[Senate Report 114-361]
[From the U.S. Government Publishing Office]

Calendar No. 647
114th Congress, 2d Session
SENATE
Report 114-361
______________________________________________________________________

FEDERAL INFORMATION SYSTEMS SAFEGUARDS ACT OF 2016

__________

REPORT
of the
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 2975

TO PROVIDE AGENCIES WITH DISCRETION IN SECURING INFORMATION TECHNOLOGY AND INFORMATION SYSTEMS

September 27, 2016.--Ordered to be printed

______

U.S. GOVERNMENT PUBLISHING OFFICE
59-010 WASHINGTON : 2016

COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona
THOMAS R. CARPER, Delaware
ROB PORTMAN, Ohio
CLAIRE McCASKILL, Missouri
RAND PAUL, Kentucky
JON TESTER, Montana
JAMES LANKFORD, Oklahoma
TAMMY BALDWIN, Wisconsin
MICHAEL B. ENZI, Wyoming
HEIDI HEITKAMP, North Dakota
KELLY AYOTTE, New Hampshire
CORY A. BOOKER, New Jersey
JONI ERNST, Iowa
GARY C. PETERS, Michigan
BEN SASSE, Nebraska

Christopher R. Hixon, Staff Director
Gabrielle D'Adamo Singer, Chief Counsel
Daniel P. Lips, Policy Director
Gabrielle A. Batkin, Minority Staff Director
John P. Kilvington, Minority Deputy Staff Director
Mary Beth Schultz, Minority Chief Counsel
John A. Kane, Minority Senior Governmental Affairs Advisor
Laura W. Kilbride, Chief Clerk

======================================================================

Mr. Johnson, from the Committee on Homeland Security and Governmental Affairs, submitted the following

REPORT

[To accompany S. 2975]

The Committee on Homeland Security and Governmental Affairs, to which was referred the bill (S. 2975) to provide agencies with discretion in securing information technology and information systems, having considered the same, reports favorably thereon with amendments and recommends that the bill, as amended, do pass.

CONTENTS

I. Purpose and Summary
II. Background and Need for the Legislation
III. Legislative History
IV. Section-by-Section Analysis
V. Evaluation of Regulatory Impact
VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported

I. PURPOSE AND SUMMARY

The purpose of S. 2975, the Federal Information Systems Safeguards Act of 2016, is to strengthen Federal cybersecurity by providing agencies greater discretion to secure their information technology and information systems. The legislation clarifies agency heads' authority to limit, restrict, or prohibit access to websites that may present a current or future security weakness or risk to the agency's information system.

II. BACKGROUND AND THE NEED FOR LEGISLATION

Information security is a significant and persistent challenge for the Federal Government. The Government Accountability Office (GAO) has repeatedly identified weaknesses in Federal agencies' information security programs and compliance with Federal information security policies and practices.
In September 2015, GAO reported that information security remains a persistent weakness at twenty-four Federal agencies.\1\ In February 2015, GAO reported that ``federal cyber assets'' have been identified as high-risk since 1997.\2\ The current cybersecurity threat has grown due, in part, to the proliferation of increasingly sophisticated threat actors with the expertise and resources to defeat cyber defenses.\3\ In 2016, the Office of Management and Budget alerted Congress that Federal agencies reported more than 77,000 security incidents during fiscal year (FY) 2015, an increase of ten percent over the prior year.\4\
---------------------------------------------------------------------------
\1\Gov't Accountability Office, GAO-15-714, Federal Information Security: Agencies Need to Correct Weaknesses and Fully Implement Security Programs (Sept. 2015), available at http://www.gao.gov/assets/680/672801.pdf.
\2\Id.
\3\Id.
\4\Office of Management and Budget, Annual Report to Congress: Federal Information Security Modernization Act (Mar. 18, 2016).
---------------------------------------------------------------------------

Federal agencies identify nation-state actors as the most serious cybersecurity threat they face. In May 2016, GAO reported that 18 agencies that have high-impact systems--those where the loss of information can have a severe impact on the nation or affected individuals--identified foreign nations as the most serious and most frequently occurring threat.\5\
---------------------------------------------------------------------------
\5\Gov't Accountability Office, GAO-16-501, Information Security: Agencies Need to Improve Controls Over Selected High-Impact Systems (May 2016), available at http://www.gao.gov/products/GAO-16-501.
---------------------------------------------------------------------------

In 2015, the nation learned that a sophisticated threat actor had penetrated the information system of the Office of Personnel Management (OPM), exfiltrating data that included millions of sensitive records about Federal employees, including employee background investigations.\6\ In the aftermath of the OPM breach, OPM instituted a new policy prohibiting its employees from accessing certain websites, including Gmail and Facebook, from their work computers.\7\ An OPM spokesperson described the change as a response to the breach and to cybersecurity threats:
---------------------------------------------------------------------------
\6\Under Attack: Cybersecurity and the OPM Data Breach: Hearing Before the Comm. on Homeland Sec. & Governmental Affairs, 114th Cong. (2015).
\7\Statement of Samuel Schumach, Press Secretary, Office of Personnel Management, July 2, 2015.
---------------------------------------------------------------------------

    As is the case throughout the Federal government, agencies monitor the use of official computers and other devices. In addition, at OPM, we provide guidance on the use of computers and conduct yearly training. Out of caution, and in light of the recent breaches, OPM has recently tightened restrictions on internet access using web security technology. As we move forward with security measures which will ensure both agency and individual security, OPM will continue to monitor and make adjustments to our web security policies.\8\
---------------------------------------------------------------------------
\8\Id.
---------------------------------------------------------------------------
Seven months later, during her February 2016 confirmation hearing, OPM Acting Director Beth Cobert explained the reasoning behind OPM's decision to limit employees' access to certain websites:

    As the world of cybersecurity is changing, as we recognize the nature of these threats, we all need to change the way we interact, the way we use systems at work and at home. What we have done at OPM, and I think what is important for every agency to do, is to recognize what needs to change in the way they operate, what needs to change in the way their employees operate to make sure systems are secure. At OPM, for example, I cannot access my personal Gmail account from my OPM computer. That is the way a lot of threats come in.\9\
---------------------------------------------------------------------------
\9\Nomination of the Honorable Beth F. Cobert to be Director, Office of Personnel Management: Hearing Before S. Comm. on Homeland Sec. & Governmental Affairs, 114th Cong. (2016).
---------------------------------------------------------------------------

However, Federal employee labor unions have raised concerns that such measures could have an adverse impact on Federal employees. In 2011, U.S. Immigration and Customs Enforcement (ICE) imposed a similar policy limiting employees' access to personal email from their workstations in order to improve cybersecurity.\10\ The American Federation of Government Employees (AFGE) filed a grievance against ICE with the Federal Labor Relations Authority (FLRA).\11\ The AFGE's grievance alleged that the agency's decision to block access to certain websites on employees' computers unlawfully bypassed the collective bargaining process.\12\
---------------------------------------------------------------------------
\10\U.S. Department of Homeland Security Immigration and Customs Enforcement and American Federation of Government Employees National Immigration and Customs Enforcement Council 118, 67 F.L.R.A. 126 (July 8, 2014).
\11\Id.
\12\Id.
---------------------------------------------------------------------------

On July 8, 2014, the FLRA issued a decision ruling that the agency was required to bargain with the union before changing the cybersecurity policy in this case.\13\ The FLRA held that Federal employees' legal requirement to protect Federal information under the Federal Information Security Management Act (FISMA) did not give the agency sole and exclusive discretion to implement network-access policies affecting employees without first satisfying its bargaining obligations with the union.\14\
---------------------------------------------------------------------------
\13\Id.
\14\Id.
---------------------------------------------------------------------------

Although the remedy provided by the arbitrator and affirmed by the FLRA in this case directed bargaining over only the ``impact and implementation'' of the agency's decision to block webmail access, the decision has raised concerns that the remedy in a future case could include a requirement that an agency restore access and engage in pre-implementation bargaining. Agency heads and their chief information officers must be able to act quickly to respond to threats and to address perceived weaknesses and vulnerabilities in their information systems. Failure to successfully defend against cyberattacks can have significant consequences for the nation and, in cases such as the OPM breach, for millions of Federal employees. The Federal Information Systems Safeguards Act of 2016 will clarify that an agency head may limit, restrict, or prohibit access to certain websites that are determined to present a current or future security risk.
Although such a decision by the agency head is not subject to collective bargaining, the bill as amended requires the agency head, after taking such an action and upon the employees' request, to seek guidance on and take into consideration the personal and work-related communication and access needs of agency employees. The bill further clarifies that this requirement does not establish a right to collective bargaining. The legislation will clarify Federal agency heads' cybersecurity authorities and their discretion to act quickly to protect Federal information systems and, therefore, improve Federal cybersecurity.

III. LEGISLATIVE HISTORY

Senator Joni Ernst introduced the Federal Information Systems Safeguards Act of 2016, S. 2975, on May 23, 2016. The bill was referred to the Senate Homeland Security and Governmental Affairs Committee.

The Committee considered S. 2975 at a business meeting on May 25, 2016. During the business meeting, Senator Ernst offered an amendment, which was modified by a second-degree amendment co-sponsored by Senator Ernst and Senator Carper. The second-degree amendment struck language expressing a sense of the Senate and inserted language clarifying that agency heads shall consider employees' communications needs, upon the request of the employees, after taking an action described in the legislation. The Ernst-Carper second-degree amendment further clarified that nothing in this subsection shall be construed to establish a right to collective bargaining. The Ernst amendment, as amended by the Ernst-Carper second-degree amendment, was adopted by voice vote with Senators Johnson, Portman, Paul, Lankford, Ayotte, Ernst, Sasse, Carper, McCaskill, Tester, Baldwin, Heitkamp, Booker, and Peters present.

S. 2975, as amended, was reported favorably by voice vote with Senators Johnson, Portman, Paul, Lankford, Ayotte, Ernst, Sasse, Carper, McCaskill, Tester, Baldwin, Heitkamp, Booker, and Peters present.

IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED

Section 1. Short title

This section establishes the short title of the bill as the ``Federal Information Systems Safeguards Act of 2016.''

Section 2. Agency discretion to secure information technology and information systems

This section enhances Federal information security by clarifying that any action taken by the head of an agency that is necessary to limit, restrict, or prohibit access to any website the head of the agency determines to present a current or future security weakness or risk to the information technology or information system under the control of the agency shall not be subject to chapter 71 of title 5, United States Code, regarding labor-management relations. The section requires that agency heads shall, upon the request of employees of the agency, take into consideration and seek guidance on the personal communication needs of the employees of the agency. The section includes a rule of construction that nothing in this subsection shall be construed to establish a right to collective bargaining. The section also defines the terms ``agency,'' ``information systems,'' and ``information technology.''

V. EVALUATION OF REGULATORY IMPACT

Pursuant to the requirements of paragraph 11(b) of rule XXVI of the Standing Rules of the Senate, the Committee has considered the regulatory impact of this bill and determined that the bill will have no regulatory impact within the meaning of the rules. The Committee agrees with the Congressional Budget Office's statement that the bill contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act (UMRA) and would impose no costs on state, local, or tribal governments.

VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

U.S. Congress,
Congressional Budget Office,
Washington, DC, June 28, 2016.

Hon. Ron Johnson, Chairman
Committee on Homeland Security and Governmental Affairs,
U.S. Senate, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for S. 2975, the Federal Information Systems Safeguards Act of 2016.

If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Matthew Pickford.

Sincerely,
Keith Hall.

Enclosure.

S. 2975--Federal Information Systems Safeguards Act of 2016

The Federal Information Security Management Act (FISMA) provides a comprehensive framework to protect the security of federal information systems. S. 2975 would clarify that, under FISMA, federal agencies have the sole and exclusive authority to take appropriate and timely actions to secure their information technology and information systems. CBO estimates that while implementing S. 2975 would clarify Congressional intent, it would have no significant effect on the federal budget because it would not expand the duties of executive agencies.

Because enacting the bill could affect direct spending by agencies not funded through annual appropriations, pay-as-you-go procedures apply. CBO estimates, however, that any net change in spending by those agencies would be negligible. Enacting S. 2975 would not affect revenues.

CBO estimates that enacting S. 2975 would not increase direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2027.

S. 2975 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act and would not affect the budgets of state, local, or tribal governments.

On March 24, 2016, CBO transmitted a cost estimate for H.R. 4361, the Federal Information Systems Safeguards Act of 2016, as ordered reported by the House Committee on Oversight and Government Reform on March 1, 2016. The two bills are similar, and CBO's estimates of their budgetary effects are the same.

The CBO staff contact for this estimate is Matthew Pickford. This estimate was approved by H. Samuel Papenfuss, Deputy Assistant Director for Budget Analysis.

VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

Because S. 2975 would not repeal or amend any provision of current law, it would make no changes in existing law within the meaning of clauses (a) and (b) of paragraph 12 of rule XXVI of the Standing Rules of the Senate.