Sec. 104. Additional guidance to agencies on FISMA updates
/bill/117/s/2902/is/section-104
Not later than 1 year after the date of enactment of this Act, the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall issue guidance for agencies on—

(1) completing the agency system risk assessment required under section 3554(a)(1)(A) of title 44, United States Code, as amended by this Act;

(2) implementing additional cybersecurity procedures, which shall include resources for shared services;

(3) establishing a process for providing the status of each remedial action under section 3554(b)(7) of title 44, United States Code, as amended by this Act, to the Director and the Cybersecurity and Infrastructure Security Agency using automation and machine-readable data, as practicable, which shall include—

(A) specific standards for the automation and machine-readable data; and

(B) templates for providing the status of the remedial action;

(4) interpreting the definition of high value asset in section 3552 of title 44, United States Code, as amended by this Act;

(5) implementing standards in agency authorization processes to encourage the tailoring of processes to agency and system risk that are proportionate to the sensitivity of systems, which shall include—

(A) a clarification of—

(i) the acceptable use and development of customization of standards promulgated under section 11331 of title 40, United States Code; and

(ii) the acceptable use of risk-based authorization procedures authorized on the date of enactment of this Act; and

(B) a requirement to coordinate with Inspectors Generals of agencies to ensure consistent understanding and application of agency policies for the purpose of Inspector General audits; and

(6) requiring, as practicable and pursuant to section 203, an evaluation of agency cybersecurity using metrics that are—

(A) based on outcomes; and

(B) based on time.