[House Report 115-910]
[From the U.S. Government Publishing Office]
115th Congress, 2d Session
HOUSE OF REPRESENTATIVES
Report 115-910
======================================================================
ADVANCING CYBERSECURITY DIAGNOSTICS AND MITIGATION ACT
_______
August 28, 2018.--Committed to the Committee of the Whole House on the
State of the Union and ordered to be printed
_______
Mr. McCaul, from the Committee on Homeland Security, submitted the
following
R E P O R T
[To accompany H.R. 6443]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security, to whom was referred
the bill (H.R. 6443) to amend the Homeland Security Act of 2002
to authorize the Secretary of Homeland Security to establish a
continuous diagnostics and mitigation program at the Department
of Homeland Security, and for other purposes, having considered
the same, report favorably thereon with an amendment and
recommend that the bill as amended do pass.
CONTENTS
Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
New Budget Authority, Entitlement Authority, and Tax Expenditures
Congressional Budget Office Estimate
Statement of General Performance Goals and Objectives
Duplicative Federal Programs
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits
Federal Mandates Statement
Preemption Clarification
Disclosure of Directed Rule Makings
Advisory Committee Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation
Changes in Existing Law Made by the Bill, as Reported
The amendment is as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Advancing Cybersecurity Diagnostics
and Mitigation Act''.
SEC. 2. ESTABLISHMENT OF CONTINUOUS DIAGNOSTICS AND MITIGATION PROGRAM
IN DEPARTMENT OF HOMELAND SECURITY.
(a) In General.--Section 230 of the Homeland Security Act of 2002 (6
U.S.C. 151) is amended by adding at the end the following new
subsection:
``(g) Continuous Diagnostics and Mitigation.--
``(1) Program.--
``(A) In general.--The Secretary shall deploy,
operate, and maintain a continuous diagnostics and
mitigation program. Under such program, the Secretary
shall--
``(i) develop and provide the capability to
collect, analyze, and visualize information
relating to security data and cybersecurity
risks;
``(ii) make program capabilities available
for use, with or without reimbursement;
``(iii) employ shared services, collective
purchasing, blanket purchase agreements, and
any other economic or procurement models the
Secretary determines appropriate to maximize
the costs savings associated with implementing
an information system;
``(iv) assist entities in setting information
security priorities and managing cybersecurity
risks; and
``(v) develop policies and procedures for
reporting systemic cybersecurity risks and
potential incidents based upon data collected
under such program.
``(B) Regular improvement.--The Secretary shall
regularly deploy new technologies and modify existing
technologies to the continuous diagnostics and
mitigation program required under subparagraph (A), as
appropriate, to improve the program.
``(2) Activities.--In carrying out the continuous diagnostics
and mitigation program under paragraph (1), the Secretary shall
ensure, to the extent practicable, that--
``(A) timely, actionable, and relevant cybersecurity
risk information, assessments, and analysis are
provided in real time;
``(B) share the analysis and products developed under
such program;
``(C) all information, assessments, analyses, and raw
data under such program is made available to the
national cybersecurity and communications integration
center of the Department; and
``(D) provide regular reports on cybersecurity
risks.''.
(b) Continuous Diagnostics and Mitigation Strategy.--
(1) In general.--Not later than 180 days after the date of
the enactment of this Act, the Secretary of Homeland Security
shall develop a comprehensive continuous diagnostics and
mitigation strategy to carry out the continuous diagnostics and
mitigation program required under subsection (g) of section 230
of such Act, as added by subsection (a).
(2) Scope.--The strategy required under paragraph (1) shall
include the following:
(A) A description of the continuous diagnostics and
mitigation program, including efforts by the Secretary
of Homeland Security to assist with the deployment of
program tools, capabilities, and services, from the
inception of the program referred to in paragraph (1)
to the date of the enactment of this Act.
(B) A description of the coordination required to
deploy, install, and maintain the tools, capabilities,
and services that the Secretary of Homeland Security
determines to be necessary to satisfy the requirements
of such program.
(C) A description of any obstacles facing the
deployment, installation, and maintenance of tools,
capabilities, and services under such program.
(D) Recommendations and guidelines to help maintain
and continuously upgrade tools, capabilities, and
services provided under such program.
(E) Recommendations for using the data collected by
such program for creating a common framework for data
analytics, visualization of enterprise-wide risks, and
real-time reporting.
(F) Recommendations for future efforts and
activities, including for the rollout of new tools,
capabilities and services, proposed timelines for
delivery, and whether to continue the use of phased
rollout plans, related to securing networks, devices,
data, and information technology assets through the use
of such program.
(3) Form.--The strategy required under subparagraph (A) shall
be submitted in an unclassified form, but may contain a
classified annex.
(c) Report.--Not later than 90 days after the development of the
strategy required under subsection (b), the Secretary of Homeland
Security shall submit to the Committee on Homeland Security and
Governmental Affairs of the Senate and the Committee on Homeland
Security of the House of Representative a report on cybersecurity risk
posture based on the data collected through the continuous diagnostics
and mitigation program under subsection (g) of section 230 of the
Homeland Security Act of 2002, as added by subsection (a).
Purpose and Summary
H.R. 6443, the ``Advancing Cybersecurity Diagnostics and
Mitigation Act,'' codifies and defines the activities of the
continuous diagnostics and mitigation (CDM) program at the
Department of Homeland Security (DHS). The bill requires the
Secretary of Homeland Security to deploy, operate, and maintain
the CDM program, developing and providing capabilities to
collect, analyze, and visualize information related to security
data and cybersecurity risk. H.R. 6443 requires the Secretary
to make these capabilities available, with or without
reimbursement. The Secretary is also required to develop
policies and procedures for reporting systemic cybersecurity
risks and potential incidents based upon data collected under
CDM.
The bill requires the Secretary to regularly deploy new CDM
technologies and modify existing CDM capabilities to
continuously improve the program. H.R. 6443 also requires the
Secretary to ensure timely, actionable, and relevant
cybersecurity risk information, assessments, and analysis are
provided in real time while ensuring all raw data is made
available to the National Cybersecurity and Communications
Integration Center (NCCIC). Additionally, the bill requires DHS
to develop a strategy to ensure the program continues to evolve
and adjust to the changing cyber threat landscape and requires
the strategy to be shared with Congress.
Background and Need for Legislation
DHS's National Protection and Programs Directorate (NPPD)
is currently in the process of implementing a four-phase
rollout of CDM capabilities at participating federal agencies.
The CDM program office has been working with federal civilian
agencies and departments, including the 24 Chief Financial
Officer (CFO) Act agencies to deploy CDM functionality since
2013. To provide effective, near-real-time continuous monitoring
and mitigation, agencies and DHS will need not only to
implement all four phases and deploy CDM dashboards, but also
to evolve cybersecurity tools to address the growing threats the
federal enterprise faces.
CDM tools and data provide individual agencies with improved
visibility into, and understanding of, their systems and networks. The
CDM program also provides DHS with broad situational awareness
and places DHS in a strong position to leverage individual
agency data to identify, respond to, and mitigate cybersecurity
vulnerabilities and threats. In this way, DHS can utilize CDM
to consolidate some of the federal government's cybersecurity
responsibilities, allowing agencies to focus on the specific
and unique cybersecurity risks their agency is facing.
H.R. 6443 will codify the work of CDM to date, while
ensuring DHS continues to update CDM technologies to regularly
improve the program and develops a long-term strategy to
strengthen the future of the program.
Hearings
The Committee did not hold a hearing specifically on H.R.
6443. However, the Subcommittee on Cybersecurity and
Infrastructure Protection held a joint hearing with the
Subcommittee on Information Technology of the House Committee
on Oversight and Government Reform on January 17, 2018
entitled, ``CDM, the Future of Federal Cybersecurity'' to
understand the current state of the CDM program from the
perspective of stakeholders. Testimony was heard from Frank
Dimina, Area Vice President, Splunk; Dan Carayiannis, Public
Sector Director, RSA Archer; Gregg Mossburg, Senior Vice
President for Strategic Operations, CGI Federal; and A.R.
``Trey'' Hodgkins, III, Senior Vice President, Public Sector,
Information Technology Alliance for Public Sector.
The Subcommittee on Cybersecurity and Infrastructure
Protection held a hearing on March 20, 2018 entitled, ``CDM:
Government Perspectives on Security and Modernization'' to
explore the development, deployment, and utilization of the CDM
program by federal agencies. Testimony was heard from Max
Everett, Chief Information Officer, Department of Energy; Scott
Blackburn, Executive in Charge, Office of Information and
Technology, Department of Veterans Affairs; David Garcia, Chief
Information Officer, Office of Personnel Management; and Kevin
Cox, Program Manager, Continuous Diagnostics and Mitigation,
Office of Cybersecurity and Communications, National Protection
and Programs Directorate, Department of Homeland Security.
Committee Consideration
The Committee met on July 24, 2018, to consider H.R. 6443,
and ordered the measure to be reported to the House with a
favorable recommendation, as amended by Mr. Langevin. The
Committee took the following actions:
The following amendments were offered:
An Amendment by Mr. Langevin to the bill (#1); was accepted by
unanimous consent.
Consisting of the following amendments:
On page (5) in line (17), insert ``, including for the
rollout of new tools, capabilities and services, proposed
timelines for delivery, and whether to continue the use of
phased rollout plans,'' after ``activities''
Committee Votes
Clause 3(b) of rule XIII of the Rules of the House of
Representatives requires the Committee to list the recorded
votes on the motion to report legislation and amendments
thereto.
No recorded votes were requested during consideration of
H.R. 6443.
Committee Oversight Findings
Pursuant to clause 3(c)(1) of rule XIII of the Rules of the
House of Representatives, the Committee has held oversight
hearings and made findings that are reflected in this report.
New Budget Authority, Entitlement Authority, and Tax Expenditures
In compliance with clause 3(c)(2) of rule XIII of the Rules
of the House of Representatives, the Committee finds that H.R.
6443, the Advancing Cybersecurity Diagnostics and Mitigation
Act, would result in no new or increased budget authority,
entitlement authority, or tax expenditures or revenues.
Congressional Budget Office Estimate
The Committee adopts as its own the cost estimate prepared
by the Director of the Congressional Budget Office pursuant to
section 402 of the Congressional Budget Act of 1974.
U.S. Congress,
Congressional Budget Office,
Washington, DC, August 1, 2018.
Hon. Michael McCaul,
Chairman, Committee on Homeland Security,
House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for H.R. 6443, the
Advancing Cybersecurity Diagnostics and Mitigation Act.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is William Ma.
Sincerely,
Keith Hall,
Director.
Enclosure.
H.R. 6443--Advancing Cybersecurity Diagnostics and Mitigation Act
H.R. 6443 would require the Department of Homeland Security
(DHS) to deploy, operate, and maintain a continuous diagnostics
and mitigation (CDM) program to assist federal agencies to
improve the cybersecurity of their respective networks and
systems. Based on information from DHS, the department already
makes available to all federal agencies the capabilities
required in the bill; thus, the bill would codify in law
current activities.
H.R. 6443 also would require DHS, within 180 days of the
bill's enactment, to develop and submit to the Congress a
strategy to carry out the CDM program. Not later than 90 days
after developing that strategy, the bill also would require DHS
to submit a report to the Congress on the cybersecurity
strength of federal networks and systems based on the data
collected through the CDM program. Based on the cost of similar
activities, CBO estimates that preparing the strategy and
report would cost less than $500,000 over the 2019-2023 period;
such spending would be subject to the availability of
appropriated amounts.
Enacting H.R. 6443 would not affect direct spending or
revenues; therefore, pay-as-you-go procedures do not apply.
CBO estimates that enacting H.R. 6443 would not increase
net direct spending or on-budget deficits in any of the four
consecutive 10-year periods beginning in 2029.
H.R. 6443 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act.
The CBO staff contact for this estimate is William Ma. The
estimate was reviewed by Leo Lex, Deputy Assistant Director for
Budget Analysis.
Statement of General Performance Goals and Objectives
Pursuant to clause 3(c)(4) of rule XIII of the Rules of the
House of Representatives, H.R. 6443 contains the following
general performance goals and objectives, including outcome
related goals and objectives authorized.
H.R. 6443 requires the Secretary of Homeland Security to
provide House and Senate Homeland Security Committees a report
on cybersecurity risk posture based on the data collected
through the continuous diagnostics and mitigation program under
this bill.
Duplicative Federal Programs
Pursuant to clause 3(c) of rule XIII, the Committee finds
that H.R. 6443 does not contain any provision that establishes
or reauthorizes a program known to be duplicative of another
Federal program.
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff
Benefits
In compliance with rule XXI of the Rules of the House of
Representatives, this bill, as reported, contains no
congressional earmarks, limited tax benefits, or limited tariff
benefits as defined in clause 9(e), 9(f), or 9(g) of the rule
XXI.
Federal Mandates Statement
The Committee adopts as its own the estimate of Federal
mandates prepared by the Director of the Congressional Budget
Office pursuant to section 423 of the Unfunded Mandates Reform
Act.
Preemption Clarification
In compliance with section 423 of the Congressional Budget
Act of 1974, requiring the report of any Committee on a bill or
joint resolution to include a statement on the extent to which
the bill or joint resolution is intended to preempt State,
local, or Tribal law, the Committee finds that H.R. 6443 does
not preempt any State, local, or Tribal law.
Disclosure of Directed Rule Makings
The Committee estimates that H.R. 6443 would require no
directed rule makings.
Advisory Committee Statement
No advisory committees within the meaning of section 5(b)
of the Federal Advisory Committee Act were created by this
legislation.
Applicability to Legislative Branch
The Committee finds that the legislation does not relate to
the terms and conditions of employment or access to public
services or accommodations within the meaning of section
102(b)(3) of the Congressional Accountability Act.
Section-by-Section Analysis of the Legislation
Section 1. Short title
This section provides that this bill may be cited as the
``Advancing Cybersecurity Diagnostics and Mitigation Act''.
Sec. 2. Establishment of Continuous Diagnostics and Mitigation Program
in Department of Homeland Security
Section 2(a) amends the Homeland Security Act of 2002 in
Section 230 (6 U.S.C. 151), by creating a new subsection (g)
entitled ``Continuous Diagnostics and Mitigation.''
This section requires the Secretary to deploy, operate, and
maintain a continuous diagnostics and mitigation (CDM) program
that includes the capability to collect, analyze, and visualize
security data and cybersecurity risk information. The Committee
intends for agencies to make raw data and information
available to DHS to continue to support the efficacy and
accuracy of risk assessments based in whole or in part on the CDM
program.
This section requires the Secretary to make the CDM program
available to agencies, with or without reimbursement; to
leverage collective economic and procurement models to maximize
cost savings; to assist in setting information security
priorities and managing cybersecurity risk; and to develop
policies and procedures on reporting cybersecurity risks and
potential incidents.
This section defines the activities of CDM to produce
timely, actionable, and relevant cybersecurity risk
information, assessments and analysis in real time; to share
analysis and products with federal and non-Federal entities; to
ensure all information, assessments, analysis and raw data is
made available to the National Cybersecurity and Communications
Integration Center (NCCIC); and to provide regular reports on
cybersecurity risks.
Section 2(b) requires the Secretary to develop a
comprehensive strategy for the CDM program, consistent with the
purpose and activities established in this bill. The strategy
must include a description of the current state of the program,
how the program is being coordinated, a description of any
obstacles to fully establishing the CDM program,
recommendations for maintaining CDM capabilities and optimizing
the use of CDM data collected, and recommendations for future
activities. The strategy must be presented in an unclassified
form but may include a classified annex. The Committee intends
for the strategy to include recommendations that are applicable
to all federal agencies and departments, and for the strategy
to examine whether or not the capabilities of the program
should continue to be rolled out in phases or in some other
manner. The Committee intends for the strategy to address the
metrics necessary to measure the effectiveness of the CDM
program in reducing cybersecurity risks across the federal
enterprise.
This section requires the Secretary of Homeland Security to
produce a report to Congress on cybersecurity risk posture
based on the data collected through the CDM program. The
Committee intends for the report to address the cybersecurity
risk posture of the entire federal enterprise.
Changes in Existing Law Made by the Bill, as Reported
In compliance with clause 3(e) of rule XIII of the Rules of
the House of Representatives, changes in existing law made by
the bill, as reported, are shown as follows (new matter is
printed in italic and existing law in which no change is
proposed is shown in roman):
HOMELAND SECURITY ACT OF 2002
* * * * * * *
TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION
* * * * * * *
Subtitle C--Information Security
* * * * * * *
SEC. 230. FEDERAL INTRUSION DETECTION AND PREVENTION SYSTEM.
(a) Definitions.--In this section--
(1) the term ``agency'' has the meaning given the
term in section 3502 of title 44, United States Code;
(2) the term ``agency information'' means information
collected or maintained by or on behalf of an agency;
(3) the term ``agency information system'' has the
meaning given the term in section 228; and
(4) the terms ``cybersecurity risk'' and
``information system'' have the meanings given those
terms in section 227.
(b) Requirement.--
(1) In general.--Not later than 1 year after the date
of enactment of this section, the Secretary shall
deploy, operate, and maintain, to make available for
use by any agency, with or without reimbursement--
(A) a capability to detect cybersecurity
risks in network traffic transiting or
traveling to or from an agency information
system; and
(B) a capability to prevent network traffic
associated with such cybersecurity risks from
transiting or traveling to or from an agency
information system or modify such network
traffic to remove the cybersecurity risk.
(2) Regular improvement.--The Secretary shall
regularly deploy new technologies and modify existing
technologies to the intrusion detection and prevention
capabilities described in paragraph (1) as appropriate
to improve the intrusion detection and prevention
capabilities.
(c) Activities.--In carrying out subsection (b), the
Secretary--
(1) may access, and the head of an agency may
disclose to the Secretary or a private entity providing
assistance to the Secretary under paragraph (2),
information transiting or traveling to or from an
agency information system, regardless of the location
from which the Secretary or a private entity providing
assistance to the Secretary under paragraph (2)
accesses such information, notwithstanding any other
provision of law that would otherwise restrict or
prevent the head of an agency from disclosing such
information to the Secretary or a private entity
providing assistance to the Secretary under paragraph
(2);
(2) may enter into contracts or other agreements
with, or otherwise request and obtain the assistance
of, private entities to deploy, operate, and maintain
technologies in accordance with subsection (b);
(3) may retain, use, and disclose information
obtained through the conduct of activities authorized
under this section only to protect information and
information systems from cybersecurity risks;
(4) shall regularly assess through operational test
and evaluation in real world or simulated environments
available advanced protective technologies to improve
detection and prevention capabilities, including
commercial and noncommercial technologies and detection
technologies beyond signature-based detection, and
acquire, test, and deploy such technologies when
appropriate;
(5) shall establish a pilot through which the
Secretary may acquire, test, and deploy, as rapidly as
possible, technologies described in paragraph (4); and
(6) shall periodically update the privacy impact
assessment required under section 208(b) of the E-
Government Act of 2002 (44 U.S.C. 3501 note).
(d) Principles.--In carrying out subsection (b), the
Secretary shall ensure that--
(1) activities carried out under this section are
reasonably necessary for the purpose of protecting
agency information and agency information systems from
a cybersecurity risk;
(2) information accessed by the Secretary will be
retained no longer than reasonably necessary for the
purpose of protecting agency information and agency
information systems from a cybersecurity risk;
(3) notice has been provided to users of an agency
information system concerning access to communications
of users of the agency information system for the
purpose of protecting agency information and the agency
information system; and
(4) the activities are implemented pursuant to
policies and procedures governing the operation of the
intrusion detection and prevention capabilities.
(e) Private Entities.--
(1) Conditions.--A private entity described in
subsection (c)(2) may not--
(A) disclose any network traffic transiting
or traveling to or from an agency information
system to any entity other than the Department
or the agency that disclosed the information
under subsection (c)(1), including personal
information of a specific individual or
information that identifies a specific
individual not directly related to a
cybersecurity risk; or
(B) use any network traffic transiting or
traveling to or from an agency information
system to which the private entity gains access
in accordance with this section for any purpose
other than to protect agency information and
agency information systems against
cybersecurity risks or to administer a contract
or other agreement entered into pursuant to
subsection (c)(2) or as part of another
contract with the Secretary.
(2) Limitation on liability.--No cause of action
shall lie in any court against a private entity for
assistance provided to the Secretary in accordance with
this section and any contract or agreement entered into
pursuant to subsection (c)(2).
(3) Rule of construction.--Nothing in paragraph (2)
shall be construed to authorize an Internet service
provider to break a user agreement with a customer
without the consent of the customer.
(f) Privacy Officer Review.--Not later than 1 year after the
date of enactment of this section, the Privacy Officer
appointed under section 222, in consultation with the Attorney
General, shall review the policies and guidelines for the
program carried out under this section to ensure that the
policies and guidelines are consistent with applicable privacy
laws, including those governing the acquisition, interception,
retention, use, and disclosure of communications.
(g) Continuous Diagnostics and Mitigation.--
(1) Program.--
(A) In general.--The Secretary shall deploy,
operate, and maintain a continuous diagnostics
and mitigation program. Under such program, the
Secretary shall--
(i) develop and provide the
capability to collect, analyze, and
visualize information relating to
security data and cybersecurity risks;
(ii) make program capabilities
available for use, with or without
reimbursement;
(iii) employ shared services,
collective purchasing, blanket purchase
agreements, and any other economic or
procurement models the Secretary
determines appropriate to maximize the
costs savings associated with
implementing an information system;
(iv) assist entities in setting
information security priorities and
managing cybersecurity risks; and
(v) develop policies and procedures
for reporting systemic cybersecurity
risks and potential incidents based
upon data collected under such program.
(B) Regular improvement.--The Secretary shall
regularly deploy new technologies and modify
existing technologies to the continuous
diagnostics and mitigation program required
under subparagraph (A), as appropriate, to
improve the program.
(2) Activities.--In carrying out the continuous
diagnostics and mitigation program under paragraph (1),
the Secretary shall ensure, to the extent practicable,
that--
(A) timely, actionable, and relevant
cybersecurity risk information, assessments,
and analysis are provided in real time;
(B) share the analysis and products developed
under such program;
(C) all information, assessments, analyses,
and raw data under such program is made
available to the national cybersecurity and
communications integration center of the
Department; and
(D) provide regular reports on cybersecurity
risks.
* * * * * * *