S.3474 - Federal Information Security Management Act of 2008
A bill to amend title 44, United States Code, to enhance information security of the Federal Government, and for other purposes.
| Version | Word Count | Changes From Previous Version | Percent Change |
|---|---|---|---|
| Introduced in Senate | 3,475 | n/a | n/a |
| Reported in Senate | 3,557 | 7 | 1% |

S 3474 RS
Calendar No. 1105
110th CONGRESS
2d Session
S. 3474
To amend title 44, United States Code, to enhance information security of the Federal Government, and for other purposes.
IN THE SENATE OF THE UNITED STATES
September 11, 2008
Mr. CARPER (for himself, Mr. LIEBERMAN, Ms. COLLINS, and Mr. COLEMAN) introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs
October 1 (legislative day, September 17), 2008
Reported by Mr. LIEBERMAN, without amendment
A BILL
To amend title 44, United States Code, to enhance information security of the Federal Government, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ‘Federal Information Security Management Act of 2008’ or the ‘FISMA Act of 2008’.
SEC. 2. DEFINITIONS.
‘(4) The term ‘adequate security’ means security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
‘(5) The term ‘incident’ means an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
‘(6) The term ‘information infrastructure’ means the underlying framework that information systems and assets rely on in processing, transmitting, receiving, or storing information electronically.’.
SEC. 3. ANNUAL INDEPENDENT AUDIT.
(a) Requirement for Audit Instead of Evaluation-
(1) in the section heading, by striking ‘evaluation’ and inserting ‘audit’; and
(2) in paragraphs (1) and (2) of subsection (a), by striking ‘evaluation’ and inserting ‘audit’ both places that term appears.
(b) Additional Specific Requirements for Audits- Section 3545(a) of such title is amended--
(1) in paragraph (2)--
(A) in subparagraph (A), by striking ‘subset of the agency’s information systems;’ and inserting the following: ‘subset of--
‘(i) the information systems used or operated by the agency; and
‘(ii) the information systems used, operated, or supported on behalf of the agency by a contractor of the agency, any subcontractor (at any tier) of such a contractor, or any other entity;’;
(B) in subparagraph (B), by striking ‘and’ at the end;
(C) in subparagraph (C), by striking the period and inserting ‘; and’; and
(D) by adding at the end the following new subparagraph:
‘(D) a conclusion as to whether the agency’s information security controls are effective, including an identification of any significant deficiencies identified in such controls.’; and
(2) by adding at the end the following:
‘(3) Each audit under this section shall conform to generally accepted government auditing standards.’.
(c) Technical and Conforming Amendments-
(1) Each of the following provisions of
(A) Subsection (b)(1).
(B) Subsection (b)(2).
(C) Subsection (c).
(D) Subsection (e)(1).
(E) Subsection (e)(2).
(2) Section 3545(d) of such title is amended to read as follows:
‘(d) Existing Information- The audit required by this section may include consideration of relevant audits, evaluations, reports, or other information relating to programs or practices of the applicable agency.’.
(3) Section 3545(f) of such title is amended by striking ‘evaluators’ and inserting ‘auditors’.
(4) Section 3545(g)(1) of such title is amended by striking ‘evaluations’ and inserting ‘audits’.
(5) Section 3545(g)(3) of such title is amended by striking ‘Evaluations’ and inserting ‘Audits’.
(6) Section 3543(a)(8)(A) of such title is amended by striking ‘evaluations’ and inserting ‘audits’.
(7) Section 3544(b)(5)(B) of such title is amended by striking ‘a evaluation’ and inserting ‘an audit, evaluation, report, or other information relating to programs or practices of the applicable agency’.
SEC. 4. CHIEF INFORMATION SECURITY OFFICER AND CHIEF INFORMATION SECURITY OFFICER COUNCIL.
(a) Delegations to Chief Information Security Officer-
(1) in paragraph (3)--
(A) in the matter preceding subparagraph (A)--
(i) by striking ‘Chief Information Officer established under section 3506’ and inserting ‘Chief Information Security Officer designated under section 3548’; and
(ii) by striking ‘ensure compliance’ and inserting ‘enforce compliance’;
(B) by striking subparagraph (A); and
(C) by redesignating subparagraphs (B) through (E) as subparagraphs (A) through (D), respectively;
(2) in paragraph (4), by inserting ‘and cleared’ after ‘trained’; and
(3) in paragraph (5), by striking ‘Chief Information Officer’ and inserting ‘Chief Information Security Officer’.
(b) Chief Information Security Officer and Chief Information Security Officer Council- Chapter 35 of title 44, United States Code, is amended--
(1) by redesignating sections 3548 and 3549 as sections 3553 and 3554, respectively; and
(2) by inserting after section 3547 the following:
‘Sec. 3548. Chief Information Security Officers
‘(a) Designations- (1) Except as provided under paragraph (2), the head of each agency shall designate a Chief Information Security Officer who with such agency head shall carry out the responsibilities of the agency under this subchapter. An individual may not serve as the Chief Information Officer and the Chief Information Security Officer for an agency at the same time. The Chief Information Security Officer shall report directly to the Chief Information Officer to carry out such responsibilities.
‘(2) The Secretary of Defense and the Secretary of each military department may each designate Chief Information Security Officers who with the Secretary making the designation shall carry out the responsibilities of the applicable department under this subchapter. An individual may not serve as the Chief Information Officer and the Chief Information Security Officer for a department at the same time. The Secretary shall provide for the Chief Information Security Officer to report to the applicable Chief Information Officer to carry out such responsibilities. If more than 1 Chief Information Security Officer is designated, the respective duties of the Chief Information Security Officers shall be clearly delineated.
‘(b) Qualifications and General Duties- A Chief Information Security Officer shall--
‘(1) possess necessary qualifications, including education, professional certifications, training, experience, and the security clearance required to administer the functions described under this subchapter; and
‘(2) have information security duties as the primary duty of that official.
‘(c) Responsibilities- A Chief Information Security Officer for an agency shall have the mission, budget, resources, and authority necessary to--
‘(1) oversee the establishment and maintenance of an incident response capability that on a continuous basis can--
‘(A) detect, report, respond to, contain, investigate, attribute, and mitigate any network, computer, or data security incident that impairs adequate security, in accordance with policy provided by the Office of Management and Budget, in consultation with the Chief Information Security Officer Council, and guidance from the National Institute of Standards and Technology;
‘(B) collaborate with other public and private sector incident response resources to address incidents that extend beyond the agency; and
‘(C) not later than 24 hours after discovery of any incident described under subparagraph (A) unless otherwise directed by policy of the Office of Management and Budget, provide notice to the appropriate supporting information security operating center, inspector general, and the United States Computer Emergency Readiness Team;
‘(2) collaborate with the Chief Information Officer to establish, maintain, and update an enterprise network, system, storage, and security architecture framework documentation to be submitted quarterly to the United States Computer Emergency Readiness Team, that includes--
‘(A) documentation of how technical, managerial, and operational security controls are implemented throughout the agency’s information infrastructure; and
‘(B) documentation of how the controls described under subparagraph (A) maintain the appropriate level of confidentiality, integrity, and availability of electronic information and information systems based on National Institute of Standards and Technology guidance and Chief Information Security Officers Council recommended approaches;
‘(3) ensure that--
‘(A) risk assessments are conducted on a periodic basis;
‘(B) penetration tests are conducted commensurate with risk (as defined by the National Institute of Standards and Technology) for an agency’s information infrastructure; and
‘(C) information security vulnerabilities are mitigated in a timely fashion;
‘(4) ensure that annual information technology security awareness and role-based training for agency employees and contractors is conducted;
‘(5) create, maintain, and manage an information security performance measurement system that aligns with agency goals and budget process; and
‘(6) direct and manage information technology security programs and functions within all subordinate agency organizations (including components, bureaus, offices, and other organizations within the agency).
‘(d) Continuous Technical Monitoring for Malicious Activity of Agency Network and Information System- (1) Each agency shall establish a mechanism that allows the Chief Information Security Officer of the agency to detect, monitor, correlate, and analyze the security of any information system that is connected to the agency’s information infrastructure on a continuous basis through automated monitoring.
‘(2) The Chief Information Security Officer of an agency shall be responsible for and have the authority to assure that any information system connected to the network (directly or indirectly) that does not comply with security policies and standards, or has been compromised, is denied access and use of the agency network until the information system meets or exceeds accepted security policies and standards established by--
‘(A) the National Institute of Standards and Technology;
‘(B) the Office of Management and Budget; and
‘(C) the applicable agency.
‘(3) After notification to the applicable agency’s Chief Information Officer, the Chief Information Security Officer of an agency may prevent access to any information system or individual that is using or attempts to use the agency information infrastructure if information security policies and procedures have not been followed or implemented.
‘(4) If the Chief Information Security Officer recognizes a network, computer, or data security incident that impairs adequate security of an interagency information system, the Chief Information Security Officer shall notify the managing agency, agency inspector general, and the United States Computer Emergency Readiness Team within 24 hours after discovery of an incident as defined by policy of the Office of Management and Budget.
‘(e) Operational Evaluation- (1) The Chief Information Security Officer of an agency in consultation with the agency Chief Information Officer, with recommendations from the Chief Information Security Officers Council and in consultation with the Secretary of Homeland Security and the heads of other appropriate Federal agencies, shall--
‘(A) establish security control testing protocols that ensure that the information infrastructure of the agency, including contractor information systems operating on behalf of the agency, are effectively protected against known vulnerabilities, attacks, and exploitations;
‘(B) oversee the deployment of such protocols throughout the information infrastructure of the agency; and
‘(C) update and test such protocols on a recurring basis.
‘(2) After consideration of best practices and recommendations for operational evaluations established by the Chief Information Security Officer Council and in consultation with the heads of appropriate agencies, the Department of Homeland Security shall no less than annually--
‘(A) conduct an operational evaluation of the information infrastructure of each agency for known vulnerabilities, attacks, and exploitations of Federal networks on a frequent and recurring basis;
‘(B) evaluate the ability of each agency to monitor, detect, correlate, analyze, report, and respond to breaches in information security policies and practices;
‘(C) report to the agency head, the Chief Information Officer, and the Chief Information Security Officer of the applicable agency the findings of the operational evaluation; and
‘(D) in consultation with the Chief Information Officer and the Chief Information Security Officer of the applicable agency, assist with mitigating exploited vulnerabilities, attacks, and exploitations.
‘(3) Not later than 30 days after receiving an operational evaluation under paragraph (2), the Chief Information Security Officer of an agency shall provide the Chief Information Officer and the agency head a plan for addressing recommendations and mitigating vulnerabilities contained in the security reports identified under paragraph (2), including a timeline and budget for implementing such plan.
‘(f) National Security Systems- Subsections (c), (d), and (e) shall not apply to any national security system as defined under section 3542(b)(2) so long as that system is evaluated in a manner consistent with processes described under subsection (e)(2)(A) through (D) of this section.
‘Sec. 3549. Chief Information Security Officer Council
‘(a) Establishment- There is established in the executive branch a Chief Information Security Officers Council (in this section referred to as the ‘Council’).
‘(b) Membership- The members of the Council shall be full-time senior government employees. The members shall be as follows:
‘(1) The Administrator of the Office of Electronic Government of the Office of Management and Budget.
‘(2) The Chief Information Security Officer of each agency described under section 901(b) of title 31.
‘(3) The Chief Information Security Officer of the Department of the Army, the Department of the Navy, and the Department of the Air Force, if chief information officers have been designated for such departments under section 3506(a)(2)(B).
‘(4) A representative from the Office of the Director of National Intelligence.
‘(5) A representative from the United States Strategic Command.
‘(6) A representative from the United States Computer Emergency Readiness Team.
‘(7) A representative from the Intelligence Community Incident Response Center.
‘(8) A representative from the Committee on National Security Systems.
‘(9) Any other officer or employee of the United States designated by the chairperson.
‘(c) Co-Chairpersons and Vice Chairpersons- (1) The Director of the National Cyber Security Center shall act as chairperson of the Council. The Administrator of the Office of Electronic Government of the Office of Management and Budget shall act as co-chairperson of the Council.
‘(2) The vice chairperson of the Council shall be selected by the Council from among its members. The vice chairperson shall serve a 1-year term and may serve multiple terms. The vice chairperson shall serve as a liaison to the Chief Information Officers Council, the Committee on National Security Systems, and other councils or committees as appointed by the chairperson.
‘(d) Functions- (1) The Council shall be the principal interagency forum for establishing best practices and recommendations for operational evaluations that use attack-based testing protocols established under section 3548(e).
‘(2) The Council shall--
‘(A) share experiences and innovative approaches relating to information sharing and information security best practices, penetration testing regimes, and incident response mitigation;
‘(B) promote the development and use of standard performance measures for agency information security that--
‘(i) are outcome-based;
‘(ii) focus on risk management;
‘(iii) align with the business and program goals of the agency;
‘(iv) measure improvements in the agency security posture over time; and
‘(v) reduce burdensome compliance measures;
‘(C) develop and recommend to the Office of Management and Budget the necessary qualifications to be established for Chief Information Security Officers to be capable of administering the functions described under this subchapter, including education, training, and experience;
‘(D) enhance information system certification and accreditation processes by establishing a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms; and
‘(E) submit proposed enhancements to the Office of Management and Budget.
‘Sec. 3550. Requirements for contracts relating to agency information and information systems
‘(a) In General- (1) Not later than 180 days after the date of enactment of the Federal Information Security Management Act of 2008, the Director of the Office of Management and Budget, in consultation with the Director of the National Institute of Standards and Technology, shall promulgate information security regulations governing contracts (including task or delivery orders issued pursuant to contracts) between the Federal Government and any individual, corporation, partnership, organization, or other entity that interfaces with an information system of an agency or collects, stores, operates, or maintains information on behalf of the agency.
‘(2) Regulations promulgated under this subsection shall specify requirements concerning--
‘(A) adequacy and effectiveness of the security of information systems;
‘(B) the collection and transmission of information, including personally identifiable information; and
‘(C) procedures in the event of a security incident.
‘(b) Compliance- Notwithstanding any other provision of law, effective 180 days after the issuance of regulations under subsection (a), no agency may enter into a contract (or issue a task or delivery order under a contract), or otherwise enter into an agreement, with an individual, corporation, partnership, organization, or other entity that interfaces with an information system of an agency or collects, stores, operates, or maintains information on behalf of the agency, unless the requirements of the contract or agreement are in compliance with such regulations.
‘(c) Security Requirements- Notwithstanding any other provision of law, effective 3 years after the issuance of regulations under subsection (a), no agency may enter into a contract (or issue a task or delivery order under a contract), or otherwise enter into an agreement, with an individual, corporation, partnership, organization, or other entity for commercial off-the-shelf items, including hardware and software, that do not conform to the security requirements in such regulations.
‘Sec. 3551. Reports to Congress
‘(a) Annual Reports- (1) On March 1 of each year, the Department of Homeland Security shall submit a report on operational evaluations and testing protocols to--
‘(A) the Committee on Homeland Security and Governmental Affairs of the Senate;
‘(B) the Committee on Oversight and Government Reform and the Committee on Homeland Security of the House of Representatives;
‘(C) the Select Committee on Intelligence of the Senate;
‘(D) the Permanent Select Committee on Intelligence of the House of Representatives;
‘(E) the Government Accountability Office; and
‘(F) the President’s Council on Integrity and Efficiency and the Executive Council on Integrity and Efficiency.
‘(2) Each report submitted under this subsection shall--
‘(A) provide detailed information on the operational evaluations of each agency performed during the preceding fiscal year, the results of such evaluations, and any actions that remain to be taken under plans included in corrective action reports under section 3548(e)(3);
‘(B) describe the effectiveness of the testing protocols developed under section 3548(e)(1) in mitigating the risks associated with known vulnerabilities, attacks, and exploitations of the information infrastructure of each agency;
‘(C) describe the information security posture of the Federal Government, including--
‘(i) the risks to the confidentiality, integrity, and availability of information governmentwide; and
‘(ii) a plan of action and milestones to mitigate the risks governmentwide;
‘(D) include any recommendations for relevant executive branch action and congressional oversight; and
‘(E) include an unclassified and classified report of the operational evaluation.
‘(b) Security Reports and Corrective Action Reports- The agency head and inspector general of each agency shall make all information security reports and information security corrective action reports available upon request to--
‘(1) the Secretary of Homeland Security for purposes of completing the requirements under subsection (a); and
‘(2) the Comptroller General of the United States.’.
(c) Technical and Conforming Amendments- The table of sections for chapter 35 of title 44, United States Code, is amended by striking the items relating to sections 3548 and 3549 and inserting the following:
‘Sec.
‘3548. Chief Information Security Officers.
‘3549. Chief Information Security Officer Council.
‘3550. Requirements for contracts relating to agency information and information systems.
‘3551. Reports to Congress.
‘3552. Authorization of appropriations.
‘3553. Effect on existing law.’.
U.S. Congress - Text of S.3474 as Reported in Senate Federal Information Security Management Act of 2008