[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[S. 2521 Engrossed in Senate (ES)]

113th CONGRESS
  2d Session
                                S. 2521

_______________________________________________________________________

                                 AN ACT


 
  To amend chapter 35 of title 44, United States Code, to provide for 
                reform to Federal information security.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Information Security 
Modernization Act of 2014''.

SEC. 2. FISMA REFORM.

    (a) In General.--Chapter 35 of title 44, United States Code, is 
amended by striking subchapters II and III and inserting the following:

                 ``SUBCHAPTER II--INFORMATION SECURITY

``Sec. 3551. Purposes
    ``The purposes of this subchapter are to--
            ``(1) provide a comprehensive framework for ensuring the 
        effectiveness of information security controls over information 
        resources that support Federal operations and assets;
            ``(2) recognize the highly networked nature of the current 
        Federal computing environment and provide effective 
        governmentwide management and oversight of the related 
        information security risks, including coordination of 
        information security efforts throughout the civilian, national 
        security, and law enforcement communities;
            ``(3) provide for development and maintenance of minimum 
        controls required to protect Federal information and 
        information systems;
            ``(4) provide a mechanism for improved oversight of Federal 
        agency information security programs, including through 
        automated security tools to continuously diagnose and improve 
        security;
            ``(5) acknowledge that commercially developed information 
        security products offer advanced, dynamic, robust, and 
        effective information security solutions, reflecting market 
        solutions for the protection of critical information 
        infrastructures important to the national defense and economic 
        security of the nation that are designed, built, and operated 
        by the private sector; and
            ``(6) recognize that the selection of specific technical 
        hardware and software information security solutions should be 
        left to individual agencies from among commercially developed 
        products.
``Sec. 3552. Definitions
    ``(a) In General.--Except as provided under subsection (b), the 
definitions under section 3502 shall apply to this subchapter.
    ``(b) Additional Definitions.--As used in this subchapter:
            ``(1) The term `binding operational directive' means a 
        compulsory direction to an agency that--
                    ``(A) is for purposes of safeguarding Federal 
                information and information systems from a known or 
                reasonably suspected information security threat, 
                vulnerability, or risk;
                    ``(B) shall be in accordance with policies, 
                principles, standards, and guidelines issued by the 
                Director; and
                    ``(C) may be revised or repealed by the Director if 
                the direction issued on behalf of the Director is not 
                in accordance with policies and principles developed by 
                the Director.
            ``(2) The term `incident' means an occurrence that--
                    ``(A) actually or imminently jeopardizes, without 
                lawful authority, the integrity, confidentiality, or 
                availability of information or an information system; 
                or
                    ``(B) constitutes a violation or imminent threat of 
                violation of law, security policies, security 
                procedures, or acceptable use policies.
            ``(3) The term `information security' means protecting 
        information and information systems from unauthorized access, 
        use, disclosure, disruption, modification, or destruction in 
        order to provide--
                    ``(A) integrity, which means guarding against 
                improper information modification or destruction, and 
                includes ensuring information nonrepudiation and 
                authenticity;
                    ``(B) confidentiality, which means preserving 
                authorized restrictions on access and disclosure, 
                including means for protecting personal privacy and 
                proprietary information; and
                    ``(C) availability, which means ensuring timely and 
                reliable access to and use of information.
            ``(4) The term `information technology' has the meaning 
        given that term in section 11101 of title 40.
            ``(5) The term `intelligence community' has the meaning 
        given that term in section 3(4) of the National Security Act of 
        1947 (50 U.S.C. 3003(4)).
            ``(6)(A) The term `national security system' means any 
        information system (including any telecommunications system) 
        used or operated by an agency or by a contractor of an agency, 
        or other organization on behalf of an agency--
                    ``(i) the function, operation, or use of which--
                            ``(I) involves intelligence activities;
                            ``(II) involves cryptologic activities 
                        related to national security;
                            ``(III) involves command and control of 
                        military forces;
                            ``(IV) involves equipment that is an 
                        integral part of a weapon or weapons system; or
                            ``(V) subject to subparagraph (B), is 
                        critical to the direct fulfillment of military 
                        or intelligence missions; or
                    ``(ii) is protected at all times by procedures 
                established for information that have been specifically 
                authorized under criteria established by an Executive 
                order or an Act of Congress to be kept classified in 
                the interest of national defense or foreign policy.
            ``(B) Subparagraph (A)(i)(V) does not include a system that 
        is to be used for routine administrative and business 
        applications (including payroll, finance, logistics, and 
        personnel management applications).
            ``(7) The term `Secretary' means the Secretary of Homeland 
        Security.
``Sec. 3553. Authority and functions of the Director and the Secretary
    ``(a) Director.--The Director shall oversee agency information 
security policies and practices, including--
            ``(1) developing and overseeing the implementation of 
        policies, principles, standards, and guidelines on information 
        security, including through ensuring timely agency adoption of 
        and compliance with standards promulgated under section 11331 
        of title 40;
            ``(2) requiring agencies, consistent with the standards 
        promulgated under such section 11331 and the requirements of 
        this subchapter, to identify and provide information security 
        protections commensurate with the risk and magnitude of the 
        harm resulting from the unauthorized access, use, disclosure, 
        disruption, modification, or destruction of--
                    ``(A) information collected or maintained by or on 
                behalf of an agency; or
                    ``(B) information systems used or operated by an 
                agency or by a contractor of an agency or other 
                organization on behalf of an agency;
            ``(3) ensuring that the Secretary carries out the 
        authorities and functions under subsection (b);
            ``(4) coordinating the development of standards and 
        guidelines under section 20 of the National Institute of 
        Standards and Technology Act (15 U.S.C. 278g-3) with agencies 
        and offices operating or exercising control of national 
        security systems (including the National Security Agency) to 
        assure, to the maximum extent feasible, that such standards and 
        guidelines are complementary with standards and guidelines 
        developed for national security systems;
            ``(5) overseeing agency compliance with the requirements of 
        this subchapter, including through any authorized action under 
        section 11303 of title 40, to enforce accountability for 
        compliance with such requirements; and
            ``(6) coordinating information security policies and 
        procedures with related information resources management 
        policies and procedures.
    ``(b) Secretary.--The Secretary, in consultation with the Director, 
shall administer the implementation of agency information security 
policies and practices for information systems, except for national 
security systems and information systems described in paragraph (2) or 
(3) of subsection (e), including--
            ``(1) assisting the Director in carrying out the 
        authorities and functions under paragraphs (1), (2), (3), (5), 
        and (6) of subsection (a);
            ``(2) developing and overseeing the implementation of 
        binding operational directives to agencies to implement the 
        policies, principles, standards, and guidelines developed by 
        the Director under subsection (a)(1) and the requirements of 
        this subchapter, which may be revised or repealed by the 
        Director if the operational directives issued on behalf of the 
        Director are not in accordance with policies, principles, 
        standards, and guidelines developed by the Director, 
        including--
                    ``(A) requirements for reporting security incidents 
                to the Federal information security incident center 
                established under section 3556;
                    ``(B) requirements for the contents of the annual 
                reports required to be submitted under section 
                3554(c)(1);
                    ``(C) requirements for the mitigation of exigent 
                risks to information systems; and
                    ``(D) other operational requirements as the 
                Director or Secretary, in consultation with the 
                Director, may determine necessary;
            ``(3) monitoring agency implementation of information 
        security policies and practices;
            ``(4) convening meetings with senior agency officials to 
        help ensure effective implementation of information security 
        policies and practices;
            ``(5) coordinating Government-wide efforts on information 
        security policies and practices, including consultation with 
        the Chief Information Officers Council established under 
        section 3603 and the Director of the National Institute of 
        Standards and Technology;
            ``(6) providing operational and technical assistance to 
        agencies in implementing policies, principles, standards, and 
        guidelines on information security, including implementation of 
        standards promulgated under section 11331 of title 40, 
        including by--
                    ``(A) operating the Federal information security 
                incident center established under section 3556;
                    ``(B) upon request by an agency, deploying 
                technology to assist the agency to continuously 
                diagnose and mitigate against cyber threats and 
                vulnerabilities, with or without reimbursement;
                    ``(C) compiling and analyzing data on agency 
                information security; and
                    ``(D) developing and conducting targeted 
                operational evaluations, including threat and 
                vulnerability assessments, on the information systems; 
                and
            ``(7) other actions as the Director or the Secretary, in 
        consultation with the Director, may determine necessary to 
        carry out this subsection.
    ``(c) Report.--Not later than March 1 of each year, the Director, 
in consultation with the Secretary, shall submit to Congress a report 
on the effectiveness of information security policies and practices 
during the preceding year, including--
            ``(1) a summary of the incidents described in the annual 
        reports required to be submitted under section 3554(c)(1), 
        including a summary of the information required under section 
        3554(c)(1)(A)(iii);
            ``(2) a description of the threshold for reporting major 
        information security incidents;
            ``(3) a summary of the results of evaluations required to 
        be performed under section 3555;
            ``(4) an assessment of agency compliance with standards 
        promulgated under section 11331 of title 40; and
            ``(5) an assessment of agency compliance with data breach 
        notification policies and procedures issued by the Director.
    ``(d) National Security Systems.--Except for the authorities and 
functions described in subsection (a)(5) and subsection (c), the 
authorities and functions of the Director and the Secretary under this 
section shall not apply to national security systems.
    ``(e) Department of Defense and Intelligence Community Systems.--
(1) The authorities of the Director described in paragraphs (1) and (2) 
of subsection (a) shall be delegated to the Secretary of Defense in the 
case of systems described in paragraph (2) and to the Director of 
National Intelligence in the case of systems described in paragraph 
(3).
    ``(2) The systems described in this paragraph are systems that are 
operated by the Department of Defense, a contractor of the Department 
of Defense, or another entity on behalf of the Department of Defense 
that processes any information the unauthorized access, use, 
disclosure, disruption, modification, or destruction of which would 
have a debilitating impact on the mission of the Department of Defense.
    ``(3) The systems described in this paragraph are systems that are 
operated by an element of the intelligence community, a contractor of 
an element of the intelligence community, or another entity on behalf 
of an element of the intelligence community that processes any 
information the unauthorized access, use, disclosure, disruption, 
modification, or destruction of which would have a debilitating impact 
on the mission of an element of the intelligence community.
    ``(f) Consideration.--
            ``(1) In general.--In carrying out the responsibilities 
        under subsection (b), the Secretary shall consider any 
        applicable standards or guidelines developed by the National 
        Institute of Standards and Technology and issued by the 
        Secretary of Commerce under section 11331 of title 40.
            ``(2) Directives.--The Secretary shall--
                    ``(A) consult with the Director of the National 
                Institute of Standards and Technology regarding any 
                binding operational directive that implements standards 
                and guidelines developed by the National Institute of 
                Standards and Technology; and
                    ``(B) ensure that binding operational directives 
                issued under subsection (b)(2) do not conflict with the 
                standards and guidelines issued under section 11331 of 
                title 40.
            ``(3) Rule of construction.--Nothing in this subchapter 
        shall be construed as authorizing the Secretary to direct the 
        Secretary of Commerce in the development and promulgation of 
        standards and guidelines under section 11331 of title 40.
    ``(g) Exercise of Authority.--To ensure fiscal and policy 
consistency, the Secretary shall exercise the authority under this 
section subject to direction by the President, in coordination with the 
Director.
``Sec. 3554. Federal agency responsibilities
    ``(a) In General.--The head of each agency shall--
            ``(1) be responsible for--
                    ``(A) providing information security protections 
                commensurate with the risk and magnitude of the harm 
                resulting from unauthorized access, use, disclosure, 
                disruption, modification, or destruction of--
                            ``(i) information collected or maintained 
                        by or on behalf of the agency; and
                            ``(ii) information systems used or operated 
                        by an agency or by a contractor of an agency or 
                        other organization on behalf of an agency;
                    ``(B) complying with the requirements of this 
                subchapter and related policies, procedures, standards, 
                and guidelines, including--
                            ``(i) information security standards 
                        promulgated under section 11331 of title 40;
                            ``(ii) operational directives developed by 
                        the Secretary under section 3553(b);
                            ``(iii) policies and procedures issued by 
                        the Director; and
                            ``(iv) information security standards and 
                        guidelines for national security systems issued 
                        in accordance with law and as directed by the 
                        President; and
                    ``(C) ensuring that information security management 
                processes are integrated with agency strategic, 
                operational, and budgetary planning processes;
            ``(2) ensure that senior agency officials provide 
        information security for the information and information 
        systems that support the operations and assets under their 
        control, including through--
                    ``(A) assessing the risk and magnitude of the harm 
                that could result from the unauthorized access, use, 
                disclosure, disruption, modification, or destruction of 
                such information or information systems;
                    ``(B) determining the levels of information 
                security appropriate to protect such information and 
                information systems in accordance with standards 
                promulgated under section 11331 of title 40, for 
                information security classifications and related 
                requirements;
                    ``(C) implementing policies and procedures to cost-
                effectively reduce risks to an acceptable level; and
                    ``(D) periodically testing and evaluating 
                information security controls and techniques to ensure 
                that they are effectively implemented;
            ``(3) delegate to the agency Chief Information Officer 
        established under section 3506 (or comparable official in an 
        agency not covered by such section) the authority to ensure 
        compliance with the requirements imposed on the agency under 
        this subchapter, including--
                    ``(A) designating a senior agency information 
                security officer who shall--
                            ``(i) carry out the Chief Information 
                        Officer's responsibilities under this section;
                            ``(ii) possess professional qualifications, 
                        including training and experience, required to 
                        administer the functions described under this 
                        section;
                            ``(iii) have information security duties as 
                        that official's primary duty; and
                            ``(iv) head an office with the mission and 
                        resources to assist in ensuring agency 
                        compliance with this section;
                    ``(B) developing and maintaining an agencywide 
                information security program as required by subsection 
                (b);
                    ``(C) developing and maintaining information 
                security policies, procedures, and control techniques 
                to address all applicable requirements, including those 
                issued under section 3553 of this title and section 
                11331 of title 40;
                    ``(D) training and overseeing personnel with 
                significant responsibilities for information security 
                with respect to such responsibilities; and
                    ``(E) assisting senior agency officials concerning 
                their responsibilities under paragraph (2);
            ``(4) ensure that the agency has trained personnel 
        sufficient to assist the agency in complying with the 
        requirements of this subchapter and related policies, 
        procedures, standards, and guidelines;
            ``(5) ensure that the agency Chief Information Officer, in 
        coordination with other senior agency officials, reports 
        annually to the agency head on the effectiveness of the agency 
        information security program, including progress of remedial 
        actions;
            ``(6) ensure that senior agency officials, including chief 
        information officers of component agencies or equivalent 
        officials, carry out responsibilities under this subchapter as 
        directed by the official delegated authority under paragraph 
        (3); and
            ``(7) ensure that all personnel are held accountable for 
        complying with the agency-wide information security program 
        implemented under subsection (b).
    ``(b) Agency Program.--Each agency shall develop, document, and 
implement an agency-wide information security program to provide 
information security for the information and information systems that 
support the operations and assets of the agency, including those 
provided or managed by another agency, contractor, or other source, 
that includes--
            ``(1) periodic assessments of the risk and magnitude of the 
        harm that could result from the unauthorized access, use, 
        disclosure, disruption, modification, or destruction of 
        information and information systems that support the operations 
        and assets of the agency, which may include using automated 
        tools consistent with standards and guidelines promulgated 
        under section 11331 of title 40;
            ``(2) policies and procedures that--
                    ``(A) are based on the risk assessments required by 
                paragraph (1);
                    ``(B) cost-effectively reduce information security 
                risks to an acceptable level;
                    ``(C) ensure that information security is addressed 
                throughout the life cycle of each agency information 
                system; and
                    ``(D) ensure compliance with--
                            ``(i) the requirements of this subchapter;
                            ``(ii) policies and procedures as may be 
                        prescribed by the Director, and information 
                        security standards promulgated under section 
                        11331 of title 40;
                            ``(iii) minimally acceptable system 
                        configuration requirements, as determined by 
                        the agency; and
                            ``(iv) any other applicable requirements, 
                        including standards and guidelines for national 
                        security systems issued in accordance with law 
                        and as directed by the President;
            ``(3) subordinate plans for providing adequate information 
        security for networks, facilities, and systems or groups of 
        information systems, as appropriate;
            ``(4) security awareness training to inform personnel, 
        including contractors and other users of information systems 
        that support the operations and assets of the agency, of--
                    ``(A) information security risks associated with 
                their activities; and
                    ``(B) their responsibilities in complying with 
                agency policies and procedures designed to reduce these 
                risks;
            ``(5) periodic testing and evaluation of the effectiveness 
        of information security policies, procedures, and practices, to 
        be performed with a frequency depending on risk, but no less 
        than annually, of which such testing--
                    ``(A) shall include testing of management, 
                operational, and technical controls of every 
                information system identified in the inventory required 
                under section 3505(c);
                    ``(B) may include testing relied on in an 
                evaluation under section 3555; and
                    ``(C) shall include using automated tools, 
                consistent with standards and guidelines promulgated 
                under section 11331 of title 40;
            ``(6) a process for planning, implementing, evaluating, and 
        documenting remedial action to address any deficiencies in the 
        information security policies, procedures, and practices of the 
        agency;
            ``(7) procedures for detecting, reporting, and responding 
        to security incidents, which--
                    ``(A) shall be consistent with the standards and 
                guidelines described in section 3556(b);
                    ``(B) may include using automated tools; and
                    ``(C) shall include--
                            ``(i) mitigating risks associated with such 
                        incidents before substantial damage is done;
                            ``(ii) notifying and consulting with the 
                        Federal information security incident center 
                        established in section 3556; and
                            ``(iii) notifying and consulting with, as 
                        appropriate--
                                    ``(I) law enforcement agencies and 
                                relevant Offices of Inspector General 
                                and Offices of General Counsel;
                                    ``(II) an office designated by the 
                                President for any incident involving a 
                                national security system;
                                    ``(III) for a major incident, the 
                                committees of Congress described in 
                                subsection (c)(1)--
                                            ``(aa) not later than 7 
                                        days after the date on which 
                                        there is a reasonable basis to 
                                        conclude that the major 
                                        incident has occurred; and
                                            ``(bb) after the initial 
                                        notification under item (aa), 
                                        within a reasonable period of 
                                        time after additional 
                                        information relating to the 
                                        incident is discovered, 
                                        including the summary required 
                                        under subsection (c)(1)(A)(i); 
                                        and
                                    ``(IV) any other agency or office, 
                                in accordance with law or as directed 
                                by the President; and
            ``(8) plans and procedures to ensure continuity of 
        operations for information systems that support the operations 
        and assets of the agency.
    ``(c) Agency Reporting.--
            ``(1) Annual report.--
                    ``(A) In general.--Each agency shall submit to the 
                Director, the Secretary, the Committee on Government 
                Reform, the Committee on Homeland Security, and the 
                Committee on Science of the House of Representatives, 
                the Committee on Homeland Security and Governmental 
                Affairs and the Committee on Commerce, Science, and 
                Transportation of the Senate, the appropriate 
                authorization and appropriations committees of 
                Congress, and the Comptroller General a report on the 
                adequacy and effectiveness of information security 
                policies, procedures, and practices, including--
                            ``(i) a description of each major 
                        information security incident or related sets 
                        of incidents, including summaries of--
                                    ``(I) the threats and threat 
                                actors, vulnerabilities, and impacts 
                                relating to the incident;
                                    ``(II) the risk assessments 
                                conducted under section 3554(a)(2)(A) 
                                of the affected information systems 
                                before the date on which the incident 
                                occurred;
                                    ``(III) the status of compliance of 
                                the affected information systems with 
                                applicable security requirements at the 
                                time of the incident; and
                                    ``(IV) the detection, response, and 
                                remediation actions;
                            ``(ii) the total number of information 
                        security incidents, including a description of 
                        incidents resulting in significant compromise 
                        of information security, system impact levels, 
                        types of incident, and locations of affected 
                        systems;
                            ``(iii) a description of each major 
                        information security incident that involved a 
                        breach of personally identifiable information, 
                        as defined by the Director, including--
                                    ``(I) the number of individuals 
                                whose information was affected by the 
                                major information security incident; 
                                and
                                    ``(II) a description of the 
                                information that was breached or 
                                exposed; and
                            ``(iv) any other information as the 
                        Director or the Secretary, in consultation with 
                        the Director, may require.
                    ``(B) Unclassified report.--
                            ``(i) In general.--Each report submitted 
                        under subparagraph (A) shall be in unclassified 
                        form, but may include a classified annex.
                            ``(ii) Access to information.--The head of 
                        an agency shall ensure that, to the greatest 
                        extent practicable, information is included in 
                        the unclassified version of the reports 
                        submitted by the agency under subparagraph (A).
            ``(2) Other plans and reports.--Each agency shall address 
        the adequacy and effectiveness of information security 
        policies, procedures, and practices in management plans and 
        reports.
    ``(d) Performance Plan.--(1) In addition to the requirements of 
subsection (c), each agency, in consultation with the Director, shall 
include as part of the performance plan required under section 1115 of 
title 31 a description of--
            ``(A) the time periods; and
            ``(B) the resources, including budget, staffing, and 
        training,
that are necessary to implement the program required under subsection 
(b).
    ``(2) The description under paragraph (1) shall be based on the 
risk assessments required under subsection (b)(1).
    ``(e) Public Notice and Comment.--Each agency shall provide the 
public with timely notice and opportunities for comment on proposed 
information security policies and procedures to the extent that such 
policies and procedures affect communication with the public.
``Sec. 3555. Annual independent evaluation
    ``(a) In General.--(1) Each year each agency shall have performed 
an independent evaluation of the information security program and 
practices of that agency to determine the effectiveness of such program 
and practices.
    ``(2) Each evaluation under this section shall include--
            ``(A) testing of the effectiveness of information security 
        policies, procedures, and practices of a representative subset 
        of the agency's information systems;
            ``(B) an assessment of the effectiveness of the information 
        security policies, procedures, and practices of the agency; and
            ``(C) separate presentations, as appropriate, regarding 
        information security relating to national security systems.
    ``(b) Independent Auditor.--Subject to subsection (c)--
            ``(1) for each agency with an Inspector General appointed 
        under the Inspector General Act of 1978, the annual evaluation 
        required by this section shall be performed by the Inspector 
        General or by an independent external auditor, as determined by 
        the Inspector General of the agency; and
            ``(2) for each agency to which paragraph (1) does not 
        apply, the head of the agency shall engage an independent 
        external auditor to perform the evaluation.
    ``(c) National Security Systems.--For each agency operating or 
exercising control of a national security system, that portion of the 
evaluation required by this section directly relating to a national 
security system shall be performed--
            ``(1) only by an entity designated by the agency head; and
            ``(2) in such a manner as to ensure appropriate protection 
        for information associated with any information security 
        vulnerability in such system commensurate with the risk and in 
        accordance with all applicable laws.
    ``(d) Existing Evaluations.--The evaluation required by this 
section may be based in whole or in part on an audit, evaluation, or 
report relating to programs or practices of the applicable agency.
    ``(e) Agency Reporting.--(1) Each year, not later than such date 
established by the Director, the head of each agency shall submit to 
the Director the results of the evaluation required under this section.
    ``(2) To the extent an evaluation required under this section 
directly relates to a national security system, the evaluation results 
submitted to the Director shall contain only a summary and assessment 
of that portion of the evaluation directly relating to a national 
security system.
    ``(f) Protection of Information.--Agencies and evaluators shall 
take appropriate steps to ensure the protection of information which, 
if disclosed, may adversely affect information security. Such 
protections shall be commensurate with the risk and comply with all 
applicable laws and regulations.
    ``(g) OMB Reports to Congress.--(1) The Director shall summarize 
the results of the evaluations conducted under this section in the 
report to Congress required under section 3553(c).
    ``(2) The Director's report to Congress under this subsection shall 
summarize information regarding information security relating to 
national security systems in such a manner as to ensure appropriate 
protection for information associated with any information security 
vulnerability in such system commensurate with the risk and in 
accordance with all applicable laws.
    ``(3) Evaluations and any other descriptions of information systems 
under the authority and control of the Director of National 
Intelligence or of National Foreign Intelligence Programs systems under 
the authority and control of the Secretary of Defense shall be made 
available to Congress only through the appropriate oversight committees 
of Congress, in accordance with applicable laws.
    ``(h) Comptroller General.--The Comptroller General shall 
periodically evaluate and report to Congress on--
            ``(1) the adequacy and effectiveness of agency information 
        security policies and practices; and
            ``(2) implementation of the requirements of this 
        subchapter.
    ``(i) Assessment Technical Assistance.--The Comptroller General may 
provide technical assistance to an Inspector General or the head of an 
agency, as applicable, to assist the Inspector General or head of an 
agency in carrying out the duties under this section, including by 
testing information security controls and procedures.
    ``(j) Guidance.--The Director, in consultation with the Secretary, 
the Chief Information Officers Council established under section 3603, 
the Council of the Inspectors General on Integrity and Efficiency, and 
other interested parties as appropriate, shall ensure the development 
of guidance for evaluating the effectiveness of an information security 
program and practices.
``Sec. 3556. Federal information security incident center
    ``(a) In General.--The Secretary shall ensure the operation of a 
central Federal information security incident center to--
            ``(1) provide timely technical assistance to operators of 
        agency information systems regarding security incidents, 
        including guidance on detecting and handling information 
        security incidents;
            ``(2) compile and analyze information about incidents that 
        threaten information security;
            ``(3) inform operators of agency information systems about 
        current and potential information security threats, and 
        vulnerabilities;
            ``(4) provide, as appropriate, intelligence and other 
        information about cyber threats, vulnerabilities, and incidents 
        to agencies to assist in risk assessments conducted under 
        section 3554(b); and
            ``(5) consult with the National Institute of Standards and 
        Technology, agencies or offices operating or exercising control 
        of national security systems (including the National Security 
        Agency), and such other agencies or offices in accordance with 
        law and as directed by the President regarding information 
        security incidents and related matters.
    ``(b) National Security Systems.--Each agency operating or 
exercising control of a national security system shall share 
information about information security incidents, threats, and 
vulnerabilities with the Federal information security incident center 
to the extent consistent with standards and guidelines for national 
security systems, issued in accordance with law and as directed by the 
President.
``Sec. 3557. National security systems
    ``The head of each agency operating or exercising control of a 
national security system shall be responsible for ensuring that the 
agency--
            ``(1) provides information security protections 
        commensurate with the risk and magnitude of the harm resulting 
        from the unauthorized access, use, disclosure, disruption, 
        modification, or destruction of the information contained in 
        such system;
            ``(2) implements information security policies and 
        practices as required by standards and guidelines for national 
        security systems, issued in accordance with law and as directed 
        by the President; and
            ``(3) complies with the requirements of this subchapter.
``Sec. 3558. Effect on existing law
    ``Nothing in this subchapter, section 11331 of title 40, or section 
20 of the National Standards and Technology Act (15 U.S.C. 278g-3) may 
be construed as affecting the authority of the President, the Office of 
Management and Budget or the Director thereof, the National Institute 
of Standards and Technology, or the head of any agency, with respect to 
the authorized use or disclosure of information, including with regard 
to the protection of personal privacy under section 552a of title 5, 
the disclosure of information under section 552 of title 5, the 
management and disposition of records under chapters 29, 31, or 33 of 
title 44, the management of information resources under subchapter I of 
chapter 35 of this title, or the disclosure of information to the 
Congress or the Comptroller General of the United States.''.
    (b) Major Incident.--The Director of the Office of Management and 
Budget shall--
            (1) develop guidance on what constitutes a major incident 
        for purposes of section 3554(b) of title 44, United States 
        Code, as added by subsection (a); and
            (2) provide to Congress periodic briefings on the status of 
        the developing of the guidance until the date on which the 
        guidance is issued.
    (c) Continuous Diagnostics.--During the 2 year period beginning on 
the date of enactment of this Act, the Director of the Office of 
Management and Budget, with the assistance of the Secretary of Homeland 
Security, shall include in each report submitted under section 3553(c) 
of title 44, United States Code, as added by subsection (a), an 
assessment of the adoption by agencies of continuous diagnostics 
technologies, including through the Continuous Diagnostics and 
Mitigation program, and other advanced security tools to provide 
information security, including challenges to the adoption of such 
technologies or security tools.
    (d) Breaches.--
            (1) Requirements.--The Director of the Office of Management 
        and Budget shall ensure that data breach notification policies 
        and guidelines are updated periodically and require--
                    (A) except as provided in paragraph (4), notice by 
                the affected agency to each committee of Congress 
                described in section 3554(c)(1) of title 44, United 
                States Code, as added by subsection (a), the Committee 
                on the Judiciary of the Senate, and the Committee on 
                the Judiciary of the House of Representatives, which 
                shall--
                            (i) be provided expeditiously and not later 
                        than 30 days after the date on which the agency 
                        discovered the unauthorized acquisition or 
                        access; and
                            (ii) include--
                                    (I) information about the breach, 
                                including a summary of any information 
                                that the agency knows on the date on 
                                which notification is provided about 
                                how the breach occurred;
                                    (II) an estimate of the number of 
                                individuals affected by the breach, 
                                based on information that the agency 
                                knows on the date on which notification 
                                is provided, including an assessment of 
                                the risk of harm to affected 
                                individuals;
                                    (III) a description of any 
                                circumstances necessitating a delay in 
                                providing notice to affected 
                                individuals; and
                                    (IV) an estimate of whether and 
                                when the agency will provide notice to 
                                affected individuals; and
                    (B) notice by the affected agency to affected 
                individuals, pursuant to data breach notification 
                policies and guidelines, which shall be provided as 
                expeditiously as practicable and without unreasonable 
                delay after the agency discovers the unauthorized 
                acquisition or access.
            (2) National security; law enforcement; remediation.--The 
        Attorney General, the head of an element of the intelligence 
        community (as such term is defined under section 3(4) of the 
        National Security Act of 1947 (50 U.S.C. 3003(4)), or the 
        Secretary of Homeland Security may delay the notice to affected 
        individuals under paragraph (1)(B) if the notice would disrupt 
        a law enforcement investigation, endanger national security, or 
        hamper security remediation actions.
            (3) Reports.--
                    (A) Director of omb.--During the first 2 years 
                beginning after the date of enactment of this Act, the 
                Director of the Office of Management and Budget shall, 
                on an annual basis--
                            (i) assess agency implementation of data 
                        breach notification policies and guidelines in 
                        aggregate; and
                            (ii) include the assessment described in 
                        clause (i) in the report required under section 
                        3553(c) of title 44, United States Code.
                    (B) Secretary of homeland security.--During the 
                first 2 years beginning after the date of enactment of 
                this Act, the Secretary of Homeland Security shall 
                include an assessment of the status of agency 
                implementation of data breach notification policies and 
                guidelines in the requirements under section 
                3553(b)(2)(B) of title 44, United States Code.
            (4) Exception.--Any element of the intelligence community 
        (as such term is defined under section 3(4) of the National 
        Security Act of 1947 (50 U.S.C. 3003(4)) that is required to 
        provide notice under paragraph (1)(A) shall only provide such 
        notice to appropriate committees of Congress.
            (5) Rule of construction.--Nothing in paragraph (1) shall 
        be construed to alter any authority of a Federal agency or 
        department.
    (e) Technical and Conforming Amendments.--
            (1) Table of sections.--The table of sections for chapter 
        35 of title 44, United States Code is amended by striking the 
        matter relating to subchapters II and III and inserting the 
        following:

                  ``subchapter ii--information security

``3551. Purposes.
``3552. Definitions.
``3553. Authority and functions of the Director and the Secretary.
``3554. Federal agency responsibilities.
``3555. Annual independent evaluation.
``3556. Federal information security incident center.
``3557. National security systems.
``3558. Effect on existing law.''.
            (2) Cybersecurity research and development act.--Section 
        8(d)(1) of the Cybersecurity Research and Development Act (15 
        U.S.C. 7406) is amended by striking ``section 3534'' and 
        inserting ``section 3554''.
            (3) Homeland security act of 2002.--The Homeland Security 
        Act of 2002 (6 U.S.C. 101 et seq.) is amended--
                    (A) in section 223 (6 U.S.C. 143)
                            (i) in the section heading, by inserting 
                        ``federal and'' before ``non-federal'';
                            (ii) in the matter preceding paragraph (1), 
                        by striking ``the Under Secretary for 
                        Intelligence and Analysis, in cooperation with 
                        the Assistant Secretary for Infrastructure 
                        Protection'' and inserting ``the Under 
                        Secretary appointed under section 
                        103(a)(1)(H)'';
                            (iii) in paragraph (2), by striking the 
                        period at the end and inserting ``; and''; and
                            (iv) by adding at the end the following:
            ``(3) fulfill the responsibilities of the Secretary to 
        protect Federal information systems under subchapter II of 
        chapter 35 of title 44, United States Code.'';
                    (B) in section 1001(c)(1)(A) (6 U.S.C. 
                511(c)(1)(A)), by striking ``section 3532(3)'' and 
                inserting ``section 3552(b)(5)''; and
                    (C) in the table of contents in section 1(b), by 
                striking the item relating to section 223 and inserting 
                the following:

``Sec. 223. Enhancement of Federal and non-Federal cybersecurity.''.
            (4) National institute of standards and technology act.--
        Section 20 of the National Institute of Standards and 
        Technology Act (15 U.S.C. 278g-3) is amended--
                    (A) in subsection (a)(2), by striking ``section 
                3532(b)(2)'' and inserting ``section 3552(b)(5)''; and
                    (B) in subsection (e)--
                            (i) in paragraph (2), by striking ``section 
                        3532(1)'' and inserting ``section 3552(b)(2)''; 
                        and
                            (ii) in paragraph (5), by striking 
                        ``section 3532(b)(2)'' and inserting ``section 
                        3552(b)(5)''.
            (5) Title 10.--Title 10, United States Code, is amended--
                    (A) in section 2222(j)(5), by striking ``section 
                3542(b)(2)'' and inserting ``section 3552(b)(5)'';
                    (B) in section 2223(c)(3), by striking ``section 
                3542(b)(2)'' and inserting ``section 3552(b)(5)''; and
                    (C) in section 2315, by striking ``section 
                3542(b)(2)'' and inserting ``section 3552(b)(5)''.
    (f) Other Provisions.--
            (1) Circular a-130.--Not later than 1 year after the date 
        of enactment of this Act, the Director of the Office of 
        Management and Budget shall amend or revise Office of 
        Management and Budget Circular A-130 to eliminate inefficient 
        or wasteful reporting. The Director of the Office of Management 
        and Budget shall provide quarterly briefings to Congress on the 
        status of the amendment or revision required under this 
        paragraph.
            (2) ISPAB.--Section 21(b) of the National Institute of 
        Standards and Technology Act (15 U.S.C. 278g-4(b)) is amended--
                    (A) in paragraph (2), by inserting ``, the 
                Secretary of Homeland Security,'' after ``the 
                Institute''; and
                    (B) in paragraph (3), by inserting ``the Secretary 
                of Homeland Security,'' after ``the Secretary of 
                Commerce,''.

            Passed the Senate December 8, 2014.

            Attest:

                                                             Secretary.
113th CONGRESS

  2d Session

                                S. 2521

_______________________________________________________________________

                                 AN ACT

  To amend chapter 35 of title 44, United States Code, to provide for 
                reform to Federal information security.