§ 1521. Definitions
In this subchapter:
(1) Agency
(2) Agency information system
(3) Appropriate congressional committees
The term “appropriate congressional committees” means—
(A) the Committee on Homeland Security and Governmental Affairs of the Senate; and
(B) the Committee on Homeland Security of the House of Representatives.
(4) Cybersecurity risk; information system
(5) Director
(6) Intelligence community
(7) National security system
(8) Secretary
(Pub. L. 114–113, div. N, title II, § 222, Dec. 18, 2015, 129 Stat. 2963; Pub. L. 115–278, § 2(h)(1)(D), Nov. 16, 2018, 132 Stat. 4182; Pub. L. 117–263, div. G, title LXXI, § 7143(d)(1)(A), Dec. 23, 2022, 136 Stat. 3663.)
§ 1522. Advanced internal defenses
(a) Advanced network security tools
(1) In general
(2) Development of plan
(b) Prioritizing advanced security tools
The Director and the Secretary, in consultation with appropriate agencies, shall—
(1) review and update Government-wide policies and programs to ensure appropriate prioritization and use of network security monitoring tools within agency networks; and
(2) brief appropriate congressional committees on such prioritization and use.
(c) Improved metrics
(d) Transparency and accountability
(e) Omitted
(f) Exception
(Pub. L. 114–113, div. N, title II, § 224, Dec. 18, 2015, 129 Stat. 2967.)
§ 1523. Federal cybersecurity requirements
(a) Implementation of Federal cybersecurity standards
(b) Cybersecurity requirements at agencies
(1) In general
Consistent with policies, standards, guidelines, and directives on information security under subchapter II of chapter 35 of title 44 and the standards and guidelines promulgated under section 11331 of title 40 and except as provided in paragraph (2), not later than 1 year after December 18, 2015, the head of each agency shall—
(A) identify sensitive and mission critical data stored by the agency consistent with the inventory required under the first subsection (c) (relating to the inventory of major information systems) and the second subsection (c) (relating to the inventory of information systems) of section 3505 of title 44;
(B) assess access controls to the data described in subparagraph (A), the need for readily accessible storage of the data, and individuals’ need to access the data;
(C) encrypt or otherwise render indecipherable to unauthorized users the data described in subparagraph (A) that is stored on or transiting agency information systems;
(D) implement a single sign-on trusted identity platform for individuals accessing each public website of the agency that requires user authentication, as developed by the Administrator of General Services in collaboration with the Secretary; and
(E) implement identity management consistent with section 7464 of title 15, including multi-factor authentication, for—
(i) remote access to an agency information system; and
(ii) each user account with elevated privileges on an agency information system.
(2) Exception
The requirements under paragraph (1) shall not apply to an agency information system for which—
(A) the head of the agency has personally certified to the Director with particularity that—
(i) operational requirements articulated in the certification and related to the agency information system would make it excessively burdensome to implement the cybersecurity requirement;
(ii) the cybersecurity requirement is not necessary to secure the agency information system or agency information stored on or transiting it; and
(iii) the agency has taken all necessary steps to secure the agency information system and agency information stored on or transiting it; and
(B) the head of the agency or the designee of the head of the agency has submitted the certification described in subparagraph (A) to the appropriate congressional committees and the agency’s authorizing committees.
(3) Construction
(c) Exception
(Pub. L. 114–113, div. N, title II, § 225, Dec. 18, 2015, 129 Stat. 2967.)
§ 1524. Assessment; reports
(a) Definitions
In this section:
(1) Agency information
(2) Cyber threat indicator; defensive measure
(3) Intrusion assessments
(4) Intrusion assessment plan
(5) Intrusion detection and prevention capabilities
(b) Third-party assessment
(c) Reports to Congress
(1) Intrusion detection and prevention capabilities
(A) Secretary of Homeland Security report
Not later than 6 months after December 18, 2015, and annually thereafter, the Secretary shall submit to the appropriate congressional committees a report on the status of implementation of the intrusion detection and prevention capabilities, including—
(i) a description of privacy controls;
(ii) a description of the technologies and capabilities utilized to detect cybersecurity risks in network traffic, including the extent to which those technologies and capabilities include existing commercial and noncommercial technologies;
(iii) a description of the technologies and capabilities utilized to prevent network traffic associated with cybersecurity risks from transiting or traveling to or from agency information systems, including the extent to which those technologies and capabilities include existing commercial and noncommercial technologies;
(iv) a list of the types of indicators or other identifiers or techniques used to detect cybersecurity risks in network traffic transiting or traveling to or from agency information systems on each iteration of the intrusion detection and prevention capabilities and the number of each such type of indicator, identifier, and technique;
(v) the number of instances in which the intrusion detection and prevention capabilities detected a cybersecurity risk in network traffic transiting or traveling to or from agency information systems and the number of times the intrusion detection and prevention capabilities blocked network traffic associated with cybersecurity risk; and
(vi) a description of the pilot established under section 2213(c)(5) of the Homeland Security Act of 2002 [6 U.S.C. 663(c)(5)], including the number of new technologies tested and the number of participating agencies.
(B) OMB report
Not later than 18 months after December 18, 2015, and annually thereafter, the Director shall submit to Congress, as part of the report required under section 3553(c) of title 44, an analysis of agency application of the intrusion detection and prevention capabilities, including—
(i) a list of each agency and the degree to which each agency has applied the intrusion detection and prevention capabilities to an agency information system; and
(ii) a list by agency of—
(I) the number of instances in which the intrusion detection and prevention capabilities detected a cybersecurity risk in network traffic transiting or traveling to or from an agency information system and the types of indicators, identifiers, and techniques used to detect such cybersecurity risks; and
(II) the number of instances in which the intrusion detection and prevention capabilities prevented network traffic associated with a cybersecurity risk from transiting or traveling to or from an agency information system and the types of indicators, identifiers, and techniques used to detect such agency information systems.
(C) Chief information officer
Not earlier than 18 months after December 18, 2015, and not later than 2 years after December 18, 2015, the Federal Chief Information Officer shall review and submit to the appropriate congressional committees a report assessing the intrusion detection and intrusion prevention capabilities, including—
(i) the effectiveness of the system in detecting, disrupting, and preventing cyber-threat actors, including advanced persistent threats, from accessing agency information and agency information systems;
(ii) whether the intrusion detection and prevention capabilities, continuous diagnostics and mitigation, and other systems deployed under subtitle D [1] of title II of the Homeland Security Act of 2002 (6 U.S.C. 231 et seq.) are effective in securing Federal information systems;
[1] See References in Text note below.
(iii) the costs and benefits of the intrusion detection and prevention capabilities, including as compared to commercial technologies and tools and including the value of classified cyber threat indicators; and
(iv) the capability of agencies to protect sensitive cyber threat indicators and defensive measures if they were shared through unclassified mechanisms for use in commercial technologies and tools.
(2) OMB report on development and implementation of intrusion assessment plan, advanced internal defenses, and Federal cybersecurity requirements
The Director shall—
(A) not later than 6 months after December 18, 2015, and 30 days after any update thereto, submit the intrusion assessment plan to the appropriate congressional committees;
(B) not later than 1 year after December 18, 2015, and annually thereafter, submit to Congress, as part of the report required under section 3553(c) of title 44—
(i) a description of the implementation of the intrusion assessment plan;
(ii) the findings of the intrusion assessments conducted pursuant to the intrusion assessment plan;
(iii) a description of the advanced network security tools included in the efforts to continuously diagnose and mitigate cybersecurity risks pursuant to section 1522(a)(1) of this title; and
(iv) a list by agency of compliance with the requirements of section 1523(b) of this title; and
(C) not later than 1 year after December 18, 2015, submit to the appropriate congressional committees—
(i) a copy of the plan developed pursuant to section 1522(a)(2) of this title; and
(ii) the improved metrics developed pursuant to section 1522(c) of this title.
(d) Form
(Pub. L. 114–113, div. N, title II, § 226, Dec. 18, 2015, 129 Stat. 2969; Pub. L. 115–278, § 2(h)(1)(F), Nov. 16, 2018, 132 Stat. 4182; Pub. L. 117–263, div. G, title LXXI, § 7143(d)(1)(B), Dec. 23, 2022, 136 Stat. 3663.)
§ 1525. Termination
(a) In general
(b) Rule of construction
(Pub. L. 114–113, div. N, title II, § 227, Dec. 18, 2015, 129 Stat. 2971; Pub. L. 115–278, § 2(h)(1)(G), Nov. 16, 2018, 132 Stat. 4182; Pub. L. 117–328, div. O, title I, § 101, Dec. 29, 2022, 136 Stat. 5226; Pub. L. 118–47, div. G, title I, § 106, Mar. 23, 2024, 138 Stat. 857; Pub. L. 118–83, div. B, title I, § 103, Sept. 26, 2024, 138 Stat. 1534.)
§ 1526. Inventory of cryptographic systems; migration to post-quantum cryptography
(a) Inventory
(1) Establishment
Not later than 180 days after December 21, 2022, the Director of OMB, in coordination with the National Cyber Director and in consultation with the Director of CISA, shall issue guidance on the migration of information technology to post-quantum cryptography, which shall include at a minimum—
(A) a requirement for each agency to establish and maintain a current inventory of information technology in use by the agency that is vulnerable to decryption by quantum computers, prioritized using the criteria described in subparagraph (B);
(B) criteria to allow agencies to prioritize their inventory efforts; and
(C) a description of the information required to be reported pursuant to subsection (b).
(2) Additional span in guidance
In the guidance established by paragraph (1), the Director of OMB shall include, in addition to the requirements described in that paragraph—
(A) a description of information technology to be prioritized for migration to post-quantum cryptography; and
(B) a process for evaluating progress on migrating information technology to post-quantum cryptography, which shall be automated to the greatest extent practicable.
(3) Periodic updates
(b) Agency reports
Not later than 1 year after December 21, 2022, and on an ongoing basis thereafter, the head of each agency shall provide to the Director of OMB, the Director of CISA, and the National Cyber Director—
(1) the inventory described in subsection (a)(1); and
(2) any other information required to be reported under subsection (a)(1)(C).
(c) Migration and assessment
Not later than 1 year after the date on which the Director of NIST has issued post-quantum cryptography standards, the Director of OMB shall issue guidance requiring each agency to—
(1) prioritize information technology described under subsection (a)(2)(A) for migration to post-quantum cryptography; and
(2) develop a plan to migrate information technology of the agency to post-quantum cryptography consistent with the prioritization under paragraph (1).
(d) Interoperability
(e) Office of Management and Budget reports
(1) Report on post-quantum cryptography
Not later than 15 months after December 21, 2022, the Director of OMB, in coordination with the National Cyber Director and in consultation with the Director of CISA, shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives a report on the following:
(A) A strategy to address the risk posed by the vulnerabilities of information technology of agencies to weakened encryption due to the potential and possible capability of a quantum computer to breach that encryption.
(B) An estimate of the amount of funding needed by agencies to secure the information technology described in subsection (a)(1)(A) from the risk posed by an adversary of the United States using a quantum computer to breach the encryption of the information technology.
(C) A description of Federal civilian executive branch coordination efforts led by the National Institute of Standards and Technology, including timelines, to develop standards for post-quantum cryptography, including any Federal Information Processing Standards developed under chapter 35 of title 44, as well as standards developed through voluntary, consensus standards bodies such as the International Organization for Standardization.
(2) Report on migration to post-quantum cryptography in information technology
(Pub. L. 117–260, § 4, Dec. 21, 2022, 136 Stat. 2390.)