discretion”; and in paragraph (9), by striking “as the Director or the Secretary, in consultation with the Director,” and inserting “as the Director of the Cybersecurity and Infrastructure Security Agency”;
in subsection (c)— in paragraph (4), by striking “and” at the end; by redesignating paragraph (5) as paragraph (7); and by inserting after paragraph (4) the following: “an assessment of agency use of automated verification of standards for the standards promulgated under section 11331 of title 40 using verification specifications; a summary of each assessment of Federal risk posture performed under subsection (i); and”;
in subsection (f)(2)(B), by striking “conflict with” and inserting “reduce the security posture of agencies established under”;
by redesignating subsections (i), (j), (k), and (l) as subsections (j), (k), (l), and (m), respectively;
by inserting after subsection (h) the following: “The Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director, shall perform, on an ongoing and continuous basis, assessments of Federal risk posture using any available information on the cybersecurity posture of agencies, including— the status of agency cybersecurity remedial actions described in section 3554(b)(7); any vulnerability information relating to the systems of an agency that is known by the agency; analysis of incident information under section 3597; evaluation of penetration testing performed under section 3559A; evaluation of vulnerability disclosure program information under section 3559B; evaluation of agency threat hunting results; evaluation of Federal and non-Federal threat intelligence; data on compliance with standards issued under section 11331 of title 40 that, when appropriate, uses verification specifications; agency system risk assessments performed under section 3554(a)(1)(A); and any other information the Secretary determines relevant.”; and
in subsection (j), as so redesignated— by striking “regarding the specific” and inserting “that includes a summary of— the specific”; in paragraph (1), as so designated, by striking the period at the end and inserting “; and”; and by adding at the end the following: “the trends identified in the Federal risk assessment performed under subsection (i).”;

in section 3554—
in subsection (a)— in paragraph (1)— by redesignating subparagraphs (A), (B), and (C) as subparagraphs (B), (C), and (D), respectively; by inserting before subparagraph (B), as so redesignated, the following: “performing, not less frequently than once every 2 years or based on a significant change to system architecture or security posture, an agency system risk assessment that— identifies and documents the high value assets of the agency using guidance from the Director; evaluates the data assets inventoried under section 3511 of title 44 for sensitivity to compromises in confidentiality, integrity, and availability; identifies agency systems that have access to or hold the data assets inventoried under section 3511 of title 44; evaluates the threats facing agency systems and data, including high value assets, based on Federal and non-Federal cyber threat intelligence products, where available; evaluates the vulnerability of agency systems and data, including high value assets, based on— the results of penetration testing performed by the Department of Homeland Security under section 3553(b)(9); the results of penetration testing performed under section 3559A; information provided to the agency through the vulnerability disclosure program of the agency under section 3559B; incidents; and any other vulnerability information relating to agency systems that is known to the agency; assesses the impacts of potential agency incidents to agency systems, data, and operations based on the evaluations described in clauses (ii) and (iv) and the agency systems identified under clause (iii); and assesses the consequences of potential incidents occurring on agency systems that would impact systems at other agencies, including due to interconnectivity between different agency systems or operational reliance on the operations of the system or data in the system;”; in subparagraph (B), as so redesignated— in the matter preceding clause (i), by striking “providing information” and inserting “using information from the assessment conducted under subparagraph (A), providing, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, information”; in clause (i), by striking “and” at the end; in clause (ii), by adding “and” at the end; and by adding at the end the following: “in consultation with the Director and the Director of the Cybersecurity and Infrastructure Security Agency, information or information systems used by agencies through shared services, memoranda of understanding, or other agreements;”; in subparagraph (C), as so redesignated— in clause (ii), by inserting “binding” before “operational”; and in clause (vi), by striking “and” at the end; and by adding at the end the following: “not later than 30 days after the date on which an agency system risk assessment is performed under subparagraph (A), providing the assessment to— the Director; the Director of the Cybersecurity and Infrastructure Security Agency; and the National Cyber Director; in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and not less frequently than annually, performing an evaluation of whether additional cybersecurity procedures are appropriate for securing a system of, or under the supervision of, the agency, which shall— be completed considering the agency system risk assessment performed under subparagraph (A); and include a specific evaluation for high value assets; and not later than 30 days after completing the evaluation performed under subparagraph (F), providing the evaluation and an implementation plan for using additional cybersecurity procedures determined to be appropriate to— the Director of the Cybersecurity and Infrastructure Security Agency; the Director; and the National Cyber Director.”;
in paragraph (2)— in subparagraph (A), by inserting “in accordance with the agency system risk assessment performed under paragraph (1)(A)” after “information systems”; in subparagraph (B)— by striking “in accordance with standards” and inserting “in accordance with— standards”; and by adding at the end the following: “the evaluation performed under paragraph (1)(F); and the implementation plan described in paragraph (1)(G);”; and in subparagraph (D), by inserting “, through the use of penetration testing, the vulnerability disclosure program established under section 3559B, and other means,” after “periodically”;
in paragraph (3)— in subparagraph (B), by inserting “, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency,” after “maintaining”; in subparagraph (D), by striking “and” at the end; in subparagraph (E), by adding “and” at the end; and by adding at the end the following: “implementing mechanisms for using verification specifications, or alternate verification specifications validated by the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director of the National Institute of Standards and Technology, to automatically verify the implementation of standards of agency systems promulgated under section 11331 of title 40 or any additional cybersecurity procedures, as applicable;”; and
in paragraph (5), by inserting “and the Director of the Cybersecurity and Infrastructure Security Agency” before “on the effectiveness”;
in subsection (b)— by striking paragraph
(1) and inserting the following: “pursuant to subsection (a)(1)(A), performing an agency system risk assessment, which shall include using automated tools consistent with standards, verification specifications, and guidelines promulgated under section 11331 of title 40, as applicable;”;
in paragraph (2)(D)— by redesignating clauses (iii) and (iv) as clauses (iv) and (v), respectively; by inserting after clause (ii) the following: “binding operational directives and emergency directives promulgated by the Director of the Cybersecurity and Infrastructure Security Agency under section 3553 of title 44;”; and in clause (iv), as so redesignated, by striking “as determined by the agency; and” and inserting “as determined by the agency— in coordination with the Director of the Cybersecurity and Infrastructure Security Agency; and in consideration of— the agency risk assessment performed under subsection (a)(1)(A); and the determinations of applying more stringent standards and additional cybersecurity procedures pursuant to section 11331(c)(1) of title 40; and”;
in paragraph (5)— in subparagraph (A), by inserting “, including penetration testing, as appropriate,” after “shall include testing”; and in subparagraph (C), by inserting “, verification specifications,” after “with standards”;
in paragraph (6), by striking “planning, implementing, evaluating, and documenting” and inserting “planning and implementing and, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, evaluating and documenting”;
by redesignating paragraphs (7) and (8) as paragraphs (9) and (10), respectively;
by inserting after paragraph (6) the following: “a process for providing the status of every remedial action and known system vulnerability to the Director and the Director of the Cybersecurity and Infrastructure Security Agency, using automation and machine-readable data to the greatest extent practicable; a process for providing the verification of the implementation of standards promulgated under section 11331 of title 40 using verification specifications, automation, and machine-readable data, to the Director and the Director of the Cybersecurity and Infrastructure Security Agency;”; and
in paragraph (9)(C), as so redesignated— by striking clause (ii) and inserting the following: “notifying and consulting with the Federal information security incident center established under section 3556 pursuant to the requirements of section 3594;”; by redesignating clause (iii) as clause (iv); by inserting after clause (ii) the following: “performing the notifications and other activities required under subchapter IV of this title; and”; and in clause (iv), as so redesignated— in subclause (I), by striking “and relevant Offices of Inspector General”; in subclause (II), by adding “and” at the end; by striking subclause (III); and by redesignating subclause (IV) as subclause (III);
in subsection (c)— in paragraph (1)— in subparagraph (A)— in the matter preceding clause (i), by striking “on the adequacy and effectiveness of information security policies, procedures, and practices, including” and inserting “that includes”; and in clause (ii), by inserting “unless the Director issues a waiver to the agency under subparagraph (B)(iii),” before “the total number”; and by striking subparagraph (B) and inserting the following: “If the Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, determines that an agency shares any information relating to any incident pursuant to section 3594(a), the Director shall certify that the agency is in compliance with that section. If the Director determines that the Director of the Cybersecurity and Infrastructure Security Agency uses the information described in clause (i) with respect to a particular agency to submit to Congress an annex required under section 3597(c)(3) for that agency, the Director shall certify that the Cybersecurity and Infrastructure Security Agency is in compliance with that section with respect to that agency. The Director may waive the reporting requirement with respect to the information required to be included in the report under subparagraph (A)(ii) for a particular agency if— the Director has issued a certification for the agency under clause (i); and the Director has issued a certification with respect to the annex of the agency under clause (ii). If, at any time, the Director determines that the Director of the Cybersecurity and Infrastructure Security Agency cannot submit to Congress an annex for a particular agency under section 3597(c)(3)— any waiver previously issued under clause (iii) with respect to that agency shall be considered void; and the Director shall revoke the certification for the annex of that agency under clause (ii). If, at any time, the Director determines that an agency has not provided to the Director of the Cybersecurity and Infrastructure Security Agency the totality of incident information required under section 3594(a)— any waiver previously issued under clause (iii) with respect to that agency shall be considered void; and the Director shall revoke the certification for that agency under clause (i). If the Director revokes a waiver under this clause, the Director may issue a subsequent waiver if the Director issues new certifications under clauses (i) and (ii).”; by redesignating paragraphs (2) through (5) as paragraphs (4) through (7), respectively; and by inserting after paragraph (1) the following: “Not later than 180 days after the date on which an agency completes an agency system risk assessment under subsection (a)(1)(A) and not less frequently than every 2 years, each agency shall submit to the Director, the Secretary, the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Oversight and Reform of the House of Representatives, the Committee on Homeland Security of the House of Representatives, the appropriate authorization and appropriations committees of Congress, the National Cyber Director, and the Comptroller General of the United States a report that— summarizes the agency system risk assessment performed under subsection (a)(1)(A); evaluates the adequacy and effectiveness of information security policies, procedures, and practices of the agency to address the risks identified in the system risk assessment performed under subsection (a)(1)(A); and summarizes the evaluations and implementation plans described in subparagraphs (F) and (G) of subsection (a)(1) and whether those evaluations and implementation plans call for the use of additional cybersecurity procedures determined to be appropriate by the agency. Each report submitted under paragraphs (1) and (2)— shall be, to the greatest extent practicable, in an unclassified and otherwise uncontrolled form; and may include a classified annex.”; and
in subsection (d)(1), in the matter preceding subparagraph (A), by inserting “and the Director of the Cybersecurity and Infrastructure Security Agency” after “the Director”;

in section 3555—
in subsection (a)(2)(A), by inserting “, including by penetration testing and analyzing the vulnerability disclosure program of the agency” after “information systems”;
by striking subsection (f) and inserting the following: “Agencies and evaluators shall take appropriate steps to ensure the protection of information which, if disclosed, may adversely affect information security. The protections required under paragraph (1) shall be commensurate with the risk and comply with all applicable laws and regulations. With respect to information that is not related to national security systems, agencies and evaluators shall make a summary of the information unclassified and publicly available, including information that does not identify— specific information system incidents; or specific information system vulnerabilities.”;
in subsection (g)(2)— by striking “this subsection shall” and inserting “this subsection— shall”; in subparagraph (A), as so designated, by striking the period at the end and inserting “; and”; and by adding at the end the following: “identify any entity that performs an independent audit under subsection (b).”; and
in subsection (j), by striking “the Secretary” and inserting “the Director of the Cyber Security and Infrastructure Security Agency”; and

in section 3556(a)—
in the matter preceding paragraph (1), by inserting “within the Cybersecurity and Infrastructure Security Agency” after “incident center”; and
in paragraph (4), by striking “3554(b)” and inserting “3554(a)(1)(A)”.

Chapter 35 of title 44, United States Code, is amended by adding at the end the following:

Except as provided in subsection (b), the definitions under sections 3502 and 3552 shall apply to this subchapter. As used in this subchapter:
The term ‘appropriate notification entities’ means— the Committee on Homeland Security and Governmental Affairs of the Senate; the Committee on Oversight and Reform of the House of Representatives; the Committee on Homeland Security of the House of Representatives; the appropriate authorization and appropriations committees of Congress; the Director; the Director of the Cybersecurity and Infrastructure Security Agency; the National Cyber Director; and the Comptroller General of the United States.
The term ‘contractor’— means any person or business that collects or maintains information that includes personally identifiable information or sensitive personal information on behalf of an agency; and includes any subcontractor of a person or business described in subparagraph (A).
The term ‘intelligence community’ has the meaning given the term in section 3 of the National Security Act of 1947 (50 U.S.C. 3003).
The term ‘nationwide consumer reporting agency’ means a consumer reporting agency described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)).
The term ‘vulnerability disclosure’ means a vulnerability identified under section 3559B.

As expeditiously as practicable and without unreasonable delay, and in any case not later than 30 days after an agency has a reasonable basis to conclude that a major incident has occurred due to a high risk exposure of personal identifiable information, as described in section 3598(c)(2), the head of the agency shall provide notice of the major incident in accordance with subsection (b) in writing to the last known home mailing address of each individual whom the major incident may have impacted.

Each notice to an individual required under subsection (a) shall include— a description of the rationale for the determination that the major incident resulted in a high risk of exposure of the personal information of the individual; an assessment of the type of risk the individual may face as a result of an exposure; contact information for the Federal Bureau of Investigation or other appropriate entity; the contact information of each nationwide consumer reporting agency; the contact information for questions to the agency, including a telephone number, e-mail address, and website; information on any remedy being offered by the agency; consolidated Federal Government recommendations on what to do in the event of a major incident; and any other appropriate information as determined by the head of the agency.

The Attorney General, the Director of National Intelligence, or the Secretary of Homeland Security may impose a delay of a notification required under subsection (a) if the notification would disrupt a law enforcement investigation, endanger national security, or hamper security remediation actions. Any delay under paragraph (1) shall be reported in writing to the head of the agency, the Director, the Director of the Cybersecurity and Infrastructure Security Agency, and the Office of Inspector General of the agency that experienced the major incident. A statement required under subparagraph (A) shall include a written statement from the entity that delayed the notification explaining the need for the delay. The statement required under subparagraph (A) shall be unclassified, but may include a classified annex. A delay under paragraph (1) shall be for a period of 2 months and may be renewed.

If an agency determines there is a change in the reasonable basis to conclude that a major incident occurred, or that there is a change in the details of the information provided to impacted individuals as described in subsection (b), the agency shall as expeditiously as practicable and without unreasonable delay, and in any case not later than 30 days after such a determination, notify all such individuals who received a notification pursuant to subsection (a) of those changes.

Nothing in this section shall be construed to limit— the Director from issuing guidance regarding notifications or the head of an agency from sending notifications to individuals impacted by incidents not determined to be major incidents; or the Director from issuing guidance regarding notifications of major incidents or the head of an agency from issuing notifications to individuals impacted by major incidents that contain more information than described in subsection (b).

Not later than 5 days after the date on which an agency has a reasonable basis to conclude that a major incident occurred, the head of the agency shall submit a written notification and, to the extent practicable, provide a briefing, to the appropriate notification entities, taking into account— the information known at the time of the notification; the sensitivity of the details associated with the major incident; and the classification level of the information contained in the notification.

A notification required under paragraph (1) shall include— a summary of the information available about the major incident, including how the major incident occurred, based on information available to agency officials as of the date on which the agency submits the report; if applicable, an estimate of the number of individuals impacted by the major incident, including an assessment of the risk level to impacted individuals based on the guidance promulgated under section 3598(c)(1) and any information available to agency officials on the date on which the agency submits the report; if applicable, a description and any associated documentation of any circumstances necessitating a delay in or exemption to notification granted under subsection (c) or (d) of section 3592; and if applicable, an assessment of the impacts to the agency, the Federal Government, or the security of the United States, based on information available to agency officials on the date on which the agency submits the report.

Within a reasonable amount of time, but not later than 45 days after the date on which additional information relating to a major incident for which an agency submitted a written notification under subsection (a) is discovered by the agency, the head of the agency shall submit to the appropriate notification entities updates to the written notification that include summaries of— the threats and threat actors, vulnerabilities, means by which the major incident occurred, and impacts to the agency relating to the major incident; any risk assessment and subsequent risk-based security implementation of the affected information system before the date on which the major incident occurred; the status of compliance of the affected information system with applicable security requirements at the time of the major incident; an estimate of the number of individuals affected by the major incident based on information available to agency officials as of the date on which the agency submits the update; an update to the assessment of the risk of harm to impacted individuals affected by the major incident based on information available to agency officials as of the date on which the agency submits the update; an update to the assessment of the risk to agency operations, or to impacts on other agency or non-Federal entity operations, affected by the major incident based on information available to agency officials as of the date on which the agency submits the update; and the detection, response, and remediation actions of the agency, including any support provided by the Cybersecurity and Infrastructure Security Agency under section 3594(d) and status updates on the notification process described in section 3592(a), including any delay or exemption described in subsection
(c)or (d), respectively, of section 3592, if applicable. If the agency determines that there is any significant change in the understanding of the agency of the scope, scale, or consequence of a major incident for which an agency submitted a written notification under subsection (a), the agency shall provide an updated report to the appropriate notification entities that includes information relating to the change in understanding. Each agency shall submit as part of the annual report required under section 3554(c)(1) of this title a description of each major incident that occurred during the 1-year period preceding the date on which the report is submitted. The Director shall submit to the appropriate notification entities an annual report on all notification delays and exemptions granted pursuant to subsections
(c)and
(d)of section 3592. Any written notification or report required to be submitted under this section may be submitted in a paper or electronic format. Nothing in this section shall be construed to limit— the ability of an agency to provide additional reports or briefings to Congress; or Congress from requesting additional information from agencies through reports, briefings, or other means. If the Director of the Cybersecurity and Infrastructure Security Agency issues a binding operational directive or an emergency directive under section 3553, not later than 2 days after the date on which the binding operational directive requires an agency to take an action, each agency shall provide to the appropriate notification entities the status of the implementation of the binding operational directive at the agency. The head of each agency shall provide any information relating to any incident, whether the information is obtained by the Federal Government directly or indirectly, to the Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget. A provision of information relating to an incident made by the head of an agency under paragraph
(1)shall— include detailed information about the safeguards that were in place when the incident occurred; whether the agency implemented the safeguards described in subparagraph
(A)correctly; and in order to protect against a similar incident, identify— how the safeguards described in subparagraph
(A)should be implemented differently; and additional necessary safeguards. The information provided under subsection
(a)shall— take into account the level of classification of the information and any information sharing limitations relating to law enforcement; and be in compliance with the requirements limiting the release of information under section 552a of title 5 (commonly known as the Privacy Act of 1974 ). An agency that receives a request from another agency or Federal entity for information specifically intended to assist in the remediation or notification requirements due to an incident shall provide that information to the greatest extent possible, in accordance with guidance issued by the Director and taking into account classification, law enforcement, national security, and compliance with section 552a of title 5 (commonly known as the Privacy Act of 1974 ). Each agency that has a reasonable basis to conclude that a major incident occurred, regardless of delays from notification granted for a major incident, shall consult with the Cybersecurity and Infrastructure Security Agency regarding— incident response and recovery; and recommendations for mitigating future incidents. Subject to paragraph (3), any contractor of an agency or recipient of a grant from an agency that has a reasonable basis to conclude that an incident involving Federal information has occurred shall immediately notify the agency. Following notification of a major incident by a contractor or recipient of a grant under paragraph (1), an agency, in consultation with the contractor or grant recipient, as applicable, shall carry out the requirements under sections 3592, 3593, and 3594 with respect to the major incident. Following notification of an incident by a contractor or recipient of a grant under paragraph (1), an agency, in consultation with the contractor or grant recipient, as applicable, shall carry out the requirements under section 3594 with respect to the incident. 
This subsection shall apply to a contractor of an agency or a recipient of a grant from an agency that— receives information from the agency that the contractor or recipient, as applicable, is not contractually authorized to receive; experiences an incident relating to Federal information on an information system of the contractor or recipient, as applicable; or identifies an incident involving a Federal information system. Any contractor of an agency or recipient of a grant from an agency that has a reasonable basis to conclude that a major incident occurred shall, in coordination with the agency, consult with the Cybersecurity and Infrastructure Security Agency regarding— incident response assistance; and recommendations for mitigating future incidents at the agency. This section shall apply on and after the date that is 1 year after the date of enactment of the Federal Information Security Modernization Act of 2021 . Each agency shall develop training for individuals at the agency with access to Federal information or information systems on how to identify and respond to an incident, including— the internal process at the agency for reporting an incident; and the obligation of the individual to report to the agency a confirmed major incident and any suspected incident, involving information in any medium or form, including paper, oral, and electronic. The training developed under subsection
(a)shall— be required for an individual before the individual may access Federal information or information systems; and apply to individuals with temporary access to Federal information or information systems, such as detailees, contractors, subcontractors, grantees, volunteers, and interns. The training developed under subsection
(a)may be included as part of an annual privacy or security awareness training of the agency, as applicable. In this section, the term compromise means— an incident; a result of a penetration test in which the tester successfully gains access to a system within the standards under section 3559A; a vulnerability disclosure; or any other event that the Director of the Cybersecurity and Infrastructure Security Agency determines identifies an exploitable vulnerability in an agency system. The Director of the Cybersecurity and Infrastructure Security Agency shall perform continuous monitoring of compromises of agencies. The Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, shall develop and perform continuous monitoring and quantitative and qualitative analyses of compromises of agencies, including— the causes of successful compromises, including— attacker tactics, techniques, and procedures; and system vulnerabilities, including zero days, unpatched systems, and information system misconfigurations; the scope and scale of compromises of agencies; cross Federal Government root causes of compromises of agencies; agency response, recovery, and remediation actions and effectiveness of incidents, as applicable; and lessons learned and recommendations in responding, recovering, remediating, and mitigating future incidents. The analyses developed under paragraph
(2)shall, to the greatest extent practicable, use machine readable data, automation, and machine learning processes. The Director shall share on an ongoing basis the analyses required under this subsection with agencies to— improve the understanding of agencies with respect to risk; and support the cybersecurity improvement efforts of agencies. In carrying out subparagraph (A), the Director shall share the analyses— in human-readable written products; and to the greatest extent practicable, in machine-readable formats in order to enable automated intake and use by agencies. Not later than 2 years after the date of enactment of this section, and not less frequently than annually thereafter, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, shall submit to the appropriate notification entities a report that includes— a summary of causes of compromises from across the Federal Government that categorizes those compromises by the items described in paragraphs
(1)through
(4)of subsection (a); the quantitative and qualitative analyses of compromises developed under subsection (b)(2) on an agency-by-agency basis and comprehensively; and an annex for each agency that includes the total number of compromises of the agency and categorizes those compromises by the items described in paragraphs
(1)through
(4)of subsection (a). A version of each report submitted under subsection
(c)shall be made publicly available on the website of the Cybersecurity and Infrastructure Security Agency during the year in which the report is submitted. The analysis required under subsection
(b)and each report submitted under subsection
(c)shall utilize information provided by agencies pursuant to section 3594(d). In publishing the public report required under subsection (d), the Director of the Cybersecurity and Infrastructure Security Agency shall sufficiently anonymize and compile information such that no specific incidents of an agency can be identified, except with the concurrence of the Director of the Office of Management and Budget and in consultation with the impacted agency. Not later than 90 days after the date of enactment of the Federal Information Security Management Act of 2021, the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall develop and promulgate guidance on the definition of the term major incident for the purposes of subchapter II and this subchapter. With respect to the guidance issued under subsection (a), the definition of the term major incident shall— include, with respect to any information collected or maintained by or on behalf of an agency or an information system used or operated by an agency or by a contractor of an agency or another organization on behalf of an agency— any incident the head of the agency determines is likely to have an impact on the national security, homeland security, or economic security of the United States; any incident the head of the agency determines is likely to have an impact on the operations of the agency, a component of the agency, or the Federal Government, including an impact on the efficiency or effectiveness of agency information systems; any incident that the head of an agency, in consultation with the Chief Privacy Officer of the agency, determines involves a high risk incident in accordance with the guidance issued under subsection (c)(1); any incident that involves the unauthorized disclosure of personally identifiable information of not less than 500 individuals, regardless of the risk level determined under the guidance issued under subsection (c)(1); any incident 
the head of the agency determines involves a high value asset owned or operated by the agency; and any other type of incident determined appropriate by the Director; stipulate that every agency shall be considered to have experienced a major incident if the Director of the Cybersecurity and Infrastructure Security Agency determines that an incident that occurs at not less than 2 agencies— is enabled by a common technical root cause, such as a supply chain compromise, a common software or hardware vulnerability; or is enabled by the related activities of a common actor; and stipulate that, in determining whether an incident constitutes a major incident because that incident— is any incident described in paragraph (1), the head of an agency shall consult with the Director of the Cybersecurity and Infrastructure Security Agency; is an incident described in paragraph (1)(A), the head of the agency shall consult with the National Cyber Director; and is an incident described in subparagraph
(C)or
(D)of paragraph (1), the head of the agency shall consult with— the Privacy and Civil Liberties Oversight Board; and the Executive Director of the Federal Trade Commission. Not later than 90 days after the date of enactment of the Federal Information Security Modernization Act of 2021 , the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, the Privacy and Civil Liberties Oversight Board, and the Executive Director of the Federal Trade Commission, shall develop and issue guidance to agencies that establishes a risk-based framework for determining the level of risk that an incident involving personally identifiable information could result in substantial harm, physical harm, embarrassment, or unfairness to an individual. The risk-based framework included in the guidance issued under paragraph
(1)shall— include a range of risk levels, including a high risk level; and consider— any personally identifiable information that was exposed as a result of an incident; the circumstances under which the exposure of personally identifiable information of an individual occurred; and whether an independent evaluation of the information affected by an incident determines that the information is unreadable, including, as appropriate, instances in which the information is— encrypted; and determined by the Director of the Cybersecurity and Infrastructure Security Agency to be of sufficiently low risk of exposure. The guidance issued under paragraph
(1)shall include a process by which the Director, jointly with the Director of the Cybersecurity and Infrastructure Security Agency and the Attorney General, may approve the designation of an incident that would be considered high risk as lower risk if information exposed by the incident is unreadable, as described in paragraph (2)(B)(iii). The Director shall report any approval of an incident granted by the Director under subparagraph
(A)to— the head of the agency that experienced the incident; the inspector general of the agency that experienced the incident; and the Director of the Cybersecurity and Infrastructure Security Agency. Not later than 2 years after the date of enactment of the Federal Information Security Modernization Act of 2021 , and not less frequently than every 2 years thereafter, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives an evaluation, which shall include— an update, if necessary, to the guidance issued under subsections
(a)and (c); the definition of the term major incident included in the guidance issued under subsection (a); an explanation of, and the analysis that led to, the definition described in paragraph (2); and an assessment of any additional datasets or risk evaluation criteria that should be included in the risk-based framework included in the guidance issued under subsection (c)(1). . The table of sections for chapter 35 of title 44, United States Code, is amended by adding at the end the following: SUBCHAPTER IV—Federal System Incident Response 3591. Definitions. 3592. Notification of high risk exposure after major incident. 3593. Congressional notifications and reports. 3594. Government information sharing and incident response. 3595. Responsibilities of contractors and grant recipients. 3596. Training. 3597. Analysis and report on Federal incidents. 3598. Major incident guidance. .