U.S. CODE
Rulings
AD/CVD
Notices
HTSUS
U.S. Code
Regs
More
Ports
About
Updates
Apps
Larger font
Smaller font
SEARCH
Toggle Dropdown
Search US Code
Search Leg. Notes
Sort by Rank
Titles Ascending
Titles Descending
10 per page
25 Result/page
50 Result/page
U.S Code last checked for updates: Apr 29, 2024
All Titles
Title 6
Chapter 6
Subchapter II
§ 1522. Advanced internal defens...
§ 1524. Assessment; reports...
§ 1522. Advanced internal defens...
§ 1524. Assessment; reports...
U.S. Code
Notes
§ 1523.
Federal cybersecurity requirements
(a)
Implementation of Federal cybersecurity standards
(b)
Cybersecurity requirements at agencies
(1)
In general
Consistent with policies, standards, guidelines, and directives on information security under subchapter II of chapter 35 of title 44 and the standards and guidelines promulgated under
section 11331 of title 40
and except as provided in paragraph (2), not later than 1 year after
December 18, 2015
, the head of each agency shall—
(A)
identify sensitive and mission critical data stored by the agency consistent with the inventory required under the first subsection (c) (relating to the inventory of major information systems) and the second subsection (c) (relating to the inventory of information systems) of
section 3505 of title 44
;
(B)
assess access controls to the data described in subparagraph (A), the need for readily accessible storage of the data, and individuals’ need to access the data;
(C)
encrypt or otherwise render indecipherable to unauthorized users the data described in subparagraph (A) that is stored on or transiting agency information systems;
(D)
implement a single sign-on trusted identity platform for individuals accessing each public website of the agency that requires user authentication, as developed by the Administrator of General Services in collaboration with the Secretary; and
(E)
implement identity management consistent with
section 7464 of title 15
, including multi-factor authentication, for—
(i)
remote access to an agency information system; and
(ii)
each user account with elevated privileges on an agency information system.
(2)
Exception
The requirements under paragraph (1) shall not apply to an agency information system for which—
(A)
the head of the agency has personally certified to the Director with particularity that—
(i)
operational requirements articulated in the certification and related to the agency information system would make it excessively burdensome to implement the cybersecurity requirement;
(ii)
the cybersecurity requirement is not necessary to secure the agency information system or agency information stored on or transiting it; and
(iii)
the agency has taken all necessary steps to secure the agency information system and agency information stored on or transiting it; and
(B)
the head of the agency or the designee of the head of the agency has submitted the certification described in subparagraph (A) to the appropriate congressional committees and the agency’s authorizing committees.
(3)
Construction
(c)
Exception
(
Pub. L. 114–113, div. N, title II, § 225
,
Dec. 18, 2015
,
129 Stat. 2967
.)
cite as:
6 USC 1523
.list_box li,p,.cm-search-info,.cm-search-detail,.abt span,.expand-collapse_top
Get the CustomsMobile app!