Referenced Laws
6 U.S.C. 650
Section 1
1. Cybersecurity prioritization in information technology procurement

It is the sense of Congress that—
  the Department has not sufficiently emphasized cybersecurity in its operations or in its procurement of information technology, and that these shortcomings have contributed to numerous cybersecurity incidents at the Department; and
  the Department should prioritize, to the highest level and to a greater extent than it already does, the minimization of cybersecurity risks in its procurement of information technology.

The Chief Information Officer in the Bureau of Information Resources Management shall submit to the appropriate congressional committees an annual report that—
  describes all Department information technology procurement contracts awarded in the year prior to the issuance of the report, including the name of the awardee and the information technology they were contracted to procure;
  for all Department information technology procurement contracts awarded in the year prior to the issuance of the report with contract price exceeding $10 million—
    details the cybersecurity risks which have been or will be created by the information technology procured or intended to be procured under the contract, including the Department’s strategy for mitigating these risks;
    justifies the Department’s choice to award the contract to its particular awardee in light of those cybersecurity risks; and
    justifies the Department’s choice to procure such information technology in light of those cybersecurity risks.

In this section—
  the term “appropriate congressional committees” means—
    the Committee on Foreign Affairs of the House of Representatives; and
    the Committee on Foreign Relations of the Senate;
  the term “cybersecurity incident” has the meaning given the term “incident” in section 3552 of title 44, United States Code;
  the term “cybersecurity risk” has the meaning given that term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650), except that such term refers exclusively to cybersecurity risks to the Department’s information and information systems;
  the term “Department” means the Department of State;
  the term “information system” has the meaning given that term in section 3502 of title 44, United States Code; and
  the term “information technology” has the meaning given that term in section 11101 of title 40, United States Code.