Title 6, Domestic Security. Release point: 119-73not60

§1523 Federal Cybersecurity Requirements

Title 6, Chapter 6 (Cybersecurity), Subchapter II (Federal Cybersecurity Enhancement), § 1523

Last updated Apr 3, 2026

Summary

The Secretary must issue binding operational directives, working with the Cybersecurity Director, to make sure agencies quickly adopt and follow federal cybersecurity policies and standards for protecting their information systems. Not later than 1 year after December 18, 2015, each agency head must identify sensitive and mission‑critical data in their system inventories, check who can access that data and whether it needs to be readily available, encrypt or otherwise make that data unreadable to anyone not authorized, use a single sign‑on identity system for public websites that need logins (using the system built by the General Services Administration with the Secretary), and use identity management with multi‑factor authentication for remote access and for accounts with elevated privileges. An agency can be exempt from a requirement for a given system if the agency head personally certifies in detail to the Director that implementing it would be excessively burdensome, that it is not needed for security, and that the agency has taken all necessary steps to secure the system, and then sends that certification to the relevant congressional and authorizing committees. These rules do not change the authority of other federal cybersecurity officials or NIST’s standards process. The requirements do not apply to the Department of Defense, national security systems, or elements of the intelligence community.

Full Legal Text

Title 6, §1523

Domestic Security — Source: USLM XML via OLRC

(a) Consistent with section 3553 of title 44, the Secretary, in consultation with the Director, shall exercise the authority to issue binding operational directives to assist the Director in ensuring timely agency adoption of and compliance with policies and standards promulgated under section 11331 of title 40 (see References in Text note below) for securing agency information systems.

(b)(1) Consistent with policies, standards, guidelines, and directives on information security under subchapter II of chapter 35 of title 44 and the standards and guidelines promulgated under section 11331 of title 40 and except as provided in paragraph (2), not later than 1 year after December 18, 2015, the head of each agency shall—
    (A) identify sensitive and mission critical data stored by the agency consistent with the inventory required under the first subsection (c) (relating to the inventory of major information systems) and the second subsection (c) (relating to the inventory of information systems) of section 3505 of title 44;
    (B) assess access controls to the data described in subparagraph (A), the need for readily accessible storage of the data, and individuals’ need to access the data;
    (C) encrypt or otherwise render indecipherable to unauthorized users the data described in subparagraph (A) that is stored on or transiting agency information systems;
    (D) implement a single sign-on trusted identity platform for individuals accessing each public website of the agency that requires user authentication, as developed by the Administrator of General Services in collaboration with the Secretary; and
    (E) implement identity management consistent with section 7464 of title 15, including multi-factor authentication, for—
        (i) remote access to an agency information system; and
        (ii) each user account with elevated privileges on an agency information system.
(2) The requirements under paragraph (1) shall not apply to an agency information system for which—
    (A) the head of the agency has personally certified to the Director with particularity that—
        (i) operational requirements articulated in the certification and related to the agency information system would make it excessively burdensome to implement the cybersecurity requirement;
        (ii) the cybersecurity requirement is not necessary to secure the agency information system or agency information stored on or transiting it; and
        (iii) the agency has taken all necessary steps to secure the agency information system and agency information stored on or transiting it; and
    (B) the head of the agency or the designee of the head of the agency has submitted the certification described in subparagraph (A) to the appropriate congressional committees and the agency’s authorizing committees.
(3) Nothing in this section shall be construed to alter the authority of the Secretary, the Director, or the Director of the National Institute of Standards and Technology in implementing subchapter II of chapter 35 of title 44. Nothing in this section shall be construed to affect the National Institute of Standards and Technology standards process or the requirement under section 3553(a)(4) of such title or to discourage continued improvements and advancements in the technology, standards, policies, and guidelines used to promote Federal information security.

(c) The requirements under this section shall not apply to the Department of Defense, a national security system, or an element of the intelligence community.

Notes & Related Subsidiaries

Editorial Notes

References in Text

The text of section 11331 of title 40, referred to in subsec. (a), was generally amended by Pub. L. 117–167, div. B, title II, § 10246(f), Aug. 9, 2022, 136 Stat. 1492, so as to provide for the prescription by the Secretary of Commerce of standards and guidelines pertaining to Federal information systems.

Citations & Metadata

Citation

6 U.S.C. § 1523