Report text available as:

(PDF provides a complete and accurate display of this text.) Tip?


113th Congress                                                   Report
                        HOUSE OF REPRESENTATIVES
 2d Session                                                     113-562

======================================================================



 
              SAFE AND SECURE FEDERAL WEBSITES ACT OF 2014

                                _______
                                

 July 28, 2014.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

   Mr. Issa, from the Committee on Oversight and Government Reform, 
                        submitted the following

                              R E P O R T

                        [To accompany H.R. 3635]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Oversight and Government Reform, to whom 
was referred the bill (H.R. 3635) to ensure the functionality 
and security of new Federal websites that collect personally 
identifiable information, and for other purposes, having 
considered the same, report favorably thereon with an amendment 
and recommend that the bill as amended do pass.

                                CONTENTS

                                                                   Page
Committee Statement and Views....................................     3
Section-by-Section...............................................     5
Explanation of Amendments........................................     6
Committee Consideration..........................................     6
Application of Law to the Legislative Branch.....................     6
Statement of Oversight Findings and Recommendations of the 
  Committee......................................................     6
Statement of General Performance Goals and Objectives............     6
Duplication of Federal Programs..................................     6
Disclosure of Directed Rule Makings..............................     6
Federal Advisory Committee Act...................................     7
Unfunded Mandate Statement.......................................     7
Earmark Identification...........................................     7
Committee Estimate...............................................     7
Budget Authority and Congressional Budget Office Cost Estimate...     7
Changes in Existing Law Made by the Bill as Reported.............     8

    The amendment is as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Safe and Secure Federal Websites Act 
of 2014''.

SEC. 2. ENSURING FUNCTIONALITY AND SECURITY OF NEW FEDERAL WEBSITES 
                    THAT COLLECT PERSONALLY IDENTIFIABLE INFORMATION.

  (a) Certification Requirement.--
          (1) In general.--Except as otherwise provided under this 
        subsection, an agency may not deploy or make available to the 
        public a new Federal PII website until the date on which the 
        chief information officer of the agency submits a certification 
        to Congress that the website is fully functional and secure.
          (2) Transition.--In the case of a new Federal PII website 
        that is operational on the date of the enactment of this Act, 
        paragraph (1) shall not apply until the end of the 90-day 
        period beginning on such date of enactment. If the 
        certification required under paragraph (1) for such website has 
        not been submitted to Congress before the end of such period, 
        the head of the responsible agency shall render the website 
        inaccessible to the public until such certification is 
        submitted to Congress.
          (3) Exception for beta website with explicit permission.--
        Paragraph (1) shall not apply to a website (or portion thereof) 
        that is in a development or testing phase, if the following 
        conditions are met:
                  (A) A member of the public may access PII-related 
                portions of the website only after executing an 
                agreement that acknowledges the risks involved.
                  (B) No agency compelled, enjoined, or otherwise 
                provided incentives for such a member to access the 
                website for such purposes.
          (4) Construction.--Nothing in this section shall be construed 
        as applying to a website that is operated entirely by an entity 
        (such as a State or locality) that is independent of the 
        Federal Government, regardless of the receipt of funding in 
        support of such website from the Federal Government.
  (b) Definitions.--In this section:
          (1) Agency.--The term ``agency'' has the meaning given that 
        term under section 551 of title 5, United States Code.
          (2) Fully functional.--The term ``fully functional'' means, 
        with respect to a new Federal PII website, that the website can 
        fully support the activities for which it is designed or 
        intended with regard to the eliciting, collection, storage, or 
        maintenance of personally identifiable information, including 
        handling a volume of queries relating to such information 
        commensurate with the purpose for which the website is 
        designed.
          (3) New federal personally identifiable information website 
        (new federal pii website).--The terms ``new Federal personally 
        identifiable information website'' and ``new Federal PII 
        website'' mean a website that--
                  (A) is operated by (or under a contract with) an 
                agency;
                  (B) elicits, collects, stores, or maintains 
                personally identifiable information of individuals and 
                is accessible to the public; and
                  (C) is first made accessible to the public and 
                collects or stores personally identifiable information 
                of individuals, on or after October 1, 2012.
          (4) Operational.--The term ``operational'' means, with 
        respect to a website, that such website elicits, collects, 
        stores, or maintains personally identifiable information of 
        members of the public and is accessible to the public.
          (5) Personally identifiable information (pii).--The terms 
        ``personally identifiable information'' and ``PII'' mean any 
        information about an individual elicited, collected, stored, or 
        maintained by an agency, including--
                  (A) any information that can be used to distinguish 
                or trace the identity of an individual, such as a name, 
                a social security number, a date and place of birth, a 
                mother's maiden name, or biometric records; and
                  (B) any other information that is linked or linkable 
                to an individual, such as medical, educational, 
                financial, and employment information.
          (6) Responsible agency.--The term ``responsible agency'' 
        means, with respect to a new Federal PII website, the agency 
        that is responsible for the operation (whether directly or 
        through contracts with other entities) of the website.
          (7) Secure.--The term ``secure'' means, with respect to a new 
        Federal PII website, that the following requirements are met:
                  (A) The website is in compliance with subchapter III 
                of chapter 35 of title 44, United States Code.
                  (B) The website ensures that personally identifiable 
                information elicited, collected, stored, or maintained 
                in connection with the website is captured at the 
                latest possible step in a user input sequence.
                  (C) The responsible agency for the website has taken 
                reasonable efforts to minimize domain name confusion, 
                including through additional domain registrations.
                  (D) The responsible agency requires all personnel who 
                have access to personally identifiable information in 
                connection with the website to have completed a 
                Standard Form 85P and signed a non-disclosure agreement 
                with respect to personally identifiable information, 
                and the agency takes proper precautions to ensure only 
                trustworthy persons may access such information.
                  (E) The responsible agency maintains (either directly 
                or through contract) sufficient personnel to respond in 
                a timely manner to issues relating to the proper 
                functioning and security of the website, and to monitor 
                on an ongoing basis existing and emerging security 
                threats to the website.
          (8) State.--The term ``State'' means each State of the United 
        States, the District of Columbia, each territory or possession 
        of the United States, and each federally recognized Indian 
        tribe.

SEC. 3. PRIVACY BREACH REQUIREMENTS.

  (a) Information Security Amendment.--Subchapter III of chapter 35 of 
title 44, United States Code, is amended by adding at the end the 
following:

``Sec. 3550. Privacy breach requirements

  ``(a) Policies and Procedures.--The Director of the Office of 
Management and Budget shall establish and oversee policies and 
procedures for agencies to follow in the event of a breach of 
information security involving the disclosure of personally 
identifiable information, including requirements for--
          ``(1) not later than 72 hours after the agency discovers such 
        a breach, or discovers evidence that reasonably indicates such 
        a breach has occurred, notice to the individuals whose 
        personally identifiable information could be compromised as a 
        result of such breach;
          ``(2) timely reporting to a Federal cybersecurity center, as 
        designated by the Director of the Office of Management and 
        Budget; and
          ``(3) any additional actions that the Director finds 
        necessary and appropriate, including data breach analysis, 
        fraud resolution services, identity theft insurance, and credit 
        protection or monitoring services.
  ``(b) Required Agency Action.--The head of each agency shall ensure 
that actions taken in response to a breach of information security 
involving the disclosure of personally identifiable information under 
the authority or control of the agency comply with policies and 
procedures established by the Director of the Office of Management and 
Budget under subsection (a).
  ``(c) Report.--Not later than March 1 of each year, the Director of 
the Office of Management and Budget shall report to Congress on agency 
compliance with the policies and procedures established under 
subsection (a).
  ``(d) Federal Cybersecurity Center Defined.--The term `Federal 
cybersecurity center' means any of the following:
          ``(1) The Department of Defense Cyber Crime Center.
          ``(2) The Intelligence Community Incident Response Center.
          ``(3) The United States Cyber Command Joint Operations 
        Center.
          ``(4) The National Cyber Investigative Joint Task Force.
          ``(5) Central Security Service Threat Operations Center of 
        the National Security Agency.
          ``(6) The United States Computer Emergency Readiness Team.
          ``(7) Any successor to a center, team, or task force 
        described in paragraphs (1) through (6).
          ``(8) Any center that the Director of the Office of 
        Management and Budget determines is appropriate to carry out 
        the requirements of this section.''.
  (b) Technical and Conforming Amendment.--The table of sections for 
subchapter III of chapter 35 of title 44, United States Code, is 
amended by adding at the end the following:

``3550. Privacy breach requirements.''.

                     Committee Statement and Views


                          PURPOSE AND SUMMARY

    H.R. 3635, the Safe and Secure Federal Websites Act of 
2014, will help ensure the functionality and security of 
federal websites, giving individuals confidence that their 
privacy and personal information is secure. The bill guards 
against the loss of the public's trust by requiring agency 
chief information officers to certify that federal websites 
collecting personally identifiable information are fully 
functional and secure. In addition, the bill requires agencies 
to notify affected individuals that their personally 
identifiable information may have been compromised within 72 
hours of a known or suspected data breach.

                  BACKGROUND AND NEED FOR LEGISLATION

    2013 marked a year of high-profile data breaches. From data 
breaches at Target, one of the nation's largest retail chains, 
to Neiman Marcus, a high-end department store chain, the public 
is now more aware than ever of the potential severity and 
consequences of such occurrences.\1\ Other widely publicized 
data breaches at federal agencies in recent years include the 
Federal Retirement Thrift Investment Board (2012), the Federal 
Aviation Administration (2009), and the Department of Veterans 
Affairs (2006).\2\ The loss of public trust resulting from 
large scale data breaches is damaging to the economy and the 
overall fabric and spirit of our country. The public should 
feel confident and secure in knowing that their personal 
information is protected by businesses and especially by the 
government who serves them.
---------------------------------------------------------------------------
    \1\Senate Judiciary Committee hearing: Privacy in the Digital Age: 
Preventing Data Breaches and Combating Cybercrime. February 4, 2014. 
http://www.judiciary.senate.gov/meetings/privacy-in-the-digital-age-
preventing-data-breaches-and-combating-cybercrime.
    \2\The Federal Retirement Thrift Investment Board data breach was 
the subject of a Senate Committee on Homeland Security & Governmental 
Affairs (Subcommittee on Oversight of Government Management, the 
Federal Workforce and the District of Columbia) hearing: State of 
Federal Privacy and Data Security Law: Lagging Behind the Times? July 
31, 2012. http://www.hsgac.senate.gov/subcommittees/oversight-of-
government-management/hearings/state-of-federal-privacy-and-data-
security-law-lagging-behind-the-times.
    The Federal Aviation Administration issued a press release on 
February 9, 2009 about its data breach: Press Release--FAA Notifies 
Employees of Personal Identity Breach. http://www.faa.gov/news/
press_releases/news_story.cfm?newsId=10394.
    Department of Veterans Affairs Office of Inspector General, Review 
of Issues Related to the Loss of VA Information Involving the Identity 
of Millions of Veterans, Report No. 06-02238-163 (Washington, D.C.: 
July 11, 2006).
---------------------------------------------------------------------------
    Ensuring website security is especially important in an era 
where the federal government increasingly relies on technology 
to conduct its work more efficiently. Balancing the desire to 
strive for technological advancements with the need to 
constantly monitor and neutralize cyber threats and 
vulnerabilities is vital. The federal government should be ever 
vigilant in working to regain and maintain the public's trust. 
The ``Safe and Secure Federal Websites Act of 2014'' is a major 
step in reestablishing that trust.
    This act requires, among other things, the Director of the 
Office of Management and Budget (OMB) to establish and oversee 
policies and procedures for agencies to follow in the event of 
a breach of information security involving the disclosure of 
personally identifiable information. This includes establishing 
requirements for the timely notification of individuals 
affected; timely reporting of the compromise to a federal cyber 
security center; and any additional actions the Director deems 
necessary and appropriate. These actions can include data 
breach analysis, fraud resolution services, identity theft 
insurance, and credit protection or monitoring services. 
Further, OMB is required to report to Congress on its oversight 
of agencies implementation of its policies. In a December 2013 
report, GAO found that agency responses to breaches of 
personally identifiable information were inconsistent and 
recommended that OMB update its guidance on federal agencies' 
response to data breach.\3\ Though OMB previously issued five 
memoranda to advise agencies on proper protocols, GAO found the 
guidance to be incomplete thus contributing to agencies' 
inconsistent implementation.\4\ Adopting the ``Safe and Secure 
Federal Websites Act of 2014'' will help remedy the problem of 
data breach.
---------------------------------------------------------------------------
    \3\GAO, Information Security: Agency Responses to Breaches of 
Personally Identifiable Information Need to Be More Consistent, GAO-14-
34 (Washington, D.C.: Dec. 9, 2013).
    \4\OMB, Safeguarding Against and Responding to the Breach of 
Personally Identifiable Information, M-07-16 (May 22, 2007); OMB, Use 
of Commercial Credit Monitoring Services Blanket Purchase Agreements, 
M-07-04 (Washington, D.C.: Dec. 22, 2006); OMB, Recommendations for 
Identity Theft Related Data Breach Notification (Washington, D.C.: 
Sept. 20, 2006); OMB, Reporting Incidents Involving Personally 
Identifiable Information and Incorporating the Cost for Security in 
Agency Information Technology Investments, M-06-19 (July 12, 2006); and 
OMB, Safeguarding Personally Identifiable Information, M-06-15 
(Washington, D.C.: May 22, 2006.
---------------------------------------------------------------------------

                           Section-by-Section


Section 1. Short title

    The short title of the bill is the ``Safe and Secure 
Federal Websites Act of 2014.''

Section 2. Ensuring functionality and security of new federal websites 
        that collect personally identifiable information

    Federal agency chief information officers must certify to 
Congress the functionality and security of new (or 
substantially modified) agency websites that collect personally 
identifiable information. The bill applies to websites created 
(or substantially modified) on or after October 1, 2012, and 
requires agency chief information officers to submit 
certifications within 90 days for websites operational on the 
date of enactment. Agency heads must render inaccessible each 
website that is not certified before the end of the 
certification period established in the bill. An exception is 
made for beta websites.
    Under the bill, certification as a ``fully functional'' 
website means the website can fully support the activities for 
which it is designed, including the collection, storage, and 
maintenance of personally identifiable information.
    Under the bill, certification as a ``secure'' website means 
the website complies with the Federal Information Security 
Management Act (FISMA); the host agency has taken steps to 
minimize domain name confusion; personally identifiable 
information is captured at the latest possible step in the data 
collection sequence; individuals who have access to personally 
identifiable information have completed public trust 
questionnaire and signed a non-disclosure agreement; and the 
agency maintains sufficient personnel to respond in a timely 
manner to issues related to proper functioning and security of 
the website, including emerging security threats.
    The bill uses a definition developed by the National 
Institute of Standards and Technology (Special Publication 800-
122) to describe personally identifiable information.

Section 3. Privacy breach requirements

    The Director of the Office of Management and Budget shall 
establish and oversee policies and procedures for agencies to 
follow in the event of a breach of information security 
involving the disclosure of personally identifiable 
information. Notice must be given to individuals whose 
personally identifiable information could be compromised within 
72 hours of the agency discovering a breach or discovering 
evidence that reasonably indicates occurrence of a breach.
    The Director of the Office of Management and Budget must 
annually report to Congress by March 1 of each year on agency 
compliance with the breach notification procedures.

                       Explanation of Amendments

    The provisions of the adopted amendments are explained in 
this report.

                        Committee Consideration

    On March 12, 2014, the Committee met in open session and 
ordered reported favorably the bill, H.R. 3635, as amended, by 
voice vote, a quorum being present.

              Application of Law to the Legislative Branch

    Section 102(b)(3) of Public Law 104-1 requires a 
description of the application of this bill to the legislative 
branch where the bill relates to the terms and conditions of 
employment or access to public services and accommodations. 
This bill requires agencies to notify affected individuals that 
their personally identifiable information may have been 
compromised within 72 hours of a known or suspected data 
breach. As such this bill does not relate to employment or 
access to public services and accommodations.

  Statement of Oversight Findings and Recommendations of the Committee

    In compliance with clause 3(c)(1) of rule XIII and clause 
2(b)(1) of rule X of the Rules of the House of Representatives, 
the Committee's oversight findings and recommendations are 
reflected in the descriptive portions of this report.

         Statement of General Performance Goals and Objectives

    In accordance with clause 3(c)(4) of rule XIII of the Rules 
of the House of Representatives, the Committee's performance 
goals and objectives are reflected in the descriptive portions 
of this report.

                    Duplication of Federal Programs

    No provision of H.R. 3635 establishes or reauthorizes a 
program of the Federal Government known to be duplicative of 
another Federal program, a program that was included in any 
report from the Government Accountability Office to Congress 
pursuant to section 21 of Public Law 111-139, or a program 
related to a program identified in the most recent Catalog of 
Federal Domestic Assistance.

                  Disclosure of Directed Rule Makings

    H.R. 3635 requires the Director of the Office of Management 
and Budget to establish policies and procedures for agencies to 
follow in the event of a breach of information security 
involving the disclosure of personally identifiable 
information.

                     Federal Advisory Committee Act

    The Committee finds that the legislation does not establish 
or authorize the establishment of an advisory committee within 
the definition of 5 U.S.C. App., Section 5(b).

                       Unfunded Mandate Statement

    Section 423 of the Congressional Budget and Impoundment 
Control Act (as amended by Section 101(a)(2) of the Unfunded 
Mandates Reform Act, P.L. 104-4) requires a statement as to 
whether the provisions of the reported include unfunded 
mandates. In compliance with this requirement the Committee has 
received a letter from the Congressional Budget Office included 
herein.

                         Earmark Identification

    H.R. 3635 does not include any congressional earmarks, 
limited tax benefits, or limited tariff benefits as defined in 
clause 9 of rule XXI.

                           Committee Estimate

    Clause 3(d)(2) of rule XIII of the Rules of the House of 
Representatives requires an estimate and a comparison by the 
Committee of the costs that would be incurred in carrying out 
H.R. 3635. However, clause 3(d)(3)(B) of that rule provides 
that this requirement does not apply when the Committee has 
included in its report a timely submitted cost estimate of the 
bill prepared by the Director of the Congressional Budget 
Office under section 402 of the Congressional Budget Act.

     Budget Authority and Congressional Budget Office Cost Estimate

    With respect to the requirements of clause 3(c)(2) of rule 
XIII of the Rules of the House of Representatives and section 
308(a) of the Congressional Budget Act of 1974 and with respect 
to requirements of clause (3)(c)(3) of rule XIII of the Rules 
of the House of Representatives and section 402 of the 
Congressional Budget Act of 1974, the Committee has received 
the following cost estimate for H.R. 3635 from the Director of 
Congressional Budget Office:

                                                    April 22, 2014.
Hon. Darrell Issa,
Chairman, Committee on Oversight and Government Reform,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 3635, the Safe and 
Secure Federal Websites Act of 2014.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Matthew 
Pickford.
            Sincerely,
                                              Douglas W. Elmendorf.
    Enclosure.

H.R. 3635--Safe and Secure Federal Websites Act of 2014

    CBO estimates that enacting H.R. 3635 would have no 
significant effect on the federal budget. The legislation would 
amend federal laws that protect the privacy of personally 
identifiable information collected by the government. 
Personally identifiable information includes any information 
that identifies an individual such as name, Social Security 
number, and medical or financial records. The legislation would 
prohibit an agency from deploying a new website until the 
agency's Chief Information Officer certifies that all such 
information is safe and secure. Existing federal websites would 
have 90 days following enactment of H.R. 3635 to comply with 
this requirement. The legislation also would require the Office 
of Management and Budget (OMB) to issue policies and procedures 
for agencies to follow in the event of a security breach of a 
federal data system that contains personally identifiable 
information.
    No single federal law or regulation governs the security of 
all types of sensitive personal information collected by 
federal agencies. The Federal Information Security Management 
Act requires each federal agency to develop, document, and 
implement an agencywide security program for sensitive 
information. The Privacy Act of 1974 governs the collection, 
use, and dissemination by federal agencies of personal records. 
OMB's ``Breach Notification Policy'' requires all agencies to 
implement a policy to safeguard personally identifiable 
information and to provide notification of a security breach.
    Because those laws and policies regarding the security of 
personally identifiable information are already in place, CBO 
estimates that the cost of certifying the safety of information 
collected by federal websites would be less than $500,000 over 
the next five years. Enacting the bill could affect direct 
spending by agencies not funded through annual appropriations; 
therefore, pay-as-you-go procedures apply. CBO estimates, 
however, that any net change in spending by those agencies 
would be negligible. Enacting the bill would not affect 
revenues.
    H.R. 3635 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act and 
would impose no costs on state, local, or tribal governments.
    The CBO staff contact for this estimate is Matthew 
Pickford. The estimate was approved by Theresa Gullo, Deputy 
Assistant Director for Budget Analysis.

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (new matter is 
printed in italic and existing law in which no change is 
proposed is shown in roman):

TITLE 44, UNITED STATES CODE

           *       *       *       *       *       *       *


         CHAPTER 35--COORDINATION OF FEDERAL INFORMATION POLICY

                SUBCHAPTER I--FEDERAL INFORMATION POLICY

Sec.
3501. Purposes.
     * * * * * * *

                  SUBCHAPTER III--INFORMATION SECURITY

     * * * * * * *
3550. Privacy breach requirements.

           *       *       *       *       *       *       *


SUBCHAPTER III--INFORMATION SECURITY

           *       *       *       *       *       *       *


Sec. 3550. Privacy breach requirements

  (a) Policies and Procedures.--The Director of the Office of 
Management and Budget shall establish and oversee policies and 
procedures for agencies to follow in the event of a breach of 
information security involving the disclosure of personally 
identifiable information, including requirements for--
          (1) not later than 72 hours after the agency 
        discovers such a breach, or discovers evidence that 
        reasonably indicates such a breach has occurred, notice 
        to the individuals whose personally identifiable 
        information could be compromised as a result of such 
        breach;
          (2) timely reporting to a Federal cybersecurity 
        center, as designated by the Director of the Office of 
        Management and Budget; and
          (3) any additional actions that the Director finds 
        necessary and appropriate, including data breach 
        analysis, fraud resolution services, identity theft 
        insurance, and credit protection or monitoring 
        services.
  (b) Required Agency Action.--The head of each agency shall 
ensure that actions taken in response to a breach of 
information security involving the disclosure of personally 
identifiable information under the authority or control of the 
agency comply with policies and procedures established by the 
Director of the Office of Management and Budget under 
subsection (a).
  (c) Report.--Not later than March 1 of each year, the 
Director of the Office of Management and Budget shall report to 
Congress on agency compliance with the policies and procedures 
established under subsection (a).
  (d) Federal Cybersecurity Center Defined.--The term ``Federal 
cybersecurity center'' means any of the following:
          (1) The Department of Defense Cyber Crime Center.
          (2) The Intelligence Community Incident Response 
        Center.
          (3) The United States Cyber Command Joint Operations 
        Center.
          (4) The National Cyber Investigative Joint Task 
        Force.
          (5) Central Security Service Threat Operations Center 
        of the National Security Agency.
          (6) The United States Computer Emergency Readiness 
        Team.
          (7) Any successor to a center, team, or task force 
        described in paragraphs (1) through (6).
          (8) Any center that the Director of the Office of 
        Management and Budget determines is appropriate to 
        carry out the requirements of this section.

           *       *       *       *       *       *       *