[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[S. 1990 Introduced in Senate (IS)]
114th CONGRESS
1st Session
S. 1990
To require Inspectors General and the Comptroller General of the United
States to submit reports on the use of logical access controls and
other security practices to safeguard classified and personally
identifiable information on Federal computer systems, and for other
purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
August 5, 2015
Mr. Hatch (for himself and Mr. Carper) introduced the following bill;
which was read twice and referred to the Committee on Homeland Security
and Governmental Affairs
_______________________________________________________________________
A BILL
To require Inspectors General and the Comptroller General of the United
States to submit reports on the use of logical access controls and
other security practices to safeguard classified and personally
identifiable information on Federal computer systems, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Federal Computer Security Act''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Agency.--The term ``agency'' has the meaning given the
term in section 3502 of title 44, United States Code.
(2) Covered agency.--The term ``covered agency'' means an
agency that operates a Federal computer system that provides
access to classified information or personally identifiable
information.
(3) Logical access control.--The term ``logical access
control'' means a process of granting or denying specific
requests to obtain and use information and related information
processing services.
(4) Multi-factor logical access controls.--The term
``multi-factor logical access controls'' means a set of not
less than 2 of the following logical access controls:
(A) Information that is known to the user, such as
a password or personal identification number.
(B) An access device that is provided to the user,
such as a cryptographic identification device or token.
(C) A unique biometric characteristic of the user.
SEC. 3. INSPECTOR GENERAL REPORT ON FEDERAL COMPUTER SYSTEMS.
(a) In General.--Not later than 240 days after the date of
enactment of this Act, the Inspector General of each covered agency
shall each submit to the Comptroller General of the United States and
the appropriate committees of jurisdiction in the Senate and the House
of Representatives a report, which shall include information collected
from the covered agency for the contents described in subsection (b)
regarding the Federal computer systems of the covered agency.
(b) Contents.--The report submitted by each Inspector General of a
covered agency under subsection (a) shall include, with respect to the
covered agency, the following:
(1) A description of the logical access standards used by
the covered agency to access a Federal computer system that
provides access to classified or personally identifiable
information, including--
(A) in aggregate, a list and description of logical
access controls used to access such a Federal computer
system; and
(B) whether the covered agency is using
multi-factor logical access controls to access such a
Federal computer system.
(2) If the covered agency does not use logical access
controls or multi-factor logical access controls to access a
Federal computer system that provides access to classified or
personally identifiable information, a description of the
reasons for not using such logical access controls or
multi-factor logical access controls.
(3) A description of the following data security management
practices used by the covered agency:
(A) The policies and procedures followed to conduct
inventories of the software present on the Federal
computer systems of the covered agency and the licenses
associated with such software.
(B) Whether the covered agency has entered into a
licensing agreement for the use of software security
controls to monitor and detect exfiltration and other
threats, including--
(i) data loss prevention software; or
(ii) digital rights management software.
(C) A description of how the covered agency is
using software described in subparagraph (B).
(D) If the covered agency has not entered into a
licensing agreement for the use of, or is otherwise not
using, software described in subparagraph (B), a
description of the reasons for not entering into such a
licensing agreement or using such software.
(4) A description of the policies and procedures of the
covered agency with respect to ensuring that entities,
including contractors, that provide services to the covered
agency are implementing the data security management practices
described in paragraph (3).
(c) Existing Review.--The report required under this section may be
based in whole or in part on an audit, evaluation, or report relating
to programs or practices of the covered agency, and may be submitted as
part of another report, including the report required under section
3555 of title 44, United States Code.
(d) Classified Information.--A report submitted under this section
shall be in unclassified form, but may include a classified annex.
(e) Availability to Members of Congress.--A report submitted under
this section shall be made available upon request by any Member of
Congress.
SEC. 4. GAO ECONOMIC ANALYSIS AND REPORT ON FEDERAL COMPUTER SYSTEMS.
(a) Report.--Not later than 1 year after the date of enactment of
this Act, the Comptroller General of the United States shall submit to
Congress a report examining, including an economic analysis of, any
impediments to agency use of effective security software and security
devices.
(b) Classified Information.--A report submitted under this section
shall be in unclassified form, but may include a classified annex.