[Congressional Record Volume 158, Number 61 (Thursday, April 26, 2012)]
[House]
[Pages H2187-H2192]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
FEDERAL INFORMATION SECURITY AMENDMENTS ACT OF 2012
Mr. ISSA. Madam Speaker, I move to suspend the rules and pass the
bill (H.R. 4257) to amend chapter 35 of title 44, United States Code,
to revise requirements relating to Federal information security, and
for other purposes, as amended.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 4257
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Federal Information Security
Amendments Act of 2012''.
SEC. 2. COORDINATION OF FEDERAL INFORMATION POLICY.
Chapter 35 of title 44, United States Code, is amended by
striking subchapters II and III and inserting the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec. 3551. Purposes
``The purposes of this subchapter are to--
``(1) provide a comprehensive framework for ensuring the
effectiveness of information security controls over
information resources that support Federal operations and
assets;
``(2) recognize the highly networked nature of the current
Federal computing environment and provide effective
Governmentwide management and oversight of the related
information security risks, including coordination of
information security efforts throughout the civilian,
national security, and law enforcement communities assets;
``(3) provide for development and maintenance of minimum
controls required to protect Federal information and
information systems;
``(4) provide a mechanism for improved oversight of Federal
agency information security programs and systems through a
focus on automated and continuous monitoring of agency
information systems and regular threat assessments;
``(5) acknowledge that commercially developed information
security products offer advanced, dynamic, robust, and
effective information security solutions, reflecting market
solutions for the protection of critical information systems
important to the national defense and economic security of
the Nation that are designed, built, and operated by the
private sector; and
``(6) recognize that the selection of specific technical
hardware and software information security solutions should
be left to individual agencies from among commercially
developed products.
``Sec. 3552. Definitions
``(a) Section 3502 Definitions.--Except as provided under
subsection (b), the definitions under section 3502 shall
apply to this subchapter.
``(b) Additional Definitions.--In this subchapter:
``(1) Adequate security.--The term `adequate security'
means security commensurate with the risk and magnitude of
the harm resulting from the unauthorized access to or loss,
misuse, destruction, or modification of information.
``(2) Automated and continuous monitoring.--The term
`automated and continuous monitoring' means monitoring, with
minimal human involvement, through an uninterrupted, ongoing
real time, or near real-time process used to determine if the
complete set of planned, required, and deployed security
controls within an information system continue to be
effective over time with rapidly changing information
technology and threat development.
``(3) Incident.--The term `incident' means an occurrence
that actually or potentially jeopardizes the confidentiality,
integrity, or availability of an information system, or the
information the system processes, stores, or transmits or
that constitutes a violation or imminent threat of violation
of security policies, security procedures, or acceptable use
policies.
``(4) Information security.--The term `information
security' means protecting information and information
systems from unauthorized access, use, disclosure,
disruption, modification, or destruction in order to
provide--
``(A) integrity, which means guarding against improper
information modification or destruction, and includes
ensuring information nonrepudiation and authenticity;
``(B) confidentiality, which means preserving authorized
restrictions on access and disclosure, including means for
protecting personal privacy and proprietary information; and
``(C) availability, which means ensuring timely and
reliable access to and use of information.
``(5) Information system.--The term `information system'
means a discrete set of information resources organized for
the collection, processing, maintenance, use, sharing,
dissemination, or disposition of information and includes--
``(A) computers and computer networks;
``(B) ancillary equipment;
``(C) software, firmware, and related procedures;
``(D) services, including support services; and
``(E) related resources.
``(6) Information technology.--The term `information
technology' has the meaning given that term in section 11101
of title 40.
``(7) National security system.--
``(A) Definition.--The term `national security system'
means any information system (including any
telecommunications system) used or operated by an agency or
by a contractor of an agency, or other organization on behalf
of an agency--
``(i) the function, operation, or use of which--
``(I) involves intelligence activities;
``(II) involves cryptologic activities related to national
security;
``(III) involves command and control of military forces;
``(IV) involves equipment that is an integral part of a
weapon or weapons system; or
``(V) subject to subparagraph (B), is critical to the
direct fulfillment of military or intelligence missions; or
``(ii) is protected at all times by procedures established
for information that have been specifically authorized under
criteria established by an Executive order or an Act of
Congress to be kept classified in the interest of national
defense or foreign policy.
``(B) Exception.--Subparagraph (A)(i)(V) does not include a
system that is to be used for routine administrative and
business applications (including payroll, finance, logistics,
and personnel management applications).
``(8) Threat assessment.--The term `threat assessment'
means the formal description and evaluation of threat to an
information system.
``Sec. 3553. Authority and functions of the Director
``(a) In General.--The Director shall oversee agency
information security policies and practices, including--
``(1) developing and overseeing the implementation of
policies, principles, standards, and guidelines on
information security, including through ensuring timely
agency adoption of and compliance with standards promulgated
under section 11331 of title 40;
``(2) requiring agencies, consistent with the standards
promulgated under such section 11331 and the requirements of
this subchapter, to identify and provide information security
protections commensurate with the risk and magnitude of the
harm resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of--
``(A) information collected or maintained by or on behalf
of an agency; or
``(B) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(3) coordinating the development of standards and
guidelines under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3) with agencies
and offices operating or exercising control of national
security systems (including the National Security Agency) to
assure, to the maximum extent feasible, that such standards
and guidelines are complementary with standards and
guidelines developed for national security systems;
``(4) overseeing agency compliance with the requirements of
this subchapter, including through any authorized action
under section 11303 of title 40, to enforce accountability
for compliance with such requirements;
``(5) reviewing at least annually, and approving or
disapproving, agency information security programs required
under section 3554(b);
``(6) coordinating information security policies and
procedures with related information resources management
policies and procedures;
``(7) overseeing the operation of the Federal information
security incident center required under section 3555; and
``(8) reporting to Congress no later than March 1 of each
year on agency compliance with the requirements of this
subchapter, including--
``(A) an assessment of the development, promulgation, and
adoption of, and compliance with, standards developed under
section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) and promulgated under
section 11331 of title 40;
``(B) significant deficiencies in agency information
security practices;
``(C) planned remedial action to address such deficiencies;
and
``(D) a summary of, and the views of the Director on, the
report prepared by the National Institute of Standards and
Technology under section 20(d)(10) of the National Institute
of Standards and Technology Act (15 U.S.C. 278g-3).
``(b) National Security Systems.--Except for the
authorities described in paragraphs (4) and (8) of subsection
(a), the authorities of the Director under this section shall
not apply to national security systems.
[[Page H2188]]
``(c) Department of Defense and Central Intelligence Agency
Systems.--(1) The authorities of the Director described in
paragraphs (1) and (2) of subsection (a) shall be delegated
to the Secretary of Defense in the case of systems described
in paragraph (2) and to the Director of Central Intelligence
in the case of systems described in paragraph (3).
``(2) The systems described in this paragraph are systems
that are operated by the Department of Defense, a contractor
of the Department of Defense, or another entity on behalf of
the Department of Defense that processes any information the
unauthorized access, use, disclosure, disruption,
modification, or destruction of which would have a
debilitating impact on the mission of the Department of
Defense.
``(3) The systems described in this paragraph are systems
that are operated by the Central Intelligence Agency, a
contractor of the Central Intelligence Agency, or another
entity on behalf of the Central Intelligence Agency that
processes any information the unauthorized access, use,
disclosure, disruption, modification, or destruction of which
would have a debilitating impact on the mission of the
Central Intelligence Agency.
``Sec. 3554. Agency responsibilities
``(a) In General.--The head of each agency shall--
``(1) be responsible for--
``(A) providing information security protections
commensurate with the risk and magnitude of the harm
resulting from unauthorized access, use, disclosure,
disruption, modification, or destruction of--
``(i) information collected or maintained by or on behalf
of the agency; and
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(B) complying with the requirements of this subchapter
and related policies, procedures, standards, and guidelines,
including--
``(i) information security standards and guidelines
promulgated under section 11331 of title 40 and section 20 of
the National Institute of Standards and Technology Act (15
U.S.C. 278g 3);
``(ii) information security standards and guidelines for
national security systems issued in accordance with law and
as directed by the President; and
``(iii) ensuring the standards implemented for information
systems and national security systems of the agency are
complementary and uniform, to the extent practicable;
``(C) ensuring that information security management
processes are integrated with agency strategic and
operational planning and budget processes, including
policies, procedures, and practices described in subsection
(c)(2);
``(D) as appropriate, maintaining secure facilities that
have the capability of accessing, sending, receiving, and
storing classified information;
``(E) maintaining a sufficient number of personnel with
security clearances, at the appropriate levels, to access,
send, receive and analyze classified information to carry out
the responsibilities of this subchapter; and
``(F) ensuring that information security performance
indicators and measures are included in the annual
performance evaluations of all managers, senior managers,
senior executive service personnel, and political appointees;
``(2) ensure that senior agency officials provide
information security for the information and information
systems that support the operations and assets under their
control, including through--
``(A) assessing the risk and magnitude of the harm that
could result from the unauthorized access, use, disclosure,
disruption, modification, or destruction of such information
or information system;
``(B) determining the levels of information security
appropriate to protect such information and information
systems in accordance with policies, principles, standards,
and guidelines promulgated under section 11331 of title 40
and section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g 3) for information security
classifications and related requirements;
``(C) implementing policies and procedures to cost
effectively reduce risks to an acceptable level;
``(D) with a frequency sufficient to support risk-based
security decisions, testing and evaluating information
security controls and techniques to ensure that such controls
and techniques are effectively implemented and operated; and
``(E) with a frequency sufficient to support risk-based
security decisions, conducting threat assessments by
monitoring information systems, identifying potential system
vulnerabilities, and reporting security incidents in
accordance with paragraph (3)(A)(v);
``(3) delegate to the Chief Information Officer or
equivalent (or a senior agency official who reports to the
Chief Information Officer or equivalent), who is designated
as the `Chief Information Security Officer', the authority
and primary responsibility to develop, implement, and oversee
an agencywide information security program to ensure and
enforce compliance with the requirements imposed on the
agency under this subchapter, including--
``(A) overseeing the establishment and maintenance of a
security operations capability that through automated and
continuous monitoring, when possible, can--
``(i) detect, report, respond to, contain, and mitigate
incidents that impair information security and agency
information systems, in accordance with policy provided by
the Director;
``(ii) commensurate with the risk to information security,
monitor and mitigate the vulnerabilities of every information
system within the agency;
``(iii) continually evaluate risks posed to information
collected or maintained by or on behalf of the agency and
information systems and hold senior agency officials
accountable for ensuring information security;
``(iv) collaborate with the Director and appropriate public
and private sector security operations centers to detect,
report, respond to, contain, and mitigate incidents that
impact the security of information and information systems
that extend beyond the control of the agency; and
``(v) report any incident described under clauses (i) and
(ii) to the Federal information security incident center, to
other appropriate security operations centers, and to the
Inspector General of the agency, to the extent practicable,
within 24 hours after discovery of the incident, but no later
than 48 hours after such discovery;
``(B) developing, maintaining, and overseeing an agencywide
information security program as required by subsection (b);
``(C) developing, maintaining, and overseeing information
security policies, procedures, and control techniques to
address all applicable requirements, including those issued
under section 11331 of title 40;
``(D) training and overseeing personnel with significant
responsibilities for information security with respect to
such responsibilities; and
``(E) assisting senior agency officials concerning their
responsibilities under paragraph (2);
``(4) ensure that the agency has a sufficient number of
trained and cleared personnel to assist the agency in
complying with the requirements of this subchapter, other
applicable laws, and related policies, procedures, standards,
and guidelines;
``(5) ensure that the Chief Information Security Officer,
in consultation with other senior agency officials, reports
periodically, but not less than annually, to the agency head
on--
``(A) the effectiveness of the agency information security
program;
``(B) information derived from automated and continuous
monitoring, when possible, and threat assessments; and
``(C) the progress of remedial actions;
``(6) ensure that the Chief Information Security Officer
possesses the necessary qualifications, including education,
training, experience, and the security clearance required to
administer the functions described under this subchapter; and
has information security duties as the primary duty of that
official; and
``(7) ensure that components of that agency establish and
maintain an automated reporting mechanism that allows the
Chief Information Security Officer with responsibility for
the entire agency, and all components thereof, to implement,
monitor, and hold senior agency officers accountable for the
implementation of appropriate security policies, procedures,
and controls of agency components.
``(b) Agency Program.--Each agency shall develop, document,
and implement an agencywide information security program,
approved by the Director and consistent with components
across and within agencies, to provide information security
for the information and information systems that support the
operations and assets of the agency, including those provided
or managed by another agency, contractor, or other source,
that includes--
``(1) automated and continuous monitoring, when possible,
of the risk and magnitude of the harm that could result from
the disruption or unauthorized access, use, disclosure,
modification, or destruction of information and information
systems that support the operations and assets of the agency;
``(2) consistent with guidance developed under section
11331 of title 40, vulnerability assessments and penetration
tests commensurate with the risk posed to agency information
systems;
``(3) policies and procedures that--
``(A) cost effectively reduce information security risks to
an acceptable level;
``(B) ensure compliance with--
``(i) the requirements of this subchapter;
``(ii) policies and procedures as may be prescribed by the
Director, and information security standards promulgated
pursuant to section 11331 of title 40;
``(iii) minimally acceptable system configuration
requirements, as determined by the Director; and
``(iv) any other applicable requirements, including--
``(I) standards and guidelines for national security
systems issued in accordance with law and as directed by the
President; and
``(II) the National Institute of Standards and Technology
standards and guidance;
``(C) develop, maintain, and oversee information security
policies, procedures, and control techniques to address all
applicable requirements, including those promulgated pursuant
section 11331 of title 40; and
``(D) ensure the oversight and training of personnel with
significant responsibilities for information security with
respect to such responsibilities;
``(4) with a frequency sufficient to support risk-based
security decisions, automated and continuous monitoring, when
possible, for
[[Page H2189]]
testing and evaluation of the effectiveness and compliance of
information security policies, procedures, and practices,
including--
``(A) controls of every information system identified in
the inventory required under section 3505(c); and
``(B) controls relied on for an evaluation under this
section;
``(5) a process for planning, implementing, evaluating, and
documenting remedial action to address any deficiencies in
the information security policies, procedures, and practices
of the agency;
``(6) with a frequency sufficient to support risk-based
security decisions, automated and continuous monitoring, when
possible, for detecting, reporting, and responding to
security incidents, consistent with standards and guidelines
issued by the National Institute of Standards and Technology,
including--
``(A) mitigating risks associated with such incidents
before substantial damage is done;
``(B) notifying and consulting with the Federal information
security incident center and other appropriate security
operations response centers; and
``(C) notifying and consulting with, as appropriate--
``(i) law enforcement agencies and relevant Offices of
Inspectors General; and
``(ii) any other agency, office, or entity, in accordance
with law or as directed by the President; and
``(7) plans and procedures to ensure continuity of
operations for information systems that support the
operations and assets of the agency.
``(c) Agency Reporting.--Each agency shall--
``(1) submit an annual report on the adequacy and
effectiveness of information security policies, procedures,
and practices, and compliance with the requirements of this
subchapter, including compliance with each requirement of
subsection (b) to--
``(A) the Director;
``(B) the Committee on Homeland Security and Governmental
Affairs of the Senate;
``(C) the Committee on Oversight and Government Reform of
the House of Representatives;
``(D) other appropriate authorization and appropriations
committees of Congress; and
``(E) the Comptroller General;
``(2) address the adequacy and effectiveness of information
security policies, procedures, and practices in plans and
reports relating to--
``(A) annual agency budgets;
``(B) information resources management of this subchapter;
``(C) information technology management under this chapter;
``(D) program performance under sections 1105 and 1115
through 1119 of title 31, and sections 2801 and 2805 of title
39;
``(E) financial management under chapter 9 of title 31, and
the Chief Financial Officers Act of 1990 (31 U.S.C. 501 note;
Public Law 101 576);
``(F) financial management systems under the Federal
Financial Management Improvement Act of 1996 (31 U.S.C. 3512
note); and
``(G) internal accounting and administrative controls under
section 3512 of title 31; and
``(3) report any significant deficiency in a policy,
procedure, or practice identified under paragraph (1) or
(2)--
``(A) as a material weakness in reporting under section
3512 of title 31; and
``(B) if relating to financial management systems, as an
instance of a lack of substantial compliance under the
Federal Financial Management Improvement Act of 1996 (31
U.S.C. 3512 note).
``Sec. 3555. Federal information security incident center
``(a) In General.--The Director shall ensure the operation
of a central Federal information security incident center
to--
``(1) provide timely technical assistance to operators of
agency information systems regarding security incidents,
including guidance on detecting and handling information
security incidents;
``(2) compile and analyze information about incidents that
threaten information security;
``(3) inform operators of agency information systems about
current and potential information security threats, and
vulnerabilities; and
``(4) consult with the National Institute of Standards and
Technology, agencies or offices operating or exercising
control of national security systems (including the National
Security Agency), and such other agencies or offices in
accordance with law and as directed by the President
regarding information security incidents and related matters.
``(b) National Security Systems.--Each agency operating or
exercising control of a national security system shall share
information about information security incidents, threats,
and vulnerabilities with the Federal information security
incident center to the extent consistent with standards and
guidelines for national security systems, issued in
accordance with law and as directed by the President.
``(c) Review and Approval.--The Director shall review and
approve the policies, procedures, and guidance established in
this subchapter to ensure that the incident center has the
capability to effectively and efficiently detect, correlate,
respond to, contain, mitigate, and remediate incidents that
impair the adequate security of the information systems of
more than one agency. To the extent practicable, the
capability shall be continuous and technically automated.
``Sec. 3556. National security systems
``The head of each agency operating or exercising control
of a national security system shall be responsible for
ensuring that the agency--
``(1) provides information security protections
commensurate with the risk and magnitude of the harm
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of the information
contained in such system;
``(2) implements information security policies and
practices as required by standards and guidelines for
national security systems, issued in accordance with law and
as directed by the President; and
``(3) complies with the requirements of this subchapter.''.
SEC. 3. TECHNICAL AND CONFORMING AMENDMENTS.
(a) Table of Sections in Title 44.--The table of sections
for chapter 35 of title 44, United States Code, is amended by
striking the matter relating to subchapters II and III and
inserting the following:
``subchapter ii--information security
``Sec.
``3551. Purposes.
``3552. Definitions.
``3553. Authority and functions of the Director.
``3554. Agency responsibilities.
``3555. Federal information security incident center.
``3556. National security systems.''.
(b) Other References.--
(1) Section 1001(c)(1)(A) of the Homeland Security Act of
2002 (6 U.S.C. 511(c)(1)(A)) is amended by striking ``section
3532(3)'' and inserting ``section 3552(b)''.
(2) Section 2222(j)(5) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552(b)''.
(3) Section 2223(c)(3) of title 10, United States Code, is
amended, by striking ``section 3542(b)(2)'' and inserting
``section 3552(b)''.
(4) Section 2315 of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552(b)''.
(5) Section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g 3) is amended--
(A) in subsections (a)(2) and (e)(5), by striking ``section
3532(b)(2)'' and inserting ``section 3552(b)''; and
(B) in subsection (e)(2), by striking ``section 3532(1)''
and inserting ``section 3552(b)''.
(6) Section 8(d)(1) of the Cyber Security Research and
Development Act (15 U.S.C. 7406(d)(1)) is amended by striking
``section 3534(b)'' and inserting ``section 3554(b)''.
SEC. 4. NO ADDITIONAL FUNDS AUTHORIZED.
No additional funds are authorized to carry out the
requirements of section 3554 of title 44, United States Code,
as amended by section 2 of this Act. Such requirements shall
be carried out using amounts otherwise authorized or
appropriated.
SEC. 5. EFFECTIVE DATE.
This Act (including the amendments made by this Act) shall
take effect 30 days after the date of the enactment of this
Act.
The SPEAKER pro tempore. Pursuant to the rule, the gentleman from
California (Mr. Issa) and the gentleman from Maryland (Mr. Cummings)
each will control 20 minutes.
The Chair recognizes the gentleman from California.
General Leave
Mr. ISSA. Madam Speaker, I ask unanimous consent that all Members may
have 5 legislative days within which to revise and extend their remarks
and include extraneous material on the bill under consideration.
The SPEAKER pro tempore. Is there objection to the request of the
gentleman from California?
There was no objection.
Mr. ISSA. Madam Speaker, I yield myself such time as I may consume.
Madam Speaker, cybersecurity threats represent one of the most
serious national security and economic challenges we face as a Nation.
Whether it's criminal hackers, organized crime, terrorist networks or
national states, our Nation is under siege from dangerous cybersecurity
threats that grow daily in frequency and sophistication.
{time} 1840
It is critical that the Federal Government address cybersecurity
threats in a manner that keeps pace with the Nation's growing
dependence on technology. The President himself recently stated:
``Cybersecurity is a challenge that we as a government or as a country
are not adequately prepared to counter.''
Madam Speaker, it is essential that we, in fact, change that here
today.
Current law does not adequately address the nature of today's
cybersecurity threats. Since the enactment in 2002 of the Federal
Information Security Management Act, or FISMA, it
[[Page H2190]]
has become a check-the-box compliance activity that all too often has
little to do with minimizing security threats, and yet the Government
Accountability Office recently found that security incidents among 24
key agencies increased more than 650 percent during the last 5 years.
To address the rising challenge posed by cyberthreats, Ranking Member
Cummings and I introduced H.R. 4257, the Federal Information Security
Amendments Act of 2012. The bill aims to harness the last decade of
technological innovation in securing the Federal information systems.
It amends FISMA to move beyond the check-the-box compliance mentality.
It enhances the current framework for securing Federal information
technology systems.
Our bill calls for automated and continuous monitoring of government
information systems. And it ensures that control monitoring finally
incorporates regular threat assessment and--Madam Speaker, this is the
most important part of what we do--continuous monitoring and constant
threat assessments so that never again will we find that the incidents
are going up double digits every month in some cases.
The bill also reaffirms the role of the Office of Management and
Budget, or OMB, with respect to FISMA, recognizing that the budgetary
leverage of the Executive Office of the President is necessary to
ensure agencies are focused on effective security of its IT systems.
While our bill does not include new requirements, restrictions, or
mandates on private or non-Federal computer systems, H.R. 4257 does
highlight the need for stronger public-private partnerships. Through
our Web site, keepthewebopen.com, our bill has been vetted by the
American people. It has also received strong support from cybersecurity
experts and industry, including the Information Technology Industry
Council and the Business Software Alliance.
I'd like to thank my ranking member, Mr. Cummings, for a one-on-one
equal partnership with me in the efforts to address the growing threat
for cybersecurity. He has led the way on his side of the aisle, and I
have been honored to serve on my side. We have encouraged all Members
to support this timely legislation. We recognize that some things are
too important to be partisan. This certainly is one of them.
I reserve the balance of my time.
Mr. CUMMINGS. Madam Speaker, I yield myself such time as I may
consume.
Madam Speaker, first of all, I'd like to express my appreciation to
the chairman of our committee for his kind words and for his
cooperation. I start by thanking him for working with me and my staff
to make this a bipartisan effort, and it is truly a bipartisan effort.
From the beginning, we agreed that we did not want to make securing our
Federal information systems a partisan issue and that securing our
Nation against a cyberattack is an issue that transcends any party
lines. This bill is evidence of the good work that we can do when we
work together to address an important issue like cybersecurity.
Not only does this bill enjoy bipartisan support, but it is
noncontroversial. Last week, the bill was marked up in committee and
passed on a voice vote. The only amendments considered made
constructive changes to the bill that were recommended by the National
Institute of Standards and Technology and the Government Accountability
Office. These changes enjoyed universal support in committee.
This legislation will ensure that Federal agencies use a risk-based
approach to defend against cyberattacks and protect government
information from being compromised by our adversaries. The bill would
make key changes to help protect our Federal information systems from
cyberattacks. It would shift the Federal Government to a system of
continuous monitoring of information systems, streamline reporting
requirements, and ensure that agencies take a smart, risk-based
approach to securing networks.
This bill will continue to authorize the Office of Management and
Budget to set Federal policy for information security. This is
important because we need to hold all agencies accountable for
developing appropriate standards and living up to them. However,
nothing in this bill would prevent the Department of Homeland Security
from continuing the great work it is doing to protect our Nation
against potential cyberattacks.
The Department has dramatically expanded its cybersecurity workforce,
and it has built the National Cybersecurity and Communications
Integration Center to serve as Federal Government's cybersecurity
command center. This command center is a vital part of our efforts to
protect Federal information systems.
Earlier this month, the head of U.S. Cyber Command, General Keith
Alexander, testified that securing our Nation against cyberthreats is
one of our biggest national security challenges. Securing our Federal
information systems is a critical component of addressing this
challenge, and I urge my colleagues to join me and our chairman in
supporting this legislation.
With that, Madam Speaker, I reserve the balance of my time.
Mr. ISSA. Madam Speaker, we have a speaker on the other side for a
colloquy, so I'd reserve at this time to allow him to go next.
Mr. CUMMINGS. I want to thank the gentleman.
Madam Speaker, I yield 3 minutes to the gentleman from Virginia (Mr.
Connolly).
Mr. CONNOLLY of Virginia. I thank my friend from Maryland, the
distinguished ranking member.
I want to thank Chairman Issa and appreciate the work of him and the
ranking member, Mr. Cummings, and their staff on this legislation,
which I think is a thoughtful, bipartisan update to an information
security bill actually written by my predecessor and the chairman's,
Tom Davis of Virginia.
The FISMA Amendments Act transitions from compliance to performance
metrics to address major shortcomings in Federal agency cybersecurity
implementation. Of course, when considering the performance of Federal
agencies, it's a natural extension to question the relationship between
the executive branch and those agencies and the relationship among
technology and cybersecurity-related positions within the executive
branch.
I appreciate President Obama's focus on technology, particularly the
chief information officer's 25-point plan, but I'm concerned that the
current ad hoc nature of the CIO, CTO, and Cybersecurity coordinator
could create certain risk and continuity of operations challenges when
we look out to further administrations. I would ask Chairman Issa if he
shares those concerns.
I yield to the gentleman from California.
Mr. ISSA. I thank the gentleman. I do share those concerns and
appreciate the gentleman's work on this.
Proper organization of the executive branch is essential to the
successful long-term management of technology, and particularly
cybersecurity.
This policy is going to require additional work. FISMA is not the end
but, in fact, a starting point; and I look forward to working with the
gentleman to make sure that as we work with the executive branch,
including OMB, that we get it right and we keep the focus where it
needs to be on all the agencies and bringing them together.
Mr. CONNOLLY of Virginia. Madam Speaker, I thank the chairman and
look forward to working with him and the ranking member, as well as Mr.
Langevin of Rhode Island, who has been a leader on this subject, to
advance legislation that will address executive branch organization in
the context of cybersecurity. With the right framework, I believe the
current and future administrations will be able to more efficiently
implement these FISMA reforms and other related legislation. Given its
jurisdiction, the Oversight and Government Reform Committee is the
appropriate venue to develop such legislation, and I look forward to
working with the committee chair and ranking member to advance it.
{time} 1850
Mr. CUMMINGS. Madam Speaker, I yield 3 minutes to the gentleman from
Rhode Island (Mr. Langevin).
Mr. LANGEVIN. I thank the gentleman for yielding.
Madam Speaker, I rise to engage in a colloquy with my colleague and
friend, the chairman of the Committee on
[[Page H2191]]
Oversight and Government Reform, Mr. Issa.
I'd first like to thank the chairman for his hard work. His efforts
to update the Federal Information Security Management Act have been
commendably inclusive and bipartisan, and I want to thank him and his
staff, as well as Mr. Cummings and Mr. Connolly and their staff, for
all the outreach and good faith negotiation that's occurred during the
crafting of this legislation.
There can be no question that the FISMA reform language before the
House today is both sorely needed and long overdue. To this end,
together with my good friend and our former colleague, Ms. Watson, I
introduced an amendment that passed the House overwhelmingly last
Congress during consideration of the FY 2011 National Defense
Authorization Act.
That amendment, which was, unfortunately, stripped out during
conference with the Senate, would have made important updates to FISMA,
in addition to establishing a National Office for Cyberspace in the
Executive Office of the President.
Such an office has been recommended by the Obama administration's 60
Day Cyberspace Policy Review, public-private sector working groups such
as the CSIS Commission on Cybersecurity for the 44th Presidency, which
I cochaired with my good friend, Mr. McCaul, and the GAO, as a response
to security deficiencies throughout the Federal Government.
While I applaud my friend for delivering on the need for FISMA
reform, I'd like to ask the chairman if he gave thought to such
organizational changes within the executive branch and, in particular,
an organization like a National Office for Cyberspace during the
drafting of this legislation.
I yield to my friend.
Mr. ISSA. I thank the gentleman. And yes, we did. Your leadership on
cybersecurity matters, including FISMA reform, have been essential.
When you and I served on the Select Intelligence Committee, I
recognized that you put more time and effort into the behind-the-door
work than any of us. And, in fact, you and I share some of the
challenges that we faced with the DNI and other earlier organizations.
But I share with you that your suggestions on how we can, in fact,
find single-point accountability in future legislation, in concert with
this administration, is essential. I look forward to working with you
on exactly that. I know of no other partner I could have on the other
side of the aisle that is more prepared to do it, and I thank the
gentleman.
Mr. LANGEVIN. I thank the gentleman for that. In that spirit, I'd
like to encourage the gentleman to continue in this open and bipartisan
fashion. I'd like to ask if you would be interested in working together
on such subsequent legislation, along with Mr. Cummings and Mr.
Connolly, who have been so involved and thoughtful on this issue.
I believe that such legislation should include strong, centralized
oversight to protect our Nation's critical infrastructure, including
budgetary oversight powers, while remaining accountable to Congress.
Mr. ISSA. I couldn't agree with the gentleman more. Your work with
our staff has been essential. I look forward to doing exactly that, and
I think we have to have that ongoing effort to get to there.
I saw the ranking member's head also shaking. I know that we will
both look forward to working with you on a bipartisan basis.
Mr. LANGEVIN. I thank the gentleman for that, and I look forward to
working with my good friend to ensure that our Federal Government is
properly addressing this critically important issue.
Mr. ISSA. Madam Speaker, I yield 3 minutes to my colleague and the
gentleman from Utah (Mr. Chaffetz), the chairman of the subcommittee
that has done so much on, in fact, cybersecurity.
Mr. CHAFFETZ. Madam Speaker, I appreciate Chairman Issa and his
foresight and leadership on this issue in driving this forward. This is
so, so important to our country and our nation, and for the Federal
Government to operate properly.
Madam Speaker, I also want to thank and recognize the ranking member,
Mr. Cummings, his unparalleled support and need and just patriotism for
what's good for this Nation, working together in a bipartisan way. This
is what I think the American people want, and this is what they get in
this bill.
I also want to share the fact that cybersecurity is a real threat.
It's a threat to the mom who's got the computer sitting in there in the
kitchen, and the kids are going in every direction, to the most secure
infrastructure we have in our Federal Government. It is imperative that
we get this right, because everything from a guy in a van down by the
river to nation-states, our country is under a constant bombardment and
attack, for our intellectual property, to trade secrets, to what's
going on in this government.
And while this is focused on what our government is doing and how
it's organized, it updates the law so that we have the right provisions
at the right place, and we're doing the right things. We have to be
vigilant as a people. So this is focused, not--it doesn't give a new
mandate. There's no new mandate upon the American people. There's no
mandate upon businesses.
What this does is get the structure for what should happen in the
Federal Government right, and updating and doing things like continuous
monitoring, vulnerability assessments and penetration tests that are
done within the Federal Government. It requires a chief information
security officer within these different agencies, and it focuses these
efforts upon the Director of OMB.
By really putting the focal point on the executive branch within the
White House, you will get a much better response, because everything,
from the Bureau of Indian Affairs to the Department of Defense and
everywhere in between, we have to make sure that our systems are
updated because the threat is constant, it is real, it is 24/7. And
without these updates, without the constant monitoring, without these
types of things, we will be doing a disservice to the American people,
and we will not be living up to the commitment that we have to make
sure that these networks are as secure as they possibly can be.
This is something that will be with us, not just for the next 6
months, not just for the next year, but for the foreseeable future. And
Madam Speaker, that's why I'm so enthusiastic about this bill. I
appreciate the bipartisan nature in which it was done. And I certainly
appreciate Chairman Issa and his leadership on this. I'm glad to be
part of it.
I would encourage my colleagues to vote in favor of this bill.
Mr. CUMMINGS. We don't have any additional speakers. I reserve the
balance of my time.
Mr. ISSA. Madam Speaker, I yield 2 minutes to the gentleman from
Texas (Mr. Thornberry) who coordinated so much of the work that we're
doing today from multiple committees.
Mr. THORNBERRY. I thank Chairman Issa for yielding. Madam Speaker, I
want to commend the chairman and the ranking member for working
together and bringing this important bill to the floor.
I also want to commend the gentleman from Utah (Mr. Chaffetz), who
was a member of our task force and, as the chairman noted, has done so
much work on this.
Madam Speaker, this is an important bill on cybersecurity. The FISMA
law passed in 2002 needs to be updated. The growth in the number and
sophistication of the threats has not been matched by our response, and
so laws and policies are increasingly outdated and not able to keep up
with the threats faced by Federal networks as well as private sector
networks.
And this bill requires continuous monitoring, as you have heard. The
threat is dynamic. It changes. It doesn't work anymore to just check a
box and say, I've done this. You have to have that continuous
monitoring of what's happening within your networks. That's important
for defense of the Federal Government, but it's also important to be an
example for the rest of the country. And in cybersecurity, it seems to
me, it's particularly important for the Federal Government to lead by
example.
I also want to just say that this is an example of an issue, a part
of cybersecurity, on which everybody agrees needs to happen, and this
committee
[[Page H2192]]
has brought a bipartisan answer. We cannot allow differences that may
exist between this body and the other body on other cybersecurity
issues prevent us from taking action, getting something accomplished on
something that everybody agrees on.
This is one of the things everybody agrees needs to happen.
Information-sharing, everybody agrees on. Research and development that
we'll have tomorrow on the floor, everybody agrees needs to happen.
I appreciate the work of this committee. It's an important bill. It
will help make the Nation more secure, as well as this government, and
I hope all Members will support it.
Mr. ISSA. Madam Speaker, at this time I have no other speakers, and
I'm prepared to close.
Mr. CUMMINGS. Madam Speaker, I yield myself such time as I may
consume.
Madam Speaker, I want to associate myself with all the words that
have been said by both sides this evening, because we understand that
cybersecurity is so very, very important to our Nation. We often look
back to 9/11 and we think about what happened in that very short time,
and how it disrupted our entire Nation, taking planes out of the air,
causing our world to at least pause.
{time} 1900
We saw the damage that was done in a matter of a few minutes.
Cybersecurity and the cyberthreat is just as great, if not far
greater, and can happen very, very quickly. A cyberattack can take
place very, very quickly, and it is something that we must do
everything in our power to protect ourselves against. This bill does
not solve all the problems, but it certainly leads us in the right
direction.
Again, I want to thank the chairman. I want to thank everybody
involved for the bipartisan effort and for making the security of our
Nation our number one priority.
With that, I urge all of the Members to vote for this bill, and I
yield back the balance of my time.
Mr. ISSA. Madam Speaker, in closing, I urge all Members to support
the passage of this bill, H.R. 4257, as amended. I want to make one
closing statement.
Often we talk about cybersecurity, and people think just about the
Internet. We sit here in a room that is essentially windowless. I've
been in this room when the lights are out. It is very, very dark. We
would have a hard time finding our way out. Yet the very essence of
keeping the grid up requires computers to talk to each other. Our phone
systems, our lights, our power, our sewage, our water all depend today
on interoperable computer systems that span the entire country and, in
many cases, the entire world.
So, as people realize the government-to-government relationship and,
particularly, the public-private partnerships that this bill encourages
and asks the Office of Management and Budget to assure occur, we are
doing so, of course, in order to maintain a reliable Internet; but much
more importantly, the fundamentals of the very electricity that powers
the Internet must be maintained and protected. I believe we've gone a
long way today in the passage of this bill. I urge its passage.
I thank the gentleman from Maryland for his leadership on this
important matter.
I yield back the balance of my time.
Mr. HALL. Madam Speaker, I would like to thank Chairman Issa for the
hard work that he and the Committee on Oversight and Government Reform
has undertaken in the development of H.R. 4257, the Federal Information
Security Amendments Act of 2012.
This bill updates and improves the decade old Federal Information
Security and Management Act (FISMA). FISMA currently requires each
Federal agency to develop, document, and implement an agency-wide
program to provide information security for their systems.
The Science, Space, and Technology Committee receives annual FISMA
reports from each Federal agency. These reports detail the management
and security of each agency's information technology resources, and the
actions necessary to ensure the effectiveness of the government's
information security policies.
The Science, Space, and Technology Committee monitors these reports
to review the cybersecurity standards and guidelines that the National
Institute of Standards and Technology sets for Federal information
systems. These standards and guidelines are particularly important
because along with agency use, the same standards and guidelines are
frequently adopted on a voluntary basis by many organizations in the
private sector. The Committee will continue to receive and review these
annual FISMA reports from Federal agencies, and will provide continued
oversight of NIST's role in FISMA process.
H.R. 4257 takes an important step forward in the protection of the
government's information technology resources by establishing a
mechanism for stronger oversight. The bill ensures implementation of
new developments in technological innovation, including automated and
continuous monitoring of cybersecurity threats as well as regular
threat assessments.
Our Federal agencies depend on FISMA to guide them to protect federal
networks. Officials are already working to integrate some of the
concepts proposed by H.R. 4257, such as continuous monitoring, into the
management of information systems. I am encouraged that this bill will
help agencies more easily comply with the latest cybersecurity
standards and guidelines set forth by NIST.
H.R. 4257 is a good bill that represents another critical piece in
Congress's overall efforts to address the Nation's cybersecurity needs.
There are additional tweaks that could make the bill even better, and I
look forward to working with Mr. Issa as the bill moves through the
process to address remaining issues to our mutual satisfaction.
I support the passage of H.R. 4257 and encourage my colleagues to do
the same.
The SPEAKER pro tempore. The question is on the motion offered by the
gentleman from California (Mr. Issa) that the House suspend the rules
and pass the bill, H.R. 4257, as amended.
The question was taken; and (two-thirds being in the affirmative) the
rules were suspended and the bill, as amended, was passed.
A motion to reconsider was laid on the table.
____________________