Report text available as:

  • TXT
  • PDF   (PDF provides a complete and accurate display of this text.) Tip ?

113th Congress 
 2d Session                      SENATE                          Report
                                                                113-256
_______________________________________________________________________

                                     

                                                       Calendar No. 564

 
         FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                S. 2521

  TO AMEND CHAPTER 35 OF TITLE 44, UNITED STATES CODE, TO PROVIDE FOR 
                 REFORM TO FEDERAL INFORMATION SECURITY

          


               September 15, 2014.--Ordered to be printed
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                  THOMAS R. CARPER, Delaware Chairman
CARL LEVIN, Michigan                 TOM COBURN, Oklahoma
MARK L. PRYOR, Arkansas              JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana          RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri           ROB PORTMAN, Ohio
JON TESTER, Montana                  RAND PAUL, Kentucky
MARK BEGICH, Alaska                  MICHAEL B. ENZI, Wyoming
TAMMY BALDWIN, Wisconsin             KELLY AYOTTE, New Hampshire
HEIDI HEITKAMP, North Dakota

                  Gabrielle A. Batkin, Staff Director
               John P. Kilvington, Deputy Staff Director
                    Mary Beth Schultz, Chief Counsel
          Stephen R. Vina, Chief Counsel for Homeland Security
           Matthew R. Grote, Senior Professional Staff Member
               Keith B. Ashdown, Minority Staff Director
         Christopher J. Barkley, Minority Deputy Staff Director
               Andrew C. Dockham, Minority Chief Counsel
         Daniel P. Lips, Minority Director of Homeland Security
            Justin Rood, Minority Director of Investigations
          William H.W. McKenna, Minority Investigative Counsel
                     Laura W. Kilbride, Chief Clerk
                                                       Calendar No. 564
113th Congress
                                 SENATE
                                                                 Report
 2d Session                                                     113-256

======================================================================




         FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014

                                _______
                                

               September 15, 2014.--Ordered to be printed

                                _______
                                

 Mr. Carper, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 2521]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 2521), to amend 
chapter 35 of title 44, United States Code, to provide for 
reform to Federal information security, having considered the 
same, reports favorably thereon without amendment and 
recommends that the bill do pass.

                                CONTENTS

                                                                   Page
  I. Purpose and Summary..............................................1
 II. Background and Need for the Legislation..........................2
III. Legislative History..............................................9
 IV. Section-by-Section Analysis......................................9
  V. Evaluation of Regulatory Impact.................................12
 VI. Congressional Budget Office Cost Estimate.......................12
VII. Changes in Existing Law Made by the Bill, as Reported...........13

                         I. Purpose and Summary

    S. 2521, the Federal Information Security Modernization 
Act, aims to strengthen the security of federal computer 
networks and information systems by updating the Federal 
Information Security Management Act of 2002. Specifically, it 
would: (1) clarify the roles and responsibilities of the Office 
of Management and Budget (OMB) and the Department of Homeland 
Security (DHS) to ensure that the statute appropriately 
reflects each agency's current functions, as well as their 
respective expertise and resources; (2) improve security by 
transitioning agencies away from paperwork requirements toward 
a more automated and continuous security posture; and (3) 
strengthen transparency and accountability including by making 
important improvements to the way federal data breaches are 
managed and reported to Congress and the public.

              II. Background and the Need for Legislation

    In 2002, President Bush signed into law the Federal 
Information Security Management Act of 2002 (FISMA), which 
built on existing information security laws,\1\ to ``provide a 
comprehensive framework for ensuring the effectiveness of 
information security controls over information resources that 
support Federal operations and assets.''\2\ This law aimed to 
protect all information and information systems held by or on 
behalf of Federal agencies from unauthorized access, use, 
disclosure, disruption, modification, or destruction. Under 
FISMA, a number of different federal agencies play a variety of 
roles in implementing the law's framework. For example, the 
National Institute of Standards and Technology (NIST) develops 
minimum security standards for federal information and 
information systems (other than national security systems).\3\ 
Agencies, through the Chief Information Officers and system 
owners, were required to establish information security 
programs with specific elements, implement minimum system 
security standards, and report to OMB and Congress on 
implementation progress. FISMA gave OMB the role of overseeing 
and enforcing agency compliance with the law and security 
standards. Finally, the bill required Inspectors General to 
audit agencies' compliance with the law annually, and 
Government Accountability Office to periodically review the 
effectiveness of the overall framework.
---------------------------------------------------------------------------
    \1\For example, the Computer Security Act of 1987 established 
government-wide mandatory standards for computer security developed by 
the National Institute of Standards and Technology (NIST) and required 
certain security plans and training; see Public Law No. 100-235 (H.R. 
145), (Jan. 8, 1988).
    \2\See 44 USC Sec. 35; 44 section Sec. 3541.
    \3\NIST received this charge in the Computer Security Act of 1987; 
See Public Law No. 100-235 (H.R. 145), (Jan. 8, 1988).
---------------------------------------------------------------------------
    Since the passage of FISMA, agencies have made progress in 
setting up consistent information security programs across 
government. Unfortunately, however, they have not kept up with 
the cyber threat that has grown even faster and larger than 
Congress could have foreseen in 2002. Over the past two 
decades, the growth of the Internet and the country's 
increasing use of interconnected networks to conduct its 
business has led to significant economic growth and innovation. 
However, this ever-increasing reliance upon the Internet has 
also unintentionally enabled new threats to develop. Indeed, 
the Federal Bureau of Investigation Director James Comey 
testified before the Homeland Security and Governmental Affairs 
Committee that he agreed with former-Director Robert Mueller's 
assessment that within the next ten years cyber threats would 
surpass the threat from foreign terrorists to the United 
States.\4\
---------------------------------------------------------------------------
    \4\See ``Threats to the Homeland'' hearing, Committee on Homeland 
Security and Governmental Affairs, U.S. Senate, November 14, 2013.
---------------------------------------------------------------------------
    Criminals, terrorists, and state actors have repeatedly 
shown their interest in attacking the computer networks that 
run so much of our economy, and have made clear that government 
systems are also in their sights.\5\ For example, in 2011, the 
Thrift Savings Plan (TSP), the retirement savings and 
investment plan used by millions of federal employees and 
members of the uniformed services, suffered a data security 
breach, allowing unauthorized access to the personal 
information of approximately 123,000 TSP participants.\6\ And, 
in 2013, malicious actors broke into the computer network at 
the Department of Energy's Washington headquarters and 
compromised the personal information of hundreds of 
employees.\7\ The Government Accountability Office has written 
that from 2006 to 2012, ``the number of incidents reported by 
federal agencies to the U.S. Computer Emergency Readiness 
Team\8\ (US-CERT) has increased from 5,503 in fiscal year 2006 
to 48,562 incidents in fiscal year 2012, an increase of 782 
percent.''\9\
---------------------------------------------------------------------------
    \5\Some actors in cyberspace also seek to disrupt or destroy 
computer systems, including those that control some of our nation's 
critical infrastructure--the systems that deliver power and water to 
our homes, our energy pipelines, our nuclear plants and our 
telecommunications systems. In Saudi Arabia, for example, a cyber 
attack against Saudi Aramco, one of the world's largest oil companies, 
damaged 30,000 computers on the company's network. See Worldwide Threat 
Assessment of the US Intelligence Community, Hearing before the House 
Permanent Select Committee on Intelligence, Written Statement of James 
R. Clapper, Director of National Intelligence (April 11, 2013). To 
date, there has been no similarly damaging cyber attack with physical 
effects to critical infrastructure in the United States. However, in 
2013, major financial institutions were targeted by repeated ``denial-
of-service'' cyber attacks, which attempted to disrupt the performance 
of company websites by flooding them with internet traffic. Id.
    \6\See Federal Retirement Thrift Investment Board, Press Release, 
``Federal Retirement Thrift Investment Board Reports a Cyber Attack on 
a Contractor Potentially Affecting TSP Participants'' (May 25, 2012) 
https://www.tsp.gov/PDF/formspubs/Press.Release.2012-05-25.Cyber.pdf 
(last accessed July 20, 2014).
    \7\See Department of Energy, Office of the Inspector General, The 
Department of Energy's July 2013 Cyber Security Breach, DOE/IG-0900 
(Washington, D.C.: Dec. 6, 2013) http://energy.gov/sites/prod/files/
2013/12/f5/IG-0900.pdf (last accessed July 20, 2014).
    \8\US-CERT within DHS provides technical and incident response 
assistance to operators of agency information systems.
    \9\See GAO-13-776, ``Federal Information Security: Mixed Progress 
In Implementing Program Components; Improved Metrics Needed To Measure 
Effectiveness,'' pages 8, 27, September 26, 2013. It is likely that 
some of these increases can be attributed to better reporting tools and 
metrics. For example, the increased use of automated discovery and 
monitoring tools has uncovered more security flaws than were known in 
past years and it is the hope that more visibility will bring more 
attention to prevent these vulnerabilities. Nonetheless, critical 
weaknesses continue to exist in agencies' security programs.
---------------------------------------------------------------------------
    Given the ever-increasing threat, the Committee believes 
that Congress must do everything possible to make government 
computer networks as strong as possible. S. 2521 would do that 
by modernizing and strengthening the current, outdated 
statutory framework governing federal information security. 
Specifically, it would: clarify the roles of the OMB and DHS; 
reduce paperwork and speed up the move toward real-time 
security; and make important improvements to the way federal 
data breaches are handled.

           CODIFYING AND CLARIFYING THE ROLES OF OMB AND DHS

    S. 2521 updates FISMA to codify and clarify the existing 
roles that DHS and OMB play in overseeing and securing federal 
agency computer networks. Under FISMA, the Director of OMB has 
exclusive authority to oversee the management and security of 
information security across federal civilian agencies. These 
functions include developing and overseeing information 
security policies, principles, standards and guidelines, 
requiring agencies to identify and provide information security 
protections commensurate with risk, and overseeing agency 
compliance with the requirements of FISMA, among other things. 
Although DHS does not have an explicit statutory role under 
FISMA, the Department currently performs a variety of 
functions, including providing cybersecurity services for 
federal civilian agencies across the government, under a 
patchwork of other authorities.
    In January 2008, President Bush issued National Security 
Presidential Directive 54/Homeland Security Presidential 
Directive 23, which, among other things, required DHS to lead 
the national effort to secure Federal networks and to 
coordinate and carry out government-wide security programs. The 
directive required DHS to ``lead the national effort to 
protect, defend, and reduce vulnerabilities of Federal 
systems,'' including to ``manage and oversee . . . the external 
access points, including access to the Internet for all Federal 
systems,'' ``provide consolidated intrusion detection, incident 
analysis, and cyber response capabilities,'' and set and 
enforce minimum operational standards for agency operation 
centers to manage external access points.\10\
---------------------------------------------------------------------------
    \10\See National Security Presidential Directive 54/Homeland 
Security Presidential Directive 23 ``Cybersecurity Policy'', paragraph 
15, January 8, 2008.
---------------------------------------------------------------------------
    In 2010, OMB issued M-10-28, ``Clarifying Cybersecurity 
Responsibilities and Activities of the Executive Office of the 
President and the Department of Homeland Security''. This 
memorandum delegated most of OMB's FISMA oversight functions to 
DHS and stated that ``DHS will exercise primary responsibility 
within the executive branch for the operational aspects of 
Federal agency cybersecurity.''\11\ Specifically, the memo made 
DHS responsible for:
---------------------------------------------------------------------------
    \11\See Office of Management and Budget, Memorandum M-10-28, 
``Clarifying Cybersecurity Responsibilities and Activities of the 
Executive Office of the President and the Department of Homeland 
Security'' (July 6, 2010).
---------------------------------------------------------------------------
            overseeing the government-wide and agency-
        specific implementation of and reporting on 
        cybersecurity policies and guidance;
            overseeing and assisting government-wide 
        and agency-specific efforts to provide adequate, risk-
        based and cost-effective cybersecurity;
            overseeing the agencies' compliance with 
        FISMA and developing analyses for OMB to assist in the 
        development of the FISMA annual report;
            overseeing the agencies' cybersecurity 
        operations and incident response and providing 
        appropriate assistance; and
            annually reviewing the agencies' 
        cybersecurity programs.\12\
---------------------------------------------------------------------------
    \12\Id.
---------------------------------------------------------------------------
    Under this memorandum, OMB submits the annual 
implementation report to Congress required by FISMA and carries 
out its traditional budgetary and fiscal oversight 
responsibilities with respect to agency spending on information 
security. OMB also oversees DHS in implementing its 
responsibilities under the memorandum. OMB's delegation of 
certain FISMA responsibilities to DHS is a sound move that has 
been and will continue to improve our federal information 
security.
    Within the federal government, DHS is responsible for 
working with the private sector to help protect our Nation's 
critical infrastructure from physical and cyber threats and 
overseeing the protection of the .gov domain. DHS employs over 
400 personnel dedicated to the security of government networks, 
and in fiscal year 2014 DHS was appropriated $680 million for 
its efforts on federal network security, network security 
deployment, and the United States Computer Emergency Readiness 
Team (US-CERT).\13\ OMB, on the other hand, has the equivalent 
of only 2-3 full-time employees on the ``management'' side 
overseeing security for the entire federal government and does 
not possess the technical capabilities of an operational 
department such as DHS.
---------------------------------------------------------------------------
    \13\See Department of Homeland Security, Congressional Budget 
Justification Fiscal Year 2015, page 9 (February 2014).
---------------------------------------------------------------------------
    At the center of DHS' cybersecurity and communications 
mission is the National Cybersecurity and Communications 
Integration Center (NCCIC). The NCICC is a round-the-clock 
information sharing, analysis and incident response center 
where government, private sector, and international partners 
work together on cybersecurity matters. Among its various 
functions, the NCCIC: analyzes cybersecurity and communications 
threats and vulnerabilities and coordinates findings with 
partners to manage risks to critical systems; creates shared 
situational awareness among public sector, private sector, and 
international partners by collaboratively developing and 
sharing timely and actionable cybersecurity and communications 
information; and responds cybersecurity and communications 
incidents and events to mitigate harmful activity, manage 
crisis situations, and support recovery efforts.
    Operation of the NCCIC gives DHS the ability to see and 
understand cyber threats and to find ways to mitigate against 
such threats, risks, and vulnerabilities. This insight is an 
extremely valuable tool, one that helps DHS to assist federal 
agencies in effectively implementing federal information 
security measures. In fiscal year 2013 alone, the NCCIC 
responded to more than 228,000 incident reports from a variety 
of stakeholders, ranging from minor compromises of personal 
information up to mass data thefts. The NCCIC also released 
over 11,000 cyber alerts to industry, federal agencies, and 
other partners in fiscal year 2013 and more than 5,000 
organizations have used the NCCIC's tools to perform self-
assessments to identify their own vulnerabilities.\14\
---------------------------------------------------------------------------
    \14\Department of Homeland Security, NCCIC Weekly Cyber Analytics 
Report, Week ending 14 June 2014 (on file with Committee staff).
---------------------------------------------------------------------------
    Since memoranda M-10-28 was issued, DHS has taken on the 
role of operational oversight of FISMA implementation and 
assisted agencies in bolstering their security. For example, 
DHS's National Protection and Programs Directorate (NPPD) has 
overseen government-wide FISMA compliance by issuing several 
policy directives, collecting and analyzing monthly compliance 
data, working with senior management at agencies to increase 
compliance, and updating reporting metrics to be more 
performance-based. DHS has also taken several measures to 
improve its own network security and scored first in its FISMA 
compliance among all major agencies in 2013.\15\
---------------------------------------------------------------------------
    \15\See ``Annual Report to Congress: Federal Information Security 
Management Act'', OMB, May 1, 2014, page 61. In 2012, DHS tied for 
first place with two other agencies. See ``Fiscal Year 2012 Report to 
Congress on the Implementation of The Federal Information Security 
Management Act of 2002'', OMB, March 2013, page 41.
---------------------------------------------------------------------------
    As mentioned above, OMB's delegation of many of its FISMA 
responsibilities was done through a memorandum. There has been 
no explicit statutory grant of authority of DHS's FISMA 
responsibilities. This lack of statutory clarity has led to 
uncertainty regarding the roles of DHS and OMB, resulting in 
inefficiencies and confusion. For example, in 2013, OMB and DHS 
released conflicting guidance to agencies on the same topic, 
annual reporting instructions to agencies on security 
implementation.\16\ A recent GAO report recognized the problems 
caused by the confusion regarding the roles and 
responsibilities of DHS and OMB, and GAO recommended that 
Congress consider passing legislation to clarify the respective 
agencies roles and responsibilities regarding implementation of 
and oversight of federal information security.\17\
---------------------------------------------------------------------------
    \16\See GAO-13-187, ``Cybersecurity: National Strategy, Roles, and 
Responsibilities Need to Be Better Defined and More Effectively 
Implemented'', February 14, 2013, page 33.
    \17\Id. at page 83.
---------------------------------------------------------------------------
    The Committee agrees that having clear statutory roles and 
responsibilities is beneficial in this area. This bill would 
address these concerns by codifying and clarifying the existing 
roles and responsibilities of DHS and OMB as described in 
memorandum M-10-28. Under this bill, OMB would retain federal 
information security enforcement responsibilities through its 
budget powers and its discretion in setting over-arching 
information security policies. DHS would continue to carry out 
the responsibilities delegated to it under the memorandum to 
oversee operational aspects of agency information security 
policies and practices, including by developing and overseeing 
implementation of binding operational directives to federal 
agencies, setting requirements for reporting security incidents 
and requirements for annual reports, establishing requirements 
for the mitigation of exigent risks, collecting implementation 
data, convening meetings with agencies to help ensure effective 
implementation of federal information security, coordinating 
government-wide information security efforts, and providing 
operational and technical assistance to agencies on information 
security. This structure is similar to the way other agencies 
share government-wide policy and implementation 
responsibilities in highly-technical areas. For example, the 
General Services Administration sets property management 
regulations that agencies must carry out and the Office of 
Personnel Management sets standards for personnel management 
that agencies must carry out.\18\
---------------------------------------------------------------------------
    \18\See 40 U.S.C. Sec. 121(c), and 5 U.S.C. Sec. 1104(b).
---------------------------------------------------------------------------
    Under the bill, DHS would also assist agencies in 
implementing information security programs, including by 
operating the Federal information security incident center, 
deploying continuous diagnostics and mitigation capabilities, 
compiling and analyzing data on agency information security, 
and conducting targeted operational evaluations.

                         CONTINUOUS MONITORING

    Over the years a number of experts have called for reform 
of the Federal information security framework to move away from 
paperwork-heavy processes toward real-time and automated 
security. Continuous monitoring, for example, allows federal 
agencies to monitor the effectiveness of security controls with 
a frequency based on risk and often in an automated fashion 
using security tools. It is common practice for a system owner 
to ``authorize'' that a system has adequate security before a 
system is active for the first time or if it undergoes a major 
change. Within the Federal government, this process is 
traditionally known as ``Certification and Accreditation,'' and 
agencies have been required to produce large binders of 
paperwork every three years to assure that adequate security 
controls were in place. This process has been criticized for 
requiring vast amounts of paperwork for little return on 
security.\19\ The modern approach to providing assurance of 
security controls involves automated monitoring and diagnostics 
with greater frequency and less paperwork.\20\
---------------------------------------------------------------------------
    \19\See ``More Security, Less Waste: What Makes Sense for our 
Federal Cyber Defense'', Federal Financial Management Subcommittee, 
Committee on Homeland Security and Governmental Affairs, United States 
Senate, October 29, 2009. See ``Updating U.S. Federal Cybersecurity 
Policy and Guidance,'' Center for Strategic and International Studies, 
page 3, October 2012.
    \20\See ``Federal Departments and Agencies Focus Cybersecurity 
Activity on Three Administration Priorities,'' Howard Schmidt, 
Cybersecurity Coordinator and Special Assistant to the President, March 
23, 2012; ``Continuous Diagnostics and Mitigation,'' Department of 
Homeland Security. See ``Special Publication 800-37, Guide for Applying 
the Risk Management Framework to Federal Information Systems,'' 
National Institute of Standards and Technology, page 1, February 2010. 
Current law requires agencies to test their systems ``with a frequency 
depending on risk, but no less than annually''. See 44 U.S.C. 
3542(b)(5). This requirement is flexible enough for agencies to adopt 
continuous monitoring programs prescribed by the National Institute of 
Standards and Technology.
---------------------------------------------------------------------------
    One of the main obstacles to full adoption of the modern, 
automated approach is a policy issued in 2000 by the Office of 
Management and Budget known as Circular A-130 Appendix III. 
This policy, which originated in the 1980's, has not been 
revised in over thirteen years despite the ever-changing nature 
of the cyber threat and information security best practices. It 
requires agencies to document the implementation of security 
controls on their systems every three years, which can result 
in large binders of paperwork. While some level of 
documentation is necessary to provide assurance of the 
effectiveness of controls, the requirements in this policy are 
not cost-effective methods to reduce information security risk. 
Experts have called for the rewrite of Circular A-130, stating 
that ``absent changes in policy, agency staff and oversight 
groups (e.g., Inspectors General and the Government 
Accountability Office) will continue to waste scarce resources 
on strategies that do little to mitigate risk.''\21\ S. 2521 
would move toward continuous and automated monitoring by 
requiring the Office of Management and Budget to revise A-130 
within 180 days to eliminate these inefficient and wasteful 
reports.
---------------------------------------------------------------------------
    \21\See ``Updating U.S. Federal Cybersecurity Policy and 
Guidance,'' Center for Strategic and International Studies, page 1, 
October 2012.
---------------------------------------------------------------------------
    Another way S. 2521 helps agencies improve security is by 
codifying the existing Continuous Diagnostics and Mitigation 
program at DHS. This program offers advanced security 
technologies to all agencies with the potential advantage of 
bulk-buying economies.\22\ In particular, the program offers 
software to implement the modern approach of automated 
security.
---------------------------------------------------------------------------
    \22\See ``Continuous Diagnostics and Mitigation,'' Department of 
Homeland Security, http://www.dhs.gov/cdm, last accessed July 8, 2014.
---------------------------------------------------------------------------

 STRENGTHENING ACCOUNTABILITY AND TRANSPARENCY THROUGH CYBER INCIDENT 
                              NOTIFICATION

    Finally, the bill would make important improvements to the 
way federal data breaches are managed. For example, the bill 
calls on federal agencies to provide timely notice to victims 
when their personally identifiable information is stolen from 
government networks. When it comes to responding to a data 
breach and notifying the public, it is very important for the 
federal government to be transparent and lead by example.
    Currently, agencies are required by OMB policy to publicly 
report only security incidents that affect personal information 
of individuals, with certain restrictions.\23\ Even then, the 
reports that are made are often inconsistent and don't have to 
go to Congress. Further, mandated management reports all focus 
on implementation compliance rather than actual incidents. For 
example, the annual reports to Congress required by FISMA from 
every agency are often dozens of pages long and show 
implementation levels of certain elements of agencies' 
information security programs. However, these reports provide 
Congress with only a limited view of how effective the security 
investments truly are. While it is difficult to measure 
security, the Committee believes that these reports would 
provide a clearer picture if they detailed major information 
security incidents at the agencies. Better transparency on 
incidents allows for more effective management and oversight of 
information security programs.
---------------------------------------------------------------------------
    \23\See OMB M-7-16 ``Safeguarding Against and Responding to the 
Breach of Personally Identifiable Information,'' May 22, 2007, page 13.
---------------------------------------------------------------------------
    The Government Accountability Office found that agencies' 
responses to breaches of personally identifiable information 
were inconsistent, partly due to incomplete guidance from 
OMB.\24\ S. 2521 would require OMB to issue data breach 
guidance to agencies requiring timely notification of breaches 
to victims and federal cybersecurity centers. The Director of 
OMB is required to consider the recommendations of GAO when 
establishing its policies and procedures for agencies to follow 
in the event of a breach.
---------------------------------------------------------------------------
    \24\GAO-14-34 ``Information Security: Agency Responses to Breaches 
of Personally Identifiable Information Need to Be More Consistent,'' 
December 9, 2013, page 26.
---------------------------------------------------------------------------
    Currently, there are no requirements for all agencies to 
notify Congress about major information security breaches. 
Management reports, such as the annual FISMA reports, typically 
focus on compliance of implementation of program requirements. 
While full implementation of program requirements is important, 
compliance data does not provide a complete picture of the 
effectiveness of security programs. The bill would require that 
major incidents are reported to Congress and that incidents are 
included in management and oversight reports.

                            OTHER AMENDMENTS

    Importantly, the bill requires the head of agencies to 
ensure that all personnel are held accountable for complying 
with the agency-wide information security program. Information 
security requires compliance and vigilance from all employees 
to ensure that there are no unnecessary weaknesses or 
vulnerabilities in each system. Requiring agencies to hold all 
employees accountable for complying with information security 
guidelines is an important measure to strengthen the security 
of federal networks and information systems.
    The bill makes several other minor changes to modernize the 
law. For example, to strengthen the oversight powers of 
department-level Chief Information Officers over component and 
agency information systems, the bill would require that senior 
agency officials (including component agency Chief Information 
Officers) carry out the directions of the department-level 
Chief Information Officer. It would also give Inspectors 
General more flexibility in how they audit security programs, 
require the Federal information security incident center at 
section 3556 of the bill to share threat intelligence with 
agencies, and require that the existing Information Security 
and Privacy Advisory Board, which currently advises NIST, also 
advise DHS.

                        III. Legislative History

    Chairman Carper and Ranking Member Coburn introduced S. 
2521 on June 24, 2014. The bill was referred to the Committee 
on Homeland Security and Governmental Affairs.
    The Committee considered S. 2521 at a business meeting on 
June 25, 2014 and ordered the bill reported favorably by voice 
vote. Senators present for vote on the bill were Senators 
Carper, Levin, Pryor, Landrieu, McCaskill, Tester, Heitkamp, 
Coburn, McCain, Johnson, and Portman.

        IV. Section-by-Section Analysis of the Bill, as Reported


Section 1. Short title

    The short title of the bill is the ``Federal Information 
Security Modernization Act of 2014''.

Section 2. FISMA reform

            Subsection (a)
    This subsection amends the Federal Information Security 
Management Act of 2002 (FISMA) by striking subchapters II and 
III of chapter 35 of Title 44, United States Code (44 U.S.C. 
3541, et seq.), and replacing them with a new subchapter. This 
new subchapter, however, retains the vast majority of original 
FISMA requirements. The following section-by-section analysis 
focuses on how this bill amends the original FISMA language.

New Section 3551. Purposes

    Section 3551 maintains the language under current FISMA 
stating that the purposes of this subchapter are to provide a 
comprehensive policy and oversight framework for federal 
agencies' information security.

New Section 3552. Definitions

    Section 3552 uses the same definitions that FISMA currently 
uses for the terms ``information security'', ``information 
technology'', ``national security system'', and the definitions 
under section 3502, from which FISMA derives much of its 
terminology. This section adds to the original FISMA language 
definitions for the terms ``binding operational directive'', 
``incident'', ``intelligence community'', and ``Secretary''. 
The term ``binding operational directive'' means a compulsory 
direction to an agency that is in accordance with policies, 
principles, standards, and guidelines issued by the Director. 
The definition for `incident' is derived from widely used 
guidance issued by the National Institute of Standards and 
Technology and the Committee on National Security Systems.

New Section 3553. Authority and functions of the Director and the 
        Secretary

    Section 3553 codifies and clarifies the roles currently 
played by the Director of the Office of Management and Budget 
(OMB) and the Secretary of Homeland Security, consistent with 
OMB Memoranda M-10-28.
    The Director would oversee agency information security 
policies, including developing and overseeing implementation of 
policies, requiring agencies to provide adequate information 
security protections, ensuring that the Secretary carries out 
the authorities and functions that have been assigned to him; 
coordinating the development of security standards, 
coordinating information security policy with information 
technology management policy, and consulting with the Secretary 
in carrying out OMB's authorities and functions under this 
subsection. This section maintains the scope of information and 
information systems subject to the requirements of FISMA set 
out by current law and OMB guidance.
    The Secretary would oversee the operational aspects of 
information security policies, including assisting the Director 
in fulfilling OMB's responsibilities under the bill. The 
Secretary would develop and oversee implementation of binding 
operational directives in accordance with overarching policies 
issued by the Director. The Secretary would monitor agency 
implementation of information security policies and practices, 
convene oversight meetings with agency officials, coordinate 
government-wide information security efforts and provide 
operational and technical assistance to agencies in 
implementing policies, principles, standards and guidelines on 
information security.
    The Secretary would also assist agencies in implementing 
information security programs, including by operating the 
Federal information security incident center, by deploying 
continuous diagnostics and mitigation capabilities, compiling 
and analyzing data on agency information security, and 
conducting targeted operational evaluations.
    The section would require the Director, in consultation 
with the Secretary, to report annually to Congress on the 
effectiveness of agency implementation of information security 
programs, including providing a summary of information security 
incidents across the federal government.
    This section would maintain the treatment of national 
security systems under current law. Current law gives the 
Secretary of Defense and the Director of National Intelligence 
policy and oversight authorities for systems critical to their 
missions.

New Section 3554. Federal agency responsibilities

    Section 3554 maintains much of current law that lays out 
responsibilities of agency heads to provide adequate security 
for the information and systems under their control. This 
section clarifies that Department heads would be required to 
ensure that component chief information officers follow the 
directions of the department-level chief information officer on 
information security matters. Agencies would be required to 
report major information security incidents to Congress, for 
incidents affecting information collected or maintained by or 
on behalf of the agency and information systems used or 
operated by the agency or by a contractor of the agency or 
other organization on behalf of the agency. Agency heads would 
report annually on the effectiveness of their security 
programs, along with a summary of incidents, and identify 
significant deficiencies and processes to remediate those 
deficiencies. This section maintains the scope of information 
and information systems subject to the requirements of FISMA 
set out by current law and OMB guidance, and the 
responsibilities of agency heads to provide adequate security 
for those information and information systems. The bill also 
requires heads of agencies to ensure that all personnel are 
held accountable for complying with agency-wide information 
security program requirements.

New Section 3555. Annual independent evaluation

    Section 3555 maintains much of current law and gives 
inspectors general additional flexibility in conducting their 
annual reviews under current law. GAO would provide technical 
assistance to inspectors general in conducting security 
reviews.

New Section 3556. Federal information security incident center

    Section 3556 maintains much of current law and requires the 
federal information security incident center, which is 
responsible for providing technical and incident response 
assistance to agencies, to share threat intelligence with 
agencies.

New Section 3557. National security systems

    Section 3557 maintains the language under current law to 
ensure that agencies provide security for national security 
systems.

New Section 3558. Effect on existing law

    Section 3558 maintains the language under current law to 
provide that nothing in this subchapter or those provisions of 
law relating to the development and promulgation of NIST-
developed standards may be construed as affecting current 
authorities regarding the use or disclosure of information.
            Subsection (b)
    Subsection (a) adds a table of sections in Title 44--
Information Security. Subsection (b) references other sections 
of related bills, including the Homeland Security Act of 2002, 
the National Institute of Standards and Technology Act, and the 
Cybersecurity Research and Development Act.
            Subsection (c)
    This subsection requires OMB to revise Appendix III of 
Office of Management and Budget Circular A-130 to eliminate 
inefficient or wasteful reporting. With this language, the 
Committee intends for OMB to rescind or amend Circular A-130 to 
eliminate the requirement for burdensome paperwork that does 
not provide cost-effective security.
    This subsection ensures that the existing Information 
Security and Privacy Advisory Board, which currently advises 
NIST, also advises DHS.

Section 3. Federal data breach response guidelines

    Section 201 adds a new section to Title 44: ``Section 3559, 
Privacy breach requirements.'' This new section requires that 
the Director of OMB establish and oversee policies and 
procedures for agencies to follow in the event of a breach of 
personally identifiable information at an agency. It requires 
agencies to provide timely notice to affected individuals, 
report to the federal information security incident center, 
provide notice to Congress, and perform other mitigation 
measures as required by the Director. Agencies are required to 
notify victims within 60 days, with law enforcement and 
national security exceptions. The Director must consider 
recommendations of the Government Accountability Office, 
including those found in GAO Report GAO-14-34, regarding OMB's 
policies for agency data breach notification practices and 
report to Congress annually to improve the consistency and 
effectiveness of government wide data breach response programs.

                   V. Evaluation of Regulatory Impact

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. Congressional Budget Office Cost Estimate

                                                     July 28, 2014.
Hon. Tom Carper,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S. 
        Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 2521, the Federal 
Information Security Modernization Act of 2014.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Matthew 
Pickford.
            Sincerely,
                                              Douglas W. Elmendorf.
    Enclosure.

S. 2521--Federal Information Security Modernization Act of 2014

    S. 2521 would amend the Federal Information Security 
Management Act of 2002 (FISMA)--the law that governs the 
security of the federal government's information technology 
systems. The legislation would clarify the roles and 
responsibilities of the Office of Management and Budget (OMB) 
and the Department of Homeland Security (DHS) for information 
security. The bill also would update guidelines that federal 
agencies follow in the event that there is an unauthorized 
release of data. S. 2521 would require OMB to revise Circular 
A-130--Management of Federal Information Resources.
    CBO estimates that implementing S. 2521 would have no 
significant net impact on the federal budget over the next five 
years. The bill could affect direct spending by agencies not 
funded through annual appropriations; therefore, pay-as-you-go 
procedures apply. CBO estimates, however, that any net increase 
in spending by those agencies would not be significant. 
Enacting S. 2521 would not affect revenues.
    Most of the provisions of the bill would codify and expand 
on current practices of the federal government. OMB has 
reported that in 2013, federal agencies spent almost $80 
billion on information technology and more than $10 billion on 
related security.
    S. 2521 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act and 
would impose no costs on state, local, or tribal governments 
budget.
    The CBO staff contacts for this estimate are Matthew 
Pickford and Jason Wheelock. The estimate was approved by 
Theresa Gullo, Deputy Assistant Director for Budget Analysis.

       VII. Changes in Existing Law Made by the Bill, as Reported

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, changes in existing law made by 
S. 2521 as reported are shown as follows (existing law proposed 
to be omitted is enclosed in brackets, new matter is printed in 
italic, and existing law in which no change is proposed is 
shown in roman):

TITLE 44, UNITED STATES CODE

           *       *       *       *       *       *       *


CHAPTER 35 COORDINATION OF FEDERAL INFORMATION POLICY

           *       *       *       *       *       *       *



                  [SUBCHAPTER II--INFORMATION SECURITY

[3531. Purposes.
[3532. Definitions.
[3533. Authority and functions of the Director.
[3534. Federal agency responsibilities.
[3535. Annual independent evaluation.
[3536. National security systems.
[3537. Authorization of appropriations.
[3538. Effect on existing law.]

                  [SUBCHAPTER III--INFORMATION SECURITY

[3541. Purposes.
[3542. Definitions.
[3543. Authority and functions of the Director.
[3544. Federal agency responsibilities.
[3545. Annual independent evaluation.
[3546. Federal information security incident center.
[3547. National security systems.
[3548. Authorization of appropriations.
[3549. Effect on existing law.

                  Subchapter II--Information Security]

Sec.
3551. Purposes.
3552. Definitions.
3553. Authority and functions of the Director and the Secretary.
3554. Federal agency responsibilities.
3555. Annual independent evaluation.
3556. Federal information security incident center.
3557. National security systems.
3558. Effect on existing law.
3559. Privacy breach requirements.

           *       *       *       *       *       *       *


                  [Subchapter II--Information Security


[SEC. 3531. PURPOSES.

    [The purposes of this subchapter are to--
          [(1) provide a comprehensive framework for ensuring 
        the effectiveness of information security controls over 
        information resources that support Federal operations 
        and assets;
          [(2) recognize the highly networked nature of the 
        current Federal computing environment and provide 
        effective government-wide management and oversight of 
        the related information security risks, including 
        coordination of information security efforts throughout 
        the civilian, national security, and law enforcement 
        communities;
          [(3) provide for development and maintenance of 
        minimum controls required to protect Federal 
        information and information systems;
          [(4) provide a mechanism for improved oversight of 
        Federal agency information security programs;
          [(5) acknowledge that commercially developed 
        information security products offer advanced, dynamic, 
        robust, and effective information security solutions, 
        reflecting market solutions for the protection of 
        critical information infrastructures important to the 
        national defense and economic security of the nation 
        that are designed, built, and operated by the private 
        sector; and
          [(6) recognize that the selection of specific 
        technical hardware and software information security 
        solutions should be left to individual agencies from 
        among commercially developed products.'.

[SEC. 3532. DEFINITIONS.

    [(a) In General.--Except as provided under subsection (b), 
the definitions under section 3502 shall apply to this 
subchapter.
    [(b) Additional Definitions.--As used in this subchapter--
          [(1) the term `information security' means protecting 
        information and information systems from unauthorized 
        access, use, disclosure, disruption, modification, or 
        destruction in order to provide--
                  [(A) integrity, which means guarding against 
                improper information modification or 
                destruction, and includes ensuring information 
                nonrepudiation and authenticity;
                  [(B) confidentiality, which means preserving 
                authorized restrictions on access and 
                disclosure, including means for protecting 
                personal privacy and proprietary information;
                  [(C) availability, which means ensuring 
                timely and reliable access to and use of 
                information; and
                  [(D) authentication, which means utilizing 
                digital credentials to assure the identity of 
                users and validate their access;
          [(2) the term `national security system' means any 
        information system (including any telecommunications 
        system) used or operated by an agency or by a 
        contractor of an agency, or other organization on 
        behalf of an agency, the function, operation, or use of 
        which--
                  [(A) involves intelligence activities;
                  [(B) involves cryptologic activities related 
                to national security;
                  [(C) involves command and control of military 
                forces;
                  [(D) involves equipment that is an integral 
                part of a weapon or weapons system; or
                  [(E) is critical to the direct fulfillment of 
                military or intelligence missions provided that 
                this definition does not apply to a system that 
                is used for routine administrative and business 
                applications (including payroll, finance, 
                logistics, and personnel management 
                applications);
          [(3) the term `information technology' has the 
        meaning given that term in section 11101 of title 40; 
        and
          [(4) the term `information system' means any 
        equipment or interconnected system or subsystems of 
        equipment that is used in the automatic acquisition, 
        storage, manipulation, management, movement, control, 
        display, switching, interchange, transmission, or 
        reception of data or information, and includes--
                  [(A) computers and computer networks;
                  [(B) ancillary equipment;
                  [(C) software, firmware, and related 
                procedures;
                  [(D) services, including support services; 
                and
                  [(E) related resources.

[SEC. 3533. AUTHORITY AND FUNCTIONS OF THE DIRECTOR.

    [(a) The Director shall oversee agency information security 
policies and practices, by--
          [(1) promulgating information security standards 
        under section 11331 of title 40;
          [(2) overseeing the implementation of policies, 
        principles, standards, and guidelines on information 
        security;
          [(3) requiring agencies, consistent with the 
        standards promulgated under such section 11331 and the 
        requirements of this subchapter, to identify and 
        provide information security protections commensurate 
        with the risk and magnitude of the harm resulting from 
        the unauthorized access, use, disclosure, disruption, 
        modification, or destruction of--
                  [(A) information collected or maintained by 
                or on behalf of an agency; or
                  [(B) information systems used or operated by 
                an agency or by a contractor of an agency or 
                other organization on behalf of an agency;
          [(4) coordinating the development of standards and 
        guidelines under section 20 of the National Institute 
        of Standards and Technology Act (15 U.S.C. 278g-3) with 
        agencies and offices operating or exercising control of 
        national security systems (including the National 
        Security Agency) to assure, to the maximum extent 
        feasible, that such standards and guidelines are 
        complementary with standards and guidelines developed 
        for national security systems;
          [(5) overseeing agency compliance with the 
        requirements of this subchapter, including through any 
        authorized action under section 11303(b)(5) of title 
        40, to enforce accountability for compliance with such 
        requirements;
          [(6) reviewing at least annually, and approving or 
        disapproving, agency information security programs 
        required under section 3534(b);
          [(7) coordinating information security policies and 
        procedures with related information resources 
        management policies and procedures; and
          [(8) reporting to Congress no later than March 1 of 
        each year on agency compliance with the requirements of 
        this subchapter, including--
                  [(A) a summary of the findings of evaluations 
                required by section 3535;
                  [(B) significant deficiencies in agency 
                information security practices;
                  [(C) planned remedial action to address such 
                deficiencies; and
                  [(D) a summary of, and the views of the 
                Director on, the report prepared by the 
                National Institute of Standards and Technology 
                under section 20(d)(9) of the National 
                Institute of Standards and Technology Act (15 
                U.S.C. 278g-3).
    [(b) Except for the authorities described in paragraphs (4) 
and (7) of subsection (a), the authorities of the Director 
under this section shall not apply to national security 
systems.

[SEC. 3534. FEDERAL AGENCY RESPONSIBILITIES.

    [(a) The head of each agency shall--
          [(1) be responsible for--
                  [(A) providing information security 
                protections commensurate with the risk and 
                magnitude of the harm resulting from 
                unauthorized access, use, disclosure, 
                disruption, modification, or destruction of--
                          [(i) information collected or 
                        maintained by or on behalf of the 
                        agency; and
                          [(ii) information systems used or 
                        operated by an agency or by a 
                        contractor of an agency or other 
                        organization on behalf of an agency;
                  [(B) complying with the requirements of this 
                subchapter and related policies, procedures, 
                standards, and guidelines, including--
                          [(i) information security standards 
                        promulgated by the Director under 
                        section 11331 of title 40; and
                          [(ii) information security standards 
                        and guidelines for national security 
                        systems issued in accordance with law 
                        and as directed by the President; and
                  [(C) ensuring that information security 
                management processes are integrated with agency 
                strategic and operational planning processes;
          [(2) ensure that senior agency officials provide 
        information security for the information and 
        information systems that support the operations and 
        assets under their control, including through--
                  [(A) assessing the risk and magnitude of the 
                harm that could result from the unauthorized 
                access, use, disclosure, disruption, 
                modification, or destruction of such 
                information or information systems;
                  [(B) determining the levels of information 
                security appropriate to protect such 
                information and information systems in 
                accordance with standards promulgated under 
                section 11331 of title 40 for information 
                security classifications and related 
                requirements;
                  [(C) implementing policies and procedures to 
                cost-effectively reduce risks to an acceptable 
                level; and
                  [(D) periodically testing and evaluating 
                information security controls and techniques to 
                ensure that they are effectively implemented;
          [(3) delegate to the agency Chief Information Officer 
        established under section 3506 (or comparable official 
        in an agency not covered by such section) the authority 
        to ensure compliance with the requirements imposed on 
        the agency under this subchapter, including--
                  [(A) designating a senior agency information 
                security officer who shall--
                          [(i) carry out the Chief Information 
                        Officer's responsibilities under this 
                        section;
                          [(ii) possess professional 
                        qualifications, including training and 
                        experience, required to administer the 
                        functions described under this section;
                          [(iii) have information security 
                        duties as that official's primary duty; 
                        and
                          [(iv) head an office with the mission 
                        and resources to assist in ensuring 
                        agency compliance with this section;
                  [(B) developing and maintaining an agency-
                wide information security program as required 
                by subsection (b);
                  [(C) developing and maintaining information 
                security policies, procedures, and control 
                techniques to address all applicable 
                requirements, including those issued under 
                section 3533 of this title, and section 11331 
                of title 40;
                  [(D) training and overseeing personnel with 
                significant responsibilities for information 
                security with respect to such responsibilities; 
                and
                  [(E) assisting senior agency officials 
                concerning their responsibilities under 
                paragraph (2);
          [(4) ensure that the agency has trained personnel 
        sufficient to assist the agency in complying with the 
        requirements of this subchapter and related policies, 
        procedures, standards, and guidelines; and
          [(5) ensure that the agency Chief Information 
        Officer, in coordination with other senior agency 
        officials, reports annually to the agency head on the 
        effectiveness of the agency information security 
        program, including progress of remedial actions.
    [(b) Each agency shall develop, document, and implement an 
agency-wide information security program, approved by the 
Director under section 3533(a)(5), to provide information 
security for the information and information systems that 
support the operations and assets of the agency, including 
those provided or managed by another agency, contractor, or 
other source, that includes--
          [(1) periodic assessments of the risk and magnitude 
        of the harm that could result from the unauthorized 
        access, use, disclosure, disruption, modification, or 
        destruction of information and information systems that 
        support the operations and assets of the agency;
          [(2) policies and procedures that--
                  [(A) are based on the risk assessments 
                required by paragraph (1);
                  [(B) cost-effectively reduce information 
                security risks to an acceptable level;
                  [(C) ensure that information security is 
                addressed throughout the life cycle of each 
                agency information system; and
                  [(D) ensure compliance with--
                          [(i) the requirements of this 
                        subchapter;
                          [(ii) policies and procedures as may 
                        be prescribed by the Director, and 
                        information security standards 
                        promulgated under section 11331 of 
                        title 40;
                          [(iii) minimally acceptable system 
                        configuration requirements, as 
                        determined by the agency; and
                          [(iv) any other applicable 
                        requirements, including standards and 
                        guidelines for national security 
                        systems issued in accordance with law 
                        and as directed by the President;
          [(3) subordinate plans for providing adequate 
        information security for networks, facilities, and 
        systems or groups of information systems, as 
        appropriate;
          [(4) security awareness training to inform personnel, 
        including contractors and other users of information 
        systems that support the operations and assets of the 
        agency, of--
                  [(A) information security risks associated 
                with their activities; and
                  [(B) their responsibilities in complying with 
                agency policies and procedures designed to 
                reduce these risks;
          [(5) periodic testing and evaluation of the 
        effectiveness of information security policies, 
        procedures, and practices, to be performed with a 
        frequency depending on risk, but no less than annually, 
        of which such testing--
                  [(A) shall include testing of management, 
                operational, and technical controls of every 
                information system identified in the inventory 
                required under section 3505(c); and
                  [(B) may include testing relied on in an 
                evaluation under section 3535;
          [(6) a process for planning, implementing, 
        evaluating, and documenting remedial action to address 
        any deficiencies in the information security policies, 
        procedures, and practices of the agency;
          [(7) procedures for detecting, reporting, and 
        responding to security incidents, including--
                  [(A) mitigating risks associated with such 
                incidents before substantial damage is done; 
                and
                  [(B) notifying and consulting with, as 
                appropriate--
                          [(i) law enforcement agencies and 
                        relevant Offices of Inspector General;
                          [(ii) an office designated by the 
                        President for any incident involving a 
                        national security system; and
                          [(iii) any other agency or office, in 
                        accordance with law or as directed by 
                        the President; and
          [(8) plans and procedures to ensure continuity of 
        operations for information systems that support the 
        operations and assets of the agency.
    [(c) Each agency shall--
          [(1) report annually to the Director, the Committees 
        on Government Reform and Science of the House of 
        Representatives, the Committees on Governmental Affairs 
        and Commerce, Science, and Transportation of the 
        Senate, the appropriate authorization and 
        appropriations committees of Congress, and the 
        Comptroller General on the adequacy and effectiveness 
        of information security policies, procedures, and 
        practices, and compliance with the requirements of this 
        subchapter, including compliance with each requirement 
        of subsection (b);
          [(2) address the adequacy and effectiveness of 
        information security policies, procedures, and 
        practices in plans and reports relating to--
                  [(A) annual agency budgets;
                  [(B) information resources management under 
                subchapter 1 of this chapter;
                  [(C) information technology management under 
                subtitle III of title 40;
                  [(D) program performance under sections 1105 
                and 1115 through 1119 of title 31, and sections 
                2801 and 2805 of title 39;
                  [(E) financial management under chapter 9 of 
                title 31, and the Chief Financial Officers Act 
                of 1990 (31 U.S.C. 501 note; Public Law 101-
                576) (and the amendments made by that Act);
                  [(F) financial management systems under the 
                Federal Financial Management Improvement Act 
                (31 U.S.C. 3512 note); and
                  [(G) internal accounting and administrative 
                controls under section 3512 of title 31, United 
                States Code, (known as the Federal Managers 
                Financial Integrity Act'); and
          [(3) report any significant deficiency in a policy, 
        procedure, or practice identified under paragraph (1) 
        or (2)--
                  [(A) as a material weakness in reporting 
                under section 3512 of title 31; and
                  [(B) if relating to financial management 
                systems, as an instance of a lack of 
                substantial compliance under the Federal 
                Financial Management Improvement Act (31 U.S.C. 
                3512 note).
    [(d)(1) In addition to the requirements of subsection (c), 
each agency, in consultation with the Director, shall include 
as part of the performance plan required under section 1115 of 
title 31 a description of--
          [(A) the time periods; and
          [(B) the resources, including budget, staffing, and 
        training,
[that are necessary to implement the program required under 
subsection (b).
    [(2) The description under paragraph (1) shall be based on 
the risk assessments required under subsection (b)(2)(1).
    [(e) Each agency shall provide the public with timely 
notice and opportunities for comment on proposed information 
security policies and procedures to the extent that such 
policies and procedures affect communication with the public.

[SEC. 3535. ANNUAL INDEPENDENT EVALUATION.

    [(a)(1) Each year each agency shall have performed an 
independent evaluation of the information security program and 
practices of that agency to determine the effectiveness of such 
program and practices.
    [(2) Each evaluation by an agency under this section shall 
include--
          [(A) testing of the effectiveness of information 
        security policies, procedures, and practices of a 
        representative subset of the agency's information 
        systems;
          [(B) an assessment (made on the basis of the results 
        of the testing) of compliance with--
                  [(i) the requirements of this subchapter; and
                  [(ii) related information security policies, 
                procedures, standards, and guidelines; and
          [(C) separate presentations, as appropriate, 
        regarding information security relating to national 
        security systems.
    [(b) Subject to subsection (c)--
          [(1) for each agency with an Inspector General 
        appointed under the Inspector General Act of 1978, the 
        annual evaluation required by this section shall be 
        performed by the Inspector General or by an independent 
        external auditor, as determined by the Inspector 
        General of the agency; and
          [(2) for each agency to which paragraph (1) does not 
        apply, the head of the agency shall engage an 
        independent external auditor to perform the evaluation.
    [(c) For each agency operating or exercising control of a 
national security system, that portion of the evaluation 
required by this section directly relating to a national 
security system shall be performed--
          [(1) only by an entity designated by the agency head; 
        and
          [(2) in such a manner as to ensure appropriate 
        protection for information associated with any 
        information security vulnerability in such system 
        commensurate with the risk and in accordance with all 
        applicable laws.
    [(d) The evaluation required by this section--
          [(1) shall be performed in accordance with generally 
        accepted government auditing standards; and
          [(2) may be based in whole or in part on an audit, 
        evaluation, or report relating to programs or practices 
        of the applicable agency.
    [(e) Each year, not later than such date established by the 
Director, the head of each agency shall submit to the Director 
the results of the evaluation required under this section.
    [(f) Agencies and evaluators shall take appropriate steps 
to ensure the protection of information which, if disclosed, 
may adversely affect information security. Such protections 
shall be commensurate with the risk and comply with all 
applicable laws and regulations.
    [(g)(1) The Director shall summarize the results of the 
evaluations conducted under this section in the report to 
Congress required under section 3533(a)(8).
    [(2) The Director's report to Congress under this 
subsection shall summarize information regarding information 
security relating to national security systems in such a manner 
as to ensure appropriate protection for information associated 
with any information security vulnerability in such system 
commensurate with the risk and in accordance with all 
applicable laws.
    [(3) Evaluations and any other descriptions of information 
systems under the authority and control of the Director of 
Central Intelligence or of National Foreign Intelligence 
Programs systems under the authority and control of the 
Secretary of Defense shall be made available to Congress only 
through the appropriate oversight committees of Congress, in 
accordance with applicable laws.
    [(h) The Comptroller General shall periodically evaluate 
and report to Congress on--
          [(1) the adequacy and effectiveness of agency 
        information security policies and practices; and
          [(2) implementation of the requirements of this 
        subchapter.

[SEC. 3536. NATIONAL SECURITY SYSTEMS.

    [The head of each agency operating or exercising control of 
a national security system shall be responsible for ensuring 
that the agency--
          [(1) provides information security protections 
        commensurate with the risk and magnitude of the harm 
        resulting from the unauthorized access, use, 
        disclosure, disruption, modification, or destruction of 
        the information contained in such system;
          [(2) implements information security policies and 
        practices as required by standards and guidelines for 
        national security systems, issued in accordance with 
        law and as directed by the President; and
          [(3) complies with the requirements of this 
        subchapter.

[SEC. 3537. AUTHORIZATION OF APPROPRIATIONS.

    [There are authorized to be appropriated to carry out the 
provisions of this subchapter such sums as may be necessary for 
each of fiscal years 2003 through 2007.

[SEC. 3538. EFFECT ON EXISTING LAW.

    [Nothing in this subchapter, section 11331 of title 40, or 
section 20 of the National Standards and Technology Act (15 
U.S.C. 278g-3) may be construed as affecting the authority of 
the President, the Office of Management and Budget or the 
Director thereof, the National Institute of Standards and 
Technology, or the head of any agency, with respect to the 
authorized use or disclosure of information, including with 
regard to the protection of personal privacy under section 552a 
of title 5, the disclosure of information under section 552 of 
title 5, the management and disposition of records under 
chapters 29, 31, or 33 of title 44, the management of 
information resources under subchapter I of chapter 35 of this 
title, or the disclosure of information to Congress or the 
Comptroller General of the United States.

                 [Subchapter III--Information Security


[SEC. 3541. PURPOSES.

    [The purposes of this subchapter are to--
          [(1) provide a comprehensive framework for ensuring 
        the effectiveness of information security controls over 
        information resources that support Federal operations 
        and assets;
          [(2) recognize the highly networked nature of the 
        current Federal computing environment and provide 
        effective government-wide management and oversight of 
        the related information security risks, including 
        coordination of information security efforts throughout 
        the civilian, national security, and law enforcement 
        communities;
          [(3) provide for development and maintenance of 
        minimum controls required to protect Federal 
        information and information systems; and
          [(4) provide a mechanism for improved oversight of 
        Federal agency information security programs.

[SEC. 3542. DEFINITIONS.

    [(a) In General.--Except as provided under subsection (b), 
the definitions under section 3502 shall apply to this 
subchapter.
    [(b) Additional Definitions.--As used in this subchapter--
          [(1) the term `information security' means protecting 
        information and information systems from unauthorized 
        use, disclosure, disruption, modification, or 
        destruction in order to provide--
                  [(A) integrity, which means guarding against 
                improper information modification or 
                destruction, and includes ensuring information 
                nonrepudiation and authenticity;
                  [(B) confidentiality, which means preserving 
                an appropriate level of information secrecy; 
                and
                  [(C) availability, which means ensuring 
                timely and reliable access to and use of 
                information;
          [(2) the term `national security system' means any 
        information system (including any telecommunications 
        system) used or operated by an agency or by a 
        contractor of an agency, or other organization on 
        behalf of an agency--
                  [(A) the function, operation, or use of 
                which--
                          [(i) involves intelligence 
                        activities;
                          [(ii) involves cryptologic activities 
                        related to national security;
                          [(iii) involves command and control 
                        of military forces;
                          [(iv) involves equipment that is an 
                        integral part of a weapon or weapons 
                        system; or
                          [(v) is critical to the direct 
                        fulfillment of military or intelligence 
                        missions provided that this definition 
                        does not apply to a system that is used 
                        for routine administrative and business 
                        applications (including payroll, 
                        finance, logistics, and personnel 
                        management applications); or
                  [(B) is protected at all times by procedures 
                established for information that have been 
                specifically authorized under criteria 
                established by an Executive order or an Act of 
                Congress to be kept secret in the interest of 
                national defense or foreign policy; and
          [(3) the term `information technology' has the 
        meaning given that term in section 5002 of the Clinger-
        Cohen Act of 1996 (40 U.S.C. 1401).

[SEC. 3543. AUTHORITY AND FUNCTIONS OF THE DIRECTOR.

    [(a) The Director shall oversee agency information security 
policies and practices, including--
          [(1) developing and overseeing the implementation of 
        policies, principles, standards, and guidelines on 
        information security, including through the 
        promulgation of standards and guidelines under section 
        5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441);
          [(2) requiring agencies, consistent with the 
        standards and guidelines promulgated under such section 
        5131 and the requirements of this subchapter, to 
        identify and provide information security protections 
        commensurate with the risk and magnitude of the harm 
        resulting from the unauthorized use, disclosure, 
        disruption, modification, or destruction of--
                  [(A) information collected or maintained by 
                or on behalf of an agency; or
                  [(B) information systems used or operated by 
                an agency or by a contractor of an agency or 
                other organization on behalf of an agency;
          [(3) coordinating the development of standards and 
        guidelines under section 20 of the National Institute 
        of Standards and Technology Act (15 U.S.C. 278g-3) with 
        agencies and offices operating or exercising control of 
        national security systems (including the National 
        Security Agency) to assure, to the maximum extent 
        feasible, that such standards and guidelines are 
        complementary with standards and guidelines developed 
        for national security systems;
          [(4) overseeing agency compliance with the 
        requirements of this subchapter, including through any 
        authorized action under section 5113(b)(5) of the 
        Clinger-Cohen Act of 1996 (40 U.S.C. 1413(b)(5)) to 
        enforce accountability for compliance with such 
        requirements;
          [(5) coordinating information security policies and 
        procedures with related information resources 
        management policies and procedures;
          [(6) overseeing the development and operation of the 
        Federal information security incident center 
        established under section 3536; and
          [(7) reporting to Congress on agency compliance with 
        the requirements of this subchapter, including--
                  [(A) a summary of the findings of evaluations 
                required by section 3535;
                  [(B) significant deficiencies in agency 
                information security practices; and
                  [(C) planned remedial action to address such 
                deficiencies.
    [(b) Except for the authorities described in paragraphs (4) 
and (7) of subsection (a), the authorities of the Director 
under this section shall not apply to national security 
systems.

[SEC. 3544. FEDERAL AGENCY RESPONSIBILITIES.

    [(a) The head of each agency shall--
          [(1) be responsible for--
                  [(A) providing information security 
                protections commensurate with the risk and 
                magnitude of the harm resulting from 
                unauthorized use, disclosure, disruption, 
                modification, or destruction of--
                          [(i) information collected or 
                        maintained by or on behalf of the 
                        agency; and
                          [(ii) information systems used or 
                        operated by an agency or by a 
                        contractor of an agency or other 
                        organization on behalf of an agency;
                  [(B) complying with the requirements of this 
                subchapter and related policies, procedures, 
                standards, and guidelines, including--
                          [(i) information security standards 
                        and guidelines promulgated by the 
                        Director under section 5131 of the 
                        Clinger-Cohen Act of 1996 (40 U.S.C. 
                        1441); and
                          [(ii) information security standards 
                        and guidelines for national security 
                        systems issued in accordance with law 
                        and as directed by the President; and
                  [(C) ensuring that information security 
                management processes are integrated with agency 
                strategic and operational planning processes;
          [(2) ensure that senior agency officials provide 
        information security for the information and 
        information systems that support the operations and 
        assets under their control, including through--
                  [(A) assessing the risk and magnitude of the 
                harm that could result from the unauthorized 
                use, disclosure, disruption, modification, or 
                destruction of such information or information 
                systems;
                  [(B) determining the levels of information 
                security appropriate to protect such 
                information and information systems in 
                accordance with standards and guidelines 
                promulgated under section 5131 of the Clinger-
                Cohen Act of 1996 (40 U.S.C. 1441) for 
                information security classifications and 
                related requirements;
                  [(C) implementing policies and procedures to 
                cost-effectively reduce risks to an acceptable 
                level; and
                  [(D) periodically testing and evaluating 
                information security controls and techniques to 
                ensure that they are effectively implemented;
          [(3) delegate to the agency Chief Information Officer 
        established under section 3506 (or comparable official 
        in an agency not covered by such section) the authority 
        to ensure compliance with the requirements imposed on 
        the agency under this subchapter, including--
                  [(A) designating a senior agency information 
                security officer who shall--
                          [(i) carry out the Chief Information 
                        Officer's responsibilities under this 
                        section;
                          [(ii) possess professional 
                        qualifications, including training and 
                        experience, required to administer the 
                        functions described under this section;
                          [(iii) have information security 
                        duties as that official's primary duty; 
                        and
                          [(iv) head an office with the mission 
                        and resources to assist in ensuring 
                        agency compliance with this section;
                  [(B) developing and maintaining an agency-
                wide information security program as required 
                by subsection (b);
                  [(C) developing and maintaining information 
                security policies, procedures, and control 
                techniques to address all applicable 
                requirements, including those issued under 
                section 3533 of this title, and section 5131 of 
                the Clinger-Cohen Act of 1996 (40 U.S.C. 1441);
                  [(D) training and overseeing personnel with 
                significant responsibilities for information 
                security with respect to such responsibilities; 
                and
                  [(E) assisting senior agency officials 
                concerning their responsibilities under 
                subparagraph (2);
          [(4) ensure that the agency has trained personnel 
        sufficient to assist the agency in complying with the 
        requirements of this subchapter and related policies, 
        procedures, standards, and guidelines; and
          [(5) ensure that the agency Chief Information 
        Officer, in coordination with other senior agency 
        officials, reports annually to the agency head on the 
        effectiveness of the agency information security 
        program, including progress of remedial actions.
    [(b) Each agency shall develop, document, and implement an 
agency-wide information security program to provide information 
security for the information and information systems that 
support the operations and assets of the agency, including 
those provided or managed by another agency, contractor, or 
other source, that includes--
          [(1) periodic assessments of the risk and magnitude 
        of the harm that could result from the unauthorized 
        use, disclosure, disruption, modification, or 
        destruction of information and information systems that 
        support the operations and assets of the agency;
          [(2) policies and procedures that--
                  [(A) are based on the risk assessments 
                required by subparagraph (1);
                  [(B) cost-effectively reduce information 
                security risks to an acceptable level;
                  [(C) ensure that information security is 
                addressed throughout the life cycle of each 
                agency information system; and
                  [(D) ensure compliance with--
                          [(i) the requirements of this 
                        subchapter;
                          [(ii) policies and procedures as may 
                        be prescribed by the Director, 
                        including information security 
                        standards and guidelines promulgated 
                        under section 5131 of the Clinger-Cohen 
                        Act of 1996 (40 U.S.C. 1441); and
                          [(iii) any other applicable 
                        requirements, including standards and 
                        guidelines for national security 
                        systems issued in accordance with law 
                        and as directed by the President;
          [(3) subordinate plans for providing adequate 
        information security for networks, facilities, and 
        systems or groups of information systems, as 
        appropriate;
          [(4) security awareness training to inform personnel, 
        including contractors and other users of information 
        systems that support the operations and assets of the 
        agency, of--
                  [(A) information security risks associated 
                with their activities; and
                  [(B) their responsibilities in complying with 
                agency policies and procedures designed to 
                reduce these risks;
          [(5) periodic testing and evaluation of the 
        effectiveness of information security policies, 
        procedures, and practices, to be performed with a 
        frequency depending on risk, but no less than annually;
          [(6) a process for ensuring remedial action to 
        address any deficiencies in the information security 
        policies, procedures, and practices of the agency;
          [(7) procedures for detecting, reporting, and 
        responding to security incidents, consistent with 
        guidance issued under section 3536, including--
                  [(A) mitigating risks associated with such 
                incidents before substantial damage is done;
                  [(B) notifying and consulting with the 
                Federal information security incident center 
                established under section 3536; and
                  [(C) notifying and consulting with, as 
                appropriate--
                          [(i) law enforcement agencies and 
                        relevant Offices of Inspector General;
                          [(ii) an office designated by the 
                        President for any incident involving a 
                        national security system; and
                          [(iii) any other agency or office, in 
                        accordance with law or as directed by 
                        the President; and
          [(8) plans and procedures to ensure continuity of 
        operations for information systems that support the 
        operations and assets of the agency.
    [(c) Each agency shall--
          [(1) report annually to the Director and the 
        Comptroller General on the adequacy and effectiveness 
        of information security policies, procedures, and 
        practices, including compliance with the requirements 
        of this subchapter;
          [(2) address the adequacy and effectiveness of 
        information security policies, procedures, and 
        practices in plans and reports relating to--
                  [(A) annual agency budgets;
                  [(B) information resources management under 
                subchapter 1 of this chapter;
                  [(C) information technology management under 
                the Clinger-Cohen Act of 1996 (40 U.S.C. 1401 
                et seq.);
                  [(D) program performance under sections 1105 
                and 1115 through 1119 of title 31, and sections 
                2801 and 2805 of title 39;
                  [(E) financial management under chapter 9 of 
                title 31, and the Chief Financial Officers Act 
                of 1990 (31 U.S.C. 501 note; Public Law 101-
                576) (and the amendments made by that Act);
                  [(F) financial management systems under the 
                Federal Financial Management Improvement Act 
                (31 U.S.C. 3512 note); and
                  [(G) internal accounting and administrative 
                controls under section 3512 of title 31, United 
                States Code, (known as the Federal Managers 
                Financial Integrity Act'); and
          [(3) report any significant deficiency in a policy, 
        procedure, or practice identified under paragraph (1) 
        or (2)--
                  [(A) as a material weakness in reporting 
                under section 3512 of title 31, United States 
                Code; and
                  [(B) if relating to financial management 
                systems, as an instance of a lack of 
                substantial compliance under the Federal 
                Financial Management Improvement Act (31 U.S.C. 
                3512 note).
    [(d)(1) In addition to the requirements of subsection (c), 
each agency, in consultation with the Director, shall include 
as part of the performance plan required under section 1115 of 
title 31 a description of--
          [(A) the time periods, and
          [(B) the resources, including budget, staffing, and 
        training,
[that are necessary to implement the program required under 
subsection (b).
    [(2) The description under paragraph (1) shall be based on 
the risk assessments required under subsection (b)(2)(1).
    [(e) Each agency shall provide the public with timely 
notice and opportunities for comment on proposed information 
security policies and procedures to the extent that such 
policies and procedures affect communication with the public.

[SEC. 3545. ANNUAL INDEPENDENT EVALUATION.

    [(a)(1) Each year each agency shall have performed an 
independent evaluation of the information security program and 
practices of that agency to determine the effectiveness of such 
program and practices.
    [(2) Each evaluation by an agency under this section shall 
include--
          [(A) testing of the effectiveness of information 
        security policies, procedures, and practices of a 
        representative subset of the agency's information 
        systems;
          [(B) an assessment (made on the basis of the results 
        of the testing) of compliance with--
                  [(i) the requirements of this subchapter; and
                  [(ii) related information security policies, 
                procedures, standards, and guidelines; and
          [(C) separate presentations, as appropriate, 
        regarding information security relating to national 
        security systems.
    [(b) Subject to subsection (c)--
          [(1) for each agency with an Inspector General 
        appointed under the Inspector General Act of 1978, the 
        annual evaluation required by this section shall be 
        performed by the Inspector General or by an independent 
        external auditor, as determined by the Inspector 
        General of the agency; and
          [(2) for each agency to which paragraph (1) does not 
        apply, the head of the agency shall engage an 
        independent external auditor to perform the evaluation.
    [(c) For each agency operating or exercising control of a 
national security system, that portion of the evaluation 
required by this section directly relating to a national 
security system shall be performed--
          [(1) only by an entity designated by the agency head; 
        and
          [(2) in such a manner as to ensure appropriate 
        protection for information associated with any 
        information security vulnerability in such system 
        commensurate with the risk and in accordance with all 
        applicable laws.
    [(d) The evaluation required by this section--
          [(1) shall be performed in accordance with generally 
        accepted government auditing standards; and
          [(2) may be based in whole or in part on an audit, 
        evaluation, or report relating to programs or practices 
        of the applicable agency.
    [(e) The results of an evaluation required by this section 
shall be submitted to the Director no later than March 1, 2003, 
and every March 1 thereafter.
    [(f) Agencies and evaluators shall take appropriate steps 
to ensure the protection of information which, if disclosed, 
may adversely affect information security. Such protections 
shall be commensurate with the risk and comply with all 
applicable laws and regulations.
    [(g)(1) The Director shall summarize the results of the 
evaluations conducted under this section in a report to 
Congress.
    [(2) The Director's report to Congress under this 
subsection shall summarize information regarding information 
security relating to national security systems in such a manner 
as to ensure appropriate protection for information associated 
with any information security vulnerability in such system 
commensurate with the risk and in accordance with all 
applicable laws.
    [(3) Evaluations and any other descriptions of information 
systems under the authority and control of the Director of 
Central Intelligence or of National Foreign Intelligence 
Programs systems under the authority and control of the 
Secretary of Defense shall be made available to Congress only 
through the appropriate oversight committees of Congress, in 
accordance with applicable laws.
    [(h) The Comptroller General shall periodically evaluate 
and report to Congress on--
          [(1) the adequacy and effectiveness of agency 
        information security policies and practices; and
          [(2) implementation of the requirements of this 
        subchapter.

[SEC. 3546. FEDERAL INFORMATION SECURITY INCIDENT CENTER.

    [(a) The Director shall cause to be established and 
operated a central Federal information security incident center 
to--
          [(1) provide timely technical assistance to operators 
        of agency information systems regarding security 
        incidents, including guidance on detecting and handling 
        information security incidents;
          [(2) compile and analyze information about incidents 
        that threaten information security;
          [(3) inform operators of agency information systems 
        about current and potential information security 
        threats, and vulnerabilities; and
          [(4) consult with agencies or offices operating or 
        exercising control of national security systems 
        (including the National Security Agency) and such other 
        agencies or offices in accordance with law and as 
        directed by the President regarding information 
        security incidents and related matters.
    [(b) Each agency operating or exercising control of a 
national security system shall share information about 
information security incidents, threats, and vulnerabilities 
with the Federal information security incident center to the 
extent consistent with standards and guidelines for national 
security systems, issued in accordance with law and as directed 
by the President.

[SEC. 3547. NATIONAL SECURITY SYSTEMS.

    [The head of each agency operating or exercising control of 
a national security system shall be responsible for ensuring 
that the agency--
          [(1) provides information security protections 
        commensurate with the risk and magnitude of the harm 
        resulting from the unauthorized use, disclosure, 
        disruption, modification, or destruction of the 
        information contained in such system;
          [(2) implements information security policies and 
        practices as required by standards and guidelines for 
        national security systems, issued in accordance with 
        law and as directed by the President; and
          [(3) complies with the requirements of this 
        subchapter.

[SEC. 3548. AUTHORIZATION OF APPROPRIATIONS.

    [There are authorized to be appropriated to carry out the 
provisions of this subchapter such sums as may be necessary for 
each of fiscal years 2003 through 2007.]

                  Subchapter II--Information Security

SEC. 3551. PURPOSES.

    The purposes of this subchapter are to--
          (1) provide a comprehensive framework for ensuring 
        the effectiveness of information security controls over 
        information resources that support Federal operations 
        and assets;
          (2) recognize the highly networked nature of the 
        current Federal computing environment and provide 
        effective government-wide management and oversight of 
        the related information security risks, including 
        coordination of information security efforts throughout 
        the civilian, national security, and law enforcement 
        communities;
          (3) provide for development and maintenance of 
        minimum controls required to protect Federal 
        information and information systems;
          (4) provide a mechanism for improved oversight of 
        Federal agency information security programs;
          (5) acknowledge that commercially developed 
        information security products offer advanced, dynamic, 
        robust, and effective information security solutions, 
        reflecting market solutions for the protection of 
        critical information infrastructures important to the 
        national defense and economic security of the nation 
        that are designed, built, and operated by the private 
        sector; and
          (6) recognize that the selection of specific 
        technical hardware and software information security 
        solutions should be left to individual agencies from 
        among commercially developed products.

SEC. 3552. DEFINITIONS.

    (a) In General.--Except as provided under subsection (b), 
the definitions under section 3502 shall apply to this 
subchapter.
    (b) Additional Definitions.--As used in this subchapter:
          (1) The term ``binding operational directive'' means 
        a compulsory direction to an agency that is in 
        accordance with policies, principles, standards, and 
        guidelines issued by the Director.
          (2) The term ``incident'' means an occurrence that--
                  (A) actually or imminently jeopardizes, 
                without lawful authority, the integrity, 
                confidentiality, or availability of information 
                or an information system; or
                  (B) constitutes a violation or imminent 
                threat of violation of law, security policies, 
                security procedures, or acceptable use 
                policies.
          (3) The term ``information security'' means 
        protecting information and information systems from 
        unauthorized access, use, disclosure, disruption, 
        modification, or destruction in order to provide--
                  (A) integrity, which means guarding against 
                improper information modification or 
                destruction, and includes ensuring information 
                nonrepudiation and authenticity;
                  (B) confidentiality, which means preserving 
                authorized restrictions on access and 
                disclosure, including means for protecting 
                personal privacy and proprietary information; 
                and
                  (C) availability, which means ensuring timely 
                and reliable access to and use of information.
          (4) The term ``information technology'' has the 
        meaning given that term in section 11101 of title 40.
          (5) The term ``intelligence community'' has the 
        meaning given that term in section 3(4) of the National 
        Security Act of 1947 (50 U.S.C. 3003(4)).
          (6)(A) The term ``national security system'' means 
        any information system (including any 
        telecommunications system) used or operated by an 
        agency or by a contractor of an agency, or other 
        organization on behalf of an agency--
                  (i) the function, operation, or use of 
                which--
                          (I) involves intelligence activities;
                          (II) involves cryptologic activities 
                        related to national security;
                          (III) involves command and control of 
                        military forces;
                          (IV) involves equipment that is an 
                        integral part of a weapon or weapons 
                        system; or
                          (V) subject to subparagraph (B), is 
                        critical to the direct fulfillment of 
                        military or intelligence missions; or
                  (ii) is protected at all times by procedures 
                established for information that have been 
                specifically authorized under criteria 
                established by an Executive order or an Act of 
                Congress to be kept classified in the interest 
                of national defense or foreign policy.
          (B) Subparagraph (A)(i)(V) does not include a system 
        that is to be used for routine administrative and 
        business applications (including payroll, finance, 
        logistics, and personnel management applications).
          (7) The term ``Secretary'' means the Secretary of 
        Homeland Security.

SEC. 3553. AUTHORITY AND FUNCTIONS OF THE DIRECTOR AND THE SECRETARY.

    (a) Director.--The Director shall oversee agency 
information security policies, including--
          (1) developing and overseeing the implementation of 
        policies, principles, standards, and guidelines on 
        information security, including through ensuring timely 
        agency adoption of and compliance with standards 
        promulgated under section 11331 of title 40;
          (2) requiring agencies, consistent with the standards 
        promulgated under such section 11331 and the 
        requirements of this subchapter, to identify and 
        provide information security protections commensurate 
        with the risk and magnitude of the harm resulting from 
        the unauthorized access, use, disclosure, disruption, 
        modification, or destruction of--
                  (A) information collected or maintained by or 
                on behalf of an agency; or
                  (B) information systems used or operated by 
                an agency or by a contractor of an agency or 
                other organization on behalf of an agency;
          (3) ensuring that the Secretary carries out the 
        authorities and functions under subsection (b);
          (4) coordinating the development of standards and 
        guidelines under section 20 of the National Institute 
        of Standards and Technology Act (15 U.S.C. 278g-3) with 
        agencies and offices operating or exercising control of 
        national security systems (including the National 
        Security Agency) to assure, to the maximum extent 
        feasible, that such standards and guidelines are 
        complementary with standards and guidelines developed 
        for national security systems;
          (5) overseeing agency compliance with the 
        requirements of this subchapter, including through any 
        authorized action under section 11303 of title 40, to 
        enforce accountability for compliance with such 
        requirements;
          (6) coordinating information security policies and 
        procedures with related information resources 
        management policies and procedures; and
          (7) consulting with the Secretary in carrying out the 
        authorities and functions under this subsection.
    (b) Secretary.--The Secretary, in consultation with the 
Director, shall oversee the operational aspects of agency 
information security policies and practices for information 
systems, except for national security systems and information 
systems described in paragraph (2) or (3) of subsection (e), 
including--
          (1) assisting the Director in carrying out the 
        authorities and functions under subsection (a);
          (2) developing and overseeing the implementation of 
        binding operational directives to agencies to implement 
        the policies, principles, standards, and guidelines 
        developed by the Director under subsection (a)(1) and 
        the requirements of this subchapter, which may be 
        repealed by the Director if the operational directives 
        issued on behalf of the Director are not in accordance 
        with policies, principles, standards, and guidelines 
        developed by the Director, including--
                  (A) requirements for reporting security 
                incidents to the Federal information security 
                incident center established under section 3556;
                  (B) requirements for the contents of the 
                annual reports required to be submitted under 
                section 3554(c)(1);
                  (C) requirements for the mitigation of 
                exigent risks to information systems; and
                  (D) other operational requirements as the 
                Director or Secretary may determine necessary;
          (3) monitoring agency implementation of information 
        security policies and practices;
          (4) convening meetings with senior agency officials 
        to help ensure effective implementation of information 
        security policies and practices;
          (5) coordinating Government-wide efforts on 
        information security policies and practices, including 
        consultation with the Chief Information Officers 
        Council established under section 3603;
          (6) providing operational and technical assistance to 
        agencies in implementing policies, principles, 
        standards, and guidelines on information security, 
        including implementation of standards promulgated under 
        section 11331 of title 40, including by--
                  (A) operating the Federal information 
                security incident center established under 
                section 3556;
                  (B) upon request by an agency, deploying 
                technology to assist the agency to continuously 
                diagnose and mitigate against cyber threats and 
                vulnerabilities, with or without reimbursement;
                  (C) compiling and analyzing data on agency 
                information security; and
                  (D) developing and conducting targeted 
                operational evaluations, including threat and 
                vulnerability assessments, on the information 
                systems; and
          (7) other actions as the Secretary may determine 
        necessary to carry out this subsection on behalf of the 
        Director.
    (c) Report.--Not later than March 1 of each year, the 
Director, in consultation with the Secretary, shall submit to 
Congress a report on the effectiveness of information security 
policies and practices during the preceding year, including--
          (1) a summary of the incidents described in the 
        annual reports required to be submitted under section 
        3554(c)(1), including a summary of the information 
        required under section 3554(c)(1)(A)(iii);
          (2) a description of the threshold for reporting 
        major information security incidents;
          (3) a summary of the results of evaluations required 
        to be performed under section 3555;
          (4) an assessment of agency compliance with standards 
        promulgated under section 11331 of title 40; and
          (5) an assessment of agency compliance with the 
        policies and procedures established under section 
        3559(a).
    (d) National Security Systems.--Except for the authorities 
and functions described in subsection (a)(4) and subsection 
(c), the authorities and functions of the Director and the 
Secretary under this section shall not apply to national 
security systems.
    (e) Department of Defense and Intelligence Community 
Systems.--(1) The authorities of the Director described in 
paragraphs (1) and (2) of subsection (a) shall be delegated to 
the Secretary of Defense in the case of systems described in 
paragraph (2) and to the Director of National Intelligence in 
the case of systems described in paragraph (3).
    (2) The systems described in this paragraph are systems 
that are operated by the Department of Defense, a contractor of 
the Department of Defense, or another entity on behalf of the 
Department of Defense that processes any information the 
unauthorized access, use, disclosure, disruption, modification, 
or destruction of which would have a debilitating impact on the 
mission of the Department of Defense.
    (3) The systems described in this paragraph are systems 
that are operated by an element of the intelligence community, 
a contractor of an element of the intelligence community, or 
another entity on behalf of an element of the intelligence 
community that processes any information the unauthorized 
access, use, disclosure, disruption, modification, or 
destruction of which would have a debilitating impact on the 
mission of an element of the intelligence community.

SEC. 3554. FEDERAL AGENCY RESPONSIBILITIES.

    (a) In General.--The head of each agency shall--
          (1) be responsible for--
                  (A) providing information security 
                protections commensurate with the risk and 
                magnitude of the harm resulting from 
                unauthorized access, use, disclosure, 
                disruption, modification, or destruction of--
                          (i) information collected or 
                        maintained by or on behalf of the 
                        agency; and
                          (ii) information systems used or 
                        operated by an agency or by a 
                        contractor of an agency or other 
                        organization on behalf of an agency;
                  (B) complying with the requirements of this 
                subchapter and related policies, procedures, 
                standards, and guidelines, including--
                          (i) information security standards 
                        promulgated under section 11331 of 
                        title 40;
                          (ii) operational directives developed 
                        by the Secretary under section 3553(b);
                          (iii) policies and procedures issued 
                        by the Director under section 3559; and
                          (iv) information security standards 
                        and guidelines for national security 
                        systems issued in accordance with law 
                        and as directed by the President; and
                  (C) ensuring that information security 
                management processes are integrated with agency 
                strategic and operational planning processes;
          (2) ensure that senior agency officials provide 
        information security for the information and 
        information systems that support the operations and 
        assets under their control, including through--
                  (A) assessing the risk and magnitude of the 
                harm that could result from the unauthorized 
                access, use, disclosure, disruption, 
                modification, or destruction of such 
                information or information systems;
                  (B) determining the levels of information 
                security appropriate to protect such 
                information and information systems in 
                accordance with standards promulgated under 
                section 11331 of title 40, for information 
                security classifications and related 
                requirements;
                  (C) implementing policies and procedures to 
                cost-effectively reduce risks to an acceptable 
                level; and
                  (D) periodically testing and evaluating 
                information security controls and techniques to 
                ensure that they are effectively implemented;
          (3) delegate to the agency Chief Information Officer 
        established under section 3506 (or comparable official 
        in an agency not covered by such section) the authority 
        to ensure compliance with the requirements imposed on 
        the agency under this subchapter, including--
                  (A) designating a senior agency information 
                security officer who shall--
                          (i) carry out the Chief Information 
                        Officer's responsibilities under this 
                        section;
                          (ii) possess professional 
                        qualifications, including training and 
                        experience, required to administer the 
                        functions described under this section;
                          (iii) have information security 
                        duties as that official's primary duty; 
                        and
                          (iv) head an office with the mission 
                        and resources to assist in ensuring 
                        agency compliance with this section;
                  (B) developing and maintaining an agency-wide 
                information security program as required by 
                subsection (b);
                  (C) developing and maintaining information 
                security policies, procedures, and control 
                techniques to address all applicable 
                requirements, including those issued under 
                section 3553 of this title and section 11331 of 
                title 40;
                  (D) training and overseeing personnel with 
                significant responsibilities for information 
                security with respect to such responsibilities; 
                and
                  (E) assisting senior agency officials 
                concerning their responsibilities under 
                paragraph (2);
          (4) ensure that the agency has trained personnel 
        sufficient to assist the agency in complying with the 
        requirements of this subchapter and related policies, 
        procedures, standards, and guidelines;
          (5) ensure that the agency Chief Information Officer, 
        in coordination with other senior agency officials, 
        reports annually to the agency head on the 
        effectiveness of the agency information security 
        program, including progress of remedial actions;
          (6) ensure that senior agency officials, including 
        chief information officers of component agencies or 
        equivalent officials, carry out responsibilities under 
        this subchapter as directed by the official delegated 
        authority under paragraph (3); and
          (7) ensure that all personnel are held accountable 
        for complying with the agency-wide information security 
        program implemented under subsection (b).
    (b) Agency Program.--Each agency shall develop, document, 
and implement an agency-wide information security program to 
provide information security for the information and 
information systems that support the operations and assets of 
the agency, including those provided or managed by another 
agency, contractor, or other source, that includes--
          (1) periodic assessments of the risk and magnitude of 
        the harm that could result from the unauthorized 
        access, use, disclosure, disruption, modification, or 
        destruction of information and information systems that 
        support the operations and assets of the agency;
          (2) policies and procedures that--
                  (A) are based on the risk assessments 
                required by paragraph (1);
                  (B) cost-effectively reduce information 
                security risks to an acceptable level;
                  (C) ensure that information security is 
                addressed throughout the life cycle of each 
                agency information system; and
                  (D) ensure compliance with--
                          (i) the requirements of this 
                        subchapter;
                          (ii) policies and procedures as may 
                        be prescribed by the Director, and 
                        information security standards 
                        promulgated under section 11331 of 
                        title 40;
                          (iii) minimally acceptable system 
                        configuration requirements, as 
                        determined by the agency; and
                          (iv) any other applicable 
                        requirements, including standards and 
                        guidelines for national security 
                        systems issued in accordance with law 
                        and as directed by the President;
          (3) subordinate plans for providing adequate 
        information security for networks, facilities, and 
        systems or groups of information systems, as 
        appropriate;
          (4) security awareness training to inform personnel, 
        including contractors and other users of information 
        systems that support the operations and assets of the 
        agency, of--
                  (A) information security risks associated 
                with their activities; and
                  (B) their responsibilities in complying with 
                agency policies and procedures designed to 
                reduce these risks;
          (5) periodic testing and evaluation of the 
        effectiveness of information security policies, 
        procedures, and practices, to be performed with a 
        frequency depending on risk, but no less than annually, 
        of which such testing--
                  (A) shall include testing of management, 
                operational, and technical controls of every 
                information system identified in the inventory 
                required under section 3505(c); and
                  (B) may include testing relied on in an 
                evaluation under section 3555;
          (6) a process for planning, implementing, evaluating, 
        and documenting remedial action to address any 
        deficiencies in the information security policies, 
        procedures, and practices of the agency;
          (7) procedures for detecting, reporting, and 
        responding to security incidents, consistent with 
        standards and guidelines described in section 3556(b), 
        including--
                  (A) mitigating risks associated with such 
                incidents before substantial damage is done;
                  (B) notifying and consulting with the Federal 
                information security incident center 
                established in section 3556; and
                  (C) notifying and consulting with, as 
                appropriate--
                          (i) law enforcement agencies and 
                        relevant Offices of Inspector General;
                          (ii) an office designated by the 
                        President for any incident involving a 
                        national security system;
                          (iii) the committees of Congress 
                        described in subsection (c)(1)--
                                  (I) not later than 7 days 
                                after the date on which the 
                                incident is discovered; and
                                  (II) after the initial 
                                notification under subclause 
                                (I), within a reasonable period 
                                of time after additional 
                                information relating to the 
                                incident is discovered; and
                          (iv) any other agency or office, in 
                        accordance with law or as directed by 
                        the President; and
          (8) plans and procedures to ensure continuity of 
        operations for information systems that support the 
        operations and assets of the agency.
    (c) Agency Reporting.--
          (1) Annual report.--
                  (A) In general.--Each agency shall submit to 
                the Director, the Secretary, the Committee on 
                Government Reform, the Committee on Homeland 
                Security, and the Committee on Science of the 
                House of Representatives, the Committee on 
                Homeland Security and Governmental Affairs and 
                the Committee on Commerce, Science, and 
                Transportation of the Senate, the appropriate 
                authorization and appropriations committees of 
                Congress, and the Comptroller General a report 
                on the adequacy and effectiveness of 
                information security policies, procedures, and 
                practices, including--
                          (i) a description of each major 
                        information security incident or 
                        related sets of incidents, including 
                        summaries of--
                                  (I) the threats and threat 
                                actors, vulnerabilities, and 
                                impacts relating to the 
                                incident;
                                  (II) the risk assessments 
                                conducted under section 
                                3554(a)(2)(A) of the affected 
                                information systems before the 
                                date on which the incident 
                                occurred; and
                                  (III) the detection, 
                                response, and remediation 
                                actions;
                          (ii) the total number of information 
                        security incidents, including a 
                        description of incidents resulting in 
                        significant compromise of information 
                        security, system impact levels, types 
                        of incident, and locations of affected 
                        systems;
                          (iii) a description of each major 
                        information security incident that 
                        involved a breach of personally 
                        identifiable information, including--
                                  (I) the number of individuals 
                                whose information was affected 
                                by the major information 
                                security incident; and
                                  (II) a description of the 
                                information that was breached 
                                or exposed; and
                          (iv) any other information as the 
                        Secretary may require.
                  (B) Unclassified report.--
                          (i) In general.--Each report 
                        submitted under subparagraph (A) shall 
                        be in unclassified form, but may 
                        include a classified annex.
                          (ii) Access to information.--The head 
                        of an agency shall ensure that, to the 
                        greatest extent practicable, 
                        information is included in the 
                        unclassified version of the reports 
                        submitted by the agency under 
                        subparagraph (A).
          (2) Other plans and reports.--Each agency shall 
        address the adequacy and effectiveness of information 
        security policies, procedures, and practices in 
        management plans and reports.
    (d) Performance Plan.--(1) In addition to the requirements 
of subsection (c), each agency, in consultation with the 
Director, shall include as part of the performance plan 
required under section 1115 of title 31 a description of--
          (A) the time periods; and
          (B) the resources, including budget, staffing, and 
        training,
that are necessary to implement the program required under 
subsection (b).
    (2) The description under paragraph (1) shall be based on 
the risk assessments required under subsection (b)(1).
    (e) Public Notice and Comment.--Each agency shall provide 
the public with timely notice and opportunities for comment on 
proposed information security policies and procedures to the 
extent that such policies and procedures affect communication 
with the public.

SEC. 3555. ANNUAL INDEPENDENT EVALUATION.

    (a) In General.--(1) Each year each agency shall have 
performed an independent evaluation of the information security 
program and practices of that agency to determine the 
effectiveness of such program and practices.
    (2) Each evaluation under this section shall include--
          (A) testing of the effectiveness of information 
        security policies, procedures, and practices of a 
        representative subset of the agency's information 
        systems;
          (B) an assessment of the effectiveness of the 
        information security policies, procedures, and 
        practices of the agency; and
          (C) separate presentations, as appropriate, regarding 
        information security relating to national security 
        systems.
    (b) Independent Auditor.--Subject to subsection (c)--
          (1) for each agency with an Inspector General 
        appointed under the Inspector General Act of 1978, the 
        annual evaluation required by this section shall be 
        performed by the Inspector General or by an independent 
        external auditor, as determined by the Inspector 
        General of the agency; and
          (2) for each agency to which paragraph (1) does not 
        apply, the head of the agency shall engage an 
        independent external auditor to perform the evaluation.
    (c) National Security Systems.--For each agency operating 
or exercising control of a national security system, that 
portion of the evaluation required by this section directly 
relating to a national security system shall be performed--
          (1) only by an entity designated by the agency head; 
        and
          (2) in such a manner as to ensure appropriate 
        protection for information associated with any 
        information security vulnerability in such system 
        commensurate with the risk and in accordance with all 
        applicable laws.
    (d) Existing Evaluations.--The evaluation required by this 
section may be based in whole or in part on an audit, 
evaluation, or report relating to programs or practices of the 
applicable agency.
    (e) Agency Reporting.--(1) Each year, not later than such 
date established by the Director, the head of each agency shall 
submit to the Director the results of the evaluation required 
under this section.
    (2) To the extent an evaluation required under this section 
directly relates to a national security system, the evaluation 
results submitted to the Director shall contain only a summary 
and assessment of that portion of the evaluation directly 
relating to a national security system.
    (f) Protection of Information.--Agencies and evaluators 
shall take appropriate steps to ensure the protection of 
information which, if disclosed, may adversely affect 
information security. Such protections shall be commensurate 
with the risk and comply with all applicable laws and 
regulations.
    (g) OMB Reports to Congress.--(1) The Director shall 
summarize the results of the evaluations conducted under this 
section in the report to Congress required under section 
3553(c).
    (2) The Director's report to Congress under this subsection 
shall summarize information regarding information security 
relating to national security systems in such a manner as to 
ensure appropriate protection for information associated with 
any information security vulnerability in such system 
commensurate with the risk and in accordance with all 
applicable laws.
    (3) Evaluations and any other descriptions of information 
systems under the authority and control of the Director of 
Central Intelligence or of National Foreign Intelligence 
Programs systems under the authority and control of the 
Secretary of Defense shall be made available to Congress only 
through the appropriate oversight committees of Congress, in 
accordance with applicable laws.
    (h) Comptroller General.--The Comptroller General shall 
periodically evaluate and report to Congress on--
          (1) the adequacy and effectiveness of agency 
        information security policies and practices; and
          (2) implementation of the requirements of this 
        subchapter.
    (i) Assessment Technical Assistance.--The Comptroller 
General may provide technical assistance to an Inspector 
General or the head of an agency, as applicable, to assist the 
Inspector General or head of an agency in carrying out the 
duties under this section, including by testing information 
security controls and procedures.

SEC. 3556. FEDERAL INFORMATION SECURITY INCIDENT CENTER.

    (a) In General.--The Secretary shall ensure the operation 
of a central Federal information security incident center to--
          (1) provide timely technical assistance to operators 
        of agency information systems regarding security 
        incidents, including guidance on detecting and handling 
        information security incidents;
          (2) compile and analyze information about incidents 
        that threaten information security;
          (3) inform operators of agency information systems 
        about current and potential information security 
        threats, and vulnerabilities;
          (4) provide, as appropriate, intelligence and other 
        information about cyber threats, vulnerabilities, and 
        incidents to agencies to assist in risk assessments 
        conducted under section 3554(b); and
          (5) consult with the National Institute of Standards 
        and Technology, agencies or offices operating or 
        exercising control of national security systems 
        (including the National Security Agency), and such 
        other agencies or offices in accordance with law and as 
        directed by the President regarding information 
        security incidents and related matters.
    (b) National Security Systems.--Each agency operating or 
exercising control of a national security system shall share 
information about information security incidents, threats, and 
vulnerabilities with the Federal information security incident 
center to the extent consistent with standards and guidelines 
for national security systems, issued in accordance with law 
and as directed by the President.

SEC. 3557. NATIONAL SECURITY SYSTEMS.

    The head of each agency operating or exercising control of 
a national security system shall be responsible for ensuring 
that the agency--
          (1) provides information security protections 
        commensurate with the risk and magnitude of the harm 
        resulting from the unauthorized access, use, 
        disclosure, disruption, modification, or destruction of 
        the information contained in such system;
          (2) implements information security policies and 
        practices as required by standards and guidelines for 
        national security systems, issued in accordance with 
        law and as directed by the President; and
          (3) complies with the requirements of this 
        subchapter.

SEC. 3558. EFFECT ON EXISTING LAW.

    Nothing in this subchapter, section 11331 of title 40, or 
section 20 of the National Standards and Technology Act (15 
U.S.C. 278g-3) may be construed as affecting the authority of 
the President, the Office of Management and Budget or the 
Director thereof, the National Institute of Standards and 
Technology, or the head of any agency, with respect to the 
authorized use or disclosure of information, including with 
regard to the protection of personal privacy under section 552a 
of title 5, the disclosure of information under section 552 of 
title 5, the management and disposition of records under 
chapters 29, 31, or 33 of title 44, the management of 
information resources under subchapter I of chapter 35 of this 
title, or the disclosure of information to the Congress or the 
Comptroller General of the United States.

SEC. 3559. PRIVACY BREACH REQUIREMENTS.

    (a) Policies and Procedures.--The Director, in consultation 
with the Secretary, shall establish and oversee policies and 
procedures for agencies to follow in the event of a breach of 
information security involving the disclosure of personally 
identifiable information, including requirements for--
          (1) timely notice to affected individuals based on a 
        determination of the level of risk and consistent with 
        law enforcement and national security considerations;
          (2) timely reporting to the Federal information 
        security incident center established under section 3556 
        or other Federal cybersecurity center, as designated by 
        the Director;
          (3) timely notice to committees of Congress with 
        jurisdiction over cybersecurity; and
          (4) such additional actions as the Director may 
        determine necessary and appropriate, including the 
        provision of risk mitigation measures to affected 
        individuals.
    (b) Considerations.--In carrying out subsection (a), the 
Director shall consider recommendations made by the Government 
Accountability Office, including recommendations in the 
December 2013 Government Accountability Office report entitled 
``Information Security: Agency Responses to Breaches of 
Personally Identifiable Information Need to Be More 
Consistent'' (GAO-14-34).
    (c) Required Agency Action.--The head of each agency shall 
ensure that actions taken in response to a breach of 
information security involving the disclosure of personally 
identifiable information under the authority or control of the 
agency comply with policies and procedures established under 
subsection (a).
    (d) Timeliness.--
          (1) In general.--Except as provided in paragraph (2), 
        the policies and procedures established under 
        subsection (a) shall require that the notice to 
        affected individuals required under subsection (a)(1) 
        be made without unreasonable delay and with 
        consideration of the likely risk of harm and the level 
        of impact, but not later than 60 days after the date on 
        which the head of an agency discovers the breach of 
        information security involving the disclosure of 
        personally identifiable information.
          (2) Delay.--The Attorney General, the head of an 
        element of the intelligence community (as such term is 
        defined under section 3(4) of the National Security Act 
        of 1947 (50 U.S.C. 3003(4)), or the Secretary may delay 
        the notice to affected individuals under subsection 
        (a)(1) for not more than 180 days, if the notice would 
        disrupt a law enforcement investigation, endanger 
        national security, or hamper security remediation 
        actions from the breach of information security 
        involving the disclosure of personally identifiable 
        information.

HOMELAND SECURITY ACT OF 2002

           *       *       *       *       *       *       *


                     TITLE X--INFORMATION SECURITY

SEC. 1001. INFORMATION SECURITY.

    (a) * * *

           *       *       *       *       *       *       *

    (c) Information Security Responsibilities of Certain 
Agencies.--
          (1) National security responsibilities--(A) Nothing 
        in this Act (including any amendment made by this Act) 
        shall supersede any authority of the Secretary of 
        Defense, the Director of Central Intelligence, or other 
        agency head, as authorized by law and as directed by 
        the President, with regard to the operation, control, 
        or management of national security systems, as defined 
        by [section 3532(3)] section 3552(b) of title 44, 
        United States Code.

           *       *       *       *       *       *       *


TITLE 10, UNITED STATES CODE

           *       *       *       *       *       *       *


Subtitle A--General Military Law

           *       *       *       *       *       *       *


PART IV--SERVICE, SUPPLY, AND PROCUREMENT

           *       *       *       *       *       *       *


                 CHAPTER 131--PLANNING AND COORDINATION


SEC. 2222. DEFENSE BUSINESS SYSTEMS: ARCHITECTURE, ACCOUNTABILITY, AND 
                    MODERNIZATION.

    (a) * * *

           *       *       *       *       *       *       *

    (j) Definitions.--In this section:
          (1) * * *

           *       *       *       *       *       *       *

          (5) The term ``national security system'' has the 
        meaning given that term in [section 3542(b)(2)] section 
        3552(b) of title 44.

           *       *       *       *       *       *       *


SEC. 2223. INFORMATION TECHNOLOGY: ADDITIONAL RESPONSIBILITIES OF CHIEF 
                    INFORMATION OFFICERS.

    (a) * * *

           *       *       *       *       *       *       *

    (c) Definitions.--
          (1) * * *

           *       *       *       *       *       *       *

          (3) The term ``national security system'' has the 
        meaning given that term by [section 3542(b)(2)] section 
        3552(b) of title 44.

           *       *       *       *       *       *       *


CHAPTER 137--PROCUREMENT GENERALLY

           *       *       *       *       *       *       *



SEC. 2315. LAW INAPPLICABLE TO THE PROCUREMENT OF AUTOMATIC DATA 
                    PROCESSING EQUIPMENT AND SERVICES FOR CERTAIN 
                    DEFENSE PURPOSES.

    For purposes of subtitle III of title 40, the term 
``national security system'', with respect to a 
telecommunications and information system operated by the 
Department of Defense, has the meaning given that term by 
[section 3542(b)(2)] section 3552(b) of title 44.

           *       *       *       *       *       *       *


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY ACT

           *       *       *       *       *       *       *


    Sec. 20. (a) The Institute shall--
          (1) * * *
          (2) develop standards and guidelines, including 
        minimum requirements, for information systems used or 
        operated by an agency or by a contractor of an agency 
        or other organization on behalf of an agency, other 
        than national security systems (as defined in [section 
        3532(b)(2)] section 3552(b) of title 44, United States 
        Code);

           *       *       *       *       *       *       *

    (e) As used in this section--
          (1) * * *
          (2) the term ``information security'' has the same 
        meaning as provided in [section 3532(1)] section 
        3552(b) of such title;

           *       *       *       *       *       *       *

          (5) the term ``national security system'' has the 
        same meaning as provided in [section 3532(b)(2)] 
        section 3552(b) of such title.

           *       *       *       *       *       *       *


CYBER SECURITY RESEARCH AND DEVELOPMENT ACT

           *       *       *       *       *       *       *



SEC. 8. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY PROGRAMS.

    (a) * * *

           *       *       *       *       *       *       *

    (d) Federal Agency Information Security Programs.--
          (1) In general.--In developing the agency-wide 
        information security program required by [section 
        3534(b)] section 3554(b) of title 44, United States 
        Code, an agency that deploys a computer hardware or 
        software system for which the Director of the National 
        Institute of Standards and Technology has developed a 
        checklist under subsection (c) of this section--
                  (A) * * *

           *       *       *       *       *       *       *