Sec. 103. Title 44 amendments
Source: /bill/117/s/3600/es/section-103 (research copy; for the controlling text, check the official federal source).
Subchapter I of chapter 35 of title 44, United States Code, is amended—

in section 3504—
in subsection (a)(1)(B)—
by striking clause (v) and inserting the following: “confidentiality, privacy, disclosure, and sharing of information;”;
by redesignating clause (vi) as clause (vii); and
by inserting after clause (v) the following: “in consultation with the National Cyber Director, security of information; and”; and
in subsection (g), by striking paragraph (1) and inserting the following: “develop and oversee the implementation of policies, principles, standards, and guidelines on privacy, confidentiality, disclosure, and sharing, and in consultation with the National Cyber Director, oversee the implementation of policies, principles, standards, and guidelines on security, of information collected or maintained by or for agencies; and”;

in section 3505—
by striking the first subsection designated as subsection (c);
in paragraph (2) of the second subsection designated as subsection (c), by inserting “an identification of internet accessible information systems and” after “an inventory under this subsection shall include”;
in paragraph (3) of the second subsection designated as subsection (c)—
in subparagraph (B)—
by inserting “the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, and” before “the Comptroller General”; and
by striking “and” at the end;
in subparagraph (C)(v), by striking the period at the end and inserting “; and”; and
by adding at the end the following: “maintained on a continual basis through the use of automation, machine-readable data, and scanning, wherever practicable.”;

in section 3506—
in subsection (a)(3), by inserting “In carrying out these duties, the Chief Information Officer shall coordinate, as appropriate, with the Chief Data Officer in accordance with the designated functions under section 3520(c).” after “reduction of information collection burdens on the public.”;
in subsection (b)(1)(C), by inserting “, availability” after “integrity”; and
in subsection (h)(3), by inserting “security,” after “efficiency,”; and

in section 3513—
by redesignating subsection (c) as subsection (d); and
by inserting after subsection (b) the following: “Each agency providing a written plan under subsection (b) shall provide any portion of the written plan addressing information security to the Secretary of the Department of Homeland Security and the National Cyber Director.”.

Section 3552(b) of title 44, United States Code, is amended—
by redesignating paragraphs (1), (2), (3), (4), (5), (6), and (7) as paragraphs (2), (4), (5), (6), (7), (9), and (11), respectively;
by inserting before paragraph (2), as so redesignated, the following: “The term ‘additional cybersecurity procedure’ means a process, procedure, or other activity that is established in excess of the information security standards promulgated under section 11331(b) of title 40 to increase the security and reduce the cybersecurity risk of agency systems.”;
by inserting after paragraph (2), as so redesignated, the following: “The term ‘high value asset’ means information or an information system that the head of an agency, using policies, principles, standards, or guidelines issued by the Director under section 3553(a), determines to be so critical to the agency that the loss or corruption of the information or the loss of access to the information system would have a serious impact on the ability of the agency to perform the mission of the agency or conduct business.”;
by inserting after paragraph (7), as so redesignated, the following: “The term ‘major incident’ has the meaning given the term in guidance issued by the Director under section 3598(a).”;
by inserting after paragraph (9), as so redesignated, the following: “The term ‘penetration test’— means an authorized assessment that emulates attempts to gain unauthorized access to, or disrupt the operations of, an information system or component of an information system; and includes any additional meaning given the term in policies, principles, standards, or guidelines issued by the Director under section 3553(a).”; and
by inserting after paragraph (11), as so redesignated, the following: “The term ‘shared service’ means a centralized business or mission capability that is provided to multiple organizations within an agency or to multiple agencies.”.

Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(1)(A)) is amended by striking “section 3552(b)(5)” and inserting “section 3552(b)”.

Section 2222(i)(8) of title 10, United States Code, is amended by striking “section 3552(b)(6)(A)” and inserting “section 3552(b)(9)(A)”.

Section 2223(c)(3) of title 10, United States Code, is amended by striking “section 3552(b)(6)” and inserting “section 3552(b)”.

Section 2315 of title 10, United States Code, is amended by striking “section 3552(b)(6)” and inserting “section 3552(b)”.

Section 2339a(e)(5) of title 10, United States Code, is amended by striking “section 3552(b)(6)” and inserting “section 3552(b)”.

Section 207(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5527(a)) is amended by striking “section 3552(b)(6)(A)(i)” and inserting “section 3552(b)(9)(A)(i)”.

Section 3(5) of the Internet of Things Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3a) is amended by striking “section 3552(b)(6)” and inserting “section 3552(b)”.

Section 933(e)(1)(B) of the National Defense Authorization Act for Fiscal Year 2013 (10 U.S.C. 2224 note) is amended by striking “section 3542(b)(2)” and inserting “section 3552(b)”.

The Ike Skelton National Defense Authorization Act for Fiscal Year 2011 (Public Law 111–383) is amended—
in section 806(e)(5) (10 U.S.C. 2304 note), by striking “section 3542(b)” and inserting “section 3552(b)”;
in section 931(b)(3) (10 U.S.C. 2223 note), by striking “section 3542(b)(2)” and inserting “section 3552(b)”; and
in section 932(b)(2) (10 U.S.C. 2224 note), by striking “section 3542(b)(2)” and inserting “section 3552(b)”.

Section 301(c)(1)(A) of the E-Government Act of 2002 (44 U.S.C. 3501 note) is amended by striking “section 3542(b)(2)” and inserting “section 3552(b)”.

Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) is amended—
in subsection (a)(2), by striking “section 3552(b)(5)” and inserting “section 3552(b)”; and
in subsection (f)—
in paragraph (3), by striking “section 3532(1)” and inserting “section 3552(b)”; and
in paragraph (5), by striking “section 3532(b)(2)” and inserting “section 3552(b)”.
Subchapter II of chapter 35 of title 44, United States Code, is amended—

in section 3551—
in paragraph (4), by striking “diagnose and improve” and inserting “integrate, deliver, diagnose, and improve”;
in paragraph (5), by striking “and” at the end;
in paragraph (6), by striking the period at the end and inserting a semicolon; and
by adding at the end the following: “recognize that each agency has specific mission requirements and, at times, unique cybersecurity requirements to meet the mission of the agency; recognize that each agency does not have the same resources to secure agency systems, and an agency should not be expected to have the capability to secure the systems of the agency from advanced adversaries alone; and recognize that a holistic Federal cybersecurity model is necessary to account for differences between the missions and capabilities of agencies.”;

in section 3553—
in subsection (a)—
in paragraph (1), by inserting “, in consultation with the Secretary and the National Cyber Director,” before “overseeing”;
in paragraph (5), by striking “and” at the end; and
by adding at the end the following: “promoting, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, and the Director of the National Institute of Standards and Technology— the use of automation to improve Federal cybersecurity and visibility with respect to the implementation of Federal cybersecurity; and the use of presumption of compromise and least privilege principles to improve resiliency and timely response actions to incidents on Federal systems.”;
in subsection (b)—
in the matter preceding paragraph (1), by inserting “and the National Cyber Director” after “Director”; and
in paragraph (2)(A), by inserting “and reporting requirements under subchapter IV of this chapter” after “section 3556”; and
in subsection (c)—
in the matter preceding paragraph (1)—
by striking “each year” and inserting “each year during which agencies are required to submit reports under section 3554(c)”; and
by striking “preceding year” and inserting “preceding 2 years”;
by striking paragraph (1);
by redesignating paragraphs (2), (3), and (4) as paragraphs (1), (2), and (3), respectively;
in paragraph (3), as so redesignated, by striking “and” at the end;
by inserting after paragraph (3), as so redesignated, the following: “a summary of each assessment of Federal risk posture performed under subsection (i);”; and
in paragraph (5), by striking the period at the end and inserting “; and”;
by redesignating subsections (i), (j), (k), and (l) as subsections (j), (k), (l), and (m), respectively;
by inserting after subsection (h) the following: “On an ongoing and continuous basis, the Director of the Cybersecurity and Infrastructure Security Agency shall perform assessments of Federal risk posture using any available information on the cybersecurity posture of agencies, and brief the Director and National Cyber Director on the findings of those assessments including— the status of agency cybersecurity remedial actions described in section 3554(b)(7); any vulnerability information relating to the systems of an agency that is known by the agency; analysis of incident information under section 3597; evaluation of penetration testing performed under section 3559A; evaluation of vulnerability disclosure program information under section 3559B; evaluation of agency threat hunting results; evaluation of Federal and non-Federal cyber threat intelligence; data on agency compliance with standards issued under section 11331 of title 40; agency system risk assessments performed under section 3554(a)(1)(A); and any other information the Director of the Cybersecurity and Infrastructure Security Agency determines relevant.”;
in subsection (j), as so redesignated—
by striking “regarding the specific” and inserting “that includes a summary of— the specific”;
in paragraph (1), as so designated, by striking the period at the end and inserting “; and”; and
by adding at the end the following: “the trends identified in the Federal risk assessment performed under subsection (i).”; and
by adding at the end the following:

“If the Director of the Cybersecurity and Infrastructure Security Agency issues a binding operational directive or an emergency directive under this section, not later than 4 days after the date on which the binding operational directive requires an agency to take an action, the Director of the Cybersecurity and Infrastructure Security Agency shall provide to the Director, National Cyber Director, the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives the status of the implementation of the binding operational directive at the agency.

Not less frequently than once every 3 years, the Director, in consultation with the Chief Information Officers Council, the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Comptroller General of the United States, and the Council of the Inspectors General on Integrity and Efficiency, shall— review the efficacy of the guidance and policy developed by the Director under subsection (a)(1) in reducing cybersecurity risks, including an assessment of the requirements for agencies to report information to the Director; and determine whether any changes to the guidance or policy developed under subsection (a)(1) are appropriate. In conducting the review required under subparagraph (A), the Director shall consider— the Federal risk assessments performed under subsection (i); the cumulative reporting and compliance burden to agencies; and the clarity of the requirements and deadlines contained in guidance and policy documents. Not later than 90 days after the date on which a review is completed under paragraph (1), the Director shall issue updated guidance or policy to agencies determined appropriate by the Director, based on the results of the review.

Not later than 30 days after the date on which the Director completes a review under paragraph (1), the Director shall make publicly available a report that includes— an overview of the guidance and policy developed under subsection (a)(1) that is in effect; the cybersecurity risk mitigation, or other cybersecurity benefit, offered by each guidance or policy described in subparagraph (A); a summary of the guidance or policy developed under subsection (a)(1) to which changes were determined appropriate during the review; and the changes that are anticipated to be included in the updated guidance or policy issued under paragraph (2). Not later than 60 days after the date on which a review is completed under paragraph (1), the Director shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives a briefing on the review.

When the Director of the National Institute of Standards and Technology issues a proposed standard pursuant to paragraph (2) or (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(a)), the Director of the National Institute of Standards and Technology shall consider developing and, if appropriate and practical, develop, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, specifications to enable the automated verification of the implementation of the controls within the standard.”;

in section 3554—
in subsection (a)—
in paragraph (1)—
by redesignating subparagraphs (A), (B), and (C) as subparagraphs (B), (C), and (D), respectively;
by inserting before subparagraph (B), as so redesignated, the following: “on an ongoing and continuous basis, performing agency system risk assessments that— identify and document the high value assets of the agency using guidance from the Director; evaluate the data assets inventoried under section 3511 for sensitivity to compromises in confidentiality, integrity, and availability; identify agency systems that have access to or hold the data assets inventoried under section 3511; evaluate the threats facing agency systems and data, including high value assets, based on Federal and non-Federal cyber threat intelligence products, where available; evaluate the vulnerability of agency systems and data, including high value assets, including by analyzing— the results of penetration testing performed by the Department of Homeland Security under section 3553(b)(9); the results of penetration testing performed under section 3559A; information provided to the agency through the vulnerability disclosure program of the agency under section 3559B; incidents; and any other vulnerability information relating to agency systems that is known to the agency; assess the impacts of potential agency incidents to agency systems, data, and operations based on the evaluations described in clauses (ii) and (iv) and the agency systems identified under clause (iii); and assess the consequences of potential incidents occurring on agency systems that would impact systems at other agencies, including due to interconnectivity between different agency systems or operational reliance on the operations of the system or data in the system;”;
in subparagraph (B), as so redesignated, in the matter preceding clause (i), by striking “providing information” and inserting “using information from the assessment conducted under subparagraph (A), providing information”;
in subparagraph (C), as so redesignated—
in clause (ii), by inserting “binding” before “operational”; and
in clause (vi), by striking “and” at the end; and
by adding at the end the following: “providing an update on the ongoing and continuous assessment performed under subparagraph (A)— upon request, to the inspector general of the agency or the Comptroller General of the United States; and on a periodic basis, as determined by guidance issued by the Director but not less frequently than annually, to— the Director; the Director of the Cybersecurity and Infrastructure Security Agency; and the National Cyber Director; in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and not less frequently than once every 3 years, performing an evaluation of whether additional cybersecurity procedures are appropriate for securing a system of, or under the supervision of, the agency, which shall— be completed considering the agency system risk assessment performed under subparagraph (A); and include a specific evaluation for high value assets; not later than 30 days after completing the evaluation performed under subparagraph (F), providing the evaluation and an implementation plan, if applicable, for using additional cybersecurity procedures determined to be appropriate to— the Director of the Cybersecurity and Infrastructure Security Agency; the Director; and the National Cyber Director; and if the head of the agency determines there is need for additional cybersecurity procedures, ensuring that those additional cybersecurity procedures are reflected in the budget request of the agency;”;
in paragraph (2)—
in subparagraph (A), by inserting “in accordance with the agency system risk assessment performed under paragraph (1)(A)” after “information systems”;
in subparagraph (B)—
by striking “in accordance with standards” and inserting “in accordance with— standards”; and
by adding at the end the following: “the evaluation performed under paragraph (1)(F); and the implementation plan described in paragraph (1)(G);”; and
in subparagraph (D), by inserting “, through the use of penetration testing, the vulnerability disclosure program established under section 3559B, and other means,” after “periodically”;
in paragraph (3)—
in subparagraph (A)—
in clause (iii), by striking “and” at the end;
in clause (iv), by adding “and” at the end; and
by adding at the end the following: “ensure that— senior agency information security officers of component agencies carry out responsibilities under this subchapter, as directed by the senior agency information security officer of the agency or an equivalent official; and senior agency information security officers of component agencies report to— the senior information security officer of the agency or an equivalent official; and the Chief Information Officer of the component agency or an equivalent official;”; and
in paragraph (5), by inserting “and the Director of the Cybersecurity and Infrastructure Security Agency” before “on the effectiveness”;
in subsection (b)—
by striking paragraph (1) and inserting the following: “pursuant to subsection (a)(1)(A), performing ongoing and continuous agency system risk assessments, which may include using guidelines and automated tools consistent with standards and guidelines promulgated under section 11331 of title 40, as applicable;”;
in paragraph (2)—
by striking subparagraph (B) and inserting the following: “comply with the risk-based cyber budget model developed pursuant to section 3553(a)(7);”; and
in subparagraph (D)—
by redesignating clauses (iii) and (iv) as clauses (iv) and (v), respectively;
by inserting after clause (ii) the following: “binding operational directives and emergency directives promulgated by the Director of the Cybersecurity and Infrastructure Security Agency under section 3553;”; and
in clause (iv), as so redesignated, by striking “as determined by the agency; and” and inserting “as determined by the agency, considering the agency risk assessment performed under subsection (a)(1)(A); and”;
in paragraph (5)(A), by inserting “, including penetration testing, as appropriate,” after “shall include testing”;
in paragraph (6), by striking “planning, implementing, evaluating, and documenting” and inserting “planning and implementing and, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, evaluating and documenting”;
by redesignating paragraphs (7) and (8) as paragraphs (8) and (9), respectively;
by inserting after paragraph (6) the following: “a process for providing the status of every remedial action and unremediated identified system vulnerability to the Director and the Director of the Cybersecurity and Infrastructure Security Agency, using automation and machine-readable data to the greatest extent practicable;”; and
in paragraph (8)(C), as so redesignated—
by striking clause (ii) and inserting the following: “notifying and consulting with the Federal information security incident center established under section 3556 pursuant to the requirements of section 3594;”;
by redesignating clause (iii) as clause (iv);
by inserting after clause (ii) the following: “performing the notifications and other activities required under subchapter IV of this chapter; and”; and
in clause (iv), as so redesignated—
in subclause (I), by striking “and relevant offices of inspectors general”;
in subclause (II), by adding “and” at the end;
by striking subclause (III); and
by redesignating subclause (IV) as subclause (III);
in subsection (c)—
by redesignating paragraph (2) as paragraph (5);
by striking paragraph (1) and inserting the following: “Not later than 2 years after the date of enactment of the Federal Information Security Modernization Act of 2022 and not less frequently than once every 2 years thereafter, using the continuous and ongoing agency system risk assessment under subsection (a)(1)(A), the head of each agency shall submit to the Director, the Director of the Cybersecurity and Infrastructure Security Agency, the majority and minority leaders of the Senate, the Speaker and minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Oversight and Reform of the House of Representatives, the Committee on Homeland Security of the House of Representatives, the Committee on Commerce, Science, and Transportation of the Senate, the Committee on Science, Space, and Technology of the House of Representatives, the appropriate authorization and appropriations committees of Congress, the National Cyber Director, and the Comptroller General of the United States a report that— summarizes the agency system risk assessment performed under subsection (a)(1)(A); evaluates the adequacy and effectiveness of information security policies, procedures, and practices of the agency to address the risks identified in the agency system risk assessment performed under subsection (a)(1)(A), including an analysis of the agency’s cybersecurity and incident response capabilities using the metrics established under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)); summarizes the evaluation and implementation plans described in subparagraphs (F) and (G) of subsection (a)(1) and whether those evaluation and implementation plans call for the use of additional cybersecurity procedures determined to be appropriate by the agency; and summarizes the status of remedial actions identified by the inspector general of the agency, the Comptroller General of the United States, and any other source determined appropriate by the head of the agency. Each report submitted under paragraph (1)— shall be, to the greatest extent practicable, in an unclassified and otherwise uncontrolled form; and may include a classified annex. The head of an agency shall ensure that, to the greatest extent practicable, information is included in the unclassified form of the report submitted by the agency under paragraph (2)(A). During each year during which a report is not required to be submitted under paragraph (1), the Director shall provide to the congressional committees described in paragraph (1) a briefing summarizing current agency and Federal risk postures.”; and
in paragraph (5), as so redesignated, by striking the period at the end and inserting “, including the reporting procedures established under section 11315(d) of title 40 and subsection (a)(3)(A)(v) of this section”; and
in subsection (d)(1), in the matter preceding subparagraph (A), by inserting “and the National Cyber Director” after “the Director”; and
by adding at the end the following: “On an annual basis, the Director may exempt an agency from the reporting structure requirement under subsection (a)(3)(A)(v)(II). On an annual basis, the Director shall submit a report to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives that includes a list of each exemption granted under paragraph (1) and the associated rationale for each exemption. The report required under paragraph (2) may be incorporated into any other annual report required under this chapter.”;

in section 3555—
in the section heading, by striking “Annual independent” and inserting “Independent”;
in subsection (a)—
in paragraph (1), by inserting “during which a report is required to be submitted under section 3553(c),” after “Each year”;
in paragraph (2)(A), by inserting “, including by penetration testing and analyzing the vulnerability disclosure program of the agency” after “information systems”; and
by adding at the end the following: “An evaluation under this section may include recommendations for improving the cybersecurity posture of the agency.”;
in subsection (b)(1), by striking “annual”;
in subsection (e)(1), by inserting “during which a report is required to be submitted under section 3553(c)” after “Each year”;
by striking subsection (f) and inserting the following: “Agencies, evaluators, and other recipients of information that, if disclosed, may cause grave harm to the efforts of Federal information security officers, shall take appropriate steps to ensure the protection of that information, including safeguarding the information from public disclosure. The protections required under paragraph (1) shall be commensurate with the risk and comply with all applicable laws and regulations. With respect to information that is not related to national security systems, agencies and evaluators shall make a summary of the information unclassified and publicly available, including information that does not identify— specific information system incidents; or specific information system vulnerabilities.”;
in subsection (g)(2)—
by striking “this subsection shall” and inserting “this subsection— shall”;
in subparagraph (A), as so designated, by striking the period at the end and inserting “; and”; and
by adding at the end the following: “identify any entity that performs an independent evaluation under subsection (b).”; and
by striking subsection (j) and inserting the following: “The Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the Chief Information Officers Council, the Council of the Inspectors General on Integrity and Efficiency, and other interested parties as appropriate, shall ensure the development of risk-based guidance for evaluating the effectiveness of an information security program and practices. The risk-based guidance developed under paragraph (1) shall include— the identification of the most common successful threat patterns experienced by each agency; the identification of security controls that address the threat patterns described in subparagraph (A); any other security risks unique to the networks of each agency; and any other element the Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the Council of the Inspectors General on Integrity and Efficiency, determines appropriate.”; and

in section 3556(a)—
in the matter preceding paragraph (1), by inserting “within the Cybersecurity and Infrastructure Security Agency” after “incident center”; and
in paragraph (4), by striking “3554(b)” and inserting “3554(a)(1)(A)”.

The table of sections for chapter 35 of title 44, United States Code, is amended by striking the item relating to section 3555 and inserting the following: “3555. Independent evaluation.”.

Section 226(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1524(c)) is amended—
in paragraph (1)(B), in the matter preceding clause (i), by striking “annually thereafter” and inserting “thereafter during the years during which a report is required to be submitted under section 3553(c) of title 44, United States Code”; and
in paragraph (2)(B), in the matter preceding clause (i)—
by striking “annually thereafter” and inserting “thereafter during the years during which a report is required to be submitted under section 3553(c) of title 44, United States Code”; and
by striking “the report required under section 3553(c) of title 44, United States Code” and inserting “that report”.

Section 20(d)(3)(B) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(d)(3)(B)) is amended by striking “annual”.

Chapter 35 of title 44, United States Code, is amended by adding at the end the following:

Except as provided in subsection (b), the definitions under sections 3502 and 3552 shall apply to this subchapter.
As used in this subchapter:

The term ‘appropriate reporting entities’ means— the majority and minority leaders of the Senate; the Speaker and minority leader of the House of Representatives; the Committee on Homeland Security and Governmental Affairs of the Senate; the Committee on Oversight and Reform of the House of Representatives; the Committee on Homeland Security of the House of Representatives; the appropriate authorization and appropriations committees of Congress; the Director; the Director of the Cybersecurity and Infrastructure Security Agency; the National Cyber Director; the Comptroller General of the United States; and the inspector general of any impacted agency.

The term ‘awardee’— means a person, business, or other entity that receives a grant from, or is a party to a cooperative agreement or an other transaction agreement with, an agency; and includes any subgrantee of a person, business, or other entity described in subparagraph (A).

The term ‘breach’— means the loss of control, compromise, unauthorized disclosure, or unauthorized acquisition of personally identifiable information or any similar occurrence; and includes any additional meaning given the term in policies, principles, standards, or guidelines issued by the Director under section 3553(a).

The term ‘contractor’ means a prime contractor of an agency or a subcontractor of a prime contractor of an agency.

The term ‘Federal information’ means information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the Federal Government in any medium or form.

The term ‘Federal information system’ means an information system used or operated by an agency, a contractor, an awardee, or another organization on behalf of an agency.

The term ‘intelligence community’ has the meaning given the term in section 3 of the National Security Act of 1947 (50 U.S.C. 3003).

The term ‘nationwide consumer reporting agency’ means a consumer reporting agency described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)).

The term ‘vulnerability disclosure’ means a vulnerability identified under section 3559B.

As expeditiously as practicable and without unreasonable delay, and in any case not later than 45 days after an agency has a reasonable basis to conclude that a breach has occurred, the head of the agency, in consultation with a senior privacy officer of the agency, shall— determine whether notice to any individual potentially affected by the breach is appropriate based on an assessment of the risk of harm to the individual that considers— the nature and sensitivity of the personally identifiable information affected by the breach; the likelihood of access to and use of the personally identifiable information affected by the breach; the type of breach; and any other factors determined by the Director; and as appropriate, provide written notice in accordance with subsection (b) to each individual potentially affected by the breach— to the last known mailing address of the individual; or through an appropriate alternative method of notification that the head of the agency or a designated senior-level individual of the agency selects based on factors determined by the Director.

Each notice of a breach provided to an individual under subsection (a)(2) shall include— a brief description of the breach; if possible, a description of the types of personally identifiable information affected by the breach; contact information of the agency that may be used to ask questions of the agency, which— shall include an e-mail address or another digital contact mechanism; and may include a telephone number, mailing address, or a website; information on any remedy being offered by the agency; any applicable educational materials relating to what individuals can do in response to a breach that potentially affects their personally identifiable information, including relevant contact information for Federal law enforcement agencies and each nationwide consumer reporting agency; and any other appropriate information, as determined by the head of the agency or established in guidance by the Director.

The Attorney General, the Director of National Intelligence, or the Secretary of Homeland Security may delay a notification required under subsection (a) or (d) if the notification would— impede a criminal investigation or a national security activity; reveal sensitive sources and methods; cause damage to national security; or hamper security remediation actions. Any delay under paragraph (1) shall be reported in writing to the Director, the Attorney General, the Director of National Intelligence, the Secretary of Homeland Security, the National Cyber Director, the Director of the Cybersecurity and Infrastructure Security Agency, and the head of the agency and the inspector general of the agency that experienced the breach. A report required under subparagraph (A) shall include a written statement from the entity that delayed the notification explaining the need for the delay. The report required under subparagraph
(A)shall be unclassified but may include a classified annex. A delay under paragraph
(1)shall be for a period of 60 days and may be renewed. If an agency determines there is a significant change in the reasonable basis to conclude that a breach occurred, a significant change to the determination made under subsection (a)(1), or that it is necessary to update the details of the information provided to potentially affected individuals as described in subsection (b), the agency shall as expeditiously as practicable and without unreasonable delay, and in any case not later than 30 days after such a determination, notify each individual who received a notification pursuant to subsection
(a)of those changes. Nothing in this section shall be construed to limit— the Director from issuing guidance relating to notifications or the head of an agency from notifying individuals potentially affected by breaches that are not determined to be major incidents; or the Director from issuing guidance relating to notifications of major incidents or the head of an agency from providing more information than described in subsection
(b)when notifying individuals potentially affected by breaches. Not later than 72 hours after an agency has a reasonable basis to conclude that a major incident occurred, the head of the agency impacted by the major incident shall submit to the appropriate reporting entities a written report and, to the extent practicable, provide a briefing to the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Oversight and Reform of the House of Representatives, the Committee on Homeland Security of the House of Representatives, and the appropriate authorization and appropriations committees of Congress, taking into account— the information known at the time of the report; the sensitivity of the details associated with the major incident; and the classification level of the information contained in the report. A report required under paragraph
(1)shall include, in a manner that excludes or otherwise reasonably protects personally identifiable information and to the extent permitted by applicable law, including privacy and statistical laws— a summary of the information available about the major incident, including how the major incident occurred, information indicating that the major incident may be a breach, and information relating to the major incident as a breach, based on information available to agency officials as of the date on which the agency submits the report; if applicable, a description and any associated documentation of any circumstances necessitating a delay in a notification to individuals potentially affected by the major incident under section 3592(c); if applicable, an assessment of the impacts to the agency, the Federal Government, or the security of the United States, based on information available to agency officials on the date on which the agency submits the report; and if applicable, whether any ransom has been demanded or paid, or plans to be paid, by any entity operating a Federal information system or with access to a Federal information system, unless disclosure of such information may disrupt an active Federal law enforcement or national security operation. 
Within a reasonable amount of time, but not later than 30 days after the date on which an agency submits a written report under subsection (a), the head of the agency shall provide to the appropriate reporting entities written updates, which may include classified annexes, on the major incident and, to the extent practicable, provide a briefing, which may include a classified component, to the congressional committees described in subsection (a)(1), including summaries of— vulnerabilities, means by which the major incident occurred, and impacts to the agency relating to the major incident; any risk assessment and subsequent risk-based security implementation of the affected information system before the date on which the major incident occurred; the status of compliance of the affected information system with applicable security requirements that are directly related to the cause of the incident, at the time of the major incident; an estimate of the number of individuals potentially affected by the major incident based on information available to agency officials as of the date on which the agency provides the update; an assessment of the risk of harm to individuals potentially affected by the major incident based on information available to agency officials as of the date on which the agency provides the update; an update to the assessment of the risk to agency operations, or to impacts on other agency or non-Federal entity operations, affected by the major incident based on information available to agency officials as of the date on which the agency provides the update; the detection, response, and remediation actions of the agency, including any support provided by the Cybersecurity and Infrastructure Security Agency under section 3594(d) and status updates on the notification process described in section 3592(a), including any delay described in section 3592(c), if applicable; and if applicable, a description of any circumstances or data leading the head of the 
agency to determine, pursuant to section 3592(a)(1), not to notify individuals potentially impacted by a breach. If the agency determines that there is any significant change in the understanding of the agency of the scope, scale, or consequence of a major incident for which an agency submitted a written report under subsection (a), the agency shall provide an updated report to the appropriate reporting entities that includes information relating to the change in understanding. Each agency shall submit as part of the biannual report required under section 3554(c)(1) of this title a description of each major incident that occurred during the 2-year period preceding the date on which the biannual report is submitted. The Director shall submit to the appropriate reporting entities an annual report on all notification delays granted pursuant to section 3592(c). The Director shall submit to the appropriate reporting entities an annual report on each breach with respect to which the head of an agency determined, pursuant to section 3592(a)(1), not to notify individuals potentially impacted by the breach. The Director may submit the report required under paragraph
(1)as a component of the annual report submitted under section 3597(b). Any written report required to be submitted under this section may be submitted in a paper or electronic format. Not later than 7 days after the date on which an agency has a reasonable basis to conclude that a major incident occurred, the head of the agency, jointly with the Director, the National Cyber Director and any other Federal entity determined appropriate by the National Cyber Director, shall provide a briefing to the congressional committees described in subsection (a)(1) on the threat causing the major incident. The briefing required under paragraph (1)— shall, to the greatest extent practicable, include an unclassified component; and may include a classified component. Nothing in this section shall be construed to limit— the ability of an agency to provide additional reports or briefings to Congress; or Congress from requesting additional information from agencies through reports, briefings, or other means. Subject to the limitations described in subsection (b), the head of each agency shall provide any information relating to any incident affecting the agency, whether the information is obtained by the Federal Government directly or indirectly, to the Cybersecurity and Infrastructure Security Agency. A provision of information relating to an incident made by the head of an agency under paragraph
(1)shall— include detailed information about the safeguards that were in place when the incident occurred; whether the agency implemented the safeguards described in subparagraph
(A)correctly; in order to protect against a similar incident, identify— how the safeguards described in subparagraph
(A)should be implemented differently; and additional necessary safeguards; and include information to aid in incident response, such as— a description of the affected systems or networks; the estimated dates of when the incident occurred; and information that could reasonably help identify the party that conducted the incident or the cause of the incident, subject to appropriate privacy protections. The Director of the Cybersecurity and Infrastructure Security Agency shall— make incident information provided under paragraph
(1)available to the Director and the National Cyber Director; to the greatest extent practicable, share information relating to an incident with the head of any agency that may be— impacted by the incident; similarly susceptible to the incident; or similarly targeted by the incident; and coordinate any necessary information sharing efforts relating to a major incident with the private sector. Each agency operating or exercising control of a national security system shall share information about incidents that occur on national security systems with the Director of the Cybersecurity and Infrastructure Security Agency to the extent consistent with standards and guidelines for national security systems issued in accordance with law and as directed by the President. In providing information and selecting a method to provide information under subsection (a), the head of each agency shall take into account the level of classification of the information and any information sharing limitations and protections, such as limitations and protections relating to law enforcement, national security, privacy, statistical confidentiality, or other factors determined by the Director in order to implement subsection (a)(1) in a manner that enables automated and consistent reporting to the greatest extent practicable. Each agency that has a reasonable basis to conclude that a major incident occurred involving Federal information in electronic medium or form that does not exclusively involve a national security system, regardless of delays from notification granted for a major incident that is also a breach, shall coordinate with the Cybersecurity and Infrastructure Security Agency to facilitate asset response activities and provide recommendations for mitigating future incidents. 
Unless otherwise specified in a contract, grant, cooperative agreement, or an other transaction agreement, any contractor or awardee of an agency shall report to the agency within the same amount of time such agency is required to report an incident to the Cybersecurity and Infrastructure Security Agency, if the contractor or awardee has a reasonable basis to suspect or conclude that— an incident or breach has occurred with respect to Federal information collected, used, or maintained by the contractor or awardee in connection with the contract, grant, cooperative agreement, or other transaction agreement of the contractor or awardee; an incident or breach has occurred with respect to a Federal information system used or operated by the contractor or awardee in connection with the contract, grant, cooperative agreement, or other transaction agreement of the contractor or awardee; or the contractor or awardee has received information from the agency that the contractor or awardee is not authorized to receive in connection with the contract, grant, cooperative agreement, or other transaction agreement of the contractor or awardee. Following a report of a breach or major incident by a contractor or awardee under paragraph (1), the agency, in consultation with the contractor or awardee, shall carry out the requirements under sections 3592, 3593, and 3594 with respect to the major incident. Following a report of an incident by a contractor or awardee under paragraph (1), an agency, in consultation with the contractor or awardee, shall carry out the requirements under section 3594 with respect to the incident. This section shall apply— on and after the date that is 1 year after the date of enactment of the Federal Information Security Modernization Act of 2022 ; and with respect to any contract entered into on or after the date described in paragraph (1). 
In this section, the term covered individual means an individual who obtains access to Federal information or Federal information systems because of the status of the individual as an employee, contractor, awardee, volunteer, or intern of an agency. The head of each agency shall develop training for covered individuals on how to identify and respond to an incident, including— the internal process of the agency for reporting an incident; and the obligation of a covered individual to report to the agency a confirmed major incident and any suspected incident involving information in any medium or form, including paper, oral, and electronic. The training developed under subsection
(b)may be included as part of an annual privacy or security awareness training of an agency. The Director of the Cybersecurity and Infrastructure Security Agency shall develop, in consultation with the Director and the National Cyber Director, and perform continuous monitoring and quantitative and qualitative analyses of incidents at agencies, including major incidents, including— the causes of incidents, including— attacker tactics, techniques, and procedures; and system vulnerabilities, including zero days, unpatched systems, and information system misconfigurations; the scope and scale of incidents at agencies; common root causes of incidents across multiple Federal agencies; agency incident response, recovery, and remediation actions and the effectiveness of those actions, as applicable; lessons learned and recommendations in responding to, recovering from, remediating, and mitigating future incidents; and trends across multiple Federal agencies to address intrusion detection and incident response capabilities using the metrics established under section 224(c) of the Cybersecurity Act of 2015 ( 6 U.S.C. 1522(c) ). The analyses developed under paragraph
(1)shall, to the greatest extent practicable, use machine readable data, automation, and machine learning processes. The Director shall share on an ongoing basis the analyses required under this subsection with agencies and the National Cyber Director to— improve the understanding of cybersecurity risk of agencies; and support the cybersecurity improvement efforts of agencies. In carrying out subparagraph (A), the Director shall share the analyses— in human-readable written products; and to the greatest extent practicable, in machine-readable formats in order to enable automated intake and use by agencies. Not later than 2 years after the date of enactment of this section, and not less frequently than annually thereafter, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, the National Cyber Director and the heads of other Federal agencies, as appropriate, shall submit to the appropriate reporting entities a report that includes— a summary of causes of incidents from across the Federal Government that categorizes those incidents as incidents or major incidents; the quantitative and qualitative analyses of incidents developed under subsection (a)(1) on an agency-by-agency basis and comprehensively across the Federal Government, including— a specific analysis of breaches; and an analysis of the Federal Government’s performance against the metrics established under section 224(c) of the Cybersecurity Act of 2015 ( 6 U.S.C. 1522(c) ); and an annex for each agency that includes— a description of each major incident; the total number of incidents of the agency; and an analysis of the agency’s performance against the metrics established under section 224(c) of the Cybersecurity Act of 2015 ( 6 U.S.C. 1522(c) ). A version of each report submitted under subsection
(b)shall be made publicly available on the website of the Cybersecurity and Infrastructure Security Agency during the year in which the report is submitted. The Director of the Cybersecurity and Infrastructure Security Agency may exempt all or a portion of a report described in paragraph
(1)from public publication if the Director of the Cybersecurity and Infrastructure Security Agency determines the exemption is in the interest of national security. An exemption granted under paragraph
(2)shall not apply to any version of a report submitted to the appropriate reporting entities under subsection (b). The analysis required under subsection
(a)and each report submitted under subsection
(b)shall use information provided by agencies under section 3594(a). Subject to subparagraph (B), during any year during which the head of an agency does not provide data for an incident to the Cybersecurity and Infrastructure Security Agency in accordance with section 3594(a), the head of the agency, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and the Director, shall submit to the appropriate reporting entities a report that includes the information described in subsection
(b)with respect to the agency. The head of an agency that owns or exercises control of a national security system shall not include data for an incident that occurs on a national security system in any report submitted under subparagraph (A). Annually, the head of an agency that operates or exercises control of a national security system shall submit a report that includes the information described in subsection
(b)with respect to the national security system to the extent that the submission is consistent with standards and guidelines for national security systems issued in accordance with law and as directed by the President to— the majority and minority leaders of the Senate, the Speaker and minority leader of the House of Representatives; the Committee on Homeland Security and Governmental Affairs of the Senate; the Select Committee on Intelligence of the Senate; the Committee on Armed Services of the Senate; the Committee on Appropriations of the Senate; the Committee on Oversight and Reform of the House of Representatives; the Committee on Homeland Security of the House of Representatives; the Permanent Select Committee on Intelligence of the House of Representatives; the Committee on Armed Services of the House of Representatives; and the Committee on Appropriations of the House of Representatives. A report required under subparagraph
(A)may be submitted in a classified form. In publishing the public report required under subsection (c), the Director of the Cybersecurity and Infrastructure Security Agency shall sufficiently compile information such that no specific incident of an agency can be identified, except with the concurrence of the Director of the Office of Management and Budget and in consultation with the impacted agency. Not later than 180 days after the date of enactment of the Federal Information Security Modernization Act of 2022 , the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director, shall develop and promulgate guidance on the definition of the term major incident for the purposes of subchapter II and this subchapter. With respect to the guidance issued under subsection (a), the definition of the term major incident shall— include, with respect to any information collected or maintained by or on behalf of an agency or an information system used or operated by an agency or by a contractor of an agency or another organization on behalf of an agency— any incident the head of the agency determines is likely to have an impact on— the national security, homeland security, or economic security of the United States; or the civil liberties or public health and safety of the people of the United States; any incident the head of the agency determines likely to result in an inability for the agency, a component of the agency, or the Federal Government, to provide 1 or more critical services; any incident that the head of an agency, in consultation with a senior privacy officer of the agency, determines is likely to have a significant privacy impact on 1 or more individual; any incident that the head of the agency, in consultation with a senior privacy official of the agency, determines is likely to have a substantial privacy impact on a significant number of individuals; any incident the head of the agency 
determines substantially disrupts the operations of a high value asset owned or operated by the agency; any incident involving the exposure of sensitive agency information to a foreign entity, such as the communications of the head of the agency, the head of a component of the agency, or the direct reports of the head of the agency or the head of a component of the agency; and any other type of incident determined appropriate by the Director; stipulate that the National Cyber Director, in consultation with the Director, shall declare a major incident at each agency impacted by an incident if it is determined that an incident— occurs at not less than 2 agencies; and is enabled by— a common technical root cause, such as a supply chain compromise, a common software or hardware vulnerability; or the related activities of a common threat actor; and stipulate that, in determining whether an incident constitutes a major incident because that incident is any incident described in paragraph (1), the head of the agency shall consult with the National Cyber Director and may consult with the Director of the Cybersecurity and Infrastructure Security Agency. In determining what constitutes a significant number of individuals under subsection (b)(1)(D), the Director— may determine a threshold for a minimum number of individuals that constitutes a significant amount; and may not determine a threshold described in paragraph
(1)that exceeds 5,000 individuals. Not later than 2 years after the date of enactment of the Federal Information Security Modernization Act of 2022 , and not less frequently than every 2 years thereafter, the Director shall provide a briefing to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives, which shall include— an evaluation of any necessary updates to the guidance issued under subsection (a); an evaluation of any necessary updates to the definition of the term major incident included in the guidance issued under subsection (a); and an explanation of, and the analysis that led to, the definition described in paragraph (2). . The table of sections for chapter 35 of title 44, United States Code, is amended by adding at the end the following: SUBCHAPTER IV—Federal System Incident Response 3591. Definitions 3592. Notification of breach 3593. Congressional and Executive Branch reports 3594. Government information sharing and incident response 3595. Responsibilities of contractors and awardees 3596. Training 3597. Analysis and report on Federal incidents 3598. Major incident definition .
Cited U.S. Code provisions
- § 511 Information security responsibilities of certain agencies
- § 5527 Miscellaneous provisions
- § 2224 Defense Information Assurance Program
- § 2304 [Repealed. Pub. L. 116–283, div. A, title XVIII, § 1881(a), Jan. 1, 2021, 134 Stat. 4293]
- § 2223 Information technology: additional responsibilities of Chief Information Officers
- § 3501 Purposes
- § 1522 Advanced internal defenses
- § 1524 Assessment; reports
- § 3003 Definitions
- § 1681a Definitions; rules of construction
- 15 USC 278g–3a
- Pub. L. 111-383
- 15 USC 278g–3
- 15 USC 278g–3(a)
- 15 USC 278g–3(d)(3)(B)