[Congressional Record Volume 154, Number 90 (Tuesday, June 3, 2008)]
[House]
[Pages H4853-H4856]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                   FEDERAL AGENCY DATA PROTECTION ACT

  Mr. CLAY. Mr. Speaker, I move to suspend the rules and pass the bill 
(H.R. 4791) to amend title 44, United States Code, to strengthen 
requirements for ensuring the effectiveness of information security 
controls over information resources that support Federal operations and 
assets, and for other purposes, as amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 4791

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the ``Federal 
     Agency Data Protection Act''.
       (b) Table of Contents.--The table of contents of this Act 
     is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Purpose.
Sec. 3. Definitions.
Sec. 4. Authority of Director of Office of Management and Budget to 
              establish information security policies and procedures.
Sec. 5. Responsibilities of Federal agencies for information security.
Sec. 6. Federal agency data breach notification requirements.
Sec. 7. Protection of government computers from risks of peer-to-peer 
              file sharing.
Sec. 8. Annual independent audit.
Sec. 9. Best practices for privacy impact assessments.
Sec. 10. Implementation.

     SEC. 2. PURPOSE.

       The purpose of this Act is to protect personally 
     identifiable information of individuals that is maintained in 
     or transmitted by Federal agency information systems.

     SEC. 3. DEFINITIONS.

       (a) Personally Identifiable Information and Mobile Digital 
     Device Definitions.--Section 3542(b) of title 44, United 
     States Code, is amended by adding at the end the following 
     new paragraphs:
       ``(4) The term `personally identifiable information', with 
     respect to an individual, means any information about the 
     individual maintained by an agency, including information--
       ``(A) about the individual's education, finances, or 
     medical, criminal, or employment history;
       ``(B) that can be used to distinguish or trace the 
     individual's identity, including name, social security 
     number, date and place of birth, mother's maiden name, or 
     biometric records; or
       ``(C) that is otherwise linked or linkable to the 
     individual.
       ``(5) The term `mobile digital device' includes any device 
     that can store or process information electronically and is 
     designed to be used in a manner not limited to a fixed 
     location, including--
       ``(A) processing devices such as laptop computers, 
     communication devices, and other hand-held computing devices; 
     and
       ``(B) storage devices such as portable hard drives, CD-
     ROMs, DVDs, and other portable electronic media.''.
       (b) Conforming Amendments.--Section 208 of the E-Government 
     Act of 2002 (Public Law 107-347; 44 U.S.C. 3501 note) is 
     amended--
       (1) in subsection (b)(1)(A)--
       (A) in clause (i), by striking ``information that is in an 
     identifiable form'' and inserting ``personally identifiable 
     information''; and
       (B) in clause (ii)(II), by striking ``information in an 
     identifiable form permitting the physical or online 
     contacting of a specific individual'' and inserting 
     ``personally identifiable information'';
       (2) in subsection (b)(2)(B)(i), by striking ``information 
     that is in an identifiable form'' and inserting ``personally 
     identifiable information'';
       (3) in subsection (b)(3)(C), by striking ``information that 
     is in an identifiable form'' and inserting ``personally 
     identifiable information''; and
       (4) in subsection (d), by striking the text and inserting 
     ``In this section, the term `personally identifiable 
     information' has the meaning given that term in section 
     3542(b)(4) of title 44, United States Code.''.

     SEC. 4. AUTHORITY OF DIRECTOR OF OFFICE OF MANAGEMENT AND 
                   BUDGET TO ESTABLISH INFORMATION SECURITY 
                   POLICIES AND PROCEDURES.

       Section 3543(a) of title 44, United States Code, is 
     amended--
       (1) by inserting before the semicolon at the end of 
     paragraph (5) the following: ``, including plans and 
     schedules, developed by the agency on the basis of priorities 
     for addressing levels of identified risk, for conducting--
       ``(A) testing and evaluation, as required under section 
     3544(b)(5); and
       ``(B) remedial action, as required under section 
     3544(b)(6), to address deficiencies identified by such 
     testing and evaluation''; and
       (2) by adding at the end the following:
       ``(9) establishing minimum requirements regarding the 
     protection of personally identifiable information maintained 
     in or transmitted by mobile digital devices, including 
     requirements for the use of technologies that efficiently and 
     effectively render information unusable by unauthorized 
     persons;
       ``(10) requiring agencies to comply with--
       ``(A) minimally acceptable system configuration 
     requirements consistent with best practices, including 
     checklists developed under section 8(c) of the Cyber Security 
     Research and Development Act (Public Law 107-305; 116 Stat. 
     2378) by the Director of the National Institute of Standards 
     and Technology; and
       ``(B) minimally acceptable requirements for periodic 
     testing and evaluation of the implementation of such 
     configuration requirements;
       ``(11) ensuring that agency contracts for (or involving or 
     including) the provision of information technology products 
     or services include requirements for contractors to meet 
     minimally acceptable configuration requirements, as required 
     under paragraph (10);
       ``(12) ensuring the establishment through regulation and 
     guidance of contract requirements to ensure compliance with 
     this subchapter with regard to providing information security 
     for information and information systems used or operated by a 
     contractor of an agency or other organization on behalf of 
     the agency; and''.

     SEC. 5. RESPONSIBILITIES OF FEDERAL AGENCIES FOR INFORMATION 
                   SECURITY.

       Section 3544(b) of title 44, United States Code, is 
     amended--
       (1) in paragraph (2)(D)(iii), by striking ``as determined 
     by the agency'' and inserting ``as required by the Director 
     under section 3543(a)(10)'';
       (2) in paragraph (5)--
       (A) by inserting after ``annually'' the following: ``and as 
     approved by the Director'';
       (B) by striking ``and'' at the end of subparagraph (A);
       (C) by redesignating subparagraph (B) as subparagraph (D); 
     and
       (D) by inserting after subparagraph (A) the following:
       ``(B) shall include testing and evaluation of system 
     configuration requirements as required under section 
     3543(a)(10);
       ``(C) shall include testing of systems operated by a 
     contractor of the agency or other organization on behalf of 
     the agency, which testing requirement may be satisfied by 
     independent testing, evaluation, or audit of such systems; 
     and'';
       (3) by striking ``and'' at the end of paragraph (7);
       (4) by striking the period at the end of paragraph (8) and 
     inserting a semicolon; and
       (5) by adding at the end the following:
       ``(9) plans and procedures for ensuring the adequacy of 
     information security protections for systems maintaining or 
     transmitting personally identifiable information, including 
     requirements for--
       ``(A) maintaining a current inventory of systems 
     maintaining or transmitting such information;
       ``(B) implementing information security requirements for 
     mobile digital devices maintaining or transmitting such 
     information, as required by the Director (including the use 
     of technologies rendering data unusable by unauthorized 
     persons); and
       ``(C) developing, implementing, and overseeing remediation 
     plans to address vulnerabilities in information security 
     protections for such information;''.

     SEC. 6. FEDERAL AGENCY DATA BREACH NOTIFICATION REQUIREMENTS.

       (a) Authority of Director of Office of Management and 
     Budget To Establish Data Breach Policies.--Section 3543(a) of 
     title 44, United States Code, as amended by section 4, is 
     further amended--
       (1) by striking ``and'' at the end of paragraph (7);

       (2) in paragraph (8)--
       (A) by striking ``and'' at the end of subparagraph (D);
       (B) by striking the period and inserting ``; and'' at the 
     end of subparagraph (E); and
       (C) by adding at the end the following new subparagraph:
       ``(F) a summary of the breaches of information security 
     reported by agencies to the Director and the Federal 
     information security incident center pursuant to paragraph 
     (13);''; and
       (3) by adding at the end the following:
       ``(13) establishing policies, procedures, and standards for 
     agencies to follow in the event of a breach of data security 
     involving the disclosure of personally identifiable 
     information, specifically including--
       ``(A) a requirement for timely notice to be provided to 
     those individuals whose personally identifiable information 
     could be compromised as a result of such breach, except no 
     notice shall be required if the breach does not create a 
     reasonable risk--
       ``(i) of identity theft, fraud, or other unlawful conduct 
     regarding such individual; or
       ``(ii) of other harm to the individual;
       ``(B) guidance on determining how timely notice is to be 
     provided;
       ``(C) guidance regarding whether additional special actions 
     are necessary and appropriate, including data breach 
     analysis, fraud resolution services, identify theft 
     insurance, and credit protection or monitoring services; and
       ``(D) a requirement for timely reporting by the agencies of 
     such breaches to the Director and Federal information 
     security center.''.
       (b) Authority of Chief Information Officer To Develop and 
     Maintain Inventories.--Section 3544(a)(3) of title 44, United 
     States Code, is amended--
       (1) by inserting after ``authority to ensure compliance 
     with'' the following: ``and, to the extent determined 
     necessary and explicitly authorized by the head of the 
     agency, to enforce'';
       (2) by striking ``and'' at the end of subparagraph (D);
       (3) by inserting ``and'' at the end of subparagraph (E); 
     and
       (4) by adding at the end the following:
       ``(F) developing and maintaining an inventory of all 
     personal computers, laptops, or any other hardware containing 
     personally identifiable information;''.
       (c) Inclusion of Data Breach Notification.--Section 3544(b) 
     of title 44, United States Code, as amended by section 5, is 
     further amended by adding at the end the following:
       ``(10) procedures for notifying individuals whose 
     personally identifiable information may have been compromised 
     or accessed following a breach of information security; and
       ``(11) procedures for timely reporting of information 
     security breaches involving personally identifiable 
     information to the Director and the Federal information 
     security incident center.''.
       (d) Authority of Agency Chief Human Capital Officers To 
     Assess Federal Personal Property.--Section 1402(a) of title 
     5, United States Code, is amended--
       (1) by striking ``, and'' at the end of paragraph (5) and 
     inserting a semicolon;
       (2) by striking the period and inserting ``; and'' at the 
     end of paragraph (6); and
       (3) by adding at the end the following:
       ``(7) prescribing policies and procedures for exit 
     interviews of employees, including a full accounting of all 
     Federal personal property that was assigned to the employee 
     during the course of employment.''.

     SEC. 7. PROTECTION OF GOVERNMENT COMPUTERS FROM RISKS OF 
                   PEER-TO-PEER FILE SHARING.

       (a) Plans Required.--As part of the Federal agency 
     responsibilities set forth in sections 3544 and 3545 of title 
     44, United States Code, the head of each agency shall develop 
     and implement a plan to ensure the security and privacy of 
     information collected or maintained by or on behalf of the 
     agency from the risks posed by certain peer-to-peer file 
     sharing programs.
       (b) Contents of Plans.--Such plans shall set forth 
     appropriate methods, including both technological (such as 
     the use of software and hardware) and nontechnological 
     methods (such as employee policies and user training), to 
     achieve the goal of securing and protecting such information 
     from the risks posed by peer-to-peer file sharing programs.
       (c) Implementation of Plans.--The head of each agency 
     shall--
       (1) develop and implement the plan required under this 
     section as expeditiously as possible, but in no event later 
     than six months after the date of the enactment of this Act; 
     and
       (2) review and revise the plan periodically as necessary.
       (d) Review of Plans.--Not later than 18 months after the 
     date of the enactment of this Act, the Comptroller General 
     shall--
       (1) review the adequacy of the agency plans required by 
     this section; and
       (2) submit to the Committee on Oversight and Government 
     Reform of the House of Representatives and the Committee on 
     Homeland Security and Governmental Affairs of the Senate a 
     report on the results of the review, together with any 
     recommendations the Comptroller General considers 
     appropriate.
       (e) Definitions.--In this section:
       (1) Peer-to-peer file sharing program.--The term ``peer-to-
     peer file sharing program'' means computer software that 
     allows the computer on which such software is installed (A) 
     to designate files available for transmission to another such 
     computer, (B) to transmit files directly to another such 
     computer, and (C) to request the transmission of files from 
     another such computer. The term does not include the use of 
     such software for file sharing between, among, or within 
     Federal, State, or local government agencies in order to 
     perform official agency business.
       (2) Agency.--The term ``agency'' has the meaning provided 
     by section 3502 of title 44, United States Code.

     SEC. 8. ANNUAL INDEPENDENT AUDIT.

       (a) Requirement for Audit Instead of Evaluation.--Section 
     3545 of title 44, United States Code, is amended--
       (1) in the section heading, by striking ``evaluation'' and 
     inserting ``audit'' ; and
       (2) in paragraphs (1) and (2) of subsection (a), by 
     striking ``evaluation'' and inserting ``audit'' both places 
     it appears.
       (b) Additional Specific Requirements for Audits.--Section 
     3545(a) of such title is amended--
       (1) in paragraph (2)--
       (A) in subparagraph (A), by striking ``subset of the 
     agency's information systems;'' and inserting the following: 
     ``subset of--
       ``(i) the information systems used or operated by the 
     agency; and
       ``(ii) the information systems used, operated, or supported 
     on behalf of the agency by a contractor of the agency, any 
     subcontractor (at any tier) of such a contractor, or any 
     other entity;'';
       (B) in subparagraph (B), by striking ``and'' at the end;
       (C) in subparagraph (C), by striking the period and 
     inserting ``; and''; and
       (D) by adding at the end the following new subparagraph:
       ``(D) a conclusion whether the agency's information 
     security controls are effective, including an identification 
     of any significant deficiencies in such controls.''; and
       (2) by adding at the end the following new paragraph:
       ``(3) Each audit under this section shall conform to 
     generally accepted government auditing standards.''.
       (c) Conforming Amendments.--
       (1) Each of the following provisions of section 3545 of 
     title 44, United States Code, is amended by striking 
     ``evaluation'' and inserting ``audit'' each place it appears:
       (A) Subsection (b)(1).
       (B) Subsection (b)(2).
       (C) Subsection (c).
       (D) Subsection (e)(1).
       (E) Subsection (e)(2).
       (2) Section 3545(d) of such title is amended to read as 
     follows:
       ``(d) Existing Audits.--The audit required by this section 
     may be based in whole or in part on an audit relating to 
     programs or practices of the applicable agency.''.
       (3) Section 3545(f) of such title is amended by striking 
     ``evaluators'' and inserting ``auditors''.
       (4) Section 3545(g)(1) of such title is amended by striking 
     ``evaluations'' and inserting ``audits''.
       (5) Section 3545(g)(3) of such title is amended by striking 
     ``Evaluations'' and inserting ``Audits''.
       (6) Section 3543(a)(8)(A) of such title is amended by 
     striking ``evaluations'' and inserting ``audits''.
       (7) Section 3544(b)(5)(D) of such title (as redesignated by 
     section 5(2)(C)) is amended by striking ``a evaluation'' and 
     inserting ``an audit''.

     SEC. 9. BEST PRACTICES FOR PRIVACY IMPACT ASSESSMENTS.

       Section 208(b)(3) of the E-Government Act of 2002 (Public 
     Law 107-347; 44 U.S.C. 3501 note) is amended--
       (1) in subparagraph (B), by striking ``and'' at the end;
       (2) in subparagraph (C), by striking the period and 
     inserting ``; and'', and
       (3) by adding at the end the following:
       ``(D) develop best practices for agencies to follow in 
     conducting privacy impact assessments.''.

     SEC. 10. IMPLEMENTATION.

       Except as otherwise specifically provided in this Act, 
     implementation of this Act and the amendments made by this 
     Act shall begin not later than 90 days after the date of the 
     enactment of this Act.

  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from 
Missouri (Mr. Clay) and the gentlewoman from North Carolina (Ms. Foxx) 
each will control 20 minutes.
  The Chair recognizes the gentleman from Missouri.


                             General Leave

  Mr. CLAY. Mr. Speaker, I ask unanimous consent that all Members may 
have 5 legislative days in which to revise and extend their remarks.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Missouri?
  There was no objection.
  Mr. CLAY. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, as chairman of the Subcommittee of Information Policy, 
Census and National Archives, I am pleased to join my colleagues in the 
consideration of H.R. 4791, the Federal Agency Data Protection Act, a 
bill to protect personally identifiable information of individuals that 
is maintained in or transmitted by Federal agency information systems.
  H.R. 4791, which I introduced along with Chairman Henry Waxman and 
Representative Ed Towns on December 18, 2007, was reported from the 
Committee on Oversight and Government Reform on May 21, 2008. I want to 
also thank Ranking Member Tom Davis for working with us on this 
legislation, especially on the notification provision.

  Despite progress made with the implementation of the Federal 
Information Security Management Act, or FISMA, GAO found that pervasive 
weaknesses continue to exist primarily because agencies fail to 
maintain secure IT networks. As a result, GAO concluded that Federal 
financial data are at risk of unauthorized modification or destruction, 
sensitive information at risk of inappropriate disclosure, and critical 
operations at risk of disruption.
  H.R. 4791 would secure our agencies' IT access and require an annual 
audit of agency programs. The bill would also establish a comprehensive 
definition for ``personally identifiable information'' and mandate that 
agencies notify individuals when their personal information is accessed 
in a data breach.
  Mr. Speaker, in light of today's report that 1,000 patients at Walter 
Reed Army Medical Center and other military hospitals had their names, 
Social Security numbers and birth dates exposed in a security breach, 
this is a timely measure that provides Americans with some assurance 
that the Federal Government will work diligently to protect their 
personal information.
  I urge the swift passage of H.R. 4791.
  Mr. Speaker, I reserve the balance of my time.

                              {time}  1600

  Ms. FOXX. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I rise today to speak on H.R. 4791, the Federal Agency 
Data Protection Act. While we appreciate the majority's willingness to 
incorporate several suggestions from our side such as including 
language from H.R. 2124, Representative Tom Davis' Federal Agency Data 
Breach Protection Act, we remain concerned that this legislation misses 
some key opportunities to advance legislation which truly strengthens 
our Federal information security laws.
  But, Mr. Speaker, I rise today to speak on a much more pressing 
issue, an issue of great concern to all Americans.
  With gas prices soaring to $3.98 per gallon over the weekend, 
according to AAA, the House returned officially from Memorial Day break 
today, but believe it or not, not a single piece of legislation to help 
lower gas prices is on the House schedule this week. This is 
particularly amazing since then Minority Leader Nancy Pelosi promised 
the American people ``a commonsense plan'' to lower gas prices way back 
in April, 2006. And it's particularly troubling since House Republicans 
unveiled a comprehensive plan to lower gas prices 2 weeks ago and have 
promoted that plan across the country during last week's Memorial Day 
recess.
  Instead of delivering on their April, 2006, promise, however, the 
Democrats in charge of Congress have delivered only a staggering $1.65 
Pelosi premium, meaning consumers are forced to pay $1.65 more per 
gallon of gasoline compared to what they paid on January 4, 2007, the 
Democrats' first day in the majority.
  For an average family that fills up its two cars once a week, that's 
an astronomical 2,574 more dollars per year that they are forced to pay 
at the pump. That's $2,574 less that families have for their children's 
educational expenses; $2,574 less for family vacations this summer; and 
$2,574 less for food costs, which also are skyrocketing.
  No wonder Democrats are continuing to feel the heat for doing 
nothing, nothing, to address the rising cost of gasoline.
  Let me quote part of a column in Monday's New Hampshire Union Leader 
about what Congress has done to contribute to American families' and 
small businesses' pain at the pump:
  ``Congress has prevented the drilling in the Alaska National Wildlife 
Refuge, which could be providing 1 million gallons of oil per day. 
Congress has put 85 percent of the U.S. coastal areas off-limits for 
drilling. Congress has recently prohibited the processing of oil shale, 
which could provide substantial quantities of oil economically . . .
  ``To sum it up, Congress has done nothing to help but lots to 
increase on our dependence on foreign oil and increase the price 
Americans pay for oil and gas.''
  An op-ed published over the weekend in the Athens, Georgia, Banner-
Herald makes the case that the Democratic Congress has contributed to 
the recent surge in gas prices:
  ``Drilling is prohibited in the Alaska National Wildlife Refuge, a 
potential source of 1 million barrels a day, 5 percent of America's 
daily oil consumption. Also off-limits is 85 percent of America's 
coastline.
  ``Americans deserve to know the story, in all its gory details, of 
what their government has done and is doing to cause high prices at the 
pump and to make gasoline, indeed, all energy, more scarce and more 
expensive in the future.''
  Indeed, while Democrats have offered nothing more than broken 
promises and policies that drive up gas prices, House Republicans have 
unveiled a comprehensive plan for lower gas prices and energy 
independence. The GOP blueprint promotes alternative and renewable 
fuels, harnesses technologies already being employed successfully by 
our global competitors, and unlocks America's natural energy resources 
through the responsible exploration of oil and gas in the United 
States, a reform backed by the majority of Americans, according to a 
new Gallup Poll. How much longer will Democrats ignore the will of the 
American people by keeping the House Republicans' plan off the House 
floor?
  Another quote from the Charleston, West Virginia, Daily Mail: ``Doing 
Nothing is What Democrats in Congress Have Specialized in, and That's 
One of the Reasons Gasoline Costs $4 Per Gallon.''
  Mr. Speaker, we can stand here and deal with a lot of issues that 
we're dealing with this week, but we need to get to the issues that the 
American people want us to deal with, and that's the soaring price of 
gasoline and energy costs.
  Mr. Speaker, I have no further requests for time, and I yield back 
the balance of my time.
  Mr. CLAY. Mr. Speaker, in closing, I want to urge the House to 
support this bill, H.R. 4791, and to say that the American people 
expect that personal information that they share with their government 
should be kept private and should be protected, and this bill will 
ensure that that information is protected.
  Mr. DAVIS of Virginia. Mr. Speaker, secure information is the 
lifeblood of effective government. But we've seen a wide range of 
incidents involving data loss or theft, privacy breaches, and security 
incidents at Federal agencies.
  In almost all of these cases, Congress and the public would not have 
learned of these events had we not requested the information. After 
all, despite the volume of sensitive information held by agencies--tax 
returns, military records, health records, to name a few--there 
currently is no requirement that agencies notify citizens whose 
personal information may have been compromised. We need to ensure the 
public knows when its sensitive personal information has been lost or 
compromised.
  Therefore I am pleased we incorporated my legislation, H.R. 2124, 
which requires timely notice be provided to individuals whose sensitive 
personal information could be compromised by a breach of data security 
at a Federal agency.
  In addition to focusing on ensuring adequate protection of 
individuals' personal information held by the Federal Government, I 
have also spent years focusing on general, government-wide information 
management and security policy.
  For example, the Privacy Act and the E-Government Act of 2002 outline 
the parameters for the protection of personal information. The Federal 
Information Security Management Act (FISMA), which I authored, requires 
each agency to create a comprehensive risk-based approach to agency-
wide information security management, through preparedness, evaluation, 
and reporting requirements.
  These laws created a solid foundation for Federal information 
security, making security management an integral part of an agency's 
operations and ensuring agencies are actively using best practices to 
secure the Federal Government's systems.
  But it is now incumbent upon us to take Federal information security 
to the next level--to find new and innovative ways to secure government 
information.
  Unfortunately, I do not believe H.R. 4791 does enough. Most of the 
provisions contained in this bill are a grab bag of vague requirements, 
additional mandates, and misplaced priorities. It casts dynamic 
concepts in stone. And it gives agency personnel more boxes to check.
  I have long called for a bill with teeth--and an opportunity to 
discuss and debate the overall issues associated with improving 
Federal information security. I think we have missed some key 
opportunities in that regard.

  For example: (1) We haven't seriously considered, to my knowledge, 
the need to pursue providing incentives for agency success--such as 
financial incentives for agencies which excel.
  (2) We haven't given enough consideration, to my knowledge, to the 
need to pursue funding penalties and personnel reforms which provide 
real motivation for an agency to improve its information security.
  (3) Although I've pushed the scorecards for many years, we need 
increased Congressional oversight of agency information security 
practices.
  (4) Have we done enough to bring greater consistency across the IG 
community regarding standards and review regarding improved information 
security?
  (5) And in our recent review of this issue, I do not believe we have 
considered, nor do we address, what I believe is one of the most 
important and complex problems associated with these issues: the 
difficulties faced by agency Chief Information Officers in their 
attempts to be successful and effective--both in terms of their status 
within their agencies and their underlying statutory authority.
  (6) Also, have we taken a serious look at whether the creation of a 
Federal CIO or an Information Czar at OMB would improve the Federal 
Government's ability to handle and process information? I do not 
believe so.
  Yesterday, OMB Deputy Director for Management, Clay Johnson, wrote to 
the Committee asking to work with us on a handful of concerns the 
Administration has with the current draft of the legislation. Although 
the majority did make important modifications, removing controversial 
provisions affecting data brokers for example, which were of particular 
concern to Representative Mike Turner, other areas still need to be 
addressed.
  The Administration has expressed particular concern about the bill's 
codification of terms and requirements in statute, including the 
definition of ``personally identifiable information'' as well as 
various technology-specific provisions, including ``personal digital 
devices'' and ``peer-to-peer file-sharing programs''. I have long 
maintained that effective security legislation should be technology 
neutral to enable the government to adequately address constantly 
evolving threats and technologies. Ironically, we could find ourselves 
less secure as agencies are forced to meet outdated mandates and 
requirements. I trust the majority is willing to continue these 
discussions as the legislation moves forward.
  Mr. Speaker, public confidence in government is essential. In the 
end, the public demands effective government. And effective government 
depends on secure information. I remain concerned that this legislation 
falls short in a number of these important areas.
  Mr. CLAY. Mr. Speaker, I yield back the balance of my time.
  The SPEAKER pro tempore (Mr. Salazar). The question is on the motion 
offered by the gentleman from Missouri (Mr. Clay) that the House 
suspend the rules and pass the bill, H.R. 4791, as amended.
  The question was taken; and (two-thirds being in the affirmative) the 
rules were suspended and the bill, as amended, was passed.
  A motion to reconsider was laid on the table.

                          ____________________