[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[S. 1990 Introduced in Senate (IS)]

114th CONGRESS
  1st Session
                                S. 1990

To require Inspectors General and the Comptroller General of the United 
  States to submit reports on the use of logical access controls and 
    other security practices to safeguard classified and personally 
  identifiable information on Federal computer systems, and for other 
                               purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             August 5, 2015

 Mr. Hatch (for himself and Mr. Carper) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
To require Inspectors General and the Comptroller General of the United 
  States to submit reports on the use of logical access controls and 
    other security practices to safeguard classified and personally 
  identifiable information on Federal computer systems, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Computer Security Act''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Agency.--The term ``agency'' has the meaning given the 
        term in section 3502 of title 44, United States Code.
            (2) Covered agency.--The term ``covered agency'' means an 
        agency that operates a Federal computer system that provides 
        access to classified information or personally identifiable 
        information.
            (3) Logical access control.--The term ``logical access 
        control'' means a process of granting or denying specific 
        requests to obtain and use information and related information 
        processing services.
            (4) Multi-factor logical access controls.--The term 
        ``multi-factor logical access controls'' means a set of not 
        less than 2 of the following logical access controls:
                    (A) Information that is known to the user, such as 
                a password or personal identification number.
                    (B) An access device that is provided to the user, 
                such as a cryptographic identification device or token.
                    (C) A unique biometric characteristic of the user.

SEC. 3. INSPECTOR GENERAL REPORT ON FEDERAL COMPUTER SYSTEMS.

    (a) In General.--Not later than 240 days after the date of 
enactment of this Act, the Inspector General of each covered agency 
shall each submit to the Comptroller General of the United States and 
the appropriate committees of jurisdiction in the Senate and the House 
of Representatives a report, which shall include information collected 
from the covered agency for the contents described in subsection (b) 
regarding the Federal computer systems of the covered agency.
    (b) Contents.--The report submitted by each Inspector General of a 
covered agency under subsection (a) shall include, with respect to the 
covered agency, the following:
            (1) A description of the logical access standards used by 
        the covered agency to access a Federal computer system that 
        provides access to classified or personally identifiable 
        information, including--
                    (A) in aggregate, a list and description of logical 
                access controls used to access such a Federal computer 
                system; and
                    (B) whether the covered agency is using multi-
                factor logical access controls to access such a Federal 
                computer system.
            (2) If the covered agency does not use logical access 
        controls or multi-factor logical access controls to access a 
        Federal computer system that provides access to classified or 
        personally identifiable information, a description of the 
        reasons for not using such logical access controls or multi-
        factor logical access controls.
            (3) A description of the following data security management 
        practices used by the covered agency:
                    (A) The policies and procedures followed to conduct 
                inventories of the software present on the Federal 
                computer systems of the covered agency and the licenses 
                associated with such software.
                    (B) Whether the covered agency has entered into a 
                licensing agreement for the use of software security 
                controls to monitor and detect exfiltration and other 
                threats, including--
                            (i) data loss prevention software; or
                            (ii) digital rights management software.
                    (C) A description of how the covered agency is 
                using software described in subparagraph (B).
                    (D) If the covered agency has not entered into a 
                licensing agreement for the use of, or is otherwise not 
                using, software described in subparagraph (B), a 
                description of the reasons for not entering into such a 
                licensing agreement or using such software.
            (4) A description of the policies and procedures of the 
        covered agency with respect to ensuring that entities, 
        including contractors, that provide services to the covered 
        agency are implementing the data security management practices 
        described in paragraph (3).
    (c) Existing Review.--The report required under this section may be 
based in whole or in part on an audit, evaluation, or report relating 
to programs or practices of the covered agency, and may be submitted as 
part of another report, including the report required under section 
3555 of title 44, United States Code.
    (d) Classified Information.--A report submitted under this section 
shall be in unclassified form, but may include a classified annex.
    (e) Availability to Members of Congress.--A report submitted under 
this section shall be made available upon request by any Member of 
Congress.

SEC. 4. GAO ECONOMIC ANALYSIS AND REPORT ON FEDERAL COMPUTER SYSTEMS.

    (a) Report.--Not later than 1 year after the date of enactment of 
this Act, the Comptroller General of the United States shall submit to 
Congress a report examining, including an economic analysis of, any 
impediments to agency use of effective security software and security 
devices.
    (b) Classified Information.--A report submitted under this section 
shall be in unclassified form, but may include a classified annex.