[House Report 113-562]
[From the U.S. Government Publishing Office]
113th Congress Report
HOUSE OF REPRESENTATIVES
2d Session 113-562
======================================================================
SAFE AND SECURE FEDERAL WEBSITES ACT OF 2014
_______
July 28, 2014.--Committed to the Committee of the Whole House on the
State of the Union and ordered to be printed
_______
Mr. Issa, from the Committee on Oversight and Government Reform,
submitted the following
R E P O R T
[To accompany H.R. 3635]
[Including cost estimate of the Congressional Budget Office]
The Committee on Oversight and Government Reform, to whom
was referred the bill (H.R. 3635) to ensure the functionality
and security of new Federal websites that collect personally
identifiable information, and for other purposes, having
considered the same, report favorably thereon with an amendment
and recommend that the bill as amended do pass.
CONTENTS
Page
Committee Statement and Views.................................... 3
Section-by-Section............................................... 5
Explanation of Amendments........................................ 6
Committee Consideration.......................................... 6
Application of Law to the Legislative Branch..................... 6
Statement of Oversight Findings and Recommendations of the
Committee...................................................... 6
Statement of General Performance Goals and Objectives............ 6
Duplication of Federal Programs.................................. 6
Disclosure of Directed Rule Makings.............................. 6
Federal Advisory Committee Act................................... 7
Unfunded Mandate Statement....................................... 7
Earmark Identification........................................... 7
Committee Estimate............................................... 7
Budget Authority and Congressional Budget Office Cost Estimate... 7
Changes in Existing Law Made by the Bill as Reported............. 8
The amendment is as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Safe and Secure Federal Websites Act
of 2014''.
SEC. 2. ENSURING FUNCTIONALITY AND SECURITY OF NEW FEDERAL WEBSITES
THAT COLLECT PERSONALLY IDENTIFIABLE INFORMATION.
(a) Certification Requirement.--
(1) In general.--Except as otherwise provided under this
subsection, an agency may not deploy or make available to the
public a new Federal PII website until the date on which the
chief information officer of the agency submits a certification
to Congress that the website is fully functional and secure.
(2) Transition.--In the case of a new Federal PII website
that is operational on the date of the enactment of this Act,
paragraph (1) shall not apply until the end of the 90-day
period beginning on such date of enactment. If the
certification required under paragraph (1) for such website has
not been submitted to Congress before the end of such period,
the head of the responsible agency shall render the website
inaccessible to the public until such certification is
submitted to Congress.
(3) Exception for beta website with explicit permission.--
Paragraph (1) shall not apply to a website (or portion thereof)
that is in a development or testing phase, if the following
conditions are met:
(A) A member of the public may access PII-related
portions of the website only after executing an
agreement that acknowledges the risks involved.
(B) No agency compelled, enjoined, or otherwise
provided incentives for such a member to access the
website for such purposes.
(4) Construction.--Nothing in this section shall be construed
as applying to a website that is operated entirely by an entity
(such as a State or locality) that is independent of the
Federal Government, regardless of the receipt of funding in
support of such website from the Federal Government.
(b) Definitions.--In this section:
(1) Agency.--The term ``agency'' has the meaning given that
term under section 551 of title 5, United States Code.
(2) Fully functional.--The term ``fully functional'' means,
with respect to a new Federal PII website, that the website can
fully support the activities for which it is designed or
intended with regard to the eliciting, collection, storage, or
maintenance of personally identifiable information, including
handling a volume of queries relating to such information
commensurate with the purpose for which the website is
designed.
(3) New federal personally identifiable information website
(new federal pii website).--The terms ``new Federal personally
identifiable information website'' and ``new Federal PII
website'' mean a website that--
(A) is operated by (or under a contract with) an
agency;
(B) elicits, collects, stores, or maintains
personally identifiable information of individuals and
is accessible to the public; and
(C) is first made accessible to the public and
collects or stores personally identifiable information
of individuals, on or after October 1, 2012.
(4) Operational.--The term ``operational'' means, with
respect to a website, that such website elicits, collects,
stores, or maintains personally identifiable information of
members of the public and is accessible to the public.
(5) Personally identifiable information (pii).--The terms
``personally identifiable information'' and ``PII'' mean any
information about an individual elicited, collected, stored, or
maintained by an agency, including--
(A) any information that can be used to distinguish
or trace the identity of an individual, such as a name,
a social security number, a date and place of birth, a
mother's maiden name, or biometric records; and
(B) any other information that is linked or linkable
to an individual, such as medical, educational,
financial, and employment information.
(6) Responsible agency.--The term ``responsible agency''
means, with respect to a new Federal PII website, the agency
that is responsible for the operation (whether directly or
through contracts with other entities) of the website.
(7) Secure.--The term ``secure'' means, with respect to a new
Federal PII website, that the following requirements are met:
(A) The website is in compliance with subchapter III
of chapter 35 of title 44, United States Code.
(B) The website ensures that personally identifiable
information elicited, collected, stored, or maintained
in connection with the website is captured at the
latest possible step in a user input sequence.
(C) The responsible agency for the website has taken
reasonable efforts to minimize domain name confusion,
including through additional domain registrations.
(D) The responsible agency requires all personnel who
have access to personally identifiable information in
connection with the website to have completed a
Standard Form 85P and signed a non-disclosure agreement
with respect to personally identifiable information,
and the agency takes proper precautions to ensure only
trustworthy persons may access such information.
(E) The responsible agency maintains (either directly
or through contract) sufficient personnel to respond in
a timely manner to issues relating to the proper
functioning and security of the website, and to monitor
on an ongoing basis existing and emerging security
threats to the website.
(8) State.--The term ``State'' means each State of the United
States, the District of Columbia, each territory or possession
of the United States, and each federally recognized Indian
tribe.
SEC. 3. PRIVACY BREACH REQUIREMENTS.
(a) Information Security Amendment.--Subchapter III of chapter 35 of
title 44, United States Code, is amended by adding at the end the
following:
``Sec. 3550. Privacy breach requirements
``(a) Policies and Procedures.--The Director of the Office of
Management and Budget shall establish and oversee policies and
procedures for agencies to follow in the event of a breach of
information security involving the disclosure of personally
identifiable information, including requirements for--
``(1) not later than 72 hours after the agency discovers such
a breach, or discovers evidence that reasonably indicates such
a breach has occurred, notice to the individuals whose
personally identifiable information could be compromised as a
result of such breach;
``(2) timely reporting to a Federal cybersecurity center, as
designated by the Director of the Office of Management and
Budget; and
``(3) any additional actions that the Director finds
necessary and appropriate, including data breach analysis,
fraud resolution services, identity theft insurance, and credit
protection or monitoring services.
``(b) Required Agency Action.--The head of each agency shall ensure
that actions taken in response to a breach of information security
involving the disclosure of personally identifiable information under
the authority or control of the agency comply with policies and
procedures established by the Director of the Office of Management and
Budget under subsection (a).
``(c) Report.--Not later than March 1 of each year, the Director of
the Office of Management and Budget shall report to Congress on agency
compliance with the policies and procedures established under
subsection (a).
``(d) Federal Cybersecurity Center Defined.--The term `Federal
cybersecurity center' means any of the following:
``(1) The Department of Defense Cyber Crime Center.
``(2) The Intelligence Community Incident Response Center.
``(3) The United States Cyber Command Joint Operations
Center.
``(4) The National Cyber Investigative Joint Task Force.
``(5) Central Security Service Threat Operations Center of
the National Security Agency.
``(6) The United States Computer Emergency Readiness Team.
``(7) Any successor to a center, team, or task force
described in paragraphs (1) through (6).
``(8) Any center that the Director of the Office of
Management and Budget determines is appropriate to carry out
the requirements of this section.''.
(b) Technical and Conforming Amendment.--The table of sections for
subchapter III of chapter 35 of title 44, United States Code, is
amended by adding at the end the following:
``3550. Privacy breach requirements.''.
Committee Statement and Views
PURPOSE AND SUMMARY
H.R. 3635, the Safe and Secure Federal Websites Act of
2014, will help ensure the functionality and security of
federal websites, giving individuals confidence that their
privacy and personal information is secure. The bill guards
against the loss of the public's trust by requiring agency
chief information officers to certify that federal websites
collecting personally identifiable information are fully
functional and secure. In addition, the bill requires agencies
to notify affected individuals that their personally
identifiable information may have been compromised within 72
hours of a known or suspected data breach.
BACKGROUND AND NEED FOR LEGISLATION
2013 marked a year of high-profile data breaches. From data
breaches at Target, one of the nation's largest retail chains,
to Neiman Marcus, a high-end department store chain, the public
is now more aware than ever of the potential severity and
consequences of such occurrences.\1\ Other widely publicized
data breaches at federal agencies in recent years include the
Federal Retirement Thrift Investment Board (2012), the Federal
Aviation Administration (2009), and the Department of Veterans
Affairs (2006).\2\ The loss of public trust resulting from
large scale data breaches is damaging to the economy and the
overall fabric and spirit of our country. The public should
feel confident and secure in knowing that their personal
information is protected by businesses and especially by the
government who serves them.
---------------------------------------------------------------------------
\1\Senate Judiciary Committee hearing: Privacy in the Digital Age:
Preventing Data Breaches and Combating Cybercrime. February 4, 2014.
http://www.judiciary.senate.gov/meetings/privacy-in-the-digital-age-
preventing-data-breaches-and-combating-cybercrime.
\2\The Federal Retirement Thrift Investment Board data breach was
the subject of a Senate Committee on Homeland Security & Governmental
Affairs (Subcommittee on Oversight of Government Management, the
Federal Workforce and the District of Columbia) hearing: State of
Federal Privacy and Data Security Law: Lagging Behind the Times? July
31, 2012. http://www.hsgac.senate.gov/subcommittees/oversight-of-
government-management/hearings/state-of-federal-privacy-and-data-
security-law-lagging-behind-the-times.
The Federal Aviation Administration issued a press release on
February 9, 2009 about its data breach: Press Release--FAA Notifies
Employees of Personal Identity Breach. http://www.faa.gov/news/
press_releases/news_story.cfm?newsId=10394.
Department of Veterans Affairs Office of Inspector General, Review
of Issues Related to the Loss of VA Information Involving the Identity
of Millions of Veterans, Report No. 06-02238-163 (Washington, D.C.:
July 11, 2006).
---------------------------------------------------------------------------
Ensuring website security is especially important in an era
where the federal government increasingly relies on technology
to conduct its work more efficiently. Balancing the desire to
strive for technological advancements with the need to
constantly monitor and neutralize cyber threats and
vulnerabilities is vital. The federal government should be ever
vigilant in working to regain and maintain the public's trust.
The ``Safe and Secure Federal Websites Act of 2014'' is a major
step in reestablishing that trust.
This act requires, among other things, the Director of the
Office of Management and Budget (OMB) to establish and oversee
policies and procedures for agencies to follow in the event of
a breach of information security involving the disclosure of
personally identifiable information. This includes establishing
requirements for the timely notification of individuals
affected; timely reporting of the compromise to a federal cyber
security center; and any additional actions the Director deems
necessary and appropriate. These actions can include data
breach analysis, fraud resolution services, identity theft
insurance, and credit protection or monitoring services.
Further, OMB is required to report to Congress on its oversight
of agencies implementation of its policies. In a December 2013
report, GAO found that agency responses to breaches of
personally identifiable information were inconsistent and
recommended that OMB update its guidance on federal agencies'
response to data breach.\3\ Though OMB previously issued five
memoranda to advise agencies on proper protocols, GAO found the
guidance to be incomplete thus contributing to agencies'
inconsistent implementation.\4\ Adopting the ``Safe and Secure
Federal Websites Act of 2014'' will help remedy the problem of
data breach.
---------------------------------------------------------------------------
\3\GAO, Information Security: Agency Responses to Breaches of
Personally Identifiable Information Need to Be More Consistent, GAO-14-
34 (Washington, D.C.: Dec. 9, 2013).
\4\OMB, Safeguarding Against and Responding to the Breach of
Personally Identifiable Information, M-07-16 (May 22, 2007); OMB, Use
of Commercial Credit Monitoring Services Blanket Purchase Agreements,
M-07-04 (Washington, D.C.: Dec. 22, 2006); OMB, Recommendations for
Identity Theft Related Data Breach Notification (Washington, D.C.:
Sept. 20, 2006); OMB, Reporting Incidents Involving Personally
Identifiable Information and Incorporating the Cost for Security in
Agency Information Technology Investments, M-06-19 (July 12, 2006); and
OMB, Safeguarding Personally Identifiable Information, M-06-15
(Washington, D.C.: May 22, 2006.
---------------------------------------------------------------------------
Section-by-Section
Section 1. Short title
The short title of the bill is the ``Safe and Secure
Federal Websites Act of 2014.''
Section 2. Ensuring functionality and security of new federal websites
that collect personally identifiable information
Federal agency chief information officers must certify to
Congress the functionality and security of new (or
substantially modified) agency websites that collect personally
identifiable information. The bill applies to websites created
(or substantially modified) on or after October 1, 2012, and
requires agency chief information officers to submit
certifications within 90 days for websites operational on the
date of enactment. Agency heads must render inaccessible each
website that is not certified before the end of the
certification period established in the bill. An exception is
made for beta websites.
Under the bill, certification as a ``fully functional''
website means the website can fully support the activities for
which it is designed, including the collection, storage, and
maintenance of personally identifiable information.
Under the bill, certification as a ``secure'' website means
the website complies with the Federal Information Security
Management Act (FISMA); the host agency has taken steps to
minimize domain name confusion; personally identifiable
information is captured at the latest possible step in the data
collection sequence; individuals who have access to personally
identifiable information have completed public trust
questionnaire and signed a non-disclosure agreement; and the
agency maintains sufficient personnel to respond in a timely
manner to issues related to proper functioning and security of
the website, including emerging security threats.
The bill uses a definition developed by the National
Institute of Standards and Technology (Special Publication 800-
122) to describe personally identifiable information.
Section 3. Privacy breach requirements
The Director of the Office of Management and Budget shall
establish and oversee policies and procedures for agencies to
follow in the event of a breach of information security
involving the disclosure of personally identifiable
information. Notice must be given to individuals whose
personally identifiable information could be compromised within
72 hours of the agency discovering a breach or discovering
evidence that reasonably indicates occurrence of a breach.
The Director of the Office of Management and Budget must
annually report to Congress by March 1 of each year on agency
compliance with the breach notification procedures.
Explanation of Amendments
The provisions of the adopted amendments are explained in
this report.
Committee Consideration
On March 12, 2014, the Committee met in open session and
ordered reported favorably the bill, H.R. 3635, as amended, by
voice vote, a quorum being present.
Application of Law to the Legislative Branch
Section 102(b)(3) of Public Law 104-1 requires a
description of the application of this bill to the legislative
branch where the bill relates to the terms and conditions of
employment or access to public services and accommodations.
This bill requires agencies to notify affected individuals that
their personally identifiable information may have been
compromised within 72 hours of a known or suspected data
breach. As such this bill does not relate to employment or
access to public services and accommodations.
Statement of Oversight Findings and Recommendations of the Committee
In compliance with clause 3(c)(1) of rule XIII and clause
2(b)(1) of rule X of the Rules of the House of Representatives,
the Committee's oversight findings and recommendations are
reflected in the descriptive portions of this report.
Statement of General Performance Goals and Objectives
In accordance with clause 3(c)(4) of rule XIII of the Rules
of the House of Representatives, the Committee's performance
goals and objectives are reflected in the descriptive portions
of this report.
Duplication of Federal Programs
No provision of H.R. 3635 establishes or reauthorizes a
program of the Federal Government known to be duplicative of
another Federal program, a program that was included in any
report from the Government Accountability Office to Congress
pursuant to section 21 of Public Law 111-139, or a program
related to a program identified in the most recent Catalog of
Federal Domestic Assistance.
Disclosure of Directed Rule Makings
H.R. 3635 requires the Director of the Office of Management
and Budget to establish policies and procedures for agencies to
follow in the event of a breach of information security
involving the disclosure of personally identifiable
information.
Federal Advisory Committee Act
The Committee finds that the legislation does not establish
or authorize the establishment of an advisory committee within
the definition of 5 U.S.C. App., Section 5(b).
Unfunded Mandate Statement
Section 423 of the Congressional Budget and Impoundment
Control Act (as amended by Section 101(a)(2) of the Unfunded
Mandates Reform Act, P.L. 104-4) requires a statement as to
whether the provisions of the reported include unfunded
mandates. In compliance with this requirement the Committee has
received a letter from the Congressional Budget Office included
herein.
Earmark Identification
H.R. 3635 does not include any congressional earmarks,
limited tax benefits, or limited tariff benefits as defined in
clause 9 of rule XXI.
Committee Estimate
Clause 3(d)(2) of rule XIII of the Rules of the House of
Representatives requires an estimate and a comparison by the
Committee of the costs that would be incurred in carrying out
H.R. 3635. However, clause 3(d)(3)(B) of that rule provides
that this requirement does not apply when the Committee has
included in its report a timely submitted cost estimate of the
bill prepared by the Director of the Congressional Budget
Office under section 402 of the Congressional Budget Act.
Budget Authority and Congressional Budget Office Cost Estimate
With respect to the requirements of clause 3(c)(2) of rule
XIII of the Rules of the House of Representatives and section
308(a) of the Congressional Budget Act of 1974 and with respect
to requirements of clause (3)(c)(3) of rule XIII of the Rules
of the House of Representatives and section 402 of the
Congressional Budget Act of 1974, the Committee has received
the following cost estimate for H.R. 3635 from the Director of
Congressional Budget Office:
April 22, 2014.
Hon. Darrell Issa,
Chairman, Committee on Oversight and Government Reform,
House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for H.R. 3635, the Safe and
Secure Federal Websites Act of 2014.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Matthew
Pickford.
Sincerely,
Douglas W. Elmendorf.
Enclosure.
H.R. 3635--Safe and Secure Federal Websites Act of 2014
CBO estimates that enacting H.R. 3635 would have no
significant effect on the federal budget. The legislation would
amend federal laws that protect the privacy of personally
identifiable information collected by the government.
Personally identifiable information includes any information
that identifies an individual such as name, Social Security
number, and medical or financial records. The legislation would
prohibit an agency from deploying a new website until the
agency's Chief Information Officer certifies that all such
information is safe and secure. Existing federal websites would
have 90 days following enactment of H.R. 3635 to comply with
this requirement. The legislation also would require the Office
of Management and Budget (OMB) to issue policies and procedures
for agencies to follow in the event of a security breach of a
federal data system that contains personally identifiable
information.
No single federal law or regulation governs the security of
all types of sensitive personal information collected by
federal agencies. The Federal Information Security Management
Act requires each federal agency to develop, document, and
implement an agencywide security program for sensitive
information. The Privacy Act of 1974 governs the collection,
use, and dissemination by federal agencies of personal records.
OMB's ``Breach Notification Policy'' requires all agencies to
implement a policy to safeguard personally identifiable
information and to provide notification of a security breach.
Because those laws and policies regarding the security of
personally identifiable information are already in place, CBO
estimates that the cost of certifying the safety of information
collected by federal websites would be less than $500,000 over
the next five years. Enacting the bill could affect direct
spending by agencies not funded through annual appropriations;
therefore, pay-as-you-go procedures apply. CBO estimates,
however, that any net change in spending by those agencies
would be negligible. Enacting the bill would not affect
revenues.
H.R. 3635 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act and
would impose no costs on state, local, or tribal governments.
The CBO staff contact for this estimate is Matthew
Pickford. The estimate was approved by Theresa Gullo, Deputy
Assistant Director for Budget Analysis.
Changes in Existing Law Made by the Bill, as Reported
In compliance with clause 3(e) of rule XIII of the Rules of
the House of Representatives, changes in existing law made by
the bill, as reported, are shown as follows (new matter is
printed in italic and existing law in which no change is
proposed is shown in roman):
TITLE 44, UNITED STATES CODE
* * * * * * *
CHAPTER 35--COORDINATION OF FEDERAL INFORMATION POLICY
SUBCHAPTER I--FEDERAL INFORMATION POLICY
Sec.
3501. Purposes.
* * * * * * *
SUBCHAPTER III--INFORMATION SECURITY
* * * * * * *
3550. Privacy breach requirements.
* * * * * * *
SUBCHAPTER III--INFORMATION SECURITY
* * * * * * *
Sec. 3550. Privacy breach requirements
(a) Policies and Procedures.--The Director of the Office of
Management and Budget shall establish and oversee policies and
procedures for agencies to follow in the event of a breach of
information security involving the disclosure of personally
identifiable information, including requirements for--
(1) not later than 72 hours after the agency
discovers such a breach, or discovers evidence that
reasonably indicates such a breach has occurred, notice
to the individuals whose personally identifiable
information could be compromised as a result of such
breach;
(2) timely reporting to a Federal cybersecurity
center, as designated by the Director of the Office of
Management and Budget; and
(3) any additional actions that the Director finds
necessary and appropriate, including data breach
analysis, fraud resolution services, identity theft
insurance, and credit protection or monitoring
services.
(b) Required Agency Action.--The head of each agency shall
ensure that actions taken in response to a breach of
information security involving the disclosure of personally
identifiable information under the authority or control of the
agency comply with policies and procedures established by the
Director of the Office of Management and Budget under
subsection (a).
(c) Report.--Not later than March 1 of each year, the
Director of the Office of Management and Budget shall report to
Congress on agency compliance with the policies and procedures
established under subsection (a).
(d) Federal Cybersecurity Center Defined.--The term ``Federal
cybersecurity center'' means any of the following:
(1) The Department of Defense Cyber Crime Center.
(2) The Intelligence Community Incident Response
Center.
(3) The United States Cyber Command Joint Operations
Center.
(4) The National Cyber Investigative Joint Task
Force.
(5) Central Security Service Threat Operations Center
of the National Security Agency.
(6) The United States Computer Emergency Readiness
Team.
(7) Any successor to a center, team, or task force
described in paragraphs (1) through (6).
(8) Any center that the Director of the Office of
Management and Budget determines is appropriate to
carry out the requirements of this section.
* * * * * * *
�