[Congressional Record Volume 145, Number 165 (Friday, November 19, 1999)]
[Senate]
[Pages S15108-S15112]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. THOMPSON (for himself, and Mr. Lieberman):
  S. 1993. A bill to reform Government information security by 
strengthening information security practices throughout the Federal 
Government; to the Committee on Governmental Affairs.


              government information security act of 1999

  Mr. THOMPSON. Mr. President, I rise today to introduce a bill on 
behalf of myself as chairman of the Governmental Affairs Committee and 
Senator Lieberman, the Committee's ranking minority member, on an issue 
of great importance to our committee and the nation--the security of 
Federal government computer systems.
  Over the last decade, the Federal Government, like most private-
sector organizations, has become enormously dependent on interconnected 
computer systems, including the Internet, to support its operations and 
account for its assets. This explosion in interconnectivity has 
resulted in many benefits. In particular, it has increased 
productivity, made enormous amounts of useful information instantly 
available to millions of people, and contributed to the economic boom 
of the 1990s.
  However, the factors that generate these benefits--widely accessible 
data and instantaneous communication--also increase the risks that 
information will be misused, possibly to commit fraud or other crimes, 
or that sensitive information will be inappropriately disclosed. In 
addition, our government's, as well as our nation's, dependence on this 
computer support makes it susceptible to devastating disruptions in 
critical services, as well as in computer-based safety and financial 
controls. Such disruptions could be caused by sabotage, natural 
disasters, or widespread system faults, as illustrated by the Y2K date 
conversion concerns.
  The Governmental Affairs Committee spent considerable time during the 
last Congress on this issue with a specific emphasis on information 
security and cyberterrorism. We uncovered and identified failures of 
information security affecting our international security and 
vulnerability to domestic and international terrorism. We highlighted 
our nation's vulnerability to computer attacks--from international and 
domestic terrorists to crime rings to everyday hackers. We directed GAO 
to prepare a ``best practices'' guide on computer security for Federal 
agencies to use, and we asked GAO to study computer security 
vulnerabilities at several Federal agencies including the Internal 
Revenue Service, the State Department, the Federal Aviation 
Administration, the Social Security Administration, and the Veterans' 
Administration.
  As a result of its work, GAO identified many specific weaknesses in 
agency controls and concluded that the underlying cause was inadequate 
security program planning and management. In particular, agencies were 
addressing identified weaknesses on a piecemeal basis rather than 
proactively addressing systemic causes that diminished security 
effectiveness throughout the agency.
  That is not to say that nothing is being done. Many in the executive 
branch recognize that action is needed to improve Federal information 
security, and several efforts have been initiated. For example, in May 
1998, Presidential Decision Directive (PDD) 63 directed the National 
Security Council to lead a variety of efforts intended to improve 
critical infrastructure protection, including protection of Federal 
agency information infrastructures, and required major agencies to 
develop plans to protect their own critical computer-based systems.
  But despite a flurry of activity in this area and a number of 
statutes already on the books which deal with the issues, we have 
concluded that a more complete and meaningful statutory foundation for 
improvement is needed. The primary objective of this legislation is to 
update existing information security statutory requirements to address 
the management challenges associated with operating in the current 
interconnected computing environment.
  We begin where the Paperwork Reduction Act of 1995 and the Clinger-
Cohen Act of 1996 left off. These laws, and the Computer Security Act 
of 1987, provided the basic framework for managing information 
security. This legislation which we introduce today will update and 
clarify existing requirements and responsibilities of Federal agencies 
in dealing with information security.
  The Government Information Security Act:
  Strengthens the Office of Management and Budget's information 
security duties, consistent with its existing responsibilities under 
the Paperwork Reduction Act;
  Establishes Federal agency accountability for information security as 
needed to cost-effectively protect the assets and operations of the 
agency by creating a set of management requirements derived from GAO 
``Best Practices'' audit work;
  Requires agencies to have an annual independent evaluation of their 
information security programs and practices to assess compliance with 
authorized requirements and to test effectiveness of information 
security control techniques;
  Provides for the application of a unified and logical set of 
governmentwide controls by including national security systems within 
the application of the legislation; and
  Focuses on the importance of training programs and governmentwide 
incident handling.
  We recognize that these aren't the only things that need to be done. 
Some have suggested we provide specific standards in the legislation. 
Others have recommended we establish a new position of a National Chief 
Information Officer. These and, no doubt, many other proposals will be 
considered as we debate this important issue. But this legislation is 
intended as a good first step to better define roles among Federal 
agencies in order to develop a fully secure government.
  I ask unanimous consent that the full text of the bill we are 
introducing be printed in the Record.

                                S. 1993

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Government Information 
     Security Act of 1999''.

     SEC. 2. COORDINATION OF FEDERAL INFORMATION POLICY.

       Chapter 35 of title 44, United States Code, is amended by 
     inserting at the end the following:

                 ``SUBCHAPTER II--INFORMATION SECURITY

     ``Sec. 3531. Purposes

       ``The purposes of this subchapter are to--
       ``(1) provide a comprehensive framework for establishing 
     and ensuring the effectiveness of controls over information 
     resources that support Federal operations and assets;
       ``(2)(A) recognize the highly networked nature of the 
     Federal computing environment including the need for Federal 
     Government interoperability and, in the implementation of 
     improved security management measures, assure that 
     opportunities for interoperability are not adversely 
     affected; and
       ``(B) provide effective governmentwide management and 
     oversight of the related information security risks, 
     including coordination of information security efforts 
     throughout the civilian, national security, and law 
     enforcement communities;
       ``(3) provide for development and maintenance of minimum 
     controls required to protect Federal information and 
     information systems; and
       ``(4) provide a mechanism for improved oversight of Federal 
     agency information security programs.

     ``Sec. 3532. Definitions

       ``(a) Except as provided under subsection (b), the 
     definitions under section 3502 shall apply to this 
     subchapter.
       ``(b) As used in this subchapter the term `information 
     technology' has the meaning given that term in section 5002 
     of the Clinger-Cohen Act of 1996 (40 U.S.C. 1401).

     ``Sec. 3533. Authority and functions of the Director

       ``(a)(1) Consistent with subchapter I, the Director shall 
     establish governmentwide policies for the management of 
     programs that support the cost-effective security of Federal 
     information systems by promoting security as an integral 
     component of each agency's business operations.
       ``(2) Policies under this subsection shall--
       ``(A) be founded on a continuing risk management cycle that 
     recognizes the need to--
       ``(i) identify, assess, and understand risk; and
       ``(ii) determine security needs commensurate with the level 
     of risk;
       ``(B) implement controls that adequately address the risk;
       ``(C) promote continuing awareness of information security 
     risk;
       ``(D) continually monitor and evaluate policy; and
       ``(E) control effectiveness of information security 
     practices.
       ``(b) The authority under subsection (a) includes the 
     authority to--
       ``(1) oversee and develop policies, principles, standards, 
     and guidelines for the handling of Federal information and 
     information resources to improve the efficiency and 
     effectiveness of governmental operations, including 
     principles, policies, and guidelines for the implementation 
     of agency responsibilities under applicable law for ensuring 
     the privacy, confidentiality, and security of Federal 
     information;
       ``(2) consistent with the standards and guidelines 
     promulgated under section 5131 of the Clinger-Cohen Act of 
     1996 (40 U.S.C. 1441) and sections 5 and 6 of the Computer 
     Security Act of 1987 (40 U.S.C. 759 note; Public Law 100-235; 
     101 Stat. 1729), require Federal agencies to identify and 
     afford security protections commensurate with the risk and 
     magnitude of the harm resulting from the loss, misuse, or 
     unauthorized access to or modification of information 
     collected or maintained by or on behalf of an agency;
       ``(3) direct the heads of agencies to coordinate such 
     agencies and coordinate with industry to--
       ``(A) identify, use, and share best security practices; and
       ``(B) develop voluntary consensus-based standards for 
     security controls, in a manner consistent with section 
     2(b)(13) of the National Institute of Standards and 
     Technology Act (15 U.S.C. 272(b)(13));
       ``(4) oversee the development and implementation of 
     standards and guidelines relating to security controls for 
     Federal computer systems by the Secretary of Commerce through 
     the National Institute of Standards and Technology under 
     section 5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 
     1441) and section 20 of the National Institute of Standards 
     and Technology Act (15 U.S.C. 278g-3);
       ``(5) oversee and coordinate compliance with this section 
     in a manner consistent with--
       ``(A) sections 552 and 552a of title 5;
       ``(B) sections 20 and 21 of the National Institute of 
     Standards and Technology Act (15 U.S.C. 278g-3 and 278g-4);
       ``(C) section 5131 of the Clinger-Cohen Act of 1996 (40 
     U.S.C. 1441);
       ``(D) sections 5 and 6 of the Computer Security Act of 1987 
     (40 U.S.C. 759 note; Public Law 100-235; 101 Stat. 1729); and
       ``(E) related information management laws; and
       ``(6) take any authorized action that the Director 
     considers appropriate, including any action involving the 
     budgetary process or appropriations management process, to 
     enforce accountability of the head of an agency for 
     information resources management and for the investments made 
     by the agency in information technology, including--
       ``(A) recommending a reduction or an increase in any amount 
     for information resources that the head of the agency 
     proposes for the budget submitted to Congress under section 
     1105(a) of title 31;
       ``(B) reducing or otherwise adjusting apportionments and 
     reapportionments of appropriations for information resources; 
     and
       ``(C) using other authorized administrative controls over 
     appropriations to restrict the availability of funds for 
     information resources.
       ``(c) The authority under this section may be delegated 
     only to the Deputy Director for Management of the Office of 
     Management and Budget.

     ``Sec. 3534. Federal agency responsibilities

       ``(a) The head of each agency shall--
       ``(1) be responsible for--
       ``(A) adequately protecting the integrity, confidentiality, 
     and availability of information and information systems 
     supporting agency operations and assets; and
       ``(B) developing and implementing information security 
     policies, procedures, and control techniques sufficient to 
     afford security protections commensurate with the risk and 
     magnitude of the harm resulting from unauthorized disclosure, 
     disruption, modification, or destruction of information 
     collected or maintained by or for the agency;
       ``(2) ensure that each senior program manager is 
     responsible for--
       ``(A) assessing the information security risk associated 
     with the operations and assets of such manager;
       ``(B) determining the levels of information security 
     appropriate to protect the operations and assets of such 
     manager; and
       ``(C) periodically testing and evaluating information 
     security controls and techniques;
       ``(3) delegate to the agency Chief Information Officer 
     established under section 3506, or a comparable official in 
     an agency not covered by such section, the authority to 
     administer all functions under this subchapter including--
       ``(A) designating a senior agency information security 
     officer;
       ``(B) developing and maintaining an agencywide information 
     security program as required under subsection (b);
       ``(C) ensuring that the agency effectively implements and 
     maintains information security policies, procedures, and 
     control techniques;
       ``(D) training and overseeing personnel with significant 
     responsibilities for information security with respect to 
     such responsibilities; and
       ``(E) assisting senior program managers concerning 
     responsibilities under paragraph (2);
       ``(4) ensure that the agency has trained personnel 
     sufficient to assist the agency in complying with the 
     requirements of this subchapter and related policies, 
     procedures, standards, and guidelines; and
       ``(5) ensure that the agency Chief Information Officer, in 
     coordination with senior program managers, periodically--
       ``(A)(i) evaluates the effectiveness of the agency 
     information security program, including testing control 
     techniques; and
       ``(ii) implements appropriate remedial actions based on 
     that evaluation; and
       ``(B) reports to the agency head on--
       ``(i) the results of such tests and evaluations; and
       ``(ii) the progress of remedial actions.
       ``(b)(1) Each agency shall develop and implement an 
     agencywide information security program to provide 
     information security for the operations and assets of the 
     agency, including information security provided or managed by 
     another agency.
       ``(2) Each program under this subsection shall include--
       ``(A) periodic assessments of information security risks 
     that consider internal and external threats to--
       ``(i) the integrity, confidentiality, and availability of 
     systems; and
       ``(ii) data supporting critical operations and assets;
       ``(B) policies and procedures that--
       ``(i) are based on the risk assessments required under 
     paragraph (1) that cost-effectively reduce information 
     security risks to an acceptable level; and
       ``(ii) ensure compliance with--
       ``(I) the requirements of this subchapter;
       ``(II) policies and procedures as may be prescribed by the 
     Director; and
       ``(III) any other applicable requirements;
       ``(C) security awareness training to inform personnel of--
       ``(i) information security risks associated with personnel 
     activities; and
       ``(ii) responsibilities of personnel in complying with 
     agency policies and procedures designed to reduce such risks;
       ``(D)(i) periodic management testing and evaluation of the 
     effectiveness of information security policies and 
     procedures; and
       ``(ii) a process for ensuring remedial action to address 
     any deficiencies; and
       ``(E) procedures for detecting, reporting, and responding 
     to security incidents, including--
       ``(i) mitigating risks associated with such incidents 
     before substantial damage occurs;
       ``(ii) notifying and consulting with law enforcement 
     officials and other offices and authorities; and
       ``(iii) notifying and consulting with an office designated 
     by the Administrator of General Services within the General 
     Services Administration.
       ``(3) Each program under this subsection is subject to the 
     approval of the Director and is required to be reviewed at 
     least annually by agency program officials in consultation 
     with the Chief Information Officer.
       ``(c)(1) Each agency shall examine the adequacy and 
     effectiveness of information security policies, procedures, 
     and practices in plans and reports relating to--
       ``(A) annual agency budgets;
       ``(B) information resources management under the Paperwork 
     Reduction Act of 1995 (44 U.S.C. 101 note);
       ``(C) program performance under sections 1105 and 1115 
     through 1119 of title 31, and sections 2801 through 2805 of 
     title 39; and
       ``(D) financial management under--
       ``(i) chapter 9 of title 31, United States Code, and the 
     Chief Financial Officers Act of 1990 (31 U.S.C. 501 note; 
     Public Law 101-576) (and the amendments made by that Act);
       ``(ii) the Federal Financial Management Improvement Act of 
     1996 (31 U.S.C. 3512 note) (and the amendments made by that 
     Act); and
       ``(iii) the internal controls conducted under section 3512 
     of title 31.
       ``(2) Any deficiency in a policy, procedure, or practice 
     identified under paragraph (1) shall be reported as a 
     material weakness in reporting required under the applicable 
     provision of law under paragraph (1).

     ``Sec. 3535. Annual independent evaluation

       ``(a)(1) Each year each agency shall have an independent 
     evaluation performed of the information security program and 
     practices of that agency.
       ``(2) Each evaluation under this section shall include--
       ``(A) an assessment of compliance with--
       ``(i) the requirements of this subchapter; and
       ``(ii) related information security policies, procedures, 
     standards, and guidelines; and
       ``(B) tests of the effectiveness of information security 
     control techniques.
       ``(b)(1) For agencies with Inspectors General appointed 
     under the Inspector General Act of 1978 (5 U.S.C. App.), 
     annual evaluations required under this section shall be 
     performed by the Inspector General or by an independent 
     external auditor, as determined by the Inspector General of 
     the agency.
       ``(2) For any agency to which paragraph (1) does not apply, 
     the head of the agency shall contract with an independent 
     external auditor to perform the evaluation.
       ``(3) An evaluation of agency information security programs 
     and practices performed by the Comptroller General may be in 
     lieu of the evaluation required under this section.
       ``(c) Not later than March 1, 2001, and every March 1 
     thereafter, the results of an evaluation required under this 
     section shall be submitted to the Director.
       ``(d) Each year the Comptroller General shall--
       ``(1) review the evaluations required under this section 
     and other information security evaluation results; and
       ``(2) report to Congress regarding the adequacy of agency 
     information programs and practices.
       ``(e) Agencies and auditors shall take appropriate actions 
     to ensure the protection of information, the disclosure of 
     which may adversely affect information security. Such 
     protections shall be commensurate with the risk and comply 
     with all applicable laws.''.

     SEC. 3. RESPONSIBILITIES OF CERTAIN AGENCIES.

       (a) Department of Commerce.--The Secretary of Commerce, 
     through the National Institute of Standards and Technology 
     and with technical assistance from the National Security 
     Agency, shall--
       (1) develop, issue, review, and update standards and 
     guidance for the security of information in Federal computer 
     systems, including development of methods and techniques for 
     security systems and validation programs;
       (2) develop, issue, review, and update guidelines for 
     training in computer security awareness and accepted computer 
     security practices, with assistance from the Office of 
     Personnel Management;
       (3) provide agencies with guidance for security planning to 
     assist in the development of applications and system security 
     plans for such agencies;
       (4) provide guidance and assistance to agencies concerning 
     cost-effective controls when interconnecting with other 
     systems; and
       (5) evaluate information technologies to assess security 
     vulnerabilities and alert Federal agencies of such 
     vulnerabilities.
       (b) Department of Justice.--The Department of Justice shall 
     review and update guidance to agencies on--
       (1) legal remedies regarding security incidents and ways to 
     report to and work with law enforcement agencies concerning 
     such incidents; and
       (2) permitted uses of security techniques and technologies.
       (c) General Services Administration.--The General Services 
     Administration shall--
       (1) review and update General Services Administration 
     guidance to agencies on addressing security considerations 
     when acquiring information technology; and
       (2) assist agencies in the acquisition of cost-effective 
     security products, services, and incident response 
     capabilities.
       (d) Office of Personnel Management.--The Office of 
     Personnel Management shall--
       (1) review and update Office of Personnel Management 
     regulations concerning computer security training for Federal 
     civilian employees; and
       (2) assist the Department of Commerce in updating and 
     maintaining guidelines for training in computer security 
     awareness and computer security best practices.

     SEC. 4. TECHNICAL AND CONFORMING AMENDMENTS.

       (a) In General.--Chapter 35 of title 44, United States 
     Code, is amended--
       (1) in the table of sections--
       (A) by inserting after the chapter heading the following:

             ``SUBCHAPTER I--FEDERAL INFORMATION POLICY'';

     and
       (B) by inserting after the item relating to section 3520 
     the following:

                 ``SUBCHAPTER II--INFORMATION SECURITY

``Sec.
``3531. Purposes.
``3532. Definitions.
``3533. Authority and functions of the Director.
``3534. Federal agency responsibilities.
``3535. Annual independent evaluation.'';
     and
       (2) by inserting before section 3501 the following:

             ``SUBCHAPTER I--FEDERAL INFORMATION POLICY''.

       (b) References to Chapter 35.--Chapter 35 of title 44, 
     United States Code, is amended--
       (1) in section 3501--
       (A) in the matter preceding paragraph (1), by striking 
     ``chapter'' and inserting ``subchapter''; and
       (B) in paragraph (11), by striking ``chapter'' and 
     inserting ``subchapter'';
       (2) in section 3502, in the matter preceding paragraph (1), 
     by striking ``chapter'' and inserting ``subchapter'';
       (3) in section 3503, in subsection (b), by striking 
     ``chapter'' and inserting ``subchapter'';
       (4) in section 3504--
       (A) in subsection (a)(2), by striking ``chapter'' and 
     inserting ``subchapter'';
       (B) in subsection (d)(2), by striking ``chapter'' and 
     inserting ``subchapter''; and
       (C) in subsection (f)(1), by striking ``chapter'' and 
     inserting ``subchapter'';
       (5) in section 3505--
       (A) in subsection (a), in the matter preceding paragraph 
     (1), by striking ``chapter'' and inserting ``subchapter'';
       (B) in subsection (a)(2), by striking ``chapter'' and 
     inserting ``subchapter''; and
       (C) in subsection (a)(3)(B)(iii), by striking ``chapter'' 
     and inserting ``subchapter'';
       (6) in section 3506--
       (A) in subsection (a)(1)(B), by striking ``chapter'' and 
     inserting ``subchapter'';
       (B) in subsection (a)(2)(A), by striking ``chapter'' and 
     inserting ``subchapter'';
       (C) in subsection (a)(2)(B), by striking ``chapter'' and 
     inserting ``subchapter'';
       (D) in subsection (a)(3)--
       (i) in the first sentence, by striking ``chapter'' and 
     inserting ``subchapter''; and
       (ii) in the second sentence, by striking ``chapter'' and 
     inserting ``subchapter'';
       (E) in subsection (b)(4), by striking ``chapter'' and 
     inserting ``subchapter'';
       (F) in subsection (c)(1), by striking ``chapter, to'' and 
     inserting ``subchapter, to''; and
       (G) in subsection (c)(1)(A), by striking ``chapter'' and 
     inserting ``subchapter'';
       (7) in section 3507--
       (A) in subsection (e)(3)(B), by striking ``chapter'' and 
     inserting ``subchapter'';
       (B) in subsection (h)(2)(B), by striking ``chapter'' and 
     inserting ``subchapter'';
       (C) in subsection (h)(3), by striking ``chapter'' and 
     inserting ``subchapter'';
       (D) in subsection (j)(1)(A)(i), by striking ``chapter'' and 
     inserting ``subchapter'';
       (E) in subsection (j)(1)(B), by striking ``chapter'' and 
     inserting ``subchapter''; and
       (F) in subsection (j)(2), by striking ``chapter'' and 
     inserting ``subchapter'';
       (8) in section 3509, by striking ``chapter'' and inserting 
     ``subchapter'';
       (9) in section 3512--
       (A) in subsection (a), by striking ``chapter if'' and 
     inserting ``subchapter if''; and
       (B) in subsection (a)(1), by striking ``chapter'' and 
     inserting ``subchapter'';
       (10) in section 3514--
       (A) in subsection (a)(1)(A), by striking ``chapter'' and 
     inserting ``subchapter''; and
       (B) in subsection (a)(2)(A)(ii), by striking ``chapter'' 
     and inserting ``subchapter'' each place it appears;
       (11) in section 3515, by striking ``chapter'' and inserting 
     ``subchapter'';
       (12) in section 3516, by striking ``chapter'' and inserting 
     ``subchapter'';
       (13) in section 3517(b), by striking ``chapter'' and 
     inserting ``subchapter'';
       (14) in section 3518--
       (A) in subsection (a), by striking ``chapter'' and 
     inserting ``subchapter'' each place it appears;
       (B) in subsection (b), by striking ``chapter'' and 
     inserting ``subchapter'';
       (C) in subsection (c)(1), by striking ``chapter'' and 
     inserting ``subchapter'';
       (D) in subsection (c)(2), by striking ``chapter'' and 
     inserting ``subchapter'';
       (E) in subsection (d), by striking ``chapter'' and 
     inserting ``subchapter''; and
       (F) in subsection (e), by striking ``chapter'' and 
     inserting ``subchapter''; and
       (15) in section 3520, by striking ``chapter'' and inserting 
     ``subchapter''.

     SEC. 5. EFFECTIVE DATE.

       This Act and the amendments made by this Act shall take 
     effect 30 days after the date of enactment of this Act.

 Mr. LIEBERMAN. Mr. President, I am pleased to join today with 
Senator Thompson in introducing the Government Information Security Act 
of 1999. This bill would put a management structure in place for the 
implementation of risk-based computer security measures across the 
government.
  We are introducing this bill in the closing days of this session with 
the hope that it will serve as the basis for launching a discussion 
about the most effective ways to improve government's approach to 
computer security. We invite and look forward to comments from 
government agencies, industry and academic experts, think tanks and 
others who have been involved in this field.
  Like the rest of the nation, the government is increasingly dependent 
on computer and other electronic information systems to collect, 
analyze and preserve important data and perform vital tasks. Government 
computer systems are rife with sensitive information pertaining to the 
fundamentals of our existence--our national security, the strength of 
our economy, transportation and communications systems, and the 
personal lives of millions of individual citizens. The Department of 
Defense and other national security agencies control our weapons of 
mass destruction and track the offensive movements of enemy states 
through complex computer programs; the Internal Revenue Service 
maintains an automated system of wage information on every working 
American; the Federal Reserve calculates key economic indicators 
electronically and the Center for Disease Control relies on computers 
to track threats to the nation's public health.
  And yet, this computer-reliant infrastructure is frighteningly 
vulnerable to exploitation not only by trouble-makers and professional 
hackers but by organized crime and international terrorists. Indeed, a 
disruption of our communications, transportation and energy sectors 
could prove as destructive as any conventional weapons attack to our 
ability to defend our privacy, our safety, even our freedom.
  Indeed, witnesses before the Governmental Affairs Committee last 
Congress testified that the government's reliance on computer systems 
is not matched by a concomitant growth in the security of those 
systems. A series of Government Accounting Office studies found 
government computer security so lax that it landed on the GAO's list of 
``high risk'' government programs. For example, this year, GAO reported 
that one of its test teams gained access to mission critical computer 
systems at NASA which would have allowed the team to control spacecraft 
or alter data returned from space. In May 1998, the GAO was able to 
gain unauthorized access to the State Department's networks which would 
have enabled GAO to modify, delete or download important data and 
shut down services. And the GAO reported in September 1998 that 
inadequate information system controls by the Veterans Administration 
threatened the disruption or misuse of service delivery to the men and 
women who have fought our wars.
  Less significant on a global scale, but of utmost concern to 
individual citizens is the extent to which inadequate security leaves 
personal information, and therefore people, vulnerable to exposure and 
exploitation. Our legislation will address personal information 
maintained by the government such as benefits and tax data and 
demographics culled from personal information we supply to the Census 
Bureau.
  While the GAO's work is compelling, I am convinced by two other 
developments that legislation in this area needs to be addressed 
quickly. First, we have been intensely focused throughout the year on 
fixing the computer problems associated with Y2K. Ensuring that the 
information our government collects and produces is secure may seem 
similar to the Y2K issue because both reflect our dependency on 
computers and their vulnerability to programming failures and outside 
disruptions. The need for secure government computer systems, however, 
will not disappear in the first days and weeks of the year 2000. 
Indeed, it will be with us until we have a structure within the 
government dedicated to fixing these problems.
  Second, we have spent significant time this session digging into the 
Los Alamos National Laboratory espionage scandal and allegations that an 
employee improperly downloaded classified material to an unclassified 
computer. The Energy and Justice Departments are still looking into 
this breach of security, but it should focus everyone's attention on 
the vulnerability associated with extensive reliance on computers and the 
undeniable need for improvements in how we manage and secure these 
systems.
  Mr. President, the goal of the bill we are introducing today is to 
protect the integrity, confidentiality and availability of information 
and ensure that critical improvements in the management of our computer 
security system take place. Specifically, our bill would:
  Require high-level accountability. The Director of the Office of 
Management and Budget will be accountable for overseeing policy while 
the agency heads will be accountable for developing specific security 
plans.
  Require agency heads to develop and implement security plans and 
policies based on the appropriate level of risk for the different types 
of information the agency maintains. We need to ensure that each 
agency's plan reflects an understanding that computer security must be 
an integral part of the development process for any new system. 
Agencies now tend to develop a system and consider security issues only 
as an afterthought, if at all.
  Establish an ongoing, periodic reporting, testing and evaluation 
process to gauge the effectiveness of the policies and procedures. This 
would be accomplished through agency budgets, program performance and 
financial management.
  Require an independent, annual audit of all information security 
practices and programs within an agency. The audit would be conducted 
either by the agency's Inspector General, GAO or an independent 
external auditor. GAO has told us that an audit requirement is 
essential to monitoring agencies' management of information security 
and to ensure that these systems are kept current.
  Require that agencies report unauthorized intrusions into government 
systems. GSA currently has a program where agencies can report and seek 
help to respond to intrusions into their information systems and share 
information concerning common vulnerabilities and threats. Our bill 
would require agencies to use this reporting and monitoring system.
  Mr. President, the provisions of this bill would apply to all 
information, including classified and unclassified information 
maintained on civilian and national security systems. We are also 
considering whether the bill's provisions should apply to government 
owned, contractor operated facilities including laboratories engaged in 
national defense research. We look forward to discussions with the 
defense and intelligence communities on how best to address these 
issues.
  There are a number of areas we have not addressed, and I welcome 
comments on how best to handle these areas. For example:
  We need to ensure that computer security systems will not interfere 
with the ability of agencies to share data and communicate with each 
other and the rest of the world. The new era of ``e-business'' and ``e-
government'' holds untold opportunities for improving government 
efficiency, and that's something we want to encourage.
  The government needs to rapidly and safely increase the number of 
trained technical information security professionals. There are a range 
of approaches to addressing this need, including incentives to 
universities to train more people in this area; contracting out to the 
private sector; establishing a CyberCorps at universities based on the 
ROTC model; or establishing special career designations for personnel 
specializing in computer security.

[[Page S15112]]

  We should consider whether current technology will meet the 
government's computer security needs or whether we need to develop 
incentives for technology development. A Presidential advisory 
committee is developing recommendations based on a national laboratory 
model to conduct research and development of security technology with a 
possible secondary focus on testing.
  We are interested in exploring whether provisions in this bill 
addressing risk and technology standards, which are now voluntary, 
consensus-based standards, should be issued as minimum mandatory 
requirements for successive levels of risk.
  And we will also consider issues relating to budgetary needs, privacy 
requirements, performance measures and how best to coordinate 
information security and management within the federal government.
  Mr. President, I expect what we have proposed will generate a hearty 
debate. As I have said, I consider this bill a work in progress, so I 
look forward to hearing from a wide range of interested parties and to 
working with the Chairman to craft the best possible legislation to 
protect the integrity and the confidentiality of the government's vast 
storehouse of information.
                                 ______