[Congressional Record Volume 154, Number 90 (Tuesday, June 3, 2008)]
[House]
[Pages H4853-H4856]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
FEDERAL AGENCY DATA PROTECTION ACT
Mr. CLAY. Mr. Speaker, I move to suspend the rules and pass the bill
(H.R. 4791) to amend title 44, United States Code, to strengthen
requirements for ensuring the effectiveness of information security
controls over information resources that support Federal operations and
assets, and for other purposes, as amended.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 4791
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Federal
Agency Data Protection Act''.
(b) Table of Contents.--The table of contents of this Act
is as follows:
Sec. 1. Short title; table of contents.
Sec. 2. Purpose.
Sec. 3. Definitions.
Sec. 4. Authority of Director of Office of Management and Budget to
establish information security policies and procedures.
Sec. 5. Responsibilities of Federal agencies for information security.
Sec. 6. Federal agency data breach notification requirements.
Sec. 7. Protection of government computers from risks of peer-to-peer
file sharing.
Sec. 8. Annual independent audit.
Sec. 9. Best practices for privacy impact assessments.
Sec. 10. Implementation.
SEC. 2. PURPOSE.
The purpose of this Act is to protect personally
identifiable information of individuals that is maintained in
or transmitted by Federal agency information systems.
SEC. 3. DEFINITIONS.
(a) Personally Identifiable Information and Mobile Digital
Device Definitions.--Section 3542(b) of title 44, United
States Code, is amended by adding at the end the following
new paragraphs:
``(4) The term `personally identifiable information', with
respect to an individual, means any information about the
individual maintained by an agency, including information--
``(A) about the individual's education, finances, or
medical, criminal, or employment history;
``(B) that can be used to distinguish or trace the
individual's identity, including name, social security
number, date and place of birth, mother's maiden name, or
biometric records; or
``(C) that is otherwise linked or linkable to the
individual.
``(5) The term `mobile digital device' includes any device
that can store or process information electronically and is
designed to be used in a manner not limited to a fixed
location, including--
``(A) processing devices such as laptop computers,
communication devices, and other hand-held computing devices;
and
``(B) storage devices such as portable hard drives, CD-
ROMs, DVDs, and other portable electronic media.''.
(b) Conforming Amendments.--Section 208 of the E-Government
Act of 2002 (Public Law 107-347; 44 U.S.C. 3501 note) is
amended--
(1) in subsection (b)(1)(A)--
(A) in clause (i), by striking ``information that is in an
identifiable form'' and inserting ``personally identifiable
information''; and
(B) in clause (ii)(II), by striking ``information in an
identifiable form permitting the physical or online
contacting of a specific individual'' and inserting
``personally identifiable information'';
(2) in subsection (b)(2)(B)(i), by striking ``information
that is in an identifiable form'' and inserting ``personally
identifiable information'';
(3) in subsection (b)(3)(C), by striking ``information that
is in an identifiable form'' and inserting ``personally
identifiable information''; and
(4) in subsection (d), by striking the text and inserting
``In this section, the term `personally identifiable
information' has the meaning given that term in section
3542(b)(4) of title 44, United States Code.''.
SEC. 4. AUTHORITY OF DIRECTOR OF OFFICE OF MANAGEMENT AND
BUDGET TO ESTABLISH INFORMATION SECURITY
POLICIES AND PROCEDURES.
Section 3543(a) of title 44, United States Code, is
amended--
(1) by inserting before the semicolon at the end of
paragraph (5) the following: ``, including plans and
schedules, developed by the agency on the basis of priorities
for addressing levels of identified risk, for conducting--
``(A) testing and evaluation, as required under section
3544(b)(5); and
``(B) remedial action, as required under section
3544(b)(6), to address deficiencies identified by such
testing and evaluation''; and
(2) by adding at the end the following:
``(9) establishing minimum requirements regarding the
protection of personally identifiable information maintained
in or transmitted by mobile digital devices, including
requirements for the use of technologies that efficiently and
effectively render information unusable by unauthorized
persons;
``(10) requiring agencies to comply with--
``(A) minimally acceptable system configuration
requirements consistent with best practices, including
checklists developed under section 8(c) of the Cyber Security
Research and Development Act (Public Law 107-305; 116 Stat.
2378) by the Director of the National Institute of Standards
and Technology; and
``(B) minimally acceptable requirements for periodic
testing and evaluation of the implementation of such
configuration requirements;
``(11) ensuring that agency contracts for (or involving or
including) the provision of information technology products
or services include requirements for contractors to meet
minimally acceptable configuration requirements, as required
under paragraph (10);
``(12) ensuring the establishment through regulation and
guidance of contract requirements to ensure compliance with
this subchapter with regard to providing information security
for information and information systems used or operated by a
contractor of an agency or other organization on behalf of
the agency; and''.
SEC. 5. RESPONSIBILITIES OF FEDERAL AGENCIES FOR INFORMATION
SECURITY.
Section 3544(b) of title 44, United States Code, is
amended--
(1) in paragraph (2)(D)(iii), by striking ``as determined
by the agency'' and inserting ``as required by the Director
under section 3543(a)(10)'';
(2) in paragraph (5)--
(A) by inserting after ``annually'' the following: ``and as
approved by the Director'';
(B) by striking ``and'' at the end of subparagraph (A);
(C) by redesignating subparagraph (B) as subparagraph (D);
and
(D) by inserting after subparagraph (A) the following:
``(B) shall include testing and evaluation of system
configuration requirements as required under section
3543(a)(10);
``(C) shall include testing of systems operated by a
contractor of the agency or other organization on behalf of
the agency, which testing requirement may be satisfied by
independent testing, evaluation, or audit of such systems;
and'';
(3) by striking ``and'' at the end of paragraph (7);
(4) by striking the period at the end of paragraph (8) and
inserting a semicolon; and
(5) by adding at the end the following:
``(9) plans and procedures for ensuring the adequacy of
information security protections for systems maintaining or
transmitting personally identifiable information, including
requirements for--
``(A) maintaining a current inventory of systems
maintaining or transmitting such information;
``(B) implementing information security requirements for
mobile digital devices maintaining or transmitting such
information, as required by the Director (including the use
of technologies rendering data unusable by unauthorized
persons); and
``(C) developing, implementing, and overseeing remediation
plans to address vulnerabilities in information security
protections for such information;''.
SEC. 6. FEDERAL AGENCY DATA BREACH NOTIFICATION REQUIREMENTS.
(a) Authority of Director of Office of Management and
Budget To Establish Data Breach Policies.--Section 3543(a) of
title 44, United States Code, as amended by section 4, is
further amended--
(1) by striking ``and'' at the end of paragraph (7);
[[Page H4854]]
(2) in paragraph (8)--
(A) by striking ``and'' at the end of subparagraph (D);
(B) by striking the period and inserting ``; and'' at the
end of subparagraph (E); and
(C) by adding at the end the following new subparagraph:
``(F) a summary of the breaches of information security
reported by agencies to the Director and the Federal
information security incident center pursuant to paragraph
(13);''; and
(3) by adding at the end the following:
``(13) establishing policies, procedures, and standards for
agencies to follow in the event of a breach of data security
involving the disclosure of personally identifiable
information, specifically including--
``(A) a requirement for timely notice to be provided to
those individuals whose personally identifiable information
could be compromised as a result of such breach, except no
notice shall be required if the breach does not create a
reasonable risk--
``(i) of identity theft, fraud, or other unlawful conduct
regarding such individual; or
``(ii) of other harm to the individual;
``(B) guidance on determining how timely notice is to be
provided;
``(C) guidance regarding whether additional special actions
are necessary and appropriate, including data breach
analysis, fraud resolution services, identity theft
insurance, and credit protection or monitoring services; and
``(D) a requirement for timely reporting by the agencies of
such breaches to the Director and Federal information
security center.''.
(b) Authority of Chief Information Officer To Develop and
Maintain Inventories.--Section 3544(a)(3) of title 44, United
States Code, is amended--
(1) by inserting after ``authority to ensure compliance
with'' the following: ``and, to the extent determined
necessary and explicitly authorized by the head of the
agency, to enforce'';
(2) by striking ``and'' at the end of subparagraph (D);
(3) by inserting ``and'' at the end of subparagraph (E);
and
(4) by adding at the end the following:
``(F) developing and maintaining an inventory of all
personal computers, laptops, or any other hardware containing
personally identifiable information;''.
(c) Inclusion of Data Breach Notification.--Section 3544(b)
of title 44, United States Code, as amended by section 5, is
further amended by adding at the end the following:
``(10) procedures for notifying individuals whose
personally identifiable information may have been compromised
or accessed following a breach of information security; and
``(11) procedures for timely reporting of information
security breaches involving personally identifiable
information to the Director and the Federal information
security incident center.''.
(d) Authority of Agency Chief Human Capital Officers To
Assess Federal Personal Property.--Section 1402(a) of title
5, United States Code, is amended--
(1) by striking ``, and'' at the end of paragraph (5) and
inserting a semicolon;
(2) by striking the period and inserting ``; and'' at the
end of paragraph (6); and
(3) by adding at the end the following:
``(7) prescribing policies and procedures for exit
interviews of employees, including a full accounting of all
Federal personal property that was assigned to the employee
during the course of employment.''.
SEC. 7. PROTECTION OF GOVERNMENT COMPUTERS FROM RISKS OF
PEER-TO-PEER FILE SHARING.
(a) Plans Required.--As part of the Federal agency
responsibilities set forth in sections 3544 and 3545 of title
44, United States Code, the head of each agency shall develop
and implement a plan to ensure the security and privacy of
information collected or maintained by or on behalf of the
agency from the risks posed by certain peer-to-peer file
sharing programs.
(b) Contents of Plans.--Such plans shall set forth
appropriate methods, including both technological (such as
the use of software and hardware) and nontechnological
methods (such as employee policies and user training), to
achieve the goal of securing and protecting such information
from the risks posed by peer-to-peer file sharing programs.
(c) Implementation of Plans.--The head of each agency
shall--
(1) develop and implement the plan required under this
section as expeditiously as possible, but in no event later
than six months after the date of the enactment of this Act;
and
(2) review and revise the plan periodically as necessary.
(d) Review of Plans.--Not later than 18 months after the
date of the enactment of this Act, the Comptroller General
shall--
(1) review the adequacy of the agency plans required by
this section; and
(2) submit to the Committee on Oversight and Government
Reform of the House of Representatives and the Committee on
Homeland Security and Governmental Affairs of the Senate a
report on the results of the review, together with any
recommendations the Comptroller General considers
appropriate.
(e) Definitions.--In this section:
(1) Peer-to-peer file sharing program.--The term ``peer-to-
peer file sharing program'' means computer software that
allows the computer on which such software is installed (A)
to designate files available for transmission to another such
computer, (B) to transmit files directly to another such
computer, and (C) to request the transmission of files from
another such computer. The term does not include the use of
such software for file sharing between, among, or within
Federal, State, or local government agencies in order to
perform official agency business.
(2) Agency.--The term ``agency'' has the meaning provided
by section 3502 of title 44, United States Code.
SEC. 8. ANNUAL INDEPENDENT AUDIT.
(a) Requirement for Audit Instead of Evaluation.--Section
3545 of title 44, United States Code, is amended--
(1) in the section heading, by striking ``evaluation'' and
inserting ``audit''; and
(2) in paragraphs (1) and (2) of subsection (a), by
striking ``evaluation'' and inserting ``audit'' both places
it appears.
(b) Additional Specific Requirements for Audits.--Section
3545(a) of such title is amended--
(1) in paragraph (2)--
(A) in subparagraph (A), by striking ``subset of the
agency's information systems;'' and inserting the following:
``subset of--
``(i) the information systems used or operated by the
agency; and
``(ii) the information systems used, operated, or supported
on behalf of the agency by a contractor of the agency, any
subcontractor (at any tier) of such a contractor, or any
other entity;'';
(B) in subparagraph (B), by striking ``and'' at the end;
(C) in subparagraph (C), by striking the period and
inserting ``; and''; and
(D) by adding at the end the following new subparagraph:
``(D) a conclusion whether the agency's information
security controls are effective, including an identification
of any significant deficiencies in such controls.''; and
(2) by adding at the end the following new paragraph:
``(3) Each audit under this section shall conform to
generally accepted government auditing standards.''.
(c) Conforming Amendments.--
(1) Each of the following provisions of section 3545 of
title 44, United States Code, is amended by striking
``evaluation'' and inserting ``audit'' each place it appears:
(A) Subsection (b)(1).
(B) Subsection (b)(2).
(C) Subsection (c).
(D) Subsection (e)(1).
(E) Subsection (e)(2).
(2) Section 3545(d) of such title is amended to read as
follows:
``(d) Existing Audits.--The audit required by this section
may be based in whole or in part on an audit relating to
programs or practices of the applicable agency.''.
(3) Section 3545(f) of such title is amended by striking
``evaluators'' and inserting ``auditors''.
(4) Section 3545(g)(1) of such title is amended by striking
``evaluations'' and inserting ``audits''.
(5) Section 3545(g)(3) of such title is amended by striking
``Evaluations'' and inserting ``Audits''.
(6) Section 3543(a)(8)(A) of such title is amended by
striking ``evaluations'' and inserting ``audits''.
(7) Section 3544(b)(5)(D) of such title (as redesignated by
section 5(2)(C)) is amended by striking ``a evaluation'' and
inserting ``an audit''.
SEC. 9. BEST PRACTICES FOR PRIVACY IMPACT ASSESSMENTS.
Section 208(b)(3) of the E-Government Act of 2002 (Public
Law 107-347; 44 U.S.C. 3501 note) is amended--
(1) in subparagraph (B), by striking ``and'' at the end;
(2) in subparagraph (C), by striking the period and
inserting ``; and'', and
(3) by adding at the end the following:
``(D) develop best practices for agencies to follow in
conducting privacy impact assessments.''.
SEC. 10. IMPLEMENTATION.
Except as otherwise specifically provided in this Act,
implementation of this Act and the amendments made by this
Act shall begin not later than 90 days after the date of the
enactment of this Act.
The SPEAKER pro tempore. Pursuant to the rule, the gentleman from
Missouri (Mr. Clay) and the gentlewoman from North Carolina (Ms. Foxx)
each will control 20 minutes.
The Chair recognizes the gentleman from Missouri.
General Leave
Mr. CLAY. Mr. Speaker, I ask unanimous consent that all Members may
have 5 legislative days in which to revise and extend their remarks.
The SPEAKER pro tempore. Is there objection to the request of the
gentleman from Missouri?
There was no objection.
Mr. CLAY. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, as chairman of the Subcommittee of Information Policy,
Census and National Archives, I am pleased to join my colleagues in the
consideration of H.R. 4791, the Federal Agency Data Protection Act, a
bill to protect personally identifiable information of individuals that
is maintained in or transmitted by Federal agency information systems.
H.R. 4791, which I introduced along with Chairman Henry Waxman and
Representative Ed Towns on December 18, 2007, was reported from the
Committee on Oversight and Government Reform on May 21, 2008. I want to
also thank Ranking Member Tom Davis for working with us on this
legislation, especially on the notification provision.
[[Page H4855]]
Despite progress made with the implementation of the Federal
Information Security Management Act, or FISMA, GAO found that pervasive
weaknesses continue to exist primarily because agencies fail to
maintain secure IT networks. As a result, GAO concluded that Federal
financial data are at risk of unauthorized modification or destruction,
sensitive information at risk of inappropriate disclosure, and critical
operations at risk of disruption.
H.R. 4791 would secure our agencies' IT access and require an annual
audit of agency programs. The bill would also establish a comprehensive
definition for ``personally identifiable information'' and mandate that
agencies notify individuals when their personal information is accessed
in a data breach.
Mr. Speaker, in light of today's report that 1,000 patients at Walter
Reed Army Medical Center and other military hospitals had their names,
Social Security numbers and birth dates exposed in a security breach,
this is a timely measure that provides Americans with some assurance
that the Federal Government will work diligently to protect their
personal information.
I urge the swift passage of H.R. 4791.
Mr. Speaker, I reserve the balance of my time.
{time} 1600
Ms. FOXX. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, I rise today to speak on H.R. 4791, the Federal Agency
Data Protection Act. While we appreciate the majority's willingness to
incorporate several suggestions from our side such as including
language from H.R. 2124, Representative Tom Davis' Federal Agency Data
Breach Protection Act, we remain concerned that this legislation misses
some key opportunities to advance legislation which truly strengthens
our Federal information security laws.
But, Mr. Speaker, I rise today to speak on a much more pressing
issue, an issue of great concern to all Americans.
With gas prices soaring to $3.98 per gallon over the weekend,
according to AAA, the House returned officially from Memorial Day break
today, but believe it or not, not a single piece of legislation to help
lower gas prices is on the House schedule this week. This is
particularly amazing since then Minority Leader Nancy Pelosi promised
the American people ``a commonsense plan'' to lower gas prices way back
in April, 2006. And it's particularly troubling since House Republicans
unveiled a comprehensive plan to lower gas prices 2 weeks ago and have
promoted that plan across the country during last week's Memorial Day
recess.
Instead of delivering on their April, 2006, promise, however, the
Democrats in charge of Congress have delivered only a staggering $1.65
Pelosi premium, meaning consumers are forced to pay $1.65 more per
gallon of gasoline compared to what they paid on January 4, 2007, the
Democrats' first day in the majority.
For an average family that fills up its two cars once a week, that's
an astronomical 2,574 more dollars per year that they are forced to pay
at the pump. That's $2,574 less that families have for their children's
educational expenses; $2,574 less for family vacations this summer; and
$2,574 less for food costs, which also are skyrocketing.
No wonder Democrats are continuing to feel the heat for doing
nothing, nothing, to address the rising cost of gasoline.
Let me quote part of a column in Monday's New Hampshire Union Leader
about what Congress has done to contribute to American families' and
small businesses' pain at the pump:
``Congress has prevented the drilling in the Alaska National Wildlife
Refuge, which could be providing 1 million gallons of oil per day.
Congress has put 85 percent of the U.S. coastal areas off-limits for
drilling. Congress has recently prohibited the processing of oil shale,
which could provide substantial quantities of oil economically . . .
``To sum it up, Congress has done nothing to help but lots to
increase our dependence on foreign oil and increase the price
Americans pay for oil and gas.''
An op-ed published over the weekend in the Athens, Georgia, Banner-
Herald makes the case that the Democratic Congress has contributed to
the recent surge in gas prices:
``Drilling is prohibited in the Alaska National Wildlife Refuge, a
potential source of 1 million barrels a day, 5 percent of America's
daily oil consumption. Also off-limits is 85 percent of America's
coastline.
``Americans deserve to know the story, in all its gory details, of
what their government has done and is doing to cause high prices at the
pump and to make gasoline, indeed, all energy, more scarce and more
expensive in the future.''
Indeed, while Democrats have offered nothing more than broken
promises and policies that drive up gas prices, House Republicans have
unveiled a comprehensive plan for lower gas prices and energy
independence. The GOP blueprint promotes alternative and renewable
fuels, harnesses technologies already being employed successfully by
our global competitors, and unlocks America's natural energy resources
through the responsible exploration of oil and gas in the United
States, a reform backed by the majority of Americans, according to a
new Gallup Poll. How much longer will Democrats ignore the will of the
American people by keeping the House Republicans' plan off the House
floor?
Another quote from the Charleston, West Virginia, Daily Mail: ``Doing
Nothing is What Democrats in Congress Have Specialized in, and That's
One of the Reasons Gasoline Costs $4 Per Gallon.''
Mr. Speaker, we can stand here and deal with a lot of issues that
we're dealing with this week, but we need to get to the issues that the
American people want us to deal with, and that's the soaring price of
gasoline and energy costs.
Mr. Speaker, I have no further requests for time, and I yield back
the balance of my time.
Mr. CLAY. Mr. Speaker, in closing, I want to urge the House to
support this bill, H.R. 4791, and to say that the American people
expect that personal information that they share with their government
should be kept private and should be protected, and this bill will
ensure that that information is protected.
Mr. DAVIS of Virginia. Mr. Speaker, secure information is the
lifeblood of effective government. But we've seen a wide range of
incidents involving data loss or theft, privacy breaches, and security
incidents at Federal agencies.
In almost all of these cases, Congress and the public would not have
learned of these events had we not requested the information. After
all, despite the volume of sensitive information held by agencies--tax
returns, military records, health records, to name a few--there
currently is no requirement that agencies notify citizens whose
personal information may have been compromised. We need to ensure the
public knows when its sensitive personal information has been lost or
compromised.
Therefore I am pleased we incorporated my legislation, H.R. 2124,
which requires timely notice be provided to individuals whose sensitive
personal information could be compromised by a breach of data security
at a Federal agency.
In addition to focusing on ensuring adequate protection of
individuals' personal information held by the Federal Government, I
have also spent years focusing on general, government-wide information
management and security policy.
For example, the Privacy Act and the E-Government Act of 2002 outline
the parameters for the protection of personal information. The Federal
Information Security Management Act (FISMA), which I authored, requires
each agency to create a comprehensive risk-based approach to agency-
wide information security management, through preparedness, evaluation,
and reporting requirements.
These laws created a solid foundation for Federal information
security, making security management an integral part of an agency's
operations and ensuring agencies are actively using best practices to
secure the Federal Government's systems.
But it is now incumbent upon us to take Federal information security
to the next level--to find new and innovative ways to secure government
information.
Unfortunately, I do not believe H.R. 4791 does enough. Most of the
provisions contained in this bill are a grab bag of vague requirements,
additional mandates, and misplaced priorities. It casts dynamic
concepts in stone. And it gives agency personnel more boxes to check.
I have long called for a bill with teeth--and an opportunity to
discuss and debate the overall issues associated with improving
Federal
[[Page H4856]]
information security. I think we have missed some key opportunities in
that regard.
For example: (1) We haven't seriously considered, to my knowledge,
the need to pursue providing incentives for agency success--such as
financial incentives for agencies which excel.
(2) We haven't given enough consideration, to my knowledge, to the
need to pursue funding penalties and personnel reforms which provide
real motivation for an agency to improve its information security.
(3) Although I've pushed the scorecards for many years, we need
increased Congressional oversight of agency information security
practices.
(4) Have we done enough to bring greater consistency across the IG
community regarding standards and review regarding improved information
security?
(5) And in our recent review of this issue, I do not believe we have
considered, nor do we address, what I believe is one of the most
important and complex problems associated with these issues: the
difficulties faced by agency Chief Information Officers in their
attempts to be successful and effective--both in terms of their status
within their agencies and their underlying statutory authority.
(6) Also, have we taken a serious look at whether the creation of a
Federal CIO or an Information Czar at OMB would improve the Federal
Government's ability to handle and process information? I do not
believe so.
Yesterday, OMB Deputy Director for Management, Clay Johnson, wrote to
the Committee asking to work with us on a handful of concerns the
Administration has with the current draft of the legislation. Although
the majority did make important modifications, removing controversial
provisions affecting data brokers for example, which were of particular
concern to Representative Mike Turner, other areas still need to be
addressed.
The Administration has expressed particular concern about the bill's
codification of terms and requirements in statute, including the
definition of ``personally identifiable information'' as well as
various technology-specific provisions, including ``personal digital
devices'' and ``peer-to-peer file-sharing programs''. I have long
maintained that effective security legislation should be technology
neutral to enable the government to adequately address constantly
evolving threats and technologies. Ironically, we could find ourselves
less secure as agencies are forced to meet outdated mandates and
requirements. I trust the majority is willing to continue these
discussions as the legislation moves forward.
Mr. Speaker, public confidence in government is essential. In the
end, the public demands effective government. And effective government
depends on secure information. I remain concerned that this legislation
falls short in a number of these important areas.
Mr. CLAY. Mr. Speaker, I yield back the balance of my time.
The SPEAKER pro tempore (Mr. Salazar). The question is on the motion
offered by the gentleman from Missouri (Mr. Clay) that the House
suspend the rules and pass the bill, H.R. 4791, as amended.
The question was taken; and (two-thirds being in the affirmative) the
rules were suspended and the bill, as amended, was passed.
A motion to reconsider was laid on the table.
____________________