[Congressional Record Volume 161, Number 152 (Monday, October 19, 2015)]
[Senate]
[Pages S7305-S7306]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                           TEXT OF AMENDMENTS

  SA 2712. Mr. HATCH submitted an amendment intended to be proposed by 
him to the bill S. 754, to improve cybersecurity in the United States 
through enhanced sharing of information about cybersecurity threats, 
and for other purposes; which was ordered to lie on the table; as 
follows:

       At the appropriate place, insert the following:

     SEC. __. FEDERAL COMPUTER SECURITY.

       (a) Definitions.--In this section:
       (1) Covered agency.--The term ``covered agency'' means an 
     agency that operates a Federal computer system that provides 
     access to classified information or personally identifiable 
     information.
       (2) Logical access control.--The term ``logical access 
     control'' means a process of granting or denying specific 
     requests to obtain and use information and related 
     information processing services.
       (3) Multi-factor logical access controls.--The term 
     ``multi-factor logical access controls'' means a set of not 
     less than 2 of the following logical access controls:
       (A) Information that is known to the user, such as a 
     password or personal identification number.

[[Page S7306]]

       (B) An access device that is provided to the user, such as 
     a cryptographic identification device or token.
       (C) A unique biometric characteristic of the user.
       (4) Privileged user.--The term ``privileged user'' means a 
     user who, by virtue of function or seniority, has been 
     allocated powers within a Federal computer system, which are 
     significantly greater than those available to the majority of 
     users.
       (b) Inspector General Report on Federal Computer Systems.--
       (1) In general.--Not later than 240 days after the date of 
     enactment of this Act, the Inspector General of each covered 
     agency shall each submit to the Comptroller General of the 
     United States and the appropriate committees of jurisdiction 
     in the Senate and the House of Representatives a report, 
     which shall include information collected from the covered 
     agency for the contents described in paragraph (2) regarding 
     the Federal computer systems of the covered agency.
       (2) Contents.--The report submitted by each Inspector 
     General of a covered agency under paragraph (1) shall 
     include, with respect to the covered agency, the following:
       (A) A description of the logical access standards used by 
     the covered agency to access a Federal computer system that 
     provides access to classified or personally identifiable 
     information, including--
       (i) in aggregate, a list and description of logical access 
     controls used to access such a Federal computer system; and
       (ii) whether the covered agency is using multi-factor 
     logical access controls to access such a Federal computer 
     system.
       (B) A description of the logical access controls used by 
     the covered agency to govern access to Federal computer 
     systems by privileged users.
       (C) If the covered agency does not use logical access 
     controls or multi-factor logical access controls to access a 
     Federal computer system that provides access to classified or 
     personally identifiable information, a description of the 
     reasons for not using such logical access controls or multi-
     factor logical access controls.
       (D) A description of the following data security management 
     practices used by the covered agency:
       (i) The policies and procedures followed to conduct 
     inventories of the software present on the Federal computer 
     systems of the covered agency and the licenses associated 
     with such software.
       (ii) Whether the covered agency has entered into a 
     licensing agreement for the use of software security controls 
     to monitor and detect exfiltration and other threats, 
     including--

       (I) data loss prevention software; or
       (II) digital rights management software.

       (iii) A description of how the covered agency is using 
     software described in clause (ii).
       (iv) If the covered agency has not entered into a licensing 
     agreement for the use of, or is otherwise not using, software 
     described in clause (ii), a description of the reasons for 
     not entering into such a licensing agreement or using such 
     software.
       (E) A description of the policies and procedures of the 
     covered agency with respect to ensuring that entities, 
     including contractors, that provide services to the covered 
     agency are implementing the data security management 
     practices described in subparagraph (D).
       (3) Existing review.--The report required under this 
     subsection may be based in whole or in part on an audit, 
     evaluation, or report relating to programs or practices of 
     the covered agency, and may be submitted as part of another 
     report, including the report required under section 3555 of 
     title 44, United States Code.
       (4) Classified information.--A report submitted under this 
     subsection shall be in unclassified form, but may include a 
     classified annex.
       (5) Availability to members of congress.--A report 
     submitted under this subsection shall be made available upon 
     request by any Member of Congress.
       (c) GAO Economic Analysis and Report on Federal Computer 
     Systems.--
       (1) Report.--Not later than 1 year after the date of 
     enactment of this Act, the Comptroller General of the United 
     States shall submit to Congress a report examining, including 
     an economic analysis of, any impediments to agency use of 
     effective security software and security devices.
       (2) Classified information.--A report submitted under this 
     subsection shall be in unclassified form, but may include a 
     classified annex.

                          ____________________