Code · BILL · 118th Congress · S. 2251 (Introduced in Senate) — To improve the cybersecurity of the Federal Government, and for other purposes. · Sec. 18

Sec. 18. Federal cybersecurity requirements

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Section 225 of the Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1523) is amended by striking subsections (b) and (c).

Section 3554 of title 44, United States Code, as amended by this Act, is further amended by adding at the end the following:

Consistent with policies, standards, guidelines, and directives on information security under this subchapter, and except as provided under paragraph (3), the head of each agency shall— identify sensitive and mission critical data stored by the agency consistent with the inventory required under section 3505(c); assess access controls to the data described in subparagraph (A), the need for readily accessible storage of the data, and the need of individuals to access the data; encrypt or otherwise render indecipherable to unauthorized users the data described in subparagraph (A) that is stored on or transiting agency information systems; implement a single sign-on trusted identity platform for individuals accessing each public website of the agency that requires user authentication, as developed by the Administrator of General Services in collaboration with the Secretary; and implement identity management consistent with section 504 of the Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7464), including multi-factor authentication, for— remote access to a information system; and each user account with elevated privileges on a information system.

In this paragraph, the term "Internet of things" has the meaning given the term in section 3559B. Consistent with policies, standards, guidelines, and directives on information security under this subchapter, and except as provided under paragraph (3), the head of an agency may not procure, obtain, renew a contract to procure or obtain in any amount, notwithstanding section 1905 of title 41, United States Code, or use an Internet of things device if the Chief Information Officer of the agency determines during a review required under section 11319(b)(1)(C) of title 40 of a contract for an Internet of things device that the use of the device prevents compliance with the standards and guidelines developed under section 4 of the IoT Cybersecurity Improvement Act (15 U.S.C. 278g–3b) with respect to the device.

The requirements under paragraph (1) shall not apply to a information system for which— the head of the agency, without delegation, has certified to the Director with particularity that— operational requirements articulated in the certification and related to the information system would make it excessively burdensome to implement the cybersecurity requirement; the cybersecurity requirement is not necessary to secure the information system or agency information stored on or transiting it; and the agency has taken all necessary steps to secure the information system and agency information stored on or transiting it; and the head of the agency has submitted the certification described in subparagraph (A) to the appropriate congressional committees and the authorizing committees of the agency.

A certification and corresponding exemption of an agency under paragraph (3) shall expire on the date that is 4 years after the date on which the head of the agency submits the certification under paragraph (3)(A). Upon the expiration of a certification of an agency under paragraph (3), the head of the agency may submit an additional certification in accordance with that paragraph.

Nothing in this subsection shall be construed— to alter the authority of the Secretary, the Director, or the Director of the National Institute of Standards and Technology in implementing subchapter II of this title; to affect the standards or process of the National Institute of Standards and Technology; to affect the requirement under section 3553(a)(4); or to discourage continued improvements and advancements in the technology, standards, policies, and guidelines used to promote Federal information security.

The requirements under subsection (f)(1) shall not apply to— the Department of Defense; a national security system; or an element of the intelligence community.

The prohibition under subsection (f)(2) shall not apply to— Internet of things devices that are or comprise a national security system; national security systems; or a procured Internet of things device described in subsection (f)(2)(B) that the Chief Information Officer of an agency determines is— necessary for research purposes; or secured using alternative and effective methods appropriate to the function of the Internet of things device.

Section 3554(c)(1) of title 44, United States Code, as amended by this Act, is further amended— in subparagraph (C), by striking "and" at the end; in subparagraph (D), by striking the period at the end and inserting "; and"; and by adding at the end the following: with respect to any exemption from the requirements of subsection (f)(3) that is effective on the date of submission of the report, the number of information systems that have received an exemption from those requirements.

Paragraph (3) of section 3554(f) of title 44, United States Code, as added by this Act, shall take effect on the date that is 1 year after the date of enactment of this Act.

Section 222(3)(B) of the Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1521(3)(B)) is amended by inserting "and the Committee on Oversight and Accountability" before "of the House of Representatives".