[Congressional Record Volume 160, Number 119 (Monday, July 28, 2014)]
[House]
[Pages H6935-H6936]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




              SAFE AND SECURE FEDERAL WEBSITES ACT OF 2014

  Mr. BENTIVOLIO. Mr. Speaker, I move to suspend the rules and pass the 
bill (H.R. 3635) to ensure the functionality and security of new 
Federal websites that collect personally identifiable information, and 
for other purposes, as amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 3635

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Safe and Secure Federal 
     Websites Act of 2014''.

     SEC. 2. ENSURING FUNCTIONALITY AND SECURITY OF NEW FEDERAL 
                   WEBSITES THAT COLLECT PERSONALLY IDENTIFIABLE 
                   INFORMATION.

       (a) Certification Requirement.--
       (1) In general.--Except as otherwise provided under this 
     subsection, an agency may not deploy or make available to the 
     public a new Federal PII website until the date on which the 
     chief information officer of the agency submits a 
     certification to Congress that the website is fully 
     functional and secure.
       (2) Transition.--In the case of a new Federal PII website 
     that is operational on the date of the enactment of this Act, 
     paragraph (1) shall not apply until the end of the 90-day 
     period beginning on such date of enactment. If the 
     certification required under paragraph (1) for such website 
     has not been submitted to Congress before the end of such 
     period, the head of the responsible agency shall render the 
     website inaccessible to the public until such certification 
     is submitted to Congress.
       (3) Exception for beta website with explicit permission.--
     Paragraph (1) shall not apply to a website (or portion 
     thereof) that is in a development or testing phase, if the 
     following conditions are met:
       (A) A member of the public may access PII-related portions 
     of the website only after executing an agreement that 
     acknowledges the risks involved.
       (B) No agency compelled, enjoined, or otherwise provided 
     incentives for such a member to access the website for such 
     purposes.
       (4) Construction.--Nothing in this section shall be 
     construed as applying to a website that is operated entirely 
     by an entity (such as a State or locality) that is 
     independent of the Federal Government, regardless of the 
     receipt of funding in support of such website from the 
     Federal Government.
       (b) Definitions.--In this section:
       (1) Agency.--The term ``agency'' has the meaning given that 
     term under section 551 of title 5, United States Code.
       (2) Fully functional.--The term ``fully functional'' means, 
     with respect to a new Federal PII website, that the website 
     can fully support the activities for which it is designed or 
     intended with regard to the eliciting, collection, storage, 
     or maintenance of personally identifiable information, 
     including handling a volume of queries relating to such 
     information commensurate with the purpose for which the 
     website is designed.
       (3) New federal personally identifiable information website 
     (new federal pii website).--The terms ``new Federal 
     personally identifiable information website'' and ``new 
     Federal PII website'' mean a website that--
       (A) is operated by (or under a contract with) an agency;
       (B) elicits, collects, stores, or maintains personally 
     identifiable information of individuals and is accessible to 
     the public; and
       (C) is first made accessible to the public and collects or 
     stores personally identifiable information of individuals, on 
     or after October 1, 2012.
       (4) Operational.--The term ``operational'' means, with 
     respect to a website, that such website elicits, collects, 
     stores, or maintains personally identifiable information of 
     members of the public and is accessible to the public.
       (5) Personally identifiable information (pii).--The terms 
     ``personally identifiable information'' and ``PII'' mean any 
     information about an individual elicited, collected, stored, 
     or maintained by an agency, including--
       (A) any information that can be used to distinguish or 
     trace the identity of an individual, such as a name, a social 
     security number, a date and place of birth, a mother's maiden 
     name, or biometric records; and
       (B) any other information that is linked or linkable to an 
     individual, such as medical, educational, financial, and 
     employment information.
       (6) Responsible agency.--The term ``responsible agency'' 
     means, with respect to a new Federal PII website, the agency 
     that is responsible for the operation (whether directly or 
     through contracts with other entities) of the website.
       (7) Secure.--The term ``secure'' means, with respect to a 
     new Federal PII website, that the following requirements are 
     met:
       (A) The website is in compliance with subchapter III of 
     chapter 35 of title 44, United States Code.
       (B) The website ensures that personally identifiable 
     information elicited, collected, stored, or maintained in 
     connection with the website is captured at the latest 
     possible step in a user input sequence.
       (C) The responsible agency for the website has taken 
     reasonable efforts to minimize domain name confusion, 
     including through additional domain registrations.
       (D) The responsible agency requires all personnel who have 
     access to personally identifiable information in connection 
     with the website to have completed a Standard Form 85P and 
     signed a non-disclosure agreement with respect to personally 
     identifiable information, and the agency takes proper 
     precautions to ensure only trustworthy persons may access 
     such information.
       (E) The responsible agency maintains (either directly or 
     through contract) sufficient personnel to respond in a timely 
     manner to issues relating to the proper functioning and 
     security of the website, and to monitor on an ongoing basis 
     existing and emerging security threats to the website.
       (8) State.--The term ``State'' means each State of the 
     United States, the District of Columbia, each territory or 
     possession of the United States, and each federally 
     recognized Indian tribe.

     SEC. 3. PRIVACY BREACH REQUIREMENTS.

       (a) Information Security Amendment.--Subchapter III of 
     chapter 35 of title 44, United States Code, is amended by 
     adding at the end the following:

     ``Sec. 3550. Privacy breach requirements

       ``(a) Policies and Procedures.--The Director of the Office 
     of Management and Budget shall establish and oversee policies 
     and procedures for agencies to follow in the event of a 
     breach of information security involving the disclosure of 
     personally identifiable information, including requirements 
     for--
       ``(1) not later than 72 hours after the agency discovers 
     such a breach, or discovers evidence that reasonably 
     indicates such a breach has occurred, notice to the 
     individuals whose personally identifiable information could 
     be compromised as a result of such breach;
       ``(2) timely reporting to a Federal cybersecurity center, 
     as designated by the Director of the Office of Management and 
     Budget; and
       ``(3) any additional actions that the Director finds 
     necessary and appropriate, including data breach analysis, 
     fraud resolution services, identity theft insurance, and 
     credit protection or monitoring services.
       ``(b) Required Agency Action.--The head of each agency 
     shall ensure that actions taken in response to a breach of 
     information security involving the disclosure of personally 
     identifiable information under the authority or control of 
     the agency comply with policies and procedures established by 
     the Director of the Office of Management and Budget under 
     subsection (a).
       ``(c) Report.--Not later than March 1 of each year, the 
     Director of the Office of Management and Budget shall report 
     to Congress on agency compliance with the policies and 
     procedures established under subsection (a).
       ``(d) Federal Cybersecurity Center Defined.--The term 
     `Federal cybersecurity center' means any of the following:
       ``(1) The Department of Defense Cyber Crime Center.
       ``(2) The Intelligence Community Incident Response Center.
       ``(3) The United States Cyber Command Joint Operations 
     Center.
       ``(4) The National Cyber Investigative Joint Task Force.
       ``(5) Central Security Service Threat Operations Center of 
     the National Security Agency.
       ``(6) The United States Computer Emergency Readiness Team.
       ``(7) Any successor to a center, team, or task force 
     described in paragraphs (1) through (6).
       ``(8) Any center that the Director of the Office of 
     Management and Budget determines is appropriate to carry out 
     the requirements of this section.''.
       (b) Technical and Conforming Amendment.--The table of 
     sections for subchapter III of chapter 35 of title 44, United 
     States Code, is amended by adding at the end the following:

``3550. Privacy breach requirements.''.

  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from 
Michigan (Mr. Bentivolio) and the gentleman from Massachusetts (Mr. 
Lynch) each will control 20 minutes.
  The Chair recognizes the gentleman from Michigan.


                             General Leave

  Mr. BENTIVOLIO. Mr. Speaker, I ask unanimous consent that all Members 
may have 5 legislative days within which to revise and extend their 
remarks and include extraneous material on the bill under 
consideration.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Michigan?
  There was no objection.
  Mr. BENTIVOLIO. Mr. Speaker, I yield myself such time as I may 
consume.
  Mr. Speaker, we, as Members of Congress, have been sent here to 
protect the people's right to privacy, not take it away. My bill, H.R. 
3635, will help to instill confidence in Americans that their privacy 
and personal information are secure. H.R. 3635 will help ensure the 
functionality and security of Federal Web sites. The escalation of 
security breaches involving personally identifiable information has 
contributed to the loss of millions of records over the past few years, 
both within and outside the Federal Government.
  Web sites that fail to meet their intended function are a waste of 
taxpayer dollars and can result in needless frustration to the end user 
who is trying to access a Federal service or benefit. The harm to the 
Federal Government is the loss of public trust, as well as potential 
legal liability or remediation costs that the taxpayer may ultimately 
bear.
  H.R. 3635 guards against the loss of the public's trust by requiring 
agency chief information officers to certify that Federal Web sites 
collecting personally identifiable information are fully functional and 
secure. In addition, the bill requires agencies to notify affected 
individuals that their personally identifiable information may have 
been compromised within 72 hours of a known or suspected data breach.
  I would like to thank Chairman Issa, Ranking Member Cummings, and 
Congressman Connolly for their support of the bill, along with Chairman 
McCaul and committee staff.
  I reserve the balance of my time.
  Mr. LYNCH. Mr. Speaker, I yield myself such time as I may consume.
  I think we all agree that Federal agency Web sites must be secure in 
order to protect taxpayers from being the victims of an information 
security breach. For that reason, I support the measure before us, the 
Safe and Secure Federal Websites Act. The recent data breaches at 
Target, Neiman Marcus, and other retail establishments affected more 
than 100 million Americans. The importance of information security 
cannot be overstated.
  It is the responsibility of Congress to ensure that the Federal 
Government is not the source of these types of data breaches and to 
ensure that the personally identifiable information of American 
citizens is not compromised through Federal Web sites. This bill would 
require agency chief information officers to certify to Congress the 
functionality and security of new or substantially modified Web sites 
that contain personally identifiable information. It would also require 
that existing Web sites that contain personally identifiable 
information meet these security requirements within 90 days.
  We are not known for our speed around here, so I am not entirely sure 
that that will be enough for agencies to secure existing Web sites. I 
hope, as this bill moves forward in the legislation, the timeliness 
issue is addressed. However, overall, these requirements are positive, 
beginning steps in preventing harmful data breaches within the Federal 
Government.
  I also want to take special time to mention and to thank Congressman 
Connolly from Virginia for his positive contribution to this 
legislation and for his work on data security issues. Mr. Connolly's 
amendment to this legislation closes the loopholes in Federal privacy 
requirements and streamlines Federal oversight of agency implementation 
of privacy policies and procedures pertaining to agency responses to 
security incidents involving personally identifiable information.
  I join with the gentleman from Virginia in sincerely hoping that we 
can continue to work together to move this bill forward in a bipartisan 
manner. I also hope that we can work together to ensure that this bill 
is compatible with the existing framework of the Federal Security 
Management Act.
  I have no further speakers, and I yield back the balance of my time.
  Mr. BENTIVOLIO. Mr. Speaker, I yield myself such time as I may 
consume.
  This bill has 126 cosponsors and passed out of committee with 
bipartisan support. I strongly urge passage of this bill to protect the 
privacy of Americans accessing Federal Web sites and support this 
bipartisan legislation.
  Mr. Speaker, I yield back the balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentleman from Michigan (Mr. Bentivolio) that the House suspend the 
rules and pass the bill, H.R. 3635, as amended.
  The question was taken; and (two-thirds being in the affirmative) the 
rules were suspended and the bill, as amended, was passed.
  A motion to reconsider was laid on the table.

                          ____________________