IN THE SENATE OF THE UNITED STATES
February 9, 2022
Mr. Wyden introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs
To amend the Federal Cybersecurity Enhancement Act of 2015 to require Federal agencies to obtain exemptions from certain cybersecurity requirements in order to avoid compliance with those requirements, and for other purposes.
This Act may be cited as the
Federal Cybersecurity Oversight Act of 2022.
Federal cybersecurity requirements
Exemption from Federal requirements
Section 225(b)(2) of the Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1523(b)(2)) is amended to read as follows:
A particular requirement under paragraph (1) shall not apply to an agency information system of an agency if—
with respect to the agency information system, the head of the agency submits to the Director an application for an exemption from the particular requirement, in which the head of the agency personally certifies to the Director with particularity that—
operational requirements articulated in the certification and related to the agency information system would make it excessively burdensome to implement the particular requirement;
the particular requirement is not necessary to secure the agency information system or agency information stored on or transiting the agency information system; and
the agency has taken all necessary steps to secure the agency information system and agency information stored on or transiting the agency information system;
the head of the agency or the designee of the head of the agency has submitted the certification described in clause (i) to the appropriate congressional committees and any other congressional committee with jurisdiction over the agency; and
the Director grants the exemption from the particular requirement.
Duration of exemption
An exemption granted under subparagraph (A) shall expire on the date that is 1 year after the date on which the Director granted the exemption.
Upon the expiration of an exemption granted to an agency under subparagraph (A), the head of the agency may apply for an additional exemption.
Report on exemptions
Section 3554(c)(1)(A) of title 44, United States Code, is amended—
in clause (iii), by striking
and at the end;
by redesignating clause (iv) as clause (v); and
by inserting after clause (iii) the following:
with respect to any exemption the Director of the Office of Management and Budget has granted the agency under section 225(b)(2) of the Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1523(b)(2)) that is effective on the date of submission of the report—
an identification of each particular requirement from which any agency information system (as defined in section 2210 of the Homeland Security Act of 2002 (6 U.S.C. 660)) is exempted; and
for each requirement identified under subclause (I)—
an identification of the agency information system described in subclause (I) exempted from the requirement; and
an estimate of the date on which the agency will to be able to comply with the requirement; and
This Act and the amendments made by this Act shall take effect on the date that is 1 year after the date of enactment of this Act.