[Senate Report 106-259]
[From the U.S. Government Publishing Office]



                                                       Calendar No. 489
106th Congress                                                   Report
                                 SENATE
 2d Session                                                     106-259
_______________________________________________________________________




                  GOVERNMENT INFORMATION SECURITY ACT


                                OF 1999

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                S. 1993

TO REFORM GOVERNMENT INFORMATION SECURITY BY STRENGTHENING INFORMATION 
          SECURITY PRACTICES THROUGHOUT THE FEDERAL GOVERNMENT




                 April 10, 2000.--Ordered to be printed

                               __________

                    U.S. GOVERNMENT PRINTING OFFICE
79-010                     WASHINGTON : 2000

                   COMMITTEE ON GOVERNMENTAL AFFAIRS

                   FRED THOMPSON, Tennessee, Chairman
WILLIAM V. ROTH, Jr., Delaware       JOSEPH I. LIEBERMAN, Connecticut
TED STEVENS, Alaska                  CARL LEVIN, Michigan
SUSAN M. COLLINS, Maine              DANIEL K. AKAKA, Hawaii
GEORGE VOINOVICH, Ohio               RICHARD J. DURBIN, Illinois
PETE V. DOMENICI, New Mexico         ROBERT G. TORRICELLI, New Jersey
THAD COCHRAN, Mississippi            MAX CLELAND, Georgia
ARLEN SPECTER, Pennsylvania          JOHN EDWARDS, North Carolina
JUDD GREGG, New Hampshire
             Hannah S. Sistare, Staff Director and Counsel
                     Ellen B. Brown, Senior Counsel
              Susan G. Marshall, Professional Staff Member
      Joyce A. Rechtschaffen, Minority Staff Director and Counsel
                Deborah Cohen Lehrich, Minority Counsel
                 Darla D. Cassell, Administrative Clerk

======================================================================



 
              GOVERNMENT INFORMATION SECURITY ACT OF 1999

                                _______
                                

                 April 10, 2000.--Ordered to be printed

                                _______
                                

Mr. Thompson, from the Committee on Governmental Affairs, submitted the 
                               following

                              R E P O R T

                         [To accompany S. 1993]

    The Committee on Governmental Affairs, to which was 
referred the bill (S. 1993) to reform Government information 
security by strengthening information security practices 
throughout the Federal Government, having considered the same, 
reports favorably thereon with an amendment in the nature of a 
substitute and recommends by voice vote that the bill as 
amended do pass.

                            C O N T E N T S

  I. Purpose and Summary
 II. Background and Need for Legislation
III. Legislative History
 IV. Section-by-Section Analysis
  V. Regulatory Impact Statement
 VI. CBO Cost Estimate
VII. Changes to Existing Law

                         I. Purpose and Summary

    The Government Information Security Act would provide a 
comprehensive framework for establishing and ensuring the 
effectiveness of controls over information resources that 
support Federal operations and assets. It is modeled on the 
``best practices'' of leading organizations in the area of 
information security. It does this by strengthening 
responsibilities and procedures and coordinating information policy to 
ensure better control and oversight of systems. It also recognizes the 
highly networked nature of the current Federal computing environment 
and provides for governmentwide management and oversight of the related 
information security risks including coordination of security efforts 
between civilian, national security and law enforcement communities.
    S. 1993 would amend the Paperwork Reduction Act by 
inserting a new Subchapter II.
    Agency Responsibilities: Agency heads would be responsible 
for developing and implementing security policies. This 
responsibility would be delegable to the agency's Chief 
Information Officer or comparable official. Each agency would 
be responsible for developing and implementing an agency-wide 
security program which must include risk assessment considering 
internal and external threats, risk-based policies, security 
awareness training for personnel, periodic reviews of the 
effectiveness of security policies including remedies to 
address deficiencies, and procedures for detecting, reporting 
and responding to security incidents. Further, each agency 
would be required to identify specific actions--including 
budget, staffing, and training resources--necessary to 
implement the security program and include this as part of its 
Government Performance and Results Act performance plan.
    Director of OMB Responsibilities: The agency plans must be 
affirmatively approved by the Director of OMB who also would be 
responsible for establishing government-wide policies for the 
management of programs that support the cost-effective security 
of Federal information systems by promoting security as an 
integral part of each agency's business operations. Other 
responsibilities of the Director would include overseeing and 
coordinating agency implementation of security policies, and 
coordinating with the National Institute for Standards and 
Technology on the development of standards and guidelines for 
security controls for Federal systems. Such standards would be 
voluntary and consensus-based and developed in consultation 
with industry. To enforce agency accountability, the Director 
would be authorized to take budgetary action with respect to an 
agency's information resources management allocations. The OMB 
Director may delegate these responsibilities only down to the 
Deputy Director for Management.
    Annual Audit: Based on the General Accounting Office's 
audit findings, S. 1993 adds a new requirement that each agency 
must annually undergo an independent evaluation of its 
information security program and practices to be conducted 
either by the agency's Inspector General, the General 
Accounting Office or an independent external auditor. GAO then 
will review these evaluations and report annually to Congress 
regarding the adequacy of agency information programs and 
practices.
    National Security Systems: S. 1993 would require that the 
same management framework be applied to all systems including 
national security systems. However, in order to ensure that 
national security concerns are adequately addressed and that 
the appropriate individuals have oversight over national 
security and other classified information, the substitute 
amendment would vest responsibility for approving the security 
plan for these systems in the Secretary of Defense and the 
Director of Central Intelligence, rather than the Director of 
OMB. Additionally, for these systems, the Secretary of Defense 
or the Director of Central Intelligence shall designate who 
conducts the evaluation of these systems with the IG conducting 
an audit of the evaluation. Finally, the bill also allows the 
defense and intelligence agencies to develop their own 
procedures for detecting, reporting and responding to security 
incidents.
    Specific Agency Responsibilities:
    The Department of Commerce would continue to be responsible 
for developing, issuing, reviewing and updating standards and 
guidance for the security of information in Federal computer 
systems.
    The Department of Justice would be responsible for 
reviewing and updating guidance to agencies on legal remedies 
regarding security incidents and coordination with law 
enforcement agencies concerning such incidents.
    The General Services Administration would be responsible 
for reviewing and updating guidance on addressing security 
considerations relating to the acquisition of information 
technology.
    The Office of Personnel Management would be responsible for 
reviewing and updating regulations concerning computer security 
training for Federal civilian employees and for providing, 
along with the National Science Foundation, for personnel and 
training initiatives such as a Federal Cyber Service.

                II. Background and Need for Legislation

    Recent news accounts have described attacks on a handful of 
popular commercial Internet web sites. Less publicized, though 
potentially more damaging, is the fact that government computer 
systems also are vulnerable to the kinds of attacks these 
businesses have been suffering. Like the rest of the nation, 
government is increasingly dependent upon computers to store 
important information and perform vital tasks. That dependence, 
however, has not been accompanied by an equivalent growth in 
the security of those computer systems, leaving the 
government susceptible to potentially devastating disruptions in 
critical services, potentially exposing our citizens' most personal 
information and opening our national security apparatus to attack from 
terrorists or enemy states.
    The Committee on Governmental Affairs has spent 
considerable time examining the security of the government's 
information technology systems. During the past several years, 
Committee hearings and Committee-requested reports from the 
General Accounting Office (GAO) have uncovered and publicly 
highlighted the security failures affecting our vulnerability 
to domestic and international cyberterrorism. On October 6, 
1999, in testimony before the Senate Judiciary Committee, GAO 
noted that significant information security weaknesses exist in 
22 Federal agencies it analyzed. In fact, GAO believes the 
problems in the government's information technology systems to 
be so severe that it has put governmentwide information 
security on its list of ``high-risk'' government programs.

                              GAO Reports

    As a result of its work, GAO identified many specific 
weaknesses in agency controls and concluded that an underlying 
cause was inadequate security program planning and management. 
In particular, agencies were addressing identified weaknesses 
on a piecemeal basis rather than proactively addressing 
systemic causes that diminished security effectiveness 
throughout the agency.
    Over the years, the following GAO reports provided the 
Committee with substantial evidence of Federal agency 
vulnerabilities in the area of information security and became 
the basis for S. 1993:
    Department of Energy Procedures Lacking to Protect 
Computerized Data (GAO/AIMD-95-118, June 1995): Allegations 
were made that the Idaho National Engineering Laboratory sold 
surplus computer equipment that contained sensitive data to an 
Idaho businessman. GAO concluded that some of the computers 
sold may have contained sensitive data, but did not determine 
how many. GAO added that, like all Federal agencies, the 
Department of Energy is required to establish computer security 
safeguards, yet it had not.
    Information Security: Computer Attacks at Department of 
Defense Pose Increasing Risks (GAO/AIMD-96-84, May 1996): 
Unknown and unauthorized individuals were increasingly 
attacking and gaining access to highly sensitive unclassified 
information at the DoD. These attacks ranged from being 
nuisances to being a serious threat to national security. 
According to GAO, DoD needed to make better use of technology 
and, more importantly, needed to develop better policies and 
employ better trained personnel.
    Information Security: Opportunities for Improved OMB 
Oversight of Agency Practices (GAO/AIMD-96-110, September 
1996): GAO provided OMB with a number of recommendations on how 
to better manage governmentwide information technology system 
security. The recommendations included directing the Office of 
Information and Regulatory Affairs, Office of Federal Financial 
Management and others to review Chief Financial Officer audits 
for any information security weaknesses, proactively monitoring 
agency information security effectiveness through reviews, and 
encouraging the development of improved information resources 
to better evaluate agency information security effectiveness.
    Resolving Serious Information Security Weaknesses (GAO/HR-97-1, 
February 1997): GAO identified information security as a 
governmentwide high-risk area because of growing evidence 
indicating that controls over computer operations were not 
effective. GAO recommended that agencies proactively manage 
risk and that strong, governmentwide leadership be provided on 
the issue by OMB in order to ensure that executives understand 
their risks, monitor agency performance, and resolve issues 
affecting multiple agencies.
    IRS Systems: Tax Processing Operations and Data Still at 
Risk Due to Serious Weaknesses (GAO/AIMD-97-76, April 1997): 
The GAO reported that ``weaknesses in IRS computer security 
controls continue to place IRS's automated systems and taxpayer 
data at serious risk to both internal and external attack.'' 
The report stated that more needs to be done at IRS to combat 
the unauthorized access or browsing of taxpayer records by 
agency employees. For example, the GAO found that IRS's ability 
to detect and monitor employee browsing of taxpayer data 
remains limited. In addition, unauthorized employees were given 
access to sensitive computer areas while employees whose jobs 
did not require it were given the ability to change, alter, or 
delete taxpayer data. Additionally, the GAO reported that the 
IRS could not account for a total of 397 missing computer tapes 
(some of which contained sensitive taxpayer data or privacy 
information) and found that tapes and disks containing taxpayer 
data were not erased prior to reuse (thus potentially allowing 
unauthorized access to sensitive data).
    Computer Security: Pervasive, Serious Weaknesses Jeopardize 
State Department Operations (GAO/AIMD-98-145, May 1998): 
To determine the extent to which the State Department's systems are 
vulnerable to unauthorized attack, the GAO directed and supervised 
penetration testing of State Department systems. GAO's reviews and 
testing revealed the susceptibility of the State Department's systems 
to unauthorized access and that unauthorized retrieval of sensitive 
information from such systems was possible. Specifically, testers were 
able to download, delete, and modify data, add new data, shut down 
servers, and monitor network traffic. Moreover, this activity went 
largely undetected, further underscoring the State Department's serious 
vulnerability to attack.
    Air Traffic Control: Weak Computer Security Practices 
Jeopardize Flight Safety (GAO/AIMD-98-155, May 1998): Malicious 
attacks on computer systems could cause nationwide disruption 
of air traffic or even the loss of life due to collisions. Such 
attacks are an increasing threat to the Federal Aviation 
Administration's (FAA) systems and, consequently, those who 
fly. Auditors at GAO found that, in all critical areas of 
review, FAA was ineffective in implementing sound computer 
security practices. In fact, FAA was found not only to be 
ineffectively managing current systems, but it did not provide 
accurate security specifications in new modernization efforts.
    Information Security: Many NASA Mission-Critical Systems 
Face Serious Risks (GAO/AIMD-99-47, May 1999): GAO conducted an 
evaluation of the National Aeronautics and Space 
Administration's (NASA) information technology security program 
to determine (1) whether NASA's mission critical systems are 
vulnerable to unauthorized access; (2) whether NASA is 
effectively managing its information systems security; and (3) 
what NASA is doing to address the risk of unauthorized access 
to mission critical systems. GAO determined that NASA's 
information security program did not include key elements of a 
comprehensive information technology security management 
program because it did not assess risks, effectively implement 
controls, provide training, monitor policy compliance, or 
provide incident response capabilities.
    Information Security: Serious Weaknesses Place Critical 
Federal Operations and Assets at Risk (GAO/AIMD-98-92, 
September 1998): GAO conducted a review of 24 of the largest 
Federal agencies and found serious weaknesses in the 
government's ability to adequately protect: (1) federal assets 
from fraud and misuse; (2) sensitive information from 
inappropriate disclosure; and (3) critical operations, 
including some affecting safety, from disruption. According to 
the report's conclusions, these weaknesses place critical 
government operations, such as national defense, tax 
collection, law enforcement and benefit distribution, at risk.
    Further, the Committee asked GAO to study organizations 
with superior information security programs to identify 
management practices that could benefit Federal agencies. This 
report detailed the ``best practices'' used by these 
organizations and became the basis for the management framework 
of S. 1993:
    Information Security Management: Learning from Leading 
Organizations (GAO/AIMD-98-68, May 1998): At the Committee's 
request, GAO studied the management practices of eight 
organizations known for their superior security programs and 
found that these organizations managed information security 
through continuous management activities which incorporated 
specific practices to support their information security 
principles. These practices included providing senior 
management support and involvement, defining procedures, 
integrating business and technical experts, holding business 
units responsible, documenting and maintaining results, 
identifying threats, ranking critical assets, estimating 
potential damage, identifying cost-effective mitigating 
controls, and documenting assessment findings.

                        III. Legislative History

    The oversight of Federal government information management 
is within the jurisdiction of the Committee on Governmental 
Affairs. Over the years, the Committee spent considerable time 
on this issue. During the 105th Congress, Committee hearings 
focused on information security and cyberterrorism. The 
Committee uncovered and identified failures of information 
security affecting our international security and revealing our 
vulnerability to domestic and international terrorism. These 
hearings highlighted our nation's vulnerability to computer 
attacks--from international and domestic terrorists to crime 
rings to everyday hackers--and led to the development of S. 
1993.

                                Hearings

    On May 18, 1998, the Committee held a hearing--``Weak 
Computer Security in the Government: Is the Public at Risk?''--
on how Federal agencies are providing computer security. The 
hearing provided many new insights into how the government has 
not kept pace with the advances in technology and its 
multiple applications. In fact, the hearing revealed that, not only has 
technology advanced, it has become less complex for users and its 
availability is not limited and instead is widely distributed around 
the world.
    Witnesses at this hearing addressed systemic problems which 
make government computer and communication systems vulnerable 
to both deliberate and inadvertent attacks. Dr. Peter Neumann, 
Principal Scientist, Computer Science Laboratory, SRI 
International, testified that our nation's underlying 
information infrastructure (for example, power generation, 
transmission and distribution, air traffic control, and 
telecommunications) remains at risk. Even though the risk is 
widely known, Dr. Neumann stated that until high-visibility 
disasters occur, few people are willing to admit that something 
drastic needs to be done. He testified that it may take a 
Chernobyl-scale event to raise awareness levels adequately. 
Also, seven members of L0pht, a ``hacker'' think tank, provided 
testimony to the Committee. L0pht said that, in a matter of 
thirty minutes, they could unlock the security systems within 
the Internet and make the entire system unusable for a couple 
of days.
    On June 24, 1998, the Committee held another hearing--
``Cyber Attack: Is the Nation at Risk?'' This hearing addressed 
threats and vulnerabilities to the U.S. national security due 
to weak computer security.
    The Director of Central Intelligence, Mr. George Tenet, 
testified that information warfare has the potential to deal a 
crippling blow to our national security if strong measures are 
not taken to counter it. Director Tenet noted that the U.S. is 
highly dependent on information systems and therefore is the 
most likely target for an information-based attack. He 
testified that potential threats range from national 
intelligence and military organizations to terrorists, 
criminals, industrial competitors, hackers, and disgruntled or 
disloyal insiders. Director Tenet stated that several 
countries, including Russia and China, have government-
sponsored information warfare programs with both offensive and 
defensive applications. These countries see information warfare 
as a way of leveling the playing field against a stronger 
military power, such as the U.S. The more difficult threat to 
assess is that from non-State actors, such as terrorists and 
criminals. Cyber attacks offer these groups greater security 
and operational flexibility. They can launch an assault from 
almost anywhere in the world without directly exposing 
themselves to physical harm.
    The Director of the National Security Agency (NSA), 
Lieutenant General Kenneth Minihan, USAF, testified on the 
findings from the DoD's exercise ``Eligible Receiver.'' This 
exercise demonstrated that our nation's information 
infrastructure is riddled with vulnerabilities and that severe 
deficiencies exist in our ability to respond to a coordinated 
attack on our national infrastructure and information systems. 
During the exercise, a team of hackers from NSA, using tools 
easily obtained from the Internet, proved that they could deny 
our military the ability to deploy forces and conduct 
operations.
    On September 23, 1998, the Committee held a hearing on 
computer security in Federal government agencies which examined 
whether private information held by the Federal government--
information relating to one's identification, finances and 
health--is susceptible to unauthorized access and manipulation 
by computer hackers. The hearing focused on the results of 
penetration testing performed under GAO's direction and 
supervision at two federal agencies--the Department of Veterans 
Affairs (VA) and the Social Security Administration (SSA).
    The Committee heard testimony from agents of the SSA Office 
of Inspector General who described a variety of computer crimes 
committed by SSA employees. The agents discussed in detail a 
series of prosecutions, known as ``Operation Pinch,'' in which 
14 SSA employees were convicted for their part in a widespread 
credit card fraud ring centered in New York. The agents 
determined that SSA employees sold identity information on 
20,000 people whose credit cards then were fraudulently 
activated by a West African crime ring, resulting in bank 
losses of at least $70 million. ``Operation Pinch'' 
demonstrated the danger of the ``inside threat'' to agencies 
that do not adequately monitor and limit access to computer 
information by their own employees.
    Witnesses from GAO described the results of penetration 
testing at the VA and SSA. GAO would have been able, during its 
VA testing, to alter, disclose or delete sensitive information, 
such as financial data and personal information on veterans' 
medical records and benefit payments. GAO's penetration went 
undetected because the VA did not have a monitoring system. 
GAO's penetration testing of the SSA exposed vulnerabilities in 
the SSA computer system to both external and internal 
intrusions. These types of weakness place at risk private 
information held by SSA, including Social Security numbers, 
earnings, and benefits.

                              Legislation

    S. 1993, the Government Information Security Act, was 
introduced on November 19, 1999, by Senator Thompson (for 
himself and Senator Lieberman). Senators Abraham, Voinovich, 
Akaka, Cleland, Collins, and Stevens became additional co-
sponsors.
    On March 2, 2000, the Committee held a legislative hearing 
on S. 1993. The Committee sought general comments on S. 1993 
and additional testimony on the security of Federal information 
systems including computer system vulnerabilities, how people 
exploit those weaknesses and what Federal agencies should be 
doing to strengthen the management of information systems. 
The following witnesses presented testimony on S. 1993: Mr. Kevin 
Mitnick, a self-described reformed hacker; Mr. Jack Brock, Director, 
Governmentwide and Defense Information Systems, General Accounting 
Office; Ms. Roberta Gross, Inspector General, National Aeronautics and 
Space Administration; Mr. James Adams, Chief Executive Officer, 
iDefense; and Mr. Ken Watson, Manager, Critical Infrastructure, Cisco 
Systems.
    Mr. Mitnick provided testimony which outlined four 
components of information security: physical security, network 
security, computer systems security, and personnel security. 
After detailing the first three elements, Mr. Mitnick 
highlighted the most complex element of information security--
personnel security--noting that weaknesses in personnel 
security negate the effort and cost of the other three types of 
security efforts. He said, ``The human side of computer 
security is easily exploited and constantly overlooked. 
Companies spend millions of dollars on firewalls, encryption, 
and secure access devices and it is money wasted because none 
of these measures address the link in the security chain, the 
people who use, administer, operate and account for computer 
systems that contain protected information.''
    Mr. Mitnick's testimony provided the Committee with 
examples of how all of the elements of information security can 
be compromised. He explained to the Committee how he 
successfully tricked the employees of a multi-national company 
into giving him pass codes to the company's security access 
devices. Mr. Mitnick characterized S. 1993 as a good first step 
toward the goal of increasing information security for 
government systems and recommended increased oversight, 
education and training.
    Mr. James Adams provided testimony supporting S. 1993. He 
said, ``By stepping up to the plate and tackling computer 
security with an innovative, bold approach the Thompson-
Lieberman bill significantly boosts the chances of reversing 
the current bureaucratic approach to a dynamic problem.'' His 
testimony focused on current threats and vulnerabilities within 
the nation's critical infrastructure and his belief that total 
cultural reform is needed. One of Mr. Adams's proposals for 
reform included the establishment of a Business Assurance 
Office to better manage governmentwide information security. 
This Office would draw on the skills of individuals such as 
Chief Information Officers, Chief Financial Officers, and Chief 
Security Officers, in order for policies to be devised which 
take into account the whole environment of a public sector 
organization.
    Mr. Watson's testimony focused on ``best practices'' and 
the management approach applied within Cisco Systems. For 
example, Mr. Watson highlighted the need for a continuous 
management approach which includes assessing information, 
determining the level of risk of exposure of that data, and 
applying the appropriate solutions. Mr. Watson emphasized that 
each Federal agency and department should execute its own 
programs based on tailored mission and risk analyses because no 
two departments will have the same requirements at the same 
time. And those requirements and solutions will change over 
time.
    During the hearing Senator Thompson said, ``Hopefully the 
recent breaches of security at the various dot.com companies is 
the wake up call needed to focus attention on the security of 
government computer systems. We know that federal agencies 
continue to use a band-aid approach to computer security rather 
than addressing the systemic problems which make government 
systems vulnerable to repeated computer attacks.'' Senator 
Lieberman said, ``The security of our digital information is 
something that affects every one of us on a daily basis and 
should be taken as seriously as the security of our property, 
of our neighborhoods, of our communities, of our Nation, and in 
the worst case, as seriously as the security of our lives * * * 
the intention of the bill is to raise up computer security as a 
priority consideration for Federal agencies and individual 
Federal employees who have responsibility.''

                            Committee Action

    The Committee considered a substitute amendment to S. 1993 
offered by Chairman Thompson, on behalf of himself and Senator 
Lieberman, at a business meeting on March 23, 2000. The 
Thompson/Lieberman substitute included changes made based on 
comments received from the witnesses at the hearing held on 
March 2, 2000, and working with the Office of Management and 
Budget, the agency Inspectors General, the Department of 
Defense and others in the intelligence community, and industry.
    The substitute amendment requires that the same management 
framework be applied to all systems including national security 
systems. However, in order to ensure that national security 
concerns were adequately addressed and that the appropriate 
individuals have oversight over national security information, 
the substitute amendment vests responsibility for approving the 
security plan for these systems in the Secretary of Defense and 
the Director of Central Intelligence, rather than the Director 
of OMB. Additionally, for these systems, the Secretary of 
Defense or the Director of Central Intelligence shall designate 
who conducts the evaluation of these systems, with the IG 
conducting an audit of the evaluation. Finally, the amendment 
also allows defense and intelligence agencies to develop their 
own procedures for detecting, reporting and responding to 
security incidents. And, it gives the Director of the Office of 
Management and Budget and agency heads the discretion to apply 
more stringent policies and procedures where appropriate for 
systems critical to the missions of Federal agencies.
    In addition, the amendment includes language which the 
Committee intends to lay the foundation for the education and 
training of a Federal Cyber Service. As envisioned under the 
President's National Plan for Information Systems Protection, 
the Committee intends that the program will, at a minimum, 
provide for a ROTC-like scholarships-for-service program to get 
educated information security professionals straight from their 
university training into government service.
    Finally, by unanimous consent, the Committee added language 
on behalf of Senator Akaka to require agencies to identify 
specific actions necessary to implement the security program 
and include this as part of the agency's Government Performance 
and Results Act performance plan. These actions include budget, 
staffing and training requirements and could include specific 
funding necessary to perform the independent evaluation.
    The Committee passed the Thompson/Lieberman substitute 
amendment by voice vote and voted to report it to the full 
Senate. Senators present were: Thompson, Collins, Stevens, 
Domenici, Cochran, Voinovich, Lieberman, Akaka, and Cleland.

                         IV. Section-by-Section


                         Section 1. Short Title

    This section states the short title of the bill.

         Section 2. Coordination of Federal Information Policy

    This section would add a new subchapter II to chapter 35 of 
title 44, United States Code, which currently contains the 
information resources management requirements of the Paperwork 
Reduction Act. The new subchapter II, entitled ``Information 
Security,'' would establish comprehensive and coordinated 
information security requirements for Federal agencies to be 
implemented under the guidance of the Office of Management and 
Budget (OMB), the Secretary of Defense and the Director of 
Central Intelligence. It also would coordinate information 
security provisions under the new subchapter II with other 
information resources management requirements in title 44 and 
other laws.
    The new subchapter II would add sections 3531 through 3535 
to title 44, as follows:

Section 3531. Purposes

    This section would establish as the purposes of subchapter 
II:
          (1) providing a comprehensive framework for managing 
        the security of information resources that support 
        Federal operations and assets;
          (2) assuring that implementation of improved security 
        management measures does not adversely affect 
        opportunities for interoperability in the Federal 
        computing environment, and providing effective 
        governmentwide management and oversight of information 
        security risks and coordination of information security 
        efforts;
          (3) establishing minimum controls to protect Federal 
        information and information systems; and
          (4) improving oversight of Federal agency information 
        security programs.

Section 3532. Definitions

    (a) This section would apply to subchapter II the 
definitions now contained in the Paperwork Reduction Act, 
except that--
    (b)(1) the term ``information technology'' would be defined 
by section 5002 of the Clinger-Cohen Act (40 U.S.C. 1401); and
    (2) the term ``mission critical system'' would be defined 
as (A) a national security system pursuant to section 5142 of 
the Clinger-Cohen Act; (B) a system that is protected as secret 
at all times by procedures established by an Executive Order or 
an Act of Congress in the interest of national defense or 
foreign policy; or (C) a system which processes information, 
the loss, misuse, disclosure, unauthorized access to or 
modification of which would have a debilitating impact on an 
agency's mission.

Section 3533. Authority and functions of the Director

    This section would prescribe the authority and functions of 
the Director of OMB with respect to information security.
    Subsection 3533(a) would require the Director to establish 
governmentwide policies for the management of programs that 
support the cost-effective security of government information 
systems by promoting security as an integral part of agency 
business operations, including information technology 
architectures. The policies would require a continuing cycle of 
risk management to include risk assessments, implementation of 
controls to address risks, promotion of continuing awareness of 
risks, and continual monitoring and evaluation of information 
security policies and practices.
    Subsection 3533(b) would include within the Director's 
authority under subsection (a)--
          (1) overseeing and developing policies to implement 
        agency responsibilities under applicable law to ensure 
        the privacy, confidentiality, and security of Federal 
        information;
          (2) requiring agencies to develop information 
        security protections that are commensurate with the 
        risk and magnitude of harm resulting from unauthorized 
        disclosure, disruption, modification, or destruction of 
        information and consistent with specified provisions of 
        law;
          (3) directing agency heads to (A) identify, use, and 
        share best security practices; (B) develop an agency-
        wide information security plan; (C) incorporate 
        information security principles and practices 
        throughout the agency's information systems' life 
        cycles; and (D) ensure that the agency's information 
        security plan is practiced throughout all agency 
        information systems' life cycles;
          (4) overseeing the development and implementation of 
        standards relating to Federal computer system security 
        controls by the Commerce Department's National 
        Institute of Standards and Technology (NIST);
          (5) overseeing and coordinating compliance with this 
        section in a manner consistent with the Freedom of 
        Information Act, the Privacy Act, and other information 
        management laws; and
          (6) taking any authorized action under 40 U.S.C. 
        section 1413(b)(5) which the Director considers 
        appropriate, including budget or appropriations-related 
        actions, to enforce the accountability of agency heads 
        for information resources management, including the 
        requirements of this subchapter and information 
        technology investments.
    Subsection 3533(c) would limit delegation of the Director's 
authority under this section to the Director of Central 
Intelligence and the Secretary of Defense for systems 
identified under (A) and (B) of section 3532(b)(2) and to the 
OMB Deputy Director for Management for all other systems.

Section 3534. Federal agency responsibilities

    Subsection (a)(1) of this section would assign agency heads 
responsibility for: (A) ensuring the integrity, 
confidentiality, authenticity, availability, and non-
repudiation of the information in their systems; (B) adopting 
information security policies, procedures, and control 
techniques commensurate with the risk and magnitude of harm 
resulting from unauthorized disclosure, disruption, 
modification, or destruction of information; and (C) ensuring 
that the agency's information security plan is practiced 
throughout each system's life cycle.
    Subsection (a)(2) would ensure that the appropriate senior 
agency officials are responsible for: (A) assessing information 
security risks associated with the operations and assets for 
programs and systems over which such officials have control; 
(B) determining appropriate levels of information security for 
the operations and assets; and (C) periodically testing and 
evaluating information security controls and techniques.
    Subsection (a)(3) would require agency heads to delegate 
administration of all functions under subchapter II to the 
agency's Chief Information Officer (CIO), or a comparable 
official if the agency does not have a CIO. These functions 
include (A) designating a senior agency information security 
official who would report back to the CIO or comparable 
official; (B) developing and maintaining an agencywide 
information security program; (C) ensuring that the agency 
effectively implements and maintains information security 
policies, procedures and control techniques; (D) training and 
overseeing personnel with information security 
responsibilities; and (E) assisting senior agency officials 
with their responsibilities under paragraph (2).
    Subsection (a)(4) would require agency heads to ensure that 
the agency has sufficiently trained personnel to assist in 
complying with subchapter II and related administrative 
requirements.
    Subsection (a)(5) would require agency heads to ensure that 
the CIO, in coordination with senior agency officials, 
periodically evaluates the effectiveness of the agency's 
information security program, including testing control 
techniques; implements appropriate remedial actions based on 
those evaluations; and reports to the agency head on the 
results of tests and evaluations and the progress of remedial 
actions.
    Subsection 3534(b) would require each agency to develop and 
implement an agencywide information security program. The 
program would include: (A) periodic risk assessments; (B) 
policies and procedures that cost-effectively reduce risks to 
an acceptable level and ensure compliance with subchapter II 
and related requirements; (C) security awareness training; (D) 
periodic management testing and evaluation of the effectiveness 
of security policies and procedures and a process for remedying 
significant deficiencies; and (E) procedures for detecting, 
reporting, and responding to security incidents for all systems 
including a separate process for systems identified under (A) 
and (B) of section 3532(b)(2). Each information security 
program would be subject to the approval of the OMB Director, 
or the Secretary of Defense or Director, Central Intelligence 
(in the case of systems identified under (A) and (B) of section 
3532(b)(2)) and would be reviewed at least annually by agency 
program officials in consultation with the CIO.
    Subsection 3534(c) would require agencies to examine the 
adequacy and effectiveness of information security policies, 
procedures, and practices in their plans and reports relating 
to their annual budget, information resources management under 
the Paperwork Reduction Act, the Clinger-Cohen Act, the 
Government Performance and Results Act, and financial 
management laws. Any significant deficiency would be reported 
as a material weakness under the applicable reporting 
requirement.

Section 3535. Annual independent evaluation

    This section would require each agency to obtain annually 
an independent evaluation of its information security program 
and practices. The evaluation would include an assessment of 
compliance with subchapter II and related requirements as well 
as tests of the effectiveness of information security control 
techniques. The evaluator conducting the evaluation may use the 
results of other audits or evaluations relating to agency 
programs or practices.
    The annual evaluation would be performed by the agency 
Inspector General or by an independent evaluator determined by 
the Inspector General. An agency that does not have an 
Inspector General would contract with an independent evaluator 
for the annual evaluation. A General Accounting Office (GAO) 
evaluation may be used in lieu of the evaluation under this 
section.
    In the case of systems described in paragraphs (A) and (B) 
of section 3532(b)(2), the evaluation required under this 
section shall be performed only by an entity designated by the 
Secretary of Defense or the Director of Central Intelligence, 
as appropriate, and an audit of the evaluation shall be 
performed by the Inspector General.
    The results of the annual evaluation or audit (in the case 
of systems identified under (A) or (B) of section 3532(b)(2)) 
would be submitted to OMB within one year of enactment of this 
Act and on that date every year thereafter.
    The GAO would annually review the evaluations required 
under this section or an audit of the evaluation in the case of 
systems described in paragraphs (A) and (B) of section 
3532(b)(2) and other information security evaluation results, 
and report to Congress on the adequacy of agency information 
programs and practices.
    Consistent with applicable law and commensurate with risk, 
agencies and evaluators would protect information from 
disclosure if such disclosure would adversely affect 
information security.

             Section 3. Responsibilities of Certain Agencies

    This section would assign responsibilities to specified 
Federal agencies as follows:

Department of Commerce

    Subsection (a) provides that the National Institute of 
Standards and Technology, with requested or required technical 
assistance from the National Security Agency shall (except as 
provided in subsection (b))--
          (1) establish standards and guidance for the security 
        of information in Federal computer systems, including 
        methods and techniques for security systems and 
        validation programs;
          (2) establish guidelines for training in computer 
        security awareness and practices, with assistance from 
        the Office of Personnel Management (OPM);
          (3) provide guidance to agencies on security 
        planning;
          (4) provide guidance and assistance to agencies on 
        cost-effective controls when interconnecting with other 
        systems; and
          (5) evaluate information technologies to assess and 
        alert agencies to security vulnerabilities as soon as 
        possible.

Department of Defense and the Intelligence Community

    Subsection (b) provides that the Secretary of Defense and 
the Director of Central Intelligence shall (notwithstanding 
section 2 of this Act), consistent with their respective 
authorities--
          (1) develop and issue information security policies, 
        standards and guidelines for systems described in 
        paragraphs (A) and (B) of subsection 3532(b)(2) that 
        provide more stringent protection than policies, 
        principles, standards, and guidelines required under 
        section 2 of this Act, as amended; and
          (2) ensure the implementation of information security 
        policies, principles, standards, and guidelines as 
        prescribed by subsection (1).

Department of Justice

    Subsection (c) would require the Justice Department to 
review and update guidance to agencies on: (1) legal remedies 
regarding security incidents and ways to work with law 
enforcement agencies concerning such incidents; and (2) lawful 
uses of security techniques and technologies.

General Services Administration

    Subsection (d) would require the General Services 
Administration to assist agencies in fulfilling their 
responsibilities under section 3534(b)(2)(E) and in acquiring 
cost-effective security products, services, and incident 
response capabilities.

Office of Personnel Management

    Subsection (e) would require the Office of Personnel 
Management to: (1) review and update its regulations on 
computer security training and (2) assist the Commerce 
Department in updating and maintaining guidelines for training 
in computer security awareness and best practices and (3) work 
with the National Science Foundation in providing agencies with 
the appropriate personnel and training initiatives, including 
scholarships and fellowships to ensure that the Federal 
government has adequate sources of information security 
training and education and qualified personnel.
    Subsection (f) would require that, notwithstanding any 
provision in this Act, the Secretary of Defense and the 
Director of Central Intelligence shall develop policies, 
principles, procedures and guidelines for mission critical 
systems subject to their control, and these policies may be 
adopted by the Director of OMB, or by an agency head, as 
appropriate, to the mission critical systems of all agencies or 
of that agency if consistent with other OMB and Commerce 
Department guidance. Further, agencies may use the more 
stringent policies, principles, procedures and guidelines for 
any information system if consistent with other OMB and 
Commerce Department guidance.

             Section 4. Technical and Conforming Amendments

    This section would make technical and conforming changes to 
chapter 35 of title 44, United States Code.

                       Section 5. Effective Date

    This section would provide for the bill to become effective 
30 days after the date of its enactment into law.

                     V. Regulatory Impact Statement

    Paragraph 11(b)(1) of the Standing Rules of the Senate 
requires that each report accompanying a bill evaluate ``the 
regulatory impact which would be incurred in carrying out this 
bill.''
    The enactment of this legislation will not have significant 
regulatory impact. S. 1993 contains no intergovernmental or 
private-sector mandates as defined in the Unfunded Mandates 
Reform Act and would have no impact on state, local or tribal 
governments.

                         VI. CBO Cost Estimate

                                     U.S. Congress,
                               Congressional Budget Office,
                                    Washington, DC, March 29, 2000.
Hon. Fred Thompson,
Chairman, Committee on Governmental Affairs,
U.S. Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 1993, the Government 
Information Security Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is John R. 
Righter.
            Sincerely,
                                          Barry B. Anderson
                                    (For Dan L. Crippen, Director).
    Enclosure.

S. 1993--Government Information Security Act

    S. 1993 would require federal agencies to perform certain 
tasks to improve the security of their computer systems. 
Subject to the availability of appropriated funds, CBO 
estimates that implementing S. 1993 would cost federal agencies 
between $10 million and $15 million annually to audit their 
security programs and practices. While this work should both 
increase the cost-effectiveness of federal security systems and 
reduce the likelihood of costly service disruptions, CBO has no 
basis for estimating the amount of potential savings from such 
improvements.
    The bill would not affect direct spending or receipts, so 
pay-as-you-go procedures would not apply. S. 1993 contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act and would not affect the budgets 
of state, local, or tribal governments.
    S. 1993 would require federal agencies to develop a risk-
based program for ensuring the security of their information 
systems, including designating a senior official to oversee the 
program, periodically assessing and testing their systems, and 
providing training to personnel. In addition, the bill would 
require that either an inspector general or independent 
evaluator annually audit an agency's security programs and 
practices. S. 1993 also would specify the responsibilities of 
particular agencies in securing the government's information 
systems, including the National Institute of Standards and 
Technology, the Department of Justice, and the General Services 
Administration. Finally, the bill would require the Office of 
Management and Budget (OMB) to establish policies for 
implementing its provisions.
    Most of S. 1993 would codify and centralize current 
practice, including directions provided in the Government 
Security Act, OMB Circular No. A-130 (Management of Federal 
Information Resources), and Presidential Decision Directive 63, 
concerning the protection of critical infrastructure. While 
some agencies already evaluate portions of their information 
systems through the financial audits required by the Chief 
Financial Officers (CFO) Act and the security reviews required 
by OMB Circular No. A-130, the bill would call for agencies to 
audit their systems more extensively and regularly.
    Based on information from the General Accounting Office, 
which has reviewed the security practices of federal agencies, 
and OMB, CBO estimates that requiring the annual audits would 
increase agency costs by between $10 million and $15 million 
annually, subject to the availability of appropriated funds. 
That estimate assumes that the 25 largest federal departments 
and agencies (those with appointed CFOs) would regularly test 
the general and management controls of critical, nonfinancial 
operations. We estimate that the evaluation of between 55 and 
75 computer systems operated by these agencies would cost 
around $150,000 each, or a total of around $10 million 
annually. Although much uncertainty exists as to the number and 
complexity of computer operations that smaller agencies would 
need to evaluate, as well as the extent that such evaluations 
already take place, CBO expects that applying the audit 
requirement to them would increase the provision's cost by as 
much as 50 percent.
    In addition, the audits should both improve the cost-
effectiveness of federal security systems and decrease the 
likelihood of costly service disruptions. CBO, however, cannot 
estimate the amount of potential savings from such 
improvements.
    The CBO staff contact is John R. Righter. This estimate was 
approved by Peter H. Fontaine, Deputy Assistant Director for 
Budget Analysis.

                      VII. Changes to Existing Law

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, changes in existing law made by 
the bill, as reported, are shown as follows, (existing law 
proposed to be omitted is enclosed in black brackets, new 
material is printed in italic, existing law in which no change 
is proposed is shown in roman).

                           UNITED STATES CODE

                TITLE 44--PUBLIC PRINTING AND DOCUMENTS

           *       *       *       *       *       *       *


         CHAPTER 35--COORDINATION OF FEDERAL INFORMATION POLICY


                 Subchapter I--Federal Information Policy

Sec.
3501. Purposes.
3502. Definitions.
3503. Office of Information and Regulatory Affairs.
3504. Authority and functions of Director.
3505. Assignment of tasks and deadlines.
3506. Federal agency responsibilities.
3507. Public information collection activities; submission to Director; 
          approval and delegation.
3508. Determination of necessity for information; hearing.
3509. Designation of central collection agency.
3510. Cooperation of agencies in making information available.
3511. Establishment and operation of Government Information Locator 
          Service.
3512. Public protection.
3513. Director review of agency activities; reporting; agency response.
3514. Responsiveness to Congress.
3515. Administrative powers.
3516. Rules and regulations.
3517. Consultation with other agencies and the public.
3518. Effect on existing laws and regulations.
3519. Access to information.
3520. Authorization of appropriations.

                   Subchapter II--Information Security

3531. Purposes.
3532. Definitions.
3533. Authority and functions of the Director.
3534. Federal agency responsibilities.
3535. Annual independent evaluation.

                 Subchapter I--Federal Information Policy


Sec. 3501. Purposes

    The purposes of this [chapter] subchapter are to--

           *       *       *       *       *       *       *

          (11) improve the responsibility and accountability of 
        the Office of Management and Budget and all other 
        Federal agencies to Congress and to the public for 
        implementing the information collection review process, 
        information resources management, and related policies 
        and guidelines established under this [chapter] 
        subchapter.

Sec. 3502. Definitions

    As used in this [chapter] subchapter--

           *       *       *       *       *       *       *


Sec. 3503. Office of Information and Regulatory Affairs

           *       *       *       *       *       *       *


    (b) There shall be at the head of the Office an 
Administrator who shall be appointed by the President, by and 
with the advice and consent of the Senate. The Director shall 
delegate to the Administrator the authority to administer all 
functions under this [chapter] subchapter, except that any such 
delegation shall not relieve the Director of responsibility for 
the administration of such functions. The Administrator shall 
serve as principal adviser to the Director on Federal 
information resources management policy.

Sec. 3504. Authority and functions of Director

    (a)(1) The Director shall oversee the use of information 
resources to improve the efficiency and effectiveness of 
governmental operations to serve agency missions, including 
burden reduction and service delivery to the public. In 
performing such oversight, the Director shall--
          (A) develop, coordinate and oversee the 
        implementation of Federal information resources 
        management policies, principles, standards, and 
        guidelines; and
          (B) provide direction and oversee--
                  (i) the review and approval of the collection 
                of information and the reduction of the 
                information collection burden;
                  (ii) agency dissemination of and public 
                access to information;
                  (iii) statistical activities;
                  (iv) records management activities;
                  (v) privacy, confidentiality, security, 
                disclosure, and sharing of information; and
                  (vi) the acquisition and use of information 
                technology.
    (2) The authority of the Director under this [chapter] 
subchapter shall be exercised consistent with applicable law.

           *       *       *       *       *       *       *

    (d) With respect to information dissemination, the Director 
shall develop and oversee the implementation of policies, 
principles, standards, and guidelines to--
          (1) apply to Federal agency dissemination of public 
        information, regardless of the form or format in which 
        such information is disseminated; and
          (2) promote public access to public information and 
        fulfill the purposes of this [chapter] subchapter, 
        including through the effective use of information 
        technology.

           *       *       *       *       *       *       *

    (f) With respect to records management, the Director 
shall--
          (1) provide advice and assistance to the Archivist of 
        the United States and the Administrator of General 
        Services to promote coordination in the administration 
        of chapters 29, 31, and 33 of this title with the 
        information resources management policies, principles, 
        standards, and guidelines established under this 
        [chapter] subchapter;

           *       *       *       *       *       *       *


Sec. 3505. Assignment of tasks and deadlines

    (a) In carrying out the functions under this [chapter] 
subchapter, the Director shall--
          (1) in consultation with agency heads, set an annual 
        Governmentwide goal for the reduction of information 
        collection burdens by at least 10 percent during each 
        of fiscal years 1996 and 1997 and 5 percent during each 
        of fiscal years 1998, 1999, 2000, and 2001, and set 
        annual agency goals to--
                  (A) reduce information collection burdens 
                imposed on the public that--
                          (i) represent the maximum practicable 
                        opportunity in each agency; and
                          (ii) are consistent with improving 
                        agency management of the process for 
                        the review of collections of 
                        information established under section 
                        3506(c); and
                  (B) improve information resources management 
                in ways that increase the productivity, 
                efficiency and effectiveness of Federal 
                programs, including service delivery to the 
                public;
          (2) with selected agencies and non-Federal entities 
        on a voluntary basis, conduct pilot projects to test 
        alternative policies, practices, regulations, and 
        procedures to fulfill the purposes of this [chapter] 
        subchapter, particularly with regard to minimizing the 
        Federal information collection burden; and

           *       *       *       *       *       *       *


Sec. 3506. Federal agency responsibilities

    (a)(1) The head of each agency shall be responsible for--
          (A) carrying out the agency's information resources 
        management activities to improve agency productivity, 
        efficiency, and effectiveness; and
          (B) complying with the requirements of this [chapter] 
        subchapter and related policies established by the 
        Director.
    (2)(A) Except as provided under subparagraph (B), the head 
of each agency shall designate a senior official who shall 
report directly to such agency head to carry out the 
responsibilities of the agency under this [chapter] subchapter.
    (B) The Secretary of the Department of Defense and the 
Secretary of each military department may each designate senior 
officials who shall report directly to such Secretary to carry 
out the responsibilities of the department under this [chapter] 
subchapter. If more than one official is designated, the 
respective duties of the officials shall be clearly delineated.
    (3) The senior official designated under paragraph (2) 
shall head an office responsible for ensuring agency compliance 
with and prompt, efficient, and effective implementation of the 
information policies and information resources management 
responsibilities established under this [chapter] subchapter, 
including the reduction of information collection burdens on 
the public. The senior official and employees of such office 
shall be selected with special attention to the professional 
qualifications required to administer the functions described 
under this [chapter] subchapter.

           *       *       *       *       *       *       *

          (4) in consultation with the Director, the 
        Administrator of General Services, and the Archivist of 
        the United States, maintain a current and complete 
        inventory of the agency's information resources, 
        including directories necessary to fulfill the 
        requirements of section 3511 of this [chapter] 
        subchapter; and
          (5) in consultation with the Director and the 
        Director of the Office of Personnel Management, conduct 
        formal training programs to educate agency program and 
        management officials about information resources 
        management.
    (c) With respect to the collection of information and the 
control of paperwork, each agency shall--
          (1) establish a process within the office headed by 
        the official designated under subsection (a), that is 
        sufficiently independent of program responsibility to 
        evaluate fairly whether proposed collections of 
        information should be approved under this [chapter] 
        subchapter, to--
          (A) review each collection of information before 
        submission to the Director for review under this 
        [chapter] subchapter, including--

           *       *       *       *       *       *       *


Sec. 3507. Public information collection activities; submission to 
                    Director; approval and delegation

           *       *       *       *       *       *       *


    (e)(1) Any decision by the Director under subsection (c), 
(d), (h), or (j) to disapprove a collection of information, or 
to instruct the agency to make substantive or material change 
to a collection of information, shall be publicly available and 
include an explanation of the reasons for such decision.
    (2) Any written communication between the Administrator of 
the Office of Information and Regulatory Affairs, or any 
employee of the Office of Information and Regulatory Affairs, 
and an agency or person not employed by the Federal Government 
concerning a proposed collection of information shall be made 
available to the public.
    (3) This subsection shall not require the disclosure of--
          (A) any information which is protected at all times 
        by procedures established for information which has 
        been specifically authorized under criteria established 
        by an Executive order or an Act of Congress to be kept 
        secret in the interest of national defense or foreign 
        policy; or
          (B) any communication relating to a collection of 
        information which is not approved under this [chapter] 
        subchapter, the disclosure of which could lead to 
        retaliation or discrimination against the communicator.

           *       *       *       *       *       *       *

    (h)(1) If an agency decides to seek extension of the 
Director's approval granted for a currently approved collection 
of information, the agency shall--
          (A) conduct the review established under section 
        3506(c), including the seeking of comment from the 
        public on the continued need for, and burden imposed by 
        the collection of information; and
          (B) after having made a reasonable effort to seek 
        public comment, but no later than 60 days before the 
        expiration date of the control number assigned by the 
        Director for the currently approved collection of 
        information, submit the collection of information for 
        review and approval under this section, which shall 
        include an explanation of how the agency has used the 
        information that it has collected.
    (2) If under the provisions of this section, the Director 
disapproves a collection of information contained in an 
existing rule, or recommends or instructs the agency to make a 
substantive or material change to a collection of information 
contained in an existing rule, the Director shall--
          (A) publish an explanation thereof in the Federal 
        Register; and
          (B) instruct the agency to undertake a rulemaking 
        within a reasonable time limited to consideration of 
        changes to the collection of information contained in 
        the rule and thereafter to submit the collection of 
        information for approval or disapproval under this 
        [chapter] subchapter.
    (3) An agency may not make a substantive or material 
modification of a collection of information after such 
collection has been approved by the Director, unless the 
modification has been submitted to the Director for review and 
approval under this [chapter] subchapter.

           *       *       *       *       *       *       *

    (j)(1) The agency head may request the Director to 
authorize a collection of information, if an agency head 
determines that--
          (A) a collection of information--
                  (i) is needed prior to the expiration of time 
                periods established under this [chapter] 
                subchapter; and
                  (ii) is essential to the mission of the 
                agency; and
          (B) the agency cannot reasonably comply with the 
        provisions of this [chapter] subchapter because--
                  (i) public harm is reasonably likely to 
                result if normal clearance procedures are 
                followed;
                  (ii) an unanticipated event has occurred; or
                  (iii) the use of normal clearance procedures 
                is reasonably likely to prevent or disrupt the 
                collection of information or is reasonably 
                likely to cause a statutory or court ordered 
                deadline to be missed.
    (2) The Director shall approve or disapprove any such 
authorization request within the time requested by the agency 
head and, if approved, shall assign the collection of 
information a control number. Any collection of information 
conducted under this subsection may be conducted without 
compliance with the provisions of this [chapter] subchapter for 
a maximum of 90 days after the date on which the Director 
received the request to authorize such collection.

           *       *       *       *       *       *       *


Sec. 3509. Designation of central collection agency

    The Director may designate a central collection agency to 
obtain information for two or more agencies if the Director 
determines that the needs of such agencies for information will 
be adequately served by a single collection agency, and such 
sharing of data is not inconsistent with applicable law. In 
such cases the Director shall prescribe (with reference to the 
collection of information) the duties and functions of the 
collection agency so designated and of the agencies for which 
it is to act as agent (including reimbursement for costs). 
While the designation is in effect, an agency covered by the 
designation may not obtain for itself information for the 
agency which is the duty of the collection agency to obtain. 
The Director may modify the designation from time to time as 
circumstances require. The authority to designate under this 
section is subject to the provisions of section 3507(f) of this 
[chapter] subchapter.

           *       *       *       *       *       *       *


Sec. 3512. Public protection

    (a) Notwithstanding any other provision of law, no person 
shall be subject to any penalty for failing to comply with a 
collection of information that is subject to this [chapter] 
subchapter if--
          (1) the collection of information does not display a 
        valid control number assigned by the Director in 
        accordance with this [chapter] subchapter;

           *       *       *       *       *       *       *


Sec. 3514. Responsiveness to Congress

    (a)(1) The Director shall--
          (A) keep the Congress and congressional committees 
        fully and currently informed of the major activities 
        under this [chapter] subchapter; and
          (B) submit a report on such activities to the 
        President of the Senate and the Speaker of the House of 
        Representatives annually and at such other times as the 
        Director determines necessary.
    (2) The Director shall include in any such report a 
description of the extent to which agencies have--
          (A) reduced information collection burdens on the 
        public, including--
                  (i) a summary of accomplishments and planned 
                initiatives to reduce collection of information 
                burdens;
                  (ii) a list of all violations of this 
                [chapter] subchapter and of any rules, 
                guidelines, policies, and procedures issued 
                pursuant to this [chapter] subchapter;

           *       *       *       *       *       *       *


Sec. 3515. Administrative powers

    Upon the request of the Director, each agency (other than 
an independent regulatory agency) shall, to the extent 
practicable, make its services, personnel, and facilities 
available to the Director for the performance of functions 
under this [chapter] subchapter.

Sec. 3516. Rules and regulations

    The Director shall promulgate rules, regulations, or 
procedures necessary to exercise the authority provided by this 
[chapter] subchapter.

Sec. 3517. Consultation with other agencies and the public

    (a) In developing information resources management 
policies, plans, rules, regulations, procedures, and guidelines 
and in reviewing collections of information, the Director shall 
provide interested agencies and persons early and meaningful 
opportunity to comment.
    (b) Any person may request the Director to review any 
collection of information conducted by or for an agency to 
determine, if, under this [chapter] subchapter, a person shall 
maintain, provide, or disclose the information to or for the 
agency. Unless the request is frivolous, the Director shall, in 
coordination with the agency responsible for the collection of 
information--
          (1) respond to the request within 60 days after 
        receiving the request, unless such period is extended 
        by the Director to a specified date and the person 
        making the request is given notice of such extension; 
        and
          (2) take appropriate remedial action, if necessary.

Sec. 3518. Effect on existing laws and regulations

    (a) Except as otherwise provided in this [chapter] 
subchapter, the authority of an agency under any other law to 
prescribe policies, rules, regulations, and procedures for 
Federal information resources management activities is subject 
to the authority of the Director under this [chapter] 
subchapter. 
    (b) Nothing in this [chapter] subchapter shall be deemed to 
affect or reduce the authority of the Secretary of Commerce or 
the Director of the Office of Management and Budget pursuant to 
Reorganization Plan No. 1 of 1977 (as amended) and Executive 
order, relating to telecommunications and information policy, 
procurement and management of telecommunications and 
information systems, spectrum use, and related matters.
    (c)(1) Except as provided in paragraph (2), this [chapter] 
subchapter shall not apply to the collection of information--
          (A) during the conduct of a Federal criminal 
        investigation or prosecution, or during the disposition 
        of a particular criminal matter;
          (B) during the conduct of--
                  (i) a civil action to which the United States 
                or any official or agency thereof is a party; 
                or
                  (ii) an administrative action or 
                investigation involving an agency against 
                specific individuals or entities;
          (C) by compulsory process pursuant to the Antitrust 
        Civil Process Act and section 13 of the Federal Trade 
        Commission Improvements Act of 1980; or
          (D) during the conduct of intelligence activities as 
        defined in section 3.4(e) of Executive Order No. 12333, 
        issued December 4, 1981, or successor orders, or during 
        the conduct of cryptologic activities that are 
        communications security activities.
    (2) This [chapter] subchapter applies to the collection of 
information during the conduct of general investigations (other 
than information collected in an antitrust investigation to the 
extent provided in subparagraph (C) of paragraph (1)) 
undertaken with reference to a category of individuals or 
entities such as a class of licensees or an entire industry.
    (d) Nothing in this [chapter] subchapter shall be 
interpreted as increasing or decreasing the authority conferred 
by Public Law 89-306 on the Administrator of the General 
Services Administration, the Secretary of Commerce, or the 
Director of the Office of Management and Budget.
    (e) Nothing in this [chapter] subchapter shall be 
interpreted as increasing or decreasing the authority of the 
President, the Office of Management and Budget or the Director 
thereof, under the laws of the United States, with respect to 
the substantive policies and programs of departments, agencies 
and offices, including the substantive authority of any Federal 
agency to enforce the civil rights laws.

           *       *       *       *       *       *       *


Sec. 3520. Authorization of appropriations

    There are authorized to be appropriated to the Office of 
Information and Regulatory Affairs to carry out the provisions 
of this [chapter] subchapter, and for no other purpose, 
$8,000,000 for each of the fiscal years 1996, 1997, 1998, 1999, 
2000, and 2001.

                  Subchapter II--Information Security

Sec. 3531. Purposes

    The purposes of this subchapter are to--
          (1) provide a comprehensive framework for 
        establishing and ensuring the effectiveness of controls 
        over information resources that support Federal 
        operations and assets;
          (2)(A) recognize the highly networked nature of the 
        Federal computing environment including the need for 
        Federal Government interoperability and, in the 
        implementation of improved security management 
        measures, assure that opportunities for 
        interoperability are not adversely affected; and
          (B) provide effective governmentwide management and 
        oversight of the related information security risks, 
        including coordination of information security efforts 
        throughout the civilian, national security, and law 
        enforcement communities;
          (3) provide for development and maintenance of 
        minimum controls required to protect Federal 
        information and information systems; and
          (4) provide a mechanism for improved oversight of 
        Federal agency information security programs.

Sec. 3532. Definitions

    (a) Except as provided under subsection (b), the 
definitions under section 3502 shall apply to this subchapter.
    (b) As used in this subchapter the term--
          (1) ``information technology'' has the meaning given 
        that term in section 5002 of the Clinger-Cohen Act of 
        1996 (40 U.S.C. 1401); and
          (2) ``mission critical system'' means any 
        telecommunications or information system used or 
        operated by an agency or by a contractor of an agency, 
        or other organization on behalf of an agency, that--
                  (A) is defined as a national security system 
                under section 5142 of the Clinger-Cohen Act of 
                1996 (40 U.S.C. 1452);
                  (B) is protected at all times by procedures 
                established for information which has been 
                specifically authorized under criteria 
                established by an Executive order or an Act of 
                Congress to be kept secret in the interest of 
                national defense or foreign policy; or
                  (C) processes any information, the loss, 
                misuse, disclosure, or unauthorized access to 
                or modification of, would have a debilitating 
                impact on the mission of an agency.

Sec. 3533. Authority and functions of the Director

    (a)(1) The Director shall establish governmentwide policies 
for the management of programs that--
          (A) support the cost-effective security of Federal 
        information systems by promoting security as an 
        integral component of each agency's business 
        operations; and
          (B) include information technology architectures as 
        defined under section 5125 of the Clinger-Cohen Act of 
        1996 (40 U.S.C. 1425).
    (2) Policies under this subsection shall--
          (A) be founded on a continuing risk management cycle 
        that recognizes the need to--
                  (i) identify, assess, and understand risk; 
                and
                  (ii) determine security needs commensurate 
                with the level of risk;
          (B) implement controls that adequately address the 
        risk;
          (C) promote continuing awareness of information 
        security risk; and
          (D) continually monitor and evaluate policy and 
        control effectiveness of information security 
        practices.
    (b) The authority under subsection (a) includes the 
authority to--
          (1) oversee and develop policies, principles, 
        standards, and guidelines for the handling of Federal 
        information and information resources to improve the 
        efficiency and effectiveness of governmental 
        operations, including principles, policies, and 
        guidelines for the implementation of agency 
        responsibilities under applicable law for ensuring the 
        privacy, confidentiality, and security of Federal 
        information;
          (2) consistent with the standards and guidelines 
        promulgated under section 5131 of the Clinger-Cohen Act 
        of 1996 (40 U.S.C. 1441) and sections 5 and 6 of the 
        Computer Security Act of 1987 (40 U.S.C. 1441 note; 
        Public Law 100-235; 101 Stat. 1729), require Federal 
        agencies to identify and afford security protections 
        commensurate with the risk and magnitude of the harm 
        resulting from the loss, misuse, or unauthorized access 
        to or modification of information collected or 
        maintained by or on behalf of an agency;
          (3) direct the heads of agencies to--
                  (A) identify, use, and share best security 
                practices;
                  (B) develop an agency-wide information 
                security plan;
                  (C) incorporate information security 
                principles and practices throughout the life 
                cycles of the agency's information systems; and
                  (D) ensure that the agency's information 
                security plan is practiced throughout all life 
                cycles of the agency's information systems;
          (4) oversee the development and implementation of 
        standards and guidelines relating to security controls 
        for Federal computer systems by the Secretary of 
        Commerce through the National Institute of Standards 
        and Technology under section 5131 of the Clinger-Cohen 
        Act of 1996 (40 U.S.C. 1441) and section 20 of the 
        National Institute of Standards and Technology Act (15 
        U.S.C. 278g-3);
          (5) oversee and coordinate compliance with this 
        section in a manner consistent with--
                  (A) sections 552 and 552a of title 5;
                  (B) sections 20 and 21 of the National 
                Institute of Standards and Technology Act (15 
                U.S.C. 278g-3 and 278g-4);
                  (C) section 5131 of the Clinger-Cohen Act of 
                1996 (40 U.S.C. 1441);
                  (D) sections 5 and 6 of the Computer Security 
                Act of 1987 (40 U.S.C. 1441 note; Public Law 
                100-235; 101 Stat. 1729); and
                  (E) related information management laws; and
          (6) take any authorized action under section 
        5113(b)(5) of the Clinger-Cohen Act of 1996 (40 U.S.C. 
        1413(b)(5)) that the Director considers appropriate, 
        including any action involving the budgetary process or 
        appropriations management process, to enforce 
        accountability of the head of an agency for information 
        resources management, including the requirements of 
        this subchapter, and for the investments made by the 
        agency in information technology, including--
                  (A) recommending a reduction or an increase 
                in any amount for information resources that 
                the head of the agency proposes for the budget 
                submitted to Congress under section 1105(a) of 
                title 31;
                  (B) reducing or otherwise adjusting 
                apportionments and reapportionments of 
                appropriations for information resources; and
                  (C) using other authorized administrative 
                controls over appropriations to restrict the 
                availability of funds for information 
                resources.
    (c) The authorities of the Director under this section may 
be delegated--
          (1) to the Secretary of Defense and the Director of 
        Central Intelligence in the case of systems described 
        under subparagraphs (A) and (B) of section 3532(b)(2); 
        and
          (2) in the case of all other Federal information 
        systems, only to the Deputy Director for Management of 
        the Office of Management and Budget.

Sec. 3534. Federal agency responsibilities

    (a) The head of each agency shall--
          (1) be responsible for--
                  (A) adequately ensuring the integrity, 
                confidentiality, authenticity, availability, 
                and nonrepudiation of information and 
                information systems supporting agency 
                operations and assets;
                  (B) developing and implementing information 
                security policies, procedures, and control 
                techniques sufficient to afford security 
                protections commensurate with the risk and 
                magnitude of the harm resulting from 
                unauthorized disclosure, disruption, 
                modification, or destruction of information 
                collected or maintained by or for the agency; 
                and
                  (C) ensuring that the agency's information 
                security plan is practiced throughout the life 
                cycle of each agency system;
          (2) ensure that appropriate senior agency officials 
        are responsible for--
                  (A) assessing the information security risks 
                associated with the operations and assets for 
                programs and systems over which such officials 
                have control;
                  (B) determining the levels of information 
                security appropriate to protect such operations 
                and assets; and
                  (C) periodically testing and evaluating 
                information security controls and techniques;
          (3) delegate to the agency Chief Information Officer 
        established under section 3506, or a comparable 
        official in an agency not covered by such section, the 
        authority to administer all functions under this 
        subchapter including--
                  (A) designating a senior agency information 
                security official who shall report to the Chief 
                Information Officer or a comparable official;
                  (B) developing and maintaining an agencywide 
                information security program as required under 
                subsection (b);
                  (C) ensuring that the agency effectively 
                implements and maintains information security 
                policies, procedures, and control techniques;
                  (D) training and overseeing personnel with 
                significant responsibilities for information 
                security with respect to such responsibilities; 
                and
                  (E) assisting senior agency officials 
                concerning responsibilities under paragraph 
                (2);
          (4) ensure that the agency has trained personnel 
        sufficient to assist the agency in complying with the 
        requirements of this subchapter and related policies, 
        procedures, standards, and guidelines; and
          (5) ensure that the agency Chief Information Officer, 
        in coordination with senior agency officials, 
        periodically--
                  (A)(i) evaluates the effectiveness of the 
                agency information security program, including 
                testing control techniques; and
                  (ii) implements appropriate remedial actions 
                based on that evaluation; and
                  (B) reports to the agency head on--
                          (i) the results of such tests and 
                        evaluations; and
                          (ii) the progress of remedial 
                        actions.
    (b)(1) Each agency shall develop and implement an 
agencywide information security program to provide information 
security for the operations and assets of the agency, including 
operations and assets provided or managed by another agency.
    (2) Each program under this subsection shall include--
          (A) periodic risk assessments that consider internal 
        and external threats to--
                  (i) the integrity, confidentiality, and 
                availability of systems; and
                  (ii) data supporting critical operations and 
                assets;
          (B) policies and procedures that--
                  (i) are based on the risk assessments 
                required under subparagraph (A) that cost-
                effectively reduce information security risks 
                to an acceptable level; and
                  (ii) ensure compliance with--
                          (I) the requirements of this 
                        subchapter;
                          (II) policies and procedures as may 
                        be prescribed by the Director; and
                          (III) any other applicable 
                        requirements;
          (C) security awareness training to inform personnel 
        of--
                  (i) information security risks associated 
                with the activities of personnel; and
                  (ii) responsibilities of personnel in 
                complying with agency policies and procedures 
                designed to reduce such risks;
          (D)(i) periodic management testing and evaluation of 
        the effectiveness of information security policies and 
        procedures; and
          (ii) a process for ensuring remedial action to 
        address any significant deficiencies; and
          (E) procedures for detecting, reporting, and 
        responding to security incidents, including--
                  (i) mitigating risks associated with such 
                incidents before substantial damage occurs;
                  (ii) notifying and consulting with law 
                enforcement officials and other offices and 
                authorities;
                  (iii) notifying and consulting with an office 
                designated by the Administrator of General 
                Services within the General Services 
                Administration; and
                  (iv) notifying and consulting with an office 
                designated by the Secretary of Defense and the 
                Director of Central Intelligence for incidents 
                involving systems described under subparagraphs 
                (A) and (B) of section 3532(b)(2).
    (3) Each program under this subsection is subject to the 
approval of the Director and is required to be reviewed at 
least annually by agency program officials in consultation with 
the Chief Information Officer. In the case of systems described 
under subparagraphs (A) and (B) of section 3532(b)(2), the 
Director shall delegate approval authority under this paragraph 
to the Secretary of Defense and the Director of Central 
Intelligence.
    (c)(1) Each agency shall examine the adequacy and 
effectiveness of information security policies, procedures, and 
practices in plans and reports relating to--
          (A) annual agency budgets;
          (B) information resources management under the 
        Paperwork Reduction Act of 1995 (44 U.S.C. 101 note);
          (C) performance and results based management under 
        the Clinger-Cohen Act of 1996 (40 U.S.C. 1401 et seq.);
          (D) program performance under sections 1105 and 1115 
        through 1119 of title 31, and sections 2801 through 
        2805 of title 39; and
          (E) financial management under--
                  (i) chapter 9 of title 31, United States 
                Code, and the Chief Financial Officers Act of 
                1990 (31 U.S.C. 501 note; Public Law 101-576) 
                (and the amendments made by that Act);
                  (ii) the Federal Financial Management 
                Improvement Act of 1996 (31 U.S.C. 3512 note) 
                (and the amendments made by that Act); and
                  (iii) the internal controls conducted under 
                section 3512 of title 31.
    (2) Any significant deficiency in a policy, procedure, or 
practice identified under paragraph (1) shall be reported as a 
material weakness in reporting required under the applicable 
provision of law under paragraph (1).
    (d)(1) In addition to the requirements of subsection (c), 
each agency, in consultation with the Chief Information 
Officer, shall include as part of the performance plan required 
under section 1115 of title 31 a description of--
          (A) the time periods; and
          (B) the resources, including budget, staffing, and 
        training,
which are necessary to implement the program required under 
subsection (b)(1).
    (2) The description under paragraph (1) shall be based on 
the risk assessment required under subsection (b)(2)(A).

Sec. 3535. Annual independent evaluation

    (a)(1) Each year each agency shall have performed an 
independent evaluation of the information security program and 
practices of that agency.
    (2) Each evaluation under this section shall include--
          (A) an assessment of compliance with--
                  (i) the requirements of this subchapter; and
                  (ii) related information security policies, 
                procedures, standards, and guidelines; and
          (B) tests of the effectiveness of information 
        security control techniques.
    (3) The Inspector General or the independent evaluator 
performing an evaluation under this section, including the 
Comptroller General, may use any audit, evaluation, or report 
relating to programs or practices of the applicable agency.
    (b)(1)(A) Subject to subparagraph (B), for agencies with 
Inspectors General appointed under the Inspector General Act of 
1978 (5 U.S.C. App.) or any other law, the annual evaluation 
required under this section or, in the case of systems 
described under subparagraphs (A) and (B) of section 
3532(b)(2), an audit of the annual evaluation required under 
this section, shall be performed by the Inspector General or by 
an independent evaluator, as determined by the Inspector 
General of the agency.
    (B) For systems described under subparagraphs (A) and (B) 
of section 3532(b)(2), the evaluation required under this 
section shall be performed only by an entity designated by the 
Secretary of Defense or the Director of Central Intelligence, as 
appropriate.
    (2) For any agency to which paragraph (1) does not apply, 
the head of the agency shall contract with an independent 
evaluator to perform the evaluation.
    (3) An evaluation of agency information security programs 
and practices performed by the Comptroller General may be in 
lieu of the evaluation required under this section.
    (c) Not later than 1 year after the date of enactment of 
this subchapter, and on that date every year thereafter, the 
applicable agency head shall submit to the Director--
          (1) the results of each evaluation required under 
        this section, other than an evaluation of a system 
        described under subparagraph (A) or (B) of section 
        3532(b)(2); and
          (2) the results of each audit of an evaluation 
        required under this section of a system described under 
        subparagraph (A) or (B) of section 3532(b)(2).
    (d) Each year the Comptroller General shall--
          (1) review the evaluations required under this 
        section and other information security evaluation 
        results; and
          (2) report to Congress regarding the adequacy of 
        agency information programs and practices.
    (e) Agencies and evaluators shall take appropriate actions 
to ensure the protection of information, the disclosure of 
which may adversely affect information security. Such 
protections shall be commensurate with the risk and comply with 
all applicable laws.