
	

114 HR 3313 IH: Cyber Defense of Federal Networks Act of 2015
U.S. House of Representatives
2015-07-29
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



		I
		114th CONGRESS
		1st Session
		H. R. 3313
		IN THE HOUSE OF REPRESENTATIVES
		
			July 29, 2015
			Mr. McCaul (for himself and Mr. Ratcliffe) introduced the following bill; which was referred to the Committee on Oversight and Government Reform, and in addition to the Committee on Homeland Security, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned
		
		A BILL
		To amend the Homeland Security Act of 2002 to strengthen the ability of the Secretary of Homeland Security to detect and prevent intrusions against, and to use countermeasures to protect, agency information systems, and for other purposes.
	
	
1. Short title
This Act may be cited as the “Cyber Defense of Federal Networks Act of 2015”.
2. Cyber defense of Federal networks
(a) In general. Subtitle C of title II of the Homeland Security Act of 2002 (6 U.S.C. 141 et seq.) is amended by adding at the end the following new sections:
				
230. Cybersecurity plans
(a) Intrusion detection and response plan. Not later than one year after the date of the enactment of this section, the Secretary, in coordination with the Director of the Office of Management and Budget, shall develop and implement an intrusion detection and response plan to detect, identify, and remove intruders in agency information systems. The Secretary, in coordination with the Director, shall update such plan as necessary.
(b) Exception. The intrusion detection and response plan required under subsection (a) shall not apply to the Department of Defense or an element of the intelligence community.
(c) Definitions. In this section and sections 231, 232, and 233:
(1) Agency. The term “agency” has the meaning given such term in section 3502 of title 44, United States Code.
(2) Cybersecurity risk. The term “cybersecurity risk” has the meaning given such term in the second section 226 (relating to the national cybersecurity and communications integration center).
(3) Information system. The term “information system” has the meaning given such term in the second section 226 (relating to the national cybersecurity and communications integration center).
(4) Intelligence community. The term “intelligence community” has the meaning given such term in section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)).
231. Advanced internal defenses
(a) Advanced network security tools
(1) In general. The Secretary shall include in the Department’s efforts to continuously diagnose and mitigate cybersecurity risks advanced network security tools to improve visibility of network activity, including through the use of commercial and free or open source tools, to detect and mitigate intrusions and anomalous activity in agencies’ information systems.
(2) Development of plan. The Secretary, in coordination with the Director of the Office of Management and Budget, shall develop and implement a plan to ensure advanced network security tools, including tools described in paragraph (1), to detect and mitigate intrusions and anomalous activity are available for use by each agency.
(b) Prioritizing advanced security tools. The Secretary, in coordination with the Director of the Office of Management and Budget, and in consultation with the heads of appropriate agencies, shall—
(1) review and update operational capabilities to ensure appropriate prioritization and use of network security monitoring tools within such agency networks; and
(2) brief the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate on such prioritization and use.
(c) Improved metrics. The Secretary, in coordination with the Director of the Office of Management and Budget, shall review and update the metrics used to measure security under section 3554 of title 44, United States Code, to include measures of intrusion and incident detection and response times.
(d) Transparency and accountability. The Secretary, in coordination with the Director of the Office of Management and Budget, shall increase transparency to the public on agency cybersecurity postures, including by increasing the number of metrics available on Federal Government performance websites and, to the greatest extent practicable, displaying metrics for agencies.
(e) Maintenance of technologies. Subparagraph (B) of section 3553(b)(6) of title 44, United States Code, is amended by inserting “, operating, and maintaining” after “deploying”.
232. Federal cybersecurity best practices
The Secretary, in consultation with the Director of the Office of Management and Budget, shall regularly assess and require implementation of best practices for—
(1) securing agency information systems against intrusion; and
(2) preventing data exfiltration from such systems in the event of an intrusion.
233. Assessment; reports
(a) Definitions. In this section:
(1) Appropriate congressional committees. The term “appropriate congressional committees” means the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate.
(2) Intrusion assessments. The term “intrusion assessments” means actions taken under the intrusion detection and response plan described in section 230 to detect, identify, and remove intruders in agency information systems.
(3) Intrusion detection and response plan. The term “intrusion detection and response plan” means the intrusion detection and response plan described in section 230.
(b) GAO assessment. Not later than three years after the date of the enactment of this section, the Comptroller General of the United States shall conduct a study and publish a report on the effectiveness of the approach and strategy of the Department’s capabilities and plans in securing agency information systems, including in the plans and assessments under sections 230, 231, and 232.
(c) Report to Congress. The Secretary, in coordination with the Director of the Office of Management and Budget, shall—
(1) not later than six months after the date of the enactment of this section and 30 days after any update thereto, submit to the appropriate congressional committees the intrusion detection and response plan described in section 230; and
(2) not later than one year after the date of the enactment of this section and annually thereafter, submit to Congress—
(A) a description of the implementation of such intrusion detection and response plan;
(B) the findings of the intrusion assessments conducted pursuant to such intrusion detection and response plan;
(C) a description of the advanced network security tools referred to in section 231;
(D) information relating to the results of the assessment of the Secretary of Federal cybersecurity best practices under section 232; and
(E) the improved metrics referred to in section 231.
(b) Definitions. Paragraphs (1) and (2) of the second section 226 of the Homeland Security Act of 2002 (6 U.S.C. 148; relating to the national cybersecurity and communications integration center) are amended to read as follows:
				
(1)(A) except as provided in subparagraph (B), the term “cybersecurity risk” means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism; and
(B) such term does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;
(2) the term “incident” means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system;
(c) Clerical amendments. The table of contents for subtitle C of title II of the Homeland Security Act of 2002 is amended by adding at the end the following new items:
				
					
						Sec. 230. Cybersecurity plans.
						Sec. 231. Advanced internal defenses.
						Sec. 232. Federal cybersecurity best practices.
						Sec. 233. Assessment; reports.
3. Duties of the Secretary of Homeland Security related to information security
Section 3553(b)(6) of title 44, United States Code, is amended by striking subparagraphs (C) and (D) and inserting the following:

(C) providing incident detection, analysis, mitigation, and response information, disseminating related homeland security information, and providing remote or onsite technical assistance to the head of an agency;
(D) compiling and analyzing data on agency information security and disseminating related homeland security information;
(E) developing and conducting targeted risk assessments, including assessments of the risk of terrorism, and operational evaluations for agency information and information systems in consultation with the heads of other agencies or governmental and private entities that own and operate such systems, that may include threat, vulnerability, and impact assessments;
(F) in conjunction with other agencies and the private sector, assessing and fostering the development of information security technologies and capabilities for use across multiple agencies; and
(G) coordinating with appropriate agencies and officials to ensure, to the maximum extent feasible, that policies and directives issued under paragraph (2) are complementary with—
(i) standards and guidelines developed for national security systems; and
(ii) policies and directives issued by the Secretary of Defense and the Director of National Intelligence under subsection (e)(1); and
4. Directives and imminent threats
Section 3553 of title 44, United States Code, is amended by adding at the end the following:

(h) Direction to agencies
(1) Authority
(A) In general. Notwithstanding section 3554, and subject to subparagraph (B), in response to a known or reasonably suspected information security threat, vulnerability, risk, or incident, including an act of terrorism, that represents a substantial threat to the information security of an agency, the Secretary may issue a directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems owned or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat or an act of terrorism.
(B) Exception. The authorities of the Secretary under this subsection shall not apply to a system described in paragraph (2) or (3) of subsection (e).
(2) Procedures for use of authority. The Secretary shall—
(A) in coordination with the Director and in consultation with Federal contractors, as appropriate, establish procedures under which a directive may be issued under this subsection, which shall include—
(i) thresholds and other criteria;
(ii) privacy and civil liberties protections; and
(iii) providing notice to potentially affected third parties;
(B) specify the reasons for the required action and the duration of the directive;
(C) minimize the impact of a directive under this subsection by—
(i) adopting the least intrusive means possible under the circumstances to secure the agency information systems; and
(ii) limiting the directive to the shortest period practicable; and
(D) notify the Director and the head of any affected agency immediately upon the issuance of a directive under this subsection.
(3) Imminent threats
(A) In general. If the Secretary determines that there is an imminent threat, including a threat of terrorism, to agency information systems and a directive under this subsection is not reasonably likely to result in a timely response to the threat, the Secretary may authorize the use of protective capabilities under the control of the Secretary for communications or other system traffic transiting to or from or stored on an agency information system without prior consultation with the affected agency for the purpose of ensuring the security of the information, information system, or other agency information systems.
(B) Limitation on delegation. The authority under this paragraph may not be delegated to an official in a position lower than an Assistant Secretary of the Department of Homeland Security.
(C) Notice. The Secretary shall immediately notify the Director and the head and chief information officer (or equivalent official) of each affected agency of—
(i) any action taken under this subsection; and
(ii) the reasons for and duration and nature of the action.
(D) Other law. Any action of the Secretary under this paragraph shall be consistent with applicable law.
(4) Limitation. The Secretary may direct or authorize lawful action or protective capability under this subsection only to—
(A) protect agency information from unauthorized access, use, disclosure, disruption, modification, or destruction; or
(B) require the remediation of or protect against identified information security risks, including acts of terrorism, with respect to—
(i) information collected or maintained by or on behalf of an agency; or
(ii) that portion of an information system used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.
5. Report to Congress regarding DHS functions
Section 3553 of title 44, United States Code, as amended by section 3, is further amended by adding at the end the following new subsection:

(i) Annual report to Congress. Not later than February 1 of every year, the Secretary shall report to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate, regarding the specific actions the Secretary has taken pursuant to subsections (b) and (h).
		
