[House Report 110-777]
[From the U.S. Government Publishing Office]





110th Congress                                                   Report
                        HOUSE OF REPRESENTATIVES
 2d Session                                                     110-777

======================================================================



 
    HOMELAND SECURITY NETWORK DEFENSE AND ACCOUNTABILITY ACT OF 2008

                                _______
                                

 July 24, 2008.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

 Mr. Thompson of Mississippi, from the Committee on Homeland Security, 
                        submitted the following

                              R E P O R T

                        [To accompany H.R. 5983]

      [Including cost estimate of the Congressional Budget Office]

  The Committee on Homeland Security, to whom was referred the 
bill (H.R. 5983) to amend the Homeland Security Act of 2002 to 
enhance the information security of the Department of Homeland 
Security, and for other purposes, having considered the same, 
report favorably thereon with an amendment and recommend that 
the bill as amended do pass.

                                CONTENTS

                                                                   Page
Purpose and Summary..............................................     5
Background and Need for Legislation..............................     5
Hearings.........................................................     5
Committee Consideration..........................................     6
Committee Votes..................................................     7
Committee Oversight Findings.....................................     7
New Budget Authority, Entitlement Authority, and Tax Expenditures     7
Congressional Budget Office Estimate.............................     7
Statement of General Performance Goals and Objectives............     8
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
  Benefits.......................................................     9
Federal Mandates Statement.......................................     9
Advisory Committee Statement.....................................     9
Constitutional Authority Statement...............................     9
Applicability to Legislative Branch..............................     9
Section-by-Section Analysis of the Legislation...................     9
Changes in Existing Law Made by the Bill, as Reported............    12
Committee Correspondence.........................................    18

  The amendment is as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

   This Act may be cited as the ``Homeland Security Network Defense and 
Accountability Act of 2008''.

SEC. 2. AUTHORITY OF CHIEF INFORMATION OFFICER; QUALIFICATIONS FOR 
                    APPOINTMENT.

  Section 703(a) of the Homeland Security Act of 2002 (6 U.S.C. 343(a)) 
is amended--
          (1) by inserting before the first sentence the following:
          ``(1) Authorities and duties.--The Secretary shall delegate 
        to the Chief Information Officer such authority necessary for 
        the development, approval, implementation, integration, and 
        oversight of policies, procedures, processes, activities, 
        funding, and systems of the Department relating to the 
        management of information and information infrastructure for 
        the Department, including the management of all related mission 
        applications, information resources, and personnel.
          ``(2) Line authority.--''; and
          (2) by adding at the end the following new paragraphs:
          ``(3) Qualifications for appointment.--An individual may not 
        be appointed as Chief Information Officer unless the individual 
        has--
                  ``(A) demonstrated ability in and knowledge of 
                information technology and information security; and
                  ``(B) not less than 5 years of executive leadership 
                and management experience in information technology and 
                information security in the public or private sector.
          ``(4) Functions.--The Chief Information Officer shall--
                  ``(A) establish and maintain an incident response 
                team that provides a continuous, real-time capability 
                within the Department of Homeland Security to--
                          ``(i) detect, respond to, contain, 
                        investigate, attribute, and mitigate any 
                        computer incident, as defined by the National 
                        Institute of Standards and Technology, that 
                        could violate or pose an imminent threat of 
                        violation of computer security policies, 
                        acceptable use policies, or standard security 
                        practices of the Department; and
                          ``(ii) deliver timely notice of any incident 
                        to individuals responsible for information 
                        infrastructure of the Department, and to the 
                        United States Computer Emergency Readiness 
                        Team;
                  ``(B) establish, maintain, and update a network 
                architecture, including a diagram detailing how 
                security controls are positioned throughout the 
                information infrastructure of the Department to 
                maintain the confidentiality, integrity, availability, 
                accountability, and assurance of electronic 
                information; and
                  ``(C) ensure that vulnerability assessments are 
                conducted on a regular basis for any Department 
                information infrastructure connected to the Internet or 
                another external network, and that vulnerabilities are 
                mitigated in a timely fashion.''.

SEC. 3. ATTACK-BASED TESTING PROTOCOLS.

  Section 703 of the Homeland Security Act of 2002 (6 U.S.C. 343) is 
amended by adding at the end the following new subsection:
  ``(c) Attack-Based Testing Protocols.--The Chief Information Officer, 
in consultation with the Inspector General, the Assistant Secretary for 
Cybersecurity, and the heads of other appropriate Federal agencies, 
shall--
          ``(1) establish security control testing protocols that 
        ensure that the Department's information infrastructure is 
        effectively protected against known attacks against and 
        exploitations of Federal and contractor information 
        infrastructure;
          ``(2) oversee the deployment of such protocols throughout the 
        information infrastructure of the Department; and
          ``(3) update such protocols on a regular basis.''.

SEC. 4. INSPECTOR GENERAL REVIEWS OF INFORMATION INFRASTRUCTURE.

  Section 703 of the Homeland Security Act of 2002 (6 U.S.C. 343) is 
further amended by adding at the end the following new subsection:
  ``(d) Inspector General Reviews.--
          ``(1) In general.--The Inspector General of the Department 
        shall use authority under the Inspector General Act of 1978 (5 
        App. U.S.C.) to conduct announced and unannounced performance 
        reviews and programmatic reviews of the information 
        infrastructure of the Department to determine the effectiveness 
        of security policies and controls of the Department.
          ``(2) Performance reviews.--Performance reviews under this 
        subsection shall test and validate a system's security controls 
        using the protocols created under subsection (c), beginning not 
        later than 270 days after the date of enactment of the Homeland 
        Security Network Defense and Accountability Act of 2008.
          ``(3) Programmatic reviews.--Programmatic reviews under this 
        subsection shall--
                  ``(A) determine whether an agency of the Department 
                is complying with policies, processes, and procedures 
                established by the Chief Information Officer; and
                  ``(B) focus on risk assessment, risk management, and 
                risk mitigation, with primary regard to the 
                implementation of best practices such as 
                authentication, access control (including remote 
                access), intrusion detection and prevention, data 
                protection and integrity, and any other controls that 
                the Inspector General considers necessary.
          ``(4) Information security report.--The Inspector General 
        shall submit a security report containing the results of each 
        review under this subsection and prioritized recommendations 
        for improving security controls based on that review, including 
        recommendations regarding funding changes and personnel 
        management, to--
                  ``(A) the Secretary;
                  ``(B) the Chief Information Officer; and
                  ``(C) the head of the Department component that was 
                the subject of the review, and other appropriate 
                individuals responsible for the information 
                infrastructure of such agency.
          ``(5) Corrective action report.--
                  ``(A) In general.--Within 60 days after receiving a 
                security report under paragraph (4), the head of the 
                Department component that was the subject of the review 
                and the Chief Information Officer shall jointly submit 
                a corrective action report to the Secretary and the 
                Inspector General.
                  ``(B) Contents.--The corrective action report--
                          ``(i) shall contain a plan for addressing 
                        recommendations and mitigating vulnerabilities 
                        contained in the security report, including a 
                        timeline and budget for implementing such plan; 
                        and
                          ``(ii) shall note any matters in disagreement 
                        between the head of the Department component 
                        and the Chief Information Officer.
          ``(6) Reports to congress.--
                  ``(A) Annual reports.--In conjunction with the 
                reporting requirements of section 3545 of title 44, 
                United States Code, the Inspector General shall submit 
                an annual report to the Committee on Homeland Security 
                of the House of Representatives and the Committee on 
                Homeland Security and Governmental Affairs of the 
                Senate--
                          ``(i) summarizing the performance and 
                        programmatic reviews performed during the 
                        preceding fiscal year, the results of those 
                        reviews, and any actions that remain to be 
                        taken under plans included in corrective action 
                        reports under paragraph (5); and
                          ``(ii) describing the effectiveness of the 
                        testing protocols developed under subsection 
                        (c) in reducing successful exploitations of the 
                        Department's information infrastructure.
                  ``(B) Security reports and corrective action 
                reports.--The Inspector General shall make all security 
                reports and corrective action reports available to any 
                member of the Committee on Homeland Security of the 
                House of Representatives, any member of the Committee 
                on Homeland Security and Governmental Affairs of the 
                Senate, and the Comptroller General of the United 
                States, upon request.''.

SEC. 5. INFORMATION INFRASTRUCTURE DEFINED.

  Section 703 of the Homeland Security Act of 2002 (6 U.S.C. 343) is 
further amended by adding at the end the following:
  ``(e) Information Infrastructure Defined.--In this section, the term 
`information infrastructure' means systems and assets used in 
processing, transmitting, receiving, or storing information 
electronically.''.

SEC. 6. NETWORK SERVICE PROVIDERS.

  (a) In General.--Subtitle D of title VIII of the Homeland Security 
Act of 2002 (6 U.S.C. 391 et seq.) is amended by adding at the end the 
following new section:

``SEC. 836. REQUIREMENTS FOR NETWORK SERVICE PROVIDERS.

  ``(a) Compatibility Determination.--
          ``(1) In general.--Before entering into or renewing a covered 
        contract, the Secretary, acting through the Chief Information 
        Officer, must determine that the contractor has an internal 
        information systems security policy that complies with the 
        Department's information security requirements for risk 
        assessment, risk management, and risk mitigation, with primary 
        regard to the implementation of best practices such as 
        authentication, access control (including remote access), 
        intrusion detection and prevention, data protection and 
        integrity, and any other policies that the Secretary considers 
        necessary to ensure the security of the Department's 
        information infrastructure.
          ``(2) Limitation on public disclosures.--The Chief 
        Information Officer shall not disclose to the public any 
        information provided for purposes of such determination, 
        notwithstanding any other provision of Federal, State, or local 
        law, including section 552 of title 5, United States Code.
  ``(b) Contract Requirements Regarding Security.--The Secretary shall 
include in each covered contract provisions requiring the contractor 
to--
          ``(1) implement and regularly update the internal information 
        systems security policy required under subsection (a);
          ``(2) maintain the capability to provide contracted services 
        on a continuing and ongoing basis to the Department in the 
        event of unplanned or disruptive event; and
          ``(3) deliver timely notice of any internal computer 
        incident, as defined by the National Institute of Standards and 
        Technology, that could violate or pose an imminent threat of 
        violation of computer security policies, acceptable use 
        policies, or standard security practices at the Department, to 
        the United States Computer Emergency Readiness Team and the 
        incident response team established under section 703(a)(4).
  ``(c) Contract Requirements Regarding Subcontracting.--The Secretary 
shall include in each covered contract--
          ``(1) a requirement that the contractor develop and implement 
        a plan for the award of subcontracts, as appropriate, to small 
        business concerns and disadvantaged business concerns in 
        accordance with other applicable requirements, including the 
        terms of such plan, as appropriate; and
          ``(2) a requirement that the contractor submit to the 
        Secretary, during performance of the contract, periodic reports 
        describing the extent to which the contractor has complied with 
        such plan, including specification (by total dollar amount and 
        by percentage of the total dollar value of the contract) of the 
        value of subcontracts awarded at all tiers of subcontracting to 
        small business concerns, including socially and economically 
        disadvantaged small businesses concerns, small business 
        concerns owned and controlled by service-disabled veterans, 
        HUBZone small business concerns, small business concerns 
        eligible to be awarded contracts pursuant to section 8(a) of 
        the Small Business Act (15 U.S.C. 637(a)), and Historically 
        Black Colleges and Universities and Hispanic-serving 
        institutions, tribal colleges and universities, and other 
        minority institutions.
  ``(d) Existing Contracts.--The Secretary shall, to the extent 
practicable under the terms of existing contracts, require each 
contractor who provides covered information services under a contract 
in effect on the date of the enactment of the Homeland Security Network 
Defense and Accountability Act of 2008 to comply with the requirements 
described in subsection (b).
  ``(e) Definitions.--For purposes of this section:
          ``(1) Socially and economically disadvantaged small 
        businesses concern, small business concern owned and controlled 
        by service-disabled veterans, and hubzone small business 
        concern.--The terms `socially and economically disadvantaged 
        small businesses concern', `small business concern owned and 
        controlled by service-disabled veterans', and `HUBZone small 
        business concern' have the meanings given such terms under the 
        Small Business Act (15 U.S.C. 631 et seq.).
          ``(2) Contractor.--The term `contractor' includes each 
        subcontractor of a contractor.
          ``(3) Covered contract.--The term `covered contract' means a 
        contract entered into or renewed after the date of the 
        enactment of the Homeland Security Network Defense and 
        Accountability Act of 2008 for the provision of covered 
        information services.
          ``(4) Covered information services.--The term `covered 
        information services' means creation, management, maintenance, 
        control, or operation of information networks or Internet Web 
        sites for the Department.
          ``(5) Historically black colleges and universities.--The term 
        `Historically Black Colleges and Universities' means part B 
        institutions under title III of the Higher Education Act of 
        1965 (20 U.S.C. 1061).
          ``(6) Hispanic-serving institution.--The term `Hispanic-
        serving institution' has the meaning given such term under 
        title V of the Higher Education Act of 1965 (20 U.S.C. 
        1101a(a)(5)).
          ``(7) Information infrastructure.--The term `information 
        infrastructure' has the meaning that term has under section 
        703.
          ``(8) Tribal colleges and universities.--The term `tribal 
        colleges and universities' has the meaning given such term 
        under the Tribally Controlled College or University Assistance 
        Act of 1978 (25 U.S.C. 1801 et seq.).''.
  (b) Clerical Amendment.--The table of contents in section 1(b) of 
such Act is amended by inserting after the item relating to section 835 
the following new item:

``Sec. 836. Requirements for network service providers.''.
  (c) Report.--Within 90 days after the date of enactment of this Act, 
the Secretary of Homeland Security shall transmit to the Committee on 
Homeland Security of the House of Representatives and the Homeland 
Security and Governmental Affairs Committee of the Senate a report 
describing--
          (1) the progress in implementing requirements issued by the 
        Office of Management and Budget for encryption, authentication, 
        Internet Protocol version 6, and Trusted Internet Connections, 
        including a timeline for completion;
          (2) a plan, including an estimated budget and a timeline, to 
        investigate breaches against the Department of Homeland 
        Security's information infrastructure for purposes of 
        counterintelligence assessment, attribution, and response;
          (3) a proposal to increase threat information sharing with 
        cleared and uncleared contractors and provide specialized 
        damage assessment training to private sector information 
        security professionals; and
          (4) a process to coordinate the Department of Homeland 
        Security's information infrastructure protection activities.

                          Purpose and Summary

    The purpose of H.R. 5983 is to amend the Homeland Security 
Act of 2002 to enhance the information security of the 
Department of Homeland Security, and for other purposes.

                  Background and Need for Legislation

    During the course of the 110th Congress, the Subcommittee 
on Emerging Threats, Cybersecurity, Science and Technology of 
the Committee on Homeland Security conducted dozens of hearings 
and investigations into cybersecurity issues affecting Federal 
and critical infrastructure networks, with the goal of 
increasing public awareness, fixing vulnerabilities, and 
holding individuals, agencies, and private sector entities 
responsible and accountable for their actions. The Committee 
became particularly concerned with improving the information 
security posture of the Department of Homeland Security, 
regarded by many experts--including the Government 
Accountability Office--as having inadequate security controls 
in place to safeguard the existing information infrastructure. 
For instance, during one investigation into the Department's 
information security practices, the Committee found that 
weaknesses in security practices resulted in the exfiltration 
of Departmental data to foreign-language websites. The 
Committee believes that over time, the theft of critical 
information from Government servers like those operated by the 
Department could be harmful to the national and economic 
security of the United States.
    The Committee believes the Department of Homeland Security 
should be the nation's leader in information security, and 
seeks to hold the Department to higher standards than other 
executive agencies through this legislation.

                                Hearings

    No hearings were held on H.R. 5983, however the Committee 
conducted oversight hearings on cybersecurity issues.
    On February 15, 2007, the Committee on Homeland Security 
held a hearing entitled ``Lessons Learned and Grading Goals: 
The Department of Homeland Security in 2007.'' The Committee 
received testimony from Michael Jackson, Deputy Secretary, 
Department of Homeland Security.
    On April 19, 2007, the Subcommittee on Emerging Threats, 
Cybersecurity and Science and Technology held a hearing 
entitled ``Cyber Insecurity: Hackers are Penetrating Federal 
Systems and Critical Infrastructure.'' The Subcommittee 
received testimony from Mr. Greg Wilshusen, Director, 
Information Security Issues, Government Accountability Office; 
Mr. Donald Reid, Senior Coordinator for Security 
Infrastructure, Bureau of Diplomatic Security, Department of 
State; Mr. Dave Jarrell, Manager, Critical Infrastructure 
Protection Program, Department of Commerce; Mr. Jerry Dixon, 
Director, National Cyber Security Division, Department of 
Homeland Security; Mr. Aaron Turner, Cybersecurity Strategist, 
National & Homeland Security, Idaho National Laboratory; and 
Mr. Ken Silva, Chief Security Officer, VeriSign.
    On April 25, 2007, the Subcommittee on Emerging Threats, 
Cybersecurity and Science and Technology held a hearing 
entitled ``Addressing the Nation's Cybersecurity Challenges: 
Reducing Vulnerabilities Requires Strategic Investment and 
Immediate Action.'' The Subcommittee received testimony from 
Dr. Daniel E. Geer, Jr., Principal, Geer Risk Services, LLC; 
Dr. James Andrew Lewis, Director and Senior Fellow, Technology 
and Public Policy Program, Center for Strategic and 
International Studies; Dr. Douglas Maughan, Program Manager, 
Cyber Security R&D, science and Technology Directorate, 
Department of Homeland Security; and Mr. O. Sami Saydjari, 
President, Professionals for Cyber Defense Chief Executive 
Officer, Cyber Defense Agency, LLC.
    On June 20, 2007, the Subcommittee on Emerging Threats, 
Cybersecurity and Science and Technology held a hearing 
entitled ``Hacking the Homeland: Investigating Cybersecurity 
Vulnerabilities at the Department of Homeland Security.'' The 
Subcommittee received testimony from Mr. Scott Charbo, Chief 
Information Officer, Department of Homeland Security; Mr. Greg 
Wilshusen, Director, Information Security Issues, Government 
Accountability Office; and Mr. Keith A. Rhodes, Chief 
Technologist, Director, Center for Technology and Engineering, 
Government Accountability Office.

                        Committee Consideration

    H.R. 5983 was introduced in the House by Mr. Langevin and 
Mr. Thompson of Mississippi on May 7, 2008, and referred solely 
to the Committee on Homeland Security.
    The Committee on Homeland Security considered H.R. 5983 on 
June 26, 2008, and ordered the measure to be reported to the 
House favorably, as amended, by voice vote.
          The following amendment was offered:
          An Amendment in the Nature of a Substitute offered by 
        Mr. Langevin (#1); was AGREED TO by unanimous consent.

                            Committee Votes

    Clause 3(b) of Rule XIII of the Rules of the House of 
Representatives requires the Committee to list the recorded 
votes on the motion to report legislation and amendments 
thereto.
    No recorded votes were requested during Committee 
consideration.

                      Committee Oversight Findings

    Pursuant to clause 3(c)(1) of Rule XIII of the Rules of the 
House of Representatives, the Committee has held oversight 
hearings and made findings that are reflected in this report.

   New Budget Authority, Entitlement Authority, and Tax Expenditures

     In compliance with clause 3(c)(2) of Rule XIII of the 
Rules of the House of Representatives, the Committee finds that 
H.R. 5983, the Homeland Security Network Defense and 
Accountability Act of 2008, would result in no new or increased 
budget authority, entitlement authority, or tax expenditures or 
revenues.

                  Congressional Budget Office Estimate

     The Committee adopts as its own the cost estimate prepared 
by the Director of the Congressional Budget Office pursuant to 
section 402 of the Congressional Budget Act of 1974.

                                     U.S. Congress,
                               Congressional Budget Office,
                                     Washington, DC, July 10, 2008.
Hon. Benny G. Thompson,
Chairman, Committee on Homeland Security,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 5983, the Homeland 
Security Network Defense and Accountability Act of 2008.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Mark 
Grabowicz.
            Sincerely,
                                         Robert A. Sunshine
                                   (For Peter R. Orszag, Director).
    Enclosure.

H.R. 5983--Homeland Security Network Defense and Accountability Act of 
        2008

    Summary: H.R. 5983 would direct the Department of Homeland 
Security (DHS) to improve the security of its computer networks 
and increase oversight of contractors that provide network 
services to the department. Assuming appropriation of the 
necessary amounts, CBO estimates that implementing H.R. 5983 
would cost $163 million over the 2009-2013 period for DHS to 
hire additional staff to carry out the bill's provisions. 
Enacting H.R. 5983 would not affect direct spending or 
revenues.
    H.R. 5983 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act (UMRA) 
and would not affect the budgets of state, local, or tribal 
governments.
    Estimated cost to the Federal Government: The estimated 
budgetary impact of H.R. 5983 is shown in the following table. 
The costs of this legislation fall within budget function 750 
(administration of justice).

----------------------------------------------------------------------------------------------------------------
                                                                    By fiscal year, in millions of dollars--
                                                              --------------------------------------------------
                                                                2009    2010    2011    2012    2013   2009-2013
----------------------------------------------------------------------------------------------------------------
                                  CHANGES IN SPENDING SUBJECT TO APPROPRIATION

Estimated Authorization Level................................      27      34      34      35      36       166
Estimated Outlays............................................      25      33      34      35      36       163
----------------------------------------------------------------------------------------------------------------

    Basis of estimate: H.R. 5983 would direct DHS to improve 
the security of its computer networks and increase oversight of 
contractors that provide network services to the department. 
The bill would require the department to establish and maintain 
an incident response team capable of responding at any time to 
a threat to the security of the department's computers.
    Based on information provided by DHS on how the department 
would likely carry out the bill's provisions, CBO expects that 
the department would need to hire about 150 additional staff. 
Additional personnel would be hired by the Chief Information 
Officer, the Inspector General, and the procurement office. We 
estimate that annual costs would reach $33 million by 2010, 
including salaries, benefits, training and support costs, and 
new hardware and software components.
    Estimated intergovernmental and private-sector impact: H.R. 
5983 contains no intergovernmental or private-sector mandates 
as defined in UMRA and would not affect the budgets of state, 
local, or tribal governments.
    Estimate prepared by: Federal Costs: Mark Grabowicz; Impact 
on State, Local, and Tribal Governments: Burke Doherty; Impact 
on the Private Sector: Paige Piper/Bach.
    Estimate approved by: Theresa Gullo, Deputy Assistant 
Director for Budget Analysis.

         Statement of General Performance Goals and Objectives

     Pursuant to clause 3(c)(4) of rule XIII of the Rules of 
the House of Representatives, H.R. 5983 contains the following 
general performance goals, and objectives, including outcome 
related goals and objectives authorized.
    This legislation takes a critical step toward improving the 
cybersecurity posture at the Department of Homeland Security by 
ensuring a robust defense-in-depth of the Department's 
information systems, and holding individuals at all levels 
accountable for mitigating vulnerabilities within the 
information technology infrastructure. The legislation 
establishes authorities and qualifications for the Chief 
Information Officer (CIO) position at the Department, including 
specific operational security practices for the CIO to 
implement. The bill also establishes testing protocols, to 
reduce the number of successful vulnerability exploitations 
throughout the Department's networks. Finally, the legislation 
requires the Secretary of the Department of Homeland Security 
to make determinations about the security posture of 
contractors prior to entering into network service agreements 
with them; create a detailed counter-intelligence plan to 
investigate all cyber breaches; and report on a program to 
increase threat information sharing with cleared contractors. 
Each of these measures will improve the overall information 
security at the Department.

   Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
                                Benefits

     In compliance with rule XXI of the Rules of the House of 
Representatives, this bill, as reported, contains no 
congressional earmarks, limited tax benefits, or limited tariff 
benefits as defined in clause 9(d), 9(e), or 9(f) of the rule 
XXI.

                       Federal Mandates Statement

    The Committee adopts as its own the estimate of Federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

                      Advisory Committee Statement

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                   Constitutional Authority Statement

    Pursuant to clause 3(d)(1) of rule XIII of the Rules of the 
House of Representatives, the Committee finds that the 
Constitutional authority for this legislation is provided in 
Article I, section 8, clause 1, which grants Congress the power 
to provide for the common defense of the United States.

                  Applicability to Legislative Branch

     The Committee finds that the legislation does not relate 
to the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(b)(3) of the Congressional Accountability Act.

             Section-by-Section Analysis of the Legislation


Section 1. Short title

    This section cites the measure as the ``Homeland Security 
Network Defense and Accountability Act of 2008.''

Section 2. Authority of CIO and qualifications

    This section requires the Secretary to delegate authorities 
essential for the Chief Information Officer (CIO) to manage the 
information and information infrastructure for the Department 
and requires a CIO to possess certain qualifications, including 
a background in information security and management. The 
Committee believes the inclusion of professional requirements 
will provide the Department with requisite expertise for such 
an important executive position. Similarly, the Committee is 
concerned that information security has not received the 
attention it deserves. Therefore, the Committee directs the CIO 
to establish and maintain a continuous real-time incident 
response team, a network architecture with security controls, 
and regularly perform vulnerability assessments on the 
infrastructure.

Section 3. Attack-based testing protocols

    This section requires the CIO to consult with the 
Department of Homeland Security Inspector General, the 
Assistant Secretary for Cybersecurity, and the heads of other 
appropriate Federal agencies_including, for instance, the 
Department of Defense and the experienced practitioners at the 
National Security Agency's Information Assurance Division_to 
establish security control testing protocols that will protect 
the Department's information infrastructure against known 
attacks and exploitations. The Committee is concerned that the 
Federal Information Security Management Act (FISMA), while 
bringing much needed public scrutiny to the information 
security practices across the Federal Government, has not been 
as effective in curtailing sophisticated attacks against the 
Federal information infrastructure. Network administrators must 
be able to identify and mitigate ongoing exploitations of the 
Department's infrastructure in order to limit the exfiltration 
of sensitive information out of the Federal government.
    The Committee expects this section will transition 
information security requirements from a paperwork exercise 
into operational improvements on the enterprise level. The 
Committee believes the creation and deployment of new testing 
protocols throughout the Department's infrastructure will help 
guard against ongoing attacks.

Section 4. Inspector General reviews of information infrastructure

    This section requires the Department of Homeland Security 
Inspector General to conduct announced and unannounced 
performance and programmatic reviews of the information 
infrastructure of the Department to determine the effectiveness 
of security policies and controls. The Committee seeks to 
expand upon the model that exists at the Department of Energy's 
Office of Independent Oversight, requiring the Inspector 
General to conduct performance reviews based on the protocols 
created by the CIO and other officials in accordance with the 
previous section and programmatic reviews to determine the 
extent to which a Department agency is complying with the 
policies and procedures established by the CIO. It is important 
to note that these performance and programmatic reviews are in 
addition to those reports required by FISMA, and are not an 
alternative to those mandates.
    After conducting a performance or programmatic review, the 
Inspector General will issue a security report containing the 
results of the review, including recommendations regarding 
funding and personnel management to the Secretary, the CIO, the 
head of the Department component subject to the review, and 
other appropriate individuals who are responsible for 
information security at these components. Within 60 days of 
receiving the security report, the head of the Department 
component subject to the review and the CIO must submit a 
corrective action report which includes a plan to address the 
recommendations of the Inspector General and mitigate the 
vulnerabilities uncovered during the review. The Committee 
recognizes that mitigating vulnerabilities requires appropriate 
plans and budgets, something that only comes from appropriate 
executive involvement and oversight and which has not been a 
priority of the Department. The Committee seeks to create 
accountability among all Department employees, especially 
executives responsible for information security within their 
agencies.

Section 5. Requirements for network service providers

    This section requires the CIO_prior to entering into or 
renewing a covered contract_to determine that the contractor's 
internal information systems security policy complies with the 
Department's information security requirements. The Committee 
found that this common private sector best practice often does 
not occur at the Department; nevertheless, these efforts are 
vital to reduce vulnerabilities and successful exploitations at 
the Department, and must become a part of the procurement 
language. To help identify the most important aspects of 
information security management, the Committee directs the CIO 
to focus his review on risk assessment, risk management, and 
risk mitigation, with primary regard to the implementation of 
best practices such as authentication, access control 
(including remote access), intrusion detection and prevention, 
data protection and integrity, and any other policy that the 
Secretary considers necessary to secure the Department's 
information infrastructure. The Committee believes that by 
ensuring a high level of security of its contractors, the 
Department can elevate its own security. Furthermore, the 
provision requiring the contractor to implement and update its 
own internal information systems security policy will give the 
Department legal recourse in the event that it wishes to hold 
contractors liable for security breaches of contractor-owned 
networks that affect Department information.
    This section also requires the Secretary to include in each 
covered contract, provisions requiring the contractor to 
deliver timely notice of any internal computer incident that 
could violate or pose an imminent threat of violation of 
computer security policies or practices at the Department to 
the United States Computer Emergency Readiness Teams (US-CERT) 
and the CIO's incident response team. These practices are 
designed to ensure situational awareness of the Department and 
enhance the security of Government-wide networks.
    Because the requirements in this section apply only to 
contracts entered into after the date of enactment, the 
Secretary is instructed to obtain this information from current 
contractors to the extent practicable under the terms of 
existing contracts.
    Furthermore, this section requires the Secretary to issue 
within 90 days of enactment, a report to the appropriate House 
and Senate Committees describing: (1) the progress in 
implementing requirements issued by the Office of Management 
and Budget for encryption, authentication, Internet Protocol 
version 6, and Trusted Internet Connections, including a 
timeline for completion; (2) a plan, including an estimated 
budget and a timeline, to investigate breaches against the 
Department of Homeland Security's information infrastructure 
for the purposes of counterintelligence assessment, 
attribution, and response; (3) a proposal to increase threat 
information sharing with cleared and uncleared contractors and 
provide specialized damage assessment training to private 
sector information security professionals; and (4) a process to 
coordinate the Department's information infrastructure 
protection activities as required in the recent report by the 
Office of the Inspector General.
    The Committee is alarmed at the Department's lack of 
progress in implementing encryption and Internet Protocol 
Version 6 (IPV6) transition requirements, and believes this 
should be a top priority for the Secretary. In light of the 
Committee's investigation into data exfiltration out of the 
Department's networks, the Committee remains concerned that the 
Department's Office of Security does not have the resources or 
manpower to develop an agency-wide counter-intelligence plan, 
and expects to see a comprehensive initiative developed by both 
the Office of Security and the Chief Information Officer. The 
Committee expects the Department will develop a program similar 
to the ongoing initiative between the Department of Defense and 
the Defense Industrial Base.

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (new matter is 
printed in italic and existing law in which no change is 
proposed is shown in roman):

                     HOMELAND SECURITY ACT OF 2002


SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

  (a) * * *
  (b) Table of Contents.--The table of contents for this Act is 
as follows:
     * * * * * * *

 TITLE VIII--COORDINATION WITH NON-FEDERAL ENTITIES; INSPECTOR GENERAL; 
      UNITED STATES SECRET SERVICE; COAST GUARD; GENERAL PROVISIONS

     * * * * * * *

                        Subtitle D--Acquisitions

     * * * * * * *
Sec. 836. Requirements for network service providers.

           *       *       *       *       *       *       *


TITLE VII--MANAGEMENT

           *       *       *       *       *       *       *


SEC. 703. CHIEF INFORMATION OFFICER.

  (a) In General.--
          (1) Authorities and duties.--The Secretary shall 
        delegate to the Chief Information Officer such 
        authority necessary for the development, approval, 
        implementation, integration, and oversight of policies, 
        procedures, processes, activities, funding, and systems 
        of the Department relating to the management of 
        information and information infrastructure for the 
        Department, including the management of all related 
        mission applications, information resources, and 
        personnel.
          (2) Line authority.--The Chief Information Officer 
        shall report to the Secretary, or to another official 
        of the Department, as the Secretary may direct.
          (3) Qualifications for appointment.--An individual 
        may not be appointed as Chief Information Officer 
        unless the individual has--
                  (A) demonstrated ability in and knowledge of 
                information technology and information 
                security; and
                  (B) not less than 5 years of executive 
                leadership and management experience in 
                information technology and information security 
                in the public or private sector.
          (4) Functions.--The Chief Information Officer shall--
                  (A) establish and maintain an incident 
                response team that provides a continuous, real-
                time capability within the Department of 
                Homeland Security to--
                          (i) detect, respond to, contain, 
                        investigate, attribute, and mitigate 
                        any computer incident, as defined by 
                        the National Institute of Standards and 
                        Technology, that could violate or pose 
                        an imminent threat of violation of 
                        computer security policies, acceptable 
                        use policies, or standard security 
                        practices of the Department; and
                          (ii) deliver timely notice of any 
                        incident to individuals responsible for 
                        information infrastructure of the 
                        Department, and to the United States 
                        Computer Emergency Readiness Team;
                  (B) establish, maintain, and update a network 
                architecture, including a diagram detailing how 
                security controls are positioned throughout the 
                information infrastructure of the Department to 
                maintain the confidentiality, integrity, 
                availability, accountability, and assurance of 
                electronic information; and
                  (C) ensure that vulnerability assessments are 
                conducted on a regular basis for any Department 
                information infrastructure connected to the 
                Internet or another external network, and that 
                vulnerabilities are mitigated in a timely 
                fashion.

           *       *       *       *       *       *       *

  (c) Attack-Based Testing Protocols.--The Chief Information 
Officer, in consultation with the Inspector General, the 
Assistant Secretary for Cybersecurity, and the heads of other 
appropriate Federal agencies, shall--
          (1) establish security control testing protocols that 
        ensure that the Department's information infrastructure 
        is effectively protected against known attacks against 
        and exploitations of Federal and contractor information 
        infrastructure;
          (2) oversee the deployment of such protocols 
        throughout the information infrastructure of the 
        Department; and
          (3) update such protocols on a regular basis.
  (d) Inspector General Reviews.--
          (1) In general.--The Inspector General of the 
        Department shall use authority under the Inspector 
        General Act of 1978 (5 App. U.S.C.) to conduct 
        announced and unannounced performance reviews and 
        programmatic reviews of the information infrastructure 
        of the Department to determine the effectiveness of 
        security policies and controls of the Department.
          (2) Performance reviews.--Performance reviews under 
        this subsection shall test and validate a system's 
        security controls using the protocols created under 
        subsection (c), beginning not later than 270 days after 
        the date of enactment of the Homeland Security Network 
        Defense and Accountability Act of 2008.
          (3) Programmatic reviews.--Programmatic reviews under 
        this subsection shall--
                  (A) determine whether an agency of the 
                Department is complying with policies, 
                processes, and procedures established by the 
                Chief Information Officer; and
                  (B) focus on risk assessment, risk 
                management, and risk mitigation, with primary 
                regard to the implementation of best practices 
                such as authentication, access control 
                (including remote access), intrusion detection 
                and prevention, data protection and integrity, 
                and any other controls that the Inspector 
                General considers necessary.
          (4) Information security report.--The Inspector 
        General shall submit a security report containing the 
        results of each review under this subsection and 
        prioritized recommendations for improving security 
        controls based on that review, including 
        recommendations regarding funding changes and personnel 
        management, to--
                  (A) the Secretary;
                  (B) the Chief Information Officer; and
                  (C) the head of the Department component that 
                was the subject of the review, and other 
                appropriate individuals responsible for the 
                information infrastructure of such agency.
          (5) Corrective action report.--
                  (A) In general.--Within 60 days after 
                receiving a security report under paragraph 
                (4), the head of the Department component that 
                was the subject of the review and the Chief 
                Information Officer shall jointly submit a 
                corrective action report to the Secretary and 
                the Inspector General.
                  (B) Contents.--The corrective action report--
                          (i) shall contain a plan for 
                        addressing recommendations and 
                        mitigating vulnerabilities contained in 
                        the security report, including a 
                        timeline and budget for implementing 
                        such plan; and
                          (ii) shall note any matters in 
                        disagreement between the head of the 
                        Department component and the Chief 
                        Information Officer.
          (6) Reports to congress.--
                  (A) Annual reports.--In conjunction with the 
                reporting requirements of section 3545 of title 
                44, United States Code, the Inspector General 
                shall submit an annual report to the Committee 
                on Homeland Security of the House of 
                Representatives and the Committee on Homeland 
                Security and Governmental Affairs of the 
                Senate--
                          (i) summarizing the performance and 
                        programmatic reviews performed during 
                        the preceding fiscal year, the results 
                        of those reviews, and any actions that 
                        remain to be taken under plans included 
                        in corrective action reports under 
                        paragraph (5); and
                          (ii) describing the effectiveness of 
                        the testing protocols developed under 
                        subsection (c) in reducing successful 
                        exploitations of the Department's 
                        information infrastructure.
                  (B) Security reports and corrective action 
                reports.--The Inspector General shall make all 
                security reports and corrective action reports 
                available to any member of the Committee on 
                Homeland Security of the House of 
                Representatives, any member of the Committee on 
                Homeland Security and Governmental Affairs of 
                the Senate, and the Comptroller General of the 
                United States, upon request.
  (e) Information Infrastructure Defined.--In this section, the 
term ``information infrastructure'' means systems and assets 
used in processing, transmitting, receiving, or storing 
information electronically.

           *       *       *       *       *       *       *


TITLE VIII--COORDINATION WITH NON-FEDERAL ENTITIES; INSPECTOR GENERAL; 
UNITED STATES SECRET SERVICE; COAST GUARD; GENERAL PROVISIONS

           *       *       *       *       *       *       *


Subtitle D--Acquisitions

           *       *       *       *       *       *       *


SEC. 836. REQUIREMENTS FOR NETWORK SERVICE PROVIDERS.

  (a) Compatibility Determination.--
          (1) In general.--Before entering into or renewing a 
        covered contract, the Secretary, acting through the 
        Chief Information Officer, must determine that the 
        contractor has an internal information systems security 
        policy that complies with the Department's information 
        security requirements for risk assessment, risk 
        management, and risk mitigation, with primary regard to 
        the implementation of best practices such as 
        authentication, access control (including remote 
        access), intrusion detection and prevention, data 
        protection and integrity, and any other policies that 
        the Secretary considers necessary to ensure the 
        security of the Department's information 
        infrastructure.
          (2) Limitation on public disclosures.--The Chief 
        Information Officer shall not disclose to the public 
        any information provided for purposes of such 
        determination, notwithstanding any other provision of 
        Federal, State, or local law, including section 552 of 
        title 5, United States Code.
  (b) Contract Requirements Regarding Security.--The Secretary 
shall include in each covered contract provisions requiring the 
contractor to--
          (1) implement and regularly update the internal 
        information systems security policy required under 
        subsection (a);
          (2) maintain the capability to provide contracted 
        services on a continuing and ongoing basis to the 
        Department in the event of unplanned or disruptive 
        event; and
          (3) deliver timely notice of any internal computer 
        incident, as defined by the National Institute of 
        Standards and Technology, that could violate or pose an 
        imminent threat of violation of computer security 
        policies, acceptable use policies, or standard security 
        practices at the Department, to the United States 
        Computer Emergency Readiness Team and the incident 
        response team established under section 703(a)(4).
  (c) Contract Requirements Regarding Subcontracting.--The 
Secretary shall include in each covered contract--
          (1) a requirement that the contractor develop and 
        implement a plan for the award of subcontracts, as 
        appropriate, to small business concerns and 
        disadvantaged business concerns in accordance with 
        other applicable requirements, including the terms of 
        such plan, as appropriate; and
          (2) a requirement that the contractor submit to the 
        Secretary, during performance of the contract, periodic 
        reports describing the extent to which the contractor 
        has complied with such plan, including specification 
        (by total dollar amount and by percentage of the total 
        dollar value of the contract) of the value of 
        subcontracts awarded at all tiers of subcontracting to 
        small business concerns, including socially and 
        economically disadvantaged small businesses concerns, 
        small business concerns owned and controlled by 
        service-disabled veterans, HUBZone small business 
        concerns, small business concerns eligible to be 
        awarded contracts pursuant to section 8(a) of the Small 
        Business Act (15 U.S.C. 637(a)), and Historically Black 
        Colleges and Universities and Hispanic-serving 
        institutions, tribal colleges and universities, and 
        other minority institutions.
  (d) Existing Contracts.--The Secretary shall, to the extent 
practicable under the terms of existing contracts, require each 
contractor who provides covered information services under a 
contract in effect on the date of the enactment of the Homeland 
Security Network Defense and Accountability Act of 2008 to 
comply with the requirements described in subsection (b).
  (e) Definitions.--For purposes of this section:
          (1) Socially and economically disadvantaged small 
        businesses concern, small business concern owned and 
        controlled by service-disabled veterans, and hubzone 
        small business concern.--The terms ``socially and 
        economically disadvantaged small businesses concern'', 
        ``small business concern owned and controlled by 
        service-disabled veterans'', and ``HUBZone small 
        business concern'' have the meanings given such terms 
        under the Small Business Act (15 U.S.C. 631 et seq.).
          (2) Contractor.--The term ``contractor'' includes 
        each subcontractor of a contractor.
          (3) Covered contract.--The term ``covered contract'' 
        means a contract entered into or renewed after the date 
        of the enactment of the Homeland Security Network 
        Defense and Accountability Act of 2008 for the 
        provision of covered information services.
          (4) Covered information services.--The term ``covered 
        information services'' means creation, management, 
        maintenance, control, or operation of information 
        networks or Internet Web sites for the Department.
          (5) Historically black colleges and universities.--
        The term ``Historically Black Colleges and 
        Universities'' means part B institutions under title 
        III of the Higher Education Act of 1965 (20 U.S.C. 
        1061).
          (6) Hispanic-serving institution.--The term 
        ``Hispanic-serving institution'' has the meaning given 
        such term under title V of the Higher Education Act of 
        1965 (20 U.S.C. 1101a(a)(5)).
          (7) Information infrastructure.--The term 
        ``information infrastructure'' has the meaning that 
        term has under section 703.
          (8) Tribal colleges and universities.--The term 
        ``tribal colleges and universities'' has the meaning 
        given such term under the Tribally Controlled College 
        or University Assistance Act of 1978 (25 U.S.C. 1801 et 
        seq.).

           *       *       *       *       *       *       *



