[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3906 Introduced in House (IH)]

106th CONGRESS
  2d Session
                                H. R. 3906

 To ensure that the Department of Energy has appropriate mechanisms to 
     independently assess the effectiveness of its policy and site 
performance in the areas of safeguards and security and cyber security.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             March 14, 2000

 Mr. Bliley (for himself, Mr. Upton, Mr. Barton of Texas, and Mr. Burr 
of North Carolina) introduced the following bill; which was referred to 
 the Committee on Commerce, and in addition to the Committees on Armed 
 Services, and Science, for a period to be subsequently determined by 
the Speaker, in each case for consideration of such provisions as fall 
           within the jurisdiction of the committee concerned

_______________________________________________________________________

                                 A BILL


 
 To ensure that the Department of Energy has appropriate mechanisms to 
     independently assess the effectiveness of its policy and site 
performance in the areas of safeguards and security and cyber security.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. OFFICE OF INDEPENDENT SECURITY OVERSIGHT.

    (a) Office.--The Secretary of Energy shall maintain an Office of 
Independent Security Oversight, which shall be headed by a Director 
appointed by the Secretary without regard to political affiliation and 
solely on the basis of integrity and demonstrated ability in the 
oversight and evaluation of security for nuclear and classified 
programs. The Director shall report directly to and be under the 
general supervision of the Secretary, but shall not report to or be 
subject to supervision by any other office of the Department of Energy. 
The Secretary shall not prevent, prohibit, or delay the Director from 
initiating, carrying out, or completing any inspection, evaluation, or 
report undertaken pursuant to this Act. Such Office shall be 
responsible for carrying out the missions and functions described in 
subsections (b) and (c).
    (b) Safeguards and Security Evaluations.--
            (1) Mission.--The Office of Independent Security Oversight 
        shall be responsible for the independent evaluation of the 
        effectiveness of safeguards and security policies, practices, 
        and programs throughout the Department of Energy (including the 
        National Nuclear Security Administration), including protection 
        of special nuclear material, protection of classified and 
        sensitive information, personnel security, and foreign visits 
        and assignments. The Office shall develop and validate reports 
        that identify findings and issues, and make recommendations for 
        improvement. It also shall perform timely followup reviews to 
        ensure that corrective actions are effective, and conduct 
        complex-wide studies of security issues and generic weaknesses 
        in safeguards and security.
            (2) Functions.--The Office of Independent Security 
        Oversight shall perform the following functions:
                    (A) Conduct regular evaluations, at least once 
                every 18 months at each site, of safeguards and 
                security programs at Department of Energy sites that 
                have significant amounts of special nuclear material, 
                classified information, or other security interests. 
                The scope of the evaluations shall include all aspects 
                of safeguards and security, including physical 
                protection of special nuclear material, accountability 
                of special nuclear material, protection of classified 
                and sensitive information, personnel security, and 
                foreign visits and assignments.
                    (B) Perform regular assessments of nuclear 
                materials assurance at Department of Energy sites.
                    (C) Evaluate and assess Department of Energy 
                policies related to safeguards and security.
                    (D) Perform timely followup reviews to ensure that 
                corrective actions are effective.
                    (E) Perform complex-wide studies of issues and 
                generic weaknesses in safeguards and security.
                    (F) Develop and validate reports that identify 
                findings and issues, and make recommendations for 
                improvement.
                    (G) Review other government and commercial 
                safeguards and security programs to provide a benchmark 
                for Department of Energy performance.
                    (H) Develop recommendations and opportunities for 
                improving safeguards and security for submittal to the 
                Secretary.
                    (I) Any other function the Secretary considers 
                appropriate and consistent with the mission described 
                in paragraph (1).
    (c) Cyber Security.--
            (1) Mission.--The Office of Independent Security Oversight 
        shall be responsible for the independent evaluation of the 
        effectiveness of classified and unclassified computer security 
        policies and programs throughout the Department of Energy 
        (including the National Nuclear Security Administration). This 
        consists of establishing and maintaining a continuous program 
        for assessing Internet security to include offsite scanning and 
        controlled penetration attempts to detect vulnerabilities that 
        could be exploited by hackers. The Office shall also conduct 
        timely followup reviews to ensure that corrective actions are 
        effective, and perform complex-wide studies and analyses of 
        events associated with computer security programs.
            (2) Functions.--The Office of Independent Security 
        Oversight shall perform the following functions:
                    (A) Conduct regular evaluations of classified and 
                unclassified computer security programs at Department 
                of Energy sites, with sites having significant amounts 
                of special nuclear material, classified information, or 
                other security interests being evaluated at least once 
                every 18 months.
                    (B) Establish and maintain a continuous program for 
                assessing Internet security to include offsite scanning 
                and controlled penetration attempts to detect 
                vulnerabilities that could be exploited by hackers and 
                ensure they are corrected by line management.
                    (C) Evaluate and assess Department of Energy 
                policies related to classified and unclassified 
                computer security.
                    (D) Perform timely followup reviews to ensure that 
                corrective actions are effective.
                    (E) Perform complex-wide studies of issues and 
                generic weaknesses in computer security programs.
                    (F) Develop and validate reports that identify 
                findings and issues, and make recommendations for 
                improvement.
                    (G) Review other government and commercial computer 
                security programs to provide a benchmark for Department 
                of Energy performance.
                    (H) Develop recommendations and opportunities for 
                improving cyber security for submittal to the 
                Secretary.
                    (I) Any other function the Secretary considers 
                appropriate and consistent with the mission described 
                in paragraph (1).

SEC. 2. REPORTS TO CONGRESS.

    (a) Report by Office.--The Office of Independent Security Oversight 
shall, before February 15 of each year, transmit to the Secretary of 
Energy and to the Congress an unclassified report, with a classified 
appendix if requested or necessary, summarizing the activities of the 
Office during the immediately preceding calendar year. Such report 
shall include--
            (1) an overview of the status of security at the Department 
        of Energy in the areas of responsibility of that Office;
            (2) a description of significant problems and deficiencies, 
        by site if applicable, identified in such security areas;
            (3) a description of recommendations for corrective action 
        made by the Office during the reporting period with respect to 
        significant problems or deficiencies identified pursuant to 
        paragraph (2);
            (4) the adequacy of corrective actions, if any, taken by 
        the Department to address such problems and deficiencies;
            (5) an identification of each significant problem or 
        deficiency described in previous annual reports on which 
        corrective action has not been effectively completed;
            (6) a summary of each significant report made to the 
        Secretary pursuant to this Act during the reporting period;
            (7) a description and explanation of the reasons for any 
        significant revisions to security policy decisions made during 
        the reporting period; and
            (8) a description of any significant security policy 
        decision with which the Director is in disagreement.
    (b) Report by Secretary.--The Secretary of Energy shall, before 
March 15 of each year, transmit to the Congress an unclassified report, 
with a classified appendix if requested or necessary, summarizing the 
Secretary's response to the Office's annual report submitted under 
subsection (a). Such report from the Secretary shall include--
            (1) an identification of each significant problem, 
        deficiency, or recommendation identified in the Office's annual 
        report with which the Secretary is in disagreement;
            (2) an explanation of the reasons for any failure on the 
        part of the Department of Energy to complete effectively 
        corrective actions recommended by the Office in its previous 
        annual reports; and
            (3) a description of the Secretary's response to each 
        significant report made to the Secretary pursuant to this Act 
        during the reporting period.
    (c) Public Availability.--Within 60 days after the transmission of 
the annual report of the Office of Independent Security Oversight under 
subsection (a), the Secretary of Energy shall make copies of the 
unclassified portions of such report available to the public upon 
request and at a reasonable cost. Within 60 days after the transmission 
of the annual report of the Secretary under subsection (b), the 
Secretary shall make the unclassified portions of such report available 
to the public upon request and at a reasonable cost.
    (d) Special Reports.--The Director of the Office of Independent 
Security Oversight shall report immediately to the Secretary of Energy 
and the Congress whenever the Director becomes aware of particularly 
serious or flagrant problems or deficiencies relating to the security 
programs, practices, or operations of the Department of Energy. The 
Secretary shall, within 7 calendar days after receiving a report under 
this subsection, report to Congress on the corrective actions taken to 
address such problems.
    (e) Direct Reporting.--The Director of the Office of Independent 
Security Oversight shall report directly to the Congress with respect 
to those matters identified in subsections (a) and (d), and the 
Secretary of Energy shall not alter, modify, or otherwise change the 
substance of any such report, nor shall the Secretary prevent, 
prohibit, or delay any such report.
    (f) Congressional Testimony and Briefings.--The Director of the 
Office of Independent Security Oversight, whenever called to testify 
before any Committee of Congress or to brief its Members or staff, 
shall provide the Secretary of Energy with advance notice of the 
subject matter of that testimony or briefing, but the Secretary shall 
not alter, modify, or otherwise change the substance of such testimony 
or briefing, or prevent, prohibit, or delay such testimony or briefing.