“(a) Not later than 180 days after the date of the enactment of this Act, the Director of the Office of Management and Budget, in coordination with the Department of Homeland Security, Department of Transportation, the Department of Justice, and other Departments as determined by the Director of the Office of Management and Budget, and in consultation with the National Institute of Standards and Technology, shall establish a government-wide policy for the procurement of an unmanned aircraft system—
“(1) for non-Department of Defense and non-intelligence community operations; and
“(2) through grants and cooperative agreements entered into with non-Federal entities.
“(b) The policy developed under subsection (a) shall include the following specifications, which to the extent practicable, shall be based on industry standards and technical guidance from the National Institute of Standards and Technology, to address the risks associated with processing, storing, and transmitting Federal information in an unmanned aircraft system:
“(1) Protections to ensure controlled access to an unmanned aircraft system.
“(2) Protecting software, firmware, and hardware by ensuring changes to an unmanned aircraft system are properly managed, including by ensuring an unmanned aircraft system can be updated using a secure, controlled, and configurable mechanism.
“(3) Cryptographically securing sensitive collected, stored, and transmitted data, including proper handling of privacy data and other controlled unclassified information.
“(4) Appropriate safeguards necessary to protect sensitive information, including during and after use of an unmanned aircraft system.
“(5) Appropriate data security to ensure that data is not transmitted to or stored in non-approved locations.
“(6) The ability to opt out of the uploading, downloading, or transmitting of data that is not required by law or regulation and an ability to choose with whom and where information is shared when it is required.
“(c) The policy developed under subsection (a) shall reflect an appropriate risk-based approach to information security related to use of an unmanned aircraft system.
“(d) Not later than 180 days after the date on which the policy required under subsection (a) is issued—
“(1) the Federal Acquisition Regulatory Council shall revise the Federal Acquisition Regulation, as necessary, to implement the policy; and
“(2) any Federal department or agency or other Federal entity not subject to, or not subject solely to, the Federal Acquisition Regulation shall revise applicable policy, guidance, or regulations, as necessary, to implement the policy.
“(e) In developing the policy required under subsection (a), the Director of the Office of Management and Budget shall—
“(1) incorporate policies to implement the exemptions contained in this subtitle; and
“(2) incorporate an exemption to the policy in the case of a head of the procuring department or agency determining, in writing, that no product that complies with the information security requirements described in subsection (b) is capable of fulfilling mission critical performance requirements, and such determination—
“(A) may not be delegated below the level of the Deputy Secretary, or Administrator, of the procuring department or agency;
“(B) shall specify—
“(i) the quantity of end items to which the waiver applies and the procurement value of those items; and
“(ii) the time period over which the waiver applies, which shall not exceed three years;
“(C) shall be reported to the Office of Management and Budget following issuance of such a determination; and
“(D) not later than 30 days after the date on which the determination is made, shall be provided to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Accountability of the House of Representatives.