
Code · BILL · 117th Congress · S. 3600 (Placed on Calendar Senate) — To improve the cybersecurity of the Federal Government, and for other purposes. · Sec. 104

Sec. 104. Amendments to subtitle III of title 40


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Subtitle G of title X of Division A of the National Defense Authorization Act for Fiscal Year 2018 (40 U.S.C. 11301 note) is amended in section 1078—

  by striking subsection (a) and inserting the following:

    “In this section:
    The term ‘agency’ has the meaning given the term in section 551 of title 5, United States Code.
    The term ‘high value asset’ has the meaning given the term in section 3552 of title 44, United States Code.”;

  in subsection (b), by adding at the end the following:

    “The Director shall—
    give consideration for the use of amounts in the Fund to improve the security of high value assets; and
    require that any proposal for the use of amounts in the Fund includes a cybersecurity plan, including a supply chain risk management plan, to be reviewed by the member of the Technology Modernization Board described in subsection (c)(5)(C).”; and

  in subsection (c)—
    in paragraph (2)(A)(i), by inserting “, including a consideration of the impact on high value assets” after “operational risks”;
    in paragraph (5)—
      in subparagraph (A), by striking “and” at the end;
      in subparagraph (B), by striking the period at the end and inserting “and”; and
      by adding at the end the following:
        “a senior official from the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, appointed by the Director.”; and
    in paragraph (6)(A), by striking “shall be—” and all that follows through “4 employees” and inserting “shall be 4 employees”.

Subchapter I of chapter 113 of subtitle III of title 40, United States Code, is amended—

  in section 11302—
    in subsection (b), by striking “use, security, and disposal of” and inserting “use, and disposal of, and, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director, promote and improve the security of,”;
    in subsection (c)—
      in paragraph (3)—
        in subparagraph (A)—
          by striking “including data” and inserting “which shall— include data”; and
          by adding at the end the following:
            “specifically denote cybersecurity funding under the risk-based cyber budget model developed pursuant to section 3553(a)(7) of title 44.”; and
        in subparagraph (B), by adding at the end the following:
          “The Director shall provide to the National Cyber Director any cybersecurity funding information described in subparagraph (A)(ii) that is provided to the Director under clause (ii) of this subparagraph.”;
    in subsection (f)—
      by striking “heads of executive agencies to develop” and inserting “heads of executive agencies to— develop”;
      in paragraph (1), as so designated, by striking the period at the end and inserting “; and”; and
      by adding at the end the following:
        “consult with the Director of the Cybersecurity and Infrastructure Security Agency for the development and use of supply chain security best practices.”; and
    in subsection (h), by inserting “, including cybersecurity performances,” after “the performances”; and
  in section 11303(b)—
    in paragraph (2)(B)—
      in clause (i), by striking “or” at the end;
      in clause (ii), by adding “or” at the end; and
      by adding at the end the following:
        “whether the function should be performed by a shared service offered by another executive agency;”; and
    in paragraph (5)(B)(i), by inserting “, while taking into account the risk-based cyber budget model developed pursuant to section 3553(a)(7) of title 44” after “title 31”.

Subchapter II of chapter 113 of subtitle III of title 40, United States Code, is amended—

  in section 11312(a), by inserting “, including security risks” after “managing the risks”;
  in section 11313(1), by striking “efficiency and effectiveness” and inserting “efficiency, security, and effectiveness”;
  in section 11315, by adding at the end the following:

    “The Chief Information Officer or an equivalent official of a component agency shall report to—
    the Chief Information Officer designated under section 3506(a)(2) of title 44 or an equivalent official of the agency of which the component agency is a component; and
    the head of the component agency.
    On an annual basis, the Director may exempt any agency from the reporting structure requirements under subsection (d).
    On an annual basis, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives a report that includes a list of each exemption granted under paragraph (1) and the associated rationale for each exemption.
    The report required under paragraph (2) may be incorporated into any other annual report required under chapter 35 of title 44, United States Code.”;

  in section 11317, by inserting “security,” before “or schedule”; and
  in section 11319(b)(1), in the paragraph heading, by striking “CIOS” and inserting “Chief Information Officers”.

Section 11331 of title 40, United States Code, is amended—

  in subsection (a), by striking “section 3532(b)(1)” and inserting “section 3552(b)”;
  in subsection (b)(1)(A), by striking “the Secretary of Homeland Security” and inserting “the Director of the Cybersecurity and Infrastructure Security Agency”;
  by striking subsection (c) and inserting the following:

    “The head of an agency shall—
    evaluate, in consultation with the senior agency information security officers, the need to employ standards for cost-effective, risk-based information security for all systems, operations, and assets within or under the supervision of the agency that are more stringent than the standards promulgated by the Director under this section, if such standards contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Director; and
    to the greatest extent practicable and if the head of the agency determines that the standards described in subparagraph (A) are necessary, employ those standards.
    In evaluating the need to employ more stringent standards under paragraph (1), the head of an agency shall consider available risk information, such as—
      the status of cybersecurity remedial actions of the agency;
      any vulnerability information relating to agency systems that is known to the agency;
      incident information of the agency;
      information from—
        penetration testing performed under section 3559A of title 44; and
        information from the vulnerability disclosure program established under section 3559B of title 44;
      agency threat hunting results under section 112 of the Federal Information Security Modernization Act of 2022;
      Federal and non-Federal cyber threat intelligence;
      data on compliance with standards issued under this section;
      agency system risk assessments performed under section 3554(a)(1)(A) of title 44; and
      any other information determined relevant by the head of the agency.”;

  in subsection (d)(2)—
    in the paragraph heading, by striking “Notice and comment” and inserting “Consultation, notice, and comment”;
    by inserting “promulgate,” before “significantly modify”; and
    by striking “shall be made after the public is given an opportunity to comment on the Director’s proposed decision.” and inserting the following:

      “shall be made—
      for a decision to significantly modify or not promulgate such a proposed standard, after the public is given an opportunity to comment on the Director’s proposed decision;
      in consultation with the Chief Information Officers Council, the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Comptroller General of the United States, and the Council of the Inspectors General on Integrity and Efficiency;
      considering the Federal risk assessments performed under section 3553(i) of title 44; and
      considering the extent to which the proposed standard reduces risk relative to the cost of implementation of the standard.”; and

  by adding at the end the following:

    “Not less frequently than once every 3 years, the Director of the Office of Management and Budget, in consultation with the Chief Information Officers Council, the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Comptroller General of the United States, and the Council of the Inspectors General on Integrity and Efficiency, shall review the efficacy of the guidance and policy promulgated by the Director in reducing cybersecurity risks, including an assessment of the requirements for agencies to report information to the Director, and determine whether any changes to that guidance or policy is appropriate.
    In conducting the review described in subparagraph (A), the Director shall consider the Federal risk assessments performed under section 3553(i) of title 44.
    In conducting the review described in subparagraph (A), the Director shall consider—
      the cumulative reporting and compliance burden to agencies; and
      the clarity of the requirements and deadlines contained in guidance and policy documents.
    Not later than 90 days after the date on which a review is completed under paragraph (1), the Director of the Office of Management and Budget shall issue updated guidance or policy to agencies determined appropriate by the Director, based on the results of the review.
    Not later than 30 days after the date on which a review is completed under paragraph (1), the Director of the Office of Management and Budget shall make publicly available a report that includes—
      an overview of the guidance and policy promulgated under this section that is currently in effect;
      the cybersecurity risk mitigation, or other cybersecurity benefit, offered by each guidance or policy document described in subparagraph (A); and
      a summary of the guidance or policy to which changes were determined appropriate during the review and what the changes are anticipated to include.
    Not later than 60 days after the date on which a review is completed under paragraph (1), the Director shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives a briefing on the review.
    When the Director of the National Institute of Standards and Technology issues a proposed standard pursuant to paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(a)), the Director of the National Institute of Standards and Technology shall consider developing and, if appropriate and practical, develop, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, specifications to enable the automated verification of the implementation of the controls within the standard.”.