Sec. 207. Congressional reporting
818 words·~4 min read·
/bill/117/s/3600/pcs/section-207·A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Not later than 30 days after the date on which the Director issues the final rule under section 2242(b) of the Homeland Security Act of 2002, as added by section 203(b) of this title, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report that describes how the Director engaged stakeholders in the development of the final rule. Not later than 1 year after the date of enactment of this Act, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report describing how the National Cybersecurity and Communications Integration Center established under section 2209 of the Homeland Security Act of 2002 ( 6 U.S.C. 659 ) has carried out activities under section 2241(a)(9) of the Homeland Security Act of 2002, as added by section 203(a) of this title, by proactively identifying opportunities to use cyber incident data to inform and enable cybersecurity research within the academic and private sector.
Not later than 1 year after the date of enactment of this Act, and annually thereafter for the duration of the pilot program established under section 205, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report, which may include a classified annex, on the effectiveness of the pilot program, which shall include a discussion of the following: The effectiveness of the notifications under section 205(c) in mitigating security vulnerabilities and the threat of ransomware.
Identification of the most common vulnerabilities utilized in ransomware. The number of notifications issued during the preceding year. To the extent practicable, the number of vulnerable devices or systems mitigated under the pilot program by the Agency during the preceding year. Not later than 180 days after the date on which the Secretary of Homeland Security convenes the Cyber Incident Reporting Council described in section 2246 of the Homeland Security Act of 2002, as added by section 203 of this title, the Secretary of Homeland Security shall submit to the appropriate congressional committees a report that includes— a list of duplicative Federal cyber incident reporting requirements on covered entities; a description of any challenges in harmonizing the duplicative reporting requirements; any actions the Director intends to take to facilitate harmonizing the duplicative reporting requirements; and any proposed legislative changes necessary to address the duplicative reporting.
Nothing in paragraph
(1)shall be construed to provide any additional regulatory authority to any Federal agency. Not later than 2 years after the date of enactment of this Act, the Comptroller General of the United States shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the implementation of this Act and the amendments made by this Act. Not later than 1 year after the date on which the Director issues the final rule required under section 2242(b) of the Homeland Security Act of 2002, as added by section 203 of this title, the Comptroller General of the United States shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the exemptions to reporting under paragraphs
(2)and
(5)of section 2242(a) of the Homeland Security Act of 2002, as added by section 203 of this title, which shall include— to the extent practicable, an evaluation of the quantity of cyber incidents not reported to the Federal Government; an evaluation of the impact on impacted entities, homeland security, and the national economy due to cyber incidents, ransomware attacks, and ransom payments, including a discussion on the scope of impact of cyber incidents that were not reported to the Federal Government; an evaluation of the burden, financial and otherwise, on entities required to report cyber incidents under this Act, including an analysis of entities that meet the definition of a small business concern under section 3 of the Small Business Act ( 15 U.S.C. 632 ); and a description of the consequences and effects of limiting covered cyber incident and ransom payment reporting to only covered entities. Not later than 1 year after the date on which the Director issues the final rule required under section 2242(b) of the Homeland Security Act of 2002, as added by section 203 of this title, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the effectiveness of the enforcement mechanisms within section 2244 of the Homeland Security Act of 2002, as added by section 203 of this title.
Connectionstraces to 2
Traces to 2 documents
Citation graph
cites case law
Cites 2Cited by 0 across 0 sources