S. 2902, 117th Congress (Introduced in Senate): To modernize Federal information security management, and for other purposes. Sec. 102

Sec. 102. Amendments to subtitle III of title 40


Section 2(c)(4)(A)(ii) of the Information Technology Modernization Centers of Excellence Program Act (40 U.S.C. 11301 note) is amended by striking the period at the end and inserting , which shall be provided in coordination with the Director of the Cybersecurity and Infrastructure Security Agency.

Subtitle G of title X of Division A of the National Defense Authorization Act for Fiscal Year 2018 (40 U.S.C. 11301 note) is amended— in section 1077(b)— in paragraph (5)(A), by inserting improving the cybersecurity of systems and before cost savings activities ; and in paragraph (7)— in the paragraph heading, by striking and inserting cio ; CIO by striking In evaluating projects and inserting the following: In evaluating projects ; in subparagraph (A), as so designated, by striking under section 1094(b)(1) and inserting guidance issued by the Director ; and by adding at the end the following: In using funds under paragraph (3)(A), the Chief Information Officer of the covered agency shall consult with the Director of the Cybersecurity and Infrastructure Security Agency. ; and in section 1078— by striking subsection (a) and inserting the following: In this section: The term agency has the meaning given the term in section 551 of title 5, United States Code. The term high value asset has the meaning given the term in section 3552 of title 44, United States Code. ; in subsection (b), by adding at the end the following: The Director shall— give consideration for the use of amounts in the Fund to improve the security of high value assets; and require that any proposal for the use of amounts in the Fund includes a cybersecurity plan, including a chain risk management plan, to be reviewed by the member of the Technology Modernization Board described in subsection (c)(5)(C). ; and in subsection (c)— in paragraph (2)(A)(i), by inserting , including a consideration of the impact on high value assets after operational risks ; in paragraph (5)— in subparagraph (A), by striking and at the end; in subparagraph (B), by striking the period at the end and inserting and ; and by adding at the end the following: a senior official from the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, appointed by the Director. ; and in paragraph (6)(A), by striking shall be— and all that follows through 4 employees and inserting shall be 4 employees .

Subchapter I of subtitle III of title 40, United States Code, is amended— in section 11302— in subsection (b), by striking use, security, and disposal of and inserting use, and disposal, and, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, promote and improve the security, of ; in subsection (c)— in paragraph (2), by inserting in consultation with the Director of the Cybersecurity and Infrastructure Security Agency before , and results of ; in paragraph (3)— in subparagraph (A), by striking , and performance and inserting security, and performance ; and in subparagraph (C)— by striking For each major and inserting the following: For each major ; and by adding at the end the following: In categorizing an investment according to risk under clause (i), the Chief Information Officer of the covered agency shall consult with the Director of the Cybersecurity and Infrastructure Security Agency on the cybersecurity or supply chain risk. The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall issue guidance for the categorization of an investment under clause (i) according to the cybersecurity or supply chain risk. ; and in paragraph (4)— in subparagraph (A)— in clause (ii), by striking and at the end; in clause (iii), by striking the period at the end and inserting ; and ; and by adding at the end the following: in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the cybersecurity risks of the investment. ; and in subparagraph (B), in the matter preceding clause (i), by inserting not later than 30 days after the date on which the review under subparagraph (A) is completed, before the Administrator ; in subsection (f)— by striking heads of executive agencies to develop and inserting “heads of executive agencies to— develop”; in paragraph (1), as so designated, by striking the period at the end and inserting ; and ; and by adding at the end the following: consult with the Director of the Cybersecurity and Infrastructure Security Agency for the development and use of supply chain security best practices. ; and in subsection (h), by inserting , including cybersecurity performances, after the performances ; and in section 11303(b)(2)(B)— in clause (i), by striking or at the end; in clause (ii), by adding or at the end; and by adding at the end the following: whether the function should be performed by a shared service offered by another executive agency; .

Subchapter II of subtitle III of title 40, United States Code, is amended— in section 11312(a), by inserting , including security risks after managing the risks ; in section 11313(1), by striking efficiency and effectiveness and inserting efficiency, security, and effectiveness ; in section 11317, by inserting security, before or schedule ; and in section 11319(b)(1), in the paragraph heading, by striking and inserting cios . Chief Information Officers

Section 11331 of title 40, United States Code, is amended— in subsection (a), by striking section 3532(b)(1) and inserting section 3552(b) ; in subsection (b)(1)(A)— by striking in consultation and inserting in coordination ; by striking the Secretary of Homeland Security and inserting the Director of the Cybersecurity and Infrastructure Security Agency ; and by inserting and associated verification specifications developed under subsection (g) before pertaining to Federal ; by striking subsection (c) and inserting the following: The head of an agency shall— evaluate the need to employ standards for cost-effective, risk-based information security for all systems, operations, and assets within or under the supervision of the agency that are more stringent than the standards promulgated by the Director under this section, if such standards contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Director; and to the greatest extent practicable and if the head of the agency determines that the standards described in subparagraph (A) are necessary, employ those standards. In evaluating the need to employ more stringent standards under paragraph (1), the head of an agency shall consider available risk information, including— the status of cybersecurity remedial actions of the agency; any vulnerability information relating to agency systems that is known to the agency; incident information of the agency; information from— penetration testing performed under section 3559A of title 44; and information from the verification disclosure program established under section 3559B of title 44; agency threat hunting results under section 207 of the Federal Information Security Modernization Act of 2021 ; Federal and non-Federal threat intelligence; data on compliance with standards issued under this section, using the verification specifications developed under subsection (f) when appropriate; agency system risk assessments of the agency performed under section 3554(a)(1)(A) of title 44; and any other information determined relevant by the head of the agency. ; in subsection (d)(2)— by striking the paragraph heading and inserting ; Consultation, notice, and comment by inserting promulgate, before significantly modify ; and by striking shall be made after the public is given an opportunity to comment on the Director's proposed decision. and inserting “shall be made— for a decision to significantly modify or not promulgate such a proposed standard, after the public is given an opportunity to comment on the Director's proposed decision; in consultation with the Chief Information Officers Council, the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Comptroller General of the United States, and the Council of the Inspectors General on Integrity and Efficiency; considering the Federal risk assessments performed under section 3553(i) of title 44; and considering the extent to which the proposed standard reduces risk relative to the cost of implementation of the standard.”; and by adding at the end the following: Not less frequently than once every 2 years, the Director of the Office of Management and Budget, in consultation with the Chief Information Officers Council, the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Comptroller General of the United States, and the Council of the Inspectors General on Integrity and Efficiency shall review the efficacy of the standards in effect promulgated under this section in reducing cybersecurity risks and determine whether any changes to those standards are appropriate based on— the Federal risk assessment developed under section 3553(i) of title 44; public comment; and an assessment of the extent to which the proposed standards reduce risk relative to the cost of implementation of the standards.

Not later than 90 days after the date of the completion of the review under paragraph (1), the Director of the Office of Management and Budget shall issue guidance to agencies to make any necessary updates to the standards in effect promulgated under this section based on the results of the review. Not later than 30 days after the date on which a review is completed under paragraph (1), the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives a report that includes— the review of the standards in effect promulgated under this section conducted under paragraph (1); the risk mitigation offered by each standard described in subparagraph (A); and a summary of— the standards to which changes were determined appropriate during the review; and anticipated changes to the standards under this section in guidance issued under paragraph (2). Not later than 1 year after the date on which the Director of the National Institute of Standards and Technology issues a proposed standard pursuant to paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(a)), the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director of the National Institute of Standards and Technology, as practicable, shall develop technical specifications to enable the automated verification of the implementation of the controls within the standard.