[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[S. 1993 Introduced in Senate (IS)]

106th CONGRESS
  1st Session
                                S. 1993

To reform Government information security by strengthening information security practices throughout the Federal Government.

_______________________________________________________________________

                   IN THE SENATE OF THE UNITED STATES

                           November 19, 1999

Mr. Thompson (for himself and Mr. Lieberman) introduced the following bill; which was read twice and referred to the Committee on Governmental Affairs

_______________________________________________________________________

                                 A BILL

To reform Government information security by strengthening information security practices throughout the Federal Government.

    Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Government Information Security Act of 1999''.

SEC. 2. COORDINATION OF FEDERAL INFORMATION POLICY.

    Chapter 35 of title 44, United States Code, is amended by inserting at the end the following:

``SUBCHAPTER II--INFORMATION SECURITY

``Sec. 3531. Purposes

    ``The purposes of this subchapter are to--
        ``(1) provide a comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support Federal operations and assets;
        ``(2)(A) recognize the highly networked nature of the Federal computing environment including the need for Federal Government interoperability and, in the implementation of improved security management measures, assure that opportunities for interoperability are not adversely affected; and
        ``(B) provide effective governmentwide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities;
        ``(3) provide for development and maintenance of minimum controls required to protect Federal information and information systems; and
        ``(4) provide a mechanism for improved oversight of Federal agency information security programs.

``Sec. 3532. Definitions

    ``(a) Except as provided under subsection (b), the definitions under section 3502 shall apply to this subchapter.
    ``(b) As used in this subchapter the term `information technology' has the meaning given that term in section 5002 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1401).

``Sec. 3533. Authority and functions of the Director

    ``(a)(1) Consistent with subchapter I, the Director shall establish governmentwide policies for the management of programs that support the cost-effective security of Federal information systems by promoting security as an integral component of each agency's business operations.
    ``(2) Policies under this subsection shall--
        ``(A) be founded on a continuing risk management cycle that recognizes the need to--
            ``(i) identify, assess, and understand risk; and
            ``(ii) determine security needs commensurate with the level of risk;
        ``(B) implement controls that adequately address the risk;
        ``(C) promote continuing awareness of information security risk;
        ``(D) continually monitor and evaluate policy; and
        ``(E) control effectiveness of information security practices.
    ``(b) The authority under subsection (a) includes the authority to--
        ``(1) oversee and develop policies, principles, standards, and guidelines for the handling of Federal information and information resources to improve the efficiency and effectiveness of governmental operations, including principles, policies, and guidelines for the implementation of agency responsibilities under applicable law for ensuring the privacy, confidentiality, and security of Federal information;
        ``(2) consistent with the standards and guidelines promulgated under section 5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441) and sections 5 and 6 of the Computer Security Act of 1987 (40 U.S.C. 759 note; Public Law 100-235; 101 Stat. 1729), require Federal agencies to identify and afford security protections commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information collected or maintained by or on behalf of an agency;
        ``(3) direct the heads of agencies to coordinate such agencies and coordinate with industry to--
            ``(A) identify, use, and share best security practices; and
            ``(B) develop voluntary consensus-based standards for security controls, in a manner consistent with section 2(b)(13) of the National Institute of Standards and Technology Act (15 U.S.C. 272(b)(13));
        ``(4) oversee the development and implementation of standards and guidelines relating to security controls for Federal computer systems by the Secretary of Commerce through the National Institute of Standards and Technology under section 5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441) and section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3);
        ``(5) oversee and coordinate compliance with this section in a manner consistent with--
            ``(A) sections 552 and 552a of title 5;
            ``(B) sections 20 and 21 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3 and 278g-4);
            ``(C) section 5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441);
            ``(D) sections 5 and 6 of the Computer Security Act of 1987 (40 U.S.C. 759 note; Public Law 100-235; 101 Stat. 1729); and
            ``(E) related information management laws; and
        ``(6) take any authorized action that the Director considers appropriate, including any action involving the budgetary process or appropriations management process, to enforce accountability of the head of an agency for information resources management and for the investments made by the agency in information technology, including--
            ``(A) recommending a reduction or an increase in any amount for information resources that the head of the agency proposes for the budget submitted to Congress under section 1105(a) of title 31;
            ``(B) reducing or otherwise adjusting apportionments and reapportionments of appropriations for information resources; and
            ``(C) using other authorized administrative controls over appropriations to restrict the availability of funds for information resources.
    ``(c) The authority under this section may be delegated only to the Deputy Director for Management of the Office of Management and Budget.

``Sec. 3534. Federal agency responsibilities

    ``(a) The head of each agency shall--
        ``(1) be responsible for--
            ``(A) adequately protecting the integrity, confidentiality, and availability of information and information systems supporting agency operations and assets; and
            ``(B) developing and implementing information security policies, procedures, and control techniques sufficient to afford security protections commensurate with the risk and magnitude of the harm resulting from unauthorized disclosure, disruption, modification, or destruction of information collected or maintained by or for the agency;
        ``(2) ensure that each senior program manager is responsible for--
            ``(A) assessing the information security risk associated with the operations and assets of such manager;
            ``(B) determining the levels of information security appropriate to protect the operations and assets of such manager; and
            ``(C) periodically testing and evaluating information security controls and techniques;
        ``(3) delegate to the agency Chief Information Officer established under section 3506, or a comparable official in an agency not covered by such section, the authority to administer all functions under this subchapter including--
            ``(A) designating a senior agency information security officer;
            ``(B) developing and maintaining an agencywide information security program as required under subsection (b);
            ``(C) ensuring that the agency effectively implements and maintains information security policies, procedures, and control techniques;
            ``(D) training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; and
            ``(E) assisting senior program managers concerning responsibilities under paragraph (2);
        ``(4) ensure that the agency has trained personnel sufficient to assist the agency in complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines; and
        ``(5) ensure that the agency Chief Information Officer, in coordination with senior program managers, periodically--
            ``(A)(i) evaluates the effectiveness of the agency information security program, including testing control techniques; and
            ``(ii) implements appropriate remedial actions based on that evaluation; and
            ``(B) reports to the agency head on--
                ``(i) the results of such tests and evaluations; and
                ``(ii) the progress of remedial actions.
    ``(b)(1) Each agency shall develop and implement an agencywide information security program to provide information security for the operations and assets of the agency, including information security provided or managed by another agency.
    ``(2) Each program under this subsection shall include--
        ``(A) periodic assessments of information security risks that consider internal and external threats to--
            ``(i) the integrity, confidentiality, and availability of systems; and
            ``(ii) data supporting critical operations and assets;
        ``(B) policies and procedures that--
            ``(i) are based on the risk assessments required under paragraph (1) that cost-effectively reduce information security risks to an acceptable level; and
            ``(ii) ensure compliance with--
                ``(I) the requirements of this subchapter;
                ``(II) policies and procedures as may be prescribed by the Director; and
                ``(III) any other applicable requirements;
        ``(C) security awareness training to inform personnel of--
            ``(i) information security risks associated with personnel activities; and
            ``(ii) responsibilities of personnel in complying with agency policies and procedures designed to reduce such risks;
        ``(D)(i) periodic management testing and evaluation of the effectiveness of information security policies and procedures; and
            ``(ii) a process for ensuring remedial action to address any deficiencies; and
        ``(E) procedures for detecting, reporting, and responding to security incidents, including--
            ``(i) mitigating risks associated with such incidents before substantial damage occurs;
            ``(ii) notifying and consulting with law enforcement officials and other offices and authorities; and
            ``(iii) notifying and consulting with an office designated by the Administrator of General Services within the General Services Administration.
    ``(3) Each program under this subsection is subject to the approval of the Director and is required to be reviewed at least annually by agency program officials in consultation with the Chief Information Officer.
    ``(c)(1) Each agency shall examine the adequacy and effectiveness of information security policies, procedures, and practices in plans and reports relating to--
        ``(A) annual agency budgets;
        ``(B) information resources management under the Paperwork Reduction Act of 1995 (44 U.S.C. 101 note);
        ``(C) program performance under sections 1105 and 1115 through 1119 of title 31, and sections 2801 through 2805 of title 39; and
        ``(D) financial management under--
            ``(i) chapter 9 of title 31, United States Code, and the Chief Financial Officers Act of 1990 (31 U.S.C. 501 note; Public Law 101-576) (and the amendments made by that Act);
            ``(ii) the Federal Financial Management Improvement Act of 1996 (31 U.S.C. 3512 note) (and the amendments made by that Act); and
            ``(iii) the internal controls conducted under section 3512 of title 31.
    ``(2) Any deficiency in a policy, procedure, or practice identified under paragraph (1) shall be reported as a material weakness in reporting required under the applicable provision of law under paragraph (1).

``Sec. 3535. Annual independent evaluation

    ``(a)(1) Each year each agency shall have an independent evaluation performed of the information security program and practices of that agency.
    ``(2) Each evaluation under this section shall include--
        ``(A) an assessment of compliance with--
            ``(i) the requirements of this subchapter; and
            ``(ii) related information security policies, procedures, standards, and guidelines; and
        ``(B) tests of the effectiveness of information security control techniques.
    ``(b)(1) For agencies with Inspectors General appointed under the Inspector General Act of 1978 (5 U.S.C. App.), annual evaluations required under this section shall be performed by the Inspector General or by an independent external auditor, as determined by the Inspector General of the agency.
    ``(2) For any agency to which paragraph (1) does not apply, the head of the agency shall contract with an independent external auditor to perform the evaluation.
    ``(3) An evaluation of agency information security programs and practices performed by the Comptroller General may be in lieu of the evaluation required under this section.
    ``(c) Not later than March 1, 2001, and every March 1 thereafter, the results of an evaluation required under this section shall be submitted to the Director.
    ``(d) Each year the Comptroller General shall--
        ``(1) review the evaluations required under this section and other information security evaluation results; and
        ``(2) report to Congress regarding the adequacy of agency information programs and practices.
    ``(e) Agencies and auditors shall take appropriate actions to ensure the protection of information, the disclosure of which may adversely affect information security. Such protections shall be commensurate with the risk and comply with all applicable laws.''.

SEC. 3. RESPONSIBILITIES OF CERTAIN AGENCIES.

    (a) Department of Commerce.--The Secretary of Commerce, through the National Institute of Standards and Technology and with technical assistance from the National Security Agency, shall--
        (1) develop, issue, review, and update standards and guidance for the security of information in Federal computer systems, including development of methods and techniques for security systems and validation programs;
        (2) develop, issue, review, and update guidelines for training in computer security awareness and accepted computer security practices, with assistance from the Office of Personnel Management;
        (3) provide agencies with guidance for security planning to assist in the development of applications and system security plans for such agencies;
        (4) provide guidance and assistance to agencies concerning cost-effective controls when interconnecting with other systems; and
        (5) evaluate information technologies to assess security vulnerabilities and alert Federal agencies of such vulnerabilities.
    (b) Department of Justice.--The Department of Justice shall review and update guidance to agencies on--
        (1) legal remedies regarding security incidents and ways to report to and work with law enforcement agencies concerning such incidents; and
        (2) permitted uses of security techniques and technologies.
    (c) General Services Administration.--The General Services Administration shall--
        (1) review and update General Services Administration guidance to agencies on addressing security considerations when acquiring information technology; and
        (2) assist agencies in the acquisition of cost-effective security products, services, and incident response capabilities.
    (d) Office of Personnel Management.--The Office of Personnel Management shall--
        (1) review and update Office of Personnel Management regulations concerning computer security training for Federal civilian employees; and
        (2) assist the Department of Commerce in updating and maintaining guidelines for training in computer security awareness and computer security best practices.

SEC. 4. TECHNICAL AND CONFORMING AMENDMENTS.

    (a) In General.--Chapter 35 of title 44, United States Code, is amended--
        (1) in the table of sections--
            (A) by inserting after the chapter heading the following:

``SUBCHAPTER I--FEDERAL INFORMATION POLICY'';

        and
            (B) by inserting after the item relating to section 3520 the following:

``SUBCHAPTER II--INFORMATION SECURITY

``Sec.
``3531. Purposes.
``3532. Definitions.
``3533. Authority and functions of the Director.
``3534. Federal agency responsibilities.
``3535. Annual independent evaluation.'';

        and
        (2) by inserting before section 3501 the following:

``SUBCHAPTER I--FEDERAL INFORMATION POLICY''.

    (b) References to Chapter 35.--Chapter 35 of title 44, United States Code, is amended--
        (1) in section 3501--
            (A) in the matter preceding paragraph (1), by striking ``chapter'' and inserting ``subchapter''; and
            (B) in paragraph (11), by striking ``chapter'' and inserting ``subchapter'';
        (2) in section 3502, in the matter preceding paragraph (1), by striking ``chapter'' and inserting ``subchapter'';
        (3) in section 3503, in subsection (b), by striking ``chapter'' and inserting ``subchapter'';
        (4) in section 3504--
            (A) in subsection (a)(2), by striking ``chapter'' and inserting ``subchapter'';
            (B) in subsection (d)(2), by striking ``chapter'' and inserting ``subchapter''; and
            (C) in subsection (f)(1), by striking ``chapter'' and inserting ``subchapter'';
        (5) in section 3505--
            (A) in subsection (a), in the matter preceding paragraph (1), by striking ``chapter'' and inserting ``subchapter'';
            (B) in subsection (a)(2), by striking ``chapter'' and inserting ``subchapter''; and
            (C) in subsection (a)(3)(B)(iii), by striking ``chapter'' and inserting ``subchapter'';
        (6) in section 3506--
            (A) in subsection (a)(1)(B), by striking ``chapter'' and inserting ``subchapter'';
            (B) in subsection (a)(2)(A), by striking ``chapter'' and inserting ``subchapter'';
            (C) in subsection (a)(2)(B), by striking ``chapter'' and inserting ``subchapter'';
            (D) in subsection (a)(3)--
                (i) in the first sentence, by striking ``chapter'' and inserting ``subchapter''; and
                (ii) in the second sentence, by striking ``chapter'' and inserting ``subchapter'';
            (E) in subsection (b)(4), by striking ``chapter'' and inserting ``subchapter'';
            (F) in subsection (c)(1), by striking ``chapter, to'' and inserting ``subchapter, to''; and
            (G) in subsection (c)(1)(A), by striking ``chapter'' and inserting ``subchapter'';
        (7) in section 3507--
            (A) in subsection (e)(3)(B), by striking ``chapter'' and inserting ``subchapter'';
            (B) in subsection (h)(2)(B), by striking ``chapter'' and inserting ``subchapter'';
            (C) in subsection (h)(3), by striking ``chapter'' and inserting ``subchapter'';
            (D) in subsection (j)(1)(A)(i), by striking ``chapter'' and inserting ``subchapter'';
            (E) in subsection (j)(1)(B), by striking ``chapter'' and inserting ``subchapter''; and
            (F) in subsection (j)(2), by striking ``chapter'' and inserting ``subchapter'';
        (8) in section 3509, by striking ``chapter'' and inserting ``subchapter'';
        (9) in section 3512--
            (A) in subsection (a), by striking ``chapter if'' and inserting ``subchapter if''; and
            (B) in subsection (a)(1), by striking ``chapter'' and inserting ``subchapter'';
        (10) in section 3514--
            (A) in subsection (a)(1)(A), by striking ``chapter'' and inserting ``subchapter''; and
            (B) in subsection (a)(2)(A)(ii), by striking ``chapter'' and inserting ``subchapter'' each place it appears;
        (11) in section 3515, by striking ``chapter'' and inserting ``subchapter'';
        (12) in section 3516, by striking ``chapter'' and inserting ``subchapter'';
        (13) in section 3517(b), by striking ``chapter'' and inserting ``subchapter'';
        (14) in section 3518--
            (A) in subsection (a), by striking ``chapter'' and inserting ``subchapter'' each place it appears;
            (B) in subsection (b), by striking ``chapter'' and inserting ``subchapter'';
            (C) in subsection (c)(1), by striking ``chapter'' and inserting ``subchapter'';
            (D) in subsection (c)(2), by striking ``chapter'' and inserting ``subchapter'';
            (E) in subsection (d), by striking ``chapter'' and inserting ``subchapter''; and
            (F) in subsection (e), by striking ``chapter'' and inserting ``subchapter''; and
        (15) in section 3520, by striking ``chapter'' and inserting ``subchapter''.

SEC. 5. EFFECTIVE DATE.

    This Act and the amendments made by this Act shall take effect 30 days after the date of enactment of this Act.