
Code · BILL · 117th Congress · S. 2902 (Introduced in Senate) — To modernize Federal information security management, and for other purposes. · Sec. 103

Sec. 103. Actions to enhance Federal incident response


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Not later than 180 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Chair of the Federal Trade Commission, the Chair of the Securities and Exchange Commission, the Secretary of the Treasury, the Director of the Federal Bureau of Investigation, the Director of the National Institute of Standards and Technology, and the head of any other appropriate Federal or non-Federal entity, shall consolidate, maintain, and make publicly available recommendations for individuals whose personal information, as defined in section 3591 of title 44, United States Code, as added by this Act, is inappropriately exposed as a result of a high risk incident described in section 3598(c)(2) of title 44, United States Code.
Not later than 180 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall— develop a plan for the development of the analysis required under section 3597(b) of title 44, United States Code, as added by this Act, and the report required under subsection (c) of that section that includes— a description of any challenges the Director anticipates encountering; and the use of automation and machine-readable formats for collecting, compiling, monitoring, and analyzing data; and provide to the appropriate congressional committees a briefing on the plan developed under clause (i).
Not later than 1 year after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall provide to the appropriate congressional committees a briefing on— the execution of the plan required under subparagraph (A); and the development of the report required under section 3597(c) of title 44, United States Code, as added by this Act.
Section 2 of the Federal Information Security Modernization Act of 2014 (44 U.S.C. 3554 note) is amended— by striking subsection (b); and by redesignating subsections (c) through (f) as subsections (b) through (e), respectively.
The Director shall develop guidance, to be updated not less frequently than once every 2 years, on the content, timeliness, and format of the information provided by agencies under section 3594(a) of title 44, United States Code, as added by this Act.
The guidance developed under subparagraph (A) shall— prioritize the availability of data necessary to understand and analyze— the causes of incidents; the scope and scale of incidents within the agency networks and systems; cross Federal Government root causes of incidents; agency response, recovery, and remediation actions; and the effectiveness of incidents; enable the efficient development of— lessons learned and recommendations in responding to, recovering from, remediating, and mitigating future incidents; and the report on Federal compromises required under section 3597(c) of title 44, United States Code, as added by this Act; include requirements for the timeliness of data production; and include requirements for using automation and machine-readable data for data sharing and availability.
Not later than 1 year after the date of enactment of this Act, the Director shall develop guidance for agencies to implement the requirement under section 3594(c) of title 44, United States Code, as added by this Act, to provide information to other agencies experiencing incidents.
Not later than 1 year after the date of enactment of this Act, the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall develop guidance and templates, to be reviewed and, if necessary, updated not less frequently than once every 2 years, for use by Federal agencies in the activities required under sections 3592, 3593, and 3596 of title 44, United States Code, as added by this Act.
Not later than 1 year after the date of enactment of this Act, the Director, in coordination with the Secretary of Homeland Security, the Secretary of Defense, the Administrator of General Services, and the heads of other agencies determined appropriate by the Director, shall issue guidance to Federal agencies on how to deconflict existing regulations, policies, and procedures relating to the responsibilities of contractors and grant recipients established under section 3595 of title 44, United States Code, as added by this Act.
To the greatest extent practicable, the guidance issued under subparagraph (A) shall allow contractors and grantees to use existing processes for notifying Federal agencies of incidents involving information of the Federal Government.
Not less frequently than once every 2 years, the Director shall provide to the appropriate congressional committees an update on the guidance and templates developed under paragraphs (2) through (4).
Section 552a(b) of title 5, United States Code (commonly known as the Privacy Act of 1974) is amended— in paragraph (11), by striking "or" at the end; in paragraph (12), by striking the period at the end and inserting "; and"; and by adding at the end the following: "to another agency in furtherance of a response to an incident (as defined in section 3552 of title 44) and pursuant to the information sharing requirements in section 3594 of title 44 if the head of the requesting agency has made a written request to the agency that maintains the record specifying the particular portion desired and the activity for which the record is sought.".