[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3032 Introduced in House (IH)]

113th CONGRESS
  1st Session
                                H. R. 3032

  To amend chapter 35 of title 44, United States Code, to create the 
  National Office for Cyberspace, to revise requirements relating to 
         Federal information security, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             August 2, 2013

Mr. Langevin (for himself, Mr. Castro of Texas, Mr. Ruppersberger, Ms. 
 Loretta Sanchez of California, Mr. Pocan, Mr. Andrews, Mr. Larsen of 
  Washington, and Mrs. Davis of California) introduced the following 
 bill; which was referred to the Committee on Oversight and Government 
 Reform, and in addition to the Committee on Homeland Security, for a 
 period to be subsequently determined by the Speaker, in each case for 
consideration of such provisions as fall within the jurisdiction of the 
                          committee concerned

_______________________________________________________________________

                                 A BILL


 
  To amend chapter 35 of title 44, United States Code, to create the 
  National Office for Cyberspace, to revise requirements relating to 
         Federal information security, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    (a) Short Title.--This Act may be cited as the ``Executive 
Cyberspace Coordination Act of 2013''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title.
            TITLE I--FEDERAL INFORMATION SECURITY AMENDMENTS

Sec. 101. Coordination of Federal information policy.
Sec. 102. Information security acquisition requirements.
Sec. 103. Technical and conforming amendments.
Sec. 104. Effective date.
               TITLE II--FEDERAL CHIEF TECHNOLOGY OFFICER

Sec. 201. Office of the Chief Technology Officer.
   TITLE III--STRENGTHENING CYBERSECURITY FOR CRITICAL INFRASTRUCTURE

Sec. 301. Definitions.
Sec. 302. Authority of Secretary.

            TITLE I--FEDERAL INFORMATION SECURITY AMENDMENTS

SEC. 101. COORDINATION OF FEDERAL INFORMATION POLICY.

    Chapter 35 of title 44, United States Code, is amended by striking 
subchapters II and III and inserting the following:

                 ``SUBCHAPTER II--INFORMATION SECURITY

``Sec. 3551. Purposes
    ``The purposes of this subchapter are to--
            ``(1) provide a comprehensive framework for ensuring the 
        effectiveness of information security controls over information 
        resources that support Federal operations and assets;
            ``(2) recognize the highly networked nature of the current 
        Federal computing environment and provide effective 
        Governmentwide management and oversight of the related 
        information security risks, including coordination of 
        information security efforts throughout the civilian, national 
        security, and law enforcement communities;
            ``(3) provide for development and maintenance of minimum 
        controls required to protect Federal information and 
        information infrastructure;
            ``(4) provide a mechanism for improved oversight of Federal 
        agency information security programs;
            ``(5) acknowledge that commercially developed information 
        security products offer advanced, dynamic, robust, and 
        effective information security solutions, reflecting market 
        solutions for the protection of critical information 
        infrastructures important to the national defense and economic 
        security of the Nation that are designed, built, and operated 
        by the private sector; and
            ``(6) recognize that the selection of specific technical 
        hardware and software information security solutions should be 
        left to individual agencies from among commercially developed 
        products.
``Sec. 3552. Definitions
    ``(a) Section 3502 Definitions.--Except as provided under 
subsection (b), the definitions under section 3502 shall apply to this 
subchapter.
    ``(b) Additional Definitions.--In this subchapter:
            ``(1) The term `adequate security' means security that 
        complies with the regulations promulgated under section 3554 
        and the standards promulgated under section 3558.
            ``(2) The term `incident' means an occurrence that actually 
        or potentially jeopardizes the confidentiality, integrity, or 
        availability of an information system, information 
        infrastructure, or the information the system processes, 
        stores, or transmits or that constitutes a violation or 
        imminent threat of violation of security policies, security 
        procedures, or acceptable use policies.
            ``(3) The term `information infrastructure' means the 
        underlying framework that information systems and assets rely 
        on in processing, storing, or transmitting information 
        electronically.
            ``(4) The term `information security' means protecting 
        information and information infrastructure from unauthorized 
        access, use, disclosure, disruption, modification, or 
        destruction in order to provide--
                    ``(A) integrity, which means guarding against 
                improper information modification or destruction, and 
                includes ensuring information nonrepudiation and 
                authenticity;
                    ``(B) confidentiality, which means preserving 
                authorized restrictions on access and disclosure, 
                including means for protecting personal privacy and 
                proprietary information;
                    ``(C) availability, which means ensuring timely and 
                reliable access to and use of information; and
                    ``(D) authentication, which means using digital 
                credentials to assure the identity of users and 
                validate access of such users.
            ``(5) The term `information technology' has the meaning 
        given that term in section 11101 of title 40.
            ``(6)(A) The term `national security system' means any 
        information infrastructure (including any telecommunications 
        system) used or operated by an agency or by a contractor of an 
        agency, or other organization on behalf of an agency--
                    ``(i) the function, operation, or use of which--
                            ``(I) involves intelligence activities;
                            ``(II) involves cryptologic activities 
                        related to national security;
                            ``(III) involves command and control of 
                        military forces;
                            ``(IV) involves equipment that is an 
                        integral part of a weapon or weapons system; or
                            ``(V) subject to subparagraph (B), is 
                        critical to the direct fulfillment of military 
                        or intelligence missions; or
                    ``(ii) is protected at all times by procedures 
                established for information that have been specifically 
                authorized under criteria established by an Executive 
                order or an Act of Congress to be kept classified in 
                the interest of national defense or foreign policy.
            ``(B) Subparagraph (A)(i)(V) does not include a system that 
        is to be used for routine administrative and business 
        applications (including payroll, finance, logistics, and 
        personnel management applications).
``Sec. 3553. National Office for Cyberspace
    ``(a) Establishment.--There is established within the Executive 
Office of the President an office to be known as the National Office 
for Cyberspace.
    ``(b) Director.--
            ``(1) In general.--There shall be at the head of the 
        National Office for Cyberspace a Director, who shall be 
        appointed by the President by and with the advice and consent 
        of the Senate. The Director of the National Office for 
        Cyberspace shall administer all functions designated to such 
        Director under this subchapter and collaborate to the extent 
        practicable with the heads of appropriate agencies, the private 
        sector, and international partners. The Office shall serve as 
        the principal office for coordinating issues relating to 
        cyberspace, including achieving an assured, reliable, secure, 
        and survivable information infrastructure and related 
        capabilities for the Federal Government, while promoting 
        national economic interests, security, and civil liberties.
            ``(2) Basic pay.--The Director of the National Office for 
        Cyberspace shall be paid at the rate of basic pay for level III 
        of the Executive Schedule.
    ``(c) Staff.--The Director of the National Office for Cyberspace 
may appoint and fix the pay of additional personnel as the Director 
considers appropriate.
    ``(d) Experts and Consultants.--The Director of the National Office 
for Cyberspace may procure temporary and intermittent services under 
section 3109(b) of title 5.
``Sec. 3554. Federal Cybersecurity Practice Board
    ``(a) Establishment.--Within the National Office for Cyberspace, 
there shall be established a board to be known as the `Federal 
Cybersecurity Practice Board' (in this section referred to as the 
`Board').
    ``(b) Members.--The Board shall be chaired by the Director of the 
National Office for Cyberspace and consist of not more than 10 members, 
with at least one representative from--
            ``(1) the Office of Management and Budget;
            ``(2) civilian agencies;
            ``(3) the Department of Defense;
            ``(4) the Federal law enforcement community;
            ``(5) the Federal Chief Technology Office; and
            ``(6) such additional military and civilian agencies as the 
        Director considers appropriate.
    ``(c) Responsibilities.--
            ``(1) Development of policies and procedures.--Subject to 
        the authority, direction, and control of the Director of the 
        National Office for Cyberspace, the Board shall be responsible 
        for developing and periodically updating information security 
        policies and procedures relating to the matters described in 
        paragraph (2). In developing such policies and procedures, the 
        Board shall require that all matters addressed in the policies 
        and procedures are consistent, to the maximum extent 
        practicable and in accordance with applicable law, among the 
        civilian, military, intelligence, and law enforcement 
        communities.
            ``(2) Specific matters covered in policies and 
        procedures.--
                    ``(A) Minimum security controls.--The Board shall 
                be responsible for developing and periodically updating 
                information security policies and procedures relating 
                to minimum security controls for information 
                technology, in order to--
                            ``(i) provide Governmentwide protection of 
                        Government-networked computers against common 
                        attacks; and
                            ``(ii) provide agencywide protection 
                        against threats, vulnerabilities, and other 
                        risks to the information infrastructure within 
                        individual agencies.
                    ``(B) Measures of effectiveness.--The Board shall 
                be responsible for developing and periodically updating 
                information security policies and procedures relating 
                to measurements needed to assess the effectiveness of 
                the minimum security controls referred to in 
                subparagraph (A). Such measurements shall include a 
                risk scoring system to evaluate risk to information 
                security both Governmentwide and within contractors of 
                the Federal Government.
                    ``(C) Products and services.--The Board shall be 
                responsible for developing and periodically updating 
                information security policies, procedures, and minimum 
                security standards relating to criteria for products 
                and services to be used in agency information systems 
                and information infrastructure that will meet the 
                minimum security controls referred to in subparagraph 
                (A). In carrying out this subparagraph, the Board shall 
                act in consultation with the Office of Management and 
                Budget and the General Services Administration.
                    ``(D) Remedies.--The Board shall be responsible for 
                developing and periodically updating information 
                security policies and procedures relating to methods 
                for providing remedies for security deficiencies 
                identified in agency information infrastructure.
            ``(3) Additional considerations.--The Board shall also 
        consider--
                    ``(A) opportunities to engage with the 
                international community to set policies, principles, 
                training, standards, or guidelines for information 
                security;
                    ``(B) opportunities to work with agencies and 
                industry partners to increase information sharing and 
                policy coordination efforts in order to reduce 
                vulnerabilities in the national information 
                infrastructure; and
                    ``(C) options necessary to encourage and maintain 
                accountability of any agency, or senior agency 
                official, for efforts to secure the information 
                infrastructure of such agency.
            ``(4) Relationship to other standards.--The policies and 
        procedures developed under paragraph (1) are supplemental to 
        the standards promulgated by the Director of the National 
        Office for Cyberspace under section 3558.
            ``(5) Recommendations for regulations.--The Board shall be 
        responsible for making recommendations to the Director of the 
        National Office for Cyberspace on regulations to carry out the 
        policies and procedures developed by the Board under paragraph 
        (1).
    ``(d) Regulations.--The Director of the National Office for 
Cyberspace, in consultation with the Director of the Office of 
Management and the Administrator of General Services, shall promulgate 
and periodically update regulations to carry out the policies and 
procedures developed by the Board under subsection (c).
    ``(e) Annual Report.--The Director of the National Office for 
Cyberspace shall provide to Congress a report containing a summary of 
agency progress in implementing the regulations promulgated under this 
section as part of the annual report to Congress required under section 
3555(a)(8).
    ``(f) No Disclosure by Board Required.--The Board is not required 
to disclose under section 552 of title 5 information submitted by 
agencies to the Board regarding threats, vulnerabilities, and risks.
``Sec. 3555. Authority and functions of the Director of the National 
              Office for Cyberspace
    ``(a) In General.--The Director of the National Office for 
Cyberspace shall oversee agency information security policies and 
practices, including--
            ``(1) developing and overseeing the implementation of 
        policies, principles, standards, and guidelines on information 
        security, including through ensuring timely agency adoption of 
        and compliance with standards promulgated under section 3558;
            ``(2) requiring agencies, consistent with the standards 
        promulgated under section 3558 and other requirements of this 
        subchapter, to identify and provide information security 
        protections commensurate with the risk and magnitude of the 
        harm resulting from the unauthorized access, use, disclosure, 
        disruption, modification, or destruction of--
                    ``(A) information collected or maintained by or on 
                behalf of an agency; or
                    ``(B) information infrastructure used or operated 
                by an agency or by a contractor of an agency or other 
                organization on behalf of an agency;
            ``(3) coordinating the development of standards and 
        guidelines under section 20 of the National Institute of 
        Standards and Technology Act (15 U.S.C. 278g-3) with agencies 
        and offices operating or exercising control of national 
        security systems (including the National Security Agency) to 
        assure, to the maximum extent feasible, that such standards and 
        guidelines are complementary with standards and guidelines 
        developed for national security systems;
            ``(4) overseeing agency compliance with the requirements of 
        this subchapter, including through any authorized action under 
        section 11303 of title 40, to enforce accountability for 
        compliance with such requirements;
            ``(5) reviewing at least annually, and approving or 
        disapproving, agency information security programs required 
        under section 3556(b);
            ``(6) coordinating information security policies and 
        procedures of the Federal Government with related information 
        resources management policies and procedures on the security 
        and resiliency of cyberspace;
            ``(7) overseeing the operation of the Federal information 
        security incident center required under section 3559;
            ``(8) reporting to Congress no later than March 1 of each 
        year on agency compliance with the requirements of this 
        subchapter, including--
                    ``(A) a summary of the findings of audits required 
                by section 3557;
                    ``(B) an assessment of the development, 
                promulgation, and adoption of, and compliance with, 
                standards developed under section 20 of the National 
                Institute of Standards and Technology Act (15 U.S.C. 
                278g-3) and promulgated under section 3558;
                    ``(C) significant deficiencies in agency 
                information security practices;
                    ``(D) planned remedial action to address such 
                deficiencies; and
                    ``(E) a summary of, and the views of the Director 
                of the National Office for Cyberspace on, the report 
                prepared by the National Institute of Standards and 
                Technology under section 20(d)(10) of the National 
                Institute of Standards and Technology Act (15 U.S.C. 
                278g-3);
            ``(9) coordinating the defense of information 
        infrastructure operated by agencies in the case of a large-
        scale attack on information infrastructure, as determined by 
        the Director;
            ``(10) establishing a national strategy not later than 120 
        days after the date of the enactment of this section;
            ``(11) coordinating information security training for 
        Federal employees with the Office of Personnel Management;
            ``(12) ensuring the adequacy of protections for privacy and 
        civil liberties in carrying out the responsibilities of the 
        Director under this subchapter;
            ``(13) making recommendations that the Director determines 
        are necessary to ensure risk-based security of the Federal 
        information infrastructure and information infrastructure that 
        is owned, operated, controlled, or licensed for use by, or on 
        behalf of, the Department of Defense, a military department, or 
        another element of the intelligence community to--
                    ``(A) the Director of the Office of Management and 
                Budget;
                    ``(B) the head of an agency; or
                    ``(C) to Congress with regard to the reprogramming 
                of funds;
            ``(14) ensuring, in consultation with the Administrator of 
        the Office of Information and Regulatory Affairs, that the 
        efforts of agencies relating to the development of regulations, 
        rules, requirements, or other actions applicable to the 
        national information infrastructure are complementary;
            ``(15) when directed by the President, carrying out the 
        responsibilities for national security and emergency 
        preparedness communications described in section 706 of the 
        Communications Act of 1934 (47 U.S.C. 606) to ensure 
        integration and coordination; and
            ``(16) as assigned by the President, other duties relating 
        to the security and resiliency of cyberspace.
    ``(b) Recruitment Program.--Not later than 1 year after 
appointment, the Director of the National Office for Cyberspace shall 
establish a national program to conduct competitions and challenges 
that instruct United States students in cybersecurity education and 
computer literacy.
    ``(c) Budget Oversight and Reporting.--(1) The head of each agency 
shall submit to the Director of the National Office for Cyberspace a 
budget each year for the following fiscal year relating to the 
protection of information infrastructure for such agency, by a date 
determined by the Director that is before the submission of such budget 
by the head of the agency to the Office of Management and Budget.
    ``(2) The Director shall review and offer a non-binding approval or 
disapproval of each agency's annual budget to each such agency before 
the submission of such budget by the head of the agency to the Office 
of Management and Budget.
    ``(3) If the Director offers a non-binding disapproval of an 
agency's budget, the Director shall transmit recommendations to the 
head of such agency for strengthening its proposed budget with regard 
to the protection of such agency's information infrastructure.
    ``(4) Each budget submitted by the head of an agency pursuant to 
paragraph (1) shall include--
            ``(A) a review of any threats to information technology for 
        such agency;
            ``(B) a plan to secure the information infrastructure for 
        such agency based on threats to information technology, using 
        the National Institute of Standards and Technology guidelines 
        and recommendations;
            ``(C) a review of compliance by such agency with any 
        previous year plan described in subparagraph (B); and
            ``(D) a report on the development of the credentialing 
        process to enable secure authentication of identity and 
        authorization for access to the information infrastructure of 
        such agency.
    ``(5) The Director of the National Office for Cyberspace may 
recommend to the President monetary penalties or incentives necessary 
to encourage and maintain accountability of any agency, or senior 
agency official, for efforts to secure the information infrastructure 
of such agency.
``Sec. 3556. Agency responsibilities
    ``(a) In General.--The head of each agency shall--
            ``(1) be responsible for--
                    ``(A) providing information security protections 
                commensurate with the risk and magnitude of the harm 
                resulting from unauthorized access, use, disclosure, 
                disruption, modification, or destruction of--
                            ``(i) information collected or maintained 
                        by or on behalf of the agency; and
                            ``(ii) information infrastructure used or 
                        operated by an agency or by a contractor of an 
                        agency or other organization on behalf of an 
                        agency;
                    ``(B) complying with the requirements of this 
                subchapter and related policies, procedures, standards, 
                and guidelines, including--
                            ``(i) the regulations promulgated under 
                        section 3554 and the information security 
                        standards promulgated under section 3558;
                            ``(ii) information security standards and 
                        guidelines for national security systems issued 
                        in accordance with law and as directed by the 
                        President; and
                            ``(iii) ensuring the standards implemented 
                        for information infrastructure and national 
                        security systems under the agency head are 
                        complementary and uniform, to the extent 
                        practicable; and
                    ``(C) ensuring that information security management 
                processes are integrated with agency strategic and 
                operational planning processes;
            ``(2) ensure that senior agency officials provide 
        information security for the information and information 
        infrastructure that support the operations and assets under 
        their control, including through--
                    ``(A) assessing the risk and magnitude of the harm 
                that could result from the unauthorized access, use, 
                disclosure, disruption, modification, or destruction of 
                such information or information infrastructure;
                    ``(B) determining the levels of information 
                security appropriate to protect such information and 
                information infrastructure in accordance with 
                regulations promulgated under section 3554 and 
                standards promulgated under section 3558, for 
                information security classifications and related 
                requirements;
                    ``(C) implementing policies and procedures to cost 
                effectively reduce risks to an acceptable level; and
                    ``(D) continuously testing and evaluating 
                information security controls and techniques to ensure 
                that they are effectively implemented;
            ``(3) delegate to an agency official, designated as the 
        `Chief Information Security Officer', under the authority of 
        the agency Chief Information Officer the responsibility to 
        oversee agency information security and the authority to ensure 
        and enforce compliance with the requirements imposed on the 
        agency under this subchapter, including--
                    ``(A) overseeing the establishment and maintenance 
                of a security operations capability on an automated and 
                continuous basis that can--
                            ``(i) assess the state of compliance of all 
                        networks and systems with prescribed controls 
                        issued pursuant to section 3558 and report 
                        immediately any variance therefrom and, where 
                        appropriate and with the approval of the agency 
                        Chief Information Officer, shut down systems 
                        that are found to be non-compliant;
                            ``(ii) detect, report, respond to, contain, 
                        and mitigate incidents that impair adequate 
                        security of the information and information 
                        infrastructure, in accordance with policy 
                        provided by the Director of the National Office 
                        for Cyberspace, in consultation with the Chief 
                        Information Officers Council, and guidance from 
                        the National Institute of Standards and 
                        Technology;
                            ``(iii) collaborate with the National 
                        Office for Cyberspace and appropriate public 
                        and private sector security operations centers 
                        to address incidents that impact the security 
                        of information and information infrastructure 
                        that extend beyond the control of the agency; 
                        and
                            ``(iv) not later than 24 hours after 
                        discovery of any incident described under 
                        subparagraph (A)(ii), unless otherwise directed 
                        by policy of the National Office for 
                        Cyberspace, provide notice to the appropriate 
                        security operations center, the National Cyber 
                        Investigative Joint Task Force, and the 
                        Inspector General of the agency;
                    ``(B) developing, maintaining, and overseeing an 
                agency wide information security program as required by 
                subsection (b);
                    ``(C) developing, maintaining, and overseeing 
                information security policies, procedures, and control 
                techniques to address all applicable requirements, 
                including those issued under sections 3555 and 3558;
                    ``(D) training and overseeing personnel with 
                significant responsibilities for information security 
                with respect to such responsibilities; and
                    ``(E) assisting senior agency officials concerning 
                their responsibilities under paragraph (2);
            ``(4) ensure that the agency has trained and cleared 
        personnel sufficient to assist the agency in complying with the 
        requirements of this subchapter and related policies, 
        procedures, standards, and guidelines;
            ``(5) ensure that the Chief Information Security Officer, 
        in coordination with other senior agency officials, reports 
        biannually to the agency head on the effectiveness of the 
        agency information security program, including progress of 
        remedial actions; and
            ``(6) ensure that the Chief Information Security Officer 
        possesses necessary qualifications, including education, 
        professional certifications, training, experience, and the 
        security clearance required to administer the functions 
        described under this subchapter; and has information security 
        duties as the primary duty of that official.
    ``(b) Agency Program.--Each agency shall develop, document, and 
implement an agencywide information security program, approved by the 
Director of the National Office for Cyberspace under section 
3555(a)(5), to provide information security for the information and 
information infrastructure that support the operations and assets of 
the agency, including those provided or managed by another agency, 
contractor, or other source, that includes--
            ``(1) continuous automated technical monitoring of 
        information infrastructure used or operated by an agency or by 
        a contractor of an agency or other organization on behalf of an 
        agency to assure conformance with regulations promulgated under 
        section 3554 and standards promulgated under section 3558;
            ``(2) testing of the effectiveness of security controls 
        that are commensurate with risk (as defined by the National 
        Institute of Standards and Technology and the National Office 
        for Cyberspace) for agency information infrastructure;
            ``(3) policies and procedures that--
                    ``(A) mitigate and remediate, to the extent 
                practicable, information security vulnerabilities based 
                on the risk posed to the agency;
                    ``(B) cost effectively reduce information security 
                risks to an acceptable level;
                    ``(C) ensure that information security is addressed 
                throughout the life cycle of each agency information 
                system and information infrastructure;
                    ``(D) ensure compliance with--
                            ``(i) the requirements of this subchapter;
                            ``(ii) policies and procedures as may be 
                        prescribed by the Director of the National 
                        Office for Cyberspace, and information security 
                        standards promulgated under section 3558;
                            ``(iii) minimally acceptable system 
                        configuration requirements, as determined by 
                        the Director of the National Office for 
                        Cyberspace; and
                            ``(iv) any other applicable requirements, 
                        including--
                                    ``(I) standards and guidelines for 
                                national security systems issued in 
                                accordance with law and as directed by 
                                the President;
                                    ``(II) the policy of the Director 
                                of the National Office for Cyberspace;
                                    ``(III) the National Institute of 
                                Standards and Technology guidance; and
                                    ``(IV) the Chief Information 
                                Officers Council recommended 
                                approaches;
                    ``(E) develop, maintain, and oversee information 
                security policies, procedures, and control techniques 
                to address all applicable requirements, including those 
                issued under sections 3555 and 3558; and
                    ``(F) ensure the oversight and training of 
                personnel with significant responsibilities for 
                information security with respect to such 
                responsibilities;
            ``(4) ensuring that the agency has trained and cleared 
        personnel sufficient to assist the agency in complying with the 
        requirements of this subchapter and related policies, 
        procedures, standards, and guidelines;
            ``(5) to the extent practicable, automated and continuous 
        technical monitoring for testing, and evaluation of the 
        effectiveness and compliance of information security policies, 
        procedures, and practices, including--
                    ``(A) management, operational, and technical 
                controls of every information infrastructure identified 
                in the inventory required under section 3505(b); and
                    ``(B) management, operational, and technical 
                controls relied on for an evaluation under section 
                3556;
            ``(6) a process for planning, implementing, evaluating, and 
        documenting remedial action to address any deficiencies in the 
        information security policies, procedures, and practices of the 
        agency;
            ``(7) to the extent practicable, continuous automated 
        technical monitoring for detecting, reporting, and responding 
        to security incidents, consistent with standards and guidelines 
        issued by the Director of the National Office for Cyberspace, 
        including--
                    ``(A) mitigating risks associated with such 
                incidents before substantial damage is done;
                    ``(B) notifying and consulting with the appropriate 
                security operations response center; and
                    ``(C) notifying and consulting with, as 
                appropriate--
                            ``(i) law enforcement agencies and relevant 
                        Offices of Inspectors General;
                            ``(ii) the National Office for Cyberspace; 
                        and
                            ``(iii) any other agency or office, in 
                        accordance with law or as directed by the 
                        President; and
            ``(8) plans and procedures to ensure continuity of 
        operations for information infrastructure that support the 
        operations and assets of the agency.
    ``(c) Agency Reporting.--Each agency shall--
            ``(1) submit an annual report on the adequacy and 
        effectiveness of information security policies, procedures, and 
        practices, and compliance with the requirements of this 
        subchapter, including compliance with each requirement of 
        subsection (b) to--
                    ``(A) the National Office for Cyberspace;
                    ``(B) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    ``(C) the Committee on Oversight and Government 
                Reform of the House of Representatives;
                    ``(D) other appropriate authorization and 
                appropriations committees of Congress; and
                    ``(E) the Comptroller General;
            ``(2) address the adequacy and effectiveness of information 
        security policies, procedures, and practices in plans and 
        reports relating to--
                    ``(A) annual agency budgets;
                    ``(B) information resources management of this 
                subchapter;
                    ``(C) information technology management under this 
                chapter;
                    ``(D) program performance under sections 1105 and 
                1115 through 1119 of title 31, and sections 2801 and 
                2805 of title 39;
                    ``(E) financial management under chapter 9 of title 
                31, and the Chief Financial Officers Act of 1990 (31 
                U.S.C. 501 note; Public Law 101-576) (and the 
                amendments made by that Act);
                    ``(F) financial management systems under the 
                Federal Financial Management Improvement Act (31 U.S.C. 
                3512 note); and
                    ``(G) internal accounting and administrative 
                controls under section 3512 of title 31; and
            ``(3) report any significant deficiency in a policy, 
        procedure, or practice identified under paragraph (1) or (2)--
                    ``(A) as a material weakness in reporting under 
                section 3512 of title 31; and
                    ``(B) if relating to financial management systems, 
                as an instance of a lack of substantial compliance 
                under the Federal Financial Management Improvement Act 
                (31 U.S.C. 3512 note).
    ``(d) Performance Plan.--(1) In addition to the requirements of 
subsection (c), each agency, in consultation with the National Office 
for Cyberspace, shall include as part of the performance plan required 
under section 1115 of title 31 a description of the resources, 
including budget, staffing, and training, that are necessary to 
implement the program required under subsection (b).
    ``(2) The description under paragraph (1) shall be based on the 
risk assessments required under subsection (a)(2).
    ``(e) Public Notice and Comment.--Each agency shall provide the 
public with timely notice and opportunities for comment on proposed 
information security policies and procedures to the extent that such 
policies and procedures affect communication with the public.
``Sec. 3557. Annual independent audit
    ``(a) In General.--(1) Each year each agency shall have performed 
an independent audit of the information security program and practices 
of that agency to determine the effectiveness of such program and 
practices.
    ``(2) Each audit under this section shall include--
            ``(A) testing of the effectiveness of the information 
        infrastructure of the agency for automated, continuous 
        monitoring of the state of compliance of its information 
        infrastructure with regulations promulgated under section 3554 
        and standards promulgated under section 3558 in a 
        representative subset of--
                    ``(i) the information infrastructure used or 
                operated by the agency; and
                    ``(ii) the information infrastructure used, 
                operated, or supported on behalf of the agency by a 
                contractor of the agency, a subcontractor (at any tier) 
                of such contractor, or any other entity;
            ``(B) an assessment (made on the basis of the results of 
        the testing) of compliance with--
                    ``(i) the requirements of this subchapter; and
                    ``(ii) related information security policies, 
                procedures, standards, and guidelines;
            ``(C) separate assessments, as appropriate, regarding 
        information security relating to national security systems; and
            ``(D) a conclusion regarding whether the information 
        security controls of the agency are effective, including an 
        identification of any significant deficiencies in such 
        controls.
    ``(3) Each audit under this section shall be performed in 
accordance with applicable generally accepted Government auditing 
standards.
    ``(b) Independent Auditor.--Subject to subsection (c)--
            ``(1) for each agency with an Inspector General appointed 
        under the Inspector General Act of 1978 or any other law, the 
        annual audit required by this section shall be performed by the 
        Inspector General or by an independent external auditor, as 
        determined by the Inspector General of the agency; and
            ``(2) for each agency to which paragraph (1) does not 
        apply, the head of the agency shall engage an independent 
        external auditor to perform the audit.
    ``(c) National Security Systems.--For each agency operating or 
exercising control of a national security system, that portion of the 
audit required by this section directly relating to a national security 
system shall be performed--
            ``(1) only by an entity designated head; and
            ``(2) in such a manner as to ensure appropriate protection 
        for information associated with any information security 
        vulnerability in such system commensurate with the risk and in 
        accordance with all applicable laws.
    ``(d) Existing Audits.--The audit required by this section may be 
based in whole or in part on another audit relating to programs or 
practices of the applicable agency.
    ``(e) Agency Reporting.--(1) Each year, not later than such date 
established by the Director of the National Office for Cyberspace, the 
head of each agency shall submit to the Director the results of the 
audit required under this section.
    ``(2) To the extent an audit required under this section directly 
relates to a national security system, the results of the audit 
submitted to the Director of the National Office for Cyberspace shall 
contain only a summary and assessment of that portion of the audit 
directly relating to a national security system.
    ``(f) Protection of Information.--Agencies and auditors shall take 
appropriate steps to ensure the protection of information which, if 
disclosed, may adversely affect information security. Such protections 
shall be commensurate with the risk and comply with all applicable laws 
and regulations.
    ``(g) National Office for Cyberspace Reports to Congress.--(1) The 
Director of the National Office for Cyberspace shall summarize the 
results of the audits conducted under this section in the annual report 
to Congress required under section 3555(a)(8).
    ``(2) The Director's report to Congress under this subsection shall 
summarize information regarding information security relating to 
national security systems in such a manner as to ensure appropriate 
protection for information associated with any information security 
vulnerability in such system commensurate with the risk and in 
accordance with all applicable laws.
    ``(3) Audits and any other descriptions of information 
infrastructure under the authority and control of the Director of 
Central Intelligence or of National Foreign Intelligence Programs 
systems under the authority and control of the Secretary of Defense 
shall be made available to Congress only through the appropriate 
oversight committees of Congress, in accordance with applicable laws.
    ``(h) Comptroller General.--The Comptroller General shall 
periodically evaluate and report to Congress on--
            ``(1) the adequacy and effectiveness of agency information 
        security policies and practices; and
            ``(2) implementation of the requirements of this 
        subchapter.
    ``(i) Contractor Audits.--Each year each contractor that operates, 
uses, or supports an information system or information infrastructure 
on behalf of an agency and each subcontractor of such contractor--
            ``(1) shall conduct an audit using an independent external 
        auditor in accordance with subsection (a), including an 
        assessment of compliance with the applicable requirements of 
        this subchapter; and
            ``(2) shall submit the results of such audit to such agency 
        not later than such date established by the Agency.
``Sec. 3558. Responsibilities for Federal information systems standards
    ``(a) Requirement To Prescribe Standards.--
            ``(1) In general.--
                    ``(A) Requirement.--Except as provided under 
                paragraph (2), the Secretary of Commerce shall, on the 
                basis of proposed standards developed by the National 
                Institute of Standards and Technology pursuant to 
                paragraphs (2) and (3) of section 20(a) of the National 
                Institute of Standards and Technology Act (15 U.S.C. 
                278g-3(a)) and in consultation with the Secretary of 
                Homeland Security, promulgate information security 
                standards pertaining to Federal information systems.
                    ``(B) Required standards.--Standards promulgated 
                under subparagraph (A) shall include--
                            ``(i) standards that provide minimum 
                        information security requirements as determined 
                        under section 20(b) of the National Institute 
                        of Standards and Technology Act (15 U.S.C. 
                        278g-3(b)); and
                            ``(ii) such standards that are otherwise 
                        necessary to improve the efficiency of 
                        operation or security of Federal information 
                        systems.
                    ``(C) Required standards binding.--Information 
                security standards described under subparagraph (B) 
                shall be compulsory and binding.
            ``(2) Standards and guidelines for national security 
        systems.--Standards and guidelines for national security 
        systems, as defined under section 3552(b), shall be developed, 
        promulgated, enforced, and overseen as otherwise authorized by 
        law and as directed by the President.
    ``(b) Application of More Stringent Standards.--The head of an 
agency may employ standards for the cost-effective information security 
for all operations and assets within or under the supervision of that 
agency that are more stringent than the standards promulgated by the 
Secretary of Commerce under this section, if such standards--
            ``(1) contain, at a minimum, the provisions of those 
        applicable standards made compulsory and binding by the 
        Secretary; and
            ``(2) are otherwise consistent with policies and guidelines 
        issued under section 3555.
    ``(c) Requirements Regarding Decisions by the Secretary.--
            ``(1) Deadline.--The decision regarding the promulgation of 
        any standard by the Secretary of Commerce under subsection (b) 
        shall occur not later than 6 months after the submission of the 
        proposed standard to the Secretary by the National Institute of 
        Standards and Technology, as provided under section 20 of the 
        National Institute of Standards and Technology Act (15 U.S.C. 
        278g-3).
            ``(2) Notice and comment.--A decision by the Secretary of 
        Commerce to significantly modify, or not promulgate, a proposed 
        standard submitted to the Secretary by the National Institute 
        of Standards and Technology, as provided under section 20 of 
        the National Institute of Standards and Technology Act (15 
        U.S.C. 278g-3), shall be made after the public is given an 
        opportunity to comment on the Secretary's proposed decision.
``Sec. 3559. Federal information security incident center
    ``(a) In General.--The Director of the National Office for 
Cyberspace shall ensure the operation of a central Federal information 
security incident center to--
            ``(1) provide timely technical assistance to operators of 
        agency information systems and information infrastructure 
        regarding security incidents, including guidance on detecting 
        and handling information security incidents;
            ``(2) compile and analyze information about incidents that 
        threaten information security;
            ``(3) inform operators of agency information systems and 
        information infrastructure about current and potential 
        information security threats, and vulnerabilities; and
            ``(4) consult with the National Institute of Standards and 
        Technology, agencies or offices operating or exercising control 
        of national security systems (including the National Security 
        Agency), and such other agencies or offices in accordance with 
        law and as directed by the President regarding information 
        security incidents and related matters.
    ``(b) National Security Systems.--Each agency operating or 
exercising control of a national security system shall share 
information about information security incidents, threats, and 
vulnerabilities with the Federal information security incident center 
to the extent consistent with standards and guidelines for national 
security systems, issued in accordance with law and as directed by the 
President.
    ``(c) Review and Approval.--In coordination with the Administrator 
for Electronic Government and Information Technology, the Director of 
the National Office for Cyberspace shall review and approve the 
policies, procedures, and guidance established in this subchapter to 
ensure that the incident center has the capability to effectively and 
efficiently detect, correlate, respond to, contain, mitigate, and 
remediate incidents that impair the adequate security of the 
information systems and information infrastructure of more than one 
agency. To the extent practicable, the capability shall be continuous 
and technically automated.
``Sec. 3560. National security systems
    ``The head of each agency operating or exercising control of a 
national security system shall be responsible for ensuring that the 
agency--
            ``(1) provides information security protections 
        commensurate with the risk and magnitude of the harm resulting 
        from the unauthorized access, use, disclosure, disruption, 
        modification, or destruction of the information contained in 
        such system;
            ``(2) implements information security policies and 
        practices as required by standards and guidelines for national 
        security systems, issued in accordance with law and as directed 
        by the President; and
            ``(3) complies with the requirements of this subchapter.''.

SEC. 102. INFORMATION SECURITY ACQUISITION REQUIREMENTS.

    Chapter 113 of title 40, United States Code, is amended by adding 
at the end of subchapter II the following new section:
``Sec. 11319. Information security acquisition requirements.
    ``(a) Prohibition.--Notwithstanding any other provision of law, 
beginning one year after the date of the enactment of the Executive 
Cyberspace Coordination Act of 2013, no agency may enter into a 
contract, an order under a contract, or an interagency agreement for--
            ``(1) the collection, use, management, storage, or 
        dissemination of information on behalf of the agency;
            ``(2) the use or operation of an information system or 
        information infrastructure on behalf of the agency; or
            ``(3) information technology;
unless such contract, order, or agreement includes requirements to 
provide effective information security that supports the operations and 
assets under the control of the agency, in compliance with the 
policies, standards, and guidance developed under subsection (b), and 
otherwise ensures compliance with this section.
    ``(b) Coordination of Secure Acquisition Policies.--
            ``(1) In general.--The Director of the Office of Management 
        and Budget, in consultation with the Director of the National 
        Institute of Standards and Technology, the Director of the 
        National Office for Cyberspace, and the Administrator of 
        General Services, shall oversee the development and 
        implementation of policies, standards, and guidance, including 
        through revisions to the Federal Acquisition Regulation and the 
        Department of Defense supplement to the Federal Acquisition 
        Regulation, to cost effectively enhance agency information 
        security, including--
                    ``(A) minimum information security requirements for 
                agency procurement of information technology products 
                and services; and
                    ``(B) approaches for evaluating and mitigating 
                significant supply chain security risks associated with 
                products or services to be acquired by agencies.
            ``(2) Report.--Not later than two years after the date of 
        the enactment of the Executive Cyberspace Coordination Act of 
        2013, the Director of the Office of Management and Budget shall 
        submit to Congress a report describing--
                    ``(A) actions taken to improve the information 
                security associated with the procurement of products 
                and services by the Federal Government; and
                    ``(B) plans for overseeing and coordinating efforts 
                of agencies to use best practice approaches for cost-
                effectively purchasing more secure products and 
                services.
    ``(c) Vulnerability Assessments of Major Systems.--
            ``(1) Requirement for initial vulnerability assessments.--
        The Director of the Office of Management and Budget shall 
        require each agency to conduct an initial vulnerability 
        assessment for any major system and its significant items of 
        supply prior to the development of the system. The initial 
        vulnerability assessment of a major system and its significant 
        items of supply shall include use of an analysis-based approach 
        to--
                    ``(A) identify vulnerabilities;
                    ``(B) define exploitation potential;
                    ``(C) examine the system's potential effectiveness;
                    ``(D) determine overall vulnerability; and
                    ``(E) make recommendations for risk reduction.
            ``(2) Subsequent vulnerability assessments.--
                    ``(A) The Director shall require a subsequent 
                vulnerability assessment of each major system and its 
                significant items of supply within a program if the 
                Director determines that circumstances warrant the 
                issuance of an additional vulnerability assessment.
                    ``(B) Upon the request of a congressional 
                committee, the Director may require a subsequent 
                vulnerability assessment of a particular major system 
                and its significant items of supply within the program.
                    ``(C) Any subsequent vulnerability assessment of a 
                major system and its significant items of supply shall 
                include use of an analysis-based approach and, if 
                applicable, a testing-based approach, to monitor the 
                exploitation potential of such system and reexamine the 
                factors described in subparagraphs (A) through (E) of 
                paragraph (1).
            ``(3) Congressional oversight.--The Director shall provide 
        to the appropriate congressional committees a copy of each 
        vulnerability assessment conducted under paragraph (1) or (2) 
        not later than 10 days after the date of the completion of such 
        assessment.
    ``(d) Definitions.--In this section:
            ``(1) Item of supply.--The term `item of supply'--
                    ``(A) means any individual part, component, 
                subassembly, assembly, or subsystem integral to a major 
                system, and other property which may be replaced during 
                the service life of the major system, including a spare 
                part or replenishment part; and
                    ``(B) does not include packaging or labeling 
                associated with shipment or identification of an item.
            ``(2) Vulnerability assessment.--The term `vulnerability 
        assessment' means the process of identifying and quantifying 
        vulnerabilities in a major system and its significant items of 
        supply.
            ``(3) Major system.--The term `major system' has the 
        meaning given that term in section 4 of the Office of Federal 
        Procurement Policy Act (41 U.S.C. 403).''.

SEC. 103. TECHNICAL AND CONFORMING AMENDMENTS.

    (a) Table of Sections in Title 44.--The table of sections for 
chapter 35 of title 44, United States Code, is amended by striking the 
matter relating to subchapters II and III and inserting the following:

                  ``subchapter ii--information security

``3551. Purposes.
``3552. Definitions.
``3553. National Office for Cyberspace.
``3554. Federal Cybersecurity Practice Board.
``3555. Authority and functions of the Director of the National Office 
                            for Cyberspace.
``3556. Agency responsibilities.
``3557. Annual independent audit.
``3558. Responsibilities for Federal information systems standards.
``3559. Federal information security incident center.
``3560. National security systems.''.
    (b) Table of Sections in Title 40.--The table of sections for 
chapter 113 of title 40, United States Code, is amended by inserting 
after the item relating to section 11318 the following new item:

``Sec. 11319. Information security acquisition requirements.''.
    (c) Other References.--
            (1) Section 1001(c)(1)(A) of the Homeland Security Act of 
        2002 (6 U.S.C. 511(c)(1)(A)) is amended by striking ``section 
        3532(3)'' and inserting ``section 3552(b)''.
            (2) Section 2222(j)(6) of title 10, United States Code, is 
        amended by striking ``section 3542(b)(2))'' and inserting 
        ``section 3552(b)''.
            (3) Section 2223(c)(3) of title 10, United States Code, is 
        amended, by striking ``section 3542(b)(2))'' and inserting 
        ``section 3552(b)''.
            (4) Section 2315 of title 10, United States Code, is 
        amended by striking ``section 3542(b)(2))'' and inserting 
        ``section 3552(b)''.
            (5) Section 20 of the National Institute of Standards and 
        Technology Act (15 U.S.C. 278g-3) is amended--
                    (A) in subsections (a)(2) and (e)(5), by striking 
                ``section 3532(b)(2)'' and inserting ``section 
                3552(b)'';
                    (B) in subsection (e)(2), by striking ``section 
                3532(1)'' and inserting ``section 3552(b)''; and
                    (C) in subsections (c)(3) and (d)(1), by striking 
                ``section 11331 of title 40'' and inserting ``section 
                3558 of title 44''.
            (6) Section 8(d)(1) of the Cyber Security Research and 
        Development Act (15 U.S.C. 7406(d)(1)) is amended by striking 
        ``section 3534(b)'' and inserting ``section 3556(b)''.
    (d) Repeal.--
            (1) Subchapter III of chapter 113 of title 40, United 
        States Code, is repealed.
            (2) The table of sections for chapter 113 of such title is 
        amended by striking the matter relating to subchapter III.
    (e) Executive Schedule Pay Rate.--Section 5314 of title 5, United 
States Code, is amended by adding at the end the following:
            ``Director of the National Office for Cyberspace.''.
    (f) Membership on the National Security Council.--Section 101(a) of 
the National Security Act of 1947 (50 U.S.C. 402(a)) is amended--
            (1) by redesignating paragraphs (7) and (8) as paragraphs 
        (8) and (9), respectively; and
            (2) by inserting after paragraph (6) the following:
            ``(7) the Director of the National Office for 
        Cyberspace;''.

SEC. 104. EFFECTIVE DATE.

    (a) In General.--Unless otherwise specified in this section, this 
title (including the amendments made by this title) shall take effect 
30 days after the date of enactment of this Act.
    (b) National Office for Cyberspace.--Section 3553 of title 44, 
United States Code, as added by section 101 of this title, shall take 
effect 180 days after the date of enactment of this Act.
    (c) Federal Cybersecurity Practice Board.--Section 3554 of title 
44, United States Code, as added by section 101 of this title, shall 
take effect one year after the date of enactment of this Act.

               TITLE II--FEDERAL CHIEF TECHNOLOGY OFFICER

SEC. 201. OFFICE OF THE CHIEF TECHNOLOGY OFFICER.

    (a) Establishment and Staff.--
            (1) Establishment.--
                    (A) In general.--There is established in the 
                Executive Office of the President an Office of the 
                Federal Chief Technology Officer (in this section 
                referred to as the ``Office'').
                    (B) Head of the office.--
                            (i) Federal chief technology officer.--The 
                        President shall appoint a Federal Chief 
                        Technology Officer (in this section referred to 
                        as the ``Federal CTO'') who shall be the head 
                        of the Office.
                            (ii) Compensation.--Section 5314 of title 
                        5, United States Code, is amended by adding at 
                        the end the following:
            ``Federal Chief Technology Officer.''.
            (2) Staff of the office.--The President may appoint 
        additional staff members to the Office.
    (b) Duties of the Office.--The functions of the Federal CTO are the 
following:
            (1) Undertake fact-gathering, analysis, and assessment of 
        the Federal Government's information technology 
        infrastructures, information technology strategy, and use of 
        information technology, and provide advice on such matters to 
        the President, heads of Federal departments and agencies, and 
        government chief information officers and chief technology 
        officers.
            (2) Lead an interagency effort, working with the chief 
        technology and chief information officers of each of the 
        Federal departments and agencies, to develop and implement a 
        planning process to ensure that they use best-in-class 
        technologies, share best practices, and improve the use of 
        technology in support of Federal Government requirements.
            (3) Advise the President on information technology 
        considerations with regard to Federal budgets and with regard 
        to general coordination of the research and development 
        programs of the Federal Government for information technology-
        related matters.
            (4) Promote technological innovation in the Federal 
        Government, and encourage and oversee the adoption of robust 
        cross-governmental architectures and standards-based 
        information technologies, in support of effective operational 
        and management policies, practices, and services across Federal 
        departments and agencies and with the public and external 
        entities.
            (5) Establish cooperative public-private sector partnership 
        initiatives to achieve knowledge of technologies available in 
        the marketplace that can be used for improving governmental 
        operations and information technology research and development 
        activities.
            (6) Gather timely and authoritative information concerning 
        significant developments and trends in information technology, 
        and in national priorities, both current and prospective, and 
        analyze and interpret the information for the purpose of 
        determining whether the developments and trends are likely to 
        affect achievement of the priority goals of the Federal 
        Government.
            (7) Develop, review, revise, and recommend criteria for 
        determining information technology activities warranting 
        Federal support, and recommend Federal policies designed to 
        advance the development and maintenance of effective and 
        efficient information technology capabilities, including human 
        resources, at all levels of government, academia, and industry, 
        and the effective application of the capabilities to national 
        needs.
            (8) Any other functions and activities that the President 
        may assign to the Federal CTO.
    (c) Policy Planning; Analysis and Advice.--The Office shall serve 
as a source of analysis and advice for the President and heads of 
Federal departments and agencies with respect to major policies, plans, 
and programs of the Federal Government in accordance with the functions 
described in subsection (b).
    (d) Coordination of the Office With Other Entities.--
            (1) Federal cto on domestic policy council.--The Federal 
        CTO shall be a member of the Domestic Policy Council.
            (2) Federal cto on cyber security practice board.--The 
        Federal CTO shall be a member of the Federal Cybersecurity 
        Practice Board.
            (3) Obtain information from agencies.--The Office may 
        secure, directly from any department or agency of the United 
        States, information necessary to enable the Federal CTO to 
        carry out this section. On request of the Federal CTO, the head 
        of the department or agency shall furnish the information to 
        the Office, subject to any applicable limitations of Federal 
        law.
            (4) Staff of federal agencies.--On request of the Federal 
        CTO, to assist the Office in carrying out the duties of the 
        Office, the head of any Federal department or agency may detail 
        personnel, services, or facilities of the department or agency 
        to the Office.
    (e) Annual Report.--
            (1) Publication and contents.--The Federal CTO shall 
        publish, in the Federal Register and on a public Internet 
        website of the Federal CTO, an annual report that includes the 
        following:
                    (A) Information on programs to promote the 
                development of technological innovations.
                    (B) Recommendations for the adoption of policies to 
                encourage the generation of technological innovations.
                    (C) Information on the activities and 
                accomplishments of the Office in the year covered by 
                the report.
            (2) Submission.--The Federal CTO shall submit each report 
        under paragraph (1) to--
                    (A) the President;
                    (B) the Committee on Oversight and Government 
                Reform of the House of Representatives;
                    (C) the Committee on Science and Technology of the 
                House of Representatives; and
                    (D) the Committee on Commerce, Science, and 
                Transportation of the Senate.

   TITLE III--STRENGTHENING CYBERSECURITY FOR CRITICAL INFRASTRUCTURE

SEC. 301. DEFINITIONS.

    In this title:
            (1) Critical information infrastructure.--The term 
        ``critical information infrastructure'' means the electronic 
        information and communications systems, software, and assets 
        that control, protect, process, transmit, receive, program, or 
        store information in any form, including data, voice, and 
        video, relied upon by critical infrastructure, industrial 
        control systems such as supervisory control and data 
        acquisition systems, and programmable logic controllers. This 
        shall also include such systems of the Federal Government.
            (2) Secretary.--The term ``Secretary'' means the Secretary 
        of Homeland Security.

SEC. 302. AUTHORITY OF SECRETARY.

    (a) In General.--The Secretary shall have primary authority, in 
consultation with the Director of the National Office for Cyberspace 
and the Federal Cyberspace Practice Board, in the executive branch of 
the Federal Government in creation, verification, and enforcement of 
measures with respect to the protection of critical information 
infrastructure, including promulgating risk-informed information 
security practices and standards applicable to critical information 
infrastructures that are not owned by or under the direct control of 
the Federal Government. The Secretary should consult with appropriate 
private sector entities, including private owners and operators of the 
affected infrastructure, to carry out this section.
    (b) Other Federal Agencies.--In establishing measures with respect 
to the protection of critical information infrastructure the Secretary 
shall--
            (1) consult with the Secretary of Commerce, the Secretary 
        of Defense, the National Institute of Standards and Technology, 
        and other sector specific Federal regulatory agencies in 
        exercising the authority referred to in subsection (a); and
            (2) coordinate, though the Executive Office of the 
        President, with sector specific Federal regulatory agencies, 
        including the Federal Energy Regulatory Commission, in 
        establishing enforcement mechanisms under the authority 
        referred to in subsection (a).
    (c) Auditing Authority.--The Secretary may--
            (1) conduct such audits as are necessary to ensure that 
        appropriate measures are taken to secure critical information 
        infrastructure;
            (2) issue such subpoenas as are necessary to determine 
        compliance with Federal regulatory requirements for securing 
        critical information infrastructure; and
            (3) authorize sector specific Federal regulatory agencies 
        to undertake such audits.
                                 <all>