This Act may be cited as the “Strengthening American Cybersecurity Act of 2022”.

The table of contents for this Act is as follows:

Sec. 1. Short title.
Sec. 2. Table of contents.

This title may be cited as the “Federal Information Security Modernization Act of 2022”.

In this title, unless otherwise specified:

(1) ADDITIONAL CYBERSECURITY PROCEDURE.—The term “additional cybersecurity procedure” has the meaning given the term in section 3552(b) of title 44, United States Code, as amended by this title.

(2) AGENCY.—The term “agency” has the meaning given the term in section 3502 of title 44, United States Code.

(3) APPROPRIATE CONGRESSIONAL COMMITTEES.—The term “appropriate congressional committees” means—

(A) the Committee on Homeland Security and Governmental Affairs of the Senate;

(B) the Committee on Oversight and Reform of the House of Representatives; and

(C) the Committee on Homeland Security of the House of Representatives.

(4) DIRECTOR.—The term “Director” means the Director of the Office of Management and Budget.

(5) INCIDENT.—The term “incident” has the meaning given the term in section 3552(b) of title 44, United States Code.

(6) NATIONAL SECURITY SYSTEM.—The term “national security system” has the meaning given the term in section 3552(b) of title 44, United States Code.

(7) PENETRATION TEST.—The term “penetration test” has the meaning given the term in section 3552(b) of title 44, United States Code, as amended by this title.

(8) THREAT HUNTING.—The term “threat hunting” means proactively and iteratively searching systems for threats that evade detection by automated threat detection systems.

(a) Subchapter I amendments.—Subchapter I of chapter 35 of title 44, United States Code, is amended—

(1) in section 3504—

(A) in subsection (a)(1)(B)—

(i) by striking clause (v) and inserting the following:

“(v) confidentiality, privacy, disclosure, and sharing of information;”;

(ii) by redesignating clause (vi) as clause (vii); and

(iii) by inserting after clause (v) the following:

“(vi) in consultation with the National Cyber Director, security of information; and”; and

(B) in subsection (g), by striking paragraph (1) and inserting the following:

“(1) develop and oversee the implementation of policies, principles, standards, and guidelines on privacy, confidentiality, disclosure, and sharing, and in consultation with the National Cyber Director, oversee the implementation of policies, principles, standards, and guidelines on security, of information collected or maintained by or for agencies; and”;

(2) in section 3505—

(A) by striking the first subsection designated as subsection (c);

(B) in paragraph (2) of the second subsection designated as subsection (c), by inserting “an identification of internet accessible information systems and” after “an inventory under this subsection shall include”;

(C) in paragraph (3) of the second subsection designated as subsection (c)—

(i) in subparagraph (B)—

(I) by inserting “the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, and” before “the Comptroller General”; and

(II) by striking “and” at the end;

(ii) in subparagraph (C)(v), by striking the period at the end and inserting “; and”; and

(iii) by adding at the end the following:

“(D) maintained on a continual basis through the use of automation, machine-readable data, and scanning, wherever practicable.”;

(3) in section 3506—

(A) in subsection (a)(3), by inserting “In carrying out these duties, the Chief Information Officer shall coordinate, as appropriate, with the Chief Data Officer in accordance with the designated functions under section 3520(c).” after “reduction of information collection burdens on the public.”;

(B) in subsection (b)(1)(C), by inserting “, availability” after “integrity”; and

(C) in subsection (h)(3), by inserting “security,” after “efficiency,”; and

(4) in section 3513—

(A) by redesignating subsection (c) as subsection (d); and

(B) by inserting after subsection (b) the following:

“(c) Each agency providing a written plan under subsection (b) shall provide any portion of the written plan addressing information security to the Secretary of the Department of Homeland Security and the National Cyber Director.”.

(b) Subchapter II definitions.—

(1) IN GENERAL.—Section 3552(b) of title 44, United States Code, is amended—

(A) by redesignating paragraphs (1), (2), (3), (4), (5), (6), and (7) as paragraphs (2), (4), (5), (6), (7), (9), and (11), respectively;

(B) by inserting before paragraph (2), as so redesignated, the following:

“(1) The term ‘additional cybersecurity procedure’ means a process, procedure, or other activity that is established in excess of the information security standards promulgated under section 11331(b) of title 40 to increase the security and reduce the cybersecurity risk of agency systems.”;

(C) by inserting after paragraph (2), as so redesignated, the following:

“(3) The term ‘high value asset’ means information or an information system that the head of an agency, using policies, principles, standards, or guidelines issued by the Director under section 3553(a), determines to be so critical to the agency that the loss or corruption of the information or the loss of access to the information system would have a serious impact on the ability of the agency to perform the mission of the agency or conduct business.”;

(D) by inserting after paragraph (7), as so redesignated, the following:

“(8) The term ‘major incident’ has the meaning given the term in guidance issued by the Director under section 3598(a).”;

(E) by inserting after paragraph (9), as so redesignated, the following:

“(10) The term ‘penetration test’—

“(A) means an authorized assessment that emulates attempts to gain unauthorized access to, or disrupt the operations of, an information system or component of an information system; and

“(B) includes any additional meaning given the term in policies, principles, standards, or guidelines issued by the Director under section 3553(a).”; and

(F) by inserting after paragraph (11), as so redesignated, the following:

“(12) The term ‘shared service’ means a centralized business or mission capability that is provided to multiple organizations within an agency or to multiple agencies.”.

(2) CONFORMING AMENDMENTS.—

(A) HOMELAND SECURITY ACT OF 2002.—Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(1)(A)) is amended by striking “section 3552(b)(5)” and inserting “section 3552(b)”.

(B) TITLE 10.—

(i) SECTION 2222.—Section 2222(i)(8) of title 10, United States Code, is amended by striking “section 3552(b)(6)(A)” and inserting “section 3552(b)(9)(A)”.

(ii) SECTION 2223.—Section 2223(c)(3) of title 10, United States Code, is amended by striking “section 3552(b)(6)” and inserting “section 3552(b)”.

(iii) SECTION 2315.—Section 2315 of title 10, United States Code, is amended by striking “section 3552(b)(6)” and inserting “section 3552(b)”.

(iv) SECTION 2339A.—Section 2339a(e)(5) of title 10, United States Code, is amended by striking “section 3552(b)(6)” and inserting “section 3552(b)”.

(C) HIGH-PERFORMANCE COMPUTING ACT OF 1991.—Section 207(a) of the High-Performance Computing Act of 1991 (15 U.S.C. 5527(a)) is amended by striking “section 3552(b)(6)(A)(i)” and inserting “section 3552(b)(9)(A)(i)”.

(D) INTERNET OF THINGS CYBERSECURITY IMPROVEMENT ACT OF 2020.—Section 3(5) of the Internet of Things Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–3a) is amended by striking “section 3552(b)(6)” and inserting “section 3552(b)”.

(E) NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2013.—Section 933(e)(1)(B) of the National Defense Authorization Act for Fiscal Year 2013 (10 U.S.C. 2224 note) is amended by striking “section 3542(b)(2)” and inserting “section 3552(b)”.

(F) IKE SKELTON NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2011.—The Ike Skelton National Defense Authorization Act for Fiscal Year 2011 (Public Law 111–383) is amended—

(i) in section 806(e)(5) (10 U.S.C. 2304 note), by striking “section 3542(b)” and inserting “section 3552(b)”;

(ii) in section 931(b)(3) (10 U.S.C. 2223 note), by striking “section 3542(b)(2)” and inserting “section 3552(b)”; and

(iii) in section 932(b)(2) (10 U.S.C. 2224 note), by striking “section 3542(b)(2)” and inserting “section 3552(b)”.

(G) E-GOVERNMENT ACT OF 2002.—Section 301(c)(1)(A) of the E-Government Act of 2002 (44 U.S.C. 3501 note) is amended by striking “section 3542(b)(2)” and inserting “section 3552(b)”.

(H) NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY ACT.—Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) is amended—

(i) in subsection (a)(2), by striking “section 3552(b)(5)” and inserting “section 3552(b)”; and

(ii) in subsection (f)—

(I) in paragraph (3), by striking “section 3532(1)” and inserting “section 3552(b)”; and

(II) in paragraph (5), by striking “section 3532(b)(2)” and inserting “section 3552(b)”.

(c) Subchapter II amendments.—Subchapter II of chapter 35 of title 44, United States Code, is amended—

(1) in section 3551—

(A) in paragraph (4), by striking “diagnose and improve” and inserting “integrate, deliver, diagnose, and improve”;

(B) in paragraph (5), by striking “and” at the end;

(C) in paragraph (6), by striking the period at the end and inserting a semi colon; and

(D) by adding at the end the following:

“(7) recognize that each agency has specific mission requirements and, at times, unique cybersecurity requirements to meet the mission of the agency;

“(8) recognize that each agency does not have the same resources to secure agency systems, and an agency should not be expected to have the capability to secure the systems of the agency from advanced adversaries alone; and

“(9) recognize that a holistic Federal cybersecurity model is necessary to account for differences between the missions and capabilities of agencies.”;

(2) in section 3553—

(A) in subsection (a)—

(i) in paragraph (1), by inserting “, in consultation with the Secretary and the National Cyber Director,” before “overseeing”;

(ii) in paragraph (5), by striking “and” at the end; and

(iii) by adding at the end the following:

“(8) promoting, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, and the Director of the National Institute of Standards and Technology—

“(A) the use of automation to improve Federal cybersecurity and visibility with respect to the implementation of Federal cybersecurity; and

“(B) the use of presumption of compromise and least privilege principles to improve resiliency and timely response actions to incidents on Federal systems.”;

(B) in subsection (b)—

(i) in the matter preceding paragraph (1), by inserting “and the National Cyber Director” after “Director”; and

(ii) in paragraph (2)(A), by inserting “and reporting requirements under subchapter IV of this chapter” after “section 3556”; and

(C) in subsection (c)—

(i) in the matter preceding paragraph (1)—

(I) by striking “each year” and inserting “each year during which agencies are required to submit reports under section 3554(c)”; and

(II) by striking “preceding year” and inserting “preceding 2 years”;

(ii) by striking paragraph (1);

(iii) by redesignating paragraphs (2), (3), and (4) as paragraphs (1), (2), and (3), respectively;

(iv) in paragraph (3), as so redesignated, by striking “and” at the end;

(v) by inserting after paragraph (3), as so redesignated the following:

“(4) a summary of each assessment of Federal risk posture performed under subsection (i);”; and

(vi) in paragraph (5), by striking the period at the end and inserting “; and”;

(D) by redesignating subsections (i), (j), (k), and (l) as subsections (j), (k), (l), and (m) respectively;

(E) by inserting after subsection (h) the following:

“(i) Federal risk assessments.—On an ongoing and continuous basis, the Director of the Cybersecurity and Infrastructure Security Agency shall perform assessments of Federal risk posture using any available information on the cybersecurity posture of agencies, and brief the Director and National Cyber Director on the findings of those assessments including—

“(1) the status of agency cybersecurity remedial actions described in section 3554(b)(7);

“(2) any vulnerability information relating to the systems of an agency that is known by the agency;

“(3) analysis of incident information under section 3597;

“(4) evaluation of penetration testing performed under section 3559A;

“(5) evaluation of vulnerability disclosure program information under section 3559B;

“(6) evaluation of agency threat hunting results;

“(7) evaluation of Federal and non-Federal cyber threat intelligence;

“(8) data on agency compliance with standards issued under section 11331 of title 40;

“(9) agency system risk assessments performed under section 3554(a)(1)(A); and

“(10) any other information the Director of the Cybersecurity and Infrastructure Security Agency determines relevant.”;

(F) in subsection (j), as so redesignated—

(i) by striking “regarding the specific” and inserting “that includes a summary of—

“(1) the specific”;

(ii) in paragraph (1), as so designated, by striking the period at the end and inserting “; and” and

(iii) by adding at the end the following:

“(2) the trends identified in the Federal risk assessment performed under subsection (i).”; and

(G) by adding at the end the following:

“(n) Binding operational directives.—If the Director of the Cybersecurity and Infrastructure Security Agency issues a binding operational directive or an emergency directive under this section, not later than 4 days after the date on which the binding operational directive requires an agency to take an action, the Director of the Cybersecurity and Infrastructure Security Agency shall provide to the Director, National Cyber Director, the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives the status of the implementation of the binding operational directive at the agency.

“(o) Review of Office of Management and Budget guidance and policy.—

“(1) REVIEW.—

“(A) IN GENERAL.—Not less frequently than once every 3 years, the Director, in consultation with the Chief Information Officers Council, the Director of the Cybersecurity and Infrastructure Security Agency, the National Cyber Director, the Comptroller General of the United States, and the Council of the Inspectors General on Integrity and Efficiency, shall—

“(i) review the efficacy of the guidance and policy developed by the Director under subsection (a)(1) in reducing cybersecurity risks, including an assessment of the requirements for agencies to report information to the Director; and

“(ii) determine whether any changes to the guidance or policy developed under subsection (a)(1) is appropriate.

“(B) CONSIDERATIONS.—In conducting the review required under subparagraph (A), the Director shall consider—

“(i) the Federal risk assessments performed under subsection (i);

“(ii) the cumulative reporting and compliance burden to agencies; and

“(iii) the clarity of the requirements and deadlines contained in guidance and policy documents.

“(2) UPDATED GUIDANCE.—Not later than 90 days after the date on which a review is completed under paragraph (1), the Director shall issue updated guidance or policy to agencies determined appropriate by the Director, based on the results of the review.

“(3) PUBLIC REPORT.—Not later than 30 days after the date on which the Director completes a review under paragraph (1), the Director shall make publicly available a report that includes—

“(A) an overview of the guidance and policy developed under subsection (a)(1) that is in effect;

“(B) the cybersecurity risk mitigation, or other cybersecurity benefit, offered by each guidance or policy described in subparagraph (A);

“(C) a summary of the guidance or policy developed under subsection (a)(1) to which changes were determined appropriate during the review; and

“(D) the changes that are anticipated to be included in the updated guidance or policy issued under paragraph (2).

“(4) CONGRESSIONAL BRIEFING.—Not later than 60 days after the date on which a review is completed under paragraph (1), the Director shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives a briefing on the review.

“(p) Automated standard implementation verification.—When the Director of the National Institute of Standards and Technology issues a proposed standard pursuant to paragraphs (2) or (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(a)), the Director of the National Institute of Standards and Technology shall consider developing and, if appropriate and practical, develop, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, specifications to enable the automated verification of the implementation of the controls within the standard.”;

(3) in section 3554—

(A) in subsection (a)—

(i) in paragraph (1)—

(I) by redesignating subparagraphs (A), (B), and (C) as subparagraphs (B), (C), and (D), respectively;

(II) by inserting before subparagraph (B), as so redesignated, the following:

“(A) on an ongoing and continuous basis, performing agency system risk assessments that—

“(i) identify and document the high value assets of the agency using guidance from the Director;

“(ii) evaluate the data assets inventoried under section 3511 for sensitivity to compromises in confidentiality, integrity, and availability;

“(iii) identify agency systems that have access to or hold the data assets inventoried under section 3511;

“(iv) evaluate the threats facing agency systems and data, including high value assets, based on Federal and non-Federal cyber threat intelligence products, where available;

“(v) evaluate the vulnerability of agency systems and data, including high value assets, including by analyzing—

“(I) the results of penetration testing performed by the Department of Homeland Security under section 3553(b)(9);

“(II) the results of penetration testing performed under section 3559A;

“(III) information provided to the agency through the vulnerability disclosure program of the agency under section 3559B;

“(IV) incidents; and

“(V) any other vulnerability information relating to agency systems that is known to the agency;

“(vi) assess the impacts of potential agency incidents to agency systems, data, and operations based on the evaluations described in clauses (ii) and (iv) and the agency systems identified under clause (iii); and

“(vii) assess the consequences of potential incidents occurring on agency systems that would impact systems at other agencies, including due to interconnectivity between different agency systems or operational reliance on the operations of the system or data in the system;”;

(III) in subparagraph (B), as so redesignated, in the matter preceding clause (i), by striking “providing information” and inserting “using information from the assessment conducted under subparagraph (A), providing information”;

(IV) in subparagraph (C), as so redesignated—

(aa) in clause (ii) by inserting “binding” before “operational”; and

(bb) in clause (vi), by striking “and” at the end; and

(V) by adding at the end the following:

“(E) providing an update on the ongoing and continuous assessment performed under subparagraph (A)—

“(i) upon request, to the inspector general of the agency or the Comptroller General of the United States; and

“(ii) on a periodic basis, as determined by guidance issued by the Director but not less frequently than annually, to—

“(I) the Director;

“(II) the Director of the Cybersecurity and Infrastructure Security Agency; and

“(III) the National Cyber Director;

“(F) in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and not less frequently than once every 3 years, performing an evaluation of whether additional cybersecurity procedures are appropriate for securing a system of, or under the supervision of, the agency, which shall—

“(i) be completed considering the agency system risk assessment performed under subparagraph (A); and

“(ii) include a specific evaluation for high value assets;

“(G) not later than 30 days after completing the evaluation performed under subparagraph (F), providing the evaluation and an implementation plan, if applicable, for using additional cybersecurity procedures determined to be appropriate to—

“(i) the Director of the Cybersecurity and Infrastructure Security Agency;

“(ii) the Director; and

“(iii) the National Cyber Director; and

“(H) if the head of the agency determines there is need for additional cybersecurity procedures, ensuring that those additional cybersecurity procedures are reflected in the budget request of the agency;”;

(ii) in paragraph (2)—

(I) in subparagraph (A), by inserting “in accordance with the agency system risk assessment performed under paragraph (1)(A)” after “information systems”;

(II) in subparagraph (B)—

(aa) by striking “in accordance with standards” and inserting “in accordance with—

“(i) standards”; and

(bb) by adding at the end the following:

“(ii) the evaluation performed under paragraph (1)(F); and

“(iii) the implementation plan described in paragraph (1)(G);”; and

(III) in subparagraph (D), by inserting “, through the use of penetration testing, the vulnerability disclosure program established under section 3559B, and other means,” after “periodically”;

(iii) in paragraph (3)—

(I) in subparagraph (A)—

(aa) in clause (iii), by striking “and” at the end;

(bb) in clause (iv), by adding “and” at the end; and

(cc) by adding at the end the following:

“(v) ensure that—

“(I) senior agency information security officers of component agencies carry out responsibilities under this subchapter, as directed by the senior agency information security officer of the agency or an equivalent official; and

“(II) senior agency information security officers of component agencies report to—

“(aa) the senior information security officer of the agency or an equivalent official; and

“(bb) the Chief Information Officer of the component agency or an equivalent official;”; and

(iv) in paragraph (5), by inserting “and the Director of the Cybersecurity and Infrastructure Security Agency” before “on the effectiveness”;

(B) in subsection (b)—

(i) by striking paragraph (1) and inserting the following:

“(1) pursuant to subsection (a)(1)(A), performing ongoing and continuous agency system risk assessments, which may include using guidelines and automated tools consistent with standards and guidelines promulgated under section 11331 of title 40, as applicable;”;

(ii) in paragraph (2)—

(I) by striking subparagraph (B) and inserting the following:

“(B) comply with the risk-based cyber budget model developed pursuant to section 3553(a)(7);”; and

(II) in subparagraph (D)—

(aa) by redesignating clauses (iii) and (iv) as clauses (iv) and (v), respectively;

(bb) by inserting after clause (ii) the following:

“(iii) binding operational directives and emergency directives promulgated by the Director of the Cybersecurity and Infrastructure Security Agency under section 3553;”; and

(cc) in clause (iv), as so redesignated, by striking “as determined by the agency; and” and inserting “as determined by the agency, considering the agency risk assessment performed under subsection (a)(1)(A); and

(iii) in paragraph (5)(A), by inserting “, including penetration testing, as appropriate,” after “shall include testing”;

(iv) in paragraph (6), by striking “planning, implementing, evaluating, and documenting” and inserting “planning and implementing and, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, evaluating and documenting”;

(v) by redesignating paragraphs (7) and (8) as paragraphs (8) and (9), respectively;

(vi) by inserting after paragraph (6) the following:

“(7) a process for providing the status of every remedial action and unremediated identified system vulnerability to the Director and the Director of the Cybersecurity and Infrastructure Security Agency, using automation and machine-readable data to the greatest extent practicable;”; and

(vii) in paragraph (8)(C), as so redesignated—

(I) by striking clause (ii) and inserting the following:

“(ii) notifying and consulting with the Federal information security incident center established under section 3556 pursuant to the requirements of section 3594;”;

(II) by redesignating clause (iii) as clause (iv);

(III) by inserting after clause (ii) the following:

“(iii) performing the notifications and other activities required under subchapter IV of this chapter; and”; and

(IV) in clause (iv), as so redesignated—

(aa) in subclause (I), by striking “and relevant offices of inspectors general”;

(bb) in subclause (II), by adding “and” at the end;

(cc) by striking subclause (III); and

(dd) by redesignating subclause (IV) as subclause (III);

(C) in subsection (c)—

(i) by redesignating paragraph (2) as paragraph (5);

(ii) by striking paragraph (1) and inserting the following:

“(1) BIANNUAL REPORT.—Not later than 2 years after the date of enactment of the Federal Information Security Modernization Act of 2022 and not less frequently than once every 2 years thereafter, using the continuous and ongoing agency system risk assessment under subsection (a)(1)(A), the head of each agency shall submit to the Director, the Director of the Cybersecurity and Infrastructure Security Agency, the majority and minority leaders of the Senate, the Speaker and minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Oversight and Reform of the House of Representatives, the Committee on Homeland Security of the House of Representatives, the Committee on Commerce, Science, and Transportation of the Senate, the Committee on Science, Space, and Technology of the House of Representatives, the appropriate authorization and appropriations committees of Congress, the National Cyber Director, and the Comptroller General of the United States a report that—

“(A) summarizes the agency system risk assessment performed under subsection (a)(1)(A);

“(B) evaluates the adequacy and effectiveness of information security policies, procedures, and practices of the agency to address the risks identified in the agency system risk assessment performed under subsection (a)(1)(A), including an analysis of the agency’s cybersecurity and incident response capabilities using the metrics established under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c));

“(C) summarizes the evaluation and implementation plans described in subparagraphs (F) and (G) of subsection (a)(1) and whether those evaluation and implementation plans call for the use of additional cybersecurity procedures determined to be appropriate by the agency; and

“(D) summarizes the status of remedial actions identified by inspector general of the agency, the Comptroller General of the United States, and any other source determined appropriate by the head of the agency.

“(2) UNCLASSIFIED REPORTS.—Each report submitted under paragraph (1)—

“(A) shall be, to the greatest extent practicable, in an unclassified and otherwise uncontrolled form; and

“(B) may include a classified annex.

“(3) ACCESS TO INFORMATION.—The head of an agency shall ensure that, to the greatest extent practicable, information is included in the unclassified form of the report submitted by the agency under paragraph (2)(A).

“(4) BRIEFINGS.—During each year during which a report is not required to be submitted under paragraph (1), the Director shall provide to the congressional committees described in paragraph (1) a briefing summarizing current agency and Federal risk postures.”; and

(iii) in paragraph (5), as so redesignated, by striking the period at the end and inserting “, including the reporting procedures established under section 11315(d) of title 40 and subsection (a)(3)(A)(v) of this section”; and

(D) in subsection (d)(1), in the matter preceding subparagraph (A), by inserting “and the National Cyber Director” after “the Director”; and

(E) by adding at the end the following:

“(f) Reporting structure exemption.—

“(1) IN GENERAL.—On an annual basis, the Director may exempt an agency from the reporting structure requirement under subsection (a)(3)(A)(v)(II).

“(2) REPORT.—On an annual basis, the Director shall submit a report to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives that includes a list of each exemption granted under paragraph (1) and the associated rationale for each exemption.

“(3) COMPONENT OF OTHER REPORT.—The report required under paragraph (2) may be incorporated into any other annual report required under this chapter.”;

(4) in section 3555—

(A) in the section heading, by striking “Annual independent” and inserting “Independent”;

(B) in subsection (a)—

(i) in paragraph (1), by inserting “during which a report is required to be submitted under section 3553(c),” after “Each year”;

(ii) in paragraph (2)(A), by inserting “, including by penetration testing and analyzing the vulnerability disclosure program of the agency” after “information systems”; and

(iii) by adding at the end the following:

“(3) An evaluation under this section may include recommendations for improving the cybersecurity posture of the agency.”;

(C) in subsection (b)(1), by striking “annual”;

(D) in subsection (e)(1), by inserting “during which a report is required to be submitted under section 3553(c)” after “Each year”;

(E) by striking subsection (f) and inserting the following:

“(f) Protection of information.— (1) Agencies, evaluators, and other recipients of information that, if disclosed, may cause grave harm to the efforts of Federal information security officers, shall take appropriate steps to ensure the protection of that information, including safeguarding the information from public disclosure.

“(2) The protections required under paragraph (1) shall be commensurate with the risk and comply with all applicable laws and regulations.

“(3) With respect to information that is not related to national security systems, agencies and evaluators shall make a summary of the information unclassified and publicly available, including information that does not identify—

“(A) specific information system incidents; or

“(B) specific information system vulnerabilities.”;

(F) in subsection (g)(2)—

(i) by striking “this subsection shall” and inserting “this subsection—

“(A) shall”;

(ii) in subparagraph (A), as so designated, by striking the period at the end and inserting “; and”; and

(iii) by adding at the end the following:

“(B) identify any entity that performs an independent evaluation under subsection (b).”; and

(G) by striking subsection (j) and inserting the following:

“(j) Guidance.—

“(1) IN GENERAL.—The Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, the Chief Information Officers Council, the Council of the Inspectors General on Integrity and Efficiency, and other interested parties as appropriate, shall ensure the development of risk-based guidance for evaluating the effectiveness of an information security program and practices

“(2) PRIORITIES.—The risk-based guidance developed under paragraph (1) shall include—

“(A) the identification of the most common successful threat patterns experienced by each agency;

“(B) the identification of security controls that address the threat patterns described in subparagraph (A);

“(C) any other security risks unique to the networks of each agency; and

“(D) any other element the Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the Council of the Inspectors General on Integrity and Efficiency, determines appropriate.”; and

(5) in section 3556(a)—

(A) in the matter preceding paragraph (1), by inserting “within the Cybersecurity and Infrastructure Security Agency” after “incident center”; and

(B) in paragraph (4), by striking “3554(b)” and inserting “3554(a)(1)(A)”.

(d) Conforming amendments.—

(1) TABLE OF SECTIONS.—The table of sections for chapter 35 of title 44, United States Code, is amended by striking the item relating to section 3555 and inserting the following:

“3555. Independent evaluation”.

(2) OMB REPORTS.—Section 226(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1524(c)) is amended—

(A) in paragraph (1)(B), in the matter preceding clause (i), by striking “annually thereafter” and inserting “thereafter during the years during which a report is required to be submitted under section 3553(c) of title 44, United States Code”; and

(B) in paragraph (2)(B), in the matter preceding clause (i)—

(i) by striking “annually thereafter” and inserting “thereafter during the years during which a report is required to be submitted under section 3553(c) of title 44, United States Code”; and

(ii) by striking “the report required under section 3553(c) of title 44, United States Code” and inserting “that report”.

(3) NIST RESPONSIBILITIES.—Section 20(d)(3)(B) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(d)(3)(B)) is amended by striking “annual”.

(e) Federal system incident response.—

(1) IN GENERAL.—Chapter 35 of title 44, United States Code, is amended by adding at the end the following:

(2) CLERICAL AMENDMENT.—The table of sections for chapter 35 of title 44, United States Code, is amended by adding at the end the following:

(a) Modernizing Government Technology.—Subtitle G of title X of Division A of the National Defense Authorization Act for Fiscal Year 2018 (40 U.S.C. 11301 note) is amended in section 1078—

(1) by striking subsection (a) and inserting the following:

“(a) Definitions.—In this section:

“(1) AGENCY.—The term ‘agency’ has the meaning given the term in section 551 of title 5, United States Code.

“(2) HIGH VALUE ASSET.—The term ‘high value asset’ has the meaning given the term in section 3552 of title 44, United States Code.”;

(2) in subsection (b), by adding at the end the following:

“(8) PROPOSAL EVALUATION.—The Director shall—

“(A) give consideration for the use of amounts in the Fund to improve the security of high value assets; and

“(B) require that any proposal for the use of amounts in the Fund includes a cybersecurity plan, including a supply chain risk management plan, to be reviewed by the member of the Technology Modernization Board described in subsection (c)(5)(C).”; and

(3) in subsection (c)—

(A) in paragraph (2)(A)(i), by inserting “, including a consideration of the impact on high value assets” after “operational risks”;

(B) in paragraph (5)—

(i) in subparagraph (A), by striking “and” at the end;

(ii) in subparagraph (B), by striking the period at the end and inserting “and”; and

(iii) by adding at the end the following:

“(C) a senior official from the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, appointed by the Director.”; and

(C) in paragraph (6)(A), by striking “shall be—” and all that follows through “4 employees” and inserting “shall be 4 employees”.

(b) Subchapter I.—Subchapter I of chapter 113 of subtitle III of title 40, United States Code, is amended—

(1) in section 11302—

(A) in subsection (b), by striking “use, security, and disposal of” and inserting “use, and disposal of, and, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director, promote and improve the security of,”;

(B) in subsection (c)—

(i) in paragraph (3)—

(I) in subparagraph (A)—

(aa) by striking “including data” and inserting “which shall—

“(i) include data”; and

(bb) by adding at the end the following:

“(ii) specifically denote cybersecurity funding under the risk-based cyber budget model developed pursuant to section 3553(a)(7) of title 44.”; and

(II) in subparagraph (B), by adding at the end the following:

“(iii) The Director shall provide to the National Cyber Director any cybersecurity funding information described in subparagraph (A)(ii) that is provided to the Director under clause (ii) of this subparagraph.”;

(C) in subsection (f)—

(i) by striking “heads of executive agencies to develop” and inserting “heads of executive agencies to—

“(1) develop”;

(ii) in paragraph (1), as so designated, by striking the period at the end and inserting “; and”; and

(iii) by adding at the end the following:

“(2) consult with the Director of the Cybersecurity and Infrastructure Security Agency for the development and use of supply chain security best practices.”; and

(D) in subsection (h), by inserting “, including cybersecurity performances,” after “the performances”; and

(2) in section 11303(b)—

(A) in paragraph (2)(B)—

(i) in clause (i), by striking “or” at the end;

(ii) in clause (ii), by adding “or” at the end; and

(iii) by adding at the end the following:

“(iii) whether the function should be performed by a shared service offered by another executive agency;”; and

(B) in paragraph (5)(B)(i), by inserting “, while taking into account the risk-based cyber budget model developed pursuant to section 3553(a)(7) of title 44” after “title 31”.

(c) Subchapter II.—Subchapter II of chapter 113 of subtitle III of title 40, United States Code, is amended—

(1) in section 11312(a), by inserting “, including security risks” after “managing the risks”;

(2) in section 11313(1), by striking “efficiency and effectiveness” and inserting “efficiency, security, and effectiveness”;

(3) in section 11315, by adding at the end the following:

“(d) Component agency chief information officers.—The Chief Information Officer or an equivalent official of a component agency shall report to—

“(1) the Chief Information Officer designated under section 3506(a)(2) of title 44 or an equivalent official of the agency of which the component agency is a component; and

“(2) the head of the component agency.

“(e) Reporting structure exemption.—

“(1) IN GENERAL.—On annual basis, the Director may exempt any agency from the reporting structure requirements under subsection (d).

“(2) REPORT.—On an annual basis, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives a report that includes a list of each exemption granted under paragraph (1) and the associated rationale for each exemption.

“(3) COMPONENT OF OTHER REPORT.—The report required under paragraph (2) may be incorporated into any other annual report required under chapter 35 of title 44, United States Code.”;

(4) in section 11317, by inserting “security,” before “or schedule”; and

(5) in section 11319(b)(1), in the paragraph heading, by striking “CIOS” and inserting “Chief Information Officers”.

(a) Responsibilities of the cybersecurity and infrastructure security agency.—

(1) IN GENERAL.—Not later than 180 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall—

(A) develop a plan for the development of the analysis required under section 3597(a) of title 44, United States Code, as added by this title, and the report required under subsection (b) of that section that includes—

(i) a description of any challenges the Director of the Cybersecurity and Infrastructure Security Agency anticipates encountering; and

(ii) the use of automation and machine-readable formats for collecting, compiling, monitoring, and analyzing data; and

(B) provide to the appropriate congressional committees a briefing on the plan developed under subparagraph (A).

(2) BRIEFING.—Not later than 1 year after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall provide to the appropriate congressional committees a briefing on—

(A) the execution of the plan required under paragraph (1)(A); and

(B) the development of the report required under section 3597(b) of title 44, United States Code, as added by this title.

(b) Responsibilities of the director of the office of management and budget.—

(1) FISMA.—Section 2 of the Federal Information Security Modernization Act of 2014 (44 U.S.C. 3554 note) is amended—

(A) by striking subsection (b); and

(B) by redesignating subsections (c) through (f) as subsections (b) through (e), respectively.

(2) INCIDENT DATA SHARING.—

(A) IN GENERAL.—The Director shall develop guidance, to be updated not less frequently than once every 2 years, on the content, timeliness, and format of the information provided by agencies under section 3594(a) of title 44, United States Code, as added by this title.

(B) REQUIREMENTS.—The guidance developed under subparagraph (A) shall—

(i) prioritize the availability of data necessary to understand and analyze—

(I) the causes of incidents;

(II) the scope and scale of incidents within the environments and systems of an agency;

(III) a root cause analysis of incidents that—

(aa) are common across the Federal Government; or

(bb) have a Government-wide impact;

(IV) agency response, recovery, and remediation actions and the effectiveness of those actions; and

(V) the impact of incidents;

(ii) enable the efficient development of—

(I) lessons learned and recommendations in responding to, recovering from, remediating, and mitigating future incidents; and

(II) the report on Federal incidents required under section 3597(b) of title 44, United States Code, as added by this title;

(iii) include requirements for the timeliness of data production; and

(iv) include requirements for using automation and machine-readable data for data sharing and availability.

(3) GUIDANCE ON RESPONDING TO INFORMATION REQUESTS.—Not later than 1 year after the date of enactment of this Act, the Director shall develop guidance for agencies to implement the requirement under section 3594(c) of title 44, United States Code, as added by this title, to provide information to other agencies experiencing incidents.

(4) STANDARD GUIDANCE AND TEMPLATES.—Not later than 1 year after the date of enactment of this Act, the Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall develop guidance and templates, to be reviewed and, if necessary, updated not less frequently than once every 2 years, for use by Federal agencies in the activities required under sections 3592, 3593, and 3596 of title 44, United States Code, as added by this title.

(5) CONTRACTOR AND AWARDEE GUIDANCE.—

(A) IN GENERAL.—Not later than 1 year after the date of enactment of this Act, the Director, in coordination with the Secretary of Homeland Security, the Secretary of Defense, the Administrator of General Services, and the heads of other agencies determined appropriate by the Director, shall issue guidance to Federal agencies on how to deconflict, to the greatest extent practicable, existing regulations, policies, and procedures relating to the responsibilities of contractors and awardees established under section 3595 of title 44, United States Code, as added by this title.

(B) EXISTING PROCESSES.—To the greatest extent practicable, the guidance issued under subparagraph (A) shall allow contractors and awardees to use existing processes for notifying Federal agencies of incidents involving information of the Federal Government.

(6) UPDATED BRIEFINGS.—Not less frequently than once every 2 years, the Director shall provide to the appropriate congressional committees an update on the guidance and templates developed under paragraphs (2) through (4).

(c) Update to the privacy act of 1974.—Section 552a(b) of title 5, United States Code (commonly known as the “Privacy Act of 1974”) is amended—

(1) in paragraph (11), by striking “or” at the end;

(2) in paragraph (12), by striking the period at the end and inserting “; or”; and

(3) by adding at the end the following:

“(13) to another agency in furtherance of a response to an incident (as defined in section 3552 of title 44) and pursuant to the information sharing requirements in section 3594 of title 44 if the head of the requesting agency has made a written request to the agency that maintains the record specifying the particular portion desired and the activity for which the record is sought.”.

Not later than 1 year after the date of enactment of this Act, the Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency, shall issue guidance for agencies on—

(1) performing the ongoing and continuous agency system risk assessment required under section 3554(a)(1)(A) of title 44, United States Code, as amended by this title;

(2) implementing additional cybersecurity procedures, which shall include resources for shared services;

(3) establishing a process for providing the status of each remedial action under section 3554(b)(7) of title 44, United States Code, as amended by this title, to the Director and the Cybersecurity and Infrastructure Security Agency using automation and machine-readable data, as practicable, which shall include—

(A) specific guidance for the use of automation and machine-readable data; and

(B) templates for providing the status of the remedial action; and

(4) a requirement to coordinate with inspectors general of agencies to ensure consistent understanding and application of agency policies for the purpose of evaluations by inspectors general.

(a) Definitions.—In this section:

(1) REPORTING ENTITY.—The term “reporting entity” means private organization or governmental unit that is required by statute or regulation to submit sensitive information to an agency.

(2) SENSITIVE INFORMATION.—The term “sensitive information” has the meaning given the term by the Director in guidance issued under subsection (b).

(b) Guidance on notification of reporting entities.—Not later than 180 days after the date of enactment of this Act, the Director shall issue guidance requiring the head of each agency to notify a reporting entity of an incident that is likely to substantially affect—

(1) the confidentiality or integrity of sensitive information submitted by the reporting entity to the agency pursuant to a statutory or regulatory requirement; or

(2) the agency information system or systems used in the transmission or storage of the sensitive information described in paragraph (1).

(a) In general.—Not later than 1 year after the date of enactment of this Act, the Director shall—

(1) evaluate mobile application security guidance promulgated by the Director; and

(2) issue guidance to secure mobile devices, including for mobile applications, for every agency.

(b) Contents.—The guidance issued under subsection (a)(2) shall include—

(1) a requirement, pursuant to section 3506(b)(4) of title 44, United States Code, for every agency to maintain a continuous inventory of every—

(A) mobile device operated by or on behalf of the agency; and

(B) vulnerability identified by the agency associated with a mobile device; and

(2) a requirement for every agency to perform continuous evaluation of the vulnerabilities described in paragraph (1)(B) and other risks associated with the use of applications on mobile devices.

(c) Information sharing.—The Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall issue guidance to agencies for sharing the inventory of the agency required under subsection (b)(1) with the Director of the Cybersecurity and Infrastructure Security Agency, using automation and machine-readable data to the greatest extent practicable.

(d) Briefing.—Not later than 60 days after the date on which the Director issues guidance under subsection (a)(2), the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall provide to the appropriate congressional committees a briefing on the guidance.

(a) Recommendations.—Not later than 2 years after the date of enactment of this Act, and not less frequently than every 2 years thereafter, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Attorney General, shall submit to the Director recommendations on requirements for logging events on agency systems and retaining other relevant data within the systems and networks of an agency.

(b) Contents.—The recommendations provided under subsection (a) shall include—

(1) the types of logs to be maintained;

(2) the duration that logs and other relevant data should be retained;

(3) the time periods for agency implementation of recommended logging and security requirements;

(4) how to ensure the confidentiality, integrity, and availability of logs;

(5) requirements to ensure that, upon request, in a manner that excludes or otherwise reasonably protects personally identifiable information, and to the extent permitted by applicable law (including privacy and statistical laws), agencies provide logs to—

(A) the Director of the Cybersecurity and Infrastructure Security Agency for a cybersecurity purpose; and

(B) the Director of the Federal Bureau of Investigation, or the appropriate Federal law enforcement agency, to investigate potential criminal activity; and

(6) requirements to ensure that, subject to compliance with statistical laws and other relevant data protection requirements, the highest level security operations center of each agency has visibility into all agency logs.

(c) Guidance.—Not later than 90 days after receiving the recommendations submitted under subsection (a), the Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the Attorney General, shall, as determined to be appropriate by the Director, update guidance to agencies regarding requirements for logging, log retention, log management, sharing of log data with other appropriate agencies, or any other logging activity determined to be appropriate by the Director.

(d) Sunset.—This section shall cease to have force or effect on the date that is 10 years after the date of the enactment of this Act.

(a) In general.—Not later than 120 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall assign not less than 1 cybersecurity professional employed by the Cybersecurity and Infrastructure Security Agency to be the Cybersecurity and Infrastructure Security Agency advisor to the senior agency information security officer of each agency.

(b) Qualifications.—Each advisor assigned under subsection (a) shall have knowledge of—

(1) cybersecurity threats facing agencies, including any specific threats to the assigned agency;

(2) performing risk assessments of agency systems; and

(3) other Federal cybersecurity initiatives.

(c) Duties.—The duties of each advisor assigned under subsection (a) shall include—

(1) providing ongoing assistance and advice, as requested, to the agency Chief Information Officer;

(2) serving as an incident response point of contact between the assigned agency and the Cybersecurity and Infrastructure Security Agency; and

(3) familiarizing themselves with agency systems, processes, and procedures to better facilitate support to the agency in responding to incidents.

(d) Limitation.—An advisor assigned under subsection (a) shall not be a contractor.

(e) Multiple assignments.—One individual advisor may be assigned to multiple agency Chief Information Officers under subsection (a).

(a) In general.—Subchapter II of chapter 35 of title 44, United States Code, is amended by adding at the end the following:

(b) Deadline for guidance.—Not later than 180 days after the date of enactment of this Act, the Director shall issue the guidance required under section 3559A(b) of title 44, United States Code, as added by subsection (a).

(c) Clerical amendment.—The table of sections for chapter 35 of title 44, United States Code, is amended by adding after the item relating to section 3559 the following:

“3559A. Federal penetration testing.”.

(d) Sunset.—

(1) IN GENERAL.—Effective on the date that is 10 years after the date of enactment of this Act, subchapter II of chapter 35 of title 44, United States Code, is amended by striking section 3559A.

(2) CLERICAL AMENDMENT.—Effective on the date that is 10 years after the date of enactment of this Act, the table of sections for chapter 35 of title 44, United States Code, is amended by striking the item relating to section 3559A.

(a) Threat hunting program.—

(1) IN GENERAL.—Not later than 540 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall establish a program to provide ongoing, hypothesis-driven threat-hunting services on the network of each agency.

(2) PLAN.—Not later than 180 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall develop a plan to establish the program required under paragraph (1) that describes how the Director of the Cybersecurity and Infrastructure Security Agency plans to—

(A) determine the method for collecting, storing, accessing, analyzing, and safeguarding appropriate agency data;

(B) provide on-premises support to agencies;

(C) staff threat hunting services;

(D) allocate available human and financial resources to implement the plan; and

(E) provide input to the heads of agencies on the use of additional cybersecurity procedures under section 3554 of title 44, United States Code.

(b) Reports.—The Director of the Cybersecurity and Infrastructure Security Agency shall submit to the appropriate congressional committees—

(1) not later than 30 days after the date on which the Director of the Cybersecurity and Infrastructure Security Agency completes the plan required under subsection (a)(2), a report on the plan to provide threat hunting services to agencies;

(2) not less than 30 days before the date on which the Director of the Cybersecurity and Infrastructure Security Agency begins providing threat hunting services under the program under subsection (a)(1), a report providing any updates to the plan developed under subsection (a)(2); and

(3) not later than 1 year after the date on which the Director of the Cybersecurity and Infrastructure Security Agency begins providing threat hunting services to agencies other than the Cybersecurity and Infrastructure Security Agency, a report describing lessons learned from providing those services.

(a) In general.—Chapter 35 of title 44, United States Code, is amended by inserting after section 3559A, as added by section 111 of this title, the following:

(b) Clerical amendment.—The table of sections for chapter 35 of title 44, United States Code, is amended by adding after the item relating to section 3559A, as added by section 111, the following:

“3559B. Federal vulnerability disclosure programs.”.

(c) Sunset.—

(1) IN GENERAL.—Effective on the date that is 10 years after the date of enactment of this Act, subchapter II of chapter 35 of title 44, United States Code, is amended by striking section 3559B.

(2) CLERICAL AMENDMENT.—Effective on the date that is 10 years after the date of enactment of this Act, the table of sections for chapter 35 of title 44, United States Code, is amended by striking the item relating to section 3559B.

(a) Guidance.—Not later than 18 months after the date of enactment of this Act, the Director shall provide an update to the appropriate congressional committees on progress in increasing the internal defenses of agency systems, including—

(1) shifting away from “trusted networks” to implement security controls based on a presumption of compromise;

(2) implementing principles of least privilege in administering information security programs;

(3) limiting the ability of entities that cause incidents to move laterally through or between agency systems;

(4) identifying incidents quickly;

(5) isolating and removing unauthorized entities from agency systems as quickly as practicable, accounting for intelligence or law enforcement purposes;

(6) otherwise increasing the resource costs for entities that cause incidents to be successful; and

(7) a summary of the agency progress reports required under subsection (b).

(b) Agency progress reports.—Not later than 270 days after the date of enactment of this Act, the head of each agency shall submit to the Director a progress report on implementing an information security program based on the presumption of compromise and least privilege principles, which shall include—

(1) a description of any steps the agency has completed, including progress toward achieving requirements issued by the Director, including the adoption of any models or reference architecture;

(2) an identification of activities that have not yet been completed and that would have the most immediate security impact; and

(3) a schedule to implement any planned activities.

(a) OMB report.—Not later than 180 days after the date of enactment of this Act, the Director shall provide to the appropriate congressional committees an update on the use of automation under paragraphs (1), (5)(C), and (8)(B) of section 3554(b) of title 44, United States Code.

(b) GAO report.—Not later than 1 year after the date of enactment of this Act, the Comptroller General of the United States shall perform a study on the use of automation and machine readable data across the Federal Government for cybersecurity purposes, including the automated updating of cybersecurity tools, sensors, or processes by agencies.

(a) Extension.—Section 1328 of title 41, United States Code, is amended by striking “the date that” and all that follows and inserting “December 31, 2026.”.

(b) Requirement.—Subsection 1326(b) of title 41, United States Code, is amended—

(1) in paragraph (5), by striking “and” at the end;

(2) by redesignating paragraph (6) as paragraph (7); and

(3) by inserting after paragraph (5) the following:

“(6) maintaining an up-to-date and accurate inventory of software in use by the agency and, if available and applicable, the components of such software, that can be communicated at the request of the Federal Acquisition Security Council, the National Cyber Director, or the Secretary of Homeland Security, acting through the Director of Cybersecurity and Infrastructure Security Agency; and”.

(a) Dashboard required.—Section 11(e)(2) of the Inspector General Act of 1978 (5 U.S.C. App.) is amended—

(1) in subparagraph (A), by striking “and” at the end;

(2) by redesignating subparagraph (B) as subparagraph (C); and

(3) by inserting after subparagraph (A) the following:

“(B) that shall include a dashboard of open information security recommendations identified in the independent evaluations required by section 3555(a) of title 44, United States Code; and”.

(a) Definition of covered metrics.—In this section, the term “covered metrics” means the metrics established, reviewed, and updated under section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)).

(b) Updating and establishing metrics.—Not later than 1 year after the date of enactment of this Act, and as appropriate thereafter, the Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director, shall—

(1) evaluate any covered metrics established as of the date of enactment of this Act; and

(2) as appropriate and pursuant to section 224(c) of the Cybersecurity Act of 2015 (6 U.S.C. 1522(c)) update or establish new covered metrics.

(c) Implementation.—

(1) IN GENERAL.—Not later than 540 days after the date of enactment of this Act, the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, shall promulgate guidance that requires each agency to use covered metrics to track trends in the cybersecurity and incident response capabilities of the agency.

(2) PERFORMANCE DEMONSTRATION.—The guidance issued under paragraph (1) and any subsequent guidance shall require agencies to share with the Director of the Cybersecurity and Infrastructure Security Agency data demonstrating the performance of the agency using the covered metrics included in the guidance.

(3) PENETRATION TESTS.—On not less than 2 occasions during the 2-year period following the date on which guidance is promulgated under paragraph (1), the Director shall ensure that not less than 3 agencies are subjected to substantially similar penetration tests, as determined by the Director, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, in order to validate the utility of the covered metrics.

(4) ANALYSIS CAPACITY.—The Director of the Cybersecurity and Infrastructure Security Agency shall develop a capability that allows for the analysis of the covered metrics, including cross-agency performance of agency cybersecurity and incident response capability trends.

(5) TIME-BASED METRIC.—With respect the first update or establishment of covered metrics required under subsection (b)(2), the Director of the Cybersecurity and Infrastructure Security Agency shall establish covered metrics that include not less than 1 metric addressing the time it takes for agencies to identify and respond to incidents.

(d) Congressional reports.—Not later than 1 year after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director, shall submit to the appropriate congressional committees a report on the utility and use of the covered metrics.

(a) Definitions.—In this section:

(1) APPROPRIATE CONGRESSIONAL COMMITTEES.—The term “appropriate congressional committees” means—

(A) the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate; and

(B) the Committee on Oversight and Reform, the Committee on Homeland Security, and the Committee on Appropriations of the House of Representatives.

(2) COVERED AGENCY.—The term “covered agency” has the meaning given the term “executive agency” in section 133 of title 41, United States Code.

(3) DIRECTOR.—The term “Director” means the Director of the Office of Management and Budget.

(4) INFORMATION TECHNOLOGY.—The term “information technology”—

(A) has the meaning given the term in section 11101 of title 40, United States Code; and

(B) includes the hardware and software systems of a Federal agency that monitor and control physical equipment and processes of the Federal agency.

(5) RISK-BASED BUDGET.—The term “risk-based budget” means a budget—

(A) developed by identifying and prioritizing cybersecurity risks and vulnerabilities, including impact on agency operations in the case of a cyber attack, through analysis of cyber threat intelligence, incident data, and tactics, techniques, procedures, and capabilities of cyber threats; and

(B) that allocates resources based on the risks identified and prioritized under subparagraph (A).

(b) Establishment of risk-based budget model.—

(1) IN GENERAL.—

(A) MODEL.—Not later than 1 year after the first publication of the budget submitted by the President under section 1105 of title 31, United States Code, following the date of enactment of this Act, the Director, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director and in coordination with the Director of the National Institute of Standards and Technology, shall develop a standard model for informing a risk-based budget for cybersecurity spending.

(B) RESPONSIBILITY OF DIRECTOR.—Section 3553(a) of title 44, United States Code, as amended by section 103 of this title, is further amended by inserting after paragraph (6) the following:

“(7) developing a standard risk-based budget model to inform Federal agency cybersecurity budget development; and”.

(C) CONTENTS OF MODEL.—The model required to be developed under subparagraph (A) shall utilize appropriate information to evaluate risk, including, as determined appropriate by the Director—

(i) Federal and non-Federal cyber threat intelligence products, where available, to identify threats, vulnerabilities, and risks;

(ii) analysis of the impact of agency operations of compromise of systems, including the interconnectivity to other agency systems and the operations of other agencies; and

(iii) to the greatest extent practicable, analysis of where resources should be allocated to have the greatest impact on mitigating current and future threats and current and future cybersecurity capabilities.

(D) USE OF MODEL.—The model required to be developed under subparagraph (A) shall be used to—

(i) inform acquisition and sustainment of—

(I) information technology and cybersecurity tools;

(II) information technology and cybersecurity architectures;

(III) information technology and cybersecurity personnel; and

(IV) cybersecurity and information technology concepts of operations; and

(ii) evaluate and inform Government-wide cybersecurity programs.

(E) MODEL VARIATION.—The Director may develop multiple models under subparagraph (A) based on different agency characteristics, such as size or cybersecurity maturity.

(F) REQUIRED UPDATES.—Not less frequently than once every 3 years, the Director shall review, and update as necessary, the model required to be developed under subparagraph (A).

(G) PUBLICATION.—Not earlier than 5 years after the date on which the model developed under subparagraph (A) is completed, the Director shall, taking into account any classified or sensitive information, publish the model, and any updates necessary under subparagraph (F), on the public website of the Office of Management and Budget.

(H) REPORTS.—Not later than 2 years after the first publication of the budget submitted by the President under section 1105 of title 31, United States Code, following the date of enactment of this Act, and annually thereafter for each of the 2 following fiscal years or until the date on which the model required to be developed under subparagraph (A) is completed, whichever is sooner, the Director shall submit to the appropriate congressional committees a report on the development of the model.

(2) PHASED IMPLEMENTATION OF RISK-BASED BUDGET MODEL.—

(A) INITIAL PHASE.—

(i) IN GENERAL.—Not later than 2 years after the date on which the model developed under paragraph (1) is completed, the Director shall require not less than 5 covered agencies to use the model to inform the development of the annual cybersecurity and information technology budget requests of those covered agencies.

(ii) BRIEFING.—Not later than 1 year after the date on which the covered agencies selected under clause (i) begin using the model developed under paragraph (1), the Director shall provide to the appropriate congressional committees a briefing on implementation of risk-based budgeting for cybersecurity spending, an assessment of agency implementation, and an evaluation of whether the risk-based budget helps to mitigate cybersecurity vulnerabilities.

(B) FULL DEPLOYMENT.—Not later than 5 years after the date on which the model developed under paragraph (1) is completed, the head of each covered agency shall use the model, or any updated model pursuant to paragraph (1)(F), to the greatest extent practicable, to inform the development of the annual cybersecurity and information technology budget requests of the covered agency.

(C) AGENCY PERFORMANCE PLANS.—

(i) AMENDMENT.—Section 3554(d)(2) of title 44, United States Code, is amended by inserting “and the risk-based budget model required under section 3553(a)(7)” after “paragraph (1)”.

(ii) EFFECTIVE DATE.—The amendment made by clause (i) shall take effect on the date that is 5 years after the date on which the model developed under paragraph (1) is completed.

(3) VERIFICATION.—

(A) IN GENERAL.—Section 1105(a)(35)(A)(i) of title 31, United States Code, is amended—

(i) in the matter preceding subclause (I), by striking “by agency, and by initiative area (as determined by the administration)” and inserting “and by agency”;

(ii) in subclause (III), by striking “and” at the end; and

(iii) by adding at the end the following:

“(V) a validation that the budgets submitted were informed by using a risk-based methodology; and

“(VI) a report on the progress of each agency on closing recommendations identified under the independent evaluation required by section 3555(a)(1) of title 44.”.

(B) EFFECTIVE DATE.—The amendments made by subparagraph (A) shall take effect on the date that is 5 years after the date on which the model developed under paragraph (1) is completed.

(4) REPORTS.—

(A) INDEPENDENT EVALUATION.—Section 3555(a)(2) of title 44, United States Code, is amended—

(i) in subparagraph (B), by striking “and” at the end;

(ii) in subparagraph (C), by striking the period at the end and inserting “; and”; and

(iii) by adding at the end the following:

“(D) an assessment of how the agency was informed by the risk-based budget model required under section 3553(a)(7) and an evaluation of whether the model mitigates agency cyber vulnerabilities.”.

(B) ASSESSMENT.—

(i) AMENDMENT.—Section 3553(c) of title 44, United States Code, as amended by section 103 of this title, is further amended by inserting after paragraph (5) the following:

“(6) an assessment of—

“(A) Federal agency utilization of the model required under subsection (a)(7); and

“(B) whether the model mitigates the cyber vulnerabilities of the Federal Government.”.

(ii) EFFECTIVE DATE.—The amendment made by clause (i) shall take effect on the date that is 5 years after the date on which the model developed under paragraph (1) is completed.

(5) GAO REPORT.—Not later than 3 years after the date on which the first budget of the President is submitted to Congress containing the validation required under section 1105(a)(35)(A)(i)(V) of title 31, United States Code, as amended by paragraph (3), the Comptroller General of the United States shall submit to the appropriate congressional committees a report that includes—

(A) an evaluation of the success of covered agencies in utilizing the risk-based budget model;

(B) an evaluation of the success of covered agencies in implementing risk-based budgets;

(C) an evaluation of whether the risk-based budgets developed by covered agencies are effective at informing Federal Government-wide cybersecurity programs; and

(D) any other information relating to risk-based budgets the Comptroller General determines appropriate.

(a) Definition.—In this section, the term “active defense technique”—

(1) means an action taken on the systems of an entity to increase the security of information on the network of an agency by misleading an adversary; and

(2) includes a honeypot, deception, or purposefully feeding false or misleading data to an adversary when the adversary is on the systems of the entity.

(b) Study.—Not later than 180 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency, in coordination with the Director and the National Cyber Director, shall perform a study on the use of active defense techniques to enhance the security of agencies, which shall include—

(1) a review of legal restrictions on the use of different active cyber defense techniques in Federal environments, in consultation with the Department of Justice;

(2) an evaluation of—

(A) the efficacy of a selection of active defense techniques determined by the Director of the Cybersecurity and Infrastructure Security Agency; and

(B) factors that impact the efficacy of the active defense techniques evaluated under subparagraph (A);

(3) recommendations on safeguards and procedures that shall be established to require that active defense techniques are adequately coordinated to ensure that active defense techniques do not impede agency operations and mission delivery, threat response efforts, criminal investigations, and national security activities, including intelligence collection; and

(4) the development of a framework for the use of different active defense techniques by agencies.

(a) Purpose.—The purpose of this section is for the Cybersecurity and Infrastructure Security Agency to run a security operation center on behalf of another agency, alleviating the need to duplicate this function at every agency, and empowering a greater centralized cybersecurity capability.

(b) Plan.—Not later than 1 year after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall develop a plan to establish a centralized Federal security operations center shared service offering within the Cybersecurity and Infrastructure Security Agency.

(c) Contents.—The plan required under subsection (b) shall include considerations for—

(1) collecting, organizing, and analyzing agency information system data in real time;

(2) staffing and resources; and

(3) appropriate interagency agreements, concepts of operations, and governance plans.

(d) Pilot program.—

(1) IN GENERAL.—Not later than 180 days after the date on which the plan required under subsection (b) is developed, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, shall enter into a 1-year agreement with not less than 2 agencies to offer a security operations center as a shared service.

(2) ADDITIONAL AGREEMENTS.—After the date on which the briefing required under subsection (e)(1) is provided, the Director of the Cybersecurity and Infrastructure Security Agency, in consultation with the Director, may enter into additional 1-year agreements described in paragraph (1) with agencies.

(e) Briefing and report.—

(1) BRIEFING.—Not later than 270 days after the date of enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency shall provide to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security and the Committee on Oversight and Reform of the House of Representatives a briefing on the parameters of any 1-year agreements entered into under subsection (d)(1).

(2) REPORT.—Not later than 90 days after the date on which the first 1-year agreement entered into under subsection (d) expires, the Director of the Cybersecurity and Infrastructure Security Agency shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security and the Committee on Oversight and Reform of the House of Representatives a report on—

(A) the agreement; and

(B) any additional agreements entered into with agencies under subsection (d).

Section 3520A(e)(2) of title 44, United States Code, is amended by striking “upon the expiration of the 2-year period that begins on the date the Comptroller General submits the report under paragraph (1) to Congress” and inserting “January 31, 2030”.

SEC. 123. Federal cybersecurity requirements.

This title may be cited as the “Cyber Incident Reporting for Critical Infrastructure Act of 2022”.

In this title:

(1) COVERED CYBER INCIDENT; COVERED ENTITY; CYBER INCIDENT; INFORMATION SYSTEM; RANSOM PAYMENT; RANSOMWARE ATTACK; SECURITY VULNERABILITY.—The terms “covered cyber incident”, “covered entity”, “cyber incident”, “information system”, “ransom payment”, “ransomware attack”, and “security vulnerability” have the meanings given those terms in section 2240 of the Homeland Security Act of 2002, as added by section 203 of this title.

(2) DIRECTOR.—The term “Director” means the Director of the Cybersecurity and Infrastructure Security Agency.

(a) Cyber incident reporting.—Title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended—

(1) in section 2209(c) (6 U.S.C. 659(c))—

(A) in paragraph (11), by striking “; and” and inserting a semicolon;

(B) in paragraph (12), by striking the period at the end and inserting “; and”; and

(C) by adding at the end the following:

“(13) receiving, aggregating, and analyzing reports related to covered cyber incidents (as defined in section 2240) submitted by covered entities (as defined in section 2240) and reports related to ransom payments (as defined in section 2240) submitted by covered entities (as defined in section 2240) in furtherance of the activities specified in sections 2202(e), 2203, and 2241, this subsection, and any other authorized activity of the Director, to enhance the situational awareness of cybersecurity threats across critical infrastructure sectors.”; and

(2) by adding at the end the following:

(b) Technical and conforming amendment.—The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107–296; 116 Stat. 2135) is amended by inserting after the items relating to subtitle C of title XXII the following:

(a) Cyber incident reporting sharing.—

(1) IN GENERAL.—Notwithstanding any other provision of law or regulation, any Federal agency, including any independent establishment (as defined in section 104 of title 5, United States Code), that receives a report from an entity of a cyber incident, including a ransomware attack, shall provide the report to the Agency as soon as possible, but not later than 24 hours after receiving the report, unless a shorter period is required by an agreement made between the Department of Homeland Security (including the Cybersecurity and Infrastructure Security Agency) and the recipient Federal agency. The Director shall share and coordinate each report pursuant to section 2241(b) of the Homeland Security Act of 2002, as added by section 203 of this title.

(2) RULE OF CONSTRUCTION.—The requirements described in paragraph (1) and section 2245(d) of the Homeland Security Act of 2002, as added by section 203 of this title, may not be construed to be a violation of any provision of law or policy that would otherwise prohibit disclosure or provision of information within the executive branch.

(3) PROTECTION OF INFORMATION.—The Director shall comply with any obligations of the recipient Federal agency described in paragraph (1) to protect information, including with respect to privacy, confidentiality, or information security, if those obligations would impose greater protection requirements than this Act or the amendments made by this Act.

(4) EFFECTIVE DATE.—This subsection shall take effect on the effective date of the final rule issued pursuant to section 2242(b) of the Homeland Security Act of 2002, as added by section 203 of this title.

(5) AGENCY AGREEMENTS.—

(A) IN GENERAL.—The Agency and any Federal agency, including any independent establishment (as defined in section 104 of title 5, United States Code) that receives incident reports from entities, including due to ransomware attacks, shall, as appropriate, enter into a documented agreement to establish policies, processes, procedures, and mechanisms to ensure reports are shared with the Agency pursuant to paragraph (1).

(B) AVAILABILITY.—To the maximum extent practicable, each documented agreement required under subparagraph (A) shall be made publicly available.

(C) REQUIREMENT.—The documented agreements required by subparagraph (A) shall require reports be shared from Federal agencies with the Agency in such time as to meet the overall timeline for covered entity reporting of covered cyber incidents and ransom payments established in section 2242 of the Homeland Security Act of 2002, as added by section 203 of this title.

(b) Harmonizing reporting requirements.—The Secretary of Homeland Security, acting through the Director, shall, in consultation with the Cyber Incident Reporting Council described in section 2246 of the Homeland Security Act of 2002, as added by section 203 of this title, to the maximum extent practicable—

(1) periodically review existing regulatory requirements, including the information required in such reports, to report incidents and ensure that any such reporting requirements and procedures avoid conflicting, duplicative, or burdensome requirements; and

(2) coordinate with appropriate Federal partners and regulatory authorities that receive reports relating to incidents to identify opportunities to streamline reporting processes, and where feasible, facilitate interagency agreements between such authorities to permit the sharing of such reports, consistent with applicable law and policy, without impacting the ability of the Agency to gain timely situational awareness of a covered cyber incident or ransom payment.

(a) Program.—Not later than 1 year after the date of enactment of this Act, the Director shall establish a ransomware vulnerability warning pilot program to leverage existing authorities and technology to specifically develop processes and procedures for, and to dedicate resources to, identifying information systems that contain security vulnerabilities associated with common ransomware attacks, and to notify the owners of those vulnerable systems of their security vulnerability.

(b) Identification of vulnerable systems.—The pilot program established under subsection (a) shall—

(1) identify the most common security vulnerabilities utilized in ransomware attacks and mitigation techniques; and

(2) utilize existing authorities to identify information systems that contain the security vulnerabilities identified in paragraph (1).

(c) Entity notification.—

(1) IDENTIFICATION.—If the Director is able to identify the entity at risk that owns or operates a vulnerable information system identified in subsection (b), the Director may notify the owner of the information system.

(2) NO IDENTIFICATION.—If the Director is not able to identify the entity at risk that owns or operates a vulnerable information system identified in subsection (b), the Director may utilize the subpoena authority pursuant to section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 659) to identify and notify the entity at risk pursuant to the procedures under that section.

(3) REQUIRED INFORMATION.—A notification made under paragraph (1) shall include information on the identified security vulnerability and mitigation techniques.

(d) Prioritization of notifications.—To the extent practicable, the Director shall prioritize covered entities for identification and notification activities under the pilot program established under this section.

(e) Limitation on procedures.—No procedure, notification, or other authorities utilized in the execution of the pilot program established under subsection (a) shall require an owner or operator of a vulnerable information system to take any action as a result of a notice of a security vulnerability made pursuant to subsection (c).

(f) Rule of construction.—Nothing in this section shall be construed to provide additional authorities to the Director to identify vulnerabilities or vulnerable systems.

(g) Termination.—The pilot program established under subsection (a) shall terminate on the date that is 4 years after the date of enactment of this Act.

(a) Joint ransomware task force.—

(1) IN GENERAL.—Not later than 180 days after the date of enactment of this Act, the Director, in consultation with the National Cyber Director, the Attorney General, and the Director of the Federal Bureau of Investigation, shall establish and chair the Joint Ransomware Task Force to coordinate an ongoing nationwide campaign against ransomware attacks, and identify and pursue opportunities for international cooperation.

(2) COMPOSITION.—The Joint Ransomware Task Force shall consist of participants from Federal agencies, as determined appropriate by the National Cyber Director in consultation with the Secretary of Homeland Security.

(3) RESPONSIBILITIES.—The Joint Ransomware Task Force, utilizing only existing authorities of each participating Federal agency, shall coordinate across the Federal Government the following activities:

(A) Prioritization of intelligence-driven operations to disrupt specific ransomware actors.

(B) Consult with relevant private sector, State, local, Tribal, and territorial governments and international stakeholders to identify needs and establish mechanisms for providing input into the Joint Ransomware Task Force.

(C) Identifying, in consultation with relevant entities, a list of highest threat ransomware entities updated on an ongoing basis, in order to facilitate—

(i) prioritization for Federal action by appropriate Federal agencies; and

(ii) identify metrics for success of said actions.

(D) Disrupting ransomware criminal actors, associated infrastructure, and their finances.

(E) Facilitating coordination and collaboration between Federal entities and relevant entities, including the private sector, to improve Federal actions against ransomware threats.

(F) Collection, sharing, and analysis of ransomware trends to inform Federal actions.

(G) Creation of after-action reports and other lessons learned from Federal actions that identify successes and failures to improve subsequent actions.

(H) Any other activities determined appropriate by the Joint Ransomware Task Force to mitigate the threat of ransomware attacks.

(b) Rule of construction.—Nothing in this section shall be construed to provide any additional authority to any Federal agency.

(a) Report on stakeholder engagement.—Not later than 30 days after the date on which the Director issues the final rule under section 2242(b) of the Homeland Security Act of 2002, as added by section 203(b) of this title, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report that describes how the Director engaged stakeholders in the development of the final rule.

(b) Report on opportunities to strengthen security research.—Not later than 1 year after the date of enactment of this Act, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report describing how the National Cybersecurity and Communications Integration Center established under section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 659) has carried out activities under section 2241(a)(9) of the Homeland Security Act of 2002, as added by section 203(a) of this title, by proactively identifying opportunities to use cyber incident data to inform and enable cybersecurity research within the academic and private sector.

(c) Report on ransomware vulnerability warning pilot program.—Not later than 1 year after the date of enactment of this Act, and annually thereafter for the duration of the pilot program established under section 205, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report, which may include a classified annex, on the effectiveness of the pilot program, which shall include a discussion of the following:

(1) The effectiveness of the notifications under section 205(c) in mitigating security vulnerabilities and the threat of ransomware.

(2) Identification of the most common vulnerabilities utilized in ransomware.

(3) The number of notifications issued during the preceding year.

(4) To the extent practicable, the number of vulnerable devices or systems mitigated under the pilot program by the Agency during the preceding year.

(d) Report on harmonization of reporting regulations.—

(1) IN GENERAL.—Not later than 180 days after the date on which the Secretary of Homeland Security convenes the Cyber Incident Reporting Council described in section 2246 of the Homeland Security Act of 2002, as added by section 203 of this title, the Secretary of Homeland Security shall submit to the appropriate congressional committees a report that includes—

(A) a list of duplicative Federal cyber incident reporting requirements on covered entities;

(B) a description of any challenges in harmonizing the duplicative reporting requirements;

(C) any actions the Director intends to take to facilitate harmonizing the duplicative reporting requirements; and

(D) any proposed legislative changes necessary to address the duplicative reporting.

(2) RULE OF CONSTRUCTION.—Nothing in paragraph (1) shall be construed to provide any additional regulatory authority to any Federal agency.

(e) GAO reports.—

(1) IMPLEMENTATION OF THIS ACT.—Not later than 2 years after the date of enactment of this Act, the Comptroller General of the United States shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the implementation of this Act and the amendments made by this Act.

(2) EXEMPTIONS TO REPORTING.—Not later than 1 year after the date on which the Director issues the final rule required under section 2242(b) of the Homeland Security Act of 2002, as added by section 203 of this title, the Comptroller General of the United States shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the exemptions to reporting under paragraphs (2) and (5) of section 2242(a) of the Homeland Security Act of 2002, as added by section 203 of this title, which shall include—

(A) to the extent practicable, an evaluation of the quantity of cyber incidents not reported to the Federal Government;

(B) an evaluation of the impact on impacted entities, homeland security, and the national economy due to cyber incidents, ransomware attacks, and ransom payments, including a discussion on the scope of impact of cyber incidents that were not reported to the Federal Government;

(C) an evaluation of the burden, financial and otherwise, on entities required to report cyber incidents under this Act, including an analysis of entities that meet the definition of a small business concern under section 3 of the Small Business Act (15 U.S.C. 632); and

(D) a description of the consequences and effects of limiting covered cyber incident and ransom payment reporting to only covered entities.

(f) Report on effectiveness of enforcement mechanisms.—Not later than 1 year after the date on which the Director issues the final rule required under section 2242(b) of the Homeland Security Act of 2002, as added by section 203 of this title, the Director shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the effectiveness of the enforcement mechanisms within section 2244 of the Homeland Security Act of 2002, as added by section 203 of this title.

This title may be cited as the “Federal Secure Cloud Improvement and Jobs Act of 2022”.

Congress finds the following:

(1) Ensuring that the Federal Government can securely leverage cloud computing products and services is key to expediting the modernization of legacy information technology systems, increasing cybersecurity within and across departments and agencies, and supporting the continued leadership of the United States in technology innovation and job creation.

(2) According to independent analysis, as of calendar year 2019, the size of the cloud computing market had tripled since 2004, enabling more than 2,000,000 jobs and adding more than $200,000,000,000 to the gross domestic product of the United States.

(3) The Federal Government, across multiple presidential administrations and Congresses, has continued to support the ability of agencies to move to the cloud, including through—

(A) President Barack Obama’s “Cloud First Strategy”;

(B) President Donald Trump’s “Cloud Smart Strategy”;

(C) the prioritization of cloud security in Executive Order 14028 (86 Fed. Reg. 26633; relating to improving the nation’s cybersecurity), which was issued by President Joe Biden; and

(D) more than a decade of appropriations and authorization legislation that provides agencies with relevant authorities and appropriations to modernize on-premises information technology systems and more readily adopt cloud computing products and services.

(4) Since it was created in 2011, the Federal Risk and Authorization Management Program (referred to in this section as “FedRAMP”) at the General Services Administration has made steady and sustained improvements in supporting the secure authorization and reuse of cloud computing products and services within the Federal Government, including by reducing the costs and burdens on both agencies and cloud companies to quickly and securely enter the Federal market.

(5) According to data from the General Services Administration, as of the end of fiscal year 2021, there were 239 cloud providers with FedRAMP authorizations, and those authorizations had been reused more than 2,700 times across various agencies.

(6) Providing a legislative framework for FedRAMP and new authorities to the General Services Administration, the Office of Management and Budget, and Federal agencies will—

(A) improve the speed at which new cloud computing products and services can be securely authorized;

(B) enhance the ability of agencies to effectively evaluate FedRAMP authorized providers for reuse;

(C) reduce the costs and burdens to cloud providers seeking a FedRAMP authorization; and

(D) provide for more robust transparency and dialogue between industry and the Federal Government to drive stronger adoption of secure cloud capabilities, create jobs, and reduce wasteful legacy information technology.

(a) Amendment.—Chapter 36 of title 44, United States Code, is amended by adding at the end the following:

(b) Technical and conforming amendment.—The table of sections for chapter 36 of title 44, United States Code, is amended by adding at the end the following new items:

“3607. Definitions.
“3608. Federal Risk and Authorization Management Program.
“3609. Roles and responsibilities of the General Services Administration.
“3610. FedRAMP Board.
“3611. Independent assessment.
“3612. Declaration of foreign interests.
“3613. Roles and responsibilities of agencies.
“3614. Roles and responsibilities of the Office of Management and Budget.
“3615. Reports to Congress; GAO report.
“3616. Federal Secure Cloud Advisory Committee.”.

(c) Sunset.—

(1) IN GENERAL.—Effective on the date that is 5 years after the date of enactment of this Act, chapter 36 of title 44, United States Code, is amended by striking sections 3607 through 3616.

(2) CONFORMING AMENDMENT.—Effective on the date that is 5 years after the date of enactment of this Act, the table of sections for chapter 36 of title 44, United States Code, is amended by striking the items relating to sections 3607 through 3616.

(d) Rule of construction.—Nothing in this section or any amendment made by this section shall be construed as altering or impairing the authorities of the Director of the Office of Management and Budget or the Secretary of Homeland Security under subchapter II of chapter 35 of title 44, United States Code.