[Senate Report 113-256]
[From the U.S. Government Publishing Office]
113th Congress, 2d Session, Senate Report 113-256
_______________________________________________________________________
Calendar No. 564
FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 2521
TO AMEND CHAPTER 35 OF TITLE 44, UNITED STATES CODE, TO PROVIDE FOR
REFORM TO FEDERAL INFORMATION SECURITY
September 15, 2014.--Ordered to be printed
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
THOMAS R. CARPER, Delaware Chairman
CARL LEVIN, Michigan                    TOM COBURN, Oklahoma
MARK L. PRYOR, Arkansas                 JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana             RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri              ROB PORTMAN, Ohio
JON TESTER, Montana                     RAND PAUL, Kentucky
MARK BEGICH, Alaska                     MICHAEL B. ENZI, Wyoming
TAMMY BALDWIN, Wisconsin                KELLY AYOTTE, New Hampshire
HEIDI HEITKAMP, North Dakota
Gabrielle A. Batkin, Staff Director
John P. Kilvington, Deputy Staff Director
Mary Beth Schultz, Chief Counsel
Stephen R. Vina, Chief Counsel for Homeland Security
Matthew R. Grote, Senior Professional Staff Member
Keith B. Ashdown, Minority Staff Director
Christopher J. Barkley, Minority Deputy Staff Director
Andrew C. Dockham, Minority Chief Counsel
Daniel P. Lips, Minority Director of Homeland Security
Justin Rood, Minority Director of Investigations
William H.W. McKenna, Minority Investigative Counsel
Laura W. Kilbride, Chief Clerk
Mr. Carper, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 2521]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 2521), to amend
chapter 35 of title 44, United States Code, to provide for
reform to Federal information security, having considered the
same, reports favorably thereon without amendment and
recommends that the bill do pass.
CONTENTS
I. Purpose and Summary
II. Background and Need for the Legislation
III. Legislative History
IV. Section-by-Section Analysis
V. Evaluation of Regulatory Impact
VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported
I. Purpose and Summary
S. 2521, the Federal Information Security Modernization
Act, aims to strengthen the security of federal computer
networks and information systems by updating the Federal
Information Security Management Act of 2002. Specifically, it
would: (1) clarify the roles and responsibilities of the Office
of Management and Budget (OMB) and the Department of Homeland
Security (DHS) to ensure that the statute appropriately
reflects each agency's current functions, as well as their
respective expertise and resources; (2) improve security by
transitioning agencies away from paperwork requirements toward
a more automated and continuous security posture; and (3)
strengthen transparency and accountability including by making
important improvements to the way federal data breaches are
managed and reported to Congress and the public.
II. Background and the Need for Legislation
In 2002, President Bush signed into law the Federal
Information Security Management Act of 2002 (FISMA), which
built on existing information security laws,\1\ to ``provide a
comprehensive framework for ensuring the effectiveness of
information security controls over information resources that
support Federal operations and assets.''\2\ This law aimed to
protect all information and information systems held by or on
behalf of Federal agencies from unauthorized access, use,
disclosure, disruption, modification, or destruction. Under
FISMA, a number of different federal agencies play a variety of
roles in implementing the law's framework. For example, the
National Institute of Standards and Technology (NIST) develops
minimum security standards for federal information and
information systems (other than national security systems).\3\
Agencies, through the Chief Information Officers and system
owners, were required to establish information security
programs with specific elements, implement minimum system
security standards, and report to OMB and Congress on
implementation progress. FISMA gave OMB the role of overseeing
and enforcing agency compliance with the law and security
standards. Finally, the bill required Inspectors General to
audit agencies' compliance with the law annually, and
Government Accountability Office to periodically review the
effectiveness of the overall framework.
---------------------------------------------------------------------------
\1\For example, the Computer Security Act of 1987 established
government-wide mandatory standards for computer security developed by
the National Institute of Standards and Technology (NIST) and required
certain security plans and training; see Public Law No. 100-235 (H.R.
145), (Jan. 8, 1988).
\2\See 44 U.S.C. chapter 35; 44 U.S.C. Sec. 3541.
\3\NIST received this charge in the Computer Security Act of 1987;
See Public Law No. 100-235 (H.R. 145), (Jan. 8, 1988).
---------------------------------------------------------------------------
Since the passage of FISMA, agencies have made progress in
setting up consistent information security programs across
government. Unfortunately, however, they have not kept up with
the cyber threat that has grown even faster and larger than
Congress could have foreseen in 2002. Over the past two
decades, the growth of the Internet and the country's
increasing use of interconnected networks to conduct its
business has led to significant economic growth and innovation.
However, this ever-increasing reliance upon the Internet has
also unintentionally enabled new threats to develop. Indeed,
Federal Bureau of Investigation Director James Comey testified
before the Homeland Security and Governmental Affairs Committee
that he agreed with former Director Robert Mueller's
assessment that within the next ten years cyber threats would
surpass the threat from foreign terrorists to the United
States.\4\
---------------------------------------------------------------------------
\4\See ``Threats to the Homeland'' hearing, Committee on Homeland
Security and Governmental Affairs, U.S. Senate, November 14, 2013.
---------------------------------------------------------------------------
Criminals, terrorists, and state actors have repeatedly
shown their interest in attacking the computer networks that
run so much of our economy, and have made clear that government
systems are also in their sights.\5\ For example, in 2011, the
Thrift Savings Plan (TSP), the retirement savings and
investment plan used by millions of federal employees and
members of the uniformed services, suffered a data security
breach, allowing unauthorized access to the personal
information of approximately 123,000 TSP participants.\6\ And,
in 2013, malicious actors broke into the computer network at
the Department of Energy's Washington headquarters and
compromised the personal information of hundreds of
employees.\7\ The Government Accountability Office has written
that from 2006 to 2012, ``the number of incidents reported by
federal agencies to the U.S. Computer Emergency Readiness
Team\8\ (US-CERT) has increased from 5,503 in fiscal year 2006
to 48,562 incidents in fiscal year 2012, an increase of 782
percent.''\9\
---------------------------------------------------------------------------
\5\Some actors in cyberspace also seek to disrupt or destroy
computer systems, including those that control some of our nation's
critical infrastructure--the systems that deliver power and water to
our homes, our energy pipelines, our nuclear plants and our
telecommunications systems. In Saudi Arabia, for example, a cyber
attack against Saudi Aramco, one of the world's largest oil companies,
damaged 30,000 computers on the company's network. See Worldwide Threat
Assessment of the US Intelligence Community, Hearing before the House
Permanent Select Committee on Intelligence, Written Statement of James
R. Clapper, Director of National Intelligence (April 11, 2013). To
date, there has been no similarly damaging cyber attack with physical
effects to critical infrastructure in the United States. However, in
2013, major financial institutions were targeted by repeated ``denial-
of-service'' cyber attacks, which attempted to disrupt the performance
of company websites by flooding them with internet traffic. Id.
\6\See Federal Retirement Thrift Investment Board, Press Release,
``Federal Retirement Thrift Investment Board Reports a Cyber Attack on
a Contractor Potentially Affecting TSP Participants'' (May 25, 2012)
https://www.tsp.gov/PDF/formspubs/Press.Release.2012-05-25.Cyber.pdf
(last accessed July 20, 2014).
\7\See Department of Energy, Office of the Inspector General, The
Department of Energy's July 2013 Cyber Security Breach, DOE/IG-0900
(Washington, D.C.: Dec. 6, 2013) http://energy.gov/sites/prod/files/
2013/12/f5/IG-0900.pdf (last accessed July 20, 2014).
\8\US-CERT within DHS provides technical and incident response
assistance to operators of agency information systems.
\9\See GAO-13-776, ``Federal Information Security: Mixed Progress
In Implementing Program Components; Improved Metrics Needed To Measure
Effectiveness,'' pages 8, 27, September 26, 2013. It is likely that
some of these increases can be attributed to better reporting tools and
metrics. For example, the increased use of automated discovery and
monitoring tools has uncovered more security flaws than were known in
past years and it is the hope that more visibility will bring more
attention to prevent these vulnerabilities. Nonetheless, critical
weaknesses continue to exist in agencies' security programs.
---------------------------------------------------------------------------
Given the ever-increasing threat, the Committee believes
that Congress must do everything possible to make government
computer networks as strong as possible. S. 2521 would do that
by modernizing and strengthening the current, outdated
statutory framework governing federal information security.
Specifically, it would: clarify the roles of the OMB and DHS;
reduce paperwork and speed up the move toward real-time
security; and make important improvements to the way federal
data breaches are handled.
CODIFYING AND CLARIFYING THE ROLES OF OMB AND DHS
S. 2521 updates FISMA to codify and clarify the existing
roles that DHS and OMB play in overseeing and securing federal
agency computer networks. Under FISMA, the Director of OMB has
exclusive authority to oversee the management and security of
information security across federal civilian agencies. These
functions include developing and overseeing information
security policies, principles, standards and guidelines,
requiring agencies to identify and provide information security
protections commensurate with risk, and overseeing agency
compliance with the requirements of FISMA, among other things.
Although DHS does not have an explicit statutory role under
FISMA, the Department currently performs a variety of
functions, including providing cybersecurity services for
federal civilian agencies across the government, under a
patchwork of other authorities.
In January 2008, President Bush issued National Security
Presidential Directive 54/Homeland Security Presidential
Directive 23, which, among other things, required DHS to lead
the national effort to secure Federal networks and to
coordinate and carry out government-wide security programs. The
directive required DHS to ``lead the national effort to
protect, defend, and reduce vulnerabilities of Federal
systems,'' including to ``manage and oversee . . . the external
access points, including access to the Internet for all Federal
systems,'' ``provide consolidated intrusion detection, incident
analysis, and cyber response capabilities,'' and set and
enforce minimum operational standards for agency operation
centers to manage external access points.\10\
---------------------------------------------------------------------------
\10\See National Security Presidential Directive 54/Homeland
Security Presidential Directive 23 ``Cybersecurity Policy'', paragraph
15, January 8, 2008.
---------------------------------------------------------------------------
In 2010, OMB issued M-10-28, ``Clarifying Cybersecurity
Responsibilities and Activities of the Executive Office of the
President and the Department of Homeland Security''. This
memorandum delegated most of OMB's FISMA oversight functions to
DHS and stated that ``DHS will exercise primary responsibility
within the executive branch for the operational aspects of
Federal agency cybersecurity.''\11\ Specifically, the memo made
DHS responsible for:
---------------------------------------------------------------------------
\11\See Office of Management and Budget, Memorandum M-10-28,
``Clarifying Cybersecurity Responsibilities and Activities of the
Executive Office of the President and the Department of Homeland
Security'' (July 6, 2010).
---------------------------------------------------------------------------
(1) overseeing the government-wide and agency-specific
implementation of and reporting on cybersecurity policies and
guidance;
(2) overseeing and assisting government-wide and agency-
specific efforts to provide adequate, risk-based and cost-
effective cybersecurity;
(3) overseeing the agencies' compliance with FISMA and
developing analyses for OMB to assist in the development of the
FISMA annual report;
(4) overseeing the agencies' cybersecurity operations and
incident response and providing appropriate assistance; and
(5) annually reviewing the agencies' cybersecurity
programs.\12\
---------------------------------------------------------------------------
\12\Id.
---------------------------------------------------------------------------
Under this memorandum, OMB submits the annual
implementation report to Congress required by FISMA and carries
out its traditional budgetary and fiscal oversight
responsibilities with respect to agency spending on information
security. OMB also oversees DHS in implementing its
responsibilities under the memorandum. OMB's delegation of
certain FISMA responsibilities to DHS is a sound move that has
been and will continue to improve our federal information
security.
Within the federal government, DHS is responsible for
working with the private sector to help protect our Nation's
critical infrastructure from physical and cyber threats and
overseeing the protection of the .gov domain. DHS employs over
400 personnel dedicated to the security of government networks,
and in fiscal year 2014 DHS was appropriated $680 million for
its efforts on federal network security, network security
deployment, and the United States Computer Emergency Readiness
Team (US-CERT).\13\ OMB, on the other hand, has the equivalent
of only 2-3 full-time employees on the ``management'' side
overseeing security for the entire federal government and does
not possess the technical capabilities of an operational
department such as DHS.
---------------------------------------------------------------------------
\13\See Department of Homeland Security, Congressional Budget
Justification Fiscal Year 2015, page 9 (February 2014).
---------------------------------------------------------------------------
At the center of DHS' cybersecurity and communications
mission is the National Cybersecurity and Communications
Integration Center (NCCIC). The NCCIC is a round-the-clock
information sharing, analysis and incident response center
where government, private sector, and international partners
work together on cybersecurity matters. Among its various
functions, the NCCIC: analyzes cybersecurity and communications
threats and vulnerabilities and coordinates findings with
partners to manage risks to critical systems; creates shared
situational awareness among public sector, private sector, and
international partners by collaboratively developing and
sharing timely and actionable cybersecurity and communications
information; and responds to cybersecurity and communications
incidents and events to mitigate harmful activity, manage
crisis situations, and support recovery efforts.
Operation of the NCCIC gives DHS the ability to see and
understand cyber threats and to find ways to mitigate such
threats, risks, and vulnerabilities. This insight is an
extremely valuable tool, one that helps DHS to assist federal
agencies in effectively implementing federal information
security measures. In fiscal year 2013 alone, the NCCIC
responded to more than 228,000 incident reports from a variety
of stakeholders, ranging from minor compromises of personal
information up to mass data thefts. The NCCIC also released
over 11,000 cyber alerts to industry, federal agencies, and
other partners in fiscal year 2013 and more than 5,000
organizations have used the NCCIC's tools to perform self-
assessments to identify their own vulnerabilities.\14\
---------------------------------------------------------------------------
\14\Department of Homeland Security, NCCIC Weekly Cyber Analytics
Report, Week ending 14 June 2014 (on file with Committee staff).
---------------------------------------------------------------------------
Since memorandum M-10-28 was issued, DHS has taken on the
role of operational oversight of FISMA implementation and
assisted agencies in bolstering their security. For example,
DHS's National Protection and Programs Directorate (NPPD) has
overseen government-wide FISMA compliance by issuing several
policy directives, collecting and analyzing monthly compliance
data, working with senior management at agencies to increase
compliance, and updating reporting metrics to be more
performance-based. DHS has also taken several measures to
improve its own network security and scored first in its FISMA
compliance among all major agencies in 2013.\15\
---------------------------------------------------------------------------
\15\See ``Annual Report to Congress: Federal Information Security
Management Act'', OMB, May 1, 2014, page 61. In 2012, DHS tied for
first place with two other agencies. See ``Fiscal Year 2012 Report to
Congress on the Implementation of The Federal Information Security
Management Act of 2002'', OMB, March 2013, page 41.
---------------------------------------------------------------------------
As mentioned above, OMB's delegation of many of its FISMA
responsibilities was done through a memorandum. There has been
no explicit statutory grant of authority of DHS's FISMA
responsibilities. This lack of statutory clarity has led to
uncertainty regarding the roles of DHS and OMB, resulting in
inefficiencies and confusion. For example, in 2013, OMB and DHS
released conflicting guidance to agencies on the same topic,
annual reporting instructions to agencies on security
implementation.\16\ A recent GAO report recognized the problems
caused by the confusion regarding the roles and
responsibilities of DHS and OMB, and GAO recommended that
Congress consider passing legislation to clarify the respective
agencies' roles and responsibilities regarding implementation of
and oversight of federal information security.\17\
---------------------------------------------------------------------------
\16\See GAO-13-187, ``Cybersecurity: National Strategy, Roles, and
Responsibilities Need to Be Better Defined and More Effectively
Implemented'', February 14, 2013, page 33.
\17\Id. at page 83.
---------------------------------------------------------------------------
The Committee agrees that having clear statutory roles and
responsibilities is beneficial in this area. This bill would
address these concerns by codifying and clarifying the existing
roles and responsibilities of DHS and OMB as described in
memorandum M-10-28. Under this bill, OMB would retain federal
information security enforcement responsibilities through its
budget powers and its discretion in setting over-arching
information security policies. DHS would continue to carry out
the responsibilities delegated to it under the memorandum to
oversee operational aspects of agency information security
policies and practices, including by developing and overseeing
implementation of binding operational directives to federal
agencies, setting requirements for reporting security incidents
and requirements for annual reports, establishing requirements
for the mitigation of exigent risks, collecting implementation
data, convening meetings with agencies to help ensure effective
implementation of federal information security, coordinating
government-wide information security efforts, and providing
operational and technical assistance to agencies on information
security. This structure is similar to the way other agencies
share government-wide policy and implementation
responsibilities in highly-technical areas. For example, the
General Services Administration sets property management
regulations that agencies must carry out and the Office of
Personnel Management sets standards for personnel management
that agencies must carry out.\18\
---------------------------------------------------------------------------
\18\See 40 U.S.C. Sec. 121(c), and 5 U.S.C. Sec. 1104(b).
---------------------------------------------------------------------------
Under the bill, DHS would also assist agencies in
implementing information security programs, including by
operating the Federal information security incident center,
deploying continuous diagnostics and mitigation capabilities,
compiling and analyzing data on agency information security,
and conducting targeted operational evaluations.
CONTINUOUS MONITORING
Over the years a number of experts have called for reform
of the Federal information security framework to move away from
paperwork-heavy processes toward real-time and automated
security. Continuous monitoring, for example, allows federal
agencies to monitor the effectiveness of security controls with
a frequency based on risk and often in an automated fashion
using security tools. It is common practice for a system owner
to ``authorize'' that a system has adequate security before a
system is active for the first time or if it undergoes a major
change. Within the Federal government, this process is
traditionally known as ``Certification and Accreditation,'' and
agencies have been required to produce large binders of
paperwork every three years to assure that adequate security
controls were in place. This process has been criticized for
requiring vast amounts of paperwork for little return on
security.\19\ The modern approach to providing assurance of
security controls involves automated monitoring and diagnostics
with greater frequency and less paperwork.\20\
---------------------------------------------------------------------------
\19\See ``More Security, Less Waste: What Makes Sense for our
Federal Cyber Defense'', Federal Financial Management Subcommittee,
Committee on Homeland Security and Governmental Affairs, United States
Senate, October 29, 2009. See ``Updating U.S. Federal Cybersecurity
Policy and Guidance,'' Center for Strategic and International Studies,
page 3, October 2012.
\20\See ``Federal Departments and Agencies Focus Cybersecurity
Activity on Three Administration Priorities,'' Howard Schmidt,
Cybersecurity Coordinator and Special Assistant to the President, March
23, 2012; ``Continuous Diagnostics and Mitigation,'' Department of
Homeland Security. See ``Special Publication 800-37, Guide for Applying
the Risk Management Framework to Federal Information Systems,''
National Institute of Standards and Technology, page 1, February 2010.
Current law requires agencies to test their systems ``with a frequency
depending on risk, but no less than annually''. See 44 U.S.C.
3544(b)(5). This requirement is flexible enough for agencies to adopt
continuous monitoring programs prescribed by the National Institute of
Standards and Technology.
---------------------------------------------------------------------------
One of the main obstacles to full adoption of the modern,
automated approach is a policy issued in 2000 by the Office of
Management and Budget known as Circular A-130 Appendix III.
This policy, which originated in the 1980's, has not been
revised in over thirteen years despite the ever-changing nature
of the cyber threat and information security best practices. It
requires agencies to document the implementation of security
controls on their systems every three years, which can result
in large binders of paperwork. While some level of
documentation is necessary to provide assurance of the
effectiveness of controls, the requirements in this policy are
not cost-effective methods to reduce information security risk.
Experts have called for the rewrite of Circular A-130, stating
that ``absent changes in policy, agency staff and oversight
groups (e.g., Inspectors General and the Government
Accountability Office) will continue to waste scarce resources
on strategies that do little to mitigate risk.''\21\ S. 2521
would move toward continuous and automated monitoring by
requiring the Office of Management and Budget to revise A-130
within 180 days to eliminate these inefficient and wasteful
reports.
---------------------------------------------------------------------------
\21\See ``Updating U.S. Federal Cybersecurity Policy and
Guidance,'' Center for Strategic and International Studies, page 1,
October 2012.
---------------------------------------------------------------------------
Another way S. 2521 helps agencies improve security is by
codifying the existing Continuous Diagnostics and Mitigation
program at DHS. This program offers advanced security
technologies to all agencies with the potential advantage of
bulk-buying economies.\22\ In particular, the program offers
software to implement the modern approach of automated
security.
---------------------------------------------------------------------------
\22\See ``Continuous Diagnostics and Mitigation,'' Department of
Homeland Security, http://www.dhs.gov/cdm, last accessed July 8, 2014.
---------------------------------------------------------------------------
STRENGTHENING ACCOUNTABILITY AND TRANSPARENCY THROUGH CYBER INCIDENT
NOTIFICATION
Finally, the bill would make important improvements to the
way federal data breaches are managed. For example, the bill
calls on federal agencies to provide timely notice to victims
when their personally identifiable information is stolen from
government networks. When it comes to responding to a data
breach and notifying the public, it is very important for the
federal government to be transparent and lead by example.
Currently, agencies are required by OMB policy to publicly
report only security incidents that affect personal information
of individuals, with certain restrictions.\23\ Even then, the
reports that are made are often inconsistent and do not have to
go to Congress. Further, mandated management reports all focus
on implementation compliance rather than actual incidents. For
example, the annual reports to Congress required by FISMA from
every agency are often dozens of pages long and show
implementation levels of certain elements of agencies'
information security programs. However, these reports provide
Congress with only a limited view of how effective the security
investments truly are. While it is difficult to measure
security, the Committee believes that these reports would
provide a clearer picture if they detailed major information
security incidents at the agencies. Better transparency on
incidents allows for more effective management and oversight of
information security programs.
---------------------------------------------------------------------------
\23\See OMB M-07-16 ``Safeguarding Against and Responding to the
Breach of Personally Identifiable Information,'' May 22, 2007, page 13.
---------------------------------------------------------------------------
The Government Accountability Office found that agencies'
responses to breaches of personally identifiable information
were inconsistent, partly due to incomplete guidance from
OMB.\24\ S. 2521 would require OMB to issue data breach
guidance to agencies requiring timely notification of breaches
to victims and federal cybersecurity centers. The Director of
OMB is required to consider the recommendations of GAO when
establishing its policies and procedures for agencies to follow
in the event of a breach.
---------------------------------------------------------------------------
\24\GAO-14-34 ``Information Security: Agency Responses to Breaches
of Personally Identifiable Information Need to Be More Consistent,''
December 9, 2013, page 26.
---------------------------------------------------------------------------
Currently, there are no requirements for all agencies to
notify Congress about major information security breaches.
Management reports, such as the annual FISMA reports, typically
focus on compliance of implementation of program requirements.
While full implementation of program requirements is important,
compliance data does not provide a complete picture of the
effectiveness of security programs. The bill would require that
major incidents be reported to Congress and that incidents be
included in management and oversight reports.
OTHER AMENDMENTS
Importantly, the bill requires agency heads to
ensure that all personnel are held accountable for complying
with the agency-wide information security program. Information
security requires compliance and vigilance from all employees
to ensure that there are no unnecessary weaknesses or
vulnerabilities in each system. Requiring agencies to hold all
employees accountable for complying with information security
guidelines is an important measure to strengthen the security
of federal networks and information systems.
The bill makes several other minor changes to modernize the
law. For example, to strengthen the oversight powers of
department-level Chief Information Officers over component and
agency information systems, the bill would require that senior
agency officials (including component agency Chief Information
Officers) carry out the directions of the department-level
Chief Information Officer. It would also give Inspectors
General more flexibility in how they audit security programs,
require the Federal information security incident center
established by section 3556 of the bill to share threat intelligence with
agencies, and require that the existing Information Security
and Privacy Advisory Board, which currently advises NIST, also
advise DHS.
III. Legislative History
Chairman Carper and Ranking Member Coburn introduced S.
2521 on June 24, 2014. The bill was referred to the Committee
on Homeland Security and Governmental Affairs.
The Committee considered S. 2521 at a business meeting on
June 25, 2014, and ordered the bill reported favorably by voice
vote. Senators present for the vote on the bill were Senators
Carper, Levin, Pryor, Landrieu, McCaskill, Tester, Heitkamp,
Coburn, McCain, Johnson, and Portman.
IV. Section-by-Section Analysis of the Bill, as Reported
Section 1. Short title
The short title of the bill is the ``Federal Information
Security Modernization Act of 2014''.
Section 2. FISMA reform
Subsection (a)
This subsection amends the Federal Information Security
Management Act of 2002 (FISMA) by striking subchapters II and
III of chapter 35 of Title 44, United States Code (44 U.S.C.
3541, et seq.), and replacing them with a new subchapter. This
new subchapter, however, retains the vast majority of original
FISMA requirements. The following section-by-section analysis
focuses on how this bill amends the original FISMA language.
New Section 3551. Purposes
Section 3551 maintains the language under current FISMA
stating that the purposes of this subchapter are to provide a
comprehensive policy and oversight framework for federal
agencies' information security.
New Section 3552. Definitions
Section 3552 uses the same definitions that FISMA currently
uses for the terms ``information security'', ``information
technology'', ``national security system'', and the definitions
under section 3502, from which FISMA derives much of its
terminology. This section adds to the original FISMA language
definitions for the terms ``binding operational directive'',
``incident'', ``intelligence community'', and ``Secretary''.
The term ``binding operational directive'' means a compulsory
direction to an agency that is in accordance with policies,
principles, standards, and guidelines issued by the Director.
The definition for `incident' is derived from widely used
guidance issued by the National Institute of Standards and
Technology and the Committee on National Security Systems.
New Section 3553. Authority and functions of the Director and the
Secretary
Section 3553 codifies and clarifies the roles currently
played by the Director of the Office of Management and Budget
(OMB) and the Secretary of Homeland Security, consistent with
OMB Memorandum M-10-28.
The Director would oversee agency information security
policies, including developing and overseeing implementation of
policies, requiring agencies to provide adequate information
security protections, ensuring that the Secretary carries out
the authorities and functions that have been assigned to him,
coordinating the development of security standards,
coordinating information security policy with information
technology management policy, and consulting with the Secretary
in carrying out OMB's authorities and functions under this
subsection. This section maintains the scope of information and
information systems subject to the requirements of FISMA set
out by current law and OMB guidance.
The Secretary would oversee the operational aspects of
information security policies, including assisting the Director
in fulfilling OMB's responsibilities under the bill. The
Secretary would develop and oversee implementation of binding
operational directives in accordance with overarching policies
issued by the Director. The Secretary would monitor agency
implementation of information security policies and practices,
convene oversight meetings with agency officials, coordinate
government-wide information security efforts and provide
operational and technical assistance to agencies in
implementing policies, principles, standards and guidelines on
information security.
The Secretary would also assist agencies in implementing
information security programs, including by operating the
Federal information security incident center, by deploying
continuous diagnostics and mitigation capabilities, compiling
and analyzing data on agency information security, and
conducting targeted operational evaluations.
The section would require the Director, in consultation
with the Secretary, to report annually to Congress on the
effectiveness of agency implementation of information security
programs, including providing a summary of information security
incidents across the federal government.
This section would maintain the treatment of national
security systems under current law. Current law gives the
Secretary of Defense and the Director of National Intelligence
policy and oversight authorities for systems critical to their
missions.
New Section 3554. Federal agency responsibilities
Section 3554 maintains much of current law that lays out
responsibilities of agency heads to provide adequate security
for the information and systems under their control. This
section clarifies that Department heads would be required to
ensure that component chief information officers follow the
directions of the department-level chief information officer on
information security matters. Agencies would be required to
report major information security incidents to Congress, for
incidents affecting information collected or maintained by or
on behalf of the agency and information systems used or
operated by the agency or by a contractor of the agency or
other organization on behalf of the agency. Agency heads would
report annually on the effectiveness of their security
programs, along with a summary of incidents, and identify
significant deficiencies and processes to remediate those
deficiencies. This section maintains the scope of information
and information systems subject to the requirements of FISMA
set out by current law and OMB guidance, and the
responsibilities of agency heads to provide adequate security
for those information and information systems. The bill also
requires heads of agencies to ensure that all personnel are
held accountable for complying with agency-wide information
security program requirements.
New Section 3555. Annual independent evaluation
Section 3555 maintains much of current law and gives
inspectors general additional flexibility in conducting their
annual reviews under current law. GAO would provide technical
assistance to inspectors general in conducting security
reviews.
New Section 3556. Federal information security incident center
Section 3556 maintains much of current law and requires the
federal information security incident center, which is
responsible for providing technical and incident response
assistance to agencies, to share threat intelligence with
agencies.
New Section 3557. National security systems
Section 3557 maintains the language under current law to
ensure that agencies provide security for national security
systems.
New Section 3558. Effect on existing law
Section 3558 maintains the language under current law to
provide that nothing in this subchapter or those provisions of
law relating to the development and promulgation of NIST-
developed standards may be construed as affecting current
authorities regarding the use or disclosure of information.
Subsection (b)
Subsection (a) adds a table of sections in Title 44--
Information Security. Subsection (b) references other sections
of related bills, including the Homeland Security Act of 2002,
the National Institute of Standards and Technology Act, and the
Cybersecurity Research and Development Act.
Subsection (c)
This subsection requires OMB to revise Appendix III of
Office of Management and Budget Circular A-130 to eliminate
inefficient or wasteful reporting. With this language, the
Committee intends for OMB to rescind or amend Circular A-130 to
eliminate the requirement for burdensome paperwork that does
not provide cost-effective security.
This subsection ensures that the existing Information
Security and Privacy Advisory Board, which currently advises
NIST, also advises DHS.
Section 3. Federal data breach response guidelines
Section 201 adds a new section to Title 44: ``Section 3559,
Privacy breach requirements.'' This new section requires that
the Director of OMB establish and oversee policies and
procedures for agencies to follow in the event of a breach of
personally identifiable information at an agency. It requires
agencies to provide timely notice to affected individuals,
report to the federal information security incident center,
provide notice to Congress, and perform other mitigation
measures as required by the Director. Agencies are required to
notify victims within 60 days, with law enforcement and
national security exceptions. The Director must consider
recommendations of the Government Accountability Office,
including those found in GAO Report GAO-14-34, regarding OMB's
policies for agency data breach notification practices and
report to Congress annually to improve the consistency and
effectiveness of government-wide data breach response programs.
V. Evaluation of Regulatory Impact
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. Congressional Budget Office Cost Estimate
July 28, 2014.
Hon. Tom Carper,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S.
Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 2521, the Federal
Information Security Modernization Act of 2014.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Matthew
Pickford.
Sincerely,
Douglas W. Elmendorf.
Enclosure.
S. 2521--Federal Information Security Modernization Act of 2014
S. 2521 would amend the Federal Information Security
Management Act of 2002 (FISMA)--the law that governs the
security of the federal government's information technology
systems. The legislation would clarify the roles and
responsibilities of the Office of Management and Budget (OMB)
and the Department of Homeland Security (DHS) for information
security. The bill also would update guidelines that federal
agencies follow in the event that there is an unauthorized
release of data. S. 2521 would require OMB to revise Circular
A-130--Management of Federal Information Resources.
CBO estimates that implementing S. 2521 would have no
significant net impact on the federal budget over the next five
years. The bill could affect direct spending by agencies not
funded through annual appropriations; therefore, pay-as-you-go
procedures apply. CBO estimates, however, that any net increase
in spending by those agencies would not be significant.
Enacting S. 2521 would not affect revenues.
Most of the provisions of the bill would codify and expand
on current practices of the federal government. OMB has
reported that in 2013, federal agencies spent almost $80
billion on information technology and more than $10 billion on
related security.
S. 2521 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act and
would impose no costs on state, local, or tribal governments.
The CBO staff contacts for this estimate are Matthew
Pickford and Jason Wheelock. The estimate was approved by
Theresa Gullo, Deputy Assistant Director for Budget Analysis.
VII. Changes in Existing Law Made by the Bill, as Reported
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, changes in existing law made by
S. 2521 as reported are shown as follows (existing law proposed
to be omitted is enclosed in brackets, new matter is printed in
italic, and existing law in which no change is proposed is
shown in roman):
TITLE 44, UNITED STATES CODE
* * * * * * *
CHAPTER 35 COORDINATION OF FEDERAL INFORMATION POLICY
* * * * * * *
[SUBCHAPTER II--INFORMATION SECURITY
[3531. Purposes.
[3532. Definitions.
[3533. Authority and functions of the Director.
[3534. Federal agency responsibilities.
[3535. Annual independent evaluation.
[3536. National security systems.
[3537. Authorization of appropriations.
[3538. Effect on existing law.]
[SUBCHAPTER III--INFORMATION SECURITY
[3541. Purposes.
[3542. Definitions.
[3543. Authority and functions of the Director.
[3544. Federal agency responsibilities.
[3545. Annual independent evaluation.
[3546. Federal information security incident center.
[3547. National security systems.
[3548. Authorization of appropriations.
[3549. Effect on existing law.
Subchapter II--Information Security]
Sec.
3551. Purposes.
3552. Definitions.
3553. Authority and functions of the Director and the Secretary.
3554. Federal agency responsibilities.
3555. Annual independent evaluation.
3556. Federal information security incident center.
3557. National security systems.
3558. Effect on existing law.
3559. Privacy breach requirements.
* * * * * * *
[Subchapter II--Information Security
[SEC. 3531. PURPOSES.
[The purposes of this subchapter are to--
[(1) provide a comprehensive framework for ensuring
the effectiveness of information security controls over
information resources that support Federal operations
and assets;
[(2) recognize the highly networked nature of the
current Federal computing environment and provide
effective government-wide management and oversight of
the related information security risks, including
coordination of information security efforts throughout
the civilian, national security, and law enforcement
communities;
[(3) provide for development and maintenance of
minimum controls required to protect Federal
information and information systems;
[(4) provide a mechanism for improved oversight of
Federal agency information security programs;
[(5) acknowledge that commercially developed
information security products offer advanced, dynamic,
robust, and effective information security solutions,
reflecting market solutions for the protection of
critical information infrastructures important to the
national defense and economic security of the nation
that are designed, built, and operated by the private
sector; and
[(6) recognize that the selection of specific
technical hardware and software information security
solutions should be left to individual agencies from
among commercially developed products.
[SEC. 3532. DEFINITIONS.
[(a) In General.--Except as provided under subsection (b),
the definitions under section 3502 shall apply to this
subchapter.
[(b) Additional Definitions.--As used in this subchapter--
[(1) the term `information security' means protecting
information and information systems from unauthorized
access, use, disclosure, disruption, modification, or
destruction in order to provide--
[(A) integrity, which means guarding against
improper information modification or
destruction, and includes ensuring information
nonrepudiation and authenticity;
[(B) confidentiality, which means preserving
authorized restrictions on access and
disclosure, including means for protecting
personal privacy and proprietary information;
[(C) availability, which means ensuring
timely and reliable access to and use of
information; and
[(D) authentication, which means utilizing
digital credentials to assure the identity of
users and validate their access;
[(2) the term `national security system' means any
information system (including any telecommunications
system) used or operated by an agency or by a
contractor of an agency, or other organization on
behalf of an agency, the function, operation, or use of
which--
[(A) involves intelligence activities;
[(B) involves cryptologic activities related
to national security;
[(C) involves command and control of military
forces;
[(D) involves equipment that is an integral
part of a weapon or weapons system; or
[(E) is critical to the direct fulfillment of
military or intelligence missions provided that
this definition does not apply to a system that
is used for routine administrative and business
applications (including payroll, finance,
logistics, and personnel management
applications);
[(3) the term `information technology' has the
meaning given that term in section 11101 of title 40;
and
[(4) the term `information system' means any
equipment or interconnected system or subsystems of
equipment that is used in the automatic acquisition,
storage, manipulation, management, movement, control,
display, switching, interchange, transmission, or
reception of data or information, and includes--
[(A) computers and computer networks;
[(B) ancillary equipment;
[(C) software, firmware, and related
procedures;
[(D) services, including support services;
and
[(E) related resources.
[SEC. 3533. AUTHORITY AND FUNCTIONS OF THE DIRECTOR.
[(a) The Director shall oversee agency information security
policies and practices, by--
[(1) promulgating information security standards
under section 11331 of title 40;
[(2) overseeing the implementation of policies,
principles, standards, and guidelines on information
security;
[(3) requiring agencies, consistent with the
standards promulgated under such section 11331 and the
requirements of this subchapter, to identify and
provide information security protections commensurate
with the risk and magnitude of the harm resulting from
the unauthorized access, use, disclosure, disruption,
modification, or destruction of--
[(A) information collected or maintained by
or on behalf of an agency; or
[(B) information systems used or operated by
an agency or by a contractor of an agency or
other organization on behalf of an agency;
[(4) coordinating the development of standards and
guidelines under section 20 of the National Institute
of Standards and Technology Act (15 U.S.C. 278g-3) with
agencies and offices operating or exercising control of
national security systems (including the National
Security Agency) to assure, to the maximum extent
feasible, that such standards and guidelines are
complementary with standards and guidelines developed
for national security systems;
[(5) overseeing agency compliance with the
requirements of this subchapter, including through any
authorized action under section 11303(b)(5) of title
40, to enforce accountability for compliance with such
requirements;
[(6) reviewing at least annually, and approving or
disapproving, agency information security programs
required under section 3534(b);
[(7) coordinating information security policies and
procedures with related information resources
management policies and procedures; and
[(8) reporting to Congress no later than March 1 of
each year on agency compliance with the requirements of
this subchapter, including--
[(A) a summary of the findings of evaluations
required by section 3535;
[(B) significant deficiencies in agency
information security practices;
[(C) planned remedial action to address such
deficiencies; and
[(D) a summary of, and the views of the
Director on, the report prepared by the
National Institute of Standards and Technology
under section 20(d)(9) of the National
Institute of Standards and Technology Act (15
U.S.C. 278g-3).
[(b) Except for the authorities described in paragraphs (4)
and (7) of subsection (a), the authorities of the Director
under this section shall not apply to national security
systems.
[SEC. 3534. FEDERAL AGENCY RESPONSIBILITIES.
[(a) The head of each agency shall--
[(1) be responsible for--
[(A) providing information security
protections commensurate with the risk and
magnitude of the harm resulting from
unauthorized access, use, disclosure,
disruption, modification, or destruction of--
[(i) information collected or
maintained by or on behalf of the
agency; and
[(ii) information systems used or
operated by an agency or by a
contractor of an agency or other
organization on behalf of an agency;
[(B) complying with the requirements of this
subchapter and related policies, procedures,
standards, and guidelines, including--
[(i) information security standards
promulgated by the Director under
section 11331 of title 40; and
[(ii) information security standards
and guidelines for national security
systems issued in accordance with law
and as directed by the President; and
[(C) ensuring that information security
management processes are integrated with agency
strategic and operational planning processes;
[(2) ensure that senior agency officials provide
information security for the information and
information systems that support the operations and
assets under their control, including through--
[(A) assessing the risk and magnitude of the
harm that could result from the unauthorized
access, use, disclosure, disruption,
modification, or destruction of such
information or information systems;
[(B) determining the levels of information
security appropriate to protect such
information and information systems in
accordance with standards promulgated under
section 11331 of title 40 for information
security classifications and related
requirements;
[(C) implementing policies and procedures to
cost-effectively reduce risks to an acceptable
level; and
[(D) periodically testing and evaluating
information security controls and techniques to
ensure that they are effectively implemented;
[(3) delegate to the agency Chief Information Officer
established under section 3506 (or comparable official
in an agency not covered by such section) the authority
to ensure compliance with the requirements imposed on
the agency under this subchapter, including--
[(A) designating a senior agency information
security officer who shall--
[(i) carry out the Chief Information
Officer's responsibilities under this
section;
[(ii) possess professional
qualifications, including training and
experience, required to administer the
functions described under this section;
[(iii) have information security
duties as that official's primary duty;
and
[(iv) head an office with the mission
and resources to assist in ensuring
agency compliance with this section;
[(B) developing and maintaining an agency-
wide information security program as required
by subsection (b);
[(C) developing and maintaining information
security policies, procedures, and control
techniques to address all applicable
requirements, including those issued under
section 3533 of this title, and section 11331
of title 40;
[(D) training and overseeing personnel with
significant responsibilities for information
security with respect to such responsibilities;
and
[(E) assisting senior agency officials
concerning their responsibilities under
paragraph (2);
[(4) ensure that the agency has trained personnel
sufficient to assist the agency in complying with the
requirements of this subchapter and related policies,
procedures, standards, and guidelines; and
[(5) ensure that the agency Chief Information
Officer, in coordination with other senior agency
officials, reports annually to the agency head on the
effectiveness of the agency information security
program, including progress of remedial actions.
[(b) Each agency shall develop, document, and implement an
agency-wide information security program, approved by the
Director under section 3533(a)(5), to provide information
security for the information and information systems that
support the operations and assets of the agency, including
those provided or managed by another agency, contractor, or
other source, that includes--
[(1) periodic assessments of the risk and magnitude
of the harm that could result from the unauthorized
access, use, disclosure, disruption, modification, or
destruction of information and information systems that
support the operations and assets of the agency;
[(2) policies and procedures that--
[(A) are based on the risk assessments
required by paragraph (1);
[(B) cost-effectively reduce information
security risks to an acceptable level;
[(C) ensure that information security is
addressed throughout the life cycle of each
agency information system; and
[(D) ensure compliance with--
[(i) the requirements of this
subchapter;
[(ii) policies and procedures as may
be prescribed by the Director, and
information security standards
promulgated under section 11331 of
title 40;
[(iii) minimally acceptable system
configuration requirements, as
determined by the agency; and
[(iv) any other applicable
requirements, including standards and
guidelines for national security
systems issued in accordance with law
and as directed by the President;
[(3) subordinate plans for providing adequate
information security for networks, facilities, and
systems or groups of information systems, as
appropriate;
[(4) security awareness training to inform personnel,
including contractors and other users of information
systems that support the operations and assets of the
agency, of--
[(A) information security risks associated
with their activities; and
[(B) their responsibilities in complying with
agency policies and procedures designed to
reduce these risks;
[(5) periodic testing and evaluation of the
effectiveness of information security policies,
procedures, and practices, to be performed with a
frequency depending on risk, but no less than annually,
of which such testing--
[(A) shall include testing of management,
operational, and technical controls of every
information system identified in the inventory
required under section 3505(c); and
[(B) may include testing relied on in an
evaluation under section 3535;
[(6) a process for planning, implementing,
evaluating, and documenting remedial action to address
any deficiencies in the information security policies,
procedures, and practices of the agency;
[(7) procedures for detecting, reporting, and
responding to security incidents, including--
[(A) mitigating risks associated with such
incidents before substantial damage is done;
and
[(B) notifying and consulting with, as
appropriate--
[(i) law enforcement agencies and
relevant Offices of Inspector General;
[(ii) an office designated by the
President for any incident involving a
national security system; and
[(iii) any other agency or office, in
accordance with law or as directed by
the President; and
[(8) plans and procedures to ensure continuity of
operations for information systems that support the
operations and assets of the agency.
[(c) Each agency shall--
[(1) report annually to the Director, the Committees
on Government Reform and Science of the House of
Representatives, the Committees on Governmental Affairs
and Commerce, Science, and Transportation of the
Senate, the appropriate authorization and
appropriations committees of Congress, and the
Comptroller General on the adequacy and effectiveness
of information security policies, procedures, and
practices, and compliance with the requirements of this
subchapter, including compliance with each requirement
of subsection (b);
[(2) address the adequacy and effectiveness of
information security policies, procedures, and
practices in plans and reports relating to--
[(A) annual agency budgets;
[(B) information resources management under
subchapter 1 of this chapter;
[(C) information technology management under
subtitle III of title 40;
[(D) program performance under sections 1105
and 1115 through 1119 of title 31, and sections
2801 and 2805 of title 39;
[(E) financial management under chapter 9 of
title 31, and the Chief Financial Officers Act
of 1990 (31 U.S.C. 501 note; Public Law 101-
576) (and the amendments made by that Act);
[(F) financial management systems under the
Federal Financial Management Improvement Act
(31 U.S.C. 3512 note); and
[(G) internal accounting and administrative
controls under section 3512 of title 31, United
States Code, (known as the Federal Managers
Financial Integrity Act'); and
[(3) report any significant deficiency in a policy,
procedure, or practice identified under paragraph (1)
or (2)--
[(A) as a material weakness in reporting
under section 3512 of title 31; and
[(B) if relating to financial management
systems, as an instance of a lack of
substantial compliance under the Federal
Financial Management Improvement Act (31 U.S.C.
3512 note).
[(d)(1) In addition to the requirements of subsection (c),
each agency, in consultation with the Director, shall include
as part of the performance plan required under section 1115 of
title 31 a description of--
[(A) the time periods; and
[(B) the resources, including budget, staffing, and
training,
[that are necessary to implement the program required under
subsection (b).
[(2) The description under paragraph (1) shall be based on
the risk assessments required under subsection (b)(2)(1).
[(e) Each agency shall provide the public with timely
notice and opportunities for comment on proposed information
security policies and procedures to the extent that such
policies and procedures affect communication with the public.
[SEC. 3535. ANNUAL INDEPENDENT EVALUATION.
[(a)(1) Each year each agency shall have performed an
independent evaluation of the information security program and
practices of that agency to determine the effectiveness of such
program and practices.
[(2) Each evaluation by an agency under this section shall
include--
[(A) testing of the effectiveness of information
security policies, procedures, and practices of a
representative subset of the agency's information
systems;
[(B) an assessment (made on the basis of the results
of the testing) of compliance with--
[(i) the requirements of this subchapter; and
[(ii) related information security policies,
procedures, standards, and guidelines; and
[(C) separate presentations, as appropriate,
regarding information security relating to national
security systems.
[(b) Subject to subsection (c)--
[(1) for each agency with an Inspector General
appointed under the Inspector General Act of 1978, the
annual evaluation required by this section shall be
performed by the Inspector General or by an independent
external auditor, as determined by the Inspector
General of the agency; and
[(2) for each agency to which paragraph (1) does not
apply, the head of the agency shall engage an
independent external auditor to perform the evaluation.
[(c) For each agency operating or exercising control of a
national security system, that portion of the evaluation
required by this section directly relating to a national
security system shall be performed--
[(1) only by an entity designated by the agency head;
and
[(2) in such a manner as to ensure appropriate
protection for information associated with any
information security vulnerability in such system
commensurate with the risk and in accordance with all
applicable laws.
[(d) The evaluation required by this section--
[(1) shall be performed in accordance with generally
accepted government auditing standards; and
[(2) may be based in whole or in part on an audit,
evaluation, or report relating to programs or practices
of the applicable agency.
[(e) Each year, not later than such date established by the
Director, the head of each agency shall submit to the Director
the results of the evaluation required under this section.
[(f) Agencies and evaluators shall take appropriate steps
to ensure the protection of information which, if disclosed,
may adversely affect information security. Such protections
shall be commensurate with the risk and comply with all
applicable laws and regulations.
[(g)(1) The Director shall summarize the results of the
evaluations conducted under this section in the report to
Congress required under section 3533(a)(8).
[(2) The Director's report to Congress under this
subsection shall summarize information regarding information
security relating to national security systems in such a manner
as to ensure appropriate protection for information associated
with any information security vulnerability in such system
commensurate with the risk and in accordance with all
applicable laws.
[(3) Evaluations and any other descriptions of information
systems under the authority and control of the Director of
Central Intelligence or of National Foreign Intelligence
Programs systems under the authority and control of the
Secretary of Defense shall be made available to Congress only
through the appropriate oversight committees of Congress, in
accordance with applicable laws.
[(h) The Comptroller General shall periodically evaluate
and report to Congress on--
[(1) the adequacy and effectiveness of agency
information security policies and practices; and
[(2) implementation of the requirements of this
subchapter.
[SEC. 3536. NATIONAL SECURITY SYSTEMS.
[The head of each agency operating or exercising control of
a national security system shall be responsible for ensuring
that the agency--
[(1) provides information security protections
commensurate with the risk and magnitude of the harm
resulting from the unauthorized access, use,
disclosure, disruption, modification, or destruction of
the information contained in such system;
[(2) implements information security policies and
practices as required by standards and guidelines for
national security systems, issued in accordance with
law and as directed by the President; and
[(3) complies with the requirements of this
subchapter.
[SEC. 3537. AUTHORIZATION OF APPROPRIATIONS.
[There are authorized to be appropriated to carry out the
provisions of this subchapter such sums as may be necessary for
each of fiscal years 2003 through 2007.
[SEC. 3538. EFFECT ON EXISTING LAW.
[Nothing in this subchapter, section 11331 of title 40, or
section 20 of the National Standards and Technology Act (15
U.S.C. 278g-3) may be construed as affecting the authority of
the President, the Office of Management and Budget or the
Director thereof, the National Institute of Standards and
Technology, or the head of any agency, with respect to the
authorized use or disclosure of information, including with
regard to the protection of personal privacy under section 552a
of title 5, the disclosure of information under section 552 of
title 5, the management and disposition of records under
chapters 29, 31, or 33 of title 44, the management of
information resources under subchapter I of chapter 35 of this
title, or the disclosure of information to Congress or the
Comptroller General of the United States.
[Subchapter III--Information Security
[SEC. 3541. PURPOSES.
[The purposes of this subchapter are to--
[(1) provide a comprehensive framework for ensuring
the effectiveness of information security controls over
information resources that support Federal operations
and assets;
[(2) recognize the highly networked nature of the
current Federal computing environment and provide
effective government-wide management and oversight of
the related information security risks, including
coordination of information security efforts throughout
the civilian, national security, and law enforcement
communities;
[(3) provide for development and maintenance of
minimum controls required to protect Federal
information and information systems; and
[(4) provide a mechanism for improved oversight of
Federal agency information security programs.
[SEC. 3542. DEFINITIONS.
[(a) In General.--Except as provided under subsection (b),
the definitions under section 3502 shall apply to this
subchapter.
[(b) Additional Definitions.--As used in this subchapter--
[(1) the term `information security' means protecting
information and information systems from unauthorized
use, disclosure, disruption, modification, or
destruction in order to provide--
[(A) integrity, which means guarding against
improper information modification or
destruction, and includes ensuring information
nonrepudiation and authenticity;
[(B) confidentiality, which means preserving
an appropriate level of information secrecy;
and
[(C) availability, which means ensuring
timely and reliable access to and use of
information;
[(2) the term `national security system' means any
information system (including any telecommunications
system) used or operated by an agency or by a
contractor of an agency, or other organization on
behalf of an agency--
[(A) the function, operation, or use of
which--
[(i) involves intelligence
activities;
[(ii) involves cryptologic activities
related to national security;
[(iii) involves command and control
of military forces;
[(iv) involves equipment that is an
integral part of a weapon or weapons
system; or
[(v) is critical to the direct
fulfillment of military or intelligence
missions provided that this definition
does not apply to a system that is used
for routine administrative and business
applications (including payroll,
finance, logistics, and personnel
management applications); or
[(B) is protected at all times by procedures
established for information that have been
specifically authorized under criteria
established by an Executive order or an Act of
Congress to be kept secret in the interest of
national defense or foreign policy; and
[(3) the term `information technology' has the
meaning given that term in section 5002 of the Clinger-
Cohen Act of 1996 (40 U.S.C. 1401).
[SEC. 3543. AUTHORITY AND FUNCTIONS OF THE DIRECTOR.
[(a) The Director shall oversee agency information security
policies and practices, including--
[(1) developing and overseeing the implementation of
policies, principles, standards, and guidelines on
information security, including through the
promulgation of standards and guidelines under section
5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441);
[(2) requiring agencies, consistent with the
standards and guidelines promulgated under such section
5131 and the requirements of this subchapter, to
identify and provide information security protections
commensurate with the risk and magnitude of the harm
resulting from the unauthorized use, disclosure,
disruption, modification, or destruction of--
[(A) information collected or maintained by
or on behalf of an agency; or
[(B) information systems used or operated by
an agency or by a contractor of an agency or
other organization on behalf of an agency;
[(3) coordinating the development of standards and
guidelines under section 20 of the National Institute
of Standards and Technology Act (15 U.S.C. 278g-3) with
agencies and offices operating or exercising control of
national security systems (including the National
Security Agency) to assure, to the maximum extent
feasible, that such standards and guidelines are
complementary with standards and guidelines developed
for national security systems;
[(4) overseeing agency compliance with the
requirements of this subchapter, including through any
authorized action under section 5113(b)(5) of the
Clinger-Cohen Act of 1996 (40 U.S.C. 1413(b)(5)) to
enforce accountability for compliance with such
requirements;
[(5) coordinating information security policies and
procedures with related information resources
management policies and procedures;
[(6) overseeing the development and operation of the
Federal information security incident center
established under section 3536; and
[(7) reporting to Congress on agency compliance with
the requirements of this subchapter, including--
[(A) a summary of the findings of evaluations
required by section 3535;
[(B) significant deficiencies in agency
information security practices; and
[(C) planned remedial action to address such
deficiencies.
[(b) Except for the authorities described in paragraphs (4)
and (7) of subsection (a), the authorities of the Director
under this section shall not apply to national security
systems.
[SEC. 3544. FEDERAL AGENCY RESPONSIBILITIES.
[(a) The head of each agency shall--
[(1) be responsible for--
[(A) providing information security
protections commensurate with the risk and
magnitude of the harm resulting from
unauthorized use, disclosure, disruption,
modification, or destruction of--
[(i) information collected or
maintained by or on behalf of the
agency; and
[(ii) information systems used or
operated by an agency or by a
contractor of an agency or other
organization on behalf of an agency;
[(B) complying with the requirements of this
subchapter and related policies, procedures,
standards, and guidelines, including--
[(i) information security standards
and guidelines promulgated by the
Director under section 5131 of the
Clinger-Cohen Act of 1996 (40 U.S.C.
1441); and
[(ii) information security standards
and guidelines for national security
systems issued in accordance with law
and as directed by the President; and
[(C) ensuring that information security
management processes are integrated with agency
strategic and operational planning processes;
[(2) ensure that senior agency officials provide
information security for the information and
information systems that support the operations and
assets under their control, including through--
[(A) assessing the risk and magnitude of the
harm that could result from the unauthorized
use, disclosure, disruption, modification, or
destruction of such information or information
systems;
[(B) determining the levels of information
security appropriate to protect such
information and information systems in
accordance with standards and guidelines
promulgated under section 5131 of the Clinger-
Cohen Act of 1996 (40 U.S.C. 1441) for
information security classifications and
related requirements;
[(C) implementing policies and procedures to
cost-effectively reduce risks to an acceptable
level; and
[(D) periodically testing and evaluating
information security controls and techniques to
ensure that they are effectively implemented;
[(3) delegate to the agency Chief Information Officer
established under section 3506 (or comparable official
in an agency not covered by such section) the authority
to ensure compliance with the requirements imposed on
the agency under this subchapter, including--
[(A) designating a senior agency information
security officer who shall--
[(i) carry out the Chief Information
Officer's responsibilities under this
section;
[(ii) possess professional
qualifications, including training and
experience, required to administer the
functions described under this section;
[(iii) have information security
duties as that official's primary duty;
and
[(iv) head an office with the mission
and resources to assist in ensuring
agency compliance with this section;
[(B) developing and maintaining an agency-
wide information security program as required
by subsection (b);
[(C) developing and maintaining information
security policies, procedures, and control
techniques to address all applicable
requirements, including those issued under
section 3533 of this title, and section 5131 of
the Clinger-Cohen Act of 1996 (40 U.S.C. 1441);
[(D) training and overseeing personnel with
significant responsibilities for information
security with respect to such responsibilities;
and
[(E) assisting senior agency officials
concerning their responsibilities under
subparagraph (2);
[(4) ensure that the agency has trained personnel
sufficient to assist the agency in complying with the
requirements of this subchapter and related policies,
procedures, standards, and guidelines; and
[(5) ensure that the agency Chief Information
Officer, in coordination with other senior agency
officials, reports annually to the agency head on the
effectiveness of the agency information security
program, including progress of remedial actions.
[(b) Each agency shall develop, document, and implement an
agency-wide information security program to provide information
security for the information and information systems that
support the operations and assets of the agency, including
those provided or managed by another agency, contractor, or
other source, that includes--
[(1) periodic assessments of the risk and magnitude
of the harm that could result from the unauthorized
use, disclosure, disruption, modification, or
destruction of information and information systems that
support the operations and assets of the agency;
[(2) policies and procedures that--
[(A) are based on the risk assessments
required by subparagraph (1);
[(B) cost-effectively reduce information
security risks to an acceptable level;
[(C) ensure that information security is
addressed throughout the life cycle of each
agency information system; and
[(D) ensure compliance with--
[(i) the requirements of this
subchapter;
[(ii) policies and procedures as may
be prescribed by the Director,
including information security
standards and guidelines promulgated
under section 5131 of the Clinger-Cohen
Act of 1996 (40 U.S.C. 1441); and
[(iii) any other applicable
requirements, including standards and
guidelines for national security
systems issued in accordance with law
and as directed by the President;
[(3) subordinate plans for providing adequate
information security for networks, facilities, and
systems or groups of information systems, as
appropriate;
[(4) security awareness training to inform personnel,
including contractors and other users of information
systems that support the operations and assets of the
agency, of--
[(A) information security risks associated
with their activities; and
[(B) their responsibilities in complying with
agency policies and procedures designed to
reduce these risks;
[(5) periodic testing and evaluation of the
effectiveness of information security policies,
procedures, and practices, to be performed with a
frequency depending on risk, but no less than annually;
[(6) a process for ensuring remedial action to
address any deficiencies in the information security
policies, procedures, and practices of the agency;
[(7) procedures for detecting, reporting, and
responding to security incidents, consistent with
guidance issued under section 3536, including--
[(A) mitigating risks associated with such
incidents before substantial damage is done;
[(B) notifying and consulting with the
Federal information security incident center
established under section 3536; and
[(C) notifying and consulting with, as
appropriate--
[(i) law enforcement agencies and
relevant Offices of Inspector General;
[(ii) an office designated by the
President for any incident involving a
national security system; and
[(iii) any other agency or office, in
accordance with law or as directed by
the President; and
[(8) plans and procedures to ensure continuity of
operations for information systems that support the
operations and assets of the agency.
[(c) Each agency shall--
[(1) report annually to the Director and the
Comptroller General on the adequacy and effectiveness
of information security policies, procedures, and
practices, including compliance with the requirements
of this subchapter;
[(2) address the adequacy and effectiveness of
information security policies, procedures, and
practices in plans and reports relating to--
[(A) annual agency budgets;
[(B) information resources management under
subchapter 1 of this chapter;
[(C) information technology management under
the Clinger-Cohen Act of 1996 (40 U.S.C. 1401
et seq.);
[(D) program performance under sections 1105
and 1115 through 1119 of title 31, and sections
2801 and 2805 of title 39;
[(E) financial management under chapter 9 of
title 31, and the Chief Financial Officers Act
of 1990 (31 U.S.C. 501 note; Public Law 101-
576) (and the amendments made by that Act);
[(F) financial management systems under the
Federal Financial Management Improvement Act
(31 U.S.C. 3512 note); and
[(G) internal accounting and administrative
controls under section 3512 of title 31, United
States Code, (known as the `Federal Managers
Financial Integrity Act'); and
[(3) report any significant deficiency in a policy,
procedure, or practice identified under paragraph (1)
or (2)--
[(A) as a material weakness in reporting
under section 3512 of title 31, United States
Code; and
[(B) if relating to financial management
systems, as an instance of a lack of
substantial compliance under the Federal
Financial Management Improvement Act (31 U.S.C.
3512 note).
[(d)(1) In addition to the requirements of subsection (c),
each agency, in consultation with the Director, shall include
as part of the performance plan required under section 1115 of
title 31 a description of--
[(A) the time periods, and
[(B) the resources, including budget, staffing, and
training,
[that are necessary to implement the program required under
subsection (b).
[(2) The description under paragraph (1) shall be based on
the risk assessments required under subsection (b)(2)(1).
[(e) Each agency shall provide the public with timely
notice and opportunities for comment on proposed information
security policies and procedures to the extent that such
policies and procedures affect communication with the public.
[SEC. 3545. ANNUAL INDEPENDENT EVALUATION.
[(a)(1) Each year each agency shall have performed an
independent evaluation of the information security program and
practices of that agency to determine the effectiveness of such
program and practices.
[(2) Each evaluation by an agency under this section shall
include--
[(A) testing of the effectiveness of information
security policies, procedures, and practices of a
representative subset of the agency's information
systems;
[(B) an assessment (made on the basis of the results
of the testing) of compliance with--
[(i) the requirements of this subchapter; and
[(ii) related information security policies,
procedures, standards, and guidelines; and
[(C) separate presentations, as appropriate,
regarding information security relating to national
security systems.
[(b) Subject to subsection (c)--
[(1) for each agency with an Inspector General
appointed under the Inspector General Act of 1978, the
annual evaluation required by this section shall be
performed by the Inspector General or by an independent
external auditor, as determined by the Inspector
General of the agency; and
[(2) for each agency to which paragraph (1) does not
apply, the head of the agency shall engage an
independent external auditor to perform the evaluation.
[(c) For each agency operating or exercising control of a
national security system, that portion of the evaluation
required by this section directly relating to a national
security system shall be performed--
[(1) only by an entity designated by the agency head;
and
[(2) in such a manner as to ensure appropriate
protection for information associated with any
information security vulnerability in such system
commensurate with the risk and in accordance with all
applicable laws.
[(d) The evaluation required by this section--
[(1) shall be performed in accordance with generally
accepted government auditing standards; and
[(2) may be based in whole or in part on an audit,
evaluation, or report relating to programs or practices
of the applicable agency.
[(e) The results of an evaluation required by this section
shall be submitted to the Director no later than March 1, 2003,
and every March 1 thereafter.
[(f) Agencies and evaluators shall take appropriate steps
to ensure the protection of information which, if disclosed,
may adversely affect information security. Such protections
shall be commensurate with the risk and comply with all
applicable laws and regulations.
[(g)(1) The Director shall summarize the results of the
evaluations conducted under this section in a report to
Congress.
[(2) The Director's report to Congress under this
subsection shall summarize information regarding information
security relating to national security systems in such a manner
as to ensure appropriate protection for information associated
with any information security vulnerability in such system
commensurate with the risk and in accordance with all
applicable laws.
[(3) Evaluations and any other descriptions of information
systems under the authority and control of the Director of
Central Intelligence or of National Foreign Intelligence
Programs systems under the authority and control of the
Secretary of Defense shall be made available to Congress only
through the appropriate oversight committees of Congress, in
accordance with applicable laws.
[(h) The Comptroller General shall periodically evaluate
and report to Congress on--
[(1) the adequacy and effectiveness of agency
information security policies and practices; and
[(2) implementation of the requirements of this
subchapter.
[SEC. 3546. FEDERAL INFORMATION SECURITY INCIDENT CENTER.
[(a) The Director shall cause to be established and
operated a central Federal information security incident center
to--
[(1) provide timely technical assistance to operators
of agency information systems regarding security
incidents, including guidance on detecting and handling
information security incidents;
[(2) compile and analyze information about incidents
that threaten information security;
[(3) inform operators of agency information systems
about current and potential information security
threats, and vulnerabilities; and
[(4) consult with agencies or offices operating or
exercising control of national security systems
(including the National Security Agency) and such other
agencies or offices in accordance with law and as
directed by the President regarding information
security incidents and related matters.
[(b) Each agency operating or exercising control of a
national security system shall share information about
information security incidents, threats, and vulnerabilities
with the Federal information security incident center to the
extent consistent with standards and guidelines for national
security systems, issued in accordance with law and as directed
by the President.
[SEC. 3547. NATIONAL SECURITY SYSTEMS.
[The head of each agency operating or exercising control of
a national security system shall be responsible for ensuring
that the agency--
[(1) provides information security protections
commensurate with the risk and magnitude of the harm
resulting from the unauthorized use, disclosure,
disruption, modification, or destruction of the
information contained in such system;
[(2) implements information security policies and
practices as required by standards and guidelines for
national security systems, issued in accordance with
law and as directed by the President; and
[(3) complies with the requirements of this
subchapter.
[SEC. 3548. AUTHORIZATION OF APPROPRIATIONS.
[There are authorized to be appropriated to carry out the
provisions of this subchapter such sums as may be necessary for
each of fiscal years 2003 through 2007.]
Subchapter II--Information Security
SEC. 3551. PURPOSES.
The purposes of this subchapter are to--
(1) provide a comprehensive framework for ensuring
the effectiveness of information security controls over
information resources that support Federal operations
and assets;
(2) recognize the highly networked nature of the
current Federal computing environment and provide
effective government-wide management and oversight of
the related information security risks, including
coordination of information security efforts throughout
the civilian, national security, and law enforcement
communities;
(3) provide for development and maintenance of
minimum controls required to protect Federal
information and information systems;
(4) provide a mechanism for improved oversight of
Federal agency information security programs;
(5) acknowledge that commercially developed
information security products offer advanced, dynamic,
robust, and effective information security solutions,
reflecting market solutions for the protection of
critical information infrastructures important to the
national defense and economic security of the nation
that are designed, built, and operated by the private
sector; and
(6) recognize that the selection of specific
technical hardware and software information security
solutions should be left to individual agencies from
among commercially developed products.
SEC. 3552. DEFINITIONS.
(a) In General.--Except as provided under subsection (b),
the definitions under section 3502 shall apply to this
subchapter.
(b) Additional Definitions.--As used in this subchapter:
(1) The term ``binding operational directive'' means
a compulsory direction to an agency that is in
accordance with policies, principles, standards, and
guidelines issued by the Director.
(2) The term ``incident'' means an occurrence that--
(A) actually or imminently jeopardizes,
without lawful authority, the integrity,
confidentiality, or availability of information
or an information system; or
(B) constitutes a violation or imminent
threat of violation of law, security policies,
security procedures, or acceptable use
policies.
(3) The term ``information security'' means
protecting information and information systems from
unauthorized access, use, disclosure, disruption,
modification, or destruction in order to provide--
(A) integrity, which means guarding against
improper information modification or
destruction, and includes ensuring information
nonrepudiation and authenticity;
(B) confidentiality, which means preserving
authorized restrictions on access and
disclosure, including means for protecting
personal privacy and proprietary information;
and
(C) availability, which means ensuring timely
and reliable access to and use of information.
(4) The term ``information technology'' has the
meaning given that term in section 11101 of title 40.
(5) The term ``intelligence community'' has the
meaning given that term in section 3(4) of the National
Security Act of 1947 (50 U.S.C. 3003(4)).
(6)(A) The term ``national security system'' means
any information system (including any
telecommunications system) used or operated by an
agency or by a contractor of an agency, or other
organization on behalf of an agency--
(i) the function, operation, or use of
which--
(I) involves intelligence activities;
(II) involves cryptologic activities
related to national security;
(III) involves command and control of
military forces;
(IV) involves equipment that is an
integral part of a weapon or weapons
system; or
(V) subject to subparagraph (B), is
critical to the direct fulfillment of
military or intelligence missions; or
(ii) is protected at all times by procedures
established for information that have been
specifically authorized under criteria
established by an Executive order or an Act of
Congress to be kept classified in the interest
of national defense or foreign policy.
(B) Subparagraph (A)(i)(V) does not include a system
that is to be used for routine administrative and
business applications (including payroll, finance,
logistics, and personnel management applications).
(7) The term ``Secretary'' means the Secretary of
Homeland Security.
SEC. 3553. AUTHORITY AND FUNCTIONS OF THE DIRECTOR AND THE SECRETARY.
(a) Director.--The Director shall oversee agency
information security policies, including--
(1) developing and overseeing the implementation of
policies, principles, standards, and guidelines on
information security, including through ensuring timely
agency adoption of and compliance with standards
promulgated under section 11331 of title 40;
(2) requiring agencies, consistent with the standards
promulgated under such section 11331 and the
requirements of this subchapter, to identify and
provide information security protections commensurate
with the risk and magnitude of the harm resulting from
the unauthorized access, use, disclosure, disruption,
modification, or destruction of--
(A) information collected or maintained by or
on behalf of an agency; or
(B) information systems used or operated by
an agency or by a contractor of an agency or
other organization on behalf of an agency;
(3) ensuring that the Secretary carries out the
authorities and functions under subsection (b);
(4) coordinating the development of standards and
guidelines under section 20 of the National Institute
of Standards and Technology Act (15 U.S.C. 278g-3) with
agencies and offices operating or exercising control of
national security systems (including the National
Security Agency) to assure, to the maximum extent
feasible, that such standards and guidelines are
complementary with standards and guidelines developed
for national security systems;
(5) overseeing agency compliance with the
requirements of this subchapter, including through any
authorized action under section 11303 of title 40, to
enforce accountability for compliance with such
requirements;
(6) coordinating information security policies and
procedures with related information resources
management policies and procedures; and
(7) consulting with the Secretary in carrying out the
authorities and functions under this subsection.
(b) Secretary.--The Secretary, in consultation with the
Director, shall oversee the operational aspects of agency
information security policies and practices for information
systems, except for national security systems and information
systems described in paragraph (2) or (3) of subsection (e),
including--
(1) assisting the Director in carrying out the
authorities and functions under subsection (a);
(2) developing and overseeing the implementation of
binding operational directives to agencies to implement
the policies, principles, standards, and guidelines
developed by the Director under subsection (a)(1) and
the requirements of this subchapter, which may be
repealed by the Director if the operational directives
issued on behalf of the Director are not in accordance
with policies, principles, standards, and guidelines
developed by the Director, including--
(A) requirements for reporting security
incidents to the Federal information security
incident center established under section 3556;
(B) requirements for the contents of the
annual reports required to be submitted under
section 3554(c)(1);
(C) requirements for the mitigation of
exigent risks to information systems; and
(D) other operational requirements as the
Director or Secretary may determine necessary;
(3) monitoring agency implementation of information
security policies and practices;
(4) convening meetings with senior agency officials
to help ensure effective implementation of information
security policies and practices;
(5) coordinating Government-wide efforts on
information security policies and practices, including
consultation with the Chief Information Officers
Council established under section 3603;
(6) providing operational and technical assistance to
agencies in implementing policies, principles,
standards, and guidelines on information security,
including implementation of standards promulgated under
section 11331 of title 40, including by--
(A) operating the Federal information
security incident center established under
section 3556;
(B) upon request by an agency, deploying
technology to assist the agency to continuously
diagnose and mitigate against cyber threats and
vulnerabilities, with or without reimbursement;
(C) compiling and analyzing data on agency
information security; and
(D) developing and conducting targeted
operational evaluations, including threat and
vulnerability assessments, on the information
systems; and
(7) other actions as the Secretary may determine
necessary to carry out this subsection on behalf of the
Director.
(c) Report.--Not later than March 1 of each year, the
Director, in consultation with the Secretary, shall submit to
Congress a report on the effectiveness of information security
policies and practices during the preceding year, including--
(1) a summary of the incidents described in the
annual reports required to be submitted under section
3554(c)(1), including a summary of the information
required under section 3554(c)(1)(A)(iii);
(2) a description of the threshold for reporting
major information security incidents;
(3) a summary of the results of evaluations required
to be performed under section 3555;
(4) an assessment of agency compliance with standards
promulgated under section 11331 of title 40; and
(5) an assessment of agency compliance with the
policies and procedures established under section
3559(a).
(d) National Security Systems.--Except for the authorities
and functions described in subsection (a)(4) and subsection
(c), the authorities and functions of the Director and the
Secretary under this section shall not apply to national
security systems.
(e) Department of Defense and Intelligence Community
Systems.--(1) The authorities of the Director described in
paragraphs (1) and (2) of subsection (a) shall be delegated to
the Secretary of Defense in the case of systems described in
paragraph (2) and to the Director of National Intelligence in
the case of systems described in paragraph (3).
(2) The systems described in this paragraph are systems
that are operated by the Department of Defense, a contractor of
the Department of Defense, or another entity on behalf of the
Department of Defense that processes any information the
unauthorized access, use, disclosure, disruption, modification,
or destruction of which would have a debilitating impact on the
mission of the Department of Defense.
(3) The systems described in this paragraph are systems
that are operated by an element of the intelligence community,
a contractor of an element of the intelligence community, or
another entity on behalf of an element of the intelligence
community that processes any information the unauthorized
access, use, disclosure, disruption, modification, or
destruction of which would have a debilitating impact on the
mission of an element of the intelligence community.
SEC. 3554. FEDERAL AGENCY RESPONSIBILITIES.
(a) In General.--The head of each agency shall--
(1) be responsible for--
(A) providing information security
protections commensurate with the risk and
magnitude of the harm resulting from
unauthorized access, use, disclosure,
disruption, modification, or destruction of--
(i) information collected or
maintained by or on behalf of the
agency; and
(ii) information systems used or
operated by an agency or by a
contractor of an agency or other
organization on behalf of an agency;
(B) complying with the requirements of this
subchapter and related policies, procedures,
standards, and guidelines, including--
(i) information security standards
promulgated under section 11331 of
title 40;
(ii) operational directives developed
by the Secretary under section 3553(b);
(iii) policies and procedures issued
by the Director under section 3559; and
(iv) information security standards
and guidelines for national security
systems issued in accordance with law
and as directed by the President; and
(C) ensuring that information security
management processes are integrated with agency
strategic and operational planning processes;
(2) ensure that senior agency officials provide
information security for the information and
information systems that support the operations and
assets under their control, including through--
(A) assessing the risk and magnitude of the
harm that could result from the unauthorized
access, use, disclosure, disruption,
modification, or destruction of such
information or information systems;
(B) determining the levels of information
security appropriate to protect such
information and information systems in
accordance with standards promulgated under
section 11331 of title 40, for information
security classifications and related
requirements;
(C) implementing policies and procedures to
cost-effectively reduce risks to an acceptable
level; and
(D) periodically testing and evaluating
information security controls and techniques to
ensure that they are effectively implemented;
(3) delegate to the agency Chief Information Officer
established under section 3506 (or comparable official
in an agency not covered by such section) the authority
to ensure compliance with the requirements imposed on
the agency under this subchapter, including--
(A) designating a senior agency information
security officer who shall--
(i) carry out the Chief Information
Officer's responsibilities under this
section;
(ii) possess professional
qualifications, including training and
experience, required to administer the
functions described under this section;
(iii) have information security
duties as that official's primary duty;
and
(iv) head an office with the mission
and resources to assist in ensuring
agency compliance with this section;
(B) developing and maintaining an agency-wide
information security program as required by
subsection (b);
(C) developing and maintaining information
security policies, procedures, and control
techniques to address all applicable
requirements, including those issued under
section 3553 of this title and section 11331 of
title 40;
(D) training and overseeing personnel with
significant responsibilities for information
security with respect to such responsibilities;
and
(E) assisting senior agency officials
concerning their responsibilities under
paragraph (2);
(4) ensure that the agency has trained personnel
sufficient to assist the agency in complying with the
requirements of this subchapter and related policies,
procedures, standards, and guidelines;
(5) ensure that the agency Chief Information Officer,
in coordination with other senior agency officials,
reports annually to the agency head on the
effectiveness of the agency information security
program, including progress of remedial actions;
(6) ensure that senior agency officials, including
chief information officers of component agencies or
equivalent officials, carry out responsibilities under
this subchapter as directed by the official delegated
authority under paragraph (3); and
(7) ensure that all personnel are held accountable
for complying with the agency-wide information security
program implemented under subsection (b).
(b) Agency Program.--Each agency shall develop, document,
and implement an agency-wide information security program to
provide information security for the information and
information systems that support the operations and assets of
the agency, including those provided or managed by another
agency, contractor, or other source, that includes--
(1) periodic assessments of the risk and magnitude of
the harm that could result from the unauthorized
access, use, disclosure, disruption, modification, or
destruction of information and information systems that
support the operations and assets of the agency;
(2) policies and procedures that--
(A) are based on the risk assessments
required by paragraph (1);
(B) cost-effectively reduce information
security risks to an acceptable level;
(C) ensure that information security is
addressed throughout the life cycle of each
agency information system; and
(D) ensure compliance with--
(i) the requirements of this
subchapter;
(ii) policies and procedures as may
be prescribed by the Director, and
information security standards
promulgated under section 11331 of
title 40;
(iii) minimally acceptable system
configuration requirements, as
determined by the agency; and
(iv) any other applicable
requirements, including standards and
guidelines for national security
systems issued in accordance with law
and as directed by the President;
(3) subordinate plans for providing adequate
information security for networks, facilities, and
systems or groups of information systems, as
appropriate;
(4) security awareness training to inform personnel,
including contractors and other users of information
systems that support the operations and assets of the
agency, of--
(A) information security risks associated
with their activities; and
(B) their responsibilities in complying with
agency policies and procedures designed to
reduce these risks;
(5) periodic testing and evaluation of the
effectiveness of information security policies,
procedures, and practices, to be performed with a
frequency depending on risk, but no less than annually,
of which such testing--
(A) shall include testing of management,
operational, and technical controls of every
information system identified in the inventory
required under section 3505(c); and
(B) may include testing relied on in an
evaluation under section 3555;
(6) a process for planning, implementing, evaluating,
and documenting remedial action to address any
deficiencies in the information security policies,
procedures, and practices of the agency;
(7) procedures for detecting, reporting, and
responding to security incidents, consistent with
standards and guidelines described in section 3556(b),
including--
(A) mitigating risks associated with such
incidents before substantial damage is done;
(B) notifying and consulting with the Federal
information security incident center
established in section 3556; and
(C) notifying and consulting with, as
appropriate--
(i) law enforcement agencies and
relevant Offices of Inspector General;
(ii) an office designated by the
President for any incident involving a
national security system;
(iii) the committees of Congress
described in subsection (c)(1)--
(I) not later than 7 days
after the date on which the
incident is discovered; and
(II) after the initial
notification under subclause
(I), within a reasonable period
of time after additional
information relating to the
incident is discovered; and
(iv) any other agency or office, in
accordance with law or as directed by
the President; and
(8) plans and procedures to ensure continuity of
operations for information systems that support the
operations and assets of the agency.
(c) Agency Reporting.--
(1) Annual report.--
(A) In general.--Each agency shall submit to
the Director, the Secretary, the Committee on
Government Reform, the Committee on Homeland
Security, and the Committee on Science of the
House of Representatives, the Committee on
Homeland Security and Governmental Affairs and
the Committee on Commerce, Science, and
Transportation of the Senate, the appropriate
authorization and appropriations committees of
Congress, and the Comptroller General a report
on the adequacy and effectiveness of
information security policies, procedures, and
practices, including--
(i) a description of each major
information security incident or
related sets of incidents, including
summaries of--
(I) the threats and threat
actors, vulnerabilities, and
impacts relating to the
incident;
(II) the risk assessments
conducted under section
3554(a)(2)(A) of the affected
information systems before the
date on which the incident
occurred; and
(III) the detection,
response, and remediation
actions;
(ii) the total number of information
security incidents, including a
description of incidents resulting in
significant compromise of information
security, system impact levels, types
of incident, and locations of affected
systems;
(iii) a description of each major
information security incident that
involved a breach of personally
identifiable information, including--
(I) the number of individuals
whose information was affected
by the major information
security incident; and
(II) a description of the
information that was breached
or exposed; and
(iv) any other information as the
Secretary may require.
(B) Unclassified report.--
(i) In general.--Each report
submitted under subparagraph (A) shall
be in unclassified form, but may
include a classified annex.
(ii) Access to information.--The head
of an agency shall ensure that, to the
greatest extent practicable,
information is included in the
unclassified version of the reports
submitted by the agency under
subparagraph (A).
(2) Other plans and reports.--Each agency shall
address the adequacy and effectiveness of information
security policies, procedures, and practices in
management plans and reports.
(d) Performance Plan.--(1) In addition to the requirements
of subsection (c), each agency, in consultation with the
Director, shall include as part of the performance plan
required under section 1115 of title 31 a description of--
(A) the time periods; and
(B) the resources, including budget, staffing, and
training,
that are necessary to implement the program required under
subsection (b).
(2) The description under paragraph (1) shall be based on
the risk assessments required under subsection (b)(1).
(e) Public Notice and Comment.--Each agency shall provide
the public with timely notice and opportunities for comment on
proposed information security policies and procedures to the
extent that such policies and procedures affect communication
with the public.
SEC. 3555. ANNUAL INDEPENDENT EVALUATION.
(a) In General.--(1) Each year each agency shall have
performed an independent evaluation of the information security
program and practices of that agency to determine the
effectiveness of such program and practices.
(2) Each evaluation under this section shall include--
(A) testing of the effectiveness of information
security policies, procedures, and practices of a
representative subset of the agency's information
systems;
(B) an assessment of the effectiveness of the
information security policies, procedures, and
practices of the agency; and
(C) separate presentations, as appropriate, regarding
information security relating to national security
systems.
(b) Independent Auditor.--Subject to subsection (c)--
(1) for each agency with an Inspector General
appointed under the Inspector General Act of 1978, the
annual evaluation required by this section shall be
performed by the Inspector General or by an independent
external auditor, as determined by the Inspector
General of the agency; and
(2) for each agency to which paragraph (1) does not
apply, the head of the agency shall engage an
independent external auditor to perform the evaluation.
(c) National Security Systems.--For each agency operating
or exercising control of a national security system, that
portion of the evaluation required by this section directly
relating to a national security system shall be performed--
(1) only by an entity designated by the agency head;
and
(2) in such a manner as to ensure appropriate
protection for information associated with any
information security vulnerability in such system
commensurate with the risk and in accordance with all
applicable laws.
(d) Existing Evaluations.--The evaluation required by this
section may be based in whole or in part on an audit,
evaluation, or report relating to programs or practices of the
applicable agency.
(e) Agency Reporting.--(1) Each year, not later than such
date established by the Director, the head of each agency shall
submit to the Director the results of the evaluation required
under this section.
(2) To the extent an evaluation required under this section
directly relates to a national security system, the evaluation
results submitted to the Director shall contain only a summary
and assessment of that portion of the evaluation directly
relating to a national security system.
(f) Protection of Information.--Agencies and evaluators
shall take appropriate steps to ensure the protection of
information which, if disclosed, may adversely affect
information security. Such protections shall be commensurate
with the risk and comply with all applicable laws and
regulations.
(g) OMB Reports to Congress.--(1) The Director shall
summarize the results of the evaluations conducted under this
section in the report to Congress required under section
3553(c).
(2) The Director's report to Congress under this subsection
shall summarize information regarding information security
relating to national security systems in such a manner as to
ensure appropriate protection for information associated with
any information security vulnerability in such system
commensurate with the risk and in accordance with all
applicable laws.
(3) Evaluations and any other descriptions of information
systems under the authority and control of the Director of
Central Intelligence or of National Foreign Intelligence
Programs systems under the authority and control of the
Secretary of Defense shall be made available to Congress only
through the appropriate oversight committees of Congress, in
accordance with applicable laws.
(h) Comptroller General.--The Comptroller General shall
periodically evaluate and report to Congress on--
(1) the adequacy and effectiveness of agency
information security policies and practices; and
(2) implementation of the requirements of this
subchapter.
(i) Assessment Technical Assistance.--The Comptroller
General may provide technical assistance to an Inspector
General or the head of an agency, as applicable, to assist the
Inspector General or head of an agency in carrying out the
duties under this section, including by testing information
security controls and procedures.
SEC. 3556. FEDERAL INFORMATION SECURITY INCIDENT CENTER.
(a) In General.--The Secretary shall ensure the operation
of a central Federal information security incident center to--
(1) provide timely technical assistance to operators
of agency information systems regarding security
incidents, including guidance on detecting and handling
information security incidents;
(2) compile and analyze information about incidents
that threaten information security;
(3) inform operators of agency information systems
about current and potential information security
threats, and vulnerabilities;
(4) provide, as appropriate, intelligence and other
information about cyber threats, vulnerabilities, and
incidents to agencies to assist in risk assessments
conducted under section 3554(b); and
(5) consult with the National Institute of Standards
and Technology, agencies or offices operating or
exercising control of national security systems
(including the National Security Agency), and such
other agencies or offices in accordance with law and as
directed by the President regarding information
security incidents and related matters.
(b) National Security Systems.--Each agency operating or
exercising control of a national security system shall share
information about information security incidents, threats, and
vulnerabilities with the Federal information security incident
center to the extent consistent with standards and guidelines
for national security systems, issued in accordance with law
and as directed by the President.
SEC. 3557. NATIONAL SECURITY SYSTEMS.
The head of each agency operating or exercising control of
a national security system shall be responsible for ensuring
that the agency--
(1) provides information security protections
commensurate with the risk and magnitude of the harm
resulting from the unauthorized access, use,
disclosure, disruption, modification, or destruction of
the information contained in such system;
(2) implements information security policies and
practices as required by standards and guidelines for
national security systems, issued in accordance with
law and as directed by the President; and
(3) complies with the requirements of this
subchapter.
SEC. 3558. EFFECT ON EXISTING LAW.
Nothing in this subchapter, section 11331 of title 40, or
section 20 of the National Standards and Technology Act (15
U.S.C. 278g-3) may be construed as affecting the authority of
the President, the Office of Management and Budget or the
Director thereof, the National Institute of Standards and
Technology, or the head of any agency, with respect to the
authorized use or disclosure of information, including with
regard to the protection of personal privacy under section 552a
of title 5, the disclosure of information under section 552 of
title 5, the management and disposition of records under
chapters 29, 31, or 33 of title 44, the management of
information resources under subchapter I of chapter 35 of this
title, or the disclosure of information to the Congress or the
Comptroller General of the United States.
SEC. 3559. PRIVACY BREACH REQUIREMENTS.
(a) Policies and Procedures.--The Director, in consultation
with the Secretary, shall establish and oversee policies and
procedures for agencies to follow in the event of a breach of
information security involving the disclosure of personally
identifiable information, including requirements for--
(1) timely notice to affected individuals based on a
determination of the level of risk and consistent with
law enforcement and national security considerations;
(2) timely reporting to the Federal information
security incident center established under section 3556
or other Federal cybersecurity center, as designated by
the Director;
(3) timely notice to committees of Congress with
jurisdiction over cybersecurity; and
(4) such additional actions as the Director may
determine necessary and appropriate, including the
provision of risk mitigation measures to affected
individuals.
(b) Considerations.--In carrying out subsection (a), the
Director shall consider recommendations made by the Government
Accountability Office, including recommendations in the
December 2013 Government Accountability Office report entitled
``Information Security: Agency Responses to Breaches of
Personally Identifiable Information Need to Be More
Consistent'' (GAO-14-34).
(c) Required Agency Action.--The head of each agency shall
ensure that actions taken in response to a breach of
information security involving the disclosure of personally
identifiable information under the authority or control of the
agency comply with policies and procedures established under
subsection (a).
(d) Timeliness.--
(1) In general.--Except as provided in paragraph (2),
the policies and procedures established under
subsection (a) shall require that the notice to
affected individuals required under subsection (a)(1)
be made without unreasonable delay and with
consideration of the likely risk of harm and the level
of impact, but not later than 60 days after the date on
which the head of an agency discovers the breach of
information security involving the disclosure of
personally identifiable information.
(2) Delay.--The Attorney General, the head of an
element of the intelligence community (as such term is
defined under section 3(4) of the National Security Act
of 1947 (50 U.S.C. 3003(4)), or the Secretary may delay
the notice to affected individuals under subsection
(a)(1) for not more than 180 days, if the notice would
disrupt a law enforcement investigation, endanger
national security, or hamper security remediation
actions from the breach of information security
involving the disclosure of personally identifiable
information.
HOMELAND SECURITY ACT OF 2002
* * * * * * *
TITLE X--INFORMATION SECURITY
SEC. 1001. INFORMATION SECURITY.
(a) * * *
* * * * * * *
(c) Information Security Responsibilities of Certain
Agencies.--
(1) National security responsibilities--(A) Nothing
in this Act (including any amendment made by this Act)
shall supersede any authority of the Secretary of
Defense, the Director of Central Intelligence, or other
agency head, as authorized by law and as directed by
the President, with regard to the operation, control,
or management of national security systems, as defined
by [section 3532(3)] section 3552(b) of title 44,
United States Code.
* * * * * * *
TITLE 10, UNITED STATES CODE
* * * * * * *
Subtitle A--General Military Law
* * * * * * *
PART IV--SERVICE, SUPPLY, AND PROCUREMENT
* * * * * * *
CHAPTER 131--PLANNING AND COORDINATION
SEC. 2222. DEFENSE BUSINESS SYSTEMS: ARCHITECTURE, ACCOUNTABILITY, AND
MODERNIZATION.
(a) * * *
* * * * * * *
(j) Definitions.--In this section:
(1) * * *
* * * * * * *
(5) The term ``national security system'' has the
meaning given that term in [section 3542(b)(2)] section
3552(b) of title 44.
* * * * * * *
SEC. 2223. INFORMATION TECHNOLOGY: ADDITIONAL RESPONSIBILITIES OF CHIEF
INFORMATION OFFICERS.
(a) * * *
* * * * * * *
(c) Definitions.--
(1) * * *
* * * * * * *
(3) The term ``national security system'' has the
meaning given that term by [section 3542(b)(2)] section
3552(b) of title 44.
* * * * * * *
CHAPTER 137--PROCUREMENT GENERALLY
* * * * * * *
SEC. 2315. LAW INAPPLICABLE TO THE PROCUREMENT OF AUTOMATIC DATA
PROCESSING EQUIPMENT AND SERVICES FOR CERTAIN
DEFENSE PURPOSES.
For purposes of subtitle III of title 40, the term
``national security system'', with respect to a
telecommunications and information system operated by the
Department of Defense, has the meaning given that term by
[section 3542(b)(2)] section 3552(b) of title 44.
* * * * * * *
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY ACT
* * * * * * *
Sec. 20. (a) The Institute shall--
(1) * * *
(2) develop standards and guidelines, including
minimum requirements, for information systems used or
operated by an agency or by a contractor of an agency
or other organization on behalf of an agency, other
than national security systems (as defined in [section
3532(b)(2)] section 3552(b) of title 44, United States
Code);
* * * * * * *
(e) As used in this section--
(1) * * *
(2) the term ``information security'' has the same
meaning as provided in [section 3532(1)] section
3552(b) of such title;
* * * * * * *
(5) the term ``national security system'' has the
same meaning as provided in [section 3532(b)(2)]
section 3552(b) of such title.
* * * * * * *
CYBER SECURITY RESEARCH AND DEVELOPMENT ACT
* * * * * * *
SEC. 8. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY PROGRAMS.
(a) * * *
* * * * * * *
(d) Federal Agency Information Security Programs.--
(1) In general.--In developing the agency-wide
information security program required by [section
3534(b)] section 3554(b) of title 44, United States
Code, an agency that deploys a computer hardware or
software system for which the Director of the National
Institute of Standards and Technology has developed a
checklist under subsection (c) of this section--
(A) * * *
* * * * * * *