S.921 - United States Information and Communications Enhancement Act of 2009
A bill to amend chapter 35 of title 44, United States Code, to recognize the interconnected nature of the Internet and agency networks, improve situational awareness of Government cyberspace, enhance information security of the Federal Government, unify policies, procedures, and guidelines for securing information systems and national security systems, establish security standards for Government purchased products and services, and for other purposes.

S 921 IS
111th CONGRESS
1st Session
S. 921
To amend chapter 35 of title 44, United States Code, to recognize the interconnected nature of the Internet and agency networks, improve situational awareness of Government cyberspace, enhance information security of the Federal Government, unify policies, procedures, and guidelines for securing information systems and national security systems, establish security standards for Government purchased products and services, and for other purposes.
IN THE SENATE OF THE UNITED STATES
April 28, 2009
Mr. CARPER introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs
A BILL
To amend chapter 35 of title 44, United States Code, to recognize the interconnected nature of the Internet and agency networks, improve situational awareness of Government cyberspace, enhance information security of the Federal Government, unify policies, procedures, and guidelines for securing information systems and national security systems, establish security standards for Government purchased products and services, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ‘United States Information and Communications Enhancement Act of 2009’ or the ‘U.S. ICE Act of 2009’.
SEC. 2. FINDINGS.
The Congress finds the following:
(1) The development of an interconnected global information infrastructure has significantly enhanced the productivity, prosperity, and collaboration of people, business, and governments worldwide.
(2) The information infrastructure of the United States is a strategic national resource vital to our democracy, economy, and security.
(3) The Federal Government must increasingly rely on a trusted and resilient information infrastructure to effectively and efficiently communicate with and deliver services to citizens, enhance economic prosperity, defend the Nation from attack, and recover from natural disasters.
(4) Since 2002 the Federal Government has experienced multiple high-profile breaches that resulted in the theft of sensitive information amounting to more than the entire print collection contained in the Library of Congress, including personally identifiable information, advanced scientific research, and prenegotiated United States diplomatic positions.
(5) On March 12, 2008, witnesses testified before a hearing held by the Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security of the Committee on Homeland Security and Governmental Affairs of the Senate that--
(A) implementation of the Federal Information Security Management Act of 2002 (
(B) agencies do not fully understand what information they hold, who has access to that information, and whether the information has been compromised; and
(C) agencies lack effective coordination for mitigating and responding to cyber-related incidents.
(6) The Federal Information Security Management Act of 2002 (
SEC. 3. COORDINATION OF FEDERAL INFORMATION POLICY.
Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting the following:
‘SUBCHAPTER II--INFORMATION SECURITY
‘Sec. 3551. Definitions
‘(a) Except as provided under subsection (b), the definitions under section 3502 shall apply to this subchapter.
‘(b) In this subchapter:
‘(1) The term ‘adequate security’ means security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to, or modification, of information.
‘(2) The term ‘Director’ means the Director of the National Office for Cyberspace.
‘(3) The term ‘incident’ means an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
‘(4) The term ‘information infrastructure’ means the underlying framework that information systems and assets rely on in processing, transmitting, receiving, or storing information electronically.
‘(5) The term ‘information security’ means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide--
‘(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
‘(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
‘(C) availability, which means ensuring timely and reliable access to and use of information.
‘(6) The term ‘information technology’ has the meaning given that term in section 11101 of title 40.
‘(7)(A) The term ‘national security system’ means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency--
‘(i) the function, operation, or use of which--
‘(I) involves intelligence activities;
‘(II) involves cryptologic activities related to national security;
‘(III) involves command and control of military forces;
‘(IV) involves equipment that is an integral part of a weapon or weapons system; or
‘(V) subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or
‘(ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
‘(B) Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).
‘Sec. 3552. National Office for Cyberspace
‘(a) There is established within the Executive Office of the President an office to be known as the National Office for Cyberspace.
‘(b) There shall be at the head of the Office a Director who shall be appointed by the President, by and with the advice and consent of the Senate. The Director of the National Office for Cyberspace shall administer all functions under this subchapter and collaborate to the extent practicable with the heads of the appropriate agencies, the private sector, and international partners. The Office shall serve as the principal office for coordinating issues relating to achieving an assured, reliable, secure, and survivable global information and communications infrastructure and related capabilities.
‘Sec. 3553. Authority and functions of the National Office for Cyberspace
‘(a) The Director shall develop and implement a comprehensive national cyberspace strategy to ensure a trusted and resilient communications and information infrastructure that--
‘(1) enhances economic prosperity and facilitates market leadership for the United States information and communications industry;
‘(2) deters, prevents, detects, defends against, responds to, and remediates interruptions and damage to United States information and communications infrastructure;
‘(3) ensures United States capabilities to operate in cyberspace in support of national goals; and
‘(4) protects privacy rights and preserves civil liberties of United States persons.
‘(b) Notwithstanding any provision of law, regulation, rule, or policy to the contrary, the National Office for Cyberspace may--
‘(1) direct the sponsorship of the security clearances for Federal officers and employees (including experts and consultants employed under section 3109) whose responsibilities involve critical infrastructure in the interest of national security; and
‘(2) employ experts and consultants under section 3109 for cyber security-related work.
‘(c) With respect to responsibilities with the Federal Government, the National Office for Cyberspace shall--
‘(1) provide recommendations to agencies on measures that shall be required to be implemented to mitigate vulnerabilities, attacks, and exploitations discovered as a result of activities required pursuant to this section;
‘(2) oversee the implementation of policies, principles, standards, and guidelines on information security, including through ensuring timely agency adoption of and compliance with standards promulgated under section 3556;
‘(3) to the extent practicable--
‘(A) prioritize the policies, principles, standards, and guidelines developed under section 3556 based upon the threat, vulnerability, and consequences of an information security incident; and
‘(B) develop guidance that requires agencies to actively monitor the effective implementation of policies, principles, standards, and guidelines developed under section 3556;
‘(4) require agencies, consistent with the standards promulgated under such section 3556 and the requirements of this subchapter, to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of--
‘(A) information collected or maintained by or on behalf of an agency; or
‘(B) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
‘(5) coordinate and ensure that the development of standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) and standards and guidelines developed for national security systems are, to the maximum extent practicable, complementary and unified;
‘(6) oversee agency compliance with the requirements of this subchapter, including coordinating with the Office of Management and Budget to use any authorized action under section 11303 of title 40, to enforce accountability for compliance with such requirements;
‘(7) review at least annually, and approve or disapprove, agency information security programs required under section 3554(b); and
‘(8) coordinate information security policies and procedures with related information resources management policies and procedures.
‘(d)(1) After consultation with the appropriate agencies, the Director shall oversee the effective implementation of governmentwide operational evaluations on a frequent and recurring basis to evaluate whether agencies effectively--
‘(A) monitor, detect, analyze, protect, report, and respond against known vulnerabilities, attacks, and exploitations;
‘(B) report to and collaborate with the appropriate public and private security operation centers and law enforcement agencies; and
‘(C) mitigate the risk posed by previous successful exploitations in a timely fashion and in order to prevent future vulnerabilities, attacks, and exploitations.
‘(2) Not later than 30 days after receiving an operational evaluation under this subsection, the Director shall ensure agencies evaluated under paragraph (1) develop a plan for addressing recommendations and mitigating vulnerabilities contained in the security reports identified under paragraph (1), including a timeline and budget for implementing such plan.
‘(e) Not later than March 1 of each year, the Director shall submit a report to Congress on the overall information security posture of the communications and information infrastructure of the United States, including--
‘(1) the evaluations conducted under subsection (d) for the United States Government;
‘(2) a detailed assessment of the overall resiliency of the communications and information infrastructure effectiveness of the United States and the United States Government including the ability to monitor, detect, mitigate, and respond to an incident;
‘(3) a detailed assessment of the information security effectiveness of each agency, including the ability to monitor, detect, mitigate, collaborate, and respond to an incident;
‘(4) a detailed assessment of operational evaluations performed during the preceding fiscal year, the results of such evaluations, and any actions that remain to be taken under plans included in corrective action reports under subsection (d);
‘(5) a detailed assessment of the development, promulgation, and adoption of, and compliance with, standards developed under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) and promulgated under section 3554, and recommendations for enhancement;
‘(6) a detailed assessment of significant deficiencies in the information security and reporting practices of the Federal Government as applicable to each agency;
‘(7) planned remedial action to address deficiencies described under paragraph (6), including an associated budget and recommendations for relevant executive and legislative branch actions;
‘(8) a summary of the results of the independent evaluations under section 3555; and
‘(9) a detailed assessment of the effectiveness of reporting to the National Cyber Investigative Joint Task Force under section 3554.
‘(f) Evaluations and any other descriptions of information systems under the authority and control of the Director of National Intelligence or of National Foreign Intelligence Programs systems under the authority and control of the Secretary of Defense shall be made available to Congress only through the appropriate oversight committees of Congress, in accordance with applicable laws.
‘(g)(1) In collaboration with the private sector and in coordination with the Director of the Office of Management and Budget, the National Institute of Standards and Technology, and the General Services Administration, the Director shall develop and implement policy, guidance, and regulations that cost effectively enhance the security of the Federal Government, including policy, guidance, and regulations that--
‘(A) to the extent practicable, standardize security requirements (also known as ‘lock-down configurations’) of commercial off-the-shelf products and services (including cloud products and services) purchased by the Federal Government;
‘(B) to the extent practicable, obtain products and services with security configuration baselines consistent with available security standards and configurations and guidelines developed by the National Institute of Standards and Technology;
‘(C) incentivize agencies to purchase standard products and services through the General Services Administration in order to reduce the vulnerabilities and costs associated with custom products and services; and
‘(D) enable purchasing decisions to reasonably and appropriately account for significant supply chain security risks associated with any particular product or service.
‘(2) Not later than 180 days after the date of enactment of the United States Information and Communications Enhancement Act of 2009, and annually thereafter, the Director shall submit a report to Congress that includes--
‘(A) a description of the cost savings and security enhancements that can be achieved by using the purchasing power of the Federal Government; and
‘(B) recommendations for legislative or executive branch actions necessary to achieve such cost savings.
‘Sec. 3554. Agency responsibilities
‘(a) The head of each agency shall--
‘(1) be responsible for--
‘(A) providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of--
‘(i) information collected or maintained by or on behalf of the agency; and
‘(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
‘(B) complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines, including--
‘(i) information security standards promulgated under section 3556;
‘(ii) information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; and
‘(iii) ensuring the standards implemented for information systems and national security systems under the agency head are complementary and uniform, to the extent practicable; and
‘(C) ensuring that information security management processes are integrated with agency strategic and operational planning processes;
‘(2) ensure that senior agency officials provide information security for the information and information systems that support the operations and assets under their control, including through--
‘(A) assessing the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems;
‘(B) determining the levels of information security appropriate to protect such information and information systems in accordance with standards promulgated under section 3556, for information security classifications and related requirements;
‘(C) implementing policies and procedures to cost effectively reduce risks to an acceptable level; and
‘(D) continuously testing and evaluating information security controls and techniques to ensure that they are effectively implemented;
‘(3) delegate to an agency official designated as the Chief Information Security Officer the authority to ensure and enforce compliance with the requirements imposed on the agency under this subchapter, including--
‘(A) overseeing the establishment and maintenance of a security operations capability that on an automated and continuous basis can--
‘(i) detect, report, respond to, contain, and mitigate incidents that impair adequate security of the information and information infrastructure, in accordance with policy provided by the Director, in consultation with the Chief Information Officers Council, and guidance from the National Institute of Standards and Technology;
‘(ii) collaborate with the National Office for Cyberspace and appropriate public and private sector security operations centers to address incidents that impact the security of information and information infrastructure that extend beyond the control of the agency; and
‘(iii) not later than 24 hours after discovery of any incident described under subparagraph (A), unless otherwise directed by policy of the National Office for Cyberspace, provide notice to the appropriate security operations center, the National Cyber Investigative Joint Task Force, and inspector general;
‘(B) collaborating with the Administrator for E-Government and the Chief Information Officer to establish, maintain, and update an enterprise network, system, storage, and security architecture framework documentation to be submitted quarterly to the National Office for Cyberspace and the appropriate security operations center, that includes--
‘(i) documentation of how technical, managerial, and operational security controls are implemented throughout the agency’s information infrastructure; and
‘(ii) documentation of how the controls described under subparagraph (A) maintain the appropriate level of confidentiality, integrity, and availability of information and information systems based on--
‘(I) the policy of the Director;
‘(II) the National Institute of Standards and Technology guidance; and
‘(III) the Chief Information Officers Council recommended approaches;
‘(C) developing, maintaining, and overseeing an agency wide information security program as required by subsection (b);
‘(D) developing, maintaining, and overseeing information security policies, procedures, and control techniques to address all applicable requirements, including those issued under sections 3553 and 3556;
‘(E) training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; and
‘(F) assisting senior agency officials concerning their responsibilities under paragraph (2);
‘(4) ensure that the agency has trained and cleared personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines;
‘(5) ensure that the agency Chief Information Security Officer, in coordination with other senior agency officials, reports biannually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions; and
‘(6) ensure that the Chief Information Security Officer possesses necessary qualifications, including education, professional certifications, training, experience, and the security clearance required to administer the functions described under this subchapter; and has information security duties as the primary duty of that official.
‘(b) Each agency shall develop, document, and implement an agencywide information security program, approved by the Director under section 3553(a)(5), to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source, that includes--
‘(1) periodic assessments--
‘(A) of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency; and
‘(B) that recommend a prioritized description of which data and applications should be removed or migrated to more secure networks or standards;
‘(2) penetration tests commensurate with risk (as defined by the National Institute of Standards and Technology and the National Office for Cyberspace) for agency information systems;
‘(3) mitigation of information security vulnerabilities based on the risk posed to the agency;
‘(4) policies and procedures that--
‘(A) are based on the risk assessments required by paragraph (1);
‘(B) cost effectively reduce information security risks to an acceptable level;
‘(C) ensure that information security is addressed throughout the life cycle of each agency information system; and
‘(D) ensure compliance with--
‘(i) the requirements of this subchapter;
‘(ii) policies and procedures as may be prescribed by the Director, and information security standards promulgated under section 3556;
‘(iii) minimally acceptable system configuration requirements, as determined by the Director; and
‘(iv) any other applicable requirements, including standards and guidelines for national security systems issued in accordance with law and as directed by the President;
‘(5) subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems, as appropriate;
‘(6) role-based security awareness training to inform personnel with access to the agency network, including contractors and other users of information systems that support the operations and assets of the agency, of--
‘(A) information security risks associated with their activities; and
‘(B) their responsibilities in complying with agency policies and procedures designed to reduce these risks;
‘(7) to the extent practicable, automated and continuous technical monitoring for testing, and evaluation of the effectiveness and compliance of information security policies, procedures, and practices, including--
‘(A) management, operational, and technical controls of every information system identified in the inventory required under section 3505(b); and
‘(B) management, operational, and technical controls relied on for an evaluation under section 3555;
‘(8) a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;
‘(9) to the extent practicable, continuous technical monitoring for detecting, reporting, and responding to security incidents, consistent with standards and guidelines issued by the Director, including--
‘(A) mitigating risks associated with such incidents before substantial damage is done;
‘(B) notifying and consulting with the appropriate security operations response center; and
‘(C) notifying and consulting with, as appropriate--
‘(i) law enforcement agencies and relevant Offices of Inspectors General;
‘(ii) the National Office for Cyberspace; and
‘(iii) any other agency or office, in accordance with law or as directed by the President; and
‘(10) plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.
‘(c) Each agency shall--
‘(1) submit an annual report on the adequacy and effectiveness of information security policies, procedures, and practices, and compliance with the requirements of this subchapter, including compliance with each requirement of subsection (b) to--
‘(A) the National Office for Cyberspace;
‘(B) the Committee on Homeland Security and Governmental Affairs of the Senate;
‘(C) the Committee on Commerce, Science, and Transportation of the Senate;
‘(D) the Committee on Government Oversight and Reform of the House of Representatives;
‘(E) the Committee on Homeland Security of the House of Representatives;
‘(F) other appropriate authorization and appropriations committees of Congress; and
‘(G) the Comptroller General;
‘(2) address the adequacy and effectiveness of information security policies, procedures, and practices in plans and reports relating to--
‘(A) annual agency budgets;
‘(B) information resources management of this subchapter;
‘(C) information technology management under this chapter;
‘(D) program performance under sections 1105 and 1115 through 1119 of title 31, and sections 2801 and 2805 of title 39;
‘(E) financial management under chapter 9 of title 31, and the Chief Financial Officers Act of 1990 (31 U.S.C. 501 note; Public Law 101-576) (and the amendments made by that Act);
‘(F) financial management systems under the Federal Financial Management Improvement Act (31 U.S.C. 3512 note);
‘(G) internal accounting and administrative controls under section 3512 of title 31; and
‘(H) performance ratings, salaries, and bonuses provided to the Chief Information Security Officer and supporting personnel taking into account program performance; and
‘(3) report any significant deficiency in a policy, procedure, or practice identified under paragraph (1) or (2)--
‘(A) as a material weakness in reporting under section 3512 of title 31; and
‘(B) if relating to financial management systems, as an instance of a lack of substantial compliance under the Federal Financial Management Improvement Act (31 U.S.C. 3512 note).
‘(d)(1) In addition to the requirements of subsection (c), each agency, in consultation with the National Office for Cyberspace, shall include as part of the performance plan required under section 1115 of title 31 a description of--
‘(A) the time periods; and
‘(B) the resources, including budget, staffing, and training, that are necessary to implement the program required under subsection (b).
‘(2) The description under paragraph (1) shall be based on the risk assessments required under subsection (b)(2)(1) and operational evaluations required under section 3553(d).
‘(e) Each agency shall provide the public with timely notice and opportunities for comment on proposed information security policies and procedures to the extent that such policies and procedures affect communication with the public.
‘Sec. 3555. Annual independent evaluation
‘(a)(1) Each year each agency shall have performed an independent evaluation of the information security program and practices of that agency to determine the effectiveness of such program and practices.
‘(2) Each evaluation under this section shall consist of--
‘(A) testing of the effectiveness of information security policies, procedures, and practices of a representative subset of the information systems of the agency; and
‘(B) an assessment (made on the basis of the results of the testing) of compliance with--
‘(i) the requirements of this subchapter; and
‘(ii) related information security policies, procedures, standards, and guidelines.
‘(b)(1) For each agency with an Inspector General appointed under the Inspector General Act of 1978 (5 U.S.C. App.) or any other law, the annual evaluation required by this section shall be performed by the Inspector General or by an independent external auditor, as determined by the Inspector General of the agency.
‘(2) For each agency to which paragraph (1) does not apply, the head of the agency shall engage an independent external auditor to perform the evaluation.
‘(c) The evaluation required by this section may be based in whole or in part on an audit, evaluation, or report relating to programs or practices of the applicable agency.
‘(d) Each year, not later than such date established by the Director, the head of each agency shall submit to the Director the results of the evaluation required under this section.
‘(e) Agencies and evaluators shall take appropriate steps to ensure the protection of information which, if disclosed, may adversely affect information security. Such protections shall be commensurate with the risk and comply with all applicable laws and regulations.
‘(f) The Comptroller General shall--
‘(1) not later than 180 days after the date of enactment of the United States Communications and Information Enhancement Act of 2009 and after collaboration with the Director and the Inspectors General, develop and deliver standards for independent evaluations as required under this section that are risk-based and cost effective;
‘(2) periodically evaluate and report to Congress on--
‘(A) the adequacy and effectiveness of agency information security policies and practices; and
‘(B) the implementation of the requirements of this subchapter.
‘Sec. 3556. Responsibilities for Federal information systems standards
‘(a)(1) The Secretary of Commerce shall, on the basis of standards and guidelines developed by the National Institute of Standards and Technology under paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(a)), prescribe standards and guidelines pertaining to information systems, including national security systems.
‘(2)(A) Standards prescribed under subsection (a)(1) shall include information security standards that--
‘(i) to the extent practicable, are unified with standards and guidelines developed for information systems and national security systems to ensure the adequacy and effectiveness of information security and information sharing;
‘(ii) provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(b)); and
‘(iii) are otherwise necessary to improve the security of information and information systems, including information stored by third parties on behalf of the Federal Government.
‘(B) Information security standards described in subparagraph (A) shall be compulsory and binding.
‘(b) The President may disapprove or modify the standards and guidelines referred to in subsection (a)(1) if the President determines such action to be in the public interest. The President’s authority to disapprove or modify such standards and guidelines may not be delegated. Notice of such disapproval or modification shall be published promptly in the Federal Register. Upon receiving notice of such disapproval or modification, the Secretary of Commerce shall immediately rescind or modify such standards or guidelines as directed by the President.
‘(c) To ensure fiscal and policy consistency, the Secretary shall exercise the authority conferred by this section subject to direction by the President and in coordination with the Director of the Office of Management and Budget and the National Office for Cyberspace.
‘(d) The National Office for Cyberspace and the head of an agency may employ standards for the cost effective information security for information systems within or under the supervision of that agency that are more stringent than the standards the Secretary prescribes under this section if the more stringent standards--
‘(1) contain at least the applicable standards made compulsory and binding by the Secretary; and
‘(2) are otherwise consistent with policies and guidelines issued under section 3553.
‘(e) The decision by the Secretary regarding the promulgation of any standard under this section shall occur not later than 6 months after the submission of the proposed standard to the Secretary by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3).’.
SEC. 4. AUTHORITY AND RESPONSIBILITY OF THE UNITED STATES COMPUTER EMERGENCY READINESS TEAM IN RELATION TO FEDERAL AGENCIES.
(a) Definition- In this section:
(1) The term ‘agency’ has the meaning given under
(2) The term ‘US-CERT’ means the United States Computer Emergency Readiness Team.
(b) Purposes- The purposes of this section are to recognize that US-CERT--
(1) is charged with providing response support and defense against cyber attacks for agencies and information sharing and collaboration with State and local government, industry, and international partners;
(2) interacts with agencies, industry, the research community, State and local governments, and others to disseminate reasoned and actionable cyber security information to the public;
(3) provides a way for citizens, businesses, and other institutions to communicate and coordinate directly with the United States Government about cyber security; and
(4) has continually enhanced its ability to monitor, detect, and respond to information security incidents that affect the Federal Government.
(c) Coordination With US-CERT- The head of each agency shall ensure that the Chief Information Officer, Chief Information Security Officer, and security operations centers under the direction of that agency head shall establish policies, procedures, and guidance to effectively coordinate with the Director of US-CERT in a timely fashion to detect, report, respond to, contain, and mitigate incidents that impair adequate security of the information and information infrastructure.
(d) Review and Approval- In coordination with the Administrator for Electronic Government and Information Technology, the Director of the National Office for Cyberspace shall review and approve the policies, procedures, and guidance established in subparagraph (c) to ensure that US-CERT has the capability to effectively and efficiently detect, correlate, respond to, contain, and mitigate incidents that impair the adequate security of the information and information infrastructure of more than 1 agency. To the extent practicable, the capability shall be continuous and technically automated.
(e) Security Clearances; Experts and Consultants- Notwithstanding any provision of law, regulation, rule, or policy to the contrary, the Director of US-CERT may--
(1) direct the sponsorship of the security clearances for Federal officers and employees (including experts and consultants employed under section 3109) whose responsibilities involve critical infrastructure in the interest of national security; and
(2) employ experts and consultants under section 3109 for cyber security-related work.
SEC. 5. AUTHORITY AND RESPONSIBILITY OF DEPARTMENTS NOT RELATED TO MILITARY FUNCTIONS.
(a) Definitions- In this section:
(1) AGENCY- The term ‘agency’--
(A) means--
(i) an Executive department defined under
(ii) an Executive agency that has multiple components which have separate and distinct enterprise architectures; and
(B) shall not include--
(i) the Department of Defense; or
(ii) any component of an Executive agency that is performing any national security function, including military intelligence.
(2) EXECUTIVE AGENCY- The term ‘Executive agency’ has the meaning given under
(b) Purpose- The purpose of this section is to recognize that--
(1) agencies have developed and maintained separate and distinct enterprise architectures that inhibit the ability of an agency to ensure that components of that agency have effectively implemented security policies, procedures, and practices;
(2) the separate and distinct enterprise architectures have in many instances been at the detriment of securing the agency information infrastructure (the civilian cyberspace) and exposed that infrastructure to unnecessary risk for an extended period of time; and
(3) a more uniform agency enterprise architecture will be more efficient and effective for the purposes of information sharing and ensuring the appropriate confidentiality, integrity, and availability of information and information systems.
(c) Agency Coordination-
(1) IN GENERAL- Not later than 1 year after the date of enactment of this Act, the head of each agency shall ensure that components of that agency shall establish an automated reporting mechanism that allows the Chief Information Security Officer and security operations center at the total agency level to implement and monitor the implementation of appropriate security policies, procedures, and controls of agency components.
(2) APPROVAL AND COORDINATION- The activities conducted under paragraph (1) shall be--
(A) approved by the Director of the National Office for Cyberspace; and
(B) to the extent practicable, in coordination and complementary with activities--
(i) described under section 4; and
(ii) conducted by the Administrator for E-Government and Information Technology.
SEC. 6. TECHNICAL AND CONFORMING AMENDMENTS.
(a) Table of Sections- The table of sections for chapter 35 of title 44, United States Code, is amended by striking the matter relating to subchapters II and III and inserting the following:
‘subchapter ii--information security
‘Sec. 3551. Definitions.
‘Sec. 3552. National Office for Cyberspace.
‘Sec. 3553. Authority and functions of the National Office for Cyberspace.
‘Sec. 3554. Agency responsibilities.
‘Sec. 3555. Annual independent evaluation.
‘Sec. 3556. Responsibilities for Federal information systems standards.’.
(b) Other References-
(1) Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(c)(1)(A)) is amended by striking ‘section 3532(3)’ and inserting ‘section 3551(b)’.
(2) Section 2222(j)(6) of title 10, United States Code, is amended by striking ‘section 3542(b)(2))’ and inserting ‘section 3551(b)’.
(3) Section 2223(c)(3) of title 10, United States Code, is amended by striking ‘section 3542(b)(2))’ and inserting ‘section 3551(b)’.
(4) Section 2315 of title 10, United States Code, is amended by striking ‘section 3542(b)(2))’ and inserting ‘section 3551(b)’.
(5) Section 20(a)(2) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) is amended by striking ‘section 3532(b)(2)’ and inserting ‘section 3551(b)’.
(6) Section 8(d)(1) of the Cyber Security Research and Development Act (15 U.S.C. 7406(d)(1)) is amended by striking ‘section 3534(b)’ and inserting ‘section 3554(b)’.
SEC. 7. EFFECTIVE DATE.
This Act (including the amendments made by this Act) shall take effect 30 days after the date of enactment of this Act.
U.S. Congress - Text of S.921 as Introduced in Senate United States Information and Communications Enhancement Act of 2009