H.R.4791 - Federal Agency Data Protection Act
To amend title 44, United States Code, to strengthen requirements for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets, and for other purposes.
| Version | Word Count | Changes From Previous Version | Percent Change |
|---|---|---|---|
| Introduced in House | 2,844 | n/a | n/a |
| Reported in House | 2,906 | 126 | 74% |
| Engrossed in House | 2,741 | 11 | 16% |
| Referred in Senate | 2,712 | 5 | 4% |
HR 4791 RFS
June 4, 2008
Received; read twice and referred to the Committee on Homeland Security and Governmental Affairs
To amend title 44, United States Code, to strengthen requirements for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title- This Act may be cited as the `Federal Agency Data Protection Act'.
(b) Table of Contents- The table of contents of this Act is as follows:
Sec. 1. Short title; table of contents.
Sec. 2. Purpose.
Sec. 3. Definitions.
Sec. 4. Authority of Director of Office of Management and Budget to establish information security policies and procedures.
Sec. 5. Responsibilities of Federal agencies for information security.
Sec. 6. Federal agency data breach notification requirements.
Sec. 7. Protection of government computers from risks of peer-to-peer file sharing.
Sec. 8. Annual independent audit.
Sec. 9. Best practices for privacy impact assessments.
Sec. 10. Implementation.
SEC. 2. PURPOSE.
The purpose of this Act is to protect personally identifiable information of individuals that is maintained in or transmitted by Federal agency information systems.
SEC. 3. DEFINITIONS.
(a) Personally Identifiable Information and Mobile Digital Device Definitions-
`(4) The term `personally identifiable information', with respect to an individual, means any information about the individual maintained by an agency, including information--
`(A) about the individual's education, finances, or medical, criminal, or employment history;
`(B) that can be used to distinguish or trace the individual's identity, including name, social security number, date and place of birth, mother's maiden name, or biometric records; or
`(C) that is otherwise linked or linkable to the individual.
`(5) The term `mobile digital device' includes any device that can store or process information electronically and is designed to be used in a manner not limited to a fixed location, including--
`(A) processing devices such as laptop computers, communication devices, and other hand-held computing devices; and
`(B) storage devices such as portable hard drives, CD-ROMs, DVDs, and other portable electronic media.'.
(b) Conforming Amendments- Section 208 of the E-Government Act of 2002 (
(1) in subsection (b)(1)(A)--
(A) in clause (i), by striking `information that is in an identifiable form' and inserting `personally identifiable information'; and
(B) in clause (ii)(II), by striking `information in an identifiable form permitting the physical or online contacting of a specific individual' and inserting `personally identifiable information';
(2) in subsection (b)(2)(B)(i), by striking `information that is in an identifiable form' and inserting `personally identifiable information';
(3) in subsection (b)(3)(C), by striking `information that is in an identifiable form' and inserting `personally identifiable information'; and
(4) in subsection (d), by striking the text and inserting `In this section, the term `personally identifiable information' has the meaning given that term in
SEC. 4. AUTHORITY OF DIRECTOR OF OFFICE OF MANAGEMENT AND BUDGET TO ESTABLISH INFORMATION SECURITY POLICIES AND PROCEDURES.
(1) by inserting before the semicolon at the end of paragraph (5) the following: `, including plans and schedules, developed by the agency on the basis of priorities for addressing levels of identified risk, for conducting--
`(A) testing and evaluation, as required under section 3544(b)(5); and
`(B) remedial action, as required under section 3544(b)(6), to address deficiencies identified by such testing and evaluation'; and
(2) by adding at the end the following:
`(9) establishing minimum requirements regarding the protection of personally identifiable information maintained in or transmitted by mobile digital devices, including requirements for the use of technologies that efficiently and effectively render information unusable by unauthorized persons;
`(10) requiring agencies to comply with--
`(A) minimally acceptable system configuration requirements consistent with best practices, including checklists developed under section 8(c) of the Cyber Security Research and Development Act (Public Law 107-305; 116 Stat. 2378) by the Director of the National Institute of Standards and Technology; and
`(B) minimally acceptable requirements for periodic testing and evaluation of the implementation of such configuration requirements;
`(11) ensuring that agency contracts for (or involving or including) the provision of information technology products or services include requirements for contractors to meet minimally acceptable configuration requirements, as required under paragraph (10);
`(12) ensuring the establishment through regulation and guidance of contract requirements to ensure compliance with this subchapter with regard to providing information security for information and information systems used or operated by a contractor of an agency or other organization on behalf of the agency; and'.
SEC. 5. RESPONSIBILITIES OF FEDERAL AGENCIES FOR INFORMATION SECURITY.
(1) in paragraph (2)(D)(iii), by striking `as determined by the agency' and inserting `as required by the Director under section 3543(a)(10)';
(2) in paragraph (5)--
(A) by inserting after `annually' the following: `and as approved by the Director';
(B) by striking `and' at the end of subparagraph (A);
(C) by redesignating subparagraph (B) as subparagraph (D); and
(D) by inserting after subparagraph (A) the following:
`(B) shall include testing and evaluation of system configuration requirements as required under section 3543(a)(10);
`(C) shall include testing of systems operated by a contractor of the agency or other organization on behalf of the agency, which testing requirement may be satisfied by independent testing, evaluation, or audit of such systems; and';
(3) by striking `and' at the end of paragraph (7);
(4) by striking the period at the end of paragraph (8) and inserting a semicolon; and
(5) by adding at the end the following:
`(9) plans and procedures for ensuring the adequacy of information security protections for systems maintaining or transmitting personally identifiable information, including requirements for--
`(A) maintaining a current inventory of systems maintaining or transmitting such information;
`(B) implementing information security requirements for mobile digital devices maintaining or transmitting such information, as required by the Director (including the use of technologies rendering data unusable by unauthorized persons); and
`(C) developing, implementing, and overseeing remediation plans to address vulnerabilities in information security protections for such information;'.
SEC. 6. FEDERAL AGENCY DATA BREACH NOTIFICATION REQUIREMENTS.
(a) Authority of Director of Office of Management and Budget To Establish Data Breach Policies-
(1) by striking `and' at the end of paragraph (7);
(2) in paragraph (8)--
(A) by striking `and' at the end of subparagraph (D);
(B) by striking the period and inserting `; and' at the end of subparagraph (E); and
(C) by adding at the end the following new subparagraph:
`(F) a summary of the breaches of information security reported by agencies to the Director and the Federal information security incident center pursuant to paragraph (13);'; and
(3) by adding at the end the following:
`(13) establishing policies, procedures, and standards for agencies to follow in the event of a breach of data security involving the disclosure of personally identifiable information, specifically including--
`(A) a requirement for timely notice to be provided to those individuals whose personally identifiable information could be compromised as a result of such breach, except no notice shall be required if the breach does not create a reasonable risk--
`(i) of identity theft, fraud, or other unlawful conduct regarding such individual; or
`(ii) of other harm to the individual;
`(B) guidance on determining how timely notice is to be provided;
`(C) guidance regarding whether additional special actions are necessary and appropriate, including data breach analysis, fraud resolution services, identity theft insurance, and credit protection or monitoring services; and
`(D) a requirement for timely reporting by the agencies of such breaches to the Director and Federal information security incident center.'.
(b) Authority of Chief Information Officer To Develop and Maintain Inventories-
(1) by inserting after `authority to ensure compliance with' the following: `and, to the extent determined necessary and explicitly authorized by the head of the agency, to enforce';
(2) by striking `and' at the end of subparagraph (D);
(3) by inserting `and' at the end of subparagraph (E); and
(4) by adding at the end the following:
`(F) developing and maintaining an inventory of all personal computers, laptops, or any other hardware containing personally identifiable information;'.
(c) Inclusion of Data Breach Notification-
`(10) procedures for notifying individuals whose personally identifiable information may have been compromised or accessed following a breach of information security; and
`(11) procedures for timely reporting of information security breaches involving personally identifiable information to the Director and the Federal information security incident center.'.
(d) Authority of Agency Chief Human Capital Officers To Assess Federal Personal Property-
(1) by striking `, and' at the end of paragraph (5) and inserting a semicolon;
(2) by striking the period and inserting `; and' at the end of paragraph (6); and
(3) by adding at the end the following:
`(7) prescribing policies and procedures for exit interviews of employees, including a full accounting of all Federal personal property that was assigned to the employee during the course of employment.'.
SEC. 7. PROTECTION OF GOVERNMENT COMPUTERS FROM RISKS OF PEER-TO-PEER FILE SHARING.
(a) Plans Required- As part of the Federal agency responsibilities set forth in sections 3544 and 3545 of title 44, United States Code, the head of each agency shall develop and implement a plan to ensure the security and privacy of information collected or maintained by or on behalf of the agency from the risks posed by certain peer-to-peer file sharing programs.
(b) Contents of Plans- Such plans shall set forth appropriate methods, including both technological (such as the use of software and hardware) and nontechnological methods (such as employee policies and user training), to achieve the goal of securing and protecting such information from the risks posed by peer-to-peer file sharing programs.
(c) Implementation of Plans- The head of each agency shall--
(1) develop and implement the plan required under this section as expeditiously as possible, but in no event later than six months after the date of the enactment of this Act; and
(2) review and revise the plan periodically as necessary.
(d) Review of Plans- Not later than 18 months after the date of the enactment of this Act, the Comptroller General shall--
(1) review the adequacy of the agency plans required by this section; and
(2) submit to the Committee on Oversight and Government Reform of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report on the results of the review, together with any recommendations the Comptroller General considers appropriate.
(e) Definitions- In this section:
(1) PEER-TO-PEER FILE SHARING PROGRAM- The term `peer-to-peer file sharing program' means computer software that allows the computer on which such software is installed (A) to designate files available for transmission to another such computer, (B) to transmit files directly to another such computer, and (C) to request the transmission of files from another such computer. The term does not include the use of such software for file sharing between, among, or within Federal, State, or local government agencies in order to perform official agency business.
(2) AGENCY- The term `agency' has the meaning provided by
SEC. 8. ANNUAL INDEPENDENT AUDIT.
(a) Requirement for Audit Instead of Evaluation-
(1) in the section heading, by striking `evaluation' and inserting `audit'; and
(2) in paragraphs (1) and (2) of subsection (a), by striking `evaluation' and inserting `audit' both places it appears.
(b) Additional Specific Requirements for Audits- Section 3545(a) of such title is amended--CommentsClose CommentsPermalink
(1) in paragraph (2)--
(A) in subparagraph (A), by striking `subset of the agency's information systems;' and inserting the following: `subset of--
`(i) the information systems used or operated by the agency; and
`(ii) the information systems used, operated, or supported on behalf of the agency by a contractor of the agency, any subcontractor (at any tier) of such a contractor, or any other entity;';
(B) in subparagraph (B), by striking `and' at the end;
(C) in subparagraph (C), by striking the period and inserting `; and'; and
(D) by adding at the end the following new subparagraph:
`(D) a conclusion whether the agency's information security controls are effective, including an identification of any significant deficiencies in such controls.'; and
(2) by adding at the end the following new paragraph:
`(3) Each audit under this section shall conform to generally accepted government auditing standards.'.
(c) Conforming Amendments-
(1) Each of the following provisions of
(A) Subsection (b)(1).
(B) Subsection (b)(2).
(C) Subsection (c).
(D) Subsection (e)(1).
(E) Subsection (e)(2).
(2) Section 3545(d) of such title is amended to read as follows:
`(d) Existing Audits- The audit required by this section may be based in whole or in part on an audit relating to programs or practices of the applicable agency.'.
(3) Section 3545(f) of such title is amended by striking `evaluators' and inserting `auditors'.
(4) Section 3545(g)(1) of such title is amended by striking `evaluations' and inserting `audits'.
(5) Section 3545(g)(3) of such title is amended by striking `Evaluations' and inserting `Audits'.
(6) Section 3543(a)(8)(A) of such title is amended by striking `evaluations' and inserting `audits'.
(7) Section 3544(b)(5)(D) of such title (as redesignated by section 5(2)(C)) is amended by striking `a evaluation' and inserting `an audit'.
SEC. 9. BEST PRACTICES FOR PRIVACY IMPACT ASSESSMENTS.
Section 208(b)(3) of the E-Government Act of 2002 (
(1) in subparagraph (B), by striking `and' at the end;
(2) in subparagraph (C), by striking the period and inserting `; and'; and
(3) by adding at the end the following:
`(D) develop best practices for agencies to follow in conducting privacy impact assessments.'.
SEC. 10. IMPLEMENTATION.
Except as otherwise specifically provided in this Act, implementation of this Act and the amendments made by this Act shall begin not later than 90 days after the date of the enactment of this Act.
Passed the House of Representatives June 3, 2008.
Attest:
Clerk.
U.S. Congress - Text of H.R.4791 as Referred in Senate Federal Agency Data Protection Act