Coordination of Federal information policy

Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting the following:

Information Security

3551.

Purposes

The purposes of this subchapter are to— (1)provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets; (2)recognize the highly networked nature of the current Federal computing environment and provide effective Governmentwide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities assets; (3)provide for development and maintenance of minimum controls required to protect Federal information and information systems; (4)provide a mechanism for improved oversight of Federal agency information security programs and systems through a focus on automated and continuous monitoring of agency information systems and regular threat assessments; (5)acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions, reflecting market solutions for the protection of critical information systems important to the national defense and economic security of the Nation that are designed, built, and operated by the private sector; and (6)recognize that the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.

3552.

Definitions

(a)

Section 3502 definitions

Except as provided under subsection (b), the definitions under section 3502 shall apply to this subchapter. (b)

Additional definitions

In this subchapter: (1)

Adequate security

The term adequate security means security commensurate with the risk and magnitude of the harm resulting from the unauthorized access to or loss, misuse, destruction, or modification of information. (2)

Automated and continuous monitoring

The term automated and continuous monitoring means monitoring, with minimal human involvement, through an uninterrupted, ongoing real time, or near real-time process used to determine if the complete set of planned, required, and deployed security controls within an information system continue to be effective over time with rapidly changing information technology and threat development. (3)

Incident

The term incident means an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system, or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. (4)

Information security

The term information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide— (A)integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; (B)confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and (C)availability, which means ensuring timely and reliable access to and use of information. (5)

Information system

The term information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information and includes— (A)computers and computer networks; (B)ancillary equipment; (C)software, firmware, and related procedures; (D)services, including support services; and (E)related resources. (6)

Information technology

The term information technology has the meaning given that term in section 11101 of title 40. (7)

National security system

(A)

Definition

The term national security system means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency— (i)the function, operation, or use of which— (I)involves intelligence activities; (II)involves cryptologic activities related to national security; (III)involves command and control of military forces; (IV)involves equipment that is an integral part of a weapon or weapons system; or (V)subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or (ii)is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. (B)

Exception

Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). (8)

Threat assessment

The term threat assessment means the formal description and evaluation of threat to an information system.

3553.

Authority and functions of the Director

(a)

In general

The Director shall oversee agency information security policies and practices, including— (1)developing and overseeing the implementation of policies, principles, standards, and guidelines on information security, including through ensuring timely agency adoption of and compliance with standards promulgated under section 11331 of title 40; (2)requiring agencies, consistent with the standards promulgated under such section 11331 and the requirements of this subchapter, to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of— (A)information collected or maintained by or on behalf of an agency; or (B)information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; (3)coordinating the development of standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) with agencies and offices operating or exercising control of national security systems (including the National Security Agency) to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems; (4)overseeing agency compliance with the requirements of this subchapter, including through any authorized action under section 11303 of title 40, to enforce accountability for compliance with such requirements; (5)reviewing at least annually, and approving or disapproving, agency information security programs required under section 3554(b); (6)coordinating information security policies and procedures with related information resources management policies and procedures; (7)overseeing the operation of the Federal information security incident center required under section 3555; and (8)reporting to Congress no later than March 1 of each year on agency compliance with the requirements of this subchapter, including— (A)an assessment of the development, promulgation, and adoption of, and compliance with, standards developed under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) and promulgated under section 11331 of title 40; (B)significant deficiencies in agency information security practices; (C)planned remedial action to address such deficiencies; and (D)a summary of, and the views of the Director on, the report prepared by the National Institute of Standards and Technology under section 20(d)(10) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3). (b)

National security systems

Except for the authorities described in paragraphs (4) and (8) of subsection (a), the authorities of the Director under this section shall not apply to national security systems. (c)

Department of defense and central intelligence agency systems

(1)The authorities of the Director described in paragraphs (1) and (2) of subsection (a) shall be delegated to the Secretary of Defense in the case of systems described in paragraph (2) and to the Director of Central Intelligence in the case of systems described in paragraph (3). (2)The systems described in this paragraph are systems that are operated by the Department of Defense, a contractor of the Department of Defense, or another entity on behalf of the Department of Defense that processes any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Department of Defense. (3)The systems described in this paragraph are systems that are operated by the Central Intelligence Agency, a contractor of the Central Intelligence Agency, or another entity on behalf of the Central Intelligence Agency that processes any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Central Intelligence Agency.

3554.

Agency responsibilities

(a)

In general

The head of each agency shall— (1)be responsible for— (A)providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of— (i)information collected or maintained by or on behalf of the agency; and (ii)information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; (B)complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines, including— (i)information security standards and guidelines promulgated under section 11331 of title 40 and section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3); (ii)information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; and (iii)ensuring the standards implemented for information systems and national security systems of the agency are complementary and uniform, to the extent practicable; (C)ensuring that information security management processes are integrated with agency strategic and operational planning and budget processes, including policies, procedures, and practices described in subsection (c)(2); (D)as appropriate, maintaining secure facilities that have the capability of accessing, sending, receiving, and storing classified information; (E)maintaining a sufficient number of personnel with security clearances, at the appropriate levels, to access, send, receive and analyze classified information to carry out the responsibilities of this subchapter; and (F)ensuring that information security performance indicators and measures are included in the annual performance evaluations of all managers, senior managers, senior executive service personnel, and political appointees; (2)ensure that senior agency officials provide information security for the information and information systems that support the operations and assets under their control, including through— (A)assessing the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information system; (B)determining the levels of information security appropriate to protect such information and information systems in accordance with policies, principles, standards, and guidelines promulgated under section 11331 of title 40 and section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) for information security classifications and related requirements; (C)implementing policies and procedures to cost effectively reduce risks to an acceptable level; (D)with a frequency sufficient to support risk-based security decisions, testing and evaluating information security controls and techniques to ensure that such controls and techniques are effectively implemented and operated; and (E)with a frequency sufficient to support risk-based security decisions, conducting threat assessments by monitoring information systems, identifying potential system vulnerabilities, and reporting security incidents in accordance with paragraph (3)(A)(v); (3)delegate to the Chief Information Officer or equivalent (or a senior agency official who reports to the Chief Information Officer or equivalent), who is designated as the Chief Information Security Officer, the authority and primary responsibility to develop, implement, and oversee an agencywide information security program to ensure and enforce compliance with the requirements imposed on the agency under this subchapter, including— (A)overseeing the establishment and maintenance of a security operations capability that through automated and continuous monitoring, when possible, can— (i)detect, report, respond to, contain, and mitigate incidents that impair information security and agency information systems, in accordance with policy provided by the Director; (ii)commensurate with the risk to information security, monitor and mitigate the vulnerabilities of every information system within the agency; (iii)continually evaluate risks posed to information collected or maintained by or on behalf of the agency and information systems and hold senior agency officials accountable for ensuring information security; (iv)collaborate with the Director and appropriate public and private sector security operations centers to detect, report, respond to, contain, and mitigate incidents that impact the security of information and information systems that extend beyond the control of the agency; and (v)report any incident described under clauses (i) and (ii) to the Federal information security incident center, to other appropriate security operations centers, and to the Inspector General of the agency, to the extent practicable, within 24 hours after discovery of the incident, but no later than 48 hours after such discovery; (B)developing, maintaining, and overseeing an agencywide information security program as required by subsection (b); (C)developing, maintaining, and overseeing information security policies, procedures, and control techniques to address all applicable requirements, including those issued under section 11331 of title 40; (D)training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; and (E)assisting senior agency officials concerning their responsibilities under paragraph (2); (4)ensure that the agency has a sufficient number of trained and cleared personnel to assist the agency in complying with the requirements of this subchapter, other applicable laws, and related policies, procedures, standards, and guidelines; (5)ensure that the Chief Information Security Officer, in consultation with other senior agency officials, reports periodically, but not less than annually, to the agency head on— (A)the effectiveness of the agency information security program; (B)information derived from automated and continuous monitoring, when possible, and threat assessments; and (C)the progress of remedial actions; (6)ensure that the Chief Information Security Officer possesses the necessary qualifications, including education, training, experience, and the security clearance required to administer the functions described under this subchapter; and has information security duties as the primary duty of that official; and (7)ensure that components of that agency establish and maintain an automated reporting mechanism that allows the Chief Information Security Officer with responsibility for the entire agency, and all components thereof, to implement, monitor, and hold senior agency officers accountable for the implementation of appropriate security policies, procedures, and controls of agency components. (b)

Agency program

Each agency shall develop, document, and implement an agencywide information security program, approved by the Director and consistent with components across and within agencies, to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source, that includes— (1)automated and continuous monitoring, when possible, of the risk and magnitude of the harm that could result from the disruption or unauthorized access, use, disclosure, modification, or destruction of information and information systems that support the operations and assets of the agency; (2)consistent with guidance developed under section 11331 of title 40, vulnerability assessments and penetration tests commensurate with the risk posed to agency information systems; (3)policies and procedures that— (A)cost effectively reduce information security risks to an acceptable level; (B)ensure compliance with— (i)the requirements of this subchapter; (ii)policies and procedures as may be prescribed by the Director, and information security standards promulgated pursuant to section 11331 of title 40; (iii)minimally acceptable system configuration requirements, as determined by the Director; and (iv)any other applicable requirements, including— (I)standards and guidelines for national security systems issued in accordance with law and as directed by the President; and (II)the National Institute of Standards and Technology standards and guidance; (C)develop, maintain, and oversee information security policies, procedures, and control techniques to address all applicable requirements, including those promulgated pursuant section 11331 of title 40; and (D)ensure the oversight and training of personnel with significant responsibilities for information security with respect to such responsibilities; (4)with a frequency sufficient to support risk-based security decisions, automated and continuous monitoring, when possible, for testing and evaluation of the effectiveness and compliance of information security policies, procedures, and practices, including— (A)controls of every information system identified in the inventory required under section 3505(c); and (B)controls relied on for an evaluation under this section; (5)a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency; (6)with a frequency sufficient to support risk-based security decisions, automated and continuous monitoring, when possible, for detecting, reporting, and responding to security incidents, consistent with standards and guidelines issued by the National Institute of Standards and Technology, including— (A)mitigating risks associated with such incidents before substantial damage is done; (B)notifying and consulting with the Federal information security incident center and other appropriate security operations response centers; and (C)notifying and consulting with, as appropriate— (i)law enforcement agencies and relevant Offices of Inspectors General; and (ii)any other agency, office, or entity, in accordance with law or as directed by the President; and (7)plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency. (c)

Agency reporting

Each agency shall— (1)submit an annual report on the adequacy and effectiveness of information security policies, procedures, and practices, and compliance with the requirements of this subchapter, including compliance with each requirement of subsection (b) to— (A)the Director; (B)the Committee on Homeland Security and Governmental Affairs of the Senate; (C)the Committee on Oversight and Government Reform of the House of Representatives; (D)other appropriate authorization and appropriations committees of Congress; and (E)the Comptroller General; (2)address the adequacy and effectiveness of information security policies, procedures, and practices in plans and reports relating to— (A)annual agency budgets; (B)information resources management of this subchapter; (C)information technology management under this chapter; (D)program performance under sections 1105 and 1115 through 1119 of title 31, and sections 2801 and 2805 of title 39; (E)financial management under chapter 9 of title 31, and the Chief Financial Officers Act of 1990 (31 U.S.C. 501 note; Public Law 101–576); (F)financial management systems under the Federal Financial Management Improvement Act of 1996 (31 U.S.C. 3512 note); and (G)internal accounting and administrative controls under section 3512 of title 31; and (3)report any significant deficiency in a policy, procedure, or practice identified under paragraph (1) or (2)— (A)as a material weakness in reporting under section 3512 of title 31; and (B)if relating to financial management systems, as an instance of a lack of substantial compliance under the Federal Financial Management Improvement Act of 1996 (31 U.S.C. 3512 note).

3555.

Federal information security incident center

(a)

In general

The Director shall ensure the operation of a central Federal information security incident center to— (1)provide timely technical assistance to operators of agency information systems regarding security incidents, including guidance on detecting and handling information security incidents; (2)compile and analyze information about incidents that threaten information security; (3)inform operators of agency information systems about current and potential information security threats, and vulnerabilities; and (4)consult with the National Institute of Standards and Technology, agencies or offices operating or exercising control of national security systems (including the National Security Agency), and such other agencies or offices in accordance with law and as directed by the President regarding information security incidents and related matters. (b)

National security systems

Each agency operating or exercising control of a national security system shall share information about information security incidents, threats, and vulnerabilities with the Federal information security incident center to the extent consistent with standards and guidelines for national security systems, issued in accordance with law and as directed by the President. (c)

Review and approval

The Director shall review and approve the policies, procedures, and guidance established in this subchapter to ensure that the incident center has the capability to effectively and efficiently detect, correlate, respond to, contain, mitigate, and remediate incidents that impair the adequate security of the information systems of more than one agency. To the extent practicable, the capability shall be continuous and technically automated.

3556.

National security systems

The head of each agency operating or exercising control of a national security system shall be responsible for ensuring that the agency— (1)provides information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information contained in such system; (2)implements information security policies and practices as required by standards and guidelines for national security systems, issued in accordance with law and as directed by the President; and (3)complies with the requirements of this subchapter.