113 HR 1163 : Federal Information Security Amendments Act of 2013
U.S. House of Representatives
2013-04-17
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



IIB
113th CONGRESS
1st Session
H. R. 1163
IN THE SENATE OF THE UNITED STATES
April 17, 2013
Received; read twice and referred to the Committee on Homeland Security and Governmental Affairs
AN ACT
To amend chapter 35 of title 44, United States Code, to revise requirements relating to Federal information security, and for other purposes.
	
	
1. Short title
This Act may be cited as the “Federal Information Security Amendments Act of 2013”.
2. Coordination of Federal information policy
Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting the following:
			
SUBCHAPTER II—INFORMATION SECURITY
3551. Purposes
The purposes of this subchapter are to—
  (1) provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets;
  (2) recognize the highly networked nature of the current Federal computing environment and provide effective Governmentwide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities assets;
  (3) provide for development and maintenance of minimum controls required to protect Federal information and information systems;
  (4) provide a mechanism for improved oversight of Federal agency information security programs and systems through a focus on automated and continuous monitoring of agency information systems and regular threat assessments;
  (5) acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions, reflecting market solutions for the protection of critical information systems important to the national defense and economic security of the Nation that are designed, built, and operated by the private sector; and
  (6) recognize that the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.
3552. Definitions
(a) Section 3502 definitions
Except as provided under subsection (b), the definitions under section 3502 shall apply to this subchapter.
(b) Additional definitions
In this subchapter:
  (1) Adequate security
  The term “adequate security” means security commensurate with the risk and magnitude of the harm resulting from the unauthorized access to or loss, misuse, destruction, or modification of information.
  (2) Automated and continuous monitoring
  The term “automated and continuous monitoring” means monitoring, with minimal human involvement, through an uninterrupted, ongoing real time, or near real-time process used to determine if the complete set of planned, required, and deployed security controls within an information system continue to be effective over time with rapidly changing information technology and threat development.
  (3) Incident
  The term “incident” means an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system, or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
  (4) Information security
  The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—
    (A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
    (B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
    (C) availability, which means ensuring timely and reliable access to and use of information.
  (5) Information system
  The term “information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information and includes—
    (A) computers and computer networks;
    (B) ancillary equipment;
    (C) software, firmware, and related procedures;
    (D) services, including support services; and
    (E) related resources.
  (6) Information technology
  The term “information technology” has the meaning given that term in section 11101 of title 40.
  (7) National security system
    (A) Definition
    The term “national security system” means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency—
      (i) the function, operation, or use of which—
        (I) involves intelligence activities;
        (II) involves cryptologic activities related to national security;
        (III) involves command and control of military forces;
        (IV) involves equipment that is an integral part of a weapon or weapons system; or
        (V) subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or
      (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
    (B) Exception
    Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).
  (8) Threat assessment
  The term “threat assessment” means the formal description and evaluation of threat to an information system.
3553. Authority and functions of the Director
(a) In general
The Director shall oversee agency information security policies and practices, including—
  (1) developing and overseeing the implementation of policies, principles, standards, and guidelines on information security, including through ensuring timely agency adoption of and compliance with standards promulgated under section 11331 of title 40;
  (2) requiring agencies, consistent with the standards promulgated under such section 11331 and the requirements of this subchapter, to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of—
    (A) information collected or maintained by or on behalf of an agency; or
    (B) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
  (3) coordinating the development of standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) with agencies and offices operating or exercising control of national security systems (including the National Security Agency) to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems;
  (4) overseeing agency compliance with the requirements of this subchapter, including through any authorized action under section 11303 of title 40, to enforce accountability for compliance with such requirements;
  (5) reviewing at least annually, and approving or disapproving, agency information security programs required under section 3554(b);
  (6) coordinating information security policies and procedures with related information resources management policies and procedures;
  (7) overseeing the operation of the Federal information security incident center required under section 3555; and
  (8) reporting to Congress no later than March 1 of each year on agency compliance with the requirements of this subchapter, including—
    (A) an assessment of the development, promulgation, and adoption of, and compliance with, standards developed under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) and promulgated under section 11331 of title 40;
    (B) significant deficiencies in agency information security practices;
    (C) planned remedial action to address such deficiencies; and
    (D) a summary of, and the views of the Director on, the report prepared by the National Institute of Standards and Technology under section 20(d)(10) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3).
(b) National security systems
Except for the authorities described in paragraphs (4) and (8) of subsection (a), the authorities of the Director under this section shall not apply to national security systems.
(c) Department of defense and central intelligence agency systems
  (1) The authorities of the Director described in paragraphs (1) and (2) of subsection (a) shall be delegated to the Secretary of Defense in the case of systems described in paragraph (2) and to the Director of Central Intelligence in the case of systems described in paragraph (3).
  (2) The systems described in this paragraph are systems that are operated by the Department of Defense, a contractor of the Department of Defense, or another entity on behalf of the Department of Defense that processes any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Department of Defense.
  (3) The systems described in this paragraph are systems that are operated by the Central Intelligence Agency, a contractor of the Central Intelligence Agency, or another entity on behalf of the Central Intelligence Agency that processes any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Central Intelligence Agency.
3554. Agency responsibilities
(a) In general
The head of each agency shall—
  (1) be responsible for—
    (A) providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of—
      (i) information collected or maintained by or on behalf of the agency; and
      (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
    (B) complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines, including—
      (i) information security standards and guidelines promulgated under section 11331 of title 40 and section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3);
      (ii) information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; and
      (iii) ensuring the standards implemented for information systems and national security systems of the agency are complementary and uniform, to the extent practicable;
    (C) ensuring that information security management processes are integrated with agency strategic and operational planning and budget processes, including policies, procedures, and practices described in subsection (c)(2);
    (D) as appropriate, maintaining secure facilities that have the capability of accessing, sending, receiving, and storing classified information;
    (E) maintaining a sufficient number of personnel with security clearances, at the appropriate levels, to access, send, receive and analyze classified information to carry out the responsibilities of this subchapter; and
    (F) ensuring that information security performance indicators and measures are included in the annual performance evaluations of all managers, senior managers, senior executive service personnel, and political appointees;
  (2) ensure that senior agency officials provide information security for the information and information systems that support the operations and assets under their control, including through—
    (A) assessing the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information system;
    (B) determining the levels of information security appropriate to protect such information and information systems in accordance with policies, principles, standards, and guidelines promulgated under section 11331 of title 40 and section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) for information security classifications and related requirements;
    (C) implementing policies and procedures to cost effectively reduce risks to an acceptable level;
    (D) with a frequency sufficient to support risk-based security decisions, testing and evaluating information security controls and techniques to ensure that such controls and techniques are effectively implemented and operated; and
    (E) with a frequency sufficient to support risk-based security decisions, conducting threat assessments by monitoring information systems, identifying potential system vulnerabilities, and reporting security incidents in accordance with paragraph (3)(A)(v);
  (3) delegate to the Chief Information Officer or equivalent (or a senior agency official who reports to the Chief Information Officer or equivalent), who is designated as the “Chief Information Security Officer”, the authority and primary responsibility to develop, implement, and oversee an agencywide information security program to ensure and enforce compliance with the requirements imposed on the agency under this subchapter, including—
    (A) overseeing the establishment and maintenance of a security operations capability that through automated and continuous monitoring, when possible, can—
      (i) detect, report, respond to, contain, and mitigate incidents that impair information security and agency information systems, in accordance with policy provided by the Director;
      (ii) commensurate with the risk to information security, monitor and mitigate the vulnerabilities of every information system within the agency;
      (iii) continually evaluate risks posed to information collected or maintained by or on behalf of the agency and information systems and hold senior agency officials accountable for ensuring information security;
      (iv) collaborate with the Director and appropriate public and private sector security operations centers to detect, report, respond to, contain, and mitigate incidents that impact the security of information and information systems that extend beyond the control of the agency; and
      (v) report any incident described under clauses (i) and (ii) to the Federal information security incident center, to other appropriate security operations centers, and to the Inspector General of the agency, to the extent practicable, within 24 hours after discovery of the incident, but no later than 48 hours after such discovery;
    (B) developing, maintaining, and overseeing an agencywide information security program as required by subsection (b);
    (C) developing, maintaining, and overseeing information security policies, procedures, and control techniques to address all applicable requirements, including those issued under section 11331 of title 40;
    (D) training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities; and
    (E) assisting senior agency officials concerning their responsibilities under paragraph (2);
  (4) ensure that the agency has a sufficient number of trained and cleared personnel to assist the agency in complying with the requirements of this subchapter, other applicable laws, and related policies, procedures, standards, and guidelines;
  (5) ensure that the Chief Information Security Officer, in consultation with other senior agency officials, reports periodically, but not less than annually, to the agency head on—
    (A) the effectiveness of the agency information security program;
    (B) information derived from automated and continuous monitoring, when possible, and threat assessments; and
    (C) the progress of remedial actions;
  (6) ensure that the Chief Information Security Officer possesses the necessary qualifications, including education, training, experience, and the security clearance required to administer the functions described under this subchapter; and has information security duties as the primary duty of that official; and
  (7) ensure that components of that agency establish and maintain an automated reporting mechanism that allows the Chief Information Security Officer with responsibility for the entire agency, and all components thereof, to implement, monitor, and hold senior agency officers accountable for the implementation of appropriate security policies, procedures, and controls of agency components.
(b) Agency program
Each agency shall develop, document, and implement an agencywide information security program, approved by the Director and consistent with components across and within agencies, to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source, that includes—
  (1) automated and continuous monitoring, when possible, of the risk and magnitude of the harm that could result from the disruption or unauthorized access, use, disclosure, modification, or destruction of information and information systems that support the operations and assets of the agency;
  (2) consistent with guidance developed under section 11331 of title 40, vulnerability assessments and penetration tests commensurate with the risk posed to agency information systems;
  (3) policies and procedures that—
    (A) cost effectively reduce information security risks to an acceptable level;
    (B) ensure compliance with—
      (i) the requirements of this subchapter;
      (ii) policies and procedures as may be prescribed by the Director, and information security standards promulgated pursuant to section 11331 of title 40;
      (iii) minimally acceptable system configuration requirements, as determined by the Director; and
      (iv) any other applicable requirements, including—
        (I) standards and guidelines for national security systems issued in accordance with law and as directed by the President; and
        (II) the National Institute of Standards and Technology standards and guidance;
    (C) develop, maintain, and oversee information security policies, procedures, and control techniques to address all applicable requirements, including those promulgated pursuant to section 11331 of title 40; and
    (D) ensure the oversight and training of personnel with significant responsibilities for information security with respect to such responsibilities;
  (4) with a frequency sufficient to support risk-based security decisions, automated and continuous monitoring, when possible, for testing and evaluation of the effectiveness and compliance of information security policies, procedures, and practices, including—
    (A) controls of every information system identified in the inventory required under section 3505(c); and
    (B) controls relied on for an evaluation under this section;
  (5) a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;
  (6) with a frequency sufficient to support risk-based security decisions, automated and continuous monitoring, when possible, for detecting, reporting, and responding to security incidents, consistent with standards and guidelines issued by the National Institute of Standards and Technology, including—
    (A) mitigating risks associated with such incidents before substantial damage is done;
    (B) notifying and consulting with the Federal information security incident center and other appropriate security operations response centers; and
    (C) notifying and consulting with, as appropriate—
      (i) law enforcement agencies and relevant Offices of Inspectors General; and
      (ii) any other agency, office, or entity, in accordance with law or as directed by the President; and
  (7) plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.
(c) Agency reporting
Each agency shall—
  (1) submit an annual report on the adequacy and effectiveness of information security policies, procedures, and practices, and compliance with the requirements of this subchapter, including compliance with each requirement of subsection (b) to—
    (A) the Director;
    (B) the Committee on Homeland Security and Governmental Affairs of the Senate;
    (C) the Committee on Oversight and Government Reform of the House of Representatives;
    (D) other appropriate authorization and appropriations committees of Congress; and
    (E) the Comptroller General;
  (2) address the adequacy and effectiveness of information security policies, procedures, and practices in plans and reports relating to—
    (A) annual agency budgets;
    (B) information resources management of this subchapter;
    (C) information technology management under this chapter;
    (D) program performance under sections 1105 and 1115 through 1119 of title 31, and sections 2801 and 2805 of title 39;
    (E) financial management under chapter 9 of title 31, and the Chief Financial Officers Act of 1990 (31 U.S.C. 501 note; Public Law 101–576);
    (F) financial management systems under the Federal Financial Management Improvement Act of 1996 (31 U.S.C. 3512 note); and
    (G) internal accounting and administrative controls under section 3512 of title 31; and
  (3) report any significant deficiency in a policy, procedure, or practice identified under paragraph (1) or (2)—
    (A) as a material weakness in reporting under section 3512 of title 31; and
    (B) if relating to financial management systems, as an instance of a lack of substantial compliance under the Federal Financial Management Improvement Act of 1996 (31 U.S.C. 3512 note).
3555. Federal information security incident center
(a) In general
The Director shall ensure the operation of a central Federal information security incident center to—
  (1) provide timely technical assistance to operators of agency information systems regarding security incidents, including guidance on detecting and handling information security incidents;
  (2) compile and analyze information about incidents that threaten information security;
  (3) inform operators of agency information systems about current and potential information security threats, and vulnerabilities; and
  (4) consult with the National Institute of Standards and Technology, agencies or offices operating or exercising control of national security systems (including the National Security Agency), and such other agencies or offices in accordance with law and as directed by the President regarding information security incidents and related matters.
(b) National security systems
Each agency operating or exercising control of a national security system shall share information about information security incidents, threats, and vulnerabilities with the Federal information security incident center to the extent consistent with standards and guidelines for national security systems, issued in accordance with law and as directed by the President.
(c) Review and approval
The Director shall review and approve the policies, procedures, and guidance established in this subchapter to ensure that the incident center has the capability to effectively and efficiently detect, correlate, respond to, contain, mitigate, and remediate incidents that impair the adequate security of the information systems of more than one agency. To the extent practicable, the capability shall be continuous and technically automated.
3556. National security systems
The head of each agency operating or exercising control of a national security system shall be responsible for ensuring that the agency—
  (1) provides information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information contained in such system;
  (2) implements information security policies and practices as required by standards and guidelines for national security systems, issued in accordance with law and as directed by the President; and
  (3) complies with the requirements of this subchapter.
3. Technical and conforming amendments
(a) Table of sections in title 44
The table of sections for chapter 35 of title 44, United States Code, is amended by striking the matter relating to subchapters II and III and inserting the following:

SUBCHAPTER II—INFORMATION SECURITY
Sec.
3551. Purposes.
3552. Definitions.
3553. Authority and functions of the Director.
3554. Agency responsibilities.
3555. Federal information security incident center.
3556. National security systems.

(b) Other references
  (1) Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(c)(1)(A)) is amended by striking “section 3532(3)” and inserting “section 3552(b)”.
  (2) Section 2222(j)(5) of title 10, United States Code, is amended by striking “section 3542(b)(2)” and inserting “section 3552(b)”.
  (3) Section 2223(c)(3) of title 10, United States Code, is amended by striking “section 3542(b)(2)” and inserting “section 3552(b)”.
  (4) Section 2315 of title 10, United States Code, is amended by striking “section 3542(b)(2)” and inserting “section 3552(b)”.
  (5) Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) is amended—
    (A) in subsections (a)(2) and (e)(5), by striking “section 3532(b)(2)” and inserting “section 3552(b)”; and
    (B) in subsection (e)—
      (i) in paragraph (2), by striking “section 3532(1)” and inserting “section 3552(b)”; and
      (ii) in paragraph (5), by striking “section 3532(b)(2)” and inserting “section 3552(b)”.
  (6) Section 8(d)(1) of the Cyber Security Research and Development Act (15 U.S.C. 7406(d)(1)) is amended by striking “section 3534(b)” and inserting “section 3554(b)”.
4. No additional funds authorized
No additional funds are authorized to carry out the requirements of section 3554 of title 44, United States Code, as amended by section 2 of this Act. Such requirements shall be carried out using amounts otherwise authorized or appropriated.
5. Effective date
This Act (including the amendments made by this Act) shall take effect 30 days after the date of the enactment of this Act.
		
	
		
Passed the House of Representatives April 16, 2013.
Karen L. Haas,
Clerk
		
	
