[Congressional Record Volume 159, Number 51 (Tuesday, April 16, 2013)]
[House]
[Pages H2037-H2042]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
FEDERAL INFORMATION SECURITY AMENDMENTS ACT OF 2013
Mr. ISSA. Mr. Speaker, I move to suspend the rules and pass the bill
(H.R. 1163) to amend chapter 35 of title 44, United States Code, to
revise requirements relating to Federal information security, and for
other purposes.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 1163
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Federal Information Security
Amendments Act of 2013''.
SEC. 2. COORDINATION OF FEDERAL INFORMATION POLICY.
Chapter 35 of title 44, United States Code, is amended by
striking subchapters II and III and inserting the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec. 3551. Purposes
``The purposes of this subchapter are to--
``(1) provide a comprehensive framework for ensuring the
effectiveness of information security controls over
information resources that support Federal operations and
assets;
``(2) recognize the highly networked nature of the current
Federal computing environment and provide effective
Governmentwide management and oversight of the related
information security risks, including coordination of
information security efforts throughout the civilian,
national security, and law enforcement communities assets;
``(3) provide for development and maintenance of minimum
controls required to protect Federal information and
information systems;
``(4) provide a mechanism for improved oversight of Federal
agency information security programs and systems through a
focus on automated and continuous monitoring of agency
information systems and regular threat assessments;
``(5) acknowledge that commercially developed information
security products offer advanced, dynamic, robust, and
effective information security solutions, reflecting market
solutions for the protection of critical information systems
important to the national defense and economic security of
the Nation that are designed, built, and operated by the
private sector; and
``(6) recognize that the selection of specific technical
hardware and software information security solutions should
be left to individual agencies from among commercially
developed products.
``Sec. 3552. Definitions
``(a) Section 3502 Definitions.--Except as provided under
subsection (b), the definitions under section 3502 shall
apply to this subchapter.
``(b) Additional Definitions.--In this subchapter:
``(1) Adequate security.--The term `adequate security'
means security commensurate with the risk and magnitude of
the harm resulting from the unauthorized access to or loss,
misuse, destruction, or modification of information.
``(2) Automated and continuous monitoring.--The term
`automated and continuous monitoring' means monitoring, with
minimal human involvement, through an uninterrupted, ongoing
real time, or near real-time process used to determine if the
complete set of planned, required, and deployed security
controls within an information system continue to be
effective over time with rapidly changing information
technology and threat development.
``(3) Incident.--The term `incident' means an occurrence
that actually or potentially jeopardizes the confidentiality,
integrity, or availability of an information system, or the
information the system processes, stores, or transmits or
that constitutes a violation or imminent threat of violation
of security policies, security procedures, or acceptable use
policies.
``(4) Information security.--The term `information
security' means protecting information and information
systems from unauthorized access, use, disclosure,
disruption, modification, or destruction in order to
provide--
``(A) integrity, which means guarding against improper
information modification or destruction, and includes
ensuring information nonrepudiation and authenticity;
``(B) confidentiality, which means preserving authorized
restrictions on access and disclosure, including means for
protecting personal privacy and proprietary information; and
``(C) availability, which means ensuring timely and
reliable access to and use of information.
``(5) Information system.--The term `information system'
means a discrete set of information resources organized for
the collection, processing, maintenance, use, sharing,
dissemination, or disposition of information and includes--
``(A) computers and computer networks;
``(B) ancillary equipment;
``(C) software, firmware, and related procedures;
``(D) services, including support services; and
``(E) related resources.
``(6) Information technology.--The term `information
technology' has the meaning given that term in section 11101
of title 40.
``(7) National security system.--
``(A) Definition.--The term `national security system'
means any information system (including any
telecommunications system) used or operated by an agency or
by a contractor of an agency, or other organization on behalf
of an agency--
``(i) the function, operation, or use of which--
``(I) involves intelligence activities;
``(II) involves cryptologic activities related to national
security;
``(III) involves command and control of military forces;
``(IV) involves equipment that is an integral part of a
weapon or weapons system; or
``(V) subject to subparagraph (B), is critical to the
direct fulfillment of military or intelligence missions; or
``(ii) is protected at all times by procedures established
for information that have been specifically authorized under
criteria established by an Executive order or an Act of
Congress to be kept classified in the interest of national
defense or foreign policy.
``(B) Exception.--Subparagraph (A)(i)(V) does not include a
system that is to be used for routine administrative and
business applications (including payroll, finance, logistics,
and personnel management applications).
``(8) Threat assessment.--The term `threat assessment'
means the formal description and evaluation of threat to an
information system.
``Sec. 3553. Authority and functions of the Director
``(a) In General.--The Director shall oversee agency
information security policies and practices, including--
``(1) developing and overseeing the implementation of
policies, principles, standards, and guidelines on
information security, including through ensuring timely
agency adoption of and compliance with standards promulgated
under section 11331 of title 40;
``(2) requiring agencies, consistent with the standards
promulgated under such section 11331 and the requirements of
this subchapter, to identify and provide information security
protections commensurate with the risk and magnitude of the
harm resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of--
``(A) information collected or maintained by or on behalf
of an agency; or
``(B) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(3) coordinating the development of standards and
guidelines under section 20 of the National Institute of
Standards and Technology Act (15 U.S.C. 278g-3) with agencies
and offices operating or exercising control of national
security systems (including the National Security Agency) to
assure, to the maximum extent feasible, that such standards
and guidelines are complementary with standards and
guidelines developed for national security systems;
``(4) overseeing agency compliance with the requirements of
this subchapter, including through any authorized action
under section 11303 of title 40, to enforce accountability
for compliance with such requirements;
``(5) reviewing at least annually, and approving or
disapproving, agency information security programs required
under section 3554(b);
``(6) coordinating information security policies and
procedures with related information resources management
policies and procedures;
``(7) overseeing the operation of the Federal information
security incident center required under section 3555; and
``(8) reporting to Congress no later than March 1 of each
year on agency compliance with the requirements of this
subchapter, including--
``(A) an assessment of the development, promulgation, and
adoption of, and compliance with, standards developed under
section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) and promulgated under
section 11331 of title 40;
``(B) significant deficiencies in agency information
security practices;
``(C) planned remedial action to address such deficiencies;
and
``(D) a summary of, and the views of the Director on, the
report prepared by the National Institute of Standards and
Technology under section 20(d)(10) of the National Institute
of Standards and Technology Act (15 U.S.C. 278g-3).
``(b) National Security Systems.--Except for the
authorities described in paragraphs (4) and (8) of subsection
(a), the authorities of the Director under this section shall
not apply to national security systems.
``(c) Department of Defense and Central Intelligence Agency
Systems.--(1) The authorities of the Director described in
paragraphs (1) and (2) of subsection (a) shall be delegated
to the Secretary of Defense in the
[[Page H2038]]
case of systems described in paragraph (2) and to the
Director of Central Intelligence in the case of systems
described in paragraph (3).
``(2) The systems described in this paragraph are systems
that are operated by the Department of Defense, a contractor
of the Department of Defense, or another entity on behalf of
the Department of Defense that processes any information the
unauthorized access, use, disclosure, disruption,
modification, or destruction of which would have a
debilitating impact on the mission of the Department of
Defense.
``(3) The systems described in this paragraph are systems
that are operated by the Central Intelligence Agency, a
contractor of the Central Intelligence Agency, or another
entity on behalf of the Central Intelligence Agency that
processes any information the unauthorized access, use,
disclosure, disruption, modification, or destruction of which
would have a debilitating impact on the mission of the
Central Intelligence Agency.
``Sec. 3554. Agency responsibilities
``(a) In General.--The head of each agency shall--
``(1) be responsible for--
``(A) providing information security protections
commensurate with the risk and magnitude of the harm
resulting from unauthorized access, use, disclosure,
disruption, modification, or destruction of--
``(i) information collected or maintained by or on behalf
of the agency; and
``(ii) information systems used or operated by an agency or
by a contractor of an agency or other organization on behalf
of an agency;
``(B) complying with the requirements of this subchapter
and related policies, procedures, standards, and guidelines,
including--
``(i) information security standards and guidelines
promulgated under section 11331 of title 40 and section 20 of
the National Institute of Standards and Technology Act (15
U.S.C. 278g-3);
``(ii) information security standards and guidelines for
national security systems issued in accordance with law and
as directed by the President; and
``(iii) ensuring the standards implemented for information
systems and national security systems of the agency are
complementary and uniform, to the extent practicable;
``(C) ensuring that information security management
processes are integrated with agency strategic and
operational planning and budget processes, including
policies, procedures, and practices described in subsection
(c)(2);
``(D) as appropriate, maintaining secure facilities that
have the capability of accessing, sending, receiving, and
storing classified information;
``(E) maintaining a sufficient number of personnel with
security clearances, at the appropriate levels, to access,
send, receive and analyze classified information to carry out
the responsibilities of this subchapter; and
``(F) ensuring that information security performance
indicators and measures are included in the annual
performance evaluations of all managers, senior managers,
senior executive service personnel, and political appointees;
``(2) ensure that senior agency officials provide
information security for the information and information
systems that support the operations and assets under their
control, including through--
``(A) assessing the risk and magnitude of the harm that
could result from the unauthorized access, use, disclosure,
disruption, modification, or destruction of such information
or information system;
``(B) determining the levels of information security
appropriate to protect such information and information
systems in accordance with policies, principles, standards,
and guidelines promulgated under section 11331 of title 40
and section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) for information security
classifications and related requirements;
``(C) implementing policies and procedures to cost
effectively reduce risks to an acceptable level;
``(D) with a frequency sufficient to support risk-based
security decisions, testing and evaluating information
security controls and techniques to ensure that such controls
and techniques are effectively implemented and operated; and
``(E) with a frequency sufficient to support risk-based
security decisions, conducting threat assessments by
monitoring information systems, identifying potential system
vulnerabilities, and reporting security incidents in
accordance with paragraph (3)(A)(v);
``(3) delegate to the Chief Information Officer or
equivalent (or a senior agency official who reports to the
Chief Information Officer or equivalent), who is designated
as the `Chief Information Security Officer', the authority
and primary responsibility to develop, implement, and oversee
an agencywide information security program to ensure and
enforce compliance with the requirements imposed on the
agency under this subchapter, including--
``(A) overseeing the establishment and maintenance of a
security operations capability that through automated and
continuous monitoring, when possible, can--
``(i) detect, report, respond to, contain, and mitigate
incidents that impair information security and agency
information systems, in accordance with policy provided by
the Director;
``(ii) commensurate with the risk to information security,
monitor and mitigate the vulnerabilities of every information
system within the agency;
``(iii) continually evaluate risks posed to information
collected or maintained by or on behalf of the agency and
information systems and hold senior agency officials
accountable for ensuring information security;
``(iv) collaborate with the Director and appropriate public
and private sector security operations centers to detect,
report, respond to, contain, and mitigate incidents that
impact the security of information and information systems
that extend beyond the control of the agency; and
``(v) report any incident described under clauses (i) and
(ii) to the Federal information security incident center, to
other appropriate security operations centers, and to the
Inspector General of the agency, to the extent practicable,
within 24 hours after discovery of the incident, but no later
than 48 hours after such discovery;
``(B) developing, maintaining, and overseeing an agencywide
information security program as required by subsection (b);
``(C) developing, maintaining, and overseeing information
security policies, procedures, and control techniques to
address all applicable requirements, including those issued
under section 11331 of title 40;
``(D) training and overseeing personnel with significant
responsibilities for information security with respect to
such responsibilities; and
``(E) assisting senior agency officials concerning their
responsibilities under paragraph (2);
``(4) ensure that the agency has a sufficient number of
trained and cleared personnel to assist the agency in
complying with the requirements of this subchapter, other
applicable laws, and related policies, procedures, standards,
and guidelines;
``(5) ensure that the Chief Information Security Officer,
in consultation with other senior agency officials, reports
periodically, but not less than annually, to the agency head
on--
``(A) the effectiveness of the agency information security
program;
``(B) information derived from automated and continuous
monitoring, when possible, and threat assessments; and
``(C) the progress of remedial actions;
``(6) ensure that the Chief Information Security Officer
possesses the necessary qualifications, including education,
training, experience, and the security clearance required to
administer the functions described under this subchapter; and
has information security duties as the primary duty of that
official; and
``(7) ensure that components of that agency establish and
maintain an automated reporting mechanism that allows the
Chief Information Security Officer with responsibility for
the entire agency, and all components thereof, to implement,
monitor, and hold senior agency officers accountable for the
implementation of appropriate security policies, procedures,
and controls of agency components.
``(b) Agency Program.--Each agency shall develop, document,
and implement an agencywide information security program,
approved by the Director and consistent with components
across and within agencies, to provide information security
for the information and information systems that support the
operations and assets of the agency, including those provided
or managed by another agency, contractor, or other source,
that includes--
``(1) automated and continuous monitoring, when possible,
of the risk and magnitude of the harm that could result from
the disruption or unauthorized access, use, disclosure,
modification, or destruction of information and information
systems that support the operations and assets of the agency;
``(2) consistent with guidance developed under section
11331 of title 40, vulnerability assessments and penetration
tests commensurate with the risk posed to agency information
systems;
``(3) policies and procedures that--
``(A) cost effectively reduce information security risks to
an acceptable level;
``(B) ensure compliance with--
``(i) the requirements of this subchapter;
``(ii) policies and procedures as may be prescribed by the
Director, and information security standards promulgated
pursuant to section 11331 of title 40;
``(iii) minimally acceptable system configuration
requirements, as determined by the Director; and
``(iv) any other applicable requirements, including--
``(I) standards and guidelines for national security
systems issued in accordance with law and as directed by the
President; and
``(II) the National Institute of Standards and Technology
standards and guidance;
``(C) develop, maintain, and oversee information security
policies, procedures, and control techniques to address all
applicable requirements, including those promulgated pursuant
section 11331 of title 40; and
``(D) ensure the oversight and training of personnel with
significant responsibilities for information security with
respect to such responsibilities;
``(4) with a frequency sufficient to support risk-based
security decisions, automated and continuous monitoring, when
possible, for testing and evaluation of the effectiveness and
compliance of information security policies, procedures, and
practices, including--
[[Page H2039]]
``(A) controls of every information system identified in
the inventory required under section 3505(c); and
``(B) controls relied on for an evaluation under this
section;
``(5) a process for planning, implementing, evaluating, and
documenting remedial action to address any deficiencies in
the information security policies, procedures, and practices
of the agency;
``(6) with a frequency sufficient to support risk-based
security decisions, automated and continuous monitoring, when
possible, for detecting, reporting, and responding to
security incidents, consistent with standards and guidelines
issued by the National Institute of Standards and Technology,
including--
``(A) mitigating risks associated with such incidents
before substantial damage is done;
``(B) notifying and consulting with the Federal information
security incident center and other appropriate security
operations response centers; and
``(C) notifying and consulting with, as appropriate--
``(i) law enforcement agencies and relevant Offices of
Inspectors General; and
``(ii) any other agency, office, or entity, in accordance
with law or as directed by the President; and
``(7) plans and procedures to ensure continuity of
operations for information systems that support the
operations and assets of the agency.
``(c) Agency Reporting.--Each agency shall--
``(1) submit an annual report on the adequacy and
effectiveness of information security policies, procedures,
and practices, and compliance with the requirements of this
subchapter, including compliance with each requirement of
subsection (b) to--
``(A) the Director;
``(B) the Committee on Homeland Security and Governmental
Affairs of the Senate;
``(C) the Committee on Oversight and Government Reform of
the House of Representatives;
``(D) other appropriate authorization and appropriations
committees of Congress; and
``(E) the Comptroller General;
``(2) address the adequacy and effectiveness of information
security policies, procedures, and practices in plans and
reports relating to--
``(A) annual agency budgets;
``(B) information resources management of this subchapter;
``(C) information technology management under this chapter;
``(D) program performance under sections 1105 and 1115
through 1119 of title 31, and sections 2801 and 2805 of title
39;
``(E) financial management under chapter 9 of title 31, and
the Chief Financial Officers Act of 1990 (31 U.S.C. 501 note;
Public Law 101-576);
``(F) financial management systems under the Federal
Financial Management Improvement Act of 1996 (31 U.S.C. 3512
note); and
``(G) internal accounting and administrative controls under
section 3512 of title 31; and
``(3) report any significant deficiency in a policy,
procedure, or practice identified under paragraph (1) or
(2)--
``(A) as a material weakness in reporting under section
3512 of title 31; and
``(B) if relating to financial management systems, as an
instance of a lack of substantial compliance under the
Federal Financial Management Improvement Act of 1996 (31
U.S.C. 3512 note).
``Sec. 3555. Federal information security incident center
``(a) In General.--The Director shall ensure the operation
of a central Federal information security incident center
to--
``(1) provide timely technical assistance to operators of
agency information systems regarding security incidents,
including guidance on detecting and handling information
security incidents;
``(2) compile and analyze information about incidents that
threaten information security;
``(3) inform operators of agency information systems about
current and potential information security threats, and
vulnerabilities; and
``(4) consult with the National Institute of Standards and
Technology, agencies or offices operating or exercising
control of national security systems (including the National
Security Agency), and such other agencies or offices in
accordance with law and as directed by the President
regarding information security incidents and related matters.
``(b) National Security Systems.--Each agency operating or
exercising control of a national security system shall share
information about information security incidents, threats,
and vulnerabilities with the Federal information security
incident center to the extent consistent with standards and
guidelines for national security systems, issued in
accordance with law and as directed by the President.
``(c) Review and Approval.--The Director shall review and
approve the policies, procedures, and guidance established in
this subchapter to ensure that the incident center has the
capability to effectively and efficiently detect, correlate,
respond to, contain, mitigate, and remediate incidents that
impair the adequate security of the information systems of
more than one agency. To the extent practicable, the
capability shall be continuous and technically automated.
``Sec. 3556. National security systems
``The head of each agency operating or exercising control
of a national security system shall be responsible for
ensuring that the agency--
``(1) provides information security protections
commensurate with the risk and magnitude of the harm
resulting from the unauthorized access, use, disclosure,
disruption, modification, or destruction of the information
contained in such system;
``(2) implements information security policies and
practices as required by standards and guidelines for
national security systems, issued in accordance with law and
as directed by the President; and
``(3) complies with the requirements of this subchapter.''.
SEC. 3. TECHNICAL AND CONFORMING AMENDMENTS.
(a) Table of Sections in Title 44.--The table of sections
for chapter 35 of title 44, United States Code, is amended by
striking the matter relating to subchapters II and III and
inserting the following:
``subchapter ii--information security
``Sec.
``3551. Purposes.
``3552. Definitions.
``3553. Authority and functions of the Director.
``3554. Agency responsibilities.
``3555. Federal information security incident center.
``3556. National security systems.''.
(b) Other References.--
(1) Section 1001(c)(1)(A) of the Homeland Security Act of
2002 (6 U.S.C. 511(c)(1)(A)) is amended by striking ``section
3532(3)'' and inserting ``section 3552(b)''.
(2) Section 2222(j)(5) of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552(b)''.
(3) Section 2223(c)(3) of title 10, United States Code, is
amended, by striking ``section 3542(b)(2)'' and inserting
``section 3552(b)''.
(4) Section 2315 of title 10, United States Code, is
amended by striking ``section 3542(b)(2)'' and inserting
``section 3552(b)''.
(5) Section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) is amended--
(A) in subsections (a)(2) and (e)(5), by striking ``section
3532(b)(2)'' and inserting ``section 3552(b)''; and
(B) in subsection (e)--
(i) in paragraph (2), by striking ``section 3532(1)'' and
inserting ``section 3552(b)''; and
(ii) in paragraph (5), by striking ``section 3532(b)(2)''
and inserting ``section 3552(b)''.
(6) Section 8(d)(1) of the Cyber Security Research and
Development Act (15 U.S.C. 7406(d)(1)) is amended by striking
``section 3534(b)'' and inserting ``section 3554(b)''.
SEC. 4. NO ADDITIONAL FUNDS AUTHORIZED.
No additional funds are authorized to carry out the
requirements of section 3554 of title 44, United States Code,
as amended by section 2 of this Act. Such requirements shall
be carried out using amounts otherwise authorized or
appropriated.
SEC. 5. EFFECTIVE DATE.
This Act (including the amendments made by this Act) shall
take effect 30 days after the date of the enactment of this
Act.
The SPEAKER pro tempore. Pursuant to the rule, the gentleman from
California (Mr. Issa) and the gentleman from Maryland (Mr. Cummings)
each will control 20 minutes.
The Chair recognizes the gentleman from California.
General Leave
Mr. ISSA. Mr. Speaker, I ask unanimous consent that all Members may
have 5 legislative days within which to revise and extend their remarks
and include extraneous materials on the bill under consideration.
The SPEAKER pro tempore. Is there objection to the request of the
gentleman from California?
There was no objection.
Mr. ISSA. Mr. Speaker, I yield myself such time as I may consume.
Cybersecurity threats represent one of the most serious national
security and economic challenges we face in our Nation. Whether it's
criminal hackers, organized crime, terrorist networks, or nation-
states, our Nation is under siege from dangerous cybersecurity threats
that grow daily in frequency and sophistication.
It is critical that the Federal Government address cybersecurity
threats in a manner that keeps pace with our Nation's growing
dependence on technology, but current Federal law does not adequately
address the nature of today's cybersecurity threats.
Since the enactment in 2002 of the Federal Information Security
Management Act, or FISMA, it has become a ``check the box'' compliance
activity that all too often has little to do with minimizing cyber
threats. And yet the Government Accountability Office recently found
that security incidents among 24 key agencies increased by 650 percent,
or more than six-fold, in the last 5 years.
To address the rising challenge posed by cyber threats, Ranking
Member Cummings and I introduced last Congress a bill to reauthorize
FISMA. That
[[Page H2040]]
bill was adopted by the House unanimously.
Recently, Mr. Cummings and I reintroduced that legislation as H.R.
1163, the Federal Information Security Amendments Act of 2013. The bill
was voted out of our committee by unanimous vote on March 20. This bill
aims to harness the last decade of technological innovation in securing
Federal information systems.
To enhance the current framework of securing Federal information
technology systems, our bill calls for automated and continuous
monitoring of government information systems--and I'm going to repeat--
automated and continuous monitoring of government information systems.
And it ensures that continuous monitoring finally incorporates regular
threat assessments, not just ``check the box.''
The bill also reaffirms the role of the Office of Management and
Budget with respect to FISMA, recognizing that the budgetary leverage
of the Executive Office of the President is necessary to ensure
agencies are focused on effective security IT systems. Mr. Speaker,
that's particularly significant because IT is the backbone of every
single large and small agency of the government; and only with the
power of the President through the Office of Management and Budget can
you, in fact, ensure that the President has transparency and his
authority is respected throughout all these agencies.
We can no longer afford the ``check the box'' that came out of the
first piece of legislation. It wasn't its intent, and the six-fold
increase in the last 5 years says it has failed us.
While our bill does not include new requirements, restrictions, or
mandates on private, non-Federal computer systems, H.R. 1163 does
highlight the need for stronger public-private partnership. Again, as
we interface over the public Internet, it is critical that the weakest
link be prevented. To that extent, this bill has received strong
support from cybersecurity experts and industry, including TechAmerica,
the Information Technology Industry Council, and the Business Software
Alliance.
I'd like to personally thank Ranking Member Cummings for partnering,
both personally and through his staff, to create a bill that is
necessary, timely, and accurate to meet the growing threat of
cybersecurity.
I encourage all Members to support this timely legislation, and I
reserve the balance of my time.
Mr. CUMMINGS. Mr. Speaker, I yield myself such time as I may consume.
I want to begin by thanking Chairman Issa for sponsoring this
legislation and for making this a truly bipartisan effort. I am pleased
to join the chairman in sponsoring this bill again this Congress.
Also, I thank the other cosponsors of the bill, including the
chairman and the ranking member of the Subcommittee on Government
Operations, Representatives John Mica and Gerry Connolly, and the
chairman and the ranking member of the Subcommittee on National
Security, Representatives Jason Chaffetz and John Tierney.
Last month, the Director of National Intelligence, James Clapper,
placed cyber attacks at the top of his list of national security
threats. This bill is an important step in Congress' response to the
cyber threat. This legislation would ensure that Federal agencies use a
risk-based approach to defend against cyber attacks and protect
government information from being compromised by our adversaries.
It is important that the Federal Government set the example by
ensuring that its own information is protected. The Department of
Energy was hacked in January, and personal data for hundreds of
employees was compromised. We are better than that, Mr. Speaker, and we
can do better.
Personal data for more than 100,000 accounts in the Thrift Savings
Plan was compromised last year when a contractor's computer was hacked.
This bill would shift the Federal Government to a system of continuous
monitoring of information systems. And just this morning, the chairman
said in a hearing that we have to do more with less and we have to
figure out ways to use technology so that we can efficiently and
effectively do the things that we need to do.
This bill goes right in that direction, which is so important. It
would also streamline reporting requirements and ensure that agencies
take a smart, risk-based approach to securing networks.
This bill would continue to authorize the Office of Management and
Budget to set Federal policy for information security. This is
important because we need to hold all the agencies accountable for
developing appropriate standards and living up to those very standards.
OMB is the appropriate entity to be responsible for ensuring that that
happens.
However, nothing in this bill will prevent the Department of Homeland
Security from continuing the great work it is doing to protect our
Nation against potential cyber attacks. The Department has expanded its
cybersecurity workforce and is working with agencies to establish
continuous monitoring. This bill supports that work by making clear
that agencies must take action to protect their networks, rather than
just doing routine ``check the box'' reports, as Chairman Issa just
talked about.
{time} 1240
Today, we have a bipartisan effort. It is truly a bipartisan effort
to address a problem that affects every single American and business,
every entity of our Nation. That's why it's so good that we had all of
our subcommittee rankings and chairmen working together and Mr. Issa
making sure that this legislation got out. As it is so very important,
I urge my colleagues to vote in favor of this legislation.
With that, I reserve the balance of my time.
Mr. ISSA. Mr. Speaker, I yield myself 1\1/2\ minutes.
I want to associate myself with the ranking member's statements.
Mr. Cummings does make the great point that Homeland Security is, in
fact, doing a great deal. And if there is an active activity through
NSA and other agencies, we applaud that.
A great deal of what this bill reauthorization is intended to do, in
working with the subcommittee ranking member Mr. Connolly, is to
recognize that there needs to be a public-private partnership. We need
our private entities to be as strong as they can be so they don't
become conduits for espionage and for attacks. But also that, in fact,
it's the smallest entity of government, the one that you don't think
much of, the one that may not be high priority that, in fact, also has
to be protected: commerce at our public parks; commerce occurring
throughout the Federal Government; and, in fact, just the records that
are so often collected and maintained in places like the Veterans
Administration and so on.
Although they may not represent an immediate threat to national
security, as a veteran, I must tell you the fact that those records sit
there tells all of us, millions of veterans, that we want to have a
robust maintenance of cybersecurity, something that under the current
statute we believe the box is being checked, but not all that needs to
be done is being done.
I reserve the balance of my time.
Mr. CUMMINGS. It gives me great pleasure, Mr. Speaker, to yield 3
minutes to a gentleman who has worked very hard on this issue night and
day, and it's been at the forefront of his efforts, the gentleman from
Virginia (Mr. Connolly).
Mr. CONNOLLY. Mr. Speaker, I thank the distinguished ranking member,
my friend from Maryland, and I also thank the distinguished chairman of
the Oversight and Government Reform Committee.
I proudly join them in cosponsoring this legislation and rising in
strong support of H.R. 1136, the Federal Information Security
Amendments Act of 2013. The chairman and ranking member of the full
committee have worked in a bipartisan fashion to advance this bill to
the floor today, and they deserve great credit.
H.R. 1163 is desperately needed to address a looming and critical
threat to our Nation's economic and national security. As the
Government Accountability Office testified before our committee in its
2013 High Risk Report, the number of cyber incidents has grown
exponentially among Federal agencies and, for that matter, in the
private sector.
Specifically, in the year 2006, they reported 5,503 cyber incidents
to the U.S. Computer Emergency Readiness Team.
[[Page H2041]]
Six years later, that same number was 48,562, which is an astounding
782 percent increase in just 6 years.
According to the Government Accountability Office, cyber attacks
involving Federal systems and critical infrastructure, Mr. Speaker,
could be devastating to the country. Yet, its audits have consistently
revealed information security deficiencies in public and
private, financial and nonfinancial systems.
More troubling, despite producing hundreds of recommendations over
the past 2 fiscal years that would address security-control
deficiencies, the majority of GAO's recommendations have, in fact, not
been fully implemented. Unfortunately, vital Federal assets and
missions will remain at high risk for fraud, misuse, and disruption
unless agencies fully implement the literally hundreds of
recommendations made by the GAO and various offices of the inspectors
general aimed at strengthening the security of critical information
systems.
The sophisticated and rapidly involving cybersecurity threat has
outpaced the security framework established by the former Federal
Information Security Management Act of 2002. FISMA's static,
compliance-based framework, as noted by both the ranking member and the
distinguished chairman of the committee, must be enhanced. It can't be
used as a substitute for developing strategies to counter this threat.
I believe this bipartisan legislation will accomplish that goal by
enhancing FISMA to promote a more dynamic, risk-based approach that
leverages current technology to implement continuous monitoring of
networks and systems.
Specifically, the Federal Information Security Amendments Act will
direct agencies to test and evaluate information security controls and
techniques and conduct threat assessments by monitoring information
systems and identifying potential system vulnerabilities.
The SPEAKER pro tempore. The time of the gentleman has expired.
Mr. CUMMINGS. I yield the gentleman an additional 1\1/2\ minutes.
Mr. CONNOLLY. It will conduct vulnerability assessments and
penetration tests commensurate with the risk posed to agency
information systems and collaborate with OMB and appropriate public-
and private-sector security operations centers on security incidents
that extend beyond the control of the agency to require that security
incidents be reported through an automated and continuous monitoring
capability to the Federal Information Security Incident Center,
appropriate security operations centers, and respective agency Offices
of Inspector General.
Mr. Speaker, I join the distinguished chairman and ranking member of
the Oversight and Government Reform Committee in urging all Members to
support this critical bipartisan cybersecurity legislation that is
urgently needed to provide Federal agencies with the necessary tools to
effectively secure our Federal information systems.
With that, I thank them both for their leadership on this critical
matter.
Mr. ISSA. I reserve the balance of my time.
Mr. CUMMINGS. I yield myself such time as I may consume.
As we have no other speakers, Mr. Speaker, I just want to make it
clear that I think yesterday's incident in Boston should remind us of
how fragile our society is and that there are so many people who want
to do us harm.
A lot of times we concentrate on those kinds of attacks and don't
spend the kind of time we really need to on the cyber attacks, which
can be just as harmful, just as damaging. These cyber attacks can
literally bring our country and our economy to a halt. That's why we
are urging all Members to vote in favor of this.
And it is my hope, Mr. Speaker, that as we are addressing this issue
today, that it will send the word out to the Nation that once again our
committee and this Congress is putting a microscope on this issue and
doing everything in our power to make sure that our efforts are
effective and efficient because the threats are there, and they are
real.
It is up to us. It is our watch. It is our watch, just like a
watchman watching over a fort or watching over a city. We are the
watchmen right now, and it's our watch, and we have to make sure we do
everything in our power to make sure that we protect against this very
clear threat.
With that, I urge all Members to vote in favor of this legislation,
and I yield back the balance of my time and.
Mr. ISSA. Mr. Chairman, I yield myself the balance of my time.
Mr. Speaker, H.R. 1163 has many authors: Mr. Cummings and myself, Mr.
Connolly, Mr. Chaffetz, Mr. Tierney. It also has every committee
chairman and every ranking member here in the House. And I would like
to take a moment to thank all the committee chairmen of Homeland
Security, Foreign Affairs, and House Administration, because staffs
from all of those committees, particularly with the acquiescence of the
chairmen and ranking members, have contributed to our fact-finding to
try to produce a good bill here today.
I think often our committee is viewed as, what is your authority and
so on. This is an odd situation in which, in order for us to bring the
bill here today, we really needed all the agencies and all the
personnel here to be brought to bear so that we could try to fashion a
piece of legislation that would allow the Federal Government to work
better, that would allow the executive branch to execute better on
behalf of the American people.
{time} 1250
Lastly, I would like to thank the outside groups, many of which I
mentioned in my opening statement, but even more who responded when
this bill was posted for comment. They responded with constructive
suggestions.
I know there is a lot of trepidation any time the government is, in
fact, looking at data passing through the system, but this and other
legislation is a balancing act. We cannot have the economy that we
enjoy today if these systems are shut down by attacks. At the same
time, I know I join with the ranking member and all of the authors of
this legislation in that we are committed to making sure we maintain
the personal freedom and the privacy that goes with what we are
entrusted to here in the government.
So, in closing, Mr. Speaker, this is an update. It is not the last
time we will have to update cybersecurity. It is not the last time we
will be here concerned about America's economy so dependent on the
Internet, but it is a good bill. It is ready.
I urge its approval, and I yield back the balance of my time.
Committee on Homeland Security,
House of Representatives,
Washington, DC, April 11, 2013.
Hon. Darrell E. Issa,
Chairman, Committee on Oversight and Government Reform,
Rayburn House Office Building, Washington, DC.
Dear Chairman Issa: On March 20, 2013, the Committee on
Oversight and Government Reform ordered H.R. 1163, the
``Federal Information Security Amendments Act of 2013'',
reported favorably to the House with certain provisions in
the legislation that fall within the Rule X jurisdiction of
the Committee on Homeland Security. Specifically, this
legislation would require the Department of Homeland Security
to share cyber threat information with an information
security center, delegate the authority and primary
responsibility of information security to a Chief Information
Security Officer responsible for overseeing a Department-wide
information security program, and recognize the existence of
a Federal information security incident center, which in
practice, is currently the National Cybersecurity and
Communications Integration Center at the Department of
Homeland Security.
The Office of Management and Budget (OMB) issued Memorandum
M-10-28 on July 6, 2010, transferring many of OMB's Federal
information security and responsibilities to the Department
of Homeland Security. Since Memorandum M-10-28 was issued,
the Department of Homeland Security has conducted the
operational aspects of Federal information security through
the functions of the National Cybersecurity and
Communications Integration Center and the United States
Computer Emergency Readiness Team. This legislation, through
its accompanied report, preserves the operational
capabilities of DHS pertaining to Federal information
security while reaffirming OMB's supervisory role with
respect to FISMA.
I understand the importance of advancing this legislation
to the House floor in an expeditious manner. Therefore, the
Committee on Homeland Security will not seek a sequential
referral over provisions within our jurisdiction. This action
is conditional on our mutual understanding and agreement that
doing so will in no way diminish or alter the jurisdiction of
the Committee on Homeland Security over the subject matter
included in this or similar legislation. In addition, I would
like to thank you for working
[[Page H2042]]
with me on modifying the report that accompanies H.R. 1163 to
ensure the operational role the Department of Homeland
Security plays in the protection of the Nation's Federal
information systems is in no way diminished. I request that
you urge the Speaker to appoint Members of this Committee to
any conference committee for consideration of any provisions
that fall within the jurisdiction of the Committee on
Homeland Security in the House-Senate conference on this or
similar legislation.
I also request that this letter and your response be
included in the committee report on H.R. 1163 and into the
Congressional Record during consideration of this measure on
the House floor. Thank you for your consideration of this
matter.
Sincerely,
Michael T. McCaul,
Chairman.
____
Committee on Oversight and Government Reform, House of
Representatives,
Washington, DC, April 12, 2013.
Hon. Michael McCaul,
Chairman, Committee on Homeland Security, House of
Representatives, Washington, DC.
Dear Mr. Chairman: Thank you for your letter regarding the
Committee on Homeland Security's jurisdictional interest in
H.R. 1163, the ``Federal Information Security Amendments.''
I agree that the Committee on Homeland Security has a valid
jurisdictional interest in federal cybersecurity, and that
the Committee's jurisdiction will not be adversely affected
by your decision to forego consideration of H.R. 1163. As you
have requested, I will support your request for an
appropriate appointment of outside conferees from your
Committee in the event of a House-Senate conference on this
or similar legislation, should such a conference be convened.
Finally, I will include a copy of your letter and this
response in the Committee Report and in the Congressional
Record during the floor consideration of this bill. Thank you
again for your cooperation.
Sincerely,
Darrell Issa,
Chairman.
____
Committee on Science, Space, and Technology, House of
Representatives,
Washington, DC, April 12, 2013.
Hon. Darrell Issa,
Chairman, Committee on Oversight and Government Reform,
Rayburn House Office Building, Washington, DC.
Dear Chairman Issa: I am writing to you concerning the
jurisdictional interest of the Committee on Science, Space,
and Technology in H.R. 1163. the Federal Information Security
Amendments Act of 2013.
I recognize and appreciate the desire to bring this
legislation before the House of Representatives in an
expeditious manner, and accordingly, I will waive further
consideration of this bill in Committee, notwithstanding any
provisions that fall within the jurisdiction of the Committee
on Science, Space, and Technology. This waiver, of course, is
conditional on our mutual understanding that agreeing to
waive consideration of this bill should not be construed as
waiving, reducing, or affecting the jurisdiction of the
Committee on Science, Space, and Technology.
Additionally, the Committee on Science, Space, and
Technology expressly reserves its authority to seek conferees
on any provision within its jurisdiction during any House-
Senate conference that may be convened on this, or any
similar legislation. I ask for your commitment to support any
request by the Committee for conferees on H.R. 1163, as well
as any similar or related legislation.
I ask that a copy of this letter be placed in the Committee
Report on H.R. 1163 and in the Congressional Record during
consideration of this bill on the House floor.
I look forward to continuing to work with you on the
legislation as you work towards enactment of H.R. 1163.
Sincerely,
Lamar Smith,
Chairman, Committee on Science,
Space, and Technology.
____
Committee on Oversight and Government Reform, House of
Representatives,
Washington, DC, April 16, 2013.
Hon. Lamar Smith,
Chairman, Committee on Science, Space, and Technology,
Washington, DC.
Dear Mr. Chairman: Thank you for your letter regarding the
Committee on Science, Space, and Technology's jurisdictional
interest in H.R. 1163, the ``Federal Information Security
Amendments Act of 2013,'' and your willingness to forego
consideration of H.R. 1163 by your committee.
I agree that the Committee on Science, Space, and
Technology has a valid jurisdictional interest in certain
provisions of H.R. 1163 and that the Committee's jurisdiction
will not be adversely affected by your decision to forego
consideration of H.R. 1163. As you have requested, I will
support your request for an appropriate appointment of
outside conferees from your Committee in the event of a
House-Senate conference on this or similar legislation should
such a conference be convened.
Finally, I will include a copy of your letter and this
response in the Committee Report and in the Congressional
Record during the floor consideration of this bill. Thank you
again for your cooperation.
Sincerely,
Darrell Issa,
Chairman.
The SPEAKER pro tempore. The question is on the motion offered by the
gentleman from California (Mr. Issa) that the House suspend the rules
and pass the bill, H.R. 1163.
The question was taken.
The SPEAKER pro tempore. In the opinion of the Chair, two-thirds
being in the affirmative, the ayes have it.
Mr. ISSA. Mr. Speaker, on that I demand the yeas and nays.
The yeas and nays were ordered.
The SPEAKER pro tempore. Pursuant to clause 8 of rule XX, further
proceedings on this motion will be postponed.
____________________