[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 890 Introduced in Senate (IS)]

116th CONGRESS
  1st Session
                                 S. 890

 To authorize the Sergeant at Arms to protect the personal technology 
   devices and accounts of Senators and covered employees from cyber 
 attacks and hostile information collection activities, and for other 
                               purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             March 27, 2019

 Mr. Wyden (for himself and Mr. Cotton) introduced the following bill; 
    which was read twice and referred to the Committee on Rules and 
                             Administration

_______________________________________________________________________

                                 A BILL


 
 To authorize the Sergeant at Arms to protect the personal technology 
   devices and accounts of Senators and covered employees from cyber 
 attacks and hostile information collection activities, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Senate Cybersecurity Protection 
Act''.

SEC. 2. DEFINITIONS.

    In this Act--
            (1) the term ``covered employing office'' means--
                    (A) the personal office of a Senator;
                    (B) the office of a committee of the Senate;
                    (C) any other office of the Senate not described in 
                subparagraph (A) or (B); or
                    (D) the office of a joint committee or joint 
                commission;
            (2) the term ``covered employee'' means an individual--
                    (A) who is employed or serving in a position as--
                            (i) an officer or employee of a covered 
                        employing office;
                            (ii) a detailee in a covered employing 
                        office, without regard to whether the service 
                        is on a reimbursable basis; or
                            (iii) a fellow in a covered employing 
                        office, without regard to whether the position 
                        is compensated or the source of the 
                        compensation;
                    (B) who is not a Senate authorizer; and
                    (C) whom the covered employing office has 
                determined is highly vulnerable to cyber attacks and 
                hostile information collection activities because of 
                the position of the individual;
            (3) the term ``personal account'' means an account for 
        online or telecommunications services (including telephone, 
        residential internet access, email, text and multimedia 
        messaging, cloud computing, social media, health care, and 
        financial services)--
                    (A) used by a Senate authorizer or covered 
                employee;
                    (B) that is not administered or operated by the 
                Sergeant at Arms; and
                    (C) with respect to which the parties signing the 
                security memorandum of understanding as described in 
                paragraph (6)(A) jointly agree that the Sergeant at 
                Arms will provide security, in accordance with this 
                Act;
            (4) the term ``personal technology device''--
                    (A) means a handheld communications device, laptop 
                computer, desktop computer, or other internet-connected 
                device--
                            (i) used by a Senate authorizer or covered 
                        employee;
                            (ii) that is not provided to the Senate 
                        authorizer or covered employee, or 
                        administered, by the Sergeant at Arms; and
                            (iii) with respect to which the parties 
                        signing the security memorandum of 
                        understanding as described in paragraph (6)(A) 
                        jointly agree that the Sergeant at Arms will 
                        provide security, in accordance with this Act; 
                        and
                    (B) may, if agreed to by the parties pursuant to 
                the security memorandum of understanding, include any 
                computer network to which a computer or device 
                described in subparagraph (A) connects;
            (5) the term ``provide security'' means to provide 
        training, advice, support, technical assistance, and other 
        services to prevent, detect, and recover from cyber attacks and 
        hostile information collection activities;
            (6) the term ``security memorandum of understanding'' means 
        a written memorandum of understanding that--
                    (A) is signed by--
                            (i) the Sergeant at Arms;
                            (ii) the Senate authorizer or covered 
                        employee for whom the security will be provided 
                        pursuant to the memorandum; and
                            (iii) if the security is being provided for 
                        a covered employee, the applicable Senate 
                        authorizer for the covered employee;
                    (B) specifies the personal accounts or personal 
                technology devices, or categories of personal accounts 
                or personal technology devices, for which the Sergeant 
                at Arms will provide security;
                    (C) describes the rights and responsibilities of 
                each signing party relating to the provision of 
                security and with respect to privacy; and
                    (D) shall be effective for a period of not more 
                than 1 year;
            (7) the term ``Senate authorizer''--
                    (A) means a Senator or the head of a Senate office 
                described in paragraph (1)(C);
                    (B) when used with respect to a covered employee 
                not described in subparagraph (C), means the Senator or 
                the head of a Senate office who has final authority to 
                appoint, hire, discharge, and set the terms, 
                conditions, or privileges of the employment of the 
                covered employee; and
                    (C) when used with respect to a covered employee of 
                a joint committee or joint commission, the Senator from 
                the majority party of the Senate who--
                            (i) is a member of, or has authority over, 
                        the committee or commission; and
                            (ii) serves in the highest leadership role 
                        for a Senator in the committee or commission 
                        or, if there is no such leadership role, is the 
                        most senior Senator from the majority party of 
                        the committee or commission; and
            (8) the term ``Sergeant at Arms'' means the Sergeant at 
        Arms and Doorkeeper of the Senate.

SEC. 3. CYBERSECURITY ASSISTANCE FOR PERSONAL TECHNOLOGY DEVICES AND 
              ACCOUNTS.

    (a) Authorization.--
            (1) In general.--Upon request by a Senate authorizer and 
        upon the signing of a security memorandum of understanding by 
        the parties described in section 2(6)(A), the Sergeant at Arms 
        may use funds provided for official purposes in order to 
        provide security for personal accounts and personal technology 
        devices of the Senate authorizer or a covered employee of the 
        Senate authorizer.
            (2) Annual renewal.--A Senate authorizer or covered 
        employee for whom the Sergeant at Arms is providing security 
        for personal accounts and personal technology devices under a 
        security memorandum of understanding may continue to receive 
        such security services under this Act if the applicable signing 
        parties described in section 2(6)(A) enter into a security 
        memorandum of understanding each year.
    (b) Aggregate Reporting.--By the date that is 2 years after the 
date of enactment of this Act, and annually thereafter, the Sergeant at 
Arms shall prepare and submit to the Committee on Rules and 
Administration and the Select Committee on Intelligence of the Senate a 
report that includes aggregate statistics for the preceding fiscal year 
of the number of Senate authorizers and covered employees who entered 
into a security memorandum of understanding with the Sergeant at Arms 
and received security assistance for their personal accounts and 
personal technology devices.
    (c) Rule of Construction.--Nothing in this Act shall be construed 
to encourage any Senator or covered employee to conduct official 
Government business using a personal technology device.

SEC. 4. ANNUAL GAO REPORTS ON CYBERSECURITY AND SURVEILLANCE THREATS.

    (a) Annual Reports.--
            (1) In general.--Beginning 180 days after the date of 
        enactment of this Act, and annually thereafter, the Comptroller 
        General of the United States shall prepare and submit, to the 
        Committee on Rules and Administration and the Select Committee 
        on Intelligence of the Senate, a report regarding cybersecurity 
        and surveillance threats to the legislative branch.
            (2) Statistics.--Each report required under paragraph (1) 
        shall include statistics on cyber attacks, and other incidents 
        of espionage or surveillance targeted against Senators or the 
        immediate families or staff of the Senators, in which the non-
        public communications and other private information of such 
        targeted individuals were lost, stolen, or otherwise subject to 
        unauthorized access by criminals or a foreign government.
    (b) Consultation.--In preparing the report required under 
subsection (a), the Comptroller General shall consult with the Director 
of National Intelligence and the Sergeant at Arms.