H.R.4370 — 113th Congress (2013-2014)


Shown Here:
Introduced in House (04/02/2014)


113th CONGRESS
2d Session
H. R. 4370


To improve the information security of the Department of Veterans Affairs by directing the Secretary of Veterans Affairs to carry out certain actions to improve the transparency and the governance of the information security program of the Department, and for other purposes.


IN THE HOUSE OF REPRESENTATIVES

April 2, 2014

Mrs. Walorski (for herself, Mr. Coffman, Mr. Wenstrup, and Mr. Nugent) introduced the following bill; which was referred to the Committee on Veterans' Affairs


A BILL

To improve the information security of the Department of Veterans Affairs by directing the Secretary of Veterans Affairs to carry out certain actions to improve the transparency and the governance of the information security program of the Department, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title; table of contents.

(a) Short title.—This Act may be cited as the “Veterans Information Security Improvement Act”.

(b) Table of contents.—The table of contents for this Act is as follows:


Sec. 1. Short title; table of contents.

Sec. 2. Governance of information security program of Department of Veterans Affairs.

Sec. 3. Security of critical network infrastructure, including domain controller, of Department of Veterans Affairs.

Sec. 4. Security of computers and servers of Department of Veterans Affairs.

Sec. 5. Upgrade or phase-out of unsupported or outdated operating systems.

Sec. 6. Security of web applications from vital vulnerabilities.

Sec. 7. Security of the Vista system.

Sec. 8. Report on compliance with information security requirements and best practices.

Sec. 9. Reports on implementation.

Sec. 10. Application.

Sec. 11. Definitions.

SEC. 2. Governance of information security program of Department of Veterans Affairs.

(a) Requirements for certain officials and staff.—

(1) IN GENERAL.—Subchapter III of chapter 57 of title 38, United States Code, is amended by inserting after section 5723 the following new section:

§ 5723A. Governance of information security program

“(a) In general.—The Secretary shall carry out this section to improve the transparency and the coordination of the information security program of the Department.

“(b) Office of Information and Technology.— (1) The Secretary shall ensure that the Assistant Secretary for Information and Technology, as the Chief Information Officer of the Department, possesses—

“(A) the appropriate education and at least 10 concurrent years of validated experience and capabilities in the management of information technology organizations;

“(B) an industry recognized certification in information security and cyber security defense; and

“(C) demonstrated, sound technical capabilities.

“(2) The Secretary shall ensure that the staff of the Office of Information and Technology who perform security functions, including the assessment and analysis of risk, security auditing, security operations, and security engineering, are assigned to the Office of Information Security.

“(3) The Secretary shall ensure that subordinate offices of the Office of Information and Technology, in coordination with the head of the Office of Information Security, maintain appropriate information security functions within each such office to—

“(A) incorporate secure software assurance processes into the software development lifecycle for all software development activities;

“(B) validate that each third-party developed software used in any information system of the Department meets the standards of the National Institute of Standards and Technology with respect to security, safety, reliability, functionality and extensibility;

“(C) maintain established information security baseline controls for such information systems, and immediately remediate systems determined to be out of compliance with established baseline controls to the maximum extent possible;

“(D) ensure that the security architecture of the Department is documented and fully integrated into the overall enterprise architecture strategy of the Department; and

“(E) develop and implement a policy that restricts the development of new data warehouses and data marts holding sensitive personal information of veterans and reduces the number of data marts holding such information.

“(c) Office of Information Security.— (1) The Secretary shall ensure that the head of the Office of Information Security possesses—

“(A) the appropriate education and at least 10 concurrent years of experience with respect to validated information security; and

“(B) an industry recognized certification in cyber security defense;

“(C) demonstrated, sound technical capabilities; and

“(D) other relevant experience.

“(2) The Secretary shall ensure that all of the field staff of the Office of Information Security, including relevant staff of the Office of Information Technology, whose primary responsibility is the protection of personally identifiable information of veterans maintain current information security training and possess a certain level of information security, cyber security defense, and technical capabilities and certifications as appropriate.”.

(2) CLERICAL AMENDMENT.—The table of sections at the beginning of such chapter is amended by inserting after the item relating to section 5723 the following new item:


“5723A. Governance of information security program.”.

(b) Definitions.—Section 5721 of title 38, United States Code, is amended by adding at the end the following new paragraphs:

“(24) DATA MART.—The term ‘data mart’ means a subset of a data warehouse that contains information for a specific department or entity of an organization rather than the entire organization.

“(25) DATA WAREHOUSE.—The term ‘data warehouse’ means a collection of data designed to support management decision making that contains a wide variety of data that present a coherent picture of business conditions for an entire organization at a single point in time and whose development includes the development of systems to extract data from operating systems plus installation of a warehouse database system that provides managers flexible access to the data.”.

SEC. 3. Security of critical network infrastructure, including domain controller, of Department of Veterans Affairs.

(a) In general.—Not later than 90 days after the date of the enactment of this Act, the Secretary of Veterans Affairs shall ensure the security and safeguard of the network infrastructure of the Department of Veterans Affairs.

(b) Actions required.—In carrying out subsection (a), the Secretary shall carry out the following actions:

(1) Maintain the awareness and complete physical and logical control of the critical network infrastructure, including routers, switches, domain naming systems, firewalls, load balancers, proxy devices, authentication services, telecommunications, domain controllers, and any device that is part of the trusted Internet connection system.

(2) If the Secretary determines that any critical network infrastructure device or service has been compromised, restore the device or service to the last known noncompromised state and determine the cause of the compromise.

(3) If the Secretary determines that compromised devices or services must be used for a limited time, conduct such use in accordance with the guidance established by the National Security Agency under the document titled “Information Assurance Guidance for Operating on a Compromised Network”, or successor document.

(4) Provide special security configurations for protecting critical infrastructure devices and services.

(5) Implement policies and security measures that minimize the threats to critical infrastructure devices and services.

(6) Ensure that critical infrastructure devices and services, including the domain controller settings, are in compliance with the Server Security Plan of the Department under the Department of Veterans Affairs Handbook 6500.

(7) Establish access rights, permissions, and multifactor authentication for the critical infrastructure devices and services, including the domain controller, for specific users or groups of users.

(8) Ensure that proper physical security measures are taken to safeguard the critical infrastructure devices and services and limit physical access to such location to a limited number of authorized individuals.

(9) Limit the access from network connections to critical infrastructure devices and services and only configure services and software that are needed by the devices and services.

(10) Disable or delete any service or software from critical infrastructure devices and services that is unnecessary.

(11) Where feasible, secure critical infrastructure devices and services with host-based and networked-based security controls and limit the number of ports that are opened between critical infrastructure devices and services, including any device requesting access to network resources and services.

(12) Conduct regular audits and testing of the backups and restore events of the critical infrastructure devices and services.

(13) Ensure that for any device to access and communicate with critical infrastructure devices and services within the domain, the authentication traffic has to be signed and encrypted.

(14) Limit the administrator account from accessing critical infrastructure devices and services, including domain controllers, throughout the network and use such account only for emergencies.

(15) Restrict remote access to local administrator accounts and use firewall rules to restrict lateral movement on the network.

(16) Conduct regular formal penetration testing to test for potential security weaknesses and resolve such weaknesses by not later than seven days after identifying such weaknesses.

(c) Certification.—Not later than 30 days after the date of the enactment of this Act, the Secretary shall submit to the congressional veterans committees written certification that the Secretary has commenced each action described in subsection (b).

SEC. 4. Security of computers and servers of Department of Veterans Affairs.

(a) In general.—The Secretary shall ensure the security of each general purpose computer and server of the Department.

(b) Actions required.—In carrying out subsection (a), the Secretary shall carry out the following actions:

(1) Formalize and enforce a Department-wide process to monitor software installed on general purpose computers and servers of the Department, prevent the unauthorized installation of software, and remove any unauthorized software that has been installed.

(2) Not later than 45 days after the date of the enactment of this Act, implement automated patching tools and processes that ensure that security patches are installed for any software or operating system on a computer by not later than 48 hours after the patch is made available.

(3) Employ automated tools to continuously monitor general purpose computers, servers, and mobile devices for active, up-to-date anti-malware protection with antivirus, antispyware, personal firewalls, and host-based intrusion prevention system functionality.

(4) Centralize oversight and control to effectively administer patch management processes (but the responsibility for testing and applying patches to specific systems may be decentralized to the component level).

(5) Perform regular scans of general purpose computers and servers to discover security vulnerabilities and log the results of such scans.

(6) Perform a patch-focused risk assessment to evaluate each system, database, and general purpose computer for threats, vulnerabilities, and its criticality to the mission of the Department.

(7) If the Secretary determines any security vulnerability—

(A) develop a test for the vulnerability and determine the cause of the vulnerability;

(B) address the vulnerability, including by patching, implementing a compensating control, or documenting and accepting a reasonable business risk (in accordance with industry accepted best practices) with respect to the vulnerability; and

(C) perform a post remediation scan to verify that the vulnerability was so addressed.

(8) Establish and ensure the use of standard, secure configurations of each operating system in use on the computers of the Department.

(9) Employ system-scanning tools that check computers daily for software version, patch levels, and configuration files.

(10) Deploy a security content automation protocol tool that is validated by the National Institute of Standards and Technology to use specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation.

(11) Standardize policies, procedures, and tools for effective patch management, including by assigning roles and responsibilities, performing risk assessments, and testing patches.

(12) Test each patch against all system configurations of the Department in a test environment to determine any effect on the network before deploying the patch to the affected systems and monitor the status of the patches after deployment.

(13) Establish and maintain an inventory of all hardware equipment, software packages, services, and other technologies installed and used by the Department for patch management.

(14) Establish a policy for security fixes that is clearly communicated to computer users to ensure that the users are aware of—

(A) the versions of software or operating systems that are supported with respect to security fixes; and

(B) when software, operating systems, or other products are scheduled to no longer be maintained.

(15) Ensure that—

(A) the staff or contractors of the Department who are involved in patch management have the skills and knowledge needed to perform the responsibilities relating to such management; and

(B) system administrators are trained in identifying new patches and vulnerabilities.

(c) Certification.—Not later than 30 days after the date of the enactment of this Act, the Secretary shall submit to the congressional veterans committees written certification that the Secretary has commenced each action described in subsection (b).

SEC. 5. Upgrade or phase-out of unsupported or outdated operating systems.

(a) In general.—Not later than 90 days after the date of the enactment of this Act, the Secretary shall ensure that the Secretary upgrades or phases out outdated or unsupported operating systems to protect computers of the Department from harmful viruses, spyware, and other malicious software that could affect the confidentiality of sensitive personal information of veterans.

(b) Actions required.—In carrying out subsection (a), the Secretary shall carry out the following activities:

(1) Establish a plan for phasing out outdated or unsupported operating systems used by the Department.

(2) Establish a policy to ensure that outdated and unsupported operating systems used by the Department do not connect to the network of the Department by not later than 15 days after the date on which such operating systems are so outdated or unsupported, as determined appropriate by the Secretary.

(3) Establish a configuration management process to ensure that—

(A) a secure image that is regularly updated is used to build all new computers used by the Department; and

(B) any computer used by the Department that becomes compromised is re-imaged using such image.

(4) Implement applicable operating systems based on security guidance identified by the Information Assurance Directorate of the National Security Agency.

(5) Appropriately configure and test required software that was designed to be used on older operating systems to ensure the software is usable on a new operating system used by the Department.

(6) Limit administrative privileges to very few users who have both the appropriate knowledge and business need to modify the configuration of the operating system.

(7) Until the date on which an unsupported operating system is replaced, if a computer uses such operating system, disable web browser plug-ins, use a hardware firewall, and if practicable, disconnect the computer from the network and do not use the computer to access the Internet.

(8) Deploy a software inventory tool to cover each of the operating systems in use by the Department to track—

(A) the type of such operating systems being used by the Department; and

(B) with respect to each computer of the Department—

(i) the type of operating system installed and the version number and patch level of such operating system; and

(ii) the software being used on such operating system.

(9) Regularly use file integrity checking tools to check any changes to critical operating systems, services, and configuration files.

(c) Certification.—Not later than 30 days after the date of the enactment of this Act, the Secretary shall submit to the congressional veterans committees written certification that the Secretary has commenced each action described in subsection (b).
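As an added illustration (not part of H.R. 4370 and not Department code), the following check applies the 48-hour patch window of section 4(b)(2) and the 15-day disconnection rule of section 5(b)(2) to a host inventory of the kind section 5(b)(8) describes, producing the per-host findings a monthly report under section 9(c) would draw on. Host names, patch identifiers, dates and the end-of-support table are constructed sample data, not values from the bill.

```python
"""Added example: patch-window and unsupported-OS compliance over a constructed
host inventory. Windows of 48 hours and 15 days come from sections 4(b)(2) and
5(b)(2) of the bill; everything else is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

PATCH_WINDOW = timedelta(hours=48)      # section 4(b)(2)
DISCONNECT_WINDOW = timedelta(days=15)  # section 5(b)(2)

# Constructed end-of-support table (assumption, not taken from the bill).
END_OF_SUPPORT = {
    ("Windows", "XP"): datetime(2014, 4, 8),
    ("Windows", "7"): datetime(2020, 1, 14),
    ("RHEL", "6"): datetime(2020, 11, 30),
}


@dataclass
class Patch:
    patch_id: str
    released: datetime
    installed: Optional[datetime]  # None while the patch is still missing


@dataclass
class Host:
    """One inventory record: OS type, version and patch level per section 5(b)(8)."""
    name: str
    os_type: str
    os_version: str
    patch_level: str
    on_network: bool
    patches: List[Patch] = field(default_factory=list)


def patch_violations(host: Host, now: datetime) -> List[str]:
    """Patches not installed within 48 hours of release; a missing patch is
    measured against 'now', so it keeps being reported until it is applied."""
    findings = []
    for p in host.patches:
        deadline = p.released + PATCH_WINDOW
        applied_at = p.installed if p.installed is not None else now
        if applied_at > deadline:
            findings.append(f"{host.name}: {p.patch_id} exceeded 48h window "
                            f"(due {deadline:%Y-%m-%d %H:%M})")
    return findings


def os_violations(host: Host, now: datetime) -> List[str]:
    """Unsupported OS still on the network more than 15 days past end of support."""
    eos = END_OF_SUPPORT.get((host.os_type, host.os_version))
    if eos is None or not host.on_network:
        return []
    if now > eos + DISCONNECT_WINDOW:
        return [f"{host.name}: {host.os_type} {host.os_version} unsupported "
                f"since {eos:%Y-%m-%d} and still connected"]
    return []


def compliance_report(hosts: List[Host], now: datetime) -> Dict[str, List[str]]:
    """Findings grouped per host; compliant hosts are omitted."""
    report: Dict[str, List[str]] = {}
    for h in hosts:
        findings = patch_violations(h, now) + os_violations(h, now)
        if findings:
            report[h.name] = findings
    return report


def sample_inventory() -> List[Host]:
    """Constructed sample inventory."""
    return [
        Host("ws-0101", "Windows", "7", "KB-2014-03", True, [
            Patch("KB-2014-04a", datetime(2014, 4, 10, 9), datetime(2014, 4, 11, 8)),  # 23h: ok
            Patch("KB-2014-04b", datetime(2014, 4, 10, 9), datetime(2014, 4, 14, 8)),  # late
        ]),
        Host("ws-0102", "Windows", "XP", "SP3", True, [
            Patch("KB-2014-04a", datetime(2014, 4, 10, 9), None),  # never applied
        ]),
        Host("srv-db-01", "RHEL", "6", "6.5", True, [
            Patch("RHSA-2014-0001", datetime(2014, 4, 1, 12), datetime(2014, 4, 2, 12)),  # ok
        ]),
    ]


def run_sample(now_iso: str = "2014-05-01") -> Dict[str, List[str]]:
    """Run the report over the sample inventory as of an ISO-8601 date."""
    return compliance_report(sample_inventory(), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for host, findings in run_sample().items():
        print(host)
        for f in findings:
            print("  " + f)
```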

SEC. 6. Security of web applications from vital vulnerabilities.

(a) In general.—The Secretary shall ensure that web applications used by the Department are secure from vulnerabilities that could affect the confidentiality of sensitive personal information of veterans.

(b) Actions required.—In carrying out subsection (a), the Secretary shall carry out the following activities:

(1) Not later than 60 days after the date of the enactment of this Act, develop a plan, including required actions and milestones, to fully remediate all security vulnerabilities described in subsection (a) that exist as of the date of the enactment of this Act.

(2) Develop detailed guidance for remediating each critical security vulnerability.

(3) Use best practices and lessons learned, including such practices and lessons described by the National Institute of Standards and Technology and the Open Web Application Security Project, to address the security vulnerabilities of web applications.

(4) Limit the permissions on the database logon used by web applications to only what is needed to reduce the effectiveness of any attack that exploits bugs in the application.

(5) Provide to web application developers—

(A) thorough application development guidance to ensure that new applications are designed by taking into account security; and

(B) detailed guidance on testing existing web applications for security vulnerabilities, including buffer overflows and cross-site scripting.

(6) Configure administrative passwords to be—

(A) complex and consist only of strings of letters, numbers, and characters that do not form a recognizable word; and

(B) changed every 90 days, in accordance with industry best practices.

(7) With respect to passwords used in connection with web applications, store the passwords for each system of the Department only in a well-hashed or encrypted format.

(8) Implement two-factor authentication technology requirements throughout the Department.

(9) If vulnerabilities in a web application are found, administer a full-source code review to determine if the vulnerabilities exist elsewhere within the code of the application.

(10) Periodically review user access to networks and web applications to identify unnecessary, inactive, or terminated user accounts.

(11) Establish a single set of strong authentication and session management controls that meet all the authentication and session management requirements defined in the Application Security Verification Standard of the Open Web Application Security Project.

(12) Implement visibility and attribution measures to improve the process, architecture, and technical capabilities of the Department to monitor web applications used on the networks and computers of the Department to detect attack attempts, locate points of entry, identify already compromised machines, interrupt activities of infiltrated attackers, and gain information about the sources of an attack.

(c) Certification.—Not later than 30 days after the date of the enactment of this Act, the Secretary shall submit to the congressional veterans committees written certification that the Secretary has commenced each action described in subsection (b).
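As an added illustration (not part of H.R. 4370 and not Department code), the following routines implement the administrative password requirements of section 6(b)(6)(A) and (B) and the storage requirement of section 6(b)(7). The word list, the minimum length and the PBKDF2 iteration count are assumptions chosen for the example; note that the section 11(13) wording for "well-hashed" is satisfied by any digest, so the check here insists on a salted, iterated hash rather than a bare digest.

```python
"""Added example: administrative password complexity, 90-day rotation, and
salted iterated hashing for sections 6(b)(6)-(7) of the bill. Word list,
length floor and iteration count are assumptions, not values from the bill."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import Optional

# Constructed stand-in for a dictionary of "recognizable words" (section 6(b)(6)(A)).
RECOGNIZABLE_WORDS = {"password", "veteran", "summer", "admin", "welcome"}
MIN_LENGTH = 14                 # assumption: the bill says "complex" but sets no length
ROTATION = timedelta(days=90)   # section 6(b)(6)(B)
PBKDF2_ITERATIONS = 600_000     # assumption: slow, salted KDF is what "well-hashed" should mean


def password_is_complex(pw: str) -> bool:
    """Letters, numbers and other characters, with no recognizable word inside."""
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_other = any(not c.isalnum() for c in pw)
    if len(pw) < MIN_LENGTH or not (has_letter and has_digit and has_other):
        return False
    lowered = pw.lower()
    return not any(word in lowered for word in RECOGNIZABLE_WORDS)


def hash_password(pw: str, salt: Optional[bytes] = None) -> str:
    """Store only a salted, iterated hash (section 6(b)(7)); never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(pw: str, stored: str) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, int(iters))
    return hmac.compare_digest(digest, expected)


def rotation_overdue(last_changed_iso: str, now_iso: str) -> bool:
    """Section 6(b)(6)(B): an administrative password older than 90 days is overdue."""
    last_changed = datetime.fromisoformat(last_changed_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last_changed > ROTATION


def is_well_hashed_record(stored: str) -> bool:
    """Section 11(13) only asks for 'a numeric value representative of the data',
    which a bare unsalted digest satisfies; require the salted, iterated record
    format above with a non-trivial iteration count (assumed floor: 100,000)."""
    parts = stored.split("$")
    return len(parts) == 4 and parts[0] == "pbkdf2_sha256" and int(parts[1]) >= 100_000


if __name__ == "__main__":
    record = hash_password("Tq9#mL2!vX7$zR")
    print(record)
    print(verify_password("Tq9#mL2!vX7$zR", record))
```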

SEC. 7. Security of the Vista system.

(a) In general.—Not later than 90 days after the date of the enactment of this Act, the Secretary shall ensure that the Vista system is secure from vulnerabilities that could affect the confidentiality of sensitive personal information of veterans.

(b) Actions required.—In carrying out subsection (a), the Secretary shall carry out the following activities:

(1) Develop a remedial action plan to address the approaches to interoperability—

(A) between multiple Vista systems; and

(B) between the Vista system and external systems and software.

(2) Update the policy, procedures, and governance of the Department with respect to system-to-system integration where users log on to external systems and then automatically connect to the Vista system and interact.

(3) Provide authentication for the machine-to-machine broker so that the Vista system “listener” verifies the identity of the calling system.

(4) Establish and implement policy with respect to the authentication of external systems attempting to connect to the Vista system and criteria by which user authentication must be accomplished to ensure all applications that connect to the Vista system convey accurate user information.

(5) Establish a business requirement that system-to-system integration connectivity across the wide-area network must consist of encrypted communication and require external systems to securely identify themselves, or for the Vista system to securely identify external systems that attempt to connect to the system.

(6) Establish a business requirement that external systems communicate accurate user information to the Vista system relating to actions initiated by actual individuals and facilitate the revocation of access by the Vista system relative to specific users or external systems attempting to connect.

(7) Implement monthly project design reviews of the integration between systems and web applications to ensure that the effectiveness of the existing controls is sustained.

(8) Assess the potential compromise to non-Department networks that are interconnected with the network of the Department, including the networks of the Department of Defense and the Department of Health and Human Services.

(9) Ensure that, in the near-term, software development for the Vista system develops the critical enhancements and fixes to the system that are necessary to ensure compliance with changes to patient enrollment.

(10) Ensure that all systems of the Department have been given the “Authority to Operate” designation and have been properly certified by meeting all requirements, including a comprehensive assessment of management, operational, and technical security controls, to become operational, and restrict the use of waivers.

(c) Certification.—Not later than 30 days after the date of the enactment of this Act, the Secretary shall submit to the congressional veterans committees written certification that the Secretary has commenced each action described in subsection (b).

SEC. 8. Report on compliance with information security requirements and best practices.

Not later than 60 days after the date of the enactment of this Act, the Secretary of Veterans Affairs shall submit to the congressional veterans committees the following:

(1) Written certification that the Secretary is taking every action required to comply with—

(A) subchapter III of chapter 57 of title 38, United States Code;

(B) subchapter III of chapter 35 of title 44, United States Code;

(C) special publications 800–53 and 800–111 of the National Institute of Standards and Technology, including with respect to encrypting databases;

(D) applicable memoranda issued by the Director of Management and Budget regarding protecting personally identifiable information; and

(E) any other relevant law or regulation regarding the information security of the Department of Veterans Affairs.

(2) How the Secretary is using and implementing the principles and best practices regarding improving information security, including with respect to such principles and practices described in the document titled “Framework for Improving Critical Infrastructure Cybersecurity” of the National Institute of Standards and Technology.

SEC. 9. Reports on implementation.

(a) Biannual reports.—

(1) IN GENERAL.—Not later than 180 days after the date of the enactment of this Act, and every 180-day period thereafter, the Secretary shall submit to the congressional veterans committees a report on the implementation of this Act, including the amendments made by this Act.

(2) MATTERS INCLUDED.—Each report under subsection (a) shall include the following:

(A) A description of the actions taken by the Secretary to implement and comply with sections 2 through 7.

(B) A timeline and project plan, both short-term and long-term, for implementing each of sections 2 through 7 and assigning roles and responsibilities under such plan.

(C) Performance measures and benchmarks to measure the results of the Secretary in carrying out remediation efforts under sections 2 through 7.

(D) A description of the best practices and lessons learned by the Secretary in carrying out sections 2 through 7.

(E) The progress made by the Secretary during each month covered by the report with respect to reducing the total number of outdated operating systems, web application vulnerabilities, critical security vulnerabilities, and other matters covered by sections 2 through 7.

(F) An appendix containing detailed reports of the Department, including the enterprise information technology dashboard and reports regarding security vulnerabilities, operating system trends, and web applications.

(b) Annual Inspector General report.—The Inspector General of the Department of Veterans Affairs shall submit to the congressional veterans committees an annual report that includes a comprehensive assessment of the adequacy and effectiveness of the implementation by the Secretary of Veterans Affairs of sections 2 through 7, including the amendments made by this Act.

(c) Monthly reports.—On a monthly basis, the Secretary shall submit to the congressional veterans committees reports on security vulnerabilities discovered pursuant to the actions taken under section 4(b)(5).

SEC. 10. Application.

In carrying out this Act, including the amendments made by this Act, the Secretary of Veterans Affairs may substitute a new technology or process relating to information security for a specific technology or process relating to information security described in this Act, including the amendments made by this Act, if the Secretary determines that such new technology or process—

(1) is a successor to the specific technology or process described in this Act, including the amendments made by this Act; and

(2) provides a greater amount of information security than would be provided if the Secretary did not make such substitution.

SEC. 11. Definitions.

In this Act:

(1) The term “Authority to Operate” means the official management decision given by a senior official of the Department to authorize operation of an information system and to explicitly accept the risk to the operations of the Department (including with respect to the mission, functions, image, or reputation of the Department), the assets and individuals of the Department, other elements of the Federal Government, and the United States based on the implementation of an agreed-upon set of security controls.

(2) The term “confidentiality” has the meaning given that term in section 5727 of title 38, United States Code.

(3) The term “congressional veterans committees” means the Committees on Veterans’ Affairs of the House of Representatives and the Senate.

(4) The term “critical network infrastructure” means information technology hardware that provides—

(A) vital network services to the Department that are vital to carrying out the mission of the Department; and

(B) communications, security, transportation, access, and authentication services and capabilities.

(5) The term “domain controller” means a server that responds to security authentication requests responsible for allowing host access to domain resources by authenticating users, sorting user account information, and enforcing security policy.

(6) The term “general purpose computer” means a computer that, given the appropriate application and required time, should be able to perform most common computing tasks. Such term includes personal computers, including desktops, notebooks, smart phones, and tablets.

(7) The term “image” means a standard set of software (including the operating system and other software) that is installed on a computer.

(8) The term “information security” has the meaning given that term in section 5727 of title 38, United States Code.

(9) The term “information system” has the meaning given that term in section 5727 of title 38, United States Code.

(10) The term “sensitive personal information” has the meaning given that term in section 5727 of title 38, United States Code.

(11) The term “Vista system” means the Veterans Health Information Systems and Technology Architecture of the Department of Veterans Affairs that allows for an integrated inpatient and outpatient electronic health record for patients and provides administrative tools to employees of the Department.

(12) The term “web application” means an application in which all or some parts of the software are downloaded from the Internet each time the software is accessed, including web browser-based software that runs within a web browser, desktop software that does not use a web browser, and mobile software that accesses the Internet for additional information.

(13) The term “well-hashed” means the process of using a mathematical algorithm against data to produce a numeric value that is representative of that data.

