[Senate Report 115-382]
[From the U.S. Government Publishing Office]
Calendar No. 668
115th Congress } { Report
SENATE
2d Session } { 115-382
_______________________________________________________________________
FEDERAL INFORMATION SYSTEMS SAFEGUARDS ACT OF 2018
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 3208
TO PROVIDE AGENCIES WITH DISCRETION IN SECURING
INFORMATION TECHNOLOGY AND INFORMATION SYSTEMS
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
November 26, 2018.--Ordered to be printed
_________
U.S. GOVERNMENT PUBLISHING OFFICE
89-010 WASHINGTON : 2018
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin Chairman
JOHN McCAIN, Arizona CLAIRE McCASKILL, Missouri
ROB PORTMAN, Ohio THOMAS R. CARPER, Delaware
RAND PAUL, Kentucky HEIDI HEITKAMP, North Dakota
JAMES LANKFORD, Oklahoma GARY C. PETERS, Michigan
MICHAEL B. ENZI, Wyoming MAGGIE HASSAN, New Hampshire
JOHN HOEVEN, North Dakota KAMALA D. HARRIS, California
STEVE DAINES, Montana DOUG JONES, Alabama
Christopher R. Hixon, Staff Director
Gabrielle D'Adamo Singer, Chief Counsel
Elliott A. Walden, Professional Staff Member
Margaret E. Daum, Minority Staff Director
Charles A. Moskowitz, Minority Senior Legislative Counsel
Katherine C. Sybenga, Minority Counsel
Laura W. Kilbride, Chief Clerk
Calendar No. 668
115th Congress } { Report
SENATE
2d Session } { 115-382
======================================================================
FEDERAL INFORMATION SYSTEMS SAFEGUARDS
ACT OF 2018
_______
November 26, 2018.--Ordered to be printed
_______
Mr. Johnson, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 3208]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 3208) to provide
agencies with discretion in securing information technology and
information systems, having considered the same, reports
favorably thereon with an amendment in the nature of a
substitute and recommends that the bill, as amended, do pass.
CONTENTS
Page
I. Purpose and Summary..............................................1
II. Background and Need for the Legislation..........................2
III. Legislative History..............................................4
IV. Section-by-Section Analysis......................................4
V. Evaluation of Regulatory Impact..................................5
VI. Congressional Budget Office Cost Estimate.......................5
VII. Changes in Existing Law Made by the Bill, as Reported............6
I. PURPOSE AND SUMMARY
S. 3208, the Federal Information Systems Safeguards Act of
2018, allows executive agencies to take action to protect their
information technology (IT) systems, such as restricting access
to websites the agencies have deemed a security risk, without
regard to Federal employee labor-management relationship
requirements.\1\
---------------------------------------------------------------------------
\1\On May 25, 2016, the Committee approved S. 2975, the Federal
Information Systems Safeguards Act of 2016. That bill is substantially
similar to S. 3208, which has been modified only slightly. Accordingly,
this committee report is in large part a reproduction of Chairman
Johnson's committee report for S. 2975, S. Rep. No. 114-361 (2016).
---------------------------------------------------------------------------
II. BACKGROUND AND NEED FOR THE LEGISLATION
Information security is a significant and persistent
challenge for the Federal Government. The Government
Accountability Office (GAO) has repeatedly identified
weaknesses in Federal agencies' information security programs
and compliance with Federal information security policies and
practices. In September 2015, GAO reported that information
security remains a persistent weakness at twenty-four Federal
agencies.\2\ In February 2015, GAO reported that ``federal
cyber assets'' have been identified as high-risk since 1997.\3\
The current cybersecurity threat is increased due, in part, to
the proliferation of increasingly sophisticated threat actors
who have expertise and resources to defeat cyber defenses.\4\
In 2016, the Office of Management and Budget alerted Congress
that Federal agencies reported more than 77,000 security
incidents during fiscal year (FY) 2015, an increase of ten
percent over the prior year.\5\
---------------------------------------------------------------------------
\2\Gov't Accountability Office, GAO-15-714, Federal Information
Security: Agencies Need to Correct Weaknesses and Fully Implement
Security Programs (Sept. 2015), http://www.gao.gov/assets/680/
672801.pdf.
\3\Id.
\4\Id.
\5\Office of Management and Budget, Annual Report to Congress:
Federal Information Security Modernization Act (Mar. 18, 2016).
---------------------------------------------------------------------------
Federal agencies identify nation-state actors as the most
serious cybersecurity threat they face. In May 2016, GAO
reported that 18 agencies with high impact systems--those where
the loss of information can have severe impact on the nation or
affected individuals--identified foreign nations as the most
serious and frequently occurring threat.\6\
---------------------------------------------------------------------------
\6\Gov't Accountability Office, GAO-16-501, Information Security:
Agencies Need to Improve Controls Over Selected High-Impact Systems
(May 2016), http://www.gao.gov/products/GAO-16-501.
---------------------------------------------------------------------------
In 2015, the nation learned that a sophisticated threat
actor had penetrated the information systems of the Office of
Personnel Management (OPM), exfiltrating data that included
22.1 million records about Federal employees, including
employee personnel and background investigation files.\7\ An
additional 5.6 million individuals had their fingerprint data
stolen.\8\ In the aftermath of the breach, OPM instituted a new
policy to prohibit its employees from accessing certain
websites, including Gmail and Facebook, from their work
computers.\9\ An OPM spokesperson described the change as a
response to the breach and cybersecurity threats:
---------------------------------------------------------------------------
\7\See Under Attack: Cybersecurity and the OPM Data Breach: Hearing
Before the S. Comm. on Homeland Sec. & Governmental Affairs, 114th
Cong. (2015).
\8\See Majority staff report, Cmte. on Oversight and Gov't. Reform,
U.S. House of Reps., The OPM Data Breach: How the Government
Jeopardized Our National Security for More than a Generation, Sept. 7,
2016, https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-
Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-
More-than-a-Generation.pdf.
\9\Statement of Samuel Schumach, Press Secretary, Office of
Personnel Management, July 2, 2015.
As is the case throughout the Federal government,
agencies monitor the use of official computers and
other devices. In addition, at OPM, we provide guidance
on the use of computers and conduct yearly training.
Out of caution, and in light of the recent breaches,
OPM has recently tightened restrictions on internet
access using web security technology. As we move
forward with security measures which will ensure both
agency and individual security, OPM will continue to
monitor and make adjustments to our web security
policies.\10\
---------------------------------------------------------------------------
\10\Id.
Seven months later during her February 2016 confirmation
hearing, OPM Acting Director Beth Cobert explained the
reasoning behind OPM's decision to limit employees' access to
---------------------------------------------------------------------------
certain websites:
As the world of cybersecurity is changing, as we
recognize the nature of these threats, we all need to
change the way we interact, the way we use systems at
work and at home. What we have done at OPM, and I think
what is important for every agency to do, is to
recognize what needs to change in the way they operate,
what needs to change in the way their employees operate
to make sure systems are secure. At OPM, for example, I
cannot access my personal Gmail account from my OPM
computer. That is the way a lot of threats come in.\11\
---------------------------------------------------------------------------
\11\Nomination of the Honorable Beth F. Cobert to be Director,
Office of Personnel Management: Hearing Before S. Comm. on Homeland
Sec; & Governmental Affairs, 114th Cong. (2016).
However, Federal employee labor unions have raised concerns
that such measures could have an adverse impact on Federal
employees. In 2011, U.S. Immigration and Customs Enforcement
(ICE) imposed a similar policy to limit employees' access to
personal email from their workstations to improve
cybersecurity. The American Federation of Government Employees
(AFGE) filed a grievance against ICE with the Federal Labor
Relations Authority (FLRA).\12\ The AFGE's grievance alleged
that the agency's decision to block access to certain websites
on employees' computers unlawfully bypassed the collective
bargaining process.\13\
---------------------------------------------------------------------------
\12\U.S. Department of Homeland Security, Immigration and Customs
Enforcement (Agency) and American Federation of Government Employees,
National Immigration and Customs Enforcement Council (Union), 67
F.L.R.A. 126 (July 8, 2014), available at https://www.flra.gov/
decisions/v67/67-126.html.
\13\Id.
---------------------------------------------------------------------------
On July 8, 2014, the FLRA ruled that the agency was
required to bargain with the union before changing the
cybersecurity policy in this case.\14\ The FLRA held that
Federal employees' legal requirement to protect Federal
information under the Federal Information Security Management
Act (FISMA) did not provide the agency with sole and exclusive
discretion to implement network-access policies affecting
employees without first satisfying its bargaining obligations
with the union.\15\
---------------------------------------------------------------------------
\14\Id.
\15\Id.
---------------------------------------------------------------------------
Although the remedy provided by the arbitrator and affirmed
by the FLRA in this case directed bargaining over only the
``impact and implementation'' of the agency's decision to block
webmail access, concerns have been raised by this decision that
the remedy in a future case could include the requirement that
an agency restore access and engage in pre-implementation
bargaining.\16\ Agency heads and their chief information
officers must have the ability to act quickly to respond to
threats and address perceived weaknesses and vulnerabilities in
their information systems. Failure to successfully defend
against cyberattacks can have significant consequences for the
nation and, in cases such as the OPM breach, millions of
Federal employees.
---------------------------------------------------------------------------
\16\Id. (dissent by Member Pizzella).
---------------------------------------------------------------------------
The Federal Information Systems Safeguards Act of 2018
clarifies that an agency head may limit, restrict, or prohibit
access to a website if the agency head determines such action
is necessary to carry out his or her responsibilities as head
of the agency. Although such a decision by the agency head is
not subject to collective bargaining, after an agency head
takes such an action, the bill as amended requires the agency
head to seek guidance and take into consideration the personal
communication needs of agency employees, upon the employees'
request. However, the bill further clarifies that this
requirement does not establish a right to collective
bargaining.
This bill accurately captures the congressional intent of
FISMA to permit agencies authority over securing their
networks. Giving agency heads the authority to act swiftly to
protect Federal information systems will improve Federal
cybersecurity and, thus, national security.
III. LEGISLATIVE HISTORY
Chairman Ron Johnson (R-WI) introduced S. 3208, the Federal
Information Systems Safeguards Act of 2018, on July 12, 2018.
The bill was referred to the Committee on Homeland Security and
Governmental Affairs. Senator Joni Ernst (R-IA) joined as a
cosponsor on August 15, 2018.
The Committee considered S. 3208 at a business meeting on
September 26, 2018. During the meeting, Chairman Johnson
offered an amendment in the nature of a substitute to include
language allowing for consideration of employee communication
needs. The bill, as amended by the Johnson Substitute
Amendment, was ordered reported favorably by voice vote.
Senators present were Johnson, Portman, Lankford, Enzi, Hoeven,
Daines, McCaskill, Carper, Heitkamp, Peters, Hassan, Harris,
and Jones. Senators Peters, Hassan, and Harris were recorded as
voting ``no'' for the record.
IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED
Section 1. Short title
This section provides that the bill may be referred to as
the ``Federal Information Systems Safeguards Act of 2018.''
Sec. 2. Agency discretion to secure information technology and
information systems
Section 2 establishes that agencies have discretion in
securing their IT and information systems.
New subsection (a) states that the authority described in
new subsection (b) may not be limited by a collective
bargaining agreement, memorandum of agreement, any other
agreement, or negotiated under section 7106(b) or any other
section of chapter 71.
New subsection (b) gives the head of an agency the
authority to take any action to limit, restrict, or prohibit
access to a website or to test, deploy, or update a
cybersecurity measure if the agency head determines it
necessary.
New subsection (c) states that, after having taken an
action under this section and upon the request of employees of
the agency, the agency head will take into consideration and
seek guidance on the personal communication needs of the
agency's employees. This does not establish a right to
collective bargaining.
New subsection (d) states that the term ``agency'' has the
same meaning as in section 3502 of title 44, United States
Code.
V. EVALUATION OF REGULATORY IMPACT
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE
U.S. Congress,
Congressional Budget Office,
Washington, DC, October 3, 2018.
Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S.
Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 3208, the Federal
Information Systems Safeguards Act of 2018.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Matthew
Pickford.
Sincerely,
Keith Hall.
Enclosure.
S. 3208--Federal Information Systems Safeguards Act of 2018
The Federal Information Security Management Act (FISMA)
provides a framework to protect government information
operations against security threats. S. 3208 would clarify
that, under FISMA, federal agencies have the sole and exclusive
authority to take appropriate and timely actions to secure
their information technology and information systems. CBO
estimates that implementing S. 3208 would clarify Congressional
intent, but it would have no significant effect on the federal
budget because it would not expand the duties of executive
agencies.
Enacting the bill could affect direct spending by agencies
not funded through annual appropriations; therefore, pay-as-
you-go procedures apply. CBO estimates, however, that any net
change in spending by those agencies would be negligible. S.
3208 would not affect revenues.
CBO estimates that enacting S. 3208 would not significantly
increase net direct spending or on-budget deficits in any of
the four consecutive 10-year periods beginning in 2029.
S. 3208 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act.
On August 10, 2018, CBO transmitted a cost estimate for
H.R. 5300, the Federal Information Safeguards Act of 2018, as
ordered reported by the House Committee on Oversight and
Government Reform on July 17, 2018. The two pieces of
legislation are similar and the estimated budgetary effects are
the same.
The CBO staff contact for this estimate is Matthew
Pickford. The estimate was reviewed by H. Samuel Papenfuss,
Deputy Assistant Director for Budget Analysis.
VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
Because S. 3208 would not repeal or amend any provision of
current law, it would make no changes in existing law within
the meaning of clauses (a) and (b) of paragraph 12 of rule XXVI
of the Standing Rules of the Senate.