Section 1
1. Short title; table of contents This Act may be cited as the Federal Information Security Modernization Act of 2023. The table of contents for this Act is as follows:
Section 2
2. Definitions In this Act, unless otherwise specified: The term agency has the meaning given the term in section 3502 of title 44, United States Code. The term appropriate congressional committees means— the Committee on Homeland Security and Governmental Affairs of the Senate; the Committee on Oversight and Accountability of the House of Representatives; and the Committee on Homeland Security of the House of Representatives. The term awardee has the meaning given the term in section 3591 of title 44, United States Code, as added by this Act. The term contractor has the meaning given the term in section 3591 of title 44, United States Code, as added by this Act. The term Director means the Director of the Office of Management and Budget. The term Federal information system has the meaning given the term in section 3591 of title 44, United States Code, as added by this Act. The term incident has the meaning given the term in section 3552(b) of title 44, United States Code. The term national security system has the meaning given the term in section 3552(b) of title 44, United States Code. The term penetration test has the meaning given the term in section 3552(b) of title 44, United States Code, as amended by this Act. The term threat hunting means proactively and iteratively searching systems for threats and vulnerabilities, including threats or vulnerabilities that may evade detection by automated threat detection systems. The term zero trust architecture has the meaning given the term in Special Publication 800–207 of the National Institute of Standards and Technology, or any successor document.
Section 3
3. Amendments to title 44 Subchapter I of chapter 35 of title 44, United States Code, is amended— in section 3504— in subsection (a)(1)(B)— by striking clause (v) and inserting the following: privacy, confidentiality, disclosure, and sharing of information; by redesignating clause (vi) as clause (vii); and by inserting after clause (v) the following: in consultation with the National Cyber Director, security of information; and in subsection (g)— by redesignating paragraph (2) as paragraph (3); and by striking paragraph (1) and inserting the following: develop and oversee the implementation of policies, principles, standards, and guidelines on privacy, confidentiality, disclosure, and sharing of information collected or maintained by or for agencies; in consultation with the National Cyber Director, oversee the implementation of policies, principles, standards, and guidelines on security, of information collected or maintained by or for agencies; and in section 3505— by striking the first subsection designated as subsection (c); in paragraph (2) of the second subsection designated as subsection (c), by inserting an identification of internet accessible information systems and after an inventory under this subsection shall include; in paragraph (3) of the second subsection designated as subsection (c)— in subparagraph (B)— by inserting the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, and before the Comptroller General; and by striking and at the end; in subparagraph (C)(v), by striking the period at the end and inserting ; and; and by adding at the end the following: maintained on a continual basis through the use of automation, machine-readable data, and scanning, wherever practicable. 
in section 3506— in subsection (a)(3), by inserting In carrying out these duties, the Chief Information Officer shall consult, as appropriate, with the Chief Data Officer in accordance with the designated functions under section 3520(c). after reduction of information collection burdens on the public.; in subsection (b)(1)(C), by inserting availability, after integrity,; in subsection (h)(3), by inserting security, after efficiency,; and by adding at the end the following: Notwithstanding paragraphs (2) and (3) of subsection (a), the head of each agency shall designate a Chief Privacy Officer with the necessary skills, knowledge, and expertise, who shall have the authority and responsibility to— lead the privacy program of the agency; and carry out the privacy responsibilities of the agency under this chapter, section 552a of title 5, and guidance issued by the Director. The Chief Privacy Officer of each agency shall— serve in a central leadership position within the agency; have visibility into relevant agency operations; and be positioned highly enough within the agency to regularly engage with other agency leaders and officials, including the head of the agency. A privacy officer of an agency established under a statute enacted before the date of enactment of the Federal Information Security Modernization Act of 2023 may carry out the responsibilities under this subsection for the agency. in section 3513— by redesignating subsection (c) as subsection (d); and by inserting after subsection (b) the following: Each agency providing a written plan under subsection (b) shall provide any portion of the written plan addressing information security to the Secretary of Homeland Security and the National Cyber Director.
Section 3552(b) of title 44, United States Code, is amended— by redesignating paragraphs (2), (3), (4), (5), (6), and (7) as paragraphs (3), (4), (5), (6), (8), and (10), respectively; by inserting after paragraph (1) the following: The term high value asset means information or an information system that the head of an agency, using policies, principles, standards, or guidelines issued by the Director under section 3553(a), determines to be so critical to the agency that the loss or degradation of the confidentiality, integrity, or availability of such information or information system would have a serious impact on the ability of the agency to perform the mission of the agency or conduct business. by inserting after paragraph (6), as so redesignated, the following: The term major incident has the meaning given the term in guidance issued by the Director under section 3598(a). in paragraph (8)(A), as so redesignated, by striking used and inserting owned, managed,; by inserting after paragraph (8), as so redesignated, the following: The term penetration test— means an authorized assessment that emulates attempts to gain unauthorized access to, or disrupt the operations of, an information system or component of an information system; and includes any additional meaning given the term in policies, principles, standards, or guidelines issued by the Director under section 3553(a). by inserting after paragraph (10), as so redesignated, the following: The term shared service means a centralized mission capability or consolidated business function that is provided to multiple organizations within an agency or to multiple agencies. The term zero trust architecture has the meaning given the term in Special Publication 800–207 of the National Institute of Standards and Technology, or any successor document. Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(c)(1)(A)) is amended by striking section 3552(b)(5) and inserting section 3552(b). 
Section 2222(i)(8) of title 10, United States Code, is amended by striking section 3552(b)(6)(A) and inserting section 3552(b)(8)(A). Section 2223(c)(3) of title 10, United States Code, is amended by striking section 3552(b)(6) and inserting section 3552(b). Section 2315 of title 10, United States Code, is amended by striking section 3552(b)(6) and inserting section 3552(b). Section 2339a(e)(5) of title 10, United States Code, is amended by striking section 3552(b)(6) and inserting section 3552(b). Section 207(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5527(a)) is amended by striking section 3552(b)(6)(A)(i) and inserting section 3552(b)(8)(A)(i). Section 3(5) of the Internet of Things Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3a(5)) is amended by striking section 3552(b)(6) and inserting section 3552(b). Section 933(e)(1)(B) of the National Defense Authorization Act for Fiscal Year 2013 (10 U.S.C. 2224 note) is amended by striking section 3542(b)(2) and inserting section 3552(b). The Ike Skelton National Defense Authorization Act for Fiscal Year 2011 (Public Law 111–383) is amended— in section 806(e)(5) (10 U.S.C. 2304 note), by striking section 3542(b) and inserting section 3552(b); in section 931(b)(3) (10 U.S.C. 2223 note), by striking section 3542(b)(2) and inserting section 3552(b); and in section 932(b)(2) (10 U.S.C. 2224 note), by striking section 3542(b)(2) and inserting section 3552(b). Section 301(c)(1)(A) of the E-Government Act of 2002 (44 U.S.C. 3501 note) is amended by striking section 3542(b)(2) and inserting section 3552(b). Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) is amended— in subsection (a)(2), by striking section 3552(b)(5) and inserting section 3552(b); and in subsection (f)— in paragraph (3), by striking section 3532(1) and inserting section 3552(b); and in paragraph (5), by striking section 3532(b)(2) and inserting section 3552(b). 
Subchapter II of chapter 35 of title 44, United States Code, is amended— in section 3551— in paragraph (4), by striking diagnose and improve and inserting integrate, deliver, diagnose, and improve; in paragraph (5), by striking and at the end; in paragraph (6), by striking the period at the end and inserting a semicolon; and by adding at the end the following: recognize that each agency has specific mission requirements and, at times, unique cybersecurity requirements to meet the mission of the agency; recognize that each agency does not have the same resources to secure agency systems, and an agency should not be expected to have the capability to secure the systems of the agency from advanced adversaries alone; and recognize that a holistic Federal cybersecurity model is necessary to account for differences between the missions and capabilities of agencies. in section 3553— in subsection (a)— in paragraph (5), by striking and at the end; in paragraph (6), by striking the period at the end and inserting ; and; and by adding at the end the following: promoting, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, and the Director of the National Institute of Standards and Technology— the use of automation to improve Federal cybersecurity and visibility with respect to the implementation of Federal cybersecurity; and the use of presumption of compromise and least privilege principles, such as zero trust architecture, to improve resiliency and timely response actions to incidents on Federal systems. 
in subsection (b)— in the matter preceding paragraph (1), by inserting and the National Cyber Director after Director; in paragraph (2)(A), by inserting and reporting requirements under subchapter IV of this chapter after section 3556; by redesignating paragraphs (8) and (9) as paragraphs (10) and (11), respectively; and by inserting after paragraph (7) the following: expeditiously seeking opportunities to reduce costs, administrative burdens, and other barriers to information technology security and modernization for agencies, including through shared services for cybersecurity capabilities identified as appropriate by the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and other agencies as appropriate; in subsection (c)— in the matter preceding paragraph (1)— by striking each year and inserting each year during which agencies are required to submit reports under section 3554(c); by inserting , which shall be unclassified but may include 1 or more annexes that contain classified or other sensitive information, as appropriate after a report; and by striking preceding year and inserting preceding 2 years; by striking paragraph (1); by redesignating paragraphs (2), (3), and (4) as paragraphs (1), (2), and (3), respectively; in paragraph (3), as so redesignated, by striking and at the end; and by inserting after paragraph (3), as so redesignated, the following: a summary of the risks and trends identified in the Federal risk assessment required under subsection (i); and in subsection (h)— in paragraph (2)— in subparagraph (A), by inserting and the National Cyber Director after in coordination with the Director; and in subparagraph (D), by inserting , the National Cyber Director, after notify the Director; and in paragraph (3)(A)(iv), by inserting , the National Cyber Director, after the Secretary provides prior notice to the Director; by amending subsection (i) to read as follows: On an ongoing and continuous basis, 
the Director of the Cybersecurity and Infrastructure Security Agency shall assess the Federal risk posture using any available information on the cybersecurity posture of agencies, and brief the Director and National Cyber Director on the findings of such assessment, including— the status of agency cybersecurity remedial actions for high value assets described in section 3554(b)(7); any vulnerability information relating to the systems of an agency that is known by the agency; analysis of incident information under section 3597; evaluation of penetration testing performed under section 3559A; evaluation of vulnerability disclosure program information under section 3559B; evaluation of agency threat hunting results; evaluation of Federal and non-Federal cyber threat intelligence; data on agency compliance with standards issued under section 11331 of title 40; agency system risk assessments required under section 3554(a)(1)(A); relevant reports from inspectors general of agencies and the Government Accountability Office; and any other information the Director of the Cybersecurity and Infrastructure Security Agency determines relevant. 
by adding at the end the following: If the Secretary issues an emergency directive under this section, the Director of the Cybersecurity and Infrastructure Security Agency shall submit to the Director, the National Cyber Director, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committees on Oversight and Accountability and Homeland Security of the House of Representatives an update on the status of the implementation of the emergency directive at agencies not later than 7 days after the date on which the emergency directive requires an agency to complete a requirement specified by the emergency directive, and every 30 days thereafter until— the date on which every agency has fully implemented the emergency directive; the Secretary determines that an emergency directive no longer requires active reporting from agencies or additional implementation; or the date that is 1 year after the issuance of the directive. If the Secretary issues a binding operational directive under this section, the Director of the Cybersecurity and Infrastructure Security Agency shall submit to the Director, the National Cyber Director, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committees on Oversight and Accountability and Homeland Security of the House of Representatives an update on the status of the implementation of the binding operational directive at agencies not later than 30 days after the issuance of the binding operational directive, and every 90 days thereafter until— the date on which every agency has fully implemented the binding operational directive; the Secretary determines that a binding operational directive no longer requires active reporting from agencies or additional implementation; or the date that is 1 year after the issuance or substantive update of the directive. 
If the Director of the Cybersecurity and Infrastructure Security Agency ceases submitting updates required under paragraphs (1) or (2) on the date described in paragraph (1)(C) or (2)(C), the Director of the Cybersecurity and Infrastructure Security Agency shall submit to the Director, the National Cyber Director, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committees on Oversight and Accountability and Homeland Security of the House of Representatives a list of every agency that, at the time of the report— has not completed a requirement specified by an emergency directive; or has not implemented a binding operational directive. Not less frequently than once every 3 years, the Director of the Office of Management and Budget shall review the efficacy of the guidance and policy promulgated by the Director in reducing cybersecurity risks, including a consideration of reporting and compliance burden on agencies. The Director of the Office of Management and Budget shall notify the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Accountability of the House of Representatives of changes to guidance or policy resulting from the review under paragraph (1). The Government Accountability Office shall review guidance and policy promulgated by the Director to assess its efficacy in risk reduction and burden on agencies. When the Director of the National Institute of Standards and Technology issues a proposed standard or guideline pursuant to paragraphs (2) or (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(a)), the Director of the National Institute of Standards and Technology shall consider developing and, if appropriate and practical, develop specifications to enable the automated verification of the implementation of the controls. 
The Director of the Cybersecurity and Infrastructure Security Agency shall, upon request, make available Federal risk assessment information under subsection (i) to the Inspector General of the Department of Homeland Security and the inspector general of any agency that was included in the Federal risk assessment. in section 3554— in subsection (a)— in paragraph (1)— by redesignating subparagraphs (A), (B), and (C) as subparagraphs (B), (C), and (D), respectively; by inserting before subparagraph (B), as so redesignated, the following: on an ongoing and continuous basis, assessing agency system risk, as applicable, by— identifying and documenting the high value assets of the agency using guidance from the Director; evaluating the data assets inventoried under section 3511 for sensitivity to compromises in confidentiality, integrity, and availability; identifying whether the agency is participating in federally offered cybersecurity shared services programs; identifying agency systems that have access to or hold the data assets inventoried under section 3511; evaluating the threats facing agency systems and data, including high value assets, based on Federal and non-Federal cyber threat intelligence products, where available; evaluating the vulnerability of agency systems and data, including high value assets, including by analyzing— the results of penetration testing performed by the Department of Homeland Security under section 3553(b)(9); the results of penetration testing performed under section 3559A; information provided to the agency through the vulnerability disclosure program of the agency under section 3559B; incidents; and any other vulnerability information relating to agency systems that is known to the agency; assessing the impacts of potential agency incidents to agency systems, data, and operations based on the evaluations described in clauses (ii) and (v) and the agency systems identified under clause (iv); and assessing the consequences of 
potential incidents occurring on agency systems that would impact systems at other agencies, including due to interconnectivity between different agency systems or operational reliance on the operations of the system or data in the system; in subparagraph (B), as so redesignated, in the matter preceding clause (i), by striking providing information and inserting using information from the assessment required under subparagraph (A), providing information; in subparagraph (C), as so redesignated— in clause (ii) by inserting binding before operational; and in clause (vi), by striking and at the end; and by adding at the end the following: providing an update on the ongoing and continuous assessment required under subparagraph (A)— upon request, to the inspector general of the agency or the Comptroller General of the United States; and at intervals determined by guidance issued by the Director, and to the extent appropriate and practicable using automation, to— the Director; the Director of the Cybersecurity and Infrastructure Security Agency; and the National Cyber Director; in paragraph (2)— in subparagraph (A), by inserting in accordance with the agency system risk assessment required under paragraph (1)(A) after information systems; in subparagraph (D), by inserting , through the use of penetration testing, the vulnerability disclosure program established under section 3559B, and other means, after periodically; in paragraph (3)(A)— in the matter preceding clause (i), by striking senior agency information security officer and inserting Chief Information Security Officer; in clause (i), by striking this section and inserting subsections (a) through (c); in clause (ii), by striking training and and inserting skills, training, and; by redesignating clauses (iii) and (iv) as (iv) and (v), respectively; by inserting after clause (ii) the following: manage information security, cybersecurity budgets, and risk and compliance activities and explain those concepts to the 
head of the agency and the executive team of the agency; in clause (iv), as so redesignated, by striking information security duties as that official's primary duty and inserting information, computer network, and technology security duties as the Chief Information Security Officers' primary duty; in paragraph (5), by striking annually and inserting not less frequently than quarterly; and in paragraph (6), by striking official delegated and inserting Chief Information Security Officer delegated; and in subsection (b)— by striking paragraph (1) and inserting the following: the ongoing and continuous assessment of agency system risk required under subsection (a)(1)(A), which may include using guidance and automated tools consistent with standards and guidelines promulgated under section 11331 of title 40, as applicable; in paragraph (2)— by striking subparagraph (B); by redesignating subparagraphs (C) and (D) as subparagraphs (B) and (C), respectively; in subparagraph (B), as so redesignated, by striking and at the end; and in subparagraph (C), as so redesignated— by redesignating clauses (iii) and (iv) as clauses (iv) and (v), respectively; by inserting after clause (ii) the following: binding operational directives and emergency directives issued by the Secretary under section 3553; in clause (iv), as so redesignated, by striking as determined by the agency; and and inserting as determined by the agency, considering the agency risk assessment required under subsection (a)(1)(A); in paragraph (5)(A), by inserting , including penetration testing, as appropriate, after shall include testing; by redesignating paragraphs (7) and (8) as paragraphs (8) and (9), respectively; by inserting after paragraph (6) the following: a secure process for providing the status of every remedial action and unremediated identified system vulnerability of a high value asset to the Director and the Director of the Cybersecurity and Infrastructure Security Agency, using automation and
machine-readable data to the greatest extent practicable; in paragraph (8)(C), as so redesignated— by striking clause (ii) and inserting the following: notifying and consulting with the Federal information security incident center established under section 3556 pursuant to the requirements of section 3594; by redesignating clause (iii) as clause (iv); by inserting after clause (ii) the following: performing the notifications and other activities required under subchapter IV of this chapter; and in clause (iv), as so redesignated— in subclause (II), by adding and at the end; by striking subclause (III); and by redesignating subclause (IV) as subclause (III); and in subsection (c)— by redesignating paragraph (2) as paragraph (5); by striking paragraph (1) and inserting the following: Not later than 2 years after the date of enactment of the Federal Information Security Modernization Act of 2023 and not less frequently than once every 2 years thereafter, using the continuous and ongoing agency system risk assessment required under subsection (a)(1)(A), the head of each agency shall submit to the Director, the National Cyber Director, the Director of the Cybersecurity and Infrastructure Security Agency, the Comptroller General of the United States, the majority and minority leaders of the Senate, the Speaker and minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Oversight and Accountability of the House of Representatives, the Committee on Homeland Security of the House of Representatives, the Committee on Commerce, Science, and Transportation of the Senate, the Committee on Science, Space, and Technology of the House of Representatives, and the appropriate authorization and appropriations committees of Congress a report that— summarizes the agency system risk assessment required under subsection (a)(1)(A); evaluates the adequacy and effectiveness of information security policies, 
procedures, and practices of the agency to address the risks identified in the agency system risk assessment required under subsection (a)(1)(A), including an analysis of the agency’s cybersecurity and incident response capabilities using the metrics established under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)); and summarizes the status of remedial actions identified by the inspector general of the agency, the Comptroller General of the United States, and any other source determined appropriate by the head of the agency. Each report submitted under paragraph (1)— shall be, to the greatest extent practicable, in an unclassified and otherwise uncontrolled form; and may include 1 or more annexes that contain classified or other sensitive information, as appropriate. During each year during which a report is not required to be submitted under paragraph (1), the Director shall provide to the congressional committees described in paragraph (1) a briefing summarizing current agency and Federal risk postures. in paragraph (5), as so redesignated, by striking the period at the end and inserting , including the reporting procedures established under section 11315(d) of title 40 and subsection (a)(3)(A)(v) of this section; in section 3555— in the section heading, by striking Annual independent and inserting Independent; in subsection (a)— in paragraph (1), by inserting during which a report is required to be submitted under section 3553(c), after Each year; in paragraph (2)(A), by inserting , including by performing, or reviewing the results of, agency penetration testing and analyzing the vulnerability disclosure program of the agency after information systems; and by adding at the end the following: An evaluation under this section may include recommendations for improving the cybersecurity posture of the agency.
in subsection (b)(1), by striking annual; in subsection (e)(1), by inserting during which a report is required to be submitted under section 3553(c) after Each year; in subsection (g)(2)— by striking this subsection shall and inserting this subsection— shall in subparagraph (A), as so designated, by striking the period at the end and inserting ; and; and by adding at the end the following: identify any entity that performs an independent evaluation under subsection (b). by striking subsection (j) and inserting the following: The Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the Chief Information Officers Council, the Council of the Inspectors General on Integrity and Efficiency, and other interested parties as appropriate, shall ensure the development of risk-based guidance for evaluating the effectiveness of an information security program and practices. The risk-based guidance developed under paragraph (1) shall include— the identification of the most common successful threat patterns; the identification of security controls that address the threat patterns described in subparagraph (A); any other security risks unique to Federal systems; and any other element the Director determines appropriate. in section 3556(a)— in the matter preceding paragraph (1), by inserting within the Cybersecurity and Infrastructure Security Agency after incident center; and in paragraph (4), by striking 3554(b) and inserting 3554(a)(1)(A). The table of sections for chapter 35 of title 44, United States Code, is amended by striking the item relating to section 3555 and inserting the following: Section 226(c) of the Cybersecurity Act of 2015 (6 U.S.C.
1524(c)) is amended— in paragraph (1)(B), in the matter preceding clause (i), by striking annually thereafter and inserting thereafter during the years during which a report is required to be submitted under section 3553(c) of title 44, United States Code; and in paragraph (2)(B), in the matter preceding clause (i)— by striking annually thereafter and inserting thereafter during the years during which a report is required to be submitted under section 3553(c) of title 44, United States Code; and by striking the report required under section 3553(c) of title 44, United States Code and inserting that report. Section 20(d)(3)(B) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(d)(3)(B)) is amended by striking annual. Chapter 35 of title 44, United States Code, is amended by adding at the end the following: Except as provided in subsection (b), the definitions under sections 3502 and 3552 shall apply to this subchapter. As used in this subchapter: The term appropriate reporting entities means— the majority and minority leaders of the Senate; the Speaker and minority leader of the House of Representatives; the Committee on Homeland Security and Governmental Affairs of the Senate; the Committee on Commerce, Science, and Transportation of the Senate; the Committee on Oversight and Accountability of the House of Representatives; the Committee on Homeland Security of the House of Representatives; the Committee on Science, Space, and Technology of the House of Representatives; the appropriate authorization and appropriations committees of Congress; the Director; the Director of the Cybersecurity and Infrastructure Security Agency; the National Cyber Director; the Comptroller General of the United States; and the inspector general of any impacted agency. 
The term awardee, with respect to an agency— means— the recipient of a grant from an agency; a party to a cooperative agreement with an agency; and a party to an other transaction agreement with an agency; and includes a subawardee of an entity described in subparagraph (A). The term breach— means the compromise, unauthorized disclosure, unauthorized acquisition, or loss of control of personally identifiable information or any similar occurrence; and includes any additional meaning given the term in policies, principles, standards, or guidelines issued by the Director. The term contractor means a prime contractor of an agency or a subcontractor of a prime contractor of an agency that creates, collects, stores, processes, maintains, or transmits Federal information on behalf of an agency. The term Federal information means information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the Federal Government in any medium or form. The term Federal information system means an information system owned, managed, or operated by an agency, or on behalf of an agency by a contractor, an awardee, or another organization. The term intelligence community has the meaning given the term in section 3 of the National Security Act of 1947 (50 U.S.C. 3003). The term nationwide consumer reporting agency means a consumer reporting agency described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)). The term vulnerability disclosure means a vulnerability identified under section 3559B. In this section, the term covered breach means a breach— involving not less than 50,000 potentially affected individuals; or the result of which the head of an agency determines that notifying potentially affected individuals is necessary pursuant to subsection (b)(1), regardless of whether— the number of potentially affected individuals is less than 50,000; or the notification is delayed under subsection (d). 
As expeditiously as practicable and without unreasonable delay, and in any case not later than 45 days after an agency has a reasonable basis to conclude that a breach has occurred, the head of the agency, in consultation with the Chief Information Officer and Chief Privacy Officer of the agency, shall— determine whether notice to any individual potentially affected by the breach is appropriate, including by conducting an assessment of the risk of harm to the individual that considers— the nature and sensitivity of the personally identifiable information affected by the breach; the likelihood of access to and use of the personally identifiable information affected by the breach; the type of breach; and any other factors determined by the Director; and if the head of the agency determines notification is necessary pursuant to paragraph (1), provide written notification in accordance with subsection (c) to each individual potentially affected by the breach— to the last known mailing address of the individual; or through an appropriate alternative method of notification. 
Each notification of a breach provided to an individual under subsection (b)(2) shall include, to the maximum extent practicable— a brief description of the breach; if possible, a description of the types of personally identifiable information affected by the breach; contact information of the agency that may be used to ask questions of the agency, which— shall include an e-mail address or another digital contact mechanism; and may include a telephone number, mailing address, or a website; information on any remedy being offered by the agency; any applicable educational materials relating to what individuals can do in response to a breach that potentially affects their personally identifiable information, including relevant contact information for the appropriate Federal law enforcement agencies and each nationwide consumer reporting agency; and any other appropriate information, as determined by the head of the agency or established in guidance by the Director. The head of an agency, in coordination with the Director and the National Cyber Director, and as appropriate, the Attorney General, the Director of National Intelligence, or the Secretary of Homeland Security, may delay a notification required under subsection (b) or (e) if the notification would— impede a criminal investigation or a national security activity; cause an adverse result (as described in section 2705(a)(2) of title 18); reveal sensitive sources and methods; cause damage to national security; or hamper security remediation actions. A delay under paragraph (1) shall be for a period of 60 days and may be renewed. The head of an agency delaying notification under this subsection with respect to a breach exclusively of a national security system shall coordinate such delay with the Secretary of Defense. 
If an agency determines there is a significant change in the reasonable basis to conclude that a breach occurred, a significant change to the determination made under subsection (b)(1), or that it is necessary to update the details of the information provided to potentially affected individuals as described in subsection (c), the agency shall as expeditiously as practicable and without unreasonable delay, and in any case not later than 30 days after such a determination, notify each individual who received a notification pursuant to subsection (b) of those changes. Not later than 1 year after the date of enactment of the Federal Information Security Modernization Act of 2023, and annually thereafter, the head of an agency, in coordination with any official who delays a notification under subsection (d), shall submit to the appropriate reporting entities a report on each delay that occurred during the previous 2 years. The head of an agency may submit the report required under paragraph (1) as a component of the report submitted under section 3554(c). On a periodic basis, the Director of the Office of Management and Budget shall review, and update as appropriate, breach notification policies and guidelines for agencies. Subject to paragraph (4), the Director of the Office of Management and Budget shall require the head of an agency affected by a covered breach to expeditiously and not later than 30 days after the date on which the agency discovers the covered breach give notice of the breach, which may be provided electronically, to— each congressional committee described in section 3554(c)(1); and the Committee on the Judiciary of the Senate and the Committee on the Judiciary of the House of Representatives. 
Notice of a covered breach provided by the head of an agency pursuant to paragraph (2) shall include, to the extent practicable— information about the covered breach, including a summary of any information about how the covered breach occurred known by the agency as of the date of the notice; an estimate of the number of individuals affected by the covered breach based on information known by the agency as of the date of the notice, including an assessment of the risk of harm to affected individuals; a description of any circumstances necessitating a delay in providing notice to individuals affected by the covered breach in accordance with subsection (d); and an estimate of when the agency will provide notice to individuals affected by the covered breach, if applicable. Any agency that is required to provide notice to Congress pursuant to paragraph (2) due to a covered breach exclusively on a national security system shall only provide such notice to— the majority and minority leaders of the Senate; the Speaker and minority leader of the House of Representatives; the appropriations committees of Congress; the Committee on Homeland Security and Governmental Affairs of the Senate; the Select Committee on Intelligence of the Senate; the Committee on Oversight and Accountability of the House of Representatives; and the Permanent Select Committee on Intelligence of the House of Representatives. Nothing in paragraphs (1) through (3) shall be construed to alter any authority of an agency. 
Nothing in this section shall be construed to— limit— the authority of the Director to issue guidance relating to notifications of, or the head of an agency to notify individuals potentially affected by, breaches that are not determined to be covered breaches or major incidents; the authority of the Director to issue guidance relating to notifications and reporting of breaches, covered breaches, or major incidents; the authority of the head of an agency to provide more information than required under subsection (b) when notifying individuals potentially affected by a breach; the timing of incident reporting or the types of information included in incident reports provided, pursuant to this subchapter, to— the Director; the National Cyber Director; the Director of the Cybersecurity and Infrastructure Security Agency; or any other agency; the authority of the head of an agency to provide information to Congress about agency breaches, including— breaches that are not covered breaches; and additional information beyond the information described in subsection (g)(3); or any Congressional reporting requirements of agencies under any other law; or limit or supersede any existing privacy protections in existing law. 
In this section, the term appropriate congressional entities means— the majority and minority leaders of the Senate; the Speaker and minority leader of the House of Representatives; the Committee on Homeland Security and Governmental Affairs of the Senate; the Committee on Commerce, Science, and Transportation of the Senate; the Committee on Oversight and Accountability of the House of Representatives; the Committee on Homeland Security of the House of Representatives; the Committee on Science, Space, and Technology of the House of Representatives; and the appropriate authorization and appropriations committees of Congress. Not later than 72 hours after an agency has a reasonable basis to conclude that a major incident occurred, the head of the agency impacted by the major incident shall submit to the appropriate reporting entities a written notification, which may be submitted electronically and include 1 or more annexes that contain classified or other sensitive information, as appropriate. A notification required under paragraph (1) with respect to a major incident shall include the following, based on information available to agency officials as of the date on which the agency submits the notification: A summary of the information available about the major incident, including how the major incident occurred and the threat causing the major incident. If applicable, information relating to any breach associated with the major incident, regardless of whether— the breach was the reason the incident was determined to be a major incident; and the head of the agency determined it was appropriate to provide notification to potentially impacted individuals pursuant to section 3592(b)(1). 
A preliminary assessment of the impacts to— the agency; the Federal Government; the national security, foreign relations, homeland security, and economic security of the United States; and the civil liberties, public confidence, privacy, and public health and safety of the people of the United States. If applicable, whether any ransom has been demanded or paid, or is expected to be paid, by any entity operating a Federal information system or with access to Federal information or a Federal information system, including, as available, the name of the entity demanding ransom, the date of the demand, and the amount and type of currency demanded, unless disclosure of such information will disrupt an active Federal law enforcement or national security operation. Within a reasonable amount of time, but not later than 30 days after the date on which the head of an agency submits a written notification under subsection (a), the head of the agency shall provide to the appropriate congressional entities an unclassified and written update, which may include 1 or more annexes that contain classified or other sensitive information, as appropriate, on the major incident, based on information available to agency officials as of the date on which the agency provides the update, on— system vulnerabilities relating to the major incident, where applicable, means by which the major incident occurred, the threat causing the major incident, where applicable, and impacts of the major incident to— the agency; other Federal agencies, Congress, or the judicial branch; the national security, foreign relations, homeland security, or economic security of the United States; or the civil liberties, public confidence, privacy, or public health and safety of the people of the United States; the status of compliance of the affected Federal information system with applicable security requirements at the time of the major incident; if the major incident involved a breach, a description of the 
affected information, an estimate of the number of individuals potentially impacted, and any assessment to the risk of harm to such individuals; an update to the assessment of the risk to agency operations, or to impacts on other agency or non-Federal entity operations, affected by the major incident; and the detection, response, and remediation actions of the agency, including any support provided by the Cybersecurity and Infrastructure Security Agency under section 3594(d), if applicable. If the head of an agency, the Director, or the National Cyber Director determines that there is any significant change in the understanding of the scope, scale, or consequence of a major incident for which the head of the agency submitted a written notification and update under subsections (b) and (c), the head of the agency shall submit to the appropriate congressional entities a written update that includes information relating to the change in understanding. Each agency shall submit as part of the biennial report required under section 3554(c)(1) a description of each major incident that occurred during the 2-year period preceding the date on which the biennial report is submitted. Any written notification or update required to be submitted under this section— shall be submitted in an electronic format; and may be submitted in a paper format. Any written notification or update required to be submitted under this section— shall be— unclassified; and submitted through unclassified electronic means pursuant to paragraph (1)(A); and may include classified annexes, as appropriate. 
To achieve consistent and coherent agency reporting to Congress, the National Cyber Director, in coordination with the Director, shall— provide recommendations to agencies on formatting and the contents of information to be included in the reports required under this section, including recommendations for consistent formats for presenting any associated metrics; and maintain a comprehensive record of each major incident notification, update, and briefing provided under this section, which shall— include, at a minimum— the full contents of the written notification or update; the identity of the reporting agency; and the date of submission; and a list of the recipient congressional entities; and be made available upon request to the majority and minority leaders of the Senate, the Speaker and minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Oversight and Accountability of the House of Representatives. With respect to a major incident that occurs exclusively on a national security system, the head of the affected agency shall submit the notifications and reports required to be submitted to Congress under this section only to— the majority and minority leaders of the Senate; the Speaker and minority leader of the House of Representatives; the appropriations committees of Congress; the appropriate authorization committees of Congress; the Committee on Homeland Security and Governmental Affairs of the Senate; the Select Committee on Intelligence of the Senate; the Committee on Oversight and Accountability of the House of Representatives; and the Permanent Select Committee on Intelligence of the House of Representatives. 
If a major incident constitutes a covered breach, as defined in section 3592(a), information on the covered breach required to be submitted to Congress pursuant to section 3592(g) may— be included in the notifications required under subsection (b) or (c); or be reported to Congress under the process established under section 3592(g). Nothing in this section shall be construed to— limit— the ability of an agency to provide additional reports or briefings to Congress; Congress from requesting additional information from agencies through reports, briefings, or other means; any congressional reporting requirements of agencies under any other law; or limit or supersede any privacy protections under any other law. Subject to paragraph (4) and subsection (b), and in accordance with the applicable requirements pursuant to section 3553(b)(2)(A) for reporting to the Federal information security incident center established under section 3556, the head of each agency shall provide to the Cybersecurity and Infrastructure Security Agency information relating to any incident affecting the agency, whether the information is obtained by the Federal Government directly or indirectly. 
A provision of information relating to an incident made by the head of an agency under paragraph (1) shall include, at a minimum— a full description of the incident, including— all indicators of compromise and tactics, techniques, and procedures; an indicator of how the intruder gained initial access, accessed agency data or systems, and undertook additional actions on the network of the agency; and information that would support enabling defensive measures; and other information that may assist in identifying other victims; information to help prevent similar incidents, such as information about relevant safeguards in place when the incident occurred and the effectiveness of those safeguards; and information to aid in incident response, such as— a description of the affected systems or networks; the estimated dates of when the incident occurred; and information that could reasonably help identify any malicious actor that may have conducted or caused the incident, subject to appropriate privacy protections. The Director of the Cybersecurity and Infrastructure Security Agency shall— make incident information provided under paragraph (1) available to the Director and the National Cyber Director; to the greatest extent practicable, share information relating to an incident with— the head of any agency that may be— impacted by the incident; particularly susceptible to the incident; or similarly targeted by the incident; and appropriate Federal law enforcement agencies to facilitate any necessary threat response activities, as requested; coordinate any necessary information sharing efforts relating to a major incident with the private sector; and notify the National Cyber Director of any efforts described in subparagraph (C). 
Notwithstanding paragraphs (1) and (3), each agency operating or exercising control of a national security system shall share information about an incident that occurs exclusively on a national security system with the Secretary of Defense, the Director, the National Cyber Director, and the Director of the Cybersecurity and Infrastructure Security Agency to the extent consistent with standards and guidelines for national security systems issued in accordance with law and as directed by the President. Any information sharing and handling of information under this paragraph shall be appropriately protected consistent with procedures authorized for the protection of sensitive sources and methods or by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. In providing information and selecting a method to provide information under subsection (a), the head of each agency shall implement subsection (a)(1) in a manner that provides such information to the Cybersecurity and Infrastructure Security Agency in an automated and machine-readable format, to the greatest extent practicable. Each agency that has a reasonable basis to suspect or conclude that a major incident occurred involving Federal information in electronic medium or form that does not exclusively involve a national security system shall coordinate with— the Cybersecurity and Infrastructure Security Agency to facilitate asset response activities and provide recommendations for mitigating future incidents; and consistent with relevant policies, appropriate Federal law enforcement agencies to facilitate threat response activities. 
Any contractor or awardee of an agency shall report to the agency if the contractor or awardee has a reasonable basis to conclude that— an incident or breach has occurred with respect to Federal information the contractor or awardee collected, used, or maintained on behalf of an agency; an incident or breach has occurred with respect to a Federal information system used, operated, managed, or maintained on behalf of an agency by the contractor or awardee; a component of any Federal information system operated, managed, or maintained by a contractor or awardee contains a security vulnerability, including a supply chain compromise or an identified software or hardware vulnerability, for which there is reliable evidence of attempted or successful exploitation of the vulnerability by an actor without authorization of the Federal information system owner; or the contractor or awardee has received personally identifiable information, personal health information, or other clearly sensitive information that is beyond the scope of the contract or agreement with the agency from the agency that the contractor or awardee is not authorized to receive. Subject to the guidance issued by the Director pursuant to paragraph (4), any contractor or awardee of an agency shall report to the agency and the Cybersecurity and Infrastructure Security Agency if the contractor or awardee has a reasonable basis to suspect or conclude that a component of any Federal information system operated, managed, or maintained on behalf of an agency by the contractor or awardee on behalf of the agency contains a security vulnerability, including a supply chain compromise or an identified software or hardware vulnerability, that has been reported to the contractor or awardee by a third party, including through a vulnerability disclosure program. 
As soon as practicable following a report of an incident to an agency by a contractor or awardee under paragraph (1), the head of the agency shall provide, pursuant to section 3594, information about the incident to the Director of the Cybersecurity and Infrastructure Security Agency. Unless a different time for reporting is specified in a contract, grant, cooperative agreement, or other transaction agreement, a contractor or awardee shall— make a report required under paragraph (1) not later than 1 day after the date on which the contractor or awardee has reasonable basis to suspect or conclude that the criteria under paragraph (1) have been met; and make a report required under paragraph (2) within a reasonable time, but not later than 90 days after the date on which the contractor or awardee has reasonable basis to suspect or conclude that the criteria under paragraph (2) have been met. Following a report of a breach or incident to an agency by a contractor or awardee under paragraph (1), the head of the agency, in consultation with the contractor or awardee, shall carry out the applicable requirements under sections 3592, 3593, and 3594 with respect to the breach or incident. Nothing in subparagraph (B) shall be construed to allow the negation of the requirements to report vulnerabilities under paragraph (1) or (2) through a contract, grant, cooperative agreement, or other transaction agreement. The Director shall issue guidance to agencies relating to the scope of vulnerabilities to be reported under paragraph (2), such as the minimum severity of a vulnerability required to be reported or whether vulnerabilities that are already publicly disclosed must be reported. 
Not later than 1 year after the date of enactment of the Federal Information Security Modernization Act of 2023— the Federal Acquisition Regulatory Council shall promulgate regulations, as appropriate, relating to the responsibilities of contractors and recipients of other transaction agreements and cooperative agreements to comply with this section; and the Office of Federal Financial Management shall promulgate regulations under title 2, Code of Federal Regulations, as appropriate, relating to the responsibilities of grantees to comply with this section. Not later than 1 year after the date on which the Federal Acquisition Regulatory Council and the Office of Federal Financial Management promulgate regulations under paragraph (1), the head of each agency shall implement policies and procedures, as appropriate, necessary to implement those regulations. The head of each agency shall notify the Director upon implementation of policies and procedures necessary to implement the regulations promulgated under paragraph (1). Not later than 30 days after the date described in paragraph (2), the Director shall notify the Committee on Homeland Security and Governmental Affairs of the Senate and the Committees on Oversight and Accountability and Homeland Security of the House of Representatives on the status of the implementation by each agency of the regulations promulgated under paragraph (1). Notwithstanding any other provision of this section, a contractor or awardee of an agency that would be required to report an incident or vulnerability pursuant to this section that occurs exclusively on a national security system shall— report the incident or vulnerability to the head of the agency and the Secretary of Defense; and comply with applicable laws and policies relating to national security systems. 
In this section, the term covered individual means an individual who obtains access to a Federal information system because of the status of the individual as— an employee, contractor, awardee, volunteer, or intern of an agency; or an employee of a contractor or awardee of an agency. The Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, the National Cyber Director, and the Director of the National Institute of Standards and Technology, shall develop best practices to support consistency across agencies in cybersecurity incident response training, including— information to be collected and shared with the Cybersecurity and Infrastructure Security Agency pursuant to section 3594(a) and processes for sharing such information; and appropriate training and qualifications for cyber incident responders. The head of each agency shall develop training for covered individuals on how to identify and respond to an incident, including— the internal process of the agency for reporting an incident; and the obligation of a covered individual to report to the agency any suspected or confirmed incident involving Federal information in any medium or form, including paper, oral, and electronic. The training developed under subsection (c) may be included as part of an annual privacy, security awareness, or other appropriate training of an agency. 
The Director of the Cybersecurity and Infrastructure Security Agency shall perform and, in coordination with the Director and the National Cyber Director, develop, continuous monitoring and quantitative and qualitative analyses of incidents at agencies, including major incidents, including— the causes of incidents, including— attacker tactics, techniques, and procedures; and system vulnerabilities, including zero days, unpatched systems, and information system misconfigurations; the scope and scale of incidents at agencies; common root causes of incidents across multiple agencies; agency incident response, recovery, and remediation actions and the effectiveness of those actions, as applicable; lessons learned and recommendations in responding to, recovering from, remediating, and mitigating future incidents; and trends across multiple agencies to address intrusion detection and incident response capabilities using the metrics established under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)). The analyses developed under paragraph (1) shall, to the greatest extent practicable, use machine readable data, automation, and machine learning processes. The Director of the Cybersecurity and Infrastructure Security Agency shall share on an ongoing basis the analyses and underlying data required under this subsection with agencies, the Director, and the National Cyber Director to— improve the understanding of cybersecurity risk of agencies; and support the cybersecurity improvement efforts of agencies. In carrying out subparagraph (A), the Director of the Cybersecurity and Infrastructure Security Agency shall share the analyses— in human-readable written products; and to the greatest extent practicable, in machine-readable formats in order to enable automated intake and use by agencies. This subsection shall not apply to incidents that occur exclusively on national security systems. 
Not later than 2 years after the date of enactment of this section, and not less frequently than annually thereafter, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, the National Cyber Director and the heads of other agencies, as appropriate, shall submit to the appropriate reporting entities a report that includes— a summary of causes of incidents from across the Federal Government that categorizes those incidents as incidents or major incidents; the quantitative and qualitative analyses of incidents developed under subsection (a)(1) on an agency-by-agency basis and comprehensively across the Federal Government, including— a specific analysis of breaches; and an analysis of the Federal Government’s performance against the metrics established under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)); and an annex for each agency that includes— a description of each major incident; the total number of incidents of the agency; and an analysis of the agency’s performance against the metrics established under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)). The Director of the Cybersecurity and Infrastructure Security Agency shall make a version of each report submitted under subsection (b) publicly available on the website of the Cybersecurity and Infrastructure Security Agency during the year during which the report is submitted. The publication requirement under paragraph (1) shall not apply to a portion of a report that contains content that should be protected in the interest of national security, as determined by the Director, the Director of the Cybersecurity and Infrastructure Security Agency, or the National Cyber Director. The exemption under paragraph (2) shall not apply to any version of a report submitted to the appropriate reporting entities under subsection (b). 
Subject to subparagraph (B), in making a report publicly available under paragraph (1), the Director of the Cybersecurity and Infrastructure Security Agency shall sufficiently compile information so that no specific incident of an agency can be identified. The Director of the Cybersecurity and Infrastructure Security Agency may include information that enables a specific incident of an agency to be identified in a publicly available report— with the concurrence of the Director and the National Cyber Director; in consultation with the impacted agency; and in consultation with the inspector general of the impacted agency. The analysis required under subsection (a) and each report submitted under subsection (b) shall use information provided by agencies under section 3594(a). During any year during which the head of an agency does not provide data for an incident to the Cybersecurity and Infrastructure Security Agency in accordance with section 3594(a), the head of the agency, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and the Director, shall submit to the appropriate reporting entities a report that includes the information described in subsection (b) with respect to the agency. 
Notwithstanding any other provision of this section, the Secretary of Defense, in consultation with the Director, the National Cyber Director, the Director of National Intelligence, and the Director of Cybersecurity and Infrastructure Security shall annually submit a report that includes the information described in subsection (b) with respect to national security systems, to the extent that the submission is consistent with standards and guidelines for national security systems issued in accordance with law and as directed by the President, to— the majority and minority leaders of the Senate, the Speaker and minority leader of the House of Representatives; the Committee on Homeland Security and Governmental Affairs of the Senate; the Select Committee on Intelligence of the Senate; the Committee on Armed Services of the Senate; the Committee on Appropriations of the Senate; the Committee on Oversight and Accountability of the House of Representatives; the Committee on Homeland Security of the House of Representatives; the Permanent Select Committee on Intelligence of the House of Representatives; the Committee on Armed Services of the House of Representatives; and the Committee on Appropriations of the House of Representatives. A report required under paragraph (1) may be submitted in a classified form. Not later than 1 year after the later of the date of enactment of the Federal Information Security Modernization Act of 2023 and the most recent publication by the Director of guidance to agencies regarding major incidents as of the date of enactment of the Federal Information Security Modernization Act of 2023, the Director shall develop, in coordination with the National Cyber Director, and promulgate guidance on the definition of the term major incident for the purposes of subchapter II and this subchapter. 
With respect to the guidance issued under subsection (a), the definition of the term major incident shall—
include, with respect to any information collected or maintained by or on behalf of an agency or a Federal information system—
any incident the head of the agency determines is likely to result in demonstrable harm to— the national security interests, foreign relations, homeland security, or economic security of the United States; or the civil liberties, public confidence, privacy, or public health and safety of the people of the United States;
any incident the head of the agency determines is likely to result in an inability or substantial disruption for the agency, a component of the agency, or the Federal Government, to provide 1 or more critical services;
any incident the head of the agency determines substantially disrupts or substantially degrades the operations of a high value asset owned or operated by the agency;
any incident involving the exposure to a foreign entity of sensitive agency information, such as the communications of the head of the agency, the head of a component of the agency, or the direct reports of the head of the agency or the head of a component of the agency; and
any other type of incident determined appropriate by the Director;
stipulate that the National Cyber Director, in consultation with the Director and the Director of the Cybersecurity and Infrastructure Security Agency, may declare a major incident at any agency, and such a declaration shall be considered if it is determined that an incident— occurs at not less than 2 agencies; and is enabled by— a common technical root cause, such as a supply chain compromise, or a common software or hardware vulnerability; or the related activities of a common threat actor;
stipulate that, in determining whether an incident constitutes a major incident under the standards described in paragraph (1), the head of the agency shall consult with the National Cyber Director; and
stipulate that the mere report of a vulnerability discovered or disclosed without a loss of confidentiality, integrity, or availability shall not on its own constitute a major incident.

Not later than 60 days after the date on which the Director first promulgates the guidance required under subsection (a), and not less frequently than once during the first 90 days of each evenly numbered Congress thereafter, the Director shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committees on Oversight and Accountability and Homeland Security of the House of Representatives a briefing that includes—
an evaluation of any necessary updates to the guidance;
an evaluation of any necessary updates to the definition of the term major incident included in the guidance; and
an explanation of, and the analysis that led to, the definition described in paragraph (2).

The table of sections for chapter 35 of title 44, United States Code, is amended by adding at the end the following:

(v) privacy, confidentiality, disclosure, and sharing of information;
(vi) in consultation with the National Cyber Director, security of information; and

(1) develop and oversee the implementation of policies, principles, standards, and guidelines on privacy, confidentiality, disclosure, and sharing of information collected or maintained by or for agencies;
(2) in consultation with the National Cyber Director, oversee the implementation of policies, principles, standards, and guidelines on security of information collected or maintained by or for agencies; and

(D) maintained on a continual basis through the use of automation, machine-readable data, and scanning, wherever practicable.

(j)(1) Notwithstanding paragraphs (2) and (3) of subsection (a), the head of each agency shall designate a Chief Privacy Officer with the necessary skills, knowledge, and expertise, who shall have the authority and responsibility to— (A) lead the privacy program of the agency; and (B) carry out the privacy responsibilities of the agency under this chapter, section 552a of title 5, and guidance issued by the Director.
(2) The Chief Privacy Officer of each agency shall— (A) serve in a central leadership position within the agency; (B) have visibility into relevant agency operations; and (C) be positioned highly enough within the agency to regularly engage with other agency leaders and officials, including the head of the agency.
(3) A privacy officer of an agency established under a statute enacted before the date of enactment of the Federal Information Security Modernization Act of 2023 may carry out the responsibilities under this subsection for the agency.

(c) Each agency providing a written plan under subsection (b) shall provide any portion of the written plan addressing information security to the Secretary of Homeland Security and the National Cyber Director.

(2) The term high value asset means information or an information system that the head of an agency, using policies, principles, standards, or guidelines issued by the Director under section 3553(a), determines to be so critical to the agency that the loss or degradation of the confidentiality, integrity, or availability of such information or information system would have a serious impact on the ability of the agency to perform the mission of the agency or conduct business.

(7) The term major incident has the meaning given the term in guidance issued by the Director under section 3598(a).

(9) The term penetration test— (A) means an authorized assessment that emulates attempts to gain unauthorized access to, or disrupt the operations of, an information system or component of an information system; and (B) includes any additional meaning given the term in policies, principles, standards, or guidelines issued by the Director under section 3553(a).

(11) The term shared service means a centralized mission capability or consolidated business function that is provided to multiple organizations within an agency or to multiple agencies.
(12) The term zero trust architecture has the meaning given the term in Special Publication 800–207 of the National Institute of Standards and Technology, or any successor document.

(7) recognize that each agency has specific mission requirements and, at times, unique cybersecurity requirements to meet the mission of the agency;
(8) recognize that each agency does not have the same resources to secure agency systems, and an agency should not be expected to have the capability to secure the systems of the agency from advanced adversaries alone; and
(9) recognize that a holistic Federal cybersecurity model is necessary to account for differences between the missions and capabilities of agencies.

(7) promoting, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, and the Director of the National Institute of Standards and Technology— (A) the use of automation to improve Federal cybersecurity and visibility with respect to the implementation of Federal cybersecurity; and (B) the use of presumption of compromise and least privilege principles, such as zero trust architecture, to improve resiliency and timely response actions to incidents on Federal systems.
(8) expeditiously seeking opportunities to reduce costs, administrative burdens, and other barriers to information technology security and modernization for agencies, including through shared services for cybersecurity capabilities identified as appropriate by the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and other agencies as appropriate;

(4) a summary of the risks and trends identified in the Federal risk assessment required under subsection (i); and

(i) Federal risk assessment
On an ongoing and continuous basis, the Director of the Cybersecurity and Infrastructure Security Agency shall assess the Federal risk posture using any available information on the cybersecurity
posture of agencies, and brief the Director and National Cyber Director on the findings of such assessment, including—
(1) the status of agency cybersecurity remedial actions for high value assets described in section 3554(b)(7);
(2) any vulnerability information relating to the systems of an agency that is known by the agency;
(3) analysis of incident information under section 3597;
(4) evaluation of penetration testing performed under section 3559A;
(5) evaluation of vulnerability disclosure program information under section 3559B;
(6) evaluation of agency threat hunting results;
(7) evaluation of Federal and non-Federal cyber threat intelligence;
(8) data on agency compliance with standards issued under section 11331 of title 40;
(9) agency system risk assessments required under section 3554(a)(1)(A);
(10) relevant reports from inspectors general of agencies and the Government Accountability Office; and
(11) any other information the Director of the Cybersecurity and Infrastructure Security Agency determines relevant.

(m) Directives
(1) Emergency directive updates
If the Secretary issues an emergency directive under this section, the Director of the Cybersecurity and Infrastructure Security Agency shall submit to the Director, the National Cyber Director, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committees on Oversight and Accountability and Homeland Security of the House of Representatives an update on the status of the implementation of the emergency directive at agencies not later than 7 days after the date on which the emergency directive requires an agency to complete a requirement specified by the emergency directive, and every 30 days thereafter until— (A) the date on which every agency has fully implemented the emergency directive; (B) the Secretary determines that an emergency directive no longer requires active reporting from agencies or additional implementation; or (C) the date that is 1 year after the issuance of the directive.
(2) Binding operational directive updates
If the Secretary issues a binding operational directive under this section, the Director of the Cybersecurity and Infrastructure Security Agency shall submit to the Director, the National Cyber Director, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committees on Oversight and Accountability and Homeland Security of the House of Representatives an update on the status of the implementation of the binding operational directive at agencies not later than 30 days after the issuance of the binding operational directive, and every 90 days thereafter until— (A) the date on which every agency has fully implemented the binding operational directive; (B) the Secretary determines that a binding operational directive no longer requires active reporting from agencies or additional implementation; or (C) the date that is 1 year after the issuance or substantive update of the directive.
(3) Report
If the Director of the Cybersecurity and Infrastructure Security Agency ceases submitting updates required under paragraphs (1) or (2) on the date described in paragraph (1)(C) or (2)(C), the Director of the Cybersecurity and Infrastructure Security Agency shall submit to the Director, the National Cyber Director, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committees on Oversight and Accountability and Homeland Security of the House of Representatives a list of every agency that, at the time of the report— (A) has not completed a requirement specified by an emergency directive; or (B) has not implemented a binding operational directive.

(n) Review of Office of Management and Budget guidance and policy
(1) Conduct of review
Not less frequently than once every 3 years, the Director of the Office of Management and Budget shall review the efficacy of the guidance and policy promulgated by the Director in reducing cybersecurity risks, including a consideration of reporting and
compliance burden on agencies.
(2) Congressional notification
The Director of the Office of Management and Budget shall notify the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Accountability of the House of Representatives of changes to guidance or policy resulting from the review under paragraph (1).
(3) GAO review
The Government Accountability Office shall review guidance and policy promulgated by the Director to assess its efficacy in risk reduction and burden on agencies.

(o) Automated standard implementation verification
When the Director of the National Institute of Standards and Technology issues a proposed standard or guideline pursuant to paragraphs (2) or (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(a)), the Director of the National Institute of Standards and Technology shall consider developing and, if appropriate and practical, develop specifications to enable the automated verification of the implementation of the controls.

(p) Inspectors general access to federal risk assessments
The Director of the Cybersecurity and Infrastructure Security Agency shall, upon request, make available Federal risk assessment information under subsection (i) to the Inspector General of the Department of Homeland Security and the inspector general of any agency that was included in the Federal risk assessment.

(A) on an ongoing and continuous basis, assessing agency system risk, as applicable, by—
(i) identifying and documenting the high value assets of the agency using guidance from the Director;
(ii) evaluating the data assets inventoried under section 3511 for sensitivity to compromises in confidentiality, integrity, and availability;
(iii) identifying whether the agency is participating in federally offered cybersecurity shared services programs;
(iv) identifying agency systems that have access to or hold the data assets inventoried under section 3511;
(v) evaluating the threats facing agency systems and data, including high value assets, based on Federal and non-Federal cyber threat intelligence products, where available;
(vi) evaluating the vulnerability of agency systems and data, including high value assets, including by analyzing— (I) the results of penetration testing performed by the Department of Homeland Security under section 3553(b)(9); (II) the results of penetration testing performed under section 3559A; (III) information provided to the agency through the vulnerability disclosure program of the agency under section 3559B; (IV) incidents; and (V) any other vulnerability information relating to agency systems that is known to the agency;
(vii) assessing the impacts of potential agency incidents to agency systems, data, and operations based on the evaluations described in clauses (ii) and (v) and the agency systems identified under clause (iv); and
(viii) assessing the consequences of potential incidents occurring on agency systems that would impact systems at other agencies, including due to interconnectivity between different agency systems or operational reliance on the operations of the system or data in the system;

(E) providing an update on the ongoing and continuous assessment required under subparagraph (A)— (i) upon request, to the inspector general of the agency or the Comptroller General of the United States; and (ii) at intervals determined by guidance issued by the Director, and to the extent appropriate and practicable using automation, to— (I) the Director; (II) the Director of the Cybersecurity and Infrastructure Security Agency; and (III) the National Cyber Director;

(iii) manage information security, cybersecurity budgets, and risk and compliance activities and explain those concepts to the head of the agency and the executive team of the agency; and

(1) the ongoing and continuous assessment of agency system risk required under subsection (a)(1)(A), which may include using guidance and automated tools consistent with standards and
guidelines promulgated under section 11331 of title 40, as applicable;

(iii) binding operational directives and emergency directives issued by the Secretary under section 3553; and

(7) a secure process for providing the status of every remedial action and unremediated identified system vulnerability of a high value asset to the Director and the Director of the Cybersecurity and Infrastructure Security Agency, using automation and machine-readable data to the greatest extent practicable; and

(ii) notifying and consulting with the Federal information security incident center established under section 3556 pursuant to the requirements of section 3594;
(iii) performing the notifications and other activities required under subchapter IV of this chapter; and

(1) Biennial report
Not later than 2 years after the date of enactment of the Federal Information Security Modernization Act of 2023 and not less frequently than once every 2 years thereafter, using the continuous and ongoing agency system risk assessment required under subsection (a)(1)(A), the head of each agency shall submit to the Director, the National Cyber Director, the Director of the Cybersecurity and Infrastructure Security Agency, the Comptroller General of the United States, the majority and minority leaders of the Senate, the Speaker and minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Oversight and Accountability of the House of Representatives, the Committee on Homeland Security of the House of Representatives, the Committee on Commerce, Science, and Transportation of the Senate, the Committee on Science, Space, and Technology of the House of Representatives, and the appropriate authorization and appropriations committees of Congress a report that— (A) summarizes the agency system risk assessment required under subsection (a)(1)(A); (B) evaluates the adequacy and effectiveness of information security policies, procedures, and practices of the agency to address the risks identified in the agency system risk assessment required under subsection (a)(1)(A), including an analysis of the agency's cybersecurity and incident response capabilities using the metrics established under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)); and (C) summarizes the status of remedial actions identified by the inspector general of the agency, the Comptroller General of the United States, and any other source determined appropriate by the head of the agency.
(2) Unclassified reports
Each report submitted under paragraph (1)— (A) shall be, to the greatest extent practicable, in an unclassified and otherwise uncontrolled form; and (B) may include 1 or more annexes that contain classified or other sensitive information, as appropriate.
(3) Briefings
During each year during which a report is not required to be submitted under paragraph (1), the Director shall provide to the congressional committees described in paragraph (1) a briefing summarizing current agency and Federal risk postures.

(3) An evaluation under this section may include recommendations for improving the cybersecurity posture of the agency.

(A) shall;
(B) identify any entity that performs an independent evaluation under subsection (b).

(j) Guidance
(1) In general
The Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the Chief Information Officers Council, the Council of the Inspectors General on Integrity and Efficiency, and other interested parties as appropriate, shall ensure the development of risk-based guidance for evaluating the effectiveness of an information security program and practices.
(2) Priorities
The risk-based guidance developed under paragraph (1) shall include— (A) the identification of the most common successful threat patterns; (B) the identification of security controls that address the threat patterns described in subparagraph (A); (C) any other security risks
unique to Federal systems; and (D) any other element the Director determines appropriate.

3555. Independent evaluation.

IV Federal system incident response

3591. Definitions
(a) In general
Except as provided in subsection (b), the definitions under sections 3502 and 3552 shall apply to this subchapter.
(b) Additional definitions
As used in this subchapter:
(1) Appropriate reporting entities
The term appropriate reporting entities means— (A) the majority and minority leaders of the Senate; (B) the Speaker and minority leader of the House of Representatives; (C) the Committee on Homeland Security and Governmental Affairs of the Senate; (D) the Committee on Commerce, Science, and Transportation of the Senate; (E) the Committee on Oversight and Accountability of the House of Representatives; (F) the Committee on Homeland Security of the House of Representatives; (G) the Committee on Science, Space, and Technology of the House of Representatives; (H) the appropriate authorization and appropriations committees of Congress; (I) the Director; (J) the Director of the Cybersecurity and Infrastructure Security Agency; (K) the National Cyber Director; (L) the Comptroller General of the United States; and (M) the inspector general of any impacted agency.
(2) Awardee
The term awardee, with respect to an agency— (A) means— (i) the recipient of a grant from an agency; (ii) a party to a cooperative agreement with an agency; and (iii) a party to an other transaction agreement with an agency; and (B) includes a subawardee of an entity described in subparagraph (A).
(3) Breach
The term breach— (A) means the compromise, unauthorized disclosure, unauthorized acquisition, or loss of control of personally identifiable information or any similar occurrence; and (B) includes any additional meaning given the term in policies, principles, standards, or guidelines issued by the Director.
(4) Contractor
The term contractor means a prime contractor of an agency or a subcontractor of a prime contractor of an agency that creates, collects, stores, processes, maintains, or transmits Federal information on behalf of an agency.
(5) Federal information
The term Federal information means information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the Federal Government in any medium or form.
(6) Federal information system
The term Federal information system means an information system owned, managed, or operated by an agency, or on behalf of an agency by a contractor, an awardee, or another organization.
(7) Intelligence community
The term intelligence community has the meaning given the term in section 3 of the National Security Act of 1947 (50 U.S.C. 3003).
(8) Nationwide consumer reporting agency
The term nationwide consumer reporting agency means a consumer reporting agency described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)).
(9) Vulnerability disclosure
The term vulnerability disclosure means a vulnerability identified under section 3559B.

3592. Notification of breach
(a) Definition
In this section, the term covered breach means a breach— (1) involving not less than 50,000 potentially affected individuals; or (2) the result of which the head of an agency determines that notifying potentially affected individuals is necessary pursuant to subsection (b)(1), regardless of whether— (A) the number of potentially affected individuals is less than 50,000; or (B) the notification is delayed under subsection (d).
(b) Notification
As expeditiously as practicable and without unreasonable delay, and in any case not later than 45 days after an agency has a reasonable basis to conclude that a breach has occurred, the head of the agency, in consultation with the Chief Information Officer and Chief Privacy Officer of the agency, shall—
(1) determine whether notice to any individual potentially affected by the breach is appropriate, including by conducting an assessment of the risk of harm to the individual that considers— (A) the nature and sensitivity of the personally identifiable information affected by the breach; (B) the likelihood of access to and use of the personally identifiable information affected by the breach; (C) the type of breach; and (D) any other factors determined by the Director; and
(2) if the head of the agency determines notification is necessary pursuant to paragraph (1), provide written notification in accordance with subsection (c) to each individual potentially affected by the breach— (A) to the last known mailing address of the individual; or (B) through an appropriate alternative method of notification.
(c) Contents of notification
Each notification of a breach provided to an individual under subsection (b)(2) shall include, to the maximum extent practicable—
(1) a brief description of the breach;
(2) if possible, a description of the types of personally identifiable information affected by the breach;
(3) contact information of the agency that may be used to ask questions of the agency, which— (A) shall include an e-mail address or another digital contact mechanism; and (B) may include a telephone number, mailing address, or a website;
(4) information on any remedy being offered by the agency;
(5) any applicable educational materials relating to what individuals can do in response to a breach that potentially affects their personally identifiable information, including relevant contact information for the appropriate Federal law enforcement agencies and each nationwide consumer reporting agency; and
(6) any other appropriate information, as determined by the head of the agency or established in guidance by the Director.
(d) Delay of notification
(1) In general
The head of an agency, in coordination with the Director and the National Cyber Director, and as appropriate, the Attorney General, the Director of National Intelligence, or the Secretary of Homeland Security, may delay a notification required under subsection (b) or (e) if the notification would— (A) impede a criminal investigation or a national security activity; (B) cause an adverse result (as described in section 2705(a)(2) of title 18); (C) reveal sensitive sources and methods; (D) cause damage to national security; or (E) hamper security remediation actions.
(2) Renewal
A delay under paragraph (1) shall be for a period of 60 days and may be renewed.
(3) National security systems
The head of an agency delaying notification under this subsection with respect to a breach exclusively of a national security system shall coordinate such delay with the Secretary of Defense.
(e) Update notification
If an agency determines there is a significant change in the reasonable basis to conclude that a breach occurred, a significant change to the determination made under subsection (b)(1), or that it is necessary to update the details of the information provided to potentially affected individuals as described in subsection (c), the agency shall as expeditiously as practicable and without unreasonable delay, and in any case not later than 30 days after such a determination, notify each individual who received a notification pursuant to subsection (b) of those changes.
(f) Delay of notification report
(1) In general
Not later than 1 year after the date of enactment of the Federal Information Security Modernization Act of 2023, and annually thereafter, the head of an agency, in coordination with any official who delays a notification under subsection (d), shall submit to the appropriate reporting entities a report on each
delay that occurred during the previous 2 years.
(2) Component of other report
The head of an agency may submit the report required under paragraph (1) as a component of the report submitted under section 3554(c).
(g) Congressional reporting requirements
(1) Review and update
On a periodic basis, the Director of the Office of Management and Budget shall review, and update as appropriate, breach notification policies and guidelines for agencies.
(2) Required notice from agencies
Subject to paragraph (4), the Director of the Office of Management and Budget shall require the head of an agency affected by a covered breach to expeditiously and not later than 30 days after the date on which the agency discovers the covered breach give notice of the breach, which may be provided electronically, to— (A) each congressional committee described in section 3554(c)(1); and (B) the Committee on the Judiciary of the Senate and the Committee on the Judiciary of the House of Representatives.
(3) Contents of notice
Notice of a covered breach provided by the head of an agency pursuant to paragraph (2) shall include, to the extent practicable— (A) information about the covered breach, including a summary of any information about how the covered breach occurred known by the agency as of the date of the notice; (B) an estimate of the number of individuals affected by the covered breach based on information known by the agency as of the date of the notice, including an assessment of the risk of harm to affected individuals; (C) a description of any circumstances necessitating a delay in providing notice to individuals affected by the covered breach in accordance with subsection (d); and (D) an estimate of when the agency will provide notice to individuals affected by the covered breach, if applicable.
(4) Exception
Any agency that is required to provide notice to Congress pursuant to paragraph (2) due to a covered breach exclusively on a national security system shall only provide such notice to— (A) the majority and minority leaders of the Senate; (B) the Speaker and minority leader of the House of Representatives; (C) the appropriations committees of Congress; (D) the Committee on Homeland Security and Governmental Affairs of the Senate; (E) the Select Committee on Intelligence of the Senate; (F) the Committee on Oversight and Accountability of the House of Representatives; and (G) the Permanent Select Committee on Intelligence of the House of Representatives.
(5) Rule of construction
Nothing in paragraphs (1) through (3) shall be construed to alter any authority of an agency.
(h) Rule of construction
Nothing in this section shall be construed to—
(1) limit— (A) the authority of the Director to issue guidance relating to notifications of, or the head of an agency to notify individuals potentially affected by, breaches that are not determined to be covered breaches or major incidents; (B) the authority of the Director to issue guidance relating to notifications and reporting of breaches, covered breaches, or major incidents; (C) the authority of the head of an agency to provide more information than required under subsection (b) when notifying individuals potentially affected by a breach; (D) the timing of incident reporting or the types of information included in incident reports provided, pursuant to this subchapter, to— (i) the Director; (ii) the National Cyber Director; (iii) the Director of the Cybersecurity and Infrastructure Security Agency; or (iv) any other agency; (E) the authority of the head of an agency to provide information to Congress about agency breaches, including— (i) breaches that are not covered breaches; and (ii) additional information beyond the information described in subsection (g)(3); or (F) any Congressional reporting requirements of agencies under any other law; or
(2) limit or supersede any existing privacy protections in existing law.
3593. Congressional and Executive Branch reports on major incidents
(a) Appropriate congressional entities
In this section, the term appropriate congressional entities means— (1) the majority and minority leaders of the Senate; (2) the Speaker and minority leader of the House of Representatives; (3) the Committee on Homeland Security and Governmental Affairs of the Senate; (4) the Committee on Commerce, Science, and Transportation of the Senate; (5) the Committee on Oversight and Accountability of the House of Representatives; (6) the Committee on Homeland Security of the House of Representatives; (7) the Committee on Science, Space, and Technology of the House of Representatives; and (8) the appropriate authorization and appropriations committees of Congress.
(b) Initial notification
(1) In general
Not later than 72 hours after an agency has a reasonable basis to conclude that a major incident occurred, the head of the agency impacted by the major incident shall submit to the appropriate reporting entities a written notification, which may be submitted electronically and include 1 or more annexes that contain classified or other sensitive information, as appropriate.
(2) Contents
A notification required under paragraph (1) with respect to a major incident shall include the following, based on information available to agency officials as of the date on which the agency submits the notification:
(A) A summary of the information available about the major incident, including how the major incident occurred and the threat causing the major incident.
(B) If applicable, information relating to any breach associated with the major incident, regardless of whether— (i) the breach was the reason the incident was determined to be a major incident; and (ii) the head of the agency determined it was appropriate to provide notification to potentially impacted individuals pursuant to section 3592(b)(1).
(C) A preliminary assessment of the impacts to— (i) the agency; (ii) the Federal Government; (iii) the national security, foreign relations, homeland security, and economic security of the United States; and (iv) the civil liberties, public confidence, privacy, and public health and safety of the people of the United States.
(D) If applicable, whether any ransom has been demanded or paid, or is expected to be paid, by any entity operating a Federal information system or with access to Federal information or a Federal information system, including, as available, the name of the entity demanding ransom, the date of the demand, and the amount and type of currency demanded, unless disclosure of such information will disrupt an active Federal law enforcement or national security operation.
(c) Supplemental update
Within a reasonable amount of time, but not later than 30 days after the date on which the head of an agency submits a written notification under subsection (a), the head of the agency shall provide to the appropriate congressional entities an unclassified and written update, which may include 1 or more annexes that contain classified or other sensitive information, as appropriate, on the major incident, based on information available to agency officials as of the date on which the agency provides the update, on—
(1) system vulnerabilities relating to the major incident, where applicable, means by which the major incident occurred, the threat causing the major incident, where applicable, and impacts of the major incident to— (A) the agency; (B) other Federal agencies, Congress, or the judicial branch; (C) the national security, foreign relations, homeland security, or economic security of the United States; or (D) the civil liberties, public confidence, privacy, or public health and safety of the people of the United States;
(2) the status of compliance of the affected Federal information system with applicable security requirements at the time of the major incident;
(3) if the major incident involved a breach, a description of the affected information, an estimate of the number of individuals
potentially impacted, and any assessment to the risk of harm to such individuals;(4)an update to the assessment of the risk to agency operations, or to impacts on other agency or non-Federal entity operations, affected by the major incident; and(5)the detection, response, and remediation actions of the agency, including any support provided by the Cybersecurity and Infrastructure Security Agency under section 3594(d), if applicable.(d)Additional updateIf the head of an agency, the Director, or the National Cyber Director determines that there is any significant change in the understanding of the scope, scale, or consequence of a major incident for which the head of the agency submitted a written notification and update under subsections (b) and (c), the head of the agency shall submit to the appropriate congressional entities a written update that includes information relating to the change in understanding.(e)Biennial reportEach agency shall submit as part of the biennial report required under section 3554(c)(1) a description of each major incident that occurred during the 2-year period preceding the date on which the biennial report is submitted.(f)Report delivery(1)In generalAny written notification or update required to be submitted under this section—(A)shall be submitted in an electronic format; and(B)may be submitted in a paper format.(2)Classification statusAny written notification or update required to be submitted under this section—(A)shall be—(i)unclassified; and(ii)submitted through unclassified electronic means pursuant to paragraph (1)(A); and(B)may include classified annexes, as appropriate.(g)Report consistencyTo achieve consistent and coherent agency reporting to Congress, the National Cyber Director, in coordination with the Director, shall—(1)provide recommendations to agencies on formatting and the contents of information to be included in the reports required under this section, including recommendations for consistent formats for presenting 
any associated metrics; and(2)maintain a comprehensive record of each major incident notification, update, and briefing provided under this section, which shall—(A)include, at a minimum—(i)the full contents of the written notification or update;(ii)the identity of the reporting agency; and(iii)the date of submission; and(iv)a list of the recipient congressional entities; and(B)be made available upon request to the majority and minority leaders of the Senate, the Speaker and minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Oversight and Accountability of the House of Representatives.(h)National security systems congressional reporting exemptionWith respect to a major incident that occurs exclusively on a national security system, the head of the affected agency shall submit the notifications and reports required to be submitted to Congress under this section only to— (1)the majority and minority leaders of the Senate;(2)the Speaker and minority leader of the House of Representatives;(3)the appropriations committees of Congress;(4)the appropriate authorization committees of Congress;(5)the Committee on Homeland Security and Governmental Affairs of the Senate;(6)the Select Committee on Intelligence of the Senate;(7)the Committee on Oversight and Accountability of the House of Representatives; and(8)the Permanent Select Committee on Intelligence of the House of Representatives.(i)Major incidents including breachesIf a major incident constitutes a covered breach, as defined in section 3592(a), information on the covered breach required to be submitted to Congress pursuant to section 3592(g) may— (1)be included in the notifications required under subsection (b) or (c); or(2)be reported to Congress under the process established under section 3592(g). 
(j) Rule of construction. Nothing in this section shall be construed to—
    (1) limit—
        (A) the ability of an agency to provide additional reports or briefings to Congress;
        (B) Congress from requesting additional information from agencies through reports, briefings, or other means;
        (C) any congressional reporting requirements of agencies under any other law; or
    (2) limit or supersede any privacy protections under any other law.

3594. Government information sharing and incident response
(a) In general.
    (1) Incident sharing. Subject to paragraph (4) and subsection (b), and in accordance with the applicable requirements pursuant to section 3553(b)(2)(A) for reporting to the Federal information security incident center established under section 3556, the head of each agency shall provide to the Cybersecurity and Infrastructure Security Agency information relating to any incident affecting the agency, whether the information is obtained by the Federal Government directly or indirectly.
    (2) Contents. A provision of information relating to an incident made by the head of an agency under paragraph (1) shall include, at a minimum—
        (A) a full description of the incident, including—
            (i) all indicators of compromise and tactics, techniques, and procedures;
            (ii) an indicator of how the intruder gained initial access, accessed agency data or systems, and undertook additional actions on the network of the agency;
            (iii) information that would support enabling defensive measures; and
            (iv) other information that may assist in identifying other victims;
        (B) information to help prevent similar incidents, such as information about relevant safeguards in place when the incident occurred and the effectiveness of those safeguards; and
        (C) information to aid in incident response, such as—
            (i) a description of the affected systems or networks;
            (ii) the estimated dates of when the incident occurred; and
            (iii) information that could reasonably help identify any malicious actor that may have conducted or caused the incident, subject to appropriate privacy protections.
    (3) Information sharing. The Director of the Cybersecurity and Infrastructure Security Agency shall—
        (A) make incident information provided under paragraph (1) available to the Director and the National Cyber Director;
        (B) to the greatest extent practicable, share information relating to an incident with—
            (i) the head of any agency that may be—
                (I) impacted by the incident;
                (II) particularly susceptible to the incident; or
                (III) similarly targeted by the incident; and
            (ii) appropriate Federal law enforcement agencies to facilitate any necessary threat response activities, as requested;
        (C) coordinate any necessary information sharing efforts relating to a major incident with the private sector; and
        (D) notify the National Cyber Director of any efforts described in subparagraph (C).
    (4) National security systems exemption.
        (A) In general. Notwithstanding paragraphs (1) and (3), each agency operating or exercising control of a national security system shall share information about an incident that occurs exclusively on a national security system with the Secretary of Defense, the Director, the National Cyber Director, and the Director of the Cybersecurity and Infrastructure Security Agency to the extent consistent with standards and guidelines for national security systems issued in accordance with law and as directed by the President.
        (B) Protections. Any information sharing and handling of information under this paragraph shall be appropriately protected consistent with procedures authorized for the protection of sensitive sources and methods or by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
(b) Automation. In providing information and selecting a method to provide information under subsection (a), the head of each agency shall implement subsection (a)(1) in a manner that provides such information to the Cybersecurity and Infrastructure Security Agency in an automated and machine-readable format, to the greatest extent practicable.
(c) Incident response. Each agency that has a reasonable basis to suspect or conclude that a major incident occurred involving Federal information in electronic medium or form that does not exclusively involve a national security system shall coordinate with—
    (1) the Cybersecurity and Infrastructure Security Agency to facilitate asset response activities and provide recommendations for mitigating future incidents; and
    (2) consistent with relevant policies, appropriate Federal law enforcement agencies to facilitate threat response activities.

3595. Responsibilities of contractors and awardees
(a) Reporting.
    (1) In general. Any contractor or awardee of an agency shall report to the agency if the contractor or awardee has a reasonable basis to conclude that—
        (A) an incident or breach has occurred with respect to Federal information the contractor or awardee collected, used, or maintained on behalf of an agency;
        (B) an incident or breach has occurred with respect to a Federal information system used, operated, managed, or maintained on behalf of an agency by the contractor or awardee;
        (C) a component of any Federal information system operated, managed, or maintained by a contractor or awardee contains a security vulnerability, including a supply chain compromise or an identified software or hardware vulnerability, for which there is reliable evidence of attempted or successful exploitation of the vulnerability by an actor without authorization of the Federal information system owner; or
        (D) the contractor or awardee has received personally identifiable information, personal health information, or other clearly sensitive information that is beyond the scope of the contract or agreement with the agency from the agency that the contractor or awardee is not authorized to receive.
    (2) Third-party reports of vulnerabilities. Subject to the guidance issued
by the Director pursuant to paragraph (4), any contractor or awardee of an agency shall report to the agency and the Cybersecurity and Infrastructure Security Agency if the contractor or awardee has a reasonable basis to suspect or conclude that a component of any Federal information system operated, managed, or maintained on behalf of an agency by the contractor or awardee on behalf of the agency contains a security vulnerability, including a supply chain compromise or an identified software or hardware vulnerability, that has been reported to the contractor or awardee by a third party, including through a vulnerability disclosure program.
    (3) Procedures.
        (A) Sharing with CISA. As soon as practicable following a report of an incident to an agency by a contractor or awardee under paragraph (1), the head of the agency shall provide, pursuant to section 3594, information about the incident to the Director of the Cybersecurity and Infrastructure Security Agency.
        (B) Time for reporting. Unless a different time for reporting is specified in a contract, grant, cooperative agreement, or other transaction agreement, a contractor or awardee shall—
            (i) make a report required under paragraph (1) not later than 1 day after the date on which the contractor or awardee has a reasonable basis to suspect or conclude that the criteria under paragraph (1) have been met; and
            (ii) make a report required under paragraph (2) within a reasonable time, but not later than 90 days after the date on which the contractor or awardee has a reasonable basis to suspect or conclude that the criteria under paragraph (2) have been met.
        (C) Procedures. Following a report of a breach or incident to an agency by a contractor or awardee under paragraph (1), the head of the agency, in consultation with the contractor or awardee, shall carry out the applicable requirements under sections 3592, 3593, and 3594 with respect to the breach or incident.
        (D) Rule of construction. Nothing in subparagraph (B) shall be construed to allow the negation of the requirements to report vulnerabilities under paragraph (1) or (2) through a contract, grant, cooperative agreement, or other transaction agreement.
    (4) Guidance. The Director shall issue guidance to agencies relating to the scope of vulnerabilities to be reported under paragraph (2), such as the minimum severity of a vulnerability required to be reported or whether vulnerabilities that are already publicly disclosed must be reported.
(b) Regulations; modifications.
    (1) In general. Not later than 1 year after the date of enactment of the Federal Information Security Modernization Act of 2023—
        (A) the Federal Acquisition Regulatory Council shall promulgate regulations, as appropriate, relating to the responsibilities of contractors and recipients of other transaction agreements and cooperative agreements to comply with this section; and
        (B) the Office of Federal Financial Management shall promulgate regulations under title 2, Code of Federal Regulations, as appropriate, relating to the responsibilities of grantees to comply with this section.
    (2) Implementation. Not later than 1 year after the date on which the Federal Acquisition Regulatory Council and the Office of Federal Financial Management promulgate regulations under paragraph (1), the head of each agency shall implement policies and procedures, as appropriate, necessary to implement those regulations.
    (3) Congressional notification.
        (A) In general. The head of each agency shall notify the Director upon implementation of policies and procedures necessary to implement the regulations promulgated under paragraph (1).
        (B) OMB notification. Not later than 30 days after the date described in paragraph (2), the Director shall notify the Committee on Homeland Security and Governmental Affairs of the Senate and the Committees on Oversight and Accountability and Homeland Security of the House of Representatives on the status of the implementation by each agency of the regulations promulgated under paragraph (1).
(c) National security systems exemption. Notwithstanding any other provision of this section, a contractor or awardee of an agency that would be required to report an incident or vulnerability pursuant to this section that occurs exclusively on a national security system shall—
    (1) report the incident or vulnerability to the head of the agency and the Secretary of Defense; and
    (2) comply with applicable laws and policies relating to national security systems.

3596. Training
(a) Covered individual defined. In this section, the term covered individual means an individual who obtains access to a Federal information system because of the status of the individual as—
    (1) an employee, contractor, awardee, volunteer, or intern of an agency; or
    (2) an employee of a contractor or awardee of an agency.
(b) Best practices and consistency. The Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, the National Cyber Director, and the Director of the National Institute of Standards and Technology, shall develop best practices to support consistency across agencies in cybersecurity incident response training, including—
    (1) information to be collected and shared with the Cybersecurity and Infrastructure Security Agency pursuant to section 3594(a) and processes for sharing such information; and
    (2) appropriate training and qualifications for cyber incident responders.
(c) Agency training. The head of each agency shall develop training for covered individuals on how to identify and respond to an incident, including—
    (1) the internal process of the agency for reporting an incident; and
    (2) the obligation of a covered individual to report to the agency any suspected or confirmed incident involving Federal information in any medium or form, including paper, oral, and electronic.
(d) Inclusion in annual training. The training developed under subsection (c) may be included as part of an annual privacy, security awareness, or other appropriate training of an agency.
3597. Analysis and report on Federal incidents
(a) Analysis of Federal incidents.
    (1) Quantitative and qualitative analyses. The Director of the Cybersecurity and Infrastructure Security Agency shall perform and, in coordination with the Director and the National Cyber Director, develop, continuous monitoring and quantitative and qualitative analyses of incidents at agencies, including major incidents, including—
        (A) the causes of incidents, including—
            (i) attacker tactics, techniques, and procedures; and
            (ii) system vulnerabilities, including zero days, unpatched systems, and information system misconfigurations;
        (B) the scope and scale of incidents at agencies;
        (C) common root causes of incidents across multiple agencies;
        (D) agency incident response, recovery, and remediation actions and the effectiveness of those actions, as applicable;
        (E) lessons learned and recommendations in responding to, recovering from, remediating, and mitigating future incidents; and
        (F) trends across multiple agencies to address intrusion detection and incident response capabilities using the metrics established under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)).
    (2) Automated analysis. The analyses developed under paragraph (1) shall, to the greatest extent practicable, use machine-readable data, automation, and machine learning processes.
    (3) Sharing of data and analysis.
        (A) In general. The Director of the Cybersecurity and Infrastructure Security Agency shall share on an ongoing basis the analyses and underlying data required under this subsection with agencies, the Director, and the National Cyber Director to—
            (i) improve the understanding of cybersecurity risk of agencies; and
            (ii) support the cybersecurity improvement efforts of agencies.
        (B) Format. In carrying out subparagraph (A), the Director of the Cybersecurity and Infrastructure Security Agency shall share the analyses—
            (i) in human-readable written products; and
            (ii) to the greatest extent practicable, in machine-readable formats in order to enable automated intake and use by agencies.
        (C) Exemption. This subsection shall not apply to incidents that occur exclusively on national security systems.
(b) Annual report on Federal incidents. Not later than 2 years after the date of enactment of this section, and not less frequently than annually thereafter, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, the National Cyber Director, and the heads of other agencies, as appropriate, shall submit to the appropriate reporting entities a report that includes—
    (1) a summary of causes of incidents from across the Federal Government that categorizes those incidents as incidents or major incidents;
    (2) the quantitative and qualitative analyses of incidents developed under subsection (a)(1) on an agency-by-agency basis and comprehensively across the Federal Government, including—
        (A) a specific analysis of breaches; and
        (B) an analysis of the Federal Government’s performance against the metrics established under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)); and
    (3) an annex for each agency that includes—
        (A) a description of each major incident;
        (B) the total number of incidents of the agency; and
        (C) an analysis of the agency’s performance against the metrics established under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)).
(c) Publication.
    (1) In general. The Director of the Cybersecurity and Infrastructure Security Agency shall make a version of each report submitted under subsection (b) publicly available on the website of the Cybersecurity and Infrastructure Security Agency during the year during which the report is submitted.
    (2) Exemption. The publication requirement under paragraph (1) shall not apply to a portion of a report that contains content that should be protected in the interest of national security, as determined by the Director, the Director of the Cybersecurity and Infrastructure Security Agency, or the National Cyber Director.
    (3) Limitation on exemption. The exemption under paragraph (2) shall not apply to any version of a report submitted to the appropriate reporting entities under subsection (b).
    (4) Requirement for compiling information.
        (A) Compilation. Subject to subparagraph (B), in making a report publicly available under paragraph (1), the Director of the Cybersecurity and Infrastructure Security Agency shall sufficiently compile information so that no specific incident of an agency can be identified.
        (B) Exception. The Director of the Cybersecurity and Infrastructure Security Agency may include information that enables a specific incident of an agency to be identified in a publicly available report—
            (i) with the concurrence of the Director and the National Cyber Director;
            (ii) in consultation with the impacted agency; and
            (iii) in consultation with the inspector general of the impacted agency.
(d) Information provided by agencies.
    (1) In general. The analysis required under subsection (a) and each report submitted under subsection (b) shall use information provided by agencies under section 3594(a).
    (2) Noncompliance reports. During any year during which the head of an agency does not provide data for an incident to the Cybersecurity and Infrastructure Security Agency in accordance with section 3594(a), the head of the agency, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and the Director, shall submit to the appropriate reporting entities a report that includes the information described in subsection (b) with respect to the agency.
(e) National security system reports.
    (1) In general. Notwithstanding any other provision of this section, the Secretary of Defense, in consultation with the Director, the National Cyber Director, the Director of National Intelligence, and the Director of Cybersecurity and Infrastructure Security shall annually submit a report that includes the information described in subsection (b) with respect to national security systems, to the extent that the submission is consistent with standards and guidelines for national security systems issued in accordance with law and as directed by the President, to—
        (A) the majority and minority leaders of the Senate;
        (B) the Speaker and minority leader of the House of Representatives;
        (C) the Committee on Homeland Security and Governmental Affairs of the Senate;
        (D) the Select Committee on Intelligence of the Senate;
        (E) the Committee on Armed Services of the Senate;
        (F) the Committee on Appropriations of the Senate;
        (G) the Committee on Oversight and Accountability of the House of Representatives;
        (H) the Committee on Homeland Security of the House of Representatives;
        (I) the Permanent Select Committee on Intelligence of the House of Representatives;
        (J) the Committee on Armed Services of the House of Representatives; and
        (K) the Committee on Appropriations of the House of Representatives.
    (2) Classified form. A report required under paragraph (1) may be submitted in a classified form.

3598. Major incident definition
(a) In general. Not later than 1 year after the later of the date of enactment of the Federal Information Security Modernization Act of 2023 and the most recent publication by the Director of guidance to agencies regarding major incidents as of the date of enactment of the Federal Information Security Modernization Act of 2023, the Director shall develop, in coordination with the National Cyber Director, and promulgate guidance on the definition of the term major incident for the purposes of subchapter II and this subchapter.
(b) Requirements. With respect to the guidance issued under subsection (a), the definition of the term major incident shall—
    (1) include, with respect to any information collected or maintained by or on behalf of an agency or a Federal information system—
        (A) any incident the head of the agency determines is likely to result in demonstrable harm to—
            (i) the national security interests, foreign relations, homeland security, or economic security of the United States; or
            (ii) the civil liberties, public confidence, privacy, or public health and safety of the people of the United States;
        (B) any incident the head of the agency determines is likely to result in an inability or substantial disruption for the agency, a component of the agency, or the Federal Government, to provide 1 or more critical services;
        (C) any incident the head of the agency determines substantially disrupts or substantially degrades the operations of a high value asset owned or operated by the agency;
        (D) any incident involving the exposure to a foreign entity of sensitive agency information, such as the communications of the head of the agency, the head of a component of the agency, or the direct reports of the head of the agency or the head of a component of the agency; and
        (E) any other type of incident determined appropriate by the Director;
    (2) stipulate that the National Cyber Director, in consultation with the Director and the Director of the Cybersecurity and Infrastructure Security Agency, may declare a major incident at any agency, and such a declaration shall be considered if it is determined that an incident—
        (A) occurs at not less than 2 agencies; and
        (B) is enabled by—
            (i) a common technical root cause, such as a supply chain compromise, or a common software or hardware vulnerability; or
            (ii) the related activities of a common threat actor;
    (3) stipulate that, in determining whether an incident constitutes a major incident under the standards described in paragraph (1), the head of the agency shall consult with the National Cyber Director; and
    (4) stipulate that the mere report of a vulnerability discovered or disclosed without a loss of confidentiality, integrity, or availability shall not on its own constitute a major incident.
(c) Evaluation and updates. Not later than 60 days after the date on which the Director first promulgates the guidance required under subsection (a), and not less frequently than once during the first 90 days of each evenly numbered Congress thereafter, the Director shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committees on Oversight and Accountability and Homeland Security of the House of Representatives a briefing that includes—
    (1) an evaluation of any necessary updates to the guidance;
    (2) an evaluation of any necessary updates to the definition of the term major incident included in the guidance; and
    (3) an explanation of, and the analysis that led to, the definition described in paragraph (2).

SUBCHAPTER IV—Federal system incident response
3591. Definitions.
3592. Notification of breach.
3593. Congressional and Executive Branch reports.
3594. Government information sharing and incident response.
3595. Responsibilities of contractors and awardees.
3596. Training.
3597. Analysis and report on Federal incidents.
3598. Major incident definition.
Section 4
3591. Definitions
Except as provided in subsection (b), the definitions under sections 3502 and 3552 shall apply to this subchapter. As used in this subchapter:
The term appropriate reporting entities means—
    the majority and minority leaders of the Senate;
    the Speaker and minority leader of the House of Representatives;
    the Committee on Homeland Security and Governmental Affairs of the Senate;
    the Committee on Commerce, Science, and Transportation of the Senate;
    the Committee on Oversight and Accountability of the House of Representatives;
    the Committee on Homeland Security of the House of Representatives;
    the Committee on Science, Space, and Technology of the House of Representatives;
    the appropriate authorization and appropriations committees of Congress;
    the Director;
    the Director of the Cybersecurity and Infrastructure Security Agency;
    the National Cyber Director;
    the Comptroller General of the United States; and
    the inspector general of any impacted agency.
The term awardee, with respect to an agency—
    means—
        the recipient of a grant from an agency;
        a party to a cooperative agreement with an agency; and
        a party to an other transaction agreement with an agency; and
    includes a subawardee of an entity described in subparagraph (A).
The term breach—
    means the compromise, unauthorized disclosure, unauthorized acquisition, or loss of control of personally identifiable information or any similar occurrence; and
    includes any additional meaning given the term in policies, principles, standards, or guidelines issued by the Director.
The term contractor means a prime contractor of an agency or a subcontractor of a prime contractor of an agency that creates, collects, stores, processes, maintains, or transmits Federal information on behalf of an agency.
The term Federal information means information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the Federal Government in any medium or form.
The term Federal information system means an information system owned, managed, or operated by an agency, or on behalf of an agency by a contractor, an awardee, or another organization.
The term intelligence community has the meaning given the term in section 3 of the National Security Act of 1947 (50 U.S.C. 3003).
The term nationwide consumer reporting agency means a consumer reporting agency described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)).
The term vulnerability disclosure means a vulnerability identified under section 3559B.
Section 5
3592. Notification of breach In this section, the term covered breach means a breach— involving not less than 50,000 potentially affected individuals; or the result of which the head of an agency determines that notifying potentially affected individuals is necessary pursuant to subsection (b)(1), regardless of whether— the number of potentially affected individuals is less than 50,000; or the notification is delayed under subsection (d). As expeditiously as practicable and without unreasonable delay, and in any case not later than 45 days after an agency has a reasonable basis to conclude that a breach has occurred, the head of the agency, in consultation with the Chief Information Officer and Chief Privacy Officer of the agency, shall— determine whether notice to any individual potentially affected by the breach is appropriate, including by conducting an assessment of the risk of harm to the individual that considers— the nature and sensitivity of the personally identifiable information affected by the breach; the likelihood of access to and use of the personally identifiable information affected by the breach; the type of breach; and any other factors determined by the Director; and if the head of the agency determines notification is necessary pursuant to paragraph (1), provide written notification in accordance with subsection (c) to each individual potentially affected by the breach— to the last known mailing address of the individual; or through an appropriate alternative method of notification. 
Each notification of a breach provided to an individual under subsection (b)(2) shall include, to the maximum extent practicable— a brief description of the breach; if possible, a description of the types of personally identifiable information affected by the breach; contact information of the agency that may be used to ask questions of the agency, which— shall include an e-mail address or another digital contact mechanism; and may include a telephone number, mailing address, or a website; information on any remedy being offered by the agency; any applicable educational materials relating to what individuals can do in response to a breach that potentially affects their personally identifiable information, including relevant contact information for the appropriate Federal law enforcement agencies and each nationwide consumer reporting agency; and any other appropriate information, as determined by the head of the agency or established in guidance by the Director.
The head of an agency, in coordination with the Director and the National Cyber Director, and as appropriate, the Attorney General, the Director of National Intelligence, or the Secretary of Homeland Security, may delay a notification required under subsection (b) or (e) if the notification would— impede a criminal investigation or a national security activity; cause an adverse result (as described in section 2705(a)(2) of title 18); reveal sensitive sources and methods; cause damage to national security; or hamper security remediation actions. A delay under paragraph (1) shall be for a period of 60 days and may be renewed. The head of an agency delaying notification under this subsection with respect to a breach exclusively of a national security system shall coordinate such delay with the Secretary of Defense.
If an agency determines there is a significant change in the reasonable basis to conclude that a breach occurred, a significant change to the determination made under subsection (b)(1), or that it is necessary to update the details of the information provided to potentially affected individuals as described in subsection (c), the agency shall as expeditiously as practicable and without unreasonable delay, and in any case not later than 30 days after such a determination, notify each individual who received a notification pursuant to subsection (b) of those changes.
Not later than 1 year after the date of enactment of the Federal Information Security Modernization Act of 2023, and annually thereafter, the head of an agency, in coordination with any official who delays a notification under subsection (d), shall submit to the appropriate reporting entities a report on each delay that occurred during the previous 2 years. The head of an agency may submit the report required under paragraph (1) as a component of the report submitted under section 3554(c).
On a periodic basis, the Director of the Office of Management and Budget shall review, and update as appropriate, breach notification policies and guidelines for agencies.
Subject to paragraph (4), the Director of the Office of Management and Budget shall require the head of an agency affected by a covered breach to expeditiously and not later than 30 days after the date on which the agency discovers the covered breach give notice of the breach, which may be provided electronically, to— each congressional committee described in section 3554(c)(1); and the Committee on the Judiciary of the Senate and the Committee on the Judiciary of the House of Representatives.
Notice of a covered breach provided by the head of an agency pursuant to paragraph (2) shall include, to the extent practicable— information about the covered breach, including a summary of any information about how the covered breach occurred known by the agency as of the date of the notice; an estimate of the number of individuals affected by the covered breach based on information known by the agency as of the date of the notice, including an assessment of the risk of harm to affected individuals; a description of any circumstances necessitating a delay in providing notice to individuals affected by the covered breach in accordance with subsection (d); and an estimate of when the agency will provide notice to individuals affected by the covered breach, if applicable.
Any agency that is required to provide notice to Congress pursuant to paragraph (2) due to a covered breach exclusively on a national security system shall only provide such notice to— the majority and minority leaders of the Senate; the Speaker and minority leader of the House of Representatives; the appropriations committees of Congress; the Committee on Homeland Security and Governmental Affairs of the Senate; the Select Committee on Intelligence of the Senate; the Committee on Oversight and Accountability of the House of Representatives; and the Permanent Select Committee on Intelligence of the House of Representatives.
Nothing in paragraphs (1) through (3) shall be construed to alter any authority of an agency.
Nothing in this section shall be construed to— limit— the authority of the Director to issue guidance relating to notifications of, or the head of an agency to notify individuals potentially affected by, breaches that are not determined to be covered breaches or major incidents; the authority of the Director to issue guidance relating to notifications and reporting of breaches, covered breaches, or major incidents; the authority of the head of an agency to provide more information than required under subsection (b) when notifying individuals potentially affected by a breach; the timing of incident reporting or the types of information included in incident reports provided, pursuant to this subchapter, to— the Director; the National Cyber Director; the Director of the Cybersecurity and Infrastructure Security Agency; or any other agency; the authority of the head of an agency to provide information to Congress about agency breaches, including— breaches that are not covered breaches; and additional information beyond the information described in subsection (g)(3); or any Congressional reporting requirements of agencies under any other law; or limit or supersede any existing privacy protections in existing law.
Section 6
3593. Congressional and Executive Branch reports on major incidents
In this section, the term appropriate congressional entities means— the majority and minority leaders of the Senate; the Speaker and minority leader of the House of Representatives; the Committee on Homeland Security and Governmental Affairs of the Senate; the Committee on Commerce, Science, and Transportation of the Senate; the Committee on Oversight and Accountability of the House of Representatives; the Committee on Homeland Security of the House of Representatives; the Committee on Science, Space, and Technology of the House of Representatives; and the appropriate authorization and appropriations committees of Congress.
Not later than 72 hours after an agency has a reasonable basis to conclude that a major incident occurred, the head of the agency impacted by the major incident shall submit to the appropriate reporting entities a written notification, which may be submitted electronically and include 1 or more annexes that contain classified or other sensitive information, as appropriate. A notification required under paragraph (1) with respect to a major incident shall include the following, based on information available to agency officials as of the date on which the agency submits the notification: A summary of the information available about the major incident, including how the major incident occurred and the threat causing the major incident. If applicable, information relating to any breach associated with the major incident, regardless of whether— the breach was the reason the incident was determined to be a major incident; and the head of the agency determined it was appropriate to provide notification to potentially impacted individuals pursuant to section 3592(b)(1).
A preliminary assessment of the impacts to— the agency; the Federal Government; the national security, foreign relations, homeland security, and economic security of the United States; and the civil liberties, public confidence, privacy, and public health and safety of the people of the United States. If applicable, whether any ransom has been demanded or paid, or is expected to be paid, by any entity operating a Federal information system or with access to Federal information or a Federal information system, including, as available, the name of the entity demanding ransom, the date of the demand, and the amount and type of currency demanded, unless disclosure of such information will disrupt an active Federal law enforcement or national security operation.
Within a reasonable amount of time, but not later than 30 days after the date on which the head of an agency submits a written notification under subsection (a), the head of the agency shall provide to the appropriate congressional entities an unclassified and written update, which may include 1 or more annexes that contain classified or other sensitive information, as appropriate, on the major incident, based on information available to agency officials as of the date on which the agency provides the update, on— system vulnerabilities relating to the major incident, where applicable, means by which the major incident occurred, the threat causing the major incident, where applicable, and impacts of the major incident to— the agency; other Federal agencies, Congress, or the judicial branch; the national security, foreign relations, homeland security, or economic security of the United States; or the civil liberties, public confidence, privacy, or public health and safety of the people of the United States; the status of compliance of the affected Federal information system with applicable security requirements at the time of the major incident; if the major incident involved a breach, a description of the affected information, an estimate of the number of individuals potentially impacted, and any assessment of the risk of harm to such individuals; an update to the assessment of the risk to agency operations, or to impacts on other agency or non-Federal entity operations, affected by the major incident; and the detection, response, and remediation actions of the agency, including any support provided by the Cybersecurity and Infrastructure Security Agency under section 3594(d), if applicable.
If the head of an agency, the Director, or the National Cyber Director determines that there is any significant change in the understanding of the scope, scale, or consequence of a major incident for which the head of the agency submitted a written notification and update under subsections (b) and (c), the head of the agency shall submit to the appropriate congressional entities a written update that includes information relating to the change in understanding.
Each agency shall submit as part of the biennial report required under section 3554(c)(1) a description of each major incident that occurred during the 2-year period preceding the date on which the biennial report is submitted.
Any written notification or update required to be submitted under this section— shall be submitted in an electronic format; and may be submitted in a paper format. Any written notification or update required to be submitted under this section— shall be— unclassified; and submitted through unclassified electronic means pursuant to paragraph (1)(A); and may include classified annexes, as appropriate.
To achieve consistent and coherent agency reporting to Congress, the National Cyber Director, in coordination with the Director, shall— provide recommendations to agencies on formatting and the contents of information to be included in the reports required under this section, including recommendations for consistent formats for presenting any associated metrics; and maintain a comprehensive record of each major incident notification, update, and briefing provided under this section, which shall— include, at a minimum— the full contents of the written notification or update; the identity of the reporting agency; and the date of submission; and a list of the recipient congressional entities; and be made available upon request to the majority and minority leaders of the Senate, the Speaker and minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Oversight and Accountability of the House of Representatives.
With respect to a major incident that occurs exclusively on a national security system, the head of the affected agency shall submit the notifications and reports required to be submitted to Congress under this section only to— the majority and minority leaders of the Senate; the Speaker and minority leader of the House of Representatives; the appropriations committees of Congress; the appropriate authorization committees of Congress; the Committee on Homeland Security and Governmental Affairs of the Senate; the Select Committee on Intelligence of the Senate; the Committee on Oversight and Accountability of the House of Representatives; and the Permanent Select Committee on Intelligence of the House of Representatives.
If a major incident constitutes a covered breach, as defined in section 3592(a), information on the covered breach required to be submitted to Congress pursuant to section 3592(g) may— be included in the notifications required under subsection (b) or (c); or be reported to Congress under the process established under section 3592(g). Nothing in this section shall be construed to— limit— the ability of an agency to provide additional reports or briefings to Congress; Congress from requesting additional information from agencies through reports, briefings, or other means; any congressional reporting requirements of agencies under any other law; or limit or supersede any privacy protections under any other law.
Section 7
3594. Government information sharing and incident response
Subject to paragraph (4) and subsection (b), and in accordance with the applicable requirements pursuant to section 3553(b)(2)(A) for reporting to the Federal information security incident center established under section 3556, the head of each agency shall provide to the Cybersecurity and Infrastructure Security Agency information relating to any incident affecting the agency, whether the information is obtained by the Federal Government directly or indirectly. A provision of information relating to an incident made by the head of an agency under paragraph (1) shall include, at a minimum— a full description of the incident, including— all indicators of compromise and tactics, techniques, and procedures; an indicator of how the intruder gained initial access, accessed agency data or systems, and undertook additional actions on the network of the agency; and information that would support enabling defensive measures; and other information that may assist in identifying other victims; information to help prevent similar incidents, such as information about relevant safeguards in place when the incident occurred and the effectiveness of those safeguards; and information to aid in incident response, such as— a description of the affected systems or networks; the estimated dates of when the incident occurred; and information that could reasonably help identify any malicious actor that may have conducted or caused the incident, subject to appropriate privacy protections.
The Director of the Cybersecurity and Infrastructure Security Agency shall— make incident information provided under paragraph (1) available to the Director and the National Cyber Director; to the greatest extent practicable, share information relating to an incident with— the head of any agency that may be— impacted by the incident; particularly susceptible to the incident; or similarly targeted by the incident; and appropriate Federal law enforcement agencies to facilitate any necessary threat response activities, as requested; coordinate any necessary information sharing efforts relating to a major incident with the private sector; and notify the National Cyber Director of any efforts described in subparagraph (C).
Notwithstanding paragraphs (1) and (3), each agency operating or exercising control of a national security system shall share information about an incident that occurs exclusively on a national security system with the Secretary of Defense, the Director, the National Cyber Director, and the Director of the Cybersecurity and Infrastructure Security Agency to the extent consistent with standards and guidelines for national security systems issued in accordance with law and as directed by the President. Any information sharing and handling of information under this paragraph shall be appropriately protected consistent with procedures authorized for the protection of sensitive sources and methods or by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
In providing information and selecting a method to provide information under subsection (a), the head of each agency shall implement subsection (a)(1) in a manner that provides such information to the Cybersecurity and Infrastructure Security Agency in an automated and machine-readable format, to the greatest extent practicable.
Each agency that has a reasonable basis to suspect or conclude that a major incident occurred involving Federal information in electronic medium or form that does not exclusively involve a national security system shall coordinate with— the Cybersecurity and Infrastructure Security Agency to facilitate asset response activities and provide recommendations for mitigating future incidents; and consistent with relevant policies, appropriate Federal law enforcement agencies to facilitate threat response activities.
Section 8
3595. Responsibilities of contractors and awardees
Any contractor or awardee of an agency shall report to the agency if the contractor or awardee has a reasonable basis to conclude that— an incident or breach has occurred with respect to Federal information the contractor or awardee collected, used, or maintained on behalf of an agency; an incident or breach has occurred with respect to a Federal information system used, operated, managed, or maintained on behalf of an agency by the contractor or awardee; a component of any Federal information system operated, managed, or maintained by a contractor or awardee contains a security vulnerability, including a supply chain compromise or an identified software or hardware vulnerability, for which there is reliable evidence of attempted or successful exploitation of the vulnerability by an actor without authorization of the Federal information system owner; or the contractor or awardee has received personally identifiable information, personal health information, or other clearly sensitive information that is beyond the scope of the contract or agreement with the agency from the agency that the contractor or awardee is not authorized to receive.
Subject to the guidance issued by the Director pursuant to paragraph (4), any contractor or awardee of an agency shall report to the agency and the Cybersecurity and Infrastructure Security Agency if the contractor or awardee has a reasonable basis to suspect or conclude that a component of any Federal information system operated, managed, or maintained on behalf of an agency by the contractor or awardee on behalf of the agency contains a security vulnerability, including a supply chain compromise or an identified software or hardware vulnerability, that has been reported to the contractor or awardee by a third party, including through a vulnerability disclosure program.
As soon as practicable following a report of an incident to an agency by a contractor or awardee under paragraph (1), the head of the agency shall provide, pursuant to section 3594, information about the incident to the Director of the Cybersecurity and Infrastructure Security Agency. Unless a different time for reporting is specified in a contract, grant, cooperative agreement, or other transaction agreement, a contractor or awardee shall— make a report required under paragraph (1) not later than 1 day after the date on which the contractor or awardee has reasonable basis to suspect or conclude that the criteria under paragraph (1) have been met; and make a report required under paragraph (2) within a reasonable time, but not later than 90 days after the date on which the contractor or awardee has reasonable basis to suspect or conclude that the criteria under paragraph (2) have been met. Following a report of a breach or incident to an agency by a contractor or awardee under paragraph (1), the head of the agency, in consultation with the contractor or awardee, shall carry out the applicable requirements under sections 3592, 3593, and 3594 with respect to the breach or incident. Nothing in subparagraph (B) shall be construed to allow the negation of the requirements to report vulnerabilities under paragraph (1) or (2) through a contract, grant, cooperative agreement, or other transaction agreement. The Director shall issue guidance to agencies relating to the scope of vulnerabilities to be reported under paragraph (2), such as the minimum severity of a vulnerability required to be reported or whether vulnerabilities that are already publicly disclosed must be reported. 
Not later than 1 year after the date of enactment of the Federal Information Security Modernization Act of 2023— the Federal Acquisition Regulatory Council shall promulgate regulations, as appropriate, relating to the responsibilities of contractors and recipients of other transaction agreements and cooperative agreements to comply with this section; and the Office of Federal Financial Management shall promulgate regulations under title 2, Code of Federal Regulations, as appropriate, relating to the responsibilities of grantees to comply with this section. Not later than 1 year after the date on which the Federal Acquisition Regulatory Council and the Office of Federal Financial Management promulgate regulations under paragraph (1), the head of each agency shall implement policies and procedures, as appropriate, necessary to implement those regulations. The head of each agency shall notify the Director upon implementation of policies and procedures necessary to implement the regulations promulgated under paragraph (1). Not later than 30 days after the date described in paragraph (2), the Director shall notify the Committee on Homeland Security and Governmental Affairs of the Senate and the Committees on Oversight and Accountability and Homeland Security of the House of Representatives on the status of the implementation by each agency of the regulations promulgated under paragraph (1).
Notwithstanding any other provision of this section, a contractor or awardee of an agency that would be required to report an incident or vulnerability pursuant to this section that occurs exclusively on a national security system shall— report the incident or vulnerability to the head of the agency and the Secretary of Defense; and comply with applicable laws and policies relating to national security systems.
Section 9
3596. Training
In this section, the term covered individual means an individual who obtains access to a Federal information system because of the status of the individual as— an employee, contractor, awardee, volunteer, or intern of an agency; or an employee of a contractor or awardee of an agency.
The Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, the National Cyber Director, and the Director of the National Institute of Standards and Technology, shall develop best practices to support consistency across agencies in cybersecurity incident response training, including— information to be collected and shared with the Cybersecurity and Infrastructure Security Agency pursuant to section 3594(a) and processes for sharing such information; and appropriate training and qualifications for cyber incident responders.
The head of each agency shall develop training for covered individuals on how to identify and respond to an incident, including— the internal process of the agency for reporting an incident; and the obligation of a covered individual to report to the agency any suspected or confirmed incident involving Federal information in any medium or form, including paper, oral, and electronic. The training developed under subsection (c) may be included as part of an annual privacy, security awareness, or other appropriate training of an agency.
Section 10
3597. Analysis and report on Federal incidents
The Director of the Cybersecurity and Infrastructure Security Agency shall perform and, in coordination with the Director and the National Cyber Director, develop, continuous monitoring and quantitative and qualitative analyses of incidents at agencies, including major incidents, including— the causes of incidents, including— attacker tactics, techniques, and procedures; and system vulnerabilities, including zero days, unpatched systems, and information system misconfigurations; the scope and scale of incidents at agencies; common root causes of incidents across multiple agencies; agency incident response, recovery, and remediation actions and the effectiveness of those actions, as applicable; lessons learned and recommendations in responding to, recovering from, remediating, and mitigating future incidents; and trends across multiple agencies to address intrusion detection and incident response capabilities using the metrics established under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)). The analyses developed under paragraph (1) shall, to the greatest extent practicable, use machine readable data, automation, and machine learning processes.
The Director of the Cybersecurity and Infrastructure Security Agency shall share on an ongoing basis the analyses and underlying data required under this subsection with agencies, the Director, and the National Cyber Director to— improve the understanding of cybersecurity risk of agencies; and support the cybersecurity improvement efforts of agencies. In carrying out subparagraph (A), the Director of the Cybersecurity and Infrastructure Security Agency shall share the analyses— in human-readable written products; and to the greatest extent practicable, in machine-readable formats in order to enable automated intake and use by agencies. This subsection shall not apply to incidents that occur exclusively on national security systems.
Not later than 2 years after the date of enactment of this section, and not less frequently than annually thereafter, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, the National Cyber Director, and the heads of other agencies, as appropriate, shall submit to the appropriate reporting entities a report that includes— a summary of causes of incidents from across the Federal Government that categorizes those incidents as incidents or major incidents; the quantitative and qualitative analyses of incidents developed under subsection (a)(1) on an agency-by-agency basis and comprehensively across the Federal Government, including— a specific analysis of breaches; and an analysis of the Federal Government’s performance against the metrics established under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)); and an annex for each agency that includes— a description of each major incident; the total number of incidents of the agency; and an analysis of the agency’s performance against the metrics established under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)).
The Director of the Cybersecurity and Infrastructure Security Agency shall make a version of each report submitted under subsection (b) publicly available on the website of the Cybersecurity and Infrastructure Security Agency during the year during which the report is submitted. The publication requirement under paragraph (1) shall not apply to a portion of a report that contains content that should be protected in the interest of national security, as determined by the Director, the Director of the Cybersecurity and Infrastructure Security Agency, or the National Cyber Director. The exemption under paragraph (2) shall not apply to any version of a report submitted to the appropriate reporting entities under subsection (b).
Subject to subparagraph (B), in making a report publicly available under paragraph (1), the Director of the Cybersecurity and Infrastructure Security Agency shall sufficiently compile information so that no specific incident of an agency can be identified. The Director of the Cybersecurity and Infrastructure Security Agency may include information that enables a specific incident of an agency to be identified in a publicly available report— with the concurrence of the Director and the National Cyber Director; in consultation with the impacted agency; and in consultation with the inspector general of the impacted agency. The analysis required under subsection (a) and each report submitted under subsection (b) shall use information provided by agencies under section 3594(a). During any year during which the head of an agency does not provide data for an incident to the Cybersecurity and Infrastructure Security Agency in accordance with section 3594(a), the head of the agency, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency and the Director, shall submit to the appropriate reporting entities a report that includes the information described in subsection (b) with respect to the agency. 
Notwithstanding any other provision of this section, the Secretary of Defense, in consultation with the Director, the National Cyber Director, the Director of National Intelligence, and the Director of Cybersecurity and Infrastructure Security, shall annually submit a report that includes the information described in subsection (b) with respect to national security systems, to the extent that the submission is consistent with standards and guidelines for national security systems issued in accordance with law and as directed by the President, to— the majority and minority leaders of the Senate; the Speaker and minority leader of the House of Representatives; the Committee on Homeland Security and Governmental Affairs of the Senate; the Select Committee on Intelligence of the Senate; the Committee on Armed Services of the Senate; the Committee on Appropriations of the Senate; the Committee on Oversight and Accountability of the House of Representatives; the Committee on Homeland Security of the House of Representatives; the Permanent Select Committee on Intelligence of the House of Representatives; the Committee on Armed Services of the House of Representatives; and the Committee on Appropriations of the House of Representatives. A report required under paragraph (1) may be submitted in a classified form.
Section 11
3598. Major incident definition
Not later than 1 year after the later of the date of enactment of the Federal Information Security Modernization Act of 2023 and the most recent publication by the Director of guidance to agencies regarding major incidents as of the date of enactment of the Federal Information Security Modernization Act of 2023, the Director shall develop, in coordination with the National Cyber Director, and promulgate guidance on the definition of the term major incident for the purposes of subchapter II and this subchapter.
With respect to the guidance issued under subsection (a), the definition of the term major incident shall— include, with respect to any information collected or maintained by or on behalf of an agency or a Federal information system— any incident the head of the agency determines is likely to result in demonstrable harm to— the national security interests, foreign relations, homeland security, or economic security of the United States; or the civil liberties, public confidence, privacy, or public health and safety of the people of the United States; any incident the head of the agency determines likely to result in an inability or substantial disruption for the agency, a component of the agency, or the Federal Government, to provide 1 or more critical services; any incident the head of the agency determines substantially disrupts or substantially degrades the operations of a high value asset owned or operated by the agency; any incident involving the exposure to a foreign entity of sensitive agency information, such as the communications of the head of the agency, the head of a component of the agency, or the direct reports of the head of the agency or the head of a component of the agency; and any other type of incident determined appropriate by the Director; stipulate that the National Cyber Director, in consultation with the Director and the Director of the Cybersecurity and Infrastructure Security Agency, may declare a major incident at any agency, and such a declaration shall be considered if it is determined that an incident— occurs at not less than 2 agencies; and is enabled by— a common technical root cause, such as a supply chain compromise, or a common software or hardware vulnerability; or the related activities of a common threat actor; stipulate that, in determining whether an incident constitutes a major incident under the standards described in paragraph (1), the head of the agency shall consult with the National Cyber Director; and stipulate that the mere report of a vulnerability discovered or disclosed without a loss of confidentiality, integrity, or availability shall not on its own constitute a major incident.
Not later than 60 days after the date on which the Director first promulgates the guidance required under subsection (a), and not less frequently than once during the first 90 days of each evenly numbered Congress thereafter, the Director shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committees on Oversight and Accountability and Homeland Security of the House of Representatives a briefing that includes— an evaluation of any necessary updates to the guidance; an evaluation of any necessary updates to the definition of the term major incident included in the guidance; and an explanation of, and the analysis that led to, the definition described in paragraph (2).
Section 12
4. Amendments to subtitle III of title 40 Subtitle G of title X of division A of the National Defense Authorization Act for Fiscal Year 2018 (40 U.S.C. 11301 note) is amended in section 1078— by striking subsection (a) and inserting the following: "In this section: The term 'agency' has the meaning given the term in section 551 of title 5, United States Code. The term 'high value asset' has the meaning given the term in section 3552 of title 44, United States Code."; in subsection (b), by adding at the end the following: "The Director shall— give consideration for the use of amounts in the Fund to improve the security of high value assets; and require that any proposal for the use of amounts in the Fund includes, as appropriate— a cybersecurity risk management plan; and a supply chain risk assessment in accordance with section 1326 of title 41."; in subsection (c)— in paragraph (2)(A)(i), by inserting ", including a consideration of the impact on high value assets" after "operational risks"; in paragraph (5)— in subparagraph (A), by striking "and" at the end; in subparagraph (B), by striking the period at the end and inserting "and"; and by adding at the end the following: "a senior official from the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, appointed by the Director."; in paragraph (6)(A), by striking "shall be—" and all that follows through "4 employees" and inserting "shall be 4 employees".

Subchapter I of chapter 113 of subtitle III of title 40, United States Code, is amended— in section 11302— in subsection (b), by striking "use, security, and disposal of" and inserting "use, and disposal of, and, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director, promote and improve the security of,"; and in subsection (h), by inserting ", including cybersecurity performances," after "the performances"; and in section 11303(b)(2)(B)— in clause (i), by striking "or" at the end; in clause (ii), by adding "or" at the end; and by adding at the end the following: "whether the function should be performed by a shared service offered by another executive agency;".

Subchapter II of chapter 113 of subtitle III of title 40, United States Code, is amended— in section 11312(a), by inserting ", including security risks" after "managing the risks"; in section 11313(1), by striking "efficiency and effectiveness" and inserting "efficiency, security, and effectiveness"; in section 11317, by inserting "security," before "or schedule"; and in section 11319(b)(1), in the paragraph heading, by striking "CIOS" and inserting "Chief Information Officers".
Section 13
5. Actions to enhance Federal incident transparency Not later than 180 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall— develop a plan for the development of the analysis required under section 3597(a) of title 44, United States Code, as added by this Act, and the report required under subsection (b) of that section that includes— a description of any challenges the Director of the Cybersecurity and Infrastructure Security Agency anticipates encountering; and the use of automation and machine-readable formats for collecting, compiling, monitoring, and analyzing data; and provide to the appropriate congressional committees a briefing on the plan developed under subparagraph (A). Not later than 1 year after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall provide to the appropriate congressional committees a briefing on— the execution of the plan required under paragraph (1)(A); and the development of the report required under section 3597(b) of title 44, United States Code, as added by this Act.

Section 2 of the Federal Information Security Modernization Act of 2014 (Public Law 113–283; 128 Stat. 3073) is amended— by striking subsections (b) and (d); and by redesignating subsections (c), (e), and (f) as subsections (b), (c), and (d), respectively.

The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall develop, and as appropriate update, guidance on the content, timeliness, and format of the information provided by agencies under section 3594(a) of title 44, United States Code, as added by this Act. The guidance developed under subparagraph (A) shall— enable the efficient development of— lessons learned and recommendations in responding to, recovering from, remediating, and mitigating future incidents; and the report on Federal incidents required under section 3597(b) of title 44, United States Code, as added by this Act; and include requirements for the timeliness of data production. The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall promote, as feasible, the use of automation and machine-readable data for data sharing under section 3594(a) of title 44, United States Code, as added by this Act.

Not later than 1 year after the date of enactment of this Act, the Director shall issue guidance to agencies on how to deconflict, to the greatest extent practicable, existing regulations, policies, and procedures relating to the responsibilities of contractors and awardees established under section 3595 of title 44, United States Code, as added by this Act. To the greatest extent practicable, the guidance issued under subparagraph (A) shall allow contractors and awardees to use existing processes for notifying agencies of incidents involving information of the Federal Government.

Section 552a(b) of title 5, United States Code (commonly known as the Privacy Act of 1974) is amended— in paragraph (11), by striking "or" at the end; in paragraph (12), by striking the period at the end and inserting "; or"; and by adding at the end the following: "to another agency, to the extent necessary, to assist the recipient agency in responding to an incident (as defined in section 3552 of title 44) or breach (as defined in section 3591 of title 44) or to fulfill the information sharing requirements under section 3594 of title 44."
Section 14
6. Additional guidance to agencies on FISMA updates Not later than 1 year after the date of enactment of this Act, the Director shall issue guidance for agencies on— performing the ongoing and continuous agency system risk assessment required under section 3554(a)(1)(A) of title 44, United States Code, as amended by this Act; and establishing a process for securely providing the status of each remedial action for high value assets under section 3554(b)(7) of title 44, United States Code, as amended by this Act, to the Director and the Director of the Cybersecurity and Infrastructure Security Agency using automation and machine-readable data, as practicable, which shall include— specific guidance for the use of automation and machine-readable data; and templates for providing the status of the remedial action. The head of each agency shall coordinate with the inspector general of the agency, as applicable, to ensure consistent understanding of agency policies for the purpose of evaluations conducted by the inspector general.
Section 15
7. Agency requirements to notify private sector entities impacted by incidents In this section: The term "reporting entity" means a private organization or governmental unit that is required by statute or regulation to submit sensitive information to an agency. The term "sensitive information" has the meaning given the term by the Director in guidance issued under subsection (b). Not later than 1 year after the date of enactment of this Act, the Director shall develop, in consultation with the National Cyber Director, and issue guidance requiring the head of each agency to notify a reporting entity, and take into consideration the need to coordinate with Sector Risk Management Agencies (as defined in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650)), as appropriate, of an incident at the agency that is likely to substantially affect— the confidentiality or integrity of sensitive information submitted by the reporting entity to the agency pursuant to a statutory or regulatory requirement; or any information system (as defined in section 3502 of title 44, United States Code) used in the transmission or storage of the sensitive information described in paragraph (1).
Section 16
8. Mobile security briefings Not later than 180 days after the date of enactment of this Act, the Director shall provide to the appropriate congressional committees— a briefing on the compliance of agencies with the No TikTok on Government Devices Act (44 U.S.C. 3553 note; Public Law 117–328); and as a component of the briefing required under paragraph (1), a list of each exception of an agency from the No TikTok on Government Devices Act (44 U.S.C. 3553 note; Public Law 117–328), which may include a classified annex. Not later than 1 year after the date of the briefing required under subsection (a)(1), the Director shall provide to the appropriate congressional committees— a briefing on the compliance of any agency that was not compliant with the No TikTok on Government Devices Act (44 U.S.C. 3553 note; Public Law 117–328) at the time of the briefing required under subsection (a)(1); and as a component of the briefing required under paragraph (1), an update to the list required under subsection (a)(2).
Section 17
9. Data and logging retention for incident response Not later than 2 years after the date of enactment of this Act, the Director, in consultation with the National Cyber Director and the Director of the Cybersecurity and Infrastructure Security Agency, shall update guidance to agencies regarding requirements for logging, log retention, log management, sharing of log data with other appropriate agencies, or any other logging activity determined to be appropriate by the Director. The Secretary of Defense shall issue guidance that meets or exceeds the standards required in guidance issued under subsection (a) for National Security Systems.
Section 18
10. CISA agency liaisons Not later than 120 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall assign not less than 1 cybersecurity professional employed by the Cybersecurity and Infrastructure Security Agency to be the Cybersecurity and Infrastructure Security Agency liaison to the Chief Information Security Officer of each agency. Each liaison assigned under subsection (a) shall have knowledge of— cybersecurity threats facing agencies, including any specific threats to the assigned agency; risk assessments of agency systems; and other Federal cybersecurity initiatives. The duties of each liaison assigned under subsection (a) shall include— providing, as requested, assistance and advice to the agency Chief Information Security Officer; supporting, as requested, incident response coordination between the assigned agency and the Cybersecurity and Infrastructure Security Agency; becoming familiar with assigned agency systems, processes, and procedures to better facilitate support to the agency; and other liaison duties to the assigned agency solely in furtherance of Federal cybersecurity or support to the assigned agency as a Sector Risk Management Agency, as assigned by the Director of the Cybersecurity and Infrastructure Security Agency in consultation with the head of the assigned agency. A liaison assigned under subsection (a) shall not be a contractor. One individual liaison may be assigned to multiple agency Chief Information Security Officers under subsection (a). The Director of the Cybersecurity and Infrastructure Security Agency shall consult with the Director on the execution of the duties of the Cybersecurity and Infrastructure Security Agency liaisons to ensure that there is no inappropriate duplication of activities among— Federal cybersecurity support to agencies of the Office of Management and Budget; and the Cybersecurity and Infrastructure Security Agency liaison. Nothing in this section shall be construed to impact the ability of the Director to support agency implementation of Federal cybersecurity requirements pursuant to subchapter II of chapter 35 of title 44, United States Code, as amended by this Act.
Section 19
11. Federal penetration testing policy Subchapter II of chapter 35 of title 44, United States Code, is amended by adding at the end the following: "3559A. Federal penetration testing. The Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall issue guidance to agencies that— requires agencies to perform penetration testing on information systems, as appropriate, including on high value assets; provides policies governing the development of— rules of engagement for using penetration testing; and procedures to use the results of penetration testing to improve the cybersecurity and risk management of the agency; ensures that operational support or a shared service is available; and in no manner restricts the authority of the Secretary of Homeland Security or the Director of the Cybersecurity and Infrastructure Security Agency to conduct threat hunting pursuant to section 3553 of title 44, United States Code, or penetration testing under this chapter. The guidance issued under subsection (a) shall not apply to national security systems. The authorities of the Director described in subsection (a) shall be delegated to— the Secretary of Defense in the case of a system described in section 3553(e)(2); and the Director of National Intelligence in the case of a system described in section 3553(e)(3)."

Compliance with guidance issued by the Director relating to penetration testing before the date of enactment of this Act shall be deemed to be compliance with section 3559A of title 44, United States Code, as added by this Act. Nothing in section 3559A of title 44, United States Code, as added by this Act, shall be construed to require the Director to issue new guidance to agencies relating to penetration testing before the date described in paragraph (3). Notwithstanding paragraphs (1) and (2), not later than 2 years after the date of enactment of this Act, the Director shall review and, as appropriate, update existing guidance requiring penetration testing by agencies.

The table of sections for chapter 35 of title 44, United States Code, is amended by adding after the item relating to section 3559 the following: "3559A. Federal penetration testing."

Section 3553(b) of title 44, United States Code, as amended by this Act, is further amended by inserting after paragraph (8) the following: "performing penetration testing that may leverage manual expert analysis to identify threats and vulnerabilities within information systems— without consent or authorization from agencies; and with prior notification to the head of the agency;".
Section 20
3559A. Federal penetration testing The Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall issue guidance to agencies that— requires agencies to perform penetration testing on information systems, as appropriate, including on high value assets; provides policies governing the development of— rules of engagement for using penetration testing; and procedures to use the results of penetration testing to improve the cybersecurity and risk management of the agency; ensures that operational support or a shared service is available; and in no manner restricts the authority of the Secretary of Homeland Security or the Director of the Cybersecurity and Infrastructure Security Agency to conduct threat hunting pursuant to section 3553 of title 44, United States Code, or penetration testing under this chapter. The guidance issued under subsection (a) shall not apply to national security systems. The authorities of the Director described in subsection (a) shall be delegated to— the Secretary of Defense in the case of a system described in section 3553(e)(2); and the Director of National Intelligence in the case of a system described in section 3553(e)(3).
Section 21
12. Vulnerability disclosure policies Chapter 35 of title 44, United States Code, is amended by inserting after section 3559A, as added by this Act, the following: "3559B. Federal vulnerability disclosure policies. The purpose of Federal vulnerability disclosure policies is to create a mechanism to enable the public to inform agencies of vulnerabilities in Federal information systems. It is the sense of Congress that, in implementing the requirements of this section, the Federal Government should take appropriate steps to reduce real and perceived burdens in communications between agencies and security researchers.

In this section: The term 'contractor' has the meaning given the term in section 3591. The term 'internet of things' has the meaning given the term in Special Publication 800–213 of the National Institute of Standards and Technology, entitled IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements, or any successor document. The term 'security vulnerability' has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501). The term 'submitter' means an individual that submits a vulnerability disclosure report pursuant to the vulnerability disclosure process of an agency. The term 'vulnerability disclosure report' means a disclosure of a security vulnerability made to an agency by a submitter.

The Director shall issue guidance to agencies that includes— use of the information system security vulnerabilities disclosure process guidelines established under section 4(a)(1) of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3b(a)(1)); direction to not recommend or pursue legal action against a submitter or an individual that conducts a security research activity that— represents a good faith effort to identify and report security vulnerabilities in information systems; or otherwise represents a good faith effort to follow the vulnerability disclosure policy of the agency developed under subsection (f)(2); direction on sharing relevant information in a consistent, automated, and machine readable manner with the Director of the Cybersecurity and Infrastructure Security Agency; the minimum scope of agency systems required to be covered by the vulnerability disclosure policy of an agency required under subsection (f)(2), including exemptions under subsection (g); requirements for providing information to the submitter of a vulnerability disclosure report on the resolution of the vulnerability disclosure report; a stipulation that the mere identification by a submitter of a security vulnerability, without a significant compromise of confidentiality, integrity, or availability, does not constitute a major incident; and the applicability of the guidance to Internet of things devices owned or controlled by an agency. In developing the guidance required under subsection (c)(3), the Director shall consult with the Director of the Cybersecurity and Infrastructure Security Agency.

The Director of the Cybersecurity and Infrastructure Security Agency shall— provide support to agencies with respect to the implementation of the requirements of this section; develop tools, processes, and other mechanisms determined appropriate to offer agencies capabilities to implement the requirements of this section; upon a request by an agency, assist the agency in the disclosure to vendors of newly identified security vulnerabilities in vendor products and services; and as appropriate, implement the requirements of this section, in accordance with the authority under section 3553(b)(8), as a shared service available to agencies.

The head of each agency shall make publicly available, with respect to each internet domain under the control of the agency that is not a national security system and to the extent consistent with the security of information systems but with the presumption of disclosure— an appropriate security contact; and the component of the agency that is responsible for the internet accessible services offered at the domain. The head of each agency shall develop and make publicly available a vulnerability disclosure policy for the agency, which shall— describe— the scope of the systems of the agency included in the vulnerability disclosure policy, including for Internet of things devices owned or controlled by the agency; the type of information system testing that is authorized by the agency; the type of information system testing that is not authorized by the agency; the disclosure policy for a contractor; and the disclosure policy of the agency for sensitive information; with respect to a vulnerability disclosure report to an agency, describe— how the submitter should submit the vulnerability disclosure report; and if the report is not anonymous, when the reporter should anticipate an acknowledgment of receipt of the report by the agency; include any other relevant information; and be mature in scope and cover every internet accessible information system used or operated by that agency or on behalf of that agency. The head of each agency shall— consider security vulnerabilities reported in accordance with paragraph (2); commensurate with the risk posed by the security vulnerability, address such security vulnerability using the security vulnerability management process of the agency; and in accordance with subsection (c)(5), provide information to the submitter of a vulnerability disclosure report.

The Director and the head of each agency shall carry out this section in a manner consistent with the protection of national security information. The Director and the head of each agency may not publish under subsection (f)(1) or include in a vulnerability disclosure policy under subsection (f)(2) host names, services, information systems, or other information that the Director or the head of an agency, in coordination with the Director and other appropriate heads of agencies, determines would— disrupt a law enforcement investigation; endanger national security or intelligence activities; or impede national defense activities or military operations. This section shall not apply to national security systems. The authorities of the Director and the Director of the Cybersecurity and Infrastructure Security Agency described in this section shall be delegated— to the Secretary of Defense in the case of systems described in section 3553(e)(2); and to the Director of National Intelligence in the case of systems described in section 3553(e)(3). The Federal Acquisition Regulation shall be revised as necessary to implement the provisions under this section."

The table of sections for chapter 35 of title 44, United States Code, is amended by adding after the item relating to section 3559A, as added by this Act, the following: "3559B. Federal vulnerability disclosure policies."

Section 5 of the IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3c) is amended by striking subsections (d) and (e). The IoT Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3a et seq.) is amended— by striking section 6 (15 U.S.C. 278g–3d); and by striking section 7 (15 U.S.C. 278g–3e).
Section 23
13. Implementing zero trust architecture

Not later than 1 year after the date of enactment of this Act, the Director shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committees on Oversight and Accountability and Homeland Security of the House of Representatives a briefing on progress in increasing the internal defenses of agency systems, including—
shifting away from trusted networks to implement security controls based on a presumption of compromise, including through the transition to zero trust architecture;
implementing principles of least privilege in administering information security programs;
limiting the ability of entities that cause incidents to move laterally through or between agency systems;
identifying incidents quickly;
isolating and removing unauthorized entities from agency systems as quickly as practicable, accounting for intelligence or law enforcement purposes; and
otherwise increasing the resource costs for entities that cause incidents to be successful.

As a part of each report required to be submitted under section 3553(c) of title 44, United States Code, during the period beginning on the date that is 4 years after the date of enactment of this Act and ending on the date that is 10 years after the date of enactment of this Act, the Director shall include an update on agency implementation of zero trust architecture, which shall include—
a description of steps agencies have completed, including progress toward achieving any requirements issued by the Director, including the adoption of any models or reference architecture;
an identification of activities that have not yet been completed and that would have the most immediate security impact; and
a schedule to implement any planned activities.

Each update required under subsection (b) may include 1 or more annexes that contain classified or other sensitive information, as appropriate.

Not later than 1 year after the date of enactment of this Act, the Secretary of Defense shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Oversight and Accountability of the House of Representatives, the Committee on Armed Services of the Senate, the Committee on Armed Services of the House of Representatives, the Select Committee on Intelligence of the Senate, and the Permanent Select Committee on Intelligence of the House of Representatives a briefing on the implementation of zero trust architecture with respect to national security systems.

Not later than the date on which each update is required to be submitted under subsection (b), the Secretary of Defense shall submit to the congressional committees described in paragraph (1) a progress report on the implementation of zero trust architecture with respect to national security systems.
Section 24
14. Automation and artificial intelligence

In this section, the term information system has the meaning given the term in section 3502 of title 44, United States Code.

As appropriate, the Director shall issue guidance on the use of artificial intelligence by agencies to improve the cybersecurity of information systems.

The Director and head of each agency shall consider the use and capabilities of artificial intelligence systems wherever automation is used in furtherance of the cybersecurity of information systems.

Not later than 1 year after the date of enactment of this Act, and annually thereafter until the date that is 5 years after the date of enactment of this Act, the Director shall submit to the appropriate congressional committees a report on the use of artificial intelligence to further the cybersecurity of information systems.

Not later than 2 years after the date of enactment of this Act, the Comptroller General of the United States shall submit to the appropriate congressional committees a report on the risks to the privacy of individuals and the cybersecurity of information systems associated with the use by Federal agencies of artificial intelligence systems or capabilities.

Not later than 2 years after the date of enactment of this Act, the Comptroller General of the United States shall perform a study, and submit to the Committees on Homeland Security and Governmental Affairs and Commerce, Science, and Transportation of the Senate and the Committees on Oversight and Accountability, Homeland Security, and Science, Space, and Technology of the House of Representatives a report, on the use of automation, including artificial intelligence, and machine-readable data across the Federal Government for cybersecurity purposes, including the automated updating of cybersecurity tools, sensors, or processes employed by agencies under paragraphs (1), (5)(C), and (8)(B) of section 3554(b) of title 44, United States Code, as amended by this Act.
Section 25
15. Extension of chief data officer council

Section 3520A(e)(2) of title 44, United States Code, is amended by striking "upon the expiration of the 2-year period that begins on the date the Comptroller General submits the report under paragraph (1) to Congress" and inserting "December 31, 2031".
Section 26
16. Council of the inspectors general on integrity and efficiency dashboard

Section 424(e) of title 5, United States Code, is amended—
in paragraph (2)—
in subparagraph (A), by striking "and" at the end;
by redesignating subparagraph (B) as subparagraph (C);
by inserting after subparagraph (A) the following:
"(B) that shall include a dashboard of open information security recommendations identified in the independent evaluations required by section 3555(a) of title 44; and"; and
by adding at the end the following:
"(5) Rule of construction
Nothing in this subsection shall be construed to require the publication of information that is exempted from disclosure under section 552 of this title."
Section 27
17. Security operations center shared service

Not later than 180 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security and the Committee on Oversight and Accountability of the House of Representatives a briefing on—
existing security operations center shared services;
the capability for such shared service to offer centralized and simultaneous support to multiple agencies;
the capability for such shared service to integrate with or support agency threat hunting activities authorized under section 3553 of title 44, United States Code, as amended by this Act;
the capability for such shared service to integrate with or support Federal vulnerability management activities; and
future plans for expansion and maturation of such shared service.

Not less than 540 days after the date of enactment of this Act, the Comptroller General of the United States shall submit to the appropriate congressional committees a report on Federal cybersecurity security operations centers that—
identifies Federal agency best practices for efficiency and effectiveness;
identifies non-Federal best practices used by large entity operations centers and entities providing operation centers as a service; and
includes recommendations for the Cybersecurity and Infrastructure Security Agency and any other relevant agency to improve the efficiency and effectiveness of security operations centers shared service offerings.
Section 28
18. Federal cybersecurity requirements

Section 225 of the Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1523) is amended by striking subsections (b) and (c).

Section 3554 of title 44, United States Code, as amended by this Act, is further amended by adding at the end the following:
"(f) Specific cybersecurity requirements at agencies
(1) In general
Consistent with policies, standards, guidelines, and directives on information security under this subchapter, and except as provided under paragraph (3), the head of each agency shall—
(A) identify sensitive and mission critical data stored by the agency consistent with the inventory required under section 3505(c);
(B) assess access controls to the data described in subparagraph (A), the need for readily accessible storage of the data, and the need of individuals to access the data;
(C) encrypt or otherwise render indecipherable to unauthorized users the data described in subparagraph (A) that is stored on or transiting agency information systems;
(D) implement a single sign-on trusted identity platform for individuals accessing each public website of the agency that requires user authentication, as developed by the Administrator of General Services in collaboration with the Secretary; and
(E) implement identity management consistent with section 504 of the Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7464), including multi-factor authentication, for—
(i) remote access to an information system; and
(ii) each user account with elevated privileges on an information system.
(2) Prohibition
(A) Definition
In this paragraph, the term Internet of things has the meaning given the term in section 3559B.
(B) Prohibition
Consistent with policies, standards, guidelines, and directives on information security under this subchapter, and except as provided under paragraph (3), the head of an agency may not procure, obtain, renew a contract to procure or obtain in any amount, notwithstanding section 1905 of title 41, United States Code, or use an Internet of things device if the Chief Information Officer of the agency determines during a review required under section 11319(b)(1)(C) of title 40 of a contract for an Internet of things device that the use of the device prevents compliance with the standards and guidelines developed under section 4 of the IoT Cybersecurity Improvement Act (15 U.S.C. 278g–3b) with respect to the device.
(3) Exception
The requirements under paragraph (1) shall not apply to an information system for which—
(A) the head of the agency, without delegation, has certified to the Director with particularity that—
(i) operational requirements articulated in the certification and related to the information system would make it excessively burdensome to implement the cybersecurity requirement;
(ii) the cybersecurity requirement is not necessary to secure the information system or agency information stored on or transiting it; and
(iii) the agency has taken all necessary steps to secure the information system and agency information stored on or transiting it; and
(B) the head of the agency has submitted the certification described in subparagraph (A) to the appropriate congressional committees and the authorizing committees of the agency.
(4) Duration of certification
(A) In general
A certification and corresponding exemption of an agency under paragraph (3) shall expire on the date that is 4 years after the date on which the head of the agency submits the certification under paragraph (3)(A).
(B) Renewal
Upon the expiration of a certification of an agency under paragraph (3), the head of the agency may submit an additional certification in accordance with that paragraph.
(5) Rules of construction
Nothing in this subsection shall be construed—
(A) to alter the authority of the Secretary, the Director, or the Director of the National Institute of Standards and Technology in implementing subchapter II of this title;
(B) to affect the standards or process of the National Institute of Standards and Technology;
(C) to affect the requirement under section 3553(a)(4); or
(D) to discourage continued improvements and advancements in the technology, standards, policies, and guidelines used to promote Federal information security.
(g) Exception
(1) Requirements
The requirements under subsection (f)(1) shall not apply to—
(A) the Department of Defense;
(B) a national security system; or
(C) an element of the intelligence community.
(2) Prohibition
The prohibition under subsection (f)(2) shall not apply to—
(A) Internet of things devices that are or comprise a national security system;
(B) national security systems; or
(C) a procured Internet of things device described in subsection (f)(2)(B) that the Chief Information Officer of an agency determines is—
(i) necessary for research purposes; or
(ii) secured using alternative and effective methods appropriate to the function of the Internet of things device."

Section 3554(c)(1) of title 44, United States Code, as amended by this Act, is further amended—
in subparagraph (C), by striking "and" at the end;
in subparagraph (D), by striking the period at the end and inserting "; and"; and
by adding at the end the following:
"(E) with respect to any exemption from the requirements of subsection (f)(3) that is effective on the date of submission of the report, the number of information systems that have received an exemption from those requirements."

Paragraph (3) of section 3554(f) of title 44, United States Code, as added by this Act, shall take effect on the date that is 1 year after the date of enactment of this Act.

Section 222(3)(B) of the Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1521(3)(B)) is amended by inserting "and the Committee on Oversight and Accountability" before "of the House of Representatives".
Section 29
19. Federal chief information security officer

Chapter 36 of title 44, United States Code, is amended by adding at the end the following:
"3617. Federal chief information security officer
(a) Establishment
There is established a Federal Chief Information Security Officer, who shall serve in—
(1) the Office of the Federal Chief Information Officer of the Office of Management and Budget; and
(2) the Office of the National Cyber Director.
(b) Appointment
The Federal Chief Information Security Officer shall be appointed by the President.
(c) OMB duties
The Federal Chief Information Security Officer shall report to the Federal Chief Information Officer and assist the Federal Chief Information Officer in carrying out—
(1) every function under this chapter;
(2) every function assigned to the Director under title II of the E–Government Act of 2002 (44 U.S.C. 3501 note; Public Law 107–347);
(3) other electronic government initiatives consistent with other statutes; and
(4) other Federal cybersecurity initiatives determined by the Federal Chief Information Officer.
(d) Additional duties
The Federal Chief Information Security Officer shall—
(1) support the Federal Chief Information Officer in overseeing and implementing Federal cybersecurity under the E–Government Act of 2002 (Public Law 107–347; 116 Stat. 2899) and other relevant statutes in a manner consistent with law; and
(2) perform every function assigned to the Director under sections 1321 through 1328 of title 41, United States Code.
(e) Coordination with ONCD
The Federal Chief Information Security Officer shall support initiatives determined by the Federal Chief Information Officer necessary to coordinate with the Office of the National Cyber Director."

Section 1752 of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (6 U.S.C. 1500) is amended—
by redesignating subsection (g) as subsection (h); and
by inserting after subsection (f) the following:
"(g) Senior Federal Cybersecurity Officer
The Federal Chief Information Security Officer appointed by the President under section 3617 of title 44, United States Code, shall be a senior official within the Office and carry out duties applicable to the protection of information technology (as defined in section 11101 of title 40, United States Code), including initiatives determined by the Director necessary to coordinate with the Office of the Federal Chief Information Officer."

The individual serving as the Federal Chief Information Security Officer appointed by the President as of the date of the enactment of this Act may serve as the Federal Chief Information Security Officer under section 3617 of title 44, United States Code, as added by this Act, beginning on the date of enactment of this Act, without need for a further or additional appointment under such section.

The table of sections for chapter 36 of title 44, United States Code, is amended by adding at the end the following:
"Sec. 3617. Federal chief information security officer."
Section 31
20. Renaming office of the Federal Chief Information Officer Section 3601 of title 44, United States Code, is amended— by striking paragraph (1); and by redesignating paragraphs (2) through (8) as paragraphs (1) through (7), respectively. Section 2222(i)(6) of title 10, United States Code, is amended by striking section 3601(4) and inserting section 3601. Section 506D(k)(1) of the National Security Act of 1947 (50 U.S.C. 3100(k)(1)) is amended by striking section 3601(4) and inserting section 3601. Section 3602 of title 44, United States Code, is amended— in the heading, by striking Office of Electronic Government and inserting Office of the Federal Chief Information Officer; in subsection (a), by striking Office of Electronic Government and inserting Office of the Federal Chief Information Officer; in subsection (b), by striking an Administrator and inserting a Federal Chief Information Officer; in subsection (c), in the matter preceding paragraph (1), by striking The Administrator and inserting The Federal Chief Information Officer; in subsection (d), in the matter preceding paragraph (1), by striking The Administrator and inserting The Federal Chief Information Officer; in subsection (e), in the matter preceding paragraph (1), by striking The Administrator and inserting The Federal Chief Information Officer; in subsection (f)— in the matter preceding paragraph (1), by striking the Administrator and inserting the Federal Chief Information Officer; in paragraph (16), by striking the Office of Electronic Government and inserting the Office of the Federal Chief Information Officer; and in subsection (g), by striking the Office of Electronic Government and inserting the Office of the Federal Chief Information Officer. 
Section 3603 of title 44, United States Code, is amended— in subsection (b)(2), by striking The Administrator of the Office of Electronic Government and inserting The Federal Chief Information Officer; in subsection (c)(1), by striking The Administrator of the Office of Electronic Government and inserting The Federal Chief Information Officer; and in subsection (f)— in paragraph (3), by striking the Administrator and inserting the Federal Chief Information Officer; and in paragraph (5), by striking the Administrator and inserting the Federal Chief Information Officer. Section 3604 of title 44, United States Code, is amended— in subsection (a)(2), by striking the Administrator of the Office of Electronic Government and inserting the Federal Chief Information Officer; in subsection (b), by striking Administrator each place it appears and inserting Federal Chief Information Officer; and in subsection (c), in the matter preceding paragraph (1), by striking the Administrator and inserting the Federal Chief Information Officer. Section 3605 of title 44, United States Code, is amended— in subsection (a), by striking The Administrator and inserting The Federal Chief Information Officer; in subsection (b), by striking , the Administrator, and inserting , the Federal Chief Information Officer,; and in subsection (c)— in paragraph (1)— by striking The Administrator and inserting The Federal Chief Information Officer; and by striking proposals submitted to the Administrator and inserting proposals submitted to the Federal Chief Information Officer; in paragraph (2)(B), by striking the Administrator and inserting the Federal Chief Information Officer; and in paragraph (4), by striking the Administrator and inserting the Federal Chief Information Officer. Section 3606 of title 44, United States Code, is amended in the section heading by striking E-Government and inserting Annual. 
The individual serving as the Administrator of the Office of Electronic Government under section 3602 of title 44, United States Code, as of the date of the enactment of this Act, may continue to serve as the Federal Chief Information Officer commencing as of that date, without need for a further or additional appointment under such section. The table of sections for chapter 36 of title 44, United States Code, is amended— by striking the item relating to section 3602 and inserting the following: 3602. Office of the Federal Chief Information Officer.; and in the item relating to section 3606, by striking E–Government and inserting Annual. Any reference to the Administrator of the Office of Electronic Government in any law, regulation, map, document, record, or other paper of the United States shall be deemed to be a reference to the Federal Chief Information Officer. Any reference to the Office of Electronic Government in any law, regulation, map, document, record, or other paper of the United States shall be deemed to be a reference to the Office of the Federal Chief Information Officer.
Section 32
21. Rules of construction Nothing in this Act, or an amendment made by this Act, shall be construed to authorize the head of an agency to take an action that is not authorized by this Act, an amendment made by this Act, or existing law. Nothing in this Act, or an amendment made by this Act, shall be construed to permit the violation of the rights of any individual protected by the Constitution of the United States, including through censorship of speech protected by the Constitution of the United States or unauthorized surveillance.