[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5024 Introduced in House (IH)]







106th CONGRESS
  2d Session
                                H. R. 5024

 To provide for the coordination of Federal information policy through 
the establishment of a Federal Chief Information Officer and an Office 
of Information Policy in the Executive Office of the President, and to 
     otherwise strengthen Federal information resources management.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             July 27, 2000

Mr. Davis of Virginia introduced the following bill; which was referred 
                 to the Committee on Government Reform

_______________________________________________________________________

                                 A BILL


 
 To provide for the coordination of Federal information policy through 
the establishment of a Federal Chief Information Officer and an Office 
of Information Policy in the Executive Office of the President, and to 
     otherwise strengthen Federal information resources management.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Information Policy Act of 
2000''.

SEC. 2. FINDINGS AND PURPOSES.

    (a) Findings.--The Congress finds--
            (1) the use of computers and the Internet are fundamentally 
        changing the way in which the Federal Government operates;
            (2) Government service to the public is significantly 
        harmed by the failure of the Federal Government to efficiently 
        and effectively develop, use, and manage information resources, 
        particularly information technology;
            (3) Government agency information activities are poorly 
        coordinated and implemented;
            (4) the current statutory framework for the management of 
        Federal Government information resources is fundamentally 
        flawed by its reliance on direction and oversight by the Office 
        of Management and Budget;
            (5) new leadership, and a new oversight framework, is 
        required to provide efficient and effective management of 
        Federal Government information resources; and
            (6) the executive branch agencies do not have an effective 
        framework for establishing essential requirements to ensure 
        adequate control and protection of information resources that 
        support Federal operations and assets, and thus cannot provide 
        effective management and oversight of the related information 
        security risks.
    (b) The purposes of this Act are to--
            (1) establish a Chief Information Officer for the Federal 
        Government who can assert leadership, direction, and oversight 
        of Federal agency management of information resources to 
        efficiently and effectively perform governmental functions;
            (2) harmonize existing information resources management 
        laws in order to coordinate and improve the Federal 
        Government's development, use, and management of information 
        resources, particularly information technology;
            (3) create opportunities for innovation in the development, 
        use, and management of information resources, including 
        information technology, by the Federal Government; and
            (4) create effective management and oversight of related 
        information security risks, including the coordination of 
        information security standards and efforts throughout the 
        executive branch.

SEC. 3. COORDINATION OF FEDERAL INFORMATION POLICY.

    Chapter 35 of title 44, United States Code, is amended to read as 
follows:

        ``CHAPTER 35--COORDINATION OF FEDERAL INFORMATION POLICY

``Sec.
``3501. Purposes.
``3502. Definitions.
``3503. Office of Information Policy.
``3504. Authority and functions of the Chief Information Officer.
``3505. Assignment of tasks and deadlines.
``3506. Federal agency responsibilities.
``3507. Federal agency chief information officers.
``3508. Chief Information Officers Council.
``3509. Establishment and operation of Government Information Locator 
                            Service.
``3510. Chief Information Officer review of agency activities; 
                            reporting; agency response.
``3511. Report to Congress.
``3512. Rules and regulations.
``3513. Effect on existing laws and regulations.
``3514. Access to information.
``3515. Application to national security systems.
``3516. Authorization of appropriations.

        ``CHAPTER 35--COORDINATION OF FEDERAL INFORMATION POLICY

``Sec. 3501. Purposes
    ``The purposes of this chapter are to--
            ``(1) establish a central focal point to provide effective 
        leadership to improve Federal Government information resources 
        management, particularly with regard to efforts to use 
        information technology to more efficiently and effectively 
        perform governmental functions;
            ``(2) provide a mechanism for improved coordination among 
        Federal agencies for the development, use, and management of 
        information technology and related information resources by the 
        Federal Government;
            ``(3) create opportunities for innovation in the 
        development, use, and management of information technology and 
        related information resources by the Federal Government;
            ``(4) ensure the greatest possible public benefit from and 
        maximize the utility of information created, collected, 
        maintained, used, shared and disseminated by or for the Federal 
        Government, while minimizing burdens on the public;
            ``(5) coordinate, integrate, and to the extent practicable 
        and appropriate, make uniform Federal information resources 
        management policies and practices as a means to improve the 
        productivity, efficiency, and effectiveness of Government 
        programs, including the reduction of information collection 
        burdens on the public and the improvement of service delivery 
        to the public;
            ``(6) improve the quality and use of Federal information to 
        strengthen decisionmaking, accountability, and openness in 
        Government and society;
            ``(7) minimize the cost to the Federal Government of the 
        creation, collection, maintenance, use, dissemination, and 
        disposition of information;
            ``(8) strengthen the partnership between the Federal 
        Government and State, local, and tribal governments by 
        minimizing the burden and maximizing the utility of information 
        created, collected, maintained, used, disseminated, and 
        retained by or for the Federal Government;
            ``(9) provide for the dissemination of public information 
        on a timely basis, on equitable terms, and in a manner that 
        promotes the utility of the information to the public and makes 
        effective use of information technology;
            ``(10) ensure that the creation, collection, maintenance, 
        use, dissemination, and disposition of information by or for 
        the Federal Government is consistent with applicable laws, 
        including laws relating to--
                    ``(A) privacy and confidentiality, including 
                section 552a of title 5;
                    ``(B) security of information, including the 
                Computer Security Act of 1987 (Public Law 100-235); and
                    ``(C) access to information, including section 552 
                of title 5;
            ``(11) ensure the integrity, quality, and utility of the 
        Federal statistical system;
            ``(12) ensure that information technology is acquired, 
        used, and managed to improve performance of agency missions, 
        including the reduction of information collection burdens on 
        the public; and
            ``(13) improve the responsibility and accountability of the 
        President and all agencies of the Federal Government to 
        Congress and to the public for complying with information 
        resources management, and related policies and guidelines 
        established under this chapter.
``Sec. 3502. Definitions
    ``As used in this chapter--
            ``(1) the term `agency' means any executive department, 
        military department, Government corporation, Government 
        controlled corporation, or other establishment in the executive 
        branch of the Government (including the Executive Office of the 
        President), or any independent regulatory agency, but does not 
        include--
                    ``(A) the Federal Election Commission;
                    ``(B) the governments of the District of Columbia 
                and of the territories and possessions of the United 
                States, and their various subdivisions; or
                    ``(C) Government-owned contractor-operated 
                facilities, including laboratories engaged in national 
                defense research and production activities;
            ``(2) the term `Director' means the Director of the Office 
        of Management and Budget;
            ``(3) the term `independent regulatory agency' means the 
        Board of Governors of the Federal Reserve System, the Commodity 
        Futures Trading Commission, the Consumer Product Safety 
        Commission, the Federal Communications Commission, the Federal 
        Deposit Insurance Corporation, the Federal Energy Regulatory 
        Commission, the Federal Housing Finance Board, the Federal 
        Maritime Commission, the Federal Trade Commission, the 
        Interstate Commerce Commission, the Mine Enforcement Safety and 
        Health Review Commission, the National Labor Relations Board, 
        the Nuclear Regulatory Commission, the Occupational Safety and 
        Health Review Commission, the Postal Rate Commission, the 
        Securities and Exchange Commission, and any other similar 
        agency designated by statute as a Federal independent 
        regulatory agency or commission;
            ``(4) the term `information resources' means information 
        and related resources, such as personnel, equipment, funds, and 
        information technology;
            ``(5) the term `information resources management' means the 
        process of managing information resources to accomplish agency 
        missions and to improve agency performance, including through 
        the reduction of information collection burdens on the public;
            ``(6) the term `information system' means a discrete set of 
        information resources organized for the collection, processing, 
        maintenance, use, sharing, dissemination, or disposition of 
        information;
            ``(7) the term `information technology'--
                    ``(A) means any equipment or interconnected system 
                or subsystem of equipment, that is used in the 
                automatic acquisition, storage, manipulation, 
                management, movement, control, display, switching, 
                interchange, transmission, or reception of data or 
                information by an agency. For purposes of the preceding 
                sentence, equipment is used by an agency if the 
                equipment is used by the agency directly or is used by 
                a contractor under a contract with the agency which (i) 
                requires the use of such equipment, or (ii) requires 
                the use, to a significant extent, of such equipment in 
                the performance of a service or the furnishing of a 
                product;
                    ``(B) includes computers, ancillary equipment, 
                software, firmware and similar procedures, services 
                (including support services), and related resources; 
                and
                    ``(C) notwithstanding subparagraphs (A) and (B), 
                does not include--
                            ``(i) any equipment that is acquired by a 
                        Federal contractor incidental to a Federal 
                        contract; or
                            ``(ii) any national security system;
            ``(8) the term `information technology architecture' means 
        an integrated framework for evolving or maintaining existing 
        information technology and acquiring new information technology 
        to achieve the agency's strategic goals and information 
        resources management goals;
            ``(9) the term `national security system' means any 
        telecommunications or information system operated by the United 
        States Government, the function, operation, or use of which--
                    ``(A) involves intelligence activities;
                    ``(B) involves cryptologic activities related to 
                national security;
                    ``(C) involves command and control of military 
                forces;
                    ``(D) involves equipment that is an integral part 
                of a weapon or weapons system; or
                    ``(E) is critical to the direct fulfillment of 
                military or intelligence missions, provided that this 
                exclusion does not apply to a system that is used for 
                routine administrative and business applications 
                (including payroll, finance, logistics, and personnel 
                management applications);
            ``(10) the term `person' means an individual, partnership, 
        association, corporation, business trust, or legal 
        representative, an organized group of individuals, a State, 
        territorial, tribal, or local government or branch thereof, or 
        a political subdivision of a State, territory, tribal, or local 
        government or a branch of a political subdivision; and
            ``(11) the term `public information' means any information, 
        regardless of form or format, that an agency discloses, 
        disseminates, or makes available to the public.
``Sec. 3503. Office of Information Policy
    ``(a) Establishment.--There is established in the Executive Office 
of the President an Office of Information Policy (hereinafter in this 
chapter referred to as the `Office'). The purpose of the Office shall 
be to serve as a source of advice for the President and to direct and 
oversee agencies with respect to the development, use, and management 
of information resources.
    ``(b) Chief Information Officer of the United States.--There shall 
be at the head of the Office a Chief Information Officer of the United 
States (hereinafter in this chapter referred to as the `Chief 
Information Officer'), who shall serve as a special assistant to, and 
report directly to, the President. The Chief Information Officer is 
appointed by the President, by and with the advice and consent of the 
Senate, from among persons who have demonstrated through practical 
experience in the public or private sectors knowledge, skills, and 
leadership abilities in the management and use of information resources 
necessary for the performance of the functions required under this 
chapter.
    ``(c) Deputy Chief Information Officer of the United States.--There 
shall be a Deputy Chief Information Officer of the United States 
(hereinafter in this chapter referred to as the `Deputy Chief 
Information Officer'), who shall carry out the duties and powers 
prescribed by the Chief Information Officer, and acts as the Chief 
Information Officer when the Chief Information Officer is absent or 
unable to serve or when the office of Chief Information Officer is 
vacant. The Deputy Chief Information Officer is appointed by the 
President, by and with the advice and consent of the Senate, from among 
persons who have demonstrated through practical experience in the 
public or private sectors knowledge, skills, and leadership abilities 
in the management and use of information resources necessary for the 
performance of the functions required under this chapter.
    ``(d) Acting Chief Information Officer.--When the Chief Information 
Officer and Deputy Chief Information Officer are absent or unable to 
serve or when the offices of Chief Information Officer and Deputy Chief 
Information Officer are vacant, the President may designate an officer 
of the Office to act as the Chief Information Officer.
    ``(e) Employees.--The Chief Information Officer shall appoint and 
fix the pay of employees of the Office under regulations prescribed by 
the President.
    ``(f) Necessary Expenditures.--The Chief Information Officer may 
make necessary expenditures for the Office under regulations prescribed 
by the President.
    ``(g) Support From Other Agencies.--Upon the request of the Chief 
Information Officer, the head of an agency shall, on a nonreimbursable 
basis, make services, personnel, or facilities of the agency available 
to the Office to assist in the performance of functions under this 
chapter.
``Sec. 3504. Authority and functions of Chief Information Officer
    ``(a) Adviser to the President.--The Chief Information Officer 
shall, to the extent that the President determines appropriate and in 
the interest of the United States, be the principal adviser to the 
President on matters relating to the efficient and effective 
development, use, and management of information technology and other 
information resources by the Federal Government.
    ``(b) Oversight of Information Resources Management.--In addition 
to such other functions and activities as the President may assign, the 
Chief Information Officer shall oversee the use of information 
resources to improve the efficiency and effectiveness of governmental 
operations to serve agency missions. In performing such oversight, the 
Chief Information Officer shall--
            ``(1) develop, coordinate, and oversee the implementation 
        of uniform Federal information resources management policies, 
        principles, standards, and guidelines;
            ``(2) provide direction and oversee activities of agencies 
        with regard to--
                    ``(A) dissemination of and public access to 
                information;
                    ``(B) statistical activities;
                    ``(C) records management activities;
                    ``(D) privacy, confidentiality, security, 
                disclosure, and sharing of information; and
                    ``(E) the acquisition and use of information 
                technology;
            ``(3) provide advice and assistance to agencies and to the 
        Director with respect to the collection of information and 
        control of paperwork burdens on the public, consistent with the 
        requirements of chapter 36;
            ``(4) review and recommend to the President and the 
        Director changes to the budget and legislative proposals of 
        agencies to provide more efficient and effective use of 
        information resources;
            ``(5) serve as the chairperson of the Chief Information 
        Officers Council established under section 3508;
            ``(6) notwithstanding any other provision of law, direct 
        and oversee all actions by the Administrator of General 
        Services with regard to the provision of any information 
        resources related services for or on behalf of agencies, 
        including the acquisition or management of telecommunications 
        or other information technology or services;
            ``(7) direct, at his discretion, the use by the 
        Administrator of General Services of available budget authority 
        in the Information Technology Fund established by section 110 
        of the Federal Property and Administrative Services Act of 1949 
        (40 U.S.C. 757);
            ``(8) foster greater sharing, dissemination, and access to 
        public information, including through--
                    ``(A) the use of the Government Information Locator 
                Service; and
                    ``(B) the development and utilization of common 
                standards for information collection, storage, 
                processing, and communication, including standards for 
                security, interconnectivity, and interoperability;
            ``(9) oversee the development and implementation of best 
        practices in information resources management, including 
        training;
            ``(10) oversee agency integration of program and management 
        functions with information resources management functions; and
            ``(11)(i) with selected agencies and non-Federal entities 
        on a voluntary basis, conduct pilot projects to test 
        alternative policies, practices, regulations, and procedures to 
        fulfill the purposes of this chapter; and
            ``(ii) for purposes of any pilot project conducted under 
        clause (i), in his discretion, after consultation with the 
        agency head, waive the application of any administrative 
        directive issued by an agency with which the project is 
        conducted, after giving timely notice to the public and the 
        Congress regarding the need for such waiver.
    ``(c) Information Collection.--With respect to the collection of 
information and the control of paperwork, the Chief Information Officer 
shall provide advice and assistance to agencies and to the Director to 
promote efficient and effective management of the collection of 
information and the reduction of paperwork burdens on the public, 
consistent with the requirements of chapter 36.
    ``(d) Information Dissemination.--With respect to information 
dissemination, the Chief Information Officer shall develop and oversee 
the implementation of policies, principles, standards, and guidelines 
to--
            ``(1) apply to Federal agency dissemination of public 
        information, regardless of the form or format in which such 
        information is disseminated; and
            ``(2) promote public access to public information and 
        fulfill the purposes of this chapter, including through the 
        effective use of information technology.
    ``(e) Statistics.--With respect to statistical policy and 
coordination, the Chief Information Officer shall--
            ``(1) coordinate the activities of the Federal statistical 
        system to ensure--
                    ``(A) the efficiency and effectiveness of the 
                system; and
                    ``(B) the integrity, objectivity, impartiality, 
                utility, and confidentiality of information collected 
                for statistical purposes;
            ``(2) consult with the Director to ensure that budget 
        proposals of agencies are consistent with systemwide priorities 
        for maintaining and improving the quality of Federal statistics 
        and prepare an annual report on statistical program funding;
            ``(3) develop and oversee the implementation of 
        Governmentwide policies, principles, standards, and guidelines 
        concerning--
                    ``(A) statistical collection procedures and 
                methods;
                    ``(B) statistical data classification;
                    ``(C) statistical information presentation and 
                dissemination;
                    ``(D) timely release of statistical data; and
                    ``(E) such statistical data sources as may be 
                required for the administration of Federal programs;
            ``(4) evaluate statistical program performance and agency 
        compliance with Governmentwide policies, principles, standards, 
        and guidelines;
            ``(5) promote the sharing of information collected for 
        statistical purposes consistent with privacy rights and 
        confidentiality pledges;
            ``(6) coordinate the participation of the United States in 
        international statistical activities, including the development 
        of comparable statistics;
            ``(7) appoint a chief statistician who is a trained and 
        experienced professional statistician to carry out the 
        functions described under this subsection;
            ``(8) establish an Interagency Council on Statistical 
        Policy to advise and assist the Chief Information Officer in 
        carrying out the functions under this subsection that shall--
                    ``(A) be headed by the chief statistician; and
                    ``(B) consist of--
                            ``(i) the heads of the major statistical 
                        programs; and
                            ``(ii) representatives of other statistical 
                        agencies under rotating membership; and
            ``(9) provide opportunities for training in statistical 
        policy functions to employees of the Federal Government under 
        which--
                    ``(A) each trainee shall be selected at the 
                discretion of the Chief Information Officer based on 
                agency requests and shall serve under the chief 
                statistician for at least 6 months and not more than 1 
                year; and
                    ``(B) all costs of the training shall be paid by 
                the agency requesting training.
    ``(f) Records Management.--With respect to records management, the 
Chief Information Officer shall--
            ``(1) provide advice and assistance to the Archivist of the 
        United States and the Administrator of General Services to 
        promote coordination in the administration of chapters 29, 31, 
        and 33 of this title with the information resources management 
        policies, principles, standards, and guidelines established 
        under this chapter;
            ``(2) review compliance by agencies with--
                    ``(A) the requirements of chapters 29, 31, and 33 
                of this title; and
                    ``(B) regulations promulgated by the Archivist of 
                the United States and the Administrator of General 
                Services; and
            ``(3) oversee the application of records management 
        policies, principles, standards, and guidelines, including 
        requirements for archiving information maintained in electronic 
        format, in the planning and design of information systems.
    ``(g) Privacy and Security.--With respect to privacy and security, 
the Chief Information Officer shall--
            ``(1) develop and oversee the implementation of policies, 
        principles, standards, and guidelines on privacy, 
        confidentiality, security, disclosure, and sharing of 
        information collected or maintained by or for agencies;
            ``(2) oversee and coordinate compliance with sections 552 
        and 552a of title 5, sections 20 and 21 of the National 
        Institute of Standards and Technology Act (15 U.S.C. 278g-3 and 
        278g-4), sections 5 and 6 of the Computer Security Act of 1987 
        (40 U.S.C. 759 note), chapters 37 and 38 of this title, and 
        related information management laws; and
            ``(3) require Federal agencies, consistent with the 
        standards and guidelines promulgated under section 3812 of this 
        title, sections 5 and 6 of the Computer Security Act of 1987 
        (40 U.S.C. 759 note), and chapter 37 of this title, to identify 
        and afford security protections commensurate with the risk and 
        magnitude of the harm resulting from the loss, misuse, or 
        unauthorized access to or modification of information collected 
        or maintained by or on behalf of an agency.
    ``(h) Information Technology.--With respect to Federal information 
technology, the Chief Information Officer shall--
            ``(1) in consultation with the Secretary of Commerce and 
        the Chief Information Officers Council, develop and oversee the 
        implementation of policies, principles, standards, and 
        guidelines for information technology functions and activities 
        of the Federal Government, as provided in this chapter and in 
        chapters 37 and 38 of this title, including through periodic 
        evaluations of major information systems; and
            ``(2) oversee the effectiveness of, and compliance with, 
        directives issued under section 110 of the Federal Property and 
        Administrative Services Act of 1949 (40 U.S.C. 757);
            ``(3) provide advice and assistance to the Administrator of 
        the Office of Federal Procurement Policy in the Office of 
        Management and Budget to ensure coordination of policies 
        associated with Federal procurement and acquisition of 
        information technology with policies under this chapter;
            ``(4) ensure, through the review of agency budget 
        proposals, information resources management plans and other 
        means--
                    ``(A) agency integration of information resources 
                management plans, program plans, and budgets for 
                acquisition and use of information technology; and
                    ``(B) the efficiency and effectiveness of inter-
                agency information technology initiatives to improve 
                agency performance and the accomplishment of agency 
                missions;
            ``(5) promote the use of information technology by the 
        Federal Government to improve the productivity, efficiency, and 
        effectiveness of Federal programs, including through 
        dissemination of public information and the reduction of 
        information collection burdens on the public;
            ``(6) provide leadership in innovative uses of information 
        technology by agencies through support of experimentation, 
        testing, and adoption of innovative concepts and technologies, 
        particularly with regard to multiagency initiatives and efforts 
        to improve communication and data exchange among all levels of 
        government and with the public, including by providing 
        consolidated points of public access to government services; 
        and
            ``(7) consult with the heads of agencies that operate 
        national security systems to ensure effective communication 
        among all agencies concerning best practices experiences in the 
        development, use, and management of information technology.
    ``(i) Requirements of Law.--The authority of the Chief Information 
Officer under this chapter shall be exercised consistent with 
applicable law.
``Sec. 3505. Assignment of tasks and deadlines
    ``(a) Strategic Information Resources Management Plan.--In 
consultation with the Director, the Administrator of General Services, 
the Director of the National Institute of Standards and Technology, the 
Archivist of the United States, the Director of the Office of Personnel 
Management, and the Chief Information Officer Council, the Chief 
Information Officer shall develop and maintain a Governmentwide 
strategic plan for information resources management, that shall 
include--
            ``(1) a description of the objectives and the means by 
        which the Federal Government shall apply information resources 
        to improve agency and program performance;
            ``(2) plans for--
                    ``(A) reducing information burdens on the public, 
                including reducing such burdens through the elimination 
                of duplication and meeting shared data needs with 
                shared resources, in accordance with the purposes of 
                chapter 36 of this title;
                    ``(B) enhancing public access to and dissemination 
                of, information, using electronic and other formats; 
                and
                    ``(C) meeting the information technology needs of 
                the Federal Government in accordance with the purposes 
                of this chapter and chapter 38 of this title; and
            ``(3) a description of progress in applying information 
        resources management to improve agency performance and the 
        accomplishment of missions.
    ``(b) Government Paperwork Elimination.--
            ``(1) Use and acceptance of electronic signatures by 
        executive agencies.--
                    ``(A) Development of procedures.--The Chief 
                Information Officer shall, in consultation with the 
                Director and the Administrator of the National 
                Telecommunications and Information Administration and 
                not later than October 1, 2000, develop and implement 
                procedures for the use and acceptance of electronic 
                signatures by agencies.
                    ``(B) Requirements for procedures.--
                            ``(i) The procedures developed under 
                        subparagraph (A)--
                                    ``(I) shall be compatible with 
                                standards and technology for electronic 
                                signatures that are generally used in 
                                commerce and industry and by State 
                                governments;
                                    ``(II) may not inappropriately 
                                favor one industry or technology;
                                    ``(III) shall ensure that 
                                electronic signatures are as reliable 
                                as is appropriate for the purpose in 
                                question and keep intact the 
                                information submitted;
                                    ``(IV) shall provide for the 
                                electronic acknowledgment of electronic 
                                forms that are successfully submitted; 
                                and
                                    ``(V) shall, to the extent feasible 
                                and appropriate, require an executive 
                                agency that anticipates receipt by 
                                electronic means of 50,000 or more 
                                submittals of a particular form to take 
                                all steps necessary to ensure that 
                                multiple methods of electronic 
                                signatures are available for the 
                                submittal of such form.
                            ``(ii) The Director shall ensure the 
                        compatibility of the procedures under clause 
                        (i)(I) in consultation with appropriate private 
                        bodies and State government entities that set 
                        standards for the use and acceptance of 
                        electronic signatures.
                    ``(C) Deadline for use and acceptance of electronic 
                signatures.--The Chief Information Officer shall ensure 
                that, commencing not later than October 1, 2003, 
                agencies provide--
                            ``(i) for the option of the electronic 
                        maintenance, submission, or disclosure of 
                        information, when practicable as a substitute 
                        for paper; and
                            ``(ii) for the use and acceptance of 
                        electronic signatures, when practicable.
            ``(2) Electronic storage and filing of employment forms.--
        The Chief Information Officer shall, in consultation with the 
        Director and not later than October 1, 2000, develop and 
        implement procedures to permit private employers to store and 
        file electronically with agencies forms containing information 
        pertaining to the employees of such employers.
            ``(3) Study on use of electronic signatures.--The Chief 
        Information Officer shall, in consultation with the Director 
        and the Administrator of the National Telecommunications and 
        Information Administration, conduct an ongoing study of, and 
        periodically report to Congress on, the use of electronic 
        signatures under this subsection on--
                    ``(A) paperwork reduction and electronic commerce;
                    ``(B) individual privacy; and
                    ``(C) the security and authenticity of 
                transactions.
            ``(4) Enforceability and legal effect of electronic 
        records.--Electronic records submitted or maintained in 
        accordance with procedures developed under this subsection, or 
        electronic signatures or other forms of electronic 
        authentication used in accordance with such procedures, shall 
        not be denied legal effect, validity, or enforceability because 
        such records are in electronic form.
            ``(5) Disclosure of information.--Except as provided by 
        law, information collected in the provision of electronic 
        signature services for communications with an agency, as 
        provided by this subsection shall only be used or disclosed by 
        persons who obtain, collect, or maintain such information as a 
        business or government practice, for the purpose of 
        facilitating such communications, or with the prior affirmative 
        consent of the person about whom the information pertains.
            ``(6) Application with internal revenue laws.--No provision 
        of this subsection shall apply to the Department of the 
        Treasury or the Internal Revenue Service to the extent that 
        such provision--
                    ``(A) involves the administration of the internal 
                revenue laws; or
                    ``(B) conflicts with any provision of the Internal 
                Revenue Service Restructuring and Reform Act of 1998 or 
                the Internal Revenue Code of 1986.
            ``(7) Definition.--For purposes of this subsection, the 
        term `electronic signature' means a method of signing an 
        electronic message that--
                    ``(A) identifies and authenticates a particular 
                person as the source of the electronic message; and
                    ``(B) indicates such person's approval of the 
                information contained in the electronic message.
    ``(c) Electronic Government.--The Chief Information Officer shall, 
assisted by the Chief Information Officers Council and other interested 
persons as selected by the Chief Information Officer, monitor the 
implementation of the requirements of subsection (b), the Electronic 
Signatures in Global and National Commerce Act, and related laws to 
ensure that the Federal Government--
            ``(1) develops and maintains an efficient and effective 
        information infrastructure for undertaking government 
        operations using electronic information processes;
            ``(2) provides efficient and effective means for members of 
        the public to interact with the Federal Government by means 
        other than electronic information processes; and
            ``(3) manages its increasing reliance on information 
        technology in a manner consistent with the purposes and 
        requirements of this chapter.
    ``(d) Study of Standard Setting Process.--The Chief Information 
Officer shall, in consultation with the Secretary of Commerce, review 
the Federal information systems standards setting process, established 
under sections 20 and 21 of the National Institute of Standards and 
Technology Act (15 U.S.C. 278g-3 and 278g-4) and section 3812 of this 
title, and report to the President on the efficiency and effectiveness 
of the process and any recommendations for improving the process.
    ``(e) Evaluation of Information Technology Management Processes.--
            ``(1) The Chief Information Officer shall, not later than 
        one year after enactment of this chapter, establish minimum 
        evaluation criteria to be used for independent evaluations of--
                    ``(A) agency implementation of information 
                technology management processes and capabilities 
                required under sections 3805 and 3806 of this title;
                    ``(B) cost, schedule, risk, and return status of 
                major information management and technology 
                initiatives; and
                    ``(C) results of major information technology 
                investments and programs in achieving progress toward 
                improvements in mission performance and programmatic 
                outcomes.
            ``(2) The head of each agency shall, not later than two 
        years after enactment of this chapter, have performed an 
        independent evaluation of the agency's information technology 
        management processes and capabilities, using criteria required 
        under paragraph (1).
            ``(3) Results of agency assessments required under 
        paragraph (2) shall be submitted not later than October 1 of 
        each year to the Chief Information Officer, the Director, and 
        the Congress.
``Sec. 3506. Federal agency responsibilities
    ``(a) General Responsibilities.--
            ``(1) The head of each agency shall be responsible for--
                    ``(A) carrying out the agency's information 
                resources management activities to improve agency 
                productivity, efficiency, and effectiveness; and
                    ``(B) complying with the requirements of this 
                chapter and related policies established by the Chief 
                Information Officer.
    ``(b) Information Resources Management.--With respect to general 
information resources management, each agency shall--
            ``(1) manage information resources to--
                    ``(A) reduce information collection burdens on the 
                public;
                    ``(B) increase program efficiency and 
                effectiveness; and
                    ``(C) improve the integrity, quality, and utility 
                of information to all users within and outside the 
                agency, including capabilities for ensuring 
                dissemination of public information, public access to 
                government information, and protections for privacy and 
                security;
            ``(2) in accordance with guidance by the Chief Information 
        Officer, develop and maintain a strategic information resources 
        management plan that shall describe how information resources 
        management activities help accomplish agency missions;
            ``(3) develop and maintain an ongoing process to--
                    ``(A) ensure that information resources management 
                operations and decisions are integrated with 
                organizational planning, budget, financial management, 
                human resources management, and program decisions;
                    ``(B) in cooperation with the agency Chief 
                Financial Officer (or comparable official), develop a 
                full and accurate accounting of information technology 
                expenditures, related expenses, and results; and
                    ``(C) establish goals for improving information 
                resources management's contribution to program 
                productivity, efficiency, and effectiveness, methods 
                for measuring progress toward those goals, and clear 
                roles and responsibilities for achieving those goals;
            ``(4) in consultation with the Chief Information Officer, 
        the Director, the Administrator of General Services, and the 
        Archivist of the United States, maintain a current and complete 
        inventory of the agency's information resources, including directories 
        necessary to fulfill the requirements of section 3509; and
            ``(5) in consultation with the Chief Information Officer 
        and the Director of the Office of Personnel Management, conduct 
        formal training programs to educate agency program and 
        management officials about information resources management.
    ``(c) Information Collection.--With respect to information 
collection and the control of paperwork, each agency shall comply with 
the requirements of chapter 36 and ensure that information resources 
are managed to maximize efficiency and effectiveness while reducing 
paperwork burdens on the public.
    ``(d) Information Dissemination.--With respect to information 
dissemination, each agency shall--
            ``(1) ensure that the public has timely and equitable 
        access to the agency's public information, including ensuring 
        such access through--
                    ``(A) encouraging a diversity of public and private 
                sources for information based on government public 
                information;
                    ``(B) in cases in which the agency provides public 
                information maintained in electronic format, providing 
                timely and equitable access to the underlying data (in 
                whole or in part); and
                    ``(C) agency dissemination of public information in 
                an efficient, effective, and economical manner;
            ``(2) regularly solicit and consider public input on the 
        agency's information dissemination activities;
            ``(3) provide adequate notice when initiating, 
        substantially modifying, or terminating significant information 
        dissemination products; and
            ``(4) not, except where specifically authorized by 
        statute--
                    ``(A) establish an exclusive, restricted, or other 
                distribution arrangement that interferes with timely 
                and equitable availability of public information to the 
                public;
                    ``(B) restrict or regulate the use, resale, or 
                redissemination of public information by the public;
                    ``(C) charge fees or royalties for resale or 
                redissemination of public information; or
                    ``(D) establish user fees for public information 
                that exceed the cost of dissemination.
    ``(e) Statistics.--With respect to statistical policy and 
coordination, each agency shall--
            ``(1) ensure the relevance, accuracy, timeliness, 
        integrity, and objectivity of information collected or created 
        for statistical purposes;
            ``(2) inform respondents fully and accurately about the 
        sponsors, purposes, and uses of statistical surveys and 
        studies;
            ``(3) protect respondents' privacy and ensure that 
        disclosure policies fully honor pledges of confidentiality;
            ``(4) observe Federal standards and practices for data 
        collection, analysis, documentation, sharing, and dissemination 
        of information;
            ``(5) ensure the timely publication of the results of 
        statistical surveys and studies, including information about 
        the quality and limitations of the surveys and studies; and
            ``(6) make data available to statistical agencies and 
        readily accessible to the public.
    ``(f) Records Management.--With respect to records management, each 
agency shall implement and enforce applicable policies and procedures, 
including requirements for archiving information maintained in 
electronic format, particularly in the planning, design, and operation 
of information systems.
    ``(g) Privacy and Security.--With respect to privacy and security, 
each agency shall--
            ``(1) implement and enforce applicable policies, 
        procedures, standards, and guidelines on privacy, 
        confidentiality, security, disclosure, and sharing of 
        information collected or maintained by or for the agency;
            ``(2) assume responsibility and accountability for 
        compliance with and coordinated management of sections 552 and 
        552a of title 5, the Computer Security Act of 1987 (40 U.S.C. 
        759 note), chapter 37 of this title, and related information 
        management laws; and
            ``(3) consistent with the Computer Security Act of 1987 (40 
        U.S.C. 759 note) and chapter 37 of this title, identify and 
        afford security protections commensurate with the risk and 
        magnitude of the harm resulting from the loss, misuse, or 
        unauthorized access to or modification of information collected 
        or maintained by or on behalf of an agency.
    ``(h) Information Technology.--With respect to Federal information 
technology, each agency shall--
            ``(1) implement and enforce applicable Governmentwide and 
        agency information technology management policies, principles, 
        standards, and guidelines;
            ``(2) assume responsibility and accountability for 
        information technology investments;
            ``(3) promote the use of information technology by the 
        agency to improve the productivity, efficiency, and 
        effectiveness of agency programs, including the reduction of 
        information collection burdens on the public and improved 
        dissemination of public information;
            ``(4) propose changes in legislation, regulations, and 
        agency procedures to improve information technology practices, 
        including changes that improve the ability of the agency to use 
        technology to reduce burden;
            ``(5) assume responsibility for maximizing the value and 
        assessing and managing the risks of major information systems 
        initiatives through a process that is--
                    ``(A) integrated with budget, financial, and 
                program management decisions; and
                    ``(B) used to select, control, and evaluate the 
                results of major information systems initiatives; and
            ``(6) comply with the requirements of chapter 38 of this 
        title.
``Sec. 3507. Agency chief information officers
    ``(a) Designation.--(1) Except as provided under paragraph (2), the 
head of each agency shall designate a chief information officer who 
shall report directly to such agency head to carry out the 
responsibilities of the agency under this chapter.
    ``(2) The Secretary of the Department of Defense and the Secretary 
of each military department may each designate chief information 
officers who shall report directly to such Secretary to carry out the 
responsibilities of the department under this chapter. If more than one 
chief information officer is designated, the respective duties of the 
chief information officers shall be clearly delineated.
    ``(b) General Responsibilities.--(1) The chief information officer 
designated under subsection (a) shall head an office responsible for 
ensuring agency compliance with and prompt, efficient, and effective 
implementation of the information policies and information resources 
management responsibilities established under this chapter, including 
the reduction of information collection burdens on the public. The 
chief information officer and employees of such office shall be 
selected with special attention to the professional qualifications 
required to administer the functions described under this chapter.
    ``(2) Each agency program official shall be responsible and 
accountable for information resources assigned to and supporting the 
programs under such official. In consultation with the chief 
information officer designated under subsection (a) and the agency 
chief financial officer (or comparable official), each agency program 
official shall define program information needs and develop strategies, 
systems, and capabilities to meet those needs.
    ``(3) The chief information officer designated under subsection (a) 
shall be responsible for--
            ``(A) providing advice and other assistance to the head of 
        the agency and other senior management personnel of the agency 
        to ensure that information technology is acquired and 
        information resources are managed for the agency in a manner 
        that implements the policies and procedures of this chapter, 
        chapters 36, 37, and 38 of this title, and the priorities 
        established by the head of the agency;
            ``(B) developing, maintaining, and facilitating the 
        implementation of a sound and integrated information technology 
        architecture for the agency; and
            ``(C) promoting the effective and efficient design and 
        operation of all major information resources management 
        processes for the agency, including improvements to work 
        processes of the agency.
    ``(c) Duties and Qualifications.--The chief information officer of 
an agency that is listed in section 901(b) of title 31 shall--
            ``(1) have information resources management duties as that 
        official's primary duty;
            ``(2) monitor the performance of information technology 
        programs of the agency, evaluate the performance of those 
        programs on the basis of the applicable performance 
        measurements, and advise the head of the agency regarding 
        whether to continue, modify, or terminate a program or project; 
        and
            ``(3) annually, as part of the strategic planning and 
        performance evaluation process required (subject to section 
        1117 of title 31) under section 306 of title 5 and sections 
        1105(a)(29), 1115, 1116, 1117, and 9703 of title 31--
                    ``(A) assess the requirements established for 
                agency personnel regarding knowledge and skill in 
                information resources management and the adequacy of 
                such requirements for facilitating the achievement of 
                the performance goals established for information 
                resources management;
                    ``(B) assess the extent to which the positions and 
                personnel at the executive level of the agency and the 
                positions and personnel at management level of the 
                agency below the executive level meet those 
                requirements;
                    ``(C) in order to rectify any deficiency in meeting 
                those requirements, develop strategies and specific 
                plans for hiring, training, and professional 
                development; and
                    ``(D) report to the head of the agency on the 
                progress made in improving information resources 
                management capability.
``Sec. 3508. Chief Information Officers Council
    ``(a) Establishment.--There is established in the executive branch 
a `Chief Information Officers Council.'
    ``(b) Membership.--The members of the Chief Information Officers 
Council are as follows:
            ``(1) The chief information officer of each agency that is 
        listed in section 901(b) of title 31.
            ``(2) The chief information officer of each agency who is 
        designated as a member of the Council by the Chief Information 
        Officer.
            ``(3) The Administrator of the Office of Information and 
        Regulatory Affairs in the Office of Management and Budget.
            ``(4) Other officers or employees of the Federal Government 
        designated by the Chief Information Officer.
    ``(c) Administrative Provisions.--
            ``(1) Chairman.--The Chief Information Officer is the 
        Chairman of the Chief Information Officers Council.
            ``(2) Deputy chairman.--
                    ``(A) The Deputy Chairman of the Council shall be 
                selected by the Council from among its members.
                    ``(B) The Deputy Chairman shall serve a one year 
                term, and may serve multiple terms.
            ``(3) Support.--The Administrator of General Services shall 
        provide administrative and other support for the Council, 
        including resources provided through the Information Technology 
        Fund established by section 110 of the Federal Property and 
        Administrative Services Act of 1949 (40 U.S.C. 757).
    ``(d) Functions.--The Chief Information Officers Council shall--
            ``(1) assist and advise in the development and 
        implementation of Federal policies and practices with regard to 
        agency development, use, and management of information 
        resources;
            ``(2) assist and advise the Chief Information Officer in 
        developing and maintaining the Governmentwide strategic 
        information resources management plan required by section 
        3505(a);
            ``(3) assist and advise the Chief Information Officer in 
        the selection and coordination of--
                    ``(A) multiagency initiatives to improve the 
                performance of agency missions through the use of 
                information technology and other information resources; 
                and
                    ``(B) pilot projects to test alternative approaches 
                for agencies to plan for, acquire, and manage 
                information technology and other information resources;
            ``(4) coordinate and monitor the development and use of 
        common performance measures for agency information resources 
        management activities;
            ``(5) coordinate the acquisition and provision of common 
        infrastructure services to facilitate communication and data 
        exchange among agencies and with State, local, and tribal 
        governments;
            ``(6) review and make recommendations to address the 
        hiring, training, classification, and professional development 
        needs of agencies with regard to the development, use, and 
        management of information resources;
            ``(7) review and make recommendations with regard to 
        information systems standards, including those developed under 
        section 20 of the National Institute of Standards and 
        Technology Act (15 U.S.C. 278g-3) and section 3812 of this 
        title;
            ``(8) consult with appropriate individuals and 
        organizations at all levels of government and the private 
        sector to enhance understanding of opportunities to improve the 
        development, application, and management of information 
        resources to serve public needs; and
            ``(9) consult with appropriate agencies to facilitate 
        effective participation by the Federal Government in 
        international information-related activities and organizations.
``Sec. 3509. Establishment and operation of Government Information 
              Locator Service
    ``(a) In order to assist agencies and the public in locating 
information and to promote information sharing and equitable access by 
the public, the Chief Information Officer shall--
            ``(1) cause to be established and maintained a distributed 
        agency-based electronic Government Information Locator Service 
        (hereafter in this section referred to as the `Service'), which 
        shall identify the major information systems, holdings, and 
        dissemination products of each agency;
            ``(2) require each agency to establish and maintain an 
        agency information locator service as a component of, and to 
        support the establishment and operation of the Service;
            ``(3) in cooperation with the Director, the Archivist of 
        the United States, the Administrator of General Services, the 
        Public Printer, and the Librarian of Congress, establish an 
        interagency committee to advise the Secretary of Commerce on 
        the development of technical standards for the Service to 
        ensure compatibility, promote information sharing, and uniform 
        access by the public;
            ``(4) consider public access and other user needs in the 
        establishment and operation of the Service;
            ``(5) ensure the security and integrity of the Service, 
        including measures to ensure that only information which is 
        intended to be disclosed to the public is disclosed through the 
        Service; and
            ``(6) periodically review the development and effectiveness 
        of the Service and make recommendations for improvement, 
        including other mechanisms for improving public access to 
        Federal agency public information.
    ``(b) This section shall not apply to operational files as defined 
by the Central Intelligence Agency Information Act (50 U.S.C. 431 et 
seq.).
``Sec. 3510. Chief Information Officer review of agency activities; 
              reporting; agency response
    ``(a) In consultation with the Director, the Administrator of 
General Services, the Archivist of the United States, the Director of 
the National Institute of Standards and Technology, and the Director of 
the Office of Personnel Management, the Chief Information Officer shall 
periodically review selected agency information resources management 
activities to ascertain the efficiency and effectiveness of such 
activities to improve agency performance and the accomplishment of 
agency missions.
    ``(b) Each agency having an activity reviewed under subsection (a) 
shall, within 60 days after receipt of a report on the review, provide 
a written plan to the Chief Information Officer describing steps 
(including milestones) to--
            ``(1) be taken to address information resources management 
        problems identified in the report; and
            ``(2) improve agency performance and the accomplishment of 
        agency missions.
``Sec. 3511. Report to Congress
    The Chief Information Officer shall submit an annual report to the 
President and the Congress describing--
            ``(1) efforts undertaken by the Chief Information Officer 
        to improve the development, application, and management of 
        information resources, including--
                    ``(A) the results of major information technology 
                initiatives, including those funded by the Information 
                Technology Fund; and
                    ``(B) recommendations to improve Federal policies 
                and practices with regard to the development, use, and 
                management of information resources; and
            ``(2) the results of major activities undertaken by the 
        Chief Information Officers Council to carry out the functions 
        under section 3508.
``Sec. 3512. Rules and regulations
    ``(a) The Chief Information Officer shall promulgate rules, 
regulations, or procedures necessary to exercise the authority provided 
by this chapter.
    ``(b) In developing information resources management policies, 
plans, rules, regulations, procedures, and guidelines, the Chief 
Information Officer shall provide interested agencies and persons early 
and meaningful opportunity to comment.
``Sec. 3513. Effect on existing laws and regulations
    ``Except as otherwise provided in this chapter, the authority of an 
agency under any other law to prescribe policies, rules, regulations, 
and procedures for Federal information resources management activities 
is subject to the authority of the Chief Information Officer under this 
chapter.
``Sec. 3514. Access to information
    ``Under the conditions and procedures prescribed in section 716 of 
title 31, the Director and personnel in the Office of Information and 
Regulatory Affairs shall furnish such information as the Comptroller 
General may require for the discharge of the responsibilities of the 
Comptroller General. For the purpose of obtaining such information, the 
Comptroller General or representatives thereof shall have access to all 
books, documents, papers, and records, regardless of form or format, of 
the Office.
``Sec. 3515. Application to national security systems
    ``Notwithstanding the exemption of national security systems from 
the term `information technology,' the head of an agency responsible 
for a national security system shall--
            ``(1) comply with the provisions of this chapter with 
        regard to information technology other than such national 
        security system; and
            ``(2) consult with the Chief Information Officer to ensure 
        effective communication concerning best practices experiences 
        in the development, use, and management of information 
        technology, including national security systems.
``Sec. 3516. Authorization of appropriations
    ``There are authorized to be appropriated to carry out the 
provisions of this chapter, to remain available until expended, such 
sums as may be necessary for each of fiscal years 2001 through 2005.''.

SEC. 4. PAPERWORK REDUCTION.

    Title 44, United States Code, is amended by inserting after chapter 
35 the following:

                   ``CHAPTER 36--PAPERWORK REDUCTION

``Sec.
``3601. Purposes.
``3602. Definitions.
``3603. Office of Information and Regulatory Affairs.
``3604. Authority and functions of Director.
``3605. Assignment of tasks and deadlines.
``3606. Federal agency responsibilities.
``3607. Public information collection activities; submission to 
                            Director; approval and delegation.
``3608. Determination of necessity for information; hearing.
``3609. Designation of central collection agency.
``3610. Cooperation of agencies in making information available.
``3611. Use of the Government Information Locator Service.
``3612. Public protection.
``3613. Director review of agency activities; reporting; agency 
                            response.
``3614. Responsiveness to Congress.
``3615. Administrative powers.
``3616. Rules and regulations.
``3617. Consultation with other agencies and the public.
``3618. Effect on existing laws and regulations.
``3619. Access to information.
``3620. Authorization of appropriations.

                   ``CHAPTER 36--PAPERWORK REDUCTION

``Sec. 3601. Purposes
    ``The purposes of this chapter are to--
            ``(1) minimize the paperwork burden for individuals, small 
        businesses, educational and nonprofit institutions, Federal 
        contractors, State, local, and tribal governments, and other 
        persons resulting from the collection of information by or for 
        the Federal Government;
            ``(2) ensure the greatest possible public benefit from and 
        maximize the utility of information collected by or for the 
        Federal Government;
            ``(3) coordinate agency information collection activities 
        with other information resources management activities as a 
        means to improve the productivity, efficiency, and 
        effectiveness of Government programs, including the reduction 
        of information collection burdens on the public and the 
        improvement of service delivery to the public;
            ``(4) improve the quality and use of Federal information to 
        strengthen decisionmaking, accountability, and openness in 
        Government and society;
            ``(5) minimize the cost to the Federal Government of the 
        collection of information;
            ``(6) strengthen the partnership between the Federal 
        Government and State, local, and tribal governments by 
        minimizing the burden and maximizing the utility of information 
        collected and retained by or for the Federal Government;
            ``(7) ensure that the collection of information by or for 
        the Federal Government is consistent with applicable laws, 
        including laws relating to--
                    ``(A) privacy and confidentiality, including 
                section 552a of title 5;
                    ``(B) security of information, including the 
                Computer Security Act of 1987 (Public Law 100-235); and
                    ``(C) access to information, including section 552 
                of title 5;
            ``(8) ensure the integrity, quality, and utility of 
        information collected for statistical purposes; and
            ``(9) improve the responsibility and accountability of the 
        Office of Management and Budget and all other Federal agencies 
        to Congress and to the public for implementing the information 
        collection review process, and related policies and guidelines 
        established under this chapter.
``Sec. 3602. Definitions
    ``(a) The definitions in section 3502 of this title shall apply to 
this chapter.
    ``(b) As used in this chapter--
            ``(1) the term `burden' means time, effort, or financial 
        resources expended by persons to generate, maintain, or provide 
        information to or for a Federal agency, including the resources 
        expended for--
                    ``(A) reviewing instructions;
                    ``(B) acquiring, installing, and utilizing 
                technology and systems;
                    ``(C) adjusting the existing ways to comply with 
                any previously applicable instructions and 
                requirements;
                    ``(D) searching data sources;
                    ``(E) completing and reviewing the collection of 
                information; and
                    ``(F) transmitting, or otherwise disclosing the 
                information;
            ``(2) the term `collection of information'--
                    ``(A) means the obtaining, causing to be obtained, 
                soliciting, or requiring the disclosure to third 
                parties or the public, of facts or opinions by or for 
                an agency, regardless of form or format, calling for 
                either--
                            ``(i) answers to identical questions posed 
                        to, or identical reporting or recordkeeping 
                        requirements imposed on, ten or more persons, 
                        other than agencies, instrumentalities, or 
                        employees of the United States; or
                            ``(ii) answers to questions posed to 
                        agencies, instrumentalities, or employees of 
                        the United States which are to be used for 
                        general statistical purposes; and
                    ``(B) shall not include a collection of information 
                described under section 3618(c)(1);
            ``(3) the term `practical utility' means the ability of an 
        agency to use information, particularly the capability to 
        process such information in a timely and useful fashion;
            ``(4) the term `recordkeeping requirement' means a 
        requirement imposed by or for an agency on persons to maintain 
        specified records, including a requirement to--
                    ``(A) retain such records;
                    ``(B) notify third parties, the Federal Government, 
                or the public of the existence of such records;
                    ``(C) disclose such records to third parties, the 
                Federal Government, or the public; or
                    ``(D) report to third parties, the Federal 
                Government, or the public regarding such records; and
            ``(5) the term `penalty' includes the imposition by an 
        agency or court of a fine or other punishment; a judgment for 
        monetary damages or equitable relief; or the revocation, 
        suspension, reduction, or denial of a license, privilege, 
        right, grant, or benefit.
``Sec. 3603. Office of Information and Regulatory Affairs
    ``(a) There is established in the Office of Management and Budget 
an office to be known as the Office of Information and Regulatory 
Affairs.
    ``(b) There shall be at the head of the Office an Administrator who 
shall be appointed by the President, by and with the advice and consent 
of the Senate. The Director shall delegate to the Administrator the 
authority to administer all functions under this chapter, except that 
any such delegation shall not relieve the Director of responsibility 
for the administration of such functions.
``Sec. 3604. The authority and functions of the Director
    ``(a) With respect to the collection of information and the control 
of paperwork, the Director shall--
            ``(1) review and approve proposed agency collections of 
        information;
            ``(2) minimize the Federal information collection burden, 
        with particular emphasis on those individuals and entities most 
        adversely affected;
            ``(3) maximize the practical utility of and public benefit 
        from information collected by or for the Federal Government;
            ``(4) establish and oversee standards and guidelines by 
        which agencies are to estimate the burden to comply with a 
        proposed collection of information;
            ``(5) coordinate activities under this chapter with the 
        activities of the Chief Information Officer under chapter 35;
            ``(6) coordinate the review of the collection of 
        information associated with Federal procurement and acquisition 
        by the Office of Information and Regulatory Affairs with the 
        Office of Federal Procurement Policy, with particular emphasis 
        on applying information technology to improve the efficiency 
        and effectiveness of Federal procurement, acquisition, and 
        payment, and to reduce information collection burdens on the 
        public; and
            ``(7) initiate and review proposals for changes in 
        legislation, regulations, and agency procedures to improve 
        information collection practices and reduce information 
        collection burdens on the public.
    ``(b) The authority of the Director under this chapter shall be 
exercised consistent with applicable law.
``Sec. 3605. Assignment of tasks and deadlines
    ``(a) In carrying out the functions under this chapter, the 
Director shall--
            ``(1) in consultation with agency heads, set an annual 
        Governmentwide goal for the reduction of information collection 
        burdens by at least 5 percent during each of fiscal years 2001, 
        2002, 2003, 2004, and 2005, and set annual agency goals to 
        reduce information collection burdens imposed on the public that--
                    ``(A) represent the maximum practicable opportunity 
                in each agency; and
                    ``(B) are consistent with improving agency 
                management of the process for the review of collections 
                of information established under section 3606; and
            ``(2) with selected agencies and non-Federal entities on a 
        voluntary basis, conduct pilot projects to test alternative 
        policies, practices, regulations, and procedures to fulfill the 
        purposes of this chapter; and
            ``(3) assist the Chief Information Officer to develop and 
        maintain a Governmentwide strategic plan for information 
        resources management, particularly with regards to reducing 
        information burdens on the public, including reducing such 
        burdens through the elimination of duplication and meeting 
        shared data needs with shared resources.
    ``(b) For purposes of any pilot project conducted under subsection 
(a)(2), the Director may, after consultation with the agency head, 
waive the application of any administrative directive issued by an 
agency with which the project is conducted, including any directive 
requiring a collection of information, after giving timely notice to 
the public and the Congress regarding the need for such waiver.
``Sec. 3606. Federal agency responsibilities
    ``(a) Each agency shall establish a process within the office 
headed by the chief information officer designated under section 3507 
of this title, that is sufficiently independent of program 
responsibility to evaluate fairly whether proposed collections of 
information should be approved under this chapter, to--
            ``(1) review each collection of information before 
        submission to the Director for review under this chapter, 
        including--
                    ``(A) an evaluation of the need for the collection 
                of information;
                    ``(B) a functional description of the information 
                to be collected;
                    ``(C) a plan for the collection of the information;
                    ``(D) a specific, objectively supported estimate of 
                burden;
                    ``(E) a test of the collection of information 
                through a pilot program, if appropriate; and
                    ``(F) a plan for the efficient and effective 
                management and use of the information to be collected, 
                including necessary resources;
            ``(2) ensure that each information collection--
                    ``(A) is inventoried, displays a control number 
                and, if appropriate, an expiration date;
                    ``(B) indicates the collection is in accordance 
                with the clearance requirements of section 3607; and
                    ``(C) informs the person receiving the collection 
                of information of--
                            ``(i) the reasons the information is being 
                        collected;
                            ``(ii) the way such information is to be 
                        used;
                            ``(iii) an estimate, to the extent 
                        practicable, of the burden of the collection;
                            ``(iv) whether responses to the collection 
                        of information are voluntary, required to 
                        obtain a benefit, or mandatory; and
                            ``(v) the fact that an agency may not 
                        conduct or sponsor, and a person is not 
                        required to respond to, a collection of 
                        information unless it displays a valid control 
                        number; and
            ``(3) assess the information collection burden of proposed 
        legislation affecting the agency.
    ``(b) Each agency shall--
            ``(1) except as provided under paragraph (2) or section 
        3607(j), provide a 60-day notice in the Federal Register, and 
        otherwise consult with members of the public and affected 
        agencies concerning each proposed collection of information, to 
        solicit comment to--
                    ``(A) evaluate whether the proposed collection of 
                information is necessary for the proper performance of 
                the functions of the agency, including whether the 
                information shall have practical utility;
                    ``(B) evaluate the accuracy of the agency's 
                estimate of the burden of the proposed collection of 
                information;
                    ``(C) enhance the quality, utility, and clarity of 
                the information to be collected; and
                    ``(D) minimize the burden of the collection of 
                information on those who are to respond, including 
                through the use of automated collection techniques or 
                other forms of information technology; and
            ``(2) for any proposed collection of information contained 
        in a proposed rule (to be reviewed by the Director under 
        section 3607(d)), provide notice and comment through the notice 
        of proposed rulemaking for the proposed rule and such notice 
        shall have the same purposes specified under paragraph (1)(A) 
        and (B).
    ``(c) Each agency shall certify (and provide a record supporting 
such certification, including public comments received by the agency) 
that each collection of information submitted to the Director for 
review under section 3607--
            ``(1) is necessary for the proper performance of the 
        functions of the agency, including that the information has 
        practical utility;
            ``(2) is not unnecessarily duplicative of information 
        otherwise reasonably accessible to the agency;
            ``(3) reduces to the extent practicable and appropriate the 
        burden on persons who shall provide information to or for the 
        agency, including with respect to small entities, as defined 
        under section 601(6) of title 5, the use of such techniques 
        as--
                    ``(A) establishing differing compliance or 
                reporting requirements or timetables that take into 
                account the resources available to those who are to 
                respond;
                    ``(B) the clarification, consolidation, or 
                simplification of compliance and reporting 
                requirements; or
                    ``(C) an exemption from coverage of the collection 
                of information, or any part thereof;
                            ``(i) is written using plain, coherent, and 
                        unambiguous terminology and is understandable 
                        to those who are to respond;
                            ``(ii) is to be implemented in ways 
                        consistent and compatible, to the maximum 
                        extent practicable, with the existing reporting 
                        and recordkeeping practices of those who are to 
                        respond;
                            ``(iii) indicates for each recordkeeping 
                        requirement the length of time persons are 
                        required to maintain the records specified;
                            ``(iv) contains the statement required 
                        under subsection (a)(2)(C);
                            ``(v) has been developed by an office that 
                        has planned and allocated resources for the 
                        efficient and effective management and use of 
                        the information to be collected, including the 
                        processing of the information in a manner which 
                        shall enhance, where appropriate, the utility 
                        of the information to agencies and the public;
                            ``(vi) uses effective and efficient 
                        statistical survey methodology appropriate to 
                        the purpose for which the information is to be 
                        collected; and
                            ``(vii) to the maximum extent practicable, 
                        uses information technology to reduce burden 
                        and improve data quality, agency efficiency and 
                        responsiveness to the public.
``Sec. 3607. Public information collection activities; submission to 
              Director; approval and delegation
    ``(a) An agency shall not conduct or sponsor the collection of 
information unless in advance of the adoption or revision of the 
collection of information--
            ``(1) the agency has--
                    ``(A) conducted the review established under 
                section 3606(a);
                    ``(B) evaluated the public comments received under 
                section 3606(b);
                    ``(C) submitted to the Director the certification 
                required under section 3606(c), the proposed collection 
                of information, copies of pertinent statutory 
                authority, regulations, and other related materials as 
                the Director may specify; and
                    ``(D) published a notice in the Federal Register--
                            ``(i) stating that the agency has made such 
                        submission; and
                            ``(ii) setting forth--
                                    ``(I) a title for the collection of 
                                information;
                                    ``(II) a summary of the collection 
                                of information;
                                    ``(III) a brief description of the 
                                need for the information and the 
                                proposed use of the information;
                                    ``(IV) a description of the likely 
                                respondents and proposed frequency of 
                                response to the collection of 
                                information;
                                    ``(V) an estimate of the burden 
                                that shall result from the collection 
                                of information; and
                                    ``(VI) notice that comments may be 
                                submitted to the agency and the 
                                Director;
            ``(2) the Director has approved the proposed collection of 
        information or approval has been inferred, under the provisions 
        of this section; and
            ``(3) the agency has obtained from the Director a control 
        number to be displayed upon the collection of information.
    ``(b) The Director shall provide at least 30 days for public 
comment prior to making a decision under subsection (c), (d), or (h), 
except as provided under subsection (j).
    ``(c)(1) For any proposed collection of information not contained 
in a proposed rule, the Director shall notify the agency involved of 
the decision to approve or disapprove the proposed collection of 
information.
    ``(2) The Director shall provide the notification under paragraph 
(1), within 60 days after receipt or publication of the notice under 
subsection (a)(1)(D), whichever is later.
    ``(3) If the Director does not notify the agency of a denial or 
approval within the 60-day period described under paragraph (2)--
            ``(A) the approval may be inferred;
            ``(B) a control number shall be assigned without further 
        delay; and
            ``(C) the agency may collect the information for not more 
        than 1 year.
    ``(d)(1) For any proposed collection of information contained in a 
proposed rule--
            ``(A) as soon as practicable, but no later than the date of 
        publication of a notice of proposed rulemaking in the Federal 
        Register, each agency shall forward to the Director a copy of 
        any proposed rule which contains a collection of information 
        and any information requested by the Director necessary to make 
        the determination required under this subsection; and
            ``(B) within 60 days after the notice of proposed 
        rulemaking is published in the Federal Register, the Director 
        may file public comments pursuant to the standards set forth in 
        section 3608 on the collection of information contained in the 
        proposed rule.
    ``(2) When a final rule is published in the Federal Register, the 
agency shall explain--
            ``(A) how any collection of information contained in the 
        final rule responds to the comments, if any, filed by the 
        Director or the public; or
            ``(B) the reasons such comments were rejected.
    ``(3) If the Director has received notice and failed to comment on 
an agency rule within 60 days after the notice of proposed rulemaking, 
the Director may not disapprove any collection of information 
specifically contained in an agency rule.
    ``(4) No provision in this section shall be construed to prevent 
the Director, in the Director's discretion--
            ``(A) from disapproving any collection of information which 
        was not specifically required by an agency rule;
            ``(B) from disapproving any collection of information 
        contained in an agency rule, if the agency failed to comply 
        with the requirements of paragraph (1);
            ``(C) from disapproving any collection of information 
        contained in a final agency rule, if the Director finds within 
        60 days after the publication of the final rule that the 
        agency's response to the Director's comments filed under 
        paragraph (2) was unreasonable; or
            ``(D) from disapproving any collection of information 
        contained in a final rule, if--
                    ``(i) the Director determines that the agency has 
                substantially modified in the final rule the collection 
                of information contained in the proposed rule; and
                    ``(ii) the agency has not given the Director the 
                information required under paragraph (1) with respect 
                to the modified collection of information, at least 60 
                days before the issuance of the final rule.
    ``(5) This subsection shall apply only when an agency publishes a 
notice of proposed rulemaking and requests public comments.
    ``(6) The decision by the Director to approve or not act upon a 
collection of information contained in an agency rule shall not be 
subject to judicial review.
    ``(e)(1) Any decision by the Director under subsection (c), (d), 
(h), or (j) to disapprove a collection of information, or to instruct 
the agency to make substantive or material change to a collection of 
information, shall be publicly available and include an explanation of 
the reasons for such decision.
    ``(2) Any written communication between the Administrator of the 
Office of Information and Regulatory Affairs, or any employee of the 
Office of Information and Regulatory Affairs, and an agency or person 
not employed by the Federal Government concerning a proposed collection 
of information shall be made available to the public.
    ``(3) This subsection shall not require the disclosure of--
            ``(A) any information which is protected at all times by 
        procedures established for information which has been 
        specifically authorized under criteria established by an 
        Executive order or an Act of Congress to be kept secret in the 
        interest of national defense or foreign policy; or
            ``(B) any communication relating to a collection of 
        information which is not approved under this chapter, the 
        disclosure of which could lead to retaliation or discrimination 
        against the communicator.
    ``(f)(1) An independent regulatory agency which is administered by 
2 or more members of a commission, board, or similar body, may by 
majority vote void--
            ``(A) any disapproval by the Director, in whole or in part, 
        of a proposed collection of information of that agency; or
            ``(B) an exercise of authority under subsection (d) of 
        section 3607 concerning that agency.
    ``(2) The agency shall certify each vote to void such disapproval 
or exercise to the Director, and explain the reasons for such vote. The 
Director shall without further delay assign a control number to such 
collection of information, and such vote to void the disapproval or 
exercise shall be valid for a period of 3 years.
    ``(g) The Director may not approve a collection of information for 
a period in excess of 3 years.
    ``(h)(1) If an agency decides to seek extension of the Director's 
approval granted for a currently approved collection of information, 
the agency shall--
            ``(A) conduct the review established under section 3606(c), 
        including the seeking of comment from the public on the 
        continued need for, and burden imposed by the collection of 
        information; and
            ``(B) after having made a reasonable effort to seek public 
        comment, but no later than 60 days before the expiration date 
        of the control number assigned by the Director for the 
        currently approved collection of information, submit the 
        collection of information for review and approval under this 
        section, which shall include an explanation of how the agency 
        has used the information that it has collected.
    ``(2) If under the provisions of this section, the Director 
disapproves a collection of information contained in an existing rule, 
or recommends or instructs the agency to make a substantive or material 
change to a collection of information contained in an existing rule, 
the Director shall--
            ``(A) publish an explanation thereof in the Federal 
        Register; and
            ``(B) instruct the agency to undertake a rulemaking within 
        a reasonable time limited to consideration of changes to the 
        collection of information contained in the rule and thereafter 
        to submit the collection of information for approval or 
        disapproval under this chapter.
    ``(3) An agency may not make a substantive or material modification 
to a collection of information after such collection has been approved 
by the Director, unless the modification has been submitted to the 
Director for review and approval under this chapter.
    ``(i)(1) If the Director finds that a chief information officer of 
an agency designated under section 3507 is sufficiently independent of 
program responsibility to evaluate fairly whether proposed collections 
of information should be approved and has sufficient resources to carry 
out this responsibility effectively, the Director may, by rule in 
accordance with the notice and comment provisions of chapter 5 of title 
5, delegate to such official the authority to approve proposed 
collections of information in specific program areas, for specific 
purposes, or for all agency purposes.
    ``(2) A delegation by the Director under this section shall not 
preclude the Director from reviewing individual collections of 
information if the Director determines that circumstances warrant such 
a review. The Director shall retain authority to revoke such 
delegations, both in general and with regard to any specific matter. In 
acting for the Director, any official to whom approval authority has 
been delegated under this section shall comply fully with the rules and 
regulations promulgated by the Director.
    ``(j)(1) The agency head may request the Director to authorize a 
collection of information, if an agency head determines that--
            ``(A) a collection of information--
                    ``(i) is needed prior to the expiration of time 
                periods established under this chapter; and
                    ``(ii) is essential to the mission of the agency; 
                and
            ``(B) the agency cannot reasonably comply with the 
        provisions of this chapter because--
                    ``(i) public harm is reasonably likely to result if 
                normal clearance procedures are followed;
                    ``(ii) an unanticipated event has occurred; or
                    ``(iii) the use of normal clearance procedures is 
                reasonably likely to prevent or disrupt the collection 
                of information or is reasonably likely to cause a 
                statutory or court ordered deadline to be missed.
    ``(2) The Director shall approve or disapprove any such 
authorization request within the time requested by the agency head and, 
if approved, shall assign the collection of information a control 
number. Any collection of information conducted under this subsection 
may be conducted without compliance with the provisions of this chapter 
for a maximum of 90 days after the date on which the Director received 
the request to authorize such collection.
``Sec. 3608. Determination of necessity for information; hearing
    ``Before approving a proposed collection of information, the 
Director shall determine whether the collection of information by the 
agency is necessary for the proper performance of the functions of the 
agency, including whether the information shall have practical utility. 
Before making a determination the Director may give the agency and 
other interested persons an opportunity to be heard or to submit 
statements in writing. To the extent, if any, that the Director 
determines that the collection of information by an agency is 
unnecessary for any reason, the agency may not engage in the collection 
of information.
``Sec. 3609. Designation of central collection agency
    ``The Director may designate a central collection agency to obtain 
information for two or more agencies if the Director determines that 
the needs of such agencies for information will be adequately served by 
a single collection agency, and such sharing of data is not 
inconsistent with applicable law. In such cases the Director shall 
prescribe (with reference to the collection of information) the duties 
and functions of the collection agency so designated and of the 
agencies for which it is to act as agent (including reimbursement for 
costs). While the designation is in effect, an agency covered by the 
designation may not obtain for itself information for the agency which 
is the duty of the collection agency to obtain. The Director may modify 
the designation from time to time as circumstances require. The 
authority to designate under this section is subject to the provisions 
of section 3607(f).
``Sec. 3610. Cooperation of agencies in making information available
    ``(a) The Director may direct an agency to make available to 
another agency, or an agency may make available to another agency, 
information obtained by a collection of information if the disclosure 
is not inconsistent with applicable law.
    ``(b)(1) If information obtained by an agency is released by that 
agency to another agency, all the provisions of law (including 
penalties) that relate to the unlawful disclosure of information apply 
to the officers and employees of the agency to which information is 
released to the same extent and in the same manner as the provisions 
apply to the officers and employees of the agency which originally 
obtained the information.
    ``(2) The officers and employees of the agency to which the 
information is released, in addition, shall be subject to the same 
provisions of law, including penalties, relating to the unlawful 
disclosure of information as if the information had been collected 
directly by that agency.
``Sec. 3611. Use of the Government Information Locator Service
    ``In consultation with the Chief Information Officer, the Director 
shall encourage the use of the Government Information Locator Service 
to provide information to agencies and the public regarding agency 
information collection activities and opportunities to maximize the 
efficiency and effectiveness of agency collections of information and 
the reduction of paperwork burdens on the public.
``Sec. 3612. Public protection
    ``(a) Notwithstanding any other provision of law, no person shall 
be subject to any penalty for failing to comply with a collection of 
information that is subject to this chapter if--
            ``(1) the collection of information does not display a 
        valid control number assigned by the Director in accordance 
        with this chapter; or
            ``(2) the agency fails to inform the person who is to 
        respond to the collection of information that such person is 
        not required to respond to the collection of information unless 
        it displays a valid control number.
    ``(b) The protection provided by this section may be raised in the 
form of a complete defense, bar, or otherwise at any time during the 
agency administrative process or judicial action applicable thereto.
``Sec. 3613. Director review of agency activities; reporting; agency 
              response
    ``(a) In consultation with the Chief Information Officer, the 
Administrator of General Services, the Archivist of the United States, 
the Director of the National Institute of Standards and Technology, and 
the Director of the Office of Personnel Management, the Director shall 
periodically review selected agency information collection activities 
to ascertain the efficiency and effectiveness of such activities to 
improve agency performance and the accomplishment of agency missions.
    ``(b) Each agency having an activity reviewed under subsection (a) 
shall, within 60 days after receipt of a report on the review, provide 
a written plan to the Director describing steps (including milestones) 
to--
            ``(1) be taken to address information resources management 
        problems identified in the report; and
            ``(2) improve agency performance and the accomplishment of 
        agency missions.
``Sec. 3614. Responsiveness to Congress
    ``(a)(1) The Director shall--
            ``(A) keep the Congress and congressional committees fully 
        and currently informed of the major activities under this 
        chapter; and
            ``(B) submit a report on such activities to the President 
        of the Senate and the Speaker of the House of Representatives 
        annually and at such other times as the Director determines 
        necessary.
    ``(2) The Director shall include in any such report a description 
of the extent to which agencies have--
            ``(A) reduced information collection burdens on the public, 
        including--
                    ``(i) a summary of accomplishments and planned 
                initiatives to reduce collection of information 
                burdens;
                    ``(ii) a list of all violations of this chapter and 
                of any rules, guidelines, policies, and procedures 
                issued pursuant to this chapter;
                    ``(iii) a list of any increase in the collection of 
                information burden, including the authority for each 
                such collection; and
                    ``(iv) a list of agencies that in the preceding 
                year did not reduce information collection burdens in 
                accordance with section 3605(a)(1), a list of the 
                programs and statutory responsibilities of those 
                agencies that precluded that reduction, and 
                recommendations to assist those agencies to reduce 
                information collection burdens in accordance with that 
                section;
            ``(B) improved the quality and utility of statistical 
        information;
            ``(C) improved public access to Government information; and
            ``(D) improved program performance and the accomplishment 
        of agency missions through activities under this chapter.
    ``(b) The preparation of any report required by this section shall 
be based on performance results reported by the agencies and shall not 
increase the collection of information burden on persons outside the 
Federal Government.
``Sec. 3615. Administrative powers
    ``Upon the request of the Director, each agency (other than an 
independent regulatory agency) shall, to the extent practicable, make 
its services, personnel, and facilities available to the Director for 
the performance of functions under this chapter.
``Sec. 3616. Rules and regulations
    ``The Director shall promulgate rules, regulations, or procedures 
necessary to exercise the authority provided by this chapter.
``Sec. 3617. Consultation with other agencies and the public
    ``(a) In developing management policies, plans, rules, regulations, 
procedures, and guidelines under this chapter and in reviewing 
collections of information, the Director shall provide interested 
agencies and persons early and meaningful opportunity to comment.
    ``(b) Any person may request the Director to review any collection 
of information conducted by or for an agency to determine, if, under 
this chapter, a person shall maintain, provide, or disclose the 
information to or for the agency. Unless the request is frivolous, the 
Director shall, in coordination with the agency responsible for the 
collection of information--
            ``(1) respond to the request within 60 days after receiving 
        the request, unless such period is extended by the Director to 
        a specified date and the person making the request is given 
        notice of such extension; and
            ``(2) take appropriate remedial action, if necessary.
``Sec. 3618. Effect on existing laws and regulations
    ``(a) Except as otherwise provided in this chapter, the authority 
of an agency under any other law to prescribe policies, rules, 
regulations, and procedures for Federal information resources 
management activities is subject to the authority of the Director under 
this chapter.
    ``(b) Nothing in this chapter shall be deemed to affect or reduce 
the authority of the Secretary of Commerce or the Director of the 
Office of Management and Budget pursuant to Reorganization Plan No. 1 
of 1977 (as amended) and Executive order, relating to 
telecommunications and information policy, procurement and management 
of telecommunications and information systems, spectrum use, and 
related matters.
    ``(c)(1) Except as provided in paragraph (2), this chapter shall 
not apply to the collection of information--
            ``(A) during the conduct of a Federal criminal 
        investigation or prosecution, or during the disposition of a 
        particular criminal matter;
            ``(B) during the conduct of--
                    ``(i) a civil action to which the United States or 
                any official or agency thereof is a party; or
                    ``(ii) an administrative action or investigation 
                involving an agency against specific individuals or 
                entities;
            ``(C) by compulsory process pursuant to the Antitrust Civil 
        Process Act and section 13 of the Federal Trade Commission 
        Improvements Act of 1980; or
            ``(D) during the conduct of intelligence activities as 
        defined in section 3.4(e) of Executive Order No. 12333, issued 
        December 4, 1981, or successor orders, or during the conduct of 
        cryptologic activities that are communications security 
        activities.
    ``(2) This chapter applies to the collection of information during 
the conduct of general investigations (other than information collected 
in an antitrust investigation to the extent provided in subparagraph 
(C) of paragraph (1)) undertaken with reference to a category of 
individuals or entities such as a class of licensees or an entire 
industry.
    ``(d) Nothing in this chapter shall be interpreted as increasing or 
decreasing the authority conferred by Public Law 89-306 on the 
Administrator of General Services, the Secretary of Commerce, or the 
Director of the Office of Management and Budget.
    ``(e) Nothing in this chapter shall be interpreted as increasing or 
decreasing the authority of the President, the Office of Management and 
Budget or the Director thereof, under the laws of the United States, 
with respect to the substantive policies and programs of departments, 
agencies and offices, including the substantive authority of any 
Federal agency to enforce the civil rights laws.
``Sec. 3619. Access to information
    ``Under the conditions and procedures prescribed in section 716 of 
title 31, the Director and personnel in the Office of Information and 
Regulatory Affairs shall furnish such information as the Comptroller 
General may require for the discharge of the responsibilities of the 
Comptroller General. For the purpose of obtaining such information, the 
Comptroller General or representatives thereof shall have access to all 
books, documents, papers, and records, regardless of form or format, of 
the Office.
``Sec. 3620. Authorization of appropriations
    ``There are authorized to be appropriated to the Office of 
Information and Regulatory Affairs to carry out the provisions of this 
chapter, and for no other purpose, $5,000,000 for each of the fiscal 
years 2001, 2002, 2003, 2004, and 2005.''.

SEC. 5. INFORMATION SECURITY.

    Title 44, United States Code, is amended by inserting after chapter 
36 the following:

                   ``CHAPTER 37--INFORMATION SECURITY

``Sec.
``3701. Purposes.
``3702. Definitions.
``3703. Office of Information Security and Technical Protection.
``3704. Authorities and functions of the Chief Information Officer.
``3705. Federal agency responsibilities.
``3706. Annual independent evaluation.
``3707. Authorization of appropriations.

                   ``CHAPTER 37--INFORMATION SECURITY

``Sec. 3701. Purposes
    ``The purposes of this chapter are to--
            ``(1) provide a comprehensive framework for establishing 
        and ensuring the effectiveness of controls over information 
        resources that support Federal operations and assets;
            ``(2)(A) recognize the highly networked nature of the 
        Federal computing environment including the need for Federal 
        Government interoperability and, in the implementation of 
        improved security management measures, assure that 
        opportunities for interoperability are not adversely affected; 
        and
            ``(B) provide effective Governmentwide management and 
        oversight of the related information security risks, including 
        coordination of information security efforts throughout the 
        civilian, national security, and law enforcement communities;
            ``(3) provide for development and maintenance of minimum 
        controls required to protect Federal information and 
        information systems; and
            ``(4) provide a mechanism for improved oversight of Federal 
        agency information security programs.
``Sec. 3702. Definitions
    ``(a) Except as provided under subsection (b), the definitions 
under section 3502 shall apply to this chapter.
    ``(b) As used in this chapter, the term `mission critical system' 
means any telecommunications or information system used or operated by 
an agency or by a contractor of an agency, or other organization on 
behalf of an agency, that--
            ``(1) is defined as a national security system under 
        section 3502;
            ``(2) is protected at all times by procedures established 
        for information which has been specifically authorized under 
        criteria established by an Executive order or an Act of 
        Congress to be classified in the interest of national defense 
        or foreign policy; or
            ``(3) processes any information, the loss, misuse, 
        disclosure, or unauthorized access to or modification of, would 
        have a debilitating impact on the mission of an agency.
``Sec. 3703. Office of Information Security and Technical Protection
    ``There is established in the Office of Information Policy, 
established under section 3503, an Office of Information Security and 
Technical Protection. The head of the Office is the Director of 
Information Security and Technical Protection, who shall report 
directly to the Chief Information Officer of the United States. The 
Chief Information Officer shall delegate to the Director authority to 
administer all functions under this chapter, except that such 
delegation shall not relieve the Chief Information Officer of 
responsibility for the administration of such functions. The Director 
shall serve as the principal adviser to the Chief Information Officer 
on Federal Government information security.
``Sec. 3704. Authority and functions of the Chief Information Officer
    ``(a)(1) The Chief Information Officer shall establish 
Governmentwide policies for the management of programs that--
            ``(A) support the cost-effective security of Federal 
        information systems by promoting security as an integral 
        component of each agency's business operations; and
            ``(B) include information technology architectures.
    ``(2) Policies under this subsection shall--
            ``(A) be founded on a continuing risk management cycle that 
        recognizes the need to--
                    ``(i) identify, assess, and understand risk; and
                    ``(ii) determine security needs commensurate with 
                the level of risk;
            ``(B) implement controls that adequately address the risk;
            ``(C) promote continuing awareness of information security 
        risk; and
            ``(D) continually monitor and evaluate policy and control 
        effectiveness of information security practices.
    ``(b) The authority under subsection (a) includes the authority 
to--
            ``(1) oversee and develop policies, principles, standards, 
        and guidelines for the handling of Federal information and 
        information resources to improve the efficiency and 
        effectiveness of governmental operations, including principles, 
        policies, and guidelines for the implementation of agency 
        responsibilities under applicable law for ensuring the privacy, 
        confidentiality, and security of Federal information;
            ``(2) consistent with the standards and guidelines 
        promulgated under section 3812 of this title, sections 20 and 
        21 of the National Institute of Standards and Technology Act 
        (15 U.S.C. 278g-3 and 278g-4), and sections 5 and 6 of the 
        Computer Security Act of 1987 (40 U.S.C. 1441 note; Public Law 
        100-235; 101 Stat. 1729), require Federal agencies to identify 
        and afford security protections commensurate with the risk and 
        magnitude of the harm resulting from the loss, misuse, or 
        unauthorized access to or modification of information collected 
        or maintained by or on behalf of an agency;
            ``(3) direct the heads of agencies to--
                    ``(A) identify, use, and share best security 
                practices;
                    ``(B) develop an agencywide information security 
                plan;
                    ``(C) incorporate information security principles 
                and practices throughout the life cycles of the 
                agency's information systems; and
                    ``(D) ensure that the agency's information security 
                plan is practiced throughout all life cycles of the 
                agency's information systems;
            ``(4) oversee the development and implementation of 
        standards and guidelines relating to security controls for 
        Federal computer systems by the Secretary of Commerce through 
        the National Institute of Standards and Technology under 
        section 3812 of this title and section 20 of the National 
        Institute of Standards and Technology Act (15 U.S.C. 278g-3);
            ``(5) oversee and coordinate compliance with this section 
        in a manner consistent with--
                    ``(A) sections 552 and 552a of title 5;
                    ``(B) sections 20 and 21 of the National Institute 
                of Standards and Technology Act (15 U.S.C. 278g-3 and 
                278g-4);
                    ``(C) chapters 35 and 38 of this title;
                    ``(D) sections 5 and 6 of the Computer Security Act 
                of 1987 (40 U.S.C. 1441 note; Public Law 100-235; 101 
                Stat. 1729); and
                    ``(E) related information management laws; and
            ``(6) request that the Director take any authorized action 
        under section 3803(b)(5) of this title that the Chief 
        Information Officer considers appropriate, including any action 
        involving the budgetary process or appropriations management 
        process, to enforce accountability of the head of an agency for 
        information resources management, including the requirements of 
        this subchapter, and for the investments made by the agency in 
        information technology, including recommending to the 
        Director--
                    ``(A) a reduction or an increase in any amount for 
                information resources that the head of the agency 
                proposes for the budget submitted to Congress under 
                section 1105(a) of title 31;
                    ``(B) a reduction or other adjustment of 
                apportionments and reapportionments of appropriations 
                for information resources; or
                    ``(C) the use of other authorized administrative 
                controls over appropriations to restrict the 
                availability of funds for information resources.
``Sec. 3705. Federal agency responsibilities
    ``(a) The head of each agency shall--
            ``(1) be responsible for--
                    ``(A) adequately ensuring the integrity, 
                confidentiality, authenticity, availability, and 
                nonrepudiation of information and information systems 
                supporting agency operations and assets;
                    ``(B) developing and implementing information 
                security policies, procedures, and control techniques 
                sufficient to afford security protections commensurate 
                with the risk and magnitude of the harm resulting from 
                unauthorized disclosure, disruption, modification, or 
                destruction of information collected or maintained by 
                or for the agency; and
                    ``(C) ensuring that the agency's information 
                security plan is practiced throughout the life cycle of 
                each agency system;
            ``(2) ensure that appropriate senior agency officials are 
        responsible for--
                    ``(A) assessing the information security risks 
                associated with the operations and assets for programs 
                and systems over which such officials have control;
                    ``(B) determining the levels of information 
                security appropriate to protect such operations and 
                assets; and
                    ``(C) periodically testing and evaluating 
                information security controls and techniques;
            ``(3) delegate to the agency chief information officer 
        established under section 3507, or a comparable official in an 
        agency not covered by such section, the authority to administer 
        all functions under this subchapter including--
                    ``(A) designating a senior agency information 
                security official who shall report to the chief 
                information officer or a comparable official;
                    ``(B) developing and maintaining an agencywide 
                information security program as required under 
                subsection (b);
                    ``(C) ensuring that the agency effectively 
                implements and maintains information security policies, 
                procedures, and control techniques;
                    ``(D) training and overseeing personnel with 
                significant responsibilities for information security 
                with respect to such responsibilities; and
                    ``(E) assisting senior agency officials concerning 
                responsibilities under paragraph (2);
            ``(4) ensure that the agency has trained personnel 
        sufficient to assist the agency in complying with the 
        requirements of this subchapter and related policies, 
        procedures, standards, and guidelines; and
            ``(5) ensure that the agency chief information officer, in 
        coordination with senior agency officials, periodically--
                    ``(A)(i) evaluates the effectiveness of the agency 
                information security program, including testing control 
                techniques; and
                    ``(ii) implements appropriate remedial actions 
                based on that evaluation; and
                    ``(B) reports to the agency head on--
                            ``(i) the results of such tests and 
                        evaluations; and
                            ``(ii) the progress of remedial actions.
    ``(b)(1) Each agency shall develop and implement an agencywide 
information security program to provide information security for the 
operations and assets of the agency, including operations and assets 
provided or managed by another agency.
    ``(2) Each program under this subsection shall include--
            ``(A) periodic risk assessments that consider internal and 
        external threats to--
                    ``(i) the integrity, confidentiality, and 
                availability of systems; and
                    ``(ii) data supporting critical operations and 
                assets;
            ``(B) policies and procedures that--
                    ``(i) are based on the risk assessments required 
                under subparagraph (A) that cost-effectively reduce 
                information security risks to an acceptable level; and
                    ``(ii) ensure compliance with--
                            ``(I) the requirements of this chapter;
                            ``(II) policies and procedures as may be 
                        prescribed by the Chief Information Officer; 
                        and
                            ``(III) any other applicable requirements;
            ``(C) security awareness training to inform personnel of--
                    ``(i) information security risks associated with 
                the activities of personnel; and
                    ``(ii) responsibilities of personnel in complying 
                with agency policies and procedures designed to reduce 
                such risks;
            ``(D)(i) periodic management testing and evaluation of the 
        effectiveness of information security policies and procedures; 
        and
            ``(ii) a process for ensuring remedial action to address 
        any significant deficiencies; and
            ``(E) procedures for detecting, reporting, and responding 
        to security incidents, including--
                    ``(i) mitigating risks associated with such 
                incidents before substantial damage occurs;
                    ``(ii) notifying and consulting with law 
                enforcement officials and other offices and 
                authorities;
                    ``(iii) notifying and consulting with an office 
                designated by the Administrator of General Services 
                within the General Services Administration; and
                    ``(iv) notifying and consulting with an office 
                designated by the Secretary of Defense and the Director 
                of Central Intelligence for incidents involving systems 
                described under section 3702(b)(1) and (2).
    ``(3) Each program under this subsection is subject to the approval 
of the Chief Information Officer and is required to be reviewed at 
least annually by agency program officials in consultation with the 
Chief Information Officer.
    ``(c)(1) Each agency shall examine the adequacy and effectiveness 
of information security policies, procedures, and practices in plans 
and reports relating to--
            ``(A) annual agency budgets;
            ``(B) information resources management requirements under 
        chapter 35 of this title;
            ``(C) information technology performance and results based 
        management under chapter 38 of this title;
            ``(D) program performance under sections 1105 and 1115 
        through 1119 of title 31, and sections 2801 through 2805 of 
        title 39; and
            ``(E) financial management under--
                    ``(i) chapter 9 of title 31, and the Chief 
                Financial Officers Act of 1990 (31 U.S.C. 501 note; 
                Public Law 101-576) (and the amendments made by that 
                Act);
                    ``(ii) the Federal Financial Management Improvement 
                Act of 1996 (31 U.S.C. 3512 note) (and the amendments 
                made by that Act); and
                    ``(iii) the internal controls conducted under 
                section 3512 of title 31.
    ``(2) Any significant deficiency in a policy, procedure, or 
practice identified under paragraph (1) shall be reported as a material 
weakness in reporting required under the applicable provision of law 
under paragraph (1).
    ``(d)(1) In addition to the requirements of subsection (c), each 
agency, in consultation with the Chief Information Officer, shall 
include as part of the performance plan required under section 1115 of 
title 31 a description of--
            ``(A) the time periods; and
            ``(B) the resources, including budget, staffing, and 
        training, which are necessary to implement the program required 
        under subsection (b)(1).
    ``(2) The description under paragraph (1) shall be based on the 
risk assessment required under subsection (b)(2)(A).
``Sec. 3706. Annual independent evaluation
    ``(a)(1) Requirement.--Each year each agency shall have performed 
an independent evaluation of the information security program and 
practices of that agency.
    ``(2) Information To Be Included.--Each evaluation under this 
section shall include--
            ``(A) an assessment of compliance with--
                    ``(i) the requirements of this Act; and
                    ``(ii) related information security policies, 
                procedures, standards, and guidelines; and
            ``(B) tests of the effectiveness of information security 
        control techniques.
    ``(3) Use of Information.--The Inspector General or the independent 
evaluator performing an evaluation under this subsection including the 
Comptroller General may use any audit, evaluation, or report relating 
to programs or practices of the applicable agency.
    ``(4) Person or Entity Responsible for Performing Evaluation.--
            ``(A) For agencies with Inspectors General appointed under 
        the Inspector General Act of 1978 (5 U.S.C. App.) or any other 
        law, the annual evaluation required under this section shall be 
        performed by the Inspector General or by an independent 
        evaluator, as determined by the Inspector General of the 
        agency.
            ``(B) For any agency to which subparagraph (A) does not 
        apply, the head of the agency shall contract with an 
        independent evaluator to perform the evaluation.
            ``(C) An evaluation of agency information security programs 
        and practices performed by the Comptroller General may be in 
        lieu of the evaluation required under this section.
    ``(5) Submission of Results.--Not later than 1 year after the date 
of enactment of this chapter, and on that date every year thereafter, 
the applicable agency head shall submit to the Chief Information 
Officer the results of each evaluation required under this section.
``Sec. 3707. Authorization of appropriations
    ``There are authorized to be appropriated to carry out the 
provisions of this chapter such sums as may be necessary for each of 
fiscal years 2001 through 2005.''.

SEC. 6. INFORMATION SECURITY RESPONSIBILITIES OF CERTAIN AGENCIES.

    (a) Department of Commerce.--Notwithstanding section 20 of the 
National Institute of Standards and Technology Act (15 U.S.C. 278g-3) 
and except as provided under subsection (b), the Secretary of Commerce, 
in consultation with the Chief Information Officer, through the 
National Institute of Standards and Technology and with technical 
assistance from the National Security Agency, as required or when 
requested by the Chief Information Officer, shall--
            (1) develop, issue, review, and update standards and 
        guidance for the security of Federal information systems, 
        including development of methods and techniques for security 
        systems and validation programs;
            (2) develop, issue, review, and update guidelines for 
        training in computer security awareness and accepted computer 
        security practices, with assistance from the Office of 
        Personnel Management;
            (3) provide agencies with guidance for security planning to 
        assist in the development of applications and system security 
        plans for such agencies;
            (4) provide guidance and assistance to agencies concerning 
        cost-effective controls when interconnecting with other 
        systems; and
            (5) evaluate information technologies to assess security 
        vulnerabilities and alert Federal agencies of such 
        vulnerabilities as soon as those vulnerabilities are known.
    (b) Department of Defense and the Intelligence Community.--
            (1) In general.--Notwithstanding section 3704 of title 44, 
        United States Code (as added by section 5 of this Act), the 
        Secretary of Defense, and the Director of Central Intelligence, 
        shall, consistent with their respective authorities--
                    (A) develop and issue information security 
                policies, standards, and guidelines for systems 
                described under section 3702(b)(1) and (2) of title 44, 
                United States Code, that provide more stringent 
                protection than the policies, principles, standards, 
                and guidelines required under section 3704 of title 44, 
                United States Code; and
                    (B) ensure the implementation of the information 
                security policies, principles, standards, and 
                guidelines described under subparagraph (A).
            (2) Measures addressed.--The policies, principles, 
        standards, and guidelines developed by the Secretary of Defense 
        and the Director of Central Intelligence under paragraph (1) 
        shall address the full range of information assurance measures 
        needed to protect and defend Federal information and 
        information systems by ensuring their integrity, 
        confidentiality, authenticity, availability, and 
        nonrepudiation.
    (c) Department of Justice.--The Department of Justice shall review 
and update guidance to agencies on--
            (1) legal remedies regarding security incidents and ways to 
        report to and work with law enforcement agencies concerning 
        such incidents; and
            (2) lawful uses of security techniques and technologies.
    (d) General Services Administration.--The General Services 
Administration shall--
            (1) review and update General Services Administration 
        guidance to agencies on addressing security considerations when 
        acquiring information technology; and
            (2) assist agencies in--
                    (A) fulfilling agency responsibilities under 
                section 3705(b)(2)(E) of title 44, United States Code 
                (as added by section 5 of this Act); and
                    (B) the acquisition of cost-effective security 
                products, services, and incident response capabilities.
    (e) Office of Personnel Management.--The Office of Personnel 
Management shall--
            (1) review and update Office of Personnel Management 
        regulations concerning computer security training for Federal 
        civilian employees;
            (2) assist the Department of Commerce in updating and 
        maintaining guidelines for training in computer security 
        awareness and computer security best practices; and
            (3) work with the National Science Foundation and other 
        agencies on personnel and training initiatives (including 
        scholarships and fellowships, as authorized by law) as 
        necessary to ensure that the Federal Government--
                    (A) has adequate sources of continuing information 
                security education and training available for 
                employees; and
                    (B) has an adequate supply of qualified information 
                security professionals to meet agency needs.
    (f) Information Security Policies, Principles, Standards, and 
Guidelines.--
            (1) In general.--Notwithstanding any provision of this act 
        (including any amendment made by this Act)--
                    (A) the Secretary of Defense, the Director of 
                Central Intelligence, and other agency heads as 
                designated by the President shall develop such 
                policies, principles, standards, and guidelines for 
                mission critical systems subject to their control;
                    (B) the policies, principles, standards, and 
                guidelines developed by the Secretary of Defense, the 
                Director of Central Intelligence, and other agency 
                heads as designated by the President may be adopted, to 
                the extent that such policies are consistent with 
                policies and guidance developed by the Chief 
                Information Officer and the Secretary of Commerce--
                            (i) by the Chief Information Officer, as 
                        appropriate, to the mission critical systems of 
                        all agencies; or
                            (ii) by an agency head, as appropriate, to 
                        the mission critical systems of that agency; 
                        and
                    (C) to the extent that such policies are consistent 
                with policies and guidance developed by the Chief 
                Information Officer and the Secretary of Commerce, an 
                agency may develop and implement information security 
                policies, principles, standards, and guidelines that 
                provide more stringent protection than those required 
                under section 3702(b)(1) and (2) of title 44, United 
                States Code (as added by section 5 of this Act), or 
                subsection (a) of this section.
            (2) Measures addressed.--The policies, principles, 
        standards, and guidelines developed by the Secretary of Defense 
        and the Director of Central Intelligence under paragraph (1) 
        shall address the full range of information assurance measures 
        needed to protect and defend Federal information and 
        information systems by ensuring their integrity, 
        confidentiality, authenticity, availability, and 
        nonrepudiation.
    (g) Atomic Energy Act of 1954.--Nothing in this Act shall supersede 
any requirement made by or under the Atomic Energy Act of 1954 (42 
U.S.C. 2011 et seq.). Restricted Data or Formerly Restricted Data shall 
be handled, protected, classified, downgraded, and declassified in 
conformity with the Atomic Energy Act of 1954 (42 U.S.C. 2011 et seq.).

SEC. 7. MANAGEMENT OF INFORMATION TECHNOLOGY.

    Title 44, United States Code, is amended by inserting after chapter 
37 the following:

           ``CHAPTER 38--MANAGEMENT OF INFORMATION TECHNOLOGY

``Sec.
``3801. Responsibility of Chief Information Officer.
``3802. Capital planning and investment control.
``3803. Performance-based and results-based management.
``3804. Responsibilities of Federal agencies.
``3805. Agency capital planning and investment control.
``3806. Agency performance and results-based management.
``3807. Acquisitions of information technology.
``3808. Accountability.
``3809. Significant deviations.
``3810. Interagency support.
``3811. Application to national security systems.
``3812. Responsibilities for Federal information system standards.

           ``CHAPTER 38--MANAGEMENT OF INFORMATION TECHNOLOGY

``Sec. 3801. Responsibility of the Chief Information 
              Officer
    ``In fulfilling the responsibility to administer the functions 
assigned under chapter 35 of this title, the Chief Information Officer 
shall comply with this chapter with respect to the specific matters 
covered by this chapter.
``Sec. 3802. Capital planning and investment control
    ``(a) Federal Information Technology.--The Chief Information 
Officer shall perform the responsibilities set forth in this section in 
fulfilling the responsibilities under section 3504(h) of this title.
    ``(b) Use of Information Technology in Federal Programs.--The Chief 
Information Officer shall promote and be responsible for improving the 
acquisition, use, and disposal of information technology by the Federal 
Government to improve the productivity, efficiency, and effectiveness 
of Federal programs, including through dissemination of public 
information and the reduction of information collection burdens on the 
public.
    ``(c) Use of Budget Process.--The Chief Information shall advise 
and assist the Director to develop, as part of the budget process, a 
process for analyzing, tracking, and evaluating the risks and results 
of all major capital investments made by an executive agency for 
information systems. The process shall cover the life of each system 
and shall include explicit criteria for analyzing the projected and 
actual costs, benefits, and risks associated with the investments. At 
the same time that the President submits the budget for a fiscal year 
to Congress under section 1105(a) of title 31, the Chief Information 
Officer shall submit to Congress a report on the net program 
performance benefits achieved as a result of major capital investments 
made by executive agencies in information systems and how the benefits 
relate to the accomplishment of the goals of the executive agencies.
    ``(d) Information Technology Standards.--The Chief Information 
Officer shall oversee the development and implementation of standards 
and guidelines pertaining to Federal information systems, as provided 
under section 3812.
    ``(e) Designation of Executive Agents for Acquisitions.--The Chief 
Information Officer shall designate (as the Chief Information Officer 
considers appropriate) one or more heads of agencies as executive agent 
for Governmentwide acquisitions of information technology.
    ``(f) Use of Best Practices in Acquisitions.--The Chief Information 
Officer shall encourage the heads of agencies to develop and use the 
best practices in the acquisition of information technology.
    ``(g) Assessment of Other Models for Managing Information 
Technology.--The Chief Information Officer shall assess, on a 
continuing basis, the experiences of agencies, State and local 
governments, international organizations, and the private sector in 
managing information technology.
    ``(h) Comparison of Agency Uses of Information Technology.--The 
Chief Information Officer shall compare the performances of agencies in 
using information technology and shall disseminate the comparisons to 
the heads of agencies.
    ``(i) Training.--The Chief Information Officer shall monitor the 
development and implementation of training in information resources 
management for agency personnel.
    ``(j) Informing Congress.--The Chief Information Officer shall keep 
Congress fully informed on the extent to which agencies are improving 
the performance of agency programs and the accomplishment of agency 
missions through the use of the best practices in information resources 
management.
    ``(k) Procurement Policy and Acquisitions of Information 
Technology.--The Chief Information Officer shall coordinate the 
development and review policy associated with Federal acquisition of 
information technology with the Office of Federal Procurement Policy in 
the Office of Management and Budget.
``Sec. 3803. Performance-based and results-based management
    ``(a) In General.--The Chief Information Officer shall encourage 
the use of performance-based and results-based management in fulfilling 
the responsibilities assigned under section 3504(h) of this title.
    ``(b) Evaluation of Agency Programs and Investments.--
            ``(1) Requirement.--The Chief Information Officer shall 
        evaluate the information resources management practices of 
        agencies with respect to the performance and results of the 
        investments made by agencies in information technology.
            ``(2) Direction for agency action.--The Chief Information 
        Officer shall issue to the head of each agency clear and 
        concise direction that the head of such agency shall--
                    ``(A) establish effective and efficient capital 
                planning processes for selecting, managing, and 
                evaluating the results of all of its major investments 
                in information systems;
                    ``(B) determine, before making an investment in a 
                new information system--
                            ``(i) whether the function to be supported 
                        by the system should be performed by the 
                        private sector and, if so, whether any 
                        component of the agency performing that 
                        function should be converted from a 
                        governmental organization to a private sector 
                        organization; or
                            ``(ii) whether the function should be 
                        performed by agency and, if so, whether the 
                        function should be performed by a private 
                        sector source under contract or by agency 
                        personnel;
                    ``(C) analyze the missions of the agency and, based 
                on the analysis, revise the agency's mission-related 
                processes and administrative processes, as appropriate, 
                before making significant investments in information 
                technology to be used in support of those missions; and
                    ``(D) ensure that information security policies, 
                procedures, and practices are adequate.
            ``(3) Guidance for multiagency investments.--The direction 
        issued under paragraph (2) shall include guidance for 
        undertaking efficiently and effectively interagency and 
        Governmentwide investments in information technology to 
        improve the accomplishment of missions that are common to 
        agencies.
            ``(4) Periodic reviews.--The Chief Information Officer 
        shall advise and assist the Director in implementing through 
        the budget process periodic reviews of information resources 
        management activities of selected agencies in order to 
        ascertain the efficiency and effectiveness of information 
        technology in improving agency performance and the 
        accomplishment of agency missions.
            ``(5) Enforcement of accountability.--
                    ``(A) In general.--The Chief Information Officer 
                may take any authorized action that the Chief 
                Information Officer considers appropriate, including an 
                action coordinated with the Director involving the 
                budgetary process or appropriations management process, 
                to enforce accountability of the head of an agency for 
                information resources management and for the 
                investments made by the agency in information 
                technology.
                    ``(B) Specific actions.--Actions taken by the Chief 
                Information Officer, including those coordinated with 
                the Director where appropriate, in the case of an 
                agency may include--
                            ``(i) recommending a reduction or an 
                        increase in any amount for information 
                        resources that the head of the agency proposes 
                        for the budget submitted to Congress under 
                        section 1105(a) of title 31;
                            ``(ii) recommending reducing or otherwise 
                        adjusting apportionments and reapportionments 
                        of appropriations for information resources;
                            ``(iii) using other authorized 
                        administrative controls over appropriations to 
                        restrict the availability of funds for 
                        information resources; and
                            ``(iv) designating for the agency an 
                        executive agent to contract with private sector 
                        sources for the performance of information 
                        resources management or the acquisition of 
                        information technology.
``Sec. 3804. Agency responsibilities
    ``In fulfilling the responsibilities assigned under chapter 35 of 
this title, the head of each agency shall comply with this chapter with 
respect to the specific matters covered by this chapter.
``Sec. 3805. Capital planning and investment control
    ``(a) Design of Process.--In fulfilling the responsibilities 
assigned under section 3506(h) of this title, the head of each agency 
shall design and implement in the agency a process for maximizing the 
value and assessing and managing the risks of the information 
technology acquisitions of the agency.
    ``(b) Content of Process.--The process of an agency shall--
            ``(1) provide for the selection of information technology 
        investments to be made by the agency, the management of such 
        investments, and the evaluation of the results of such 
        investments;
            ``(2) be integrated with the processes for making budget, 
        financial, and program management decisions within the agency;
            ``(3) include minimum criteria to be applied in considering 
        whether to undertake a particular investment in information 
        systems, including criteria related to the quantitatively 
        expressed projected net, risk-adjusted return on investment and 
        specific quantitative and qualitative criteria for comparing 
        and prioritizing alternative information systems investment 
        projects;
            ``(4) provide for identifying information systems 
        investments that would result in shared benefits or costs for 
        other Federal agencies or State or local governments;
            ``(5) provide for identifying for a proposed investment 
        quantifiable measurements for determining the net benefits and 
        risks of the investment; and
            ``(6) provide the means for senior management personnel of 
        the agency to obtain timely information regarding the progress 
        of an investment in an information system, including a system 
        of milestones for measuring progress, on an independently 
        verifiable basis, in terms of cost, capability of the system to 
        meet specified requirements, timeliness, and quality.
``Sec. 3806. Performance and results-based management
    ``In fulfilling the responsibilities under section 3506(h) of this 
title, the head of an agency shall--
            ``(1) establish goals for improving the efficiency and 
        effectiveness of agency operations and, as appropriate, the 
        delivery of services to the public through the effective use of 
        information technology;
            ``(2) prepare an annual report, to be included in the 
        agency's budget submission to Congress, on the progress in 
        achieving the goals;
            ``(3) ensure that performance measurements are prescribed 
        for information technology used by or to be acquired for, the 
        agency and that the performance measurements measure how well 
        the information technology supports programs of the agency;
            ``(4) where comparable processes and organizations in the 
        public or private sectors exist, quantitatively benchmark 
        agency process performance against such processes in terms of 
        cost, speed, productivity, and quality of outputs and outcomes;
            ``(5) analyze the missions of the agency and, based on the 
        analysis, revise the agency's mission-related processes and 
        administrative processes as appropriate before making 
        significant investments in information technology that is to be 
        used in support of the performance of those missions; and
            ``(6) ensure that the information security policies, 
        procedures, and practices of the agency are adequate.
``Sec. 3807. Acquisitions of information technology
    ``The authority of the head of an agency to conduct an acquisition 
of information technology includes the following authorities:
            ``(1) To acquire information technology as authorized by 
        law.
            ``(2) To enter into a contract that provides for 
        multiagency acquisitions of information technology in 
        accordance with guidance issued by Chief Information Officer.
            ``(3) If the Chief Information Officer finds that it would 
        be advantageous for the Federal Government to do so, to enter 
        into a multiagency contract for procurement of commercial items 
        of information technology that requires each agency covered by 
        the contract, when procuring such items, either to procure the 
        items under that contract or to justify an alternative 
        procurement of the items.
``Sec. 3808. Accountability
    ``The head of each agency, in consultation with the Chief 
Information Officer and the chief financial officer of that agency (or, 
in the case of an agency without a chief financial officer, any 
comparable official), shall establish policies and procedures that--
            ``(1) ensure that the accounting, financial, and asset 
        management systems and other information systems of the agency 
        are designed, developed, maintained, and used effectively to 
        provide financial or program performance data for financial 
        statements of the executive agency;
            ``(2) ensure that financial and related program performance 
        data are provided on a reliable, consistent, and timely basis 
        to agency financial management systems; and
            ``(3) ensure that financial statements support--
                    ``(A) assessments and revisions of mission-related 
                processes and administrative processes of the agency; 
                and
                    ``(B) performance measurement of the performance in 
                the case of investments made by the agency in 
                information systems.
``Sec. 3809. Significant deviations
    ``The head of an agency shall identify in the strategic information 
resources management plan required under section 3505(a)(2) of this 
title any major information technology acquisition program, or any 
phase or increment of such a program, that has significantly deviated 
from the cost, performance, or schedule goals established for the 
program.
``Sec. 3810. Interagency support
    ``Funds available for an agency for oversight, acquisition, and 
procurement of information technology may be used by the head of the 
agency to support jointly with other agencies the activities of 
interagency groups that are established to advise the Chief Information 
Officer in carrying out the Chief Information Officer's 
responsibilities under this chapter. The use of such funds for that 
purpose shall be subject to such requirements and limitations on uses 
and amounts as the Director may prescribe, in consultation with the 
Chief Information Officer. The Director shall, in consultation with the 
Chief Information Officer, prescribe any such requirements and 
limitations during the Director's review of the agency's proposed 
budget submitted to the Director by the head of the agency for purposes 
of section 1105 of title 31, United States Code.
``Sec. 3811. Applicability to national security systems
    ``(a) In General.--Except as provided in subsection (b), this 
chapter does not apply to national security systems.
    ``(b) Exceptions.--
            ``(1) In general.--Sections 3806, 3808, and 3809 of this 
        chapter apply to national security systems.
            ``(2) Capital planning and investment control.--The heads 
        of agencies shall apply sections 3802 and 3805 of this chapter 
        to national security systems to the extent practicable.
            ``(3) Performance and results of information technology 
        investments.--
                    ``(A) Subject to subparagraph (B), the heads of 
                executive agencies shall apply section 3803 of this 
                chapter to national security systems to the extent 
                practicable.
                    ``(B) National security systems shall be subject to 
                section 3803(b)(5) of this title except for 
                subparagraph (B)(iv) of that section.
``Sec. 3812. Responsibilities for Federal information system standards
    ``(a) Standards and Guidelines.--
            ``(1) Authority.--The Chief Information Officer shall, on 
        the basis of standards and guidelines developed by the National 
        Institute of Standards and Technology pursuant to paragraphs 
        (2) and (3) of section 278g-3(a) of title 15 and in 
        consultation with the Secretary of Commerce, promulgate 
        standards and guidelines pertaining to Federal information 
        systems. The Chief Information Officer shall make such 
        standards compulsory and binding to the extent to which the 
        Chief Information Officer Secretary determines necessary to 
        improve the efficiency of operation or security and privacy of 
        Federal information systems. The President may disapprove or 
        modify such standards and guidelines if the President 
        determines such action to be in the public interest. The 
        President's authority to disapprove or modify such standards 
        and guidelines may not be delegated. Notice of such 
        disapproval or modification shall be published promptly in the 
        Federal Register. Upon receiving notice of such disapproval or 
        modification, the Chief Information Officer shall immediately 
        rescind or modify such standards or guidelines as directed by 
        the President.
            ``(2) Exercise of authority.--The authority conferred upon 
        the Chief Information Officer by this section shall be 
        exercised subject to direction by the President and in 
        coordination with the Director to ensure fiscal and policy 
        consistency.
    ``(b) Application of More Stringent Standards.--The head of an 
agency may employ standards for the cost-effective security and privacy 
of sensitive information in an information system within or under the 
supervision of that agency that are more stringent than the standards 
promulgated by the Chief Information Officer under this section, if 
such standards contain, at a minimum, the provisions of those 
applicable standards made compulsory and binding by the Chief 
Information Officer.
    ``(c) Waiver of Standards.--The standards determined under 
subsection (a) to be compulsory and binding may be waived by the Chief 
Information Officer in writing upon a determination that compliance 
would adversely affect the accomplishment of the mission of an agency 
operating an information system, or cause a major adverse financial 
impact on the agency which is not offset by Governmentwide savings. The 
Chief Information Officer may delegate to the head of one or more 
agencies authority to waive such standards to the extent to which the 
Chief Information Officer determines such action to be necessary and 
desirable to allow for timely and effective implementation of 
information system standards. The head of such agency may redelegate 
such authority only to a chief information officer designated pursuant 
to section 3507 of this title. Notice of each such waiver and 
delegation shall be transmitted promptly to Congress and shall be 
published promptly in the Federal Register.
    ``(d) Definitions.--In this section, the term `information system' 
has the meaning given `Federal computer system' in section 278g-3(d) of 
Title 15.''

SEC. 8. TECHNICAL AND CONFORMING AMENDMENTS.

    (a) Executive Level Positions.--
            (1) Executive level i.--Section 5312 of title 5, United 
        States Code, is amended by adding at the end the following:
    ``Chief Information Officer of the United States.''.
            (2) Executive level ii.--Section 5313 of title 5, United 
        States Code, is amended by adding at the end the following:
    ``Deputy Chief Information Officer of the United States.''.
            (3) Executive level iii.--Section 5314 of title 5, United 
        States Code, is amended by adding at the end the following:
    ``Director of Information Security and Technical Protection.''.
    (b) Privacy Act.--Section 552a of title 5, United States Code, is 
amended as follows--
            (1) in section 552a(a)(8)(B)(iv), by striking ``Director of 
        the Office of Management and Budget'' and inserting ``Chief 
        Information Officer of the United States'' in lieu thereof;
            (2) in section 552a(a)(8)(B)(v)(I), by striking ``Director 
        of the Office of Management and Budget'' and inserting ``Chief 
        Information Officer of the United States'' in lieu thereof;
            (3) in section 552a(o)(1)(D), by striking ``Director of the 
        Office of Management and Budget'' and inserting ``Chief 
        Information Officer of the United States'' in lieu thereof;
            (4) in section 552a(p)(1)(A)(ii), by striking ``Director of 
        the Office of Management and Budget'' and inserting ``Chief 
        Information Officer of the United States'' in lieu thereof;
            (5) in section 552a(r), by striking ``Office of Management 
        and Budget'' and inserting ``Chief Information Officer of the 
        United States'' in lieu thereof;
            (6) in section 552a(s)(1), by striking ``Director of the 
        Office of Management and Budget'' and inserting ``Chief 
        Information Officer of the United States'' in lieu thereof;
            (7) in section 552a(u)(3)(D), by striking ``Office of 
        Management and Budget'' and inserting ``Chief Information 
        Officer of the United States'' in lieu thereof;
            (8) in section 552a(u)(3)(D)(vi), by striking ``Director of 
        the Office of Management and Budget'' and inserting ``Chief 
        Information Officer of the United States'' in lieu thereof;
            (9) in section 552a(u)(4)(B), by striking ``Director of the 
        Office of Management and Budget'' and inserting ``Chief 
        Information Officer of the United States'' in lieu thereof;
            (10) in section 552a(u)(5)(A), by striking ``Director of 
        the Office of Management and Budget'' each time it appears, and 
        inserting ``Chief Information Officer of the United States'' in 
        lieu thereof;
            (11) in section 552a(u)(5)(B), by striking ``Director of 
        the Office of Management and Budget'' and ``Director'' and 
        inserting ``Chief Information Officer of the United States'' in 
        lieu thereof;
            (12) in section 552a(u)(5)(C), by striking ``Director'' and 
        inserting ``Chief Information Officer of the United States'' in 
        lieu thereof;
            (13) in section 552a(u)(5)(D), by striking ``Director of 
        the Office of Management and Budget'' and inserting ``Chief 
        Information Officer of the United States'' in lieu thereof;
            (14) in section 552a(u)(6), by striking ``Director of the 
        Office of Management and Budget'' and inserting ``Chief 
        Information Officer of the United States'' in lieu thereof; and
            (15) in section 552a(v)--
                    (A) by striking ``Office of Management and Budget'' 
                in the heading and inserting ``Chief Information 
                Officer of the United States'' in lieu thereof; and
                    (B) by striking ``Director of the Office of 
                Management and Budget'' and inserting ``Chief 
                Information Officer of the United States'' in lieu 
                thereof.
    (c) Computer Security Act.--
            (1) Section 20(b)(5) of the National Institute of Standards 
        and Technology Act (15 U.S.C. 278g-3(b)(5)) is amended by 
        striking ``Office of Management and Budget'' and inserting 
        ``Chief Information Officer of the United States'' in lieu 
        thereof.
            (2) Section 21(b)(3) of the National Institute of Standards 
        and Technology Act (15 U.S.C. 278g-4(b)(3)) is amended by 
        striking ``Director of the Office of Management and Budget'' 
        and inserting ``Chief Information Officer of the United 
        States'' in lieu thereof.
            (3) Section 6(b) of the Computer Security Act of 1987 (40 
        U.S.C. 1441 note) is amended by striking ``Director of the 
        Office of Management and Budget'' and inserting ``Chief 
        Information Officer of the United States'' in lieu thereof.
    (d) Information Technology Fund.--Section 757(a) of title 40, 
United States Code, is amended by inserting at the end the following:
            ``(3) The Administrator's decisions with regard to 
        obligations of and expenditures from the Fund shall be subject 
        to direction by the Chief Information Officer of the United 
        States.''.
    (e) Government Paperwork Elimination Act.--Title XVII of Public Law 
105-277 is repealed.
    (f) Clinger-Cohen Act.--The Clinger-Cohen Act (Public Law 104-106; 
110 Stat. 679-703) is amended as follows:
            (1) Sections 5111, 5112, 5113, 5121, 5123, 5124, 5125(b), 
        (c), and (d), 5126, 5127, 5128, 5131, 5132, 5141, 5142, 5201 
        are repealed.
            (2) Section 5301(a)(1) is amended by striking 
        ``Administrator for the Office of Information and Regulatory 
        Affairs'' and inserting ``Chief Information Officer'' in lieu 
        thereof.
            (3) Section 5303(a)(1) is amended by inserting ``and the 
        Chief Information Officer'' after ``Director''.
            (4) Section 5304 is amended by striking all and inserting 
        in lieu thereof: ``If the Director and the Chief Information 
        Officer determine that the results and findings under a pilot 
        program under this title indicate that legislation is necessary 
        or desirable in order to improve the process for acquisition of 
        information technology, the Director and the Chief Information 
        Officer shall transmit recommendations for such legislation to 
        Congress.''.
            (5) Section 5311(c) is amended by striking ``Administrator 
        for the Office of Information and Regulatory Affairs'' and 
        inserting ``Chief Information Officer'' in lieu thereof.
            (6) Section 5312(d)(1) is amended by striking 
        ``Administrator for the Office of Information and Regulatory 
        Affairs'' and inserting ``Chief Information Officer'' in lieu 
        thereof.

SEC. 9. EFFECTIVE DATE.

    This Act and the amendments made by the Act shall take effect 60 
days after the date of the enactment of this Act.