[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3635 Referred in Senate (RFS)]
113th CONGRESS
2d Session
H. R. 3635
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
July 29, 2014
Received; read twice and referred to the Committee on Homeland Security
and Governmental Affairs
_______________________________________________________________________
AN ACT
To ensure the functionality and security of new Federal websites that
collect personally identifiable information, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Safe and Secure Federal Websites Act
of 2014''.
SEC. 2. ENSURING FUNCTIONALITY AND SECURITY OF NEW FEDERAL WEBSITES
THAT COLLECT PERSONALLY IDENTIFIABLE INFORMATION.
(a) Certification Requirement.--
(1) In general.--Except as otherwise provided under this
subsection, an agency may not deploy or make available to the
public a new Federal PII website until the date on which the
chief information officer of the agency submits a certification
to Congress that the website is fully functional and secure.
(2) Transition.--In the case of a new Federal PII website
that is operational on the date of the enactment of this Act,
paragraph (1) shall not apply until the end of the 90-day
period beginning on such date of enactment. If the
certification required under paragraph (1) for such website has
not been submitted to Congress before the end of such period,
the head of the responsible agency shall render the website
inaccessible to the public until such certification is
submitted to Congress.
(3) Exception for beta website with explicit permission.--
Paragraph (1) shall not apply to a website (or portion thereof)
that is in a development or testing phase, if the following
conditions are met:
(A) A member of the public may access PII-related
portions of the website only after executing an
agreement that acknowledges the risks involved.
(B) No agency compelled, enjoined, or otherwise
provided incentives for such a member to access the
website for such purposes.
(4) Construction.--Nothing in this section shall be
construed as applying to a website that is operated entirely by
an entity (such as a State or locality) that is independent of
the Federal Government, regardless of the receipt of funding in
support of such website from the Federal Government.
(b) Definitions.--In this section:
(1) Agency.--The term ``agency'' has the meaning given that
term under section 551 of title 5, United States Code.
(2) Fully functional.--The term ``fully functional'' means,
with respect to a new Federal PII website, that the website can
fully support the activities for which it is designed or
intended with regard to the eliciting, collection, storage, or
maintenance of personally identifiable information, including
handling a volume of queries relating to such information
commensurate with the purpose for which the website is
designed.
(3) New federal personally identifiable information website
(new federal pii website).--The terms ``new Federal personally
identifiable information website'' and ``new Federal PII
website'' mean a website that--
(A) is operated by (or under a contract with) an
agency;
(B) elicits, collects, stores, or maintains
personally identifiable information of individuals and
is accessible to the public; and
(C) is first made accessible to the public and
collects or stores personally identifiable information
of individuals, on or after October 1, 2012.
(4) Operational.--The term ``operational'' means, with
respect to a website, that such website elicits, collects,
stores, or maintains personally identifiable information of
members of the public and is accessible to the public.
(5) Personally identifiable information (pii).--The terms
``personally identifiable information'' and ``PII'' mean any
information about an individual elicited, collected, stored, or
maintained by an agency, including--
(A) any information that can be used to distinguish
or trace the identity of an individual, such as a name,
a social security number, a date and place of birth, a
mother's maiden name, or biometric records; and
(B) any other information that is linked or
linkable to an individual, such as medical,
educational, financial, and employment information.
(6) Responsible agency.--The term ``responsible agency''
means, with respect to a new Federal PII website, the agency
that is responsible for the operation (whether directly or
through contracts with other entities) of the website.
(7) Secure.--The term ``secure'' means, with respect to a
new Federal PII website, that the following requirements are
met:
(A) The website is in compliance with subchapter
III of chapter 35 of title 44, United States Code.
(B) The website ensures that personally
identifiable information elicited, collected, stored,
or maintained in connection with the website is
captured at the latest possible step in a user input
sequence.
(C) The responsible agency for the website has
taken reasonable efforts to minimize domain name
confusion, including through additional domain
registrations.
(D) The responsible agency requires all personnel
who have access to personally identifiable information
in connection with the website to have completed a
Standard Form 85P and signed a non-disclosure agreement
with respect to personally identifiable information,
and the agency takes proper precautions to ensure only
trustworthy persons may access such information.
(E) The responsible agency maintains (either
directly or through contract) sufficient personnel to
respond in a timely manner to issues relating to the
proper functioning and security of the website, and to
monitor on an ongoing basis existing and emerging
security threats to the website.
(8) State.--The term ``State'' means each State of the
United States, the District of Columbia, each territory or
possession of the United States, and each federally recognized
Indian tribe.
SEC. 3. PRIVACY BREACH REQUIREMENTS.
(a) Information Security Amendment.--Subchapter III of chapter 35
of title 44, United States Code, is amended by adding at the end the
following:
``Sec. 3550. Privacy breach requirements
``(a) Policies and Procedures.--The Director of the Office of
Management and Budget shall establish and oversee policies and
procedures for agencies to follow in the event of a breach of
information security involving the disclosure of personally
identifiable information, including requirements for--
``(1) not later than 72 hours after the agency discovers
such a breach, or discovers evidence that reasonably indicates
such a breach has occurred, notice to the individuals whose
personally identifiable information could be compromised as a
result of such breach;
``(2) timely reporting to a Federal cybersecurity center,
as designated by the Director of the Office of Management and
Budget; and
``(3) any additional actions that the Director finds
necessary and appropriate, including data breach analysis,
fraud resolution services, identity theft insurance, and credit
protection or monitoring services.
``(b) Required Agency Action.--The head of each agency shall ensure
that actions taken in response to a breach of information security
involving the disclosure of personally identifiable information under
the authority or control of the agency comply with policies and
procedures established by the Director of the Office of Management and
Budget under subsection (a).
``(c) Report.--Not later than March 1 of each year, the Director of
the Office of Management and Budget shall report to Congress on agency
compliance with the policies and procedures established under
subsection (a).
``(d) Federal Cybersecurity Center Defined.--The term `Federal
cybersecurity center' means any of the following:
``(1) The Department of Defense Cyber Crime Center.
``(2) The Intelligence Community Incident Response Center.
``(3) The United States Cyber Command Joint Operations
Center.
``(4) The National Cyber Investigative Joint Task Force.
``(5) Central Security Service Threat Operations Center of
the National Security Agency.
``(6) The United States Computer Emergency Readiness Team.
``(7) Any successor to a center, team, or task force
described in paragraphs (1) through (6).
``(8) Any center that the Director of the Office of
Management and Budget determines is appropriate to carry out
the requirements of this section.''.
(b) Technical and Conforming Amendment.--The table of sections for
subchapter III of chapter 35 of title 44, United States Code, is
amended by adding at the end the following:
``3550. Privacy breach requirements.''.
Passed the House of Representatives July 28, 2014.
Attest:
KAREN L. HAAS,
Clerk.