skip to main content

S. 3618: Federal Cybersecurity Oversight Act of 2022


The text of the bill below is as of Feb 9, 2022 (Introduced).


II

117th CONGRESS

2d Session

S. 3618

IN THE SENATE OF THE UNITED STATES

February 9, 2022

introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs

A BILL

To amend the Federal Cybersecurity Enhancement Act of 2015 to require Federal agencies to obtain exemptions from certain cybersecurity requirements in order to avoid compliance with those requirements, and for other purposes.

1.

Short title

This Act may be cited as the Federal Cybersecurity Oversight Act of 2022.

2.

Federal cybersecurity requirements

(a)

Exemption from Federal requirements

Section 225(b)(2) of the Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1523(b)(2)) is amended to read as follows:

(2)

Exception

(A)

In general

A particular requirement under paragraph (1) shall not apply to an agency information system of an agency if—

(i)

with respect to the agency information system, the head of the agency submits to the Director an application for an exemption from the particular requirement, in which the head of the agency personally certifies to the Director with particularity that—

(I)

operational requirements articulated in the certification and related to the agency information system would make it excessively burdensome to implement the particular requirement;

(II)

the particular requirement is not necessary to secure the agency information system or agency information stored on or transiting the agency information system; and

(III)

the agency has taken all necessary steps to secure the agency information system and agency information stored on or transiting the agency information system;

(ii)

the head of the agency or the designee of the head of the agency has submitted the certification described in clause (i) to the appropriate congressional committees and any other congressional committee with jurisdiction over the agency; and

(iii)

the Director grants the exemption from the particular requirement.

(B)

Duration of exemption

(i)

In general

An exemption granted under subparagraph (A) shall expire on the date that is 1 year after the date on which the Director granted the exemption.

(ii)

Renewal

Upon the expiration of an exemption granted to an agency under subparagraph (A), the head of the agency may apply for an additional exemption.

.

(b)

Report on exemptions

Section 3554(c)(1)(A) of title 44, United States Code, is amended—

(1)

in clause (iii), by striking and at the end;

(2)

by redesignating clause (iv) as clause (v); and

(3)

by inserting after clause (iii) the following:

(iv)

with respect to any exemption the Director of the Office of Management and Budget has granted the agency under section 225(b)(2) of the Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1523(b)(2)) that is effective on the date of submission of the report—

(I)

an identification of each particular requirement from which any agency information system (as defined in section 2210 of the Homeland Security Act of 2002 (6 U.S.C. 660)) is exempted; and

(II)

for each requirement identified under subclause (I)—

(aa)

an identification of the agency information system described in subclause (I) exempted from the requirement; and

(bb)

an estimate of the date on which the agency will to be able to comply with the requirement; and

.

(c)

Effective date

This Act and the amendments made by this Act shall take effect on the date that is 1 year after the date of enactment of this Act.