113 HR 4370 IH: Veterans Information Security Improvement Act
U.S. House of Representatives
2014-04-02
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.
1.Short title; table of contents
(a)
This Act may be cited as the Veterans Information Security Improvement Act
.
(b)
The table of contents for this Act is as follows:
Sec. 1. Short title; table of contents.
Sec. 2. Governance of information security program of Department of Veterans Affairs.
Sec. 3. Security of critical network infrastructure, including domain controller, of Department of
Veterans Affairs.
Sec. 4. Security of computers and servers of Department of Veterans Affairs.
Sec. 5. Upgrade or phase-out of unsupported or outdated operating systems.
Sec. 6. Security of web applications from vital vulnerabilities.
Sec. 7. Security of the Vista system.
Sec. 8. Report on compliance with information security requirements and best practices.
Sec. 9. Reports on implementation.
Sec. 10. Application.
Sec. 11. Definitions.
2.Governance of information security program of Department of Veterans Affairs
(a)Requirements for certain officials and staff
(1)
Subchapter III of chapter 57 of title 38, United States Code, is amended by inserting after section
5723 the following new section:
5723A.
Governance of information security program
(a)
The Secretary shall carry out this section to improve the transparency and the coordination of the
information security program of the Department.
(b)Office of Information and Technology
(1)The Secretary shall ensure that the Assistant Secretary for Information and Technology, as the
Chief Information Officer of the Department, possesses—
(A)
the appropriate education and at least 10 concurrent years of validated experience and capabilities
in the management of information technology organizations;
(B)
an industry recognized certification in information security and cyber security defense; and
(C)demonstrated, sound technical capabilities.
(2)The Secretary shall ensure that the staff of the Office of Information and Technology who perform
security functions, including the assessment and analysis of risk,
security auditing, security operations, and security engineering, are
assigned to the Office of Information Security.
(3)The Secretary shall ensure that subordinate offices of the Office of Information and Technology, in
coordination with the head of the Office of Information Security, maintain
appropriate information security functions within each such office to—
(A)incorporate secure software assurance processes into the software development lifecycle for all
software development activities;
(B)validate that each third-party developed software used in any information system of the Department
meets the standards of the National Institute of Standards and Technology
with respect to security, safety, reliability, functionality and
extensibility;
(C)maintain established information security baseline controls for such information systems, and
immediately remediate systems determined to be out of compliance with
established baseline controls to the maximum extent possible;
(D)ensure that the security architecture of the Department is documented and fully integrated into the
overall enterprise architecture strategy of the Department; and
(E)develop and implement a policy that restricts the development of new data warehouses and data marts
holding sensitive personal information of veterans and reduces the number
of data marts holding such information.
(c)Office of Information Security
(1)The Secretary shall ensure that the head of the Office of Information Security possesses—
(A)
the appropriate education and at least 10 concurrent years of experience with respect to validated
information security; and
(B)
an industry recognized certification in cyber security defense;
(C)
demonstrated, sound technical capabilities; and
(D)
other relevant experience.
(2)The Secretary shall ensure that all of the field staff of the Office of Information Security,
including relevant staff of the Office of Information Technology, whose
primary responsibility is the protection of personally identifiable
information of veterans maintain current information security training and
possess a certain level of information security, cyber security defense,
and technical capabilities and certifications as appropriate..
(2)The table of sections at the beginning of such chapter is amended by inserting after the item
relating to section 5723 the following new item:
5723A. Governance of information security program..
(b)Section 5721 of title 38, United States Code, is amended by adding at the end the following new
paragraphs:
(24)The term data mart means a subset of a data warehouse that contains information for a specific department or entity
of an organization rather than the entire organization.
(25)The term data warehouse means a collection of data designed to support management decision making that contains a wide
variety of data that present a coherent picture of business conditions for
an entire organization at a single point in time and whose development
includes the development of systems to extract data from operating systems
plus installation of a warehouse database system that provides managers
flexible access to the data..
3.Security of critical network infrastructure, including domain controller, of Department of Veterans
Affairs
(a)
Not later than 90 days after the date of the enactment of this Act, the Secretary of Veterans
Affairs shall ensure the security and safeguard of the network
infrastructure of the Department of Veterans Affairs.
(b)
In carrying out subsection (a), the Secretary shall carry out the following actions:
(1)Maintain the awareness and complete physical and logical control of the critical network
infrastructure, including routers, switches, domain naming systems,
firewalls, load balancers, proxy devices, authentication services,
telecommunications, domain controllers, and any device that is part of the
trusted Internet connection system.
(2)If the Secretary determines that any critical network infrastructure device or service has been
compromised, restore the device or service to the last known
noncompromised state and determine the cause of the compromise.
(3)If the Secretary determines that compromised devices or services must be used for a limited time,
conduct such use in accordance with the guidance established by the
National Security Agency under the document titled Information Assurance Guidance for Operating on a Compromised Network
, or successor document.
(4)Provide special security configurations for protecting critical infrastructure devices and
services.
(5)Implement policies and security measures that minimize the threats to critical infrastructure
devices and services.
(6)Ensure that critical infrastructure devices and services, including the domain controller settings,
are in compliance with the Server Security Plan of the Department under
the Department of Veterans Affairs Handbook 6500.
(7)Establish access rights, permissions, and multifactor authentication for the critical
infrastructure devices and services, including the domain controller, for
specific users or groups of users.
(8)Ensure that proper physical security measures are taken to safeguard the critical infrastructure
devices and services and limit physical access to such location to a
limited number of authorized individuals.
(9)Limit the access from network connections to critical infrastructure devices and services and only
configure services and software that are needed by the devices and
services.
(10)Disable or delete any service or software from critical infrastructure devices and services that is
unnecessary.
(11)Where feasible, secure critical infrastructure devices and services with host-based and
networked-based security controls and limit the number of ports that are
opened between critical infrastructure devices and services, including any
device requesting access to network resources and services.
(12)Conduct regular audits and testing of the backups and restore events of the critical infrastructure
devices and services.
(13)Ensure that for any device to access and communicate with critical infrastructure devices and
services within the domain, the authentication traffic has to be signed
and encrypted.
(14)Limit the administrator account from accessing critical infrastructure devices and services,
including domain controllers, throughout the network and use such account
only for emergencies.
(15)Restrict remote access to local administrator accounts and use firewall rules to restrict lateral
movement on the network.
(16)Conduct regular formal penetration testing to test for potential security weaknesses and resolve
such weaknesses by not later than seven days after identifying such
weaknesses.
(c)Not later than 30 days after the date of the enactment of this Act, the Secretary shall submit to
the congressional veterans committees written certification that the
Secretary has commenced each action described in subsection (b).
4.Security of computers and servers of Department of Veterans Affairs
(a)The Secretary shall ensure the security of each general purpose computer and server of the
Department.
(b)In carrying out subsection (a), the Secretary shall carry out the following actions:
(1)
Formalize and enforce a Department-wide process to monitor software installed on general purpose
computers and servers of the Department, prevent the unauthorized
installation of software, and remove any unauthorized software that has
been installed.
(2)Not later than 45 days after the date of the enactment of this Act, implement automated patching
tools and processes that ensure that security patches are installed for
any software or operating system on a computer by not later than 48 hours
after the patch is made available.
(3)
Employ automated tools to continuously monitor general purpose computers, servers, and mobile
devices for active, up-to-date anti-malware protection with antivirus,
antispyware, personal firewalls, and host-based intrusion prevention
system functionality.
(4)
Centralize oversight and control to effectively administer patch management processes (but the
responsibility for testing and applying patches to specific systems may be
decentralized to the component level).
(5)
Perform regular scans of general purpose computers and servers to discover security
vulnerabilities and log the results of such scans.
(6)
Perform a patch-focused risk assessment to evaluate each system, database, and general purpose
computer for threats, vulnerabilities, and its criticality to the mission
of the Department.
(7)
If the Secretary determines any security vulnerability—
(A)develop a test for the vulnerability and determine the cause of the vulnerability;
(B)address the vulnerability, including by patching, implementing a compensating control, or
documenting and accepting a reasonable business risk (in accordance with
industry accepted best practices) with respect to the vulnerability; and
(C)perform a post remediation scan to verify that the vulnerability was so addressed.
(8)
Establish and ensure the use of standard, secure configurations of each operating system in use on
the computers of the Department.
(9)
Employ system-scanning tools that check computers daily for software version, patch levels, and
configuration files.
(10)Deploy a security content automation protocol tool that is validated by the National Institute of
Standards and Technology to use specific standards to enable automated
vulnerability management, measurement, and policy compliance evaluation.
(11)
Standardize policies, procedures, and tools for effective patch management, including by assigning
roles and responsibilities, performing risk assessments, and testing
patches.
(12)
Test each patch against all system configurations of the Department in a test environment to
determine any effect on the network before deploying the patch to the
affected systems and monitor the status of the patches after deployment.
(13)
Establish and maintain an inventory of all hardware equipment, software packages, services, and
other technologies installed and used by the Department for patch
management.
(14)
Establish a policy for security fixes that is clearly communicated to computer users to ensure that
the users are aware of—
(A)
the versions of software or operating systems that are supported with respect to security fixes;
and
(B)
when software, operating systems, or other products are scheduled to no longer be maintained.
(15)
Ensure that—
(A)
the staff or contractors of the Department who are involved in patch management have the skills and
knowledge needed to perform the responsibilities relating to such
management; and
(B)
system administrators are trained in identifying new patches and vulnerabilities.
(c)Not later than 30 days after the date of the enactment of this Act, the Secretary shall submit to
the congressional veterans committees written certification that the
Secretary has commenced each action described in subsection (b).
5.Upgrade or phase-out of unsupported or outdated operating systems
(a)Not later than 90 days after the date of the enactment of this Act, the Secretary shall ensure that
the Secretary upgrades or phases out outdated or unsupported operating
systems to protect computers of the Department from harmful viruses,
spyware, and other malicious software that could affect the
confidentiality of sensitive personal information of veterans.
(b)In carrying out subsection (a), the Secretary shall carry out the following activities:
(1)
Establish a plan for phasing out outdated or unsupported operating systems used by the Department.
(2)
Establish a policy to ensure that outdated and unsupported operating systems used by the Department
do not connect to the network of the Department by not later than 15 days
after the date on which such operating systems are so outdated or
unsupported, as determined appropriate by the Secretary.
(3)
Establish a configuration management process to ensure that—
(A)
a secure image that is regularly updated is used to build all new computers used by the Department;
and
(B)any computer used by the Department that becomes compromised is re-imaged using such image.
(4)Implement applicable operating systems based on security guidance identified by the Information
Assurance Directorate of the National Security Agency.
(5)Appropriately configure and test required software that was designed to be used on older operating
systems to ensure the software is usable on a new operating system used by
the Department.
(6)Limit administrative privileges to very few users who have both the appropriate knowledge and
business need to modify the configuration of the operating system.
(7)
Until the date on which an unsupported operating system is replaced, if a computer uses such
operating system, disable web browser plug-ins, use a hardware firewall,
and if practicable, disconnect the computer from the network and do not
use the computer to access the Internet.
(8)
Deploy a software inventory tool to cover each of the operating systems in use by the Department to
track—
(A)the type of such operating systems being used by the Department; and
(B)with respect to each computer of the Department—
(i)the type of operating system installed and the version number and patch level of such operating
system; and
(ii)
the software being used on such operating system.
(9)Regularly use file integrity checking tools to check any changes to critical operating systems,
services, and configuration files.
(c)Not later than 30 days after the date of the enactment of this Act, the Secretary shall submit to
the congressional veterans committees written certification that the
Secretary has commenced each action described in subsection (b).
6.Security of web applications from vital vulnerabilities
(a)The Secretary shall ensure that web applications used by the Department are secure from
vulnerabilities that could affect the confidentiality of sensitive
personal information of veterans.
(b)In carrying out subsection (a), the Secretary shall carry out the following activities:
(1)
Not later than 60 days after the date of the enactment of this Act, develop a plan, including
required actions and milestones, to fully remediate all security
vulnerabilities described in subsection (a) that exist as of the date of
the enactment of this Act.
(2)
Develop detailed guidance for remediating each critical security vulnerability.
(3)
Use best practices and lessons learned, including such practices and lessons described by the
National Institute of Standards and Technology and the Open Web
Application Security Project, to address the security vulnerabilities of
web applications.
(4)
Limit the permissions on the database logon used by web applications to only what is needed to
reduce the effectiveness of any attack that exploits bugs in the
application.
(5)
Provide to web application developers—
(A)
thorough application development guidance to ensure that new applications are designed by taking
into account security; and
(B)
detailed guidance on testing existing web applications for security vulnerabilities, including
buffer overflows and cross-site scripting.
(6)
Configure administrative passwords to be—
(A)complex and consist only of strings of letters, numbers, and characters that do not form a
recognizable word; and
(B)changed every 90 days, in accordance with industry best practices.
(7)
With respect to passwords used in connection with web applications, store the passwords for each
system of the Department only in a well-hashed or encrypted format.
(8)
Implement two-factor authentication technology requirements throughout the Department.
(9)
If vulnerabilities in a web application are found, administer a full-source code review to
determine if the vulnerabilities exist elsewhere within the code of the
application.
(10)
Periodically review user access to networks and web applications to identify unnecessary, inactive,
or terminated user accounts.
(11)
Establish a single set of strong authentication and session management controls that meet all the
authentication and session management requirements defined in the
Application Security Verification Standard of the Open Web Application
Security Project.
(12)
Implement visibility and attribution measures to improve the process, architecture, and technical
capabilities of the Department to monitor web applications used on the
networks and computers of the Department to detect attack attempts, locate
points of entry, identify already compromised machines, interrupt
activities of infiltrated attackers, and gain information about the
sources of an attack.
(c)Not later than 30 days after the date of the enactment of this Act, the Secretary shall submit to
the congressional veterans committees written certification that the
Secretary has commenced each action described in subsection (b).
7.Security of the Vista system
(a)Not later than 90 days after the date of the enactment of this Act, the Secretary shall ensure that
the Vista system is secure from vulnerabilities that could affect the
confidentiality of sensitive personal information of veterans.
(b)
In carrying out subsection (a), the Secretary shall carry out the following activities:
(1)
Develop a remedial action plan to address the approaches to interoperability—
(A)
between multiple Vista systems; and
(B)
between the Vista system and external systems and software.
(2)
Update the policy, procedures, and governance of the Department with respect to system-to-system
integration where users log on to external systems and then automatically
connect to the Vista system and interact.
(3)Provide authentication for the machine-to-machine broker so that the Vista system listener
verifies the identity of the calling system.
(4)
Establish and implement policy with respect to the authentication of external systems attempting to
connect to the Vista system and criteria by which user authentication must
be accomplished to ensure all applications that connect to the Vista
system convey accurate user information.
(5)
Establish a business requirement that system-to-system integration connectivity across the
wide-area network must consist of encrypted communication and require
external systems to securely identify themselves, or for the Vista system
to securely identify external systems that attempt to connect to the
system.
(6)
Establish a business requirement that external systems communicate accurate user information to the
Vista system relating to actions initiated by actual individuals and
facilitate the revocation of access by the Vista system relative to
specific users or external systems attempting to connect.
(7)
Implement monthly project design reviews of the integration between systems and web applications to
ensure that the effectiveness of the existing controls is sustained.
(8)
Assess the potential compromise to non-Department networks that are interconnected with the network
of the Department, including the networks of the Department of Defense and
the Department of Health and Human Services.
(9)
Ensure that, in the near-term, software development for the Vista system develops the critical
enhancements and fixes to the system that are necessary to ensure
compliance with changes to patient enrollment.
(10)
Ensure that all systems of the Department have been given the Authority to Operate designation and have been properly certified by meeting all requirements, including a
comprehensive assessment of management, operational, and technical
security controls, to become operational, and restrict the use of waivers.
(c)Not later than 30 days after the date of the enactment of this Act, the Secretary shall submit to
the congressional veterans committees written certification that the
Secretary has commenced each action described in subsection (b).
8.Report on compliance with information security requirements and best practicesNot later than 60 days after the date of the enactment of this Act, the Secretary of Veterans
Affairs shall submit to the congressional veterans committees the
following:
(1)
Written certification that the Secretary is taking every action required to comply with—
(A)
subchapter III of chapter 57 of title 38, United States Code;
(B)
subchapter III of chapter 35 of title 44, United States Code;
(C)
special publications 800–53 and 800–111 of the National Institute of Standards and Technology,
including with respect to encrypting databases;
(D)
applicable memoranda issued by the Director of Management and Budget regarding protecting
personally identifiable information; and
(E)any other relevant law or regulation regarding the information security of the Department of
Veterans Affairs.
(2)How the Secretary is using and implementing the principles and best practices regarding improving
information security, including with respect to such principles and
practices described in the document titled Framework for Improving Critical Infrastructure Cybersecurity
of the National Institute of Standards and Technology.
9.Reports on implementation
(a)
(1)Not later than 180 days after the date of the enactment of this Act, and every 180-day period
thereafter, the Secretary shall submit to the congressional veterans
committees a report on the implementation of this Act, including the
amendments made by this Act.
(2)Each report under subsection (a) shall include the following:
(A)A description of the actions taken by the Secretary to implement and comply with sections 2 through
7.
(B)
A timeline and project plan, both short-term and long-term, for implementing each of sections 2
through 7 and assigning roles and responsibilities under such plan.
(C)
Performance measures and benchmarks to measure the results of the Secretary in carrying out
remediation efforts under sections 2 through 7.
(D)
A description of the best practices and lessons learned by the Secretary in carrying out sections 2
through 7.
(E)The progress made by the Secretary during each month covered by the report with respect to reducing
the total number of outdated operating systems, web application
vulnerabilities, critical security vulnerabilities, and other matters
covered by sections 2 through 7.
(F)An appendix containing detailed reports of the Department, including the enterprise information
technology dashboard and reports regarding security vulnerabilities,
operating system trends, and web applications.
(b)Annual Inspector General reportThe Inspector General of the Department of Veterans Affairs shall submit to the congressional
veterans committees an annual report that includes a comprehensive
assessment of the adequacy and effectiveness of the implementation by the
Secretary of Veterans Affairs of sections 2 through 7, including the
amendments made by this Act.
(c)On a monthly basis, the Secretary shall submit to the congressional veterans committees reports on
security vulnerabilities discovered pursuant to the actions taken under
section 4(b)(5).
10.In carrying out this Act, including the amendments made by this Act, the Secretary of Veterans
Affairs may substitute a new technology or process relating to information
security for a specific technology or process relating to information
security described in this Act, including the amendments made by this Act,
if the Secretary determines that such new technology or process—
(1)is a successor to the specific technology or process described in this Act, including the
amendments made by this Act; and
(2)provides a greater amount of information security than would be provided if the Secretary did not
make such substitution.
11.In this Act:
(1)The term Authority to Operate means the official management decision given by a senior official of the Department to authorize
operation of an information system and to explicitly accept the risk to
the operations of the Department (including with respect to the mission,
functions, image, or reputation of the Department), the assets and
individuals of the Department, other elements of the Federal Government,
and the United States based on the implementation of an agreed-upon set of
security controls.
(2)The terms confidentiality has the meaning given that term in section 5727 of title 38, United States Code.
(3)The term congressional veterans committees means the Committees on Veterans’ Affairs of the House of Representatives and the Senate.
(4)The term critical network infrastructure means information technology hardware that provides—
(A)vital network services to the Department that is vital to carrying out the mission of the
Department; and
(B)communications, security, transportation, access, and authentication services and capabilities.
(5)The term domain controller means a server that responds to security authentication requests responsible for allowing host
access to domain resources by authenticating users, sorting user account
information, and enforcing security policy.
(6)The term general purpose computer means a computer that, given the appropriate application and required time, should be able to
perform most common computing tasks. Such term includes personal
computers, including desktops, notebooks, smart phones, and tablets.
(7)The term image means a standard set of software (including the operating system and other software) that is
installed on a computer.
(8)The term information security has the meaning given that term in section 5727 of title 38, United States Code.
(9)The term information system has the meaning given that term in section 5727 of title 38, United States Code.
(10)The term sensitive personal information has the meaning given that term in section 5727 of title 38, United States Code.
(11)The term Vista system means the Veterans Health Information Systems and Technology Architecture of the Department of
Veterans Affairs that allows for an integrated inpatient and outpatient
electronic health record for patients and provides administrative tools to
employees of the Department.
(12)The term web application means an application in which all or some parts of the software are downloaded from the Internet
each time the software is accessed, including web browser-based software
that run within a web browser, desktop software that does not use a web
browser, and mobile software that accesses the Internet for additional
information.
(13)The term well-hashed means the process of using a mathematical algorithm against data to produce a numeric value that
is representative of that data.