[Senate Report 115-382]
[From the U.S. Government Publishing Office]

Calendar No. 668
115th Congress, 2d Session                                   Senate Report 115-382

FEDERAL INFORMATION SYSTEMS SAFEGUARDS ACT OF 2018

REPORT of the COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS, UNITED STATES SENATE, to accompany S. 3208, TO PROVIDE AGENCIES WITH DISCRETION IN SECURING INFORMATION TECHNOLOGY AND INFORMATION SYSTEMS

November 26, 2018.--Ordered to be printed

U.S. GOVERNMENT PUBLISHING OFFICE, 89-010, WASHINGTON : 2018

COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

RON JOHNSON, Wisconsin, Chairman

JOHN McCAIN, Arizona                 CLAIRE McCASKILL, Missouri
ROB PORTMAN, Ohio                    THOMAS R. CARPER, Delaware
RAND PAUL, Kentucky                  HEIDI HEITKAMP, North Dakota
JAMES LANKFORD, Oklahoma             GARY C. PETERS, Michigan
MICHAEL B. ENZI, Wyoming             MAGGIE HASSAN, New Hampshire
JOHN HOEVEN, North Dakota            KAMALA D. HARRIS, California
STEVE DAINES, Montana                DOUG JONES, Alabama

Christopher R. Hixon, Staff Director
Gabrielle D'Adamo Singer, Chief Counsel
Elliott A. Walden, Professional Staff Member
Margaret E. Daum, Minority Staff Director
Charles A. Moskowitz, Minority Senior Legislative Counsel
Katherine C. Sybenga, Minority Counsel
Laura W. Kilbride, Chief Clerk

Mr. Johnson, from the Committee on Homeland Security and Governmental Affairs, submitted the following

REPORT

[To accompany S. 3208]
[Including cost estimate of the Congressional Budget Office]

The Committee on Homeland Security and Governmental Affairs, to which was referred the bill (S. 3208) to provide agencies with discretion in securing information technology and information systems, having considered the same, reports favorably thereon with an amendment in the nature of a substitute and recommends that the bill, as amended, do pass.

CONTENTS

I. Purpose and Summary
II. Background and Need for the Legislation
III. Legislative History
IV. Section-by-Section Analysis
V. Evaluation of Regulatory Impact
VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported

I. PURPOSE AND SUMMARY

S. 3208, the Federal Information Systems Safeguards Act of 2018, allows executive agencies to take action to protect their information technology (IT) systems, such as restricting access to websites the agencies have deemed a security risk, without regard to Federal employee labor-management relationship requirements.\1\

---------------------------------------------------------------------------
\1\ On May 25, 2016, the Committee approved S. 2975, the Federal Information Systems Safeguards Act of 2016. That bill is substantially similar to S. 3208, which has been modified only slightly. Accordingly, this committee report is in large part a reproduction of Chairman Johnson's committee report for S. 2975, S. Rep. No. 114-361 (2016).
---------------------------------------------------------------------------

II. BACKGROUND AND NEED FOR THE LEGISLATION

Information security is a significant and persistent challenge for the Federal Government. The Government Accountability Office (GAO) has repeatedly identified weaknesses in Federal agencies' information security programs and compliance with Federal information security policies and practices.
In September 2015, GAO reported that information security remains a persistent weakness at twenty-four Federal agencies.\2\ In February 2015, GAO reported that ``federal cyber assets'' have been identified as high-risk since 1997.\3\ The current cybersecurity threat is increased due, in part, to the proliferation of increasingly sophisticated threat actors who have the expertise and resources to defeat cyber defenses.\4\ In 2016, the Office of Management and Budget alerted Congress that Federal agencies reported more than 77,000 security incidents during fiscal year (FY) 2015, an increase of ten percent over the prior year.\5\

---------------------------------------------------------------------------
\2\ Gov't Accountability Office, GAO-15-714, Federal Information Security: Agencies Need to Correct Weaknesses and Fully Implement Security Programs (Sept. 2015), http://www.gao.gov/assets/680/672801.pdf.
\3\ Id.
\4\ Id.
\5\ Office of Management and Budget, Annual Report to Congress: Federal Information Security Modernization Act (Mar. 18, 2016).
---------------------------------------------------------------------------

Federal agencies identify nation-state actors as the most serious cybersecurity threat they face. In May 2016, GAO reported that 18 agencies with high-impact systems--those where the loss of information can have a severe impact on the nation or affected individuals--identified foreign nations as the most serious and frequently occurring threat.\6\

---------------------------------------------------------------------------
\6\ Gov't Accountability Office, GAO-16-501, Information Security: Agencies Need to Improve Controls Over Selected High-Impact Systems (May 2016), http://www.gao.gov/products/GAO-16-501.
---------------------------------------------------------------------------

In 2015, the nation learned that a sophisticated threat actor had penetrated the information systems of the Office of Personnel Management (OPM), exfiltrating data that included 22.1 million records about Federal employees, including employee personnel and background investigation files.\7\ An additional 5.6 million individuals had their fingerprint data stolen.\8\ In the aftermath of the breach, OPM instituted a new policy to prohibit its employees from accessing certain websites, including Gmail and Facebook, from their work computers.\9\ An OPM spokesperson described the change as a response to the breach and cybersecurity threats:

---------------------------------------------------------------------------
\7\ See Under Attack: Cybersecurity and the OPM Data Breach: Hearing Before the S. Comm. on Homeland Sec. & Governmental Affairs, 114th Cong. (2015).
\8\ See Majority staff report, Cmte. on Oversight and Gov't. Reform, U.S. House of Reps., The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation, Sept. 7, 2016, https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf.
\9\ Statement of Samuel Schumach, Press Secretary, Office of Personnel Management, July 2, 2015.
---------------------------------------------------------------------------

    As is the case throughout the Federal government, agencies monitor the use of official computers and other devices. In addition, at OPM, we provide guidance on the use of computers and conduct yearly training. Out of caution, and in light of the recent breaches, OPM has recently tightened restrictions on internet access using web security technology. As we move forward with security measures which will ensure both agency and individual security, OPM will continue to monitor and make adjustments to our web security policies.\10\

---------------------------------------------------------------------------
\10\ Id.
---------------------------------------------------------------------------

Seven months later, during her February 2016 confirmation hearing, OPM Acting Director Beth Cobert explained the reasoning behind OPM's decision to limit employees' access to certain websites:

    As the world of cybersecurity is changing, as we recognize the nature of these threats, we all need to change the way we interact, the way we use systems at work and at home. What we have done at OPM, and I think what is important for every agency to do, is to recognize what needs to change in the way they operate, what needs to change in the way their employees operate to make sure systems are secure. At OPM, for example, I cannot access my personal Gmail account from my OPM computer. That is the way a lot of threats come in.\11\

---------------------------------------------------------------------------
\11\ Nomination of the Honorable Beth F. Cobert to be Director, Office of Personnel Management: Hearing Before S. Comm. on Homeland Sec. & Governmental Affairs, 114th Cong. (2016).
---------------------------------------------------------------------------

However, Federal employee labor unions have raised concerns that such measures could have an adverse impact on Federal employees. In 2011, U.S. Immigration and Customs Enforcement (ICE) imposed a similar policy to limit employees' access to personal email from their workstations to improve cybersecurity.
The American Federation of Government Employees (AFGE) filed a grievance against ICE with the Federal Labor Relations Authority (FLRA).\12\ The AFGE's grievance alleged that the agency's decision to block access to certain websites on employees' computers unlawfully bypassed the collective bargaining process.\13\

---------------------------------------------------------------------------
\12\ U.S. Department of Homeland Security, Immigration and Customs Enforcement (Agency) and American Federation of Government Employees, National Immigration and Customs Enforcement Council (Union), 67 F.L.R.A. 126 (July 8, 2014), available at https://www.flra.gov/decisions/v67/67-126.html.
\13\ Id.
---------------------------------------------------------------------------

On July 8, 2014, the FLRA ruled that the agency was required to bargain with the union before changing the cybersecurity policy in this case.\14\ The FLRA held that Federal employees' legal requirement to protect Federal information under the Federal Information Security Management Act (FISMA) did not provide the agency with sole and exclusive discretion to implement network-access policies affecting employees without first satisfying its bargaining obligations with the union.\15\

---------------------------------------------------------------------------
\14\ Id.
\15\ Id.
---------------------------------------------------------------------------

Although the remedy provided by the arbitrator and affirmed by the FLRA in this case directed bargaining over only the ``impact and implementation'' of the agency's decision to block webmail access, the decision has raised concerns that the remedy in a future case could include a requirement that an agency restore access and engage in pre-implementation bargaining.\16\ Agency heads and their chief information officers must have the ability to act quickly to respond to threats and address perceived weaknesses and vulnerabilities in their information systems. Failure to successfully defend against cyberattacks can have significant consequences for the nation and, in cases such as the OPM breach, for millions of Federal employees.

---------------------------------------------------------------------------
\16\ Id. (dissent by Member Pizzella).
---------------------------------------------------------------------------

The Federal Information Systems Safeguards Act of 2018 clarifies that an agency head may limit, restrict, or prohibit access to a website if the agency head determines such action is necessary to carry out his or her responsibilities as head of the agency. Although such a decision by the agency head is not subject to collective bargaining, after an agency head takes such an action, the bill as amended requires the agency head to seek guidance and take into consideration the personal communication needs of agency employees, upon the employees' request. However, the bill further clarifies that this requirement does not establish a right to collective bargaining. This bill accurately captures the congressional intent of FISMA to permit agencies authority over securing their networks. Giving agency heads the authority to act swiftly to protect Federal information systems will improve Federal cybersecurity and, thus, national security.

III. LEGISLATIVE HISTORY

Chairman Ron Johnson (R-WI) introduced S. 3208, the Federal Information Systems Safeguards Act of 2018, on July 12, 2018. The bill was referred to the Committee on Homeland Security and Governmental Affairs. Senator Joni Ernst (R-IA) joined as a cosponsor on August 15, 2018.

The Committee considered S. 3208 at a business meeting on September 26, 2018. During the meeting, Chairman Johnson offered an amendment in the nature of a substitute to include language allowing for consideration of employee communication needs. The bill, as amended by the Johnson Substitute Amendment, was ordered reported favorably by voice vote. Senators present were Johnson, Portman, Lankford, Enzi, Hoeven, Daines, McCaskill, Carper, Heitkamp, Peters, Hassan, Harris, and Jones. Senators Peters, Hassan, and Harris were recorded as voting ``no'' for the record.

IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED

Section 1. Short title

This section provides that the bill may be referred to as the ``Federal Information Systems Safeguards Act of 2018.''

Sec. 2. Agency discretion to secure information technology and information systems

Section 2 establishes that agencies have discretion in securing their IT and information systems.

New subsection (a) states that the authority described in new subsection (b) may not be limited by a collective bargaining agreement, memorandum of agreement, or any other agreement, or negotiated under section 7106(b) or any other section of chapter 71.

New subsection (b) gives the head of an agency the authority to take any action to limit, restrict, or prohibit access to a website, or to test, deploy, or update a cybersecurity measure, if the agency head determines it necessary.

New subsection (c) states that, after having taken an action under this section and upon the request of employees of the agency, the agency head will take into consideration and seek guidance on the personal communication needs of the agency's employees. This does not establish a right to collective bargaining.

New subsection (d) states that the term ``agency'' has the same meaning as in section 3502 of title 44, United States Code.

V. EVALUATION OF REGULATORY IMPACT

Pursuant to the requirements of paragraph 11(b) of rule XXVI of the Standing Rules of the Senate, the Committee has considered the regulatory impact of this bill and determined that the bill will have no regulatory impact within the meaning of the rules. The Committee agrees with the Congressional Budget Office's statement that the bill contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act (UMRA) and would impose no costs on state, local, or tribal governments.

VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

                                        U.S. Congress,
                                        Congressional Budget Office,
                                        Washington, DC, October 3, 2018.
Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental Affairs,
U.S. Senate, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for S. 3208, the Federal Information Systems Safeguards Act of 2018.

If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Matthew Pickford.

Sincerely,
Keith Hall.

Enclosure.

S. 3208--Federal Information Systems Safeguards Act of 2018

The Federal Information Security Management Act (FISMA) provides a framework to protect government information operations against security threats. S. 3208 would clarify that, under FISMA, federal agencies have the sole and exclusive authority to take appropriate and timely actions to secure their information technology and information systems.

CBO estimates that implementing S. 3208 would clarify Congressional intent, but it would have no significant effect on the federal budget because it would not expand the duties of executive agencies.

Enacting the bill could affect direct spending by agencies not funded through annual appropriations; therefore, pay-as-you-go procedures apply. CBO estimates, however, that any net change in spending by those agencies would be negligible. S. 3208 would not affect revenues.

CBO estimates that enacting S. 3208 would not significantly increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2029.

S. 3208 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act.
On August 10, 2018, CBO transmitted a cost estimate for H.R. 5300, the Federal Information Safeguards Act of 2018, as ordered reported by the House Committee on Oversight and Government Reform on July 17, 2018. The two pieces of legislation are similar and the estimated budgetary effects are the same.

The CBO staff contact for this estimate is Matthew Pickford. The estimate was reviewed by H. Samuel Papenfuss, Deputy Assistant Director for Budget Analysis.

VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

Because S. 3208 would not repeal or amend any provision of current law, it would make no changes in existing law within the meaning of clauses (a) and (b) of paragraph 12 of rule XXVI of the Standing Rules of the Senate.