U.S. Congress - Text of H.R.1136 as Introduced in House Executive Cyberspace Coordination Act of 2011
The easiest way to email your members of Congress
Donate NowH.R.1136 - Executive Cyberspace Coordination Act of 2011
To amend chapter 35 of title 44, United States Code, to create the National Office for Cyberspace, to revise requirements relating to Federal information security, and for other purposes.
Loading Bill Text
Rollover any line of text to comment and/or link to it.
HR 1136 IHCommentsClose CommentsPermalink
112th CONGRESSCommentsClose CommentsPermalink
1st SessionCommentsClose CommentsPermalink
H. R. 1136CommentsClose CommentsPermalink
To amend chapter 35 of title 44, United States Code, to create the National Office for Cyberspace, to revise requirements relating to Federal information security, and for other purposes.CommentsClose CommentsPermalink
IN THE HOUSE OF REPRESENTATIVESCommentsClose CommentsPermalink
March 16, 2011CommentsClose CommentsPermalink
March 16, 2011CommentsClose CommentsPermalink
Mr. LANGEVIN (for himself, Mr. BARTLETT, Mr. RUPPERSBERGER, Ms. LORETTA SANCHEZ of California, Mr. ANDREWS, and Mr. DICKS) introduced the following bill; which was referred to the Committee on Oversight and Government Reform, and in addition to the Committee on Homeland Security, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concernedCommentsClose CommentsPermalink
A BILLCommentsClose CommentsPermalink
To amend chapter 35 of title 44, United States Code, to create the National Office for Cyberspace, to revise requirements relating to Federal information security, and for other purposes.CommentsClose CommentsPermalink
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,CommentsClose CommentsPermalink
SECTION 1. SHORT TITLE.
(a) Short Title- This Act may be cited as the ‘Executive Cyberspace Coordination Act of 2011’.CommentsClose CommentsPermalink
(b) Table of Contents- The table of contents for this Act is as follows:CommentsClose CommentsPermalink
Sec. 1. Short title.CommentsClose CommentsPermalink
TITLE I--FEDERAL INFORMATION SECURITY AMENDMENTS
Sec. 101. Coordination of Federal information policy.CommentsClose CommentsPermalink
Sec. 102. Information security acquisition requirements.CommentsClose CommentsPermalink
Sec. 103. Technical and conforming amendments.CommentsClose CommentsPermalink
Sec. 104. Effective date.CommentsClose CommentsPermalink
TITLE II--FEDERAL CHIEF TECHNOLOGY OFFICER
Sec. 201. Office of the Chief Technology Officer.CommentsClose CommentsPermalink
TITLE III--STRENGTHENING CYBERSECURITY FOR CRITICAL INFRASTRUCTURE
Sec. 301. Definitions.CommentsClose CommentsPermalink
Sec. 302. Authority of Secretary.CommentsClose CommentsPermalink
TITLE I--FEDERAL INFORMATION SECURITY AMENDMENTSCommentsClose CommentsPermalink
TITLE I--FEDERAL INFORMATION SECURITY AMENDMENTSCommentsClose CommentsPermalink
SEC. 101. COORDINATION OF FEDERAL INFORMATION POLICY.
Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting the following:CommentsClose CommentsPermalink
‘SUBCHAPTER II--INFORMATION SECURITY
‘Sec. 3551. Purposes
‘The purposes of this subchapter are to--CommentsClose CommentsPermalink
‘(1) provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets;CommentsClose CommentsPermalink
‘(2) recognize the highly networked nature of the current Federal computing environment and provide effective Governmentwide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities;CommentsClose CommentsPermalink
‘(3) provide for development and maintenance of minimum controls required to protect Federal information and information infrastructure;CommentsClose CommentsPermalink
‘(4) provide a mechanism for improved oversight of Federal agency information security programs;CommentsClose CommentsPermalink
‘(5) acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions, reflecting market solutions for the protection of critical information infrastructures important to the national defense and economic security of the Nation that are designed, built, and operated by the private sector; andCommentsClose CommentsPermalink
‘(6) recognize that the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.CommentsClose CommentsPermalink
‘Sec. 3552. Definitions
‘(a) Section 3502 Definitions- Except as provided under subsection (b), the definitions under section 3502 shall apply to this subchapter.CommentsClose CommentsPermalink
‘(b) Additional Definitions- In this subchapter:CommentsClose CommentsPermalink
‘(1) The term ‘adequate security’ means security that complies with the regulations promulgated under section 3554 and the standards promulgated under section 3558.CommentsClose CommentsPermalink
‘(2) The term ‘incident’ means an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system, information infrastructure, or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.CommentsClose CommentsPermalink
‘(3) The term ‘information infrastructure’ means the underlying framework that information systems and assets rely on in processing, storing, or transmitting information electronically.CommentsClose CommentsPermalink
‘(4) The term ‘information security’ means protecting information and information infrastructure from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide--CommentsClose CommentsPermalink
‘(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;CommentsClose CommentsPermalink
‘(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information;CommentsClose CommentsPermalink
‘(C) availability, which means ensuring timely and reliable access to and use of information; andCommentsClose CommentsPermalink
‘(D) authentication, which means using digital credentials to assure the identity of users and validate access of such users.CommentsClose CommentsPermalink
‘(5) The term ‘information technology’ has the meaning given that term in section 11101 of title 40.CommentsClose CommentsPermalink
‘(6)(A) The term ‘national security system’ means any information infrastructure (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency--CommentsClose CommentsPermalink
‘(i) the function, operation, or use of which--CommentsClose CommentsPermalink
‘(I) involves intelligence activities;CommentsClose CommentsPermalink
‘(II) involves cryptologic activities related to national security;CommentsClose CommentsPermalink
‘(III) involves command and control of military forces;CommentsClose CommentsPermalink
‘(IV) involves equipment that is an integral part of a weapon or weapons system; orCommentsClose CommentsPermalink
‘(V) subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; orCommentsClose CommentsPermalink
‘(ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.CommentsClose CommentsPermalink
‘(B) Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).CommentsClose CommentsPermalink
‘Sec. 3553. National Office for Cyberspace
‘(a) Establishment- There is established within the Executive Office of the President an office to be known as the National Office for Cyberspace.CommentsClose CommentsPermalink
‘(b) Director-CommentsClose CommentsPermalink
‘(1) IN GENERAL- There shall be at the head of the National Office for Cyberspace a Director, who shall be appointed by the President by and with the advice and consent of the Senate. The Director of the National Office for Cyberspace shall administer all functions designated to such Director under this subchapter and collaborate to the extent practicable with the heads of appropriate agencies, the private sector, and international partners. The Office shall serve as the principal office for coordinating issues relating to cyberspace, including achieving an assured, reliable, secure, and survivable information infrastructure and related capabilities for the Federal Government, while promoting national economic interests, security, and civil liberties.CommentsClose CommentsPermalink
‘(2) BASIC PAY- The Director of the National Office for Cyberspace shall be paid at the rate of basic pay for level III of the Executive Schedule.CommentsClose CommentsPermalink
‘(c) Staff- The Director of the National Office for Cyberspace may appoint and fix the pay of additional personnel as the Director considers appropriate.CommentsClose CommentsPermalink
‘(d) Experts and Consultants- The Director of the National Office for Cyberspace may procure temporary and intermittent services under section 3109(b) of title 5.CommentsClose CommentsPermalink
‘Sec. 3554. Federal Cybersecurity Practice Board
‘(a) Establishment- Within the National Office for Cyberspace, there shall be established a board to be known as the ‘Federal Cybersecurity Practice Board’ (in this section referred to as the ‘Board’).CommentsClose CommentsPermalink
‘(b) Members- The Board shall be chaired by the Director of the National Office for Cyberspace and consist of not more than 10 members, with at least one representative from--CommentsClose CommentsPermalink
‘(1) the Office of Management and Budget;CommentsClose CommentsPermalink
‘(2) civilian agencies;CommentsClose CommentsPermalink
‘(3) the Department of Defense;CommentsClose CommentsPermalink
‘(4) the Federal law enforcement community;CommentsClose CommentsPermalink
‘(5) the Federal Chief Technology Office; andCommentsClose CommentsPermalink
‘(6) such additional military and civilian agencies as the Director considers appropriate.CommentsClose CommentsPermalink
‘(c) Responsibilities-CommentsClose CommentsPermalink
‘(1) DEVELOPMENT OF POLICIES AND PROCEDURES- Subject to the authority, direction, and control of the Director of the National Office for Cyberspace, the Board shall be responsible for developing and periodically updating information security policies and procedures relating to the matters described in paragraph (2). In developing such policies and procedures, the Board shall require that all matters addressed in the policies and procedures are consistent, to the maximum extent practicable and in accordance with applicable law, among the civilian, military, intelligence, and law enforcement communities.CommentsClose CommentsPermalink
‘(2) SPECIFIC MATTERS COVERED IN POLICIES AND PROCEDURES-CommentsClose CommentsPermalink
‘(A) MINIMUM SECURITY CONTROLS- The Board shall be responsible for developing and periodically updating information security policies and procedures relating to minimum security controls for information technology, in order to--CommentsClose CommentsPermalink
‘(i) provide Governmentwide protection of Government-networked computers against common attacks; andCommentsClose CommentsPermalink
‘(ii) provide agencywide protection against threats, vulnerabilities, and other risks to the information infrastructure within individual agencies.CommentsClose CommentsPermalink
‘(B) MEASURES OF EFFECTIVENESS- The Board shall be responsible for developing and periodically updating information security policies and procedures relating to measurements needed to assess the effectiveness of the minimum security controls referred to in subparagraph (A). Such measurements shall include a risk scoring system to evaluate risk to information security both Governmentwide and within contractors of the Federal Government.CommentsClose CommentsPermalink
‘(C) PRODUCTS AND SERVICES- The Board shall be responsible for developing and periodically updating information security policies, procedures, and minimum security standards relating to criteria for products and services to be used in agency information systems and information infrastructure that will meet the minimum security controls referred to in subparagraph (A). In carrying out this subparagraph, the Board shall act in consultation with the Office of Management and Budget and the General Services Administration.CommentsClose CommentsPermalink
‘(D) REMEDIES- The Board shall be responsible for developing and periodically updating information security policies and procedures relating to methods for providing remedies for security deficiencies identified in agency information infrastructure.CommentsClose CommentsPermalink
‘(3) ADDITIONAL CONSIDERATIONS- The Board shall also consider--CommentsClose CommentsPermalink
‘(A) opportunities to engage with the international community to set policies, principles, training, standards, or guidelines for information security;CommentsClose CommentsPermalink
‘(B) opportunities to work with agencies and industry partners to increase information sharing and policy coordination efforts in order to reduce vulnerabilities in the national information infrastructure; andCommentsClose CommentsPermalink
‘(C) options necessary to encourage and maintain accountability of any agency, or senior agency official, for efforts to secure the information infrastructure of such agency.CommentsClose CommentsPermalink
‘(4) RELATIONSHIP TO OTHER STANDARDS- The policies and procedures developed under paragraph (1) are supplemental to the standards promulgated by the Director of the National Office for Cyberspace under section 3558.CommentsClose CommentsPermalink
‘(5) RECOMMENDATIONS FOR REGULATIONS- The Board shall be responsible for making recommendations to the Director of the National Office for Cyberspace on regulations to carry out the policies and procedures developed by the Board under paragraph (1).CommentsClose CommentsPermalink
‘(d) Regulations- The Director of the National Office for Cyberspace, in consultation with the Director of the Office of Management and the Administrator of General Services, shall promulgate and periodically update regulations to carry out the policies and procedures developed by the Board under subsection (c).CommentsClose CommentsPermalink
‘(e) Annual Report- The Director of the National Office for Cyberspace shall provide to Congress a report containing a summary of agency progress in implementing the regulations promulgated under this section as part of the annual report to Congress required under section 3555(a)(8).CommentsClose CommentsPermalink
‘(f) No Disclosure by Board Required- The Board is not required to disclose under section 552 of title 5 information submitted by agencies to the Board regarding threats, vulnerabilities, and risks.CommentsClose CommentsPermalink
‘Sec. 3555. Authority and functions of the Director of the National Office for Cyberspace
‘(a) In General- The Director of the National Office for Cyberspace shall oversee agency information security policies and practices, including--CommentsClose CommentsPermalink
‘(1) developing and overseeing the implementation of policies, principles, standards, and guidelines on information security, including through ensuring timely agency adoption of and compliance with standards promulgated under section 3558;CommentsClose CommentsPermalink
‘(2) requiring agencies, consistent with the standards promulgated under section 3558 and other requirements of this subchapter, to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of--CommentsClose CommentsPermalink
‘(A) information collected or maintained by or on behalf of an agency; orCommentsClose CommentsPermalink
‘(B) information infrastructure used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;CommentsClose CommentsPermalink
‘(3) coordinating the development of standards and guidelines under section 20 of the National Institute of Standards and Technology Act (
15 U.S.C. 278g-3 ) with agencies and offices operating or exercising control of national security systems (including the National Security Agency) to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems;CommentsClose CommentsPermalink‘(4) overseeing agency compliance with the requirements of this subchapter, including through any authorized action under section 11303 of title 40, to enforce accountability for compliance with such requirements;CommentsClose CommentsPermalink
‘(5) reviewing at least annually, and approving or disapproving, agency information security programs required under section 3556(b);CommentsClose CommentsPermalink
‘(6) coordinating information security policies and procedures of the Federal Government with related information resources management policies and procedures on the security and resiliency of cyberspace;CommentsClose CommentsPermalink
‘(7) overseeing the operation of the Federal information security incident center required under section 3559;CommentsClose CommentsPermalink
‘(8) reporting to Congress no later than March 1 of each year on agency compliance with the requirements of this subchapter, including--CommentsClose CommentsPermalink
‘(A) a summary of the findings of audits required by section 3557;CommentsClose CommentsPermalink
‘(B) an assessment of the development, promulgation, and adoption of, and compliance with, standards developed under section 20 of the National Institute of Standards and Technology Act (
15 U.S.C. 278g-3 ) and promulgated under section 3558;CommentsClose CommentsPermalink‘(C) significant deficiencies in agency information security practices;CommentsClose CommentsPermalink
‘(D) planned remedial action to address such deficiencies; andCommentsClose CommentsPermalink
‘(E) a summary of, and the views of the Director of the National Office for Cyberspace on, the report prepared by the National Institute of Standards and Technology under section 20(d)(10) of the National Institute of Standards and Technology Act (
15 U.S.C. 278g-3 );CommentsClose CommentsPermalink‘(9) coordinating the defense of information infrastructure operated by agencies in the case of a large-scale attack on information infrastructure, as determined by the Director;CommentsClose CommentsPermalink
‘(10) establishing a national strategy not later than 120 days after the date of the enactment of this section;CommentsClose CommentsPermalink
‘(11) coordinating information security training for Federal employees with the Office of Personnel Management;CommentsClose CommentsPermalink
‘(12) ensuring the adequacy of protections for privacy and civil liberties in carrying out the responsibilities of the Director under this subchapter;CommentsClose CommentsPermalink
‘(13) making recommendations that the Director determines are necessary to ensure risk-based security of the Federal information infrastructure and information infrastructure that is owned, operated, controlled, or licensed for use by, or on behalf of, the Department of Defense, a military department, or another element of the intelligence community to--CommentsClose CommentsPermalink
‘(A) the Director of the Office of Management and Budget;CommentsClose CommentsPermalink
‘(B) the head of an agency; orCommentsClose CommentsPermalink
‘(C) to Congress with regard to the reprogramming of funds;CommentsClose CommentsPermalink
‘(14) ensuring, in consultation with the Administrator of the Office of Information and Regulatory Affairs, that the efforts of agencies relating to the development of regulations, rules, requirements, or other actions applicable to the national information infrastructure are complementary;CommentsClose CommentsPermalink
‘(15) when directed by the President, carrying out the responsibilities for national security and emergency preparedness communications described in section 706 of the Communications Act of 1934 (
47 U.S.C. 606 ) to ensure integration and coordination; andCommentsClose CommentsPermalink‘(16) as assigned by the President, other duties relating to the security and resiliency of cyberspace.CommentsClose CommentsPermalink
‘(b) Recruitment Program- Not later than 1 year after appointment, the Director of the National Office for Cyberspace shall establish a national program to conduct competitions and challenges that instruct United States students in cybersecurity education and computer literacy.CommentsClose CommentsPermalink
‘(c) Budget Oversight and Reporting- (1) The head of each agency shall submit to the Director of the National Office for Cyberspace a budget each year for the following fiscal year relating to the protection of information infrastructure for such agency, by a date determined by the Director that is before the submission of such budget by the head of the agency to the Office of Management and Budget.CommentsClose CommentsPermalink
‘(2) The Director shall review and offer a non-binding approval or disapproval of each agency’s annual budget to each such agency before the submission of such budget by the head of the agency to the Office of Management and Budget.CommentsClose CommentsPermalink
‘(3) If the Director offers a non-binding disapproval of an agency’s budget, the Director shall transmit recommendations to the head of such agency for strengthening its proposed budget with regard to the protection of such agency’s information infrastructure.CommentsClose CommentsPermalink
‘(4) Each budget submitted by the head of an agency pursuant to paragraph (1) shall include--CommentsClose CommentsPermalink
‘(A) a review of any threats to information technology for such agency;CommentsClose CommentsPermalink
‘(B) a plan to secure the information infrastructure for such agency based on threats to information technology, using the National Institute of Standards and Technology guidelines and recommendations;CommentsClose CommentsPermalink
‘(C) a review of compliance by such agency with any previous year plan described in subparagraph (B); andCommentsClose CommentsPermalink
‘(D) a report on the development of the credentialing process to enable secure authentication of identity and authorization for access to the information infrastructure of such agency.CommentsClose CommentsPermalink
‘(5) The Director of the National Office for Cyberspace may recommend to the President monetary penalties or incentives necessary to encourage and maintain accountability of any agency, or senior agency official, for efforts to secure the information infrastructure of such agency.CommentsClose CommentsPermalink
‘Sec. 3556. Agency responsibilities
‘(a) In General- The head of each agency shall--CommentsClose CommentsPermalink
‘(1) be responsible for--CommentsClose CommentsPermalink
‘(A) providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of--CommentsClose CommentsPermalink
‘(i) information collected or maintained by or on behalf of the agency; andCommentsClose CommentsPermalink
‘(ii) information infrastructure used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;CommentsClose CommentsPermalink
‘(B) complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines, including--CommentsClose CommentsPermalink
‘(i) the regulations promulgated under section 3554 and the information security standards promulgated under section 3558;CommentsClose CommentsPermalink
‘(ii) information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; andCommentsClose CommentsPermalink
‘(iii) ensuring the standards implemented for information infrastructure and national security systems under the agency head are complementary and uniform, to the extent practicable; andCommentsClose CommentsPermalink
‘(C) ensuring that information security management processes are integrated with agency strategic and operational planning processes;CommentsClose CommentsPermalink
‘(2) ensure that senior agency officials provide information security for the information and information infrastructure that support the operations and assets under their control, including through--CommentsClose CommentsPermalink
‘(A) assessing the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information infrastructure;CommentsClose CommentsPermalink
‘(B) determining the levels of information security appropriate to protect such information and information infrastructure in accordance with regulations promulgated under section 3554 and standards promulgated under section 3558, for information security classifications and related requirements;CommentsClose CommentsPermalink
‘(C) implementing policies and procedures to cost effectively reduce risks to an acceptable level; andCommentsClose CommentsPermalink
‘(D) continuously testing and evaluating information security controls and techniques to ensure that they are effectively implemented;CommentsClose CommentsPermalink
‘(3) delegate to an agency official, designated as the ‘Chief Information Security Officer’, under the authority of the agency Chief Information Officer the responsibility to oversee agency information security and the authority to ensure and enforce compliance with the requirements imposed on the agency under this subchapter, including--CommentsClose CommentsPermalink
‘(A) overseeing the establishment and maintenance of a security operations capability on an automated and continuous basis that can--CommentsClose CommentsPermalink
‘(i) assess the state of compliance of all networks and systems with prescribed controls issued pursuant to section 3558 and report immediately any variance therefrom and, where appropriate and with the approval of the agency Chief Information Officer, shut down systems that are found to be non-compliant;CommentsClose CommentsPermalink
‘(ii) detect, report, respond to, contain, and mitigate incidents that impair adequate security of the information and information infrastructure, in accordance with policy provided by the Director of the National Office for Cyberspace, in consultation with the Chief Information Officers Council, and guidance from the National Institute of Standards and Technology;CommentsClose CommentsPermalink
‘(iii) collaborate with the National Office for Cyberspace and appropriate public and private sector security operations centers to address incidents that impact the security of information and information infrastructure that extend beyond the control of the agency; andCommentsClose CommentsPermalink
‘(iv) not later than 24 hours after discovery of any incident described under subparagraph (A)(ii), unless otherwise directed by policy of the National Office for Cyberspace, provide notice to the appropriate security operations center, the National Cyber Investigative Joint Task Force, and the Inspector General of the agency;CommentsClose CommentsPermalink
‘(B) developing, maintaining, and overseeing an agency wide information security program as required by subsection (b);CommentsClose CommentsPermalink
‘(C) developing, maintaining, and overseeing information security policies, procedures, and control techniques to address all applicable requirements, including those issued under sections 3555 and 3558;CommentsClose CommentsPermalink
‘(D) training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; andCommentsClose CommentsPermalink
‘(E) assisting senior agency officials concerning their responsibilities under paragraph (2);CommentsClose CommentsPermalink
‘(4) ensure that the agency has trained and cleared personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines;CommentsClose CommentsPermalink
‘(5) ensure that the Chief Information Security Officer, in coordination with other senior agency officials, reports biannually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions; andCommentsClose CommentsPermalink
‘(6) ensure that the Chief Information Security Officer possesses necessary qualifications, including education, professional certifications, training, experience, and the security clearance required to administer the functions described under this subchapter; and has information security duties as the primary duty of that official.CommentsClose CommentsPermalink
‘(b) Agency Program- Each agency shall develop, document, and implement an agencywide information security program, approved by the Director of the National Office for Cyberspace under section 3555(a)(5), to provide information security for the information and information infrastructure that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source, that includes--CommentsClose CommentsPermalink
‘(1) continuous automated technical monitoring of information infrastructure used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency to assure conformance with regulations promulgated under section 3554 and standards promulgated under section 3558;CommentsClose CommentsPermalink
‘(2) testing of the effectiveness of security controls that are commensurate with risk (as defined by the National Institute of Standards and Technology and the National Office for Cyberspace) for agency information infrastructure;CommentsClose CommentsPermalink
‘(3) policies and procedures that--CommentsClose CommentsPermalink
‘(A) mitigate and remediate, to the extent practicable, information security vulnerabilities based on the risk posed to the agency;CommentsClose CommentsPermalink
‘(B) cost effectively reduce information security risks to an acceptable level;CommentsClose CommentsPermalink
‘(C) ensure that information security is addressed throughout the life cycle of each agency information system and information infrastructure;CommentsClose CommentsPermalink
‘(D) ensure compliance with--CommentsClose CommentsPermalink
‘(i) the requirements of this subchapter;CommentsClose CommentsPermalink
‘(ii) policies and procedures as may be prescribed by the Director of the National Office for Cyberspace, and information security standards promulgated under section 3558;CommentsClose CommentsPermalink
‘(iii) minimally acceptable system configuration requirements, as determined by the Director of the National Office for Cyberspace; andCommentsClose CommentsPermalink
‘(iv) any other applicable requirements, including--CommentsClose CommentsPermalink
‘(I) standards and guidelines for national security systems issued in accordance with law and as directed by the President;CommentsClose CommentsPermalink
‘(II) the policy of the Director of the National Office for Cyberspace;CommentsClose CommentsPermalink
‘(III) the National Institute of Standards and Technology guidance; andCommentsClose CommentsPermalink
‘(IV) the Chief Information Officers Council recommended approaches;CommentsClose CommentsPermalink
‘(E) develop, maintain, and oversee information security policies, procedures, and control techniques to address all applicable requirements, including those issued under sections 3555 and 3558; andCommentsClose CommentsPermalink
‘(F) ensure the oversight and training of personnel with significant responsibilities for information security with respect to such responsibilities;CommentsClose CommentsPermalink
‘(4) ensuring that the agency has trained and cleared personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines;CommentsClose CommentsPermalink
‘(5) to the extent practicable, automated and continuous technical monitoring for testing, and evaluation of the effectiveness and compliance of information security policies, procedures, and practices, including--CommentsClose CommentsPermalink
‘(A) management, operational, and technical controls of every information infrastructure identified in the inventory required under section 3505(b); andCommentsClose CommentsPermalink
‘(B) management, operational, and technical controls relied on for an evaluation under section 3556;CommentsClose CommentsPermalink
‘(6) a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;CommentsClose CommentsPermalink
‘(7) to the extent practicable, continuous automated technical monitoring for detecting, reporting, and responding to security incidents, consistent with standards and guidelines issued by the Director of the National Office for Cyberspace, including--CommentsClose CommentsPermalink
‘(A) mitigating risks associated with such incidents before substantial damage is done;CommentsClose CommentsPermalink
‘(B) notifying and consulting with the appropriate security operations response center; andCommentsClose CommentsPermalink
‘(C) notifying and consulting with, as appropriate--CommentsClose CommentsPermalink
‘(i) law enforcement agencies and relevant Offices of Inspectors General;CommentsClose CommentsPermalink
‘(ii) the National Office for Cyberspace; andCommentsClose CommentsPermalink
‘(iii) any other agency or office, in accordance with law or as directed by the President; andCommentsClose CommentsPermalink
‘(8) plans and procedures to ensure continuity of operations for information infrastructure that support the operations and assets of the agency.CommentsClose CommentsPermalink
‘(c) Agency Reporting- Each agency shall--CommentsClose CommentsPermalink
‘(1) submit an annual report on the adequacy and effectiveness of information security policies, procedures, and practices, and compliance with the requirements of this subchapter, including compliance with each requirement of subsection (b) to--CommentsClose CommentsPermalink
‘(A) the National Office for Cyberspace;CommentsClose CommentsPermalink
‘(B) the Committee on Homeland Security and Governmental Affairs of the Senate;CommentsClose CommentsPermalink
‘(C) the Committee on Oversight and Government Reform of the House of Representatives;CommentsClose CommentsPermalink
‘(D) other appropriate authorization and appropriations committees of Congress; andCommentsClose CommentsPermalink
‘(E) the Comptroller General;CommentsClose CommentsPermalink
‘(2) address the adequacy and effectiveness of information security policies, procedures, and practices in plans and reports relating to--CommentsClose CommentsPermalink
‘(A) annual agency budgets;CommentsClose CommentsPermalink
‘(B) information resources management of this subchapter;CommentsClose CommentsPermalink
‘(C) information technology management under this chapter;CommentsClose CommentsPermalink
‘(D) program performance under sections 1105 and 1115 through 1119 of title 31, and sections 2801 and 2805 of title 39;CommentsClose CommentsPermalink
‘(E) financial management under chapter 9 of title 31, and the Chief Financial Officers Act of 1990 (
31 U.S.C. 501 note;Public Law 101-576 ) (and the amendments made by that Act);CommentsClose CommentsPermalink‘(F) financial management systems under the Federal Financial Management Improvement Act (
31 U.S.C. 3512 note); andCommentsClose CommentsPermalink‘(G) internal accounting and administrative controls under section 3512 of title 31; andCommentsClose CommentsPermalink
‘(3) report any significant deficiency in a policy, procedure, or practice identified under paragraph (1) or (2)--CommentsClose CommentsPermalink
‘(A) as a material weakness in reporting under section 3512 of title 31; andCommentsClose CommentsPermalink
‘(B) if relating to financial management systems, as an instance of a lack of substantial compliance under the Federal Financial Management Improvement Act (
31 U.S.C. 3512 note).CommentsClose CommentsPermalink‘(d) Performance Plan- (1) In addition to the requirements of subsection (c), each agency, in consultation with the National Office for Cyberspace, shall include as part of the performance plan required under section 1115 of title 31 a description of the resources, including budget, staffing, and training, that are necessary to implement the program required under subsection (b).CommentsClose CommentsPermalink
‘(2) The description under paragraph (1) shall be based on the risk assessments required under subsection (a)(2).CommentsClose CommentsPermalink
‘(e) Public Notice and Comment- Each agency shall provide the public with timely notice and opportunities for comment on proposed information security policies and procedures to the extent that such policies and procedures affect communication with the public.CommentsClose CommentsPermalink
‘Sec. 3557. Annual independent audit
‘(a) In General- (1) Each year each agency shall have performed an independent audit of the information security program and practices of that agency to determine the effectiveness of such program and practices.CommentsClose CommentsPermalink
‘(2) Each audit under this section shall include--CommentsClose CommentsPermalink
‘(A) testing of the effectiveness of the information infrastructure of the agency for automated, continuous monitoring of the state of compliance of its information infrastructure with regulations promulgated under section 3554 and standards promulgated under section 3558 in a representative subset of--CommentsClose CommentsPermalink
‘(i) the information infrastructure used or operated by the agency; andCommentsClose CommentsPermalink
‘(ii) the information infrastructure used, operated, or supported on behalf of the agency by a contractor of the agency, a subcontractor (at any tier) of such contractor, or any other entity;CommentsClose CommentsPermalink
‘(B) an assessment (made on the basis of the results of the testing) of compliance with--CommentsClose CommentsPermalink
‘(i) the requirements of this subchapter; andCommentsClose CommentsPermalink
‘(ii) related information security policies, procedures, standards, and guidelines;CommentsClose CommentsPermalink
‘(C) separate assessments, as appropriate, regarding information security relating to national security systems; andCommentsClose CommentsPermalink
‘(D) a conclusion regarding whether the information security controls of the agency are effective, including an identification of any significant deficiencies in such controls.CommentsClose CommentsPermalink
‘(3) Each audit under this section shall be performed in accordance with applicable generally accepted Government auditing standards.CommentsClose CommentsPermalink
‘(b) Independent Auditor- Subject to subsection (c)--CommentsClose CommentsPermalink
‘(1) for each agency with an Inspector General appointed under the Inspector General Act of 1978 or any other law, the annual audit required by this section shall be performed by the Inspector General or by an independent external auditor, as determined by the Inspector General of the agency; andCommentsClose CommentsPermalink
‘(2) for each agency to which paragraph (1) does not apply, the head of the agency shall engage an independent external auditor to perform the audit.CommentsClose CommentsPermalink
‘(c) National Security Systems- For each agency operating or exercising control of a national security system, that portion of the audit required by this section directly relating to a national security system shall be performed--CommentsClose CommentsPermalink
‘(1) only by an entity designated head; andCommentsClose CommentsPermalink
‘(2) in such a manner as to ensure appropriate protection for information associated with any information security vulnerability in such system commensurate with the risk and in accordance with all applicable laws.CommentsClose CommentsPermalink
‘(d) Existing Audits- The audit required by this section may be based in whole or in part on another audit relating to programs or practices of the applicable agency.CommentsClose CommentsPermalink
‘(e) Agency Reporting- (1) Each year, not later than such date established by the Director of the National Office for Cyberspace, the head of each agency shall submit to the Director the results of the audit required under this section.CommentsClose CommentsPermalink
‘(2) To the extent an audit required under this section directly relates to a national security system, the results of the audit submitted to the Director of the National Office for Cyberspace shall contain only a summary and assessment of that portion of the audit directly relating to a national security system.CommentsClose CommentsPermalink
‘(f) Protection of Information- Agencies and auditors shall take appropriate steps to ensure the protection of information which, if disclosed, may adversely affect information security. Such protections shall be commensurate with the risk and comply with all applicable laws and regulations.CommentsClose CommentsPermalink
‘(g) National Office for Cyberspace Reports to Congress- (1) The Director of the National Office for Cyberspace shall summarize the results of the audits conducted under this section in the annual report to Congress required under section 3555(a)(8).CommentsClose CommentsPermalink
‘(2) The Director’s report to Congress under this subsection shall summarize information regarding information security relating to national security systems in such a manner as to ensure appropriate protection for information associated with any information security vulnerability in such system commensurate with the risk and in accordance with all applicable laws.CommentsClose CommentsPermalink
‘(3) Audits and any other descriptions of information infrastructure under the authority and control of the Director of Central Intelligence or of National Foreign Intelligence Programs systems under the authority and control of the Secretary of Defense shall be made available to Congress only through the appropriate oversight committees of Congress, in accordance with applicable laws.CommentsClose CommentsPermalink
‘(h) Comptroller General- The Comptroller General shall periodically evaluate and report to Congress on--CommentsClose CommentsPermalink
‘(1) the adequacy and effectiveness of agency information security policies and practices; andCommentsClose CommentsPermalink
‘(2) implementation of the requirements of this subchapter.CommentsClose CommentsPermalink
‘(i) Contractor Audits- Each year each contractor that operates, uses, or supports an information system or information infrastructure on behalf of an agency and each subcontractor of such contractor--CommentsClose CommentsPermalink
‘(1) shall conduct an audit using an independent external auditor in accordance with subsection (a), including an assessment of compliance with the applicable requirements of this subchapter; andCommentsClose CommentsPermalink
‘(2) shall submit the results of such audit to such agency not later than such date established by the Agency.CommentsClose CommentsPermalink
‘Sec. 3558. Responsibilities for Federal information systems standards
‘(a) Requirement To Prescribe Standards-CommentsClose CommentsPermalink
‘(1) IN GENERAL-CommentsClose CommentsPermalink
‘(A) REQUIREMENT- Except as provided under paragraph (2), the Secretary of Commerce shall, on the basis of proposed standards developed by the National Institute of Standards and Technology pursuant to paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (
15 U.S.C. 278g-3(a) ) and in consultation with the Secretary of Homeland Security, promulgate information security standards pertaining to Federal information systems.CommentsClose CommentsPermalink‘(B) REQUIRED STANDARDS- Standards promulgated under subparagraph (A) shall include--CommentsClose CommentsPermalink
‘(i) standards that provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (
15 U.S.C. 278g-3(b) ); andCommentsClose CommentsPermalink‘(ii) such standards that are otherwise necessary to improve the efficiency of operation or security of Federal information systems.CommentsClose CommentsPermalink
‘(C) REQUIRED STANDARDS BINDING- Information security standards described under subparagraph (B) shall be compulsory and binding.CommentsClose CommentsPermalink
‘(2) STANDARDS AND GUIDELINES FOR NATIONAL SECURITY SYSTEMS- Standards and guidelines for national security systems, as defined under section 3552(b), shall be developed, promulgated, enforced, and overseen as otherwise authorized by law and as directed by the President.CommentsClose CommentsPermalink
‘(b) Application of More Stringent Standards- The head of an agency may employ standards for the cost-effective information security for all operations and assets within or under the supervision of that agency that are more stringent than the standards promulgated by the Secretary of Commerce under this section, if such standards--CommentsClose CommentsPermalink
‘(1) contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Secretary; andCommentsClose CommentsPermalink
‘(2) are otherwise consistent with policies and guidelines issued under section 3555.CommentsClose CommentsPermalink
‘(c) Requirements Regarding Decisions by the Secretary-CommentsClose CommentsPermalink
‘(1) DEADLINE- The decision regarding the promulgation of any standard by the Secretary of Commerce under subsection (b) shall occur not later than 6 months after the submission of the proposed standard to the Secretary by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (
15 U.S.C. 278g-3 ).CommentsClose CommentsPermalink‘(2) NOTICE AND COMMENT- A decision by the Secretary of Commerce to significantly modify, or not promulgate, a proposed standard submitted to the Secretary by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (
15 U.S.C. 278g-3 ), shall be made after the public is given an opportunity to comment on the Secretary’s proposed decision.CommentsClose CommentsPermalink
‘Sec. 3559. Federal information security incident center
‘(a) In General- The Director of the National Office for Cyberspace shall ensure the operation of a central Federal information security incident center to--CommentsClose CommentsPermalink
‘(1) provide timely technical assistance to operators of agency information systems and information infrastructure regarding security incidents, including guidance on detecting and handling information security incidents;CommentsClose CommentsPermalink
‘(2) compile and analyze information about incidents that threaten information security;CommentsClose CommentsPermalink
‘(3) inform operators of agency information systems and information infrastructure about current and potential information security threats, and vulnerabilities; andCommentsClose CommentsPermalink
‘(4) consult with the National Institute of Standards and Technology, agencies or offices operating or exercising control of national security systems (including the National Security Agency), and such other agencies or offices in accordance with law and as directed by the President regarding information security incidents and related matters.CommentsClose CommentsPermalink
‘(b) National Security Systems- Each agency operating or exercising control of a national security system shall share information about information security incidents, threats, and vulnerabilities with the Federal information security incident center to the extent consistent with standards and guidelines for national security systems, issued in accordance with law and as directed by the President.CommentsClose CommentsPermalink
‘(c) Review and Approval- In coordination with the Administrator for Electronic Government and Information Technology, the Director of the National Office for Cyberspace shall review and approve the policies, procedures, and guidance established in this subchapter to ensure that the incident center has the capability to effectively and efficiently detect, correlate, respond to, contain, mitigate, and remediate incidents that impair the adequate security of the information systems and information infrastructure of more than one agency. To the extent practicable, the capability shall be continuous and technically automated.CommentsClose CommentsPermalink
‘Sec. 3560. National security systems
‘The head of each agency operating or exercising control of a national security system shall be responsible for ensuring that the agency--CommentsClose CommentsPermalink
‘(1) provides information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information contained in such system;CommentsClose CommentsPermalink
‘(2) implements information security policies and practices as required by standards and guidelines for national security systems, issued in accordance with law and as directed by the President; andCommentsClose CommentsPermalink
‘(3) complies with the requirements of this subchapter.’.CommentsClose CommentsPermalink
SEC. 102. INFORMATION SECURITY ACQUISITION REQUIREMENTS.
Chapter 113 of title 40, United States Code, is amended by adding at the end of subchapter II the following new section:CommentsClose CommentsPermalink
‘Sec. 11319. Information security acquisition requirements.
‘(a) Prohibition- Notwithstanding any other provision of law, beginning one year after the date of the enactment of the Executive Cyberspace Coordination Act of 2011, no agency may enter into a contract, an order under a contract, or an interagency agreement for--CommentsClose CommentsPermalink
‘(1) the collection, use, management, storage, or dissemination of information on behalf of the agency;CommentsClose CommentsPermalink
‘(2) the use or operation of an information system or information infrastructure on behalf of the agency; orCommentsClose CommentsPermalink
‘(3) information technology;CommentsClose CommentsPermalink
unless such contract, order, or agreement includes requirements to provide effective information security that supports the operations and assets under the control of the agency, in compliance with the policies, standards, and guidance developed under subsection (b), and otherwise ensures compliance with this section.CommentsClose CommentsPermalink
‘(b) Coordination of Secure Acquisition Policies-CommentsClose CommentsPermalink
‘(1) IN GENERAL- The Director of the Office of Management and Budget, in consultation with the Director of the National Institute of Standards and Technology, the Director of the National Office for Cyberspace, and the Administrator of General Services, shall oversee the development and implementation of policies, standards, and guidance, including through revisions to the Federal Acquisition Regulation and the Department of Defense supplement to the Federal Acquisition Regulation, to cost effectively enhance agency information security, including--CommentsClose CommentsPermalink
‘(A) minimum information security requirements for agency procurement of information technology products and services; andCommentsClose CommentsPermalink
‘(B) approaches for evaluating and mitigating significant supply chain security risks associated with products or services to be acquired by agencies.CommentsClose CommentsPermalink
‘(2) REPORT- Not later than two years after the date of the enactment of the Executive Cyberspace Coordination Act of 2011, the Director of the Office of Management and Budget shall submit to Congress a report describing--CommentsClose CommentsPermalink
‘(A) actions taken to improve the information security associated with the procurement of products and services by the Federal Government; andCommentsClose CommentsPermalink
‘(B) plans for overseeing and coordinating efforts of agencies to use best practice approaches for cost-effectively purchasing more secure products and services.CommentsClose CommentsPermalink
‘(c) Vulnerability Assessments of Major Systems-CommentsClose CommentsPermalink
‘(1) REQUIREMENT FOR INITIAL VULNERABILITY ASSESSMENTS- The Director of the Office of Management and Budget shall require each agency to conduct an initial vulnerability assessment for any major system and its significant items of supply prior to the development of the system. The initial vulnerability assessment of a major system and its significant items of supply shall include use of an analysis-based approach to--CommentsClose CommentsPermalink
‘(A) identify vulnerabilities;CommentsClose CommentsPermalink
‘(B) define exploitation potential;CommentsClose CommentsPermalink
‘(C) examine the system’s potential effectiveness;CommentsClose CommentsPermalink
‘(D) determine overall vulnerability; andCommentsClose CommentsPermalink
‘(E) make recommendations for risk reduction.CommentsClose CommentsPermalink
‘(2) SUBSEQUENT VULNERABILITY ASSESSMENTS-CommentsClose CommentsPermalink
‘(A) The Director shall require a subsequent vulnerability assessment of each major system and its significant items of supply within a program if the Director determines that circumstances warrant the issuance of an additional vulnerability assessment.CommentsClose CommentsPermalink
‘(B) Upon the request of a congressional committee, the Director may require a subsequent vulnerability assessment of a particular major system and its significant items of supply within the program.CommentsClose CommentsPermalink
‘(C) Any subsequent vulnerability assessment of a major system and its significant items of supply shall include use of an analysis-based approach and, if applicable, a testing-based approach, to monitor the exploitation potential of such system and reexamine the factors described in subparagraphs (A) through (E) of paragraph (1).CommentsClose CommentsPermalink
‘(3) CONGRESSIONAL OVERSIGHT- The Director shall provide to the appropriate congressional committees a copy of each vulnerability assessment conducted under paragraph (1) or (2) not later than 10 days after the date of the completion of such assessment.CommentsClose CommentsPermalink
‘(d) Definitions- In this section:CommentsClose CommentsPermalink
‘(1) ITEM OF SUPPLY- The term ‘item of supply’--CommentsClose CommentsPermalink
‘(A) means any individual part, component, subassembly, assembly, or subsystem integral to a major system, and other property which may be replaced during the service life of the major system, including a spare part or replenishment part; andCommentsClose CommentsPermalink
‘(B) does not include packaging or labeling associated with shipment or identification of an item.CommentsClose CommentsPermalink
‘(2) VULNERABILITY ASSESSMENT- The term ‘vulnerability assessment’ means the process of identifying and quantifying vulnerabilities in a major system and its significant items of supply.CommentsClose CommentsPermalink
‘(3) MAJOR SYSTEM- The term ‘major system’ has the meaning given that term in section 4 of the Office of Federal Procurement Policy Act (
41 U.S.C. 403 ).’.CommentsClose CommentsPermalink
SEC. 103. TECHNICAL AND CONFORMING AMENDMENTS.
(a) Table of Sections in Title 44- The table of sections for chapter 35 of title 44, United States Code, is amended by striking the matter relating to subchapters II and III and inserting the following:CommentsClose CommentsPermalink
‘subchapter ii--information security
‘3551. Purposes.CommentsClose CommentsPermalink
‘3552. Definitions.CommentsClose CommentsPermalink
‘3553. National Office for Cyberspace.CommentsClose CommentsPermalink
‘3554. Federal Cybersecurity Practice Board.CommentsClose CommentsPermalink
‘3555. Authority and functions of the Director of the National Office for Cyberspace.CommentsClose CommentsPermalink
‘3556. Agency responsibilities.CommentsClose CommentsPermalink
‘3557. Annual independent audit.CommentsClose CommentsPermalink
‘3558. Responsibilities for Federal information systems standards.CommentsClose CommentsPermalink
‘3559. Federal information security incident center.CommentsClose CommentsPermalink
‘3560. National security systems.’.CommentsClose CommentsPermalink
(b) Table of Sections in Title 40- The table of sections for chapter 113 of title 40, United States Code, is amended by inserting after the item relating to section 11318 the following new item:CommentsClose CommentsPermalink
‘Sec. 11319. Information security acquisition requirements.’.CommentsClose CommentsPermalink
(c) Other References-CommentsClose CommentsPermalink
(1) Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (
6 U.S.C. 511(c)(1)(A) ) is amended by striking ‘section 3532(3)’ and inserting ‘section 3552(b)’.CommentsClose CommentsPermalink(2)
Section 2222(j)(6) of title 10, United States Code , is amended by striking ‘section 3542(b)(2))’ and inserting ‘section 3552(b)’.CommentsClose CommentsPermalink(3)
Section 2223(c)(3) of title 10, United States Code , is amended, by striking ‘section 3542(b)(2))’ and inserting ‘section 3552(b)’.CommentsClose CommentsPermalink(4)
Section 2315 of title 10, United States Code , is amended by striking ‘section 3542(b)(2))’ and inserting ‘section 3552(b)’.CommentsClose CommentsPermalink(5) Section 20 of the National Institute of Standards and Technology Act (
15 U.S.C. 278g-3 ) is amended--CommentsClose CommentsPermalink
(A) in subsections (a)(2) and (e)(5), by striking ‘section 3532(b)(2)’ and inserting ‘section 3552(b)’;CommentsClose CommentsPermalink
(B) in subsection (e)(2), by striking ‘section 3532(1)’ and inserting ‘section 3552(b)’; andCommentsClose CommentsPermalink
(C) in subsections (c)(3) and (d)(1), by striking ‘section 11331 of title 40’ and inserting ‘section 3558 of title 44’.CommentsClose CommentsPermalink
(6) Section 8(d)(1) of the Cyber Security Research and Development Act (
15 U.S.C. 7406(d)(1) ) is amended by striking ‘section 3534(b)’ and inserting ‘section 3556(b)’.CommentsClose CommentsPermalink(d) Repeal-CommentsClose CommentsPermalink
(1) Subchapter III of chapter 113 of title 40, United States Code, is repealed.CommentsClose CommentsPermalink
(2) The table of sections for chapter 113 of such title is amended by striking the matter relating to subchapter III.CommentsClose CommentsPermalink
(e) Executive Schedule Pay Rate-
Section 5314 of title 5, United States Code , is amended by adding at the end the following:CommentsClose CommentsPermalink
‘Director of the National Office for Cyberspace.’.CommentsClose CommentsPermalink
(f) Membership on the National Security Council- Section 101(a) of the National Security Act of 1947 (
50 U.S.C. 402(a) ) is amended--CommentsClose CommentsPermalink
(1) by redesignating paragraphs (7) and (8) as paragraphs (8) and (9), respectively; andCommentsClose CommentsPermalink
(2) by inserting after paragraph (6) the following:CommentsClose CommentsPermalink
‘(7) the Director of the National Office for Cyberspace;’.CommentsClose CommentsPermalink
SEC. 104. EFFECTIVE DATE.
(a) In General- Unless otherwise specified in this section, this title (including the amendments made by this title) shall take effect 30 days after the date of enactment of this Act.CommentsClose CommentsPermalink
(b) National Office for Cyberspace-
(c) Federal Cybersecurity Practice Board-
TITLE II--FEDERAL CHIEF TECHNOLOGY OFFICERCommentsClose CommentsPermalink
TITLE II--FEDERAL CHIEF TECHNOLOGY OFFICERCommentsClose CommentsPermalink
SEC. 201. OFFICE OF THE CHIEF TECHNOLOGY OFFICER.
(a) Establishment and Staff-CommentsClose CommentsPermalink
(1) ESTABLISHMENT-CommentsClose CommentsPermalink
(A) IN GENERAL- There is established in the Executive Office of the President an Office of the Federal Chief Technology Officer (in this section referred to as the ‘Office’).CommentsClose CommentsPermalink
(B) HEAD OF THE OFFICE-CommentsClose CommentsPermalink
(i) FEDERAL CHIEF TECHNOLOGY OFFICER- The President shall appoint a Federal Chief Technology Officer (in this section referred to as the ‘Federal CTO’) who shall be the head of the Office.CommentsClose CommentsPermalink
(ii) COMPENSATION-
‘Federal Chief Technology Officer.’.CommentsClose CommentsPermalink
(2) STAFF OF THE OFFICE- The President may appoint additional staff members to the Office.CommentsClose CommentsPermalink
(b) Duties of the Office- The functions of the Federal CTO are the following:CommentsClose CommentsPermalink
(1) Undertake fact-gathering, analysis, and assessment of the Federal Government’s information technology infrastructures, information technology strategy, and use of information technology, and provide advice on such matters to the President, heads of Federal departments and agencies, and government chief information officers and chief technology officers.CommentsClose CommentsPermalink
(2) Lead an interagency effort, working with the chief technology and chief information officers of each of the Federal departments and agencies, to develop and implement a planning process to ensure that they use best-in-class technologies, share best practices, and improve the use of technology in support of Federal Government requirements.CommentsClose CommentsPermalink
(3) Advise the President on information technology considerations with regard to Federal budgets and with regard to general coordination of the research and development programs of the Federal Government for information technology-related matters.CommentsClose CommentsPermalink
(4) Promote technological innovation in the Federal Government, and encourage and oversee the adoption of robust cross-governmental architectures and standards-based information technologies, in support of effective operational and management policies, practices, and services across Federal departments and agencies and with the public and external entities.CommentsClose CommentsPermalink
(5) Establish cooperative public-private sector partnership initiatives to achieve knowledge of technologies available in the marketplace that can be used for improving governmental operations and information technology research and development activities.CommentsClose CommentsPermalink
(6) Gather timely and authoritative information concerning significant developments and trends in information technology, and in national priorities, both current and prospective, and analyze and interpret the information for the purpose of determining whether the developments and trends are likely to affect achievement of the priority goals of the Federal Government.CommentsClose CommentsPermalink
(7) Develop, review, revise, and recommend criteria for determining information technology activities warranting Federal support, and recommend Federal policies designed to advance the development and maintenance of effective and efficient information technology capabilities, including human resources, at all levels of government, academia, and industry, and the effective application of the capabilities to national needs.CommentsClose CommentsPermalink
(8) Any other functions and activities that the President may assign to the Federal CTO.CommentsClose CommentsPermalink
(c) Policy Planning; Analysis and Advice- The Office shall serve as a source of analysis and advice for the President and heads of Federal departments and agencies with respect to major policies, plans, and programs of the Federal Government in accordance with the functions described in subsection (b).CommentsClose CommentsPermalink
(d) Coordination of the Office With Other Entities-CommentsClose CommentsPermalink
(1) FEDERAL CTO ON DOMESTIC POLICY COUNCIL- The Federal CTO shall be a member of the Domestic Policy Council.CommentsClose CommentsPermalink
(2) FEDERAL CTO ON CYBER SECURITY PRACTICE BOARD- The Federal CTO shall be a member of the Federal Cybersecurity Practice Board.CommentsClose CommentsPermalink
(3) OBTAIN INFORMATION FROM AGENCIES- The Office may secure, directly from any department or agency of the United States, information necessary to enable the Federal CTO to carry out this section. On request of the Federal CTO, the head of the department or agency shall furnish the information to the Office, subject to any applicable limitations of Federal law.CommentsClose CommentsPermalink
(4) STAFF OF FEDERAL AGENCIES- On request of the Federal CTO, to assist the Office in carrying out the duties of the Office, the head of any Federal department or agency may detail personnel, services, or facilities of the department or agency to the Office.CommentsClose CommentsPermalink
(e) Annual Report-CommentsClose CommentsPermalink
(1) PUBLICATION AND CONTENTS- The Federal CTO shall publish, in the Federal Register and on a public Internet website of the Federal CTO, an annual report that includes the following:CommentsClose CommentsPermalink
(A) Information on programs to promote the development of technological innovations.CommentsClose CommentsPermalink
(B) Recommendations for the adoption of policies to encourage the generation of technological innovations.CommentsClose CommentsPermalink
(C) Information on the activities and accomplishments of the Office in the year covered by the report.CommentsClose CommentsPermalink
(2) SUBMISSION- The Federal CTO shall submit each report under paragraph (1) to--CommentsClose CommentsPermalink
(A) the President;CommentsClose CommentsPermalink
(B) the Committee on Oversight and Government Reform of the House of Representatives;CommentsClose CommentsPermalink
(C) the Committee on Science and Technology of the House of Representatives; andCommentsClose CommentsPermalink
(D) the Committee on Commerce, Science, and Transportation of the Senate.CommentsClose CommentsPermalink
TITLE III--STRENGTHENING CYBERSECURITY FOR CRITICAL INFRASTRUCTURECommentsClose CommentsPermalink
TITLE III--STRENGTHENING CYBERSECURITY FOR CRITICAL INFRASTRUCTURECommentsClose CommentsPermalink
SEC. 301. DEFINITIONS.
In this title:CommentsClose CommentsPermalink
(1) CRITICAL INFORMATION INFRASTRUCTURE- The term ‘critical information infrastructure’ means the electronic information and communications systems, software, and assets that control, protect, process, transmit, receive, program, or store information in any form, including data, voice, and video, relied upon by critical infrastructure, industrial control systems such as supervisory control and data acquisition systems, and programmable logic controllers. This shall also include such systems of the Federal Government.CommentsClose CommentsPermalink
(2) SECRETARY- The term ‘Secretary’ means the Secretary of Homeland Security.CommentsClose CommentsPermalink
SEC. 302. AUTHORITY OF SECRETARY.
(a) In General- The Secretary shall have primary authority, in consultation with the Director of the National Office for Cyberspace and the Federal Cyberspace Practice Board, in the executive branch of the Federal Government in creation, verification, and enforcement of measures with respect to the protection of critical information infrastructure, including promulgating risk-informed information security practices and standards applicable to critical information infrastructures that are not owned by or under the direct control of the Federal Government. The Secretary should consult with appropriate private sector entities, including private owners and operators of the affected infrastructure, to carry out this section.CommentsClose CommentsPermalink
(b) Other Federal Agencies- In establishing measures with respect to the protection of critical information infrastructure the Secretary shall--CommentsClose CommentsPermalink
(1) consult with the Secretary of Commerce, the Secretary of Defense, the National Institute of Standards and Technology, and other sector specific Federal regulatory agencies in exercising the authority referred to in subsection (a); andCommentsClose CommentsPermalink
(2) coordinate, though the Executive Office of the President, with sector specific Federal regulatory agencies, including the Federal Energy Regulatory Commission, in establishing enforcement mechanisms under the authority referred to in subsection (a).CommentsClose CommentsPermalink
(c) Auditing Authority- The Secretary may--CommentsClose CommentsPermalink
(1) conduct such audits as are necessary to ensure that appropriate measures are taken to secure critical information infrastructure;CommentsClose CommentsPermalink
(2) issue such subpoenas as are necessary to determine compliance with Federal regulatory requirements for securing critical information infrastructure; andCommentsClose CommentsPermalink
(3) authorize sector specific Federal regulatory agencies to undertake such audits.CommentsClose CommentsPermalink
Vote on This Bill
-
Share This Bill
More Share via Email
OC Blog Articles Related To This Bill
- House Advances Internet Surveillance Bill Aug 04, 2011
- Reid Protects PATRIOT Act From Senators Seeking Reform May 25, 2011
- PATRIOT Act Extension Get Bipartisan Love in Senate May 24, 2011
- After Weeks of Delay, Senate Small Biz Jobs Bill in Jeopardy Apr 20, 2011
- After Surveilling Congressman, Intelligence Program Faces Investigation Apr 16, 2009