Tap any paragraph to write a margin note. Your notes collect in the Desk below the text and file under cases with @. The side-by-side margin rail opens on a larger screen.

§
Marginalia
Code · STATUTE-COMPILATIONS · Consolidated Appropriations Act, 2016 · Sec. 225

Sec. 225. FEDERAL CYBERSECURITY REQUIREMENTS

593 words·~3 min read·/statute-compilations/comps-13909/sec-225

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

## SEC. 225 FEDERAL CYBERSECURITY REQUIREMENTS **[**[6 U.S.C. 1523](/us/usc/t6/s1523)**]** ###
(a)Implementation of Federal Cybersecurity Standards Consistent with section 3553 of title 44, United States Code, the Secretary, in consultation with the Director, shall exercise the authority to issue binding operational directives to assist the Director in ensuring timely agency adoption of and compliance with policies and standards promulgated under section 11331 of title 40, United States Code, for securing agency information systems. ###
(b)Cybersecurity Requirements at Agencies ####
(1)In general Consistent with policies, standards, guidelines, and directives on information security under subchapter II of chapter 35 of title 44, United States Code, and the standards and guidelines promulgated under section 11331 of title 40, United States Code, and except as provided in paragraph (2), not later than 1 year after the date of the enactment of this Act, the head of each agency shall— #####
(A)identify sensitive and mission critical data stored by the agency consistent with the inventory required under the first subsection
(c)(relating to the inventory of major information systems) and the second subsection
(c)(relating to the inventory of information systems) of section 3505 of title 44, United States Code; #####
(B)assess access controls to the data described in subparagraph (A), the need for readily accessible storage of the data, and individuals’ need to access the data; #####
(C)encrypt or otherwise render indecipherable to unauthorized users the data described in subparagraph
(A)that is stored on or transiting agency information systems; #####
(D)implement a single sign-on trusted identity platform for individuals accessing each public website of the agency that requires user authentication, as developed by the Administrator of General Services in collaboration with the Secretary; and #####
(E)implement identity management consistent with section 504 of the Cybersecurity Enhancement Act of 2014 (Public Law 113-274; 15 U.S.C. 7464), including multi-factor authentication, for— ######
(i)remote access to an agency information system; and ######
(ii)each user account with elevated privileges on an agency information system. ####
(2)Exception The requirements under paragraph
(1)shall not apply to an agency information system for which— #####
(A)the head of the agency has personally certified to the Director with particularity that— ######
(i)operational requirements articulated in the certification and related to the agency information system would make it excessively burdensome to implement the cybersecurity requirement; ######
(ii)the cybersecurity requirement is not necessary to secure the agency information system or agency information stored on or transiting it; and ######
(iii)the agency has taken all necessary steps to secure the agency information system and agency information stored on or transiting it; and #####
(B)the head of the agency or the designee of the head of the agency has submitted the certification described in subparagraph
(A)to the appropriate congressional committees and the agency’s authorizing committees. ####
(3)Construction Nothing in this section shall be construed to alter the authority of the Secretary, the Director, or the Director of the National Institute of Standards and Technology in implementing subchapter II of chapter 35 of title 44, United States Code. Nothing in this section shall be construed to affect the National Institute of Standards and Technology standards process or the requirement under section 3553(a)(4) of such title or to discourage continued improvements and advancements in the technology, standards, policies, and guidelines used to promote Federal information security. ###
(c)Exception The requirements under this section shall not apply to the Department of Defense, a national security system, or an element of the intelligence community.
Connectionstraces to 3
Citation graph
cites case law
Sec. 225
FEDERAL CYBERSECURITY REQUIREMENTS
U.S.C.§ 1523
Pub. L.Public Law 113-274
U.S.C.§ 7464
Cites 3Cited by 0 across 0 sources
★   the supreme law of the land   ★
Don't Tread on Me
E Pluribus Unum — out of many, one

"If you don't know your rights, you don't have any."

Marginalia · a citizen's law index
A research desk, not legal advice. Always read the cited source before relying on a summary.
Questions or an issue? support@self-law.org
disclaimerMarginalia is a research index, not a law firm. Nothing on this site is legal, tax, or financial advice and no attorney–client relationship is formed by using it. Statutes, regulations, and case law change; summaries, search results, AI output, and member posts may be incomplete, out of date, or wrong. Any interpretation drawn from material on this site should be validated by a licensed attorney in your jurisdiction before you act on it.