
	

114 S1990 IS: Federal Computer Security Act
U.S. Senate
2015-08-05
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



		II
		114th CONGRESS
		1st Session
		S. 1990
		IN THE SENATE OF THE UNITED STATES
		
			August 5, 2015
			Mr. Hatch (for himself and Mr. Carper) introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs
		
		A BILL
		To require Inspectors General and the Comptroller General of the United States to submit reports on the use of logical access controls and other security practices to safeguard classified and personally identifiable information on Federal computer systems, and for other purposes.
	
	
1. Short title
This Act may be cited as the "Federal Computer Security Act".
2. Definitions
In this Act:
(1) Agency. The term "agency" has the meaning given the term in section 3502 of title 44, United States Code.
(2) Covered agency. The term "covered agency" means an agency that operates a Federal computer system that provides access to classified information or personally identifiable information.
(3) Logical access control. The term "logical access control" means a process of granting or denying specific requests to obtain and use information and related information processing services.
(4) Multi-factor logical access controls. The term "multi-factor logical access controls" means a set of not less than 2 of the following logical access controls:
(A) Information that is known to the user, such as a password or personal identification number.
(B) An access device that is provided to the user, such as a cryptographic identification device or token.
(C) A unique biometric characteristic of the user.
3. Inspector General report on Federal computer systems
(a) In general. Not later than 240 days after the date of enactment of this Act, the Inspector General of each covered agency shall each submit to the Comptroller General of the United States and the appropriate committees of jurisdiction in the Senate and the House of Representatives a report, which shall include information collected from the covered agency for the contents described in subsection (b) regarding the Federal computer systems of the covered agency.
(b) Contents. The report submitted by each Inspector General of a covered agency under subsection (a) shall include, with respect to the covered agency, the following:
(1) A description of the logical access standards used by the covered agency to access a Federal computer system that provides access to classified or personally identifiable information, including—
(A) in aggregate, a list and description of logical access controls used to access such a Federal computer system; and
(B) whether the covered agency is using multi-factor logical access controls to access such a Federal computer system.
(2) If the covered agency does not use logical access controls or multi-factor logical access controls to access a Federal computer system that provides access to classified or personally identifiable information, a description of the reasons for not using such logical access controls or multi-factor logical access controls.
(3) A description of the following data security management practices used by the covered agency:
(A) The policies and procedures followed to conduct inventories of the software present on the Federal computer systems of the covered agency and the licenses associated with such software.
(B) Whether the covered agency has entered into a licensing agreement for the use of software security controls to monitor and detect exfiltration and other threats, including—
(i) data loss prevention software; or
(ii) digital rights management software.
(C) A description of how the covered agency is using software described in subparagraph (B).
(D) If the covered agency has not entered into a licensing agreement for the use of, or is otherwise not using, software described in subparagraph (B), a description of the reasons for not entering into such a licensing agreement or using such software.
(4) A description of the policies and procedures of the covered agency with respect to ensuring that entities, including contractors, that provide services to the covered agency are implementing the data security management practices described in paragraph (3).
(c) Existing review. The report required under this section may be based in whole or in part on an audit, evaluation, or report relating to programs or practices of the covered agency, and may be submitted as part of another report, including the report required under section 3555 of title 44, United States Code.
(d) Classified information. A report submitted under this section shall be in unclassified form, but may include a classified annex.
(e) Availability to members of Congress. A report submitted under this section shall be made available upon request by any Member of Congress.
4. GAO economic analysis and report on Federal computer systems
(a) Report. Not later than 1 year after the date of enactment of this Act, the Comptroller General of the United States shall submit to Congress a report examining, including an economic analysis of, any impediments to agency use of effective security software and security devices.
(b) Classified information. A report submitted under this section shall be in unclassified form, but may include a classified annex.
			
