[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[S. 2521 Reported in Senate (RS)]

                                                       Calendar No. 564
113th CONGRESS
  2d Session
                                S. 2521

                          [Report No. 113-256]

  To amend chapter 35 of title 44, United States Code, to provide for 
                reform to Federal information security.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             June 24, 2014

Mr. Carper (for himself and Mr. Coburn) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

                           September 15, 2014

               Reported by Mr. Carper, without amendment

_______________________________________________________________________

                                 A BILL


 
  To amend chapter 35 of title 44, United States Code, to provide for 
                reform to Federal information security.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Information Security 
Modernization Act of 2014''.

SEC. 2. FISMA REFORM.

    (a) In General.--Chapter 35 of title 44, United States Code, is 
amended by striking subchapters II and III and inserting the following:

                 ``SUBCHAPTER II--INFORMATION SECURITY

``Sec. 3551. Purposes
    ``The purposes of this subchapter are to--
            ``(1) provide a comprehensive framework for ensuring the 
        effectiveness of information security controls over information 
        resources that support Federal operations and assets;
            ``(2) recognize the highly networked nature of the current 
        Federal computing environment and provide effective 
        governmentwide management and oversight of the related 
        information security risks, including coordination of 
        information security efforts throughout the civilian, national 
        security, and law enforcement communities;
            ``(3) provide for development and maintenance of minimum 
        controls required to protect Federal information and 
        information systems;
            ``(4) provide a mechanism for improved oversight of Federal 
        agency information security programs;
            ``(5) acknowledge that commercially developed information 
        security products offer advanced, dynamic, robust, and 
        effective information security solutions, reflecting market 
        solutions for the protection of critical information 
        infrastructures important to the national defense and economic 
        security of the nation that are designed, built, and operated 
        by the private sector; and
            ``(6) recognize that the selection of specific technical 
        hardware and software information security solutions should be 
        left to individual agencies from among commercially developed 
        products.
``Sec. 3552. Definitions
    ``(a) In General.--Except as provided under subsection (b), the 
definitions under section 3502 shall apply to this subchapter.
    ``(b) Additional Definitions.--As used in this subchapter:
            ``(1) The term `binding operational directive' means a 
        compulsory direction to an agency that is in accordance with 
        policies, principles, standards, and guidelines issued by the 
        Director.
            ``(2) The term `incident' means an occurrence that--
                    ``(A) actually or imminently jeopardizes, without 
                lawful authority, the integrity, confidentiality, or 
                availability of information or an information system; 
                or
                    ``(B) constitutes a violation or imminent threat of 
                violation of law, security policies, security 
                procedures, or acceptable use policies.
            ``(3) The term `information security' means protecting 
        information and information systems from unauthorized access, 
        use, disclosure, disruption, modification, or destruction in 
        order to provide--
                    ``(A) integrity, which means guarding against 
                improper information modification or destruction, and 
                includes ensuring information nonrepudiation and 
                authenticity;
                    ``(B) confidentiality, which means preserving 
                authorized restrictions on access and disclosure, 
                including means for protecting personal privacy and 
                proprietary information; and
                    ``(C) availability, which means ensuring timely and 
                reliable access to and use of information.
            ``(4) The term `information technology' has the meaning 
        given that term in section 11101 of title 40.
            ``(5) The term `intelligence community' has the meaning 
        given that term in section 3(4) of the National Security Act of 
        1947 (50 U.S.C. 3003(4)).
            ``(6)(A) The term `national security system' means any 
        information system (including any telecommunications system) 
        used or operated by an agency or by a contractor of an agency, 
        or other organization on behalf of an agency--
                    ``(i) the function, operation, or use of which--
                            ``(I) involves intelligence activities;
                            ``(II) involves cryptologic activities 
                        related to national security;
                            ``(III) involves command and control of 
                        military forces;
                            ``(IV) involves equipment that is an 
                        integral part of a weapon or weapons system; or
                            ``(V) subject to subparagraph (B), is 
                        critical to the direct fulfillment of military 
                        or intelligence missions; or
                    ``(ii) is protected at all times by procedures 
                established for information that have been specifically 
                authorized under criteria established by an Executive 
                order or an Act of Congress to be kept classified in 
                the interest of national defense or foreign policy.
            ``(B) Subparagraph (A)(i)(V) does not include a system that 
        is to be used for routine administrative and business 
        applications (including payroll, finance, logistics, and 
        personnel management applications).
            ``(7) The term `Secretary' means the Secretary of Homeland 
        Security.
``Sec. 3553. Authority and functions of the Director and the Secretary
    ``(a) Director.--The Director shall oversee agency information 
security policies, including--
            ``(1) developing and overseeing the implementation of 
        policies, principles, standards, and guidelines on information 
        security, including through ensuring timely agency adoption of 
        and compliance with standards promulgated under section 11331 
        of title 40;
            ``(2) requiring agencies, consistent with the standards 
        promulgated under such section 11331 and the requirements of 
        this subchapter, to identify and provide information security 
        protections commensurate with the risk and magnitude of the 
        harm resulting from the unauthorized access, use, disclosure, 
        disruption, modification, or destruction of--
                    ``(A) information collected or maintained by or on 
                behalf of an agency; or
                    ``(B) information systems used or operated by an 
                agency or by a contractor of an agency or other 
                organization on behalf of an agency;
            ``(3) ensuring that the Secretary carries out the 
        authorities and functions under subsection (b);
            ``(4) coordinating the development of standards and 
        guidelines under section 20 of the National Institute of 
        Standards and Technology Act (15 U.S.C. 278g-3) with agencies 
        and offices operating or exercising control of national 
        security systems (including the National Security Agency) to 
        assure, to the maximum extent feasible, that such standards and 
        guidelines are complementary with standards and guidelines 
        developed for national security systems;
            ``(5) overseeing agency compliance with the requirements of 
        this subchapter, including through any authorized action under 
        section 11303 of title 40, to enforce accountability for 
        compliance with such requirements;
            ``(6) coordinating information security policies and 
        procedures with related information resources management 
        policies and procedures; and
            ``(7) consulting with the Secretary in carrying out the 
        authorities and functions under this subsection.
    ``(b) Secretary.--The Secretary, in consultation with the Director, 
shall oversee the operational aspects of agency information security 
policies and practices for information systems, except for national 
security systems and information systems described in paragraph (2) or 
(3) of subsection (e), including--
            ``(1) assisting the Director in carrying out the 
        authorities and functions under subsection (a);
            ``(2) developing and overseeing the implementation of 
        binding operational directives to agencies to implement the 
        policies, principles, standards, and guidelines developed by 
        the Director under subsection (a)(1) and the requirements of 
        this subchapter, which may be repealed by the Director if the 
        operational directives issued on behalf of the Director are not 
        in accordance with policies, principles, standards, and 
        guidelines developed by the Director, including--
                    ``(A) requirements for reporting security incidents 
                to the Federal information security incident center 
                established under section 3556;
                    ``(B) requirements for the contents of the annual 
                reports required to be submitted under section 
                3554(c)(1);
                    ``(C) requirements for the mitigation of exigent 
                risks to information systems; and
                    ``(D) other operational requirements as the 
                Director or Secretary may determine necessary;
            ``(3) monitoring agency implementation of information 
        security policies and practices;
            ``(4) convening meetings with senior agency officials to 
        help ensure effective implementation of information security 
        policies and practices;
            ``(5) coordinating Government-wide efforts on information 
        security policies and practices, including consultation with 
        the Chief Information Officers Council established under 
        section 3603;
            ``(6) providing operational and technical assistance to 
        agencies in implementing policies, principles, standards, and 
        guidelines on information security, including implementation of 
        standards promulgated under section 11331 of title 40, 
        including by--
                    ``(A) operating the Federal information security 
                incident center established under section 3556;
                    ``(B) upon request by an agency, deploying 
                technology to assist the agency to continuously 
                diagnose and mitigate against cyber threats and 
                vulnerabilities, with or without reimbursement;
                    ``(C) compiling and analyzing data on agency 
                information security; and
                    ``(D) developing and conducting targeted 
                operational evaluations, including threat and 
                vulnerability assessments, on the information systems; 
                and
            ``(7) other actions as the Secretary may determine 
        necessary to carry out this subsection on behalf of the 
        Director.
    ``(c) Report.--Not later than March 1 of each year, the Director, 
in consultation with the Secretary, shall submit to Congress a report 
on the effectiveness of information security policies and practices 
during the preceding year, including--
            ``(1) a summary of the incidents described in the annual 
        reports required to be submitted under section 3554(c)(1), 
        including a summary of the information required under section 
        3554(c)(1)(A)(iii);
            ``(2) a description of the threshold for reporting major 
        information security incidents;
            ``(3) a summary of the results of evaluations required to 
        be performed under section 3555;
            ``(4) an assessment of agency compliance with standards 
        promulgated under section 11331 of title 40; and
            ``(5) an assessment of agency compliance with the policies 
        and procedures established under section 3559(a).
    ``(d) National Security Systems.--Except for the authorities and 
functions described in subsection (a)(4) and subsection (c), the 
authorities and functions of the Director and the Secretary under this 
section shall not apply to national security systems.
    ``(e) Department of Defense and Intelligence Community Systems.--
(1) The authorities of the Director described in paragraphs (1) and (2) 
of subsection (a) shall be delegated to the Secretary of Defense in the 
case of systems described in paragraph (2) and to the Director of 
National Intelligence in the case of systems described in paragraph 
(3).
    ``(2) The systems described in this paragraph are systems that are 
operated by the Department of Defense, a contractor of the Department 
of Defense, or another entity on behalf of the Department of Defense 
that processes any information the unauthorized access, use, 
disclosure, disruption, modification, or destruction of which would 
have a debilitating impact on the mission of the Department of Defense.
    ``(3) The systems described in this paragraph are systems that are 
operated by an element of the intelligence community, a contractor of 
an element of the intelligence community, or another entity on behalf 
of an element of the intelligence community that processes any 
information the unauthorized access, use, disclosure, disruption, 
modification, or destruction of which would have a debilitating impact 
on the mission of an element of the intelligence community.
``Sec. 3554. Federal agency responsibilities
    ``(a) In General.--The head of each agency shall--
            ``(1) be responsible for--
                    ``(A) providing information security protections 
                commensurate with the risk and magnitude of the harm 
                resulting from unauthorized access, use, disclosure, 
                disruption, modification, or destruction of--
                            ``(i) information collected or maintained 
                        by or on behalf of the agency; and
                            ``(ii) information systems used or operated 
                        by an agency or by a contractor of an agency or 
                        other organization on behalf of an agency;
                    ``(B) complying with the requirements of this 
                subchapter and related policies, procedures, standards, 
                and guidelines, including--
                            ``(i) information security standards 
                        promulgated under section 11331 of title 40;
                            ``(ii) operational directives developed by 
                        the Secretary under section 3553(b);
                            ``(iii) policies and procedures issued by 
                        the Director under section 3559; and
                            ``(iv) information security standards and 
                        guidelines for national security systems issued 
                        in accordance with law and as directed by the 
                        President; and
                    ``(C) ensuring that information security management 
                processes are integrated with agency strategic and 
                operational planning processes;
            ``(2) ensure that senior agency officials provide 
        information security for the information and information 
        systems that support the operations and assets under their 
        control, including through--
                    ``(A) assessing the risk and magnitude of the harm 
                that could result from the unauthorized access, use, 
                disclosure, disruption, modification, or destruction of 
                such information or information systems;
                    ``(B) determining the levels of information 
                security appropriate to protect such information and 
                information systems in accordance with standards 
                promulgated under section 11331 of title 40, for 
                information security classifications and related 
                requirements;
                    ``(C) implementing policies and procedures to cost-
                effectively reduce risks to an acceptable level; and
                    ``(D) periodically testing and evaluating 
                information security controls and techniques to ensure 
                that they are effectively implemented;
            ``(3) delegate to the agency Chief Information Officer 
        established under section 3506 (or comparable official in an 
        agency not covered by such section) the authority to ensure 
        compliance with the requirements imposed on the agency under 
        this subchapter, including--
                    ``(A) designating a senior agency information 
                security officer who shall--
                            ``(i) carry out the Chief Information 
                        Officer's responsibilities under this section;
                            ``(ii) possess professional qualifications, 
                        including training and experience, required to 
                        administer the functions described under this 
                        section;
                            ``(iii) have information security duties as 
                        that official's primary duty; and
                            ``(iv) head an office with the mission and 
                        resources to assist in ensuring agency 
                        compliance with this section;
                    ``(B) developing and maintaining an agency-wide 
                information security program as required by subsection 
                (b);
                    ``(C) developing and maintaining information 
                security policies, procedures, and control techniques 
                to address all applicable requirements, including those 
                issued under section 3553 of this title and section 
                11331 of title 40;
                    ``(D) training and overseeing personnel with 
                significant responsibilities for information security 
                with respect to such responsibilities; and
                    ``(E) assisting senior agency officials concerning 
                their responsibilities under paragraph (2);
            ``(4) ensure that the agency has trained personnel 
        sufficient to assist the agency in complying with the 
        requirements of this subchapter and related policies, 
        procedures, standards, and guidelines;
            ``(5) ensure that the agency Chief Information Officer, in 
        coordination with other senior agency officials, reports 
        annually to the agency head on the effectiveness of the agency 
        information security program, including progress of remedial 
        actions;
            ``(6) ensure that senior agency officials, including chief 
        information officers of component agencies or equivalent 
        officials, carry out responsibilities under this subchapter as 
        directed by the official delegated authority under paragraph 
        (3); and
            ``(7) ensure that all personnel are held accountable for 
        complying with the agency-wide information security program 
        implemented under subsection (b).
    ``(b) Agency Program.--Each agency shall develop, document, and 
implement an agency-wide information security program to provide 
information security for the information and information systems that 
support the operations and assets of the agency, including those 
provided or managed by another agency, contractor, or other source, 
that includes--
            ``(1) periodic assessments of the risk and magnitude of the 
        harm that could result from the unauthorized access, use, 
        disclosure, disruption, modification, or destruction of 
        information and information systems that support the operations 
        and assets of the agency;
            ``(2) policies and procedures that--
                    ``(A) are based on the risk assessments required by 
                paragraph (1);
                    ``(B) cost-effectively reduce information security 
                risks to an acceptable level;
                    ``(C) ensure that information security is addressed 
                throughout the life cycle of each agency information 
                system; and
                    ``(D) ensure compliance with--
                            ``(i) the requirements of this subchapter;
                            ``(ii) policies and procedures as may be 
                        prescribed by the Director, and information 
                        security standards promulgated under section 
                        11331 of title 40;
                            ``(iii) minimally acceptable system 
                        configuration requirements, as determined by 
                        the agency; and
                            ``(iv) any other applicable requirements, 
                        including standards and guidelines for national 
                        security systems issued in accordance with law 
                        and as directed by the President;
            ``(3) subordinate plans for providing adequate information 
        security for networks, facilities, and systems or groups of 
        information systems, as appropriate;
            ``(4) security awareness training to inform personnel, 
        including contractors and other users of information systems 
        that support the operations and assets of the agency, of--
                    ``(A) information security risks associated with 
                their activities; and
                    ``(B) their responsibilities in complying with 
                agency policies and procedures designed to reduce these 
                risks;
            ``(5) periodic testing and evaluation of the effectiveness 
        of information security policies, procedures, and practices, to 
        be performed with a frequency depending on risk, but no less 
        than annually, of which such testing--
                    ``(A) shall include testing of management, 
                operational, and technical controls of every 
                information system identified in the inventory required 
                under section 3505(c); and
                    ``(B) may include testing relied on in an 
                evaluation under section 3555;
            ``(6) a process for planning, implementing, evaluating, and 
        documenting remedial action to address any deficiencies in the 
        information security policies, procedures, and practices of the 
        agency;
            ``(7) procedures for detecting, reporting, and responding 
        to security incidents, consistent with standards and guidelines 
        described in section 3556(b), including--
                    ``(A) mitigating risks associated with such 
                incidents before substantial damage is done;
                    ``(B) notifying and consulting with the Federal 
                information security incident center established in 
                section 3556; and
                    ``(C) notifying and consulting with, as 
                appropriate--
                            ``(i) law enforcement agencies and relevant 
                        Offices of Inspector General;
                            ``(ii) an office designated by the 
                        President for any incident involving a national 
                        security system;
                            ``(iii) the committees of Congress 
                        described in subsection (c)(1)--
                                    ``(I) not later than 7 days after 
                                the date on which the incident is 
                                discovered; and
                                    ``(II) after the initial 
                                notification under subclause (I), 
                                within a reasonable period of time 
                                after additional information relating 
                                to the incident is discovered; and
                            ``(iv) any other agency or office, in 
                        accordance with law or as directed by the 
                        President; and
            ``(8) plans and procedures to ensure continuity of 
        operations for information systems that support the operations 
        and assets of the agency.
    ``(c) Agency Reporting.--
            ``(1) Annual report.--
                    ``(A) In general.--Each agency shall submit to the 
                Director, the Secretary, the Committee on Government 
                Reform, the Committee on Homeland Security, and the 
                Committee on Science of the House of Representatives, 
                the Committee on Homeland Security and Governmental 
                Affairs and the Committee on Commerce, Science, and 
                Transportation of the Senate, the appropriate 
                authorization and appropriations committees of 
                Congress, and the Comptroller General a report on the 
                adequacy and effectiveness of information security 
                policies, procedures, and practices, including--
                            ``(i) a description of each major 
                        information security incident or related sets 
                        of incidents, including summaries of--
                                    ``(I) the threats and threat 
                                actors, vulnerabilities, and impacts 
                                relating to the incident;
                                    ``(II) the risk assessments 
                                conducted under section 3554(a)(2)(A) 
                                of the affected information systems 
                                before the date on which the incident 
                                occurred; and
                                    ``(III) the detection, response, 
                                and remediation actions;
                            ``(ii) the total number of information 
                        security incidents, including a description of 
                        incidents resulting in significant compromise 
                        of information security, system impact levels, 
                        types of incident, and locations of affected 
                        systems;
                            ``(iii) a description of each major 
                        information security incident that involved a 
                        breach of personally identifiable information, 
                        including--
                                    ``(I) the number of individuals 
                                whose information was affected by the 
                                major information security incident; 
                                and
                                    ``(II) a description of the 
                                information that was breached or 
                                exposed; and
                            ``(iv) any other information as the 
                        Secretary may require.
                    ``(B) Unclassified report.--
                            ``(i) In general.--Each report submitted 
                        under subparagraph (A) shall be in unclassified 
                        form, but may include a classified annex.
                            ``(ii) Access to information.--The head of 
                        an agency shall ensure that, to the greatest 
                        extent practicable, information is included in 
                        the unclassified version of the reports 
                        submitted by the agency under subparagraph (A).
            ``(2) Other plans and reports.--Each agency shall address 
        the adequacy and effectiveness of information security 
        policies, procedures, and practices in management plans and 
        reports.
    ``(d) Performance Plan.--(1) In addition to the requirements of 
subsection (c), each agency, in consultation with the Director, shall 
include as part of the performance plan required under section 1115 of 
title 31 a description of--
            ``(A) the time periods; and
            ``(B) the resources, including budget, staffing, and 
        training,
that are necessary to implement the program required under subsection 
(b).
    ``(2) The description under paragraph (1) shall be based on the 
risk assessments required under subsection (b)(1).
    ``(e) Public Notice and Comment.--Each agency shall provide the 
public with timely notice and opportunities for comment on proposed 
information security policies and procedures to the extent that such 
policies and procedures affect communication with the public.
``Sec. 3555. Annual independent evaluation
    ``(a) In General.--(1) Each year each agency shall have performed 
an independent evaluation of the information security program and 
practices of that agency to determine the effectiveness of such program 
and practices.
    ``(2) Each evaluation under this section shall include--
            ``(A) testing of the effectiveness of information security 
        policies, procedures, and practices of a representative subset 
        of the agency's information systems;
            ``(B) an assessment of the effectiveness of the information 
        security policies, procedures, and practices of the agency; and
            ``(C) separate presentations, as appropriate, regarding 
        information security relating to national security systems.
    ``(b) Independent Auditor.--Subject to subsection (c)--
            ``(1) for each agency with an Inspector General appointed 
        under the Inspector General Act of 1978, the annual evaluation 
        required by this section shall be performed by the Inspector 
        General or by an independent external auditor, as determined by 
        the Inspector General of the agency; and
            ``(2) for each agency to which paragraph (1) does not 
        apply, the head of the agency shall engage an independent 
        external auditor to perform the evaluation.
    ``(c) National Security Systems.--For each agency operating or 
exercising control of a national security system, that portion of the 
evaluation required by this section directly relating to a national 
security system shall be performed--
            ``(1) only by an entity designated by the agency head; and
            ``(2) in such a manner as to ensure appropriate protection 
        for information associated with any information security 
        vulnerability in such system commensurate with the risk and in 
        accordance with all applicable laws.
    ``(d) Existing Evaluations.--The evaluation required by this 
section may be based in whole or in part on an audit, evaluation, or 
report relating to programs or practices of the applicable agency.
    ``(e) Agency Reporting.--(1) Each year, not later than such date 
established by the Director, the head of each agency shall submit to 
the Director the results of the evaluation required under this section.
    ``(2) To the extent an evaluation required under this section 
directly relates to a national security system, the evaluation results 
submitted to the Director shall contain only a summary and assessment 
of that portion of the evaluation directly relating to a national 
security system.
    ``(f) Protection of Information.--Agencies and evaluators shall 
take appropriate steps to ensure the protection of information which, 
if disclosed, may adversely affect information security. Such 
protections shall be commensurate with the risk and comply with all 
applicable laws and regulations.
    ``(g) OMB Reports to Congress.--(1) The Director shall summarize 
the results of the evaluations conducted under this section in the 
report to Congress required under section 3553(c).
    ``(2) The Director's report to Congress under this subsection shall 
summarize information regarding information security relating to 
national security systems in such a manner as to ensure appropriate 
protection for information associated with any information security 
vulnerability in such system commensurate with the risk and in 
accordance with all applicable laws.
    ``(3) Evaluations and any other descriptions of information systems 
under the authority and control of the Director of Central Intelligence 
or of National Foreign Intelligence Programs systems under the 
authority and control of the Secretary of Defense shall be made 
available to Congress only through the appropriate oversight committees 
of Congress, in accordance with applicable laws.
    ``(h) Comptroller General.--The Comptroller General shall 
periodically evaluate and report to Congress on--
            ``(1) the adequacy and effectiveness of agency information 
        security policies and practices; and
            ``(2) implementation of the requirements of this 
        subchapter.
    ``(i) Assessment Technical Assistance.--The Comptroller General may 
provide technical assistance to an Inspector General or the head of an 
agency, as applicable, to assist the Inspector General or head of an 
agency in carrying out the duties under this section, including by 
testing information security controls and procedures.
``Sec. 3556. Federal information security incident center
    ``(a) In General.--The Secretary shall ensure the operation of a 
central Federal information security incident center to--
            ``(1) provide timely technical assistance to operators of 
        agency information systems regarding security incidents, 
        including guidance on detecting and handling information 
        security incidents;
            ``(2) compile and analyze information about incidents that 
        threaten information security;
            ``(3) inform operators of agency information systems about 
        current and potential information security threats, and 
        vulnerabilities;
            ``(4) provide, as appropriate, intelligence and other 
        information about cyber threats, vulnerabilities, and incidents 
        to agencies to assist in risk assessments conducted under 
        section 3554(b); and
            ``(5) consult with the National Institute of Standards and 
        Technology, agencies or offices operating or exercising control 
        of national security systems (including the National Security 
        Agency), and such other agencies or offices in accordance with 
        law and as directed by the President regarding information 
        security incidents and related matters.
    ``(b) National Security Systems.--Each agency operating or 
exercising control of a national security system shall share 
information about information security incidents, threats, and 
vulnerabilities with the Federal information security incident center 
to the extent consistent with standards and guidelines for national 
security systems, issued in accordance with law and as directed by the 
President.
``Sec. 3557. National security systems
    ``The head of each agency operating or exercising control of a 
national security system shall be responsible for ensuring that the 
agency--
            ``(1) provides information security protections 
        commensurate with the risk and magnitude of the harm resulting 
        from the unauthorized access, use, disclosure, disruption, 
        modification, or destruction of the information contained in 
        such system;
            ``(2) implements information security policies and 
        practices as required by standards and guidelines for national 
        security systems, issued in accordance with law and as directed 
        by the President; and
            ``(3) complies with the requirements of this subchapter.
``Sec. 3558. Effect on existing law
    ``Nothing in this subchapter, section 11331 of title 40, or section 
20 of the National Standards and Technology Act (15 U.S.C. 278g-3) may 
be construed as affecting the authority of the President, the Office of 
Management and Budget or the Director thereof, the National Institute 
of Standards and Technology, or the head of any agency, with respect to 
the authorized use or disclosure of information, including with regard 
to the protection of personal privacy under section 552a of title 5, 
the disclosure of information under section 552 of title 5, the 
management and disposition of records under chapters 29, 31, or 33 of 
title 44, the management of information resources under subchapter I of 
chapter 35 of this title, or the disclosure of information to the 
Congress or the Comptroller General of the United States.''.
    (b) Technical and Conforming Amendments.--
            (1) Table of sections.--The table of sections for chapter 
        35 of title 44, United States Code is amended by striking the 
        matter relating to subchapters II and III and inserting the 
        following:

                  ``subchapter ii--information security

``3551. Purposes.
``3552. Definitions.
``3553. Authority and functions of the Director and the Secretary.
``3554. Federal agency responsibilities.
``3555. Annual independent evaluation.
``3556. Federal information security incident center.
``3557. National security systems.
``3558. Effect on existing law.''.
            (2) Cybersecurity research and development act.--Section 
        8(d)(1) of the Cybersecurity Research and Development Act (15 
        U.S.C. 7406) is amended by striking ``section 3534'' and 
        inserting ``section 3554''.
            (3) Homeland security act of 2002.--Section 1001(c)(1)(A) 
        of the Homeland Security Act of 2002 (6 U.S.C. 511) by striking 
        ``section 3532(3)'' and inserting ``section 3552(b)(5)''.
            (4) National institute of standards and technology act.--
        Section 20 of the National Institute of Standards and 
        Technology Act (15 U.S.C. 278g-3) is amended--
                    (A) in subsection (a)(2), by striking ``section 
                3532(b)(2)'' and inserting ``section 3552(b)(5)''; and
                    (B) in subsection (e)--
                            (i) in paragraph (2), by striking ``section 
                        3532(1)'' and inserting ``section 3552(b)(2)''; 
                        and
                            (ii) in paragraph (5), by striking 
                        ``section 3532(b)(2)'' and inserting ``section 
                        3552(b)(5)''.
            (5) Title 10.--Title 10, United States Code, is amended--
                    (A) in section 2222(j)(5), by striking ``section 
                3542(b)(2)'' and inserting ``section 3552(b)(5)'';
                    (B) in section 2223(c)(3), by striking ``section 
                3542(b)(2)'' and inserting ``section 3552(b)(5)''; and
                    (C) in section 2315, by striking ``section 
                3542(b)(2)'' and inserting ``section 3552(b)(5)''.
    (c) Other Provisions.--
            (1) Circular a-130.--Not later than 180 days after the date 
        of enactment of this Act, the Director of the Office of 
        Management and Budget shall revise Office of Management and 
        Budget Circular A-130 to eliminate inefficient or wasteful 
        reporting.
            (2) ISPAB.--Section 21(b) of the National Institute of 
        Standards and Technology Act (15 U.S.C. 278g-4(b)) is amended--
                    (A) in paragraph (2), by inserting ``, the 
                Secretary of Homeland Security,'' after ``the 
                Institute''; and
                    (B) in paragraph (3), by inserting ``the Secretary 
                of Homeland Security,'' after ``the Secretary of 
                Commerce,''.

SEC. 3. FEDERAL DATA BREACH RESPONSE GUIDELINES.

    (a) In General.--Subchapter II of chapter 35 of title 44, United 
States Code, as added by this Act, is amended by adding at the end the 
following:
``Sec. 3559. Privacy breach requirements
    ``(a) Policies and Procedures.--The Director, in consultation with 
the Secretary, shall establish and oversee policies and procedures for 
agencies to follow in the event of a breach of information security 
involving the disclosure of personally identifiable information, 
including requirements for--
            ``(1) timely notice to affected individuals based on a 
        determination of the level of risk and consistent with law 
        enforcement and national security considerations;
            ``(2) timely reporting to the Federal information security 
        incident center established under section 3556 or other Federal 
        cybersecurity center, as designated by the Director;
            ``(3) timely notice to committees of Congress with 
        jurisdiction over cybersecurity; and
            ``(4) such additional actions as the Director may determine 
        necessary and appropriate, including the provision of risk 
        mitigation measures to affected individuals.
    ``(b) Considerations.--In carrying out subsection (a), the Director 
shall consider recommendations made by the Government Accountability 
Office, including recommendations in the December 2013 Government 
Accountability Office report entitled `Information Security: Agency 
Responses to Breaches of Personally Identifiable Information Need to Be 
More Consistent' (GAO-14-34).
    ``(c) Required Agency Action.--The head of each agency shall ensure 
that actions taken in response to a breach of information security 
involving the disclosure of personally identifiable information under 
the authority or control of the agency comply with policies and 
procedures established under subsection (a).
    ``(d) Timeliness.--
            ``(1) In general.--Except as provided in paragraph (2), the 
        policies and procedures established under subsection (a) shall 
        require that the notice to affected individuals required under 
        subsection (a)(1) be made without unreasonable delay and with 
        consideration of the likely risk of harm and the level of 
        impact, but not later than 60 days after the date on which the 
        head of an agency discovers the breach of information security 
        involving the disclosure of personally identifiable 
        information.
            ``(2) Delay.--The Attorney General, the head of an element 
        of the intelligence community (as such term is defined under 
        section 3(4) of the National Security Act of 1947 (50 U.S.C. 
        3003(4)), or the Secretary may delay the notice to affected 
        individuals under subsection (a)(1) for not more than 180 days, 
        if the notice would disrupt a law enforcement investigation, 
        endanger national security, or hamper security remediation 
        actions from the breach of information security involving the 
        disclosure of personally identifiable information.''.
    (b) Technical and Conforming Amendment.--The table of sections for 
subchapter II for chapter 35 of title 44, United States Code, as added 
by this Act, is amended by inserting after the item relating to section 
3558 the following:

``3559. Privacy breach requirements.''.
                                                       Calendar No. 564

113th CONGRESS

  2d Session

                                S. 2521

                          [Report No. 113-256]

_______________________________________________________________________

                                 A BILL

  To amend chapter 35 of title 44, United States Code, to provide for 
                reform to Federal information security.

_______________________________________________________________________

                           September 15, 2014

                       Reported without amendment